1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
|
/*
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.app.admin;
import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT;
import static org.xmlpull.v1.XmlPullParser.END_TAG;
import static org.xmlpull.v1.XmlPullParser.TEXT;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.content.ComponentName;
import android.os.Parcel;
import android.os.Parcelable;
import android.util.IndentingPrintWriter;
import android.util.Log;
import android.util.TypedXmlPullParser;
import android.util.TypedXmlSerializer;
import org.xmlpull.v1.XmlPullParserException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
/**
* The factory reset protection policy determines which accounts can unlock a device that
* has gone through untrusted factory reset.
* <p>
* Only a device owner or profile owner of an organization-owned device can set a factory
* reset protection policy for the device by calling the {@code DevicePolicyManager} method
* {@link DevicePolicyManager#setFactoryResetProtectionPolicy(ComponentName,
* FactoryResetProtectionPolicy)}}.
* <p>
* Normally factory reset protection does not kick in if the device is factory reset via Settings.
* This is also the case when a device owner sets factory reset protection policy. However,
* when a profile owner of an organization-owned device sets factory reset protection policy that
* locks the device to specific accounts, the policy will take effect even if factory reset is
* performed from Settings.
*
* @see DevicePolicyManager#setFactoryResetProtectionPolicy
* @see DevicePolicyManager#getFactoryResetProtectionPolicy
*/
public final class FactoryResetProtectionPolicy implements Parcelable {
private static final String LOG_TAG = "FactoryResetProtectionPolicy";
private static final String KEY_FACTORY_RESET_PROTECTION_ACCOUNT =
"factory_reset_protection_account";
private static final String KEY_FACTORY_RESET_PROTECTION_ENABLED =
"factory_reset_protection_enabled";
private static final String ATTR_VALUE = "value";
private final List<String> mFactoryResetProtectionAccounts;
private final boolean mFactoryResetProtectionEnabled;
private FactoryResetProtectionPolicy(List<String> factoryResetProtectionAccounts,
boolean factoryResetProtectionEnabled) {
mFactoryResetProtectionAccounts = factoryResetProtectionAccounts;
mFactoryResetProtectionEnabled = factoryResetProtectionEnabled;
}
/**
* Get the list of accounts that can provision a device which has been factory reset.
*/
public @NonNull List<String> getFactoryResetProtectionAccounts() {
return mFactoryResetProtectionAccounts;
}
/**
* Return whether factory reset protection for the device is enabled or not.
*/
public boolean isFactoryResetProtectionEnabled() {
return mFactoryResetProtectionEnabled;
}
/**
* Builder class for {@link FactoryResetProtectionPolicy} objects.
*/
public static class Builder {
private List<String> mFactoryResetProtectionAccounts;
private boolean mFactoryResetProtectionEnabled;
/**
* Initialize a new Builder to construct a {@link FactoryResetProtectionPolicy}.
*/
public Builder() {
mFactoryResetProtectionEnabled = true;
};
/**
* Sets which accounts can unlock a device that has been factory reset.
* <p>
* Once set, the consumer unlock flow will be disabled and only accounts in this list
* can unlock factory reset protection after untrusted factory reset.
* <p>
* It's up to the FRP management agent to interpret the {@code String} as account it
* supports. Please consult their relevant documentation for details.
*
* @param factoryResetProtectionAccounts list of accounts.
* @return the same Builder instance.
*/
@NonNull
public Builder setFactoryResetProtectionAccounts(
@NonNull List<String> factoryResetProtectionAccounts) {
mFactoryResetProtectionAccounts = new ArrayList<>(factoryResetProtectionAccounts);
return this;
}
/**
* Sets whether factory reset protection is enabled or not.
* <p>
* Once disabled, factory reset protection will not kick in all together when the device
* goes through untrusted factory reset. This applies to both the consumer unlock flow and
* the admin account overrides via {@link #setFactoryResetProtectionAccounts}. By default,
* factory reset protection is enabled.
*
* @param factoryResetProtectionEnabled Whether the policy is enabled or not.
* @return the same Builder instance.
*/
@NonNull
public Builder setFactoryResetProtectionEnabled(boolean factoryResetProtectionEnabled) {
mFactoryResetProtectionEnabled = factoryResetProtectionEnabled;
return this;
}
/**
* Combines all of the attributes that have been set on this {@code Builder}
*
* @return a new {@link FactoryResetProtectionPolicy} object.
