From 6362f258b1ba4a36bf557304785f2b16f38765fe Mon Sep 17 00:00:00 2001 From: zhangbeihai Date: Thu, 15 May 2025 16:57:27 +0800 Subject: [PATCH 1/2] add sync permission check Signed-off-by: zhangbeihai --- .../service/object/BUILD.gn | 1 + .../service/object/src/object_manager.cpp | 1 + .../object/src/object_service_impl.cpp | 36 +++++++++++++++++-- .../service/udmf/store/runtime_store.cpp | 21 ++++++++--- .../service/udmf/store/runtime_store.h | 1 + 5 files changed, 54 insertions(+), 6 deletions(-) diff --git a/services/distributeddataservice/service/object/BUILD.gn b/services/distributeddataservice/service/object/BUILD.gn index e76a7510e..661ba4270 100644 --- a/services/distributeddataservice/service/object/BUILD.gn +++ b/services/distributeddataservice/service/object/BUILD.gn @@ -20,6 +20,7 @@ config("object_public_config") { "${data_service_path}/service/common", "${data_service_path}/adapter/include/communicator", "${data_service_path}/adapter/include/utils", + "${data_service_path}/service/permission/include", ] } diff --git a/services/distributeddataservice/service/object/src/object_manager.cpp b/services/distributeddataservice/service/object/src/object_manager.cpp index 51635cf04..859de7085 100644 --- a/services/distributeddataservice/service/object/src/object_manager.cpp +++ b/services/distributeddataservice/service/object/src/object_manager.cpp @@ -317,6 +317,7 @@ int32_t ObjectStoreManager::Clear() return STORE_NOT_OPEN; } result = RevokeSaveToStore(""); + callbacks_.Clear(); Close(); return result; } diff --git a/services/distributeddataservice/service/object/src/object_service_impl.cpp b/services/distributeddataservice/service/object/src/object_service_impl.cpp index 71f6195e7..f87fca6f8 100644 --- a/services/distributeddataservice/service/object/src/object_service_impl.cpp +++ b/services/distributeddataservice/service/object/src/object_service_impl.cpp 
@@ -33,6 +33,7 @@ #include "metadata/store_meta_data.h" #include "object_asset_loader.h" #include "object_dms_handler.h" +#include "permission_validator.h" #include "snapshot/bind_event.h" #include "store/auto_cache.h" #include "utils/anonymous.h" @@ -60,6 +61,23 @@ ObjectServiceImpl::Factory::~Factory() { } +int32_t ObjectServiceImpl::PermissionCheck(const std::string &bundleName, const std::string &sessionId, uint32_t &tokenId) +{ + bool isContinue = false; + int32_t status = IsContinue(isContinue); + if (status != OBJECT_SUCCESS) { + ZLOGE("object continue failed %{public}d", status); + return status; + } + // check permission + if (!isContinue && !DistributedKv::PermissionValidator::GetInstance().CheckSyncPermission(tokenId)) { + ZLOGE("object permission denied, isContinue:%{public}d, bundleName:%{public}s, sessionId:%{public}s," + " tokenId:%{public}d", isContinue, bundleName.c_str(), sessionId.c_str(), tokenId); + return OBJECT_PERMISSION_DENIED; + } + return OBJECT_SUCCESS; +} + int32_t ObjectServiceImpl::ObjectStoreSave(const std::string &bundleName, const std::string &sessionId, const std::string &deviceId, const std::map> &data, sptr callback) @@ -72,6 +90,11 @@ int32_t ObjectServiceImpl::ObjectStoreSave(const std::string &bundleName, const if (status != OBJECT_SUCCESS) { return status; } + status = PermissionCheck(bundleName, sessionId, tokenId); + if (status != OBJECT_SUCCESS) { + ZLOGE("Save permission check fail %{public}d", status); + return status; + } status = ObjectStoreManager::GetInstance()->Save(bundleName, sessionId, data, deviceId, callback); if (status != OBJECT_SUCCESS) { ZLOGE("save fail %{public}d", status); 
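Review bot: The denial log in `PermissionCheck` prints `sessionId` and the raw `tokenId` with `%{public}` specifiers, while `IsBundleNameEqualTokenId` in the same file masks the token with `Anonymous::Change(std::to_string(storeInfo.tokenId))`; the new log should mask both values the same way, e.g. `Anonymous::Change(sessionId).c_str()` and `Anonymous::Change(std::to_string(tokenId)).c_str()`. `tokenId` is a `uint32_t` but is formatted with `%d`, and `isContinue` is always false on that branch, so logging it adds nothing. The parameter is declared `uint32_t &tokenId` although the function never writes to it; pass it by value, `uint32_t tokenId`, here and in the declaration that patch 2/2 adds to `object_service_impl.h`. Because `isContinue == true` skips `CheckSyncPermission` entirely, a comment stating why the continuation case is exempt would help the next reader; `IsContinue` itself is not visible in this patch.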
@@ -208,6 +231,11 @@ int32_t ObjectServiceImpl::ObjectStoreRevokeSave( if (status != OBJECT_SUCCESS) { return status; } + status = PermissionCheck(bundleName, sessionId, tokenId); + if (status != OBJECT_SUCCESS) { + ZLOGE("Save permission check fail %{public}d", status); + return status; + } status = ObjectStoreManager::GetInstance()->RevokeSave(bundleName, sessionId, callback); if (status != OBJECT_SUCCESS) { ZLOGE("revoke save fail %{public}d", status); @@ -225,6 +253,11 @@ int32_t ObjectServiceImpl::ObjectStoreRetrieve( if (status != OBJECT_SUCCESS) { return status; } + status = PermissionCheck(bundleName, sessionId, tokenId); + if (status != OBJECT_SUCCESS) { + ZLOGE("Save permission check fail %{public}d", status); + return status; + } status = ObjectStoreManager::GetInstance()->Retrieve(bundleName, sessionId, callback, tokenId); if (status != OBJECT_SUCCESS) { ZLOGE("retrieve fail %{public}d", status); @@ -279,8 +312,7 @@ int32_t ObjectServiceImpl::IsBundleNameEqualTokenId( storeInfo.tokenId = tokenId; storeInfo.bundleName = bundleName; storeInfo.storeId = sessionId; - std::string appId = DistributedData::CheckerManager::GetInstance().GetAppId(storeInfo); - if (appId.empty()) { + if (!DistributedData::CheckerManager::GetInstance().IsValid(storeInfo)) { ZLOGE("object bundleName wrong, bundleName = %{public}s, uid = %{public}d, tokenId = %{public}s", bundleName.c_str(), storeInfo.uid, Anonymous::Change(std::to_string(storeInfo.tokenId)).c_str()); return OBJECT_PERMISSION_DENIED; diff --git a/services/distributeddataservice/service/udmf/store/runtime_store.cpp b/services/distributeddataservice/service/udmf/store/runtime_store.cpp index fa6f511e9..9174b1b23 100644 --- a/services/distributeddataservice/service/udmf/store/runtime_store.cpp +++ b/services/distributeddataservice/service/udmf/store/runtime_store.cpp 
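Review bot: The failure log added to `ObjectStoreRevokeSave` reads "Save permission check fail", copied from `ObjectStoreSave`, and the `ObjectStoreRetrieve` hunk that follows repeats it, so a denied revoke or retrieve cannot be told apart from a denied save when reading the logs. Use `ZLOGE("RevokeSave permission check fail %{public}d", status);` and `ZLOGE("Retrieve permission check fail %{public}d", status);` respectively. Only these three entry points gain the check in this patch; whether the service's other IPC entry points need it cannot be judged from the hunks shown. Both function bodies start and end outside their hunks.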
@@ -447,7 +447,7 @@ bool RuntimeStore::BuildMetaDataParam(DistributedData::StoreMetaData &metaData) return false; } - uint32_t token = IPCSkeleton::GetSelfTokenID(); + uint32_t token = IPCSkeleton::GetCallingFullTokenID(); const std::string userId = std::to_string(DistributedData::AccountDelegate::GetInstance()->GetUserByToken(token)); metaData.appType = "harmony"; metaData.deviceId = localDeviceId; @@ -463,8 +463,9 @@ bool RuntimeStore::BuildMetaDataParam(DistributedData::StoreMetaData &metaData) metaData.securityLevel = DistributedKv::SecurityLevel::S1; metaData.area = DistributedKv::Area::EL1; metaData.uid = static_cast(getuid()); - metaData.storeType = DistributedKv::KvStoreType::SINGLE_VERSION; + metaData.storeType = DistributedData::StoreMetaData::StoreType::STORE_UDMF_BEGIN; metaData.dataType = DistributedKv::DataType::TYPE_DYNAMICAL; + metaData.authType = DistributedKv::AuthType::IDENTICAL_ACCOUNT; metaData.dataDir = DistributedData::DirectoryManager::GetInstance().GetStorePath(metaData); return true; @@ -497,9 +498,13 @@ bool RuntimeStore::SaveMetaData() if (DistributedData::MetaDataManager::GetInstance().LoadMeta(saveMeta.GetKey(), loadLocal, true) && DistributedData::MetaDataManager::GetInstance().LoadMeta(saveMeta.GetKey(), syncMeta, false)) { ZLOGD("Meta data is already saved."); - return true; + // 判断是否需要更新 + if (loadLocal == saveMeta && syncMeta == saveMeta) { + return true; + } } - + // 需重新更新meta + ZLOGI("SaveMeta, saveMeta.key:%{public}s", saveMeta.GetKey().c_str()); auto saved = DistributedData::MetaDataManager::GetInstance().SaveMeta(saveMeta.GetKey(), saveMeta) && DistributedData::MetaDataManager::GetInstance().SaveMeta(saveMeta.GetKey(), saveMeta, true); if (!saved) { 
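Review bot: `IPCSkeleton::GetCallingFullTokenID()` returns a 64-bit value, so `uint32_t token = IPCSkeleton::GetCallingFullTokenID();` silently drops the upper half; use `IPCSkeleton::GetCallingTokenID()` or keep the value in a `uint64_t` and narrow it explicitly. The user id written into the store metadata is now derived from whichever caller is on the IPC stack when `BuildMetaDataParam` runs, while `metaData.uid` in the next hunk still comes from `getuid()`, so the metadata mixes caller and service identity. If this function can run outside a request context the calling token presumably falls back to the service's own; a comment stating which identity the metadata is meant to carry would be worth adding. The function body starts and ends outside the hunk.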
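Review bot: In `SaveMetaData`, `ZLOGD("Meta data is already saved.");` now fires before the equality test, so it is printed even when the stored metadata differs and is about to be rewritten; move it inside `if (loadLocal == saveMeta && syncMeta == saveMeta)`. The rewrite decision depends on which fields `StoreMetaData`'s `operator==` compares, which is not visible here; if it omits `authType` or `storeType`, stores created before this patch would keep their old values. The two added comments are in Chinese; in English they would read `// check whether the stored meta needs updating` and `// meta must be rewritten`.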
@@ -562,5 +567,13 @@ Status RuntimeStore::DeleteEntries(const std::vector &keys) return E_OK; } +Status RuntimeStore::DeleteStore() +{ + // delete store: 1.先看是不是老meta,是的话,删除老meta,再删除store + delegateManager_->DeleteKvStore(storeId_); + // delete meta + return E_OK; +} + } // namespace UDMF } // namespace OHOS \ No newline at end of file diff --git a/services/distributeddataservice/service/udmf/store/runtime_store.h b/services/distributeddataservice/service/udmf/store/runtime_store.h index eb83a3503..0d8781f1d 100644 --- a/services/distributeddataservice/service/udmf/store/runtime_store.h +++ b/services/distributeddataservice/service/udmf/store/runtime_store.h @@ -43,6 +43,7 @@ public: Status DeleteLocal(const std::string &key) override; Status PutRuntime(const std::string &key, const Runtime &runtime) override; Status GetRuntime(const std::string &key, Runtime &runtime) override; + Status DeleteStore(); void Close() override; bool Init() override; -- Gitee From 7bc1d2d70783b5d98467298fb8aa3ff3d4a6b6c5 Mon Sep 17 00:00:00 2001 From: zhangbeihai Date: Sat, 17 May 2025 14:42:30 +0800 Subject: [PATCH 2/2] fix code Signed-off-by: zhangbeihai --- .../service/object/include/object_service_impl.h | 1 + 1 file changed, 1 insertion(+) diff --git a/services/distributeddataservice/service/object/include/object_service_impl.h b/services/distributeddataservice/service/object/include/object_service_impl.h index e398edfac..1cba58952 100644 --- a/services/distributeddataservice/service/object/include/object_service_impl.h +++ b/services/distributeddataservice/service/object/include/object_service_impl.h @@ -70,6 +70,7 @@ private: void RegisterHandler(); int32_t SaveMetaData(StoreMetaData& saveMeta, const std::string &user, const std::string &account); void UpdateMetaData(); + int32_t PermissionCheck(const std::string &bundleName, const std::string &sessionId, uint32_t &tokenId); static Factory factory_; std::shared_ptr executors_; -- Gitee
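Review bot: `RuntimeStore::DeleteStore()` discards the result of `delegateManager_->DeleteKvStore(storeId_)` and returns `E_OK` unconditionally, so a caller cannot tell a failed deletion from a successful one. Capture the returned status, log it on failure and return an error `Status` instead of `E_OK`. The comments describe removing the old metadata before the store and deleting the meta afterwards, but neither step is implemented, so the store's metadata would outlive the store; either implement them or mark the function as incomplete with a TODO. The declaration added to `runtime_store.h` has no `override`, unlike its neighbours, and nothing in this patch calls it.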