1 /*
2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "os_account_manager_service.h"
16 #include <algorithm>
17 #include "account_info.h"
18 #include "account_log_wrapper.h"
19 #include "hisysevent_adapter.h"
20 #include "iinner_os_account_manager.h"
21 #include "ipc_skeleton.h"
22 #include "os_account_constants.h"
23
24 namespace OHOS {
25 namespace AccountSA {
26 namespace {
27 const std::string DUMP_TAB_CHARACTER = "\t";
28 const std::map<OsAccountType, std::string> DUMP_TYPE_MAP = {
29 {OsAccountType::ADMIN, "admin"},
30 {OsAccountType::NORMAL, "normal"},
31 {OsAccountType::GUEST, "guest"},
32 };
33 const std::string CONSTANT_CREATE = "constraint.os.account.create";
34 const std::string CONSTANT_CREATE_DIRECTLY = "constraint.os.account.create.directly";
35 const std::string CONSTANT_REMOVE = "constraint.os.account.remove";
36 const std::string CONSTANT_START = "constraint.os.account.start";
37 const std::string CONSTANT_SET_ICON = "constraint.os.account.set.icon";
38 const std::int32_t ROOT_UID = 0;
39 const std::string DEFAULT_ANON_STR = "**********";
40 const size_t INTERCEPT_HEAD_PART_LEN_FOR_NAME = 1;
AnonymizeNameStr(const std::string & nameStr)41 std::string AnonymizeNameStr(const std::string& nameStr)
42 {
43 if (nameStr.empty()) {
44 return nameStr;
45 }
46 std::string retStr = nameStr.substr(0, INTERCEPT_HEAD_PART_LEN_FOR_NAME) + DEFAULT_ANON_STR;
47 return retStr;
48 }
49
CheckInvalidLocalId(int localId)50 ErrCode CheckInvalidLocalId(int localId)
51 {
52 if (localId > Constants::MAX_USER_ID) {
53 ACCOUNT_LOGE("id %{public}d is out of range", localId);
54 return ERR_OSACCOUNT_KIT_LOCAL_ID_INVALID_ERROR;
55 }
56 return ERR_OK;
57 }
58
CheckLocalId(int localId)59 ErrCode CheckLocalId(int localId)
60 {
61 if (localId < Constants::START_USER_ID) {
62 ACCOUNT_LOGE("id %{public}d is system reserved", localId);
63 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
64 }
65 return CheckInvalidLocalId(localId);
66 }
67 } // namespace
68
OsAccountManagerService()69 OsAccountManagerService::OsAccountManagerService()
70 {
71 innerManager_ = DelayedSingleton<IInnerOsAccountManager>::GetInstance();
72 permissionManagerPtr_ = DelayedSingleton<AccountPermissionManager>::GetInstance();
73 }
~OsAccountManagerService()74 OsAccountManagerService::~OsAccountManagerService()
75 {}
76
CreateOsAccount(const std::string & name,const OsAccountType & type,OsAccountInfo & osAccountInfo)77 ErrCode OsAccountManagerService::CreateOsAccount(
78 const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)
79 {
80 bool isMultiOsAccountEnable = false;
81 innerManager_->IsMultiOsAccountEnable(isMultiOsAccountEnable);
82 if (!isMultiOsAccountEnable) {
83 ACCOUNT_LOGE("system is not multi os account enable error");
84 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
85 }
86
87 // permission check
88 if ((!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) ||
89 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY))) {
90 ACCOUNT_LOGE("account manager service, permission denied!");
91 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
92 }
93
94 // parameters check
95 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
96 ACCOUNT_LOGE("os account name out of max allowed size");
97 return ERR_OSACCOUNT_SERVICE_MANAGER_NAME_SIZE_OVERFLOW_ERROR;
98 }
99 if (name.size() <= 0) {
100 ACCOUNT_LOGE("os account name is empty");
101 return ERR_OSACCOUNT_SERVICE_MANAGER_NAME_SIZE_EMPTY_ERROR;
102 }
103 if ((type < OsAccountType::ADMIN) || (type >= OsAccountType::END)) {
104 ACCOUNT_LOGE("os account type is invalid");
105 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_INVALID_TYPE_ACCOUNT_ERROR;
106 }
107
108 bool isAllowedCreateAdmin = false;
109 ErrCode errCode = innerManager_->IsAllowedCreateAdmin(isAllowedCreateAdmin);
110 if (errCode != ERR_OK) {
111 ACCOUNT_LOGE("query allowed create admin error");
112 return errCode;
113 }
114 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
115 ACCOUNT_LOGE("cannot create admin account error");
116 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
117 }
118 return innerManager_->CreateOsAccount(name, type, osAccountInfo);
119 }
120
CreateOsAccountForDomain(const OsAccountType & type,const DomainAccountInfo & domainInfo,OsAccountInfo & osAccountInfo)121 ErrCode OsAccountManagerService::CreateOsAccountForDomain(
122 const OsAccountType &type, const DomainAccountInfo &domainInfo, OsAccountInfo &osAccountInfo)
123 {
124 ACCOUNT_LOGI("start");
125 bool isMultiOsAccountEnable = false;
126 innerManager_->IsMultiOsAccountEnable(isMultiOsAccountEnable);
127 if (!isMultiOsAccountEnable) {
128 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
129 }
130
131 // permission check
132 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) {
133 ACCOUNT_LOGE("account manager service, permission denied!");
134 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
135 }
136
137 // parameters check
138 if ((type < OsAccountType::ADMIN) || (type >= OsAccountType::END)) {
139 ACCOUNT_LOGE("os account type is invalid");
140 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_INVALID_TYPE_ACCOUNT_ERROR;
141 }
142 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
143 return ERR_OSACCOUNT_SERVICE_MANAGER_NAME_SIZE_EMPTY_ERROR;
144 }
145 if (domainInfo.accountName_.size() > Constants::DOMAIN_ACCOUNT_NAME_MAX_SIZE ||
146 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
147 return ERR_OSACCOUNT_SERVICE_MANAGER_NAME_SIZE_OVERFLOW_ERROR;
148 }
149
150 bool isAllowedCreateAdmin = false;
151 ErrCode errCode = innerManager_->IsAllowedCreateAdmin(isAllowedCreateAdmin);
152 if (errCode != ERR_OK) {
153 return errCode;
154 }
155 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
156 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
157 }
158 return innerManager_->CreateOsAccountForDomain(type, domainInfo, osAccountInfo);
159 }
160
RemoveOsAccount(const int id)161 ErrCode OsAccountManagerService::RemoveOsAccount(const int id)
162 {
163 // parameters check
164 if (id <= Constants::START_USER_ID) {
165 ACCOUNT_LOGE("cannot remove system preinstalled user");
166 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
167 }
168 if (id > Constants::MAX_USER_ID) {
169 ACCOUNT_LOGE("localId %{public}d is out of range", id);
170 return ERR_OSACCOUNT_KIT_LOCAL_ID_INVALID_ERROR;
171 }
172
173 // permission check
174 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, CONSTANT_REMOVE)) {
175 ACCOUNT_LOGE("account manager service, permission denied!");
176 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
177 }
178
179 return innerManager_->RemoveOsAccount(id);
180 }
181
IsOsAccountExists(const int id,bool & isOsAccountExists)182 ErrCode OsAccountManagerService::IsOsAccountExists(const int id, bool &isOsAccountExists)
183 {
184 return innerManager_->IsOsAccountExists(id, isOsAccountExists);
185 }
186
IsOsAccountActived(const int id,bool & isOsAccountActived)187 ErrCode OsAccountManagerService::IsOsAccountActived(const int id, bool &isOsAccountActived)
188 {
189 ErrCode res = CheckInvalidLocalId(id);
190 if (res != ERR_OK) {
191 return res;
192 }
193
194 // check current account state
195 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
196 if (callerUserId == id) {
197 return innerManager_->IsOsAccountActived(id, isOsAccountActived);
198 }
199
200 // check other account state, check permission first
201 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "") &&
202 !PermissionCheck(AccountPermissionManager::INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
203 ACCOUNT_LOGE("account manager service, permission denied!");
204 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
205 }
206
207 return innerManager_->IsOsAccountActived(id, isOsAccountActived);
208 }
209
IsOsAccountConstraintEnable(const int id,const std::string & constraint,bool & isConstraintEnable)210 ErrCode OsAccountManagerService::IsOsAccountConstraintEnable(
211 const int id, const std::string &constraint, bool &isConstraintEnable)
212 {
213 ErrCode res = CheckLocalId(id);
214 if (res != ERR_OK) {
