1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_manager_service.h"
17
18 #include <unistd.h>
19
20 #include "access_token.h"
21 #include "access_token_error.h"
22 #include "access_token_db.h"
23 #include "accesstoken_dfx_define.h"
24 #include "accesstoken_id_manager.h"
25 #include "accesstoken_info_manager.h"
26 #include "accesstoken_common_log.h"
27 #include "constant_common.h"
28 #include "data_validator.h"
29 #include "hap_token_info.h"
30 #include "hap_token_info_inner.h"
31 #include "hisysevent_adapter.h"
32 #ifdef HITRACE_NATIVE_ENABLE
33 #include "hitrace_meter.h"
34 #endif
35 #include "ipc_skeleton.h"
36 #include "json_parse_loader.h"
37 #include "libraryloader.h"
38 #include "memory_guard.h"
39 #include "parameter.h"
40 #include "parameters.h"
41 #include "permission_list_state.h"
42 #include "permission_manager.h"
43 #include "permission_map.h"
44 #include "permission_validator.h"
45 #include "short_grant_manager.h"
46 #include "string_ex.h"
47 #include "system_ability_definition.h"
48 #include "token_field_const.h"
49 #ifdef TOKEN_SYNC_ENABLE
50 #include "token_modify_notifier.h"
51 #endif // TOKEN_SYNC_ENABLE
52
53 namespace OHOS {
54 namespace Security {
55 namespace AccessToken {
56 namespace {
57 static const char* ACCESS_TOKEN_SERVICE_INIT_KEY = "accesstoken.permission.init";
58 constexpr int32_t ERROR = -1;
59 constexpr int TWO_ARGS = 2;
60 const char* GRANT_ABILITY_BUNDLE_NAME = "com.ohos.permissionmanager";
61 const char* GRANT_ABILITY_ABILITY_NAME = "com.ohos.permissionmanager.GrantAbility";
62 const char* PERMISSION_STATE_SHEET_ABILITY_NAME = "com.ohos.permissionmanager.PermissionStateSheetAbility";
63 const char* GLOBAL_SWITCH_SHEET_ABILITY_NAME = "com.ohos.permissionmanager.GlobalSwitchSheetAbility";
64 const char* APPLICATION_SETTING_ABILITY_NAME = "com.ohos.permissionmanager.MainAbility";
65 const char* DEVELOPER_MODE_STATE = "const.security.developermode.state";
66 }
67
68 const bool REGISTER_RESULT =
69 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
70
AccessTokenManagerService()71 AccessTokenManagerService::AccessTokenManagerService()
72 : SystemAbility(SA_ID_ACCESSTOKEN_MANAGER_SERVICE, true), state_(ServiceRunningState::STATE_NOT_START)
73 {
74 LOGI(ATM_DOMAIN, ATM_TAG, "AccessTokenManagerService()");
75 }
76
~AccessTokenManagerService()77 AccessTokenManagerService::~AccessTokenManagerService()
78 {
79 LOGI(ATM_DOMAIN, ATM_TAG, "~AccessTokenManagerService()");
80 }
81
OnStart()82 void AccessTokenManagerService::OnStart()
83 {
84 if (state_ == ServiceRunningState::STATE_RUNNING) {
85 LOGI(ATM_DOMAIN, ATM_TAG, "AccessTokenManagerService has already started!");
86 return;
87 }
88 LOGI(ATM_DOMAIN, ATM_TAG, "AccessTokenManagerService is starting.");
89 if (!Initialize()) {
90 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to initialize.");
91 return;
92 }
93 state_ = ServiceRunningState::STATE_RUNNING;
94 bool ret = Publish(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
95 if (!ret) {
96 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to publish service!");
97 ReportSysEventServiceStartError(SA_PUBLISH_FAILED, "Publish accesstoken_service fail.", ERROR);
98 return;
99 }
100 AccessTokenServiceParamSet();
101 (void)AddSystemAbilityListener(SECURITY_COMPONENT_SERVICE_ID);
102 #ifdef TOKEN_SYNC_ENABLE
103 (void)AddSystemAbilityListener(DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID);
104 #endif
105 LOGI(ATM_DOMAIN, ATM_TAG, "Congratulations, AccessTokenManagerService start successfully!");
106 }
107
OnStop()108 void AccessTokenManagerService::OnStop()
109 {
110 LOGI(ATM_DOMAIN, ATM_TAG, "Stop service.");
111 state_ = ServiceRunningState::STATE_NOT_START;
112 }
113
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)114 void AccessTokenManagerService::OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
115 {
116 #ifdef TOKEN_SYNC_ENABLE
117 if (systemAbilityId == DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID) {
118 AccessTokenInfoManager::GetInstance().InitDmCallback();
119 }
120 #endif
121 }
122
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)123 void AccessTokenManagerService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
124 {
125 if (systemAbilityId == SECURITY_COMPONENT_SERVICE_ID) {
126 HapTokenInfoInner::ClearAllSecCompGrantedPerm();
127 return;
128 }
129 }
130
GetPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName)131 PermUsedTypeEnum AccessTokenManagerService::GetPermissionUsedType(
132 AccessTokenID tokenID, const std::string& permissionName)
133 {
134 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permission=%{public}s", tokenID, permissionName.c_str());
135 return PermissionManager::GetInstance().GetPermissionUsedType(tokenID, permissionName);
136 }
137
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)138 int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
139 {
140 #ifdef HITRACE_NATIVE_ENABLE
141 StartTrace(HITRACE_TAG_ACCESS_CONTROL, "AccessTokenVerifyPermission");
142 #endif
143 int32_t res = AccessTokenInfoManager::GetInstance().VerifyAccessToken(tokenID, permissionName);
144 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, permission: %{public}s, res %{public}d",
145 tokenID, permissionName.c_str(), res);
146 if ((res == PERMISSION_GRANTED) &&
147 (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) == TOKEN_HAP)) {
148 res = AccessTokenInfoManager::GetInstance().IsPermissionRestrictedByUserPolicy(tokenID, permissionName) ?
