1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "os_account_manager_service.h"
16 #include <algorithm>
17 #include <cstddef>
18 #include "account_constants.h"
19 #include "account_info.h"
20 #include "account_log_wrapper.h"
21 #include "account_hisysevent_adapter.h"
22 #include "iinner_os_account_manager.h"
23 #include "ipc_skeleton.h"
24 #include "os_account_constants.h"
25
26 namespace OHOS {
27 namespace AccountSA {
28 namespace {
29 const std::string DUMP_TAB_CHARACTER = "\t";
30 const std::map<OsAccountType, std::string> DUMP_TYPE_MAP = {
31 {OsAccountType::ADMIN, "admin"},
32 {OsAccountType::NORMAL, "normal"},
33 {OsAccountType::GUEST, "guest"},
34 {OsAccountType::PRIVATE, "private"},
35 };
36 const std::string CONSTANT_CREATE = "constraint.os.account.create";
37 const std::string CONSTANT_CREATE_DIRECTLY = "constraint.os.account.create.directly";
38 const std::string CONSTANT_REMOVE = "constraint.os.account.remove";
39 const std::string CONSTANT_ACTIVATE = "constraint.os.account.activate";
40 const std::string CONSTANT_SET_ICON = "constraint.os.account.set.icon";
41 #ifndef IS_RELEASE_VERSION
42 const std::int32_t ROOT_UID = 0;
43 #endif
44 const std::string DEFAULT_ANON_STR = "**********";
45 const size_t INTERCEPT_HEAD_PART_LEN_FOR_NAME = 1;
46
47 const std::string MANAGE_LOCAL_ACCOUNTS = "ohos.permission.MANAGE_LOCAL_ACCOUNTS";
48 const std::string GET_LOCAL_ACCOUNTS = "ohos.permission.GET_LOCAL_ACCOUNTS";
49 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION =
50 "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
51 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
52 const std::string GET_DOMAIN_ACCOUNTS = "ohos.permission.GET_DOMAIN_ACCOUNTS";
53 const std::set<uint32_t> uidWhiteListForCreation { 3057 };
54 const std::int32_t EDM_UID = 3057;
55
AnonymizeNameStr(const std::string & nameStr)56 std::string AnonymizeNameStr(const std::string& nameStr)
57 {
58 if (nameStr.empty()) {
59 return nameStr;
60 }
61 std::string retStr = nameStr.substr(0, INTERCEPT_HEAD_PART_LEN_FOR_NAME) + DEFAULT_ANON_STR;
62 return retStr;
63 }
64
CheckLocalId(int localId)65 ErrCode CheckLocalId(int localId)
66 {
67 if (localId < 0) {
68 ACCOUNT_LOGE("id %{public}d is invalid", localId);
69 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
70 }
71 return ERR_OK;
72 }
73
IsTypeOutOfRange(const OsAccountType & type)74 bool IsTypeOutOfRange(const OsAccountType& type)
75 {
76 return (type < OsAccountType::ADMIN) || ((type > OsAccountType::GUEST) && (type < OsAccountType::PRIVATE)) ||
77 (type >= OsAccountType::END);
78 }
79 } // namespace
80
OsAccountManagerService()81 OsAccountManagerService::OsAccountManagerService() : innerManager_(IInnerOsAccountManager::GetInstance())
82 {}
83
~OsAccountManagerService()84 OsAccountManagerService::~OsAccountManagerService()
85 {}
86
CreateOsAccount(const std::string & name,const OsAccountType & type,OsAccountInfo & osAccountInfo)87 ErrCode OsAccountManagerService::CreateOsAccount(
88 const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)
89 {
90 ErrCode errCode = ValidateAccountCreateParamAndPermission(name, type);
91 if (errCode != ERR_OK) {
92 return errCode;
93 }
94 return innerManager_.CreateOsAccount(name, type, osAccountInfo);
95 }
96
CreateOsAccount(const std::string & localName,const std::string & shortName,const OsAccountType & type,OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)97 ErrCode OsAccountManagerService::CreateOsAccount(const std::string &localName, const std::string &shortName,
98 const OsAccountType &type, OsAccountInfo &osAccountInfo, const CreateOsAccountOptions &options)
99 {
100 ErrCode errCode = ValidateAccountCreateParamAndPermission(localName, type);
101 if (errCode != ERR_OK) {
102 return errCode;
103 }
104
105 if (options.hasShortName) {
106 errCode = innerManager_.ValidateShortName(shortName);
107 if (errCode != ERR_OK) {
108 return errCode;
109 }
110 }
111
112 return innerManager_.CreateOsAccount(localName, shortName, type, osAccountInfo, options);
113 }
114
ValidateAccountCreateParamAndPermission(const std::string & localName,const OsAccountType & type)115 ErrCode OsAccountManagerService::ValidateAccountCreateParamAndPermission(const std::string &localName,
116 const OsAccountType &type)
117 {
118 // permission check
119 if (!CheckCreateOsAccountWhiteList() &&
120 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY) ||
121 !PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE))) {
122 ACCOUNT_LOGE("account manager service, permission denied!");
123 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
124 }
125
126 bool isMultiOsAccountEnable = false;
127 IsMultiOsAccountEnable(isMultiOsAccountEnable);
128 if (!isMultiOsAccountEnable) {
129 ACCOUNT_LOGE("system is not multi os account enable error");
130 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
131 }
132
133 size_t localNameSize = localName.size();
134 if ((localNameSize == 0) || (localNameSize > Constants::LOCAL_NAME_MAX_SIZE)) {
135 ACCOUNT_LOGE("CreateOsAccount local name length %{public}zu is invalid!", localNameSize);
136 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
137 }
138
139 if (IsTypeOutOfRange(type)) {
140 ACCOUNT_LOGE("os account type is invalid");
141 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
142 }
143
144 bool isAllowedCreateAdmin = false;
145 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
146 if (errCode != ERR_OK) {
147 ACCOUNT_LOGE("query allowed create admin error");
148 return errCode;
149 }
150 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
151 ACCOUNT_LOGE("cannot create admin account error");
152 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
153 }
154 return ERR_OK;
155 }
156
CreateOsAccountWithFullInfo(OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)157 ErrCode OsAccountManagerService::CreateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo,
158 const CreateOsAccountOptions &options)
159 {
160 bool isMultiOsAccountEnable = false;
161 innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
162 if (!isMultiOsAccountEnable) {
163 ACCOUNT_LOGE("system is not multi os account enable error");
