Improve work profile unification flow

When unifying work profile challenge, keep the device lock
as long as it will still meet password requirement after unification.
If not, prompt the user to set a new device lock and only unify
work challenge after a compliant device lock is set.

Bug: 148630506
Fix: 149682344
Test: make RunSettingsRoboTests
ROBOTEST_FILTER='ChooseLockGenericTest|ChooseLockPasswordTest|ChooseLockPatternTest|LockUnificationPreferenceControllerTest'

Change-Id: I99cde2650902927f6a4cc7c0cc7c6016e0dc283f

2 files changed, 35 insertions, 61 deletions

diff --git a/src/com/android/settings/security/LockUnificationPreferenceController.java b/src/com/android/settings/security/LockUnificationPreferenceController.java
index 4bac601cf2..9cacf8e2ec 100644
--- a/src/com/android/settings/security/LockUnificationPreferenceController.java
+++ b/src/com/android/settings/security/LockUnificationPreferenceController.java
@@ -16,7 +16,6 @@
 
 package com.android.settings.security;
 
-import static com.android.settings.security.SecuritySettings.UNIFY_LOCK_CONFIRM_DEVICE_REQUEST;
 import static com.android.settings.security.SecuritySettings.UNIFY_LOCK_CONFIRM_PROFILE_REQUEST;
 import static com.android.settings.security.SecuritySettings.UNUNIFY_LOCK_CONFIRM_DEVICE_REQUEST;
 
@@ -48,12 +47,14 @@ import com.android.settingslib.core.AbstractPreferenceController;
  * Controller for password unification/un-unification flows.
  *
  * When password is being unified, there may be two cases:
- *   1. If work password is not empty and satisfies device-wide policies (if any), it will be made
- *      into device-wide password. To do that we need both current device and profile passwords
- *      because both of them will be changed as a result.
- *   2. Otherwise device-wide password is preserved. In this case we only need current profile
- *      password, but after unifying the passwords we proceed to ask the user for a new device
- *      password.
+ *   1. If device password will satisfy device-wide policies post-unification (when password policy
+ *      set on the work challenge will be enforced on device password), the device password is
+ *      preserved while work challenge is unified. Only the current work challenge is required
+ *      in this flow.
+ *   2. Otherwise the user will need to enroll a new compliant device password before unification
+ *      takes place. In this case we first confirm the current work challenge, then guide the user
+ *      through an enrollment flow for the new device password, and finally unify the work challenge
+ *      at the very end.
  */
 public class LockUnificationPreferenceController extends AbstractPreferenceController
         implements PreferenceControllerMixin, Preference.OnPreferenceChangeListener {
@@ -73,7 +74,7 @@ public class LockUnificationPreferenceController extends AbstractPreferenceContr
 
     private LockscreenCredential mCurrentDevicePassword;
     private LockscreenCredential mCurrentProfilePassword;
-    private boolean mKeepDeviceLock;
+    private boolean mRequireNewDevicePassword;
 
     @Override
     public void displayPreference(PreferenceScreen screen) {
@@ -112,13 +113,9 @@ public class LockUnificationPreferenceController extends AbstractPreferenceContr
         }
         final boolean useOneLock = (Boolean) value;
         if (useOneLock) {
-            // Keep current device (personal) lock if the profile lock is empty or is not compliant
-            // with the policy on personal side.
-            mKeepDeviceLock =
-                    mLockPatternUtils.getKeyguardStoredPasswordQuality(mProfileUserId)
-                            < DevicePolicyManager.PASSWORD_QUALITY_SOMETHING
-                            || !mDpm.isProfileActivePasswordSufficientForParent(mProfileUserId);
-            UnificationConfirmationDialog.newInstance(!mKeepDeviceLock).show(mHost);
+            mRequireNewDevicePassword = !mDpm.isPasswordSufficientAfterProfileUnification(
+                    UserHandle.myUserId(), mProfileUserId);
+            startUnification();
         } else {
             final String title = mContext.getString(R.string.unlock_set_unlock_launch_picker_title);
             final ChooseLockSettingsHelper helper =
@@ -149,13 +146,9 @@ public class LockUnificationPreferenceController extends AbstractPreferenceContr
     public boolean handleActivityResult(int requestCode, int resultCode, Intent data) {
         if (requestCode == UNUNIFY_LOCK_CONFIRM_DEVICE_REQUEST
                 && resultCode == Activity.RESULT_OK) {
-            ununifyLocks();
-            return true;
-        } else if (requestCode == UNIFY_LOCK_CONFIRM_DEVICE_REQUEST
-                && resultCode == Activity.RESULT_OK) {
             mCurrentDevicePassword =
                     data.getParcelableExtra(ChooseLockSettingsHelper.EXTRA_KEY_PASSWORD);
-            launchConfirmProfileLock();
+            ununifyLocks();
             return true;
         } else if (requestCode == UNIFY_LOCK_CONFIRM_PROFILE_REQUEST
                 && resultCode == Activity.RESULT_OK) {
@@ -170,67 +163,44 @@ public class LockUnificationPreferenceController extends AbstractPreferenceContr
     private void ununifyLocks() {
         final Bundle extras = new Bundle();
         extras.putInt(Intent.EXTRA_USER_ID, mProfileUserId);
+        extras.putParcelable(ChooseLockSettingsHelper.EXTRA_KEY_PASSWORD, mCurrentDevicePassword);
         new SubSettingLauncher(mContext)
                 .setDestination(ChooseLockGeneric.ChooseLockGenericFragment.class.getName())
-                    .setTitleRes(R.string.lock_settings_picker_title_profile)
+                .setTitleRes(R.string.lock_settings_picker_title_profile)
                 .setSourceMetricsCategory(mHost.getMetricsCategory())
                 .setArguments(extras)
                 .launch();
     }
 
