1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "user_auth_service.h"
17 #include "hisysevent_adapter.h"
18
19 #include <cinttypes>
20
21 #include "accesstoken_kit.h"
22 #include "auth_common.h"
23 #include "auth_event_listener_manager.h"
24 #include "auth_widget_helper.h"
25 #include "context_factory.h"
26 #include "auth_common.h"
27 #include "context_helper.h"
28 #include "hdi_wrapper.h"
29 #include "iam_check.h"
30 #include "iam_common_defines.h"
31 #include "iam_logger.h"
32 #include "iam_para2str.h"
33 #include "iam_ptr.h"
34 #include "iam_time.h"
35 #include "ipc_common.h"
36 #include "ipc_skeleton.h"
37 #include "keyguard_status_listener.h"
38 #include "system_param_manager.h"
39 #include "soft_bus_manager.h"
40 #include "widget_client.h"
41 #include "remote_msg_util.h"
42 #include "remote_iam_callback.h"
43 #include "remote_auth_service.h"
44 #include "device_manager_util.h"
45 #include "xcollie_helper.h"
46
47 #define LOG_TAG "USER_AUTH_SA"
48
49 namespace OHOS {
50 namespace UserIam {
51 namespace UserAuth {
52 namespace {
53 const int32_t MINIMUM_VERSION = 0;
54 const int32_t CURRENT_VERSION = 1;
55 const int32_t USERIAM_IPC_THREAD_NUM = 4;
56 const uint32_t NETWORK_ID_LENGTH = 64;
57 const bool REMOTE_AUTH_SERVICE_RESULT = RemoteAuthService::GetInstance().Start();
GetTemplatesByAuthType(int32_t userId,AuthType authType,std::vector<uint64_t> & templateIds)58 int32_t GetTemplatesByAuthType(int32_t userId, AuthType authType, std::vector<uint64_t> &templateIds)
59 {
60 templateIds.clear();
61 std::vector<std::shared_ptr<CredentialInfoInterface>> credentialInfos;
62 int32_t ret = UserIdmDatabase::Instance().GetCredentialInfo(userId, authType, credentialInfos);
63 if (ret != SUCCESS) {
64 IAM_LOGE("get credential fail, ret:%{public}d, userId:%{public}d, authType:%{public}d", ret,
65 userId, authType);
66 return GENERAL_ERROR;
67 }
68
69 if (credentialInfos.empty()) {
70 IAM_LOGE("user %{public}d has no credential type %{public}d", userId, authType);
71 return SUCCESS;
72 }
73
74 templateIds.reserve(credentialInfos.size());
75 for (auto &info : credentialInfos) {
76 if (info == nullptr) {
77 IAM_LOGE("info is nullptr");
78 continue;
79 }
80 templateIds.push_back(info->GetTemplateId());
81 }
82
83 return SUCCESS;
84 }
85
IsTemplateIdListRequired(const std::vector<Attributes::AttributeKey> & keys)86 bool IsTemplateIdListRequired(const std::vector<Attributes::AttributeKey> &keys)
87 {
88 for (const auto &key : keys) {
89 if (key == Attributes::AttributeKey::ATTR_PIN_SUB_TYPE ||
90 key == Attributes::AttributeKey::ATTR_REMAIN_TIMES ||
91 key == Attributes::AttributeKey::ATTR_FREEZING_TIME ||
92 key == Attributes::AttributeKey::ATTR_NEXT_FAIL_LOCKOUT_DURATION) {
93 return true;
94 }
95 }
96 return false;
97 }
98
GetResourceNodeByTypeAndRole(AuthType authType,ExecutorRole role,std::vector<std::weak_ptr<ResourceNode>> & authTypeNodes)99 void GetResourceNodeByTypeAndRole(AuthType authType, ExecutorRole role,
100 std::vector<std::weak_ptr<ResourceNode>> &authTypeNodes)
101 {
102 authTypeNodes.clear();
103 ResourceNodePool::Instance().Enumerate(
104 [&authTypeNodes, role, authType](const std::weak_ptr<ResourceNode> &weakNode) {
105 auto node = weakNode.lock();
106 if (node == nullptr) {
107 return;
108 }
109 if (node->GetAuthType() != authType) {
110 return;
111 }
112 if (node->GetExecutorRole() != role) {
113 return;
114 }
115 authTypeNodes.push_back(node);
116 });
117 }
118
GetAuthParamStr(const AuthParamInner & authParam,std::optional<RemoteAuthParam> & remoteAuthParam)119 std::string GetAuthParamStr(const AuthParamInner &authParam, std::optional<RemoteAuthParam> &remoteAuthParam)
120 {
121 std::ostringstream authParamString;
122 authParamString << "userId:" << authParam.userId << " authType:" << authParam.authType
123 << " authIntent:" << authParam.authIntent << " atl:" << authParam.authTrustLevel;
124 if (remoteAuthParam.has_value()) {
125 const uint32_t networkIdPrintLen = 4;
126 const uint32_t tokenIdMinLen = 2;
127 auto verifierNetworkIdStr = remoteAuthParam->verifierNetworkId.value_or("").substr(0, networkIdPrintLen);
128 auto collectorNetworkIdStr = remoteAuthParam->collectorNetworkId.value_or("").substr(0, networkIdPrintLen);
129 auto tokenIdStr = std::to_string(remoteAuthParam->collectorTokenId.value_or(0));
130 if (tokenIdStr.size() > tokenIdMinLen) {
131 tokenIdStr = std::string(1, tokenIdStr[0]) + "****" + std::string(1, tokenIdStr[tokenIdStr.size() - 1]);
132 } else {
133 tokenIdStr = "";
134 }
135
136 authParamString << " isRemoteAuth:true" << " verifierNetworkId:" << verifierNetworkIdStr << "****"
137 " collectorNetworkId:" << collectorNetworkIdStr << "****" << " collectorTokenId:" << tokenIdStr;
138 }
139 return authParamString.str();
140 }
141 const bool REGISTER_RESULT = SystemAbility::MakeAndRegisterAbility(UserAuthService::GetInstance().get());
142 } // namespace
143 std::mutex UserAuthService::mutex_;
144 std::shared_ptr<UserAuthService> UserAuthService::instance_ = nullptr;
145
GetInstance()146 std::shared_ptr<UserAuthService> UserAuthService::GetInstance()
147 {
148 if (instance_ == nullptr) {
149 std::lock_guard<std::mutex> guard(mutex_);
150 if (instance_ == nullptr) {
151 instance_ = Common::MakeShared<UserAuthService>();
152 if (instance_ == nullptr) {
153 IAM_LOGE("make share failed");
154 }
155 }
156 }
157 return instance_;
158 }
159
UserAuthService()160 UserAuthService::UserAuthService()
161 : SystemAbility(SUBSYS_USERIAM_SYS_ABILITY_USERAUTH, true)
162 {}
163
OnStart()164 void UserAuthService::OnStart()
165 {
166 IAM_LOGI("start service");
167 IPCSkeleton::SetMaxWorkThreadNum(USERIAM_IPC_THREAD_NUM);
168 if (!Publish(this)) {
169 IAM_LOGE("failed to publish service");
170 }
171 SystemParamManager::GetInstance().Start();
172 SoftBusManager::GetInstance().Start();
173 KeyguardStatusListenerManager::GetInstance().RegisterCommonEventListener();
174 }
175
OnStop()176 void UserAuthService::OnStop()
177 {
178 IAM_LOGI("stop service");
179 SoftBusManager::GetInstance().Stop();
180 KeyguardStatusListenerManager::GetInstance().UnRegisterCommonEventListener();
181 }
182
CheckAuthTrustLevel(AuthTrustLevel authTrustLevel)183 bool UserAuthService::CheckAuthTrustLevel(AuthTrustLevel authTrustLevel)
184 {
185 if ((authTrustLevel != ATL1) && (authTrustLevel != ATL2) &&
186 (authTrustLevel != ATL3) && (authTrustLevel != ATL4)) {
187 IAM_LOGE("authTrustLevel not support %{public}u", authTrustLevel);
188 return false;
189 }
190 return true;
191 }
192
GetAvailableStatus(int32_t apiVersion,int32_t userId,AuthType authType,AuthTrustLevel authTrustLevel)193 int32_t UserAuthService::GetAvailableStatus(int32_t apiVersion, int32_t userId, AuthType authType,
194 AuthTrustLevel authTrustLevel)
195 {
196 IAM_LOGI("start with userId");
197
198 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
199 IAM_LOGE("failed to check permission");
200 return CHECK_PERMISSION_FAILED;
201 }
202 return GetAvailableStatusInner(apiVersion, userId, authType, authTrustLevel);
203 }
204
GetAvailableStatus(int32_t apiVersion,AuthType authType,AuthTrustLevel authTrustLevel)205 int32_t UserAuthService::GetAvailableStatus(int32_t apiVersion, AuthType authType, AuthTrustLevel authTrustLevel)
