1 /*
2 * Copyright (c) 2021-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "os_account_manager_service.h"
16 #include <algorithm>
17 #include <cstddef>
18 #include <stack>
19 #include "account_constants.h"
20 #include "account_info.h"
21 #include "account_log_wrapper.h"
22 #include "account_hisysevent_adapter.h"
23 #include "iinner_os_account_manager.h"
24 #include "ipc_skeleton.h"
25 #include "os_account_constants.h"
26 #ifdef HICOLLIE_ENABLE
27 #include "account_timer.h"
28 #include "xcollie/xcollie.h"
29 #endif // HICOLLIE_ENABLE
30 #include "os_account_info_json_parser.h"
31
32 namespace OHOS {
33 namespace AccountSA {
34 namespace {
35 #ifdef HICOLLIE_ENABLE
36 thread_local std::stack<int32_t> g_timerIdStack;
37 #endif
38 const std::string DUMP_TAB_CHARACTER = "\t";
39 const std::map<OsAccountType, std::string> DUMP_TYPE_MAP = {
40 {OsAccountType::ADMIN, "admin"},
41 {OsAccountType::NORMAL, "normal"},
42 {OsAccountType::GUEST, "guest"},
43 {OsAccountType::PRIVATE, "private"},
44 {OsAccountType::MAINTENANCE, "maintenance"},
45 };
46 const char CONSTANT_CREATE[] = "constraint.os.account.create";
47 const char CONSTANT_CREATE_DIRECTLY[] = "constraint.os.account.create.directly";
48 const char CONSTANT_REMOVE[] = "constraint.os.account.remove";
49 const char CONSTANT_ACTIVATE[] = "constraint.os.account.activate";
50 const char CONSTANT_SET_ICON[] = "constraint.os.account.set.icon";
51 #ifndef IS_RELEASE_VERSION
52 const std::int32_t ROOT_UID = 0;
53 #endif
54 const char DEFAULT_ANON_STR[] = "**********";
55 const size_t INTERCEPT_HEAD_PART_LEN_FOR_NAME = 1;
56
57 const char MANAGE_LOCAL_ACCOUNTS[] = "ohos.permission.MANAGE_LOCAL_ACCOUNTS";
58 const char GET_LOCAL_ACCOUNTS[] = "ohos.permission.GET_LOCAL_ACCOUNTS";
59 const char INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION[] =
60 "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
61 const char INTERACT_ACROSS_LOCAL_ACCOUNTS[] = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
62 const std::string GET_DOMAIN_ACCOUNTS = "ohos.permission.GET_DOMAIN_ACCOUNTS";
63 const std::string MANAGE_EDM_POLICY = "ohos.permission.MANAGE_EDM_POLICY";
64 const std::set<uint32_t> uidWhiteListForCreation { 3057 };
65 const std::string SPECIAL_CHARACTER_ARRAY = "<>|\":*?/\\";
66 const std::vector<std::string> SHORT_NAME_CANNOT_BE_NAME_ARRAY = {".", ".."};
67 #ifdef HICOLLIE_ENABLE
68 constexpr std::int32_t RECOVERY_TIMEOUT = 6; // timeout 6s
69 #endif
70 const std::set<uint32_t> WATCH_DOG_WHITE_LIST = {
71 static_cast<uint32_t>(IOsAccountIpcCode::COMMAND_CREATE_OS_ACCOUNT),
72 static_cast<uint32_t>(
73 IOsAccountIpcCode::
74 COMMAND_CREATE_OS_ACCOUNT_IN_STRING_IN_STRING_IN_INT_OUT_STRINGRAWDATA_IN_CREATEOSACCOUNTOPTIONS),
75 static_cast<uint32_t>(
76 IOsAccountIpcCode::
77 COMMAND_CREATE_OS_ACCOUNT_IN_STRING_IN_STRING_IN_INT_OUT_STRINGRAWDATA),
78 static_cast<uint32_t>(
79 IOsAccountIpcCode::COMMAND_CREATE_OS_ACCOUNT_WITH_FULL_INFO),
80 static_cast<uint32_t>(
81 IOsAccountIpcCode::
82 COMMAND_CREATE_OS_ACCOUNT_WITH_FULL_INFO_IN_OSACCOUNTINFO),
83 static_cast<uint32_t>(
84 IOsAccountIpcCode::COMMAND_CREATE_OS_ACCOUNT_FOR_DOMAIN),
85 static_cast<uint32_t>(
86 IOsAccountIpcCode::
87 COMMAND_CREATE_OS_ACCOUNT_FOR_DOMAIN_IN_INT_IN_DOMAINACCOUNTINFO_IN_IDOMAINACCOUNTCALLBACK),
88 };
89
AnonymizeNameStr(const std::string & nameStr)90 std::string AnonymizeNameStr(const std::string& nameStr)
91 {
92 if (nameStr.empty()) {
93 return nameStr;
94 }
95 std::string retStr = nameStr.substr(0, INTERCEPT_HEAD_PART_LEN_FOR_NAME) + DEFAULT_ANON_STR;
96 return retStr;
97 }
98
CheckLocalId(int localId)99 ErrCode CheckLocalId(int localId)
100 {
101 if (localId < 0) {
102 ACCOUNT_LOGE("Id %{public}d is invalid", localId);
103 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
104 }
105 return ERR_OK;
106 }
107
IsTypeOutOfRange(const OsAccountType & type)108 bool IsTypeOutOfRange(const OsAccountType& type)
109 {
110 if (type == OsAccountType::MAINTENANCE) {
111 #ifndef IS_RELEASE_VERSION
112 // root check in none release version for test
113 if (!AccountPermissionManager::CheckSaCall() && !AccountPermissionManager::CheckShellCall()) {
114 #else
115 if (!AccountPermissionManager::CheckSaCall()) {
116 #endif
117 return true;
118 }
119 return false;
120 }
121 if ((type < OsAccountType::ADMIN) || (type >= OsAccountType::END)) {
122 return true;
123 }
124 if ((type > OsAccountType::GUEST) && (type < OsAccountType::PRIVATE)) {
125 return true;
126 }
127 return false;
128 }
129
130 void WriteOsAccountInfo(StringRawData& stringRawData, const OsAccountInfo& osAccountInfo)
131 {
132 std::string accountJson = osAccountInfo.ToString();
133 stringRawData.Marshalling(accountJson);
134 }
135
136 bool WriteOsAccountInfoVector(StringRawData& stringRawData, const std::vector<OsAccountInfo>& osAccountInfos)
137 {
138 auto accountJsons = CreateJsonArray();
139 for (const auto& accountItem : osAccountInfos) {
140 auto accountJson = ToJson(accountItem);
141 if (accountJson != nullptr) {
142 AddObjToArray(accountJsons, accountJson);
143 }
144 }
145 std::string accountStr = PackJsonToString(accountJsons);
146 if (accountStr.size() >= Constants::IPC_WRITE_RAW_DATA_MAX_SIZE) {
147 ACCOUNT_LOGE("AccountArrayJson is too long");
148 return false;
149 }
150 stringRawData.Marshalling(accountStr);
151 return true;
152 }
153
154 ErrCode CheckOsAccountConstraint(const std::string &constraint)
155 {
156 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
157 ACCOUNT_LOGE("Failed to read string for constraint, please check constraint length %{public}zu.",
158 constraint.size());
159 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
160 }
161 return ERR_OK;
162 }
163 } // namespace
164
OsAccountManagerService()165 OsAccountManagerService::OsAccountManagerService() : innerManager_(IInnerOsAccountManager::GetInstance()),
166 constraintManger_(OsAccountConstraintManager::GetInstance())
167 {}
168
~OsAccountManagerService()169 OsAccountManagerService::~OsAccountManagerService()
170 {}
171
CreateOsAccount(const std::string & name,const OsAccountType & type,OsAccountInfo & osAccountInfo)172 ErrCode OsAccountManagerService::CreateOsAccount(
173 const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)
174 {
175 ErrCode errCode = ValidateAccountCreateParamAndPermission(name, type);
176 if (errCode != ERR_OK) {
177 return errCode;
178 }
179 return innerManager_.CreateOsAccount(name, type, osAccountInfo);
180 }
181
CreateOsAccount(const std::string & name,int32_t typeValue,StringRawData & stringRawData)182 ErrCode OsAccountManagerService::CreateOsAccount(
183 const std::string &name, int32_t typeValue, StringRawData& stringRawData)
184 {
185 ErrCode result = AccountPermissionManager::CheckSystemApp();
186 if (result != ERR_OK) {
187 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
188 return result;
189 }
190
191 auto type = static_cast<OsAccountType>(typeValue);
192 OsAccountInfo osAccountInfo;
193 auto errCode = CreateOsAccount(name, type, osAccountInfo);
194 if (errCode == ERR_OK) {
195 WriteOsAccountInfo(stringRawData, osAccountInfo);
196 }
197 return errCode;
198 }
199
ValidateShortName(const std::string & shortName)200 ErrCode OsAccountManagerService::ValidateShortName(const std::string &shortName)
201 {
202 size_t shortNameSize = shortName.size();
203 if (shortNameSize == 0 || shortNameSize > Constants::SHORT_NAME_MAX_SIZE) {
204 ACCOUNT_LOGE("CreateOsAccount short name length %{public}zu is invalid!", shortNameSize);
205 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
206 }
207
208 if (shortName.find_first_of(SPECIAL_CHARACTER_ARRAY) != std::string::npos) {
209 ACCOUNT_LOGE("CreateOsAccount short name is invalidate, short name is %{public}s !", shortName.c_str());
210 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
211 }
212
213 for (size_t i = 0; i < SHORT_NAME_CANNOT_BE_NAME_ARRAY.size(); i++) {
214 if (shortName == SHORT_NAME_CANNOT_BE_NAME_ARRAY[i]) {
215 ACCOUNT_LOGE("CreateOsAccount short name is invalidate, short name is %{public}s !", shortName.c_str());
216 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
217 }
218 }
219 return ERR_OK;
220 }
221
CreateOsAccount(const std::string & localName,const std::string & shortName,const OsAccountType & type,OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)222 ErrCode OsAccountManagerService::CreateOsAccount(const std::string &localName, const std::string &shortName,
223 const OsAccountType &type, OsAccountInfo &osAccountInfo, const CreateOsAccountOptions &options)
224 {
225 #ifdef ENABLE_ACCOUNT_SHORT_NAME
226 OsAccountInfo accountInfoOld;
227 ErrCode code = innerManager_.GetRealOsAccountInfoById(Constants::START_USER_ID, accountInfoOld);
228 if (code != ERR_OK) {
229 ACCOUNT_LOGE("QueryOsAccountById error, errCode %{public}d.", code);
230 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
231 }
232 DomainAccountInfo domainAccountInfo;
233 accountInfoOld.GetDomainInfo(domainAccountInfo);
234 if (accountInfoOld.GetShortName().empty() && domainAccountInfo.accountName_.empty()) {
235 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
236 ACCOUNT_LOGE("Account manager service, permission denied!");
237 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
238 }
239 accountInfoOld.SetType(type);
240 accountInfoOld.SetLocalName(localName);
241 accountInfoOld.SetShortName(shortName);
242 code = innerManager_.UpdateFirstOsAccountInfo(accountInfoOld, osAccountInfo);
243 return code;
244 }
245 #endif // ENABLE_ACCOUNT_SHORT_NAME
246 ErrCode errCode = ValidateAccountCreateParamAndPermission(localName, type);
247 if (errCode != ERR_OK) {
248 return errCode;
249 }
250
251 if (options.hasShortName) {
252 errCode = ValidateShortName(shortName);
253 if (errCode != ERR_OK) {
254 return errCode;
255 }
256 }
257
258 return innerManager_.CreateOsAccount(localName, shortName, type, osAccountInfo, options);
259 }
260
CreateOsAccount(const std::string & localName,const std::string & shortName,int32_t typeValue,StringRawData & stringRawData)261 ErrCode OsAccountManagerService::CreateOsAccount(const std::string &localName, const std::string &shortName,
262 int32_t typeValue, StringRawData& stringRawData)
263 {
264 CreateOsAccountOptions options = {};
265 return CreateOsAccount(localName, shortName, typeValue, stringRawData, options);
266 }
267
CreateOsAccount(const std::string & localName,const std::string & shortName,int32_t typeValue,StringRawData & stringRawData,const CreateOsAccountOptions & options)268 ErrCode OsAccountManagerService::CreateOsAccount(const std::string &localName, const std::string &shortName,
269 int32_t typeValue, StringRawData& stringRawData, const CreateOsAccountOptions &options)
270 {
271 ErrCode result = AccountPermissionManager::CheckSystemApp();
272 if (result != ERR_OK) {
273 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
274 return result;
275 }
276
277 auto type = static_cast<OsAccountType>(typeValue);
278 OsAccountInfo osAccountInfo;
279 auto errCode = CreateOsAccount(localName, shortName, type, osAccountInfo, options);
