From bc7a47c6d30943be512f9f982ae4803ff3cdc52a Mon Sep 17 00:00:00 2001
From: Rubin Xu <rubinxu@google.com>
Date: Wed, 22 Feb 2017 20:31:57 +0000
Subject: Allow user with a profile owner to have escrow tokens

This mainly covers the unicorn case where the primary user has
a profile owner set on it.

Test: cts-tradefed run cts-dev -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.MixedProfileOwnerTest#testResetPasswordWithToken
Bug: 35457534
Change-Id: Ieee883cce17c0b54b6e63fe113ada009e16150ad
---
 services/core/java/com/android/server/LockSettingsService.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
index f76ddc71bc01..d66cbdd7f842 100644
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -2198,18 +2198,26 @@ public class LockSettingsService extends ILockSettings.Stub {
         try {
             // Managed profile should have escrow enabled
             if (mUserManager.getUserInfo(userId).isManagedProfile()) {
+                Slog.i(TAG, "Managed profile can have escrow token");
                 return;
             }
             DevicePolicyManager dpm = (DevicePolicyManager)
                     mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
             // Devices with Device Owner should have escrow enabled on all users.
             if (dpm.getDeviceOwnerComponentOnAnyUser() != null) {
+                Slog.i(TAG, "Corp-owned device can have escrow token");
+                return;
+            }
+            // We could also have a profile owner on the given (non-managed) user for unicorn cases
+            if (dpm.getProfileOwnerAsUser(userId) != null) {
+                Slog.i(TAG, "User with profile owner can have escrow token");
                 return;
             }
             // If the device is yet to be provisioned (still in SUW), there is still
             // a chance that Device Owner will be set on the device later, so postpone
             // disabling escrow token for now.
             if (!dpm.isDeviceProvisioned()) {
+                Slog.i(TAG, "Postpone disabling escrow tokens until device is provisioned");
                 return;
             }
             // Disable escrow token permanently on all other device/user types.
-- 
cgit v1.2.3-59-g8ed1b