206 {
207 IAM_LOGI("start without userId");
208
209 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
210 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
211 IAM_LOGE("failed to check permission");
212 return CHECK_PERMISSION_FAILED;
213 }
214 if ((apiVersion <= API_VERSION_8 && authType == PIN) ||
215 !SystemParamManager::GetInstance().IsAuthTypeEnable(authType)) {
216 IAM_LOGE("authType not support");
217 return TYPE_NOT_SUPPORT;
218 }
219 int32_t userId = INVALID_USER_ID;
220 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
221 IAM_LOGE("failed to get userId");
222 return GENERAL_ERROR;
223 }
224 return GetAvailableStatusInner(apiVersion, userId, authType, authTrustLevel);
225 }
226
GetAvailableStatusInner(int32_t apiVersion,int32_t userId,AuthType authType,AuthTrustLevel authTrustLevel)227 int32_t UserAuthService::GetAvailableStatusInner(int32_t apiVersion, int32_t userId, AuthType authType,
228 AuthTrustLevel authTrustLevel)
229 {
230 if (!CheckAuthTrustLevel(authTrustLevel)) {
231 IAM_LOGE("authTrustLevel is not in correct range");
232 return TRUST_LEVEL_NOT_SUPPORT;
233 }
234 auto hdi = HdiWrapper::GetHdiInstance();
235 if (hdi == nullptr) {
236 IAM_LOGE("hdi interface is nullptr");
237 return GENERAL_ERROR;
238 }
239 int32_t checkRet = GENERAL_ERROR;
240 int32_t result = hdi->GetAvailableStatus(userId, authType, authTrustLevel, checkRet);
241 if (result != SUCCESS) {
242 IAM_LOGE("hdi GetAvailableStatus failed");
243 return GENERAL_ERROR;
244 }
245 IAM_LOGI("GetAvailableStatus result:%{public}d", checkRet);
246 return checkRet;
247 }
248
FillGetPropertyKeys(AuthType authType,const std::vector<Attributes::AttributeKey> & keys,std::vector<uint32_t> & uint32Keys)249 void UserAuthService::FillGetPropertyKeys(AuthType authType, const std::vector<Attributes::AttributeKey> &keys,
250 std::vector<uint32_t> &uint32Keys)
251 {
252 uint32Keys.reserve(keys.size());
253 for (const auto &key : keys) {
254 if (key == Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION && authType != PIN) {
255 continue;
256 }
257 uint32Keys.push_back(static_cast<uint32_t>(key));
258 }
259 }
260
FillGetPropertyValue(AuthType authType,const std::vector<Attributes::AttributeKey> & keys,Attributes & values)261 void UserAuthService::FillGetPropertyValue(AuthType authType, const std::vector<Attributes::AttributeKey> &keys,
262 Attributes &values)
263 {
264 for (const auto &key : keys) {
265 if (key == Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION && authType != PIN) {
266 if (!values.SetInt32Value(Attributes::ATTR_NEXT_FAIL_LOCKOUT_DURATION, FIRST_LOCKOUT_DURATION_EXCEPT_PIN)) {
267 IAM_LOGE("set nextFailLockoutDuration failed, authType %{public}d", authType);
268 }
269 break;
270 }
271 }
272 }
273
GetResourseNode(AuthType authType)274 std::shared_ptr<ResourceNode> UserAuthService::GetResourseNode(AuthType authType)
275 {
276 std::vector<std::weak_ptr<ResourceNode>> authTypeNodes;
277 GetResourceNodeByTypeAndRole(authType, ALL_IN_ONE, authTypeNodes);
278 if (authTypeNodes.size() != 1) {
279 IAM_LOGE("auth type %{public}d resource node num %{public}zu is not expected",
280 authType, authTypeNodes.size());
281 return nullptr;
282 }
283
284 auto resourceNode = authTypeNodes[0].lock();
285 if (resourceNode == nullptr) {
286 IAM_LOGE("resourceNode is nullptr");
287 return nullptr;
288 }
289
290 return resourceNode;
291 }
292
GetPropertyInner(AuthType authType,const std::vector<Attributes::AttributeKey> & keys,sptr<GetExecutorPropertyCallbackInterface> & callback,std::vector<uint64_t> & templateIds)293 void UserAuthService::GetPropertyInner(AuthType authType, const std::vector<Attributes::AttributeKey> &keys,
294 sptr<GetExecutorPropertyCallbackInterface> &callback, std::vector<uint64_t> &templateIds)
295 {
296 Attributes values;
297 auto resourceNode = GetResourseNode(authType);
298 if (resourceNode == nullptr) {
299 IAM_LOGE("resourceNode is nullptr");
300 callback->OnGetExecutorPropertyResult(GENERAL_ERROR, values);
301 return;
302 }
303
304 std::vector<uint32_t> uint32Keys;
305 FillGetPropertyKeys(authType, keys, uint32Keys);
306 Attributes attr;
307 attr.SetUint32Value(Attributes::ATTR_PROPERTY_MODE, PROPERTY_MODE_GET);
308 attr.SetUint64ArrayValue(Attributes::ATTR_TEMPLATE_ID_LIST, templateIds);
309 attr.SetUint32ArrayValue(Attributes::ATTR_KEY_LIST, uint32Keys);
310
311 int32_t result = resourceNode->GetProperty(attr, values);
312 if (result != SUCCESS) {
313 IAM_LOGE("failed to get property, result = %{public}d", result);
314 }
315 FillGetPropertyValue(authType, keys, values);
316
317 callback->OnGetExecutorPropertyResult(result, values);
318 }
319
GetProperty(int32_t userId,AuthType authType,const std::vector<Attributes::AttributeKey> & keys,sptr<GetExecutorPropertyCallbackInterface> & callback)320 void UserAuthService::GetProperty(int32_t userId, AuthType authType,
321 const std::vector<Attributes::AttributeKey> &keys, sptr<GetExecutorPropertyCallbackInterface> &callback)
322 {
323 IAM_LOGI("start");
324 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
325 IF_FALSE_LOGE_AND_RETURN(callback != nullptr);
326 Attributes values;
327
328 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
329 IAM_LOGE("failed to check permission");
330 callback->OnGetExecutorPropertyResult(CHECK_PERMISSION_FAILED, values);
331 return;
332 }
333
334 std::vector<uint64_t> templateIds;
335 if (IsTemplateIdListRequired(keys)) {
336 int32_t ret = GetTemplatesByAuthType(userId, authType, templateIds);
337 if (ret != SUCCESS) {
338 IAM_LOGE("get templates fail, ret:%{public}d, userId:%{public}d, authType:%{public}d", ret,
339 userId, authType);
340 callback->OnGetExecutorPropertyResult(GENERAL_ERROR, values);
341 return;
342 }
343 if (templateIds.size() == 0) {
344 IAM_LOGE("template id list is required, but templateIds size is 0");
345 callback->OnGetExecutorPropertyResult(NOT_ENROLLED, values);
346 return;
347 }
348 }
349
350 GetPropertyInner(authType, keys, callback, templateIds);
351 }
352
GetPropertyById(uint64_t credentialId,const std::vector<Attributes::AttributeKey> & keys,sptr<GetExecutorPropertyCallbackInterface> & callback)353 void UserAuthService::GetPropertyById(uint64_t credentialId, const std::vector<Attributes::AttributeKey> &keys,
354 sptr<GetExecutorPropertyCallbackInterface> &callback)
355 {
356 IAM_LOGI("start");
357 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
358 IF_FALSE_LOGE_AND_RETURN(callback != nullptr);
359 Attributes values;
360
361 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
362 IAM_LOGE("failed to check permission");
363 callback->OnGetExecutorPropertyResult(CHECK_PERMISSION_FAILED, values);
364 return;
365 }
366
367 std::shared_ptr<CredentialInfoInterface> credInfo;
368 std::vector<uint64_t> templateIds;
369 int32_t ret = UserIdmDatabase::Instance().GetCredentialInfoById(credentialId, credInfo);
370 if (ret != SUCCESS) {
371 IAM_LOGE("get credentialInfp fail, ret:%{public}d", ret);
372 callback->OnGetExecutorPropertyResult(ret, values);
373 return;
374 }
375 if (credInfo == nullptr) {
376 IAM_LOGE("credential is nullptr");
