Merge pull request #2335 from brandonpage/screen-lock-timeout

brandonpage · web-flow · commit 3da964f3bc3f · 2022-08-10T15:01:47.000-07:00
Add Screen Lock Timeout
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/app/SalesforceSDKUpgradeManager.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/app/SalesforceSDKUpgradeManager.java
@@ -28,15 +28,24 @@
 
 import static com.salesforce.androidsdk.security.ScreenLockManager.MOBILE_POLICY_PREF;
 import static com.salesforce.androidsdk.security.ScreenLockManager.SCREEN_LOCK;
+import static com.salesforce.androidsdk.security.ScreenLockManager.SCREEN_LOCK_TIMEOUT;
 
 import android.content.Context;
 import android.content.SharedPreferences;
 
 import com.salesforce.androidsdk.accounts.UserAccount;
 import com.salesforce.androidsdk.accounts.UserAccountManager;
+import com.salesforce.androidsdk.analytics.SalesforceAnalyticsManager;
+import com.salesforce.androidsdk.auth.HttpAccess;
+import com.salesforce.androidsdk.auth.OAuth2;
 import com.salesforce.androidsdk.util.SalesforceSDKLogger;
 
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.HashMap;
 import java.util.List;
+import java.util.concurrent.Executors;
 
 /**
  * This class handles upgrades from one version to another.
@@ -94,6 +103,10 @@ protected synchronized void upgradeAccMgr() {
             if (installedVerDouble < 9.2) {
                 upgradeTo9Dot2();
             }
+            // Already incorporated into 9.2 upgrade.
+            if (installedVerDouble > 9.2 && installedVerDouble <= 10.1) {
+                upgradeTo10Dot1Dot1();
+            }
         } catch (Exception e) {
             SalesforceSDKLogger.e(TAG, "Failed to parse installed version.");
         }
@@ -146,8 +159,10 @@ private void upgradeTo9Dot2() {
         if (globalPrefs.contains(KEY_TIMEOUT) && globalPrefs.contains(KEY_PASSCODE_LENGTH)) {
             SharedPreferences.Editor globalEditor = globalPrefs.edit();
             // Check that Passcode was enabled
-            if (globalPrefs.getInt(KEY_TIMEOUT, 0) != 0) {
+            int timeout = globalPrefs.getInt(KEY_TIMEOUT, 0);
+            if (timeout != 0) {
                 globalEditor.putBoolean(SCREEN_LOCK, true);
+                globalEditor.putInt(SCREEN_LOCK_TIMEOUT, timeout);
             }
 
             globalEditor.remove(KEY_PASSCODE);
@@ -170,11 +185,12 @@ private void upgradeTo9Dot2() {
                             + account.getOrgLevelFilenameSuffix(), Context.MODE_PRIVATE);
                     if (orgPrefs.contains(KEY_TIMEOUT) && orgPrefs.contains(KEY_PASSCODE_LENGTH)) {
                         // Check that Passcode was enabled
-                        if (orgPrefs.getInt(KEY_TIMEOUT, 0) != 0) {
+                        int userTimeout = orgPrefs.getInt(KEY_TIMEOUT, 0);
+                        if (userTimeout != 0) {
                             // Set screen lock key at user level
                             final SharedPreferences userPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF
                                     + account.getUserLevelFilenameSuffix(), Context.MODE_PRIVATE);
-                            userPrefs.edit().putBoolean(SCREEN_LOCK, true).apply();
+                            userPrefs.edit().putBoolean(SCREEN_LOCK, true).putInt(SCREEN_LOCK_TIMEOUT, userTimeout).apply();
                         }
 