149 PERMISSION_DENIED : PERMISSION_GRANTED;
150 }
151 #ifdef HITRACE_NATIVE_ENABLE
152 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
153 #endif
154 return res;
155 }
156
VerifyAccessToken(AccessTokenID tokenID,const std::vector<std::string> & permissionList,std::vector<int32_t> & permStateList)157 int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID,
158 const std::vector<std::string>& permissionList, std::vector<int32_t>& permStateList)
159 {
160 permStateList.clear();
161 permStateList.resize(permissionList.size(), PERMISSION_DENIED);
162 for (size_t i = 0; i < permissionList.size(); i++) {
163 permStateList[i] = VerifyAccessToken(tokenID, permissionList[i]);
164 }
165 return RET_SUCCESS;
166 }
167
GetDefPermission(const std::string & permissionName,PermissionDefParcel & permissionDefResult)168 int AccessTokenManagerService::GetDefPermission(
169 const std::string& permissionName, PermissionDefParcel& permissionDefResult)
170 {
171 LOGI(ATM_DOMAIN, ATM_TAG, "Permission: %{public}s", permissionName.c_str());
172
173 // for ipc call not by accesstoken client
174 if (!DataValidator::IsPermissionNameValid(permissionName)) {
175 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid");
176 return AccessTokenError::ERR_PARAM_INVALID;
177 }
178
179 PermissionBriefDef briefDef;
180 if (!GetPermissionBriefDef(permissionName, briefDef)) {
181 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
182 }
183
184 ConvertPermissionBriefToDef(briefDef, permissionDefResult.permissionDef);
185
186 if (briefDef.grantMode == GrantMode::SYSTEM_GRANT) {
187 return 0;
188 }
189
190 GenericValues conditionValue;
191 conditionValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
192
193 std::vector<GenericValues> results;
194 int32_t res = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, conditionValue, results);
195 if (res != 0) {
196 return res;
197 }
198
199 if (results.empty()) {
200 // user grant permission has define in map, not exsit in db
201 return AccessTokenError::ERR_SERVICE_ABNORMAL;
202 }
203
204 permissionDefResult.permissionDef.labelId = results[0].GetInt(TokenFiledConst::FIELD_LABEL_ID);
205 permissionDefResult.permissionDef.descriptionId = results[0].GetInt(TokenFiledConst::FIELD_DESCRIPTION_ID);
206
207 return 0;
208 }
209
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStatusParcel> & reqPermList,bool isSystemGrant)210 int AccessTokenManagerService::GetReqPermissions(
211 AccessTokenID tokenID, std::vector<PermissionStatusParcel>& reqPermList, bool isSystemGrant)
212 {
213 std::vector<PermissionStatus> permList;
214 int ret = PermissionManager::GetInstance().GetReqPermissions(tokenID, permList, isSystemGrant);
215
216 for (const auto& perm : permList) {
217 PermissionStatusParcel permParcel;
218 permParcel.permState = perm;
219 reqPermList.emplace_back(permParcel);
220 }
221 return ret;
222 }
223
GetSelfPermissionsState(std::vector<PermissionListStateParcel> & reqPermList,PermissionGrantInfoParcel & infoParcel)224 PermissionOper AccessTokenManagerService::GetSelfPermissionsState(std::vector<PermissionListStateParcel>& reqPermList,
225 PermissionGrantInfoParcel& infoParcel)
226 {
227 infoParcel.info.grantBundleName = grantBundleName_;
228 infoParcel.info.grantAbilityName = grantAbilityName_;
229 infoParcel.info.grantServiceAbilityName = grantServiceAbilityName_;
230 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
231 return GetPermissionsState(callingTokenID, reqPermList);
232 }
233
GetPermissionsStatus(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList)234 int32_t AccessTokenManagerService::GetPermissionsStatus(AccessTokenID tokenID,
235 std::vector<PermissionListStateParcel>& reqPermList)
236 {
237 if (!AccessTokenInfoManager::GetInstance().IsTokenIdExist(tokenID)) {
238 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d does not exist", tokenID);
239 return ERR_TOKENID_NOT_EXIST;
240 }
241 PermissionOper ret = GetPermissionsState(tokenID, reqPermList);
242 return ret == INVALID_OPER ? RET_FAILED : RET_SUCCESS;
243 }
244
GetPermissionsState(AccessTokenID tokenID,std::vector<PermissionListStateParcel> & reqPermList)245 PermissionOper AccessTokenManagerService::GetPermissionsState(AccessTokenID tokenID,
