-rw-r--r--services/core/java/com/android/server/locksettings/LockSettingsService.java19
-rw-r--r--services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java19
2 files changed, 27 insertions, 11 deletions
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index b14702dc6647..b3ab229927fe 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -1243,23 +1243,24 @@ public class LockSettingsService extends ILockSettings.Stub {
}
}
- private void enforceFrpResolved() {
+ private void enforceFrpNotActive() {
final int mainUserId = mInjector.getUserManagerInternal().getMainUserId();
if (mainUserId < 0) {
- Slog.d(TAG, "No Main user on device; skipping enforceFrpResolved");
+ Slog.d(TAG, "No Main user on device; skipping enforceFrpNotActive");
return;
}
- final ContentResolver cr = mContext.getContentResolver();
+ final ContentResolver cr = mContext.getContentResolver();
final boolean inSetupWizard = Settings.Secure.getIntForUser(cr,
Settings.Secure.USER_SETUP_COMPLETE, 0, mainUserId) == 0;
- final boolean secureFrp = android.security.Flags.frpEnforcement()
+ final boolean isFrpActive = android.security.Flags.frpEnforcement()
? mStorage.isFactoryResetProtectionActive()
- : (Settings.Global.getInt(cr, Settings.Global.SECURE_FRP_MODE, 0) == 1);
+ : (Settings.Global.getInt(cr, Settings.Global.SECURE_FRP_MODE, 0) == 1)
+ && inSetupWizard;
- if (inSetupWizard && secureFrp) {
- throw new SecurityException("Cannot change credential in SUW while factory reset"
- + " protection is not resolved yet");
+ if (isFrpActive) {
+ throw new SecurityException("Cannot change credential while factory reset protection"
+ + " is active");
}
}
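Review bot: The early return for `mainUserId < 0` at the top of `enforceFrpNotActive()` still skips the whole check when `frpEnforcement()` is on. That branch reads only `mStorage.isFactoryResetProtectionActive()`, and the main user is needed just for the `inSetupWizard` lookup, which the flag-on path ignores. If skipping enforcement on a device with no main user is not intended for the flag-on path, evaluate the flag first and keep the main-user lookup for the legacy `SECURE_FRP_MODE` path only, as sketched below. That also removes the reliance on `?:` binding looser than `&&` in the `isFrpActive` expression, which is correct as written but easy to misread.

```java
private void enforceFrpNotActive() {
    if (android.security.Flags.frpEnforcement()) {
        // Flag on: FRP state comes from mStorage and does not depend on a main user.
        if (mStorage.isFactoryResetProtectionActive()) {
            throw new SecurityException("Cannot change credential while factory reset protection"
                    + " is active");
        }
        return;
    }
    // … unchanged: main-user lookup with early return, cr and inSetupWizard lookups …
    final boolean isFrpActive =
            (Settings.Global.getInt(cr, Settings.Global.SECURE_FRP_MODE, 0) == 1)
                    && inSetupWizard;
    // … unchanged: throw SecurityException when isFrpActive …
}
```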
@@ -1831,7 +1832,7 @@ public class LockSettingsService extends ILockSettings.Stub {
final long identity = Binder.clearCallingIdentity();
try {
- enforceFrpResolved();
+ enforceFrpNotActive();
// When changing credential for profiles with unified challenge, some callers
// will pass in empty credential while others will pass in the credential of
// the parent user. setLockCredentialInternal() handles the formal case (empty
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java b/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java
index 4b22652a3f21..601a01624189 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java
@@ -43,6 +43,8 @@ import android.app.PropertyInvalidatedCache;
import android.content.Intent;
import android.os.RemoteException;
import android.os.UserHandle;
+import android.platform.test.annotations.DisableFlags;
+import android.platform.test.annotations.EnableFlags;
import android.platform.test.annotations.Presubmit;
import android.platform.test.flag.junit.SetFlagsRule;
import android.service.gatekeeper.GateKeeperResponse;
@@ -483,18 +485,31 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests {
setSecureFrpMode(true);
try {
mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);
- fail("Password shouldn't be changeable before FRP unlock");
+ fail("Password shouldn't be changeable while FRP is active");
} catch (SecurityException e) { }
}
@Test
- public void testSetCredentialPossibleInSecureFrpModeAfterSuw() throws RemoteException {
+ @DisableFlags(android.security.Flags.FLAG_FRP_ENFORCEMENT)
+ public void testSetCredentialPossibleInSecureFrpModeAfterSuw_FlagOff() throws RemoteException {
setUserSetupComplete(true);
setSecureFrpMode(true);
setCredential(PRIMARY_USER_ID, newPassword("1234"));
}
@Test
+ @EnableFlags(android.security.Flags.FLAG_FRP_ENFORCEMENT)
+ public void testSetCredentialNotPossibleInSecureFrpModeAfterSuw_FlagOn()
+ throws RemoteException {
+ setUserSetupComplete(true);
+ setSecureFrpMode(true);
+ try {
+ mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);
+ fail("Password shouldn't be changeable after SUW while FRP is active");
+ } catch (SecurityException e) { }
+ }
+
+ @Test
public void testPasswordHistoryDisabledByDefault() throws Exception {
final int userId = PRIMARY_USER_ID;
checkPasswordHistoryLength(userId, 0);
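Review bot: The new `testSetCredentialNotPossibleInSecureFrpModeAfterSuw_FlagOn` repeats the `try { …; fail(…); } catch (SecurityException e) { }` pattern with an empty catch, which hides the intent and asserts nothing about the exception. JUnit's `assertThrows(SecurityException.class, () -> mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID));` states the expectation in one statement; whether `assertThrows` is already imported in this file is not visible here. The hunk also adds no flag-on case showing that the credential can be set once FRP is no longer active, so the enabled path is only tested in the rejecting direction within these lines.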