From e7fb309a510efbe5fe7fe3f040435b5131f366b2 Mon Sep 17 00:00:00 2001
From: bigtea
Date: Tue, 21 Jan 2025 17:52:37 +0800
Subject: [PATCH] Add ACCESS_TOKEN hisysevent 5.0.1
Signed-off-by: bigtea
---
 hisysevent.yaml | 22 +++++++
 .../include/napi_hisysevent_adapter.h | 37 +++++++++++
 .../include/napi_request_permission.h | 1 +
 .../napi/accesstoken/src/napi_atmanager.cpp | 29 +++++++++
 .../src/napi_request_permission.cpp | 9 ++-
 .../main/cpp/include/dfx/hisysevent_adapter.h | 6 ++
 .../include/permission/permission_manager.h | 2 +
 .../cpp/src/permission/permission_manager.cpp | 62 +++++++++++++------
 .../permission/temp_permission_observer.cpp | 9 +--
 .../src/token/accesstoken_info_manager.cpp | 3 +
 10 files changed, 154 insertions(+), 26 deletions(-)
 create mode 100644 interfaces/kits/napi/accesstoken/include/napi_hisysevent_adapter.h
diff --git a/hisysevent.yaml b/hisysevent.yaml
index 7d77c9308..9ca3e39d6 100644
--- a/hisysevent.yaml
+++ b/hisysevent.yaml
@@ -86,3 +86,25 @@ REQUEST_PERMISSIONS_FROM_USER:
 __BASE: {type: BEHAVIOR, level: MINOR, desc: request permissions from user}
 BUNDLENAME: {type: STRING, desc: bundle name}
 UIEXTENSION_FLAG: {type: BOOL, desc: uiextension flag}
+
+REQ_PERM_FROM_USER_ERROR:
+ __BASE: {type: FAULT, level: CRITICAL, desc: failed to request permission from user}
+ ERROR_CODE: {type: INT32, desc: error code}
+ SELF_TOKENID: {type: UINT32, desc: self tokenID}
+ CONTEXT_TOKENID: {type: UINT32, desc: context tokenID}
+
+UPDATE_PERMISSION_STATUS_ERROR:
+ __BASE: {type: FAULT, level: CRITICAL, desc: failed to grant or revoke permission}
+ ERROR_CODE: {type: INT32, desc: error code}
+ TOKENID: {type: UINT32, desc: tokenID}
+ PERM: {type: STRING, desc: permission name}
+ BUNDLE_NAME: {type: STRING, desc: bundle name}
+ INT_VAL1: {type: INT32, desc: hap dlp type/return value}
+ INT_VAL2: {type: INT32, desc: permission dlp mode/update permission flag}
+ NEED_KILL: {type: BOOL, desc: need kill hap}
+
+VERIFY_ACCESS_TOKEN_EVENT:
+ __BASE: {type: STATISTIC, level: CRITICAL, desc: verify access token event}
+ EVENT_CODE: {type: INT32, desc: event code}
+ SELF_TOKENID: {type: UINT32, desc: self tokenID}
+ CONTEXT_TOKENID: {type: UINT32, desc: context tokenID}
diff --git a/interfaces/kits/napi/accesstoken/include/napi_hisysevent_adapter.h b/interfaces/kits/napi/accesstoken/include/napi_hisysevent_adapter.h
new file mode 100644
index 000000000..2578f88ab
--- /dev/null
+++ b/interfaces/kits/napi/accesstoken/include/napi_hisysevent_adapter.h
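Review bot: UPDATE_PERMISSION_STATUS_ERROR gives `INT_VAL1` and `INT_VAL2` two meanings each (`hap dlp type/return value`, `permission dlp mode/update permission flag`), so anyone querying or alerting on this event has to branch on ERROR_CODE before the integers mean anything. Separately named fields per meaning would keep the schema self-describing. The three writers later in this patch also fill different subsets of the declared fields: the DLP branch in permission_manager.cpp omits NEED_KILL, and temp_permission_observer.cpp passes only ERROR_CODE, TOKENID, PERM and BUNDLE_NAME. If the schema stays as it is, I would at least record that above the entry, e.g. `# INT_VAL1, INT_VAL2 and NEED_KILL are set only for some ERROR_CODE values; see hisysevent_adapter.h`.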
@@ -0,0 +1,37 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef ACCESSTOKEN_NAPI_HISYSEVENT_ADAPTER_H +#define ACCESSTOKEN_NAPI_HISYSEVENT_ADAPTER_H + +namespace OHOS { +namespace Security { +namespace AccessToken { +enum ReqPermFromUserErrorCode { + TOKENID_INCONSISTENCY = 0, + ABILITY_FLAG_ERROR = 1, + GET_UI_CONTENT_FAILED = 2, + CREATE_MODAL_UI_FAILED = 3, + TRIGGER_RELEASE = 4, + TRIGGER_ONERROR = 5, + TRIGGER_DESTROY = 6, +}; +enum VerifyAccessTokenEventCode { + VERIFY_TOKENID_INCONSISTENCY = 0, +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS +#endif // ACCESSTOKEN_NAPI_HISYSEVENT_ADAPTER_H diff --git a/interfaces/kits/napi/accesstoken/include/napi_request_permission.h b/interfaces/kits/napi/accesstoken/include/napi_request_permission.h index e04575c29..76faf0eaa 100644 --- a/interfaces/kits/napi/accesstoken/include/napi_request_permission.h +++ b/interfaces/kits/napi/accesstoken/include/napi_request_permission.h @@ -91,6 +91,7 @@ public: private: int32_t sessionId_ = 0; std::shared_ptr reqContext_ = nullptr; + std::atomic isOnResult_; }; struct ResultCallback { diff --git a/interfaces/kits/napi/accesstoken/src/napi_atmanager.cpp b/interfaces/kits/napi/accesstoken/src/napi_atmanager.cpp index 134967a00..3ea7bbf3d 100644 --- a/interfaces/kits/napi/accesstoken/src/napi_atmanager.cpp +++ b/interfaces/kits/napi/accesstoken/src/napi_atmanager.cpp 
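Review bot: Neither `ReqPermFromUserErrorCode` nor `VerifyAccessTokenEventCode` in the new napi_hisysevent_adapter.h says what each enumerator means or that the numbers are an external contract. `VERIFY_TOKENID_INCONSISTENCY` is written as EVENT_CODE in napi_atmanager.cpp, and the first enum presumably feeds ERROR_CODE of REQ_PERM_FROM_USER_ERROR (its writer is not legible on this page), so the values end up in stored event records. I would add a header comment such as `// Values are reported in HiSysEvent records; append new codes, never renumber existing ones.` and a short trailing comment per enumerator naming the condition that triggers it.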
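Review bot: `isOnResult_` is the only member in this private section declared without a default initializer; the constructor hunk in napi_request_permission.cpp then sets it with `isOnResult_.exchange(false)`. Initialise it where it is declared, `std::atomic<bool> isOnResult_{false};` (bool is inferred from the `exchange(false)` / `exchange(true)` calls, since the template argument is not legible on this page), and drop the constructor statement. In OnResult the previous value is discarded, so `isOnResult_.store(true);` states the intent better than `exchange`. Whether this header already includes `<atomic>` cannot be seen from the hunk; the class body starts and ends outside it.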
@@ -15,6 +15,8 @@ #include "napi_atmanager.h" #include "access_token.h" +#include "hisysevent.h" +#include "napi_hisysevent_adapter.h" #include "napi_request_global_switch_on_setting.h" #include "napi_request_permission.h" #include "napi_request_permission_on_setting.h" @@ -30,6 +32,8 @@ std::vector g_permStateChangeRegisters; std::mutex g_lockCache; std::map g_cache; static PermissionParamCache g_paramCache; +static std::atomic g_cnt = 0; +constexpr uint32_t REPORT_CNT = 10; namespace { static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = { LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenAbilityAccessCtrl" @@ -415,6 +419,15 @@ void NapiAtManager::VerifyAccessTokenExecute(napi_env env, void *data) if (asyncContext == nullptr) { return; } + AccessTokenID selfTokenId = static_cast(GetSelfTokenID()); + if (asyncContext->tokenId != selfTokenId) { + int32_t cnt = g_cnt.fetch_add(1); + if (cnt % REPORT_CNT == 0) { + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "VERIFY_ACCESS_TOKEN_EVENT", + HiviewDFX::HiSysEvent::EventType::STATISTIC, "EVENT_CODE", VERIFY_TOKENID_INCONSISTENCY, + "SELF_TOKENID", selfTokenId, "CONTEXT_TOKENID", asyncContext->tokenId); + } + } asyncContext->result = AccessTokenKit::VerifyAccessToken(asyncContext->tokenId, asyncContext->permissionName); } 
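Review bot: The sampled `HiSysEventWrite` block added to VerifyAccessTokenExecute is repeated almost verbatim in the CheckAccessTokenExecute and VerifyAccessTokenSync hunks, so any later change to the sampling rule or the field list has to be made three times. It also stores the counter in `int32_t cnt` and then takes `cnt % REPORT_CNT` against a `uint32_t` constant, a signed/unsigned mix that is better avoided by keeping the counter value unsigned (the element type of `g_cnt` is not legible on this page). A single file-local helper next to `g_cnt` would carry the sampling policy and a comment explaining that only one in REPORT_CNT cross-token checks per process is recorded, which matters to anyone reading these events as counts. The three functions start and end outside their hunks.

```cpp
// Records a VERIFY_ACCESS_TOKEN_EVENT for one in every REPORT_CNT calls that
// verify a token other than the caller's own. The counter is process-wide and
// shared by all verify/check entry points, so the event is a sample, not a count.
static void ReportTokenIdInconsistency(AccessTokenID selfTokenId, AccessTokenID contextTokenId)
{
    uint32_t cnt = g_cnt.fetch_add(1);
    if (cnt % REPORT_CNT != 0) {
        return;
    }
    HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "VERIFY_ACCESS_TOKEN_EVENT",
        HiviewDFX::HiSysEvent::EventType::STATISTIC, "EVENT_CODE", VERIFY_TOKENID_INCONSISTENCY,
        "SELF_TOKENID", selfTokenId, "CONTEXT_TOKENID", contextTokenId);
}

// … unchanged: null check on asyncContext, selfTokenId lookup …
    if (asyncContext->tokenId != selfTokenId) {
        ReportTokenIdInconsistency(selfTokenId, asyncContext->tokenId);
    }
// … unchanged: AccessTokenKit::VerifyAccessToken call …
```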
@@ -481,6 +494,15 @@ void NapiAtManager::CheckAccessTokenExecute(napi_env env, void *data) asyncContext->errorCode = JS_ERROR_PARAM_INVALID; return; } + AccessTokenID selfTokenId = static_cast(GetSelfTokenID()); + if (asyncContext->tokenId != selfTokenId) { + int32_t cnt = g_cnt.fetch_add(1); + if (cnt % REPORT_CNT == 0) { + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "VERIFY_ACCESS_TOKEN_EVENT", + HiviewDFX::HiSysEvent::EventType::STATISTIC, "EVENT_CODE", VERIFY_TOKENID_INCONSISTENCY, + "SELF_TOKENID", selfTokenId, "CONTEXT_TOKENID", asyncContext->tokenId); + } + } asyncContext->result = AccessTokenKit::VerifyAccessToken(asyncContext->tokenId, asyncContext->permissionName); @@ -610,6 +632,13 @@ napi_value NapiAtManager::VerifyAccessTokenSync(napi_env env, napi_callback_info return nullptr; } if (asyncContext->tokenId != static_cast(selfTokenId)) { + int32_t cnt = g_cnt.fetch_add(1); + if (cnt % REPORT_CNT == 0) { + AccessTokenID selfToken = static_cast(selfTokenId); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "VERIFY_ACCESS_TOKEN_EVENT", + HiviewDFX::HiSysEvent::EventType::STATISTIC, "EVENT_CODE", VERIFY_TOKENID_INCONSISTENCY, + "SELF_TOKENID", selfToken, "CONTEXT_TOKENID", asyncContext->tokenId); + } asyncContext->result = AccessTokenKit::VerifyAccessToken(asyncContext->tokenId, asyncContext->permissionName); napi_value result = nullptr; NAPI_CALL(env, napi_create_int32(env, asyncContext->result, &result)); diff --git a/interfaces/kits/napi/accesstoken/src/napi_request_permission.cpp b/interfaces/kits/napi/accesstoken/src/napi_request_permission.cpp index 39b0ebe32..a795aed9b 100644 --- a/interfaces/kits/napi/accesstoken/src/napi_request_permission.cpp +++ b/interfaces/kits/napi/accesstoken/src/napi_request_permission.cpp @@ -21,6 +21,7 @@ #include "accesstoken_log.h" #include "hisysevent.h" #include "napi_base_context.h" +#include "napi_hisysevent_adapter.h" #include "token_setproc.h" #include "want.h" 
@@ -483,6 +484,7 @@ void UIExtensionCallback::ReleaseHandler(int32_t code) UIExtensionCallback::UIExtensionCallback(const std::shared_ptr& reqContext) { this->reqContext_ = reqContext; + isOnResult_.exchange(false); } UIExtensionCallback::~UIExtensionCallback() @@ -498,6 +500,7 @@ void UIExtensionCallback::SetSessionId(int32_t sessionId) */ void UIExtensionCallback::OnResult(int32_t resultCode, const AAFwk::Want& result) { + isOnResult_.exchange(true); ACCESSTOKEN_LOG_INFO(LABEL, "ResultCode is %{public}d", resultCode); this->reqContext_->permissionList = result.GetStringArrayParam(PERMISSION_KEY); this->reqContext_->permissionsState = result.GetIntArrayParam(RESULT_KEY); @@ -519,7 +522,6 @@ void UIExtensionCallback::OnReceive(const AAFwk::WantParams& receive) void UIExtensionCallback::OnRelease(int32_t releaseCode) { ACCESSTOKEN_LOG_INFO(LABEL, "ReleaseCode is %{public}d", releaseCode); - ReleaseHandler(-1); } @@ -530,7 +532,6 @@ void UIExtensionCallback::OnError(int32_t code, const std::string& name, const s { ACCESSTOKEN_LOG_INFO(LABEL, "Code is %{public}d, name is %{public}s, message is %{public}s", code, name.c_str(), message.c_str()); - ReleaseHandler(-1); } @@ -549,6 +550,10 @@ void UIExtensionCallback::OnRemoteReady(const std::shared_ptr& infoPtr, + AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag); std::string TransferPermissionDefToString(const PermissionDef& inPermissionDef); bool IsPermissionVaild(const std::string& permissionName); bool GetLocationPermissionIndex(std::vector& reqPermList, LocationIndex& locationIndex); diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 7fe33bcb1..648a512ab 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp 
@@ -32,6 +32,7 @@ #include "dlp_permission_set_manager.h" #endif #include "ipc_skeleton.h" +#include "hisysevent_adapter.h" #include "parameter.h" #include "permission_definition_cache.h" #include "short_grant_manager.h" 
@@ -573,35 +574,26 @@ int32_t PermissionManager::UpdateTokenPermissionState( ACCESSTOKEN_LOG_ERROR(LABEL, "tokenInfo is null, tokenId=%{public}u", id); return AccessTokenError::ERR_TOKENID_NOT_EXIST; } - if (infoPtr->IsRemote()) { - ACCESSTOKEN_LOG_ERROR(LABEL, "Remote token can not update"); - return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; - } - if ((flag == PERMISSION_ALLOW_THIS_TIME) && isGranted) { - if (!TempPermissionObserver::GetInstance().IsAllowGrantTempPermission(id, permission)) { - ACCESSTOKEN_LOG_ERROR(LABEL, "Id:%{public}d fail to grant permission:%{public}s", id, permission.c_str()); - return ERR_IDENTITY_CHECK_FAILED; - } + + int32_t ret = UpdateTokenPermissionStateCheck(infoPtr, id, permission, isGranted, flag); + if (ret != ERR_OK) { + return ret; } + std::shared_ptr permPolicySet = infoPtr->GetHapInfoPermissionPolicySet(); if (permPolicySet == nullptr) { ACCESSTOKEN_LOG_ERROR(LABEL, "PolicySet is null, TokenID=%{public}d.", id); return AccessTokenError::ERR_PARAM_INVALID; } -#ifdef SUPPORT_SANDBOX_APP - int32_t hapDlpType = infoPtr->GetDlpType(); - if (hapDlpType != DLP_COMMON) { - int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permission); - if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) { - ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s cannot to be granted to %{public}u", permission.c_str(), id); - return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; - } - } -#endif + int32_t statusBefore = permPolicySet->VerifyPermissionStatus(permission); bool isSecCompGrantedBefore = permPolicySet->IsPermissionGrantedWithSecComp(permission); - int32_t ret = permPolicySet->UpdatePermissionStatus(permission, isGranted, flag); + ret = permPolicySet->UpdatePermissionStatus(permission, isGranted, flag); if (ret != RET_SUCCESS) { + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", + HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", 
UPDATE_PERMISSION_STATUS_FAILED, "TOKENID", id, + "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", ret, + "INT_VAL2", static_cast(flag), "NEED_KILL", needKill); return ret; } int32_t statusAfter = permPolicySet->VerifyPermissionStatus(permission); @@ -623,6 +615,36 @@ int32_t PermissionManager::UpdateTokenPermissionState( return RET_SUCCESS; } +int32_t PermissionManager::UpdateTokenPermissionStateCheck(const std::shared_ptr& infoPtr, + AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag) +{ + if (infoPtr->IsRemote()) { + ACCESSTOKEN_LOG_ERROR(LABEL, "Remote token can not update"); + return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; + } + if ((flag == PERMISSION_ALLOW_THIS_TIME) && isGranted) { + if (!TempPermissionObserver::GetInstance().IsAllowGrantTempPermission(id, permission)) { + ACCESSTOKEN_LOG_ERROR(LABEL, "Id:%{public}d fail to grant permission:%{public}s", id, permission.c_str()); + return ERR_IDENTITY_CHECK_FAILED; + } + } + +#ifdef SUPPORT_SANDBOX_APP + int32_t hapDlpType = infoPtr->GetDlpType(); + if (hapDlpType != DLP_COMMON) { + int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permission); + if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) { + ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s cannot to be granted to %{public}u", permission.c_str(), id); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", + HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", DLP_CHECK_FAILED, "TOKENID", id, "PERM", + permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", hapDlpType, "INT_VAL2", permDlpMode); + return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; + } + } +#endif + return ERR_OK; +} + int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag, bool needKill) { 
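Review bot: Only the `UpdatePermissionStatus` failure writes UPDATE_PERMISSION_STATUS_ERROR in UpdateTokenPermissionState; the `permPolicySet == nullptr` return (ERR_PARAM_INVALID) in the same hunk, and the `IsRemote()` rejection that was moved into UpdateTokenPermissionStateCheck, still leave only a log line. If the event is meant to be the record of refused grant or revoke operations, the remote-token refusal is the one an investigator would most want to see, and both paths would need their own ERROR_CODE value in hisysevent_adapter.h plus a write before the return. A one-line comment above the new call saying which failure paths are reported and which are deliberately not would also help, for example `// Reported: status update failure only; earlier rejections are logged, not evented.` The declaration of `needKill` used in the new call, and the start of the function, lie outside the hunk.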
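Review bot: In UpdateTokenPermissionStateCheck the `PERMISSION_ALLOW_THIS_TIME` branch runs before the DLP check, and `IsAllowGrantTempPermission` is not a pure predicate: the temp_permission_observer.cpp hunk shows it calling `AddTempPermTokenToList(...)` just before `return true`. A grant that passes the temporary-permission check and then fails `IsPermDlpModeAvailableToDlpHap` returns ERR_IDENTITY_CHECK_FAILED with the token already added to the temporary list. The pre-refactor code had the same order, so this is inherited rather than introduced, but extracting the checks is a good moment to move the `#ifdef SUPPORT_SANDBOX_APP` block above the temporary-grant check so the side effect only happens once every other check has passed. Whether a stale entry is harmful depends on how that list is consumed, which is not visible here. The DLP refusal is also still logged with `ACCESSTOKEN_LOG_DEBUG` while the other refusals in this function use `ACCESSTOKEN_LOG_ERROR`.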
diff --git a/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp b/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp index 4438c6e7d..5142d2471 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp @@ -27,6 +27,7 @@ #endif #include "form_manager_access_client.h" #include "hisysevent.h" +#include "hisysevent_adapter.h" #include "ipc_skeleton.h" namespace OHOS { @@ -359,13 +360,13 @@ bool TempPermissionObserver::IsAllowGrantTempPermission(AccessTokenID tokenID, c } #endif if (!userEnable || isForeground || isFormVisible || isContinuousTaskExist) { - std::vector list; - list.emplace_back(isForeground); - list.emplace_back(isFormVisible); - list.emplace_back(isContinuousTaskExist); + std::vector list{isForeground, isFormVisible, isContinuousTaskExist}; AddTempPermTokenToList(tokenID, tokenInfo.bundleName, permissionName, list); return true; } + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", + HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", GRANT_TEMP_PERMISSION_FAILED, + "TOKENID", tokenID, "PERM", permissionName, "BUNDLE_NAME", tokenInfo.bundleName); return false; } diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index 46f5cc3bb..1bc580953 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp @@ -674,6 +674,9 @@ bool AccessTokenInfoManager::TryUpdateExistNativeToken(const std::shared_ptr