Add request manage credentials to Settings

Background * This is part of the work to support a credential management app on unmanaged devices. Changes * Add new activity to Settings to display a screen to the user requesting whether the calling app can manage their KeyChain credentials. * Display the authentication policy Manual Testing * Verify screen is not displayed if intent action is not android.security.MANAGE_CREDENTIALS * Verify screen is not displayed if authentication policy is not valid * Verify button panel is visible if all items in the authentication policy are displayed * Verify button panel is not visible if not all items in the authentication policy are displayed. Verify that scrolling to the bottom of the item list, the button panel becomes visible. Bug: 165641221 Test: Manual testing make RunSettingsRoboTests -j ROBOTEST_FILTER=com.android.settings.security.RequestManageCredentialsTest Change-Id: Ie23b226f1a285b3de6ec3e91b8880d9144bb24a3
2020-11-26 12:40:38 +00:00
parent ab20590d0f
commit 580b7af1a4
12 changed files with 864 additions and 0 deletions
--- a/src/com/android/settings/security/CredentialManagementAppAdapter.java
+++ b/src/com/android/settings/security/CredentialManagementAppAdapter.java
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.content.Context;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageManager;
+import android.net.Uri;
+import android.security.AppUriAuthenticationPolicy;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.view.ViewGroup;
+import android.widget.ImageView;
+import android.widget.TextView;
+
+import androidx.annotation.NonNull;
+import androidx.recyclerview.widget.LinearLayoutManager;
+import androidx.recyclerview.widget.RecyclerView;
+
+import com.android.settings.R;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Adapter for the requesting credential management app. This adapter displays the details of the
+ * requesting app, including its authentication policy, when {@link RequestManageCredentials}
+ * is started.
+ * <p>
+ *
+ * @hide
+ * @see RequestManageCredentials
+ * @see AppUriAuthenticationPolicy
+ */
+public class CredentialManagementAppAdapter extends RecyclerView.Adapter<RecyclerView.ViewHolder> {
+
+    private static final int HEADER_VIEW = 1;
+
+    private final String mCredentialManagerPackage;
+    private final Map<String, Map<Uri, String>> mAppUriAuthentication;
+    private final List<String> mSortedAppNames;
+
+    private final Context mContext;
+    private final PackageManager mPackageManager;
+    private final RecyclerView.RecycledViewPool mViewPool;
+
+    /**
+     * View holder for the header in the request manage credentials screen.
+     */
+    public class HeaderViewHolder extends RecyclerView.ViewHolder {
+        private final ImageView mAppIconView;
+        private final TextView mTitleView;
+
+        public HeaderViewHolder(View view) {
+            super(view);
+            mAppIconView = view.findViewById(R.id.credential_management_app_icon);
+            mTitleView = view.findViewById(R.id.credential_management_app_title);
+        }
+
+        /**
+         * Bind the header view and add details on the requesting app's icon and name.
+         */
+        public void bindView() {
+            try {
+                ApplicationInfo applicationInfo =
+                        mPackageManager.getApplicationInfo(mCredentialManagerPackage, 0);
+                mAppIconView.setImageDrawable(mPackageManager.getApplicationIcon(applicationInfo));
+                mTitleView.setText(mContext.getString(R.string.request_manage_credentials_title,
+                        applicationInfo.loadLabel(mPackageManager)));
+            } catch (PackageManager.NameNotFoundException e) {
+                mAppIconView.setImageDrawable(null);
+                mTitleView.setText(mContext.getString(R.string.request_manage_credentials_title,
+                        mCredentialManagerPackage));
+            }
+        }
+    }
+
+    /**
+     * View holder for the authentication policy in the request manage credentials screen.
+     */
+    public class AppAuthenticationViewHolder extends RecyclerView.ViewHolder {
+        private final ImageView mAppIconView;
+        private final TextView mAppNameView;
+        RecyclerView mChildRecyclerView;
+
+        public AppAuthenticationViewHolder(View view) {
+            super(view);
+            mAppIconView = view.findViewById(R.id.app_icon);
+            mAppNameView = view.findViewById(R.id.app_name);
+            mChildRecyclerView = view.findViewById(R.id.uris);
+        }
+
+        /**
+         * Bind the app's authentication policy view at the given position. Add details on the
+         * app's icon, name and list of URIs.
