---或许是命运的不幸注定要将自己缤纷多彩的梦撞碎;
---或许是天地的无情终归要将自己继日的辛勤当做泡影放飞;
---或许是许许多多的难以理解却又实实在在的障碍与挫折早已将意气丰发的拼搏与百折不挠的进击化为道道忧愁阵阵孤寂;
---那么就请在凄惨中反省我们自己吧!
fingerprint-faceunlock连续使用72小时后,需要输入密码进行强认证解锁流程探索
Google官方术语中,password, pin or pattern这三种类型的屏幕锁称为strong method authentication,强方法认证,而像指纹/面容解锁的方式则称作辅助的认证方式(weak authentication)。
为了安全起见,当上一次强认证解锁后达到一定的时间,例如72小时,则需要用户进行强制认证进行解锁设备,本文主要叙述timeout发生后要求强制解锁认证的流程。
设定强认证解锁超时机制是从解锁开始的,以password解锁为例,简单介绍下解锁的逻辑。
1.设备解锁流程
当我们在password界面输入了正确的密码,点击IME功能键或者Enter键,则会触发verifyPasswordAndUnlock。
@Override
public boolean onEditorAction(TextView v, int actionId, KeyEvent event) {
// Check if this was the result of hitting the enter key
final boolean isSoftImeEvent = event == null
&& (actionId == EditorInfo.IME_NULL
|| actionId == EditorInfo.IME_ACTION_DONE
|| actionId == EditorInfo.IME_ACTION_NEXT);
final boolean isKeyboardEnterKey = event != null
&& KeyEvent.isConfirmKey(event.getKeyCode())
&& event.getAction() == KeyEvent.ACTION_DOWN;
if (isSoftImeEvent || isKeyboardEnterKey) {
verifyPasswordAndUnlock();
return true;
}
return false;
}LockPatternChecker.checkPassword
--- LockPatternUtils.checkPassword
--- checkCredential
--- LockSettingsService::checkCredential
--- doVerifyCredential
--- spBasedDoVerifyCredential
--- getGateKeeperService().verifyChallenge(userId, challenge, storedHash.hash, credential); 去底层完成校验,略,后续深入
通过spBasedDoVerifyCredential方法得到一个response值,表示校验返回的结果。
public static final int RESPONSE_ERROR = -1;
public static final int RESPONSE_OK = 0;
public static final int RESPONSE_RETRY = 1;当底层校验成功后,返回RESPONSE_OK,通知上层验证成功,完成解锁。
2. 设置Alarm超时进行强认证解锁
底层校验密码成功,则会进行report动作,调用reportSuccessfulStrongAuthUnlock:
if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {
mStrongAuth.reportSuccessfulStrongAuthUnlock(userId); // LockSettingsStrongAuth
if (shouldReEnrollBaseZero) {
setLockCredentialInternal(credential, storedHash.type, credentialToVerify,
DevicePolicyManager.PASSWORD_QUALITY_SOMETHING, userId, false,
/* isLockTiedToParent= */ false);
}
}
public void reportSuccessfulStrongAuthUnlock(int userId) {
final int argNotUsed = 0;
mHandler.obtainMessage(MSG_SCHEDULE_STRONG_AUTH_TIMEOUT, userId, argNotUsed).sendToTarget();
}
private final Handler mHandler = new Handler() {
@Override
public void handleMessage(Message msg) {
switch (msg.what) {
case MSG_REGISTER_TRACKER:
handleAddStrongAuthTracker((IStrongAuthTracker) msg.obj);
break;
case MSG_UNREGISTER_TRACKER:
handleRemoveStrongAuthTracker((IStrongAuthTracker) msg.obj);
break;
case MSG_REQUIRE_STRONG_AUTH:
handleRequireStrongAuth(msg.arg1, msg.arg2);
break;
case MSG_REMOVE_USER:
handleRemoveUser(msg.arg1);
break;
case MSG_SCHEDULE_STRONG_AUTH_TIMEOUT:
handleScheduleStrongAuthTimeout(msg.arg1);
break;
}
}
};
private void handleScheduleStrongAuthTimeout(int userId) {
final DevicePolicyManager dpm =
(DevicePolicyManager) mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
long when = SystemClock.elapsedRealtime() + dpm.getRequiredStrongAuthTimeout(null, userId);
// cancel current alarm listener for the user (if there was one)
StrongAuthTimeoutAlarmListener alarm = mStrongAuthTimeoutAlarmListenerForUser.get(userId);
if (alarm != null) {
mAlarmManager.cancel(alarm);
} else {
alarm = new StrongAuthTimeoutAlarmListener(userId);
mStrongAuthTimeoutAlarmListenerForUser.put(userId, alarm);
}
// schedule a new alarm listener for the user
mAlarmManager.set(AlarmManager.ELAPSED_REALTIME, when, STRONG_AUTH_TIMEOUT_ALARM_TAG,
