1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_info_manager.h"
17
18 #include <cinttypes>
19 #include <cstdint>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <securec.h>
23 #include "access_token.h"
24 #include "access_token_db.h"
25 #include "accesstoken_dfx_define.h"
26 #include "accesstoken_id_manager.h"
27 #include "accesstoken_common_log.h"
28 #include "accesstoken_remote_token_manager.h"
29 #include "access_token_error.h"
30 #include "atm_tools_param_info_parcel.h"
31 #include "callback_manager.h"
32 #include "constant_common.h"
33 #include "data_translator.h"
34 #include "data_validator.h"
35 #ifdef SUPPORT_SANDBOX_APP
36 #include "dlp_permission_set_manager.h"
37 #endif
38 #include "generic_values.h"
39 #include "hap_token_info_inner.h"
40 #include "hisysevent_adapter.h"
41 #include "ipc_skeleton.h"
42 #include "json_parse_loader.h"
43 #include "permission_manager.h"
44 #include "permission_map.h"
45 #include "permission_validator.h"
46 #include "perm_setproc.h"
47 #include "token_field_const.h"
48 #include "token_setproc.h"
49 #ifdef TOKEN_SYNC_ENABLE
50 #include "token_modify_notifier.h"
51 #endif
52
53 namespace OHOS {
54 namespace Security {
55 namespace AccessToken {
56 namespace {
57 std::recursive_mutex g_instanceMutex;
58 static const unsigned int SYSTEM_APP_FLAG = 0x0001;
59 static constexpr int32_t BASE_USER_RANGE = 200000;
60 #ifdef TOKEN_SYNC_ENABLE
61 static const int MAX_PTHREAD_NAME_LEN = 15; // pthread name max length
62 static const char* ACCESS_TOKEN_PACKAGE_NAME = "ohos.security.distributed_token_sync";
63 #endif
64 static const char* DUMP_JSON_PATH = "/data/service/el1/public/access_token/nativetoken.log";
65 static const char* SYSTEM_RESOURCE_BUNDLE_NAME = "ohos.global.systemres";
66 }
67
AccessTokenInfoManager()68 AccessTokenInfoManager::AccessTokenInfoManager() : hasInited_(false) {}
69
~AccessTokenInfoManager()70 AccessTokenInfoManager::~AccessTokenInfoManager()
71 {
72 if (!hasInited_) {
73 return;
74 }
75
76 #ifdef TOKEN_SYNC_ENABLE
77 int32_t ret = DistributedHardware::DeviceManager::GetInstance().UnInitDeviceManager(ACCESS_TOKEN_PACKAGE_NAME);
78 if (ret != ERR_OK) {
79 LOGE(ATM_DOMAIN, ATM_TAG, "UnInitDeviceManager failed, code: %{public}d", ret);
80 }
81 #endif
82
83 this->hasInited_ = false;
84 }
85
Init()86 void AccessTokenInfoManager::Init()
87 {
88 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->managerLock_);
89 if (hasInited_) {
90 return;
91 }
92
93 LOGI(ATM_DOMAIN, ATM_TAG, "Init begin!");
94 LibraryLoader loader(CONFIG_PARSE_LIBPATH);
95 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
96 if (policy == nullptr) {
97 LOGE(ATM_DOMAIN, ATM_TAG, "Dlopen libaccesstoken_json_parse failed.");
98 return;
99 }
100 std::vector<NativeTokenInfoBase> tokenInfos;
101 int ret = policy->GetAllNativeTokenInfo(tokenInfos);
102 if (ret != RET_SUCCESS) {
103 ReportSysEventServiceStartError(
104 INIT_NATIVE_TOKENINFO_ERROR, "GetAllNativeTokenInfo fail from native json.", ret);
105 }
106 uint32_t hapSize = 0;
107 uint32_t nativeSize = tokenInfos.size();
108 InitHapTokenInfos(hapSize);
109 InitNativeTokenInfos(tokenInfos);
110 uint32_t pefDefSize = GetDefPermissionsSize();
111 ReportSysEventServiceStart(getpid(), hapSize, nativeSize, pefDefSize);
112 LOGI(ATM_DOMAIN, ATM_TAG, "InitTokenInfo end, hapSize %{public}d, nativeSize %{public}d, pefDefSize %{public}d.",
113 hapSize, nativeSize, pefDefSize);
114
115 #ifdef SUPPORT_SANDBOX_APP
116 std::vector<PermissionDlpMode> dlpPerms;
117 ret = policy->GetDlpPermissions(dlpPerms);
118 if (ret == RET_SUCCESS) {
119 LOGI(ATM_DOMAIN, ATM_TAG, "Load dlpPer size=%{public}zu.", dlpPerms.size());
120 DlpPermissionSetManager::GetInstance().ProcessDlpPermInfos(dlpPerms);
121 }
122 #endif
123 hasInited_ = true;
124 LOGI(ATM_DOMAIN, ATM_TAG, "Init success");
125 }
126
IsSystemResource(const std::string & bundleName)127 static bool IsSystemResource(const std::string& bundleName)
128 {
129 return std::string(SYSTEM_RESOURCE_BUNDLE_NAME) == bundleName;
130 }
131
132 #ifdef TOKEN_SYNC_ENABLE
InitDmCallback(void)133 void AccessTokenInfoManager::InitDmCallback(void)
134 {
135 std::function<void()> runner = []() {
136 std::string name = "AtmInfoMgrInit";
137 pthread_setname_np(pthread_self(), name.substr(0, MAX_PTHREAD_NAME_LEN).c_str());
138 std::shared_ptr<AccessTokenDmInitCallback> ptrDmInitCallback = std::make_shared<AccessTokenDmInitCallback>();
139 int32_t ret = DistributedHardware::DeviceManager::GetInstance().InitDeviceManager(ACCESS_TOKEN_PACKAGE_NAME,
140 ptrDmInitCallback);
141 if (ret != ERR_OK) {
142 LOGE(ATM_DOMAIN, ATM_TAG, "Initialize: InitDeviceManager error, result: %{public}d", ret);
143 }
144 LOGI(ATM_DOMAIN, ATM_TAG, "device manager part init end");
145 return;
146 };
147 std::thread initThread(runner);
148 initThread.detach();
149 }
150 #endif
151
InitHapTokenInfos(uint32_t & hapSize)152 void AccessTokenInfoManager::InitHapTokenInfos(uint32_t& hapSize)
153 {
154 GenericValues conditionValue;
155 std::vector<GenericValues> hapTokenRes;
156 std::vector<GenericValues> permStateRes;
157 std::vector<GenericValues> extendedPermRes;
158 int32_t ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, hapTokenRes);
159 if (ret != RET_SUCCESS || hapTokenRes.empty()) {
160 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load hap from db fail.", ret);
161 }
162 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes);
163 if (ret != RET_SUCCESS || permStateRes.empty()) {
164 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load perm state from db fail.", ret);
165 }
166 ret = AccessTokenDb::GetInstance().Find(
167 AtmDataType::ACCESSTOKEN_PERMISSION_EXTEND_VALUE, conditionValue, extendedPermRes);
168 if (ret != RET_SUCCESS) { // extendedPermRes may be empty
169 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load exetended value from db fail.", ret);
170 }
171 for (const GenericValues& tokenValue : hapTokenRes) {
172 AccessTokenID tokenId = (AccessTokenID)tokenValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
173 std::string bundle = tokenValue.GetString(TokenFiledConst::FIELD_BUNDLE_NAME);
174 int result = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_HAP);
175 if (result != RET_SUCCESS) {
176 LOGE(ATM_DOMAIN, ATM_TAG, "TokenId %{public}u add id failed, error=%{public}d.", tokenId, result);
177 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR,
178 "RegisterTokenId fail, " + bundle + std::to_string(tokenId), result);
179 continue;
180 }
181 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>();
182 result = hap->RestoreHapTokenInfo(tokenId, tokenValue, permStateRes, extendedPermRes);
183 if (result != RET_SUCCESS) {
184 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
185 LOGE(ATM_DOMAIN, ATM_TAG, "TokenId %{public}u restore failed.", tokenId);
186 continue;
187 }
188
189 result = AddHapTokenInfo(hap);
190 if (result != RET_SUCCESS) {
191 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
192 LOGE(ATM_DOMAIN, ATM_TAG, "TokenId %{public}u add failed.", tokenId);
193 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR,
194 "AddHapTokenInfo fail, " + bundle + std::to_string(tokenId), result);
195 continue;
196 }
197 hapSize++;
198 LOGI(ATM_DOMAIN, ATM_TAG,
199 " Restore hap token %{public}u bundle name %{public}s user %{public}d,"
200 " permSize %{public}d, inst %{public}d ok!",
201 tokenId, hap->GetBundleName().c_str(), hap->GetUserID(), hap->GetReqPermissionSize(), hap->GetInstIndex());
202 }
203 }
204
GetHapUniqueStr(const int & userID,const std::string & bundleName,const int & instIndex) const205 std::string AccessTokenInfoManager::GetHapUniqueStr(const int& userID,
206 const std::string& bundleName, const int& instIndex) const
207 {
208 return bundleName + "&" + std::to_string(userID) + "&" + std::to_string(instIndex);
209 }
210
GetHapUniqueStr(const std::shared_ptr<HapTokenInfoInner> & info) const211 std::string AccessTokenInfoManager::GetHapUniqueStr(const std::shared_ptr<HapTokenInfoInner>& info) const
212 {
213 if (info == nullptr) {
214 return std::string("");
215 }
216 return GetHapUniqueStr(info->GetUserID(), info->GetBundleName(), info->GetInstIndex());
217 }
218
AddHapTokenInfo(const std::shared_ptr<HapTokenInfoInner> & info)219 int AccessTokenInfoManager::AddHapTokenInfo(const std::shared_ptr<HapTokenInfoInner>& info)
220 {
221 if (info == nullptr) {
222 LOGE(ATM_DOMAIN, ATM_TAG, "Token info is null.");
223 return AccessTokenError::ERR_PARAM_INVALID;
224 }
225 AccessTokenID id = info->GetTokenID();
226 AccessTokenID idRemoved = INVALID_TOKENID;
227 {
228 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
229 if (hapTokenInfoMap_.count(id) > 0) {
230 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u info has exist.", id);
231 return AccessTokenError::ERR_TOKENID_HAS_EXISTED;
232 }
233
234 if (!info->IsRemote()) {
235 std::string hapUniqueKey = GetHapUniqueStr(info);
236 auto iter = hapTokenIdMap_.find(hapUniqueKey);
237 if (iter != hapTokenIdMap_.end()) {
238 LOGI(ATM_DOMAIN, ATM_TAG, "Token %{public}u Unique info has exist, update.", id);
239 idRemoved = iter->second;
240 }
241 hapTokenIdMap_[hapUniqueKey] = id;
242 }
243 hapTokenInfoMap_[id] = info;
244 }
245 if (idRemoved != INVALID_TOKENID) {
246 RemoveHapTokenInfo(idRemoved);
247 }
248 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "ADD_HAP",
249 HiviewDFX::HiSysEvent::EventType::STATISTIC,
250 "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(),
251 "INSTINDEX", info->GetInstIndex());
252
253 // add hap to kernel
254 int32_t userId = info->GetUserID();
255 {
256 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
257 if (!permPolicyList_.empty() &&
258 (std::find(inactiveUserList_.begin(), inactiveUserList_.end(), userId) != inactiveUserList_.end())) {
259 LOGI(ATM_DOMAIN, ATM_TAG, "Execute user policy.");
260 PermissionManager::GetInstance().AddHapPermToKernel(id, permPolicyList_);
261 return RET_SUCCESS;
262 }
263 }
264 PermissionManager::GetInstance().AddHapPermToKernel(id, std::vector<std::string>());
265 return RET_SUCCESS;
266 }
267
GetHapTokenInfoInner(AccessTokenID id)268 std::shared_ptr<HapTokenInfoInner> AccessTokenInfoManager::GetHapTokenInfoInner(AccessTokenID id)
269 {
270 {
271 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
272 auto iter = hapTokenInfoMap_.find(id);
273 if (iter != hapTokenInfoMap_.end()) {
274 return iter->second;
275 }
276 }
277
278 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
279 GenericValues conditionValue;
280 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(id));
