/*
 * Copyright (C) 2018 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.server.incident;

import android.app.ActivityManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.UserInfo;
import android.content.res.Resources;
import android.os.Binder;
import android.os.Build;
import android.os.IBinder;
import android.os.IIncidentAuthListener;
import android.os.IIncidentCompanion;
import android.os.IIncidentManager;
import android.os.IncidentManager;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.UserHandle;
import android.os.UserManager;
import android.util.Log;

import com.android.internal.util.DumpUtils;
import com.android.server.SystemService;

import java.io.FileDescriptor;
import java.io.PrintWriter;
import java.util.List;

/**
 * Helper service for incidentd and dumpstated to provide user feedback
 * and authorization for bug and inicdent reports to be taken.
 */
public class IncidentCompanionService extends SystemService {
    static final String TAG = "IncidentCompanionService";

    /**
     * Dump argument for proxying restricted image dumps to the services
     * listed in the config.
     */
    private static String[] RESTRICTED_IMAGE_DUMP_ARGS = new String[] {
        "--hal", "--restricted_image" };

    /**
     * The two permissions, for sendBroadcastAsUserMultiplePermissions.
     */
    private static final String[] DUMP_AND_USAGE_STATS_PERMISSIONS = new String[] {
        android.Manifest.permission.DUMP,
        android.Manifest.permission.PACKAGE_USAGE_STATS
    };

    /**
     * Tracker for reports pending approval.
     */
    private PendingReports mPendingReports;

    /**
     * Implementation of the IIncidentCompanion binder interface.
     */
    private final class BinderService extends IIncidentCompanion.Stub {
        /**
         * ONEWAY binder call to initiate authorizing the report. If you don't need
         * IncidentCompanionService to check whether the calling UID matches then
         * pass 0 for callingUid.  Either way, the caller must have DUMP and USAGE_STATS
         * permissions to retrieve the data, so it ends up being about the same.
         */
        @Override
        public void authorizeReport(int callingUid, final String callingPackage,
                final String receiverClass, final String reportId,
                final int flags, final IIncidentAuthListener listener) {
            enforceRequestAuthorizationPermission();

            final long ident = Binder.clearCallingIdentity();
            try {
                mPendingReports.authorizeReport(callingUid, callingPackage,
                        receiverClass, reportId, flags, listener);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * ONEWAY binder call to cancel the inbound authorization request.
         * <p>
         * This is a oneway call, and so is authorizeReport, so the
         * caller's ordering is preserved.  The other calls on this object are synchronous, so
         * their ordering is not guaranteed with respect to these calls.  So the implementation
         * sends out extra broadcasts to allow for eventual consistency.
         */
        public void cancelAuthorization(final IIncidentAuthListener listener) {
            enforceRequestAuthorizationPermission();

            // Caller can cancel if they don't want it anymore, and mRequestQueue elides
            // authorize/cancel pairs.
            final long ident = Binder.clearCallingIdentity();
            try {
                mPendingReports.cancelAuthorization(listener);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * ONEWAY implementation to send broadcast from incidentd, which is native.
         */
        @Override
        public void sendReportReadyBroadcast(String pkg, String cls) {
            enforceRequestAuthorizationPermission();

            final long ident = Binder.clearCallingIdentity();
            try {
                final Context context = getContext();

                final int primaryUser = getAndValidateUser(context);
                if (primaryUser == UserHandle.USER_NULL) {
                    return;
                }

                final Intent intent = new Intent(Intent.ACTION_INCIDENT_REPORT_READY);
                intent.setComponent(new ComponentName(pkg, cls));

                Log.d(TAG, "sendReportReadyBroadcast sending primaryUser=" + primaryUser
                        + " userHandle=" + UserHandle.getUserHandleForUid(primaryUser)
                        + " intent=" + intent);

                // Send it to the primary user.  Only they can do incident reports.
                context.sendBroadcastAsUserMultiplePermissions(intent,
                        UserHandle.getUserHandleForUid(primaryUser),
                        DUMP_AND_USAGE_STATS_PERMISSIONS);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * SYNCHRONOUS binder call to get the list of reports that are pending confirmation
         * by the user.
         */
        @Override
        public List<String> getPendingReports() {
            enforceAuthorizePermission();
            return mPendingReports.getPendingReports();
        }

