From 3aefb7370853ef519b5a247938ab3e3da18492ea Mon Sep 17 00:00:00 2001 From: bigtea Date: Mon, 10 Feb 2025 14:44:08 +0800 Subject: [PATCH] optimize updatehaptoken 5.0.3 Signed-off-by: bigtea --- .../accesstoken/src/hap_info_parcel.cpp | 8 + .../accesstoken/include/hap_token_info.h | 2 + .../innerkits/accesstoken/test/BUILD.gn | 1 + .../test/unittest/src/init_hap_token_test.cpp | 196 ++++++++++++++++++ .../test/unittest/src/init_hap_token_test.h | 40 ++++ .../include/token/accesstoken_info_manager.h | 2 +- .../src/token/accesstoken_info_manager.cpp | 49 +++-- 7 files changed, 281 insertions(+), 17 deletions(-) create mode 100644 interfaces/innerkits/accesstoken/test/unittest/src/init_hap_token_test.cpp create mode 100644 interfaces/innerkits/accesstoken/test/unittest/src/init_hap_token_test.h diff --git a/frameworks/accesstoken/src/hap_info_parcel.cpp b/frameworks/accesstoken/src/hap_info_parcel.cpp index 9a46ce07e..bac45bdb6 100644 --- a/frameworks/accesstoken/src/hap_info_parcel.cpp +++ b/frameworks/accesstoken/src/hap_info_parcel.cpp @@ -29,6 +29,10 @@ bool HapInfoParcel::Marshalling(Parcel& out) const RETURN_IF_FALSE(out.WriteInt32(this->hapInfoParameter.apiVersion)); RETURN_IF_FALSE(out.WriteBool(this->hapInfoParameter.isSystemApp)); RETURN_IF_FALSE(out.WriteString(this->hapInfoParameter.appDistributionType)); + RETURN_IF_FALSE(out.WriteBool(this->hapInfoParameter.isRestore)); + if (this->hapInfoParameter.isRestore) { + RETURN_IF_FALSE(out.WriteUint32(this->hapInfoParameter.tokenID)); + } return true; } 
@@ -46,6 +50,10 @@ HapInfoParcel* HapInfoParcel::Unmarshalling(Parcel& in) RELEASE_IF_FALSE(in.ReadInt32(hapInfoParcel->hapInfoParameter.apiVersion), hapInfoParcel); RELEASE_IF_FALSE(in.ReadBool(hapInfoParcel->hapInfoParameter.isSystemApp), hapInfoParcel); RELEASE_IF_FALSE(in.ReadString(hapInfoParcel->hapInfoParameter.appDistributionType), hapInfoParcel); + RELEASE_IF_FALSE(in.ReadBool(hapInfoParcel->hapInfoParameter.isRestore), hapInfoParcel); + if (hapInfoParcel->hapInfoParameter.isRestore) { + RELEASE_IF_FALSE(in.ReadUint32(hapInfoParcel->hapInfoParameter.tokenID), hapInfoParcel); + } return hapInfoParcel; } } // namespace AccessToken diff --git a/interfaces/innerkits/accesstoken/include/hap_token_info.h b/interfaces/innerkits/accesstoken/include/hap_token_info.h index 781040841..81fd960b9 100644 --- a/interfaces/innerkits/accesstoken/include/hap_token_info.h +++ b/interfaces/innerkits/accesstoken/include/hap_token_info.h @@ -70,6 +70,8 @@ public: bool isSystemApp; /* app type */ std::string appDistributionType; + bool isRestore = false; + AccessTokenID tokenID = INVALID_TOKENID; }; /** diff --git a/interfaces/innerkits/accesstoken/test/BUILD.gn b/interfaces/innerkits/accesstoken/test/BUILD.gn index 9876a5e60..9cbee3abf 100644 --- a/interfaces/innerkits/accesstoken/test/BUILD.gn +++ b/interfaces/innerkits/accesstoken/test/BUILD.gn @@ -43,6 +43,7 @@ ohos_unittest("libaccesstoken_sdk_test") { "unittest/src/accesstoken_short_time_permission_test.cpp", "unittest/src/app_installation_optimized_test.cpp", "unittest/src/clone_app_permission_test.cpp", + "unittest/src/init_hap_token_test.cpp", "unittest/src/remote_token_kit_test.cpp", "unittest/src/security_component_grant_test.cpp", ] diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/init_hap_token_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/src/init_hap_token_test.cpp new file mode 100644 index 000000000..8ae7d63b5 --- /dev/null 
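Review bot: The two members added in hap_token_info.h, `isRestore` and `tokenID`, carry no comment although the neighbouring `appDistributionType` has one (`/* app type */`), and their contract is not obvious from the names. Judging by CheckHapInfoParam and the Marshalling change in this patch, `tokenID` is only meaningful when `isRestore` is true and must then differ from INVALID_TOKENID. I would add `/* true to re-create the token under the previously assigned ID given in tokenID */` above `isRestore` and `/* used only when isRestore is true; must not be INVALID_TOKENID */` above `tokenID`. The enclosing class starts and ends outside the hunk.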
+++ b/interfaces/innerkits/accesstoken/test/unittest/src/init_hap_token_test.cpp 
@@ -0,0 +1,196 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "init_hap_token_test.h"
+#include "gtest/gtest.h"
+#include
+
+#include "access_token.h"
+#include "access_token_error.h"
+#include "accesstoken_log.h"
+#include "accesstoken_service_ipc_interface_code.h"
+#include "nativetoken_kit.h"
+#include "permission_grant_info.h"
+#include "permission_state_change_info_parcel.h"
+#include "string_ex.h"
+#include "tokenid_kit.h"
+#include "token_setproc.h"
+
+using namespace testing::ext;
+namespace OHOS {
+namespace Security {
+namespace AccessToken {
+namespace {
+static AccessTokenID g_selfTokenId = 0;
+static constexpr int32_t DEFAULT_API_VERSION = 12;
+
+PermissionStateFull g_infoManagerManageHapState = {
+ .permissionName = "ohos.permission.MANAGE_HAP_TOKENID",
+ .isGeneral = true,
+ .resDeviceID = {"test_device"},
+ .grantStatus = {PermissionState::PERMISSION_GRANTED},
+ .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED}
+};
+
+PermissionStateFull g_infoManagerCameraState = {
+ .permissionName = "ohos.permission.CAMERA",
+ .isGeneral = true,
+ .resDeviceID = {"local2"},
+ .grantStatus = {PermissionState::PERMISSION_DENIED},
+ .grantFlags = {0}
+};
+
+HapInfoParams g_testHapInfoParams = {
+ .userID = 0,
+ .bundleName = "InitHapTokenTest",
+ .instIndex = 0,
+ .appIDDesc = "InitHapTokenTest",
+ .apiVersion = DEFAULT_API_VERSION,
+ .isSystemApp = true,
+ .appDistributionType = ""
+};
+
+HapPolicyParams g_testPolicyParams = {
+ .apl = APL_SYSTEM_CORE,
+ .domain = "test_domain",
+ .permList = {},
+ .permStateList = { g_infoManagerManageHapState },
+ .aclRequestedList = {},
+ .preAuthorizationInfo = {}
+};
+};
+
+void InitHapTokenTest::SetUpTestCase()
+{
+ g_selfTokenId = GetSelfTokenID();
+ // clean up test cases
+ AccessTokenID tokenId = AccessTokenKit::GetHapTokenID(g_testHapInfoParams.userID,
+ g_testHapInfoParams.bundleName,
+ g_testHapInfoParams.instIndex);
+ AccessTokenKit::DeleteToken(tokenId);
+ AccessTokenIDEx tokenIdEx = AccessTokenKit::AllocHapToken(g_testHapInfoParams, g_testPolicyParams);
+ SetSelfTokenID(tokenIdEx.tokenIDEx);
+}
+
+void InitHapTokenTest::TearDownTestCase()
+{
+ AccessTokenID tokenId = AccessTokenKit::GetHapTokenID(g_testHapInfoParams.userID,
+ g_testHapInfoParams.bundleName,
+ g_testHapInfoParams.instIndex);
+ AccessTokenKit::DeleteToken(tokenId);
+ SetSelfTokenID(g_selfTokenId);
+}
+
+void InitHapTokenTest::SetUp()
+{
+ setuid(0);
+}
+
+void InitHapTokenTest::TearDown()
+{
+}
+
+void InitHapTokenTest::GetHapParams(HapInfoParams& infoParams, HapPolicyParams& policyParams)
+{
+ infoParams.userID = 0;
+ infoParams.bundleName = "com.ohos.AccessTokenTestBundle";
+ infoParams.instIndex = 0;
+ infoParams.appIDDesc = "AccessTokenTestAppID";
+ infoParams.apiVersion = DEFAULT_API_VERSION;
+ infoParams.isSystemApp = true;
+ infoParams.appDistributionType = "";
+
+ policyParams.apl = APL_NORMAL;
+ policyParams.domain = "accesstoken_test_domain";
+ policyParams.permList = {};
+ policyParams.permStateList = {};
+ policyParams.aclRequestedList = {};
+ policyParams.preAuthorizationInfo = {};
+}
+
+/**
+ * @tc.name: InitHapTokenAbnormalTest006
+ * @tc.desc: InitHapToken isRestore with INVALID_TOKENID
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(InitHapTokenTest, InitHapTokenAbnormalTest006, TestSize.Level1)
+{
+ HapInfoParams infoParams;
+ HapPolicyParams policyParams;
+ GetHapParams(infoParams, policyParams);
+
+ infoParams.isRestore = true;
+ infoParams.tokenID = INVALID_TOKENID;
+
+ PreAuthorizationInfo preAuthorizationInfo;
+ preAuthorizationInfo.permissionName = "";
+ policyParams.preAuthorizationInfo = {preAuthorizationInfo};
+ AccessTokenIDEx fullTokenId;
+ int32_t ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId);
+ EXPECT_EQ(ERR_PARAM_INVALID, ret);
+}
+
+/**
+ * @tc.name: InitHapTokenSpecsTest009
+ * @tc.desc: InitHapToken isRestore with real token
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest009, TestSize.Level1)
+{
+ HapInfoParams infoParams;
+ HapPolicyParams policyParams;
+ GetHapParams(infoParams, policyParams);
+ policyParams.apl = APL_SYSTEM_CORE;
+
+ PermissionStateFull permissionStateFull001 = {
+ .permissionName = "ohos.permission.ACCESS_CERT_MANAGER",
+ .isGeneral = false,
+ .resDeviceID = {"local"},
+ .grantStatus = {PERMISSION_GRANTED},
+ .grantFlags = {PERMISSION_SYSTEM_FIXED}
+ };
+
+ policyParams.permStateList = {permissionStateFull001, g_infoManagerCameraState};
+ AccessTokenIDEx fullTokenId;
+ int32_t ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId);
+ AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID;
+ ASSERT_EQ(RET_SUCCESS, ret);
+
+ ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.ACCESS_CERT_MANAGER");
+ EXPECT_EQ(PERMISSION_GRANTED, ret);
+
+ (void)AccessTokenKit::GrantPermission(tokenID, "ohos.permission.CAMERA", PERMISSION_USER_SET);
+ ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.CAMERA");
+ EXPECT_EQ(ret, PERMISSION_GRANTED);
+
+ ret = AccessTokenKit::DeleteToken(tokenID);
+ EXPECT_EQ(RET_SUCCESS, ret);
+
+ infoParams.isRestore = true;
+ infoParams.tokenID = tokenID;
+ ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId);
+ EXPECT_EQ(RET_SUCCESS, ret);
+
+ ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.ACCESS_CERT_MANAGER");
+ EXPECT_EQ(PERMISSION_GRANTED, ret);
+
+ ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.CAMERA");
+ EXPECT_EQ(ret, PERMISSION_DENIED);
+}
+} // namespace AccessToken
+} // namespace Security
+} // namespace OHOS
\ No newline at end of file
diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/init_hap_token_test.h b/interfaces/innerkits/accesstoken/test/unittest/src/init_hap_token_test.h
new file mode 100644
index 000000000..98a045712
--- /dev/null
+++ b/interfaces/innerkits/accesstoken/test/unittest/src/init_hap_token_test.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef INIT_HAP_TOKEN_TEST_H
+#define INIT_HAP_TOKEN_TEST_H
+
+#include
+
+#include "access_token.h"
+#include "accesstoken_kit.h"
+#include "permission_def.h"
+#include "permission_state_full.h"
+
+namespace OHOS {
+namespace Security {
+namespace AccessToken {
+class InitHapTokenTest : public testing::Test {
+public:
+ static void SetUpTestCase();
+ static void TearDownTestCase();
+ void SetUp();
+ void TearDown();
+ static void GetHapParams(HapInfoParams& infoParams, HapPolicyParams& policyParams);
+};
+} // namespace AccessToken
+} // namespace Security
+} // namespace OHOS
+#endif // INIT_HAP_TOKEN_TEST_H
\ No newline at end of file
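Review bot: InitHapTokenSpecsTest009 in init_hap_token_test.cpp ends without deleting the token it restored, so the restored ID stays registered after the test and can influence later cases or a rerun; add `EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID));` as its last statement. In InitHapTokenAbnormalTest006 the policy also carries a PreAuthorizationInfo with an empty permissionName, so ERR_PARAM_INVALID may come from that entry rather than from the new isRestore/INVALID_TOKENID check; removing those three lines would make the test isolate the validation it is named for. The suite would also benefit from a case that requests a restore with an ID that is still registered and expects the call to fail, since that is the refusal this feature most depends on.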
diff --git a/services/accesstokenmanager/main/cpp/include/token/accesstoken_info_manager.h b/services/accesstokenmanager/main/cpp/include/token/accesstoken_info_manager.h index 40889fe05..3cbba5634 100644 --- a/services/accesstokenmanager/main/cpp/include/token/accesstoken_info_manager.h +++ b/services/accesstokenmanager/main/cpp/include/token/accesstoken_info_manager.h @@ -127,7 +127,7 @@ private: OHOS::ThreadPool tokenDataWorker_; #endif bool RemoveNativeInfoFromDatabase(AccessTokenID tokenID); - + int32_t CheckHapInfoParam(const HapInfoParams& info, const HapPolicyParams& policy); bool hasInited_; std::atomic_int32_t dumpTaskNum_; diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index 1bc580953..d2b93e2b7 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp @@ -248,7 +248,7 @@ int AccessTokenInfoManager::AddHapTokenInfo(const std::shared_ptr infoGuard(this->hapTokenInfoLock_); if (hapTokenInfoMap_.count(id) > 0) { ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u info has exist.", id); - return AccessTokenError::ERR_TOKENID_NOT_EXIST; + return AccessTokenError::ERR_TOKENID_HAS_EXISTED; } if (!info->IsRemote()) { 
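Review bot: `CheckHapInfoParam` is declared in accesstoken_info_manager.h as a non-static, non-const private member, yet the definition added in accesstoken_info_manager.cpp reads only its two arguments and DataValidator. Declaring it `static int32_t CheckHapInfoParam(const HapInfoParams& info, const HapPolicyParams& policy);`, or making it a file-local function beside GetPolicyCopied, would state that the validation depends on no manager state. The class body starts and ends outside the hunk.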
@@ -553,33 +553,49 @@ static void GetPolicyCopied(const HapPolicyParams& policy, HapPolicyParams& poli } #endif -int AccessTokenInfoManager::CreateHapTokenInfo( - const HapInfoParams& info, const HapPolicyParams& policy, AccessTokenIDEx& tokenIdEx) +int32_t AccessTokenInfoManager::CheckHapInfoParam(const HapInfoParams& info, const HapPolicyParams& policy) { if ((!DataValidator::IsUserIdValid(info.userID)) || (!DataValidator::IsBundleNameValid(info.bundleName)) || (!DataValidator::IsAppIDDescValid(info.appIDDesc)) || (!DataValidator::IsDomainValid(policy.domain)) || - (!DataValidator::IsDlpTypeValid(info.dlpType))) { + (!DataValidator::IsDlpTypeValid(info.dlpType)) || (info.isRestore && info.tokenID == INVALID_TOKENID)) { ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token param failed"); return AccessTokenError::ERR_PARAM_INVALID; } - int32_t dlpFlag = (info.dlpType > DLP_COMMON) ? 1 : 0; - int32_t cloneFlag = ((dlpFlag == 0) && (info.instIndex) > 0) ? 1 : 0; - AccessTokenID tokenId = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(TOKEN_HAP, dlpFlag, cloneFlag); - if (tokenId == 0) { - ACCESSTOKEN_LOG_ERROR(LABEL, "Token Id create failed"); - return ERR_TOKENID_CREATE_FAILED; + return ERR_OK; +} + +int AccessTokenInfoManager::CreateHapTokenInfo( + const HapInfoParams& info, const HapPolicyParams& policy, AccessTokenIDEx& tokenIdEx) +{ + if (CheckHapInfoParam(info, policy) != ERR_OK) { + return AccessTokenError::ERR_PARAM_INVALID; + } + AccessTokenID tokenId = info.tokenID; + if (info.isRestore) { + ACCESSTOKEN_LOG_INFO(LABEL, "isRestore is true, tokenId is %{public}u", tokenId); + int32_t res = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_HAP); + if (res != RET_SUCCESS) { + ACCESSTOKEN_LOG_ERROR(LABEL, "Token Id register failed, res is %{public}d", res); + return res; + } + } else { + int32_t dlpFlag = (info.dlpType > DLP_COMMON) ? 1 : 0; + int32_t cloneFlag = ((dlpFlag == 0) && (info.instIndex) > 0) ? 
1 : 0; + tokenId = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(TOKEN_HAP, dlpFlag, cloneFlag); + if (tokenId == 0) { + ACCESSTOKEN_LOG_ERROR(LABEL, "Token Id create failed"); + return ERR_TOKENID_CREATE_FAILED; + } } PermissionManager::GetInstance().AddDefPermissions(policy.permList, tokenId, false); #ifdef SUPPORT_SANDBOX_APP std::shared_ptr tokenInfo; + HapPolicyParams policyNew = policy; if (info.dlpType != DLP_COMMON) { - HapPolicyParams policyNew; GetPolicyCopied(policy, policyNew); DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo(info.dlpType, policyNew.permStateList); - tokenInfo = std::make_shared(tokenId, info, policyNew); - } else { - tokenInfo = std::make_shared(tokenId, info, policy); } + tokenInfo = std::make_shared(tokenId, info, policyNew); #else std::shared_ptr tokenInfo = std::make_shared(tokenId, info, policy); #endif @@ -590,8 +606,9 @@ int AccessTokenInfoManager::CreateHapTokenInfo( PermissionManager::GetInstance().RemoveDefPermissions(tokenId); return ret; } - ACCESSTOKEN_LOG_INFO(LABEL, "Create hap token %{public}u bundleName %{public}s user %{public}d inst %{public}d ok", - tokenId, tokenInfo->GetBundleName().c_str(), tokenInfo->GetUserID(), tokenInfo->GetInstIndex()); + ACCESSTOKEN_LOG_INFO(LABEL, + "Create hap token %{public}u bundleName %{public}s user %{public}d inst %{public}d isRestore %{public}d ok", + tokenId, tokenInfo->GetBundleName().c_str(), tokenInfo->GetUserID(), tokenInfo->GetInstIndex(), info.isRestore); AllocAccessTokenIDEx(info, tokenId, tokenIdEx); AddHapTokenInfoToDb(tokenId, tokenInfo); return RET_SUCCESS; -- Gitee
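Review bot: In the restore branch of CreateHapTokenInfo the token ID is chosen by the caller (HapInfoParcel::Unmarshalling reads it from the parcel), and the only check before `RegisterTokenId(tokenId, TOKEN_HAP)` is `info.tokenID == INVALID_TOKENID` in CheckHapInfoParam. The non-restore branch derives dlpFlag and cloneFlag from info.dlpType and info.instIndex when it creates an ID, but nothing visible here confirms that a restored ID agrees with those values, so unless RegisterTokenId enforces it (its body is not in this patch) a token can be registered under an ID whose attributes contradict its HapInfoParams. I would extend CheckHapInfoParam to reject a restore ID that is inconsistent with info, and confirm that the service entry point only honours `isRestore` from callers entitled to reuse an ID. Separately, `HapPolicyParams policyNew = policy;` already copies the whole policy, so the following `GetPolicyCopied(policy, policyNew);` is redundant, and if that helper appends to the lists (its body is outside the hunk) sandbox tokens would end up with duplicated permission entries; dropping the call avoids that.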