1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "os_account_manager_service.h"
16 #include <algorithm>
17 #include <cstddef>
18 #include "account_constants.h"
19 #include "account_info.h"
20 #include "account_log_wrapper.h"
21 #include "account_hisysevent_adapter.h"
22 #include "iinner_os_account_manager.h"
23 #include "ipc_skeleton.h"
24 #include "os_account_constants.h"
25
26 namespace OHOS {
27 namespace AccountSA {
28 namespace {
29 const std::string DUMP_TAB_CHARACTER = "\t";
30 const std::map<OsAccountType, std::string> DUMP_TYPE_MAP = {
31 {OsAccountType::ADMIN, "admin"},
32 {OsAccountType::NORMAL, "normal"},
33 {OsAccountType::GUEST, "guest"},
34 {OsAccountType::PRIVATE, "private"},
35 };
36 const char CONSTANT_CREATE[] = "constraint.os.account.create";
37 const char CONSTANT_CREATE_DIRECTLY[] = "constraint.os.account.create.directly";
38 const char CONSTANT_REMOVE[] = "constraint.os.account.remove";
39 const char CONSTANT_ACTIVATE[] = "constraint.os.account.activate";
40 const char CONSTANT_SET_ICON[] = "constraint.os.account.set.icon";
41 #ifndef IS_RELEASE_VERSION
42 const std::int32_t ROOT_UID = 0;
43 #endif
44 const char DEFAULT_ANON_STR[] = "**********";
45 const size_t INTERCEPT_HEAD_PART_LEN_FOR_NAME = 1;
46
47 const char MANAGE_LOCAL_ACCOUNTS[] = "ohos.permission.MANAGE_LOCAL_ACCOUNTS";
48 const char GET_LOCAL_ACCOUNTS[] = "ohos.permission.GET_LOCAL_ACCOUNTS";
49 const char INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION[] =
50 "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
51 const char INTERACT_ACROSS_LOCAL_ACCOUNTS[] = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
52 const std::string GET_DOMAIN_ACCOUNTS = "ohos.permission.GET_DOMAIN_ACCOUNTS";
53 const std::set<uint32_t> uidWhiteListForCreation { 3057 };
54 const std::int32_t EDM_UID = 3057;
55 const std::string SPECIAL_CHARACTER_ARRAY = "<>|\":*?/\\";
56 const std::vector<std::string> SHORT_NAME_CANNOT_BE_NAME_ARRAY = {".", ".."};
57
AnonymizeNameStr(const std::string & nameStr)58 std::string AnonymizeNameStr(const std::string& nameStr)
59 {
60 if (nameStr.empty()) {
61 return nameStr;
62 }
63 std::string retStr = nameStr.substr(0, INTERCEPT_HEAD_PART_LEN_FOR_NAME) + DEFAULT_ANON_STR;
64 return retStr;
65 }
66
CheckLocalId(int localId)67 ErrCode CheckLocalId(int localId)
68 {
69 if (localId < 0) {
70 ACCOUNT_LOGE("Id %{public}d is invalid", localId);
71 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
72 }
73 return ERR_OK;
74 }
75
IsTypeOutOfRange(const OsAccountType & type)76 bool IsTypeOutOfRange(const OsAccountType& type)
77 {
78 if ((type < OsAccountType::ADMIN) || (type >= OsAccountType::END)) {
79 return true;
80 }
81 if ((type > OsAccountType::GUEST) && (type < OsAccountType::PRIVATE)) {
82 return true;
83 }
84 return false;
85 }
86 } // namespace
87
OsAccountManagerService()88 OsAccountManagerService::OsAccountManagerService() : innerManager_(IInnerOsAccountManager::GetInstance())
89 {}
90
~OsAccountManagerService()91 OsAccountManagerService::~OsAccountManagerService()
92 {}
93
CreateOsAccount(const std::string & name,const OsAccountType & type,OsAccountInfo & osAccountInfo)94 ErrCode OsAccountManagerService::CreateOsAccount(
95 const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)
96 {
97 ErrCode errCode = ValidateAccountCreateParamAndPermission(name, type);
98 if (errCode != ERR_OK) {
99 return errCode;
100 }
101 return innerManager_.CreateOsAccount(name, type, osAccountInfo);
102 }
103
ValidateShortName(const std::string & shortName)104 ErrCode OsAccountManagerService::ValidateShortName(const std::string &shortName)
105 {
106 size_t shortNameSize = shortName.size();
107 if (shortNameSize == 0 || shortNameSize > Constants::SHORT_NAME_MAX_SIZE) {
108 ACCOUNT_LOGE("CreateOsAccount short name length %{public}zu is invalid!", shortNameSize);
109 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
110 }
111
112 if (shortName.find_first_of(SPECIAL_CHARACTER_ARRAY) != std::string::npos) {
113 ACCOUNT_LOGE("CreateOsAccount short name is invalidate, short name is %{public}s !", shortName.c_str());
114 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
115 }
116
117 for (size_t i = 0; i < SHORT_NAME_CANNOT_BE_NAME_ARRAY.size(); i++) {
118 if (shortName == SHORT_NAME_CANNOT_BE_NAME_ARRAY[i]) {
119 ACCOUNT_LOGE("CreateOsAccount short name is invalidate, short name is %{public}s !", shortName.c_str());
120 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
121 }
122 }
123 return ERR_OK;
124 }
125
CreateOsAccount(const std::string & localName,const std::string & shortName,const OsAccountType & type,OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)126 ErrCode OsAccountManagerService::CreateOsAccount(const std::string &localName, const std::string &shortName,
127 const OsAccountType &type, OsAccountInfo &osAccountInfo, const CreateOsAccountOptions &options)
128 {
129 ErrCode errCode = ValidateAccountCreateParamAndPermission(localName, type);
130 if (errCode != ERR_OK) {
131 return errCode;
132 }
133
134 if (options.hasShortName) {
135 errCode = ValidateShortName(shortName);
136 if (errCode != ERR_OK) {
137 return errCode;
138 }
139 }
140
141 return innerManager_.CreateOsAccount(localName, shortName, type, osAccountInfo, options);
142 }
143
ValidateAccountCreateParamAndPermission(const std::string & localName,const OsAccountType & type)144 ErrCode OsAccountManagerService::ValidateAccountCreateParamAndPermission(const std::string &localName,
145 const OsAccountType &type)
146 {
147 // permission check
148 if (!CheckCreateOsAccountWhiteList() &&
149 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY) ||
150 !PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE))) {
151 ACCOUNT_LOGE("Account manager service, permission denied!");
152 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
153 }
154
155 bool isMultiOsAccountEnable = false;
156 IsMultiOsAccountEnable(isMultiOsAccountEnable);
157 if (!isMultiOsAccountEnable) {
158 ACCOUNT_LOGE("System is not multi os account enable error");
159 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
160 }
161
162 size_t localNameSize = localName.size();
163 if ((localNameSize == 0) || (localNameSize > Constants::LOCAL_NAME_MAX_SIZE)) {
164 ACCOUNT_LOGE("CreateOsAccount local name length %{public}zu is invalid!", localNameSize);
