1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "os_account_manager_service.h"
16 #include <algorithm>
17 #include <cstddef>
18 #include "account_constants.h"
19 #include "account_info.h"
20 #include "account_log_wrapper.h"
21 #include "account_hisysevent_adapter.h"
22 #include "iinner_os_account_manager.h"
23 #include "ipc_skeleton.h"
24 #include "os_account_constants.h"
25
26 namespace OHOS {
27 namespace AccountSA {
28 namespace {
29 const std::string DUMP_TAB_CHARACTER = "\t";
30 const std::map<OsAccountType, std::string> DUMP_TYPE_MAP = {
31 {OsAccountType::ADMIN, "admin"},
32 {OsAccountType::NORMAL, "normal"},
33 {OsAccountType::GUEST, "guest"},
34 {OsAccountType::PRIVATE, "private"},
35 };
36 const std::string CONSTANT_CREATE = "constraint.os.account.create";
37 const std::string CONSTANT_CREATE_DIRECTLY = "constraint.os.account.create.directly";
38 const std::string CONSTANT_REMOVE = "constraint.os.account.remove";
39 const std::string CONSTANT_ACTIVATE = "constraint.os.account.activate";
40 const std::string CONSTANT_SET_ICON = "constraint.os.account.set.icon";
41 #ifndef IS_RELEASE_VERSION
42 const std::int32_t ROOT_UID = 0;
43 #endif
44 const std::string DEFAULT_ANON_STR = "**********";
45 const size_t INTERCEPT_HEAD_PART_LEN_FOR_NAME = 1;
46
47 const std::string MANAGE_LOCAL_ACCOUNTS = "ohos.permission.MANAGE_LOCAL_ACCOUNTS";
48 const std::string GET_LOCAL_ACCOUNTS = "ohos.permission.GET_LOCAL_ACCOUNTS";
49 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION =
50 "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
51 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
52 const std::set<uint32_t> uidWhiteListForCreation { 3057 };
53
AnonymizeNameStr(const std::string& nameStr)54 std::string AnonymizeNameStr(const std::string& nameStr)
55 {
56 if (nameStr.empty()) {
57 return nameStr;
58 }
59 std::string retStr = nameStr.substr(0, INTERCEPT_HEAD_PART_LEN_FOR_NAME) + DEFAULT_ANON_STR;
60 return retStr;
61 }
62
CheckLocalId(int localId)63 ErrCode CheckLocalId(int localId)
64 {
65 if (localId < 0) {
66 ACCOUNT_LOGE("id %{public}d is invalid", localId);
67 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
68 }
69 return ERR_OK;
70 }
71
IsTypeOutOfRange(const OsAccountType& type)72 bool IsTypeOutOfRange(const OsAccountType& type)
73 {
74 return (type < OsAccountType::ADMIN) || ((type > OsAccountType::GUEST) && (type < OsAccountType::PRIVATE)) ||
75 (type >= OsAccountType::END);
76 }
77 } // namespace
78
OsAccountManagerService()79 OsAccountManagerService::OsAccountManagerService() : innerManager_(IInnerOsAccountManager::GetInstance())
80 {}
81
~OsAccountManagerService()82 OsAccountManagerService::~OsAccountManagerService()
83 {}
84
CreateOsAccount( const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)85 ErrCode OsAccountManagerService::CreateOsAccount(
86 const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)
87 {
88 ErrCode errCode = ValidateAccountCreateParamAndPermission(name, type);
89 if (errCode != ERR_OK) {
90 return errCode;
91 }
92 return innerManager_.CreateOsAccount(name, type, osAccountInfo);
93 }
94
CreateOsAccount(const std::string &localName, const std::string &shortName, const OsAccountType &type, OsAccountInfo &osAccountInfo, const CreateOsAccountOptions &options)95 ErrCode OsAccountManagerService::CreateOsAccount(const std::string &localName, const std::string &shortName,
96 const OsAccountType &type, OsAccountInfo &osAccountInfo, const CreateOsAccountOptions &options)
97 {
98 ErrCode errCode = ValidateAccountCreateParamAndPermission(localName, type);
99 if (errCode != ERR_OK) {
100 return errCode;
101 }
102
103 if (options.hasShortName) {
104 errCode = innerManager_.ValidateShortName(shortName);
105 if (errCode != ERR_OK) {
106 return errCode;
107 }
108 }
109
110 return innerManager_.CreateOsAccount(localName, shortName, type, osAccountInfo, options);
111 }
112
ValidateAccountCreateParamAndPermission(const std::string &localName, const OsAccountType &type)113 ErrCode OsAccountManagerService::ValidateAccountCreateParamAndPermission(const std::string &localName,
114 const OsAccountType &type)
115 {
116 // permission check
117 if (!CheckCreateOsAccountWhiteList() &&
118 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY) ||
119 !PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE))) {
120 ACCOUNT_LOGE("account manager service, permission denied!");
121 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
122 }
123
124 bool isMultiOsAccountEnable = false;
125 IsMultiOsAccountEnable(isMultiOsAccountEnable);
126 if (!isMultiOsAccountEnable) {
127 ACCOUNT_LOGE("system is not multi os account enable error");
128 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
129 }
130
131 size_t localNameSize = localName.size();
132 if ((localNameSize == 0) || (localNameSize > Constants::LOCAL_NAME_MAX_SIZE)) {
133 ACCOUNT_LOGE("CreateOsAccount local name length %{public}zu is invalid!", localNameSize);
134 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
135 }
136
137 if (IsTypeOutOfRange(type)) {
138 ACCOUNT_LOGE("os account type is invalid");
139 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
140 }
141
142 bool isAllowedCreateAdmin = false;
143 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
144 if (errCode != ERR_OK) {
145 ACCOUNT_LOGE("query allowed create admin error");
146 return errCode;
147 }
148 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
149 ACCOUNT_LOGE("cannot create admin account error");
150 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
151 }
152 return ERR_OK;
153 }
154
CreateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo, const CreateOsAccountOptions &options)155 ErrCode OsAccountManagerService::CreateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo,
