Reset fingerprint lockout timer when strong auth is used.

Fixes bug 22565462

Change-Id: I4842877839845e7fe103396d8ca8104928568c04

6 files changed, 42 insertions, 0 deletions

diff --git a/core/java/android/hardware/fingerprint/FingerprintManager.java b/core/java/android/hardware/fingerprint/FingerprintManager.java
index ee37047..061fad9 100644
--- a/core/java/android/hardware/fingerprint/FingerprintManager.java
+++ b/core/java/android/hardware/fingerprint/FingerprintManager.java
@@ -668,6 +668,25 @@ public class FingerprintManager {
         return 0;
     }
 
+    /**
+     * Reset the lockout timer when asked to do so by keyguard.
+     *
+     * @param token an opaque token returned by password confirmation.
+     *
+     * @hide
+     */
+    public void resetTimeout(byte[] token) {
+        if (mService != null) {
+            try {
+                mService.resetTimeout(token);
+            } catch (RemoteException e) {
+                Log.v(TAG, "Remote exception in getAuthenticatorId(): ", e);
+            }
+        } else {
+            Log.w(TAG, "getAuthenticatorId(): Service not connected!");
+        }
+    }
+
     private class MyHandler extends Handler {
         private MyHandler(Context context) {
             super(context.getMainLooper());
@@ -677,6 +696,7 @@ public class FingerprintManager {
             super(looper);
         }
 
+        @Override
         public void handleMessage(android.os.Message msg) {
             switch(msg.what) {
                 case MSG_ENROLL_RESULT:
diff --git a/core/java/android/hardware/fingerprint/IFingerprintService.aidl b/core/java/android/hardware/fingerprint/IFingerprintService.aidl
index 5e233b8..3356354 100644
--- a/core/java/android/hardware/fingerprint/IFingerprintService.aidl
+++ b/core/java/android/hardware/fingerprint/IFingerprintService.aidl
@@ -68,4 +68,7 @@ interface IFingerprintService {
 
     // Gets the authenticator ID for fingerprint
     long getAuthenticatorId(String opPackageName);
+
+    // Reset the timeout when user authenticates with strong auth (e.g. PIN, pattern or password)
+    void resetTimeout(in byte [] cryptoToken);
 }
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 629d14b..58f2d47 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -2465,6 +2465,10 @@
     <permission android:name="android.permission.MANAGE_FINGERPRINT"
         android:protectionLevel="system|signature" />
 
+    <!-- Allows an app to reset fingerprint attempt counter. Reserved for the system. @hide -->
+    <permission android:name="android.permission.RESET_FINGERPRINT_LOCKOUT"
+        android:protectionLevel="signature" />
+
     <!-- Allows an application to control keyguard.  Only allowed for system processes.
         @hide -->
     <permission android:name="android.permission.CONTROL_KEYGUARD"
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardUpdateMonitor.java b/packages/Keyguard/src/com/android/keyguard/KeyguardUpdateMonitor.java
index 3232f65..1e62646 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardUpdateMonitor.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardUpdateMonitor.java
@@ -578,6 +578,10 @@ public class KeyguardUpdateMonitor implements TrustManager.TrustListener {
     public void reportSuccessfulStrongAuthUnlockAttempt() {
         mStrongAuthTimedOut.remove(sCurrentUser);
         scheduleStrongAuthTimeout();
+        if (mFpm != null) {
+            byte[] token = null; /* TODO: pass real auth token once fp HAL supports it */
+            mFpm.resetTimeout(token);
+        }
     }
 
     private void scheduleStrongAuthTimeout() {
diff --git a/packages/SystemUI/AndroidManifest.xml b/packages/SystemUI/AndroidManifest.xml
index 677ab91..372fa03 100644
--- a/packages/SystemUI/AndroidManifest.xml
+++ b/packages/SystemUI/AndroidManifest.xml
@@ -108,6 +108,7 @@
     <uses-permission android:name="android.permission.ACCESS_KEYGUARD_SECURE_STORAGE" />
     <uses-permission android:name="android.permission.TRUST_LISTENER" />
     <uses-permission android:name="android.permission.USE_FINGERPRINT" />
+    <uses-permission android:name="android.permission.RESET_FINGERPRINT_LOCKOUT" />
 
     <!-- Needed for WallpaperManager.clear in ImageWallpaper.updateWallpaperLocked -->
     <uses-permission android:name="android.permission.SET_WALLPAPER"/>
diff --git a/services/core/java/com/android/server/fingerprint/FingerprintService.java b/services/core/java/com/android/server/fingerprint/FingerprintService.java
index 17607ff..befa311 100644
--- a/services/core/java/com/android/server/fingerprint/FingerprintService.java
+++ b/services/core/java/com/android/server/fingerprint/FingerprintService.java
@@ -54,6 +54,7 @@ import android.hardware.fingerprint.IFingerprintServiceReceiver;
 import android.view.Display;
 
 import static android.Manifest.permission.MANAGE_FINGERPRINT;
+import static android.Manifest.permission.RESET_FINGERPRINT_LOCKOUT;
 import static android.Manifest.permission.USE_FINGERPRINT;
 
 import java.io.File;
@@ -255,6 +256,9 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
             Slog.v(TAG, "Reset fingerprint lockout");
         }
         mFailedAttempts = 0;
+        // If we're asked to reset failed attempts externally (i.e. from Keyguard), the runnable
+        // may still be in the queue; remove it.
+        mHandler.removeCallbacks(mLockoutReset);
     }
 
     private boolean handleFailedAttempt(ClientMonitor clientMonitor) {
@@ -878,6 +882,12 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
                 Binder.restoreCallingIdentity(ident);
             }
         }
+        @Override // Binder call
+        public void resetTimeout(byte [] token) {
+            checkPermission(RESET_FINGERPRINT_LOCKOUT);
+            // TODO: confirm security token when we move timeout management into the HAL layer.
+            mLockoutReset.run();
+        }
     }
 
     private void dumpInternal(PrintWriter pw) {