1 /*
2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "os_account_manager_service.h"
16 #include <algorithm>
17 #include <cstddef>
18 #include "account_info.h"
19 #include "account_log_wrapper.h"
20 #include "hisysevent_adapter.h"
21 #include "iinner_os_account_manager.h"
22 #include "ipc_skeleton.h"
23 #include "os_account_constants.h"
24
25 namespace OHOS {
26 namespace AccountSA {
27 namespace {
28 const std::string DUMP_TAB_CHARACTER = "\t";
29 const std::map<OsAccountType, std::string> DUMP_TYPE_MAP = {
30 {OsAccountType::ADMIN, "admin"},
31 {OsAccountType::NORMAL, "normal"},
32 {OsAccountType::GUEST, "guest"},
33 };
34 const std::string CONSTANT_CREATE = "constraint.os.account.create";
35 const std::string CONSTANT_CREATE_DIRECTLY = "constraint.os.account.create.directly";
36 const std::string CONSTANT_REMOVE = "constraint.os.account.remove";
37 const std::string CONSTANT_ACTIVATE = "constraint.os.account.activate";
38 const std::string CONSTANT_SET_ICON = "constraint.os.account.set.icon";
39 #ifndef IS_RELEASE_VERSION
40 const std::int32_t ROOT_UID = 0;
41 #endif
42 const std::string DEFAULT_ANON_STR = "**********";
43 const size_t INTERCEPT_HEAD_PART_LEN_FOR_NAME = 1;
44
45 const std::string MANAGE_LOCAL_ACCOUNTS = "ohos.permission.MANAGE_LOCAL_ACCOUNTS";
46 const std::string GET_LOCAL_ACCOUNTS = "ohos.permission.GET_LOCAL_ACCOUNTS";
47 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION =
48 "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
49 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
50 const std::set<uint32_t> uidWhiteListForCreation { 3057 };
51
AnonymizeNameStr(const std::string & nameStr)52 std::string AnonymizeNameStr(const std::string& nameStr)
53 {
54 if (nameStr.empty()) {
55 return nameStr;
56 }
57 std::string retStr = nameStr.substr(0, INTERCEPT_HEAD_PART_LEN_FOR_NAME) + DEFAULT_ANON_STR;
58 return retStr;
59 }
60
CheckInvalidLocalId(int localId)61 ErrCode CheckInvalidLocalId(int localId)
62 {
63 if (localId > Constants::MAX_USER_ID) {
64 ACCOUNT_LOGE("id %{public}d is out of range", localId);
65 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
66 }
67 return ERR_OK;
68 }
69
CheckLocalId(int localId)70 ErrCode CheckLocalId(int localId)
71 {
72 if (localId < Constants::START_USER_ID) {
73 ACCOUNT_LOGE("id %{public}d is system reserved", localId);
74 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
75 }
76 return CheckInvalidLocalId(localId);
77 }
78 } // namespace
79
OsAccountManagerService()80 OsAccountManagerService::OsAccountManagerService() : innerManager_(IInnerOsAccountManager::GetInstance())
81 {}
82
~OsAccountManagerService()83 OsAccountManagerService::~OsAccountManagerService()
84 {}
85
CreateOsAccount(const std::string & name,const OsAccountType & type,OsAccountInfo & osAccountInfo)86 ErrCode OsAccountManagerService::CreateOsAccount(
87 const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)
88 {
89 // parameters check
90 size_t localNameSize = name.size();
91 if (localNameSize == 0 || localNameSize > Constants::LOCAL_NAME_MAX_SIZE) {
92 ACCOUNT_LOGE("CreateOsAccount local name length %{public}zu is invalid!", localNameSize);
93 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
94 }
95 return CreateOsAccount(name, name, type, osAccountInfo);
96 }
97
CreateOsAccount(const std::string & localName,const std::string & shortName,const OsAccountType & type,OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)98 ErrCode OsAccountManagerService::CreateOsAccount(const std::string &localName, const std::string &shortName,
99 const OsAccountType &type, OsAccountInfo &osAccountInfo, const CreateOsAccountOptions &options)
100 {
101 // permission check
102 if (!CheckCreateOsAccountWhiteList() &&
103 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY) ||
104 !PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE))) {
105 ACCOUNT_LOGE("account manager service, permission denied!");
106 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
107 }
108
109 return innerManager_.CreateOsAccount(localName, shortName, type, osAccountInfo, options);
110 }
111
CreateOsAccountWithFullInfo(OsAccountInfo & osAccountInfo)112 ErrCode OsAccountManagerService::CreateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo)
113 {
114 bool isMultiOsAccountEnable = false;
115 innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
116 if (!isMultiOsAccountEnable) {
117 ACCOUNT_LOGE("system is not multi os account enable error");
118 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
