1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "enterprise_device_mgr_ability.h"
17
18 #include <cstring>
19 #include <string_ex.h>
20 #include <thread>
21
22 #include "application_state_observer.h"
23 #include "common_event_manager.h"
24 #include "common_event_support.h"
25 #include "device_policies_storage_rdb.h"
26 #include "directory_ex.h"
27 #include "iservice_registry.h"
28 #include "matching_skills.h"
29 #include "message_parcel.h"
30 #include "parameters.h"
31 #include "system_ability.h"
32 #include "system_ability_definition.h"
33
34 #include "edm_constants.h"
35 #include "edm_errors.h"
36 #include "edm_ipc_interface_code.h"
37 #include "edm_log.h"
38 #include "edm_sys_manager.h"
39 #include "enterprise_admin_connection.h"
40 #include "enterprise_bundle_connection.h"
41 #include "enterprise_conn_manager.h"
42 #include "func_code_utils.h"
43 #include "password_policy_serializer.h"
44 #include "usb_device_id.h"
45 #include "user_auth_client.h"
46
47 #ifdef PASTEBOARD_EDM_ENABLE
48 #include "clipboard_policy_serializer.h"
49 #include "clipboard_utils.h"
50 #endif
51
52 namespace OHOS {
53 namespace EDM {
54 const bool REGISTER_RESULT =
55 SystemAbility::MakeAndRegisterAbility(EnterpriseDeviceMgrAbility::GetInstance().GetRefPtr());
56
57 const std::string PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN = "ohos.permission.MANAGE_ENTERPRISE_DEVICE_ADMIN";
58 const std::string PERMISSION_SET_ENTERPRISE_INFO = "ohos.permission.SET_ENTERPRISE_INFO";
59 const std::string PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT = "ohos.permission.ENTERPRISE_SUBSCRIBE_MANAGED_EVENT";
60 const std::string PERMISSION_UPDATE_SYSTEM = "ohos.permission.UPDATE_SYSTEM";
61 const std::string PARAM_EDM_ENABLE = "persist.edm.edm_enable";
62 const std::string PARAM_SECURITY_MODE = "ohos.boot.advsecmode.state";
63 const std::string SYSTEM_UPDATE_FOR_POLICY = "usual.event.DUE_SA_FIRMWARE_UPDATE_FOR_POLICY";
64 const std::string FIRMWARE_EVENT_INFO_NAME = "version";
65 const std::string FIRMWARE_EVENT_INFO_TYPE = "packageType";
66 const std::string FIRMWARE_EVENT_INFO_CHECK_TIME = "firstReceivedTime";
67 const std::string DEVELOP_MODE_STATE = "const.security.developermode.state";
68
69 std::mutex EnterpriseDeviceMgrAbility::mutexLock_;
70
71 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::instance_;
72
73 constexpr int32_t TIMER_TIMEOUT = 360000; // 6 * 60 * 1000;
74
AddCommonEventFuncMap()75 void EnterpriseDeviceMgrAbility::AddCommonEventFuncMap()
76 {
77 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_USER_REMOVED] =
78 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
79 that->OnCommonEventUserRemoved(data);
80 };
81 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_ADDED] =
82 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
83 that->OnCommonEventPackageAdded(data);
84 };
85 commonEventFuncMap_[EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED] =
86 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
87 that->OnCommonEventPackageRemoved(data);
88 };
89 commonEventFuncMap_[SYSTEM_UPDATE_FOR_POLICY] =
90 [](EnterpriseDeviceMgrAbility* that, const EventFwk::CommonEventData &data) {
91 that->OnCommonEventSystemUpdate(data);
92 };
93 }
94
OnCommonEventSystemUpdate(const EventFwk::CommonEventData & data)95 void EnterpriseDeviceMgrAbility::OnCommonEventSystemUpdate(const EventFwk::CommonEventData &data)
96 {
97 EDMLOGI("OnCommonEventSystemUpdate");
98 UpdateInfo updateInfo;
99 updateInfo.version = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_NAME);
100 updateInfo.firstReceivedTime = data.GetWant().GetLongParam(FIRMWARE_EVENT_INFO_CHECK_TIME, 0);
101 updateInfo.packageType = data.GetWant().GetStringParam(FIRMWARE_EVENT_INFO_TYPE);
102
103 ConnectAbilityOnSystemUpdate(updateInfo);
104 }
105
ConnectAbilityOnSystemUpdate(const UpdateInfo & updateInfo)106 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemUpdate(const UpdateInfo &updateInfo)
107 {
108 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
109 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::SYSTEM_UPDATE, subAdmins);
110 if (subAdmins.empty()) {
111 EDMLOGW("Get subscriber by common event failed.");
112 return;
113 }
114 AAFwk::Want want;
115 for (const auto &subAdmin : subAdmins) {
116 for (const auto &it : subAdmin.second) {
117 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
118 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
119 sptr<IEnterpriseConnection> connection =
120 manager->CreateUpdateConnection(want, subAdmin.first, updateInfo);
121 manager->ConnectAbility(connection);
122 }
123 }
124 }
125
AddOnAddSystemAbilityFuncMap()126 void EnterpriseDeviceMgrAbility::AddOnAddSystemAbilityFuncMap()
127 {
128 addSystemAbilityFuncMap_[APP_MGR_SERVICE_ID] =
129 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
130 that->OnAppManagerServiceStart();
131 };
132 addSystemAbilityFuncMap_[COMMON_EVENT_SERVICE_ID] =
133 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
134 that->OnCommonEventServiceStart();
135 };
136 addSystemAbilityFuncMap_[ABILITY_MGR_SERVICE_ID] =
137 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
138 that->OnAbilityManagerServiceStart();
139 };
140 addSystemAbilityFuncMap_[SUBSYS_USERIAM_SYS_ABILITY_USERAUTH] =
141 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
142 that->OnUserAuthFrameworkStart();
143 };
144 #ifdef PASTEBOARD_EDM_ENABLE
145 addSystemAbilityFuncMap_[PASTEBOARD_SERVICE_ID] =
146 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
147 that->OnPasteboardServiceStart();
148 };
149 #endif
150 #ifdef USB_EDM_ENABLE
151 addSystemAbilityFuncMap_[USB_SYSTEM_ABILITY_ID] =
152 [](EnterpriseDeviceMgrAbility* that, int32_t systemAbilityId, const std::string &deviceId) {
153 that->OnUsbServiceStart();
154 };
155 #endif
156 }
157
158 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
EnterpriseDeviceEventSubscriber(const EventFwk::CommonEventSubscribeInfo & subscribeInfo,EnterpriseDeviceMgrAbility & listener)159 EnterpriseDeviceEventSubscriber::EnterpriseDeviceEventSubscriber(
160 const EventFwk::CommonEventSubscribeInfo &subscribeInfo,
161 EnterpriseDeviceMgrAbility &listener) : EventFwk::CommonEventSubscriber(subscribeInfo), listener_(listener) {}
162
OnReceiveEvent(const EventFwk::CommonEventData & data)163 void EnterpriseDeviceEventSubscriber::OnReceiveEvent(const EventFwk::CommonEventData &data)
164 {
165 const std::string action = data.GetWant().GetAction();
166 EDMLOGI("EDM OnReceiveEvent get action: %{public}s", action.c_str());
167 auto func = listener_.commonEventFuncMap_.find(action);
168 if (func != listener_.commonEventFuncMap_.end()) {
169 auto commonEventFunc = func->second;
170 if (commonEventFunc != nullptr) {
171 return commonEventFunc(&listener_, data);
172 }
173 } else {
174 EDMLOGW("OnReceiveEvent action is invalid");
175 }
176 }
177
CreateEnterpriseDeviceEventSubscriber(EnterpriseDeviceMgrAbility & listener)178 std::shared_ptr<EventFwk::CommonEventSubscriber> EnterpriseDeviceMgrAbility::CreateEnterpriseDeviceEventSubscriber(
179 EnterpriseDeviceMgrAbility &listener)
180 {
181 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
182 AddCommonEventFuncMap();
183 for (auto &item : commonEventFuncMap_) {
184 if (item.first == SYSTEM_UPDATE_FOR_POLICY) {
185 continue;
186 }
187 skill.AddEvent(item.first);
188 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", item.first.c_str());
189 }
190 EventFwk::CommonEventSubscribeInfo info(skill);
191 return std::make_shared<EnterpriseDeviceEventSubscriber>(info, listener);
