Merge "Use DPMS lock for the policy engine" into udc-dev am: 98c8c131

    private final UserManager mUserManager;

    private final UserManager mUserManager;

    // TODO(b/256849338): add more granular locks

    // TODO(b/256849338): add more granular locks

    private final Object mLock = new Object();

    private final Object mLock;

    /**

    /**

     * Map of <userId, Map<policyKey, policyState>>

     * Map of <userId, Map<policyKey, policyState>>

    DevicePolicyEngine(

    DevicePolicyEngine(

            @NonNull Context context,

            @NonNull Context context,

            @NonNull DeviceAdminServiceController deviceAdminServiceController) {

            @NonNull DeviceAdminServiceController deviceAdminServiceController,

            @NonNull Object lock) {

        mContext = Objects.requireNonNull(context);

        mContext = Objects.requireNonNull(context);

        mDeviceAdminServiceController = Objects.requireNonNull(deviceAdminServiceController);

        mDeviceAdminServiceController = Objects.requireNonNull(deviceAdminServiceController);

        mLock = Objects.requireNonNull(lock);

        mUserManager = mContext.getSystemService(UserManager.class);

        mUserManager = mContext.getSystemService(UserManager.class);

        mLocalPolicies = new SparseArray<>();

        mLocalPolicies = new SparseArray<>();

        mGlobalPolicies = new HashMap<>();

        mGlobalPolicies = new HashMap<>();

            PolicyState<V> localPolicyState = getLocalPolicyStateLocked(policyDefinition, userId);

            PolicyState<V> localPolicyState = getLocalPolicyStateLocked(policyDefinition, userId);

            if (policyDefinition.isNonCoexistablePolicy()) {

            if (policyDefinition.isNonCoexistablePolicy()) {

                setNonCoexistableLocalPolicy(policyDefinition, localPolicyState, enforcingAdmin,

                setNonCoexistableLocalPolicyLocked(policyDefinition, localPolicyState,

                        value, userId, skipEnforcePolicy);

                        enforcingAdmin, value, userId, skipEnforcePolicy);

                return;

                return;

            }

            }

            // the data structures.

            // the data structures.

            if (!skipEnforcePolicy) {

            if (!skipEnforcePolicy) {

                if (policyChanged) {

                if (policyChanged) {

                    onLocalPolicyChanged(policyDefinition, enforcingAdmin, userId);

                    onLocalPolicyChangedLocked(policyDefinition, enforcingAdmin, userId);

                }

                }

                boolean policyEnforced = Objects.equals(

                boolean policyEnforced = Objects.equals(

                        localPolicyState.getCurrentResolvedPolicy(), value);

                        localPolicyState.getCurrentResolvedPolicy(), value);

     *

     *

     * <p>Passing a {@code null} value means the policy set by this admin should be removed.

     * <p>Passing a {@code null} value means the policy set by this admin should be removed.

     */

     */

    private <V> void setNonCoexistableLocalPolicy(

    private <V> void setNonCoexistableLocalPolicyLocked(

            PolicyDefinition<V> policyDefinition,

            PolicyDefinition<V> policyDefinition,

            PolicyState<V> localPolicyState,

            PolicyState<V> localPolicyState,

            EnforcingAdmin enforcingAdmin,

            EnforcingAdmin enforcingAdmin,

            PolicyState<V> localPolicyState = getLocalPolicyStateLocked(policyDefinition, userId);

            PolicyState<V> localPolicyState = getLocalPolicyStateLocked(policyDefinition, userId);

            if (policyDefinition.isNonCoexistablePolicy()) {

            if (policyDefinition.isNonCoexistablePolicy()) {

                setNonCoexistableLocalPolicy(policyDefinition, localPolicyState, enforcingAdmin,

                setNonCoexistableLocalPolicyLocked(policyDefinition, localPolicyState,

                        /* value= */ null, userId, /* skipEnforcePolicy= */ false);

                        enforcingAdmin, /* value= */ null, userId, /* skipEnforcePolicy= */ false);

                return;

                return;

            }

            }

            }

            }

            if (policyChanged) {

            if (policyChanged) {

                onLocalPolicyChanged(policyDefinition, enforcingAdmin, userId);

                onLocalPolicyChangedLocked(policyDefinition, enforcingAdmin, userId);

            }

            }

            // For a removePolicy to be enforced, it means no current policy exists

            // For a removePolicy to be enforced, it means no current policy exists

    /**

    /**

     * Enforces the new policy and notifies relevant admins.

