From 91d7545826bc8e7d7f86d73ea0faaaf7def59f87 Mon Sep 17 00:00:00 2001
From: Joe Bolinger <jbolinger@google.com>
Date: Wed, 28 Jul 2021 15:05:24 -0700
Subject: [PATCH] Limit biometric enrollments when Unicorn account is present.

This prevents biometric enrollment from happening after consent
has been obtained and is being managed by family link.

Note that this requires a corresponding change the setup wizard app
to work in most cases.

Bug: 193577587
Test: manual (enroll then relaunch SuW and repeat)
Change-Id: If260e49f38a141931d7f3362c1faf80ee7790232
---
 .../biometrics/BiometricEnrollActivity.java   | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/com/android/settings/biometrics/BiometricEnrollActivity.java b/src/com/android/settings/biometrics/BiometricEnrollActivity.java
index f6396c330a7..904a37d1ba6 100644
--- a/src/com/android/settings/biometrics/BiometricEnrollActivity.java
+++ b/src/com/android/settings/biometrics/BiometricEnrollActivity.java
@@ -28,6 +28,7 @@ import android.app.settings.SettingsEnums;
 import android.content.Intent;
 import android.content.pm.PackageManager;
 import android.content.res.Resources;
+import android.hardware.biometrics.BiometricAuthenticator;
 import android.hardware.biometrics.BiometricManager;
 import android.hardware.biometrics.BiometricManager.Authenticators;
 import android.hardware.biometrics.BiometricManager.BiometricError;
@@ -116,8 +117,10 @@ public class BiometricEnrollActivity extends InstrumentedActivity {
     public void onCreate(@Nullable Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
 
+        final Intent intent = getIntent();
+
         if (this instanceof InternalActivity) {
-            mUserId = getIntent().getIntExtra(Intent.EXTRA_USER_ID, UserHandle.myUserId());
+            mUserId = intent.getIntExtra(Intent.EXTRA_USER_ID, UserHandle.myUserId());
             if (BiometricUtils.containsGatekeeperPasswordHandle(getIntent())) {
                 mGkPwHandle = BiometricUtils.getGatekeeperPasswordHandle(getIntent());
             }
@@ -135,7 +138,6 @@ public class BiometricEnrollActivity extends InstrumentedActivity {
         }
 
         // Log a framework stats event if this activity was launched via intent action.
-        final Intent intent = getIntent();
         if (!mIsEnrollActionLogged && ACTION_BIOMETRIC_ENROLL.equals(intent.getAction())) {
             mIsEnrollActionLogged = true;
 
@@ -205,6 +207,22 @@ public class BiometricEnrollActivity extends InstrumentedActivity {
         Log.d(TAG, "parentalOptionsRequired: " + mParentalOptionsRequired
                 + ", skipReturnToParent: " + mSkipReturnToParent);
 
+        // Only allow the consent flow to happen once when running from setup wizard.
+        // This isn't common and should only happen if setup wizard is not completed normally
+        // due to a restart, etc.
+        if (isSetupWizard && mParentalOptionsRequired) {
+            final boolean consentAlreadyManaged = ParentalControlsUtils.parentConsentRequired(this,
+                    BiometricAuthenticator.TYPE_FACE | BiometricAuthenticator.TYPE_FINGERPRINT)
+                    != null;
+            if (consentAlreadyManaged) {
+                Log.w(TAG, "Consent was already setup - skipping enrollment");
+                setResult(RESULT_SKIP);
+                finish();
+                return;
+            }
+        }
+
+        // start enrollment process if we haven't bailed out yet
         if (mParentalOptionsRequired && mParentalOptions == null) {
             mParentalConsentHelper = new ParentalConsentHelper(
                     mIsFaceEnrollable, mIsFingerprintEnrollable, mGkPwHandle);