Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0b93d2b1 authored by Barani Muthukumaran's avatar Barani Muthukumaran Committed by Paul Crowley
Browse files

Force all devices to migrate to synthetic password 

Remove the property used to disable the migration.
With this change disabling of synthetic password will
no longer work.

https://partnerissuetracker.corp.google.com/issues/146040259
has been created to track the removal of all non-synthetic
password related flows.

Bug: 146040259
Test: Device boot and validate FBE (inclding OTA).
Merged-In: Ib4633ff2f667ee7f88195c7cbd07ba99eea76d51
Change-Id: Ib4633ff2f667ee7f88195c7cbd07ba99eea76d51
parent eb7dddb9

services/core/java/com/android/server/locksettings/LockSettingsService.java

+2 −15
Original line number Diff line number Diff line
@@ -25,7 +25,6 @@ import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_NONE; 
import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD;

import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN;

import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback;

import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY;

import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY;

import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT;

import static com.android.internal.widget.LockPatternUtils.USER_FRP;
@@ -2532,23 +2531,12 @@ public class LockSettingsService extends ILockSettings.Stub { 
            return type == PersistentData.TYPE_SP || type == PersistentData.TYPE_SP_WEAVER;

        }

        long handle = getSyntheticPasswordHandleLocked(userId);

        // This is a global setting

        long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY,

                SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM);

      return enabled != 0 && handle != SyntheticPasswordManager.DEFAULT_HANDLE;

        return handle != SyntheticPasswordManager.DEFAULT_HANDLE;

    }



    @VisibleForTesting

    protected boolean shouldMigrateToSyntheticPasswordLocked(int userId) {

        long handle = getSyntheticPasswordHandleLocked(userId);

        // This is a global setting

        long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY,

                SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM);

        return enabled != 0 && handle == SyntheticPasswordManager.DEFAULT_HANDLE;

    }



    private void enableSyntheticPasswordLocked() {

        setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM);

        return true;

    }



    private VerifyCredentialResponse spBasedDoVerifyCredential(byte[] userCredential,
@@ -2829,7 +2817,6 @@ public class LockSettingsService extends ILockSettings.Stub { 
            throws RemoteException {

        if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId);

        synchronized (mSpManager) {

            enableSyntheticPasswordLocked();

            // Migrate to synthetic password based credentials if the user has no password,

            // the token can then be activated immediately.

            AuthenticationToken auth = null;

services/tests/servicestests/src/com/android/server/locksettings/SyntheticPasswordTests.java

+0 −105
Original line number Diff line number Diff line
@@ -103,31 +103,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { 
        return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0;

    }



    @Test

    public void testPasswordMigration() throws RemoteException {

        final byte[] password = "testPasswordMigration-password".getBytes();



        disableSyntheticPassword();

        mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,

                PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);

        long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);

        final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);

        enableSyntheticPassword();

        // Performs migration

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)

                    .getResponseCode());

        assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));

        assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));



        // SP-based verification

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password,

                LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)

                        .getResponseCode());

        assertArrayNotEquals(primaryStorageKey,

                mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));

    }



    protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException {

        enableSyntheticPassword();

        int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC
@@ -269,86 +244,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { 
        verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class));

    }



    @Test

    public void testManagedProfileUnifiedChallengeMigration() throws RemoteException {

        final byte[] UnifiedPassword = "testManagedProfileUnifiedChallengeMigration-pwd".getBytes();

        disableSyntheticPassword();

        mService.setLockCredential(UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,

                PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);

        mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null);

        final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);

        final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);

        final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);

        final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID);

        assertTrue(primarySid != 0);

        assertTrue(profileSid != 0);

        assertTrue(profileSid != primarySid);



        // do migration

        enableSyntheticPassword();

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)

                        .getResponseCode());



        // verify

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)

                        .getResponseCode());

        assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));

        assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));

        assertArrayNotEquals(primaryStorageKey,

                mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));

        assertArrayNotEquals(profileStorageKey,

                mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID));

        assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));

        assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID));

    }



    @Test

    public void testManagedProfileSeparateChallengeMigration() throws RemoteException {

        final byte[] primaryPassword =

                "testManagedProfileSeparateChallengeMigration-primary".getBytes();

        final byte[] profilePassword =

                "testManagedProfileSeparateChallengeMigration-profile".getBytes();

        disableSyntheticPassword();

        mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,

                PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);

        mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,

                PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false);

        final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);

        final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);

        final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);

        final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID);

        assertTrue(primarySid != 0);

        assertTrue(profileSid != 0);

        assertTrue(profileSid != primarySid);



        // do migration

        enableSyntheticPassword();

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)

                        .getResponseCode());

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,

                0, MANAGED_PROFILE_USER_ID).getResponseCode());



        // verify

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)

                        .getResponseCode());

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,

                0, MANAGED_PROFILE_USER_ID).getResponseCode());

        assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));

        assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));

        assertArrayNotEquals(primaryStorageKey,

                mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));

        assertArrayNotEquals(profileStorageKey,

                mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID));

        assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));

        assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID));

    }



    @Test

    public void testTokenBasedResetPassword() throws RemoteException {

        final byte[] password = "password".getBytes();