Convert biometrics to RestrictedPreference

Bug: 188847063
Test: adb shell settings put secure com.android.settings.biometrics.ParentalControlsUtils.always_require_consent 1
      Preference becomes gray with an info icon
Test: atest ParentalControlsUtilsTest
Test: make -j56 RunSettingsRoboTests ROBOTEST_FILTER=CombinedBiometricStatusPreferenceControllerTest
Test: make -j56 RunSettingsRoboTests ROBOTEST_FILTER=FingerprintStatusPreferenceControllerTest
Test: make -j56 RunSettingsRoboTests ROBOTEST_FILTER=FaceStatusPreferenceControllerTest

Change-Id: I929c11606eec76063f7b060fdc5cb2b5f60a80e2

res/xml/security_dashboard_settings.xml

@@ -43,19 +43,19 @@
             android:summary="@string/summary_placeholder"
             settings:keywords="@string/keywords_lockscreen" />
 
-        <Preference
+        <com.android.settingslib.RestrictedPreference
             android:key="fingerprint_settings"
             android:title="@string/security_settings_fingerprint_preference_title"
             android:summary="@string/summary_placeholder"
             settings:keywords="@string/keywords_fingerprint_settings" />
 
-        <Preference
+        <com.android.settingslib.RestrictedPreference
             android:key="face_settings"
             android:title="@string/security_settings_face_preference_title"
             android:summary="@string/summary_placeholder"
             settings:keywords="@string/keywords_face_settings" />
 
-        <Preference
+        <com.android.settingslib.RestrictedPreference
             android:key="biometric_settings"
             android:title="@string/security_settings_biometric_preference_title"
             android:summary="@string/summary_placeholder"

src/com/android/settings/biometrics/ParentalControlsUtils.java

@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.biometrics;
+
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Context;
+import android.hardware.biometrics.BiometricAuthenticator;
+import android.os.Build;
+import android.os.UserHandle;
+import android.provider.Settings;
+import android.util.Log;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.Nullable;
+
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.settingslib.RestrictedLockUtils;
+
+/**
+ * Utilities for things at the cross-section of biometrics and parental controls. For example,
+ * determining if parental consent is required, determining which strings should be shown, etc.
+ */
+public class ParentalControlsUtils {
+
+    private static final String TAG = "ParentalControlsUtils";
+    private static final String TEST_ALWAYS_REQUIRE_CONSENT =
+            "com.android.settings.biometrics.ParentalControlsUtils.always_require_consent";
+
+    /**
+     * Public version that enables test paths based on {@link #TEST_ALWAYS_REQUIRE_CONSENT}
+     * @return non-null EnforcedAdmin if parental consent is required
+     */
+    public static RestrictedLockUtils.EnforcedAdmin parentConsentRequired(@NonNull Context context,
+            @BiometricAuthenticator.Modality int modality) {
+
+        final UserHandle userHandle = new UserHandle(UserHandle.myUserId());
+        if (Build.IS_USERDEBUG || Build.IS_ENG) {
+            final boolean testAlwaysRequireConsent = Settings.Secure.getInt(
+                    context.getContentResolver(), TEST_ALWAYS_REQUIRE_CONSENT, 0) != 0;
+            if (testAlwaysRequireConsent) {
+                Log.d(TAG, "Requiring consent for test flow");
+                return new RestrictedLockUtils.EnforcedAdmin(null /* ComponentName */, userHandle);
+            }
+        }
+
+        final DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
+        return parentConsentRequiredInternal(dpm, modality, userHandle);
+    }
+
+    /**
+     * Internal testable version.
+     * @return non-null EnforcedAdmin if parental consent is required
+     */
+    @Nullable
+    @VisibleForTesting
+    static RestrictedLockUtils.EnforcedAdmin parentConsentRequiredInternal(
+            @NonNull DevicePolicyManager dpm, @BiometricAuthenticator.Modality int modality,
+            @NonNull UserHandle userHandle) {
+        final ComponentName cn = dpm.getProfileOwnerOrDeviceOwnerSupervisionComponent(userHandle);
+        if (cn == null) {
+            return null;
+        }
+
+        final int keyguardDisabledFeatures = dpm.getKeyguardDisabledFeatures(cn);
+        final boolean dpmFpDisabled = containsFlag(keyguardDisabledFeatures,
+                DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT);
+        final boolean dpmFaceDisabled = containsFlag(keyguardDisabledFeatures,
+                DevicePolicyManager.KEYGUARD_DISABLE_FACE);
+        final boolean dpmIrisDisabled = containsFlag(keyguardDisabledFeatures,
+                DevicePolicyManager.KEYGUARD_DISABLE_IRIS);
+
+        final boolean consentRequired;
+        if (containsFlag(modality, BiometricAuthenticator.TYPE_FINGERPRINT) && dpmFpDisabled) {
+            consentRequired = true;
+        } else if (containsFlag(modality, BiometricAuthenticator.TYPE_FACE) && dpmFaceDisabled) {
+            consentRequired = true;
+        } else if (containsFlag(modality, BiometricAuthenticator.TYPE_IRIS) && dpmIrisDisabled) {
+            consentRequired = true;
+        } else {
+            consentRequired = false;
+        }
+
+        if (consentRequired) {
+            return new RestrictedLockUtils.EnforcedAdmin(cn, userHandle);
+        } else {
+            return null;
+        }
+    }
+
+    private static boolean containsFlag(int haystack, int needle) {
+        return (haystack & needle) != 0;
+    }
+}

