diff --git a/services/distributeddataservice/service/object/BUILD.gn b/services/distributeddataservice/service/object/BUILD.gn index e76a7510e2f782d5228323c0442f9315207bf6fc..661ba42709af71e2589d6876e18b7fdac913bf52 100644 --- a/services/distributeddataservice/service/object/BUILD.gn +++ b/services/distributeddataservice/service/object/BUILD.gn @@ -20,6 +20,7 @@ config("object_public_config") { "${data_service_path}/service/common", "${data_service_path}/adapter/include/communicator", "${data_service_path}/adapter/include/utils", + "${data_service_path}/service/permission/include", ] } diff --git a/services/distributeddataservice/service/object/include/object_service_impl.h b/services/distributeddataservice/service/object/include/object_service_impl.h index e398edface1861cb6e1ff32a6e57eb41293fba57..1cba5895262d09f2123db3b5d9fc0f2d3d727bce 100644 --- a/services/distributeddataservice/service/object/include/object_service_impl.h +++ b/services/distributeddataservice/service/object/include/object_service_impl.h @@ -70,6 +70,7 @@ private: void RegisterHandler(); int32_t SaveMetaData(StoreMetaData& saveMeta, const std::string &user, const std::string &account); void UpdateMetaData(); + int32_t PermissionCheck(const std::string &bundleName, const std::string &sessionId, uint32_t &tokenId); static Factory factory_; std::shared_ptr executors_; diff --git a/services/distributeddataservice/service/object/src/object_service_impl.cpp b/services/distributeddataservice/service/object/src/object_service_impl.cpp index 71f6195e7a2c4182f769693e996f633a94bc5875..a45af345cee194d96602feedddcc3f97c43c113c 100644 --- a/services/distributeddataservice/service/object/src/object_service_impl.cpp +++ b/services/distributeddataservice/service/object/src/object_service_impl.cpp @@ -33,6 +33,7 @@ #include "metadata/store_meta_data.h" #include "object_asset_loader.h" #include "object_dms_handler.h" +#include "permission_validator.h" #include "snapshot/bind_event.h" #include "store/auto_cache.h" #include "utils/anonymous.h" @@ -60,6 +61,23 @@ ObjectServiceImpl::Factory::~Factory() { } +int32_t ObjectServiceImpl::PermissionCheck(const std::string &bundleName, const std::string &sessionId, uint32_t &tokenId) +{ + bool isContinue = false; + int32_t status = IsContinue(isContinue); + if (status != OBJECT_SUCCESS) { + ZLOGE("object continue failed %{public}d", status); + return status; + } + // check permission + if (!isContinue && !DistributedKv::PermissionValidator::GetInstance().CheckSyncPermission(tokenId)) { + ZLOGE("object permission denied, isContinue:%{public}d, bundleName:%{public}s, sessionId:%{public}s," + " tokenId:%{public}d", isContinue, bundleName.c_str(), sessionId.c_str(), tokenId); + return OBJECT_PERMISSION_DENIED; + } + return OBJECT_SUCCESS; +} + int32_t ObjectServiceImpl::ObjectStoreSave(const std::string &bundleName, const std::string &sessionId, const std::string &deviceId, const std::map> &data, sptr callback) @@ -72,6 +90,11 @@ int32_t ObjectServiceImpl::ObjectStoreSave(const std::string &bundleName, const if (status != OBJECT_SUCCESS) { return status; } + status = PermissionCheck(bundleName, sessionId, tokenId); + if (status != OBJECT_SUCCESS) { + ZLOGE("Save permission check fail %{public}d", status); + return status; + } status = ObjectStoreManager::GetInstance()->Save(bundleName, sessionId, data, deviceId, callback); if (status != OBJECT_SUCCESS) { ZLOGE("save fail %{public}d", status); @@ -208,6 +231,11 @@ int32_t ObjectServiceImpl::ObjectStoreRevokeSave( if (status != OBJECT_SUCCESS) { return status; } + status = PermissionCheck(bundleName, sessionId, tokenId); + if (status != OBJECT_SUCCESS) { + ZLOGE("Save permission check fail %{public}d", status); + return status; + } status = ObjectStoreManager::GetInstance()->RevokeSave(bundleName, sessionId, callback); if (status != OBJECT_SUCCESS) { ZLOGE("revoke save fail %{public}d", status); @@ -225,6 +253,11 @@ int32_t ObjectServiceImpl::ObjectStoreRetrieve( if (status != OBJECT_SUCCESS) { return status; } + status = PermissionCheck(bundleName, sessionId, tokenId); + if (status != OBJECT_SUCCESS) { + ZLOGE("Save permission check fail %{public}d", status); + return status; + } status = ObjectStoreManager::GetInstance()->Retrieve(bundleName, sessionId, callback, tokenId); if (status != OBJECT_SUCCESS) { ZLOGE("retrieve fail %{public}d", status); diff --git a/services/distributeddataservice/service/test/object_service_impl_test.cpp b/services/distributeddataservice/service/test/object_service_impl_test.cpp index 4a0a0b2f3cd273cd88fbc0901649e59f781ea3d2..c1ca49712e0b650cfb5cb8fba68eed0577915633 100644 --- a/services/distributeddataservice/service/test/object_service_impl_test.cpp +++ b/services/distributeddataservice/service/test/object_service_impl_test.cpp @@ -151,4 +151,21 @@ HWTEST_F(ObjectServiceImplTest, ResolveAutoLaunch001, TestSize.Level1) int32_t ret = objectServiceImpl->ResolveAutoLaunch(identifier, param); EXPECT_EQ(ret, OBJECT_SUCCESS); } + +/** + * @tc.name: PermissionCheck001 + * @tc.desc: PermissionCheck test: bundleName with no sync permission is not in continue. + * @tc.type: FUNC + */ +HWTEST_F(ObjectServiceImplTest, PermissionCheck001, TestSize.Level1) +{ + std::string bundleName = "com.examples.hmos.notepad"; + std::string sessionId = "sessionId"; + OHOS::Security::AccessToken::AccessTokenID tokenId = + OHOS::Security::AccessToken::AccessTokenKit::GetHapTokenID(100, bundleName, 0); + SetSelfTokenID(tokenId); + std::shared_ptr objectServiceImpl = std::make_shared(); + int32_t ret = objectServiceImpl->PermissionCheck(bundleName, sessionId, tokenId); + EXPECT_NE(ret, OBJECT_SUCCESS); +} } \ No newline at end of file