Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bcbc5f5a authored by Barani Muthukumaran's avatar Barani Muthukumaran Committed by Paul Crowley
Browse files

Force all devices to migrate to synthetic password 

Remove the property used to disable the migration.
With this change disabling of synthetic password will
no longer work.

https://partnerissuetracker.corp.google.com/issues/146040259
has been created to track the removal of all non-synthetic
password related flows.

Test: Device boot and validate FBE (inclding OTA).

Change-Id: Ib4633ff2f667ee7f88195c7cbd07ba99eea76d51
parent 11d07a8b

services/core/java/com/android/server/locksettings/LockSettingsService.java

+2 −16
Original line number Diff line number Diff line
@@ -27,8 +27,6 @@ import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSW 
import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN;

import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PIN;

import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback;

import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT;

import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY;

import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY;

import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT;

import static com.android.internal.widget.LockPatternUtils.USER_FRP;
@@ -2582,23 +2580,12 @@ public class LockSettingsService extends ILockSettings.Stub { 
            return type == PersistentData.TYPE_SP || type == PersistentData.TYPE_SP_WEAVER;

        }

        long handle = getSyntheticPasswordHandleLocked(userId);

        // This is a global setting

        long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY,

                SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM);

      return enabled != 0 && handle != SyntheticPasswordManager.DEFAULT_HANDLE;

        return handle != SyntheticPasswordManager.DEFAULT_HANDLE;

    }



    @VisibleForTesting

    protected boolean shouldMigrateToSyntheticPasswordLocked(int userId) {

        long handle = getSyntheticPasswordHandleLocked(userId);

        // This is a global setting

        long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY,

                SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM);

        return enabled != 0 && handle == SyntheticPasswordManager.DEFAULT_HANDLE;

    }



    private void enableSyntheticPasswordLocked() {

        setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM);

        return true;

    }



    private VerifyCredentialResponse spBasedDoVerifyCredential(LockscreenCredential userCredential,
@@ -2937,7 +2924,6 @@ public class LockSettingsService extends ILockSettings.Stub { 
    private long addEscrowToken(byte[] token, int userId, EscrowTokenStateChangeCallback callback) {

        if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId);

        synchronized (mSpManager) {

            enableSyntheticPasswordLocked();

            // Migrate to synthetic password based credentials if the user has no password,

            // the token can then be activated immediately.

            AuthenticationToken auth = null;

services/tests/servicestests/src/com/android/server/locksettings/SyntheticPasswordTests.java

+0 −99
Original line number Diff line number Diff line
@@ -101,30 +101,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { 
        return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0;

    }



    @Test

    public void testPasswordMigration() throws RemoteException {

        final LockscreenCredential password = newPassword("testPasswordMigration-password");



        disableSyntheticPassword();

        assertTrue(mService.setLockCredential(password, nonePassword(), PRIMARY_USER_ID));

        long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);

        final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);

        enableSyntheticPassword();

        // Performs migration

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                password, 0, PRIMARY_USER_ID)

                    .getResponseCode());

        assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));

        assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));



        // SP-based verification

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                password, 0, PRIMARY_USER_ID)

                        .getResponseCode());

        assertArrayNotEquals(primaryStorageKey,

                mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));

    }



    protected void initializeCredentialUnderSP(LockscreenCredential password, int userId)

            throws RemoteException {

        enableSyntheticPassword();
@@ -252,81 +228,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { 
        verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class));

    }



    @Test

    public void testManagedProfileUnifiedChallengeMigration() throws RemoteException {

        LockscreenCredential UnifiedPassword = newPassword("unified-pwd");

        disableSyntheticPassword();

        mService.setLockCredential(UnifiedPassword, nonePassword(), PRIMARY_USER_ID);

        mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null);

        final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);

        final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);

        byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);

        byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID);

        assertTrue(primarySid != 0);

        assertTrue(profileSid != 0);

        assertTrue(profileSid != primarySid);



        // do migration

        enableSyntheticPassword();

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                UnifiedPassword, 0, PRIMARY_USER_ID)

                        .getResponseCode());



        // verify

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                UnifiedPassword, 0, PRIMARY_USER_ID)

                        .getResponseCode());

        assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));

        assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));

        assertArrayNotEquals(primaryStorageKey,

                mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));

        assertArrayNotEquals(profileStorageKey,

                mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID));

        assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));

        assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID));

    }



    @Test

    public void testManagedProfileSeparateChallengeMigration() throws RemoteException {

        LockscreenCredential primaryPassword = newPassword("primary");

        LockscreenCredential profilePassword = newPassword("profile");

        disableSyntheticPassword();

        mService.setLockCredential(primaryPassword, nonePassword(), PRIMARY_USER_ID);

        mService.setLockCredential(profilePassword, nonePassword(), MANAGED_PROFILE_USER_ID);

        final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);

        final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);

        byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);

        byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID);

        assertTrue(primarySid != 0);

        assertTrue(profileSid != 0);

        assertTrue(profileSid != primarySid);



        // do migration

        enableSyntheticPassword();

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                primaryPassword, 0, PRIMARY_USER_ID)

                        .getResponseCode());

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                profilePassword, 0, MANAGED_PROFILE_USER_ID)

                .getResponseCode());



        // verify

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                primaryPassword, 0, PRIMARY_USER_ID)

                .getResponseCode());

        assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(

                profilePassword, 0, MANAGED_PROFILE_USER_ID)

                .getResponseCode());

        assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));

        assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));

        assertArrayNotEquals(primaryStorageKey,

                mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));

        assertArrayNotEquals(profileStorageKey,

                mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID));

        assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));

        assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID));

    }



    @Test

    public void testTokenBasedResetPassword() throws RemoteException {

        LockscreenCredential password = newPassword("password");