1 /*
2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_kit.h"
17 #include <string>
18 #include <vector>
19 #include "accesstoken_dfx_define.h"
20 #include "accesstoken_log.h"
21 #include "access_token_error.h"
22 #include "accesstoken_manager_client.h"
23 #include "constant_common.h"
24 #include "data_validator.h"
25 #include "hap_token_info.h"
26 #include "hisysevent.h"
27 #include "permission_def.h"
28 #include "perm_state_change_callback_customize.h"
29 #include "token_setproc.h"
30
31 namespace OHOS {
32 namespace Security {
33 namespace AccessToken {
34 namespace {
35 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenKit"};
36 static const int INVALID_DLP_TOKEN_FLAG = -1;
37 static const int FIRSTCALLER_TOKENID_DEFAULT = 0;
38 } // namespace
39
AllocHapToken(const HapInfoParams & info,const HapPolicyParams & policy)40 AccessTokenIDEx AccessTokenKit::AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy)
41 {
42 AccessTokenIDEx res = {0};
43 ACCESSTOKEN_LOG_DEBUG(LABEL, "called!");
44 if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) ||
45 !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) ||
46 !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType)) {
47 ACCESSTOKEN_LOG_ERROR(LABEL, "input param failed");
48 return res;
49 }
50
51 return AccessTokenManagerClient::GetInstance().AllocHapToken(info, policy);
52 }
53
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)54 AccessTokenID AccessTokenKit::AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID)
55 {
56 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, deviceID=%{public}s, tokenID=%{public}d",
57 ConstantCommon::EncryptDevId(remoteDeviceID).c_str(), remoteTokenID);
58 #ifdef DEBUG_API_PERFORMANCE
59 ACCESSTOKEN_LOG_DEBUG(LABEL, "api_performance:start call");
60 AccessTokenID resID = AccessTokenManagerClient::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
61 ACCESSTOKEN_LOG_DEBUG(LABEL, "api_performance:end call");
62 return resID;
63 #else
64 return AccessTokenManagerClient::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
65 #endif
66 }
67
UpdateHapToken(AccessTokenID tokenID,const std::string & appIDDesc,int32_t apiVersion,const HapPolicyParams & policy)68 int AccessTokenKit::UpdateHapToken(
69 AccessTokenID tokenID, const std::string& appIDDesc, int32_t apiVersion, const HapPolicyParams& policy)
70 {
71 ACCESSTOKEN_LOG_DEBUG(LABEL, "called");
72 if ((tokenID == 0) || (!DataValidator::IsAppIDDescValid(appIDDesc)) ||
73 (!DataValidator::IsAplNumValid(policy.apl))) {
74 ACCESSTOKEN_LOG_ERROR(LABEL, "input param failed");
75 return RET_FAILED;
76 }
77 return AccessTokenManagerClient::GetInstance().UpdateHapToken(tokenID, appIDDesc, apiVersion, policy);
78 }
79
DeleteToken(AccessTokenID tokenID)80 int AccessTokenKit::DeleteToken(AccessTokenID tokenID)
81 {
82 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
83 if (tokenID == 0) {
84 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
85 return RET_FAILED;
86 }
87 return AccessTokenManagerClient::GetInstance().DeleteToken(tokenID);
88 }
89
GetTokenType(AccessTokenID tokenID)90 ATokenTypeEnum AccessTokenKit::GetTokenType(AccessTokenID tokenID)
91 {
92 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
93 if (tokenID == 0) {
94 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
95 return TOKEN_INVALID;
96 }
97 return AccessTokenManagerClient::GetInstance().GetTokenType(tokenID);
98 }
99
GetTokenTypeFlag(AccessTokenID tokenID)100 ATokenTypeEnum AccessTokenKit::GetTokenTypeFlag(AccessTokenID tokenID)
101 {
102 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
103 if (tokenID == 0) {
104 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
105 return TOKEN_INVALID;
106 }
107 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
108 return static_cast<ATokenTypeEnum>(idInner->type);
109 }
110
CheckNativeDCap(AccessTokenID tokenID,const std::string & dcap)111 int AccessTokenKit::CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap)
112 {
113 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d, dcap=%{public}s", tokenID, dcap.c_str());
114 if (tokenID == 0) {
115 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
116 return RET_FAILED;
117 }
118 if (!DataValidator::IsDcapValid(dcap)) {
119 ACCESSTOKEN_LOG_ERROR(LABEL, "dcap is invalid");
