1 /*
2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_manager_service.h"
17
18 #include <fcntl.h>
19 #include <cstdint>
20 #include <unistd.h>
21
22 #include "access_token.h"
23 #include "access_token_error.h"
24 #include "accesstoken_dfx_define.h"
25 #include "accesstoken_id_manager.h"
26 #include "accesstoken_info_manager.h"
27 #include "accesstoken_log.h"
28 #ifdef CUSTOMIZATION_CONFIG_POLICY_ENABLE
29 #include "config_policy_utils.h"
30 #include "json_parser.h"
31 #endif
32 #include "constant_common.h"
33 #ifdef SUPPORT_SANDBOX_APP
34 #include "dlp_permission_set_parser.h"
35 #endif
36 #include "hap_token_info.h"
37 #include "hap_token_info_inner.h"
38 #include "hisysevent.h"
39 #ifdef HITRACE_NATIVE_ENABLE
40 #include "hitrace_meter.h"
41 #endif
42 #include "ipc_skeleton.h"
43 #include "native_token_info_inner.h"
44 #include "native_token_receptor.h"
45 #include "parameter.h"
46 #include "permission_list_state.h"
47 #include "permission_manager.h"
48 #include "privacy_kit.h"
49 #include "string_ex.h"
50 #include "system_ability_definition.h"
51 #include "system_permission_definition_parser.h"
52
53 namespace OHOS {
54 namespace Security {
55 namespace AccessToken {
56 namespace {
57 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
58 LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "ATMServ"
59 };
60 static const char* ACCESS_TOKEN_SERVICE_INIT_KEY = "accesstoken.permission.init";
61 constexpr int TWO_ARGS = 2;
62 const std::string GRANT_ABILITY_BUNDLE_NAME = "com.ohos.permissionmanager";
63 const std::string GRANT_ABILITY_ABILITY_NAME = "com.ohos.permissionmanager.GrantAbility";
64 const std::string TEST_JSON_PATH = "/data/service/el1/public/access_token/nativetoken.log";
65 #ifdef CUSTOMIZATION_CONFIG_POLICY_ENABLE
66 static const std::string ACCESSTOKEN_CONFIG_FILE = "/etc/access_token/accesstoken_config.json";
67 static const std::string PERMISSION_MANAGER_BUNDLE_NAME_KEY = "permission_manager_bundle_name";
68 static const std::string GRANT_ABILITY_NAME_KEY = "grant_ability_name";
69 #endif
70 }
71
72 const bool REGISTER_RESULT =
73 SystemAbility::MakeAndRegisterAbility(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
74
AccessTokenManagerService()75 AccessTokenManagerService::AccessTokenManagerService()
76 : SystemAbility(SA_ID_ACCESSTOKEN_MANAGER_SERVICE, true), state_(ServiceRunningState::STATE_NOT_START)
77 {
78 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService()");
79 }
80
~AccessTokenManagerService()81 AccessTokenManagerService::~AccessTokenManagerService()
82 {
83 ACCESSTOKEN_LOG_INFO(LABEL, "~AccessTokenManagerService()");
84 tokenDumpWorker_.Stop();
85 }
86
OnStart()87 void AccessTokenManagerService::OnStart()
88 {
89 if (state_ == ServiceRunningState::STATE_RUNNING) {
90 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService has already started!");
91 return;
92 }
93 ACCESSTOKEN_LOG_INFO(LABEL, "AccessTokenManagerService is starting");
94 if (!Initialize()) {
95 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to initialize");
96 return;
97 }
98 state_ = ServiceRunningState::STATE_RUNNING;
99 bool ret = Publish(DelayedSingleton<AccessTokenManagerService>::GetInstance().get());
100 if (!ret) {
101 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to publish service!");
102 return;
103 }
104 (void)AddSystemAbilityListener(SECURITY_COMPONENT_SERVICE_ID);
105 ACCESSTOKEN_LOG_INFO(LABEL, "Congratulations, AccessTokenManagerService start successfully!");