        /**
         * SYNCHRONOUS binder call to mark a report as approved.
         */
        @Override
        public void approveReport(String uri) {
            enforceAuthorizePermission();

            final long ident = Binder.clearCallingIdentity();
            try {
                mPendingReports.approveReport(uri);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * SYNCHRONOUS binder call to mark a report as NOT approved.
         */
        @Override
        public void denyReport(String uri) {
            enforceAuthorizePermission();

            final long ident = Binder.clearCallingIdentity();
            try {
                mPendingReports.denyReport(uri);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * SYNCHRONOUS binder call to get the list of incident reports waiting for a receiver.
         */
        @Override
        public List<String> getIncidentReportList(String pkg, String cls) throws RemoteException {
            enforceAccessReportsPermissions(null);

            final long ident = Binder.clearCallingIdentity();
            try {
                return getIIncidentManager().getIncidentReportList(pkg, cls);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * SYNCHRONOUS binder call to commit an incident report
         */
        @Override
        public void deleteIncidentReports(String pkg, String cls, String id)
                throws RemoteException {
            if (pkg == null || cls == null || id == null
                    || pkg.length() == 0 || cls.length() == 0 || id.length() == 0) {
                throw new RuntimeException("Invalid pkg, cls or id");
            }
            enforceAccessReportsPermissions(pkg);

            final long ident = Binder.clearCallingIdentity();
            try {
                getIIncidentManager().deleteIncidentReports(pkg, cls, id);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * SYNCHRONOUS binder call to delete all incident reports for a package.
         */
        @Override
        public void deleteAllIncidentReports(String pkg) throws RemoteException {
            if (pkg == null || pkg.length() == 0) {
                throw new RuntimeException("Invalid pkg");
            }
            enforceAccessReportsPermissions(pkg);

            final long ident = Binder.clearCallingIdentity();
            try {
                getIIncidentManager().deleteAllIncidentReports(pkg);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * SYNCHRONOUS binder call to get the IncidentReport object.
         */
        @Override
        public IncidentManager.IncidentReport getIncidentReport(String pkg, String cls, String id)
                throws RemoteException {
            if (pkg == null || cls == null || id == null
                    || pkg.length() == 0 || cls.length() == 0 || id.length() == 0) {
                throw new RuntimeException("Invalid pkg, cls or id");
            }
            enforceAccessReportsPermissions(pkg);

            final long ident = Binder.clearCallingIdentity();
            try {
                return getIIncidentManager().getIncidentReport(pkg, cls, id);
            } finally {
                Binder.restoreCallingIdentity(ident);
            }
        }

        /**
         * SYNCHRONOUS implementation of adb shell dumpsys debugreportcompanion.
         */
        @Override
        protected void dump(FileDescriptor fd, final PrintWriter writer, String[] args) {
            if (!DumpUtils.checkDumpPermission(getContext(), TAG, writer)) {
                return;
            }

            if (args.length == 1 && "--restricted_image".equals(args[0])) {
                // Does NOT clearCallingIdentity
                dumpRestrictedImages(fd);
            } else {
                // Regular dump
                mPendingReports.dump(fd, writer, args);
            }
        }

        /**
         * Proxy for the restricted images section.
         */
        private void dumpRestrictedImages(FileDescriptor fd) {
            // Only supported on eng or userdebug.
            if (!(Build.IS_ENG || Build.IS_USERDEBUG)) {
                return;
            }

            final Resources res = getContext().getResources();
            final String[] services = res.getStringArray(
                    com.android.internal.R.array.config_restrictedImagesServices);
            final int servicesCount = services.length;
            for (int i = 0; i < servicesCount; i++) {
                final String name = services[i];
                Log.d(TAG, "Looking up service " + name);
                final IBinder service = ServiceManager.getService(name);
                if (service != null) {
                    Log.d(TAG, "Calling dump on service: " + name);
                    try {
                        service.dump(fd, RESTRICTED_IMAGE_DUMP_ARGS);
                    } catch (RemoteException ex) {
                        Log.w(TAG, "dump --restricted_image of " + name + " threw", ex);
                    }
                }
            }
        }

        /**
         * Inside the binder interface class because we want to do all of the authorization
         * here, before calling out to the helper objects.
         */
        private void enforceRequestAuthorizationPermission() {
            getContext().enforceCallingOrSelfPermission(
                    android.Manifest.permission.REQUEST_INCIDENT_REPORT_APPROVAL, null);
        }

