1 /*
2  * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "auth_widget_helper.h"
17 
18 #include <cinttypes>
19 #include "securec.h"
20 
21 #include "iam_check.h"
22 #include "iam_logger.h"
23 #include "resource_node_pool.h"
24 #include "system_param_manager.h"
25 #include "user_idm_database.h"
26 #include "widget_client.h"
27 
28 #define LOG_TAG "USER_AUTH_SA"
29 
30 namespace OHOS {
31 namespace UserIam {
32 namespace UserAuth {
33 
InitWidgetContextParam(const AuthParamInner & authParam,std::vector<AuthType> & validType,const WidgetParam & widgetParam,ContextFactory::AuthWidgetContextPara & para)34 bool AuthWidgetHelper::InitWidgetContextParam(const AuthParamInner &authParam, std::vector<AuthType> &validType,
35     const WidgetParam &widgetParam, ContextFactory::AuthWidgetContextPara &para)
36 {
37     for (auto &authType : validType) {
38         ContextFactory::AuthProfile profile;
39         if (!GetUserAuthProfile(para.userId, authType, profile)) {
40             IAM_LOGE("get user auth profile failed");
41             return false;
42         }
43         para.authProfileMap[authType] = profile;
44         if (authType == AuthType::PIN || authType == AuthType::PRIVATE_PIN) {
45             WidgetClient::Instance().SetPinSubType(static_cast<PinSubType>(profile.pinSubType));
46         } else if (authType == AuthType::FINGERPRINT) {
47             WidgetClient::Instance().SetSensorInfo(profile.sensorInfo);
48         }
49     }
50     para.challenge = std::move(authParam.challenge);
51     para.authTypeList = std::move(validType);
52     para.atl = authParam.authTrustLevel;
53     para.widgetParam = widgetParam;
54     if (widgetParam.windowMode == WindowModeType::UNKNOWN_WINDOW_MODE) {
55         para.widgetParam.windowMode = WindowModeType::DIALOG_BOX;
56     }
57     return true;
58 }
59 
GetUserAuthProfile(int32_t userId,const AuthType & authType,ContextFactory::AuthProfile & profile)60 bool AuthWidgetHelper::GetUserAuthProfile(int32_t userId, const AuthType &authType,
61     ContextFactory::AuthProfile &profile)
62 {
63     Attributes values;
64     std::vector<std::shared_ptr<CredentialInfoInterface>> credentialInfos;
65     int32_t ret = UserIdmDatabase::Instance().GetCredentialInfo(userId, authType, credentialInfos);
66     if (ret != SUCCESS) {
67         IAM_LOGE("get credential fail, ret:%{public}d, userId:%{public}d, authType:%{public}d", ret,
68             userId, authType);
69         return false;
70     }
71     if (credentialInfos.empty() || credentialInfos[0] == nullptr) {
72         IAM_LOGE("user %{public}d has no credential type %{public}d", userId, authType);
73         return false;
74     }
75     uint64_t executorIndex = credentialInfos[0]->GetExecutorIndex();
76     auto resourceNode = ResourceNodePool::Instance().Select(executorIndex).lock();
77     if (resourceNode == nullptr) {
78         IAM_LOGE("resourceNode is nullptr");
79         return false;
80     }
81 
82     std::vector<uint64_t> templateIds;
83     templateIds.reserve(credentialInfos.size());
84     for (auto &info : credentialInfos) {
85         if (info == nullptr) {
86             IAM_LOGE("info is null");
87             continue;
88         }
89         templateIds.push_back(info->GetTemplateId());
90     }
91     std::vector<uint32_t> uint32Keys = {
92         Attributes::ATTR_SENSOR_INFO,
93         Attributes::ATTR_REMAIN_TIMES,
94         Attributes::ATTR_FREEZING_TIME
95     };
96     if (authType == AuthType::PIN || authType == AuthType::PRIVATE_PIN) {
97         uint32Keys.push_back(Attributes::ATTR_PIN_SUB_TYPE);
98     }
99 
100     Attributes attr;
