Merge "Check current user owns a frp credential"

src/com/android/settings/Utils.java

@@ -98,6 +98,7 @@ import androidx.annotation.ColorInt;
 import androidx.annotation.NonNull;
 import androidx.annotation.Nullable;
 import androidx.annotation.StringRes;
+import androidx.annotation.VisibleForTesting;
 import androidx.core.graphics.drawable.IconCompat;
 import androidx.core.graphics.drawable.RoundedBitmapDrawable;
 import androidx.core.graphics.drawable.RoundedBitmapDrawableFactory;
@@ -704,23 +705,26 @@ public final class Utils extends com.android.settingslib.Utils {
                 && bundle.getBoolean(ChooseLockSettingsHelper.EXTRA_KEY_ALLOW_ANY_USER, false);
         final int userId = bundle.getInt(Intent.EXTRA_USER_ID, UserHandle.myUserId());
         if (userId == LockPatternUtils.USER_FRP) {
-            return allowAnyUser ? userId : enforceSystemUser(context, userId);
+            return allowAnyUser ? userId : checkUserOwnsFrpCredential(context, userId);
         } else {
             return allowAnyUser ? userId : enforceSameOwner(context, userId);
         }
     }
 
     /**
-     * Returns the given user id if the current user is the system user.
+     * Returns the given user id if the current user owns frp credential.
      *
-     * @throws SecurityException if the current user is not the system user.
+     * @throws SecurityException if the current user do not own the frp credential.
      */
-    public static int enforceSystemUser(Context context, int userId) {
+    @VisibleForTesting
-        if (UserHandle.myUserId() == UserHandle.USER_SYSTEM) {
+    static int checkUserOwnsFrpCredential(Context context, int userId) {
+        final UserManager um = context.getSystemService(UserManager.class);
+        if (LockPatternUtils.userOwnsFrpCredential(context,
+                um.getUserInfo(UserHandle.myUserId()))) {
             return userId;
         }
-        throw new SecurityException("Given user id " + userId + " must only be used from "
+        throw new SecurityException("Current user id " + UserHandle.myUserId()
-                + "USER_SYSTEM, but current user is " + UserHandle.myUserId());
+                + " does not own frp credential.");
     }
 
     /**

tests/robotests/src/com/android/settings/UtilsTest.java

@@ -18,6 +18,7 @@ package com.android.settings;
 
 import static com.google.common.truth.Truth.assertThat;
 
+import static org.junit.Assert.assertThrows;
 import static org.mockito.ArgumentMatchers.anyInt;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
@@ -59,6 +60,9 @@ import android.widget.TextView;
 import androidx.core.graphics.drawable.IconCompat;
 import androidx.fragment.app.FragmentActivity;
 
+import com.android.settings.testutils.shadow.ShadowLockPatternUtils;
+
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -67,6 +71,7 @@ import org.mockito.MockitoAnnotations;
 import org.robolectric.Robolectric;
 import org.robolectric.RobolectricTestRunner;
 import org.robolectric.RuntimeEnvironment;
+import org.robolectric.annotation.Config;
 import org.robolectric.shadows.ShadowBinder;
 
 import java.net.InetAddress;
@@ -74,6 +79,7 @@ import java.util.ArrayList;
 import java.util.List;
 
 @RunWith(RobolectricTestRunner.class)
+@Config(shadows = ShadowLockPatternUtils.class)
 public class UtilsTest {
 
     private static final String PACKAGE_NAME = "com.android.app";
@@ -88,7 +94,7 @@ public class UtilsTest {
     @Mock
     private DevicePolicyManager mDevicePolicyManager;
     @Mock
-    private UserManager mUserManager;
+    private UserManager mMockUserManager;
     @Mock
     private PackageManager mPackageManager;
     @Mock
@@ -96,18 +102,27 @@ public class UtilsTest {
     @Mock
     private ApplicationInfo mApplicationInfo;
     private Context mContext;
+    private UserManager mUserManager;
+    private static final int FLAG_SYSTEM = 0x00000000;
+    private static final int FLAG_MAIN = 0x00004000;
 
     @Before
     public void setUp() {
         MockitoAnnotations.initMocks(this);
 
         mContext = spy(RuntimeEnvironment.application);
+        mUserManager = (UserManager) mContext.getSystemService(Context.USER_SERVICE);
         when(mContext.getSystemService(WifiManager.class)).thenReturn(wifiManager);
         when(mContext.getSystemService(Context.CONNECTIVITY_SERVICE))
                 .thenReturn(connectivityManager);
         when(mContext.getPackageManager()).thenReturn(mPackageManager);
     }
 
