commit 3fef1f284390a2ff7a58e0dcd56cb90bf83d2017
author Robin Lee <rgl@google.com> Tue Dec 20 14:50:13 2016 +0000
committer Robin Lee <rgl@google.com> Wed Jan 11 14:13:03 2017 +0000
tree 7e228c0844a22a67238b25d66edbc4d8be5461c2
parent 54402aab14deb9f21b0a9b451f80113ab9821b04

Bounce work challenge through a WorkLockActivity

This stops us from depending on Settings for keeping the work profile
secure. Instead that is delegated to a smaller Activity inside SystemUI
which has just two jobs:

 1) Don't let anyone see the content that's supposed to be locked.

 2) Start ConfirmCredentialsActivity (still lives in Settings for now)

Bug: 31001762
Test: //cts/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/MixedManagedProfileOwnerTest#testResetPasswordFbe
Test: //tests/PoApi/src/com/google/android/afwtest/poapi/WorkChallengeTest
Change-Id: If43820b683007a60a37edf32fb65b442a8fb709b

services/core/java/com/android/server/am/ActivityStackSupervisor.java

diff --git a/services/core/java/com/android/server/am/ActivityStackSupervisor.java b/services/core/java/com/android/server/am/ActivityStackSupervisor.java
index 8bd7c90..aeab7be 100644
--- a/services/core/java/com/android/server/am/ActivityStackSupervisor.java
+++ b/services/core/java/com/android/server/am/ActivityStackSupervisor.java
@@ -763,43 +763,51 @@
     }
 
     /**
-     * TODO: Handle freefom mode.
-     * @return true when credential confirmation is needed for the user and there is any
-     *         activity started by the user in any visible stack.
+     * Detects whether we should show a lock screen in front of this task for a locked user.
+     * <p>
+     * We'll do this if either of the following holds:
+     * <ul>
+     *   <li>The top activity explicitly belongs to {@param userId}.</li>
+     *   <li>The top activity returns a result to an activity belonging to {@param userId}.</li>
+     * </ul>
+     *
+     * @return {@code true} if the top activity looks like it belongs to {@param userId}.
      */
-    boolean isUserLockedProfile(@UserIdInt int userId) {
-        if (!mService.mUserController.shouldConfirmCredentials(userId)) {
-            return false;
-        }
-        final ActivityStack fullScreenStack = getStack(FULLSCREEN_WORKSPACE_STACK_ID);
-        final ActivityStack dockedStack = getStack(DOCKED_STACK_ID);
-        final ActivityStack[] activityStacks = new ActivityStack[] {fullScreenStack, dockedStack};
-        for (final ActivityStack activityStack : activityStacks) {
-            if (activityStack == null) {
-                continue;
-            }
-            if (activityStack.topRunningActivityLocked() == null) {
-                continue;
-            }
-            if (activityStack.getStackVisibilityLocked(null) == STACK_INVISIBLE) {
-                continue;
-            }
-            if (activityStack.isDockedStack() && mIsDockMinimized) {
-                continue;
-            }
-            final TaskRecord topTask = activityStack.topTask();
-            if (topTask == null) {
-                continue;
-            }
-            // To handle the case that work app is in the task but just is not the top one.
-            for (int i = topTask.mActivities.size() - 1; i >= 0; i--) {
-                final ActivityRecord activityRecord = topTask.mActivities.get(i);
-                if (activityRecord.userId == userId) {
-                    return true;
+    private boolean taskTopActivityIsUser(TaskRecord task, @UserIdInt int userId) {
+        // To handle the case that work app is in the task but just is not the top one.
+        final ActivityRecord activityRecord = task.getTopActivity();
+        final ActivityRecord resultTo = (activityRecord != null ? activityRecord.resultTo : null);
+
+        return (activityRecord != null && activityRecord.userId == userId)
+                || (resultTo != null && resultTo.userId == userId);
+    }
+
+    /**
+     * Find all visible task stacks containing {@param userId} and intercept them with an activity
+     * to block out the contents and possibly start a credential-confirming intent.
+     *
+     * @param userId user handle for the locked managed profile.
+     */
+    void lockAllProfileTasks(@UserIdInt int userId) {
+        mWindowManager.deferSurfaceLayout();
+        try {
+            final List<ActivityStack> stacks = getStacks();
+            for (int stackNdx = stacks.size() - 1; stackNdx >= 0; stackNdx--) {
+                final List<TaskRecord> tasks = stacks.get(stackNdx).getAllTasks();
+                for (int taskNdx = tasks.size() - 1; taskNdx >= 0; taskNdx--) {
+                    final TaskRecord task = tasks.get(taskNdx);
+
+                    // Check the task for a top activity belonging to userId, or returning a result
+                    // to an activity belonging to userId. Example case: a document picker for
+                    // personal files, opened by a work app, should still get locked.
+                    if (taskTopActivityIsUser(task, userId)) {
+                        mService.mActivityStarter.startTaskLockedActivity(task);
+                    }
                 }
             }
+        } finally {
+            mWindowManager.continueSurfaceLayout();
         }
-        return false;
     }
 
     void setNextTaskIdForUserLocked(int taskId, int userId) {