281 std::vector<GenericValues> hapTokenResults;
282 int32_t ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, hapTokenResults);
283 if (ret != RET_SUCCESS || hapTokenResults.empty()) {
284 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from hap_token_table, err: %{public}d, "
285 "hapSize: %{public}zu, mapSize: %{public}zu.", id, ret, hapTokenResults.size(), hapTokenInfoMap_.size());
286 return nullptr;
287 }
288 std::vector<GenericValues> permStateRes;
289 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes);
290 if (ret != RET_SUCCESS) {
291 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from perm_state_table, err: %{public}d, "
292 "mapSize: %{public}zu.", id, ret, hapTokenInfoMap_.size());
293 return nullptr;
294 }
295
296 std::vector<GenericValues> extendedPermRes;
297 ret = AccessTokenDb::GetInstance().Find(
298 AtmDataType::ACCESSTOKEN_PERMISSION_EXTEND_VALUE, conditionValue, extendedPermRes);
299 if (ret != RET_SUCCESS) { // extendedPermRes may be empty
300 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from perm_extend_value_table, err: %{public}d, "
301 "mapSize: %{public}zu.", id, ret, hapTokenInfoMap_.size());
302 return nullptr;
303 }
304
305 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>();
306 ret = hap->RestoreHapTokenInfo(id, hapTokenResults[0], permStateRes, extendedPermRes);
307 if (ret != RET_SUCCESS) {
308 LOGE(ATM_DOMAIN, ATM_TAG, "Id %{public}u restore failed, err: %{public}d, mapSize: %{public}zu.",
309 id, ret, hapTokenInfoMap_.size());
310 return nullptr;
311 }
312 AccessTokenIDManager::GetInstance().RegisterTokenId(id, TOKEN_HAP);
313 hapTokenIdMap_[GetHapUniqueStr(hap)] = id;
314 hapTokenInfoMap_[id] = hap;
315 PermissionManager::GetInstance().AddHapPermToKernel(id, std::vector<std::string>());
316 LOGI(ATM_DOMAIN, ATM_TAG, " Token %{public}u is not found in map(mapSize: %{public}zu), begin load from DB,"
317 " restore bundle %{public}s user %{public}d, idx %{public}d, permSize %{public}d.", id, hapTokenInfoMap_.size(),
318 hap->GetBundleName().c_str(), hap->GetUserID(), hap->GetInstIndex(), hap->GetReqPermissionSize());
319 return hap;
320 }
321
GetHapTokenDlpType(AccessTokenID id)322 int32_t AccessTokenInfoManager::GetHapTokenDlpType(AccessTokenID id)
323 {
324 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
325 auto iter = hapTokenInfoMap_.find(id);
326 if ((iter != hapTokenInfoMap_.end()) && (iter->second != nullptr)) {
327 return iter->second->GetDlpType();
328 }
329 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid, mapSize: %{public}zu.", id, hapTokenInfoMap_.size());
330 return BUTT_DLP_TYPE;
331 }
332
IsTokenIdExist(AccessTokenID id)333 bool AccessTokenInfoManager::IsTokenIdExist(AccessTokenID id)
334 {
335 {
336 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
337 if (hapTokenInfoMap_.count(id) != 0) {
338 return true;
339 }
340 }
341 {
342 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
343 if (nativeTokenInfoMap_.count(id) != 0) {
344 return true;
345 }
346 }
347 return false;
348 }
349
GetTokenIDByUserID(int32_t userID,std::unordered_set<AccessTokenID> & tokenIdList)350 int32_t AccessTokenInfoManager::GetTokenIDByUserID(int32_t userID, std::unordered_set<AccessTokenID>& tokenIdList)
351 {
352 GenericValues conditionValue;
353 std::vector<GenericValues> tokenIDResults;
354 conditionValue.Put(TokenFiledConst::FIELD_USER_ID, userID);
355 int32_t ret = AccessTokenDb::GetInstance().Find(
356 AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, tokenIDResults);
357 if (ret != RET_SUCCESS) {
358 LOGE(ATM_DOMAIN, ATM_TAG, "UserID(%{public}d) find tokenID failed, ret: %{public}d.", userID, ret);
359 return ret;
360 }
361 if (tokenIDResults.empty()) {
362 LOGE(ATM_DOMAIN, ATM_TAG, "UserID(%{public}d) find tokenID empty.", userID);
363 return RET_SUCCESS;
364 }
365
366 for (const GenericValues& tokenIDResult : tokenIDResults) {
367 AccessTokenID tokenId = (AccessTokenID)tokenIDResult.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
368 tokenIdList.emplace(tokenId);
369 }
370 return RET_SUCCESS;
371 }
372
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfo & info)373 int AccessTokenInfoManager::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& info)
374 {
375 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
376 if (infoPtr == nullptr) {
377 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", tokenID);
378 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
379 }
380 infoPtr->TranslateToHapTokenInfo(info);
381 return RET_SUCCESS;
382 }
383
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfoBase & info)384 int AccessTokenInfoManager::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfoBase& info)
385 {
386 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
387 auto iter = nativeTokenInfoMap_.find(tokenID);
388 if (iter == nativeTokenInfoMap_.end()) {
389 LOGE(ATM_DOMAIN, ATM_TAG, "Id %{public}u is not exist.", tokenID);
390 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
391 }
392 info.apl = iter->second.apl;
393 info.processName = iter->second.processName;
394 return RET_SUCCESS;
395 }
396
RemoveHapTokenInfo(AccessTokenID id)397 int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id)
398 {
399 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id);
400 if (type != TOKEN_HAP) {
401 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is not hap.", id);
402 return ERR_PARAM_INVALID;
403 }
404 std::shared_ptr<HapTokenInfoInner> info;
405 {
406 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
407 // remove hap to kernel
408 PermissionManager::GetInstance().RemovePermFromKernel(id);
409 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
410
411 if (hapTokenInfoMap_.count(id) == 0) {
412 LOGE(ATM_DOMAIN, ATM_TAG, "Hap token %{public}u no exist.", id);
413 return ERR_TOKENID_NOT_EXIST;
414 }
415
416 info = hapTokenInfoMap_[id];
417 if (info == nullptr) {
418 LOGE(ATM_DOMAIN, ATM_TAG, "Hap token %{public}u is null.", id);
419 return ERR_TOKEN_INVALID;
420 }
421 if (info->IsRemote()) {
422 LOGE(ATM_DOMAIN, ATM_TAG, "Remote hap token %{public}u can not delete.", id);
423 return ERR_IDENTITY_CHECK_FAILED;
424 }
425 std::string HapUniqueKey = GetHapUniqueStr(info);
426 auto iter = hapTokenIdMap_.find(HapUniqueKey);
427 if ((iter != hapTokenIdMap_.end()) && (iter->second == id)) {
428 hapTokenIdMap_.erase(HapUniqueKey);
429 }
430 hapTokenInfoMap_.erase(id);
431 }
432 RemoveHapTokenInfoFromDb(info);
433
434 LOGI(ATM_DOMAIN, ATM_TAG, "Remove hap token %{public}u ok!", id);
435 PermissionStateNotify(info, id);
436 #ifdef TOKEN_SYNC_ENABLE
437 TokenModifyNotifier::GetInstance().NotifyTokenDelete(id);
438 #endif
439
440 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "DEL_HAP", HiviewDFX::HiSysEvent::EventType::STATISTIC,
441 "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(),
442 "INSTINDEX", info->GetInstIndex());
443
444 return RET_SUCCESS;
445 }
446
RemoveNativeTokenInfo(AccessTokenID id)447 int AccessTokenInfoManager::RemoveNativeTokenInfo(AccessTokenID id)
448 {
449 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id);
450 if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) {
451 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is not native or shell.", id);
452 return ERR_PARAM_INVALID;
453 }
454
455 {
456 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
457 if (nativeTokenInfoMap_.count(id) == 0) {
458 LOGE(ATM_DOMAIN, ATM_TAG, "Native token %{public}u is null.", id);
459 return ERR_TOKENID_NOT_EXIST;
460 }
461
462 nativeTokenInfoMap_.erase(id);
463 }
464 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
465 LOGI(ATM_DOMAIN, ATM_TAG, "Remove native token %{public}u ok!", id);
466
467 // remove native to kernel
468 PermissionManager::GetInstance().RemovePermFromKernel(id);
469 return RET_SUCCESS;
470 }
471
CheckHapInfoParam(const HapInfoParams & info,const HapPolicy & policy)472 int32_t AccessTokenInfoManager::CheckHapInfoParam(const HapInfoParams& info, const HapPolicy& policy)
473 {
474 if ((!DataValidator::IsUserIdValid(info.userID)) || (!DataValidator::IsBundleNameValid(info.bundleName)) ||
475 (!DataValidator::IsAppIDDescValid(info.appIDDesc)) || (!DataValidator::IsDomainValid(policy.domain)) ||
476 (!DataValidator::IsDlpTypeValid(info.dlpType)) || (info.isRestore && info.tokenID == INVALID_TOKENID) ||
477 !DataValidator::IsAclExtendedMapSizeValid(policy.aclExtendedMap)) {
478 LOGE(ATM_DOMAIN, ATM_TAG, "Hap token param failed");
479 return AccessTokenError::ERR_PARAM_INVALID;
480 }
481
482 for (const auto& extendValue : policy.aclExtendedMap) {
483 if (!IsDefinedPermission(extendValue.first)) {
484 continue;
485 }
486 if (!DataValidator::IsAclExtendedMapContentValid(extendValue.first, extendValue.second)) {
487 LOGE(ATM_DOMAIN, ATM_TAG, "acl extended content is unvalid.");
488 return AccessTokenError::ERR_PARAM_INVALID;
489 }
490 }
491 return ERR_OK;
492 }
493
CreateHapTokenInfo(const HapInfoParams & info,const HapPolicy & policy,AccessTokenIDEx & tokenIdEx)494 int AccessTokenInfoManager::CreateHapTokenInfo(
495 const HapInfoParams& info, const HapPolicy& policy, AccessTokenIDEx& tokenIdEx)
496 {
497 if (CheckHapInfoParam(info, policy) != ERR_OK) {
498 return AccessTokenError::ERR_PARAM_INVALID;
499 }
500 AccessTokenID tokenId = info.tokenID;
501 if (info.isRestore) {
502 LOGI(ATM_DOMAIN, ATM_TAG, "isRestore is true, tokenId is %{public}u", tokenId);
503 int32_t res = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_HAP);
504 if (res != RET_SUCCESS) {
505 LOGE(ATM_DOMAIN, ATM_TAG, "Token Id register failed, res is %{public}d", res);
506 return res;
507 }
508 } else {
509 int32_t dlpFlag = (info.dlpType > DLP_COMMON) ? 1 : 0;
510 int32_t cloneFlag = ((dlpFlag == 0) && (info.instIndex) > 0) ? 1 : 0;
511 tokenId = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(TOKEN_HAP, dlpFlag, cloneFlag);
512 if (tokenId == 0) {
513 LOGE(ATM_DOMAIN, ATM_TAG, "Token Id create failed");
514 return ERR_TOKENID_CREATE_FAILED;
515 }
516 }
517
518 #ifdef SUPPORT_SANDBOX_APP
519 std::shared_ptr<HapTokenInfoInner> tokenInfo;
520 HapPolicy policyNew = policy;
521 if (info.dlpType != DLP_COMMON) {
522 DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo(info.dlpType, policyNew.permStateList);
523 }
524 tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policyNew);
525 #else
526 std::shared_ptr<HapTokenInfoInner> tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policy);
527 #endif
528 AddHapTokenInfoToDb(tokenInfo, info.appIDDesc, policy, false);
529 int ret = AddHapTokenInfo(tokenInfo);
530 if (ret != RET_SUCCESS) {
