1 /*
2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_manager_stub.h"
17
18 #include <unistd.h>
19 #include "accesstoken_dfx_define.h"
20 #include "accesstoken_log.h"
21 #include "access_token_error.h"
22 #include "ipc_skeleton.h"
23 #include "string_ex.h"
24
25 namespace OHOS {
26 namespace Security {
27 namespace AccessToken {
28 namespace {
29 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "ATMStub"};
30 constexpr int32_t FOUNDATION_UID = 5523;
31 static const int32_t DUMP_CAPACITY_SIZE = 2 * 1024 * 1000;
32 static const int MAX_PERMISSION_SIZE = 1000;
33 #ifdef TOKEN_SYNC_ENABLE
34 static const int MAX_NATIVE_TOKEN_INFO_SIZE = 20480;
35 #endif
36 const std::string GRANT_SENSITIVE_PERMISSIONS = "ohos.permission.GRANT_SENSITIVE_PERMISSIONS";
37 const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS";
38 const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS";
39 }
40
OnRemoteRequest(uint32_t code,MessageParcel & data,MessageParcel & reply,MessageOption & option)41 int32_t AccessTokenManagerStub::OnRemoteRequest(
42 uint32_t code, MessageParcel& data, MessageParcel& reply, MessageOption& option)
43 {
44 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
45 ACCESSTOKEN_LOG_DEBUG(LABEL, "code %{public}u token %{public}u", code, callingTokenID);
46 std::u16string descriptor = data.ReadInterfaceToken();
47 if (descriptor != IAccessTokenManager::GetDescriptor()) {
48 ACCESSTOKEN_LOG_ERROR(LABEL, "get unexpect descriptor: %{public}s", Str16ToStr8(descriptor).c_str());
49 return -1;
50 }
51 auto itFunc = requestFuncMap_.find(code);
52 if (itFunc != requestFuncMap_.end()) {
53 auto requestFunc = itFunc->second;
54 if (requestFunc != nullptr) {
55 (this->*requestFunc)(data, reply);
56 } else {
57 // when valid code without any function to handle
58 return IPCObjectStub::OnRemoteRequest(code, data, reply, option);
59 }
60 } else {
61 return IPCObjectStub::OnRemoteRequest(code, data, reply, option); // when code invalid
62 }
63
64 return NO_ERROR;
65 }
66
DeleteTokenInfoInner(MessageParcel & data,MessageParcel & reply)67 void AccessTokenManagerStub::DeleteTokenInfoInner(MessageParcel& data, MessageParcel& reply)
68 {
69 if (!IsFoundationCalling() && !IsPrivilegedCalling()) {
70 ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied");
71 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
72 return;
73 }
74 AccessTokenID tokenID = data.ReadUint32();
75 int result = this->DeleteToken(tokenID);
76 reply.WriteInt32(result);
77 }
78
VerifyAccessTokenInner(MessageParcel & data,MessageParcel & reply)79 void AccessTokenManagerStub::VerifyAccessTokenInner(MessageParcel& data, MessageParcel& reply)
80 {
81 AccessTokenID tokenID = data.ReadUint32();
82 std::string permissionName = data.ReadString();
83 int result = this->VerifyAccessToken(tokenID, permissionName);
84 reply.WriteInt32(result);
85 }
86
GetDefPermissionInner(MessageParcel & data,MessageParcel & reply)87 void AccessTokenManagerStub::GetDefPermissionInner(MessageParcel& data, MessageParcel& reply)
88 {
89 std::string permissionName = data.ReadString();
90 PermissionDefParcel permissionDefParcel;
91 int result = this->GetDefPermission(permissionName, permissionDefParcel);
92 reply.WriteInt32(result);
93 if (result != RET_SUCCESS) {
94 return;
95 }
96 reply.WriteParcelable(&permissionDefParcel);
97 }
98
GetDefPermissionsInner(MessageParcel & data,MessageParcel & reply)99 void AccessTokenManagerStub::GetDefPermissionsInner(MessageParcel& data, MessageParcel& reply)
100 {
101 AccessTokenID tokenID = data.ReadUint32();
102 std::vector<PermissionDefParcel> permList;
103
104 int result = this->GetDefPermissions(tokenID, permList);
105 reply.WriteInt32(result);
106 if (result != RET_SUCCESS) {
107 return;
108 }
109 ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s called, permList size: %{public}zu", __func__, permList.size());
110 reply.WriteUint32(permList.size());
111 for (const auto& permDef : permList) {
112 reply.WriteParcelable(&permDef);
113 }
114 }
115
GetReqPermissionsInner(MessageParcel & data,MessageParcel & reply)116 void AccessTokenManagerStub::GetReqPermissionsInner(MessageParcel& data, MessageParcel& reply)
