diff --git a/services/implementation/include/authentication_v2/dm_auth_context.h b/services/implementation/include/authentication_v2/dm_auth_context.h
index d2c1263324c77242629d5d5e311aec2e8281d6d8..dbee2271d209e4d6c36a5ac7108cae61c871242d 100644
--- a/services/implementation/include/authentication_v2/dm_auth_context.h
+++ b/services/implementation/include/authentication_v2/dm_auth_context.h
@@ -222,6 +222,8 @@ struct DmAccess {
 std::string extraInfo; // Expandable field, JSON format, KV structure
 std::string cert;
 bool isCommonFlag{false};
+ bool isGeneratedLnnCredThisBind{false};
+ bool isGeneratedTransmitThisBind{false};
 };
 struct DmAuthContext {
diff --git a/services/implementation/include/authentication_v2/dm_auth_state.h b/services/implementation/include/authentication_v2/dm_auth_state.h
index 50df8617b39b450a72233a1ab83772f121739cca..cbe53329740a151dd89c977b2a97eabb408b4760 100644
--- a/services/implementation/include/authentication_v2/dm_auth_state.h
+++ b/services/implementation/include/authentication_v2/dm_auth_state.h
@@ -190,6 +190,12 @@ protected:
 void SetProcessInfo(std::shared_ptr context);
 bool IsMatchCredentialAndP2pACL(JsonObject &credInfo, std::string &credId, const DistributedDeviceProfile::AccessControlProfile &profile);
+ DmAuthScope GetAuthorizedScope(int32_t bindLevel);
+ void BindFail(std::shared_ptr context);
+ void DeleteAcl(std::shared_ptr context, bool isDelLnnAcl,
+ std::vector> &tokenIds);
+ void RemoveTokenIdsFromCredential(std::shared_ptr context, const std::string &credId,
+ std::vector> &tokenIds);
 };
 class AuthSrcConfirmState : public DmAuthState {
diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp
index bf0f85689b1baeabce5f4dd7cc1e13684cbde19c..47d2813af2c1f73a7d926e5a106ebb81bf1fc99a 100644
--- a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp
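Review bot: The two flags added to `DmAccess` carry no comment, although the failure cleanup in `BindFail` now decides whether to delete a credential on their value alone. I would document them where they are declared, for example `// true once the LNN credential was agreed during this bind; BindFail deletes it only then` above `isGeneratedLnnCredThisBind`, with the matching line for the transmit flag. The struct's other fields start outside the hunk.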
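Review bot: `DeleteAcl` and `RemoveTokenIdsFromCredential` take `tokenIds` by non-const reference, but the definitions added in dm_auth_state.cpp only read it (a `std::find` and a `const auto&` loop). Declaring the parameter as a const reference here and in the definitions would state that the caller's list is not modified. `GetAuthorizedScope` reads no member state in its definition, so it could also be declared `static`.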
+++ b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp
@@ -601,18 +601,13 @@ int32_t AuthSinkCredentialExchangeState::Action(std::shared_ptr c
 LOGE("AuthSinkCredentialExchangeState::Action failed, agree user cred failed.");
 return ret;
 }
+ context->accessee.isGeneratedLnnCredThisBind = true;
 // Delete temporary credentials sync
 ffrt::submit([=]() { context->hiChainAuthConnector->DeleteCredential(osAccountId, tmpCredId);});
 }
- DmAuthScope authorizedScope = DM_AUTH_SCOPE_INVALID;
- if (context->accessee.bindLevel == static_cast(APP) ||
- context->accessee.bindLevel == static_cast(SERVICE)) {
- authorizedScope = DM_AUTH_SCOPE_APP;
- } else if (context->accessee.bindLevel == static_cast(USER)) {
- authorizedScope = DM_AUTH_SCOPE_USER;
- }
+ DmAuthScope authorizedScope = GetAuthorizedScope(context->accessee.bindLevel);
 // Generate transport credentials and public key
 ret = GenerateCredIdAndPublicKey(authorizedScope, context);
 if (ret != DM_OK) {
@@ -628,7 +623,7 @@ int32_t AuthSinkCredentialExchangeState::Action(std::shared_ptr c
 context->SetCredentialId(DM_AUTH_LOCAL_SIDE, authorizedScope, "");
 return ret;
 }
-
+ context->accessee.isGeneratedTransmitThisBind = true;
 // Delete temporary transport credentials sync
 ffrt::submit([=]() { context->hiChainAuthConnector->DeleteCredential(osAccountId, tmpCredId);});
@@ -660,6 +655,7 @@ int32_t AuthSrcCredentialAuthStartState::AgreeAndDeleteCredential(std::shared_pt
 context->SetCredentialId(DM_AUTH_LOCAL_SIDE, DM_AUTH_SCOPE_LNN, "");
 return ret;
 }
+ context->accesser.isGeneratedLnnCredThisBind = true;
 // Delete temporary lnn credentials sync
 ffrt::submit([=]() { context->hiChainAuthConnector->DeleteCredential(osAccountId, tmpCredId);});
 }
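Review bot: `isGeneratedLnnCredThisBind` is set only after the agree step has succeeded, so the early `return ret;` just above it leaves the flag false, and `BindFail` then skips the LNN credential and session key that the old finish code deleted whenever no credential was reused. The same ordering applies to the flags set in the -628, -660 and -680 hunks. The failure branches start outside these hunks, so I cannot see whether anything created before the agree call (for instance the temporary credential, which is deleted only on the success path) is removed there; if it is not, a failed bind would leave it in the credential store. Please confirm that the failure branches clean up after themselves, or set the flag as soon as the credential exists. `Action` and `AgreeAndDeleteCredential` both continue outside the hunks.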
@@ -680,6 +676,7 @@ int32_t AuthSrcCredentialAuthStartState::AgreeAndDeleteCredential(std::shared_pt
 LOGE("AuthSrcCredentialAuthStartState::Action failed, agree app cred failed.");
 return ret;
 }
+ context->accesser.isGeneratedTransmitThisBind = true;
 // Delete temporary transport credentials sync
 ffrt::submit([=]() { context->hiChainAuthConnector->DeleteCredential(osAccountId, tmpCredId);});
 return DM_OK;
diff --git a/services/implementation/src/authentication_v2/dm_auth_state.cpp b/services/implementation/src/authentication_v2/dm_auth_state.cpp
index 5364cf8ee2fb278077c4cb13cfea3febe77c04d2..c51087201146cd1aaff624fb66d3d11b293b5dcc 100644
--- a/services/implementation/src/authentication_v2/dm_auth_state.cpp
+++ b/services/implementation/src/authentication_v2/dm_auth_state.cpp
@@ -110,6 +110,17 @@ bool DmAuthState::IsScreenLocked()
 return isLocked;
 }
+DmAuthScope DmAuthState::GetAuthorizedScope(int32_t bindLevel)
+{
+ DmAuthScope authorizedScope = DM_AUTH_SCOPE_INVALID;
+ if (bindLevel == static_cast(APP) || bindLevel == static_cast(SERVICE)) {
+ authorizedScope = DM_AUTH_SCOPE_APP;
+ } else if (bindLevel == static_cast(USER)) {
+ authorizedScope = DM_AUTH_SCOPE_USER;
+ }
+ return authorizedScope;
+}
+
 void DmAuthState::SourceFinish(std::shared_ptr context)
 {
 LOGI("SourceFinish reason:%{public}d, state:%{public}d", context->reason, context->state);
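Review bot: `GetAuthorizedScope` returns `DM_AUTH_SCOPE_INVALID` silently for any `bindLevel` other than APP, SERVICE or USER, and the caller in `AuthSinkCredentialExchangeState::Action` passes the result straight to `GenerateCredIdAndPublicKey`. Since the bind level decides the scope of the credential that gets created, I would log the unexpected value here, e.g. `LOGE("GetAuthorizedScope: unexpected bindLevel %{public}d", bindLevel);`. The caller should also fail the bind on `DM_AUTH_SCOPE_INVALID`, unless `GenerateCredIdAndPublicKey` already rejects it, which is not visible in this diff.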
@@ -120,18 +131,8 @@ void DmAuthState::SourceFinish(std::shared_ptr context)
 GetOutputState(context->state), GenerateBindResultContent(context));
 context->successFinished = true;
- if (context->reason != DM_OK && context->reason != DM_ALREADY_AUTHED && context->reUseCreId.empty() &&
- context->reason != DM_BIND_TRUST_TARGET) {
- // 根据凭据id 删除sink端多余的凭据
- context->hiChainAuthConnector->DeleteCredential(context->accesser.userId,
- context->accesser.lnnCredentialId);
- context->hiChainAuthConnector->DeleteCredential(context->accesser.userId,
- context->accesser.transmitCredentialId);
- // 根据skid删除sk,删除skid
- DeviceProfileConnector::GetInstance().DeleteSessionKey(context->accesser.userId,
- context->accesser.lnnSessionKeyId);
- DeviceProfileConnector::GetInstance().DeleteSessionKey(context->accesser.userId,
- context->accesser.transmitSessionKeyId);
+ if (context->reason != DM_OK && context->reason != DM_ALREADY_AUTHED && context->reason != DM_BIND_TRUST_TARGET) {
+ BindFail(context);
 }
 LOGI("SourceFinish notify online");
 char deviceIdHash[DM_MAX_DEVICE_ID_LEN] = {0};
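Review bot: With `context->reUseCreId.empty()` dropped from this condition, a failed bind that reused an existing credential now reaches `BindFail`, which can rewrite or delete that credential through `RemoveTokenIdsFromCredential`; that behaviour change deserves a comment at the call site. The reason filter is also split: `DM_BIND_TRUST_TARGET` is tested here and again inside `BindFail`, while `SinkFinish` in the -155 hunk tests only `reason != DM_OK`, so a sink that finished with `DM_ALREADY_AUTHED` (if that can occur on the sink side) would be cleaned up as a failure. I would move the whole filter into `BindFail` so both callers agree. `SourceFinish` continues outside the hunk.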
@@ -155,17 +156,8 @@ void DmAuthState::SinkFinish(std::shared_ptr context)
 GetOutputReplay(context->accessee.bundleName, context->reason), GetOutputState(context->state), GenerateBindResultContent(context));
 context->successFinished = true;
- if (context->reason != DM_OK && context->reUseCreId.empty()) {
- // 根据凭据id 删除sink端多余的凭据
- context->hiChainAuthConnector->DeleteCredential(context->accessee.userId,
- context->accessee.lnnCredentialId);
- context->hiChainAuthConnector->DeleteCredential(context->accessee.userId,
- context->accessee.transmitCredentialId);
- // 根据skid删除sk,删除skid
- DeviceProfileConnector::GetInstance().DeleteSessionKey(context->accessee.userId,
- context->accessee.lnnSessionKeyId);
- DeviceProfileConnector::GetInstance().DeleteSessionKey(context->accessee.userId,
- context->accessee.transmitSessionKeyId);
+ if (context->reason != DM_OK) {
+ BindFail(context);
 } else {
 SetAclInfo(context);
 if (NeedAgreeAcl(context)) {
@@ -870,5 +862,114 @@ bool DmAuthState::IsMatchCredentialAndP2pACL(JsonObject &credInfo, std::string &
 }
 return false;
 }
+
+void DmAuthState::BindFail(std::shared_ptr context)
+{
+ CHECK_NULL_VOID(context);
+ CHECK_NULL_VOID(context->hiChainAuthConnector);
+ if (context->reason == DM_BIND_TRUST_TARGET) {
+ return;
+ }
+ bool isDelLnnAcl = false;
+ DmAccess &access = (context->direction == DM_AUTH_SOURCE) ? context->accesser : context->accessee;
+ if (access.isGeneratedLnnCredThisBind) {
+ if (!access.lnnCredentialId.empty()) {
+ context->hiChainAuthConnector->DeleteCredential(access.userId, access.lnnCredentialId);
+ }
+ if (access.lnnSessionKeyId != 0) {
+ DeviceProfileConnector::GetInstance().DeleteSessionKey(access.userId, access.lnnSessionKeyId);
+ }
+ isDelLnnAcl = true;
+ }
+ std::vector> tokenIds;
+ if (!access.isAuthed && access.transmitSessionKeyId != 0) {
+ DeviceProfileConnector::GetInstance().DeleteSessionKey(access.userId, access.transmitSessionKeyId);
+ tokenIds.push_back(std::make_pair(context->accesser.tokenId, context->accessee.tokenId));
+ }
+ if (context->IsProxyBind && !context->subjectProxyOnes.empty()) {
+ for (auto &app : context->subjectProxyOnes) {
+ DmProxyAccess &proxyAccess = context->direction == DM_AUTH_SOURCE ? 
app.proxyAccesser : app.proxyAccessee;
+ if (proxyAccess.isAuthed || proxyAccess.transmitSessionKeyId == 0) {
+ continue;
+ }
+ DeviceProfileConnector::GetInstance().DeleteSessionKey(access.userId, proxyAccess.transmitSessionKeyId);
+ tokenIds.push_back(std::make_pair(app.proxyAccesser.tokenId, app.proxyAccessee.tokenId));
+ }
+ }
+ if (access.isGeneratedTransmitThisBind && !access.transmitCredentialId.empty()) {
+ context->hiChainAuthConnector->DeleteCredential(access.userId, access.transmitCredentialId);
+ } else if (!context->reUseCreId.empty()) {
+ RemoveTokenIdsFromCredential(context, context->reUseCreId, tokenIds);
+ } else {
+ LOGE("no credential");
+ }
+ DeleteAcl(context, isDelLnnAcl, tokenIds);
+}
+
+void DmAuthState::DeleteAcl(std::shared_ptr context, bool isDelLnnAcl,
+ std::vector> &tokenIds)
+{
+ CHECK_NULL_VOID(context);
+ DmAccess &access = (context->direction == DM_AUTH_SOURCE) ? context->accesser : context->accessee;
+ DmAccess &remoteAccess = (context->direction == DM_AUTH_SOURCE) ? 
context->accessee : context->accesser;
+ if (remoteAccess.deviceId.empty()) {
+ return;
+ }
+ if (!isDelLnnAcl && tokenIds.empty()) {
+ return;
+ }
+ std::vector acls =
+ DeviceProfileConnector::GetInstance().GetAclList(access.deviceId, access.userId,
+ remoteAccess.deviceId, remoteAccess.userId);
+ for (DistributedDeviceProfile::AccessControlProfile acl : acls) {
+ if (isDelLnnAcl && DeviceProfileConnector::GetInstance().IsLnnAcl(acl)) {
+ DeviceProfileConnector::GetInstance().DeleteAccessControlById(acl.GetAccessControlId());
+ continue;
+ }
+ auto it = std::find(tokenIds.begin(), tokenIds.end(),
+ std::make_pair(acl.GetAccesser().GetAccesserTokenId(), acl.GetAccessee().GetAccesseeTokenId()));
+ if (it != tokenIds.end()) {
+ DeviceProfileConnector::GetInstance().DeleteAccessControlById(acl.GetAccessControlId());
+ continue;
+ }
+ }
+}
+
+void DmAuthState::RemoveTokenIdsFromCredential(std::shared_ptr context, const std::string &credId,
+ std::vector> &tokenIds)
+{
+ CHECK_NULL_VOID(context);
+ CHECK_NULL_VOID(context->hiChainAuthConnector);
+ DmAccess &access = (context->direction == DM_AUTH_SOURCE) ? 
context->accesser : context->accessee;
+ JsonObject credJson;
+ context->hiChainAuthConnector->QueryCredInfoByCredId(access.userId, credId, credJson);
+ if (!credJson.Contains(credId)) {
+ LOGE("query cred failed");
+ return;
+ }
+ if (!credJson[credId].Contains(FILED_AUTHORIZED_APP_LIST)) {
+ LOGE("applist is empty");
+ context->hiChainAuthConnector->DeleteCredential(access.userId, credId);
+ return;
+ }
+ std::vector appList;
+ credJson[credId][FILED_AUTHORIZED_APP_LIST].Get(appList);
+ for (const auto& it : tokenIds) {
+ auto erIt = std::find(appList.begin(), appList.end(), std::to_string(it.first));
+ if (erIt != appList.end()) {
+ appList.erase(erIt);
+ }
+ auto eeIt = std::find(appList.begin(), appList.end(), std::to_string(it.second));
+ if (eeIt != appList.end()) {
+ appList.erase(eeIt);
+ }
+ }
+ if (appList.size() == 0) {
+ LOGE("applist is empty, delete credential");
+ context->hiChainAuthConnector->DeleteCredential(access.userId, credId);
+ return;
+ }
+ context->hiChainAuthConnector->UpdateCredential(credId, access.userId, appList);
+}
 } // namespace DistributedHardware
 } // namespace OHOS
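Review bot: In `RemoveTokenIdsFromCredential` the credential is deleted when the queried JSON has no `FILED_AUTHORIZED_APP_LIST` field, yet `credId` here is `context->reUseCreId`, a credential that existed before this bind. A missing field is not the same as a list this function has emptied, so a failed bind (which the peer may be able to cause) could remove a credential that other bindings still rely on; I would only log and return in that branch, i.e. drop the `DeleteCredential` call under `LOGE("applist is empty");`. The result of `QueryCredInfoByCredId` is also ignored, and the loop erases both `it.first` and `it.second` from the list, so a remote token id that happens to equal a local app's entry would be removed too; please confirm that is intended. In `DeleteAcl`, `for (const auto &acl : acls)` would avoid copying each profile.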