Merge "Switch to work challenge if MP calls resetPassword" into nyc-dev

2016-04-05 14:04:39 +00:00
parent 723a65a51b ce5c4009cf
commit 691b1a6005
2 changed files with 14 additions and 20 deletions
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -2185,9 +2185,6 @@ public class DevicePolicyManager {
     * Force a new device unlock password (the password needed to access the entire device, not for
     * individual accounts) on the user. This takes effect immediately.
     * <p>
-     * Calling this from a managed profile that shares the password with the owner profile will
-     * throw a security exception.
-     * <p>
     * <em>Note: This API has been limited as of {@link android.os.Build.VERSION_CODES#N} for
     * device admins that are not device owner and not profile owner.
     * The password can now only be changed if there is currently no password set.  Device owner
@@ -2201,10 +2198,10 @@ public class DevicePolicyManager {
     * case the currently active quality will be increased to match.
     * <p>
     * Calling with a null or empty password will clear any existing PIN, pattern or password if the
-     * current password constraints allow it. <em>Note: This will not
-     * work in {@link android.os.Build.VERSION_CODES#N} and later for device admins that are not
-     * device owner and not profile owner.  Once set, the password cannot be changed to null or
-     * empty, except by device owner or profile owner.</em>
+     * current password constraints allow it. <em>Note: This will not work in
+     * {@link android.os.Build.VERSION_CODES#N} and later for managed profiles, or for device admins
+     * that are not device owner or profile owner.  Once set, the password cannot be changed to null
+     * or empty except by these admins.</em>
     * <p>
     * The calling device admin must have requested
     * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call this method; if it has
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3740,32 +3740,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final int callingUid = mInjector.binderGetCallingUid();
        final int userHandle = mInjector.userHandleGetCallingUserId();

-        if (getCredentialOwner(userHandle, /* parent */ false) != userHandle) {
-            throw new SecurityException("You can not change password for this profile because"
-                    + " it shares the password with the owner profile");
-        }
-
        String password = passwordOrNull != null ? passwordOrNull : "";

+        // Password resetting to empty/null is not allowed for managed profiles.
+        if (TextUtils.isEmpty(password)) {
+            enforceNotManagedProfile(userHandle, "clear the active password");
+        }
+
        int quality;
        synchronized (this) {
-            // If caller has PO (or DO), it can clear the password, so see if that's the case
-            // first.
+            // If caller has PO (or DO) it can change the password, so see if that's the case first.
            ActiveAdmin admin = getActiveAdminWithPolicyForUidLocked(
                    null, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, callingUid);
            if (admin == null) {
                // Otherwise, make sure the caller has any active admin with the right policy.
                admin = getActiveAdminForCallerLocked(null,
                        DeviceAdminInfo.USES_POLICY_RESET_PASSWORD);
-            }

-            final ComponentName adminComponent = admin.info.getComponent();
-
-            // As of N, only profile owners and device owners can reset the password.
-            if (!(isProfileOwner(adminComponent, userHandle)
-                    || isDeviceOwner(adminComponent, userHandle))) {
                final boolean preN = getTargetSdk(admin.info.getPackageName(), userHandle)
                        <= android.os.Build.VERSION_CODES.M;
+
                // As of N, password resetting to empty/null is not allowed anymore.
                // TODO Should we allow DO/PO to set an empty password?
                if (TextUtils.isEmpty(password)) {
@@ -3894,6 +3888,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        // back in to the service.
        final long ident = mInjector.binderClearCallingIdentity();
        try {
+            if (isManagedProfile(userHandle)) {
+                mLockPatternUtils.setSeparateProfileChallengeEnabled(userHandle, true);
+            }
            if (!TextUtils.isEmpty(password)) {
                mLockPatternUtils.saveLockPassword(password, null, quality, userHandle);
            } else {