120 return RET_FAILED;
121 }
122 return AccessTokenManagerClient::GetInstance().CheckNativeDCap(tokenID, dcap);
123 }
124
GetHapTokenID(int userID,const std::string & bundleName,int instIndex)125 AccessTokenID AccessTokenKit::GetHapTokenID(int userID, const std::string& bundleName, int instIndex)
126 {
127 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, userID=%{public}d, bundleName=%{public}s, instIndex=%{public}d",
128 userID, bundleName.c_str(), instIndex);
129 if (!DataValidator::IsUserIdValid(userID) || !DataValidator::IsBundleNameValid(bundleName)) {
130 ACCESSTOKEN_LOG_ERROR(LABEL, "hap token param failed");
131 return 0;
132 }
133 return AccessTokenManagerClient::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
134 }
135
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfo & hapTokenInfoRes)136 int AccessTokenKit::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes)
137 {
138 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
139 if (tokenID == 0) {
140 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
141 return RET_FAILED;
142 }
143
144 return AccessTokenManagerClient::GetInstance().GetHapTokenInfo(tokenID, hapTokenInfoRes);
145 }
146
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfo & nativeTokenInfoRes)147 int AccessTokenKit::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes)
148 {
149 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
150
151 return AccessTokenManagerClient::GetInstance().GetNativeTokenInfo(tokenID, nativeTokenInfoRes);
152 }
153
GetSelfPermissionsState(std::vector<PermissionListState> & permList)154 PermissionOper AccessTokenKit::GetSelfPermissionsState(std::vector<PermissionListState>& permList)
155 {
156 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, permList.size=%{public}zu.", permList.size());
157 return AccessTokenManagerClient::GetInstance().GetSelfPermissionsState(permList);
158 }
159
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)160 int AccessTokenKit::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
161 {
162 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d, permissionName=%{public}s",
163 tokenID, permissionName.c_str());
164 if (!DataValidator::IsPermissionNameValid(permissionName)) {
165 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
166 return PERMISSION_DENIED;
167 }
168 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
169 }
170
VerifyAccessToken(AccessTokenID callerTokenID,AccessTokenID firstTokenID,const std::string & permissionName)171 int AccessTokenKit::VerifyAccessToken(
172 AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName)
173 {
174 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, callerTokenID=%{public}d, firstTokenID=%{public}d, permissionName=%{public}s",
175 callerTokenID, firstTokenID, permissionName.c_str());
176 int ret = AccessTokenKit::VerifyAccessToken(callerTokenID, permissionName);
177 if (ret != PERMISSION_GRANTED) {
178 return ret;
179 }
180 if (firstTokenID == FIRSTCALLER_TOKENID_DEFAULT) {
181 return ret;
182 }
183 return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName);
184 }
185
GetDefPermission(const std::string & permissionName,PermissionDef & permissionDefResult)186 int AccessTokenKit::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
187 {
188 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, permissionName=%{public}s", permissionName.c_str());
189 if (!DataValidator::IsPermissionNameValid(permissionName)) {
190 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
191 return AccessTokenError::ERR_PARAM_INVALID;
192 }
193
194 int ret = AccessTokenManagerClient::GetInstance().GetDefPermission(permissionName, permissionDefResult);
195 ACCESSTOKEN_LOG_DEBUG(LABEL, "GetDefPermission bundleName = %{public}s", permissionDefResult.bundleName.c_str());
196
197 return ret;
198 }
199
GetDefPermissions(AccessTokenID tokenID,std::vector<PermissionDef> & permDefList)200 int AccessTokenKit::GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDef>& permDefList)
201 {
202 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
203 if (tokenID == 0) {
204 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
205 return RET_FAILED;
206 }
207
208 return AccessTokenManagerClient::GetInstance().GetDefPermissions(tokenID, permDefList);
209 }
210