165 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
166 }
167
168 if (IsTypeOutOfRange(type)) {
169 ACCOUNT_LOGE("Os account type is invalid");
170 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
171 }
172
173 bool isAllowedCreateAdmin = false;
174 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
175 if (errCode != ERR_OK) {
176 ACCOUNT_LOGE("Query allowed create admin error");
177 return errCode;
178 }
179 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
180 ACCOUNT_LOGE("Cannot create admin account error");
181 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
182 }
183 return ERR_OK;
184 }
185
CreateOsAccountWithFullInfo(OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)186 ErrCode OsAccountManagerService::CreateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo,
187 const CreateOsAccountOptions &options)
188 {
189 bool isMultiOsAccountEnable = false;
190 innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
191 if (!isMultiOsAccountEnable) {
192 ACCOUNT_LOGE("System is not multi os account enable error");
193 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
194 }
195
196 if ((!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) ||
197 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY))) {
198 ACCOUNT_LOGE("Account manager service, permission denied!");
199 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
200 }
201
202 bool isAllowedCreateAdmin = false;
203 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
204 if (errCode != ERR_OK) {
205 ACCOUNT_LOGE("Query allowed create admin error");
206 return errCode;
207 }
208 if (!isAllowedCreateAdmin && (osAccountInfo.GetType() == OsAccountType::ADMIN)) {
209 ACCOUNT_LOGE("Cannot create admin account error");
210 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
211 }
212
213 return innerManager_.CreateOsAccountWithFullInfo(osAccountInfo, options);
214 }
215
UpdateOsAccountWithFullInfo(OsAccountInfo & osAccountInfo)216 ErrCode OsAccountManagerService::UpdateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo)
217 {
218 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
219 ACCOUNT_LOGE("Account manager service, permission denied!");
220 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
221 }
222
223 bool isAllowedCreateAdmin = false;
224 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
225 if (errCode != ERR_OK) {
226 ACCOUNT_LOGE("Query allowed update admin error");
227 return errCode;
228 }
229 if (!isAllowedCreateAdmin && osAccountInfo.GetType() == OsAccountType::ADMIN) {
230 ACCOUNT_LOGE("Cannot update admin account error");
231 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
232 }
233
234 return innerManager_.UpdateOsAccountWithFullInfo(osAccountInfo);
235 }
236
CreateOsAccountForDomain(const OsAccountType & type,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback,const CreateOsAccountForDomainOptions & options)237 ErrCode OsAccountManagerService::CreateOsAccountForDomain(const OsAccountType &type,
238 const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback,
239 const CreateOsAccountForDomainOptions &options)
240 {
241 ACCOUNT_LOGI("Start");
242 // permission check
243 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) {
244 ACCOUNT_LOGE("Account manager service, permission denied!");
245 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
246 }
247
248 // parameters check
249 if (IsTypeOutOfRange(type)) {
250 ACCOUNT_LOGE("Os account type is invalid");
251 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
252 }
253 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
254 ACCOUNT_LOGE("Domain account name is empty or domain is empty");
255 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
256 }
257 if (domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE ||
258 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
259 ACCOUNT_LOGE("Domain account name is overlength or domain is overlength");
260 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
261 }
262
263 if (options.hasShortName || (options.shortName != "")) {
264 ErrCode code = ValidateShortName(options.shortName);
265 if (code != ERR_OK) {
266 ACCOUNT_LOGE("Failed to create os account for domain, shortName=%{public}s is invalid!",
267 options.shortName.c_str());
268 return code;
269 }
270 }
271
272 bool isAllowedCreateAdmin = false;
273 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
274 if (errCode != ERR_OK) {
275 ACCOUNT_LOGE("Failed to get allowed create admin permission, code=%{public}d.", errCode);
276 return errCode;
277 }
278 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
279 ACCOUNT_LOGE("Do not allowed create admin.");
280 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
281 }
282 return innerManager_.CreateOsAccountForDomain(type, domainInfo, callback, options);
283 }
284
RemoveOsAccount(const int id)285 ErrCode OsAccountManagerService::RemoveOsAccount(const int id)
286 {
287 // parameters check
288 ErrCode res = CheckLocalId(id);
289 if (res != ERR_OK) {
290 return res;
291 }
292 if ((id == Constants::START_USER_ID) || (id == Constants::ADMIN_LOCAL_ID)) {
293 ACCOUNT_LOGE("Cannot remove system preinstalled user");
294 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
295 }
296 // permission check
297 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_REMOVE)) {
298 ACCOUNT_LOGE("Account manager service, permission denied!");
299 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
300 }
301
302 return innerManager_.RemoveOsAccount(id);
303 }
304
IsOsAccountExists(const int id,bool & isOsAccountExists)305 ErrCode OsAccountManagerService::IsOsAccountExists(const int id, bool &isOsAccountExists)
306 {
307 return innerManager_.IsOsAccountExists(id, isOsAccountExists);
308 }
309
IsOsAccountActived(const int id,bool & isOsAccountActived)310 ErrCode OsAccountManagerService::IsOsAccountActived(const int id, bool &isOsAccountActived)
311 {
312 // check current account state
313 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
314 if (callerUserId == id) {
315 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
316 }
317
318 // check other account state, check permission first
319 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
320 ACCOUNT_LOGE("Account manager service, permission denied!");
321 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
322 }
