1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "os_account_manager_service.h"
16 #include <algorithm>
17 #include <cstddef>
18 #include "account_constants.h"
19 #include "account_info.h"
20 #include "account_log_wrapper.h"
21 #include "account_hisysevent_adapter.h"
22 #include "iinner_os_account_manager.h"
23 #include "ipc_skeleton.h"
24 #include "os_account_constants.h"
25
26 namespace OHOS {
27 namespace AccountSA {
28 namespace {
29 const std::string DUMP_TAB_CHARACTER = "\t";
30 const std::map<OsAccountType, std::string> DUMP_TYPE_MAP = {
31 {OsAccountType::ADMIN, "admin"},
32 {OsAccountType::NORMAL, "normal"},
33 {OsAccountType::GUEST, "guest"},
34 {OsAccountType::PRIVATE, "private"},
35 };
36 const std::string CONSTANT_CREATE = "constraint.os.account.create";
37 const std::string CONSTANT_CREATE_DIRECTLY = "constraint.os.account.create.directly";
38 const std::string CONSTANT_REMOVE = "constraint.os.account.remove";
39 const std::string CONSTANT_ACTIVATE = "constraint.os.account.activate";
40 const std::string CONSTANT_SET_ICON = "constraint.os.account.set.icon";
41 #ifndef IS_RELEASE_VERSION
42 const std::int32_t ROOT_UID = 0;
43 #endif
44 const std::string DEFAULT_ANON_STR = "**********";
45 const size_t INTERCEPT_HEAD_PART_LEN_FOR_NAME = 1;
46
47 const std::string MANAGE_LOCAL_ACCOUNTS = "ohos.permission.MANAGE_LOCAL_ACCOUNTS";
48 const std::string GET_LOCAL_ACCOUNTS = "ohos.permission.GET_LOCAL_ACCOUNTS";
49 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION =
50 "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
51 const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
52 const std::set<uint32_t> uidWhiteListForCreation { 3057 };
53 const std::int32_t EDM_UID = 3057;
54
AnonymizeNameStr(const std::string & nameStr)55 std::string AnonymizeNameStr(const std::string& nameStr)
56 {
57 if (nameStr.empty()) {
58 return nameStr;
59 }
60 std::string retStr = nameStr.substr(0, INTERCEPT_HEAD_PART_LEN_FOR_NAME) + DEFAULT_ANON_STR;
61 return retStr;
62 }
63
CheckLocalId(int localId)64 ErrCode CheckLocalId(int localId)
65 {
66 if (localId < 0) {
67 ACCOUNT_LOGE("id %{public}d is invalid", localId);
68 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
69 }
70 return ERR_OK;
71 }
72
IsTypeOutOfRange(const OsAccountType & type)73 bool IsTypeOutOfRange(const OsAccountType& type)
74 {
75 return (type < OsAccountType::ADMIN) || ((type > OsAccountType::GUEST) && (type < OsAccountType::PRIVATE)) ||
76 (type >= OsAccountType::END);
77 }
78 } // namespace
79
OsAccountManagerService()80 OsAccountManagerService::OsAccountManagerService() : innerManager_(IInnerOsAccountManager::GetInstance())
81 {}
82
~OsAccountManagerService()83 OsAccountManagerService::~OsAccountManagerService()
84 {}
85
CreateOsAccount(const std::string & name,const OsAccountType & type,OsAccountInfo & osAccountInfo)86 ErrCode OsAccountManagerService::CreateOsAccount(
87 const std::string &name, const OsAccountType &type, OsAccountInfo &osAccountInfo)
88 {
89 ErrCode errCode = ValidateAccountCreateParamAndPermission(name, type);
90 if (errCode != ERR_OK) {
91 return errCode;
92 }
93 return innerManager_.CreateOsAccount(name, type, osAccountInfo);
94 }
95
CreateOsAccount(const std::string & localName,const std::string & shortName,const OsAccountType & type,OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)96 ErrCode OsAccountManagerService::CreateOsAccount(const std::string &localName, const std::string &shortName,
97 const OsAccountType &type, OsAccountInfo &osAccountInfo, const CreateOsAccountOptions &options)
98 {
99 ErrCode errCode = ValidateAccountCreateParamAndPermission(localName, type);
100 if (errCode != ERR_OK) {
101 return errCode;
102 }
103
104 if (options.hasShortName) {
105 errCode = innerManager_.ValidateShortName(shortName);
106 if (errCode != ERR_OK) {
107 return errCode;
108 }
109 }
110
111 return innerManager_.CreateOsAccount(localName, shortName, type, osAccountInfo, options);
112 }
113
ValidateAccountCreateParamAndPermission(const std::string & localName,const OsAccountType & type)114 ErrCode OsAccountManagerService::ValidateAccountCreateParamAndPermission(const std::string &localName,
115 const OsAccountType &type)
116 {
117 // permission check
118 if (!CheckCreateOsAccountWhiteList() &&
119 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY) ||
120 !PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE))) {
121 ACCOUNT_LOGE("account manager service, permission denied!");
122 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
123 }
124
125 bool isMultiOsAccountEnable = false;
126 IsMultiOsAccountEnable(isMultiOsAccountEnable);
127 if (!isMultiOsAccountEnable) {
128 ACCOUNT_LOGE("system is not multi os account enable error");
129 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
130 }
131
132 size_t localNameSize = localName.size();
133 if ((localNameSize == 0) || (localNameSize > Constants::LOCAL_NAME_MAX_SIZE)) {
134 ACCOUNT_LOGE("CreateOsAccount local name length %{public}zu is invalid!", localNameSize);
135 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
136 }
137
138 if (IsTypeOutOfRange(type)) {
139 ACCOUNT_LOGE("os account type is invalid");
140 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
141 }
142
143 bool isAllowedCreateAdmin = false;
144 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
145 if (errCode != ERR_OK) {
146 ACCOUNT_LOGE("query allowed create admin error");
147 return errCode;
148 }
149 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
150 ACCOUNT_LOGE("cannot create admin account error");
151 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
152 }
153 return ERR_OK;
154 }
155
CreateOsAccountWithFullInfo(OsAccountInfo & osAccountInfo,const CreateOsAccountOptions & options)156 ErrCode OsAccountManagerService::CreateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo,
157 const CreateOsAccountOptions &options)
158 {
159 bool isMultiOsAccountEnable = false;
160 innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
161 if (!isMultiOsAccountEnable) {
162 ACCOUNT_LOGE("system is not multi os account enable error");
