• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 /**
17  * @addtogroup AccessToken
18  * @{
19  *
20  * @brief Provides permission management.
21  *
22  * Provides tokenID-based application permission verification mechanism.
23  * When an application accesses sensitive data or APIs, this module can check
24  * whether the application has the corresponding permission. Allows applications
25  * to query their access token information or APL levcels based on token IDs.
26  *
27  * @since 7.0
28  * @version 7.0
29  */
30 
31 /**
32  * @file accesstoken_kit.h
33  *
34  * @brief Declares access token interfaces.
35  *
36  * @since 7.0
37  * @version 7.0
38  */
39 
40 #ifndef INTERFACES_INNER_KITS_ACCESSTOKEN_KIT_H
41 #define INTERFACES_INNER_KITS_ACCESSTOKEN_KIT_H
42 
43 #include <string>
44 #include <unordered_set>
45 #include <vector>
46 
47 #include "access_token.h"
48 #include "atm_tools_param_info.h"
49 #include "hap_token_info.h"
50 #include "native_token_info.h"
51 #include "permission_def.h"
52 #include "permission_list_state.h"
53 #include "permission_grant_info.h"
54 #include "permission_state_change_info.h"
55 #include "permission_state_full.h"
56 #include "perm_state_change_callback_customize.h"
57 #ifdef TOKEN_SYNC_ENABLE
58 #include "token_sync_kit_interface.h"
59 #endif // TOKEN_SYNC_ENABLE
60 
61 namespace OHOS {
62 namespace Security {
63 namespace AccessToken {
64 /**
65  * @brief Declares AccessTokenKit class
66  */
67 class AccessTokenKit {
68 public:
69     /**
70      * @brief Get permission used type by tokenID.
71      * @param tokenID token id
72      * @param permissionName permission to be checked
73      * @return enum PermUsedTypeEnum, see access_token.h
74      */
75     static PermUsedTypeEnum GetPermissionUsedType(AccessTokenID tokenID, const std::string& permissionName);
76 
77     /**
78      * @brief Grant input permission to input tokenID flag for specified time.
79      * @param tokenID token id
80      * @param permissionName permission name quote
81      * @param onceTime the time it takes to work, the unit is second.
82      * @return error code, see access_token_error.h
83      */
84     static int GrantPermissionForSpecifiedTime(
85         AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime);
86 
87     /**
88      * @brief Create a unique hap token by input values.
89      * @param info struct HapInfoParams quote, see hap_token_info.h
90      * @param policy struct HapPolicyParams quote, see hap_token_info.h
91      * @return union AccessTokenIDEx, see access_token.h
92      */
93     static AccessTokenIDEx AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy);
94     /**
95      * @brief Create a unique hap token by input values and init the permission state.
96      * @param info struct HapInfoParams quote, see hap_token_info.h
97      * @param policy struct HapPolicyParams quote, see hap_token_info.h
98      * @return union AccessTokenIDEx, see access_token.h
99      */
100     static int32_t InitHapToken(const HapInfoParams& info, HapPolicyParams& policy, AccessTokenIDEx& fullTokenId);
101     /**
102      * @brief Create a unique hap token by input values and init the permission state.
103      * @param info struct HapInfoParams quote, see hap_token_info.h
104      * @param policy struct HapPolicyParams quote, see hap_token_info.h
105      * @param result struct HapInfoCheckResult, see hap_token_info.h
106      * @return union AccessTokenIDEx, see access_token.h
107      */
108     static int32_t InitHapToken(const HapInfoParams& info, HapPolicyParams& policy,
109         AccessTokenIDEx& fullTokenId, HapInfoCheckResult& result);
110     /**
111      * @brief Create a unique mapping token binding remote tokenID and DeviceID.
112      * @param remoteDeviceID remote device deviceID
113      * @param remoteTokenID remote device tokenID
114      * @return local tokenID which mapped by local token
115      */
116     static AccessTokenID AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID);
117     /**
118      * @brief Update hap token info.
119      * @param tokenIdEx union AccessTokenIDEx quote, see access_token.h
120      * @param isSystemApp is system app or not
121      * @param appIDDesc app id description quote
122      * @param apiVersion app api version
123      * @param policy struct HapPolicyParams quote, see hap_token_info.h
124      * @return error code, see access_token_error.h
125      */
126     static int32_t UpdateHapToken(
127         AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, const HapPolicyParams& policy);
128     /**
129      * @brief Update hap token info.
130      * @param tokenIdEx union AccessTokenIDEx quote, see access_token.h
131      * @param isSystemApp is system app or not
132      * @param appIDDesc app id description quote
133      * @param apiVersion app api version
134      * @param policy struct HapPolicyParams quote, see hap_token_info.h
135      * @param result struct HapInfoCheckResult, see hap_token_info.h
136      * @return error code, see access_token_error.h
137      */
138     static int32_t UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info,
139         const HapPolicyParams& policy, HapInfoCheckResult& result);
140     /**
141      * @brief Delete token info.
