4/n: Remove challenge from choose/confirm, use new path

Biometric enrollment will not request a Gatekeeper HAT during
initial credential setup or credential confirmation anymore.
Instead, it is broken down into the following steps now.

Bug: 161765592

1) Request credential setup / confirmation to return a
   Gatekeeper Password
2) Biometric enrollment will generate a challenge
3) Biometric enrollment will request LockSettingsService to
   verify(GatekeeperPassword, challenge), and upon verification,
   the Gatekeeper HAT will be returned.

Since both LockSettingsService and Biometric enroll/settings
make use of biometric challenges, this allows us to make the
challenge ownership/lifecycle clear (vs. previously, where
LockSettingsService has no idea who the challenge belongs to).

Exempt-From-Owner-Approval:For files not owned by our team,
(StorageWizard), this change is just a method rename

Test: RunSettingsRoboTests

Run the following on face/fingerprint devices
Test: Remove credential
      adb shell am start -a android.app.action.SET_NEW_PASSWORD
      Set up credential + fingerprint
Test: Remove credential,
      adb shell am start -a android.settings.FINGERPRINT_SETTINGS
      This tests the ChooseLock* logic in FingerprintSettings
Test: Set up credential,
      adb shell am start -a android.settings.FINGERPRINT_SETTINGS
      This tests the ConfirmLock* logic in FingerprintSettings
Test: Remove device credential, enroll fingerprint/face. Succeeds.
      This tests the ChooseLock* returning SP path from
      BiometricEnrollIntro
Test: With credential and fingerprint/face enrolled, go to
      fingerprint/face settings and enroll. This tests the
      ConfirmLock* path in Fingerprint/FaceSettings
Test: Remove device credential, enroll credential-only, enroll
      fingerprint/face separately. Succeeds. This tests the
      ConfirmLock* returning SP path in BiometricEnrollIntro
Test: In SUW, set up credential, then biometric. This tests
      the ChooseLock* path in SUW
Test: In SUW, set up credential, go back, then set up biometric.
      This tests the ConfirmLock* path in SUW

Change-Id: Idf6fcb43f7497323d089eb9c37125294e7a7f5dc
Kevin Chyn
2020-07-23 19:36:26 -07:00
parent e67a0afc41
commit 7b0867c6d3
25 changed files with 269 additions and 235 deletions


@@ -144,8 +144,7 @@ public class ChooseLockGeneric extends SettingsActivity {
private LockPatternUtils mLockPatternUtils;
private DevicePolicyManager mDpm;
private boolean mHasChallenge = false;
private long mChallenge;
private boolean mRequestGatekeeperPassword = false;
private boolean mPasswordConfirmed = false;
private boolean mWaitingForConfirmation = false;
private boolean mForChangeCredRequiredForBoot = false;
@@ -211,10 +210,8 @@ public class ChooseLockGeneric extends SettingsActivity {
ChooseLockSettingsHelper.EXTRA_KEY_PASSWORD);
}
mHasChallenge = intent.getBooleanExtra(
ChooseLockSettingsHelper.EXTRA_KEY_HAS_CHALLENGE, false);
mChallenge = intent.getLongExtra(
ChooseLockSettingsHelper.EXTRA_KEY_CHALLENGE, 0);
mRequestGatekeeperPassword = intent.getBooleanExtra(
ChooseLockSettingsHelper.EXTRA_KEY_REQUEST_GK_PW, false);
mForFingerprint = intent.getBooleanExtra(
ChooseLockSettingsHelper.EXTRA_KEY_FOR_FINGERPRINT, false);
mForFace = intent.getBooleanExtra(
@@ -386,9 +383,12 @@ public class ChooseLockGeneric extends SettingsActivity {
mForFingerprint);
intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_FOR_FACE,
mForFace);
// If the caller requested Gatekeeper Password to be returned, we assume it came
// from biometric enrollment. This should be cleaned up, since requesting
// Gatekeeper Password should not imply it came from biometric setup/settings.
startActivityForResult(
intent,
mIsSetNewPassword && mHasChallenge
mIsSetNewPassword && mRequestGatekeeperPassword
? CHOOSE_LOCK_BEFORE_BIOMETRIC_REQUEST
: ENABLE_ENCRYPTION_REQUEST);
} else {
@@ -438,6 +438,10 @@ public class ChooseLockGeneric extends SettingsActivity {
&& resultCode == BiometricEnrollBase.RESULT_FINISHED) {
Intent intent = getBiometricEnrollIntent(getActivity());
if (data != null) {
// ChooseLockGeneric should have requested that the Gatekeeper Password be
// returned, so that biometric enrollment(s) can subsequently request Gatekeeper
// to create HardwareAuthToken(s) wrapping biometric-specific challenges. Send
// the extras (including the GK Password) to the enrollment activity.
intent.putExtras(data.getExtras());
}
// Forward the target user id to fingerprint setup page.
@@ -722,10 +726,8 @@ public class ChooseLockGeneric extends SettingsActivity {
.setRequestedMinComplexity(mRequestedMinComplexity)
.setForFingerprint(mForFingerprint)
.setForFace(mForFace)
.setUserId(mUserId);
if (mHasChallenge) {
builder.setChallenge(mChallenge);
}
.setUserId(mUserId)
.setRequestGatekeeperPassword(mRequestGatekeeperPassword);
if (mUserPassword != null) {
builder.setPassword(mUserPassword);
}
@@ -740,10 +742,8 @@ public class ChooseLockGeneric extends SettingsActivity {
new ChooseLockPattern.IntentBuilder(getContext())
.setForFingerprint(mForFingerprint)
.setForFace(mForFace)
.setUserId(mUserId);
if (mHasChallenge) {
builder.setChallenge(mChallenge);
}
.setUserId(mUserId)
.setRequestGatekeeperPassword(mRequestGatekeeperPassword);
if (mUserPassword != null) {
builder.setPattern(mUserPassword);
}
@@ -784,8 +784,13 @@ public class ChooseLockGeneric extends SettingsActivity {
intent.putExtra(EXTRA_SHOW_OPTIONS_BUTTON, chooseLockSkipped);
}
intent.putExtra(EXTRA_CHOOSE_LOCK_GENERIC_EXTRAS, getIntent().getExtras());
// If the caller requested Gatekeeper Password to be returned, we assume it came
// from biometric enrollment. onActivityResult will put the LockSettingsService
// into the extras and launch biometric enrollment. This should be cleaned up,
// since requesting Gatekeeper Password should not imply it came from biometric
// setup/settings.
startActivityForResult(intent,
mIsSetNewPassword && mHasChallenge
mIsSetNewPassword && mRequestGatekeeperPassword
? CHOOSE_LOCK_BEFORE_BIOMETRIC_REQUEST
: CHOOSE_LOCK_REQUEST);
return;
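Review bot: In the second hunk, `mRequestGatekeeperPassword` is read from the launching intent after the closing brace that ends the `EXTRA_KEY_PASSWORD` read, so from the visible lines it does not appear to share whatever condition guards that read. The flag then selects `CHOOSE_LOCK_BEFORE_BIOMETRIC_REQUEST`, and the fourth hunk copies the whole result bundle, Gatekeeper Password included, with `intent.putExtras(data.getExtras())`. I would read the flag only on the trusted-caller path (inside the block that closes just above it, if that is what that block checks) and forward only the extras that enrollment needs rather than the full bundle. Separately, the comment added in the last hunk says onActivityResult will put "the LockSettingsService" into the extras; it presumably should read `// from biometric enrollment. onActivityResult will put the Gatekeeper Password`. The enclosing methods begin and end outside these hunks, so a caller check may already exist out of view.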