164 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
165 }
166
167 if ((!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) ||
168 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY))) {
169 ACCOUNT_LOGE("account manager service, permission denied!");
170 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
171 }
172
173 bool isAllowedCreateAdmin = false;
174 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
175 if (errCode != ERR_OK) {
176 ACCOUNT_LOGE("query allowed create admin error");
177 return errCode;
178 }
179 if (!isAllowedCreateAdmin && (osAccountInfo.GetType() == OsAccountType::ADMIN)) {
180 ACCOUNT_LOGE("cannot create admin account error");
181 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
182 }
183
184 return innerManager_.CreateOsAccountWithFullInfo(osAccountInfo, options);
185 }
186
UpdateOsAccountWithFullInfo(OsAccountInfo & osAccountInfo)187 ErrCode OsAccountManagerService::UpdateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo)
188 {
189 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
190 ACCOUNT_LOGE("account manager service, permission denied!");
191 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
192 }
193
194 bool isAllowedCreateAdmin = false;
195 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
196 if (errCode != ERR_OK) {
197 ACCOUNT_LOGE("query allowed update admin error");
198 return errCode;
199 }
200 if (!isAllowedCreateAdmin && osAccountInfo.GetType() == OsAccountType::ADMIN) {
201 ACCOUNT_LOGE("cannot update admin account error");
202 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
203 }
204
205 return innerManager_.UpdateOsAccountWithFullInfo(osAccountInfo);
206 }
207
CreateOsAccountForDomain(const OsAccountType & type,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback,const CreateOsAccountForDomainOptions & options)208 ErrCode OsAccountManagerService::CreateOsAccountForDomain(const OsAccountType &type,
209 const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback,
210 const CreateOsAccountForDomainOptions &options)
211 {
212 ACCOUNT_LOGI("start");
213 // permission check
214 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) {
215 ACCOUNT_LOGE("account manager service, permission denied!");
216 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
217 }
218
219 // parameters check
220 if (IsTypeOutOfRange(type)) {
221 ACCOUNT_LOGE("os account type is invalid");
222 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
223 }
224 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
225 ACCOUNT_LOGE("Domain account name is empty or domain is empty");
226 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
227 }
228 if (domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE ||
229 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
230 ACCOUNT_LOGE("Domain account name is overlength or domain is overlength");
231 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
232 }
233
234 if (options.hasShortName || (options.shortName != "")) {
235 ErrCode code = innerManager_.ValidateShortName(options.shortName);
236 if (code != ERR_OK) {
237 ACCOUNT_LOGE("Failed to create os account for domain, shortName=%{public}s is invalid!",
238 options.shortName.c_str());
239 return code;
240 }
241 }
242
243 bool isAllowedCreateAdmin = false;
244 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
245 if (errCode != ERR_OK) {
246 ACCOUNT_LOGE("Failed to get allowed create admin permission, code=%{public}d.", errCode);
247 return errCode;
248 }
249 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
250 ACCOUNT_LOGE("Do not allowed create admin.");
251 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
252 }
253 return innerManager_.CreateOsAccountForDomain(type, domainInfo, callback, options);
254 }
255
RemoveOsAccount(const int id)256 ErrCode OsAccountManagerService::RemoveOsAccount(const int id)
257 {
258 // parameters check
259 ErrCode res = CheckLocalId(id);
260 if (res != ERR_OK) {
261 return res;
262 }
263 if ((id == Constants::START_USER_ID) || (id == Constants::ADMIN_LOCAL_ID)) {
264 ACCOUNT_LOGE("cannot remove system preinstalled user");
265 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
266 }
267 // permission check
268 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_REMOVE)) {
269 ACCOUNT_LOGE("account manager service, permission denied!");
270 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
271 }
272
273 return innerManager_.RemoveOsAccount(id);
274 }
275
IsOsAccountExists(const int id,bool & isOsAccountExists)276 ErrCode OsAccountManagerService::IsOsAccountExists(const int id, bool &isOsAccountExists)
277 {
278 return innerManager_.IsOsAccountExists(id, isOsAccountExists);
279 }
280
IsOsAccountActived(const int id,bool & isOsAccountActived)281 ErrCode OsAccountManagerService::IsOsAccountActived(const int id, bool &isOsAccountActived)
282 {
283 // check current account state
284 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
285 if (callerUserId == id) {
286 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
287 }
288
289 // check other account state, check permission first
290 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
291 ACCOUNT_LOGE("account manager service, permission denied!");
292 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
293 }
294
295 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
296 }
297
IsOsAccountConstraintEnable(const int id,const std::string & constraint,bool & isConstraintEnable)298 ErrCode OsAccountManagerService::IsOsAccountConstraintEnable(
299 const int id, const std::string &constraint, bool &isConstraintEnable)
300 {
301 ErrCode res = CheckLocalId(id);
302 if (res != ERR_OK) {
303 return res;
304 }
305 // permission check
306 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
307 ACCOUNT_LOGE("account manager service, permission denied!");
308 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
309 }
310
311 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isConstraintEnable);
312 }
313
CheckOsAccountConstraintEnabled(const int id,const std::string & constraint,bool & isEnabled)314 ErrCode OsAccountManagerService::CheckOsAccountConstraintEnabled(
