Introduce admin constraints for org-owned profile owner

* Convert some existing preferences to use this new constraint

* Allow security logging to be called by org-owned profile owner
  * Small tweaks to security logging event date printing

* Remove redundant constaints "deviceOwner|profileOwner" (which
  is the default behaviour) from preferences

* Remove unused constaints "notDeviceOwner" and "notProfileOwner"

* Update constraints for some API
  * Enabling backup service is callable by PO since Q
  * Setting time & timezone is callbele by org-owned profile owner
  * WiFi config lockdown is callable by org-owned profile owner
  * Setting system update policy is callably by org-owned profile owner
  * Installing system update is callable by org-owned profile owner
  * Setting organization name is callable by PO and DO
  * Setting lockscreen message is callable by org-owned profile owner
  * Changing location mode is callable by DO only
  * Setting auto time and timezone is callable by org-owned profile owner
  * Factory resetting device is callable by org-owned profile owner

* Document custom constraints for some preferences

Bug: 149916080
Test: manual
Change-Id: Ic7bc08405a586de2d675ffa3b3e392ea63385d43

Author: Rubin Xu

app/src/main/java/com/afwsamples/testdpc/common/preference/DpcPreferenceHelper.java

@@ -29,6 +29,8 @@
 import android.view.View;
 import android.widget.TextView;
 import com.afwsamples.testdpc.R;
+import com.afwsamples.testdpc.common.ReflectionUtil;
+import com.afwsamples.testdpc.common.ReflectionUtil.ReflectionIsTemporaryException;
 import com.afwsamples.testdpc.common.Util;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@@ -47,15 +49,18 @@
  */
 public class DpcPreferenceHelper {
     @Retention(RetentionPolicy.SOURCE)
-    @IntDef(flag = true, value = {ADMIN_NONE, ADMIN_DEVICE_OWNER, ADMIN_PROFILE_OWNER})
+    @IntDef(flag = true, value = {ADMIN_NONE, ADMIN_DEVICE_OWNER, ADMIN_BYOD_PROFILE_OWNER,
+        ADMIN_ORG_OWNED_PROFILE_OWNER})
     public @interface AdminKind {}
     public static final int ADMIN_NONE = 0x1;
     public static final int ADMIN_DEVICE_OWNER = 0x2;
-    public static final int ADMIN_PROFILE_OWNER = 0x4;
-    public static final int ADMIN_ANY = ADMIN_NONE | ADMIN_DEVICE_OWNER | ADMIN_PROFILE_OWNER;
+    public static final int ADMIN_BYOD_PROFILE_OWNER = 0x4;
+    public static final int ADMIN_ORG_OWNED_PROFILE_OWNER = 0x8;
+    public static final int ADMIN_PROFILE_OWNER =
+        ADMIN_BYOD_PROFILE_OWNER | ADMIN_ORG_OWNED_PROFILE_OWNER;
+    public static final int ADMIN_ANY =
+        ADMIN_NONE | ADMIN_DEVICE_OWNER | ADMIN_PROFILE_OWNER | ADMIN_ORG_OWNED_PROFILE_OWNER;
     public static final int ADMIN_NOT_NONE = ADMIN_ANY & ~ADMIN_NONE;
-    public static final int ADMIN_NOT_DEVICE_OWNER = ADMIN_ANY & ~ADMIN_DEVICE_OWNER;
-    public static final int ADMIN_NOT_PROFILE_OWNER = ADMIN_ANY & ~ADMIN_PROFILE_OWNER;
     public static final @AdminKind int ADMIN_DEFAULT = ADMIN_NOT_NONE;
     public static final int NO_CUSTOM_CONSTRIANT = 0;
 
