1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License 15 */ 16 17 package android.app.trust; 18 19 import android.Manifest; 20 import android.annotation.RequiresPermission; 21 import android.annotation.SdkConstant; 22 import android.annotation.SystemService; 23 import android.compat.annotation.UnsupportedAppUsage; 24 import android.content.Context; 25 import android.hardware.biometrics.BiometricSourceType; 26 import android.os.Bundle; 27 import android.os.Handler; 28 import android.os.IBinder; 29 import android.os.Looper; 30 import android.os.Message; 31 import android.os.RemoteException; 32 import android.util.ArrayMap; 33 34 import com.android.internal.policy.IDeviceLockedStateListener; 35 36 import java.util.ArrayList; 37 import java.util.List; 38 39 /** 40 * See {@link com.android.server.trust.TrustManagerService} 41 * @hide 42 */ 43 @SystemService(Context.TRUST_SERVICE) 44 public class TrustManager { 45 46 /** 47 * Intent action used to identify services that can serve as significant providers. 48 * 49 * @hide 50 */ 51 @SdkConstant(SdkConstant.SdkConstantType.SERVICE_ACTION) 52 public static final String ACTION_BIND_SIGNIFICANT_PLACE_PROVIDER = 53 "com.android.trust.provider.SignificantPlaceProvider.BIND"; 54 55 private static final int MSG_TRUST_CHANGED = 1; 56 private static final int MSG_TRUST_MANAGED_CHANGED = 2; 57 private static final int MSG_TRUST_ERROR = 3; 58 private static final int MSG_ENABLED_TRUST_AGENTS_CHANGED = 4; 59 private static final int MSG_IS_ACTIVE_UNLOCK_RUNNING = 5; 60 61 private static final String TAG = "TrustManager"; 62 private static final String DATA_FLAGS = "initiatedByUser"; 63 private static final String DATA_NEWLY_UNLOCKED = "newlyUnlocked"; 64 private static final String DATA_MESSAGE = "message"; 65 private static final String DATA_GRANTED_MESSAGES = "grantedMessages"; 66 67 private final ITrustManager mService; 68 private final ArrayMap<TrustListener, ITrustListener> mTrustListeners; 69 TrustManager(IBinder b)70 public TrustManager(IBinder b) { 71 mService = ITrustManager.Stub.asInterface(b); 72 mTrustListeners = new ArrayMap<TrustListener, ITrustListener>(); 73 } 74 75 /** 76 * Changes the lock status for the given user. This is only applicable to Managed Profiles, 77 * other users should be handled by Keyguard. 78 * 79 * @param userId The id for the user to be locked/unlocked. 80 * @param locked The value for that user's locked state. 81 */ 82 @RequiresPermission(Manifest.permission.ACCESS_KEYGUARD_SECURE_STORAGE) setDeviceLockedForUser(int userId, boolean locked)83 public void setDeviceLockedForUser(int userId, boolean locked) { 84 try { 85 mService.setDeviceLockedForUser(userId, locked); 86 } catch (RemoteException e) { 87 throw e.rethrowFromSystemServer(); 88 } 89 } 90 91 /** 92 * Reports that user {@param userId} has tried to unlock the device. 93 * 94 * @param successful if true, the unlock attempt was successful. 95 * 96 * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission. 97 */ 98 @UnsupportedAppUsage reportUnlockAttempt(boolean successful, int userId)99 public void reportUnlockAttempt(boolean successful, int userId) { 100 try { 101 mService.reportUnlockAttempt(successful, userId); 102 } catch (RemoteException e) { 103 throw e.rethrowFromSystemServer(); 104 } 105 } 106 107 /** 108 * Reports that the user {@code userId} is likely interested in unlocking the device. 109 * 110 * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission. 111 * 112 * @param dismissKeyguard whether the user wants to dismiss keyguard 113 */ reportUserRequestedUnlock(int userId, boolean dismissKeyguard)114 public void reportUserRequestedUnlock(int userId, boolean dismissKeyguard) { 115 try { 116 mService.reportUserRequestedUnlock(userId, dismissKeyguard); 117 } catch (RemoteException e) { 118 throw e.rethrowFromSystemServer(); 119 } 120 } 121 122 /** 123 * Reports that the user {@code userId} may want to unlock the device soon. 124 * 125 * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission. 