                         // Delete passcode keys at org level
@@ -193,4 +209,48 @@ private void upgradeTo9Dot2() {
             }
         }
     }
+
+    // TODO: Remove upgrade step in Mobile SDK 12.0
+    private void upgradeTo10Dot1Dot1() {
+        final Context ctx = SalesforceSDKManager.getInstance().getAppContext();
+        final SharedPreferences globalPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF, Context.MODE_PRIVATE);
+        if (globalPrefs.contains(SCREEN_LOCK)) {
+            final UserAccountManager manager = SalesforceSDKManager.getInstance().getUserAccountManager();
+            final List<UserAccount> accounts = manager.getAuthenticatedUsers();
+
+            if (accounts != null) {
+                Executors.newSingleThreadExecutor().execute(() -> {
+                    int lowestTimeout = Integer.MAX_VALUE;
+
+                    // Get and set connected app mobile policy timeout per user.
+                    for (UserAccount account : accounts) {
+                        try {
+                            final OAuth2.IdServiceResponse response = OAuth2.callIdentityService(HttpAccess.DEFAULT,
+                                    account.getIdUrl(), account.getAuthToken());
+
+                            if (response.mobilePolicy && response.screenLockTimeout != -1) {
+                                final SharedPreferences userPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF
+                                        + account.getUserLevelFilenameSuffix(), Context.MODE_PRIVATE);
+                                int timeoutInMills = response.screenLockTimeout * 1000 * 60;
+                                userPrefs.edit().putInt(SCREEN_LOCK_TIMEOUT, timeoutInMills).apply();
+
+                                if (lowestTimeout == Integer.MAX_VALUE || timeoutInMills < lowestTimeout) {
+                                    lowestTimeout = timeoutInMills;
+                                }
+                            }
+                        } catch (IOException e) {
+                            SalesforceSDKLogger.e(TAG, "Exception throw retrieving mobile policy", e);
+                        }
+                    }
+
+                    // Set timeout or remove block.
+                    if (lowestTimeout < Integer.MAX_VALUE && lowestTimeout > 0) {
+                        globalPrefs.edit().putInt(SCREEN_LOCK_TIMEOUT, lowestTimeout).apply();
+                    } else {
+                        globalPrefs.edit().remove(SCREEN_LOCK).apply();
+                    }
+                });
+            }
+        }
+    }
 }
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java
@@ -90,6 +90,7 @@ public class OAuth2 {
     private static final String INSTANCE_URL = "instance_url";
     private static final String JSON = "json";
     private static final String MOBILE_POLICY = "mobile_policy";
+    private static final String SCREEN_LOCK_TIMEOUT = "screen_lock";
     private static final String REFRESH_TOKEN = "refresh_token";
     private static final String HYBRID_REFRESH = "hybrid_refresh";
     private static final String RESPONSE_TYPE = "response_type";
@@ -527,7 +528,7 @@ public static class IdServiceResponse {
         public String pictureUrl;
         public String thumbnailUrl;
         public boolean mobilePolicy;
-        public int pinLength = -1;
+        @Deprecated public int pinLength = -1;
         public int screenLockTimeout = -1;
         public boolean biometricUnlockAllowed = true;
         public JSONObject customAttributes;
@@ -553,7 +554,11 @@ public IdServiceResponse(Response response) {
                 }
                 customAttributes = parsedResponse.optJSONObject(CUSTOM_ATTRIBUTES);
                 customPermissions = parsedResponse.optJSONObject(CUSTOM_PERMISSIONS);
-                mobilePolicy = parsedResponse.has(MOBILE_POLICY);
+                if (parsedResponse.has(MOBILE_POLICY)) {
+                    JSONObject mobilePolicyObject = parsedResponse.getJSONObject(MOBILE_POLICY);
+                    mobilePolicy = mobilePolicyObject.has(SCREEN_LOCK_TIMEOUT);
+                    screenLockTimeout = mobilePolicyObject.getInt(SCREEN_LOCK_TIMEOUT);
+                }
             } catch (Exception e) {
                 SalesforceSDKLogger.w(TAG, "Could not parse identity response", e);
             }
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/security/ScreenLockManager.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/security/ScreenLockManager.java
@@ -48,28 +48,46 @@ public class ScreenLockManager {
 
     public static final String MOBILE_POLICY_PREF = "mobile_policy";
     public static final String SCREEN_LOCK = "screen_lock";
+    public static final String SCREEN_LOCK_TIMEOUT = "screen_lock_timeout";
 
-    private boolean backgroundedSinceUnlock = true;
+    private long lastLockedTimestamp = 0;
 