119 }
120
121 if ((!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) ||
122 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY))) {
123 ACCOUNT_LOGE("account manager service, permission denied!");
124 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
125 }
126
127 bool isAllowedCreateAdmin = false;
128 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
129 if (errCode != ERR_OK) {
130 ACCOUNT_LOGE("query allowed create admin error");
131 return errCode;
132 }
133 if (!isAllowedCreateAdmin && (osAccountInfo.GetType() == OsAccountType::ADMIN)) {
134 ACCOUNT_LOGE("cannot create admin account error");
135 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
136 }
137
138 return innerManager_.CreateOsAccountWithFullInfo(osAccountInfo);
139 }
140
UpdateOsAccountWithFullInfo(OsAccountInfo & osAccountInfo)141 ErrCode OsAccountManagerService::UpdateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo)
142 {
143 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
144 ACCOUNT_LOGE("account manager service, permission denied!");
145 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
146 }
147
148 bool isAllowedCreateAdmin = false;
149 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
150 if (errCode != ERR_OK) {
151 ACCOUNT_LOGE("query allowed update admin error");
152 return errCode;
153 }
154 if (!isAllowedCreateAdmin && osAccountInfo.GetType() == OsAccountType::ADMIN) {
155 ACCOUNT_LOGE("cannot update admin account error");
156 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
157 }
158
159 return innerManager_.UpdateOsAccountWithFullInfo(osAccountInfo);
160 }
161
CreateOsAccountForDomain(const OsAccountType & type,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback)162 ErrCode OsAccountManagerService::CreateOsAccountForDomain(const OsAccountType &type,
163 const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback)
164 {
165 ACCOUNT_LOGI("start");
166 // permission check
167 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) {
168 ACCOUNT_LOGE("account manager service, permission denied!");
169 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
170 }
171
172 // parameters check
173 if ((type < OsAccountType::ADMIN) || (type >= OsAccountType::END)) {
174 ACCOUNT_LOGE("os account type is invalid");
175 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
176 }
177 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
178 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
179 }
180 if (domainInfo.accountName_.size() > Constants::DOMAIN_ACCOUNT_NAME_MAX_SIZE ||
181 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
182 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
183 }
184
185 bool isAllowedCreateAdmin = false;
186 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
187 if (errCode != ERR_OK) {
188 return errCode;
189 }
190 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
191 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
192 }
193 return innerManager_.CreateOsAccountForDomain(type, domainInfo, callback);
194 }
195
RemoveOsAccount(const int id)196 ErrCode OsAccountManagerService::RemoveOsAccount(const int id)
197 {
198 // parameters check
199 if (id <= Constants::START_USER_ID) {
200 ACCOUNT_LOGE("cannot remove system preinstalled user");
201 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
202 }
203 if (id > Constants::MAX_USER_ID) {
204 ACCOUNT_LOGE("localId %{public}d is out of range", id);
205 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
206 }
207
208 // permission check
209 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_REMOVE)) {
210 ACCOUNT_LOGE("account manager service, permission denied!");
211 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
212 }
213
214 return innerManager_.RemoveOsAccount(id);
215 }
216
IsOsAccountExists(const int id,bool & isOsAccountExists)217 ErrCode OsAccountManagerService::IsOsAccountExists(const int id, bool &isOsAccountExists)
218 {
219 return innerManager_.IsOsAccountExists(id, isOsAccountExists);
220 }
221
IsOsAccountActived(const int id,bool & isOsAccountActived)222 ErrCode OsAccountManagerService::IsOsAccountActived(const int id, bool &isOsAccountActived)
223 {
224 ErrCode res = CheckInvalidLocalId(id);
225 if (res != ERR_OK) {
226 return res;
227 }
228
229 // check current account state
230 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
231 if (callerUserId == id) {
232 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
233 }
234
235 // check other account state, check permission first