215 return res;
216 }
217 // permission check
218 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
219 ACCOUNT_LOGE("account manager service, permission denied!");
220 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
221 }
222
223 return innerManager_->IsOsAccountConstraintEnable(id, constraint, isConstraintEnable);
224 }
225
CheckOsAccountConstraintEnabled(const int id,const std::string & constraint,bool & isEnabled)226 ErrCode OsAccountManagerService::CheckOsAccountConstraintEnabled(
227 const int id, const std::string &constraint, bool &isEnabled)
228 {
229 ErrCode res = CheckLocalId(id);
230 if (res != ERR_OK) {
231 return res;
232 }
233 // permission check
234 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "") &&
235 !PermissionCheck(AccountPermissionManager::INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
236 ACCOUNT_LOGE("account manager service, permission denied!");
237 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
238 }
239
240 return innerManager_->IsOsAccountConstraintEnable(id, constraint, isEnabled);
241 }
242
IsOsAccountVerified(const int id,bool & isVerified)243 ErrCode OsAccountManagerService::IsOsAccountVerified(const int id, bool &isVerified)
244 {
245 ErrCode res = CheckInvalidLocalId(id);
246 if (res != ERR_OK) {
247 return res;
248 }
249 // check current account state
250 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
251 if (callerUserId == id) {
252 return innerManager_->IsOsAccountVerified(id, isVerified);
253 }
254
255 // check other account state, check permission first
256 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "") &&
257 !PermissionCheck(AccountPermissionManager::INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
258 ACCOUNT_LOGE("account manager service, permission denied!");
259 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
260 }
261
262 return innerManager_->IsOsAccountVerified(id, isVerified);
263 }
264
GetCreatedOsAccountsCount(unsigned int & osAccountsCount)265 ErrCode OsAccountManagerService::GetCreatedOsAccountsCount(unsigned int &osAccountsCount)
266 {
267 // permission check
268 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
269 ACCOUNT_LOGE("account manager service, permission denied!");
270 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
271 }
272
273 return innerManager_->GetCreatedOsAccountsCount(osAccountsCount);
274 }
275
GetOsAccountLocalIdFromProcess(int & id)276 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromProcess(int &id)
277 {
278 const std::int32_t uid = IPCSkeleton::GetCallingUid();
279 id = uid / UID_TRANSFORM_DIVISOR;
280 return ERR_OK;
281 }
282
IsMainOsAccount(bool & isMainOsAccount)283 ErrCode OsAccountManagerService::IsMainOsAccount(bool &isMainOsAccount)
284 {
285 // permission check
286 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
287 ACCOUNT_LOGW("account manager service, permission denied!");
288 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
289 }
290
291 const std::int32_t uid = IPCSkeleton::GetCallingUid();
292 isMainOsAccount = ((uid / UID_TRANSFORM_DIVISOR) == MAIN_OS_ACCOUNT_LOCAL_ID);
293 return ERR_OK;
294 }
295
GetOsAccountLocalIdFromDomain(const DomainAccountInfo & domainInfo,int & id)296 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)
297 {
298 if (domainInfo.domain_.empty() || domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
299 ACCOUNT_LOGE("domain name length invalid. length %{public}zu.", domainInfo.domain_.size());
300 return ERR_OSACCOUNT_SERVICE_INNER_DOMAIN_NAME_LEN_ERROR;
301 }
302
303 if (domainInfo.accountName_.empty() || domainInfo.accountName_.size() > Constants::DOMAIN_ACCOUNT_NAME_MAX_SIZE) {
304 ACCOUNT_LOGE("accountName length invalid. length %{public}zu.", domainInfo.accountName_.size());
305 return ERR_OSACCOUNT_SERVICE_INNER_DOMAIN_ACCOUNT_NAME_LEN_ERROR;
306 }
307 // permission check
308 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
309 ACCOUNT_LOGE("account manager service, permission denied!");
310 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