156 const CreateOsAccountOptions &options)
157 {
158 bool isMultiOsAccountEnable = false;
159 innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
160 if (!isMultiOsAccountEnable) {
161 ACCOUNT_LOGE("system is not multi os account enable error");
162 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
163 }
164
165 if ((!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) ||
166 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY))) {
167 ACCOUNT_LOGE("account manager service, permission denied!");
168 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
169 }
170
171 bool isAllowedCreateAdmin = false;
172 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
173 if (errCode != ERR_OK) {
174 ACCOUNT_LOGE("query allowed create admin error");
175 return errCode;
176 }
177 if (!isAllowedCreateAdmin && (osAccountInfo.GetType() == OsAccountType::ADMIN)) {
178 ACCOUNT_LOGE("cannot create admin account error");
179 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
180 }
181
182 return innerManager_.CreateOsAccountWithFullInfo(osAccountInfo, options);
183 }
184
UpdateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo)185 ErrCode OsAccountManagerService::UpdateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo)
186 {
187 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
188 ACCOUNT_LOGE("account manager service, permission denied!");
189 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
190 }
191
192 bool isAllowedCreateAdmin = false;
193 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
194 if (errCode != ERR_OK) {
195 ACCOUNT_LOGE("query allowed update admin error");
196 return errCode;
197 }
198 if (!isAllowedCreateAdmin && osAccountInfo.GetType() == OsAccountType::ADMIN) {
199 ACCOUNT_LOGE("cannot update admin account error");
200 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
201 }
202
203 return innerManager_.UpdateOsAccountWithFullInfo(osAccountInfo);
204 }
205
CreateOsAccountForDomain(const OsAccountType &type, const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback, const CreateOsAccountForDomainOptions &options)206 ErrCode OsAccountManagerService::CreateOsAccountForDomain(const OsAccountType &type,
207 const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback,
208 const CreateOsAccountForDomainOptions &options)
209 {
210 ACCOUNT_LOGI("start");
211 // permission check
212 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) {
213 ACCOUNT_LOGE("account manager service, permission denied!");
214 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
215 }
216
217 // parameters check
218 if (IsTypeOutOfRange(type)) {
219 ACCOUNT_LOGE("os account type is invalid");
220 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
221 }
222 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
223 ACCOUNT_LOGE("Domain account name is empty or domain is empty");
224 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
225 }
226 if (domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE ||
227 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
228 ACCOUNT_LOGE("Domain account name is overlength or domain is overlength");
229 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
230 }
231
232 if (options.hasShortName || (options.shortName != "")) {
233 ErrCode code = innerManager_.ValidateShortName(options.shortName);
234 if (code != ERR_OK) {
235 ACCOUNT_LOGE("Failed to create os account for domain, shortName=%{public}s is invalid!",
236 options.shortName.c_str());
237 return code;
238 }
239 }
240
241 bool isAllowedCreateAdmin = false;
242 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
243 if (errCode != ERR_OK) {
244 ACCOUNT_LOGE("Failed to get allowed create admin permission, code=%{public}d.", errCode);
245 return errCode;
246 }
247 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
248 ACCOUNT_LOGE("Do not allowed create admin.");
249 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
250 }
251 return innerManager_.CreateOsAccountForDomain(type, domainInfo, callback, options);
252 }
253
RemoveOsAccount(const int id)254 ErrCode OsAccountManagerService::RemoveOsAccount(const int id)
255 {
256 // parameters check
257 ErrCode res = CheckLocalId(id);
258 if (res != ERR_OK) {
259 return res;
260 }
261 if ((id == Constants::START_USER_ID) || (id == Constants::ADMIN_LOCAL_ID)) {
262 ACCOUNT_LOGE("cannot remove system preinstalled user");
263 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
264 }
265 // permission check
266 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_REMOVE)) {
267 ACCOUNT_LOGE("account manager service, permission denied!");
268 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
269 }
270
271 return innerManager_.RemoveOsAccount(id);
272 }
273
IsOsAccountExists(const int id, bool &isOsAccountExists)274 ErrCode OsAccountManagerService::IsOsAccountExists(const int id, bool &isOsAccountExists)
275 {
276 return innerManager_.IsOsAccountExists(id, isOsAccountExists);
277 }
278
IsOsAccountActived(const int id, bool &isOsAccountActived)279 ErrCode OsAccountManagerService::IsOsAccountActived(const int id, bool &isOsAccountActived)
280 {
281 // check current account state
282 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
283 if (callerUserId == id) {
284 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
285 }
286
287 // check other account state, check permission first
288 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
289 ACCOUNT_LOGE("account manager service, permission denied!");
290 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
291 }
292
293 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
294 }
295
IsOsAccountConstraintEnable( const int id, const std::string &constraint, bool &isConstraintEnable)296 ErrCode OsAccountManagerService::IsOsAccountConstraintEnable(