236 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
237 ACCOUNT_LOGE("account manager service, permission denied!");
238 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
239 }
240
241 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
242 }
243
IsOsAccountConstraintEnable(const int id,const std::string & constraint,bool & isConstraintEnable)244 ErrCode OsAccountManagerService::IsOsAccountConstraintEnable(
245 const int id, const std::string &constraint, bool &isConstraintEnable)
246 {
247 ErrCode res = CheckLocalId(id);
248 if (res != ERR_OK) {
249 return res;
250 }
251 // permission check
252 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
253 ACCOUNT_LOGE("account manager service, permission denied!");
254 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
255 }
256
257 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isConstraintEnable);
258 }
259
CheckOsAccountConstraintEnabled(const int id,const std::string & constraint,bool & isEnabled)260 ErrCode OsAccountManagerService::CheckOsAccountConstraintEnabled(
261 const int id, const std::string &constraint, bool &isEnabled)
262 {
263 ErrCode res = CheckLocalId(id);
264 if (res != ERR_OK) {
265 return res;
266 }
267
268 // check current account state
269 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
270 if (callerUserId == id) {
271 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
272 }
273
274 // permission check
275 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
276 ACCOUNT_LOGE("account manager service, permission denied!");
277 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
278 }
279
280 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
281 }
282
IsOsAccountVerified(const int id,bool & isVerified)283 ErrCode OsAccountManagerService::IsOsAccountVerified(const int id, bool &isVerified)
284 {
285 ErrCode res = CheckInvalidLocalId(id);
286 if (res != ERR_OK) {
287 return res;
288 }
289 // check current account state
290 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
291 if (callerUserId == id) {
292 return innerManager_.IsOsAccountVerified(id, isVerified);
293 }
294
295 // check other account state, check permission first
296 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
297 ACCOUNT_LOGE("account manager service, permission denied!");
298 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
299 }
300
301 return innerManager_.IsOsAccountVerified(id, isVerified);
302 }
303
GetCreatedOsAccountsCount(unsigned int & osAccountsCount)304 ErrCode OsAccountManagerService::GetCreatedOsAccountsCount(unsigned int &osAccountsCount)
305 {
306 // permission check
307 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
308 ACCOUNT_LOGE("account manager service, permission denied!");
309 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
310 }
311
312 return innerManager_.GetCreatedOsAccountsCount(osAccountsCount);
313 }
314
GetOsAccountLocalIdFromProcess(int & id)315 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromProcess(int &id)
316 {
317 const std::int32_t uid = IPCSkeleton::GetCallingUid();
318 id = uid / UID_TRANSFORM_DIVISOR;
319 return ERR_OK;
320 }
321
IsMainOsAccount(bool & isMainOsAccount)322 ErrCode OsAccountManagerService::IsMainOsAccount(bool &isMainOsAccount)
323 {
324 // permission check
325 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
326 ACCOUNT_LOGW("account manager service, permission denied!");
327 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
328 }
329
330 const std::int32_t uid = IPCSkeleton::GetCallingUid();
331 isMainOsAccount = ((uid / UID_TRANSFORM_DIVISOR) == MAIN_OS_ACCOUNT_LOCAL_ID);
332 return ERR_OK;
333 }
334
GetOsAccountLocalIdFromDomain(const DomainAccountInfo & domainInfo,int & id)335 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)
336 {
337 if (domainInfo.domain_.empty() || domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
338 ACCOUNT_LOGE("domain name length invalid. length %{public}zu.", domainInfo.domain_.size());
339 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
340 }
341
342 if (domainInfo.accountName_.empty() || domainInfo.accountName_.size() > Constants::DOMAIN_ACCOUNT_NAME_MAX_SIZE) {
343 ACCOUNT_LOGE("accountName length invalid. length %{public}zu.", domainInfo.accountName_.size());
344 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
345 }
346 // permission check
347 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
348 ACCOUNT_LOGE("account manager service, permission denied!");
