Merge branch 'workaccount-store-cross-profile' into workaccount-store

Author: fynngodau

play-services-auth-workaccount/core/src/main/kotlin/com/google/android/gms/auth/account/authenticator/WorkAccountAuthenticator.kt

@@ -19,6 +19,7 @@ import org.microg.gms.auth.AuthConstants
 import org.microg.gms.common.PackageUtils
 import org.microg.gms.auth.AuthRequest
 import org.microg.gms.auth.AuthResponse
+import org.microg.gms.auth.workaccount.WorkProfileSettings
 import java.io.IOException
 import kotlin.jvm.Throws
 
@@ -38,7 +39,14 @@ class WorkAccountAuthenticator(val context: Context) : AbstractAccountAuthentica
         requiredFeatures: Array<out String>?,
         options: Bundle
     ): Bundle? {
-        if (
+
+        if (!WorkProfileSettings(context).allowCreateWorkAccount) {
+            return Bundle().apply {
+                putInt(AccountManager.KEY_ERROR_CODE, AccountManager.ERROR_CODE_UNSUPPORTED_OPERATION)
+                putString(AccountManager.KEY_ERROR_MESSAGE, context.getString(R.string.auth_work_authenticator_disabled_error)
+                )
+            }
+        } else if (
             !options.containsKey(KEY_ACCOUNT_CREATION_TOKEN)
             || options.getString(KEY_ACCOUNT_CREATION_TOKEN) == null
             || options.getInt(AccountManager.KEY_CALLER_UID) != android.os.Process.myUid()) {

play-services-auth-workaccount/core/src/main/kotlin/org/microg/gms/auth/workaccount/WorkAccountService.kt

@@ -110,15 +110,17 @@ class WorkAccountServiceImpl(val context: Context) : IWorkAccountService.Stub()
             null
         )
         Thread {
-            future.result.let { result ->
-                if (result.containsKey(AccountManager.KEY_ERROR_CODE)) {
-                    Log.w(TAG, "could not add work account due to network error: ${result.getString(AccountManager.KEY_ERROR_MESSAGE)}")
-                } else callback?.onAccountAdded(
-                    Account(
-                        result.getString(AccountManager.KEY_ACCOUNT_NAME),
-                        result.getString(AccountManager.KEY_ACCOUNT_TYPE)
+            try {
+                future.result.let { result ->
+                    callback?.onAccountAdded(
+                        Account(
+                            result.getString(AccountManager.KEY_ACCOUNT_NAME),
+                            result.getString(AccountManager.KEY_ACCOUNT_TYPE)
+                        )
                     )
-                )
+                }
+            } catch (e: Exception) {
+                Log.e(TAG, "could not add work account with error message: ${e.message}")
             }
         }.start()
     }

play-services-auth-workaccount/core/src/main/kotlin/org/microg/gms/auth/workaccount/WorkProfileSettings.kt

@@ -0,0 +1,23 @@
+package org.microg.gms.auth.workaccount
+
+import android.content.ContentValues
+import android.content.Context
+import android.database.Cursor
+import org.microg.gms.settings.SettingsContract
+
+class WorkProfileSettings(private val context: Context) {
+    private fun <T> getSettings(vararg projection: String, f: (Cursor) -> T): T =
+        SettingsContract.getSettings(
+            context,
+            SettingsContract.WorkProfile.getContentUri(context),
+            projection,
+            f
+        )
+
+    private fun setSettings(v: ContentValues.() -> Unit) =
+        SettingsContract.setSettings(context, SettingsContract.WorkProfile.getContentUri(context), v)
+
+    var allowCreateWorkAccount: Boolean
+        get() = getSettings(SettingsContract.WorkProfile.CREATE_WORK_ACCOUNT) { c -> c.getInt(0) != 0 }
+        set(value) = setSettings { put(SettingsContract.WorkProfile.CREATE_WORK_ACCOUNT, value) }
+}

play-services-auth-workaccount/core/src/main/res/values/strings.xml

@@ -7,5 +7,6 @@
 
     <string name="auth_work_authenticator_label">Managed Google for Work account</string>
     <string name="auth_work_authenticator_add_manual_error">This type of account is created automatically by your profile administrator if needed.</string>
+    <string name="auth_work_authenticator_disabled_error">Creating a work account is disabled in microG settings.</string>
 