311 }
312
313 return innerManager_->GetOsAccountLocalIdFromDomain(domainInfo, id);
314 }
315
QueryMaxOsAccountNumber(int & maxOsAccountNumber)316 ErrCode OsAccountManagerService::QueryMaxOsAccountNumber(int &maxOsAccountNumber)
317 {
318 return innerManager_->QueryMaxOsAccountNumber(maxOsAccountNumber);
319 }
320
GetOsAccountAllConstraints(const int id,std::vector<std::string> & constraints)321 ErrCode OsAccountManagerService::GetOsAccountAllConstraints(const int id, std::vector<std::string> &constraints)
322 {
323 ErrCode res = CheckInvalidLocalId(id);
324 if (res != ERR_OK) {
325 return res;
326 }
327 // permission check
328 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
329 ACCOUNT_LOGE("account manager service, permission denied!");
330 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
331 }
332
333 return innerManager_->GetOsAccountAllConstraints(id, constraints);
334 }
335
QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> & osAccountInfos)336 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)
337 {
338 // permission check
339 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
340 ACCOUNT_LOGE("account manager service, permission denied!");
341 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
342 }
343
344 return innerManager_->QueryAllCreatedOsAccounts(osAccountInfos);
345 }
346
QueryCurrentOsAccount(OsAccountInfo & osAccountInfo)347 ErrCode OsAccountManagerService::QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)
348 {
349 // permission check
350 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
351 ACCOUNT_LOGE("account manager service, permission denied!");
352 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
353 }
354
355 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
356 return innerManager_->QueryOsAccountById(id, osAccountInfo);
357 }
358
QueryOsAccountById(const int id,OsAccountInfo & osAccountInfo)359 ErrCode OsAccountManagerService::QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)
360 {
361 // parameters check
362 ErrCode res = CheckLocalId(id);
363 if (res != ERR_OK) {
364 return res;
365 }
366 // permission check
367 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "") &&
368 !PermissionCheck(AccountPermissionManager::INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
369 ACCOUNT_LOGE("account manager service, permission denied!");
370 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
371 }
372
373 return innerManager_->QueryOsAccountById(id, osAccountInfo);
374 }
375
GetOsAccountTypeFromProcess(OsAccountType & type)376 ErrCode OsAccountManagerService::GetOsAccountTypeFromProcess(OsAccountType &type)
377 {
378 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
379 return innerManager_->GetOsAccountType(id, type);
380 }
381
GetOsAccountProfilePhoto(const int id,std::string & photo)382 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(const int id, std::string &photo)
383 {
384 ErrCode result = CheckLocalId(id);
385 if (result != ERR_OK) {
386 return result;
387 }
388 // get current account photo
389 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
390 if (callerUserId == id) {
391 return innerManager_->GetOsAccountProfilePhoto(id, photo);
392 }
393
394 // get other account photo, check permission first
395 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
396 ACCOUNT_LOGE("account manager service, permission denied!");
397 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
398 }
399
400 return innerManager_->GetOsAccountProfilePhoto(id, photo);
401 }
402
IsMultiOsAccountEnable(bool & isMultiOsAccountEnable)403 ErrCode OsAccountManagerService::IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)
404 {
405 return innerManager_->IsMultiOsAccountEnable(isMultiOsAccountEnable);
406 }
407
SetOsAccountName(const int id,const std::string & name)408 ErrCode OsAccountManagerService::SetOsAccountName(const int id, const std::string &name)
409 {
410 // parameters check
411 ErrCode res = CheckLocalId(id);
412 if (res != ERR_OK) {
413 return res;
