From 5262f594f2b7b0b0d6cdfd6ec530612585f1f249 Mon Sep 17 00:00:00 2001 From: wwp Date: Wed, 9 Jul 2025 16:34:44 +0800 Subject: [PATCH] =?UTF-8?q?=E6=94=AF=E6=8C=81=E6=A0=A1=E9=AA=8C=E5=BA=94?= =?UTF-8?q?=E7=94=A8=E7=94=B3=E8=AF=B7=E4=BC=81=E4=B8=9A=E6=99=AE=E9=80=9A?= =?UTF-8?q?=E6=9D=83=E9=99=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: wwp --- .../accesstoken/include/access_token.h | 12 +- .../HapTokenTest/init_hap_token_test.cpp | 204 ++++++++++++++++ .../HapTokenTest/update_hap_token_test.cpp | 220 ++++++++++++++++++ services/accesstokenmanager/idl/IdlCommon.idl | 3 +- .../include/permission/permission_manager.h | 7 +- .../service/accesstoken_manager_service.h | 8 +- .../include/token/accesstoken_info_manager.h | 4 +- .../cpp/src/permission/permission_manager.cpp | 37 ++- .../service/accesstoken_manager_service.cpp | 14 +- .../src/token/accesstoken_info_manager.cpp | 10 +- .../permission_manager_coverage_test.cpp | 10 +- .../accesstoken_info_manager_test.cpp | 62 ++++- .../accesstoken_manager_service_test.cpp | 30 +-- .../accesstoken_manager_service_test.h | 2 +- .../grantpermissionservice_fuzzer.cpp | 2 +- .../deleteremotedevicetokensstub_fuzzer.cpp | 2 +- .../deleteremotetokenstub_fuzzer.cpp | 2 +- .../gethaptokeninfofromremotestub_fuzzer.cpp | 2 +- .../getremotenativetokenidstub_fuzzer.cpp | 2 +- .../grantpermissionstub_fuzzer.cpp | 2 +- .../setremotehaptokeninfostub_fuzzer.cpp | 2 +- 21 files changed, 579 insertions(+), 58 deletions(-) diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h index 32d49bf73..e43cceca1 100644 --- a/interfaces/innerkits/accesstoken/include/access_token.h +++ b/interfaces/innerkits/accesstoken/include/access_token.h @@ -333,7 +333,8 @@ typedef enum TypeOptType { */ typedef enum TypePermissionRulesEnum { PERMISSION_EDM_RULE = 0, - PERMISSION_ACL_RULE + PERMISSION_ACL_RULE, + PERMISSION_ENTERPRISE_NORMAL_RULE } PermissionRulesEnum; /** @@ -356,6 +357,15 @@ typedef enum HapPolicyCheckIgnoreType { ACL_IGNORE_CHECK, } HapPolicyCheckIgnore; +/** + * @brief Apl and isSystemApp info about tokenId + */ +typedef struct { + /** apl for tokenId */ + int32_t apl; + /** is system app */ + bool isSystemApp; +} TokenIdInfo; } // namespace AccessToken } // namespace Security } // namespace OHOS diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp index 1a34227ba..0430eeaa0 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/init_hap_token_test.cpp @@ -42,6 +42,7 @@ static constexpr int32_t THIRTY_TIME_CYCLES = 30; static constexpr int32_t MAX_EXTENDED_MAP_SIZE = 512; static constexpr int32_t MAX_VALUE_LENGTH = 1024; const std::string APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM = "enterprise_mdm"; +const std::string APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL = "enterprise_normal"; const std::string APP_DISTRIBUTION_TYPE_NONE = "none"; const std::string OVER_SIZE_STR = "AAANSUhEUgAAABUAAAAXCAIAAABrvZPKAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAEXRFWHRTb2Z0d2FyZQBTbmlwYXN0ZV0Xzt0A" @@ -1047,6 +1048,209 @@ HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest014, TestSize.Level0) ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); } +/** + * @tc.name: InitHapTokenSpecsTest015 + * @tc.desc: Initialize ENTERPRISE_NORMAL permission for a enterprise_mdm hap. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest015, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "InitHapTokenSpecsTest015"); + MockNativeToken mock("foundation"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = false; + infoParams.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + int32_t ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + ASSERT_EQ(RET_SUCCESS, ret); + + ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER"); + EXPECT_EQ(PERMISSION_GRANTED, ret); + + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenID, "ohos.permission.FILE_GUARD_MANAGER", flag); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + +/** + * @tc.name: InitHapTokenSpecsTest016 + * @tc.desc: Initialize ENTERPRISE_NORMAL permission for a enterprise_normal hap. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest016, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "InitHapTokenSpecsTest016"); + MockNativeToken mock("foundation"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = false; + infoParams.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + int32_t ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + ASSERT_EQ(RET_SUCCESS, ret); + + ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER"); + EXPECT_EQ(PERMISSION_GRANTED, ret); + + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenID, "ohos.permission.FILE_GUARD_MANAGER", flag); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + +/** + * @tc.name: InitHapTokenSpecsTest017 + * @tc.desc: Initialize ENTERPRISE_NORMAL permission for a system hap. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest017, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "InitHapTokenSpecsTest017"); + MockNativeToken mock("foundation"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = true; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + int32_t ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + ASSERT_EQ(RET_SUCCESS, ret); + + ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER"); + EXPECT_EQ(PERMISSION_GRANTED, ret); + + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenID, "ohos.permission.FILE_GUARD_MANAGER", flag); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + +/** + * @tc.name: InitHapTokenSpecsTest018 + * @tc.desc: Initialize ENTERPRISE_NORMAL permission for a debug hap. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest018, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "InitHapTokenSpecsTest018"); + MockNativeToken mock("foundation"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = false; + infoParams.appDistributionType = APP_DISTRIBUTION_TYPE_NONE; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + int32_t ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + ASSERT_EQ(RET_SUCCESS, ret); + + ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER"); + EXPECT_EQ(PERMISSION_GRANTED, ret); + + uint32_t flag; + ret = AccessTokenKit::GetPermissionFlag(tokenID, "ohos.permission.FILE_GUARD_MANAGER", flag); + EXPECT_EQ(RET_SUCCESS, ret); + EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag); + + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + +/** + * @tc.name: InitHapTokenSpecsTest019 + * @tc.desc: Initialize ENTERPRISE_NORMAL permission for a Non enterprise/system/debug hap. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(InitHapTokenTest, InitHapTokenSpecsTest019, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "InitHapTokenSpecsTest019"); + MockNativeToken mock("foundation"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + infoParams.isSystemApp = false; + + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + policyParams.aclRequestedList = { "ohos.permission.FILE_GUARD_MANAGER" }; + AccessTokenIDEx fullTokenId; + int32_t ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + ASSERT_EQ(ERR_PERM_REQUEST_CFG_FAILED, ret); + + HapInfoCheckResult result; + ret = AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId, result); + ASSERT_EQ(ERR_PERM_REQUEST_CFG_FAILED, ret); + ASSERT_EQ(result.permCheckResult.permissionName, "ohos.permission.FILE_GUARD_MANAGER"); + ASSERT_EQ(result.permCheckResult.rule, PERMISSION_ENTERPRISE_NORMAL_RULE); + + ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER"); + EXPECT_EQ(PERMISSION_DENIED, ret); +} + /** * @tc.name: InitHapTokenAbnormalTest001 * @tc.desc: Invaild HapInfoParams. diff --git a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp index 06aea9862..7d74f47d4 100644 --- a/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp +++ b/interfaces/innerkits/accesstoken/test/unittest/HapTokenTest/update_hap_token_test.cpp @@ -43,6 +43,8 @@ static const int32_t INDEX_ZERO = 0; static uint64_t g_selfTokenId = 0; static constexpr int32_t API_VERSION_EIGHT = 8; const std::string APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM = "enterprise_mdm"; +const std::string APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL = "enterprise_normal"; +const std::string APP_DISTRIBUTION_TYPE_NONE = "none"; const std::string OVER_SIZE_STR = "AAANSUhEUgAAABUAAAAXCAIAAABrvZPKAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAEXRFWHRTb2Z0d2FyZQBTbmlwYXN0ZV0Xzt0A" "FBSURBVDiN7ZQ/S8NQFMVPxU/QCx06GBzrkqUZ42rBbHWUBDqYxSnUoTxXydCSycVsgltfBiFDR8HNdHGxY4nQQAPvMzwHsWn+KM" @@ -1380,6 +1382,224 @@ HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest011, TestSize.Level0) EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); } +/** + * @tc.name: UpdateHapTokenSpecsTest012 + * @tc.desc: Update to a enterprise_normal app, system ENTERPRISE_NORMAL permission is available. + * 1.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM + * 2.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL, Update success + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest012, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "UpdateHapTokenSpecsTest012"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = false; + infoParams.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId)); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER")); + + UpdateHapInfoParams updateHapInfoParams = { + .appIDDesc = infoParams.appIDDesc, + .apiVersion = infoParams.apiVersion, + .isSystemApp = false, + .appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL + }; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::UpdateHapToken(fullTokenId, updateHapInfoParams, policyParams)); + tokenID = fullTokenId.tokenIdExStruct.tokenID; + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER")); + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + +/** + * @tc.name: UpdateHapTokenSpecsTest013 + * @tc.desc: Update to a system app, system ENTERPRISE_NORMAL permission is available. + * 1.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM + * 2.appDistributionType = "", isSystemApp = true, Update success + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest013, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "UpdateHapTokenSpecsTest013"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = false; + infoParams.