117 {
118 AccessTokenID tokenID = data.ReadUint32();
119 int isSystemGrant = data.ReadInt32();
120 std::vector<PermissionStateFullParcel> permList;
121
122 int result = this->GetReqPermissions(tokenID, permList, isSystemGrant);
123 reply.WriteInt32(result);
124 if (result != RET_SUCCESS) {
125 return;
126 }
127 ACCESSTOKEN_LOG_DEBUG(LABEL, "permList size: %{public}zu", permList.size());
128 reply.WriteUint32(permList.size());
129 for (const auto& permDef : permList) {
130 reply.WriteParcelable(&permDef);
131 }
132 }
133
GetSelfPermissionsStateInner(MessageParcel & data,MessageParcel & reply)134 void AccessTokenManagerStub::GetSelfPermissionsStateInner(MessageParcel& data, MessageParcel& reply)
135 {
136 std::vector<PermissionListStateParcel> permList;
137 uint32_t size = 0;
138 if (!data.ReadUint32(size)) {
139 reply.WriteInt32(INVALID_OPER);
140 return;
141 }
142 ACCESSTOKEN_LOG_DEBUG(LABEL, "permList size read from client data is %{public}d.", size);
143 if (size > MAX_PERMISSION_SIZE) {
144 ACCESSTOKEN_LOG_ERROR(LABEL, "permList size %{public}d is invalid", size);
145 reply.WriteInt32(INVALID_OPER);
146 return;
147 }
148 for (uint32_t i = 0; i < size; i++) {
149 sptr<PermissionListStateParcel> permissionParcel = data.ReadParcelable<PermissionListStateParcel>();
150 if (permissionParcel != nullptr) {
151 permList.emplace_back(*permissionParcel);
152 }
153 }
154
155 PermissionOper result = this->GetSelfPermissionsState(permList);
156
157 reply.WriteInt32(result);
158
159 reply.WriteUint32(permList.size());
160 for (const auto& perm : permList) {
161 reply.WriteParcelable(&perm);
162 }
163 }
164
GetPermissionFlagInner(MessageParcel & data,MessageParcel & reply)165 void AccessTokenManagerStub::GetPermissionFlagInner(MessageParcel& data, MessageParcel& reply)
166 {
167 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
168 AccessTokenID tokenID = data.ReadUint32();
169 std::string permissionName = data.ReadString();
170 if (!IsPrivilegedCalling() &&
171 VerifyAccessToken(callingTokenID, GRANT_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED &&
172 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED &&
173 VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
174 ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID);
175 reply.WriteInt32(PERMISSION_DEFAULT_FLAG);
176 return;
177 }
178 int32_t flag;
179 int result = this->GetPermissionFlag(tokenID, permissionName, flag);
180 reply.WriteInt32(result);
181 if (result != RET_SUCCESS) {
182 return;
183 }
184 reply.WriteInt32(flag);
185 }
186
GrantPermissionInner(MessageParcel & data,MessageParcel & reply)187 void AccessTokenManagerStub::GrantPermissionInner(MessageParcel& data, MessageParcel& reply)
188 {
189 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
190 AccessTokenID tokenID = data.ReadUint32();
191 std::string permissionName = data.ReadString();
192 int flag = data.ReadInt32();
193 if (!IsPrivilegedCalling() && !IsFoundationCalling() &&
194 VerifyAccessToken(callingTokenID, GRANT_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
195 HiviewDFX::HiSysEvent::Write(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
196 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
197 "CALLER_TOKENID", callingTokenID, "PERMISSION_NAME", permissionName);
198 ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID);
199 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
200 return;
201 }
202 int result = this->GrantPermission(tokenID, permissionName, flag);
203 reply.WriteInt32(result);
204 }
205
RevokePermissionInner(MessageParcel & data,MessageParcel & reply)206 void AccessTokenManagerStub::RevokePermissionInner(MessageParcel& data, MessageParcel& reply)
207 {
208 unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
209 AccessTokenID tokenID = data.ReadUint32();
210 std::string permissionName = data.ReadString();
211 int flag = data.ReadInt32();
212 if (!IsPrivilegedCalling() && !IsFoundationCalling() &&
213 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
214 HiviewDFX::HiSysEvent::Write(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
