1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_kit.h"
17 #include <string>
18 #include <vector>
19 #include "accesstoken_dfx_define.h"
20 #include "accesstoken_log.h"
21 #include "access_token_error.h"
22 #include "accesstoken_manager_client.h"
23 #include "constant_common.h"
24 #include "data_validator.h"
25 #include "hap_token_info.h"
26 #include "permission_def.h"
27 #include "permission_map.h"
28 #include "perm_setproc.h"
29 #include "perm_state_change_callback_customize.h"
30 #include "tokenid_kit.h"
31 #include "token_setproc.h"
32
33 namespace OHOS {
34 namespace Security {
35 namespace AccessToken {
36 namespace {
37 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenKit"};
38 static const uint64_t TOKEN_ID_LOWMASK = 0xffffffff;
39 static const int INVALID_DLP_TOKEN_FLAG = -1;
40 static const int FIRSTCALLER_TOKENID_DEFAULT = 0;
41 } // namespace
42
GetPermissionUsedType( AccessTokenID tokenID, const std::string& permissionName)43 PermUsedTypeEnum AccessTokenKit::GetPermissionUsedType(
44 AccessTokenID tokenID, const std::string& permissionName)
45 {
46 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, permissionName=%{public}s.",
47 tokenID, permissionName.c_str());
48 if ((tokenID == INVALID_TOKENID) || (!DataValidator::IsPermissionNameValid(permissionName))) {
49 ACCESSTOKEN_LOG_ERROR(LABEL, "Input param failed.");
50 return PermUsedTypeEnum::INVALID_USED_TYPE;
51 }
52 return AccessTokenManagerClient::GetInstance().GetPermissionUsedType(tokenID, permissionName);
53 }
54
GrantPermissionForSpecifiedTime( AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)55 int AccessTokenKit::GrantPermissionForSpecifiedTime(
56 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime)
57 {
58 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID=%{public}d, permissionName=%{public}s, onceTime=%{public}d.",
59 tokenID, permissionName.c_str(), onceTime);
60 if (tokenID == INVALID_TOKENID) {
61 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid tokenID");
62 return AccessTokenError::ERR_PARAM_INVALID;
63 }
64 if (!DataValidator::IsPermissionNameValid(permissionName)) {
65 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid permissionName");
66 return AccessTokenError::ERR_PARAM_INVALID;
67 }
68 return AccessTokenManagerClient::GetInstance().GrantPermissionForSpecifiedTime(tokenID, permissionName, onceTime);
69 }
70
AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy)71 AccessTokenIDEx AccessTokenKit::AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy)
72 {
73 AccessTokenIDEx res = {0};
74 ACCESSTOKEN_LOG_INFO(LABEL, "UserID: %{public}d, bundleName :%{public}s, \
75 permList: %{public}zu, stateList: %{public}zu",
76 info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size());
77 if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) ||
78 !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) ||
79 !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType)) {
80 ACCESSTOKEN_LOG_ERROR(LABEL, "Input param failed");
81 return res;
82 }
83 return AccessTokenManagerClient::GetInstance().AllocHapToken(info, policy);
84 }
85
InitHapToken(const HapInfoParams& info, HapPolicyParams& policy, AccessTokenIDEx& fullTokenId)86 int32_t AccessTokenKit::InitHapToken(const HapInfoParams& info, HapPolicyParams& policy,
87 AccessTokenIDEx& fullTokenId)
88 {
89 ACCESSTOKEN_LOG_INFO(LABEL, "UserID: %{public}d, bundleName :%{public}s, \
90 permList: %{public}zu, stateList: %{public}zu",
91 info.userID, info.bundleName.c_str(), policy.permList.size(), policy.permStateList.size());
92 if ((!DataValidator::IsUserIdValid(info.userID)) || !DataValidator::IsAppIDDescValid(info.appIDDesc) ||
93 !DataValidator::IsBundleNameValid(info.bundleName) || !DataValidator::IsAplNumValid(policy.apl) ||
94 !DataValidator::IsDomainValid(policy.domain) || !DataValidator::IsDlpTypeValid(info.dlpType)) {
95 ACCESSTOKEN_LOG_ERROR(LABEL, "Input param failed");
96 return AccessTokenError::ERR_PARAM_INVALID;
