1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "user_auth_service.h"
17 #include "hisysevent_adapter.h"
18
19 #include <cinttypes>
20
21 #include "accesstoken_kit.h"
22 #include "auth_common.h"
23 #include "auth_event_listener_manager.h"
24 #include "auth_widget_helper.h"
25 #include "context_factory.h"
26 #include "context_helper.h"
27 #include "hdi_wrapper.h"
28 #include "iam_check.h"
29 #include "iam_common_defines.h"
30 #include "iam_logger.h"
31 #include "iam_para2str.h"
32 #include "iam_ptr.h"
33 #include "iam_time.h"
34 #include "ipc_common.h"
35 #include "ipc_skeleton.h"
36 #include "keyguard_status_listener.h"
37 #include "soft_bus_manager.h"
38 #include "widget_client.h"
39 #include "remote_msg_util.h"
40 #include "remote_iam_callback.h"
41 #include "remote_auth_service.h"
42 #include "device_manager_util.h"
43 #include "xcollie_helper.h"
44
45 #define LOG_TAG "USER_AUTH_SA"
46
47 namespace OHOS {
48 namespace UserIam {
49 namespace UserAuth {
50 namespace {
51 const int32_t MINIMUM_VERSION = 0;
52 const int32_t CURRENT_VERSION = 1;
53 const int32_t USERIAM_IPC_THREAD_NUM = 4;
54 const uint32_t NETWORK_ID_LENGTH = 64;
55 const bool REMOTE_AUTH_SERVICE_RESULT = RemoteAuthService::GetInstance().Start();
GetTemplatesByAuthType(int32_t userId, AuthType authType, std::vector<uint64_t> &templateIds)56 void GetTemplatesByAuthType(int32_t userId, AuthType authType, std::vector<uint64_t> &templateIds)
57 {
58 templateIds.clear();
59 auto credentialInfos = UserIdmDatabase::Instance().GetCredentialInfo(userId, authType);
60 if (credentialInfos.empty()) {
61 IAM_LOGE("user %{public}d has no credential type %{public}d", userId, authType);
62 return;
63 }
64
65 templateIds.reserve(credentialInfos.size());
66 for (auto &info : credentialInfos) {
67 if (info == nullptr) {
68 IAM_LOGE("info is nullptr");
69 continue;
70 }
71 templateIds.push_back(info->GetTemplateId());
72 }
73 }
74
IsTemplateIdListRequired(const std::vector<Attributes::AttributeKey> &keys)75 bool IsTemplateIdListRequired(const std::vector<Attributes::AttributeKey> &keys)
76 {
77 for (const auto &key : keys) {
78 if (key == Attributes::AttributeKey::ATTR_PIN_SUB_TYPE ||
79 key == Attributes::AttributeKey::ATTR_REMAIN_TIMES ||
80 key == Attributes::AttributeKey::ATTR_FREEZING_TIME ||
81 key == Attributes::AttributeKey::ATTR_NEXT_FAIL_LOCKOUT_DURATION) {
82 return true;
83 }
84 }
85 return false;
86 }
87
GetResourceNodeByTypeAndRole(AuthType authType, ExecutorRole role, std::vector<std::weak_ptr<ResourceNode>> &authTypeNodes)88 void GetResourceNodeByTypeAndRole(AuthType authType, ExecutorRole role,
89 std::vector<std::weak_ptr<ResourceNode>> &authTypeNodes)
90 {
91 authTypeNodes.clear();
92 ResourceNodePool::Instance().Enumerate(
93 [&authTypeNodes, role, authType](const std::weak_ptr<ResourceNode> &weakNode) {
94 auto node = weakNode.lock();
95 if (node == nullptr) {
96 return;
97 }
98 if (node->GetAuthType() != authType) {
99 return;
100 }
101 if (node->GetExecutorRole() != role) {
102 return;
103 }
104 authTypeNodes.push_back(node);
105 });
106 }
107
GetAuthParamStr(const AuthParamInner &authParam, std::optional<RemoteAuthParam> &remoteAuthParam)108 std::string GetAuthParamStr(const AuthParamInner &authParam, std::optional<RemoteAuthParam> &remoteAuthParam)
109 {
110 std::ostringstream authParamString;
111 authParamString << "userId:" << authParam.userId << " authType:" << authParam.authType
112 << " atl:" << authParam.authTrustLevel;
113 if (remoteAuthParam.has_value()) {
114 const uint32_t NETWORK_ID_PRINT_LEN = 4;
115 const uint32_t TOKEN_ID_MIN_LEN = 2;
116 auto verifierNetworkIdStr = remoteAuthParam->verifierNetworkId.value_or("").substr(0, NETWORK_ID_PRINT_LEN);
117 auto collectorNetworkIdStr = remoteAuthParam->collectorNetworkId.value_or("").substr(0, NETWORK_ID_PRINT_LEN);
118 auto tokenIdStr = std::to_string(remoteAuthParam->collectorTokenId.value_or(0));
119 if (tokenIdStr.size() > TOKEN_ID_MIN_LEN) {
120 tokenIdStr = std::string(1, tokenIdStr[0]) + "****" + std::string(1, tokenIdStr[tokenIdStr.size() - 1]);
121 } else {
122 tokenIdStr = "";
123 }
124
125 authParamString << " isRemoteAuth:true" << " verifierNetworkId:" << verifierNetworkIdStr << "****"
126 " collectorNetworkId:" << collectorNetworkIdStr << "****" << " collectorTokenId:" << tokenIdStr;
127 }
128 return authParamString.str();
129 }
130 const bool REGISTER_RESULT = SystemAbility::MakeAndRegisterAbility(UserAuthService::GetInstance().get());
131 } // namespace
132 std::mutex UserAuthService::mutex_;
133 std::shared_ptr<UserAuthService> UserAuthService::instance_ = nullptr;
134
GetInstance()135 std::shared_ptr<UserAuthService> UserAuthService::GetInstance()
136 {
137 if (instance_ == nullptr) {
138 std::lock_guard<std::mutex> guard(mutex_);
139 if (instance_ == nullptr) {
140 instance_ = Common::MakeShared<UserAuthService>();
141 if (instance_ == nullptr) {
142 IAM_LOGE("make share failed");
143 }
144 }
145 }
146 return instance_;
147 }
148
UserAuthService()149 UserAuthService::UserAuthService()
150 : SystemAbility(SUBSYS_USERIAM_SYS_ABILITY_USERAUTH, true)
151 {}
152
OnStart()153 void UserAuthService::OnStart()
154 {
155 IAM_LOGI("start service");
156 IPCSkeleton::SetMaxWorkThreadNum(USERIAM_IPC_THREAD_NUM);
157 if (!Publish(this)) {
158 IAM_LOGE("failed to publish service");
159 }
160 SoftBusManager::GetInstance().Start();
161 KeyguardStatusListenerManager::GetInstance().RegisterCommonEventListener();
162 }
163
OnStop()164 void UserAuthService::OnStop()
165 {
166 IAM_LOGI("stop service");
167 SoftBusManager::GetInstance().Stop();
168 KeyguardStatusListenerManager::GetInstance().UnRegisterCommonEventListener();
169 }
170
CheckAuthTrustLevel(AuthTrustLevel authTrustLevel)171 bool UserAuthService::CheckAuthTrustLevel(AuthTrustLevel authTrustLevel)
172 {
173 if ((authTrustLevel != ATL1) && (authTrustLevel != ATL2) &&
174 (authTrustLevel != ATL3) && (authTrustLevel != ATL4)) {
175 IAM_LOGE("authTrustLevel not support %{public}u", authTrustLevel);
176 return false;
177 }
178 return true;
179 }
180
GetAvailableStatus(int32_t apiVersion, int32_t userId, AuthType authType, AuthTrustLevel authTrustLevel)181 int32_t UserAuthService::GetAvailableStatus(int32_t apiVersion, int32_t userId, AuthType authType,
182 AuthTrustLevel authTrustLevel)
183 {
184 IAM_LOGI("start with userId");
185
186 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
187 IAM_LOGE("failed to check permission");
188 return CHECK_PERMISSION_FAILED;
189 }
190 return GetAvailableStatusInner(apiVersion, userId, authType, authTrustLevel);
191 }
192
GetAvailableStatus(int32_t apiVersion, AuthType authType, AuthTrustLevel authTrustLevel)193 int32_t UserAuthService::GetAvailableStatus(int32_t apiVersion, AuthType authType, AuthTrustLevel authTrustLevel)