246 std::vector<PermissionListStateParcel>& reqPermList)
247 {
248 int32_t apiVersion = 0;
249 if (!PermissionManager::GetInstance().GetApiVersionByTokenId(tokenID, apiVersion)) {
250 LOGE(ATM_DOMAIN, ATM_TAG, "Get api version error");
251 return INVALID_OPER;
252 }
253 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, apiVersion: %{public}d", tokenID, apiVersion);
254
255 bool needRes = false;
256 std::vector<PermissionStatus> permsList;
257 int retUserGrant = PermissionManager::GetInstance().GetReqPermissions(tokenID, permsList, false);
258 int retSysGrant = PermissionManager::GetInstance().GetReqPermissions(tokenID, permsList, true);
259 if ((retSysGrant != RET_SUCCESS) || (retUserGrant != RET_SUCCESS)) {
260 LOGE(ATM_DOMAIN, ATM_TAG,
261 "GetReqPermissions failed, retUserGrant:%{public}d, retSysGrant:%{public}d",
262 retUserGrant, retSysGrant);
263 return INVALID_OPER;
264 }
265
266 // api9 location permission handle here
267 if (apiVersion >= ACCURATE_LOCATION_API_VERSION) {
268 needRes = PermissionManager::GetInstance().LocationPermissionSpecialHandle(
269 tokenID, reqPermList, permsList, apiVersion);
270 }
271
272 uint32_t size = reqPermList.size();
273 for (uint32_t i = 0; i < size; i++) {
274 // api9 location permission special handle above
275 if (((reqPermList[i].permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) ||
276 (reqPermList[i].permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) ||
277 (reqPermList[i].permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME)) &&
278 (apiVersion >= ACCURATE_LOCATION_API_VERSION)) {
279 continue;
280 }
281
282 PermissionManager::GetInstance().GetSelfPermissionState(permsList, reqPermList[i].permsState, apiVersion);
283 if (static_cast<PermissionOper>(reqPermList[i].permsState.state) == DYNAMIC_OPER) {
284 needRes = true;
285 }
286 LOGD(ATM_DOMAIN, ATM_TAG, "Perm: %{public}s, state: %{public}d",
287 reqPermList[i].permsState.permissionName.c_str(), reqPermList[i].permsState.state);
288 }
289 if (GetTokenType(tokenID) == TOKEN_HAP && AccessTokenInfoManager::GetInstance().GetPermDialogCap(tokenID)) {
290 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d is under control", tokenID);
291 uint32_t size = reqPermList.size();
292 for (uint32_t i = 0; i < size; i++) {
293 if (reqPermList[i].permsState.state != INVALID_OPER) {
294 reqPermList[i].permsState.state = FORBIDDEN_OPER;
295 reqPermList[i].permsState.errorReason = PRIVACY_STATEMENT_NOT_AGREED;
296 }
297 }
298 return FORBIDDEN_OPER;
299 }
300 if (needRes) {
301 return DYNAMIC_OPER;
302 }
303 return PASS_OPER;
304 }
305
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)306 int AccessTokenManagerService::GetPermissionFlag(
307 AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
308 {
309 return PermissionManager::GetInstance().GetPermissionFlag(tokenID, permissionName, flag);
310 }
311
SetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t status,int32_t userID=0)312 int32_t AccessTokenManagerService::SetPermissionRequestToggleStatus(
313 const std::string& permissionName, uint32_t status, int32_t userID = 0)
314 {
315 return AccessTokenInfoManager::GetInstance().SetPermissionRequestToggleStatus(permissionName, status, userID);
316 }
317
GetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t & status,int32_t userID=0)318 int32_t AccessTokenManagerService::GetPermissionRequestToggleStatus(
319 const std::string& permissionName, uint32_t& status, int32_t userID = 0)
320 {
321 return AccessTokenInfoManager::GetInstance().GetPermissionRequestToggleStatus(permissionName, status, userID);
322 }
323
RequestAppPermOnSetting(AccessTokenID tokenID)324 int32_t AccessTokenManagerService::RequestAppPermOnSetting(AccessTokenID tokenID)
325 {
326 HapTokenInfo hapInfo;
327 int32_t ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo);
328 if (ret != ERR_OK) {
329 LOGE(ATM_DOMAIN, ATM_TAG, "GetHapTokenInfo failed, err=%{public}d.", ret);
330 return ret;
331 }
332 return PermissionManager::GetInstance().RequestAppPermOnSetting(hapInfo,
333 grantBundleName_, applicationSettingAbilityName_);
334 }
335
