Merge changes I06ce80ad,I33c42150 into main

@RequiresFeature(PackageManager.FEATURE_DEVICE_ADMIN)

public class DevicePolicyManager {

    /** @hide */

    public static final String DEPRECATE_USERMANAGERINTERNAL_DEVICEPOLICY_FLAG =

            "deprecate_usermanagerinternal_devicepolicy";

    /** @hide */

    public static final boolean DEPRECATE_USERMANAGERINTERNAL_DEVICEPOLICY_DEFAULT = true;

    /** @hide */

    public static final String ADD_ISFINANCED_DEVICE_FLAG =

            "add-isfinanced-device";

import static android.Manifest.permission.MANAGE_BIOMETRIC;

import static android.Manifest.permission.SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS;

import static android.Manifest.permission.SET_INITIAL_LOCK;

import static android.app.admin.DevicePolicyManager.DEPRECATE_USERMANAGERINTERNAL_DEVICEPOLICY_DEFAULT;

import static android.app.admin.DevicePolicyManager.DEPRECATE_USERMANAGERINTERNAL_DEVICEPOLICY_FLAG;

import static android.app.admin.DevicePolicyResources.Strings.Core.PROFILE_ENCRYPTED_DETAIL;

import static android.app.admin.DevicePolicyResources.Strings.Core.PROFILE_ENCRYPTED_MESSAGE;

import static android.app.admin.DevicePolicyResources.Strings.Core.PROFILE_ENCRYPTED_TITLE;

import android.os.storage.IStorageManager;

import android.os.storage.StorageManager;

import android.os.storage.StorageManagerInternal;

import android.provider.DeviceConfig;

import android.provider.Settings;

import android.security.AndroidKeyStoreMaintenance;

import android.security.KeyStoreAuthorization;

            return;

        }

        // TODO(b/258213147): Remove

        final long identity = Binder.clearCallingIdentity();

        try {

            if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_DEVICE_POLICY_MANAGER,

                    DEPRECATE_USERMANAGERINTERNAL_DEVICEPOLICY_FLAG,

                    DEPRECATE_USERMANAGERINTERNAL_DEVICEPOLICY_DEFAULT)) {

            if (mInjector.getDeviceStateCache().isUserOrganizationManaged(userId)) {

                Slog.i(TAG, "Organization managed users can have escrow token");

                return;

            }

            } else {

                final UserManagerInternal userManagerInternal = mInjector.getUserManagerInternal();

                // Managed profile should have escrow enabled

                if (userManagerInternal.isUserManaged(userId)) {

                    Slog.i(TAG, "Managed profile can have escrow token");

                    return;

                }

                // Devices with Device Owner should have escrow enabled on all users.

                if (userManagerInternal.isDeviceManaged()) {

                    Slog.i(TAG, "Corp-owned device can have escrow token");

                    return;

                }

            }

        } finally {

            Binder.restoreCallingIdentity(identity);

        }

    /** Removes a {@link UserLifecycleListener}. */

    public abstract void removeUserLifecycleListener(UserLifecycleListener listener);

    /**

     * Called by {@link com.android.server.devicepolicy.DevicePolicyManagerService} to update

     * whether the device is managed by device owner.

     *

     * @deprecated Use methods in {@link android.app.admin.DevicePolicyManagerInternal}.

     */

    @Deprecated

    // TODO(b/258213147): Remove

    public abstract void setDeviceManaged(boolean isManaged);

    /**

     * Returns whether the device is managed by device owner.

     *

     * @deprecated Use methods in {@link android.app.admin.DevicePolicyManagerInternal}.

     */

    @Deprecated

    // TODO(b/258213147): Remove

    public abstract boolean isDeviceManaged();

    /**

     * Called by {@link com.android.server.devicepolicy.DevicePolicyManagerService} to update

     * whether the user is managed by profile owner.

     *

     * @deprecated Use methods in {@link android.app.admin.DevicePolicyManagerInternal}.