106 }
107
OnStop()108 void AccessTokenManagerService::OnStop()
109 {
110 ACCESSTOKEN_LOG_INFO(LABEL, "stop service");
111 state_ = ServiceRunningState::STATE_NOT_START;
112 }
113
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)114 void AccessTokenManagerService::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string& deviceId)
115 {
116 if (systemAbilityId == SECURITY_COMPONENT_SERVICE_ID) {
117 std::vector<AccessTokenID> tokenIdList;
118 AccessTokenIDManager::GetInstance().GetHapTokenIdList(tokenIdList);
119 PermissionManager::GetInstance().ClearAllSecCompGrantedPerm(tokenIdList);
120 return;
121 }
122 }
123
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)124 int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
125 {
126 #ifdef HITRACE_NATIVE_ENABLE
127 StartTrace(HITRACE_TAG_ACCESS_CONTROL, "AccessTokenVerifyPermission");
128 #endif
129 int32_t res = PermissionManager::GetInstance().VerifyAccessToken(tokenID, permissionName);
130 ACCESSTOKEN_LOG_DEBUG(LABEL, "tokenID: %{public}d, permission: %{public}s, res %{public}d",
131 tokenID, permissionName.c_str(), res);
132 #ifdef HITRACE_NATIVE_ENABLE
133 FinishTrace(HITRACE_TAG_ACCESS_CONTROL);
134 #endif
135 return res;
136 }
137
GetDefPermission(const std::string & permissionName,PermissionDefParcel & permissionDefResult)138 int AccessTokenManagerService::GetDefPermission(
139 const std::string& permissionName, PermissionDefParcel& permissionDefResult)
140 {
141 ACCESSTOKEN_LOG_INFO(LABEL, "permission: %{public}s", permissionName.c_str());
142 return PermissionManager::GetInstance().GetDefPermission(permissionName, permissionDefResult.permissionDef);
143 }
144
GetDefPermissions(AccessTokenID tokenID,std::vector<PermissionDefParcel> & permList)145 int AccessTokenManagerService::GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDefParcel>& permList)
146 {
147 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d", tokenID);
148 std::vector<PermissionDef> permVec;
149 int ret = PermissionManager::GetInstance().GetDefPermissions(tokenID, permVec);
150 for (const auto& perm : permVec) {
151 PermissionDefParcel permParcel;
152 permParcel.permissionDef = perm;
153 permList.emplace_back(permParcel);
154 }
155 return ret;
156 }
157
GetReqPermissions(AccessTokenID tokenID,std::vector<PermissionStateFullParcel> & reqPermList,bool isSystemGrant)158 int AccessTokenManagerService::GetReqPermissions(
159 AccessTokenID tokenID, std::vector<PermissionStateFullParcel>& reqPermList, bool isSystemGrant)
160 {
161 ACCESSTOKEN_LOG_DEBUG(LABEL, "tokenID: %{public}d, isSystemGrant: %{public}d", tokenID, isSystemGrant);
162
163 std::vector<PermissionStateFull> permList;
164 int ret = PermissionManager::GetInstance().GetReqPermissions(tokenID, permList, isSystemGrant);
165
166 for (const auto& perm : permList) {
167 PermissionStateFullParcel permParcel;
168 permParcel.permStatFull = perm;
169 reqPermList.emplace_back(permParcel);
170 }
171 return ret;
172 }
173
GetSelfPermissionsState(std::vector<PermissionListStateParcel> & reqPermList,PermissionGrantInfoParcel & infoParcel)174 PermissionOper AccessTokenManagerService::GetSelfPermissionsState(std::vector<PermissionListStateParcel>& reqPermList,
175 PermissionGrantInfoParcel& infoParcel)
176 {
177 infoParcel.info.grantBundleName = grantBundleName_;
178 infoParcel.info.grantAbilityName = grantAbilityName_;
179 AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID();