414 }
415 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
416 ACCOUNT_LOGE("set os account name is out of allowed size");
417 return ERR_OSACCOUNT_SERVICE_MANAGER_NAME_SIZE_OVERFLOW_ERROR;
418 }
419 if (name.size() <= 0) {
420 ACCOUNT_LOGE("os account name is empty");
421 return ERR_OSACCOUNT_SERVICE_MANAGER_NAME_SIZE_EMPTY_ERROR;
422 }
423
424 // permission check
425 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
426 ACCOUNT_LOGE("account manager service, permission denied!");
427 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
428 }
429
430 return innerManager_->SetOsAccountName(id, name);
431 }
432
SetOsAccountConstraints(const int id,const std::vector<std::string> & constraints,const bool enable)433 ErrCode OsAccountManagerService::SetOsAccountConstraints(
434 const int id, const std::vector<std::string> &constraints, const bool enable)
435 {
436 ErrCode res = CheckLocalId(id);
437 if (res != ERR_OK) {
438 return res;
439 }
440
441 // permission check
442 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
443 ACCOUNT_LOGE("account manager service, permission denied!");
444 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
445 }
446
447 return innerManager_->SetBaseOsAccountConstraints(id, constraints, enable);
448 }
449
SetOsAccountProfilePhoto(const int id,const std::string & photo)450 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(const int id, const std::string &photo)
451 {
452 // parameters check
453 ErrCode res = CheckLocalId(id);
454 if (res != ERR_OK) {
455 return res;
456 }
457 if (photo.size() > Constants::LOCAL_PHOTO_MAX_SIZE) {
458 ACCOUNT_LOGE("photo out of allowed size");
459 return ERR_OSACCOUNT_SERVICE_MANAGER_PHOTO_SIZE_OVERFLOW_ERROR;
460 }
461 if (photo.empty()) {
462 ACCOUNT_LOGE("photo is empty");
463 return ERR_ACCOUNT_COMMON_INVALID_PARAMTER;
464 }
465 // permission check
466 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, CONSTANT_SET_ICON)) {
467 ACCOUNT_LOGE("account manager service, permission denied!");
468 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
469 }
470
471 return innerManager_->SetOsAccountProfilePhoto(id, photo);
472 }
473
ActivateOsAccount(const int id)474 ErrCode OsAccountManagerService::ActivateOsAccount(const int id)
475 {
476 // parameters check
477 ErrCode res = CheckLocalId(id);
478 if (res != ERR_OK) {
479 return res;
480 }
481
482 // permission check
483 if (!PermissionCheck(AccountPermissionManager::INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, CONSTANT_START)) {
484 ACCOUNT_LOGE("account manager service, permission denied!");
485 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
486 }
487
488 return innerManager_->ActivateOsAccount(id);
489 }
490
StartOsAccount(const int id)491 ErrCode OsAccountManagerService::StartOsAccount(const int id)
492 {
493 return innerManager_->StartOsAccount(id);
494 }
495
StopOsAccount(const int id)496 ErrCode OsAccountManagerService::StopOsAccount(const int id)
497 {
498 return innerManager_->StopOsAccount(id);
499 }
500
SubscribeOsAccount(const OsAccountSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)501 ErrCode OsAccountManagerService::SubscribeOsAccount(
502 const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)
503 {
504 // permission check
505 if (!PermissionCheck(AccountPermissionManager::INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
506 ACCOUNT_LOGE("account manager service, permission denied!");
507 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
508 }
509
510 return innerManager_->SubscribeOsAccount(subscribeInfo, eventListener);
511 }
512
UnsubscribeOsAccount(const sptr<IRemoteObject> & eventListener)513 ErrCode OsAccountManagerService::UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)
514 {
515 // permission check
516 if (!PermissionCheck(AccountPermissionManager::INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
517 ACCOUNT_LOGE("account manager service, permission denied!");
518 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
519 }
520