126 */ reportUserMayRequestUnlock(int userId)127 public void reportUserMayRequestUnlock(int userId) { 128 try { 129 mService.reportUserMayRequestUnlock(userId); 130 } catch (RemoteException e) { 131 throw e.rethrowFromSystemServer(); 132 } 133 } 134 135 /** 136 * Reports that user {@param userId} has entered a temporary device lockout. 137 * 138 * This generally occurs when the user has unsuccessfully tried to unlock the device too many 139 * times. The user will then be unable to unlock the device until a set amount of time has 140 * elapsed. 141 * 142 * @param timeout The amount of time that needs to elapse, in milliseconds, until the user may 143 * attempt to unlock the device again. 144 * 145 * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission. 146 */ reportUnlockLockout(int timeoutMs, int userId)147 public void reportUnlockLockout(int timeoutMs, int userId) { 148 try { 149 mService.reportUnlockLockout(timeoutMs, userId); 150 } catch (RemoteException e) { 151 throw e.rethrowFromSystemServer(); 152 } 153 } 154 155 /** 156 * Reports that the list of enabled trust agents changed for user {@param userId}. 157 * 158 * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission. 159 */ reportEnabledTrustAgentsChanged(int userId)160 public void reportEnabledTrustAgentsChanged(int userId) { 161 try { 162 mService.reportEnabledTrustAgentsChanged(userId); 163 } catch (RemoteException e) { 164 throw e.rethrowFromSystemServer(); 165 } 166 } 167 168 /** 169 * Reports that the visibility of the keyguard has changed. 170 * 171 * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission. 172 */ reportKeyguardShowingChanged()173 public void reportKeyguardShowingChanged() { 174 try { 175 mService.reportKeyguardShowingChanged(); 176 } catch (RemoteException e) { 177 throw e.rethrowFromSystemServer(); 178 } 179 } 180 181 /** 182 * Returns whether active unlock can be used to unlock the device for user {@code userId}. 183 */ isActiveUnlockRunning(int userId)184 public boolean isActiveUnlockRunning(int userId) { 185 try { 186 return mService.isActiveUnlockRunning(userId); 187 } catch (RemoteException e) { 188 throw e.rethrowFromSystemServer(); 189 } 190 } 191 192 /** 193 * Registers a listener for trust events. 194 * 195 * Requires the {@link android.Manifest.permission#TRUST_LISTENER} permission. 196 */ registerTrustListener(final TrustListener trustListener)197 public void registerTrustListener(final TrustListener trustListener) { 198 try { 199 ITrustListener.Stub iTrustListener = new ITrustListener.Stub() { 200 @Override 201 public void onTrustChanged(boolean enabled, boolean newlyUnlocked, int userId, 202 int flags, List<String> trustGrantedMessages) { 203 Message m = mHandler.obtainMessage(MSG_TRUST_CHANGED, (enabled ? 1 : 0), userId, 204 trustListener); 205 if (flags != 0) { 206 m.getData().putInt(DATA_FLAGS, flags); 207 } 208 m.getData().putInt(DATA_NEWLY_UNLOCKED, newlyUnlocked ? 1 : 0); 209 m.getData().putCharSequenceArrayList( 210 DATA_GRANTED_MESSAGES, (ArrayList) trustGrantedMessages); 211 m.sendToTarget(); 212 } 213 214 @Override 215 public void onEnabledTrustAgentsChanged(int userId) { 216 final Message m = mHandler.obtainMessage(MSG_ENABLED_TRUST_AGENTS_CHANGED, 217 userId, 0, trustListener); 218 m.sendToTarget(); 219 } 220 221 @Override 222 public void onTrustManagedChanged(boolean managed, int userId) { 223 mHandler.obtainMessage(MSG_TRUST_MANAGED_CHANGED, (managed ? 