Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4175f40f authored by Tsung-Mao Fang's avatar Tsung-Mao Fang
Browse files

Check current user owns a frp credential 

In Android U+ tablet device, Android introduces headless mode which
running on a main user instead of system user. Therefore, device throw
a security error in HSUM build now.

For now, we check whether current user owns a frp
credential instead. This way also works on non HSUM build.

Test: robo test + run FRP mode in Suw flow.
Fix: 262438904
Change-Id: Ie4c7c470b13b9de8d532e61e9984521cebe7adff
parent 20326d69

src/com/android/settings/Utils.java

+11 −7
Original line number Original line Diff line number Diff line
@@ -98,6 +98,7 @@ import androidx.annotation.ColorInt; 
import androidx.annotation.NonNull;

import androidx.annotation.NonNull;

import androidx.annotation.Nullable;

import androidx.annotation.Nullable;

import androidx.annotation.StringRes;

import androidx.annotation.StringRes;

import androidx.annotation.VisibleForTesting;

import androidx.core.graphics.drawable.IconCompat;

import androidx.core.graphics.drawable.IconCompat;

import androidx.core.graphics.drawable.RoundedBitmapDrawable;

import androidx.core.graphics.drawable.RoundedBitmapDrawable;

import androidx.core.graphics.drawable.RoundedBitmapDrawableFactory;

import androidx.core.graphics.drawable.RoundedBitmapDrawableFactory;
@@ -704,23 +705,26 @@ public final class Utils extends com.android.settingslib.Utils { 
                && bundle.getBoolean(ChooseLockSettingsHelper.EXTRA_KEY_ALLOW_ANY_USER, false);

                && bundle.getBoolean(ChooseLockSettingsHelper.EXTRA_KEY_ALLOW_ANY_USER, false);

        final int userId = bundle.getInt(Intent.EXTRA_USER_ID, UserHandle.myUserId());

        final int userId = bundle.getInt(Intent.EXTRA_USER_ID, UserHandle.myUserId());

        if (userId == LockPatternUtils.USER_FRP) {

        if (userId == LockPatternUtils.USER_FRP) {

            return allowAnyUser ? userId : enforceSystemUser(context, userId);

            return allowAnyUser ? userId : checkUserOwnsFrpCredential(context, userId);

        } else {

        } else {

            return allowAnyUser ? userId : enforceSameOwner(context, userId);

            return allowAnyUser ? userId : enforceSameOwner(context, userId);

        }

        }

    }

    }





    /**

    /**

     * Returns the given user id if the current user is the system user.

     * Returns the given user id if the current user owns frp credential.

     *

     *

     * @throws SecurityException if the current user is not the system user.

     * @throws SecurityException if the current user do not own the frp credential.

     */

     */

    public static int enforceSystemUser(Context context, int userId) {

    @VisibleForTesting

        if (UserHandle.myUserId() == UserHandle.USER_SYSTEM) {

    static int checkUserOwnsFrpCredential(Context context, int userId) {

        final UserManager um = context.getSystemService(UserManager.class);

        if (LockPatternUtils.userOwnsFrpCredential(context,

                um.getUserInfo(UserHandle.myUserId()))) {

            return userId;

            return userId;

        }

        }

        throw new SecurityException("Given user id " + userId + " must only be used from "

        throw new SecurityException("Current user id " + UserHandle.myUserId()

                + "USER_SYSTEM, but current user is " + UserHandle.myUserId());

                + " does not own frp credential.");

    }

    }





    /**

    /**

tests/robotests/src/com/android/settings/UtilsTest.java

+39 −6
Original line number Original line Diff line number Diff line
@@ -18,6 +18,7 @@ package com.android.settings; 




import static com.google.common.truth.Truth.assertThat;

import static com.google.common.truth.Truth.assertThat;





import static org.junit.Assert.assertThrows;

import static org.mockito.ArgumentMatchers.anyInt;

import static org.mockito.ArgumentMatchers.anyInt;

import static org.mockito.ArgumentMatchers.anyString;

import static org.mockito.ArgumentMatchers.anyString;

import static org.mockito.ArgumentMatchers.eq;

import static org.mockito.ArgumentMatchers.eq;
@@ -59,6 +60,9 @@ import android.widget.TextView; 
import androidx.core.graphics.drawable.IconCompat;

import androidx.core.graphics.drawable.IconCompat;

import androidx.fragment.app.FragmentActivity;

import androidx.fragment.app.FragmentActivity;





