1 /*
2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "os_account_manager_service.h"
16 #include <algorithm>
17 #include "account_info.h"
18 #include "account_log_wrapper.h"
19 #include "hisysevent_adapter.h"
20 #include "iinner_os_account_manager.h"
21 #include "ipc_skeleton.h"
22 #include "os_account_constants.h"
23
24 namespace OHOS {
25 namespace AccountSA {
26 namespace {
27 const std::string DUMP_TAB_CHARACTER = "\t";
28 const std::map<OsAccountType, std::string> DUMP_TYPE_MAP = {
29 {OsAccountType::ADMIN, "admin"},
30 {OsAccountType::NORMAL, "normal"},
31 {OsAccountType::GUEST, "guest"},
32 };
33 const std::string CONSTANT_CREATE = "constraint.os.account.create";
34 const std::string CONSTANT_CREATE_DIRECTLY = "constraint.os.account.create.directly";
35 const std::string CONSTANT_REMOVE = "constraint.os.account.remove";
36 const std::string CONSTANT_START = "constraint.os.account.start";
37 const std::string CONSTANT_SET_ICON = "constraint.os.account.set.icon";
38 const std::int32_t ROOT_UID = 0;
39 const std::string DEFAULT_ANON_STR = "**********";
40 const size_t INTERCEPT_HEAD_PART_LEN_FOR_NAME = 1;
41
42 const std::string MANAGE_LOCAL_ACCOUNTS = "ohos.permission.MANAGE_LOCAL_ACCOUNTS";
43 const std::string GET_LOCAL_ACCOUNTS = "ohos.permission.GET_LOCAL_ACCOUNTS";
44 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION =
45 "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
46 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
47
AnonymizeNameStr(const std::string & nameStr)48 std::string AnonymizeNameStr(const std::string& nameStr)
49 {
50 if (nameStr.empty()) {
51 return nameStr;
52 }
53 std::string retStr = nameStr.substr(0, INTERCEPT_HEAD_PART_LEN_FOR_NAME) + DEFAULT_ANON_STR;
54 return retStr;
55 }
56
CheckInvalidLocalId(int localId)57 ErrCode CheckInvalidLocalId(int localId)
58 {
59 if (localId > Constants::MAX_USER_ID) {
60 ACCOUNT_LOGE("id %{public}d is out of range", localId);
61 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
62 }
63 return ERR_OK;
64 }
65
CheckLocalId(int localId)66 ErrCode CheckLocalId(int localId)
67 {
68 if (localId < Constants::START_USER_ID) {
69 ACCOUNT_LOGE("id %{public}d is system reserved", localId);
70 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
71 }
72 return CheckInvalidLocalId(localId);
73 }
74 } // namespace
75
OsAccountManagerService()76 OsAccountManagerService::OsAccountManagerService() : innerManager_(IInnerOsAccountManager::GetInstance())
77 {}
78
~OsAccountManagerService()79 OsAccountManagerService::~OsAccountManagerService()
80 {}
81
CreateOsAccount(const std::string & name,const OsAccountType & type,OsAccountInfo & osAccountInfo)82 ErrCode OsAccountManagerService::CreateOsAccount(
83 const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)
84 {
85 bool isMultiOsAccountEnable = false;
86 innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
87 if (!isMultiOsAccountEnable) {
88 ACCOUNT_LOGE("system is not multi os account enable error");
89 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
90 }
91
92 // permission check
93 if ((!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) ||
94 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY))) {
95 ACCOUNT_LOGE("account manager service, permission denied!");
96 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
97 }
98
99 // parameters check
100 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
101 ACCOUNT_LOGE("os account name out of max allowed size");
102 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
103 }
104 if (name.size() <= 0) {
105 ACCOUNT_LOGE("os account name is empty");
106 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
107 }
108 if ((type < OsAccountType::ADMIN) || (type >= OsAccountType::END)) {
109 ACCOUNT_LOGE("os account type is invalid");
110 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
111 }
112
113 bool isAllowedCreateAdmin = false;
114 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
115 if (errCode != ERR_OK) {
116 ACCOUNT_LOGE("query allowed create admin error");
117 return errCode;
118 }
119 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
120 ACCOUNT_LOGE("cannot create admin account error");
121 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
122 }
123 return innerManager_.CreateOsAccount(name, type, osAccountInfo);
124 }
125
CreateOsAccountForDomain(const OsAccountType & type,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback)126 ErrCode OsAccountManagerService::CreateOsAccountForDomain(const OsAccountType &type,
127 const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback)
128 {
