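/*
 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * @addtogroup AccessToken
 * @{
 *
 * @brief Provides permission management.
 *
 * Provides a tokenID-based application permission verification mechanism.
 * When an application accesses sensitive data or APIs, this module can check
 * whether the application has the corresponding permission. Allows applications
 * to query their access token information or APL levels based on token IDs.
 *
 * @since 7.0
 * @version 7.0
 */

/**
 * @file accesstoken_kit.h
 *
 * @brief Declares access token interfaces.
 *
 * @since 7.0
 * @version 7.0
 */

#ifndef INTERFACES_INNER_KITS_ACCESSTOKEN_KIT_H
#define INTERFACES_INNER_KITS_ACCESSTOKEN_KIT_H

// <cstdint> and <memory> are included directly because this header names the
// fixed-width integer types and std::shared_ptr in its own declarations.
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

#include "access_token.h"
#include "atm_tools_param_info.h"
#include "hap_token_info.h"
#include "native_token_info.h"
#include "permission_def.h"
#include "permission_list_state.h"
#include "permission_grant_info.h"
#include "permission_state_change_info.h"
#include "permission_state_full.h"
#include "perm_state_change_callback_customize.h"
#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
#include "sec_comp_enhance_data.h"
#endif
#ifdef TOKEN_SYNC_ENABLE
#include "token_sync_kit_interface.h"
#endif // TOKEN_SYNC_ENABLE

namespace OHOS {
namespace Security {
namespace AccessToken {
/**
 * @brief Declares AccessTokenKit class
 *
 * Every member is a static function; the class only groups the access token
 * interfaces and holds no state of its own in this header.
 *
 * NOTE(review): this header does not say which callers may invoke the
 * state-changing methods (token allocation/deletion, grant, revoke, policy
 * updates). Caller authorization is presumably enforced behind these
 * interfaces -- confirm before exposing them to less trusted code.
 */
class AccessTokenKit {
public:
    /**
     * @brief Get permission used type by tokenID.
     * @param tokenID token id
     * @param permissionName permission to be checked
     * @return enum PermUsedTypeEnum, see access_token.h
     */
    static PermUsedTypeEnum GetPermissionUsedType(AccessTokenID tokenID, const std::string& permissionName);

    /**
     * @brief Grant the input permission to the input tokenID for a specified time.
     * @param tokenID token id
     * @param permissionName permission name
     * @param onceTime length of time the grant applies for, in seconds
     * @return error code, see access_token_error.h
     */
    static int GrantPermissionForSpecifiedTime(
        AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime);

    /**
     * @brief Create a unique hap token by input values.
     * @param info reference to struct HapInfoParams, see hap_token_info.h
     * @param policy reference to struct HapPolicyParams, see hap_token_info.h
     * @return union AccessTokenIDEx, see access_token.h
     */
    static AccessTokenIDEx AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy);
    /**
     * @brief Create a unique hap token by input values and init the permission state.
     * @param info reference to struct HapInfoParams, see hap_token_info.h
     * @param policy reference to struct HapPolicyParams, see hap_token_info.h.
     *        NOTE(review): taken by non-const reference, so the call may modify
     *        it -- confirm against the implementation.
     * @param fullTokenId receives the created token (union AccessTokenIDEx, see access_token.h)
     * @return error code, see access_token_error.h; read fullTokenId only after
     *         checking this value
     */
    static int32_t InitHapToken(const HapInfoParams& info, HapPolicyParams& policy, AccessTokenIDEx& fullTokenId);
    /**
     * @brief Create a unique hap token by input values and init the permission state.
     * @param info reference to struct HapInfoParams, see hap_token_info.h
     * @param policy reference to struct HapPolicyParams, see hap_token_info.h.
     *        NOTE(review): taken by non-const reference, so the call may modify
     *        it -- confirm against the implementation.
     * @param fullTokenId receives the created token (union AccessTokenIDEx, see access_token.h)
     * @param result struct HapInfoCheckResult, see hap_token_info.h
     * @return error code, see access_token_error.h; read fullTokenId only after
     *         checking this value
     */
    static int32_t InitHapToken(const HapInfoParams& info, HapPolicyParams& policy,
        AccessTokenIDEx& fullTokenId, HapInfoCheckResult& result);
    /**
     * @brief Create a unique mapping token binding remote tokenID and DeviceID.
     * @param remoteDeviceID remote device deviceID
     * @param remoteTokenID remote device tokenID
     * @return local tokenID mapped to the remote token
     */
    static AccessTokenID AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID);
    /**
     * @brief Update hap token info.
     * @param tokenIdEx reference to union AccessTokenIDEx, see access_token.h
     * @param info struct UpdateHapInfoParams. Earlier documentation listed
     *        isSystemApp, appIDDesc and apiVersion as separate parameters;
     *        presumably they are now carried in this struct -- TODO confirm.
     * @param policy reference to struct HapPolicyParams, see hap_token_info.h
     * @return error code, see access_token_error.h
     */
    static int32_t UpdateHapToken(
        AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, const HapPolicyParams& policy);
    /**
     * @brief Update hap token info.
     * @param tokenIdEx reference to union AccessTokenIDEx, see access_token.h
     * @param info struct UpdateHapInfoParams. Earlier documentation listed
     *        isSystemApp, appIDDesc and apiVersion as separate parameters;
     *        presumably they are now carried in this struct -- TODO confirm.
     * @param policy reference to struct HapPolicyParams, see hap_token_info.h
     * @param result struct HapInfoCheckResult, see hap_token_info.h
     * @return error code, see access_token_error.h
     */
    static int32_t UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info,
        const HapPolicyParams& policy, HapInfoCheckResult& result);
    /**
     * @brief Delete token info.
     * @param tokenID token id
     * @return error code, see access_token_error.h
     */
    static int DeleteToken(AccessTokenID tokenID);
    /**
     * @brief Get token type by ATM service.
     * @param tokenID token id
     * @return token type enum, see access_token.h
     */
    static ATokenTypeEnum GetTokenType(AccessTokenID tokenID);
    /**
     * @brief Get token type from flag in tokenId, which doesn't depend on ATM service.
     *
     * NOTE(review): because the ATM service is not consulted, this presumably
     * cannot tell whether the token is still registered -- confirm before
     * using the result on its own for an authorization decision.
     *
     * @param tokenID token id
     * @return token type enum, see access_token.h
     */
    static ATokenTypeEnum GetTokenTypeFlag(AccessTokenID tokenID);
    /**
     * @brief Get token type by ATM service; overload taking a FullTokenID
     *        (documented as a 64-bit value).
     * @param tokenID token id
     * @return token type enum, see access_token.h
     */
    static ATokenTypeEnum GetTokenType(FullTokenID tokenID);
    /**
     * @brief Get token type from flag in tokenId, which doesn't depend
     *        on ATM service; overload taking a FullTokenID (documented as a
     *        64-bit value).
     *
     * NOTE(review): because the ATM service is not consulted, this presumably
     * cannot tell whether the token is still registered -- confirm before
     * using the result on its own for an authorization decision.
     *
     * @param tokenID token id
     * @return token type enum, see access_token.h
     */
    static ATokenTypeEnum GetTokenTypeFlag(FullTokenID tokenID);
    /**
     * @brief Get token id by user id.
     * @param userID user id
     * @param tokenIdList token id list, as query result
     * @return error code, see access_token_error.h
     */
    static int32_t GetTokenIDByUserID(int32_t userID, std::unordered_set<AccessTokenID>& tokenIdList);
    /**
     * @brief Query hap tokenID by input params.
     * @param userID user id
     * @param bundleName bundle name
     * @param instIndex inst index
     * @return token id if it exists, or 0 if it does not; callers must treat 0
     *         as "not found" rather than as a usable token id
     */
    static AccessTokenID GetHapTokenID(int32_t userID, const std::string& bundleName, int32_t instIndex);
    /**
     * @brief Query hap token attribute by input params.
     * @param userID user id
     * @param bundleName bundle name
     * @param instIndex inst index
     * @return union AccessTokenIDEx, see access_token.h
     */
    static AccessTokenIDEx GetHapTokenIDEx(int32_t userID, const std::string& bundleName, int32_t instIndex);
    /**
     * @brief Get hap token info by token id.
     * @param tokenID token id
     * @param hapTokenInfoRes reference to HapTokenInfo, as query result
     * @return error code, see access_token_error.h
     */
    static int GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes);
    /**
     * @brief Get native token info by token id.
     * @param tokenID token id
     * @param nativeTokenInfoRes reference to NativeTokenInfo, as query result
     * @return error code, see access_token_error.h
     */
    static int GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes);
    /**
     * @brief Check if the input tokenID has been granted the input permission.
     *
     * The int result is a PermissionState value, not a boolean: compare it
     * with PERMISSION_GRANTED explicitly instead of testing it for truthiness.
     *
     * @param tokenID token id
     * @param permissionName permission to be checked
     * @return enum PermissionState, see access_token.h
     */
    static int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName);
    /**
     * @brief Check if the input tokenID has been granted the input permission.
     *
     * The int result is a PermissionState value, not a boolean: compare it
     * with PERMISSION_GRANTED explicitly instead of testing it for truthiness.
     *
     * NOTE(review): this header does not say how the two token ids are
     * combined (both must hold the permission, or only one of them) --
     * confirm before relying on this overload for call-chain checks.
     *
     * @param callerTokenID the tokenID of caller native process or hap process
     * @param firstTokenID the tokenID of first caller native process or hap process
     * @param permissionName permission to be checked
     * @return enum PermissionState, see access_token.h
     */
    static int VerifyAccessToken(
        AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName);
    /**
     * @brief Check if the input tokenID has been granted the input permission.
     *
     * The int result is a PermissionState value, not a boolean: compare it
     * with PERMISSION_GRANTED explicitly instead of testing it for truthiness.
     *
     * @param tokenID token id
     * @param permissionName permission to be checked
     * @param crossIpc whether to cross ipc
     * @return enum PermissionState, see access_token.h
     */
    static int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName, bool crossIpc);
    /**
     * @brief Check if the input tokenID has been granted the input permission.
     *
     * The int result is a PermissionState value, not a boolean: compare it
     * with PERMISSION_GRANTED explicitly instead of testing it for truthiness.
     *
     * NOTE(review): this header does not say how the two token ids are
     * combined (both must hold the permission, or only one of them) --
     * confirm before relying on this overload for call-chain checks.
     *
     * @param callerTokenID the tokenID of caller native process or hap process
     * @param firstTokenID the tokenID of first caller native process or hap process
     * @param permissionName permission to be checked
     * @param crossIpc whether to cross ipc
     * @return enum PermissionState, see access_token.h
     */
    static int VerifyAccessToken(AccessTokenID callerTokenID,
        AccessTokenID firstTokenID, const std::string& permissionName, bool crossIpc);
    /**
     * @brief Check if the input tokenID has been granted the input permission list.
     *
     * Unlike the single-permission overloads, the return value here is an
     * error code and the per-permission results are delivered through
     * permStateList. Check the return value before reading permStateList; its
     * contents after a failed call are not specified in this header.
     *
     * @param tokenID token id
     * @param permissionList permission list to be checked
     * @param permStateList enum PermissionState list, as result
     * @param crossIpc whether to cross ipc
     * @return error code, see access_token_error.h
     */
    static int VerifyAccessToken(AccessTokenID tokenID, const std::vector<std::string>& permissionList,
        std::vector<int32_t>& permStateList, bool crossIpc = false);

    /**
     * @brief Get permission definition by permission name.
     * @param permissionName permission name
     * @param permissionDefResult reference to PermissionDef, as query result
     * @return error code, see access_token_error.h
     */
    static int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult);
    /**
     * @brief Get all requested permission full state by token id and grant mode.
     * @param tokenID token id
     * @param reqPermList reference to PermissionStateFull list, as query result
     * @param isSystemGrant grant mode
     * @return error code, see access_token_error.h
     */
    static int GetReqPermissions(
        AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant);
    /**
     * @brief Get permission grant flag
     * @param tokenID token id
     * @param permissionName permission name
     * @param flag the permission grant flag, as query result
     * @return error code, see access_token_error.h
     */
    static int GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag);
    /**
     * @brief Set permission request toggle status
     * @param permissionName permission name
     * @param status the permission request toggle status to set
     * @param userID the userID
     * @return error code, see access_token_error.h
     */
    static int32_t SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status, int32_t userID);
    /**
     * @brief Get permission request toggle status
     * @param permissionName permission name
     * @param status the permission request toggle status, as query result
     * @param userID the userID
     * @return error code, see access_token_error.h
     */
    static int32_t GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status,
        int32_t userID);
    /**
     * @brief Starts the permission manager page of an application.
     * @param tokenID token id
     * @return error code, see access_token_error.h
     */
    static int32_t RequestAppPermOnSetting(AccessTokenID tokenID);
    /**
     * @brief Get self permission status
     * @param permissionName permission name
     * @param status the permission status, as query result
     * @return error code, see access_token_error.h
     */
    static int32_t GetSelfPermissionStatus(const std::string& permissionName, PermissionOper& status);
    /**
     * @brief Get requested permission grant result
     * @param permList reference to PermissionListState list, as input and query result
     * @param info reference to PermissionGrantInfo; presumably filled with the
     *        permission manager application info, as in
     *        GetPermissionManagerInfo -- TODO confirm
     * @return enum PermissionOper, see access_token.h
     */
    static PermissionOper GetSelfPermissionsState(std::vector<PermissionListState>& permList,
        PermissionGrantInfo& info);
    /**
     * @brief Get requested permissions status
     * @param tokenID token id
     * @param permList reference to PermissionListState list, as input and query result
     * @return error code, see access_token_error.h
     */
    static int32_t GetPermissionsStatus(AccessTokenID tokenID, std::vector<PermissionListState>& permList);
    /**
     * @brief Grant input permission to input tokenID with input flag.
     * @param tokenID token id
     * @param permissionName permission name
     * @param flag enum PermissionFlag, see access_token.h
     * @return error code, see access_token_error.h
     */
    static int GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag);
    /**
     * @brief Revoke input permission from input tokenID with input flag.
     * @param tokenID token id
     * @param permissionName permission name
     * @param flag enum PermissionFlag, see access_token.h
     * @return error code, see access_token_error.h
     */
    static int RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag);
    /**
     * @brief Clear all user granted permissions state in input tokenID.
     * @param tokenID token id
     * @return error code, see access_token_error.h
     */
    static int ClearUserGrantedPermissionState(AccessTokenID tokenID);
    /**
     * @brief Register permission state change callback.
     * @param callback shared pointer to a PermStateChangeCallbackCustomize object
     * @return error code, see access_token_error.h
     */
    static int32_t RegisterPermStateChangeCallback(
        const std::shared_ptr<PermStateChangeCallbackCustomize>& callback);
    /**
     * @brief Unregister permission state change callback.
     * @param callback shared pointer to a PermStateChangeCallbackCustomize object
     * @return error code, see access_token_error.h
     */
    static int32_t UnRegisterPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize>& callback);
    /**
     * @brief Register permission state change callback for app.
     * @param callback shared pointer to a PermStateChangeCallbackCustomize object
     * @return error code, see access_token_error.h
     */
    static int32_t RegisterSelfPermStateChangeCallback(
        const std::shared_ptr<PermStateChangeCallbackCustomize>& callback);
    /**
     * @brief Unregister permission state change callback for app.
     * @param callback shared pointer to a PermStateChangeCallbackCustomize object
     * @return error code, see access_token_error.h
     */
    static int32_t UnRegisterSelfPermStateChangeCallback(
        const std::shared_ptr<PermStateChangeCallbackCustomize>& callback);
    /**
     * @brief Get current version.
     * @param version access token version, as query result
     * @return error code, see access_token_error.h
     */
    static int32_t GetVersion(uint32_t& version);
    /**
     * @brief Get hap dlp flag by input tokenID.
     * @param tokenID token id
     * @return dlp flag in tokenID bitmap, or default -1
     */
    static int32_t GetHapDlpFlag(AccessTokenID tokenID);
    /**
     * @brief Reload native token info.
     * @return error code, see access_token_error.h
     */
    static int32_t ReloadNativeTokenInfo();
    /**
     * @brief Get tokenID by native process name.
     * @param processName native process name
     * @return token id of native process
     */
    static AccessTokenID GetNativeTokenId(const std::string& processName);

    /**
     * @brief Get hap token extension info by token id.
     * @param tokenID token id
     * @param info HapTokenInfoExt, which includes the appID, as query result
     * @return error code, see access_token_error.h
     */
    static int GetHapTokenInfoExtension(AccessTokenID tokenID, HapTokenInfoExt& info);

    /**
     * @brief Set permission dialog capability
     * @param hapBaseInfo base information of hap
     * @param enable status of enable dialog
     * @return error code, see access_token_error.h
     */
    static int32_t SetPermDialogCap(const HapBaseInfo& hapBaseInfo, bool enable);

#ifdef TOKEN_SYNC_ENABLE
    /**
     * @brief Get remote hap token info by remote token id.
     * @param tokenID remote token id
     * @param hapSync reference to HapTokenInfoForSync, as query result
     * @return error code, see access_token_error.h
     */
    static int GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSync& hapSync);

    /**
     * @brief Set remote hap token info with remote deviceID.
     * @param deviceID remote deviceID
     * @param hapSync hap token info to set
     * @return error code, see access_token_error.h
     */
    static int SetRemoteHapTokenInfo(const std::string& deviceID, const HapTokenInfoForSync& hapSync);
    /**
     * @brief Delete remote token by remote deviceID and remote tokenID.
     * @param deviceID remote deviceID
     * @param tokenID remote tokenID
     * @return error code, see access_token_error.h
     */
    static int DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID);
    /**
     * @brief Get local mapping native tokenID by remote deviceID
     *        and remote tokenID.
     * @param deviceID remote deviceID
     * @param tokenID remote tokenID
     * @return token id of mapping native tokenID
     */
    static AccessTokenID GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID);
    /**
     * @brief Delete remote tokens by remote deviceID.
     * @param deviceID remote deviceID
     * @return error code, see access_token_error.h
     */
    static int DeleteRemoteDeviceTokens(const std::string& deviceID);
    /**
     * @brief Register a token sync service callback
     * @param syncCallback token sync class
     * @return error code, see access_token_error.h
     */
    static int32_t RegisterTokenSyncCallback(const std::shared_ptr<TokenSyncKitInterface>& syncCallback);
    /**
     * @brief Unregister a token sync service callback
     *
     * Takes no arguments; the callback to remove is not named by the caller.
     *
     * @return error code, see access_token_error.h
     */
    static int32_t UnRegisterTokenSyncCallback();
#endif
    /**
     * @brief Dump all token infos in the cache.
     * @param info dump parameters (struct AtmToolsParamInfo). Earlier
     *        documentation described a token id that, when valid, restricts
     *        the dump to that token; presumably it is now a field of this
     *        struct -- TODO confirm.
     * @param dumpInfo receives the dumped token info. The dump may describe
     *        every cached token, so handle the string as sensitive output.
     */
    static void DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo);
    /**
     * @brief Get application info of permission manager.
     * @param info application info of permission manager, as query result
     */
    static void GetPermissionManagerInfo(PermissionGrantInfo& info);

    /**
     * @brief Set user permission policy
     * @param userList list of user id.
     * @param permList list of permission
     * @return error code, see access_token_error.h
     */
    static int32_t InitUserPolicy(const std::vector<UserState>& userList, const std::vector<std::string>& permList);

    /**
     * @brief Update user permission policy
     * @param userList list of user id.
     * @return error code, see access_token_error.h
     */
    static int32_t UpdateUserPolicy(const std::vector<UserState>& userList);

    /**
     * @brief Clear user permission policy
     * @return error code, see access_token_error.h
     */
    static int32_t ClearUserPolicy();

    /**
     * @brief Whether it is a system application
     *
     * NOTE(review): the parameter is a raw uint64_t rather than FullTokenID.
     * Presumably the full 64-bit token id is required and a widened 32-bit
     * AccessTokenID would not carry the needed attribute bits -- TODO confirm.
     *
     * @param tokenId token id.
     * @return bool
     */
    static bool IsSystemAppByFullTokenID(uint64_t tokenId);

    /**
     * @brief Gets the render process tokenId.
     * @param tokenId token id.
     * @return tokenId
     */
    static uint64_t GetRenderTokenID(uint64_t tokenId);

    /**
     * @brief Get kernel permission and value by token id.
     * @param tokenID token id
     * @param kernelPermList reference to PermissionWithValue list, as query result
     * @return error code, see access_token_error.h
     */
    static int32_t GetKernelPermissions(AccessTokenID tokenID, std::vector<PermissionWithValue>& kernelPermList);

    /**
     * @brief Get extended value of permission by token id and permission name.
     * @param tokenID token id
     * @param permissionName permission name
     * @param value as result
     * @return error code, see access_token_error.h
     */
    static int32_t GetReqPermissionByName(
        AccessTokenID tokenID, const std::string& permissionName, std::string& value);
#ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
    /**
     * @brief Register security component enhance data when security component service did not start
     * @param enhance enhance data
     * @return error code, see access_token_error.h
     */
    static int32_t RegisterSecCompEnhance(const SecCompEnhanceData& enhance);
    /**
     * @brief Update security component enhance data
     * @param pid process id
     * @param seqNum sequence number
     * @return error code, see access_token_error.h
     */
    static int32_t UpdateSecCompEnhance(int32_t pid, uint32_t seqNum);
    /**
     * @brief Get security component enhance data
     * @param pid process id
     * @param enhance enhance data, as query result
     * @return error code, see access_token_error.h
     */
    static int32_t GetSecCompEnhance(int32_t pid, SecCompEnhanceData& enhance);
#endif

    /**
     * @brief Whether it is an atomic service
     *
     * NOTE(review): the parameter is a raw uint64_t rather than FullTokenID.
     * Presumably the full 64-bit token id is required and a widened 32-bit
     * AccessTokenID would not carry the needed attribute bits -- TODO confirm.
     *
     * @param tokenId token id.
     * @return bool
     */
    static bool IsAtomicServiceByFullTokenID(uint64_t tokenId);

    /**
     * @brief Whether the process needs to show the toast
     * @param pid process id
     * @return bool
     */
    static bool IsToastShownNeeded(int32_t pid);

    /**
     * @brief Set multiple permissions status and flag with policy.
     *
     * NOTE(review): tokenID is declared as uint32_t here while the other
     * methods of this class use AccessTokenID -- confirm the two are the same
     * type before changing either.
     *
     * @param tokenID token id
     * @param permissionList permission list to be set
     * @param status the permission status to be set
     * @param flag enum PermissionFlag, see access_token.h
     * @return error code, see access_token_error.h
     */
    static int32_t SetPermissionStatusWithPolicy(
        uint32_t tokenID, const std::vector<std::string>& permissionList, int32_t status, uint32_t flag);
};
} // namespace AccessToken
} // namespace Security
} // namespace OHOS
#endif // INTERFACES_INNER_KITS_ACCESSTOKEN_KIT_H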