280 if (errCode == ERR_OK) {
281 WriteOsAccountInfo(stringRawData, osAccountInfo);
282 }
283 return errCode;
284 }
285
ValidateAccountCreateParamAndPermission(const std::string & localName,const OsAccountType & type)286 ErrCode OsAccountManagerService::ValidateAccountCreateParamAndPermission(const std::string &localName,
287 const OsAccountType &type)
288 {
289 // permission check
290 if (!CheckCreateOsAccountWhiteList() &&
291 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY) ||
292 !PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE))) {
293 ACCOUNT_LOGE("Account manager service, permission denied!");
294 REPORT_PERMISSION_FAIL();
295 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
296 }
297
298 bool isMultiOsAccountEnable = false;
299 IsMultiOsAccountEnable(isMultiOsAccountEnable);
300 if (!isMultiOsAccountEnable) {
301 ACCOUNT_LOGE("System is not multi os account enable error");
302 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
303 }
304
305 size_t localNameSize = localName.size();
306 if ((localNameSize == 0) || (localNameSize > Constants::LOCAL_NAME_MAX_SIZE)) {
307 ACCOUNT_LOGE("CreateOsAccount local name length %{public}zu is invalid!", localNameSize);
308 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
309 }
310
311 if (IsTypeOutOfRange(type)) {
312 ACCOUNT_LOGE("Os account type is invalid");
313 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
314 }
315
316 bool isAllowedCreateAdmin = false;
317 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
318 if (errCode != ERR_OK) {
319 ACCOUNT_LOGE("Query allowed create admin error");
320 return errCode;
321 }
322 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
323 ACCOUNT_LOGE("Cannot create admin account error");
324 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
325 }
326 return ERR_OK;
327 }
328
CreateOsAccountWithFullInfo(const OsAccountInfo & osAccountInfo)329 ErrCode OsAccountManagerService::CreateOsAccountWithFullInfo(const OsAccountInfo& osAccountInfo)
330 {
331 CreateOsAccountOptions options = {};
332 return CreateOsAccountWithFullInfo(osAccountInfo, options);
333 }
334
CreateOsAccountWithFullInfo(const OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)335 ErrCode OsAccountManagerService::CreateOsAccountWithFullInfo(const OsAccountInfo& osAccountInfo,
336 const CreateOsAccountOptions &options)
337 {
338 ErrCode code = const_cast<OsAccountInfo *>(&osAccountInfo)->ParamCheck();
339 if (code != ERR_OK) {
340 ACCOUNT_LOGE("OsAccountInfo required field is invalidate, code = %{public}u.", code);
341 return code;
342 }
343 ErrCode result = AccountPermissionManager::CheckSystemApp();
344 if (result != ERR_OK) {
345 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
346 return result;
347 }
348
349 bool isMultiOsAccountEnable = false;
350 innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
351 if (!isMultiOsAccountEnable) {
352 ACCOUNT_LOGE("System is not multi os account enable error");
353 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
354 }
355
356 if ((!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) ||
357 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY))) {
358 ACCOUNT_LOGE("Account manager service, permission denied!");
359 REPORT_PERMISSION_FAIL();
360 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
361 }
362
363 bool isAllowedCreateAdmin = false;
364 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
365 if (errCode != ERR_OK) {
366 ACCOUNT_LOGE("Query allowed create admin error");
367 return errCode;
368 }
369 if (!isAllowedCreateAdmin && (osAccountInfo.GetType() == OsAccountType::ADMIN)) {
370 ACCOUNT_LOGE("Cannot create admin account error");
371 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
372 }
373
374 auto convertOsAccountInfo = osAccountInfo;
375 return innerManager_.CreateOsAccountWithFullInfo(convertOsAccountInfo, options);
376 }
377
UpdateOsAccountWithFullInfo(const OsAccountInfo & osAccountInfo)378 ErrCode OsAccountManagerService::UpdateOsAccountWithFullInfo(const OsAccountInfo& osAccountInfo)
379 {
380 ErrCode code = const_cast<OsAccountInfo *>(&osAccountInfo)->ParamCheck();
381 if (code != ERR_OK) {
382 ACCOUNT_LOGE("OsAccountInfo required field is invalidate, code = %{public}u.", code);
383 return code;
384 }
385 ErrCode result = AccountPermissionManager::CheckSystemApp();
386 if (result != ERR_OK) {
387 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
388 return result;
389 }
390
391 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
392 ACCOUNT_LOGE("Account manager service, permission denied!");
393 REPORT_PERMISSION_FAIL();
394 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
395 }
396
397 bool isAllowedCreateAdmin = false;
398 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
399 if (errCode != ERR_OK) {
400 ACCOUNT_LOGE("Query allowed update admin error");
401 return errCode;
402 }
403 if (!isAllowedCreateAdmin && osAccountInfo.GetType() == OsAccountType::ADMIN) {
404 ACCOUNT_LOGE("Cannot update admin account error");
405 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
406 }
407
408 auto convertOsAccountInfo = osAccountInfo;
409 return innerManager_.UpdateOsAccountWithFullInfo(convertOsAccountInfo);
410 }
411
CreateOsAccountForDomain(const OsAccountType & type,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback,const CreateOsAccountForDomainOptions & options)412 ErrCode OsAccountManagerService::CreateOsAccountForDomain(const OsAccountType &type,
413 const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback,
414 const CreateOsAccountForDomainOptions &options)
415 {
416 ACCOUNT_LOGI("Start");
417 // permission check
418 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) {
419 ACCOUNT_LOGE("Account manager service, permission denied!");
420 REPORT_PERMISSION_FAIL();
421 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
422 }
423
424 // parameters check
425 if (IsTypeOutOfRange(type)) {
426 ACCOUNT_LOGE("Os account type is invalid");
427 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
428 }
429 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
430 ACCOUNT_LOGE("Domain account name is empty or domain is empty");
431 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
432 }
433 if (domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE ||
434 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
435 ACCOUNT_LOGE("Domain account name is overlength or domain is overlength");
436 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
437 }
438
439 if (options.hasShortName || (options.shortName != "")) {
440 ErrCode code = ValidateShortName(options.shortName);
441 if (code != ERR_OK) {
442 ACCOUNT_LOGE("Failed to create os account for domain, shortName=%{public}s is invalid!",
443 options.shortName.c_str());
444 return code;
445 }
446 }
447
448 bool isAllowedCreateAdmin = false;
449 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
450 if (errCode != ERR_OK) {
451 ACCOUNT_LOGE("Failed to get allowed create admin permission, code=%{public}d.", errCode);
452 return errCode;
453 }
454 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
455 ACCOUNT_LOGE("Do not allowed create admin.");
456 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
457 }
458 return innerManager_.CreateOsAccountForDomain(type, domainInfo, callback, options);
459 }
460
CreateOsAccountForDomain(int32_t typeValue,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback)461 ErrCode OsAccountManagerService::CreateOsAccountForDomain(int32_t typeValue, const DomainAccountInfo &domainInfo,
462 const sptr<IDomainAccountCallback> &callback)
463 {
464 CreateOsAccountForDomainOptions options = {};
465 return CreateOsAccountForDomain(typeValue, domainInfo, callback, options);
466 }
467
CreateOsAccountForDomain(int32_t typeValue,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback,const CreateOsAccountForDomainOptions & options)468 ErrCode OsAccountManagerService::CreateOsAccountForDomain(int32_t typeValue,
469 const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback,
470 const CreateOsAccountForDomainOptions &options)
471 {
472 ErrCode result = AccountPermissionManager::CheckSystemApp();
473 if (result != ERR_OK) {
474 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
475 return result;
476 }
477 auto type = static_cast<OsAccountType>(typeValue);
478 return CreateOsAccountForDomain(type, domainInfo, callback, options);
479 }
480
RemoveOsAccount(int32_t id)481 ErrCode OsAccountManagerService::RemoveOsAccount(int32_t id)
482 {
483 ErrCode result = AccountPermissionManager::CheckSystemApp();
484 if (result != ERR_OK) {
485 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
486 return result;
487 }
488 // parameters check
489 ErrCode res = CheckLocalId(id);
490 if (res != ERR_OK) {
491 return res;
492 }
493 if (id == Constants::START_USER_ID) {
494 ACCOUNT_LOGE("Cannot remove system preinstalled user");
495 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
496 }
497 res = CheckLocalIdRestricted(id);
498 if (res != ERR_OK) {
499 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, id);
500 return res;
501 }
502 // permission check
503 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_REMOVE)) {
504 ACCOUNT_LOGE("Account manager service, permission denied!");
505 REPORT_PERMISSION_FAIL();
506 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
507 }
508
509 return innerManager_.RemoveOsAccount(id);
510 }
511
IsOsAccountExists(int32_t id,bool & isOsAccountExists)512 ErrCode OsAccountManagerService::IsOsAccountExists(int32_t id, bool &isOsAccountExists)
513 {
514 return innerManager_.IsOsAccountExists(id, isOsAccountExists);
515 }
516
IsOsAccountActived(int32_t id,bool & isOsAccountActived)517 ErrCode OsAccountManagerService::IsOsAccountActived(int32_t id, bool &isOsAccountActived)
518 {
519 // check current account state
520 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
521 if (callerUserId == id) {
522 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
523 }
524
525 // check other account state, check permission first
526 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
527 ACCOUNT_LOGE("Account manager service, permission denied!");
528 REPORT_PERMISSION_FAIL();
529 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
530 }
531
532 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
533 }
534
IsOsAccountConstraintEnable(int32_t id,const std::string & constraint,bool & isConstraintEnable)535 ErrCode OsAccountManagerService::IsOsAccountConstraintEnable(
536 int32_t id, const std::string &constraint, bool &isConstraintEnable)
537 {
538 ErrCode res = CheckOsAccountConstraint(constraint);
539 if (res != ERR_OK) {
540 return res;
541 }
542 res = CheckLocalId(id);
543 if (res != ERR_OK) {
544 return res;
545 }
546 // permission check
547 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
548 ACCOUNT_LOGE("Account manager service, permission denied!");
549 REPORT_PERMISSION_FAIL();
550 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
551 }
552
553 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isConstraintEnable);