323
324 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
325 }
326
IsOsAccountConstraintEnable(const int id,const std::string & constraint,bool & isConstraintEnable)327 ErrCode OsAccountManagerService::IsOsAccountConstraintEnable(
328 const int id, const std::string &constraint, bool &isConstraintEnable)
329 {
330 ErrCode res = CheckLocalId(id);
331 if (res != ERR_OK) {
332 return res;
333 }
334 // permission check
335 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
336 ACCOUNT_LOGE("Account manager service, permission denied!");
337 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
338 }
339
340 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isConstraintEnable);
341 }
342
CheckOsAccountConstraintEnabled(const int id,const std::string & constraint,bool & isEnabled)343 ErrCode OsAccountManagerService::CheckOsAccountConstraintEnabled(
344 const int id, const std::string &constraint, bool &isEnabled)
345 {
346 ErrCode res = CheckLocalId(id);
347 if (res != ERR_OK) {
348 return res;
349 }
350
351 // check current account state
352 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
353 if (callerUserId == id) {
354 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
355 }
356
357 // permission check
358 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
359 ACCOUNT_LOGE("Account manager service, permission denied!");
360 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
361 }
362
363 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
364 }
365
IsOsAccountVerified(const int id,bool & isVerified)366 ErrCode OsAccountManagerService::IsOsAccountVerified(const int id, bool &isVerified)
367 {
368 ErrCode res = CheckLocalId(id);
369 if (res != ERR_OK) {
370 return res;
371 }
372 // check current account state
373 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
374 if (callerUserId == id) {
375 return innerManager_.IsOsAccountVerified(id, isVerified);
376 }
377
378 // check other account state, check permission first
379 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
380 ACCOUNT_LOGE("Account manager service, permission denied!");
381 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
382 }
383
384 return innerManager_.IsOsAccountVerified(id, isVerified);
385 }
386
IsOsAccountDeactivating(const int id,bool & isDeactivating)387 ErrCode OsAccountManagerService::IsOsAccountDeactivating(const int id, bool &isDeactivating)
388 {
389 ErrCode res = CheckLocalId(id);
390 if (res != ERR_OK) {
391 return res;
392 }
393 // check current account state
394 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
395 if (callerUserId == id) {
396 return innerManager_.IsOsAccountDeactivating(id, isDeactivating);
397 }
398
399 // check other account state, check permission first
400 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
401 ACCOUNT_LOGE("Account manager service, permission denied!");
402 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
403 }
404
405 return innerManager_.IsOsAccountDeactivating(id, isDeactivating);
406 }
407
GetCreatedOsAccountsCount(unsigned int & osAccountsCount)408 ErrCode OsAccountManagerService::GetCreatedOsAccountsCount(unsigned int &osAccountsCount)
409 {
410 // permission check
411 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
412 ACCOUNT_LOGE("Account manager service, permission denied!");
413 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
414 }
415
416 return innerManager_.GetCreatedOsAccountsCount(osAccountsCount);
417 }
418
GetOsAccountLocalIdFromProcess(int & id)419 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromProcess(int &id)
420 {
421 const std::int32_t uid = IPCSkeleton::GetCallingUid();
422 id = uid / UID_TRANSFORM_DIVISOR;
423 return ERR_OK;
424 }
425
IsMainOsAccount(bool & isMainOsAccount)426 ErrCode OsAccountManagerService::IsMainOsAccount(bool &isMainOsAccount)
427 {
428 // permission check
429 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
430 ACCOUNT_LOGW("Account manager service, permission denied!");
431 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
432 }
433
434 const std::int32_t uid = IPCSkeleton::GetCallingUid();
435 isMainOsAccount = ((uid / UID_TRANSFORM_DIVISOR) == MAIN_OS_ACCOUNT_LOCAL_ID);
436 return ERR_OK;
437 }
438
GetOsAccountLocalIdFromDomain(const DomainAccountInfo & domainInfo,int & id)439 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)
440 {
441 if (domainInfo.domain_.empty() || domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
442 ACCOUNT_LOGE("Domain name length invalid. length %{public}zu.", domainInfo.domain_.size());
443 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
444 }
445
446 if (domainInfo.accountName_.empty() || domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE) {
447 ACCOUNT_LOGE("AccountName length invalid. length %{public}zu.", domainInfo.accountName_.size());
448 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
449 }
450 // permission check
451 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
452 ACCOUNT_LOGE("Account manager service, permission denied!");
453 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
454 }
455
456 return innerManager_.GetOsAccountLocalIdFromDomain(domainInfo, id);
457 }
458
QueryMaxOsAccountNumber(uint32_t & maxOsAccountNumber)459 ErrCode OsAccountManagerService::QueryMaxOsAccountNumber(uint32_t &maxOsAccountNumber)
460 {
461 return innerManager_.QueryMaxOsAccountNumber(maxOsAccountNumber);
462 }
463
QueryMaxLoggedInOsAccountNumber(uint32_t & maxNum)464 ErrCode OsAccountManagerService::QueryMaxLoggedInOsAccountNumber(uint32_t &maxNum)
465 {
466 return innerManager_.QueryMaxLoggedInOsAccountNumber(maxNum);
467 }
468
GetOsAccountAllConstraints(const int id,std::vector<std::string> & constraints)469 ErrCode OsAccountManagerService::GetOsAccountAllConstraints(const int id, std::vector<std::string> &constraints)
470 {
471 // permission check
472 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
473 ACCOUNT_LOGE("Account manager service, permission denied!");
474 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
475 }
476
477 return innerManager_.GetOsAccountAllConstraints(id, constraints);
478 }
479
QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> & osAccountInfos)480 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)
481 {
482 // permission check