194 {
195 IAM_LOGI("start without userId");
196
197 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
198 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
199 IAM_LOGE("failed to check permission");
200 return CHECK_PERMISSION_FAILED;
201 }
202 if (apiVersion <= API_VERSION_8 && authType == PIN) {
203 IAM_LOGE("authType not support");
204 return TYPE_NOT_SUPPORT;
205 }
206 int32_t userId = INVALID_USER_ID;
207 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
208 IAM_LOGE("failed to get userId");
209 return GENERAL_ERROR;
210 }
211 return GetAvailableStatusInner(apiVersion, userId, authType, authTrustLevel);
212 }
213
GetAvailableStatusInner(int32_t apiVersion, int32_t userId, AuthType authType, AuthTrustLevel authTrustLevel)214 int32_t UserAuthService::GetAvailableStatusInner(int32_t apiVersion, int32_t userId, AuthType authType,
215 AuthTrustLevel authTrustLevel)
216 {
217 if (!CheckAuthTrustLevel(authTrustLevel)) {
218 IAM_LOGE("authTrustLevel is not in correct range");
219 return TRUST_LEVEL_NOT_SUPPORT;
220 }
221 auto hdi = HdiWrapper::GetHdiInstance();
222 if (hdi == nullptr) {
223 IAM_LOGE("hdi interface is nullptr");
224 return GENERAL_ERROR;
225 }
226 int32_t checkRet = GENERAL_ERROR;
227 int32_t result = hdi->GetAvailableStatus(userId, authType, authTrustLevel, checkRet);
228 if (result != SUCCESS) {
229 IAM_LOGE("hdi GetAvailableStatus failed");
230 return GENERAL_ERROR;
231 }
232 IAM_LOGI("GetAvailableStatus result:%{public}d", checkRet);
233 return checkRet;
234 }
235
FillGetPropertyKeys(AuthType authType, const std::vector<Attributes::AttributeKey> &keys, std::vector<uint32_t> &uint32Keys)236 void UserAuthService::FillGetPropertyKeys(AuthType authType, const std::vector<Attributes::AttributeKey> &keys,
237 std::vector<uint32_t> &uint32Keys)
238 {
239 uint32Keys.reserve(keys.size());
240 for (const auto &key : keys) {
241 if (key == Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION && authType != PIN) {
242 continue;
243 }
244 uint32Keys.push_back(static_cast<uint32_t>(key));
245 }
246 }
247
FillGetPropertyValue(AuthType authType, const std::vector<Attributes::AttributeKey> &keys, Attributes &values)248 void UserAuthService::FillGetPropertyValue(AuthType authType, const std::vector<Attributes::AttributeKey> &keys,
249 Attributes &values)
250 {
251 for (const auto &key : keys) {
252 if (key == Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION && authType != PIN) {
253 if (!values.SetInt32Value(Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION, FIRST_LOCKOUT_DURATION_EXCEPT_PIN)) {
254 IAM_LOGE("set nextFailLockoutDuration failed, authType %{public}d", authType);
255 }
256 break;
257 }
258 }
259 }
260
GetProperty(int32_t userId, AuthType authType, const std::vector<Attributes::AttributeKey> &keys, sptr<GetExecutorPropertyCallbackInterface> &callback)261 void UserAuthService::GetProperty(int32_t userId, AuthType authType,
262 const std::vector<Attributes::AttributeKey> &keys, sptr<GetExecutorPropertyCallbackInterface> &callback)
263 {
264 IAM_LOGI("start");
265 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
266 IF_FALSE_LOGE_AND_RETURN(callback != nullptr);
267 Attributes values;
268
269 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
270 IAM_LOGE("failed to check permission");
271 callback->OnGetExecutorPropertyResult(CHECK_PERMISSION_FAILED, values);
272 return;
273 }
274
275 std::vector<uint64_t> templateIds;
276 if (IsTemplateIdListRequired(keys)) {
277 GetTemplatesByAuthType(userId, authType, templateIds);
278 if (templateIds.size() == 0) {
279 IAM_LOGE("template id list is required, but templateIds size is 0");
280 callback->OnGetExecutorPropertyResult(NOT_ENROLLED, values);
281 return;
282 }
283 }
284
285 std::vector<std::weak_ptr<ResourceNode>> authTypeNodes;
286 GetResourceNodeByTypeAndRole(authType, ALL_IN_ONE, authTypeNodes);
287 if (authTypeNodes.size() != 1) {
288 IAM_LOGE("auth type %{public}d resource node num %{public}zu is not expected",
289 authType, authTypeNodes.size());
290 callback->OnGetExecutorPropertyResult(GENERAL_ERROR, values);
291 return;
292 }
293
294 auto resourceNode = authTypeNodes[0].lock();
295 if (resourceNode == nullptr) {
296 IAM_LOGE("resourceNode is nullptr");
297 callback->OnGetExecutorPropertyResult(GENERAL_ERROR, values);
298 return;
299 }
300
301 std::vector<uint32_t> uint32Keys;
302 FillGetPropertyKeys(authType, keys, uint32Keys);
303 Attributes attr;
304 attr.SetUint32Value(Attributes::ATTR_PROPERTY_MODE, PROPERTY_MODE_GET);
305 attr.SetUint64ArrayValue(Attributes::ATTR_TEMPLATE_ID_LIST, templateIds);
306 attr.SetUint32ArrayValue(Attributes::ATTR_KEY_LIST, uint32Keys);
307
308 int32_t result = resourceNode->GetProperty(attr, values);
309 if (result != SUCCESS) {
310 IAM_LOGE("failed to get property, result = %{public}d", result);
311 }
312 FillGetPropertyValue(authType, keys, values);
313
314 callback->OnGetExecutorPropertyResult(result, values);
315 }
316
SetProperty(int32_t userId, AuthType authType, const Attributes &attributes, sptr<SetExecutorPropertyCallbackInterface> &callback)317 void UserAuthService::SetProperty(int32_t userId, AuthType authType, const Attributes &attributes,
318 sptr<SetExecutorPropertyCallbackInterface> &callback)
319 {
320 IAM_LOGI("start");
321 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
322 if (callback == nullptr) {
323 IAM_LOGE("callback is nullptr");
324 return;
325 }
326 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
327 IAM_LOGE("permission check failed");
328 callback->OnSetExecutorPropertyResult(CHECK_PERMISSION_FAILED);
329 return;
330 }
331
332 std::vector<std::weak_ptr<ResourceNode>> authTypeNodes;
333 GetResourceNodeByTypeAndRole(authType, ALL_IN_ONE, authTypeNodes);
334 if (authTypeNodes.size() != 1) {
335 IAM_LOGE("auth type %{public}d resource node num %{public}zu is not expected",
336 authType, authTypeNodes.size());
337 callback->OnSetExecutorPropertyResult(GENERAL_ERROR);
338 return;
339 }
340
341 auto resourceNode = authTypeNodes[0].lock();
342 if (resourceNode == nullptr) {
343 IAM_LOGE("resourceNode is nullptr");
344 callback->OnSetExecutorPropertyResult(GENERAL_ERROR);
345 return;
346 }
347 int32_t result = resourceNode->SetProperty(attributes);
348 if (result != SUCCESS) {
349 IAM_LOGE("set property failed, result = %{public}d", result);
350 }
351 callback->OnSetExecutorPropertyResult(result);
352 }
353
GetAuthContextCallback(int32_t apiVersion, const std::vector<uint8_t> &challenge, AuthType authType, AuthTrustLevel authTrustLevel, sptr<UserAuthCallbackInterface> &callback)354 std::shared_ptr<ContextCallback> UserAuthService::GetAuthContextCallback(int32_t apiVersion,