@@ -252,6 +257,16 @@ private int getCurrentAdmin() {
         if (dpm.isDeviceOwnerApp(packageName)) {
             return ADMIN_DEVICE_OWNER;
         }
+        Boolean orgOwned;
+        try {
+            orgOwned = (Boolean) ReflectionUtil.invoke(dpm,
+                "isOrganizationOwnedDeviceWithManagedProfile");
+        } catch (ReflectionIsTemporaryException e) {
+            orgOwned = false;
+        }
+        if (orgOwned) {
+            return ADMIN_ORG_OWNED_PROFILE_OWNER;
+        }
         if (dpm.isProfileOwnerApp(packageName)) {
             return ADMIN_PROFILE_OWNER;
         }
@@ -304,7 +319,12 @@ private String getAdminConstraintSummary() {
         if (isEnabledForAdmin(ADMIN_DEVICE_OWNER)) {
             admins.add(mContext.getString(R.string.device_owner));
         }
-        if (isEnabledForAdmin(ADMIN_PROFILE_OWNER)) {
+        // Only add the org-owned profile message if the constraint is specific to org-owned profile
+        // and not all profile types, to reduce verbosity of the message.
+        if (isEnabledForAdmin(ADMIN_ORG_OWNED_PROFILE_OWNER) &&
+            !isEnabledForAdmin(ADMIN_PROFILE_OWNER)) {
+            admins.add(mContext.getString(R.string.org_owned_profile_owner));
+        } else if (isEnabledForAdmin(ADMIN_PROFILE_OWNER)) {
             admins.add(mContext.getString(R.string.profile_owner));
         }
         if (!TextUtils.isEmpty(mDelegationConstraint)) {

app/src/main/java/com/afwsamples/testdpc/policy/PolicyManagementFragment.java

@@ -457,7 +457,7 @@ public class PolicyManagementFragment extends BaseSearchablePolicyPreferenceFrag
     private SwitchPreference mStayOnWhilePluggedInSwitchPreference;
     private DpcSwitchPreference mInstallNonMarketAppsPreference;
 
-    private SwitchPreference mEnableBackupServicePreference;
+    private DpcSwitchPreference mEnableBackupServicePreference;
     private SwitchPreference mEnableSecurityLoggingPreference;
     private SwitchPreference mEnableNetworkLoggingPreference;
     private DpcSwitchPreference mSetAutoTimeRequiredPreference;
@@ -558,8 +558,6 @@ public void onCreatePreferences(Bundle savedInstanceState, String rootKey) {
         mDisableCameraOnParentSwitchPreference = (DpcSwitchPreference)
                 findPreference(DISABLE_CAMERA_ON_PARENT_KEY);
         mDisableCameraOnParentSwitchPreference.setOnPreferenceChangeListener(this);
-        mDisableCameraOnParentSwitchPreference
-                .setCustomConstraint(this::validateProfileOwnerOfOrganizationOwnedDevice);
         findPreference(CAPTURE_IMAGE_KEY).setOnPreferenceClickListener(this);
         findPreference(CAPTURE_VIDEO_KEY).setOnPreferenceClickListener(this);
         mDisableScreenCaptureSwitchPreference = (SwitchPreference) findPreference(
@@ -568,8 +566,6 @@ public void onCreatePreferences(Bundle savedInstanceState, String rootKey) {
         mDisableScreenCaptureOnParentSwitchPreference = (DpcSwitchPreference) findPreference(
                 DISABLE_SCREEN_CAPTURE_ON_PARENT_KEY);
         mDisableScreenCaptureOnParentSwitchPreference.setOnPreferenceChangeListener(this);
-        mDisableScreenCaptureOnParentSwitchPreference
-                .setCustomConstraint(this::validateProfileOwnerOfOrganizationOwnedDevice);
         mMuteAudioSwitchPreference = (SwitchPreference) findPreference(
                 MUTE_AUDIO_KEY);
         mMuteAudioSwitchPreference.setOnPreferenceChangeListener(this);
@@ -608,8 +604,10 @@ public void onCreatePreferences(Bundle savedInstanceState, String rootKey) {
         findPreference(WIPE_DATA_KEY).setOnPreferenceClickListener(this);
         findPreference(PERSISTENT_DEVICE_OWNER_KEY).setOnPreferenceClickListener(this);
         findPreference(REMOVE_DEVICE_OWNER_KEY).setOnPreferenceClickListener(this);
-        mEnableBackupServicePreference = (SwitchPreference) findPreference(ENABLE_BACKUP_SERVICE);
+        mEnableBackupServicePreference = (DpcSwitchPreference) findPreference(
+            ENABLE_BACKUP_SERVICE);
         mEnableBackupServicePreference.setOnPreferenceChangeListener(this);
+        mEnableBackupServicePreference.setCustomConstraint(this::validateDeviceOwnerBeforeQ);
         findPreference(REQUEST_BUGREPORT_KEY).setOnPreferenceClickListener(this);
         mEnableSecurityLoggingPreference =
             (SwitchPreference) findPreference(ENABLE_SECURITY_LOGGING);
@@ -657,13 +655,9 @@ public void onCreatePreferences(Bundle savedInstanceState, String rootKey) {
         findPreference(HIDE_APPS_KEY).setOnPreferenceClickListener(this);
         mHideAppsParentPreference = (DpcPreference) findPreference(HIDE_APPS_PARENT_KEY);
         mHideAppsParentPreference.setOnPreferenceClickListener(this);
-        mHideAppsParentPreference.setCustomConstraint(
-                this::validateProfileOwnerOfOrganizationOwnedDevice);
         findPreference(UNHIDE_APPS_KEY).setOnPreferenceClickListener(this);
         mUnhideAppsParentPreference = (DpcPreference) findPreference(UNHIDE_APPS_PARENT_KEY);
         mUnhideAppsParentPreference.setOnPreferenceClickListener(this);
-        mUnhideAppsParentPreference.setCustomConstraint(
-                this::validateProfileOwnerOfOrganizationOwnedDevice);
         findPreference(SUSPEND_APPS_KEY).setOnPreferenceClickListener(this);
         findPreference(UNSUSPEND_APPS_KEY).setOnPreferenceClickListener(this);
         findPreference(CLEAR_APP_DATA_KEY).setOnPreferenceClickListener(this);
@@ -702,7 +696,6 @@ public void onCreatePreferences(Bundle savedInstanceState, String rootKey) {
         findPreference(SET_USER_RESTRICTIONS_KEY).setOnPreferenceClickListener(this);
         mUserRestrictionsParentPreference = (DpcPreference) findPreference(SET_USER_RESTRICTIONS_PARENT_KEY);
         mUserRestrictionsParentPreference.setOnPreferenceClickListener(this);
-        mUserRestrictionsParentPreference.setCustomConstraint(this::validateProfileOwnerOfOrganizationOwnedDevice);
 
