Update auth flags and state across secure lock device progress

import static android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE;

import static android.Manifest.permission.TEST_BIOMETRIC;

import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL;

import static android.hardware.biometrics.BiometricConstants.BIOMETRIC_ERROR_LOCKOUT;

import static android.hardware.biometrics.BiometricConstants.BIOMETRIC_ERROR_LOCKOUT_PERMANENT;

import static android.security.Flags.disableAdaptiveAuthCounterLock;

import static android.security.Flags.failedAuthLockToggle;

import static android.security.Flags.secureLockDevice;

import static android.security.Flags.secureLockdown;

import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.PRIMARY_AUTH_REQUIRED_FOR_SECURE_LOCK_DEVICE;

import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_ADAPTIVE_AUTH_REQUEST;

import android.annotation.EnforcePermission;

    static final int MAX_ALLOWED_FAILED_AUTH_ATTEMPTS = 5;

    private static final boolean DEFAULT_DISABLE_ADAPTIVE_AUTH_LIMIT_LOCK = false;

    private static final int MSG_REPORT_PRIMARY_AUTH_ATTEMPT = 1;

    private static final int MSG_REPORT_BIOMETRIC_AUTH_ATTEMPT = 2;

    private static final int MSG_REPORT_BIOMETRIC_AUTH_SUCCESS = 2;

    private static final int MSG_REPORT_BIOMETRIC_AUTH_FAILURE = 3;

    private static final int MSG_REPORT_BIOMETRIC_AUTH_ERROR = 4;

    private static final int AUTH_SUCCESS = 1;

    private static final int AUTH_FAILURE = 0;

    private static final int TYPE_PRIMARY_AUTH = 0;

        mWindowManager = Objects.requireNonNull(

                LocalServices.getService(WindowManagerInternal.class));

        mUserManager = Objects.requireNonNull(LocalServices.getService(UserManagerInternal.class));

        if (android.security.Flags.secureLockdown()) {

        if (secureLockdown()) {

            mSecureLockDeviceService = Objects.requireNonNull(

                    LocalServices.getService(SecureLockDeviceServiceInternal.class));

        }

                public void onAuthenticationAcquired(AuthenticationAcquiredInfo authInfo) {}

                @Override

                public void onAuthenticationError(AuthenticationErrorInfo authInfo) {}

                public void onAuthenticationError(AuthenticationErrorInfo authInfo) {

                    Slog.i(TAG, "AuthenticationStateListener#onAuthenticationError");

                    mHandler.obtainMessage(

                            MSG_REPORT_BIOMETRIC_AUTH_ERROR, authInfo).sendToTarget();

                }

                @Override

                public void onAuthenticationFailed(AuthenticationFailedInfo authInfo) {

                    Slog.i(TAG, "AuthenticationStateListener#onAuthenticationFailed");

                    mHandler.obtainMessage(MSG_REPORT_BIOMETRIC_AUTH_ATTEMPT, AUTH_FAILURE,

                            authInfo.getUserId()).sendToTarget();

                    mHandler.obtainMessage(

                            MSG_REPORT_BIOMETRIC_AUTH_FAILURE, authInfo).sendToTarget();

                }

                @Override

                    if (DEBUG) {

                        Slog.d(TAG, "AuthenticationStateListener#onAuthenticationSucceeded");

                    }

                    mHandler.obtainMessage(MSG_REPORT_BIOMETRIC_AUTH_ATTEMPT, AUTH_SUCCESS,

                            authInfo.getUserId()).sendToTarget();

                    mHandler.obtainMessage(

                            MSG_REPORT_BIOMETRIC_AUTH_SUCCESS, authInfo).sendToTarget();

                }

            };

                case MSG_REPORT_PRIMARY_AUTH_ATTEMPT:

                    handleReportPrimaryAuthAttempt(msg.arg1 != AUTH_FAILURE, msg.arg2);

                    break;

                case MSG_REPORT_BIOMETRIC_AUTH_ATTEMPT:

                    handleReportBiometricAuthAttempt(msg.arg1 != AUTH_FAILURE, msg.arg2);

                case MSG_REPORT_BIOMETRIC_AUTH_SUCCESS:

                    AuthenticationSucceededInfo successInfo = (AuthenticationSucceededInfo) msg.obj;

                    handleReportBiometricAuthSuccess(successInfo);

                    break;

                case MSG_REPORT_BIOMETRIC_AUTH_FAILURE:

                    AuthenticationFailedInfo failInfo = (AuthenticationFailedInfo) msg.obj;

                    handleReportBiometricAuthFailure(failInfo.getUserId());

                    break;

                case MSG_REPORT_BIOMETRIC_AUTH_ERROR:

                    AuthenticationErrorInfo errorInfo = (AuthenticationErrorInfo) msg.obj;

                    handleReportBiometricAuthError(errorInfo);

                    break;

            }

        }

        reportAuthAttempt(TYPE_PRIMARY_AUTH, success, userId);

    }

    private void handleReportBiometricAuthAttempt(boolean success, int userId) {

    private void handleReportBiometricAuthSuccess(AuthenticationSucceededInfo successInfo) {

        boolean isStrongBiometric = successInfo.isIsStrongBiometric();

        int userId = successInfo.getUserId();

        if (DEBUG) {

            Slog.d(TAG, "handleReportBiometricAuthAttempt: success=" + success

                    + ", userId=" + userId);

            Slog.d(TAG, "handleReportBiometricAuthSuccess: isStrongBiometric="

                    + isStrongBiometric + ", userId=" + userId);

        }

        if (secureLockDevice() && secureLockdown() && isStrongBiometric

                && mSecureLockDeviceService.isSecureLockDeviceEnabled()) {

            // After successful strong biometric auth during secure lock device, notify

            // SecureLockDeviceService

            mSecureLockDeviceService.onStrongBiometricAuthenticationSuccess(UserHandle.of(userId));

        }

        reportAuthAttempt(TYPE_BIOMETRIC_AUTH, /* success */ true, userId);

    }

    private void handleReportBiometricAuthFailure(int userId) {

        if (DEBUG) {

            Slog.d(TAG, "handleReportBiometricAuthFailure: userId=" + userId);

        }

        reportAuthAttempt(TYPE_BIOMETRIC_AUTH, /* success */ false, userId);

    }

    private void handleReportBiometricAuthError(AuthenticationErrorInfo errorInfo) {

        if (DEBUG) {

            Slog.d(TAG, "handleReportBiometricAuthError: "

                    + "biometricSourceType=" + errorInfo.getBiometricSourceType()  + ", "

                    + "requestReason=" + errorInfo.getRequestReason()  + ", "

                    + "errCode=" + errorInfo.getErrCode()  + ", "

                    + "errString=" + errorInfo.getErrString()

            );

        }

        // BIOMETRIC_ERROR_LOCKOUT == FACE_ERROR_LOCKOUT == FINGERPRINT_ERROR_LOCKOUT

        boolean isLockout = errorInfo.getErrCode() == BIOMETRIC_ERROR_LOCKOUT

                || errorInfo.getErrCode() == BIOMETRIC_ERROR_LOCKOUT_PERMANENT;

        boolean secureLockDeviceEnabled = secureLockDevice() && secureLockdown()

                && mSecureLockDeviceService.isSecureLockDeviceEnabled();

        if (secureLockDeviceEnabled && isLockout) {

            // On biometric lockout when secure lock device is enabled, reset authentication

            // progress and return to step 1 of the two-factor authentication - credential

            // auth on the bouncer

            mLockPatternUtils.requireStrongAuth(PRIMARY_AUTH_REQUIRED_FOR_SECURE_LOCK_DEVICE,

                    UserHandle.USER_ALL);

        }

        reportAuthAttempt(TYPE_BIOMETRIC_AUTH, success, userId);

    }

    private void reportAuthAttempt(int authType, boolean success, int userId) {

            // Required for internal service to acquire necessary system permissions

            final long identity = Binder.clearCallingIdentity();

            try {

                return mSecureLockDeviceService.disableSecureLockDevice(user, params);

                boolean authenticationComplete =

                        mSecureLockDeviceService.hasUserCompletedTwoFactorAuthentication(user);

                Slog.d("SecureLockDeviceService", "Disabling secure lock device: "

                        + "user " + user + ", authenticationComplete " + authenticationComplete);

                return mSecureLockDeviceService.disableSecureLockDevice(user, params,

                        /* authenticationComplete = */ authenticationComplete);

            } finally {

                Binder.restoreCallingIdentity(identity);

