1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "user_auth_service.h"
17 #include "hisysevent_adapter.h"
18
19 #include <cinttypes>
20
21 #include "accesstoken_kit.h"
22 #include "auth_common.h"
23 #include "event_listener_manager.h"
24 #include "auth_widget_helper.h"
25 #include "context_factory.h"
26 #include "context_helper.h"
27 #include "hdi_wrapper.h"
28 #include "iam_check.h"
29 #include "iam_common_defines.h"
30 #include "iam_logger.h"
31 #include "iam_para2str.h"
32 #include "iam_ptr.h"
33 #include "iam_time.h"
34 #include "ipc_common.h"
35 #include "ipc_skeleton.h"
36 #include "service_init_manager.h"
37 #include "soft_bus_manager.h"
38 #include "widget_client.h"
39 #include "auth_widget_helper.h"
40 #include "remote_msg_util.h"
41 #include "remote_iam_callback.h"
42 #include "remote_auth_service.h"
43 #include "device_manager_util.h"
44 #include "xcollie_helper.h"
45
46 #define LOG_TAG "USER_AUTH_SA"
47
48 namespace OHOS {
49 namespace UserIam {
50 namespace UserAuth {
51 namespace {
52 const int32_t MINIMUM_VERSION = 0;
53 const int32_t CURRENT_VERSION = 1;
54 const int32_t USERIAM_IPC_THREAD_NUM = 4;
55 const uint32_t NETWORK_ID_LENGTH = 64;
GetTemplatesByAuthType(int32_t userId,AuthType authType,std::vector<uint64_t> & templateIds)56 int32_t GetTemplatesByAuthType(int32_t userId, AuthType authType, std::vector<uint64_t> &templateIds)
57 {
58 templateIds.clear();
59 std::vector<std::shared_ptr<CredentialInfoInterface>> credentialInfos;
60 int32_t ret = UserIdmDatabase::Instance().GetCredentialInfo(userId, authType, credentialInfos);
61 if (ret != SUCCESS) {
62 IAM_LOGE("get credential fail, ret:%{public}d, userId:%{public}d, authType:%{public}d", ret,
63 userId, authType);
64 return GENERAL_ERROR;
65 }
66
67 if (credentialInfos.empty()) {
68 IAM_LOGE("user %{public}d has no credential type %{public}d", userId, authType);
69 return SUCCESS;
70 }
71
72 templateIds.reserve(credentialInfos.size());
73 for (auto &info : credentialInfos) {
74 if (info == nullptr) {
75 IAM_LOGE("info is nullptr");
76 continue;
77 }
78 templateIds.push_back(info->GetTemplateId());
79 }
80
81 return SUCCESS;
82 }
83
IsTemplateIdListRequired(const std::vector<Attributes::AttributeKey> & keys)84 bool IsTemplateIdListRequired(const std::vector<Attributes::AttributeKey> &keys)
85 {
86 for (const auto &key : keys) {
87 if (key == Attributes::AttributeKey::ATTR_PIN_SUB_TYPE ||
88 key == Attributes::AttributeKey::ATTR_REMAIN_TIMES ||
89 key == Attributes::AttributeKey::ATTR_FREEZING_TIME ||
90 key == Attributes::AttributeKey::ATTR_NEXT_FAIL_LOCKOUT_DURATION ||
91 key == Attributes::AttributeKey::ATTR_CREDENTIAL_LENGTH) {
92 return true;
93 }
94 }
95 return false;
96 }
97
GetResourceNodeByTypeAndRole(AuthType authType,ExecutorRole role,std::vector<std::weak_ptr<ResourceNode>> & authTypeNodes)98 void GetResourceNodeByTypeAndRole(AuthType authType, ExecutorRole role,
99 std::vector<std::weak_ptr<ResourceNode>> &authTypeNodes)
100 {
101 authTypeNodes.clear();
102 ResourceNodePool::Instance().Enumerate(
103 [&authTypeNodes, role, authType](const std::weak_ptr<ResourceNode> &weakNode) {
104 auto node = weakNode.lock();
105 if (node == nullptr) {
106 return;
107 }
108 if (node->GetAuthType() != authType) {
109 return;
110 }
111 if (node->GetExecutorRole() != role) {
112 return;
113 }
114 authTypeNodes.push_back(node);
115 });
116 }
117
GetAuthParamStr(const AuthParamInner & authParam,std::optional<RemoteAuthParam> & remoteAuthParam)118 std::string GetAuthParamStr(const AuthParamInner &authParam, std::optional<RemoteAuthParam> &remoteAuthParam)
119 {
120 std::ostringstream authParamString;
121 authParamString << "userId:" << authParam.userId << " authType:" << authParam.authType
122 << " authIntent:" << authParam.authIntent << " atl:" << authParam.authTrustLevel;
123 if (remoteAuthParam.has_value()) {
124 const uint32_t networkIdPrintLen = 4;
125 const uint32_t tokenIdMinLen = 2;
126 auto verifierNetworkIdStr = remoteAuthParam->verifierNetworkId.value_or("").substr(0, networkIdPrintLen);
127 auto collectorNetworkIdStr = remoteAuthParam->collectorNetworkId.value_or("").substr(0, networkIdPrintLen);
128 auto tokenIdStr = std::to_string(remoteAuthParam->collectorTokenId.value_or(0));
129 if (tokenIdStr.size() > tokenIdMinLen) {
130 tokenIdStr = std::string(1, tokenIdStr[0]) + "****" + std::string(1, tokenIdStr[tokenIdStr.size() - 1]);
131 } else {
132 tokenIdStr = "";
133 }
134
135 authParamString << " isRemoteAuth:true" << " verifierNetworkId:" << verifierNetworkIdStr << "****"
136 " collectorNetworkId:" << collectorNetworkIdStr << "****" << " collectorTokenId:" << tokenIdStr;
137 }
138 return authParamString.str();
139 }
140 const bool REGISTER_RESULT = SystemAbility::MakeAndRegisterAbility(UserAuthService::GetInstance().get());
141 } // namespace
142 std::mutex UserAuthService::mutex_;
143 std::shared_ptr<UserAuthService> UserAuthService::instance_ = nullptr;
144
GetInstance()145 std::shared_ptr<UserAuthService> UserAuthService::GetInstance()
146 {
147 if (instance_ == nullptr) {
148 std::lock_guard<std::mutex> guard(mutex_);
149 if (instance_ == nullptr) {
150 instance_ = Common::MakeShared<UserAuthService>();
151 if (instance_ == nullptr) {
152 IAM_LOGE("make share failed");
153 }
154 }
155 }
156 return instance_;
157 }
158
UserAuthService()159 UserAuthService::UserAuthService()
160 : SystemAbility(SUBSYS_USERIAM_SYS_ABILITY_USERAUTH, true), UserAuthStub(false)
161 {}
162
OnStart()163 void UserAuthService::OnStart()
164 {
165 IAM_LOGI("Sa start UserAuthService");
166 IPCSkeleton::SetMaxWorkThreadNum(USERIAM_IPC_THREAD_NUM);
167 if (!Publish(this)) {
168 IAM_LOGE("failed to publish service");
169 }
170 ServiceInitManager::GetInstance().OnUserAuthServiceStart();
171 }
172
OnStop()173 void UserAuthService::OnStop()
174 {
175 IAM_LOGI("Sa stop UserAuthService");
176 ServiceInitManager::GetInstance().OnUserAuthServiceStop();
177 }
178
CheckAuthTrustLevel(AuthTrustLevel authTrustLevel)179 bool UserAuthService::CheckAuthTrustLevel(AuthTrustLevel authTrustLevel)
180 {
181 if ((authTrustLevel != ATL1) && (authTrustLevel != ATL2) &&
182 (authTrustLevel != ATL3) && (authTrustLevel != ATL4)) {
183 IAM_LOGE("authTrustLevel not support %{public}u", authTrustLevel);
184 return false;
185 }
186 return true;
187 }
188
GetAvailableStatus(int32_t apiVersion,int32_t userId,int32_t authType,uint32_t authTrustLevel,int32_t & funcResult)189 int32_t UserAuthService::GetAvailableStatus(int32_t apiVersion, int32_t userId, int32_t authType,
190 uint32_t authTrustLevel, int32_t &funcResult)
191 {
192 IAM_LOGD("start");
193 funcResult = GetAvailableStatusImpl(apiVersion, userId, authType, authTrustLevel);
194 return SUCCESS;
195 }
196
GetAvailableStatus(int32_t apiVersion,int32_t authType,uint32_t authTrustLevel,int32_t & funcResult)197 int32_t UserAuthService::GetAvailableStatus(int32_t apiVersion, int32_t authType, uint32_t authTrustLevel,
198 int32_t &funcResult)
199 {
200 IAM_LOGD("start");
201 funcResult = GetAvailableStatusImpl(apiVersion, authType, authTrustLevel);
202 return SUCCESS;
203 }
204
GetAvailableStatusImpl(int32_t apiVersion,int32_t userId,int32_t authType,uint32_t authTrustLevel)205 int32_t UserAuthService::GetAvailableStatusImpl(int32_t apiVersion, int32_t userId, int32_t authType,
206 uint32_t authTrustLevel)
207 {
208 IAM_LOGD("start with userId");
209
210 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
211 IAM_LOGE("failed to check permission");
212 return CHECK_PERMISSION_FAILED;
213 }
214 return GetAvailableStatusInner(apiVersion, userId, static_cast<AuthType>(authType),
215 static_cast<AuthTrustLevel>(authTrustLevel));
216 }
217
GetAvailableStatusImpl(int32_t apiVersion,int32_t authType,uint32_t authTrustLevel)218 int32_t UserAuthService::GetAvailableStatusImpl(int32_t apiVersion, int32_t authType, uint32_t authTrustLevel)
219 {
220 IAM_LOGD("start without userId");
221 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
222 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
223 IAM_LOGE("failed to check permission");
224 return CHECK_PERMISSION_FAILED;
225 }
226 if (apiVersion <= API_VERSION_8 && static_cast<AuthType>(authType) == PIN) {
227 IAM_LOGE("authType not support");
228 return TYPE_NOT_SUPPORT;
229 }
230 int32_t userId = INVALID_USER_ID;
231 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
232 IAM_LOGE("failed to get userId");
233 return GENERAL_ERROR;
234 }
235 return GetAvailableStatusInner(apiVersion, userId, static_cast<AuthType>(authType),
236 static_cast<AuthTrustLevel>(authTrustLevel));
237 }
238
GetAvailableStatusInner(int32_t apiVersion,int32_t userId,AuthType authType,AuthTrustLevel authTrustLevel)239 int32_t UserAuthService::GetAvailableStatusInner(int32_t apiVersion, int32_t userId, AuthType authType,
240 AuthTrustLevel authTrustLevel)
241 {
242 if (!CheckAuthTrustLevel(authTrustLevel)) {
243 IAM_LOGE("authTrustLevel is not in correct range");
244 return TRUST_LEVEL_NOT_SUPPORT;
245 }
246 auto hdi = HdiWrapper::GetHdiInstance();
247 if (hdi == nullptr) {
248 IAM_LOGE("hdi interface is nullptr");
249 return GENERAL_ERROR;
250 }
251 int32_t checkRet = GENERAL_ERROR;
252 int32_t result = hdi->GetAvailableStatus(userId, authType, authTrustLevel, checkRet);
253 if (result != SUCCESS) {
254 IAM_LOGE("hdi GetAvailableStatus failed");
255 return GENERAL_ERROR;
256 }
257 IAM_LOGI("GetAvailableStatus result:%{public}d", checkRet);
258 return checkRet;
259 }
260
FillGetPropertyKeys(AuthType authType,const std::vector<Attributes::AttributeKey> & keys,std::vector<uint32_t> & uint32Keys)261 void UserAuthService::FillGetPropertyKeys(AuthType authType, const std::vector<Attributes::AttributeKey> &keys,
262 std::vector<uint32_t> &uint32Keys)
263 {
264 uint32Keys.reserve(keys.size());
265 for (const auto &key : keys) {
266 if (key == Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION && authType != PIN) {
267 continue;
268 }
269 uint32Keys.push_back(static_cast<uint32_t>(key));
270 }
271 }
272
FillGetPropertyValue(AuthType authType,const std::vector<Attributes::AttributeKey> & keys,Attributes & values)273 void UserAuthService::FillGetPropertyValue(AuthType authType, const std::vector<Attributes::AttributeKey> &keys,
274 Attributes &values)
275 {
276 for (const auto &key : keys) {
