
Commit 9be0899b authored by joshmccloskey's avatar joshmccloskey Committed by Joshua Mccloskey

Enforce policy management.

Test: Verified disabling fingerprint will not allow
the user to unlock work apps with fingerprint. (But can use fingerprint
within apps.)
Test: Verified disabling face and/or iris on a fingerprint device will
continue to
allow the user to unlock work apps with fingerprint.
Test: Verified disabling face on a face authentication device
will not allow the user to unlock work apps with face authentication.
(But can use face
authentication within apps.)
Test: Verified disabling fingerprint and/or iris on a face
authentication device will continue to allow the user to unlock work
apps with face authentication.
Bug: 141382589

Change-Id: I74135dd9f6afb1b789302ad0af3daf8a73a4181b
parent ca3639a6
+40 −3
@@ -25,6 +25,7 @@ import android.app.admin.DevicePolicyManager;
import android.app.trust.TrustManager;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.hardware.biometrics.BiometricConstants;
import android.hardware.biometrics.BiometricManager;
import android.hardware.biometrics.BiometricPrompt;
@@ -52,6 +53,12 @@ import java.util.concurrent.Executor;
public class ConfirmDeviceCredentialActivity extends FragmentActivity {
    public static final String TAG = ConfirmDeviceCredentialActivity.class.getSimpleName();

    /**
     * If the intent is sent from {@link com.android.systemui.keyguard.WorkLockActivity} then
     * check for device policy management flags.
     */
    public static final String EXTRA_FROM_WORK_LOCK_ACTIVITY = "from_work_lock_activity";

    // The normal flow that apps go through
    private static final int CREDENTIAL_NORMAL = 1;
    // Unlocks the managed profile when the primary profile is unlocked
@@ -90,6 +97,8 @@ public class ConfirmDeviceCredentialActivity extends FragmentActivity {
    private TrustManager mTrustManager;
    private ChooseLockSettingsHelper mChooseLockSettingsHelper;
    private Handler mHandler = new Handler(Looper.getMainLooper());
    private Context mContext;
    private boolean mFromWorkLockActivity;

    private String mTitle;
    private String mDetails;
@@ -149,6 +158,8 @@ public class ConfirmDeviceCredentialActivity extends FragmentActivity {
        mLockPatternUtils = new LockPatternUtils(this);

        Intent intent = getIntent();
        mContext = this;
        mFromWorkLockActivity = intent.getBooleanExtra(EXTRA_FROM_WORK_LOCK_ACTIVITY, false);
        mTitle = intent.getStringExtra(KeyguardManager.EXTRA_TITLE);
        mDetails = intent.getStringExtra(KeyguardManager.EXTRA_DESCRIPTION);
        String alternateButton = intent.getStringExtra(
@@ -190,7 +201,7 @@ public class ConfirmDeviceCredentialActivity extends FragmentActivity {
        } else if (isManagedProfile && isInternalActivity()
                && !lockPatternUtils.isSeparateProfileChallengeEnabled(mUserId)) {
            mCredentialMode = CREDENTIAL_MANAGED;
            if (isBiometricAllowed(effectiveUserId, mUserId)) {
            if (mFromWorkLockActivity && isBiometricAllowed(effectiveUserId, mUserId)) {
                showBiometricPrompt(bpBundle);
                launchedBiometric = true;
            } else {
@@ -256,10 +267,36 @@ public class ConfirmDeviceCredentialActivity extends FragmentActivity {
                || !mUserManager.isUserUnlocked(mUserId);
    }

    /**
     * TODO: Pass a list of disabled features to an internal BiometricPrompt API, so we can
     * potentially show different modalities on multi-auth devices.
     *
     * @param effectiveUserId
     * @return false if their exists one biometric on the device which is not disabled by the
     * policy manager.
     */
    private boolean isBiometricDisabledByAdmin(int effectiveUserId) {
        final int disabledFeatures =
            mDevicePolicyManager.getKeyguardDisabledFeatures(null, effectiveUserId);
        return (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_BIOMETRICS) != 0;

        final PackageManager pm = mContext.getPackageManager();
        if (pm.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)
            && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT) == 0) {
            Log.d(TAG,"Fingerprint enabled & allowed by device policy manager");
            return false;
        }
        if (pm.hasSystemFeature(PackageManager.FEATURE_IRIS)
            && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_IRIS) == 0) {
            Log.d(TAG,"Iris enabled & allowed by device policy manager");
            return false;
        }
        if (pm.hasSystemFeature(PackageManager.FEATURE_FACE)
            && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_FACE) == 0) {
            Log.d(TAG,"Face enabled & allowed by device policy manager");
            return false;
        }

        return true;
    }

    private boolean isBiometricAllowed(int effectiveUserId, int realUserId) {