1 /* 2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 /** 17 * @addtogroup AccessToken 18 * @{ 19 * 20 * @brief Provides permission management. 21 * 22 * Provides tokenID-based application permission verification mechanism. 23 * When an application accesses sensitive data or APIs, this module can check 24 * whether the application has the corresponding permission. Allows applications 25 * to query their access token information or APL levcels based on token IDs. 26 * 27 * @since 7.0 28 * @version 7.0 29 */ 30 31 /** 32 * @file accesstoken_kit.h 33 * 34 * @brief Declares access token interfaces. 35 * 36 * @since 7.0 37 * @version 7.0 38 */ 39 40 #ifndef INTERFACES_INNER_KITS_ACCESSTOKEN_KIT_H 41 #define INTERFACES_INNER_KITS_ACCESSTOKEN_KIT_H 42 43 #include <string> 44 #include <vector> 45 46 #include "access_token.h" 47 #include "atm_tools_param_info.h" 48 #include "hap_token_info.h" 49 #include "native_token_info.h" 50 #include "permission_def.h" 51 #include "permission_list_state.h" 52 #include "permission_grant_info.h" 53 #include "permission_state_change_info.h" 54 #include "permission_state_full.h" 55 #include "perm_state_change_callback_customize.h" 56 #ifdef TOKEN_SYNC_ENABLE 57 #include "token_sync_kit_interface.h" 58 #endif // TOKEN_SYNC_ENABLE 59 60 namespace OHOS { 61 namespace Security { 62 namespace AccessToken { 63 /** 64 * @brief Declares AccessTokenKit class 65 */ 66 class AccessTokenKit { 67 public: 68 /** 69 * @brief Get permission used type by tokenID. 70 * @param tokenID token id 71 * @param permissionName permission to be checked 72 * @return enum PermUsedTypeEnum, see access_token.h 73 */ 74 static PermUsedTypeEnum GetUserGrantedPermissionUsedType(AccessTokenID tokenID, const std::string& permissionName); 75 76 /** 77 * @brief Grant input permission to input tokenID flag for specified time. 78 * @param tokenID token id 79 * @param permissionName permission name quote 80 * @param onceTime the time it takes to work, the unit is second. 81 * @return error code, see access_token_error.h 82 */ 83 static int GrantPermissionForSpecifiedTime( 84 AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime); 85 86 /** 87 * @brief Create a unique hap token by input values. 88 * @param info struct HapInfoParams quote, see hap_token_info.h 89 * @param policy struct HapPolicyParams quote, see hap_token_info.h 90 * @return union AccessTokenIDEx, see access_token.h 91 */ 92 static AccessTokenIDEx AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy); 93 /** 94 * @brief Create a unique hap token by input values and init the permission state. 95 * @param info struct HapInfoParams quote, see hap_token_info.h 96 * @param policy struct HapPolicyParams quote, see hap_token_info.h 97 * @return union AccessTokenIDEx, see access_token.h 98 */ 99 static int32_t InitHapToken(const HapInfoParams& info, HapPolicyParams& policy, AccessTokenIDEx& fullTokenId); 100 /** 101 * @brief Create a unique mapping token binding remote tokenID and DeviceID. 102 * @param remoteDeviceID remote device deviceID 103 * @param remoteTokenID remote device tokenID 104 * @return local tokenID which mapped by local token 105 */ 106 static AccessTokenID AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID); 107 /** 108 * @brief Update hap token info. 109 * @param tokenIdEx union AccessTokenIDEx quote, see access_token.h 110 * @param isSystemApp is system app or not 111 * @param appIDDesc app id description quote 112 * @param apiVersion app api version 113 * @param policy struct HapPolicyParams quote, see hap_token_info.h 114 * @return error code, see access_token_error.h 115 */ 116 static int32_t UpdateHapToken( 117 AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, const HapPolicyParams& policy); 118 /** 119 * @brief Delete token info. 120 * @param tokenID token id 121 * @return error code, see access_token_error.h 122 */ 123 static int DeleteToken(AccessTokenID tokenID); 124 /** 125 * @brief Get token type by ATM service. 126 * @param tokenID token id 127 * @return token type enum, see access_token.h 128 */ 129 static ATokenTypeEnum GetTokenType(AccessTokenID tokenID); 130 /** 131 * @brief Get token type from flag in tokenId, which doesn't depend on ATM service. 132 * @param tokenID token id 133 * @return token type enum, see access_token.h 134 */ 135 static ATokenTypeEnum GetTokenTypeFlag(AccessTokenID tokenID); 136 /** 137 * @brief Get token type by ATM service with uint_64 parameters. 138 * @param tokenID token id 139 * @return token type enum, see access_token.h 140 */ 141 static ATokenTypeEnum GetTokenType(FullTokenID tokenID); 142 /** 143 * @brief Get token type from flag in tokenId, which doesn't depend 144 * on ATM service, with uint_64 parameters. 145 * @param tokenID token id 146 * @return token type enum, see access_token.h 147 */ 148 static ATokenTypeEnum GetTokenTypeFlag(FullTokenID tokenID); 149 /** 150 * @brief Check native token dcap by token id. 151 * @param tokenID token id 152 * @param dcap dcap to be checked 153 * @return error code, see access_token_error.h 154 */ 155 static int CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap); 156 /** 157 * @brief Query hap tokenID by input prarms. 