192 }
193 #endif
194
OnCommonEventUserRemoved(const EventFwk::CommonEventData & data)195 void EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved(const EventFwk::CommonEventData &data)
196 {
197 int userIdToRemove = data.GetCode();
198 if (userIdToRemove == 0) {
199 return;
200 }
201 EDMLOGI("OnCommonEventUserRemoved");
202 std::lock_guard<std::mutex> autoLock(mutexLock_);
203 // include super admin, need to be removed
204 std::vector<std::shared_ptr<Admin>> userAdmin;
205 adminMgr_->GetAdminByUserId(userIdToRemove, userAdmin);
206 for (auto &item : userAdmin) {
207 if (FAILED(RemoveAdminAndAdminPolicy(item->adminInfo_.packageName_, userIdToRemove))) {
208 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved remove admin failed packagename = %{public}s",
209 item->adminInfo_.packageName_.c_str());
210 }
211 }
212 std::vector<std::shared_ptr<Admin>> subAndSuperAdmin;
213 adminMgr_->GetAdminByUserId(DEFAULT_USER_ID, subAndSuperAdmin);
214 for (const auto &subAdmin : subAndSuperAdmin) {
215 if ((subAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN || subAdmin->GetAdminType() == AdminType::ENT) &&
216 FAILED(RemoveAdminAndAdminPolicy(subAdmin->adminInfo_.packageName_, userIdToRemove))) {
217 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventUserRemoved: remove sub and super admin policy failed.");
218 }
219 }
220 }
221
OnCommonEventPackageAdded(const EventFwk::CommonEventData & data)222 void EnterpriseDeviceMgrAbility::OnCommonEventPackageAdded(const EventFwk::CommonEventData &data)
223 {
224 EDMLOGI("OnCommonEventPackageAdded");
225 std::string bundleName = data.GetWant().GetElement().GetBundleName();
226 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_ADDED);
227 }
228
OnCommonEventPackageRemoved(const EventFwk::CommonEventData & data)229 void EnterpriseDeviceMgrAbility::OnCommonEventPackageRemoved(const EventFwk::CommonEventData &data)
230 {
231 EDMLOGI("OnCommonEventPackageRemoved");
232 std::string bundleName = data.GetWant().GetElement().GetBundleName();
233 int32_t userId = data.GetWant().GetIntParam(AppExecFwk::Constants::USER_ID, AppExecFwk::Constants::INVALID_USERID);
234 std::lock_guard<std::mutex> autoLock(mutexLock_);
235 std::shared_ptr<Admin> admin = adminMgr_->GetAdminByPkgName(bundleName, userId);
236 if (admin != nullptr) {
237 if (admin->adminInfo_.adminType_ == AdminType::NORMAL) {
238 RemoveAdminAndAdminPolicy(bundleName, userId);
239 }
240 if (admin->adminInfo_.adminType_ == AdminType::SUB_SUPER_ADMIN && userId == DEFAULT_USER_ID) {
241 // remove sub super admin and sub super admin policy
242 RemoveSubSuperAdminAndAdminPolicy(bundleName);
243 }
244 if (admin->adminInfo_.adminType_ == AdminType::ENT && userId == DEFAULT_USER_ID) {
245 // remove super admin and super admin policy
246 RemoveSuperAdminAndAdminPolicy(bundleName);
247 }
248 if (!adminMgr_->IsAdminExist()) {
249 system::SetParameter(PARAM_EDM_ENABLE, "false");
250 }
251 }
252 ConnectAbilityOnSystemEvent(bundleName, ManagedEvent::BUNDLE_REMOVED);
253 }
254
ConnectAbilityOnSystemEvent(const std::string & bundleName,ManagedEvent event)255 void EnterpriseDeviceMgrAbility::ConnectAbilityOnSystemEvent(const std::string &bundleName, ManagedEvent event)
256 {
257 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
258 adminMgr_->GetAdminBySubscribeEvent(event, subAdmins);
259 if (subAdmins.empty()) {
260 EDMLOGW("Get subscriber by common event failed.");
261 return;
262 }
263 AAFwk::Want want;
264 for (const auto &subAdmin : subAdmins) {
265 for (const auto &it : subAdmin.second) {
266 want.SetElementName(it->adminInfo_.packageName_, it->adminInfo_.className_);
267 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
268 sptr<IEnterpriseConnection> connection =
269 manager->CreateBundleConnection(want, static_cast<uint32_t>(event), subAdmin.first, bundleName);
270 manager->ConnectAbility(connection);
271 }
272 }
273 }
274
GetInstance()275 sptr<EnterpriseDeviceMgrAbility> EnterpriseDeviceMgrAbility::GetInstance()
276 {
277 if (instance_ == nullptr) {
278 std::lock_guard<std::mutex> autoLock(mutexLock_);
279 if (instance_ == nullptr) {
280 EDMLOGD("EnterpriseDeviceMgrAbility:GetInstance instance = new EnterpriseDeviceMgrAbility()");
281 instance_ = new (std::nothrow) EnterpriseDeviceMgrAbility();
282 }
283 }
284 return instance_;
285 }
286
EnterpriseDeviceMgrAbility()287 EnterpriseDeviceMgrAbility::EnterpriseDeviceMgrAbility() : SystemAbility(ENTERPRISE_DEVICE_MANAGER_SA_ID, true)
288 {
289 EDMLOGI("EnterpriseDeviceMgrAbility:new instance");
290 }
291
~EnterpriseDeviceMgrAbility()292 EnterpriseDeviceMgrAbility::~EnterpriseDeviceMgrAbility()
293 {
294 instance_ = nullptr;
295
296 if (adminMgr_) {
297 adminMgr_.reset();
298 }
299
300 if (pluginMgr_) {
301 pluginMgr_.reset();
302 }
303
304 if (policyMgr_) {
305 policyMgr_.reset();
306 }
307 EDMLOGD("instance is destroyed");
308 }
309
Dump(int32_t fd,const std::vector<std::u16string> & args)310 int32_t EnterpriseDeviceMgrAbility::Dump(int32_t fd, const std::vector<std::u16string> &args)
311 {
312 EDMLOGI("EnterpriseDeviceMgrAbility::Dump");
313 if (fd < 0) {
314 EDMLOGE("Dump fd invalid");
315 return ERR_EDM_DUMP_FAILED;
316 }
317 std::string result;
318 result.append("Ohos enterprise device manager service: \n");
319 std::vector<std::string> enabledAdminList;
320 GetEnabledAdmin(AdminType::NORMAL, enabledAdminList);
321 if (enabledAdminList.empty()) {
322 result.append("There is no admin enabled\n");
323 } else {
324 result.append("Enabled admin exist :\n");
325 for (const auto &enabledAdmin : enabledAdminList) {
326 result.append(enabledAdmin);
327 result.append("\n");
328 }
329 }
330 int32_t ret = dprintf(fd, "%s", result.c_str());
331 if (ret < 0) {
332 EDMLOGE("dprintf to dump fd failed");
333 return ERR_EDM_DUMP_FAILED;
334 }
335 return ERR_OK;
336 }
337
OnStart()338 void EnterpriseDeviceMgrAbility::OnStart()
339 {
340 std::lock_guard<std::mutex> autoLock(mutexLock_);
341 EDMLOGD("EnterpriseDeviceMgrAbility::OnStart() Publish");
342 InitAllAdmins();
343 InitAllPolices();
344 RemoveAllDebugAdmin();
345 if (!registerToService_) {
346 if (!Publish(this)) {
347 EDMLOGE("EnterpriseDeviceMgrAbility: res == false");
348 return;
349 }
350 registerToService_ = true;
351 }
352 AddOnAddSystemAbilityFuncMap();
353 AddSystemAbilityListeners();
354 }
355
InitAllAdmins()356 void EnterpriseDeviceMgrAbility::InitAllAdmins()
357 {
358 if (!adminMgr_) {
359 adminMgr_ = AdminManager::GetInstance();
360 }
361 EDMLOGD("create adminMgr_ success");
362 adminMgr_->Init();
363 }
364
InitAllPlugins()365 void EnterpriseDeviceMgrAbility::InitAllPlugins()
366 {
367 if (!pluginMgr_) {
368 pluginMgr_ = PluginManager::GetInstance();
369 }
370 EDMLOGD("create pluginMgr_ success");
371 lastCallTime_ = std::chrono::system_clock::now();
372 if (pluginHasInit_) {
373 std::unique_lock<std::mutex> lock(waitMutex_);
374 notifySignal_ = true;
375 waitSignal_.notify_one();
376 } else {
377 pluginMgr_->LoadPlugin();
378 pluginHasInit_ = true;
379 std::thread timerThread([this]() {
380 this->UnloadPluginTask();
381 });
382 timerThread.detach();
383 }
384 }
385
UnloadPluginTask()386 void EnterpriseDeviceMgrAbility::UnloadPluginTask()
387 {
388 while (pluginHasInit_) {
389 std::unique_lock<std::mutex> lock(waitMutex_);
390 notifySignal_ = false;
391 waitSignal_.wait_for(lock, std::chrono::milliseconds(TIMER_TIMEOUT), [this] { return this->notifySignal_; });
392 auto now = std::chrono::system_clock::now();
