1 /*
2 * Copyright (C) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "compatible_auth_sub_session.h"
17
18 #include "compatible_auth_sub_session_common.h"
19 #include "compatible_auth_sub_session_util.h"
20 #include "dev_auth_module_manager.h"
21 #include "ext_plugin_manager.h"
22 #include "hc_log.h"
23 #include "hc_types.h"
24 #include "hitrace_adapter.h"
25 #include "group_auth_data_operation.h"
26 #include "group_operation_common.h"
27
CheckInputAuthParams(const CJson * authParam)28 static int32_t CheckInputAuthParams(const CJson *authParam)
29 {
30 int32_t keyLen = DEFAULT_RETURN_KEY_LENGTH;
31 (void)GetIntFromJson(authParam, FIELD_KEY_LENGTH, &keyLen);
32 if ((keyLen < MIN_KEY_LENGTH) || (keyLen > MAX_KEY_LENGTH)) {
33 LOGE("The key length is invalid!");
34 return HC_ERR_INVALID_PARAMS;
35 }
36 if (GetStringFromJson(authParam, FIELD_SERVICE_PKG_NAME) == NULL) {
37 LOGE("Failed to get servicePkgName!");
38 return HC_ERR_JSON_GET;
39 }
40 return HC_SUCCESS;
41 }
42
CreateClientAuthSubSessionInner(int32_t osAccountId,CJson * jsonParams,const DeviceAuthCallback * callback,CompatibleBaseSubSession ** session)43 static int32_t CreateClientAuthSubSessionInner(int32_t osAccountId, CJson *jsonParams,
44 const DeviceAuthCallback *callback, CompatibleBaseSubSession **session)
45 {
46 ParamsVecForAuth authParamsVec;
47 CreateAuthParamsList(&authParamsVec);
48 int32_t res = GetAuthParamsVec(osAccountId, jsonParams, &authParamsVec);
49 if (res != HC_SUCCESS) {
50 LOGW("Failed to get auth param list!");
51 DestroyAuthParamsList(&authParamsVec);
52 return res;
53 }
54 if (authParamsVec.size(&authParamsVec) == 0) {
55 LOGE("Empty auth params list!");
56 DestroyAuthParamsList(&authParamsVec);
57 return HC_ERR_NO_CANDIDATE_GROUP;
58 }
59 CompatibleAuthSubSession *subSession = (CompatibleAuthSubSession *)HcMalloc(sizeof(CompatibleAuthSubSession), 0);
60 if (subSession == NULL) {
61 LOGE("Failed to allocate memory for session!");
62 DestroyAuthParamsList(&authParamsVec);
63 return HC_ERR_ALLOC_MEMORY;
64 }
65 subSession->base.type = TYPE_CLIENT_AUTH_SUB_SESSION;
66 subSession->base.callback = callback;
67 subSession->base.appId = GetDuplicatePkgName(jsonParams);
68 subSession->currentIndex = 0;
69 subSession->paramsList = authParamsVec;
70 subSession->base.status = STATUS_INITIAL;
71 *session = (CompatibleBaseSubSession *)subSession;
72
73 return HC_SUCCESS;
74 }
75
CheckAcceptRequest(const CJson * context)76 static int32_t CheckAcceptRequest(const CJson *context)
77 {
78 uint32_t confirmation = REQUEST_REJECTED;
79 (void)GetUnsignedIntFromJson(context, FIELD_CONFIRMATION, &confirmation);
80 if (confirmation != REQUEST_ACCEPTED) {
81 LOGE("The service rejected this request!");
82 return HC_ERR_REQ_REJECTED;
83 }
84 LOGI("The service accepted this request!");
85 return HC_SUCCESS;
86 }
87
GetAuthInfoForServer(CJson * dataFromClient,ParamsVecForAuth * authParamsVec)88 static int32_t GetAuthInfoForServer(CJson *dataFromClient, ParamsVecForAuth *authParamsVec)
89 {
90 int32_t res = CheckAcceptRequest(dataFromClient);
91 if (res != HC_SUCCESS) {
92 return res;
93 }
