Merge "Introduce DISALLOW_UNIFIED_PASSWORD."

api/current.txt

@@ -6418,6 +6418,7 @@ package android.app.admin {
     method public boolean isResetPasswordTokenActive(android.content.ComponentName);
     method public boolean isSecurityLoggingEnabled(android.content.ComponentName);
     method public boolean isUninstallBlocked(android.content.ComponentName, java.lang.String);
+    method public boolean isUsingUnifiedPassword(android.content.ComponentName);
     method public void lockNow();
     method public void lockNow(int);
     method public boolean logoutUser(android.content.ComponentName);
@@ -32124,6 +32125,7 @@ package android.os {
     field public static final java.lang.String DISALLOW_SHARE_LOCATION = "no_share_location";
     field public static final java.lang.String DISALLOW_SMS = "no_sms";
     field public static final java.lang.String DISALLOW_SYSTEM_ERROR_DIALOGS = "no_system_error_dialogs";
+    field public static final java.lang.String DISALLOW_UNIFIED_PASSWORD = "no_unified_password";
     field public static final java.lang.String DISALLOW_UNINSTALL_APPS = "no_uninstall_apps";
     field public static final java.lang.String DISALLOW_UNMUTE_MICROPHONE = "no_unmute_microphone";
     field public static final java.lang.String DISALLOW_USB_FILE_TRANSFER = "no_usb_file_transfer";

core/java/android/app/admin/DevicePolicyManager.java

@@ -2664,6 +2664,28 @@ public class DevicePolicyManager {
         return false;
     }
 
+    /**
+     * When called by a profile owner of a managed profile returns true if the profile uses unified
+     * challenge with its parent user.
+     *
+     * <strong>Note: This method is not concerned with password quality and will return false if
+     * the profile has empty password as a separate challenge.
+     *
+     * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
+     * @throws SecurityException if {@code admin} is not a profile owner of a managed profile.
+     * @see UserManager#DISALLOW_UNIFIED_PASSWORD
+     */
+    public boolean isUsingUnifiedPassword(@NonNull ComponentName admin) {
+        if (mService != null) {
+            try {
+                return mService.isUsingUnifiedPassword(admin);
+            } catch (RemoteException e) {
+                throw e.rethrowFromSystemServer();
+            }
+        }
+        return true;
+    }
+
     /**
      * Determine whether the current profile password the user has set is sufficient
      * to meet the policy requirements (e.g. quality, minimum length) that have been

core/java/android/app/admin/IDevicePolicyManager.aidl

@@ -80,6 +80,7 @@ interface IDevicePolicyManager {
 
     boolean isActivePasswordSufficient(int userHandle, boolean parent);
     boolean isProfileActivePasswordSufficientForParent(int userHandle);
+    boolean isUsingUnifiedPassword(in ComponentName admin);
     int getCurrentFailedPasswordAttempts(int userHandle, boolean parent);
     int getProfileWithMinimumFailedPasswordsForWipe(int userHandle, boolean parent);
 

core/java/android/os/UserManager.java

@@ -773,6 +773,25 @@ public class UserManager {
     @SystemApi
     public static final String DISALLOW_OEM_UNLOCK = "no_oem_unlock";
 
+    /**
+     * Specifies that the managed profile is not allowed to have unified lock screen challenge with
+     * the primary user.
+     *
+     * <p><strong>Note:</strong> Setting this restriction alone doesn't automatically set a
+     * separate challenge. Profile owner can ask the user to set a new password using
+     * {@link DevicePolicyManager#ACTION_SET_NEW_PASSWORD} and verify it using
+     * {@link DevicePolicyManager#isUsingUnifiedPassword(ComponentName)}.
+     *
+     * <p>Can be set by profile owners. It only has effect on managed profiles when set by managed
+     * profile owner. Has no effect on non-managed profiles or users.
+     * <p>Key for user restrictions.
+     * <p>Type: Boolean
+     * @see DevicePolicyManager#addUserRestriction(ComponentName, String)
+     * @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
+     * @see #getUserRestrictions()
+     */
+    public static final String DISALLOW_UNIFIED_PASSWORD = "no_unified_password";
+
     /**
      * Allows apps in the parent profile to handle web links from the managed profile.
      *

core/java/com/android/internal/widget/LockPatternUtils.java

@@ -27,7 +27,6 @@ import android.content.ContentResolver;
 import android.content.Context;
 import android.content.pm.UserInfo;
 import android.os.AsyncTask;
-import android.os.Build;
 import android.os.Handler;
 import android.os.IBinder;
 import android.os.Looper;
@@ -35,7 +34,6 @@ import android.os.Message;
 import android.os.RemoteException;
 import android.os.ServiceManager;
 import android.os.SystemClock;
-import android.os.SystemProperties;
 import android.os.UserHandle;
 import android.os.UserManager;
 import android.os.storage.IStorageManager;
@@ -964,9 +962,12 @@ public class LockPatternUtils {
 
     /**
      * Retrieves whether the current profile and device locks can be unified.
+     * @param userHandle profile user handle.
      */
     public boolean isSeparateProfileChallengeAllowedToUnify(int userHandle) {
-        return getDevicePolicyManager().isProfileActivePasswordSufficientForParent(userHandle);
+        return getDevicePolicyManager().isProfileActivePasswordSufficientForParent(userHandle)
+                && !getUserManager().hasUserRestriction(
+                        UserManager.DISALLOW_UNIFIED_PASSWORD, UserHandle.of(userHandle));
     }
 
     private boolean hasSeparateChallenge(int userHandle) {

services/core/java/com/android/server/pm/UserRestrictionsUtils.java

@@ -113,7 +113,8 @@ public class UserRestrictionsUtils {
             UserManager.DISALLOW_OEM_UNLOCK,
             UserManager.DISALLOW_UNMUTE_DEVICE,
             UserManager.DISALLOW_AUTOFILL,
-            UserManager.DISALLOW_USER_SWITCH
+            UserManager.DISALLOW_USER_SWITCH,
+            UserManager.DISALLOW_UNIFIED_PASSWORD,
     });
 
     /**
@@ -192,7 +193,7 @@ public class UserRestrictionsUtils {
             UserManager.DISALLOW_BLUETOOTH_SHARING
     );
 
-    /*
+    /**
      * Special user restrictions that are always applied to all users no matter who sets them.
      */
     private static final Set<String> PROFILE_GLOBAL_RESTRICTIONS = Sets.newArraySet(

services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java

@@ -62,8 +62,13 @@ abstract class BaseIDevicePolicyManager extends IDevicePolicyManager.Stub {
     public void setSystemSetting(ComponentName who, String setting, String value){}
 
     public void transferOwner(ComponentName admin, ComponentName target, PersistableBundle bundle) {}
+
     public boolean generateKeyPair(ComponentName who, String callerPackage, String algorithm,
             ParcelableKeyGenParameterSpec keySpec, KeymasterCertificateChain attestationChain) {
         return false;
     }
+
+    public boolean isUsingUnifiedPassword(ComponentName who) {
+        return true;
+    }
 }

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

@@ -4081,6 +4081,17 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
         }
     }
 
+    @Override
+    public boolean isUsingUnifiedPassword(ComponentName admin) {
+        if (!mHasFeature) {
+            return true;
+        }
+        final int userId = mInjector.userHandleGetCallingUserId();
+        enforceProfileOrDeviceOwner(admin);
+        enforceManagedProfile(userId, "query unified challenge status");
+        return !isSeparateProfileChallengeEnabled(userId);
+    }
+
     @Override
     public boolean isProfileActivePasswordSufficientForParent(int userHandle) {
         if (!mHasFeature) {