180 bool isPermDialogForbidden = AccessTokenInfoManager::GetInstance().GetPermDialogCap(callingTokenID);
181 if (isPermDialogForbidden) {
182 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID=%{public}d is under control", callingTokenID);
183 return FORBIDDEN_OPER;
184 }
185 int32_t apiVersion = 0;
186 if (!PermissionManager::GetInstance().GetApiVersionByTokenId(callingTokenID, apiVersion)) {
187 ACCESSTOKEN_LOG_ERROR(LABEL, "get api version error");
188 return INVALID_OPER;
189 }
190 ACCESSTOKEN_LOG_INFO(LABEL, "callingTokenID: %{public}d, apiVersion: %{public}d", callingTokenID, apiVersion);
191
192 bool needRes = false;
193 std::vector<PermissionStateFull> permsList;
194 int retUserGrant = PermissionManager::GetInstance().GetReqPermissions(callingTokenID, permsList, false);
195 int retSysGrant = PermissionManager::GetInstance().GetReqPermissions(callingTokenID, permsList, true);
196 if ((retSysGrant != RET_SUCCESS) || (retUserGrant != RET_SUCCESS)) {
197 ACCESSTOKEN_LOG_ERROR(LABEL,
198 "GetReqPermissions failed, retUserGrant:%{public}d, retSysGrant:%{public}d",
199 retUserGrant, retSysGrant);
200 return INVALID_OPER;
201 }
202
203 // api9 location permission handle here
204 if (apiVersion >= ACCURATE_LOCATION_API_VERSION) {
205 needRes = PermissionManager::GetInstance().LocationPermissionSpecialHandle(reqPermList, permsList, apiVersion);
206 }
207
208 uint32_t size = reqPermList.size();
209 for (uint32_t i = 0; i < size; i++) {
210 // api9 location permission special handle above
211 if (((reqPermList[i].permsState.permissionName == VAGUE_LOCATION_PERMISSION_NAME) ||
212 (reqPermList[i].permsState.permissionName == ACCURATE_LOCATION_PERMISSION_NAME) ||
213 (reqPermList[i].permsState.permissionName == BACKGROUND_LOCATION_PERMISSION_NAME)) &&
214 (apiVersion >= ACCURATE_LOCATION_API_VERSION)) {
215 continue;
216 }
217
218 PermissionManager::GetInstance().GetSelfPermissionState(permsList, reqPermList[i].permsState, apiVersion);
219 if (static_cast<PermissionOper>(reqPermList[i].permsState.state) == DYNAMIC_OPER) {
220 needRes = true;
221 }
222 ACCESSTOKEN_LOG_DEBUG(LABEL, "perm: 0x%{public}s, state: 0x%{public}d",
223 reqPermList[i].permsState.permissionName.c_str(), reqPermList[i].permsState.state);
224 }
225 if (needRes) {
226 return DYNAMIC_OPER;
227 }
228 return PASS_OPER;
229 }
230
GetPermissionFlag(AccessTokenID tokenID,const std::string & permissionName,uint32_t & flag)231 int AccessTokenManagerService::GetPermissionFlag(
232 AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
233 {
234 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d, permission: %{public}s",
235 tokenID, permissionName.c_str());
236 return PermissionManager::GetInstance().GetPermissionFlag(tokenID, permissionName, flag);
237 }
238
GrantPermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)239 int AccessTokenManagerService::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
240 {
241 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d, permission: %{public}s, flag: %{public}d",
242 tokenID, permissionName.c_str(), flag);
243 int32_t ret = PermissionManager::GetInstance().GrantPermission(tokenID, permissionName, flag);
244 AccessTokenInfoManager::GetInstance().RefreshTokenInfoIfNeeded();
245 DumpTokenIfNeeded();
246 return ret;
247 }
248
RevokePermission(AccessTokenID tokenID,const std::string & permissionName,uint32_t flag)249 int AccessTokenManagerService::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