349 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
350 }
351
352 return innerManager_.GetOsAccountLocalIdFromDomain(domainInfo, id);
353 }
354
QueryMaxOsAccountNumber(int & maxOsAccountNumber)355 ErrCode OsAccountManagerService::QueryMaxOsAccountNumber(int &maxOsAccountNumber)
356 {
357 return innerManager_.QueryMaxOsAccountNumber(maxOsAccountNumber);
358 }
359
GetOsAccountAllConstraints(const int id,std::vector<std::string> & constraints)360 ErrCode OsAccountManagerService::GetOsAccountAllConstraints(const int id, std::vector<std::string> &constraints)
361 {
362 ErrCode res = CheckInvalidLocalId(id);
363 if (res != ERR_OK) {
364 return res;
365 }
366 // permission check
367 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
368 ACCOUNT_LOGE("account manager service, permission denied!");
369 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
370 }
371
372 return innerManager_.GetOsAccountAllConstraints(id, constraints);
373 }
374
QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> & osAccountInfos)375 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)
376 {
377 // permission check
378 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
379 ACCOUNT_LOGE("account manager service, permission denied!");
380 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
381 }
382
383 return innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
384 }
385
QueryCurrentOsAccount(OsAccountInfo & osAccountInfo)386 ErrCode OsAccountManagerService::QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)
387 {
388 // permission check
389 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && (!PermissionCheck(GET_LOCAL_ACCOUNTS, ""))) {
390 ACCOUNT_LOGE("account manager service, permission denied!");
391 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
392 }
393
394 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
395 return innerManager_.QueryOsAccountById(id, osAccountInfo);
396 }
397
QueryOsAccountById(const int id,OsAccountInfo & osAccountInfo)398 ErrCode OsAccountManagerService::QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)
399 {
400 // parameters check
401 ErrCode res = CheckLocalId(id);
402 if (res != ERR_OK) {
403 return res;
404 }
405 // permission check
406 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") &&
407 !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
408 ACCOUNT_LOGE("account manager service, permission denied!");
409 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
410 }
411
412 return innerManager_.QueryOsAccountById(id, osAccountInfo);
413 }
414
GetOsAccountTypeFromProcess(OsAccountType & type)415 ErrCode OsAccountManagerService::GetOsAccountTypeFromProcess(OsAccountType &type)
416 {
417 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
418 return innerManager_.GetOsAccountType(id, type);
419 }
420
GetOsAccountProfilePhoto(const int id,std::string & photo)421 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(const int id, std::string &photo)
422 {
423 ErrCode result = CheckLocalId(id);
424 if (result != ERR_OK) {
425 return result;
426 }
427 // get current account photo
428 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
429 if (callerUserId == id) {
430 return innerManager_.GetOsAccountProfilePhoto(id, photo);
431 }
432
433 // get other account photo, check permission first
434 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
435 ACCOUNT_LOGE("account manager service, permission denied!");
436 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
437 }
438
439 return innerManager_.GetOsAccountProfilePhoto(id, photo);
440 }
441
IsMultiOsAccountEnable(bool & isMultiOsAccountEnable)442 ErrCode OsAccountManagerService::IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)
443 {
444 return innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
445 }
446
SetOsAccountName(const int id,const std::string & name)447 ErrCode OsAccountManagerService::SetOsAccountName(const int id, const std::string &name)
448 {
449 // parameters check
450 ErrCode res = CheckLocalId(id);
451 if (res != ERR_OK) {
452 return res;
453 }
454 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
455 ACCOUNT_LOGE("set os account name is out of allowed size");
456 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
457 }
458 if (name.size() <= 0) {
459 ACCOUNT_LOGE("os account name is empty");
460 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
461 }
462
463 // permission check
464 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