277 if (key == Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION && authType != PIN) {
278 if (!values.SetInt32Value(Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION, FIRST_LOCKOUT_DURATION_EXCEPT_PIN)) {
279 IAM_LOGE("set nextFailLockoutDuration failed, authType %{public}d", authType);
280 }
281 break;
282 }
283 }
284 }
285
GetResourseNode(AuthType authType)286 std::shared_ptr<ResourceNode> UserAuthService::GetResourseNode(AuthType authType)
287 {
288 std::vector<std::weak_ptr<ResourceNode>> authTypeNodes;
289 GetResourceNodeByTypeAndRole(authType, ALL_IN_ONE, authTypeNodes);
290 if (authTypeNodes.size() != 1) {
291 IAM_LOGE("auth type %{public}d resource node num %{public}zu is not expected",
292 authType, authTypeNodes.size());
293 return nullptr;
294 }
295
296 auto resourceNode = authTypeNodes[0].lock();
297 if (resourceNode == nullptr) {
298 IAM_LOGE("resourceNode is nullptr");
299 return nullptr;
300 }
301
302 return resourceNode;
303 }
304
GetPropertyInner(AuthType authType,const std::vector<Attributes::AttributeKey> & keys,const sptr<IGetExecutorPropertyCallback> & getExecutorPropertyCallback,std::vector<uint64_t> & templateIds)305 int32_t UserAuthService::GetPropertyInner(AuthType authType, const std::vector<Attributes::AttributeKey> &keys,
306 const sptr<IGetExecutorPropertyCallback> &getExecutorPropertyCallback, std::vector<uint64_t> &templateIds)
307 {
308 Attributes values;
309 auto resourceNode = GetResourseNode(authType);
310 if (resourceNode == nullptr) {
311 IAM_LOGE("resourceNode is nullptr");
312 getExecutorPropertyCallback->OnGetExecutorPropertyResult(GENERAL_ERROR, values.Serialize());
313 return SUCCESS;
314 }
315
316 std::vector<uint32_t> uint32Keys;
317 FillGetPropertyKeys(authType, keys, uint32Keys);
318 Attributes attr;
319 attr.SetUint32Value(Attributes::ATTR_PROPERTY_MODE, PROPERTY_MODE_GET);
320 attr.SetUint64ArrayValue(Attributes::ATTR_TEMPLATE_ID_LIST, templateIds);
321 attr.SetUint32ArrayValue(Attributes::ATTR_KEY_LIST, uint32Keys);
322
323 int32_t result = resourceNode->GetProperty(attr, values);
324 if (result != SUCCESS) {
325 IAM_LOGE("failed to get property, result = %{public}d", result);
326 }
327 FillGetPropertyValue(authType, keys, values);
328
329 getExecutorPropertyCallback->OnGetExecutorPropertyResult(result, values.Serialize());
330 return SUCCESS;
331 }
332
GetProperty(int32_t userId,int32_t authType,const std::vector<uint32_t> & keys,const sptr<IGetExecutorPropertyCallback> & getExecutorPropertyCallback)333 int32_t UserAuthService::GetProperty(int32_t userId, int32_t authType,
334 const std::vector<uint32_t> &keys, const sptr<IGetExecutorPropertyCallback> &getExecutorPropertyCallback)
335 {
336 IAM_LOGD("start");
337 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
338 IF_FALSE_LOGE_AND_RETURN_VAL(getExecutorPropertyCallback != nullptr, INVALID_PARAMETERS);
339 Attributes values;
340
341 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
342 IAM_LOGE("failed to check permission");
343 getExecutorPropertyCallback->OnGetExecutorPropertyResult(CHECK_PERMISSION_FAILED, values.Serialize());
344 return SUCCESS;
345 }
346
347 std::vector<Attributes::AttributeKey> attrKeys;
348 attrKeys.resize(keys.size());
349 std::transform(keys.begin(), keys.end(), attrKeys.begin(), [](uint32_t key) {
350 return static_cast<Attributes::AttributeKey>(key);
351 });
352 std::vector<uint64_t> templateIds;
353 if (IsTemplateIdListRequired(attrKeys)) {
354 int32_t ret = GetTemplatesByAuthType(userId, static_cast<AuthType>(authType), templateIds);
355 if (ret != SUCCESS) {
356 IAM_LOGE("get templates fail, ret:%{public}d, userId:%{public}d, authType:%{public}d", ret,
357 userId, authType);
358 getExecutorPropertyCallback->OnGetExecutorPropertyResult(GENERAL_ERROR, values.Serialize());
359 return SUCCESS;
360 }
361 if (templateIds.size() == 0) {
362 IAM_LOGE("template id list is required, but templateIds size is 0");
363 getExecutorPropertyCallback->OnGetExecutorPropertyResult(NOT_ENROLLED, values.Serialize());
364 return SUCCESS;
365 }
366 }
367
368 return GetPropertyInner(static_cast<AuthType>(authType), attrKeys, getExecutorPropertyCallback, templateIds);
369 }
370
GetPropertyById(uint64_t credentialId,const std::vector<uint32_t> & keys,const sptr<IGetExecutorPropertyCallback> & getExecutorPropertyCallback)371 int32_t UserAuthService::GetPropertyById(uint64_t credentialId, const std::vector<uint32_t> &keys,
372 const sptr<IGetExecutorPropertyCallback> &getExecutorPropertyCallback)
373 {
374 IAM_LOGD("start");
375 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
376 IF_FALSE_LOGE_AND_RETURN_VAL(getExecutorPropertyCallback != nullptr, INVALID_PARAMETERS);
377 Attributes values;
378
379 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
380 IAM_LOGE("failed to check permission");
381 getExecutorPropertyCallback->OnGetExecutorPropertyResult(CHECK_PERMISSION_FAILED, values.Serialize());
382 return SUCCESS;
383 }
384
385 std::shared_ptr<CredentialInfoInterface> credInfo;
386 std::vector<uint64_t> templateIds;
387 int32_t ret = UserIdmDatabase::Instance().GetCredentialInfoById(credentialId, credInfo);
388 if (ret != SUCCESS) {
389 IAM_LOGE("get credentialInfp fail, ret:%{public}d", ret);
390 getExecutorPropertyCallback->OnGetExecutorPropertyResult(ret, values.Serialize());
391 return SUCCESS;
392 }
393 if (credInfo == nullptr) {
394 IAM_LOGE("credential is nullptr");
395 getExecutorPropertyCallback->OnGetExecutorPropertyResult(GENERAL_ERROR, values.Serialize());
396 return SUCCESS;
397 }
398
399 std::vector<Attributes::AttributeKey> attrKeys;
400 attrKeys.resize(keys.size());
401 std::transform(keys.begin(), keys.end(), attrKeys.begin(), [](uint32_t key) {
402 return static_cast<Attributes::AttributeKey>(key);
403 });
404 AuthType authType = credInfo->GetAuthType();
405 templateIds.push_back(credInfo->GetTemplateId());
406 return GetPropertyInner(authType, attrKeys, getExecutorPropertyCallback, templateIds);
407 }
408
SetProperty(int32_t userId,int32_t authType,const std::vector<uint8_t> & attributes,const sptr<ISetExecutorPropertyCallback> & setExecutorPropertyCallback)409 int32_t UserAuthService::SetProperty(int32_t userId, int32_t authType, const std::vector<uint8_t> &attributes,
410 const sptr<ISetExecutorPropertyCallback> &setExecutorPropertyCallback)
411 {
412 IAM_LOGD("start");
413 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
414 if (setExecutorPropertyCallback == nullptr) {
415 IAM_LOGE("callback is nullptr");
416 return INVALID_PARAMETERS;
417 }
418 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
419 IAM_LOGE("permission check failed");
420 setExecutorPropertyCallback->OnSetExecutorPropertyResult(CHECK_PERMISSION_FAILED);
421 return CHECK_PERMISSION_FAILED;
422 }
423
424 std::vector<std::weak_ptr<ResourceNode>> authTypeNodes;
425 GetResourceNodeByTypeAndRole(static_cast<AuthType>(authType), ALL_IN_ONE, authTypeNodes);
426 if (authTypeNodes.size() != 1) {
427 IAM_LOGE("auth type %{public}d resource node num %{public}zu is not expected",
428 authType, authTypeNodes.size());
429 setExecutorPropertyCallback->OnSetExecutorPropertyResult(GENERAL_ERROR);
430 return SUCCESS;
431 }
432
433 auto resourceNode = authTypeNodes[0].lock();
434 if (resourceNode == nullptr) {
435 IAM_LOGE("resourceNode is nullptr");
436 setExecutorPropertyCallback->OnSetExecutorPropertyResult(GENERAL_ERROR);
437 return SUCCESS;
438 }
439 const Attributes properties(attributes);
440 int32_t result = resourceNode->SetProperty(properties);
441 if (result != SUCCESS) {
442 IAM_LOGE("set property failed, result = %{public}d", result);
443 }
444 setExecutorPropertyCallback->OnSetExecutorPropertyResult(result);
445 return result;
446 }
447
GetAuthContextCallback(int32_t apiVersion,const std::vector<uint8_t> & challenge,AuthType authType,AuthTrustLevel authTrustLevel,const sptr<IIamCallback> & userAuthCallback)448 std::shared_ptr<ContextCallback> UserAuthService::GetAuthContextCallback(int32_t apiVersion,
449 const std::vector<uint8_t> &challenge, AuthType authType,
450 AuthTrustLevel authTrustLevel, const sptr<IIamCallback> &userAuthCallback)
451 {
452 if (userAuthCallback == nullptr) {
453 IAM_LOGE("callback is nullptr");
454 return nullptr;
455 }
456 auto contextCallback = ContextCallback::NewInstance(userAuthCallback, TRACE_AUTH_USER_ALL);
457 if (contextCallback == nullptr) {
458 IAM_LOGE("failed to construct context callback");
459 Attributes extraInfo;
460 userAuthCallback->OnResult(GENERAL_ERROR, extraInfo.Serialize());
461 return nullptr;
462 }
463 contextCallback->SetTraceAuthType(authType);
464 contextCallback->SetTraceAuthWidgetType(authType);
465 contextCallback->SetTraceAuthTrustLevel(authTrustLevel);
466 contextCallback->SetTraceSdkVersion(apiVersion);
467 return contextCallback;
468 }
469
CheckAuthPermissionAndParam(int32_t authType,const int32_t & callerType,const std::string & callerName,AuthTrustLevel authTrustLevel)470 int32_t UserAuthService::CheckAuthPermissionAndParam(int32_t authType, const int32_t &callerType,
471 const std::string &callerName, AuthTrustLevel authTrustLevel)
472 {
473 if (!IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
474 IAM_LOGE("failed to check permission");
475 return CHECK_PERMISSION_FAILED;
476 }
477 if (callerType == Security::AccessToken::TOKEN_HAP && (!IpcCommon::CheckForegroundApplication(callerName))) {
478 IAM_LOGE("failed to check foreground application");
479 return CHECK_PERMISSION_FAILED;
480 }
481 if (authType == PIN) {
482 IAM_LOGE("authType not support");
483 return TYPE_NOT_SUPPORT;
484 }
485 if (!CheckAuthTrustLevel(authTrustLevel)) {
486 IAM_LOGE("authTrustLevel is not in correct range");
487 return TRUST_LEVEL_NOT_SUPPORT;
488 }
489 return SUCCESS;
490 }
491
StartAuth(int32_t apiVersion,Authentication::AuthenticationPara & para,std::shared_ptr<ContextCallback> & contextCallback,uint64_t & contextId)492 int32_t UserAuthService::StartAuth(int32_t apiVersion, Authentication::AuthenticationPara ¶,
493 std::shared_ptr<ContextCallback> &contextCallback, uint64_t &contextId)
494 {
495 IAM_LOGI("start");
496 contextId = StartAuthContext(apiVersion, para, contextCallback, true);
497 if (contextId == BAD_CONTEXT_ID) {
498 IAM_LOGE("StartAuthContext fail");