393 auto diffTime = std::chrono::duration_cast<std::chrono::milliseconds>(now - lastCallTime_).count();
394 if (diffTime >= std::chrono::milliseconds(TIMER_TIMEOUT).count()) {
395 std::lock_guard<std::mutex> autoLock(mutexLock_);
396 if (pluginMgr_) {
397 pluginMgr_->UnloadPlugin();
398 }
399 pluginHasInit_ = false;
400 }
401 }
402 }
403
InitAllPolices()404 void EnterpriseDeviceMgrAbility::InitAllPolices()
405 {
406 if (!policyMgr_) {
407 policyMgr_ = std::make_shared<PolicyManager>();
408 IPolicyManager::policyManagerInstance_ = policyMgr_.get();
409 }
410 std::vector<int32_t> userIds;
411 auto devicePolicies = DevicePoliciesStorageRdb::GetInstance();
412 if (devicePolicies == nullptr) {
413 EDMLOGW("OnAddSystemAbility::InitAllPolices:get rdbStore failed.");
414 return;
415 }
416 EDMLOGI("InitAllPolices userIds size %{public}zu", userIds.size());
417 devicePolicies->QueryAllUserId(userIds);
418 policyMgr_->Init(userIds);
419 }
420
RemoveAllDebugAdmin()421 void EnterpriseDeviceMgrAbility::RemoveAllDebugAdmin()
422 {
423 bool isDebug = system::GetBoolParameter(DEVELOP_MODE_STATE, false);
424 if (!isDebug) {
425 std::vector<std::shared_ptr<Admin>> userAdmin;
426 adminMgr_->GetAdminByUserId(DEFAULT_USER_ID, userAdmin);
427 for (const auto &item: userAdmin) {
428 if (item->adminInfo_.isDebug_) {
429 EDMLOGD("remove debug admin %{public}s", item->adminInfo_.packageName_.c_str());
430 RemoveSuperAdminAndAdminPolicy(item->adminInfo_.packageName_);
431 }
432 }
433 }
434 }
435
AddSystemAbilityListeners()436 void EnterpriseDeviceMgrAbility::AddSystemAbilityListeners()
437 {
438 AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
439 AddSystemAbilityListener(APP_MGR_SERVICE_ID);
440 AddSystemAbilityListener(ABILITY_MGR_SERVICE_ID);
441 AddSystemAbilityListener(SUBSYS_USERIAM_SYS_ABILITY_USERAUTH);
442 #ifdef PASTEBOARD_EDM_ENABLE
443 AddSystemAbilityListener(PASTEBOARD_SERVICE_ID);
444 #endif
445 #ifdef USB_EDM_ENABLE
446 AddSystemAbilityListener(USB_SYSTEM_ABILITY_ID);
447 #endif
448 }
449
OnAddSystemAbility(int32_t systemAbilityId,const std::string & deviceId)450 void EnterpriseDeviceMgrAbility::OnAddSystemAbility(int32_t systemAbilityId, const std::string &deviceId)
451 {
452 EDMLOGD("OnAddSystemAbility systemAbilityId:%{public}d added!", systemAbilityId);
453 auto func = addSystemAbilityFuncMap_.find(systemAbilityId);
454 if (func != addSystemAbilityFuncMap_.end()) {
455 auto memberFunc = func->second;
456 if (memberFunc != nullptr) {
457 return memberFunc(this, systemAbilityId, deviceId);
458 }
459 }
460 }
461
OnAppManagerServiceStart()462 void EnterpriseDeviceMgrAbility::OnAppManagerServiceStart()
463 {
464 EDMLOGI("OnAppManagerServiceStart");
465 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
466 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
467 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
468 if (!subAdmins.empty()) {
469 EDMLOGI("the admin that listened the APP_START or APP_STOP event is existed");
470 SubscribeAppState();
471 }
472 }
473
OnAbilityManagerServiceStart()474 void EnterpriseDeviceMgrAbility::OnAbilityManagerServiceStart()
475 {
476 EDMLOGI("OnAbilityManagerServiceStart");
477 auto superAdmin = adminMgr_->GetSuperAdmin();
478 if (superAdmin != nullptr) {
479 AAFwk::Want connectWant;
480 connectWant.SetElementName(superAdmin->adminInfo_.packageName_, superAdmin->adminInfo_.className_);
481 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
482 sptr<IEnterpriseConnection> connection = manager->CreateAdminConnection(connectWant,
483 IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, DEFAULT_USER_ID, false);
484 manager->ConnectAbility(connection);
485 }
486 }
487
OnCommonEventServiceStart()488 void EnterpriseDeviceMgrAbility::OnCommonEventServiceStart()
489 {
490 #ifdef COMMON_EVENT_SERVICE_EDM_ENABLE
491 commonEventSubscriber = CreateEnterpriseDeviceEventSubscriber(*this);
492 EventFwk::CommonEventManager::SubscribeCommonEvent(this->commonEventSubscriber);
493 EDMLOGI("create commonEventSubscriber success");
494
495 EventFwk::MatchingSkills skill = EventFwk::MatchingSkills();
496 skill.AddEvent(SYSTEM_UPDATE_FOR_POLICY);
497 EDMLOGI("CreateEnterpriseDeviceEventSubscriber AddEvent: %{public}s", SYSTEM_UPDATE_FOR_POLICY.c_str());
498 EventFwk::CommonEventSubscribeInfo info(skill);
499 info.SetPermission(PERMISSION_UPDATE_SYSTEM);
500 EventFwk::CommonEventManager::SubscribeCommonEvent(std::make_shared<EnterpriseDeviceEventSubscriber>(info, *this));
501 #else
502 EDMLOGW("EnterpriseDeviceMgrAbility::OnCommonEventServiceStart Unsupported Capabilities.");
503 return;
504 #endif
505 }
506
507 #ifdef PASTEBOARD_EDM_ENABLE
OnPasteboardServiceStart()508 void EnterpriseDeviceMgrAbility::OnPasteboardServiceStart()
509 {
510 EDMLOGI("OnPasteboardServiceStart");
511 std::string policyData;
512 policyMgr_->GetPolicy("", "clipboard_policy", policyData, EdmConstants::DEFAULT_USER_ID);
513 auto clipboardSerializer_ = ClipboardSerializer::GetInstance();
514 std::map<int32_t, ClipboardPolicy> policyMap;
515 clipboardSerializer_->Deserialize(policyData, policyMap);
516 ClipboardUtils::HandlePasteboardPolicy(policyMap);
517 }
518 #endif
519
OnUserAuthFrameworkStart()520 void EnterpriseDeviceMgrAbility::OnUserAuthFrameworkStart()
521 {
522 EDMLOGI("OnUserAuthFrameworkStart");
523 std::string policyData;
524 policyMgr_->GetPolicy("", "password_policy", policyData, EdmConstants::DEFAULT_USER_ID);
525 auto serializer_ = PasswordSerializer::GetInstance();
526 PasswordPolicy policy;
527 serializer_->Deserialize(policyData, policy);
528 UserIam::UserAuth::GlobalConfigParam param;
529 param.type = UserIam::UserAuth::GlobalConfigType::PIN_EXPIRED_PERIOD;
530 param.value.pinExpiredPeriod = policy.validityPeriod;
531 int32_t ret = UserIam::UserAuth::UserAuthClient::GetInstance().SetGlobalConfigParam(param);
532 if (ret != 0) {
533 EDMLOGW("SetGlobalConfigParam Error");
534 }
535 }
536
537 #ifdef USB_EDM_ENABLE
OnUsbServiceStart()538 void EnterpriseDeviceMgrAbility::OnUsbServiceStart()
539 {
540 EDMLOGI("OnUsbServiceStart");
541 std::string disableUsbPolicy;
542 policyMgr_->GetPolicy("", "disable_usb", disableUsbPolicy, EdmConstants::DEFAULT_USER_ID);
543 bool isUsbDisabled = false;
544 BoolSerializer::GetInstance()->Deserialize(policyData, isUsbDisabled);
545 if (isUsbDisabled) {
546 ErrCode disableUsbRet = UsbPolicyUtils::SetUsbDisabled(isUsbDisabled);
547 if (disableUsbRet != ERR_OK) {
548 EDMLOGW("SetUsbDisabled Error: %{public}d", disableUsbRet);
549 }
550 return;
551 }
552
553 std::string allowUsbDevicePolicy;
554 policyMgr_->GetPolicy("", "allowed_usb_devices", allowUsbDevicePolicy, EdmConstants::DEFAULT_USER_ID);
555 std::vector<UsbDeviceId> usbDeviceIds;
556 ArrayUsbDeviceIdSerializer::GetInstance()->Deserialize(policyData, usbDeviceIds);
557 if (!usbDeviceIds.empty()) {
558 ErrCode allowedUsbRet = UsbPolicyUtils::AddAllowedUsbDevices(usbDeviceIds);
559 if (allowedUsbRet != ERR_OK) {
560 EDMLOGW("AddAllowedUsbDevices Error: %{public}d", allowedUsbRet);
561 }
562 return;
563 }
564
565 std::string usbStoragePolicy;
566 policyMgr_->GetPolicy("", "usb_read_only", usbStoragePolicy, EdmConstants::DEFAULT_USER_ID);
567 if (usbStoragePolicy == std::to_string(EdmConstants::STORAGE_USB_POLICY_DISABLED)) {
568 ErrCode storageRet = UsbPolicyUtils::SetStorageUsbDeviceDisabled(true);
569 if (storageRet != ERR_OK) {
570 EDMLOGW("SetStorageUsbDeviceDisabled Error: %{public}d", storageRet);
571 }
572 }
573 }
574 #endif
575