94 int32_t authForm = AUTH_FORM_INVALID_TYPE;
95 if (GetIntFromJson(dataFromClient, FIELD_AUTH_FORM, &authForm) != HC_SUCCESS) {
96 LOGE("Failed to get auth form from clientData!");
97 return HC_ERR_JSON_GET;
98 }
99 int32_t groupAuthType = GetAuthType(authForm);
100 BaseGroupAuth *groupAuthHandle = GetGroupAuth(groupAuthType);
101 if (groupAuthHandle == NULL) {
102 LOGE("Failed to get group auth handle with groupAuthType!");
103 return HC_ERR_NOT_SUPPORT;
104 }
105 return groupAuthHandle->getAuthParamsVecForServer(dataFromClient, authParamsVec);
106 }
107
IsPeerGroupAuthError(const CJson * in)108 static bool IsPeerGroupAuthError(const CJson *in)
109 {
110 int32_t groupErrMsg = 0;
111 if (GetIntFromJson(in, FIELD_GROUP_ERROR_MSG, &groupErrMsg) != HC_SUCCESS) {
112 return false;
113 }
114 return true;
115 }
116
HandlePeerAuthError(CompatibleAuthSubSession * session)117 static int32_t HandlePeerAuthError(CompatibleAuthSubSession *session)
118 {
119 if (AuthOnNextGroupIfExist(session) != HC_SUCCESS) {
120 LOGE("Failed to auth on next group!");
121 return HC_ERR_PEER_ERROR;
122 }
123 return HC_SUCCESS;
124 }
125
DeleteDeviceToken(int32_t osAccountId,const TrustedDeviceEntry * entry)126 static void DeleteDeviceToken(int32_t osAccountId, const TrustedDeviceEntry *entry)
127 {
128 CJson *deleteParams = CreateJson();
129 if (deleteParams == NULL) {
130 LOGE("Failed to create delete params!");
131 return;
132 }
133 if (AddIntToJson(deleteParams, FIELD_CREDENTIAL_TYPE, (int32_t)entry->credential) != HC_SUCCESS) {
134 LOGE("Failed to add credentialType!");
135 FreeJson(deleteParams);
136 return;
137 }
138 if (AddStringToJson(deleteParams, FIELD_USER_ID, StringGet(&entry->userId)) != HC_SUCCESS) {
139 LOGE("Failed to add userId!");
140 FreeJson(deleteParams);
141 return;
142 }
143 if (AddStringToJson(deleteParams, FIELD_DEVICE_ID, StringGet(&entry->authId)) != HC_SUCCESS) {
144 LOGE("Failed to add deviceId!");
145 FreeJson(deleteParams);
146 return;
147 }
148 int32_t res = ProcCred(ACCOUNT_RELATED_PLUGIN, osAccountId, DELETE_TRUSTED_CREDENTIALS, deleteParams, NULL);
149 LOGI("Delete token result is: %" LOG_PUB "d", res);
150 FreeJson(deleteParams);
151 }
152
DelTrustDeviceOnAuthErrorV1(const CJson * paramInSession,int32_t peerResultCode)153 static void DelTrustDeviceOnAuthErrorV1(const CJson *paramInSession, int32_t peerResultCode)
154 {
155 int32_t authForm = 0;
156 if (GetIntFromJson(paramInSession, FIELD_AUTH_FORM, &authForm) != HC_SUCCESS) {
157 LOGE("Get FIELD_AUTH_FORM from session failed!");
158 return;
159 }
160 if ((authForm != AUTH_FORM_IDENTICAL_ACCOUNT) || ((peerResultCode != PEER_ACCOUNT_NOT_MATCH) &&
161 (peerResultCode != PEER_ACCOUNT_NOT_LOGIN) && (peerResultCode != PEER_ACCOUNT_NOT_REG))) {
162 return;
163 }
164 int32_t osAccountId;
165 if (GetIntFromJson(paramInSession, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
166 LOGE("Get osAccountId from session failed!");
167 return;
168 }
169 const char *groupId = GetStringFromJson(paramInSession, FIELD_GROUP_ID);
170 if (groupId == NULL) {
171 LOGE("Get groupId from session failed!");
172 return;
173 }
