1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "test_common.h"
16 #include <thread>
17 #include "atm_tools_param_info.h"
18 #include "gtest/gtest.h"
19 #include "test_common.h"
20
21 namespace OHOS {
22 namespace Security {
23 namespace AccessToken {
24 std::mutex g_lockSetToken;
25 uint64_t g_shellTokenId = 0;
GetInfoManagerTestInfoParms()26 HapInfoParams TestCommon::GetInfoManagerTestInfoParms()
27 {
28 HapInfoParams g_infoManagerTestInfoParms = {
29 .userID = 1,
30 .bundleName = "accesstoken_test",
31 .instIndex = 0,
32 .appIDDesc = "test3",
33 .apiVersion = 8,
34 .appDistributionType = "enterprise_mdm"
35 };
36 return g_infoManagerTestInfoParms;
37 }
38
GetInfoManagerTestNormalInfoParms()39 HapInfoParams TestCommon::GetInfoManagerTestNormalInfoParms()
40 {
41 HapInfoParams g_infoManagerTestNormalInfoParms = {
42 .userID = 1,
43 .bundleName = "accesstoken_test",
44 .instIndex = 0,
45 .appIDDesc = "test3",
46 .apiVersion = 8,
47 .isSystemApp = false
48 };
49 return g_infoManagerTestNormalInfoParms;
50 }
51
GetInfoManagerTestSystemInfoParms()52 HapInfoParams TestCommon::GetInfoManagerTestSystemInfoParms()
53 {
54 HapInfoParams g_infoManagerTestSystemInfoParms = {
55 .userID = 1,
56 .bundleName = "accesstoken_test",
57 .instIndex = 0,
58 .appIDDesc = "test3",
59 .apiVersion = 8,
60 .isSystemApp = true
61 };
62 return g_infoManagerTestSystemInfoParms;
63 }
64
GetInfoManagerTestPolicyPrams()65 HapPolicyParams TestCommon::GetInfoManagerTestPolicyPrams()
66 {
67 PermissionDef g_infoManagerTestPermDef1 = {
68 .permissionName = "ohos.permission.test1",
69 .bundleName = "accesstoken_test",
70 .grantMode = 1,
71 .availableLevel = APL_NORMAL,
72 .label = "label3",
73 .labelId = 1,
74 .description = "open the door",
75 .descriptionId = 1,
76 .availableType = MDM
77 };
78
79 PermissionDef g_infoManagerTestPermDef2 = {
80 .permissionName = "ohos.permission.test2",
81 .bundleName = "accesstoken_test",
82 .grantMode = 1,
83 .availableLevel = APL_NORMAL,
84 .label = "label3",
85 .labelId = 1,
86 .description = "break the door",
87 .descriptionId = 1,
88 };
89
90 PermissionStateFull g_infoManagerTestState1 = {
91 .permissionName = "ohos.permission.GET_WIFI_INFO",
92 .isGeneral = true,
93 .resDeviceID = {"local3"},
94 .grantStatus = {PermissionState::PERMISSION_GRANTED},
95 .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
96 };
97
98 PermissionStateFull g_infoManagerTestState2 = {
99 .permissionName = "ohos.permission.SET_WIFI_INFO",
100 .isGeneral = false,
101 .resDeviceID = {"device 1", "device 2"},
102 .grantStatus = {PermissionState::PERMISSION_GRANTED, PermissionState::PERMISSION_GRANTED},
103 .grantFlags = {PermissionFlag::PERMISSION_USER_SET, PermissionFlag::PERMISSION_USER_FIXED}
104 };
105
106 HapPolicyParams g_infoManagerTestPolicyPrams = {
107 .apl = APL_NORMAL,
108 .domain = "test.domain3",
109 .permList = {g_infoManagerTestPermDef1, g_infoManagerTestPermDef2},
110 .permStateList = {g_infoManagerTestState1, g_infoManagerTestState2}
111 };
112 return g_infoManagerTestPolicyPrams;
113 }
114
GetTestPolicyParams()115 HapPolicyParams TestCommon::GetTestPolicyParams()
116 {
117 PermissionStateFull g_testPermReq = {
118 .permissionName = "ohos.permission.MANAGE_HAP_TOKENID",
119 .isGeneral = true,
120 .resDeviceID = {"test_device"},
121 .grantStatus = {PermissionState::PERMISSION_GRANTED},