163 return ERR_OSACCOUNT_SERVICE_MANAGER_NOT_ENABLE_MULTI_ERROR;
164 }
165
166 if ((!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) ||
167 (!PermissionCheck("", CONSTANT_CREATE_DIRECTLY))) {
168 ACCOUNT_LOGE("account manager service, permission denied!");
169 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
170 }
171
172 bool isAllowedCreateAdmin = false;
173 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
174 if (errCode != ERR_OK) {
175 ACCOUNT_LOGE("query allowed create admin error");
176 return errCode;
177 }
178 if (!isAllowedCreateAdmin && (osAccountInfo.GetType() == OsAccountType::ADMIN)) {
179 ACCOUNT_LOGE("cannot create admin account error");
180 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
181 }
182
183 return innerManager_.CreateOsAccountWithFullInfo(osAccountInfo, options);
184 }
185
UpdateOsAccountWithFullInfo(OsAccountInfo & osAccountInfo)186 ErrCode OsAccountManagerService::UpdateOsAccountWithFullInfo(OsAccountInfo &osAccountInfo)
187 {
188 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
189 ACCOUNT_LOGE("account manager service, permission denied!");
190 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
191 }
192
193 bool isAllowedCreateAdmin = false;
194 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
195 if (errCode != ERR_OK) {
196 ACCOUNT_LOGE("query allowed update admin error");
197 return errCode;
198 }
199 if (!isAllowedCreateAdmin && osAccountInfo.GetType() == OsAccountType::ADMIN) {
200 ACCOUNT_LOGE("cannot update admin account error");
201 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
202 }
203
204 return innerManager_.UpdateOsAccountWithFullInfo(osAccountInfo);
205 }
206
CreateOsAccountForDomain(const OsAccountType & type,const DomainAccountInfo & domainInfo,const sptr<IDomainAccountCallback> & callback,const CreateOsAccountForDomainOptions & options)207 ErrCode OsAccountManagerService::CreateOsAccountForDomain(const OsAccountType &type,
208 const DomainAccountInfo &domainInfo, const sptr<IDomainAccountCallback> &callback,
209 const CreateOsAccountForDomainOptions &options)
210 {
211 ACCOUNT_LOGI("start");
212 // permission check
213 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_CREATE)) {
214 ACCOUNT_LOGE("account manager service, permission denied!");
215 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
216 }
217
218 // parameters check
219 if (IsTypeOutOfRange(type)) {
220 ACCOUNT_LOGE("os account type is invalid");
221 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
222 }
223 if (domainInfo.accountName_.empty() || domainInfo.domain_.empty()) {
224 ACCOUNT_LOGE("Domain account name is empty or domain is empty");
225 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
226 }
227 if (domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE ||
228 domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
229 ACCOUNT_LOGE("Domain account name is overlength or domain is overlength");
230 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
231 }
232
233 if (options.hasShortName || (options.shortName != "")) {
234 ErrCode code = innerManager_.ValidateShortName(options.shortName);
235 if (code != ERR_OK) {
236 ACCOUNT_LOGE("Failed to create os account for domain, shortName=%{public}s is invalid!",
237 options.shortName.c_str());
238 return code;
239 }
240 }
241
242 bool isAllowedCreateAdmin = false;
243 ErrCode errCode = innerManager_.IsAllowedCreateAdmin(isAllowedCreateAdmin);
244 if (errCode != ERR_OK) {
245 ACCOUNT_LOGE("Failed to get allowed create admin permission, code=%{public}d.", errCode);
246 return errCode;
247 }
248 if (!isAllowedCreateAdmin && type == OsAccountType::ADMIN) {
249 ACCOUNT_LOGE("Do not allowed create admin.");
250 return ERR_OSACCOUNT_SERVICE_MANAGER_CREATE_OSACCOUNT_TYPE_ERROR;
251 }
252 return innerManager_.CreateOsAccountForDomain(type, domainInfo, callback, options);
253 }
254
RemoveOsAccount(const int id)255 ErrCode OsAccountManagerService::RemoveOsAccount(const int id)
256 {
257 // parameters check
258 ErrCode res = CheckLocalId(id);
259 if (res != ERR_OK) {
260 return res;
261 }
262 if ((id == Constants::START_USER_ID) || (id == Constants::ADMIN_LOCAL_ID)) {
263 ACCOUNT_LOGE("cannot remove system preinstalled user");
264 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
265 }
266 // permission check
267 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_REMOVE)) {
268 ACCOUNT_LOGE("account manager service, permission denied!");
269 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
270 }
271
272 return innerManager_.RemoveOsAccount(id);
273 }
274
IsOsAccountExists(const int id,bool & isOsAccountExists)275 ErrCode OsAccountManagerService::IsOsAccountExists(const int id, bool &isOsAccountExists)
276 {
277 return innerManager_.IsOsAccountExists(id, isOsAccountExists);
278 }
279
IsOsAccountActived(const int id,bool & isOsAccountActived)280 ErrCode OsAccountManagerService::IsOsAccountActived(const int id, bool &isOsAccountActived)
281 {
282 // check current account state
283 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
284 if (callerUserId == id) {
285 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
286 }
287
288 // check other account state, check permission first
289 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
290 ACCOUNT_LOGE("account manager service, permission denied!");
291 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
292 }
293
294 return innerManager_.IsOsAccountActived(id, isOsAccountActived);
295 }
296
IsOsAccountConstraintEnable(const int id,const std::string & constraint,bool & isConstraintEnable)297 ErrCode OsAccountManagerService::IsOsAccountConstraintEnable(
298 const int id, const std::string &constraint, bool &isConstraintEnable)
299 {
300 ErrCode res = CheckLocalId(id);
301 if (res != ERR_OK) {
302 return res;
303 }
304 // permission check
305 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
306 ACCOUNT_LOGE("account manager service, permission denied!");
307 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
308 }
309
310 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isConstraintEnable);
311 }