174 const char *peerUdid = GetStringFromJson(paramInSession, FIELD_PEER_UDID);
175 if (peerUdid == NULL) {
176 LOGE("Get peer udid from session failed!");
177 return;
178 }
179 TrustedDeviceEntry *peerDevInfo = CreateDeviceEntry();
180 if (peerDevInfo == NULL) {
181 LOGE("Failed to create device entry!");
182 return;
183 }
184 if (GaGetTrustedDeviceEntryById(osAccountId, peerUdid, true, groupId, peerDevInfo) != HC_SUCCESS) {
185 LOGW("peer device not exist, no need to delete!");
186 DestroyDeviceEntry(peerDevInfo);
187 return;
188 }
189 if (DelDeviceFromDb(osAccountId, groupId, peerDevInfo) != HC_SUCCESS) {
190 LOGE("Failed to delete not trusted account related device!");
191 DestroyDeviceEntry(peerDevInfo);
192 return;
193 }
194 if (peerDevInfo->source == IMPORTED_FROM_CLOUD) {
195 LOGI("peer device is imported, delete token.");
196 DeleteDeviceToken(osAccountId, peerDevInfo);
197 }
198 DestroyDeviceEntry(peerDevInfo);
199 LOGI("Success delete not trusted account related device!");
200 }
201
ProcessClientAuthTaskInner(CompatibleAuthSubSession * session,int32_t moduleType,CJson * in,CJson * out,int32_t * status)202 static int32_t ProcessClientAuthTaskInner(CompatibleAuthSubSession *session, int32_t moduleType, CJson *in,
203 CJson *out, int32_t *status)
204 {
205 CJson *paramInSession = (session->paramsList).get(&(session->paramsList), session->currentIndex);
206 if (paramInSession == NULL) {
207 LOGE("Failed to get param in session!");
208 return HC_ERR_NULL_PTR;
209 }
210 DEV_AUTH_START_TRACE(TRACE_TAG_PROCESS_AUTH_TASK);
211 int32_t res = ProcessTask(session->base.curTaskId, in, out, status, moduleType);
212 DEV_AUTH_FINISH_TRACE();
213 DeleteItemFromJson(in, FIELD_PAYLOAD);
214 if (res != HC_SUCCESS) {
215 LOGW("Failed to process client auth task, try to auth on next group!");
216 DestroyTask(session->base.curTaskId, moduleType);
217 int32_t peerResultCode = 0;
218 (void)GetIntFromJson(in, FIELD_RESULT_CODE, &peerResultCode);
219 DelTrustDeviceOnAuthErrorV1(paramInSession, peerResultCode);
220 return ProcessClientAuthError(session, out);
221 }
222 return HandleAuthTaskStatus(session, out, *status, false);
223 }
224
ProcessDeviceLevel(const CJson * receiveData,CJson * authParam)225 static void ProcessDeviceLevel(const CJson *receiveData, CJson *authParam)
226 {
227 bool receiveLevel = false;
228 bool authLevel = false;
229 (void)GetBoolFromJson(receiveData, FIELD_IS_DEVICE_LEVEL, &receiveLevel);
230 (void)GetBoolFromJson(authParam, FIELD_IS_DEVICE_LEVEL, &authLevel);
231 if (AddBoolToJson(authParam, FIELD_IS_DEVICE_LEVEL, receiveLevel && authLevel) != HC_SUCCESS) {
232 LOGE("Failed to add device level to auth param!");
233 }
234 }
235
ProcessClientAuthTask(CompatibleAuthSubSession * session,CJson * receivedData,int32_t * status)236 static int32_t ProcessClientAuthTask(CompatibleAuthSubSession *session, CJson *receivedData, int32_t *status)
237 {
238 CJson *paramInSession = (session->paramsList).get(&(session->paramsList), session->currentIndex);
239 if (paramInSession == NULL) {
240 LOGE("Failed to get param in session!");
241 return HC_ERR_NULL_PTR;
242 }
243 ProcessDeviceLevel(receivedData, paramInSession);