554 }
555
CheckOsAccountConstraintEnabled(int32_t id,const std::string & constraint,bool & isEnabled)556 ErrCode OsAccountManagerService::CheckOsAccountConstraintEnabled(
557 int32_t id, const std::string &constraint, bool &isEnabled)
558 {
559 ErrCode res = CheckOsAccountConstraint(constraint);
560 if (res != ERR_OK) {
561 return res;
562 }
563 res = CheckLocalId(id);
564 if (res != ERR_OK) {
565 return res;
566 }
567
568 // check current account state
569 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
570 if (callerUserId == id) {
571 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
572 }
573
574 // permission check
575 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
576 ACCOUNT_LOGE("Account manager service, permission denied!");
577 REPORT_PERMISSION_FAIL();
578 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
579 }
580
581 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
582 }
583
IsOsAccountVerified(int32_t id,bool & isVerified)584 ErrCode OsAccountManagerService::IsOsAccountVerified(int32_t id, bool &isVerified)
585 {
586 ErrCode res = CheckLocalId(id);
587 if (res != ERR_OK) {
588 return res;
589 }
590 // check current account state
591 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
592 if (callerUserId == id) {
593 return innerManager_.IsOsAccountVerified(id, isVerified);
594 }
595
596 // check other account state, check permission first
597 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
598 ACCOUNT_LOGE("Account manager service, permission denied!");
599 REPORT_PERMISSION_FAIL();
600 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
601 }
602
603 return innerManager_.IsOsAccountVerified(id, isVerified);
604 }
605
IsOsAccountDeactivating(int32_t id,bool & isDeactivating)606 ErrCode OsAccountManagerService::IsOsAccountDeactivating(int32_t id, bool &isDeactivating)
607 {
608 ErrCode res = CheckLocalId(id);
609 if (res != ERR_OK) {
610 return res;
611 }
612 // check current account state
613 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
614 if (callerUserId == id) {
615 return innerManager_.IsOsAccountDeactivating(id, isDeactivating);
616 }
617
618 // check other account state, check permission first
619 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
620 ACCOUNT_LOGE("Account manager service, permission denied!");
621 REPORT_PERMISSION_FAIL();
622 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
623 }
624
625 return innerManager_.IsOsAccountDeactivating(id, isDeactivating);
626 }
627
GetCreatedOsAccountsCount(unsigned int & osAccountsCount)628 ErrCode OsAccountManagerService::GetCreatedOsAccountsCount(unsigned int &osAccountsCount)
629 {
630 // permission check
631 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
632 ACCOUNT_LOGE("Account manager service, permission denied!");
633 REPORT_PERMISSION_FAIL();
634 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
635 }
636
637 return innerManager_.GetCreatedOsAccountsCount(osAccountsCount);
638 }
639
GetOsAccountLocalIdFromProcess(int & id)640 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromProcess(int &id)
641 {
642 #ifdef HICOLLIE_ENABLE
643 unsigned int flag = HiviewDFX::XCOLLIE_FLAG_LOG | HiviewDFX::XCOLLIE_FLAG_RECOVERY;
644 XCollieCallback callbackFunc = [callingPid = IPCSkeleton::GetCallingPid(),
645 callingUid = IPCSkeleton::GetCallingUid()](void *) {
646 ACCOUNT_LOGE("ProcGetOsAccountLocalIdFromProcess failed, callingPid: %{public}d, callingUid: %{public}d.",
647 callingPid, callingUid);
648 ReportOsAccountOperationFail(callingUid, "watchDog", -1, "Get osaccount local id time out");
649 };
650 int timerId = HiviewDFX::XCollie::GetInstance().SetTimer(
651 TIMER_NAME, RECOVERY_TIMEOUT, callbackFunc, nullptr, flag);
652 #endif // HICOLLIE_ENABLE
653 const std::int32_t uid = IPCSkeleton::GetCallingUid();
654 id = uid / UID_TRANSFORM_DIVISOR;
655 #ifdef HICOLLIE_ENABLE
656 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
657 #endif // HICOLLIE_ENABLE
658 return ERR_OK;
659 }
660
IsMainOsAccount(bool & isMainOsAccount)661 ErrCode OsAccountManagerService::IsMainOsAccount(bool &isMainOsAccount)
662 {
663 ErrCode result = AccountPermissionManager::CheckSystemApp();
664 if (result != ERR_OK) {
665 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
666 return result;
667 }
668 // permission check
669 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
670 ACCOUNT_LOGW("Account manager service, permission denied!");
671 REPORT_PERMISSION_FAIL();
672 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
673 }
674
675 const std::int32_t uid = IPCSkeleton::GetCallingUid();
676 isMainOsAccount = ((uid / UID_TRANSFORM_DIVISOR) == MAIN_OS_ACCOUNT_LOCAL_ID);
677 return ERR_OK;
678 }
679
GetOsAccountLocalIdFromDomain(const DomainAccountInfo & domainInfo,int & id)680 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)
681 {
682 if (domainInfo.domain_.empty() || domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
683 ACCOUNT_LOGE("Domain name length invalid. length %{public}zu.", domainInfo.domain_.size());
684 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
685 }
686
687 if (domainInfo.accountName_.empty() || domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE) {
688 ACCOUNT_LOGE("AccountName length invalid. length %{public}zu.", domainInfo.accountName_.size());
689 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
690 }
691 // permission check
692 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
693 ACCOUNT_LOGE("Account manager service, permission denied!");
694 REPORT_PERMISSION_FAIL();
695 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
696 }
697
698 return innerManager_.GetOsAccountLocalIdFromDomain(domainInfo, id);
699 }
700
QueryMaxOsAccountNumber(uint32_t & maxOsAccountNumber)701 ErrCode OsAccountManagerService::QueryMaxOsAccountNumber(uint32_t &maxOsAccountNumber)
702 {
703 ErrCode result = AccountPermissionManager::CheckSystemApp();
704 if (result != ERR_OK) {
705 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
706 return result;
707 }
708 return innerManager_.QueryMaxOsAccountNumber(maxOsAccountNumber);
709 }
710
QueryMaxLoggedInOsAccountNumber(uint32_t & maxNum)711 ErrCode OsAccountManagerService::QueryMaxLoggedInOsAccountNumber(uint32_t &maxNum)
712 {
713 ErrCode result = AccountPermissionManager::CheckSystemApp();
714 if (result != ERR_OK) {
715 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
716 return result;
717 }
718 return innerManager_.QueryMaxLoggedInOsAccountNumber(maxNum);
719 }
720
GetOsAccountAllConstraints(int32_t id,std::vector<std::string> & constraints)721 ErrCode OsAccountManagerService::GetOsAccountAllConstraints(int32_t id, std::vector<std::string> &constraints)
722 {
723 // permission check
724 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
725 ACCOUNT_LOGE("Account manager service, permission denied!");
726 REPORT_PERMISSION_FAIL();
727 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
728 }
729
730 return innerManager_.GetOsAccountAllConstraints(id, constraints);
731 }
732
733 #ifdef FUZZ_TEST
734 // LCOV_EXCL_START
735 #endif
QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> & osAccountInfos)736 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)
737 {
738 // permission check
739 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
740 ACCOUNT_LOGE("Account manager service, permission denied!");
741 REPORT_PERMISSION_FAIL();
742 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
743 }
744 ErrCode result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
745 if (result != ERR_OK) {
746 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
747 result, "Query all created os account failed.");
748 return result;
749 }
750 #ifdef SUPPORT_DOMAIN_ACCOUNTS
751 for (auto& info : osAccountInfos) {
752 result = GetServerConfigInfo(info);
753 if (result != ERR_OK) {
754 ACCOUNT_LOGE("Failed to get domain server config, error=%{public}d", result);
755 ReportOsAccountOperationFail(info.GetLocalId(), Constants::OPERATION_GET_INFO,
756 result, "Failed to get domain server config");
757 continue;
758 }
759 }
760 #endif // SUPPORT_DOMAIN_ACCOUNTS
761 return ERR_OK;
762 }
763 #ifdef FUZZ_TEST
764 // LCOV_EXCL_STOP
765 #endif
766
767 #ifdef FUZZ_TEST
768 // LCOV_EXCL_START
769 #endif
QueryAllCreatedOsAccounts(StringRawData & osAccountInfos)770 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(StringRawData& osAccountInfos)
771 {
772 ErrCode checkResult = AccountPermissionManager::CheckSystemApp();
773 if (checkResult != ERR_OK) {
774 ACCOUNT_LOGE("Is not system application, result = %{public}u.", checkResult);
775 return checkResult;
776 }
777 std::vector<OsAccountInfo> osAccountVec;
778 ErrCode errCode = QueryAllCreatedOsAccounts(osAccountVec);
779 if (errCode == ERR_OK && !WriteOsAccountInfoVector(osAccountInfos, osAccountVec)) {
780 ACCOUNT_LOGE("WriteOsAccountInfoVector failed, please check osAccountInfos");
781 return IPC_STUB_WRITE_PARCEL_ERR;
782 }
783 return errCode;
784 }
785
QueryCurrentOsAccount(OsAccountInfo & osAccountInfo)786 ErrCode OsAccountManagerService::QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)
787 {
788 // permission check
789 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && (!PermissionCheck(GET_LOCAL_ACCOUNTS, ""))) {
790 ACCOUNT_LOGE("Account manager service, permission denied!");
791 REPORT_PERMISSION_FAIL();
792 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
793 }
794
795 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
796 ErrCode errCode = innerManager_.QueryOsAccountById(id, osAccountInfo);
797 if (errCode != ERR_OK) {
798 return errCode;
799 }
800 #ifdef SUPPORT_DOMAIN_ACCOUNTS
801 errCode = GetServerConfigInfo(osAccountInfo);
802 if (errCode != ERR_OK) {
803 ACCOUNT_LOGE("Failed to get domain server config, error=%{public}d", errCode);
804 ReportOsAccountOperationFail(osAccountInfo.GetLocalId(), Constants::OPERATION_GET_INFO,
805 errCode, "Failed to get domain server config");
806 return ERR_OK;
807 }
808 #endif // SUPPORT_DOMAIN_ACCOUNTS
809 return ERR_OK;
810 }
811 #ifdef FUZZ_TEST
812 // LCOV_EXCL_STOP
813 #endif
814
QueryCurrentOsAccount(StringRawData & stringRawData)815 ErrCode OsAccountManagerService::QueryCurrentOsAccount(StringRawData& stringRawData)
816 {
817 OsAccountInfo osAccountInfo;
818 auto errCode = QueryCurrentOsAccount(osAccountInfo);
819 if (errCode == ERR_OK) {
820 WriteOsAccountInfo(stringRawData, osAccountInfo);
821 }
822 return errCode;
823 }
824
QueryOsAccountById(const int id,OsAccountInfo & osAccountInfo)825 ErrCode OsAccountManagerService::QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)
826 {
827 // parameters check
828 ErrCode res = CheckLocalId(id);
829 if (res != ERR_OK) {
830 return res;
831 }
832 // permission check
833 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") &&
834 !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
835 ACCOUNT_LOGE("Account manager service, permission denied!");
836 REPORT_PERMISSION_FAIL();
837 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
