• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2024 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 package android.security.authenticationpolicy;
17 
18 import static android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE;
19 import static android.security.Flags.FLAG_SECURE_LOCKDOWN;
20 
21 import android.annotation.FlaggedApi;
22 import android.annotation.IntDef;
23 import android.annotation.NonNull;
24 import android.annotation.RequiresPermission;
25 import android.annotation.SystemApi;
26 import android.annotation.SystemService;
27 import android.content.Context;
28 import android.os.RemoteException;
29 
30 import java.lang.annotation.Retention;
31 import java.lang.annotation.RetentionPolicy;
32 
33 /**
34  * AuthenticationPolicyManager is a centralized interface for managing authentication related
35  * policies on the device. This includes device locking capabilities to protect users in "at risk"
36  * environments.
37  *
38  * AuthenticationPolicyManager is designed to protect Android users by integrating with apps and
39  * key system components, such as the lock screen. It is not related to enterprise control surfaces
40  * and does not offer additional administrative controls.
41  *
42  * <p>
43  * To use this class, call {@link #enableSecureLockDevice} to enable secure lock on the device.
44  * This will require the caller to have the
45  * {@link android.Manifest.permission#MANAGE_SECURE_LOCK_DEVICE} permission.
46  *
47  * <p>
48  * To disable secure lock on the device, call {@link #disableSecureLockDevice}. This will require
49  * the caller to have the {@link android.Manifest.permission#MANAGE_SECURE_LOCK_DEVICE} permission.
50  *
51  * @hide
52  */
53 @SystemApi
54 @FlaggedApi(FLAG_SECURE_LOCKDOWN)
55 @SystemService(Context.AUTHENTICATION_POLICY_SERVICE)
56 public final class AuthenticationPolicyManager {
57     private static final String TAG = "AuthenticationPolicyManager";
58 
59     @NonNull private final IAuthenticationPolicyService mAuthenticationPolicyService;
60     @NonNull private final Context mContext;
61 
62     /**
63      * Error result code for {@link #enableSecureLockDevice} and {@link
64      * #disableSecureLockDevice}.
65      *
66      * Secure lock device request status unknown.
67      *
68      * @hide
69      */
70     @SystemApi
71     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
72     public static final int ERROR_UNKNOWN = 0;
73 
74     /**
75      * Success result code for {@link #enableSecureLockDevice} and {@link #disableSecureLockDevice}.
76      *
77      * Secure lock device request successful.
78      *
79      * @hide
80      */
81     @SystemApi
82     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
83     public static final int SUCCESS = 1;
84 
85     /**
86      * Error result code for {@link #enableSecureLockDevice} and {@link #disableSecureLockDevice}.
87      *
88      * Secure lock device is unsupported.
89      *
90      * @hide
91      */
92     @SystemApi
93     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
94     public static final int ERROR_UNSUPPORTED = 2;
95 
96 
97     /**
98      * Error result code for {@link #enableSecureLockDevice} and {@link #disableSecureLockDevice}.
99      *
100      * Invalid secure lock device request params provided.
101      *
102      * @hide
103      */
104     @SystemApi
105     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
106     public static final int ERROR_INVALID_PARAMS = 3;
107 
108 
109     /**
110      * Error result code for {@link #enableSecureLockDevice} and {@link #disableSecureLockDevice}.
111      *
112      * Secure lock device is unavailable because there are no biometrics enrolled on the device.
113      *
114      * @hide
115      */
116     @SystemApi
117     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
118     public static final int ERROR_NO_BIOMETRICS_ENROLLED = 4;
119 
120     /**
121      * Error result code for {@link #enableSecureLockDevice} and {@link #disableSecureLockDevice}.
122      *
123      * Secure lock device is unavailable because the device has no biometric hardware or the
124      * biometric sensors do not meet
125      * {@link android.hardware.biometrics.BiometricManager.Authenticators#BIOMETRIC_STRONG}
126      *
127      * @hide
128      */
129     @SystemApi
130     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
131     public static final int ERROR_INSUFFICIENT_BIOMETRICS = 5;
132 
133     /**
134      * Error result code for {@link #enableSecureLockDevice}.
135      *
136      * Secure lock is already enabled.