315 const int id, const std::string &constraint, bool &isEnabled)
316 {
317 ErrCode res = CheckLocalId(id);
318 if (res != ERR_OK) {
319 return res;
320 }
321
322 // check current account state
323 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
324 if (callerUserId == id) {
325 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
326 }
327
328 // permission check
329 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
330 ACCOUNT_LOGE("account manager service, permission denied!");
331 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
332 }
333
334 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
335 }
336
IsOsAccountVerified(const int id,bool & isVerified)337 ErrCode OsAccountManagerService::IsOsAccountVerified(const int id, bool &isVerified)
338 {
339 ErrCode res = CheckLocalId(id);
340 if (res != ERR_OK) {
341 return res;
342 }
343 // check current account state
344 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
345 if (callerUserId == id) {
346 return innerManager_.IsOsAccountVerified(id, isVerified);
347 }
348
349 // check other account state, check permission first
350 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
351 ACCOUNT_LOGE("account manager service, permission denied!");
352 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
353 }
354
355 return innerManager_.IsOsAccountVerified(id, isVerified);
356 }
357
IsOsAccountDeactivating(const int id,bool & isDeactivating)358 ErrCode OsAccountManagerService::IsOsAccountDeactivating(const int id, bool &isDeactivating)
359 {
360 ErrCode res = CheckLocalId(id);
361 if (res != ERR_OK) {
362 return res;
363 }
364 // check current account state
365 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
366 if (callerUserId == id) {
367 return innerManager_.IsOsAccountDeactivating(id, isDeactivating);
368 }
369
370 // check other account state, check permission first
371 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
372 ACCOUNT_LOGE("Account manager service, permission denied!");
373 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
374 }
375
376 return innerManager_.IsOsAccountDeactivating(id, isDeactivating);
377 }
378
GetCreatedOsAccountsCount(unsigned int & osAccountsCount)379 ErrCode OsAccountManagerService::GetCreatedOsAccountsCount(unsigned int &osAccountsCount)
380 {
381 // permission check
382 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
383 ACCOUNT_LOGE("account manager service, permission denied!");
384 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
385 }
386
387 return innerManager_.GetCreatedOsAccountsCount(osAccountsCount);
388 }
389
GetOsAccountLocalIdFromProcess(int & id)390 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromProcess(int &id)
391 {
392 const std::int32_t uid = IPCSkeleton::GetCallingUid();
393 id = uid / UID_TRANSFORM_DIVISOR;
394 return ERR_OK;
395 }
396
IsMainOsAccount(bool & isMainOsAccount)397 ErrCode OsAccountManagerService::IsMainOsAccount(bool &isMainOsAccount)
398 {
399 // permission check
400 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
401 ACCOUNT_LOGW("account manager service, permission denied!");
402 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
403 }
404
405 const std::int32_t uid = IPCSkeleton::GetCallingUid();
406 isMainOsAccount = ((uid / UID_TRANSFORM_DIVISOR) == MAIN_OS_ACCOUNT_LOCAL_ID);
407 return ERR_OK;
408 }
409
GetOsAccountLocalIdFromDomain(const DomainAccountInfo & domainInfo,int & id)410 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)
411 {
412 if (domainInfo.domain_.empty() || domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
413 ACCOUNT_LOGE("domain name length invalid. length %{public}zu.", domainInfo.domain_.size());
414 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
415 }
416
417 if (domainInfo.accountName_.empty() || domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE) {
418 ACCOUNT_LOGE("accountName length invalid. length %{public}zu.", domainInfo.accountName_.size());
419 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
420 }
421 // permission check
422 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
423 ACCOUNT_LOGE("account manager service, permission denied!");
424 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
425 }
426
427 return innerManager_.GetOsAccountLocalIdFromDomain(domainInfo, id);
428 }
429
QueryMaxOsAccountNumber(uint32_t & maxOsAccountNumber)430 ErrCode OsAccountManagerService::QueryMaxOsAccountNumber(uint32_t &maxOsAccountNumber)
431 {
432 return innerManager_.QueryMaxOsAccountNumber(maxOsAccountNumber);
433 }
434
QueryMaxLoggedInOsAccountNumber(uint32_t & maxNum)435 ErrCode OsAccountManagerService::QueryMaxLoggedInOsAccountNumber(uint32_t &maxNum)
436 {
437 return innerManager_.QueryMaxLoggedInOsAccountNumber(maxNum);
438 }
439
GetOsAccountAllConstraints(const int id,std::vector<std::string> & constraints)440 ErrCode OsAccountManagerService::GetOsAccountAllConstraints(const int id, std::vector<std::string> &constraints)
441 {
442 // permission check
443 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
444 ACCOUNT_LOGE("account manager service, permission denied!");
445 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
446 }
447
448 return innerManager_.GetOsAccountAllConstraints(id, constraints);
449 }
450
QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> & osAccountInfos)451 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)
452 {
453 // permission check
454 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
455 ACCOUNT_LOGE("account manager service, permission denied!");
456 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
457 }
458
459 return innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
460 }
461
QueryCurrentOsAccount(OsAccountInfo & osAccountInfo)462 ErrCode OsAccountManagerService::QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)
463 {
464 // permission check
465 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && (!PermissionCheck(GET_LOCAL_ACCOUNTS, ""))) {
466 ACCOUNT_LOGE("account manager service, permission denied!");