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)336 int AccessTokenManagerService::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
337 {
338 int32_t ret = PermissionManager::GetInstance().GrantPermission(tokenID, permissionName, flag);
339 return ret;
340 }
341
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)342 int AccessTokenManagerService::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
343 {
344 return PermissionManager::GetInstance().RevokePermission(tokenID, permissionName, flag);
345 }
346
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)347 int AccessTokenManagerService::GrantPermissionForSpecifiedTime(
348 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
349 {
350 int32_t ret = PermissionManager::GetInstance().GrantPermissionForSpecifiedTime(tokenID, permissionName, onceTime);
351 return ret;
352 }
353
ClearUserGrantedPermissionState(AccessTokenID tokenID)354 int AccessTokenManagerService::ClearUserGrantedPermissionState(AccessTokenID tokenID)
355 {
356 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
357 AccessTokenInfoManager::GetInstance().ClearUserGrantedPermissionState(tokenID);
358 AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenID, false);
359 return RET_SUCCESS;
360 }
361
RegisterPermStateChangeCallback(const PermStateChangeScopeParcel & scope,const sptr<IRemoteObject> & callback)362 int32_t AccessTokenManagerService::RegisterPermStateChangeCallback(
363 const PermStateChangeScopeParcel& scope, const sptr<IRemoteObject>& callback)
364 {
365 return PermissionManager::GetInstance().AddPermStateChangeCallback(scope.scope, callback);
366 }
367
UnRegisterPermStateChangeCallback(const sptr<IRemoteObject> & callback)368 int32_t AccessTokenManagerService::UnRegisterPermStateChangeCallback(const sptr<IRemoteObject>& callback)
369 {
370 return PermissionManager::GetInstance().RemovePermStateChangeCallback(callback);
371 }
372
RegisterSelfPermStateChangeCallback(const PermStateChangeScopeParcel & scope,const sptr<IRemoteObject> & callback)373 int32_t AccessTokenManagerService::RegisterSelfPermStateChangeCallback(
374 const PermStateChangeScopeParcel& scope, const sptr<IRemoteObject>& callback)
375 {
376 return PermissionManager::GetInstance().AddPermStateChangeCallback(scope.scope, callback);
377 }
378
UnRegisterSelfPermStateChangeCallback(const sptr<IRemoteObject> & callback)379 int32_t AccessTokenManagerService::UnRegisterSelfPermStateChangeCallback(const sptr<IRemoteObject>& callback)
380 {
381 return PermissionManager::GetInstance().RemovePermStateChangeCallback(callback);
382 }
383
AllocHapToken(const HapInfoParcel & info,const HapPolicyParcel & policy)384 AccessTokenIDEx AccessTokenManagerService::AllocHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy)
385 {
386 LOGI(ATM_DOMAIN, ATM_TAG, "BundleName: %{public}s", info.hapInfoParameter.bundleName.c_str());
387 AccessTokenIDEx tokenIdEx;
388 tokenIdEx.tokenIDEx = 0LL;
389
390 int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
391 info.hapInfoParameter, policy.hapPolicy, tokenIdEx);
392 if (ret != RET_SUCCESS) {
393 LOGE(ATM_DOMAIN, ATM_TAG, "Hap token info create failed");
394 }
395 return tokenIdEx;
396 }
397
InitHapToken(const HapInfoParcel & info,HapPolicyParcel & policy,AccessTokenIDEx & fullTokenId,HapInfoCheckResult & result)398 int32_t AccessTokenManagerService::InitHapToken(const HapInfoParcel& info, HapPolicyParcel& policy,
399 AccessTokenIDEx& fullTokenId, HapInfoCheckResult& result)
400 {
401 LOGI(ATM_DOMAIN, ATM_TAG, "Init hap %{public}s.", info.hapInfoParameter.bundleName.c_str());
402 std::vector<PermissionStatus> initializedList;
403 if (info.hapInfoParameter.dlpType == DLP_COMMON) {
404 if (!PermissionManager::GetInstance().InitPermissionList(info.hapInfoParameter.appDistributionType,
405 policy.hapPolicy, initializedList, result)) {
406 return ERR_PERM_REQUEST_CFG_FAILED;
407 }
408 } else {
409 if (!PermissionManager::GetInstance().InitDlpPermissionList(
410 info.hapInfoParameter.bundleName, info.hapInfoParameter.userID, initializedList)) {
411 return ERR_PERM_REQUEST_CFG_FAILED;
412 }
413 }
414 policy.hapPolicy.permStateList = initializedList;
415
416 int32_t ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