 </resources>

play-services-base/core/src/main/AndroidManifest.xml

@@ -3,19 +3,43 @@
   ~ SPDX-FileCopyrightText: 2020, microG Project Team
   ~ SPDX-License-Identifier: Apache-2.0
   -->
-<manifest xmlns:android="http://schemas.android.com/apk/res/android">
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
 
     <permission android:name="${applicationId}.permission.READ_SETTINGS"
         android:protectionLevel="signature" />
     <permission android:name="${applicationId}.permission.WRITE_SETTINGS"
         android:protectionLevel="signature" />
 
+    <uses-permission android:name="android.permission.INTERACT_ACROSS_PROFILES"
+        tools:ignore="ProtectedPermissions" />
+    <uses-permission android:name="android.permission.INTERACT_ACROSS_USERS"
+        tools:ignore="ProtectedPermissions" />
+
     <application>
         <provider
             android:name="org.microg.gms.settings.SettingsProvider"
             android:authorities="${applicationId}.microg.settings"
             android:exported="true"
+            android:grantUriPermissions="true"
             android:readPermission="${applicationId}.permission.READ_SETTINGS"
             android:writePermission="${applicationId}.permission.WRITE_SETTINGS" />
+
+        <activity
+            android:name="org.microg.gms.crossprofile.CrossProfileSendActivity"
+            android:exported="false"
+            tools:targetApi="30" />
+
+        <activity
+            android:name="org.microg.gms.crossprofile.CrossProfileRequestActivity"
+            android:exported="false"
+            tools:targetApi="30" />
+
+        <receiver android:name="org.microg.gms.crossprofile.UserInitReceiver"
+            android:exported="false">
+            <intent-filter>
+                <action android:name="android.intent.action.USER_INITIALIZE" />
+            </intent-filter>
+        </receiver>
     </application>
 </manifest>

play-services-base/core/src/main/kotlin/org/microg/gms/crossprofile/CrossProfileRequestActivity.kt

@@ -0,0 +1,86 @@
+package org.microg.gms.crossprofile
+
+import android.app.Activity
+import android.content.Intent
+import android.content.pm.CrossProfileApps
+import android.os.Build
+import android.os.Bundle
+import android.os.UserManager
+import android.util.Log
+import androidx.annotation.RequiresApi
+import org.microg.gms.settings.SettingsContract.CROSS_PROFILE_PERMISSION
+import org.microg.gms.settings.SettingsContract.CROSS_PROFILE_SHARED_PREFERENCES_NAME
+import androidx.core.content.edit
+
+/**
+ * Two-step process:
+ *   1. request to hear back from `CrossProfileRequestActivity`
+ *   2. receive resulting URI as intent data
+ *
+ * This dance so complicated because Android platform does not offer better APIs that only need
+ * `INTERACT_ACROSS_PROFILES`, an appops permission (and not `INTERACT_ACROSS_USERS`, a
+ * privileged|system permission).
+ */
+@RequiresApi(Build.VERSION_CODES.R)
+class CrossProfileRequestActivity : Activity() {
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+
+        // Check that we are work profile
+        val userManager = getSystemService(UserManager::class.java)
+        if (!userManager.isManagedProfile) {
+            Log.w(CrossProfileSendActivity.TAG, "I was asked to send a cross-profile request, but I am not on a work profile!")
+            finish()
+            return
+        }
+
+        val crossProfileApps = getSystemService(CrossProfileApps::class.java)
+
+        val targetProfiles = crossProfileApps.targetUserProfiles
+
+        if (!crossProfileApps.canInteractAcrossProfiles() || targetProfiles.isEmpty()) {
+            Log.w(
+                TAG, "I am supposed to send a cross-profile request, but the prerequisites are not met: " +
+                        "can interact = ${crossProfileApps.canInteractAcrossProfiles()}, " +
+                        "#targetProfiles = ${targetProfiles.size}")
+            finish()
+            return
+        }
+
+        val intent = Intent(this, CrossProfileSendActivity::class.java)
+
+        Log.d(TAG, "asking for cross-profile URI")
+        crossProfileApps.startActivity(
+            intent,
+            targetProfiles.first(),
+            // if this parameter is provided, it works like `startActivityForResult` (with requestCode 0)
+            this
+        )
+
+        // finish only after receiving result
+    }
+
+    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
+        Log.d(TAG, data?.data.toString())
+
+        val uri = data?.data
+        if (uri == null) {
+            Log.w(TAG, "expected to receive data, but intent did not contain any.")
+            finish()
+            return
+        }
+
+        contentResolver.takePersistableUriPermission(uri, 0)
+
+        val preferences = getSharedPreferences(CROSS_PROFILE_SHARED_PREFERENCES_NAME, MODE_PRIVATE)
+        Log.i(TAG, "storing work URI")
+        preferences.edit { putString(CROSS_PROFILE_PERMISSION, uri.toString()) }
+
+        finish()
+    }
+
+    companion object {
+        const val TAG = "GmsCrossProfileRequest"
+    }
+}