alarm, mHandler);
} 通过handleScheduleStrongAuthTimeout方法,从当前时间戳开始,加上timeout超时的时间戳,即为下一次需要强制解锁认证的时间,设置定时Alarm来提醒用户进行强认证流程。
而超时的时间戳则通过getRequiredStrongAuthTimeout方法获取,此方法最终由DPMS(DevicePolicyManagerService)服务提供。
@RequiresFeature(PackageManager.FEATURE_SECURE_LOCK_SCREEN)
public long getRequiredStrongAuthTimeout(@Nullable ComponentName admin) {
return getRequiredStrongAuthTimeout(admin, myUserId());
}
/** @hide per-user version */
@UnsupportedAppUsage
@RequiresFeature(PackageManager.FEATURE_SECURE_LOCK_SCREEN)
public long getRequiredStrongAuthTimeout(@Nullable ComponentName admin, @UserIdInt int userId) {
if (mService != null) {
try {
return mService.getRequiredStrongAuthTimeout(admin, userId, mParentInstance);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
return DEFAULT_STRONG_AUTH_TIMEOUT_MS;
}
/**
* Return a single admin's strong auth unlock timeout or minimum value (strictest) of all
* admins if who is null.
* Returns 0 if not configured for the provided admin.
*/
@Override
public long getRequiredStrongAuthTimeout(ComponentName who, int userId, boolean parent) {
if (!mHasFeature) {
return DevicePolicyManager.DEFAULT_STRONG_AUTH_TIMEOUT_MS;
}
if (!mLockPatternUtils.hasSecureLockScreen()) {
// No strong auth timeout on devices not supporting the
// {@link PackageManager#FEATURE_SECURE_LOCK_SCREEN} feature
return 0;
}
enforceFullCrossUsersPermission(userId);
synchronized (getLockObject()) {
if (who != null) {
ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userId, parent);
return admin != null ? admin.strongAuthUnlockTimeout : 0;
}
// Return the strictest policy across all participating admins.
List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userId, parent);
long strongAuthUnlockTimeout = DevicePolicyManager.DEFAULT_STRONG_AUTH_TIMEOUT_MS;
for (int i = 0; i < admins.size(); i++) {
final long timeout = admins.get(i).strongAuthUnlockTimeout;
if (timeout != 0) { // take only participating admins into account
strongAuthUnlockTimeout = Math.min(timeout, strongAuthUnlockTimeout);
}
}
return Math.max(strongAuthUnlockTimeout, getMinimumStrongAuthTimeoutMs());
}
}这里面,我们的device owner以及profile owner类的应用是有权限去修改超时时间的,如果没有干预,则默认返回DEFAULT_STRONG_AUTH_TIMEOUT_MS:
/**
* Default and maximum timeout in milliseconds after which unlocking with weak auth times out,
* i.e. the user has to use a strong authentication method like password, PIN or pattern.
*
* @hide
*/
public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 * 60 * 60 * 1000; // 72h3. Alarm触发引导用户进行强认证解锁
通过上面的分析,我们得知,每当使用强认证方式解锁一次,timeout将会重新计算,通过getRequiredStrongAuthTimeout方法得到超时时间。
而在我们持续使用设备期间,如果一直使用fingerprint/faceunlock方式解锁设备,知道设定的超时闹钟触发,就引导用户强制解锁认证流程,接下来我们跟进这一部分。
StrongAuthTimeoutAlarmListener alarm = mStrongAuthTimeoutAlarmListenerForUser.get(userId);
mAlarmManager.set(AlarmManager.ELAPSED_REALTIME, when, STRONG_AUTH_TIMEOUT_ALARM_TAG,
alarm, mHandler);alrm触发后,回调onAlarm方法,最终通过消息机制触发handler来处理:
@Override
public void onAlarm() {
requireStrongAuth(STRONG_AUTH_REQUIRED_AFTER_TIMEOUT, mUserId); // 注意这里传入的reason:STRONG_AUTH_REQUIRED_AFTER_TIMEOUT
}
public void requireStrongAuth(int strongAuthReason, int userId) {
if (userId == UserHandle.USER_ALL || userId >= UserHandle.USER_SYSTEM) {
mHandler.obtainMessage(MSG_REQUIRE_STRONG_AUTH, strongAuthReason,
userId).sendToTarget();
} else {
throw new IllegalArgumentException(
"userId must be an explicit user id or USER_ALL");
}