244
245 if (IsPeerGroupAuthError(receivedData)) {
246 return HandlePeerAuthError(session);
247 }
248
249 CJson *out = CreateJson();
250 if (out == NULL) {
251 LOGE("Failed to create json for out!");
252 NotifyPeerAuthError(paramInSession, session->base.callback);
253 return HC_ERR_JSON_CREATE;
254 }
255 int32_t res = ProcessClientAuthTaskInner(session, GetAuthModuleType(paramInSession), receivedData, out, status);
256 ClearSensitiveStringInJson(out, FIELD_SESSION_KEY);
257 FreeJson(out);
258 if (res == FINISH) {
259 LOGI("End process client authSession.");
260 }
261 return res;
262 }
263
GenerateClientFirstMsg(CompatibleAuthSubSession * session,CJson * out,CJson ** sendData)264 static int32_t GenerateClientFirstMsg(CompatibleAuthSubSession *session, CJson *out, CJson **sendData)
265 {
266 *sendData = DetachItemFromJson(out, FIELD_SEND_TO_PEER);
267 if (*sendData == NULL) {
268 LOGE("The transmit data to peer is null!");
269 return HC_ERR_JSON_GET;
270 }
271 int32_t res = AddGroupAuthTransmitData(session, true, *sendData);
272 if (res != HC_SUCCESS) {
273 FreeJson(*sendData);
274 *sendData = NULL;
275 }
276 return res;
277 }
278
CreateAndProcessClientAuthTask(CompatibleAuthSubSession * session,CJson ** sendData,int32_t * status)279 static int32_t CreateAndProcessClientAuthTask(CompatibleAuthSubSession *session, CJson **sendData, int32_t *status)
280 {
281 CJson *paramInSession = (session->paramsList).get(&(session->paramsList), session->currentIndex);
282 if (paramInSession == NULL) {
283 LOGE("Failed to get param in session!");
284 return HC_ERR_NULL_PTR;
285 }
286 CJson *out = CreateJson();
287 if (out == NULL) {
288 LOGE("Failed to create json!");
289 return HC_ERR_JSON_CREATE;
290 }
291 int32_t res = CreateAndProcessAuthTask(session, paramInSession, out, status);
292 if (res != HC_SUCCESS) {
293 LOGW("Failed to create and process client auth task, try to auth on next group!");
294 res = ProcessClientAuthError(session, out);
295 FreeJson(out);
296 return res;
297 }
298 res = GenerateClientFirstMsg(session, out, sendData);
299 FreeJson(out);
300 return res;
301 }
302
ProcessServerAuthTaskInner(CompatibleAuthSubSession * session,int32_t moduleType,CJson * in,CJson * out,int32_t * status)303 static int32_t ProcessServerAuthTaskInner(CompatibleAuthSubSession *session, int32_t moduleType,
304 CJson *in, CJson *out, int32_t *status)
305 {
306 CJson *paramInSession = (session->paramsList).get(&(session->paramsList), session->currentIndex);
307 if (paramInSession == NULL) {
308 LOGE("The json data in session is null!");
309 return HC_ERR_NULL_PTR;
310 }
311 DEV_AUTH_START_TRACE(TRACE_TAG_PROCESS_AUTH_TASK);
312 int32_t res = ProcessTask(session->base.curTaskId, in, out, status, moduleType);
313 DEV_AUTH_FINISH_TRACE();
314 DeleteItemFromJson(in, FIELD_PAYLOAD);
315 if (res != HC_SUCCESS) {
316 ProcessServerAuthError(session, out);
317 return res;
318 }
319 return HandleAuthTaskStatus(session, out, *status, false);
320 }
321
ProcessServerAuthTask(CompatibleAuthSubSession * session,CJson * receivedData,int32_t * status)322 static int32_t ProcessServerAuthTask(CompatibleAuthSubSession *session, CJson *receivedData, int32_t *status)