1 : 0), userId, 224 trustListener).sendToTarget(); 225 } 226 227 @Override 228 public void onTrustError(CharSequence message) { 229 Message m = mHandler.obtainMessage(MSG_TRUST_ERROR, trustListener); 230 m.getData().putCharSequence(DATA_MESSAGE, message); 231 m.sendToTarget(); 232 } 233 234 @Override 235 public void onIsActiveUnlockRunningChanged(boolean isRunning, int userId) { 236 mHandler.obtainMessage(MSG_IS_ACTIVE_UNLOCK_RUNNING, 237 (isRunning ? 1 : 0), userId, trustListener).sendToTarget(); 238 } 239 }; 240 mService.registerTrustListener(iTrustListener); 241 mTrustListeners.put(trustListener, iTrustListener); 242 } catch (RemoteException e) { 243 throw e.rethrowFromSystemServer(); 244 } 245 } 246 247 /** 248 * Unregisters a listener for trust events. 249 * 250 * Requires the {@link android.Manifest.permission#TRUST_LISTENER} permission. 251 */ unregisterTrustListener(final TrustListener trustListener)252 public void unregisterTrustListener(final TrustListener trustListener) { 253 ITrustListener iTrustListener = mTrustListeners.remove(trustListener); 254 if (iTrustListener != null) { 255 try { 256 mService.unregisterTrustListener(iTrustListener); 257 } catch (RemoteException e) { 258 throw e.rethrowFromSystemServer(); 259 } 260 } 261 } 262 263 /** 264 * Registers a listener for device lock state events. 265 * 266 * Requires the {@link android.Manifest.permission#SUBSCRIBE_TO_KEYGUARD_LOCKED_STATE} 267 * permission. 268 */ registerDeviceLockedStateListener(final IDeviceLockedStateListener listener, int deviceId)269 public void registerDeviceLockedStateListener(final IDeviceLockedStateListener listener, 270 int deviceId) { 271 try { 272 mService.registerDeviceLockedStateListener(listener, deviceId); 273 } catch (RemoteException e) { 274 throw e.rethrowFromSystemServer(); 275 } 276 } 277 278 /** 279 * Unregisters a listener for device lock state events. 280 * 281 * Requires the {@link android.Manifest.permission#SUBSCRIBE_TO_KEYGUARD_LOCKED_STATE} 282 * permission. 283 */ unregisterDeviceLockedStateListener(final IDeviceLockedStateListener listener)284 public void unregisterDeviceLockedStateListener(final IDeviceLockedStateListener listener) { 285 try { 286 mService.unregisterDeviceLockedStateListener(listener); 287 } catch (RemoteException e) { 288 throw e.rethrowFromSystemServer(); 289 } 290 } 291 292 /** 293 * @return whether {@param userId} has enabled and configured trust agents. Ignores short-term 294 * unavailability of trust due to {@link LockPatternUtils.StrongAuthTracker}. 295 */ 296 @RequiresPermission(android.Manifest.permission.TRUST_LISTENER) isTrustUsuallyManaged(int userId)297 public boolean isTrustUsuallyManaged(int userId) { 298 try { 299 return mService.isTrustUsuallyManaged(userId); 300 } catch (RemoteException e) { 301 throw e.rethrowFromSystemServer(); 302 } 303 } 304 305 /** 306 * Updates the trust state for the user due to the user unlocking via a biometric sensor. 307 * Should only be called if user authenticated via fingerprint, face, or iris and bouncer 308 * can be skipped. 309 * 310 * @param userId 311 */ 312 @RequiresPermission(Manifest.permission.ACCESS_KEYGUARD_SECURE_STORAGE) unlockedByBiometricForUser(int userId, BiometricSourceType source)313 public void unlockedByBiometricForUser(int userId, BiometricSourceType source) { 314 try { 315 mService.unlockedByBiometricForUser(userId, source); 316 } catch (RemoteException e) { 317 throw e.rethrowFromSystemServer(); 318 } 319 } 320 321 /** 322 * Clears authentication by the specified biometric type for all users. 323 */ 324 @RequiresPermission(Manifest.permission.ACCESS_KEYGUARD_SECURE_STORAGE) clearAllBiometricRecognized(BiometricSourceType source, int unlockedUser)325 public void clearAllBiometricRecognized(BiometricSourceType source, int unlockedUser) { 326 try { 327 mService.clearAllBiometricRecognized(source, unlockedUser); 328 } catch (RemoteException e) { 329 throw e.rethrowFromSystemServer(); 330 } 331 } 332 333 /** 334 * Returns true if the device is currently in a significant place, and false in all other 335 * circumstances. 