Merge "[CDM perm sync] Skip user consent for the same OEM devices" into udc-qpr-dev am: 33be01e8

import android.content.Intent;

import android.content.IntentSender;

import android.content.pm.PackageManagerInternal;

import android.content.pm.Signature;

import android.net.MacAddress;

import android.os.Binder;

import android.os.Bundle;

import android.os.RemoteException;

import android.os.ResultReceiver;

import android.os.UserHandle;

import android.util.Log;

import android.util.PackageUtils;

import android.util.Slog;

import com.android.internal.util.ArrayUtils;

import java.util.Arrays;

import java.util.HashSet;

import java.util.List;

import java.util.Set;

/**

 * Class responsible for handling incoming {@link AssociationRequest}s.

    };

    private boolean mayAssociateWithoutPrompt(@NonNull String packageName, @UserIdInt int userId) {

        // Below we check if the requesting package is allowlisted (usually by the OEM) for creating

        // CDM associations without user confirmation (prompt).

        // For this we'll check to config arrays:

        // - com.android.internal.R.array.config_companionDevicePackages

        // and

        // - com.android.internal.R.array.config_companionDeviceCerts.

        // Both arrays are expected to contain similar number of entries.

        // config_companionDevicePackages contains package names of the allowlisted packages.

        // config_companionDeviceCerts contains SHA256 digests of the signatures of the

        // corresponding packages.

        // If a package may be signed with one of several certificates, its package name would

        // appear multiple times in the config_companionDevicePackages, with different entries

        // (one for each of the valid signing certificates) at the corresponding positions in

        // config_companionDeviceCerts.

        final String[] allowlistedPackages = mContext.getResources()

                .getStringArray(com.android.internal.R.array.config_companionDevicePackages);

        if (!ArrayUtils.contains(allowlistedPackages, packageName)) {

            if (DEBUG) {

                Log.d(TAG, packageName + " is not allowlisted for creating associations "

                        + "without user confirmation (prompt)");

                Log.v(TAG, "Allowlisted packages=" + Arrays.toString(allowlistedPackages));

            }

            return false;

        }

        // Throttle frequent associations

        final long now = System.currentTimeMillis();

        final List<AssociationInfo> associationForPackage =

            }

        }

        final String[] allowlistedPackagesSignatureDigests = mContext.getResources()

                .getStringArray(com.android.internal.R.array.config_companionDeviceCerts);

        final Set<String> allowlistedSignatureDigestsForRequestingPackage = new HashSet<>();

        for (int i = 0; i < allowlistedPackages.length; i++) {

            if (allowlistedPackages[i].equals(packageName)) {

                final String digest = allowlistedPackagesSignatureDigests[i].replaceAll(":", "");

                allowlistedSignatureDigestsForRequestingPackage.add(digest);

            }

        }

        final Signature[] requestingPackageSignatures = mPackageManager.getPackage(packageName)

                .getSigningDetails().getSignatures();

        final String[] requestingPackageSignatureDigests =

                PackageUtils.computeSignaturesSha256Digests(requestingPackageSignatures);

        boolean requestingPackageSignatureAllowlisted = false;

        for (String signatureDigest : requestingPackageSignatureDigests) {

            if (allowlistedSignatureDigestsForRequestingPackage.contains(signatureDigest)) {

                requestingPackageSignatureAllowlisted = true;

                break;

            }

        }

        if (!requestingPackageSignatureAllowlisted) {

            Slog.w(TAG, "Certificate mismatch for allowlisted package " + packageName);

            if (DEBUG) {

                Log.d(TAG, "  > allowlisted signatures for " + packageName + ": ["

                        + String.join(", ", allowlistedSignatureDigestsForRequestingPackage)

                        + "]");

                Log.d(TAG, "  > actual signatures for " + packageName + ": "

                        + Arrays.toString(requestingPackageSignatureDigests));

            }

        }

        return requestingPackageSignatureAllowlisted;

        return PackageUtils.isPackageAllowlisted(mContext, mPackageManager, packageName);