297 const int id, const std::string &constraint, bool &isConstraintEnable)
298 {
299 ErrCode res = CheckLocalId(id);
300 if (res != ERR_OK) {
301 return res;
302 }
303 // permission check
304 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
305 ACCOUNT_LOGE("account manager service, permission denied!");
306 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
307 }
308
309 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isConstraintEnable);
310 }
311
CheckOsAccountConstraintEnabled( const int id, const std::string &constraint, bool &isEnabled)312 ErrCode OsAccountManagerService::CheckOsAccountConstraintEnabled(
313 const int id, const std::string &constraint, bool &isEnabled)
314 {
315 ErrCode res = CheckLocalId(id);
316 if (res != ERR_OK) {
317 return res;
318 }
319
320 // check current account state
321 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
322 if (callerUserId == id) {
323 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
324 }
325
326 // permission check
327 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
328 ACCOUNT_LOGE("account manager service, permission denied!");
329 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
330 }
331
332 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
333 }
334
IsOsAccountVerified(const int id, bool &isVerified)335 ErrCode OsAccountManagerService::IsOsAccountVerified(const int id, bool &isVerified)
336 {
337 ErrCode res = CheckLocalId(id);
338 if (res != ERR_OK) {
339 return res;
340 }
341 // check current account state
342 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
343 if (callerUserId == id) {
344 return innerManager_.IsOsAccountVerified(id, isVerified);
345 }
346
347 // check other account state, check permission first
348 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
349 ACCOUNT_LOGE("account manager service, permission denied!");
350 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
351 }
352
353 return innerManager_.IsOsAccountVerified(id, isVerified);
354 }
355
GetCreatedOsAccountsCount(unsigned int &osAccountsCount)356 ErrCode OsAccountManagerService::GetCreatedOsAccountsCount(unsigned int &osAccountsCount)
357 {
358 // permission check
359 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
360 ACCOUNT_LOGE("account manager service, permission denied!");
361 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
362 }
363
364 return innerManager_.GetCreatedOsAccountsCount(osAccountsCount);
365 }
366
GetOsAccountLocalIdFromProcess(int &id)367 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromProcess(int &id)
368 {
369 const std::int32_t uid = IPCSkeleton::GetCallingUid();
370 id = uid / UID_TRANSFORM_DIVISOR;
371 return ERR_OK;
372 }
373
IsMainOsAccount(bool &isMainOsAccount)374 ErrCode OsAccountManagerService::IsMainOsAccount(bool &isMainOsAccount)
375 {
376 // permission check
377 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
378 ACCOUNT_LOGW("account manager service, permission denied!");
379 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
380 }
381
382 const std::int32_t uid = IPCSkeleton::GetCallingUid();
383 isMainOsAccount = ((uid / UID_TRANSFORM_DIVISOR) == MAIN_OS_ACCOUNT_LOCAL_ID);
384 return ERR_OK;
385 }
386
GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)387 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)
388 {
389 if (domainInfo.domain_.empty() || domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
390 ACCOUNT_LOGE("domain name length invalid. length %{public}zu.", domainInfo.domain_.size());
391 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
392 }
393
394 if (domainInfo.accountName_.empty() || domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE) {
395 ACCOUNT_LOGE("accountName length invalid. length %{public}zu.", domainInfo.accountName_.size());
396 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
397 }
398 // permission check
399 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
400 ACCOUNT_LOGE("account manager service, permission denied!");
401 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
402 }
403
404 return innerManager_.GetOsAccountLocalIdFromDomain(domainInfo, id);
405 }
406
QueryMaxOsAccountNumber(uint32_t &maxOsAccountNumber)407 ErrCode OsAccountManagerService::QueryMaxOsAccountNumber(uint32_t &maxOsAccountNumber)
408 {
409 return innerManager_.QueryMaxOsAccountNumber(maxOsAccountNumber);
410 }
411
QueryMaxLoggedInOsAccountNumber(uint32_t &maxNum)412 ErrCode OsAccountManagerService::QueryMaxLoggedInOsAccountNumber(uint32_t &maxNum)
413 {
414 return innerManager_.QueryMaxLoggedInOsAccountNumber(maxNum);
415 }
416
GetOsAccountAllConstraints(const int id, std::vector<std::string> &constraints)417 ErrCode OsAccountManagerService::GetOsAccountAllConstraints(const int id, std::vector<std::string> &constraints)
418 {
419 // permission check
420 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
421 ACCOUNT_LOGE("account manager service, permission denied!");
422 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
423 }
424
425 return innerManager_.GetOsAccountAllConstraints(id, constraints);
426 }
427
QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)428 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)
429 {
430 // permission check
431 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
432 ACCOUNT_LOGE("account manager service, permission denied!");
433 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
434 }
435
436 return innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
437 }
438
QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)439 ErrCode OsAccountManagerService::QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)
440 {
441 // permission check
442 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && (!PermissionCheck(GET_LOCAL_ACCOUNTS, ""))) {
