1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "domain_account_manager_service.h"
17
18 #include "account_error_no.h"
19 #include "account_log_wrapper.h"
20 #include "account_permission_manager.h"
21 #include "inner_domain_account_manager.h"
22 #include "ipc_skeleton.h"
23
24 namespace OHOS {
25 namespace AccountSA {
26 namespace {
27 constexpr int32_t START_USER_ID = 100;
28 const std::set<uint32_t> UID_WHITELIST_FOR_SET { 3057 };
29 const char MANAGE_LOCAL_ACCOUNTS[] = "ohos.permission.MANAGE_LOCAL_ACCOUNTS";
30 const char MANAGE_DOMAIN_ACCOUNTS[] = "ohos.permission.MANAGE_DOMAIN_ACCOUNTS";
31 const char GET_LOCAL_ACCOUNTS[] = "ohos.permission.GET_LOCAL_ACCOUNTS";
32 const char ACCESS_USER_AUTH_INTERNAL[] = "ohos.permission.ACCESS_USER_AUTH_INTERNAL";
33 const char GET_DOMAIN_ACCOUNTS[] = "ohos.permission.GET_DOMAIN_ACCOUNTS";
34 const char INTERACT_ACROSS_LOCAL_ACCOUNTS[] = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
35 const char MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS[] = "ohos.permission.MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS";
36 static const std::set<IDomainAccountIpcCode> NON_SYSTEM_API_SET = {
37 IDomainAccountIpcCode::COMMAND_UPDATE_ACCOUNT_INFO,
38 IDomainAccountIpcCode::COMMAND_UPDATE_SERVER_CONFIG,
39 IDomainAccountIpcCode::COMMAND_GET_SERVER_CONFIG,
40 IDomainAccountIpcCode::COMMAND_GET_ALL_SERVER_CONFIGS,
41 IDomainAccountIpcCode::COMMAND_ADD_SERVER_CONFIG,
42 IDomainAccountIpcCode::COMMAND_REMOVE_SERVER_CONFIG,
43 IDomainAccountIpcCode::COMMAND_GET_ACCOUNT_SERVER_CONFIG,
44 };
45 static const std::map<IDomainAccountIpcCode, std::vector<std::string>> PERMISSIONMAP = {
46 {IDomainAccountIpcCode::COMMAND_REGISTER_PLUGIN, {MANAGE_LOCAL_ACCOUNTS}},
47 {IDomainAccountIpcCode::COMMAND_UNREGISTER_PLUGIN, {MANAGE_LOCAL_ACCOUNTS}},
48 {IDomainAccountIpcCode::COMMAND_SET_ACCOUNT_POLICY, {MANAGE_LOCAL_ACCOUNTS}},
49 {IDomainAccountIpcCode::COMMAND_GET_ACCOUNT_POLICY, {MANAGE_LOCAL_ACCOUNTS}},
50 {IDomainAccountIpcCode::COMMAND_HAS_DOMAIN_ACCOUNT, {MANAGE_LOCAL_ACCOUNTS}},
51 {IDomainAccountIpcCode::COMMAND_UPDATE_ACCOUNT_TOKEN, {MANAGE_LOCAL_ACCOUNTS}},
52 {IDomainAccountIpcCode::COMMAND_UPDATE_ACCOUNT_INFO, {MANAGE_LOCAL_ACCOUNTS, MANAGE_DOMAIN_ACCOUNTS}},
53 {IDomainAccountIpcCode::COMMAND_GET_ACCOUNT_STATUS, {GET_LOCAL_ACCOUNTS}},
54 {IDomainAccountIpcCode::COMMAND_REGISTER_ACCOUNT_STATUS_LISTENER, {GET_LOCAL_ACCOUNTS}},
55 {IDomainAccountIpcCode::COMMAND_UNREGISTER_ACCOUNT_STATUS_LISTENER, {GET_LOCAL_ACCOUNTS}},
56 {IDomainAccountIpcCode::COMMAND_AUTH, {ACCESS_USER_AUTH_INTERNAL}},
57 {IDomainAccountIpcCode::COMMAND_AUTH_USER, {ACCESS_USER_AUTH_INTERNAL}},
58 {IDomainAccountIpcCode::COMMAND_GET_DOMAIN_ACCOUNT_INFO, {GET_DOMAIN_ACCOUNTS}},
59 {IDomainAccountIpcCode::COMMAND_IS_AUTHENTICATION_EXPIRED,
60 {MANAGE_LOCAL_ACCOUNTS, INTERACT_ACROSS_LOCAL_ACCOUNTS}},
61 {IDomainAccountIpcCode::COMMAND_ADD_SERVER_CONFIG,
62 {MANAGE_LOCAL_ACCOUNTS, MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS}},
63 {IDomainAccountIpcCode::COMMAND_REMOVE_SERVER_CONFIG,
64 {MANAGE_LOCAL_ACCOUNTS, MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS}},
65 {IDomainAccountIpcCode::COMMAND_GET_ACCOUNT_SERVER_CONFIG,
66 {MANAGE_LOCAL_ACCOUNTS, MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS}},
67 {IDomainAccountIpcCode::COMMAND_UPDATE_SERVER_CONFIG, {MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS}},
68 {IDomainAccountIpcCode::COMMAND_GET_SERVER_CONFIG, {MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS}},
69 {IDomainAccountIpcCode::COMMAND_GET_ALL_SERVER_CONFIGS, {MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS}}
70 };
71 }
72
DomainAccountManagerService()73 DomainAccountManagerService::DomainAccountManagerService()
74 {}
75
~DomainAccountManagerService()76 DomainAccountManagerService::~DomainAccountManagerService()
77 {}
78
RegisterPlugin(const sptr<IDomainAccountPlugin> & plugin)79 ErrCode DomainAccountManagerService::RegisterPlugin(const sptr<IDomainAccountPlugin> &plugin)