483 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
484 ACCOUNT_LOGE("Account manager service, permission denied!");
485 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
486 }
487 ErrCode result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
488 if (result != ERR_OK) {
489 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
490 result, "Query all created os account failed.");
491 }
492 return result;
493 }
494
QueryCurrentOsAccount(OsAccountInfo & osAccountInfo)495 ErrCode OsAccountManagerService::QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)
496 {
497 // permission check
498 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && (!PermissionCheck(GET_LOCAL_ACCOUNTS, ""))) {
499 ACCOUNT_LOGE("Account manager service, permission denied!");
500 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
501 }
502
503 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
504 return innerManager_.QueryOsAccountById(id, osAccountInfo);
505 }
506
QueryOsAccountById(const int id,OsAccountInfo & osAccountInfo)507 ErrCode OsAccountManagerService::QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)
508 {
509 // parameters check
510 ErrCode res = CheckLocalId(id);
511 if (res != ERR_OK) {
512 return res;
513 }
514 // permission check
515 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") &&
516 !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
517 ACCOUNT_LOGE("Account manager service, permission denied!");
518 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
519 }
520
521 return innerManager_.QueryOsAccountById(id, osAccountInfo);
522 }
523
GetOsAccountTypeFromProcess(OsAccountType & type)524 ErrCode OsAccountManagerService::GetOsAccountTypeFromProcess(OsAccountType &type)
525 {
526 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
527 ErrCode result = innerManager_.GetOsAccountType(id, type);
528 if (result != ERR_OK) {
529 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
530 result, "Query os account type failed.");
531 }
532 return result;
533 }
534
GetOsAccountType(const int id,OsAccountType & type)535 ErrCode OsAccountManagerService::GetOsAccountType(const int id, OsAccountType& type)
536 {
537 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
538 ACCOUNT_LOGE("Check permission failed.");
539 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
540 }
541 return innerManager_.GetOsAccountType(id, type);
542 }
543
GetOsAccountProfilePhoto(const int id,std::string & photo)544 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(const int id, std::string &photo)
545 {
546 ErrCode result = CheckLocalId(id);
547 if (result != ERR_OK) {
548 return result;
549 }
550 // get current account photo
551 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
552 if (callerUserId == id) {
553 return innerManager_.GetOsAccountProfilePhoto(id, photo);
554 }
555
556 // get other account photo, check permission first
557 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
558 ACCOUNT_LOGE("Account manager service, permission denied!");
559 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
560 }
561
562 return innerManager_.GetOsAccountProfilePhoto(id, photo);
563 }
564
IsMultiOsAccountEnable(bool & isMultiOsAccountEnable)565 ErrCode OsAccountManagerService::IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)
566 {
567 return innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
568 }
569
SetOsAccountName(const int id,const std::string & name)570 ErrCode OsAccountManagerService::SetOsAccountName(const int id, const std::string &name)
571 {
572 // parameters check
573 ErrCode res = CheckLocalId(id);
574 if (res != ERR_OK) {
575 return res;
576 }
577 if (id == Constants::ADMIN_LOCAL_ID) {
578 ACCOUNT_LOGE("Cannot set name for system preinstalled user");
579 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
580 }
581 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
582 ACCOUNT_LOGE("Set os account name is out of allowed size");
583 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
584 }
585 if (name.size() <= 0) {
586 ACCOUNT_LOGE("Os account name is empty");
587 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
588 }
589
590 // permission check
591 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
592 ACCOUNT_LOGE("Account manager service, permission denied!");
593 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
594 }
595
596 return innerManager_.SetOsAccountName(id, name);
597 }
598
SetOsAccountConstraints(const int id,const std::vector<std::string> & constraints,const bool enable)599 ErrCode OsAccountManagerService::SetOsAccountConstraints(
600 const int id, const std::vector<std::string> &constraints, const bool enable)
601 {
602 ErrCode res = CheckLocalId(id);
603 if (res != ERR_OK) {
604 return res;
605 }
606 if (id == Constants::ADMIN_LOCAL_ID) {
607 ACCOUNT_LOGE("Cannot set constraints for system preinstalled user");
608 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
609 }
610 // permission check
611 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
612 ACCOUNT_LOGE("Account manager service, permission denied!");
613 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
614 }
615
616 return innerManager_.SetBaseOsAccountConstraints(id, constraints, enable);
617 }
618
SetOsAccountProfilePhoto(const int id,const std::string & photo)619 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(const int id, const std::string &photo)
620 {
621 // parameters check
622 ErrCode res = CheckLocalId(id);
623 if (res != ERR_OK) {
624 return res;
625 }
626 if (id == Constants::ADMIN_LOCAL_ID) {
627 ACCOUNT_LOGE("Cannot set photo for system preinstalled user");
628 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
629 }
630 if (photo.size() > Constants::LOCAL_PHOTO_MAX_SIZE) {
631 ACCOUNT_LOGE("Photo out of allowed size");
632 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
633 }
634 if (photo.empty()) {
635 ACCOUNT_LOGE("Photo is empty");
636 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
637 }
638 // permission check
639 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_SET_ICON)) {
640 ACCOUNT_LOGE("Account manager service, permission denied!");
641 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
642 }
643
644 return innerManager_.SetOsAccountProfilePhoto(id, photo);
645 }
646
ActivateOsAccount(const int id)647 ErrCode OsAccountManagerService::ActivateOsAccount(const int id)