531 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s add token info failed", info.bundleName.c_str());
532 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
533 RemoveHapTokenInfoFromDb(tokenInfo);
534 return ret;
535 }
536 LOGI(ATM_DOMAIN, ATM_TAG,
537 "Create hap token %{public}u bundleName %{public}s user %{public}d inst %{public}d isRestore %{public}d ok",
538 tokenId, tokenInfo->GetBundleName().c_str(), tokenInfo->GetUserID(), tokenInfo->GetInstIndex(), info.isRestore);
539 AllocAccessTokenIDEx(info, tokenId, tokenIdEx);
540 return RET_SUCCESS;
541 }
542
AllocAccessTokenIDEx(const HapInfoParams & info,AccessTokenID tokenId,AccessTokenIDEx & tokenIdEx)543 int AccessTokenInfoManager::AllocAccessTokenIDEx(
544 const HapInfoParams& info, AccessTokenID tokenId, AccessTokenIDEx& tokenIdEx)
545 {
546 tokenIdEx.tokenIdExStruct.tokenID = tokenId;
547 if (info.isSystemApp) {
548 tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
549 }
550 return RET_SUCCESS;
551 }
552
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)553 AccessTokenIDEx AccessTokenInfoManager::GetHapTokenID(int32_t userID, const std::string& bundleName, int32_t instIndex)
554 {
555 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
556 std::string HapUniqueKey = GetHapUniqueStr(userID, bundleName, instIndex);
557 AccessTokenIDEx tokenIdEx = {0};
558 auto iter = hapTokenIdMap_.find(HapUniqueKey);
559 if (iter != hapTokenIdMap_.end()) {
560 AccessTokenID tokenId = iter->second;
561 auto infoIter = hapTokenInfoMap_.find(tokenId);
562 if (infoIter != hapTokenInfoMap_.end()) {
563 if (infoIter->second == nullptr) {
564 LOGE(ATM_DOMAIN, ATM_TAG, "HapTokenInfoInner is nullptr");
565 return tokenIdEx;
566 }
567 HapTokenInfo info = infoIter->second->GetHapInfoBasic();
568 tokenIdEx.tokenIdExStruct.tokenID = info.tokenID;
569 tokenIdEx.tokenIdExStruct.tokenAttr = info.tokenAttr;
570 }
571 }
572 return tokenIdEx;
573 }
574
GetNativePermissionList(const NativeTokenInfoBase & native,std::vector<uint32_t> & opCodeList,std::vector<bool> & statusList)575 void AccessTokenInfoManager::GetNativePermissionList(const NativeTokenInfoBase& native,
576 std::vector<uint32_t>& opCodeList, std::vector<bool>& statusList)
577 {
578 // need to process aclList
579 for (const auto& state : native.permStateList) {
580 uint32_t code;
581 // add IsPermissionReqValid to filter invalid permission
582 if (TransferPermissionToOpcode(state.permissionName, code)) {
583 opCodeList.emplace_back(code);
584 statusList.emplace_back(state.grantStatus == PERMISSION_GRANTED);
585 }
586 }
587 }
588
InitNativeTokenInfos(const std::vector<NativeTokenInfoBase> & tokenInfos)589 void AccessTokenInfoManager::InitNativeTokenInfos(const std::vector<NativeTokenInfoBase>& tokenInfos)
590 {
591 for (const auto& info: tokenInfos) {
592 AccessTokenID tokenId = info.tokenID;
593 std::string process = info.processName;
594 // add tokenId to cache
595 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenId);
596 int32_t res = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, type);
597 if (res != RET_SUCCESS && res != ERR_TOKENID_HAS_EXISTED) {
598 LOGE(ATM_DOMAIN, ATM_TAG, "Token id register fail, res is %{public}d.", res);
599 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR,
600 "RegisterTokenId fail, " + process + std::to_string(tokenId), res);
601 continue;
602 }
603 std::vector<uint32_t> opCodeList;
604 std::vector<bool> statusList;
605 GetNativePermissionList(info, opCodeList, statusList);
606 // add native token info to cache
607 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
608 NativeTokenInfoCache cache;
609 cache.processName = process;
610 cache.apl = static_cast<ATokenAplEnum>(info.apl);
611 cache.opCodeList = opCodeList;
612 cache.statusList = statusList;
613
614 nativeTokenInfoMap_[tokenId] = cache;
615 PermissionManager::GetInstance().AddNativePermToKernel(tokenId, cache.opCodeList, cache.statusList);
616 LOGI(ATM_DOMAIN, ATM_TAG,
617 "Init native token %{public}u process name %{public}s, permSize %{public}zu ok!",
618 tokenId, process.c_str(), info.permStateList.size());
619 }
620 }
621
UpdateHapToken(AccessTokenIDEx & tokenIdEx,const UpdateHapInfoParams & info,const std::vector<PermissionStatus> & permStateList,const HapPolicy & hapPolicy)622 int32_t AccessTokenInfoManager::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info,
623 const std::vector<PermissionStatus>& permStateList, const HapPolicy& hapPolicy)
624 {
625 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
626 if (!DataValidator::IsAppIDDescValid(info.appIDDesc)) {
627 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u parm format error!", tokenID);
628 return AccessTokenError::ERR_PARAM_INVALID;
629 }
630 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
631 if (infoPtr == nullptr) {
632 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid, can not update!", tokenID);
633 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
634 }
635
636 if (infoPtr->IsRemote()) {
637 LOGE(ATM_DOMAIN, ATM_TAG, "Remote hap token %{public}u can not update!", tokenID);
638 return ERR_IDENTITY_CHECK_FAILED;
639 }
640 if (info.isSystemApp) {
641 tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
642 } else {
643 tokenIdEx.tokenIdExStruct.tokenAttr &= ~SYSTEM_APP_FLAG;
644 }
645 {
646 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
647 infoPtr->Update(info, permStateList, hapPolicy);
648 }
649
650 int32_t ret = AddHapTokenInfoToDb(infoPtr, info.appIDDesc, hapPolicy, true);
651 if (ret != RET_SUCCESS) {
652 return ret;
653 }
654 LOGI(ATM_DOMAIN, ATM_TAG, "Token %{public}u bundle name %{public}s user %{public}d \
655 inst %{public}d tokenAttr %{public}d update ok!", tokenID, infoPtr->GetBundleName().c_str(),
656 infoPtr->GetUserID(), infoPtr->GetInstIndex(), infoPtr->GetHapInfoBasic().tokenAttr);
657 // DFX
658 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_HAP",
659 HiviewDFX::HiSysEvent::EventType::STATISTIC, "TOKENID", tokenID, "USERID",
660 infoPtr->GetUserID(), "BUNDLENAME", infoPtr->GetBundleName(), "INSTINDEX", infoPtr->GetInstIndex());
661
662 #ifdef TOKEN_SYNC_ENABLE
663 TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID);
664 #endif
665 // update hap to kernel
666 UpdateHapToKernel(tokenID, infoPtr->GetUserID());
667 return RET_SUCCESS;
668 }
669
UpdateHapToKernel(AccessTokenID tokenID,int32_t userId)670 void AccessTokenInfoManager::UpdateHapToKernel(AccessTokenID tokenID, int32_t userId)
671 {
672 {
673 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
674 if (!permPolicyList_.empty() &&
675 (std::find(inactiveUserList_.begin(), inactiveUserList_.end(), userId) != inactiveUserList_.end())) {
676 LOGI(ATM_DOMAIN, ATM_TAG, "Execute user policy.");
677 PermissionManager::GetInstance().AddHapPermToKernel(tokenID, permPolicyList_);
678 return;
679 }
680 }
681 PermissionManager::GetInstance().AddHapPermToKernel(tokenID, std::vector<std::string>());
682 }
683
684 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenSync(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)685 int AccessTokenInfoManager::GetHapTokenSync(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)
686 {
687 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
688 if (infoPtr == nullptr || infoPtr->IsRemote()) {
689 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", tokenID);
690 return ERR_IDENTITY_CHECK_FAILED;
691 }
692 hapSync.baseInfo = infoPtr->GetHapInfoBasic();
693 return infoPtr->GetPermissionStateList(hapSync.permStateList);
694 }
695
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)696 int AccessTokenInfoManager::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
697 HapTokenInfoForSync& hapSync)
698 {
699 int ret = GetHapTokenSync(tokenID, hapSync);
700 TokenModifyNotifier::GetInstance().AddHapTokenObservation(tokenID);
701 return ret;
702 }
703
UpdateRemoteHapTokenInfo(AccessTokenID mapID,HapTokenInfoForSync & hapSync)704 int AccessTokenInfoManager::UpdateRemoteHapTokenInfo(AccessTokenID mapID, HapTokenInfoForSync& hapSync)
705 {
706 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(mapID);
707 if (infoPtr == nullptr || !infoPtr->IsRemote()) {
708 LOGI(ATM_DOMAIN, ATM_TAG, "Token %{public}u is null or not remote, can not update!", mapID);
709 return ERR_IDENTITY_CHECK_FAILED;
710 }
711 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
712 infoPtr->UpdateRemoteHapTokenInfo(mapID, hapSync.baseInfo, hapSync.permStateList);
713 // update remote hap to kernel
714 PermissionManager::GetInstance().AddHapPermToKernel(mapID, std::vector<std::string>());
715 return RET_SUCCESS;
716 }
717
CreateRemoteHapTokenInfo(AccessTokenID mapID,HapTokenInfoForSync & hapSync)718 int AccessTokenInfoManager::CreateRemoteHapTokenInfo(AccessTokenID mapID, HapTokenInfoForSync& hapSync)
719 {
720 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>(mapID, hapSync);
721 hap->SetRemote(true);
722
723 int ret = AddHapTokenInfo(hap);
724 if (ret != RET_SUCCESS) {
725 LOGE(ATM_DOMAIN, ATM_TAG, "Add local token failed.");
726 return ret;
727 }
728
729 return RET_SUCCESS;
730 }
731
IsRemoteHapTokenValid(const std::string & deviceID,const HapTokenInfoForSync & hapSync)732 bool AccessTokenInfoManager::IsRemoteHapTokenValid(const std::string& deviceID, const HapTokenInfoForSync& hapSync)
733 {
734 std::string errReason;
735 if (!DataValidator::IsDeviceIdValid(deviceID)) {
736 errReason = "respond deviceID error";
737 } else if (!DataValidator::IsUserIdValid(hapSync.baseInfo.userID)) {
738 errReason = "respond userID error";
739 } else if (!DataValidator::IsBundleNameValid(hapSync.baseInfo.bundleName)) {
740 errReason = "respond bundleName error";
741 } else if (!DataValidator::IsTokenIDValid(hapSync.baseInfo.tokenID)) {
742 errReason = "respond tokenID error";
743 } else if (!DataValidator::IsDlpTypeValid(hapSync.baseInfo.dlpType)) {
744 errReason = "respond dlpType error";
745 } else if (hapSync.baseInfo.ver != DEFAULT_TOKEN_VERSION) {
746 errReason = "respond version error";
747 } else if (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(hapSync.baseInfo.tokenID) != TOKEN_HAP) {
748 errReason = "respond token type error";
749 } else {
750 return true;
751 }
752
753 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
754 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_RESPONSE_ERROR,
755 "REMOTE_ID", ConstantCommon::EncryptDevId(deviceID), "ERROR_REASON", errReason);
756 return false;
757 }
758
SetRemoteHapTokenInfo(const std::string & deviceID,HapTokenInfoForSync & hapSync)759 int AccessTokenInfoManager::SetRemoteHapTokenInfo(const std::string& deviceID, HapTokenInfoForSync& hapSync)