80 {
81 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_REGISTER_PLUGIN);
82 if (result != ERR_OK) {
83 return result;
84 }
85 return InnerDomainAccountManager::GetInstance().RegisterPlugin(plugin);
86 }
87
UnregisterPlugin()88 ErrCode DomainAccountManagerService::UnregisterPlugin()
89 {
90 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_UNREGISTER_PLUGIN);
91 if (result != ERR_OK) {
92 return result;
93 }
94 return InnerDomainAccountManager::GetInstance().UnregisterPlugin();
95 }
96
HasDomainAccount(const DomainAccountInfo & info,const sptr<IDomainAccountCallback> & callback)97 ErrCode DomainAccountManagerService::HasDomainAccount(
98 const DomainAccountInfo &info, const sptr<IDomainAccountCallback> &callback)
99 {
100 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_HAS_DOMAIN_ACCOUNT);
101 if (result != ERR_OK) {
102 return result;
103 }
104 return InnerDomainAccountManager::GetInstance().HasDomainAccount(info, callback);
105 }
106
GetAccessToken(const DomainAccountInfo & info,const AAFwk::WantParams & parameters,const sptr<IDomainAccountCallback> & callback)107 ErrCode DomainAccountManagerService::GetAccessToken(
108 const DomainAccountInfo &info, const AAFwk::WantParams ¶meters, const sptr<IDomainAccountCallback> &callback)
109 {
110 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_GET_ACCESS_TOKEN);
111 if (result != ERR_OK) {
112 return result;
113 }
114 return InnerDomainAccountManager::GetInstance().GetAccessToken(info, parameters, callback);
115 }
116
UpdateAccountToken(const DomainAccountInfo & info,const std::vector<uint8_t> & token)117 ErrCode DomainAccountManagerService::UpdateAccountToken(
118 const DomainAccountInfo &info, const std::vector<uint8_t> &token)
119 {
120 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_UPDATE_ACCOUNT_TOKEN);
121 if (result != ERR_OK) {
122 return result;
123 }
124 return InnerDomainAccountManager::GetInstance().UpdateAccountToken(info, token);
125 }
126
CheckManageExpiryThresholdWhiteList()127 static bool CheckManageExpiryThresholdWhiteList()
128 {
129 return UID_WHITELIST_FOR_SET.find(IPCSkeleton::GetCallingUid()) != UID_WHITELIST_FOR_SET.end();
130 }
131
IsAuthenticationExpired(const DomainAccountInfo & info,bool & isExpired)132 ErrCode DomainAccountManagerService::IsAuthenticationExpired(const DomainAccountInfo &info, bool &isExpired)
133 {
134 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_IS_AUTHENTICATION_EXPIRED);
135 if (result != ERR_OK) {
136 return result;
137 }
138 return InnerDomainAccountManager::GetInstance().IsAuthenticationExpired(info, isExpired);
139 }
140
SetAccountPolicy(const DomainAccountInfo & info,const std::string & policy)141 ErrCode DomainAccountManagerService::SetAccountPolicy(const DomainAccountInfo &info, const std::string &policy)
142 {
143 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_SET_ACCOUNT_POLICY);
144 if (result != ERR_OK) {
145 return result;
146 }
147 // check EDM uid
148 if (!CheckManageExpiryThresholdWhiteList()) {
149 ACCOUNT_LOGE("Permission denied, callingUid=%{public}d.", IPCSkeleton::GetCallingUid());
150 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
151 }
152 return InnerDomainAccountManager::GetInstance().SetAccountPolicy(info, policy);
153 }
154
GetAccountPolicy(const DomainAccountInfo & info,std::string & policy)155 ErrCode DomainAccountManagerService::GetAccountPolicy(const DomainAccountInfo &info, std::string &policy)
156 {
157 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_GET_ACCOUNT_POLICY);
158 if (result != ERR_OK) {
159 return result;
160 }
161 // check EDM uid
162 if (!CheckManageExpiryThresholdWhiteList()) {
163 ACCOUNT_LOGE("Permission denied, callingUid=%{public}d.", IPCSkeleton::GetCallingUid());
164 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
165 }
166 return InnerDomainAccountManager::GetInstance().GetAccountPolicy(info, policy);
167 }
168
