1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_kit.h"
17 #include <cinttypes>
18 #include <string>
19 #include <vector>
20 #include "accesstoken_common_log.h"
21 #include "access_token_error.h"
22 #include "accesstoken_manager_client.h"
23 #include "constant_common.h"
24 #include "data_validator.h"
25 #include "hap_token_info.h"
26 #include "permission_def.h"
27 #include "permission_map.h"
28 #include "perm_setproc.h"
29 #include "perm_state_change_callback_customize.h"
30 #include "tokenid_kit.h"
31 #include "token_setproc.h"
32
33 namespace OHOS {
34 namespace Security {
35 namespace AccessToken {
36 namespace {
37 static const uint64_t SYSTEM_APP_MASK = (static_cast<uint64_t>(1) << 32);
38 static const uint64_t ATOMIC_SERVICE_MASK = (static_cast<uint64_t>(1) << 33);
39 static const uint64_t TOKEN_ID_LOWMASK = 0xffffffff;
40 static const int INVALID_DLP_TOKEN_FLAG = -1;
41 static const int FIRSTCALLER_TOKENID_DEFAULT = 0;
42 static const int MAX_LENGTH = 256;
43 } // namespace
44
GetPermissionUsedType(AccessTokenID tokenID,const std::string & permissionName)45 PermUsedTypeEnum AccessTokenKit::GetPermissionUsedType(
46 AccessTokenID tokenID, const std::string& permissionName)
47 {
48 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permissionName=%{public}s.",
49 tokenID, permissionName.c_str());
50 if ((tokenID == INVALID_TOKENID) || (!DataValidator::IsPermissionNameValid(permissionName))) {
51 LOGE(ATM_DOMAIN, ATM_TAG, "Input param failed.");
52 return PermUsedTypeEnum::INVALID_USED_TYPE;
53 }
54 return AccessTokenManagerClient::GetInstance().GetPermissionUsedType(tokenID, permissionName);
55 }
56
GrantPermissionForSpecifiedTime(AccessTokenID tokenID,const std::string & permissionName,uint32_t onceTime)57 int AccessTokenKit::GrantPermissionForSpecifiedTime(
58 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
59 {
60 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permissionName=%{public}s, onceTime=%{public}d.",
61 tokenID, permissionName.c_str(), onceTime);
62 if (tokenID == INVALID_TOKENID) {
63 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid tokenID");
64 return AccessTokenError::ERR_PARAM_INVALID;
65 }
66 if (!DataValidator::IsPermissionNameValid(permissionName)) {
67 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid permissionName");
68 return AccessTokenError::ERR_PARAM_INVALID;
69 }
70 return AccessTokenManagerClient::GetInstance().GrantPermissionForSpecifiedTime(tokenID, permissionName, onceTime);
71 }
72
IsRenderToken(AccessTokenID tokenID)73 static bool IsRenderToken(AccessTokenID tokenID)
74 {
75 AccessTokenIDInner* idInner = reinterpret_cast<AccessTokenIDInner*>(&tokenID);
76 return idInner->renderFlag;
77 }
78
TransferHapPolicyParams(const HapPolicyParams & policyIn,HapPolicy & policyOut)79 static void TransferHapPolicyParams(const HapPolicyParams& policyIn, HapPolicy& policyOut)
80 {
81 policyOut.apl = policyIn.apl;
82 policyOut.domain = policyIn.domain;
83 policyOut.permList.assign(policyIn.permList.begin(), policyIn.permList.end());
84 policyOut.aclRequestedList.assign(policyIn.aclRequestedList.begin(), policyIn.aclRequestedList.end());
85 policyOut.preAuthorizationInfo.assign(policyIn.preAuthorizationInfo.begin(), policyIn.preAuthorizationInfo.end());
86 for (const auto& perm : policyIn.permStateList) {
87 PermissionStatus tmp;
88 tmp.permissionName = perm.permissionName;
89 tmp.grantStatus = perm.grantStatus[0];
90 tmp.grantFlag = perm.grantFlags[0];
91 policyOut.permStateList.emplace_back(tmp);
92 }
93 policyOut.checkIgnore = policyIn.checkIgnore;
94 policyOut.aclExtendedMap = policyIn.aclExtendedMap;
95 }
96
AllocHapToken(const HapInfoParams & info,const HapPolicyParams & policy)97 AccessTokenIDEx AccessTokenKit::AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy)
98 {
99 AccessTokenIDEx res = {0};
100 LOGI(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d, bundleName :%{public}s, \
101 permList: %{public}zu, stateList: %{public}zu, checkIgnore: %{public}d, isAtomicService: %{public}d",
102 info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size(), policy.checkIgnore,
103 info.isAtomicService);
104 if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) ||
105 !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) ||
106 !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType)) {
107 LOGE(ATM_DOMAIN, ATM_TAG, "Input param failed");
108 return res;
109 }
110 HapPolicy newPolicy;
111 TransferHapPolicyParams(policy, newPolicy);
112 return AccessTokenManagerClient::GetInstance().AllocHapToken(info, newPolicy);
113 }
114
InitHapToken(const HapInfoParams & info,HapPolicyParams & policy,AccessTokenIDEx & fullTokenId)115 int32_t AccessTokenKit::InitHapToken(const HapInfoParams& info, HapPolicyParams& policy,
116 AccessTokenIDEx& fullTokenId)
117 {
118 HapInfoCheckResult result;
119 return InitHapToken(info, policy, fullTokenId, result);
120 }
121
InitHapToken(const HapInfoParams & info,HapPolicyParams & policy,AccessTokenIDEx & fullTokenId,HapInfoCheckResult & result)122 int32_t AccessTokenKit::InitHapToken(const HapInfoParams& info, HapPolicyParams& policy,