     * Enforces the new policy and notifies relevant admins.

     */

     */

    private <V> void onLocalPolicyChanged(

    private <V> void onLocalPolicyChangedLocked(

            @NonNull PolicyDefinition<V> policyDefinition,

            @NonNull PolicyDefinition<V> policyDefinition,

            @NonNull EnforcingAdmin enforcingAdmin,

            @NonNull EnforcingAdmin enforcingAdmin,

            int userId) {

            int userId) {

                policyDefinition, localPolicyState.getCurrentResolvedPolicy(), userId);

                policyDefinition, localPolicyState.getCurrentResolvedPolicy(), userId);

        // Send policy updates to admins who've set it locally

        // Send policy updates to admins who've set it locally

        sendPolicyChangedToAdmins(

        sendPolicyChangedToAdminsLocked(

                localPolicyState,

                localPolicyState,

                enforcingAdmin,

                enforcingAdmin,

                policyDefinition,

                policyDefinition,

        // Send policy updates to admins who've set it globally

        // Send policy updates to admins who've set it globally

        if (hasGlobalPolicyLocked(policyDefinition)) {

        if (hasGlobalPolicyLocked(policyDefinition)) {

            PolicyState<V> globalPolicyState = getGlobalPolicyStateLocked(policyDefinition);

            PolicyState<V> globalPolicyState = getGlobalPolicyStateLocked(policyDefinition);

            sendPolicyChangedToAdmins(

            sendPolicyChangedToAdminsLocked(

                    globalPolicyState,

                    globalPolicyState,

                    enforcingAdmin,

                    enforcingAdmin,

                    policyDefinition,

                    policyDefinition,

            // the data structures.

            // the data structures.

            if (!skipEnforcePolicy) {

            if (!skipEnforcePolicy) {

                if (policyChanged) {

                if (policyChanged) {

                    onGlobalPolicyChanged(policyDefinition, enforcingAdmin);

                    onGlobalPolicyChangedLocked(policyDefinition, enforcingAdmin);

                }

                }

                boolean policyAppliedGlobally = Objects.equals(

                boolean policyAppliedGlobally = Objects.equals(

            boolean policyChanged = policyState.removePolicy(enforcingAdmin);

            boolean policyChanged = policyState.removePolicy(enforcingAdmin);

            if (policyChanged) {

            if (policyChanged) {

                onGlobalPolicyChanged(policyDefinition, enforcingAdmin);

                onGlobalPolicyChangedLocked(policyDefinition, enforcingAdmin);

            }

            }

            applyGlobalPolicyOnUsersWithLocalPoliciesLocked(policyDefinition, enforcingAdmin,

            applyGlobalPolicyOnUsersWithLocalPoliciesLocked(policyDefinition, enforcingAdmin,

    /**

    /**

     * Enforces the new policy globally and notifies relevant admins.

     * Enforces the new policy globally and notifies relevant admins.

     */

     */

    private <V> void onGlobalPolicyChanged(

    private <V> void onGlobalPolicyChangedLocked(

            @NonNull PolicyDefinition<V> policyDefinition,

            @NonNull PolicyDefinition<V> policyDefinition,

            @NonNull EnforcingAdmin enforcingAdmin) {

            @NonNull EnforcingAdmin enforcingAdmin) {

        PolicyState<V> policyState = getGlobalPolicyStateLocked(policyDefinition);

        PolicyState<V> policyState = getGlobalPolicyStateLocked(policyDefinition);

        enforcePolicy(policyDefinition, policyState.getCurrentResolvedPolicy(),

        enforcePolicy(policyDefinition, policyState.getCurrentResolvedPolicy(),

                UserHandle.USER_ALL);