         findPreference(REBOOT_KEY).setOnPreferenceClickListener(this);
         findPreference(SET_SHORT_SUPPORT_MESSAGE_KEY).setOnPreferenceClickListener(this);
@@ -757,13 +750,9 @@ public void onCreatePreferences(Bundle savedInstanceState, String rootKey) {
 
         mSuspendPersonalApps = (DpcSwitchPreference) findPreference(SUSPEND_PERSONAL_APPS_KEY);
         mSuspendPersonalApps.setOnPreferenceChangeListener(this);
-        mSuspendPersonalApps.setCustomConstraint(
-                this::validateProfileOwnerOfOrganizationOwnedDevice);
 
         mProfileMaxTimeOff = (DpcEditTextPreference) findPreference(PROFILE_MAX_TIME_OFF_KEY);
         mProfileMaxTimeOff.setOnPreferenceChangeListener(this);
-        mProfileMaxTimeOff.setCustomConstraint(
-                this::validateProfileOwnerOfOrganizationOwnedDevice);
         maybeUpdateProfileMaxTimeOff();
 
         onCreateSetNewPasswordWithComplexityPreference();
@@ -2359,7 +2348,11 @@ private void loadAppFeedbackNotifications() {
     private void loadAppStatus() {
         final @StringRes int appStatusStringId;
         if (mDevicePolicyManager.isProfileOwnerApp(mPackageName)) {
-            appStatusStringId = R.string.this_is_a_profile_owner;
+            if (isOrganizationOwnedDeviceWithManagedProfile()) {
+                appStatusStringId = R.string.this_is_an_org_owned_profile_owner;
+            } else {
+                appStatusStringId = R.string.this_is_a_profile_owner;
+            }
         } else if (mDevicePolicyManager.isDeviceOwnerApp(mPackageName)) {
             appStatusStringId = R.string.this_is_a_device_owner;
         } else if (isDelegatedApp()) {
@@ -4021,6 +4014,15 @@ private int validateDeviceOwnerBeforeP() {
         return NO_CUSTOM_CONSTRIANT;
     }
 
+    private int validateDeviceOwnerBeforeQ() {
+        if (Util.SDK_INT < VERSION_CODES.Q) {
+            if (!mDevicePolicyManager.isDeviceOwnerApp(mPackageName)) {
+                return R.string.requires_device_owner;
+            }
+        }
+        return NO_CUSTOM_CONSTRIANT;
+    }
+
     // TODO: nuke it when R sdk is available
     private boolean isOrganizationOwnedDeviceWithManagedProfile() {
         try {
@@ -4032,13 +4034,6 @@ private boolean isOrganizationOwnedDeviceWithManagedProfile() {
         }
     }
 
