Merge "Enforce permission for identity check bit" into main

                return -1;

            }

            if (!Utils.isValidAuthenticatorConfig(promptInfo)) {

            if (!Utils.isValidAuthenticatorConfig(getContext(), promptInfo)) {

                throw new SecurityException("Invalid authenticator configuration");

            }

                    + ", Caller=" + callingUserId

                    + ", Authenticators=" + authenticators);

            if (!Utils.isValidAuthenticatorConfig(authenticators)) {

            if (!Utils.isValidAuthenticatorConfig(getContext(), authenticators)) {

                throw new SecurityException("Invalid authenticator configuration");

            }

                    + ", Caller=" + callingUserId

                    + ", Authenticators=" + authenticators);

            if (!Utils.isValidAuthenticatorConfig(authenticators)) {

            if (!Utils.isValidAuthenticatorConfig(getContext(), authenticators)) {

                throw new SecurityException("Invalid authenticator configuration");

            }

            Slog.d(TAG, "getSupportedModalities: Authenticators=" + authenticators);

            if (!Utils.isValidAuthenticatorConfig(authenticators)) {

            if (!Utils.isValidAuthenticatorConfig(getContext(), authenticators)) {

                throw new SecurityException("Invalid authenticator configuration");

            }

package com.android.server.biometrics;

import static android.Manifest.permission.SET_BIOMETRIC_DIALOG_ADVANCED;

import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL;

import static android.app.ActivityManager.RunningAppProcessInfo.IMPORTANCE_FOREGROUND_SERVICE;

import static android.hardware.biometrics.BiometricManager.Authenticators;

     * @param promptInfo

     * @return

     */

    static boolean isValidAuthenticatorConfig(PromptInfo promptInfo) {

    static boolean isValidAuthenticatorConfig(Context context, PromptInfo promptInfo) {

        final int authenticators = promptInfo.getAuthenticators();

        return isValidAuthenticatorConfig(authenticators);

        return isValidAuthenticatorConfig(context, authenticators);

    }

    /**

     * Checks if the authenticator configuration is a valid combination of the public APIs

     * @param authenticators

     * @return

     * Checks if the authenticator configuration is a valid combination of the public APIs.

     *

     * throws {@link SecurityException} if the caller requests for mandatory biometrics without

     * {@link SET_BIOMETRIC_DIALOG_ADVANCED} permission

     */

    static boolean isValidAuthenticatorConfig(int authenticators) {

    static boolean isValidAuthenticatorConfig(Context context, int authenticators) {

        // The caller is not required to set the authenticators. But if they do, check the below.

        if (authenticators == 0) {

            return true;

        } else if (biometricBits == Authenticators.BIOMETRIC_WEAK) {

            return true;

        } else if (isMandatoryBiometricsRequested(authenticators)) {

            //TODO(b/347123256): Update CTS test

            context.enforceCallingOrSelfPermission(SET_BIOMETRIC_DIALOG_ADVANCED,

                    "Must have SET_BIOMETRIC_DIALOG_ADVANCED permission");

            return true;

        }

package com.android.server.biometrics;

import static android.Manifest.permission.SET_BIOMETRIC_DIALOG_ADVANCED;

import static android.hardware.biometrics.BiometricManager.Authenticators;

import static junit.framework.Assert.assertEquals;

import static junit.framework.Assert.assertFalse;

import static junit.framework.Assert.assertTrue;

import static org.junit.Assert.assertThrows;

import static org.mockito.ArgumentMatchers.any;

import static org.mockito.ArgumentMatchers.eq;

import static org.mockito.Mockito.doNothing;

import static org.mockito.Mockito.doThrow;

import android.content.Context;

import android.hardware.biometrics.BiometricAuthenticator;

import android.hardware.biometrics.BiometricConstants;

import android.hardware.biometrics.BiometricManager;

import androidx.test.filters.SmallTest;

import org.junit.Before;

import org.junit.Rule;

import org.junit.Test;

import org.mockito.Mock;

import org.mockito.junit.MockitoJUnit;

import org.mockito.junit.MockitoRule;

