From 14678a61932e5a00b76cee1b0b0c55e8ddd9cfca Mon Sep 17 00:00:00 2001
From: wuliushuan
Date: Tue, 22 Apr 2025 16:19:21 +0800
Subject: [PATCH] =?UTF-8?q?=E6=BC=8F=E6=B4=9EOpenHarmony-4.1-Release=20250?= =?UTF-8?q?423?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: wuliushuan
Change-Id: Iab65d790eb9a4fdda3174f48d506fe545656e09e
---
 .../test/unittest/src/privacy_kit_test.cpp | 71 +++++++++++++++++++
 .../src/service/accesstoken_manager_stub.cpp | 12 ++++
 .../src/service/privacy_manager_stub.cpp | 25 +++++++
 3 files changed, 108 insertions(+)

diff --git a/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp b/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp
index 03d5c9cd6..38c9d7c64 100644
--- a/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp
+++ b/interfaces/innerkits/privacy/test/unittest/src/privacy_kit_test.cpp
@@ -617,6 +617,23 @@ HWTEST_F(PrivacyKitTest, RemovePermissionUsedRecords003, TestSize.Level1)
 ASSERT_EQ(static_cast(0), result.bundleRecords.size());
 }
 
+/**
+ * @tc.name: RemovePermissionUsedRecords004
+ * @tc.desc: RemovePermissionUsedRecords caller is normal app.
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(PrivacyKitTest, RemovePermissionUsedRecords004, TestSize.Level1)
+{
+ AccessTokenIDEx tokenIdEx = {0};
+ tokenIdEx = AccessTokenKit::AllocHapToken(g_normalInfoParms, g_policyPramsA);
+ ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx);
+ EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
+ ASSERT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP,
+ PrivacyKit::RemovePermissionUsedRecords(tokenIdEx.tokenIdExStruct.tokenID, ""));
+ EXPECT_EQ(0, AccessTokenKit::DeleteToken(tokenIdEx.tokenIdExStruct.tokenID));
+}
+
 /**
 * @tc.name: GetPermissionUsedRecords001
 * @tc.desc: cannot GetPermissionUsedRecords with invalid query time and flag.
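Review bot: In RemovePermissionUsedRecords004 the call under test is checked with a fatal `ASSERT_EQ`, so when that assertion fails the `DeleteToken` line after it never runs and the normal-app token stays allocated for later tests. Checking the result with `EXPECT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP, ...)` keeps the cleanup reachable. The test also leaves the process running under the normal-app identity set by `SetSelfTokenID`; if the fixture's TearDown (outside this hunk) does not restore the original self token, it should be saved and restored in the test body.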
@@ -790,6 +807,25 @@ HWTEST_F(PrivacyKitTest, GetPermissionUsedRecordsAsync002, TestSize.Level1)
 ASSERT_EQ(RET_NO_ERROR, PrivacyKit::GetPermissionUsedRecords(request, callback));
 }
 
+/**
+ * @tc.name: GetPermissionUsedRecordsAsync004
+ * @tc.desc: cannot GetPermissionUsedRecordsAsync without permission.
+ * @tc.type: FUNC
+ * @tc.require: issueI5P4IU
+ */
+HWTEST_F(PrivacyKitTest, GetPermissionUsedRecordsAsync004, TestSize.Level1)
+{
+ AccessTokenIDEx tokenIdEx = {0};
+ tokenIdEx = AccessTokenKit::AllocHapToken(g_normalInfoParms, g_policyPramsA);
+ ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx);
+ EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
+ PermissionUsedRequest request;
+ std::vector permissionList;
+ BuildQueryRequest(g_tokenIdA, GetLocalDeviceUdid(), "", permissionList, request);
+ OHOS::sptr callback(new TestCallBack());
+ ASSERT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP, PrivacyKit::GetPermissionUsedRecords(request, callback));
+}
+
 class CbCustomizeTest1 : public PermActiveStatusCustomizedCbk {
 public:
 explicit CbCustomizeTest1(const std::vector &permList)
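Review bot: GetPermissionUsedRecordsAsync004 allocates a HAP token with `AllocHapToken` and switches to it but never calls `AccessTokenKit::DeleteToken`, unlike RemovePermissionUsedRecords004 in the same commit; IsAllowedUsingPermission003 and StartUsingPermission014 have the same gap. Ending each of them with `EXPECT_EQ(0, AccessTokenKit::DeleteToken(tokenIdEx.tokenIdExStruct.tokenID));` keeps test identities from accumulating across cases, unless TearDown (not visible here) already removes them. The `@tc.desc` says "without permission" while the assertion expects `ERR_NOT_SYSTEM_APP`; `cannot GetPermissionUsedRecordsAsync when caller is normal app.` would describe what is actually tested.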
@@ -1161,6 +1197,23 @@ HWTEST_F(PrivacyKitTest, IsAllowedUsingPermission002, TestSize.Level1)
 std::string permissionName = "ohos.permission.CAMERA";
 ASSERT_EQ(false, PrivacyKit::IsAllowedUsingPermission(g_tokenIdE, permissionName));
 }
+
+/**
+ * @tc.name: IsAllowedUsingPermission003
+ * @tc.desc: IsAllowedUsingPermission with no permission.
+ * @tc.type: FUNC
+ * @tc.require: issueI5RWX3 issueI5RWX8
+ */
+HWTEST_F(PrivacyKitTest, IsAllowedUsingPermission003, TestSize.Level1)
+{
+ AccessTokenIDEx tokenIdEx = {0};
+ tokenIdEx = AccessTokenKit::AllocHapToken(g_systemInfoParms, g_policyPramsA);
+ ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx);
+ EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
+ std::string permissionName = "ohos.permission.CAMERA";
+ ASSERT_EQ(false, PrivacyKit::IsAllowedUsingPermission(g_tokenIdE, permissionName));
+}
+
 /**
 * @tc.name: StartUsingPermission001
 * @tc.desc: StartUsingPermission with invalid tokenId or permission.
@@ -1337,6 +1390,24 @@ HWTEST_F(PrivacyKitTest, StartUsingPermission010, TestSize.Level1)
 ASSERT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP, PrivacyKit::StartUsingPermission(g_tokenIdE, permissionName));
 }
 
+/**
+ * @tc.name: StartUsingPermission014
+ * @tc.desc: StartUsingPermission caller is normal app.
+ * @tc.type: FUNC
+ * @tc.require: issueI5RWX5 issueI5RWX3 issueI5RWXA
+ */
+HWTEST_F(PrivacyKitTest, StartUsingPermission014, TestSize.Level1)
+{
+ AccessTokenIDEx tokenIdEx = {0};
+ tokenIdEx = AccessTokenKit::AllocHapToken(g_normalInfoParms, g_policyPramsA);
+ ASSERT_NE(INVALID_TOKENID, tokenIdEx.tokenIDEx);
+ EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
+ std::string permissionName = "ohos.permission.CAMERA";
+ auto callbackPtr = std::make_shared();
+ ASSERT_EQ(PrivacyError::ERR_NOT_SYSTEM_APP,
+ PrivacyKit::StartUsingPermission(g_tokenIdE, permissionName, callbackPtr));
+}
+
 /**
 * @tc.name: StopUsingPermission001
 * @tc.desc: StopUsingPermission with invalid tokenId or permission.
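Review bot: IsAllowedUsingPermission003 cannot show which check rejected the call, because its only assertion is `ASSERT_EQ(false, ...)` and, in the hunks of this patch, every rejection path of `IsAllowedUsingPermissionInner` replies `false`. The token is built from `g_systemInfoParms`, so the test appears to exercise the permission check rather than the system-app check this commit adds, and its assertion is identical to the one in IsAllowedUsingPermission002. A case allocated from `g_normalInfoParms` would at least execute the new branch, and the `@tc.desc` should state the caller type being tested instead of "with no permission".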
diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
index d2b955f88..2a665559e 100644
--- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
+++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
@@ -142,6 +142,18 @@ void AccessTokenManagerStub::GetDefPermissionsInner(MessageParcel& data, Message
 
 void AccessTokenManagerStub::GetReqPermissionsInner(MessageParcel& data, MessageParcel& reply)
 {
+ unsigned int callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ reply.WriteInt32(AccessTokenError::ERR_NOT_SYSTEM_APP);
+ return;
+ }
+ if (!IsPrivilegedCalling() &&
+ VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "Permission denied(tokenID=%{public}d)", callingTokenID);
+ reply.WriteInt32(AccessTokenError::ERR_PERMISSION_DENIED);
+ return;
+ }
+
 AccessTokenID tokenID = data.ReadUint32();
 int isSystemGrant = data.ReadInt32();
 std::vector permList;
diff --git a/services/privacymanager/src/service/privacy_manager_stub.cpp b/services/privacymanager/src/service/privacy_manager_stub.cpp
index bda6c7b6a..a419be486 100644
--- a/services/privacymanager/src/service/privacy_manager_stub.cpp
+++ b/services/privacymanager/src/service/privacy_manager_stub.cpp
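Review bot: The new `ERR_NOT_SYSTEM_APP` rejection in `GetReqPermissionsInner` returns without logging, while the permission-denied branch right after it records the caller; a line such as `ACCESSTOKEN_LOG_ERROR(LABEL, "Not system app(tokenID=%{public}u)", callingTokenID);` before the `reply.WriteInt32(...)` gives both denial paths an audit trail. `callingTokenID` is `unsigned int` but is printed with `%{public}d`, so token IDs above INT_MAX show up as negative numbers in the log; `%{public}u` matches the type, and the same applies to the log line added to `IsAllowedUsingPermissionInner` in privacy_manager_stub.cpp. The function body continues past the end of the hunk.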
@@ -124,6 +124,12 @@ void PrivacyManagerStub::StartUsingPermissionInner(MessageParcel& data, MessageP
 
 void PrivacyManagerStub::StartUsingPermissionCallbackInner(MessageParcel& data, MessageParcel& reply)
 {
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
+ return;
+ }
+
 if (!VerifyPermission(PERMISSION_USED_STATS)) {
 reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
 return;
@@ -159,6 +165,12 @@ void PrivacyManagerStub::StopUsingPermissionInner(MessageParcel& data, MessagePa
 
 void PrivacyManagerStub::RemovePermissionUsedRecordsInner(MessageParcel& data, MessageParcel& reply)
 {
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
+ return;
+ }
+
 if (!IsAccessTokenCalling() && !VerifyPermission(PERMISSION_USED_STATS)) {
 reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
 return;
@@ -195,6 +207,12 @@ void PrivacyManagerStub::GetPermissionUsedRecordsInner(MessageParcel& data, Mess
 
 void PrivacyManagerStub::GetPermissionUsedRecordsAsyncInner(MessageParcel& data, MessageParcel& reply)
 {
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP);
+ return;
+ }
+
 if (!VerifyPermission(PERMISSION_USED_STATS)) {
 reply.WriteInt32(PrivacyError::ERR_PERMISSION_DENIED);
 return;
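Review bot: The four-line caller check added to `StartUsingPermissionCallbackInner` is copied verbatim into `RemovePermissionUsedRecordsInner`, `GetPermissionUsedRecordsAsyncInner` and `IsAllowedUsingPermissionInner`; as an authorization gate it is safer kept in one private helper, so a later change to the rule cannot miss a handler. Each site would then read `if (IsNormalHapCalling()) { reply.WriteInt32(PrivacyError::ERR_NOT_SYSTEM_APP); return; }`, where `IsNormalHapCalling` is only a suggested name for a helper wrapping the `GetTokenTypeFlag(...) == TOKEN_HAP && !IsSystemAppCalling()` test. The three `ERR_NOT_SYSTEM_APP` branches in these hunks also return without a log line, unlike the one in `IsAllowedUsingPermissionInner`. Whether the remaining handlers of this stub already carry the check cannot be seen from these hunks.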
@@ -271,6 +289,13 @@ void PrivacyManagerStub::UnRegisterPermActiveStatusCallbackInner(MessageParcel&
 
 void PrivacyManagerStub::IsAllowedUsingPermissionInner(MessageParcel& data, MessageParcel& reply)
 {
+ uint32_t callingTokenID = IPCSkeleton::GetCallingTokenID();
+ if ((AccessTokenKit::GetTokenTypeFlag(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "Permission denied(tokenID=%{public}d)", callingTokenID);
+ reply.WriteBool(false);
+ return;
+ }
+
 if (!VerifyPermission(PERMISSION_USED_STATS)) {
 reply.WriteBool(false);
 return;
-- 
Gitee
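Review bot: The log added to `IsAllowedUsingPermissionInner` says "Permission denied" for a caller that was rejected for not being a system app, while the actual permission failure from `VerifyPermission` just below is not logged at all. Wording it `"Caller is not a system app(tokenID=%{public}u)"` keeps the two causes apart when denial logs are triaged. Because both branches reply `false`, the log is the only place where the reason for a rejection is visible. The function continues outside the hunk.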