142      * @param tokenID token id
143      * @return error code, see access_token_error.h
144      */
145     static int DeleteToken(AccessTokenID tokenID);
146     /**
147      * @brief Get token type by ATM service.
148      * @param tokenID token id
149      * @return token type enum, see access_token.h
150      */
151     static ATokenTypeEnum GetTokenType(AccessTokenID tokenID);
152     /**
153      * @brief Get token type from flag in tokenId, which doesn't depend on ATM service.
154      * @param tokenID token id
155      * @return token type enum, see access_token.h
156      */
157     static ATokenTypeEnum GetTokenTypeFlag(AccessTokenID tokenID);
158     /**
159      * @brief Get token type by ATM service with uint_64 parameters.
160      * @param tokenID token id
161      * @return token type enum, see access_token.h
162      */
163     static ATokenTypeEnum GetTokenType(FullTokenID tokenID);
164     /**
165      * @brief Get token type from flag in tokenId, which doesn't depend
166      *        on ATM service, with uint_64 parameters.
167      * @param tokenID token id
168      * @return token type enum, see access_token.h
169      */
170     static ATokenTypeEnum GetTokenTypeFlag(FullTokenID tokenID);
171     /**
172      * @brief Get token id by user id.
173      * @param userID user id
174      * @param tokenIdList token id list
175      * @return error code, see access_token_error.h
176      */
177     static int32_t GetTokenIDByUserID(int32_t userID, std::unordered_set<AccessTokenID>& tokenIdList);
178     /**
179      * @brief Query hap tokenID by input prarms.
180      * @param userID user id
181      * @param bundleName bundle name
182      * @param instIndex inst index
183      * @return token id if exsit or 0 if not exsit
184      */
185     static AccessTokenID GetHapTokenID(int32_t userID, const std::string& bundleName, int32_t instIndex);
186     /**
187      * @brief Query hap token attribute by input prarms.
188      * @param userID user id
189      * @param bundleName bundle name
190      * @param instIndex inst index
191      * @return union AccessTokenIDEx, see access_token.h
192      */
193     static AccessTokenIDEx GetHapTokenIDEx(int32_t userID, const std::string& bundleName, int32_t instIndex);
194     /**
195      * @brief Get hap token info by token id.
196      * @param tokenID token id
197      * @param hapTokenInfoRes HapTokenInfo quote, as query result
198      * @return error code, see access_token_error.h
199      */
200     static int GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes);
201     /**
202      * @brief Get native token info by token id.
203      * @param tokenID token id
204      * @param nativeTokenInfoRes NativeTokenInfo quote, as query result
205      * @return error code, see access_token_error.h
206      */
207     static int GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes);
208     /**
209      * @brief Check if the input tokenID has been granted the input permission.
210      * @param tokenID token id
211      * @param permissionName permission to be checked
212      * @return enum PermissionState, see access_token.h
213      */
214     static int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName);
215     /**
216      * @brief Check if the input tokenID has been granted the input permission.
217      * @param callerTokenID the tokenID of caller native process or hap process
218      * @param firstTokenID the tokenID of first caller native process or hap process
219      * @param permissionName permission to be checked
220      * @return enum PermissionState, see access_token.h
221      */
222     static int VerifyAccessToken(
223         AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName);
224     /**
225      * @brief Check if the input tokenID has been granted the input permission.
226      * @param tokenID token id
227      * @param permissionName permission to be checked
228      * @param crossIpc whether to cross ipc
229      * @return enum PermissionState, see access_token.h
230      */
231     static int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName, bool crossIpc);
232     /**
233      * @brief Check if the input tokenID has been granted the input permission.
234      * @param callerTokenID the tokenID of caller native process or hap process
235      * @param firstTokenID the tokenID of first caller native process or hap process
236      * @param permissionName permission to be checked
237      * @param crossIpc whether to cross ipc
238      * @return enum PermissionState, see access_token.h
239      */
240     static int VerifyAccessToken(AccessTokenID callerTokenID,
241         AccessTokenID firstTokenID, const std::string& permissionName, bool crossIpc);
242     /**
243      * @brief Check if the input tokenID has been granted the input permission list.
244      * @param tokenID token id
245      * @param permissionList permission list to be checked
246      * @param permStateList enum PermissionState list, as result
247      * @param crossIpc whether to cross ipc
248      * @return error code, see access_token_error.h
249      */
250     static int VerifyAccessToken(AccessTokenID tokenID, const std::vector<std::string>& permissionList,
251         std::vector<int32_t>& permStateList, bool crossIpc = false);
252 
253     /**
254      * @brief Get permission definition by permission name.