465 ACCOUNT_LOGE("account manager service, permission denied!");
466 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
467 }
468
469 return innerManager_.SetOsAccountName(id, name);
470 }
471
SetOsAccountConstraints(const int id,const std::vector<std::string> & constraints,const bool enable)472 ErrCode OsAccountManagerService::SetOsAccountConstraints(
473 const int id, const std::vector<std::string> &constraints, const bool enable)
474 {
475 ErrCode res = CheckLocalId(id);
476 if (res != ERR_OK) {
477 return res;
478 }
479
480 // permission check
481 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
482 ACCOUNT_LOGE("account manager service, permission denied!");
483 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
484 }
485
486 return innerManager_.SetBaseOsAccountConstraints(id, constraints, enable);
487 }
488
SetOsAccountProfilePhoto(const int id,const std::string & photo)489 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(const int id, const std::string &photo)
490 {
491 // parameters check
492 ErrCode res = CheckLocalId(id);
493 if (res != ERR_OK) {
494 return res;
495 }
496 if (photo.size() > Constants::LOCAL_PHOTO_MAX_SIZE) {
497 ACCOUNT_LOGE("photo out of allowed size");
498 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
499 }
500 if (photo.empty()) {
501 ACCOUNT_LOGE("photo is empty");
502 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
503 }
504 // permission check
505 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_SET_ICON)) {
506 ACCOUNT_LOGE("account manager service, permission denied!");
507 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
508 }
509
510 return innerManager_.SetOsAccountProfilePhoto(id, photo);
511 }
512
ActivateOsAccount(const int id)513 ErrCode OsAccountManagerService::ActivateOsAccount(const int id)
514 {
515 // parameters check
516 ErrCode res = CheckLocalId(id);
517 if (res != ERR_OK) {
518 return res;
519 }
520
521 // permission check
522 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, CONSTANT_ACTIVATE)) {
523 ACCOUNT_LOGE("account manager service, permission denied!");
524 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
525 }
526
527 return innerManager_.ActivateOsAccount(id);
528 }
529
DeactivateOsAccount(const int id)530 ErrCode OsAccountManagerService::DeactivateOsAccount(const int id)
531 {
532 // parameters check
533 ErrCode res = CheckLocalId(id);
534 if (res != ERR_OK) {
535 return res;
536 }
537
538 // permission check
539 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
540 ACCOUNT_LOGE("account manager service, permission denied!");
541 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
542 }
543 int32_t currentId = Constants::START_USER_ID;
544 GetCurrentLocalId(currentId);
545
546 res = innerManager_.DeactivateOsAccount(id);
547 if (res != ERR_OK) {
548 return res;
549 }
550
551 if (currentId == id) { // if stop current account
552 #ifdef SUPPROT_STOP_MAIN_OS_ACCOUNT
553 ActivateOsAccount(id);
554 #else
555 ActivateOsAccount(Constants::START_USER_ID);
556 #endif // SUPPROT_STOP_MAIN_OS_ACCOUNT
557 }
558 return ERR_OK;
559 }
560
GetCurrentLocalId(int32_t & userId)561 void OsAccountManagerService::GetCurrentLocalId(int32_t &userId)
562 {
563 std::vector<int32_t> userIds;
564 if ((innerManager_.QueryActiveOsAccountIds(userIds) != ERR_OK) || userIds.empty()) {
565 ACCOUNT_LOGE("fail to get activated os account ids");
566 return;
567 }
568 userId = userIds[0];
569 return;
570 }
571
StartOsAccount(const int id)572 ErrCode OsAccountManagerService::StartOsAccount(const int id)
573 {
574 return innerManager_.StartOsAccount(id);
575 }
576
StopOsAccount(const int id)577 ErrCode OsAccountManagerService::StopOsAccount(const int id)
578 {
579 return innerManager_.StopOsAccount(id);
580 }
581
SubscribeOsAccount(const OsAccountSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)582 ErrCode OsAccountManagerService::SubscribeOsAccount(
583 const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)
584 {
585 // permission check
586 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
587 ACCOUNT_LOGE("account manager service, permission denied!");
588 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
589 }
590
591 return innerManager_.SubscribeOsAccount(subscribeInfo, eventListener);
592 }
593
UnsubscribeOsAccount(const sptr<IRemoteObject> & eventListener)594 ErrCode OsAccountManagerService::UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)
595 {
596 // permission check
597 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