}
private final Handler mHandler = new Handler() {
@Override
public void handleMessage(Message msg) {
switch (msg.what) {
case MSG_REQUIRE_STRONG_AUTH:
handleRequireStrongAuth(msg.arg1, msg.arg2);
break;
}
}
};
private void handleRequireStrongAuth(int strongAuthReason, int userId) {
if (userId == UserHandle.USER_ALL) {
for (int i = 0; i < mStrongAuthForUser.size(); i++) {
int key = mStrongAuthForUser.keyAt(i);
handleRequireStrongAuthOneUser(strongAuthReason, key);
}
} else {
handleRequireStrongAuthOneUser(strongAuthReason, userId);
}
}
private void handleRequireStrongAuthOneUser(int strongAuthReason, int userId) {
int oldValue = mStrongAuthForUser.get(userId, mDefaultStrongAuthFlags);
int newValue = strongAuthReason == STRONG_AUTH_NOT_REQUIRED
? STRONG_AUTH_NOT_REQUIRED
: (oldValue | strongAuthReason);
if (oldValue != newValue) {
mStrongAuthForUser.put(userId, newValue);
notifyStrongAuthTrackers(newValue, userId);
}
}
private void notifyStrongAuthTrackers(int strongAuthReason, int userId) {
int i = mTrackers.beginBroadcast();
try {
while (i > 0) {
i--;
try {
mTrackers.getBroadcastItem(i).onStrongAuthRequiredChanged(
strongAuthReason, userId);
} catch (RemoteException e) {
Slog.e(TAG, "Exception while notifying StrongAuthTracker.", e);
}
}
} finally {
mTrackers.finishBroadcast();
}
}通过onStrongAuthRequiredChanged方法通知到SystemUI-Keyguard中,这里的mStrongAuthRequiredChangedCallback是构造StrongAuthTracker传入的,最终执行的是notifyStrongAuthStateChanged方法:
@Override
public void onStrongAuthRequiredChanged(int userId) {
mStrongAuthRequiredChangedCallback.accept(userId);
}
mStrongAuthTracker = new StrongAuthTracker(context, this::notifyStrongAuthStateChanged);
private void notifyStrongAuthStateChanged(int userId) {
checkIsHandlerThread();
for (int i = 0; i < mCallbacks.size(); i++) {
KeyguardUpdateMonitorCallback cb = mCallbacks.get(i).get();
if (cb != null) {
cb.onStrongAuthStateChanged(userId);
}
}
}KeyguardBouncer内部类mUpdateMonitorCallback实现了onStrongAuthStateChanged方法,此方法通过getBouncerPromptReason去取要求输密码的原因.
@Override
public int getBouncerPromptReason() {
int currentUser = ActivityManager.getCurrentUser();
boolean trust = mTrustManager.isTrustUsuallyManaged(currentUser);
boolean biometrics = mUpdateMonitor.isUnlockingWithBiometricsPossible(currentUser);
boolean any = trust || biometrics;
KeyguardUpdateMonitor.StrongAuthTracker strongAuthTracker =
mUpdateMonitor.getStrongAuthTracker();
int strongAuth = strongAuthTracker.getStrongAuthForUser(currentUser);
if (any && !strongAuthTracker.hasUserAuthenticatedSinceBoot()) {
return KeyguardSecurityView.PROMPT_REASON_RESTART;
} else if (any && (strongAuth & STRONG_AUTH_REQUIRED_AFTER_TIMEOUT) != 0) { // alarm触发后,设置的reason为:STRONG_AUTH_REQUIRED_AFTER_TIMEOUT,故最终匹配这里
return KeyguardSecurityView.PROMPT_REASON_TIMEOUT;
} else if (any && (strongAuth & STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW) != 0) {
return KeyguardSecurityView.PROMPT_REASON_DEVICE_ADMIN;
} else if (trust && (strongAuth & SOME_AUTH_REQUIRED_AFTER_USER_REQUEST) != 0) {
return KeyguardSecurityView.PROMPT_REASON_USER_REQUEST;
} else if (any && (strongAuth & STRONG_AUTH_REQUIRED_AFTER_LOCKOUT) != 0) {
return KeyguardSecurityView.PROMPT_REASON_AFTER_LOCKOUT;
}
return KeyguardSecurityView.PROMPT_REASON_NONE;
}根据PromptReason,获取之前的锁屏类型,显示锁屏界面并通过相应的强认证解锁原因字符串,提示用户解锁设备,当password/pin/pattern解锁认证成功,又会进行新一轮的timeout设置。
555
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