OnRemoveSystemAbility(int32_t systemAbilityId,const std::string & deviceId)576 void EnterpriseDeviceMgrAbility::OnRemoveSystemAbility(int32_t systemAbilityId, const std::string &deviceId) {}
577
OnStop()578 void EnterpriseDeviceMgrAbility::OnStop()
579 {
580 EDMLOGD("EnterpriseDeviceMgrAbility::OnStop()");
581 std::lock_guard<std::mutex> autoLock(mutexLock_);
582 if (pluginHasInit_) {
583 pluginHasInit_ = false;
584 std::unique_lock<std::mutex> lock(waitMutex_);
585 notifySignal_ = true;
586 waitSignal_.notify_one();
587 }
588 }
589
GetAllPermissionsByAdmin(const std::string & bundleInfoName,std::vector<std::string> & permissionList,int32_t userId)590 ErrCode EnterpriseDeviceMgrAbility::GetAllPermissionsByAdmin(const std::string &bundleInfoName,
591 std::vector<std::string> &permissionList, int32_t userId)
592 {
593 bool ret = false;
594 AppExecFwk::BundleInfo bundleInfo;
595 if (permissionList.size() > 0) {
596 permissionList.clear();
597 }
598 EDMLOGD("GetAllPermissionsByAdmin GetBundleInfo: bundleInfoName %{public}s userid %{public}d",
599 bundleInfoName.c_str(), userId);
600 ret = GetBundleMgr()->GetBundleInfo(bundleInfoName, AppExecFwk::BundleFlag::GET_BUNDLE_WITH_REQUESTED_PERMISSION,
601 bundleInfo, userId);
602 if (!ret) {
603 EDMLOGW("GetAllPermissionsByAdmin: GetBundleInfo failed %{public}d", ret);
604 return ERR_EDM_PARAM_ERROR;
605 }
606 std::vector<std::string> reqPermission = bundleInfo.reqPermissions;
607 if (reqPermission.empty()) {
608 EDMLOGW("GetAllPermissionsByAdmin: bundleInfo reqPermissions empty");
609 return ERR_OK;
610 }
611
612 std::vector<EdmPermission> edmPermissions;
613 ErrCode code = adminMgr_->GetReqPermission(reqPermission, edmPermissions);
614 if (SUCCEEDED(code)) {
615 for (const auto &perm : edmPermissions) {
616 permissionList.push_back(perm.getPermissionName());
617 }
618 }
619 return ERR_OK;
620 }
621
GetBundleMgr()622 std::shared_ptr<IEdmBundleManager> EnterpriseDeviceMgrAbility::GetBundleMgr()
623 {
624 return GetExternalManagerFactory()->CreateBundleManager();
625 }
626
GetAppMgr()627 std::shared_ptr<IEdmAppManager> EnterpriseDeviceMgrAbility::GetAppMgr()
628 {
629 return GetExternalManagerFactory()->CreateAppManager();
630 }
631
GetOsAccountMgr()632 std::shared_ptr<IEdmOsAccountManager> EnterpriseDeviceMgrAbility::GetOsAccountMgr()
633 {
634 return GetExternalManagerFactory()->CreateOsAccountManager();
635 }
636
SubscribeAppState()637 bool EnterpriseDeviceMgrAbility::SubscribeAppState()
638 {
639 if (appStateObserver_) {
640 EDMLOGD("appStateObserver has subscribed");
641 return true;
642 }
643 appStateObserver_ = new (std::nothrow) ApplicationStateObserver(*this);
644 if (!appStateObserver_) {
645 EDMLOGE("new ApplicationStateObserver failed");
646 return false;
647 }
648 if (GetAppMgr()->RegisterApplicationStateObserver(appStateObserver_)) {
649 EDMLOGE("RegisterApplicationStateObserver fail!");
650 appStateObserver_.clear();
651 appStateObserver_ = nullptr;
652 return false;
653 }
654 return true;
655 }
656
UnsubscribeAppState()657 bool EnterpriseDeviceMgrAbility::UnsubscribeAppState()
658 {
659 if (!appStateObserver_) {
660 EDMLOGD("appStateObserver has subscribed");
661 return true;
662 }
663 std::unordered_map<int32_t, std::vector<std::shared_ptr<Admin>>> subAdmins;
664 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_START, subAdmins);
665 adminMgr_->GetAdminBySubscribeEvent(ManagedEvent::APP_STOP, subAdmins);
666 if (!subAdmins.empty()) {
667 return true;
668 }
669 if (GetAppMgr()->UnregisterApplicationStateObserver(appStateObserver_)) {
670 EDMLOGE("UnregisterApplicationStateObserver fail!");
671 return false;
672 }
673 appStateObserver_.clear();
674 appStateObserver_ = nullptr;
675 return true;
676 }
677
VerifyEnableAdminCondition(AppExecFwk::ElementName & admin,AdminType type,int32_t userId,bool isDebug)678 ErrCode EnterpriseDeviceMgrAbility::VerifyEnableAdminCondition(AppExecFwk::ElementName &admin, AdminType type,
679 int32_t userId, bool isDebug)
680 {
681 if (type == AdminType::UNKNOWN) {
682 EDMLOGW("EnableAdmin: admin type is invalid.");
683 return ERR_EDM_ADD_ADMIN_FAILED;
684 }
685 if (type == AdminType::ENT && userId != DEFAULT_USER_ID) {
686 EDMLOGW("EnableAdmin: Super admin can only be enabled in default user.");
687 return ERR_EDM_ADD_ADMIN_FAILED;
688 }
689
690 if (type != AdminType::ENT && system::GetBoolParameter(PARAM_SECURITY_MODE, false)) {
691 EDMLOGW("EnableAdmin: The current mode is not supported.");
692 return ERR_EDM_ADD_ADMIN_FAILED;
693 }
694
695 std::shared_ptr<Admin> existAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
696 if (existAdmin != nullptr) {
697 if (existAdmin->GetAdminType() == AdminType::SUB_SUPER_ADMIN) {
698 EDMLOGW("EnableAdmin: sub-super admin can not be enabled as a normal or super admin.");
699 return ERR_EDM_ADD_ADMIN_FAILED;
700 }
701 if (existAdmin->GetAdminType() == AdminType::ENT && (type != AdminType::ENT || userId != DEFAULT_USER_ID)) {
702 EDMLOGW("EnableAdmin: an exist super admin can't be enabled twice with different role or user id.");
703 return ERR_EDM_ADD_ADMIN_FAILED;
704 }
705 if (isDebug != existAdmin->adminInfo_.isDebug_) {
706 EDMLOGW("EnableAdmin: debug parameter can not be changed.");
707 return ERR_EDM_ADD_ADMIN_FAILED;
708 }
709 /* An application can't be enabled twice with different ability name */
710 if (existAdmin->adminInfo_.className_ != admin.GetAbilityName()) {
711 EDMLOGW("EnableAdmin: There is another admin ability enabled with the same package name.");
712 return ERR_EDM_ADD_ADMIN_FAILED;
713 }
714 }
715 if (!isDebug && type == AdminType::ENT && adminMgr_->IsSuperAdminExist()) {
716 if (existAdmin == nullptr || existAdmin->adminInfo_.adminType_ != AdminType::ENT) {
717 EDMLOGW("EnableAdmin: There is another super admin enabled.");
718 return ERR_EDM_ADD_ADMIN_FAILED;
719 }
720 }
721 return ERR_OK;
722 }
723
EnableAdmin(AppExecFwk::ElementName & admin,EntInfo & entInfo,AdminType type,int32_t userId)724 ErrCode EnterpriseDeviceMgrAbility::EnableAdmin(AppExecFwk::ElementName &admin, EntInfo &entInfo, AdminType type,
725 int32_t userId)
726 {
727 EDMLOGD("EnterpriseDeviceMgrAbility::EnableAdmin user id = %{public}d", userId);
728 std::lock_guard<std::mutex> autoLock(mutexLock_);
729 bool isDebug = GetAccessTokenMgr()->IsDebug();
730 if (!isDebug && !GetAccessTokenMgr()->VerifyCallingPermission(PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
731 EDMLOGW("EnterpriseDeviceMgrAbility::EnableAdmin check permission failed");
732 return EdmReturnErrCode::PERMISSION_DENIED;
733 }
734 std::vector<AppExecFwk::ExtensionAbilityInfo> abilityInfo;
735 AAFwk::Want want;
736 want.SetElement(admin);
737 if (!GetBundleMgr()->QueryExtensionAbilityInfos(want, AppExecFwk::ExtensionAbilityType::ENTERPRISE_ADMIN,
738 AppExecFwk::ExtensionAbilityInfoFlag::GET_EXTENSION_INFO_WITH_PERMISSION, userId, abilityInfo) ||
739 abilityInfo.empty()) {
740 EDMLOGW("EnableAdmin: QueryExtensionAbilityInfos failed");
741 return EdmReturnErrCode::COMPONENT_INVALID;
742 }
743 if (FAILED(VerifyEnableAdminCondition(admin, type, userId, isDebug))) {
744 EDMLOGW("EnableAdmin: VerifyEnableAdminCondition failed.");
745 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
746 }
747
748 /* Get all request and registered permissions */
749 std::vector<std::string> permissionList;
750 if (FAILED(GetAllPermissionsByAdmin(admin.GetBundleName(), permissionList, userId))) {
751 EDMLOGW("EnableAdmin: GetAllPermissionsByAdmin failed");
752 return EdmReturnErrCode::COMPONENT_INVALID;
753 }