250 {
251 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d, permission: %{public}s, flag: %{public}d",
252 tokenID, permissionName.c_str(), flag);
253 int32_t ret = PermissionManager::GetInstance().RevokePermission(tokenID, permissionName, flag);
254 AccessTokenInfoManager::GetInstance().RefreshTokenInfoIfNeeded();
255 DumpTokenIfNeeded();
256 return ret;
257 }
258
ClearUserGrantedPermissionState(AccessTokenID tokenID)259 int AccessTokenManagerService::ClearUserGrantedPermissionState(AccessTokenID tokenID)
260 {
261 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d", tokenID);
262 PermissionManager::GetInstance().ClearUserGrantedPermissionState(tokenID);
263 AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenID, false);
264 AccessTokenInfoManager::GetInstance().RefreshTokenInfoIfNeeded();
265 DumpTokenIfNeeded();
266 return RET_SUCCESS;
267 }
268
RegisterPermStateChangeCallback(const PermStateChangeScopeParcel & scope,const sptr<IRemoteObject> & callback)269 int32_t AccessTokenManagerService::RegisterPermStateChangeCallback(
270 const PermStateChangeScopeParcel& scope, const sptr<IRemoteObject>& callback)
271 {
272 ACCESSTOKEN_LOG_INFO(LABEL, "Entry");
273 return PermissionManager::GetInstance().AddPermStateChangeCallback(scope.scope, callback);
274 }
275
UnRegisterPermStateChangeCallback(const sptr<IRemoteObject> & callback)276 int32_t AccessTokenManagerService::UnRegisterPermStateChangeCallback(const sptr<IRemoteObject>& callback)
277 {
278 ACCESSTOKEN_LOG_INFO(LABEL, "Entry");
279 return PermissionManager::GetInstance().RemovePermStateChangeCallback(callback);
280 }
281
AllocHapToken(const HapInfoParcel & info,const HapPolicyParcel & policy)282 AccessTokenIDEx AccessTokenManagerService::AllocHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy)
283 {
284 ACCESSTOKEN_LOG_INFO(LABEL, "bundleName: %{public}s", info.hapInfoParameter.bundleName.c_str());
285 AccessTokenIDEx tokenIdEx;
286 tokenIdEx.tokenIDEx = 0LL;
287
288 int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(
289 info.hapInfoParameter, policy.hapPolicyParameter, tokenIdEx);
290 if (ret != RET_SUCCESS) {
291 ACCESSTOKEN_LOG_INFO(LABEL, "hap token info create failed");
292 }
293 DumpTokenIfNeeded();
294 return tokenIdEx;
295 }
296
DeleteToken(AccessTokenID tokenID)297 int AccessTokenManagerService::DeleteToken(AccessTokenID tokenID)
298 {
299 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d", tokenID);
300 PrivacyKit::RemovePermissionUsedRecords(tokenID, "");
301 // only support hap token deletion
302 int ret = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID);
303 DumpTokenIfNeeded();
304 return ret;
305 }
306
GetTokenType(AccessTokenID tokenID)307 int AccessTokenManagerService::GetTokenType(AccessTokenID tokenID)
308 {
309 ACCESSTOKEN_LOG_DEBUG(LABEL, "tokenID: %{public}d", tokenID);
310 return AccessTokenIDManager::GetInstance().GetTokenIdType(tokenID);
311 }
312
CheckNativeDCap(AccessTokenID tokenID,const std::string & dcap)313 int AccessTokenManagerService::CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap)
314 {
315 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d, dcap: %{public}s",
316 tokenID, dcap.c_str());
317 return AccessTokenInfoManager::GetInstance().CheckNativeDCap(tokenID, dcap);
318 }
319
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)320 AccessTokenIDEx AccessTokenManagerService::GetHapTokenID(
321 int32_t userID, const std::string& bundleName, int32_t instIndex)