+    @After
+    public void tearDown() {
+        ShadowLockPatternUtils.reset();
+    }
+
     @Test
     public void getWifiIpAddresses_succeeds() throws Exception {
         when(wifiManager.getCurrentNetwork()).thenReturn(network);
@@ -173,7 +188,8 @@ public class UtilsTest {
     public void isProfileOrDeviceOwner_deviceOwnerApp_returnTrue() {
         when(mDevicePolicyManager.isDeviceOwnerAppOnAnyUser(PACKAGE_NAME)).thenReturn(true);
 
-        assertThat(Utils.isProfileOrDeviceOwner(mUserManager, mDevicePolicyManager, PACKAGE_NAME))
+        assertThat(
+            Utils.isProfileOrDeviceOwner(mMockUserManager, mDevicePolicyManager, PACKAGE_NAME))
                 .isTrue();
     }
 
@@ -182,11 +198,12 @@ public class UtilsTest {
         final List<UserInfo> userInfos = new ArrayList<>();
         userInfos.add(new UserInfo());
 
-        when(mUserManager.getUsers()).thenReturn(userInfos);
+        when(mMockUserManager.getUsers()).thenReturn(userInfos);
         when(mDevicePolicyManager.getProfileOwnerAsUser(userInfos.get(0).id))
             .thenReturn(new ComponentName(PACKAGE_NAME, ""));
 
-        assertThat(Utils.isProfileOrDeviceOwner(mUserManager, mDevicePolicyManager, PACKAGE_NAME))
+        assertThat(
+            Utils.isProfileOrDeviceOwner(mMockUserManager, mDevicePolicyManager, PACKAGE_NAME))
                 .isTrue();
     }
 
@@ -339,4 +356,20 @@ public class UtilsTest {
 
         assertThat(Utils.canCurrentUserDream(mockContext)).isFalse();
     }
+
+    @Test
+    public void checkUserOwnsFrpCredential_userOwnsFrpCredential_returnUserId() {
+        ShadowLockPatternUtils.setUserOwnsFrpCredential(true);
+
+        assertThat(Utils.checkUserOwnsFrpCredential(mContext, 123)).isEqualTo(123);
+    }
+
+    @Test
+    public void checkUserOwnsFrpCredential_userNotOwnsFrpCredential_returnUserId() {
+        ShadowLockPatternUtils.setUserOwnsFrpCredential(false);
+
+        assertThrows(
+                SecurityException.class,
+                () -> Utils.checkUserOwnsFrpCredential(mContext, 123));
+    }
 }

tests/robotests/src/com/android/settings/testutils/shadow/ShadowLockPatternUtils.java

@@ -19,6 +19,8 @@ package com.android.settings.testutils.shadow;
 import android.app.admin.DevicePolicyManager;
 import android.app.admin.PasswordMetrics;
 import android.content.ComponentName;
+import android.content.Context;
+import android.content.pm.UserInfo;
 import android.os.UserHandle;
 
 import com.android.internal.widget.LockPatternUtils;
@@ -42,6 +44,8 @@ public class ShadowLockPatternUtils {
     private static Map<Integer, PasswordMetrics> sUserToProfileMetricsMap = new HashMap<>();
     private static Map<Integer, Boolean> sUserToIsSecureMap = new HashMap<>();
 
+    private static boolean sIsUserOwnsFrpCredential;
+
     @Resetter
     public static void reset() {
         sUserToComplexityMap.clear();
@@ -50,6 +54,7 @@ public class ShadowLockPatternUtils {
         sUserToProfileMetricsMap.clear();
         sUserToIsSecureMap.clear();
         sDeviceEncryptionEnabled = false;
+        sIsUserOwnsFrpCredential = false;
     }
 
     @Implementation
@@ -122,6 +127,15 @@ public class ShadowLockPatternUtils {
         return complexity;
     }
 
+    @Implementation
+    public static boolean userOwnsFrpCredential(Context context, UserInfo info) {
+        return sIsUserOwnsFrpCredential;
+    }
+
+    public static void setUserOwnsFrpCredential(boolean isUserOwnsFrpCredential) {
+        sIsUserOwnsFrpCredential = isUserOwnsFrpCredential;
+    }
+
     public static void setRequiredPasswordComplexity(int userHandle, int complexity) {
         sUserToComplexityMap.put(userHandle, complexity);
     }