From cdd6e8778c97db753822f6622e066e82a44fcdd5 Mon Sep 17 00:00:00 2001 From: bug_maker Date: Sun, 6 Jul 2025 23:01:39 +0800 Subject: [PATCH 1/2] =?UTF-8?q?feat:=20=E6=96=B0=E5=A2=9E=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9D=83=E9=99=90=E8=AE=BE=E7=BD=AE=E6=8E=A5?= =?UTF-8?q?=E5=8F=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker Change-Id: I3b255338c9c5792690150ba87edb98b199be2ad6 --- frameworks/common/include/data_validator.h | 4 + frameworks/common/src/constant_common.cpp | 2 +- frameworks/common/src/data_validator.cpp | 28 +- .../accesstoken/include/access_token.h | 16 +- .../accesstoken/include/access_token_error.h | 3 +- .../accesstoken/include/accesstoken_kit.h | 11 + .../accesstoken/libaccesstoken_sdk.map | 1 + .../accesstoken/src/accesstoken_kit.cpp | 38 +- .../src/accesstoken_manager_client.cpp | 16 + .../src/accesstoken_manager_client.h | 2 + .../share_permission_with_sandbox_test.cpp | 2 +- .../EdmPolicyTest/edm_policy_set_test.cpp | 754 +++++++++++++++++- .../app_installation_optimized_test.cpp | 8 +- .../HapTokenTest/init_hap_token_test.cpp | 2 +- .../HapTokenTest/update_hap_token_test.cpp | 4 +- ...ar_user_granted__permission_state_test.cpp | 4 +- .../security_component_grant_test.cpp | 2 +- .../test/unittest/common/test_common.cpp | 8 + .../test/unittest/common/test_common.h | 1 + .../idl/IAccessTokenManager.idl | 1 + .../permission/permission_data_brief.h | 1 + .../include/permission/permission_manager.h | 15 + .../include/permission/permission_validator.h | 1 + .../service/accesstoken_manager_service.h | 2 + .../src/permission/permission_data_brief.cpp | 64 +- .../cpp/src/permission/permission_manager.cpp | 251 +++++- .../src/permission/permission_validator.cpp | 5 + .../service/accesstoken_manager_service.cpp | 29 +- .../accesstoken_info_manager_test.cpp | 52 +- .../accesstoken_manager_service_test.cpp | 19 + .../test/unittest/permission_manager_test.cpp | 210 ++++- test/fuzztest/innerkits/accesstoken/BUILD.gn | 1 + .../BUILD.gn | 43 + .../corpus/init | 14 + .../project.xml | 25 + .../setpermissionstatuswithpolicy_fuzzer.cpp | 49 ++ .../setpermissionstatuswithpolicy_fuzzer.h | 21 + .../grantpermissionservice_fuzzer.cpp | 4 +- .../revokepermissionservice_fuzzer.cpp | 4 +- 39 files changed, 1648 insertions(+), 69 deletions(-) create mode 100644 test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/BUILD.gn create mode 100644 test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/corpus/init create mode 100644 test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/project.xml create mode 100644 test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/setpermissionstatuswithpolicy_fuzzer.cpp create mode 100644 test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/setpermissionstatuswithpolicy_fuzzer.h diff --git a/frameworks/common/include/data_validator.h b/frameworks/common/include/data_validator.h index 5fd826d6e..10f35ebac 100644 --- a/frameworks/common/include/data_validator.h +++ b/frameworks/common/include/data_validator.h @@ -49,6 +49,8 @@ public: static bool IsDescValid(const std::string& desc); static bool IsPermissionFlagValid(uint32_t flag); + static bool IsPermissionFlagValidForAdmin(uint32_t flag); + static bool IsPermissionStatusValid(int32_t status); static bool IsDcapValid(const std::string& dcap); static bool IsTokenIDValid(AccessTokenID id); static bool IsDlpTypeValid(int dlpType); @@ -59,6 +61,7 @@ public: static bool IsHapCaller(AccessTokenID id); static bool IsAclExtendedMapSizeValid(const std::map& aclExtendedMap); static bool IsAclExtendedMapContentValid(const std::string& permissionName, const std::string& value); + static bool IsPermissionListSizeValid(const std::vector& permissionList); private: const static int MAX_LENGTH = 256; @@ -66,6 +69,7 @@ private: const static int MAX_DCAP_LENGTH = 1024; const static int32_t MAX_EXTENDED_MAP_SIZE = 512; const static int32_t MAX_VALUE_LENGTH = 1024; + const static int32_t MAX_PERMISSION_LIST_SIZE = 1024; }; } // namespace AccessToken } // namespace Security diff --git a/frameworks/common/src/constant_common.cpp b/frameworks/common/src/constant_common.cpp index 1e4a9599f..f50940021 100644 --- a/frameworks/common/src/constant_common.cpp +++ b/frameworks/common/src/constant_common.cpp @@ -63,7 +63,7 @@ bool ConstantCommon::IsPermOperatedByUser(int32_t flag) bool ConstantCommon::IsPermOperatedBySystem(int32_t flag) { uint32_t uFlag = static_cast(flag); - return (uFlag & PERMISSION_SYSTEM_FIXED) || (uFlag & PERMISSION_GRANTED_BY_POLICY); + return (uFlag & PERMISSION_SYSTEM_FIXED) || (uFlag & PERMISSION_PRE_AUTHORIZED_CANCELABLE); } bool ConstantCommon::IsPermGrantedBySecComp(int32_t flag) diff --git a/frameworks/common/src/data_validator.cpp b/frameworks/common/src/data_validator.cpp index 329636c47..7c4527a7e 100644 --- a/frameworks/common/src/data_validator.cpp +++ b/frameworks/common/src/data_validator.cpp @@ -140,14 +140,27 @@ bool DataValidator::IsDcapValid(const std::string& dcap) bool DataValidator::IsPermissionFlagValid(uint32_t flag) { uint32_t unmaskedFlag = - flag & (~PermissionFlag::PERMISSION_GRANTED_BY_POLICY); + flag & (~PermissionFlag::PERMISSION_PRE_AUTHORIZED_CANCELABLE); return unmaskedFlag == PermissionFlag::PERMISSION_DEFAULT_FLAG || unmaskedFlag == PermissionFlag::PERMISSION_USER_SET || unmaskedFlag == PermissionFlag::PERMISSION_USER_FIXED || unmaskedFlag == PermissionFlag::PERMISSION_SYSTEM_FIXED || unmaskedFlag == PermissionFlag::PERMISSION_COMPONENT_SET || - unmaskedFlag == PermissionFlag::PERMISSION_POLICY_FIXED || - unmaskedFlag == PermissionFlag::PERMISSION_ALLOW_THIS_TIME; + unmaskedFlag == PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY || + unmaskedFlag == PermissionFlag::PERMISSION_ALLOW_THIS_TIME || + unmaskedFlag == PermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY || + unmaskedFlag == PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL; +} + +bool DataValidator::IsPermissionFlagValidForAdmin(uint32_t flag) +{ + return flag == PermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY || + flag == PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL; +} + +bool DataValidator::IsPermissionStatusValid(int32_t status) +{ + return status == PERMISSION_GRANTED || status == PERMISSION_DENIED; } bool DataValidator::IsTokenIDValid(AccessTokenID id) @@ -213,6 +226,15 @@ bool DataValidator::IsHapCaller(AccessTokenID id) } return true; } + +bool DataValidator::IsPermissionListSizeValid(const std::vector& permissionList) +{ + if (permissionList.size() <= 0 || permissionList.size() > MAX_PERMISSION_LIST_SIZE) { + LOGE(ATM_DOMAIN, ATM_TAG, "Permission list size is invalid(%{public}zu).", permissionList.size()); + return false; + } + return true; +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h index 651a28d6c..32d49bf73 100644 --- a/interfaces/innerkits/accesstoken/include/access_token.h +++ b/interfaces/innerkits/accesstoken/include/access_token.h @@ -199,7 +199,7 @@ typedef enum TypePermissionFlag { * a user_grant permission has been set by system for pre-authorization, * and it is cancellable. it always works with other flags. */ - PERMISSION_GRANTED_BY_POLICY = 1 << 3, + PERMISSION_PRE_AUTHORIZED_CANCELABLE = 1 << 3, /** * permission has been set by security component. */ @@ -207,11 +207,21 @@ typedef enum TypePermissionFlag { /* * permission is fixed by policy and the permission cannot be granted or revoked by user */ - PERMISSION_POLICY_FIXED = 1 << 5, + PERMISSION_FIXED_FOR_SECURITY_POLICY = 1 << 5, /* * permission is only allowed during the current lifecycle foreground period */ PERMISSION_ALLOW_THIS_TIME = 1 << 6, + /** + * permission is fixed by admin policy, it cannot be granted or revoked by user, + * and it can be cancelled by admin. + */ + PERMISSION_FIXED_BY_ADMIN_POLICY = 1 << 7, + /** + * permission which is fixed by admin policy, cancel fixed by admin policy. + * it can be granted or revoked by user. + */ + PERMISSION_ADMIN_POLICIES_CANCEL = 1 << 8, } PermissionFlag; /** @@ -249,6 +259,8 @@ typedef enum TypePermissionErrorReason { PRIVACY_STATEMENT_NOT_AGREED = 4, /** The permission cannot be requested in a pop-up window */ UNABLE_POP_UP = 5, + /** The permission is fixed by policy */ + FIXED_BY_POLICY = 6, /** The service is abnormal */ SERVICE_ABNORMAL = 12, } PermissionErrorReason; diff --git a/interfaces/innerkits/accesstoken/include/access_token_error.h b/interfaces/innerkits/accesstoken/include/access_token_error.h index fd3076ec8..695883703 100644 --- a/interfaces/innerkits/accesstoken/include/access_token_error.h +++ b/interfaces/innerkits/accesstoken/include/access_token_error.h @@ -79,7 +79,8 @@ enum AccessTokenError { ERR_REMOTE_CONNECTION, ERR_ADD_DEATH_RECIPIENT_FAILED, ERR_PRASE_RAW_DATA_FAILED, - ERR_PERMISSION_WITHOUT_VALUE + ERR_PERMISSION_WITHOUT_VALUE, + ERR_PERMISSION_RESTRICTED }; } // namespace AccessToken } // namespace Security diff --git a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h index 1e9ceb137..a2a9af9d5 100644 --- a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h +++ b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h @@ -559,6 +559,17 @@ public: * @return bool */ static bool IsToastShownNeeded(int32_t pid); + + /** + * @brief Set multiple permissions status and flag with policy. + * @param tokenID token id + * @param permissionList permission list to be set + * @param status the permission status to be set + * @param flag enum PermissionFlag, see access_token.h + * @return error code, see access_token_error.h + */ + static int32_t SetPermissionStatusWithPolicy( + uint32_t tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); }; } // namespace AccessToken } // namespace Security diff --git a/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map b/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map index 6ff38a5da..8c89678b9 100644 --- a/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map +++ b/interfaces/innerkits/accesstoken/libaccesstoken_sdk.map @@ -28,6 +28,7 @@ "OHOS::Security::AccessToken::AccessTokenKit::GetNativeTokenInfo(unsigned int, OHOS::Security::AccessToken::NativeTokenInfo&)"; "OHOS::Security::AccessToken::AccessTokenKit::GetPermissionFlag(unsigned int, std::__h::basic_string, std::__h::allocator> const&, unsigned int&)"; "OHOS::Security::AccessToken::AccessTokenKit::GrantPermission(unsigned int, std::__h::basic_string, std::__h::allocator> const&, unsigned int)"; + "OHOS::Security::AccessToken::AccessTokenKit::SetPermissionStatusWithPolicy(unsigned int, std::__h::vector, std::__h::allocator>, std::__h::allocator, std::__h::allocator>>> const&, int, unsigned int)"; "OHOS::Security::AccessToken::AccessTokenKit::RevokePermission(unsigned int, std::__h::basic_string, std::__h::allocator> const&, unsigned int)"; "OHOS::Security::AccessToken::AccessTokenKit::ClearUserGrantedPermissionState(unsigned int)"; "OHOS::Security::AccessToken::PermStateChangeCallbackCustomize::PermStateChangeCallbackCustomize(OHOS::Security::AccessToken::PermStateChangeScope const&)"; diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp index 9e64a8b7a..37733daae 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp @@ -481,7 +481,7 @@ int AccessTokenKit::GrantPermission(AccessTokenID tokenID, const std::string& pe LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid"); return