                UserHandle.USER_ALL);

        sendPolicyChangedToAdmins(

        sendPolicyChangedToAdminsLocked(

                policyState,

                policyState,

                enforcingAdmin,

                enforcingAdmin,

                policyDefinition,

                policyDefinition,

                        policyDefinition,

                        policyDefinition,

                        localPolicyState.getCurrentResolvedPolicy(),

                        localPolicyState.getCurrentResolvedPolicy(),

                        userId);

                        userId);

                sendPolicyChangedToAdmins(

                sendPolicyChangedToAdminsLocked(

                        localPolicyState,

                        localPolicyState,

                        enforcingAdmin,

                        enforcingAdmin,

                        policyDefinition,

                        policyDefinition,

    }

    }

    <V> void transferPolicies(EnforcingAdmin oldAdmin, EnforcingAdmin newAdmin) {

    <V> void transferPolicies(EnforcingAdmin oldAdmin, EnforcingAdmin newAdmin) {

        synchronized (mLock) {

            Set<PolicyKey> globalPolicies = new HashSet<>(mGlobalPolicies.keySet());

            Set<PolicyKey> globalPolicies = new HashSet<>(mGlobalPolicies.keySet());

            for (PolicyKey policy : globalPolicies) {

            for (PolicyKey policy : globalPolicies) {

                PolicyState<?> policyState = mGlobalPolicies.get(policy);

                PolicyState<?> policyState = mGlobalPolicies.get(policy);

                    }

                    }

                }

                }

            }

            }

        }

        removePoliciesForAdmin(oldAdmin);

        removePoliciesForAdmin(oldAdmin);

    }

    }

            mLocalPolicies.get(userId).put(

            mLocalPolicies.get(userId).put(

                    policyDefinition.getPolicyKey(), new PolicyState<>(policyDefinition));

                    policyDefinition.getPolicyKey(), new PolicyState<>(policyDefinition));

        }

        }

        return getPolicyState(mLocalPolicies.get(userId), policyDefinition);

        return getPolicyStateLocked(mLocalPolicies.get(userId), policyDefinition);

    }

    }

    private <V> void removeLocalPolicyStateLocked(

    private <V> void removeLocalPolicyStateLocked(

            mGlobalPolicies.put(

            mGlobalPolicies.put(

                    policyDefinition.getPolicyKey(), new PolicyState<>(policyDefinition));

                    policyDefinition.getPolicyKey(), new PolicyState<>(policyDefinition));

        }

        }

        return getPolicyState(mGlobalPolicies, policyDefinition);

        return getPolicyStateLocked(mGlobalPolicies, policyDefinition);

    }

    }

    private <V> void removeGlobalPolicyStateLocked(PolicyDefinition<V> policyDefinition) {

    private <V> void removeGlobalPolicyStateLocked(PolicyDefinition<V> policyDefinition) {

        mGlobalPolicies.remove(policyDefinition.getPolicyKey());

        mGlobalPolicies.remove(policyDefinition.getPolicyKey());

    }

    }

    private static <V> PolicyState<V> getPolicyState(

    private static <V> PolicyState<V> getPolicyStateLocked(

            Map<PolicyKey, PolicyState<?>> policies, PolicyDefinition<V> policyDefinition) {

            Map<PolicyKey, PolicyState<?>> policies, PolicyDefinition<V> policyDefinition) {

        try {

        try {

            // This will not throw an exception because policyDefinition is of type V, so unless

            // This will not throw an exception because policyDefinition is of type V, so unless

    }

    }

    // TODO(b/261430877): Finalise the decision on which admins to send the updates to.