467 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
468 }
469
470 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
471 return innerManager_.QueryOsAccountById(id, osAccountInfo);
472 }
473
QueryOsAccountById(const int id,OsAccountInfo & osAccountInfo)474 ErrCode OsAccountManagerService::QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)
475 {
476 // parameters check
477 ErrCode res = CheckLocalId(id);
478 if (res != ERR_OK) {
479 return res;
480 }
481 // permission check
482 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") &&
483 !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
484 ACCOUNT_LOGE("account manager service, permission denied!");
485 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
486 }
487
488 return innerManager_.QueryOsAccountById(id, osAccountInfo);
489 }
490
GetOsAccountTypeFromProcess(OsAccountType & type)491 ErrCode OsAccountManagerService::GetOsAccountTypeFromProcess(OsAccountType &type)
492 {
493 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
494 return innerManager_.GetOsAccountType(id, type);
495 }
496
GetOsAccountType(const int id,OsAccountType & type)497 ErrCode OsAccountManagerService::GetOsAccountType(const int id, OsAccountType& type)
498 {
499 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
500 ACCOUNT_LOGE("Check permission failed.");
501 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
502 }
503 return innerManager_.GetOsAccountType(id, type);
504 }
505
GetOsAccountProfilePhoto(const int id,std::string & photo)506 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(const int id, std::string &photo)
507 {
508 ErrCode result = CheckLocalId(id);
509 if (result != ERR_OK) {
510 return result;
511 }
512 // get current account photo
513 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
514 if (callerUserId == id) {
515 return innerManager_.GetOsAccountProfilePhoto(id, photo);
516 }
517
518 // get other account photo, check permission first
519 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
520 ACCOUNT_LOGE("account manager service, permission denied!");
521 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
522 }
523
524 return innerManager_.GetOsAccountProfilePhoto(id, photo);
525 }
526
IsMultiOsAccountEnable(bool & isMultiOsAccountEnable)527 ErrCode OsAccountManagerService::IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)
528 {
529 return innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
530 }
531
SetOsAccountName(const int id,const std::string & name)532 ErrCode OsAccountManagerService::SetOsAccountName(const int id, const std::string &name)
533 {
534 // parameters check
535 ErrCode res = CheckLocalId(id);
536 if (res != ERR_OK) {
537 return res;
538 }
539 if (id == Constants::ADMIN_LOCAL_ID) {
540 ACCOUNT_LOGE("cannot set name for system preinstalled user");
541 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
542 }
543 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
544 ACCOUNT_LOGE("set os account name is out of allowed size");
545 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
546 }
547 if (name.size() <= 0) {
548 ACCOUNT_LOGE("os account name is empty");
549 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
550 }
551
552 // permission check
553 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
554 ACCOUNT_LOGE("account manager service, permission denied!");
555 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
556 }
557
558 return innerManager_.SetOsAccountName(id, name);
559 }
560
SetOsAccountConstraints(const int id,const std::vector<std::string> & constraints,const bool enable)561 ErrCode OsAccountManagerService::SetOsAccountConstraints(
562 const int id, const std::vector<std::string> &constraints, const bool enable)
563 {
564 ErrCode res = CheckLocalId(id);
565 if (res != ERR_OK) {
566 return res;
567 }
568 if (id == Constants::ADMIN_LOCAL_ID) {
569 ACCOUNT_LOGE("cannot set constraints for system preinstalled user");
570 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
571 }
572 // permission check
573 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
574 ACCOUNT_LOGE("account manager service, permission denied!");
575 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
576 }
577
578 return innerManager_.SetBaseOsAccountConstraints(id, constraints, enable);
579 }
580
SetOsAccountProfilePhoto(const int id,const std::string & photo)581 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(const int id, const std::string &photo)
582 {
583 // parameters check
584 ErrCode res = CheckLocalId(id);
585 if (res != ERR_OK) {
586 return res;
587 }
588 if (id == Constants::ADMIN_LOCAL_ID) {
589 ACCOUNT_LOGE("cannot set photo for system preinstalled user");
590 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
591 }
592 if (photo.size() > Constants::LOCAL_PHOTO_MAX_SIZE) {
593 ACCOUNT_LOGE("photo out of allowed size");
594 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
595 }
596 if (photo.empty()) {
597 ACCOUNT_LOGE("photo is empty");
598 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
599 }
600 // permission check
601 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_SET_ICON)) {
602 ACCOUNT_LOGE("account manager service, permission denied!");
603 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
604 }
605
606 return innerManager_.SetOsAccountProfilePhoto(id, photo);
607 }
608
ActivateOsAccount(const int id)609 ErrCode OsAccountManagerService::ActivateOsAccount(const int id)
610 {
611 // parameters check
612 ErrCode res = CheckLocalId(id);
613 if (res != ERR_OK) {
614 return res;
615 }
616 if (id == Constants::ADMIN_LOCAL_ID) {
617 ACCOUNT_LOGE("cannot activate name for system preinstalled user");
618 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
619 }
620 // permission check
621 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, CONSTANT_ACTIVATE)) {
622 ACCOUNT_LOGE("account manager service, permission denied!");
623 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
624 }
625
626 return innerManager_.ActivateOsAccount(id);
627 }
628
DeactivateOsAccount(const int id)629 ErrCode OsAccountManagerService::DeactivateOsAccount(const int id)