377 callback->OnGetExecutorPropertyResult(GENERAL_ERROR, values);
378 return;
379 }
380
381 AuthType authType = credInfo->GetAuthType();
382 templateIds.push_back(credInfo->GetTemplateId());
383 GetPropertyInner(authType, keys, callback, templateIds);
384 }
385
SetProperty(int32_t userId,AuthType authType,const Attributes & attributes,sptr<SetExecutorPropertyCallbackInterface> & callback)386 void UserAuthService::SetProperty(int32_t userId, AuthType authType, const Attributes &attributes,
387 sptr<SetExecutorPropertyCallbackInterface> &callback)
388 {
389 IAM_LOGI("start");
390 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
391 if (callback == nullptr) {
392 IAM_LOGE("callback is nullptr");
393 return;
394 }
395 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
396 IAM_LOGE("permission check failed");
397 callback->OnSetExecutorPropertyResult(CHECK_PERMISSION_FAILED);
398 return;
399 }
400
401 std::vector<std::weak_ptr<ResourceNode>> authTypeNodes;
402 GetResourceNodeByTypeAndRole(authType, ALL_IN_ONE, authTypeNodes);
403 if (authTypeNodes.size() != 1) {
404 IAM_LOGE("auth type %{public}d resource node num %{public}zu is not expected",
405 authType, authTypeNodes.size());
406 callback->OnSetExecutorPropertyResult(GENERAL_ERROR);
407 return;
408 }
409
410 auto resourceNode = authTypeNodes[0].lock();
411 if (resourceNode == nullptr) {
412 IAM_LOGE("resourceNode is nullptr");
413 callback->OnSetExecutorPropertyResult(GENERAL_ERROR);
414 return;
415 }
416 int32_t result = resourceNode->SetProperty(attributes);
417 if (result != SUCCESS) {
418 IAM_LOGE("set property failed, result = %{public}d", result);
419 }
420 callback->OnSetExecutorPropertyResult(result);
421 }
422
GetAuthContextCallback(int32_t apiVersion,const std::vector<uint8_t> & challenge,AuthType authType,AuthTrustLevel authTrustLevel,sptr<UserAuthCallbackInterface> & callback)423 std::shared_ptr<ContextCallback> UserAuthService::GetAuthContextCallback(int32_t apiVersion,
424 const std::vector<uint8_t> &challenge, AuthType authType,
425 AuthTrustLevel authTrustLevel, sptr<UserAuthCallbackInterface> &callback)
426 {
427 if (callback == nullptr) {
428 IAM_LOGE("callback is nullptr");
429 return nullptr;
430 }
431 auto contextCallback = ContextCallback::NewInstance(callback, TRACE_AUTH_USER_ALL);
432 if (contextCallback == nullptr) {
433 IAM_LOGE("failed to construct context callback");
434 Attributes extraInfo;
435 callback->OnResult(GENERAL_ERROR, extraInfo);
436 return nullptr;
437 }
438 contextCallback->SetTraceAuthType(authType);
439 contextCallback->SetTraceAuthTrustLevel(authTrustLevel);
440 contextCallback->SetTraceAuthWidgetType(authType);
441 contextCallback->SetTraceSdkVersion(apiVersion);
442 return contextCallback;
443 }
444
CheckAuthPermissionAndParam(int32_t authType,const int32_t & callerType,const std::string & callerName,AuthTrustLevel authTrustLevel)445 int32_t UserAuthService::CheckAuthPermissionAndParam(int32_t authType, const int32_t &callerType,
446 const std::string &callerName, AuthTrustLevel authTrustLevel)
447 {
448 if (!IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
449 IAM_LOGE("failed to check permission");
450 return CHECK_PERMISSION_FAILED;
451 }
452 if (callerType == Security::AccessToken::TOKEN_HAP && (!IpcCommon::CheckForegroundApplication(callerName))) {
453 IAM_LOGE("failed to check foreground application");
454 return CHECK_PERMISSION_FAILED;
455 }
456 if ((authType == PIN) || !SystemParamManager::GetInstance().IsAuthTypeEnable(authType)) {
457 IAM_LOGE("authType not support");
458 return TYPE_NOT_SUPPORT;
459 }
460 if (!CheckAuthTrustLevel(authTrustLevel)) {
461 IAM_LOGE("authTrustLevel is not in correct range");
462 return TRUST_LEVEL_NOT_SUPPORT;
463 }
464 return SUCCESS;
465 }
466
Auth(int32_t apiVersion,const std::vector<uint8_t> & challenge,AuthType authType,AuthTrustLevel authTrustLevel,sptr<UserAuthCallbackInterface> & callback)467 uint64_t UserAuthService::Auth(int32_t apiVersion, const std::vector<uint8_t> &challenge,
468 AuthType authType, AuthTrustLevel authTrustLevel, sptr<UserAuthCallbackInterface> &callback)
469 {
470 IAM_LOGI("start");
471 auto contextCallback = GetAuthContextCallback(apiVersion, challenge, authType, authTrustLevel, callback);
472 if (contextCallback == nullptr) {
473 IAM_LOGE("contextCallback is nullptr");
474 return BAD_CONTEXT_ID;
475 }
476 std::string callerName = "";
477 Attributes extraInfo;
478 int32_t callerType = 0;
479 if ((!IpcCommon::GetCallerName(*this, callerName, callerType))) {
480 IAM_LOGE("get bundle name fail");
481 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
482 return BAD_CONTEXT_ID;
483 }
484 contextCallback->SetTraceCallerName(callerName);
485 contextCallback->SetTraceCallerType(callerType);
486 int32_t checkRet = CheckAuthPermissionAndParam(authType, callerType, callerName, authTrustLevel);
487 if (checkRet != SUCCESS) {
488 IAM_LOGE("check auth permission and param fail");
489 contextCallback->OnResult(checkRet, extraInfo);
490 return BAD_CONTEXT_ID;
491 }
492 int32_t userId = INVALID_USER_ID;
493 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
494 IAM_LOGE("get callingUserId failed");
495 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
496 return BAD_CONTEXT_ID;
497 }
498 contextCallback->SetTraceUserId(userId);
499 Authentication::AuthenticationPara para = {};
500 para.tokenId = IpcCommon::GetAccessTokenId(*this);
501 para.userId = userId;
502 para.authType = authType;
503 para.atl = authTrustLevel;
504 para.challenge = std::move(challenge);
505 para.endAfterFirstFail = true;
506 para.callerName = callerName;
507 para.callerType = callerType;
508 para.sdkVersion = apiVersion;
509 para.authIntent = AuthIntent::DEFAULT;
510 para.isOsAccountVerified = GetAndUpateOsAccountVerifiedState(userId);
511 return StartAuthContext(apiVersion, para, contextCallback);
512 }
513
StartAuthContext(int32_t apiVersion,Authentication::AuthenticationPara para,const std::shared_ptr<ContextCallback> & contextCallback)514 uint64_t UserAuthService::StartAuthContext(int32_t apiVersion, Authentication::AuthenticationPara para,
515 const std::shared_ptr<ContextCallback> &contextCallback)
516 {
517 Attributes extraInfo;
518 auto context = ContextFactory::CreateSimpleAuthContext(para, contextCallback);
519 if (context == nullptr || !ContextPool::Instance().Insert(context)) {
520 IAM_LOGE("failed to insert context");
521 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
522 return BAD_CONTEXT_ID;
523 }
524 contextCallback->SetTraceRequestContextId(context->GetContextId());
525 contextCallback->SetTraceAuthContextId(context->GetContextId());
526 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
527
528 if (!context->Start()) {
529 int32_t errorCode = context->GetLatestError();
530 IAM_LOGE("failed to start auth apiVersion:%{public}d errorCode:%{public}d", apiVersion, errorCode);
531 contextCallback->OnResult(errorCode, extraInfo);
532 return BAD_CONTEXT_ID;
533 }
534 return context->GetContextId();
535 }
536
StartRemoteAuthInvokerContext(AuthParamInner authParam,RemoteAuthInvokerContextParam & param,const std::shared_ptr<ContextCallback> & contextCallback)537 uint64_t UserAuthService::StartRemoteAuthInvokerContext(AuthParamInner authParam,
