Merge changes I4e2c7e85,I2ae60f46 into main

    description: "Flag to allow an adb secure setting to disable the adaptive auth lock"

    bug: "371057865"

}

flag {

    name: "failed_auth_lock_toggle"

    namespace: "biometrics"

    description: "Feature flag to enable the toggle for failed authentication lock"

    bug: "414605464"

}

import static android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE;

import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL;

import static android.security.Flags.disableAdaptiveAuthCounterLock;

import static android.security.Flags.failedAuthLockToggle;

import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_ADAPTIVE_AUTH_REQUEST;

    @VisibleForTesting

    static final int MAX_ALLOWED_FAILED_AUTH_ATTEMPTS = 5;

    private static final boolean DEFAULT_DISABLE_ADAPTIVE_AUTH_LIMIT_LOCK = false;

    private static final int MSG_REPORT_PRIMARY_AUTH_ATTEMPT = 1;

    private static final int MSG_REPORT_BIOMETRIC_AUTH_ATTEMPT = 2;

    private static final int AUTH_SUCCESS = 1;

            return;

        }

        if (disableAdaptiveAuthCounterLock() && Build.IS_DEBUGGABLE) {

        //TODO(b/421051706): Remove the condition Build.IS_DEBUGGABLE after flags are ramped up

        if (failedAuthLockToggle()

                || (disableAdaptiveAuthCounterLock() && Build.IS_DEBUGGABLE)) {

            // If userId is a profile, use its parent's settings to determine whether failed auth

            // lock is enabled or disabled for the profile, irrespective of the profile's own

            // settings. If userId is a main user (i.e. parentUserId equals to userId), use its own

            // settings

            final int parentUserId = mUserManager.getProfileParentId(userId);

            final boolean disabled = Settings.Secure.getIntForUser(

                    getContext().getContentResolver(),

                    Settings.Secure.DISABLE_ADAPTIVE_AUTH_LIMIT_LOCK,

                    0 /* default */, userId) != 0;

                    DEFAULT_DISABLE_ADAPTIVE_AUTH_LIMIT_LOCK ? 1 : 0, parentUserId) != 0;

            if (disabled) {

                Slog.d(TAG, "not locking (disabled by user)");

                Slog.i(TAG, "userId=" + userId + ", parentUserId=" + parentUserId

                        + ", failed auth lock is disabled by user in settings");

                return;

            }

        }

import android.hardware.biometrics.events.AuthenticationSucceededInfo;

import android.os.RemoteException;

import android.os.UserHandle;

import android.platform.test.annotations.DisableFlags;

import android.platform.test.annotations.EnableFlags;

import android.platform.test.annotations.Presubmit;

import android.platform.test.flag.junit.SetFlagsRule;

        if (android.security.Flags.secureLockdown()) {

            LocalServices.removeServiceForTest(SecureLockDeviceServiceInternal.class);

        }

        toggleAdaptiveAuthSettingsOverride(PRIMARY_USER_ID, false /* disable */);

    }

    @Test

                false /* enabled */);

    }

    @Test

    @DisableFlags({android.security.Flags.FLAG_DISABLE_ADAPTIVE_AUTH_COUNTER_LOCK})

    @EnableFlags({android.security.Flags.FLAG_FAILED_AUTH_LOCK_TOGGLE})

    public void testReportAuthAttempt_primaryAuthAndBiometricAuthFailed_primaryUserAndProfile_deviceLockDisabled()

            throws RemoteException {

        // The failed auth lock toggle for the primary user is set to disable

        toggleAdaptiveAuthSettingsOverride(PRIMARY_USER_ID, true /* disabled */);

        // The failed auth lock toggle for the managed profile is set to enable

        toggleAdaptiveAuthSettingsOverride(MANAGED_PROFILE_USER_ID, false /* disabled */);

        // Device lock should be disabled for both the primary user and its profile

        testReportAuthAttempt_primaryAuthAndBiometricAuthFailed_primaryUser(

                false /* enabled */);

        testReportAuthAttempt_primaryAuthAndBiometricAuthFailed_profileOfPrimaryUser(

                false /* enabled */);

    }

    private void testReportAuthAttempt_primaryAuthAndBiometricAuthFailed_primaryUser(

            boolean enabled) throws RemoteException {

        // Three failed primary auth attempts

    }

    @Test

    public void testReportAuthAttempt_primaryAuthAndBiometricAuthFailed_profileOfPrimaryUser()

    @DisableFlags({android.security.Flags.FLAG_DISABLE_ADAPTIVE_AUTH_COUNTER_LOCK})

    @EnableFlags({android.security.Flags.FLAG_FAILED_AUTH_LOCK_TOGGLE})

    public void testReportAuthAttempt_primaryAuthAndBiometricAuthFailed_profile_deviceLockEnabled()

            throws RemoteException {

        // The failed auth lock toggle for the primary user is set to enable in test setup, so the

        // toggle for the managed profile is implicitly set to enable

        // Device lock should be enabled for the managed profile

        testReportAuthAttempt_primaryAuthAndBiometricAuthFailed_profileOfPrimaryUser(

                true /* enabled */);

    }

    private void testReportAuthAttempt_primaryAuthAndBiometricAuthFailed_profileOfPrimaryUser(

            boolean enabled) throws RemoteException {

        // Three failed primary auth attempts

        for (int i = 0; i < 3; i++) {

            mLockSettingsStateListenerCaptor.getValue()

        }

        waitForAuthCompletion();

        if (enabled) {

            verifyLockDevice(MANAGED_PROFILE_USER_ID);

        } else {

            verifyNotLockDevice(MAX_ALLOWED_FAILED_AUTH_ATTEMPTS, MANAGED_PROFILE_USER_ID);

        }

    }

    private void verifyNotLockDevice(int expectedCntFailedAttempts, int userId) {