From f248dd3d0e838b4c446c64b544b459ca11045e80 Mon Sep 17 00:00:00 2001 From: lsq Date: Wed, 22 Jun 2022 16:51:24 +0800 Subject: [PATCH 1/3] =?UTF-8?q?=E6=B8=85=E7=A9=BA=E6=8E=88=E6=9D=83?= =?UTF-8?q?=E7=8A=B6=E6=80=81=E6=97=B6=EF=BC=8C=E4=B8=8D=E6=B8=85=E7=A9=BA?= =?UTF-8?q?user=5Fgrant=E9=A2=84=E6=8E=88=E6=9D=83=E7=9A=84=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=8A=B6=E6=80=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: lsq Change-Id: Ice7b246695c1e2e77ecdee9b2aa13e7e8e0a30f4 --- frameworks/common/src/data_validator.cpp | 10 ++-- .../accesstoken/include/access_token.h | 1 + .../unittest/src/accesstoken_kit_test.cpp | 58 ++++++++++++++++++- .../permission/permission_policy_set.h | 1 + .../cpp/src/permission/permission_manager.cpp | 14 +---- .../src/permission/permission_policy_set.cpp | 25 +++++++- .../src/permission/permission_validator.cpp | 5 +- 7 files changed, 92 insertions(+), 22 deletions(-) diff --git a/frameworks/common/src/data_validator.cpp b/frameworks/common/src/data_validator.cpp index 92bda34ee..8bcce5d07 100644 --- a/frameworks/common/src/data_validator.cpp +++ b/frameworks/common/src/data_validator.cpp @@ -76,10 +76,12 @@ bool DataValidator::IsDcapValid(const std::string& dcap) bool DataValidator::IsPermissionFlagValid(int flag) { - return flag == PermissionFlag::PERMISSION_DEFAULT_FLAG || - flag == PermissionFlag::PERMISSION_USER_SET || - flag == PermissionFlag::PERMISSION_USER_FIXED || - flag == PermissionFlag::PERMISSION_SYSTEM_FIXED; + int flagUnmasked = flag & (~PermissionFlag::PERMISSION_GRANTED_BY_POLICY); + + return flagUnmasked == PermissionFlag::PERMISSION_DEFAULT_FLAG || + flagUnmasked == PermissionFlag::PERMISSION_USER_SET || + flagUnmasked == PermissionFlag::PERMISSION_USER_FIXED || + flagUnmasked == PermissionFlag::PERMISSION_SYSTEM_FIXED; } bool DataValidator::IsTokenIDValid(AccessTokenID id) 
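Review bot: After this change `IsPermissionFlagValid` accepts each of the four states with `PERMISSION_GRANTED_BY_POLICY` also set, so every caller that uses it to vet a flag now lets the policy bit through. `PermissionValidator::IsPermissionFlagValid` delegates here in the same patch, and patch 3/3 keeps the logic with an unsigned type. If this validator also guards flags supplied on the grant/revoke path (not visible in this diff), a caller could set the bit on a user-granted permission, and `ResetUserGrantPermissionStatus` would then restore that permission to granted on every clear. Consider keeping the strict check for caller-supplied flags and accepting the bit only where install-time state lists are validated, or stripping it before the value is stored.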
diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h index b5f3e732b..0834e0b78 100644 --- a/interfaces/innerkits/accesstoken/include/access_token.h +++ b/interfaces/innerkits/accesstoken/include/access_token.h @@ -75,6 +75,7 @@ typedef enum TypePermissionFlag { PERMISSION_USER_SET = 1 << 0, PERMISSION_USER_FIXED = 1 << 1, PERMISSION_SYSTEM_FIXED = 1 << 2, + PERMISSION_GRANTED_BY_POLICY = 1 << 3, } PermissionFlag; typedef enum TypePermissionOper { diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp index d665400f7..d3e6b6b74 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp @@ -213,7 +213,7 @@ void AccessTokenKitTest::SetUp() .isGeneral = true, .resDeviceID = {"device"}, .grantStatus = {PermissionState::PERMISSION_GRANTED}, - .grantFlags = {PermissionFlag::PERMISSION_USER_SET} + .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED} }; PermissionStateFull permTestState1 = { .grantFlags = {0}, 
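Review bot: `PERMISSION_GRANTED_BY_POLICY` is added to the innerkits enum without a comment, and unlike the values above it, it is a modifier bit combined with them rather than a state of its own (the new test uses `PERMISSION_GRANTED_BY_POLICY | PERMISSION_USER_FIXED`). A comment on the enumerator should say so, for example `/* modifier bit: user_grant permission pre-granted by policy; kept across ClearUserGrantedPermissionState */`. It should also state who is allowed to set it, since `QueryPermissionFlag` masks it out of what callers read back.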
@@ -957,6 +957,62 @@ HWTEST_F(AccessTokenKitTest, ClearUserGrantedPermissionState003, TestSize.Level0 } } +/** + * @tc.name: ClearUserGrantedPermissionState004 + * @tc.desc: Clear user/system granted permission after ClearUserGrantedPermissionState has been invoked. + * @tc.type: FUNC + * @tc.require:AR000GK6TF AR000GK6TG + */ +HWTEST_F(AccessTokenKitTest, ClearUserGrantedPermissionState004, TestSize.Level0) +{ + AccessTokenIDEx tokenIdEx = {0}; + OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState1 = { + .permissionName = "ohos.permission.CAMERA", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_GRANTED}, + .grantFlags = {PERMISSION_GRANTED_BY_POLICY | PERMISSION_DEFAULT_FLAG} + }; + OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState2 = { + .permissionName = "ohos.permission.SEND_MESSAGES", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_DENIED}, + .grantFlags = {PERMISSION_GRANTED_BY_POLICY | PERMISSION_USER_FIXED} + }; + OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState3 = { + .permissionName = "ohos.permission.RECEIVE_SMS", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_GRANTED}, + .grantFlags = {PERMISSION_USER_FIXED} + }; + OHOS::Security::AccessToken::HapPolicyParams infoManagerTestPolicyPrams = { + .apl = OHOS::Security::AccessToken::ATokenAplEnum::APL_NORMAL, + .domain = "test.domain", + .permList = {g_infoManagerTestPermDef1}, + .permStateList = {infoManagerTestState1, infoManagerTestState2, infoManagerTestState3} + }; + tokenIdEx = AccessTokenKit::AllocHapToken(g_infoManagerTestInfoParms, infoManagerTestPolicyPrams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(0, tokenID); + int ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenID); + 
ASSERT_EQ(RET_SUCCESS, ret); + + ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.CAMERA"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + + ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.SEND_MESSAGES"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + + ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.RECEIVE_SMS"); + ASSERT_EQ(PERMISSION_DENIED, ret); + + ret = AccessTokenKit::DeleteToken(tokenID); + ASSERT_EQ(RET_SUCCESS, ret); + +} + /** * @tc.name: GetTokenType001 * @tc.desc: get the token type. diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h b/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h index 6f600f4f9..6855b4b39 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h @@ -51,6 +51,7 @@ public: const std::vector& nativeAcls); void PermStateToString(int32_t tokenApl, const std::vector& nativeAcls, std::string& info); void GetPermissionStateList(std::vector& stateList); + void ResetUserGrantPermissionStatus(void); private: static void MergePermissionStateFull(std::vector& permStateList, diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 04c3947f1..dcbaf52b5 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp 
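Review bot: `ClearUserGrantedPermissionState004` only checks `VerifyAccessToken` results, so it never observes the flag values that `ResetUserGrantPermissionStatus` writes. It also has no entry carrying `PERMISSION_SYSTEM_FIXED`, which leaves the branch that skips such entries uncovered. A fourth state with `PERMISSION_SYSTEM_FIXED` plus an assertion on the flag read back after the clear would pin both. The `@tc.desc` text says "Clear user/system granted permission", but the assertions verify that policy pre-granted permissions survive the clear; the description should say that.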
@@ -265,11 +265,11 @@ void PermissionManager::GetSelfPermissionState(std::vector if (goalGrantStatus == PERMISSION_DENIED) { if ((goalGrantFlags == PERMISSION_DEFAULT_FLAG) || - (goalGrantFlags == PERMISSION_USER_SET)) { + ((goalGrantFlags & PERMISSION_USER_SET) != 0)) { permState.state = DYNAMIC_OPER; return; } - if (goalGrantFlags == PERMISSION_USER_FIXED) { + if ((goalGrantFlags & PERMISSION_USER_FIXED) != 0) { permState.state = SETTING_OPER; return; } @@ -387,15 +387,7 @@ void PermissionManager::ClearUserGrantedPermissionState(AccessTokenID tokenID) return; } - std::vector permList; - permPolicySet->GetPermissionStateFulls(permList); - for (auto& perm : permList) { - PermissionDef permDef; - bool isGranted = false; - GetDefPermission(perm.permissionName, permDef); - isGranted = (permDef.grantMode == SYSTEM_GRANT) ? true : false; - permPolicySet->UpdatePermissionStatus(perm.permissionName, isGranted, PERMISSION_DEFAULT_FLAG); - } + permPolicySet->ResetUserGrantPermissionStatus(); } std::string PermissionManager::TransferPermissionDefToString(const PermissionDef& inPermissionDef) diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp index 7b770235a..88f445c8d 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp @@ -169,7 +169,7 @@ int PermissionPolicySet::QueryPermissionFlag(const std::string& permissionName) for (auto perm : permStateList_) { if (perm.permissionName == permissionName) { if (perm.isGeneral) { - return perm.grantFlags[0]; + return perm.grantFlags[0] & (~PERMISSION_GRANTED_BY_POLICY); } else { return PERMISSION_DEFAULT_FLAG; } 
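Review bot: The first operand `goalGrantFlags == PERMISSION_DEFAULT_FLAG` is still an exact comparison, while the other two checks in this hunk became bit tests. A denied permission whose stored flag is the default flag plus `PERMISSION_GRANTED_BY_POLICY` (for example after `UpdatePermissionStatus` is called with `isGranted` false and the default flag) therefore matches none of the three checks and falls through to code outside the hunk. Masking the policy bit first keeps the previous behaviour: `(goalGrantFlags & ~PERMISSION_GRANTED_BY_POLICY) == PERMISSION_DEFAULT_FLAG`. The bit tests also mean a value with both `PERMISSION_USER_SET` and `PERMISSION_USER_FIXED` now resolves to `DYNAMIC_OPER`; confirm that order is intended. Patch 2/3 retypes `goalGrantFlags` but leaves this comparison unchanged.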
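Review bot: The removed loop granted a permission when its definition's `grantMode` was `SYSTEM_GRANT`. The replacement call decides only from the stored flags, so a system_grant permission whose flag is not `PERMISSION_SYSTEM_FIXED` is now set to `PERMISSION_DENIED` by a clear. The old code itself stored `PERMISSION_DEFAULT_FLAG` for those entries, so tokens cleared before this change would take that path; the `SetUp` fixture change in this patch from `PERMISSION_USER_SET` to `PERMISSION_SYSTEM_FIXED` looks related. Either keep the grant-mode lookup for entries without the fixed bit, or document and enforce that system_grant states always carry `PERMISSION_SYSTEM_FIXED`. The rest of `ClearUserGrantedPermissionState` is outside the hunk.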
@@ -185,7 +185,7 @@ void PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionNa if (perm.permissionName == permissionName) { if (perm.isGeneral) { perm.grantStatus[0] = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED; - perm.grantFlags[0] = flag; + perm.grantFlags[0] = flag | (perm.grantFlags[0] & PERMISSION_GRANTED_BY_POLICY); } else { return; } @@ -193,6 +193,27 @@ void PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionNa } } +void PermissionPolicySet::ResetUserGrantPermissionStatus(void) +{ + Utils::UniqueWriteGuard infoGuard(this->permPolicySetLock_); + for (auto& perm : permStateList_) { + if (perm.isGeneral) { + if ((perm.grantFlags[0] & PERMISSION_SYSTEM_FIXED) != 0) { + continue; + } + if ((perm.grantFlags[0] & PERMISSION_GRANTED_BY_POLICY) != 0) { + perm.grantStatus[0] = PERMISSION_GRANTED; + perm.grantFlags[0] = PERMISSION_GRANTED_BY_POLICY | PERMISSION_DEFAULT_FLAG; + continue; + } + perm.grantStatus[0] = PERMISSION_DENIED; + perm.grantFlags[0] = PERMISSION_DEFAULT_FLAG; + } else { + continue; + } + } +} + void PermissionPolicySet::GetPermissionStateList(std::vector& stateList) { Utils::UniqueReadGuard infoGuard(this->permPolicySetLock_); diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp index 7f46cae37..83c5af20f 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp 
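Review bot: `flag` is OR-ed into the stored value unfiltered, so a `flag` argument that already contains `PERMISSION_GRANTED_BY_POLICY` sets the policy bit on an entry that never had it. The relaxed `IsPermissionFlagValid` in this series no longer rejects such a value. Since `ResetUserGrantPermissionStatus` re-grants every entry with that bit, the bit should only ever come from the stored state: `perm.grantFlags[0] = (flag & ~PERMISSION_GRANTED_BY_POLICY) | (perm.grantFlags[0] & PERMISSION_GRANTED_BY_POLICY);`. Patch 2/3 rewrites this line with unsigned temporaries and `UpdateTokenPermissionState` casts its `flag` straight into the call, so the same mask is needed in that version. The function body starts outside the hunk.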
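Review bot: `ResetUserGrantPermissionStatus` sets every entry with `PERMISSION_GRANTED_BY_POLICY` to `PERMISSION_GRANTED`, including one the user had denied with `PERMISSION_USER_FIXED` (the SEND_MESSAGES case in the new test expects exactly this). If that is the intended meaning of a clear, the function needs a comment saying so, because it reads as a reset but can widen access: `// Restores install-time defaults: policy pre-granted entries return to GRANTED, SYSTEM_FIXED entries are untouched, all others become DENIED.` As a style point, the trailing `else { continue; }` and the nesting can be replaced by an early `if (!perm.isGeneral) { continue; }`.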
@@ -35,10 +35,7 @@ bool PermissionValidator::IsGrantStatusValid(int grantStaus) bool PermissionValidator::IsPermissionFlagValid(int flag) { - return flag == PermissionFlag::PERMISSION_DEFAULT_FLAG || - flag == PermissionFlag::PERMISSION_USER_SET || - flag == PermissionFlag::PERMISSION_USER_FIXED || - flag == PermissionFlag::PERMISSION_SYSTEM_FIXED; + return DataValidator::IsPermissionFlagValid(flag); } bool PermissionValidator::IsPermissionNameValid(const std::string& permissionName) -- Gitee From 37653aa1ea5a06b7944f3687f86e7124cf06ce0f Mon Sep 17 00:00:00 2001 From: lsq Date: Tue, 28 Jun 2022 19:41:07 +0800 Subject: [PATCH 2/3] =?UTF-8?q?=E4=BD=8D=E8=BF=90=E7=AE=97=E8=A7=84?= =?UTF-8?q?=E8=8C=83?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: lsq Change-Id: I837f9bfee96479ac1fa1edc77814ae439182626c --- .../test/unittest/src/accesstoken_kit_test.cpp | 1 - .../include/permission/permission_policy_set.h | 2 +- .../cpp/src/permission/permission_manager.cpp | 6 +++--- .../src/permission/permission_policy_set.cpp | 17 +++++++++++------ 4 files changed, 15 insertions(+), 11 deletions(-) diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp index d3e6b6b74..d0373c59c 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp @@ -1010,7 +1010,6 @@ HWTEST_F(AccessTokenKitTest, ClearUserGrantedPermissionState004, TestSize.Level0 ret = AccessTokenKit::DeleteToken(tokenID); ASSERT_EQ(RET_SUCCESS, ret); - } /** diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h b/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h index 6855b4b39..b90de3968 100644 
--- a/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h @@ -45,7 +45,7 @@ public: void GetDefPermissions(std::vector& permList); void GetPermissionStateFulls(std::vector& permList); int QueryPermissionFlag(const std::string& permissionName); - void UpdatePermissionStatus(const std::string& permissionName, bool isGranted, int flag); + void UpdatePermissionStatus(const std::string& permissionName, bool isGranted, uint32_t flag); void ToString(std::string& info); bool IsPermissionReqValid(int32_t tokenApl, const std::string& permissionName, const std::vector& nativeAcls); diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index dcbaf52b5..984a4afe2 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -239,14 +239,14 @@ void PermissionManager::GetSelfPermissionState(std::vector { bool foundGoal = false; int32_t goalGrantStatus; - int32_t goalGrantFlags; + uint32_t goalGrantFlags; for (auto& perm : permsList) { if (perm.permissionName == permState.permissionName) { ACCESSTOKEN_LOG_INFO(LABEL, "find goal permission: %{public}s!", permState.permissionName.c_str()); foundGoal = true; goalGrantStatus = perm.grantStatus[0]; - goalGrantFlags = perm.grantFlags[0]; + goalGrantFlags = static_cast(perm.grantFlags[0]); break; } } @@ -320,7 +320,7 @@ void PermissionManager::UpdateTokenPermissionState( return; } - permPolicySet->UpdatePermissionStatus(permissionName, isGranted, flag); + permPolicySet->UpdatePermissionStatus(permissionName, isGranted, static_cast(flag)); #ifdef TOKEN_SYNC_ENABLE TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID); #endif 
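Review bot: `UpdatePermissionStatus` now takes `uint32_t` while `QueryPermissionFlag` on the line above still returns `int` and `grantFlags[0]` is still written through casts, so each call site touched by this patch converts back and forth. Using one type for flag values across the class would remove the casts added in `permission_manager.cpp` and `permission_policy_set.cpp`. If the signed storage has to stay, a single private helper that strips or preserves the policy bit would keep the conversions and the masking in one place.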
diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp index 88f445c8d..06396f982 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp @@ -169,7 +169,9 @@ int PermissionPolicySet::QueryPermissionFlag(const std::string& permissionName) for (auto perm : permStateList_) { if (perm.permissionName == permissionName) { if (perm.isGeneral) { - return perm.grantFlags[0] & (~PERMISSION_GRANTED_BY_POLICY); + uint32_t oldFlag = static_cast(perm.grantFlags[0]); + uint32_t unmaskedFlag = (oldFlag) & (~PERMISSION_GRANTED_BY_POLICY); + return static_cast(unmaskedFlag); } else { return PERMISSION_DEFAULT_FLAG; } @@ -178,14 +180,16 @@ int PermissionPolicySet::QueryPermissionFlag(const std::string& permissionName) return PERMISSION_DEFAULT_FLAG; } -void PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionName, bool isGranted, int flag) +void PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionName, bool isGranted, uint32_t flag) { Utils::UniqueWriteGuard infoGuard(this->permPolicySetLock_); for (auto& perm : permStateList_) { if (perm.permissionName == permissionName) { if (perm.isGeneral) { perm.grantStatus[0] = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED; - perm.grantFlags[0] = flag | (perm.grantFlags[0] & PERMISSION_GRANTED_BY_POLICY); + uint32_t currFlag = static_cast(perm.grantFlags[0]); + uint32_t newFlag = flag | (currFlag & PERMISSION_GRANTED_BY_POLICY); + perm.grantFlags[0] = static_cast(newFlag); } else { return; } 
@@ -198,12 +202,13 @@ void PermissionPolicySet::ResetUserGrantPermissionStatus(void) Utils::UniqueWriteGuard infoGuard(this->permPolicySetLock_); for (auto& perm : permStateList_) { if (perm.isGeneral) { - if ((perm.grantFlags[0] & PERMISSION_SYSTEM_FIXED) != 0) { + uint32_t oldFlag = static_cast(perm.grantFlags[0]); + if ((oldFlag & PERMISSION_SYSTEM_FIXED) != 0) { continue; } - if ((perm.grantFlags[0] & PERMISSION_GRANTED_BY_POLICY) != 0) { + if ((oldFlag & PERMISSION_GRANTED_BY_POLICY) != 0) { perm.grantStatus[0] = PERMISSION_GRANTED; - perm.grantFlags[0] = PERMISSION_GRANTED_BY_POLICY | PERMISSION_DEFAULT_FLAG; + perm.grantFlags[0] = PERMISSION_GRANTED_BY_POLICY; continue; } perm.grantStatus[0] = PERMISSION_DENIED; -- Gitee From 71ed1c0d13bb83ceb1673b08569815c144891b54 Mon Sep 17 00:00:00 2001 From: lsq Date: Tue, 28 Jun 2022 20:09:18 +0800 Subject: [PATCH 3/3] Signed-off-by: lsq Change-Id: Ib1a71415659562031c6ae48c7cf780e248505254 Change-Id: If4071fbae4b9aa36e5df7e17d682c936b6956b80 --- frameworks/common/src/data_validator.cpp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/frameworks/common/src/data_validator.cpp b/frameworks/common/src/data_validator.cpp index 8bcce5d07..80fde5efa 100644 --- a/frameworks/common/src/data_validator.cpp +++ b/frameworks/common/src/data_validator.cpp 
@@ -76,12 +76,13 @@ bool DataValidator::IsDcapValid(const std::string& dcap) bool DataValidator::IsPermissionFlagValid(int flag) { - int flagUnmasked = flag & (~PermissionFlag::PERMISSION_GRANTED_BY_POLICY); + uint32_t unmaskedFlag = + static_cast(flag) & (~PermissionFlag::PERMISSION_GRANTED_BY_POLICY); - return flagUnmasked == PermissionFlag::PERMISSION_DEFAULT_FLAG || - flagUnmasked == PermissionFlag::PERMISSION_USER_SET || - flagUnmasked == PermissionFlag::PERMISSION_USER_FIXED || - flagUnmasked == PermissionFlag::PERMISSION_SYSTEM_FIXED; + return unmaskedFlag == PermissionFlag::PERMISSION_DEFAULT_FLAG || + unmaskedFlag == PermissionFlag::PERMISSION_USER_SET || + unmaskedFlag == PermissionFlag::PERMISSION_USER_FIXED || + unmaskedFlag == PermissionFlag::PERMISSION_SYSTEM_FIXED; } bool DataValidator::IsTokenIDValid(AccessTokenID id) -- Gitee