Merge "Guard setting of remote entry with a permission" into udc-dev

    method @NonNull public android.service.credentials.BeginCreateCredentialResponse.Builder addCreateEntry(@NonNull android.service.credentials.CreateEntry);

    method @NonNull public android.service.credentials.BeginCreateCredentialResponse build();

    method @NonNull public android.service.credentials.BeginCreateCredentialResponse.Builder setCreateEntries(@NonNull java.util.List<android.service.credentials.CreateEntry>);

    method @NonNull public android.service.credentials.BeginCreateCredentialResponse.Builder setRemoteCreateEntry(@Nullable android.service.credentials.RemoteEntry);

    method @NonNull @RequiresPermission("android.permission.PROVIDE_REMOTE_CREDENTIALS") public android.service.credentials.BeginCreateCredentialResponse.Builder setRemoteCreateEntry(@Nullable android.service.credentials.RemoteEntry);

  }

  public class BeginGetCredentialOption implements android.os.Parcelable {

    method @NonNull public android.service.credentials.BeginGetCredentialResponse.Builder setActions(@NonNull java.util.List<android.service.credentials.Action>);

    method @NonNull public android.service.credentials.BeginGetCredentialResponse.Builder setAuthenticationActions(@NonNull java.util.List<android.service.credentials.Action>);

    method @NonNull public android.service.credentials.BeginGetCredentialResponse.Builder setCredentialEntries(@NonNull java.util.List<android.service.credentials.CredentialEntry>);

    method @NonNull public android.service.credentials.BeginGetCredentialResponse.Builder setRemoteCredentialEntry(@Nullable android.service.credentials.RemoteEntry);

    method @NonNull @RequiresPermission("android.permission.PROVIDE_REMOTE_CREDENTIALS") public android.service.credentials.BeginGetCredentialResponse.Builder setRemoteCredentialEntry(@Nullable android.service.credentials.RemoteEntry);

  }

  public final class CallingAppInfo implements android.os.Parcelable {

    field public static final String PERFORM_SIM_ACTIVATION = "android.permission.PERFORM_SIM_ACTIVATION";

    field public static final String POWER_SAVER = "android.permission.POWER_SAVER";

    field public static final String PROVIDE_DEFAULT_ENABLED_CREDENTIAL_SERVICE = "android.permission.PROVIDE_DEFAULT_ENABLED_CREDENTIAL_SERVICE";

    field public static final String PROVIDE_HYBRID_CREDENTIAL_SERVICE = "android.permission.PROVIDE_HYBRID_CREDENTIAL_SERVICE";

    field public static final String PROVIDE_REMOTE_CREDENTIALS = "android.permission.PROVIDE_REMOTE_CREDENTIALS";

    field public static final String PROVIDE_RESOLVER_RANKER_SERVICE = "android.permission.PROVIDE_RESOLVER_RANKER_SERVICE";

    field public static final String PROVIDE_TRUST_AGENT = "android.permission.PROVIDE_TRUST_AGENT";

    field public static final String PROVISION_DEMO_DEVICE = "android.permission.PROVISION_DEMO_DEVICE";

package android.service.credentials;

import android.Manifest;

import android.annotation.NonNull;

import android.annotation.Nullable;

import android.annotation.RequiresPermission;

import android.os.Parcel;

import android.os.Parcelable;

         * result should be set to {@link android.app.Activity#RESULT_OK} and an extra with the

         * {@link CredentialProviderService#EXTRA_CREATE_CREDENTIAL_RESPONSE} key should be populated

         * with a {@link android.credentials.CreateCredentialResponse} object.

         *

         * <p> Note that as a provider service you will only be able to set a remote entry if :

         * - Provider service possesses the

         * {@link Manifest.permission.PROVIDE_REMOTE_CREDENTIALS} permission.

         * - Provider service is configured as the provider that can provide remote entries.

         *

         * If the above conditions are not met, setting back {@link BeginCreateCredentialResponse}

         * on the callback from {@link CredentialProviderService#onBeginCreateCredential}

         * will throw a {@link SecurityException}.

         */

        @RequiresPermission(Manifest.permission.PROVIDE_REMOTE_CREDENTIALS)

        public @NonNull Builder setRemoteCreateEntry(@Nullable RemoteEntry remoteCreateEntry) {

            mRemoteCreateEntry = remoteCreateEntry;

            return this;

package android.service.credentials;

import android.Manifest;

import android.annotation.NonNull;

import android.annotation.Nullable;

import android.annotation.RequiresPermission;

import android.os.Parcel;

import android.os.Parcelable;

         * result should be set to {@link android.app.Activity#RESULT_OK} and an extra with the

         * {@link CredentialProviderService#EXTRA_GET_CREDENTIAL_RESPONSE} key should be populated

         * with a {@link android.credentials.Credential} object.

         *

         * <p> Note that as a provider service you will only be able to set a remote entry if :

         * - Provider service possesses the

         * {@link Manifest.permission.PROVIDE_REMOTE_CREDENTIALS} permission.

         * - Provider service is configured as the provider that can provide remote entries.

         *

         * If the above conditions are not met, setting back {@link BeginGetCredentialResponse}

         * on the callback from {@link CredentialProviderService#onBeginGetCredential} will

         * throw a {@link SecurityException}.

         */

        @RequiresPermission(Manifest.permission.PROVIDE_REMOTE_CREDENTIALS)

        public @NonNull Builder setRemoteCredentialEntry(@Nullable RemoteEntry

                remoteCredentialEntry) {

            mRemoteCredentialEntry = remoteCredentialEntry;

import static com.android.internal.util.function.pooled.PooledLambda.obtainMessage;

import android.Manifest;

import android.annotation.CallSuper;

import android.annotation.NonNull;

import android.annotation.SdkConstant;

                            GetCredentialException>() {

                        @Override

                        public void onResult(BeginGetCredentialResponse result) {

                            // If provider service does not possess the HYBRID permission, this

                            // check will throw an exception in the provider process.

                            if (result.getRemoteCredentialEntry() != null) {

                                enforceRemoteEntryPermission();

                            }

                            try {

                                callback.onSuccess(result);

                            } catch (RemoteException e) {

            ));

            return transport;

        }

        private void enforceRemoteEntryPermission() {

            String permission =

                    Manifest.permission.PROVIDE_REMOTE_CREDENTIALS;

            getApplicationContext().enforceCallingOrSelfPermission(

                    permission,

                    String.format("Provider must have %s, in order to set a "

                            + "remote entry", permission)

            );

        }

        @Override

        public ICancellationSignal onBeginCreateCredential(BeginCreateCredentialRequest request,

                            BeginCreateCredentialResponse, CreateCredentialException>() {

                        @Override

                        public void onResult(BeginCreateCredentialResponse result) {

                            // If provider service does not possess the HYBRID permission, this

                            // check will throw an exception in the provider process.

                            if (result.getRemoteCreateEntry() != null) {

                                enforceRemoteEntryPermission();

                            }

                            try {

                                callback.onSuccess(result);

                            } catch (RemoteException e) {