Merge "Call KeyChain credential management app APIs Settings"
This commit is contained in:
Rubin Xu
Android (Google) Code Review
@@ -19,17 +19,25 @@ package com.android.settings.security;
|
||||
import android.annotation.Nullable;
|
||||
import android.app.Activity;
|
||||
import android.app.admin.DevicePolicyManager;
|
||||
import android.content.Context;
|
||||
import android.content.pm.UserInfo;
|
||||
import android.os.Bundle;
|
||||
import android.os.Handler;
|
||||
import android.os.HandlerThread;
|
||||
import android.os.Process;
|
||||
import android.os.RemoteException;
|
||||
import android.os.UserManager;
|
||||
import android.security.AppUriAuthenticationPolicy;
|
||||
import android.security.Credentials;
|
||||
import android.security.KeyChain;
|
||||
import android.text.TextUtils;
|
||||
import android.util.Log;
|
||||
import android.view.View;
|
||||
import android.widget.Button;
|
||||
import android.widget.LinearLayout;
|
||||
import android.widget.Toast;
|
||||
|
||||
import androidx.annotation.NonNull;
|
||||
import androidx.annotation.VisibleForTesting;
|
||||
import androidx.recyclerview.widget.LinearLayoutManager;
|
||||
import androidx.recyclerview.widget.RecyclerView;
|
||||
|
||||
@@ -66,29 +74,98 @@ public class RequestManageCredentials extends Activity {
|
||||
private LinearLayout mButtonPanel;
|
||||
private ExtendedFloatingActionButton mExtendedFab;
|
||||
|
||||
private HandlerThread mKeyChainTread;
|
||||
private KeyChain.KeyChainConnection mKeyChainConnection;
|
||||
|
||||
private boolean mDisplayingButtonPanel = false;
|
||||
|
||||
@Override
|
||||
public void onCreate(@Nullable Bundle savedInstanceState) {
|
||||
super.onCreate(savedInstanceState);
|
||||
|
||||
if (Credentials.ACTION_MANAGE_CREDENTIALS.equals(getIntent().getAction())) {
|
||||
setContentView(R.layout.request_manage_credentials);
|
||||
// This is not authenticated, as any app can ask to be the credential management app.
|
||||
mCredentialManagerPackage = getReferrer().getHost();
|
||||
mAuthenticationPolicy =
|
||||
getIntent().getParcelableExtra(KeyChain.EXTRA_AUTHENTICATION_POLICY);
|
||||
enforceValidAuthenticationPolicy(mAuthenticationPolicy);
|
||||
|
||||
loadRecyclerView();
|
||||
loadButtons();
|
||||
loadExtendedFloatingActionButton();
|
||||
addOnScrollListener();
|
||||
} else {
|
||||
if (!Credentials.ACTION_MANAGE_CREDENTIALS.equals(getIntent().getAction())) {
|
||||
Log.e(TAG, "Unable to start activity because intent action is not "
|
||||
+ Credentials.ACTION_MANAGE_CREDENTIALS);
|
||||
finish();
|
||||
finishWithResultCancelled();
|
||||
return;
|
||||
}
|
||||
if (isManagedDevice()) {
|
||||
Log.e(TAG, "Credential management on managed devices should be done by the Device "
|
||||
+ "Policy Controller, not a credential management app");
|
||||
finishWithResultCancelled();
|
||||
return;
|
||||
}
|
||||
mCredentialManagerPackage = getLaunchedFromPackage();
|
||||
if (TextUtils.isEmpty(mCredentialManagerPackage)) {
|
||||
Log.e(TAG, "Unknown credential manager app");
|
||||
finishWithResultCancelled();
|
||||
return;
|
||||
}
|
||||
setContentView(R.layout.request_manage_credentials);
|
||||
|
||||
mKeyChainTread = new HandlerThread("KeyChainConnection");
|
||||
mKeyChainTread.start();
|
||||
mKeyChainConnection = getKeyChainConnection(this, mKeyChainTread);
|
||||
|
||||
AppUriAuthenticationPolicy policy =
|
||||
getIntent().getParcelableExtra(KeyChain.EXTRA_AUTHENTICATION_POLICY);
|
||||
if (!isValidAuthenticationPolicy(policy)) {
|
||||
Log.e(TAG, "Invalid authentication policy");
|
||||
finishWithResultCancelled();
|
||||
return;
|
||||
}
|
||||
mAuthenticationPolicy = policy;
|
||||
|
||||
loadRecyclerView();
|
||||
loadButtons();
|
||||
loadExtendedFloatingActionButton();
|
||||
addOnScrollListener();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void onDestroy() {
|
||||
super.onDestroy();
|
||||
if (mKeyChainConnection != null) {
|
||||
mKeyChainConnection.close();
|
||||
mKeyChainConnection = null;