760 {
761 if (!IsRemoteHapTokenValid(deviceID, hapSync)) {
762 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str());
763 return ERR_IDENTITY_CHECK_FAILED;
764 }
765
766 AccessTokenID remoteID = hapSync.baseInfo.tokenID;
767 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, remoteID);
768 if (mapID != 0) {
769 LOGI(ATM_DOMAIN, ATM_TAG, "Device %{public}s token %{public}u update exist remote hap token %{public}u.",
770 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
771 // update remote token mapping id
772 hapSync.baseInfo.tokenID = mapID;
773 return UpdateRemoteHapTokenInfo(mapID, hapSync);
774 }
775
776 mapID = AccessTokenRemoteTokenManager::GetInstance().MapRemoteDeviceTokenToLocal(deviceID, remoteID);
777 if (mapID == 0) {
778 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s token %{public}u map failed.",
779 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID);
780 return ERR_TOKEN_MAP_FAILED;
781 }
782
783 // update remote token mapping id
784 hapSync.baseInfo.tokenID = mapID;
785 int ret = CreateRemoteHapTokenInfo(mapID, hapSync);
786 if (ret != RET_SUCCESS) {
787 int result = AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, mapID);
788 if (result != RET_SUCCESS) {
789 LOGE(ATM_DOMAIN, ATM_TAG, "remove device map token id failed");
790 }
791 LOGI(ATM_DOMAIN, ATM_TAG, "Device %{public}s token %{public}u map to local token %{public}u failed.",
792 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
793 return ret;
794 }
795 LOGI(ATM_DOMAIN, ATM_TAG, "Device %{public}s token %{public}u map to local token %{public}u success.",
796 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
797 return RET_SUCCESS;
798 }
799
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)800 int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
801 {
802 if (!DataValidator::IsDeviceIdValid(deviceID)) {
803 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s parms invalid.",
804 ConstantCommon::EncryptDevId(deviceID).c_str());
805 return AccessTokenError::ERR_PARAM_INVALID;
806 }
807 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, tokenID);
808 if (mapID == 0) {
809 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s tokenId %{public}u is not mapped.",
810 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
811 return ERR_TOKEN_MAP_FAILED;
812 }
813
814 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(mapID);
815 if (type == TOKEN_HAP) {
816 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
817 if (hapTokenInfoMap_.count(mapID) == 0) {
818 LOGE(ATM_DOMAIN, ATM_TAG, "Hap token %{public}u no exist.", mapID);
819 return ERR_TOKEN_INVALID;
820 }
821 hapTokenInfoMap_.erase(mapID);
822 } else if ((type == TOKEN_NATIVE) || (type == TOKEN_SHELL)) {
823 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
824 if (nativeTokenInfoMap_.count(mapID) == 0) {
825 LOGE(ATM_DOMAIN, ATM_TAG, "Native token %{public}u is null.", mapID);
826 return ERR_TOKEN_INVALID;
827 }
828 nativeTokenInfoMap_.erase(mapID);
829 } else {
830 LOGE(ATM_DOMAIN, ATM_TAG, "Mapping tokenId %{public}u type is unknown.", mapID);
831 }
832
833 return AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, tokenID);
834 }
835
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)836 AccessTokenID AccessTokenInfoManager::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)
837 {
838 if ((!DataValidator::IsDeviceIdValid(deviceID)) || (tokenID == 0) ||
839 ((AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) &&
840 (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_SHELL))) {
841 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s parms invalid.",
842 ConstantCommon::EncryptDevId(deviceID).c_str());
843 return 0;
844 }
845 return AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, tokenID);
846 }
847
DeleteRemoteDeviceTokens(const std::string & deviceID)848 int AccessTokenInfoManager::DeleteRemoteDeviceTokens(const std::string& deviceID)
849 {
850 if (!DataValidator::IsDeviceIdValid(deviceID)) {
851 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s parms invalid.",
852 ConstantCommon::EncryptDevId(deviceID).c_str());
853 return AccessTokenError::ERR_PARAM_INVALID;
854 }
855 std::vector<AccessTokenID> remoteTokens;
856 int ret = AccessTokenRemoteTokenManager::GetInstance().GetDeviceAllRemoteTokenID(deviceID, remoteTokens);
857 if (ret != RET_SUCCESS) {
858 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s have no remote token.",
859 ConstantCommon::EncryptDevId(deviceID).c_str());
860 return ret;
861 }
862 for (AccessTokenID remoteID : remoteTokens) {
863 ret = DeleteRemoteToken(deviceID, remoteID);
864 if (ret != RET_SUCCESS) {
865 LOGE(ATM_DOMAIN, ATM_TAG, "delete remote token failed! deviceId=%{public}s, remoteId=%{public}d.", \
866 deviceID.c_str(), remoteID);
867 }
868 }
869 return ret;
870 }
871
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)872 AccessTokenID AccessTokenInfoManager::AllocLocalTokenID(const std::string& remoteDeviceID,
873 AccessTokenID remoteTokenID)
874 {
875 if (!DataValidator::IsDeviceIdValid(remoteDeviceID)) {
876 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s parms invalid.",
877 ConstantCommon::EncryptDevId(remoteDeviceID).c_str());
878 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
879 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_CALL_ERROR,
880 "REMOTE_ID", ConstantCommon::EncryptDevId(remoteDeviceID), "ERROR_REASON", "deviceID error");
881 return 0;
882 }
883 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
884 int result = SetFirstCallerTokenID(fullTokenId); // for debug
885 LOGI(ATM_DOMAIN, ATM_TAG, "Set first caller %{public}" PRIu64 "., ret is %{public}d", fullTokenId, result);
886
887 std::string remoteUdid;
888 DistributedHardware::DeviceManager::GetInstance().GetUdidByNetworkId(ACCESS_TOKEN_PACKAGE_NAME, remoteDeviceID,
889 remoteUdid);
890 LOGI(ATM_DOMAIN, ATM_TAG, "Device %{public}s remoteUdid.", ConstantCommon::EncryptDevId(remoteUdid).c_str());
891 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(remoteUdid,
892 remoteTokenID);
893 if (mapID != 0) {
894 return mapID;
895 }
896 int ret = TokenModifyNotifier::GetInstance().GetRemoteHapTokenInfo(remoteUdid, remoteTokenID);
897 if (ret != RET_SUCCESS) {
898 LOGE(ATM_DOMAIN, ATM_TAG, "Device %{public}s token %{public}u sync failed",
899 ConstantCommon::EncryptDevId(remoteUdid).c_str(), remoteTokenID);
900 std::string errorReason = "token sync call error, error number is " + std::to_string(ret);
901 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
902 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_CALL_ERROR,
903 "REMOTE_ID", ConstantCommon::EncryptDevId(remoteDeviceID), "ERROR_REASON", errorReason);
904 return 0;
905 }
906
907 return AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(remoteUdid, remoteTokenID);
908 }
909 #else
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)910 AccessTokenID AccessTokenInfoManager::AllocLocalTokenID(const std::string& remoteDeviceID,
911 AccessTokenID remoteTokenID)
912 {
913 LOGE(ATM_DOMAIN, ATM_TAG, "Tokensync is disable, check dependent components");
914 return 0;
915 }
916 #endif
917
GetInstance()918 AccessTokenInfoManager& AccessTokenInfoManager::GetInstance()
919 {
920 static AccessTokenInfoManager* instance = nullptr;
921 if (instance == nullptr) {
922 std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
923 if (instance == nullptr) {
924 AccessTokenInfoManager* tmp = new AccessTokenInfoManager();
925 instance = std::move(tmp);
926 }
927 }
928 return *instance;
929 }
930
GeneratePermExtendValues(AccessTokenID tokenID,const std::vector<PermissionWithValue> kernelPermList,std::vector<GenericValues> & permExtendValues)931 static void GeneratePermExtendValues(AccessTokenID tokenID, const std::vector<PermissionWithValue> kernelPermList,
932 std::vector<GenericValues>& permExtendValues)
933 {
934 for (auto& extendValue : kernelPermList) {
935 GenericValues genericValues;
936 genericValues.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
937 genericValues.Put(TokenFiledConst::FIELD_PERMISSION_NAME, extendValue.permissionName);
938 genericValues.Put(TokenFiledConst::FIELD_VALUE, extendValue.value);
939 permExtendValues.emplace_back(genericValues);
940 }
941 }
942
GetUserGrantPermFromDef(const std::vector<PermissionDef> & permList,AccessTokenID tokenID,std::vector<GenericValues> & permDefValues)943 static void GetUserGrantPermFromDef(const std::vector<PermissionDef>& permList, AccessTokenID tokenID,
944 std::vector<GenericValues>& permDefValues)
945 {
946 for (const auto& def : permList) {
947 GenericValues value;
948 value.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
949 DataTranslator::TranslationIntoGenericValues(def, value);
950 permDefValues.emplace_back(value);
951 }
952 }
953
AddHapTokenInfoToDb(const std::shared_ptr<HapTokenInfoInner> & hapInfo,const std::string & appId,const HapPolicy & policy,bool isUpdate)954 int AccessTokenInfoManager::AddHapTokenInfoToDb(const std::shared_ptr<HapTokenInfoInner>& hapInfo,
955 const std::string& appId, const HapPolicy& policy, bool isUpdate)
956 {
957 if (hapInfo == nullptr) {
958 LOGE(ATM_DOMAIN, ATM_TAG, "Token info is null!");
959 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
960 }
961 if (hapInfo->IsRemote()) {
962 LOGE(ATM_DOMAIN, ATM_TAG, "It is a remote hap!");
963 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
964 }
965 AccessTokenID tokenID = hapInfo->GetTokenID();
966 bool isSystemRes = IsSystemResource(hapInfo->GetBundleName());
967
968 std::vector<GenericValues> hapInfoValues; // get new hap token info from cache
969 hapInfo->StoreHapInfo(hapInfoValues, appId, policy.apl);
970
971 std::vector<GenericValues> permStateValues; // get new permission status from cache if exist
972 hapInfo->StorePermissionPolicy(permStateValues);
973
974 std::vector<GenericValues> permExtendValues; // get new extend permission value
975 std::vector<PermissionWithValue> extendedPermList;
976 PermissionDataBrief::GetInstance().GetExetendedValueList(tokenID, extendedPermList);
977
978 GeneratePermExtendValues(tokenID, extendedPermList, permExtendValues);
979
980 std::vector<AtmDataType> addDataTypes;
981 addDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_HAP_INFO);
982 addDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_PERMISSION_STATE);
983 addDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_PERMISSION_EXTEND_VALUE);
984
985 std::vector<std::vector<GenericValues>> addValues;
986 addValues.emplace_back(hapInfoValues);