215 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
216 "CALLER_TOKENID", callingTokenID, "PERMISSION_NAME", permissionName);
217 ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID);
218 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
219 return;
220 }
221 int result = this->RevokePermission(tokenID, permissionName, flag);
222 reply.WriteInt32(result);
223 }
224
ClearUserGrantedPermissionStateInner(MessageParcel & data,MessageParcel & reply)225 void AccessTokenManagerStub::ClearUserGrantedPermissionStateInner(MessageParcel& data, MessageParcel& reply)
226 {
227 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
228 if (!IsPrivilegedCalling() && !IsFoundationCalling() &&
229 VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
230 HiviewDFX::HiSysEvent::Write(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT",
231 HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR,
232 "CALLER_TOKENID", callingTokenID);
233 ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID);
234 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
235 return;
236 }
237 AccessTokenID tokenID = data.ReadUint32();
238 int result = this->ClearUserGrantedPermissionState(tokenID);
239 reply.WriteInt32(result);
240 }
241
AllocHapTokenInner(MessageParcel & data,MessageParcel & reply)242 void AccessTokenManagerStub::AllocHapTokenInner(MessageParcel& data, MessageParcel& reply)
243 {
244 AccessTokenIDEx res = {0};
245 if (!IsFoundationCalling() && !IsPrivilegedCalling()) {
246 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
247 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
248 return;
249 }
250
251 sptr<HapInfoParcel> hapInfoParcel = data.ReadParcelable<HapInfoParcel>();
252 sptr<HapPolicyParcel> hapPolicyParcel = data.ReadParcelable<HapPolicyParcel>();
253 if (hapInfoParcel == nullptr || hapPolicyParcel == nullptr) {
254 ACCESSTOKEN_LOG_ERROR(LABEL, "read hapPolicyParcel or hapInfoParcel fail");
255 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED);
256 return;
257 }
258 res = this->AllocHapToken(*hapInfoParcel, *hapPolicyParcel);
259 reply.WriteUint64(res.tokenIDEx);
260 }
261
GetTokenTypeInner(MessageParcel & data,MessageParcel & reply)262 void AccessTokenManagerStub::GetTokenTypeInner(MessageParcel& data, MessageParcel& reply)
263 {
264 AccessTokenID tokenID = data.ReadUint32();
265 int result = this->GetTokenType(tokenID);
266 reply.WriteInt32(result);
267 }
268
CheckNativeDCapInner(MessageParcel & data,MessageParcel & reply)269 void AccessTokenManagerStub::CheckNativeDCapInner(MessageParcel& data, MessageParcel& reply)
270 {
271 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
272 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
273 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
274 return;
275 }
276 AccessTokenID tokenID = data.ReadUint32();
277 std::string dCap = data.ReadString();
278 int result = this->CheckNativeDCap(tokenID, dCap);
279 reply.WriteInt32(result);
280 }
281
GetHapTokenIDInner(MessageParcel & data,MessageParcel & reply)282 void AccessTokenManagerStub::GetHapTokenIDInner(MessageParcel& data, MessageParcel& reply)
283 {
284 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
285 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
286 reply.WriteInt32(INVALID_TOKENID);
287 return;
288 }
289 int userID = data.ReadInt32();
290 std::string bundleName = data.ReadString();
291 int instIndex = data.ReadInt32();
292 AccessTokenID result = this->GetHapTokenID(userID, bundleName, instIndex);
293 reply.WriteUint32(result);
294 }
295
AllocLocalTokenIDInner(MessageParcel & data,MessageParcel & reply)296 void AccessTokenManagerStub::AllocLocalTokenIDInner(MessageParcel& data, MessageParcel& reply)
297 {
298 if ((!IsNativeProcessCalling()) && !IsPrivilegedCalling()) {
299 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
300 reply.WriteInt32(INVALID_TOKENID);
301 return;
302 }
303 std::string remoteDeviceID = data.ReadString();
304 AccessTokenID remoteTokenID = data.ReadUint32();
305 AccessTokenID result = this->AllocLocalTokenID(remoteDeviceID, remoteTokenID);
