block adding repos when Unknown Sources is disable by Device Admin

Device Admin apps aka Mobile Device Management can set all sorts of
restrictions on the device.  One of these is to globally disable the use
of Unknown Sources.  The other is to restrict a user on the device from
using Unknown Sources.  Both of these are supported.  When either or both
are set, then F-Droid will not allow adding new repos, either via Intent or
via the UI.

refs #2238
https://gitlab.com/groups/CalyxOS/-/epics/25
https://gitlab.com/CalyxOS/calyxos/-/issues/611

app/src/main/java/org/fdroid/fdroid/data/NewRepoConfig.java

@@ -10,6 +10,7 @@ import org.fdroid.fdroid.R;
 import org.fdroid.fdroid.Utils;
 import org.fdroid.fdroid.nearby.SwapWorkflowActivity;
 import org.fdroid.fdroid.nearby.peers.WifiPeer;
+import org.fdroid.fdroid.views.ManageReposActivity;
 
 import java.util.Arrays;
 import java.util.List;
@@ -50,6 +51,12 @@ public class NewRepoConfig {
             return;
         }
 
+        if (ManageReposActivity.hasDisallowInstallUnknownSources(context)) {
+            errorMessage = ManageReposActivity.getDisallowInstallUnknownSourcesErrorMessage(context);
+            isValidRepo = false;
+            return;
+        }
+
         Utils.debugLog(TAG, "Parsing incoming intent looking for repo: " + incomingUri);
 
         // scheme and host should only ever be pure ASCII aka Locale.ENGLISH

app/src/main/java/org/fdroid/fdroid/views/ManageReposActivity.java

@@ -33,6 +33,7 @@ import android.net.wifi.WifiInfo;
 import android.net.wifi.WifiManager;
 import android.os.Build;
 import android.os.Bundle;
+import android.os.UserManager;
 import android.text.Editable;
 import android.text.TextUtils;
 import android.text.TextWatcher;
@@ -194,7 +195,11 @@ public class ManageReposActivity extends AppCompatActivity
     @Override
     public void finish() {
         Intent ret = new Intent();
-        setResult(RESULT_OK, ret);
+        if (getIntent() != null && hasDisallowInstallUnknownSources(this)) {
+            setResult(RESULT_CANCELED, ret);
+        } else {
+            setResult(RESULT_OK, ret);
+        }
         super.finish();
     }
 
@@ -262,7 +267,12 @@ public class ManageReposActivity extends AppCompatActivity
     }
 
     private void showAddRepo(String newAddress, String newFingerprint, String username, String password) {
-        new AddRepo(newAddress, newFingerprint, username, password);
+        if (hasDisallowInstallUnknownSources(this)) {
+            String msg = getDisallowInstallUnknownSourcesErrorMessage(this);
+            Toast.makeText(this, msg, Toast.LENGTH_LONG).show();
+        } else {
+            new AddRepo(newAddress, newFingerprint, username, password);
+        }
     }
 
     /**
@@ -911,4 +921,32 @@ public class ManageReposActivity extends AppCompatActivity
     private void notifyDataSetChanged() {
         getSupportLoaderManager().restartLoader(0, null, this);
     }
+
+    /**
+     * {@link android.app.admin.DevicePolicyManager} makes it possible to set
+     * user- or device-wide restrictions.  This changes whether installing from
+     * "Unknown Sources" has been disallowed by device policy.
+     *
+     * @return boolean whether installing from Unknown Sources has been disallowed
+     * @see UserManager#DISALLOW_INSTALL_UNKNOWN_SOURCES
+     * @see UserManager#DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY
+     */
+    public static boolean hasDisallowInstallUnknownSources(Context context) {
+        UserManager userManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
+        if (Build.VERSION.SDK_INT < 29) {
+            return userManager.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
+        } else {
+            return userManager.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES)
+                    || userManager.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY);
+        }
+    }
+
+    public static String getDisallowInstallUnknownSourcesErrorMessage(Context context) {
+        UserManager userManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
+        if (Build.VERSION.SDK_INT >= 29
+                && userManager.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY)) {
+            return context.getString(R.string.has_disallow_install_unknown_sources_globally);
+        }
+        return context.getString(R.string.has_disallow_install_unknown_sources);
+    }
 }

app/src/main/res/values/strings.xml

@@ -197,6 +197,10 @@ This often occurs with apps installed via Google Play or other sources, if they
     <string name="bad_fingerprint">Bad fingerprint</string>
     <string name="invalid_url">This is not a valid URL.</string>
     <string name="malformed_repo_uri">Ignoring malformed repo URI: %s</string>
+    <!-- Message presented in a dialog box when the device-wide management policy restricts adding new repos, e.g. "Unknown Sources". -->
+    <string name="has_disallow_install_unknown_sources_globally">Your device admin doesn\'t allow installing apps from unknown sources, that includes new repos</string>
+    <!-- Message presented in a dialog box when the user restriction set by the system restricts adding new repos, e.g. "Unknown Sources". -->
+    <string name="has_disallow_install_unknown_sources">Unknown sources can\'t be added by this user, that includes new repos</string>
     <string name="repo_provider">Repository: %s</string>
 
     <string name="menu_manage">Repositories</string>