312
CheckOsAccountConstraintEnabled(const int id,const std::string & constraint,bool & isEnabled)313 ErrCode OsAccountManagerService::CheckOsAccountConstraintEnabled(
314 const int id, const std::string &constraint, bool &isEnabled)
315 {
316 ErrCode res = CheckLocalId(id);
317 if (res != ERR_OK) {
318 return res;
319 }
320
321 // check current account state
322 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
323 if (callerUserId == id) {
324 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
325 }
326
327 // permission check
328 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
329 ACCOUNT_LOGE("account manager service, permission denied!");
330 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
331 }
332
333 return innerManager_.IsOsAccountConstraintEnable(id, constraint, isEnabled);
334 }
335
IsOsAccountVerified(const int id,bool & isVerified)336 ErrCode OsAccountManagerService::IsOsAccountVerified(const int id, bool &isVerified)
337 {
338 ErrCode res = CheckLocalId(id);
339 if (res != ERR_OK) {
340 return res;
341 }
342 // check current account state
343 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
344 if (callerUserId == id) {
345 return innerManager_.IsOsAccountVerified(id, isVerified);
346 }
347
348 // check other account state, check permission first
349 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
350 ACCOUNT_LOGE("account manager service, permission denied!");
351 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
352 }
353
354 return innerManager_.IsOsAccountVerified(id, isVerified);
355 }
356
IsOsAccountDeactivating(const int id,bool & isDeactivating)357 ErrCode OsAccountManagerService::IsOsAccountDeactivating(const int id, bool &isDeactivating)
358 {
359 ErrCode res = CheckLocalId(id);
360 if (res != ERR_OK) {
361 return res;
362 }
363 // check current account state
364 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
365 if (callerUserId == id) {
366 return innerManager_.IsOsAccountDeactivating(id, isDeactivating);
367 }
368
369 // check other account state, check permission first
370 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
371 ACCOUNT_LOGE("Account manager service, permission denied!");
372 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
373 }
374
375 return innerManager_.IsOsAccountDeactivating(id, isDeactivating);
376 }
377
GetCreatedOsAccountsCount(unsigned int & osAccountsCount)378 ErrCode OsAccountManagerService::GetCreatedOsAccountsCount(unsigned int &osAccountsCount)
379 {
380 // permission check
381 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
382 ACCOUNT_LOGE("account manager service, permission denied!");
383 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
384 }
385
386 return innerManager_.GetCreatedOsAccountsCount(osAccountsCount);
387 }
388
GetOsAccountLocalIdFromProcess(int & id)389 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromProcess(int &id)
390 {
391 const std::int32_t uid = IPCSkeleton::GetCallingUid();
392 id = uid / UID_TRANSFORM_DIVISOR;
393 return ERR_OK;
394 }
395
IsMainOsAccount(bool & isMainOsAccount)396 ErrCode OsAccountManagerService::IsMainOsAccount(bool &isMainOsAccount)
397 {
398 // permission check
399 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
400 ACCOUNT_LOGW("account manager service, permission denied!");
401 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
402 }
403
404 const std::int32_t uid = IPCSkeleton::GetCallingUid();
405 isMainOsAccount = ((uid / UID_TRANSFORM_DIVISOR) == MAIN_OS_ACCOUNT_LOCAL_ID);
406 return ERR_OK;
407 }
408
GetOsAccountLocalIdFromDomain(const DomainAccountInfo & domainInfo,int & id)409 ErrCode OsAccountManagerService::GetOsAccountLocalIdFromDomain(const DomainAccountInfo &domainInfo, int &id)
410 {
411 if (domainInfo.domain_.empty() || domainInfo.domain_.size() > Constants::DOMAIN_NAME_MAX_SIZE) {
412 ACCOUNT_LOGE("domain name length invalid. length %{public}zu.", domainInfo.domain_.size());
413 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
414 }
415
416 if (domainInfo.accountName_.empty() || domainInfo.accountName_.size() > Constants::LOCAL_NAME_MAX_SIZE) {
417 ACCOUNT_LOGE("accountName length invalid. length %{public}zu.", domainInfo.accountName_.size());
418 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
419 }
420 // permission check
421 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
422 ACCOUNT_LOGE("account manager service, permission denied!");
423 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
424 }
425
426 return innerManager_.GetOsAccountLocalIdFromDomain(domainInfo, id);
427 }
428
QueryMaxOsAccountNumber(uint32_t & maxOsAccountNumber)429 ErrCode OsAccountManagerService::QueryMaxOsAccountNumber(uint32_t &maxOsAccountNumber)
430 {
431 return innerManager_.QueryMaxOsAccountNumber(maxOsAccountNumber);
432 }
433
QueryMaxLoggedInOsAccountNumber(uint32_t & maxNum)434 ErrCode OsAccountManagerService::QueryMaxLoggedInOsAccountNumber(uint32_t &maxNum)
435 {
436 return innerManager_.QueryMaxLoggedInOsAccountNumber(maxNum);
437 }
438
GetOsAccountAllConstraints(const int id,std::vector<std::string> & constraints)439 ErrCode OsAccountManagerService::GetOsAccountAllConstraints(const int id, std::vector<std::string> &constraints)
440 {
441 // permission check
442 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
443 ACCOUNT_LOGE("account manager service, permission denied!");
444 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
445 }
446
447 return innerManager_.GetOsAccountAllConstraints(id, constraints);
448 }
449
QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> & osAccountInfos)450 ErrCode OsAccountManagerService::QueryAllCreatedOsAccounts(std::vector<OsAccountInfo> &osAccountInfos)
451 {
452 // permission check
453 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
454 ACCOUNT_LOGE("account manager service, permission denied!");
455 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
456 }
457
458 return innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
459 }
460
QueryCurrentOsAccount(OsAccountInfo & osAccountInfo)461 ErrCode OsAccountManagerService::QueryCurrentOsAccount(OsAccountInfo &osAccountInfo)