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId)); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER")); + + UpdateHapInfoParams updateHapInfoParams = { + .appIDDesc = infoParams.appIDDesc, + .apiVersion = infoParams.apiVersion, + .isSystemApp = true, + .appDistributionType = "" + }; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::UpdateHapToken(fullTokenId, updateHapInfoParams, policyParams)); + tokenID = fullTokenId.tokenIdExStruct.tokenID; + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER")); + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + +/** + * @tc.name: UpdateHapTokenSpecsTest014 + * @tc.desc: Update to a debug app, system ENTERPRISE_NORMAL permission is available. + * 1.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM + * 2.appDistributionType = APP_DISTRIBUTION_TYPE_NONE, Update success + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest014, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "UpdateHapTokenSpecsTest014"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = false; + infoParams.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId)); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER")); + + UpdateHapInfoParams updateHapInfoParams = { + .appIDDesc = infoParams.appIDDesc, + .apiVersion = infoParams.apiVersion, + .isSystemApp = false, + .appDistributionType = APP_DISTRIBUTION_TYPE_NONE + }; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::UpdateHapToken(fullTokenId, updateHapInfoParams, policyParams)); + tokenID = fullTokenId.tokenIdExStruct.tokenID; + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER")); + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + +/** + * @tc.name: UpdateHapTokenSpecsTest015 + * @tc.desc: Update to a non enterprise/system/debug app, ENTERPRISE_NORMAL permission is unavailable. + * 1.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM, permission is GRANTED. + * 2.appDistributionType ="", Update failed. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest015, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "UpdateHapTokenSpecsTest015"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = false; + infoParams.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId)); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER")); + + UpdateHapInfoParams updateHapInfoParams = { + .appIDDesc = infoParams.appIDDesc, + .apiVersion = infoParams.apiVersion, + .isSystemApp = false, + .appDistributionType = "" + }; + ASSERT_EQ( + ERR_PERM_REQUEST_CFG_FAILED, AccessTokenKit::UpdateHapToken(fullTokenId, updateHapInfoParams, policyParams)); + HapInfoCheckResult result; + ASSERT_EQ(ERR_PERM_REQUEST_CFG_FAILED, + AccessTokenKit::UpdateHapToken(fullTokenId, updateHapInfoParams, policyParams, result)); + EXPECT_EQ(result.permCheckResult.permissionName, "ohos.permission.FILE_GUARD_MANAGER"); + EXPECT_EQ(result.permCheckResult.rule, PERMISSION_ENTERPRISE_NORMAL_RULE); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + +/** + * @tc.name: UpdateHapTokenSpecsTest016 + * @tc.desc: Update to a non enterprise/system/debug app, ENTERPRISE_NORMAL permission is unavailable. + * 1.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM, permission is GRANTED. + * 2.appDistributionType ="", dataRefresh = true, Update success. + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(UpdateHapTokenTest, UpdateHapTokenSpecsTest016, TestSize.Level0) +{ + LOGI(ATM_DOMAIN, ATM_TAG, "UpdateHapTokenSpecsTest016"); + + HapInfoParams infoParams; + HapPolicyParams policyParams; + TestCommon::GetHapParams(infoParams, policyParams); + policyParams.apl = APL_SYSTEM_CORE; + infoParams.isSystemApp = false; + infoParams.appDistributionType = APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM; + PermissionStateFull permissionStateFull001 = { + .permissionName = "ohos.permission.FILE_GUARD_MANAGER", + .isGeneral = true, + .resDeviceID = {"local"}, + .grantStatus = {PERMISSION_DENIED}, + .grantFlags = {PERMISSION_SYSTEM_FIXED} + }; + policyParams.permStateList = {permissionStateFull001}; + AccessTokenIDEx fullTokenId; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::InitHapToken(infoParams, policyParams, fullTokenId)); + AccessTokenID tokenID = fullTokenId.tokenIdExStruct.tokenID; + EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.FILE_GUARD_MANAGER")); + + UpdateHapInfoParams updateHapInfoParams = { + .appIDDesc = infoParams.appIDDesc, + .apiVersion = infoParams.apiVersion, + .isSystemApp = false, + .appDistributionType = "", + .dataRefresh = true + }; + ASSERT_EQ(RET_SUCCESS, AccessTokenKit::UpdateHapToken(fullTokenId, updateHapInfoParams, policyParams)); + EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenID)); +} + /** * @tc.name: UpdateHapTokenAbnormalTest001 * @tc.desc: cannot update hap token info with invalid appIDDesc. diff --git a/services/accesstokenmanager/idl/IdlCommon.idl b/services/accesstokenmanager/idl/IdlCommon.idl index 29aa82f87..66d520822 100644 --- a/services/accesstokenmanager/idl/IdlCommon.idl +++ b/services/accesstokenmanager/idl/IdlCommon.idl @@ -43,7 +43,8 @@ struct UpdateHapInfoParamsIdl { enum PermissionRulesEnumIdl { PERMISSION_EDM_RULE = 0, - PERMISSION_ACL_RULE + PERMISSION_ACL_RULE, + PERMISSION_ENTERPRISE_NORMAL_RULE }; struct HapInfoCheckResultIdl { diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h index f2d8d6a26..175fa2f0d 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h @@ -109,7 +109,8 @@ public: std::vector& initializedList, std::vector& undefValues); void NotifyUpdatedPermList(const std::vector& grantedPermListBefore, const std::vector& grantedPermListAfter, AccessTokenID tokenID); - bool IsPermAvailableRangeSatisfied(const PermissionBriefDef& briefDef, const std::string& appDistributionType); + bool IsPermAvailableRangeSatisfied(const PermissionBriefDef& briefDef, const std::string& appDistributionType, + bool isSystemApp, PermissionRulesEnum& rule); protected: static void RegisterImpl(PermissionManager* implInstance); @@ -133,8 +134,8 @@ private: std::vector& permsList, int32_t apiVersion, const LocationIndex& locationIndex); void FillUndefinedPermVector(const std::string& permissionName, const std::string& appDistributionType, const HapPolicy& policy, std::vector& undefValues); - bool AclAndEdmCheck(const PermissionBriefDef& briefDef, const HapPolicy& policy, const std::string& permissionName, - const std::string& appDistributionType, HapInfoCheckResult& result); + bool AclAndEdmCheck(const PermissionBriefDef& briefDef, const HapInitInfo& initInfo, + const std::string& permissionName, const std::string& appDistributionType, HapInfoCheckResult& result); void GetMasterAppUndValues(AccessTokenID tokenId, std::vector& undefValues); std::shared_ptr GetAbilityManager(); bool HandlePermissionDeniedCase(uint32_t goalGrantFlag, PermissionListState& permState); diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h index b94a93d69..9768d9a84 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h @@ -150,17 +150,17 @@ private: void ReportAddHapFinish(AccessTokenIDEx fullTokenId, const HapInfoParcel& info, int64_t beginTime, int32_t errorCode); bool IsPermissionValid(int32_t hapApl, const PermissionBriefDef& data, const std::string& value, bool isAcl); - void FilterInvalidData(const std::vector& results, const std::map& tokenIdAplMap, - std::vector& validValueList); + void FilterInvalidData(const std::vector& results, + const std::map& tokenIdAplMap, std::vector& validValueList); void UpdateUndefinedInfoCache(const std::vector& validValueList, std::vector& stateValues, std::vector& extendValues); - void HandleHapUndefinedInfo(const std::map& tokenIdAplMap, + void HandleHapUndefinedInfo(const std::map& tokenIdAplMap, std::vector& deleteDataTypes, std::vector& deleteValues, std::vector& addDataTypes, std::vector>& addValues); void UpdateDatabaseAsync(const std::vector& deleteDataTypes, const std::vector& deleteValues, const std::vector& addDataTypes, const std::vector>& addValues); - void HandlePermDefUpdate(const std::map& tokenIdAplMap); + void HandlePermDefUpdate(const std::map& tokenIdAplMap); ServiceRunningState state_; std::string grantBundleName_; diff --git a/services/accesstokenmanager/main/cpp/include/token/accesstoken_info_manager.h b/services/accesstokenmanager/main/cpp/include/token/accesstoken_info_manager.h index d067a5347..56a08d945 100644 --- a/services/accesstokenmanager/main/cpp/include/token/accesstoken_info_manager.h +++ b/services/accesstokenmanager/main/cpp/include/token/accesstoken_info_manager.h @@ -47,7 +47,7 @@ public: static AccessTokenInfoManager& GetInstance(); ~AccessTokenInfoManager(); void Init(uint32_t& hapSize, uint32_t& nativeSize, uint32_t& pefDefSize, uint32_t& dlpSize, - std::map& tokenIdAplMap); + std::map& tokenIdAplMap); void InitNativeTokenInfos(const std::vector& tokenInfos); int32_t GetTokenIDByUserID(int32_t userID, std::unordered_set& tokenIdList); std::shared_ptr GetHapTokenInfoInner(AccessTokenID id); @@ -109,7 +109,7 @@ private: int32_t AddHapInfoToCache(const GenericValues& tokenValue, const std::vector& permStateRes, const std::vector& extendedPermRes); - void InitHapTokenInfos(uint32_t& hapSize, std::map& tokenIdAplMap); + void InitHapTokenInfos(uint32_t& hapSize, std::map& tokenIdAplMap); void ReportAddHapIdChange(const std::shared_ptr& hapInfo, AccessTokenID oriTokenId); int AddHapTokenInfo(const std::shared_ptr& info, AccessTokenID& oriTokenId); std::string GetHapUniqueStr(const std::shared_ptr& info) const; diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 0a639ff58..6dfc15720 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -66,6 +66,8 @@ static const std::vector g_notDisplayedPerms = { "ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO" }; constexpr const char* APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM = "enterprise_mdm"; +constexpr const char* APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL = "enterprise_normal"; +constexpr const char* APP_DISTRIBUTION_TYPE_DEBUG = "none"; } PermissionManager* PermissionManager::implInstance_ = nullptr; std::recursive_mutex PermissionManager::mutex_; @@ -1073,7 +1075,7 @@ bool IsAclSatisfied(const PermissionBriefDef& briefDef, const HapPolicy& policy) } bool PermissionManager::IsPermAvailableRangeSatisfied(const