1 /*
2 * Copyright (c) 2022-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "account_iam_service.h"
17
18 #include "account_log_wrapper.h"
19 #include "account_permission_manager.h"
20 #include "iget_cred_info_callback.h"
21 #include "iinner_os_account_manager.h"
22 #include "inner_account_iam_manager.h"
23 #include "ipc_skeleton.h"
24 #include "token_setproc.h"
25
26 namespace OHOS {
27 namespace AccountSA {
28 namespace {
29 const char PERMISSION_ACCESS_USER_AUTH_INTERNAL[] = "ohos.permission.ACCESS_USER_AUTH_INTERNAL";
30 const char PERMISSION_MANAGE_USER_IDM[] = "ohos.permission.MANAGE_USER_IDM";
31 const char PERMISSION_USE_USER_IDM[] = "ohos.permission.USE_USER_IDM";
32 } // namespace
33
AccountIAMService()34 AccountIAMService::AccountIAMService()
35 {}
36
~AccountIAMService()37 AccountIAMService::~AccountIAMService()
38 {}
39
GetCurrentUserId(int32_t & userId)40 static bool GetCurrentUserId(int32_t &userId)
41 {
42 std::vector<int32_t> userIds;
43 (void)IInnerOsAccountManager::GetInstance().QueryActiveOsAccountIds(userIds);
44 if (userIds.empty()) {
45 ACCOUNT_LOGE("Fail to get activated os account ids");
46 return false;
47 }
48 userId = userIds[0];
49 return true;
50 }
51
IsRestrictedAccountId(int32_t accountId)52 static bool IsRestrictedAccountId(int32_t accountId)
53 {
54 return (accountId == 0);
55 }
56
NormalizeAccountId(int32_t & accountId)57 static int32_t NormalizeAccountId(int32_t &accountId)
58 {
59 if (accountId < -1) {
60 ACCOUNT_LOGE("The id = %{public}d is invalid", accountId);
61 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
62 } else if (accountId == -1) {
63 if (!GetCurrentUserId(accountId)) {
64 return ERR_ACCOUNT_ZIDL_ACCOUNT_SERVICE_ERROR;
65 }
66 } else {
67 bool isOsAccountExits = false;
68 IInnerOsAccountManager::GetInstance().IsOsAccountExists(accountId, isOsAccountExits);
69 if (!isOsAccountExits) {
70 ACCOUNT_LOGE("Account does not exist");
71 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
72 }
73 }
74 return ERR_OK;
75 }
76
CallbackEnter(uint32_t code)77 int32_t AccountIAMService::CallbackEnter([[maybe_unused]] uint32_t code)
78 {
79 Security::AccessToken::AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
80 int32_t result = SetFirstCallerTokenID(tokenCaller);
81 ACCOUNT_LOGD("SetFirstCallerTokenID code: %{public}d, result: %{public}d", code, result);
82
83 if (static_cast<IAccountIAMIpcCode>(code) == IAccountIAMIpcCode::COMMAND_GET_ACCOUNT_STATE) {
84 return ERR_OK;
85 }
86 result = AccountPermissionManager::CheckSystemApp();
87 if (result != ERR_OK) {
88 ACCOUNT_LOGE("Is not system application, code = %{public}d result = %{public}d.", code, result);
89 }
90 return result;
91 }
92
OpenSession(int32_t userId,std::vector<uint8_t> & challenge)93 int32_t AccountIAMService::OpenSession(int32_t userId, std::vector<uint8_t> &challenge)
94 {
95 if (!CheckPermission(PERMISSION_MANAGE_USER_IDM)) {
96 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
97 }
98 int32_t ret = NormalizeAccountId(userId);
99 if (ret != ERR_OK) {
100 return ret;
101 }
102 if (IsRestrictedAccountId(userId)) {
103 ACCOUNT_LOGE("The id = %{public}d is restricted", userId);
104 return ERR_ACCOUNT_COMMON_ACCOUNT_IS_RESTRICTED;
105 }
106 InnerAccountIAMManager::GetInstance().OpenSession(userId, challenge);
107 return ERR_OK;
108 }
109
CloseSession(int32_t userId)110 int32_t AccountIAMService::CloseSession(int32_t userId)
111 {
112 if (!CheckPermission(PERMISSION_MANAGE_USER_IDM)) {
113 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
114 }
115 int32_t ret = NormalizeAccountId(userId);
116 if (ret != ERR_OK) {
117 return ret;
118 }