630 {
631 // parameters check
632 ErrCode res = CheckLocalId(id);
633 if (res != ERR_OK) {
634 return res;
635 }
636 if (id == Constants::ADMIN_LOCAL_ID) {
637 ACCOUNT_LOGE("cannot deactivate name for system preinstalled user");
638 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
639 }
640 // permission check
641 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
642 ACCOUNT_LOGE("account manager service, permission denied!");
643 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
644 }
645 int32_t currentId = Constants::START_USER_ID;
646 GetCurrentLocalId(currentId);
647
648 #ifndef SUPPORT_STOP_MAIN_OS_ACCOUNT
649 if (id == Constants::START_USER_ID) {
650 ACCOUNT_LOGW("the %{public}d os account can't stop", id);
651 return ERR_OSACCOUNT_SERVICE_INNER_ACCOUNT_STOP_ACTIVE_ERROR;
652 }
653 #endif // SUPPORT_STOP_OS_ACCOUNT
654
655 res = innerManager_.DeactivateOsAccount(id);
656
657 if (currentId == id) { // if stop current account
658 #ifdef SUPPORT_STOP_MAIN_OS_ACCOUNT
659 innerManager_.ActivateOsAccount(id, false);
660 #else
661 innerManager_.ActivateOsAccount(Constants::START_USER_ID, false);
662 #endif // SUPPORT_STOP_MAIN_OS_ACCOUNT
663 }
664 return res;
665 }
666
DeactivateAllOsAccounts()667 ErrCode OsAccountManagerService::DeactivateAllOsAccounts()
668 {
669 // permission check
670 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
671 ACCOUNT_LOGE("Permission check failed.");
672 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
673 }
674
675 std::vector<int32_t> userIds;
676 ErrCode res = innerManager_.QueryActiveOsAccountIds(userIds);
677 if (res != ERR_OK) {
678 ACCOUNT_LOGE("Get activated os account ids failed.");
679 return res;
680 }
681 if (userIds.empty()) {
682 ACCOUNT_LOGI("Activated os account list is empty.");
683 return ERR_OK;
684 }
685 ErrCode result = ERR_OK;
686 for (auto osAccountId : userIds) {
687 ACCOUNT_LOGI("DeactivateAllOsAccounts, id=%{public}d", osAccountId);
688 res = innerManager_.DeactivateOsAccount(osAccountId);
689 if (res != ERR_OK) {
690 ACCOUNT_LOGE("Deactivate os account id failed, id=%{public}d", osAccountId);
691 result = res;
692 }
693 }
694 return result;
695 }
696
GetCurrentLocalId(int32_t & userId)697 void OsAccountManagerService::GetCurrentLocalId(int32_t &userId)
698 {
699 std::vector<int32_t> userIds;
700 if ((innerManager_.QueryActiveOsAccountIds(userIds) != ERR_OK) || userIds.empty()) {
701 ACCOUNT_LOGE("fail to get activated os account ids");
702 return;
703 }
704 userId = userIds[0];
705 return;
706 }
707
StartOsAccount(const int id)708 ErrCode OsAccountManagerService::StartOsAccount(const int id)
709 {
710 return innerManager_.StartOsAccount(id);
711 }
712
SubscribeOsAccount(const OsAccountSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)713 ErrCode OsAccountManagerService::SubscribeOsAccount(
714 const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)
715 {
716 // permission check
717 OS_ACCOUNT_SUBSCRIBE_TYPE osAccountSubscribeType;
718 subscribeInfo.GetOsAccountSubscribeType(osAccountSubscribeType);
719 if (osAccountSubscribeType == SWITCHED || osAccountSubscribeType == SWITCHING) {
720 if (!(PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") ||
721 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
722 ACCOUNT_LOGE("account manager service, permission denied!");
723 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
724 }
725 } else {
726 if (!(PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "") ||
727 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
728 ACCOUNT_LOGE("account manager service, permission denied!");
729 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
730 }
731 }
732
733 auto osSubscribeInfo = innerManager_.GetSubscribeRecordInfo(eventListener);
734 if (osSubscribeInfo != nullptr) {
735 std::string name;
736 osSubscribeInfo->GetName(name);
737 ACCOUNT_LOGI("Event listener %{public}s already exists.", name.c_str());
738 return ERR_OK;
739 }
740
741 return innerManager_.SubscribeOsAccount(subscribeInfo, eventListener);
742 }
743
UnsubscribeOsAccount(const sptr<IRemoteObject> & eventListener)744 ErrCode OsAccountManagerService::UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)
745 {
746 // permission check
747 auto osSubscribeInfo = innerManager_.GetSubscribeRecordInfo(eventListener);
748 if (osSubscribeInfo == nullptr) {
749 ACCOUNT_LOGI("Event listener is not exist.");
750 return ERR_OK;
751 }
752 OS_ACCOUNT_SUBSCRIBE_TYPE osAccountSubscribeType;
753 osSubscribeInfo->GetOsAccountSubscribeType(osAccountSubscribeType);
754 if (osAccountSubscribeType == SWITCHED || osAccountSubscribeType == SWITCHING) {
755 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
756 ACCOUNT_LOGE("account manager service, permission denied!");
757 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
758 }
759 } else {
760 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
761 ACCOUNT_LOGE("account manager service, permission denied!");
762 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
763 }
764 }
765
766 return innerManager_.UnsubscribeOsAccount(eventListener);
767 }
768
GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber,int & id)769 ErrCode OsAccountManagerService::GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)
770 {
771 return innerManager_.GetOsAccountLocalIdBySerialNumber(serialNumber, id);
772 }
773
GetSerialNumberByOsAccountLocalId(const int & id,int64_t & serialNumber)774 ErrCode OsAccountManagerService::GetSerialNumberByOsAccountLocalId(const int &id, int64_t &serialNumber)
775 {
776 return innerManager_.GetSerialNumberByOsAccountLocalId(id, serialNumber);
777 }
778
GetOsAccountSwitchMod()779 OS_ACCOUNT_SWITCH_MOD OsAccountManagerService::GetOsAccountSwitchMod()
780 {
781 return innerManager_.GetOsAccountSwitchMod();
782 }
783
IsCurrentOsAccountVerified(bool & isVerified)784 ErrCode OsAccountManagerService::IsCurrentOsAccountVerified(bool &isVerified)
785 {
786 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
787 return innerManager_.IsOsAccountVerified(id, isVerified);
788 }
789