123 AccessTokenIDEx& fullTokenId, HapInfoCheckResult& result)
124 {
125 LOGI(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d, bundleName :%{public}s, permList: %{public}zu, "
126 "stateList: %{public}zu, aclExtendedMap: %{public}zu, checkIgnore: %{public}d, isAtomicService: %{public}d",
127 info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size(),
128 policy.aclExtendedMap.size(), policy.checkIgnore, info.isAtomicService);
129 if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) ||
130 !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) ||
131 !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType) ||
132 !DataValidator::IsAclExtendedMapSizeValid(policy.aclExtendedMap)) {
133 LOGE(ATM_DOMAIN, ATM_TAG, "Input param failed");
134 return AccessTokenError::ERR_PARAM_INVALID;
135 }
136 HapPolicy newPolicy;
137 TransferHapPolicyParams(policy, newPolicy);
138 return AccessTokenManagerClient::GetInstance().InitHapToken(info, newPolicy, fullTokenId, result);
139 }
140
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)141 AccessTokenID AccessTokenKit::AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID)
142 {
143 LOGI(ATM_DOMAIN, ATM_TAG, "DeviceID=%{public}s, tokenID=%{public}d",
144 ConstantCommon::EncryptDevId(remoteDeviceID).c_str(), remoteTokenID);
145 #ifdef DEBUG_API_PERFORMANCE
146 LOGD(ATM_DOMAIN, ATM_TAG, "Api_performance:start call");
147 AccessTokenID resID = AccessTokenManagerClient::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
148 LOGD(ATM_DOMAIN, ATM_TAG, "Api_performance:end call");
149 return resID;
150 #else
151 return AccessTokenManagerClient::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
152 #endif
153 }
154
UpdateHapToken(AccessTokenIDEx & tokenIdEx,const UpdateHapInfoParams & info,const HapPolicyParams & policy)155 int32_t AccessTokenKit::UpdateHapToken(
156 AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, const HapPolicyParams& policy)
157 {
158 HapInfoCheckResult result;
159 return UpdateHapToken(tokenIdEx, info, policy, result);
160 }
161
UpdateHapToken(AccessTokenIDEx & tokenIdEx,const UpdateHapInfoParams & info,const HapPolicyParams & policy,HapInfoCheckResult & result)162 int32_t AccessTokenKit::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info,
163 const HapPolicyParams& policy, HapInfoCheckResult& result)
164 {
165 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, isSystemApp: %{public}d, \
166 permList: %{public}zu, stateList: %{public}zu, aclExtendedMap: %{public}zu, checkIgnore: %{public}d, \
167 isAtomicService: %{public}d",
168 tokenIdEx.tokenIdExStruct.tokenID, info.isSystemApp, policy.permList.size(), policy.permStateList.size(),
169 policy.aclExtendedMap.size(), policy.checkIgnore, info.isAtomicService);
170 if ((tokenIdEx.tokenIdExStruct.tokenID == INVALID_TOKENID) || (!DataValidator::IsAppIDDescValid(info.appIDDesc)) ||
171 (!DataValidator::IsAplNumValid(policy.apl)) ||
172 !DataValidator::IsAclExtendedMapSizeValid(policy.aclExtendedMap)) {
173 LOGE(ATM_DOMAIN, ATM_TAG, "Input param failed");
174 return AccessTokenError::ERR_PARAM_INVALID;
175 }
176 HapPolicy newPolicy;
177 TransferHapPolicyParams(policy, newPolicy);
178 return AccessTokenManagerClient::GetInstance().UpdateHapToken(tokenIdEx, info, newPolicy, result);
179 }
180
DeleteToken(AccessTokenID tokenID)181 int AccessTokenKit::DeleteToken(AccessTokenID tokenID)
182 {
183 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
184 if (tokenID == INVALID_TOKENID) {
185 return AccessTokenError::ERR_PARAM_INVALID;
186 }
187 return AccessTokenManagerClient::GetInstance().DeleteToken(tokenID);
188 }
189
GetTokenType(AccessTokenID tokenID)190 ATokenTypeEnum AccessTokenKit::GetTokenType(AccessTokenID tokenID) __attribute__((no_sanitize("cfi")))
191 {
192 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
193 if (tokenID == INVALID_TOKENID) {
194 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid.");
195 return TOKEN_INVALID;
196 }
197 return AccessTokenManagerClient::GetInstance().GetTokenType(tokenID);
198 }
199
GetTokenTypeFlag(AccessTokenID tokenID)200 ATokenTypeEnum AccessTokenKit::GetTokenTypeFlag(AccessTokenID tokenID)
201 {
202 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
203 if (tokenID == INVALID_TOKENID) {
204 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
205 return TOKEN_INVALID;
206 }
207 AccessTokenIDInner* idInner = reinterpret_cast<AccessTokenIDInner*>(&tokenID);
208 return static_cast<ATokenTypeEnum>(idInner->type);
209 }
210
GetTokenType(FullTokenID tokenID)211 ATokenTypeEnum AccessTokenKit::GetTokenType(FullTokenID tokenID)
212 {
213 AccessTokenID id = tokenID & TOKEN_ID_LOWMASK;
214 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", id);
215 if (id == INVALID_TOKENID) {
216 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
217 return TOKEN_INVALID;
218 }
219 return AccessTokenManagerClient::GetInstance().GetTokenType(id);
220 }
221
GetTokenTypeFlag(FullTokenID tokenID)222 ATokenTypeEnum AccessTokenKit::GetTokenTypeFlag(FullTokenID tokenID)
