From 25102ef75e01e3cb691aacf1c5f5d953e835cfa1 Mon Sep 17 00:00:00 2001
From: Rubin Xu <rubinxu@google.com>
Date: Fri, 8 Sep 2017 12:08:26 +0100
Subject: [PATCH] Always treat password as sufficient if no password policy is
 set

Handle the special case when work profile is freshly created on a FDE device

Test: cts-tradefed run cts-dev -m CtsDevicePolicyManagerTestCases
      -t com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testPasswordSufficientInitially
Bug: 63887564
Change-Id: Ie8e430d4ff63be74fb2d4fc3ad3a8735f1de48b0
---
 .../devicepolicy/DevicePolicyManagerService.java      | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 0b967b31f4b5b..fff682c59be72 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -4106,6 +4106,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 
     private boolean isActivePasswordSufficientForUserLocked(
             DevicePolicyData policy, int userHandle, boolean parent) {
+        final int requiredPasswordQuality = getPasswordQuality(null, userHandle, parent);
+        if (requiredPasswordQuality == DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED) {
+            // A special case is when there is no required password quality, then we just return
+            // true since any password would be sufficient. This is for the scenario when a work
+            // profile is first created so there is no information about the current password but
+            // it should be considered sufficient as there is no password requirement either.
+            // This is useful since it short-circuits the password checkpoint for FDE device below.
+            return true;
+        }
+
         if (!mInjector.storageManagerIsFileBasedEncryptionEnabled()
                 && !policy.mPasswordStateHasBeenSetSinceBoot) {
             // Before user enters their password for the first time after a reboot, return the
@@ -4116,7 +4126,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             return policy.mPasswordValidAtLastCheckpoint;
         }
 
-        final int requiredPasswordQuality = getPasswordQuality(null, userHandle, parent);
         if (policy.mActivePasswordMetrics.quality < requiredPasswordQuality) {
             return false;
         }