417 info.hapInfoParameter, policy.hapPolicy, fullTokenId);
418 if (ret != RET_SUCCESS) {
419 return ret;
420 }
421
422 return ret;
423 }
424
DeleteToken(AccessTokenID tokenID)425 int AccessTokenManagerService::DeleteToken(AccessTokenID tokenID)
426 {
427 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
428 // only support hap token deletion
429 return AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID);
430 }
431
GetTokenType(AccessTokenID tokenID)432 int AccessTokenManagerService::GetTokenType(AccessTokenID tokenID)
433 {
434 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
435 return AccessTokenIDManager::GetInstance().GetTokenIdType(tokenID);
436 }
437
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)438 AccessTokenIDEx AccessTokenManagerService::GetHapTokenID(
439 int32_t userID, const std::string& bundleName, int32_t instIndex)
440 {
441 LOGD(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d, bundle: %{public}s, instIndex: %{public}d",
442 userID, bundleName.c_str(), instIndex);
443 return AccessTokenInfoManager::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
444 }
445
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)446 AccessTokenID AccessTokenManagerService::AllocLocalTokenID(
447 const std::string& remoteDeviceID, AccessTokenID remoteTokenID)
448 {
449 LOGI(ATM_DOMAIN, ATM_TAG, "RemoteDeviceID: %{public}s, remoteTokenID: %{public}d",
450 ConstantCommon::EncryptDevId(remoteDeviceID).c_str(), remoteTokenID);
451 AccessTokenID tokenID = AccessTokenInfoManager::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
452 return tokenID;
453 }
454
UpdateHapToken(AccessTokenIDEx & tokenIdEx,const UpdateHapInfoParams & info,const HapPolicyParcel & policyParcel,HapInfoCheckResult & result)455 int32_t AccessTokenManagerService::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info,
456 const HapPolicyParcel& policyParcel, HapInfoCheckResult& result)
457 {
458 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenIdEx.tokenIdExStruct.tokenID);
459 std::vector<PermissionStatus> InitializedList;
460 if (!PermissionManager::GetInstance().InitPermissionList(
461 info.appDistributionType, policyParcel.hapPolicy, InitializedList, result)) {
462 return ERR_PERM_REQUEST_CFG_FAILED;
463 }
464 int32_t ret = AccessTokenInfoManager::GetInstance().UpdateHapToken(tokenIdEx, info,
465 InitializedList, policyParcel.hapPolicy);
466 return ret;
467 }
GetTokenIDByUserID(int32_t userID,std::unordered_set<AccessTokenID> & tokenIdList)468 int32_t AccessTokenManagerService::GetTokenIDByUserID(int32_t userID, std::unordered_set<AccessTokenID>& tokenIdList)
469 {
470 LOGD(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d", userID);
471
472 return AccessTokenInfoManager::GetInstance().GetTokenIDByUserID(userID, tokenIdList);
473 }
474
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfoParcel & infoParcel)475 int AccessTokenManagerService::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfoParcel& infoParcel)
476 {
477 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
478
479 return AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, infoParcel.hapTokenInfoParams);
480 }
481
GetHapTokenInfoExtension(AccessTokenID tokenID,HapTokenInfoParcel & hapTokenInfoRes,std::string & appID)482 int AccessTokenManagerService::GetHapTokenInfoExtension(AccessTokenID tokenID,
483 HapTokenInfoParcel& hapTokenInfoRes, std::string& appID)
484 {
485 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d.", tokenID);
486 int ret = AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapTokenInfoRes.hapTokenInfoParams);
487 if (ret != RET_SUCCESS) {
488 LOGE(ATM_DOMAIN, ATM_TAG, "Get hap token info extenstion failed, ret is %{public}d.", ret);
489 return ret;
490 }
491
492 return AccessTokenInfoManager::GetInstance().GetHapAppIdByTokenId(tokenID, appID);
493 }
494
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfoParcel & infoParcel)495 int AccessTokenManagerService::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfoParcel& infoParcel)
496 {
497 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
498 NativeTokenInfoBase baseInfo;