158 * @param userID user id 159 * @param bundleName bundle name 160 * @param instIndex inst index 161 * @return token id if exsit or 0 if not exsit 162 */ 163 static AccessTokenID GetHapTokenID(int32_t userID, const std::string& bundleName, int32_t instIndex); 164 /** 165 * @brief Query hap token attribute by input prarms. 166 * @param userID user id 167 * @param bundleName bundle name 168 * @param instIndex inst index 169 * @return union AccessTokenIDEx, see access_token.h 170 */ 171 static AccessTokenIDEx GetHapTokenIDEx(int32_t userID, const std::string& bundleName, int32_t instIndex); 172 /** 173 * @brief Get hap token info by token id. 174 * @param tokenID token id 175 * @param hapTokenInfoRes HapTokenInfo quote, as query result 176 * @return error code, see access_token_error.h 177 */ 178 static int GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes); 179 /** 180 * @brief Get native token info by token id. 181 * @param tokenID token id 182 * @param nativeTokenInfoRes NativeTokenInfo quote, as query result 183 * @return error code, see access_token_error.h 184 */ 185 static int GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes); 186 /** 187 * @brief Check if the input tokenID has been granted the input permission. 188 * @param tokenID token id 189 * @param permissionName permission to be checked 190 * @return enum PermissionState, see access_token.h 191 */ 192 static int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName); 193 /** 194 * @brief Check if the input tokenID has been granted the input permission. 195 * @param callerTokenID the tokenID of caller native process or hap process 196 * @param firstTokenID the tokenID of first caller native process or hap process 197 * @param permissionName permission to be checked 198 * @return enum PermissionState, see access_token.h 199 */ 200 static int VerifyAccessToken( 201 AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName); 202 /** 203 * @brief Check if the input tokenID has been granted the input permission. 204 * @param tokenID token id 205 * @param permissionName permission to be checked 206 * @param crossIpc whether to cross ipc 207 * @return enum PermissionState, see access_token.h 208 */ 209 static int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName, bool crossIpc); 210 /** 211 * @brief Check if the input tokenID has been granted the input permission. 212 * @param callerTokenID the tokenID of caller native process or hap process 213 * @param firstTokenID the tokenID of first caller native process or hap process 214 * @param permissionName permission to be checked 215 * @param crossIpc whether to cross ipc 216 * @return enum PermissionState, see access_token.h 217 */ 218 static int VerifyAccessToken(AccessTokenID callerTokenID, 219 AccessTokenID firstTokenID, const std::string& permissionName, bool crossIpc); 220 221 /** 222 * @brief Get permission definition by permission name. 223 * @param permissionName permission name quote 224 * @param permissionDefResult PermissionDef quote, as query result 225 * @return error code, see access_token_error.h 226 */ 227 static int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult); 228 /** 229 * @brief Get all permission definitions by token id. 230 * @param tokenID token id 231 * @param permList PermissionDef list quote, as query result 232 * @return error code, see access_token_error.h 233 */ 234 static int GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDef>& permList); 235 /** 236 * @brief Get all requested permission full state by token id and grant mode. 237 * @param tokenID token id 238 * @param reqPermList PermissionStateFull list quote, as query result 239 * @param isSystemGrant grant mode 240 * @return error code, see access_token_error.h 241 */ 242 static int GetReqPermissions( 243 AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant); 244 /** 245 * @brief Get permission grant flag 246 * @param tokenID token id 247 * @param permissionName permission name quote 248 * @param flag the permission grant flag, as query result 249 * @return error code, see access_token_error.h 250 */ 251 static int GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName, uint32_t& flag); 252 /** 253 * @brief Set permission request toggle status 254 * @param permissionName permission name quote 255 * @param status the permission request toggle status to set 256 * @param userID the userID 257 * @return error code, see access_token_error.h 258 */ 259 static int32_t SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status, int32_t userID); 260 /** 261 * @brief Get permission request toggle status 262 * @param permissionName permission name quote 263 * @param status the permission request toggle status to get 264 * @param userID the userID 265 * @return error code, see access_token_error.h 266 */ 267 static int32_t GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status, 268 int32_t userID); 269 /** 270 * @brief Get requsted permission grant result 271 * @param permList PermissionListState list quote, as input and query result 272 * @return enum PermissionOper, see access_token.h 273 */ 274 static PermissionOper GetSelfPermissionsState(std::vector<PermissionListState>& permList, 275 PermissionGrantInfo& info); 276 /** 277 * @brief Get requsted permissions status 278 * @param permList PermissionListState list quote, as input and query result 279 * @return error code, see access_token_error.h 