1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "ipc_common.h"
17 #include "ipc_skeleton.h"
18 #include "accesstoken_kit.h"
19 #include "app_mgr_interface.h"
20 #include "iam_common_defines.h"
21 #include "iam_logger.h"
22 #include "iam_para2str.h"
23 #include "iservice_registry.h"
24 #include "system_ability_definition.h"
25 #include "tokenid_kit.h"
26 #ifdef HAS_OS_ACCOUNT_PART
27 #include "os_account_manager.h"
28 #include "os_account_info.h"
29 #include "user_auth_hdi.h"
30 #endif // HAS_OS_ACCOUNT_PART
31 #define LOG_TAG "USER_AUTH_SA"
32
33 namespace OHOS {
34 namespace UserIam {
35 namespace UserAuth {
36 namespace PermissionString {
37 const std::string MANAGE_USER_IDM_PERMISSION = "ohos.permission.MANAGE_USER_IDM";
38 const std::string USE_USER_IDM_PERMISSION = "ohos.permission.USE_USER_IDM";
39 const std::string ACCESS_USER_AUTH_INTERNAL_PERMISSION = "ohos.permission.ACCESS_USER_AUTH_INTERNAL";
40 const std::string ACCESS_BIOMETRIC_PERMISSION = "ohos.permission.ACCESS_BIOMETRIC";
41 const std::string ACCESS_AUTH_RESPOOL = "ohos.permission.ACCESS_AUTH_RESPOOL";
42 const std::string ENFORCE_USER_IDM = "ohos.permission.ENFORCE_USER_IDM";
43 const std::string SUPPORT_USER_AUTH = "ohos.permission.SUPPORT_USER_AUTH";
44 const std::string USE_USER_ACCESS_MANAGER = "ohos.permission.USE_USER_ACCESS_MANAGER";
45 const std::string USER_AUTH_FROM_BACKGROUND = "ohos.permission.USER_AUTH_FROM_BACKGROUND";
46 }
47
48 namespace {
49 const std::vector<std::pair<int32_t, std::string>> enforceUserIdmWhiteLists = {
50 {3058, "accountmgr"},
51 };
52 const std::vector<std::pair<int32_t, std::string>> EDM_WHITE_LIST = {
53 {3057, "edm"},
54 };
55 }
56
GetCallingUserId(IPCObjectStub & stub,int32_t & userId)57 int32_t IpcCommon::GetCallingUserId(IPCObjectStub &stub, int32_t &userId)
58 {
59 uint32_t tokenId = GetAccessTokenId(stub);
60 using namespace Security::AccessToken;
61 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(tokenId);
62 if (callingType != Security::AccessToken::TOKEN_HAP) {
63 IAM_LOGE("failed to get calling type");
64 return TYPE_NOT_SUPPORT;
65 }
66 HapTokenInfo hapInfo;
67 int result = AccessTokenKit::GetHapTokenInfo(tokenId, hapInfo);
68 if (result != SUCCESS) {
69 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
70 return TYPE_NOT_SUPPORT;
71 }
72 if (hapInfo.userID != 0) {
73 userId = hapInfo.userID;
74 IAM_LOGI("hap is not in user0, userId = %{public}d", hapInfo.userID);
75 return SUCCESS;
76 }
77
78 #ifdef HAS_OS_ACCOUNT_PART
79 result = AccountSA::OsAccountManager::GetForegroundOsAccountLocalId(userId);
80 if (result != SUCCESS) {
81 IAM_LOGE("GetForegroundOsAccountLocalId failed result = %{public}d", result);
82 return TYPE_NOT_SUPPORT;
83 }
84 #endif
85 IAM_LOGI("hapUserId is %{public}d, ForegroundUserId is %{public}d", hapInfo.userID, userId);
86 return SUCCESS;
87 }
88
GetActiveUserId(std::optional<int32_t> & userId)89 int32_t IpcCommon::GetActiveUserId(std::optional<int32_t> &userId)
90 {
91 if (userId.has_value() && userId.value() != 0) {
92 return SUCCESS;
93 }
94 std::vector<int32_t> ids;
95 #ifdef HAS_OS_ACCOUNT_PART
96 ErrCode queryRet = AccountSA::OsAccountManager::QueryActiveOsAccountIds(ids);
97 if (queryRet != ERR_OK || ids.empty()) {
98 IAM_LOGE("failed to query active account id");
99 return GENERAL_ERROR;
100 }
101 #else // HAS_OS_ACCOUNT_PART
102 const int32_t DEFAULT_OS_ACCOUNT_ID = 0;
103 ids.push_back(DEFAULT_OS_ACCOUNT_ID);
104 IAM_LOGI("there is no os account part, use default id");
105 #endif // HAS_OS_ACCOUNT_PART
106 userId = ids.front();
107 return SUCCESS;
108 }
109
GetAllUserId(std::vector<int32_t> & userIds)110 int32_t IpcCommon::GetAllUserId(std::vector<int32_t> &userIds)
111 {
112 #ifdef HAS_OS_ACCOUNT_PART