137      *
138      * @hide
139      */
140     @SystemApi
141     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
142     public static final int ERROR_ALREADY_ENABLED = 6;
143 
144     /**
145      * Communicates the current status of a request to enable secure lock on the device.
146      *
147      * @hide
148      */
149     @IntDef(prefix = {"ENABLE_SECURE_LOCK_DEVICE_STATUS_"}, value = {
150             ERROR_UNKNOWN,
151             SUCCESS,
152             ERROR_UNSUPPORTED,
153             ERROR_INVALID_PARAMS,
154             ERROR_NO_BIOMETRICS_ENROLLED,
155             ERROR_INSUFFICIENT_BIOMETRICS,
156             ERROR_ALREADY_ENABLED
157     })
158     @Retention(RetentionPolicy.SOURCE)
159     public @interface EnableSecureLockDeviceRequestStatus {}
160 
161     /**
162      * Communicates the current status of a request to disable secure lock on the device.
163      *
164      * @hide
165      */
166     @IntDef(prefix = {"DISABLE_SECURE_LOCK_DEVICE_STATUS_"}, value = {
167             ERROR_UNKNOWN,
168             SUCCESS,
169             ERROR_UNSUPPORTED,
170             ERROR_INVALID_PARAMS,
171     })
172     @Retention(RetentionPolicy.SOURCE)
173     public @interface DisableSecureLockDeviceRequestStatus {}
174 
175     /** @hide */
AuthenticationPolicyManager(@onNull Context context, @NonNull IAuthenticationPolicyService authenticationPolicyService)176     public AuthenticationPolicyManager(@NonNull Context context,
177             @NonNull IAuthenticationPolicyService authenticationPolicyService) {
178         mContext = context;
179         mAuthenticationPolicyService = authenticationPolicyService;
180     }
181 
182     /**
183      * Called by a privileged component to remotely enable secure lock on the device.
184      *
185      * Secure lock is an enhanced security state that restricts access to sensitive data (app
186      * notifications, widgets, quick settings, assistant, etc) and requires multi-factor
187      * authentication for device entry, such as
188      * {@link android.hardware.biometrics.BiometricManager.Authenticators#DEVICE_CREDENTIAL} and
189      * {@link android.hardware.biometrics.BiometricManager.Authenticators#BIOMETRIC_STRONG}.
190      *
191      * If secure lock is already enabled when this method is called, it will return
192      * {@link ERROR_ALREADY_ENABLED}.
193      *
194      * @param params EnableSecureLockDeviceParams for caller to supply params related to the secure
195      *               lock device request
196      * @return @EnableSecureLockDeviceRequestStatus int indicating the result of the secure lock
197      * device request
198      *
199      * @hide
200      */
201     @EnableSecureLockDeviceRequestStatus
202     @RequiresPermission(MANAGE_SECURE_LOCK_DEVICE)
203     @SystemApi
204     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
enableSecureLockDevice(@onNull EnableSecureLockDeviceParams params)205     public int enableSecureLockDevice(@NonNull EnableSecureLockDeviceParams params) {
206         try {
207             return mAuthenticationPolicyService.enableSecureLockDevice(params);
208         } catch (RemoteException e) {
209             throw e.rethrowFromSystemServer();
210         }
211     }
212 
213     /**
214      * Called by a privileged component to disable secure lock on the device.
215      *
216      * If secure lock is already disabled when this method is called, it will return
217      * {@link SUCCESS}.
218      *
219      * @param params @DisableSecureLockDeviceParams for caller to supply params related to the
220      *               secure lock device request
221      * @return @DisableSecureLockDeviceRequestStatus int indicating the result of the secure lock
222      * device request
223      *
224      * @hide
225      */
226     @DisableSecureLockDeviceRequestStatus
227     @RequiresPermission(MANAGE_SECURE_LOCK_DEVICE)
228     @SystemApi
229     @FlaggedApi(FLAG_SECURE_LOCKDOWN)
disableSecureLockDevice(@onNull DisableSecureLockDeviceParams params)230     public int disableSecureLockDevice(@NonNull DisableSecureLockDeviceParams params) {
231         try {
232             return mAuthenticationPolicyService.disableSecureLockDevice(params);
233         } catch (RemoteException e) {
234             throw e.rethrowFromSystemServer();
235         }
236     }
237 }
238