754 /* Filter permissions with AdminType, such as NORMAL can't request super permission */
755 if (FAILED(adminMgr_->GetGrantedPermission(permissionList, type))) {
756 EDMLOGW("EnableAdmin: GetGrantedPermission failed");
757 // permission verify, should throw exception if failed
758 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
759 }
760 Admin edmAdmin(abilityInfo.at(0), type, entInfo, permissionList, isDebug);
761 if (FAILED(adminMgr_->SetAdminValue(userId, edmAdmin))) {
762 EDMLOGE("EnableAdmin: SetAdminValue failed.");
763 return EdmReturnErrCode::ENABLE_ADMIN_FAILED;
764 }
765 system::SetParameter(PARAM_EDM_ENABLE, "true");
766 EDMLOGI("EnableAdmin: SetAdminValue success %{public}s, type:%{public}d", admin.GetBundleName().c_str(),
767 static_cast<uint32_t>(type));
768 AAFwk::Want connectWant;
769 connectWant.SetElementName(admin.GetBundleName(), admin.GetAbilityName());
770 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
771 sptr<IEnterpriseConnection> connection =
772 manager->CreateAdminConnection(connectWant, IEnterpriseAdmin::COMMAND_ON_ADMIN_ENABLED, userId);
773 manager->ConnectAbility(connection);
774 return ERR_OK;
775 }
776
RemoveAdminItem(const std::string & adminName,const std::string & policyName,const std::string & policyValue,int32_t userId)777 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminItem(const std::string &adminName, const std::string &policyName,
778 const std::string &policyValue, int32_t userId)
779 {
780 InitAllPlugins();
781 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByPolicyName(policyName);
782 if (plugin == nullptr) {
783 EDMLOGW("RemoveAdminItem: Get plugin by policy failed: %{public}s\n", policyName.c_str());
784 return ERR_EDM_GET_PLUGIN_MGR_FAILED;
785 }
786 ErrCode ret = plugin->OnAdminRemove(adminName, policyValue, userId);
787 if (ret != ERR_OK) {
788 EDMLOGW("RemoveAdminItem: OnAdminRemove failed, admin:%{public}s, value:%{public}s, res:%{public}d\n",
789 adminName.c_str(), policyValue.c_str(), ret);
790 }
791 if (plugin->NeedSavePolicy()) {
792 std::string mergedPolicyData;
793 ret = plugin->MergePolicyData(adminName, mergedPolicyData);
794 if (ret != ERR_OK) {
795 EDMLOGW("RemoveAdminItem: Get admin by policy name failed: %{public}s, ErrCode:%{public}d\n",
796 policyName.c_str(), ret);
797 }
798
799 ErrCode setRet = ERR_OK;
800 std::unordered_map<std::string, std::string> adminListMap;
801 ret = policyMgr_->GetAdminByPolicyName(policyName, adminListMap, userId);
802 if ((ret == ERR_EDM_POLICY_NOT_FOUND) || adminListMap.empty()) {
803 setRet = policyMgr_->SetPolicy("", policyName, "", "", userId);
804 } else {
805 setRet = policyMgr_->SetPolicy(adminName, policyName, "", mergedPolicyData, userId);
806 }
807
808 if (FAILED(setRet)) {
809 EDMLOGW("RemoveAdminItem: DeleteAdminPolicy failed, admin:%{public}s, policy:%{public}s, res:%{public}d\n",
810 adminName.c_str(), policyName.c_str(), ret);
811 return ERR_EDM_DEL_ADMIN_FAILED;
812 }
813 }
814 plugin->OnAdminRemoveDone(adminName, policyValue, userId);
815 return ERR_OK;
816 }
817
RemoveAdminAndAdminPolicy(const std::string & adminName,int32_t userId)818 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminAndAdminPolicy(const std::string &adminName, int32_t userId)
819 {
820 EDMLOGD("RemoveAdminAndAdminPolicy:admin: %{public}s, user id:%{public}d.", adminName.c_str(), userId);
821 ErrCode removeAdminPolicyRet = RemoveAdminPolicy(adminName, userId);
822 if (FAILED(removeAdminPolicyRet)) {
823 EDMLOGE("Remove admin %{public}s policy with user id = %{public}d fail.", adminName.c_str(), userId);
824 return removeAdminPolicyRet;
825 }
826
827 ErrCode removeAdminRet = RemoveAdmin(adminName, userId);
828 if (FAILED(removeAdminRet)) {
829 EDMLOGE("Remove admin %{public}s with user id = %{public}d fail.", adminName.c_str(), userId);
830 return removeAdminRet;
831 }
832 return ERR_OK;
833 }
834
RemoveAdmin(const std::string & adminName,int32_t userId)835 ErrCode EnterpriseDeviceMgrAbility::RemoveAdmin(const std::string &adminName, int32_t userId)
836 {
837 bool shouldUnsubscribeAppState = ShouldUnsubscribeAppState(adminName, userId);
838 auto ret = adminMgr_->DeleteAdmin(adminName, userId);
839 if (ret != ERR_OK && ret != ERR_EDM_UNKNOWN_ADMIN) {
840 return ERR_EDM_DEL_ADMIN_FAILED;
841 }
842 if (shouldUnsubscribeAppState) {
843 UnsubscribeAppState();
844 }
845 return ERR_OK;
846 }
847
RemoveAdminPolicy(const std::string & adminName,int32_t userId)848 ErrCode EnterpriseDeviceMgrAbility::RemoveAdminPolicy(const std::string &adminName, int32_t userId)
849 {
850 std::unordered_map<std::string, std::string> policyItems;
851 policyMgr_->GetAllPolicyByAdmin(adminName, policyItems, userId);
852 for (const auto &policyItem : policyItems) {
853 std::string policyItemName = policyItem.first;
854 std::string policyItemValue = policyItem.second;
855 EDMLOGD("RemoveAdminPolicy:policyName:%{public}s", policyItemName.c_str());
856 if (RemoveAdminItem(adminName, policyItemName, policyItemValue, userId) != ERR_OK) {
857 return ERR_EDM_DEL_ADMIN_FAILED;
858 }
859 }
860 return ERR_OK;
861 }
862
RemoveSubSuperAdminAndAdminPolicy(const std::string & bundleName)863 ErrCode EnterpriseDeviceMgrAbility::RemoveSubSuperAdminAndAdminPolicy(const std::string &bundleName)
864 {
865 std::vector<int32_t> userIds;
866 policyMgr_->GetPolicyUserIds(userIds);
867 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
868 }
869
RemoveSuperAdminAndAdminPolicy(const std::string & bundleName)870 ErrCode EnterpriseDeviceMgrAbility::RemoveSuperAdminAndAdminPolicy(const std::string &bundleName)
871 {
872 std::vector<int32_t> userIds;
873 policyMgr_->GetPolicyUserIds(userIds);
874 // remove sub-super admin
875 std::vector<std::string> subAdmins;
876 adminMgr_->GetSubSuperAdminsByParentName(bundleName, subAdmins);
877 for (auto const &subAdminName : subAdmins) {
878 if (RemoveSubOrSuperAdminAndAdminPolicy(subAdminName, userIds) != ERR_OK) {
879 return ERR_EDM_DEL_ADMIN_FAILED;
880 }
881 }
882 // remove super admin on other userid
883 return RemoveSubOrSuperAdminAndAdminPolicy(bundleName, userIds);
884 }
885
RemoveSubOrSuperAdminAndAdminPolicy(const std::string & bundleName,const std::vector<int32_t> & nonDefaultUserIds)886 ErrCode EnterpriseDeviceMgrAbility::RemoveSubOrSuperAdminAndAdminPolicy(const std::string &bundleName,
887 const std::vector<int32_t> &nonDefaultUserIds)
888 {
889 // remove super admin on other userid
890 for (auto const &userId : nonDefaultUserIds) {
891 if (RemoveAdminAndAdminPolicy(bundleName, userId) != ERR_OK) {
892 return ERR_EDM_DEL_ADMIN_FAILED;
893 }
894 }
895 // remove super admin default userid
896 return RemoveAdminAndAdminPolicy(bundleName, DEFAULT_USER_ID);
897 }
898
ShouldUnsubscribeAppState(const std::string & adminName,int32_t userId)899 bool EnterpriseDeviceMgrAbility::ShouldUnsubscribeAppState(const std::string &adminName, int32_t userId)
900 {
901 std::shared_ptr<Admin> adminPtr = adminMgr_->GetAdminByPkgName(adminName, userId);
902 return std::any_of(adminPtr->adminInfo_.managedEvents_.begin(), adminPtr->adminInfo_.managedEvents_.end(),
903 [](ManagedEvent event) { return event == ManagedEvent::APP_START || event == ManagedEvent::APP_STOP; });
904 }
905
DisableAdmin(AppExecFwk::ElementName & admin,int32_t userId)906 ErrCode EnterpriseDeviceMgrAbility::DisableAdmin(AppExecFwk::ElementName &admin, int32_t userId)
907 {
908 EDMLOGI("EnterpriseDeviceMgrAbility::DisableAdmin user id = %{public}d", userId);
909 bool isSDA = IsSuperAdmin(admin.GetBundleName());
910 userId = isSDA ? DEFAULT_USER_ID : userId;