499 return GENERAL_ERROR;
500 }
501 return SUCCESS;
502 }
503
Auth(int32_t apiVersion,const IpcAuthParamInner & ipcAuthParamInner,const sptr<IIamCallback> & userAuthCallback,uint64_t & contextId)504 int32_t UserAuthService::Auth(int32_t apiVersion, const IpcAuthParamInner &ipcAuthParamInner,
505 const sptr<IIamCallback> &userAuthCallback, uint64_t &contextId)
506 {
507 IAM_LOGI("start");
508 auto contextCallback = GetAuthContextCallback(apiVersion, ipcAuthParamInner.challenge,
509 static_cast<AuthType>(ipcAuthParamInner.authType),
510 static_cast<AuthTrustLevel>(ipcAuthParamInner.authTrustLevel), userAuthCallback);
511 if (contextCallback == nullptr) {
512 IAM_LOGE("contextCallback is nullptr");
513 return GENERAL_ERROR;
514 }
515 std::string callerName = "";
516 Attributes extraInfo;
517 Authentication::AuthenticationPara para = {};
518 if ((!IpcCommon::GetCallerName(*this, para.callerName, para.callerType))) {
519 IAM_LOGE("get bundle name fail");
520 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth GetCallerName fail");
521 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
522 return GENERAL_ERROR;
523 }
524 contextCallback->SetTraceCallerName(para.callerName);
525 contextCallback->SetTraceCallerType(para.callerType);
526 int32_t checkRet = CheckAuthPermissionAndParam(static_cast<AuthType>(ipcAuthParamInner.authType), para.callerType,
527 para.callerName, static_cast<AuthTrustLevel>(ipcAuthParamInner.authTrustLevel));
528 if (checkRet != SUCCESS) {
529 IAM_LOGE("check auth permission and param fail");
530 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth CheckAuthPermissionAndParam fail");
531 contextCallback->OnResult(checkRet, extraInfo);
532 return checkRet;
533 }
534 int32_t userId = INVALID_USER_ID;
535 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
536 IAM_LOGE("get callingUserId failed");
537 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth GetCallingUserId fail");
538 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
539 return CHECK_PERMISSION_FAILED;
540 }
541 contextCallback->SetTraceUserId(userId);
542 para.tokenId = IpcCommon::GetAccessTokenId(*this);
543 para.userId = userId;
544 para.authType = static_cast<AuthType>(ipcAuthParamInner.authType);
545 para.atl = static_cast<AuthTrustLevel>(ipcAuthParamInner.authTrustLevel);
546 para.challenge = std::move(ipcAuthParamInner.challenge);
547 para.endAfterFirstFail = true;
548 para.sdkVersion = apiVersion;
549 para.authIntent = AuthIntent::DEFAULT;
550 para.isOsAccountVerified = IpcCommon::IsOsAccountVerified(userId);
551 return StartAuth(apiVersion, para, contextCallback, contextId);
552 }
553
StartAuthContext(int32_t apiVersion,Authentication::AuthenticationPara para,const std::shared_ptr<ContextCallback> & contextCallback,bool needSubscribeAppState)554 uint64_t UserAuthService::StartAuthContext(int32_t apiVersion, Authentication::AuthenticationPara para,
555 const std::shared_ptr<ContextCallback> &contextCallback, bool needSubscribeAppState)
556 {
557 Attributes extraInfo;
558 auto context = ContextFactory::CreateSimpleAuthContext(para, contextCallback, needSubscribeAppState);
559 if (context == nullptr || !ContextPool::Instance().Insert(context)) {
560 IAM_LOGE("failed to insert context");
561 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth insert context fail");
562 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
563 return BAD_CONTEXT_ID;
564 }
565 contextCallback->SetTraceRequestContextId(context->GetContextId());
566 contextCallback->SetTraceAuthContextId(context->GetContextId());
567 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
568
569 if (!context->Start()) {
570 int32_t errorCode = context->GetLatestError();
571 IAM_LOGE("failed to start auth apiVersion:%{public}d errorCode:%{public}d", apiVersion, errorCode);
572 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth start context fail");
573 contextCallback->OnResult(errorCode, extraInfo);
574 return BAD_CONTEXT_ID;
575 }
576 return context->GetContextId();
577 }
578
StartRemoteAuthInvokerContext(AuthParamInner authParam,RemoteAuthInvokerContextParam & param,const std::shared_ptr<ContextCallback> & contextCallback)579 uint64_t UserAuthService::StartRemoteAuthInvokerContext(AuthParamInner authParam,
580 RemoteAuthInvokerContextParam ¶m, const std::shared_ptr<ContextCallback> &contextCallback)
581 {
582 Attributes extraInfo;
583 std::shared_ptr<Context> context = ContextFactory::CreateRemoteAuthInvokerContext(authParam, param,
584 contextCallback);
585 if (context == nullptr || !ContextPool::Instance().Insert(context)) {
586 IAM_LOGE("failed to insert context");
587 contextCallback->SetTraceAuthFinishReason("UserAuthService StartRemoteAuthInvokerContext insert context fail");
588 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
589 return BAD_CONTEXT_ID;
590 }
591 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
592 contextCallback->SetTraceRequestContextId(context->GetContextId());
593 contextCallback->SetTraceAuthContextId(context->GetContextId());
594
595 if (!context->Start()) {
596 int32_t errorCode = context->GetLatestError();
597 IAM_LOGE("failed to start auth errorCode:%{public}d", errorCode);
598 contextCallback->SetTraceAuthFinishReason("UserAuthService StartRemoteAuthInvokerContext start context fail");
599 contextCallback->OnResult(errorCode, extraInfo);
600 return BAD_CONTEXT_ID;
601 }
602 return context->GetContextId();
603 }
604
StartLocalRemoteAuthContext(Authentication::AuthenticationPara para,LocalRemoteAuthContextParam & localRemoteAuthContextParam,const std::shared_ptr<ContextCallback> & contextCallback)605 uint64_t UserAuthService::StartLocalRemoteAuthContext(Authentication::AuthenticationPara para,
606 LocalRemoteAuthContextParam &localRemoteAuthContextParam, const std::shared_ptr<ContextCallback> &contextCallback)
607 {
608 Attributes extraInfo;
609 std::shared_ptr<Context> context = ContextFactory::CreateLocalRemoteAuthContext(para, localRemoteAuthContextParam,
610 contextCallback);
611 if (context == nullptr || !ContextPool::Instance().Insert(context)) {
612 IAM_LOGE("failed to insert context");
613 contextCallback->SetTraceAuthFinishReason("UserAuthService StartLocalRemoteAuthContext insert context fail");
614 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
615 return BAD_CONTEXT_ID;
616 }
617 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
618 contextCallback->SetTraceRequestContextId(context->GetContextId());
619 contextCallback->SetTraceAuthContextId(context->GetContextId());
620
621 if (!context->Start()) {
622 int32_t errorCode = context->GetLatestError();
623 IAM_LOGE("failed to start auth errorCode:%{public}d", errorCode);
624 contextCallback->SetTraceAuthFinishReason("UserAuthService StartLocalRemoteAuthContext start context fail");
625 contextCallback->OnResult(errorCode, extraInfo);
626 return BAD_CONTEXT_ID;
627 }
628 return context->GetContextId();
629 }
630
CheckAuthPermissionAndParam(AuthType authType,AuthTrustLevel authTrustLevel,const std::shared_ptr<ContextCallback> & contextCallback,Attributes & extraInfo)631 bool UserAuthService::CheckAuthPermissionAndParam(AuthType authType, AuthTrustLevel authTrustLevel,
632 const std::shared_ptr<ContextCallback> &contextCallback, Attributes &extraInfo)
633 {
634 if (!CheckAuthTrustLevel(authTrustLevel)) {
635 IAM_LOGE("authTrustLevel is not in correct range");
636 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthUser CheckAuthTrustLevel fail");
637 contextCallback->OnResult(TRUST_LEVEL_NOT_SUPPORT, extraInfo);
638 return false;
639 }
640 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
641 IAM_LOGE("failed to check permission");
642 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthUser CheckPermission fail");
643 contextCallback->OnResult(CHECK_PERMISSION_FAILED, extraInfo);
644 return false;
645 }
646 return true;
647 }
648
StartAuthUser(AuthParamInner & authParam,std::optional<RemoteAuthParam> & remoteAuthParam,Authentication::AuthenticationPara & para,std::shared_ptr<ContextCallback> & contextCallback,uint64_t & contextId)649 int32_t UserAuthService::StartAuthUser(AuthParamInner &authParam, std::optional<RemoteAuthParam> &remoteAuthParam,
650 Authentication::AuthenticationPara ¶, std::shared_ptr<ContextCallback> &contextCallback, uint64_t &contextId)
651 {
652 Attributes extraInfo;
653 if (!remoteAuthParam.has_value()) {
654 bool needSubscribeAppState = !IpcCommon::CheckPermission(*this, USER_AUTH_FROM_BACKGROUND);
655 contextId = StartAuthContext(INNER_API_VERSION_10000, para, contextCallback, needSubscribeAppState);
656 if (contextId == BAD_CONTEXT_ID) {
657 IAM_LOGE("StartAuthContext fail");
658 return GENERAL_ERROR;
659 }
660 return SUCCESS;
661 }
662
663 ResultCode failReason = GENERAL_ERROR;
664 contextId = AuthRemoteUser(authParam, para, remoteAuthParam.value(), contextCallback, failReason);
665 if (contextId == BAD_CONTEXT_ID) {
666 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthRemoteUser fail");
667 contextCallback->OnResult(failReason, extraInfo);
668 return failReason;
669 }
670
671 IAM_LOGI("success");
672 return SUCCESS;
673 }
674
AuthUser(const IpcAuthParamInner & ipcAuthParamInner,const IpcRemoteAuthParam & ipcRemoteAuthParam,const sptr<IIamCallback> & userAuthCallback,uint64_t & contextId)675 int32_t UserAuthService::AuthUser(const IpcAuthParamInner &ipcAuthParamInner,
676 const IpcRemoteAuthParam &ipcRemoteAuthParam, const sptr<IIamCallback> &userAuthCallback,
677 uint64_t &contextId)
678 {
679 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
680 contextId = BAD_CONTEXT_ID;
681 AuthParamInner authParam = {};
682 std::optional<RemoteAuthParam> remoteAuthParam = std::nullopt;
683 InitAuthParam(ipcAuthParamInner, authParam);
684 InitRemoteAuthParam(ipcRemoteAuthParam, remoteAuthParam);
685 IAM_LOGI("start, %{public}s", GetAuthParamStr(authParam, remoteAuthParam).c_str());
686 auto contextCallback = GetAuthContextCallback(INNER_API_VERSION_10000, authParam.challenge, authParam.authType,
687 authParam.authTrustLevel, userAuthCallback);
688 if (contextCallback == nullptr) {
689 IAM_LOGE("contextCallback is nullptr");
690 return GENERAL_ERROR;
691 }
692 contextCallback->SetTraceIsRemoteAuth(remoteAuthParam.has_value());
693 contextCallback->SetTraceUserId(authParam.userId);
