From f20e34167e4d5b07772067f50486cb6fc6acf7c6 Mon Sep 17 00:00:00 2001 
From: Pavel Grafov Date: Thu, 9 Aug 2018 16:51:55 +0100 Subject: [PATCH] Respect per-user fingerprints on profiles with unified challenge. When an app uses KeyguardManager.createConfirmDeviceCredentialIntent to ask the user to confirm credentials, it first goes into ConfirmDeviceCredentialActivity and then goes into ConfirmLockPattern/ConfirmLockPassword, that incorporates a derivative of ConfirmDeviceCredentialBaseFragment to deal with the actual credential and fingerprint checking. There are two bits of logic that are changed: 1) ConfirmDeviceCredentialBaseFragment gets target user id from the intent, then uses UserManager.getCredentialOwnerProfile to find the credential owner user id. If the target user is a work profile with unified challenge, profile owner will be primary user, otherwise it will be the same user. When credential confirmation dialog is invoked via KeyguardManager.createConfirmDeviceCredentialIntent, mUserId will already correspond to credential owner because ConfirmDeviceCredentialActivity already calls getCredentialOwnerUserId(), so real target user is not available. With this CL ConfirmDeviceCredentialActivity doesn't query credential owner because it will be handled later anyway. 2) Currently when confirming credentials for work profile with unified challenge we use mEffectiveUserId (credential owner) for fingerprints, which is incorrect, since fingerprints are per-user and primary profile fingerprints cannot unlock work profile apps' auth-bound keys. With this CL work profile user is used for fingerprints. 
Bug: 111821299
Test: manual, tried ConfirmCredential sample app in both profiles
Test: manual, tried CA certificate installation in both profiles
Test: manual, tried separate work challenge
Change-Id: I074f773de1bd6207b01664f259bdd04766f32d41
---
 src/com/android/settings/password/ConfirmDeviceCredentialActivity.java | 3 ++-
 .../android/settings/password/ConfirmDeviceCredentialBaseFragment.java | 3 +--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java b/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
index 65d72f11bb..f5b3b054c5 100644
--- a/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
+++ b/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
@@ -23,6 +23,7 @@ import android.app.admin.DevicePolicyManager;
 import android.content.Context;
 import android.content.Intent;
 import android.os.Bundle;
+import android.os.UserHandle;
 import android.os.UserManager;
 import android.util.Log;
@@ -70,7 +71,7 @@ public class ConfirmDeviceCredentialActivity extends Activity {
 KeyguardManager.EXTRA_ALTERNATE_BUTTON_LABEL);
 boolean frp = KeyguardManager.ACTION_CONFIRM_FRP_CREDENTIAL.equals(intent.getAction());
- int userId = Utils.getCredentialOwnerUserId(this);
+ int userId = UserHandle.myUserId();
 if (isInternalActivity()) {
 try {
 userId = Utils.getUserIdFromBundle(this, intent.getExtras());
diff --git a/src/com/android/settings/password/ConfirmDeviceCredentialBaseFragment.java b/src/com/android/settings/password/ConfirmDeviceCredentialBaseFragment.java
index 0f6eeb3bb6..23bc26f3da 100644
--- a/src/com/android/settings/password/ConfirmDeviceCredentialBaseFragment.java
+++ b/src/com/android/settings/password/ConfirmDeviceCredentialBaseFragment.java
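Review bot: The new `int userId = UserHandle.myUserId();` line in ConfirmDeviceCredentialActivity.java carries no comment saying that `userId` is now the target user rather than the credential owner, although the two differ for a work profile with a unified challenge. The rest of onCreate lies outside this hunk, so every later use of `userId` there should be rechecked for code that still expects the credential owner's id. I would add a comment above the assignment such as `// Target user, not the credential owner; the confirm fragment resolves the owner via getCredentialOwnerProfile().` The commit lists only manual tests, so an automated test for the unified-challenge work-profile path would keep this distinction from regressing.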
@@ -125,8 +125,7 @@ public abstract class ConfirmDeviceCredentialBaseFragment extends InstrumentedFr
 mCancelButton = (Button) view.findViewById(R.id.cancelButton);
 mFingerprintIcon = (ImageView) view.findViewById(R.id.fingerprintIcon);
 mFingerprintHelper = new FingerprintUiHelper(
- mFingerprintIcon,
- (TextView) view.findViewById(R.id.errorText), this, mEffectiveUserId);
+ mFingerprintIcon, view.findViewById(R.id.errorText), this, mUserId);
 boolean showCancelButton = getActivity().getIntent().getBooleanExtra(
 SHOW_CANCEL_BUTTON, false);
 boolean hasAlternateButton = mFrp && !TextUtils.isEmpty(mFrpAlternateButtonText);
-- 
2.11.0
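Review bot: Nothing at the `new FingerprintUiHelper(...)` call explains why it takes `mUserId` while, per the commit message, the credential itself is owned by `mEffectiveUserId`. A later cleanup could merge the two fields and bring back fingerprint checks against the credential owner, which the commit message describes as incorrect. A comment above the call would pin the intent, for example `// Fingerprints are enrolled per user: authenticate against mUserId, never the credential owner.` The enclosing method starts and ends outside the hunk, so any other fingerprint gating in this fragment (whether fingerprint is permitted or disabled by policy, if such checks exist) should be confirmed to use the intended user id as well.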