     /**
      * Stores the mobile policy for the org upon user login.
      *
      * @param account the newly add account
      * @param screenLockRequired if the account requires screen lock or not
+     *
+     * @deprecated Timeout is now required. This method will be removed in 11.0.
+     */
+    @Deprecated
+    public void storeMobilePolicy(UserAccount account, boolean screenLockRequired) { }
+
+    /**
+     * Stores the mobile policy for the org upon user login.
+     *
+     * @param account the newly add account
+     * @param screenLockRequired if the account requires screen lock or not
+     * @param timeout timeout in milliseconds
      */
-    public void storeMobilePolicy(UserAccount account, boolean screenLockRequired) {
+    public void storeMobilePolicy(UserAccount account, boolean screenLockRequired, int timeout) {
         Context ctx = SalesforceSDKManager.getInstance().getAppContext();
         SharedPreferences accountSharedPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF
                 + account.getUserLevelFilenameSuffix(), Context.MODE_PRIVATE);
-        accountSharedPrefs.edit().putBoolean(SCREEN_LOCK, screenLockRequired).apply();
+        accountSharedPrefs.edit().putBoolean(SCREEN_LOCK, screenLockRequired).putInt(SCREEN_LOCK_TIMEOUT, timeout).apply();
 
         SharedPreferences globalPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF, Context.MODE_PRIVATE);
         if (screenLockRequired) {
-            globalPrefs.edit().putBoolean(SCREEN_LOCK, true).apply();
+            int currentTimeout = globalPrefs.getInt(SCREEN_LOCK_TIMEOUT, 0);
+            SharedPreferences.Editor globalPrefsEditor = globalPrefs.edit();
+
+            globalPrefsEditor.putBoolean(SCREEN_LOCK, true);
+            if (currentTimeout == 0 || timeout < currentTimeout) {
+                globalPrefsEditor.putInt(SCREEN_LOCK_TIMEOUT, timeout);
+            }
+            globalPrefsEditor.apply();
 
-            // This is needed to block access to the app immediately on login
-            backgroundedSinceUnlock = true;
-            onAppForegrounded();
+            lock();
         }
     }
 
@@ -86,7 +104,7 @@ public void onAppForegrounded() {
      * To be called by the protected activity is paused to denote that the app should lock.
      */
     public void onAppBackgrounded() {
-        backgroundedSinceUnlock = true;
+        lastLockedTimestamp = System.currentTimeMillis();
     }
 
     /**
@@ -95,7 +113,7 @@ public void onAppBackgrounded() {
     public void reset() {
         Context ctx = SalesforceSDKManager.getInstance().getAppContext();
         SharedPreferences globalPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF, Context.MODE_PRIVATE);
-        globalPrefs.edit().remove(SCREEN_LOCK).apply();
+        globalPrefs.edit().remove(SCREEN_LOCK).remove(SCREEN_LOCK_TIMEOUT).apply();
     }
 
     /**
@@ -110,23 +128,34 @@ public void cleanUp(UserAccount account) {
         if (account != null) {
             final SharedPreferences accountPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF
                     + account.getUserLevelFilenameSuffix(), Context.MODE_PRIVATE);
-            accountPrefs.edit().remove(SCREEN_LOCK).apply();
+            accountPrefs.edit().remove(SCREEN_LOCK).remove(SCREEN_LOCK_TIMEOUT).apply();
         }
 
         // Determine if any other users still need Screen Lock.
         final List<UserAccount> accounts = SalesforceSDKManager.getInstance()
                 .getUserAccountManager().getAuthenticatedUsers();
+        int lowestTimeout = Integer.MAX_VALUE;
+
         if (accounts != null) {
             accounts.remove(account);
             for (final UserAccount mAccount : accounts) {
                 if (mAccount != null) {
                     final SharedPreferences accountPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF
                             + mAccount.getUserLevelFilenameSuffix(), Context.MODE_PRIVATE);
                     if (accountPrefs.getBoolean(SCREEN_LOCK, false)) {
-                        return;
+                        int timeout = accountPrefs.getInt(SCREEN_LOCK_TIMEOUT, Integer.MAX_VALUE);
+                        if (timeout < lowestTimeout) {
+                            lowestTimeout = timeout;
+                        }
                     }
                 }
             }
+
+            if (lowestTimeout < Integer.MAX_VALUE) {
+                SharedPreferences globalPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF, Context.MODE_PRIVATE);
+                globalPrefs.edit().putInt(SCREEN_LOCK_TIMEOUT, lowestTimeout).apply();
+                return;
+            }
         }
 
         // If we have returned, no other accounts require Screen Lock.
@@ -135,20 +164,21 @@ public void cleanUp(UserAccount account) {
 
     /**
      * Unlocks the app.
+     *
+     * @deprecated This method will be removed in 11.0.
      */
-    public void unlock() {
-        backgroundedSinceUnlock = false;
-    }
+    @Deprecated
+    public void unlock() { }
 