119 if (IsRestrictedAccountId(userId)) {
120 ACCOUNT_LOGE("The id = %{public}d is restricted", userId);
121 return ERR_ACCOUNT_COMMON_ACCOUNT_IS_RESTRICTED;
122 }
123 InnerAccountIAMManager::GetInstance().CloseSession(userId);
124 return ERR_OK;
125 }
126
AddCredential(int32_t userId,const CredentialParametersIam & credInfoIam,const sptr<IIDMCallback> & idmCallback)127 int32_t AccountIAMService::AddCredential(
128 int32_t userId, const CredentialParametersIam& credInfoIam, const sptr<IIDMCallback> &idmCallback)
129 {
130 if (!CheckPermission(PERMISSION_MANAGE_USER_IDM)) {
131 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
132 }
133 Attributes emptyResult;
134 int32_t ret = NormalizeAccountId(userId);
135 if (ret != ERR_OK) {
136 return ret;
137 }
138 if (IsRestrictedAccountId(userId)) {
139 ACCOUNT_LOGE("The id = %{public}d is restricted", userId);
140 return ERR_ACCOUNT_COMMON_ACCOUNT_IS_RESTRICTED;
141 }
142 InnerAccountIAMManager::GetInstance().AddCredential(userId, credInfoIam.credentialParameters, idmCallback);
143 auto info = const_cast<CredentialParametersIam*>(&credInfoIam);
144 std::fill(info->credentialParameters.token.begin(), info->credentialParameters.token.end(), 0);
145 return ERR_OK;
146 }
147
UpdateCredential(int32_t userId,const CredentialParametersIam & credInfoIam,const sptr<IIDMCallback> & idmCallback)148 int32_t AccountIAMService::UpdateCredential(int32_t userId, const CredentialParametersIam& credInfoIam,
149 const sptr<IIDMCallback> &idmCallback)
150 {
151 if (!CheckPermission(PERMISSION_MANAGE_USER_IDM)) {
152 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
153 }
154 int32_t ret = NormalizeAccountId(userId);
155 if (ret != ERR_OK) {
156 return ret;
157 }
158 InnerAccountIAMManager::GetInstance().UpdateCredential(userId, credInfoIam.credentialParameters, idmCallback);
159 auto info = const_cast<CredentialParametersIam *>(&credInfoIam);
160 std::fill(info->credentialParameters.token.begin(), info->credentialParameters.token.end(), 0);
161 return ERR_OK;
162 }
163
Cancel(int32_t userId)164 int32_t AccountIAMService::Cancel(int32_t userId)
165 {
166 if (!CheckPermission(PERMISSION_MANAGE_USER_IDM)) {
167 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
168 }
169 int32_t ret = NormalizeAccountId(userId);
170 if (ret != ERR_OK) {
171 return ret;
172 }
173 return InnerAccountIAMManager::GetInstance().Cancel(userId);
174 }
175
DelCred(int32_t userId,uint64_t credentialId,const std::vector<uint8_t> & authToken,const sptr<IIDMCallback> & idmCallback)176 int32_t AccountIAMService::DelCred(
177 int32_t userId, uint64_t credentialId, const std::vector<uint8_t> &authToken, const sptr<IIDMCallback> &idmCallback)
178 {
179 if (!CheckPermission(PERMISSION_MANAGE_USER_IDM)) {
180 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
181 }
182 int32_t ret = NormalizeAccountId(userId);
183 if (ret != ERR_OK) {
184 return ret;
185 }
186 InnerAccountIAMManager::GetInstance().DelCred(userId, credentialId, authToken, idmCallback);
187 auto token = const_cast<std::vector<uint8_t> *>(&authToken);
188 std::fill(token->begin(), token->end(), 0);
189 return ERR_OK;
190 }
191
DelUser(int32_t userId,const std::vector<uint8_t> & authToken,const sptr<IIDMCallback> & idmCallback)192 int32_t AccountIAMService::DelUser(
193 int32_t userId, const std::vector<uint8_t> &authToken, const sptr<IIDMCallback> &idmCallback)
194 {
195 if (!CheckPermission(PERMISSION_MANAGE_USER_IDM)) {
196 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
197 }
198 int32_t ret = NormalizeAccountId(userId);
199 if (ret != ERR_OK) {
200 return ret;
201 }