443 ACCOUNT_LOGE("account manager service, permission denied!");
444 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
445 }
446
447 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
448 return innerManager_.QueryOsAccountById(id, osAccountInfo);
449 }
450
QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)451 ErrCode OsAccountManagerService::QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)
452 {
453 // parameters check
454 ErrCode res = CheckLocalId(id);
455 if (res != ERR_OK) {
456 return res;
457 }
458 // permission check
459 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") &&
460 !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
461 ACCOUNT_LOGE("account manager service, permission denied!");
462 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
463 }
464
465 return innerManager_.QueryOsAccountById(id, osAccountInfo);
466 }
467
GetOsAccountTypeFromProcess(OsAccountType &type)468 ErrCode OsAccountManagerService::GetOsAccountTypeFromProcess(OsAccountType &type)
469 {
470 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
471 return innerManager_.GetOsAccountType(id, type);
472 }
473
GetOsAccountType(const int id, OsAccountType& type)474 ErrCode OsAccountManagerService::GetOsAccountType(const int id, OsAccountType& type)
475 {
476 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
477 ACCOUNT_LOGE("Check permission failed.");
478 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
479 }
480 return innerManager_.GetOsAccountType(id, type);
481 }
482
GetOsAccountProfilePhoto(const int id, std::string &photo)483 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(const int id, std::string &photo)
484 {
485 ErrCode result = CheckLocalId(id);
486 if (result != ERR_OK) {
487 return result;
488 }
489 // get current account photo
490 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
491 if (callerUserId == id) {
492 return innerManager_.GetOsAccountProfilePhoto(id, photo);
493 }
494
495 // get other account photo, check permission first
496 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
497 ACCOUNT_LOGE("account manager service, permission denied!");
498 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
499 }
500
501 return innerManager_.GetOsAccountProfilePhoto(id, photo);
502 }
503
IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)504 ErrCode OsAccountManagerService::IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)
505 {
506 return innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
507 }
508
SetOsAccountName(const int id, const std::string &name)509 ErrCode OsAccountManagerService::SetOsAccountName(const int id, const std::string &name)
510 {
511 // parameters check
512 ErrCode res = CheckLocalId(id);
513 if (res != ERR_OK) {
514 return res;
515 }
516 if (id == Constants::ADMIN_LOCAL_ID) {
517 ACCOUNT_LOGE("cannot set name for system preinstalled user");
518 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
519 }
520 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
521 ACCOUNT_LOGE("set os account name is out of allowed size");
522 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
523 }
524 if (name.size() <= 0) {
525 ACCOUNT_LOGE("os account name is empty");
526 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
527 }
528
529 // permission check
530 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
531 ACCOUNT_LOGE("account manager service, permission denied!");
532 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
533 }
534
535 return innerManager_.SetOsAccountName(id, name);
536 }
537
SetOsAccountConstraints( const int id, const std::vector<std::string> &constraints, const bool enable)538 ErrCode OsAccountManagerService::SetOsAccountConstraints(
539 const int id, const std::vector<std::string> &constraints, const bool enable)
540 {
541 ErrCode res = CheckLocalId(id);
542 if (res != ERR_OK) {
543 return res;
544 }
545 if (id == Constants::ADMIN_LOCAL_ID) {
546 ACCOUNT_LOGE("cannot set constraints for system preinstalled user");
547 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
548 }
549 // permission check
550 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
551 ACCOUNT_LOGE("account manager service, permission denied!");
552 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
553 }
554
555 return innerManager_.SetBaseOsAccountConstraints(id, constraints, enable);
556 }
557
SetOsAccountProfilePhoto(const int id, const std::string &photo)558 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(const int id, const std::string &photo)
559 {
560 // parameters check
561 ErrCode res = CheckLocalId(id);
562 if (res != ERR_OK) {
563 return res;
564 }
565 if (id == Constants::ADMIN_LOCAL_ID) {
566 ACCOUNT_LOGE("cannot set photo for system preinstalled user");
567 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
568 }
569 if (photo.size() > Constants::LOCAL_PHOTO_MAX_SIZE) {
570 ACCOUNT_LOGE("photo out of allowed size");
571 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
572 }
573 if (photo.empty()) {
574 ACCOUNT_LOGE("photo is empty");
575 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
576 }
577 // permission check
578 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_SET_ICON)) {
579 ACCOUNT_LOGE("account manager service, permission denied!");
580 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
581 }
582
583 return innerManager_.SetOsAccountProfilePhoto(id, photo);
584 }
585
ActivateOsAccount(const int id)586 ErrCode OsAccountManagerService::ActivateOsAccount(const int id)
587 {
588 // parameters check
589 ErrCode res = CheckLocalId(id);
590 if (res != ERR_OK) {
591 return res;
592 }
593 if (id == Constants::ADMIN_LOCAL_ID) {
594 ACCOUNT_LOGE("cannot activate name for system preinstalled user");