AccessTokenError::ERR_PARAM_INVALID; } - if (!DataValidator::IsPermissionFlagValid(flag)) { + if (!DataValidator::IsPermissionFlagValid(flag) || DataValidator::IsPermissionFlagValidForAdmin(flag)) { LOGE(ATM_DOMAIN, ATM_TAG, "Flag is invalid"); return AccessTokenError::ERR_PARAM_INVALID; } @@ -500,7 +500,7 @@ int AccessTokenKit::RevokePermission(AccessTokenID tokenID, const std::string& p LOGE(ATM_DOMAIN, ATM_TAG, "Invalid permissionName"); return AccessTokenError::ERR_PARAM_INVALID; } - if (!DataValidator::IsPermissionFlagValid(flag)) { + if (!DataValidator::IsPermissionFlagValid(flag) || DataValidator::IsPermissionFlagValidForAdmin(flag)) { LOGE(ATM_DOMAIN, ATM_TAG, "Invalid flag"); return AccessTokenError::ERR_PARAM_INVALID; } @@ -862,6 +862,40 @@ bool AccessTokenKit::IsToastShownNeeded(int32_t pid) { return AccessTokenManagerClient::GetInstance().IsToastShownNeeded(pid); } + +int32_t AccessTokenKit::SetPermissionStatusWithPolicy( + uint32_t tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "TokenID=%{public}d, permList.size=%{public}zu, status=%{public}d, flag=%{public}u.", + tokenID, permissionList.size(), status, flag); + if (tokenID == INVALID_TOKENID) { + LOGE(ATM_DOMAIN, ATM_TAG, "tokenID: %{public}d, TokenID is invalid.", tokenID); + return AccessTokenError::ERR_PARAM_INVALID; + } + if (permissionList.empty()) { + LOGE(ATM_DOMAIN, ATM_TAG, "PermissionList is empty."); + return AccessTokenError::ERR_PARAM_INVALID; + } + for (const auto& perm : permissionList) { + if (!DataValidator::IsPermissionNameValid(perm)) { + LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName is invalid: %{public}s.", perm.c_str()); + return AccessTokenError::ERR_PARAM_INVALID; + } + } + if (!DataValidator::IsPermissionStatusValid(status)) { + LOGE(ATM_DOMAIN, ATM_TAG, "Status: %{public}d, status is invalid.", status); + return AccessTokenError::ERR_PARAM_INVALID; + } + if (!DataValidator::IsPermissionFlagValidForAdmin(flag)) { + LOGE(ATM_DOMAIN, ATM_TAG, "Flag: %{public}u, flag is invalid.", flag); + return AccessTokenError::ERR_PARAM_INVALID; + } + if (!DataValidator::IsPermissionListSizeValid(permissionList)) { + LOGE(ATM_DOMAIN, ATM_TAG, "PermissionList size is invalid: %{public}zu.", permissionList.size()); + return AccessTokenError::ERR_PARAM_INVALID; + } + return AccessTokenManagerClient::GetInstance().SetPermissionStatusWithPolicy(tokenID, permissionList, status, flag); +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp index 054166843..c395dd52f 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp @@ -388,6 +388,22 @@ int AccessTokenManagerClient::ClearUserGrantedPermissionState(AccessTokenID toke return result; } +int32_t AccessTokenManagerClient::SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) +{ + auto proxy = GetProxy(); + if (proxy == nullptr) { + LOGE(ATM_DOMAIN, ATM_TAG, "Proxy is null."); + return AccessTokenError::ERR_SERVICE_ABNORMAL; + } + int32_t result = proxy->SetPermissionStatusWithPolicy(tokenID, permissionList, status, flag); + if (result != RET_SUCCESS) { + result = ConvertResult(result); + } + LOGI(ATM_DOMAIN, ATM_TAG, "Result from server (error=%{public}d).", result); + return result; +} + int32_t AccessTokenManagerClient::SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status, int32_t userID = 0) { diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h index 64ddbd8c6..685019059 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h @@ -69,6 +69,8 @@ public: int GrantPermissionForSpecifiedTime( AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime); int ClearUserGrantedPermissionState(AccessTokenID tokenID); + int32_t SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); AccessTokenIDEx AllocHapToken(const HapInfoParams& info, const HapPolicy& policy); int32_t InitHapToken(const HapInfoParams& info, HapPolicy& policy, AccessTokenIDEx& fullTokenId, HapInfoCheckResult& result); diff --git a/interfaces/innerkits/accesstoken/test/unittest/DlpTest/share_permission_with_sandbox_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/DlpTest/share_permission_with_sandbox_test.cpp index 3e4408d13..87db9f702 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/DlpTest/share_permission_with_sandbox_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/DlpTest/share_permission_with_sandbox_test.cpp @@ -286,7 +286,7 @@ HWTEST_F(SharePermissionTest, PermissionShareClearUserGrantTest001, TestSize.Lev AccessTokenID tokenFullRead = AllocHapTokenId(g_infoParmsReadOnly, g_policyParams); // grant pre-authorization - ret = TestCommon::GrantPermissionByTest(tokenFullControl, PERMISSION_ALL, PERMISSION_GRANTED_BY_POLICY); + ret = TestCommon::GrantPermissionByTest(tokenFullControl, PERMISSION_ALL, PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, ret); uint32_t flag; EXPECT_EQ(RET_SUCCESS, TestCommon::GetPermissionFlagByTest(tokenCommon, PERMISSION_ALL, flag)); diff --git a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp index e8388d6f7..a9748cda7 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/EdmPolicyTest/edm_policy_set_test.cpp @@ -33,12 +33,19 @@ static const uint32_t DEFAULT_ACCOUNT_ID = 100; static const uint32_t MOCK_USER_ID_10001 = 10001; static const uint32_t MOCK_USER_ID_10002 = 10002; static const uint32_t MOCK_USER_ID_10003 = 10003; +static const int32_t MAX_PERMISSION_LIST_SIZE = 1024; +static const int32_t MAX_LENGTH = 256; const std::string MANAGE_HAP_TOKEN_ID_PERMISSION = "ohos.permission.MANAGE_HAP_TOKENID"; const std::string INTERNET = "ohos.permission.INTERNET"; static const std::string GET_NETWORK_STATS = "ohos.permission.GET_NETWORK_STATS"; static const std::string LOCATION = "ohos.permission.LOCATION"; static const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS"; -static const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS"; +static const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS"; // system_grant +static const std::string MICROPHONE = "ohos.permission.MICROPHONE"; // user_grant +static const std::string CAMERA = "ohos.permission.CAMERA"; // user_grant +static const std::string CUSTOM_SCREEN_CAPTURE = "ohos.permission.CUSTOM_SCREEN_CAPTURE"; // user_grant +static const std::string READ_HEALTH_DATA = "ohos.permission.READ_HEALTH_DATA"; +static const std::string MANAGE_EDM_POLICY = "ohos.permission.MANAGE_EDM_POLICY"; // system_grant PermissionStateFull g_infoManagerInternetState = { .permissionName = INTERNET, .isGeneral = true, @@ -63,6 +70,30 @@ PermissionStateFull g_infoManagerManageNetState = { .grantFlags = {0} }; +PermissionStateFull g_infoManagerMicrophoneState = { + .permissionName = MICROPHONE, + .isGeneral = true, + .resDeviceID = {"local2"}, + .grantStatus = {PermissionState::PERMISSION_DENIED}, + .grantFlags = {0} +}; + +PermissionStateFull g_infoManagerCameraState = { + .permissionName = CAMERA, + .isGeneral = true, + .resDeviceID = {"local2"}, + .grantStatus = {PermissionState::PERMISSION_GRANTED}, + .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED} +}; + +PermissionStateFull g_infoManagerCustomScreenCaptureState = { + .permissionName = CUSTOM_SCREEN_CAPTURE, + .isGeneral = true, + .resDeviceID = {"local2"}, + .grantStatus = {PermissionState::PERMISSION_GRANTED}, + .grantFlags = {0} +}; + // Permission set HapInfoParams g_testHapInfoParams = { .userID = 0, @@ -79,6 +110,45 @@ HapPolicyParams g_testPolicyParams = { g_infoManagerInternetState, g_infoManagerNetWorkState, g_infoManagerManageNetState, + g_infoManagerMicrophoneState, + g_infoManagerCameraState, + g_infoManagerCustomScreenCaptureState, + } +}; + +PermissionStateFull g_infoManagerCustomScreenCaptureState02 = { + .permissionName = CUSTOM_SCREEN_CAPTURE, + .isGeneral = true, + .resDeviceID = {"local2"}, + .grantStatus = {PermissionState::PERMISSION_GRANTED}, + .grantFlags = {0} +}; + +HapPolicyParams g_testPolicyParams02 = { + .apl = APL_SYSTEM_CORE, + .domain = "test.domain2", + .preAuthorizationInfo = { + { + .permissionName = CUSTOM_SCREEN_CAPTURE, + .userCancelable = true, + }, + }, + .permStateList = { + g_infoManagerCustomScreenCaptureState02 + } +}; + +HapPolicyParams g_testPolicyParams03 = { + .apl = APL_SYSTEM_CORE, + .domain = "test.domain2", + .preAuthorizationInfo = { + { + .permissionName = CUSTOM_SCREEN_CAPTURE, + .userCancelable = false, + }, + }, + .permStateList = { + g_infoManagerCustomScreenCaptureState02 } }; @@ -452,9 +522,9 @@ HWTEST_F(EdmPolicySetTest, UserPolicyTestForClearUserGranted, TestSize.Level0) EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED); EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED); - ret = AccessTokenKit::ClearUserGrantedPermissionState(fullIdUser1.tokenIdExStruct.tokenID); + ret = TestCommon::ClearUserGrantedPermissionStateByTest(fullIdUser1.tokenIdExStruct.tokenID); EXPECT_EQ(RET_SUCCESS, ret); - ret = AccessTokenKit::ClearUserGrantedPermissionState(fullIdUser2.tokenIdExStruct.tokenID); + ret = TestCommon::ClearUserGrantedPermissionStateByTest(fullIdUser2.tokenIdExStruct.tokenID); EXPECT_EQ(RET_SUCCESS, ret); EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED); EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED); @@ -468,8 +538,8 @@ HWTEST_F(EdmPolicySetTest, UserPolicyTestForClearUserGranted, TestSize.Level0) EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED); EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED); - ret = AccessTokenKit::ClearUserGrantedPermissionState(fullIdUser1.tokenIdExStruct.tokenID); - ret = AccessTokenKit::ClearUserGrantedPermissionState(fullIdUser2.tokenIdExStruct.tokenID); + ret = TestCommon::ClearUserGrantedPermissionStateByTest(fullIdUser1.tokenIdExStruct.tokenID); + ret = TestCommon::ClearUserGrantedPermissionStateByTest(fullIdUser2.tokenIdExStruct.tokenID); EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED); EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED); @@ -566,4 +636,676 @@ HWTEST_F(EdmPolicySetTest, UserPolicyForUpdateHapTokenTest, TestSize.Level0) EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED); EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID)); -} \ No newline at end of file +} + +/** + * @tc.name: SetPermissionStatusWithPolicy001 + * @tc.desc: Normal parameter testing. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy001, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy001"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; + std::vector stateList = {PERMISSION_GRANTED, PERMISSION_DENIED}; + for (auto status : stateList) { + GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy001 status: " << status; + EXPECT_EQ(RET_SUCCESS, + AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, status, PERMISSION_FIXED_BY_ADMIN_POLICY)); + std::vector permsList; + for (auto perm : permList) { + GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy001 check perm: " << perm; + EXPECT_EQ(status, AccessTokenKit::VerifyAccessToken(tokenID, perm, false)); + permsList.push_back({perm, FORBIDDEN_OPER}); + } + SetSelfTokenID(tokenID); + PermissionGrantInfo info; + EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); + EXPECT_EQ(status == PERMISSION_GRANTED ? PASS_OPER : INVALID_OPER, permsList[0].state); + EXPECT_EQ(status == PERMISSION_GRANTED ? REQ_SUCCESS : FIXED_BY_POLICY, permsList[0].errorReason); + EXPECT_EQ(status == PERMISSION_GRANTED ? PASS_OPER : INVALID_OPER, permsList[1].state); + EXPECT_EQ(status == PERMISSION_GRANTED ? REQ_SUCCESS : FIXED_BY_POLICY, permsList[1].errorReason); + SetSelfTokenID(selfTokenId); + } + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy002 + * @tc.desc: tokenID exception test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy002, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy002"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + INVALID_TOKENID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy003 + * @tc.desc: PermissionList exception test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy003, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy003"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + uint32_t ret = RET_SUCCESS; + + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, {""}, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + + std::string permName(MAX_LENGTH + 1, 'A'); + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, {""}, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + + std::vector permList = {}; + ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + + permList.resize(MAX_PERMISSION_LIST_SIZE + 1, MICROPHONE); + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + + permList.clear(); + permList.push_back("ohos.permission.TEST_123"); + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PERMISSION_NOT_EXIST, ret); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy004 + * @tc.desc: status exception test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy004, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy004"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, 1, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy005 + * @tc.desc: flag exception test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy005, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy005"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; + + EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_DENIED, + 1<<9)); + EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_GRANTED, + 1<<6)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy006 + * @tc.desc: hap unauthorized testing. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy006, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy006"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false)); + + std::vector permList = {CAMERA}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy007 + * @tc.desc: The caller has no permission to test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy007, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy007"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("foundation"); + + std::vector permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PERMISSION_DENIED, ret); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: SetPermissionStatusWithPolicy008 + * @tc.desc: Permission priority test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy008, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy008"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + MockNativeToken mock("edm"); + + uint32_t flag = 0; + uint32_t ret = RET_SUCCESS; + + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag); + + // 1. set flag is PERMISSION_USER_FIXED. + EXPECT_EQ(RET_SUCCESS, TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_USER_FIXED, flag); + + // 2. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY. + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + + // 3. can't clear PERMISSION_FIXED_BY_ADMIN_POLICY. + EXPECT_EQ(RET_SUCCESS, TestCommon::ClearUserGrantedPermissionStateByTest(tokenID)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 4. can't set flag is PERMISSION_USER_FIXED. + EXPECT_EQ(ERR_PERMISSION_RESTRICTED, + TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + + // 5. can set flag is PERMISSION_SYSTEM_FIXED. + EXPECT_EQ(RET_SUCCESS, TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_SYSTEM_FIXED)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + + // 6. can not set flag is PERMISSION_FIXED_BY_ADMIN_POLICY + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(ERR_PARAM_INVALID, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: EdmTestGrantPermission001 + * @tc.desc: Grant permission priority test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, EdmTestGrantPermission001, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestGrantPermission001"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint32_t flag = 0; + + // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY. + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 2. can't grant flag is PERMISSION_USER_FIXED + ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED); + EXPECT_EQ(ERR_PERMISSION_RESTRICTED, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL. + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 4. can grant flag is PERMISSION_USER_FIXED + ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_USER_FIXED, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: EdmTestRevokePermission001 + * @tc.desc: Revoke permission priority test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, EdmTestRevokePermission001, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestRevokePermission001"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint32_t flag = 0; + + // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY. + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 2. can't revoke flag is PERMISSION_USER_FIXED + ret = TestCommon::RevokePermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED); + EXPECT_EQ(ERR_PERMISSION_RESTRICTED, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL. + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 4. can revoke flag is PERMISSION_USER_FIXED + ret = TestCommon::RevokePermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_USER_FIXED, flag); + EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: EdmTestClearUserGrantedPermissionState001 + * @tc.desc: Clear user granted permission state test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, EdmTestClearUserGrantedPermissionState001, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestClearUserGrantedPermissionState001"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint32_t flag = 0; + + // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY. + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 2. can't clear flag is PERMISSION_FIXED_BY_ADMIN_POLICY + ret = TestCommon::ClearUserGrantedPermissionStateByTest(tokenID); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL. + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 4. can clear flag is PERMISSION_ADMIN_POLICIES_CANCEL + ret = TestCommon::ClearUserGrantedPermissionStateByTest(tokenID); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag); + EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: EdmTestGetSelfPermissionsState001 + * @tc.desc: GetSelfPermissionsState test. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, EdmTestGetSelfPermissionsState001, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestGetSelfPermissionsState001"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint64_t selfTokenId = GetSelfTokenID(); + uint32_t flag = 0; + + // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY. + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_DENIED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 2. get permission state is INVALID_OPER. + std::vector permsList = {{CUSTOM_SCREEN_CAPTURE}}; + PermissionGrantInfo info; + SetSelfTokenID(tokenID); + EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); + EXPECT_EQ(INVALID_OPER, permsList[0].state); + SetSelfTokenID(selfTokenId); + + // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL. + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_DENIED, PERMISSION_ADMIN_POLICIES_CANCEL); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag); + EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 4. get permission state is SETTING_OPER. + SetSelfTokenID(tokenID); + EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info)); + EXPECT_EQ(SETTING_OPER, permsList[0].state); + SetSelfTokenID(selfTokenId); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + + +/** + * @tc.name: EdmTestUpdateHapToken001 + * @tc.desc: GetSelfPermissionsState test with admin fixed status. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, EdmTestUpdateHapToken001, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestUpdateHapToken001"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint32_t flag = 0; + + // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY. + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 2. can't UpdateHapToken flag is PERMISSION_PRE_AUTHORIZED_CANCELABLE. + UpdateHapInfoParams info; + info.appIDDesc = "TEST"; + info.apiVersion = 12; + info.isSystemApp = false; + { + MockNativeToken mock("foundation"); + ret = AccessTokenKit::UpdateHapToken(tokenIdEx, info, g_testPolicyParams02); + } + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 3. can UpdateHapToken flag is PERMISSION_SYSTEM_FIXED. + { + MockNativeToken mock("foundation"); + ret = AccessTokenKit::UpdateHapToken(tokenIdEx, info, g_testPolicyParams03); + } + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); +} + + +/** + * @tc.name: EdmTestUpdateHapToken002 + * @tc.desc: UpdateHapToken test with admin cancel status. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, EdmTestUpdateHapToken002, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestUpdateHapToken002"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint32_t flag = 0; + + // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY. + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 2. set flag is PERMISSION_ADMIN_POLICIES_CANCEL. + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 3. can UpdateHapToken flag is PERMISSION_PRE_AUTHORIZED_CANCELABLE. + UpdateHapInfoParams info; + info.appIDDesc = "TEST"; + info.apiVersion = 12; + info.isSystemApp = false; + { + MockNativeToken mock("foundation"); + ret = AccessTokenKit::UpdateHapToken(tokenIdEx, info, g_testPolicyParams02); + } + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag); // PERMISSION_PRE_AUTHORIZED_CANCELABLE not return + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} + +/** + * @tc.name: EdmTestUpdateHapToken003 + * @tc.desc: UpdateHapToken test with system fixed status. + * @tc.type: FUNC + * @tc.require:Issue Number + */ +HWTEST_F(EdmPolicySetTest, EdmTestUpdateHapToken003, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestUpdateHapToken003"); + + g_testHapInfoParams.userID = MOCK_USER_ID_10001; + AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams); + AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; + ASSERT_NE(INVALID_TOKENID, tokenID); + + MockNativeToken mock("edm"); + uint32_t flag = 0; + + // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY. + std::vector permList = {CUSTOM_SCREEN_CAPTURE}; + uint32_t ret = RET_SUCCESS; + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 2. set flag is PERMISSION_ADMIN_POLICIES_CANCEL. + ret = AccessTokenKit::SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + // 3. can UpdateHapToken flag is PERMISSION_SYSTEM_FIXED. + UpdateHapInfoParams info; + info.appIDDesc = "TEST"; + info.apiVersion = 12; + info.isSystemApp = false; + { + MockNativeToken mock("foundation"); + ret = AccessTokenKit::UpdateHapToken(tokenIdEx, info, g_testPolicyParams03); + } + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag)); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false)); + + EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID)); +} diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/app_installation_optimized_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/app_installation_optimized_test.cpp index 5e8af25c3..71addc172 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/app_installation_optimized_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/app_installation_optimized_test.cpp @@ -275,7 +275,7 @@ HWTEST_F(AppInstallationOptimizedTest, InitHapToken005, TestSize.Level0) EXPECT_EQ(RET_SUCCESS, res); EXPECT_EQ(static_cast(1), permStatList.size()); EXPECT_EQ(CALENDAR_PERMISSION, permStatList[0].permissionName); - EXPECT_EQ(permStatList[0].