987 addValues.emplace_back(permStateValues);
988 addValues.emplace_back(permExtendValues);
989
990 if (isSystemRes) {
991 std::vector<GenericValues> permDefValues;
992 GetUserGrantPermFromDef(policy.permList, tokenID, permDefValues);
993 addDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_PERMISSION_DEF);
994 addValues.emplace_back(permDefValues);
995 }
996
997 std::vector<AtmDataType> delDataTypes;
998 std::vector<GenericValues> deleteValues;
999
1000 if (isUpdate) { // udapte: delete and add; otherwise add only
1001 delDataTypes.assign(addDataTypes.begin(), addDataTypes.end());
1002 GenericValues conditionValue;
1003 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1004 deleteValues.emplace_back(conditionValue);
1005 deleteValues.emplace_back(conditionValue);
1006 deleteValues.emplace_back(conditionValue);
1007 if (isSystemRes) {
1008 deleteValues.emplace_back(conditionValue);
1009 }
1010 }
1011
1012 return AccessTokenDb::GetInstance().DeleteAndInsertValues(delDataTypes, deleteValues, addDataTypes, addValues);
1013 }
1014
RemoveHapTokenInfoFromDb(const std::shared_ptr<HapTokenInfoInner> & info)1015 int AccessTokenInfoManager::RemoveHapTokenInfoFromDb(const std::shared_ptr<HapTokenInfoInner>& info)
1016 {
1017 AccessTokenID tokenID = info->GetTokenID();
1018 GenericValues condition;
1019 condition.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1020
1021 std::vector<AtmDataType> deleteDataTypes;
1022 deleteDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_HAP_INFO);
1023 deleteDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_PERMISSION_STATE);
1024 deleteDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_PERMISSION_EXTEND_VALUE);
1025
1026 std::vector<GenericValues> deleteValues;
1027 deleteValues.emplace_back(condition);
1028 deleteValues.emplace_back(condition);
1029 deleteValues.emplace_back(condition);
1030
1031 if (IsSystemResource(info->GetBundleName())) {
1032 deleteDataTypes.emplace_back(AtmDataType::ACCESSTOKEN_PERMISSION_DEF);
1033 deleteValues.emplace_back(condition);
1034 }
1035
1036 std::vector<AtmDataType> addDataTypes;
1037 std::vector<std::vector<GenericValues>> addValues;
1038 int32_t ret = AccessTokenDb::GetInstance().DeleteAndInsertValues(deleteDataTypes, deleteValues, addDataTypes,
1039 addValues);
1040 if (ret != RET_SUCCESS) {
1041 LOGE(ATM_DOMAIN, ATM_TAG, "Id %{public}d DeleteAndInsertHap failed, ret %{public}d.", tokenID, ret);
1042 return ret;
1043 }
1044 return RET_SUCCESS;
1045 }
1046
PermissionStateNotify(const std::shared_ptr<HapTokenInfoInner> & info,AccessTokenID id)1047 void AccessTokenInfoManager::PermissionStateNotify(const std::shared_ptr<HapTokenInfoInner>& info, AccessTokenID id)
1048 {
1049 std::vector<std::string> permissionList;
1050 int32_t userId = info->GetUserID();
1051 {
1052 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
1053 if (!permPolicyList_.empty() &&
1054 (std::find(inactiveUserList_.begin(), inactiveUserList_.end(), userId) != inactiveUserList_.end())) {
1055 LOGI(ATM_DOMAIN, ATM_TAG, "Execute user policy.");
1056 HapTokenInfoInner::GetGrantedPermByTokenId(id, permPolicyList_, permissionList);
1057 } else {
1058 std::vector<std::string> emptyList;
1059 HapTokenInfoInner::GetGrantedPermByTokenId(id, emptyList, permissionList);
1060 }
1061 }
1062 if (permissionList.size() != 0) {
1063 PermissionManager::GetInstance().ParamUpdate(permissionList[0], 0, true);
1064 }
1065 for (const auto& permissionName : permissionList) {
1066 CallbackManager::GetInstance().ExecuteCallbackAsync(
1067 id, permissionName, PermStateChangeType::STATE_CHANGE_REVOKED);
1068 }
1069 }
1070
GetHapAppIdByTokenId(AccessTokenID tokenID,std::string & appId)1071 int32_t AccessTokenInfoManager::GetHapAppIdByTokenId(AccessTokenID tokenID, std::string& appId)
1072 {
1073 GenericValues conditionValue;
1074 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1075 std::vector<GenericValues> hapTokenResults;
1076 int32_t ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, hapTokenResults);
1077 if (ret != RET_SUCCESS) {
1078 LOGE(ATM_DOMAIN, ATM_TAG,
1079 "Failed to find Id(%{public}u) from hap_token_table, err: %{public}d.", tokenID, ret);
1080 return ret;
1081 }
1082
1083 if (hapTokenResults.empty()) {
1084 LOGE(ATM_DOMAIN, ATM_TAG, "Id(%{public}u) is not in hap_token_table.", tokenID);
1085 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
1086 }
1087 std::string result = hapTokenResults[0].GetString(TokenFiledConst::FIELD_APP_ID);
1088 if (!DataValidator::IsAppIDDescValid(result)) {
1089 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID: 0x%{public}x appID is error.", tokenID);
1090 return AccessTokenError::ERR_PARAM_INVALID;
1091 }
1092 appId = result;
1093 return RET_SUCCESS;
1094 }
1095
GetNativeTokenId(const std::string & processName)1096 AccessTokenID AccessTokenInfoManager::GetNativeTokenId(const std::string& processName)
1097 {
1098 AccessTokenID tokenID = INVALID_TOKENID;
1099 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1100 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); ++iter) {
1101 if (iter->second.processName == processName) {
1102 tokenID = iter->first;
1103 break;
1104 }
1105 }
1106 return tokenID;
1107 }
1108
DumpHapTokenInfoByTokenId(const AccessTokenID tokenId,std::string & dumpInfo)1109 void AccessTokenInfoManager::DumpHapTokenInfoByTokenId(const AccessTokenID tokenId, std::string& dumpInfo)
1110 {
1111 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(tokenId);
1112 if (type == TOKEN_HAP) {
1113 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenId);
1114 if (infoPtr != nullptr) {
1115 infoPtr->ToString(dumpInfo);
1116 }
1117 } else if (type == TOKEN_NATIVE || type == TOKEN_SHELL) {
1118 NativeTokenToString(tokenId, dumpInfo);
1119 } else {
1120 dumpInfo.append("invalid tokenId");
1121 }
1122 }
1123
DumpHapTokenInfoByBundleName(const std::string & bundleName,std::string & dumpInfo)1124 void AccessTokenInfoManager::DumpHapTokenInfoByBundleName(const std::string& bundleName, std::string& dumpInfo)
1125 {
1126 Utils::UniqueReadGuard<Utils::RWLock> hapInfoGuard(this->hapTokenInfoLock_);
1127 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1128 if (iter->second != nullptr) {
1129 if (bundleName != iter->second->GetBundleName()) {
1130 continue;
1131 }
1132
1133 iter->second->ToString(dumpInfo);
1134 dumpInfo.append("\n");
1135 }
1136 }
1137 }
1138
DumpAllHapTokenname(std::string & dumpInfo)1139 void AccessTokenInfoManager::DumpAllHapTokenname(std::string& dumpInfo)
1140 {
1141 LOGD(ATM_DOMAIN, ATM_TAG, "Get all hap token name.");
1142
1143 Utils::UniqueReadGuard<Utils::RWLock> hapInfoGuard(this->hapTokenInfoLock_);
1144 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1145 if (iter->second != nullptr) {
1146 dumpInfo += std::to_string(iter->second->GetTokenID()) + ": " + iter->second->GetBundleName();
1147 dumpInfo.append("\n");
1148 }
1149 }
1150 }
1151
DumpNativeTokenInfoByProcessName(const std::string & processName,std::string & dumpInfo)1152 void AccessTokenInfoManager::DumpNativeTokenInfoByProcessName(const std::string& processName, std::string& dumpInfo)
1153 {
1154 NativeTokenToString(GetNativeTokenId(processName), dumpInfo);
1155 }
1156
DumpAllNativeTokenName(std::string & dumpInfo)1157 void AccessTokenInfoManager::DumpAllNativeTokenName(std::string& dumpInfo)
1158 {
1159 LOGD(ATM_DOMAIN, ATM_TAG, "Get all native token name.");
1160
1161 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1162 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1163 dumpInfo += std::to_string(iter->first) + ": " + iter->second.processName;
1164 dumpInfo.append("\n");
1165 }
1166 }
1167
GetCurDumpTaskNum()1168 int32_t AccessTokenInfoManager::GetCurDumpTaskNum()
1169 {
1170 return dumpTaskNum_.load();
1171 }
1172
AddDumpTaskNum()1173 void AccessTokenInfoManager::AddDumpTaskNum()
1174 {
1175 dumpTaskNum_++;
1176 }
1177
ReduceDumpTaskNum()1178 void AccessTokenInfoManager::ReduceDumpTaskNum()
1179 {
1180 dumpTaskNum_--;
1181 }
1182
DumpToken()1183 void AccessTokenInfoManager::DumpToken()
1184 {
1185 LOGI(ATM_DOMAIN, ATM_TAG, "AccessToken Dump");
1186 int32_t fd = open(DUMP_JSON_PATH, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP);
1187 if (fd < 0) {
1188 LOGE(ATM_DOMAIN, ATM_TAG, "Open failed errno %{public}d.", errno);
1189 return;
1190 }
1191 std::string dumpStr;
1192 AtmToolsParamInfoParcel infoParcel;
1193 DumpTokenInfo(infoParcel.info, dumpStr);
1194 dprintf(fd, "%s\n", dumpStr.c_str());
1195 close(fd);
1196 }
1197
DumpTokenInfo(const AtmToolsParamInfo & info,std::string & dumpInfo)1198 void AccessTokenInfoManager::DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo)
1199 {
1200 if (info.tokenId != 0) {
1201 DumpHapTokenInfoByTokenId(info.tokenId, dumpInfo);
1202 return;
1203 }
1204
1205 if ((!info.bundleName.empty()) && (info.bundleName.length() > 0)) {
1206 DumpHapTokenInfoByBundleName(info.bundleName, dumpInfo);
1207 return;
1208 }
1209
1210 if ((!info.processName.empty()) && (info.processName.length() > 0)) {
1211 DumpNativeTokenInfoByProcessName(info.processName, dumpInfo);
1212 return;
1213 }
1214
1215 DumpAllHapTokenname(dumpInfo);
1216 DumpAllNativeTokenName(dumpInfo);
1217 }
1218
1219
ClearUserGrantedPermissionState(AccessTokenID tokenID)1220 void AccessTokenInfoManager::ClearUserGrantedPermissionState(AccessTokenID tokenID)
1221 {
1222 if (ClearUserGrantedPermission(tokenID) != RET_SUCCESS) {
1223 return;
1224 }
1225 std::vector<AccessTokenID> tokenIdList;
1226 GetRelatedSandBoxHapList(tokenID, tokenIdList);
1227 for (const auto& id : tokenIdList) {
1228 (void)ClearUserGrantedPermission(id);
1229 }
1230 // DFX
1231 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "CLEAR_USER_PERMISSION_STATE",
1232 HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "TOKENID", tokenID,
1233 "TOKENID_LEN", static_cast<uint32_t>(tokenIdList.size()));
1234 }
1235
ClearUserGrantedPermission(AccessTokenID id)1236 int32_t AccessTokenInfoManager::ClearUserGrantedPermission(AccessTokenID id)
1237 {
1238 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(id);
1239 if (infoPtr == nullptr) {
1240 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", id);
1241 return ERR_PARAM_INVALID;
1242 }
1243 if (infoPtr->IsRemote()) {
1244 LOGE(ATM_DOMAIN, ATM_TAG, "It is a remote hap token %{public}u!", id);
1245 return ERR_IDENTITY_CHECK_FAILED;
1246 }
1247 std::vector<std::string> grantedPermListBefore;
1248 std::vector<std::string> emptyList;
1249 HapTokenInfoInner::GetGrantedPermByTokenId(id, emptyList, grantedPermListBefore);
1250
1251 // reset permission.