|
||||
mKeyChainTread.quitSafely();
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isValidAuthenticationPolicy(AppUriAuthenticationPolicy policy) {
|
||||
if (policy == null || policy.getAppAndUriMappings().isEmpty()) {
|
||||
return false;
|
||||
}
|
||||
try {
|
||||
// Check whether any of the aliases in the policy already exist
|
||||
for (String alias : policy.getAliases()) {
|
||||
if (mKeyChainConnection.getService().requestPrivateKey(alias) != null) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
} catch (RemoteException e) {
|
||||
Log.e(TAG, "Invalid authentication policy", e);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private boolean isManagedDevice() {
|
||||
DevicePolicyManager dpm = getSystemService(DevicePolicyManager.class);
|
||||
|
||||
return dpm.getDeviceOwnerUser() != null
|
||||
|| dpm.getProfileOwner() != null
|
||||
|| hasManagedProfile();
|
||||
}
|
||||
|
||||
private boolean hasManagedProfile() {
|
||||
UserManager um = getSystemService(UserManager.class);
|
||||
for (final UserInfo userInfo : um.getProfiles(getUserId())) {
|
||||
if (userInfo.isManagedProfile()) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private void loadRecyclerView() {
|
||||
@@ -107,8 +184,10 @@ public class RequestManageCredentials extends Activity {
|
||||
Button dontAllowButton = findViewById(R.id.dont_allow_button);
|
||||
Button allowButton = findViewById(R.id.allow_button);
|
||||
|
||||
dontAllowButton.setOnClickListener(finishRequestManageCredentials());
|
||||
allowButton.setOnClickListener(setCredentialManagementApp());
|
||||
dontAllowButton.setOnClickListener(b -> {
|
||||
finishWithResultCancelled();
|
||||
});
|
||||
allowButton.setOnClickListener(b -> setOrUpdateCredentialManagementApp());
|
||||
}
|
||||
|
||||
private void loadExtendedFloatingActionButton() {
|
||||
@@ -120,22 +199,26 @@ public class RequestManageCredentials extends Activity {
|
||||
});
|
||||
}
|
||||
|
||||
private View.OnClickListener finishRequestManageCredentials() {
|
||||
return v -> {
|
||||
Toast.makeText(this, R.string.request_manage_credentials_dont_allow,
|
||||
Toast.LENGTH_SHORT).show();
|
||||
setResult(RESULT_CANCELED);
|
||||
finish();
|
||||
};
|
||||
private void setOrUpdateCredentialManagementApp() {
|
||||
try {
|
||||
mKeyChainConnection.getService().setCredentialManagementApp(
|
||||
mCredentialManagerPackage, mAuthenticationPolicy);
|
||||
} catch (RemoteException e) {
|
||||
Log.e(TAG, "Unable to set credential manager app", e);
|
||||
}
|
||||
finish();
|
||||
}
|
||||
|
||||
private View.OnClickListener setCredentialManagementApp() {
|
||||
return v -> {
|
||||
// TODO: Implement allow logic
|
||||
Toast.makeText(this, R.string.request_manage_credentials_allow,
|
||||
Toast.LENGTH_SHORT).show();
|
||||
finish();
|
||||
};
|
||||
@VisibleForTesting
|
||||
KeyChain.KeyChainConnection getKeyChainConnection(Context context, HandlerThread thread) {
|
||||
final Handler handler = new Handler(thread.getLooper());
|
||||
try {
|
||||
KeyChain.KeyChainConnection connection = KeyChain.bindAsUser(
|
||||
context, handler, Process.myUserHandle());
|
||||
return connection;
|
||||
} catch (InterruptedException e) {
|
||||
throw new RuntimeException("Faile to bind to KeyChain", e);
|
||||
}
|
||||
}
|
||||
|
||||
private void addOnScrollListener() {
|
||||
@@ -182,12 +265,8 @@ public class RequestManageCredentials extends Activity {
|
||||
< mRecyclerView.getAdapter().getItemCount() - 1;
|
||||
}
|
||||
|
||||
private void enforceValidAuthenticationPolicy(AppUriAuthenticationPolicy policy) {
|
||||
// TODO: Check whether any of the aliases in the policy already exist
|
||||
if (policy == null || policy.getAppAndUriMappings().isEmpty()) {
|
||||
Log.e(TAG, "Invalid authentication policy");
|
||||
setResult(RESULT_CANCELED);
|
||||
finish();
|
||||
}
|
||||
private void finishWithResultCancelled() {
|
||||
setResult(RESULT_CANCELED);
|
||||
finish();
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user