97 }
98 return AccessTokenManagerClient::GetInstance().InitHapToken(info, policy, fullTokenId);
99 }
100
AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID)101 AccessTokenID AccessTokenKit::AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID)
102 {
103 ACCESSTOKEN_LOG_INFO(LABEL, "DeviceID=%{public}s, tokenID=%{public}d",
104 ConstantCommon::EncryptDevId(remoteDeviceID).c_str(), remoteTokenID);
105 #ifdef DEBUG_API_PERFORMANCE
106 ACCESSTOKEN_LOG_DEBUG(LABEL, "Api_performance:start call");
107 AccessTokenID resID = AccessTokenManagerClient::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
108 ACCESSTOKEN_LOG_DEBUG(LABEL, "Api_performance:end call");
109 return resID;
110 #else
111 return AccessTokenManagerClient::GetInstance().AllocLocalTokenID(remoteDeviceID, remoteTokenID);
112 #endif
113 }
114
UpdateHapToken( AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, const HapPolicyParams& policy)115 int32_t AccessTokenKit::UpdateHapToken(
116 AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, const HapPolicyParams& policy)
117 {
118 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID: %{public}d, isSystemApp: %{public}d, \
119 permList: %{public}zu, stateList: %{public}zu",
120 tokenIdEx.tokenIdExStruct.tokenID, info.isSystemApp, policy.permList.size(), policy.permStateList.size());
121 if ((tokenIdEx.tokenIdExStruct.tokenID == INVALID_TOKENID) || (!DataValidator::IsAppIDDescValid(info.appIDDesc)) ||
122 (!DataValidator::IsAplNumValid(policy.apl))) {
123 ACCESSTOKEN_LOG_ERROR(LABEL, "Input param failed");
124 return AccessTokenError::ERR_PARAM_INVALID;
125 }
126 return AccessTokenManagerClient::GetInstance().UpdateHapToken(tokenIdEx, info, policy);
127 }
128
DeleteToken(AccessTokenID tokenID)129 int AccessTokenKit::DeleteToken(AccessTokenID tokenID)
130 {
131 ACCESSTOKEN_LOG_INFO(LABEL, "TokenID=%{public}d.", tokenID);
132 if (tokenID == INVALID_TOKENID) {
133 return AccessTokenError::ERR_PARAM_INVALID;
134 }
135 return AccessTokenManagerClient::GetInstance().DeleteToken(tokenID);
136 }
137
GetTokenType(AccessTokenID tokenID)138 ATokenTypeEnum AccessTokenKit::GetTokenType(AccessTokenID tokenID) __attribute__((no_sanitize("cfi")))
139 {
140 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", tokenID);
141 if (tokenID == INVALID_TOKENID) {
142 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid.");
143 return TOKEN_INVALID;
144 }
145 return AccessTokenManagerClient::GetInstance().GetTokenType(tokenID);
146 }
147
GetTokenTypeFlag(AccessTokenID tokenID)148 ATokenTypeEnum AccessTokenKit::GetTokenTypeFlag(AccessTokenID tokenID)
149 {
150 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", tokenID);
151 if (tokenID == INVALID_TOKENID) {
152 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
153 return TOKEN_INVALID;
154 }
155 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
156 return static_cast<ATokenTypeEnum>(idInner->type);
157 }
158
GetTokenType(FullTokenID tokenID)159 ATokenTypeEnum AccessTokenKit::GetTokenType(FullTokenID tokenID)
160 {
161 AccessTokenID id = tokenID & TOKEN_ID_LOWMASK;
162 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", id);
163 if (id == INVALID_TOKENID) {
164 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
165 return TOKEN_INVALID;
166 }
167 return AccessTokenManagerClient::GetInstance().GetTokenType(id);
168 }
169
GetTokenTypeFlag(FullTokenID tokenID)170 ATokenTypeEnum AccessTokenKit::GetTokenTypeFlag(FullTokenID tokenID)
171 {
172 AccessTokenID id = tokenID & TOKEN_ID_LOWMASK;
173 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", id);
174 if (id == INVALID_TOKENID) {
175 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
176 return TOKEN_INVALID;
177 }
178 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&id);
179 return static_cast<ATokenTypeEnum>(idInner->type);
180 }
181
GetHapTokenID( int32_t userID, const std::string& bundleName, int32_t instIndex)182 AccessTokenID AccessTokenKit::GetHapTokenID(