598 ACCOUNT_LOGE("account manager service, permission denied!");
599 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
600 }
601
602 return innerManager_.UnsubscribeOsAccount(eventListener);
603 }
604
GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber,int & id)605 ErrCode OsAccountManagerService::GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)
606 {
607 return innerManager_.GetOsAccountLocalIdBySerialNumber(serialNumber, id);
608 }
609
GetSerialNumberByOsAccountLocalId(const int & id,int64_t & serialNumber)610 ErrCode OsAccountManagerService::GetSerialNumberByOsAccountLocalId(const int &id, int64_t &serialNumber)
611 {
612 ErrCode result = CheckInvalidLocalId(id);
613 if (result != ERR_OK) {
614 return result;
615 }
616 return innerManager_.GetSerialNumberByOsAccountLocalId(id, serialNumber);
617 }
618
GetOsAccountSwitchMod()619 OS_ACCOUNT_SWITCH_MOD OsAccountManagerService::GetOsAccountSwitchMod()
620 {
621 return innerManager_.GetOsAccountSwitchMod();
622 }
623
IsCurrentOsAccountVerified(bool & isVerified)624 ErrCode OsAccountManagerService::IsCurrentOsAccountVerified(bool &isVerified)
625 {
626 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
627 return innerManager_.IsOsAccountVerified(id, isVerified);
628 }
629
IsOsAccountCompleted(const int id,bool & isOsAccountCompleted)630 ErrCode OsAccountManagerService::IsOsAccountCompleted(const int id, bool &isOsAccountCompleted)
631 {
632 return innerManager_.IsOsAccountCompleted(id, isOsAccountCompleted);
633 }
634
SetCurrentOsAccountIsVerified(const bool isVerified)635 ErrCode OsAccountManagerService::SetCurrentOsAccountIsVerified(const bool isVerified)
636 {
637 // permission check
638 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
639 ACCOUNT_LOGE("account manager service, permission denied!");
640 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
641 }
642
643 // parameters check
644 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
645 ErrCode res = CheckLocalId(id);
646 if (res != ERR_OK) {
647 return res;
648 }
649
650 return innerManager_.SetOsAccountIsVerified(id, isVerified);
651 }
652
SetOsAccountIsVerified(const int id,const bool isVerified)653 ErrCode OsAccountManagerService::SetOsAccountIsVerified(const int id, const bool isVerified)
654 {
655 // parameters check
656 ErrCode res = CheckLocalId(id);
657 if (res != ERR_OK) {
658 return res;
659 }
660
661 // permission check
662 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
663 ACCOUNT_LOGE("account manager service, permission denied!");
664 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
665 }
666
667 return innerManager_.SetOsAccountIsVerified(id, isVerified);
668 }
669
DumpState(const int & id,std::vector<std::string> & state)670 ErrCode OsAccountManagerService::DumpState(const int &id, std::vector<std::string> &state)
671 {
672 state.clear();
673
674 // permission check
675 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
676 ACCOUNT_LOGE("account manager service, permission denied!");
677 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
678 }
679
680 ErrCode result = ERR_OK;
681 std::vector<OsAccountInfo> osAccountInfos;
682
683 if (id == -1) {
684 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
685 if (result != ERR_OK) {
686 return result;
687 }
688 } else {
689 OsAccountInfo osAccountInfo;
690 result = innerManager_.QueryOsAccountById(id, osAccountInfo);
691 if (result != ERR_OK) {
692 return result;
693 }
694
695 osAccountInfos.emplace_back(osAccountInfo);
696 }
697
698 return DumpStateByAccounts(osAccountInfos, state);
699 }
700
DumpOsAccountInfo(std::vector<std::string> & state)701 ErrCode OsAccountManagerService::DumpOsAccountInfo(std::vector<std::string> &state)
702 {
703 state.clear();
704
705 ErrCode result = ERR_OK;
706 std::vector<OsAccountInfo> osAccountInfos;
707 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
708 if (result != ERR_OK) {
709 return result;
710 }
711
712 return DumpStateByAccounts(osAccountInfos, state);
713 }
714
GetCreatedOsAccountNumFromDatabase(const std::string & storeID,int & createdOsAccountNum)715 ErrCode OsAccountManagerService::GetCreatedOsAccountNumFromDatabase(const std::string& storeID,
716 int &createdOsAccountNum)
717 {
718 // permission check
719 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
720 ACCOUNT_LOGE("account manager service, permission denied!");
721 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
722 }
723
724 return innerManager_.GetCreatedOsAccountNumFromDatabase(storeID, createdOsAccountNum);