322 {
323 ACCESSTOKEN_LOG_DEBUG(LABEL, "userID: %{public}d, bundle: %{public}s, instIndex: %{public}d",
324 userID, bundleName.c_str(), instIndex);
325 return AccessTokenInfoManager::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
326 }
327
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)328 AccessTokenID AccessTokenManagerService::AllocLocalTokenID(
329 const std::string& remoteDeviceID, AccessTokenID remoteTokenID)
330 {
331 ACCESSTOKEN_LOG_INFO(LABEL, "remoteDeviceID: %{public}s, remoteTokenID: %{public}d",
332 ConstantCommon::EncryptDevId(remoteDeviceID).c_str(), remoteTokenID);
333 AccessTokenID tokenID = AccessTokenInfoManager::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
334 DumpTokenIfNeeded();
335 return tokenID;
336 }
337
UpdateHapToken(AccessTokenIDEx & tokenIdEx,bool isSystemApp,const std::string & appIDDesc,int32_t apiVersion,const HapPolicyParcel & policyParcel)338 int AccessTokenManagerService::UpdateHapToken(AccessTokenIDEx& tokenIdEx,
339 bool isSystemApp, const std::string& appIDDesc, int32_t apiVersion, const HapPolicyParcel& policyParcel)
340 {
341 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d", tokenIdEx.tokenIdExStruct.tokenID);
342 int ret = AccessTokenInfoManager::GetInstance().UpdateHapToken(tokenIdEx, isSystemApp, appIDDesc, apiVersion,
343 policyParcel.hapPolicyParameter);
344 DumpTokenIfNeeded();
345 return ret;
346 }
347
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfoParcel & infoParcel)348 int AccessTokenManagerService::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfoParcel& infoParcel)
349 {
350 ACCESSTOKEN_LOG_DEBUG(LABEL, "tokenID: %{public}d", tokenID);
351
352 return AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, infoParcel.hapTokenInfoParams);
353 }
354
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfoParcel & infoParcel)355 int AccessTokenManagerService::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfoParcel& infoParcel)
356 {
357 ACCESSTOKEN_LOG_DEBUG(LABEL, "tokenID: %{public}d", tokenID);
358
359 return AccessTokenInfoManager::GetInstance().GetNativeTokenInfo(tokenID, infoParcel.nativeTokenInfoParams);
360 }
361
362 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
ReloadNativeTokenInfo()363 int32_t AccessTokenManagerService::ReloadNativeTokenInfo()
364 {
365 int32_t ret = NativeTokenReceptor::GetInstance().Init();
366 DumpTokenIfNeeded();
367 return ret;
368 }
369 #endif
370
GetNativeTokenId(const std::string & processName)371 AccessTokenID AccessTokenManagerService::GetNativeTokenId(const std::string& processName)
372 {
373 return AccessTokenInfoManager::GetInstance().GetNativeTokenId(processName);
374 }
375
376 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSyncParcel & hapSyncParcel)377 int AccessTokenManagerService::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
378 HapTokenInfoForSyncParcel& hapSyncParcel)
379 {
380 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d", tokenID);
381
382 return AccessTokenInfoManager::GetInstance().GetHapTokenInfoFromRemote(tokenID,
383 hapSyncParcel.hapTokenInfoForSyncParams);
384 }
385
GetAllNativeTokenInfo(std::vector<NativeTokenInfoForSyncParcel> & nativeTokenInfosRes)386 int AccessTokenManagerService::GetAllNativeTokenInfo(std::vector<NativeTokenInfoForSyncParcel>& nativeTokenInfosRes)
387 {
388 ACCESSTOKEN_LOG_INFO(LABEL, "called");
389
390 std::vector<NativeTokenInfoForSync> nativeVec;