Auth(const DomainAccountInfo & info,const std::vector<uint8_t> & password,const sptr<IDomainAccountCallback> & callback)169 ErrCode DomainAccountManagerService::Auth(const DomainAccountInfo &info, const std::vector<uint8_t> &password,
170 const sptr<IDomainAccountCallback> &callback)
171 {
172 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_AUTH);
173 if (result != ERR_OK) {
174 return result;
175 }
176 return InnerDomainAccountManager::GetInstance().Auth(info, password, callback);
177 }
178
AuthUser(int32_t userId,const std::vector<uint8_t> & password,const sptr<IDomainAccountCallback> & callback)179 ErrCode DomainAccountManagerService::AuthUser(int32_t userId, const std::vector<uint8_t> &password,
180 const sptr<IDomainAccountCallback> &callback)
181 {
182 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_AUTH_USER);
183 if (result != ERR_OK) {
184 return result;
185 }
186 if (userId < START_USER_ID) {
187 ACCOUNT_LOGE("invalid userId");
188 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
189 }
190 return InnerDomainAccountManager::GetInstance().AuthUser(userId, password, callback);
191 }
192
AuthWithPopup(int32_t userId,const sptr<IDomainAccountCallback> & callback)193 ErrCode DomainAccountManagerService::AuthWithPopup(int32_t userId, const sptr<IDomainAccountCallback> &callback)
194 {
195 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_AUTH_WITH_POPUP);
196 if (result != ERR_OK) {
197 return result;
198 }
199 if (userId < 0) {
200 ACCOUNT_LOGE("invalid userId");
201 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
202 }
203 return InnerDomainAccountManager::GetInstance().AuthWithPopup(userId, callback);
204 }
205
GetAccountStatus(const DomainAccountInfo & info,int32_t & status)206 ErrCode DomainAccountManagerService::GetAccountStatus(const DomainAccountInfo &info, int32_t &status)
207 {
208 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_GET_ACCOUNT_STATUS);
209 if (result != ERR_OK) {
210 return result;
211 }
212 DomainAccountStatus domainAccountStatus;
213 auto errcode = InnerDomainAccountManager::GetInstance().GetAccountStatus(info, domainAccountStatus);
214 status = static_cast<int32_t>(domainAccountStatus);
215 return errcode;
216 }
217
GetDomainAccountInfo(const DomainAccountInfo & info,const sptr<IDomainAccountCallback> & callback)218 ErrCode DomainAccountManagerService::GetDomainAccountInfo(
219 const DomainAccountInfo &info, const sptr<IDomainAccountCallback> &callback)
220 {
221 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_GET_DOMAIN_ACCOUNT_INFO);
222 if (result != ERR_OK) {
223 return result;
224 }
225 return InnerDomainAccountManager::GetInstance().GetDomainAccountInfo(info, callback);
226 }
227
UpdateAccountInfo(const DomainAccountInfo & oldAccountInfo,const DomainAccountInfo & newAccountInfo)228 ErrCode DomainAccountManagerService::UpdateAccountInfo(
229 const DomainAccountInfo &oldAccountInfo, const DomainAccountInfo &newAccountInfo)
230 {
231 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_UPDATE_ACCOUNT_INFO);
232 if (result != ERR_OK) {
233 return result;
234 }
235 return InnerDomainAccountManager::GetInstance().UpdateAccountInfo(oldAccountInfo, newAccountInfo);
236 }
237
RegisterAccountStatusListener(const sptr<IDomainAccountCallback> & listener)238 ErrCode DomainAccountManagerService::RegisterAccountStatusListener(const sptr<IDomainAccountCallback> &listener)
239 {
240 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_REGISTER_ACCOUNT_STATUS_LISTENER);
241 if (result != ERR_OK) {
242 return result;
243 }
244 return InnerDomainAccountManager::GetInstance().RegisterAccountStatusListener(listener);
245 }
246
UnregisterAccountStatusListener(const sptr<IDomainAccountCallback> & listener)247 ErrCode DomainAccountManagerService::UnregisterAccountStatusListener(const sptr<IDomainAccountCallback> &listener)
248 {
249 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_UNREGISTER_ACCOUNT_STATUS_LISTENER);
250 if (result != ERR_OK) {
251 return result;
252 }