src/com/android/settings/biometrics/combination/CombinedBiometricStatusPreferenceController.java

@@ -16,15 +16,22 @@
 package com.android.settings.biometrics.combination;
 
 import android.content.Context;
+import android.hardware.biometrics.BiometricAuthenticator;
 import android.hardware.face.FaceManager;
 import android.hardware.fingerprint.FingerprintManager;
 
 import androidx.annotation.Nullable;
+import androidx.preference.Preference;
+import androidx.preference.PreferenceScreen;
 
+import com.android.internal.annotations.VisibleForTesting;
 import com.android.settings.R;
 import com.android.settings.Settings;
 import com.android.settings.Utils;
 import com.android.settings.biometrics.BiometricStatusPreferenceController;
+import com.android.settings.biometrics.ParentalControlsUtils;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedPreference;
 
 /**
  * Preference controller for biometrics settings page controlling the ability to unlock the phone
@@ -38,6 +45,8 @@ public class CombinedBiometricStatusPreferenceController extends
     FingerprintManager mFingerprintManager;
     @Nullable
     FaceManager mFaceManager;
+    @VisibleForTesting
+    RestrictedPreference mPreference;
 
     public CombinedBiometricStatusPreferenceController(Context context) {
         this(context, KEY_BIOMETRIC_SETTINGS);
@@ -49,6 +58,12 @@ public class CombinedBiometricStatusPreferenceController extends
         mFaceManager = Utils.getFaceManagerOrNull(context);
     }
 
+    @Override
+    public void displayPreference(PreferenceScreen screen) {
+        super.displayPreference(screen);
+        mPreference = screen.findPreference(KEY_BIOMETRIC_SETTINGS);
+    }
+
     @Override
     protected boolean isDeviceSupported() {
         return Utils.hasFingerprintHardware(mContext) && Utils.hasFaceHardware(mContext);
@@ -59,6 +74,24 @@ public class CombinedBiometricStatusPreferenceController extends
         return false;
     }
 
+    @Override
+    public void updateState(Preference preference) {
+        super.updateState(preference);
+        // This controller currently is shown if fingerprint&face exist on the device. If this
+        // changes in the future, the modalities passed into the below will need to be updated.
+        final RestrictedLockUtils.EnforcedAdmin admin = ParentalControlsUtils
+                .parentConsentRequired(mContext,
+                BiometricAuthenticator.TYPE_FACE | BiometricAuthenticator.TYPE_FINGERPRINT);
+        updateStateInternal(admin);
+    }
+
+    @VisibleForTesting
+    void updateStateInternal(@Nullable RestrictedLockUtils.EnforcedAdmin enforcedAdmin) {
+        if (enforcedAdmin != null && mPreference != null) {
+            mPreference.setDisabledByAdmin(enforcedAdmin);
+        }
+    }
+
     @Override
     protected String getSummaryTextEnrolled() {
         // Note that this is currently never called (see the super class)

src/com/android/settings/biometrics/face/FaceStatusPreferenceController.java

@@ -17,18 +17,29 @@
 package com.android.settings.biometrics.face;
 
 import android.content.Context;
+import android.hardware.biometrics.BiometricAuthenticator;
 import android.hardware.face.FaceManager;
 