595 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
596 }
597 // permission check
598 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, CONSTANT_ACTIVATE)) {
599 ACCOUNT_LOGE("account manager service, permission denied!");
600 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
601 }
602
603 return innerManager_.ActivateOsAccount(id);
604 }
605
DeactivateOsAccount(const int id)606 ErrCode OsAccountManagerService::DeactivateOsAccount(const int id)
607 {
608 // parameters check
609 ErrCode res = CheckLocalId(id);
610 if (res != ERR_OK) {
611 return res;
612 }
613 if (id == Constants::ADMIN_LOCAL_ID) {
614 ACCOUNT_LOGE("cannot deactivate name for system preinstalled user");
615 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
616 }
617 // permission check
618 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
619 ACCOUNT_LOGE("account manager service, permission denied!");
620 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
621 }
622 int32_t currentId = Constants::START_USER_ID;
623 GetCurrentLocalId(currentId);
624
625 #ifndef SUPPORT_STOP_MAIN_OS_ACCOUNT
626 if (id == Constants::START_USER_ID) {
627 ACCOUNT_LOGW("the %{public}d os account can't stop", id);
628 return ERR_OSACCOUNT_SERVICE_INNER_ACCOUNT_STOP_ACTIVE_ERROR;
629 }
630 #endif // SUPPORT_STOP_OS_ACCOUNT
631
632 res = innerManager_.DeactivateOsAccount(id);
633 if (res != ERR_OK) {
634 return res;
635 }
636
637 if (currentId == id) { // if stop current account
638 #ifdef SUPPORT_STOP_MAIN_OS_ACCOUNT
639 innerManager_.ActivateOsAccount(id, false, Constants::DEFAULT_DISPALY_ID, true);
640 #else
641 innerManager_.ActivateOsAccount(Constants::START_USER_ID, false, Constants::DEFAULT_DISPALY_ID);
642 #endif // SUPPORT_STOP_MAIN_OS_ACCOUNT
643 }
644 return ERR_OK;
645 }
646
DeactivateAllOsAccounts()647 ErrCode OsAccountManagerService::DeactivateAllOsAccounts()
648 {
649 // permission check
650 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
651 ACCOUNT_LOGE("Permission check failed.");
652 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
653 }
654
655 std::vector<int32_t> userIds;
656 ErrCode res = innerManager_.QueryActiveOsAccountIds(userIds);
657 if (res != ERR_OK) {
658 ACCOUNT_LOGE("Get activated os account ids failed.");
659 return res;
660 }
661 if (userIds.empty()) {
662 ACCOUNT_LOGI("Activated os account list is empty.");
663 return ERR_OK;
664 }
665 ErrCode result = ERR_OK;
666 for (auto osAccountId : userIds) {
667 ACCOUNT_LOGI("DeactivateAllOsAccounts, id=%{public}d", osAccountId);
668 res = innerManager_.DeactivateOsAccount(osAccountId);
669 if (res != ERR_OK) {
670 ACCOUNT_LOGE("Deactivate os account id failed, id=%{public}d", osAccountId);
671 result = res;
672 }
673 }
674 return result;
675 }
676
GetCurrentLocalId(int32_t &userId)677 void OsAccountManagerService::GetCurrentLocalId(int32_t &userId)
678 {
679 std::vector<int32_t> userIds;
680 if ((innerManager_.QueryActiveOsAccountIds(userIds) != ERR_OK) || userIds.empty()) {
681 ACCOUNT_LOGE("fail to get activated os account ids");
682 return;
683 }
684 userId = userIds[0];
685 return;
686 }
687
StartOsAccount(const int id)688 ErrCode OsAccountManagerService::StartOsAccount(const int id)
689 {
690 return innerManager_.StartOsAccount(id);
691 }
692
SubscribeOsAccount( const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)693 ErrCode OsAccountManagerService::SubscribeOsAccount(
694 const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)
695 {
696 // permission check
697 OS_ACCOUNT_SUBSCRIBE_TYPE osAccountSubscribeType;
698 subscribeInfo.GetOsAccountSubscribeType(osAccountSubscribeType);
699 if (osAccountSubscribeType == SWITCHED || osAccountSubscribeType == SWITCHING) {
700 if (!(PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") ||
701 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
702 ACCOUNT_LOGE("account manager service, permission denied!");
703 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
704 }
705 } else {
706 if (!(PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "") ||
707 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
708 ACCOUNT_LOGE("account manager service, permission denied!");
709 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
710 }
711 }
712
713 auto osSubscribeInfo = innerManager_.GetSubscribeRecordInfo(eventListener);
714 if (osSubscribeInfo != nullptr) {
715 std::string name;
716 osSubscribeInfo->GetName(name);
717 ACCOUNT_LOGI("Event listener %{public}s already exists.", name.c_str());
718 return ERR_OK;
719 }
720
721 return innerManager_.SubscribeOsAccount(subscribeInfo, eventListener);
722 }
723
UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)724 ErrCode OsAccountManagerService::UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)
725 {
726 // permission check
727 auto osSubscribeInfo = innerManager_.GetSubscribeRecordInfo(eventListener);
728 if (osSubscribeInfo == nullptr) {
729 ACCOUNT_LOGI("Event listener is not exist.");
730 return ERR_OK;
731 }
732 OS_ACCOUNT_SUBSCRIBE_TYPE osAccountSubscribeType;
733 osSubscribeInfo->GetOsAccountSubscribeType(osAccountSubscribeType);
734 if (osAccountSubscribeType == SWITCHED || osAccountSubscribeType == SWITCHING) {
735 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
736 ACCOUNT_LOGE("account manager service, permission denied!");
737 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
738 }
739 } else {
740 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
741 ACCOUNT_LOGE("account manager service, permission denied!");
742 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
743 }
744 }
745
746 return innerManager_.UnsubscribeOsAccount(eventListener);
747 }
748
GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)749 ErrCode OsAccountManagerService::GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)