694 Attributes extraInfo;
695 Authentication::AuthenticationPara para = {};
696 if ((!IpcCommon::GetCallerName(*this, para.callerName, para.callerType))) {
697 IAM_LOGE("get caller name fail");
698 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthUser GetCallerName fail");
699 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
700 return GENERAL_ERROR;
701 }
702 contextCallback->SetTraceCallerName(para.callerName);
703 contextCallback->SetTraceCallerType(para.callerType);
704 if (CheckAuthPermissionAndParam(authParam.authType, authParam.authTrustLevel, contextCallback,
705 extraInfo) == false) {
706 return CHECK_PERMISSION_FAILED;
707 }
708 para.tokenId = IpcCommon::GetAccessTokenId(*this);
709 para.userId = authParam.userId;
710 para.authType = authParam.authType;
711 para.atl = authParam.authTrustLevel;
712 para.challenge = authParam.challenge;
713 para.endAfterFirstFail = false;
714 para.sdkVersion = INNER_API_VERSION_10000;
715 para.authIntent = authParam.authIntent;
716 para.skipLockedBiometricAuth = authParam.skipLockedBiometricAuth;
717 para.isOsAccountVerified = IpcCommon::IsOsAccountVerified(authParam.userId);
718 return StartAuthUser(authParam, remoteAuthParam, para, contextCallback, contextId);
719 }
720
DoPrepareRemoteAuth(const std::string & networkId)721 int32_t UserAuthService::DoPrepareRemoteAuth(const std::string &networkId)
722 {
723 IAM_LOGI("start");
724
725 std::string udid;
726 bool getUdidRet = DeviceManagerUtil::GetInstance().GetUdidByNetworkId(networkId, udid);
727 IF_FALSE_LOGE_AND_RETURN_VAL(getUdidRet, GENERAL_ERROR);
728
729 auto hdi = HdiWrapper::GetHdiInstance();
730 IF_FALSE_LOGE_AND_RETURN_VAL(hdi != nullptr, GENERAL_ERROR);
731
732 int32_t hdiRet = hdi->PrepareRemoteAuth(udid);
733 if (hdiRet == DEVICE_CAPABILITY_NOT_SUPPORT || hdiRet == REMOTE_DEVICE_CONNECTION_FAIL) {
734 IAM_LOGE("prepare remote auth failed, ret: %{public}d", hdiRet);
735 return hdiRet;
736 }
737 IF_FALSE_LOGE_AND_RETURN_VAL(hdiRet == SUCCESS, GENERAL_ERROR);
738
739 IAM_LOGI("success");
740 return SUCCESS;
741 }
742
PrepareRemoteAuthInner(const std::string & networkId,const sptr<IIamCallback> & callback)743 int32_t UserAuthService::PrepareRemoteAuthInner(const std::string &networkId,
744 const sptr<IIamCallback> &callback)
745 {
746 if (networkId.empty()) {
747 IAM_LOGE("networkId is empty");
748 return INVALID_PARAMETERS;
749 }
750
751 if (callback == nullptr) {
752 IAM_LOGE("callback is nullptr");
753 return INVALID_PARAMETERS;
754 }
755
756 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
757 IAM_LOGE("failed to check permission");
758 return CHECK_PERMISSION_FAILED;
759 }
760
761 auto handler = ThreadHandler::GetSingleThreadInstance();
762 IF_FALSE_LOGE_AND_RETURN_VAL(handler != nullptr, GENERAL_ERROR);
763
764 handler->PostTask([networkId, callback]() {
765 Attributes attr;
766
767 auto service = UserAuthService::GetInstance();
768 if (service == nullptr) {
769 IAM_LOGE("service is nullptr");
770 callback->OnResult(GENERAL_ERROR, attr.Serialize());
771 return;
772 }
773
774 int32_t ret = service->DoPrepareRemoteAuth(networkId);
775 if (ret != SUCCESS) {
776 IAM_LOGE("failed to prepare remote auth");
777 }
778
779 callback->OnResult(ret, attr.Serialize());
780 });
781
782 return SUCCESS;
783 }
784
PrepareRemoteAuth(const std::string & networkId,const sptr<IIamCallback> & callback)785 int32_t UserAuthService::PrepareRemoteAuth(const std::string &networkId,
786 const sptr<IIamCallback> &callback)
787 {
788 IAM_LOGI("start");
789 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
790 if (callback == nullptr) {
791 IAM_LOGE("callback is nullptr");
792 return INVALID_PARAMETERS;
793 }
794
795 int32_t ret = PrepareRemoteAuthInner(networkId, callback);
796 if (ret != SUCCESS) {
797 IAM_LOGE("failed to prepare remote auth");
798 Attributes attr;
799 callback->OnResult(ret, attr.Serialize());
800 }
801
802 IAM_LOGI("end");
803 return SUCCESS;
804 }
805
ProcessAuthParamForRemoteAuth(AuthParamInner & authParam,Authentication::AuthenticationPara & para,RemoteAuthParam & remoteAuthParam,std::string & localNetworkId)806 bool UserAuthService::ProcessAuthParamForRemoteAuth(AuthParamInner &authParam, Authentication::AuthenticationPara ¶,
807 RemoteAuthParam &remoteAuthParam, std::string &localNetworkId)
808 {
809 if (para.authType != PIN) {
810 IAM_LOGE("remote auth only support pin auth");
811 return false;
812 }
813
814 if (authParam.userId == INVALID_USER_ID) {
815 IAM_LOGE("userid must be set for remote auth");
816 return false;
817 }
818
819 bool completeRet = CompleteRemoteAuthParam(remoteAuthParam, localNetworkId);
820 if (!completeRet) {
821 IAM_LOGE("failed to complete remote auth param");
822 return false;
823 }
824
825 if (remoteAuthParam.collectorTokenId.has_value()) {
826 para.collectorTokenId = remoteAuthParam.collectorTokenId.value();
827 } else {
828 para.collectorTokenId = para.tokenId;
829 }
830
831 return true;
832 }
833
AuthRemoteUser(AuthParamInner & authParam,Authentication::AuthenticationPara & para,RemoteAuthParam & remoteAuthParam,const std::shared_ptr<ContextCallback> & contextCallback,ResultCode & failReason)834 uint64_t UserAuthService::AuthRemoteUser(AuthParamInner &authParam, Authentication::AuthenticationPara ¶,
835 RemoteAuthParam &remoteAuthParam, const std::shared_ptr<ContextCallback> &contextCallback, ResultCode &failReason)
836 {
837 IAM_LOGI("start");
838
839 std::string localNetworkId;
840 if (!DeviceManagerUtil::GetInstance().GetLocalDeviceNetWorkId(localNetworkId)) {
841 IAM_LOGE("failed to get local network id");
842 failReason = GENERAL_ERROR;
843 return BAD_CONTEXT_ID;
844 }
845
846 if (!ProcessAuthParamForRemoteAuth(authParam, para, remoteAuthParam, localNetworkId)) {
847 IAM_LOGE("failed to check remote auth param");
848 failReason = INVALID_PARAMETERS;
849 return BAD_CONTEXT_ID;
850 }
851
852 failReason = GENERAL_ERROR;
853
854 if (remoteAuthParam.verifierNetworkId.value() == localNetworkId &&
855 remoteAuthParam.collectorNetworkId.value() == localNetworkId) {
856 IAM_LOGI("verifierNetworkId and collectorNetworkId are both local, start local remote auth");
857 LocalRemoteAuthContextParam localRemoteAuthContextParam = {};
858 localRemoteAuthContextParam.collectorNetworkId = remoteAuthParam.collectorNetworkId.value();
859 return StartLocalRemoteAuthContext(para, localRemoteAuthContextParam, contextCallback);
860 }
861
862 if (remoteAuthParam.collectorNetworkId.value() == localNetworkId) {
863 RemoteAuthInvokerContextParam remoteAuthInvokerContextParam = {};
864 remoteAuthInvokerContextParam.verifierNetworkId = remoteAuthParam.verifierNetworkId.value();
865 remoteAuthInvokerContextParam.collectorNetworkId = remoteAuthParam.collectorNetworkId.value();
866 remoteAuthInvokerContextParam.tokenId = para.tokenId;
867 remoteAuthInvokerContextParam.collectorTokenId = para.collectorTokenId;
868 remoteAuthInvokerContextParam.callerName = para.callerName;
869 remoteAuthInvokerContextParam.callerType = para.callerType;
870 IAM_LOGI("start remote auth invoker context");
871 return StartRemoteAuthInvokerContext(authParam, remoteAuthInvokerContextParam, contextCallback);
872 }
873
874 RemoteAuthContextParam remoteAuthContextParam = {};
875 remoteAuthContextParam.authType = authParam.authType;
876 remoteAuthContextParam.collectorNetworkId = remoteAuthParam.collectorNetworkId.value();
877 remoteAuthContextParam.executorInfoMsg = {};
878 int32_t dummyLastError = 0;
879 IAM_LOGI("start remote auth context");
880 return RemoteAuthService::GetInstance().StartRemoteAuthContext(
881 para, remoteAuthContextParam, contextCallback, dummyLastError);
882 }
883
Identify(const std::vector<uint8_t> & challenge,int32_t authType,const sptr<IIamCallback> & userAuthCallback,uint64_t & contextId)884 int32_t UserAuthService::Identify(const std::vector<uint8_t> &challenge, int32_t authType,
885 const sptr<IIamCallback> &userAuthCallback, uint64_t &contextId)
886 {
887 IAM_LOGI("start");
888 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
889 contextId = BAD_CONTEXT_ID;
890 if (userAuthCallback == nullptr) {
891 IAM_LOGE("callback is nullptr");
892 return INVALID_PARAMETERS;
893 }
894 Attributes extraInfo;
895 auto contextCallback = ContextCallback::NewInstance(userAuthCallback, TRACE_IDENTIFY);
896 if (contextCallback == nullptr) {
897 IAM_LOGE("failed to construct context callback");
898 userAuthCallback->OnResult(GENERAL_ERROR, extraInfo.Serialize());
899 return GENERAL_ERROR;
900 }
901 if (static_cast<AuthType>(authType) == PIN) {
902 IAM_LOGE("type not support %{public}d", authType);
903 contextCallback->SetTraceAuthFinishReason("UserAuthService Identify IsAuthTypeEnable fail");
904 contextCallback->OnResult(TYPE_NOT_SUPPORT, extraInfo);
905 return GENERAL_ERROR;
906 }
907 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
908 IAM_LOGE("failed to check permission");
909 contextCallback->SetTraceAuthFinishReason("UserAuthService Identify CheckPermission fail");
910 contextCallback->OnResult(CHECK_PERMISSION_FAILED, extraInfo);
911 return CHECK_PERMISSION_FAILED;
912 }
913
914 Identification::IdentificationPara para = {};
915 para.tokenId = IpcCommon::GetAccessTokenId(*this);
916 para.authType = static_cast<AuthType>(authType);
917 para.challenge = std::move(challenge);
918 auto context = ContextFactory::CreateIdentifyContext(para, contextCallback);
919 if (!ContextPool::Instance().Insert(context)) {
920 IAM_LOGE("failed to insert context");
921 contextCallback->SetTraceAuthFinishReason("UserAuthService Identify insert context fail");
922 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
923 return GENERAL_ERROR;
924 }
925
926 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
927
928 if (!context->Start()) {
929 IAM_LOGE("failed to start identify");
930 contextCallback->SetTraceAuthFinishReason("UserAuthService Identify start context fail");
931 contextCallback->OnResult(context->GetLatestError(), extraInfo);
932 return GENERAL_ERROR;
933 }
934 contextId = context->GetContextId();
935 return SUCCESS;
936 }
937
CancelAuthOrIdentify(uint64_t contextId,int32_t cancelReason)938 int32_t UserAuthService::CancelAuthOrIdentify(uint64_t contextId, int32_t cancelReason)
939 {
940 IAM_LOGD("start");