538 RemoteAuthInvokerContextParam ¶m, const std::shared_ptr<ContextCallback> &contextCallback)
539 {
540 Attributes extraInfo;
541 std::shared_ptr<Context> context = ContextFactory::CreateRemoteAuthInvokerContext(authParam, param,
542 contextCallback);
543 if (context == nullptr || !ContextPool::Instance().Insert(context)) {
544 IAM_LOGE("failed to insert context");
545 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
546 return BAD_CONTEXT_ID;
547 }
548 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
549
550 if (!context->Start()) {
551 int32_t errorCode = context->GetLatestError();
552 IAM_LOGE("failed to start auth errorCode:%{public}d", errorCode);
553 contextCallback->OnResult(errorCode, extraInfo);
554 return BAD_CONTEXT_ID;
555 }
556 return context->GetContextId();
557 }
558
CheckAuthPermissionAndParam(AuthType authType,AuthTrustLevel authTrustLevel,const std::shared_ptr<ContextCallback> & contextCallback,Attributes & extraInfo)559 bool UserAuthService::CheckAuthPermissionAndParam(AuthType authType, AuthTrustLevel authTrustLevel,
560 const std::shared_ptr<ContextCallback> &contextCallback, Attributes &extraInfo)
561 {
562 if (!CheckAuthTrustLevel(authTrustLevel)) {
563 IAM_LOGE("authTrustLevel is not in correct range");
564 contextCallback->OnResult(TRUST_LEVEL_NOT_SUPPORT, extraInfo);
565 return false;
566 }
567 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
568 IAM_LOGE("failed to check permission");
569 contextCallback->OnResult(CHECK_PERMISSION_FAILED, extraInfo);
570 return false;
571 }
572 if (!SystemParamManager::GetInstance().IsAuthTypeEnable(authType)) {
573 IAM_LOGE("auth type not support");
574 contextCallback->OnResult(TYPE_NOT_SUPPORT, extraInfo);
575 return false;
576 }
577 return true;
578 }
579
AuthUser(AuthParamInner & authParam,std::optional<RemoteAuthParam> & remoteAuthParam,sptr<UserAuthCallbackInterface> & callback)580 uint64_t UserAuthService::AuthUser(AuthParamInner &authParam, std::optional<RemoteAuthParam> &remoteAuthParam,
581 sptr<UserAuthCallbackInterface> &callback)
582 {
583 IAM_LOGI("start, %{public}s", GetAuthParamStr(authParam, remoteAuthParam).c_str());
584 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
585 auto contextCallback = GetAuthContextCallback(INNER_API_VERSION_10000, authParam.challenge, authParam.authType,
586 authParam.authTrustLevel, callback);
587 if (contextCallback == nullptr) {
588 IAM_LOGE("contextCallback is nullptr");
589 return BAD_CONTEXT_ID;
590 }
591 contextCallback->SetTraceUserId(authParam.userId);
592 Attributes extraInfo;
593 std::string callerName = "";
594 int32_t callerType = 0;
595 if ((!IpcCommon::GetCallerName(*this, callerName, callerType))) {
596 IAM_LOGE("get caller name fail");
597 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
598 return BAD_CONTEXT_ID;
599 }
600 contextCallback->SetTraceCallerName(callerName);
601 contextCallback->SetTraceCallerType(callerType);
602 if (CheckAuthPermissionAndParam(authParam.authType, authParam.authTrustLevel, contextCallback,
603 extraInfo) == false) {
604 return BAD_CONTEXT_ID;
605 }
606 Authentication::AuthenticationPara para = {};
607 para.tokenId = IpcCommon::GetAccessTokenId(*this);
608 para.userId = authParam.userId;
609 para.authType = authParam.authType;
610 para.atl = authParam.authTrustLevel;
611 para.challenge = authParam.challenge;
612 para.endAfterFirstFail = false;
613 para.callerName = callerName;
614 para.callerType = callerType;
615 para.sdkVersion = INNER_API_VERSION_10000;
616 para.authIntent = authParam.authIntent;
617 para.isOsAccountVerified = GetAndUpateOsAccountVerifiedState(authParam.userId);
618 if (!remoteAuthParam.has_value()) {
619 return StartAuthContext(INNER_API_VERSION_10000, para, contextCallback);
620 }
621
622 ResultCode failReason = GENERAL_ERROR;
623 uint64_t contextId = AuthRemoteUser(authParam, para, remoteAuthParam.value(), contextCallback, failReason);
624 if (contextId == BAD_CONTEXT_ID) {
625 contextCallback->OnResult(failReason, extraInfo);
626 return BAD_CONTEXT_ID;
627 }
628
629 IAM_LOGI("success");
630 return contextId;
631 }
632
PrepareRemoteAuthInner(const std::string & networkId)633 int32_t UserAuthService::PrepareRemoteAuthInner(const std::string &networkId)
634 {
635 IAM_LOGI("start");
636 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
637 IAM_LOGE("failed to check permission");
638 return CHECK_PERMISSION_FAILED;
639 }
640 if (networkId.empty()) {
641 IAM_LOGE("networkId is empty");
642 return INVALID_PARAMETERS;
643 }
644
645 std::string udid;
646 bool getUdidRet = DeviceManagerUtil::GetInstance().GetUdidByNetworkId(networkId, udid);
647 IF_FALSE_LOGE_AND_RETURN_VAL(getUdidRet, GENERAL_ERROR);
648
649 auto hdi = HdiWrapper::GetHdiInstance();
650 IF_FALSE_LOGE_AND_RETURN_VAL(hdi != nullptr, GENERAL_ERROR);
651
652 int32_t ret = hdi->PrepareRemoteAuth(udid);
653 IF_FALSE_LOGE_AND_RETURN_VAL(ret == HDF_SUCCESS, GENERAL_ERROR);
654
655 IAM_LOGI("success");
656 return SUCCESS;
657 }
658
PrepareRemoteAuth(const std::string & networkId,sptr<UserAuthCallbackInterface> & callback)659 int32_t UserAuthService::PrepareRemoteAuth(const std::string &networkId, sptr<UserAuthCallbackInterface> &callback)
660 {
661 IAM_LOGI("start");
662 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
663 if (callback == nullptr) {
664 IAM_LOGE("callback is nullptr");
665 return INVALID_PARAMETERS;
666 }
667
668 int32_t ret = PrepareRemoteAuthInner(networkId);
669 if (ret != SUCCESS) {
670 IAM_LOGE("failed to prepare remote auth");
671 }
672
673 Attributes attr;
674 callback->OnResult(ret, attr);
675
676 IAM_LOGI("success");
677 return SUCCESS;
678 }
679
AuthRemoteUser(AuthParamInner & authParam,Authentication::AuthenticationPara & para,RemoteAuthParam & remoteAuthParam,const std::shared_ptr<ContextCallback> & contextCallback,ResultCode & failReason)680 uint64_t UserAuthService::AuthRemoteUser(AuthParamInner &authParam, Authentication::AuthenticationPara ¶,
681 RemoteAuthParam &remoteAuthParam, const std::shared_ptr<ContextCallback> &contextCallback, ResultCode &failReason)
682 {
683 IAM_LOGI("start");
684 failReason = GENERAL_ERROR;
685
686 if (para.authType != PIN) {
687 IAM_LOGE("Remote auth only support pin auth");
688 failReason = INVALID_PARAMETERS;
689 return BAD_CONTEXT_ID;
690 }
691
692 if (authParam.userId == INVALID_USER_ID) {
693 IAM_LOGE("userid must be set for remote auth");
694 failReason = INVALID_PARAMETERS;
695 return BAD_CONTEXT_ID;
696 }
697
698 std::string localNetworkId;
699 bool getNetworkIdRet = DeviceManagerUtil::GetInstance().GetLocalDeviceNetWorkId(localNetworkId);
700 IF_FALSE_LOGE_AND_RETURN_VAL(getNetworkIdRet, BAD_CONTEXT_ID);
701
702 bool completeRet = CompleteRemoteAuthParam(remoteAuthParam, localNetworkId);
703 if (!completeRet) {
704 IAM_LOGE("failed to complete remote auth param");
705 failReason = INVALID_PARAMETERS;
706 return BAD_CONTEXT_ID;
707 }
708
709 if (remoteAuthParam.collectorTokenId.has_value()) {
710 para.collectorTokenId = remoteAuthParam.collectorTokenId.value();
711 } else {
