Loading services/core/java/com/android/server/locksettings/LockSettingsService.java +2 −15 Original line number Original line Diff line number Diff line Loading @@ -25,7 +25,6 @@ import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_NONE; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback; import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT; import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT; import static com.android.internal.widget.LockPatternUtils.USER_FRP; import static com.android.internal.widget.LockPatternUtils.USER_FRP; Loading Loading 
@@ -2532,23 +2531,12 @@ public class LockSettingsService extends ILockSettings.Stub { return type == PersistentData.TYPE_SP || type == PersistentData.TYPE_SP_WEAVER; return type == PersistentData.TYPE_SP || type == PersistentData.TYPE_SP_WEAVER; } } long handle = getSyntheticPasswordHandleLocked(userId); long handle = getSyntheticPasswordHandleLocked(userId); // This is a global setting return handle != SyntheticPasswordManager.DEFAULT_HANDLE; long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM); return enabled != 0 && handle != SyntheticPasswordManager.DEFAULT_HANDLE; } } @VisibleForTesting @VisibleForTesting protected boolean shouldMigrateToSyntheticPasswordLocked(int userId) { protected boolean shouldMigrateToSyntheticPasswordLocked(int userId) { long handle = getSyntheticPasswordHandleLocked(userId); return true; // This is a global setting long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM); return enabled != 0 && handle == SyntheticPasswordManager.DEFAULT_HANDLE; } private void enableSyntheticPasswordLocked() { setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM); } } private VerifyCredentialResponse spBasedDoVerifyCredential(byte[] userCredential, private VerifyCredentialResponse spBasedDoVerifyCredential(byte[] userCredential, Loading Loading 
@@ -2829,7 +2817,6 @@ public class LockSettingsService extends ILockSettings.Stub { throws RemoteException { throws RemoteException { if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId); if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId); synchronized (mSpManager) { synchronized (mSpManager) { enableSyntheticPasswordLocked(); // Migrate to synthetic password based credentials if the user has no password, // Migrate to synthetic password based credentials if the user has no password, // the token can then be activated immediately. // the token can then be activated immediately. AuthenticationToken auth = null; AuthenticationToken auth = null; Loading services/tests/servicestests/src/com/android/server/locksettings/SyntheticPasswordTests.java +0 −105 Original line number Original line Diff line number Diff line Loading 
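Review bot: `shouldMigrateToSyntheticPasswordLocked(int userId)` now returns `true` without reading `userId`, so it has dropped the per-user `handle == SyntheticPasswordManager.DEFAULT_HANDLE` half of the old condition along with the global flag. Its callers are outside this section; unless each one first applies the `handle != SyntheticPasswordManager.DEFAULT_HANDLE` test from the method just above, a user who already has a synthetic password handle could be sent through migration again. Keeping the per-user check, `return getSyntheticPasswordHandleLocked(userId) == SyntheticPasswordManager.DEFAULT_HANDLE;`, would preserve that invariant; failing that, a comment on the method should state that callers must check the handle first. The same commit also deletes `testPasswordMigration` and the two managed-profile migration tests in SyntheticPasswordTests.java, so the secure-user-id and storage-key assertions on the now-unconditional migration path are no longer covered.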
@@ -103,31 +103,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; } } @Test public void testPasswordMigration() throws RemoteException { final byte[] password = "testPasswordMigration-password".getBytes(); disableSyntheticPassword(); mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); enableSyntheticPassword(); // Performs migration assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); // SP-based verification assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); } protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException { protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException { enableSyntheticPassword(); enableSyntheticPassword(); int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC Loading Loading 
@@ -269,86 +244,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); } } @Test public void testManagedProfileUnifiedChallengeMigration() throws RemoteException { final byte[] UnifiedPassword = "testManagedProfileUnifiedChallengeMigration-pwd".getBytes(); disableSyntheticPassword(); mService.setLockCredential(UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); assertTrue(primarySid != 0); assertTrue(profileSid != 0); assertTrue(profileSid != primarySid); // do migration enableSyntheticPassword(); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); // verify assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); assertArrayNotEquals(profileStorageKey, mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); 
assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); } @Test public void testManagedProfileSeparateChallengeMigration() throws RemoteException { final byte[] primaryPassword = "testManagedProfileSeparateChallengeMigration-primary".getBytes(); final byte[] profilePassword = "testManagedProfileSeparateChallengeMigration-profile".getBytes(); disableSyntheticPassword(); mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false); final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); assertTrue(primarySid != 0); assertTrue(profileSid != 0); assertTrue(profileSid != primarySid); // do migration enableSyntheticPassword(); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, MANAGED_PROFILE_USER_ID).getResponseCode()); // verify assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, MANAGED_PROFILE_USER_ID).getResponseCode()); assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); 
assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); assertArrayNotEquals(profileStorageKey, mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); } @Test @Test public void testTokenBasedResetPassword() throws RemoteException { public void testTokenBasedResetPassword() throws RemoteException { final byte[] password = "password".getBytes(); final byte[] password = "password".getBytes(); Loading Loading
services/core/java/com/android/server/locksettings/LockSettingsService.java +2 −15 Original line number Original line Diff line number Diff line Loading @@ -25,7 +25,6 @@ import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_NONE; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback; import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT; import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT; import static com.android.internal.widget.LockPatternUtils.USER_FRP; import static com.android.internal.widget.LockPatternUtils.USER_FRP; Loading Loading 
@@ -2532,23 +2531,12 @@ public class LockSettingsService extends ILockSettings.Stub { return type == PersistentData.TYPE_SP || type == PersistentData.TYPE_SP_WEAVER; return type == PersistentData.TYPE_SP || type == PersistentData.TYPE_SP_WEAVER; } } long handle = getSyntheticPasswordHandleLocked(userId); long handle = getSyntheticPasswordHandleLocked(userId); // This is a global setting return handle != SyntheticPasswordManager.DEFAULT_HANDLE; long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM); return enabled != 0 && handle != SyntheticPasswordManager.DEFAULT_HANDLE; } } @VisibleForTesting @VisibleForTesting protected boolean shouldMigrateToSyntheticPasswordLocked(int userId) { protected boolean shouldMigrateToSyntheticPasswordLocked(int userId) { long handle = getSyntheticPasswordHandleLocked(userId); return true; // This is a global setting long enabled = getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, SYNTHETIC_PASSWORD_ENABLED_BY_DEFAULT, UserHandle.USER_SYSTEM); return enabled != 0 && handle == SyntheticPasswordManager.DEFAULT_HANDLE; } private void enableSyntheticPasswordLocked() { setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM); } } private VerifyCredentialResponse spBasedDoVerifyCredential(byte[] userCredential, private VerifyCredentialResponse spBasedDoVerifyCredential(byte[] userCredential, Loading Loading 
@@ -2829,7 +2817,6 @@ public class LockSettingsService extends ILockSettings.Stub { throws RemoteException { throws RemoteException { if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId); if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId); synchronized (mSpManager) { synchronized (mSpManager) { enableSyntheticPasswordLocked(); // Migrate to synthetic password based credentials if the user has no password, // Migrate to synthetic password based credentials if the user has no password, // the token can then be activated immediately. // the token can then be activated immediately. AuthenticationToken auth = null; AuthenticationToken auth = null; Loading
services/tests/servicestests/src/com/android/server/locksettings/SyntheticPasswordTests.java +0 −105 Original line number Original line Diff line number Diff line Loading @@ -103,31 +103,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; } } @Test public void testPasswordMigration() throws RemoteException { final byte[] password = "testPasswordMigration-password".getBytes(); disableSyntheticPassword(); mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); enableSyntheticPassword(); // Performs migration assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); // SP-based verification assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); } protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException { protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException { enableSyntheticPassword(); enableSyntheticPassword(); int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC Loading Loading 
@@ -269,86 +244,6 @@ public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); } } @Test public void testManagedProfileUnifiedChallengeMigration() throws RemoteException { final byte[] UnifiedPassword = "testManagedProfileUnifiedChallengeMigration-pwd".getBytes(); disableSyntheticPassword(); mService.setLockCredential(UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); assertTrue(primarySid != 0); assertTrue(profileSid != 0); assertTrue(profileSid != primarySid); // do migration enableSyntheticPassword(); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); // verify assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); assertArrayNotEquals(profileStorageKey, mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); 
assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); } @Test public void testManagedProfileSeparateChallengeMigration() throws RemoteException { final byte[] primaryPassword = "testManagedProfileSeparateChallengeMigration-primary".getBytes(); final byte[] profilePassword = "testManagedProfileSeparateChallengeMigration-profile".getBytes(); disableSyntheticPassword(); mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false); final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); assertTrue(primarySid != 0); assertTrue(profileSid != 0); assertTrue(profileSid != primarySid); // do migration enableSyntheticPassword(); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, MANAGED_PROFILE_USER_ID).getResponseCode()); // verify assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) .getResponseCode()); assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, MANAGED_PROFILE_USER_ID).getResponseCode()); assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); 
assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); assertArrayNotEquals(primaryStorageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); assertArrayNotEquals(profileStorageKey, mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); } @Test @Test public void testTokenBasedResetPassword() throws RemoteException { public void testTokenBasedResetPassword() throws RemoteException { final byte[] password = "password".getBytes(); final byte[] password = "password".getBytes(); Loading