838 }
839
840 ErrCode errCode = innerManager_.QueryOsAccountById(id, osAccountInfo);
841 if (errCode != ERR_OK) {
842 return errCode;
843 }
844 #ifdef SUPPORT_DOMAIN_ACCOUNTS
845 errCode = GetServerConfigInfo(osAccountInfo);
846 if (errCode != ERR_OK) {
847 ACCOUNT_LOGE("Failed to get domain server config, error=%{public}d", errCode);
848 ReportOsAccountOperationFail(osAccountInfo.GetLocalId(), Constants::OPERATION_GET_INFO,
849 errCode, "Failed to get domain server config");
850 return ERR_OK;
851 }
852 #endif // SUPPORT_DOMAIN_ACCOUNTS
853 return ERR_OK;
854 }
855
856 #ifdef FUZZ_TEST
857 // LCOV_EXCL_START
858 #endif
QueryOsAccountById(int32_t id,StringRawData & stringRawData)859 ErrCode OsAccountManagerService::QueryOsAccountById(int32_t id, StringRawData& stringRawData)
860 {
861 ErrCode result = AccountPermissionManager::CheckSystemApp();
862 if (result != ERR_OK) {
863 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
864 return result;
865 }
866 OsAccountInfo osAccountInfo;
867 auto errCode = QueryOsAccountById(id, osAccountInfo);
868 if (errCode == ERR_OK) {
869 WriteOsAccountInfo(stringRawData, osAccountInfo);
870 }
871 return errCode;
872 }
873
GetOsAccountTypeFromProcess(int32_t & typeValue)874 ErrCode OsAccountManagerService::GetOsAccountTypeFromProcess(int32_t& typeValue)
875 {
876 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
877 auto type = static_cast<OsAccountType>(typeValue);
878 ErrCode result = innerManager_.GetOsAccountType(id, type);
879 if (result == ERR_OK) {
880 typeValue = static_cast<int32_t>(type);
881 } else {
882 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
883 result, "Query os account type failed.");
884 }
885 return result;
886 }
887 #ifdef FUZZ_TEST
888 // LCOV_EXCL_STOP
889 #endif
890
GetOsAccountType(int32_t id,int32_t & typeValue)891 ErrCode OsAccountManagerService::GetOsAccountType(int32_t id, int32_t& typeValue)
892 {
893 ErrCode result = AccountPermissionManager::CheckSystemApp();
894 if (result != ERR_OK) {
895 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
896 return result;
897 }
898 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
899 ACCOUNT_LOGE("Check permission failed.");
900 REPORT_PERMISSION_FAIL();
901 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
902 }
903 auto type = static_cast<OsAccountType>(typeValue);
904 auto res = innerManager_.GetOsAccountType(id, type);
905 typeValue = static_cast<int32_t>(type);
906 return res;
907 }
908
GetOsAccountProfilePhoto(const int id,std::string & photo)909 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(const int id, std::string &photo)
910 {
911 ErrCode result = CheckLocalId(id);
912 if (result != ERR_OK) {
913 return result;
914 }
915 // get current account photo
916 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
917 if (callerUserId == id) {
918 return innerManager_.GetOsAccountProfilePhoto(id, photo);
919 }
920
921 // get other account photo, check permission first
922 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
923 ACCOUNT_LOGE("Account manager service, permission denied!");
924 REPORT_PERMISSION_FAIL();
925 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
926 }
927
928 return innerManager_.GetOsAccountProfilePhoto(id, photo);
929 }
930
931 #ifdef FUZZ_TEST
932 // LCOV_EXCL_START
933 #endif
GetOsAccountProfilePhoto(int32_t id,StringRawData & stringRawData)934 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(int32_t id, StringRawData& stringRawData)
935 {
936 ErrCode checkResult = AccountPermissionManager::CheckSystemApp();
937 if (checkResult != ERR_OK) {
938 ACCOUNT_LOGE("Is not system application, result = %{public}u.", checkResult);
939 return checkResult;
940 }
941 std::string photo;
942 auto errCode = GetOsAccountProfilePhoto(id, photo);
943 if (errCode == ERR_OK) {
944 stringRawData.Marshalling(photo);
945 }
946 return errCode;
947 }
948
IsMultiOsAccountEnable(bool & isMultiOsAccountEnable)949 ErrCode OsAccountManagerService::IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)
950 {
951 return innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
952 }
953 #ifdef FUZZ_TEST
954 // LCOV_EXCL_STOP
955 #endif
956
SetOsAccountName(int32_t id,const std::string & name)957 ErrCode OsAccountManagerService::SetOsAccountName(int32_t id, const std::string &name)
958 {
959 ErrCode result = AccountPermissionManager::CheckSystemApp();
960 if (result != ERR_OK) {
961 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
962 return result;
963 }
964 // parameters check
965 ErrCode res = CheckLocalId(id);
966 if (res != ERR_OK) {
967 return res;
968 }
969 res = CheckLocalIdRestricted(id);
970 if (res != ERR_OK) {
971 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, id);
972 return res;
973 }
974 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
975 ACCOUNT_LOGE("Set os account name is out of allowed size");
976 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
977 }
978 if (name.size() <= 0) {
979 ACCOUNT_LOGE("Os account name is empty");
980 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
981 }
982
983 // permission check
984 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
985 ACCOUNT_LOGE("Account manager service, permission denied!");
986 REPORT_PERMISSION_FAIL();
987 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
988 }
989
990 return innerManager_.SetOsAccountName(id, name);
991 }
992
ConstraintPublish(const std::vector<std::string> & oldConstraints,const std::vector<std::string> & constraints,int32_t localId,bool isEnabled)993 void OsAccountManagerService::ConstraintPublish(const std::vector<std::string> &oldConstraints,
994 const std::vector<std::string> &constraints, int32_t localId, bool isEnabled)
995 {
996 // Create a set to store constraints that need to be published
997 std::set<std::string> constraintsSet;
998 std::vector<std::string> newConstraints;
999 ErrCode errCode = innerManager_.GetOsAccountAllConstraints(localId, newConstraints);
1000 if (errCode != ERR_OK) {
1001 ACCOUNT_LOGE("Call getOsAccountAllConstraints failed, errCode=%{public}d.", errCode);
1002 return;
1003 }
1004 // Iterate through each constraint in the new constraints list
1005 for (auto const &constraint : constraints) {
1006 // Check if the constraint is currently enabled for the account
1007 bool isEnabledNew =
1008 std::find(newConstraints.begin(), newConstraints.end(), constraint) != newConstraints.end();
1009 if (isEnabledNew != isEnabled) {
1010 ACCOUNT_LOGD("%{public}s not publish, enable=%{public}d.", constraint.c_str(), isEnabled);
1011 continue;
1012 }
1013 bool isEnabledOld = std::find(oldConstraints.begin(), oldConstraints.end(), constraint) != oldConstraints.end();
1014 if (isEnabledOld != isEnabledNew) {
1015 constraintsSet.emplace(constraint);
1016 }
1017 }
1018 // Publish the final set of constraints with the specified enable state
1019 return constraintManger_.Publish(localId, constraintsSet, isEnabled);
1020 }
1021
SetOsAccountConstraints(int32_t id,const std::vector<std::string> & constraints,bool enable)1022 ErrCode OsAccountManagerService::SetOsAccountConstraints(
1023 int32_t id, const std::vector<std::string> &constraints, bool enable)
1024 {
1025 ErrCode result = AccountPermissionManager::CheckSystemApp();
1026 if (result != ERR_OK) {
1027 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
1028 return result;
1029 }
1030 ErrCode res = CheckLocalId(id);
1031 if (res != ERR_OK) {
1032 return res;
1033 }
1034 res = CheckLocalIdRestricted(id);
1035 if (res != ERR_OK) {
1036 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, id);
1037 return res;
1038 }
1039 // permission check
1040 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1041 ACCOUNT_LOGE("Account manager service, permission denied!");
1042 REPORT_PERMISSION_FAIL();
1043 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1044 }
1045 std::vector<std::string> oldConstraints;
1046 result = innerManager_.GetOsAccountAllConstraints(id, oldConstraints);
1047 if (result != ERR_OK) {
1048 ACCOUNT_LOGE("GetOsAccountAllConstraints failed, result=%{public}d", result);
1049 return result;
1050 }
1051 result = innerManager_.SetBaseOsAccountConstraints(id, constraints, enable);
1052 if (result != ERR_OK) {
1053 ACCOUNT_LOGE("SetBaseOsAccountConstraints failed, result=%{public}d", result);
1054 return result;
1055 }
1056 ConstraintPublish(oldConstraints, constraints, id, enable);
1057 return result;
1058 }
1059
SetOsAccountProfilePhoto(const int id,const std::string & photo)1060 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(const int id, const std::string &photo)
1061 {
1062 // parameters check
1063 ErrCode res = CheckLocalId(id);
1064 if (res != ERR_OK) {
1065 return res;
1066 }
1067 res = CheckLocalIdRestricted(id);
1068 if (res != ERR_OK) {
1069 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, id);
1070 return res;
1071 }
1072 if (photo.size() > Constants::LOCAL_PHOTO_MAX_SIZE) {
1073 ACCOUNT_LOGE("Photo out of allowed size");
1074 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1075 }
1076 if (photo.empty()) {
1077 ACCOUNT_LOGE("Photo is empty");
1078 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1079 }
1080 // permission check
1081 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_SET_ICON)) {
1082 ACCOUNT_LOGE("Account manager service, permission denied!");
1083 REPORT_PERMISSION_FAIL();
1084 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1085 }
1086
1087 return innerManager_.SetOsAccountProfilePhoto(id, photo);
1088 }
1089
SetOsAccountProfilePhoto(int32_t id,const StringRawData & stringRawData)1090 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(int32_t id, const StringRawData& stringRawData)
1091 {
1092 ErrCode result = AccountPermissionManager::CheckSystemApp();
1093 if (result != ERR_OK) {
1094 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
1095 return result;
1096 }
1097 std::string photo;
1098 stringRawData.Unmarshalling(photo);
1099 return SetOsAccountProfilePhoto(id, photo);
1100 }
1101
ActivateOsAccount(int32_t id)1102 ErrCode OsAccountManagerService::ActivateOsAccount(int32_t id)
1103 {
1104 ErrCode result = AccountPermissionManager::CheckSystemApp();
1105 if (result != ERR_OK) {
1106 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
1107 return result;
1108 }
1109 // parameters check
1110 ErrCode res = CheckLocalId(id);
1111 if (res != ERR_OK) {
1112 return res;
1113 }
1114 res = CheckLocalIdRestricted(id);
1115 if (res != ERR_OK) {
1116 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, id);
1117 return res;
1118 }
1119 // permission check
1120 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, CONSTANT_ACTIVATE)) {
1121 ACCOUNT_LOGE("Account manager service, permission denied!");
1122 REPORT_PERMISSION_FAIL();
1123 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1124 }
1125
1126 return innerManager_.ActivateOsAccount(id);
1127 }
1128
DeactivateOsAccount(int32_t id)1129 ErrCode OsAccountManagerService::DeactivateOsAccount(int32_t id)
1130 {
1131 ErrCode result = AccountPermissionManager::CheckSystemApp();
