1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "ipc_common.h"
17 #include "ipc_skeleton.h"
18 #include "accesstoken_kit.h"
19 #include "app_mgr_interface.h"
20 #include "iam_common_defines.h"
21 #include "iam_logger.h"
22 #include "iam_para2str.h"
23 #include "iservice_registry.h"
24 #include "system_ability_definition.h"
25 #include "tokenid_kit.h"
26 #ifdef HAS_OS_ACCOUNT_PART
27 #include "os_account_manager.h"
28 #include "os_account_info.h"
29 #include "user_auth_hdi.h"
30 #endif // HAS_OS_ACCOUNT_PART
31 #define LOG_TAG "USER_AUTH_SA"
32
33 namespace OHOS {
34 namespace UserIam {
35 namespace UserAuth {
36 namespace PermissionString {
37 const std::string MANAGE_USER_IDM_PERMISSION = "ohos.permission.MANAGE_USER_IDM";
38 const std::string USE_USER_IDM_PERMISSION = "ohos.permission.USE_USER_IDM";
39 const std::string ACCESS_USER_AUTH_INTERNAL_PERMISSION = "ohos.permission.ACCESS_USER_AUTH_INTERNAL";
40 const std::string ACCESS_BIOMETRIC_PERMISSION = "ohos.permission.ACCESS_BIOMETRIC";
41 const std::string ACCESS_AUTH_RESPOOL = "ohos.permission.ACCESS_AUTH_RESPOOL";
42 const std::string ENFORCE_USER_IDM = "ohos.permission.ENFORCE_USER_IDM";
43 const std::string SUPPORT_USER_AUTH = "ohos.permission.SUPPORT_USER_AUTH";
44 const std::string USE_USER_ACCESS_MANAGER = "ohos.permission.USE_USER_ACCESS_MANAGER";
45 const std::string USER_AUTH_FROM_BACKGROUND = "ohos.permission.USER_AUTH_FROM_BACKGROUND";
46 const std::string ENTERPRISE_DEVICE_MGR = "ohos.permission.MANAGE_EDM_POLICY";
47 }
48
49 namespace {
50 const std::vector<std::pair<int32_t, std::string>> enforceUserIdmWhiteLists = {
51 {3058, "accountmgr"},
52 };
53 }
54
GetCallingUserId(IPCObjectStub & stub,int32_t & userId)55 int32_t IpcCommon::GetCallingUserId(IPCObjectStub &stub, int32_t &userId)
56 {
57 uint32_t tokenId = GetAccessTokenId(stub);
58 using namespace Security::AccessToken;
59 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(tokenId);
60 if (callingType != Security::AccessToken::TOKEN_HAP) {
61 IAM_LOGE("failed to get calling type");
62 return TYPE_NOT_SUPPORT;
63 }
64 HapTokenInfo hapInfo;
65 int result = AccessTokenKit::GetHapTokenInfo(tokenId, hapInfo);
66 if (result != SUCCESS) {
67 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
68 return TYPE_NOT_SUPPORT;
69 }
70 if (hapInfo.userID != 0) {
71 userId = hapInfo.userID;
72 IAM_LOGI("hap is not in user0, userId = %{public}d", hapInfo.userID);
73 return SUCCESS;
74 }
75
76 #ifdef HAS_OS_ACCOUNT_PART
77 result = AccountSA::OsAccountManager::GetForegroundOsAccountLocalId(userId);
78 if (result != SUCCESS) {
79 IAM_LOGE("GetForegroundOsAccountLocalId failed result = %{public}d", result);
80 return TYPE_NOT_SUPPORT;
81 }
82 #endif
83 IAM_LOGI("hapUserId is %{public}d, ForegroundUserId is %{public}d", hapInfo.userID, userId);
84 return SUCCESS;
85 }
86
GetActiveUserId(std::optional<int32_t> & userId)87 int32_t IpcCommon::GetActiveUserId(std::optional<int32_t> &userId)
88 {
89 if (userId.has_value() && userId.value() != 0) {
90 return SUCCESS;
91 }
92 std::vector<int32_t> ids;
93 #ifdef HAS_OS_ACCOUNT_PART
94 ErrCode queryRet = AccountSA::OsAccountManager::QueryActiveOsAccountIds(ids);
95 if (queryRet != ERR_OK || ids.empty()) {
96 IAM_LOGE("failed to query active account id");
97 return GENERAL_ERROR;
98 }
99 #else // HAS_OS_ACCOUNT_PART
100 const int32_t DEFAULT_OS_ACCOUNT_ID = 0;
101 ids.push_back(DEFAULT_OS_ACCOUNT_ID);
102 IAM_LOGI("there is no os account part, use default id");
103 #endif // HAS_OS_ACCOUNT_PART
104 userId = ids.front();
105 return SUCCESS;
106 }
107
GetAllUserId(std::vector<int32_t> & userIds)108 int32_t IpcCommon::GetAllUserId(std::vector<int32_t> &userIds)
109 {
110 #ifdef HAS_OS_ACCOUNT_PART