941 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
942 bool checkRet = !IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
943 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION);
944 if (checkRet) {
945 IAM_LOGE("failed to check permission");
946 return CHECK_PERMISSION_FAILED;
947 }
948 auto context = ContextPool::Instance().Select(contextId).lock();
949 if (context == nullptr) {
950 IAM_LOGE("context not exist");
951 return INVALID_CONTEXT_ID;
952 }
953
954 if (context->GetTokenId() != IpcCommon::GetAccessTokenId(*this)) {
955 IAM_LOGE("failed to check tokenId");
956 return CHECK_PERMISSION_FAILED;
957 }
958
959 if (cancelReason == CancelReason::MODAL_CREATE_ERROR || cancelReason == CancelReason::MODAL_RUN_ERROR) {
960 IAM_LOGE("widget modal fault");
961 UserIam::UserAuth::ReportSystemFault(Common::GetNowTimeString(), "AuthWidget");
962 }
963
964 if (!context->Stop()) {
965 IAM_LOGE("failed to cancel auth or identify");
966 return context->GetLatestError();
967 }
968
969 return SUCCESS;
970 }
971
GetVersion(int32_t & version)972 int32_t UserAuthService::GetVersion(int32_t &version)
973 {
974 IAM_LOGI("start");
975 version = MINIMUM_VERSION;
976 bool checkRet = !IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
977 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION);
978 if (checkRet) {
979 IAM_LOGE("failed to check permission");
980 return CHECK_PERMISSION_FAILED;
981 }
982 version = CURRENT_VERSION;
983 return SUCCESS;
984 }
985
CheckAuthWidgetType(const std::vector<AuthType> & authType)986 int32_t UserAuthService::CheckAuthWidgetType(const std::vector<AuthType> &authType)
987 {
988 if (authType.empty() || (authType.size() > MAX_AUTH_TYPE_SIZE)) {
989 IAM_LOGE("invalid authType size:%{public}zu", authType.size());
990 return INVALID_PARAMETERS;
991 }
992 const std::set<AuthType> WIDGET_AUTH_TYPE_VALID_SET = {AuthType::PIN, AuthType::FACE, AuthType::FINGERPRINT,
993 AuthType::PRIVATE_PIN};
994 for (const auto &iter : authType) {
995 if (WIDGET_AUTH_TYPE_VALID_SET.find(iter) == WIDGET_AUTH_TYPE_VALID_SET.end()) {
996 IAM_LOGE("authType check fail:%{public}d", static_cast<int32_t>(iter));
997 return TYPE_NOT_SUPPORT;
998 }
999 }
1000 std::set<AuthType> typeChecker(authType.begin(), authType.end());
1001 if (typeChecker.size() != authType.size()) {
1002 IAM_LOGE("duplicate auth type");
1003 return INVALID_PARAMETERS;
1004 }
1005 bool hasPin = false;
1006 bool hasPrivatePin = false;
1007 for (const auto &iter : authType) {
1008 if (iter == AuthType::PIN) {
1009 hasPin = true;
1010 } else if (iter == AuthType::PRIVATE_PIN) {
1011 hasPrivatePin = true;
1012 }
1013 }
1014 if (hasPin && hasPrivatePin) {
1015 IAM_LOGE("pin and private pin not support");
1016 return INVALID_PARAMETERS;
1017 }
1018 return SUCCESS;
1019 }
1020
CheckSingeFaceOrFinger(const std::vector<AuthType> & authType)1021 bool UserAuthService::CheckSingeFaceOrFinger(const std::vector<AuthType> &authType)
1022 {
1023 return std::all_of(authType.begin(), authType.end(), [](AuthType type) {
1024 return type == AuthType::FACE || type == AuthType::FINGERPRINT;
1025 });
1026 }
1027
CheckPrivatePinEnroll(const std::vector<AuthType> & authType,std::vector<AuthType> & validType)1028 bool UserAuthService::CheckPrivatePinEnroll(const std::vector<AuthType> &authType, std::vector<AuthType> &validType)
1029 {
1030 bool hasPrivatePin = false;
1031 for (auto &iter : authType) {
1032 if (iter == AuthType::PRIVATE_PIN) {
1033 hasPrivatePin = true;
1034 break;
1035 }
1036 }
1037 if (!hasPrivatePin) {
1038 return true;
1039 }
1040 const size_t sizeTwo = 2;
1041 bool hasFace = false;
1042 bool hasFinger = false;
1043 for (const auto &iter : validType) {
1044 if (iter == AuthType::FACE) {
1045 hasFace = true;
1046 } else if (iter == AuthType::FINGERPRINT) {
1047 hasFinger = true;
1048 }
1049 if (hasFace && hasFinger) {
1050 break;
1051 }
1052 }
1053 if (validType.size() == sizeTwo && hasFace && hasFinger) {
1054 return false;
1055 }
1056 return true;
1057 }
1058
CheckCallerPermissionForPrivatePin(const AuthParamInner & authParam)1059 int32_t UserAuthService::CheckCallerPermissionForPrivatePin(const AuthParamInner &authParam)
1060 {
1061 bool hasPrivatePin = false;
1062 for (auto &iter : authParam.authTypes) {
1063 if (iter == AuthType::PRIVATE_PIN) {
1064 hasPrivatePin = true;
1065 break;
1066 }
1067 }
1068 if (!hasPrivatePin) {
1069 return SUCCESS;
1070 }
1071 if (IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1072 return SUCCESS;
1073 }
1074 if (IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
1075 return SUCCESS;
1076 }
1077 IAM_LOGE("CheckPermission failed");
1078 return CHECK_PERMISSION_FAILED;
1079 }
1080
CheckCallerPermissionForUserId(const AuthParamInner & authParam)1081 int32_t UserAuthService::CheckCallerPermissionForUserId(const AuthParamInner &authParam)
1082 {
1083 // inner api caller
1084 if (IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1085 return SUCCESS;
1086 }
1087 // native api caller
1088 int32_t userId = INVALID_USER_ID;
1089 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
1090 IAM_LOGE("failed to get callingUserId");
1091 return GENERAL_ERROR;
1092 }
1093 if (IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION) &&
1094 (IpcCommon::CheckPermission(*this, IS_SYSTEM_APP) || authParam.userId == userId)) {
1095 return SUCCESS;
1096 }
1097 IAM_LOGE("CheckPermission failed");
1098 return CHECK_PERMISSION_FAILED;
1099 }
1100
CheckAuthPermissionAndParam(const AuthParamInner & authParam,const WidgetParamInner & widgetParam,bool isBackgroundApplication)1101 int32_t UserAuthService::CheckAuthPermissionAndParam(const AuthParamInner &authParam,
1102 const WidgetParamInner &widgetParam, bool isBackgroundApplication)
1103 {
1104 int32_t checkRet = CheckWindowMode(widgetParam);
1105 if (checkRet != SUCCESS) {
1106 IAM_LOGE("CheckWindowMode failed");
1107 return checkRet;
1108 }
1109 if (CheckCallerPermissionForPrivatePin(authParam) != SUCCESS) {
1110 IAM_LOGE("CheckCallerPermissionForPrivatePin failed");
1111 return CHECK_PERMISSION_FAILED;
1112 }
1113 if (!authParam.isUserIdSpecified && !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
1114 IAM_LOGE("CheckPermission failed");
1115 return CHECK_PERMISSION_FAILED;
1116 }
1117 if (authParam.isUserIdSpecified && CheckCallerPermissionForUserId(authParam) != SUCCESS) {
1118 IAM_LOGE("CheckPermission failed");
1119 return CHECK_PERMISSION_FAILED;
1120 }
1121 if (isBackgroundApplication && (!IpcCommon::CheckPermission(*this, USER_AUTH_FROM_BACKGROUND))) {
1122 IAM_LOGE("failed to check foreground application");
1123 return CHECK_PERMISSION_FAILED;
1124 }
1125 int32_t ret = CheckAuthWidgetType(authParam.authTypes);
1126 if (ret != SUCCESS) {
1127 IAM_LOGE("CheckAuthWidgetType fail.");
1128 return ret;
1129 }
1130 if (!CheckAuthTrustLevel(authParam.authTrustLevel)) {
1131 IAM_LOGE("authTrustLevel is not in correct range");
1132 return ResultCode::TRUST_LEVEL_NOT_SUPPORT;
1133 }
1134 if (widgetParam.navigationButtonText.empty()) {
1135 static const size_t authTypeTwo = 2;
1136 static const size_t authType0 = 0;
1137 static const size_t authType1 = 1;
1138 std::vector<AuthType> authType = authParam.authTypes;
1139 if (((authType.size() == authTypeTwo) &&
1140 (authType[authType0] == AuthType::FACE) && (authType[authType1] == AuthType::FINGERPRINT)) ||
1141 ((authType.size() == authTypeTwo) &&
1142 (authType[authType0] == AuthType::FINGERPRINT) && (authType[authType1] == AuthType::FACE))) {
1143 IAM_LOGE("only face and finger not support");
1144 return INVALID_PARAMETERS;
1145 }
1146 }
1147 if (widgetParam.title.empty()) {
1148 IAM_LOGE("title is empty");
1149 return INVALID_PARAMETERS;
1150 }
1151 return SUCCESS;
1152 }
1153
CheckWindowMode(const WidgetParamInner & widgetParam)1154 int32_t UserAuthService::CheckWindowMode(const WidgetParamInner &widgetParam)
1155 {
1156 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP) &&
1157 (widgetParam.windowMode == WindowModeType::NONE_INTERRUPTION_DIALOG_BOX)) {
1158 IAM_LOGE("the caller is not a system application.");
1159 return CHECK_SYSTEM_APP_FAILED;
1160 }
1161 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP) &&
1162 (widgetParam.windowMode != WindowModeType::UNKNOWN_WINDOW_MODE)) {
1163 IAM_LOGE("normal app can't set window mode.");
1164 return INVALID_PARAMETERS;
1165 }
1166 return SUCCESS;
1167 }
1168
StartWidgetContext(const std::shared_ptr<ContextCallback> & contextCallback,const AuthParamInner & authParam,const WidgetParamInner & widgetParam,std::vector<AuthType> & validType,ContextFactory::AuthWidgetContextPara & para,const sptr<IModalCallback> & modalCallback)1169 uint64_t UserAuthService::StartWidgetContext(const std::shared_ptr<ContextCallback> &contextCallback,
1170 const AuthParamInner &authParam, const WidgetParamInner &widgetParam, std::vector<AuthType> &validType,
1171 ContextFactory::AuthWidgetContextPara ¶, const sptr<IModalCallback> &modalCallback)
1172 {
1173 Attributes extraInfo;
1174 para.tokenId = IpcCommon::GetAccessTokenId(*this);
1175 para.isOsAccountVerified = IpcCommon::IsOsAccountVerified(para.userId);
1176 if (!AuthWidgetHelper::InitWidgetContextParam(authParam, validType, widgetParam, para)) {
1177 IAM_LOGE("init widgetContext failed");
1178 contextCallback->SetTraceAuthFinishReason("UserAuthService InitWidgetContextParam fail");
1179 contextCallback->OnResult(ResultCode::GENERAL_ERROR, extraInfo);
1180 return BAD_CONTEXT_ID;
1181 }
1182 auto context = ContextFactory::CreateWidgetContext(para, contextCallback, modalCallback);
1183 if (context == nullptr || !Insert2ContextPool(context)) {
1184 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget insert context fail");
1185 contextCallback->OnResult(ResultCode::GENERAL_ERROR, extraInfo);
1186 return BAD_CONTEXT_ID;
1187 }
1188 contextCallback->SetTraceRequestContextId(context->GetContextId());
1189 if (!context->Start()) {
1190 int32_t errorCode = context->GetLatestError();
1191 IAM_LOGE("start widget context fail %{public}d", errorCode);
1192 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget start context fail");
1193 contextCallback->OnResult(errorCode, extraInfo);
1194 return BAD_CONTEXT_ID;
1195 }
1196 return context->GetContextId();
1197 }
1198