355 const std::vector<uint8_t> &challenge, AuthType authType,
356 AuthTrustLevel authTrustLevel, sptr<UserAuthCallbackInterface> &callback)
357 {
358 if (callback == nullptr) {
359 IAM_LOGE("callback is nullptr");
360 return nullptr;
361 }
362 auto contextCallback = ContextCallback::NewInstance(callback, TRACE_AUTH_USER_ALL);
363 if (contextCallback == nullptr) {
364 IAM_LOGE("failed to construct context callback");
365 Attributes extraInfo;
366 callback->OnResult(GENERAL_ERROR, extraInfo);
367 return nullptr;
368 }
369 contextCallback->SetTraceAuthType(authType);
370 contextCallback->SetTraceAuthWidgetType(authType);
371 contextCallback->SetTraceAuthTrustLevel(authTrustLevel);
372 contextCallback->SetTraceSdkVersion(apiVersion);
373 return contextCallback;
374 }
375
CheckAuthPermissionAndParam(int32_t authType, const int32_t &callerType, const std::string &callerName, AuthTrustLevel authTrustLevel)376 int32_t UserAuthService::CheckAuthPermissionAndParam(int32_t authType, const int32_t &callerType,
377 const std::string &callerName, AuthTrustLevel authTrustLevel)
378 {
379 if (!IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
380 IAM_LOGE("failed to check permission");
381 return CHECK_PERMISSION_FAILED;
382 }
383 if (callerType == Security::AccessToken::TOKEN_HAP && (!IpcCommon::CheckForegroundApplication(callerName))) {
384 IAM_LOGE("failed to check foreground application");
385 return CHECK_PERMISSION_FAILED;
386 }
387 if (authType == PIN) {
388 IAM_LOGE("authType not support");
389 return TYPE_NOT_SUPPORT;
390 }
391 if (!CheckAuthTrustLevel(authTrustLevel)) {
392 IAM_LOGE("authTrustLevel is not in correct range");
393 return TRUST_LEVEL_NOT_SUPPORT;
394 }
395 return SUCCESS;
396 }
397
Auth(int32_t apiVersion, const std::vector<uint8_t> &challenge, AuthType authType, AuthTrustLevel authTrustLevel, sptr<UserAuthCallbackInterface> &callback)398 uint64_t UserAuthService::Auth(int32_t apiVersion, const std::vector<uint8_t> &challenge,
399 AuthType authType, AuthTrustLevel authTrustLevel, sptr<UserAuthCallbackInterface> &callback)
400 {
401 IAM_LOGI("start");
402 auto contextCallback = GetAuthContextCallback(apiVersion, challenge, authType, authTrustLevel, callback);
403 if (contextCallback == nullptr) {
404 IAM_LOGE("contextCallback is nullptr");
405 return BAD_CONTEXT_ID;
406 }
407 std::string callerName = "";
408 Attributes extraInfo;
409 int32_t callerType = 0;
410 if ((!IpcCommon::GetCallerName(*this, callerName, callerType))) {
411 IAM_LOGE("get bundle name fail");
412 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth GetCallerName fail");
413 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
414 return BAD_CONTEXT_ID;
415 }
416 contextCallback->SetTraceCallerName(callerName);
417 contextCallback->SetTraceCallerType(callerType);
418 int32_t checkRet = CheckAuthPermissionAndParam(authType, callerType, callerName, authTrustLevel);
419 if (checkRet != SUCCESS) {
420 IAM_LOGE("check auth permission and param fail");
421 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth CheckAuthPermissionAndParam fail");
422 contextCallback->OnResult(checkRet, extraInfo);
423 return BAD_CONTEXT_ID;
424 }
425 int32_t userId = INVALID_USER_ID;
426 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
427 IAM_LOGE("get callingUserId failed");
428 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth GetCallingUserId fail");
429 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
430 return BAD_CONTEXT_ID;
431 }
432 contextCallback->SetTraceUserId(userId);
433 Authentication::AuthenticationPara para = {};
434 para.tokenId = IpcCommon::GetAccessTokenId(*this);
435 para.userId = userId;
436 para.authType = authType;
437 para.atl = authTrustLevel;
438 para.challenge = std::move(challenge);
439 para.endAfterFirstFail = true;
440 para.callerName = callerName;
441 para.callerType = callerType;
442 para.sdkVersion = apiVersion;
443 para.authIntent = AuthIntent::DEFAULT;
444 para.isOsAccountVerified = IpcCommon::IsOsAccountVerified(userId);
445 return StartAuthContext(apiVersion, para, contextCallback);
446 }
447
StartAuthContext(int32_t apiVersion, Authentication::AuthenticationPara para, const std::shared_ptr<ContextCallback> &contextCallback)448 uint64_t UserAuthService::StartAuthContext(int32_t apiVersion, Authentication::AuthenticationPara para,
449 const std::shared_ptr<ContextCallback> &contextCallback)
450 {
451 Attributes extraInfo;
452 auto context = ContextFactory::CreateSimpleAuthContext(para, contextCallback);
453 if (context == nullptr || !ContextPool::Instance().Insert(context)) {
454 IAM_LOGE("failed to insert context");
455 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth insert context fail");
456 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
457 return BAD_CONTEXT_ID;
458 }
459 contextCallback->SetTraceRequestContextId(context->GetContextId());
460 contextCallback->SetTraceAuthContextId(context->GetContextId());
461 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
462
463 if (!context->Start()) {
464 int32_t errorCode = context->GetLatestError();
465 IAM_LOGE("failed to start auth apiVersion:%{public}d errorCode:%{public}d", apiVersion, errorCode);
466 contextCallback->SetTraceAuthFinishReason("UserAuthService Auth start context fail");
467 contextCallback->OnResult(errorCode, extraInfo);
468 return BAD_CONTEXT_ID;
469 }
470 return context->GetContextId();
471 }
472
StartRemoteAuthInvokerContext(AuthParamInner authParam, RemoteAuthInvokerContextParam ¶m, const std::shared_ptr<ContextCallback> &contextCallback)473 uint64_t UserAuthService::StartRemoteAuthInvokerContext(AuthParamInner authParam,
474 RemoteAuthInvokerContextParam ¶m, const std::shared_ptr<ContextCallback> &contextCallback)
475 {
476 Attributes extraInfo;
477 std::shared_ptr<Context> context = ContextFactory::CreateRemoteAuthInvokerContext(authParam, param,
478 contextCallback);
479 if (context == nullptr || !ContextPool::Instance().Insert(context)) {
480 IAM_LOGE("failed to insert context");
481 contextCallback->SetTraceAuthFinishReason("UserAuthService StartRemoteAuthInvokerContext insert context fail");
482 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
483 return BAD_CONTEXT_ID;
484 }
485 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
486 contextCallback->SetTraceRequestContextId(context->GetContextId());
487 contextCallback->SetTraceAuthContextId(context->GetContextId());
488
489 if (!context->Start()) {
490 int32_t errorCode = context->GetLatestError();
491 IAM_LOGE("failed to start auth errorCode:%{public}d", errorCode);
492 contextCallback->SetTraceAuthFinishReason("UserAuthService StartRemoteAuthInvokerContext start context fail");