+import androidx.annotation.Nullable;
+import androidx.preference.Preference;
+import androidx.preference.PreferenceScreen;
+
+import com.android.internal.annotations.VisibleForTesting;
 import com.android.settings.R;
 import com.android.settings.Settings;
 import com.android.settings.Utils;
 import com.android.settings.biometrics.BiometricStatusPreferenceController;
+import com.android.settings.biometrics.ParentalControlsUtils;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedPreference;
 
 public class FaceStatusPreferenceController extends BiometricStatusPreferenceController {
 
     public static final String KEY_FACE_SETTINGS = "face_settings";
 
     protected final FaceManager mFaceManager;
+    @VisibleForTesting
+    RestrictedPreference mPreference;
 
     public FaceStatusPreferenceController(Context context) {
         this(context, KEY_FACE_SETTINGS);
@@ -39,6 +50,12 @@ public class FaceStatusPreferenceController extends BiometricStatusPreferenceCon
         mFaceManager = Utils.getFaceManagerOrNull(context);
     }
 
+    @Override
+    public void displayPreference(PreferenceScreen screen) {
+        super.displayPreference(screen);
+        mPreference = screen.findPreference(KEY_FACE_SETTINGS);
+    }
+
     @Override
     protected boolean isDeviceSupported() {
         return !Utils.isMultipleBiometricsSupported(mContext) && Utils.hasFaceHardware(mContext);
@@ -49,6 +66,21 @@ public class FaceStatusPreferenceController extends BiometricStatusPreferenceCon
         return mFaceManager.hasEnrolledTemplates(getUserId());
     }
 
+    @Override
+    public void updateState(Preference preference) {
+        super.updateState(preference);
+        final RestrictedLockUtils.EnforcedAdmin admin = ParentalControlsUtils
+                .parentConsentRequired(mContext, BiometricAuthenticator.TYPE_FACE);
+        updateStateInternal(admin);
+    }
+
+    @VisibleForTesting
+    void updateStateInternal(@Nullable RestrictedLockUtils.EnforcedAdmin enforcedAdmin) {
+        if (enforcedAdmin != null && mPreference != null) {
+            mPreference.setDisabledByAdmin(enforcedAdmin);
+        }
+    }
+
     @Override
     protected String getSummaryTextEnrolled() {
         return mContext.getResources()

src/com/android/settings/biometrics/fingerprint/FingerprintStatusPreferenceController.java

@@ -17,17 +17,28 @@
 package com.android.settings.biometrics.fingerprint;
 
 import android.content.Context;
+import android.hardware.biometrics.BiometricAuthenticator;
 import android.hardware.fingerprint.FingerprintManager;
 
+import androidx.annotation.Nullable;
+import androidx.preference.Preference;
+import androidx.preference.PreferenceScreen;
+
+import com.android.internal.annotations.VisibleForTesting;
 import com.android.settings.R;
 import com.android.settings.Utils;
 import com.android.settings.biometrics.BiometricStatusPreferenceController;
+import com.android.settings.biometrics.ParentalControlsUtils;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedPreference;
 
 public class FingerprintStatusPreferenceController extends BiometricStatusPreferenceController {
 
     private static final String KEY_FINGERPRINT_SETTINGS = "fingerprint_settings";
 
     protected final FingerprintManager mFingerprintManager;
+    @VisibleForTesting
+    RestrictedPreference mPreference;
 
     public FingerprintStatusPreferenceController(Context context) {
         this(context, KEY_FINGERPRINT_SETTINGS);
@@ -38,6 +49,12 @@ public class FingerprintStatusPreferenceController extends BiometricStatusPrefer
         mFingerprintManager = Utils.getFingerprintManagerOrNull(context);
     }
 
+    @Override
+    public void displayPreference(PreferenceScreen screen) {
+        super.displayPreference(screen);
+        mPreference = screen.findPreference(KEY_FINGERPRINT_SETTINGS);
+    }
+
     @Override
     protected boolean isDeviceSupported() {
         return !Utils.isMultipleBiometricsSupported(mContext)
@@ -49,6 +66,21 @@ public class FingerprintStatusPreferenceController extends BiometricStatusPrefer
         return mFingerprintManager.hasEnrolledFingerprints(getUserId());
     }
 
+    @Override
+    public void updateState(Preference preference) {
+        super.updateState(preference);
+        final RestrictedLockUtils.EnforcedAdmin admin = ParentalControlsUtils
+                .parentConsentRequired(mContext, BiometricAuthenticator.TYPE_FINGERPRINT);
+        updateStateInternal(admin);
+    }
+
+    @VisibleForTesting
+    void updateStateInternal(@Nullable RestrictedLockUtils.EnforcedAdmin enforcedAdmin) {
+        if (enforcedAdmin != null && mPreference != null) {
+            mPreference.setDisabledByAdmin(enforcedAdmin);
+        }
+    }
+
     @Override
     protected String getSummaryTextEnrolled() {
         final int numEnrolled = mFingerprintManager.getEnrolledFingerprints(getUserId()).size();

tests/robotests/src/com/android/settings/biometrics/combination/CombinedBiometricStatusPreferenceControllerTest.java