1252 infoPtr->ResetUserGrantPermissionStatus();
1253
1254 std::vector<std::string> grantedPermListAfter;
1255 HapTokenInfoInner::GetGrantedPermByTokenId(id, emptyList, grantedPermListAfter);
1256
1257 {
1258 int32_t userId = infoPtr->GetUserID();
1259 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
1260 if (!permPolicyList_.empty() &&
1261 (std::find(inactiveUserList_.begin(), inactiveUserList_.end(), userId) != inactiveUserList_.end())) {
1262 PermissionManager::GetInstance().AddHapPermToKernel(id, permPolicyList_);
1263 PermissionManager::GetInstance().NotifyUpdatedPermList(grantedPermListBefore, grantedPermListAfter, id);
1264 return RET_SUCCESS;
1265 }
1266 }
1267 PermissionManager::GetInstance().AddHapPermToKernel(id, std::vector<std::string>());
1268 LOGI(ATM_DOMAIN, ATM_TAG,
1269 "grantedPermListBefore size %{public}zu, grantedPermListAfter size %{public}zu!",
1270 grantedPermListBefore.size(), grantedPermListAfter.size());
1271 PermissionManager::GetInstance().NotifyUpdatedPermList(grantedPermListBefore, grantedPermListAfter, id);
1272 return RET_SUCCESS;
1273 }
1274
IsPermissionRestrictedByUserPolicy(AccessTokenID id,const std::string & permissionName)1275 bool AccessTokenInfoManager::IsPermissionRestrictedByUserPolicy(AccessTokenID id, const std::string& permissionName)
1276 {
1277 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(id);
1278 if (infoPtr == nullptr) {
1279 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", id);
1280 return ERR_PARAM_INVALID;
1281 }
1282 int32_t userId = infoPtr->GetUserID();
1283 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
1284 if ((std::find(permPolicyList_.begin(), permPolicyList_.end(), permissionName) != permPolicyList_.end()) &&
1285 (std::find(inactiveUserList_.begin(), inactiveUserList_.end(), userId) != inactiveUserList_.end())) {
1286 LOGI(ATM_DOMAIN, ATM_TAG, "id %{public}u perm %{public}s.", id, permissionName.c_str());
1287 return true;
1288 }
1289 return false;
1290 }
1291
GetRelatedSandBoxHapList(AccessTokenID tokenId,std::vector<AccessTokenID> & tokenIdList)1292 void AccessTokenInfoManager::GetRelatedSandBoxHapList(AccessTokenID tokenId, std::vector<AccessTokenID>& tokenIdList)
1293 {
1294 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1295
1296 auto infoIter = hapTokenInfoMap_.find(tokenId);
1297 if (infoIter == hapTokenInfoMap_.end()) {
1298 return;
1299 }
1300 if (infoIter->second == nullptr) {
1301 LOGE(ATM_DOMAIN, ATM_TAG, "HapTokenInfoInner is nullptr.");
1302 return;
1303 }
1304 std::string bundleName = infoIter->second->GetBundleName();
1305 int32_t userID = infoIter->second->GetUserID();
1306 int32_t index = infoIter->second->GetInstIndex();
1307 int32_t dlpType = infoIter->second->GetDlpType();
1308 // the permissions of a common application whose index is not equal 0 are managed independently.
1309 if ((dlpType == DLP_COMMON) && (index != 0)) {
1310 return;
1311 }
1312
1313 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); ++iter) {
1314 if (iter->second == nullptr) {
1315 continue;
1316 }
1317 if ((bundleName == iter->second->GetBundleName()) && (userID == iter->second->GetUserID()) &&
1318 (tokenId != iter->second->GetTokenID())) {
1319 if ((iter->second->GetDlpType() == DLP_COMMON) && (iter->second->GetInstIndex() != 0)) {
1320 continue;
1321 }
1322 tokenIdList.emplace_back(iter->second->GetTokenID());
1323 }
1324 }
1325 }
1326
SetPermDialogCap(AccessTokenID tokenID,bool enable)1327 int32_t AccessTokenInfoManager::SetPermDialogCap(AccessTokenID tokenID, bool enable)
1328 {
1329 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1330 auto infoIter = hapTokenInfoMap_.find(tokenID);
1331 if ((infoIter == hapTokenInfoMap_.end()) || (infoIter->second == nullptr)) {
1332 LOGE(ATM_DOMAIN, ATM_TAG, "HapTokenInfoInner is nullptr.");
1333 return ERR_TOKENID_NOT_EXIST;
1334 }
1335 infoIter->second->SetPermDialogForbidden(enable);
1336
1337 if (!UpdateCapStateToDatabase(tokenID, enable)) {
1338 return RET_FAILED;
1339 }
1340
1341 return RET_SUCCESS;
1342 }
1343
ParseUserPolicyInfo(const std::vector<UserState> & userList,const std::vector<std::string> & permList,std::map<int32_t,bool> & changedUserList)1344 int32_t AccessTokenInfoManager::ParseUserPolicyInfo(const std::vector<UserState>& userList,
1345 const std::vector<std::string>& permList, std::map<int32_t, bool>& changedUserList)
1346 {
1347 if (!permPolicyList_.empty()) {
1348 LOGE(ATM_DOMAIN, ATM_TAG, "UserPolicy has been initialized.");
1349 return ERR_USER_POLICY_INITIALIZED;
1350 }
1351 for (const auto &permission : permList) {
1352 if (std::find(permPolicyList_.begin(), permPolicyList_.end(), permission) == permPolicyList_.end()) {
1353 permPolicyList_.emplace_back(permission);
1354 }
1355 }
1356
1357 if (permPolicyList_.empty()) {
1358 LOGE(ATM_DOMAIN, ATM_TAG, "permList is invalid.");
1359 return ERR_PARAM_INVALID;
1360 }
1361 for (const auto &userInfo : userList) {
1362 if (userInfo.userId < 0) {
1363 LOGW(ATM_DOMAIN, ATM_TAG, "userId %{public}d is invalid.", userInfo.userId);
1364 continue;
1365 }
1366 if (userInfo.isActive) {
1367 LOGI(ATM_DOMAIN, ATM_TAG, "userid %{public}d is active.", userInfo.userId);
1368 continue;
1369 }
1370 inactiveUserList_.emplace_back(userInfo.userId);
1371 changedUserList[userInfo.userId] = false;
1372 }
1373
1374 return RET_SUCCESS;
1375 }
1376
ParseUserPolicyInfo(const std::vector<UserState> & userList,std::map<int32_t,bool> & changedUserList)1377 int32_t AccessTokenInfoManager::ParseUserPolicyInfo(const std::vector<UserState>& userList,
1378 std::map<int32_t, bool>& changedUserList)
1379 {
1380 if (permPolicyList_.empty()) {
1381 LOGE(ATM_DOMAIN, ATM_TAG, "UserPolicy has been initialized.");
1382 return ERR_USER_POLICY_NOT_INITIALIZED;
1383 }
1384 for (const auto &userInfo : userList) {
1385 if (userInfo.userId < 0) {
1386 LOGW(ATM_DOMAIN, ATM_TAG, "UserId %{public}d is invalid.", userInfo.userId);
1387 continue;
1388 }
1389 auto iter = std::find(inactiveUserList_.begin(), inactiveUserList_.end(), userInfo.userId);
1390 // the userid is changed to foreground
1391 if ((iter != inactiveUserList_.end() && userInfo.isActive)) {
1392 inactiveUserList_.erase(iter);
1393 changedUserList[userInfo.userId] = userInfo.isActive;
1394 }
1395 // the userid is changed to background
1396 if ((iter == inactiveUserList_.end() && !userInfo.isActive)) {
1397 changedUserList[userInfo.userId] = userInfo.isActive;
1398 inactiveUserList_.emplace_back(userInfo.userId);
1399 }
1400 }
1401 return RET_SUCCESS;
1402 }
1403
GetGoalHapList(std::map<AccessTokenID,bool> & tokenIdList,std::map<int32_t,bool> & changedUserList)1404 void AccessTokenInfoManager::GetGoalHapList(std::map<AccessTokenID, bool>& tokenIdList,
1405 std::map<int32_t, bool>& changedUserList)
1406 {
1407 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1408 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); ++iter) {
1409 AccessTokenID tokenId = iter->first;
1410 std::shared_ptr<HapTokenInfoInner> infoPtr = iter->second;
1411 if (infoPtr == nullptr) {
1412 LOGE(ATM_DOMAIN, ATM_TAG, "TokenId infoPtr is null.");
1413 continue;
1414 }
1415 auto userInfo = changedUserList.find(infoPtr->GetUserID());
1416 if (userInfo != changedUserList.end()) {
1417 // Record the policy status of hap (active or not).