493 contextCallback->OnResult(errorCode, extraInfo);
494 return BAD_CONTEXT_ID;
495 }
496 return context->GetContextId();
497 }
498
CheckAuthPermissionAndParam(AuthType authType, AuthTrustLevel authTrustLevel, const std::shared_ptr<ContextCallback> &contextCallback, Attributes &extraInfo)499 bool UserAuthService::CheckAuthPermissionAndParam(AuthType authType, AuthTrustLevel authTrustLevel,
500 const std::shared_ptr<ContextCallback> &contextCallback, Attributes &extraInfo)
501 {
502 if (!CheckAuthTrustLevel(authTrustLevel)) {
503 IAM_LOGE("authTrustLevel is not in correct range");
504 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthUser CheckAuthTrustLevel fail");
505 contextCallback->OnResult(TRUST_LEVEL_NOT_SUPPORT, extraInfo);
506 return false;
507 }
508 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
509 IAM_LOGE("failed to check permission");
510 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthUser CheckPermission fail");
511 contextCallback->OnResult(CHECK_PERMISSION_FAILED, extraInfo);
512 return false;
513 }
514 return true;
515 }
516
AuthUser(AuthParamInner &authParam, std::optional<RemoteAuthParam> &remoteAuthParam, sptr<UserAuthCallbackInterface> &callback)517 uint64_t UserAuthService::AuthUser(AuthParamInner &authParam, std::optional<RemoteAuthParam> &remoteAuthParam,
518 sptr<UserAuthCallbackInterface> &callback)
519 {
520 IAM_LOGI("start, %{public}s", GetAuthParamStr(authParam, remoteAuthParam).c_str());
521 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
522 auto contextCallback = GetAuthContextCallback(INNER_API_VERSION_10000, authParam.challenge, authParam.authType,
523 authParam.authTrustLevel, callback);
524 if (contextCallback == nullptr) {
525 IAM_LOGE("contextCallback is nullptr");
526 return BAD_CONTEXT_ID;
527 }
528 contextCallback->SetTraceIsRemoteAuth(remoteAuthParam.has_value());
529 contextCallback->SetTraceUserId(authParam.userId);
530 Attributes extraInfo;
531 Authentication::AuthenticationPara para = {};
532 if ((!IpcCommon::GetCallerName(*this, para.callerName, para.callerType))) {
533 IAM_LOGE("get caller name fail");
534 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthUser GetCallerName fail");
535 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
536 return BAD_CONTEXT_ID;
537 }
538 contextCallback->SetTraceCallerName(para.callerName);
539 contextCallback->SetTraceCallerType(para.callerType);
540 if (CheckAuthPermissionAndParam(authParam.authType, authParam.authTrustLevel, contextCallback,
541 extraInfo) == false) {
542 return BAD_CONTEXT_ID;
543 }
544 para.tokenId = IpcCommon::GetAccessTokenId(*this);
545 para.userId = authParam.userId;
546 para.authType = authParam.authType;
547 para.atl = authParam.authTrustLevel;
548 para.challenge = authParam.challenge;
549 para.endAfterFirstFail = false;
550 para.sdkVersion = INNER_API_VERSION_10000;
551 para.authIntent = authParam.authIntent;
552 para.isOsAccountVerified = IpcCommon::IsOsAccountVerified(authParam.userId);
553 if (!remoteAuthParam.has_value()) {
554 return StartAuthContext(INNER_API_VERSION_10000, para, contextCallback);
555 }
556
557 ResultCode failReason = GENERAL_ERROR;
558 uint64_t contextId = AuthRemoteUser(authParam, para, remoteAuthParam.value(), contextCallback, failReason);
559 if (contextId == BAD_CONTEXT_ID) {
560 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthRemoteUser fail");
561 contextCallback->OnResult(failReason, extraInfo);
562 return BAD_CONTEXT_ID;
563 }
564
565 IAM_LOGI("success");
566 return contextId;
567 }
568
PrepareRemoteAuthInner(const std::string &networkId)569 int32_t UserAuthService::PrepareRemoteAuthInner(const std::string &networkId)
570 {
571 IAM_LOGI("start");
572 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
573 IAM_LOGE("failed to check permission");
574 return CHECK_PERMISSION_FAILED;
575 }
576 if (networkId.empty()) {
577 IAM_LOGE("networkId is empty");
578 return INVALID_PARAMETERS;
579 }
580
581 std::string udid;
582 bool getUdidRet = DeviceManagerUtil::GetInstance().GetUdidByNetworkId(networkId, udid);
583 IF_FALSE_LOGE_AND_RETURN_VAL(getUdidRet, GENERAL_ERROR);
584
585 auto hdi = HdiWrapper::GetHdiInstance();
586 IF_FALSE_LOGE_AND_RETURN_VAL(hdi != nullptr, GENERAL_ERROR);
587
588 int32_t ret = hdi->PrepareRemoteAuth(udid);
589 IF_FALSE_LOGE_AND_RETURN_VAL(ret == HDF_SUCCESS, GENERAL_ERROR);
590
591 IAM_LOGI("success");
592 return SUCCESS;
593 }
594
PrepareRemoteAuth(const std::string &networkId, sptr<UserAuthCallbackInterface> &callback)595 int32_t UserAuthService::PrepareRemoteAuth(const std::string &networkId, sptr<UserAuthCallbackInterface> &callback)
596 {
597 IAM_LOGI("start");
598 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
599 if (callback == nullptr) {
600 IAM_LOGE("callback is nullptr");
601 return INVALID_PARAMETERS;
602 }
603
604 int32_t ret = PrepareRemoteAuthInner(networkId);
605 if (ret != SUCCESS) {
606 IAM_LOGE("failed to prepare remote auth");
607 }
608
609 Attributes attr;
610 callback->OnResult(ret, attr);
611
612 IAM_LOGI("success");
613 return SUCCESS;
614 }
615
AuthRemoteUser(AuthParamInner &authParam, Authentication::AuthenticationPara ¶, RemoteAuthParam &remoteAuthParam, const std::shared_ptr<ContextCallback> &contextCallback, ResultCode &failReason)616 uint64_t UserAuthService::AuthRemoteUser(AuthParamInner &authParam, Authentication::AuthenticationPara ¶,
617 RemoteAuthParam &remoteAuthParam, const std::shared_ptr<ContextCallback> &contextCallback, ResultCode &failReason)
618 {
619 IAM_LOGI("start");
620 failReason = GENERAL_ERROR;
621
622 if (para.authType != PIN) {
623 IAM_LOGE("Remote auth only support pin auth");
624 failReason = INVALID_PARAMETERS;
625 return BAD_CONTEXT_ID;
626 }
627
628 if (authParam.userId == INVALID_USER_ID) {
629 IAM_LOGE("userid must be set for remote auth");
630 failReason = INVALID_PARAMETERS;
631 return BAD_CONTEXT_ID;
632 }
633
634 std::string localNetworkId;
635 bool getNetworkIdRet = DeviceManagerUtil::GetInstance().GetLocalDeviceNetWorkId(localNetworkId);
636 IF_FALSE_LOGE_AND_RETURN_VAL(getNetworkIdRet, BAD_CONTEXT_ID);
637
638 bool completeRet = CompleteRemoteAuthParam(remoteAuthParam, localNetworkId);
639 if (!completeRet) {
640 IAM_LOGE("failed to complete remote auth param");
641 failReason = INVALID_PARAMETERS;
642 return BAD_CONTEXT_ID;
643 }
644
645 if (remoteAuthParam.collectorTokenId.has_value()) {
646 para.collectorTokenId = remoteAuthParam.collectorTokenId.value();
647 } else {
648 para.collectorTokenId = para.tokenId;
649 }
650
651 if (remoteAuthParam.collectorNetworkId.value() == localNetworkId) {
652 RemoteAuthInvokerContextParam remoteAuthInvokerContextParam;
653 remoteAuthInvokerContextParam.connectionName = "";
