diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h index 76995977d1664f8e0a132c1ba640da90a5645340..578b02637574eeb4c387d0b2ccf4f40c1088a74f 100644 --- a/interfaces/innerkits/accesstoken/include/access_token.h +++ b/interfaces/innerkits/accesstoken/include/access_token.h @@ -81,7 +81,8 @@ enum AccessTokenKitRet { typedef struct { unsigned int tokenUniqueID : 20; /** reserved, default 00000 */ - unsigned int res : 5; + unsigned int res : 4; + unsigned int cloneFlag : 1; /** renderflag, default 0 */ unsigned int renderFlag : 1; unsigned int dlpFlag : 1; diff --git a/interfaces/innerkits/accesstoken/src/tokenid_kit.cpp b/interfaces/innerkits/accesstoken/src/tokenid_kit.cpp index 0d7175ec801bcf7ebb90f024e3cc9c05fe6ae381..1fe62f96ce81f195b06227ce4a5e81e8b65e9e57 100644 --- a/interfaces/innerkits/accesstoken/src/tokenid_kit.cpp +++ b/interfaces/innerkits/accesstoken/src/tokenid_kit.cpp @@ -28,11 +28,13 @@ static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ static const uint64_t SYSTEM_APP_MASK = (static_cast(1) << 32); static const uint64_t TOKEN_ID_LOWMASK = 0xffffffff; } + bool TokenIdKit::IsSystemAppByFullTokenID(uint64_t tokenId) { ACCESSTOKEN_LOG_DEBUG(LABEL, "called, tokenId=%{public}" PRId64, tokenId); return (tokenId & SYSTEM_APP_MASK) == SYSTEM_APP_MASK; } + uint64_t TokenIdKit::GetRenderTokenID(uint64_t tokenId) { AccessTokenID id = tokenId & TOKEN_ID_LOWMASK; diff --git a/interfaces/innerkits/accesstoken/test/BUILD.gn b/interfaces/innerkits/accesstoken/test/BUILD.gn index ed02cea3e899e75a409918120ce2facf746e5df0..0917c64628d77c00405dd726396ba4161096951f 100644 --- a/interfaces/innerkits/accesstoken/test/BUILD.gn +++ b/interfaces/innerkits/accesstoken/test/BUILD.gn @@ -40,6 +40,7 @@ ohos_unittest("libaccesstoken_sdk_test") { "unittest/src/accesstoken_kit_test.cpp", "unittest/src/accesstoken_location_request_test.cpp", "unittest/src/app_installation_optimized_test.cpp", + "unittest/src/clone_app_permission_test.cpp", "unittest/src/remote_token_kit_test.cpp", "unittest/src/security_component_grant_test.cpp", ] diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/clone_app_permission_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/src/clone_app_permission_test.cpp new file mode 100644 index 0000000000000000000000000000000000000000..71792b6d36a70a43bd718b5c8246d4871f3f0da4 --- /dev/null +++ b/interfaces/innerkits/accesstoken/test/unittest/src/clone_app_permission_test.cpp @@ -0,0 +1,792 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "clone_app_permission_test.h" +#include + +#include "accesstoken_kit.h" +#include "accesstoken_log.h" +#include "access_token_error.h" +#include "nativetoken_kit.h" +#include "softbus_bus_center.h" +#include "token_setproc.h" +#include "tokenid_kit.h" + +using namespace testing::ext; +using namespace OHOS::Security::AccessToken; + +namespace { +static const std::string PERMISSION_ALL = "ohos.permission.CAMERA"; +static const std::string PERMISSION_FULL_CONTROL = "ohos.permission.WRITE_MEDIA"; +static const std::string PERMISSION_NOT_DISPLAYED = "ohos.permission.ANSWER_CALL"; +static const std::string TEST_PERMISSION_GRANT = "ohos.permission.GRANT_SENSITIVE_PERMISSIONS"; +static const std::string TEST_PERMISSION_REVOKE = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS"; +static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, + SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenKitExtensionTest"}; + +HapInfoParams g_infoParmsCommon = { + .userID = 1, + .bundleName = "CloneAppPermissionTest", + .instIndex = 0, + .dlpType = DLP_COMMON, + .appIDDesc = "CloneAppPermissionTest" +}; + +HapInfoParams g_infoParmsCommonClone1 = { + .userID = 1, + .bundleName = "CloneAppPermissionTest", + .instIndex = 5, // clone app index is 5 + .dlpType = DLP_COMMON, + .appIDDesc = "CloneAppPermissionTest" +}; + +HapInfoParams g_infoParmsCommonClone2 = { + .userID = 1, + .bundleName = "CloneAppPermissionTest", + .instIndex = 6, // clone app index is 6 + .dlpType = DLP_COMMON, + .appIDDesc = "CloneAppPermissionTest" +}; + +HapInfoParams g_infoParmsFullControl = { + .userID = 1, + .bundleName = "CloneAppPermissionTest", + .instIndex = 1, + .dlpType = DLP_FULL_CONTROL, + .appIDDesc = "CloneAppPermissionTest" +}; + +HapInfoParams g_infoParmsReadOnly = { + .userID = 1, + .bundleName = "CloneAppPermissionTest", + .instIndex = 2, + .dlpType = DLP_READ, + .appIDDesc = "CloneAppPermissionTest" +}; + +PermissionStateFull g_stateFullControl = { + .permissionName = "ohos.permission.WRITE_MEDIA", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PermissionState::PERMISSION_DENIED}, + .grantFlags = {0} +}; + +PermissionStateFull g_stateAll = { + .permissionName = "ohos.permission.CAMERA", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PermissionState::PERMISSION_DENIED}, + .grantFlags = {0} +}; + +HapPolicyParams g_policyParams = { + .apl = APL_NORMAL, + .domain = "test.domain", + .permList = {}, + .permStateList = {g_stateFullControl, g_stateAll} +}; + +} + +void CloneAppPermissionTest::TearDownTestCase() +{ + AccessTokenID tokenId = AccessTokenKit::GetHapTokenID(1, "PermissionEnvironment", 0); + int32_t ret = AccessTokenKit::DeleteToken(tokenId); + EXPECT_EQ(RET_SUCCESS, ret); +} + +void CloneAppPermissionTest::SetUp() +{ + ACCESSTOKEN_LOG_INFO(LABEL, "SetUp ok."); +} + +void CloneAppPermissionTest::TearDown() +{ +} + +void CloneAppPermissionTest::SetUpTestCase() +{ + HapInfoParams infoParmsEnvironment = { + .userID = 1, + .bundleName = "PermissionEnvironment", + .instIndex = 0, + .dlpType = DLP_COMMON, + .appIDDesc = "PermissionEnvironment", + .isSystemApp = true + }; + PermissionStateFull stateGrant = { + .permissionName = TEST_PERMISSION_GRANT, + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PermissionState::PERMISSION_GRANTED}, + .grantFlags = {0} + }; + PermissionStateFull stateRevoke = { + .permissionName = TEST_PERMISSION_REVOKE, + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PermissionState::PERMISSION_GRANTED}, + .grantFlags = {0} + }; + HapPolicyParams policyParams = { + .apl = APL_NORMAL, + .domain = "test.domain", + .permList = {}, + .permStateList = {stateGrant, stateRevoke} + }; + AccessTokenIDEx tokenIdEx = {0}; + tokenIdEx = AccessTokenKit::AllocHapToken(infoParmsEnvironment, policyParams); + EXPECT_NE(0, tokenIdEx.tokenIdExStruct.tokenID); + EXPECT_EQ(true, TokenIdKit::IsSystemAppByFullTokenID(tokenIdEx.tokenIDEx)); + EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx)); + ACCESSTOKEN_LOG_INFO(LABEL, "SetUpTestCase ok."); +} + +static AccessTokenID AllocHapTokenId(HapInfoParams info, HapPolicyParams policy) +{ + AccessTokenIDEx tokenIdEx = {0}; + tokenIdEx = AccessTokenKit::AllocHapToken(info, policy); + AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID; + EXPECT_NE(0, tokenId); + int ret = AccessTokenKit::VerifyAccessToken(tokenId, PERMISSION_FULL_CONTROL, false); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenId, PERMISSION_ALL, false); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenId, PERMISSION_FULL_CONTROL, flag); + EXPECT_EQ(flag, PERMISSION_DEFAULT_FLAG); + EXPECT_EQ(ret, RET_SUCCESS); + ret = AccessTokenKit::GetPermissionFlag(tokenId, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_DEFAULT_FLAG); + EXPECT_EQ(ret, RET_SUCCESS); + return tokenId; +} + +/** + * @tc.name: OriginApp01 + * @tc.desc: main app grant permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, OriginApp01, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + // grant common app + ret = AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + + ret = AccessTokenKit::DeleteToken(tokenCommon); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenFullControl); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenRead); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone1); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone2); + EXPECT_EQ(RET_SUCCESS, ret); +} + +/** + * @tc.name: OriginApp02 + * @tc.desc: main app revoke permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, OriginApp02, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + // grant common app + ret = AccessTokenKit::RevokePermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::DeleteToken(tokenCommon); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenFullControl); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenRead); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone1); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone2); + EXPECT_EQ(RET_SUCCESS, ret); +} + +/** + * @tc.name: OriginApp03 + * @tc.desc: main app clear permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, OriginApp03, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED); + AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED); + AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED); + + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + + + ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenCommon); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenCommon)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenFullControl)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenRead)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone1)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone2)); +} + +/** + * @tc.name: ReadDlp01 + * @tc.desc: read mode dlp app grant permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, ReadDlp01, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + // grant common app + ret = AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + + ret = AccessTokenKit::DeleteToken(tokenCommon); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenFullControl); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenRead); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone1); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone2); + EXPECT_EQ(RET_SUCCESS, ret); +} + +/** + * @tc.name: ReadDlp02 + * @tc.desc: read mode dlp app revoke permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, ReadDlp02, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + // grant common app + ret = AccessTokenKit::RevokePermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::DeleteToken(tokenCommon); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenFullControl); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenRead); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone1); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone2); + EXPECT_EQ(RET_SUCCESS, ret); +} + +/** + * @tc.name: ReadDlp03 + * @tc.desc: read mode dlp app clear permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, ReadDlp03, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED); + AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED); + AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED); + + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + + + ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenRead); + EXPECT_EQ(ret, RET_SUCCESS); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenCommon)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenFullControl)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenRead)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone1)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone2)); +} + + +/** + * @tc.name: CloneApp01 + * @tc.desc: clone app grant permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, CloneApp01, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + // grant common app + ret = AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + + ret = AccessTokenKit::DeleteToken(tokenCommon); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenFullControl); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenRead); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone1); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone2); + EXPECT_EQ(RET_SUCCESS, ret); +} + +/** + * @tc.name: CloneApp02 + * @tc.desc: clone app grant permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, CloneApp02, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + // grant common app + ret = AccessTokenKit::RevokePermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::DeleteToken(tokenCommon); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenFullControl); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenRead); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone1); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone2); + EXPECT_EQ(RET_SUCCESS, ret); +} + +/** + * @tc.name: CloneApp03 + * @tc.desc: clone app clear permission. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, CloneApp03, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED); + AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED); + AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED); + + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + + + ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenClone1); + EXPECT_EQ(ret, RET_SUCCESS); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenCommon)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenFullControl)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenRead)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone1)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone2)); +} + + +/** + * @tc.name: CloneApp04 + * @tc.desc: The permissions of the clone application do not inherit the permissions of the main application + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, CloneApp04, TestSize.Level1) +{ + int ret; + uint32_t flag; + auto policyParams = g_policyParams; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + ret = AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED); + ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::RevokePermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag); + EXPECT_EQ(flag, PERMISSION_USER_FIXED); + EXPECT_EQ(ret, RET_SUCCESS); + + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL); + EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED); + ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag); + EXPECT_EQ(flag, 0); + EXPECT_EQ(ret, RET_SUCCESS); + + ret = AccessTokenKit::DeleteToken(tokenCommon); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone1); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone2); + EXPECT_EQ(RET_SUCCESS, ret); +} + +/** + * @tc.name: CloneApp05 + * @tc.desc: create a clone app + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(CloneAppPermissionTest, CloneApp05, TestSize.Level1) +{ + int ret; + auto policyParams = g_policyParams; + int32_t cloneFlag; + int32_t dlpFlag; + AccessTokenIDInner *idInner = nullptr; + AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams); + AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams); + AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams); + AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams); + AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams); + + idInner = reinterpret_cast(&tokenCommon); + cloneFlag = static_cast(idInner->cloneFlag); + EXPECT_EQ(cloneFlag, 0); + dlpFlag = static_cast(idInner->dlpFlag); + EXPECT_EQ(dlpFlag, 0); + + idInner = reinterpret_cast(&tokenFullControl); + cloneFlag = static_cast(idInner->cloneFlag); + EXPECT_EQ(cloneFlag, 0); + dlpFlag = static_cast(idInner->dlpFlag); + EXPECT_EQ(dlpFlag, 0); + + idInner = reinterpret_cast(&g_infoParmsReadOnly); + cloneFlag = static_cast(idInner->cloneFlag); + EXPECT_EQ(cloneFlag, 0); + dlpFlag = static_cast(idInner->dlpFlag); + EXPECT_EQ(dlpFlag, 0); + + idInner = reinterpret_cast(&g_infoParmsCommonClone1); + cloneFlag = static_cast(idInner->cloneFlag); + EXPECT_EQ(cloneFlag, 0); + dlpFlag = static_cast(idInner->dlpFlag); + EXPECT_EQ(dlpFlag, 0); + + idInner = reinterpret_cast(&g_infoParmsCommonClone2); + cloneFlag = static_cast(idInner->cloneFlag); + EXPECT_EQ(cloneFlag, 0); + dlpFlag = static_cast(idInner->dlpFlag); + EXPECT_EQ(dlpFlag, 0); + + ret = AccessTokenKit::DeleteToken(tokenCommon); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenFullControl); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenRead); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone1); + EXPECT_EQ(RET_SUCCESS, ret); + ret = AccessTokenKit::DeleteToken(tokenClone2); + EXPECT_EQ(RET_SUCCESS, ret); +} \ No newline at end of file diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/clone_app_permission_test.h