From 795a5bb70e9dfba3f4b0c6b982d6c358ab5643f2 Mon Sep 17 00:00:00 2001 From: zero-cyc Date: Wed, 1 Jun 2022 13:56:48 +0800 Subject: [PATCH] add apl check Signed-off-by: zero-cyc Change-Id: I960897e617dee801cfcff3be0ddf167a56006a95
---
 services/ans/include/access_token_helper.h | 1 + services/ans/src/access_token_helper.cpp | 39 +++++++++++++++---- .../ans/src/advanced_notification_service.cpp | 2 +- .../mock/mock_access_token_helper.cpp | 5 +++ .../mock/mock_access_token_helper.cpp | 5 +++ 5 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/services/ans/include/access_token_helper.h b/services/ans/include/access_token_helper.h
index 11de4e9da..965ca236a 100644
--- a/services/ans/include/access_token_helper.h
+++ b/services/ans/include/access_token_helper.h
@@ -34,6 +34,7 @@ public:
 static bool VerifyCallerPermission(
 const Security::AccessToken::AccessTokenID &tokenCaller, const std::string &permission);
 static bool VerifyNativeToken(const Security::AccessToken::AccessTokenID &callerToken);
+ static bool IsSystemHap();
 };
 } // namespace Notification
 } // namespace OHOS
diff --git a/services/ans/src/access_token_helper.cpp b/services/ans/src/access_token_helper.cpp
index b49617be6..f11006b65 100644
--- a/services/ans/src/access_token_helper.cpp
+++ b/services/ans/src/access_token_helper.cpp
@@ -15,20 +15,45 @@
 #include "access_token_helper.h"
+#include "ans_log_wrapper.h"
+#include "ipc_skeleton.h"
+
+using namespace OHOS::Security::AccessToken;
+
 namespace OHOS {
 namespace Notification {
 bool AccessTokenHelper::VerifyCallerPermission(
- const Security::AccessToken::AccessTokenID &tokenCaller, const std::string &permission)
+ const AccessTokenID &tokenCaller, const std::string &permission)
+{
+ int result = AccessTokenKit::VerifyAccessToken(tokenCaller, permission);
+ return (result == PERMISSION_GRANTED);
+}
+
+bool AccessTokenHelper::VerifyNativeToken(const AccessTokenID &callerToken)
 {
- int result = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenCaller, permission);
- return (result == Security::AccessToken::PERMISSION_GRANTED);
+ ATokenTypeEnum tokenType = AccessTokenKit::GetTokenTypeFlag(callerToken);
+ return tokenType == ATokenTypeEnum::TOKEN_NATIVE;
 }
-bool AccessTokenHelper::VerifyNativeToken(const Security::AccessToken::AccessTokenID &callerToken)
+bool AccessTokenHelper::IsSystemHap()
 {
- Security::AccessToken::ATokenTypeEnum tokenType =
- Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
- return tokenType == Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE;
+ AccessTokenID tokenId = IPCSkeleton::GetCallingTokenID();
+ ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(tokenId);
+ if (type == ATokenTypeEnum::TOKEN_NATIVE) {
+ return true;
+ }
+ if (type == ATokenTypeEnum::TOKEN_HAP) {
+ HapTokenInfo info;
+ AccessTokenKit::GetHapTokenInfo(tokenId, info);
+ if (info.apl == ATokenAplEnum::APL_SYSTEM_CORE || info.apl == ATokenAplEnum::APL_SYSTEM_BASIC) {
+ return true;
+ }
+ pid_t pid = IPCSkeleton::GetCallingPid();
+ pid_t uid = IPCSkeleton::GetCallingUid();
+ ANS_LOGW("apl not match, info.apl=%{public}d, type=%{public}d, pid=%{public}d, uid=%{public}d",
+ info.apl, type, pid, uid);
+ }
+ return false;
 }
 } // namespace Notification
 } // namespace OHOS
\ No newline at end of file
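Review bot: In `IsSystemHap()` the return value of `AccessTokenKit::GetHapTokenInfo(tokenId, info)` is discarded while `HapTokenInfo info;` is only default-initialised, so when the lookup fails the `info.apl` comparison runs on whatever the object happened to hold. Whether `apl` has a defined default depends on the `HapTokenInfo` definition, which is outside this patch; if it does not, a failed lookup could be accepted as a system-level caller. The check should fail closed, e.g. `if (AccessTokenKit::GetHapTokenInfo(tokenId, info) != RET_SUCCESS) { return false; }` (assuming the kit's usual success code), preferably with a warning log before the return. A smaller point in the same function: `pid_t uid = IPCSkeleton::GetCallingUid();` stores a uid in a `pid_t`, and a uid-typed local would read more clearly.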
diff --git a/services/ans/src/advanced_notification_service.cpp b/services/ans/src/advanced_notification_service.cpp
index 3d82e40b6..817b4052c 100644
--- a/services/ans/src/advanced_notification_service.cpp
+++ b/services/ans/src/advanced_notification_service.cpp
@@ -124,7 +124,7 @@ inline bool IsSystemApp()
 isSystemApp = bundleManager->IsSystemApp(callingUid);
 }
- return isSystemApp;
+ return isSystemApp || AccessTokenHelper::IsSystemHap();
 }
 inline int64_t ResetSeconds(int64_t date)
diff --git a/services/ans/test/unittest/mock/mock_access_token_helper.cpp b/services/ans/test/unittest/mock/mock_access_token_helper.cpp
index 0f3cba40f..ead552ce0 100644
--- a/services/ans/test/unittest/mock/mock_access_token_helper.cpp
+++ b/services/ans/test/unittest/mock/mock_access_token_helper.cpp
@@ -28,5 +28,10 @@ bool AccessTokenHelper::VerifyNativeToken(const Security::AccessToken::AccessTok
 {
 return callerToken == NATIVE_TOKEN;
 }
+
+bool AccessTokenHelper::IsSystemHap()
+{
+ return true;
+}
 } // namespace Notification
 } // namespace OHOS
\ No newline at end of file
diff --git a/services/test/moduletest/mock/mock_access_token_helper.cpp b/services/test/moduletest/mock/mock_access_token_helper.cpp
index 51c2f039e..3cbeab21c 100644
--- a/services/test/moduletest/mock/mock_access_token_helper.cpp
+++ b/services/test/moduletest/mock/mock_access_token_helper.cpp
@@ -27,5 +27,10 @@ bool AccessTokenHelper::VerifyNativeToken(const Security::AccessToken::AccessTok
 {
 return true;
 }
+
+bool AccessTokenHelper::IsSystemHap()
+{
+ return true;
+}
 } // namespace Notification
 } // namespace OHOS
\ No newline at end of file
-- Gitee
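Review bot: In `services/ans/src/advanced_notification_service.cpp`, the new `return isSystemApp || AccessTokenHelper::IsSystemHap();` lets `IsSystemApp()` succeed on either signal, and `IsSystemHap()` as added in this patch also returns true for any `TOKEN_NATIVE` caller. Every gate built on `IsSystemApp()` therefore now admits native processes and system-APL HAPs even when the bundle manager does not flag the uid. If that widening is intended, it should be stated at the return, e.g. `// Also accept native tokens and HAPs with APL system_basic/system_core, even when the bundle manager does not report a system app.` Because `IsSystemHap()` reads `IPCSkeleton::GetCallingTokenID()`, the result presumably only describes the real caller while still on the IPC calling thread; it is worth confirming no caller reaches `IsSystemApp()` from a posted task. The body of `IsSystemApp()` starts outside the hunk.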
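Review bot: Both mocks, `services/ans/test/unittest/mock/mock_access_token_helper.cpp` and `services/test/moduletest/mock/mock_access_token_helper.cpp`, hard-code `IsSystemHap()` to `return true;`. Since `IsSystemApp()` now ORs that result in, tests linked against these mocks presumably cannot reach the rejection path for a non-system caller. The unittest mock already makes `VerifyNativeToken` depend on its input (`callerToken == NATIVE_TOKEN`); a similarly switchable value for `IsSystemHap()` would let a test assert that a normal-APL caller is refused. At minimum a comment such as `// Mock: treats every caller as system-level; deny paths are not exercised.` would make the limitation visible.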