    // TODO(b/261430877): Finalise the decision on which admins to send the updates to.

    private <V> void sendPolicyChangedToAdmins(

    private <V> void sendPolicyChangedToAdminsLocked(

            PolicyState<V> policyState,

            PolicyState<V> policyState,

            EnforcingAdmin callingAdmin,

            EnforcingAdmin callingAdmin,

            PolicyDefinition<V> policyDefinition,

            PolicyDefinition<V> policyDefinition,

            if (parentInfo == null || parentInfo.getUserHandle().getIdentifier() == userId) {

            if (parentInfo == null || parentInfo.getUserHandle().getIdentifier() == userId) {

                return;

                return;

            }

            }

            synchronized (mLock) {

                if (!mLocalPolicies.contains(parentInfo.getUserHandle().getIdentifier())) {

                if (!mLocalPolicies.contains(parentInfo.getUserHandle().getIdentifier())) {

                    return;

                    return;

                }

                }

                for (Map.Entry<PolicyKey, PolicyState<?>> entry : mLocalPolicies.get(

                for (Map.Entry<PolicyKey, PolicyState<?>> entry : mLocalPolicies.get(

                        parentInfo.getUserHandle().getIdentifier()).entrySet()) {

                        parentInfo.getUserHandle().getIdentifier()).entrySet()) {

                enforcePolicyOnUser(userId, entry.getValue());

                    enforcePolicyOnUserLocked(userId, entry.getValue());

                }

            }

            }

        });

        });

    }

    }

    private <V> void enforcePolicyOnUser(int userId, PolicyState<V> policyState) {

    private <V> void enforcePolicyOnUserLocked(int userId, PolicyState<V> policyState) {

        if (!policyState.getPolicyDefinition().isInheritable()) {

        if (!policyState.getPolicyDefinition().isInheritable()) {

            return;

            return;

        }

        }

     */

     */

    @NonNull

    @NonNull

    DevicePolicyState getDevicePolicyState() {

    DevicePolicyState getDevicePolicyState() {

        synchronized (mLock) {

            Map<UserHandle, Map<PolicyKey, android.app.admin.PolicyState<?>>> policies =

            Map<UserHandle, Map<PolicyKey, android.app.admin.PolicyState<?>>> policies =

                    new HashMap<>();

                    new HashMap<>();

            for (int i = 0; i < mLocalPolicies.size(); i++) {

            for (int i = 0; i < mLocalPolicies.size(); i++) {

            }

            }

            return new DevicePolicyState(policies);

            return new DevicePolicyState(policies);

        }

        }

    }

    /**

    /**

     * Removes all local and global policies set by that admin.

     * Removes all local and global policies set by that admin.

     */

     */

    void removePoliciesForAdmin(EnforcingAdmin admin) {

    void removePoliciesForAdmin(EnforcingAdmin admin) {

        synchronized (mLock) {

            Set<PolicyKey> globalPolicies = new HashSet<>(mGlobalPolicies.keySet());

            Set<PolicyKey> globalPolicies = new HashSet<>(mGlobalPolicies.keySet());

            for (PolicyKey policy : globalPolicies) {

            for (PolicyKey policy : globalPolicies) {

                PolicyState<?> policyState = mGlobalPolicies.get(policy);

                PolicyState<?> policyState = mGlobalPolicies.get(policy);

                }

                }

            }

            }

        }

        }

    }

    /**

    /**

     * Removes all local policies for the provided {@code userId}.

     * Removes all local policies for the provided {@code userId}.

     */

     */

    private void removeLocalPoliciesForUser(int userId) {

    private void removeLocalPoliciesForUser(int userId) {

        synchronized (mLock) {

            if (!mLocalPolicies.contains(userId)) {

            if (!mLocalPolicies.contains(userId)) {

                // No policies on user

                // No policies on user

                return;

                return;

            mLocalPolicies.remove(userId);

            mLocalPolicies.remove(userId);

        }

        }

    }

    /**

    /**

     * Removes all local and global policies for admins installed in the provided

     * Removes all local and global policies for admins installed in the provided

     */

     */

    private void updateDeviceAdminServiceOnPolicyRemoveLocked(

    private void updateDeviceAdminServiceOnPolicyRemoveLocked(

            @NonNull EnforcingAdmin enforcingAdmin) {

            @NonNull EnforcingAdmin enforcingAdmin) {

        if (doesAdminHavePolicies(enforcingAdmin)) {

        if (doesAdminHavePoliciesLocked(enforcingAdmin)) {

            return;

            return;

