Merge "Throw if admin sets password constraints that have no effect."

     * only imposed if the administrator has also requested either {@link #PASSWORD_QUALITY_NUMERIC}

     * , {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX}, {@link #PASSWORD_QUALITY_ALPHABETIC},

     * {@link #PASSWORD_QUALITY_ALPHANUMERIC}, or {@link #PASSWORD_QUALITY_COMPLEX} with

     * {@link #setPasswordQuality}.

     * {@link #setPasswordQuality}. If an app targeting SDK level

     * {@link android.os.Build.VERSION_CODES#R} and above enforces this constraint without settings

     * password quality to one of these values first, this method will throw

     * {@link IllegalStateException}.

     * <p>

     * On devices not supporting {@link PackageManager#FEATURE_SECURE_LOCK_SCREEN} feature, the

     * password is always treated as empty.

     *     restriction.

     * @throws SecurityException if {@code admin} is not an active administrator or {@code admin}

     *     does not use {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD}

     * @throws IllegalStateException if the calling app is targeting SDK level

     *     {@link android.os.Build.VERSION_CODES#R} and above and didn't set a sufficient password

     *     quality requirement prior to calling this method.

     */

    public void setPasswordMinimumLength(@NonNull ComponentName admin, int length) {

        if (mService != null) {

     * place immediately. To prompt the user for a new password, use

     * {@link #ACTION_SET_NEW_PASSWORD} or {@link #ACTION_SET_NEW_PARENT_PROFILE_PASSWORD} after

     * setting this value. This constraint is only imposed if the administrator has also requested

     * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The default value is 0.

     * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. If an app targeting

     * SDK level {@link android.os.Build.VERSION_CODES#R} and above enforces this constraint without

     * settings password quality to {@link #PASSWORD_QUALITY_COMPLEX} first, this method will throw

     * {@link IllegalStateException}. The default value is 0.

     * <p>

     * On devices not supporting {@link PackageManager#FEATURE_SECURE_LOCK_SCREEN} feature, the

     * password is always treated as empty.

     *            A value of 0 means there is no restriction.

     * @throws SecurityException if {@code admin} is not an active administrator or {@code admin}

     *             does not use {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD}

     * @throws IllegalStateException if the calling app is targeting SDK level

     *     {@link android.os.Build.VERSION_CODES#R} and above and didn't set a sufficient password

     *     quality requirement prior to calling this method.

     */

    public void setPasswordMinimumUpperCase(@NonNull ComponentName admin, int length) {

        if (mService != null) {

     * place immediately. To prompt the user for a new password, use

     * {@link #ACTION_SET_NEW_PASSWORD} or {@link #ACTION_SET_NEW_PARENT_PROFILE_PASSWORD} after

     * setting this value. This constraint is only imposed if the administrator has also requested

     * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The default value is 0.

     * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. If an app targeting

     * SDK level {@link android.os.Build.VERSION_CODES#R} and above enforces this constraint without

     * settings password quality to {@link #PASSWORD_QUALITY_COMPLEX} first, this method will throw

     * {@link IllegalStateException}. The default value is 0.

     * <p>

     * On devices not supporting {@link PackageManager#FEATURE_SECURE_LOCK_SCREEN} feature, the

     * password is always treated as empty.

     *            A value of 0 means there is no restriction.

     * @throws SecurityException if {@code admin} is not an active administrator or {@code admin}

     *             does not use {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD}

     * @throws IllegalStateException if the calling app is targeting SDK level

     *     {@link android.os.Build.VERSION_CODES#R} and above and didn't set a sufficient password

     *     quality requirement prior to calling this method.

     */

    public void setPasswordMinimumLowerCase(@NonNull ComponentName admin, int length) {

        if (mService != null) {

     * immediately. To prompt the user for a new password, use {@link #ACTION_SET_NEW_PASSWORD} or

     * {@link #ACTION_SET_NEW_PARENT_PROFILE_PASSWORD} after setting this value. This constraint is

     * only imposed if the administrator has also requested {@link #PASSWORD_QUALITY_COMPLEX} with

     * {@link #setPasswordQuality}. The default value is 1.

     * {@link #setPasswordQuality}. If an app targeting SDK level

     * {@link android.os.Build.VERSION_CODES#R} and above enforces this constraint without settings

     * password quality to {@link #PASSWORD_QUALITY_COMPLEX} first, this method will throw

     * {@link IllegalStateException}. The default value is 1.

     * <p>

     * On devices not supporting {@link PackageManager#FEATURE_SECURE_LOCK_SCREEN} feature, the

     * password is always treated as empty.

     *            0 means there is no restriction.

     * @throws SecurityException if {@code admin} is not an active administrator or {@code admin}

     *             does not use {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD}

     * @throws IllegalStateException if the calling app is targeting SDK level

     *     {@link android.os.Build.VERSION_CODES#R} and above and didn't set a sufficient password

     *     quality requirement prior to calling this method.