+         */
+        public void bindView(int position) {
+            final String appName = mSortedAppNames.get(position);
+            try {
+                ApplicationInfo applicationInfo = mPackageManager.getApplicationInfo(appName, 0);
+                mAppIconView.setImageDrawable(mPackageManager.getApplicationIcon(applicationInfo));
+                mAppNameView.setText(String.valueOf(applicationInfo.loadLabel(mPackageManager)));
+            } catch (PackageManager.NameNotFoundException e) {
+                mAppIconView.setImageDrawable(null);
+                mAppNameView.setText(appName);
+            }
+            bindChildView(mAppUriAuthentication.get(appName));
+        }
+
+        /**
+         * Bind the list of URIs for an app.
+         */
+        public void bindChildView(Map<Uri, String> urisToAliases) {
+            LinearLayoutManager layoutManager = new LinearLayoutManager(
+                    mChildRecyclerView.getContext(), RecyclerView.VERTICAL, false);
+            layoutManager.setInitialPrefetchItemCount(urisToAliases.size());
+            UriAuthenticationPolicyAdapter childItemAdapter =
+                    new UriAuthenticationPolicyAdapter(new ArrayList<>(urisToAliases.keySet()));
+            mChildRecyclerView.setLayoutManager(layoutManager);
+            mChildRecyclerView.setAdapter(childItemAdapter);
+            mChildRecyclerView.setRecycledViewPool(mViewPool);
+        }
+    }
+
+    public CredentialManagementAppAdapter(Context context, String credentialManagerPackage,
+            Map<String, Map<Uri, String>> appUriAuthentication) {
+        mContext = context;
+        mCredentialManagerPackage = credentialManagerPackage;
+        mPackageManager = context.getPackageManager();
+        mAppUriAuthentication = appUriAuthentication;
+        mSortedAppNames = sortPackageNames(mAppUriAuthentication);
+        mViewPool = new RecyclerView.RecycledViewPool();
+    }
+
+    /**
+     * Sort package names in the following order:
+     * - installed apps
+     * - alphabetically
+     */
+    private List<String> sortPackageNames(Map<String, Map<Uri, String>> authenticationPolicy) {
+        List<String> packageNames = new ArrayList<>(authenticationPolicy.keySet());
+        packageNames.sort((firstPackageName, secondPackageName) -> {
+            boolean isFirstPackageInstalled = isPackageInstalled(firstPackageName);
+            boolean isSecondPackageInstalled = isPackageInstalled(secondPackageName);
+            if (isFirstPackageInstalled == isSecondPackageInstalled) {
+                return firstPackageName.compareTo(secondPackageName);
+            } else if (isFirstPackageInstalled) {
+                return -1;
+            } else {
+                return 1;
+            }
+        });
+        return packageNames;
+    }
+
+    private boolean isPackageInstalled(String packageName) {
+        try {
+            mPackageManager.getPackageInfo(packageName, 0);
+            return true;
+        } catch (PackageManager.NameNotFoundException e) {
+            return false;
+        }
+    }
+
+    @NonNull
+    @Override
+    public RecyclerView.ViewHolder onCreateViewHolder(@NonNull ViewGroup viewGroup, int viewType) {
+        View view;
+        if (viewType == HEADER_VIEW) {
+            view = LayoutInflater.from(viewGroup.getContext())
+                    .inflate(R.layout.request_manage_credentials_header, viewGroup, false);
+            view.setEnabled(false);
+            return new HeaderViewHolder(view);
+        } else {
+            view = LayoutInflater.from(viewGroup.getContext())
+                    .inflate(R.layout.app_authentication_item, viewGroup, false);
+            return new AppAuthenticationViewHolder(view);
+        }
+    }
+
+    @Override
+    public void onBindViewHolder(@NonNull RecyclerView.ViewHolder viewHolder, int i) {
+        if (viewHolder instanceof HeaderViewHolder) {
+            ((HeaderViewHolder) viewHolder).bindView();
+        } else if (viewHolder instanceof AppAuthenticationViewHolder) {
+            ((AppAuthenticationViewHolder) viewHolder).bindView(i - 1);
+        }
+    }
+
+    @Override
+    public int getItemCount() {
+        // Add an extra view to show the header view
+        return mAppUriAuthentication.size() + 1;
+    }
+
+    @Override
+    public int getItemViewType(int position) {
+        if (position == 0) {
+            return HEADER_VIEW;
+        }
+        return super.getItemViewType(position);
+    }
+
+}
--- a/src/com/android/settings/security/RequestManageCredentials.java
+++ b/src/com/android/settings/security/RequestManageCredentials.java
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.annotation.Nullable;
+import android.app.Activity;
+import android.app.admin.DevicePolicyManager;
+import android.os.Bundle;
+import android.security.AppUriAuthenticationPolicy;
+import android.security.Credentials;
+import android.security.KeyChain;
+import android.util.Log;
+import android.view.View;
+import android.widget.Button;
+import android.widget.LinearLayout;
+import android.widget.Toast;
+
+import androidx.annotation.NonNull;
+import androidx.recyclerview.widget.LinearLayoutManager;
+import androidx.recyclerview.widget.RecyclerView;
+
+import com.android.settings.R;
+
+/**
+ * Displays a full screen to the user asking whether the calling app can manage the user's
+ * KeyChain credentials. This screen includes the authentication policy highlighting what apps and
+ * URLs the calling app can authenticate the user to.