183 int32_t userID, const std::string& bundleName, int32_t instIndex) __attribute__((no_sanitize("cfi")))
184 {
185 ACCESSTOKEN_LOG_DEBUG(LABEL, "UserID=%{public}d, bundleName=%{public}s, instIndex=%{public}d.",
186 userID, bundleName.c_str(), instIndex);
187 if ((!DataValidator::IsUserIdValid(userID)) || (!DataValidator::IsBundleNameValid(bundleName))) {
188 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token param check failed");
189 return INVALID_TOKENID;
190 }
191 AccessTokenIDEx tokenIdEx =
192 AccessTokenManagerClient::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
193 return tokenIdEx.tokenIdExStruct.tokenID;
194 }
195
GetHapTokenIDEx(int32_t userID, const std::string& bundleName, int32_t instIndex)196 AccessTokenIDEx AccessTokenKit::GetHapTokenIDEx(int32_t userID, const std::string& bundleName, int32_t instIndex)
197 {
198 AccessTokenIDEx tokenIdEx = {0};
199 ACCESSTOKEN_LOG_DEBUG(LABEL, "UserID=%{public}d, bundleName=%{public}s, instIndex=%{public}d.",
200 userID, bundleName.c_str(), instIndex);
201 if ((!DataValidator::IsUserIdValid(userID)) || (!DataValidator::IsBundleNameValid(bundleName))) {
202 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token param check failed");
203 return tokenIdEx;
204 }
205 return AccessTokenManagerClient::GetInstance().GetHapTokenID(userID, bundleName, instIndex);
206 }
207
GetHapTokenInfo( AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes)208 int AccessTokenKit::GetHapTokenInfo(
209 AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes) __attribute__((no_sanitize("cfi")))
210 {
211 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", tokenID);
212 if (GetTokenTypeFlag(tokenID) != TOKEN_HAP) {
213 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID =%{public}d is invalid", tokenID);
214 return AccessTokenError::ERR_PARAM_INVALID;
215 }
216
217 return AccessTokenManagerClient::GetInstance().GetHapTokenInfo(tokenID, hapTokenInfoRes);
218 }
219
GetNativeTokenInfo( AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes)220 int AccessTokenKit::GetNativeTokenInfo(
221 AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes) __attribute__((no_sanitize("cfi")))
222 {
223 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", tokenID);
224 if (GetTokenTypeFlag(tokenID) != TOKEN_NATIVE && GetTokenTypeFlag(tokenID) != TOKEN_SHELL) {
225 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID =%{public}d is invalid", tokenID);
226 return AccessTokenError::ERR_PARAM_INVALID;
227 }
228 return AccessTokenManagerClient::GetInstance().GetNativeTokenInfo(tokenID, nativeTokenInfoRes);
229 }
230
GetSelfPermissionsState(std::vector<PermissionListState>& permList, PermissionGrantInfo& info)231 PermissionOper AccessTokenKit::GetSelfPermissionsState(std::vector<PermissionListState>& permList,
232 PermissionGrantInfo& info)
233 {
234 ACCESSTOKEN_LOG_DEBUG(LABEL, "PermList.size=%{public}zu.", permList.size());
235 return AccessTokenManagerClient::GetInstance().GetSelfPermissionsState(permList, info);
236 }
237
GetPermissionsStatus(AccessTokenID tokenID, std::vector<PermissionListState>& permList)238 int32_t AccessTokenKit::GetPermissionsStatus(AccessTokenID tokenID, std::vector<PermissionListState>& permList)
239 {
240 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, permList.size=%{public}zu.", tokenID, permList.size());
241 if (tokenID == INVALID_TOKENID) {
242 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
243 return ERR_PARAM_INVALID;
244 }
245 return AccessTokenManagerClient::GetInstance().GetPermissionsStatus(tokenID, permList);
246 }
247
VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName, bool crossIpc)248 int AccessTokenKit::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName, bool crossIpc)
249 {
250 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, permissionName=%{public}s, crossIpc=%{public}d.",
251 tokenID, permissionName.c_str(), crossIpc);
252 if (!DataValidator::IsPermissionNameValid(permissionName)) {
