Do not use canAuthenticate() to check if user can reset lockout

canAuthenticate() is meant for apps so it will reflect the
FACE_UNLOCK_APP_ENABLED setting. If disabled, resetLockout will not be
run for that user.

Fixes: 138269776

Test: Disable unlocking for apps, get locked out, enter password.
      Lockout is reset now.

Change-Id: I5d7bf3abbac7c8982595d5733464a887ab5184ab

core/java/android/hardware/biometrics/BiometricManager.java

@@ -128,6 +128,25 @@ public class BiometricManager {
         }
     }
 
+    /**
+     * @hide
+     * @param userId
+     * @return
+     */
+    @RequiresPermission(USE_BIOMETRIC_INTERNAL)
+    public boolean hasEnrolledBiometrics(int userId) {
+        if (mService != null) {
+            try {
+                return mService.hasEnrolledBiometrics(userId);
+            } catch (RemoteException e) {
+                Slog.w(TAG, "Remote exception in hasEnrolledBiometrics(): " + e);
+                return false;
+            }
+        } else {
+            return false;
+        }
+    }
+
     /**
      * Listens for changes to biometric eligibility on keyguard from user settings.
      * @param callback

core/java/android/hardware/biometrics/IBiometricService.aidl

@@ -42,6 +42,9 @@ interface IBiometricService {
     // Checks if biometrics can be used.
     int canAuthenticate(String opPackageName, int userId);
 
+    // Checks if any biometrics are enrolled.
+    boolean hasEnrolledBiometrics(int userId);
+
     // Register callback for when keyguard biometric eligibility changes.
     void registerEnabledOnKeyguardCallback(IBiometricEnabledOnKeyguardCallback callback);