From 64582809975ee06d45a1840ccaeee0dcc94f9303 Mon Sep 17 00:00:00 2001 From: l00520400 Date: Mon, 21 Feb 2022 20:30:54 +0800 Subject: [PATCH] VerifyNativeToken Signed-off-by: l00520400 Change-Id: I1dd9c626f761aef0a7cc01abe3be9f3035186ccf Signed-off-by: l00520400 --- .../include/i_accesstoken_manager.h | 2 + .../accesstoken/include/accesstoken_kit.h | 1 + .../accesstoken/src/accesstoken_kit.cpp | 15 ++++++ .../src/accesstoken_manager_client.cpp | 11 +++++ .../src/accesstoken_manager_client.h | 1 + .../src/accesstoken_manager_proxy.cpp | 32 +++++++++++++ .../src/accesstoken_manager_proxy.h | 1 + .../include/permission/permission_manager.h | 1 + .../service/accesstoken_manager_service.h | 1 + .../service/accesstoken_manager_stub.h | 1 + .../cpp/src/permission/permission_manager.cpp | 23 +++++++++ .../service/accesstoken_manager_service.cpp | 8 ++++ .../src/service/accesstoken_manager_stub.cpp | 11 +++++ .../cpp/src/native_token_receptor_test.cpp | 48 +++++++++++++++++++ 14 files changed, 156 insertions(+) diff --git a/frameworks/accesstoken/include/i_accesstoken_manager.h b/frameworks/accesstoken/include/i_accesstoken_manager.h index 12b1d3165..3bc0bb374 100644 --- a/frameworks/accesstoken/include/i_accesstoken_manager.h +++ b/frameworks/accesstoken/include/i_accesstoken_manager.h @@ -39,6 +39,7 @@ public: DECLARE_INTERFACE_DESCRIPTOR(u"ohos.security.accesstoken.IAccessTokenManager"); virtual int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName) = 0; + virtual int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) = 0; virtual int GetDefPermission(const std::string& permissionName, PermissionDefParcel& permissionDefResult) = 0; virtual int GetDefPermissions(AccessTokenID tokenID, std::vector& permList) = 0; virtual int GetReqPermissions( 
@@ -95,6 +96,7 @@ public: SET_REMOTE_NATIVE_TOKEN_INFO = 0xff2a, DELETE_REMOTE_TOKEN_INFO = 0xff2b, DELETE_REMOTE_DEVICE_TOKEN = 0xff2c, + VERIFY_NATIVETOKEN = 0xff2d, DUMP = 0xff30, }; diff --git a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h index 495f451d9..909790815 100644 --- a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h +++ b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h @@ -43,6 +43,7 @@ public: static int GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes); static int GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes); static int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName); + static int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName); static int VerifyAccessToken( AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName); static int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult); diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp index dbdad0dab..9c20487b9 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp 
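Review bot: The `VerifyNativeToken` declaration added to accesstoken_kit.h has no comment saying how it differs from `VerifyAccessToken`, and it is inserted between the two `VerifyAccessToken` overloads. Going by the permission_manager.cpp hunk in this patch, the result depends only on comparing the permission's `availableLevel` with the token's `apl`, which a caller making an authorization decision needs to know. I would add above it `// Grants when the native token's APL is at least the permission's availableLevel; granted-permission state is not consulted.` and move the declaration below the three-argument overload so the overload pair stays together.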
@@ -167,6 +167,21 @@ int AccessTokenKit::VerifyAccessToken( return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName); } +int AccessTokenKit::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) +{ + ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__); + if (tokenID == 0) { + ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID=%{public}d is invalid", tokenID); + return PERMISSION_DENIED; + } + if (!DataValidator::IsPermissionNameValid(permissionName)) { + ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid"); + return PERMISSION_DENIED; + } + ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, permissionName=%{public}s", tokenID, permissionName.c_str()); + return AccessTokenManagerClient::GetInstance().VerifyNativeToken(tokenID, permissionName); +} + int AccessTokenKit::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult) { ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__); diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp index fc9225c37..c932253e2 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp @@ -54,6 +54,17 @@ int AccessTokenManagerClient::VerifyAccessToken(AccessTokenID tokenID, const std return proxy->VerifyAccessToken(tokenID, permissionName); } +int AccessTokenManagerClient::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) +{ + ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s: called!", __func__); + auto proxy = GetProxy(); + if (proxy == nullptr) { + ACCESSTOKEN_LOG_ERROR(LABEL, "proxy is null"); + return PERMISSION_DENIED; + } + return proxy->VerifyNativeToken(tokenID, permissionName); +} + int AccessTokenManagerClient::GetDefPermission( const std::string& permissionName, PermissionDef& permissionDefResult) { 
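Review bot: `tokenID=%{public}d` in both log calls of `AccessTokenKit::VerifyNativeToken` formats the token ID as a signed decimal, while the service-side hunks in this patch log the same value as `0x%{public}x` and the proxy serialises it with `WriteUint32`. An ID with the top bit set would print as a negative number, which makes client and service log lines hard to correlate when a denied check is being investigated. Use `tokenID=0x%{public}x` in both places.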
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h index d3cc13fca..fb3a1086e 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h @@ -40,6 +40,7 @@ public: virtual ~AccessTokenManagerClient(); int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName); + int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName); int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult); int GetDefPermissions(AccessTokenID tokenID, std::vector& permList); int GetReqPermissions( diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp index af6849ecb..9180e9ff7 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp 
@@ -66,6 +66,38 @@ int AccessTokenManagerProxy::VerifyAccessToken(AccessTokenID tokenID, const std: return result; } +int AccessTokenManagerProxy::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) +{ + MessageParcel data; + data.WriteInterfaceToken(IAccessTokenManager::GetDescriptor()); + if (!data.WriteUint32(tokenID)) { + ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to write tokenID"); + return PERMISSION_DENIED; + } + if (!data.WriteString(permissionName)) { + ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to write permissionName"); + return PERMISSION_DENIED; + } + + MessageParcel reply; + MessageOption option(MessageOption::TF_SYNC); + sptr remote = Remote(); + if (remote == nullptr) { + ACCESSTOKEN_LOG_ERROR(LABEL, "remote service null."); + return PERMISSION_DENIED; + } + int32_t requestResult = remote->SendRequest( + static_cast(IAccessTokenManager::InterfaceCode::VERIFY_NATIVETOKEN), data, reply, option); + if (requestResult != NO_ERROR) { + ACCESSTOKEN_LOG_ERROR(LABEL, "request fail, result: %{public}d", requestResult); + return PERMISSION_DENIED; + } + + int32_t result = reply.ReadInt32(); + ACCESSTOKEN_LOG_DEBUG(LABEL, "result from server data = %{public}d", result); + return result; +} + int AccessTokenManagerProxy::GetDefPermission( const std::string& permissionName, PermissionDefParcel& permissionDefResult) { diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.h b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.h index 55655a6f4..197a39160 100644 --- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.h +++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.h 
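Review bot: `int32_t result = reply.ReadInt32();` at the end of `AccessTokenManagerProxy::VerifyNativeToken` cannot tell a reply that carries no value from a real answer, so a short or empty reply is handed to the caller as whatever the parcel yields on a failed read. If that value is 0 and `PERMISSION_GRANTED` is also 0 (the enum is not visible in this patch, so confirm), the check fails open. Start from denied and use the parcel's checked read: `int32_t result = PERMISSION_DENIED;` followed by `if (!reply.ReadInt32(result)) { return PERMISSION_DENIED; }`. The return value of `data.WriteInterfaceToken(...)` is also ignored, unlike the two writes after it.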
@@ -39,6 +39,7 @@ public: virtual ~AccessTokenManagerProxy() override; int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName) override; + int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) override; int GetDefPermission(const std::string& permissionName, PermissionDefParcel& permissionDefResult) override; int GetDefPermissions(AccessTokenID tokenID, std::vector& permList) override; int GetReqPermissions( diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h index fcc3087cc..683a8f611 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h @@ -38,6 +38,7 @@ public: void AddDefPermissions(std::shared_ptr tokenInfo, bool updateFlag); void RemoveDefPermissions(AccessTokenID tokenID); int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName); + int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName); int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult); int GetDefPermissions(AccessTokenID tokenID, std::vector& permList); int GetReqPermissions( diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h index cbb3cfa14..e289dc6d3 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h 
@@ -41,6 +41,7 @@ public: AccessTokenIDEx AllocHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy) override; int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName) override; + int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) override; int GetDefPermission(const std::string& permissionName, PermissionDefParcel& permissionDefResult) override; int GetDefPermissions(AccessTokenID tokenID, std::vector& permList) override; int GetReqPermissions( diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h index c4fbb77e1..8dd5ceb8c 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h @@ -35,6 +35,7 @@ public: private: void VerifyAccessTokenInner(MessageParcel& data, MessageParcel& reply); + void VerifyNativeTokenInner(MessageParcel& data, MessageParcel& reply); void GetDefPermissionInner(MessageParcel& data, MessageParcel& reply); void GetDefPermissionsInner(MessageParcel& data, MessageParcel& reply); void GetReqPermissionsInner(MessageParcel& data, MessageParcel& reply); diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 392991acc..2436bb18b 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp 
@@ -117,6 +117,29 @@ int PermissionManager::VerifyAccessToken(AccessTokenID tokenID, const std::strin return permPolicySet->VerifyPermissStatus(permissionName); } +int PermissionManager::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) +{ + ACCESSTOKEN_LOG_INFO(LABEL, + "%{public}s called, tokenID: 0x%{public}x, permissionName: %{public}s", __func__, + tokenID, permissionName.c_str()); + PermissionDef permissionInfo; + NativeTokenInfo nativeTokenInfo; + int res = PermissionManager::GetInstance().GetDefPermission(permissionName, permissionInfo); + if (res != RET_SUCCESS) { + ACCESSTOKEN_LOG_ERROR(LABEL, "GetDefPermission in %{public}s failed", __func__); + return PERMISSION_DENIED; + } + res = AccessTokenInfoManager::GetInstance().GetNativeTokenInfo(tokenID, nativeTokenInfo); + if (res != RET_SUCCESS) { + ACCESSTOKEN_LOG_ERROR(LABEL, "GetNativeTokenInfo in %{public}s failed", __func__); + return PERMISSION_DENIED; + } + if (permissionInfo.availableLevel > nativeTokenInfo.apl) { + return PERMISSION_DENIED; + } + return PERMISSION_GRANTED; +} + int PermissionManager::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult) { ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, permissionName: %{public}s", __func__, permissionName.c_str()); diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index 4fe4e741b..ed290428f 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp 
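Review bot: The final branch `if (permissionInfo.availableLevel > nativeTokenInfo.apl)` is the whole authorization decision in `PermissionManager::VerifyNativeToken`, yet it is the only denial path that returns without a log line, and nothing states the rule being applied. Add a comment such as `// Native tokens are authorized by APL alone: allowed when apl >= the permission's availableLevel.` and log the denial, e.g. `ACCESSTOKEN_LOG_ERROR(LABEL, "apl is below availableLevel of %{public}s", permissionName.c_str());`. The entry log repeats the one added in `AccessTokenManagerService::VerifyNativeToken`, so every call is logged twice at INFO with the same fields. `PermissionManager::GetInstance().GetDefPermission(...)` can also be a plain `GetDefPermission(...)` call, since this is already a member function.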
@@ -82,6 +82,14 @@ int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID, const st return PermissionManager::GetInstance().VerifyAccessToken(tokenID, permissionName); } +int AccessTokenManagerService::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) +{ + ACCESSTOKEN_LOG_INFO(LABEL, + "%{public}s called, tokenID: 0x%{public}x, permissionName: %{public}s", __func__, + tokenID, permissionName.c_str()); + return PermissionManager::GetInstance().VerifyNativeToken(tokenID, permissionName); +} + int AccessTokenManagerService::GetDefPermission( const std::string& permissionName, PermissionDefParcel& permissionDefResult) { diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp index afb050cda..29ccb1e75 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp @@ -68,6 +68,15 @@ void AccessTokenManagerStub::VerifyAccessTokenInner(MessageParcel& data, Message reply.WriteInt32(result); } +void AccessTokenManagerStub::VerifyNativeTokenInner(MessageParcel& data, MessageParcel& reply) +{ + AccessTokenID tokenID = data.ReadUint32(); + std::string permissionName = data.ReadString(); + int result = this->VerifyNativeToken(tokenID, permissionName); + reply.WriteInt32(result); +} + + void AccessTokenManagerStub::GetDefPermissionInner(MessageParcel& data, MessageParcel& reply) { std::string permissionName = data.ReadString(); 
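Review bot: `AccessTokenManagerService::VerifyNativeToken` logs and forwards `permissionName` exactly as it arrived over IPC. The `tokenID == 0` and `DataValidator::IsPermissionNameValid` checks added in accesstoken_kit.cpp run only in the calling process, so they do not protect the service from a caller that builds the parcel itself. Repeat the validation before the log line, e.g. `if (tokenID == 0 || !DataValidator::IsPermissionNameValid(permissionName)) { return PERMISSION_DENIED; }` (whether this file already includes the validator header is not visible here). The same applies to `VerifyNativeTokenInner` in the accesstoken_manager_stub.cpp hunk, which passes the results of `data.ReadUint32()` and `data.ReadString()` on without checking that either read succeeded.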
@@ -392,6 +401,8 @@ AccessTokenManagerStub::AccessTokenManagerStub() { requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::VERIFY_ACCESSTOKEN)] = &AccessTokenManagerStub::VerifyAccessTokenInner; + requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::VERIFY_NATIVETOKEN)] = + &AccessTokenManagerStub::VerifyNativeTokenInner; requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::GET_DEF_PERMISSION)] = &AccessTokenManagerStub::GetDefPermissionInner; requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::GET_DEF_PERMISSIONS)] = diff --git a/services/accesstokenmanager/test/unittest/cpp/src/native_token_receptor_test.cpp b/services/accesstokenmanager/test/unittest/cpp/src/native_token_receptor_test.cpp index c1602a659..943cf600a 100644 --- a/services/accesstokenmanager/test/unittest/cpp/src/native_token_receptor_test.cpp +++ b/services/accesstokenmanager/test/unittest/cpp/src/native_token_receptor_test.cpp @@ -27,6 +27,7 @@ #include #include "accesstoken_info_manager.h" +#include "permission_manager.h" #include "data_storage.h" #include "field_const.h" #define private public 
@@ -570,3 +571,50 @@ HWTEST_F(NativeTokenReceptorTest, init001, TestSize.Level1) ret = AccessTokenInfoManager::GetInstance().RemoveNativeTokenInfo(tokenId); ASSERT_EQ(ret, RET_SUCCESS); } + +/** + * @tc.name: init001 + * @tc.desc: test get native cfg + * @tc.type: FUNC + * @tc.require: Issue Number + */ +HWTEST_F(NativeTokenReceptorTest, ProcessNativeTokenInfos007, TestSize.Level1) +{ + ACCESSTOKEN_LOG_INFO(LABEL, "test ProcessNativeTokenInfos007!"); + + const char **dcaps = (const char **)malloc(sizeof(char *) * 1); + dcaps[0] = "AT_CAP_01"; + int dcapNum = 1; + + char apl3[32]; + strcpy(apl3, "system_core"); + char apl2[32]; + strcpy(apl2, "system_basic"); + char apl1[32]; + strcpy(apl1, "normal"); + + uint64_t tokenIdApl3 = ::GetAccessTokenId("ProcessNativeTokenInfos007_003", dcaps, dcapNum, apl3); + ASSERT_NE(tokenIdApl3, 0); + uint64_t tokenIdApl2 = ::GetAccessTokenId("ProcessNativeTokenInfos007_002", dcaps, dcapNum, apl2); + ASSERT_NE(tokenIdApl2, 0); + uint64_t tokenIdApl1 = ::GetAccessTokenId("ProcessNativeTokenInfos007_001", dcaps, dcapNum, apl1); + ASSERT_NE(tokenIdApl1, 0); + + NativeTokenReceptor::GetInstance().Init(); + const std::string permission = "ohos.permission.SEND_MESSAGES"; + int ret = PermissionManager::GetInstance().VerifyNativeToken(tokenIdApl3, permission); + ASSERT_EQ(ret, PERMISSION_GRANTED); + + ret = PermissionManager::GetInstance().VerifyNativeToken(tokenIdApl2, permission); + ASSERT_EQ(ret, PERMISSION_GRANTED); + + ret = PermissionManager::GetInstance().VerifyNativeToken(tokenIdApl1, permission); + ASSERT_EQ(ret, PERMISSION_DENIED); + + ret = AccessTokenInfoManager::GetInstance().RemoveNativeTokenInfo(tokenIdApl3); + ASSERT_EQ(ret, RET_SUCCESS); + ret = AccessTokenInfoManager::GetInstance().RemoveNativeTokenInfo(tokenIdApl2); + ASSERT_EQ(ret, RET_SUCCESS); + ret = AccessTokenInfoManager::GetInstance().RemoveNativeTokenInfo(tokenIdApl1); + ASSERT_EQ(ret, RET_SUCCESS); +} \ No newline at end of file -- Gitee
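Review bot: `ProcessNativeTokenInfos007` exercises only the APL comparison; neither fail-closed branch of `PermissionManager::VerifyNativeToken` (permission name with no definition, token ID with no native token info) is asserted, and those are the branches where a regression could turn a denial into a grant. Add one assertion with an undefined permission name (a constructed value such as `"ohos.permission.NOT_DEFINED_FOR_TEST"`) and one that calls `VerifyNativeToken(tokenIdApl3, permission)` after `RemoveNativeTokenInfo(tokenIdApl3)`, both expecting `PERMISSION_DENIED`. The comment header still reads `@tc.name: init001` and `@tc.desc: test get native cfg`, copied from the test above, and should name this case. `dcaps` is used without a null check after `malloc` and is never freed. The `uint64_t` IDs are also narrowed implicitly when passed as `AccessTokenID`, which appears to be 32-bit given the `WriteUint32` in the proxy.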