462 {
463 // permission check
464 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && (!PermissionCheck(GET_LOCAL_ACCOUNTS, ""))) {
465 ACCOUNT_LOGE("account manager service, permission denied!");
466 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
467 }
468
469 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
470 return innerManager_.QueryOsAccountById(id, osAccountInfo);
471 }
472
QueryOsAccountById(const int id,OsAccountInfo & osAccountInfo)473 ErrCode OsAccountManagerService::QueryOsAccountById(const int id, OsAccountInfo &osAccountInfo)
474 {
475 // parameters check
476 ErrCode res = CheckLocalId(id);
477 if (res != ERR_OK) {
478 return res;
479 }
480 // permission check
481 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") &&
482 !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
483 ACCOUNT_LOGE("account manager service, permission denied!");
484 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
485 }
486
487 return innerManager_.QueryOsAccountById(id, osAccountInfo);
488 }
489
GetOsAccountTypeFromProcess(OsAccountType & type)490 ErrCode OsAccountManagerService::GetOsAccountTypeFromProcess(OsAccountType &type)
491 {
492 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
493 return innerManager_.GetOsAccountType(id, type);
494 }
495
GetOsAccountType(const int id,OsAccountType & type)496 ErrCode OsAccountManagerService::GetOsAccountType(const int id, OsAccountType& type)
497 {
498 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") && !PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
499 ACCOUNT_LOGE("Check permission failed.");
500 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
501 }
502 return innerManager_.GetOsAccountType(id, type);
503 }
504
GetOsAccountProfilePhoto(const int id,std::string & photo)505 ErrCode OsAccountManagerService::GetOsAccountProfilePhoto(const int id, std::string &photo)
506 {
507 ErrCode result = CheckLocalId(id);
508 if (result != ERR_OK) {
509 return result;
510 }
511 // get current account photo
512 int callerUserId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
513 if (callerUserId == id) {
514 return innerManager_.GetOsAccountProfilePhoto(id, photo);
515 }
516
517 // get other account photo, check permission first
518 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
519 ACCOUNT_LOGE("account manager service, permission denied!");
520 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
521 }
522
523 return innerManager_.GetOsAccountProfilePhoto(id, photo);
524 }
525
IsMultiOsAccountEnable(bool & isMultiOsAccountEnable)526 ErrCode OsAccountManagerService::IsMultiOsAccountEnable(bool &isMultiOsAccountEnable)
527 {
528 return innerManager_.IsMultiOsAccountEnable(isMultiOsAccountEnable);
529 }
530
SetOsAccountName(const int id,const std::string & name)531 ErrCode OsAccountManagerService::SetOsAccountName(const int id, const std::string &name)
532 {
533 // parameters check
534 ErrCode res = CheckLocalId(id);
535 if (res != ERR_OK) {
536 return res;
537 }
538 if (id == Constants::ADMIN_LOCAL_ID) {
539 ACCOUNT_LOGE("cannot set name for system preinstalled user");
540 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
541 }
542 if (name.size() > Constants::LOCAL_NAME_MAX_SIZE) {
543 ACCOUNT_LOGE("set os account name is out of allowed size");
544 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
545 }
546 if (name.size() <= 0) {
547 ACCOUNT_LOGE("os account name is empty");
548 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
549 }
550
551 // permission check
552 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
553 ACCOUNT_LOGE("account manager service, permission denied!");
554 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
555 }
556
557 return innerManager_.SetOsAccountName(id, name);
558 }
559
SetOsAccountConstraints(const int id,const std::vector<std::string> & constraints,const bool enable)560 ErrCode OsAccountManagerService::SetOsAccountConstraints(
561 const int id, const std::vector<std::string> &constraints, const bool enable)
562 {
563 ErrCode res = CheckLocalId(id);
564 if (res != ERR_OK) {
565 return res;
566 }
567 if (id == Constants::ADMIN_LOCAL_ID) {
568 ACCOUNT_LOGE("cannot set constraints for system preinstalled user");
569 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
570 }
571 // permission check
572 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
573 ACCOUNT_LOGE("account manager service, permission denied!");
574 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
575 }
576
577 return innerManager_.SetBaseOsAccountConstraints(id, constraints, enable);
578 }
579
SetOsAccountProfilePhoto(const int id,const std::string & photo)580 ErrCode OsAccountManagerService::SetOsAccountProfilePhoto(const int id, const std::string &photo)
581 {
582 // parameters check
583 ErrCode res = CheckLocalId(id);
584 if (res != ERR_OK) {
585 return res;
586 }
587 if (id == Constants::ADMIN_LOCAL_ID) {
588 ACCOUNT_LOGE("cannot set photo for system preinstalled user");
589 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
590 }
591 if (photo.size() > Constants::LOCAL_PHOTO_MAX_SIZE) {
592 ACCOUNT_LOGE("photo out of allowed size");
593 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
594 }
595 if (photo.empty()) {
596 ACCOUNT_LOGE("photo is empty");
597 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
598 }
599 // permission check
600 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, CONSTANT_SET_ICON)) {
601 ACCOUNT_LOGE("account manager service, permission denied!");
602 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
603 }
604
605 return innerManager_.SetOsAccountProfilePhoto(id, photo);
606 }
607
ActivateOsAccount(const int id)608 ErrCode OsAccountManagerService::ActivateOsAccount(const int id)
609 {
610 // parameters check
611 ErrCode res = CheckLocalId(id);
612 if (res != ERR_OK) {
613 return res;
614 }
615 if (id == Constants::ADMIN_LOCAL_ID) {
616 ACCOUNT_LOGE("cannot activate name for system preinstalled user");
617 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
618 }