IsOsAccountCompleted(const int id,bool & isOsAccountCompleted)790 ErrCode OsAccountManagerService::IsOsAccountCompleted(const int id, bool &isOsAccountCompleted)
791 {
792 return innerManager_.IsOsAccountCompleted(id, isOsAccountCompleted);
793 }
794
SetCurrentOsAccountIsVerified(const bool isVerified)795 ErrCode OsAccountManagerService::SetCurrentOsAccountIsVerified(const bool isVerified)
796 {
797 // permission check
798 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
799 ACCOUNT_LOGE("account manager service, permission denied!");
800 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
801 }
802
803 // parameters check
804 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
805 ErrCode res = CheckLocalId(id);
806 if (res != ERR_OK) {
807 return res;
808 }
809 if (id == Constants::ADMIN_LOCAL_ID) {
810 ACCOUNT_LOGE("Cannot set verified status for system preinstalled user");
811 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
812 }
813 return innerManager_.SetOsAccountIsVerified(id, isVerified);
814 }
815
SetOsAccountIsVerified(const int id,const bool isVerified)816 ErrCode OsAccountManagerService::SetOsAccountIsVerified(const int id, const bool isVerified)
817 {
818 // parameters check
819 ErrCode res = CheckLocalId(id);
820 if (res != ERR_OK) {
821 return res;
822 }
823 if (id == Constants::ADMIN_LOCAL_ID) {
824 ACCOUNT_LOGE("Cannot set verified status for system preinstalled user");
825 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
826 }
827 // permission check
828 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
829 ACCOUNT_LOGE("account manager service, permission denied!");
830 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
831 }
832
833 return innerManager_.SetOsAccountIsVerified(id, isVerified);
834 }
835
DumpState(const int & id,std::vector<std::string> & state)836 ErrCode OsAccountManagerService::DumpState(const int &id, std::vector<std::string> &state)
837 {
838 state.clear();
839
840 // permission check
841 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
842 ACCOUNT_LOGE("account manager service, permission denied!");
843 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
844 }
845
846 ErrCode result = ERR_OK;
847 std::vector<OsAccountInfo> osAccountInfos;
848
849 if (id == -1) {
850 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
851 if (result != ERR_OK) {
852 return result;
853 }
854 } else {
855 OsAccountInfo osAccountInfo;
856 result = innerManager_.QueryOsAccountById(id, osAccountInfo);
857 if (result != ERR_OK) {
858 return result;
859 }
860
861 osAccountInfos.emplace_back(osAccountInfo);
862 }
863
864 return DumpStateByAccounts(osAccountInfos, state);
865 }
866
DumpOsAccountInfo(std::vector<std::string> & state)867 ErrCode OsAccountManagerService::DumpOsAccountInfo(std::vector<std::string> &state)
868 {
869 state.clear();
870
871 ErrCode result = ERR_OK;
872 std::vector<OsAccountInfo> osAccountInfos;
873 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
874 if (result != ERR_OK) {
875 return result;
876 }
877
878 return DumpStateByAccounts(osAccountInfos, state);
879 }
880
GetCreatedOsAccountNumFromDatabase(const std::string & storeID,int & createdOsAccountNum)881 ErrCode OsAccountManagerService::GetCreatedOsAccountNumFromDatabase(const std::string& storeID,
882 int &createdOsAccountNum)
883 {
884 // permission check
885 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
886 ACCOUNT_LOGE("account manager service, permission denied!");
887 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
888 }
889
890 return innerManager_.GetCreatedOsAccountNumFromDatabase(storeID, createdOsAccountNum);
891 }
892
GetSerialNumberFromDatabase(const std::string & storeID,int64_t & serialNumber)893 ErrCode OsAccountManagerService::GetSerialNumberFromDatabase(const std::string& storeID,
894 int64_t &serialNumber)
895 {
896 return innerManager_.GetSerialNumberFromDatabase(storeID, serialNumber);
897 }
898
GetMaxAllowCreateIdFromDatabase(const std::string & storeID,int & id)899 ErrCode OsAccountManagerService::GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)
900 {
901 return innerManager_.GetMaxAllowCreateIdFromDatabase(storeID, id);
902 }
903
GetOsAccountFromDatabase(const std::string & storeID,const int id,OsAccountInfo & osAccountInfo)904 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
905 const int id, OsAccountInfo &osAccountInfo)
906 {
907 // permission check
908 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
909 ACCOUNT_LOGE("account manager service, permission denied!");
910 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
911 }
912
913 return innerManager_.GetOsAccountFromDatabase(storeID, id, osAccountInfo);
914 }
915
GetOsAccountListFromDatabase(const std::string & storeID,std::vector<OsAccountInfo> & osAccountList)916 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
917 std::vector<OsAccountInfo> &osAccountList)
918 {
919 // permission check
920 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
921 ACCOUNT_LOGE("account manager service, permission denied!");
922 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
923 }
924
925 return innerManager_.GetOsAccountListFromDatabase(storeID, osAccountList);
926 }
927
DumpStateByAccounts(const std::vector<OsAccountInfo> & osAccountInfos,std::vector<std::string> & state)928 ErrCode OsAccountManagerService::DumpStateByAccounts(
929 const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)
930 {
931 ACCOUNT_LOGD("enter");
932 for (auto osAccountInfo : osAccountInfos) {
933 std::string info = "";
934
935 std::string localId = std::to_string(osAccountInfo.GetLocalId());
936 state.emplace_back("ID: " + localId);
937
938 std::string localName = osAccountInfo.GetLocalName();
939 state.emplace_back(DUMP_TAB_CHARACTER + "Name: " + AnonymizeNameStr(localName));
940
941 std::string type = "";
942 auto it = DUMP_TYPE_MAP.find(osAccountInfo.GetType());
943 if (it != DUMP_TYPE_MAP.end()) {
944 type = it->second;
945 } else {
946 type = "unknown";
947 }
948 state.emplace_back(DUMP_TAB_CHARACTER + "Type: " + type);
949 state.emplace_back(DUMP_TAB_CHARACTER + "Status: " +