b/interfaces/innerkits/accesstoken/test/unittest/src/clone_app_permission_test.h new file mode 100644 index 0000000000000000000000000000000000000000..f0543534fff3e7359b5f1c0d6505ce6f04ba4e07 --- /dev/null +++ b/interfaces/innerkits/accesstoken/test/unittest/src/clone_app_permission_test.h @@ -0,0 +1,35 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef CLONE_APP_PERMISSION_TEST_H +#define CLONE_APP_PERMISSION_TEST_H + +#include + +namespace OHOS { +namespace Security { +namespace AccessToken { +class CloneAppPermissionTest : public testing::Test { +public: + static void SetUpTestCase(); + static void TearDownTestCase(); + void TearDown(); + void SetUp(); + static uint64_t selfTokenId_; +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS +#endif // CLONE_APP_PERMISSION_TEST_H \ No newline at end of file diff --git a/services/accesstokenmanager/main/cpp/include/token/accesstoken_id_manager.h b/services/accesstokenmanager/main/cpp/include/token/accesstoken_id_manager.h index 833fe65d728dc82e0a1ea5eed9236be6dfaa0284..7d70df4693f7bd10f778ff91938b1de783d4d153 100644 --- a/services/accesstokenmanager/main/cpp/include/token/accesstoken_id_manager.h +++ b/services/accesstokenmanager/main/cpp/include/token/accesstoken_id_manager.h @@ -35,18 +35,19 @@ public: virtual ~AccessTokenIDManager() = default; int AddTokenId(AccessTokenID id, ATokenTypeEnum type); - AccessTokenID CreateAndRegisterTokenId(ATokenTypeEnum type, int dlpType); + AccessTokenID CreateAndRegisterTokenId(ATokenTypeEnum type, int32_t dlpFlag, int32_t cloneFlag); int RegisterTokenId(AccessTokenID id, ATokenTypeEnum type); void ReleaseTokenId(AccessTokenID id); ATokenTypeEnum GetTokenIdType(AccessTokenID id); int GetTokenIdDlpFlag(AccessTokenID id); + int GetTokenIdCloneFlag(AccessTokenID id); static ATokenTypeEnum GetTokenIdTypeEnum(AccessTokenID id); void GetHapTokenIdList(std::vector& idList); private: AccessTokenIDManager() = default; DISALLOW_COPY_AND_MOVE(AccessTokenIDManager); - AccessTokenID CreateTokenId(ATokenTypeEnum type, int dlpType) const; + AccessTokenID CreateTokenId(ATokenTypeEnum type, int32_t dlpFlag, int32_t cloneFlag) const; OHOS::Utils::RWLock tokenIdLock_; std::set tokenIdSet_; diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp index 3dccd03705a7d1d0bbcf205d99c352d4ae04b153..384333cf9e6b7c3331c046d81a36699f446838a0 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_id_manager.cpp @@ -38,6 +38,12 @@ int AccessTokenIDManager::GetTokenIdDlpFlag(AccessTokenID id) return idInner->dlpFlag; } +int AccessTokenIDManager::GetTokenIdCloneFlag(AccessTokenID id) +{ + AccessTokenIDInner *idInner = reinterpret_cast(&id); + return idInner->cloneFlag; +} + ATokenTypeEnum AccessTokenIDManager::GetTokenIdType(AccessTokenID id) { { @@ -78,7 +84,7 @@ void AccessTokenIDManager::GetHapTokenIdList(std::vector& idList) } } -AccessTokenID AccessTokenIDManager::CreateTokenId(ATokenTypeEnum type, int dlpType) const +AccessTokenID AccessTokenIDManager::CreateTokenId(ATokenTypeEnum type, int32_t dlpFlag, int32_t cloneFlag) const { unsigned int rand = GetRandomUint32(); if (rand == 0) { @@ -90,19 +96,20 @@ AccessTokenID AccessTokenIDManager::CreateTokenId(ATokenTypeEnum type, int dlpTy innerId.version = DEFAULT_TOKEN_VERSION; innerId.type = type; innerId.res = 0; + innerId.cloneFlag = cloneFlag; innerId.renderFlag = 0; - innerId.dlpFlag = (dlpType == 0) ? 0 : 1; + innerId.dlpFlag = dlpFlag; innerId.tokenUniqueID = rand & TOKEN_RANDOM_MASK; AccessTokenID tokenId = *reinterpret_cast(&innerId); return tokenId; } -AccessTokenID AccessTokenIDManager::CreateAndRegisterTokenId(ATokenTypeEnum type, int dlpType) +AccessTokenID AccessTokenIDManager::CreateAndRegisterTokenId(ATokenTypeEnum type, int32_t dlpFlag, int32_t cloneFlag) { AccessTokenID tokenId = 0; // random maybe repeat, retry twice. for (int i = 0; i < MAX_CREATE_TOKEN_ID_RETRY; i++) { - tokenId = CreateTokenId(type, dlpType); + tokenId = CreateTokenId(type, dlpFlag, cloneFlag); if (tokenId == INVALID_TOKENID) { ACCESSTOKEN_LOG_ERROR(LABEL, "create tokenId failed"); return INVALID_TOKENID; diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index 050b353176687d65b05992fc8c0ae14706fcaba5..a1ef40dcacca33ad1d30e14d49816b369e125124 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp @@ -477,7 +477,9 @@ int AccessTokenInfoManager::CreateHapTokenInfo( ACCESSTOKEN_LOG_ERROR(LABEL, "hap token param failed"); return AccessTokenError::ERR_PARAM_INVALID; } - AccessTokenID tokenId = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(TOKEN_HAP, info.dlpType); + int32_t dlpFlag = (info.dlpType > DLP_COMMON) ? 