Migrate reset password token APIs (79b1fd6a) · Commits · e / os / android_frameworks_base

core/java/android/app/admin/DevicePolicyManager.java

+13 −7

Original line number	Diff line number	Diff line
		@@ -4020,26 +4020,26 @@ public class DevicePolicyManager {
		return MTE_NOT_CONTROLLED_BY_POLICY;
		}

		// TODO: Expose this as SystemAPI once we add the query API
		// TODO: Expose this as a public API
		/**
		* @hide
		*/
		public static final String AUTO_TIMEZONE_POLICY = "autoTimezone";

		// TODO: Expose this as SystemAPI once we add the query API
		// TODO: Expose this as a public API
		/**
		* @hide
		*/
		public static final String PERMISSION_GRANT_POLICY = "permissionGrant";


		// TODO: Expose this as SystemAPI once we add the query API
		// TODO: Expose this as a public API
		/**
		* @hide
		*/
		public static final String LOCK_TASK_POLICY = "lockTask";

		// TODO: Expose this as SystemAPI once we add the query API
		// TODO: Expose this as a public API
		/**
		* @hide
		*/
		@@ -4047,25 +4047,31 @@ public class DevicePolicyManager {
		"userControlDisabledPackages";


		// TODO: Expose this as SystemAPI once we add the query API
		// TODO: Expose this as a public API
		/**
		* @hide
		*/
		public static final String PERSISTENT_PREFERRED_ACTIVITY_POLICY =
		"persistentPreferredActivity";

		// TODO: Expose this as SystemAPI once we add the query API
		// TODO: Expose this as a public API
		/**
		* @hide
		*/
		public static final String PACKAGE_UNINSTALL_BLOCKED_POLICY = "packageUninstallBlocked";

		// TODO: Expose this as SystemAPI once we add the query API
		// TODO: Expose this as a public API
		/**
		* @hide
		*/
		public static final String APPLICATION_RESTRICTIONS_POLICY = "applicationRestrictions";

		// TODO: Expose this as a public API
		/**
		* @hide
		*/
		public static final String RESET_PASSWORD_TOKEN_POLICY = "resetPasswordToken";

		/**
		* This object is a single place to tack on invalidation and disable calls. All
		* binder caches in this class derive from this Config, so all can be invalidated or

core/java/android/app/admin/LongPolicyValue.java

0 → 100644

+79 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (C) 2023 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		package android.app.admin;

		import android.annotation.NonNull;
		import android.annotation.Nullable;
		import android.os.Parcel;

		import java.util.Objects;

		/**
		* @hide
		*/
		public final class LongPolicyValue extends PolicyValue<Long> {

		public LongPolicyValue(long value) {
		super(value);
		}

		private LongPolicyValue(Parcel source) {
		this(source.readLong());
		}

		@Override
		public boolean equals(@Nullable Object o) {
		if (this == o) return true;
		if (o == null \|\| getClass() != o.getClass()) return false;
		LongPolicyValue other = (LongPolicyValue) o;
		return Objects.equals(getValue(), other.getValue());
		}

		@Override
		public int hashCode() {
		return Objects.hash(getValue());
		}

		@Override
		public String toString() {
		return "LongPolicyValue { mValue= " + getValue() + " }";
		}

		@Override
		public int describeContents() {
		return 0;
		}

		@Override
		public void writeToParcel(@NonNull Parcel dest, int flags) {
		dest.writeLong(getValue());
		}

		@NonNull
		public static final Creator<LongPolicyValue> CREATOR =
		new Creator<LongPolicyValue>() {
		@Override
		public LongPolicyValue createFromParcel(Parcel source) {
		return new LongPolicyValue(source);
		}

		@Override
		public LongPolicyValue[] newArray(int size) {
		return new LongPolicyValue[size];
		}
		};
		}

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java

+3 −2

Original line number	Diff line number	Diff line
		@@ -555,8 +555,9 @@ final class DevicePolicyEngine {
		if (!hasLocalPolicyLocked(policyDefinition, userId)) {
		return null;
		}
		return getLocalPolicyStateLocked(policyDefinition, userId)
		.getPoliciesSetByAdmins().get(enforcingAdmin).getValue();
		PolicyValue<V> value = getLocalPolicyStateLocked(policyDefinition, userId)
		.getPoliciesSetByAdmins().get(enforcingAdmin);
		return value == null ? null : value.getValue();
		}
		}