391 AccessTokenInfoManager::GetInstance().GetAllNativeTokenInfo(nativeVec);
392 for (const auto& native : nativeVec) {
393 NativeTokenInfoForSyncParcel nativeParcel;
394 nativeParcel.nativeTokenInfoForSyncParams = native;
395 nativeTokenInfosRes.emplace_back(nativeParcel);
396 }
397
398 return RET_SUCCESS;
399 }
400
SetRemoteHapTokenInfo(const std::string & deviceID,HapTokenInfoForSyncParcel & hapSyncParcel)401 int AccessTokenManagerService::SetRemoteHapTokenInfo(const std::string& deviceID,
402 HapTokenInfoForSyncParcel& hapSyncParcel)
403 {
404 ACCESSTOKEN_LOG_INFO(LABEL, "deviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
405 int ret = AccessTokenInfoManager::GetInstance().SetRemoteHapTokenInfo(deviceID,
406 hapSyncParcel.hapTokenInfoForSyncParams);
407 DumpTokenIfNeeded();
408 return ret;
409 }
410
SetRemoteNativeTokenInfo(const std::string & deviceID,std::vector<NativeTokenInfoForSyncParcel> & nativeTokenInfoForSyncParcel)411 int AccessTokenManagerService::SetRemoteNativeTokenInfo(const std::string& deviceID,
412 std::vector<NativeTokenInfoForSyncParcel>& nativeTokenInfoForSyncParcel)
413 {
414 ACCESSTOKEN_LOG_INFO(LABEL, "deviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
415
416 std::vector<NativeTokenInfoForSync> nativeList;
417 std::transform(nativeTokenInfoForSyncParcel.begin(),
418 nativeTokenInfoForSyncParcel.end(), std::back_inserter(nativeList),
419 [](const auto& nativeParcel) { return nativeParcel.nativeTokenInfoForSyncParams; });
420 int ret = AccessTokenInfoManager::GetInstance().SetRemoteNativeTokenInfo(deviceID, nativeList);
421 DumpTokenIfNeeded();
422 return ret;
423 }
424
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)425 int AccessTokenManagerService::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
426 {
427 ACCESSTOKEN_LOG_INFO(LABEL, "deviceID: %{public}s, token id %{public}d",
428 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
429 int ret = AccessTokenInfoManager::GetInstance().DeleteRemoteToken(deviceID, tokenID);
430 DumpTokenIfNeeded();
431 return ret;
432 }
433
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)434 AccessTokenID AccessTokenManagerService::GetRemoteNativeTokenID(const std::string& deviceID,
435 AccessTokenID tokenID)
436 {
437 ACCESSTOKEN_LOG_INFO(LABEL, "deviceID: %{public}s, token id %{public}d",
438 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
439
440 return AccessTokenInfoManager::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
441 }
442
DeleteRemoteDeviceTokens(const std::string & deviceID)443 int AccessTokenManagerService::DeleteRemoteDeviceTokens(const std::string& deviceID)
444 {
445 ACCESSTOKEN_LOG_INFO(LABEL, "deviceID: %{public}s", ConstantCommon::EncryptDevId(deviceID).c_str());
446 int ret = AccessTokenInfoManager::GetInstance().DeleteRemoteDeviceTokens(deviceID);
447 DumpTokenIfNeeded();
448 return ret;
449 }
450 #endif
451
DumpTokenInfo(const AtmToolsParamInfoParcel & infoParcel,std::string & dumpInfo)452 void AccessTokenManagerService::DumpTokenInfo(const AtmToolsParamInfoParcel& infoParcel, std::string& dumpInfo)
453 {
454 ACCESSTOKEN_LOG_INFO(LABEL, "called");
455
456 AccessTokenInfoManager::GetInstance().DumpTokenInfo(infoParcel.info, dumpInfo);
457 }
458
SetPermDialogCap(const HapBaseInfoParcel & hapBaseInfoParcel,bool enable)459 int32_t AccessTokenManagerService::SetPermDialogCap(const HapBaseInfoParcel& hapBaseInfoParcel, bool enable)
460 {
461 AccessTokenIDEx tokenIdEx = AccessTokenInfoManager::GetInstance().GetHapTokenID(