1418 tokenIdList[tokenId] = userInfo->second;
1419 }
1420 }
1421 return;
1422 }
1423
UpdatePermissionStateToKernel(const std::map<AccessTokenID,bool> & tokenIdList)1424 int32_t AccessTokenInfoManager::UpdatePermissionStateToKernel(const std::map<AccessTokenID, bool>& tokenIdList)
1425 {
1426 for (auto iter = tokenIdList.begin(); iter != tokenIdList.end(); ++iter) {
1427 AccessTokenID tokenId = iter->first;
1428 bool isActive = iter->second;
1429 // refresh under userPolicyLock_
1430 {
1431 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
1432 std::map<std::string, bool> refreshedPermList;
1433 HapTokenInfoInner::RefreshPermStateToKernel(permPolicyList_, isActive, tokenId, refreshedPermList);
1434
1435 if (refreshedPermList.size() != 0) {
1436 PermissionManager::GetInstance().ParamUpdate(std::string(), 0, true);
1437 }
1438 for (auto perm = refreshedPermList.begin(); perm != refreshedPermList.end(); ++perm) {
1439 PermStateChangeType change = perm->second ?
1440 PermStateChangeType::STATE_CHANGE_GRANTED : PermStateChangeType::STATE_CHANGE_REVOKED;
1441 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenId, perm->first, change);
1442 }
1443 }
1444 }
1445 return RET_SUCCESS;
1446 }
1447
UpdatePermissionStateToKernel(const std::vector<std::string> & permCodeList,const std::map<AccessTokenID,bool> & tokenIdList)1448 int32_t AccessTokenInfoManager::UpdatePermissionStateToKernel(const std::vector<std::string>& permCodeList,
1449 const std::map<AccessTokenID, bool>& tokenIdList)
1450 {
1451 for (auto iter = tokenIdList.begin(); iter != tokenIdList.end(); ++iter) {
1452 AccessTokenID tokenId = iter->first;
1453 bool isActive = iter->second;
1454 std::map<std::string, bool> refreshedPermList;
1455 HapTokenInfoInner::RefreshPermStateToKernel(permCodeList, isActive, tokenId, refreshedPermList);
1456
1457 if (refreshedPermList.size() != 0) {
1458 PermissionManager::GetInstance().ParamUpdate(std::string(), 0, true);
1459 }
1460 for (auto perm = refreshedPermList.begin(); perm != refreshedPermList.end(); ++perm) {
1461 LOGI(ATM_DOMAIN, ATM_TAG, "Perm %{public}s refreshed by user policy, isActive %{public}d.",
1462 perm->first.c_str(), perm->second);
1463 PermStateChangeType change = perm->second ?
1464 PermStateChangeType::STATE_CHANGE_GRANTED : PermStateChangeType::STATE_CHANGE_REVOKED;
1465 CallbackManager::GetInstance().ExecuteCallbackAsync(tokenId, perm->first, change);
1466 }
1467 }
1468 return RET_SUCCESS;
1469 }
1470
InitUserPolicy(const std::vector<UserState> & userList,const std::vector<std::string> & permList)1471 int32_t AccessTokenInfoManager::InitUserPolicy(
1472 const std::vector<UserState>& userList, const std::vector<std::string>& permList)
1473 {
1474 std::map<AccessTokenID, bool> tokenIdList;
1475 {
1476 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
1477 std::map<int32_t, bool> changedUserList;
1478 int32_t ret = ParseUserPolicyInfo(userList, permList, changedUserList);
1479 if (ret != RET_SUCCESS) {
1480 return ret;
1481 }
1482 if (changedUserList.empty()) {
1483 LOGI(ATM_DOMAIN, ATM_TAG, "changedUserList is empty.");
1484 return ret;
1485 }
1486 GetGoalHapList(tokenIdList, changedUserList);
1487 }
1488 return UpdatePermissionStateToKernel(tokenIdList);
1489 }
1490
UpdateUserPolicy(const std::vector<UserState> & userList)1491 int32_t AccessTokenInfoManager::UpdateUserPolicy(const std::vector<UserState>& userList)
1492 {
1493 std::map<AccessTokenID, bool> tokenIdList;
1494 {
1495 std::map<int32_t, bool> changedUserList;
1496 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
1497 int32_t ret = ParseUserPolicyInfo(userList, changedUserList);
1498 if (ret != RET_SUCCESS) {
1499 return ret;
1500 }
1501 if (changedUserList.empty()) {
1502 LOGI(ATM_DOMAIN, ATM_TAG, "changedUserList is empty.");
1503 return ret;
1504 }
1505 GetGoalHapList(tokenIdList, changedUserList);
1506 }
1507 return UpdatePermissionStateToKernel(tokenIdList);
1508 }
1509
ClearUserPolicy()1510 int32_t AccessTokenInfoManager::ClearUserPolicy()
1511 {
1512 std::map<AccessTokenID, bool> tokenIdList;
1513 std::vector<std::string> permList;
1514 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->userPolicyLock_);
1515 if (permPolicyList_.empty()) {
1516 LOGW(ATM_DOMAIN, ATM_TAG, "UserPolicy has been cleared.");
1517 return RET_SUCCESS;
1518 }
1519 permList.assign(permPolicyList_.begin(), permPolicyList_.end());
1520 std::map<int32_t, bool> changedUserList;
1521 for (const auto &userId : inactiveUserList_) {
1522 // All user comes to be active for permission manager.
1523 changedUserList[userId] = true;
1524 }
1525 GetGoalHapList(tokenIdList, changedUserList);
1526 int32_t ret = UpdatePermissionStateToKernel(permList, tokenIdList);
1527 // Lock range is large. While The number of ClearUserPolicy function calls is very small.
1528 if (ret == RET_SUCCESS) {
1529 permPolicyList_.clear();
1530 inactiveUserList_.clear();
1531 }
1532 return ret;
1533 }
1534
GetPermDialogCap(AccessTokenID tokenID)1535 bool AccessTokenInfoManager::GetPermDialogCap(AccessTokenID tokenID)
1536 {
1537 if (tokenID == INVALID_TOKENID) {
1538 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid tokenId.");
1539 return true;
1540 }
1541 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1542 auto infoIter = hapTokenInfoMap_.find(tokenID);
1543 if ((infoIter == hapTokenInfoMap_.end()) || (infoIter->second == nullptr)) {
1544 LOGE(ATM_DOMAIN, ATM_TAG, "TokenId is not exist in map.");
1545 return true;
1546 }
1547 return infoIter->second->IsPermDialogForbidden();
1548 }
1549
UpdateCapStateToDatabase(AccessTokenID tokenID,bool enable)1550 bool AccessTokenInfoManager::UpdateCapStateToDatabase(AccessTokenID tokenID, bool enable)
1551 {
1552 GenericValues modifyValue;
1553 modifyValue.Put(TokenFiledConst::FIELD_FORBID_PERM_DIALOG, enable);
1554
1555 GenericValues conditionValue;
1556 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1557
1558 int32_t res = AccessTokenDb::GetInstance().Modify(AtmDataType::ACCESSTOKEN_HAP_INFO, modifyValue, conditionValue);
1559 if (res != 0) {
1560 LOGE(ATM_DOMAIN, ATM_TAG,
1561 "Update tokenID %{public}u permissionDialogForbidden %{public}d to database failed", tokenID, enable);
1562 return false;
1563 }
1564
1565 return true;
1566 }
1567
VerifyNativeAccessToken(AccessTokenID tokenID,const std::string & permissionName)1568 int AccessTokenInfoManager::VerifyNativeAccessToken(AccessTokenID tokenID, const std::string& permissionName)
1569 {
1570 if (!IsDefinedPermission(permissionName)) {
1571 LOGE(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str());
1572 return PERMISSION_DENIED;
1573 }
1574 uint32_t code;
1575 if (!TransferPermissionToOpcode(permissionName, code)) {
1576 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid perm(%{public}s)", permissionName.c_str());
1577 return PERMISSION_DENIED;
1578 }
1579
1580 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1581 auto iter = nativeTokenInfoMap_.find(tokenID);
1582 if (iter == nativeTokenInfoMap_.end()) {
1583 LOGE(ATM_DOMAIN, ATM_TAG, "Id %{public}u is not exist.", tokenID);
1584 return PERMISSION_DENIED;
1585 }
1586
1587 NativeTokenInfoCache cache = iter->second;
1588 for (size_t i = 0; i < cache.opCodeList.size(); ++i) {
1589 if (code == cache.opCodeList[i]) {
1590 return cache.statusList[i] ? PERMISSION_GRANTED : PERMISSION_DENIED;
1591 }
1592 }
1593
1594 return PERMISSION_DENIED;
1595 }
1596
VerifyAccessToken(AccessTokenID tokenID,const std::string & permissionName)1597 int32_t AccessTokenInfoManager::VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName)
1598 {
1599 if (tokenID == INVALID_TOKENID) {
1600 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK",
1601 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", VERIFY_TOKEN_ID_ERROR, "CALLER_TOKENID",
1602 static_cast<AccessTokenID>(IPCSkeleton::GetCallingTokenID()), "PERMISSION_NAME", permissionName);
1603 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID is invalid");
1604 return PERMISSION_DENIED;
1605 }
1606
1607 if (!PermissionValidator::IsPermissionNameValid(permissionName)) {
1608 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName: %{public}s, invalid params!", permissionName.c_str());
1609 return PERMISSION_DENIED;
1610 }
1611
1612 ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID);
1613 if ((tokenType == TOKEN_NATIVE) || (tokenType == TOKEN_SHELL)) {
1614 return VerifyNativeAccessToken(tokenID, permissionName);
1615 }
1616 if (tokenType == TOKEN_HAP) {
1617 return PermissionManager::GetInstance().VerifyHapAccessToken(tokenID, permissionName);
1618 }
1619 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}d, invalid tokenType!", tokenID);
1620 return PERMISSION_DENIED;
1621 }
1622
AddPermRequestToggleStatusToDb(int32_t userID,const std::string & permissionName,int32_t status)1623 int32_t AccessTokenInfoManager::AddPermRequestToggleStatusToDb(
1624 int32_t userID, const std::string& permissionName, int32_t status)
1625 {
1626 GenericValues condition;
1627 condition.Put(TokenFiledConst::FIELD_USER_ID, userID);
1628 condition.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
1629
1630 std::vector<AtmDataType> dataTypes;
1631 dataTypes.emplace_back(AtmDataType::ACCESSTOKEN_PERMISSION_REQUEST_TOGGLE_STATUS);
1632
1633 // delete