323 {
324 CJson *paramInSession = (session->paramsList).get(&(session->paramsList), session->currentIndex);
325 if (paramInSession == NULL) {
326 LOGE("Failed to get param in session!");
327 return HC_ERR_NULL_PTR;
328 }
329 if (IsPeerGroupAuthError(receivedData)) {
330 LOGE("Peer group auth error happened, stop the server auth session!");
331 return HC_ERR_PEER_ERROR;
332 }
333 CJson *out = CreateJson();
334 if (out == NULL) {
335 LOGE("Failed to create json for out!");
336 NotifyPeerAuthError(paramInSession, session->base.callback);
337 return HC_ERR_JSON_CREATE;
338 }
339 int32_t moduleType = GetAuthModuleType(paramInSession);
340 int32_t res = ProcessServerAuthTaskInner(session, moduleType, receivedData, out, status);
341 FreeJson(out);
342 if (res == FINISH) {
343 LOGI("finish process server authSession.");
344 }
345 return res;
346 }
347
CreateAndProcessServerAuthTask(CompatibleAuthSubSession * session,CJson * receivedData,int32_t * status)348 static int32_t CreateAndProcessServerAuthTask(CompatibleAuthSubSession *session, CJson *receivedData, int32_t *status)
349 {
350 CJson *paramInSession = (session->paramsList).get(&(session->paramsList), session->currentIndex);
351 if (paramInSession == NULL) {
352 LOGE("The json data in session is null!");
353 return HC_ERR_NULL_PTR;
354 }
355 ProcessDeviceLevel(receivedData, paramInSession);
356 CJson *out = CreateJson();
357 if (out == NULL) {
358 LOGE("Failed to create json!");
359 NotifyPeerAuthError(receivedData, session->base.callback);
360 return HC_ERR_JSON_CREATE;
361 }
362 int32_t res = CreateAndProcessAuthTask(session, paramInSession, out, status);
363 if (res != HC_SUCCESS) {
364 ProcessServerAuthError(session, out);
365 FreeJson(out);
366 return res;
367 }
368 res = HandleAuthTaskStatus(session, out, *status, false);
369 FreeJson(out);
370 return res;
371 }
372
CreateClientAuthSubSession(CJson * jsonParams,const DeviceAuthCallback * callback,CompatibleBaseSubSession ** session)373 int32_t CreateClientAuthSubSession(CJson *jsonParams, const DeviceAuthCallback *callback,
374 CompatibleBaseSubSession **session)
375 {
376 int32_t res = CheckInputAuthParams(jsonParams);
377 if (res != HC_SUCCESS) {
378 LOGE("Invalid input params!");
379 return res;
380 }
381 if (AddIntToJson(jsonParams, FIELD_OPERATION_CODE, AUTHENTICATE) != HC_SUCCESS) {
382 LOGE("Failed to add operation code to json!");
383 return HC_ERR_JSON_ADD;
384 }
385 int32_t osAccountId = INVALID_OS_ACCOUNT;
386 if (GetIntFromJson(jsonParams, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
387 LOGE("Failed to get osAccountId from params!");
388 return HC_ERR_JSON_GET;
389 }
390 return CreateClientAuthSubSessionInner(osAccountId, jsonParams, callback, session);
391 }
392
CreateServerAuthSubSession(CJson * jsonParams,const DeviceAuthCallback * callback,CompatibleBaseSubSession ** session)393 int32_t CreateServerAuthSubSession(CJson *jsonParams, const DeviceAuthCallback *callback,
394 CompatibleBaseSubSession **session)
395 {
396 ParamsVecForAuth authVec;
397 CreateAuthParamsList(&authVec);