619 // permission check
620 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, CONSTANT_ACTIVATE)) {
621 ACCOUNT_LOGE("account manager service, permission denied!");
622 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
623 }
624
625 return innerManager_.ActivateOsAccount(id);
626 }
627
DeactivateOsAccount(const int id)628 ErrCode OsAccountManagerService::DeactivateOsAccount(const int id)
629 {
630 // parameters check
631 ErrCode res = CheckLocalId(id);
632 if (res != ERR_OK) {
633 return res;
634 }
635 if (id == Constants::ADMIN_LOCAL_ID) {
636 ACCOUNT_LOGE("cannot deactivate name for system preinstalled user");
637 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
638 }
639 // permission check
640 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
641 ACCOUNT_LOGE("account manager service, permission denied!");
642 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
643 }
644 int32_t currentId = Constants::START_USER_ID;
645 GetCurrentLocalId(currentId);
646
647 #ifndef SUPPORT_STOP_MAIN_OS_ACCOUNT
648 if (id == Constants::START_USER_ID) {
649 ACCOUNT_LOGW("the %{public}d os account can't stop", id);
650 return ERR_OSACCOUNT_SERVICE_INNER_ACCOUNT_STOP_ACTIVE_ERROR;
651 }
652 #endif // SUPPORT_STOP_OS_ACCOUNT
653
654 res = innerManager_.DeactivateOsAccount(id);
655 if (res != ERR_OK) {
656 return res;
657 }
658
659 if (currentId == id) { // if stop current account
660 #ifdef SUPPORT_STOP_MAIN_OS_ACCOUNT
661 innerManager_.ActivateOsAccount(id, false);
662 #else
663 innerManager_.ActivateOsAccount(Constants::START_USER_ID, false);
664 #endif // SUPPORT_STOP_MAIN_OS_ACCOUNT
665 }
666 return ERR_OK;
667 }
668
DeactivateAllOsAccounts()669 ErrCode OsAccountManagerService::DeactivateAllOsAccounts()
670 {
671 // permission check
672 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
673 ACCOUNT_LOGE("Permission check failed.");
674 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
675 }
676
677 std::vector<int32_t> userIds;
678 ErrCode res = innerManager_.QueryActiveOsAccountIds(userIds);
679 if (res != ERR_OK) {
680 ACCOUNT_LOGE("Get activated os account ids failed.");
681 return res;
682 }
683 if (userIds.empty()) {
684 ACCOUNT_LOGI("Activated os account list is empty.");
685 return ERR_OK;
686 }
687 ErrCode result = ERR_OK;
688 for (auto osAccountId : userIds) {
689 ACCOUNT_LOGI("DeactivateAllOsAccounts, id=%{public}d", osAccountId);
690 res = innerManager_.DeactivateOsAccount(osAccountId);
691 if (res != ERR_OK) {
692 ACCOUNT_LOGE("Deactivate os account id failed, id=%{public}d", osAccountId);
693 result = res;
694 }
695 }
696 return result;
697 }
698
GetCurrentLocalId(int32_t & userId)699 void OsAccountManagerService::GetCurrentLocalId(int32_t &userId)
700 {
701 std::vector<int32_t> userIds;
702 if ((innerManager_.QueryActiveOsAccountIds(userIds) != ERR_OK) || userIds.empty()) {
703 ACCOUNT_LOGE("fail to get activated os account ids");
704 return;
705 }
706 userId = userIds[0];
707 return;
708 }
709
StartOsAccount(const int id)710 ErrCode OsAccountManagerService::StartOsAccount(const int id)
711 {
712 return innerManager_.StartOsAccount(id);
713 }
714
SubscribeOsAccount(const OsAccountSubscribeInfo & subscribeInfo,const sptr<IRemoteObject> & eventListener)715 ErrCode OsAccountManagerService::SubscribeOsAccount(
716 const OsAccountSubscribeInfo &subscribeInfo, const sptr<IRemoteObject> &eventListener)
717 {
718 // permission check
719 OS_ACCOUNT_SUBSCRIBE_TYPE osAccountSubscribeType;
720 subscribeInfo.GetOsAccountSubscribeType(osAccountSubscribeType);
721 if (osAccountSubscribeType == SWITCHED || osAccountSubscribeType == SWITCHING) {
722 if (!(PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "") ||
723 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
724 ACCOUNT_LOGE("account manager service, permission denied!");
725 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
726 }
727 } else {
728 if (!(PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "") ||
729 (AccountPermissionManager::CheckSaCall() && PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")))) {
730 ACCOUNT_LOGE("account manager service, permission denied!");
731 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
732 }
733 }
734
735 auto osSubscribeInfo = innerManager_.GetSubscribeRecordInfo(eventListener);
736 if (osSubscribeInfo != nullptr) {
737 std::string name;
738 osSubscribeInfo->GetName(name);
739 ACCOUNT_LOGI("Event listener %{public}s already exists.", name.c_str());
740 return ERR_OK;
741 }
742
743 return innerManager_.SubscribeOsAccount(subscribeInfo, eventListener);
744 }
745
UnsubscribeOsAccount(const sptr<IRemoteObject> & eventListener)746 ErrCode OsAccountManagerService::UnsubscribeOsAccount(const sptr<IRemoteObject> &eventListener)
747 {
748 // permission check
749 auto osSubscribeInfo = innerManager_.GetSubscribeRecordInfo(eventListener);
750 if (osSubscribeInfo == nullptr) {
751 ACCOUNT_LOGI("Event listener is not exist.");
752 return ERR_OK;
753 }
754 OS_ACCOUNT_SUBSCRIBE_TYPE osAccountSubscribeType;
755 osSubscribeInfo->GetOsAccountSubscribeType(osAccountSubscribeType);
756 if (osAccountSubscribeType == SWITCHED || osAccountSubscribeType == SWITCHING) {
757 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
758 ACCOUNT_LOGE("account manager service, permission denied!");
759 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
760 }
761 } else {
762 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION, "")) {
763 ACCOUNT_LOGE("account manager service, permission denied!");
764 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
765 }
766 }
767
768 return innerManager_.UnsubscribeOsAccount(eventListener);
769 }
770
GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber,int & id)771 ErrCode OsAccountManagerService::GetOsAccountLocalIdBySerialNumber(const int64_t serialNumber, int &id)
772 {
773 return innerManager_.GetOsAccountLocalIdBySerialNumber(serialNumber, id);
774 }
775
GetSerialNumberByOsAccountLocalId(const int & id,int64_t & serialNumber)776 ErrCode OsAccountManagerService::GetSerialNumberByOsAccountLocalId(const int &id, int64_t &serialNumber)
