1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.net;
18 
19 import android.annotation.IntDef;
20 import android.annotation.NonNull;
21 
22 import com.android.internal.net.VpnProfile;
23 
24 import java.io.IOException;
25 import java.lang.annotation.Retention;
26 import java.lang.annotation.RetentionPolicy;
27 import java.security.GeneralSecurityException;
28 
/**
 * PlatformVpnProfile represents a configuration for a platform-based VPN implementation.
 *
 * <p>Platform-based VPNs allow VPN applications to provide configuration and authentication options
 * to leverage the Android OS' implementations of well-defined control plane (authentication, key
 * negotiation) and data plane (per-packet encryption) protocols to simplify the creation of VPN
 * tunnels. In contrast, {@link VpnService} based VPNs must implement both the control and data
 * planes on a per-app basis.
 *
 * @see Ikev2VpnProfile
 */
public abstract class PlatformVpnProfile {
    /**
     * Annotation naming the platform VPN type constants of this class, which alias the
     * matching {@code VpnProfile} types for API use.
     *
     * <p>Retention is {@link RetentionPolicy#SOURCE}, so the annotation is not present at run
     * time; nothing in this class range-checks an annotated value against the listed constants.
     *
     * @hide
     */
    @Retention(RetentionPolicy.SOURCE)
    @IntDef({
        TYPE_IKEV2_IPSEC_USER_PASS,
        TYPE_IKEV2_IPSEC_PSK,
        TYPE_IKEV2_IPSEC_RSA,
    })
    public static @interface PlatformVpnType {}

    /** Profile type described by {@link #getTypeString()} as IKEv2/IPsec Username/Password. */
    public static final int TYPE_IKEV2_IPSEC_USER_PASS = VpnProfile.TYPE_IKEV2_IPSEC_USER_PASS;
    /** Profile type described by {@link #getTypeString()} as IKEv2/IPsec Preshared key. */
    public static final int TYPE_IKEV2_IPSEC_PSK = VpnProfile.TYPE_IKEV2_IPSEC_PSK;
    /** Profile type described by {@link #getTypeString()} as IKEv2/IPsec RSA Digital Signature. */
    public static final int TYPE_IKEV2_IPSEC_RSA = VpnProfile.TYPE_IKEV2_IPSEC_RSA;

    /**
     * Default value for the maximum MTU. It is not referenced anywhere else in this class.
     *
     * @hide
     */
    public static final int MAX_MTU_DEFAULT = 1360;

    /**
     * Profile type as handed to the constructor; stored without validation.
     *
     * @hide
     */
    @PlatformVpnType protected final int mType;

    /**
     * Backing field for {@link #areLocalRoutesExcluded()}.
     *
     * @hide
     */
    protected final boolean mExcludeLocalRoutes;
    /**
     * Backing field for {@link #isInternetValidationRequired()}.
     *
     * @hide
     */
    protected final boolean mRequiresInternetValidation;

    /**
     * Stores the profile type and the two behaviour flags in the final fields.
     *
     * <p>The arguments are stored as given; {@code type} is not checked against the
     * {@link PlatformVpnType} constants here. The constructor is package-private, so a subclass
     * has to be declared in this package.
     *
     * @param type the profile type
     * @param excludeLocalRoutes value later returned by {@link #areLocalRoutesExcluded()}
     * @param requiresValidation value later returned by {@link #isInternetValidationRequired()}
     * @hide
     */
    PlatformVpnProfile(@PlatformVpnType int type, boolean excludeLocalRoutes,
            boolean requiresValidation) {
        mRequiresInternetValidation = requiresValidation;
        mExcludeLocalRoutes = excludeLocalRoutes;
        mType = type;
    }

    /**
     * Returns the profile integer type.
     *
     * @return the type value this profile was constructed with
     */
    @PlatformVpnType
    public final int getType() {
        return this.mType;
    }

