1 /*
2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_kit.h"
17
18 #include <string>
19 #include <vector>
20
21 #include "accesstoken_log.h"
22 #include "accesstoken_manager_client.h"
23 #include "data_validator.h"
24
25 namespace OHOS {
26 namespace Security {
27 namespace AccessToken {
28 namespace {
29 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenKit"};
30 } // namespace
31
AllocHapToken(const HapInfoParams & info,const HapPolicyParams & policy)32 AccessTokenIDEx AccessTokenKit::AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy)
33 {
34 AccessTokenIDEx res = {0};
35 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
36 if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc)
37 || !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl)
38 || !DataValidator::IsDomainValid(policy.domain)) {
39 ACCESSTOKEN_LOG_ERROR(LABEL, "input param failed");
40 return res;
41 }
42
43 return AccessTokenManagerClient::GetInstance().AllocHapToken(info, policy);
44 }
45
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)46 AccessTokenID AccessTokenKit::AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID)
47 {
48 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, deviceID=%{private}s tokenID=%{public}d",
49 __func__, remoteDeviceID.c_str(), remoteTokenID);
50 #ifdef DEBUG_API_PERFORMANCE
51 ACCESSTOKEN_LOG_INFO(LABEL, "api_performance:start call");
52 AccessTokenID resID = AccessTokenManagerClient::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
53 ACCESSTOKEN_LOG_INFO(LABEL, "api_performance:end call");
54 return resID;
55 #else
56 return AccessTokenManagerClient::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
57 #endif
58 }
59
UpdateHapToken(AccessTokenID tokenID,const std::string & appIDDesc,const HapPolicyParams & policy)60 int AccessTokenKit::UpdateHapToken(AccessTokenID tokenID, const std::string& appIDDesc, const HapPolicyParams& policy)
61 {
62 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
63 if ((tokenID == 0) || (!DataValidator::IsAppIDDescValid(appIDDesc))
64 || (!DataValidator::IsAplNumValid(policy.apl))) {
65 ACCESSTOKEN_LOG_ERROR(LABEL, "input param failed");
66 return RET_FAILED;
67 }
68 return AccessTokenManagerClient::GetInstance().UpdateHapToken(tokenID, appIDDesc, policy);
69 }
70
DeleteToken(AccessTokenID tokenID)71 int AccessTokenKit::DeleteToken(AccessTokenID tokenID)
72 {
73 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
74 if (tokenID == 0) {
75 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
76 return RET_FAILED;
77 }
78 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d", tokenID);
79 return AccessTokenManagerClient::GetInstance().DeleteToken(tokenID);
80 }
81
GetTokenType(AccessTokenID tokenID)82 ATokenTypeEnum AccessTokenKit::GetTokenType(AccessTokenID tokenID)
83 {
84 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
85 if (tokenID == 0) {
86 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
87 return TOKEN_INVALID;
88 }
89 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d", tokenID);
90 return AccessTokenManagerClient::GetInstance().GetTokenType(tokenID);
91 }
92
GetTokenTypeFlag(AccessTokenID tokenID)93 ATokenTypeEnum AccessTokenKit::GetTokenTypeFlag(AccessTokenID tokenID)
94 {
95 if (tokenID == 0) {
96 return TOKEN_INVALID;
97 }
98 AccessTokenIDInner *idInner = (AccessTokenIDInner *)&tokenID;
99 return (ATokenTypeEnum)(idInner->type);
100 }
101
CheckNativeDCap(AccessTokenID tokenID,const std::string & dcap)102 int AccessTokenKit::CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap)
103 {
104 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
105 if (tokenID == 0) {
106 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
107 return RET_FAILED;
108 }
109 if (!DataValidator::IsDcapValid(dcap)) {
110 ACCESSTOKEN_LOG_ERROR(LABEL, "dcap is invalid");
111 return RET_FAILED;
112 }
113 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, dcap=%{public}s", tokenID, dcap.c_str());
114 return AccessTokenManagerClient::GetInstance().CheckNativeDCap(tokenID, dcap);
115 }
116
GetHapTokenID(int userID,const std::string & bundleName,int instIndex)117 AccessTokenID AccessTokenKit::GetHapTokenID(int userID, const std::string& bundleName, int instIndex)
118 {
119 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
120 if (!DataValidator::IsUserIdValid(userID) || !DataValidator::IsBundleNameValid(bundleName)) {
121 ACCESSTOKEN_LOG_ERROR(LABEL, "hap token param failed");
122 return 0;
123 }
124 ACCESSTOKEN_LOG_INFO(LABEL, "int userID=%{public}d, bundleName=%{public}s, instIndex=%{public}d",
125 userID, bundleName.c_str(), instIndex);
126 return AccessTokenManagerClient::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
127 }
128
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfo & hapTokenInfoRes)129 int AccessTokenKit::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes)
130 {
131 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
132 if (tokenID == 0) {
133 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
134 return RET_FAILED;
135 }
136 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d", tokenID);
137
138 return AccessTokenManagerClient::GetInstance().GetHapTokenInfo(tokenID, hapTokenInfoRes);
139 }
140
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfo & nativeTokenInfoRes)141 int AccessTokenKit::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes)