     */

    // TODO(b/258213147): Remove

    @Deprecated

    public abstract void setUserManaged(int userId, boolean isManaged);

    /**

     * Whether a profile owner manages this user.

     *

     * @deprecated Use methods in {@link android.app.admin.DevicePolicyManagerInternal}.

     */

    // TODO(b/258213147): Remove

    @Deprecated

    public abstract boolean isUserManaged(int userId);

    /**

     * Called by {@link com.android.server.devicepolicy.DevicePolicyManagerService} to omit

     * restriction check, because DevicePolicyManager must always be able to set user icon

    private final LocalService mLocalService;

    @GuardedBy("mUsersLock")

    private boolean mIsDeviceManaged;

    @GuardedBy("mUsersLock")

    private final SparseBooleanArray mIsUserManaged = new SparseBooleanArray();

    @GuardedBy("mUserRestrictionsListeners")

    private final ArrayList<UserRestrictionsListener> mUserRestrictionsListeners =

            new ArrayList<>();

            if (!userInfo.isAdmin()) {

                return false;

            }

            // restricted profile can be created if there is no DO set and the admin user has no PO;

            return !mIsDeviceManaged && !mIsUserManaged.get(userId);

        }

        return !getDevicePolicyManagerInternal().isUserOrganizationManaged(userId);

    }

    @Override

        // Remove this user from the list

        synchronized (mUsersLock) {

            removeUserDataLU(userId);

            mIsUserManaged.delete(userId);

            getActivityManagerInternal().onUserRemoved(userId);

        }

        synchronized (mUserStates) {

            synchronized (mGuestRestrictions) {

                UserRestrictionsUtils.dumpRestrictions(pw, "    ", mGuestRestrictions);

            }

            synchronized (mUsersLock) {

            pw.println();

                pw.println("  Device managed: " + mIsDeviceManaged);

            synchronized (mUsersLock) {

                if (mRemovingUserIds.size() > 0) {

                    pw.println();

                    pw.println("  Recently removed userIds: " + mRecentlyRemovedIds);

                }

            }

        pw.print("    Last entered foreground: ");

        dumpTimeAgo(pw, tempStringBuilder, now, userData.mLastEnteredForegroundTimeMillis);

        pw.print("    Has profile owner: ");

        pw.println(mIsUserManaged.get(userId));

        // bedstead relies on this being here, even though since Android 14 this has always been

        // false. TODO(b/258213147) update bedstead and remove this.

        pw.println("    Has profile owner: false");

        pw.println("    Restrictions:");

        synchronized (mRestrictionsLock) {

            }

        }

        // TODO(b/258213147): Remove

        @Override

        public void setDeviceManaged(boolean isManaged) {

            synchronized (mUsersLock) {

                mIsDeviceManaged = isManaged;

            }

        }

        // TODO(b/258213147): Remove

        @Override

        public boolean isDeviceManaged() {

            synchronized (mUsersLock) {

                return mIsDeviceManaged;

            }

        }

        // TODO(b/258213147): Remove

        @Override

        public void setUserManaged(@UserIdInt int userId, boolean isManaged) {

            synchronized (mUsersLock) {

                mIsUserManaged.put(userId, isManaged);

            }

        }

        // TODO(b/258213147): Remove

        @Override

        public boolean isUserManaged(@UserIdInt int userId) {

            synchronized (mUsersLock) {

                return mIsUserManaged.get(userId);

            }

        }

        @Override

        public void setUserIcon(@UserIdInt int userId, Bitmap bitmap) {

            final long ident = Binder.clearCallingIdentity();

    private Owners makeOwners(Injector injector, PolicyPathProvider pathProvider) {

        return new Owners(

                injector.getUserManager(), injector.getUserManagerInternal(),

                injector.getUserManager(),

                injector.getPackageManagerInternal(),

                injector.getActivityTaskManagerInternal(),

                injector.getActivityManagerInternal(), mStateCache, pathProvider);