Merge cherrypicks of ['googleplex-android-review.googlesource.com/29613539',...

        }

        // Disable back gesture on the hub, but not when the shade is showing.

        if ((sysuiStateFlags & SYSUI_STATE_COMMUNAL_HUB_SHOWING) != 0) {

            return (sysuiStateFlags & SYSUI_STATE_NOTIFICATION_PANEL_VISIBLE) == 0;

            // Use QS expanded signal as the notification panel is always considered visible

            // expanded when on the lock screen and when opening hub over lock screen. This does

            // mean that back gesture is disabled when opening shade over hub while in portrait

            // mode, since QS is not expanded.

            // TODO(b/370108274): allow back gesture on shade over hub in portrait

            return (sysuiStateFlags & SYSUI_STATE_QUICK_SETTINGS_EXPANDED) == 0;

        }

        if ((sysuiStateFlags & SYSUI_STATE_ALLOW_GESTURE_IGNORING_BAR_VISIBILITY) != 0) {

            sysuiStateFlags &= ~SYSUI_STATE_NAV_BAR_HIDDEN;

import com.android.systemui.SysuiTestCase

import com.android.systemui.shared.system.QuickStepContract.SYSUI_STATE_BOUNCER_SHOWING

import com.android.systemui.shared.system.QuickStepContract.SYSUI_STATE_COMMUNAL_HUB_SHOWING

import com.android.systemui.shared.system.QuickStepContract.SYSUI_STATE_NOTIFICATION_PANEL_VISIBLE

import com.android.systemui.shared.system.QuickStepContract.SYSUI_STATE_QUICK_SETTINGS_EXPANDED

import com.google.common.truth.Truth.assertThat

import kotlin.test.Test

import org.junit.runner.RunWith

    }

    @Test

    fun isBackGestureDisabled_hubAndShadeShowing() {

    fun isBackGestureDisabled_hubAndQSExpanded() {

        val sysuiStateFlags =

            SYSUI_STATE_COMMUNAL_HUB_SHOWING and SYSUI_STATE_NOTIFICATION_PANEL_VISIBLE

            SYSUI_STATE_COMMUNAL_HUB_SHOWING and SYSUI_STATE_QUICK_SETTINGS_EXPANDED

        // Gestures are enabled because the shade shows over the hub.

        assertThat(

                return -1;

            }

            if (!Utils.isValidAuthenticatorConfig(promptInfo)) {

            if (!Utils.isValidAuthenticatorConfig(getContext(), promptInfo)) {

                throw new SecurityException("Invalid authenticator configuration");

            }

                    + ", Caller=" + callingUserId

                    + ", Authenticators=" + authenticators);

            if (!Utils.isValidAuthenticatorConfig(authenticators)) {

            if (!Utils.isValidAuthenticatorConfig(getContext(), authenticators)) {

                throw new SecurityException("Invalid authenticator configuration");

            }

                    + ", Caller=" + callingUserId

                    + ", Authenticators=" + authenticators);

            if (!Utils.isValidAuthenticatorConfig(authenticators)) {

            if (!Utils.isValidAuthenticatorConfig(getContext(), authenticators)) {

                throw new SecurityException("Invalid authenticator configuration");

            }

            Slog.d(TAG, "getSupportedModalities: Authenticators=" + authenticators);

            if (!Utils.isValidAuthenticatorConfig(authenticators)) {

            if (!Utils.isValidAuthenticatorConfig(getContext(), authenticators)) {

                throw new SecurityException("Invalid authenticator configuration");

            }

package com.android.server.biometrics;

import static android.Manifest.permission.SET_BIOMETRIC_DIALOG_ADVANCED;

import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL;

import static android.app.ActivityManager.RunningAppProcessInfo.IMPORTANCE_FOREGROUND_SERVICE;

import static android.hardware.biometrics.BiometricManager.Authenticators;

     * @param promptInfo

     * @return

     */

    static boolean isValidAuthenticatorConfig(PromptInfo promptInfo) {

    static boolean isValidAuthenticatorConfig(Context context, PromptInfo promptInfo) {

        final int authenticators = promptInfo.getAuthenticators();

        return isValidAuthenticatorConfig(authenticators);

        return isValidAuthenticatorConfig(context, authenticators);

    }

    /**

     * Checks if the authenticator configuration is a valid combination of the public APIs

     * @param authenticators

     * @return

     * Checks if the authenticator configuration is a valid combination of the public APIs.