PermissionBriefDef& briefDef, - const std::string& appDistributionType) + const std::string& appDistributionType, bool isSystemApp, PermissionRulesEnum& rule) { if (briefDef.availableType == ATokenAvailableTypeEnum::MDM) { if (appDistributionType == "none") { @@ -1084,9 +1086,22 @@ bool PermissionManager::IsPermAvailableRangeSatisfied(const PermissionBriefDef& if (appDistributionType != APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM) { LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s is a mdm permission, the hap is not a mdm application.", briefDef.permissionName); + rule = PERMISSION_EDM_RULE; return false; } } + if (briefDef.availableType == ATokenAvailableTypeEnum::ENTERPRISE_NORMAL) { + if (appDistributionType == APP_DISTRIBUTION_TYPE_ENTERPRISE_MDM || + appDistributionType == APP_DISTRIBUTION_TYPE_ENTERPRISE_NORMAL || + isSystemApp || + appDistributionType == APP_DISTRIBUTION_TYPE_DEBUG) { + return true; + } + LOGE(ATM_DOMAIN, ATM_TAG, "permission %{public}s is only enable in enterpriseApp, systemApp, debugApp", + briefDef.permissionName); + rule = PERMISSION_ENTERPRISE_NORMAL_RULE; + return false; + } return true; } @@ -1172,21 +1187,29 @@ void PermissionManager::FillUndefinedPermVector(const std::string& permissionNam return; } -bool PermissionManager::AclAndEdmCheck(const PermissionBriefDef& briefDef, const HapPolicy& policy, +bool PermissionManager::AclAndEdmCheck(const PermissionBriefDef& briefDef, const HapInitInfo& initInfo, const std::string& permissionName, const std::string& appDistributionType, HapInfoCheckResult& result) { // acl check - if (!IsAclSatisfied(briefDef, policy)) { + if (!IsAclSatisfied(briefDef, initInfo.policy)) { result.permCheckResult.permissionName = permissionName; result.permCheckResult.rule = PERMISSION_ACL_RULE; LOGC(ATM_DOMAIN, ATM_TAG, "Acl of %{public}s is invalid.", briefDef.permissionName); return false; } - // edm check - if (!IsPermAvailableRangeSatisfied(briefDef, appDistributionType)) { + // edm and enterprise_normal check + bool isSystemApp = initInfo.isUpdate? initInfo.updateInfo.isSystemApp : initInfo.installInfo.isSystemApp; + PermissionRulesEnum rule = PERMISSION_ACL_RULE; + if (!IsPermAvailableRangeSatisfied(briefDef, appDistributionType, isSystemApp, rule)) { result.permCheckResult.permissionName = permissionName; - result.permCheckResult.rule = PERMISSION_EDM_RULE; + if (rule == PERMISSION_EDM_RULE) { + LOGE(ATM_DOMAIN, ATM_TAG, "mdm permission check failed."); + result.permCheckResult.rule = PERMISSION_EDM_RULE; + } else if (rule == PERMISSION_ENTERPRISE_NORMAL_RULE) { + LOGE(ATM_DOMAIN, ATM_TAG, "enterprise_normal permission check failed."); + result.permCheckResult.rule = PERMISSION_ENTERPRISE_NORMAL_RULE; + } LOGC(ATM_DOMAIN, ATM_TAG, "Available range of %{public}s is invalid.", briefDef.permissionName); return false; @@ -1215,7 +1238,7 @@ bool PermissionManager::InitPermissionList(const HapInitInfo& initInfo, std::vec continue; } - if (!AclAndEdmCheck(briefDef, initInfo.policy, state.permissionName, appDistributionType, result)) { + if (!AclAndEdmCheck(briefDef, initInfo, state.permissionName, appDistributionType, result)) { if (initInfo.updateInfo.dataRefresh) { FillUndefinedPermVector(state.permissionName, appDistributionType, initInfo.policy, undefValues); continue; diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index 36c4d4785..b47ea8fe6 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp @@ -1421,7 +1421,7 @@ int32_t AccessTokenManagerService::GetReqPermissionByName( } void AccessTokenManagerService::FilterInvalidData(const std::vector& results, - const std::map& tokenIdAplMap, std::vector& validValueList) + const std::map& tokenIdAplMap, std::vector& validValueList) { int32_t tokenId = 0; std::string permissionName; @@ -1443,14 +1443,16 @@ void AccessTokenManagerService::FilterInvalidData(const std::vectorsecond.isSystemApp, rule)) { continue; } acl = result.GetInt(TokenFiledConst::FIELD_ACL); value = result.GetString(TokenFiledConst::FIELD_VALUE); - if (!IsPermissionValid(iter->second, data, value, (acl == 1))) { + if (!IsPermissionValid(iter->second.apl, data, value, (acl == 1))) { // hap apl less than perm apl without acl is invalid now, keep them in db, maybe valid someday continue; } @@ -1533,7 +1535,7 @@ bool AccessTokenManagerService::IsPermissionValid(int32_t hapApl, const Permissi return false; } -void AccessTokenManagerService::HandleHapUndefinedInfo(const std::map& tokenIdAplMap, +void AccessTokenManagerService::HandleHapUndefinedInfo(const std::map& tokenIdAplMap, std::vector& deleteDataTypes, std::vector& deleteValues, std::vector& addDataTypes, std::vector>& addValues) { @@ -1581,7 +1583,7 @@ void AccessTokenManagerService::UpdateDatabaseAsync(const std::vector& tokenIdAplMap) +void AccessTokenManagerService::HandlePermDefUpdate(const std::map& tokenIdAplMap) { std::string dbPermDefVersion; GenericValues conditionValue; @@ -1638,7 +1640,7 @@ bool AccessTokenManagerService::Initialize() uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); HandlePermDefUpdate(tokenIdAplMap); diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index