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFull> & reqPermList,bool isSystemGrant)211 int AccessTokenKit::GetReqPermissions(
212 AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant)
213 {
214 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d, isSystemGrant=%{public}d", tokenID, isSystemGrant);
215 if (tokenID == 0) {
216 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
217 return RET_FAILED;
218 }
219
220 return AccessTokenManagerClient::GetInstance().GetReqPermissions(tokenID, reqPermList, isSystemGrant);
221 }
222
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,int & flag)223 int AccessTokenKit::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, int& flag)
224 {
225 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d, permissionName=%{public}s",
226 tokenID, permissionName.c_str());
227 if (tokenID == 0) {
228 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
229 return AccessTokenError::ERR_PARAM_INVALID;
230 }
231 if (!DataValidator::IsPermissionNameValid(permissionName)) {
232 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
233 return AccessTokenError::ERR_PARAM_INVALID;
234 }
235 return AccessTokenManagerClient::GetInstance().GetPermissionFlag(tokenID, permissionName, flag);
236 }
237
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,int flag)238 int AccessTokenKit::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, int flag)
239 {
240 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d, permissionName=%{public}s, flag=%{public}d",
241 tokenID, permissionName.c_str(), flag);
242 if (tokenID == 0) {
243 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
244 return AccessTokenError::ERR_PARAM_INVALID;
245 }
246 if (!DataValidator::IsPermissionNameValid(permissionName)) {
247 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
248 return AccessTokenError::ERR_PARAM_INVALID;
249 }
250 if (!DataValidator::IsPermissionFlagValid(flag)) {
251 ACCESSTOKEN_LOG_ERROR(LABEL, "flag is invalid");
252 return AccessTokenError::ERR_PARAM_INVALID;
253 }
254 return AccessTokenManagerClient::GetInstance().GrantPermission(tokenID, permissionName, flag);
255 }
256
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,int flag)257 int AccessTokenKit::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, int flag)
258 {
259 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d, permissionName=%{public}s, flag=%{public}d",
260 tokenID, permissionName.c_str(), flag);
261 if (tokenID == 0) {
262 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
263 return AccessTokenError::ERR_PARAM_INVALID;
264 }
265 if (!DataValidator::IsPermissionNameValid(permissionName)) {
266 ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
267 return AccessTokenError::ERR_PARAM_INVALID;
268 }
269 if (!DataValidator::IsPermissionFlagValid(flag)) {
270 ACCESSTOKEN_LOG_ERROR(LABEL, "flag is invalid");
271 return AccessTokenError::ERR_PARAM_INVALID;
272 }
273 return AccessTokenManagerClient::GetInstance().RevokePermission(tokenID, permissionName, flag);
274 }
275
ClearUserGrantedPermissionState(AccessTokenID tokenID)276 int AccessTokenKit::ClearUserGrantedPermissionState(AccessTokenID tokenID)
277 {
278 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
279 if (tokenID == 0) {
280 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
281 return RET_FAILED;
282 }
283 return AccessTokenManagerClient::GetInstance().ClearUserGrantedPermissionState(tokenID);
284 }
285
RegisterPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize> & callback)286 int32_t AccessTokenKit::RegisterPermStateChangeCallback(
287 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)
288 {
289 ACCESSTOKEN_LOG_INFO(LABEL, "called");
290 return AccessTokenManagerClient::GetInstance().RegisterPermStateChangeCallback(callback);
291 }
292
UnRegisterPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize> & callback)293 int32_t AccessTokenKit::UnRegisterPermStateChangeCallback(
294 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)
295 {
296 ACCESSTOKEN_LOG_INFO(LABEL, "called");
297 return AccessTokenManagerClient::GetInstance().UnRegisterPermStateChangeCallback(callback);
298 }
299
GetHapDlpFlag(AccessTokenID tokenID)300 int32_t AccessTokenKit::GetHapDlpFlag(AccessTokenID tokenID)
301 {
302 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
