From d96a61db115e8624ea5f690b474cf7cbf081d921 Mon Sep 17 00:00:00 2001 From: liuzhongming Date: Thu, 31 Jul 2025 16:03:17 +0800 Subject: [PATCH] =?UTF-8?q?=E8=80=81=E5=8C=96acl=E5=92=8C=E5=87=AD?= =?UTF-8?q?=E6=8D=AE=E4=B8=8D=E4=B8=80=E8=87=B4=E6=95=B0=E6=8D=AE=20Signed?= =?UTF-8?q?-off-by:=20liuzhongming=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../include/authentication_v2/dm_auth_state.h | 2 ++ .../auth_stages/auth_confirm.cpp | 6 ++++++ .../auth_stages/auth_negotiate.cpp | 6 ++++++ .../src/authentication_v2/dm_auth_state.cpp | 18 ++++++++++++++++++ 4 files changed, 32 insertions(+) diff --git a/services/implementation/include/authentication_v2/dm_auth_state.h b/services/implementation/include/authentication_v2/dm_auth_state.h index b8bf3536d..50df8617b 100644 --- a/services/implementation/include/authentication_v2/dm_auth_state.h +++ b/services/implementation/include/authentication_v2/dm_auth_state.h @@ -188,6 +188,8 @@ protected: uint32_t GetCredentialType(std::shared_ptr context, const JsonItemObject &credInfo); bool HaveSameTokenId(std::shared_ptr context, const std::vector &tokenIdHashList); void SetProcessInfo(std::shared_ptr context); + bool IsMatchCredentialAndP2pACL(JsonObject &credInfo, std::string &credId, + const DistributedDeviceProfile::AccessControlProfile &profile); }; class AuthSrcConfirmState : public DmAuthState { diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp index 1e1c7b3c6..411188a11 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp @@ -457,6 +457,12 @@ void AuthSrcConfirmState::CheckCredIdInAclForP2P(std::shared_ptr const DistributedDeviceProfile::AccessControlProfile &profile, JsonObject &credInfo, uint32_t bindType, bool &checkResult) { + if (!DmAuthState::IsMatchCredentialAndP2pACL(credInfo, credId, profile)) { + LOGE("acl bindlevel and credential authorizedScope not match"); + DeleteAcl(context, profile); + credInfo.Erase(credId); + return; + } if (credInfo[credId][FILED_CRED_TYPE].Get() == bindType) { std::vector appList; credInfo[credId][FILED_AUTHORIZED_APP_LIST].Get(appList); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index ceca621c8..490247779 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -564,6 +564,12 @@ void AuthSinkNegotiateStateMachine::CheckCredIdInAclForP2P(std::shared_ptr() == bindType) { std::vector appList; credInfo[credId][FILED_AUTHORIZED_APP_LIST].Get(appList); diff --git a/services/implementation/src/authentication_v2/dm_auth_state.cpp b/services/implementation/src/authentication_v2/dm_auth_state.cpp index df52e3b14..5364cf8ee 100644 --- a/services/implementation/src/authentication_v2/dm_auth_state.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_state.cpp @@ -852,5 +852,23 @@ void DmAuthState::GetPeerDeviceId(std::shared_ptr context, std::s } LOGE("failed"); } + +bool DmAuthState::IsMatchCredentialAndP2pACL(JsonObject &credInfo, std::string &credId, + const DistributedDeviceProfile::AccessControlProfile &profile) +{ + if (!credInfo.Contains(credId) || !credInfo[credId].Contains(FILED_AUTHORIZED_SCOPE) || + !credInfo[credId][FILED_AUTHORIZED_SCOPE].IsNumberInteger()) { + return false; + } + int32_t authorizedScope = credInfo[credId][FILED_AUTHORIZED_SCOPE].Get(); + if (authorizedScope == static_cast(DM_AUTH_SCOPE_USER) && profile.GetBindLevel() == USER) { + return true; + } + if (authorizedScope == static_cast(DM_AUTH_SCOPE_APP) && + (profile.GetBindLevel() == SERVICE || profile.GetBindLevel() == APP)) { + return true; + } + return false; +} } // namespace DistributedHardware } // namespace OHOS -- Gitee