core/java/android/app/admin/DevicePolicyManager.java +42 −8
@@ -4718,16 +4718,41 @@ public class DevicePolicyManager { public static final int KEYGUARD_DISABLE_FEATURES_ALL = 0x7fffffff; /** * Keyguard features that when set on a managed profile that doesn't have its own challenge will * affect the profile's parent user. These can also be set on the managed profile's parent * {@link DevicePolicyManager} instance. * Keyguard features that when set on a non-organization-owned managed profile that doesn't * have its own challenge will affect the profile's parent user. These can also be set on the * managed profile's parent {@link DevicePolicyManager} instance to explicitly control the * parent user. * * <p> * Organization-owned managed profile supports disabling additional keyguard features on the * parent user as defined in {@link #ORG_OWNED_PROFILE_KEYGUARD_FEATURES_PARENT_ONLY}. * * @hide */ public static final int PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER = public static final int NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER = DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS | DevicePolicyManager.KEYGUARD_DISABLE_BIOMETRICS; /** * Keyguard features that when set by the profile owner of an organization-owned managed * profile will affect the profile's parent user if set on the managed profile's parent * {@link DevicePolicyManager} instance. * * @hide */ public static final int ORG_OWNED_PROFILE_KEYGUARD_FEATURES_PARENT_ONLY = KEYGUARD_DISABLE_SECURE_CAMERA; /** * Keyguard features that when set on a normal or organization-owned managed profile, have * the potential to affect the profile's parent user. * * @hide */ public static final int PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER = DevicePolicyManager.NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER | DevicePolicyManager.ORG_OWNED_PROFILE_KEYGUARD_FEATURES_PARENT_ONLY; /** * @deprecated This method does not actually modify the storage encryption of the device. * It has never affected the encryption status of a device. Loading Loading 
@@ -6115,11 +6140,20 @@ public class DevicePolicyManager { * <li>{@link #KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS} which affects notifications generated * by applications in the managed profile. * </ul> * <p> * From version {@link android.os.Build.VERSION_CODES#R} the profile owner of an * organization-owned managed profile can set: * <ul> * <li>{@link #KEYGUARD_DISABLE_SECURE_CAMERA} which affects the parent user when called on the * parent profile. * </ul> * {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, {@link #KEYGUARD_DISABLE_FINGERPRINT}, * {@link #KEYGUARD_DISABLE_FACE} and {@link #KEYGUARD_DISABLE_IRIS} can also be * set on the {@link DevicePolicyManager} instance returned by * {@link #getParentProfileInstance(ComponentName)} in order to set restrictions on the parent * profile. * {@link #KEYGUARD_DISABLE_FACE}, {@link #KEYGUARD_DISABLE_IRIS} and * {@link #KEYGUARD_DISABLE_SECURE_CAMERA} can also be set on the {@link DevicePolicyManager} * instance returned by {@link #getParentProfileInstance(ComponentName)} in order to set * restrictions on the parent profile. {@link #KEYGUARD_DISABLE_SECURE_CAMERA} can only be set * on the parent profile instance if the calling device admin is the profile owner of an * organization-owned managed profile. * <p> * Requests to disable other features on a managed profile will be ignored. * <p> Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +14 −8 Original line number Diff line number Diff line Loading 
@@ -57,6 +57,7 @@ import static android.app.admin.DevicePolicyManager.LEAVE_ALL_SYSTEM_APPS_ENABLE import static android.app.admin.DevicePolicyManager.LOCK_TASK_FEATURE_HOME; import static android.app.admin.DevicePolicyManager.LOCK_TASK_FEATURE_NOTIFICATIONS; import static android.app.admin.DevicePolicyManager.LOCK_TASK_FEATURE_OVERVIEW; import static android.app.admin.DevicePolicyManager.NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_NONE; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC; Loading Loading @@ -522,7 +523,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { /** Keyguard features that are allowed to be set on a managed profile */ private static final int PROFILE_KEYGUARD_FEATURES = PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER | PROFILE_KEYGUARD_FEATURES_PROFILE_ONLY; NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER | PROFILE_KEYGUARD_FEATURES_PROFILE_ONLY; private static final int DEVICE_ADMIN_DEACTIVATE_TIMEOUT = 10000; Loading Loading 
@@ -8168,16 +8170,20 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } Objects.requireNonNull(who, "ComponentName is null"); final int userHandle = mInjector.userHandleGetCallingUserId(); synchronized (getLockObject()) { ActiveAdmin ap = getActiveAdminForCallerLocked( who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); if (isManagedProfile(userHandle)) { if (parent) { if (isProfileOwnerOfOrganizationOwnedDevice(ap)) { which = which & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; } else { which = which & NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; } } else { which = which & PROFILE_KEYGUARD_FEATURES; } } synchronized (getLockObject()) { ActiveAdmin ap = getActiveAdminForCallerLocked( who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); if (ap.disabledKeyguardFeatures != which) { ap.disabledKeyguardFeatures = which; saveSettingsLocked(userHandle); Loading services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +36 −0 Original line number Diff line number Diff line Loading 
@@ -2188,6 +2188,42 @@ public class DevicePolicyManagerTest extends DpmTestBase { assertThat(actualAccounts).containsExactlyElementsIn(expectedAccounts); } public void testSetKeyguardDisabledFeaturesWithDO() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; setupDeviceOwner(); dpm.setKeyguardDisabledFeatures(admin1, DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA); assertThat(dpm.getKeyguardDisabledFeatures(admin1)).isEqualTo( DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA); } public void testSetKeyguardDisabledFeaturesWithPO() throws Exception { setupProfileOwner(); dpm.setKeyguardDisabledFeatures(admin1, DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT); assertThat(dpm.getKeyguardDisabledFeatures(admin1)).isEqualTo( DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT); } public void testSetKeyguardDisabledFeaturesWithPOOfOrganizationOwnedDevice() throws Exception { final int MANAGED_PROFILE_USER_ID = DpmMockContext.CALLER_USER_HANDLE; final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, DpmMockContext.SYSTEM_UID); mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; addManagedProfile(admin1, MANAGED_PROFILE_ADMIN_UID, admin1); configureProfileOwnerOfOrgOwnedDevice(admin1, DpmMockContext.CALLER_USER_HANDLE); parentDpm.setKeyguardDisabledFeatures(admin1, DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA); assertThat(parentDpm.getKeyguardDisabledFeatures(admin1)).isEqualTo( DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA); } public void testSetApplicationHiddenWithDO() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; setupDeviceOwner(); Loading Loading
core/java/android/app/admin/DevicePolicyManager.java +42 −8
@@ -4718,16 +4718,41 @@ public class DevicePolicyManager { public static final int KEYGUARD_DISABLE_FEATURES_ALL = 0x7fffffff; /** * Keyguard features that when set on a managed profile that doesn't have its own challenge will * affect the profile's parent user. These can also be set on the managed profile's parent * {@link DevicePolicyManager} instance. * Keyguard features that when set on a non-organization-owned managed profile that doesn't * have its own challenge will affect the profile's parent user. These can also be set on the * managed profile's parent {@link DevicePolicyManager} instance to explicitly control the * parent user. * * <p> * Organization-owned managed profile supports disabling additional keyguard features on the * parent user as defined in {@link #ORG_OWNED_PROFILE_KEYGUARD_FEATURES_PARENT_ONLY}. * * @hide */ public static final int PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER = public static final int NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER = DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS | DevicePolicyManager.KEYGUARD_DISABLE_BIOMETRICS; /** * Keyguard features that when set by the profile owner of an organization-owned managed * profile will affect the profile's parent user if set on the managed profile's parent * {@link DevicePolicyManager} instance. * * @hide */ public static final int ORG_OWNED_PROFILE_KEYGUARD_FEATURES_PARENT_ONLY = KEYGUARD_DISABLE_SECURE_CAMERA; /** * Keyguard features that when set on a normal or organization-owned managed profile, have * the potential to affect the profile's parent user. * * @hide */ public static final int PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER = DevicePolicyManager.NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER | DevicePolicyManager.ORG_OWNED_PROFILE_KEYGUARD_FEATURES_PARENT_ONLY; /** * @deprecated This method does not actually modify the storage encryption of the device. * It has never affected the encryption status of a device. Loading Loading 
@@ -6115,11 +6140,20 @@ public class DevicePolicyManager { * <li>{@link #KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS} which affects notifications generated * by applications in the managed profile. * </ul> * <p> * From version {@link android.os.Build.VERSION_CODES#R} the profile owner of an * organization-owned managed profile can set: * <ul> * <li>{@link #KEYGUARD_DISABLE_SECURE_CAMERA} which affects the parent user when called on the * parent profile. * </ul> * {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, {@link #KEYGUARD_DISABLE_FINGERPRINT}, * {@link #KEYGUARD_DISABLE_FACE} and {@link #KEYGUARD_DISABLE_IRIS} can also be * set on the {@link DevicePolicyManager} instance returned by * {@link #getParentProfileInstance(ComponentName)} in order to set restrictions on the parent * profile. * {@link #KEYGUARD_DISABLE_FACE}, {@link #KEYGUARD_DISABLE_IRIS} and * {@link #KEYGUARD_DISABLE_SECURE_CAMERA} can also be set on the {@link DevicePolicyManager} * instance returned by {@link #getParentProfileInstance(ComponentName)} in order to set * restrictions on the parent profile. {@link #KEYGUARD_DISABLE_SECURE_CAMERA} can only be set * on the parent profile instance if the calling device admin is the profile owner of an * organization-owned managed profile. * <p> * Requests to disable other features on a managed profile will be ignored. * <p> Loading
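Review bot: `PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER` keeps its name in the first hunk but its value now also carries `KEYGUARD_DISABLE_SECURE_CAMERA`, so any caller outside this diff that still uses it as a mask picks up the wider set without an organization-ownership check. Only the setter in DevicePolicyManagerService is visible on this page; other readers of the constant (for example whatever aggregates the parent user's disabled features) should be audited, which cannot be confirmed from here. I would state the contract in the Javadoc, e.g. `* Not an allow-mask on its own: bits in {@link #ORG_OWNED_PROFILE_KEYGUARD_FEATURES_PARENT_ONLY} may only be honored for the profile owner of an organization-owned managed profile.`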
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +14 −8 Original line number Diff line number Diff line Loading @@ -57,6 +57,7 @@ import static android.app.admin.DevicePolicyManager.LEAVE_ALL_SYSTEM_APPS_ENABLE import static android.app.admin.DevicePolicyManager.LOCK_TASK_FEATURE_HOME; import static android.app.admin.DevicePolicyManager.LOCK_TASK_FEATURE_NOTIFICATIONS; import static android.app.admin.DevicePolicyManager.LOCK_TASK_FEATURE_OVERVIEW; import static android.app.admin.DevicePolicyManager.NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_NONE; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC; Loading Loading @@ -522,7 +523,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { /** Keyguard features that are allowed to be set on a managed profile */ private static final int PROFILE_KEYGUARD_FEATURES = PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER | PROFILE_KEYGUARD_FEATURES_PROFILE_ONLY; NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER | PROFILE_KEYGUARD_FEATURES_PROFILE_ONLY; private static final int DEVICE_ADMIN_DEACTIVATE_TIMEOUT = 10000; Loading Loading 
@@ -8168,16 +8170,20 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } Objects.requireNonNull(who, "ComponentName is null"); final int userHandle = mInjector.userHandleGetCallingUserId(); synchronized (getLockObject()) { ActiveAdmin ap = getActiveAdminForCallerLocked( who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); if (isManagedProfile(userHandle)) { if (parent) { if (isProfileOwnerOfOrganizationOwnedDevice(ap)) { which = which & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; } else { which = which & NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; } } else { which = which & PROFILE_KEYGUARD_FEATURES; } } synchronized (getLockObject()) { ActiveAdmin ap = getActiveAdminForCallerLocked( who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); if (ap.disabledKeyguardFeatures != which) { ap.disabledKeyguardFeatures = which; saveSettingsLocked(userHandle); Loading
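Review bot: In the `parent` branch of the last hunk, bits outside the caller's mask are dropped without any signal, so a profile owner that is not on an organization-owned device can pass `KEYGUARD_DISABLE_SECURE_CAMERA` to the parent instance and the call returns normally with the bit removed. That matches the documented "will be ignored" behavior, but the branch is now an authorization decision about the personal side of the device and deserves a comment, e.g. `// Only the PO of an organization-owned profile may restrict the parent's secure camera; other bits are dropped silently.` The admin lookup appears to have moved ahead of the masking because the mask now depends on `ap`; a short why-comment there would keep a later refactor from moving it back. The enclosing method starts and ends outside the hunk.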
services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +36 −0 Original line number Diff line number Diff line Loading @@ -2188,6 +2188,42 @@ public class DevicePolicyManagerTest extends DpmTestBase { assertThat(actualAccounts).containsExactlyElementsIn(expectedAccounts); } public void testSetKeyguardDisabledFeaturesWithDO() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; setupDeviceOwner(); dpm.setKeyguardDisabledFeatures(admin1, DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA); assertThat(dpm.getKeyguardDisabledFeatures(admin1)).isEqualTo( DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA); } public void testSetKeyguardDisabledFeaturesWithPO() throws Exception { setupProfileOwner(); dpm.setKeyguardDisabledFeatures(admin1, DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT); assertThat(dpm.getKeyguardDisabledFeatures(admin1)).isEqualTo( DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT); } public void testSetKeyguardDisabledFeaturesWithPOOfOrganizationOwnedDevice() throws Exception { final int MANAGED_PROFILE_USER_ID = DpmMockContext.CALLER_USER_HANDLE; final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, DpmMockContext.SYSTEM_UID); mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; addManagedProfile(admin1, MANAGED_PROFILE_ADMIN_UID, admin1); configureProfileOwnerOfOrgOwnedDevice(admin1, DpmMockContext.CALLER_USER_HANDLE); parentDpm.setKeyguardDisabledFeatures(admin1, DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA); assertThat(parentDpm.getKeyguardDisabledFeatures(admin1)).isEqualTo( DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA); } public void testSetApplicationHiddenWithDO() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; setupDeviceOwner(); Loading
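Review bot: The three added tests only cover calls that are allowed; nothing pins the deny path that the new mask in `setKeyguardDisabledFeatures` introduces. A regression that let an ordinary profile owner disable the parent's secure camera would pass this suite. I would add a case that sets up the managed profile without `configureProfileOwnerOfOrgOwnedDevice`, calls `parentDpm.setKeyguardDisabledFeatures(admin1, DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA);` and asserts the bit is absent from `parentDpm.getKeyguardDisabledFeatures(admin1)`, plus one where the organization-owned profile owner sets it on `dpm` rather than `parentDpm`. The expected getter value is inferred from the mask in the service hunk, so check it against the getter's aggregation.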