654 remoteAuthInvokerContextParam.verifierNetworkId = remoteAuthParam.verifierNetworkId.value();
655 remoteAuthInvokerContextParam.collectorNetworkId = remoteAuthParam.collectorNetworkId.value();
656 remoteAuthInvokerContextParam.tokenId = para.tokenId;
657 remoteAuthInvokerContextParam.collectorTokenId = para.collectorTokenId;
658 remoteAuthInvokerContextParam.callerName = para.callerName;
659 remoteAuthInvokerContextParam.callerType = para.callerType;
660 IAM_LOGI("start remote auth invoker context");
661 return StartRemoteAuthInvokerContext(authParam, remoteAuthInvokerContextParam, contextCallback);
662 }
663
664 RemoteAuthContextParam remoteAuthContextParam;
665 remoteAuthContextParam.authType = authParam.authType;
666 remoteAuthContextParam.connectionName = "";
667 remoteAuthContextParam.collectorNetworkId = remoteAuthParam.collectorNetworkId.value();
668 remoteAuthContextParam.executorInfoMsg = {};
669 int32_t dummyLastError = 0;
670 IAM_LOGI("start remote auth context");
671 return RemoteAuthService::GetInstance().StartRemoteAuthContext(
672 para, remoteAuthContextParam, contextCallback, dummyLastError);
673 }
674
Identify(const std::vector<uint8_t> &challenge, AuthType authType, sptr<UserAuthCallbackInterface> &callback)675 uint64_t UserAuthService::Identify(const std::vector<uint8_t> &challenge, AuthType authType,
676 sptr<UserAuthCallbackInterface> &callback)
677 {
678 IAM_LOGI("start");
679 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
680
681 if (callback == nullptr) {
682 IAM_LOGE("callback is nullptr");
683 return BAD_CONTEXT_ID;
684 }
685 Attributes extraInfo;
686 auto contextCallback = ContextCallback::NewInstance(callback, TRACE_IDENTIFY);
687 if (contextCallback == nullptr) {
688 IAM_LOGE("failed to construct context callback");
689 callback->OnResult(GENERAL_ERROR, extraInfo);
690 return BAD_CONTEXT_ID;
691 }
692 if (authType == PIN) {
693 IAM_LOGE("type not support %{public}d", authType);
694 contextCallback->SetTraceAuthFinishReason("UserAuthService Identify IsAuthTypeEnable fail");
695 contextCallback->OnResult(TYPE_NOT_SUPPORT, extraInfo);
696 return BAD_CONTEXT_ID;
697 }
698 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
699 IAM_LOGE("failed to check permission");
700 contextCallback->SetTraceAuthFinishReason("UserAuthService Identify CheckPermission fail");
701 contextCallback->OnResult(CHECK_PERMISSION_FAILED, extraInfo);
702 return BAD_CONTEXT_ID;
703 }
704
705 Identification::IdentificationPara para = {};
706 para.tokenId = IpcCommon::GetAccessTokenId(*this);
707 para.authType = authType;
708 para.challenge = std::move(challenge);
709 auto context = ContextFactory::CreateIdentifyContext(para, contextCallback);
710 if (!ContextPool::Instance().Insert(context)) {
711 IAM_LOGE("failed to insert context");
712 contextCallback->SetTraceAuthFinishReason("UserAuthService Identify insert context fail");
713 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
714 return BAD_CONTEXT_ID;
715 }
716
717 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
718
719 if (!context->Start()) {
720 IAM_LOGE("failed to start identify");
721 contextCallback->SetTraceAuthFinishReason("UserAuthService Identify start context fail");
722 contextCallback->OnResult(context->GetLatestError(), extraInfo);
723 return BAD_CONTEXT_ID;
724 }
725 return context->GetContextId();
726 }
727
CancelAuthOrIdentify(uint64_t contextId)728 int32_t UserAuthService::CancelAuthOrIdentify(uint64_t contextId)
729 {
730 IAM_LOGI("start");
731 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
732 bool checkRet = !IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
733 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION);
734 if (checkRet) {
735 IAM_LOGE("failed to check permission");
736 return CHECK_PERMISSION_FAILED;
737 }
738 auto context = ContextPool::Instance().Select(contextId).lock();
739 if (context == nullptr) {
740 IAM_LOGE("context not exist");
741 return GENERAL_ERROR;
742 }
743
744 if (context->GetTokenId() != IpcCommon::GetAccessTokenId(*this)) {
745 IAM_LOGE("failed to check tokenId");
746 return INVALID_CONTEXT_ID;
747 }
748
749 if (!context->Stop()) {
750 IAM_LOGE("failed to cancel auth or identify");
751 return context->GetLatestError();
752 }
753
754 return SUCCESS;
755 }
756
GetVersion(int32_t &version)757 int32_t UserAuthService::GetVersion(int32_t &version)
758 {
759 IAM_LOGI("start");
760 version = MINIMUM_VERSION;
761 bool checkRet = !IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
762 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION);
763 if (checkRet) {
764 IAM_LOGE("failed to check permission");
765 return CHECK_PERMISSION_FAILED;
766 }
767 version = CURRENT_VERSION;
768 return SUCCESS;
769 }
770
CheckAuthWidgetType(const std::vector<AuthType> &authType)771 int32_t UserAuthService::CheckAuthWidgetType(const std::vector<AuthType> &authType)
772 {
773 if (authType.empty() || (authType.size() > MAX_AUTH_TYPE_SIZE)) {
774 IAM_LOGE("invalid authType size:%{public}zu", authType.size());
775 return INVALID_PARAMETERS;
776 }
777 for (auto &type : authType) {
778 if ((type != AuthType::PIN) && (type != AuthType::FACE) && (type != AuthType::FINGERPRINT)) {
779 IAM_LOGE("unsupport auth type %{public}d", type);
780 return TYPE_NOT_SUPPORT;
781 }
782 }
783 std::set<AuthType> typeChecker(authType.begin(), authType.end());
784 if (typeChecker.size() != authType.size()) {
785 IAM_LOGE("duplicate auth type");
786 return INVALID_PARAMETERS;
787 }
788 return SUCCESS;
789 }
790
CheckSingeFaceOrFinger(const std::vector<AuthType> &authType)791 bool UserAuthService::CheckSingeFaceOrFinger(const std::vector<AuthType> &authType)
792 {
793 const size_t sizeOne = 1;
794 const size_t type0 = 0;
795 if (authType.size() != sizeOne) {
796 return false;
797 }
798 if (authType[type0] == AuthType::FACE) {
799 return true;
800 }
801 if (authType[type0] == AuthType::FINGERPRINT) {
802 return true;
803 }
804 return false;
805 }
806
CheckAuthPermissionAndParam(const AuthParamInner &authParam, const WidgetParam &widgetParam, bool isBackgroundApplication)807 int32_t UserAuthService::CheckAuthPermissionAndParam(const AuthParamInner &authParam, const WidgetParam &widgetParam,
808 bool isBackgroundApplication)
809 {
810 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP) &&
811 (widgetParam.windowMode != WindowModeType::UNKNOWN_WINDOW_MODE)) {
812 IAM_LOGE("normal app can't set window mode.");
813 return INVALID_PARAMETERS;
814 }
815 if (!authParam.isUserIdSpecified && !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
816 IAM_LOGE("CheckPermission failed");
817 return CHECK_PERMISSION_FAILED;
818 }