     */

    public void setPasswordMinimumLetters(@NonNull ComponentName admin, int length) {

        if (mService != null) {

     * place immediately. To prompt the user for a new password, use

     * {@link #ACTION_SET_NEW_PASSWORD} or {@link #ACTION_SET_NEW_PARENT_PROFILE_PASSWORD} after

     * setting this value. This constraint is only imposed if the administrator has also requested

     * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The default value is 1.

     * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. If an app targeting

     * SDK level {@link android.os.Build.VERSION_CODES#R} and above enforces this constraint without

     * settings password quality to {@link #PASSWORD_QUALITY_COMPLEX} first, this method will throw

     * {@link IllegalStateException}. The default value is 1.

     * <p>

     * On devices not supporting {@link PackageManager#FEATURE_SECURE_LOCK_SCREEN} feature, the

     * password is always treated as empty.

     *            value of 0 means there is no restriction.

     * @throws SecurityException if {@code admin} is not an active administrator or {@code admin}

     *             does not use {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD}

     * @throws IllegalStateException if the calling app is targeting SDK level

     *     {@link android.os.Build.VERSION_CODES#R} and above and didn't set a sufficient password

     *     quality requirement prior to calling this method.

     */

    public void setPasswordMinimumNumeric(@NonNull ComponentName admin, int length) {

        if (mService != null) {

     * immediately. To prompt the user for a new password, use {@link #ACTION_SET_NEW_PASSWORD} or

     * {@link #ACTION_SET_NEW_PARENT_PROFILE_PASSWORD} after setting this value. This constraint is

     * only imposed if the administrator has also requested {@link #PASSWORD_QUALITY_COMPLEX} with

     * {@link #setPasswordQuality}. The default value is 1.

     * {@link #setPasswordQuality}. If an app targeting SDK level

     * {@link android.os.Build.VERSION_CODES#R} and above enforces this constraint without settings

     * password quality to {@link #PASSWORD_QUALITY_COMPLEX} first, this method will throw

     * {@link IllegalStateException}. The default value is 1.

     * <p>

     * On devices not supporting {@link PackageManager#FEATURE_SECURE_LOCK_SCREEN} feature, the

     * password is always treated as empty.

     *            0 means there is no restriction.

     * @throws SecurityException if {@code admin} is not an active administrator or {@code admin}

     *             does not use {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD}

     * @throws IllegalStateException if the calling app is targeting SDK level

     *     {@link android.os.Build.VERSION_CODES#R} and above and didn't set a sufficient password

     *     quality requirement prior to calling this method.

     */

    public void setPasswordMinimumSymbols(@NonNull ComponentName admin, int length) {

        if (mService != null) {

     * one, so the change does not take place immediately. To prompt the user for a new password,

     * use {@link #ACTION_SET_NEW_PASSWORD} or {@link #ACTION_SET_NEW_PARENT_PROFILE_PASSWORD} after

     * setting this value. This constraint is only imposed if the administrator has also requested

     * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The default value is 0.

     * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. If an app targeting

     * SDK level {@link android.os.Build.VERSION_CODES#R} and above enforces this constraint without

     * settings password quality to {@link #PASSWORD_QUALITY_COMPLEX} first, this method will throw

     * {@link IllegalStateException}. The default value is 0.

     * <p>

     * On devices not supporting {@link PackageManager#FEATURE_SECURE_LOCK_SCREEN} feature, the

     * password is always treated as empty.

     *            0 means there is no restriction.

     * @throws SecurityException if {@code admin} is not an active administrator or {@code admin}

     *             does not use {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD}

     * @throws IllegalStateException if the calling app is targeting SDK level

     *     {@link android.os.Build.VERSION_CODES#R} and above and didn't set a sufficient password

     *     quality requirement prior to calling this method.

     */

    public void setPasswordMinimumNonLetter(@NonNull ComponentName admin, int length) {

        if (mService != null) {

                final PasswordMetrics metrics = ap.minimumPasswordMetrics;

                if (metrics.quality != quality) {

                    metrics.quality = quality;

                    resetInactivePasswordRequirementsIfRPlus(userId, ap);

                    updatePasswordValidityCheckpointLocked(userId, parent);

                    updatePasswordQualityCacheForUserGroup(userId);

                    saveSettingsLocked(userId);

                .write();

    }

    /**

     * For admins targeting R+ reset various password constraints to default values when quality is

     * set to a value that makes those constraints that have no effect.

