From 0a587d2840ca105746a9e14d018dc8ec2b3442be Mon Sep 17 00:00:00 2001 From: Clara Bayarri Date: Tue, 23 Feb 2016 14:49:41 -0800 Subject: [PATCH] Unlock Keystore/Keymaster separately for Work Challenge The Keystore should be unlocked by the work challenge when the work profile has its own lock, and should not be unlocked by the device lock in this case. Tested use cases: When unified, both users have the password key set to the parent's Setting a work challenge changes the work profile's password key to its own Unifying causes the work challenge key to be set to null first and then when the device password is reset right after that it is reset to the same as the parent Unlocking when locks are unified unlocks both using the same password key Unlocking the device when not unified only unlocks the parent Unlocking the work challenge only unlocks the work profile Bug:26817206 Change-Id: I99dca279687f4f77636992e355dbdb607bbf7b6d
---
 .../android/server/LockSettingsService.java | 40 ++++++++++++++++--- 1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
index c318140ae7e8c..ba2a2e05d3d8d 100644
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -545,9 +545,23 @@ public class LockSettingsService extends ILockSettings.Stub {
 final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE);
 final KeyStore ks = KeyStore.getInstance();
- final List profiles = um.getProfiles(userHandle);
- for (UserInfo pi : profiles) {
- ks.onUserPasswordChanged(pi.id, password);
+ if (um.getUserInfo(userHandle).isManagedProfile()) {
+ if (mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle)) {
+ ks.onUserPasswordChanged(userHandle, password);
+ } else {
+ throw new RuntimeException("Can't set keystore password on a profile that "
+ + "doesn't have a profile challenge.");
+ }
+ } else {
+ final List profiles = um.getProfiles(userHandle);
+ for (UserInfo pi : profiles) {
+ // Change password on the given user and all its profiles that don't have
+ // their own profile challenge enabled.
+ if (pi.id == userHandle || (pi.isManagedProfile()
+ && !mLockPatternUtils.isSeparateProfileChallengeEnabled(pi.id))) {
+ ks.onUserPasswordChanged(pi.id, password);
+ }
+ }
 }
 }
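Review bot: The new guard throws a bare `RuntimeException` for what is a caller contract violation (a managed profile whose lock is unified with its parent) and the message carries no user id, so a failure in the field cannot be tied to the profile that triggered it; the unlock guard in the second hunk has the same shape. LockSettingsService is a system service, so an unexpected throw on this path is unlikely to be recoverable by the caller, which is a reason to make it precise rather than generic: `throw new IllegalStateException("User " + userHandle + " is a managed profile without a separate profile challenge; its keystore password follows its parent.");`. `um.getUserInfo(userHandle)` is also dereferenced directly; if it can return null for a user that no longer exists, the failure would surface as an NPE instead of the intended exception — confirm against UserManager before relying on the guard. The signature of the enclosing method is not shown in the hunk as rendered, so the method starts outside it.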
@@ -555,9 +569,23 @@ public class LockSettingsService extends ILockSettings.Stub {
 final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE);
 final KeyStore ks = KeyStore.getInstance();
- final List profiles = um.getProfiles(userHandle);
- for (UserInfo pi : profiles) {
- ks.unlock(pi.id, password);
+ if (um.getUserInfo(userHandle).isManagedProfile()) {
+ if (mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle)) {
+ ks.unlock(userHandle, password);
+ } else {
+ throw new RuntimeException("Can't unlock a profile explicitly if it "
+ + "doesn't have a profile challenge.");
+ }
+ } else {
+ final List profiles = um.getProfiles(userHandle);
+ for (UserInfo pi : profiles) {
+ // Unlock the given user and all its profiles that don't have
+ // their own profile challenge enabled.
+ if (pi.id == userHandle || (pi.isManagedProfile()
+ && !mLockPatternUtils.isSeparateProfileChallengeEnabled(pi.id))) {
+ ks.unlock(pi.id, password);
+ }
+ }
 }
 }
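Review bot: The profile/parent resolution added here is a line-for-line copy of the block added in the first hunk (only the `ks.unlock` call and the exception text differ), so the two keystore paths can silently diverge the next time the challenge rules change; since this logic decides which users' keystores a single credential is allowed to touch, keeping exactly one copy is a security property rather than tidiness. Extracting the id resolution into a private helper that both methods iterate over keeps the "profile with its own challenge maps only to itself, everything else follows the parent" rule in one place, as sketched below; the helper needs `java.util.ArrayList` in scope if it is not already imported. The enclosing method's signature is outside the hunk as rendered.
```java
// … unchanged: final UserManager um / final KeyStore ks …
for (int id : getUsersSharingCredential(um, userHandle)) {
    ks.unlock(id, password);
}
// … unchanged: closing braces …

/**
 * Returns the ids of the users whose keystore follows {@code userHandle}'s credential:
 * the user itself plus its managed profiles that do not have a separate profile
 * challenge. A managed profile with its own challenge maps only to itself.
 *
 * @throws IllegalStateException if {@code userHandle} is a managed profile whose lock is
 *         unified with its parent; its keystore must be driven through the parent instead.
 */
private List<Integer> getUsersSharingCredential(UserManager um, int userHandle) {
    final List<Integer> ids = new ArrayList<>();
    if (um.getUserInfo(userHandle).isManagedProfile()) {
        if (!mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle)) {
            throw new IllegalStateException("User " + userHandle
                    + " is a managed profile without a separate profile challenge.");
        }
        ids.add(userHandle);
        return ids;
    }
    for (UserInfo pi : um.getProfiles(userHandle)) {
        // The user itself, plus profiles whose lock is unified with it.
        if (pi.id == userHandle || (pi.isManagedProfile()
                && !mLockPatternUtils.isSeparateProfileChallengeEnabled(pi.id))) {
            ids.add(pi.id);
        }
    }
    return ids;
}
```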