253 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName is invalid");
254 return PERMISSION_DENIED;
255 }
256
257 uint32_t code;
258 if (crossIpc || !TransferPermissionToOpcode(permissionName, code)) {
259 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
260 }
261 bool isGranted = false;
262 int32_t ret = GetPermissionFromKernel(tokenID, code, isGranted);
263 if (ret != 0) {
264 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
265 }
266 return isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
267 }
268
VerifyAccessToken( AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName, bool crossIpc)269 int AccessTokenKit::VerifyAccessToken(
270 AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName, bool crossIpc)
271 {
272 ACCESSTOKEN_LOG_DEBUG(LABEL, "CallerToken=%{public}d, firstToken=%{public}d, permissionName=%{public}s.",
273 callerTokenID, firstTokenID, permissionName.c_str());
274 int ret = AccessTokenKit::VerifyAccessToken(callerTokenID, permissionName, crossIpc);
275 if (ret != PERMISSION_GRANTED) {
276 return ret;
277 }
278 if (firstTokenID == FIRSTCALLER_TOKENID_DEFAULT) {
279 return ret;
280 }
281 return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName, crossIpc);
282 }
283
VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)284 int AccessTokenKit::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
285 {
286 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, permissionName=%{public}s.",
287 tokenID, permissionName.c_str());
288 uint32_t code;
289 if (!TransferPermissionToOpcode(permissionName, code)) {
290 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
291 }
292 bool isGranted = false;
293 int32_t ret = GetPermissionFromKernel(tokenID, code, isGranted);
294 if (ret != 0) {
295 return AccessTokenManagerClient::GetInstance().VerifyAccessToken(tokenID, permissionName);
296 }
297 return isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
298 }
299
VerifyAccessToken( AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName)300 int AccessTokenKit::VerifyAccessToken(
301 AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName)
302 {
303 ACCESSTOKEN_LOG_DEBUG(LABEL, "CallerToken=%{public}d, firstToken=%{public}d, permissionName=%{public}s.",
304 callerTokenID, firstTokenID, permissionName.c_str());
305 int ret = AccessTokenKit::VerifyAccessToken(callerTokenID, permissionName);
306 if (ret != PERMISSION_GRANTED) {
307 return ret;
308 }
309 if (firstTokenID == FIRSTCALLER_TOKENID_DEFAULT) {
310 return ret;
311 }
312 return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName);
313 }
314
GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)315 int AccessTokenKit::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
316 {
317 ACCESSTOKEN_LOG_DEBUG(LABEL, "PermissionName=%{public}s.", permissionName.c_str());
318 if (!DataValidator::IsPermissionNameValid(permissionName)) {
319 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName is invalid");
320 return AccessTokenError::ERR_PARAM_INVALID;
321 }
322
323 int ret = AccessTokenManagerClient::GetInstance().GetDefPermission(permissionName, permissionDefResult);
324 ACCESSTOKEN_LOG_DEBUG(LABEL, "GetDefPermission bundleName = %{public}s", permissionDefResult.bundleName.c_str());
325
326 return ret;
327 }
328
GetDefPermissions( AccessTokenID tokenID, std::vector<PermissionDef>& permDefList)329 int AccessTokenKit::GetDefPermissions(
330 AccessTokenID tokenID, std::vector<PermissionDef>& permDefList) __attribute__((no_sanitize("cfi")))
331 {
332 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", tokenID);
333 if (tokenID == INVALID_TOKENID) {
334 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
335 return AccessTokenError::ERR_PARAM_INVALID;
336 }
337
338 return AccessTokenManagerClient::GetInstance().GetDefPermissions(tokenID, permDefList);
339 }
340
GetReqPermissions( AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant)341 int AccessTokenKit::GetReqPermissions(