223 {
224 AccessTokenID id = tokenID & TOKEN_ID_LOWMASK;
225 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", id);
226 if (id == INVALID_TOKENID) {
227 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
228 return TOKEN_INVALID;
229 }
230 AccessTokenIDInner* idInner = reinterpret_cast<AccessTokenIDInner*>(&id);
231 return static_cast<ATokenTypeEnum>(idInner->type);
232 }
233
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)234 AccessTokenID AccessTokenKit::GetHapTokenID(
235 int32_t userID, const std::string& bundleName, int32_t instIndex) __attribute__((no_sanitize("cfi")))
236 {
237 LOGD(ATM_DOMAIN, ATM_TAG, "UserID=%{public}d, bundleName=%{public}s, instIndex=%{public}d.",
238 userID, bundleName.c_str(), instIndex);
239 if ((!DataValidator::IsUserIdValid(userID)) || (!DataValidator::IsBundleNameValid(bundleName))) {
240 LOGE(ATM_DOMAIN, ATM_TAG, "Hap token param check failed");
241 return INVALID_TOKENID;
242 }
243 AccessTokenIDEx tokenIdEx =
244 AccessTokenManagerClient::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
245 return tokenIdEx.tokenIdExStruct.tokenID;
246 }
247
GetHapTokenIDEx(int32_t userID,const std::string & bundleName,int32_t instIndex)248 AccessTokenIDEx AccessTokenKit::GetHapTokenIDEx(int32_t userID, const std::string& bundleName, int32_t instIndex)
249 {
250 AccessTokenIDEx tokenIdEx = {0};
251 LOGD(ATM_DOMAIN, ATM_TAG, "UserID=%{public}d, bundleName=%{public}s, instIndex=%{public}d.",
252 userID, bundleName.c_str(), instIndex);
253 if ((!DataValidator::IsUserIdValid(userID)) || (!DataValidator::IsBundleNameValid(bundleName))) {
254 LOGE(ATM_DOMAIN, ATM_TAG, "Hap token param check failed");
255 return tokenIdEx;
256 }
257 return AccessTokenManagerClient::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
258 }
259
GetTokenIDByUserID(int32_t userID,std::unordered_set<AccessTokenID> & tokenIdList)260 int32_t AccessTokenKit::GetTokenIDByUserID(int32_t userID, std::unordered_set<AccessTokenID>& tokenIdList)
261 {
262 LOGD(ATM_DOMAIN, ATM_TAG, "UserID=%{public}d.", userID);
263 if (!DataValidator::IsUserIdValid(userID)) {
264 LOGE(ATM_DOMAIN, ATM_TAG, "UserID=%{public}d is invalid", userID);
265 return AccessTokenError::ERR_PARAM_INVALID;
266 }
267 return AccessTokenManagerClient::GetInstance().GetTokenIDByUserID(userID, tokenIdList);
268 }
269
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfo & hapTokenInfoRes)270 int AccessTokenKit::GetHapTokenInfo(
271 AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes) __attribute__((no_sanitize("cfi")))
272 {
273 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
274 if (GetTokenTypeFlag(tokenID) != TOKEN_HAP) {
275 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID =%{public}d is invalid", tokenID);
276 return AccessTokenError::ERR_PARAM_INVALID;
277 }
278 if (IsRenderToken(tokenID)) {
279 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is render process.", tokenID);
280 return ERR_TOKENID_NOT_EXIST;
281 }
282
283 return AccessTokenManagerClient::GetInstance().GetHapTokenInfo(tokenID, hapTokenInfoRes);
284 }
285
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfo & nativeTokenInfoRes)286 int AccessTokenKit::GetNativeTokenInfo(
287 AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes) __attribute__((no_sanitize("cfi")))
288 {
289 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
290 if (GetTokenTypeFlag(tokenID) != TOKEN_NATIVE && GetTokenTypeFlag(tokenID) != TOKEN_SHELL) {
291 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID =%{public}d is invalid", tokenID);
292 return AccessTokenError::ERR_PARAM_INVALID;
293 }
294 return AccessTokenManagerClient::GetInstance().GetNativeTokenInfo(tokenID, nativeTokenInfoRes);
295 }
296
GetSelfPermissionStatus(const std::string & permissionName,PermissionOper & status)297 int32_t AccessTokenKit::GetSelfPermissionStatus(const std::string& permissionName, PermissionOper& status)
298 {
299 if (permissionName.empty() || permissionName.size() > MAX_LENGTH) {
300 return ERR_PARAM_INVALID;
301 }
302 return AccessTokenManagerClient::GetInstance().GetSelfPermissionStatus(permissionName, status);
303 }
304
GetSelfPermissionsState(std::vector<PermissionListState> & permList,PermissionGrantInfo & info)305 PermissionOper AccessTokenKit::GetSelfPermissionsState(std::vector<PermissionListState>& permList,
306 PermissionGrantInfo& info)
307 {
308 LOGD(ATM_DOMAIN, ATM_TAG, "PermList.size=%{public}zu.", permList.size());
309 return AccessTokenManagerClient::GetInstance().GetSelfPermissionsState(permList, info);
310 }
311
GetPermissionsStatus(AccessTokenID tokenID,std::vector<PermissionListState> & permList)312 int32_t AccessTokenKit::GetPermissionsStatus(AccessTokenID tokenID, std::vector<PermissionListState>& permList)
313 {
314 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permList.size=%{public}zu.", tokenID, permList.size());
315 if (tokenID == INVALID_TOKENID) {
316 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
317 return ERR_PARAM_INVALID;
318 }