777 {
778 return innerManager_.GetSerialNumberByOsAccountLocalId(id, serialNumber);
779 }
780
GetOsAccountSwitchMod()781 OS_ACCOUNT_SWITCH_MOD OsAccountManagerService::GetOsAccountSwitchMod()
782 {
783 return innerManager_.GetOsAccountSwitchMod();
784 }
785
IsCurrentOsAccountVerified(bool & isVerified)786 ErrCode OsAccountManagerService::IsCurrentOsAccountVerified(bool &isVerified)
787 {
788 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
789 return innerManager_.IsOsAccountVerified(id, isVerified);
790 }
791
IsOsAccountCompleted(const int id,bool & isOsAccountCompleted)792 ErrCode OsAccountManagerService::IsOsAccountCompleted(const int id, bool &isOsAccountCompleted)
793 {
794 return innerManager_.IsOsAccountCompleted(id, isOsAccountCompleted);
795 }
796
SetCurrentOsAccountIsVerified(const bool isVerified)797 ErrCode OsAccountManagerService::SetCurrentOsAccountIsVerified(const bool isVerified)
798 {
799 // permission check
800 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
801 ACCOUNT_LOGE("account manager service, permission denied!");
802 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
803 }
804
805 // parameters check
806 int id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
807 ErrCode res = CheckLocalId(id);
808 if (res != ERR_OK) {
809 return res;
810 }
811 if (id == Constants::ADMIN_LOCAL_ID) {
812 ACCOUNT_LOGE("Cannot set verified status for system preinstalled user");
813 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
814 }
815 return innerManager_.SetOsAccountIsVerified(id, isVerified);
816 }
817
SetOsAccountIsVerified(const int id,const bool isVerified)818 ErrCode OsAccountManagerService::SetOsAccountIsVerified(const int id, const bool isVerified)
819 {
820 // parameters check
821 ErrCode res = CheckLocalId(id);
822 if (res != ERR_OK) {
823 return res;
824 }
825 if (id == Constants::ADMIN_LOCAL_ID) {
826 ACCOUNT_LOGE("Cannot set verified status for system preinstalled user");
827 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
828 }
829 // permission check
830 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
831 ACCOUNT_LOGE("account manager service, permission denied!");
832 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
833 }
834
835 return innerManager_.SetOsAccountIsVerified(id, isVerified);
836 }
837
DumpState(const int & id,std::vector<std::string> & state)838 ErrCode OsAccountManagerService::DumpState(const int &id, std::vector<std::string> &state)
839 {
840 state.clear();
841
842 // permission check
843 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
844 ACCOUNT_LOGE("account manager service, permission denied!");
845 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
846 }
847
848 ErrCode result = ERR_OK;
849 std::vector<OsAccountInfo> osAccountInfos;
850
851 if (id == -1) {
852 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
853 if (result != ERR_OK) {
854 return result;
855 }
856 } else {
857 OsAccountInfo osAccountInfo;
858 result = innerManager_.QueryOsAccountById(id, osAccountInfo);
859 if (result != ERR_OK) {
860 return result;
861 }
862
863 osAccountInfos.emplace_back(osAccountInfo);
864 }
865
866 return DumpStateByAccounts(osAccountInfos, state);
867 }
868
DumpOsAccountInfo(std::vector<std::string> & state)869 ErrCode OsAccountManagerService::DumpOsAccountInfo(std::vector<std::string> &state)
870 {
871 state.clear();
872
873 ErrCode result = ERR_OK;
874 std::vector<OsAccountInfo> osAccountInfos;
875 result = innerManager_.QueryAllCreatedOsAccounts(osAccountInfos);
876 if (result != ERR_OK) {
877 return result;
878 }
879
880 return DumpStateByAccounts(osAccountInfos, state);
881 }
882
GetCreatedOsAccountNumFromDatabase(const std::string & storeID,int & createdOsAccountNum)883 ErrCode OsAccountManagerService::GetCreatedOsAccountNumFromDatabase(const std::string& storeID,
884 int &createdOsAccountNum)
885 {
886 // permission check
887 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
888 ACCOUNT_LOGE("account manager service, permission denied!");
889 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
890 }
891
892 return innerManager_.GetCreatedOsAccountNumFromDatabase(storeID, createdOsAccountNum);
893 }
894
GetSerialNumberFromDatabase(const std::string & storeID,int64_t & serialNumber)895 ErrCode OsAccountManagerService::GetSerialNumberFromDatabase(const std::string& storeID,
896 int64_t &serialNumber)
897 {
898 return innerManager_.GetSerialNumberFromDatabase(storeID, serialNumber);
899 }
900
GetMaxAllowCreateIdFromDatabase(const std::string & storeID,int & id)901 ErrCode OsAccountManagerService::GetMaxAllowCreateIdFromDatabase(const std::string& storeID, int &id)
902 {
903 return innerManager_.GetMaxAllowCreateIdFromDatabase(storeID, id);
904 }
905
GetOsAccountFromDatabase(const std::string & storeID,const int id,OsAccountInfo & osAccountInfo)906 ErrCode OsAccountManagerService::GetOsAccountFromDatabase(const std::string& storeID,
907 const int id, OsAccountInfo &osAccountInfo)
908 {
909 // permission check
910 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
911 ACCOUNT_LOGE("account manager service, permission denied!");
912 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
913 }
914
915 return innerManager_.GetOsAccountFromDatabase(storeID, id, osAccountInfo);
916 }
917
GetOsAccountListFromDatabase(const std::string & storeID,std::vector<OsAccountInfo> & osAccountList)918 ErrCode OsAccountManagerService::GetOsAccountListFromDatabase(const std::string& storeID,
919 std::vector<OsAccountInfo> &osAccountList)
920 {
921 // permission check
922 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
923 ACCOUNT_LOGE("account manager service, permission denied!");
924 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
925 }
926
927 return innerManager_.GetOsAccountListFromDatabase(storeID, osAccountList);
928 }
929
DumpStateByAccounts(const std::vector<OsAccountInfo> & osAccountInfos,std::vector<std::string> & state)930 ErrCode OsAccountManagerService::DumpStateByAccounts(
931 const std::vector<OsAccountInfo> &osAccountInfos, std::vector<std::string> &state)
932 {