111 std::vector<OHOS::AccountSA::OsAccountInfo> accountInfos = {};
112 ErrCode ret = AccountSA::OsAccountManager::QueryAllCreatedOsAccounts(accountInfos);
113 if (ret != ERR_OK) {
114 IAM_LOGE("failed to query all account id ret %{public}d ", ret);
115 return GENERAL_ERROR;
116 }
117
118 if (accountInfos.empty()) {
119 IAM_LOGE("accountInfos count %{public}zu", accountInfos.size());
120 return SUCCESS;
121 }
122
123 std::transform(accountInfos.begin(), accountInfos.end(), std::back_inserter(userIds),
124 [](auto &iter) { return iter.GetLocalId(); });
125 #else
126 const int32_t DEFAULT_OS_ACCOUNT_ID = 0;
127 userIds.push_back(DEFAULT_OS_ACCOUNT_ID);
128 #endif
129
130 return SUCCESS;
131 }
132
MapOsAccountTypeToUserType(int32_t userId,AccountSA::OsAccountType osAccountType)133 static HdiUserType MapOsAccountTypeToUserType(int32_t userId, AccountSA::OsAccountType osAccountType)
134 {
135 if (osAccountType == AccountSA::OsAccountType::PRIVATE) {
136 return HdiUserType::PRIVATE;
137 } else if (userId == MAIN_USER_ID) {
138 return HdiUserType::MAIN;
139 } else {
140 return HdiUserType::SUB;
141 }
142 }
143
GetUserTypeByUserId(int32_t userId,int32_t & userType)144 int32_t IpcCommon::GetUserTypeByUserId(int32_t userId, int32_t &userType)
145 {
146 #ifdef HAS_OS_ACCOUNT_PART
147 AccountSA::OsAccountType osAccountType;
148 ErrCode ret = AccountSA::OsAccountManager::GetOsAccountType(userId, osAccountType);
149 if (ret != ERR_OK) {
150 IAM_LOGE("failed to get osAccountType for userId %d, error code: %d", userId, ret);
151 return TYPE_NOT_SUPPORT;
152 }
153 userType = MapOsAccountTypeToUserType(userId, osAccountType);
154 IAM_LOGI("userType:%{public}d", userType);
155 #else
156 const int32_t DEFAULT_OS_ACCOUNT_TYPE = 0;
157 userType = DEFAULT_OS_ACCOUNT_TYPE;
158 #endif
159
160 return SUCCESS;
161 }
162
CheckForegroundApplication(const std::string & bundleName)163 bool IpcCommon::CheckForegroundApplication(const std::string &bundleName)
164 {
165 sptr<ISystemAbilityManager> samgrClient = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
166 if (samgrClient == nullptr) {
167 IAM_LOGI("Get system ability manager failed");
168 return false;
169 }
170 sptr<AppExecFwk::IAppMgr> iAppManager =
171 iface_cast<AppExecFwk::IAppMgr>(samgrClient->GetSystemAbility(APP_MGR_SERVICE_ID));
172 if (iAppManager == nullptr) {
173 IAM_LOGI("Failed to get ability manager service");
174 return false;
175 }
176 std::vector<AppExecFwk::AppStateData> foregroundAppList;
177 iAppManager->GetForegroundApplications(foregroundAppList);
178 auto it = std::find_if(foregroundAppList.begin(), foregroundAppList.end(), [bundleName] (auto foregroundApp) {
179 return bundleName.compare(foregroundApp.bundleName) == 0;
180 });
181 if (it == foregroundAppList.end()) {
182 IAM_LOGI("app : %{public}s is not foreground", bundleName.c_str());
183 return false;
184 }
185 return true;
186 }
187
CheckPermission(IPCObjectStub & stub,Permission permission)188 bool IpcCommon::CheckPermission(IPCObjectStub &stub, Permission permission)
189 {
190 switch (permission) {
191 case MANAGE_USER_IDM_PERMISSION:
192 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::MANAGE_USER_IDM_PERMISSION);
193 case USE_USER_IDM_PERMISSION:
194 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::USE_USER_IDM_PERMISSION);
195 case ACCESS_USER_AUTH_INTERNAL_PERMISSION:
196 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::ACCESS_USER_AUTH_INTERNAL_PERMISSION);
197 case ACCESS_BIOMETRIC_PERMISSION:
198 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::ACCESS_BIOMETRIC_PERMISSION);
199 case ACCESS_AUTH_RESPOOL:
200 return CheckDirectCaller(stub, PermissionString::ACCESS_AUTH_RESPOOL);