play-services-base/core/src/main/kotlin/org/microg/gms/crossprofile/CrossProfileSendActivity.kt

@@ -0,0 +1,53 @@
+package org.microg.gms.crossprofile
+
+import android.app.Activity
+import android.content.Intent
+import android.content.Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+import android.content.Intent.FLAG_GRANT_READ_URI_PERMISSION
+import android.content.pm.CrossProfileApps
+import android.os.Build
+import android.os.Bundle
+import android.os.UserManager
+import android.util.Log
+import androidx.annotation.RequiresApi
+import androidx.core.net.toUri
+import org.microg.gms.settings.SettingsContract.getAuthority
+
+@RequiresApi(Build.VERSION_CODES.R)
+class CrossProfileSendActivity : Activity() {
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+
+        // Check that we are primary profile
+        val userManager = getSystemService(UserManager::class.java)
+        if (userManager.isManagedProfile) {
+            Log.w(TAG, "Cross-profile send request was received on work profile!")
+            finish()
+            return
+        }
+
+        // Check prerequisites
+        val crossProfileApps = getSystemService(CrossProfileApps::class.java)
+        val targetProfiles = crossProfileApps.targetUserProfiles
+
+        if (!crossProfileApps.canInteractAcrossProfiles() || targetProfiles.isEmpty()) {
+            Log.w(
+                TAG, "received cross-profile request, but I believe I cannot answer, as prerequisites are not met: " +
+                    "can interact = ${crossProfileApps.canInteractAcrossProfiles()}, " +
+                    "#targetProfiles = ${targetProfiles.size}. Note that this is expected during initial setup of a work profile.")
+        }
+
+        // Respond
+        Log.d(TAG, "responding to cross-profile request")
+
+        setResult(1, Intent().apply {
+            setData("content://${getAuthority(this@CrossProfileSendActivity)}".toUri())
+            addFlags(FLAG_GRANT_READ_URI_PERMISSION or FLAG_GRANT_PERSISTABLE_URI_PERMISSION)
+        })
+        finish()
+    }
+
+    companion object {
+        const val TAG = "GmsCrossProfileSend"
+    }
+}

play-services-base/core/src/main/kotlin/org/microg/gms/crossprofile/UserInitReceiver.kt

@@ -0,0 +1,35 @@
+package org.microg.gms.crossprofile
+
+import android.annotation.SuppressLint
+import android.content.BroadcastReceiver
+import android.content.Context
+import android.content.Intent
+import android.os.Build
+import android.os.UserManager
+import android.util.Log
+
+class UserInitReceiver : BroadcastReceiver() {
+    @SuppressLint("UnsafeProtectedBroadcastReceiver") // exported="false"
+    override fun onReceive(context: Context, intent: Intent?) {
+
+        // Check that we are work profile
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+            val userManager = context.getSystemService(UserManager::class.java)
+            if (userManager.isManagedProfile) {
+                Log.d(TAG, "A new managed profile is being initialized; telling `CrossProfileRequestActivity` to request access to main profile's data.")
+                // CrossProfileActivity will check whether permissions are present
+                context.startActivity(
+                    Intent(context, CrossProfileRequestActivity::class.java).apply {
+                        addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
+                    }
+                )
+            } else {
+                Log.d(TAG, "A new user is being initialized, but it is not a managed profile. Not connecting data")
+            }
+        }
+    }
+
+    companion object {
+        const val TAG = "GmsUserInit"
+    }
+}