911 AdminType adminType = isSDA ? AdminType::ENT : AdminType::NORMAL;
912 return DoDisableAdmin(admin.GetBundleName(), userId, adminType);
913 }
914
CheckCallingUid(const std::string & bundleName)915 ErrCode EnterpriseDeviceMgrAbility::CheckCallingUid(const std::string &bundleName)
916 {
917 // super admin can be removed by itself
918 int uid = GetCallingUid();
919 std::string callingBundleName;
920 if (GetBundleMgr()->GetNameForUid(uid, callingBundleName) != ERR_OK) {
921 EDMLOGW("CheckCallingUid failed: get bundleName for uid %{public}d fail.", uid);
922 return ERR_EDM_PERMISSION_ERROR;
923 }
924 if (bundleName == callingBundleName) {
925 return ERR_OK;
926 }
927 EDMLOGW("CheckCallingUid failed: only the app %{public}s can remove itself.", callingBundleName.c_str());
928 return ERR_EDM_PERMISSION_ERROR;
929 }
930
DisableSuperAdmin(const std::string & bundleName)931 ErrCode EnterpriseDeviceMgrAbility::DisableSuperAdmin(const std::string &bundleName)
932 {
933 EDMLOGI("EnterpriseDeviceMgrAbility::DisableSuperAdmin bundle name = %{public}s", bundleName.c_str());
934 return DoDisableAdmin(bundleName, DEFAULT_USER_ID, AdminType::ENT);
935 }
936
DoDisableAdmin(const std::string & bundleName,int32_t userId,AdminType adminType)937 ErrCode EnterpriseDeviceMgrAbility::DoDisableAdmin(const std::string &bundleName, int32_t userId, AdminType adminType)
938 {
939 std::lock_guard<std::mutex> autoLock(mutexLock_);
940 bool isDebug = GetAccessTokenMgr()->IsDebug();
941 if (!isDebug && !GetAccessTokenMgr()->VerifyCallingPermission(PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
942 EDMLOGW("DoDisableAdmin::DisableSuperAdmin check permission failed.");
943 return EdmReturnErrCode::PERMISSION_DENIED;
944 }
945 std::shared_ptr<Admin> admin = adminMgr_->GetAdminByPkgName(bundleName, userId);
946 if (admin == nullptr) {
947 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
948 }
949 if (isDebug && !admin->adminInfo_.isDebug_) {
950 EDMLOGW("DoDisableAdmin: shell command can only remove debug super admin.");
951 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
952 }
953 if (admin->adminInfo_.adminType_ != adminType) {
954 EDMLOGW("DoDisableAdmin: only remove the certain admin.");
955 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
956 }
957 if (adminType == AdminType::ENT && FAILED(RemoveSuperAdminAndAdminPolicy(bundleName))) {
958 EDMLOGW("DoDisableAdmin: remove admin failed.");
959 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
960 } else if (adminType == AdminType::NORMAL && FAILED(RemoveAdminAndAdminPolicy(bundleName, userId))) {
961 EDMLOGW("DoDisableAdmin: disable admin failed.");
962 return EdmReturnErrCode::DISABLE_ADMIN_FAILED;
963 }
964 if (!adminMgr_->IsAdminExist()) {
965 system::SetParameter(PARAM_EDM_ENABLE, "false");
966 }
967 AAFwk::Want want;
968 want.SetElementName(admin->adminInfo_.packageName_, admin->adminInfo_.className_);
969 std::shared_ptr<EnterpriseConnManager> manager = DelayedSingleton<EnterpriseConnManager>::GetInstance();
970 sptr<IEnterpriseConnection> connection =
971 manager->CreateAdminConnection(want, IEnterpriseAdmin::COMMAND_ON_ADMIN_DISABLED, userId);
972 manager->ConnectAbility(connection);
973 return ERR_OK;
974 }
975
IsSuperAdmin(const std::string & bundleName)976 bool EnterpriseDeviceMgrAbility::IsSuperAdmin(const std::string &bundleName)
977 {
978 std::lock_guard<std::mutex> autoLock(mutexLock_);
979 return adminMgr_->IsSuperAdmin(bundleName);
980 }
981
IsAdminEnabled(AppExecFwk::ElementName & admin,int32_t userId)982 bool EnterpriseDeviceMgrAbility::IsAdminEnabled(AppExecFwk::ElementName &admin, int32_t userId)
983 {
984 std::lock_guard<std::mutex> autoLock(mutexLock_);
985 std::shared_ptr<Admin> existAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
986 if (existAdmin != nullptr) {
987 EDMLOGD("IsAdminEnabled: get admin successed");
988 return true;
989 }
990 return false;
991 }
992
GetCurrentUserId()993 int32_t EnterpriseDeviceMgrAbility::GetCurrentUserId()
994 {
995 std::vector<int32_t> ids;
996 ErrCode ret = GetOsAccountMgr()->QueryActiveOsAccountIds(ids);
997 if (FAILED(ret) || ids.empty()) {
998 EDMLOGE("EnterpriseDeviceMgrAbility GetCurrentUserId failed");
999 return -1;
1000 }
1001 EDMLOGD("EnterpriseDeviceMgrAbility GetCurrentUserId user id = %{public}d", ids.at(0));
1002 return (ids.at(0));
1003 }
1004
UpdateDevicePolicy(uint32_t code,AppExecFwk::ElementName & admin,MessageParcel & data,MessageParcel & reply,int32_t userId)1005 ErrCode EnterpriseDeviceMgrAbility::UpdateDevicePolicy(uint32_t code, AppExecFwk::ElementName &admin,
1006 MessageParcel &data, MessageParcel &reply, int32_t userId)
1007 {
1008 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1009 if (plugin == nullptr) {
1010 EDMLOGW("UpdateDevicePolicy: get plugin failed, code:%{public}d", code);
1011 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1012 }
1013
1014 std::string policyName = plugin->GetPolicyName();
1015 HandlePolicyData handlePolicyData{"", false};
1016 policyMgr_->GetPolicy(admin.GetBundleName(), policyName, handlePolicyData.policyData, userId);
1017 ErrCode ret = plugin->GetExecuteStrategy()->OnSetExecute(code, data, reply, handlePolicyData, userId);
1018 if (FAILED(ret)) {
1019 EDMLOGW("UpdateDevicePolicy: OnHandlePolicy failed");
1020 return ret;
1021 }
1022 EDMLOGD("UpdateDevicePolicy: isChanged:%{public}d, needSave:%{public}d", handlePolicyData.isChanged,
1023 plugin->NeedSavePolicy());
1024 std::string oldCombinePolicy;
1025 policyMgr_->GetPolicy("", policyName, oldCombinePolicy, userId);
1026 std::string mergedPolicy = handlePolicyData.policyData;
1027 bool isGlobalChanged = false;
1028 if (plugin->NeedSavePolicy() && handlePolicyData.isChanged) {
1029 ret = plugin->MergePolicyData(admin.GetBundleName(), mergedPolicy);
1030 if (FAILED(ret)) {
1031 EDMLOGW("UpdateDevicePolicy: MergePolicyData failed error:%{public}d", ret);
1032 return ret;
1033 }
1034 policyMgr_->SetPolicy(admin.GetBundleName(), policyName, handlePolicyData.policyData, mergedPolicy, userId);
1035 isGlobalChanged = (oldCombinePolicy != mergedPolicy);
1036 }
1037 plugin->OnHandlePolicyDone(code, admin.GetBundleName(), isGlobalChanged, userId);
1038 return ERR_OK;
1039 }
1040
HandleDevicePolicy(uint32_t code,AppExecFwk::ElementName & admin,MessageParcel & data,MessageParcel & reply,int32_t userId)1041 ErrCode EnterpriseDeviceMgrAbility::HandleDevicePolicy(uint32_t code, AppExecFwk::ElementName &admin,
1042 MessageParcel &data, MessageParcel &reply, int32_t userId)
1043 {
1044 std::lock_guard<std::mutex> autoLock(mutexLock_);
1045 InitAllPlugins();
1046 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1047 if (plugin == nullptr) {
1048 EDMLOGW("HandleDevicePolicy: get plugin failed, code:%{public}d", code);
1049 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1050 }
1051 #ifndef EDM_FUZZ_TEST
1052 bool isUserExist = false;
1053 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1054 if (!isUserExist) {
1055 return EdmReturnErrCode::PARAM_ERROR;
1056 }
1057 EDMLOGI("HandleDevicePolicy: HandleDevicePolicy userId = %{public}d", userId);
1058 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1059 if (deviceAdmin == nullptr) {
1060 EDMLOGW("HandleDevicePolicy: get admin failed");
1061 return EdmReturnErrCode::ADMIN_INACTIVE;
1062 }
1063 if (FAILED(CheckCallingUid(deviceAdmin->adminInfo_.packageName_))) {
1064 EDMLOGW("HandleDevicePolicy: CheckCallingUid failed.");
1065 return EdmReturnErrCode::PERMISSION_DENIED;