336 * 337 * @hide 338 */ 339 @RequiresPermission(Manifest.permission.ACCESS_FINE_LOCATION) isInSignificantPlace()340 public boolean isInSignificantPlace() { 341 try { 342 return mService.isInSignificantPlace(); 343 } catch (RemoteException e) { 344 throw e.rethrowFromSystemServer(); 345 } 346 } 347 348 private final Handler mHandler = new Handler(Looper.getMainLooper()) { 349 @Override 350 public void handleMessage(Message msg) { 351 switch(msg.what) { 352 case MSG_TRUST_CHANGED: 353 Bundle data = msg.peekData(); 354 int flags = data != null ? data.getInt(DATA_FLAGS) : 0; 355 boolean enabled = msg.arg1 != 0; 356 int newlyUnlockedInt = 357 data != null ? data.getInt(DATA_NEWLY_UNLOCKED) : 0; 358 boolean newlyUnlocked = newlyUnlockedInt != 0; 359 ((TrustListener) msg.obj).onTrustChanged(enabled, newlyUnlocked, msg.arg2, 360 flags, msg.getData().getStringArrayList(DATA_GRANTED_MESSAGES)); 361 break; 362 case MSG_TRUST_MANAGED_CHANGED: 363 ((TrustListener)msg.obj).onTrustManagedChanged(msg.arg1 != 0, msg.arg2); 364 break; 365 case MSG_TRUST_ERROR: 366 final CharSequence message = msg.peekData().getCharSequence(DATA_MESSAGE); 367 ((TrustListener) msg.obj).onTrustError(message); 368 break; 369 case MSG_ENABLED_TRUST_AGENTS_CHANGED: 370 ((TrustListener) msg.obj).onEnabledTrustAgentsChanged(msg.arg1); 371 break; 372 case MSG_IS_ACTIVE_UNLOCK_RUNNING: 373 ((TrustListener) msg.obj) 374 .onIsActiveUnlockRunningChanged(msg.arg1 != 0, msg.arg2); 375 break; 376 } 377 } 378 }; 379 380 public interface TrustListener { 381 382 /** 383 * Reports that the trust state has changed. 384 * @param enabled If true, the system believes the environment to be trusted. 385 * @param newlyUnlocked If true, the system believes the device is newly unlocked due 386 * to the trust changing. 387 * @param userId The user, for which the trust changed. 388 * @param flags Flags specified by the trust agent when granting trust. See 389 * {@link android.service.trust.TrustAgentService#grantTrust(CharSequence, long, int) 390 * TrustAgentService.grantTrust(CharSequence, long, int)}. 391 * @param trustGrantedMessages Messages to display to the user when trust has been granted 392 * by one or more trust agents. 393 */ onTrustChanged(boolean enabled, boolean newlyUnlocked, int userId, int flags, List<String> trustGrantedMessages)394 void onTrustChanged(boolean enabled, boolean newlyUnlocked, int userId, int flags, 395 List<String> trustGrantedMessages); 396 397 /** 398 * Reports that whether trust is managed has changed 399 * @param enabled If true, at least one trust agent is managing trust. 400 * @param userId The user, for which the state changed. 401 */ onTrustManagedChanged(boolean enabled, int userId)402 void onTrustManagedChanged(boolean enabled, int userId); 403 404 /** 405 * Reports that an error happened on a TrustAgentService. 406 * @param message A message that should be displayed on the UI. 407 */ onTrustError(CharSequence message)408 void onTrustError(CharSequence message); 409 410 /** 411 * Reports that the enabled trust agents for the specified user has changed. 412 */ onEnabledTrustAgentsChanged(int userId)413 void onEnabledTrustAgentsChanged(int userId); 414 415 /** 416 * Reports changes on if the device can be unlocked with active unlock. 417 * @param isRunning If true, the device can be unlocked with active unlock. 418 * @param userId The user, for which the state changed. 419 */ onIsActiveUnlockRunningChanged(boolean isRunning, int userId)420 void onIsActiveUnlockRunningChanged(boolean isRunning, int userId); 421 } 422 } 423