-    private int validateProfileOwnerOfOrganizationOwnedDevice() {
-        if (Util.SDK_INT < Util.R_VERSION_CODE || !isOrganizationOwnedDeviceWithManagedProfile()) {
-            return R.string.requires_profile_owner_organization_owned_device;
-        }
-        return NO_CUSTOM_CONSTRIANT;
-    }
-
     abstract static class ManageLockTaskListCallback {
         public abstract void onPositiveButtonClicked(String[] lockTaskArray);
     }

app/src/main/java/com/afwsamples/testdpc/policy/SecurityLogsFragment.java

@@ -32,6 +32,7 @@
 import com.afwsamples.testdpc.DeviceAdminReceiver;
 import com.afwsamples.testdpc.R;
 import com.afwsamples.testdpc.common.Util;
+import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
@@ -96,15 +97,16 @@ private void processEvents(List<SecurityEvent> logs) {
                     : R.string.failed_to_retrieve_security_logs);
             mAdapter.add(message);
         } else {
+            SimpleDateFormat formatter = new SimpleDateFormat("MM-dd HH:mm:ss.SSS");
             Log.d(TAG, "Incoming logs size: " + logs.size());
             for (SecurityEvent event : logs) {
                 StringBuilder sb = new StringBuilder();
-                sb.append(getStringEventTagFromId(event.getTag()));
                 if (Util.SDK_INT >= VERSION_CODES.P) {
-                    sb.append(" (id: " + getEventId(event) + ")");
+                    sb.append(getEventId(event) + ": ");
                 }
-                sb.append(" (").append(new Date(TimeUnit.NANOSECONDS.toMillis(
-                        event.getTimeNanos()))).append("): ");
+                sb.append(getStringEventTagFromId(event.getTag()));
+                sb.append(" (").append(formatter.format(new Date(TimeUnit.NANOSECONDS.toMillis(
+                        event.getTimeNanos())))).append("): ");
                 printData(sb, event.getData());
                 mAdapter.add(sb.toString());
             }

app/src/main/res/values/attrs.xml

@@ -36,13 +36,14 @@
         <attr name="admin">
             <flag name="none" value="0x1" />
             <flag name="deviceOwner" value="0x2" />
-            <flag name="profileOwner" value="0x4" />
+            <!-- A regular non-org-owned managed profile owner. -->
+            <flag name="byodProfileOwner" value="0x4" />
+            <flag name="orgOwnedProfileOwner" value="0x8" />
 
-            <flag name="notNone" value="0x6" /> <!-- default -->
-            <flag name="notDeviceOwner" value="0x5" />
-            <flag name="notProfileOwner" value="0x3" />
-
-            <flag name="any" value="0x7" />
+            <!-- A regular or org-owned managed profile owner. -->
+            <flag name="profileOwner" value="0xC" />
+            <flag name="notNone" value="0xE" /> <!-- default -->
+            <flag name="any" value="0xF" />
         </attr>
 
         <!-- Constrain a preference to a delegated scope. -->

app/src/main/res/values/strings.xml

@@ -100,6 +100,7 @@
     <string name="requires_delimiter">,\u0020</string>
     <string name="requires_or">\u0020or\u0020</string>
     <string name="device_owner">device owner</string>
+    <string name="org_owned_profile_owner">organization-owned profile owner</string>
     <string name="profile_owner">profile owner</string>
     <string name="primary_user">primary user</string>
     <string name="secondary_user">secondary user</string>
@@ -115,6 +116,7 @@
 
     <string name="this_is_a_device_owner">This app is the device owner.</string>
     <string name="this_is_a_profile_owner">This app is a profile owner.</string>
+    <string name="this_is_an_org_owned_profile_owner">This app is a profile owner of an organization-owned device.</string>
     <string name="this_is_a_delegated_app">This app has delegated permissions.</string>
     <string name="this_is_not_an_admin">This app is not an admin.</string>
 
@@ -316,7 +318,7 @@
     <string name="wifi_cancel">Cancel</string>
     <string name="wifi_config_success">WI-FI configuration saved.</string>
     <string name="wifi_config_fail">Failed to save the WI-FI configuration.</string>
-    <string name="enable_wifi_config_lockdown">DO created WI-FI configs are modifiable only by DO.</string>
+    <string name="enable_wifi_config_lockdown">DO created WI-FI configs are modifiable only by DO</string>
     <string name="modify_wifi_configuration">Modify WI-FI configuration</string>
     <string name="show_wifi_mac_address">Show Wi-Fi MAC address</string>
     <string name="show_wifi_mac_address_title">Wi-Fi MAC address</string>