From 9be0899b3c8c735329e0bf33a50de324bd7a285c Mon Sep 17 00:00:00 2001
From: joshmccloskey
Date: Mon, 14 Oct 2019 17:45:57 -0700
Subject: [PATCH] Enforce policy management.
Test: Verified disabling fingerprint will not allow the user to unlock work apps with fingerprint. (But can use fingeprint within apps.)
Test: Verified disabling face and/or iris on a fingerprint device will continue to allow the user to unlock work apps with fingerprint.
Test: Verified disabling face on a face authentication device will not allow the user to unlock work apps with face authentication. (But can use face authentication within apps.)
Test: Verified disabling fingerprint and/or iris on a face authentication device will continue to allow the user to unlock work apps with face authentication.
Bug: 141382589
Change-Id: I74135dd9f6afb1b789302ad0af3daf8a73a4181b
---
 .../ConfirmDeviceCredentialActivity.java | 43 +++++++++++++++++--
 1 file changed, 40 insertions(+), 3 deletions(-)
diff --git a/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java b/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
index 1da2a636053..bf8c5714371 100644
--- a/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
+++ b/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
@@ -25,6 +25,7 @@ import android.app.admin.DevicePolicyManager;
 import android.app.trust.TrustManager;
 import android.content.Context;
 import android.content.Intent;
+import android.content.pm.PackageManager;
 import android.hardware.biometrics.BiometricConstants;
 import android.hardware.biometrics.BiometricManager;
 import android.hardware.biometrics.BiometricPrompt;
@@ -52,6 +53,12 @@ import java.util.concurrent.Executor;
 public class ConfirmDeviceCredentialActivity extends FragmentActivity {
 public static final String TAG = ConfirmDeviceCredentialActivity.class.getSimpleName();
+ /**
+ * If the intent is sent from {@link com.android.systemui.keyguard.WorkLockActivity} then
+ * check for device policy management flags.
+ */
+ public static final String EXTRA_FROM_WORK_LOCK_ACTIVITY = "from_work_lock_activity";
+
 // The normal flow that apps go through
 private static final int CREDENTIAL_NORMAL = 1;
 // Unlocks the managed profile when the primary profile is unlocked
@@ -90,6 +97,8 @@ public class ConfirmDeviceCredentialActivity extends FragmentActivity {
 private TrustManager mTrustManager;
 private ChooseLockSettingsHelper mChooseLockSettingsHelper;
 private Handler mHandler = new Handler(Looper.getMainLooper());
+ private Context mContext;
+ private boolean mFromWorkLockActivity;
 private String mTitle;
 private String mDetails;
@@ -149,6 +158,8 @@ public class ConfirmDeviceCredentialActivity extends FragmentActivity {
 mLockPatternUtils = new LockPatternUtils(this);
 Intent intent = getIntent();
+ mContext = this;
+ mFromWorkLockActivity = intent.getBooleanExtra(EXTRA_FROM_WORK_LOCK_ACTIVITY, false);
 mTitle = intent.getStringExtra(KeyguardManager.EXTRA_TITLE);
 mDetails = intent.getStringExtra(KeyguardManager.EXTRA_DESCRIPTION);
 String alternateButton = intent.getStringExtra(
@@ -190,7 +201,7 @@ public class ConfirmDeviceCredentialActivity extends FragmentActivity {
 } else if (isManagedProfile && isInternalActivity()
 && !lockPatternUtils.isSeparateProfileChallengeEnabled(mUserId)) {
 mCredentialMode = CREDENTIAL_MANAGED;
- if (isBiometricAllowed(effectiveUserId, mUserId)) {
+ if (mFromWorkLockActivity && isBiometricAllowed(effectiveUserId, mUserId)) {
 showBiometricPrompt(bpBundle);
 launchedBiometric = true;
 } else {
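Review bot: The Javadoc on `EXTRA_FROM_WORK_LOCK_ACTIVITY` says the extra triggers a device-policy check, but the only use visible in this patch (the `mFromWorkLockActivity && isBiometricAllowed(...)` condition in the -190 hunk) makes it a precondition for offering the biometric prompt in the managed-profile flow at all. Suggest rewording so the doc matches the code: `Set by WorkLockActivity. Biometric unlock of the work profile is offered only when this extra is present, and then still subject to the existing isBiometricAllowed() check.` Whether the constant is also read elsewhere is not visible in this patch.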
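Review bot: The new `mContext` field duplicates the activity's own `Context`: it is assigned `this` in the -149 hunk and read only as `mContext.getPackageManager()` in the -256 hunk, where `getPackageManager()` is already available on the activity itself. Dropping the field and the assignment removes a redundant reference and a hidden ordering dependency between the method in the -149 hunk (presumably onCreate) and `isBiometricDisabledByAdmin`, which would throw if reached before that assignment.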
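Review bot: The biometric branch of the managed-profile flow now hinges on a caller-supplied boolean extra, so whether any app can switch this path on rests entirely on the surrounding `isInternalActivity()` condition and on that activity's export status; neither is visible in this hunk, and the reliance deserves an explicit comment. Suggest adding above the condition: `// Biometric unlock of the work profile is offered only when launched by WorkLockActivity; the extra is trusted because this branch is limited to the internal activity (assumed not exported; confirm against the manifest).` Also note that callers that previously reached the biometric prompt in CREDENTIAL_MANAGED mode without the extra now silently fall through to the credential path; if that is intended, the Javadoc of EXTRA_FROM_WORK_LOCK_ACTIVITY should say so. The enclosing method starts and ends outside the hunk.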
@@ -256,10 +267,36 @@ public class ConfirmDeviceCredentialActivity extends FragmentActivity {
 || !mUserManager.isUserUnlocked(mUserId);
 }
+ /**
+ * TODO: Pass a list of disabled features to an internal BiometricPrompt API, so we can
+ * potentially show different modalities on multi-auth devices.
+ *
+ * @param effectiveUserId
+ * @return false if their exists one biometric on the device which is not disabled by the
+ * policy manager.
+ */
 private boolean isBiometricDisabledByAdmin(int effectiveUserId) {
 final int disabledFeatures =
- mDevicePolicyManager.getKeyguardDisabledFeatures(null, effectiveUserId);
- return (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_BIOMETRICS) != 0;
+ mDevicePolicyManager.getKeyguardDisabledFeatures(null, effectiveUserId);
+
+ final PackageManager pm = mContext.getPackageManager();
+ if (pm.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)
+ && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT) == 0) {
+ Log.d(TAG,"Fingerprint enabled & allowed by device policy manager");
+ return false;
+ }
+ if (pm.hasSystemFeature(PackageManager.FEATURE_IRIS)
+ && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_IRIS) == 0) {
+ Log.d(TAG,"Iris enabled & allowed by device policy manager");
+ return false;
+ }
+ if (pm.hasSystemFeature(PackageManager.FEATURE_FACE)
+ && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_FACE) == 0) {
+ Log.d(TAG,"Face enabled & allowed by device policy manager");
+ return false;
+ }
+
+ return true;
 }
 private boolean isBiometricAllowed(int effectiveUserId, int realUserId) {
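Review bot: `isBiometricDisabledByAdmin` now returns false as soon as one present modality is not disabled, but nothing in this patch constrains the BiometricPrompt that is then shown to that modality (the TODO on the method acknowledges this), so on a device with both fingerprint and face hardware a policy that disables only fingerprint still yields a prompt that may accept fingerprint. The commit's Test: lines cover only single-modality devices, so this gap is untested. Until the internal API the TODO describes exists, the safer reading is to fail closed — report disabled if any present modality is disabled by policy — which still satisfies the four listed test cases. Smaller points in the same hunk: the Javadoc `@param` has no description and `their exists` should read `there exists`; `mContext.getPackageManager()` can simply be `getPackageManager()`; and the three `Log.d(TAG,"...")` calls lack a space after the comma.
```java
    private boolean isBiometricDisabledByAdmin(int effectiveUserId) {
        final int disabledFeatures =
                mDevicePolicyManager.getKeyguardDisabledFeatures(null, effectiveUserId);
        final PackageManager pm = getPackageManager();
        // Fail closed: the prompt is not told which modalities are permitted, so a single
        // present modality that policy disables disables the prompt as a whole.
        if (pm.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)
                && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT) != 0) {
            Log.d(TAG, "Fingerprint disabled by device policy manager");
            return true;
        }
        // … same check for FEATURE_IRIS / KEYGUARD_DISABLE_IRIS …
        // … same check for FEATURE_FACE / KEYGUARD_DISABLE_FACE …
        return false;
    }
```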