101     attr.SetInt32Value(Attributes::ATTR_AUTH_TYPE, authType);
102     attr.SetUint32Value(Attributes::ATTR_PROPERTY_MODE, PROPERTY_MODE_GET);
103     attr.SetUint64ArrayValue(Attributes::ATTR_TEMPLATE_ID_LIST, templateIds);
104     attr.SetUint32ArrayValue(Attributes::ATTR_KEY_LIST, uint32Keys);
105     int32_t result = resourceNode->GetProperty(attr, values);
106     if (result != SUCCESS) {
107         IAM_LOGE("failed to get property, result = %{public}d", result);
108         return false;
109     }
110     return ParseAttributes(values, authType, profile);
111 }
112 
ParseAttributes(const Attributes & values,const AuthType & authType,ContextFactory::AuthProfile & profile)113 bool AuthWidgetHelper::ParseAttributes(const Attributes &values, const AuthType &authType,
114     ContextFactory::AuthProfile &profile)
115 {
116     if (authType == AuthType::PIN || authType == AuthType::PRIVATE_PIN) {
117         if (!values.GetInt32Value(Attributes::ATTR_PIN_SUB_TYPE, profile.pinSubType)) {
118             IAM_LOGE("get ATTR_PIN_SUB_TYPE failed");
119             return false;
120         }
121     }
122     if (!values.GetStringValue(Attributes::ATTR_SENSOR_INFO, profile.sensorInfo)) {
123         IAM_LOGE("get ATTR_SENSOR_INFO failed");
124         return false;
125     }
126     if (!values.GetInt32Value(Attributes::ATTR_REMAIN_TIMES, profile.remainTimes)) {
127         IAM_LOGE("get ATTR_REMAIN_TIMES failed");
128         return false;
129     }
130     if (!values.GetInt32Value(Attributes::ATTR_FREEZING_TIME, profile.freezingTime)) {
131         IAM_LOGE("get ATTR_FREEZING_TIME failed");
132         return false;
133     }
134     return true;
135 }
136 
CheckValidSolution(int32_t userId,const std::vector<AuthType> & authTypeList,const AuthTrustLevel & atl,std::vector<AuthType> & validTypeList)137 int32_t AuthWidgetHelper::CheckValidSolution(int32_t userId,
138     const std::vector<AuthType> &authTypeList, const AuthTrustLevel &atl, std::vector<AuthType> &validTypeList)
139 {
140     IAM_LOGI("start userId:%{public}d atl:%{public}u typeSize:%{public}zu", userId, atl, authTypeList.size());
141     auto hdi = HdiWrapper::GetHdiInstance();
142     if (hdi == nullptr) {
143         IAM_LOGE("hdi interface is nullptr");
144         return GENERAL_ERROR;
145     }
146     std::vector<int32_t> inputAuthType;
147     std::vector<int32_t> validTypes;
148     uint32_t inputAtl = atl;
149     for (auto &type : authTypeList) {
150         if (!SystemParamManager::GetInstance().IsAuthTypeEnable(type)) {
151             IAM_LOGE("authType:%{public}d not enable", type);
152             continue;
153         }
154         inputAuthType.emplace_back(static_cast<int32_t>(type));
155     }
156     int32_t result = hdi->GetValidSolution(userId, inputAuthType, inputAtl, validTypes);
157     if (result != SUCCESS) {
158         IAM_LOGE("GetValidSolution failed result:%{public}d userId:%{public}d", result, userId);
159         return result;
160     }
161     validTypeList.clear();
162     for (auto &type : validTypes) {
163         IAM_LOGI("get valid authType:%{public}d", type);
164         validTypeList.emplace_back(static_cast<AuthType>(type));
165     }
166     return result;
167 }
168 
SetReuseUnlockResult(int32_t apiVersion,const HdiReuseUnlockInfo & info,Attributes & extraInfo)169 int32_t AuthWidgetHelper::SetReuseUnlockResult(int32_t apiVersion, const HdiReuseUnlockInfo &info,
170     Attributes &extraInfo)
171 {
172     bool setSignatureResult = extraInfo.SetUint8ArrayValue(Attributes::ATTR_SIGNATURE, info.token);
173     IF_FALSE_LOGE_AND_RETURN_VAL(setSignatureResult == true, GENERAL_ERROR);
