From 50bdb8d55ca0716eccefd92ecbc199e4e90b8bcc Mon Sep 17 00:00:00 2001 From: yangliu Date: Wed, 25 Jun 2025 10:33:34 +0800 Subject: [PATCH 1/3] add acl check Signed-off-by: yangliu --- .../src/device_manager_adapter.cpp | 10 ++-- .../include/communicator/commu_types.h | 3 + .../route_head_handler_impl.cpp | 3 +- .../src/session_manager/session_manager.cpp | 56 +++++++++++++++++-- .../app/src/session_manager/session_manager.h | 3 + 5 files changed, 64 insertions(+), 11 deletions(-) diff --git a/services/distributeddataservice/adapter/communicator/src/device_manager_adapter.cpp b/services/distributeddataservice/adapter/communicator/src/device_manager_adapter.cpp index d6a78e9c8..ff992d6c8 100644 --- a/services/distributeddataservice/adapter/communicator/src/device_manager_adapter.cpp +++ b/services/distributeddataservice/adapter/communicator/src/device_manager_adapter.cpp @@ -629,10 +629,10 @@ bool DeviceManagerAdapter::IsSameAccount(const std::string &id) bool DeviceManagerAdapter::CheckAccessControl(const AccessCaller &accCaller, const AccessCallee &accCallee) { DmAccessCaller dmAccessCaller = { .accountId = accCaller.accountId, .pkgName = accCaller.bundleName, - .networkId = accCaller.networkId, .userId = accCaller.userId }; - DmAccessCallee dmAccessCallee = { .accountId = accCallee.accountId, .networkId = accCallee.networkId, - .userId = accCallee.userId }; - return DeviceManager::GetInstance().CheckAccessControl(dmAccessCaller, dmAccessCallee); + .networkId = accCaller.networkId, .tokenId = accCaller.tokenId, .userId = accCaller.userId }; + DmAccessCallee dmAccessCallee = { .accountId = accCallee.accountId, .pkgName = accCallee.bundleName, + .networkId = accCallee.networkId, .tokenId = accCallee.tokenId, .userId = accCallee.userId }; + return DeviceManager::GetInstance().CheckSinkAccessControl(dmAccessCaller, dmAccessCallee); } bool DeviceManagerAdapter::IsSameAccount(const AccessCaller &accCaller, const AccessCallee &accCallee) @@ -641,7 +641,7 @@ bool DeviceManagerAdapter::IsSameAccount(const AccessCaller &accCaller, const Ac .userId = accCaller.userId }; DmAccessCallee dmAccessCallee = { .accountId = accCallee.accountId, .networkId = accCallee.networkId, .userId = accCallee.userId }; - return DeviceManager::GetInstance().CheckIsSameAccount(dmAccessCaller, dmAccessCallee); + return DeviceManager::GetInstance().CheckSinkIsSameAccount(dmAccessCaller, dmAccessCallee); } void DeviceManagerAdapter::ResetLocalDeviceInfo() diff --git a/services/distributeddataservice/adapter/include/communicator/commu_types.h b/services/distributeddataservice/adapter/include/communicator/commu_types.h index 6b1f1af69..4c701b2d7 100644 --- a/services/distributeddataservice/adapter/include/communicator/commu_types.h +++ b/services/distributeddataservice/adapter/include/communicator/commu_types.h @@ -35,12 +35,15 @@ struct API_EXPORT AccessCaller { std::string bundleName; std::string networkId; int32_t userId; + uint64_t tokenId; }; struct API_EXPORT AccessCallee { std::string accountId; std::string networkId; int32_t userId; + int32_t userId; + uint64_t tokenId; }; struct API_EXPORT AclParams { diff --git a/services/distributeddataservice/app/src/session_manager/route_head_handler_impl.cpp b/services/distributeddataservice/app/src/session_manager/route_head_handler_impl.cpp index 56d347e2e..9080f7812 100644 --- a/services/distributeddataservice/app/src/session_manager/route_head_handler_impl.cpp +++ b/services/distributeddataservice/app/src/session_manager/route_head_handler_impl.cpp @@ -316,6 +316,7 @@ std::string RouteHeadHandlerImpl::ParseStoreId(const std::string &deviceId, cons if (labelTag != label) { continue; } + session_.storeId = storeMeta.storeId; return storeMeta.storeId; } return ""; @@ -352,7 +353,7 @@ bool RouteHeadHandlerImpl::ParseHeadDataUser(const uint8_t *data, uint32_t total } // flip the local and peer ends - SessionPoint local { .deviceId = session_.targetDeviceId, .appId = session_.appId }; + SessionPoint local { .deviceId = session_.targetDeviceId, .appId = session_.appId, .storeId = session_.storeId }; SessionPoint peer { .deviceId = session_.sourceDeviceId, .userId = session_.sourceUserId, .appId = session_.appId, .accountId = session_.accountId }; ZLOGD("valid session:appId:%{public}s, srcDevId:%{public}s, srcUser:%{public}u, trgDevId:%{public}s,", diff --git a/services/distributeddataservice/app/src/session_manager/session_manager.cpp b/services/distributeddataservice/app/src/session_manager/session_manager.cpp index cb435f6fb..181df372e 100644 --- a/services/distributeddataservice/app/src/session_manager/session_manager.cpp +++ b/services/distributeddataservice/app/src/session_manager/session_manager.cpp @@ -63,7 +63,9 @@ Session SessionManager::GetSession(const SessionPoint &local, const std::string std::vector targetUsers {}; for (const auto &user : users) { - aclParams.accCallee.userId = user.id; + if (!GetAclCalleeParams(user.id, targetDeviceId, local, aclParams)) { + continue; + } auto [isPermitted, isSameAccount] = AuthDelegate::GetInstance()->CheckAccess(local.userId, user.id, targetDeviceId, aclParams); ZLOGD("targetDeviceId:%{public}s, user.id:%{public}d, isPermitted:%{public}d, isSameAccount: %{public}d", @@ -79,7 +81,7 @@ Session SessionManager::GetSession(const SessionPoint &local, const std::string } } session.targetUserIds.insert(session.targetUserIds.end(), targetUsers.begin(), targetUsers.end()); - ZLOGD("access to peer users:%{public}s", DistributedData::Serializable::Marshall(session.targetUserIds).c_str()); + ZLOGI("access to peer users:%{public}s", DistributedData::Serializable::Marshall(session.targetUserIds).c_str()); return session; } @@ -87,7 +89,8 @@ bool SessionManager::GetSendAuthParams(const SessionPoint &local, const std::str AclParams &aclParams) const { std::vector metaData; - if (!MetaDataManager::GetInstance().LoadMeta(StoreMetaData::GetPrefix({ local.deviceId }), metaData)) { + if (!MetaDataManager::GetInstance().LoadMeta(StoreMetaData::GetPrefix({ local.deviceId, + std::to_string(local.userId) }), metaData)) { ZLOGE("load meta failed, deviceId:%{public}s, user:%{public}d", Anonymous::Change(local.deviceId).c_str(), local.userId); return false; @@ -98,8 +101,10 @@ bool SessionManager::GetSendAuthParams(const SessionPoint &local, const std::str aclParams.accCaller.accountId = local.accountId; aclParams.accCaller.userId = local.userId; aclParams.accCaller.networkId = DmAdapter::GetInstance().ToNetworkID(local.deviceId); + aclParams.accCaller.tokenId = storeMeta.tokenId; aclParams.accCallee.networkId = DmAdapter::GetInstance().ToNetworkID(targetDeviceId); + aclParams.accCallee.bundleName = storeMeta.bundleName; aclParams.authType = storeMeta.authType; return true; } @@ -114,22 +119,26 @@ bool SessionManager::GetRecvAuthParams(const SessionPoint &local, const SessionP AclParams &aclParams) const { std::vector metaData; - if (!MetaDataManager::GetInstance().LoadMeta(StoreMetaData::GetPrefix({ peer.deviceId }), metaData)) { + if (!MetaDataManager::GetInstance().LoadMeta(StoreMetaData::GetPrefix({ peer.deviceId, + std::to_string(peer.userId) }), metaData)) { ZLOGE("load meta failed, deviceId:%{public}s, user:%{public}d", Anonymous::Change(peer.deviceId).c_str(), peer.userId); return