+ * <p>
+ * Users can allow or deny the calling app. If denied, the calling app may re-request this
+ * capability. If allowed, the calling app will become the credential management app and will be
+ * able to manage the user's KeyChain credentials. The following APIs can be called to manage
+ * KeyChain credentials:
+ * {@link DevicePolicyManager#installKeyPair}
+ * {@link DevicePolicyManager#removeKeyPair}
+ * {@link DevicePolicyManager#generateKeyPair}
+ * {@link DevicePolicyManager#setKeyPairCertificate}
+ * <p>
+ *
+ * @see AppUriAuthenticationPolicy
+ */
+public class RequestManageCredentials extends Activity {
+
+    private static final String TAG = "ManageCredentials";
+
+    private String mCredentialManagerPackage;
+    private AppUriAuthenticationPolicy mAuthenticationPolicy;
+
+    private RecyclerView mRecyclerView;
+    private LinearLayoutManager mLayoutManager;
+    private LinearLayout mButtonPanel;
+
+    private boolean mDisplayingButtonPanel = false;
+
+    @Override
+    public void onCreate(@Nullable Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+
+        if (Credentials.ACTION_MANAGE_CREDENTIALS.equals(getIntent().getAction())) {
+            setContentView(R.layout.request_manage_credentials);
+            // This is not authenticated, as any app can ask to be the credential management app.
+            mCredentialManagerPackage = getReferrer().getHost();
+            mAuthenticationPolicy =
+                    getIntent().getParcelableExtra(KeyChain.EXTRA_AUTHENTICATION_POLICY);
+            enforceValidAuthenticationPolicy(mAuthenticationPolicy);
+
+            loadRecyclerView();
+            loadButtons();
+            addOnScrollListener();
+        } else {
+            Log.e(TAG, "Unable to start activity because intent action is not "
+                    + Credentials.ACTION_MANAGE_CREDENTIALS);
+            finish();
+        }
+    }
+
+    private void loadRecyclerView() {
+        mLayoutManager = new LinearLayoutManager(this);
+        mRecyclerView = findViewById(R.id.apps_list);
+        mRecyclerView.setLayoutManager(mLayoutManager);
+
+        CredentialManagementAppAdapter recyclerViewAdapter = new CredentialManagementAppAdapter(
+                this, mCredentialManagerPackage, mAuthenticationPolicy.getAppAndUriMappings());
+        mRecyclerView.setAdapter(recyclerViewAdapter);
+    }
+
+    private void loadButtons() {
+        mButtonPanel = findViewById(R.id.button_panel);
+        Button dontAllowButton = findViewById(R.id.dont_allow_button);
+        Button allowButton = findViewById(R.id.allow_button);
+
+        dontAllowButton.setOnClickListener(finishRequestManageCredentials());
+        allowButton.setOnClickListener(setCredentialManagementApp());
+    }
+
+    private View.OnClickListener finishRequestManageCredentials() {
+        return v -> {
+            Toast.makeText(this, R.string.request_manage_credentials_dont_allow,
+                    Toast.LENGTH_SHORT).show();
+            setResult(RESULT_CANCELED);
+            finish();
+        };
+    }
+
+    private View.OnClickListener setCredentialManagementApp() {
+        return v -> {
+            // TODO: Implement allow logic
+            Toast.makeText(this, R.string.request_manage_credentials_allow,
+                    Toast.LENGTH_SHORT).show();
+            finish();
+        };
+    }
+
+    private void addOnScrollListener() {
+        mRecyclerView.addOnScrollListener(new RecyclerView.OnScrollListener() {
+            @Override
+            public void onScrolled(@NonNull RecyclerView recyclerView, int dx, int dy) {
+                super.onScrolled(recyclerView, dx, dy);
+                if (!mDisplayingButtonPanel) {
+                    if (isRecyclerScrollable()) {
+                        hideButtonPanel();
+                    } else {
+                        showButtonPanel();
+                    }
+                }
+            }
+        });
+    }
+
+    private void showButtonPanel() {
+        // Add padding to remove overlap between recycler view and button panel.