import com.android.settings.testutils.shadow.ShadowLockPatternUtils;



import org.junit.After;

import org.junit.Before;

import org.junit.Before;

import org.junit.Test;

import org.junit.Test;

import org.junit.runner.RunWith;

import org.junit.runner.RunWith;
@@ -67,6 +71,7 @@ import org.mockito.MockitoAnnotations; 
import org.robolectric.Robolectric;

import org.robolectric.Robolectric;

import org.robolectric.RobolectricTestRunner;

import org.robolectric.RobolectricTestRunner;

import org.robolectric.RuntimeEnvironment;

import org.robolectric.RuntimeEnvironment;

import org.robolectric.annotation.Config;

import org.robolectric.shadows.ShadowBinder;

import org.robolectric.shadows.ShadowBinder;





import java.net.InetAddress;

import java.net.InetAddress;
@@ -74,6 +79,7 @@ import java.util.ArrayList; 
import java.util.List;

import java.util.List;





@RunWith(RobolectricTestRunner.class)

@RunWith(RobolectricTestRunner.class)

@Config(shadows = ShadowLockPatternUtils.class)

public class UtilsTest {

public class UtilsTest {





    private static final String PACKAGE_NAME = "com.android.app";

    private static final String PACKAGE_NAME = "com.android.app";
@@ -88,7 +94,7 @@ public class UtilsTest { 
    @Mock

    @Mock

    private DevicePolicyManager mDevicePolicyManager;

    private DevicePolicyManager mDevicePolicyManager;

    @Mock

    @Mock

    private UserManager mUserManager;

    private UserManager mMockUserManager;

    @Mock

    @Mock

    private PackageManager mPackageManager;

    private PackageManager mPackageManager;

    @Mock

    @Mock
@@ -96,18 +102,27 @@ public class UtilsTest { 
    @Mock

    @Mock

    private ApplicationInfo mApplicationInfo;

    private ApplicationInfo mApplicationInfo;

    private Context mContext;

    private Context mContext;

    private UserManager mUserManager;

    private static final int FLAG_SYSTEM = 0x00000000;

    private static final int FLAG_MAIN = 0x00004000;





    @Before

    @Before

    public void setUp() {

    public void setUp() {

        MockitoAnnotations.initMocks(this);

        MockitoAnnotations.initMocks(this);





        mContext = spy(RuntimeEnvironment.application);

        mContext = spy(RuntimeEnvironment.application);

        mUserManager = (UserManager) mContext.getSystemService(Context.USER_SERVICE);

        when(mContext.getSystemService(WifiManager.class)).thenReturn(wifiManager);

        when(mContext.getSystemService(WifiManager.class)).thenReturn(wifiManager);

        when(mContext.getSystemService(Context.CONNECTIVITY_SERVICE))

        when(mContext.getSystemService(Context.CONNECTIVITY_SERVICE))

                .thenReturn(connectivityManager);

                .thenReturn(connectivityManager);

        when(mContext.getPackageManager()).thenReturn(mPackageManager);

        when(mContext.getPackageManager()).thenReturn(mPackageManager);

    }

    }





    @After

    public void tearDown() {

        ShadowLockPatternUtils.reset();

    }



    @Test

    @Test

    public void getWifiIpAddresses_succeeds() throws Exception {

    public void getWifiIpAddresses_succeeds() throws Exception {

        when(wifiManager.getCurrentNetwork()).thenReturn(network);

        when(wifiManager.getCurrentNetwork()).thenReturn(network);
@@ -173,7 +188,8 @@ public class UtilsTest { 
    public void isProfileOrDeviceOwner_deviceOwnerApp_returnTrue() {

    public void isProfileOrDeviceOwner_deviceOwnerApp_returnTrue() {

        when(mDevicePolicyManager.isDeviceOwnerAppOnAnyUser(PACKAGE_NAME)).thenReturn(true);

        when(mDevicePolicyManager.isDeviceOwnerAppOnAnyUser(PACKAGE_NAME)).thenReturn(true);





        assertThat(Utils.isProfileOrDeviceOwner(mUserManager, mDevicePolicyManager, PACKAGE_NAME))

        assertThat(

            Utils.isProfileOrDeviceOwner(mMockUserManager, mDevicePolicyManager, PACKAGE_NAME))

                .isTrue();

                .isTrue();