933 ACCOUNT_LOGD("enter");
934 for (auto osAccountInfo : osAccountInfos) {
935 std::string info = "";
936
937 std::string localId = std::to_string(osAccountInfo.GetLocalId());
938 state.emplace_back("ID: " + localId);
939
940 std::string localName = osAccountInfo.GetLocalName();
941 state.emplace_back(DUMP_TAB_CHARACTER + "Name: " + AnonymizeNameStr(localName));
942
943 std::string type = "";
944 auto it = DUMP_TYPE_MAP.find(osAccountInfo.GetType());
945 if (it != DUMP_TYPE_MAP.end()) {
946 type = it->second;
947 } else {
948 type = "unknown";
949 }
950 state.emplace_back(DUMP_TAB_CHARACTER + "Type: " + type);
951 state.emplace_back(DUMP_TAB_CHARACTER + "Status: " +
952 (osAccountInfo.GetIsActived() ? "active" : "inactive"));
953 state.emplace_back(DUMP_TAB_CHARACTER + "isForeground: " + std::to_string(osAccountInfo.GetIsForeground()));
954 state.emplace_back(DUMP_TAB_CHARACTER + "dispalyId: " + std::to_string(osAccountInfo.GetDisplayId()));
955
956 state.emplace_back(DUMP_TAB_CHARACTER + "Constraints:");
957 auto constraints = osAccountInfo.GetConstraints();
958 std::transform(constraints.begin(), constraints.end(), std::back_inserter(state),
959 [](auto constraint) {return DUMP_TAB_CHARACTER + DUMP_TAB_CHARACTER + constraint; });
960
961 state.emplace_back(DUMP_TAB_CHARACTER + "Verified: " +
962 (osAccountInfo.GetIsVerified() ? "true" : "false"));
963
964 int64_t serialNumber = osAccountInfo.GetSerialNumber();
965 state.emplace_back(DUMP_TAB_CHARACTER + "Serial Number: " + std::to_string(serialNumber));
966 state.emplace_back(DUMP_TAB_CHARACTER + "Create Completed: " +
967 (osAccountInfo.GetIsCreateCompleted() ? "true" : "false"));
968 state.emplace_back(DUMP_TAB_CHARACTER + "To Be Removed: " +
969 (osAccountInfo.GetToBeRemoved() ? "true" : "false"));
970 state.emplace_back("\n");
971 }
972
973 return ERR_OK;
974 }
975
QueryActiveOsAccountIds(std::vector<int32_t> & ids)976 ErrCode OsAccountManagerService::QueryActiveOsAccountIds(std::vector<int32_t>& ids)
977 {
978 return innerManager_.QueryActiveOsAccountIds(ids);
979 }
980
QueryOsAccountConstraintSourceTypes(const int32_t id,const std::string & constraint,std::vector<ConstraintSourceTypeInfo> & constraintSourceTypeInfos)981 ErrCode OsAccountManagerService::QueryOsAccountConstraintSourceTypes(const int32_t id,
982 const std::string &constraint, std::vector<ConstraintSourceTypeInfo> &constraintSourceTypeInfos)
983 {
984 // parameters check
985 ErrCode res = CheckLocalId(id);
986 if (res != ERR_OK) {
987 return res;
988 }
989 if (constraint.empty() || constraint.size() > Constants::CONSTRAINT_MAX_SIZE) {
990 ACCOUNT_LOGE("constraint length is invalid. length %{public}zu.", constraint.size());
991 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
992 }
993
994 // permission check
995 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
996 ACCOUNT_LOGE("account manager service, permission denied!");
997 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
998 }
999
1000 return innerManager_.QueryOsAccountConstraintSourceTypes(id, constraint, constraintSourceTypeInfos);
1001 }
1002
SetGlobalOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t enforcerId,const bool isDeviceOwner)1003 ErrCode OsAccountManagerService::SetGlobalOsAccountConstraints(const std::vector<std::string> &constraints,
1004 const bool enable, const int32_t enforcerId, const bool isDeviceOwner)
1005 {
1006 // permission check
1007 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1008 ACCOUNT_LOGE("account manager service, permission denied!");
1009 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1010 }
1011
1012 return innerManager_.SetGlobalOsAccountConstraints(constraints, enable, enforcerId, isDeviceOwner);
1013 }
1014
ContainsAnyConstraint(const std::vector<std::string> & constraints,const std::vector<std::string> & constraintList)1015 static bool ContainsAnyConstraint(const std::vector<std::string> &constraints,
1016 const std::vector<std::string> &constraintList)
1017 {
1018 for (const auto &constraint : constraintList) {
1019 if (std::find(constraints.begin(), constraints.end(), constraint) != constraints.end()) {
1020 return true;
1021 }
1022 }
1023 return false;
1024 }
1025
SetSpecificOsAccountConstraints(const std::vector<std::string> & constraints,const bool enable,const int32_t targetId,const int32_t enforcerId,const bool isDeviceOwner)1026 ErrCode OsAccountManagerService::SetSpecificOsAccountConstraints(const std::vector<std::string> &constraints,
1027 const bool enable, const int32_t targetId, const int32_t enforcerId, const bool isDeviceOwner)
1028 {
1029 // check EDM uid
1030 int32_t callingUid = IPCSkeleton::GetCallingUid();
1031 std::vector<std::string> createConstraintList = {CONSTANT_CREATE, CONSTANT_CREATE_DIRECTLY};
1032 if (ContainsAnyConstraint(constraints, createConstraintList) && callingUid != EDM_UID) {
1033 ACCOUNT_LOGE("Permission denied, callingUid=%{public}d.", callingUid);
1034 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1035 }
1036
1037 // permission check
1038 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1039 ACCOUNT_LOGE("account manager service, permission denied!");
1040 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1041 }
1042
1043 // parameters check
1044 if (targetId < Constants::START_USER_ID || enforcerId < Constants::START_USER_ID) {
1045 ACCOUNT_LOGE("invalid input account id %{public}d or %{public}d.", targetId, enforcerId);
1046 return ERR_OSACCOUNT_SERVICE_MANAGER_ID_ERROR;
1047 }
1048
1049 return innerManager_.SetSpecificOsAccountConstraints(constraints, enable, targetId, enforcerId, isDeviceOwner);
1050 }
1051
SetDefaultActivatedOsAccount(const int32_t id)1052 ErrCode OsAccountManagerService::SetDefaultActivatedOsAccount(const int32_t id)
1053 {
1054 // parameters check
1055 ErrCode ret = CheckLocalId(id);
1056 if (ret != ERR_OK) {
1057 return ret;
1058 }
1059
1060 // permission check
1061 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1062 ACCOUNT_LOGE("account manager service, permission denied!");
1063 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1064 }
1065