     */

    private void resetInactivePasswordRequirementsIfRPlus(int userId, ActiveAdmin admin) {

        if (getTargetSdk(admin.info.getPackageName(), userId) > Build.VERSION_CODES.Q) {

            final PasswordMetrics metrics = admin.minimumPasswordMetrics;

            if (metrics.quality < PASSWORD_QUALITY_NUMERIC) {

                metrics.length = ActiveAdmin.DEF_MINIMUM_PASSWORD_LENGTH;

            }

            if (metrics.quality < PASSWORD_QUALITY_COMPLEX) {

                metrics.letters = ActiveAdmin.DEF_MINIMUM_PASSWORD_LETTERS;

                metrics.upperCase = ActiveAdmin.DEF_MINIMUM_PASSWORD_UPPER_CASE;

                metrics.lowerCase = ActiveAdmin.DEF_MINIMUM_PASSWORD_LOWER_CASE;

                metrics.numeric = ActiveAdmin.DEF_MINIMUM_PASSWORD_NUMERIC;

                metrics.symbols = ActiveAdmin.DEF_MINIMUM_PASSWORD_SYMBOLS;

                metrics.nonLetter = ActiveAdmin.DEF_MINIMUM_PASSWORD_NON_LETTER;

            }

        }

    }

    /**

     * Updates a flag that tells us whether the user's password currently satisfies the

     * requirements set by all of the user's active admins. The flag is updated both in memory

            ActiveAdmin ap = getActiveAdminForCallerLocked(

                    who, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent);

            final PasswordMetrics metrics = ap.minimumPasswordMetrics;

            ensureMinimumQuality(userId, ap, PASSWORD_QUALITY_NUMERIC, "setPasswordMinimumLength");

            if (metrics.length != length) {

                metrics.length = length;

                updatePasswordValidityCheckpointLocked(userId, parent);

                .write();

    }

    private void ensureMinimumQuality(

            int userId, ActiveAdmin admin, int minimumQuality, String operation) {

        if (admin.minimumPasswordMetrics.quality < minimumQuality

                && getTargetSdk(admin.info.getPackageName(), userId) > Build.VERSION_CODES.Q) {

            throw new IllegalStateException(String.format(

                    "password quality should be at least %d for %s", minimumQuality, operation));

        }

    }

    @Override

    public int getPasswordMinimumLength(ComponentName who, int userHandle, boolean parent) {

        return getStrictestPasswordRequirement(who, userHandle, parent,

                admin -> admin.minimumPasswordMetrics.length, PASSWORD_QUALITY_UNSPECIFIED);

                admin -> admin.minimumPasswordMetrics.length, PASSWORD_QUALITY_NUMERIC);

    }

    @Override

        synchronized (getLockObject()) {

            final ActiveAdmin ap = getActiveAdminForCallerLocked(

                    who, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent);

            ensureMinimumQuality(

                    userId, ap, PASSWORD_QUALITY_COMPLEX, "setPasswordMinimumUpperCase");

            final PasswordMetrics metrics = ap.minimumPasswordMetrics;

            if (metrics.upperCase != length) {

                metrics.upperCase = length;

        synchronized (getLockObject()) {

            ActiveAdmin ap = getActiveAdminForCallerLocked(

                    who, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent);

            ensureMinimumQuality(

                    userId, ap, PASSWORD_QUALITY_COMPLEX, "setPasswordMinimumLowerCase");

            final PasswordMetrics metrics = ap.minimumPasswordMetrics;

            if (metrics.lowerCase != length) {

                metrics.lowerCase = length;

        synchronized (getLockObject()) {

            ActiveAdmin ap = getActiveAdminForCallerLocked(

                    who, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent);

            ensureMinimumQuality(userId, ap, PASSWORD_QUALITY_COMPLEX, "setPasswordMinimumLetters");

            final PasswordMetrics metrics = ap.minimumPasswordMetrics;

            if (metrics.letters != length) {

                metrics.letters = length;

        synchronized (getLockObject()) {

            ActiveAdmin ap = getActiveAdminForCallerLocked(

                    who, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent);

            ensureMinimumQuality(userId, ap, PASSWORD_QUALITY_COMPLEX, "setPasswordMinimumNumeric");

            final PasswordMetrics metrics = ap.minimumPasswordMetrics;

            if (metrics.numeric != length) {

                metrics.numeric = length;

        synchronized (getLockObject()) {

            ActiveAdmin ap = getActiveAdminForCallerLocked(

                    who, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent);

            ensureMinimumQuality(userId, ap, PASSWORD_QUALITY_COMPLEX, "setPasswordMinimumSymbols");

            final PasswordMetrics metrics = ap.minimumPasswordMetrics;

            if (metrics.symbols != length) {

                ap.minimumPasswordMetrics.symbols = length;

        synchronized (getLockObject()) {

            ActiveAdmin ap = getActiveAdminForCallerLocked(

                    who, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent);

            ensureMinimumQuality(

                    userId, ap, PASSWORD_QUALITY_COMPLEX, "setPasswordMinimumNonLetter");

            final PasswordMetrics metrics = ap.minimumPasswordMetrics;

            if (metrics.nonLetter != length) {

                ap.minimumPasswordMetrics.nonLetter = length;