Loading services/core/java/com/android/server/locksettings/LockSettingsService.java +2 −16 Original line number Diff line number Diff line Loading @@ -27,8 +27,6 @@ import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSW import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PIN; import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT; import static com.android.internal.widget.LockPatternUtils.USER_FRP; Loading Loading 
@@ -2582,23 +2580,12 @@ public class LockSettingsService extends ILockSettings.Stub { return type == PersistentData.TYPE_SP || type == PersistentData.TYPE_SP_WEAVER; } long handle = getSyntheticPasswordHandleLocked(userId); // This is a global setting long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM); return enabled != 0 && handle != SyntheticPasswordManager.DEFAULT_HANDLE; return handle != SyntheticPasswordManager.DEFAULT_HANDLE; } @VisibleForTesting protected boolean shouldMigrateToSyntheticPasswordLocked(int userId) { long handle = getSyntheticPasswordHandleLocked(userId); // This is a global setting long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM); return enabled != 0 && handle == SyntheticPasswordManager.DEFAULT_HANDLE; } private void enableSyntheticPasswordLocked() { setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM); return true; } private VerifyCredentialResponse spBasedDoVerifyCredential(LockscreenCredential userCredential, Loading Loading @@ -2937,7 +2924,6 @@ public class LockSettingsService extends ILockSettings.Stub { private long addEscrowToken(byte[] token, int userId, EscrowTokenStateChangeCallback callback) { if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId); synchronized (mSpManager) { enableSyntheticPasswordLocked(); // Migrate to synthetic password based credentials if the user has no password, // the token can then be activated immediately. AuthenticationToken auth = null; Loading services/tests/servicestests/src/com/android/server/locksettings/SyntheticPasswordTests.java +0 −99 Original line number Diff line number Diff line Loading 
@@ -101,30 +101,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; } @Test public void testPasswordMigration() throws RemoteException { final LockscreenCredential password = newPassword("testPasswordMigration-password"); disableSyntheticPassword(); assertTrue(mService.setLockCredential(password, nonePassword(), PRIMARY_USER_ID)); long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); enableSyntheticPassword(); // Performs migration assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( password, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); // SP-based verification assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( password, 0, PRIMARY_USER_ID) .getResponseCode()); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); } protected void initializeCredentialUnderSP(LockscreenCredential password, int userId) throws RemoteException { enableSyntheticPassword(); Loading Loading 
@@ -252,81 +228,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); } @Test public void testManagedProfileUnifiedChallengeMigration() throws RemoteException { LockscreenCredential UnifiedPassword = newPassword("unified-pwd"); disableSyntheticPassword(); mService.setLockCredential(UnifiedPassword, nonePassword(), PRIMARY_USER_ID); mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); assertTrue(primarySid != 0); assertTrue(profileSid != 0); assertTrue(profileSid != primarySid); // do migration enableSyntheticPassword(); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( UnifiedPassword, 0, PRIMARY_USER_ID) .getResponseCode()); // verify assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( UnifiedPassword, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); assertArrayNotEquals(profileStorageKey, mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); } @Test public void testManagedProfileSeparateChallengeMigration() throws RemoteException { LockscreenCredential primaryPassword = newPassword("primary"); LockscreenCredential profilePassword = newPassword("profile"); disableSyntheticPassword(); 
mService.setLockCredential(primaryPassword, nonePassword(), PRIMARY_USER_ID); mService.setLockCredential(profilePassword, nonePassword(), MANAGED_PROFILE_USER_ID); final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); assertTrue(primarySid != 0); assertTrue(profileSid != 0); assertTrue(profileSid != primarySid); // do migration enableSyntheticPassword(); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( primaryPassword, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( profilePassword, 0, MANAGED_PROFILE_USER_ID) .getResponseCode()); // verify assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( primaryPassword, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( profilePassword, 0, MANAGED_PROFILE_USER_ID) .getResponseCode()); assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); assertArrayNotEquals(profileStorageKey, mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); } @Test public void testTokenBasedResetPassword() throws RemoteException { LockscreenCredential password = newPassword("password"); Loading Loading
services/core/java/com/android/server/locksettings/LockSettingsService.java +2 −16 Original line number Diff line number Diff line Loading @@ -27,8 +27,6 @@ import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSW import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PIN; import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT; import static com.android.internal.widget.LockPatternUtils.USER_FRP; Loading Loading 
@@ -2582,23 +2580,12 @@ public class LockSettingsService extends ILockSettings.Stub { return type == PersistentData.TYPE_SP || type == PersistentData.TYPE_SP_WEAVER; } long handle = getSyntheticPasswordHandleLocked(userId); // This is a global setting long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM); return enabled != 0 && handle != SyntheticPasswordManager.DEFAULT_HANDLE; return handle != SyntheticPasswordManager.DEFAULT_HANDLE; } @VisibleForTesting protected boolean shouldMigrateToSyntheticPasswordLocked(int userId) { long handle = getSyntheticPasswordHandleLocked(userId); // This is a global setting long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM); return enabled != 0 && handle == SyntheticPasswordManager.DEFAULT_HANDLE; } private void enableSyntheticPasswordLocked() { setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM); return true; } private VerifyCredentialResponse spBasedDoVerifyCredential(LockscreenCredential userCredential, Loading Loading @@ -2937,7 +2924,6 @@ public class LockSettingsService extends ILockSettings.Stub { private long addEscrowToken(byte[] token, int userId, EscrowTokenStateChangeCallback callback) { if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId); synchronized (mSpManager) { enableSyntheticPasswordLocked(); // Migrate to synthetic password based credentials if the user has no password, // the token can then be activated immediately. AuthenticationToken auth = null; Loading
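Review bot: `shouldMigrateToSyntheticPasswordLocked(int userId)` in the second hunk of LockSettingsService.java now ends in a bare `return true;`, so it no longer checks that the user's handle is still `SyntheticPasswordManager.DEFAULT_HANDLE` and it ignores `userId` altogether. Its callers are outside the hunk; if any of them relied on that check instead of testing `isSyntheticPasswordBasedCredentialLocked(userId)` first, a user who already has a synthetic password could be sent through migration again, which would presumably replace credential-bound key material. Dropping only the global-setting half keeps the guard: `return getSyntheticPasswordHandleLocked(userId) == SyntheticPasswordManager.DEFAULT_HANDLE;`. If the constant is deliberate (for instance as an override point, given `@VisibleForTesting`), a one-line comment saying so and naming the caller-side precondition would help, because the migration tests that pinned SID preservation and storage-key rotation are deleted in this same commit.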
services/tests/servicestests/src/com/android/server/locksettings/SyntheticPasswordTests.java +0 −99 Original line number Diff line number Diff line Loading @@ -101,30 +101,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; } @Test public void testPasswordMigration() throws RemoteException { final LockscreenCredential password = newPassword("testPasswordMigration-password"); disableSyntheticPassword(); assertTrue(mService.setLockCredential(password, nonePassword(), PRIMARY_USER_ID)); long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); enableSyntheticPassword(); // Performs migration assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( password, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); // SP-based verification assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( password, 0, PRIMARY_USER_ID) .getResponseCode()); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); } protected void initializeCredentialUnderSP(LockscreenCredential password, int userId) throws RemoteException { enableSyntheticPassword(); Loading Loading 
@@ -252,81 +228,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); } @Test public void testManagedProfileUnifiedChallengeMigration() throws RemoteException { LockscreenCredential UnifiedPassword = newPassword("unified-pwd"); disableSyntheticPassword(); mService.setLockCredential(UnifiedPassword, nonePassword(), PRIMARY_USER_ID); mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); assertTrue(primarySid != 0); assertTrue(profileSid != 0); assertTrue(profileSid != primarySid); // do migration enableSyntheticPassword(); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( UnifiedPassword, 0, PRIMARY_USER_ID) .getResponseCode()); // verify assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( UnifiedPassword, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); assertArrayNotEquals(profileStorageKey, mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); } @Test public void testManagedProfileSeparateChallengeMigration() throws RemoteException { LockscreenCredential primaryPassword = newPassword("primary"); LockscreenCredential profilePassword = newPassword("profile"); disableSyntheticPassword(); 
mService.setLockCredential(primaryPassword, nonePassword(), PRIMARY_USER_ID); mService.setLockCredential(profilePassword, nonePassword(), MANAGED_PROFILE_USER_ID); final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); assertTrue(primarySid != 0); assertTrue(profileSid != 0); assertTrue(profileSid != primarySid); // do migration enableSyntheticPassword(); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( primaryPassword, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( profilePassword, 0, MANAGED_PROFILE_USER_ID) .getResponseCode()); // verify assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( primaryPassword, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( profilePassword, 0, MANAGED_PROFILE_USER_ID) .getResponseCode()); assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); assertArrayNotEquals(profileStorageKey, mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); } @Test public void testTokenBasedResetPassword() throws RemoteException { LockscreenCredential password = newPassword("password"); Loading