Merge "Only enforce secure FRP mode when in setup wizard" into rvc-dev am: c8983dbed7

Change-Id: I7385579ae875f5ab8dcb7c999f5294820b5bf87c

services/core/java/com/android/server/locksettings/LockSettingsService.java

@@ -1016,9 +1016,14 @@ public class LockSettingsService extends ILockSettings.Stub {
     }
 
     private void enforceFrpResolved() {
-        if (mInjector.settingsSecureGetInt(mContext.getContentResolver(),
+        final ContentResolver cr = mContext.getContentResolver();
-                Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1) {
+        final boolean inSetupWizard = mInjector.settingsSecureGetInt(cr,
-            throw new SecurityException("Cannot change credential while FRP is not resolved yet");
+                Settings.Secure.USER_SETUP_COMPLETE, 0, UserHandle.USER_SYSTEM) == 0;
+        final boolean secureFrp = mInjector.settingsSecureGetInt(cr,
+                Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1;
+        if (inSetupWizard && secureFrp) {
+            throw new SecurityException("Cannot change credential in SUW while factory reset"
+                    + " protection is not resolved yet");
         }
     }
 

services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java

@@ -23,6 +23,7 @@ public class FakeSettings {
 
     private int mDeviceProvisioned;
     private int mSecureFrpMode;
+    private int mUserSetupComplete;
 
     public void setDeviceProvisioned(boolean provisioned) {
         mDeviceProvisioned = provisioned ? 1 : 0;
@@ -32,6 +33,10 @@ public class FakeSettings {
         mSecureFrpMode = secure ? 1 : 0;
     }
 
+    public void setUserSetupComplete(boolean complete) {
+        mUserSetupComplete = complete ? 1 : 0;
+    }
+
     public int globalGetInt(String keyName) {
         switch (keyName) {
             case Settings.Global.DEVICE_PROVISIONED:
@@ -46,6 +51,10 @@ public class FakeSettings {
         if (Settings.Secure.SECURE_FRP_MODE.equals(keyName) && userId == UserHandle.USER_SYSTEM) {
             return mSecureFrpMode;
         }
+        if (Settings.Secure.USER_SETUP_COMPLETE.equals(keyName)
+                && userId == UserHandle.USER_SYSTEM) {
+            return mUserSetupComplete;
+        }
         return defaultValue;
     }
 }

services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java

@@ -417,7 +417,8 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests {
     }
 
     @Test
-    public void testCredentialChangeNotPossibleInSecureFrpMode() {
+    public void testCredentialChangeNotPossibleInSecureFrpModeDuringSuw() {
+        mSettings.setUserSetupComplete(false);
         mSettings.setSecureFrpMode(true);
         try {
             mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);
@@ -425,6 +426,14 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests {
         } catch (SecurityException e) { }
     }
 
+    @Test
+    public void testCredentialChangePossibleInSecureFrpModeAfterSuw() {
+        mSettings.setUserSetupComplete(true);
+        mSettings.setSecureFrpMode(true);
+        assertTrue(mService.setLockCredential(newPassword("1234"), nonePassword(),
+                PRIMARY_USER_ID));
+    }
+
     private void testCreateCredential(int userId, LockscreenCredential credential)
             throws RemoteException {
         assertTrue(mService.setLockCredential(credential, nonePassword(), userId));