750 {
751 return innerManager_.GetOsAccountLocalIdBySerialNumber(serialNumber, id);
752 }
753
GetSerialNumberByOsAccountLocalId(const int &id, int64_t &serialNumber)754 ErrCode OsAccountManagerService::GetSerialNumberByOsAccountLocalId(const int &id, int64_t &serialNumber)
755 {
756 return innerManager_.GetSerialNumberByOsAccountLocalId(id, serialNumber);
757 }
758
GetOsAccountSwitchMod()759 OS_ACCOUNT_SWITCH_MOD OsAccountManagerService::GetOsAccountSwitchMod()
760 {
761 return innerManager_.GetOsAccountSwitchMod();
762 }
763
IsCurrentOsAccountVerified(bool &isVerified)764 ErrCode OsAccountManagerService::IsCurrentOsAccountVerified(bool &isVerified)
765 {
766 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
767 return innerManager_.IsOsAccountVerified(id, isVerified);
768 }
769
IsOsAccountCompleted(const int id, bool &isOsAccountCompleted)770 ErrCode OsAccountManagerService::IsOsAccountCompleted(const int id, bool &isOsAccountCompleted)
771 {
772 return innerManager_.IsOsAccountCompleted(id, isOsAccountCompleted);
773 }
774
SetCurrentOsAccountIsVerified(const bool isVerified)775 ErrCode OsAccountManagerService::SetCurrentOsAccountIsVerified(const bool isVerified)
776 {
777 // permission check
778 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
779 ACCOUNT_LOGE("account manager service, permission denied!");
780 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
781 }
782
783 // parameters check
784 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
785 ErrCode res = CheckLocalId(id);
786 if (res != ERR_OK) {
787 return res;
788 }
789 if (id == Constants::ADMIN_LOCAL_ID) {
790 ACCOUNT_LOGE("Cannot set verified status for system preinstalled user");
791 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
792 }
793 return innerManager_.SetOsAccountIsVerified(id, isVerified);
794 }
795
SetOsAccountIsVerified(const int id, const bool isVerified)796 ErrCode OsAccountManagerService::SetOsAccountIsVerified(const int id, const bool isVerified)
797 {
798 // parameters check
799 ErrCode res = CheckLocalId(id);
800 if (res != ERR_OK) {
801 return res;
802 }
803 if (id == Constants::ADMIN_LOCAL_ID) {
804 ACCOUNT_LOGE("Cannot set verified status for system preinstalled user");
805 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
806 }
807 // permission check
808 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
809 ACCOUNT_LOGE("account manager service, permission denied!");
810 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
811 }
812
813 return innerManager_.SetOsAccountIsVerified(id, isVerified);
814 }
815
DumpState(const int &id, std::vector<std::string> &state)816 ErrCode OsAccountManagerService::DumpState(const int &id, std::vector<std::string> &state)
817 {
818 state.clear();
819
820 // permission check
821 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
822 ACCOUNT_LOGE("account manager service, permission denied!");
823 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
824 }
825
826 ErrCode result = ERR_OK;
827 std::vector<OsAccountInfo> osAccountInfos;
828
829 if (id == -1) {
830 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
831 if (result != ERR_OK) {
832 return result;
833 }
834 } else {
835 OsAccountInfo osAccountInfo;
836 result = innerManager_.QueryOsAccountById(id, osAccountInfo);
837 if (result != ERR_OK) {
838 return result;
839 }
840
841 osAccountInfos.emplace_back(osAccountInfo);
842 }
843
844 return DumpStateByAccounts(osAccountInfos, state);
845 }
846
DumpOsAccountInfo(std::vector<std::string> &state)847 ErrCode OsAccountManagerService::DumpOsAccountInfo(std::vector<std::string> &state)
848 {
849 state.clear();
850
851 ErrCode result = ERR_OK;
852 std::vector<OsAccountInfo> osAccountInfos;
853 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
854 if (result != ERR_OK) {
855 return result;
856 }
857
858 return DumpStateByAccounts(osAccountInfos, state);
859 }
860
GetCreatedOsAccountNumFromDatabase(const std::string& storeID, int &createdOsAccountNum)861 ErrCode OsAccountManagerService::GetCreatedOsAccountNumFromDatabase(const std::string& storeID,
862 int &createdOsAccountNum)
863 {
864 // permission check
865 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
866 ACCOUNT_LOGE("account manager service, permission denied!");
867 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
868 }
869
870 return innerManager_.GetCreatedOsAccountNumFromDatabase(storeID, createdOsAccountNum);
871 }
872
GetSerialNumberFromDatabase(const std::string& storeID, int64_t &serialNumber)873 ErrCode OsAccountManagerService::GetSerialNumberFromDatabase(const std::string& storeID,
874 int64_t &serialNumber)
875 {
876 return innerManager_.GetSerialNumberFromDatabase(storeID, serialNumber);
877 }
878
GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)879 ErrCode OsAccountManagerService::GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)
880 {
881 return innerManager_.GetMaxAllowCreateIdFromDatabase(storeID, id);
882 }
883
GetOsAccountFromDatabase(const std::string& storeID, const int id, OsAccountInfo &osAccountInfo)884 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
885 const int id, OsAccountInfo &osAccountInfo)
886 {
887 // permission check
888 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
889 ACCOUNT_LOGE("account manager service, permission denied!");
890 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
891 }
892
893 return innerManager_.GetOsAccountFromDatabase(storeID, id, osAccountInfo);
894 }
895
GetOsAccountListFromDatabase(const std::string& storeID, std::vector<OsAccountInfo> &osAccountList)896 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
897 std::vector<OsAccountInfo> &osAccountList)
898 {
899 // permission check
900 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