129 ACCOUNT_LOGI("start");
130 bool isMultiOsAccountEnable = false;
131 innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
132 if (!isMultiOsAccountEnable) {
133 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
134 }
135
136 // permission check
137 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) {
138 ACCOUNT_LOGE("account manager service, permission denied!");
139 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
140 }
141
142 // parameters check
143 if ((type < OsAccountType::ADMIN) || (type >= OsAccountType::END)) {
144 ACCOUNT_LOGE("os account type is invalid");
145 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
146 }
147 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
148 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
149 }
150 if (domainInfo.accountName_.size() > Constants::DOMAIN_ACCOUNT_NAME_MAX_SIZE ||
151 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
152 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
153 }
154
155 bool isAllowedCreateAdmin = false;
156 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
157 if (errCode != ERR_OK) {
158 return errCode;
159 }
160 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
161 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
162 }
163 return innerManager_.CreateOsAccountForDomain(type, domainInfo, callback);
164 }
165
RemoveOsAccount(const int id)166 ErrCode OsAccountManagerService::RemoveOsAccount(const int id)
167 {
168 // parameters check
169 if (id <= Constants::START_USER_ID) {
170 ACCOUNT_LOGE("cannot remove system preinstalled user");
171 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
172 }
173 if (id > Constants::MAX_USER_ID) {
174 ACCOUNT_LOGE("localId %{public}d is out of range", id);
175 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
176 }
177
178 // permission check
179 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_REMOVE)) {
180 ACCOUNT_LOGE("account manager service, permission denied!");
181 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
182 }
183
184 return innerManager_.RemoveOsAccount(id);
185 }
186
IsOsAccountExists(const int id,bool & isOsAccountExists)187 ErrCode OsAccountManagerService::IsOsAccountExists(const int id, bool &isOsAccountExists)
188 {
189 return innerManager_.IsOsAccountExists(id, isOsAccountExists);
190 }
191
IsOsAccountActived(const int id,bool & isOsAccountActived)192 ErrCode OsAccountManagerService::IsOsAccountActived(const int id, bool &isOsAccountActived)
193 {
194 ErrCode res = CheckInvalidLocalId(id);
195 if (res != ERR_OK) {
196 return res;
197 }
198
199 // check current account state
200 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
201 if (callerUserId == id) {
202 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
203 }
204
205 // check other account state, check permission first
206 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
207 ACCOUNT_LOGE("account manager service, permission denied!");
208 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
209 }
210
211 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
212 }
213
IsOsAccountConstraintEnable(const int id,const std::string & constraint,bool & isConstraintEnable)214 ErrCode OsAccountManagerService::IsOsAccountConstraintEnable(
215 const int id, const std::string &constraint, bool &isConstraintEnable)
216 {
217 ErrCode res = CheckLocalId(id);
218 if (res != ERR_OK) {
219 return res;
220 }
221 // permission check
222 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
223 ACCOUNT_LOGE("account manager service, permission denied!");
224 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
225 }
226
227 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isConstraintEnable);
228 }
229
CheckOsAccountConstraintEnabled(const int id,const std::string & constraint,bool & isEnabled)230 ErrCode OsAccountManagerService::CheckOsAccountConstraintEnabled(
231 const int id, const std::string &constraint, bool &isEnabled)
232 {
233 ErrCode res = CheckLocalId(id);
234 if (res != ERR_OK) {
235 return res;
236 }
237 // permission check
238 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
239 ACCOUNT_LOGE("account manager service, permission denied!");
240 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
241 }
242
243 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
244 }
245
IsOsAccountVerified(const int id,bool & isVerified)246 ErrCode OsAccountManagerService::IsOsAccountVerified(const int id, bool &isVerified)
247 {
248 ErrCode res = CheckInvalidLocalId(id);
249 if (res != ERR_OK) {
250 return res;
251 }
252 // check current account state
253 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