f10f89e4e..55f91e5d5 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp @@ -87,7 +87,7 @@ AccessTokenInfoManager::~AccessTokenInfoManager() } void AccessTokenInfoManager::Init(uint32_t& hapSize, uint32_t& nativeSize, uint32_t& pefDefSize, uint32_t& dlpSize, - std::map& tokenIdAplMap) + std::map& tokenIdAplMap) { OHOS::Utils::UniqueWriteGuard lk(this->managerLock_); if (hasInited_) { @@ -207,7 +207,7 @@ int32_t AccessTokenInfoManager::AddHapInfoToCache(const GenericValues& tokenValu return RET_SUCCESS; } -void AccessTokenInfoManager::InitHapTokenInfos(uint32_t& hapSize, std::map& tokenIdAplMap) +void AccessTokenInfoManager::InitHapTokenInfos(uint32_t& hapSize, std::map& tokenIdAplMap) { GenericValues conditionValue; std::vector hapTokenRes; @@ -228,13 +228,15 @@ void AccessTokenInfoManager::InitHapTokenInfos(uint32_t& hapSize, std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } @@ -434,7 +434,7 @@ HWTEST_F(PermissionManagerCoverageTest, HandleHapUndefinedInfo001, TestSize.Leve DelayedSingleton::GetInstance(); EXPECT_NE(nullptr, atManagerService_); - std::map tokenIdAplMap; + std::map tokenIdAplMap; std::vector deleteDataTypes2; std::vector deleteValues2; std::vector addDataTypes2; @@ -491,7 +491,7 @@ HWTEST_F(PermissionManagerCoverageTest, HandleHapUndefinedInfo002, TestSize.Leve DelayedSingleton::GetInstance(); EXPECT_NE(nullptr, atManagerService_); - std::map tokenIdAplMap; + std::map tokenIdAplMap; std::vector deleteDataTypes2; std::vector deleteValues2; std::vector addDataTypes2; @@ -532,7 +532,7 @@ HWTEST_F(PermissionManagerCoverageTest, HandlePermDefUpdate001, TestSize.Level4) DelayedSingleton::GetInstance(); EXPECT_NE(nullptr, atManagerService_); - std::map tokenIdAplMap; + std::map tokenIdAplMap; atManagerService_->HandlePermDefUpdate(tokenIdAplMap); // dbPermDefVersion is empty addDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_SYSTEM_CONFIG); @@ -579,7 +579,7 @@ HWTEST_F(PermissionManagerCoverageTest, HandlePermDefUpdate002, TestSize.Level4) DelayedSingleton::GetInstance(); EXPECT_NE(nullptr, atManagerService_); - std::map tokenIdAplMap; + std::map tokenIdAplMap; atManagerService_->HandlePermDefUpdate(tokenIdAplMap); // dbPermDefVersion is not empty addValues.emplace_back(results); diff --git a/services/accesstokenmanager/test/unittest/accesstoken_info_manager_test.cpp b/services/accesstokenmanager/test/unittest/accesstoken_info_manager_test.cpp index c83b1187c..288ec1105 100644 --- a/services/accesstokenmanager/test/unittest/accesstoken_info_manager_test.cpp +++ b/services/accesstokenmanager/test/unittest/accesstoken_info_manager_test.cpp @@ -130,7 +130,7 @@ void AccessTokenInfoManagerTest::SetUpTestCase() uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } @@ -683,6 +683,64 @@ HWTEST_F(AccessTokenInfoManagerTest, InitHapToken007, TestSize.Level0) ASSERT_EQ(RET_SUCCESS, atManagerService_->DeleteToken(tokenID)); } +/** + * @tc.name: InitHapToken008 + * @tc.desc: InitHapToken function test with invalid apl permission + * @tc.type: FUNC + * @tc.require: + */ +HWTEST_F(AccessTokenInfoManagerTest, InitHapToken008, TestSize.Level0) +{ + HapInfoParcel info; + info.hapInfoParameter = { + .userID = 0, + .bundleName = "accesstoken_test", + .instIndex = 0, + .dlpType = DLP_COMMON, + .appIDDesc = "testtesttesttest", + .apiVersion = DEFAULT_API_VERSION, + .isSystemApp = false, + }; + HapPolicyParcel policy; + PermissionStatus permissionStateA = { + .permissionName = "ohos.permission.GET_ALL_APP_ACCOUNTS", + .grantStatus = 1, + .grantFlag = 1 + }; + PermissionStatus permissionStateB = { + .permissionName = "ohos.permission.test", + .grantStatus = 1, + .grantFlag = 1 + }; + policy.hapPolicy = { + .apl = APL_NORMAL, + .domain = "test", + .permList = {}, + .permStateList = { permissionStateA, permissionStateB } + }; + uint64_t fullTokenId; + HapInfoCheckResultIdl resultInfoIdl; + HapInfoCheckResult result; + + ASSERT_EQ(0, + atManagerService_->InitHapToken(info, policy, fullTokenId, resultInfoIdl)); + + PermissionInfoCheckResult permCheckResult; + permCheckResult.permissionName = resultInfoIdl.permissionName; + int32_t rule = static_cast(resultInfoIdl.rule); + permCheckResult.rule = PermissionRulesEnum(rule); + result.permCheckResult = permCheckResult; + ASSERT_EQ(result.permCheckResult.permissionName, "ohos.permission.GET_ALL_APP_ACCOUNTS"); + ASSERT_EQ(result.permCheckResult.rule, PERMISSION_ACL_RULE); + permissionStateA.permissionName = "ohos.permission.FILE_GUARD_MANAGER"; + policy.hapPolicy.aclRequestedList = { "ohos.permission.FILE_GUARD_MANAGER" }; + policy.hapPolicy.permStateList = { permissionStateA, permissionStateB }; + ASSERT_EQ(0, atManagerService_->InitHapToken(info, policy, fullTokenId, resultInfoIdl)); + ASSERT_EQ(resultInfoIdl.permissionName, "ohos.permission.FILE_GUARD_MANAGER"); + rule = static_cast(resultInfoIdl.rule); + ASSERT_EQ(PermissionRulesEnum(rule), PERMISSION_ENTERPRISE_NORMAL_RULE); +} + /** * @tc.name: IsTokenIdExist001 * @tc.desc: Verify the IsTokenIdExist exist accesstokenid. @@ -1594,7 +1652,7 @@ HWTEST_F(AccessTokenInfoManagerTest, AccessTokenInfoManager001, TestSize.Level0) uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); AccessTokenInfoManager::GetInstance().hasInited_ = false; ASSERT_EQ(false, AccessTokenInfoManager::GetInstance().hasInited_); diff --git a/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp b/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp index 77010240f..7630a3804 100644 --- a/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp +++ b/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.cpp @@ -144,7 +144,7 @@ HWTEST_F(AccessTokenManagerServiceTest, DumpTokenInfoFuncTest001, TestSize.Level } void AccessTokenManagerServiceTest::CreateHapToken(const HapInfoParcel& infoParCel, const HapPolicyParcel& policyParcel, - AccessTokenID& tokenId, std::map& tokenIdAplMap, bool hasInit) + AccessTokenID& tokenId, std::map& tokenIdAplMap, bool hasInit) { if (!hasInit) { atManagerService_->Initialize(); @@ -159,7 +159,7 @@ void AccessTokenManagerServiceTest::CreateHapToken(const HapInfoParcel& infoParC tokenIDEx.tokenIDEx = fullTokenId; tokenId = tokenIDEx.tokenIdExStruct.tokenID; ASSERT_NE(INVALID_TOKENID, tokenId); - tokenIdAplMap[static_cast(tokenId)] = g_policy.apl; + tokenIdAplMap[static_cast(tokenId)].apl = g_policy.apl; } /** @@ -194,7 +194,7 @@ HWTEST_F(AccessTokenManagerServiceTest, InitHapTokenTest001, TestSize.Level0) HapPolicyParcel policyParcel; policyParcel.hapPolicy = g_policy; // KERNEL_ATM_SELF_USE(hasValue is true) + INVALIDA AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); // query undefine table @@ -231,7 +231,7 @@ HWTEST_F(AccessTokenManagerServiceTest, InitHapTokenTest002, TestSize.Level0) HapPolicyParcel policyParcel; policyParcel.hapPolicy = g_policy; // KERNEL_ATM_SELF_USE + INVALIDA AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); // create master app HapInfoParcel infoParCel2; @@ -272,7 +272,7 @@ HWTEST_F(AccessTokenManagerServiceTest, UpdateHapTokenTest001, TestSize.Level0) HapPolicyParcel policyParcel; policyParcel.hapPolicy = g_policy; // KERNEL_ATM_SELF_USE + INVALIDA AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); // query undefine table @@ -323,7 +323,7 @@ HWTEST_F(AccessTokenManagerServiceTest, UpdateHapTokenTest002, TestSize.Level0) HapPolicyParcel policyParcel; policyParcel.hapPolicy = g_policy; // KERNEL_ATM_SELF_USE + INVALIDA AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); // update hap @@ -359,7 +359,7 @@ HWTEST_F(AccessTokenManagerServiceTest, UpdateHapTokenTest003, TestSize.Level0) HapPolicyParcel policyParcel; policyParcel.hapPolicy = g_policy; // KERNEL_ATM_SELF_USE + INVALIDA AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); // query undefine table @@ -414,7 +414,7 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest001, TestSize.Level0) policyParcel.hapPolicy.permStateList = {g_state4}; policyParcel.hapPolicy.aclExtendedMap = {}; AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); GenericValues value; // system grant @@ -477,7 +477,7 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest002, TestSize.Level0) policyParcel.hapPolicy.permStateList = {g_state4}; policyParcel.hapPolicy.aclExtendedMap = {}; AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); GenericValues value; // system grant @@ -555,7 +555,7 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest003, TestSize.Level0) policyParcel.hapPolicy = g_policy; policyParcel.hapPolicy.permStateList = {g_state1}; // KERNEL_ATM_SELF_USE AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); std::vector values; @@ -618,7 +618,7 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest004, TestSize.Level0) policyParcel.hapPolicy = g_policy; policyParcel.hapPolicy.permStateList = {g_state1}; // KERNEL_ATM_SELF_USE AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); GenericValues value; // system grant @@ -678,7 +678,7 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest005, TestSize.Level0) policyParcel.hapPolicy.permStateList = {g_state1}; // KERNEL_ATM_SELF_USE policyParcel.hapPolicy.aclRequestedList = { g_state6.permissionName }; AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); GenericValues value; // system grant @@ -751,7 +751,7 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest006, TestSize.Level0) policyParcel.hapPolicy.aclRequestedList = { g_state6.permissionName }; // POWER_MANAGER, hasValue is false policyParcel.hapPolicy.aclExtendedMap = { std::make_pair(g_state6.permissionName, "test") }; AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); std::vector values; @@ -824,7 +824,7 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest007, TestSize.Level0) policyParcel.hapPolicy.permStateList = {g_state4}; policyParcel.hapPolicy.aclExtendedMap = {}; AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); // KERNEL_ATM_SELF_USE, hasValue is true std::vector values; @@ -888,7 +888,7 @@ HWTEST_F(AccessTokenManagerServiceTest, OTATest008, TestSize.Level0) policyParcel.hapPolicy.permStateList = {g_state4}; policyParcel.hapPolicy.aclExtendedMap = {}; AccessTokenID tokenId; - std::map tokenIdAplMap; + std::map tokenIdAplMap; CreateHapToken(infoParCel, policyParcel, tokenId, tokenIdAplMap); GenericValues value; // system grant diff --git a/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.h b/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.h index f6045fe9f..c8571cdc3 100644 --- a/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.h +++ b/services/accesstokenmanager/test/unittest/accesstoken_manager_service_test.h @@ -33,7 +33,7 @@ public: void TearDown(); void CreateHapToken(const HapInfoParcel& infoParCel, const HapPolicyParcel& policyParcel, AccessTokenID& tokenId, - std::map& tokenIdAplMap, bool hasInit = false); + std::map& tokenIdAplMap, bool hasInit = false); std::shared_ptr atManagerService_; }; diff --git a/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp b/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp index 974f0fb73..ff212044b 100644 --- a/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp +++ b/test/fuzztest/normalize_service/accesstoken/grantpermissionservice_fuzzer/grantpermissionservice_fuzzer.cpp @@ -95,7 +95,7 @@ bool GrantPermissionServiceFuzzTest(const uint8_t* data, size_t size) uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } bool enable = ((provider.ConsumeIntegral() % CONSTANTS_NUMBER_FIVE) == 0); diff --git a/test/fuzztest/services/accesstoken/deleteremotedevicetokensstub_fuzzer/deleteremotedevicetokensstub_fuzzer.cpp b/test/fuzztest/services/accesstoken/deleteremotedevicetokensstub_fuzzer/deleteremotedevicetokensstub_fuzzer.cpp index b7adfc1a9..35de2db22 100644 --- a/test/fuzztest/services/accesstoken/deleteremotedevicetokensstub_fuzzer/deleteremotedevicetokensstub_fuzzer.cpp +++ b/test/fuzztest/services/accesstoken/deleteremotedevicetokensstub_fuzzer/deleteremotedevicetokensstub_fuzzer.cpp @@ -63,7 +63,7 @@ namespace OHOS { uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } DelayedSingleton::GetInstance()->OnRemoteRequest(code, datas, reply, option); diff --git a/test/fuzztest/services/accesstoken/deleteremotetokenstub_fuzzer/deleteremotetokenstub_fuzzer.cpp b/test/fuzztest/services/accesstoken/deleteremotetokenstub_fuzzer/deleteremotetokenstub_fuzzer.cpp index ebb06b76b..e9af186c9 100644 --- a/test/fuzztest/services/accesstoken/deleteremotetokenstub_fuzzer/deleteremotetokenstub_fuzzer.cpp +++ b/test/fuzztest/services/accesstoken/deleteremotetokenstub_fuzzer/deleteremotetokenstub_fuzzer.cpp @@ -67,7 +67,7 @@ namespace OHOS { uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } DelayedSingleton::GetInstance()->OnRemoteRequest(code, datas, reply, option); diff --git a/test/fuzztest/services/accesstoken/gethaptokeninfofromremotestub_fuzzer/gethaptokeninfofromremotestub_fuzzer.cpp b/test/fuzztest/services/accesstoken/gethaptokeninfofromremotestub_fuzzer/gethaptokeninfofromremotestub_fuzzer.cpp index c0a79f4a8..33a054910 100644 --- a/test/fuzztest/services/accesstoken/gethaptokeninfofromremotestub_fuzzer/gethaptokeninfofromremotestub_fuzzer.cpp +++ b/test/fuzztest/services/accesstoken/gethaptokeninfofromremotestub_fuzzer/gethaptokeninfofromremotestub_fuzzer.cpp @@ -63,7 +63,7 @@ namespace OHOS { uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } DelayedSingleton::GetInstance()->OnRemoteRequest(code, datas, reply, option); diff --git a/test/fuzztest/services/accesstoken/getremotenativetokenidstub_fuzzer/getremotenativetokenidstub_fuzzer.cpp b/test/fuzztest/services/accesstoken/getremotenativetokenidstub_fuzzer/getremotenativetokenidstub_fuzzer.cpp index 3c607f10a..cb2f9c309 100644 --- a/test/fuzztest/services/accesstoken/getremotenativetokenidstub_fuzzer/getremotenativetokenidstub_fuzzer.cpp +++ b/test/fuzztest/services/accesstoken/getremotenativetokenidstub_fuzzer/getremotenativetokenidstub_fuzzer.cpp @@ -67,7 +67,7 @@ namespace OHOS { uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } DelayedSingleton::GetInstance()->OnRemoteRequest(code, datas, reply, option); diff --git a/test/fuzztest/services/accesstoken/grantpermissionstub_fuzzer/grantpermissionstub_fuzzer.cpp b/test/fuzztest/services/accesstoken/grantpermissionstub_fuzzer/grantpermissionstub_fuzzer.cpp index b76a4f277..10a54d423 100644 --- a/test/fuzztest/services/accesstoken/grantpermissionstub_fuzzer/grantpermissionstub_fuzzer.cpp +++ b/test/fuzztest/services/accesstoken/grantpermissionstub_fuzzer/grantpermissionstub_fuzzer.cpp @@ -82,7 +82,7 @@ namespace OHOS { uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } bool enable = ((size % CONSTANTS_NUMBER_TWO) == 0); diff --git a/test/fuzztest/services/accesstoken/setremotehaptokeninfostub_fuzzer/setremotehaptokeninfostub_fuzzer.cpp b/test/fuzztest/services/accesstoken/setremotehaptokeninfostub_fuzzer/setremotehaptokeninfostub_fuzzer.cpp index 0789b3080..56b7a11e6 100644 --- a/test/fuzztest/services/accesstoken/setremotehaptokeninfostub_fuzzer/setremotehaptokeninfostub_fuzzer.cpp +++ b/test/fuzztest/services/accesstoken/setremotehaptokeninfostub_fuzzer/setremotehaptokeninfostub_fuzzer.cpp @@ -98,7 +98,7 @@ namespace OHOS { uint32_t nativeSize = 0; uint32_t pefDefSize = 0; uint32_t dlpSize = 0; - std::map tokenIdAplMap; + std::map tokenIdAplMap; AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap); } DelayedSingleton::GetInstance()->OnRemoteRequest(code, datas, reply, option); -- Gitee