462 hapBaseInfoParcel.hapBaseInfo.userID,
463 hapBaseInfoParcel.hapBaseInfo.bundleName,
464 hapBaseInfoParcel.hapBaseInfo.instIndex);
465
466 return AccessTokenInfoManager::GetInstance().SetPermDialogCap(tokenIdEx.tokenIdExStruct.tokenID, enable);
467 }
468
Dump(int fd,const std::vector<std::u16string> & args)469 int AccessTokenManagerService::Dump(int fd, const std::vector<std::u16string>& args)
470 {
471 if (fd < 0) {
472 return ERR_INVALID_VALUE;
473 }
474
475 dprintf(fd, "AccessToken Dump:\n");
476 std::string arg0 = ((args.size() == 0)? "" : Str16ToStr8(args.at(0)));
477 if (arg0.compare("-h") == 0) {
478 dprintf(fd, "Usage:\n");
479 dprintf(fd, " -h: command help\n");
480 dprintf(fd, " -a: dump all tokens\n");
481 dprintf(fd, " -t <TOKEN_ID>: dump special token id\n");
482 } else if (arg0.compare("-t") == 0) {
483 if (args.size() < TWO_ARGS) {
484 return ERR_INVALID_VALUE;
485 }
486 long long tokenID = atoll(static_cast<const char *>(Str16ToStr8(args.at(1)).c_str()));
487 if (tokenID <= 0) {
488 return ERR_INVALID_VALUE;
489 }
490 AtmToolsParamInfoParcel infoParcel;
491 infoParcel.info.tokenId = static_cast<AccessTokenID>(tokenID);
492 std::string dumpStr;
493 DumpTokenInfo(infoParcel, dumpStr);
494 dprintf(fd, "%s\n", dumpStr.c_str());
495 } else if (arg0.compare("-a") == 0 || arg0 == "") {
496 std::string dumpStr;
497 AtmToolsParamInfoParcel infoParcel;
498 DumpTokenInfo(infoParcel, dumpStr);
499 dprintf(fd, "%s\n", dumpStr.c_str());
500 }
501 return ERR_OK;
502 }
503
DumpToken()504 void AccessTokenManagerService::DumpToken()
505 {
506 ACCESSTOKEN_LOG_INFO(LABEL, "AccessToken Dump");
507 int32_t fd = open(TEST_JSON_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP);
508 if (fd < 0) {
509 ACCESSTOKEN_LOG_ERROR(LABEL, "open failed errno %{public}d.", errno);
510 close(fd);
511 return;
512 }
513 std::string dumpStr;
514 AtmToolsParamInfoParcel infoParcel;
515 AccessTokenInfoManager::GetInstance().DumpTokenInfo(infoParcel.info, dumpStr);
516 dprintf(fd, "%s\n", dumpStr.c_str());
517 close(fd);
518 }
519
DumpTokenIfNeeded()520 void AccessTokenManagerService::DumpTokenIfNeeded()
521 {
522 if (tokenDumpWorker_.GetCurTaskNum() > 1) {
523 ACCESSTOKEN_LOG_INFO(LABEL, "has refresh task!");
524 return;
525 }
526
527 tokenDumpWorker_.AddTask([this]() {
528 DumpToken();
529 // Sleep for one minute to avoid frequent refresh of the database.
530 std::this_thread::sleep_for(std::chrono::minutes(1));
531 });
532 }
533
AccessTokenServiceParamSet() const534 void AccessTokenManagerService::AccessTokenServiceParamSet() const
535 {
536 int32_t res = SetParameter(ACCESS_TOKEN_SERVICE_INIT_KEY, std::to_string(1).c_str());
537 if (res != 0) {
538 ACCESSTOKEN_LOG_ERROR(LABEL, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY failed %{public}d", res);
539 }
540 ACCESSTOKEN_LOG_INFO(LABEL, "SetParameter ACCESS_TOKEN_SERVICE_INIT_KEY success");
541 }
542
543 #ifdef CUSTOMIZATION_CONFIG_POLICY_ENABLE
GetValidConfigFilePathList(std::vector<std::string> & pathList)544 void AccessTokenManagerService::GetValidConfigFilePathList(std::vector<std::string>& pathList)
545 {
546 CfgDir *dirs = GetCfgDirList(); // malloc a CfgDir point, need to free later
547 if (dirs != nullptr) {
548 for (const auto& path : dirs->paths) {
549 if ((path == nullptr) || (!JsonParser::IsDirExsit(path))) {
550 continue;
551 }
552
553 ACCESSTOKEN_LOG_INFO(LABEL, "accesstoken cfg dir: %{public}s", path);