254 if (callerUserId == id) {
255 return innerManager_.IsOsAccountVerified(id, isVerified);
256 }
257
258 // check other account state, check permission first
259 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
260 ACCOUNT_LOGE("account manager service, permission denied!");
261 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
262 }
263
264 return innerManager_.IsOsAccountVerified(id, isVerified);
265 }
266
GetCreatedOsAccountsCount(unsigned int & osAccountsCount)267 ErrCode OsAccountManagerService::GetCreatedOsAccountsCount(unsigned int &osAccountsCount)
268 {
269 // permission check
270 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
271 ACCOUNT_LOGE("account manager service, permission denied!");
272 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
273 }
274
275 return innerManager_.GetCreatedOsAccountsCount(osAccountsCount);
276 }
277
GetOsAccountLocalIdFromProcess(int & id)278 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromProcess(int &id)
279 {
280 const std::int32_t uid = IPCSkeleton::GetCallingUid();
281 id = uid / UID_TRANSFORM_DIVISOR;
282 return ERR_OK;
283 }
284
IsMainOsAccount(bool & isMainOsAccount)285 ErrCode OsAccountManagerService::IsMainOsAccount(bool &isMainOsAccount)
286 {
287 // permission check
288 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
289 ACCOUNT_LOGW("account manager service, permission denied!");
290 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
291 }
292
293 const std::int32_t uid = IPCSkeleton::GetCallingUid();
294 isMainOsAccount = ((uid / UID_TRANSFORM_DIVISOR) == MAIN_OS_ACCOUNT_LOCAL_ID);
295 return ERR_OK;
296 }
297
GetOsAccountLocalIdFromDomain(const DomainAccountInfo & domainInfo,int & id)298 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)
299 {
300 if (domainInfo.domain_.empty() || domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
301 ACCOUNT_LOGE("domain name length invalid. length %{public}zu.", domainInfo.domain_.size());
302 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
303 }
304
305 if (domainInfo.accountName_.empty() || domainInfo.accountName_.size() > Constants::DOMAIN_ACCOUNT_NAME_MAX_SIZE) {
306 ACCOUNT_LOGE("accountName length invalid. length %{public}zu.", domainInfo.accountName_.size());
307 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
308 }
309 // permission check
310 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
311 ACCOUNT_LOGE("account manager service, permission denied!");
312 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
313 }
314
315 return innerManager_.GetOsAccountLocalIdFromDomain(domainInfo, id);
316 }
317
QueryMaxOsAccountNumber(int & maxOsAccountNumber)318 ErrCode OsAccountManagerService::QueryMaxOsAccountNumber(int &maxOsAccountNumber)
319 {
320 return innerManager_.QueryMaxOsAccountNumber(maxOsAccountNumber);
321 }
322
GetOsAccountAllConstraints(const int id,std::vector<std::string> & constraints)323 ErrCode OsAccountManagerService::GetOsAccountAllConstraints(const int id, std::vector<std::string> &constraints)
324 {
325 ErrCode res = CheckInvalidLocalId(id);
326 if (res != ERR_OK) {
327 return res;
328 }
329 // permission check
330 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
331 ACCOUNT_LOGE("account manager service, permission denied!");
332 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
333 }
334
335 return innerManager_.GetOsAccountAllConstraints(id, constraints);
336 }
337
QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> & osAccountInfos)338 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)
339 {
340 // permission check
341 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
342 ACCOUNT_LOGE("account manager service, permission denied!");
343 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
344 }
345
346 return innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
347 }
348
QueryCurrentOsAccount(OsAccountInfo & osAccountInfo)349 ErrCode OsAccountManagerService::QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)
350 {
351 // permission check
352 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && (!PermissionCheck(GET_LOCAL_ACCOUNTS, ""))) {
353 ACCOUNT_LOGE("account manager service, permission denied!");
354 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
355 }
356
357 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
358 return innerManager_.QueryOsAccountById(id, osAccountInfo);
359 }
360
QueryOsAccountById(const int id,OsAccountInfo & osAccountInfo)361 ErrCode OsAccountManagerService::QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)
362 {
363 // parameters check