253 return InnerDomainAccountManager::GetInstance().UnregisterAccountStatusListener(listener);
254 }
255
AddServerConfig(const std::string & parameters,DomainServerConfig & config)256 ErrCode DomainAccountManagerService::AddServerConfig(const std::string ¶meters, DomainServerConfig &config)
257 {
258 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_ADD_SERVER_CONFIG);
259 if (result != ERR_OK) {
260 return result;
261 }
262 return InnerDomainAccountManager::GetInstance().AddServerConfig(parameters, config);
263 }
264
RemoveServerConfig(const std::string & configId)265 ErrCode DomainAccountManagerService::RemoveServerConfig(const std::string &configId)
266 {
267 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_REMOVE_SERVER_CONFIG);
268 if (result != ERR_OK) {
269 return result;
270 }
271 return InnerDomainAccountManager::GetInstance().RemoveServerConfig(configId);
272 }
273
UpdateServerConfig(const std::string & configId,const std::string & parameters,DomainServerConfig & config)274 ErrCode DomainAccountManagerService::UpdateServerConfig(const std::string &configId, const std::string ¶meters,
275 DomainServerConfig &config)
276 {
277 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_UPDATE_SERVER_CONFIG);
278 if (result != ERR_OK) {
279 return result;
280 }
281 return InnerDomainAccountManager::GetInstance().UpdateServerConfig(configId, parameters, config);
282 }
283
GetAccountServerConfig(const DomainAccountInfo & info,DomainServerConfig & config)284 ErrCode DomainAccountManagerService::GetAccountServerConfig(const DomainAccountInfo &info, DomainServerConfig &config)
285 {
286 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_GET_ACCOUNT_SERVER_CONFIG);
287 if (result != ERR_OK) {
288 return result;
289 }
290 return InnerDomainAccountManager::GetInstance().GetAccountServerConfig(info, config);
291 }
292
GetServerConfig(const std::string & configId,DomainServerConfig & config)293 ErrCode DomainAccountManagerService::GetServerConfig(const std::string &configId, DomainServerConfig &config)
294 {
295 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_GET_SERVER_CONFIG);
296 if (result != ERR_OK) {
297 return result;
298 }
299 return InnerDomainAccountManager::GetInstance().GetServerConfig(configId, config);
300 }
301
GetAllServerConfigs(std::vector<DomainServerConfig> & configs)302 ErrCode DomainAccountManagerService::GetAllServerConfigs(std::vector<DomainServerConfig> &configs)
303 {
304 auto result = CheckPermission(IDomainAccountIpcCode::COMMAND_GET_ALL_SERVER_CONFIGS);
305 if (result != ERR_OK) {
306 return result;
307 }
308 return InnerDomainAccountManager::GetInstance().GetAllServerConfigs(configs);
309 }
310
CheckPermission(IDomainAccountIpcCode code)311 ErrCode DomainAccountManagerService::CheckPermission(IDomainAccountIpcCode code)
312 {
313 if (NON_SYSTEM_API_SET.find(code) == NON_SYSTEM_API_SET.end()) {
314 ErrCode errCode = AccountPermissionManager::CheckSystemApp();
315 if (errCode != ERR_OK) {
316 ACCOUNT_LOGE("The caller is not system application, errCode = %{public}d, code = %{public}d.",
317 errCode, static_cast<int>(code));
318 return errCode;
319 }
320 }
321 int32_t uid = IPCSkeleton::GetCallingUid();
322 if (uid == 0) {
323 return ERR_OK;
324 }
325 const auto& it = PERMISSIONMAP.find(code);
326 if (it == PERMISSIONMAP.end()) {
327 ACCOUNT_LOGE("No specific permission defined for code %{public}d, returning OK", static_cast<int>(code));
328 return ERR_OK;
329 }
330 const auto& requiredPermissions = it->second;
331 if (requiredPermissions.empty()) {
332 return ERR_OK;
333 }
334 bool hasAnyPermission = std::any_of(requiredPermissions.begin(), requiredPermissions.end(),
335 [](const std::string& permission) {
336 return AccountPermissionManager::VerifyPermission(permission) == ERR_OK;
337 });
338 if (!hasAnyPermission) {
339 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
340 }
341 return ERR_OK;
342 }
343 } // namespace AccountSA
344 } // namespace OHOS
345