499 int32_t ret = AccessTokenInfoManager::GetInstance().GetNativeTokenInfo(tokenID, baseInfo);
500 infoParcel.nativeTokenInfoParams.apl = baseInfo.apl;
501 infoParcel.nativeTokenInfoParams.processName = baseInfo.processName;
502 return ret;
503 }
504
505 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
ReloadNativeTokenInfo()506 int32_t AccessTokenManagerService::ReloadNativeTokenInfo()
507 {
508 LibraryLoader loader(CONFIG_PARSE_LIBPATH);
509 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
510 if (policy == nullptr) {
511 LOGE(ATM_DOMAIN, ATM_TAG, "Dlopen libaccesstoken_json_parse failed.");
512 return RET_FAILED;
513 }
514
515 std::vector<NativeTokenInfoBase> tokenInfos;
516 int32_t res = policy->GetAllNativeTokenInfo(tokenInfos);
517 if (res != RET_SUCCESS) {
518 return res;
519 }
520
521 AccessTokenInfoManager::GetInstance().InitNativeTokenInfos(tokenInfos);
522 return RET_SUCCESS;
523 }
524 #endif
525
GetNativeTokenId(const std::string & processName)526 AccessTokenID AccessTokenManagerService::GetNativeTokenId(const std::string& processName)
527 {
528 return AccessTokenInfoManager::GetInstance().GetNativeTokenId(processName);
529 }
530
531 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSyncParcel & hapSyncParcel)532 int AccessTokenManagerService::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
533 HapTokenInfoForSyncParcel& hapSyncParcel)
534 {
535 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d", tokenID);
536
537 return AccessTokenInfoManager::GetInstance().GetHapTokenInfoFromRemote(tokenID,
538 hapSyncParcel.hapTokenInfoForSyncParams);
539 }
540
SetRemoteHapTokenInfo(const std::string & deviceID,HapTokenInfoForSyncParcel & hapSyncParcel)541 int AccessTokenManagerService::SetRemoteHapTokenInfo(const std::string& deviceID,
542 HapTokenInfoForSyncParcel& hapSyncParcel)
543 {
544 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
545 int ret = AccessTokenInfoManager::GetInstance().SetRemoteHapTokenInfo(deviceID,
546 hapSyncParcel.hapTokenInfoForSyncParams);
547 return ret;
548 }
549
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)550 int AccessTokenManagerService::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
551 {
552 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID: %{public}s, token id %{public}d",
553 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
554 return AccessTokenInfoManager::GetInstance().DeleteRemoteToken(deviceID, tokenID);
555 }
556
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)557 AccessTokenID AccessTokenManagerService::GetRemoteNativeTokenID(const std::string& deviceID,
558 AccessTokenID tokenID)
559 {
560 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID: %{public}s, token id %{public}d",
561 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
562
563 return AccessTokenInfoManager::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
564 }
565
DeleteRemoteDeviceTokens(const std::string & deviceID)566 int AccessTokenManagerService::DeleteRemoteDeviceTokens(const std::string& deviceID)
567 {
568 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
569 return AccessTokenInfoManager::GetInstance().DeleteRemoteDeviceTokens(deviceID);
570 }
571
RegisterTokenSyncCallback(const sptr<IRemoteObject> & callback)572 int32_t AccessTokenManagerService::RegisterTokenSyncCallback(const sptr<IRemoteObject>& callback)
573 {
574 LOGI(ATM_DOMAIN, ATM_TAG, "Call token sync callback registed.");
575 return TokenModifyNotifier::GetInstance().RegisterTokenSyncCallback(callback);
576 }
577
UnRegisterTokenSyncCallback()578 int32_t AccessTokenManagerService::UnRegisterTokenSyncCallback()
579 {
580 LOGI(ATM_DOMAIN, ATM_TAG, "Call token sync callback unregisted.");
581 return TokenModifyNotifier::GetInstance().UnRegisterTokenSyncCallback();
582 }
583 #endif
584
DumpTokenInfo(const AtmToolsParamInfoParcel & infoParcel,std::string & dumpInfo)585 void AccessTokenManagerService::DumpTokenInfo(const AtmToolsParamInfoParcel& infoParcel, std::string& dumpInfo)
586 {
587 LOGI(ATM_DOMAIN, ATM_TAG, "Called");
588 bool isDeveloperMode = OHOS::system::GetBoolParameter(DEVELOPER_MODE_STATE, false);
589 if (!isDeveloperMode) {
590 dumpInfo = "Developer mode not support.";