342 AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant)
343 {
344 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, isSystemGrant=%{public}d.", tokenID, isSystemGrant);
345 if (tokenID == INVALID_TOKENID) {
346 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
347 return AccessTokenError::ERR_PARAM_INVALID;
348 }
349
350 return AccessTokenManagerClient::GetInstance().GetReqPermissions(tokenID, reqPermList, isSystemGrant);
351 }
352
GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)353 int AccessTokenKit::GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag)
354 {
355 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, permissionName=%{public}s.",
356 tokenID, permissionName.c_str());
357 if (tokenID == INVALID_TOKENID) {
358 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
359 return AccessTokenError::ERR_PARAM_INVALID;
360 }
361 if (!DataValidator::IsPermissionNameValid(permissionName)) {
362 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName is invalid");
363 return AccessTokenError::ERR_PARAM_INVALID;
364 }
365 return AccessTokenManagerClient::GetInstance().GetPermissionFlag(tokenID, permissionName, flag);
366 }
367
GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)368 int AccessTokenKit::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
369 {
370 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, permissionName=%{public}s, flag=%{public}d.",
371 tokenID, permissionName.c_str(), flag);
372 if (tokenID == INVALID_TOKENID) {
373 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
374 return AccessTokenError::ERR_PARAM_INVALID;
375 }
376 if (!DataValidator::IsPermissionNameValid(permissionName)) {
377 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName is invalid");
378 return AccessTokenError::ERR_PARAM_INVALID;
379 }
380 if (!DataValidator::IsPermissionFlagValid(flag)) {
381 ACCESSTOKEN_LOG_ERROR(LABEL, "Flag is invalid");
382 return AccessTokenError::ERR_PARAM_INVALID;
383 }
384 return AccessTokenManagerClient::GetInstance().GrantPermission(tokenID, permissionName, flag);
385 }
386
RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)387 int AccessTokenKit::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag)
388 {
389 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, permissionName=%{public}s, flag=%{public}d.",
390 tokenID, permissionName.c_str(), flag);
391 if (tokenID == INVALID_TOKENID) {
392 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid tokenID");
393 return AccessTokenError::ERR_PARAM_INVALID;
394 }
395 if (!DataValidator::IsPermissionNameValid(permissionName)) {
396 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid permissionName");
397 return AccessTokenError::ERR_PARAM_INVALID;
398 }
399 if (!DataValidator::IsPermissionFlagValid(flag)) {
400 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid flag");
401 return AccessTokenError::ERR_PARAM_INVALID;
402 }
403 return AccessTokenManagerClient::GetInstance().RevokePermission(tokenID, permissionName, flag);
404 }
405
ClearUserGrantedPermissionState(AccessTokenID tokenID)406 int AccessTokenKit::ClearUserGrantedPermissionState(AccessTokenID tokenID)
407 {
408 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", tokenID);
409 if (tokenID == INVALID_TOKENID) {
410 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
411 return AccessTokenError::ERR_PARAM_INVALID;
412 }
413 return AccessTokenManagerClient::GetInstance().ClearUserGrantedPermissionState(tokenID);
414 }
415
SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status, int32_t userID = 0)416 int32_t AccessTokenKit::SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status,
417 int32_t userID = 0)
418 {
419 ACCESSTOKEN_LOG_DEBUG(LABEL, "PermissionName=%{public}s, status=%{public}d, userID=%{public}d.",
420 permissionName.c_str(), status, userID);
421 if (!DataValidator::IsPermissionNameValid(permissionName)) {
422 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName is invalid.");