319 return AccessTokenManagerClient::GetInstance().GetPermissionsStatus(tokenID, permList);
320 }
321
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName,bool crossIpc)322 int AccessTokenKit::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName, bool crossIpc)
323 {
324 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permissionName=%{public}s, crossIpc=%{public}d.",
325 tokenID, permissionName.c_str(), crossIpc);
326 if (IsRenderToken(tokenID)) {
327 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is render process, perm denied.", tokenID);
328 return PERMISSION_DENIED;
329 }
330 uint32_t code;
331 if (!TransferPermissionToOpcode(permissionName, code)) {
332 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName(%{public}s) is not exist.", permissionName.c_str());
333 return PERMISSION_DENIED;
334 }
335 if (crossIpc) {
336 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
337 }
338 bool isGranted = false;
339 int32_t ret = GetPermissionFromKernel(tokenID, code, isGranted);
340 if (ret != 0) {
341 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
342 }
343 return isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
344 }
345
VerifyAccessToken(AccessTokenID callerTokenID,AccessTokenID firstTokenID,const std::string & permissionName,bool crossIpc)346 int AccessTokenKit::VerifyAccessToken(
347 AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName, bool crossIpc)
348 {
349 LOGD(ATM_DOMAIN, ATM_TAG, "CallerToken=%{public}d, firstToken=%{public}d, permissionName=%{public}s.",
350 callerTokenID, firstTokenID, permissionName.c_str());
351 int ret = AccessTokenKit::VerifyAccessToken(callerTokenID, permissionName, crossIpc);
352 if (ret != PERMISSION_GRANTED) {
353 return ret;
354 }
355 if (firstTokenID == FIRSTCALLER_TOKENID_DEFAULT) {
356 return ret;
357 }
358 return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName, crossIpc);
359 }
360
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)361 int AccessTokenKit::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
362 {
363 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permissionName=%{public}s.",
364 tokenID, permissionName.c_str());
365 if (IsRenderToken(tokenID)) {
366 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is render process, perm denied.", tokenID);
367 return PERMISSION_DENIED;
368 }
369 uint32_t code;
370 if (!TransferPermissionToOpcode(permissionName, code)) {
371 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName(%{public}s) is not exist.", permissionName.c_str());
372 return PERMISSION_DENIED;
373 }
374 bool isGranted = false;
375 int32_t ret = GetPermissionFromKernel(tokenID, code, isGranted);
376 if (ret != 0) {
377 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
378 }
379 return isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
380 }
381
VerifyAccessToken(AccessTokenID callerTokenID,AccessTokenID firstTokenID,const std::string & permissionName)382 int AccessTokenKit::VerifyAccessToken(
383 AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName)
384 {
385 LOGD(ATM_DOMAIN, ATM_TAG, "CallerToken=%{public}d, firstToken=%{public}d, permissionName=%{public}s.",
386 callerTokenID, firstTokenID, permissionName.c_str());
387 int ret = AccessTokenKit::VerifyAccessToken(callerTokenID, permissionName);
388 if (ret != PERMISSION_GRANTED) {
389 return ret;
390 }
391 if (firstTokenID == FIRSTCALLER_TOKENID_DEFAULT) {
392 return ret;
393 }
394 return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName);
395 }
396
VerifyAccessToken(AccessTokenID tokenID,const std::vector<std::string> & permissionList,std::vector<int32_t> & permStateList,bool crossIpc)397 int AccessTokenKit::VerifyAccessToken(AccessTokenID tokenID, const std::vector<std::string>& permissionList,
398 std::vector<int32_t>& permStateList, bool crossIpc)
399 {
400 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permissionlist.size=%{public}zu, crossIpc=%{public}d.",
401 tokenID, permissionList.size(), crossIpc);
402 permStateList.clear();
403 if (IsRenderToken(tokenID)) {
404 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is render process, perm denied.", tokenID);
405 permStateList.resize(permissionList.size(), PERMISSION_DENIED);
406 return RET_SUCCESS;
407 }
408 if (crossIpc) {
409 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionList, permStateList);
410 }
411
412 permStateList.resize(permissionList.size(), PERMISSION_DENIED);
413 std::vector<std::string> permListCrossIpc;
414 std::unordered_map<size_t, size_t> permToState;
415 for (size_t i = 0; i < permissionList.size(); i++) {
416 bool isGranted = false;
417 uint32_t code;
418 if (!TransferPermissionToOpcode(permissionList[i], code)) {
419 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName(%{public}s) is not exist.", permissionList[i].c_str());
420 permStateList[i] = PERMISSION_DENIED;
421 continue;
422 }
423 int32_t ret = GetPermissionFromKernel(tokenID, code, isGranted);
424 if (ret != 0) {
425 permToState[permListCrossIpc.size()] = i;
426 permListCrossIpc.emplace_back(permissionList[i]);