1066 }
1067 std::string setPermission = plugin->GetPermission(FuncOperateType::SET, data.ReadString());
1068 if (setPermission == NONE_PERMISSION_MATCH) {
1069 EDMLOGE("HandleDevicePolicy: GetPermission failed!");
1070 return EdmReturnErrCode::PERMISSION_DENIED;
1071 }
1072 EDMLOGD("HandleDevicePolicy: plugin info:%{public}d , %{public}s , %{public}s", plugin->GetCode(),
1073 plugin->GetPolicyName().c_str(), setPermission.c_str());
1074 if (plugin->GetApiType(FuncOperateType::SET) == IPlugin::ApiType::SYSTEM &&
1075 !GetAccessTokenMgr()->IsSystemAppOrNative()) {
1076 EDMLOGE("HandleDevicePolicy: not system app or native process");
1077 return EdmReturnErrCode::SYSTEM_API_DENIED;
1078 }
1079 if (!deviceAdmin->CheckPermission(setPermission) || (deviceAdmin->adminInfo_.adminType_ != AdminType::ENT &&
1080 deviceAdmin->adminInfo_.adminType_ != AdminType::SUB_SUPER_ADMIN && userId != GetCurrentUserId())) {
1081 EDMLOGW("HandleDevicePolicy: admin check permission failed");
1082 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1083 }
1084 if (!GetAccessTokenMgr()->VerifyCallingPermission(setPermission)) {
1085 EDMLOGW("HandleDevicePolicy: VerifyCallingPermission failed");
1086 return EdmReturnErrCode::PERMISSION_DENIED;
1087 }
1088 #endif
1089 ErrCode ret = UpdateDevicePolicy(code, admin, data, reply, userId);
1090 CreateSecurityContent(admin.GetBundleName(), admin.GetAbilityName(), code, plugin->GetPolicyName(), ret);
1091 return ret;
1092 }
1093
CreateSecurityContent(const std::string & bundleName,const std::string & abilityName,uint32_t code,const std::string & policyName,ErrCode errorCode)1094 void EnterpriseDeviceMgrAbility::CreateSecurityContent(const std::string &bundleName, const std::string &abilityName,
1095 uint32_t code, const std::string &policyName, ErrCode errorCode)
1096 {
1097 ReportInfo reportInfo = ReportInfo(FuncCodeUtils::GetOperateType(code), policyName, std::to_string(errorCode));
1098 SecurityReport::ReportSecurityInfo(bundleName, abilityName, reportInfo);
1099 }
1100
GetDevicePolicy(uint32_t code,MessageParcel & data,MessageParcel & reply,int32_t userId)1101 ErrCode EnterpriseDeviceMgrAbility::GetDevicePolicy(uint32_t code, MessageParcel &data, MessageParcel &reply,
1102 int32_t userId)
1103 {
1104 std::lock_guard<std::mutex> autoLock(mutexLock_);
1105 bool isUserExist = false;
1106 GetOsAccountMgr()->IsOsAccountExists(userId, isUserExist);
1107 if (!isUserExist) {
1108 reply.WriteInt32(EdmReturnErrCode::PARAM_ERROR);
1109 return EdmReturnErrCode::PARAM_ERROR;
1110 }
1111 InitAllPlugins();
1112 std::shared_ptr<IPlugin> plugin = pluginMgr_->GetPluginByFuncCode(code);
1113 if (plugin == nullptr) {
1114 EDMLOGW("GetDevicePolicy: get plugin failed");
1115 reply.WriteInt32(EdmReturnErrCode::INTERFACE_UNSUPPORTED);
1116 return EdmReturnErrCode::INTERFACE_UNSUPPORTED;
1117 }
1118 std::string permissionTag = data.ReadString();
1119 bool isCheckSystem = (plugin->GetApiType(FuncOperateType::GET) == IPlugin::ApiType::SYSTEM)
1120 || (permissionTag == EdmConstants::PERMISSION_TAG_SYSTEM_API);
1121 if (isCheckSystem && !GetAccessTokenMgr()->IsSystemAppOrNative()) {
1122 EDMLOGE("GetDevicePolicy: not system app or native process");
1123 reply.WriteInt32(EdmReturnErrCode::SYSTEM_API_DENIED);
1124 return EdmReturnErrCode::SYSTEM_API_DENIED;
1125 }
1126 AppExecFwk::ElementName elementName;
1127 std::string getPermission = plugin->GetPermission(FuncOperateType::GET, permissionTag);
1128 // has admin
1129 if (data.ReadInt32() == 0) {
1130 if (getPermission == NONE_PERMISSION_MATCH) {
1131 EDMLOGE("GetDevicePolicy: GetPermission failed!");
1132 return EdmReturnErrCode::PERMISSION_DENIED;
1133 }
1134 ErrCode ret = CheckGetPolicyPermission(data, reply, getPermission, userId, elementName);
1135 if (FAILED(ret)) {
1136 return ret;
1137 }
1138 }
1139 std::string policyName = plugin->GetPolicyName();
1140 std::string policyValue;
1141
1142 if (plugin->NeedSavePolicy()) {
1143 policyMgr_->GetPolicy(elementName.GetBundleName(), policyName, policyValue, userId);
1144 }
1145 ErrCode getRet = plugin->GetExecuteStrategy()->OnGetExecute(code, policyValue, data, reply, userId);
1146 CreateSecurityContent(elementName.GetBundleName(), elementName.GetAbilityName(), code, plugin->GetPolicyName(),
1147 getRet);
1148 return getRet;
1149 }
1150
CheckGetPolicyPermission(MessageParcel & data,MessageParcel & reply,const std::string & getPermission,const int32_t userId,AppExecFwk::ElementName & elementName)1151 ErrCode EnterpriseDeviceMgrAbility::CheckGetPolicyPermission(MessageParcel &data, MessageParcel &reply,
1152 const std::string &getPermission, const int32_t userId, AppExecFwk::ElementName &elementName)
1153 {
1154 std::unique_ptr<AppExecFwk::ElementName> admin(data.ReadParcelable<AppExecFwk::ElementName>());
1155 if (!admin) {
1156 EDMLOGW("GetDevicePolicy: ReadParcelable failed");
1157 reply.WriteInt32(EdmReturnErrCode::PARAM_ERROR);
1158 return ERR_EDM_PARAM_ERROR;
1159 }
1160 #ifndef EDM_FUZZ_TEST
1161 std::shared_ptr<Admin> deviceAdmin = adminMgr_->GetAdminByPkgName(admin->GetBundleName(), userId);
1162 if (deviceAdmin == nullptr) {
1163 EDMLOGW("GetDevicePolicy: get admin failed");
1164 reply.WriteInt32(EdmReturnErrCode::ADMIN_INACTIVE);
1165 return EdmReturnErrCode::ADMIN_INACTIVE;
1166 }
1167 if (FAILED(CheckCallingUid(deviceAdmin->adminInfo_.packageName_))) {
1168 EDMLOGW("GetDevicePolicy: CheckCallingUid failed.");
1169 reply.WriteInt32(EdmReturnErrCode::PERMISSION_DENIED);
1170 return EdmReturnErrCode::PERMISSION_DENIED;
1171 }
1172 if (!getPermission.empty() && !deviceAdmin->CheckPermission(getPermission)) {
1173 EDMLOGW("GetDevicePolicy: admin check permission failed %{public}s", getPermission.c_str());
1174 reply.WriteInt32(EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED);
1175 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1176 }
1177 #endif
1178 elementName.SetBundleName(admin->GetBundleName());
1179 elementName.SetAbilityName(admin->GetAbilityName());
1180 return ERR_OK;
1181 }
1182
GetEnabledAdmin(AdminType type,std::vector<std::string> & enabledAdminList)1183 ErrCode EnterpriseDeviceMgrAbility::GetEnabledAdmin(AdminType type, std::vector<std::string> &enabledAdminList)
1184 {
1185 std::lock_guard<std::mutex> autoLock(mutexLock_);
1186 std::vector<std::string> superList;
1187 std::vector<std::string> normalList;
1188 switch (type) {
1189 case AdminType::NORMAL:
1190 adminMgr_->GetEnabledAdmin(AdminType::NORMAL, normalList, GetCurrentUserId());
1191 adminMgr_->GetEnabledAdmin(AdminType::ENT, superList, DEFAULT_USER_ID);
1192 break;
1193 case AdminType::ENT:
1194 adminMgr_->GetEnabledAdmin(AdminType::ENT, superList, DEFAULT_USER_ID);
1195 break;
1196 case AdminType::UNKNOWN:
1197 break;
1198 default:
1199 return ERR_EDM_PARAM_ERROR;
1200 }
1201 if (!superList.empty()) {
1202 enabledAdminList.insert(enabledAdminList.begin(), superList.begin(), superList.end());
1203 }
1204 if (!normalList.empty()) {
1205 enabledAdminList.insert(enabledAdminList.begin(), normalList.begin(), normalList.end());
1206 }
1207 for (const auto &enabledAdmin : enabledAdminList) {
1208 EDMLOGD("GetEnabledAdmin: %{public}s", enabledAdmin.c_str());
1209 }
1210 return ERR_OK;
1211 }
1212
GetEnterpriseInfo(AppExecFwk::ElementName & admin,MessageParcel & reply)1213 ErrCode EnterpriseDeviceMgrAbility::GetEnterpriseInfo(AppExecFwk::ElementName &admin, MessageParcel &reply)
1214 {
1215 std::lock_guard<std::mutex> autoLock(mutexLock_);
1216 EntInfo entInfo;