521 return innerManager_->UnsubscribeOsAccount(eventListener);
522 }
523
GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber,int & id)524 ErrCode OsAccountManagerService::GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)
525 {
526 return innerManager_->GetOsAccountLocalIdBySerialNumber(serialNumber, id);
527 }
528
GetSerialNumberByOsAccountLocalId(const int & id,int64_t & serialNumber)529 ErrCode OsAccountManagerService::GetSerialNumberByOsAccountLocalId(const int &id, int64_t &serialNumber)
530 {
531 ErrCode result = CheckInvalidLocalId(id);
532 if (result != ERR_OK) {
533 return result;
534 }
535 return innerManager_->GetSerialNumberByOsAccountLocalId(id, serialNumber);
536 }
537
GetOsAccountSwitchMod()538 OS_ACCOUNT_SWITCH_MOD OsAccountManagerService::GetOsAccountSwitchMod()
539 {
540 return innerManager_->GetOsAccountSwitchMod();
541 }
542
IsCurrentOsAccountVerified(bool & isVerified)543 ErrCode OsAccountManagerService::IsCurrentOsAccountVerified(bool &isVerified)
544 {
545 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
546 return innerManager_->IsOsAccountVerified(id, isVerified);
547 }
548
IsOsAccountCompleted(const int id,bool & isOsAccountCompleted)549 ErrCode OsAccountManagerService::IsOsAccountCompleted(const int id, bool &isOsAccountCompleted)
550 {
551 return innerManager_->IsOsAccountCompleted(id, isOsAccountCompleted);
552 }
553
SetCurrentOsAccountIsVerified(const bool isVerified)554 ErrCode OsAccountManagerService::SetCurrentOsAccountIsVerified(const bool isVerified)
555 {
556 // permission check
557 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
558 ACCOUNT_LOGE("account manager service, permission denied!");
559 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
560 }
561
562 // parameters check
563 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
564 ErrCode res = CheckLocalId(id);
565 if (res != ERR_OK) {
566 return res;
567 }
568
569 return innerManager_->SetOsAccountIsVerified(id, isVerified);
570 }
571
SetOsAccountIsVerified(const int id,const bool isVerified)572 ErrCode OsAccountManagerService::SetOsAccountIsVerified(const int id, const bool isVerified)
573 {
574 // parameters check
575 ErrCode res = CheckLocalId(id);
576 if (res != ERR_OK) {
577 return res;
578 }
579
580 // permission check
581 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
582 ACCOUNT_LOGE("account manager service, permission denied!");
583 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
584 }
585
586 return innerManager_->SetOsAccountIsVerified(id, isVerified);
587 }
588
DumpState(const int & id,std::vector<std::string> & state)589 ErrCode OsAccountManagerService::DumpState(const int &id, std::vector<std::string> &state)
590 {
591 state.clear();
592
593 // permission check
594 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
595 ACCOUNT_LOGE("account manager service, permission denied!");
596 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
597 }
598
599 ErrCode result = ERR_OK;
600 std::vector<OsAccountInfo> osAccountInfos;
601
602 if (id == -1) {
603 result = innerManager_->QueryAllCreatedOsAccounts(osAccountInfos);
604 if (result != ERR_OK) {
605 return result;
606 }
607 } else {
608 OsAccountInfo osAccountInfo;
609 result = innerManager_->QueryOsAccountById(id, osAccountInfo);
610 if (result != ERR_OK) {
611 return result;
612 }
613
614 osAccountInfos.emplace_back(osAccountInfo);
615 }
616
617 return DumpStateByAccounts(osAccountInfos, state);
618 }
619
DumpOsAccountInfo(std::vector<std::string> & state)620 ErrCode OsAccountManagerService::DumpOsAccountInfo(std::vector<std::string> &state)
621 {
622 state.clear();
623
624 ErrCode result = ERR_OK;
625 std::vector<OsAccountInfo> osAccountInfos;
626 result = innerManager_->QueryAllCreatedOsAccounts(osAccountInfos);
627 if (result != ERR_OK) {
628 return result;
629 }
630
631 return DumpStateByAccounts(osAccountInfos, state);
632 }
633
GetCreatedOsAccountNumFromDatabase(const std::string & storeID,int & createdOsAccountNum)634 ErrCode OsAccountManagerService::GetCreatedOsAccountNumFromDatabase(const std::string& storeID,