427 continue;
428 }
429 permStateList[i] = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
430 }
431 if (!permListCrossIpc.empty()) {
432 std::vector<int32_t> permStateCrossIpc;
433 int ret = AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID,
434 permListCrossIpc, permStateCrossIpc);
435 if (ret != ERR_OK) {
436 return ret;
437 }
438 for (size_t i = 0; i < permStateCrossIpc.size(); i++) {
439 if (permToState.find(i) != permToState.end()) {
440 permStateList[permToState[i]] = permStateCrossIpc[i];
441 }
442 }
443 }
444 return ERR_OK;
445 }
446
GetDefPermission(const std::string & permissionName,PermissionDef & permissionDefResult)447 int AccessTokenKit::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
448 {
449 LOGD(ATM_DOMAIN, ATM_TAG, "PermissionName=%{public}s.", permissionName.c_str());
450 if (!DataValidator::IsPermissionNameValid(permissionName)) {
451 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid");
452 return AccessTokenError::ERR_PARAM_INVALID;
453 }
454
455 PermissionBriefDef briefDef;
456 if (!GetPermissionBriefDef(permissionName, briefDef)) {
457 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
458 }
459
460 if (briefDef.grantMode == GrantMode::SYSTEM_GRANT) {
461 ConvertPermissionBriefToDef(briefDef, permissionDefResult);
462 return 0;
463 }
464
465 return AccessTokenManagerClient::GetInstance().GetDefPermission(permissionName, permissionDefResult);
466 }
467
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFull> & reqPermList,bool isSystemGrant)468 int AccessTokenKit::GetReqPermissions(
469 AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant)
470 {
471 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, isSystemGrant=%{public}d.", tokenID, isSystemGrant);
472 if (tokenID == INVALID_TOKENID) {
473 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
474 return AccessTokenError::ERR_PARAM_INVALID;
475 }
476
477 return AccessTokenManagerClient::GetInstance().GetReqPermissions(tokenID, reqPermList, isSystemGrant);
478 }
479
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)480 int AccessTokenKit::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
481 {
482 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permissionName=%{public}s.",
483 tokenID, permissionName.c_str());
484 if (tokenID == INVALID_TOKENID) {
485 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
486 return AccessTokenError::ERR_PARAM_INVALID;
487 }
488 if (!DataValidator::IsPermissionNameValid(permissionName)) {
489 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid");
490 return AccessTokenError::ERR_PARAM_INVALID;
491 }
492 return AccessTokenManagerClient::GetInstance().GetPermissionFlag(tokenID, permissionName, flag);
493 }
494
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)495 int AccessTokenKit::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
496 {
497 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permissionName=%{public}s, flag=%{public}d.",
498 tokenID, permissionName.c_str(), flag);
499 if (tokenID == INVALID_TOKENID) {
500 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
501 return AccessTokenError::ERR_PARAM_INVALID;
502 }
503 if (IsRenderToken(tokenID)) {
504 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is render process.", tokenID);
505 return ERR_TOKENID_NOT_EXIST;
506 }
507 if (!DataValidator::IsPermissionNameValid(permissionName)) {
508 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid");
509 return AccessTokenError::ERR_PARAM_INVALID;
510 }
511 if (!DataValidator::IsPermissionFlagValid(flag) || DataValidator::IsPermissionFlagValidForAdmin(flag)) {
512 LOGE(ATM_DOMAIN, ATM_TAG, "Flag is invalid");
513 return AccessTokenError::ERR_PARAM_INVALID;
514 }
515 return AccessTokenManagerClient::GetInstance().GrantPermission(tokenID, permissionName, flag);
516 }
517
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)518 int AccessTokenKit::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
519 {
520 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permissionName=%{public}s, flag=%{public}d.",
521 tokenID, permissionName.c_str(), flag);
522 if (tokenID == INVALID_TOKENID) {
523 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid tokenID");
524 return AccessTokenError::ERR_PARAM_INVALID;
525 }
526 if (IsRenderToken(tokenID)) {
527 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is render process.", tokenID);
528 return ERR_TOKENID_NOT_EXIST;
529 }
530 if (!DataValidator::IsPermissionNameValid(permissionName)) {
531 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid permissionName");
532 return AccessTokenError::ERR_PARAM_INVALID;
533 }
534 if (!DataValidator::IsPermissionFlagValid(flag) || DataValidator::IsPermissionFlagValidForAdmin(flag)) {
535 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid flag");
536 return AccessTokenError::ERR_PARAM_INVALID;
537 }
538 return AccessTokenManagerClient::GetInstance().RevokePermission(tokenID, permissionName, flag);
539 }
540
ClearUserGrantedPermissionState(AccessTokenID tokenID)541 int AccessTokenKit::ClearUserGrantedPermissionState(AccessTokenID tokenID)