280 */ 281 static int32_t GetPermissionsStatus(AccessTokenID tokenID, std::vector<PermissionListState>& permList); 282 /** 283 * @brief Grant input permission to input tokenID with input flag. 284 * @param tokenID token id 285 * @param permissionName permission name quote 286 * @param flag enum PermissionFlag, see access_token.h 287 * @return error code, see access_token_error.h 288 */ 289 static int GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag); 290 /** 291 * @brief Revoke input permission to input tokenID with input flag. 292 * @param tokenID token id 293 * @param permissionName permission name quote 294 * @param flag enum PermissionFlag, see access_token.h 295 * @return error code, see access_token_error.h 296 */ 297 static int RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag); 298 /** 299 * @brief Clear all user granted permissions state in input tokenID. 300 * @param tokenID token id 301 * @return error code, see access_token_error.h 302 */ 303 static int ClearUserGrantedPermissionState(AccessTokenID tokenID); 304 /** 305 * @brief Register permission state change callback. 306 * @param callback smart point of class PermStateChangeCallbackCustomize quote 307 * @return error code, see access_token_error.h 308 */ 309 static int32_t RegisterPermStateChangeCallback( 310 const std::shared_ptr<PermStateChangeCallbackCustomize>& callback); 311 /** 312 * @brief Unregister permission state change callback. 313 * @param callback smart point of class PermStateChangeCallbackCustomize quote 314 * @return error code, see access_token_error.h 315 */ 316 static int32_t UnRegisterPermStateChangeCallback(const std::shared_ptr<PermStateChangeCallbackCustomize>& callback); 317 /** 318 * @brief Get current version. 319 * @param version access token version. 320 * @return error code, see access_token_error.h 321 */ 322 static int32_t GetVersion(uint32_t& version); 323 /** 324 * @brief Get hap dlp flag by input tokenID. 325 * @param tokenID token id 326 * @return dlp flag in tokenID bitmap, or default -1 327 */ 328 static int32_t GetHapDlpFlag(AccessTokenID tokenID); 329 /** 330 * @brief Reload native token info. 331 * @return error code, see access_token_error.h 332 */ 333 static int32_t ReloadNativeTokenInfo(); 334 /** 335 * @brief Get tokenID by native process name. 336 * @param processName native process name 337 * @return token id of native process 338 */ 339 static AccessTokenID GetNativeTokenId(const std::string& processName); 340 341 /** 342 * @brief Set permission dialog capability 343 * @param hapBaseInfo base infomation of hap 344 * @param enable status of enable dialog 345 * @return error code, see access_token_error.h 346 */ 347 static int32_t SetPermDialogCap(const HapBaseInfo& hapBaseInfo, bool enable); 348 349 #ifdef TOKEN_SYNC_ENABLE 350 /** 351 * @brief Get remote hap token info by remote token id. 352 * @param tokenID remote token id 353 * @param hapSync HapTokenInfoForSync quote, as query result 354 * @return error code, see access_token_error.h 355 */ 356 static int GetHapTokenInfoFromRemote(AccessTokenID tokenID, HapTokenInfoForSync& hapSync); 357 /** 358 * @brief Set remote hap token info with remote deviceID. 359 * @param deviceID remote deviceID 360 * @param hapSync hap token info to set 361 * @return error code, see access_token_error.h 362 */ 363 static int SetRemoteHapTokenInfo(const std::string& deviceID, const HapTokenInfoForSync& hapSync); 364 /** 365 * @brief Delete remote token by remote deviceID and remote tokenID. 366 * @param deviceID remote deviceID 367 * @param tokenID remote tokenID 368 * @return error code, see access_token_error.h 369 */ 370 static int DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID); 371 /** 372 * @brief Get local mapping native tokenID by remote deviceID 373 * and remote tokenID. 374 * @param deviceID remote deviceID 375 * @param tokenID remote tokenID 376 * @return token id of mapping native tokenID 377 */ 378 static AccessTokenID GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID); 379 /** 380 * @brief Delete remote tokens by remote deviceID. 381 * @param deviceID remote deviceID 382 * @return error code, see access_token_error.h 383 */ 384 static int DeleteRemoteDeviceTokens(const std::string& deviceID); 385 /** 386 * @brief Regist a token sync service callback 387 * @param syncCallback token sync class 388 * @return error code, see access_token_error.h 389 */ 390 static int32_t RegisterTokenSyncCallback(const std::shared_ptr<TokenSyncKitInterface>& syncCallback); 391 /** 392 * @brief UnRegist a token sync service callback 393 * @param syncCallback token sync class 394 * @return error code, see access_token_error.h 395 */ 396 static int32_t UnRegisterTokenSyncCallback(); 397 #endif 398 /** 399 * @brief Dump all token infos in the cache. 400 * @param tokenID token id, if tokenID is valid, only dump this token info 401 * @param dumpInfo all token info 402 */ 403 static void DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo); 404 /** 405 * @brief Get application info of permission manager. 406 * @param info application info of permission manager 407 */ 408 static void GetPermissionManagerInfo(PermissionGrantInfo& info); 409 }; 410 } // namespace AccessToken 411 } // namespace Security 412 } // namespace OHOS 413 #endif 414