        }

        }

        int userId = enforcingAdmin.getUserId();

        int userId = enforcingAdmin.getUserId();

                /* actionForLog= */ "policy-removed");

                /* actionForLog= */ "policy-removed");

    }

    }

    private boolean doesAdminHavePolicies(@NonNull EnforcingAdmin enforcingAdmin) {

    private boolean doesAdminHavePoliciesLocked(@NonNull EnforcingAdmin enforcingAdmin) {

        for (PolicyKey policy : mGlobalPolicies.keySet()) {

        for (PolicyKey policy : mGlobalPolicies.keySet()) {

            PolicyState<?> policyState = mGlobalPolicies.get(policy);

            PolicyState<?> policyState = mGlobalPolicies.get(policy);

            if (policyState.getPoliciesSetByAdmins().containsKey(enforcingAdmin)) {

            if (policyState.getPoliciesSetByAdmins().containsKey(enforcingAdmin)) {

    @NonNull

    @NonNull

    private Set<EnforcingAdmin> getEnforcingAdminsOnUser(int userId) {

    private Set<EnforcingAdmin> getEnforcingAdminsOnUser(int userId) {

        synchronized (mLock) {

            return mEnforcingAdmins.contains(userId)

            return mEnforcingAdmins.contains(userId)

                    ? mEnforcingAdmins.get(userId) : Collections.emptySet();

                    ? mEnforcingAdmins.get(userId) : Collections.emptySet();

        }

        }

    }

    private void write() {

    private void write() {

        synchronized (mLock) {

            Log.d(TAG, "Writing device policies to file.");

            Log.d(TAG, "Writing device policies to file.");

            new DevicePoliciesReaderWriter().writeToFileLocked();

            new DevicePoliciesReaderWriter().writeToFileLocked();

        }

        }

    }

    // TODO(b/256852787): trigger resolving logic after loading policies as roles are recalculated

    // TODO(b/256852787): trigger resolving logic after loading policies as roles are recalculated

    //  and could result in a different enforced policy

    //  and could result in a different enforced policy

        synchronized (mLock) {

        synchronized (mLock) {

            clear();

            clear();

            new DevicePoliciesReaderWriter().readFromFileLocked();

            new DevicePoliciesReaderWriter().readFromFileLocked();

            reapplyAllPolicies();

            reapplyAllPoliciesLocked();

        }

        }

    }

    }

    private <V> void reapplyAllPolicies() {

    private <V> void reapplyAllPoliciesLocked() {

        for (PolicyKey policy : mGlobalPolicies.keySet()) {

        for (PolicyKey policy : mGlobalPolicies.keySet()) {

            PolicyState<?> policyState = mGlobalPolicies.get(policy);

            PolicyState<?> policyState = mGlobalPolicies.get(policy);

            // Policy definition and value will always be of the same type

            // Policy definition and value will always be of the same type

     * <p>Note that this doesn't clear any enforcements, it only clears the data structures.

     * <p>Note that this doesn't clear any enforcements, it only clears the data structures.

     */

     */

    void clearAllPolicies() {

    void clearAllPolicies() {

        synchronized (mLock) {

        clear();

        clear();

        write();

        write();

    }

    }

    }

    private void clear() {

    private void clear() {

        synchronized (mLock) {

        synchronized (mLock) {

            mGlobalPolicies.clear();

            mGlobalPolicies.clear();

        mUserData = new SparseArray<>();

        mUserData = new SparseArray<>();

        mOwners = makeOwners(injector, pathProvider);

        mOwners = makeOwners(injector, pathProvider);

        mDevicePolicyEngine = new DevicePolicyEngine(mContext, mDeviceAdminServiceController);

        mDevicePolicyEngine = new DevicePolicyEngine(

                mContext, mDeviceAdminServiceController, getLockObject());

        if (!mHasFeature) {

        if (!mHasFeature) {

            // Skip the rest of the initialization

            // Skip the rest of the initialization