303 if (tokenID == 0) {
304 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
305 return INVALID_DLP_TOKEN_FLAG;
306 }
307 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
308 return static_cast<int32_t>(idInner->dlpFlag);
309 }
310
ReloadNativeTokenInfo()311 int32_t AccessTokenKit::ReloadNativeTokenInfo()
312 {
313 return AccessTokenManagerClient::GetInstance().ReloadNativeTokenInfo();
314 }
315
GetNativeTokenId(const std::string & processName)316 AccessTokenID AccessTokenKit::GetNativeTokenId(const std::string& processName)
317 {
318 if (!DataValidator::IsProcessNameValid(processName)) {
319 ACCESSTOKEN_LOG_ERROR(LABEL, "processName is invalid, processName=%{public}s", processName.c_str());
320 return INVALID_TOKENID;
321 }
322 return AccessTokenManagerClient::GetInstance().GetNativeTokenId(processName);
323 }
324
325 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)326 int AccessTokenKit::GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)
327 {
328 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
329 if (tokenID == 0) {
330 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID is invalid");
331 return RET_FAILED;
332 }
333
334 return AccessTokenManagerClient::GetInstance().GetHapTokenInfoFromRemote(tokenID, hapSync);
335 }
336
GetAllNativeTokenInfo(std::vector<NativeTokenInfoForSync> & nativeTokenInfosRes)337 int AccessTokenKit::GetAllNativeTokenInfo(std::vector<NativeTokenInfoForSync>& nativeTokenInfosRes)
338 {
339 ACCESSTOKEN_LOG_DEBUG(LABEL, "called");
340
341 return AccessTokenManagerClient::GetInstance().GetAllNativeTokenInfo(nativeTokenInfosRes);
342 }
343
SetRemoteHapTokenInfo(const std::string & deviceID,const HapTokenInfoForSync & hapSync)344 int AccessTokenKit::SetRemoteHapTokenInfo(const std::string& deviceID,
345 const HapTokenInfoForSync& hapSync)
346 {
347 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, deviceID=%{public}s, tokenID=%{public}d",
348 ConstantCommon::EncryptDevId(deviceID).c_str(), hapSync.baseInfo.tokenID);
349 return AccessTokenManagerClient::GetInstance().SetRemoteHapTokenInfo(deviceID, hapSync);
350 }
351
SetRemoteNativeTokenInfo(const std::string & deviceID,const std::vector<NativeTokenInfoForSync> & nativeTokenInfoList)352 int AccessTokenKit::SetRemoteNativeTokenInfo(const std::string& deviceID,
353 const std::vector<NativeTokenInfoForSync>& nativeTokenInfoList)
354 {
355 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, deviceID=%{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
356 return AccessTokenManagerClient::GetInstance().SetRemoteNativeTokenInfo(deviceID, nativeTokenInfoList);
357 }
358
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)359 int AccessTokenKit::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
360 {
361 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, deviceID=%{public}s, tokenID=%{public}d",
362 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
363 return AccessTokenManagerClient::GetInstance().DeleteRemoteToken(deviceID, tokenID);
364 }
365
DeleteRemoteDeviceTokens(const std::string & deviceID)366 int AccessTokenKit::DeleteRemoteDeviceTokens(const std::string& deviceID)
367 {
368 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, deviceID=%{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
369 return AccessTokenManagerClient::GetInstance().DeleteRemoteDeviceTokens(deviceID);
370 }
371
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)372 AccessTokenID AccessTokenKit::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)
373 {
374 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, deviceID=%{public}s, tokenID=%{public}d",
375 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
376 return AccessTokenManagerClient::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
377 }
378 #endif
379
DumpTokenInfo(AccessTokenID tokenID,std::string & dumpInfo)380 void AccessTokenKit::DumpTokenInfo(AccessTokenID tokenID, std::string& dumpInfo)
381 {
382 ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenID=%{public}d", tokenID);
383 AccessTokenManagerClient::GetInstance().DumpTokenInfo(tokenID, dumpInfo);
384 }
385
GetVersion(void)386 int32_t AccessTokenKit::GetVersion(void)
387 {
388 return DEFAULT_TOKEN_VERSION;
389 }
390 } // namespace AccessToken
391 } // namespace Security
392 } // namespace OHOS
393