CheckSkipLockedBiometricAuth(int32_t userId,const AuthParamInner & authParam,const WidgetParamInner & widgetParam,std::vector<AuthType> & validType)1199 int32_t UserAuthService::CheckSkipLockedBiometricAuth(int32_t userId, const AuthParamInner &authParam,
1200 const WidgetParamInner &widgetParam, std::vector<AuthType> &validType)
1201 {
1202 if (!authParam.skipLockedBiometricAuth) {
1203 if (validType.empty()) {
1204 IAM_LOGE("validType size is 0");
1205 return TYPE_NOT_SUPPORT;
1206 }
1207 return SUCCESS;
1208 }
1209
1210 std::vector<AuthType> authTypeList;
1211 for (auto &type : validType) {
1212 ContextFactory::AuthProfile profile = {};
1213 if (!AuthWidgetHelper::GetUserAuthProfile(userId, type, profile)) {
1214 IAM_LOGE("get user auth profile failed");
1215 continue;
1216 }
1217 if (profile.remainTimes != 0 || type == PIN || type == PRIVATE_PIN) {
1218 authTypeList.push_back(type);
1219 }
1220 }
1221
1222 if (authTypeList.empty()) {
1223 if (!widgetParam.navigationButtonText.empty()) {
1224 IAM_LOGE("authTypeList is null, return cancel from widget");
1225 return CANCELED_FROM_WIDGET;
1226 }
1227 IAM_LOGE("authTypeList is null, return lock");
1228 return LOCKED;
1229 }
1230 validType = std::move(authTypeList);
1231 return SUCCESS;
1232 }
1233
CheckValidSolution(int32_t userId,const AuthParamInner & authParam,const WidgetParamInner & widgetParam,std::vector<AuthType> & validType)1234 int32_t UserAuthService::CheckValidSolution(int32_t userId, const AuthParamInner &authParam,
1235 const WidgetParamInner &widgetParam, std::vector<AuthType> &validType)
1236 {
1237 int32_t ret = AuthWidgetHelper::CheckValidSolution(
1238 userId, authParam.authTypes, authParam.authTrustLevel, validType);
1239 if (ret != SUCCESS) {
1240 IAM_LOGE("CheckValidSolution fail %{public}d", ret);
1241 return ret;
1242 }
1243 if (!widgetParam.navigationButtonText.empty() && !CheckSingeFaceOrFinger(validType)) {
1244 IAM_LOGE("navigationButtonText check fail, validType.size:%{public}zu", validType.size());
1245 return INVALID_PARAMETERS;
1246 }
1247 if (widgetParam.windowMode == FULLSCREEN && CheckSingeFaceOrFinger(validType)) {
1248 IAM_LOGE("Single fingerprint or single face does not support full screen");
1249 return INVALID_PARAMETERS;
1250 }
1251 if (!CheckPrivatePinEnroll(authParam.authTypes, validType)) {
1252 IAM_LOGE("check privatePin enroll error");
1253 return INVALID_PARAMETERS;
1254 }
1255 if (!IpcCommon::IsOsAccountVerified(userId)) {
1256 IAM_LOGI("auth userId: %{public}u, biometric authentication has been filtered.", userId);
1257 validType.erase(std::remove_if(validType.begin(), validType.end(), [](AuthType authType) {
1258 return authType != AuthType::PIN && authType != AuthType::PRIVATE_PIN;
1259 }), validType.end());
1260 }
1261 return CheckSkipLockedBiometricAuth(userId, authParam, widgetParam, validType);
1262 }
1263
GetCallerInfo(bool isUserIdSpecified,int32_t userId,ContextFactory::AuthWidgetContextPara & para,std::shared_ptr<ContextCallback> & contextCallback)1264 int32_t UserAuthService::GetCallerInfo(bool isUserIdSpecified, int32_t userId,
1265 ContextFactory::AuthWidgetContextPara ¶, std::shared_ptr<ContextCallback> &contextCallback)
1266 {
1267 static_cast<void>(IpcCommon::GetCallerName(*this, para.callerName, para.callerType));
1268 contextCallback->SetTraceCallerName(para.callerName);
1269 contextCallback->SetTraceCallerType(para.callerType);
1270 static_cast<void>(IpcCommon::GetCallingAppID(*this, para.callingAppID));
1271
1272 if (para.sdkVersion < INNER_API_VERSION_10000 && para.callerType == Security::AccessToken::TOKEN_HAP &&
1273 (!IpcCommon::CheckForegroundApplication(para.callerName))) {
1274 para.isBackgroundApplication = true;
1275 }
1276 contextCallback->SetTraceIsBackgroundApplication(para.isBackgroundApplication);
1277
1278 if (isUserIdSpecified) {
1279 para.userId = userId;
1280 contextCallback->SetTraceUserId(para.userId);
1281 return SUCCESS;
1282 }
1283 if (IpcCommon::GetCallingUserId(*this, para.userId) != SUCCESS) {
1284 IAM_LOGE("get callingUserId failed");
1285 return GENERAL_ERROR;
1286 }
1287 contextCallback->SetTraceUserId(para.userId);
1288 return SUCCESS;
1289 }
1290
ProcessPinExpired(int32_t ret,const AuthParamInner & authParam,std::vector<AuthType> & validType,ContextFactory::AuthWidgetContextPara & para)1291 void UserAuthService::ProcessPinExpired(int32_t ret, const AuthParamInner &authParam,
1292 std::vector<AuthType> &validType, ContextFactory::AuthWidgetContextPara ¶)
1293 {
1294 if (ret != PIN_EXPIRED) {
1295 return;
1296 }
1297 para.isPinExpired = true;
1298 bool hasPrivatePin = false;
1299 for (auto &iter : authParam.authTypes) {
1300 if (iter == AuthType::PRIVATE_PIN) {
1301 hasPrivatePin = true;
1302 break;
1303 }
1304 }
1305 if (hasPrivatePin) {
1306 validType.clear();
1307 validType.emplace_back(AuthType::PRIVATE_PIN);
1308 } else {
1309 validType.emplace_back(AuthType::PIN);
1310 }
1311 }
1312
StartAuthWidget(AuthParamInner & authParam,WidgetParamInner & widgetParam,ContextFactory::AuthWidgetContextPara & para,std::shared_ptr<ContextCallback> & contextCallback,const sptr<IModalCallback> & modalCallback,uint64_t & contextId)1313 int32_t UserAuthService::StartAuthWidget(AuthParamInner &authParam, WidgetParamInner &widgetParam,
1314 ContextFactory::AuthWidgetContextPara ¶, std::shared_ptr<ContextCallback> &contextCallback,
1315 const sptr<IModalCallback> &modalCallback, uint64_t &contextId)
1316 {
1317 IAM_LOGI("start");
1318 Attributes extraInfo;
1319 std::vector<AuthType> validType;
1320 int32_t checkRet = CheckValidSolution(para.userId, authParam, widgetParam, validType);
1321 if (checkRet != SUCCESS && checkRet != PIN_EXPIRED) {
1322 IAM_LOGE("check valid solution failed");
1323 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget CheckValidSolution fail");
1324 contextCallback->OnResult(checkRet, extraInfo);
1325 return checkRet;
1326 }
1327 ProcessPinExpired(checkRet, authParam, validType, para);
1328 ProcessWidgetSessionExclusive();
1329
1330 contextId = StartWidgetContext(contextCallback, authParam, widgetParam, validType, para, modalCallback);
1331 if (contextId == BAD_CONTEXT_ID) {
1332 IAM_LOGE("StartWidgetContext fail");
1333 return GENERAL_ERROR;
1334 }
1335 return SUCCESS;
1336 }
1337
AuthWidget(int32_t apiVersion,const IpcAuthParamInner & ipcAuthParamInner,const IpcWidgetParamInner & ipcWidgetParamInner,const sptr<IIamCallback> & userAuthCallback,const sptr<IModalCallback> & modalCallback,uint64_t & contextId)1338 int32_t UserAuthService::AuthWidget(int32_t apiVersion, const IpcAuthParamInner &ipcAuthParamInner,
1339 const IpcWidgetParamInner &ipcWidgetParamInner, const sptr<IIamCallback> &userAuthCallback,
1340 const sptr<IModalCallback> &modalCallback, uint64_t &contextId)
1341 {
1342 IAM_LOGI("start %{public}d authTrustLevel:%{public}u", apiVersion, ipcAuthParamInner.authTrustLevel);
1343 AuthParamInner authParam = {};
1344 WidgetParamInner widgetParam = {};
1345 InitAuthParam(ipcAuthParamInner, authParam);
1346 InitWidgetParam(ipcWidgetParamInner, widgetParam);
1347 auto contextCallback = GetAuthContextCallback(apiVersion, authParam, widgetParam, userAuthCallback);
1348 if (contextCallback == nullptr) {
1349 IAM_LOGE("contextCallback is nullptr");
1350 return GENERAL_ERROR;
1351 }
1352 ContextFactory::AuthWidgetContextPara para;
1353 para.sdkVersion = apiVersion;
1354 Attributes extraInfo;
1355 int32_t checkRet = GetCallerInfo(authParam.isUserIdSpecified, authParam.userId, para, contextCallback);
1356 if (checkRet != SUCCESS) {
1357 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget GetCallerInfo fail");
1358 contextCallback->OnResult(checkRet, extraInfo);
1359 return checkRet;
1360 }
1361 checkRet = CheckAuthPermissionAndParam(authParam, widgetParam, para.isBackgroundApplication);
1362 if (checkRet != SUCCESS) {
1363 IAM_LOGE("check permission and auth widget param failed");
1364 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget CheckAuthPermissionAndParam fail");
1365 contextCallback->OnResult(checkRet, extraInfo);
1366 return checkRet;
1367 }
1368
1369 if (AuthWidgetHelper::CheckReuseUnlockResult(para, authParam, extraInfo) == SUCCESS) {
1370 IAM_LOGE("check reuse unlock result success");
1371 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget CheckReuseUnlockResult success");
1372 contextCallback->OnResult(SUCCESS, extraInfo);
1373 contextId = REUSE_AUTH_RESULT_CONTEXT_ID;
1374 return SUCCESS;
1375 }
1376
1377 return StartAuthWidget(authParam, widgetParam, para, contextCallback, modalCallback, contextId);
1378 }
1379
ProcessWidgetSessionExclusive()1380 void UserAuthService::ProcessWidgetSessionExclusive()
1381 {
1382 auto contextList = ContextPool::Instance().Select(ContextType::WIDGET_AUTH_CONTEXT);
1383 for (const auto &context : contextList) {
1384 if (auto ctx = context.lock(); ctx != nullptr) {
1385 IAM_LOGE("widget session exclusive, force stop the old context ****%{public}hx",
1386 static_cast<uint16_t>(ctx->GetContextId()));
1387 ctx->Stop();
1388 }
1389 }
1390 }
1391
Insert2ContextPool(const std::shared_ptr<Context> & context)1392 bool UserAuthService::Insert2ContextPool(const std::shared_ptr<Context> &context)
1393 {
1394 bool ret = false;
1395 const int32_t retryTimes = 3;
1396 for (auto i = 0; i < retryTimes; i++) {
1397 ret = ContextPool::Instance().Insert(context);
1398 if (ret) {
1399 break;
1400 }
1401 }
1402 IAM_LOGI("insert context to pool, retry %{public}d times", retryTimes);
1403 return ret;
1404 }
1405
GetAuthContextCallback(int32_t apiVersion,const AuthParamInner & authParam,const WidgetParamInner & widgetParam,const sptr<IIamCallback> & callback)1406 std::shared_ptr<ContextCallback> UserAuthService::GetAuthContextCallback(int32_t apiVersion,
1407 const AuthParamInner &authParam, const WidgetParamInner &widgetParam,
1408 const sptr<IIamCallback> &callback)
1409 {
1410 if (callback == nullptr) {
1411 IAM_LOGE("callback is nullptr");
1412 return nullptr;
1413 }
1414 auto contextCallback = ContextCallback::NewInstance(callback, TRACE_AUTH_USER_BEHAVIOR);
1415 if (contextCallback == nullptr) {
1416 IAM_LOGE("failed to construct context callback");
1417 Attributes extraInfo;
1418 callback->OnResult(ResultCode::GENERAL_ERROR, extraInfo.Serialize());
1419 return nullptr;
1420 }
1421 contextCallback->SetTraceSdkVersion(apiVersion);
