From b71a4a7f3ad25ee4eb63fb8442234479397877a0 Mon Sep 17 00:00:00 2001 From: zuojiangjiang Date: Sat, 26 Mar 2022 17:33:28 +0800 Subject: [PATCH 1/5] add check sync permission with accessToken Signed-off-by: zuojiangjiang --- .../include/permission/permission_validator.h | 2 +- .../adapter/permission/BUILD.gn | 1 + .../src/client_permission_validator.cpp | 25 ++++++++++++++++--- .../src/client_permission_validator.h | 3 ++- .../permission/src/permission_validator.cpp | 5 ++-- .../app/src/kvstore_data_service.cpp | 3 ++- .../app/src/kvstore_meta_manager.cpp | 2 ++ .../app/src/kvstore_meta_manager.h | 2 ++ 8 files changed, 34 insertions(+), 9 deletions(-) diff --git a/services/distributeddataservice/adapter/include/permission/permission_validator.h b/services/distributeddataservice/adapter/include/permission/permission_validator.h index 99c6fc126..af61dabd1 100644 --- a/services/distributeddataservice/adapter/include/permission/permission_validator.h +++ b/services/distributeddataservice/adapter/include/permission/permission_validator.h @@ -45,7 +45,7 @@ public: // check whether the client process have enough privilege to share data with the other devices. // uid: client process uid KVSTORE_API static bool CheckSyncPermission(const std::string &userId, const std::string &appId, - std::int32_t uid = 0); + std::uint32_t tokenId, std::int32_t uid = 0); KVSTORE_API static bool RegisterPermissionChanged( const KvStoreTuple &kvStoreTuple, const AppThreadInfo &appThreadInfo); diff --git a/services/distributeddataservice/adapter/permission/BUILD.gn b/services/distributeddataservice/adapter/permission/BUILD.gn index b2d7de6df..e600aee70 100755 --- a/services/distributeddataservice/adapter/permission/BUILD.gn +++ b/services/distributeddataservice/adapter/permission/BUILD.gn 
@@ -44,6 +44,7 @@ ohos_static_library("distributeddata_permission_static") { external_deps = [ "ability_base:base", "ability_base:want", + "access_token:libaccesstoken_sdk", "bundle_framework:appexecfwk_base", "bundle_framework:appexecfwk_core", "hiviewdfx_hilog_native:libhilog", diff --git a/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp b/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp index a7ee8ef4c..981a7d204 100644 --- a/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp +++ b/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp @@ -18,6 +18,8 @@ #include "client_permission_validator.h" #include #include +#include "accesstoken_kit.h" +#include "log_print.h" namespace OHOS { namespace DistributedKv { @@ -46,11 +48,26 @@ void ClientPermissionValidator::UpdatePermissionStatus( } } -bool ClientPermissionValidator::CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, std::int32_t curUid) +bool ClientPermissionValidator::CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, + std::uint32_t tokenId, std::int32_t curUid) { - (void) kvStoreTuple; - (void) curUid; - return true; + std::int32_t uid; + std::lock_guard tupleLock(tupleMutex_); + auto tupleMapIt = kvStoreTupleMap_.find(kvStoreTuple); + if (tupleMapIt != kvStoreTupleMap_.end()) { + uid = tupleMapIt->second.uid; + } else { + ZLOGD("can't find this kvstore tuple[%s-%s-%s] in kvStoreTupleMap_[%zu].", + kvStoreTuple.userId.c_str(), kvStoreTuple.appId.c_str(), kvStoreTuple.storeId.c_str(), + kvStoreTupleMap_.size()); + if (curUid != 0) { + bool permissionStatus = + (Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, DISTRIBUTED_DATASYNC) == + Security::AccessToken::PERMISSION_GRANTED); + return permissionStatus; + } + } + return false; } bool ClientPermissionValidator::RegisterPermissionChanged( 
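Review bot: In PATCH 1/5 the new `CheckClientSyncPermission` body denies every store it finds in `kvStoreTupleMap_`: that branch only assigns `uid`, which is never read, and then falls through to `return false`. `VerifyAccessToken` is therefore reached only for unknown tuples with a non-zero `curUid`. The caller added in permission_validator.cpp in the same patch passes `(kvStoreTuple, uid, tokenId)` against a `(kvStoreTuple, tokenId, curUid)` signature; both are 32-bit integers, so the swap compiles silently and the uid would be verified as an access token. PATCH 2/5 removes both problems, so I would squash 1/5 and 2/5 so that no commit or partial backport carries this intermediate check. If 1/5 has to stand alone, the call should read `CheckClientSyncPermission(kvStoreTuple, tokenId, uid)`.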
diff --git a/services/distributeddataservice/adapter/permission/src/client_permission_validator.h b/services/distributeddataservice/adapter/permission/src/client_permission_validator.h index b31bcc902..a1d6ec194 100644 --- a/services/distributeddataservice/adapter/permission/src/client_permission_validator.h +++ b/services/distributeddataservice/adapter/permission/src/client_permission_validator.h @@ -62,7 +62,7 @@ public: void UpdatePermissionStatus(int32_t uid, const std::string &permissionType, bool permissionStatus); - bool CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, std::int32_t curUid); + bool CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, std::uint32_t tokenId, std::int32_t curUid); private: ClientPermissionValidator() = default; @@ -76,6 +76,7 @@ private: void RebuildBundleManager(); std::mutex tupleMutex_; + std::map kvStoreTupleMap_; std::mutex permissionMutex_; std::map dataSyncPermissionMap_; }; diff --git a/services/distributeddataservice/adapter/permission/src/permission_validator.cpp b/services/distributeddataservice/adapter/permission/src/permission_validator.cpp index ed6f14b85..5cda112ce 100644 --- a/services/distributeddataservice/adapter/permission/src/permission_validator.cpp +++ b/services/distributeddataservice/adapter/permission/src/permission_validator.cpp 
@@ -36,10 +36,11 @@ std::set PermissionValidator::autoLaunchEnableList_ = { }; // check whether the client process have enough privilege to share data with the other devices. -bool PermissionValidator::CheckSyncPermission(const std::string &userId, const std::string &appId, std::int32_t uid) +bool PermissionValidator::CheckSyncPermission(const std::string &userId, const std::string &appId, + std::uint32_t tokenId, std::int32_t uid) { KvStoreTuple kvStoreTuple {userId, appId}; - return ClientPermissionValidator::GetInstance().CheckClientSyncPermission(kvStoreTuple, uid); + return ClientPermissionValidator::GetInstance().CheckClientSyncPermission(kvStoreTuple, uid, tokenId); } bool PermissionValidator::RegisterPermissionChanged( diff --git a/services/distributeddataservice/app/src/kvstore_data_service.cpp b/services/distributeddataservice/app/src/kvstore_data_service.cpp index 56d28ebdc..72e28e7be 100644 --- a/services/distributeddataservice/app/src/kvstore_data_service.cpp +++ b/services/distributeddataservice/app/src/kvstore_data_service.cpp @@ -375,6 +375,7 @@ Status KvStoreDataService::UpdateMetaData(const Options &options, const KvStoreP metaData.kvStoreType = options.kvStoreType; metaData.schema = options.schema; metaData.storeId = kvParas.storeId; + metaData.tokenId = IPCSkeleton::GetCallingTokenID(); metaData.userId = AccountDelegate::GetInstance()->GetCurrentAccountId(kvParas.bundleName); metaData.uid = IPCSkeleton::GetCallingUid(); metaData.version = STORE_VERSION; @@ -1075,7 +1076,7 @@ bool KvStoreDataService::CheckPermissions(const std::string &userId, const std:: if (PermissionValidator::IsAutoLaunchEnabled(appId)) { return true; } - bool ret = PermissionValidator::CheckSyncPermission(userId, appId, metaData.uid); + bool ret = PermissionValidator::CheckSyncPermission(userId, appId, metaData.tokenId, metaData.uid); ZLOGD("checking sync permission ret:%{public}d.", ret); return ret; } 
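Review bot: In kvstore_data_service.cpp, `CheckPermissions` now authorizes sync on `metaData.tokenId`, the value `UpdateMetaData` persisted from `IPCSkeleton::GetCallingTokenID()` when the metadata was last written, rather than on a token obtained at check time. How `metaData` is loaded lies outside these hunks, but if a token id can change for the same app (for example on reinstall, to be confirmed against the access-token service), the stored value goes stale and the result no longer reflects the current grant. The `IsAutoLaunchEnabled(appId)` early return also still skips the token check entirely. I would document the lifetime at the assignment, e.g. `// persisted and used later by CheckPermissions(); must be rewritten whenever the owner's token id changes`.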
diff --git a/services/distributeddataservice/app/src/kvstore_meta_manager.cpp b/services/distributeddataservice/app/src/kvstore_meta_manager.cpp index aec8a152c..0166ae6c0 100644 --- a/services/distributeddataservice/app/src/kvstore_meta_manager.cpp +++ b/services/distributeddataservice/app/src/kvstore_meta_manager.cpp @@ -1095,6 +1095,7 @@ std::string KvStoreMetaData::Marshal() const {VERSION, version}, {SECURITY_LEVEL, securityLevel}, {DIRTY_KEY, isDirty}, + {TOKEN_ID, tokenId}, }; return jval.dump(); } @@ -1138,6 +1139,7 @@ void KvStoreMetaData::Unmarshal(const nlohmann::json &jObject) securityLevel = Serializable::GetVal(jObject, SECURITY_LEVEL, json::value_t::number_unsigned, securityLevel); isDirty = Serializable::GetVal(jObject, DIRTY_KEY, json::value_t::boolean, isDirty); + tokenId = Serializable::GetVal(jObject, TOKEN_ID, json::value_t::number_unsigned, tokenId); } template diff --git a/services/distributeddataservice/app/src/kvstore_meta_manager.h b/services/distributeddataservice/app/src/kvstore_meta_manager.h index bdf780df8..c483a53fd 100644 --- a/services/distributeddataservice/app/src/kvstore_meta_manager.h +++ b/services/distributeddataservice/app/src/kvstore_meta_manager.h @@ -101,6 +101,7 @@ struct KvStoreMetaData { KvStoreType kvStoreType = KvStoreType::DEVICE_COLLABORATION; std::string schema = ""; std::string storeId = ""; + std::uint32_t tokenId; std::string userId = ""; std::int32_t uid = -1; std::uint32_t version = 0; @@ -134,6 +135,7 @@ private: static constexpr const char *VERSION = "version"; static constexpr const char *SECURITY_LEVEL = "securityLevel"; static constexpr const char *DIRTY_KEY = "isDirty"; + static constexpr const char *TOKEN_ID = "tokenId"; }; struct MetaData { -- Gitee From 9ee2fc9a5faf6a15291f401736e96a888d45318a Mon Sep 17 00:00:00 2001 From: zuojiangjiang Date: Sat, 26 Mar 2022 18:01:07 +0800 Subject: [PATCH 2/5] fix error 
Signed-off-by: zuojiangjiang --- .../include/permission/permission_validator.h | 2 +- .../src/client_permission_validator.cpp | 22 +++---------------- .../src/client_permission_validator.h | 3 +-- .../permission/src/permission_validator.cpp | 4 ++-- .../app/src/kvstore_data_service.cpp | 2 +- 5 files changed, 8 insertions(+), 25 deletions(-) diff --git a/services/distributeddataservice/adapter/include/permission/permission_validator.h b/services/distributeddataservice/adapter/include/permission/permission_validator.h index af61dabd1..e0475f5b0 100644 --- a/services/distributeddataservice/adapter/include/permission/permission_validator.h +++ b/services/distributeddataservice/adapter/include/permission/permission_validator.h @@ -45,7 +45,7 @@ public: // check whether the client process have enough privilege to share data with the other devices. // uid: client process uid KVSTORE_API static bool CheckSyncPermission(const std::string &userId, const std::string &appId, - std::uint32_t tokenId, std::int32_t uid = 0); + std::uint32_t tokenId); KVSTORE_API static bool RegisterPermissionChanged( const KvStoreTuple &kvStoreTuple, const AppThreadInfo &appThreadInfo); diff --git a/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp b/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp index 981a7d204..9e4879e65 100644 --- a/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp +++ b/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp 
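Review bot: The context comment `// uid: client process uid` above `CheckSyncPermission` in permission_validator.h is left in place although this hunk removes the `uid` parameter, so the header documents an argument that no longer exists and says nothing about `tokenId`. Since this is a `KVSTORE_API` declaration, I would replace it with `// tokenId: access token id of the client process; the DISTRIBUTED_DATASYNC grant is verified against it`.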
@@ -48,26 +48,10 @@ void ClientPermissionValidator::UpdatePermissionStatus( } } -bool ClientPermissionValidator::CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, - std::uint32_t tokenId, std::int32_t curUid) +bool ClientPermissionValidator::CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, std::uint32_t tokenId) { - std::int32_t uid; - std::lock_guard tupleLock(tupleMutex_); - auto tupleMapIt = kvStoreTupleMap_.find(kvStoreTuple); - if (tupleMapIt != kvStoreTupleMap_.end()) { - uid = tupleMapIt->second.uid; - } else { - ZLOGD("can't find this kvstore tuple[%s-%s-%s] in kvStoreTupleMap_[%zu].", - kvStoreTuple.userId.c_str(), kvStoreTuple.appId.c_str(), kvStoreTuple.storeId.c_str(), - kvStoreTupleMap_.size()); - if (curUid != 0) { - bool permissionStatus = - (Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, DISTRIBUTED_DATASYNC) == - Security::AccessToken::PERMISSION_GRANTED); - return permissionStatus; - } - } - return false; + return (Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, DISTRIBUTED_DATASYNC) == + Security::AccessToken::PERMISSION_GRANTED); } bool ClientPermissionValidator::RegisterPermissionChanged( diff --git a/services/distributeddataservice/adapter/permission/src/client_permission_validator.h b/services/distributeddataservice/adapter/permission/src/client_permission_validator.h index a1d6ec194..84eca73f6 100644 --- a/services/distributeddataservice/adapter/permission/src/client_permission_validator.h +++ b/services/distributeddataservice/adapter/permission/src/client_permission_validator.h @@ -62,7 +62,7 @@ public: void UpdatePermissionStatus(int32_t uid, const std::string &permissionType, bool permissionStatus); - bool CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, std::uint32_t tokenId, std::int32_t curUid); + bool CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, std::uint32_t tokenId); private: ClientPermissionValidator() = default; 
@@ -76,7 +76,6 @@ private: void RebuildBundleManager(); std::mutex tupleMutex_; - std::map kvStoreTupleMap_; std::mutex permissionMutex_; std::map dataSyncPermissionMap_; }; diff --git a/services/distributeddataservice/adapter/permission/src/permission_validator.cpp b/services/distributeddataservice/adapter/permission/src/permission_validator.cpp index 5cda112ce..f96bd9b3b 100644 --- a/services/distributeddataservice/adapter/permission/src/permission_validator.cpp +++ b/services/distributeddataservice/adapter/permission/src/permission_validator.cpp @@ -37,10 +37,10 @@ std::set PermissionValidator::autoLaunchEnableList_ = { // check whether the client process have enough privilege to share data with the other devices. bool PermissionValidator::CheckSyncPermission(const std::string &userId, const std::string &appId, - std::uint32_t tokenId, std::int32_t uid) + std::uint32_t tokenId) { KvStoreTuple kvStoreTuple {userId, appId}; - return ClientPermissionValidator::GetInstance().CheckClientSyncPermission(kvStoreTuple, uid, tokenId); + return ClientPermissionValidator::GetInstance().CheckClientSyncPermission(kvStoreTuple, tokenId); } bool PermissionValidator::RegisterPermissionChanged( diff --git a/services/distributeddataservice/app/src/kvstore_data_service.cpp b/services/distributeddataservice/app/src/kvstore_data_service.cpp index 72e28e7be..be7369f3e 100644 --- a/services/distributeddataservice/app/src/kvstore_data_service.cpp +++ b/services/distributeddataservice/app/src/kvstore_data_service.cpp @@ -1076,7 +1076,7 @@ bool KvStoreDataService::CheckPermissions(const std::string &userId, const std:: if (PermissionValidator::IsAutoLaunchEnabled(appId)) { return true; } - bool ret = PermissionValidator::CheckSyncPermission(userId, appId, metaData.tokenId, metaData.uid); + bool ret = PermissionValidator::CheckSyncPermission(userId, appId, metaData.tokenId); ZLOGD("checking sync permission ret:%{public}d.", ret); return ret; } -- Gitee 
From 008357eb089476826d0cdd8e1f06b5672ba480a3 Mon Sep 17 00:00:00 2001 From: zuojiangjiang Date: Sat, 26 Mar 2022 18:07:30 +0800 Subject: [PATCH 3/5] fix error Signed-off-by: zuojiangjiang --- .../adapter/permission/src/client_permission_validator.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp b/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp index 9e4879e65..4b42a96fd 100644 --- a/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp +++ b/services/distributeddataservice/adapter/permission/src/client_permission_validator.cpp @@ -50,6 +50,7 @@ void ClientPermissionValidator::UpdatePermissionStatus( bool ClientPermissionValidator::CheckClientSyncPermission(const KvStoreTuple &kvStoreTuple, std::uint32_t tokenId) { + (void)kvStoreTuple; return (Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, DISTRIBUTED_DATASYNC) == Security::AccessToken::PERMISSION_GRANTED); } -- Gitee From cbafeba75ecf225685e6e9be1ffdefb8f192b11f Mon Sep 17 00:00:00 2001 From: zuojiangjiang Date: Sat, 26 Mar 2022 18:22:06 +0800 Subject: [PATCH 4/5] fix error Signed-off-by: zuojiangjiang --- .../permission/test/unittest/permission_validator_test.cpp | 2 -- 1 file changed, 2 deletions(-) diff --git a/services/distributeddataservice/adapter/permission/test/unittest/permission_validator_test.cpp b/services/distributeddataservice/adapter/permission/test/unittest/permission_validator_test.cpp index 97abd167d..a27aaab0e 100644 --- a/services/distributeddataservice/adapter/permission/test/unittest/permission_validator_test.cpp +++ b/services/distributeddataservice/adapter/permission/test/unittest/permission_validator_test.cpp 
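Review bot: With `(void)kvStoreTuple;` the result of `CheckClientSyncPermission` depends on `tokenId` alone, so the `userId`/`appId` that `CheckSyncPermission` packs into the tuple take no part in the decision. Nothing in this function ties the token to the app named by the caller. If that is intended, say so at the function, e.g. `// Decision is based solely on tokenId; kvStoreTuple is not checked against the token`, or drop the parameter from this internal method. If a binding between app and token is expected, it has to be enforced where `tokenId` is looked up, which is outside this hunk.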
@@ -53,7 +53,6 @@ HWTEST_F(PermissionValidatorTest, TestPermissionValidate001, TestSize.Level0) { std::string userId = "ohos"; std::string appId = "ohosApp"; - EXPECT_TRUE(PermissionValidator::CheckSyncPermission(userId, appId)); } /** @@ -67,7 +66,6 @@ HWTEST_F(PermissionValidatorTest, TestPermissionValidate002, TestSize.Level0) { std::string userId = "ohos"; std::string appId = "ohosApp"; - EXPECT_TRUE(PermissionValidator::CheckSyncPermission(userId, appId)); } /** -- Gitee From 74b67729cf64027313018181c89249c99669bda7 Mon Sep 17 00:00:00 2001 From: zuojiangjiang Date: Wed, 30 Mar 2022 11:46:03 +0800 Subject: [PATCH 5/5] set default value Signed-off-by: zuojiangjiang --- services/distributeddataservice/app/src/kvstore_meta_manager.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/distributeddataservice/app/src/kvstore_meta_manager.h b/services/distributeddataservice/app/src/kvstore_meta_manager.h index c483a53fd..38a3cad02 100644 --- a/services/distributeddataservice/app/src/kvstore_meta_manager.h +++ b/services/distributeddataservice/app/src/kvstore_meta_manager.h @@ -101,7 +101,7 @@ struct KvStoreMetaData { KvStoreType kvStoreType = KvStoreType::DEVICE_COLLABORATION; std::string schema = ""; std::string storeId = ""; - std::uint32_t tokenId; + std::uint32_t tokenId = 0; std::string userId = ""; std::int32_t uid = -1; std::uint32_t version = 0; -- Gitee
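Review bot: The `tokenId = 0` initializer added in PATCH 5/5 is also the value `Unmarshal` falls back to when a stored record has no `tokenId` key, since PATCH 1/5 passes the member itself as the default to `Serializable::GetVal`. That makes 0 the de-facto "no token recorded" value for metadata written before this series, and the sync check will hand it to `VerifyAccessToken`. Whether that call rejects 0 is not visible here and should be confirmed so the legacy case fails closed. I would note it on the field, e.g. `// 0: no access token recorded (legacy metadata); expected to be denied by the sync permission check`. The `KvStoreMetaData` struct continues outside the hunk.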