364 ErrCode res = CheckLocalId(id);
365 if (res != ERR_OK) {
366 return res;
367 }
368 // permission check
369 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") &&
370 !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
371 ACCOUNT_LOGE("account manager service, permission denied!");
372 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
373 }
374
375 return innerManager_.QueryOsAccountById(id, osAccountInfo);
376 }
377
GetOsAccountTypeFromProcess(OsAccountType & type)378 ErrCode OsAccountManagerService::GetOsAccountTypeFromProcess(OsAccountType &type)
379 {
380 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
381 return innerManager_.GetOsAccountType(id, type);
382 }
383
GetOsAccountProfilePhoto(const int id,std::string & photo)384 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(const int id, std::string &photo)
385 {
386 ErrCode result = CheckLocalId(id);
387 if (result != ERR_OK) {
388 return result;
389 }
390 // get current account photo
391 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
392 if (callerUserId == id) {
393 return innerManager_.GetOsAccountProfilePhoto(id, photo);
394 }
395
396 // get other account photo, check permission first
397 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
398 ACCOUNT_LOGE("account manager service, permission denied!");
399 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
400 }
401
402 return innerManager_.GetOsAccountProfilePhoto(id, photo);
403 }
404
IsMultiOsAccountEnable(bool & isMultiOsAccountEnable)405 ErrCode OsAccountManagerService::IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)
406 {
407 return innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
408 }
409
SetOsAccountName(const int id,const std::string & name)410 ErrCode OsAccountManagerService::SetOsAccountName(const int id, const std::string &name)
411 {
412 // parameters check
413 ErrCode res = CheckLocalId(id);
414 if (res != ERR_OK) {
415 return res;
416 }
417 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
418 ACCOUNT_LOGE("set os account name is out of allowed size");
419 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
420 }
421 if (name.size() <= 0) {
422 ACCOUNT_LOGE("os account name is empty");
423 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
424 }
425
426 // permission check
427 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
428 ACCOUNT_LOGE("account manager service, permission denied!");
429 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
430 }
431
432 return innerManager_.SetOsAccountName(id, name);
433 }
434
SetOsAccountConstraints(const int id,const std::vector<std::string> & constraints,const bool enable)435 ErrCode OsAccountManagerService::SetOsAccountConstraints(
436 const int id, const std::vector<std::string> &constraints, const bool enable)
437 {
438 ErrCode res = CheckLocalId(id);
439 if (res != ERR_OK) {
440 return res;
441 }
442
443 // permission check
444 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
445 ACCOUNT_LOGE("account manager service, permission denied!");
446 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
447 }
448
449 return innerManager_.SetBaseOsAccountConstraints(id, constraints, enable);
450 }
451
SetOsAccountProfilePhoto(const int id,const std::string & photo)452 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(const int id, const std::string &photo)
453 {
454 // parameters check
455 ErrCode res = CheckLocalId(id);
456 if (res != ERR_OK) {
457 return res;
458 }
459 if (photo.size() > Constants::LOCAL_PHOTO_MAX_SIZE) {
460 ACCOUNT_LOGE("photo out of allowed size");
461 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
462 }
463 if (photo.empty()) {
464 ACCOUNT_LOGE("photo is empty");
465 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
466 }
467 // permission check
468 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_SET_ICON)) {
469 ACCOUNT_LOGE("account manager service, permission denied!");
470 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
471 }
472
473 return innerManager_.SetOsAccountProfilePhoto(id, photo);
474 }
475
ActivateOsAccount(const int id)476 ErrCode OsAccountManagerService::ActivateOsAccount(const int id)
477 {
478 // parameters check
479 ErrCode res = CheckLocalId(id);
480 if (res != ERR_OK) {
481 return res;
482 }
483
484 // permission check
485 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, CONSTANT_START)) {
486 ACCOUNT_LOGE("account manager service, permission denied!");
487 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
488 }
489
490 return innerManager_.ActivateOsAccount(id);
491 }
492