142 {
143 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
144 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d", tokenID);
145
146 return AccessTokenManagerClient::GetInstance().GetNativeTokenInfo(tokenID, nativeTokenInfoRes);
147 }
148
GetSelfPermissionsState(std::vector<PermissionListState> & permList)149 PermissionOper AccessTokenKit::GetSelfPermissionsState(std::vector<PermissionListState>& permList)
150 {
151 ACCESSTOKEN_LOG_INFO(LABEL, "called");
152 return AccessTokenManagerClient::GetInstance().GetSelfPermissionsState(permList);
153 }
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)154 int AccessTokenKit::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
155 {
156 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
157 if (tokenID == 0) {
158 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
159 return PERMISSION_DENIED;
160 }
161 if (!DataValidator::IsPermissionNameValid(permissionName)) {
162 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
163 return PERMISSION_DENIED;
164 }
165 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, permissionName=%{public}s", tokenID, permissionName.c_str());
166 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
167 }
168
VerifyAccessToken(AccessTokenID callerTokenID,AccessTokenID firstTokenID,const std::string & permissionName)169 int AccessTokenKit::VerifyAccessToken(
170 AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName)
171 {
172 int ret = AccessTokenKit::VerifyAccessToken(callerTokenID, permissionName);
173 if (ret != PERMISSION_GRANTED) {
174 return ret;
175 }
176 if (firstTokenID == FIRSTCALLER_TOKENID_DEFAULT) {
177 return ret;
178 }
179 return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName);
180 }
181
VerifyNativeToken(AccessTokenID tokenID,const std::string & permissionName)182 int AccessTokenKit::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName)
183 {
184 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
185 if (tokenID == 0) {
186 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID=%{public}d is invalid", tokenID);
187 return PERMISSION_DENIED;
188 }
189 if (!DataValidator::IsPermissionNameValid(permissionName)) {
190 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
191 return PERMISSION_DENIED;
192 }
193 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, permissionName=%{public}s", tokenID, permissionName.c_str());
194 return AccessTokenManagerClient::GetInstance().VerifyNativeToken(tokenID, permissionName);
195 }
196
GetDefPermission(const std::string & permissionName,PermissionDef & permissionDefResult)197 int AccessTokenKit::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
198 {
199 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
200 if (!DataValidator::IsPermissionNameValid(permissionName)) {
201 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
202 return RET_FAILED;
203 }
204 ACCESSTOKEN_LOG_INFO(LABEL, "permissionName=%{public}s", permissionName.c_str());
205
206 int ret = AccessTokenManagerClient::GetInstance().GetDefPermission(permissionName, permissionDefResult);
207 ACCESSTOKEN_LOG_INFO(LABEL, "GetDefPermission bundleName = %{public}s", permissionDefResult.bundleName.c_str());
208
209 return ret;
210 }
211
GetDefPermissions(AccessTokenID tokenID,std::vector<PermissionDef> & permDefList)212 int AccessTokenKit::GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDef>& permDefList)
213 {
214 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
215 if (tokenID == 0) {
216 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
217 return RET_FAILED;
218 }
219 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d", tokenID);
220
221 return AccessTokenManagerClient::GetInstance().GetDefPermissions(tokenID, permDefList);
222 }
223
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFull> & reqPermList,bool isSystemGrant)224 int AccessTokenKit::GetReqPermissions(
225 AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant)
226 {
227 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
228 if (tokenID == 0) {
229 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
230 return RET_FAILED;
231 }
232 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, isSystemGrant=%{public}d", tokenID, isSystemGrant);
233
234 return AccessTokenManagerClient::GetInstance().GetReqPermissions(tokenID, reqPermList, isSystemGrant);
235 }
236
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName)237 int AccessTokenKit::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName)
238 {
239 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
240 if (tokenID == 0) {
241 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
242 return DEFAULT_PERMISSION_FLAGS;
243 }
244 if (!DataValidator::IsPermissionNameValid(permissionName)) {
245 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
246 return DEFAULT_PERMISSION_FLAGS;
247 }
248 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, permissionName=%{public}s", tokenID, permissionName.c_str());
249 return AccessTokenManagerClient::GetInstance().GetPermissionFlag(tokenID, permissionName);
250 }
251
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,int flag)252 int AccessTokenKit::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, int flag)
253 {
