Merge "DO NOT MERGE Check fingerprint client against top activity in auth callback" into qt-dev

package com.android.server.biometrics;

package com.android.server.biometrics;

import android.app.ActivityManager;

import android.app.ActivityTaskManager;

import android.content.ComponentName;

import android.content.Context;

import android.content.Context;

import android.content.pm.ApplicationInfo;

import android.hardware.biometrics.BiometricAuthenticator;

import android.hardware.biometrics.BiometricAuthenticator;

import android.hardware.biometrics.BiometricConstants;

import android.hardware.biometrics.BiometricConstants;

import android.hardware.biometrics.BiometricsProtoEnums;

import android.hardware.biometrics.BiometricsProtoEnums;

import android.os.IBinder;

import android.os.IBinder;

import android.os.RemoteException;

import android.os.RemoteException;

import android.security.KeyStore;

import android.security.KeyStore;

import android.util.EventLog;

import android.util.Slog;

import android.util.Slog;

import java.util.ArrayList;

import java.util.ArrayList;

import java.util.List;

/**

/**

 * A class to keep track of the authentication state for a given client.

 * A class to keep track of the authentication state for a given client.

                    + ", requireConfirmation: " + mRequireConfirmation

                    + ", requireConfirmation: " + mRequireConfirmation

                    + ", user: " + getTargetUserId());

                    + ", user: " + getTargetUserId());

            // Ensure authentication only succeeds if the client activity is on top or is keyguard.

            boolean isBackgroundAuth = false;

            if (authenticated && !Utils.isKeyguard(getContext(), getOwnerString())) {

                try {

                    final List<ActivityManager.RunningTaskInfo> tasks =

                            ActivityTaskManager.getService().getTasks(1);

                    if (tasks == null || tasks.isEmpty()) {

                        Slog.e(TAG, "No running tasks reported");

                        isBackgroundAuth = true;

                    } else {

                        final ComponentName topActivity = tasks.get(0).topActivity;

                        if (topActivity == null) {

                            Slog.e(TAG, "Unable to get top activity");

                            isBackgroundAuth = true;

                        } else {

                            final String topPackage = topActivity.getPackageName();

                            if (!topPackage.contentEquals(getOwnerString())) {

                                Slog.e(TAG, "Background authentication detected, top: " + topPackage

                                        + ", client: " + this);

                                isBackgroundAuth = true;

                            }

                        }

                    }

                } catch (RemoteException e) {

                    Slog.e(TAG, "Unable to get running tasks", e);

                    isBackgroundAuth = true;

                }

            }

            // Fail authentication if we can't confirm the client activity is on top.

            if (isBackgroundAuth) {

                Slog.e(TAG, "Failing possible background authentication");

                authenticated = false;

                // SafetyNet logging for exploitation attempts of b/159249069.

                final ApplicationInfo appInfo = getContext().getApplicationInfo();

                EventLog.writeEvent(0x534e4554, "159249069", appInfo != null ? appInfo.uid : -1,

                        "Attempted background authentication");

            }

            if (authenticated) {

            if (authenticated) {

                // SafetyNet logging for b/159249069 if constraint is violated.

                if (isBackgroundAuth) {

                    final ApplicationInfo appInfo = getContext().getApplicationInfo();

                    EventLog.writeEvent(0x534e4554, "159249069", appInfo != null ? appInfo.uid : -1,

                            "Successful background authentication!");

                }

                mAlreadyDone = true;

                mAlreadyDone = true;

                if (listener != null) {

                if (listener != null) {

package com.android.server.biometrics;

package com.android.server.biometrics;

import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL;

import android.content.ComponentName;

import android.content.Context;

import android.content.Context;

import android.content.pm.PackageManager;

import android.os.Build;

import android.os.Build;

import android.provider.Settings;

import android.provider.Settings;

import com.android.internal.R;

public class Utils {

public class Utils {

    public static boolean isDebugEnabled(Context context, int targetUserId) {

    public static boolean isDebugEnabled(Context context, int targetUserId) {

        if (!(Build.IS_ENG || Build.IS_USERDEBUG)) {

        if (!(Build.IS_ENG || Build.IS_USERDEBUG)) {

        }

        }

        return true;

        return true;

    }

    }

    static boolean isKeyguard(Context context, String clientPackage) {

        final boolean hasPermission = context.checkCallingOrSelfPermission(USE_BIOMETRIC_INTERNAL)

                == PackageManager.PERMISSION_GRANTED;

        final ComponentName keyguardComponent = ComponentName.unflattenFromString(

                context.getResources().getString(R.string.config_keyguardComponent));

        final String keyguardPackage = keyguardComponent != null

                ? keyguardComponent.getPackageName() : null;

        return hasPermission && keyguardPackage != null && keyguardPackage.equals(clientPackage);

    }

}

}