901 ACCOUNT_LOGE("account manager service, permission denied!");
902 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
903 }
904
905 return innerManager_.GetOsAccountListFromDatabase(storeID, osAccountList);
906 }
907
DumpStateByAccounts( const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)908 ErrCode OsAccountManagerService::DumpStateByAccounts(
909 const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)
910 {
911 ACCOUNT_LOGD("enter");
912 for (auto osAccountInfo : osAccountInfos) {
913 std::string info = "";
914
915 std::string localId = std::to_string(osAccountInfo.GetLocalId());
916 state.emplace_back("ID: " + localId);
917
918 std::string localName = osAccountInfo.GetLocalName();
919 state.emplace_back(DUMP_TAB_CHARACTER + "Name: " + AnonymizeNameStr(localName));
920
921 std::string type = "";
922 auto it = DUMP_TYPE_MAP.find(osAccountInfo.GetType());
923 if (it != DUMP_TYPE_MAP.end()) {
924 type = it->second;
925 } else {
926 type = "unknown";
927 }
928 state.emplace_back(DUMP_TAB_CHARACTER + "Type: " + type);
929 state.emplace_back(DUMP_TAB_CHARACTER + "Status: " +
930 (osAccountInfo.GetIsActived() ? "active" : "inactive"));
931 state.emplace_back(DUMP_TAB_CHARACTER + "isForeground: " + std::to_string(osAccountInfo.GetIsForeground()));
932 state.emplace_back(DUMP_TAB_CHARACTER + "dispalyId: " + std::to_string(osAccountInfo.GetDisplayId()));
933
934 state.emplace_back(DUMP_TAB_CHARACTER + "Constraints:");
935 auto constraints = osAccountInfo.GetConstraints();
936 std::transform(constraints.begin(), constraints.end(), std::back_inserter(state),
937 [](auto constraint) {return DUMP_TAB_CHARACTER + DUMP_TAB_CHARACTER + constraint; });
938
939 state.emplace_back(DUMP_TAB_CHARACTER + "Verified: " +
940 (osAccountInfo.GetIsVerified() ? "true" : "false"));
941
942 int64_t serialNumber = osAccountInfo.GetSerialNumber();
943 state.emplace_back(DUMP_TAB_CHARACTER + "Serial Number: " + std::to_string(serialNumber));
944 state.emplace_back(DUMP_TAB_CHARACTER + "Create Completed: " +
945 (osAccountInfo.GetIsCreateCompleted() ? "true" : "false"));
946 state.emplace_back(DUMP_TAB_CHARACTER + "To Be Removed: " +
947 (osAccountInfo.GetToBeRemoved() ? "true" : "false"));
948 state.emplace_back("\n");
949 }
950
951 return ERR_OK;
952 }
953
QueryActiveOsAccountIds(std::vector<int32_t>& ids)954 ErrCode OsAccountManagerService::QueryActiveOsAccountIds(std::vector<int32_t>& ids)
955 {
956 return innerManager_.QueryActiveOsAccountIds(ids);
957 }
958
QueryOsAccountConstraintSourceTypes(const int32_t id, const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)959 ErrCode OsAccountManagerService::QueryOsAccountConstraintSourceTypes(const int32_t id,
960 const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)
961 {
962 // parameters check
963 ErrCode res = CheckLocalId(id);
964 if (res != ERR_OK) {
965 return res;
966 }
967 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
968 ACCOUNT_LOGE("constraint length is invalid. length %{public}zu.", constraint.size());
969 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
970 }
971
972 // permission check
973 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
974 ACCOUNT_LOGE("account manager service, permission denied!");
975 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
976 }
977
978 return innerManager_.QueryOsAccountConstraintSourceTypes(id, constraint, constraintSourceTypeInfos);
979 }
980
SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints, const bool enable, const int32_t enforcerId, const bool isDeviceOwner)981 ErrCode OsAccountManagerService::SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints,
982 const bool enable, const int32_t enforcerId, const bool isDeviceOwner)
983 {
984 // permission check
985 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
986 ACCOUNT_LOGE("account manager service, permission denied!");
987 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
988 }
989
990 return innerManager_.SetGlobalOsAccountConstraints(constraints, enable, enforcerId, isDeviceOwner);
991 }
992
SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints, const bool enable, const int32_t targetId, const int32_t enforcerId, const bool isDeviceOwner)993 ErrCode OsAccountManagerService::SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints,
994 const bool enable, const int32_t targetId, const int32_t enforcerId, const bool isDeviceOwner)
995 {
996 // permission check
997 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
998 ACCOUNT_LOGE("account manager service, permission denied!");
999 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1000 }
1001
1002 // parameters check
1003 if (targetId < Constants::START_USER_ID || enforcerId < Constants::START_USER_ID) {
1004 ACCOUNT_LOGE("invalid input account id %{public}d or %{public}d.", targetId, enforcerId);
1005 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
1006 }
1007
1008 return innerManager_.SetSpecificOsAccountConstraints(constraints, enable, targetId, enforcerId, isDeviceOwner);
1009 }
1010
SetDefaultActivatedOsAccount(const int32_t id)1011 ErrCode OsAccountManagerService::SetDefaultActivatedOsAccount(const int32_t id)
1012 {
1013 // parameters check
1014 ErrCode ret = CheckLocalId(id);
1015 if (ret != ERR_OK) {
1016 return ret;
1017 }
1018
1019 // permission check
1020 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1021 ACCOUNT_LOGE("account manager service, permission denied!");
1022 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1023 }
1024
1025 return innerManager_.SetDefaultActivatedOsAccount(id);
1026 }
1027
GetDefaultActivatedOsAccount(int32_t &id)1028 ErrCode OsAccountManagerService::GetDefaultActivatedOsAccount(int32_t &id)
1029 {
1030 return innerManager_.GetDefaultActivatedOsAccount(id);
1031 }