423 return AccessTokenError::ERR_PARAM_INVALID;
424 }
425 if (!DataValidator::IsToggleStatusValid(status)) {
426 ACCESSTOKEN_LOG_ERROR(LABEL, "Toggle status is invalid.");
427 return AccessTokenError::ERR_PARAM_INVALID;
428 }
429 if (!DataValidator::IsUserIdValid(userID)) {
430 ACCESSTOKEN_LOG_ERROR(LABEL, "UserID is invalid.");
431 return AccessTokenError::ERR_PARAM_INVALID;
432 }
433 return AccessTokenManagerClient::GetInstance().SetPermissionRequestToggleStatus(permissionName, status, userID);
434 }
435
GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status, int32_t userID = 0)436 int32_t AccessTokenKit::GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status,
437 int32_t userID = 0)
438 {
439 ACCESSTOKEN_LOG_DEBUG(LABEL, "PermissionName=%{public}s, userID=%{public}d.",
440 permissionName.c_str(), userID);
441 if (!DataValidator::IsPermissionNameValid(permissionName)) {
442 ACCESSTOKEN_LOG_ERROR(LABEL, "PermissionName is invalid.");
443 return AccessTokenError::ERR_PARAM_INVALID;
444 }
445 if (!DataValidator::IsUserIdValid(userID)) {
446 ACCESSTOKEN_LOG_ERROR(LABEL, "UserID is invalid.");
447 return AccessTokenError::ERR_PARAM_INVALID;
448 }
449 return AccessTokenManagerClient::GetInstance().GetPermissionRequestToggleStatus(permissionName, status, userID);
450 }
451
RegisterPermStateChangeCallback( const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)452 int32_t AccessTokenKit::RegisterPermStateChangeCallback(
453 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)
454 {
455 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
456 return AccessTokenManagerClient::GetInstance().RegisterPermStateChangeCallback(callback);
457 }
458
UnRegisterPermStateChangeCallback( const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)459 int32_t AccessTokenKit::UnRegisterPermStateChangeCallback(
460 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback)
461 {
462 ACCESSTOKEN_LOG_INFO(LABEL, "Called");
463 return AccessTokenManagerClient::GetInstance().UnRegisterPermStateChangeCallback(callback);
464 }
465
GetHapDlpFlag(AccessTokenID tokenID)466 int32_t AccessTokenKit::GetHapDlpFlag(AccessTokenID tokenID)
467 {
468 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", tokenID);
469 if (tokenID == INVALID_TOKENID) {
470 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
471 return INVALID_DLP_TOKEN_FLAG;
472 }
473 AccessTokenIDInner *idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenID);
474 return static_cast<int32_t>(idInner->dlpFlag);
475 }
476
ReloadNativeTokenInfo()477 int32_t AccessTokenKit::ReloadNativeTokenInfo()
478 {
479 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
480 return AccessTokenManagerClient::GetInstance().ReloadNativeTokenInfo();
481 #else
482 return 0;
483 #endif
484 }
485
GetNativeTokenId(const std::string& processName)486 AccessTokenID AccessTokenKit::GetNativeTokenId(const std::string& processName)
487 {
488 if (!DataValidator::IsProcessNameValid(processName)) {
489 ACCESSTOKEN_LOG_ERROR(LABEL, "ProcessName is invalid, processName=%{public}s", processName.c_str());
490 return INVALID_TOKENID;
491 }
492 return AccessTokenManagerClient::GetInstance().GetNativeTokenId(processName);
493 }
494
495 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)496 int AccessTokenKit::GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)
497 {
498 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d.", tokenID);
499 if (tokenID == INVALID_TOKENID) {
500 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenID is invalid");
501 return AccessTokenError::ERR_PARAM_INVALID;
502 }
503
504 return AccessTokenManagerClient::GetInstance().GetHapTokenInfoFromRemote(tokenID, hapSync);
505 }
506
SetRemoteHapTokenInfo(const std::string& deviceID, const HapTokenInfoForSync& hapSync)507 int AccessTokenKit::SetRemoteHapTokenInfo(const std::string& deviceID,
508 const HapTokenInfoForSync& hapSync)
509 {