174     bool setAuthTypeResult = extraInfo.SetInt32Value(Attributes::ATTR_AUTH_TYPE,
175         static_cast<int32_t>(info.authType));
176     IF_FALSE_LOGE_AND_RETURN_VAL(setAuthTypeResult == true, GENERAL_ERROR);
177     bool setResultCodeRet = extraInfo.SetInt32Value(Attributes::ATTR_RESULT_CODE, SUCCESS);
178     IF_FALSE_LOGE_AND_RETURN_VAL(setResultCodeRet == true, GENERAL_ERROR);
179     uint64_t credentialDigest = info.enrolledState.credentialDigest;
180     if (apiVersion < INNER_API_VERSION_10000) {
181         credentialDigest = info.enrolledState.credentialDigest & UINT16_MAX;
182     }
183     bool setCredentialDigestRet = extraInfo.SetUint64Value(Attributes::ATTR_CREDENTIAL_DIGEST, credentialDigest);
184     IF_FALSE_LOGE_AND_RETURN_VAL(setCredentialDigestRet == true, GENERAL_ERROR);
185     bool setCredentialCountRet = extraInfo.SetUint16Value(Attributes::ATTR_CREDENTIAL_COUNT,
186         info.enrolledState.credentialCount);
187     IF_FALSE_LOGE_AND_RETURN_VAL(setCredentialCountRet == true, GENERAL_ERROR);
188     return SUCCESS;
189 }
190 
CheckReuseUnlockResult(const ContextFactory::AuthWidgetContextPara & para,const AuthParamInner & authParam,Attributes & extraInfo)191 int32_t AuthWidgetHelper::CheckReuseUnlockResult(const ContextFactory::AuthWidgetContextPara &para,
192     const AuthParamInner &authParam, Attributes &extraInfo)
193 {
194     IAM_LOGI("start userId:%{public}d, reuseMode:%{public}u, reuseDuration: %{public}" PRIu64 ".",
195         para.userId, authParam.reuseUnlockResult.reuseMode, authParam.reuseUnlockResult.reuseDuration);
196     if (!authParam.reuseUnlockResult.isReuse || authParam.reuseUnlockResult.reuseDuration == 0 ||
197         authParam.reuseUnlockResult.reuseDuration > MAX_ALLOWABLE_REUSE_DURATION ||
198         (authParam.reuseUnlockResult.reuseMode != AUTH_TYPE_RELEVANT &&
199         authParam.reuseUnlockResult.reuseMode != AUTH_TYPE_IRRELEVANT &&
200         authParam.reuseUnlockResult.reuseMode != CALLER_IRRELEVANT_AUTH_TYPE_RELEVANT &&
201         authParam.reuseUnlockResult.reuseMode != CALLER_IRRELEVANT_AUTH_TYPE_IRRELEVANT)) {
202         IAM_LOGE("CheckReuseUnlockResult invalid param");
203         return INVALID_PARAMETERS;
204     }
205     auto hdi = HdiWrapper::GetHdiInstance();
206     if (hdi == nullptr) {
207         IAM_LOGE("hdi interface is nullptr");
208         return GENERAL_ERROR;
209     }
210 
211     HdiReuseUnlockParam unlockParam = {};
212     unlockParam.baseParam.userId = para.userId;
213     unlockParam.baseParam.authTrustLevel = authParam.authTrustLevel;
214     for (auto &type : authParam.authTypes) {
215         unlockParam.authTypes.emplace_back(static_cast<HdiAuthType>(type));
216     }
217     unlockParam.baseParam.challenge = authParam.challenge;
218     unlockParam.baseParam.callerName = para.callerName;
219     unlockParam.baseParam.callerType = para.callerType;
220     unlockParam.baseParam.apiVersion = para.sdkVersion;
221     unlockParam.reuseUnlockResultMode = authParam.reuseUnlockResult.reuseMode;
222     unlockParam.reuseUnlockResultDuration = authParam.reuseUnlockResult.reuseDuration;
223 
224     HdiReuseUnlockInfo reuseResultInfo = {};
225     int32_t result = hdi->CheckReuseUnlockResult(unlockParam, reuseResultInfo);
226     if (result != SUCCESS) {
227         IAM_LOGE("CheckReuseUnlockResult failed result:%{public}d userId:%{public}d", result, para.userId);
228         return result;
229     }
230 
231     return SetReuseUnlockResult(para.sdkVersion, reuseResultInfo, extraInfo);
232 }
233 } // namespace UserAuth
234 } // namespace UserIam
235 } // namespace OHOS