635 int &createdOsAccountNum)
636 {
637 // permission check
638 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
639 ACCOUNT_LOGE("account manager service, permission denied!");
640 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
641 }
642
643 return innerManager_->GetCreatedOsAccountNumFromDatabase(storeID, createdOsAccountNum);
644 }
645
CreateBasicAccounts()646 void OsAccountManagerService::CreateBasicAccounts()
647 {
648 ACCOUNT_LOGI("enter!");
649 innerManager_->Init();
650 ACCOUNT_LOGI("exit!");
651 }
652
GetSerialNumberFromDatabase(const std::string & storeID,int64_t & serialNumber)653 ErrCode OsAccountManagerService::GetSerialNumberFromDatabase(const std::string& storeID,
654 int64_t &serialNumber)
655 {
656 return innerManager_->GetSerialNumberFromDatabase(storeID, serialNumber);
657 }
658
GetMaxAllowCreateIdFromDatabase(const std::string & storeID,int & id)659 ErrCode OsAccountManagerService::GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)
660 {
661 return innerManager_->GetMaxAllowCreateIdFromDatabase(storeID, id);
662 }
663
GetOsAccountFromDatabase(const std::string & storeID,const int id,OsAccountInfo & osAccountInfo)664 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
665 const int id, OsAccountInfo &osAccountInfo)
666 {
667 // permission check
668 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
669 ACCOUNT_LOGE("account manager service, permission denied!");
670 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
671 }
672
673 return innerManager_->GetOsAccountFromDatabase(storeID, id, osAccountInfo);
674 }
675
GetOsAccountListFromDatabase(const std::string & storeID,std::vector<OsAccountInfo> & osAccountList)676 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
677 std::vector<OsAccountInfo> &osAccountList)
678 {
679 // permission check
680 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
681 ACCOUNT_LOGE("account manager service, permission denied!");
682 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
683 }
684
685 return innerManager_->GetOsAccountListFromDatabase(storeID, osAccountList);
686 }
687
DumpStateByAccounts(const std::vector<OsAccountInfo> & osAccountInfos,std::vector<std::string> & state)688 ErrCode OsAccountManagerService::DumpStateByAccounts(
689 const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)
690 {
691 ACCOUNT_LOGD("enter");
692
693 for (auto osAccountInfo : osAccountInfos) {
694 std::string info = "";
695
696 std::string localId = std::to_string(osAccountInfo.GetLocalId());
697 state.emplace_back("ID: " + localId);
698
699 std::string localName = osAccountInfo.GetLocalName();
700 state.emplace_back(DUMP_TAB_CHARACTER + "Name: " + AnonymizeNameStr(localName));
701
702 std::string type = "";
703 auto it = DUMP_TYPE_MAP.find(osAccountInfo.GetType());
704 if (it != DUMP_TYPE_MAP.end()) {
705 type = it->second;
706 } else {
707 type = "unknown";
708 }
709 state.emplace_back(DUMP_TAB_CHARACTER + "Type: " + type);
710 state.emplace_back(DUMP_TAB_CHARACTER + "Status: " +
711 (osAccountInfo.GetIsActived() ? "active" : "inactive"));
712
713 state.emplace_back(DUMP_TAB_CHARACTER + "Constraints:");
714 auto constraints = osAccountInfo.GetConstraints();
715 std::transform(constraints.begin(), constraints.end(), std::back_inserter(state),
716 [](auto constraint) {return DUMP_TAB_CHARACTER + DUMP_TAB_CHARACTER + constraint; });
717
718 state.emplace_back(DUMP_TAB_CHARACTER + "Verified: " +
719 (osAccountInfo.GetIsVerified() ? "true" : "false"));
720
721 int64_t serialNumber = osAccountInfo.GetSerialNumber();
722 state.emplace_back(DUMP_TAB_CHARACTER + "Serial Number: " + std::to_string(serialNumber));
723 state.emplace_back(DUMP_TAB_CHARACTER + "Create Completed: " +
724 (osAccountInfo.GetIsCreateCompleted() ? "true" : "false"));
725 state.emplace_back(DUMP_TAB_CHARACTER + "To Be Removed: " +
726 (osAccountInfo.GetToBeRemoved() ? "true" : "false"));
727 state.emplace_back("\n");
728 }
729
730 return ERR_OK;
731 }
