Lock out user after 5 failed attempts

null-dev · null-dev · commit d8b2a4443c4c · 2022-05-21T17:21:00.000-07:00
diff --git a/faceunlock/src/main/java/ax/nd/faceunlock/FaceAuthActivity.kt b/faceunlock/src/main/java/ax/nd/faceunlock/FaceAuthActivity.kt
@@ -4,17 +4,20 @@ import android.os.Bundle
 import android.widget.TextView
 import android.widget.Toast
 import androidx.appcompat.app.AppCompatActivity
+import ax.nd.faceunlock.pref.Prefs
 import ax.nd.faceunlock.service.FaceAuthServiceCallbacks
 import ax.nd.faceunlock.service.FaceAuthServiceController
 
 class FaceAuthActivity : AppCompatActivity(), FaceAuthServiceCallbacks {
     private var controller: FaceAuthServiceController? = null
+    private lateinit var prefs: Prefs
     private var startTime: Long = 0
 
     override fun onCreate(savedInstanceState: Bundle?) {
         super.onCreate(savedInstanceState)
         setContentView(R.layout.activity_face_auth)
-        controller = FaceAuthServiceController(this, this)
+        prefs = FaceApplication.getApp().prefs
+        controller = FaceAuthServiceController(this, prefs, this)
     }
 
 
diff --git a/faceunlock/src/main/java/ax/nd/faceunlock/pref/PrefKeys.kt b/faceunlock/src/main/java/ax/nd/faceunlock/pref/PrefKeys.kt
@@ -7,4 +7,5 @@ object PrefKeys {
     const val REQUIRE_PIN_ON_BOOT = "require_pin_on_boot"
     const val BYPASS_KEYGUARD = "bypass_keyguard"
     const val SHOW_STATUS_TEXT = "show_status_text"
+    const val FAILED_UNLOCK_ATTEMPTS = "failed_unlock_attempts"
 }
diff --git a/faceunlock/src/main/java/ax/nd/faceunlock/pref/Prefs.kt b/faceunlock/src/main/java/ax/nd/faceunlock/pref/Prefs.kt
@@ -14,4 +14,5 @@ class Prefs(context: Context) {
     val requirePinOnBoot = flowPrefs.getBoolean(PrefKeys.REQUIRE_PIN_ON_BOOT, false)
     val bypassKeyguard = flowPrefs.getBoolean(PrefKeys.BYPASS_KEYGUARD, true)
     val showStatusText = flowPrefs.getBoolean(PrefKeys.SHOW_STATUS_TEXT, true)
+    val failedUnlockAttempts = flowPrefs.getInt(PrefKeys.FAILED_UNLOCK_ATTEMPTS, 0)
 }
diff --git a/faceunlock/src/main/java/ax/nd/faceunlock/service/FaceAuthServiceController.kt b/faceunlock/src/main/java/ax/nd/faceunlock/service/FaceAuthServiceController.kt
@@ -7,17 +7,19 @@ import android.content.ServiceConnection
 import android.os.IBinder
 import android.os.RemoteException
 import android.util.Log
+import ax.nd.faceunlock.pref.Prefs
 import ax.nd.faceunlock.stub.biometrics.BiometricFaceConstants
 import ax.nd.faceunlock.stub.face.FaceManager
 import com.android.internal.util.custom.faceunlock.IFaceService
 import com.android.internal.util.custom.faceunlock.IFaceServiceReceiver
+import kotlinx.coroutines.runBlocking
 
 interface FaceAuthServiceCallbacks {
     fun onAuthed()
     fun onError(errId: Int, message: String)
 }
 
-class FaceAuthServiceController(private val context: Context, private val cb: FaceAuthServiceCallbacks) {
+class FaceAuthServiceController(private val context: Context, private val prefs: Prefs, private val cb: FaceAuthServiceCallbacks) {
     private var serviceBound = false
     private val authCallback = object : IFaceServiceReceiver.Stub() {
         @Throws(RemoteException::class)
@@ -30,9 +32,14 @@ class FaceAuthServiceController(private val context: Context, private val cb: Fa
         override fun onAuthenticated(faceId: Int, userId: Int, token: ByteArray?) {
             if(userId == -1) {
                 // onAuthenticated can still be called if the request times out
+                // Commit this synchronously for security
+                runBlocking {
+                    prefs.failedUnlockAttempts.setAndCommit(prefs.failedUnlockAttempts.get() + 1)
+                }
                 onError(BiometricFaceConstants.FACE_ERROR_TIMEOUT, 0)
             } else {
                 Log.d(TAG, "Authentication OK: $faceId, $userId")
+                prefs.failedUnlockAttempts.set(0)
                 stopInternal(cancel = false)
                 cb.onAuthed()
             }
@@ -82,6 +89,10 @@ class FaceAuthServiceController(private val context: Context, private val cb: Fa
     }
 
     fun start() {
+        if(prefs.failedUnlockAttempts.get() >= 5) {
+            authCallback.onError(BiometricFaceConstants.FACE_ERROR_LOCKOUT_PERMANENT, 0)
+            return
+        }
         if(!serviceBound) {
             serviceBound = true
             context.bindService(
diff --git a/faceunlock/src/main/java/ax/nd/faceunlock/service/LockscreenFaceAuthService.kt b/faceunlock/src/main/java/ax/nd/faceunlock/service/LockscreenFaceAuthService.kt
@@ -50,7 +50,7 @@ class LockscreenFaceAuthService : AccessibilityService(), FaceAuthServiceCallbac
 