1422 contextCallback->SetTraceAuthTrustLevel(authParam.authTrustLevel);
1423
1424 uint32_t authWidgetType = 0;
1425 for (const auto authType : authParam.authTypes) {
1426 authWidgetType |= static_cast<uint32_t>(authType);
1427 }
1428 static const uint32_t bitWindowMode = 0x40000000;
1429 if (widgetParam.windowMode == FULLSCREEN) {
1430 authWidgetType |= bitWindowMode;
1431 }
1432 static const uint32_t bitNavigation = 0x80000000;
1433 if (!widgetParam.navigationButtonText.empty()) {
1434 authWidgetType |= bitNavigation;
1435 }
1436 IAM_LOGI("SetTraceAuthWidgetType %{public}08x", authWidgetType);
1437 contextCallback->SetTraceAuthWidgetType(authWidgetType);
1438 uint32_t traceReuseMode = 0;
1439 uint64_t traceReuseDuration = 0;
1440 if (authParam.reuseUnlockResult.isReuse) {
1441 traceReuseMode = authParam.reuseUnlockResult.reuseMode;
1442 traceReuseDuration = authParam.reuseUnlockResult.reuseDuration;
1443 }
1444 contextCallback->SetTraceReuseUnlockResultMode(traceReuseMode);
1445 contextCallback->SetTraceReuseUnlockResultDuration(traceReuseDuration);
1446 return contextCallback;
1447 }
1448
Notice(int32_t noticeType,const std::string & eventData)1449 int32_t UserAuthService::Notice(int32_t noticeType, const std::string &eventData)
1450 {
1451 IAM_LOGI("start");
1452 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
1453 IAM_LOGE("the caller is not a system application");
1454 return ResultCode::CHECK_SYSTEM_APP_FAILED;
1455 }
1456
1457 if (!IpcCommon::CheckPermission(*this, SUPPORT_USER_AUTH)) {
1458 IAM_LOGE("failed to check permission");
1459 return ResultCode::CHECK_PERMISSION_FAILED;
1460 }
1461 return WidgetClient::Instance().OnNotice(static_cast<NoticeType>(noticeType), eventData);
1462 }
1463
RegisterWidgetCallback(int32_t version,const sptr<IWidgetCallback> & widgetCallback)1464 int32_t UserAuthService::RegisterWidgetCallback(int32_t version, const sptr<IWidgetCallback> &widgetCallback)
1465 {
1466 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
1467 IAM_LOGE("the caller is not a system application");
1468 return ResultCode::CHECK_SYSTEM_APP_FAILED;
1469 }
1470
1471 if (!IpcCommon::CheckPermission(*this, SUPPORT_USER_AUTH)) {
1472 IAM_LOGE("CheckPermission failed, no permission");
1473 return ResultCode::CHECK_PERMISSION_FAILED;
1474 }
1475
1476 uint32_t tokenId = IpcCommon::GetTokenId(*this);
1477 IAM_LOGE("RegisterWidgetCallback tokenId %{public}s", GET_MASKED_STRING(tokenId).c_str());
1478
1479 int32_t curVersion = std::stoi(NOTICE_VERSION_STR);
1480 if (version != curVersion) {
1481 return ResultCode::INVALID_PARAMETERS;
1482 }
1483 if (widgetCallback == nullptr) {
1484 IAM_LOGE("callback is nullptr");
1485 return ResultCode::INVALID_PARAMETERS;
1486 }
1487 WidgetClient::Instance().SetWidgetCallback(widgetCallback);
1488 WidgetClient::Instance().SetAuthTokenId(tokenId);
1489 return ResultCode::SUCCESS;
1490 }
1491
GetEnrolledStateImpl(int32_t apiVersion,int32_t authType,IpcEnrolledState & ipcEnrolledState)1492 int32_t UserAuthService::GetEnrolledStateImpl(int32_t apiVersion, int32_t authType,
1493 IpcEnrolledState &ipcEnrolledState)
1494 {
1495 IAM_LOGI("start");
1496 if (!IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
1497 IAM_LOGE("failed to check permission");
1498 return CHECK_PERMISSION_FAILED;
1499 }
1500
1501 if (apiVersion < API_VERSION_12) {
1502 IAM_LOGE("failed to check apiVersion");
1503 return TYPE_NOT_SUPPORT;
1504 }
1505
1506 int32_t userId = INVALID_USER_ID;
1507 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
1508 IAM_LOGE("failed to get callingUserId");
1509 return GENERAL_ERROR;
1510 }
1511
1512 auto hdi = HdiWrapper::GetHdiInstance();
1513 if (hdi == nullptr) {
1514 IAM_LOGE("hdi interface is nullptr");
1515 return GENERAL_ERROR;
1516 }
1517 HdiEnrolledState hdiEnrolledState = {};
1518 int32_t result = hdi->GetEnrolledState(userId, static_cast<HdiAuthType>(authType), hdiEnrolledState);
1519 if (result == NOT_ENROLLED) {
1520 IAM_LOGI("credential is not enrolled, userId:%{public}d authType:%{public}d", userId, authType);
1521 return result;
1522 }
1523 if (result != SUCCESS) {
1524 IAM_LOGE("failed to get enrolled state,userId:%{public}d authType:%{public}d", userId, authType);
1525 return result;
1526 }
1527 ipcEnrolledState.credentialCount = hdiEnrolledState.credentialCount;
1528 ipcEnrolledState.credentialDigest = hdiEnrolledState.credentialDigest;
1529 if (apiVersion < INNER_API_VERSION_10000) {
1530 ipcEnrolledState.credentialDigest = hdiEnrolledState.credentialDigest & UINT16_MAX;
1531 }
1532 return SUCCESS;
1533 }
1534
GetEnrolledState(int32_t apiVersion,int32_t authType,IpcEnrolledState & ipcEnrolledState,int32_t & funcResult)1535 int32_t UserAuthService::GetEnrolledState(int32_t apiVersion, int32_t authType,
1536 IpcEnrolledState &ipcEnrolledState, int32_t &funcResult)
1537 {
1538 IAM_LOGI("start");
1539 funcResult = GetEnrolledStateImpl(apiVersion, authType, ipcEnrolledState);
1540 return SUCCESS;
1541 }
1542
RegistUserAuthSuccessEventListener(const sptr<IEventListenerCallback> & listener)1543 int32_t UserAuthService::RegistUserAuthSuccessEventListener(const sptr<IEventListenerCallback> &listener)
1544 {
1545 IAM_LOGI("start");
1546 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1547 IF_FALSE_LOGE_AND_RETURN_VAL(listener != nullptr, INVALID_PARAMETERS);
1548
1549 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1550 IAM_LOGE("failed to check permission");
1551 return CHECK_PERMISSION_FAILED;
1552 }
1553
1554 int32_t result = AuthEventListenerManager::GetInstance().RegistEventListener(listener);
1555 if (result != SUCCESS) {
1556 IAM_LOGE("failed to regist auth event listener");
1557 return result;
1558 }
1559
1560 return SUCCESS;
1561 }
1562
UnRegistUserAuthSuccessEventListener(const sptr<IEventListenerCallback> & listener)1563 int32_t UserAuthService::UnRegistUserAuthSuccessEventListener(const sptr<IEventListenerCallback> &listener)
1564 {
1565 IAM_LOGI("start");
1566 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1567 IF_FALSE_LOGE_AND_RETURN_VAL(listener != nullptr, INVALID_PARAMETERS);
1568
1569 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1570 IAM_LOGE("failed to check permission");
1571 return CHECK_PERMISSION_FAILED;
1572 }
1573
1574 int32_t result = AuthEventListenerManager::GetInstance().UnRegistEventListener(listener);
1575 if (result != SUCCESS) {
1576 IAM_LOGE("failed to unregist auth event listener");
1577 return result;
1578 }
1579
1580 return SUCCESS;
1581 }
1582
SetGlobalConfigParam(const IpcGlobalConfigParam & ipcGlobalConfigParam)1583 int32_t UserAuthService::SetGlobalConfigParam(const IpcGlobalConfigParam &ipcGlobalConfigParam)
1584 {
1585 IAM_LOGI("start, GlobalConfigType is %{public}d, userIds size %{public}zu, authTypes size %{public}zu",
1586 ipcGlobalConfigParam.type, ipcGlobalConfigParam.userIds.size(), ipcGlobalConfigParam.authTypes.size());
1587 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1588 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) ||
1589 !IpcCommon::CheckPermission(*this, ENTERPRISE_DEVICE_MGR)) {
1590 IAM_LOGE("failed to check permission");
1591 return CHECK_PERMISSION_FAILED;
1592 }
1593 if (ipcGlobalConfigParam.userIds.size() > MAX_USER || ipcGlobalConfigParam.authTypes.size() > MAX_AUTH_TYPE_SIZE ||
1594 ipcGlobalConfigParam.authTypes.size() == 0) {
1595 IAM_LOGE("bad global config param");
1596 return INVALID_PARAMETERS;
1597 }
1598
1599 HdiGlobalConfigParam paramConfig = {};
1600 switch (static_cast<GlobalConfigType>(ipcGlobalConfigParam.type)) {
1601 case GlobalConfigType::PIN_EXPIRED_PERIOD:
1602 if (ipcGlobalConfigParam.authTypes.size() != 1 || ipcGlobalConfigParam.authTypes[0] != PIN) {
1603 IAM_LOGE("bad authTypes for PIN_EXPIRED_PERIOD");
1604 return INVALID_PARAMETERS;
1605 }
1606 paramConfig.value.pinExpiredPeriod = ipcGlobalConfigParam.value.pinExpiredPeriod;
1607 break;
1608 case GlobalConfigType::ENABLE_STATUS:
1609 paramConfig.value.enableStatus = ipcGlobalConfigParam.value.enableStatus;
1610 break;
1611 default:
1612 IAM_LOGE("bad global config type");
1613 return INVALID_PARAMETERS;
1614 }
1615 paramConfig.type = static_cast<HdiGlobalConfigType>(ipcGlobalConfigParam.type);
1616 paramConfig.userIds = ipcGlobalConfigParam.userIds;
1617 for (const auto authType : ipcGlobalConfigParam.authTypes) {
1618 paramConfig.authTypes.push_back(static_cast<AuthType>(authType));
1619 }
1620 auto hdi = HdiWrapper::GetHdiInstance();
1621 if (hdi == nullptr) {
1622 IAM_LOGE("hdi interface is nullptr");
1623 return GENERAL_ERROR;
1624 }
1625 int32_t result = hdi->SetGlobalConfigParam(paramConfig);
1626 if (result != SUCCESS) {
1627 IAM_LOGE("failed to Set global config param");
1628 return result;
1629 }
1630
1631 return SUCCESS;
1632 }
1633
CompleteRemoteAuthParam(RemoteAuthParam & remoteAuthParam,const std::string & localNetworkId)1634 bool UserAuthService::CompleteRemoteAuthParam(RemoteAuthParam &remoteAuthParam, const std::string &localNetworkId)
1635 {
1636 IAM_LOGI("start");
1637 if (remoteAuthParam.verifierNetworkId.has_value() && remoteAuthParam.verifierNetworkId->size() !=
1638 NETWORK_ID_LENGTH) {
1639 IAM_LOGE("invalid verifierNetworkId size");
1640 return false;
1641 }
1642
1643 if (remoteAuthParam.collectorNetworkId.has_value() && remoteAuthParam.collectorNetworkId->size() !=
1644 NETWORK_ID_LENGTH) {
1645 IAM_LOGE("invalid collectorNetworkId size");
1646 return false;
1647 }
1648
1649 if (!remoteAuthParam.verifierNetworkId.has_value() && !remoteAuthParam.collectorNetworkId.has_value()) {
1650 IAM_LOGE("both verifierNetworkId and collectorNetworkId are not set");
1651 return false;
1652 }
1653
1654 if (!remoteAuthParam.verifierNetworkId.has_value()) {
1655 IAM_LOGI("verifierNetworkId not set, use local networkId as verifierNetworkId");
1656 remoteAuthParam.verifierNetworkId = localNetworkId;
1657 }
1658
1659 if (!remoteAuthParam.collectorNetworkId.has_value()) {
1660 IAM_LOGI("collectorNetworkId not set, use local networkId as collectorNetworkId");
1661 remoteAuthParam.collectorNetworkId = localNetworkId;
1662 }
1663
1664 if (remoteAuthParam.verifierNetworkId.value() != localNetworkId &&
1665 remoteAuthParam.collectorNetworkId.value() != localNetworkId) {