1 : 0; + int32_t cloneFlag = ((dlpFlag == 0) && (info.instIndex) > 0) ? 1 : 0; + AccessTokenID tokenId = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(TOKEN_HAP, dlpFlag, cloneFlag); if (tokenId == 0) { ACCESSTOKEN_LOG_INFO(LABEL, "token Id create failed"); return ERR_TOKENID_CREATE_FAILED; @@ -1355,8 +1357,6 @@ void AccessTokenInfoManager::GetRelatedSandBoxHapList(AccessTokenID tokenId, std { Utils::UniqueReadGuard infoGuard(this->hapTokenInfoLock_); - std::string bundleName; - int32_t userID; auto infoIter = hapTokenInfoMap_.find(tokenId); if (infoIter == hapTokenInfoMap_.end()) { return; @@ -1365,15 +1365,25 @@ void AccessTokenInfoManager::GetRelatedSandBoxHapList(AccessTokenID tokenId, std ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr"); return; } - bundleName = infoIter->second->GetBundleName(); - userID = infoIter->second->GetUserID(); + std::string bundleName = infoIter->second->GetBundleName(); + int32_t userID = infoIter->second->GetUserID(); + int32_t index = infoIter->second->GetInstIndex(); + int32_t dlpType = infoIter->second->GetDlpType(); + // the permissions of a common application whose index is not equal 0 are managed independently. + if ((dlpType == DLP_COMMON) && (index != 0)) { + return; + } for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); ++iter) { - if (iter->second != nullptr) { - if ((bundleName == iter->second->GetBundleName()) && (userID == iter->second->GetUserID()) && - (tokenId != iter->second->GetTokenID())) { - tokenIdList.emplace_back(iter->second->GetTokenID()); + if (iter->second == nullptr) { + continue; + } + if ((bundleName == iter->second->GetBundleName()) && (userID == iter->second->GetUserID()) && + (tokenId != iter->second->GetTokenID())) { + if ((iter->second->GetDlpType() == DLP_COMMON) && (iter->second->GetInstIndex() != 0)) { + continue; } + tokenIdList.emplace_back(iter->second->GetTokenID()); } } } diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp index 4771a981038e838630a4c399f2be33060e9338f2..46e158322857b2e41c6adf7fd7e5ec0715e614d9 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_remote_token_manager.cpp @@ -54,7 +54,8 @@ AccessTokenID AccessTokenRemoteTokenManager::MapRemoteDeviceTokenToLocal(const s LABEL, "token %{public}x type is invalid.", remoteID); return 0; } - int dlpType = AccessTokenIDManager::GetInstance().GetTokenIdDlpFlag(remoteID); + int32_t dlpFlag = AccessTokenIDManager::GetInstance().GetTokenIdDlpFlag(remoteID); + int32_t cloneFlag = AccessTokenIDManager::GetInstance().GetTokenIdCloneFlag(remoteID); AccessTokenID mapID = 0; Utils::UniqueWriteGuard infoGuard(this->remoteDeviceLock_); @@ -64,7 +65,7 @@ AccessTokenID AccessTokenRemoteTokenManager::MapRemoteDeviceTokenToLocal(const s if (device.MappingTokenIDPairMap_.count(remoteID) > 0) { mapID = device.MappingTokenIDPairMap_[remoteID]; ACCESSTOKEN_LOG_ERROR( - LABEL, "device %{public}s token %{public}x has already mapped, maptokenID is %{public}x.", + LABEL, "device %{public}s token %{public}x has already mapped, map tokenID is %{public}x.", ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID); return mapID; } @@ -76,7 +77,7 @@ AccessTokenID AccessTokenRemoteTokenManager::MapRemoteDeviceTokenToLocal(const s mapPtr = &remoteDeviceMap_[deviceID].MappingTokenIDPairMap_; } - mapID = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(tokeType, dlpType); + mapID = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(tokeType, dlpFlag, cloneFlag); if (mapID == 0) { ACCESSTOKEN_LOG_ERROR( LABEL, "device %{public}s token %{public}x map local Token failed.",