            }

import static android.security.authenticationpolicy.AuthenticationPolicyManager.ERROR_UNSUPPORTED;

import static android.security.authenticationpolicy.AuthenticationPolicyManager.SUCCESS;

import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.PRIMARY_AUTH_REQUIRED_FOR_SECURE_LOCK_DEVICE;

import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_BIOMETRIC_AUTH_REQUIRED_FOR_SECURE_LOCK_DEVICE;

import android.annotation.NonNull;

import android.app.ActivityManager;

import android.app.ActivityTaskManager;

import com.android.internal.annotations.VisibleForTesting;

import com.android.internal.app.IVoiceInteractionManagerService;

import com.android.internal.statusbar.IStatusBarService;

import com.android.internal.widget.LockPatternUtils;

import com.android.server.IoThread;

import com.android.server.LocalServices;

import com.android.server.SystemService;

import com.android.server.locksettings.LockSettingsInternal;

import com.android.server.pm.UserManagerInternal;

import com.android.server.security.authenticationpolicy.settings.SecureLockDeviceSettingsManager;

import com.android.server.security.authenticationpolicy.settings.SecureLockDeviceSettingsManagerImpl;

import com.android.server.security.authenticationpolicy.settings.SecureLockDeviceStore;

    @NonNull private final Object mSecureLockDeviceStatusListenerLock = new Object();

    @NonNull private final SecureLockDeviceStore mStore;

    @NonNull private final SecureLockDeviceSettingsManager mSecureLockDeviceSettingsManager;

    private final UserManagerInternal mUserManagerInternal;

    // Lock for concurrent access to mUserAuthenticatedWithStrongBiometric

    private final Object mBiometricAuthStateLock = new Object();

    private final RemoteCallbackList<ISecureLockDeviceStatusListener>

            mSecureLockDeviceStatusListeners = new RemoteCallbackList<>();

    // Not final because initialized after SecureLockDeviceService in SystemServer

    private ActivityManager mActivityManager;

    private LockPatternUtils mLockPatternUtils;

    private LockSettingsInternal mLockSettingsInternal;

    private StrongAuthTracker mStrongAuthTracker;

    private WindowManagerInternal mWindowManagerInternal;

    // Stores the UserHandle of the user who has authenticated with a strong biometric

    // to disable secure lock. Will be null if no user is currently authenticated.

    private UserHandle mUserAuthenticatedWithStrongBiometric = null;

    SecureLockDeviceService(@NonNull Context context,

            @NonNull SecureLockDeviceSettingsManager settingsManager,

            @Nullable BiometricManager biometricManager, @Nullable FaceManager faceManager,

            @Nullable FingerprintManager fingerprintManager, @NonNull PowerManager powerManager) {

            @Nullable BiometricManager biometricManager,

            @Nullable FaceManager faceManager, @Nullable FingerprintManager fingerprintManager,

            @NonNull PowerManager powerManager, @NonNull UserManagerInternal userManagerInternal) {

        mContext = context;

        mBiometricManager = biometricManager;

        mFaceManager = faceManager;

        mPowerManager = powerManager;

        mSecureLockDeviceSettingsManager = settingsManager;

        mSecureLockDeviceSettingsManager.resetManagedSettings();

        mUserManagerInternal = userManagerInternal;

        mStore = new SecureLockDeviceStore(IoThread.getHandler(), mSecureLockDeviceSettingsManager);

    }

                context.getSystemService(BiometricManager.class),

                context.getSystemService(FaceManager.class),

                context.getSystemService(FingerprintManager.class),

                Objects.requireNonNull(context.getSystemService(PowerManager.class))

                Objects.requireNonNull(context.getSystemService(PowerManager.class)),

                LocalServices.getService(UserManagerInternal.class)

        );

    }

        }

        mSecureLockDeviceSettingsManager.enableSecurityFeaturesFromBoot(secureLockDeviceClientId);

        // TODO (b/398058587): Set strong auth flags for user to configure allowed auth types

        synchronized (mBiometricAuthStateLock) {

            mUserAuthenticatedWithStrongBiometric = null;

        }

        mStore.storeSecureLockDeviceEnabled(secureLockDeviceClientId);

        notifyAllSecureLockDeviceListenersEnabledStatusUpdated();

        }

    }

    /**

     * Applies Secure Lock Device strong auth flags for all users when secure lock device is

     * enabled.