113 std::vector<OHOS::AccountSA::OsAccountInfo> accountInfos = {};
114 ErrCode ret = AccountSA::OsAccountManager::QueryAllCreatedOsAccounts(accountInfos);
115 if (ret != ERR_OK) {
116 IAM_LOGE("failed to query all account id ret %{public}d ", ret);
117 return GENERAL_ERROR;
118 }
119
120 if (accountInfos.empty()) {
121 IAM_LOGE("accountInfos count %{public}zu", accountInfos.size());
122 return SUCCESS;
123 }
124
125 std::transform(accountInfos.begin(), accountInfos.end(), std::back_inserter(userIds),
126 [](auto &iter) { return iter.GetLocalId(); });
127 #else
128 const int32_t DEFAULT_OS_ACCOUNT_ID = 0;
129 userIds.push_back(DEFAULT_OS_ACCOUNT_ID);
130 #endif
131
132 return SUCCESS;
133 }
134
MapOsAccountTypeToUserType(int32_t userId,AccountSA::OsAccountType osAccountType)135 static HdiUserType MapOsAccountTypeToUserType(int32_t userId, AccountSA::OsAccountType osAccountType)
136 {
137 if (osAccountType == AccountSA::OsAccountType::PRIVATE) {
138 return HdiUserType::PRIVATE;
139 } else if (userId == MAIN_USER_ID) {
140 return HdiUserType::MAIN;
141 } else {
142 return HdiUserType::SUB;
143 }
144 }
145
GetUserTypeByUserId(int32_t userId,int32_t & userType)146 int32_t IpcCommon::GetUserTypeByUserId(int32_t userId, int32_t &userType)
147 {
148 #ifdef HAS_OS_ACCOUNT_PART
149 AccountSA::OsAccountType osAccountType;
150 ErrCode ret = AccountSA::OsAccountManager::GetOsAccountType(userId, osAccountType);
151 if (ret != ERR_OK) {
152 IAM_LOGE("failed to get osAccountType for userId %d, error code: %d", userId, ret);
153 return TYPE_NOT_SUPPORT;
154 }
155 userType = MapOsAccountTypeToUserType(userId, osAccountType);
156 IAM_LOGI("userType:%{public}d", userType);
157 #else
158 const int32_t DEFAULT_OS_ACCOUNT_TYPE = 0;
159 userType = DEFAULT_OS_ACCOUNT_TYPE;
160 #endif
161
162 return SUCCESS;
163 }
164
CheckForegroundApplication(const std::string & bundleName)165 bool IpcCommon::CheckForegroundApplication(const std::string &bundleName)
166 {
167 sptr<ISystemAbilityManager> samgrClient = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
168 if (samgrClient == nullptr) {
169 IAM_LOGI("Get system ability manager failed");
170 return false;
171 }
172 sptr<AppExecFwk::IAppMgr> iAppManager =
173 iface_cast<AppExecFwk::IAppMgr>(samgrClient->GetSystemAbility(APP_MGR_SERVICE_ID));
174 if (iAppManager == nullptr) {
175 IAM_LOGI("Failed to get ability manager service");
176 return false;
177 }
178 std::vector<AppExecFwk::AppStateData> foregroundAppList;
179 iAppManager->GetForegroundApplications(foregroundAppList);
180 auto it = std::find_if(foregroundAppList.begin(), foregroundAppList.end(), [bundleName] (auto foregroundApp) {
181 return bundleName.compare(foregroundApp.bundleName) == 0;
182 });
183 if (it == foregroundAppList.end()) {
184 IAM_LOGI("app : %{public}s is not foreground", bundleName.c_str());
185 return false;
186 }
187 return true;
188 }
189
CheckPermission(IPCObjectStub & stub,Permission permission)190 bool IpcCommon::CheckPermission(IPCObjectStub &stub, Permission permission)
191 {
192 switch (permission) {
193 case MANAGE_USER_IDM_PERMISSION:
194 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::MANAGE_USER_IDM_PERMISSION);
195 case USE_USER_IDM_PERMISSION:
196 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::USE_USER_IDM_PERMISSION);
197 case ACCESS_USER_AUTH_INTERNAL_PERMISSION:
198 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::ACCESS_USER_AUTH_INTERNAL_PERMISSION);
199 case ACCESS_BIOMETRIC_PERMISSION:
200 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::ACCESS_BIOMETRIC_PERMISSION);
201 case ACCESS_AUTH_RESPOOL:
202 return CheckDirectCaller(stub, PermissionString::ACCESS_AUTH_RESPOOL);
203 case ENFORCE_USER_IDM:
204 return CheckDirectCaller(stub, PermissionString::ENFORCE_USER_IDM) &&
205 CheckNativeCallingProcessWhiteList(stub, permission);
206 case SUPPORT_USER_AUTH:
207 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::SUPPORT_USER_AUTH);
208 case IS_SYSTEM_APP:
209 return CheckCallerIsSystemApp(stub);
210 case CLEAR_REDUNDANCY_PERMISSION:
211 return CheckDirectCaller(stub, PermissionString::ENFORCE_USER_IDM);
212 case USE_USER_ACCESS_MANAGER:
213 return CheckDirectCaller(stub, PermissionString::USE_USER_ACCESS_MANAGER);
214 case USER_AUTH_FROM_BACKGROUND:
215 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::USER_AUTH_FROM_BACKGROUND);
216 case ENTERPRISE_DEVICE_MGR:
217 return CheckNativeCallingProcessWhiteList(stub, permission);
218 default:
219 IAM_LOGE("failed to check permission");
220 return false;
221 }
222 }
223
GetAccessTokenId(IPCObjectStub & stub)224 uint32_t IpcCommon::GetAccessTokenId(IPCObjectStub &stub)
225 {
226 uint32_t tokenId = stub.GetFirstTokenID();
227 IAM_LOGI("get first caller tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
228 if (tokenId == 0) {
229 tokenId = stub.GetCallingTokenID();
230 IAM_LOGI("no first caller, get direct caller tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
231 }
232 return tokenId;
233 }
234
GetTokenId(IPCObjectStub & stub)235 uint32_t IpcCommon::GetTokenId(IPCObjectStub &stub)
236 {
237 uint32_t tokenId = stub.GetCallingTokenID();
238 IAM_LOGI("get tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
239 return tokenId;
240 }
241
GetWhiteLists(Permission permission)242 std::vector<std::pair<int32_t, std::string>> IpcCommon::GetWhiteLists(Permission permission)
243 {
244 switch (permission) {
245 case ENFORCE_USER_IDM:
246 return enforceUserIdmWhiteLists;
247 case ENTERPRISE_DEVICE_MGR:
248 return EDM_WHITE_LIST;
249 default:
250 IAM_LOGE("the permission has no white lists");
251 return {};
252 }
253 }
254
CheckNativeCallingProcessWhiteList(IPCObjectStub & stub,Permission permission)255 bool IpcCommon::CheckNativeCallingProcessWhiteList(IPCObjectStub &stub, Permission permission)
256 {
257 uint32_t tokenId = GetTokenId(stub);
258 using namespace Security::AccessToken;
259 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(tokenId);
260 if (callingType != Security::AccessToken::TOKEN_NATIVE) {
261 IAM_LOGE("failed to get calling type");
262 return false;
263 }
264 NativeTokenInfo nativeTokenInfo;
265 int result = AccessTokenKit::GetNativeTokenInfo(tokenId, nativeTokenInfo);
266 if (result != SUCCESS) {
267 IAM_LOGE("failed to get native token info, result = %{public}d", result);
268 return false;
269 }
270
271 std::vector<std::pair<int32_t, std::string>> whiteLists = IpcCommon::GetWhiteLists(permission);
272 std::string processName = nativeTokenInfo.processName;
273 int32_t processUid = stub.GetCallingUid();
274 for (const auto &whiteList : whiteLists) {
275 if (whiteList.first == processUid && whiteList.second == processName) {
276 return true;
277 }
278 }
279 IAM_LOGE("failed to check process white list");
280 return false;
281 }
282
CheckDirectCallerAndFirstCallerIfSet(IPCObjectStub & stub,const std::string & permission)283 bool IpcCommon::CheckDirectCallerAndFirstCallerIfSet(IPCObjectStub &stub, const std::string &permission)
284 {
285 uint32_t firstTokenId = stub.GetFirstTokenID();
286 uint32_t callingTokenId = GetTokenId(stub);
287 using namespace Security::AccessToken;
288 if ((firstTokenId != 0 && AccessTokenKit::VerifyAccessToken(firstTokenId, permission) != RET_SUCCESS) ||
289 AccessTokenKit::VerifyAccessToken(callingTokenId, permission) != RET_SUCCESS) {
290 IAM_LOGE("failed to check permission");
291 return false;
292 }
293 return true;
294 }
295