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+120 −45

Original line number	Diff line number	Diff line
		@@ -235,6 +235,7 @@ import android.app.admin.IDevicePolicyManager;
		import android.app.admin.IntegerPolicyValue;
		import android.app.admin.IntentFilterPolicyKey;
		import android.app.admin.LockTaskPolicy;
		import android.app.admin.LongPolicyValue;
		import android.app.admin.ManagedProfileProvisioningParams;
		import android.app.admin.ManagedSubscriptionsPolicy;
		import android.app.admin.NetworkEvent;
		@@ -16997,22 +16998,51 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final CallerIdentity caller = getCallerIdentity(admin);
		Preconditions.checkCallAuthorization(
		isProfileOwner(caller) \|\| isDefaultDeviceOwner(caller));
		final int userId = caller.getUserId();

		if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) {
		EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin(
		admin, userId);
		Long currentTokenHandle = mDevicePolicyEngine.getLocalPolicySetByAdmin(
		PolicyDefinition.RESET_PASSWORD_TOKEN,
		enforcingAdmin,
		userId);
		long tokenHandle = addEscrowToken(
		token, currentTokenHandle == null ? 0 : currentTokenHandle, userId);
		if (tokenHandle == 0) {
		return false;
		}
		mDevicePolicyEngine.setLocalPolicy(
		PolicyDefinition.RESET_PASSWORD_TOKEN,
		enforcingAdmin,
		new LongPolicyValue(tokenHandle),
		userId);
		return true;
		} else {
		synchronized (getLockObject()) {
		final int userHandle = caller.getUserId();
		DevicePolicyData policy = getUserData(userId);
		policy.mPasswordTokenHandle = addEscrowToken(
		token, policy.mPasswordTokenHandle, userId);
		saveSettingsLocked(userId);
		return policy.mPasswordTokenHandle != 0;
		}
		}
		}

		DevicePolicyData policy = getUserData(userHandle);
		private long addEscrowToken(byte[] token, long currentPasswordTokenHandle, int userId) {
		resetEscrowToken(currentPasswordTokenHandle, userId);
		return mInjector.binderWithCleanCallingIdentity(() -> mLockPatternUtils.addEscrowToken(
		token, userId, /* EscrowTokenStateChangeCallback= */ null));
		}

		private boolean resetEscrowToken(long tokenHandle, int userId) {
		return mInjector.binderWithCleanCallingIdentity(() -> {
		if (policy.mPasswordTokenHandle != 0) {
		mLockPatternUtils.removeEscrowToken(policy.mPasswordTokenHandle, userHandle);
		if (tokenHandle != 0) {
		return mLockPatternUtils.removeEscrowToken(tokenHandle, userId);
		}
		policy.mPasswordTokenHandle = mLockPatternUtils.addEscrowToken(token,
		userHandle, /EscrowTokenStateChangeCallback/ null);
		saveSettingsLocked(userHandle);
		return policy.mPasswordTokenHandle != 0;
		return false;
		});
		}
		}

		@Override
		public boolean clearResetPasswordToken(ComponentName admin) {
		@@ -17022,22 +17052,34 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final CallerIdentity caller = getCallerIdentity(admin);
		Preconditions.checkCallAuthorization(
		isProfileOwner(caller) \|\| isDefaultDeviceOwner(caller));
		final int userId = caller.getUserId();
		boolean result = false;

		if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) {
		EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin(
		admin, userId);
		Long currentTokenHandle = mDevicePolicyEngine.getLocalPolicySetByAdmin(
		PolicyDefinition.RESET_PASSWORD_TOKEN,
		enforcingAdmin,
		userId);
		if (currentTokenHandle != null) {
		result = resetEscrowToken(currentTokenHandle, userId);
		mDevicePolicyEngine.removeLocalPolicy(
		PolicyDefinition.RESET_PASSWORD_TOKEN,
		enforcingAdmin,
		userId);
		}
		} else {
		synchronized (getLockObject()) {
		final int userHandle = caller.getUserId();

		DevicePolicyData policy = getUserData(userHandle);
		DevicePolicyData policy = getUserData(userId);
		if (policy.mPasswordTokenHandle != 0) {
		return mInjector.binderWithCleanCallingIdentity(() -> {
		boolean result = mLockPatternUtils.removeEscrowToken(
		policy.mPasswordTokenHandle, userHandle);
		result = resetEscrowToken(policy.mPasswordTokenHandle, userId);
		policy.mPasswordTokenHandle = 0;
		saveSettingsLocked(userHandle);
		return result;
		});
		saveSettingsLocked(userId);
		}
		}
		return false;
		}
		return result;
		}