false; } for (const auto &storeMeta : metaData) { - if (storeMeta.appId == local.appId) { + if (storeMeta.appId == local.appId && storeMeta.storeId == local.storeId) { auto accountId = AccountDelegate::GetInstance()->GetCurrentAccountId(); aclParams.accCaller.bundleName = storeMeta.bundleName; aclParams.accCaller.accountId = accountId; aclParams.accCaller.userId = local.userId; aclParams.accCaller.networkId = DmAdapter::GetInstance().ToNetworkID(local.deviceId); + aclParams.accCaller.tokenId = GetToken(storeMeta.bundleName, local); + aclParams.accCallee.bundleName = storeMeta.bundleName; aclParams.accCallee.accountId = accountFlag ? peer.accountId : accountId; aclParams.accCallee.userId = peer.userId; aclParams.accCallee.networkId = DmAdapter::GetInstance().ToNetworkID(peer.deviceId); + aclParams.accCallee.tokenId = storeMeta.tokenId; aclParams.authType = storeMeta.authType; return true; } @@ -140,6 +149,43 @@ bool SessionManager::GetRecvAuthParams(const SessionPoint &local, const SessionP return false; } +bool SessionManager::GetAclCalleeParams(int32_t peerUser, const std::string &targetDeviceId, + const SessionPoint &local, AclParams &aclParams) const +{ + StoreMetaData meta; + meta.devicdId = targetDeviceId; + meta.user = std::to_string(peerUser); + meta.bundleName = aclParams.accCaller.bundleName; + meta.storeId = local.storeId; + if (!MetaDataManager::GetInstance().LoadMeta(meta.GetKey(), metaData)) { + ZLOGE("load meta failed, deviceId:%{public}s, user:%{public}d, bundleName:%{public}s, store:%{public}s", + Anonymous::Change(targetDeviceId).c_str(), peer.userId, meta.bundleName.c_str(), + Anonymous::Change(meta.storeId).c_str()); + return false; + } + aclParams.accCallee.accountId = meta.account; + aclParams.accCallee.tokenId = meta.tokenId; + aclParams.accCallee.userId = peerUser; + ZLOGI("find... add log"); + return true; +} + +uint64_t SessionManager::GetTokenId(const std::string &bundleName, const SessionPoint &local) const +{ + StoreMetaData meta; + meta.devicdId = local.devicdId; + meta.user = std::to_string(local.userId); + meta.bundleName = bundleName; + meta.storeId = local.storeId; + if (!MetaDataManager::GetInstance().LoadMeta(meta.GetKey(), metaData)) { + ZLOGE("load meta failed, deviceId:%{public}s, user:%{public}d, bundleName:%{public}s, store:%{public}s", + Anonymous::Change(local.devicdId).c_str(), local.userId, bundleName.c_str(), + Anonymous::Change(local.storeId).c_str()); + } + ZLOGI("find... add log"); + return meta.tokenId; +} + bool SessionManager::CheckSession(const SessionPoint &local, const SessionPoint &peer, bool accountFlag) const { AclParams aclParams; diff --git a/services/distributeddataservice/app/src/session_manager/session_manager.h b/services/distributeddataservice/app/src/session_manager/session_manager.h index c41e30c23..c686a64ef 100644 --- a/services/distributeddataservice/app/src/session_manager/session_manager.h +++ b/services/distributeddataservice/app/src/session_manager/session_manager.h @@ -60,6 +60,9 @@ private: AclParams &aclParams) const; bool GetRecvAuthParams(const SessionPoint &local, const SessionPoint &peer, bool accountFlag, AclParams &aclParams) const; + bool GetAclCalleeParams(int32_t peerUser, const std::string &targetDeviceId, + const SessionPoint &local, AclParams &aclParams) const; + uint64_t GetTokenId(const std::string &bundleName, const SessionPoint &local) const; }; } // namespace OHOS::DistributedData -- Gitee From e371b417f10d5cc70cc7cc399b4119eccba5d650 Mon Sep 17 00:00:00 2001 From: yangliu Date: Wed, 25 Jun 2025 10:42:52 +0800 Subject: [PATCH 2/3] add acl check Signed-off-by: yangliu --- .../adapter/include/communicator/commu_types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/distributeddataservice/adapter/include/communicator/commu_types.h b/services/distributeddataservice/adapter/include/communicator/commu_types.h index 4c701b2d7..dcc50a689 100644 --- a/services/distributeddataservice/adapter/include/communicator/commu_types.h +++ b/services/distributeddataservice/adapter/include/communicator/commu_types.h @@ -40,9 +40,9 @@ struct API_EXPORT AccessCaller { struct API_EXPORT AccessCallee { std::string accountId; + std::string bundleName; std::string networkId; int32_t userId; - int32_t userId; uint64_t tokenId; }; -- Gitee From 99135b64aceb29953759aaa8d6ec5a4e9f96786b Mon Sep 17 00:00:00 2001 From: yangliu Date: Thu, 26 Jun 2025 20:36:21 +0800 Subject: [PATCH 3/3] update Signed-off-by: yangliu --- .../app/src/session_manager/session_manager.cpp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/services/distributeddataservice/app/src/session_manager/session_manager.cpp b/services/distributeddataservice/app/src/session_manager/session_manager.cpp index 181df372e..441a8bd86 100644 --- a/services/distributeddataservice/app/src/session_manager/session_manager.cpp +++ b/services/distributeddataservice/app/src/session_manager/session_manager.cpp @@ -132,7 +132,7 @@ bool SessionManager::GetRecvAuthParams(const SessionPoint &local, const SessionP aclParams.accCaller.accountId = accountId; aclParams.accCaller.userId = local.userId; aclParams.accCaller.networkId = DmAdapter::GetInstance().ToNetworkID(local.deviceId); - aclParams.accCaller.tokenId = GetToken(storeMeta.bundleName, local); + aclParams.accCaller.tokenId = GetTokenId(storeMeta.bundleName, local); aclParams.accCallee.bundleName = storeMeta.bundleName; aclParams.accCallee.accountId = accountFlag ? peer.accountId : accountId; @@ -153,13 +153,13 @@ bool SessionManager::GetAclCalleeParams(int32_t peerUser, const std::string &tar const SessionPoint &local, AclParams &aclParams) const { StoreMetaData meta; - meta.devicdId = targetDeviceId; + meta.deviceId = targetDeviceId; meta.user = std::to_string(peerUser); meta.bundleName = aclParams.accCaller.bundleName; meta.storeId = local.storeId; - if (!MetaDataManager::GetInstance().LoadMeta(meta.GetKey(), metaData)) { + if (!MetaDataManager::GetInstance().LoadMeta(meta.GetKey(), meta)) { ZLOGE("load meta failed, deviceId:%{public}s, user:%{public}d, bundleName:%{public}s, store:%{public}s", - Anonymous::Change(targetDeviceId).c_str(), peer.userId, meta.bundleName.c_str(), + Anonymous::Change(targetDeviceId).c_str(), peerUser, meta.bundleName.c_str(), Anonymous::Change(meta.storeId).c_str()); return false; } @@ -173,13 +173,13 @@ bool SessionManager::GetAclCalleeParams(int32_t peerUser, const std::string &tar uint64_t SessionManager::GetTokenId(const std::string &bundleName, const SessionPoint &local) const { StoreMetaData meta; - meta.devicdId = local.devicdId; + meta.deviceId = local.deviceId; meta.user = std::to_string(local.userId); meta.bundleName = bundleName; meta.storeId = local.storeId; - if (!MetaDataManager::GetInstance().LoadMeta(meta.GetKey(), metaData)) { + if (!MetaDataManager::GetInstance().LoadMeta(meta.GetKey(), meta)) { ZLOGE("load meta failed, deviceId:%{public}s, user:%{public}d, bundleName:%{public}s, store:%{public}s", - Anonymous::Change(local.devicdId).c_str(), local.userId, bundleName.c_str(), + Anonymous::Change(local.deviceId).c_str(), local.userId, bundleName.c_str(), Anonymous::Change(local.storeId).c_str()); } ZLOGI("find... add log"); -- Gitee