542 {
543 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
544 if (tokenID == INVALID_TOKENID) {
545 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
546 return AccessTokenError::ERR_PARAM_INVALID;
547 }
548 return AccessTokenManagerClient::GetInstance().ClearUserGrantedPermissionState(tokenID);
549 }
550
SetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t status,int32_t userID=0)551 int32_t AccessTokenKit::SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status,
552 int32_t userID = 0)
553 {
554 LOGD(ATM_DOMAIN, ATM_TAG, "PermissionName=%{public}s, status=%{public}d, userID=%{public}d.",
555 permissionName.c_str(), status, userID);
556 if (!DataValidator::IsPermissionNameValid(permissionName)) {
557 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid.");
558 return AccessTokenError::ERR_PARAM_INVALID;
559 }
560 if (!DataValidator::IsToggleStatusValid(status)) {
561 LOGE(ATM_DOMAIN, ATM_TAG, "Toggle status is invalid.");
562 return AccessTokenError::ERR_PARAM_INVALID;
563 }
564 if (!DataValidator::IsUserIdValid(userID)) {
565 LOGE(ATM_DOMAIN, ATM_TAG, "UserID is invalid.");
566 return AccessTokenError::ERR_PARAM_INVALID;
567 }
568 return AccessTokenManagerClient::GetInstance().SetPermissionRequestToggleStatus(permissionName, status, userID);
569 }
570
GetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t & status,int32_t userID=0)571 int32_t AccessTokenKit::GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status,
572 int32_t userID = 0)
573 {
574 LOGD(ATM_DOMAIN, ATM_TAG, "PermissionName=%{public}s, userID=%{public}d.",
575 permissionName.c_str(), userID);
576 if (!DataValidator::IsPermissionNameValid(permissionName)) {
577 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid.");
578 return AccessTokenError::ERR_PARAM_INVALID;
579 }
580 if (!DataValidator::IsUserIdValid(userID)) {
581 LOGE(ATM_DOMAIN, ATM_TAG, "UserID is invalid.");
582 return AccessTokenError::ERR_PARAM_INVALID;
583 }
584 return AccessTokenManagerClient::GetInstance().GetPermissionRequestToggleStatus(permissionName, status, userID);
585 }
586
RequestAppPermOnSetting(AccessTokenID tokenID)587 int32_t AccessTokenKit::RequestAppPermOnSetting(AccessTokenID tokenID)
588 {
589 LOGD(ATM_DOMAIN, ATM_TAG, "tokenID=%{public}d.", tokenID);
590 if (tokenID == INVALID_TOKENID) {
591 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
592 return AccessTokenError::ERR_PARAM_INVALID;
593 }
594 return AccessTokenManagerClient::GetInstance().RequestAppPermOnSetting(tokenID);
595 }
596
RegisterPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize> & callback)597 int32_t AccessTokenKit::RegisterPermStateChangeCallback(
598 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)
599 {
600 return AccessTokenManagerClient::GetInstance().RegisterPermStateChangeCallback(callback, SYSTEM_REGISTER_TYPE);
601 }
602
UnRegisterPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize> & callback)603 int32_t AccessTokenKit::UnRegisterPermStateChangeCallback(
604 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)
605 {
606 return AccessTokenManagerClient::GetInstance().UnRegisterPermStateChangeCallback(callback, SYSTEM_REGISTER_TYPE);
607 }
608
RegisterSelfPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize> & callback)609 int32_t AccessTokenKit::RegisterSelfPermStateChangeCallback(
610 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)
611 {
612 return AccessTokenManagerClient::GetInstance().RegisterPermStateChangeCallback(callback, SELF_REGISTER_TYPE);
613 }
614
UnRegisterSelfPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize> & callback)615 int32_t AccessTokenKit::UnRegisterSelfPermStateChangeCallback(
616 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)
617 {
618 return AccessTokenManagerClient::GetInstance().UnRegisterPermStateChangeCallback(callback, SELF_REGISTER_TYPE);
619 }
620
GetHapDlpFlag(AccessTokenID tokenID)621 int32_t AccessTokenKit::GetHapDlpFlag(AccessTokenID tokenID)
622 {
623 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
624 if (tokenID == INVALID_TOKENID) {
625 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
626 return INVALID_DLP_TOKEN_FLAG;
627 }
628 AccessTokenIDInner* idInner = reinterpret_cast<AccessTokenIDInner*>(&tokenID);
629 return static_cast<int32_t>(idInner->dlpFlag);
630 }
631
ReloadNativeTokenInfo()632 int32_t AccessTokenKit::ReloadNativeTokenInfo()
633 {
634 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
635 return AccessTokenManagerClient::GetInstance().ReloadNativeTokenInfo();
636 #else
637 return 0;
638 #endif
639 }
640
GetHapTokenInfoExtension(AccessTokenID tokenID,HapTokenInfoExt & info)641 int AccessTokenKit::GetHapTokenInfoExtension(AccessTokenID tokenID, HapTokenInfoExt& info)
642 {
643 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
644 if (GetTokenTypeFlag(tokenID) != TOKEN_HAP) {
645 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID =%{public}d is invalid.", tokenID);
646 return AccessTokenError::ERR_PARAM_INVALID;
647 }
