From 6236622167e24f52e85268a0bb4bbfabf44d5504 Mon Sep 17 00:00:00 2001 From: lsq Date: Mon, 4 Jul 2022 10:45:33 +0800 Subject: [PATCH] =?UTF-8?q?dlp=E6=9D=83=E9=99=90=E8=A7=A3=E6=9E=90?= =?UTF-8?q?=E5=8F=8A=E5=A4=84=E7=90=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: lsq Change-Id: Ia99e3afd66ce8d6079ee31e805afa4cce5e20a97 Signed-off-by: lsq --- .../accesstoken/include/access_token.h | 6 + .../accesstoken/include/permission_dlp_mode.h | 33 ++ services/accesstokenmanager/BUILD.gn | 7 + .../permission/dlp_permission_set_manager.h | 53 ++ .../permission/dlp_permission_set_parser.h | 53 ++ .../permission/dlp_permission_set_manager.cpp | 107 ++++ .../permission/dlp_permission_set_parser.cpp | 152 ++++++ .../cpp/src/permission/permission_manager.cpp | 14 +- .../service/accesstoken_manager_service.cpp | 2 + .../src/token/accesstoken_info_manager.cpp | 34 +- .../cpp/src/token/native_token_receptor.cpp | 5 + .../cpp/src/accesstoken_info_manager_test.cpp | 459 ++++++++++++++++++ 12 files changed, 923 insertions(+), 2 deletions(-) create mode 100644 interfaces/innerkits/accesstoken/include/permission_dlp_mode.h create mode 100644 services/accesstokenmanager/main/cpp/include/permission/dlp_permission_set_manager.h create mode 100644 services/accesstokenmanager/main/cpp/include/permission/dlp_permission_set_parser.h create mode 100644 services/accesstokenmanager/main/cpp/src/permission/dlp_permission_set_manager.cpp create mode 100644 services/accesstokenmanager/main/cpp/src/permission/dlp_permission_set_parser.cpp diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h index 0834e0b78..ef3aab948 100644 --- a/interfaces/innerkits/accesstoken/include/access_token.h +++ b/interfaces/innerkits/accesstoken/include/access_token.h @@ -90,6 +90,12 @@ typedef enum DlpType { DLP_READ = 1, DLP_FULL_CONTROL = 2, } HapDlpType; + +typedef enum TypeDlpPerm { + DLP_PERM_ALL = 0, + DLP_PERM_FULL_CONTROL = 1, + DLP_PERM_NONE = 2, +} DlpPermMode; } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/interfaces/innerkits/accesstoken/include/permission_dlp_mode.h b/interfaces/innerkits/accesstoken/include/permission_dlp_mode.h new file mode 100644 index 000000000..89aade9bb --- /dev/null +++ b/interfaces/innerkits/accesstoken/include/permission_dlp_mode.h @@ -0,0 +1,33 @@ +/* + * Copyright (c) 2022 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef INTERFACES_INNER_KITS_ACCESSTOKEN_PERMISSION_DLP_MODE_H +#define INTERFACES_INNER_KITS_ACCESSTOKEN_PERMISSION_DLP_MODE_H + +#include + +namespace OHOS { +namespace Security { +namespace AccessToken { +class PermissionDlpMode final { +public: + std::string permissionName; + int32_t dlpMode; +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS + +#endif // INTERFACES_INNER_KITS_ACCESSTOKEN_PERMISSION_DLP_MODE_H diff --git a/services/accesstokenmanager/BUILD.gn b/services/accesstokenmanager/BUILD.gn index 76c93af48..da04b2348 100644 --- a/services/accesstokenmanager/BUILD.gn +++ b/services/accesstokenmanager/BUILD.gn @@ -47,6 +47,8 @@ ohos_shared_library("accesstoken_manager_service") { "main/cpp/src/database/data_storage.cpp", "main/cpp/src/database/data_translator.cpp", "main/cpp/src/database/sqlite_storage.cpp", + "main/cpp/src/permission/dlp_permission_set_manager.cpp", + "main/cpp/src/permission/dlp_permission_set_parser.cpp", "main/cpp/src/permission/permission_definition_cache.cpp", "main/cpp/src/permission/permission_manager.cpp", "main/cpp/src/permission/permission_policy_set.cpp", @@ -62,6 +64,11 @@ ohos_shared_library("accesstoken_manager_service") { cflags_cc = [ "-DHILOG_ENABLE" ] + if (!defined(global_parts_info) || + defined(global_parts_info.security_dlp_permission_service)) { + cflags_cc += [ "-DSUPPORT_SANDBOX_APP" ] + } + deps = [ "//base/security/access_token/frameworks/accesstoken:accesstoken_communication_adapter_cxx", "//base/security/access_token/frameworks/common:accesstoken_common_cxx", diff --git a/services/accesstokenmanager/main/cpp/include/permission/dlp_permission_set_manager.h b/services/accesstokenmanager/main/cpp/include/permission/dlp_permission_set_manager.h new file mode 100644 index 000000000..c0db14d53 --- /dev/null +++ b/services/accesstokenmanager/main/cpp/include/permission/dlp_permission_set_manager.h @@ -0,0 +1,53 @@ +/* + * Copyright (c) 2022 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef ACCESSTOKEN_DLP_PERMISSION_SET_MANAGER_H +#define ACCESSTOKEN_DLP_PERMISSION_SET_MANAGER_H + +#include +#include + +#include "nocopyable.h" +#include "permission_dlp_mode.h" +#include "permission_state_full.h" + +namespace OHOS { +namespace Security { +namespace AccessToken { +class DlpPermissionSetManager final { +public: + static DlpPermissionSetManager& GetInstance(); + virtual ~DlpPermissionSetManager(); + + int32_t UpdatePermStateWithDlpInfo(int32_t dlpType, std::vector& permStateList); + bool IsPermStateNeedUpdate(int32_t dlpType, int32_t dlpMode); + void ProcessDlpPermInfos(const std::vector& info); + int32_t GetPermDlpMode(const std::string& permissionName); + +private: + DlpPermissionSetManager(); + DISALLOW_COPY_AND_MOVE(DlpPermissionSetManager); + void ProcessDlpPermsInfos(std::vector& dlpPerms); + + /** + * key: the permission name. + * value: the mode of permission. + */ + std::map dlpPermissionModeMap_; +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS +#endif // ACCESSTOKEN_DLP_PERMISSION_SET_MANAGER_H diff --git a/services/accesstokenmanager/main/cpp/include/permission/dlp_permission_set_parser.h b/services/accesstokenmanager/main/cpp/include/permission/dlp_permission_set_parser.h new file mode 100644 index 000000000..0e5071f82 --- /dev/null +++ b/services/accesstokenmanager/main/cpp/include/permission/dlp_permission_set_parser.h @@ -0,0 +1,53 @@ +/* + * Copyright (c) 2022 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef ACCESSTOKEN_DLP_PERMISSION_SET_PARSER_H +#define ACCESSTOKEN_DLP_PERMISSION_SET_PARSER_H + +#include +#include + +#include "permission_dlp_mode.h" +#include "nlohmann/json.hpp" +#include "nocopyable.h" + +namespace OHOS { +namespace Security { +namespace AccessToken { +const std::string CLONE_PERMISSION_CONFIG_FILE = "/data/service/el0/access_token/cloneAppPermission.json"; +constexpr int32_t MAX_CLONE_PERMISSION_CONFIG_FILE_SIZE = 5 * 1024 * 1024; // 5M +constexpr size_t MAX_BUFFER_SIZE = 1024; +class DlpPermissionSetParser final { +public: + static DlpPermissionSetParser& GetInstance(); + virtual ~DlpPermissionSetParser() = default; + int32_t Init(); + +private: + DlpPermissionSetParser() : ready_(false) {} + DISALLOW_COPY_AND_MOVE(DlpPermissionSetParser); + int ReadCfgFile(std::string &dlpPermsRawData); + void FromJson(const nlohmann::json &jsonObject, std::vector& dlpPerms); + int32_t ParserDlpPermsRawData(const std::string& dlpPermsRawData, + std::vector& dlpPerms); + void from_json(const nlohmann::json& j, PermissionDlpMode& p); + void ProcessDlpPermsInfos(std::vector& dlpPerms); + + bool ready_; +}; +} // namespace AccessToken +} // namespace Security +} // namespace OHOS +#endif // ACCESSTOKEN_DLP_PERMISSION_SET_PARSER_H diff --git a/services/accesstokenmanager/main/cpp/src/permission/dlp_permission_set_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/dlp_permission_set_manager.cpp new file mode 100644 index 000000000..053cee3eb --- /dev/null +++ b/services/accesstokenmanager/main/cpp/src/permission/dlp_permission_set_manager.cpp @@ -0,0 +1,107 @@ +/* + * Copyright (c) 2022 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "dlp_permission_set_manager.h" + +#include +#include +#include +#include +#include + +#include "access_token.h" +#include "accesstoken_log.h" +#include "data_validator.h" +#include "securec.h" + +namespace OHOS { +namespace Security { +namespace AccessToken { +namespace { +static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "DlpPermissionSetManager"}; +} + +DlpPermissionSetManager& DlpPermissionSetManager::GetInstance() +{ + static DlpPermissionSetManager instance; + return instance; +} + +DlpPermissionSetManager::DlpPermissionSetManager() +{} + +DlpPermissionSetManager::~DlpPermissionSetManager() +{} + +void DlpPermissionSetManager::ProcessDlpPermInfos(const std::vector& dlpPermInfos) +{ + for (auto iter = dlpPermInfos.begin(); iter != dlpPermInfos.end(); iter++) { + auto it = dlpPermissionModeMap_.find(iter->permissionName); + if (it != dlpPermissionModeMap_.end()) { + ACCESSTOKEN_LOG_WARN(LABEL, + "info for permission: %{public}s dlpMode %{public}d has been insert, please