diff --git a/commondependency/include/deviceprofile_connector.h b/commondependency/include/deviceprofile_connector.h index 30869a2525bd9d0b1964e969d7e2f03efdc60ad9..7bfceb0c21dfd656ed211277a4481ec2cf00ecbc 100644 --- a/commondependency/include/deviceprofile_connector.h +++ b/commondependency/include/deviceprofile_connector.h @@ -24,6 +24,7 @@ #include "service_info_profile.h" #include "service_info_unique_key.h" #include "trusted_device_info.h" +#include "nlohmann/json.hpp" enum AllowAuthType { ALLOW_AUTH_ONCE = 1, @@ -168,6 +169,8 @@ public: std::multimap GetDevIdAndUserIdByActHash(const std::string &localUdid, const std::string &peerUdid, int32_t peerUserId, const std::string &peerAccountHash); std::multimap GetDeviceIdAndUserId(const std::string &localUdid, int32_t localUserId); + void CreateLocalAclParcel(int32_t &size, std::string &localAcl, const std::string &remoteUdid); + void ParseRemoteAcl(int32_t &size, std::string &peerAcl, const std::string &remoteUdid); void HandleSyncBackgroundUserIdEvent(const std::vector &remoteUserIds, const std::string &remoteUdid, const std::vector &localUserIds, std::string &localUdid); void HandleDeviceUnBind(int32_t bindType, const std::string &peerUdid, 
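Review bot: `ParseRemoteAcl` is declared with `int32_t &size` and `std::string &peerAcl`, but the implementation added in deviceprofile_connector.cpp writes to neither, so the non-const references suggest output parameters that do not exist. I would declare it as `void ParseRemoteAcl(int32_t size, const std::string &peerAcl, const std::string &remoteUdid);`. Because this public method deletes local access-control entries based on data received from the peer, a one-line comment above it would keep callers from treating it as a pure parser, for example `// Deletes local ACL entries for remoteUdid that the peer no longer reports.`. The class body continues outside the hunk.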
@@ -195,6 +198,12 @@ private: void ProcessBindType(DistributedDeviceProfile::AccessControlProfile profiles, std::string localDeviceId, std::vector &sinkBindType, std::vector &bindTypeIndex, uint32_t index, std::string targetDeviceId); + void ParseAclFromJson(std::string &peerAcl, int32_t &size, + DistributedDeviceProfile::AccessControlProfile profile, bool &isSame); + void SyncIdenticalAccountAcl(DistributedDeviceProfile::AccessControlProfile profile, + const nlohmann::json &jsonObject, bool &isSame, bool &isDelete, int32_t index); + void SyncPointToPointAcl(DistributedDeviceProfile::AccessControlProfile profile, + const nlohmann::json &jsonObject, bool &isSame, bool &isDelete, int32_t index); bool CheckAppLevelAccess(const DistributedDeviceProfile::AccessControlProfile &profile, const DmAccessCaller &caller, const DmAccessCallee &callee); int32_t GetAuthForm(DistributedDeviceProfile::AccessControlProfile profiles, const std::string &trustDev, diff --git a/commondependency/src/deviceprofile_connector.cpp b/commondependency/src/deviceprofile_connector.cpp index 63207c7750db70f73bbd1d9ed3f5d970c72ab7b5..5c244bc206b391abcd87a9f5977ca5ac463daf44 100644 --- a/commondependency/src/deviceprofile_connector.cpp +++ b/commondependency/src/deviceprofile_connector.cpp @@ -40,6 +40,7 @@ const uint32_t DEVICE = 1; const uint32_t SERVICE = 2; const uint32_t APP = 3; constexpr uint32_t MAX_SESSION_KEY_LENGTH = 512; +constexpr uint32_t MAX_ACL_LENGTH = 1024; namespace OHOS { namespace DistributedHardware { 
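Review bot: The three new private helpers take `DistributedDeviceProfile::AccessControlProfile profile` by value, so every comparison copies the whole profile even though the helpers only call its getters. `CheckAppLevelAccess`, directly below in the same hunk, already uses `const DistributedDeviceProfile::AccessControlProfile &profile`, and the new declarations should match it. `ParseAclFromJson` likewise only reads `peerAcl` and `size`, so `const std::string &peerAcl, int32_t size` would describe what it does. Since the header only names `const nlohmann::json &`, the include added at the top could probably be the lighter `nlohmann/json_fwd.hpp`, provided nothing outside the visible hunks needs the full definition.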
@@ -1470,6 +1471,149 @@ std::map DeviceProfileConnector::GetUserIdAndBindLevel(const s return userIdAndBindLevel; } +void DeviceProfileConnector::CreateLocalAclParcel(int32_t &size, std::string &localAcl, const std::string &remoteUdid) +{ + std::vector profiles = GetAccessControlProfile(); + std::vector profilesFilter = {}; + for (const auto &item : profiles) { + if (item.GetTrustDeviceId() == remoteUdid) { + profilesFilter.push_back(item); + } + } + size = static_cast(profilesFilter.size()); + nlohmann::json json; + for (uint32_t index = 0; index < profilesFilter.size(); index++) { + std::string accesserDeviceId = "accesserDeviceId" + std::to_string(index); + std::string accesserUserId = "accesserUserId" + std::to_string(index); + std::string accesserAccountId = "accesserAccountId" + std::to_string(index); + std::string accesserTokenId = "accesserTokenId" + std::to_string(index); + std::string accesseeDeviceId = "accesseeDeviceId" + std::to_string(index); + std::string accesseeUserId = "accesseeUserId" + std::to_string(index); + std::string accesseeAccountId = "accesseeAccountId" + std::to_string(index); + std::string accesseeTokenId = "accesseeTokenId" + std::to_string(index); + std::string bindType = "bindType" + std::to_string(index); + json[accesserDeviceId] = profilesFilter.at(index).GetAccesser().GetAccesserDeviceId(); + json[accesserUserId] = profilesFilter.at(index).GetAccesser().GetAccesserUserId(); + json[accesserAccountId] = profilesFilter.at(index).GetAccesser().GetAccesserAccountId(); + json[accesserTokenId] = profilesFilter.at(index).GetAccesser().GetAccesserTokenId(); + json[accesseeDeviceId] = profilesFilter.at(index).GetAccessee().GetAccesseeDeviceId(); + json[accesseeUserId] = profilesFilter.at(index).GetAccessee().GetAccesseeUserId(); + json[accesseeAccountId] = profilesFilter.at(index).GetAccessee().GetAccesseeAccountId(); + json[accesseeTokenId] = profilesFilter.at(index).GetAccessee().GetAccesseeTokenId(); + json[bindType] = 
profilesFilter.at(index).GetBindType(); + } + localAcl = SafetyDump(json); +} + +void DeviceProfileConnector::ParseRemoteAcl(int32_t &size, std::string &peerAcl, const std::string &remoteUdid) +{ + if (size < 0 || size > MAX_ACL_LENGTH) { + LOGI("ParseRemoteAcl peerAcl size error."); + return; + } + std::vector profiles = GetAccessControlProfile(); + std::vector profilesFilter = {}; + for (const auto &item : profiles) { + if (item.GetTrustDeviceId() == remoteUdid) { + profilesFilter.push_back(item); + } + } + uint32_t localAclSize = static_cast(profilesFilter.size()); + for (uint32_t item = 0; item < localAclSize; item++) { + LOGI("ParseRemoteAcl Start."); + bool isSame = true; + if (size == 0) { + isSame = false; + } else { + ParseAclFromJson(peerAcl, size, profilesFilter.at(item), isSame); + } + if (!isSame) { + DeviceProfileConnector::GetInstance().DeleteAccessControlById(profilesFilter.at(item).GetAccessControlId()); + } + } +} + +void DeviceProfileConnector::ParseAclFromJson(std::string &peerAcl, int32_t &size, + AccessControlProfile profile, bool &isSame) +{ + nlohmann::json jsonObject = nlohmann::json::parse(peerAcl, nullptr, false); + if (jsonObject.is_discarded()) { + LOGE("ParseAclFromJson DecodeRequestAuth jsonStr error"); + return; + } + for (int32_t index = 0; index < size; index++) { + bool isDelete = false; + std::string accesserDeviceId = "accesserDeviceId" + std::to_string(index); + std::string accesserUserId = "accesserUserId" + std::to_string(index); + std::string accesserAccountId = "accesserAccountId" + std::to_string(index); + std::string accesserTokenId = "accesserTokenId" + std::to_string(index); + std::string accesseeDeviceId = "accesseeDeviceId" + std::to_string(index); + std::string accesseeUserId = "accesseeUserId" + std::to_string(index); + std::string accesseeAccountId = "accesseeAccountId" + std::to_string(index); + std::string accesseeTokenId = "accesseeTokenId" + std::to_string(index); + std::string bindType = "bindType" + 
std::to_string(index); + if (!IsString(jsonObject, accesserDeviceId) || !IsInt32(jsonObject, accesserUserId) || + !IsString(jsonObject, accesserAccountId) || !IsInt32(jsonObject, accesserTokenId) || + !IsString(jsonObject, accesseeDeviceId) || !IsInt32(jsonObject, accesseeUserId) || + !IsString(jsonObject, accesseeAccountId) || !IsInt32(jsonObject, accesseeTokenId) || + !IsInt32(jsonObject, bindType)) { + LOGE("ParseAclFromJson format error."); + isSame = true; + return; + } + if (profile.GetBindType() == DM_IDENTICAL_ACCOUNT && + jsonObject[bindType].get() == DM_IDENTICAL_ACCOUNT) { + SyncIdenticalAccountAcl(profile, jsonObject, isSame, isDelete, index); + } else { + SyncPointToPointAcl(profile, jsonObject, isSame, isDelete, index); + } + if (!isDelete) { + isSame = true; + return; + } + } +} + +void DeviceProfileConnector::SyncIdenticalAccountAcl(DistributedDeviceProfile::AccessControlProfile profile, + const nlohmann::json &jsonObject, bool &isSame, bool &isDelete, int32_t index) +{ + std::string accesserDeviceId = "accesserDeviceId" + std::to_string(index); + std::string accesserAccountId = "accesserAccountId" + std::to_string(index); + std::string accesseeDeviceId = "accesseeDeviceId" + std::to_string(index); + std::string accesseeAccountId = "accesseeAccountId" + std::to_string(index); + if (profile.GetAccesser().GetAccesserDeviceId() != jsonObject[accesseeDeviceId].get() || + profile.GetAccessee().GetAccesseeDeviceId() != jsonObject[accesserDeviceId].get() || + profile.GetAccesser().GetAccesserAccountId() != jsonObject[accesseeAccountId].get() || + profile.GetAccessee().GetAccesseeAccountId() != jsonObject[accesserAccountId].get()) { + isDelete = true; + isSame = false; + } +} + +void DeviceProfileConnector::SyncPointToPointAcl(DistributedDeviceProfile::AccessControlProfile profile, + const nlohmann::json &jsonObject, bool &isSame, bool &isDelete, int32_t index) +{ + std::string accesserDeviceId = "accesserDeviceId" + std::to_string(index); + std::string 
accesserUserId = "accesserUserId" + std::to_string(index); + std::string accesserAccountId = "accesserAccountId" + std::to_string(index); + std::string accesserTokenId = "accesserTokenId" + std::to_string(index); + std::string accesseeDeviceId = "accesseeDeviceId" + std::to_string(index); + std::string accesseeUserId = "accesseeUserId" + std::to_string(index); + std::string accesseeAccountId = "accesseeAccountId" + std::to_string(index); + std::string accesseeTokenId = "accesseeTokenId" + std::to_string(index); + if (profile.GetAccesser().GetAccesserDeviceId() != jsonObject[accesserDeviceId].get() || + profile.GetAccesser().GetAccesserUserId() != jsonObject[accesserUserId].get() || + profile.GetAccesser().GetAccesserAccountId() != jsonObject[accesserAccountId].get() || + profile.GetAccesser().GetAccesserTokenId() != jsonObject[accesserTokenId].get() || + profile.GetAccessee().GetAccesseeDeviceId() != jsonObject[accesseeDeviceId].get() || + profile.GetAccessee().GetAccesseeUserId() != jsonObject[accesseeUserId].get() || + profile.GetAccessee().GetAccesseeAccountId() != jsonObject[accesseeAccountId].get() || + profile.GetAccessee().GetAccesseeTokenId() != jsonObject[accesseeTokenId].get()) { + isDelete = true; + isSame = false; + } +} + void DeviceProfileConnector::UpdateACL(std::string &localUdid, const std::vector &localUserIds, const std::string &remoteUdid, const std::vector &remoteFrontUserIds, const std::vector &remoteBackUserIds) diff --git a/services/implementation/include/authentication/auth_message_processor.h b/services/implementation/include/authentication/auth_message_processor.h index dc49ba75fbd2a7f2710cb3cff06edc01d25a7ca0..17ffb674d79a17db9843da5a246587a3b91726b8 100644 --- a/services/implementation/include/authentication/auth_message_processor.h +++ b/services/implementation/include/authentication/auth_message_processor.h 
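Review bot: `ParseAclFromJson` re-parses the peer-supplied `peerAcl` string for every local profile in the loop of `ParseRemoteAcl`, and `MAX_ACL_LENGTH` bounds only the declared entry count, not the size of that string, so the work is local entries × payload on input the peer controls. Parsing once in `ParseRemoteAcl` and passing the parsed object down removes that cost and puts the keep-on-malformed-input behaviour in one place, as sketched below; `ParseAclFromJson` would then take `const nlohmann::json &` instead of the string, in the header as well. The `size == 0` branch deletes every local entry for `remoteUdid` without reading `peerAcl` at all, which deserves a comment stating that it is intended. The declared type of the token ids is not visible in this diff; if it is wider than 32 bits, the `IsInt32` checks on `accesserTokenId`/`accesseeTokenId` would reject valid entries and, through `isSame = true`, quietly turn the cleanup off.

```cpp
void DeviceProfileConnector::ParseRemoteAcl(int32_t &size, std::string &peerAcl, const std::string &remoteUdid)
{
    // … unchanged: size range check, filtering local profiles into profilesFilter …
    // Parse the peer payload once, before any local entry is touched.
    nlohmann::json peerJson;
    if (size > 0) {
        peerJson = nlohmann::json::parse(peerAcl, nullptr, false);
        if (peerJson.is_discarded()) {
            LOGE("ParseRemoteAcl peerAcl is not valid json, local acl kept.");
            return;
        }
    }
    for (const auto &profile : profilesFilter) {
        // size == 0: the peer reports no entry for this device, so every local entry is stale.
        bool isSame = (size != 0);
        if (size != 0) {
            ParseAclFromJson(peerJson, size, profile, isSame);
        }
        if (!isSame) {
            DeviceProfileConnector::GetInstance().DeleteAccessControlById(profile.GetAccessControlId());
        }
    }
}
```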
@@ -60,6 +60,8 @@ extern const char* TAG_HAVE_CREDENTIAL; extern const char* TAG_PUBLICKEY; extern const char* TAG_SESSIONKEY; extern const char* TAG_BIND_LEVEL; +extern const char* TAG_ACL_SIZE; +extern const char* TAG_ALL_ACL; extern const char* TAG_LOCAL_USERID; extern const char* TAG_BIND_TYPE_SIZE; extern const char* TAG_ISONLINE; @@ -115,6 +117,7 @@ private: void CreateResponseFinishMessage(nlohmann::json &json); void ParseResponseFinishMessage(nlohmann::json &json); void GetAuthReqMessage(nlohmann::json &json); + void ParseRemoteAcl(nlohmann::json &jsonObject); void ParsePkgNegotiateMessage(const nlohmann::json &json); void CreatePublicKeyMessageExt(nlohmann::json &json); void ParsePublicKeyMessageExt(nlohmann::json &json); diff --git a/services/implementation/include/authentication/dm_auth_manager.h b/services/implementation/include/authentication/dm_auth_manager.h index aef138cdf572f25766dea6d5156757ae0d4bfae3..f9c2527e7960f74944127e0ac8ae2bf053faf115 100644 --- a/services/implementation/include/authentication/dm_auth_manager.h +++ b/services/implementation/include/authentication/dm_auth_manager.h @@ -200,6 +200,10 @@ typedef struct DmAuthResponseContext { bool isSrcPincodeImported = false; int32_t localSessionKeyId = 0; int32_t remoteSessionKeyId = 0; + int32_t localAclSize; + std::string localAllAcl; + int32_t peerAclSize = -1; + std::string peerAllAcl = ""; } DmAuthResponseContext; class AuthMessageProcessor; diff --git a/services/implementation/src/authentication/auth_message_processor.cpp b/services/implementation/src/authentication/auth_message_processor.cpp index e6a49044f3f91d1ab4605dcd92521107608de1b8..6cc473fa7bd83be514bc0849f59d7fb75d21d21e 100644 --- a/services/implementation/src/authentication/auth_message_processor.cpp +++ b/services/implementation/src/authentication/auth_message_processor.cpp 
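Review bot: `int32_t localAclSize;` is the only one of the four new `DmAuthResponseContext` members without a default initializer, and `CreateReqReCheckMessage` writes it straight into the outgoing message. The callers visible in this diff set it through `CreateLocalAclParcel` first, but on any other path its value depends on how the context object was created. `int32_t localAclSize = 0;` brings it in line with the fields around it. `std::string peerAllAcl = "";` can drop the initializer, since a default-constructed string is already empty.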
@@ -55,6 +55,8 @@ const char* TAG_HAVE_CREDENTIAL = "haveCredential"; const char* TAG_PUBLICKEY = "publicKey"; const char* TAG_SESSIONKEY = "sessionKey"; const char* TAG_BIND_LEVEL = "bindLevel"; +const char* TAG_ACL_SIZE = "aclSize"; +const char* TAG_ALL_ACL = "allAcl"; const char* TAG_LOCAL_USERID = "localUserId"; const char* TAG_BIND_TYPE_SIZE = "bindTypeSize"; const char* TAG_ISONLINE = "isOnline"; @@ -759,6 +761,9 @@ void AuthMessageProcessor::CreateReqReCheckMessage(nlohmann::json &jsonObj) jsonTemp[TAG_TOKENID] = authResponseContext_->tokenId; jsonTemp[TAG_BUNDLE_NAME] = authResponseContext_->bundleName; jsonTemp[TAG_BIND_LEVEL] = authResponseContext_->bindLevel; + jsonTemp[TAG_ACL_SIZE] = authResponseContext_->localAclSize; + LOGI("CreateReqReCheckMessage localAclSize = %{public}d", authResponseContext_->localAclSize); + jsonTemp[TAG_ALL_ACL] = authResponseContext_->localAllAcl; std::string strTemp = SafetyDump(jsonTemp); std::string encryptStr = ""; CHECK_NULL_VOID(cryptoMgr_); @@ -814,6 +819,18 @@ void AuthMessageProcessor::ParseReqReCheckMessage(nlohmann::json &json) if (IsInt32(jsonObject, TAG_BIND_LEVEL)) { authResponseContext_->localBindLevel = jsonObject[TAG_BIND_LEVEL].get(); } + ParseRemoteAcl(jsonObject); +} + +void AuthMessageProcessor::ParseRemoteAcl(nlohmann::json &jsonObject) +{ + if (IsInt32(jsonObject, TAG_ACL_SIZE)) { + authResponseContext_->peerAclSize = jsonObject[TAG_ACL_SIZE].get(); + LOGI("ParseRemoteAcl peerAclSize = %{public}d", authResponseContext_->peerAclSize); + } + if (IsString(jsonObject, TAG_ALL_ACL)) { + authResponseContext_->peerAllAcl = jsonObject[TAG_ALL_ACL].get(); + } } int32_t AuthMessageProcessor::SaveSessionKey(const uint8_t *sessionKey, const uint32_t keyLen) diff --git a/services/implementation/src/authentication/dm_auth_manager.cpp b/services/implementation/src/authentication/dm_auth_manager.cpp index 99e7125d1bb36f69d48c20274fa7c8951a57a098..ad64cb663502eed1bd5d0832a33ff93b13e37e37 100644 
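Review bot: `AuthMessageProcessor::ParseRemoteAcl` stores `aclSize` and `allAcl` independently, so a message carrying only `aclSize` leaves `peerAllAcl` at whatever it held before. An `aclSize` of 0 on its own is exactly the input for which `DeviceProfileConnector::ParseRemoteAcl` deletes every local entry for the peer. Since `CreateReqReCheckMessage` always writes both tags, I would accept them only as a pair, with `if (!IsInt32(jsonObject, TAG_ACL_SIZE) || !IsString(jsonObject, TAG_ALL_ACL)) { return; }` ahead of the two assignments. The two methods named `ParseRemoteAcl` do very different things (this one only copies fields into the context), so a comment saying so, or a name that reflects storing rather than parsing, would help readers.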
--- a/services/implementation/src/authentication/dm_auth_manager.cpp +++ b/services/implementation/src/authentication/dm_auth_manager.cpp @@ -3071,9 +3071,12 @@ void DmAuthManager::RequestReCheckMsg() authResponseContext_->tokenId = authRequestContext_->tokenId; authResponseContext_->bundleName = authRequestContext_->hostPkgName; authResponseContext_->bindLevel = authRequestContext_->bindLevel; + DeviceProfileConnector::GetInstance().CreateLocalAclParcel(authResponseContext_->localAclSize, + authResponseContext_->localAllAcl, remoteDeviceId_); authMessageProcessor_->SetResponseContext(authResponseContext_); std::string message = authMessageProcessor_->CreateSimpleMessage(MSG_TYPE_REQ_RECHECK_MSG); softbusConnector_->GetSoftbusSession()->SendData(authResponseContext_->sessionId, message); + authResponseContext_->localAllAcl = ""; } void DmAuthManager::ResponseReCheckMsg() @@ -3089,6 +3092,9 @@ void DmAuthManager::ResponseReCheckMsg() authResponseState_->TransitionTo(std::make_shared()); return; } + DeviceProfileConnector::GetInstance().ParseRemoteAcl(authResponseContext_->peerAclSize, + authResponseContext_->peerAllAcl, remoteDeviceId_); + authResponseContext_->peerAllAcl = ""; char localDeviceId[DEVICE_UUID_LENGTH] = {0}; GetDevUdid(localDeviceId, DEVICE_UUID_LENGTH); authResponseContext_->edition = DM_VERSION_5_0_4; 
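Review bot: In `ResponseReCheckMsg`, only `peerAllAcl` is cleared after the call to `ParseRemoteAcl`; `peerAclSize` keeps the value the peer sent. Whether the context is reused is not visible here, but if it is ever used for another re-check whose message has no `aclSize`, a leftover 0 would be read as "peer reports no entries" and every local entry for `remoteDeviceId_` would be deleted. Resetting it alongside the string with `authResponseContext_->peerAclSize = -1;` restores the default that makes `ParseRemoteAcl` return early. The same applies to the identical lines added in `RequestReCheckMsgDone`. `ResponseReCheckMsg` starts and ends outside this hunk.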
@@ -3100,10 +3106,13 @@ void DmAuthManager::ResponseReCheckMsg() authResponseContext_->peerBundleName, 0, authResponseContext_->tokenId) != DM_OK) { LOGE("get tokenId by bundleName failed %{public}s", GetAnonyString(authResponseContext_->bundleName).c_str()); } + DeviceProfileConnector::GetInstance().CreateLocalAclParcel(authResponseContext_->localAclSize, + authResponseContext_->localAllAcl, remoteDeviceId_); authResponseContext_->bundleName = authResponseContext_->peerBundleName; authMessageProcessor_->SetEncryptFlag(true); std::string message = authMessageProcessor_->CreateSimpleMessage(MSG_TYPE_RESP_RECHECK_MSG); softbusConnector_->GetSoftbusSession()->SendData(authResponseContext_->sessionId, message); + authResponseContext_->localAllAcl = ""; PutAccessControlList(); } @@ -3119,6 +3128,9 @@ void DmAuthManager::RequestReCheckMsgDone() authRequestState_->TransitionTo(std::make_shared()); return; } + DeviceProfileConnector::GetInstance().ParseRemoteAcl(authResponseContext_->peerAclSize, + authResponseContext_->peerAllAcl, remoteDeviceId_); + authResponseContext_->peerAllAcl = ""; authRequestState_->TransitionTo(std::make_shared()); PutAccessControlList(); }