306 reply.WriteUint32(result);
307 }
308
UpdateHapTokenInner(MessageParcel & data,MessageParcel & reply)309 void AccessTokenManagerStub::UpdateHapTokenInner(MessageParcel& data, MessageParcel& reply)
310 {
311 if (!IsFoundationCalling() && !IsPrivilegedCalling()) {
312 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
313 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
314 return;
315 }
316 AccessTokenID tokenID = data.ReadUint32();
317 std::string appIDDesc = data.ReadString();
318 int32_t apiVersion = data.ReadInt32();
319 sptr<HapPolicyParcel> policyParcel = data.ReadParcelable<HapPolicyParcel>();
320 if (policyParcel == nullptr) {
321 ACCESSTOKEN_LOG_ERROR(LABEL, "policyParcel read faild");
322 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED);
323 return;
324 }
325 int32_t result = this->UpdateHapToken(tokenID, appIDDesc, apiVersion, *policyParcel);
326 reply.WriteInt32(result);
327 }
328
GetHapTokenInfoInner(MessageParcel & data,MessageParcel & reply)329 void AccessTokenManagerStub::GetHapTokenInfoInner(MessageParcel& data, MessageParcel& reply)
330 {
331 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
332 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
333 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
334 return;
335 }
336 HapTokenInfoParcel hapTokenInfoParcel;
337 AccessTokenID tokenID = data.ReadUint32();
338 int result = this->GetHapTokenInfo(tokenID, hapTokenInfoParcel);
339 reply.WriteInt32(result);
340 if (result != RET_SUCCESS) {
341 return;
342 }
343 reply.WriteParcelable(&hapTokenInfoParcel);
344 }
345
GetNativeTokenInfoInner(MessageParcel & data,MessageParcel & reply)346 void AccessTokenManagerStub::GetNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply)
347 {
348 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
349 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
350 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
351 return;
352 }
353 AccessTokenID tokenID = data.ReadUint32();
354 NativeTokenInfoParcel nativeTokenInfoParcel;
355 int result = this->GetNativeTokenInfo(tokenID, nativeTokenInfoParcel);
356 reply.WriteInt32(result);
357 if (result != RET_SUCCESS) {
358 return;
359 }
360 reply.WriteParcelable(&nativeTokenInfoParcel);
361 }
362
RegisterPermStateChangeCallbackInner(MessageParcel & data,MessageParcel & reply)363 void AccessTokenManagerStub::RegisterPermStateChangeCallbackInner(MessageParcel& data, MessageParcel& reply)
364 {
365 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
366 if (VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
367 ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID);
368 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
369 return;
370 }
371 sptr<PermStateChangeScopeParcel> scopeParcel = data.ReadParcelable<PermStateChangeScopeParcel>();
372 if (scopeParcel == nullptr) {
373 ACCESSTOKEN_LOG_ERROR(LABEL, "read scopeParcel fail");
374 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED);
375 return;
376 }
377 sptr<IRemoteObject> callback = data.ReadRemoteObject();
378 if (callback == nullptr) {
379 ACCESSTOKEN_LOG_ERROR(LABEL, "read callback fail");
380 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED);
381 return;
382 }
383 int32_t result = this->RegisterPermStateChangeCallback(*scopeParcel, callback);
384 reply.WriteInt32(result);
385 }
386
UnRegisterPermStateChangeCallbackInner(MessageParcel & data,MessageParcel & reply)387 void AccessTokenManagerStub::UnRegisterPermStateChangeCallbackInner(MessageParcel& data, MessageParcel& reply)
388 {
389 uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
390 if (VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
391 ACCESSTOKEN_LOG_ERROR(LABEL, "permission denied(tokenID=%{public}d)", callingTokenID);
392 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
393 return;
394 }
395 sptr<IRemoteObject> callback = data.ReadRemoteObject();
396 if (callback == nullptr) {
397 ACCESSTOKEN_LOG_ERROR(LABEL, "read callback fail");
398 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED);
399 return;
400 }
401 int32_t result = this->UnRegisterPermStateChangeCallback(callback);