StartOsAccount(const int id)493 ErrCode OsAccountManagerService::StartOsAccount(const int id)
494 {
495 return innerManager_.StartOsAccount(id);
496 }
497
StopOsAccount(const int id)498 ErrCode OsAccountManagerService::StopOsAccount(const int id)
499 {
500 return innerManager_.StopOsAccount(id);
501 }
502
SubscribeOsAccount(const OsAccountSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)503 ErrCode OsAccountManagerService::SubscribeOsAccount(
504 const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)
505 {
506 // permission check
507 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
508 ACCOUNT_LOGE("account manager service, permission denied!");
509 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
510 }
511
512 return innerManager_.SubscribeOsAccount(subscribeInfo, eventListener);
513 }
514
UnsubscribeOsAccount(const sptr<IRemoteObject> & eventListener)515 ErrCode OsAccountManagerService::UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)
516 {
517 // permission check
518 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
519 ACCOUNT_LOGE("account manager service, permission denied!");
520 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
521 }
522
523 return innerManager_.UnsubscribeOsAccount(eventListener);
524 }
525
GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber,int & id)526 ErrCode OsAccountManagerService::GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)
527 {
528 return innerManager_.GetOsAccountLocalIdBySerialNumber(serialNumber, id);
529 }
530
GetSerialNumberByOsAccountLocalId(const int & id,int64_t & serialNumber)531 ErrCode OsAccountManagerService::GetSerialNumberByOsAccountLocalId(const int &id, int64_t &serialNumber)
532 {
533 ErrCode result = CheckInvalidLocalId(id);
534 if (result != ERR_OK) {
535 return result;
536 }
537 return innerManager_.GetSerialNumberByOsAccountLocalId(id, serialNumber);
538 }
539
GetOsAccountSwitchMod()540 OS_ACCOUNT_SWITCH_MOD OsAccountManagerService::GetOsAccountSwitchMod()
541 {
542 return innerManager_.GetOsAccountSwitchMod();
543 }
544
IsCurrentOsAccountVerified(bool & isVerified)545 ErrCode OsAccountManagerService::IsCurrentOsAccountVerified(bool &isVerified)
546 {
547 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
548 return innerManager_.IsOsAccountVerified(id, isVerified);
549 }
550
IsOsAccountCompleted(const int id,bool & isOsAccountCompleted)551 ErrCode OsAccountManagerService::IsOsAccountCompleted(const int id, bool &isOsAccountCompleted)
552 {
553 return innerManager_.IsOsAccountCompleted(id, isOsAccountCompleted);
554 }
555
SetCurrentOsAccountIsVerified(const bool isVerified)556 ErrCode OsAccountManagerService::SetCurrentOsAccountIsVerified(const bool isVerified)
557 {
558 // permission check
559 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
560 ACCOUNT_LOGE("account manager service, permission denied!");
561 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
562 }
563
564 // parameters check
565 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
566 ErrCode res = CheckLocalId(id);
567 if (res != ERR_OK) {
568 return res;
569 }
570
571 return innerManager_.SetOsAccountIsVerified(id, isVerified);
572 }
573
SetOsAccountIsVerified(const int id,const bool isVerified)574 ErrCode OsAccountManagerService::SetOsAccountIsVerified(const int id, const bool isVerified)
575 {
576 // parameters check
577 ErrCode res = CheckLocalId(id);
578 if (res != ERR_OK) {
579 return res;
580 }
581
582 // permission check
583 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
584 ACCOUNT_LOGE("account manager service, permission denied!");
585 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
586 }
587
588 return innerManager_.SetOsAccountIsVerified(id, isVerified);
589 }
590
DumpState(const int & id,std::vector<std::string> & state)591 ErrCode OsAccountManagerService::DumpState(const int &id, std::vector<std::string> &state)
592 {
593 state.clear();
594
595 // permission check
596 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
597 ACCOUNT_LOGE("account manager service, permission denied!");
598 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
599 }
600
601 ErrCode result = ERR_OK;
602 std::vector<OsAccountInfo> osAccountInfos;
603
604 if (id == -1) {
605 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
606 if (result != ERR_OK) {
607 return result;
608 }
609 } else {
610 OsAccountInfo osAccountInfo;
611 result = innerManager_.QueryOsAccountById(id, osAccountInfo);
612 if (result != ERR_OK) {
613 return result;
614 }
615
616 osAccountInfos.emplace_back(osAccountInfo);
617 }
618
619 return DumpStateByAccounts(osAccountInfos, state);
620 }
621