255      * @param permissionName permission name quote
256      * @param permissionDefResult PermissionDef quote, as query result
257      * @return error code, see access_token_error.h
258      */
259     static int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult);
260     /**
261      * @brief Get all requested permission full state by token id and grant mode.
262      * @param tokenID token id
263      * @param reqPermList PermissionStateFull list quote, as query result
264      * @param isSystemGrant grant mode
265      * @return error code, see access_token_error.h
266      */
267     static int GetReqPermissions(
268         AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant);
269     /**
270      * @brief Get permission grant flag
271      * @param tokenID token id
272      * @param permissionName permission name quote
273      * @param flag the permission grant flag, as query result
274      * @return error code, see access_token_error.h
275      */
276     static int GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag);
277     /**
278      * @brief Set permission request toggle status
279      * @param permissionName permission name quote
280      * @param status the permission request toggle status to set
281      * @param userID the userID
282      * @return error code, see access_token_error.h
283      */
284     static int32_t SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status, int32_t userID);
285     /**
286      * @brief Get permission request toggle status
287      * @param permissionName permission name quote
288      * @param status the permission request toggle status to get
289      * @param userID the userID
290      * @return error code, see access_token_error.h
291      */
292     static int32_t GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status,
293         int32_t userID);
294     /**
295      * @brief Starts the permission manager page of an application.
296      * @param tokenID token id
297      * @return error code, see access_token_error.h
298      */
299     static int32_t RequestAppPermOnSetting(AccessTokenID tokenID);
300     /**
301      * @brief Get requsted permission grant result
302      * @param permList PermissionListState list quote, as input and query result
303      * @return enum PermissionOper, see access_token.h
304      */
305     static PermissionOper GetSelfPermissionsState(std::vector<PermissionListState>& permList,
306         PermissionGrantInfo& info);
307     /**
308      * @brief Get requsted permissions status
309      * @param permList PermissionListState list quote, as input and query result
310      * @return error code, see access_token_error.h
311      */
312     static int32_t GetPermissionsStatus(AccessTokenID tokenID, std::vector<PermissionListState>& permList);
313     /**
314      * @brief Grant input permission to input tokenID with input flag.
315      * @param tokenID token id
316      * @param permissionName permission name quote
317      * @param flag enum PermissionFlag, see access_token.h
318      * @return error code, see access_token_error.h
319      */
320     static int GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag);
321     /**
322      * @brief Revoke input permission to input tokenID with input flag.
323      * @param tokenID token id
324      * @param permissionName permission name quote
325      * @param flag enum PermissionFlag, see access_token.h
326      * @return error code, see access_token_error.h
327      */
328     static int RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag);
329     /**
330      * @brief Clear all user granted permissions state in input tokenID.
331      * @param tokenID token id
332      * @return error code, see access_token_error.h
333      */
334     static int ClearUserGrantedPermissionState(AccessTokenID tokenID);
335     /**
336      * @brief Register permission state change callback.
337      * @param callback smart point of class PermStateChangeCallbackCustomize quote
338      * @return error code, see access_token_error.h
339      */
340     static int32_t RegisterPermStateChangeCallback(
341         const std::shared_ptr<PermStateChangeCallbackCustomize>& callback);
342     /**
343      * @brief Unregister permission state change callback.
344      * @param callback smart point of class PermStateChangeCallbackCustomize quote
345      * @return error code, see access_token_error.h
346      */
347     static int32_t UnRegisterPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize>& callback);
348     /**
349      * @brief Register permission state change callback for app.
350      * @param callback smart point of class PermStateChangeCallbackCustomize quote
351      * @return error code, see access_token_error.h
352      */
353     static int32_t RegisterSelfPermStateChangeCallback(
354         const std::shared_ptr<PermStateChangeCallbackCustomize>& callback);
355     /**
356      * @brief Unregister permission state change callback for app.
357      * @param callback smart point of class PermStateChangeCallbackCustomize quote
358      * @return error code, see access_token_error.h
359      */
360     static int32_t UnRegisterSelfPermStateChangeCallback(
361         const std::shared_ptr<PermStateChangeCallbackCustomize>& callback);
362     /**
363      * @brief Get current version.
364      * @param version access token version.
365      * @return error code, see access_token_error.h
366      */
367     static int32_t GetVersion(uint32_t& version);
368     /**
369      * @brief Get hap dlp flag by input tokenID.
370      * @param tokenID token id
371      * @return dlp flag in tokenID bitmap, or default -1
372      */
373     static int32_t GetHapDlpFlag(AccessTokenID tokenID);
374     /**
375      * @brief Reload native token info.
376      * @return error code, see access_token_error.h
377      */
378     static int32_t ReloadNativeTokenInfo();
379     /**
380      * @brief Get tokenID by native process name.
381      * @param processName native process name
382      * @return token id of native process
383      */
384     static AccessTokenID GetNativeTokenId(const std::string& processName);
385 
386     /**
387      * @brief Get hap token extension info by token id.