402 reply.WriteInt32(result);
403 }
404
ReloadNativeTokenInfoInner(MessageParcel & data,MessageParcel & reply)405 void AccessTokenManagerStub::ReloadNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply)
406 {
407 if (!IsPrivilegedCalling()) {
408 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
409 reply.WriteUint32(AccessTokenError::ERR_PERMISSION_DENIED);
410 return;
411 }
412 int32_t result = this->ReloadNativeTokenInfo();
413 reply.WriteInt32(result);
414 }
415
GetNativeTokenIdInner(MessageParcel & data,MessageParcel & reply)416 void AccessTokenManagerStub::GetNativeTokenIdInner(MessageParcel& data, MessageParcel& reply)
417 {
418 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
419 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
420 reply.WriteUint32(INVALID_TOKENID);
421 return;
422 }
423 std::string processName;
424 if (!data.ReadString(processName)) {
425 ACCESSTOKEN_LOG_ERROR(LABEL, "readString fail, processName=%{public}s", processName.c_str());
426 return;
427 }
428 AccessTokenID result = this->GetNativeTokenId(processName);
429 reply.WriteUint32(result);
430 }
431
432 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemoteInner(MessageParcel & data,MessageParcel & reply)433 void AccessTokenManagerStub::GetHapTokenInfoFromRemoteInner(MessageParcel& data, MessageParcel& reply)
434 {
435 if (!IsAccessTokenCalling()) {
436 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
437 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
438 return;
439 }
440 AccessTokenID tokenID = data.ReadUint32();
441 HapTokenInfoForSyncParcel hapTokenParcel;
442
443 int result = this->GetHapTokenInfoFromRemote(tokenID, hapTokenParcel);
444 reply.WriteInt32(result);
445 if (result != RET_SUCCESS) {
446 return;
447 }
448 reply.WriteParcelable(&hapTokenParcel);
449 }
450
GetAllNativeTokenInfoInner(MessageParcel & data,MessageParcel & reply)451 void AccessTokenManagerStub::GetAllNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply)
452 {
453 if (!IsAccessTokenCalling()) {
454 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
455 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
456 return;
457 }
458 std::vector<NativeTokenInfoForSyncParcel> nativeTokenInfosRes;
459 int result = this->GetAllNativeTokenInfo(nativeTokenInfosRes);
460 reply.WriteInt32(result);
461 if (result != RET_SUCCESS) {
462 return;
463 }
464 reply.WriteUint32(nativeTokenInfosRes.size());
465 for (const auto& native : nativeTokenInfosRes) {
466 reply.WriteParcelable(&native);
467 }
468 }
469
SetRemoteHapTokenInfoInner(MessageParcel & data,MessageParcel & reply)470 void AccessTokenManagerStub::SetRemoteHapTokenInfoInner(MessageParcel& data, MessageParcel& reply)
471 {
472 if (!IsAccessTokenCalling()) {
473 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
474 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
475 return;
476 }
477 std::string deviceID = data.ReadString();
478 sptr<HapTokenInfoForSyncParcel> hapTokenParcel = data.ReadParcelable<HapTokenInfoForSyncParcel>();
479 if (hapTokenParcel == nullptr) {
480 ACCESSTOKEN_LOG_ERROR(LABEL, "hapTokenParcel read faild");
481 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED);
482 return;
483 }
484 int result = this->SetRemoteHapTokenInfo(deviceID, *hapTokenParcel);
485 reply.WriteInt32(result);
486 }
487
SetRemoteNativeTokenInfoInner(MessageParcel & data,MessageParcel & reply)488 void AccessTokenManagerStub::SetRemoteNativeTokenInfoInner(MessageParcel& data, MessageParcel& reply)
489 {
490 if (!IsAccessTokenCalling()) {
491 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
492 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
493 return;
494 }
495 std::string deviceID = data.ReadString();
496
497 std::vector<NativeTokenInfoForSyncParcel> nativeParcelList;
498 uint32_t size = data.ReadUint32();
499 if (size > MAX_NATIVE_TOKEN_INFO_SIZE) {
500 ACCESSTOKEN_LOG_ERROR(LABEL, "size %{public}u is invalid", size);
501 reply.WriteInt32(AccessTokenError::ERR_OVERSIZE);
502 return;
503 }
504 for (uint32_t i = 0; i < size; i++) {