-    /** Asks the user to confirm device lock (if there is one) and proceeds to ask profile lock. */
-    private void launchConfirmDeviceAndProfileLock() {
-        final String title = mContext.getString(
-                R.string.unlock_set_unlock_launch_picker_title);
-        final ChooseLockSettingsHelper helper =
-                new ChooseLockSettingsHelper(mHost.getActivity(), mHost);
-        if (!helper.launchConfirmationActivity(
-                UNIFY_LOCK_CONFIRM_DEVICE_REQUEST, title, true, MY_USER_ID)) {
-            launchConfirmProfileLock();
-        }
-    }
-
-    private void launchConfirmProfileLock() {
+    void startUnification() {
+        // Confirm profile lock
         final String title = mContext.getString(
                 R.string.unlock_set_unlock_launch_picker_title_profile);
         final ChooseLockSettingsHelper helper =
                 new ChooseLockSettingsHelper(mHost.getActivity(), mHost);
         if (!helper.launchConfirmationActivity(
                 UNIFY_LOCK_CONFIRM_PROFILE_REQUEST, title, true, mProfileUserId)) {
+            // If profile has no lock, go straight to unification.
             unifyLocks();
             // TODO: update relevant prefs.
             // createPreferenceHierarchy();
         }
     }
 
-    void startUnification() {
-        // If the device lock stays the same, only confirm profile lock. Otherwise confirm both.
-        if (mKeepDeviceLock) {
-            launchConfirmProfileLock();
-        } else {
-            launchConfirmDeviceAndProfileLock();
-        }
-    }
-
     private void unifyLocks() {
-        if (mKeepDeviceLock) {
-            unifyKeepingDeviceLock();
-            promptForNewDeviceLock();
+        if (mRequireNewDevicePassword) {
+            promptForNewDeviceLockAndThenUnify();
         } else {
-            unifyKeepingWorkLock();
+            unifyKeepingDeviceLock();
+        }
+        if (mCurrentDevicePassword != null) {
+            mCurrentDevicePassword.zeroize();
+            mCurrentDevicePassword = null;
+        }
+        if (mCurrentProfilePassword != null) {
+            mCurrentProfilePassword.zeroize();
+            mCurrentProfilePassword = null;
         }
-        mCurrentDevicePassword = null;
-        mCurrentProfilePassword = null;
-    }
-
-    private void unifyKeepingWorkLock() {
-        mLockPatternUtils.setLockCredential(
-                mCurrentProfilePassword, mCurrentDevicePassword, MY_USER_ID);
-        mLockPatternUtils.setSeparateProfileChallengeEnabled(mProfileUserId, false,
-                mCurrentProfilePassword);
-        final boolean profilePatternVisibility =
-                mLockPatternUtils.isVisiblePatternEnabled(mProfileUserId);
-        mLockPatternUtils.setVisiblePatternEnabled(profilePatternVisibility, MY_USER_ID);
     }
 
     private void unifyKeepingDeviceLock() {
@@ -238,11 +208,16 @@ public class LockUnificationPreferenceController extends AbstractPreferenceContr
                 mCurrentProfilePassword);
     }
 
-    private void promptForNewDeviceLock() {
+    private void promptForNewDeviceLockAndThenUnify() {
+        final Bundle extras = new Bundle();
+        extras.putInt(ChooseLockSettingsHelper.EXTRA_KEY_UNIFICATION_PROFILE_ID, mProfileUserId);
+        extras.putParcelable(ChooseLockSettingsHelper.EXTRA_KEY_UNIFICATION_PROFILE_CREDENTIAL,
+                mCurrentProfilePassword);
         new SubSettingLauncher(mContext)
                 .setDestination(ChooseLockGeneric.ChooseLockGenericFragment.class.getName())
                 .setTitleRes(R.string.lock_settings_picker_title)
                 .setSourceMetricsCategory(mHost.getMetricsCategory())
+                .setArguments(extras)
                 .launch();
     }
 
diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
index effbd70dc8..c8288c6c7f 100644
--- a/src/com/android/settings/security/SecuritySettings.java
+++ b/src/com/android/settings/security/SecuritySettings.java
@@ -47,7 +47,6 @@ public class SecuritySettings extends DashboardFragment {
     private static final String WORK_PROFILE_SECURITY_CATEGORY = "security_category_profile";
 
     public static final int CHANGE_TRUST_AGENT_SETTINGS = 126;
-    public static final int UNIFY_LOCK_CONFIRM_DEVICE_REQUEST = 128;
     public static final int UNIFY_LOCK_CONFIRM_PROFILE_REQUEST = 129;
     public static final int UNUNIFY_LOCK_CONFIRM_DEVICE_REQUEST = 130;