712 para.collectorTokenId = para.tokenId;
713 }
714
715 if (remoteAuthParam.collectorNetworkId.value() == localNetworkId) {
716 RemoteAuthInvokerContextParam remoteAuthInvokerContextParam;
717 remoteAuthInvokerContextParam.connectionName = "";
718 remoteAuthInvokerContextParam.verifierNetworkId = remoteAuthParam.verifierNetworkId.value();
719 remoteAuthInvokerContextParam.collectorNetworkId = remoteAuthParam.collectorNetworkId.value();
720 remoteAuthInvokerContextParam.tokenId = para.tokenId;
721 remoteAuthInvokerContextParam.collectorTokenId = para.collectorTokenId;
722 remoteAuthInvokerContextParam.callerName = para.callerName;
723 remoteAuthInvokerContextParam.callerType = para.callerType;
724 IAM_LOGI("start remote auth invoker context");
725 return StartRemoteAuthInvokerContext(authParam, remoteAuthInvokerContextParam, contextCallback);
726 }
727
728 RemoteAuthContextParam remoteAuthContextParam;
729 remoteAuthContextParam.authType = authParam.authType;
730 remoteAuthContextParam.connectionName = "";
731 remoteAuthContextParam.collectorNetworkId = remoteAuthParam.collectorNetworkId.value();
732 remoteAuthContextParam.executorInfoMsg = {};
733 int32_t dummyLastError = 0;
734 IAM_LOGI("start remote auth context");
735 return RemoteAuthService::GetInstance().StartRemoteAuthContext(
736 para, remoteAuthContextParam, contextCallback, dummyLastError);
737 }
738
Identify(const std::vector<uint8_t> & challenge,AuthType authType,sptr<UserAuthCallbackInterface> & callback)739 uint64_t UserAuthService::Identify(const std::vector<uint8_t> &challenge, AuthType authType,
740 sptr<UserAuthCallbackInterface> &callback)
741 {
742 IAM_LOGI("start");
743 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
744
745 if (callback == nullptr) {
746 IAM_LOGE("callback is nullptr");
747 return BAD_CONTEXT_ID;
748 }
749 Attributes extraInfo;
750 auto contextCallback = ContextCallback::NewInstance(callback, TRACE_IDENTIFY);
751 if (contextCallback == nullptr) {
752 IAM_LOGE("failed to construct context callback");
753 callback->OnResult(GENERAL_ERROR, extraInfo);
754 return BAD_CONTEXT_ID;
755 }
756 if ((authType == PIN) || !SystemParamManager::GetInstance().IsAuthTypeEnable(authType)) {
757 IAM_LOGE("type not support %{public}d", authType);
758 contextCallback->OnResult(TYPE_NOT_SUPPORT, extraInfo);
759 return BAD_CONTEXT_ID;
760 }
761 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
762 IAM_LOGE("failed to check permission");
763 contextCallback->OnResult(CHECK_PERMISSION_FAILED, extraInfo);
764 return BAD_CONTEXT_ID;
765 }
766
767 Identification::IdentificationPara para = {};
768 para.tokenId = IpcCommon::GetAccessTokenId(*this);
769 para.authType = authType;
770 para.challenge = std::move(challenge);
771 auto context = ContextFactory::CreateIdentifyContext(para, contextCallback);
772 if (!ContextPool::Instance().Insert(context)) {
773 IAM_LOGE("failed to insert context");
774 contextCallback->OnResult(GENERAL_ERROR, extraInfo);
775 return BAD_CONTEXT_ID;
776 }
777
778 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
779
780 if (!context->Start()) {
781 IAM_LOGE("failed to start identify");
782 contextCallback->OnResult(context->GetLatestError(), extraInfo);
783 return BAD_CONTEXT_ID;
784 }
785 return context->GetContextId();
786 }
787
CancelAuthOrIdentify(uint64_t contextId)788 int32_t UserAuthService::CancelAuthOrIdentify(uint64_t contextId)
789 {
790 IAM_LOGI("start");
791 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
792 bool checkRet = !IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
793 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION);
794 if (checkRet) {
795 IAM_LOGE("failed to check permission");
796 return CHECK_PERMISSION_FAILED;
797 }
798 auto context = ContextPool::Instance().Select(contextId).lock();
799 if (context == nullptr) {
800 IAM_LOGE("context not exist");
801 return GENERAL_ERROR;
802 }
803
804 if (context->GetTokenId() != IpcCommon::GetAccessTokenId(*this)) {
805 IAM_LOGE("failed to check tokenId");
806 return INVALID_CONTEXT_ID;
807 }
808
809 if (!context->Stop()) {
810 IAM_LOGE("failed to cancel auth or identify");
811 return context->GetLatestError();
812 }
813
814 return SUCCESS;
815 }
816
GetVersion(int32_t & version)817 int32_t UserAuthService::GetVersion(int32_t &version)
818 {
819 IAM_LOGI("start");
820 version = MINIMUM_VERSION;
821 bool checkRet = !IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION) &&
822 !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION);
823 if (checkRet) {
824 IAM_LOGE("failed to check permission");
825 return CHECK_PERMISSION_FAILED;
826 }
827 version = CURRENT_VERSION;
828 return SUCCESS;
829 }
830
CheckAuthWidgetType(const std::vector<AuthType> & authType)831 int32_t UserAuthService::CheckAuthWidgetType(const std::vector<AuthType> &authType)
832 {
833 if (authType.empty() || (authType.size() > MAX_AUTH_TYPE_SIZE)) {
834 IAM_LOGE("invalid authType size:%{public}zu", authType.size());
835 return INVALID_PARAMETERS;
836 }
837 for (auto &type : authType) {
838 if ((type != AuthType::PIN) && (type != AuthType::FACE) && (type != AuthType::FINGERPRINT) &&
839 (type != AuthType::PRIVATE_PIN)) {
840 IAM_LOGE("unsupport auth type %{public}d", type);
841 return TYPE_NOT_SUPPORT;
842 }
843 }
844 std::set<AuthType> typeChecker(authType.begin(), authType.end());
845 if (typeChecker.size() != authType.size()) {
846 IAM_LOGE("duplicate auth type");
847 return INVALID_PARAMETERS;
848 }
849 bool hasPin = false;
850 bool hasPrivatePin = false;
851 for (const auto &iter : authType) {
852 if (iter == AuthType::PIN) {
853 hasPin = true;
854 } else if (iter == AuthType::PRIVATE_PIN) {
855 hasPrivatePin = true;
856 }
857 }
858 if (hasPin && hasPrivatePin) {
859 IAM_LOGE("pin and private pin not support");
860 return INVALID_PARAMETERS;
861 }
862 return SUCCESS;
863 }
864
CheckSingeFaceOrFinger(const std::vector<AuthType> & authType)865 bool UserAuthService::CheckSingeFaceOrFinger(const std::vector<AuthType> &authType)
866 {
867 const size_t sizeOne = 1;
868 const size_t type0 = 0;
869 if (authType.size() != sizeOne) {
870 return false;
871 }
872 if (authType[type0] == AuthType::FACE) {
873 return true;
874 }
875 if (authType[type0] == AuthType::FINGERPRINT) {
876 return true;
877 }
878 return false;
879 }
880
CheckPrivatePinEnroll(const std::vector<AuthType> & authType,std::vector<AuthType> & validType)881 bool UserAuthService::CheckPrivatePinEnroll(const std::vector<AuthType> &authType, std::vector<AuthType> &validType)
882 {
883 bool hasPrivatePin = false;
884 for (auto &iter : authType) {
885 if (iter == AuthType::PRIVATE_PIN) {
886 hasPrivatePin = true;
887 break;
888 }
889 }
890 if (!hasPrivatePin) {
891 return true;
892 }
893 const size_t sizeTwo = 2;
894 bool hasFace = false;
895 bool hasFinger = false;
896 for (const auto &iter : validType) {
897 if (iter == AuthType::FACE) {
898 hasFace = true;
899 } else if (iter == AuthType::FINGERPRINT) {
900 hasFinger = true;
901 }
902 if (hasFace && hasFinger) {
903 break;
904 }
905 }
906 if (validType.size() == sizeTwo && hasFace && hasFinger) {
907 return false;
908 }
909 return true;
910 }
911