        /**
         * Inside the binder interface class because we want to do all of the authorization
         * here, before calling out to the helper objects.
         */
        private void enforceAuthorizePermission() {
            getContext().enforceCallingOrSelfPermission(
                    android.Manifest.permission.APPROVE_INCIDENT_REPORTS, null);
        }

        /**
         * Enforce that the calling process either has APPROVE_INCIDENT_REPORTS or
         * (DUMP and PACKAGE_USAGE_STATS). This lets the approver get, because showing
         * information about the report is a prerequisite for letting the user decide.
         *
         * If pkg is null, it is not checked, so make sure that you check it for null first
         * if you do need the packages to match.
         *
         * Inside the binder interface class because we want to do all of the authorization
         * here, before calling out to the helper objects.
         */
        private void enforceAccessReportsPermissions(String pkg) {
            if (getContext().checkCallingPermission(
                        android.Manifest.permission.APPROVE_INCIDENT_REPORTS)
                    != PackageManager.PERMISSION_GRANTED) {
                getContext().enforceCallingOrSelfPermission(
                        android.Manifest.permission.DUMP, null);
                getContext().enforceCallingOrSelfPermission(
                        android.Manifest.permission.PACKAGE_USAGE_STATS, null);
                if (pkg != null) {
                    enforceCallerIsSameApp(pkg);
                }
            }
        }

        /**
         * Throw a SecurityException if the incoming binder call is not from pkg.
         */
        private void enforceCallerIsSameApp(String pkg) throws SecurityException {
            try {
                final int uid = Binder.getCallingUid();
                final int userId = UserHandle.getCallingUserId();
                final ApplicationInfo ai = getContext().getPackageManager()
                        .getApplicationInfoAsUser(pkg, 0, userId);
                if (ai == null) {
                    throw new SecurityException("Unknown package " + pkg);
                }
                if (!UserHandle.isSameApp(ai.uid, uid)) {
                    throw new SecurityException("Calling uid " + uid + " gave package "
                            + pkg + " which is owned by uid " + ai.uid);
                }
            } catch (PackageManager.NameNotFoundException re) {
                throw new SecurityException("Unknown package " + pkg + "\n" + re);
            }
        }
    }

    /**
     * Construct new IncidentCompanionService with the context.
     */
    public IncidentCompanionService(Context context) {
        super(context);
        mPendingReports = new PendingReports(context);
    }

    /**
     * Initialize the service.  It is still not safe to do UI until
     * onBootPhase(SystemService.PHASE_BOOT_COMPLETED).
     */
    @Override
    public void onStart() {
        publishBinderService(Context.INCIDENT_COMPANION_SERVICE, new BinderService());
    }

    /**
     * Handle the boot process... Starts everything running once the system is
     * up enough for us to do UI.
     */
    @Override
    public void onBootPhase(int phase) {
        super.onBootPhase(phase);
        switch (phase) {
            case SystemService.PHASE_BOOT_COMPLETED:
                mPendingReports.onBootCompleted();
                break;
        }
    }

    /**
     * Looks up incidentd every time, so we don't need a complex handshake between
     * incidentd and IncidentCompanionService.
     */
    private IIncidentManager getIIncidentManager() throws RemoteException {
        return IIncidentManager.Stub.asInterface(
                ServiceManager.getService(Context.INCIDENT_SERVICE));
    }

    /**
     * Check whether the current user is the primary user, and return the user id if they are.
     * Returns UserHandle.USER_NULL if not valid.
     */
    public static int getAndValidateUser(Context context) {
        // Current user
        UserInfo currentUser;
        try {
            currentUser = ActivityManager.getService().getCurrentUser();
        } catch (RemoteException ex) {
            // We're already inside the system process.
            throw new RuntimeException(ex);
        }

        // Primary user
        final UserManager um = UserManager.get(context);
        final UserInfo primaryUser = um.getPrimaryUser();

        // Check that we're using the right user.
        if (currentUser == null) {
            Log.w(TAG, "No current user.  Nobody to approve the report."
                    + " The report will be denied.");
            return UserHandle.USER_NULL;
        }
        if (primaryUser == null) {
            Log.w(TAG, "No primary user.  Nobody to approve the report."
                    + " The report will be denied.");
            return UserHandle.USER_NULL;
        }
        if (primaryUser.id != currentUser.id) {
            Log.w(TAG, "Only the primary user can approve bugreports, but they are not"
                    + " the current user. The report will be denied.");
            return UserHandle.USER_NULL;
        }

        return primaryUser.id;
    }
}