1132 if (result != ERR_OK) {
1133 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
1134 return result;
1135 }
1136 // parameters check
1137 ErrCode res = CheckLocalId(id);
1138 if (res != ERR_OK) {
1139 return res;
1140 }
1141 res = CheckLocalIdRestricted(id);
1142 if (res != ERR_OK) {
1143 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, id);
1144 return res;
1145 }
1146 // permission check
1147 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
1148 ACCOUNT_LOGE("Account manager service, permission denied!");
1149 REPORT_PERMISSION_FAIL();
1150 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1151 }
1152 int32_t currentId = Constants::START_USER_ID;
1153 GetCurrentLocalId(currentId);
1154
1155 #ifndef SUPPORT_STOP_MAIN_OS_ACCOUNT
1156 if (id == Constants::START_USER_ID) {
1157 ACCOUNT_LOGW("The %{public}d os account can't stop", id);
1158 return ERR_OSACCOUNT_SERVICE_INNER_ACCOUNT_STOP_ACTIVE_ERROR;
1159 }
1160 #endif // SUPPORT_STOP_OS_ACCOUNT
1161
1162 res = innerManager_.DeactivateOsAccount(id);
1163
1164 if (currentId == id) { // if stop current account
1165 #ifdef SUPPORT_STOP_MAIN_OS_ACCOUNT
1166 innerManager_.ActivateOsAccount(id, false, Constants::DEFAULT_DISPALY_ID, true);
1167 #else
1168 innerManager_.ActivateOsAccount(Constants::START_USER_ID, false, Constants::DEFAULT_DISPALY_ID);
1169 #endif // SUPPORT_STOP_MAIN_OS_ACCOUNT
1170 }
1171 return res;
1172 }
1173
1174 #ifdef FUZZ_TEST
1175 // LCOV_EXCL_START
1176 #endif
DeactivateAllOsAccounts()1177 ErrCode OsAccountManagerService::DeactivateAllOsAccounts()
1178 {
1179 ErrCode checkResult = AccountPermissionManager::CheckSystemApp();
1180 if (checkResult != ERR_OK) {
1181 ACCOUNT_LOGE("Is not system application, result = %{public}u.", checkResult);
1182 return checkResult;
1183 }
1184 // permission check
1185 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
1186 ACCOUNT_LOGE("Permission check failed.");
1187 REPORT_PERMISSION_FAIL();
1188 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1189 }
1190
1191 std::vector<int32_t> userIds;
1192 ErrCode res = innerManager_.QueryActiveOsAccountIds(userIds);
1193 if (res != ERR_OK) {
1194 ACCOUNT_LOGE("Get activated os account ids failed.");
1195 return res;
1196 }
1197 if (userIds.empty()) {
1198 ACCOUNT_LOGI("Activated os account list is empty.");
1199 return ERR_OK;
1200 }
1201 ErrCode result = ERR_OK;
1202 for (auto osAccountId : userIds) {
1203 ACCOUNT_LOGI("DeactivateAllOsAccounts, id=%{public}d", osAccountId);
1204 #ifdef ENABLE_U1_ACCOUNT
1205 if (osAccountId == Constants::U1_ID) {
1206 continue;
1207 }
1208 #endif // ENABLE_U1_ACCOUNT
1209 res = innerManager_.DeactivateOsAccount(osAccountId);
1210 if (res != ERR_OK) {
1211 ACCOUNT_LOGE("Deactivate os account id failed, id=%{public}d", osAccountId);
1212 result = res;
1213 }
1214 }
1215 return result;
1216 }
1217 #ifdef FUZZ_TEST
1218 // LCOV_EXCL_STOP
1219 #endif
1220
1221 #ifdef FUZZ_TEST
1222 // LCOV_EXCL_START
1223 #endif
GetCurrentLocalId(int32_t & userId)1224 void OsAccountManagerService::GetCurrentLocalId(int32_t &userId)
1225 {
1226 std::vector<int32_t> userIds;
1227 if ((innerManager_.QueryActiveOsAccountIds(userIds) != ERR_OK) || userIds.empty()) {
1228 ACCOUNT_LOGE("Fail to get activated os account ids");
1229 return;
1230 }
1231 userId = userIds[0];
1232 return;
1233 }
1234 #ifdef FUZZ_TEST
1235 // LCOV_EXCL_STOP
1236 #endif
1237
StartOsAccount(int32_t id)1238 ErrCode OsAccountManagerService::StartOsAccount(int32_t id)
1239 {
1240 return innerManager_.StartOsAccount(id);
1241 }
1242
SubscribeOsAccount(const OsAccountSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)1243 ErrCode OsAccountManagerService::SubscribeOsAccount(
1244 const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)
1245 {
1246 #ifdef HICOLLIE_ENABLE
1247 unsigned int flag = HiviewDFX::XCOLLIE_FLAG_LOG | HiviewDFX::XCOLLIE_FLAG_RECOVERY;
1248 XCollieCallback callbackFunc = [callingPid = IPCSkeleton::GetCallingPid(),
1249 callingUid = IPCSkeleton::GetCallingUid()](void *) {
1250 ACCOUNT_LOGE("ProcSubscribeOsAccount failed, callingPid: %{public}d, callingUid: %{public}d.",
1251 callingPid, callingUid);
1252 ReportOsAccountOperationFail(callingUid, "watchDog", -1, "Subscribe osaccount time out");
1253 };
1254 int timerId = HiviewDFX::XCollie::GetInstance().SetTimer(TIMER_NAME, RECOVERY_TIMEOUT, callbackFunc, nullptr, flag);
1255 #endif // HICOLLIE_ENABLE
1256 ErrCode checkResult = AccountPermissionManager::CheckSystemApp();
1257 if (checkResult != ERR_OK) {
1258 ACCOUNT_LOGE("Is not system application, result = %{public}u.", checkResult);
1259 #ifdef HICOLLIE_ENABLE
1260 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
1261 #endif // HICOLLIE_ENABLE
1262 return checkResult;
1263 }
1264
1265 // permission check
1266 OS_ACCOUNT_SUBSCRIBE_TYPE osAccountSubscribeType;
1267 subscribeInfo.GetOsAccountSubscribeType(osAccountSubscribeType);
1268 std::set<OsAccountState> states;
1269 subscribeInfo.GetStates(states);
1270 if (osAccountSubscribeType == OsAccountState::INVALID_TYPE && states.empty()) {
1271 ACCOUNT_LOGE("Invalid subscriber information");
1272 #ifdef HICOLLIE_ENABLE
1273 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
1274 #endif // HICOLLIE_ENABLE
1275 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1276 }
1277 // permission check
1278 if (!(PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") ||
1279 PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "") ||
1280 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
1281 ACCOUNT_LOGE("Account manager service, permission denied!");
1282 REPORT_PERMISSION_FAIL();
1283 #ifdef HICOLLIE_ENABLE
1284 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
1285 #endif // HICOLLIE_ENABLE
1286 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1287 }
1288 ErrCode result = innerManager_.SubscribeOsAccount(subscribeInfo, eventListener);
1289 if (result != ERR_OK) {
1290 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1291 result, "Subscribe os account failed.");
1292 }
1293 #ifdef HICOLLIE_ENABLE
1294 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
1295 #endif // HICOLLIE_ENABLE
1296 return result;
1297 }
1298
UnsubscribeOsAccount(const sptr<IRemoteObject> & eventListener)1299 ErrCode OsAccountManagerService::UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)
1300 {
1301 ErrCode checkResult = AccountPermissionManager::CheckSystemApp();
1302 if (checkResult != ERR_OK) {
1303 ACCOUNT_LOGE("Is not system application, result = %{public}u.", checkResult);
1304 return checkResult;
1305 }
1306
1307 // permission check
1308 if (!(PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") ||
1309 PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "") ||
1310 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
1311 ACCOUNT_LOGE("Account manager service, permission denied!");
1312 REPORT_PERMISSION_FAIL();
1313 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1314 }
1315
1316 ErrCode result = innerManager_.UnsubscribeOsAccount(eventListener);
1317 if (result != ERR_OK) {
1318 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1319 result, "Unsubscribe os account failed.");
1320 }
1321 return result;
1322 }
1323
GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber,int & id)1324 ErrCode OsAccountManagerService::GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)
1325 {
1326 return innerManager_.GetOsAccountLocalIdBySerialNumber(serialNumber, id);
1327 }
1328
GetSerialNumberByOsAccountLocalId(int32_t id,int64_t & serialNumber)1329 ErrCode OsAccountManagerService::GetSerialNumberByOsAccountLocalId(int32_t id, int64_t &serialNumber)
1330 {
1331 return innerManager_.GetSerialNumberByOsAccountLocalId(id, serialNumber);
1332 }
1333
GetOsAccountSwitchMod(int32_t & switchMod)1334 ErrCode OsAccountManagerService::GetOsAccountSwitchMod(int32_t &switchMod)
1335 {
1336 switchMod = static_cast<int32_t>(innerManager_.GetOsAccountSwitchMod());
1337 return ERR_OK;
1338 }
1339
1340 #ifdef FUZZ_TEST
1341 // LCOV_EXCL_START
1342 #endif
IsCurrentOsAccountVerified(bool & isVerified)1343 ErrCode OsAccountManagerService::IsCurrentOsAccountVerified(bool &isVerified)
1344 {
1345 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1346 return innerManager_.IsOsAccountVerified(id, isVerified);
1347 }
1348 #ifdef FUZZ_TEST
1349 // LCOV_EXCL_STOP
1350 #endif
1351
IsOsAccountCompleted(int32_t id,bool & isOsAccountCompleted)1352 ErrCode OsAccountManagerService::IsOsAccountCompleted(int32_t id, bool &isOsAccountCompleted)
1353 {
1354 ErrCode result = innerManager_.IsOsAccountCompleted(id, isOsAccountCompleted);
1355 if (result != ERR_OK) {
1356 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1357 result, "Get os account completed failed.");
1358 }
1359 return result;
1360 }
1361
SetCurrentOsAccountIsVerified(bool isVerified)1362 ErrCode OsAccountManagerService::SetCurrentOsAccountIsVerified(bool isVerified)
1363 {
1364 // permission check
1365 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1366 ACCOUNT_LOGE("Account manager service, permission denied!");
1367 REPORT_PERMISSION_FAIL();
1368 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1369 }
1370
1371 // parameters check
1372 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1373 ErrCode res = CheckLocalId(id);
1374 if (res != ERR_OK) {
1375 return res;
1376 }
1377 res = CheckLocalIdRestricted(id);
1378 if (res != ERR_OK) {
1379 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, id);
1380 return res;
1381 }
1382 return innerManager_.SetOsAccountIsVerified(id, isVerified);
1383 }
1384
SetOsAccountIsVerified(int32_t id,bool isVerified)1385 ErrCode OsAccountManagerService::SetOsAccountIsVerified(int32_t id, bool isVerified)
1386 {
1387 // parameters check
1388 ErrCode res = CheckLocalId(id);
1389 if (res != ERR_OK) {
1390 return res;
1391 }
1392 res = CheckLocalIdRestricted(id);
1393 if (res != ERR_OK) {
1394 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, id);
1395 return res;
1396 }
1397 // permission check
1398 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1399 ACCOUNT_LOGE("Account manager service, permission denied!");
1400 REPORT_PERMISSION_FAIL();
1401 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1402 }
1403
1404 return innerManager_.SetOsAccountIsVerified(id, isVerified);
1405 }
1406
DumpState(int32_t id,std::vector<std::string> & state)1407 ErrCode OsAccountManagerService::DumpState(int32_t id, std::vector<std::string> &state)
1408 {
1409 state.clear();
1410
1411 // permission check
1412 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1413 ACCOUNT_LOGE("Account manager service, permission denied!");
1414 REPORT_PERMISSION_FAIL();
1415 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1416 }
1417
1418 ErrCode result = ERR_OK;
1419 std::vector<OsAccountInfo> osAccountInfos;
1420
1421 if (id == -1) {
1422 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
1423 if (result != ERR_OK) {
1424 return result;
1425 }
1426 #ifdef ENABLE_U1_ACCOUNT
1427 OsAccountInfo osAccountInfo;