819 if (authParam.isUserIdSpecified && !IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
820 IAM_LOGE("CheckPermission failed");
821 return CHECK_PERMISSION_FAILED;
822 }
823 if (isBackgroundApplication && (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP))) {
824 IAM_LOGE("failed to check foreground application");
825 return CHECK_PERMISSION_FAILED;
826 }
827 int32_t ret = CheckAuthWidgetType(authParam.authTypes);
828 if (ret != SUCCESS) {
829 IAM_LOGE("CheckAuthWidgetType fail.");
830 return ret;
831 }
832 if (!CheckAuthTrustLevel(authParam.authTrustLevel)) {
833 IAM_LOGE("authTrustLevel is not in correct range");
834 return ResultCode::TRUST_LEVEL_NOT_SUPPORT;
835 }
836 static const size_t authTypeTwo = 2;
837 static const size_t authType0 = 0;
838 static const size_t authType1 = 1;
839 std::vector<AuthType> authType = authParam.authTypes;
840 if (((authType.size() == authTypeTwo) &&
841 (authType[authType0] == AuthType::FACE) && (authType[authType1] == AuthType::FINGERPRINT)) ||
842 ((authType.size() == authTypeTwo) &&
843 (authType[authType0] == AuthType::FINGERPRINT) && (authType[authType1] == AuthType::FACE))) {
844 IAM_LOGE("only face and finger not support");
845 return INVALID_PARAMETERS;
846 }
847 if (widgetParam.title.empty()) {
848 IAM_LOGE("title is empty");
849 return INVALID_PARAMETERS;
850 }
851 return SUCCESS;
852 }
853
StartWidgetContext(const std::shared_ptr<ContextCallback> &contextCallback, const AuthParamInner &authParam, const WidgetParam &widgetParam, std::vector<AuthType> &validType, ContextFactory::AuthWidgetContextPara ¶)854 uint64_t UserAuthService::StartWidgetContext(const std::shared_ptr<ContextCallback> &contextCallback,
855 const AuthParamInner &authParam, const WidgetParam &widgetParam, std::vector<AuthType> &validType,
856 ContextFactory::AuthWidgetContextPara ¶)
857 {
858 Attributes extraInfo;
859 para.tokenId = IpcCommon::GetAccessTokenId(*this);
860 para.isOsAccountVerified = IpcCommon::IsOsAccountVerified(para.userId);
861 if (!AuthWidgetHelper::InitWidgetContextParam(authParam, validType, widgetParam, para)) {
862 IAM_LOGE("init widgetContext failed");
863 contextCallback->SetTraceAuthFinishReason("UserAuthService InitWidgetContextParam fail");
864 contextCallback->OnResult(ResultCode::GENERAL_ERROR, extraInfo);
865 return BAD_CONTEXT_ID;
866 }
867 auto context = ContextFactory::CreateWidgetContext(para, contextCallback);
868 if (context == nullptr || !Insert2ContextPool(context)) {
869 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget insert context fail");
870 contextCallback->OnResult(ResultCode::GENERAL_ERROR, extraInfo);
871 return BAD_CONTEXT_ID;
872 }
873 contextCallback->SetTraceRequestContextId(context->GetContextId());
874 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
875 if (!context->Start()) {
876 int32_t errorCode = context->GetLatestError();
877 IAM_LOGE("start widget context fail %{public}d", errorCode);
878 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget start context fail");
879 contextCallback->OnResult(errorCode, extraInfo);
880 return BAD_CONTEXT_ID;
881 }
882 return context->GetContextId();
883 }
884
CheckValidSolution(int32_t userId, const AuthParamInner &authParam, const WidgetParam &widgetParam, std::vector<AuthType> &validType)885 int32_t UserAuthService::CheckValidSolution(int32_t userId, const AuthParamInner &authParam,
886 const WidgetParam &widgetParam, std::vector<AuthType> &validType)
887 {
888 int32_t ret = AuthWidgetHelper::CheckValidSolution(
889 userId, authParam.authTypes, authParam.authTrustLevel, validType);
890 if (ret != SUCCESS) {
891 IAM_LOGE("CheckValidSolution fail %{public}d", ret);
892 return ret;
893 }
894 if (!widgetParam.navigationButtonText.empty() && !CheckSingeFaceOrFinger(validType)) {
895 IAM_LOGE("navigationButtonText check fail, validType.size:%{public}zu", validType.size());
896 return INVALID_PARAMETERS;
897 }
898 if (widgetParam.windowMode == FULLSCREEN && CheckSingeFaceOrFinger(validType)) {
899 IAM_LOGE("Single fingerprint or single face does not support full screen");
900 return INVALID_PARAMETERS;
901 }
902 return SUCCESS;
903 }
904
GetCallerInfo(bool isUserIdSpecified, int32_t userId, ContextFactory::AuthWidgetContextPara ¶, bool &isBackgroundApplication, std::shared_ptr<ContextCallback> &contextCallback)905 int32_t UserAuthService::GetCallerInfo(bool isUserIdSpecified, int32_t userId,
906 ContextFactory::AuthWidgetContextPara ¶, bool &isBackgroundApplication,
907 std::shared_ptr<ContextCallback> &contextCallback)
908 {
909 static_cast<void>(IpcCommon::GetCallerName(*this, para.callerName, para.callerType));
910 contextCallback->SetTraceCallerName(para.callerName);
911 contextCallback->SetTraceCallerType(para.callerType);
912 static_cast<void>(IpcCommon::GetCallingAppID(*this, para.callingAppID));
913
914 if (para.sdkVersion < INNER_API_VERSION_10000 && para.callerType == Security::AccessToken::TOKEN_HAP &&
915 (!IpcCommon::CheckForegroundApplication(para.callerName))) {
916 isBackgroundApplication = true;
917 }
918 contextCallback->SetTraceIsBackgroundApplication(isBackgroundApplication);
919
920 if (isUserIdSpecified) {
921 para.userId = userId;
922 contextCallback->SetTraceUserId(para.userId);
923 return SUCCESS;
924 }
925 if (IpcCommon::GetCallingUserId(*this, para.userId) != SUCCESS) {
926 IAM_LOGE("get callingUserId failed");
927 return GENERAL_ERROR;
928 }
929 contextCallback->SetTraceUserId(para.userId);
930 return SUCCESS;
931 }
932
AuthWidget(int32_t apiVersion, const AuthParamInner &authParam, const WidgetParam &widgetParam, sptr<UserAuthCallbackInterface> &callback)933 uint64_t UserAuthService::AuthWidget(int32_t apiVersion, const AuthParamInner &authParam,
934 const WidgetParam &widgetParam, sptr<UserAuthCallbackInterface> &callback)
935 {
936 IAM_LOGI("start %{public}d authTrustLevel:%{public}u", apiVersion, authParam.authTrustLevel);
937 auto contextCallback = GetAuthContextCallback(apiVersion, authParam, widgetParam, callback);
938 if (contextCallback == nullptr) {
939 IAM_LOGE("contextCallback is nullptr");
940 return BAD_CONTEXT_ID;
941 }
942 ContextFactory::AuthWidgetContextPara para;
943 para.sdkVersion = apiVersion;
944 Attributes extraInfo;
945 bool isBackgroundApplication = false;
946 int32_t checkRet = GetCallerInfo(authParam.isUserIdSpecified, authParam.userId, para, isBackgroundApplication,
947 contextCallback);
948 if (checkRet != SUCCESS) {
949 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget GetCallerInfo fail");
950 contextCallback->OnResult(checkRet, extraInfo);
951 return BAD_CONTEXT_ID;
952 }
953 checkRet = CheckAuthPermissionAndParam(authParam, widgetParam, isBackgroundApplication);
954 if (checkRet != SUCCESS) {