+        int padding_in_px = (int) (60 * getResources().getDisplayMetrics().density + 0.5f);
+        mRecyclerView.setPadding(0, 0, 0, padding_in_px);
+        mButtonPanel.setVisibility(View.VISIBLE);
+        mDisplayingButtonPanel = true;
+    }
+
+    private void hideButtonPanel() {
+        mRecyclerView.setPadding(0, 0, 0, 0);
+        mButtonPanel.setVisibility(View.GONE);
+    }
+
+    private boolean isRecyclerScrollable() {
+        if (mLayoutManager == null || mRecyclerView.getAdapter() == null) {
+            return false;
+        }
+        return mLayoutManager.findLastCompletelyVisibleItemPosition()
+                < mRecyclerView.getAdapter().getItemCount() - 1;
+    }
+
+    private void enforceValidAuthenticationPolicy(AppUriAuthenticationPolicy policy) {
+        // TODO: Check whether any of the aliases in the policy already exist
+        if (policy == null || policy.getAppAndUriMappings().isEmpty()) {
+            Log.e(TAG, "Invalid authentication policy");
+            setResult(RESULT_CANCELED);
+            finish();
+        }
+    }
+}
--- a/src/com/android/settings/security/UriAuthenticationPolicyAdapter.java
+++ b/src/com/android/settings/security/UriAuthenticationPolicyAdapter.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.net.Uri;
+import android.security.AppUriAuthenticationPolicy;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.view.ViewGroup;
+import android.widget.TextView;
+
+import androidx.annotation.NonNull;
+import androidx.recyclerview.widget.RecyclerView;
+
+import com.android.settings.R;
+
+import java.util.List;
+
+/**
+ * Child adapter for the requesting credential management app. This adapter displays the list of
+ * URIs for each app in the requesting app's authentication policy, when
+ * {@link RequestManageCredentials} is started.
+ *
+ * @hide
+ * @see CredentialManagementAppAdapter
+ * @see RequestManageCredentials
+ * @see AppUriAuthenticationPolicy
+ */
+public class UriAuthenticationPolicyAdapter extends
+        RecyclerView.Adapter<UriAuthenticationPolicyAdapter.UriViewHolder> {
+
+    private final List<Uri> mUris;
+
+    /**
+     * View holder for each URI which is part of the authentication policy in the
+     * request manage credentials screen.
+     */
+    public class UriViewHolder extends RecyclerView.ViewHolder {
+        TextView mUriNameView;
+
+        public UriViewHolder(@NonNull View view) {
+            super(view);
+            mUriNameView = itemView.findViewById(R.id.uri_name);
+        }
+    }
+
+    UriAuthenticationPolicyAdapter(List<Uri> uris) {
+        this.mUris = uris;
+    }
+
+    @Override
+    public UriAuthenticationPolicyAdapter.UriViewHolder onCreateViewHolder(ViewGroup parent,
+            int viewType) {
+        View view = LayoutInflater.from(parent.getContext()).inflate(
+                R.layout.app_authentication_uri_item, parent, false);
+        return new UriViewHolder(view);
+    }
+
+    @Override
+    public void onBindViewHolder(UriAuthenticationPolicyAdapter.UriViewHolder holder,
+            int position) {
+        Uri uri = mUris.get(position);
+        holder.mUriNameView.setText(uri.toString());
+    }
+
+    @Override
+    public int getItemCount() {
+        return mUris.size();
+    }
+}