From 0f5871f2896e2918717c5502f5e92fec74f8736a Mon Sep 17 00:00:00 2001
From: liuzhongming
Date: Tue, 5 Aug 2025 09:26:20 +0800
Subject: [PATCH] =?UTF-8?q?=E7=BB=91=E5=AE=9A=E5=A4=B1=E8=B4=A5=E8=80=81?= =?UTF-8?q?=E5=8C=96=E6=97=A0=E6=95=88=E6=95=B0=E6=8D=AE=20Signed-off-by:?= =?UTF-8?q?=20liuzhongming=20?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../authentication_v2/dm_auth_context.h | 2 +
 .../include/authentication_v2/dm_auth_state.h | 6 +
 .../auth_stages/auth_credential.cpp | 13 +-
 .../src/authentication_v2/dm_auth_state.cpp | 147 +++++++++++++++---
 4 files changed, 137 insertions(+), 31 deletions(-)
diff --git a/services/implementation/include/authentication_v2/dm_auth_context.h b/services/implementation/include/authentication_v2/dm_auth_context.h
index d2c126332..dbee2271d 100644
--- a/services/implementation/include/authentication_v2/dm_auth_context.h
+++ b/services/implementation/include/authentication_v2/dm_auth_context.h
@@ -222,6 +222,8 @@ struct DmAccess {
 std::string extraInfo; // Expandable field, JSON format, KV structure
 std::string cert;
 bool isCommonFlag{false};
+ bool isGeneratedLnnCredThisBind{false};
+ bool isGeneratedTransmitThisBind{false};
 };
 struct DmAuthContext {
diff --git a/services/implementation/include/authentication_v2/dm_auth_state.h b/services/implementation/include/authentication_v2/dm_auth_state.h
index 50df8617b..cbe533297 100644
--- a/services/implementation/include/authentication_v2/dm_auth_state.h
+++ b/services/implementation/include/authentication_v2/dm_auth_state.h
@@ -190,6 +190,12 @@ protected:
 void SetProcessInfo(std::shared_ptr context);
 bool IsMatchCredentialAndP2pACL(JsonObject &credInfo, std::string &credId, const DistributedDeviceProfile::AccessControlProfile &profile);
+ DmAuthScope GetAuthorizedScope(int32_t bindLevel);
+ void BindFail(std::shared_ptr context);
+ void DeleteAcl(std::shared_ptr context, bool isDelLnnAcl,
+ std::vector> &tokenIds);
+ void RemoveTokenIdsFromCredential(std::shared_ptr context, const std::string &credId,
+ std::vector> &tokenIds);
 };
 class AuthSrcConfirmState : public DmAuthState {
diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp
index bf0f85689..47d2813af 100644
--- a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp
+++ b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp
@@ -601,18 +601,13 @@ int32_t AuthSinkCredentialExchangeState::Action(std::shared_ptr c
 LOGE("AuthSinkCredentialExchangeState::Action failed, agree user cred failed.");
 return ret;
 }
+ context->accessee.isGeneratedLnnCredThisBind = true;
 // Delete temporary credentials sync
 ffrt::submit([=]() { context->hiChainAuthConnector->DeleteCredential(osAccountId, tmpCredId);});
 }
- DmAuthScope authorizedScope = DM_AUTH_SCOPE_INVALID;
- if (context->accessee.bindLevel == static_cast(APP) ||
- context->accessee.bindLevel == static_cast(SERVICE)) {
- authorizedScope = DM_AUTH_SCOPE_APP;
- } else if (context->accessee.bindLevel == static_cast(USER)) {
- authorizedScope = DM_AUTH_SCOPE_USER;
- }
+ DmAuthScope authorizedScope = GetAuthorizedScope(context->accessee.bindLevel);
 // Generate transport credentials and public key
 ret = GenerateCredIdAndPublicKey(authorizedScope, context);
 if (ret != DM_OK) {
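Review bot: `DeleteAcl` and `RemoveTokenIdsFromCredential` in the dm_auth_state.h hunk take `tokenIds` by non-const reference, yet the definitions later in this patch only search and iterate it, so the header does not tell a reader the list is input-only; taking it by const reference would state that. The four new members are also undocumented. A short comment on `BindFail`, saying that it removes only the credentials, session keys and ACLs produced by the current bind attempt (as tracked by the two `isGenerated...ThisBind` flags), would record the invariant the cleanup relies on.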
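Review bot: `isGeneratedLnnCredThisBind` is set only after the agree step has succeeded, so on the `agree user cred failed` return just above it the flag stays false and `BindFail` will not treat a credential produced earlier in this bind as its own to delete. The other three flag assignments in this file follow the same ordering, and two of the visible failure returns also clear the stored id with `SetCredentialId(..., "")`, leaving `BindFail` with neither flag nor id. Unless those failure paths delete the generated credential themselves (not visible in these hunks), key material from a failed bind stays behind, which is what this commit sets out to prevent. Consider setting the flag as soon as the credential exists, or deleting it on the failure return. The body of `Action` continues outside the hunk.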
@@ -628,7 +623,7 @@ int32_t AuthSinkCredentialExchangeState::Action(std::shared_ptr c
 context->SetCredentialId(DM_AUTH_LOCAL_SIDE, authorizedScope, "");
 return ret;
 }
-
+ context->accessee.isGeneratedTransmitThisBind = true;
 // Delete temporary transport credentials sync
 ffrt::submit([=]() { context->hiChainAuthConnector->DeleteCredential(osAccountId, tmpCredId);});
@@ -660,6 +655,7 @@ int32_t AuthSrcCredentialAuthStartState::AgreeAndDeleteCredential(std::shared_pt
 context->SetCredentialId(DM_AUTH_LOCAL_SIDE, DM_AUTH_SCOPE_LNN, "");
 return ret;
 }
+ context->accesser.isGeneratedLnnCredThisBind = true;
 // Delete temporary lnn credentials sync
 ffrt::submit([=]() { context->hiChainAuthConnector->DeleteCredential(osAccountId, tmpCredId);});
 }
@@ -680,6 +676,7 @@ int32_t AuthSrcCredentialAuthStartState::AgreeAndDeleteCredential(std::shared_pt
 LOGE("AuthSrcCredentialAuthStartState::Action failed, agree app cred failed.");
 return ret;
 }
+ context->accesser.isGeneratedTransmitThisBind = true;
 // Delete temporary transport credentials sync
 ffrt::submit([=]() { context->hiChainAuthConnector->DeleteCredential(osAccountId, tmpCredId);});
 return DM_OK;
diff --git a/services/implementation/src/authentication_v2/dm_auth_state.cpp b/services/implementation/src/authentication_v2/dm_auth_state.cpp
index 5364cf8ee..c51087201 100644
--- a/services/implementation/src/authentication_v2/dm_auth_state.cpp
+++ b/services/implementation/src/authentication_v2/dm_auth_state.cpp
@@ -110,6 +110,17 @@ bool DmAuthState::IsScreenLocked()
 return isLocked;
 }
+DmAuthScope DmAuthState::GetAuthorizedScope(int32_t bindLevel)
+{
+ DmAuthScope authorizedScope = DM_AUTH_SCOPE_INVALID;
+ if (bindLevel == static_cast(APP) || bindLevel == static_cast(SERVICE)) {
+ authorizedScope = DM_AUTH_SCOPE_APP;
+ } else if (bindLevel == static_cast(USER)) {
+ authorizedScope = DM_AUTH_SCOPE_USER;
+ }
+ return authorizedScope;
+}
+
 void DmAuthState::SourceFinish(std::shared_ptr context)
 {
 LOGI("SourceFinish reason:%{public}d, state:%{public}d", context->reason, context->state);
@@ -120,18 +131,8 @@ void DmAuthState::SourceFinish(std::shared_ptr context)
 GetOutputState(context->state), GenerateBindResultContent(context));
 context->successFinished = true;
- if (context->reason != DM_OK && context->reason != DM_ALREADY_AUTHED && context->reUseCreId.empty() &&
- context->reason != DM_BIND_TRUST_TARGET) {
- // 根据凭据id 删除sink端多余的凭据
- context->hiChainAuthConnector->DeleteCredential(context->accesser.userId,
- context->accesser.lnnCredentialId);
- context->hiChainAuthConnector->DeleteCredential(context->accesser.userId,
- context->accesser.transmitCredentialId);
- // 根据skid删除sk,删除skid
- DeviceProfileConnector::GetInstance().DeleteSessionKey(context->accesser.userId,
- context->accesser.lnnSessionKeyId);
- DeviceProfileConnector::GetInstance().DeleteSessionKey(context->accesser.userId,
- context->accesser.transmitSessionKeyId);
+ if (context->reason != DM_OK && context->reason != DM_ALREADY_AUTHED && context->reason != DM_BIND_TRUST_TARGET) {
+ BindFail(context);
 }
 LOGI("SourceFinish notify online");
 char deviceIdHash[DM_MAX_DEVICE_ID_LEN] = {0};
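Review bot: `GetAuthorizedScope` returns `DM_AUTH_SCOPE_INVALID` for any `bindLevel` other than APP, SERVICE or USER, and the caller changed in auth_credential.cpp passes the result straight to `GenerateCredIdAndPublicKey` with no check visible in that hunk. If `bindLevel` can carry a value negotiated with the peer, an out-of-range value should be rejected explicitly there, for example `if (authorizedScope == DM_AUTH_SCOPE_INVALID) { LOGE("invalid bindLevel"); return <error code>; }` at the call site. At minimum add a comment on the helper: `// Returns DM_AUTH_SCOPE_INVALID for an unrecognised bindLevel; callers must check.` The helper reads no member state, so it could also be declared `static`.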
@@ -155,17 +156,8 @@ void DmAuthState::SinkFinish(std::shared_ptr context)
 GetOutputReplay(context->accessee.bundleName, context->reason), GetOutputState(context->state), GenerateBindResultContent(context));
 context->successFinished = true;
- if (context->reason != DM_OK && context->reUseCreId.empty()) {
- // 根据凭据id 删除sink端多余的凭据
- context->hiChainAuthConnector->DeleteCredential(context->accessee.userId,
- context->accessee.lnnCredentialId);
- context->hiChainAuthConnector->DeleteCredential(context->accessee.userId,
- context->accessee.transmitCredentialId);
- // 根据skid删除sk,删除skid
- DeviceProfileConnector::GetInstance().DeleteSessionKey(context->accessee.userId,
- context->accessee.lnnSessionKeyId);
- DeviceProfileConnector::GetInstance().DeleteSessionKey(context->accessee.userId,
- context->accessee.transmitSessionKeyId);
+ if (context->reason != DM_OK) {
+ BindFail(context);
 } else {
 SetAclInfo(context);
 if (NeedAgreeAcl(context)) {
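Review bot: `SinkFinish` now calls `BindFail` for every `reason != DM_OK`, whereas `SourceFinish` also excludes `DM_ALREADY_AUTHED` and `DM_BIND_TRUST_TARGET`, and `BindFail` itself filters only `DM_BIND_TRUST_TARGET`. With the old `context->reUseCreId.empty()` condition gone, a sink-side failure on a reused credential now reaches `RemoveTokenIdsFromCredential`, which can delete that credential. Whether the sink can finish with `DM_ALREADY_AUTHED` is not visible here; if it can, put the exclusion inside `BindFail` so both callers agree: `if (context->reason == DM_BIND_TRUST_TARGET || context->reason == DM_ALREADY_AUTHED) { return; }`. The body of `SinkFinish` continues outside the hunk.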
@@ -870,5 +862,114 @@ bool DmAuthState::IsMatchCredentialAndP2pACL(JsonObject &credInfo, std::string &
 }
 return false;
 }
+
+void DmAuthState::BindFail(std::shared_ptr context)
+{
+ CHECK_NULL_VOID(context);
+ CHECK_NULL_VOID(context->hiChainAuthConnector);
+ if (context->reason == DM_BIND_TRUST_TARGET) {
+ return;
+ }
+ bool isDelLnnAcl = false;
+ DmAccess &access = (context->direction == DM_AUTH_SOURCE) ? context->accesser : context->accessee;
+ if (access.isGeneratedLnnCredThisBind) {
+ if (!access.lnnCredentialId.empty()) {
+ context->hiChainAuthConnector->DeleteCredential(access.userId, access.lnnCredentialId);
+ }
+ if (access.lnnSessionKeyId != 0) {
+ DeviceProfileConnector::GetInstance().DeleteSessionKey(access.userId, access.lnnSessionKeyId);
+ }
+ isDelLnnAcl = true;
+ }
+ std::vector> tokenIds;
+ if (!access.isAuthed && access.transmitSessionKeyId != 0) {
+ DeviceProfileConnector::GetInstance().DeleteSessionKey(access.userId, access.transmitSessionKeyId);
+ tokenIds.push_back(std::make_pair(context->accesser.tokenId, context->accessee.tokenId));
+ }
+ if (context->IsProxyBind && !context->subjectProxyOnes.empty()) {
+ for (auto &app : context->subjectProxyOnes) {
+ DmProxyAccess &proxyAccess = context->direction == DM_AUTH_SOURCE ? app.proxyAccesser : app.proxyAccessee;
+ if (proxyAccess.isAuthed || proxyAccess.transmitSessionKeyId == 0) {
+ continue;
+ }
+ DeviceProfileConnector::GetInstance().DeleteSessionKey(access.userId, proxyAccess.transmitSessionKeyId);
+ tokenIds.push_back(std::make_pair(app.proxyAccesser.tokenId, app.proxyAccessee.tokenId));
+ }
+ }
+ if (access.isGeneratedTransmitThisBind && !access.transmitCredentialId.empty()) {
+ context->hiChainAuthConnector->DeleteCredential(access.userId, access.transmitCredentialId);
+ } else if (!context->reUseCreId.empty()) {
+ RemoveTokenIdsFromCredential(context, context->reUseCreId, tokenIds);
+ } else {
+ LOGE("no credential");
+ }
+ DeleteAcl(context, isDelLnnAcl, tokenIds);
+}
+
+void DmAuthState::DeleteAcl(std::shared_ptr context, bool isDelLnnAcl,
+ std::vector> &tokenIds)
+{
+ CHECK_NULL_VOID(context);
+ DmAccess &access = (context->direction == DM_AUTH_SOURCE) ? context->accesser : context->accessee;
+ DmAccess &remoteAccess = (context->direction == DM_AUTH_SOURCE) ? context->accessee : context->accesser;
+ if (remoteAccess.deviceId.empty()) {
+ return;
+ }
+ if (!isDelLnnAcl && tokenIds.empty()) {
+ return;
+ }
+ std::vector acls =
+ DeviceProfileConnector::GetInstance().GetAclList(access.deviceId, access.userId,
+ remoteAccess.deviceId, remoteAccess.userId);
+ for (DistributedDeviceProfile::AccessControlProfile acl : acls) {
+ if (isDelLnnAcl && DeviceProfileConnector::GetInstance().IsLnnAcl(acl)) {
+ DeviceProfileConnector::GetInstance().DeleteAccessControlById(acl.GetAccessControlId());
+ continue;
+ }
+ auto it = std::find(tokenIds.begin(), tokenIds.end(),
+ std::make_pair(acl.GetAccesser().GetAccesserTokenId(), acl.GetAccessee().GetAccesseeTokenId()));
+ if (it != tokenIds.end()) {
+ DeviceProfileConnector::GetInstance().DeleteAccessControlById(acl.GetAccessControlId());
+ continue;
+ }
+ }
+}
+
+void DmAuthState::RemoveTokenIdsFromCredential(std::shared_ptr context, const std::string &credId,
+ std::vector> &tokenIds)
+{
+ CHECK_NULL_VOID(context);
+ CHECK_NULL_VOID(context->hiChainAuthConnector);
+ DmAccess &access = (context->direction == DM_AUTH_SOURCE) ? context->accesser : context->accessee;
+ JsonObject credJson;
+ context->hiChainAuthConnector->QueryCredInfoByCredId(access.userId, credId, credJson);
+ if (!credJson.Contains(credId)) {
+ LOGE("query cred failed");
+ return;
+ }
+ if (!credJson[credId].Contains(FILED_AUTHORIZED_APP_LIST)) {
+ LOGE("applist is empty");
+ context->hiChainAuthConnector->DeleteCredential(access.userId, credId);
+ return;
+ }
+ std::vector appList;
+ credJson[credId][FILED_AUTHORIZED_APP_LIST].Get(appList);
+ for (const auto& it : tokenIds) {
+ auto erIt = std::find(appList.begin(), appList.end(), std::to_string(it.first));
+ if (erIt != appList.end()) {
+ appList.erase(erIt);
+ }
+ auto eeIt = std::find(appList.begin(), appList.end(), std::to_string(it.second));
+ if (eeIt != appList.end()) {
+ appList.erase(eeIt);
+ }
+ }
+ if (appList.size() == 0) {
+ LOGE("applist is empty, delete credential");
+ context->hiChainAuthConnector->DeleteCredential(access.userId, credId);
+ return;
+ }
+ context->hiChainAuthConnector->UpdateCredential(credId, access.userId, appList);
+}
 } // namespace DistributedHardware
 } // namespace OHOS
-- Gitee
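Review bot: `RemoveTokenIdsFromCredential` can delete a credential this bind did not create: `BindFail` calls it with `context->reUseCreId`, and it calls `DeleteCredential` whenever `FILED_AUTHORIZED_APP_LIST` is absent or the list ends up empty, including when `tokenIds` is empty or `Get(appList)` left the vector unfilled. A failed bind attempt can therefore remove a pre-existing credential that other bindings may still depend on; start the function with `if (tokenIds.empty()) { return; }` and treat a missing or unreadable app list as an error to log rather than a reason to delete. The loop also erases each token id of a pair on its own, so a local token id that the same credential authorises for another, established binding would be dropped too (whether such sharing occurs depends on how the list is populated, which this patch does not show). The results of `QueryCredInfoByCredId` and `UpdateCredential` are ignored; log a failed update, since the credential would then keep authorising token ids whose session keys and ACLs were just removed. In `DeleteAcl`, `for (const auto &acl : acls)` avoids copying each profile.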