648 if (IsRenderToken(tokenID)) {
649 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is render process.", tokenID);
650 return ERR_TOKENID_NOT_EXIST;
651 }
652
653 return AccessTokenManagerClient::GetInstance().GetHapTokenInfoExtension(tokenID, info);
654 }
655
GetNativeTokenId(const std::string & processName)656 AccessTokenID AccessTokenKit::GetNativeTokenId(const std::string& processName)
657 {
658 if (!DataValidator::IsProcessNameValid(processName)) {
659 LOGE(ATM_DOMAIN, ATM_TAG, "ProcessName is invalid, processName=%{public}s", processName.c_str());
660 return INVALID_TOKENID;
661 }
662 return AccessTokenManagerClient::GetInstance().GetNativeTokenId(processName);
663 }
664
665 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)666 int AccessTokenKit::GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)
667 {
668 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
669 if (tokenID == INVALID_TOKENID) {
670 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
671 return AccessTokenError::ERR_PARAM_INVALID;
672 }
673
674 return AccessTokenManagerClient::GetInstance().GetHapTokenInfoFromRemote(tokenID, hapSync);
675 }
676
SetRemoteHapTokenInfo(const std::string & deviceID,const HapTokenInfoForSync & hapSync)677 int AccessTokenKit::SetRemoteHapTokenInfo(const std::string& deviceID,
678 const HapTokenInfoForSync& hapSync)
679 {
680 LOGD(ATM_DOMAIN, ATM_TAG, "DeviceID=%{public}s, tokenID=%{public}d.",
681 ConstantCommon::EncryptDevId(deviceID).c_str(), hapSync.baseInfo.tokenID);
682 return AccessTokenManagerClient::GetInstance().SetRemoteHapTokenInfo(deviceID, hapSync);
683 }
684
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)685 int AccessTokenKit::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
686 {
687 LOGD(ATM_DOMAIN, ATM_TAG, "DeviceID=%{public}s, tokenID=%{public}d.",
688 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
689 return AccessTokenManagerClient::GetInstance().DeleteRemoteToken(deviceID, tokenID);
690 }
691
DeleteRemoteDeviceTokens(const std::string & deviceID)692 int AccessTokenKit::DeleteRemoteDeviceTokens(const std::string& deviceID)
693 {
694 LOGD(ATM_DOMAIN, ATM_TAG, "DeviceID=%{public}s.", ConstantCommon::EncryptDevId(deviceID).c_str());
695 return AccessTokenManagerClient::GetInstance().DeleteRemoteDeviceTokens(deviceID);
696 }
697
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)698 AccessTokenID AccessTokenKit::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)
699 {
700 LOGD(ATM_DOMAIN, ATM_TAG, "DeviceID=%{public}s., tokenID=%{public}d",
701 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
702 return AccessTokenManagerClient::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
703 }
704
RegisterTokenSyncCallback(const std::shared_ptr<TokenSyncKitInterface> & syncCallback)705 int32_t AccessTokenKit::RegisterTokenSyncCallback(const std::shared_ptr<TokenSyncKitInterface>& syncCallback)
706 {
707 LOGD(ATM_DOMAIN, ATM_TAG, "Call RegisterTokenSyncCallback.");
708 return AccessTokenManagerClient::GetInstance().RegisterTokenSyncCallback(syncCallback);
709 }
710
UnRegisterTokenSyncCallback()711 int32_t AccessTokenKit::UnRegisterTokenSyncCallback()
712 {
713 LOGD(ATM_DOMAIN, ATM_TAG, "Call UnRegisterTokenSyncCallback.");
714 return AccessTokenManagerClient::GetInstance().UnRegisterTokenSyncCallback();
715 }
716 #endif
717
DumpTokenInfo(const AtmToolsParamInfo & info,std::string & dumpInfo)718 void AccessTokenKit::DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo)
719 {
720 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, bundleName=%{public}s, processName=%{public}s.",
721 info.tokenId, info.bundleName.c_str(), info.processName.c_str());
722
723 AccessTokenManagerClient::GetInstance().DumpTokenInfo(info, dumpInfo);
724 }
725
GetVersion(uint32_t & version)726 int32_t AccessTokenKit::GetVersion(uint32_t& version)
727 {
728 return AccessTokenManagerClient::GetInstance().GetVersion(version);
729 }
730
SetPermDialogCap(const HapBaseInfo & hapBaseInfo,bool enable)731 int32_t AccessTokenKit::SetPermDialogCap(const HapBaseInfo& hapBaseInfo, bool enable)
732 {
733 return AccessTokenManagerClient::GetInstance().SetPermDialogCap(hapBaseInfo, enable);
734 }
735
GetPermissionManagerInfo(PermissionGrantInfo & info)736 void AccessTokenKit::GetPermissionManagerInfo(PermissionGrantInfo& info)
737 {
738 AccessTokenManagerClient::GetInstance().GetPermissionManagerInfo(info);
739 }
740
InitUserPolicy(const std::vector<UserState> & userList,const std::vector<std::string> & permList)741 int32_t AccessTokenKit::InitUserPolicy(
742 const std::vector<UserState>& userList, const std::vector<std::string>& permList)
743 {
744 LOGI(ATM_DOMAIN, ATM_TAG, "Enter.");
745 return AccessTokenManagerClient::GetInstance().InitUserPolicy(userList, permList);
746 }
747
UpdateUserPolicy(const std::vector<UserState> & userList)748 int32_t AccessTokenKit::UpdateUserPolicy(const std::vector<UserState>& userList)
749 {
750 LOGI(ATM_DOMAIN, ATM_TAG, "Enter.");
751 return AccessTokenManagerClient::GetInstance().UpdateUserPolicy(userList);
752 }
753