check!", + iter->permissionName.c_str(), iter->dlpMode); + continue; + } + dlpPermissionModeMap_[iter->permissionName] = iter->dlpMode; + continue; + } +} + +int32_t DlpPermissionSetManager::GetPermDlpMode(const std::string& permissionName) +{ + auto it = dlpPermissionModeMap_.find(permissionName); + if (it == dlpPermissionModeMap_.end()) { + ACCESSTOKEN_LOG_DEBUG(LABEL, "can not find permission: %{public}s in dlp permission cfg", + permissionName.c_str()); + return DLP_PERM_ALL; + } + return dlpPermissionModeMap_[permissionName]; +} + +int32_t DlpPermissionSetManager::UpdatePermStateWithDlpInfo(int32_t dlpType, + std::vector& permStateList) +{ + ACCESSTOKEN_LOG_DEBUG(LABEL, "dlpType: %{public}d", dlpType); + for (auto iter = permStateList.begin(); iter != permStateList.end(); iter++) { + if (iter->grantStatus[0] == PERMISSION_DENIED) { + continue; + } + int32_t dlpMode = GetPermDlpMode(iter->permissionName); + bool res = IsPermStateNeedUpdate(dlpType, dlpMode); + if (res) { + iter->grantStatus[0] = PERMISSION_DENIED; + } + } + return RET_SUCCESS; +} + +bool DlpPermissionSetManager::IsPermStateNeedUpdate(int32_t dlpType, int32_t dlpMode) +{ + ACCESSTOKEN_LOG_DEBUG(LABEL, "dlpType: %{public}d dlpMode %{public}d", dlpType, dlpMode); + /* permission is available to all dlp hap */ + if (dlpMode == DLP_PERM_ALL) { + return false; + } + + /* permission is available to full control */ + if (dlpMode == DLP_PERM_FULL_CONTROL && dlpType == DLP_FULL_CONTROL) { + return false; + } + /* permission is available to none */ + return true; +} +} // namespace AccessToken +} // namespace Security +} // namespace OHOS diff --git a/services/accesstokenmanager/main/cpp/src/permission/dlp_permission_set_parser.cpp b/services/accesstokenmanager/main/cpp/src/permission/dlp_permission_set_parser.cpp new file mode 100644 index 000000000..089ec3d7e --- /dev/null +++ b/services/accesstokenmanager/main/cpp/src/permission/dlp_permission_set_parser.cpp @@ -0,0 +1,152 @@ +/* + * Copyright (c) 2022 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "dlp_permission_set_parser.h" + +#include +#include +#include +#include +#include + +#include "accesstoken_log.h" +#include "data_validator.h" +#include "dlp_permission_set_manager.h" +#include "securec.h" + +namespace OHOS { +namespace Security { +namespace AccessToken { +namespace { +static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "DlpPermissionSetParser"}; +} + +// nlohmann json need the function named from_json to parse +void from_json(const nlohmann::json& j, PermissionDlpMode& p) +{ + if (j.find("name") == j.end()) { + return; + } + p.permissionName = j.at("name").get(); + if (!DataValidator::IsProcessNameValid(p.permissionName)) { + return; + } + + if (j.find("dlpGrantRange") == j.end()) { + return; + } + std::string dlpModeStr = j.at("dlpGrantRange").get(); + if (dlpModeStr == "all") { + p.dlpMode = DLP_PERM_ALL; + return; + } + if (dlpModeStr == "full_control") { + p.dlpMode = DLP_PERM_FULL_CONTROL; + return; + } + p.dlpMode = DLP_PERM_NONE; + return; +} + +int32_t DlpPermissionSetParser::ParserDlpPermsRawData(const std::string& dlpPermsRawData, + std::vector& dlpPerms) +{ + nlohmann::json jsonRes = nlohmann::json::parse(dlpPermsRawData, nullptr, false); + if (jsonRes.is_discarded()) { + ACCESSTOKEN_LOG_ERROR(LABEL, "jsonRes is invalid."); + return RET_FAILED; + } + + if (jsonRes.find("dlpPermissions") != jsonRes.end()) { + nlohmann::json dlpPermTokenJson = jsonRes.at("dlpPermissions").get(); + dlpPerms = dlpPermTokenJson.get>(); + } + + return RET_SUCCESS; +} + +int32_t DlpPermissionSetParser::ReadCfgFile(std::string& dlpPermsRawData) +{ + int32_t fd = open(CLONE_PERMISSION_CONFIG_FILE.c_str(), O_RDONLY); + if (fd < 0) { + ACCESSTOKEN_LOG_ERROR(LABEL, "open failed errno %{public}d.", errno); + return RET_FAILED; + } + struct stat statBuffer; + + if (fstat(fd, &statBuffer) != 0) { + ACCESSTOKEN_LOG_ERROR(LABEL, "fstat failed."); + close(fd); + return RET_FAILED; + } + + if (statBuffer.st_size == 0) { + ACCESSTOKEN_LOG_ERROR(LABEL, "config file size is invalid."); + close(fd); + return RET_FAILED; + } + if (statBuffer.st_size > MAX_CLONE_PERMISSION_CONFIG_FILE_SIZE) { + ACCESSTOKEN_LOG_ERROR(LABEL, "config file size is too large."); + close(fd); + return RET_FAILED; + } + dlpPermsRawData.reserve(statBuffer.st_size); + + char buff[MAX_BUFFER_SIZE] = { 0 }; + ssize_t readLen = 0; + while ((readLen = read(fd, buff, MAX_BUFFER_SIZE)) > 0) { + dlpPermsRawData.append(buff, readLen); + } + close(fd); + + if (readLen == 0) { + return RET_SUCCESS; + } + return RET_FAILED; +} + +int32_t DlpPermissionSetParser::Init() +{ + if (ready_) { + ACCESSTOKEN_LOG_ERROR(LABEL, "dlp permission has been set."); + return RET_SUCCESS; + } + + std::string dlpPermsRawData; + int32_t ret = ReadCfgFile(dlpPermsRawData); + if (ret != RET_SUCCESS) { + ACCESSTOKEN_LOG_ERROR(LABEL, "readCfgFile failed."); + return RET_FAILED; + } + std::vector dlpPerms; + ret = ParserDlpPermsRawData(dlpPermsRawData, dlpPerms); + if (ret != RET_SUCCESS) { + ACCESSTOKEN_LOG_ERROR(LABEL, "ParserDlpPermsRawData failed."); + return RET_FAILED; + } + DlpPermissionSetManager::GetInstance().ProcessDlpPermInfos(dlpPerms); + + ready_ = true; + ACCESSTOKEN_LOG_INFO(LABEL, "init ok."); + return RET_SUCCESS; +} + +DlpPermissionSetParser& DlpPermissionSetParser::GetInstance() +{ + static DlpPermissionSetParser instance; + return instance; +} +} // namespace AccessToken +} // namespace Security +} // namespace OHOS diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 75db81996..07feb4538 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -18,6 +18,7 @@ #include "accesstoken_id_manager.h" #include "accesstoken_info_manager.h" #include "accesstoken_log.h" +#include "dlp_permission_set_manager.h" #include "permission_definition_cache.h" #include "permission_validator.h" #ifdef TOKEN_SYNC_ENABLE @@ -319,8 +320,19 @@ void PermissionManager::UpdateTokenPermissionState( ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!"); return; } - +#ifdef SUPPORT_SANDBOX_APP + int32_t dlpType = infoPtr->GetDlpType(); + if (isGranted && dlpType != DLP_COMMON) { + int32_t dlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permissionName); + if (DlpPermissionSetManager::GetInstance().IsPermStateNeedUpdate(dlpType, dlpMode)) { + ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}u is not allowed to be granted permissionName %{public}s", + tokenID, permissionName.c_str()); + return; + } + } +#endif permPolicySet->UpdatePermissionStatus(permissionName, isGranted, static_cast(flag)); + #ifdef TOKEN_SYNC_ENABLE TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID); #endif diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index 017468bd7..591a23bd4 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp @@ -26,6 +26,7 @@ #include "device_manager.h" #endif #include "constant_common.h" +#include "dlp_permission_set_parser.h" #include "hap_token_info.h" #include "hap_token_info_inner.h" #include "ipc_skeleton.h" @@ -438,6 +439,7 @@ bool AccessTokenManagerService::Initialize() #ifdef TOKEN_SYNC_ENABLE CreateDeviceListenner(); // for start tokensync when remote devivce online #endif + DlpPermissionSetParser::GetInstance().Init(); return true; } } // namespace AccessToken diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index c5f21ccd5..76d6d77a3 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp @@ -23,6 +23,7 @@ #include "data_storage.h" #include "data_translator.h" #include "data_validator.h" +#include "dlp_permission_set_manager.h" #include "field_const.h" #include "generic_values.h" #include "hap_token_info_inner.h" @@ -371,6 +372,19 @@ int AccessTokenInfoManager::RemoveNativeTokenInfo(AccessTokenID id) return RET_SUCCESS; } +static void GetPolicyCopied(const HapPolicyParams& policy, HapPolicyParams& policyNew) +{ + policyNew.apl = policy.apl; + policyNew.domain = policy.domain; + + for (auto& state : policy.permStateList) { + policyNew.permStateList.emplace_back(state); + } + for (auto& def : policy.permList) { + policyNew.permList.emplace_back(def); + } +} + int AccessTokenInfoManager::CreateHapTokenInfo( const HapInfoParams& info, const HapPolicyParams& policy, AccessTokenIDEx& tokenIdEx) { @@ -386,8 +400,26 @@ int AccessTokenInfoManager::CreateHapTokenInfo( ACCESSTOKEN_LOG_INFO(LABEL, "token Id create failed"); return RET_FAILED; } - +#ifdef SUPPORT_SANDBOX_APP + std::shared_ptr tokenInfo; + if (info.dlpType != DLP_COMMON) { + HapPolicyParams policyNew; + GetPolicyCopied(policy, policyNew); + int32_t res = DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo( + info.dlpType, policyNew.permStateList); + if (res != RET_SUCCESS) { + ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s update dlp permission failed", info.bundleName.c_str()); + AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId); + return RET_FAILED; + } + tokenInfo = std::make_shared(tokenId, info, policyNew); + } else { + tokenInfo = std::make_shared(tokenId, info, policy); + } +#else std::shared_ptr tokenInfo = std::make_shared(tokenId, info, policy); +#endif + if (tokenInfo == nullptr) { AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId); ACCESSTOKEN_LOG_INFO(LABEL, "alloc token info failed"); diff --git a/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp b/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp index f948fb372..37cd2eee0 100644 --- a/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/native_token_receptor.cpp @@ -43,14 +43,19 @@ int32_t NativeReqPermsGet( if (permReqList.size() > MAX_REQ_PERM_NUM) { return RET_FAILED; } + std::set permRes; for (const auto& permReq : permReqList) { PermissionStateFull permState; + if (permRes.count(permReq) != 0) { + continue; + } permState.permissionName = permReq; permState.isGeneral = true; permState.resDeviceID.push_back(""); permState.grantStatus.push_back(PERMISSION_GRANTED); permState.grantFlags.push_back(PERMISSION_SYSTEM_FIXED); permStateList.push_back(permState); + permRes.insert(permReq); } return RET_SUCCESS; } diff --git a/services/accesstokenmanager/test/unittest/cpp/src/accesstoken_info_manager_test.cpp b/services/accesstokenmanager/test/unittest/cpp/src/accesstoken_info_manager_test.cpp index 8879bcb3f..d163465eb 100644 --- a/services/accesstokenmanager/test/unittest/cpp/src/accesstoken_info_manager_test.cpp +++ b/services/accesstokenmanager/test/unittest/cpp/src/accesstoken_info_manager_test.cpp @@ -19,6 +19,11 @@ #include #include "accesstoken_info_manager.h" #include "accesstoken_log.h" +#define private public +#include "dlp_permission_set_manager.h" +#include "dlp_permission_set_parser.h" +#undef private +#include "permission_manager.h" using namespace testing::ext; using namespace OHOS::Security::AccessToken; @@ -83,6 +88,80 @@ static HapPolicyParams g_infoManagerTestPolicyPrams = { .permList = {g_infoManagerTestPermDef1, g_infoManagerTestPermDef2}, .permStateList = {g_infoManagerTestState1, g_infoManagerTestState2} }; + +static PermissionStateFull g_infoManagerTestStateA = { + .grantFlags = {1}, + .grantStatus = {PERMISSION_GRANTED}, + .isGeneral = true, + .resDeviceID = {"local"} +}; +static PermissionStateFull g_infoManagerTestStateB = { + .grantFlags = {1}, + .grantStatus = {PERMISSION_GRANTED}, + .isGeneral = true, + .resDeviceID = {"local"} +}; +static PermissionStateFull g_infoManagerTestStateC = { + .grantFlags = {1}, + .grantStatus = {PERMISSION_GRANTED}, + .isGeneral = true, + .resDeviceID = {"local"} +}; +static PermissionStateFull g_infoManagerTestStateD = { + .grantFlags = {1}, + .grantStatus = {PERMISSION_GRANTED}, + .isGeneral = true, + .resDeviceID = {"local"} +}; + +static PermissionDef g_infoManagerPermDef1 = { + .permissionName = "ohos.permission.MEDIA_LOCATION", + .bundleName = "accesstoken_test", + .grantMode = USER_GRANT, + .label = "label", + .labelId = 1, + .description = "MEDIA_LOCATION", + .descriptionId = 1, + .availableLevel = APL_NORMAL, + .provisionEnable = false, + .distributedSceneEnable = false +}; +static PermissionDef g_infoManagerPermDef2 = { + .permissionName = "ohos.permission.MICROPHONE", + .bundleName = "accesstoken_test", + .grantMode = USER_GRANT, + .label = "label", + .labelId = 1, + .description = "MICROPHONE", + .descriptionId = 1, + .availableLevel = APL_NORMAL, + .provisionEnable = false, + .distributedSceneEnable = false +}; +static PermissionDef g_infoManagerPermDef3 = { + .permissionName = "ohos.permission.READ_CALENDAR", + .bundleName = "accesstoken_test", + .grantMode = USER_GRANT, + .label = "label", + .labelId = 1, + .description = "READ_CALENDAR", + .descriptionId = 1, + .availableLevel = APL_NORMAL, + .provisionEnable = false, + .distributedSceneEnable = false +}; +static PermissionDef g_infoManagerPermDef4 = { + .permissionName = "ohos.permission.READ_CALL_LOG", + .bundleName = "accesstoken_test", + .grantMode = USER_GRANT, + .label = "label", + .labelId = 1, + .description = "READ_CALL_LOG", + .descriptionId = 1, + .availableLevel = APL_NORMAL, + .provisionEnable = false, + .distributedSceneEnable = false +}; } void AccessTokenInfoManagerTest::SetUpTestCase() @@ -242,3 +321,383 @@ HWTEST_F(AccessTokenInfoManagerTest, UpdateHapToken001, TestSize.Level1) ASSERT_EQ(RET_SUCCESS, ret); GTEST_LOG_(INFO) << "remove the token info"; } + +#ifdef SUPPORT_SANDBOX_APP +static void PrepareJsonData1() +{ + std::string testStr = R"({"dlpPermissions":[)"\ + R"({"name":"ohos.permission.CAPTURE_SCREEN","dlpGrantRange":"none"},)"\ + R"({"name":"ohos.permission.CHANGE_ABILITY_ENABLED_STATE","dlpGrantRange":"all"},)"\ + R"({"name":"ohos.permission.CLEAN_APPLICATION_DATA","dlpGrantRange":"full_control"}]})"; + + std::vector dlpPerms; + int res = DlpPermissionSetParser::GetInstance().ParserDlpPermsRawData(testStr, dlpPerms); + if (res != RET_SUCCESS) { + GTEST_LOG_(INFO) << "ParserDlpPermsRawData failed:"; + } + for (auto iter = dlpPerms.begin(); iter != dlpPerms.end(); iter++) { + GTEST_LOG_(INFO) << "iter:" << iter->permissionName.c_str(); + } + DlpPermissionSetManager::GetInstance().ProcessDlpPermInfos(dlpPerms); +} + +/** + * @tc.name: DlpPermissionConfig001 + * @tc.desc: test DLP_COMMON app with system_grant permissions. + * @tc.type: FUNC + * @tc.require: SR000GVIGR + */ +HWTEST_F(AccessTokenInfoManagerTest, DlpPermissionConfig001, TestSize.Level1) +{ + PrepareJsonData1(); + + g_infoManagerTestStateA.permissionName = "ohos.permission.CAPTURE_SCREEN"; + g_infoManagerTestStateB.permissionName = "ohos.permission.CHANGE_ABILITY_ENABLED_STATE"; + g_infoManagerTestStateC.permissionName = "ohos.permission.CLEAN_APPLICATION_DATA"; + g_infoManagerTestStateD.permissionName = "ohos.permission.COMMONEVENT_STICKY"; + + static HapPolicyParams infoManagerTestPolicyPrams = { + .apl = APL_NORMAL, + .domain = "test.domain", + .permList = {}, + .permStateList = {g_infoManagerTestStateA, g_infoManagerTestStateB, + g_infoManagerTestStateC, g_infoManagerTestStateD} + }; + static HapInfoParams infoManagerTestInfoParms = { + .bundleName = "DlpPermissionConfig001", + .userID = 1, + .instIndex = 0, + .dlpType = DLP_COMMON, + .appIDDesc = "testtesttesttest" + }; + AccessTokenIDEx tokenIdEx = {0}; + int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(infoManagerTestInfoParms, + infoManagerTestPolicyPrams, tokenIdEx); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "add a hap token"; + + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CAPTURE_SCREEN"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CHANGE_ABILITY_ENABLED_STATE"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CLEAN_APPLICATION_DATA"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.COMMONEVENT_STICKY"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + + ret = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "remove the token info"; +} + +/** + * @tc.name: DlpPermissionConfig002 + * @tc.desc: test DLP_READ app with system_grant permissions. + * @tc.type: FUNC + * @tc.require: SR000GVIGR + */ +HWTEST_F(AccessTokenInfoManagerTest, DlpPermissionConfig002, TestSize.Level1) +{ + PrepareJsonData1(); + + g_infoManagerTestStateA.permissionName = "ohos.permission.CAPTURE_SCREEN"; + g_infoManagerTestStateB.permissionName = "ohos.permission.CHANGE_ABILITY_ENABLED_STATE"; + g_infoManagerTestStateC.permissionName = "ohos.permission.CLEAN_APPLICATION_DATA"; + g_infoManagerTestStateD.permissionName = "ohos.permission.COMMONEVENT_STICKY"; + + static HapPolicyParams infoManagerTestPolicyPrams = { + .apl = APL_NORMAL, + .domain = "test.domain", + .permList = {}, + .permStateList = {g_infoManagerTestStateA, g_infoManagerTestStateB, + g_infoManagerTestStateC, g_infoManagerTestStateD} + }; + static HapInfoParams infoManagerTestInfoParms = { + .bundleName = "DlpPermissionConfig002", + .userID = 1, + .instIndex = 0, + .dlpType = DLP_READ, + .appIDDesc = "testtesttesttest" + }; + AccessTokenIDEx tokenIdEx = {0}; + int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(infoManagerTestInfoParms, + infoManagerTestPolicyPrams, tokenIdEx); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "add a hap