505 sptr<NativeTokenInfoForSyncParcel> nativeParcel = data.ReadParcelable<NativeTokenInfoForSyncParcel>();
506 if (nativeParcel == nullptr) {
507 ACCESSTOKEN_LOG_ERROR(LABEL, "nativeParcel read faild");
508 reply.WriteInt32(AccessTokenError::ERR_READ_PARCEL_FAILED);
509 return;
510 }
511 nativeParcelList.emplace_back(*nativeParcel);
512 }
513
514 int result = this->SetRemoteNativeTokenInfo(deviceID, nativeParcelList);
515 reply.WriteInt32(result);
516 }
517
DeleteRemoteTokenInner(MessageParcel & data,MessageParcel & reply)518 void AccessTokenManagerStub::DeleteRemoteTokenInner(MessageParcel& data, MessageParcel& reply)
519 {
520 if (!IsAccessTokenCalling()) {
521 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
522 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
523 return;
524 }
525 std::string deviceID = data.ReadString();
526 AccessTokenID tokenID = data.ReadUint32();
527
528 int result = this->DeleteRemoteToken(deviceID, tokenID);
529 reply.WriteInt32(result);
530 }
531
GetRemoteNativeTokenIDInner(MessageParcel & data,MessageParcel & reply)532 void AccessTokenManagerStub::GetRemoteNativeTokenIDInner(MessageParcel& data, MessageParcel& reply)
533 {
534 if (!IsAccessTokenCalling()) {
535 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
536 reply.WriteInt32(INVALID_TOKENID);
537 return;
538 }
539 std::string deviceID = data.ReadString();
540 AccessTokenID tokenID = data.ReadUint32();
541
542 AccessTokenID result = this->GetRemoteNativeTokenID(deviceID, tokenID);
543 reply.WriteUint32(result);
544 }
545
DeleteRemoteDeviceTokensInner(MessageParcel & data,MessageParcel & reply)546 void AccessTokenManagerStub::DeleteRemoteDeviceTokensInner(MessageParcel& data, MessageParcel& reply)
547 {
548 if (!IsAccessTokenCalling()) {
549 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
550 reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
551 return;
552 }
553 std::string deviceID = data.ReadString();
554
555 int result = this->DeleteRemoteDeviceTokens(deviceID);
556 reply.WriteInt32(result);
557 }
558 #endif
559
DumpTokenInfoInner(MessageParcel & data,MessageParcel & reply)560 void AccessTokenManagerStub::DumpTokenInfoInner(MessageParcel& data, MessageParcel& reply)
561 {
562 if (!IsNativeProcessCalling() && !IsPrivilegedCalling()) {
563 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s called, permission denied", __func__);
564 reply.WriteString("");
565 return;
566 }
567 AccessTokenID tokenID = data.ReadUint32();
568 std::string dumpInfo = "";
569 this->DumpTokenInfo(tokenID, dumpInfo);
570 if (!reply.SetDataCapacity(DUMP_CAPACITY_SIZE)) {
571 ACCESSTOKEN_LOG_WARN(LABEL, "SetDataCapacity failed");
572 }
573 if (!reply.WriteString(dumpInfo)) {
574 ACCESSTOKEN_LOG_ERROR(LABEL, "WriteString failed");
575 }
576 }
577
IsPrivilegedCalling() const578 bool AccessTokenManagerStub::IsPrivilegedCalling() const
579 {
580 // shell process is root in debug mode.
581 int32_t callingUid = IPCSkeleton::GetCallingUid();
582 return callingUid == SYSTEM_UID || callingUid == ROOT_UID;
583 }
584
IsFoundationCalling() const585 bool AccessTokenManagerStub::IsFoundationCalling() const
586 {
587 int32_t callingUid = IPCSkeleton::GetCallingUid();
588 return callingUid == FOUNDATION_UID;
589 }
590
IsAccessTokenCalling()591 bool AccessTokenManagerStub::IsAccessTokenCalling()
592 {
593 uint32_t tokenCaller = IPCSkeleton::GetCallingTokenID();
594 if (tokenSyncId_ == 0) {
595 tokenSyncId_ = this->GetNativeTokenId("token_sync_service");
596 }
597 return tokenCaller == tokenSyncId_;
598 }
599
IsNativeProcessCalling()600 bool AccessTokenManagerStub::IsNativeProcessCalling()
601 {
602 AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
603 return this->GetTokenType(tokenCaller) == TOKEN_NATIVE;
604 }
605
AccessTokenManagerStub()606 AccessTokenManagerStub::AccessTokenManagerStub()
607 {
608 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::VERIFY_ACCESSTOKEN)] =
609 &AccessTokenManagerStub::VerifyAccessTokenInner;
610 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_DEF_PERMISSION)] =
611 &AccessTokenManagerStub::GetDefPermissionInner;
612 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_DEF_PERMISSIONS)] =
