
Commit d20f2fdc authored by Diya Bera's avatar Diya Bera Committed by Android (Google) Code Review

Merge "[1/N] Skeleton for watch ranging for Identity Check" into main

parents 59177e64 0b4b9da4
+7 −0
@@ -93,3 +93,10 @@ flag {
  description: "This flag applies Identity Check to all biometric prompt requests"
  bug: "402534668"
}

flag {
  name: "identity_check_watch"
  namespace: "biometrics_framework"
  description: "This flag is for the integration of Identity Check with Watch"
  bug: "397954948"
}
+27 −0
@@ -16,6 +16,8 @@
package android.security.authenticationpolicy;

import static android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE;
import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL;
import static android.hardware.biometrics.Flags.FLAG_IDENTITY_CHECK_WATCH;
import static android.security.Flags.FLAG_SECURE_LOCKDOWN;
import static android.security.Flags.FLAG_SECURE_LOCK_DEVICE;

@@ -29,7 +31,9 @@ import android.annotation.SystemService;
import android.content.Context;
import android.os.Binder;
import android.os.Build;
import android.os.Handler;
import android.os.RemoteException;
import android.proximity.IProximityResultCallback;
import android.util.Log;

import java.lang.annotation.Retention;
@@ -495,4 +499,27 @@ public final class AuthenticationPolicyManager {
            throw e.rethrowFromSystemServer();
        }
    }

    /**
     * This function will start watch ranging for Identity Check. We will remove specific
     * Identity Check implementation when this is generalized.
     *
     * @param resultCallback callback used to return the ranging result
     * @param handler handler to start the ranging request
     *
     * @hide
     */
    @RequiresPermission(USE_BIOMETRIC_INTERNAL)
    @FlaggedApi(FLAG_IDENTITY_CHECK_WATCH)
    public void startWatchRangingForIdentityCheck(
            @NonNull IProximityResultCallback resultCallback, Handler handler) {
        //TODO (b/397954948) : Update callback results to trigger in the handler
        handler.post(() -> {
            try {
                mAuthenticationPolicyService.startWatchRangingForIdentityCheck(resultCallback);
            } catch (RemoteException e) {
                throw e.rethrowFromSystemServer();
            }
        });
    }
}
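Review bot: The `throw e.rethrowFromSystemServer()` inside the runnable passed to `handler.post` in `startWatchRangingForIdentityCheck` is raised on the handler's thread rather than back to the caller, so a failed binder call becomes an uncaught exception on whatever looper the caller supplied. Logging the failure there instead, e.g. `Log.e(TAG, "startWatchRangingForIdentityCheck failed", e);` (assuming the class already has a log tag), keeps the failure contained. `handler` is also dereferenced without an annotation or check while `resultCallback` is `@NonNull`; declaring it `@NonNull Handler handler` would make the contract consistent. The Javadoc could state which thread the binder call runs on, since the TODO indicates callback delivery has not yet been moved onto the handler.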
+4 −0
@@ -17,6 +17,7 @@
package android.security.authenticationpolicy;

import android.os.UserHandle;
import android.proximity.IProximityResultCallback;
import android.security.authenticationpolicy.EnableSecureLockDeviceParams;
import android.security.authenticationpolicy.DisableSecureLockDeviceParams;
import android.security.authenticationpolicy.ISecureLockDeviceStatusListener;
@@ -44,4 +45,7 @@ interface IAuthenticationPolicyService {

    @EnforcePermission("MANAGE_SECURE_LOCK_DEVICE")
    void unregisterSecureLockDeviceStatusListener(in ISecureLockDeviceStatusListener listener);

    @EnforcePermission("USE_BIOMETRIC_INTERNAL")
    void startWatchRangingForIdentityCheck(in IProximityResultCallback resultCallback);
}
 No newline at end of file
+48 −0
@@ -28,6 +28,7 @@ import static com.android.server.biometrics.BiometricServiceStateProto.STATE_AUT

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.SuppressLint;
import android.app.ActivityManager;
import android.app.IActivityManager;
import android.app.UserSwitchObserver;
@@ -75,8 +76,10 @@ import android.os.ServiceManager;
import android.os.UserHandle;
import android.os.UserManager;
import android.provider.Settings;
import android.proximity.IProximityResultCallback;
import android.security.GateKeeper;
import android.security.KeyStoreAuthorization;
import android.security.authenticationpolicy.AuthenticationPolicyManager;
import android.service.gatekeeper.IGateKeeperService;
import android.text.TextUtils;
import android.util.ArraySet;
@@ -124,6 +127,7 @@ public class BiometricService extends SystemService {
    @NonNull private final Supplier<Long> mRequestCounter;
    @NonNull private final BiometricContext mBiometricContext;
    private final UserManager mUserManager;
    private final AuthenticationPolicyManager mAuthenticationPolicyManager;

    @VisibleForTesting
    IStatusBarService mStatusBarService;
@@ -1434,6 +1438,11 @@ public class BiometricService extends SystemService {
        public BiometricNotificationLogger getNotificationLogger() {
            return new BiometricNotificationLogger();
        }

        public AuthenticationPolicyManager getAuthenticationPolicyManager(Context context) {
            return (AuthenticationPolicyManager)
                    context.getSystemService(Context.AUTHENTICATION_POLICY_SERVICE);
        }
    }

    /**
@@ -1468,6 +1477,7 @@ public class BiometricService extends SystemService {
        mKeyStoreAuthorization = injector.getKeyStoreAuthorization();
        mGateKeeper = injector.getGateKeeperService();
        mBiometricNotificationLogger = injector.getNotificationLogger();
        mAuthenticationPolicyManager = mInjector.getAuthenticationPolicyManager(context);

        try {
            injector.getActivityManagerService().registerUserSwitchObserver(
@@ -1820,6 +1830,8 @@ public class BiometricService extends SystemService {
                operationId, userId, createBiometricSensorReceiver(requestId), receiver,
                opPackageName, promptInfo, debugEnabled,
                mInjector.getFingerprintSensorProperties(getContext()));
        startWatchRangingIfIdentityCheckActive(promptInfo);

        try {
            mAuthSession.goToInitialState();
        } catch (RemoteException e) {
@@ -1827,6 +1839,42 @@ public class BiometricService extends SystemService {
        }
    }

    /**
     * This is invoked only if Identity Check is active and the device is considered at risk. If the
     * watch is in range, it will re-enable device credential if it was originally requested.
     *
     * @param promptInfo biometric prompt info
     */
    @SuppressLint("MissingPermission")
    private void startWatchRangingIfIdentityCheckActive(PromptInfo promptInfo) {
        if (android.hardware.biometrics.Flags.identityCheckWatch()
                && promptInfo.isIdentityCheckActive() && promptInfo.isDeviceCredentialAllowed()) {
            if (mAuthenticationPolicyManager == null) {
                Slog.e(TAG, "Authentication policy manager is null. Skipping watch ranging");
                return;
            }

            //TODO (b/397954948) : Update callback results to handle System UI changes
            mAuthenticationPolicyManager.startWatchRangingForIdentityCheck(
                    new IProximityResultCallback() {
                        @Override
                        public void onError(int error) throws RemoteException {

                        }

                        @Override
                        public void onSuccess(int result) throws RemoteException {

                        }

                        @Override
                        public IBinder asBinder() {
                            return null;
                        }
                    }, mHandler);
        }
    }

    private void handleCancelAuthentication(long requestId) {
        final AuthSession session = getAuthSessionIfCurrent(requestId);
        if (session == null) {
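Review bot: The anonymous `IProximityResultCallback` in `startWatchRangingIfIdentityCheckActive` implements the AIDL interface directly and returns `null` from `asBinder()`, so it is not a binder object; if the manager's service reference is ever a proxy, the service would presumably receive a null callback and no result could be delivered. Extending the generated stub, `new IProximityResultCallback.Stub() {`, and dropping the `asBinder()` override avoids that. Because a successful result is meant to re-enable device credential, the follow-up that fills in `onSuccess`/`onError` should treat errors and missing results as "watch not in range" and tie the result to the current request so a late callback cannot affect a different prompt; a comment at the TODO recording that would help. The `@SuppressLint("MissingPermission")` also deserves a one-line comment stating why the call is safe at this site.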
+11 −0
@@ -18,6 +18,7 @@ package com.android.server.security.authenticationpolicy;

import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL;
import static android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE;
import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL;
import static android.security.Flags.disableAdaptiveAuthCounterLock;

import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_ADAPTIVE_AUTH_REQUEST;
@@ -44,6 +45,7 @@ import android.os.Message;
import android.os.SystemClock;
import android.os.UserHandle;
import android.provider.Settings;
import android.proximity.IProximityResultCallback;
import android.security.authenticationpolicy.AuthenticationPolicyManager;
import android.security.authenticationpolicy.AuthenticationPolicyManager.DisableSecureLockDeviceRequestStatus;
import android.security.authenticationpolicy.AuthenticationPolicyManager.EnableSecureLockDeviceRequestStatus;
@@ -482,5 +484,14 @@ public class AuthenticationPolicyService extends SystemService {
                Binder.restoreCallingIdentity(identity);
            }
        }

        @Override
        @EnforcePermission(USE_BIOMETRIC_INTERNAL)
        public void startWatchRangingForIdentityCheck(
                IProximityResultCallback resultCallback) {
            startWatchRangingForIdentityCheck_enforcePermission();
            Slog.d(TAG, "startWatchRangingForIdentityCheck");
            //TODO (b/397954948) : Bind to IProximityProviderService and start ranging
        }
    };
}
 No newline at end of file
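Review bot: `resultCallback` is accepted in the new `startWatchRangingForIdentityCheck` binder method without a null check, and an AIDL interface argument can arrive as null; adding `Objects.requireNonNull(resultCallback);` right after the `_enforcePermission()` call (if `java.util.Objects` is available in this file) spares the later ranging code from handling it. The method currently returns without ever invoking the callback, so a caller cannot tell "not implemented" from "still ranging"; a short comment at the TODO saying that no result is delivered yet would make that explicit. The enclosing binder stub starts outside this hunk.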