FingerprintService: refresh auth id after enroll and remove.
FingerprintService maintains a field (mAuthenticatorIds) to keep track of the current authenticator ids of all users / profiles. It is queried when, for example, KeyStore generates a fingerprint-bound key.

Previously, mAuthenticatorIds was not immediately updated after finger enrollment or removal, which meant the cached authenticator id would remain outdated until the next updateActiveGroup(). Consequently, fingerprint-bound keys generated during this period would be incorrectly invalidated.

In this CL, we call updateActiveGroup() when a new fingerprint is enrolled and when all fingerprints are removed in a group. We also ensure that getAuthenticatorId() returns 0 when the calling user has no fingerprints enrolled, although the daemon returns a non-zero value.

Bug: 31692813
Test: manual
Test: CTS verifier > Security > Fingerprint Bound Keys Test
Change-Id: I07ea330ae0f662cefdbb54e164281e1185aafdd7