CheckCallerPermissionForPrivatePin(const AuthParamInner & authParam)912 int32_t UserAuthService::CheckCallerPermissionForPrivatePin(const AuthParamInner &authParam)
913 {
914 bool hasPrivatePin = false;
915 for (auto &iter : authParam.authTypes) {
916 if (iter == AuthType::PRIVATE_PIN) {
917 hasPrivatePin = true;
918 break;
919 }
920 }
921 if (!hasPrivatePin) {
922 return SUCCESS;
923 }
924 if (IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
925 return SUCCESS;
926 }
927 if (IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
928 return SUCCESS;
929 }
930 IAM_LOGE("CheckPermission failed");
931 return CHECK_PERMISSION_FAILED;
932 }
933
CheckAuthPermissionAndParam(const AuthParamInner & authParam,const WidgetParam & widgetParam,bool isBackgroundApplication)934 int32_t UserAuthService::CheckAuthPermissionAndParam(const AuthParamInner &authParam, const WidgetParam &widgetParam,
935 bool isBackgroundApplication)
936 {
937 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP) &&
938 (widgetParam.windowMode != WindowModeType::UNKNOWN_WINDOW_MODE)) {
939 IAM_LOGE("normal app can't set window mode.");
940 return INVALID_PARAMETERS;
941 }
942 if (CheckCallerPermissionForPrivatePin(authParam) != SUCCESS) {
943 IAM_LOGE("CheckCallerPermissionForPrivatePin failed");
944 return CHECK_PERMISSION_FAILED;
945 }
946 if (!authParam.isUserIdSpecified && !IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
947 IAM_LOGE("CheckPermission failed");
948 return CHECK_PERMISSION_FAILED;
949 }
950 if (authParam.isUserIdSpecified && !IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
951 IAM_LOGE("CheckPermission failed");
952 return CHECK_PERMISSION_FAILED;
953 }
954 int32_t ret = CheckAuthWidgetType(authParam.authTypes);
955 if (ret != SUCCESS) {
956 IAM_LOGE("CheckAuthWidgetType fail.");
957 return ret;
958 }
959 if (!CheckAuthTrustLevel(authParam.authTrustLevel)) {
960 IAM_LOGE("authTrustLevel is not in correct range");
961 return ResultCode::TRUST_LEVEL_NOT_SUPPORT;
962 }
963 static const size_t authTypeTwo = 2;
964 static const size_t authType0 = 0;
965 static const size_t authType1 = 1;
966 std::vector<AuthType> authType = authParam.authTypes;
967 if (((authType.size() == authTypeTwo) &&
968 (authType[authType0] == AuthType::FACE) && (authType[authType1] == AuthType::FINGERPRINT)) ||
969 ((authType.size() == authTypeTwo) &&
970 (authType[authType0] == AuthType::FINGERPRINT) && (authType[authType1] == AuthType::FACE))) {
971 IAM_LOGE("only face and finger not support");
972 return INVALID_PARAMETERS;
973 }
974 if (widgetParam.title.empty()) {
975 IAM_LOGE("title is empty");
976 return INVALID_PARAMETERS;
977 }
978 return SUCCESS;
979 }
980
StartWidgetContext(const std::shared_ptr<ContextCallback> & contextCallback,const AuthParamInner & authParam,const WidgetParam & widgetParam,std::vector<AuthType> & validType,ContextFactory::AuthWidgetContextPara & para)981 uint64_t UserAuthService::StartWidgetContext(const std::shared_ptr<ContextCallback> &contextCallback,
982 const AuthParamInner &authParam, const WidgetParam &widgetParam, std::vector<AuthType> &validType,
983 ContextFactory::AuthWidgetContextPara ¶)
984 {
985 Attributes extraInfo;
986 para.tokenId = IpcCommon::GetAccessTokenId(*this);
987 para.isOsAccountVerified = IpcCommon::IsOsAccountVerified(para.userId);
988 if (!AuthWidgetHelper::InitWidgetContextParam(authParam, validType, widgetParam, para)) {
989 IAM_LOGE("init widgetContext failed");
990 contextCallback->OnResult(ResultCode::GENERAL_ERROR, extraInfo);
991 return BAD_CONTEXT_ID;
992 }
993 auto context = ContextFactory::CreateWidgetContext(para, contextCallback);
994 if (context == nullptr || !Insert2ContextPool(context)) {
995 contextCallback->OnResult(ResultCode::GENERAL_ERROR, extraInfo);
996 return BAD_CONTEXT_ID;
997 }
998 contextCallback->SetTraceRequestContextId(context->GetContextId());
999 contextCallback->SetCleaner(ContextHelper::Cleaner(context));
1000 if (!context->Start()) {
1001 int32_t errorCode = context->GetLatestError();
1002 IAM_LOGE("start widget context fail %{public}d", errorCode);
1003 contextCallback->OnResult(errorCode, extraInfo);
1004 return BAD_CONTEXT_ID;
1005 }
1006 return context->GetContextId();
1007 }
1008
CheckValidSolution(int32_t userId,const AuthParamInner & authParam,const WidgetParam & widgetParam,std::vector<AuthType> & validType)1009 int32_t UserAuthService::CheckValidSolution(int32_t userId, const AuthParamInner &authParam,
1010 const WidgetParam &widgetParam, std::vector<AuthType> &validType)
1011 {
1012 int32_t ret = AuthWidgetHelper::CheckValidSolution(
1013 userId, authParam.authTypes, authParam.authTrustLevel, validType);
1014 if (ret != SUCCESS) {
1015 IAM_LOGE("CheckValidSolution fail %{public}d", ret);
1016 return ret;
1017 }
1018 if (!widgetParam.navigationButtonText.empty() && !CheckSingeFaceOrFinger(validType)) {
1019 IAM_LOGE("navigationButtonText check fail, validType.size:%{public}zu", validType.size());
1020 return INVALID_PARAMETERS;
1021 }
1022 if (widgetParam.windowMode == FULLSCREEN && CheckSingeFaceOrFinger(validType)) {
1023 IAM_LOGE("Single fingerprint or single face does not support full screen");
1024 return INVALID_PARAMETERS;
1025 }
1026 if (!CheckPrivatePinEnroll(authParam.authTypes, validType)) {
1027 IAM_LOGE("check privatePin enroll error");
1028 return INVALID_PARAMETERS;
1029 }
1030 return SUCCESS;
1031 }
1032
GetCallerInfo(bool isUserIdSpecified,int32_t userId,ContextFactory::AuthWidgetContextPara & para,bool & isBackgroundApplication,std::shared_ptr<ContextCallback> & contextCallback)1033 int32_t UserAuthService::GetCallerInfo(bool isUserIdSpecified, int32_t userId,
1034 ContextFactory::AuthWidgetContextPara ¶, bool &isBackgroundApplication,
1035 std::shared_ptr<ContextCallback> &contextCallback)
1036 {
1037 static_cast<void>(IpcCommon::GetCallerName(*this, para.callerName, para.callerType));
1038 contextCallback->SetTraceCallerName(para.callerName);
1039 contextCallback->SetTraceCallerType(para.callerType);
1040 static_cast<void>(IpcCommon::GetCallingAppID(*this, para.callingAppID));
1041
1042 if (para.sdkVersion < INNER_API_VERSION_10000 && para.callerType == Security::AccessToken::TOKEN_HAP &&
1043 (!IpcCommon::CheckForegroundApplication(para.callerName))) {
1044 isBackgroundApplication = true;
1045 }
1046 contextCallback->SetTraceIsBackgroundApplication(isBackgroundApplication);
1047
1048 if (isUserIdSpecified) {
1049 para.userId = userId;
1050 contextCallback->SetTraceUserId(para.userId);
1051 return SUCCESS;
1052 }
1053 if (IpcCommon::GetCallingUserId(*this, para.userId) != SUCCESS) {
1054 IAM_LOGE("get callingUserId failed");
1055 return GENERAL_ERROR;
1056 }
1057 contextCallback->SetTraceUserId(para.userId);
1058 return SUCCESS;
1059 }
1060
ProcessPinExpired(int32_t ret,const AuthParamInner & authParam,std::vector<AuthType> & validType,ContextFactory::AuthWidgetContextPara & para)1061 void UserAuthService::ProcessPinExpired(int32_t ret, const AuthParamInner &authParam,
1062 std::vector<AuthType> &validType, ContextFactory::AuthWidgetContextPara ¶)
1063 {
1064 if (ret != PIN_EXPIRED) {
1065 return;
1066 }
1067 para.isPinExpired = true;
