diff --git a/frameworks/common/src/data_validator.cpp b/frameworks/common/src/data_validator.cpp
index 92bda34ee5ad11cbbcef602800c32962e8b243b8..80fde5efa0d466653c23ab75670c0b8e6342378d 100644
--- a/frameworks/common/src/data_validator.cpp
+++ b/frameworks/common/src/data_validator.cpp
@@ -76,10 +76,13 @@ bool DataValidator::IsDcapValid(const std::string& dcap)
 bool DataValidator::IsPermissionFlagValid(int flag)
 {
- return flag == PermissionFlag::PERMISSION_DEFAULT_FLAG ||
- flag == PermissionFlag::PERMISSION_USER_SET ||
- flag == PermissionFlag::PERMISSION_USER_FIXED ||
- flag == PermissionFlag::PERMISSION_SYSTEM_FIXED;
+ uint32_t unmaskedFlag =
+ static_cast(flag) & (~PermissionFlag::PERMISSION_GRANTED_BY_POLICY);
+
+ return unmaskedFlag == PermissionFlag::PERMISSION_DEFAULT_FLAG ||
+ unmaskedFlag == PermissionFlag::PERMISSION_USER_SET ||
+ unmaskedFlag == PermissionFlag::PERMISSION_USER_FIXED ||
+ unmaskedFlag == PermissionFlag::PERMISSION_SYSTEM_FIXED;
 }
 bool DataValidator::IsTokenIDValid(AccessTokenID id)
diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h
index b5f3e732b9aeae3dae792da3c2bb510f0d3a88bc..0834e0b78c21d411ed5f9b32ea432e5a7642532b 100644
--- a/interfaces/innerkits/accesstoken/include/access_token.h
+++ b/interfaces/innerkits/accesstoken/include/access_token.h
@@ -75,6 +75,7 @@ typedef enum TypePermissionFlag {
 PERMISSION_USER_SET = 1 << 0,
 PERMISSION_USER_FIXED = 1 << 1,
 PERMISSION_SYSTEM_FIXED = 1 << 2,
+ PERMISSION_GRANTED_BY_POLICY = 1 << 3,
 } PermissionFlag;
 typedef enum TypePermissionOper {
diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp
index d665400f76cf797a368f481ef320773e5f46e10c..d0373c59c2c87dcc7e87bcdc9e3de24a014be732 100644
--- a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp
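Review bot: After this change `IsPermissionFlagValid` accepts any value that carries `PERMISSION_GRANTED_BY_POLICY`, and `PermissionPolicySet::UpdatePermissionStatus` (first hunk of permission_policy_set.cpp at `@@ -178,14`) ORs the caller's `flag` into the stored value without masking that bit. If this validator also gates caller-supplied flags on the grant/revoke path (not visible in this diff), a caller-supplied flag could mark a permission as policy-granted, and `ResetUserGrantPermissionStatus` would then restore it to `PERMISSION_GRANTED` instead of clearing it. The policy bit should only ever come from stored state: in `UpdatePermissionStatus` use `uint32_t newFlag = (flag & ~static_cast<uint32_t>(PERMISSION_GRANTED_BY_POLICY)) | (currFlag & PERMISSION_GRANTED_BY_POLICY);`, or reject the bit at the API boundary with a stricter check than the one applied to stored state.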
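Review bot: `PERMISSION_GRANTED_BY_POLICY` is added without any comment, yet it is the only enumerator the rest of the commit treats as a modifier bit OR-ed onto the others, while `IsPermissionFlagValid` still treats the remaining values as mutually exclusive. A comment on the new line would make that contract explicit, for example `// modifier bit: may be OR-ed with one of the flags above; preserved by UpdatePermissionStatus and ResetUserGrantPermissionStatus`. The enum body starts above the hunk, so its first enumerator is not visible here.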
+++ b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp
@@ -213,7 +213,7 @@ void AccessTokenKitTest::SetUp()
 .isGeneral = true,
 .resDeviceID = {"device"},
 .grantStatus = {PermissionState::PERMISSION_GRANTED},
- .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
+ .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED}
 };
 PermissionStateFull permTestState1 = {
 .grantFlags = {0},
@@ -957,6 +957,61 @@ HWTEST_F(AccessTokenKitTest, ClearUserGrantedPermissionState003, TestSize.Level0
 }
 }
+/**
+ * @tc.name: ClearUserGrantedPermissionState004
+ * @tc.desc: Clear user/system granted permission after ClearUserGrantedPermissionState has been invoked.
+ * @tc.type: FUNC
+ * @tc.require:AR000GK6TF AR000GK6TG
+ */
+HWTEST_F(AccessTokenKitTest, ClearUserGrantedPermissionState004, TestSize.Level0)
+{
+ AccessTokenIDEx tokenIdEx = {0};
+ OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState1 = {
+ .permissionName = "ohos.permission.CAMERA",
+ .isGeneral = true,
+ .resDeviceID = {"local"},
+ .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_GRANTED},
+ .grantFlags = {PERMISSION_GRANTED_BY_POLICY | PERMISSION_DEFAULT_FLAG}
+ };
+ OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState2 = {
+ .permissionName = "ohos.permission.SEND_MESSAGES",
+ .isGeneral = true,
+ .resDeviceID = {"local"},
+ .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_DENIED},
+ .grantFlags = {PERMISSION_GRANTED_BY_POLICY | PERMISSION_USER_FIXED}
+ };
+ OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState3 = {
+ .permissionName = "ohos.permission.RECEIVE_SMS",
+ .isGeneral = true,
+ .resDeviceID = {"local"},
+ .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_GRANTED},
+ .grantFlags = {PERMISSION_USER_FIXED}
+ };
+ OHOS::Security::AccessToken::HapPolicyParams infoManagerTestPolicyPrams = {
+ .apl = OHOS::Security::AccessToken::ATokenAplEnum::APL_NORMAL,
+ .domain = "test.domain",
+ .permList = {g_infoManagerTestPermDef1},
+ .permStateList = {infoManagerTestState1, infoManagerTestState2, infoManagerTestState3}
+ };
+ tokenIdEx = AccessTokenKit::AllocHapToken(g_infoManagerTestInfoParms, infoManagerTestPolicyPrams);
+ AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
+ ASSERT_NE(0, tokenID);
+ int ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenID);
+ ASSERT_EQ(RET_SUCCESS, ret);
+
+ ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.CAMERA");
+ ASSERT_EQ(PERMISSION_GRANTED, ret);
+
+ ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.SEND_MESSAGES");
+ ASSERT_EQ(PERMISSION_GRANTED, ret);
+
+ ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.RECEIVE_SMS");
+ ASSERT_EQ(PERMISSION_DENIED, ret);
+
+ ret = AccessTokenKit::DeleteToken(tokenID);
+ ASSERT_EQ(RET_SUCCESS, ret);
+}
+
 /**
 * @tc.name: GetTokenType001
 * @tc.desc: get the token type.
diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h b/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h
index 6f600f4f9fd8b43a054b9e07062c347ec76377b9..b90de396837f43de12e6a60daa826c5f45460914 100644
--- a/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h
+++ b/services/accesstokenmanager/main/cpp/include/permission/permission_policy_set.h
@@ -45,12 +45,13 @@ public:
 void GetDefPermissions(std::vector& permList);
 void GetPermissionStateFulls(std::vector& permList);
 int QueryPermissionFlag(const std::string& permissionName);
- void UpdatePermissionStatus(const std::string& permissionName, bool isGranted, int flag);
+ void UpdatePermissionStatus(const std::string& permissionName, bool isGranted, uint32_t flag);
 void ToString(std::string& info);
 bool IsPermissionReqValid(int32_t tokenApl, const std::string& permissionName, const std::vector& nativeAcls);
 void PermStateToString(int32_t tokenApl, const std::vector& nativeAcls, std::string& info);
 void GetPermissionStateList(std::vector& stateList);
+ void ResetUserGrantPermissionStatus(void);
 private:
 static void MergePermissionStateFull(std::vector& permStateList,
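Review bot: The `PERMISSION_SYSTEM_FIXED` skip in `ResetUserGrantPermissionStatus` is not covered by `ClearUserGrantedPermissionState004`, and the three cases are checked only through `VerifyAccessToken`, so the flag value left behind by the reset is never verified. A fourth `PermissionStateFull` with `.grantStatus = {PERMISSION_GRANTED}` and `.grantFlags = {PERMISSION_SYSTEM_FIXED}`, asserted to still be `PERMISSION_GRANTED` after the clear, would pin that branch. Also, `ASSERT_*` returns on the first failure, so a failing check skips `DeleteToken` and leaves the allocated token behind for later tests; using `EXPECT_EQ` for the three verification checks avoids that.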
diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
index 04c3947f1795db9b976c4dbf450646c6c5e45ebc..984a4afe27855cc039896f5d5b35049d420b094f 100644
--- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
+++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
@@ -239,14 +239,14 @@ void PermissionManager::GetSelfPermissionState(std::vector
 {
 bool foundGoal = false;
 int32_t goalGrantStatus;
- int32_t goalGrantFlags;
+ uint32_t goalGrantFlags;
 for (auto& perm : permsList) {
 if (perm.permissionName == permState.permissionName) {
 ACCESSTOKEN_LOG_INFO(LABEL, "find goal permission: %{public}s!", permState.permissionName.c_str());
 foundGoal = true;
 goalGrantStatus = perm.grantStatus[0];
- goalGrantFlags = perm.grantFlags[0];
+ goalGrantFlags = static_cast(perm.grantFlags[0]);
 break;
 }
 }
@@ -265,11 +265,11 @@ void PermissionManager::GetSelfPermissionState(std::vector
 if (goalGrantStatus == PERMISSION_DENIED) {
 if ((goalGrantFlags == PERMISSION_DEFAULT_FLAG) ||
- (goalGrantFlags == PERMISSION_USER_SET)) {
+ ((goalGrantFlags & PERMISSION_USER_SET) != 0)) {
 permState.state = DYNAMIC_OPER;
 return;
 }
- if (goalGrantFlags == PERMISSION_USER_FIXED) {
+ if ((goalGrantFlags & PERMISSION_USER_FIXED) != 0) {
 permState.state = SETTING_OPER;
 return;
 }
@@ -320,7 +320,7 @@ void PermissionManager::UpdateTokenPermissionState(
 return;
 }
- permPolicySet->UpdatePermissionStatus(permissionName, isGranted, flag);
+ permPolicySet->UpdatePermissionStatus(permissionName, isGranted, static_cast(flag));
 #ifdef TOKEN_SYNC_ENABLE
 TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID);
 #endif
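Review bot: In the second hunk (`@@ -265,11`) the first condition of the `PERMISSION_DENIED` branch is still an equality test, `goalGrantFlags == PERMISSION_DEFAULT_FLAG`, while the other two were converted to bit tests. `goalGrantFlags` is copied from `perm.grantFlags[0]` without masking, so a denied entry whose stored flag is `PERMISSION_GRANTED_BY_POLICY` alone (which `UpdatePermissionStatus` appears able to produce when it preserves the policy bit on a revoke with the default flag) matches none of the three conditions and falls through to code outside the hunk. Mask the policy bit before comparing: `if (((goalGrantFlags & ~static_cast<uint32_t>(PERMISSION_GRANTED_BY_POLICY)) == PERMISSION_DEFAULT_FLAG) ||`.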
@@ -387,15 +387,7 @@ void PermissionManager::ClearUserGrantedPermissionState(AccessTokenID tokenID)
 return;
 }
- std::vector permList;
- permPolicySet->GetPermissionStateFulls(permList);
- for (auto& perm : permList) {
- PermissionDef permDef;
- bool isGranted = false;
- GetDefPermission(perm.permissionName, permDef);
- isGranted = (permDef.grantMode == SYSTEM_GRANT) ? true : false;
- permPolicySet->UpdatePermissionStatus(perm.permissionName, isGranted, PERMISSION_DEFAULT_FLAG);
- }
+ permPolicySet->ResetUserGrantPermissionStatus();
 }
 std::string PermissionManager::TransferPermissionDefToString(const PermissionDef& inPermissionDef)
diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp
index 7b770235a23647f74602914661d8f23f0734cb3b..06396f982fe366eba3142610855259422550f193 100644
--- a/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp
+++ b/services/accesstokenmanager/main/cpp/src/permission/permission_policy_set.cpp
@@ -169,7 +169,9 @@ int PermissionPolicySet::QueryPermissionFlag(const std::string& permissionName)
 for (auto perm : permStateList_) {
 if (perm.permissionName == permissionName) {
 if (perm.isGeneral) {
- return perm.grantFlags[0];
+ uint32_t oldFlag = static_cast(perm.grantFlags[0]);
+ uint32_t unmaskedFlag = (oldFlag) & (~PERMISSION_GRANTED_BY_POLICY);
+ return static_cast(unmaskedFlag);
 } else {
 return PERMISSION_DEFAULT_FLAG;
 }
@@ -178,14 +180,16 @@ int PermissionPolicySet::QueryPermissionFlag(const std::string& permissionName)
 return PERMISSION_DEFAULT_FLAG;
 }
-void PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionName, bool isGranted, int flag)
+void PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionName, bool isGranted, uint32_t flag)
 {
 Utils::UniqueWriteGuard infoGuard(this->permPolicySetLock_);
 for (auto& perm : permStateList_) {
 if (perm.permissionName == permissionName) {
 if (perm.isGeneral) {
 perm.grantStatus[0] = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
- perm.grantFlags[0] = flag;
+ uint32_t currFlag = static_cast(perm.grantFlags[0]);
+ uint32_t newFlag = flag | (currFlag & PERMISSION_GRANTED_BY_POLICY);
+ perm.grantFlags[0] = static_cast(newFlag);
 } else {
 return;
 }
@@ -193,6 +197,28 @@ void PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionNa
 }
 }
+void PermissionPolicySet::ResetUserGrantPermissionStatus(void)
+{
+ Utils::UniqueWriteGuard infoGuard(this->permPolicySetLock_);
+ for (auto& perm : permStateList_) {
+ if (perm.isGeneral) {
+ uint32_t oldFlag = static_cast(perm.grantFlags[0]);
+ if ((oldFlag & PERMISSION_SYSTEM_FIXED) != 0) {
+ continue;
+ }
+ if ((oldFlag & PERMISSION_GRANTED_BY_POLICY) != 0) {
+ perm.grantStatus[0] = PERMISSION_GRANTED;
+ perm.grantFlags[0] = PERMISSION_GRANTED_BY_POLICY;
+ continue;
+ }
+ perm.grantStatus[0] = PERMISSION_DENIED;
+ perm.grantFlags[0] = PERMISSION_DEFAULT_FLAG;
+ } else {
+ continue;
+ }
+ }
+}
+
 void PermissionPolicySet::GetPermissionStateList(std::vector& stateList)
 {
 Utils::UniqueReadGuard infoGuard(this->permPolicySetLock_);
diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp
index 7f46cae37dc9f87e7b36a1442b46314246ec1a7e..83c5af20f4237267f630d0f4dbe0628c363f7b59 100644
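Review bot: `ResetUserGrantPermissionStatus` (second hunk, `@@ -193,6`) derives the post-reset state from flag bits alone, whereas the loop it replaces in `PermissionManager::ClearUserGrantedPermissionState` re-granted every permission whose definition had `grantMode == SYSTEM_GRANT`. A general system-grant permission stored without `PERMISSION_SYSTEM_FIXED` or `PERMISSION_GRANTED_BY_POLICY` is now set to `PERMISSION_DENIED` by a reset; whether such entries can exist depends on how flags are assigned at token creation, which this diff does not show. Either state that invariant in a comment above the function, for example `// relies on system-grant permissions always carrying PERMISSION_SYSTEM_FIXED`, or keep the grant-mode check. The trailing `else { continue; }` is redundant and can be dropped.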
--- a/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp
+++ b/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp
@@ -35,10 +35,7 @@ bool PermissionValidator::IsGrantStatusValid(int grantStaus)
 bool PermissionValidator::IsPermissionFlagValid(int flag)
 {
- return flag == PermissionFlag::PERMISSION_DEFAULT_FLAG ||
- flag == PermissionFlag::PERMISSION_USER_SET ||
- flag == PermissionFlag::PERMISSION_USER_FIXED ||
- flag == PermissionFlag::PERMISSION_SYSTEM_FIXED;
+ return DataValidator::IsPermissionFlagValid(flag);
 }
 bool PermissionValidator::IsPermissionNameValid(const std::string& permissionName)