648 {
649 // parameters check
650 ErrCode res = CheckLocalId(id);
651 if (res != ERR_OK) {
652 return res;
653 }
654 if (id == Constants::ADMIN_LOCAL_ID) {
655 ACCOUNT_LOGE("Cannot activate name for system preinstalled user");
656 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
657 }
658 // permission check
659 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, CONSTANT_ACTIVATE)) {
660 ACCOUNT_LOGE("Account manager service, permission denied!");
661 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
662 }
663
664 return innerManager_.ActivateOsAccount(id);
665 }
666
DeactivateOsAccount(const int id)667 ErrCode OsAccountManagerService::DeactivateOsAccount(const int id)
668 {
669 // parameters check
670 ErrCode res = CheckLocalId(id);
671 if (res != ERR_OK) {
672 return res;
673 }
674 if (id == Constants::ADMIN_LOCAL_ID) {
675 ACCOUNT_LOGE("Cannot deactivate name for system preinstalled user");
676 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
677 }
678 // permission check
679 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
680 ACCOUNT_LOGE("Account manager service, permission denied!");
681 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
682 }
683 int32_t currentId = Constants::START_USER_ID;
684 GetCurrentLocalId(currentId);
685
686 #ifndef SUPPORT_STOP_MAIN_OS_ACCOUNT
687 if (id == Constants::START_USER_ID) {
688 ACCOUNT_LOGW("The %{public}d os account can't stop", id);
689 return ERR_OSACCOUNT_SERVICE_INNER_ACCOUNT_STOP_ACTIVE_ERROR;
690 }
691 #endif // SUPPORT_STOP_OS_ACCOUNT
692
693 res = innerManager_.DeactivateOsAccount(id);
694
695 if (currentId == id) { // if stop current account
696 #ifdef SUPPORT_STOP_MAIN_OS_ACCOUNT
697 innerManager_.ActivateOsAccount(id, false, Constants::DEFAULT_DISPALY_ID, true);
698 #else
699 innerManager_.ActivateOsAccount(Constants::START_USER_ID, false, Constants::DEFAULT_DISPALY_ID);
700 #endif // SUPPORT_STOP_MAIN_OS_ACCOUNT
701 }
702 return res;
703 }
704
DeactivateAllOsAccounts()705 ErrCode OsAccountManagerService::DeactivateAllOsAccounts()
706 {
707 // permission check
708 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
709 ACCOUNT_LOGE("Permission check failed.");
710 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
711 }
712
713 std::vector<int32_t> userIds;
714 ErrCode res = innerManager_.QueryActiveOsAccountIds(userIds);
715 if (res != ERR_OK) {
716 ACCOUNT_LOGE("Get activated os account ids failed.");
717 return res;
718 }
719 if (userIds.empty()) {
720 ACCOUNT_LOGI("Activated os account list is empty.");
721 return ERR_OK;
722 }
723 ErrCode result = ERR_OK;
724 for (auto osAccountId : userIds) {
725 ACCOUNT_LOGI("DeactivateAllOsAccounts, id=%{public}d", osAccountId);
726 res = innerManager_.DeactivateOsAccount(osAccountId);
727 if (res != ERR_OK) {
728 ACCOUNT_LOGE("Deactivate os account id failed, id=%{public}d", osAccountId);
729 result = res;
730 }
731 }
732 return result;
733 }
734
GetCurrentLocalId(int32_t & userId)735 void OsAccountManagerService::GetCurrentLocalId(int32_t &userId)
736 {
737 std::vector<int32_t> userIds;
738 if ((innerManager_.QueryActiveOsAccountIds(userIds) != ERR_OK) || userIds.empty()) {
739 ACCOUNT_LOGE("Fail to get activated os account ids");
740 return;
741 }
742 userId = userIds[0];
743 return;
744 }
745
StartOsAccount(const int id)746 ErrCode OsAccountManagerService::StartOsAccount(const int id)
747 {
748 return innerManager_.StartOsAccount(id);
749 }
750
SubscribeOsAccount(const OsAccountSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)751 ErrCode OsAccountManagerService::SubscribeOsAccount(
752 const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)
753 {
754 // permission check
755 OS_ACCOUNT_SUBSCRIBE_TYPE osAccountSubscribeType;
756 subscribeInfo.GetOsAccountSubscribeType(osAccountSubscribeType);
757 std::set<OsAccountState> states;
758 subscribeInfo.GetStates(states);
759 if (osAccountSubscribeType == OsAccountState::INVALID_TYPE && states.empty()) {
760 ACCOUNT_LOGE("Invalid subscriber information");
761 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
762 }
763 // permission check
764 if (!(PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") ||
765 PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "") ||
766 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
767 ACCOUNT_LOGE("Account manager service, permission denied!");
768 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
769 }
770 ErrCode result = innerManager_.SubscribeOsAccount(subscribeInfo, eventListener);
771 if (result != ERR_OK) {
772 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
773 result, "Subscribe os account failed.");
774 }
775 return result;
776 }
777
UnsubscribeOsAccount(const sptr<IRemoteObject> & eventListener)778 ErrCode OsAccountManagerService::UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)
779 {
780 // permission check
781 if (!(PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") ||
782 PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "") ||
783 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
784 ACCOUNT_LOGE("Account manager service, permission denied!");
785 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
786 }
787
788 ErrCode result = innerManager_.UnsubscribeOsAccount(eventListener);
789 if (result != ERR_OK) {
790 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
791 result, "Unsubscribe os account failed.");
792 }
793 return result;
794 }
795
GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber,int & id)796 ErrCode OsAccountManagerService::GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)
797 {
798 return innerManager_.GetOsAccountLocalIdBySerialNumber(serialNumber, id);
799 }
800
GetSerialNumberByOsAccountLocalId(const int & id,int64_t & serialNumber)801 ErrCode OsAccountManagerService::GetSerialNumberByOsAccountLocalId(const int &id, int64_t &serialNumber)
802 {
803 return innerManager_.GetSerialNumberByOsAccountLocalId(id, serialNumber);
804 }
805
GetOsAccountSwitchMod()806 OS_ACCOUNT_SWITCH_MOD OsAccountManagerService::GetOsAccountSwitchMod()
807 {
808 return innerManager_.GetOsAccountSwitchMod();
809 }
810
IsCurrentOsAccountVerified(bool & isVerified)811 ErrCode OsAccountManagerService::IsCurrentOsAccountVerified(bool &isVerified)
812 {
813 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
