Don't unlock the work profile if it is turned off.
Test: Turn off work, lock and unlock device with PIN/password/pattern,
turn on work and now you get a screen lock prompt.
Test: runtest frameworks-services -c com.android.server.LockSettingsServiceTests
Change-Id: I0c6946af4ffb1546ffbd4d80c11fa4b8ab5555bc
diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
index 2067620..c0d1107 100644
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -957,7 +957,9 @@
// Unlock managed profile with unified lock
if (pi.isManagedProfile()
&& !mLockPatternUtils.isSeparateProfileChallengeEnabled(pi.id)
- && mStorage.hasChildProfileLock(pi.id)) {
+ && mStorage.hasChildProfileLock(pi.id)
+ && mUserManager.isUserRunning(pi.id)
+ && !mUserManager.isUserUnlocked(pi.id)) {
unlockChildProfile(pi.id);
}
}
diff --git a/services/tests/servicestests/src/com/android/server/BaseLockSettingsServiceTests.java b/services/tests/servicestests/src/com/android/server/BaseLockSettingsServiceTests.java
index a2a4019..9343449 100644
--- a/services/tests/servicestests/src/com/android/server/BaseLockSettingsServiceTests.java
+++ b/services/tests/servicestests/src/com/android/server/BaseLockSettingsServiceTests.java
@@ -53,20 +53,22 @@
import java.io.File;
import java.util.Arrays;
+import java.util.ArrayList;
public class BaseLockSettingsServiceTests extends AndroidTestCase {
protected static final int PRIMARY_USER_ID = 0;
protected static final int MANAGED_PROFILE_USER_ID = 12;
+ protected static final int TURNED_OFF_PROFILE_USER_ID = 17;
protected static final int SECONDARY_USER_ID = 20;
private static final UserInfo PRIMARY_USER_INFO = new UserInfo(PRIMARY_USER_ID, null, null,
UserInfo.FLAG_INITIALIZED | UserInfo.FLAG_ADMIN | UserInfo.FLAG_PRIMARY);
- private static final UserInfo MANAGED_PROFILE_INFO = new UserInfo(MANAGED_PROFILE_USER_ID, null,
- null, UserInfo.FLAG_INITIALIZED | UserInfo.FLAG_MANAGED_PROFILE);
private static final UserInfo SECONDARY_USER_INFO = new UserInfo(SECONDARY_USER_ID, null, null,
UserInfo.FLAG_INITIALIZED);
+ private ArrayList<UserInfo> mPrimaryUserProfiles = new ArrayList<>();
+
LockSettingsService mService;
MockLockSettingsContext mContext;
@@ -106,13 +108,12 @@
mService = new LockSettingsServiceTestable(mContext, mLockPatternUtils,
mStorage, mGateKeeperService, mKeyStore, mStorageManager, mActivityManager);
when(mUserManager.getUserInfo(eq(PRIMARY_USER_ID))).thenReturn(PRIMARY_USER_INFO);
- when(mUserManager.getProfiles(eq(PRIMARY_USER_ID))).thenReturn(Arrays.asList(
- new UserInfo[] {PRIMARY_USER_INFO, MANAGED_PROFILE_INFO}));
- when(mUserManager.getUserInfo(eq(MANAGED_PROFILE_USER_ID))).thenReturn(
- MANAGED_PROFILE_INFO);
- when(mUserManager.getProfileParent(eq(MANAGED_PROFILE_USER_ID))).thenReturn(
- PRIMARY_USER_INFO);
+ mPrimaryUserProfiles.add(PRIMARY_USER_INFO);
+ installChildProfile(MANAGED_PROFILE_USER_ID);
+ installQuietModeChildProfile(TURNED_OFF_PROFILE_USER_ID);
+ when(mUserManager.getProfiles(eq(PRIMARY_USER_ID))).thenReturn(mPrimaryUserProfiles);
when(mUserManager.getUserInfo(eq(SECONDARY_USER_ID))).thenReturn(SECONDARY_USER_INFO);
+ when(mUserManager.isUserRunning(eq(MANAGED_PROFILE_USER_ID))).thenReturn(true);
when(mActivityManager.unlockUser(anyInt(), any(), any(), any())).thenAnswer(
new Answer<Boolean>() {
@@ -132,6 +133,21 @@
new ComponentName("com.dummy.package", ".FakeDeviceOwner"));
}
+ private UserInfo installChildProfile(int profileId) {
+ final UserInfo userInfo = new UserInfo(
+ profileId, null, null, UserInfo.FLAG_INITIALIZED | UserInfo.FLAG_MANAGED_PROFILE);
+ mPrimaryUserProfiles.add(userInfo);
+ when(mUserManager.getUserInfo(eq(profileId))).thenReturn(userInfo);
+ when(mUserManager.getProfileParent(eq(profileId))).thenReturn(PRIMARY_USER_INFO);
+ return userInfo;
+ }
+
+ private UserInfo installQuietModeChildProfile(int profileId) {
+ final UserInfo userInfo = installChildProfile(profileId);
+ userInfo.flags |= UserInfo.FLAG_QUIET_MODE;
+ return userInfo;
+ }
+
@Override
protected void tearDown() throws Exception {
super.tearDown();
diff --git a/services/tests/servicestests/src/com/android/server/LockSettingsServiceTests.java b/services/tests/servicestests/src/com/android/server/LockSettingsServiceTests.java
index ae9762a..cfc3962 100644
--- a/services/tests/servicestests/src/com/android/server/LockSettingsServiceTests.java
+++ b/services/tests/servicestests/src/com/android/server/LockSettingsServiceTests.java
@@ -98,12 +98,18 @@
mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null);
final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);
+ final long turnedOffprofileSid =
+ mGateKeeperService.getSecureUserId(TURNED_OFF_PROFILE_USER_ID);
assertTrue(primarySid != 0);
assertTrue(profileSid != 0);
assertTrue(profileSid != primarySid);
+ assertTrue(turnedOffprofileSid != 0);
+ assertTrue(turnedOffprofileSid != primarySid);
+ assertTrue(turnedOffprofileSid != profileSid);
// clear auth token and wait for verify challenge from primary user to re-generate it.
mGateKeeperService.clearAuthToken(MANAGED_PROFILE_USER_ID);
+ mGateKeeperService.clearAuthToken(TURNED_OFF_PROFILE_USER_ID);
// verify credential
assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
@@ -113,6 +119,9 @@
assertNotNull(mGateKeeperService.getAuthToken(MANAGED_PROFILE_USER_ID));
assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));
+ // Verify that profile which arent't running (e.g. turn off work) don't get unlocked
+ assertNull(mGateKeeperService.getAuthToken(TURNED_OFF_PROFILE_USER_ID));
+
/* Currently in LockSettingsService.setLockCredential, unlockUser() is called with the new
* credential as part of verifyCredential() before the new credential is committed in
* StorageManager. So we relax the check in our mock StorageManager to allow that.
@@ -123,12 +132,14 @@
UnifiedPassword, PRIMARY_USER_ID);
mStorageManager.setIgnoreBadUnlock(false);
assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));
+ assertNull(mGateKeeperService.getAuthToken(TURNED_OFF_PROFILE_USER_ID));
- //Clear unified challenge
+ // Clear unified challenge
mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, UnifiedPassword,
PRIMARY_USER_ID);
assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
assertEquals(0, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));
+ assertEquals(0, mGateKeeperService.getSecureUserId(TURNED_OFF_PROFILE_USER_ID));
}
public void testManagedProfileSeparateChallenge() throws RemoteException {