DumpOsAccountInfo(std::vector<std::string> & state)622 ErrCode OsAccountManagerService::DumpOsAccountInfo(std::vector<std::string> &state)
623 {
624 state.clear();
625
626 ErrCode result = ERR_OK;
627 std::vector<OsAccountInfo> osAccountInfos;
628 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
629 if (result != ERR_OK) {
630 return result;
631 }
632
633 return DumpStateByAccounts(osAccountInfos, state);
634 }
635
GetCreatedOsAccountNumFromDatabase(const std::string & storeID,int & createdOsAccountNum)636 ErrCode OsAccountManagerService::GetCreatedOsAccountNumFromDatabase(const std::string& storeID,
637 int &createdOsAccountNum)
638 {
639 // permission check
640 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
641 ACCOUNT_LOGE("account manager service, permission denied!");
642 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
643 }
644
645 return innerManager_.GetCreatedOsAccountNumFromDatabase(storeID, createdOsAccountNum);
646 }
647
CreateBasicAccounts()648 void OsAccountManagerService::CreateBasicAccounts()
649 {
650 ACCOUNT_LOGI("enter!");
651 innerManager_.Init();
652 ACCOUNT_LOGI("exit!");
653 }
654
GetSerialNumberFromDatabase(const std::string & storeID,int64_t & serialNumber)655 ErrCode OsAccountManagerService::GetSerialNumberFromDatabase(const std::string& storeID,
656 int64_t &serialNumber)
657 {
658 return innerManager_.GetSerialNumberFromDatabase(storeID, serialNumber);
659 }
660
GetMaxAllowCreateIdFromDatabase(const std::string & storeID,int & id)661 ErrCode OsAccountManagerService::GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)
662 {
663 return innerManager_.GetMaxAllowCreateIdFromDatabase(storeID, id);
664 }
665
GetOsAccountFromDatabase(const std::string & storeID,const int id,OsAccountInfo & osAccountInfo)666 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
667 const int id, OsAccountInfo &osAccountInfo)
668 {
669 // permission check
670 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
671 ACCOUNT_LOGE("account manager service, permission denied!");
672 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
673 }
674
675 return innerManager_.GetOsAccountFromDatabase(storeID, id, osAccountInfo);
676 }
677
GetOsAccountListFromDatabase(const std::string & storeID,std::vector<OsAccountInfo> & osAccountList)678 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
679 std::vector<OsAccountInfo> &osAccountList)
680 {
681 // permission check
682 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
683 ACCOUNT_LOGE("account manager service, permission denied!");
684 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
685 }
686
687 return innerManager_.GetOsAccountListFromDatabase(storeID, osAccountList);
688 }
689
DumpStateByAccounts(const std::vector<OsAccountInfo> & osAccountInfos,std::vector<std::string> & state)690 ErrCode OsAccountManagerService::DumpStateByAccounts(
691 const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)
692 {
693 ACCOUNT_LOGD("enter");
694 for (auto osAccountInfo : osAccountInfos) {
695 std::string info = "";
696
697 std::string localId = std::to_string(osAccountInfo.GetLocalId());
698 state.emplace_back("ID: " + localId);
699
700 std::string localName = osAccountInfo.GetLocalName();
701 state.emplace_back(DUMP_TAB_CHARACTER + "Name: " + AnonymizeNameStr(localName));
702
703 std::string type = "";
704 auto it = DUMP_TYPE_MAP.find(osAccountInfo.GetType());
705 if (it != DUMP_TYPE_MAP.end()) {
706 type = it->second;
707 } else {
708 type = "unknown";
709 }
710 state.emplace_back(DUMP_TAB_CHARACTER + "Type: " + type);
711 state.emplace_back(DUMP_TAB_CHARACTER + "Status: " +
712 (osAccountInfo.GetIsActived() ? "active" : "inactive"));
713
714 state.emplace_back(DUMP_TAB_CHARACTER + "Constraints:");
715 auto constraints = osAccountInfo.GetConstraints();
716 std::transform(constraints.begin(), constraints.end(), std::back_inserter(state),
717 [](auto constraint) {return DUMP_TAB_CHARACTER + DUMP_TAB_CHARACTER + constraint; });
718
719 state.emplace_back(DUMP_TAB_CHARACTER + "Verified: " +
720 (osAccountInfo.GetIsVerified() ? "true" : "false"));
721
722 int64_t serialNumber = osAccountInfo.GetSerialNumber();
723 state.emplace_back(DUMP_TAB_CHARACTER + "Serial Number: " + std::to_string(serialNumber));
724 state.emplace_back(DUMP_TAB_CHARACTER + "Create Completed: " +
725 (osAccountInfo.GetIsCreateCompleted() ? "true" : "false"));
726 state.emplace_back(DUMP_TAB_CHARACTER + "To Be Removed: " +
727 (osAccountInfo.GetToBeRemoved() ? "true" : "false"));
728 state.emplace_back("\n");
729 }
730
731 return ERR_OK;
732 }
733