398 int32_t res = GetAuthInfoForServer(jsonParams, &authVec);
399 ClearCachedData(jsonParams);
400 if (res != HC_SUCCESS) {
401 LOGE("Failed to add auth param for server!");
402 DestroyAuthParamsList(&authVec);
403 NotifyPeerAuthError(jsonParams, callback);
404 return res;
405 }
406 if (authVec.size(&authVec) == 0) {
407 LOGE("Empty auth params list!");
408 DestroyAuthParamsList(&authVec);
409 NotifyPeerAuthError(jsonParams, callback);
410 return HC_ERR_NO_CANDIDATE_GROUP;
411 }
412 CompatibleAuthSubSession *subSession = (CompatibleAuthSubSession *)HcMalloc(sizeof(CompatibleAuthSubSession), 0);
413 if (subSession == NULL) {
414 LOGE("Failed to malloc memory for session!");
415 DestroyAuthParamsList(&authVec);
416 NotifyPeerAuthError(jsonParams, callback);
417 return HC_ERR_ALLOC_MEMORY;
418 }
419
420 subSession->base.type = TYPE_SERVER_AUTH_SUB_SESSION;
421 subSession->base.callback = callback;
422 subSession->base.appId = GetDuplicatePkgName(jsonParams);
423 subSession->currentIndex = 0;
424 subSession->paramsList = authVec;
425 subSession->base.status = STATUS_INITIAL;
426 *session = (CompatibleBaseSubSession *)subSession;
427
428 return HC_SUCCESS;
429 }
430
ProcessClientAuthSubSession(CompatibleBaseSubSession * session,CJson * in,CJson ** out,int32_t * status)431 int32_t ProcessClientAuthSubSession(CompatibleBaseSubSession *session, CJson *in, CJson **out, int32_t *status)
432 {
433 CompatibleAuthSubSession *subSession = (CompatibleAuthSubSession *)session;
434 if (session->status == STATUS_PROCESSING) {
435 return ProcessClientAuthTask(subSession, in, status);
436 } else {
437 session->status = STATUS_PROCESSING;
438 return CreateAndProcessClientAuthTask(subSession, out, status);
439 }
440 }
441
ProcessServerAuthSubSession(CompatibleBaseSubSession * session,CJson * in,int32_t * status)442 int32_t ProcessServerAuthSubSession(CompatibleBaseSubSession *session, CJson *in, int32_t *status)
443 {
444 CompatibleAuthSubSession *subSession = (CompatibleAuthSubSession *)session;
445 if (session->status == STATUS_PROCESSING) {
446 return ProcessServerAuthTask(subSession, in, status);
447 } else {
448 session->status = STATUS_PROCESSING;
449 return CreateAndProcessServerAuthTask(subSession, in, status);
450 }
451 }
452
DestroyCompatibleAuthSubSession(CompatibleBaseSubSession * session)453 void DestroyCompatibleAuthSubSession(CompatibleBaseSubSession *session)
454 {
455 if (session == NULL) {
456 return;
457 }
458 CompatibleAuthSubSession *realSession = (CompatibleAuthSubSession *)session;
459 HcFree(realSession->base.appId);
460 realSession->base.appId = NULL;
461 CJson *paramInSession = (realSession->paramsList).get(&(realSession->paramsList), realSession->currentIndex);
462 if (paramInSession == NULL) {
463 LOGE("The json param in session is null!");
464 return;
465 }
466 DestroyTask(realSession->base.curTaskId, GetAuthModuleType(paramInSession));
467
468 uint32_t index;
469 void **paramsData = NULL;
470 FOR_EACH_HC_VECTOR(realSession->paramsList, index, paramsData) {
471 FreeJson((CJson *)*paramsData);
472 }
473 DestroyAuthParamsList(&(realSession->paramsList));
474 HcFree(realSession);
475 }