@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.biometrics.combination;
+
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.hardware.face.FaceManager;
+import android.hardware.fingerprint.FingerprintManager;
+import android.os.UserManager;
+
+import androidx.preference.Preference;
+
+import com.android.internal.widget.LockPatternUtils;
+import com.android.settings.testutils.FakeFeatureFactory;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedPreference;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.robolectric.RobolectricTestRunner;
+import org.robolectric.RuntimeEnvironment;
+import org.robolectric.shadows.ShadowApplication;
+
+@RunWith(RobolectricTestRunner.class)
+public class CombinedBiometricStatusPreferenceControllerTest {
+
+    @Mock
+    private LockPatternUtils mLockPatternUtils;
+    @Mock
+    private FingerprintManager mFingerprintManager;
+    @Mock
+    private FaceManager mFaceManager;
+    @Mock
+    private UserManager mUm;
+    @Mock
+    private PackageManager mPackageManager;
+
+    private FakeFeatureFactory mFeatureFactory;
+    private Context mContext;
+    private CombinedBiometricStatusPreferenceController mController;
+    private Preference mPreference;
+
+    @Before
+    public void setUp() {
+        MockitoAnnotations.initMocks(this);
+        mContext = spy(RuntimeEnvironment.application);
+        when(mContext.getPackageManager()).thenReturn(mPackageManager);
+        when(mPackageManager.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)).thenReturn(true);
+        when(mPackageManager.hasSystemFeature(PackageManager.FEATURE_FACE)).thenReturn(true);
+        ShadowApplication.getInstance().setSystemService(Context.FINGERPRINT_SERVICE,
+                mFingerprintManager);
+        ShadowApplication.getInstance().setSystemService(Context.FACE_SERVICE, mFaceManager);
+        ShadowApplication.getInstance().setSystemService(Context.USER_SERVICE, mUm);
+        mPreference = new Preference(mContext);
+        mFeatureFactory = FakeFeatureFactory.setupForTest();
+        when(mFeatureFactory.securityFeatureProvider.getLockPatternUtils(mContext))
+                .thenReturn(mLockPatternUtils);
+        when(mUm.getProfileIdsWithDisabled(anyInt())).thenReturn(new int[] {1234});
+        mController = new CombinedBiometricStatusPreferenceController(mContext);
+    }
+
+    @Test
+    public void updateState_parentalConsentRequired_preferenceDisabled() {
+        when(mFaceManager.isHardwareDetected()).thenReturn(true);
+        when(mFingerprintManager.isHardwareDetected()).thenReturn(true);
+
+        RestrictedPreference restrictedPreference = mock(RestrictedPreference.class);
+        RestrictedLockUtils.EnforcedAdmin admin = mock(RestrictedLockUtils.EnforcedAdmin.class);
+
+        mController.mPreference = restrictedPreference;
+        mController.updateStateInternal(admin);
+        verify(restrictedPreference).setDisabledByAdmin(eq(admin));
+    }
+}

tests/robotests/src/com/android/settings/biometrics/face/FaceStatusPreferenceControllerTest.java

@@ -22,8 +22,10 @@ import static com.android.settings.core.BasePreferenceController.UNSUPPORTED_ON_
 import static com.google.common.truth.Truth.assertThat;
 
 import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 import android.content.Context;
@@ -37,6 +39,8 @@ import androidx.preference.Preference;
 import com.android.internal.widget.LockPatternUtils;
 import com.android.settings.R;
 import com.android.settings.testutils.FakeFeatureFactory;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedPreference;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -129,4 +133,16 @@ public class FaceStatusPreferenceControllerTest {
                 .getString(R.string.security_settings_face_preference_summary));
         assertThat(mPreference.isVisible()).isTrue();
     }
+
+    @Test
+    public void updateState_parentalConsentRequired_preferenceDisabled() {
+        when(mFaceManager.isHardwareDetected()).thenReturn(true);
+
+        RestrictedPreference restrictedPreference = mock(RestrictedPreference.class);
+        RestrictedLockUtils.EnforcedAdmin admin = mock(RestrictedLockUtils.EnforcedAdmin.class);
+
+        mController.mPreference = restrictedPreference;
+        mController.updateStateInternal(admin);
+        verify(restrictedPreference).setDisabledByAdmin(eq(admin));
+    }
 }

tests/robotests/src/com/android/settings/biometrics/fingerprint/FingerprintStatusPreferenceControllerTest.java