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(permStatList[0].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(fullTokenId.tokenIdExStruct.tokenID)); } @@ -589,7 +589,7 @@ HWTEST_F(AppInstallationOptimizedTest, UpdateHapToken003, TestSize.Level0) EXPECT_EQ(permStatList1[0].grantFlags[0], PERMISSION_DEFAULT_FLAG); EXPECT_EQ(CALENDAR_PERMISSION, permStatList1[1].permissionName); EXPECT_EQ(permStatList1[1].grantStatus[0], PERMISSION_GRANTED); - EXPECT_EQ(permStatList1[1].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(permStatList1[1].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(fullTokenId.tokenIdExStruct.tokenID)); } @@ -997,7 +997,7 @@ HWTEST_F(AppInstallationOptimizedTest, UpdateHapToken013, TestSize.Level0) TestCommon::GetReqPermissionsByTest(fullTokenId.tokenIdExStruct.tokenID, state, false); EXPECT_EQ(static_cast(2), state.size()); EXPECT_EQ(state[0].grantStatus[0], PERMISSION_GRANTED); - EXPECT_EQ(state[0].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(state[0].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(state[1].grantStatus[0], PERMISSION_DENIED); EXPECT_EQ(state[1].grantFlags[0], PERMISSION_DEFAULT_FLAG); @@ -1050,7 +1050,7 @@ HWTEST_F(AppInstallationOptimizedTest, UpdateHapToken014, TestSize.Level0) EXPECT_EQ(state[0].grantStatus[0], PERMISSION_GRANTED); EXPECT_EQ(state[0].grantFlags[0], PERMISSION_SYSTEM_FIXED); EXPECT_EQ(state[1].grantStatus[0], PERMISSION_DENIED); - EXPECT_EQ(state[1].grantFlags[0], PERMISSION_USER_FIXED | PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(state[1].grantFlags[0], PERMISSION_USER_FIXED | PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(fullTokenId.tokenIdExStruct.tokenID)); } diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp index 8bbd287b4..1a34227ba 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp @@ -668,7 +668,7 @@ HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest004, TestSize.Level0) ASSERT_EQ(static_cast(2), permStatList.size()); ASSERT_EQ("ohos.permission.ACCESS_NEARLINK", permStatList[0].permissionName); EXPECT_EQ(permStatList[0].grantStatus[0], PERMISSION_GRANTED); - EXPECT_EQ(permStatList[0].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(permStatList[0].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); ASSERT_EQ("ohos.permission.READ_WRITE_DESKTOP_DIRECTORY", permStatList[1].permissionName); EXPECT_EQ(permStatList[1].grantStatus[0], PERMISSION_GRANTED); EXPECT_EQ(permStatList[1].grantFlags[0], PERMISSION_SYSTEM_FIXED); diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp index ae21df44b..06aea9862 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp @@ -1219,7 +1219,7 @@ HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest008, TestSize.Level0) AccessTokenKit::GetReqPermissions(fullTokenId.tokenIdExStruct.tokenID, state, false); EXPECT_EQ(static_cast(2), state.size()); EXPECT_EQ(state[0].grantStatus[0], PERMISSION_GRANTED); - EXPECT_EQ(state[0].grantFlags[0], PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(state[0].grantFlags[0], PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(state[1].grantStatus[0], PERMISSION_DENIED); EXPECT_EQ(state[1].grantFlags[0], PERMISSION_DEFAULT_FLAG); @@ -1276,7 +1276,7 @@ HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest009, TestSize.Level0) EXPECT_EQ(state[0].grantStatus[0], PERMISSION_GRANTED); EXPECT_EQ(state[0].grantFlags[0], PERMISSION_SYSTEM_FIXED); EXPECT_EQ(state[1].grantStatus[0], PERMISSION_DENIED); - EXPECT_EQ(state[1].grantFlags[0], PERMISSION_USER_FIXED | PERMISSION_GRANTED_BY_POLICY); + EXPECT_EQ(state[1].grantFlags[0], PERMISSION_USER_FIXED | PERMISSION_PRE_AUTHORIZED_CANCELABLE); EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(fullTokenId.tokenIdExStruct.tokenID)); } diff --git a/interfaces/innerkits/accesstoken/test/unittest/PermissionsTest/clear_user_granted__permission_state_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/PermissionsTest/clear_user_granted__permission_state_test.cpp index bc84fa973..2547a1bd7 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/PermissionsTest/clear_user_granted__permission_state_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/PermissionsTest/clear_user_granted__permission_state_test.cpp @@ -138,14 +138,14 @@ HWTEST_F(ClearUserGrantedPermissionStateTest, ClearUserGrantedPermissionStateFun .isGeneral = true, .resDeviceID = {"local"}, .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_DENIED}, - .grantFlags = {PERMISSION_GRANTED_BY_POLICY | PERMISSION_DEFAULT_FLAG} + .grantFlags = {PERMISSION_PRE_AUTHORIZED_CANCELABLE | PERMISSION_DEFAULT_FLAG} }; OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState2 = { .permissionName = "ohos.permission.SEND_MESSAGES", .isGeneral = true, .resDeviceID = {"local"}, .grantStatus = {OHOS::Security::AccessToken::PermissionState::PERMISSION_DENIED}, - .grantFlags = {PERMISSION_GRANTED_BY_POLICY | PERMISSION_USER_FIXED} + .grantFlags = {PERMISSION_PRE_AUTHORIZED_CANCELABLE | PERMISSION_USER_FIXED} }; OHOS::Security::AccessToken::PermissionStateFull infoManagerTestState3 = { .permissionName = "ohos.permission.RECEIVE_SMS", diff --git a/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp index 6cb648279..1820fa25d 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/SecurityComponentTest/security_component_grant_test.cpp @@ -182,7 +182,7 @@ HWTEST_F(SecurityComponentGrantTest, SecurityComponentGrantTest003, TestSize.Lev ASSERT_NE(tokenID, INVALID_TOKENID); // system grant - int32_t res = TestCommon::GrantPermissionByTest(tokenID, TEST_PERMISSION, PERMISSION_GRANTED_BY_POLICY); + int32_t res = TestCommon::GrantPermissionByTest(tokenID, TEST_PERMISSION, PERMISSION_PRE_AUTHORIZED_CANCELABLE); ASSERT_EQ(res, RET_SUCCESS); // security component grant diff --git a/interfaces/innerkits/accesstoken/test/unittest/common/test_common.cpp b/interfaces/innerkits/accesstoken/test/unittest/common/test_common.cpp index bd50abdad..9c22c054a 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/common/test_common.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/common/test_common.cpp @@ -336,6 +336,14 @@ int32_t TestCommon::RevokePermissionByTest(AccessTokenID tokenID, const std::str return AccessTokenKit::RevokePermission(tokenID, permission, flag); } +int32_t TestCommon::ClearUserGrantedPermissionStateByTest(AccessTokenID tokenID) +{ + std::vector reqPerm; + reqPerm.emplace_back("ohos.permission.REVOKE_SENSITIVE_PERMISSIONS"); + MockHapToken mock("AccessTokenTestRevoke", reqPerm); + return AccessTokenKit::ClearUserGrantedPermissionState(tokenID); +} + AccessTokenID TestCommon::GetNativeTokenIdFromProcess(const std::string &process) { uint64_t selfTokenId = GetSelfTokenID(); diff --git a/interfaces/innerkits/accesstoken/test/unittest/common/test_common.h b/interfaces/innerkits/accesstoken/test/unittest/common/test_common.h index 56d814aad..3ac03a171 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/common/test_common.h +++ b/interfaces/innerkits/accesstoken/test/unittest/common/test_common.h @@ -71,6 +71,7 @@ public: int32_t userID, const std::string& bundleName, int32_t instIndex); static int32_t GrantPermissionByTest(AccessTokenID tokenID, const std::string& permission, uint32_t flag); static int32_t RevokePermissionByTest(AccessTokenID tokenID, const std::string& permission, uint32_t flag); + static int32_t ClearUserGrantedPermissionStateByTest(AccessTokenID tokenID); static int32_t GetReqPermissionsByTest( AccessTokenID tokenID, std::vector& permStatList, bool isSystemGrant); static int32_t GetPermissionFlagByTest(AccessTokenID tokenID, const std::string& permission, uint32_t& flag); diff --git a/services/accesstokenmanager/idl/IAccessTokenManager.idl b/services/accesstokenmanager/idl/IAccessTokenManager.idl index d2e29972a..a3fab9519 100644 --- a/services/accesstokenmanager/idl/IAccessTokenManager.idl +++ b/services/accesstokenmanager/idl/IAccessTokenManager.idl @@ -92,4 +92,5 @@ interface OHOS.Security.AccessToken.IAccessTokenManager{ [ipccode 102, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void UpdateSecCompEnhance([in] int pid, [in] unsigned int seqNum); [ipccode 103, macrodef SECURITY_COMPONENT_ENHANCE_ENABLE] void GetSecCompEnhance([in] int pid, [out] SecCompEnhanceDataParcel enhanceParcel); [ipccode 104] void IsToastShownNeeded([in] int pid, [out] boolean needToShow); + [ipccode 105] void SetPermissionStatusWithPolicy([in] unsigned int tokenID, [in] List permissionList, [in] int status, [in] unsigned int flag); } diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_data_brief.h b/services/accesstokenmanager/main/cpp/include/permission/permission_data_brief.h index 45a5d82ff..fae1b482f 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_data_brief.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_data_brief.h @@ -98,6 +98,7 @@ private: void UpdatePermStatus(const BriefPermData& permOld, BriefPermData& permNew); uint32_t GetFlagWroteToDb(uint32_t grantFlag); void MergePermBriefData(std::vector& permBriefDataList, BriefPermData& data); + bool isRestrictedPermission(uint32_t oldFlag, uint32_t newFlag); int32_t UpdatePermStateList(AccessTokenID tokenId, uint32_t opCode, bool isGranted, uint32_t flag); int32_t UpdateSecCompGrantedPermList(AccessTokenID tokenId, const std::string& permissionName, bool isToGrant); int32_t VerifyPermissionStatus(AccessTokenID tokenID, uint32_t permCode); diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h index 71e96caf7..f2d8d6a26 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h @@ -71,12 +71,20 @@ public: bool isGranted, uint32_t flag); int32_t CheckAndUpdatePermissionInner(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag); + int32_t CheckMultiPermissionStatus( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); + int32_t UpdateMultiPermissionStatus( + AccessTokenID tokenID, const std::vector &permissionList, int32_t status, uint32_t flag); + int32_t CheckAndUpdateMultiPermissionStatus( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); int32_t UpdatePermission(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag, bool needKill); int32_t GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag); int32_t RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag); int32_t GrantPermissionForSpecifiedTime( AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime); + int32_t SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag); void GetSelfPermissionState(const std::vector& permsList, PermissionListState& permState, int32_t apiVersion); int32_t AddPermStateChangeCallback( @@ -109,6 +117,12 @@ private: void ScopeToString( const std::vector& tokenIDs, const std::vector& permList); int32_t ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes); + int32_t UpdateTokenPermissionState(const std::shared_ptr& infoPtr, AccessTokenID tokenID, + const std::string& permission, bool isGranted, uint32_t flag, bool needKill); + int32_t UpdateMultiTokenPermissionState(const std::shared_ptr &infoPtr, AccessTokenID tokenID, + const std::vector &permissionList, bool isGranted, uint32_t flag, bool needKill); + int32_t UpdateMultiTokenPermissionStateCheck(const std::shared_ptr &infoPtr, + AccessTokenID tokenID, const std::vector &permissionList); int32_t UpdateTokenPermissionState( AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag, bool needKill); int32_t UpdateTokenPermissionStateCheck(const std::shared_ptr& infoPtr, @@ -123,6 +137,7 @@ private: const std::string& appDistributionType, HapInfoCheckResult& result); void GetMasterAppUndValues(AccessTokenID tokenId, std::vector& undefValues); std::shared_ptr GetAbilityManager(); + bool HandlePermissionDeniedCase(uint32_t goalGrantFlag, PermissionListState& permState); PermissionGrantEvent grantEvent_; static std::recursive_mutex mutex_; diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_validator.h b/services/accesstokenmanager/main/cpp/include/permission/permission_validator.h index aec8b663e..e679272d1 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_validator.