*/
@NonNull
public FactoryResetProtectionPolicy build() {
return new FactoryResetProtectionPolicy(mFactoryResetProtectionAccounts,
mFactoryResetProtectionEnabled);
}
}
@Override
public String toString() {
return "FactoryResetProtectionPolicy{"
+ "mFactoryResetProtectionAccounts=" + mFactoryResetProtectionAccounts
+ ", mFactoryResetProtectionEnabled=" + mFactoryResetProtectionEnabled
+ '}';
}
@Override
public void writeToParcel(@NonNull Parcel dest, @Nullable int flags) {
int accountsCount = mFactoryResetProtectionAccounts.size();
dest.writeInt(accountsCount);
for (String account: mFactoryResetProtectionAccounts) {
dest.writeString(account);
}
dest.writeBoolean(mFactoryResetProtectionEnabled);
}
@Override
public int describeContents() {
return 0;
}
public static final @NonNull Creator<FactoryResetProtectionPolicy> CREATOR =
new Creator<FactoryResetProtectionPolicy>() {
@Override
public FactoryResetProtectionPolicy createFromParcel(Parcel in) {
List<String> factoryResetProtectionAccounts = new ArrayList<>();
int accountsCount = in.readInt();
for (int i = 0; i < accountsCount; i++) {
factoryResetProtectionAccounts.add(in.readString());
}
boolean factoryResetProtectionEnabled = in.readBoolean();
return new FactoryResetProtectionPolicy(factoryResetProtectionAccounts,
factoryResetProtectionEnabled);
}
@Override
public FactoryResetProtectionPolicy[] newArray(int size) {
return new FactoryResetProtectionPolicy[size];
}
};
/**
* Restore a previously saved FactoryResetProtectionPolicy from XML.
* <p>
* No validation is required on the reconstructed policy since the XML was previously
* created by the system server from a validated policy.
* @hide
*/
@Nullable
public static FactoryResetProtectionPolicy readFromXml(@NonNull TypedXmlPullParser parser) {
try {
boolean factoryResetProtectionEnabled = parser.getAttributeBoolean(null,
KEY_FACTORY_RESET_PROTECTION_ENABLED, false);
List<String> factoryResetProtectionAccounts = new ArrayList<>();
int outerDepth = parser.getDepth();
int type;
while ((type = parser.next()) != END_DOCUMENT
&& (type != END_TAG || parser.getDepth() > outerDepth)) {
if (type == END_TAG || type == TEXT) {
continue;
}
if (!parser.getName().equals(KEY_FACTORY_RESET_PROTECTION_ACCOUNT)) {
continue;
}
factoryResetProtectionAccounts.add(
parser.getAttributeValue(null, ATTR_VALUE));
}
return new FactoryResetProtectionPolicy(factoryResetProtectionAccounts,
factoryResetProtectionEnabled);
} catch (XmlPullParserException | IOException e) {
Log.w(LOG_TAG, "Reading from xml failed", e);
}
return null;
}
/**
* @hide
*/
public void writeToXml(@NonNull TypedXmlSerializer out) throws IOException {
out.attributeBoolean(null, KEY_FACTORY_RESET_PROTECTION_ENABLED,
mFactoryResetProtectionEnabled);
for (String account : mFactoryResetProtectionAccounts) {
out.startTag(null, KEY_FACTORY_RESET_PROTECTION_ACCOUNT);
out.attribute(null, ATTR_VALUE, account);
out.endTag(null, KEY_FACTORY_RESET_PROTECTION_ACCOUNT);
}
}
/**
* Returns if the policy will result in factory reset protection being locked to
* admin-specified accounts.
* <p>
* When a device has a non-empty factory reset protection policy, trusted factory reset
* via Settings will no longer remove factory reset protection from the device.
* @hide
*/
public boolean isNotEmpty() {
return !mFactoryResetProtectionAccounts.isEmpty() && mFactoryResetProtectionEnabled;
}
/**
* @hide
*/
public void dump(IndentingPrintWriter pw) {
pw.print("factoryResetProtectionEnabled=");
pw.println(mFactoryResetProtectionEnabled);
pw.print("factoryResetProtectionAccounts=");
pw.increaseIndent();
for (int i = 0; i < mFactoryResetProtectionAccounts.size(); i++) {
pw.println(mFactoryResetProtectionAccounts.get(i));
}
pw.decreaseIndent();
}
}
|