1428 result = innerManager_.GetRealOsAccountInfoById(Constants::U1_ID, osAccountInfo);
1429 if (result == ERR_OK) {
1430 osAccountInfos.insert(osAccountInfos.begin(), osAccountInfo);
1431 }
1432 #endif // ENABLE_U1_ACCOUNT
1433 } else {
1434 OsAccountInfo osAccountInfo;
1435 result = innerManager_.GetRealOsAccountInfoById(id, osAccountInfo);
1436 if (result != ERR_OK) {
1437 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
1438 }
1439
1440 osAccountInfos.emplace_back(osAccountInfo);
1441 }
1442
1443 return DumpStateByAccounts(osAccountInfos, state);
1444 }
1445
DumpOsAccountInfo(std::vector<std::string> & state)1446 ErrCode OsAccountManagerService::DumpOsAccountInfo(std::vector<std::string> &state)
1447 {
1448 state.clear();
1449
1450 ErrCode result = ERR_OK;
1451 std::vector<OsAccountInfo> osAccountInfos;
1452 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
1453 if (result != ERR_OK) {
1454 return result;
1455 }
1456
1457 return DumpStateByAccounts(osAccountInfos, state);
1458 }
1459
GetCreatedOsAccountNumFromDatabase(const std::string & storeID,int & createdOsAccountNum)1460 ErrCode OsAccountManagerService::GetCreatedOsAccountNumFromDatabase(const std::string& storeID,
1461 int &createdOsAccountNum)
1462 {
1463 // permission check
1464 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1465 ACCOUNT_LOGE("Account manager service, permission denied!");
1466 REPORT_PERMISSION_FAIL();
1467 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1468 }
1469
1470 return innerManager_.GetCreatedOsAccountNumFromDatabase(storeID, createdOsAccountNum);
1471 }
1472
GetSerialNumberFromDatabase(const std::string & storeID,int64_t & serialNumber)1473 ErrCode OsAccountManagerService::GetSerialNumberFromDatabase(const std::string& storeID,
1474 int64_t &serialNumber)
1475 {
1476 return innerManager_.GetSerialNumberFromDatabase(storeID, serialNumber);
1477 }
1478
GetMaxAllowCreateIdFromDatabase(const std::string & storeID,int & id)1479 ErrCode OsAccountManagerService::GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)
1480 {
1481 return innerManager_.GetMaxAllowCreateIdFromDatabase(storeID, id);
1482 }
1483
GetOsAccountFromDatabase(const std::string & storeID,const int id,OsAccountInfo & osAccountInfo)1484 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
1485 const int id, OsAccountInfo &osAccountInfo)
1486 {
1487 // permission check
1488 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1489 ACCOUNT_LOGE("Account manager service, permission denied!");
1490 REPORT_PERMISSION_FAIL();
1491 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1492 }
1493
1494 ErrCode errCode = innerManager_.GetOsAccountFromDatabase(storeID, id, osAccountInfo);
1495 if (errCode != ERR_OK) {
1496 return errCode;
1497 }
1498 #ifdef SUPPORT_DOMAIN_ACCOUNTS
1499 errCode = GetServerConfigInfo(osAccountInfo);
1500 if (errCode != ERR_OK) {
1501 ACCOUNT_LOGE("Failed to get domain server config, error=%{public}d", errCode);
1502 ReportOsAccountOperationFail(osAccountInfo.GetLocalId(), Constants::OPERATION_GET_INFO,
1503 errCode, "Failed to get domain server config");
1504 return ERR_OK;
1505 }
1506 #endif
1507 return ERR_OK;
1508 }
1509
GetOsAccountFromDatabase(const std::string & storeID,int32_t id,StringRawData & stringRawData)1510 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
1511 int32_t id, StringRawData& stringRawData)
1512 {
1513 OsAccountInfo osAccountInfo;
1514 auto errCode = GetOsAccountFromDatabase(storeID, id, osAccountInfo);
1515 if (errCode == ERR_OK) {
1516 WriteOsAccountInfo(stringRawData, osAccountInfo);
1517 }
1518 return errCode;
1519 }
1520
GetOsAccountListFromDatabase(const std::string & storeID,std::vector<OsAccountInfo> & osAccountList)1521 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
1522 std::vector<OsAccountInfo> &osAccountList)
1523 {
1524 // permission check
1525 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1526 ACCOUNT_LOGE("Account manager service, permission denied!");
1527 REPORT_PERMISSION_FAIL();
1528 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1529 }
1530
1531 ErrCode errCode = innerManager_.GetOsAccountListFromDatabase(storeID, osAccountList);
1532 if (errCode != ERR_OK) {
1533 return errCode;
1534 }
1535 #ifdef SUPPORT_DOMAIN_ACCOUNTS
1536 for (auto &info : osAccountList) {
1537 errCode = GetServerConfigInfo(info);
1538 if (errCode != ERR_OK) {
1539 ACCOUNT_LOGE("Failed to get domain server config, error=%{public}d", errCode);
1540 ReportOsAccountOperationFail(info.GetLocalId(), Constants::OPERATION_GET_INFO,
1541 errCode, "Failed to get domain server config");
1542 continue;
1543 }
1544 }
1545 #endif
1546 return ERR_OK;
1547 }
1548
GetOsAccountListFromDatabase(const std::string & storeID,StringRawData & osAccountInfos)1549 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
1550 StringRawData& osAccountInfos)
1551 {
1552 std::vector<OsAccountInfo> osAccountVec;
1553 auto errCode = GetOsAccountListFromDatabase(storeID, osAccountVec);
1554 if (errCode == ERR_OK && !WriteOsAccountInfoVector(osAccountInfos, osAccountVec)) {
1555 ACCOUNT_LOGE("WriteOsAccountInfoVector failed, please check osAccountInfos");
1556 return IPC_STUB_WRITE_PARCEL_ERR;
1557 }
1558 return errCode;
1559 }
1560
DumpStateByAccounts(const std::vector<OsAccountInfo> & osAccountInfos,std::vector<std::string> & state)1561 ErrCode OsAccountManagerService::DumpStateByAccounts(
1562 const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)
1563 {
1564 ACCOUNT_LOGD("Enter");
1565 for (auto osAccountInfo : osAccountInfos) {
1566 std::string info = "";
1567
1568 std::string localId = std::to_string(osAccountInfo.GetLocalId());
1569 state.emplace_back("ID: " + localId);
1570
1571 std::string localName = osAccountInfo.GetLocalName();
1572 state.emplace_back(DUMP_TAB_CHARACTER + "Name: " + AnonymizeNameStr(localName));
1573
1574 std::string type = "";
1575 auto it = DUMP_TYPE_MAP.find(osAccountInfo.GetType());
1576 if (it != DUMP_TYPE_MAP.end()) {
1577 type = it->second;
1578 } else {
1579 type = "unknown";
1580 }
1581 state.emplace_back(DUMP_TAB_CHARACTER + "Type: " + type);
1582 state.emplace_back(DUMP_TAB_CHARACTER + "Status: " +
1583 (osAccountInfo.GetIsActived() ? "active" : "inactive"));
1584 state.emplace_back(DUMP_TAB_CHARACTER + "isForeground: " + std::to_string(osAccountInfo.GetIsForeground()));
1585 state.emplace_back(DUMP_TAB_CHARACTER + "dispalyId: " + std::to_string(osAccountInfo.GetDisplayId()));
1586
1587 state.emplace_back(DUMP_TAB_CHARACTER + "Constraints:");
1588 auto constraints = osAccountInfo.GetConstraints();
1589 std::transform(constraints.begin(), constraints.end(), std::back_inserter(state),
1590 [](auto constraint) {return DUMP_TAB_CHARACTER + DUMP_TAB_CHARACTER + constraint; });
1591
1592 state.emplace_back(DUMP_TAB_CHARACTER + "Verified: " +
1593 (osAccountInfo.GetIsVerified() ? "true" : "false"));
1594
1595 int64_t serialNumber = osAccountInfo.GetSerialNumber();
1596 state.emplace_back(DUMP_TAB_CHARACTER + "Serial Number: " + std::to_string(serialNumber));
1597 state.emplace_back(DUMP_TAB_CHARACTER + "Create Completed: " +
1598 (osAccountInfo.GetIsCreateCompleted() ? "true" : "false"));
1599 state.emplace_back(DUMP_TAB_CHARACTER + "To Be Removed: " +
1600 (osAccountInfo.GetToBeRemoved() ? "true" : "false"));
1601 state.emplace_back("\n");
1602 }
1603
1604 return ERR_OK;
1605 }
1606
1607 #ifdef FUZZ_TEST
1608 // LCOV_EXCL_START
1609 #endif
QueryActiveOsAccountIds(std::vector<int32_t> & ids)1610 ErrCode OsAccountManagerService::QueryActiveOsAccountIds(std::vector<int32_t>& ids)
1611 {
1612 #ifdef HICOLLIE_ENABLE
1613 unsigned int flag = HiviewDFX::XCOLLIE_FLAG_LOG | HiviewDFX::XCOLLIE_FLAG_RECOVERY;
1614 XCollieCallback callbackFunc = [callingPid = IPCSkeleton::GetCallingPid(),
1615 callingUid = IPCSkeleton::GetCallingUid()](void *) {
1616 ACCOUNT_LOGE("ProcQueryActiveOsAccountIds failed, callingPid: %{public}d, callingUid: %{public}d.",
1617 callingPid, callingUid);
1618 ReportOsAccountOperationFail(callingUid, "watchDog", -1, "Query active account id time out");
1619 };
1620 int timerId = HiviewDFX::XCollie::GetInstance().SetTimer(
1621 TIMER_NAME, RECOVERY_TIMEOUT, callbackFunc, nullptr, flag);
1622 #endif // HICOLLIE_ENABLE
1623 ErrCode result = innerManager_.QueryActiveOsAccountIds(ids);
1624 if (result != ERR_OK) {
1625 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1626 result, "Query active os accountIds failed.");
1627 }
1628 #ifdef HICOLLIE_ENABLE
1629 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
1630 #endif // HICOLLIE_ENABLE
1631 return result;
1632 }
1633 #ifdef FUZZ_TEST
1634 // LCOV_EXCL_STOP
1635 #endif
1636
QueryOsAccountConstraintSourceTypes(int32_t id,const std::string & constraint,std::vector<ConstraintSourceTypeInfo> & constraintSourceTypeInfos)1637 ErrCode OsAccountManagerService::QueryOsAccountConstraintSourceTypes(int32_t id,
1638 const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)
1639 {
1640 ErrCode result = AccountPermissionManager::CheckSystemApp();
1641 if (result != ERR_OK) {
1642 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
1643 return result;
1644 }
1645 // parameters check
1646 ErrCode res = CheckLocalId(id);
1647 if (res != ERR_OK) {
1648 return res;
1649 }
1650 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
1651 ACCOUNT_LOGE("Constraint length is invalid. length %{public}zu.", constraint.size());
1652 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1653 }
1654
1655 // permission check
1656 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1657 ACCOUNT_LOGE("Account manager service, permission denied!");
1658 REPORT_PERMISSION_FAIL();
1659 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1660 }
1661
1662 return innerManager_.QueryOsAccountConstraintSourceTypes(id, constraint, constraintSourceTypeInfos);
1663 }
1664
SetGlobalOsAccountConstraints(const std::vector<std::string> & constraints,bool enable,int32_t enforcerId,bool isDeviceOwner)1665 ErrCode OsAccountManagerService::SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints,
1666 bool enable, int32_t enforcerId, bool isDeviceOwner)
1667 {
1668 if (enforcerId < 0) {
1669 ACCOUNT_LOGE("Failed to read localId, please check enforcerId");
1670 return ERR_OSACCOUNT_KIT_READ_IN_LOCAL_ID_ERROR;
1671 }
1672 // permission check
1673 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") || !PermissionCheck(MANAGE_EDM_POLICY, "")) {
1674 ACCOUNT_LOGE("Account manager service, permission denied!");
1675 REPORT_PERMISSION_FAIL();
1676 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1677 }
1678 std::vector<OsAccountInfo> osAccountInfos;
1679 ErrCode result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
1680 if (result != ERR_OK) {
1681 ACCOUNT_LOGE("QueryAllCreatedOsAccounts failed, result=%{public}d", result);
1682 return result;
1683 }
1684 std::map<int32_t, std::vector<std::string>> oldConstraintsMap;
1685 for (auto const&info : osAccountInfos) {
1686 std::vector<std::string> oldConstraints;
1687 result = innerManager_.GetOsAccountAllConstraints(info.GetLocalId(), oldConstraints);