		@Override
		@@ -17049,16 +17091,30 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		Preconditions.checkCallAuthorization(
		isProfileOwner(caller) \|\| isDefaultDeviceOwner(caller));

		int userId = caller.getUserId();

		if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) {
		EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin(
		admin, userId);
		Long currentTokenHandle = mDevicePolicyEngine.getLocalPolicySetByAdmin(
		PolicyDefinition.RESET_PASSWORD_TOKEN,
		enforcingAdmin,
		userId);
		return isResetPasswordTokenActiveForUserLocked(
		currentTokenHandle == null ? 0 : currentTokenHandle, userId);
		} else {
		synchronized (getLockObject()) {
		return isResetPasswordTokenActiveForUserLocked(caller.getUserId());
		DevicePolicyData policy = getUserData(userId);
		return isResetPasswordTokenActiveForUserLocked(policy.mPasswordTokenHandle, userId);
		}
		}
		}

		private boolean isResetPasswordTokenActiveForUserLocked(int userHandle) {
		DevicePolicyData policy = getUserData(userHandle);
		if (policy.mPasswordTokenHandle != 0) {
		private boolean isResetPasswordTokenActiveForUserLocked(
		long passwordTokenHandle, int userHandle) {
		if (passwordTokenHandle != 0) {
		return mInjector.binderWithCleanCallingIdentity(() ->
		mLockPatternUtils.isEscrowTokenActive(policy.mPasswordTokenHandle, userHandle));
		mLockPatternUtils.isEscrowTokenActive(passwordTokenHandle, userHandle));
		}
		return false;
		}
		@@ -17075,12 +17131,34 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		Preconditions.checkCallAuthorization(
		isProfileOwner(caller) \|\| isDefaultDeviceOwner(caller));

		int userId = caller.getUserId();
		boolean result = false;
		final String password = passwordOrNull != null ? passwordOrNull : "";

		if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) {
		EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin(
		admin, userId);
		Long currentTokenHandle = mDevicePolicyEngine.getLocalPolicySetByAdmin(
		PolicyDefinition.RESET_PASSWORD_TOKEN,
		enforcingAdmin,
		userId);
		if (currentTokenHandle != null && currentTokenHandle != 0) {
		result = resetPasswordInternal(password, currentTokenHandle, token, flags, caller);
		} else {
		Slogf.w(LOG_TAG, "No saved token handle");
		}
		} else {
		synchronized (getLockObject()) {
		DevicePolicyData policy = getUserData(caller.getUserId());
		DevicePolicyData policy = getUserData(userId);
		if (policy.mPasswordTokenHandle != 0) {
		final String password = passwordOrNull != null ? passwordOrNull : "";
		final boolean result = resetPasswordInternal(password, policy.mPasswordTokenHandle,
		token, flags, caller);
		result = resetPasswordInternal(
		password, policy.mPasswordTokenHandle, token, flags, caller);
		} else {
		Slogf.w(LOG_TAG, "No saved token handle");
		}
		}
		}

		if (result) {
		DevicePolicyEventLogger
		.createEvent(DevicePolicyEnums.RESET_PASSWORD_WITH_TOKEN)
		@@ -17088,11 +17166,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		.write();
		}
		return result;
		} else {
		Slogf.w(LOG_TAG, "No saved token handle");
		}
		}
		return false;
		}

		@Override
		@@ -18785,9 +18858,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		"call canProfileOwnerResetPasswordWhenLocked"));
		synchronized (getLockObject()) {
		final ActiveAdmin poAdmin = getProfileOwnerAdminLocked(userId);
		DevicePolicyData policy = getUserData(userId);
		if (poAdmin == null
		\|\| getEncryptionStatus() != ENCRYPTION_STATUS_ACTIVE_PER_USER
		\|\| !isResetPasswordTokenActiveForUserLocked(userId)) {
		\|\| !isResetPasswordTokenActiveForUserLocked(
		policy.mPasswordTokenHandle, userId)) {
		return false;
		}
		final ApplicationInfo poAppInfo;

services/devicepolicy/java/com/android/server/devicepolicy/LongPolicySerializer.java

0 → 100644

+53 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (C) 2022 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		package com.android.server.devicepolicy;

		import android.annotation.NonNull;
		import android.annotation.Nullable;
		import android.app.admin.LongPolicyValue;
		import android.app.admin.PolicyKey;
		import android.util.Log;

		import com.android.modules.utils.TypedXmlPullParser;
		import com.android.modules.utils.TypedXmlSerializer;

		import org.xmlpull.v1.XmlPullParserException;

		import java.io.IOException;
		import java.util.Objects;

		final class LongPolicySerializer extends PolicySerializer<Long> {

		@Override
		void saveToXml(PolicyKey policyKey, TypedXmlSerializer serializer, String attributeName,
		@NonNull Long value) throws IOException {
		Objects.requireNonNull(value);
		serializer.attributeLong(/* namespace= */ null, attributeName, value);
		}

		@Nullable
		@Override
		LongPolicyValue readFromXml(TypedXmlPullParser parser, String attributeName) {
		try {
		return new LongPolicyValue(
		parser.getAttributeLong(/* namespace= */ null, attributeName));
		} catch (XmlPullParserException e) {
		Log.e(DevicePolicyEngine.TAG, "Error parsing Long policy value", e);
		return null;
		}
		}
		}