201 case ENFORCE_USER_IDM:
202 return CheckDirectCaller(stub, PermissionString::ENFORCE_USER_IDM) &&
203 CheckNativeCallingProcessWhiteList(stub, permission);
204 case SUPPORT_USER_AUTH:
205 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::SUPPORT_USER_AUTH);
206 case IS_SYSTEM_APP:
207 return CheckCallerIsSystemApp(stub);
208 case CLEAR_REDUNDANCY_PERMISSION:
209 return CheckDirectCaller(stub, PermissionString::ENFORCE_USER_IDM);
210 case USE_USER_ACCESS_MANAGER:
211 return CheckDirectCaller(stub, PermissionString::USE_USER_ACCESS_MANAGER);
212 case USER_AUTH_FROM_BACKGROUND:
213 return CheckDirectCallerAndFirstCallerIfSet(stub, PermissionString::USER_AUTH_FROM_BACKGROUND);
214 case ENTERPRISE_DEVICE_MGR:
215 return CheckDirectCaller(stub, PermissionString::ENTERPRISE_DEVICE_MGR);
216 default:
217 IAM_LOGE("failed to check permission");
218 return false;
219 }
220 }
221
GetAccessTokenId(IPCObjectStub & stub)222 uint32_t IpcCommon::GetAccessTokenId(IPCObjectStub &stub)
223 {
224 uint32_t tokenId = stub.GetFirstTokenID();
225 IAM_LOGD("get first caller tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
226 if (tokenId == 0) {
227 tokenId = stub.GetCallingTokenID();
228 IAM_LOGD("no first caller, get direct caller tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
229 }
230 return tokenId;
231 }
232
GetTokenId(IPCObjectStub & stub)233 uint32_t IpcCommon::GetTokenId(IPCObjectStub &stub)
234 {
235 uint32_t tokenId = stub.GetCallingTokenID();
236 IAM_LOGD("get tokenId: %{public}s", GET_MASKED_STRING(tokenId).c_str());
237 return tokenId;
238 }
239
GetWhiteLists(Permission permission)240 std::vector<std::pair<int32_t, std::string>> IpcCommon::GetWhiteLists(Permission permission)
241 {
242 switch (permission) {
243 case ENFORCE_USER_IDM:
244 return enforceUserIdmWhiteLists;
245 default:
246 IAM_LOGE("the permission has no white lists");
247 return {};
248 }
249 }
250
CheckNativeCallingProcessWhiteList(IPCObjectStub & stub,Permission permission)251 bool IpcCommon::CheckNativeCallingProcessWhiteList(IPCObjectStub &stub, Permission permission)
252 {
253 uint32_t tokenId = GetTokenId(stub);
254 using namespace Security::AccessToken;
255 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(tokenId);
256 if (callingType != Security::AccessToken::TOKEN_NATIVE) {
257 IAM_LOGE("failed to get calling type");
258 return false;
259 }
260 NativeTokenInfo nativeTokenInfo;
261 int result = AccessTokenKit::GetNativeTokenInfo(tokenId, nativeTokenInfo);
262 if (result != SUCCESS) {
263 IAM_LOGE("failed to get native token info, result = %{public}d", result);
264 return false;
265 }
266
267 std::vector<std::pair<int32_t, std::string>> whiteLists = IpcCommon::GetWhiteLists(permission);
268 std::string processName = nativeTokenInfo.processName;
269 int32_t processUid = stub.GetCallingUid();
270 for (const auto &whiteList : whiteLists) {
271 if (whiteList.first == processUid && whiteList.second == processName) {
272 return true;
273 }
274 }
275 IAM_LOGE("failed to check process white list");
276 return false;
277 }
278
CheckDirectCallerAndFirstCallerIfSet(IPCObjectStub & stub,const std::string & permission)279 bool IpcCommon::CheckDirectCallerAndFirstCallerIfSet(IPCObjectStub &stub, const std::string &permission)
280 {
281 uint32_t firstTokenId = stub.GetFirstTokenID();
282 uint32_t callingTokenId = GetTokenId(stub);
283 using namespace Security::AccessToken;
284 if ((firstTokenId != 0 && AccessTokenKit::VerifyAccessToken(firstTokenId, permission) != RET_SUCCESS) ||
285 AccessTokenKit::VerifyAccessToken(callingTokenId, permission) != RET_SUCCESS) {
286 return false;
287 }
288 return true;
289 }
290