554 pathList.emplace_back(path);
555 }
556
557 FreeCfgDirList(dirs); // free
558 } else {
559 ACCESSTOKEN_LOG_ERROR(LABEL, "can't get valid cfg file path");
560 }
561 }
562
563 // nlohmann json need the function named from_json to parse
from_json(const nlohmann::json & j,std::string & bundleName,std::string & abilityName)564 void from_json(const nlohmann::json& j, std::string& bundleName, std::string& abilityName)
565 {}
566
GetConfigGrantValueFromFile(std::string & fileContent)567 bool AccessTokenManagerService::GetConfigGrantValueFromFile(std::string& fileContent)
568 {
569 nlohmann::json jsonRes = nlohmann::json::parse(fileContent, nullptr, false);
570 if (jsonRes.is_discarded()) {
571 ACCESSTOKEN_LOG_ERROR(LABEL, "jsonRes is invalid.");
572 return false;
573 }
574
575 if (!JsonParser::GetStringFromJson(jsonRes, PERMISSION_MANAGER_BUNDLE_NAME_KEY, grantBundleName_)) {
576 return false;
577 }
578
579 if (!JsonParser::GetStringFromJson(jsonRes, GRANT_ABILITY_NAME_KEY, grantAbilityName_)) {
580 return false;
581 }
582
583 return true;
584 }
585 #endif
586
SetDefaultConfigGrantValue()587 void AccessTokenManagerService::SetDefaultConfigGrantValue()
588 {
589 ACCESSTOKEN_LOG_INFO(LABEL, "no config file or config file is not valid, use default values");
590
591 grantBundleName_ = GRANT_ABILITY_BUNDLE_NAME;
592 grantAbilityName_ = GRANT_ABILITY_ABILITY_NAME;
593 }
594
GetConfigValue()595 void AccessTokenManagerService::GetConfigValue()
596 {
597 #ifdef CUSTOMIZATION_CONFIG_POLICY_ENABLE
598 std::vector<std::string> pathList;
599 GetValidConfigFilePathList(pathList);
600
601 for (const auto& path : pathList) {
602 std::string filePath = path + ACCESSTOKEN_CONFIG_FILE;
603 std::string fileContent;
604 int32_t res = JsonParser::ReadCfgFile(filePath, fileContent);
605 if (res != ERR_OK) {
606 continue;
607 }
608
609 if (GetConfigGrantValueFromFile(fileContent)) {
610 break; // once get the config value, break the loop
611 }
612 }
613 #endif
614 // when config file list empty or can not get two value from config file, set default value
615 if ((grantBundleName_.empty()) || (grantAbilityName_.empty())) {
616 SetDefaultConfigGrantValue();
617 }
618
619 ACCESSTOKEN_LOG_INFO(LABEL, "grantBundleName_ is %{public}s, grantAbilityName_ is %{public}s",
620 grantBundleName_.c_str(), grantAbilityName_.c_str());
621 }
622
Initialize()623 bool AccessTokenManagerService::Initialize()
624 {
625 AccessTokenInfoManager::GetInstance().Init();
626 NativeTokenReceptor::GetInstance().Init();
627
628 #ifdef EVENTHANDLER_ENABLE
629 eventRunner_ = AppExecFwk::EventRunner::Create(true);
630 if (!eventRunner_) {
631 ACCESSTOKEN_LOG_ERROR(LABEL, "failed to create a recvRunner.");
632 return false;
633 }
634 eventHandler_ = std::make_shared<AccessEventHandler>(eventRunner_);
635 TempPermissionObserver::GetInstance().InitEventHandler(eventHandler_);
636 #endif
637
638 #ifdef SUPPORT_SANDBOX_APP
639 DlpPermissionSetParser::GetInstance().Init();
640 #endif
641 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK_EVENT",
642 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "CODE", ACCESS_TOKEN_SERVICE_INIT_EVENT,
643 "PID_INFO", getpid());
644 SystemPermissionDefinitionParser::GetInstance().Init();
645 AccessTokenServiceParamSet();
646 GetConfigValue();
647 tokenDumpWorker_.Start(1);
648 ACCESSTOKEN_LOG_INFO(LABEL, "Initialize success");
649 return true;
650 }
651 } // namespace AccessToken
652 } // namespace Security
653 } // namespace OHOS
654