732
QueryActiveOsAccountIds(std::vector<int32_t> & ids)733 ErrCode OsAccountManagerService::QueryActiveOsAccountIds(std::vector<int32_t>& ids)
734 {
735 return innerManager_->QueryActiveOsAccountIds(ids);
736 }
737
QueryOsAccountConstraintSourceTypes(const int32_t id,const std::string & constraint,std::vector<ConstraintSourceTypeInfo> & constraintSourceTypeInfos)738 ErrCode OsAccountManagerService::QueryOsAccountConstraintSourceTypes(const int32_t id,
739 const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)
740 {
741 // parameters check
742 ErrCode res = CheckLocalId(id);
743 if (res != ERR_OK) {
744 return res;
745 }
746 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
747 ACCOUNT_LOGE("constraint length is invalid. length %{public}zu.", constraint.size());
748 return ERR_OSACCOUNT_SERVICE_INNER_DOMAIN_ACCOUNT_NAME_LEN_ERROR;
749 }
750
751 // permission check
752 ACCOUNT_LOGE("QueryOsAccountConstraintSourceTypes Enter");
753 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
754 ACCOUNT_LOGE("account manager service, permission denied!");
755 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
756 }
757
758 return innerManager_->QueryOsAccountConstraintSourceTypes(id, constraint, constraintSourceTypeInfos);
759 }
760
SetGlobalOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t enforcerId,const bool isDeviceOwner)761 ErrCode OsAccountManagerService::SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints,
762 const bool enable, const int32_t enforcerId, const bool isDeviceOwner)
763 {
764 // permission check
765 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
766 ACCOUNT_LOGE("account manager service, permission denied!");
767 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
768 }
769
770 return innerManager_->SetGlobalOsAccountConstraints(constraints, enable, enforcerId, isDeviceOwner);
771 }
772
SetSpecificOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t targetId,const int32_t enforcerId,const bool isDeviceOwner)773 ErrCode OsAccountManagerService::SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints,
774 const bool enable, const int32_t targetId, const int32_t enforcerId, const bool isDeviceOwner)
775 {
776 // permission check
777 if (!PermissionCheck(AccountPermissionManager::MANAGE_LOCAL_ACCOUNTS, "")) {
778 ACCOUNT_LOGE("account manager service, permission denied!");
779 return ERR_OSACCOUNT_SERVICE_PERMISSION_DENIED;
780 }
781
782 // parameters check
783 if (targetId < Constants::START_USER_ID || enforcerId < Constants::START_USER_ID) {
784 ACCOUNT_LOGE("invalid input account id %{public}d or %{public}d.", targetId, enforcerId);
785 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
786 }
787
788 return innerManager_->SetSpecificOsAccountConstraints(constraints, enable, targetId, enforcerId, isDeviceOwner);
789 }
790
PermissionCheck(const std::string & permissionName,const std::string & constraintName)791 bool OsAccountManagerService::PermissionCheck(const std::string& permissionName, const std::string& constraintName)
792 {
793 // constraints check
794 int callerUid = IPCSkeleton::GetCallingUid();
795 if (!constraintName.empty()) {
796 int callerUserId = callerUid / UID_TRANSFORM_DIVISOR;
797 bool isEnable = true;
798 innerManager_->IsOsAccountConstraintEnable(callerUserId, constraintName, isEnable);
799 if (isEnable) {
800 ACCOUNT_LOGE("constraint check %{public}s failed.", constraintName.c_str());
801 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingPid(), constraintName);
802 return false;
803 }
804 }
805
806 // root check
807 if (callerUid == ROOT_UID) {
808 return true;
809 }
810
811 // permission check
812 if ((permissionName.empty()) || (permissionManagerPtr_->VerifyPermission(permissionName) == ERR_OK)) {
813 return true;
814 }
815
816 ACCOUNT_LOGE("failed to verify permission for %{public}s.", permissionName.c_str());
817 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingPid(), permissionName);
818 return false;
819 }
820 } // namespace AccountSA
821 } // namespace OHOS
822