955 IAM_LOGE("check permission and auth widget param failed");
956 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget CheckAuthPermissionAndParam fail");
957 contextCallback->OnResult(checkRet, extraInfo);
958 return BAD_CONTEXT_ID;
959 }
960
961 if (AuthWidgetHelper::CheckReuseUnlockResult(para, authParam, extraInfo) == SUCCESS) {
962 IAM_LOGE("check reuse unlock result success");
963 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget CheckReuseUnlockResult success");
964 contextCallback->OnResult(SUCCESS, extraInfo);
965 return REUSE_AUTH_RESULT_CONTEXT_ID;
966 }
967 std::vector<AuthType> validType;
968 checkRet = CheckValidSolution(para.userId, authParam, widgetParam, validType);
969 if (checkRet != SUCCESS && checkRet != PIN_EXPIRED) {
970 IAM_LOGE("check valid solution failed");
971 contextCallback->SetTraceAuthFinishReason("UserAuthService AuthWidget CheckValidSolution fail");
972 contextCallback->OnResult(checkRet, extraInfo);
973 return BAD_CONTEXT_ID;
974 }
975 if (checkRet == PIN_EXPIRED) {
976 para.isPinExpired = true;
977 validType.emplace_back(AuthType::PIN);
978 }
979 return StartWidgetContext(contextCallback, authParam, widgetParam, validType, para);
980 }
981
Insert2ContextPool(const std::shared_ptr<Context> &context)982 bool UserAuthService::Insert2ContextPool(const std::shared_ptr<Context> &context)
983 {
984 bool ret = false;
985 const int32_t retryTimes = 3;
986 for (auto i = 0; i < retryTimes; i++) {
987 ret = ContextPool::Instance().Insert(context);
988 if (ret) {
989 break;
990 }
991 }
992 IAM_LOGI("insert context to pool, retry %{public}d times", retryTimes);
993 return ret;
994 }
995
GetAuthContextCallback(int32_t apiVersion, const AuthParamInner &authParam, const WidgetParam &widgetParam, sptr<UserAuthCallbackInterface> &callback)996 std::shared_ptr<ContextCallback> UserAuthService::GetAuthContextCallback(int32_t apiVersion,
997 const AuthParamInner &authParam, const WidgetParam &widgetParam, sptr<UserAuthCallbackInterface> &callback)
998 {
999 if (callback == nullptr) {
1000 IAM_LOGE("callback is nullptr");
1001 return nullptr;
1002 }
1003 auto contextCallback = ContextCallback::NewInstance(callback, TRACE_AUTH_USER_BEHAVIOR);
1004 if (contextCallback == nullptr) {
1005 IAM_LOGE("failed to construct context callback");
1006 Attributes extraInfo;
1007 callback->OnResult(ResultCode::GENERAL_ERROR, extraInfo);
1008 return nullptr;
1009 }
1010 contextCallback->SetTraceSdkVersion(apiVersion);
1011 contextCallback->SetTraceAuthTrustLevel(authParam.authTrustLevel);
1012
1013 uint32_t authWidgetType = 0;
1014 for (const auto authType : authParam.authTypes) {
1015 authWidgetType |= static_cast<uint32_t>(authType);
1016 }
1017 static const uint32_t bitWindowMode = 0x40000000;
1018 if (widgetParam.windowMode == FULLSCREEN) {
1019 authWidgetType |= bitWindowMode;
1020 }
1021 static const uint32_t bitNavigation = 0x80000000;
1022 if (!widgetParam.navigationButtonText.empty()) {
1023 authWidgetType |= bitNavigation;
1024 }
1025 IAM_LOGI("SetTraceAuthWidgetType %{public}08x", authWidgetType);
1026 contextCallback->SetTraceAuthWidgetType(authWidgetType);
1027 uint32_t traceReuseMode = 0;
1028 uint64_t traceReuseDuration = 0;
1029 if (authParam.reuseUnlockResult.isReuse) {
1030 traceReuseMode = authParam.reuseUnlockResult.reuseMode;
1031 traceReuseDuration = authParam.reuseUnlockResult.reuseDuration;
1032 }
1033 contextCallback->SetTraceReuseUnlockResultMode(traceReuseMode);
1034 contextCallback->SetTraceReuseUnlockResultDuration(traceReuseDuration);
1035 return contextCallback;
1036 }
1037
Notice(NoticeType noticeType, const std::string &eventData)1038 int32_t UserAuthService::Notice(NoticeType noticeType, const std::string &eventData)
1039 {
1040 IAM_LOGI("start");
1041 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
1042 IAM_LOGE("the caller is not a system application");
1043 return ResultCode::CHECK_SYSTEM_APP_FAILED;
1044 }
1045
1046 if (!IpcCommon::CheckPermission(*this, SUPPORT_USER_AUTH)) {
1047 IAM_LOGE("failed to check permission");
1048 return ResultCode::CHECK_PERMISSION_FAILED;
1049 }
1050 return WidgetClient::Instance().OnNotice(noticeType, eventData);
1051 }
1052
RegisterWidgetCallback(int32_t version, sptr<WidgetCallbackInterface> &callback)1053 int32_t UserAuthService::RegisterWidgetCallback(int32_t version, sptr<WidgetCallbackInterface> &callback)
1054 {
1055 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
1056 IAM_LOGE("the caller is not a system application");
1057 return ResultCode::CHECK_SYSTEM_APP_FAILED;
1058 }
1059
1060 if (!IpcCommon::CheckPermission(*this, SUPPORT_USER_AUTH)) {
1061 IAM_LOGE("CheckPermission failed, no permission");
1062 return ResultCode::CHECK_PERMISSION_FAILED;
1063 }
1064
1065 uint32_t tokenId = IpcCommon::GetTokenId(*this);
1066 IAM_LOGE("RegisterWidgetCallback tokenId %{public}s", GET_MASKED_STRING(tokenId).c_str());
1067
1068 int32_t curVersion = std::stoi(NOTICE_VERSION_STR);
1069 if (version != curVersion) {
1070 return ResultCode::INVALID_PARAMETERS;
1071 }
1072 if (callback == nullptr) {
1073 IAM_LOGE("callback is nullptr");
1074 return ResultCode::INVALID_PARAMETERS;
1075 }
1076 WidgetClient::Instance().SetWidgetCallback(callback);
1077 WidgetClient::Instance().SetAuthTokenId(tokenId);
1078 return ResultCode::SUCCESS;
1079 }
1080
GetEnrolledState(int32_t apiVersion, AuthType authType, EnrolledState &enrolledState)1081 int32_t UserAuthService::GetEnrolledState(int32_t apiVersion, AuthType authType,
1082 EnrolledState &enrolledState)
1083 {
1084 IAM_LOGI("start");
1085
1086 if (!IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
1087 IAM_LOGE("failed to check permission");
1088 return CHECK_PERMISSION_FAILED;
1089 }
1090
1091 if (apiVersion < API_VERSION_12) {
1092 IAM_LOGE("failed to check apiVersion");
1093 return TYPE_NOT_SUPPORT;
1094 }
1095
1096 int32_t userId = INVALID_USER_ID;
1097 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
1098 IAM_LOGE("failed to get callingUserId");
1099 return GENERAL_ERROR;
1100 }
1101
1102 auto hdi = HdiWrapper::GetHdiInstance();
1103 if (hdi == nullptr) {
1104 IAM_LOGE("hdi interface is nullptr");
1105 return GENERAL_ERROR;
1106 }
1107 HdiEnrolledState hdiEnrolledState = {};
1108 int32_t result = hdi->GetEnrolledState(userId, static_cast<HdiAuthType>(authType), hdiEnrolledState);
1109 if (result != SUCCESS) {
1110 IAM_LOGE("failed to get enrolled state,userId:%{public}d authType:%{public}d", userId, authType);
1111 return result;
1112 }
1113 enrolledState.credentialCount = hdiEnrolledState.credentialCount;
1114 enrolledState.credentialDigest = hdiEnrolledState.credentialDigest;
1115 if (apiVersion < INNER_API_VERSION_10000) {