     @VisibleForTesting
     protected boolean shouldLock() {
-        return backgroundedSinceUnlock && readMobilePolicy();
-    }
-
-    private boolean readMobilePolicy() {
+        long elapsedTime = System.currentTimeMillis() - lastLockedTimestamp;
         Context ctx = SalesforceSDKManager.getInstance().getAppContext();
         SharedPreferences sharedPrefs = ctx.getSharedPreferences(MOBILE_POLICY_PREF, Context.MODE_PRIVATE);
-        return sharedPrefs.getBoolean(SCREEN_LOCK, false);
+        boolean hasLock = sharedPrefs.getBoolean(SCREEN_LOCK, false);
+        int timeout = sharedPrefs.getInt(SCREEN_LOCK_TIMEOUT, 0);
+
+        return hasLock && (elapsedTime > timeout);
     }
 
     private void lock() {
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/OAuthWebviewHelper.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/OAuthWebviewHelper.java
@@ -621,8 +621,12 @@ protected void onPostExecute(OAuth2.TokenEndpointResponse tr) {
             // Save the user account
             addAccount(account);
 
-            final ScreenLockManager screenLockManager = mgr.getScreenLockManager();
-            screenLockManager.storeMobilePolicy(account, id.mobilePolicy);
+            // Screen lock required by mobile policy.
+            if (id.screenLockTimeout > 0) {
+                int timeoutInMills = id.screenLockTimeout * 1000 * 60;
+                final ScreenLockManager screenLockManager = mgr.getScreenLockManager();
+                screenLockManager.storeMobilePolicy(account, id.mobilePolicy, timeoutInMills);
+            }
 
             // All done
             callback.finish(account);
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/ScreenLockActivity.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/ScreenLockActivity.java
@@ -214,7 +214,6 @@ private void onAuthError(CharSequence errString) {
     private void finishSuccess() {
         resetUI();
         sendAccessibilityEvent(getString(R.string.sf__screen_lock_auth_success));
-        SalesforceSDKManager.getInstance().getScreenLockManager().unlock();
         finish();
     }
 
diff --git a/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/auth/OAuth2Test.java b/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/auth/OAuth2Test.java
@@ -286,7 +286,6 @@ public void testCallIdentityService() throws IOException, OAuthFailedException,
 		IdServiceResponse id = OAuth2.callIdentityService(httpAccess, TestCredentials.INSTANCE_URL +
                 "/id/" + TestCredentials.ORG_ID + "/" + TestCredentials.USER_ID, refreshResponse.authToken);
         Assert.assertEquals("Wrong username returned", TestCredentials.USERNAME, id.username);
-        Assert.assertEquals("Wrong pinLength returned", -1, id.pinLength);
         Assert.assertEquals("Wrong screenLockTimeout returned", -1, id.screenLockTimeout);
         Assert.assertTrue("Wrong biometricUnlockAllowed returned", id.biometricUnlockAllowed);
 	}
diff --git a/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/security/ScreenLockManagerTest.java b/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/security/ScreenLockManagerTest.java

Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,6 @@ private void onAuthError(CharSequence errString) {`
`214`	`214`	`private void finishSuccess() {`
`215`	`215`	`resetUI();`
`216`	`216`	`sendAccessibilityEvent(getString(R.string.sf__screen_lock_auth_success));`
`217`		`- SalesforceSDKManager.getInstance().getScreenLockManager().unlock();`
`218`	`217`	`finish();`
`219`	`218`	`}`
`220`	`219`
Original file line number	Diff line number	Diff line change
`@@ -286,7 +286,6 @@ public void testCallIdentityService() throws IOException, OAuthFailedException,`
`286`	`286`	`IdServiceResponse id = OAuth2.callIdentityService(httpAccess, TestCredentials.INSTANCE_URL +`
`287`	`287`	`"/id/" + TestCredentials.ORG_ID + "/" + TestCredentials.USER_ID, refreshResponse.authToken);`
`288`	`288`	`Assert.assertEquals("Wrong username returned", TestCredentials.USERNAME, id.username);`
`289`		`- Assert.assertEquals("Wrong pinLength returned", -1, id.pinLength);`
`290`	`289`	`Assert.assertEquals("Wrong screenLockTimeout returned", -1, id.screenLockTimeout);`
`291`	`290`	`Assert.assertTrue("Wrong biometricUnlockAllowed returned", id.biometricUnlockAllowed);`
`292`	`291`	`}`