388      * @param tokenID token id
389      * @param info HapTokenInfoExt include appID
390      * @return error code, see access_token_error.h
391      */
392     static int GetHapTokenInfoExtension(AccessTokenID tokenID, HapTokenInfoExt& info);
393 
394     /**
395      * @brief Set permission dialog capability
396      * @param hapBaseInfo base infomation of hap
397      * @param enable status of enable dialog
398      * @return error code, see access_token_error.h
399      */
400     static int32_t SetPermDialogCap(const HapBaseInfo& hapBaseInfo, bool enable);
401 
402 #ifdef TOKEN_SYNC_ENABLE
403     /**
404      * @brief Get remote hap token info by remote token id.
405      * @param tokenID remote token id
406      * @param hapSync HapTokenInfoForSync quote, as query result
407      * @return error code, see access_token_error.h
408      */
409     static int GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSync& hapSync);
410 
411     /**
412      * @brief Set remote hap token info with remote deviceID.
413      * @param deviceID remote deviceID
414      * @param hapSync hap token info to set
415      * @return error code, see access_token_error.h
416      */
417     static int SetRemoteHapTokenInfo(const std::string& deviceID, const HapTokenInfoForSync& hapSync);
418     /**
419      * @brief Delete remote token by remote deviceID and remote tokenID.
420      * @param deviceID remote deviceID
421      * @param tokenID remote tokenID
422      * @return error code, see access_token_error.h
423      */
424     static int DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID);
425     /**
426      * @brief Get local mapping native tokenID by remote deviceID
427      *        and remote tokenID.
428      * @param deviceID remote deviceID
429      * @param tokenID remote tokenID
430      * @return token id of mapping native tokenID
431      */
432     static AccessTokenID GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID);
433     /**
434      * @brief Delete remote tokens by remote deviceID.
435      * @param deviceID remote deviceID
436      * @return error code, see access_token_error.h
437      */
438     static int DeleteRemoteDeviceTokens(const std::string& deviceID);
439     /**
440      * @brief Regist a token sync service callback
441      * @param syncCallback token sync class
442      * @return error code, see access_token_error.h
443      */
444     static int32_t RegisterTokenSyncCallback(const std::shared_ptr<TokenSyncKitInterface>& syncCallback);
445     /**
446      * @brief UnRegist a token sync service callback
447      * @param syncCallback token sync class
448      * @return error code, see access_token_error.h
449      */
450     static int32_t UnRegisterTokenSyncCallback();
451 #endif
452     /**
453      * @brief Dump all token infos in the cache.
454      * @param tokenID token id, if tokenID is valid, only dump this token info
455      * @param dumpInfo all token info
456      */
457     static void DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo);
458     /**
459      * @brief Get application info of permission manager.
460      * @param info application info of permission manager
461      */
462     static void GetPermissionManagerInfo(PermissionGrantInfo& info);
463 
464     /**
465      * @brief Set user permission policy
466      * @param userList list of user id.
467      * @param permList list of permission
468      * @return error code, see access_token_error.h
469      */
470     static int32_t InitUserPolicy(const std::vector<UserState>& userList, const std::vector<std::string>& permList);
471 
472     /**
473      * @brief Update user permission policy
474      * @param userList list of user id.
475      * @return error code, see access_token_error.h
476      */
477     static int32_t UpdateUserPolicy(const std::vector<UserState>& userList);
478 
479     /**
480      * @brief Clear user permission policy
481      * @return error code, see access_token_error.h
482      */
483     static int32_t ClearUserPolicy();
484 
485     /**
486      * @brief Whether it is a system application
487      * @param tokenId token id.
488      * @return bool
489      */
490     static bool IsSystemAppByFullTokenID(uint64_t tokenId);
491 
492     /**
493      * @brief Gets the render process tokenId.
494      * @param tokenId token id.
495      * @return tokenId
496      */
497     static uint64_t GetRenderTokenID(uint64_t tokenId);
498 
499     /**
500      * @brief Get kernel permission and value by token id.
501      * @param tokenID token id
502      * @param kernelPermList PermissionWithValue quote, as query result
503      * @return error code, see access_token_error.h
504      */
505     static int32_t GetKernelPermissions(AccessTokenID tokenID, std::vector<PermissionWithValue>& kernelPermList);
506 
507     /**
508      * @brief Get extended value of permission by token id and permission name.
509      * @param tokenID token id
510      * @param permissionName permission name
511      * @param value as result
512      * @return error code, see access_token_error.h
513      */
514     static int32_t GetReqPermissionByName(
515         AccessTokenID tokenID, const std::string& permissionName, std::string& value);
516 };
517 } // namespace AccessToken
518 } // namespace Security
519 } // namespace OHOS
520 #endif
521