    /**
     * Returns whether the local traffic is exempted from the VPN.
     *
     * <p>A {@code true} result means local traffic is not sent through the VPN. Callers that
     * expect all traffic of the device to be tunnelled should check this flag.
     *
     * @return {@code true} if local routes are excluded from the VPN
     */
    public final boolean areLocalRoutesExcluded() {
        return this.mExcludeLocalRoutes;
    }

    /**
     * Returns whether this VPN should undergo Internet validation.
     *
     * <p>If this is true, the platform performs basic validation checks for Internet
     * connectivity over this VPN. If and when they succeed, the VPN network capabilities
     * gain the {@link NetworkCapabilities#NET_CAPABILITY_VALIDATED} capability.
     *
     * <p>If this is false, the platform assumes the VPN either is always capable of reaching
     * the Internet or intends not to. The VPN network capabilities then gain
     * {@link NetworkCapabilities#NET_CAPABILITY_VALIDATED} immediately after the VPN connects,
     * whether it can reach public Internet destinations or not. Code that reads that capability
     * on such a network therefore cannot treat it as evidence of Internet reachability.
     *
     * @return {@code true} if the platform should validate Internet connectivity over this VPN
     */
    public final boolean isInternetValidationRequired() {
        return this.mRequiresInternetValidation;
    }

    /**
     * Returns a type string describing the VPN profile type.
     *
     * @return a fixed English description of the type, or {@code "Unknown VPN profile type"}
     *         when the stored type is none of the three {@code TYPE_IKEV2_IPSEC_*} constants
     */
    @NonNull
    public final String getTypeString() {
        final int type = mType;
        if (type == TYPE_IKEV2_IPSEC_USER_PASS) {
            return "IKEv2/IPsec Username/Password";
        }
        if (type == TYPE_IKEV2_IPSEC_PSK) {
            return "IKEv2/IPsec Preshared key";
        }
        if (type == TYPE_IKEV2_IPSEC_RSA) {
            return "IKEv2/IPsec RSA Digital Signature";
        }
        // The stored type is never validated, so an unrecognised value has to be handled here.
        return "Unknown VPN profile type";
    }

    /**
     * Converts this profile into a {@code VpnProfile}; each subclass supplies the conversion.
     *
     * <p>The declared exceptions are part of the contract; when they are thrown is decided by
     * the implementing subclass.
     *
     * @hide
     */
    @NonNull
    public abstract VpnProfile toVpnProfile() throws IOException, GeneralSecurityException;

    /**
     * Builds a platform profile from a {@code VpnProfile}.
     *
     * <p>Only the three {@code TYPE_IKEV2_IPSEC_*} types are accepted, and all of them are
     * delegated to {@code Ikev2VpnProfile.fromVpnProfile}. Any other type is rejected with an
     * exception instead of being mapped to a default, so a profile of an unrecognised type never
     * yields a {@code PlatformVpnProfile}. There is no explicit null check; a null
     * {@code profile} fails on the read of its {@code type} field.
     *
     * @param profile the profile to convert
     * @return the profile produced by {@code Ikev2VpnProfile.fromVpnProfile}
     * @throws IllegalArgumentException if {@code profile.type} is not one of the accepted types
     * @throws IOException if the delegated conversion throws it
     * @throws GeneralSecurityException if the delegated conversion throws it
     * @hide
     */
    @NonNull
    public static PlatformVpnProfile fromVpnProfile(@NonNull VpnProfile profile)
            throws IOException, GeneralSecurityException {
        // Read the field once, as the original switch did.
        final int type = profile.type;
        final boolean isIkev2Type = type == TYPE_IKEV2_IPSEC_USER_PASS
                || type == TYPE_IKEV2_IPSEC_PSK
                || type == TYPE_IKEV2_IPSEC_RSA;
        if (!isIkev2Type) {
            throw new IllegalArgumentException("Unknown VPN Profile type");
        }
        return Ikev2VpnProfile.fromVpnProfile(profile);
    }
}