591 return;
592 }
593
594 AccessTokenInfoManager::GetInstance().DumpTokenInfo(infoParcel.info, dumpInfo);
595 }
596
GetVersion(uint32_t & version)597 int32_t AccessTokenManagerService::GetVersion(uint32_t& version)
598 {
599 LOGI(ATM_DOMAIN, ATM_TAG, "Called");
600 version = DEFAULT_TOKEN_VERSION;
601 return RET_SUCCESS;
602 }
603
SetPermDialogCap(const HapBaseInfoParcel & hapBaseInfoParcel,bool enable)604 int32_t AccessTokenManagerService::SetPermDialogCap(const HapBaseInfoParcel& hapBaseInfoParcel, bool enable)
605 {
606 AccessTokenIDEx tokenIdEx = AccessTokenInfoManager::GetInstance().GetHapTokenID(
607 hapBaseInfoParcel.hapBaseInfo.userID,
608 hapBaseInfoParcel.hapBaseInfo.bundleName,
609 hapBaseInfoParcel.hapBaseInfo.instIndex);
610 int32_t ret = AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenIdEx.tokenIdExStruct.tokenID, enable);
611 // DFX
612 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "SET_PERMISSION_DIALOG_CAP",
613 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "TOKENID", tokenIdEx.tokenIdExStruct.tokenID,
614 "USERID", hapBaseInfoParcel.hapBaseInfo.userID, "BUNDLENAME", hapBaseInfoParcel.hapBaseInfo.bundleName,
615 "INSTINDEX", hapBaseInfoParcel.hapBaseInfo.instIndex, "ENABLE", enable);
616 return ret;
617 }
618
GetPermissionManagerInfo(PermissionGrantInfoParcel & infoParcel)619 void AccessTokenManagerService::GetPermissionManagerInfo(PermissionGrantInfoParcel& infoParcel)
620 {
621 infoParcel.info.grantBundleName = grantBundleName_;
622 infoParcel.info.grantAbilityName = grantAbilityName_;
623 infoParcel.info.grantServiceAbilityName = grantServiceAbilityName_;
624 infoParcel.info.permStateAbilityName = permStateAbilityName_;
625 infoParcel.info.globalSwitchAbilityName = globalSwitchAbilityName_;
626 }
627
InitUserPolicy(const std::vector<UserState> & userList,const std::vector<std::string> & permList)628 int32_t AccessTokenManagerService::InitUserPolicy(
629 const std::vector<UserState>& userList, const std::vector<std::string>& permList)
630 {
631 return AccessTokenInfoManager::GetInstance().InitUserPolicy(userList, permList);
632 }
633
UpdateUserPolicy(const std::vector<UserState> & userList)634 int32_t AccessTokenManagerService::UpdateUserPolicy(const std::vector<UserState>& userList)
635 {
636 return AccessTokenInfoManager::GetInstance().UpdateUserPolicy(userList);
637 }
638
ClearUserPolicy()639 int32_t AccessTokenManagerService::ClearUserPolicy()
640 {
641 return AccessTokenInfoManager::GetInstance().ClearUserPolicy();
642 }
643
Dump(int fd,const std::vector<std::u16string> & args)644 int AccessTokenManagerService::Dump(int fd, const std::vector<std::u16string>& args)
645 {
646 if (fd < 0) {
647 return ERR_INVALID_VALUE;
648 }
649
650 dprintf(fd, "AccessToken Dump:\n");
651 std::string arg0 = ((args.size() == 0)? "" : Str16ToStr8(args.at(0)));
652 if (arg0.compare("-h") == 0) {
653 dprintf(fd, "Usage:\n");
654 dprintf(fd, " -h: command help\n");
655 dprintf(fd, " -a: dump all tokens\n");
656 dprintf(fd, " -t <TOKEN_ID>: dump special token id\n");
657 } else if (arg0.compare("-t") == 0) {
658 if (args.size() < TWO_ARGS) {
659 return ERR_INVALID_VALUE;
660 }
661 long long tokenID = atoll(static_cast<const char *>(Str16ToStr8(args.at(1)).c_str()));
662 if (tokenID <= 0) {
663 return ERR_INVALID_VALUE;
664 }
665 AtmToolsParamInfoParcel infoParcel;
666 infoParcel.info.tokenId = static_cast<AccessTokenID>(tokenID);
667 std::string dumpStr;
668 DumpTokenInfo(infoParcel, dumpStr);
669 dprintf(fd, "%s\n", dumpStr.c_str());
670 } else if (arg0.compare("-a") == 0 || arg0 == "") {
671 std::string dumpStr;
672 AtmToolsParamInfoParcel infoParcel;
673 DumpTokenInfo(infoParcel, dumpStr);
674 dprintf(fd, "%s\n", dumpStr.c_str());
675 }
676 return ERR_OK;
677 }
678
AccessTokenServiceParamSet() const679 void AccessTokenManagerService::AccessTokenServiceParamSet() const
680 {
681 int32_t res = SetParameter(ACCESS_TOKEN_SERVICE_INIT_KEY, std::to_string(1).c_str());
682 if (res != 0) {
683 LOGE(ATM_DOMAIN, ATM_TAG, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY 1 failed %{public}d", res);
684 return;
685 }
686 // 2 is to tell others sa that at service is loaded.
