1 /*
2  * Copyright (C) 2023 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #include "permission_manager.h"
16 #include "app_domain_verify_hilog.h"
17 #include "ipc_skeleton.h"
18 #include "accesstoken_kit.h"
19 #include "tokenid_kit.h"
20 namespace OHOS::AppDomainVerify {
21 
CheckPermission(const std::string & permission)22 bool PermissionManager::CheckPermission(const std::string& permission)
23 {
24     APP_DOMAIN_VERIFY_HILOGI(APP_DOMAIN_VERIFY_MGR_MODULE_SERVICE, "%{public}s: is called.", __func__);
25     if (permission.empty()) {
26         APP_DOMAIN_VERIFY_HILOGE(APP_DOMAIN_VERIFY_MGR_MODULE_SERVICE, "permission empty.");
27         return false;
28     }
29     auto callerToken = IPCSkeleton::GetCallingTokenID();
30     int result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(callerToken, permission);
31     if (result != Security::AccessToken::PERMISSION_GRANTED) {
32         APP_DOMAIN_VERIFY_HILOGE(APP_DOMAIN_VERIFY_MGR_MODULE_SERVICE,
33             "permission check failed, permission:%{public}s, callerToken:%{public}u", permission.c_str(), callerToken);
34         return false;
35     }
36     return true;
37 }
IsSystemAppCall()38 bool PermissionManager::IsSystemAppCall()
39 {
40     APP_DOMAIN_VERIFY_HILOGI(APP_DOMAIN_VERIFY_MGR_MODULE_SERVICE, "%{public}s: is called.", __func__);
41     if (Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(IPCSkeleton::GetCallingTokenID()) !=
42         Security::AccessToken::ATokenTypeEnum::TOKEN_HAP) {
43         return true;
44     }
45     auto result = Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(IPCSkeleton::GetCallingFullTokenID());
46     if (!result) {
47         APP_DOMAIN_VERIFY_HILOGE(APP_DOMAIN_VERIFY_MGR_MODULE_SERVICE, "Caller is not allowed, need system app");
48     }
49     return result;
50 }
IsSACall()51 bool PermissionManager::IsSACall()
52 {
53     APP_DOMAIN_VERIFY_HILOGI(APP_DOMAIN_VERIFY_MGR_MODULE_SERVICE, "%{public}s: is called.", __func__);
54     auto callerToken = IPCSkeleton::GetCallingTokenID();
55     auto tokenType = Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
56     if (tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE) {
57         APP_DOMAIN_VERIFY_HILOGD(APP_DOMAIN_VERIFY_MGR_MODULE_SERVICE, "caller tokenType is native, verify success");
58         return true;
59     }
60     APP_DOMAIN_VERIFY_HILOGI(APP_DOMAIN_VERIFY_MGR_MODULE_SERVICE, "Not SA called.");
61     return false;
62 }
63 }