Skip to content
Commit ea925cf0 authored by Haining Chen's avatar Haining Chen
Browse files

Unset StrongAuthFlags when unlocking a user profile 

Currently the full user (e.g. userId 0) is required to enter device
credential (e.g. device PIN/pattern/password) to unlock the device in
certain cases as specified by StrongAuthFlags (e.g. the user has
triggered lockdown). After successfully verify the device credential,
StrongAuthFlags for the full user will be set back to
STRONG_AUTH_NOT_REQUIRED. This may or may not clear StrongAuthFlags for
a profile of the user, depending on whether the profile has a separate
or unified lock.

Case #1: the profile has a seprate lock. In this case, the user will
need to enter the device credential on lockscreen to unlock the device,
and then enter the different profile lock to unlock the profile.
StrongAuthFlags for the profile will only be cleared after successfully
verifying the profile lock.

Case #2: the profile has a unified lock. Currently in this case,
StrongAuthFlags for the profile doesn't get cleared properly after the
user verifies the device credential on lockscreen and unpauses the
profile. For example, if the user triggers lockdown and later enters the
device credential to unlock the device, StrongAuthFlags for the full
user gets cleared (so the full user exits lockdown) while
StrongAuthFlags for the profile doesn't get cleared (so the profile
remains in lockdown), and thus notifications for the profile won't be
shown properly.

This CL fixes the issue above for the case #2. The user will only need
to enter the device credential on lockscreen once to unlock the device.
If the profile is already unpaused, at this point StrongAuthFlags
should already be cleared; otherwise, StrongAuthFlags will be cleared
after the user unpauses the profile (but without having to enter any
lock again since the profile uses a unified lock).

Test: (1) Set up a profile (e.g. a managed profile) with a unified lock.
      (2) Trigger the lockdown mode on lockscreen, and verify that
      StrongAuthFlags for the full user and the profile are both set
      properly, via "adb shell dumpsys lock_settings".
      (3) Enter the device credential on lockscreen for the full user,
      and verify that StrongAuthFlags for the full user is unset.
      StrongAuthFlags for the profile should also be cleared at this
      point if the profile was unpaused already before lockdown;
      otherwise
      (4) Unpause the profile and verify that StrongAuthFlags for the
      profile is cleared.

Fix: 176924824
Bug: 173721373
Change-Id: Ic466fc22a5be9047d39194ad42c56dc4a2acb4dc
parent 81a6dbd3
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment