1 /*
2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_policy_set.h"
17
18 #include <algorithm>
19
20 #include "accesstoken_log.h"
21 #include "access_token_error.h"
22 #include "data_storage.h"
23 #include "data_translator.h"
24 #include "token_field_const.h"
25 #include "permission_definition_cache.h"
26 #include "permission_validator.h"
27
28 namespace OHOS {
29 namespace Security {
30 namespace AccessToken {
31 namespace {
32 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "PermissionPolicySet"};
33 }
34
~PermissionPolicySet()35 PermissionPolicySet::~PermissionPolicySet()
36 {
37 ACCESSTOKEN_LOG_DEBUG(LABEL,
38 "%{public}s called, tokenID: 0x%{public}x destruction", __func__, tokenId_);
39 }
40
BuildPermissionPolicySet(AccessTokenID tokenId,const std::vector<PermissionStateFull> & permStateList)41 std::shared_ptr<PermissionPolicySet> PermissionPolicySet::BuildPermissionPolicySet(
42 AccessTokenID tokenId, const std::vector<PermissionStateFull>& permStateList)
43 {
44 std::shared_ptr<PermissionPolicySet> policySet = std::make_shared<PermissionPolicySet>();
45 PermissionValidator::FilterInvalidPermissionState(permStateList, policySet->permStateList_);
46 policySet->tokenId_ = tokenId;
47
48 return policySet;
49 }
50
UpdatePermStateFull(const PermissionStateFull & permOld,PermissionStateFull & permNew)51 void PermissionPolicySet::UpdatePermStateFull(const PermissionStateFull& permOld, PermissionStateFull& permNew)
52 {
53 if (permNew.isGeneral == permOld.isGeneral) {
54 permNew.resDeviceID = permOld.resDeviceID;
55 permNew.grantStatus = permOld.grantStatus;
56 permNew.grantFlags = permOld.grantFlags;
57 }
58 }
59
Update(const std::vector<PermissionStateFull> & permStateList)60 void PermissionPolicySet::Update(const std::vector<PermissionStateFull>& permStateList)
61 {
62 std::vector<PermissionStateFull> permStateFilterList;
63 PermissionValidator::FilterInvalidPermissionState(permStateList, permStateFilterList);
64
65 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
66
67 for (PermissionStateFull& permStateNew : permStateFilterList) {
68 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
69 [permStateNew](const PermissionStateFull& permStateOld) {
70 return permStateNew.permissionName == permStateOld.permissionName;
71 });
72 if (iter != permStateList_.end()) {
73 UpdatePermStateFull(*iter, permStateNew);
74 break;
75 }
76 }
77 permStateList_ = permStateFilterList;
78 }
79
GetFlagWroteToDb(int32_t grantFlag)80 int32_t PermissionPolicySet::GetFlagWroteToDb(int32_t grantFlag)
81 {
82 return GetFlagWithoutSpecifiedElement(grantFlag, PERMISSION_COMPONENT_SET);
83 }
84
RestorePermissionPolicy(AccessTokenID tokenId,const std::vector<GenericValues> & permStateRes)85 std::shared_ptr<PermissionPolicySet> PermissionPolicySet::RestorePermissionPolicy(AccessTokenID tokenId,
86 const std::vector<GenericValues>& permStateRes)
87 {
88 std::shared_ptr<PermissionPolicySet> policySet = std::make_shared<PermissionPolicySet>();
89 policySet->tokenId_ = tokenId;
90
91 for (const GenericValues& stateValue : permStateRes) {
92 if ((AccessTokenID)stateValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID) == tokenId) {
93 PermissionStateFull state;
94 int ret = DataTranslator::TranslationIntoPermissionStateFull(stateValue, state);
95 if (ret == RET_SUCCESS) {
96 MergePermissionStateFull(policySet->permStateList_, state);
97 } else {
98 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId 0x%{public}x permState is wrong.", tokenId);
99 }
100 }
101 }
102 return policySet;
103 }
104
MergePermissionStateFull(std::vector<PermissionStateFull> & permStateList,PermissionStateFull & state)105 void PermissionPolicySet::MergePermissionStateFull(std::vector<PermissionStateFull>& permStateList,
106 PermissionStateFull& state)
107 {
108 int flag = GetFlagWroteToDb(state.grantFlags[0]);
109 state.grantFlags[0] = flag;
110
111 for (auto iter = permStateList.begin(); iter != permStateList.end(); iter++) {
112 if (state.permissionName == iter->permissionName) {
113 iter->resDeviceID.emplace_back(state.resDeviceID[0]);
114 iter->grantStatus.emplace_back(state.grantStatus[0]);
115 iter->grantFlags.emplace_back(state.grantFlags[0]);
116 return;
117 }
118 }
119 permStateList.emplace_back(state);
120 }
121
StorePermissionState(std::vector<GenericValues> & valueList) const122 void PermissionPolicySet::StorePermissionState(std::vector<GenericValues>& valueList) const
123 {
124 for (const auto& permissionState : permStateList_) {
125 if (permissionState.isGeneral) {
126 GenericValues genericValues;
127 genericValues.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId_));
128 DataTranslator::TranslationIntoGenericValues(permissionState, 0, genericValues);
129 valueList.emplace_back(genericValues);
130 continue;
131 }
132
133 unsigned int stateSize = permissionState.resDeviceID.size();
134 for (unsigned int i = 0; i < stateSize; i++) {
135 GenericValues genericValues;
136 genericValues.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId_));
137 DataTranslator::TranslationIntoGenericValues(permissionState, i, genericValues);
138 valueList.emplace_back(genericValues);
139 }
140 }
141 }
142
StorePermissionPolicySet(std::vector<GenericValues> & permStateValueList)143 void PermissionPolicySet::StorePermissionPolicySet(std::vector<GenericValues>& permStateValueList)
144 {
145 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
146 StorePermissionState(permStateValueList);
147 }
148
IsPermOperatedByUser(int32_t flag)149 static bool IsPermOperatedByUser(int32_t flag)
150 {
151 uint32_t uFlag = static_cast<uint32_t>(flag);
152 return (uFlag & PERMISSION_USER_FIXED) || (uFlag & PERMISSION_USER_SET);
153 }
154
IsPermOperatedBySystem(int32_t flag)155 static bool IsPermOperatedBySystem(int32_t flag)
156 {
157 uint32_t uFlag = static_cast<uint32_t>(flag);
158 return (uFlag & PERMISSION_SYSTEM_FIXED) || (uFlag & PERMISSION_GRANTED_BY_POLICY);
159 }
160
IsPermGrantedBySecComp(int32_t flag)161 static bool IsPermGrantedBySecComp(int32_t flag)
162 {
163 uint32_t uFlag = static_cast<uint32_t>(flag);
164 return uFlag & PERMISSION_COMPONENT_SET;
165 }
166
GetFlagWithoutSpecifiedElement(int32_t fullFlag,int32_t removedFlag)167 int32_t PermissionPolicySet::GetFlagWithoutSpecifiedElement(int32_t fullFlag, int32_t removedFlag)
168 {
169 uint32_t uFullFlag = static_cast<uint32_t>(fullFlag);
170 uint32_t uRemovedFlag = static_cast<uint32_t>(removedFlag);
171 uint32_t unmaskedFlag = (uFullFlag) & (~uRemovedFlag);
172 return static_cast<int32_t>(unmaskedFlag);
173 }
174
VerifyPermissionStatus(const std::string & permissionName)175 int PermissionPolicySet::VerifyPermissionStatus(const std::string& permissionName)
176 {
177 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
178 for (const auto& perm : permStateList_) {
179 if (perm.permissionName == permissionName) {
180 if (perm.isGeneral) {
181 return IsPermGrantedBySecComp(perm.grantFlags[0]) ? PERMISSION_GRANTED : perm.grantStatus[0];
182 } else {
183 return PERMISSION_DENIED;
184 }
185 }
186 }
187 // check if undeclared permission is granted by security component.
188 if (std::any_of(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
189 [permissionName](const auto& permission) { return permission == permissionName; })) {
190 return PERMISSION_GRANTED;
191 }
192 return PERMISSION_DENIED;
193 }
194
GetDefPermissions(std::vector<PermissionDef> & permList)195 void PermissionPolicySet::GetDefPermissions(std::vector<PermissionDef>& permList)
196 {
197 PermissionDefinitionCache::GetInstance().GetDefPermissionsByTokenId(permList, tokenId_);
198 }
199
GetPermissionStateFulls(std::vector<PermissionStateFull> & permList)200 void PermissionPolicySet::GetPermissionStateFulls(std::vector<PermissionStateFull>& permList)
201 {
202 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
203 permList.assign(permStateList_.begin(), permStateList_.end());
204 }
205
QueryPermissionFlag(const std::string & permissionName,int & flag)206 int PermissionPolicySet::QueryPermissionFlag(const std::string& permissionName, int& flag)
207 {
208 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
209 for (const auto& perm : permStateList_) {
210 if (perm.permissionName == permissionName) {
211 if (perm.isGeneral) {
212 flag = perm.grantFlags[0];
213 return RET_SUCCESS;
214 } else {
215 return AccessTokenError::ERR_PARAM_INVALID;
216 }
217 }
218 }
219 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
220 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
221 }
222
UpdateWithNewFlag(int32_t oldFlag,int32_t currFlag)223 static int32_t UpdateWithNewFlag(int32_t oldFlag, int32_t currFlag)
224 {
225 uint32_t newFlag = static_cast<uint32_t>(currFlag) |
226 ((static_cast<uint32_t>(oldFlag)) & PERMISSION_GRANTED_BY_POLICY);
227 return static_cast<int32_t>(newFlag);
228 }
229
UpdatePermStateList(const std::string & permissionName,bool isGranted,uint32_t flag)230 int32_t PermissionPolicySet::UpdatePermStateList(const std::string& permissionName, bool isGranted, uint32_t flag)
231 {
232 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
233 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
234 [permissionName](const PermissionStateFull& permState) {
235 return permissionName == permState.permissionName;
236 });
237 if (iter != permStateList_.end()) {
238 if (iter->isGeneral) {
239 iter->grantStatus[0] = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
240 iter->grantFlags[0] = UpdateWithNewFlag(iter->grantFlags[0], flag);
241 } else {
242 ACCESSTOKEN_LOG_WARN(LABEL, "perm isGeneral is false.");
243 }
244 } else {
245 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
246 return AccessTokenError::ERR_PARAM_INVALID;
247 }
248 return RET_SUCCESS;
249 }
250
SecCompGrantedPermListUpdated(const std::string & permissionName,bool isAdded)251 void PermissionPolicySet::SecCompGrantedPermListUpdated(const std::string& permissionName, bool isAdded)
252 {
253 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
254 if (isAdded) {
255 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission in secCompGrantedPermList_ is added.");
256 auto iter = std::find_if(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
257 [permissionName](const std::string &grantedPerm) {
258 return permissionName == grantedPerm;
259 });
260 if (iter == secCompGrantedPermList_.end()) {
261 secCompGrantedPermList_.emplace_back(permissionName);
262 return;
263 }
264 } else {
265 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission in secCompGrantedPermList_ is deleted.");
266 auto iter = std::find_if(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
267 [permissionName](const std::string &grantedPerm) {
268 return permissionName == grantedPerm;
269 });
270 if (iter != secCompGrantedPermList_.end()) {
271 secCompGrantedPermList_.erase(iter);
272 return;
273 }
274 }
275 return;
276 }
277
SetPermissionFlag(const std::string & permissionName,uint32_t flag,bool needToAdd)278 void PermissionPolicySet::SetPermissionFlag(const std::string& permissionName, uint32_t flag, bool needToAdd)
279 {
280 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
281 for (auto& perm : permStateList_) {
282 if (perm.permissionName == permissionName) {
283 if (perm.isGeneral) {
284 uint32_t oldFlag = static_cast<uint32_t>(perm.grantFlags[0]);
285 uint32_t newFlag =
286 needToAdd ? (oldFlag | flag) : (oldFlag & (~PERMISSION_COMPONENT_SET));
287 perm.grantFlags[0] = static_cast<int32_t>(newFlag);
288 return;
289 }
290 }
291 }
292 return;
293 }
294
UpdateSecCompGrantedPermList(const std::string & permissionName,bool isToGrant)295 int32_t PermissionPolicySet::UpdateSecCompGrantedPermList(const std::string& permissionName, bool isToGrant)
296 {
297 int32_t flag = 0;
298 int32_t ret = QueryPermissionFlag(permissionName, flag);
299
300 ACCESSTOKEN_LOG_DEBUG(LABEL, "ret is %{public}d. flag is %{public}d", ret, flag);
301 // if the permission has been operated by user or the permission has been granted by system.
302 if ((IsPermOperatedByUser(flag) || IsPermOperatedBySystem(flag))) {
303 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission has been operated.");
304 if (isToGrant) {
305 int32_t status = VerifyPermissionStatus(permissionName);
306 // Permission has been granted, there is no need to add perm state in security component permList.
307 if (status == PERMISSION_GRANTED) {
308 return RET_SUCCESS;
309 } else {
310 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission has been revoked by user.");
311 return RET_FAILED;
312 }
313 } else {
314 /* revoke is called while the permission has been operated by user or system */
315 /* the permission need to be deleted from secCompGrantedPermList_ */
316 SecCompGrantedPermListUpdated(permissionName, false);
317 return RET_SUCCESS;
318 }
319 }
320 // the permission has not been operated by user or the app has not applied for this permission in config.json
321 SecCompGrantedPermListUpdated(permissionName, isToGrant);
322 // If the app has applied for this permission and security component operation has taken effect.
323 SetPermissionFlag(permissionName, PERMISSION_COMPONENT_SET, isToGrant);
324 return RET_SUCCESS;
325 }
326
UpdatePermissionStatus(const std::string & permissionName,bool isGranted,uint32_t flag)327 int32_t PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionName, bool isGranted, uint32_t flag)
328 {
329 ACCESSTOKEN_LOG_DEBUG(LABEL, "permissionName %{public}s.", permissionName.c_str());
330 if (!IsPermGrantedBySecComp(flag)) {
331 return UpdatePermStateList(permissionName, isGranted, flag);
332 }
333 ACCESSTOKEN_LOG_DEBUG(LABEL, "Permission is set by security component.");
334 return UpdateSecCompGrantedPermList(permissionName, isGranted);
335 }
336
ClearSecCompGrantedPerm(void)337 void PermissionPolicySet::ClearSecCompGrantedPerm(void)
338 {
339 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
340 secCompGrantedPermList_.erase(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end());
341 for (auto& perm : permStateList_) {
342 if (perm.isGeneral) {
343 perm.grantFlags[0] = GetFlagWithoutSpecifiedElement(perm.grantFlags[0], PERMISSION_COMPONENT_SET);
344 }
345 }
346 }
347
ResetUserGrantPermissionStatus(void)348 void PermissionPolicySet::ResetUserGrantPermissionStatus(void)
349 {
350 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
351 for (auto& perm : permStateList_) {
352 if (perm.isGeneral) {
353 uint32_t oldFlag = static_cast<uint32_t>(perm.grantFlags[0]);
354 if ((oldFlag & PERMISSION_SYSTEM_FIXED) != 0) {
355 continue;
356 }
357 /* A user_grant permission has been set by system for cancellable pre-authorization. */
358 /* it should keep granted when the app reset. */
359 if ((oldFlag & PERMISSION_GRANTED_BY_POLICY) != 0) {
360 perm.grantStatus[0] = PERMISSION_GRANTED;
361 perm.grantFlags[0] = PERMISSION_GRANTED_BY_POLICY;
362 continue;
363 }
364 perm.grantStatus[0] = PERMISSION_DENIED;
365 perm.grantFlags[0] = PERMISSION_DEFAULT_FLAG;
366 } else {
367 continue;
368 }
369 }
370 }
371
GetPermissionStateList(std::vector<PermissionStateFull> & stateList)372 void PermissionPolicySet::GetPermissionStateList(std::vector<PermissionStateFull>& stateList)
373 {
374 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
375 for (const auto& state : permStateList_) {
376 stateList.emplace_back(state);
377 }
378 }
379
GetResetPermissionListToNotify(std::vector<std::string> & permissionList,std::vector<PermStateChangeType> & changeTypeList)380 void PermissionPolicySet::GetResetPermissionListToNotify(
381 std::vector<std::string>& permissionList, std::vector<PermStateChangeType>& changeTypeList)
382 {
383 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
384 for (const auto& perm : permStateList_) {
385 if (perm.isGeneral) {
386 uint32_t oldFlag = static_cast<uint32_t>(perm.grantFlags[0]);
387 if (((oldFlag & PERMISSION_GRANTED_BY_POLICY) != 0) && (perm.grantStatus[0] == PERMISSION_DENIED)) {
388 permissionList.emplace_back(perm.permissionName);
389 changeTypeList.emplace_back(PermStateChangeType::GRANTED);
390 continue;
391 }
392 if ((oldFlag & PERMISSION_SYSTEM_FIXED) == 0 && (perm.grantStatus[0] == PERMISSION_GRANTED)) {
393 permissionList.emplace_back(perm.permissionName);
394 changeTypeList.emplace_back(PermStateChangeType::REVOKED);
395 }
396 }
397 }
398
399 for (const auto& permission : secCompGrantedPermList_) {
400 permissionList.emplace_back(permission);
401 changeTypeList.emplace_back(PermStateChangeType::REVOKED);
402 }
403 }
404
GetDeletedPermissionListToNotify(std::vector<std::string> & permissionList)405 void PermissionPolicySet::GetDeletedPermissionListToNotify(std::vector<std::string>& permissionList)
406 {
407 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
408 for (const auto& perm : permStateList_) {
409 if (perm.isGeneral) {
410 if (perm.grantStatus[0] == PERMISSION_GRANTED) {
411 permissionList.emplace_back(perm.permissionName);
412 }
413 }
414 }
415 for (const auto& permission : secCompGrantedPermList_) {
416 permissionList.emplace_back(permission);
417 }
418 }
419
PermDefToString(const PermissionDef & def,std::string & info) const420 void PermissionPolicySet::PermDefToString(const PermissionDef& def, std::string& info) const
421 {
422 info.append(R"( {)");
423 info.append("\n");
424 info.append(R"( "permissionName": ")" + def.permissionName + R"(")" + ",\n");
425 info.append(R"( "bundleName": ")" + def.bundleName + R"(")" + ",\n");
426 info.append(R"( "grantMode": )" + std::to_string(def.grantMode) + ",\n");
427 info.append(R"( "availableLevel": )" + std::to_string(def.availableLevel) + ",\n");
428 info.append(R"( "provisionEnable": )" + std::to_string(def.provisionEnable) + ",\n");
429 info.append(R"( "distributedSceneEnable": )" + std::to_string(def.distributedSceneEnable) + ",\n");
430 info.append(R"( "label": ")" + def.label + R"(")" + ",\n");
431 info.append(R"( "labelId": )" + std::to_string(def.labelId) + ",\n");
432 info.append(R"( "description": ")" + def.description + R"(")" + ",\n");
433 info.append(R"( "descriptionId": )" + std::to_string(def.descriptionId) + ",\n");
434 info.append(R"( })");
435 }
436
PermStateFullToString(const PermissionStateFull & state,std::string & info) const437 void PermissionPolicySet::PermStateFullToString(const PermissionStateFull& state, std::string& info) const
438 {
439 info.append(R"( {)");
440 info.append("\n");
441 info.append(R"( "permissionName": ")" + state.permissionName + R"(")" + ",\n");
442 info.append(R"( "isGeneral": )" + std::to_string(state.isGeneral) + ",\n");
443 info.append(R"( "resDeviceIDList": [ )");
444 for (auto iter = state.resDeviceID.begin(); iter != state.resDeviceID.end(); iter++) {
445 info.append("\n");
446 info.append(R"( { "resDeviceID": ")" + *iter + R"(")" + " }");
447 if (iter != (state.resDeviceID.end() - 1)) {
448 info.append(",");
449 }
450 }
451 info.append("\n ],\n");
452
453 info.append(R"( "grantStatusList": [)");
454 for (auto iter = state.grantStatus.begin(); iter != state.grantStatus.end(); iter++) {
455 info.append("\n");
456 info.append(R"( { "grantStatus": )" + std::to_string(*iter) + " }");
457 if (iter != (state.grantStatus.end() - 1)) {
458 info.append(",");
459 }
460 }
461 info.append("\n ],\n");
462
463 info.append(R"( "grantFlagsList": [)");
464 for (auto iter = state.grantFlags.begin(); iter != state.grantFlags.end(); iter++) {
465 info.append("\n");
466 info.append(R"( { "grantFlag": )" + std::to_string(*iter) + " }");
467 if (iter != (state.grantFlags.end() - 1)) {
468 info.append(",");
469 }
470 }
471 info.append("\n ],\n");
472
473 info.append(R"( })");
474 }
475
ToString(std::string & info)476 void PermissionPolicySet::ToString(std::string& info)
477 {
478 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
479 info.append(R"( "permDefList": [)");
480 info.append("\n");
481 std::vector<PermissionDef> permList;
482 PermissionDefinitionCache::GetInstance().GetDefPermissionsByTokenId(permList, tokenId_);
483 for (auto iter = permList.begin(); iter != permList.end(); iter++) {
484 PermDefToString(*iter, info);
485 if (iter != (permList.end() - 1)) {
486 info.append(",\n");
487 }
488 }
489 info.append("\n ],\n");
490
491 info.append(R"( "permStateList": [)");
492 info.append("\n");
493 for (auto iter = permStateList_.begin(); iter != permStateList_.end(); iter++) {
494 PermStateFullToString(*iter, info);
495 if (iter != (permStateList_.end() - 1)) {
496 info.append(",\n");
497 }
498 }
499 info.append("\n ]\n");
500 }
501
IsPermissionReqValid(int32_t tokenApl,const std::string & permissionName,const std::vector<std::string> & nativeAcls)502 bool PermissionPolicySet::IsPermissionReqValid(int32_t tokenApl, const std::string& permissionName,
503 const std::vector<std::string>& nativeAcls)
504 {
505 PermissionDef permissionDef;
506 int ret = PermissionDefinitionCache::GetInstance().FindByPermissionName(
507 permissionName, permissionDef);
508 if (ret != RET_SUCCESS) {
509 return false;
510 }
511 if (tokenApl >= permissionDef.availableLevel) {
512 return true;
513 }
514
515 auto iter = std::find(nativeAcls.begin(), nativeAcls.end(), permissionName);
516 if (iter != nativeAcls.end()) {
517 return true;
518 }
519 return false;
520 }
521
PermStateToString(int32_t tokenApl,const std::vector<std::string> & nativeAcls,std::string & info)522 void PermissionPolicySet::PermStateToString(int32_t tokenApl,
523 const std::vector<std::string>& nativeAcls, std::string& info)
524 {
525 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
526
527 std::vector<std::string> invalidPermList = {};
528 info.append(R"( "permStateList": [)");
529 info.append("\n");
530 for (auto iter = permStateList_.begin(); iter != permStateList_.end(); iter++) {
531 if (!IsPermissionReqValid(tokenApl, iter->permissionName, nativeAcls)) {
532 invalidPermList.emplace_back(iter->permissionName);
533 continue;
534 }
535 PermStateFullToString(*iter, info);
536 if (iter != (permStateList_.end() - 1)) {
537 info.append(",\n");
538 }
539 }
540 info.append("\n ]\n");
541
542 if (invalidPermList.empty()) {
543 return;
544 }
545
546 info.append(R"( "invalidPermList": [)");
547 info.append("\n");
548 for (auto iter = invalidPermList.begin(); iter != invalidPermList.end(); iter++) {
549 info.append(R"( "permissionName": ")" + *iter + R"(")" + ",\n");
550 }
551 info.append("\n ]\n");
552 }
553 } // namespace AccessToken
554 } // namespace Security
555 } // namespace OHOS
556