725 }
726
CreateBasicAccounts()727 void OsAccountManagerService::CreateBasicAccounts()
728 {
729 ACCOUNT_LOGI("enter!");
730 innerManager_.Init();
731 ACCOUNT_LOGI("exit!");
732 }
733
GetSerialNumberFromDatabase(const std::string & storeID,int64_t & serialNumber)734 ErrCode OsAccountManagerService::GetSerialNumberFromDatabase(const std::string& storeID,
735 int64_t &serialNumber)
736 {
737 return innerManager_.GetSerialNumberFromDatabase(storeID, serialNumber);
738 }
739
GetMaxAllowCreateIdFromDatabase(const std::string & storeID,int & id)740 ErrCode OsAccountManagerService::GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)
741 {
742 return innerManager_.GetMaxAllowCreateIdFromDatabase(storeID, id);
743 }
744
GetOsAccountFromDatabase(const std::string & storeID,const int id,OsAccountInfo & osAccountInfo)745 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
746 const int id, OsAccountInfo &osAccountInfo)
747 {
748 // permission check
749 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
750 ACCOUNT_LOGE("account manager service, permission denied!");
751 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
752 }
753
754 return innerManager_.GetOsAccountFromDatabase(storeID, id, osAccountInfo);
755 }
756
GetOsAccountListFromDatabase(const std::string & storeID,std::vector<OsAccountInfo> & osAccountList)757 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
758 std::vector<OsAccountInfo> &osAccountList)
759 {
760 // permission check
761 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
762 ACCOUNT_LOGE("account manager service, permission denied!");
763 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
764 }
765
766 return innerManager_.GetOsAccountListFromDatabase(storeID, osAccountList);
767 }
768
DumpStateByAccounts(const std::vector<OsAccountInfo> & osAccountInfos,std::vector<std::string> & state)769 ErrCode OsAccountManagerService::DumpStateByAccounts(
770 const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)
771 {
772 ACCOUNT_LOGD("enter");
773 for (auto osAccountInfo : osAccountInfos) {
774 std::string info = "";
775
776 std::string localId = std::to_string(osAccountInfo.GetLocalId());
777 state.emplace_back("ID: " + localId);
778
779 std::string localName = osAccountInfo.GetLocalName();
780 state.emplace_back(DUMP_TAB_CHARACTER + "Name: " + AnonymizeNameStr(localName));
781
782 std::string type = "";
783 auto it = DUMP_TYPE_MAP.find(osAccountInfo.GetType());
784 if (it != DUMP_TYPE_MAP.end()) {
785 type = it->second;
786 } else {
787 type = "unknown";
788 }
789 state.emplace_back(DUMP_TAB_CHARACTER + "Type: " + type);
790 state.emplace_back(DUMP_TAB_CHARACTER + "Status: " +
791 (osAccountInfo.GetIsActived() ? "active" : "inactive"));
792
793 state.emplace_back(DUMP_TAB_CHARACTER + "Constraints:");
794 auto constraints = osAccountInfo.GetConstraints();
795 std::transform(constraints.begin(), constraints.end(), std::back_inserter(state),
796 [](auto constraint) {return DUMP_TAB_CHARACTER + DUMP_TAB_CHARACTER + constraint; });
797
798 state.emplace_back(DUMP_TAB_CHARACTER + "Verified: " +
799 (osAccountInfo.GetIsVerified() ? "true" : "false"));
800
801 int64_t serialNumber = osAccountInfo.GetSerialNumber();
802 state.emplace_back(DUMP_TAB_CHARACTER + "Serial Number: " + std::to_string(serialNumber));
803 state.emplace_back(DUMP_TAB_CHARACTER + "Create Completed: " +
804 (osAccountInfo.GetIsCreateCompleted() ? "true" : "false"));
805 state.emplace_back(DUMP_TAB_CHARACTER + "To Be Removed: " +
806 (osAccountInfo.GetToBeRemoved() ? "true" : "false"));
807 state.emplace_back("\n");
808 }
809
810 return ERR_OK;
811 }
812
QueryActiveOsAccountIds(std::vector<int32_t> & ids)813 ErrCode OsAccountManagerService::QueryActiveOsAccountIds(std::vector<int32_t>& ids)
814 {
815 return innerManager_.QueryActiveOsAccountIds(ids);
816 }
817
QueryOsAccountConstraintSourceTypes(const int32_t id,const std::string & constraint,std::vector<ConstraintSourceTypeInfo> & constraintSourceTypeInfos)818 ErrCode OsAccountManagerService::QueryOsAccountConstraintSourceTypes(const int32_t id,
819 const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)
820 {
821 // parameters check
822 ErrCode res = CheckLocalId(id);
823 if (res != ERR_OK) {
824 return res;
825 }
826 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
827 ACCOUNT_LOGE("constraint length is invalid. length %{public}zu.", constraint.size());
828 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
829 }
830