1066 return innerManager_.SetDefaultActivatedOsAccount(id);
1067 }
1068
GetDefaultActivatedOsAccount(int32_t & id)1069 ErrCode OsAccountManagerService::GetDefaultActivatedOsAccount(int32_t &id)
1070 {
1071 return innerManager_.GetDefaultActivatedOsAccount(id);
1072 }
1073
GetOsAccountShortNameCommon(const int32_t id,std::string & shortName)1074 ErrCode OsAccountManagerService::GetOsAccountShortNameCommon(const int32_t id, std::string &shortName)
1075 {
1076 ErrCode errCode = innerManager_.GetOsAccountShortName(id, shortName);
1077 if (errCode != ERR_OK) {
1078 ACCOUNT_LOGE("GetOsAccountShortName error %{public}d", errCode);
1079 return errCode;
1080 }
1081 return ERR_OK;
1082 }
1083
GetOsAccountShortName(std::string & shortName)1084 ErrCode OsAccountManagerService::GetOsAccountShortName(std::string &shortName)
1085 {
1086 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1087 return GetOsAccountShortNameCommon(id, shortName);
1088 }
1089
GetOsAccountName(std::string & name)1090 ErrCode OsAccountManagerService::GetOsAccountName(std::string &name)
1091 {
1092 int32_t id = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1093 ErrCode errCode = innerManager_.GetOsAccountName(id, name);
1094 if (errCode != ERR_OK) {
1095 ACCOUNT_LOGE("Failed get account name, errCode=%{public}d, uid=%{public}d", errCode,
1096 IPCSkeleton::GetCallingUid());
1097 return errCode;
1098 }
1099 return ERR_OK;
1100 }
1101
GetOsAccountShortNameById(const int32_t id,std::string & shortName)1102 ErrCode OsAccountManagerService::GetOsAccountShortNameById(const int32_t id, std::string &shortName)
1103 {
1104 if (!PermissionCheck(INTERACT_ACROSS_LOCAL_ACCOUNTS, "")) {
1105 ACCOUNT_LOGE("Check permission failed, please check your permission.");
1106 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1107 }
1108 return GetOsAccountShortNameCommon(id, shortName);
1109 }
1110
PermissionCheck(const std::string & permissionName,const std::string & constraintName)1111 bool OsAccountManagerService::PermissionCheck(const std::string& permissionName, const std::string& constraintName)
1112 {
1113 int callerUid = IPCSkeleton::GetCallingUid();
1114 #ifndef IS_RELEASE_VERSION
1115 // root check in none release version for test
1116 if (callerUid == ROOT_UID) {
1117 return true;
1118 }
1119 #endif
1120
1121 // constraints check
1122 if (!constraintName.empty()) {
1123 int callerUserId = callerUid / UID_TRANSFORM_DIVISOR;
1124 bool isEnable = true;
1125 innerManager_.IsOsAccountConstraintEnable(callerUserId, constraintName, isEnable);
1126 if (isEnable) {
1127 ACCOUNT_LOGE("constraint check %{public}s failed.", constraintName.c_str());
1128 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), constraintName);
1129 return false;
1130 }
1131 }
1132
1133 // permission check
1134 if ((permissionName.empty()) || (AccountPermissionManager::VerifyPermission(permissionName) == ERR_OK)) {
1135 return true;
1136 }
1137
1138 ACCOUNT_LOGE("failed to verify permission for %{public}s.", permissionName.c_str());
1139 ReportPermissionFail(callerUid, IPCSkeleton::GetCallingRealPid(), permissionName);
1140 return false;
1141 }
1142
CheckCreateOsAccountWhiteList()1143 bool OsAccountManagerService::CheckCreateOsAccountWhiteList()
1144 {
1145 return uidWhiteListForCreation.find(GetCallingUid()) != uidWhiteListForCreation.end();
1146 }
1147
IsOsAccountForeground(const int32_t localId,const uint64_t displayId,bool & isForeground)1148 ErrCode OsAccountManagerService::IsOsAccountForeground(const int32_t localId, const uint64_t displayId,
1149 bool &isForeground)
1150 {
1151 int32_t callerId = IPCSkeleton::GetCallingUid() / UID_TRANSFORM_DIVISOR;
1152 int32_t id = (localId == -1) ? callerId : localId;
1153 if (id < Constants::ADMIN_LOCAL_ID) {
1154 ACCOUNT_LOGE("LocalId %{public}d is invlaid.", id);
1155 return ERR_ACCOUNT_COMMON_INVALID_PARAMETER;
1156 }
1157 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1158 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1159 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1160 }
1161 bool isOsAccountExists = false;
1162 ErrCode result = IsOsAccountExists(id, isOsAccountExists);
1163 if (result != ERR_OK) {
1164 return result;
1165 }
1166 if (!isOsAccountExists) {
1167 ACCOUNT_LOGE("LocalId %{public}d not exist.", id);
1168 return ERR_ACCOUNT_COMMON_ACCOUNT_NOT_EXIST_ERROR;
1169 }
1170 if (id >= Constants::ADMIN_LOCAL_ID && id < Constants::START_USER_ID) {
1171 ACCOUNT_LOGI("LocalId %{public}d is always in backgroud.", id);
1172 isForeground = false;
1173 return ERR_OK;
1174 }
1175 return innerManager_.IsOsAccountForeground(id, displayId, isForeground);
1176 }
1177
GetForegroundOsAccountLocalId(const uint64_t displayId,int32_t & localId)1178 ErrCode OsAccountManagerService::GetForegroundOsAccountLocalId(const uint64_t displayId, int32_t &localId)
1179 {
1180 if (displayId != Constants::DEFAULT_DISPALY_ID) {
1181 ACCOUNT_LOGE("DisplayId %{public}llu not exist.", static_cast<unsigned long long>(displayId));
1182 return ERR_ACCOUNT_COMMON_DISPLAY_ID_NOT_EXIST_ERROR;
1183 }
1184 return innerManager_.GetForegroundOsAccountLocalId(displayId, localId);
1185 }
1186
GetForegroundOsAccounts(std::vector<ForegroundOsAccount> & accounts)1187 ErrCode OsAccountManagerService::GetForegroundOsAccounts(std::vector<ForegroundOsAccount> &accounts)
1188 {
1189 return innerManager_.GetForegroundOsAccounts(accounts);
1190 }
1191
GetBackgroundOsAccountLocalIds(std::vector<int32_t> & localIds)1192 ErrCode OsAccountManagerService::GetBackgroundOsAccountLocalIds(std::vector<int32_t> &localIds)
1193 {
1194 return innerManager_.GetBackgroundOsAccountLocalIds(localIds);
1195 }
1196
SetOsAccountToBeRemoved(int32_t localId,bool toBeRemoved)1197 ErrCode OsAccountManagerService::SetOsAccountToBeRemoved(int32_t localId, bool toBeRemoved)
1198 {
1199 if (!PermissionCheck(MANAGE_LOCAL_ACCOUNTS, "")) {
1200 ACCOUNT_LOGE("Permission denied.");
1201 return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
1202 }
1203 return innerManager_.SetOsAccountToBeRemoved(localId, toBeRemoved);
1204 }
1205 } // namespace AccountSA
1206 } // namespace OHOS
1207