@@ -22,8 +22,10 @@ import static com.android.settings.core.BasePreferenceController.UNSUPPORTED_ON_
 import static com.google.common.truth.Truth.assertThat;
 
 import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 import android.content.Context;
@@ -37,6 +39,8 @@ import androidx.preference.Preference;
 import com.android.internal.widget.LockPatternUtils;
 import com.android.settings.R;
 import com.android.settings.testutils.FakeFeatureFactory;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedPreference;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -130,4 +134,16 @@ public class FingerprintStatusPreferenceControllerTest {
                 R.plurals.security_settings_fingerprint_preference_summary, 1, 1));
         assertThat(mPreference.isVisible()).isTrue();
     }
+
+    @Test
+    public void updateState_parentalConsentRequired_preferenceDisabled() {
+        when(mFingerprintManager.isHardwareDetected()).thenReturn(true);
+
+        RestrictedPreference restrictedPreference = mock(RestrictedPreference.class);
+        RestrictedLockUtils.EnforcedAdmin admin = mock(RestrictedLockUtils.EnforcedAdmin.class);
+
+        mController.mPreference = restrictedPreference;
+        mController.updateStateInternal(admin);
+        verify(restrictedPreference).setDisabledByAdmin(eq(admin));
+    }
 }

tests/unit/src/com/android/settings/biometrics/ParentalControlsUtilsTest.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.biometrics;
+
+import static junit.framework.TestCase.assertNotNull;
+import static junit.framework.TestCase.assertNull;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.ContentResolver;
+import android.content.Context;
+import static android.hardware.biometrics.BiometricAuthenticator.TYPE_FACE;
+import static android.hardware.biometrics.BiometricAuthenticator.TYPE_FINGERPRINT;
+import static android.hardware.biometrics.BiometricAuthenticator.TYPE_IRIS;
+
+import android.hardware.biometrics.BiometricAuthenticator;
+import android.os.UserHandle;
+
+import androidx.annotation.Nullable;
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import com.android.settingslib.RestrictedLockUtils;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+
+@RunWith(AndroidJUnit4.class)
+public class ParentalControlsUtilsTest {
+
+    @Mock
+    private Context mContext;
+    @Mock
+    private DevicePolicyManager mDpm;
+    private ComponentName mSupervisionComponentName = new ComponentName("pkg", "cls");
+
+    @Before
+    public void setUp() {
+        MockitoAnnotations.initMocks(this);
+        when(mContext.getContentResolver()).thenReturn(mock(ContentResolver.class));
+    }
+
+    /**
+     * Helper that sets the appropriate mocks and testing behavior before returning the actual
+     * EnforcedAdmin from ParentalControlsUtils.
+     */
+    @Nullable
+    private RestrictedLockUtils.EnforcedAdmin getEnforcedAdminForCombination(
+            @Nullable ComponentName supervisionComponentName,
+            @BiometricAuthenticator.Modality int modality, int keyguardDisabledFlags) {
+        when(mDpm.getProfileOwnerOrDeviceOwnerSupervisionComponent(any(UserHandle.class)))
+                .thenReturn(supervisionComponentName);
+        when(mDpm.getKeyguardDisabledFeatures(eq(supervisionComponentName)))
+                .thenReturn(keyguardDisabledFlags);
+
+        return ParentalControlsUtils.parentConsentRequiredInternal(mDpm, modality,
+                new UserHandle(UserHandle.myUserId()));
+    }
+
+    @Test
+    public void testEnforcedAdmin_whenDpmDisablesBiometricsAndSupervisionComponentExists() {
+        int[][] tests = {
+                {TYPE_FINGERPRINT, DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT},
+                {TYPE_FACE, DevicePolicyManager.KEYGUARD_DISABLE_FACE},
+                {TYPE_IRIS, DevicePolicyManager.KEYGUARD_DISABLE_IRIS},
+        };
+
+        for (int i = 0; i < tests.length; i++) {
+            RestrictedLockUtils.EnforcedAdmin admin = getEnforcedAdminForCombination(
+                    mSupervisionComponentName, tests[i][0] /* modality */,
+                    tests[i][1] /* keyguardDisableFlags */);
+            assertNotNull(admin);
+            assertEquals(mSupervisionComponentName, admin.component);
+        }
+    }
+
+    @Test
+    public void testNoEnforcedAdmin_whenNoSupervisionComponent() {
+        // Even if DPM flag exists, returns null EnforcedAdmin when no supervision component exists
+        RestrictedLockUtils.EnforcedAdmin admin = getEnforcedAdminForCombination(
+                null /* supervisionComponentName */, TYPE_FINGERPRINT,
+                DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT);
+        assertNull(admin);
+    }
+}