1666 IAM_LOGE("both verifierNetworkId and collectorNetworkId are not local networkId");
1667 return false;
1668 }
1669
1670 if (remoteAuthParam.verifierNetworkId.value() == remoteAuthParam.collectorNetworkId.value() &&
1671 remoteAuthParam.verifierNetworkId.value() != localNetworkId) {
1672 IAM_LOGE("verifierNetworkId and collectorNetworkId are the same and not local networkId");
1673 return false;
1674 }
1675
1676 if (remoteAuthParam.collectorNetworkId.value() != localNetworkId && !remoteAuthParam.collectorTokenId.has_value()) {
1677 IAM_LOGE("collectorNetworkId is not local networkId, collectorTokenId not set");
1678 return false;
1679 }
1680
1681 if (remoteAuthParam.collectorNetworkId.value() == localNetworkId && !remoteAuthParam.collectorTokenId.has_value()) {
1682 IAM_LOGI("collectorNetworkId is local networkId, update collectorTokenId with caller token id");
1683 remoteAuthParam.collectorTokenId = IpcCommon::GetAccessTokenId(*this);
1684 }
1685
1686 IAM_LOGI("success");
1687 return true;
1688 }
1689
GetAuthTokenAttr(const HdiUserAuthTokenPlain & tokenPlain,const std::vector<uint8_t> & rootSecret,Attributes & extraInfo)1690 bool UserAuthService::GetAuthTokenAttr(const HdiUserAuthTokenPlain &tokenPlain, const std::vector<uint8_t> &rootSecret,
1691 Attributes &extraInfo)
1692 {
1693 bool setTokenVersionRet = extraInfo.SetUint32Value(Attributes::ATTR_TOKEN_VERSION, tokenPlain.version);
1694 IF_FALSE_LOGE_AND_RETURN_VAL(setTokenVersionRet == true, false);
1695 bool setUserIdRet = extraInfo.SetInt32Value(Attributes::ATTR_USER_ID, tokenPlain.userId);
1696 IF_FALSE_LOGE_AND_RETURN_VAL(setUserIdRet == true, false);
1697 bool setChallengeRet = extraInfo.SetUint8ArrayValue(Attributes::ATTR_CHALLENGE, tokenPlain.challenge);
1698 IF_FALSE_LOGE_AND_RETURN_VAL(setChallengeRet == true, false);
1699 bool setTimeStampRet = extraInfo.SetUint64Value(Attributes::ATTR_TOKEN_TIME_INTERVAL, tokenPlain.timeInterval);
1700 IF_FALSE_LOGE_AND_RETURN_VAL(setTimeStampRet == true, false);
1701 bool setTrustLevelRet = extraInfo.SetUint32Value(Attributes::ATTR_AUTH_TRUST_LEVEL, tokenPlain.authTrustLevel);
1702 IF_FALSE_LOGE_AND_RETURN_VAL(setTrustLevelRet == true, false);
1703 bool setAuthTypeRet = extraInfo.SetInt32Value(Attributes::ATTR_AUTH_TYPE, tokenPlain.authType);
1704 IF_FALSE_LOGE_AND_RETURN_VAL(setAuthTypeRet == true, false);
1705 bool setTokenTypeRet = extraInfo.SetInt32Value(Attributes::ATTR_TOKEN_TYPE, tokenPlain.tokenType);
1706 IF_FALSE_LOGE_AND_RETURN_VAL(setTokenTypeRet == true, false);
1707 bool setSecureUidRet = extraInfo.SetUint64Value(Attributes::ATTR_SEC_USER_ID, tokenPlain.secureUid);
1708 IF_FALSE_LOGE_AND_RETURN_VAL(setSecureUidRet == true, false);
1709 bool setEnrolledIdRet = extraInfo.SetUint64Value(Attributes::ATTR_CREDENTIAL_DIGEST, tokenPlain.enrolledId);
1710 IF_FALSE_LOGE_AND_RETURN_VAL(setEnrolledIdRet == true, false);
1711 bool setCredentialIdRet = extraInfo.SetUint64Value(Attributes::ATTR_CREDENTIAL_ID, tokenPlain.credentialId);
1712 IF_FALSE_LOGE_AND_RETURN_VAL(setCredentialIdRet == true, false);
1713 if (rootSecret.size() != 0) {
1714 bool setRootSecret = extraInfo.SetUint8ArrayValue(Attributes::ATTR_ROOT_SECRET, rootSecret);
1715 IF_FALSE_LOGE_AND_RETURN_VAL(setRootSecret == true, false);
1716 }
1717 return true;
1718 }
1719
VerifyAuthToken(const std::vector<uint8_t> & tokenIn,uint64_t allowableDuration,const sptr<IVerifyTokenCallback> & verifyTokenCallback)1720 int32_t UserAuthService::VerifyAuthToken(const std::vector<uint8_t> &tokenIn, uint64_t allowableDuration,
1721 const sptr<IVerifyTokenCallback> &verifyTokenCallback)
1722 {
1723 IAM_LOGI("start, duration:%{public}" PRIu64 ", tokenIn size:%{public}zu.", allowableDuration, tokenIn.size());
1724 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1725 IF_FALSE_LOGE_AND_RETURN_VAL(verifyTokenCallback != nullptr, INVALID_PARAMETERS);
1726
1727 Attributes extraInfo;
1728 if (tokenIn.size() == 0 || tokenIn.data() == nullptr || allowableDuration > MAX_TOKEN_ALLOWABLE_DURATION) {
1729 IAM_LOGE("bad parameter");
1730 verifyTokenCallback->OnVerifyTokenResult(INVALID_PARAMETERS, extraInfo.Serialize());
1731 return INVALID_PARAMETERS;
1732 }
1733 if (!IpcCommon::CheckPermission(*this, USE_USER_ACCESS_MANAGER)) {
1734 IAM_LOGE("failed to check permission");
1735 verifyTokenCallback->OnVerifyTokenResult(CHECK_PERMISSION_FAILED, extraInfo.Serialize());
1736 return CHECK_PERMISSION_FAILED;
1737 }
1738 if (IpcCommon::GetDirectCallerType(*this) != Security::AccessToken::TOKEN_NATIVE &&
1739 !IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
1740 IAM_LOGE("caller is not systemApp.");
1741 verifyTokenCallback->OnVerifyTokenResult(CHECK_SYSTEM_APP_FAILED, extraInfo.Serialize());
1742 return CHECK_SYSTEM_APP_FAILED;
1743 }
1744
1745 auto hdi = HdiWrapper::GetHdiInstance();
1746 if (hdi == nullptr) {
1747 IAM_LOGE("hdi interface is nullptr");
1748 verifyTokenCallback->OnVerifyTokenResult(GENERAL_ERROR, extraInfo.Serialize());
1749 return GENERAL_ERROR;
1750 }
1751
1752 HdiUserAuthTokenPlain tokenPlain = {};
1753 std::vector<uint8_t> rootSecret = {};
1754 int32_t result = hdi->VerifyAuthToken(tokenIn, allowableDuration, tokenPlain, rootSecret);
1755 if (result != SUCCESS) {
1756 IAM_LOGE("VerifyAuthToken failed result:%{public}d", result);
1757 verifyTokenCallback->OnVerifyTokenResult(result, extraInfo.Serialize());
1758 return result;
1759 }
1760 if (!GetAuthTokenAttr(tokenPlain, rootSecret, extraInfo)) {
1761 IAM_LOGE("GetAuthTokenAttr failed");
1762 verifyTokenCallback->OnVerifyTokenResult(GENERAL_ERROR, extraInfo.Serialize());
1763 return GENERAL_ERROR;
1764 }
1765 verifyTokenCallback->OnVerifyTokenResult(SUCCESS, extraInfo.Serialize());
1766 return SUCCESS;
1767 }
1768
QueryReusableAuthResult(const IpcAuthParamInner & ipcAuthParamInner,std::vector<uint8_t> & token)1769 int32_t UserAuthService::QueryReusableAuthResult(const IpcAuthParamInner &ipcAuthParamInner,
1770 std::vector<uint8_t> &token)
1771 {
1772 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1773 IAM_LOGE("failed to check permission");
1774 return CHECK_PERMISSION_FAILED;
1775 }
1776
1777 if (!(IpcCommon::GetDirectCallerType(*this) == Security::AccessToken::TOKEN_HAP &&
1778 IpcCommon::CheckPermission(*this, IS_SYSTEM_APP))) {
1779 IAM_LOGE("caller is not systemApp.");
1780 return CHECK_SYSTEM_APP_FAILED;
1781 }
1782
1783 AuthParamInner authParam = {};
1784 InitAuthParam(ipcAuthParamInner, authParam);
1785 if (!authParam.isUserIdSpecified) {
1786 if (IpcCommon::GetCallingUserId(*this, authParam.userId) != SUCCESS) {
1787 IAM_LOGE("failed to get callingUserId");
1788 return GENERAL_ERROR;
1789 }
1790 }
1791
1792 HdiReuseUnlockInfo reuseResultInfo = {};
1793 int32_t result = AuthWidgetHelper::QueryReusableAuthResult(authParam.userId, authParam, reuseResultInfo);
1794 if (result != SUCCESS) {
1795 IAM_LOGE("CheckReuseUnlockResult failed result:%{public}d userId:%{public}d", result,
1796 ipcAuthParamInner.userId);
1797 return result;
1798 }
1799
1800 token = reuseResultInfo.token;
1801 return SUCCESS;
1802 }
1803
InitAuthParam(const IpcAuthParamInner & ipcAuthParam,AuthParamInner & authParam)1804 void UserAuthService::InitAuthParam(const IpcAuthParamInner &ipcAuthParam, AuthParamInner &authParam)
1805 {
1806 authParam.userId = ipcAuthParam.userId;
1807 authParam.isUserIdSpecified = ipcAuthParam.isUserIdSpecified;
1808 authParam.challenge = ipcAuthParam.challenge;
1809 authParam.authType = static_cast<AuthType>(ipcAuthParam.authType);
1810 authParam.authTypes.resize(ipcAuthParam.authTypes.size());
1811 std::transform(ipcAuthParam.authTypes.begin(), ipcAuthParam.authTypes.end(),
1812 authParam.authTypes.begin(), [](int32_t authType) {
1813 return static_cast<AuthType>(authType);
1814 });
1815 authParam.authTrustLevel = static_cast<AuthTrustLevel>(ipcAuthParam.authTrustLevel);
1816 authParam.authIntent = static_cast<AuthIntent>(ipcAuthParam.authIntent);
1817 authParam.skipLockedBiometricAuth = ipcAuthParam.skipLockedBiometricAuth;
1818 authParam.reuseUnlockResult.isReuse = ipcAuthParam.reuseUnlockResult.isReuse;
1819 authParam.reuseUnlockResult.reuseMode = static_cast<ReuseMode>(ipcAuthParam.reuseUnlockResult.reuseMode);
1820 authParam.reuseUnlockResult.reuseDuration = ipcAuthParam.reuseUnlockResult.reuseDuration;
1821 }
1822
InitRemoteAuthParam(const IpcRemoteAuthParam & ipcRemoteAuthParam,std::optional<RemoteAuthParam> & remoteAuthParam)1823 void UserAuthService::InitRemoteAuthParam(const IpcRemoteAuthParam &ipcRemoteAuthParam,
1824 std::optional<RemoteAuthParam> &remoteAuthParam)
1825 {
1826 if (ipcRemoteAuthParam.isHasRemoteAuthParam) {
1827 remoteAuthParam = RemoteAuthParam{};
1828 remoteAuthParam->verifierNetworkId = std::nullopt;
1829 remoteAuthParam->collectorNetworkId = std::nullopt;
1830 remoteAuthParam->collectorTokenId = std::nullopt;
1831 if (ipcRemoteAuthParam.isHasVerifierNetworkId) {
1832 remoteAuthParam->verifierNetworkId = ipcRemoteAuthParam.verifierNetworkId;
1833 }
1834 if (ipcRemoteAuthParam.isHasCollectorNetworkId) {
1835 remoteAuthParam->collectorNetworkId = ipcRemoteAuthParam.collectorNetworkId;
1836 }
1837 if (ipcRemoteAuthParam.isHasCollectorTokenId) {
1838 remoteAuthParam->collectorTokenId = ipcRemoteAuthParam.collectorTokenId;
1839 }
1840 }
1841 }
1842
InitWidgetParam(const IpcWidgetParamInner & ipcWidgetParam,WidgetParamInner & widgetParam)1843 void UserAuthService::InitWidgetParam(const IpcWidgetParamInner &ipcWidgetParam, WidgetParamInner &widgetParam)
1844 {
1845 widgetParam.title = ipcWidgetParam.title;
1846 widgetParam.navigationButtonText = ipcWidgetParam.navigationButtonText;
1847 widgetParam.windowMode = static_cast<WindowModeType>(ipcWidgetParam.windowMode);
1848 widgetParam.hasContext = ipcWidgetParam.hasContext;
1849 }
1850
CallbackEnter(uint32_t code)1851 int32_t UserAuthService::CallbackEnter([[maybe_unused]] uint32_t code)
1852 {
1853 IAM_LOGI("start, code:%{public}u", code);
1854 return SUCCESS;
1855 }
1856
CallbackExit(uint32_t code,int32_t result)1857 int32_t UserAuthService::CallbackExit([[maybe_unused]] uint32_t code, [[maybe_unused]] int32_t result)
1858 {
1859 IAM_LOGI("leave, code:%{public}u, result:%{public}d", code, result);
1860 return SUCCESS;
1861 }
1862 } // namespace UserAuth
1863 } // namespace UserIam
1864 } // namespace OHOS