Merge "Only enforce secure FRP mode when in setup wizard" into rvc-dev am: c8983dbed7 am: 2e36e2907f am: 63fb5f113f am: 872861e221

Change-Id: Ie816c201d9a30e94cd98a2610162a2ad769d483e
2020-03-30 18:13:36 +00:00
parent 268800d3f5 872861e221
commit 8329be185a
3 changed files with 27 additions and 4 deletions
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -1016,9 +1016,14 @@ public class LockSettingsService extends ILockSettings.Stub {
    }

    private void enforceFrpResolved() {
-        if (mInjector.settingsSecureGetInt(mContext.getContentResolver(),
-                Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1) {
-            throw new SecurityException("Cannot change credential while FRP is not resolved yet");
+        final ContentResolver cr = mContext.getContentResolver();
+        final boolean inSetupWizard = mInjector.settingsSecureGetInt(cr,
+                Settings.Secure.USER_SETUP_COMPLETE, 0, UserHandle.USER_SYSTEM) == 0;
+        final boolean secureFrp = mInjector.settingsSecureGetInt(cr,
+                Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1;
+        if (inSetupWizard && secureFrp) {
+            throw new SecurityException("Cannot change credential in SUW while factory reset"
+                    + " protection is not resolved yet");
        }
    }

--- a/services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java
@@ -23,6 +23,7 @@ public class FakeSettings {

    private int mDeviceProvisioned;
    private int mSecureFrpMode;
+    private int mUserSetupComplete;

    public void setDeviceProvisioned(boolean provisioned) {
        mDeviceProvisioned = provisioned ? 1 : 0;
@@ -32,6 +33,10 @@ public class FakeSettings {
        mSecureFrpMode = secure ? 1 : 0;
    }

+    public void setUserSetupComplete(boolean complete) {
+        mUserSetupComplete = complete ? 1 : 0;
+    }
+
    public int globalGetInt(String keyName) {
        switch (keyName) {
            case Settings.Global.DEVICE_PROVISIONED:
@@ -46,6 +51,10 @@ public class FakeSettings {
        if (Settings.Secure.SECURE_FRP_MODE.equals(keyName) && userId == UserHandle.USER_SYSTEM) {
            return mSecureFrpMode;
        }
+        if (Settings.Secure.USER_SETUP_COMPLETE.equals(keyName)
+                && userId == UserHandle.USER_SYSTEM) {
+            return mUserSetupComplete;
+        }
        return defaultValue;
    }
 }
--- a/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java
@@ -417,7 +417,8 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests {
    }

    @Test
-    public void testCredentialChangeNotPossibleInSecureFrpMode() {
+    public void testCredentialChangeNotPossibleInSecureFrpModeDuringSuw() {
+        mSettings.setUserSetupComplete(false);
        mSettings.setSecureFrpMode(true);
        try {
            mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);
@@ -425,6 +426,14 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests {
        } catch (SecurityException e) { }
    }

+    @Test
+    public void testCredentialChangePossibleInSecureFrpModeAfterSuw() {
+        mSettings.setUserSetupComplete(true);
+        mSettings.setSecureFrpMode(true);
+        assertTrue(mService.setLockCredential(newPassword("1234"), nonePassword(),
+                PRIMARY_USER_ID));
+    }
+
    private void testCreateCredential(int userId, LockscreenCredential credential)
            throws RemoteException {
        assertTrue(mService.setLockCredential(credential, nonePassword(), userId));