1116 enrolledState.credentialDigest = hdiEnrolledState.credentialDigest & UINT16_MAX;
1117 }
1118 return SUCCESS;
1119 }
1120
CheckAuthTypeIsValid(std::vector<AuthType> authType)1121 bool UserAuthService::CheckAuthTypeIsValid(std::vector<AuthType> authType)
1122 {
1123 if (authType.empty()) {
1124 return false;
1125 }
1126 for (const auto &iter : authType) {
1127 if (iter != AuthType::PIN && iter != AuthType::FACE && iter != AuthType::FINGERPRINT) {
1128 return false;
1129 }
1130 }
1131 return true;
1132 }
1133
RegistUserAuthSuccessEventListener(const std::vector<AuthType> &authType, const sptr<AuthEventListenerInterface> &listener)1134 int32_t UserAuthService::RegistUserAuthSuccessEventListener(const std::vector<AuthType> &authType,
1135 const sptr<AuthEventListenerInterface> &listener)
1136 {
1137 IAM_LOGI("start");
1138 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1139 IF_FALSE_LOGE_AND_RETURN_VAL(listener != nullptr, INVALID_PARAMETERS);
1140
1141 if (!CheckAuthTypeIsValid(authType)) {
1142 IAM_LOGE("failed to check authType");
1143 return INVALID_PARAMETERS;
1144 }
1145
1146 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1147 IAM_LOGE("failed to check permission");
1148 return CHECK_PERMISSION_FAILED;
1149 }
1150
1151 int32_t result = AuthEventListenerManager::GetInstance().RegistUserAuthSuccessEventListener(authType, listener);
1152 if (result != SUCCESS) {
1153 IAM_LOGE("failed to regist auth event listener");
1154 return result;
1155 }
1156
1157 return SUCCESS;
1158 }
1159
UnRegistUserAuthSuccessEventListener( const sptr<AuthEventListenerInterface> &listener)1160 int32_t UserAuthService::UnRegistUserAuthSuccessEventListener(
1161 const sptr<AuthEventListenerInterface> &listener)
1162 {
1163 IAM_LOGI("start");
1164 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1165 IF_FALSE_LOGE_AND_RETURN_VAL(listener != nullptr, INVALID_PARAMETERS);
1166
1167 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1168 IAM_LOGE("failed to check permission");
1169 return CHECK_PERMISSION_FAILED;
1170 }
1171
1172 int32_t result = AuthEventListenerManager::GetInstance().UnRegistUserAuthSuccessEventListener(listener);
1173 if (result != SUCCESS) {
1174 IAM_LOGE("failed to unregist auth event listener");
1175 return result;
1176 }
1177
1178 return SUCCESS;
1179 }
1180
SetGlobalConfigParam(const GlobalConfigParam ¶m)1181 int32_t UserAuthService::SetGlobalConfigParam(const GlobalConfigParam ¶m)
1182 {
1183 IAM_LOGI("start, GlobalConfigType is %{public}d, userIds size %{public}zu, authTypes size %{public}zu",
1184 param.type, param.userIds.size(), param.authTypes.size());
1185 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1186 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1187 IAM_LOGE("failed to check permission");
1188 return CHECK_PERMISSION_FAILED;
1189 }
1190 if (param.userIds.size() > MAX_USER || param.authTypes.size() > MAX_AUTH_TYPE_SIZE ||
1191 param.authTypes.size() == 0) {
1192 IAM_LOGE("bad global config param");
1193 return INVALID_PARAMETERS;
1194 }
1195
1196 HdiGlobalConfigParam paramConfig = {};
1197 switch (param.type) {
1198 case GlobalConfigType::PIN_EXPIRED_PERIOD:
1199 if (param.authTypes.size() != 1 || param.authTypes[0] != PIN) {
1200 IAM_LOGE("bad authTypes for PIN_EXPIRED_PERIOD");
1201 return INVALID_PARAMETERS;
1202 }
1203 paramConfig.value.pinExpiredPeriod = param.value.pinExpiredPeriod;
1204 break;
1205 case GlobalConfigType::ENABLE_STATUS:
1206 paramConfig.value.enableStatus = param.value.enableStatus;
1207 break;
1208 default:
1209 IAM_LOGE("bad global config type");
1210 return INVALID_PARAMETERS;
1211 }
1212 paramConfig.type = static_cast<HdiGlobalConfigType>(param.type);
1213 paramConfig.userIds = param.userIds;
1214 for (const auto authType : param.authTypes) {
1215 paramConfig.authTypes.push_back(authType);
1216 }
1217 auto hdi = HdiWrapper::GetHdiInstance();
1218 if (hdi == nullptr) {
1219 IAM_LOGE("hdi interface is nullptr");
1220 return GENERAL_ERROR;
1221 }
1222 int32_t result = hdi->SetGlobalConfigParam(paramConfig);
1223 if (result != SUCCESS) {
1224 IAM_LOGE("failed to Set global config param");
1225 return result;
1226 }
1227
1228 return SUCCESS;
1229 }
1230
CompleteRemoteAuthParam(RemoteAuthParam &remoteAuthParam, const std::string &localNetworkId)1231 bool UserAuthService::CompleteRemoteAuthParam(RemoteAuthParam &remoteAuthParam, const std::string &localNetworkId)
1232 {
1233 IAM_LOGI("start");
1234 if (remoteAuthParam.verifierNetworkId.has_value() && remoteAuthParam.verifierNetworkId->size() !=
1235 NETWORK_ID_LENGTH) {
1236 IAM_LOGE("invalid verifierNetworkId size");
1237 return false;
1238 }
1239
1240 if (remoteAuthParam.collectorNetworkId.has_value() && remoteAuthParam.collectorNetworkId->size() !=
1241 NETWORK_ID_LENGTH) {
1242 IAM_LOGE("invalid collectorNetworkId size");
1243 return false;
1244 }
1245
1246 if (!remoteAuthParam.verifierNetworkId.has_value() && !remoteAuthParam.collectorNetworkId.has_value()) {
1247 IAM_LOGE("neither verifierNetworkId nor collectorNetworkId is set");
1248 return false;
1249 } else if (remoteAuthParam.verifierNetworkId.has_value() && !remoteAuthParam.collectorNetworkId.has_value()) {
1250 IAM_LOGI("collectorNetworkId not set, verifierNetworkId set, use local networkId as collectorNetworkId");
1251 remoteAuthParam.collectorNetworkId = localNetworkId;
1252 } else if (!remoteAuthParam.verifierNetworkId.has_value() && remoteAuthParam.collectorNetworkId.has_value()) {
1253 IAM_LOGI("verifierNetworkId not set, collectorNetworkId set, use local networkId as verifierNetworkId");
1254 remoteAuthParam.verifierNetworkId = localNetworkId;
1255 }
1256
1257 if (remoteAuthParam.verifierNetworkId.value() != localNetworkId &&
1258 remoteAuthParam.collectorNetworkId.value() != localNetworkId) {
1259 IAM_LOGE("both verifierNetworkId and collectorNetworkId are not local networkId");
1260 return false;
1261 }
1262
1263 if (remoteAuthParam.verifierNetworkId.value() == remoteAuthParam.collectorNetworkId.value()) {
1264 IAM_LOGE("verifierNetworkId and collectorNetworkId are the same");
1265 return false;
1266 }
1267
1268 if (remoteAuthParam.verifierNetworkId == localNetworkId && !remoteAuthParam.collectorTokenId.has_value()) {
1269 IAM_LOGE("this device is verifier, collectorTokenId not set");
1270 return false;
1271 }
1272
1273 if (remoteAuthParam.collectorNetworkId == localNetworkId && !remoteAuthParam.collectorTokenId.has_value()) {
1274 IAM_LOGI("this device is collector, update collectorTokenId with caller token id");
1275 remoteAuthParam.collectorTokenId = IpcCommon::GetAccessTokenId(*this);
1276 }
1277
1278 IAM_LOGI("success");
1279 return true;
1280 }
1281 } // namespace UserAuth
1282 } // namespace UserIam
1283 } // namespace OHOS