814 return innerManager_.IsOsAccountVerified(id, isVerified);
815 }
816
IsOsAccountCompleted(const int id,bool & isOsAccountCompleted)817 ErrCode OsAccountManagerService::IsOsAccountCompleted(const int id, bool &isOsAccountCompleted)
818 {
819 ErrCode result = innerManager_.IsOsAccountCompleted(id, isOsAccountCompleted);
820 if (result != ERR_OK) {
821 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
822 result, "Get os account completed failed.");
823 }
824 return result;
825 }
826
SetCurrentOsAccountIsVerified(const bool isVerified)827 ErrCode OsAccountManagerService::SetCurrentOsAccountIsVerified(const bool isVerified)
828 {
829 // permission check
830 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
831 ACCOUNT_LOGE("Account manager service, permission denied!");
832 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
833 }
834
835 // parameters check
836 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
837 ErrCode res = CheckLocalId(id);
838 if (res != ERR_OK) {
839 return res;
840 }
841 if (id == Constants::ADMIN_LOCAL_ID) {
842 ACCOUNT_LOGE("Cannot set verified status for system preinstalled user");
843 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
844 }
845 return innerManager_.SetOsAccountIsVerified(id, isVerified);
846 }
847
SetOsAccountIsVerified(const int id,const bool isVerified)848 ErrCode OsAccountManagerService::SetOsAccountIsVerified(const int id, const bool isVerified)
849 {
850 // parameters check
851 ErrCode res = CheckLocalId(id);
852 if (res != ERR_OK) {
853 return res;
854 }
855 if (id == Constants::ADMIN_LOCAL_ID) {
856 ACCOUNT_LOGE("Cannot set verified status for system preinstalled user");
857 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
858 }
859 // permission check
860 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
861 ACCOUNT_LOGE("Account manager service, permission denied!");
862 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
863 }
864
865 return innerManager_.SetOsAccountIsVerified(id, isVerified);
866 }
867
DumpState(const int & id,std::vector<std::string> & state)868 ErrCode OsAccountManagerService::DumpState(const int &id, std::vector<std::string> &state)
869 {
870 state.clear();
871
872 // permission check
873 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
874 ACCOUNT_LOGE("Account manager service, permission denied!");
875 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
876 }
877
878 ErrCode result = ERR_OK;
879 std::vector<OsAccountInfo> osAccountInfos;
880
881 if (id == -1) {
882 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
883 if (result != ERR_OK) {
884 return result;
885 }
886 } else {
887 OsAccountInfo osAccountInfo;
888 result = innerManager_.GetRealOsAccountInfoById(id, osAccountInfo);
889 if (result != ERR_OK) {
890 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
891 }
892
893 osAccountInfos.emplace_back(osAccountInfo);
894 }
895
896 return DumpStateByAccounts(osAccountInfos, state);
897 }
898
DumpOsAccountInfo(std::vector<std::string> & state)899 ErrCode OsAccountManagerService::DumpOsAccountInfo(std::vector<std::string> &state)
900 {
901 state.clear();
902
903 ErrCode result = ERR_OK;
904 std::vector<OsAccountInfo> osAccountInfos;
905 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
906 if (result != ERR_OK) {
907 return result;
908 }
909
910 return DumpStateByAccounts(osAccountInfos, state);
911 }
912
GetCreatedOsAccountNumFromDatabase(const std::string & storeID,int & createdOsAccountNum)913 ErrCode OsAccountManagerService::GetCreatedOsAccountNumFromDatabase(const std::string& storeID,
914 int &createdOsAccountNum)
915 {
916 // permission check
917 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
918 ACCOUNT_LOGE("Account manager service, permission denied!");
919 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
920 }
921
922 return innerManager_.GetCreatedOsAccountNumFromDatabase(storeID, createdOsAccountNum);
923 }
924
GetSerialNumberFromDatabase(const std::string & storeID,int64_t & serialNumber)925 ErrCode OsAccountManagerService::GetSerialNumberFromDatabase(const std::string& storeID,
926 int64_t &serialNumber)
927 {
928 return innerManager_.GetSerialNumberFromDatabase(storeID, serialNumber);
929 }
930
GetMaxAllowCreateIdFromDatabase(const std::string & storeID,int & id)931 ErrCode OsAccountManagerService::GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)
932 {
933 return innerManager_.GetMaxAllowCreateIdFromDatabase(storeID, id);
934 }
935
GetOsAccountFromDatabase(const std::string & storeID,const int id,OsAccountInfo & osAccountInfo)936 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
937 const int id, OsAccountInfo &osAccountInfo)
938 {
939 // permission check
940 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
941 ACCOUNT_LOGE("Account manager service, permission denied!");
942 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
943 }
944
945 return innerManager_.GetOsAccountFromDatabase(storeID, id, osAccountInfo);
946 }
947
GetOsAccountListFromDatabase(const std::string & storeID,std::vector<OsAccountInfo> & osAccountList)948 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
949 std::vector<OsAccountInfo> &osAccountList)
950 {
951 // permission check
952 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
953 ACCOUNT_LOGE("Account manager service, permission denied!");
954 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
955 }
956
957 return innerManager_.GetOsAccountListFromDatabase(storeID, osAccountList);
958 }
959
DumpStateByAccounts(const std::vector<OsAccountInfo> & osAccountInfos,std::vector<std::string> & state)960 ErrCode OsAccountManagerService::DumpStateByAccounts(
961 const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)
962 {
963 ACCOUNT_LOGD("Enter");
964 for (auto osAccountInfo : osAccountInfos) {
965 std::string info = "";
966
967 std::string localId = std::to_string(osAccountInfo.GetLocalId());
968 state.emplace_back("ID: " + localId);
969
970 std::string localName = osAccountInfo.GetLocalName();
971 state.emplace_back(DUMP_TAB_CHARACTER + "Name: " + AnonymizeNameStr(localName));
972
973 std::string type = "";
974 auto it = DUMP_TYPE_MAP.find(osAccountInfo.GetType());
975 if (it != DUMP_TYPE_MAP.end()) {
976 type = it->second;
977 } else {
978 type = "unknown";
979 }