510 ACCESSTOKEN_LOG_DEBUG(LABEL, "DeviceID=%{public}s, tokenID=%{public}d.",
511 ConstantCommon::EncryptDevId(deviceID).c_str(), hapSync.baseInfo.tokenID);
512 return AccessTokenManagerClient::GetInstance().SetRemoteHapTokenInfo(deviceID, hapSync);
513 }
514
DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)515 int AccessTokenKit::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
516 {
517 ACCESSTOKEN_LOG_DEBUG(LABEL, "DeviceID=%{public}s, tokenID=%{public}d.",
518 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
519 return AccessTokenManagerClient::GetInstance().DeleteRemoteToken(deviceID, tokenID);
520 }
521
DeleteRemoteDeviceTokens(const std::string& deviceID)522 int AccessTokenKit::DeleteRemoteDeviceTokens(const std::string& deviceID)
523 {
524 ACCESSTOKEN_LOG_DEBUG(LABEL, "DeviceID=%{public}s.", ConstantCommon::EncryptDevId(deviceID).c_str());
525 return AccessTokenManagerClient::GetInstance().DeleteRemoteDeviceTokens(deviceID);
526 }
527
GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)528 AccessTokenID AccessTokenKit::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)
529 {
530 ACCESSTOKEN_LOG_DEBUG(LABEL, "DeviceID=%{public}s., tokenID=%{public}d",
531 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
532 return AccessTokenManagerClient::GetInstance().GetRemoteNativeTokenID(deviceID, tokenID);
533 }
534
RegisterTokenSyncCallback(const std::shared_ptr<TokenSyncKitInterface>& syncCallback)535 int32_t AccessTokenKit::RegisterTokenSyncCallback(const std::shared_ptr<TokenSyncKitInterface>& syncCallback)
536 {
537 ACCESSTOKEN_LOG_DEBUG(LABEL, "Call RegisterTokenSyncCallback.");
538 return AccessTokenManagerClient::GetInstance().RegisterTokenSyncCallback(syncCallback);
539 }
540
UnRegisterTokenSyncCallback()541 int32_t AccessTokenKit::UnRegisterTokenSyncCallback()
542 {
543 ACCESSTOKEN_LOG_DEBUG(LABEL, "Call UnRegisterTokenSyncCallback.");
544 return AccessTokenManagerClient::GetInstance().UnRegisterTokenSyncCallback();
545 }
546 #endif
547
DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo)548 void AccessTokenKit::DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo)
549 {
550 ACCESSTOKEN_LOG_DEBUG(LABEL, "TokenID=%{public}d, bundleName=%{public}s, processName=%{public}s.",
551 info.tokenId, info.bundleName.c_str(), info.processName.c_str());
552 AccessTokenManagerClient::GetInstance().DumpTokenInfo(info, dumpInfo);
553 }
554
GetVersion(uint32_t& version)555 int32_t AccessTokenKit::GetVersion(uint32_t& version)
556 {
557 return AccessTokenManagerClient::GetInstance().GetVersion(version);
558 }
559
SetPermDialogCap(const HapBaseInfo& hapBaseInfo, bool enable)560 int32_t AccessTokenKit::SetPermDialogCap(const HapBaseInfo& hapBaseInfo, bool enable)
561 {
562 return AccessTokenManagerClient::GetInstance().SetPermDialogCap(hapBaseInfo, enable);
563 }
564
GetPermissionManagerInfo(PermissionGrantInfo& info)565 void AccessTokenKit::GetPermissionManagerInfo(PermissionGrantInfo& info)
566 {
567 AccessTokenManagerClient::GetInstance().GetPermissionManagerInfo(info);
568 }
569
InitUserPolicy( const std::vector<UserState>& userList, const std::vector<std::string>& permList)570 int32_t AccessTokenKit::InitUserPolicy(
571 const std::vector<UserState>& userList, const std::vector<std::string>& permList)
572 {
573 ACCESSTOKEN_LOG_INFO(LABEL, "Enter.");
574 return AccessTokenManagerClient::GetInstance().InitUserPolicy(userList, permList);
575 }
576
UpdateUserPolicy(const std::vector<UserState>& userList)577 int32_t AccessTokenKit::UpdateUserPolicy(const std::vector<UserState>& userList)
578 {
579 ACCESSTOKEN_LOG_INFO(LABEL, "Enter.");
580 return AccessTokenManagerClient::GetInstance().UpdateUserPolicy(userList);
581 }
582
ClearUserPolicy()583 int32_t AccessTokenKit::ClearUserPolicy()
584 {
585 ACCESSTOKEN_LOG_INFO(LABEL, "Enter.");
586 return AccessTokenManagerClient::GetInstance().ClearUserPolicy();
587 }
588 } // namespace AccessToken
589 } // namespace Security
590 } // namespace OHOS
591