1634 std::vector<GenericValues> deleteValues;
1635 deleteValues.emplace_back(condition);
1636
1637 // add
1638 std::vector<std::vector<GenericValues>> addValues;
1639 std::vector<GenericValues> value;
1640 condition.Put(TokenFiledConst::FIELD_REQUEST_TOGGLE_STATUS, status);
1641 value.emplace_back(condition);
1642 addValues.emplace_back(value);
1643 int32_t ret = AccessTokenDb::GetInstance().DeleteAndInsertValues(dataTypes, deleteValues, dataTypes, addValues);
1644 if (ret != RET_SUCCESS) {
1645 LOGE(ATM_DOMAIN, ATM_TAG, "DeleteAndInsertHap failed, ret %{public}d.", ret);
1646 return ret;
1647 }
1648 return RET_SUCCESS;
1649 }
1650
SetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t status,int32_t userID)1651 int32_t AccessTokenInfoManager::SetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t status,
1652 int32_t userID)
1653 {
1654 if (userID == 0) {
1655 userID = IPCSkeleton::GetCallingUid() / BASE_USER_RANGE;
1656 }
1657
1658 LOGI(ATM_DOMAIN, ATM_TAG, "UserID=%{public}u, permission=%{public}s, status=%{public}d", userID,
1659 permissionName.c_str(), status);
1660 if (!PermissionValidator::IsUserIdValid(userID) ||
1661 !PermissionValidator::IsPermissionNameValid(permissionName) ||
1662 !PermissionValidator::IsToggleStatusValid(status)) {
1663 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid parameter(userId=%{public}d, perm=%{public}s, status=%{public}d).",
1664 userID, permissionName.c_str(), status);
1665 return AccessTokenError::ERR_PARAM_INVALID;
1666 }
1667 if (!IsDefinedPermission(permissionName)) {
1668 LOGE(ATM_DOMAIN, ATM_TAG, "Permission=%{public}s is not defined.", permissionName.c_str());
1669 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
1670 }
1671 if (!IsUserGrantPermission(permissionName)) {
1672 LOGE(ATM_DOMAIN, ATM_TAG, "Only support permissions of user_grant to set.");
1673 return AccessTokenError::ERR_PARAM_INVALID;
1674 }
1675
1676 int32_t ret = AddPermRequestToggleStatusToDb(userID, permissionName, status);
1677 if (ret != RET_SUCCESS) {
1678 LOGE(ATM_DOMAIN, ATM_TAG, "Status is invalid.");
1679 return ret;
1680 }
1681
1682 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERM_DIALOG_STATUS_INFO",
1683 HiviewDFX::HiSysEvent::EventType::STATISTIC, "USERID", userID, "PERMISSION_NAME", permissionName,
1684 "TOGGLE_STATUS", status);
1685
1686 return RET_SUCCESS;
1687 }
1688
FindPermRequestToggleStatusFromDb(int32_t userID,const std::string & permissionName)1689 int32_t AccessTokenInfoManager::FindPermRequestToggleStatusFromDb(int32_t userID, const std::string& permissionName)
1690 {
1691 std::vector<GenericValues> result;
1692 GenericValues conditionValue;
1693 conditionValue.Put(TokenFiledConst::FIELD_USER_ID, userID);
1694 conditionValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permissionName);
1695
1696 AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_REQUEST_TOGGLE_STATUS,
1697 conditionValue, result);
1698 if (result.empty()) {
1699 // never set, return default status: CLOSED if APP_TRACKING_CONSENT
1700 return (permissionName == "ohos.permission.APP_TRACKING_CONSENT") ?
1701 PermissionRequestToggleStatus::CLOSED : PermissionRequestToggleStatus::OPEN;
1702 }
1703 return result[0].GetInt(TokenFiledConst::FIELD_REQUEST_TOGGLE_STATUS);
1704 }
1705
GetPermissionRequestToggleStatus(const std::string & permissionName,uint32_t & status,int32_t userID)1706 int32_t AccessTokenInfoManager::GetPermissionRequestToggleStatus(const std::string& permissionName, uint32_t& status,
1707 int32_t userID)
1708 {
1709 if (userID == 0) {
1710 userID = IPCSkeleton::GetCallingUid() / BASE_USER_RANGE;
1711 }
1712
1713 LOGI(ATM_DOMAIN, ATM_TAG, "UserID=%{public}u, permissionName=%{public}s", userID, permissionName.c_str());
1714 if (!PermissionValidator::IsUserIdValid(userID) ||
1715 !PermissionValidator::IsPermissionNameValid(permissionName)) {
1716 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid parameter(userId=%{public}d, perm=%{public}s.",
1717 userID, permissionName.c_str());
1718 return AccessTokenError::ERR_PARAM_INVALID;
1719 }
1720 if (!IsDefinedPermission(permissionName)) {
1721 LOGE(ATM_DOMAIN, ATM_TAG, "Permission=%{public}s is not defined.", permissionName.c_str());
1722 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
1723 }
1724 if (!IsUserGrantPermission(permissionName)) {
1725 LOGE(ATM_DOMAIN, ATM_TAG, "Only support permissions of user_grant to get.");
1726 return AccessTokenError::ERR_PARAM_INVALID;
1727 }
1728
1729 status = static_cast<uint32_t>(FindPermRequestToggleStatusFromDb(userID, permissionName));
1730
1731 return 0;
1732 }
1733
IsPermissionReqValid(int32_t tokenApl,const std::string & permissionName,const std::vector<std::string> & nativeAcls)1734 bool AccessTokenInfoManager::IsPermissionReqValid(int32_t tokenApl, const std::string& permissionName,
1735 const std::vector<std::string>& nativeAcls)
1736 {
1737 PermissionBriefDef briefDef;
1738 if (!GetPermissionBriefDef(permissionName, briefDef)) {
1739 return false;
1740 }
1741
1742 if (tokenApl >= briefDef.availableLevel) {
1743 return true;
1744 }
1745
1746 auto iter = std::find(nativeAcls.begin(), nativeAcls.end(), permissionName);
1747 if (iter != nativeAcls.end()) {
1748 return true;
1749 }
1750 return false;
1751 }
1752
1753
GetKernelPermissions(AccessTokenID tokenId,std::vector<PermissionWithValue> & kernelPermList)1754 int32_t AccessTokenInfoManager::GetKernelPermissions(
1755 AccessTokenID tokenId, std::vector<PermissionWithValue>& kernelPermList)
1756 {
1757 return PermissionDataBrief::GetInstance().GetKernelPermissions(tokenId, kernelPermList);
1758 }
1759
1760
GetReqPermissionByName(AccessTokenID tokenId,const std::string & permissionName,std::string & value)1761 int32_t AccessTokenInfoManager::GetReqPermissionByName(
1762 AccessTokenID tokenId, const std::string& permissionName, std::string& value)
1763 {
1764 return PermissionDataBrief::GetInstance().GetReqPermissionByName(
1765 tokenId, permissionName, value, true);
1766 }
1767
GetNativeCfgInfo(std::vector<NativeTokenInfoBase> & tokenInfos)1768 int32_t AccessTokenInfoManager::GetNativeCfgInfo(std::vector<NativeTokenInfoBase>& tokenInfos)
1769 {
1770 LibraryLoader loader(CONFIG_PARSE_LIBPATH);
1771 ConfigPolicyLoaderInterface* policy = loader.GetObject<ConfigPolicyLoaderInterface>();
1772 if (policy == nullptr) {
1773 LOGE(ATM_DOMAIN, ATM_TAG, "Dlopen libaccesstoken_json_parse failed.");
1774 return RET_FAILED;
1775 }
1776 int ret = policy->GetAllNativeTokenInfo(tokenInfos);
1777 if (ret != RET_SUCCESS) {
1778 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to load native from native json, err=%{public}d.", ret);
1779 return ret;
1780 }
1781
1782 return RET_SUCCESS;
1783 }
1784
NativeTokenStateToString(const NativeTokenInfoBase & native,std::string & info,std::string & invalidPermString)1785 void AccessTokenInfoManager::NativeTokenStateToString(const NativeTokenInfoBase& native, std::string& info,
1786 std::string& invalidPermString)
1787 {
1788 for (auto iter = native.permStateList.begin(); iter != native.permStateList.end(); iter++) {
1789 if (!IsPermissionReqValid(native.apl, iter->permissionName, native.nativeAcls)) {
1790 invalidPermString.append(R"( "permissionName": ")" + iter->permissionName + R"(")" + ",\n");
1791 continue;
1792 }
1793 info.append(R"( {)");
1794 info.append("\n");
1795 info.append(R"( "permissionName": ")" + iter->permissionName + R"(")" + ",\n");
1796 info.append(R"( "grantStatus": )" + std::to_string(iter->grantStatus) + ",\n");
1797 info.append(R"( "grantFlag": )" + std::to_string(iter->grantFlag) + ",\n");
1798 info.append(R"( })");
1799 if (iter != (native.permStateList.end() - 1)) {
1800 info.append(",\n");
1801 }
1802 }
1803 }
1804
NativeTokenToString(AccessTokenID tokenID,std::string & info)1805 void AccessTokenInfoManager::NativeTokenToString(AccessTokenID tokenID, std::string& info)
1806 {
1807 std::vector<NativeTokenInfoBase> tokenInfos;
1808 int ret = GetNativeCfgInfo(tokenInfos);
1809 if (ret != RET_SUCCESS || tokenInfos.empty()) {
1810 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to load native from native json, err=%{public}d.", ret);
1811 return;
1812 }
1813 auto iter = tokenInfos.begin();
1814 while (iter != tokenInfos.end()) {
1815 if (iter->tokenID == tokenID) {
1816 break;
1817 }
1818 ++iter;
1819 }
1820 if (iter == tokenInfos.end()) {
1821 LOGE(ATM_DOMAIN, ATM_TAG, "Id %{public}u is not exist.", tokenID);
1822 return;
1823 }
1824 NativeTokenInfoBase native = *iter;
1825 std::string invalidPermString = "";
1826 info.append(R"({)");
1827 info.append("\n");
1828 info.append(R"( "tokenID": )" + std::to_string(native.tokenID) + ",\n");
1829 info.append(R"( "processName": ")" + native.processName + R"(")" + ",\n");
1830 info.append(R"( "apl": )" + std::to_string(native.apl) + ",\n");
1831 info.append(R"( "permStateList": [)");
1832 info.append("\n");
1833 NativeTokenStateToString(native, info, invalidPermString);
1834 info.append("\n ]\n");
1835
1836 if (invalidPermString.empty()) {
1837 info.append("}");
1838 return;
1839 }
1840
1841 info.append(R"( "invalidPermList": [\n)");
1842 info.append(invalidPermString);
1843 info.append("\n ]\n}");
1844 }
1845 } // namespace AccessToken
1846 } // namespace Security
1847 } // namespace OHOS
1848