1068 bool hasPrivatePin = false;
1069 for (auto &iter : authParam.authTypes) {
1070 if (iter == AuthType::PRIVATE_PIN) {
1071 hasPrivatePin = true;
1072 break;
1073 }
1074 }
1075 if (hasPrivatePin) {
1076 validType.clear();
1077 validType.emplace_back(AuthType::PRIVATE_PIN);
1078 } else {
1079 validType.emplace_back(AuthType::PIN);
1080 }
1081 }
1082
AuthWidget(int32_t apiVersion,const AuthParamInner & authParam,const WidgetParam & widgetParam,sptr<UserAuthCallbackInterface> & callback)1083 uint64_t UserAuthService::AuthWidget(int32_t apiVersion, const AuthParamInner &authParam,
1084 const WidgetParam &widgetParam, sptr<UserAuthCallbackInterface> &callback)
1085 {
1086 IAM_LOGI("start %{public}d authTrustLevel:%{public}u", apiVersion, authParam.authTrustLevel);
1087 auto contextCallback = GetAuthContextCallback(apiVersion, authParam, widgetParam, callback);
1088 if (contextCallback == nullptr) {
1089 IAM_LOGE("contextCallback is nullptr");
1090 return BAD_CONTEXT_ID;
1091 }
1092 ContextFactory::AuthWidgetContextPara para;
1093 para.sdkVersion = apiVersion;
1094 Attributes extraInfo;
1095 bool isBackgroundApplication = false;
1096 int32_t checkRet = GetCallerInfo(authParam.isUserIdSpecified, authParam.userId, para, isBackgroundApplication,
1097 contextCallback);
1098 if (checkRet != SUCCESS) {
1099 contextCallback->OnResult(checkRet, extraInfo);
1100 return BAD_CONTEXT_ID;
1101 }
1102 checkRet = CheckAuthPermissionAndParam(authParam, widgetParam, isBackgroundApplication);
1103 if (checkRet != SUCCESS) {
1104 IAM_LOGE("check permission and auth widget param failed");
1105 contextCallback->OnResult(checkRet, extraInfo);
1106 return BAD_CONTEXT_ID;
1107 }
1108
1109 if (AuthWidgetHelper::CheckReuseUnlockResult(para, authParam, extraInfo) == SUCCESS) {
1110 IAM_LOGE("check reuse unlock result success");
1111 contextCallback->OnResult(SUCCESS, extraInfo);
1112 return REUSE_AUTH_RESULT_CONTEXT_ID;
1113 }
1114 std::vector<AuthType> validType;
1115 checkRet = CheckValidSolution(para.userId, authParam, widgetParam, validType);
1116 if (checkRet != SUCCESS && checkRet != PIN_EXPIRED) {
1117 IAM_LOGE("check valid solution failed");
1118 contextCallback->OnResult(checkRet, extraInfo);
1119 return BAD_CONTEXT_ID;
1120 }
1121 ProcessPinExpired(checkRet, authParam, validType, para);
1122 return StartWidgetContext(contextCallback, authParam, widgetParam, validType, para);
1123 }
1124
Insert2ContextPool(const std::shared_ptr<Context> & context)1125 bool UserAuthService::Insert2ContextPool(const std::shared_ptr<Context> &context)
1126 {
1127 bool ret = false;
1128 const int32_t retryTimes = 3;
1129 for (auto i = 0; i < retryTimes; i++) {
1130 ret = ContextPool::Instance().Insert(context);
1131 if (ret) {
1132 break;
1133 }
1134 }
1135 IAM_LOGI("insert context to pool, retry %{public}d times", retryTimes);
1136 return ret;
1137 }
1138
GetAuthContextCallback(int32_t apiVersion,const AuthParamInner & authParam,const WidgetParam & widgetParam,sptr<UserAuthCallbackInterface> & callback)1139 std::shared_ptr<ContextCallback> UserAuthService::GetAuthContextCallback(int32_t apiVersion,
1140 const AuthParamInner &authParam, const WidgetParam &widgetParam, sptr<UserAuthCallbackInterface> &callback)
1141 {
1142 if (callback == nullptr) {
1143 IAM_LOGE("callback is nullptr");
1144 return nullptr;
1145 }
1146 auto contextCallback = ContextCallback::NewInstance(callback, TRACE_AUTH_USER_BEHAVIOR);
1147 if (contextCallback == nullptr) {
1148 IAM_LOGE("failed to construct context callback");
1149 Attributes extraInfo;
1150 callback->OnResult(ResultCode::GENERAL_ERROR, extraInfo);
1151 return nullptr;
1152 }
1153 contextCallback->SetTraceSdkVersion(apiVersion);
1154 contextCallback->SetTraceAuthTrustLevel(authParam.authTrustLevel);
1155
1156 uint32_t authWidgetType = 0;
1157 for (const auto authType : authParam.authTypes) {
1158 authWidgetType |= static_cast<uint32_t>(authType);
1159 }
1160 static const uint32_t bitWindowMode = 0x40000000;
1161 if (widgetParam.windowMode == FULLSCREEN) {
1162 authWidgetType |= bitWindowMode;
1163 }
1164 static const uint32_t bitNavigation = 0x80000000;
1165 if (!widgetParam.navigationButtonText.empty()) {
1166 authWidgetType |= bitNavigation;
1167 }
1168 IAM_LOGI("SetTraceAuthWidgetType %{public}08x", authWidgetType);
1169 contextCallback->SetTraceAuthWidgetType(authWidgetType);
1170 uint32_t traceReuseMode = 0;
1171 uint64_t traceReuseDuration = 0;
1172 if (authParam.reuseUnlockResult.isReuse) {
1173 traceReuseMode = authParam.reuseUnlockResult.reuseMode;
1174 traceReuseDuration = authParam.reuseUnlockResult.reuseDuration;
1175 }
1176 contextCallback->SetTraceReuseUnlockResultMode(traceReuseMode);
1177 contextCallback->SetTraceReuseUnlockResultDuration(traceReuseDuration);
1178 return contextCallback;
1179 }
1180
Notice(NoticeType noticeType,const std::string & eventData)1181 int32_t UserAuthService::Notice(NoticeType noticeType, const std::string &eventData)
1182 {
1183 IAM_LOGI("start");
1184 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
1185 IAM_LOGE("the caller is not a system application");
1186 return ResultCode::CHECK_SYSTEM_APP_FAILED;
1187 }
1188
1189 if (!IpcCommon::CheckPermission(*this, SUPPORT_USER_AUTH)) {
1190 IAM_LOGE("failed to check permission");
1191 return ResultCode::CHECK_PERMISSION_FAILED;
1192 }
1193 return WidgetClient::Instance().OnNotice(noticeType, eventData);
1194 }
1195
RegisterWidgetCallback(int32_t version,sptr<WidgetCallbackInterface> & callback)1196 int32_t UserAuthService::RegisterWidgetCallback(int32_t version, sptr<WidgetCallbackInterface> &callback)
1197 {
1198 if (!IpcCommon::CheckPermission(*this, IS_SYSTEM_APP)) {
1199 IAM_LOGE("the caller is not a system application");
1200 return ResultCode::CHECK_SYSTEM_APP_FAILED;
1201 }
1202
1203 if (!IpcCommon::CheckPermission(*this, SUPPORT_USER_AUTH)) {
1204 IAM_LOGE("CheckPermission failed, no permission");
1205 return ResultCode::CHECK_PERMISSION_FAILED;
1206 }
1207
1208 uint32_t tokenId = IpcCommon::GetTokenId(*this);
1209 IAM_LOGE("RegisterWidgetCallback tokenId %{public}s", GET_MASKED_STRING(tokenId).c_str());
1210
1211 int32_t curVersion = std::stoi(NOTICE_VERSION_STR);
1212 if (version != curVersion) {
1213 return ResultCode::INVALID_PARAMETERS;
1214 }
1215 if (callback == nullptr) {
1216 IAM_LOGE("callback is nullptr");
1217 return ResultCode::INVALID_PARAMETERS;
1218 }
1219 WidgetClient::Instance().SetWidgetCallback(callback);
1220 WidgetClient::Instance().SetAuthTokenId(tokenId);
1221 return ResultCode::SUCCESS;
1222 }
1223
GetEnrolledState(int32_t apiVersion,AuthType authType,EnrolledState & enrolledState)1224 int32_t UserAuthService::GetEnrolledState(int32_t apiVersion, AuthType authType,
1225 EnrolledState &enrolledState)
1226 {
1227 IAM_LOGI("start");
1228
1229 if (!IpcCommon::CheckPermission(*this, ACCESS_BIOMETRIC_PERMISSION)) {
1230 IAM_LOGE("failed to check permission");
1231 return CHECK_PERMISSION_FAILED;
1232 }
1233
1234 if (apiVersion < API_VERSION_12 ||
1235 !SystemParamManager::GetInstance().IsAuthTypeEnable(authType)) {
1236 IAM_LOGE("failed to check apiVersion");
1237 return TYPE_NOT_SUPPORT;
1238 }