@Presubmit

@SmallTest

    @Rule

    public final CheckFlagsRule mCheckFlagsRule =

            DeviceFlagsValueProvider.createCheckFlagsRule();

    @Rule

    public MockitoRule mockitorule = MockitoJUnit.rule();

    @Mock

    private Context mContext;

    @Before

    public void setUp() {

        doThrow(SecurityException.class).when(mContext).enforceCallingOrSelfPermission(

                eq(SET_BIOMETRIC_DIALOG_ADVANCED), any());

    }

    @Test

    public void testCombineAuthenticatorBundles_withKeyDeviceCredential_andKeyAuthenticators() {

    @Test

    public void testIsValidAuthenticatorConfig() {

        assertTrue(Utils.isValidAuthenticatorConfig(Authenticators.EMPTY_SET));

        assertTrue(Utils.isValidAuthenticatorConfig(mContext, Authenticators.EMPTY_SET));

        assertTrue(Utils.isValidAuthenticatorConfig(Authenticators.BIOMETRIC_STRONG));

        assertTrue(Utils.isValidAuthenticatorConfig(mContext, Authenticators.BIOMETRIC_STRONG));

        assertTrue(Utils.isValidAuthenticatorConfig(Authenticators.BIOMETRIC_WEAK));

        assertTrue(Utils.isValidAuthenticatorConfig(mContext, Authenticators.BIOMETRIC_WEAK));

        assertTrue(Utils.isValidAuthenticatorConfig(Authenticators.DEVICE_CREDENTIAL));

        assertTrue(Utils.isValidAuthenticatorConfig(mContext, Authenticators.DEVICE_CREDENTIAL));

        assertTrue(Utils.isValidAuthenticatorConfig(Authenticators.DEVICE_CREDENTIAL

        assertTrue(Utils.isValidAuthenticatorConfig(mContext, Authenticators.DEVICE_CREDENTIAL

                | Authenticators.BIOMETRIC_STRONG));

        assertTrue(Utils.isValidAuthenticatorConfig(Authenticators.DEVICE_CREDENTIAL

        assertTrue(Utils.isValidAuthenticatorConfig(mContext, Authenticators.DEVICE_CREDENTIAL

                | Authenticators.BIOMETRIC_WEAK));

        assertFalse(Utils.isValidAuthenticatorConfig(Authenticators.BIOMETRIC_CONVENIENCE));

        assertFalse(Utils.isValidAuthenticatorConfig(

                mContext, Authenticators.BIOMETRIC_CONVENIENCE));

        assertFalse(Utils.isValidAuthenticatorConfig(Authenticators.BIOMETRIC_CONVENIENCE

        assertFalse(Utils.isValidAuthenticatorConfig(mContext, Authenticators.BIOMETRIC_CONVENIENCE

                | Authenticators.DEVICE_CREDENTIAL));

        assertFalse(Utils.isValidAuthenticatorConfig(Authenticators.BIOMETRIC_MAX_STRENGTH));

        assertFalse(Utils.isValidAuthenticatorConfig(

                mContext, Authenticators.BIOMETRIC_MAX_STRENGTH));

        assertFalse(Utils.isValidAuthenticatorConfig(

                mContext, Authenticators.BIOMETRIC_MIN_STRENGTH));

        assertThrows(SecurityException.class, () -> Utils.isValidAuthenticatorConfig(

                        mContext, Authenticators.MANDATORY_BIOMETRICS));

        doNothing().when(mContext).enforceCallingOrSelfPermission(

                eq(SET_BIOMETRIC_DIALOG_ADVANCED), any());

        assertFalse(Utils.isValidAuthenticatorConfig(Authenticators.BIOMETRIC_MIN_STRENGTH));

        assertTrue(Utils.isValidAuthenticatorConfig(mContext, Authenticators.MANDATORY_BIOMETRICS));

        // The rest of the bits are not allowed to integrate with the public APIs

        for (int i = 8; i < 32; i++) {

                    || authenticator == Authenticators.MANDATORY_BIOMETRICS) {

                continue;

            }

            assertFalse(Utils.isValidAuthenticatorConfig(1 << i));

            assertFalse(Utils.isValidAuthenticatorConfig(mContext, 1 << i));

        }

    }