980 state.emplace_back(DUMP_TAB_CHARACTER + "Type: " + type);
981 state.emplace_back(DUMP_TAB_CHARACTER + "Status: " +
982 (osAccountInfo.GetIsActived() ? "active" : "inactive"));
983 state.emplace_back(DUMP_TAB_CHARACTER + "isForeground: " + std::to_string(osAccountInfo.GetIsForeground()));
984 state.emplace_back(DUMP_TAB_CHARACTER + "dispalyId: " + std::to_string(osAccountInfo.GetDisplayId()));
985
986 state.emplace_back(DUMP_TAB_CHARACTER + "Constraints:");
987 auto constraints = osAccountInfo.GetConstraints();
988 std::transform(constraints.begin(), constraints.end(), std::back_inserter(state),
989 [](auto constraint) {return DUMP_TAB_CHARACTER + DUMP_TAB_CHARACTER + constraint; });
990
991 state.emplace_back(DUMP_TAB_CHARACTER + "Verified: " +
992 (osAccountInfo.GetIsVerified() ? "true" : "false"));
993
994 int64_t serialNumber = osAccountInfo.GetSerialNumber();
995 state.emplace_back(DUMP_TAB_CHARACTER + "Serial Number: " + std::to_string(serialNumber));
996 state.emplace_back(DUMP_TAB_CHARACTER + "Create Completed: " +
997 (osAccountInfo.GetIsCreateCompleted() ? "true" : "false"));
998 state.emplace_back(DUMP_TAB_CHARACTER + "To Be Removed: " +
999 (osAccountInfo.GetToBeRemoved() ? "true" : "false"));
1000 state.emplace_back("\n");
1001 }
1002
1003 return ERR_OK;
1004 }
1005
QueryActiveOsAccountIds(std::vector<int32_t> & ids)1006 ErrCode OsAccountManagerService::QueryActiveOsAccountIds(std::vector<int32_t>& ids)
1007 {
1008 ErrCode result = innerManager_.QueryActiveOsAccountIds(ids);
1009 if (result != ERR_OK) {
1010 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1011 result, "Query active os accountIds failed.");
1012 }
1013 return result;
1014 }
1015
QueryOsAccountConstraintSourceTypes(const int32_t id,const std::string & constraint,std::vector<ConstraintSourceTypeInfo> & constraintSourceTypeInfos)1016 ErrCode OsAccountManagerService::QueryOsAccountConstraintSourceTypes(const int32_t id,
1017 const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)
1018 {
1019 // parameters check
1020 ErrCode res = CheckLocalId(id);
1021 if (res != ERR_OK) {
1022 return res;
1023 }
1024 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
1025 ACCOUNT_LOGE("Constraint length is invalid. length %{public}zu.", constraint.size());
1026 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1027 }
1028
1029 // permission check
1030 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1031 ACCOUNT_LOGE("Account manager service, permission denied!");
1032 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1033 }
1034
1035 return innerManager_.QueryOsAccountConstraintSourceTypes(id, constraint, constraintSourceTypeInfos);
1036 }
1037
SetGlobalOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t enforcerId,const bool isDeviceOwner)1038 ErrCode OsAccountManagerService::SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints,
1039 const bool enable, const int32_t enforcerId, const bool isDeviceOwner)
1040 {
1041 // permission check
1042 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1043 ACCOUNT_LOGE("Account manager service, permission denied!");
1044 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1045 }
1046
1047 return innerManager_.SetGlobalOsAccountConstraints(constraints, enable, enforcerId, isDeviceOwner);
1048 }
1049
ContainsAnyConstraint(const std::vector<std::string> & constraints,const std::vector<std::string> & constraintList)1050 static bool ContainsAnyConstraint(const std::vector<std::string> &constraints,
1051 const std::vector<std::string> &constraintList)
1052 {
1053 for (const auto &constraint : constraintList) {
1054 if (std::find(constraints.begin(), constraints.end(), constraint) != constraints.end()) {
1055 return true;
1056 }
1057 }
1058 return false;
1059 }
1060
SetSpecificOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t targetId,const int32_t enforcerId,const bool isDeviceOwner)1061 ErrCode OsAccountManagerService::SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints,
1062 const bool enable, const int32_t targetId, const int32_t enforcerId, const bool isDeviceOwner)
1063 {
1064 // check EDM uid
1065 int32_t callingUid = IPCSkeleton::GetCallingUid();
1066 std::vector<std::string> createConstraintList = {CONSTANT_CREATE, CONSTANT_CREATE_DIRECTLY};
1067 if (ContainsAnyConstraint(constraints, createConstraintList) && callingUid != EDM_UID) {
1068 ACCOUNT_LOGE("Permission denied, callingUid=%{public}d.", callingUid);
1069 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1070 }
1071
1072 // permission check
1073 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1074 ACCOUNT_LOGE("Account manager service, permission denied!");
1075 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1076 }
1077
1078 // parameters check
1079 if (targetId < Constants::START_USER_ID || enforcerId < Constants::START_USER_ID) {
1080 ACCOUNT_LOGE("Invalid input account id %{public}d or %{public}d.", targetId, enforcerId);
1081 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
1082 }
1083
1084 return innerManager_.SetSpecificOsAccountConstraints(constraints, enable, targetId, enforcerId, isDeviceOwner);
1085 }
1086
SetDefaultActivatedOsAccount(const int32_t id)1087 ErrCode OsAccountManagerService::SetDefaultActivatedOsAccount(const int32_t id)
1088 {
1089 // parameters check
1090 ErrCode ret = CheckLocalId(id);
1091 if (ret != ERR_OK) {
1092 return ret;
1093 }
1094
1095 // permission check
1096 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1097 ACCOUNT_LOGE("Account manager service, permission denied!");
1098 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1099 }
1100
1101 return innerManager_.SetDefaultActivatedOsAccount(id);
1102 }
1103
GetDefaultActivatedOsAccount(int32_t & id)1104 ErrCode OsAccountManagerService::GetDefaultActivatedOsAccount(int32_t &id)
1105 {
1106 return innerManager_.GetDefaultActivatedOsAccount(id);
1107 }
1108
GetOsAccountShortNameCommon(const int32_t id,std::string & shortName)1109 ErrCode OsAccountManagerService::GetOsAccountShortNameCommon(const int32_t id, std::string &shortName)
1110 {
1111 ErrCode errCode = innerManager_.GetOsAccountShortName(id, shortName);
1112 if (errCode != ERR_OK) {
1113 ACCOUNT_LOGE("GetOsAccountShortName error %{public}d", errCode);
1114 return errCode;
1115 }
1116 return ERR_OK;
1117 }
1118
