Respect per-user fingerprints on profiles with unified challenge.

When an app uses KeyguardManager.createConfirmDeviceCredentialIntent to ask the user to confirm credentials, it first goes into ConfirmDeviceCredentialActivity and then goes into ConfirmLockPattern/ConfirmLockPassword, that incorporates a derivative of ConfirmDeviceCredentialBaseFragment to deal with the actual credential and fingerprint checking. There are two bits of logic that are changed: 1) ConfirmDeviceCredentialBaseFragment gets target user id from the intent, then uses UserManager.getCredentialOwnerProfile to find the credential owner user id. If the target user is a work profile with unified challenge, profile owner will be primary user, otherwise it will be the same user. When credential confirmation dialog is invoked via KeyguardManager.createConfirmDeviceCredentialIntent, mUserId will already correspond to credential owner because ConfirmDeviceCredentialActivity already calls getCredentialOwnerUserId(), so real target user is not available. With this CL ConfirmDeviceCredentialActivity doesn't query credential owner because it will be handled later anyway. 2) Currently when confirming credentials for work profile with unified challenge we use mEffectiveUserId (credential owner) for fingerprints, which is incorrect, since fingerprints are per-user and primary profile fingerprints cannot unlock work profile apps' auth-bound keys. With this CL work profile user is used for fingerprints. Bug: 111821299 Test: manual, tried ConfirmCredential sample app in both profiles Test: manual, tried CA certificate installation in both profiles Test: manual, tried separate work challenge Change-Id: I074f773de1bd6207b01664f259bdd04766f32d41
2018-08-09 16:51:55 +01:00
parent 0d9f3abc55
commit f20e34167e
2 changed files with 3 additions and 3 deletions
--- a/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
+++ b/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
@@ -23,6 +23,7 @@ import android.app.admin.DevicePolicyManager;
 import android.content.Context;
 import android.content.Intent;
 import android.os.Bundle;
+import android.os.UserHandle;
 import android.os.UserManager;
 import android.util.Log;

@@ -70,7 +71,7 @@ public class ConfirmDeviceCredentialActivity extends Activity {
                KeyguardManager.EXTRA_ALTERNATE_BUTTON_LABEL);
        boolean frp = KeyguardManager.ACTION_CONFIRM_FRP_CREDENTIAL.equals(intent.getAction());

-        int userId = Utils.getCredentialOwnerUserId(this);
+        int userId = UserHandle.myUserId();
        if (isInternalActivity()) {
            try {
                userId = Utils.getUserIdFromBundle(this, intent.getExtras());
--- a/src/com/android/settings/password/ConfirmDeviceCredentialBaseFragment.java
+++ b/src/com/android/settings/password/ConfirmDeviceCredentialBaseFragment.java
@@ -125,8 +125,7 @@ public abstract class ConfirmDeviceCredentialBaseFragment extends InstrumentedFr
        mCancelButton = (Button) view.findViewById(R.id.cancelButton);
        mFingerprintIcon = (ImageView) view.findViewById(R.id.fingerprintIcon);
        mFingerprintHelper = new FingerprintUiHelper(
-                mFingerprintIcon,
-                (TextView) view.findViewById(R.id.errorText), this, mEffectiveUserId);
+                mFingerprintIcon, view.findViewById(R.id.errorText), this, mUserId);
        boolean showCancelButton = getActivity().getIntent().getBooleanExtra(
                SHOW_CANCEL_BUTTON, false);
        boolean hasAlternateButton = mFrp && !TextUtils.isEmpty(mFrpAlternateButtonText);