1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "dfsu_access_token_helper.h"
17 #include "accesstoken_kit.h"
18 #include "ipc_skeleton.h"
19 #include "tokenid_kit.h"
20 #include "utils_log.h"
21 #include "dfs_error.h"
22
23 namespace OHOS::FileManagement {
24 using namespace std;
25 using namespace Security::AccessToken;
26 constexpr int32_t ROOT_UID = 0;
27 constexpr int32_t BASE_USER_RANGE = 200000;
CheckCallerPermission(const std::string & permissionName)28 bool DfsuAccessTokenHelper::CheckCallerPermission(const std::string &permissionName)
29 {
30 auto tokenId = IPCSkeleton::GetCallingTokenID();
31 auto uid = IPCSkeleton::GetCallingUid();
32 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
33 if (tokenType == TOKEN_HAP || tokenType == TOKEN_NATIVE) {
34 bool isGranted = CheckPermission(tokenId, permissionName);
35 if (!isGranted) {
36 LOGE("Token Type is %{public}d", tokenType);
37 }
38 return isGranted;
39 } else if ((tokenType == TOKEN_SHELL) && (uid == ROOT_UID)) {
40 LOGI("Token type is shell");
41 return true;
42 } else {
43 LOGE("Unsupported token type:%{public}d", tokenType);
44 return false;
45 }
46 }
47
CheckPermission(uint32_t tokenId,const std::string & permissionName)48 bool DfsuAccessTokenHelper::CheckPermission(uint32_t tokenId, const std::string &permissionName)
49 {
50 int32_t ret = AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
51 if (ret == PermissionState::PERMISSION_DENIED) {
52 LOGE("permission %{private}s: PERMISSION_DENIED", permissionName.c_str());
53 return false;
54 }
55 return true;
56 }
57
GetCallerBundleName(std::string & bundleName)58 int32_t DfsuAccessTokenHelper::GetCallerBundleName(std::string &bundleName)
59 {
60 auto tokenId = IPCSkeleton::GetCallingTokenID();
61 return GetBundleNameByToken(tokenId, bundleName);
62 }
63
GetBundleNameByToken(uint32_t tokenId,std::string & bundleName)64 int32_t DfsuAccessTokenHelper::GetBundleNameByToken(uint32_t tokenId, std::string &bundleName)
65 {
66 int32_t tokenType = AccessTokenKit::GetTokenTypeFlag(tokenId);
67 switch (tokenType) {
68 case TOKEN_HAP: {
69 HapTokenInfo hapInfo;
70 if (AccessTokenKit::GetHapTokenInfo(tokenId, hapInfo) != 0) {
71 LOGE("get hap token info fail");
72 return E_GET_TOKEN_INFO_ERROR;
73 }
74 bundleName = hapInfo.bundleName;
75 break;
76 }
77 case TOKEN_NATIVE:
78 // fall-through
79 case TOKEN_SHELL: {
80 NativeTokenInfo tokenInfo;
81 if (AccessTokenKit::GetNativeTokenInfo(tokenId, tokenInfo) != 0) {
82 LOGE("get native token info fail");
83 return E_GET_TOKEN_INFO_ERROR;
84 }
85 bundleName = tokenInfo.processName;
86 break;
87 }
88 default: {
89 LOGE("token type not match");
90 return E_GET_TOKEN_INFO_ERROR;
91 }
92 }
93 if (bundleName.empty()) {
94 LOGE("package name is empty");
95 return E_INVAL_ARG;
96 }
97 return E_OK;
98 }
IsSystemApp()99 bool DfsuAccessTokenHelper::IsSystemApp()
100 {
101 auto tokenId = IPCSkeleton::GetCallingTokenID();
102 auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
103 if (tokenType == TOKEN_HAP) {
104 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
105 return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
106 }
107 return true;
108 }
109
GetUserId()110 int32_t DfsuAccessTokenHelper::GetUserId()
111 {
112 auto uid = IPCSkeleton::GetCallingUid();
113 return uid / BASE_USER_RANGE;
114 }
115 } // namespace OHOS::FileManagement