687 res = SetParameter(ACCESS_TOKEN_SERVICE_INIT_KEY, std::to_string(2).c_str());
688 if (res != 0) {
689 LOGE(ATM_DOMAIN, ATM_TAG, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY 2 failed %{public}d", res);
690 return;
691 }
692 }
693
GetConfigValue()694 void AccessTokenManagerService::GetConfigValue()
695 {
696 LibraryLoader loader(CONFIG_PARSE_LIBPATH);
697 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
698 if (policy == nullptr) {
699 LOGE(ATM_DOMAIN, ATM_TAG, "Dlopen libaccesstoken_json_parse failed.");
700 return;
701 }
702 AccessTokenConfigValue value;
703 if (policy->GetConfigValue(ServiceType::ACCESSTOKEN_SERVICE, value)) {
704 // set value from config
705 grantBundleName_ = value.atConfig.grantBundleName.empty() ?
706 GRANT_ABILITY_BUNDLE_NAME : value.atConfig.grantBundleName;
707 grantAbilityName_ = value.atConfig.grantAbilityName.empty() ?
708 GRANT_ABILITY_ABILITY_NAME : value.atConfig.grantAbilityName;
709 grantServiceAbilityName_ = value.atConfig.grantServiceAbilityName.empty() ?
710 GRANT_ABILITY_ABILITY_NAME : value.atConfig.grantServiceAbilityName;
711 permStateAbilityName_ = value.atConfig.permStateAbilityName.empty() ?
712 PERMISSION_STATE_SHEET_ABILITY_NAME : value.atConfig.permStateAbilityName;
713 globalSwitchAbilityName_ = value.atConfig.globalSwitchAbilityName.empty() ?
714 GLOBAL_SWITCH_SHEET_ABILITY_NAME : value.atConfig.globalSwitchAbilityName;
715 applicationSettingAbilityName_ = value.atConfig.applicationSettingAbilityName.empty() ?
716 APPLICATION_SETTING_ABILITY_NAME : value.atConfig.applicationSettingAbilityName;
717 TempPermissionObserver::GetInstance().SetCancelTime(value.atConfig.cancleTime);
718 } else {
719 LOGI(ATM_DOMAIN, ATM_TAG, "No config file or config file is not valid, use default values");
720 grantBundleName_ = GRANT_ABILITY_BUNDLE_NAME;
721 grantAbilityName_ = GRANT_ABILITY_ABILITY_NAME;
722 grantServiceAbilityName_ = GRANT_ABILITY_ABILITY_NAME;
723 permStateAbilityName_ = PERMISSION_STATE_SHEET_ABILITY_NAME;
724 globalSwitchAbilityName_ = GLOBAL_SWITCH_SHEET_ABILITY_NAME;
725 applicationSettingAbilityName_ = APPLICATION_SETTING_ABILITY_NAME;
726 }
727
728 LOGI(ATM_DOMAIN, ATM_TAG, "GrantBundleName_ is %{public}s, grantAbilityName_ is %{public}s, "
729 "grantServiceAbilityName_ is %{public}s, permStateAbilityName_ is %{public}s, "
730 "globalSwitchAbilityName_ is %{public}s, applicationSettingAbilityName_ is %{public}s.",
731 grantBundleName_.c_str(), grantAbilityName_.c_str(), grantServiceAbilityName_.c_str(),
732 permStateAbilityName_.c_str(), globalSwitchAbilityName_.c_str(), applicationSettingAbilityName_.c_str());
733 }
734
GetKernelPermissions(AccessTokenID tokenId,std::vector<PermissionWithValue> & kernelPermList)735 int32_t AccessTokenManagerService::GetKernelPermissions(
736 AccessTokenID tokenId, std::vector<PermissionWithValue>& kernelPermList)
737 {
738 return AccessTokenInfoManager::GetInstance().GetKernelPermissions(tokenId, kernelPermList);
739 }
740
GetReqPermissionByName(AccessTokenID tokenId,const std::string & permissionName,std::string & value)741 int32_t AccessTokenManagerService::GetReqPermissionByName(
742 AccessTokenID tokenId, const std::string& permissionName, std::string& value)
743 {
744 return AccessTokenInfoManager::GetInstance().GetReqPermissionByName(
745 tokenId, permissionName, value);
746 }
747
Initialize()748 bool AccessTokenManagerService::Initialize()
749 {
750 MemoryGuard guard;
751 ReportSysEventPerformance();
752 AccessTokenInfoManager::GetInstance().Init();
753
754 #ifdef EVENTHANDLER_ENABLE
755 TempPermissionObserver::GetInstance().InitEventHandler();
756 ShortGrantManager::GetInstance().InitEventHandler();
757 #endif
758 GetConfigValue();
759 LOGI(ATM_DOMAIN, ATM_TAG, "Initialize success");
760 return true;
761 }
762 } // namespace AccessToken
763 } // namespace Security
764 } // namespace OHOS
765