1239
1240 int32_t userId = INVALID_USER_ID;
1241 if (IpcCommon::GetCallingUserId(*this, userId) != SUCCESS) {
1242 IAM_LOGE("failed to get callingUserId");
1243 return GENERAL_ERROR;
1244 }
1245
1246 auto hdi = HdiWrapper::GetHdiInstance();
1247 if (hdi == nullptr) {
1248 IAM_LOGE("hdi interface is nullptr");
1249 return GENERAL_ERROR;
1250 }
1251 HdiEnrolledState hdiEnrolledState = {};
1252 int32_t result = hdi->GetEnrolledState(userId, static_cast<HdiAuthType>(authType), hdiEnrolledState);
1253 if (result != SUCCESS) {
1254 IAM_LOGE("failed to get enrolled state,userId:%{public}d authType:%{public}d", userId, authType);
1255 return result;
1256 }
1257 enrolledState.credentialCount = hdiEnrolledState.credentialCount;
1258 enrolledState.credentialDigest = hdiEnrolledState.credentialDigest;
1259 if (apiVersion < INNER_API_VERSION_10000) {
1260 enrolledState.credentialDigest = hdiEnrolledState.credentialDigest & UINT16_MAX;
1261 }
1262 return SUCCESS;
1263 }
1264
CheckAuthTypeIsValid(std::vector<AuthType> authType)1265 bool UserAuthService::CheckAuthTypeIsValid(std::vector<AuthType> authType)
1266 {
1267 if (authType.empty()) {
1268 return false;
1269 }
1270 for (const auto &iter : authType) {
1271 if (iter != AuthType::PIN && iter != AuthType::FACE && iter != AuthType::FINGERPRINT &&
1272 iter != AuthType::PRIVATE_PIN) {
1273 return false;
1274 }
1275 }
1276 return true;
1277 }
1278
RegistUserAuthSuccessEventListener(const std::vector<AuthType> & authType,const sptr<AuthEventListenerInterface> & listener)1279 int32_t UserAuthService::RegistUserAuthSuccessEventListener(const std::vector<AuthType> &authType,
1280 const sptr<AuthEventListenerInterface> &listener)
1281 {
1282 IAM_LOGI("start");
1283 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1284 IF_FALSE_LOGE_AND_RETURN_VAL(listener != nullptr, INVALID_PARAMETERS);
1285
1286 if (!CheckAuthTypeIsValid(authType)) {
1287 IAM_LOGE("failed to check authType");
1288 return INVALID_PARAMETERS;
1289 }
1290
1291 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1292 IAM_LOGE("failed to check permission");
1293 return CHECK_PERMISSION_FAILED;
1294 }
1295
1296 int32_t result = AuthEventListenerManager::GetInstance().RegistUserAuthSuccessEventListener(authType, listener);
1297 if (result != SUCCESS) {
1298 IAM_LOGE("failed to regist auth event listener");
1299 return result;
1300 }
1301
1302 return SUCCESS;
1303 }
1304
UnRegistUserAuthSuccessEventListener(const sptr<AuthEventListenerInterface> & listener)1305 int32_t UserAuthService::UnRegistUserAuthSuccessEventListener(
1306 const sptr<AuthEventListenerInterface> &listener)
1307 {
1308 IAM_LOGI("start");
1309 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1310 IF_FALSE_LOGE_AND_RETURN_VAL(listener != nullptr, INVALID_PARAMETERS);
1311
1312 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1313 IAM_LOGE("failed to check permission");
1314 return CHECK_PERMISSION_FAILED;
1315 }
1316
1317 int32_t result = AuthEventListenerManager::GetInstance().UnRegistUserAuthSuccessEventListener(listener);
1318 if (result != SUCCESS) {
1319 IAM_LOGE("failed to unregist auth event listener");
1320 return result;
1321 }
1322
1323 return SUCCESS;
1324 }
1325
SetGlobalConfigParam(const GlobalConfigParam & param)1326 int32_t UserAuthService::SetGlobalConfigParam(const GlobalConfigParam ¶m)
1327 {
1328 IAM_LOGI("start");
1329 Common::XCollieHelper xcollie(__FUNCTION__, Common::API_CALL_TIMEOUT);
1330 if (!IpcCommon::CheckPermission(*this, ACCESS_USER_AUTH_INTERNAL_PERMISSION)) {
1331 IAM_LOGE("failed to check permission");
1332 return CHECK_PERMISSION_FAILED;
1333 }
1334 if (param.type != PIN_EXPIRED_PERIOD) {
1335 IAM_LOGE("bad global config type");
1336 return INVALID_PARAMETERS;
1337 }
1338 HdiGlobalConfigParam paramConfig = {};
1339 paramConfig.type = PIN_EXPIRED_PERIOD;
1340 paramConfig.value.pinExpiredPeriod = param.value.pinExpiredPeriod;
1341
1342 auto hdi = HdiWrapper::GetHdiInstance();
1343 if (hdi == nullptr) {
1344 IAM_LOGE("hdi interface is nullptr");
1345 return GENERAL_ERROR;
1346 }
1347 int32_t result = hdi->SetGlobalConfigParam(paramConfig);
1348 if (result != SUCCESS) {
1349 IAM_LOGE("failed to Set global config param");
1350 return result;
1351 }
1352
1353 return SUCCESS;
1354 }
1355
CompleteRemoteAuthParam(RemoteAuthParam & remoteAuthParam,const std::string & localNetworkId)1356 bool UserAuthService::CompleteRemoteAuthParam(RemoteAuthParam &remoteAuthParam, const std::string &localNetworkId)
1357 {
1358 IAM_LOGI("start");
1359 if (remoteAuthParam.verifierNetworkId.has_value() && remoteAuthParam.verifierNetworkId->size() !=
1360 NETWORK_ID_LENGTH) {
1361 IAM_LOGE("invalid verifierNetworkId size");
1362 return false;
1363 }
1364
1365 if (remoteAuthParam.collectorNetworkId.has_value() && remoteAuthParam.collectorNetworkId->size() !=
1366 NETWORK_ID_LENGTH) {
1367 IAM_LOGE("invalid collectorNetworkId size");
1368 return false;
1369 }
1370
1371 if (!remoteAuthParam.verifierNetworkId.has_value() && !remoteAuthParam.collectorNetworkId.has_value()) {
1372 IAM_LOGE("neither verifierNetworkId nor collectorNetworkId is set");
1373 return false;
1374 } else if (remoteAuthParam.verifierNetworkId.has_value() && !remoteAuthParam.collectorNetworkId.has_value()) {
1375 IAM_LOGI("collectorNetworkId not set, verifierNetworkId set, use local networkId as collectorNetworkId");
1376 remoteAuthParam.collectorNetworkId = localNetworkId;
1377 } else if (!remoteAuthParam.verifierNetworkId.has_value() && remoteAuthParam.collectorNetworkId.has_value()) {
1378 IAM_LOGI("verifierNetworkId not set, collectorNetworkId set, use local networkId as verifierNetworkId");
1379 remoteAuthParam.verifierNetworkId = localNetworkId;
1380 }
1381
1382 if (remoteAuthParam.verifierNetworkId.value() != localNetworkId &&
1383 remoteAuthParam.collectorNetworkId.value() != localNetworkId) {
1384 IAM_LOGE("both verifierNetworkId and collectorNetworkId are not local networkId");
1385 return false;
1386 }
1387
1388 if (remoteAuthParam.verifierNetworkId.value() == remoteAuthParam.collectorNetworkId.value()) {
1389 IAM_LOGE("verifierNetworkId and collectorNetworkId are the same");
1390 return false;
1391 }
1392
1393 if (remoteAuthParam.verifierNetworkId == localNetworkId && !remoteAuthParam.collectorTokenId.has_value()) {
1394 IAM_LOGE("this device is verifier, collectorTokenId not set");
1395 return false;
1396 }
1397
1398 if (remoteAuthParam.collectorNetworkId == localNetworkId && !remoteAuthParam.collectorTokenId.has_value()) {
1399 IAM_LOGI("this device is collector, update collectorTokenId with caller token id");
1400 remoteAuthParam.collectorTokenId = IpcCommon::GetAccessTokenId(*this);
1401 }
1402
1403 IAM_LOGI("success");
1404 return true;
1405 }
1406
GetAndUpateOsAccountVerifiedState(int32_t userId)1407 bool UserAuthService::GetAndUpateOsAccountVerifiedState(int32_t userId)
1408 {
1409 IAM_LOGI("start");
1410 if (osAccountVerifiedState_ == false) {
1411 osAccountVerifiedState_ = IpcCommon::IsOsAccountVerified(userId);
1412 }
1413
1414 return osAccountVerifiedState_;
1415 }
1416 } // namespace UserAuth
1417 } // namespace UserIam
1418 } // namespace OHOS