QueryActiveOsAccountIds(std::vector<int32_t> & ids)734 ErrCode OsAccountManagerService::QueryActiveOsAccountIds(std::vector<int32_t>& ids)
735 {
736 return innerManager_.QueryActiveOsAccountIds(ids);
737 }
738
QueryOsAccountConstraintSourceTypes(const int32_t id,const std::string & constraint,std::vector<ConstraintSourceTypeInfo> & constraintSourceTypeInfos)739 ErrCode OsAccountManagerService::QueryOsAccountConstraintSourceTypes(const int32_t id,
740 const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)
741 {
742 // parameters check
743 ErrCode res = CheckLocalId(id);
744 if (res != ERR_OK) {
745 return res;
746 }
747 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
748 ACCOUNT_LOGE("constraint length is invalid. length %{public}zu.", constraint.size());
749 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
750 }
751
752 // permission check
753 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
754 ACCOUNT_LOGE("account manager service, permission denied!");
755 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
756 }
757
758 return innerManager_.QueryOsAccountConstraintSourceTypes(id, constraint, constraintSourceTypeInfos);
759 }
760
SetGlobalOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t enforcerId,const bool isDeviceOwner)761 ErrCode OsAccountManagerService::SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints,
762 const bool enable, const int32_t enforcerId, const bool isDeviceOwner)
763 {
764 // permission check
765 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
766 ACCOUNT_LOGE("account manager service, permission denied!");
767 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
768 }
769
770 return innerManager_.SetGlobalOsAccountConstraints(constraints, enable, enforcerId, isDeviceOwner);
771 }
772
SetSpecificOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t targetId,const int32_t enforcerId,const bool isDeviceOwner)773 ErrCode OsAccountManagerService::SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints,
774 const bool enable, const int32_t targetId, const int32_t enforcerId, const bool isDeviceOwner)
775 {
776 // permission check
777 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
778 ACCOUNT_LOGE("account manager service, permission denied!");
779 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
780 }
781
782 // parameters check
783 if (targetId < Constants::START_USER_ID || enforcerId < Constants::START_USER_ID) {
784 ACCOUNT_LOGE("invalid input account id %{public}d or %{public}d.", targetId, enforcerId);
785 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
786 }
787
788 return innerManager_.SetSpecificOsAccountConstraints(constraints, enable, targetId, enforcerId, isDeviceOwner);
789 }
790
SetDefaultActivatedOsAccount(const int32_t id)791 ErrCode OsAccountManagerService::SetDefaultActivatedOsAccount(const int32_t id)
792 {
793 // parameters check
794 ErrCode ret = CheckLocalId(id);
795 if (ret != ERR_OK) {
796 return ret;
797 }
798
799 // permission check
800 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
801 ACCOUNT_LOGE("account manager service, permission denied!");
802 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
803 }
804
805 return innerManager_.SetDefaultActivatedOsAccount(id);
806 }
807
GetDefaultActivatedOsAccount(int32_t & id)808 ErrCode OsAccountManagerService::GetDefaultActivatedOsAccount(int32_t &id)
809 {
810 return innerManager_.GetDefaultActivatedOsAccount(id);
811 }
812
PermissionCheck(const std::string & permissionName,const std::string & constraintName)813 bool OsAccountManagerService::PermissionCheck(const std::string& permissionName, const std::string& constraintName)
814 {
815 int callerUid = IPCSkeleton::GetCallingUid();
816 // root check
817 if (callerUid == ROOT_UID) {
818 return true;
819 }
820
821 // constraints check
822 if (!constraintName.empty()) {
823 int callerUserId = callerUid / UID_TRANSFORM_DIVISOR;
824 bool isEnable = true;
825 innerManager_.IsOsAccountConstraintEnable(callerUserId, constraintName, isEnable);
826 if (isEnable) {
827 ACCOUNT_LOGE("constraint check %{public}s failed.", constraintName.c_str());
828 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingPid(), constraintName);
829 return false;
830 }
831 }
832
833 // permission check
834 if ((permissionName.empty()) || (AccountPermissionManager::VerifyPermission(permissionName) == ERR_OK)) {
835 return true;
836 }
837
838 ACCOUNT_LOGE("failed to verify permission for %{public}s.", permissionName.c_str());
839 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingPid(), permissionName);
840 return false;
841 }
842 } // namespace AccountSA
843 } // namespace OHOS
844