1217 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1218 ErrCode code = adminMgr_->GetEntInfo(admin.GetBundleName(), entInfo, userId);
1219 if (code != ERR_OK) {
1220 reply.WriteInt32(EdmReturnErrCode::ADMIN_INACTIVE);
1221 return EdmReturnErrCode::ADMIN_INACTIVE;
1222 }
1223 reply.WriteInt32(ERR_OK);
1224 entInfo.Marshalling(reply);
1225 EDMLOGD(
1226 "EnterpriseDeviceMgrAbility::GetEnterpriseInfo: entInfo->enterpriseName %{public}s, "
1227 "entInfo->description:%{public}s",
1228 entInfo.enterpriseName.c_str(), entInfo.description.c_str());
1229 return ERR_OK;
1230 }
1231
SetEnterpriseInfo(AppExecFwk::ElementName & admin,EntInfo & entInfo)1232 ErrCode EnterpriseDeviceMgrAbility::SetEnterpriseInfo(AppExecFwk::ElementName &admin, EntInfo &entInfo)
1233 {
1234 std::lock_guard<std::mutex> autoLock(mutexLock_);
1235 if (!GetAccessTokenMgr()->VerifyCallingPermission(PERMISSION_SET_ENTERPRISE_INFO)) {
1236 EDMLOGW("EnterpriseDeviceMgrAbility::SetEnterpriseInfo: check permission failed");
1237 return EdmReturnErrCode::PERMISSION_DENIED;
1238 }
1239 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1240 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), userId);
1241 if (adminItem == nullptr) {
1242 return EdmReturnErrCode::ADMIN_INACTIVE;
1243 }
1244 int32_t ret = CheckCallingUid(adminItem->adminInfo_.packageName_);
1245 if (ret != ERR_OK) {
1246 EDMLOGW("SetEnterpriseInfo: CheckCallingUid failed: %{public}d", ret);
1247 return EdmReturnErrCode::PERMISSION_DENIED;
1248 }
1249 ErrCode code = adminMgr_->SetEntInfo(admin.GetBundleName(), entInfo, userId);
1250 return (code != ERR_OK) ? EdmReturnErrCode::ADMIN_INACTIVE : ERR_OK;
1251 }
1252
HandleApplicationEvent(const std::vector<uint32_t> & events,bool subscribe)1253 ErrCode EnterpriseDeviceMgrAbility::HandleApplicationEvent(const std::vector<uint32_t> &events, bool subscribe)
1254 {
1255 bool shouldHandleAppState = std::any_of(events.begin(), events.end(), [](uint32_t event) {
1256 return event == static_cast<uint32_t>(ManagedEvent::APP_START) ||
1257 event == static_cast<uint32_t>(ManagedEvent::APP_STOP);
1258 });
1259 if (!shouldHandleAppState) {
1260 return ERR_OK;
1261 }
1262 if (subscribe) {
1263 return SubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1264 } else {
1265 return UnsubscribeAppState() ? ERR_OK : EdmReturnErrCode::SYSTEM_ABNORMALLY;
1266 }
1267 }
1268
SubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1269 ErrCode EnterpriseDeviceMgrAbility::SubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1270 const std::vector<uint32_t> &events)
1271 {
1272 std::lock_guard<std::mutex> autoLock(mutexLock_);
1273 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1274 RETURN_IF_FAILED(HandleApplicationEvent(events, true));
1275 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1276 adminMgr_->SaveSubscribeEvents(events, admin.GetBundleName(), userId);
1277 return ERR_OK;
1278 }
1279
UnsubscribeManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1280 ErrCode EnterpriseDeviceMgrAbility::UnsubscribeManagedEvent(const AppExecFwk::ElementName &admin,
1281 const std::vector<uint32_t> &events)
1282 {
1283 std::lock_guard<std::mutex> autoLock(mutexLock_);
1284 RETURN_IF_FAILED(VerifyManagedEvent(admin, events));
1285 int32_t userId = adminMgr_->IsSuperOrSubSuperAdmin(admin.GetBundleName()) ? DEFAULT_USER_ID : GetCurrentUserId();
1286 adminMgr_->RemoveSubscribeEvents(events, admin.GetBundleName(), userId);
1287 return HandleApplicationEvent(events, false);
1288 }
1289
VerifyManagedEvent(const AppExecFwk::ElementName & admin,const std::vector<uint32_t> & events)1290 ErrCode EnterpriseDeviceMgrAbility::VerifyManagedEvent(const AppExecFwk::ElementName &admin,
1291 const std::vector<uint32_t> &events)
1292 {
1293 if (!GetAccessTokenMgr()->VerifyCallingPermission(PERMISSION_ENTERPRISE_SUBSCRIBE_MANAGED_EVENT)) {
1294 EDMLOGW("EnterpriseDeviceMgrAbility::VerifyManagedEvent: check permission failed");
1295 return EdmReturnErrCode::PERMISSION_DENIED;
1296 }
1297 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1298 if (adminItem == nullptr) {
1299 return EdmReturnErrCode::ADMIN_INACTIVE;
1300 }
1301 int32_t ret = CheckCallingUid(adminItem->adminInfo_.packageName_);
1302 if (ret != ERR_OK) {
1303 EDMLOGW("VerifyManagedEvent: CheckCallingUid failed: %{public}d", ret);
1304 return EdmReturnErrCode::PERMISSION_DENIED;
1305 }
1306 if (events.empty()) {
1307 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1308 }
1309 auto iter =
1310 std::find_if(events.begin(), events.end(), [this](uint32_t event) { return !CheckManagedEvent(event); });
1311 if (iter != std::end(events)) {
1312 return EdmReturnErrCode::MANAGED_EVENTS_INVALID;
1313 }
1314 return ERR_OK;
1315 }
1316
CheckManagedEvent(uint32_t event)1317 bool EnterpriseDeviceMgrAbility::CheckManagedEvent(uint32_t event)
1318 {
1319 switch (event) {
1320 case static_cast<uint32_t>(ManagedEvent::BUNDLE_ADDED):
1321 case static_cast<uint32_t>(ManagedEvent::BUNDLE_REMOVED):
1322 case static_cast<uint32_t>(ManagedEvent::APP_START):
1323 case static_cast<uint32_t>(ManagedEvent::APP_STOP):
1324 case static_cast<uint32_t>(ManagedEvent::SYSTEM_UPDATE):
1325 break;
1326 default:
1327 return false;
1328 }
1329 return true;
1330 }
1331
AuthorizeAdmin(const AppExecFwk::ElementName & admin,const std::string & bundleName)1332 ErrCode EnterpriseDeviceMgrAbility::AuthorizeAdmin(const AppExecFwk::ElementName &admin, const std::string &bundleName)
1333 {
1334 std::lock_guard<std::mutex> autoLock(mutexLock_);
1335 if (!GetAccessTokenMgr()->VerifyCallingPermission(PERMISSION_MANAGE_ENTERPRISE_DEVICE_ADMIN)) {
1336 EDMLOGW("EnterpriseDeviceMgrAbility::AuthorizeAdmin: check permission failed");
1337 return EdmReturnErrCode::PERMISSION_DENIED;
1338 }
1339 std::shared_ptr<Admin> adminItem = adminMgr_->GetAdminByPkgName(admin.GetBundleName(), GetCurrentUserId());
1340 if (adminItem == nullptr) {
1341 EDMLOGW("EnterpriseDeviceMgrAbility::AuthorizeAdmin: not active admin.");
1342 return EdmReturnErrCode::ADMIN_INACTIVE;
1343 }
1344 if (adminItem->GetAdminType() != AdminType::ENT) {
1345 EDMLOGW("AuthorizeAdmin: Caller is not super admin.");
1346 return EdmReturnErrCode::ADMIN_EDM_PERMISSION_DENIED;
1347 }
1348 if (FAILED(CheckCallingUid(admin.GetBundleName()))) {
1349 EDMLOGW("AuthorizeAdmin: CheckCallingUid failed.");
1350 return EdmReturnErrCode::PERMISSION_DENIED;
1351 }
1352 /* Get all request and registered permissions */
1353 std::vector<std::string> permissionList;
1354 if (FAILED(GetAllPermissionsByAdmin(bundleName, permissionList, DEFAULT_USER_ID))) {
1355 EDMLOGW("AuthorizeAdmin: GetAllPermissionsByAdmin failed.");
1356 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1357 }
1358 if (FAILED(adminMgr_->SaveAuthorizedAdmin(bundleName, permissionList, admin.GetBundleName()))) {
1359 EDMLOGW("AuthorizeAdmin: SaveAuthorizedAdmin failed.");
1360 return EdmReturnErrCode::AUTHORIZE_PERMISSION_FAILED;
1361 }
1362 return ERR_OK;
1363 }
1364
GetSuperAdmin(MessageParcel & reply)1365 ErrCode EnterpriseDeviceMgrAbility::GetSuperAdmin(MessageParcel &reply)
1366 {
1367 std::lock_guard<std::mutex> autoLock(mutexLock_);
1368 auto superAdmin = adminMgr_->GetSuperAdmin();
1369 reply.WriteInt32(ERR_OK);
1370 if (superAdmin == nullptr) {
1371 reply.WriteString("");
1372 reply.WriteString("");
1373 } else {
1374 reply.WriteString(superAdmin->adminInfo_.packageName_);
1375 reply.WriteString(superAdmin->adminInfo_.className_);
1376 }
1377 return ERR_OK;
1378 }
1379 } // namespace EDM
1380 } // namespace OHOS