CheckDirectCaller(IPCObjectStub & stub,const std::string & permission)291 bool IpcCommon::CheckDirectCaller(IPCObjectStub &stub, const std::string &permission)
292 {
293 uint32_t callingTokenId = GetTokenId(stub);
294 using namespace Security::AccessToken;
295 if (AccessTokenKit::VerifyAccessToken(callingTokenId, permission) != RET_SUCCESS) {
296 IAM_LOGE("failed to check permission");
297 return false;
298 }
299 return true;
300 }
301
CheckCallerIsSystemApp(IPCObjectStub & stub)302 bool IpcCommon::CheckCallerIsSystemApp(IPCObjectStub &stub)
303 {
304 uint32_t callingTokenId = GetTokenId(stub);
305 using namespace Security::AccessToken;
306 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
307 bool checkRet = TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
308 ATokenTypeEnum callingType = AccessTokenKit::GetTokenTypeFlag(callingTokenId);
309 if (checkRet && callingType == Security::AccessToken::TOKEN_HAP) {
310 IAM_LOGI("the caller is system application");
311 return true;
312 }
313 return false;
314 }
315
GetDirectCallerType(IPCObjectStub & stub)316 int32_t IpcCommon::GetDirectCallerType(IPCObjectStub &stub)
317 {
318 return Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(GetTokenId(stub));
319 }
320
GetCallerName(IPCObjectStub & stub,std::string & callerName,int32_t & callerType)321 bool IpcCommon::GetCallerName(IPCObjectStub &stub, std::string &callerName, int32_t &callerType)
322 {
323 uint32_t tokenId = GetAccessTokenId(stub);
324 using namespace Security::AccessToken;
325 callerType = AccessTokenKit::GetTokenTypeFlag(tokenId);
326 if (callerType == Security::AccessToken::TOKEN_HAP) {
327 HapTokenInfo hapTokenInfo;
328 int result = AccessTokenKit::GetHapTokenInfo(tokenId, hapTokenInfo);
329 if (result != SUCCESS) {
330 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
331 return false;
332 }
333 callerName = hapTokenInfo.bundleName;
334 IAM_LOGI("caller bundleName is %{public}s", callerName.c_str());
335 return true;
336 } else if (callerType == Security::AccessToken::TOKEN_NATIVE) {
337 NativeTokenInfo nativeTokenInfo;
338 int res = AccessTokenKit::GetNativeTokenInfo(tokenId, nativeTokenInfo);
339 if (res != SUCCESS) {
340 IAM_LOGE("failed to get native token info, res = %{public}d", res);
341 return false;
342 }
343 callerName = nativeTokenInfo.processName;
344 IAM_LOGI("caller processName is %{public}s", callerName.c_str());
345 return true;
346 }
347 IAM_LOGI("caller is not a hap or a native");
348 return false;
349 }
350
GetCallingAppID(IPCObjectStub & stub,std::string & callingAppID)351 bool IpcCommon::GetCallingAppID(IPCObjectStub &stub, std::string &callingAppID)
352 {
353 uint32_t tokenId = GetAccessTokenId(stub);
354 using namespace Security::AccessToken;
355 ATokenTypeEnum callerTypeTemp = AccessTokenKit::GetTokenTypeFlag(tokenId);
356 if (callerTypeTemp != Security::AccessToken::TOKEN_HAP) {
357 return false;
358 }
359
360 HapTokenInfoExt hapTokenInfo;
361 int result = AccessTokenKit::GetHapTokenInfoExtension(tokenId, hapTokenInfo);
362 if (result != SUCCESS) {
363 IAM_LOGE("failed to get hap token info, result = %{public}d", result);
364 return false;
365 }
366 callingAppID = hapTokenInfo.appID;
367 IAM_LOGI("successed in getting caller app ID");
368 return true;
369 }
370
IsOsAccountVerified(int32_t userId)371 bool IpcCommon::IsOsAccountVerified(int32_t userId)
372 {
373 bool isOsAccountVerified = false;
374 #ifdef HAS_OS_ACCOUNT_PART
375 ErrCode queryRet = AccountSA::OsAccountManager::IsOsAccountVerified(userId, isOsAccountVerified);
376 if (queryRet != ERR_OK) {
377 IAM_LOGE("failed to query account verified status");
378 return false;
379 }
380 #endif
381 return isOsAccountVerified;
382 }
383 } // namespace UserAuth
384 } // namespace UserIam
385 } // namespace OHOS