    }

}

        mCompanionAppController = new CompanionApplicationController(

                context, mAssociationStore, mDevicePresenceMonitor);

        mTransportManager = new CompanionTransportManager(context, mAssociationStore);

        mSystemDataTransferProcessor = new SystemDataTransferProcessor(this, mAssociationStore,

        mSystemDataTransferProcessor = new SystemDataTransferProcessor(this,

                mPackageManagerInternal, mAssociationStore,

                mSystemDataTransferRequestStore, mTransportManager);

        // TODO(b/279663946): move context sync to a dedicated system service

        mCrossDeviceSyncController = new CrossDeviceSyncController(getContext(), mTransportManager);

import static android.content.pm.PackageManager.GET_CONFIGURATIONS;

import static android.content.pm.PackageManager.GET_PERMISSIONS;

import static com.android.server.companion.CompanionDeviceManagerService.DEBUG;

import static com.android.server.companion.CompanionDeviceManagerService.TAG;

import android.Manifest;

import android.content.pm.PackageManager;

import android.content.pm.PackageManager.PackageInfoFlags;

import android.content.pm.PackageManager.ResolveInfoFlags;

import android.content.pm.PackageManagerInternal;

import android.content.pm.ResolveInfo;

import android.content.pm.ServiceInfo;

import android.content.pm.Signature;

import android.os.Binder;

import android.util.Log;

import android.util.Slog;

import com.android.internal.util.ArrayUtils;

import java.util.ArrayList;

import java.util.Arrays;

import java.util.HashMap;

import java.util.HashSet;

import java.util.List;

import java.util.Map;

import java.util.Set;

/**

 * Utility methods for working with {@link PackageInfo}-s.

 */

final class PackageUtils {

public final class PackageUtils {

    private static final Intent COMPANION_SERVICE_INTENT =

            new Intent(CompanionDeviceService.SERVICE_INTERFACE);

    private static final String PROPERTY_PRIMARY_TAG =

            return false;

        }

    }

    /**

     * Check if the package is allowlisted in the overlay config.

     * For this we'll check to config arrays:

     *   - com.android.internal.R.array.config_companionDevicePackages

     * and

     *   - com.android.internal.R.array.config_companionDeviceCerts.

     * Both arrays are expected to contain similar number of entries.

     * config_companionDevicePackages contains package names of the allowlisted packages.

     * config_companionDeviceCerts contains SHA256 digests of the signatures of the

     * corresponding packages.

     * If a package is signed with one of several certificates, its package name would

     * appear multiple times in the config_companionDevicePackages, with different entries

     * (one for each of the valid signing certificates) at the corresponding positions in

     * config_companionDeviceCerts.

     */

    public static boolean isPackageAllowlisted(Context context,

            PackageManagerInternal packageManagerInternal, @NonNull String packageName) {

        final String[] allowlistedPackages = context.getResources()

                .getStringArray(com.android.internal.R.array.config_companionDevicePackages);

        if (!ArrayUtils.contains(allowlistedPackages, packageName)) {

            if (DEBUG) {

                Log.d(TAG, packageName + " is not allowlisted.");

            }

            return false;

        }

        final String[] allowlistedPackagesSignatureDigests = context.getResources()

                .getStringArray(com.android.internal.R.array.config_companionDeviceCerts);

        final Set<String> allowlistedSignatureDigestsForRequestingPackage = new HashSet<>();

        for (int i = 0; i < allowlistedPackages.length; i++) {

            if (allowlistedPackages[i].equals(packageName)) {

                final String digest = allowlistedPackagesSignatureDigests[i].replaceAll(":", "");

                allowlistedSignatureDigestsForRequestingPackage.add(digest);

            }

        }

        final Signature[] requestingPackageSignatures = packageManagerInternal.getPackage(

                        packageName)