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_validator.h @@ -31,6 +31,7 @@ public: static bool IsUserIdValid(const int32_t userID); static bool IsToggleStatusValid(const uint32_t status); static bool IsPermissionFlagValid(uint32_t flag); + static bool IsPermissionFlagValidForAdmin(uint32_t flag); static bool IsPermissionDefValid(const PermissionDef& permDef); static bool IsPermissionStateValid(const PermissionStatus& permState); static void FilterInvalidPermissionDef( diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h index 8d70754ed..f366a9568 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h @@ -76,6 +76,8 @@ public: int GrantPermissionForSpecifiedTime( AccessTokenID tokenID, const std::string& permissionName, uint32_t onceTime) override; int ClearUserGrantedPermissionState(AccessTokenID tokenID) override; + int32_t SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) override; int DeleteToken(AccessTokenID tokenID) override; int GetTokenType(AccessTokenID tokenID); int GetTokenType(AccessTokenID tokenID, int32_t& tokenType) override; diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp index d1986c22a..77778dbce 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp @@ -261,6 +261,20 @@ void PermissionDataBrief::AddPermToBriefPermission( void PermissionDataBrief::UpdatePermStatus(const BriefPermData& permOld, BriefPermData& permNew) { + // If old permission is fixed by admin policy or admin cancel, and new permisson is fixed by system, + // use new initalized state. + if (((permOld.flag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0 || + (permOld.flag & PERMISSION_ADMIN_POLICIES_CANCEL) != 0) && + (permNew.flag == PERMISSION_SYSTEM_FIXED)) { + return; + } + // If old permission is admin cancel, and new permisson is pre_authorization cancelable, + // use new initalized state. + if ((permOld.flag & PERMISSION_ADMIN_POLICIES_CANCEL) != 0 && + permNew.flag == PERMISSION_PRE_AUTHORIZED_CANCELABLE) { + return; + } + // if user_grant permission is not operated by user, it keeps the new initalized state. // the new state can be pre_authorization. if ((permOld.flag == PERMISSION_DEFAULT_FLAG) && (permOld.status == PERMISSION_DENIED)) { @@ -271,7 +285,7 @@ void PermissionDataBrief::UpdatePermStatus(const BriefPermData& permOld, BriefPe if ((permOld.flag == PERMISSION_SYSTEM_FIXED) || // if old user_grant permission is granted by pre_authorization unfixed // and the user has not operated this permission, it keeps the new initalized state. - (permOld.flag == PERMISSION_GRANTED_BY_POLICY)) { + (permOld.flag == PERMISSION_PRE_AUTHORIZED_CANCELABLE)) { return; } @@ -403,10 +417,32 @@ int32_t PermissionDataBrief::StorePermissionBriefData(AccessTokenID tokenId, static uint32_t UpdateWithNewFlag(uint32_t oldFlag, uint32_t currFlag) { - uint32_t newFlag = currFlag | (oldFlag & PERMISSION_GRANTED_BY_POLICY); + uint32_t newFlag = currFlag | (oldFlag & PERMISSION_PRE_AUTHORIZED_CANCELABLE); return newFlag; } +/** + * @brief Check whether the permission is restricted by admin policy and cannot be modified. + * Returns true if: + * - the oldFlag was set with PERMISSION_FIXED_BY_ADMIN_POLICY, and + * - the newFlag does NOT contain any of the following flags: + * PERMISSION_FIXED_BY_ADMIN_POLICY, PERMISSION_SYSTEM_FIXED, or PERMISSION_ADMIN_POLICIES_CANCEL. + * This indicates that the permission is controlled by admin policy and cannot be modified. + * + * @param oldFlag The original permission flag before modification. + * @param newFlag The new permission flag to be applied. + * @return Returns true if the permission is restricted and cannot be modified; + * otherwise returns false. + */ +bool PermissionDataBrief::isRestrictedPermission(uint32_t oldFlag, uint32_t newFlag) +{ + bool isFixedByAdmin = ((oldFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) == PERMISSION_FIXED_BY_ADMIN_POLICY); + bool newFlagDoesNotHaveFixedAdmin = (newFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) == 0; + bool newFlagHasNoSystemFixed = (newFlag & PERMISSION_SYSTEM_FIXED) == 0; + bool newFlagHasNoAdminCancel = (newFlag & PERMISSION_ADMIN_POLICIES_CANCEL) == 0; + return isFixedByAdmin && newFlagDoesNotHaveFixedAdmin && newFlagHasNoSystemFixed && newFlagHasNoAdminCancel; +} + int32_t PermissionDataBrief::UpdatePermStateList( AccessTokenID tokenId, uint32_t opCode, bool isGranted, uint32_t flag) { @@ -424,13 +460,26 @@ int32_t PermissionDataBrief::UpdatePermStateList( LOGC(ATM_DOMAIN, ATM_TAG, "Permission not request!"); return AccessTokenError::ERR_PARAM_INVALID; } - if ((static_cast(iter->flag) & PERMISSION_SYSTEM_FIXED) == PERMISSION_SYSTEM_FIXED) { LOGC(ATM_DOMAIN, ATM_TAG, "Permission fixed by system!"); return AccessTokenError::ERR_PARAM_INVALID; } - iter->status = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED; + if (isRestrictedPermission(iter->flag, flag)) { + LOGC(ATM_DOMAIN, ATM_TAG, "Oldflag: %{public}d, invalid params!", iter->flag); + return AccessTokenError::ERR_PERMISSION_RESTRICTED; + } + if ((flag & PERMISSION_ADMIN_POLICIES_CANCEL) == PERMISSION_ADMIN_POLICIES_CANCEL && + (iter->flag & PERMISSION_FIXED_BY_ADMIN_POLICY) == 0) { + LOGC(ATM_DOMAIN, ATM_TAG, "Permission is not fixed by admin policy, cannot cancel."); + return AccessTokenError::ERR_PARAM_INVALID; + } + if ((flag & PERMISSION_ADMIN_POLICIES_CANCEL) == 0) { + iter->status = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED; + } iter->flag = UpdateWithNewFlag(iter->flag, flag); + LOGI(ATM_DOMAIN, ATM_TAG, + "Update perm state list, tokenId: %{public}d, permCode: %{public}d, status: %{public}d, flag: %{public}d", + tokenId, opCode, iter->status, iter->flag); return RET_SUCCESS; } @@ -503,9 +552,12 @@ int32_t PermissionDataBrief::ResetUserGrantPermissionStatus(AccessTokenID tokenI } /* A user_grant permission has been set by system for cancellable pre-authorization. */ /* it should keep granted when the app reset. */ - if ((oldFlag & PERMISSION_GRANTED_BY_POLICY) != 0) { + if ((oldFlag & PERMISSION_PRE_AUTHORIZED_CANCELABLE) != 0) { perm.status = PERMISSION_GRANTED; - perm.flag = PERMISSION_GRANTED_BY_POLICY; + perm.flag = PERMISSION_PRE_AUTHORIZED_CANCELABLE; + continue; + } + if ((oldFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0) { continue; } perm.status = PERMISSION_DENIED; diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 949652a13..0a639ff58 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -207,6 +207,37 @@ static bool IsPermissionRestrictedByRules(const std::string& permission) return false; } +bool PermissionManager::HandlePermissionDeniedCase(uint32_t goalGrantFlag, PermissionListState& permState) +{ + if ((goalGrantFlag & PERMISSION_FIXED_BY_ADMIN_POLICY) != 0) { + permState.state = INVALID_OPER; + permState.errorReason = FIXED_BY_POLICY; + return true; + } + if ((goalGrantFlag & PERMISSION_ADMIN_POLICIES_CANCEL) != 0) { + permState.state = SETTING_OPER; + permState.errorReason = REQ_SUCCESS; + return true; + } + if ((goalGrantFlag & PERMISSION_FIXED_FOR_SECURITY_POLICY) != 0) { + permState.state = SETTING_OPER; + permState.errorReason = REQ_SUCCESS; + return true; + } + if ((goalGrantFlag == PERMISSION_DEFAULT_FLAG) || ((goalGrantFlag & PERMISSION_USER_SET) != 0) || + ((goalGrantFlag & PERMISSION_COMPONENT_SET) != 0) || ((goalGrantFlag & PERMISSION_ALLOW_THIS_TIME) != 0)) { + permState.state = DYNAMIC_OPER; + permState.errorReason = REQ_SUCCESS; + return true; + } + if ((goalGrantFlag & PERMISSION_USER_FIXED) != 0) { + permState.state = SETTING_OPER; + permState.errorReason = REQ_SUCCESS; + return true; + } + return false; +} + void PermissionManager::GetSelfPermissionState(const std::vector& permsList, PermissionListState& permState, int32_t apiVersion) { @@ -230,24 +261,8 @@ void PermissionManager::GetSelfPermissionState(const std::vector infoGuard(this->permParamSetLock_); if (filtered || (IsUserGrantPermission(permissionName) && - ((flag != PERMISSION_GRANTED_BY_POLICY) && (flag != PERMISSION_SYSTEM_FIXED)))) { + ((flag != PERMISSION_PRE_AUTHORIZED_CANCELABLE) && (flag != PERMISSION_SYSTEM_FIXED)))) { paramValue_++; LOGD(ATM_DOMAIN, ATM_TAG, "paramValue_ change %{public}llu", static_cast(paramValue_)); @@ -367,6 +382,83 @@ void PermissionManager::NotifyWhenPermissionStateUpdated(AccessTokenID tokenID, grantEvent_.AddEvent(tokenID, permissionName, infoPtr->permUpdateTimestamp_); } +int32_t PermissionManager::UpdateTokenPermissionState(const std::shared_ptr& infoPtr, + AccessTokenID tokenID, const std::string& permission, bool isGranted, uint32_t flag, bool needKill) +{ + bool isSecCompGrantedBefore = HapTokenInfoInner::IsPermissionGrantedWithSecComp(tokenID, permission); + bool statusChanged = false; + int32_t ret = infoPtr->UpdatePermissionStatus(permission, isGranted, flag, statusChanged); + if (ret != RET_SUCCESS) { + LOGC(ATM_DOMAIN, ATM_TAG, "Update info perm status failed, ret is %{public}d", ret); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", + HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", UPDATE_PERMISSION_STATUS_FAILED, "TOKENID", + tokenID, "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", ret, "INT_VAL2", + static_cast(flag), "NEED_KILL", needKill); + return ret; + } + if (statusChanged) { + NotifyWhenPermissionStateUpdated(tokenID, permission, isGranted, flag, infoPtr); + // To notify kill process when perm is revoke + if (needKill && (!isGranted && !isSecCompGrantedBefore)) { + LOGI(ATM_DOMAIN, ATM_TAG, "(%{public}s) is revoked, kill process(%{public}u).", permission.c_str(), + tokenID); + std::shared_ptr abilityManagerLoader = GetAbilityManager(); + AbilityManagerAccessLoaderInterface *abilityManager = + abilityManagerLoader->GetObject(); + if (abilityManager == nullptr) { + LOGE(ATM_DOMAIN, ATM_TAG, "AbilityManager