token"; + + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CAPTURE_SCREEN"); + ASSERT_EQ(PERMISSION_DENIED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CHANGE_ABILITY_ENABLED_STATE"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CLEAN_APPLICATION_DATA"); + ASSERT_EQ(PERMISSION_DENIED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.COMMONEVENT_STICKY"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + + ret = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "remove the token info"; +} + +/** + * @tc.name: DlpPermissionConfig003 + * @tc.desc: test DLP_FULL_CONTROL app with system_grant permissions. + * @tc.type: FUNC + * @tc.require: SR000GVIGR + */ +HWTEST_F(AccessTokenInfoManagerTest, DlpPermissionConfig003, TestSize.Level1) +{ + PrepareJsonData1(); + + g_infoManagerTestStateA.permissionName = "ohos.permission.CAPTURE_SCREEN"; + g_infoManagerTestStateB.permissionName = "ohos.permission.CHANGE_ABILITY_ENABLED_STATE"; + g_infoManagerTestStateC.permissionName = "ohos.permission.CLEAN_APPLICATION_DATA"; + g_infoManagerTestStateD.permissionName = "ohos.permission.COMMONEVENT_STICKY"; + + static HapPolicyParams infoManagerTestPolicyPrams = { + .apl = APL_NORMAL, + .domain = "test.domain", + .permList = {}, + .permStateList = {g_infoManagerTestStateA, g_infoManagerTestStateB, + g_infoManagerTestStateC, g_infoManagerTestStateD} + }; + static HapInfoParams infoManagerTestInfoParms = { + .bundleName = "DlpPermissionConfig003", + .userID = 1, + .instIndex = 0, + .dlpType = DLP_FULL_CONTROL, + .appIDDesc = "testtesttesttest" + }; + AccessTokenIDEx tokenIdEx = {0}; + int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(infoManagerTestInfoParms, + infoManagerTestPolicyPrams, tokenIdEx); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "add a hap token"; + + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CAPTURE_SCREEN"); + ASSERT_EQ(PERMISSION_DENIED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CHANGE_ABILITY_ENABLED_STATE"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.CLEAN_APPLICATION_DATA"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken( + tokenID, "ohos.permission.COMMONEVENT_STICKY"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + + ret = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "remove the token info"; +} + +static void PrepareUserPermState() +{ + g_infoManagerTestStateA.permissionName = "ohos.permission.MEDIA_LOCATION"; + g_infoManagerTestStateA.grantStatus[0] = PERMISSION_DENIED; + g_infoManagerTestStateB.permissionName = "ohos.permission.MICROPHONE"; + g_infoManagerTestStateB.grantStatus[0] = PERMISSION_DENIED; + g_infoManagerTestStateC.permissionName = "ohos.permission.READ_CALENDAR"; + g_infoManagerTestStateC.grantStatus[0] = PERMISSION_DENIED; + g_infoManagerTestStateD.permissionName = "ohos.permission.READ_CALL_LOG"; + g_infoManagerTestStateD.grantStatus[0] = PERMISSION_DENIED; +} + +static void PrepareJsonData2() +{ + std::string testStr = R"({"dlpPermissions":[)"\ + R"({"name":"ohos.permission.MEDIA_LOCATION","dlpGrantRange":"none"},)"\ + R"({"name":"ohos.permission.MICROPHONE","dlpGrantRange":"all"},)"\ + R"({"name":"ohos.permission.READ_CALENDAR","dlpGrantRange":"full_control"}]})"; + + std::vector dlpPerms; + int res = DlpPermissionSetParser::GetInstance().ParserDlpPermsRawData(testStr, dlpPerms); + if (res != RET_SUCCESS) { + GTEST_LOG_(INFO) << "ParserDlpPermsRawData failed:"; + } + DlpPermissionSetManager::GetInstance().ProcessDlpPermInfos(dlpPerms); +} + +/** + * @tc.name: DlpPermissionConfig004 + * @tc.desc: test DLP_COMMON app with user_grant permissions. + * @tc.type: FUNC + * @tc.require: SR000GVIGR + */ +HWTEST_F(AccessTokenInfoManagerTest, DlpPermissionConfig004, TestSize.Level1) +{ + PrepareJsonData2(); + PrepareUserPermState(); + + static HapPolicyParams infoManagerTestPolicyPrams = { + .apl = APL_NORMAL, + .domain = "test.domain", + .permList = {g_infoManagerPermDef1, g_infoManagerPermDef2, + g_infoManagerPermDef3, g_infoManagerPermDef4}, + .permStateList = {g_infoManagerTestStateA, g_infoManagerTestStateB, + g_infoManagerTestStateC, g_infoManagerTestStateD} + }; + static HapInfoParams infoManagerTestInfoParms = { + .bundleName = "accesstoken_test", + .userID = 1, + .instIndex = 0, + .dlpType = DLP_COMMON, + .appIDDesc = "testtesttesttest" + }; + AccessTokenIDEx tokenIdEx = {0}; + int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(infoManagerTestInfoParms, + infoManagerTestPolicyPrams, tokenIdEx); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "add a hap token"; + + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.MEDIA_LOCATION", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.READ_CALENDAR", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.READ_CALL_LOG", PERMISSION_USER_FIXED); + + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.MEDIA_LOCATION"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.READ_CALENDAR"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.READ_CALL_LOG"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + + ret = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "remove the token info"; +} + +/** + * @tc.name: DlpPermissionConfig005 + * @tc.desc: test DLP_READ app with user_grant permissions. + * @tc.type: FUNC + * @tc.require: SR000GVIGR + */ +HWTEST_F(AccessTokenInfoManagerTest, DlpPermissionConfig005, TestSize.Level1) +{ + PrepareJsonData2(); + PrepareUserPermState(); + + static HapPolicyParams infoManagerTestPolicyPrams = { + .apl = APL_NORMAL, + .domain = "test.domain", + .permList = {g_infoManagerPermDef1, g_infoManagerPermDef2, + g_infoManagerPermDef3, g_infoManagerPermDef4}, + .permStateList = {g_infoManagerTestStateA, g_infoManagerTestStateB, + g_infoManagerTestStateC, g_infoManagerTestStateD} + }; + static HapInfoParams infoManagerTestInfoParms = { + .bundleName = "accesstoken_test", + .userID = 1, + .instIndex = 0, + .dlpType = DLP_READ, + .appIDDesc = "testtesttesttest" + }; + AccessTokenIDEx tokenIdEx = {0}; + int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(infoManagerTestInfoParms, + infoManagerTestPolicyPrams, tokenIdEx); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "add a hap token"; + + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.MEDIA_LOCATION", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.READ_CALENDAR", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.READ_CALL_LOG", PERMISSION_USER_FIXED); + + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.MEDIA_LOCATION"); + ASSERT_EQ(PERMISSION_DENIED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.READ_CALENDAR"); + ASSERT_EQ(PERMISSION_DENIED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.READ_CALL_LOG"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + + ret = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "remove the token info"; +} + +/** + * @tc.name: DlpPermissionConfig006 + * @tc.desc: test DLP_FULL_CONTROL app with user_grant permissions. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(AccessTokenInfoManagerTest, DlpPermissionConfig006, TestSize.Level1) +{ + PrepareJsonData2(); + PrepareUserPermState(); + + static HapPolicyParams infoManagerTestPolicyPrams = { + .apl = APL_NORMAL, + .domain = "test.domain", + .permList = {g_infoManagerPermDef1, g_infoManagerPermDef2, + g_infoManagerPermDef3, g_infoManagerPermDef4}, + .permStateList = {g_infoManagerTestStateA, g_infoManagerTestStateB, + g_infoManagerTestStateC, g_infoManagerTestStateD} + }; + static HapInfoParams infoManagerTestInfoParms = { + .bundleName = "accesstoken_test", + .userID = 1, + .instIndex = 0, + .dlpType = DLP_FULL_CONTROL, + .appIDDesc = "testtesttesttest" + }; + AccessTokenIDEx tokenIdEx = {0}; + int ret = AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(infoManagerTestInfoParms, + infoManagerTestPolicyPrams, tokenIdEx); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "add a hap token"; + + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.MEDIA_LOCATION", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.READ_CALENDAR", PERMISSION_USER_FIXED); + PermissionManager::GetInstance().GrantPermission(tokenID, + "ohos.permission.READ_CALL_LOG", PERMISSION_USER_FIXED); + + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.MEDIA_LOCATION"); + ASSERT_EQ(PERMISSION_DENIED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.READ_CALENDAR"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + ret = PermissionManager::GetInstance().VerifyAccessToken(tokenID, "ohos.permission.READ_CALL_LOG"); + ASSERT_EQ(PERMISSION_GRANTED, ret); + + ret = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID); + ASSERT_EQ(RET_SUCCESS, ret); + GTEST_LOG_(INFO) << "remove the token info"; +} +#endif \ No newline at end of file -- Gitee