/*
 * Copyright (c) 2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
15
16#include "permission_helper.h"
17
18#include "ipc_skeleton.h"
19#include "tokenid_kit.h"
20
21#include "mmi_log.h"
22#include "proto.h"
23
24#undef MMI_LOG_DOMAIN
25#define MMI_LOG_DOMAIN MMI_LOG_SERVER
26#undef MMI_LOG_TAG
27#define MMI_LOG_TAG "PermissionHelper"
28
29namespace OHOS {
30namespace MMI {
/**
 * Decide whether the current IPC caller may use a system-only API.
 *
 * Native and shell tokens are accepted on token type alone. Any other caller
 * must be reported as a system application for its full token ID.
 *
 * @return true when the caller is accepted, false otherwise.
 */
bool PermissionHelper::VerifySystemApp()
{
    MMI_HILOGD("Verify system App");
    const auto callingToken = IPCSkeleton::GetCallingTokenID();
    const auto callerType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callingToken);
    MMI_HILOGD("Token type is %{public}d", static_cast<int32_t>(callerType));

    // NOTE(review): shell tokens take the same shortcut as native tokens, and the
    // debug line below says "native" for both. Confirm that treating shell callers
    // as system callers is intended on production builds.
    const bool isNative = callerType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE;
    const bool isShell = callerType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL;
    if (isNative || isShell) {
        MMI_HILOGD("Called tokenType is native, verify success");
        return true;
    }

    // The system-app check uses the 64-bit full token ID, not the 32-bit token ID above.
    const uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
    if (OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)) {
        return true;
    }
    MMI_HILOGE("System api is called by non-system app");
    return false;
}
49
// Gate for input monitoring: returns CheckHapPermission's verdict for
// "ohos.permission.INPUT_MONITORING" on the current IPC caller. CheckHapPermission
// accepts shell tokens without a permission lookup.
bool PermissionHelper::CheckMonitor()
{
    CALL_DEBUG_ENTER;
    const std::string requiredPermission { "ohos.permission.INPUT_MONITORING" };
    return CheckHapPermission(requiredPermission);
}
56
// Gate for input interception: returns CheckHapPermission's verdict for
// "ohos.permission.INTERCEPT_INPUT_EVENT" on the current IPC caller. CheckHapPermission
// accepts shell tokens without a permission lookup.
bool PermissionHelper::CheckInterceptor()
{
    CALL_DEBUG_ENTER;
    const std::string requiredPermission { "ohos.permission.INTERCEPT_INPUT_EVENT" };
    return CheckHapPermission(requiredPermission);
}
63
// Gate for the infrared emitter: returns CheckHapPermission's verdict for
// "ohos.permission.MANAGE_INPUT_INFRARED_EMITTER" on the current IPC caller.
// CheckHapPermission accepts shell tokens without a permission lookup.
bool PermissionHelper::CheckInfraredEmmit()
{
    CALL_DEBUG_ENTER;
    const std::string requiredPermission { "ohos.permission.MANAGE_INPUT_INFRARED_EMITTER" };
    return CheckHapPermission(requiredPermission);
}
70
// Gate for event injection: returns CheckHapPermission's verdict for
// "ohos.permission.INJECT_INPUT_EVENT" on the current IPC caller. CheckHapPermission
// accepts shell tokens without a permission lookup.
bool PermissionHelper::CheckAuthorize()
{
    CALL_DEBUG_ENTER;
    const std::string requiredPermission { "ohos.permission.INJECT_INPUT_EVENT" };
    return CheckHapPermission(requiredPermission);
}
77
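/**
 * Check whether the current IPC caller holds a permission.
 *
 * The caller is identified by IPCSkeleton::GetCallingTokenID(). HAP and native
 * tokens are verified with AccessTokenKit::VerifyAccessToken. Shell tokens are
 * accepted without a lookup, and any other token type is rejected.
 *
 * @param permissionCode Permission name to verify, e.g. "ohos.permission.INPUT_MONITORING".
 * @return true when access is allowed, false otherwise.
 */
bool PermissionHelper::CheckHapPermission(const std::string permissionCode)
{
    CALL_DEBUG_ENTER;
    auto tokenId = IPCSkeleton::GetCallingTokenID();
    auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
    if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
        // NOTE(review): shell callers skip VerifyAccessToken, so every permission routed
        // through this helper is implicitly granted to them. Confirm this is intended on
        // production builds; it is logged at info level so the bypass stays auditable.
        MMI_HILOGI("Token type is shell");
        return true;
    }
    if ((tokenType != OHOS::Security::AccessToken::TOKEN_HAP) &&
        (tokenType != OHOS::Security::AccessToken::TOKEN_NATIVE)) {
        // Fail closed on anything that is not HAP, native or shell.
        MMI_HILOGE("Unsupported token type:%{public}d", static_cast<int32_t>(tokenType));
        return false;
    }
    int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionCode);
    if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
        MMI_HILOGE("Check permission failed ret:%{public}d permission:%{public}s", ret, permissionCode.c_str());
        return false;
    }
    // This helper serves every permission gate, so the success line must not say "interceptor".
    MMI_HILOGD("Check permission success permission:%{public}s", permissionCode.c_str());
    return true;
}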
100
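/**
 * Check whether a given access token holds a permission.
 *
 * The token ID is supplied by the caller of this function rather than read from
 * the IPC context. HAP and native tokens are verified with
 * AccessTokenKit::VerifyAccessToken. Shell tokens are accepted without a lookup,
 * and any other token type is rejected.
 *
 * NOTE(review): the verdict is only as trustworthy as the origin of tokenId.
 * Presumably callers pass an ID captured from IPCSkeleton and never a value taken
 * from a request payload; verify against the call sites.
 *
 * @param tokenId Access token ID to evaluate.
 * @param permissionCode Permission name to verify.
 * @return true when access is allowed, false otherwise.
 */
bool PermissionHelper::CheckHapPermission(uint32_t tokenId, const std::string permissionCode)
{
    CALL_DEBUG_ENTER;
    auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
    if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
        // NOTE(review): shell tokens skip VerifyAccessToken; confirm this bypass is intended.
        MMI_HILOGI("Token type is shell");
        return true;
    }
    if ((tokenType != OHOS::Security::AccessToken::TOKEN_HAP) &&
        (tokenType != OHOS::Security::AccessToken::TOKEN_NATIVE)) {
        // Fail closed on anything that is not HAP, native or shell.
        MMI_HILOGE("Unsupported token type:%{public}d", static_cast<int32_t>(tokenType));
        return false;
    }
    int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionCode);
    if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
        // tokenId is unsigned, so it is logged with %u to avoid a negative ID for large values.
        MMI_HILOGE("Check Permi: %{public}s fail for appId:%{public}u, and ret:%{public}d",
                   permissionCode.c_str(), tokenId, ret);
        return false;
    }
    MMI_HILOGD("Check permission( %{public}s) permission success", permissionCode.c_str());
    return true;
}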
124
// Gate for dispatch control: returns CheckHapPermission's verdict for
// "ohos.permission.INPUT_CONTROL_DISPATCHING" on the current IPC caller.
// CheckHapPermission accepts shell tokens without a permission lookup.
bool PermissionHelper::CheckDispatchControl()
{
    CALL_DEBUG_ENTER;
    const std::string requiredPermission { "ohos.permission.INPUT_CONTROL_DISPATCHING" };
    return CheckHapPermission(requiredPermission);
}
131
/**
 * Classify the current IPC caller's access token.
 *
 * @return TokenType::TOKEN_NATIVE or TokenType::TOKEN_SHELL for those token types;
 *         TokenType::TOKEN_SYSTEM_HAP for a HAP token whose full token ID is reported
 *         as a system app, otherwise TokenType::TOKEN_HAP; TokenType::TOKEN_INVALID
 *         (with a warning log) for any other token type.
 */
int32_t PermissionHelper::GetTokenType()
{
    CALL_DEBUG_ENTER;
    const auto callerId = IPCSkeleton::GetCallingTokenID();
    const auto typeFlag = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerId);

    if (typeFlag == OHOS::Security::AccessToken::TOKEN_NATIVE) {
        return TokenType::TOKEN_NATIVE;
    }
    if (typeFlag == OHOS::Security::AccessToken::TOKEN_SHELL) {
        return TokenType::TOKEN_SHELL;
    }
    if (typeFlag != OHOS::Security::AccessToken::TOKEN_HAP) {
        MMI_HILOGW("Unsupported token type:%{public}d", typeFlag);
        return TokenType::TOKEN_INVALID;
    }

    // Only HAP callers reach this point; the system-app check uses the 64-bit full token ID.
    const uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
    return OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(fullTokenId)
        ? TokenType::TOKEN_SYSTEM_HAP
        : TokenType::TOKEN_HAP;
}
152
// Reports whether the current IPC caller's token type is TOKEN_SHELL.
// The resolved token type is written to the debug log first.
bool PermissionHelper::RequestFromShell()
{
    CALL_DEBUG_ENTER;
    const auto callerId = IPCSkeleton::GetCallingTokenID();
    const auto typeFlag = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerId);
    MMI_HILOGD("Token type is %{public}d", static_cast<int32_t>(typeFlag));
    const bool fromShell = (typeFlag == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL);
    return fromShell;
}
161
// Gate for mouse-cursor management: returns CheckHapPermission's verdict for
// "ohos.permission.MANAGE_MOUSE_CURSOR" on the current IPC caller. CheckHapPermission
// accepts shell tokens without a permission lookup.
bool PermissionHelper::CheckMouseCursor()
{
    CALL_DEBUG_ENTER;
    const std::string requiredPermission { "ohos.permission.MANAGE_MOUSE_CURSOR" };
    return CheckHapPermission(requiredPermission);
}
168
// Gate for input-event filtering: returns CheckHapPermission's verdict for
// "ohos.permission.FILTER_INPUT_EVENT" on the current IPC caller. CheckHapPermission
// accepts shell tokens without a permission lookup.
bool PermissionHelper::CheckInputEventFilter()
{
    CALL_DEBUG_ENTER;
    const std::string requiredPermission { "ohos.permission.FILTER_INPUT_EVENT" };
    return CheckHapPermission(requiredPermission);
}
175} // namespace MMI
176} // namespace OHOS
177