1032
GetOsAccountShortNameCommon(const int32_t id, std::string &shortName)1033 ErrCode OsAccountManagerService::GetOsAccountShortNameCommon(const int32_t id, std::string &shortName)
1034 {
1035 ErrCode errCode = innerManager_.GetOsAccountShortName(id, shortName);
1036 if (errCode != ERR_OK) {
1037 ACCOUNT_LOGE("GetOsAccountShortName error %{public}d", errCode);
1038 return errCode;
1039 }
1040 return ERR_OK;
1041 }
1042
GetOsAccountShortName(std::string &shortName)1043 ErrCode OsAccountManagerService::GetOsAccountShortName(std::string &shortName)
1044 {
1045 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1046 return GetOsAccountShortNameCommon(id, shortName);
1047 }
1048
GetOsAccountName(std::string &name)1049 ErrCode OsAccountManagerService::GetOsAccountName(std::string &name)
1050 {
1051 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1052 ErrCode errCode = innerManager_.GetOsAccountName(id, name);
1053 if (errCode != ERR_OK) {
1054 ACCOUNT_LOGE("Failed get account name, errCode=%{public}d, uid=%{public}d", errCode,
1055 IPCSkeleton::GetCallingUid());
1056 return errCode;
1057 }
1058 return ERR_OK;
1059 }
1060
GetOsAccountShortNameById(const int32_t id, std::string &shortName)1061 ErrCode OsAccountManagerService::GetOsAccountShortNameById(const int32_t id, std::string &shortName)
1062 {
1063 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
1064 ACCOUNT_LOGE("Check permission failed, please check your permission.");
1065 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1066 }
1067 return GetOsAccountShortNameCommon(id, shortName);
1068 }
1069
PermissionCheck(const std::string& permissionName, const std::string& constraintName)1070 bool OsAccountManagerService::PermissionCheck(const std::string& permissionName, const std::string& constraintName)
1071 {
1072 int callerUid = IPCSkeleton::GetCallingUid();
1073 #ifndef IS_RELEASE_VERSION
1074 // root check in none release version for test
1075 if (callerUid == ROOT_UID) {
1076 return true;
1077 }
1078 #endif
1079
1080 // constraints check
1081 if (!constraintName.empty()) {
1082 int callerUserId = callerUid / UID_TRANSFORM_DIVISOR;
1083 bool isEnable = true;
1084 innerManager_.IsOsAccountConstraintEnable(callerUserId, constraintName, isEnable);
1085 if (isEnable) {
1086 ACCOUNT_LOGE("constraint check %{public}s failed.", constraintName.c_str());
1087 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), constraintName);
1088 return false;
1089 }
1090 }
1091
1092 // permission check
1093 if ((permissionName.empty()) || (AccountPermissionManager::VerifyPermission(permissionName) == ERR_OK)) {
1094 return true;
1095 }
1096
1097 ACCOUNT_LOGE("failed to verify permission for %{public}s.", permissionName.c_str());
1098 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), permissionName);
1099 return false;
1100 }
1101
CheckCreateOsAccountWhiteList()1102 bool OsAccountManagerService::CheckCreateOsAccountWhiteList()
1103 {
1104 return uidWhiteListForCreation.find(GetCallingUid()) != uidWhiteListForCreation.end();
1105 }
1106
IsOsAccountForeground(const int32_t localId, const uint64_t displayId, bool &isForeground)1107 ErrCode OsAccountManagerService::IsOsAccountForeground(const int32_t localId, const uint64_t displayId,
1108 bool &isForeground)
1109 {
1110 int32_t callerId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1111 int32_t id = (localId == -1) ? callerId : localId;
1112 if (id < Constants::ADMIN_LOCAL_ID) {
1113 ACCOUNT_LOGE("LocalId %{public}d is invlaid.", id);
1114 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1115 }
1116 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1117 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1118 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1119 }
1120 bool isOsAccountExists = false;
1121 ErrCode result = IsOsAccountExists(id, isOsAccountExists);
1122 if (result != ERR_OK) {
1123 return result;
1124 }
1125 if (!isOsAccountExists) {
1126 ACCOUNT_LOGE("LocalId %{public}d not exist.", id);
1127 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
1128 }
1129 if (id >= Constants::ADMIN_LOCAL_ID && id < Constants::START_USER_ID) {
1130 ACCOUNT_LOGI("LocalId %{public}d is always in backgroud.", id);
1131 isForeground = false;
1132 return ERR_OK;
1133 }
1134 return innerManager_.IsOsAccountForeground(id, displayId, isForeground);
1135 }
1136
GetForegroundOsAccountLocalId(const uint64_t displayId, int32_t &localId)1137 ErrCode OsAccountManagerService::GetForegroundOsAccountLocalId(const uint64_t displayId, int32_t &localId)
1138 {
1139 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1140 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1141 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1142 }
1143 return innerManager_.GetForegroundOsAccountLocalId(displayId, localId);
1144 }
1145
GetForegroundOsAccounts(std::vector<ForegroundOsAccount> &accounts)1146 ErrCode OsAccountManagerService::GetForegroundOsAccounts(std::vector<ForegroundOsAccount> &accounts)
1147 {
1148 return innerManager_.GetForegroundOsAccounts(accounts);
1149 }
1150
GetBackgroundOsAccountLocalIds(std::vector<int32_t> &localIds)1151 ErrCode OsAccountManagerService::GetBackgroundOsAccountLocalIds(std::vector<int32_t> &localIds)
1152 {
1153 return innerManager_.GetBackgroundOsAccountLocalIds(localIds);
1154 }
1155
SetOsAccountToBeRemoved(int32_t localId, bool toBeRemoved)1156 ErrCode OsAccountManagerService::SetOsAccountToBeRemoved(int32_t localId, bool toBeRemoved)
1157 {
1158 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1159 ACCOUNT_LOGE("Permission denied.");
1160 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1161 }
1162 return innerManager_.SetOsAccountToBeRemoved(localId, toBeRemoved);
1163 }
1164 } // namespace AccountSA
1165 } // namespace OHOS
1166