is nullptr!"); + } else if ((ret = abilityManager->KillProcessForPermissionUpdate(tokenID)) != ERR_OK) { + LOGE(ATM_DOMAIN, ATM_TAG, "kill process failed, ret=%{public}d.", ret); + } + } + } + return RET_SUCCESS; +} + +int32_t PermissionManager::UpdateMultiTokenPermissionState(const std::shared_ptr &infoPtr, + AccessTokenID tokenID, const std::vector &permissionList, bool isGranted, uint32_t flag, bool needKill) +{ + HapTokenInfo hapInfo; + AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo); + ClearThreadErrorMsg(); + + uint32_t ret = RET_SUCCESS; + bool isHadSuccess = false; + for (const std::string &permissionName : permissionList) { + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION", + HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMOM_START, "TOKENID", + tokenID, "USERID", hapInfo.userID, "BUNDLENAME", hapInfo.bundleName, "INSTINDEX", hapInfo.instIndex, + "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted); + + ret = UpdateTokenPermissionState(infoPtr, tokenID, permissionName, isGranted, flag, needKill); + if (ret != RET_SUCCESS) { + break; + } + + isHadSuccess = true; + + uint32_t newFlag = flag; + if (GetPermissionFlag(tokenID, permissionName, flag) == RET_SUCCESS) { + flag = newFlag; + } + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION", + HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMON_FINISH, + "TOKENID", tokenID, "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted, + "ERROR_CODE", ret); + ReportSysCommonEventError(static_cast(isGranted ? + IAccessTokenManagerIpcCode::COMMAND_GRANT_PERMISSION : + IAccessTokenManagerIpcCode::COMMAND_REVOKE_PERMISSION), ret); + } + + if (isHadSuccess) { + ParamFlagUpdate(); +#ifdef TOKEN_SYNC_ENABLE + TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID); +#endif + } + return ret; +} + int32_t PermissionManager::UpdateTokenPermissionState( AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag, bool needKill) { @@ -449,6 +541,76 @@ int32_t PermissionManager::UpdateTokenPermissionStateCheck(const std::shared_ptr return ERR_OK; } +int32_t PermissionManager::UpdateMultiPermissionStatus( + AccessTokenID tokenID, const std::vector &permissionList, int32_t status, uint32_t flag) +{ + bool isGranted = (status == PERMISSION_GRANTED); + bool needKill = false; + // To kill process when perm is revoke + if (!isGranted) { + LOGI(ATM_DOMAIN, ATM_TAG, "Perm is revoked, kill process(%{public}u).", tokenID); + needKill = true; + } + + std::shared_ptr infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID); + if (infoPtr == nullptr) { + LOGC(ATM_DOMAIN, ATM_TAG, "tokenInfo is null, tokenId=%{public}u.", tokenID); + return AccessTokenError::ERR_TOKENID_NOT_EXIST; + } + + int32_t ret = UpdateMultiTokenPermissionStateCheck(infoPtr, tokenID, permissionList); + if (ret != RET_SUCCESS) { + return ret; + } + + ret = UpdateMultiTokenPermissionState(infoPtr, tokenID, permissionList, isGranted, flag, needKill); + if (ret != RET_SUCCESS) { + LOGC(ATM_DOMAIN, ATM_TAG, "Update permission %{public}u failed, ret is %{public}d.", tokenID, ret); + return ret; + } + +#ifdef SUPPORT_SANDBOX_APP + // The action of sharing would be taken place only if the grant operation or revoke operation equals to success. + std::vector tokenIdList; + AccessTokenInfoManager::GetInstance().GetRelatedSandBoxHapList(tokenID, tokenIdList); + for (const auto &id : tokenIdList) { + (void)UpdateMultiTokenPermissionState(infoPtr, id, permissionList, isGranted, flag, needKill); + } +#endif + + return RET_SUCCESS; +} + +int32_t PermissionManager::UpdateMultiTokenPermissionStateCheck(const std::shared_ptr &infoPtr, + AccessTokenID tokenID, const std::vector &permissionList) +{ + if (infoPtr->IsRemote()) { + LOGC(ATM_DOMAIN, ATM_TAG, "Remote token can not update."); + return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; + } + +#ifdef SUPPORT_SANDBOX_APP + int32_t hapDlpType = infoPtr->GetDlpType(); + if (hapDlpType == DLP_COMMON) { + return RET_SUCCESS; + } + for (const std::string& permissionName : permissionList) { + int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permissionName); + if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) { + LOGC(ATM_DOMAIN, ATM_TAG, + "%{public}s cannot to be granted to %{public}u.", permissionName.c_str(), tokenID); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", + HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", DLP_CHECK_FAILED, "TOKENID", tokenID, "PERM", + permissionName, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", hapDlpType, + "INT_VAL2", permDlpMode); + return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; + } + } +#endif + + return RET_SUCCESS; +} + int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag, bool needKill) { @@ -482,7 +644,7 @@ int32_t PermissionManager::CheckAndUpdatePermission(AccessTokenID tokenID, const LOGC(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str()); return AccessTokenError::ERR_PERMISSION_NOT_EXIST; } - if (!PermissionValidator::IsPermissionFlagValid(flag)) { + if (!PermissionValidator::IsPermissionFlagValid(flag) || PermissionValidator::IsPermissionFlagValidForAdmin(flag)) { LOGC(ATM_DOMAIN, ATM_TAG, "flag: %{public}d, Invalid params!", flag); return AccessTokenError::ERR_PARAM_INVALID; } @@ -524,6 +686,44 @@ int32_t PermissionManager::CheckAndUpdatePermissionInner(AccessTokenID tokenID, return ret; } +int32_t PermissionManager::CheckMultiPermissionStatus( + AccessTokenID tokenID, const std::vector &permissionList, int32_t status, uint32_t flag) +{ + if (!PermissionValidator::IsPermissionFlagValidForAdmin(flag)) { + LOGC(ATM_DOMAIN, ATM_TAG, "flag: %{public}d, Invalid params!", flag); + return AccessTokenError::ERR_PARAM_INVALID; + } + for (const std::string& permissionName : permissionList) { + LOGI(ATM_DOMAIN, ATM_TAG, + "tokenID: %{public}d, permissionName: %{public}s, status: %{public}d, flag: %{public}d.", tokenID, + permissionName.c_str(), status, flag); + if (!IsDefinedPermission(permissionName)) { + LOGC(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str()); + return AccessTokenError::ERR_PERMISSION_NOT_EXIST; + } + if (!IsUserGrantPermission(permissionName)) { + LOGC(ATM_DOMAIN, ATM_TAG, "Only support permissions of user_grant to set."); + return AccessTokenError::ERR_PARAM_INVALID; + } + } + return RET_SUCCESS; +} + +int32_t PermissionManager::CheckAndUpdateMultiPermissionStatus( + AccessTokenID tokenID, const std::vector &permissionList, int32_t status, uint32_t flag) +{ + int32_t ret = RET_SUCCESS; + ret = CheckMultiPermissionStatus(tokenID, permissionList, status, flag); + if (ret != RET_SUCCESS) { + return ret; + } + ret = UpdateMultiPermissionStatus(tokenID, permissionList, status, flag); + if (ret != RET_SUCCESS) { + return ret; + } + return RET_SUCCESS; +} + int32_t PermissionManager::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag) { LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, flag: %{public}d", @@ -560,6 +760,13 @@ void PermissionManager::ScopeToString( tokenidStr.c_str(), permStr.c_str()); } +int32_t PermissionManager::SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, status: %{public}d, flag: %{public}u.", tokenID, status, flag); + return CheckAndUpdateMultiPermissionStatus(tokenID, permissionList, status, flag); +} + int32_t PermissionManager::ScopeFilter(const PermStateChangeScope& scopeSrc, PermStateChangeScope& scopeRes) { std::set tokenIdSet; @@ -1032,7 +1239,7 @@ bool PermissionManager::InitPermissionList(const HapInitInfo& initInfo, std::vec } bool userCancelable = true; if (IsUserGrantPermPreAuthorized(initInfo.policy.preAuthorizationInfo, state.permissionName, userCancelable)) { - state.grantFlag = userCancelable ? PERMISSION_GRANTED_BY_POLICY : PERMISSION_SYSTEM_FIXED; + state.grantFlag = userCancelable ? PERMISSION_PRE_AUTHORIZED_CANCELABLE : PERMISSION_SYSTEM_FIXED; state.grantStatus = PERMISSION_GRANTED; } initializedList.emplace_back(state); diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp index 941fafe1f..814f474da 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_validator.cpp @@ -40,6 +40,11 @@ bool PermissionValidator::IsPermissionFlagValid(uint32_t flag) return DataValidator::IsPermissionFlagValid(flag); } +bool PermissionValidator::IsPermissionFlagValidForAdmin(uint32_t flag) +{ + return DataValidator::IsPermissionFlagValidForAdmin(flag); +} + bool PermissionValidator::IsPermissionNameValid(const std::string& permissionName) { return DataValidator::IsPermissionNameValid(permissionName); diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index b4a333560..ff8b9519b 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp @@ -81,6 +81,7 @@ const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITI const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS"; const std::string DISABLE_PERMISSION_DIALOG = "ohos.permission.DISABLE_PERMISSION_DIALOG"; const std::string GRANT_SHORT_TERM_WRITE_MEDIAVIDEO = "ohos.permission.GRANT_SHORT_TERM_WRITE_MEDIAVIDEO"; +const std::string MANAGE_EDM_POLICY = "ohos.permission.MANAGE_EDM_POLICY"; static constexpr int32_t SA_ID_ACCESSTOKEN_MANAGER_SERVICE = 3503; @@ -404,11 +405,11 @@ int AccessTokenManagerService::GetPermissionFlag( if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { return AccessTokenError::ERR_NOT_SYSTEM_APP; } - if (!IsPrivilegedCalling() && VerifyAccessToken(callingTokenID, GRANT_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED && VerifyAccessToken(callingTokenID, REVOKE_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED && - VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED) { + VerifyAccessToken(callingTokenID, GET_SENSITIVE_PERMISSIONS) == PERMISSION_DENIED && + VerifyAccessToken(callingTokenID, MANAGE_EDM_POLICY) == PERMISSION_DENIED) { LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d)", callingTokenID); return AccessTokenError::ERR_PERMISSION_DENIED; } @@ -545,6 +546,30 @@ int AccessTokenManagerService::ClearUserGrantedPermissionState(AccessTokenID tok return RET_SUCCESS; } +int32_t AccessTokenManagerService::SetPermissionStatusWithPolicy( + AccessTokenID tokenID, const std::vector& permissionList, int32_t status, uint32_t flag) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "tokenID: %{public}d, permList size:%{public}zu, status: %{public}d, flag: %{public}u.", + tokenID, permissionList.size(), status, flag); + AccessTokenID callingTokenID = IPCSkeleton::GetCallingTokenID(); + if ((this->GetTokenType(callingTokenID) == TOKEN_HAP) && (!IsSystemAppCalling())) { + return AccessTokenError::ERR_NOT_SYSTEM_APP; + } + if (!IsPrivilegedCalling() && + VerifyAccessToken(callingTokenID, MANAGE_EDM_POLICY) == PERMISSION_DENIED) { + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_VERIFY_REPORT", + HiviewDFX::HiSysEvent::EventType::SECURITY, "CODE", VERIFY_PERMISSION_ERROR, "CALLER_TOKENID", + callingTokenID); + LOGE(ATM_DOMAIN, ATM_TAG, "Permission denied(tokenID=%{public}d).", callingTokenID); + return AccessTokenError::ERR_PERMISSION_DENIED; + } + if (!DataValidator::IsPermissionListSizeValid(permissionList)) { + LOGE(ATM_DOMAIN, ATM_TAG, "PermissionList size is invalid: %{public}zu.", permissionList.size()); + return AccessTokenError::ERR_PARAM_INVALID; + } + return PermissionManager::GetInstance().SetPermissionStatusWithPolicy(tokenID, permissionList, status, flag); +} + int32_t