diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java index fa6be7c2469c2..3574a6411b073 100644 --- a/services/core/java/com/android/server/locksettings/LockSettingsService.java +++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java @@ -1016,9 +1016,14 @@ public class LockSettingsService extends ILockSettings.Stub { } private void enforceFrpResolved() { - if (mInjector.settingsSecureGetInt(mContext.getContentResolver(), - Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1) { - throw new SecurityException("Cannot change credential while FRP is not resolved yet"); + final ContentResolver cr = mContext.getContentResolver(); + final boolean inSetupWizard = mInjector.settingsSecureGetInt(cr, + Settings.Secure.USER_SETUP_COMPLETE, 0, UserHandle.USER_SYSTEM) == 0; + final boolean secureFrp = mInjector.settingsSecureGetInt(cr, + Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1; + if (inSetupWizard && secureFrp) { + throw new SecurityException("Cannot change credential in SUW while factory reset" + + " protection is not resolved yet"); } } diff --git a/services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java b/services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java index c5e924be2612f..2bcd653a5476b 100644 --- a/services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java +++ b/services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java @@ -23,6 +23,7 @@ public class FakeSettings { private int mDeviceProvisioned; private int mSecureFrpMode; + private int mUserSetupComplete; public void setDeviceProvisioned(boolean provisioned) { mDeviceProvisioned = provisioned ? 1 : 0; @@ -32,6 +33,10 @@ public class FakeSettings { mSecureFrpMode = secure ? 1 : 0; } + public void setUserSetupComplete(boolean complete) { + mUserSetupComplete = complete ? 1 : 0; + } + public int globalGetInt(String keyName) { switch (keyName) { case Settings.Global.DEVICE_PROVISIONED: @@ -46,6 +51,10 @@ public class FakeSettings { if (Settings.Secure.SECURE_FRP_MODE.equals(keyName) && userId == UserHandle.USER_SYSTEM) { return mSecureFrpMode; } + if (Settings.Secure.USER_SETUP_COMPLETE.equals(keyName) + && userId == UserHandle.USER_SYSTEM) { + return mUserSetupComplete; + } return defaultValue; } } diff --git a/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java b/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java index 661ce113e81ea..07d7830c9b0fe 100644 --- a/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java +++ b/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java @@ -417,7 +417,8 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { } @Test - public void testCredentialChangeNotPossibleInSecureFrpMode() { + public void testCredentialChangeNotPossibleInSecureFrpModeDuringSuw() { + mSettings.setUserSetupComplete(false); mSettings.setSecureFrpMode(true); try { mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID); @@ -425,6 +426,14 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { } catch (SecurityException e) { } } + @Test + public void testCredentialChangePossibleInSecureFrpModeAfterSuw() { + mSettings.setUserSetupComplete(true); + mSettings.setSecureFrpMode(true); + assertTrue(mService.setLockCredential(newPassword("1234"), nonePassword(), + PRIMARY_USER_ID)); + } + private void testCreateCredential(int userId, LockscreenCredential credential) throws RemoteException { assertTrue(mService.setLockCredential(credential, nonePassword(), userId));