831 // permission check
832 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
833 ACCOUNT_LOGE("account manager service, permission denied!");
834 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
835 }
836
837 return innerManager_.QueryOsAccountConstraintSourceTypes(id, constraint, constraintSourceTypeInfos);
838 }
839
SetGlobalOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t enforcerId,const bool isDeviceOwner)840 ErrCode OsAccountManagerService::SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints,
841 const bool enable, const int32_t enforcerId, const bool isDeviceOwner)
842 {
843 // permission check
844 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
845 ACCOUNT_LOGE("account manager service, permission denied!");
846 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
847 }
848
849 return innerManager_.SetGlobalOsAccountConstraints(constraints, enable, enforcerId, isDeviceOwner);
850 }
851
SetSpecificOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t targetId,const int32_t enforcerId,const bool isDeviceOwner)852 ErrCode OsAccountManagerService::SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints,
853 const bool enable, const int32_t targetId, const int32_t enforcerId, const bool isDeviceOwner)
854 {
855 // permission check
856 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
857 ACCOUNT_LOGE("account manager service, permission denied!");
858 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
859 }
860
861 // parameters check
862 if (targetId < Constants::START_USER_ID || enforcerId < Constants::START_USER_ID) {
863 ACCOUNT_LOGE("invalid input account id %{public}d or %{public}d.", targetId, enforcerId);
864 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
865 }
866
867 return innerManager_.SetSpecificOsAccountConstraints(constraints, enable, targetId, enforcerId, isDeviceOwner);
868 }
869
SetDefaultActivatedOsAccount(const int32_t id)870 ErrCode OsAccountManagerService::SetDefaultActivatedOsAccount(const int32_t id)
871 {
872 // parameters check
873 ErrCode ret = CheckLocalId(id);
874 if (ret != ERR_OK) {
875 return ret;
876 }
877
878 // permission check
879 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
880 ACCOUNT_LOGE("account manager service, permission denied!");
881 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
882 }
883
884 return innerManager_.SetDefaultActivatedOsAccount(id);
885 }
886
GetDefaultActivatedOsAccount(int32_t & id)887 ErrCode OsAccountManagerService::GetDefaultActivatedOsAccount(int32_t &id)
888 {
889 return innerManager_.GetDefaultActivatedOsAccount(id);
890 }
891
GetOsAccountShortName(std::string & shortName)892 ErrCode OsAccountManagerService::GetOsAccountShortName(std::string &shortName)
893 {
894 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
895 ErrCode errCode = innerManager_.GetOsAccountShortName(id, shortName);
896 if (errCode != ERR_OK) {
897 ACCOUNT_LOGE("GetOsAccountShortName error %{public}d", errCode);
898 return errCode;
899 }
900 return ERR_OK;
901 }
902
PermissionCheck(const std::string & permissionName,const std::string & constraintName)903 bool OsAccountManagerService::PermissionCheck(const std::string& permissionName, const std::string& constraintName)
904 {
905 int callerUid = IPCSkeleton::GetCallingUid();
906 #ifndef IS_RELEASE_VERSION
907 // root check in none release version for test
908 if (callerUid == ROOT_UID) {
909 return true;
910 }
911 #endif
912
913 // constraints check
914 if (!constraintName.empty()) {
915 int callerUserId = callerUid / UID_TRANSFORM_DIVISOR;
916 bool isEnable = true;
917 innerManager_.IsOsAccountConstraintEnable(callerUserId, constraintName, isEnable);
918 if (isEnable) {
919 ACCOUNT_LOGE("constraint check %{public}s failed.", constraintName.c_str());
920 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingPid(), constraintName);
921 return false;
922 }
923 }
924
925 // permission check
926 if ((permissionName.empty()) || (AccountPermissionManager::VerifyPermission(permissionName) == ERR_OK)) {
927 return true;
928 }
929
930 ACCOUNT_LOGE("failed to verify permission for %{public}s.", permissionName.c_str());
931 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingPid(), permissionName);
932 return false;
933 }
934
CheckCreateOsAccountWhiteList()935 bool OsAccountManagerService::CheckCreateOsAccountWhiteList()
936 {
937 return uidWhiteListForCreation.find(GetCallingUid()) != uidWhiteListForCreation.end();
938 }
939 } // namespace AccountSA
940 } // namespace OHOS
941