950 (osAccountInfo.GetIsActived() ? "active" : "inactive"));
951 state.emplace_back(DUMP_TAB_CHARACTER + "isForeground: " + std::to_string(osAccountInfo.GetIsForeground()));
952 state.emplace_back(DUMP_TAB_CHARACTER + "dispalyId: " + std::to_string(osAccountInfo.GetDisplayId()));
953
954 state.emplace_back(DUMP_TAB_CHARACTER + "Constraints:");
955 auto constraints = osAccountInfo.GetConstraints();
956 std::transform(constraints.begin(), constraints.end(), std::back_inserter(state),
957 [](auto constraint) {return DUMP_TAB_CHARACTER + DUMP_TAB_CHARACTER + constraint; });
958
959 state.emplace_back(DUMP_TAB_CHARACTER + "Verified: " +
960 (osAccountInfo.GetIsVerified() ? "true" : "false"));
961
962 int64_t serialNumber = osAccountInfo.GetSerialNumber();
963 state.emplace_back(DUMP_TAB_CHARACTER + "Serial Number: " + std::to_string(serialNumber));
964 state.emplace_back(DUMP_TAB_CHARACTER + "Create Completed: " +
965 (osAccountInfo.GetIsCreateCompleted() ? "true" : "false"));
966 state.emplace_back(DUMP_TAB_CHARACTER + "To Be Removed: " +
967 (osAccountInfo.GetToBeRemoved() ? "true" : "false"));
968 state.emplace_back("\n");
969 }
970
971 return ERR_OK;
972 }
973
QueryActiveOsAccountIds(std::vector<int32_t> & ids)974 ErrCode OsAccountManagerService::QueryActiveOsAccountIds(std::vector<int32_t>& ids)
975 {
976 return innerManager_.QueryActiveOsAccountIds(ids);
977 }
978
QueryOsAccountConstraintSourceTypes(const int32_t id,const std::string & constraint,std::vector<ConstraintSourceTypeInfo> & constraintSourceTypeInfos)979 ErrCode OsAccountManagerService::QueryOsAccountConstraintSourceTypes(const int32_t id,
980 const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)
981 {
982 // parameters check
983 ErrCode res = CheckLocalId(id);
984 if (res != ERR_OK) {
985 return res;
986 }
987 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
988 ACCOUNT_LOGE("constraint length is invalid. length %{public}zu.", constraint.size());
989 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
990 }
991
992 // permission check
993 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
994 ACCOUNT_LOGE("account manager service, permission denied!");
995 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
996 }
997
998 return innerManager_.QueryOsAccountConstraintSourceTypes(id, constraint, constraintSourceTypeInfos);
999 }
1000
SetGlobalOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t enforcerId,const bool isDeviceOwner)1001 ErrCode OsAccountManagerService::SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints,
1002 const bool enable, const int32_t enforcerId, const bool isDeviceOwner)
1003 {
1004 // permission check
1005 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1006 ACCOUNT_LOGE("account manager service, permission denied!");
1007 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1008 }
1009
1010 return innerManager_.SetGlobalOsAccountConstraints(constraints, enable, enforcerId, isDeviceOwner);
1011 }
1012
ContainsAnyConstraint(const std::vector<std::string> & constraints,const std::vector<std::string> & constraintList)1013 static bool ContainsAnyConstraint(const std::vector<std::string> &constraints,
1014 const std::vector<std::string> &constraintList)
1015 {
1016 for (const auto &constraint : constraintList) {
1017 if (std::find(constraints.begin(), constraints.end(), constraint) != constraints.end()) {
1018 return true;
1019 }
1020 }
1021 return false;
1022 }
1023
SetSpecificOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t targetId,const int32_t enforcerId,const bool isDeviceOwner)1024 ErrCode OsAccountManagerService::SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints,
1025 const bool enable, const int32_t targetId, const int32_t enforcerId, const bool isDeviceOwner)
1026 {
1027 // check EDM uid
1028 int32_t callingUid = IPCSkeleton::GetCallingUid();
1029 std::vector<std::string> createConstraintList = {CONSTANT_CREATE, CONSTANT_CREATE_DIRECTLY};
1030 if (ContainsAnyConstraint(constraints, createConstraintList) && callingUid != EDM_UID) {
1031 ACCOUNT_LOGE("Permission denied, callingUid=%{public}d.", callingUid);
1032 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1033 }
1034
1035 // permission check
1036 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1037 ACCOUNT_LOGE("account manager service, permission denied!");
1038 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1039 }
1040
1041 // parameters check
1042 if (targetId < Constants::START_USER_ID || enforcerId < Constants::START_USER_ID) {
1043 ACCOUNT_LOGE("invalid input account id %{public}d or %{public}d.", targetId, enforcerId);
1044 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
1045 }
1046
1047 return innerManager_.SetSpecificOsAccountConstraints(constraints, enable, targetId, enforcerId, isDeviceOwner);
1048 }
1049
SetDefaultActivatedOsAccount(const int32_t id)1050 ErrCode OsAccountManagerService::SetDefaultActivatedOsAccount(const int32_t id)
1051 {
1052 // parameters check
1053 ErrCode ret = CheckLocalId(id);
1054 if (ret != ERR_OK) {
1055 return ret;
1056 }
1057
1058 // permission check
1059 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1060 ACCOUNT_LOGE("account manager service, permission denied!");
1061 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1062 }
1063
1064 return innerManager_.SetDefaultActivatedOsAccount(id);
1065 }
1066
GetDefaultActivatedOsAccount(int32_t & id)1067 ErrCode OsAccountManagerService::GetDefaultActivatedOsAccount(int32_t &id)
1068 {
1069 return innerManager_.GetDefaultActivatedOsAccount(id);
1070 }
1071
GetOsAccountShortNameCommon(const int32_t id,std::string & shortName)1072 ErrCode OsAccountManagerService::GetOsAccountShortNameCommon(const int32_t id, std::string &shortName)
1073 {
1074 ErrCode errCode = innerManager_.GetOsAccountShortName(id, shortName);
1075 if (errCode != ERR_OK) {
1076 ACCOUNT_LOGE("GetOsAccountShortName error %{public}d", errCode);
1077 return errCode;
1078 }
1079 return ERR_OK;
1080 }
1081
GetOsAccountShortName(std::string & shortName)1082 ErrCode OsAccountManagerService::GetOsAccountShortName(std::string &shortName)
1083 {