613 &AccessTokenManagerStub::GetDefPermissionsInner;
614 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_REQ_PERMISSIONS)] =
615 &AccessTokenManagerStub::GetReqPermissionsInner;
616 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_PERMISSION_FLAG)] =
617 &AccessTokenManagerStub::GetPermissionFlagInner;
618 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GRANT_PERMISSION)] =
619 &AccessTokenManagerStub::GrantPermissionInner;
620 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::REVOKE_PERMISSION)] =
621 &AccessTokenManagerStub::RevokePermissionInner;
622 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::CLEAR_USER_GRANT_PERMISSION)] =
623 &AccessTokenManagerStub::ClearUserGrantedPermissionStateInner;
624 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::ALLOC_TOKEN_HAP)] =
625 &AccessTokenManagerStub::AllocHapTokenInner;
626 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::TOKEN_DELETE)] =
627 &AccessTokenManagerStub::DeleteTokenInfoInner;
628 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_TOKEN_TYPE)] =
629 &AccessTokenManagerStub::GetTokenTypeInner;
630 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::CHECK_NATIVE_DCAP)] =
631 &AccessTokenManagerStub::CheckNativeDCapInner;
632 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_HAP_TOKEN_ID)] =
633 &AccessTokenManagerStub::GetHapTokenIDInner;
634 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::ALLOC_LOCAL_TOKEN_ID)] =
635 &AccessTokenManagerStub::AllocLocalTokenIDInner;
636 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_NATIVE_TOKENINFO)] =
637 &AccessTokenManagerStub::GetNativeTokenInfoInner;
638 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_HAP_TOKENINFO)] =
639 &AccessTokenManagerStub::GetHapTokenInfoInner;
640 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::UPDATE_HAP_TOKEN)] =
641 &AccessTokenManagerStub::UpdateHapTokenInner;
642 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::RELOAD_NATIVE_TOKEN_INFO)] =
643 &AccessTokenManagerStub::ReloadNativeTokenInfoInner;
644 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_NATIVE_TOKEN_ID)] =
645 &AccessTokenManagerStub::GetNativeTokenIdInner;
646 #ifdef TOKEN_SYNC_ENABLE
647 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_HAP_TOKEN_FROM_REMOTE)] =
648 &AccessTokenManagerStub::GetHapTokenInfoFromRemoteInner;
649 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_ALL_NATIVE_TOKEN_FROM_REMOTE)] =
650 &AccessTokenManagerStub::GetAllNativeTokenInfoInner;
651 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::SET_REMOTE_HAP_TOKEN_INFO)] =
652 &AccessTokenManagerStub::SetRemoteHapTokenInfoInner;
653 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::SET_REMOTE_NATIVE_TOKEN_INFO)] =
654 &AccessTokenManagerStub::SetRemoteNativeTokenInfoInner;
655 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::DELETE_REMOTE_TOKEN_INFO)] =
656 &AccessTokenManagerStub::DeleteRemoteTokenInner;
657 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::DELETE_REMOTE_DEVICE_TOKEN)] =
658 &AccessTokenManagerStub::DeleteRemoteDeviceTokensInner;
659 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_NATIVE_REMOTE_TOKEN)] =
660 &AccessTokenManagerStub::GetRemoteNativeTokenIDInner;
661 #endif
662
663 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::DUMP_TOKENINFO)] =
664 &AccessTokenManagerStub::DumpTokenInfoInner;
665 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::GET_PERMISSION_OPER_STATE)] =
666 &AccessTokenManagerStub::GetSelfPermissionsStateInner;
667
668 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::REGISTER_PERM_STATE_CHANGE_CALLBACK)] =
669 &AccessTokenManagerStub::RegisterPermStateChangeCallbackInner;
670 requestFuncMap_[static_cast<uint32_t>(IAccessTokenManager::InterfaceCode::UNREGISTER_PERM_STATE_CHANGE_CALLBACK)] =
671 &AccessTokenManagerStub::UnRegisterPermStateChangeCallbackInner;
672 }
673
~AccessTokenManagerStub()674 AccessTokenManagerStub::~AccessTokenManagerStub()
675 {
676 requestFuncMap_.clear();
677 }
678 } // namespace AccessToken
679 } // namespace Security
680 } // namespace OHOS
681