GetOsAccountShortName(std::string & shortName)1119 ErrCode OsAccountManagerService::GetOsAccountShortName(std::string &shortName)
1120 {
1121 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1122 return GetOsAccountShortNameCommon(id, shortName);
1123 }
1124
GetOsAccountName(std::string & name)1125 ErrCode OsAccountManagerService::GetOsAccountName(std::string &name)
1126 {
1127 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1128 ErrCode errCode = innerManager_.GetOsAccountName(id, name);
1129 if (errCode != ERR_OK) {
1130 ACCOUNT_LOGE("Failed get account name, errCode=%{public}d, uid=%{public}d", errCode,
1131 IPCSkeleton::GetCallingUid());
1132 return errCode;
1133 }
1134 return ERR_OK;
1135 }
1136
GetOsAccountShortNameById(const int32_t id,std::string & shortName)1137 ErrCode OsAccountManagerService::GetOsAccountShortNameById(const int32_t id, std::string &shortName)
1138 {
1139 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
1140 ACCOUNT_LOGE("Check permission failed, please check your permission.");
1141 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1142 }
1143 return GetOsAccountShortNameCommon(id, shortName);
1144 }
1145
PermissionCheck(const std::string & permissionName,const std::string & constraintName)1146 bool OsAccountManagerService::PermissionCheck(const std::string& permissionName, const std::string& constraintName)
1147 {
1148 int callerUid = IPCSkeleton::GetCallingUid();
1149 #ifndef IS_RELEASE_VERSION
1150 // root check in none release version for test
1151 if (callerUid == ROOT_UID) {
1152 return true;
1153 }
1154 #endif
1155
1156 // constraints check
1157 if (!constraintName.empty()) {
1158 int callerUserId = callerUid / UID_TRANSFORM_DIVISOR;
1159 bool isEnable = true;
1160 innerManager_.IsOsAccountConstraintEnable(callerUserId, constraintName, isEnable);
1161 if (isEnable) {
1162 ACCOUNT_LOGE("Constraint check %{public}s failed.", constraintName.c_str());
1163 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), constraintName);
1164 return false;
1165 }
1166 }
1167
1168 // permission check
1169 if ((permissionName.empty()) || (AccountPermissionManager::VerifyPermission(permissionName) == ERR_OK)) {
1170 return true;
1171 }
1172
1173 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), permissionName);
1174 return false;
1175 }
1176
CheckCreateOsAccountWhiteList()1177 bool OsAccountManagerService::CheckCreateOsAccountWhiteList()
1178 {
1179 return uidWhiteListForCreation.find(GetCallingUid()) != uidWhiteListForCreation.end();
1180 }
1181
IsOsAccountForeground(const int32_t localId,const uint64_t displayId,bool & isForeground)1182 ErrCode OsAccountManagerService::IsOsAccountForeground(const int32_t localId, const uint64_t displayId,
1183 bool &isForeground)
1184 {
1185 int32_t callerId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1186 int32_t id = (localId == -1) ? callerId : localId;
1187 if (id < Constants::ADMIN_LOCAL_ID) {
1188 ACCOUNT_LOGE("LocalId %{public}d is invlaid.", id);
1189 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1190 }
1191 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1192 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1193 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1194 }
1195 bool isOsAccountExists = false;
1196 ErrCode result = IsOsAccountExists(id, isOsAccountExists);
1197 if (result != ERR_OK) {
1198 return result;
1199 }
1200 if (!isOsAccountExists) {
1201 ACCOUNT_LOGE("LocalId %{public}d not exist.", id);
1202 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
1203 }
1204 if (id >= Constants::ADMIN_LOCAL_ID && id < Constants::START_USER_ID) {
1205 ACCOUNT_LOGI("LocalId %{public}d is always in backgroud.", id);
1206 isForeground = false;
1207 return ERR_OK;
1208 }
1209 return innerManager_.IsOsAccountForeground(id, displayId, isForeground);
1210 }
1211
GetForegroundOsAccountLocalId(const uint64_t displayId,int32_t & localId)1212 ErrCode OsAccountManagerService::GetForegroundOsAccountLocalId(const uint64_t displayId, int32_t &localId)
1213 {
1214 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1215 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1216 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1217 }
1218
1219 return innerManager_.GetForegroundOsAccountLocalId(displayId, localId);
1220 }
1221
GetForegroundOsAccounts(std::vector<ForegroundOsAccount> & accounts)1222 ErrCode OsAccountManagerService::GetForegroundOsAccounts(std::vector<ForegroundOsAccount> &accounts)
1223 {
1224 ErrCode result = innerManager_.GetForegroundOsAccounts(accounts);
1225 if (result != ERR_OK) {
1226 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1227 result, "Get foreground os accounts failed.");
1228 }
1229 return result;
1230 }
1231
GetBackgroundOsAccountLocalIds(std::vector<int32_t> & localIds)1232 ErrCode OsAccountManagerService::GetBackgroundOsAccountLocalIds(std::vector<int32_t> &localIds)
1233 {
1234 return innerManager_.GetBackgroundOsAccountLocalIds(localIds);
1235 }
1236
SetOsAccountToBeRemoved(int32_t localId,bool toBeRemoved)1237 ErrCode OsAccountManagerService::SetOsAccountToBeRemoved(int32_t localId, bool toBeRemoved)
1238 {
1239 ErrCode res = CheckLocalId(localId);
1240 if (res != ERR_OK) {
1241 return res;
1242 }
1243 if ((localId == Constants::START_USER_ID) || (localId == Constants::ADMIN_LOCAL_ID)) {
1244 ACCOUNT_LOGE("Cannot remove system preinstalled user.");
1245 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
1246 }
1247 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1248 ACCOUNT_LOGE("Permission denied.");
1249 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1250 }
1251 return innerManager_.SetOsAccountToBeRemoved(localId, toBeRemoved);
1252 }
1253
GetOsAccountDomainInfo(const int32_t localId,DomainAccountInfo & domainInfo)1254 ErrCode OsAccountManagerService::GetOsAccountDomainInfo(const int32_t localId, DomainAccountInfo &domainInfo)
1255 {
1256 if (!(PermissionCheck(GET_DOMAIN_ACCOUNTS, "") &&
1257 PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, ""))) {
1258 ACCOUNT_LOGE("Permission denied.");
1259 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1260 }
1261 ErrCode res = CheckLocalId(localId);
1262 if (res != ERR_OK) {
1263 return res;
1264 }
1265 return innerManager_.GetOsAccountDomainInfo(localId, domainInfo);
1266 }
1267 } // namespace AccountSA
1268 } // namespace OHOS
1269