     private var active: Boolean = false
     private var lockStateReceiver: BroadcastReceiver? = null
-    private var requirePinOnBootReceiver: BroadcastReceiver? = null
+    private var unlockReceiver: BroadcastReceiver? = null
     private var controller: FaceAuthServiceController? = null
     private var keyguardManager: KeyguardManager? = null
     private var displayManager: DisplayManager? = null
@@ -63,6 +63,7 @@ class LockscreenFaceAuthService : AccessibilityService(), FaceAuthServiceCallbac
     private lateinit var prefs: Prefs
 
     private var showStatusText = true
+    private var booted = false
 
     override fun onCreate() {
         super.onCreate()
@@ -73,7 +74,7 @@ class LockscreenFaceAuthService : AccessibilityService(), FaceAuthServiceCallbac
 
         prefs = FaceApplication.getApp().prefs
 
-        controller = FaceAuthServiceController(this, this)
+        controller = FaceAuthServiceController(this, prefs, this)
 
         windowManager = getSystemService()
         keyguardManager = getSystemService()
@@ -85,12 +86,13 @@ class LockscreenFaceAuthService : AccessibilityService(), FaceAuthServiceCallbac
         textView?.setShadowLayer(10f, 0f, 0f, Color.BLACK)
         textView?.setTextSize(TypedValue.COMPLEX_UNIT_SP, 16f)
         textView?.setPadding(0, 16.dpToPx.toInt(), 0, 0)
+        textView?.textAlignment = TextView.TEXT_ALIGNMENT_CENTER
 
-        if(prefs.requirePinOnBoot.get()) {
-            setupRequirePinOnBootReceiver()
-        } else {
+        booted = !prefs.requirePinOnBoot.get()
+        if(booted) {
             reconfigureUnlockHook()
         }
+        setupUnlockReceiver()
 
         serviceScope.launch {
             prefs.showStatusText.asFlow().collect { showStatusText ->
@@ -99,30 +101,33 @@ class LockscreenFaceAuthService : AccessibilityService(), FaceAuthServiceCallbac
         }
     }
 
-    private fun setupRequirePinOnBootReceiver() {
+    private fun setupUnlockReceiver() {
         val intentFilter = IntentFilter().apply {
             addAction(Intent.ACTION_USER_PRESENT)
         }
-        requirePinOnBootReceiver = object : BroadcastReceiver() {
+        unlockReceiver = object : BroadcastReceiver() {
             override fun onReceive(p0: Context?, p1: Intent?) {
-                unregisterRequirePinOnBootReceiver()
-                reconfigureUnlockHook()
+                if(!booted) {
+                    booted = true
+                    reconfigureUnlockHook()
+                }
+                prefs.failedUnlockAttempts.set(0)
             }
         }
-        registerReceiver(requirePinOnBootReceiver, intentFilter)
+        registerReceiver(unlockReceiver, intentFilter)
     }
 
-    private fun unregisterRequirePinOnBootReceiver() {
-        requirePinOnBootReceiver?.let {
+    private fun unregisterUnlockReceiver() {
+        unlockReceiver?.let {
             unregisterReceiver(it)
-            requirePinOnBootReceiver = null
+            unlockReceiver = null
         }
     }
 
     private fun reconfigureUnlockHook() {
         serviceScope.launch {
             prefs.earlyUnlockHook.asFlow().collect { earlyUnlock ->
-                unregisterUnlockReceiver()
+                unregisterLockStateReceiver()
                 if(earlyUnlock) {
                     registerEarlyUnlockReceiver()
                 } else {
@@ -163,7 +168,7 @@ class LockscreenFaceAuthService : AccessibilityService(), FaceAuthServiceCallbac
         registerReceiver(lockStateReceiver, intentFilter)
     }
 
-    private fun unregisterUnlockReceiver() {
+    private fun unregisterLockStateReceiver() {
         lockStateReceiver?.let {
             unregisterReceiver(it)
             lockStateReceiver = null
@@ -184,8 +189,8 @@ class LockscreenFaceAuthService : AccessibilityService(), FaceAuthServiceCallbac
     override fun onDestroy() {
         super.onDestroy()
 
+        unregisterLockStateReceiver()
         unregisterUnlockReceiver()
-        unregisterRequirePinOnBootReceiver()
         hide()
         serviceJob.cancel()
     }

Original file line number	Diff line number	Diff line change
`@@ -7,4 +7,5 @@ object PrefKeys {`
`7`	`7`	`const val REQUIRE_PIN_ON_BOOT = "require_pin_on_boot"`
`8`	`8`	`const val BYPASS_KEYGUARD = "bypass_keyguard"`
`9`	`9`	`const val SHOW_STATUS_TEXT = "show_status_text"`
	`10`	`+ const val FAILED_UNLOCK_ATTEMPTS = "failed_unlock_attempts"`
`10`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,4 +14,5 @@ class Prefs(context: Context) {`
`14`	`14`	`val requirePinOnBoot = flowPrefs.getBoolean(PrefKeys.REQUIRE_PIN_ON_BOOT, false)`
`15`	`15`	`val bypassKeyguard = flowPrefs.getBoolean(PrefKeys.BYPASS_KEYGUARD, true)`
`16`	`16`	`val showStatusText = flowPrefs.getBoolean(PrefKeys.SHOW_STATUS_TEXT, true)`
	`17`	`+ val failedUnlockAttempts = flowPrefs.getInt(PrefKeys.FAILED_UNLOCK_ATTEMPTS, 0)`
`17`	`18`	`}`