     *

     * throws {@link SecurityException} if the caller requests for mandatory biometrics without

     * {@link SET_BIOMETRIC_DIALOG_ADVANCED} permission

     */

    static boolean isValidAuthenticatorConfig(int authenticators) {

    static boolean isValidAuthenticatorConfig(Context context, int authenticators) {

        // The caller is not required to set the authenticators. But if they do, check the below.

        if (authenticators == 0) {

            return true;

        // Check if any of the non-biometric and non-credential bits are set. If so, this is

        // invalid.

        final int testBits = ~(Authenticators.DEVICE_CREDENTIAL

        final int testBits;

        if (Flags.mandatoryBiometrics()) {

            testBits = ~(Authenticators.DEVICE_CREDENTIAL

                    | Authenticators.BIOMETRIC_MIN_STRENGTH

                    | Authenticators.MANDATORY_BIOMETRICS);

        } else {

            testBits = ~(Authenticators.DEVICE_CREDENTIAL

                    | Authenticators.BIOMETRIC_MIN_STRENGTH);

        }

        if ((authenticators & testBits) != 0) {

            Slog.e(BiometricService.TAG, "Non-biometric, non-credential bits found."

                    + " Authenticators: " + authenticators);

        } else if (biometricBits == Authenticators.BIOMETRIC_WEAK) {

            return true;

        } else if (isMandatoryBiometricsRequested(authenticators)) {

            //TODO(b/347123256): Update CTS test

            context.enforceCallingOrSelfPermission(SET_BIOMETRIC_DIALOG_ADVANCED,

                    "Must have SET_BIOMETRIC_DIALOG_ADVANCED permission");

            return true;

        }

import android.app.IProcessObserver;

import android.app.KeyguardManager;

import android.app.compat.CompatChanges;

import android.app.role.RoleManager;

import android.companion.AssociationRequest;

import android.compat.annotation.ChangeId;

import android.compat.annotation.EnabledSince;

import android.content.ComponentName;

/**

 * Manages MediaProjection sessions.

 *

 * <p>

 * The {@link MediaProjectionManagerService} manages the creation and lifetime of MediaProjections,

 * as well as the capabilities they grant. Any service using MediaProjection tokens as permission

 * grants <b>must</b> validate the token before use by calling {@link

    private final PackageManager mPackageManager;

    private final WindowManagerInternal mWmInternal;

    private final KeyguardManager mKeyguardManager;

    private final RoleManager mRoleManager;

    private final MediaRouter mMediaRouter;

    private final MediaRouterCallback mMediaRouterCallback;

        mKeyguardManager = (KeyguardManager) mContext.getSystemService(Context.KEYGUARD_SERVICE);

        mKeyguardManager.addKeyguardLockedStateListener(

                mContext.getMainExecutor(), this::onKeyguardLockedStateChanged);

        mRoleManager = mContext.getSystemService(RoleManager.class);

        Watchdog.getInstance().addMonitor(this);

    }

     *   - be one of the bugreport allowlisted packages, or

     *   - hold the OP_PROJECT_MEDIA AppOp.

     */

    @SuppressWarnings("BooleanMethodIsAlwaysInverted")

    private boolean canCaptureKeyguard() {

        if (!android.companion.virtualdevice.flags.Flags.mediaProjectionKeyguardRestrictions()) {

            return true;

            if (mPackageManager.checkPermission(RECORD_SENSITIVE_CONTENT,

                    mProjectionGrant.packageName)

                    == PackageManager.PERMISSION_GRANTED) {

                Slog.v(TAG,

                        "Allowing keyguard capture for package with RECORD_SENSITIVE_CONTENT "

                                + "permission");

                return true;

            }

            boolean operationActive = mAppOps.isOperationActive(AppOpsManager.OP_PROJECT_MEDIA,

                    mProjectionGrant.uid,

                    mProjectionGrant.packageName);

            if (operationActive) {

            if (AppOpsManager.MODE_ALLOWED == mAppOps.noteOpNoThrow(AppOpsManager.OP_PROJECT_MEDIA,

                    mProjectionGrant.uid, mProjectionGrant.packageName, /* attributionTag= */ null,

                    "recording lockscreen")) {

                // Some tools use media projection by granting the OP_PROJECT_MEDIA app

                // op via a shell command. Those tools can be granted keyguard capture

                Slog.v(TAG,

                        "Allowing keyguard capture for package with OP_PROJECT_MEDIA AppOp ");

                return true;

            }

            if (isProjectionAppHoldingAppStreamingRoleLocked()) {

                Slog.v(TAG,

                        "Allowing keyguard capture for package holding app streaming role.");

                return true;

            }

            return SystemConfig.getInstance().getBugreportWhitelistedPackages()

        }

    }

    /**

     * Application holding the app streaming role

     * ({@value AssociationRequest#DEVICE_PROFILE_APP_STREAMING}) are allowed to record the

     * lockscreen.

     *

     * @return true if the is held by the recording application.

     */

    @GuardedBy("mLock")

    private boolean isProjectionAppHoldingAppStreamingRoleLocked() {

        return mRoleManager.getRoleHoldersAsUser(AssociationRequest.DEVICE_PROFILE_APP_STREAMING,

                        mContext.getUser())

                .contains(mProjectionGrant.packageName);

    }

    private void dump(final PrintWriter pw) {

        pw.println("MEDIA PROJECTION MANAGER (dumpsys media_projection)");

        synchronized (mLock) {