1688 if (result != ERR_OK) {
1689 ACCOUNT_LOGE("GetOsAccountAllConstraints failed, result=%{public}d", result);
1690 return result;
1691 }
1692 oldConstraintsMap.emplace(info.GetLocalId(), oldConstraints);
1693 }
1694
1695 result = innerManager_.SetGlobalOsAccountConstraints(constraints, enable, enforcerId, isDeviceOwner);
1696 if (result != ERR_OK) {
1697 ACCOUNT_LOGE("SetGlobalOsAccountConstraints failed, result=%{public}d", result);
1698 return result;
1699 }
1700 for (const auto& item : oldConstraintsMap) {
1701 ConstraintPublish(item.second, constraints, item.first, enable);
1702 }
1703 return result;
1704 }
1705
SetSpecificOsAccountConstraints(const std::vector<std::string> & constraints,bool enable,int32_t targetId,int32_t enforcerId,bool isDeviceOwner)1706 ErrCode OsAccountManagerService::SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints,
1707 bool enable, int32_t targetId, int32_t enforcerId, bool isDeviceOwner)
1708 {
1709 if (targetId < 0) {
1710 ACCOUNT_LOGE("Failed to read targetId, please check targetId");
1711 return ERR_OSACCOUNT_KIT_READ_IN_LOCAL_ID_ERROR;
1712 }
1713 if (enforcerId < 0) {
1714 ACCOUNT_LOGE("Failed to read enforcerId, please check enforcerId");
1715 return ERR_OSACCOUNT_KIT_READ_IN_LOCAL_ID_ERROR;
1716 }
1717 // permission check
1718 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") || !PermissionCheck(MANAGE_EDM_POLICY, "")) {
1719 ACCOUNT_LOGE("Account manager service, permission denied!");
1720 REPORT_PERMISSION_FAIL();
1721 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1722 }
1723
1724 // parameters check
1725 if (targetId < Constants::START_USER_ID || enforcerId < Constants::START_USER_ID) {
1726 ACCOUNT_LOGE("Invalid input account id %{public}d or %{public}d.", targetId, enforcerId);
1727 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
1728 }
1729 std::vector<std::string> oldConstraints;
1730 ErrCode result = innerManager_.GetOsAccountAllConstraints(targetId, oldConstraints);
1731 if (result != ERR_OK) {
1732 ACCOUNT_LOGE("GetOsAccountAllConstraints failed, result=%{public}d", result);
1733 return result;
1734 }
1735 result = innerManager_.SetSpecificOsAccountConstraints(
1736 constraints, enable, targetId, enforcerId, isDeviceOwner);
1737 if (result != ERR_OK) {
1738 ACCOUNT_LOGE("SetSpecificOsAccountConstraints failed, result=%{public}d", result);
1739 return result;
1740 }
1741 ConstraintPublish(oldConstraints, constraints, targetId, enable);
1742 return result;
1743 }
1744
SubscribeOsAccountConstraints(const OsAccountConstraintSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)1745 ErrCode OsAccountManagerService::SubscribeOsAccountConstraints(const OsAccountConstraintSubscribeInfo &subscribeInfo,
1746 const sptr<IRemoteObject> &eventListener)
1747 {
1748 // permission check
1749 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
1750 ACCOUNT_LOGE("Account manager service, permission denied!");
1751 REPORT_PERMISSION_FAIL();
1752 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1753 }
1754 #ifdef HICOLLIE_ENABLE
1755 unsigned int flag = HiviewDFX::XCOLLIE_FLAG_LOG;
1756 XCollieCallback callbackFunc = [callingPid = IPCSkeleton::GetCallingPid(),
1757 callingUid = IPCSkeleton::GetCallingUid()](void *) {
1758 ACCOUNT_LOGE("SubscribeOsAccountConstraints failed, callingPid: %{public}d, callingUid: %{public}d.",
1759 callingPid, callingUid);
1760 ReportOsAccountOperationFail(callingUid, "watchDog", -1, "Subscribe constraint time out");
1761 };
1762 int timerId = HiviewDFX::XCollie::GetInstance().SetTimer(
1763 TIMER_NAME, TIMEOUT, callbackFunc, nullptr, flag);
1764 #endif // HICOLLIE_ENABLE
1765 ErrCode result = constraintManger_.SubscribeOsAccountConstraints(subscribeInfo, eventListener);
1766 if (result != ERR_OK) {
1767 ACCOUNT_LOGE("Subscribe constraint failed, callingUid: %{public}d, code: %{public}d.",
1768 IPCSkeleton::GetCallingUid(), result);
1769 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1770 result, "Subscribe constraint failed.");
1771 }
1772 #ifdef HICOLLIE_ENABLE
1773 HiviewDFX::XCollie::GetInstance().CancelTimer(timerId);
1774 #endif // HICOLLIE_ENABLE
1775 return result;
1776 }
1777
UnsubscribeOsAccountConstraints(const OsAccountConstraintSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)1778 ErrCode OsAccountManagerService::UnsubscribeOsAccountConstraints(const OsAccountConstraintSubscribeInfo &subscribeInfo,
1779 const sptr<IRemoteObject> &eventListener)
1780 {
1781 // permission check
1782 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
1783 ACCOUNT_LOGE("Account manager service, permission denied!");
1784 REPORT_PERMISSION_FAIL();
1785 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1786 }
1787 ErrCode result = constraintManger_.UnsubscribeOsAccountConstraints(subscribeInfo, eventListener);
1788 if (result != ERR_OK) {
1789 ACCOUNT_LOGE("Unsubscribe constraint failed, callingUid: %{public}d, code: %{public}d.",
1790 IPCSkeleton::GetCallingUid(), result);
1791 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1792 result, "Unsubscribe constraint failed.");
1793 }
1794 return result;
1795 }
1796
SetDefaultActivatedOsAccount(int32_t id)1797 ErrCode OsAccountManagerService::SetDefaultActivatedOsAccount(int32_t id)
1798 {
1799 // parameters check
1800 ErrCode ret = CheckLocalId(id);
1801 if (ret != ERR_OK) {
1802 return ret;
1803 }
1804
1805 // permission check
1806 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1807 ACCOUNT_LOGE("Account manager service, permission denied!");
1808 REPORT_PERMISSION_FAIL();
1809 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1810 }
1811 if (id < Constants::START_USER_ID) {
1812 ACCOUNT_LOGE("Not allow set id:%{public}d default activated account!", id);
1813 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
1814 }
1815 return innerManager_.SetDefaultActivatedOsAccount(id);
1816 }
1817
GetDefaultActivatedOsAccount(int32_t & id)1818 ErrCode OsAccountManagerService::GetDefaultActivatedOsAccount(int32_t &id)
1819 {
1820 return innerManager_.GetDefaultActivatedOsAccount(id);
1821 }
1822
GetOsAccountShortNameCommon(const int32_t id,std::string & shortName)1823 ErrCode OsAccountManagerService::GetOsAccountShortNameCommon(const int32_t id, std::string &shortName)
1824 {
1825 ErrCode errCode = innerManager_.GetOsAccountShortName(id, shortName);
1826 if (errCode != ERR_OK) {
1827 ACCOUNT_LOGE("GetOsAccountShortName error %{public}d", errCode);
1828 return errCode;
1829 }
1830 return ERR_OK;
1831 }
1832
1833 #ifdef FUZZ_TEST
1834 // LCOV_EXCL_START
1835 #endif
GetOsAccountShortName(std::string & shortName)1836 ErrCode OsAccountManagerService::GetOsAccountShortName(std::string &shortName)
1837 {
1838 ErrCode result = AccountPermissionManager::CheckSystemApp();
1839 if (result != ERR_OK) {
1840 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
1841 return result;
1842 }
1843 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1844 return GetOsAccountShortNameCommon(id, shortName);
1845 }
1846 #ifdef FUZZ_TEST
1847 // LCOV_EXCL_STOP
1848 #endif
1849
1850 #ifdef FUZZ_TEST
1851 // LCOV_EXCL_START
1852 #endif
GetOsAccountName(std::string & name)1853 ErrCode OsAccountManagerService::GetOsAccountName(std::string &name)
1854 {
1855 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1856 ErrCode errCode = innerManager_.GetOsAccountName(id, name);
1857 if (errCode != ERR_OK) {
1858 ACCOUNT_LOGE("Failed get account name, errCode=%{public}d, uid=%{public}d", errCode,
1859 IPCSkeleton::GetCallingUid());
1860 return errCode;
1861 }
1862 return ERR_OK;
1863 }
1864 #ifdef FUZZ_TEST
1865 // LCOV_EXCL_STOP
1866 #endif
1867
GetOsAccountNameById(int32_t id,std::string & name)1868 ErrCode OsAccountManagerService::GetOsAccountNameById(int32_t id, std::string &name)
1869 {
1870 ErrCode result = AccountPermissionManager::CheckSystemApp();
1871 if (result != ERR_OK) {
1872 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
1873 return result;
1874 }
1875 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
1876 ACCOUNT_LOGE("Check permission failed.");
1877 REPORT_PERMISSION_FAIL();
1878 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1879 }
1880 ErrCode errCode = innerManager_.GetOsAccountName(id, name);
1881 if (errCode != ERR_OK) {
1882 ACCOUNT_LOGE("Failed get account name, errCode=%{public}d, id=%{public}d", errCode, id);
1883 return errCode;
1884 }
1885 return ERR_OK;
1886 }
1887
GetOsAccountShortNameById(int32_t id,std::string & shortName)1888 ErrCode OsAccountManagerService::GetOsAccountShortNameById(int32_t id, std::string &shortName)
1889 {
1890 ErrCode result = AccountPermissionManager::CheckSystemApp();
1891 if (result != ERR_OK) {
1892 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
1893 return result;
1894 }
1895 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
1896 ACCOUNT_LOGE("Check permission failed, please check your permission.");
1897 REPORT_PERMISSION_FAIL();
1898 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1899 }
1900 return GetOsAccountShortNameCommon(id, shortName);
1901 }
1902
PermissionCheck(const std::string & permissionName,const std::string & constraintName)1903 bool OsAccountManagerService::PermissionCheck(const std::string& permissionName, const std::string& constraintName)
1904 {
1905 int callerUid = IPCSkeleton::GetCallingUid();
1906 #ifndef IS_RELEASE_VERSION
1907 // root check in none release version for test
1908 if (callerUid == ROOT_UID) {
1909 return true;
1910 }
1911 #endif
1912
1913 // constraints check
1914 if (!constraintName.empty()) {
1915 int callerUserId = callerUid / UID_TRANSFORM_DIVISOR;
1916 bool isEnable = true;
1917 innerManager_.IsOsAccountConstraintEnable(callerUserId, constraintName, isEnable);
1918 if (isEnable) {
1919 ACCOUNT_LOGE("Constraint check %{public}s failed.", constraintName.c_str());
1920 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), constraintName);
1921 return false;
1922 }
1923 }
1924
1925 // permission check
1926 if ((permissionName.empty()) || (AccountPermissionManager::VerifyPermission(permissionName) == ERR_OK)) {
1927 return true;
1928 }
1929
1930 return false;
1931 }
1932
CheckCreateOsAccountWhiteList()1933 bool OsAccountManagerService::CheckCreateOsAccountWhiteList()
1934 {
1935 return uidWhiteListForCreation.find(GetCallingUid()) != uidWhiteListForCreation.end();
1936 }
1937
IsOsAccountForeground(int32_t localId,const uint64_t displayId,bool & isForeground)1938 ErrCode OsAccountManagerService::IsOsAccountForeground(int32_t localId, const uint64_t displayId,
1939 bool &isForeground)
1940 {
1941 ErrCode checkResult = AccountPermissionManager::CheckSystemApp();
1942 if (checkResult != ERR_OK) {
1943 ACCOUNT_LOGE("Is not system application, result = %{public}u.", checkResult);
1944 return checkResult;
1945 }
1946 int32_t callerId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1947 int32_t id = (localId == -1) ? callerId : localId;
1948 if (id < Constants::ADMIN_LOCAL_ID) {
1949 ACCOUNT_LOGE("LocalId %{public}d is invlaid.", id);