     *

     * The StrongAuthFlags are used by keyguard and bouncer to determine allowed authenticators

     * and lockdown state, and to display the correct UI for explaining why the device is locked.

     */

    private void setSecureLockDeviceStrongAuthFlags() {

        // Require primary auth only (biometrics disabled) for the first unlock step of

        // Secure Lock Device.

        for (int userId : mUserManagerInternal.getUserIds()) {

            mLockPatternUtils.requireStrongAuth(

                    PRIMARY_AUTH_REQUIRED_FOR_SECURE_LOCK_DEVICE, userId);

            // Require strong biometric auth for the second unlock step of Secure Lock Device.

            mLockPatternUtils.requireStrongAuth(

                    STRONG_BIOMETRIC_AUTH_REQUIRED_FOR_SECURE_LOCK_DEVICE, userId);

        }

    }

    /**

     * Sets up references to system services initialized after SecureLockDeviceService in

     * SystemServer, and restores secure lock device after boot if needed.

            Slog.d(TAG, "onLockSettingsReady()");

        }

        mActivityManager = mContext.getSystemService(ActivityManager.class);

        mLockSettingsInternal = LocalServices.getService(LockSettingsInternal.class);

        if (mLockPatternUtils == null) {

            mLockPatternUtils = new LockPatternUtils(mContext);

            if (mStrongAuthTracker == null) {

                mStrongAuthTracker = new StrongAuthTracker(mContext);

            }

            mLockPatternUtils.registerStrongAuthTracker(mStrongAuthTracker);

        }

        mWindowManagerInternal = LocalServices.getService(WindowManagerInternal.class);

    }

            return ERROR_UNKNOWN;

        }

        // TODO (b/398058587): Set strong auth flags for user to configure allowed auth types

        setSecureLockDeviceStrongAuthFlags();

        mPowerManager.goToSleep(SystemClock.uptimeMillis(),

                PowerManager.GO_TO_SLEEP_REASON_DEVICE_ADMIN, 0);

        int userId = user.getIdentifier();

        mSecureLockDeviceSettingsManager.enableSecurityFeatures(userId);

        mStore.storeSecureLockDeviceEnabled(userId);

        synchronized (mBiometricAuthStateLock) {

            mUserAuthenticatedWithStrongBiometric = null;

        }

        notifyAllSecureLockDeviceListenersEnabledStatusUpdated();

        Slog.d(TAG, "Secure lock device is enabled");

     * @param user   {@link UserHandle} of caller requesting to disable secure lock device

     * @param params {@link DisableSecureLockDeviceParams} for caller to supply params related

     *               to the secure lock device request

     * @param authenticationComplete indicates if secure lock device is being disabled as a result

     *                               of successful two-factor primary and strong biometric

     *                               authentication

     * @return {@link DisableSecureLockDeviceRequestStatus} int indicating the result of the

     * secure lock device request

     * @hide

     */

    @Override

    @DisableSecureLockDeviceRequestStatus

    public int disableSecureLockDevice(UserHandle user, DisableSecureLockDeviceParams params) {

        if (!secureLockdown()) {

            return ERROR_UNSUPPORTED;

        } else if (!isSecureLockDeviceEnabled()) {

    public int disableSecureLockDevice(UserHandle user, DisableSecureLockDeviceParams params,

            boolean authenticationComplete) {

        if (!isSecureLockDeviceEnabled()) {

            if (DEBUG) {

                Slog.d(TAG, "Secure lock device is already disabled.");

            }

            return ERROR_NOT_AUTHORIZED;

        }

        // (1) Call into system_server to reset allowed auth types

        // TODO (b/398058587): Reset strong auth flags for user

        // Clears strong auth flags

        mLockSettingsInternal.disableSecureLockDevice(secureLockDeviceClientId,

                authenticationComplete);

        disableSecurityFeatures(secureLockDeviceClientId);

        mStore.storeSecureLockDeviceDisabled();

        notifyAllSecureLockDeviceListenersEnabledStatusUpdated();

        Slog.d(TAG, "Secure lock device is disabled");

        synchronized (mBiometricAuthStateLock) {

            mUserAuthenticatedWithStrongBiometric = null;

        }

        return SUCCESS;

    }

    /**

     * Updates status on whether the user has completed successful two-factor primary authentication

     * strong biometric authentication, and confirmed the biometric auth when necessary.