                .getSigningDetails().getSignatures();

        final String[] requestingPackageSignatureDigests =

                android.util.PackageUtils.computeSignaturesSha256Digests(

                        requestingPackageSignatures);

        boolean requestingPackageSignatureAllowlisted = false;

        for (String signatureDigest : requestingPackageSignatureDigests) {

            if (allowlistedSignatureDigestsForRequestingPackage.contains(signatureDigest)) {

                requestingPackageSignatureAllowlisted = true;

                break;

            }

        }

        if (!requestingPackageSignatureAllowlisted) {

            Slog.w(TAG, "Certificate mismatch for allowlisted package " + packageName);

            if (DEBUG) {

                Log.d(TAG, "  > allowlisted signatures for " + packageName + ": ["

                        + String.join(", ", allowlistedSignatureDigestsForRequestingPackage)

                        + "]");

                Log.d(TAG, "  > actual signatures for " + packageName + ": "

                        + Arrays.toString(requestingPackageSignatureDigests));

            }

        }

        return requestingPackageSignatureAllowlisted;

    }

}

import android.content.ComponentName;

import android.content.Context;

import android.content.Intent;

import android.content.pm.PackageManagerInternal;

import android.os.Binder;

import android.os.Bundle;

import android.os.Handler;

import com.android.server.companion.AssociationStore;

import com.android.server.companion.CompanionDeviceManagerService;

import com.android.server.companion.PackageUtils;

import com.android.server.companion.PermissionsUtils;

import com.android.server.companion.transport.CompanionTransportManager;

                    ".CompanionDeviceDataTransferActivity");

    private final Context mContext;

    private final PackageManagerInternal mPackageManager;

    private final AssociationStore mAssociationStore;

    private final SystemDataTransferRequestStore mSystemDataTransferRequestStore;

    private final CompanionTransportManager mTransportManager;

    private final ExecutorService mExecutor;

    public SystemDataTransferProcessor(CompanionDeviceManagerService service,

            PackageManagerInternal packageManager,

            AssociationStore associationStore,

            SystemDataTransferRequestStore systemDataTransferRequestStore,

            CompanionTransportManager transportManager) {

        mContext = service.getContext();

        mPackageManager = packageManager;

        mAssociationStore = associationStore;

        mSystemDataTransferRequestStore = systemDataTransferRequestStore;

        mTransportManager = transportManager;

     */

    public PendingIntent buildPermissionTransferUserConsentIntent(String packageName,

            @UserIdInt int userId, int associationId) {

        if (PackageUtils.isPackageAllowlisted(mContext, mPackageManager, packageName)) {

            Slog.i(LOG_TAG, "User consent Intent should be skipped. Returning null.");

            return null;

        }

        final AssociationInfo association = resolveAssociation(packageName, userId, associationId);

        Slog.i(LOG_TAG, "Creating permission sync intent for userId [" + userId

        final AssociationInfo association = resolveAssociation(packageName, userId, associationId);

        // Check if the request has been consented by the user.

        if (PackageUtils.isPackageAllowlisted(mContext, mPackageManager, packageName)) {

            Slog.i(LOG_TAG, "Skip user consent check due to the same OEM package.");

        } else {

            List<SystemDataTransferRequest> storedRequests =

                    mSystemDataTransferRequestStore.readRequestsByAssociationId(userId,

                            associationId);

            boolean hasConsented = false;

            for (SystemDataTransferRequest storedRequest : storedRequests) {

            if (storedRequest instanceof PermissionSyncRequest && storedRequest.isUserConsented()) {

                if (storedRequest instanceof PermissionSyncRequest

                        && storedRequest.isUserConsented()) {

                    hasConsented = true;

                    break;

                }

                Slog.e(LOG_TAG, message);

                try {

                    callback.onError(message);

            } catch (RemoteException ignored) { }

                } catch (RemoteException ignored) {

                }

                return;

            }

        }

        // Start permission sync

        final long callingIdentityToken = Binder.clearCallingIdentity();

include /services/companion/java/com/android/server/companion/OWNERS

 No newline at end of file