1950 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1951 }
1952 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1953 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1954 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1955 }
1956 bool isOsAccountExists = false;
1957 ErrCode result = IsOsAccountExists(id, isOsAccountExists);
1958 if (result != ERR_OK) {
1959 return result;
1960 }
1961 if (!isOsAccountExists) {
1962 ACCOUNT_LOGE("LocalId %{public}d not exist.", id);
1963 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
1964 }
1965 if (id >= Constants::ADMIN_LOCAL_ID && id < Constants::START_USER_ID) {
1966 ACCOUNT_LOGI("LocalId %{public}d is always in backgroud.", id);
1967 isForeground = false;
1968 return ERR_OK;
1969 }
1970 return innerManager_.IsOsAccountForeground(id, displayId, isForeground);
1971 }
1972
GetForegroundOsAccountLocalId(const uint64_t displayId,int32_t & localId)1973 ErrCode OsAccountManagerService::GetForegroundOsAccountLocalId(const uint64_t displayId, int32_t &localId)
1974 {
1975 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1976 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1977 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1978 }
1979 return innerManager_.GetForegroundOsAccountLocalId(displayId, localId);
1980 }
1981
1982 #ifdef FUZZ_TEST
1983 // LCOV_EXCL_START
1984 #endif
GetForegroundOsAccounts(std::vector<ForegroundOsAccount> & accounts)1985 ErrCode OsAccountManagerService::GetForegroundOsAccounts(std::vector<ForegroundOsAccount> &accounts)
1986 {
1987 ErrCode checkResult = AccountPermissionManager::CheckSystemApp();
1988 if (checkResult != ERR_OK) {
1989 ACCOUNT_LOGE("Is not system application, result = %{public}u.", checkResult);
1990 return checkResult;
1991 }
1992 ErrCode result = innerManager_.GetForegroundOsAccounts(accounts);
1993 if (result != ERR_OK) {
1994 REPORT_OS_ACCOUNT_FAIL(IPCSkeleton::GetCallingUid(), Constants::OPERATION_LOG_ERROR,
1995 result, "Get foreground os accounts failed.");
1996 }
1997 return result;
1998 }
1999 #ifdef FUZZ_TEST
2000 // LCOV_EXCL_STOP
2001 #endif
2002
2003 #ifdef FUZZ_TEST
2004 // LCOV_EXCL_START
2005 #endif
GetBackgroundOsAccountLocalIds(std::vector<int32_t> & localIds)2006 ErrCode OsAccountManagerService::GetBackgroundOsAccountLocalIds(std::vector<int32_t> &localIds)
2007 {
2008 return innerManager_.GetBackgroundOsAccountLocalIds(localIds);
2009 }
2010 #ifdef FUZZ_TEST
2011 // LCOV_EXCL_STOP
2012 #endif
2013
SetOsAccountToBeRemoved(int32_t localId,bool toBeRemoved)2014 ErrCode OsAccountManagerService::SetOsAccountToBeRemoved(int32_t localId, bool toBeRemoved)
2015 {
2016 ErrCode result = AccountPermissionManager::CheckSystemApp();
2017 if (result != ERR_OK) {
2018 ACCOUNT_LOGE("Is not system application, result = %{public}u.", result);
2019 return result;
2020 }
2021 ErrCode res = CheckLocalId(localId);
2022 if (res != ERR_OK) {
2023 return res;
2024 }
2025 if (localId == Constants::START_USER_ID) {
2026 ACCOUNT_LOGE("Cannot remove system preinstalled user.");
2027 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
2028 }
2029 res = CheckLocalIdRestricted(localId);
2030 if (res != ERR_OK) {
2031 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, localId);
2032 return res;
2033 }
2034 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
2035 ACCOUNT_LOGE("Permission denied.");
2036 REPORT_PERMISSION_FAIL();
2037 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
2038 }
2039 return innerManager_.SetOsAccountToBeRemoved(localId, toBeRemoved);
2040 }
2041
GetOsAccountDomainInfo(int32_t localId,DomainAccountInfo & domainInfo)2042 ErrCode OsAccountManagerService::GetOsAccountDomainInfo(int32_t localId, DomainAccountInfo &domainInfo)
2043 {
2044 if (!(PermissionCheck(GET_DOMAIN_ACCOUNTS, "") &&
2045 PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, ""))) {
2046 ACCOUNT_LOGE("Permission denied.");
2047 REPORT_PERMISSION_FAIL();
2048 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
2049 }
2050 ErrCode res = CheckLocalId(localId);
2051 if (res != ERR_OK) {
2052 return res;
2053 }
2054 return innerManager_.GetOsAccountDomainInfo(localId, domainInfo);
2055 }
2056
2057 #ifdef SUPPORT_LOCK_OS_ACCOUNT
PublishOsAccountLockEvent(const int32_t localId,bool isLocking)2058 ErrCode OsAccountManagerService::PublishOsAccountLockEvent(const int32_t localId, bool isLocking)
2059 {
2060 ErrCode result = AccountPermissionManager::CheckSystemApp();
2061 if (result != ERR_OK) {
2062 ACCOUNT_LOGE("CheckSystemApp failed, please check permission, result = %{public}u.", result);
2063 return result;
2064 }
2065 ErrCode res = CheckLocalId(localId);
2066 if (res != ERR_OK) {
2067 return res;
2068 }
2069
2070 if (localId < Constants::START_USER_ID) {
2071 ACCOUNT_LOGE("Not allow to lock account id:%{public}d!", localId);
2072 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
2073 }
2074
2075 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
2076 ACCOUNT_LOGE("Permission denied.");
2077 REPORT_PERMISSION_FAIL();
2078 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
2079 }
2080
2081 return innerManager_.PublishOsAccountLockEvent(localId, isLocking);
2082 }
2083
LockOsAccount(const int32_t localId)2084 ErrCode OsAccountManagerService::LockOsAccount(const int32_t localId)
2085 {
2086 ErrCode result = AccountPermissionManager::CheckSystemApp();
2087 if (result != ERR_OK) {
2088 ACCOUNT_LOGE("CheckSystemApp failed, please check permission, result = %{public}u.", result);
2089 return result;
2090 }
2091 ErrCode res = CheckLocalId(localId);
2092 if (res != ERR_OK) {
2093 return res;
2094 }
2095
2096 if (localId < Constants::START_USER_ID) {
2097 ACCOUNT_LOGE("Not allow to lock account id:%{public}d!", localId);
2098 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
2099 }
2100
2101 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
2102 ACCOUNT_LOGE("Permission denied.");
2103 REPORT_PERMISSION_FAIL();
2104 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
2105 }
2106
2107 return innerManager_.LockOsAccount(localId);
2108 }
2109 #endif
2110
BindDomainAccount(const int32_t localId,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback)2111 ErrCode OsAccountManagerService::BindDomainAccount(
2112 const int32_t localId, const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback)
2113 {
2114 ErrCode res = AccountPermissionManager::CheckSystemApp();
2115 if (res != ERR_OK) {
2116 ACCOUNT_LOGE("Caller is not system application, result = %{public}d.", res);
2117 return res;
2118 }
2119 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
2120 ACCOUNT_LOGE("Permission denied.");
2121 REPORT_PERMISSION_FAIL();
2122 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
2123 }
2124 res = CheckLocalId(localId);
2125 if (res != ERR_OK) {
2126 return res;
2127 }
2128 res = CheckLocalIdRestricted(localId);
2129 if (res != ERR_OK) {
2130 ACCOUNT_LOGW("Check local id restricted, result = %{public}d, localId = %{public}d.", res, localId);
2131 return res;
2132 }
2133 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
2134 ACCOUNT_LOGE("Domain account name is empty or domain is empty");
2135 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
2136 }
2137 if (domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE ||
2138 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
2139 ACCOUNT_LOGE("Domain account name is overlength or domain is overlength");
2140 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
2141 }
2142 if (callback == nullptr) {
2143 ACCOUNT_LOGE("Callback is null");
2144 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
2145 }
2146 #ifdef SUPPORT_DOMAIN_ACCOUNTS
2147 auto work = [localId = localId, domainInfo = domainInfo, callback] {
2148 ErrCode res = InnerDomainAccountManager::GetInstance().BindDomainAccount(localId, domainInfo, callback);
2149 if (res != ERR_OK) {
2150 ACCOUNT_LOGE("Bind domain account failed, res = %{public}d.", res);
2151 }
2152 };
2153 std::thread taskThread(work);
2154 pthread_setname_np(taskThread.native_handle(), "BindDomainAccount");
2155 taskThread.detach();
2156 return ERR_OK;
2157 #else
2158 return ERR_DOMAIN_ACCOUNT_NOT_SUPPORT;
2159 #endif // SUPPORT_DOMAIN_ACCOUNTS
2160 }
2161
CheckLocalIdRestricted(int32_t localId)2162 ErrCode OsAccountManagerService::CheckLocalIdRestricted(int32_t localId)
2163 {
2164 if (localId == Constants::ADMIN_LOCAL_ID) {
2165 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
2166 }
2167 if (localId >= Constants::START_USER_ID) {
2168 return ERR_OK;
2169 }
2170 bool hasAccount = false;
2171 ErrCode ret = innerManager_.IsOsAccountExists(localId, hasAccount);
2172 if (ret != ERR_OK) {
2173 ACCOUNT_LOGE("Is OsAccount Exists failed, ret = %{public}d, localId = %{public}d", ret, localId);
2174 return ret;
2175 }
2176 if (hasAccount) {
2177 ACCOUNT_LOGW("Os account exists, return restricted account, localId = %{public}d", localId);
2178 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
2179 }
2180 ACCOUNT_LOGW("Os account not exists, return account not found, localId = %{public}d", localId);
2181 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
2182 }
2183
CallbackEnter(uint32_t code)2184 ErrCode OsAccountManagerService::CallbackEnter([[maybe_unused]] uint32_t code)
2185 {
2186 #ifdef HICOLLIE_ENABLE
2187 if (WATCH_DOG_WHITE_LIST.find(code) == WATCH_DOG_WHITE_LIST.end()) {
2188 g_timerIdStack.push(HiviewDFX::XCollie::GetInstance().SetTimer(TIMER_NAME, TIMEOUT,
2189 nullptr, nullptr, HiviewDFX::XCOLLIE_FLAG_LOG));
2190 }
2191 #endif // HICOLLIE_ENABLE
2192 return ERR_OK;
2193 }
2194
CallbackExit(uint32_t code,int32_t result)2195 ErrCode OsAccountManagerService::CallbackExit([[maybe_unused]] uint32_t code, [[maybe_unused]] int32_t result)
2196 {
2197 #ifdef HICOLLIE_ENABLE
2198 if (WATCH_DOG_WHITE_LIST.find(code) != WATCH_DOG_WHITE_LIST.end()) {
2199 return ERR_OK;
2200 }
2201 if (!g_timerIdStack.empty()) {
2202 HiviewDFX::XCollie::GetInstance().CancelTimer(g_timerIdStack.top());
2203 g_timerIdStack.pop();
2204 }
2205 #endif // HICOLLIE_ENABLE
2206 return ERR_OK;
2207 }
2208
2209 #ifdef SUPPORT_DOMAIN_ACCOUNTS
GetServerConfigInfo(OsAccountInfo & osAccountInfo)2210 ErrCode OsAccountManagerService::GetServerConfigInfo(OsAccountInfo &osAccountInfo)
2211 {
2212 if (!osAccountInfo.GetIsCreateCompleted() || osAccountInfo.GetToBeRemoved()) {
2213 return ERR_OK;
2214 }
2215 DomainAccountInfo info;
2216 osAccountInfo.GetDomainInfo(info);
2217 if (info.accountName_.empty() || info.serverConfigId_.empty()) {
2218 return ERR_OK;
2219 }
2220 DomainServerConfig config;
2221 ErrCode errCode = InnerDomainAccountManager::GetInstance().GetAccountServerConfig(info.accountName_,
2222 info.serverConfigId_, config);
2223 if (errCode != ERR_OK) {
2224 ACCOUNT_LOGE("GetAccountServerConfig failed, errCode=%{public}d", errCode);
2225 return errCode;
2226 }
2227 info.domain_ = config.domain_;
2228 info.serverConfigId_ = config.id_;
2229 osAccountInfo.SetDomainInfo(info);
2230 return ERR_OK;
2231 }
2232 #endif
2233 } // namespace AccountSA
2234 } // namespace OHOS
2235