1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "cert_manager_permission_check.h"
17 
18 #include "accesstoken_kit.h"
19 #include "ipc_skeleton.h"
20 #include "tokenid_kit.h"
21 
22 #include "cm_log.h"
23 
24 using namespace OHOS::Security::AccessToken;
25 
HasPermission(const std::string & permissionName)26 static bool HasPermission(const std::string &permissionName)
27 {
28     AccessTokenID tokenId = OHOS::IPCSkeleton::GetCallingTokenID();
29 
30     int result = AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
31     if (result == PERMISSION_GRANTED) {
32         return true;
33     }
34 
35     return false;
36 }
37 
CmHasPrivilegedPermission(void)38 bool CmHasPrivilegedPermission(void)
39 {
40     return HasPermission("ohos.permission.ACCESS_CERT_MANAGER_INTERNAL");
41 }
42 
CmHasCommonPermission(void)43 bool CmHasCommonPermission(void)
44 {
45     return HasPermission("ohos.permission.ACCESS_CERT_MANAGER");
46 }
47 
CmHasUserTrustedPermission(void)48 bool CmHasUserTrustedPermission(void)
49 {
50     return HasPermission("ohos.permission.ACCESS_USER_TRUSTED_CERT");
51 }
52 
CmHasSystemAppPermission(void)53 bool CmHasSystemAppPermission(void)
54 {
55     return HasPermission("ohos.permission.ACCESS_SYSTEM_APP_CERT");
56 }
57 
CmIsSystemApp(void)58 bool CmIsSystemApp(void)
59 {
60     AccessTokenID tokenId = OHOS::IPCSkeleton::GetCallingTokenID();
61     auto tokenType = AccessTokenKit::GetTokenType(tokenId);
62     if (tokenType == TOKEN_HAP) { /* only care about hap type */
63         uint64_t fullTokenId = OHOS::IPCSkeleton::GetCallingFullTokenID();
64         return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
65     }
66     return true;
67 }
68 
CmIsSystemAppByStoreType(const uint32_t store)69 bool CmIsSystemAppByStoreType(const uint32_t store)
70 {
71     /* care about public and system credential */
72     if (store == CM_CREDENTIAL_STORE || store == CM_SYS_CREDENTIAL_STORE) {
73         return CmIsSystemApp();
74     }
75     return true;
76 }
77 
CmPermissionCheck(const uint32_t store)78 bool CmPermissionCheck(const uint32_t store)
79 {
80     switch (store) {
81         case CM_CREDENTIAL_STORE:
82             return CmHasPrivilegedPermission() && CmHasCommonPermission();
83         case CM_PRI_CREDENTIAL_STORE:
84             return CmHasCommonPermission();
85         case CM_SYS_CREDENTIAL_STORE:
86             return CmHasCommonPermission() && CmHasSystemAppPermission();
87         default:
88             return false;
89     }
90 }
91