1084 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1085 return GetOsAccountShortNameCommon(id, shortName);
1086 }
1087
GetOsAccountName(std::string & name)1088 ErrCode OsAccountManagerService::GetOsAccountName(std::string &name)
1089 {
1090 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1091 ErrCode errCode = innerManager_.GetOsAccountName(id, name);
1092 if (errCode != ERR_OK) {
1093 ACCOUNT_LOGE("Failed get account name, errCode=%{public}d, uid=%{public}d", errCode,
1094 IPCSkeleton::GetCallingUid());
1095 return errCode;
1096 }
1097 return ERR_OK;
1098 }
1099
GetOsAccountShortNameById(const int32_t id,std::string & shortName)1100 ErrCode OsAccountManagerService::GetOsAccountShortNameById(const int32_t id, std::string &shortName)
1101 {
1102 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
1103 ACCOUNT_LOGE("Check permission failed, please check your permission.");
1104 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1105 }
1106 return GetOsAccountShortNameCommon(id, shortName);
1107 }
1108
PermissionCheck(const std::string & permissionName,const std::string & constraintName)1109 bool OsAccountManagerService::PermissionCheck(const std::string& permissionName, const std::string& constraintName)
1110 {
1111 int callerUid = IPCSkeleton::GetCallingUid();
1112 #ifndef IS_RELEASE_VERSION
1113 // root check in none release version for test
1114 if (callerUid == ROOT_UID) {
1115 return true;
1116 }
1117 #endif
1118
1119 // constraints check
1120 if (!constraintName.empty()) {
1121 int callerUserId = callerUid / UID_TRANSFORM_DIVISOR;
1122 bool isEnable = true;
1123 innerManager_.IsOsAccountConstraintEnable(callerUserId, constraintName, isEnable);
1124 if (isEnable) {
1125 ACCOUNT_LOGE("constraint check %{public}s failed.", constraintName.c_str());
1126 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), constraintName);
1127 return false;
1128 }
1129 }
1130
1131 // permission check
1132 if ((permissionName.empty()) || (AccountPermissionManager::VerifyPermission(permissionName) == ERR_OK)) {
1133 return true;
1134 }
1135
1136 ACCOUNT_LOGE("failed to verify permission for %{public}s.", permissionName.c_str());
1137 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), permissionName);
1138 return false;
1139 }
1140
CheckCreateOsAccountWhiteList()1141 bool OsAccountManagerService::CheckCreateOsAccountWhiteList()
1142 {
1143 return uidWhiteListForCreation.find(GetCallingUid()) != uidWhiteListForCreation.end();
1144 }
1145
IsOsAccountForeground(const int32_t localId,const uint64_t displayId,bool & isForeground)1146 ErrCode OsAccountManagerService::IsOsAccountForeground(const int32_t localId, const uint64_t displayId,
1147 bool &isForeground)
1148 {
1149 int32_t callerId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1150 int32_t id = (localId == -1) ? callerId : localId;
1151 if (id < Constants::ADMIN_LOCAL_ID) {
1152 ACCOUNT_LOGE("LocalId %{public}d is invlaid.", id);
1153 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1154 }
1155 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1156 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1157 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1158 }
1159 bool isOsAccountExists = false;
1160 ErrCode result = IsOsAccountExists(id, isOsAccountExists);
1161 if (result != ERR_OK) {
1162 return result;
1163 }
1164 if (!isOsAccountExists) {
1165 ACCOUNT_LOGE("LocalId %{public}d not exist.", id);
1166 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
1167 }
1168 if (id >= Constants::ADMIN_LOCAL_ID && id < Constants::START_USER_ID) {
1169 ACCOUNT_LOGI("LocalId %{public}d is always in backgroud.", id);
1170 isForeground = false;
1171 return ERR_OK;
1172 }
1173 return innerManager_.IsOsAccountForeground(id, displayId, isForeground);
1174 }
1175
GetForegroundOsAccountLocalId(const uint64_t displayId,int32_t & localId)1176 ErrCode OsAccountManagerService::GetForegroundOsAccountLocalId(const uint64_t displayId, int32_t &localId)
1177 {
1178 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1179 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1180 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1181 }
1182 return innerManager_.GetForegroundOsAccountLocalId(displayId, localId);
1183 }
1184
GetForegroundOsAccounts(std::vector<ForegroundOsAccount> & accounts)1185 ErrCode OsAccountManagerService::GetForegroundOsAccounts(std::vector<ForegroundOsAccount> &accounts)
1186 {
1187 return innerManager_.GetForegroundOsAccounts(accounts);
1188 }
1189
GetBackgroundOsAccountLocalIds(std::vector<int32_t> & localIds)1190 ErrCode OsAccountManagerService::GetBackgroundOsAccountLocalIds(std::vector<int32_t> &localIds)
1191 {
1192 return innerManager_.GetBackgroundOsAccountLocalIds(localIds);
1193 }
1194
SetOsAccountToBeRemoved(int32_t localId,bool toBeRemoved)1195 ErrCode OsAccountManagerService::SetOsAccountToBeRemoved(int32_t localId, bool toBeRemoved)
1196 {
1197 ErrCode res = CheckLocalId(localId);
1198 if (res != ERR_OK) {
1199 return res;
1200 }
1201 if ((localId == Constants::START_USER_ID) || (localId == Constants::ADMIN_LOCAL_ID)) {
1202 ACCOUNT_LOGE("Cannot remove system preinstalled user.");
1203 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
1204 }
1205 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1206 ACCOUNT_LOGE("Permission denied.");
1207 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1208 }
1209 return innerManager_.SetOsAccountToBeRemoved(localId, toBeRemoved);
1210 }
1211
GetOsAccountDomainInfo(const int32_t localId,DomainAccountInfo & domainInfo)1212 ErrCode OsAccountManagerService::GetOsAccountDomainInfo(const int32_t localId, DomainAccountInfo &domainInfo)
1213 {
1214 if (!(PermissionCheck(GET_DOMAIN_ACCOUNTS, "") &&
1215 PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, ""))) {
1216 ACCOUNT_LOGE("Permission denied.");
1217 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1218 }
1219 ErrCode res = CheckLocalId(localId);
1220 if (res != ERR_OK) {
1221 return res;
1222 }
1223 return innerManager_.GetOsAccountDomainInfo(localId, domainInfo);
1224 }
1225 } // namespace AccountSA
1226 } // namespace OHOS
1227