AccessTokenManagerService::RegisterPermStateChangeCallback( const PermStateChangeScopeParcel& scope, const sptr& callback) { diff --git a/services/accesstokenmanager/test/unittest/accesstoken_info_manager_test.cpp b/services/accesstokenmanager/test/unittest/accesstoken_info_manager_test.cpp index b15a294ee..196fb9fd7 100644 --- a/services/accesstokenmanager/test/unittest/accesstoken_info_manager_test.cpp +++ b/services/accesstokenmanager/test/unittest/accesstoken_info_manager_test.cpp @@ -1821,7 +1821,20 @@ HWTEST_F(AccessTokenInfoManagerTest, UpdatePermissionStatus001, TestSize.Level0) flag = PermissionFlag::PERMISSION_DEFAULT_FLAG; ASSERT_EQ(RET_SUCCESS, PermissionDataBrief::GetInstance().UpdatePermissionStatus(tokenId, "ohos.permission.CAMERA", isGranted, flag, changed)); - + + flag = PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL; + ASSERT_EQ(ERR_PARAM_INVALID, PermissionDataBrief::GetInstance().UpdatePermissionStatus(tokenId, + "ohos.permission.CAMERA", isGranted, flag, changed)); + flag = PermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY; + ASSERT_EQ(RET_SUCCESS, PermissionDataBrief::GetInstance().UpdatePermissionStatus(tokenId, + "ohos.permission.CAMERA", isGranted, flag, changed)); + flag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY; + ASSERT_EQ(ERR_PERMISSION_RESTRICTED, PermissionDataBrief::GetInstance().UpdatePermissionStatus(tokenId, + "ohos.permission.CAMERA", isGranted, flag, changed)); + flag = PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL; + ASSERT_EQ(RET_SUCCESS, PermissionDataBrief::GetInstance().UpdatePermissionStatus(tokenId, + "ohos.permission.CAMERA", isGranted, flag, changed)); + // flag == PERMISSION_COMPONENT_SET flag = PermissionFlag::PERMISSION_COMPONENT_SET; ASSERT_EQ(RET_SUCCESS, PermissionDataBrief::GetInstance().UpdatePermissionStatus(tokenId, @@ -1839,6 +1852,43 @@ HWTEST_F(AccessTokenInfoManagerTest, UpdatePermissionStatus001, TestSize.Level0) "ohos.permission.CAMERA", isGranted, flag, changed)); } +/** + * @tc.name: UpdatePermStatus001 + * @tc.desc: PermissionDataBrief::UpdatePermStatus function test + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(AccessTokenInfoManagerTest, UpdatePermStatus001, TestSize.Level0) +{ + BriefPermData permOld; + BriefPermData permNew; + + permOld.flag = PermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY; + permOld.status = PERMISSION_DENIED; + + permNew.flag = PermissionFlag::PERMISSION_SYSTEM_FIXED; + permNew.status = PERMISSION_GRANTED; + PermissionDataBrief::GetInstance().UpdatePermStatus(permOld, permNew); + ASSERT_NE(permOld.status, permNew.status); + + permOld.flag = PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL; + PermissionDataBrief::GetInstance().UpdatePermStatus(permOld, permNew); + ASSERT_NE(permOld.status, permNew.status); + + permOld.flag = PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL; + permNew.flag = PermissionFlag::PERMISSION_PRE_AUTHORIZED_CANCELABLE; + PermissionDataBrief::GetInstance().UpdatePermStatus(permOld, permNew); + ASSERT_NE(permOld.status, permNew.status); + + permOld.flag = PermissionFlag::PERMISSION_SYSTEM_FIXED; + PermissionDataBrief::GetInstance().UpdatePermStatus(permOld, permNew); + ASSERT_NE(permOld.status, permNew.status); + + permOld.flag = PermissionFlag::PERMISSION_PRE_AUTHORIZED_CANCELABLE; + PermissionDataBrief::GetInstance().UpdatePermStatus(permOld, permNew); + ASSERT_NE(permOld.status, permNew.status); +} + #ifdef TOKEN_SYNC_ENABLE /** * @tc.name: MapRemoteDeviceTokenToLocal001 diff --git a/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp b/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp index a60d0dd3f..c0b616816 100644 --- a/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp +++ b/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp @@ -867,6 +867,25 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest008, TestSize.Level0) ASSERT_EQ(0, atManagerService_->DeleteToken(tokenId)); } + +/** + * @tc.name: SetPermissionStatusWithPolicy001 + * @tc.desc: AccessTokenManagerService SetPermissionStatusWithPolicy test. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(AccessTokenManagerServiceTest, SetPermissionStatusWithPolicy001, TestSize.Level0) +{ + std::vector permList; + uint32_t ret = atManagerService_->SetPermissionStatusWithPolicy( + 0, permList, 0, PERMISSION_FIXED_BY_ADMIN_POLICY); + ASSERT_EQ(ERR_PARAM_INVALID, ret); + + permList.resize(1024 + 1, 0); + ret = atManagerService_->SetPermissionStatusWithPolicy( + 0, permList, 0, PERMISSION_FIXED_BY_ADMIN_POLICY); + ASSERT_EQ(ERR_PARAM_INVALID, ret); +} } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp index 8f6886d51..8efa635e2 100644 --- a/services/accesstokenmanager/test/unittest/permission_manager_test.cpp +++ b/services/accesstokenmanager/test/unittest/permission_manager_test.cpp @@ -130,25 +130,49 @@ static PermissionStatus g_permState2 = { static PermissionStatus g_permState6 = { .permissionName = "ohos.permission.CAMERA", .grantStatus = PermissionState::PERMISSION_DENIED, - .grantFlag = PermissionFlag::PERMISSION_POLICY_FIXED + .grantFlag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY }; static PermissionStatus g_permState7 = { .permissionName = "ohos.permission.CAMERA", .grantStatus = PermissionState::PERMISSION_GRANTED, - .grantFlag = PermissionFlag::PERMISSION_POLICY_FIXED + .grantFlag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY }; static PermissionStatus g_permState8 = { .permissionName = "ohos.permission.CAMERA", .grantStatus = PermissionState::PERMISSION_DENIED, - .grantFlag = PermissionFlag::PERMISSION_POLICY_FIXED | PermissionFlag::PERMISSION_USER_SET + .grantFlag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY | PermissionFlag::PERMISSION_USER_SET }; static PermissionStatus g_permState9 = { .permissionName = "ohos.permission.CAMERA", .grantStatus = PermissionState::PERMISSION_GRANTED, - .grantFlag = PermissionFlag::PERMISSION_POLICY_FIXED | PermissionFlag::PERMISSION_USER_SET + .grantFlag = PermissionFlag::PERMISSION_FIXED_FOR_SECURITY_POLICY | PermissionFlag::PERMISSION_USER_SET +}; + +static PermissionStatus g_permState10 = { + .permissionName = "ohos.permission.CAMERA", + .grantStatus = PermissionState::PERMISSION_DENIED, + .grantFlag = PermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY +}; + +static PermissionStatus g_permState11 = { + .permissionName = "ohos.permission.CAMERA", + .grantStatus = PermissionState::PERMISSION_DENIED, + .grantFlag = PermissionFlag::PERMISSION_ADMIN_POLICIES_CANCEL +}; + +static PermissionStatus g_permState12 = { + .permissionName = "ohos.permission.CAMERA", + .grantStatus = PermissionState::PERMISSION_DENIED, + .grantFlag = PermissionFlag::PERMISSION_DEFAULT_FLAG +}; + +static PermissionStatus g_permState13 = { + .permissionName = "ohos.permission.CAMERA", + .grantStatus = PermissionState::PERMISSION_DENIED, + .grantFlag = PermissionFlag::PERMISSION_USER_FIXED }; static PermissionDef g_infoManagerPermDef1 = { @@ -523,7 +547,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState002, TestSize.Level0) permState1.permissionName = "ohos.permission.CAMERA"; int32_t apiVersion = ACCURATE_LOCATION_API_VERSION; - // flag is PERMISSION_POLICY_FIXED and state is denied, return SETTING_OPER + // flag is PERMISSION_FIXED_FOR_SECURITY_POLICY and state is denied, return SETTING_OPER PermissionManager::GetInstance().GetSelfPermissionState(permsList1, permState1, apiVersion); ASSERT_EQ(PermissionOper::SETTING_OPER, permState1.state); @@ -532,7 +556,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState002, TestSize.Level0) PermissionListState permState2; permState2.permissionName = "ohos.permission.CAMERA"; - // flag is PERMISSION_POLICY_FIXED and state is granted, return PASS_OPER + // flag is PERMISSION_FIXED_FOR_SECURITY_POLICY and state is granted, return PASS_OPER PermissionManager::GetInstance().GetSelfPermissionState(permsList2, permState2, apiVersion); ASSERT_EQ(PermissionOper::PASS_OPER, permState2.state); @@ -541,7 +565,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState002, TestSize.Level0) PermissionListState permState3; permState3.permissionName = "ohos.permission.CAMERA"; - // flag is PERMISSION_POLICY_FIXED | PERMISSION_USER_SET and state is denied, return SETTING_OPER + // flag is PERMISSION_FIXED_FOR_SECURITY_POLICY | PERMISSION_USER_SET and state is denied, return SETTING_OPER PermissionManager::GetInstance().GetSelfPermissionState(permsList3, permState3, apiVersion); ASSERT_EQ(PermissionOper::SETTING_OPER, permState3.state); @@ -550,7 +574,7 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState002, TestSize.Level0) PermissionListState permState4; permState4.permissionName = "ohos.permission.CAMERA"; - // flag is PERMISSION_POLICY_FIXED | PERMISSION_USER_SET and state is granted, return PASS_OPER + // flag is PERMISSION_FIXED_FOR_SECURITY_POLICY | PERMISSION_USER_SET and state is granted, return PASS_OPER PermissionManager::GetInstance().GetSelfPermissionState(permsList4, permState4, apiVersion); ASSERT_EQ(PermissionOper::PASS_OPER, permState4.state); } @@ -578,6 +602,48 @@ HWTEST_F(PermissionManagerTest, GetSelfPermissionState003, TestSize.Level0) AccessTokenInfoManager::GetInstance().SetPermissionRequestToggleStatus(permissionName, oriStatus, 0); } +/** + * @tc.name: GetSelfPermissionState004 + * @tc.desc: PermissionManager::GetSelfPermissionState function test + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(PermissionManagerTest, GetSelfPermissionState004, TestSize.Level0) +{ + std::vector permsList1; + permsList1.emplace_back(g_permState10); + PermissionListState permState1; + permState1.permissionName = "ohos.permission.CAMERA"; + int32_t apiVersion = ACCURATE_LOCATION_API_VERSION; + + PermissionManager::GetInstance().GetSelfPermissionState(permsList1, permState1, apiVersion); + ASSERT_EQ(PermissionOper::INVALID_OPER, permState1.state); + + std::vector permsList2; + permsList2.emplace_back(g_permState11); + PermissionListState permState2; + permState2.permissionName = "ohos.permission.CAMERA"; + + PermissionManager::GetInstance().GetSelfPermissionState(permsList2, permState2, apiVersion); + ASSERT_EQ(PermissionOper::SETTING_OPER, permState2.state); + + std::vector permsList3; + permsList3.emplace_back(g_permState12); + PermissionListState permState3; + permState3.permissionName = "ohos.permission.CAMERA"; + + PermissionManager::GetInstance().GetSelfPermissionState(permsList3, permState3, apiVersion); + ASSERT_EQ(PermissionOper::DYNAMIC_OPER, permState3.state); + + std::vector permsList4; + permsList4.emplace_back(g_permState13); + PermissionListState permState4; + permState4.permissionName = "ohos.permission.CAMERA"; + + PermissionManager::GetInstance().GetSelfPermissionState(permsList4, permState4, apiVersion); + ASSERT_EQ(PermissionOper::SETTING_OPER, permState4.state); +} + /** * @tc.name: GetPermissionFlag001 * @tc.desc: PermissionManager::GetPermissionFlag function test @@ -1711,6 +1777,134 @@ HWTEST_F(PermissionManagerTest, GrantTempPermission020, TestSize.Level0) } /** + * @tc.name: SetPermissionStatusWithPolicy001 + * @tc.desc: SetPermissionStatusWithPolicy test. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(PermissionManagerTest, SetPermissionStatusWithPolicy001, TestSize.Level0) +{ + accessTokenService_->state_ = ServiceRunningState::STATE_RUNNING; + accessTokenService_->Initialize(); + AccessTokenID tokenID = CreateTempHapTokenInfo(); + TempPermissionObserver::GetInstance().RegisterCallback(); + + std::vector permList = {"ohos.permission.APPROXIMATELY_LOCATION"}; + EXPECT_EQ(RET_SUCCESS, PermissionManager::GetInstance().SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY)); + + EXPECT_EQ(ERR_PARAM_INVALID, PermissionManager::GetInstance().SetPermissionStatusWithPolicy( + tokenID, permList, PERMISSION_GRANTED, PERMISSION_ALLOW_THIS_TIME)); + + EXPECT_EQ(ERR_PERMISSION_NOT_EXIST, PermissionManager::GetInstance().SetPermissionStatusWithPolicy( + tokenID, {"ohos.permission.test123"}, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY)); + + EXPECT_EQ(ERR_PARAM_INVALID, PermissionManager::GetInstance().SetPermissionStatusWithPolicy( + tokenID, {"ohos.permission.MANAGE_INPUT_INFRARED_EMITTER"}, + PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY)); +} + +/** + * @tc.name: newUpdateTokenPermissionState003 + * @tc.desc: PermissionManager::UpdateTokenPermissionState function test + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(PermissionManagerTest, newUpdateTokenPermissionState003, TestSize.Level0) +{ + std::string permissionName = "ohos.permission.DUMP"; + uint32_t flag = 0; + + HapInfoParams info = { + .userID = USER_ID, + .bundleName = "permission_manager_test", + .instIndex = INST_INDEX, + .appIDDesc = "permission_manager_test" + }; + PermissionStatus permStat = { + .permissionName = permissionName, + .grantStatus = PermissionState::PERMISSION_DENIED, + .grantFlag = PermissionFlag::PERMISSION_DEFAULT_FLAG + }; + HapPolicy policy = { + .apl = APL_NORMAL, + .domain = "domain", + .permStateList = {permStat} + }; + AccessTokenIDEx tokenIdEx = {0}; + std::vector undefValues; + ASSERT_EQ(RET_SUCCESS, AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(info, policy, tokenIdEx, + undefValues)); + ASSERT_NE(static_cast(0), tokenIdEx.tokenIdExStruct.tokenID); + AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID; + + std::shared_ptr infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenId); + + flag = PERMISSION_ALLOW_THIS_TIME; + ASSERT_EQ(RET_SUCCESS, PermissionManager::GetInstance().UpdateTokenPermissionState( + infoPtr, tokenId, permissionName, false, flag, true)); + + flag = PERMISSION_COMPONENT_SET; + ASSERT_EQ(RET_SUCCESS, PermissionManager::GetInstance().UpdateTokenPermissionState( + infoPtr, tokenId, permissionName, false, flag, true)); + + flag = PERMISSION_USER_FIXED; + ASSERT_EQ(RET_SUCCESS, PermissionManager::GetInstance().UpdateTokenPermissionState( + infoPtr, tokenId, permissionName, false, flag, true)); + + ASSERT_EQ(RET_SUCCESS, AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenId)); +} + +/** + * @tc.name: UpdateMultiTokenPermissionState001 + * @tc.desc: PermissionManager::UpdateMultiTokenPermissionState function test + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(PermissionManagerTest, UpdateMultiTokenPermissionState001, TestSize.Level0) +{ + std::string permissionName = "ohos.permission.DUMP"; + uint32_t flag = 0; + + HapInfoParams info = { + .userID = USER_ID, + .bundleName = "permission_manager_test", + .instIndex = INST_INDEX, + .appIDDesc = "permission_manager_test", + .dlpType = DLP_FULL_CONTROL + }; + PermissionStatus permStat = { + .permissionName = permissionName, + .grantStatus = PermissionState::PERMISSION_DENIED, + .grantFlag = PermissionFlag::PERMISSION_DEFAULT_FLAG + }; + HapPolicy policy = { + .apl = APL_NORMAL, + .domain = "domain", + .permStateList = {permStat} + }; + AccessTokenIDEx tokenIdEx = {0}; + std::vector undefValues; + ASSERT_EQ(RET_SUCCESS, AccessTokenInfoManager::GetInstance().CreateHapTokenInfo(info, policy, tokenIdEx, + undefValues)); + ASSERT_NE(static_cast(0), tokenIdEx.tokenIdExStruct.tokenID); + AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID; + + std::vector permList; + ASSERT_EQ(RET_SUCCESS, PermissionManager::GetInstance().UpdateMultiPermissionStatus( + tokenId, permList, PERMISSION_DENIED, flag)); + + ASSERT_EQ(ERR_TOKENID_NOT_EXIST, PermissionManager::GetInstance().UpdateMultiPermissionStatus( + 0, permList, PERMISSION_DENIED, flag)); + + std::shared_ptr infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenId); + infoPtr->SetRemote(true); + ASSERT_EQ(ERR_IDENTITY_CHECK_FAILED, PermissionManager::GetInstance().UpdateMultiPermissionStatus( + tokenId, permList, PERMISSION_DENIED, flag)); + infoPtr->SetRemote(false); +} + + /** * @tc.name: PermissionCallbackTest001 * @tc.desc: Test nullptr input for callback * @tc.type: FUNC diff --git a/test/fuzztest/innerkits/accesstoken/BUILD.gn b/test/fuzztest/innerkits/accesstoken/BUILD.gn index 157b772d6..4f799c5aa 100644 --- a/test/fuzztest/innerkits/accesstoken/BUILD.gn +++ b/test/fuzztest/innerkits/accesstoken/BUILD.gn @@ -62,6 +62,7 @@ group("fuzztest") { "verifyaccesstoken001_fuzzer:VerifyAccessToken001FuzzTest", "verifyaccesstoken_fuzzer:VerifyAccessTokenFuzzTest", "verifyaccesstokenwithlist_fuzzer:VerifyAccessTokenWithListFuzzTest", + "setpermissionstatuswithpolicy_fuzzer:SetPermissionStatusWithPolicyFuzzTest", ] if (security_component_enhance_enable) { deps += [ diff --git a/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/BUILD.gn b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/BUILD.gn new file mode 100644 index 000000000..85c87d589 --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/BUILD.gn @@ -0,0 +1,43 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//build/config/features.gni") +import("//build/test.gni") +import("../../../../../access_token.gni") + +ohos_fuzztest("SetPermissionStatusWithPolicyFuzzTest") { + module_out_path = module_output_path_interface_access_token + fuzz_config_file = "." + include_dirs = [ + "${access_token_path}/interfaces/innerkits/accesstoken/include", + "${access_token_path}/test/fuzztest/common", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ "setpermissionstatuswithpolicy_fuzzer.cpp" ] + + deps = [ + "${access_token_path}/interfaces/innerkits/accesstoken:libaccesstoken_sdk", + ] + + configs = [ "${access_token_path}/config:coverage_flags" ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + ] +} diff --git a/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/corpus/init b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/corpus/init new file mode 100644 index 000000000..bc977bd97 --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/corpus/init @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/project.xml b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/project.xml new file mode 100644 index 000000000..6e8ad2cfd --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + diff --git a/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/setpermissionstatuswithpolicy_fuzzer.cpp b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/setpermissionstatuswithpolicy_fuzzer.cpp new file mode 100644 index 000000000..2c8131413 --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/setpermissionstatuswithpolicy_fuzzer.cpp @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2022-2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "setpermissionstatuswithpolicy_fuzzer.h" + +#include +#include +#include +#include "accesstoken_fuzzdata.h" +#undef private +#include "accesstoken_kit.h" + +using namespace std; +using namespace OHOS::Security::AccessToken; + +namespace OHOS { + bool SetPermissionStatusWithPolicyFuzzTest(const uint8_t* data, size_t size) + { + if ((data == nullptr) || (size == 0)) { + return false; + } + + AccessTokenFuzzData fuzzData(data, size); + std::vector permList = {fuzzData.GenerateStochasticString()}; + int32_t result = AccessTokenKit::SetPermissionStatusWithPolicy( + fuzzData.GetData(), permList, 0, 128); + return result == RET_SUCCESS; + } +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + /* Run your code on data */ + OHOS::SetPermissionStatusWithPolicyFuzzTest(data, size); + return 0; +} diff --git a/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/setpermissionstatuswithpolicy_fuzzer.h b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/setpermissionstatuswithpolicy_fuzzer.h new file mode 100644 index 000000000..a9fe2c627 --- /dev/null +++ b/test/fuzztest/innerkits/accesstoken/setpermissionstatuswithpolicy_fuzzer/setpermissionstatuswithpolicy_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2022 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef TEST_FUZZTEST_SETPERMISSIONSTATUSWITHPOLICY_FUZZER_H +#define TEST_FUZZTEST_SETPERMISSIONSTATUSWITHPOLICY_FUZZER_H + +#define FUZZ_PROJECT_NAME "setpermissionstatuswithpolicy_fuzzer" + +#endif // TEST_FUZZTEST_SETPERMISSIONSTATUSWITHPOLICY_FUZZER_H diff --git a/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp b/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp index c618c0c8d..974f0fb73 100644 --- a/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp +++ b/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp @@ -53,9 +53,9 @@ static const vector FLAG_LIST = { PERMISSION_USER_SET, PERMISSION_USER_FIXED, PERMISSION_SYSTEM_FIXED, - PERMISSION_GRANTED_BY_POLICY, + PERMISSION_PRE_AUTHORIZED_CANCELABLE, PERMISSION_COMPONENT_SET, - PERMISSION_POLICY_FIXED, + PERMISSION_FIXED_FOR_SECURITY_POLICY, PERMISSION_ALLOW_THIS_TIME }; static const uint32_t FLAG_LIST_SIZE = 8; diff --git a/test/fuzztest/normalize_service/accesstoken/revokepermissionservice_fuzzer/revokepermissionservice_fuzzer.cpp b/test/fuzztest/normalize_service/accesstoken/revokepermissionservice_fuzzer/revokepermissionservice_fuzzer.cpp index 22102a383..30e899678 100644 --- a/test/fuzztest/normalize_service/accesstoken/revokepermissionservice_fuzzer/revokepermissionservice_fuzzer.cpp +++ b/test/fuzztest/normalize_service/accesstoken/revokepermissionservice_fuzzer/revokepermissionservice_fuzzer.cpp @@ -35,9 +35,9 @@ static const vector FLAG_LIST = { PERMISSION_USER_SET, PERMISSION_USER_FIXED, PERMISSION_SYSTEM_FIXED, - PERMISSION_GRANTED_BY_POLICY, + PERMISSION_PRE_AUTHORIZED_CANCELABLE, PERMISSION_COMPONENT_SET, - PERMISSION_POLICY_FIXED, + PERMISSION_FIXED_FOR_SECURITY_POLICY, PERMISSION_ALLOW_THIS_TIME }; static const uint32_t FLAG_LIST_SIZE = 8; -- Gitee From fb4d26f1d934b5c30d3531ed4c67ba332bf2e410 Mon Sep 17 00:00:00 2001 From: bug_maker Date: Mon, 7 Jul 2025 14:41:12 +0800 Subject: [PATCH 2/2] =?UTF-8?q?feat:=20=E6=96=B0=E5=A2=9E=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9D=83=E9=99=90=E8=AE=BE=E7=BD=AE=E6=8E=A5?= =?UTF-8?q?=E5=8F=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: bug_maker Change-Id: I3b255338c9c5792690150ba87edb98b199be2ad6 --- .../test/unittest/accesstoken_manager_service_test.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp b/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp index c0b616816..40eb3645b 100644 --- a/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp +++ b/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp @@ -881,7 +881,7 @@ HWTEST_F(AccessTokenManagerServiceTest, SetPermissionStatusWithPolicy001, TestSi 0, permList, 0, PERMISSION_FIXED_BY_ADMIN_POLICY); ASSERT_EQ(ERR_PARAM_INVALID, ret); - permList.resize(1024 + 1, 0); + permList.resize(1024 + 1); ret = atManagerService_->SetPermissionStatusWithPolicy( 0, permList, 0, PERMISSION_FIXED_BY_ADMIN_POLICY); ASSERT_EQ(ERR_PARAM_INVALID, ret); -- Gitee