202 InnerAccountIAMManager::GetInstance().DelUser(userId, authToken, idmCallback);
203 auto token = const_cast<std::vector<uint8_t> *>(&authToken);
204 std::fill(token->begin(), token->end(), 0);
205 return ERR_OK;
206 }
207
GetCredentialInfo(int32_t userId,int32_t authTypeInt,const sptr<IGetCredInfoCallback> & getCredInfoCallback)208 int32_t AccountIAMService::GetCredentialInfo(
209 int32_t userId, int32_t authTypeInt, const sptr<IGetCredInfoCallback> &getCredInfoCallback)
210 {
211 if (!CheckPermission(PERMISSION_USE_USER_IDM)) {
212 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
213 }
214 AuthType authType = static_cast<AuthType>(authTypeInt);
215 int32_t ret = NormalizeAccountId(userId);
216 if (ret != ERR_OK) {
217 return ret;
218 }
219 if ((authType < UserIam::UserAuth::ALL) ||
220 (static_cast<int32_t>(authType) >= static_cast<int32_t>(IAMAuthType::TYPE_END))) {
221 ACCOUNT_LOGE("authType is not in correct range");
222 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
223 }
224 InnerAccountIAMManager::GetInstance().GetCredentialInfo(userId, authType, getCredInfoCallback);
225 return ERR_OK;
226 }
227
PrepareRemoteAuth(const std::string & remoteNetworkId,const sptr<IPreRemoteAuthCallback> & preRemoteAuthCallback)228 int32_t AccountIAMService::PrepareRemoteAuth(
229 const std::string &remoteNetworkId, const sptr<IPreRemoteAuthCallback> &preRemoteAuthCallback)
230 {
231 if (!CheckPermission(PERMISSION_ACCESS_USER_AUTH_INTERNAL)) {
232 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
233 }
234 return InnerAccountIAMManager::GetInstance().PrepareRemoteAuth(remoteNetworkId, preRemoteAuthCallback);
235 }
236
AuthUser(const AuthParam & authParam,const sptr<IIDMCallback> & idmCallback,uint64_t & contextId)237 int32_t AccountIAMService::AuthUser(
238 const AuthParam& authParam, const sptr<IIDMCallback> &idmCallback, uint64_t &contextId)
239 {
240 if (!CheckPermission(PERMISSION_ACCESS_USER_AUTH_INTERNAL)) {
241 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
242 }
243 auto authParamTemp = authParam;
244 if ((authParamTemp.remoteAuthParam == std::nullopt) && (authParamTemp.userId == -1) &&
245 (!GetCurrentUserId(authParamTemp.userId))) {
246 return ERR_ACCOUNT_ZIDL_ACCOUNT_SERVICE_ERROR;
247 }
248 return InnerAccountIAMManager::GetInstance().AuthUser(authParamTemp, idmCallback, contextId);
249 }
250
CancelAuth(uint64_t contextId)251 int32_t AccountIAMService::CancelAuth(uint64_t contextId)
252 {
253 if (!CheckPermission(PERMISSION_ACCESS_USER_AUTH_INTERNAL)) {
254 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
255 }
256 return InnerAccountIAMManager::GetInstance().CancelAuth(contextId);
257 }
258
GetAvailableStatus(int32_t authTypeInt,uint32_t authTrustLevelInt,int32_t & status)259 int32_t AccountIAMService::GetAvailableStatus(int32_t authTypeInt, uint32_t authTrustLevelInt, int32_t &status)
260 {
261 if (!CheckPermission(PERMISSION_ACCESS_USER_AUTH_INTERNAL)) {
262 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
263 }
264 AuthType authType = static_cast<AuthType>(authTypeInt);
265 AuthTrustLevel authTrustLevel = static_cast<AuthTrustLevel>(authTrustLevelInt);
266 if (authTrustLevel < UserIam::UserAuth::ATL1 || authTrustLevel > UserIam::UserAuth::ATL4) {
267 ACCOUNT_LOGE("authTrustLevel is not in correct range");
268 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
269 }
270 if (authType < UserIam::UserAuth::ALL) {
271 ACCOUNT_LOGE("authType is not in correct range");
272 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
273 }
274 return InnerAccountIAMManager::GetInstance().GetAvailableStatus(authType, authTrustLevel, status);
275 }
276