     *

     * @param user that performed the successful biometric authentication

     *

     * @hide

     */

    @Override

    public void onStrongBiometricAuthenticationSuccess(UserHandle user) {

        Slog.d(TAG, "Received strong biometric authentication success for user " + user + ", "

                + "awaiting device entry completion to disable secure lock device.");

        synchronized (mBiometricAuthStateLock) {

            mUserAuthenticatedWithStrongBiometric = user;

        }

    }

    /**

     * Returns true if the user has completed successful two-factor primary authentication + strong

     * biometric authentication, false otherwise.

     * @param user to check for two-factor authentication completion

     * @hide

     */

    @Override

    public boolean hasUserCompletedTwoFactorAuthentication(UserHandle user) {

        synchronized (mBiometricAuthStateLock) {

            return mUserAuthenticatedWithStrongBiometric != null

                    && mUserAuthenticatedWithStrongBiometric.equals(user);

        }

    }

    /**

     * @return true if secure lock device is enabled, false otherwise

     * @see AuthenticationPolicyManager#isSecureLockDeviceEnabled()

            }

        }

    }

    @VisibleForTesting

    protected class StrongAuthTracker extends LockPatternUtils.StrongAuthTracker {

        StrongAuthTracker(Context context) {

            super(context);

        }

        private boolean containsFlag(int haystack, int needle) {

            return (haystack & needle) != 0;

        }

        @Override

        public synchronized void onStrongAuthRequiredChanged(int userId) {

            if (secureLockDevice() && isSecureLockDeviceEnabled()

                    && containsFlag(getStrongAuthForUser(userId),

                    PRIMARY_AUTH_REQUIRED_FOR_SECURE_LOCK_DEVICE)

            ) {

                Slog.d(TAG, "Primary auth is required for secure lock device; reset pending "

                        + "biometric auth success state.");

                synchronized (mBiometricAuthStateLock) {

                    mUserAuthenticatedWithStrongBiometric = null;

                }

            }

        }

    }

}

 No newline at end of file

    /**

     * @see AuthenticationPolicyManager#getSecureLockDeviceAvailability()

     * @param user calling {@link UserHandle} to check that secure lock device is available for

     * @param user {@link UserHandle} to check that secure lock device is available for

     * @return {@link GetSecureLockDeviceAvailabilityRequestStatus} int indicating whether secure

     * lock device is available for the calling user

     *

    /**

     * @see AuthenticationPolicyManager#enableSecureLockDevice(EnableSecureLockDeviceParams)

     * @param user {@link UserHandle} of caller requesting to enable secure lock device

     * @param user {@link UserHandle} secure lock device is being disabled for

     * @param params {@link EnableSecureLockDeviceParams} for caller to supply params related

     *               to the secure lock request

     * @return {@link EnableSecureLockDeviceRequestStatus} int indicating the result of the

    /**

     * @see AuthenticationPolicyManager#disableSecureLockDevice(DisableSecureLockDeviceParams)

     * @param user {@link UserHandle} of caller requesting to disable secure lock device

     * @param user {@link UserHandle} secure lock device is being disabled for

     * @param params {@link DisableSecureLockDeviceParams} for caller to supply params related

     *               to the secure lock device request

     * @param authenticationComplete indicates if secure lock device is being disabled as a result

     *                               of successful two-factor primary and biometric authentication

     * @return {@link DisableSecureLockDeviceRequestStatus} int indicating the result of the

     * secure lock device request

     */

    @DisableSecureLockDeviceRequestStatus

    public abstract int disableSecureLockDevice(UserHandle user,

            DisableSecureLockDeviceParams params);

            DisableSecureLockDeviceParams params, boolean authenticationComplete);

    /**

     * @see SecureLockDeviceService#onStrongBiometricAuthenticationSuccess

     * @param user that performed the successful biometric authentication

     * @hide

     */

    public abstract void onStrongBiometricAuthenticationSuccess(UserHandle user);

    /**

     * @see SecureLockDeviceService#hasUserCompletedTwoFactorAuthentication

     * @param user to check for two-factor authentication completion

     * @hide

     */

    public abstract boolean hasUserCompletedTwoFactorAuthentication(UserHandle user);

    /**

     * @see AuthenticationPolicyManager#isSecureLockDeviceEnabled()