CheckDirectCaller(IPCObjectStub & stub,const std::string & permission)296 bool IpcCommon::CheckDirectCaller(IPCObjectStub &stub, const std::string &permission)
297 {
298 uint32_t callingTokenId = GetTokenId(stub);
299 using namespace Security::AccessToken;
300 if (AccessTokenKit::VerifyAccessToken(callingTokenId, permission) != RET_SUCCESS) {
301 IAM_LOGE("failed to check permission");
302 return false;
303 }
304 return true;
305 }
306
CheckCallerIsSystemApp(IPCObjectStub & stub)307 bool IpcCommon::CheckCallerIsSystemApp(IPCObjectStub &stub)
308 {
309 uint32_t callingTokenId = GetTokenId(stub);
310 using namespace Security::AccessToken;
311 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
312 bool checkRet = TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
313 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(callingTokenId);
314 if (checkRet && callingType == Security::AccessToken::TOKEN_HAP) {
315 IAM_LOGI("the caller is system application");
316 return true;
317 }
318 return false;
319 }
320
GetDirectCallerType(IPCObjectStub & stub)321 int32_t IpcCommon::GetDirectCallerType(IPCObjectStub &stub)
322 {
323 return Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(GetTokenId(stub));
324 }
325
GetCallerName(IPCObjectStub & stub,std::string & callerName,int32_t & callerType)326 bool IpcCommon::GetCallerName(IPCObjectStub &stub, std::string &callerName, int32_t &callerType)
327 {
328 uint32_t tokenId = GetAccessTokenId(stub);
329 using namespace Security::AccessToken;
330 callerType = AccessTokenKit::GetTokenTypeFlag(tokenId);
331 if (callerType == Security::AccessToken::TOKEN_HAP) {
332 HapTokenInfo hapTokenInfo;
333 int result = AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo);
334 if (result != SUCCESS) {
335 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
336 return false;
337 }
338 callerName = hapTokenInfo.bundleName;
339 IAM_LOGI("caller bundleName is %{public}s", callerName.c_str());
340 return true;
341 } else if (callerType == Security::AccessToken::TOKEN_NATIVE) {
342 NativeTokenInfo nativeTokenInfo;
343 int res = AccessTokenKit::GetNativeTokenInfo(tokenId, nativeTokenInfo);
344 if (res != SUCCESS) {
345 IAM_LOGE("failed to get native token info, res = %{public}d", res);
346 return false;
347 }
348 callerName = nativeTokenInfo.processName;
349 IAM_LOGI("caller processName is %{public}s", callerName.c_str());
350 return true;
351 }
352 IAM_LOGI("caller is not a hap or a native");
353 return false;
354 }
355
GetCallingAppID(IPCObjectStub & stub,std::string & callingAppID)356 bool IpcCommon::GetCallingAppID(IPCObjectStub &stub, std::string &callingAppID)
357 {
358 uint32_t tokenId = GetAccessTokenId(stub);
359 using namespace Security::AccessToken;
360 ATokenTypeEnum callerTypeTemp = AccessTokenKit::GetTokenTypeFlag(tokenId);
361 if (callerTypeTemp != Security::AccessToken::TOKEN_HAP) {
362 return false;
363 }
364
365 HapTokenInfoExt hapTokenInfo;
366 int result = AccessTokenKit::GetHapTokenInfoExtension(tokenId, hapTokenInfo);
367 if (result != SUCCESS) {
368 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
369 return false;
370 }
371 callingAppID = hapTokenInfo.appID;
372 IAM_LOGI("successed in getting caller app ID");
373 return true;
374 }
375
IsOsAccountVerified(int32_t userId)376 bool IpcCommon::IsOsAccountVerified(int32_t userId)
377 {
378 bool isOsAccountVerified = false;
379 #ifdef HAS_OS_ACCOUNT_PART
380 ErrCode queryRet = AccountSA::OsAccountManager::IsOsAccountVerified(userId, isOsAccountVerified);
381 if (queryRet != ERR_OK) {
382 IAM_LOGE("failed to query account verified status");
383 return false;
384 }
385 #endif
386 return isOsAccountVerified;
387 }
388 } // namespace UserAuth
389 } // namespace UserIam
390 } // namespace OHOS