GetProperty(int32_t userId,const GetPropertyRequestIam & request,const sptr<IGetSetPropCallback> & getSetPropCallback)277 int32_t AccountIAMService::GetProperty(
278 int32_t userId, const GetPropertyRequestIam &request, const sptr<IGetSetPropCallback> &getSetPropCallback)
279 {
280 if (!CheckPermission(PERMISSION_ACCESS_USER_AUTH_INTERNAL)) {
281 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
282 }
283 int32_t ret = NormalizeAccountId(userId);
284 if (ret != ERR_OK) {
285 return ret;
286 }
287 InnerAccountIAMManager::GetInstance().GetProperty(userId, request.getPropertyRequest, getSetPropCallback);
288 return ERR_OK;
289 }
290
GetPropertyByCredentialId(uint64_t credentialId,const std::vector<int32_t> & keysInt,const sptr<IGetSetPropCallback> & getSetPropCallback)291 int32_t AccountIAMService::GetPropertyByCredentialId(uint64_t credentialId,
292 const std::vector<int32_t>& keysInt, const sptr<IGetSetPropCallback> &getSetPropCallback)
293 {
294 if (!CheckPermission(PERMISSION_ACCESS_USER_AUTH_INTERNAL)) {
295 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
296 }
297 std::vector<Attributes::AttributeKey> keys;
298 for (auto &key : keysInt) {
299 keys.push_back(static_cast<Attributes::AttributeKey>(key));
300 }
301 InnerAccountIAMManager::GetInstance().GetPropertyByCredentialId(credentialId, keys, getSetPropCallback);
302 return ERR_OK;
303 }
304
SetProperty(int32_t userId,const SetPropertyRequestIam & request,const sptr<IGetSetPropCallback> & getSetPropCallback)305 int32_t AccountIAMService::SetProperty(
306 int32_t userId, const SetPropertyRequestIam &request, const sptr<IGetSetPropCallback> &getSetPropCallback)
307 {
308 if (!CheckPermission(PERMISSION_ACCESS_USER_AUTH_INTERNAL)) {
309 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
310 }
311 int32_t ret = NormalizeAccountId(userId);
312 if (ret != ERR_OK) {
313 return ret;
314 }
315 InnerAccountIAMManager::GetInstance().SetProperty(userId, request.setPropertyRequest, getSetPropCallback);
316 return ERR_OK;
317 }
318
GetAccountState(int32_t userId,int32_t & funcResult)319 int32_t AccountIAMService::GetAccountState(int32_t userId, int32_t& funcResult)
320 {
321 auto ret = InnerAccountIAMManager::GetInstance().GetState(userId);
322 funcResult = static_cast<int32_t>(ret);
323 return ERR_OK;
324 }
325
GetEnrolledId(int32_t accountId,int32_t authTypeInt,const sptr<IGetEnrolledIdCallback> & getEnrolledIdCallback)326 int32_t AccountIAMService::GetEnrolledId(
327 int32_t accountId, int32_t authTypeInt, const sptr<IGetEnrolledIdCallback> &getEnrolledIdCallback)
328 {
329 if (!CheckPermission(PERMISSION_USE_USER_IDM)) {
330 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
331 }
332 AuthType authType = static_cast<AuthType>(authTypeInt);
333 int32_t ret = NormalizeAccountId(accountId);
334 if (ret != ERR_OK) {
335 return ret;
336 }
337 if ((authType < UserIam::UserAuth::ALL) ||
338 (static_cast<int32_t>(authType) >= static_cast<int32_t>(IAMAuthType::TYPE_END))) {
339 ACCOUNT_LOGE("AuthType is not in correct range");
340 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
341 }
342 InnerAccountIAMManager::GetInstance().GetEnrolledId(accountId, authType, getEnrolledIdCallback);
343 return ERR_OK;
344 }
345
CheckPermission(const std::string & permission)346 bool AccountIAMService::CheckPermission(const std::string &permission)
347 {
348 if (AccountPermissionManager::VerifyPermission(permission) != ERR_OK) {
349 ACCOUNT_LOGE("check permission failed, permission name: %{public}s", permission.c_str());
350 return false;
351 }
352 return true;
353 }
354 } // namespace AccountSA
355 } // namespace OHOS
356