    }

    }
@@ -182,11 +198,12 @@ public class UtilsTest { 
        final List<UserInfo> userInfos = new ArrayList<>();

        final List<UserInfo> userInfos = new ArrayList<>();

        userInfos.add(new UserInfo());

        userInfos.add(new UserInfo());





        when(mUserManager.getUsers()).thenReturn(userInfos);

        when(mMockUserManager.getUsers()).thenReturn(userInfos);

        when(mDevicePolicyManager.getProfileOwnerAsUser(userInfos.get(0).id))

        when(mDevicePolicyManager.getProfileOwnerAsUser(userInfos.get(0).id))

            .thenReturn(new ComponentName(PACKAGE_NAME, ""));

            .thenReturn(new ComponentName(PACKAGE_NAME, ""));





        assertThat(Utils.isProfileOrDeviceOwner(mUserManager, mDevicePolicyManager, PACKAGE_NAME))

        assertThat(

            Utils.isProfileOrDeviceOwner(mMockUserManager, mDevicePolicyManager, PACKAGE_NAME))

                .isTrue();

                .isTrue();

    }

    }
@@ -339,4 +356,20 @@ public class UtilsTest { 




        assertThat(Utils.canCurrentUserDream(mockContext)).isFalse();

        assertThat(Utils.canCurrentUserDream(mockContext)).isFalse();

    }

    }



    @Test

    public void checkUserOwnsFrpCredential_userOwnsFrpCredential_returnUserId() {

        ShadowLockPatternUtils.setUserOwnsFrpCredential(true);



        assertThat(Utils.checkUserOwnsFrpCredential(mContext, 123)).isEqualTo(123);

    }



    @Test

    public void checkUserOwnsFrpCredential_userNotOwnsFrpCredential_returnUserId() {

        ShadowLockPatternUtils.setUserOwnsFrpCredential(false);



        assertThrows(

                SecurityException.class,

                () -> Utils.checkUserOwnsFrpCredential(mContext, 123));

    }

}
 
}

tests/robotests/src/com/android/settings/testutils/shadow/ShadowLockPatternUtils.java

+14 −0
Original line number Original line Diff line number Diff line
@@ -19,6 +19,8 @@ package com.android.settings.testutils.shadow; 
import android.app.admin.DevicePolicyManager;

import android.app.admin.DevicePolicyManager;

import android.app.admin.PasswordMetrics;

import android.app.admin.PasswordMetrics;

import android.content.ComponentName;

import android.content.ComponentName;

import android.content.Context;

import android.content.pm.UserInfo;

import android.os.UserHandle;

import android.os.UserHandle;





import com.android.internal.widget.LockPatternUtils;

import com.android.internal.widget.LockPatternUtils;
@@ -42,6 +44,8 @@ public class ShadowLockPatternUtils { 
    private static Map<Integer, PasswordMetrics> sUserToProfileMetricsMap = new HashMap<>();

    private static Map<Integer, PasswordMetrics> sUserToProfileMetricsMap = new HashMap<>();

    private static Map<Integer, Boolean> sUserToIsSecureMap = new HashMap<>();

    private static Map<Integer, Boolean> sUserToIsSecureMap = new HashMap<>();





    private static boolean sIsUserOwnsFrpCredential;



    @Resetter

    @Resetter

    public static void reset() {

    public static void reset() {

        sUserToComplexityMap.clear();

        sUserToComplexityMap.clear();
@@ -50,6 +54,7 @@ public class ShadowLockPatternUtils { 
        sUserToProfileMetricsMap.clear();

        sUserToProfileMetricsMap.clear();

        sUserToIsSecureMap.clear();

        sUserToIsSecureMap.clear();

        sDeviceEncryptionEnabled = false;

        sDeviceEncryptionEnabled = false;

        sIsUserOwnsFrpCredential = false;

    }

    }





    @Implementation

    @Implementation
@@ -122,6 +127,15 @@ public class ShadowLockPatternUtils { 
        return complexity;

        return complexity;

    }

    }





    @Implementation

    public static boolean userOwnsFrpCredential(Context context, UserInfo info) {

        return sIsUserOwnsFrpCredential;

    }



    public static void setUserOwnsFrpCredential(boolean isUserOwnsFrpCredential) {

        sIsUserOwnsFrpCredential = isUserOwnsFrpCredential;

    }



    public static void setRequiredPasswordComplexity(int userHandle, int complexity) {

    public static void setRequiredPasswordComplexity(int userHandle, int complexity) {

        sUserToComplexityMap.put(userHandle, complexity);

        sUserToComplexityMap.put(userHandle, complexity);

    }

    }