254 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
255 if (tokenID == 0) {
256 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
257 return RET_FAILED;
258 }
259 if (!DataValidator::IsPermissionNameValid(permissionName)) {
260 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
261 return RET_FAILED;
262 }
263 if (!DataValidator::IsPermissionFlagValid(flag)) {
264 ACCESSTOKEN_LOG_ERROR(LABEL, "flag is invalid");
265 return RET_FAILED;
266 }
267 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, permissionName=%{public}s, flag=%{public}d",
268 tokenID, permissionName.c_str(), flag);
269 return AccessTokenManagerClient::GetInstance().GrantPermission(tokenID, permissionName, flag);
270 }
271
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,int flag)272 int AccessTokenKit::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, int flag)
273 {
274 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
275 if (tokenID == 0) {
276 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
277 return RET_FAILED;
278 }
279 if (!DataValidator::IsPermissionNameValid(permissionName)) {
280 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
281 return RET_FAILED;
282 }
283 if (!DataValidator::IsPermissionFlagValid(flag)) {
284 ACCESSTOKEN_LOG_ERROR(LABEL, "flag is invalid");
285 return RET_FAILED;
286 }
287 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, permissionName=%{public}s, flag=%{public}d",
288 tokenID, permissionName.c_str(), flag);
289 return AccessTokenManagerClient::GetInstance().RevokePermission(tokenID, permissionName, flag);
290 }
291
ClearUserGrantedPermissionState(AccessTokenID tokenID)292 int AccessTokenKit::ClearUserGrantedPermissionState(AccessTokenID tokenID)
293 {
294 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
295 if (tokenID == 0) {
296 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
297 return RET_FAILED;
298 }
299 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d", tokenID);
300 return AccessTokenManagerClient::GetInstance().ClearUserGrantedPermissionState(tokenID);
301 }
302
303 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)304 int AccessTokenKit::GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)
305 {
306 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
307 if (tokenID == 0) {
308 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
309 return RET_FAILED;
310 }
311 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d", tokenID);
312
313 return AccessTokenManagerClient::GetInstance().GetHapTokenInfoFromRemote(tokenID, hapSync);
314 }
315
GetAllNativeTokenInfo(std::vector<NativeTokenInfo> & nativeTokenInfosRes)316 int AccessTokenKit::GetAllNativeTokenInfo(std::vector<NativeTokenInfo>& nativeTokenInfosRes)
317 {
318 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
319
320 return AccessTokenManagerClient::GetInstance().GetAllNativeTokenInfo(nativeTokenInfosRes);
321 }
322
SetRemoteHapTokenInfo(const std::string & deviceID,const HapTokenInfoForSync & hapSync)323 int AccessTokenKit::SetRemoteHapTokenInfo(const std::string& deviceID,
324 const HapTokenInfoForSync& hapSync)
325 {
326 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, deviceID=%{private}s tokenID=%{public}d",
327 __func__, deviceID.c_str(), hapSync.baseInfo.tokenID);
328 return AccessTokenManagerClient::GetInstance().SetRemoteHapTokenInfo(deviceID, hapSync);
329 }
330
SetRemoteNativeTokenInfo(const std::string & deviceID,std::vector<NativeTokenInfo> & nativeTokenInfoList)331 int AccessTokenKit::SetRemoteNativeTokenInfo(const std::string& deviceID,
332 std::vector<NativeTokenInfo>& nativeTokenInfoList)
333 {
334 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, deviceID=%{private}s", __func__, deviceID.c_str());
335 return AccessTokenManagerClient::GetInstance()
336 .SetRemoteNativeTokenInfo(deviceID, nativeTokenInfoList);
337 }
338
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)339 int AccessTokenKit::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
340 {
341 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, deviceID=%{private}s tokenID=%{public}d",
342 __func__, deviceID.c_str(), tokenID);
343 return AccessTokenManagerClient::GetInstance().DeleteRemoteToken(deviceID, tokenID);
344 }
345
DeleteRemoteDeviceTokens(const std::string & deviceID)346 int AccessTokenKit::DeleteRemoteDeviceTokens(const std::string& deviceID)
347 {
348 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, deviceID=%{private}s", __func__, deviceID.c_str());
349 return AccessTokenManagerClient::GetInstance().DeleteRemoteDeviceTokens(deviceID);
350 }
351
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)352 AccessTokenID AccessTokenKit::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)
353 {
354 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, deviceID=%{private}s tokenID=%{public}d",
355 __func__, deviceID.c_str(), tokenID);
356 return AccessTokenManagerClient::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
357 }
358 #endif
359
DumpTokenInfo(std::string & dumpInfo)360 void AccessTokenKit::DumpTokenInfo(std::string& dumpInfo)
361 {
362 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
363 AccessTokenManagerClient::GetInstance().DumpTokenInfo(dumpInfo);
364 }
365 } // namespace AccessToken
366 } // namespace Security
367 } // namespace OHOS
368