ClearUserPolicy()754 int32_t AccessTokenKit::ClearUserPolicy()
755 {
756 LOGI(ATM_DOMAIN, ATM_TAG, "Enter.");
757 return AccessTokenManagerClient::GetInstance().ClearUserPolicy();
758 }
759
IsSystemAppByFullTokenID(uint64_t tokenId)760 bool AccessTokenKit::IsSystemAppByFullTokenID(uint64_t tokenId)
761 {
762 return (tokenId & SYSTEM_APP_MASK) == SYSTEM_APP_MASK;
763 }
764
GetRenderTokenID(uint64_t tokenId)765 uint64_t AccessTokenKit::GetRenderTokenID(uint64_t tokenId)
766 {
767 AccessTokenID id = tokenId & TOKEN_ID_LOWMASK;
768 if (id == INVALID_TOKENID) {
769 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
770 return tokenId;
771 }
772 AccessTokenIDInner* idInner = reinterpret_cast<AccessTokenIDInner*>(&id);
773 idInner->renderFlag = 1;
774
775 id = *reinterpret_cast<AccessTokenID*>(idInner);
776 return static_cast<uint64_t>(id);
777 }
778
GetKernelPermissions(AccessTokenID tokenID,std::vector<PermissionWithValue> & kernelPermList)779 int32_t AccessTokenKit::GetKernelPermissions(
780 AccessTokenID tokenID, std::vector<PermissionWithValue>& kernelPermList)
781 {
782 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d.", tokenID);
783 return AccessTokenManagerClient::GetInstance().GetKernelPermissions(tokenID, kernelPermList);
784 }
785
GetReqPermissionByName(AccessTokenID tokenID,const std::string & permissionName,std::string & value)786 int32_t AccessTokenKit::GetReqPermissionByName(
787 AccessTokenID tokenID, const std::string& permissionName, std::string& value)
788 {
789 LOGI(ATM_DOMAIN, ATM_TAG,
790 "TokenID=%{public}d permissionName=%{public}s.", tokenID, permissionName.c_str());
791 if (!DataValidator::IsPermissionNameValid(permissionName)) {
792 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid.");
793 return AccessTokenError::ERR_PARAM_INVALID;
794 }
795 return AccessTokenManagerClient::GetInstance().GetReqPermissionByName(tokenID, permissionName, value);
796 }
797
798 #ifdef SECURITY_COMPONENT_ENHANCE_ENABLE
RegisterSecCompEnhance(const SecCompEnhanceData & enhance)799 int32_t AccessTokenKit::RegisterSecCompEnhance(const SecCompEnhanceData& enhance)
800 {
801 return AccessTokenManagerClient::GetInstance().RegisterSecCompEnhance(enhance);
802 }
803
UpdateSecCompEnhance(int32_t pid,uint32_t seqNum)804 int32_t AccessTokenKit::UpdateSecCompEnhance(int32_t pid, uint32_t seqNum)
805 {
806 return AccessTokenManagerClient::GetInstance().UpdateSecCompEnhance(pid, seqNum);
807 }
808
GetSecCompEnhance(int32_t pid,SecCompEnhanceData & enhance)809 int32_t AccessTokenKit::GetSecCompEnhance(int32_t pid, SecCompEnhanceData& enhance)
810 {
811 return AccessTokenManagerClient::GetInstance().GetSecCompEnhance(pid, enhance);
812 }
813 #endif
814
IsAtomicServiceByFullTokenID(uint64_t tokenId)815 bool AccessTokenKit::IsAtomicServiceByFullTokenID(uint64_t tokenId)
816 {
817 LOGI(ATM_DOMAIN, ATM_TAG, "Called, tokenId=%{public}" PRId64, tokenId);
818 return (tokenId & ATOMIC_SERVICE_MASK) == ATOMIC_SERVICE_MASK;
819 }
820
IsToastShownNeeded(int32_t pid)821 bool AccessTokenKit::IsToastShownNeeded(int32_t pid)
822 {
823 return AccessTokenManagerClient::GetInstance().IsToastShownNeeded(pid);
824 }
825
SetPermissionStatusWithPolicy(uint32_t tokenID,const std::vector<std::string> & permissionList,int32_t status,uint32_t flag)826 int32_t AccessTokenKit::SetPermissionStatusWithPolicy(
827 uint32_t tokenID, const std::vector<std::string>& permissionList, int32_t status, uint32_t flag)
828 {
829 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permList.size=%{public}zu, status=%{public}d, flag=%{public}u.",
830 tokenID, permissionList.size(), status, flag);
831 if (tokenID == INVALID_TOKENID) {
832 LOGE(ATM_DOMAIN, ATM_TAG, "tokenID: %{public}d, TokenID is invalid.", tokenID);
833 return AccessTokenError::ERR_PARAM_INVALID;
834 }
835 if (permissionList.empty()) {
836 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionList is empty.");
837 return AccessTokenError::ERR_PARAM_INVALID;
838 }
839 for (const auto& perm : permissionList) {
840 if (!DataValidator::IsPermissionNameValid(perm)) {
841 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid: %{public}s.", perm.c_str());
842 return AccessTokenError::ERR_PARAM_INVALID;
843 }
844 }
845 if (!DataValidator::IsPermissionStatusValid(status)) {
846 LOGE(ATM_DOMAIN, ATM_TAG, "Status: %{public}d, status is invalid.", status);
847 return AccessTokenError::ERR_PARAM_INVALID;
848 }
849 if (!DataValidator::IsPermissionFlagValidForAdmin(flag)) {
850 LOGE(ATM_DOMAIN, ATM_TAG, "Flag: %{public}u, flag is invalid.", flag);
851 return AccessTokenError::ERR_PARAM_INVALID;
852 }
853 if (!DataValidator::IsPermissionListSizeValid(permissionList)) {
854 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionList size is invalid: %{public}zu.", permissionList.size());
855 return AccessTokenError::ERR_PARAM_INVALID;
856 }
857 return AccessTokenManagerClient::GetInstance().SetPermissionStatusWithPolicy(tokenID, permissionList, status, flag);
858 }
859 } // namespace AccessToken
860 } // namespace Security
861 } // namespace OHOS
862