122 .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED}
123 };
124 HapPolicyParams g_testPolicyParams = {
125 .apl = APL_SYSTEM_CORE,
126 .domain = "test_domain",
127 .permStateList = { g_testPermReq },
128 .aclRequestedList = {},
129 .preAuthorizationInfo = {}
130 };
131 return g_testPolicyParams;
132 }
133
GetHapParams(HapInfoParams & infoParams,HapPolicyParams & policyParams)134 void TestCommon::GetHapParams(HapInfoParams& infoParams, HapPolicyParams& policyParams)
135 {
136 infoParams.userID = 0;
137 infoParams.bundleName = "com.ohos.AccessTokenTestBundle";
138 infoParams.instIndex = 0;
139 infoParams.appIDDesc = "AccessTokenTestAppID";
140 infoParams.apiVersion = DEFAULT_API_VERSION;
141 infoParams.isSystemApp = true;
142 infoParams.appDistributionType = "";
143
144 policyParams.apl = APL_NORMAL;
145 policyParams.domain = "accesstoken_test_domain";
146 policyParams.permList = {};
147 policyParams.permStateList = {};
148 policyParams.aclRequestedList = {};
149 policyParams.preAuthorizationInfo = {};
150 }
151
TestPreparePermStateList(HapPolicyParams & policy)152 void TestCommon::TestPreparePermStateList(HapPolicyParams &policy)
153 {
154 PermissionStateFull permStatMicro = {
155 .permissionName = "ohos.permission.MICROPHONE",
156 .isGeneral = true,
157 .resDeviceID = {"device3"},
158 .grantStatus = {PermissionState::PERMISSION_DENIED},
159 .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
160 };
161 PermissionStateFull permStatCamera = {
162 .permissionName = "ohos.permission.SET_WIFI_INFO",
163 .isGeneral = true,
164 .resDeviceID = {"device3"},
165 .grantStatus = {PermissionState::PERMISSION_GRANTED},
166 .grantFlags = {PermissionFlag::PERMISSION_USER_FIXED}
167 };
168 PermissionStateFull permStatAlpha = {
169 .permissionName = "ohos.permission.ALPHA",
170 .isGeneral = true,
171 .resDeviceID = {"device3"},
172 .grantStatus = {PermissionState::PERMISSION_DENIED},
173 .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
174 };
175 PermissionStateFull permStatBeta = {
176 .permissionName = "ohos.permission.BETA",
177 .isGeneral = true,
178 .resDeviceID = {"device3"},
179 .grantStatus = {PermissionState::PERMISSION_GRANTED},
180 .grantFlags = {PermissionFlag::PERMISSION_USER_FIXED}
181 };
182 policy.permStateList.emplace_back(permStatMicro);
183 policy.permStateList.emplace_back(permStatCamera);
184 policy.permStateList.emplace_back(permStatAlpha);
185 policy.permStateList.emplace_back(permStatBeta);
186 }
187
TestPreparePermDefList(HapPolicyParams & policy)188 void TestCommon::TestPreparePermDefList(HapPolicyParams &policy)
189 {
190 PermissionDef permissionDefBeta;
191 permissionDefBeta.permissionName = "ohos.permission.BETA";
192 permissionDefBeta.bundleName = "ohos";
193 permissionDefBeta.grantMode = GrantMode::SYSTEM_GRANT;
194 permissionDefBeta.availableLevel = APL_NORMAL;
195 permissionDefBeta.provisionEnable = false;
196 permissionDefBeta.distributedSceneEnable = false;
197
198 PermissionDef permissionDefAlpha;
199 permissionDefAlpha.permissionName = "ohos.permission.ALPHA";
200 permissionDefAlpha.bundleName = "ohos";
201 permissionDefAlpha.grantMode = GrantMode::USER_GRANT;
202 permissionDefAlpha.availableLevel = APL_NORMAL;
203 permissionDefAlpha.provisionEnable = false;
204 permissionDefAlpha.distributedSceneEnable = false;
205
206 policy.permList.emplace_back(permissionDefBeta);
207 policy.permList.emplace_back(permissionDefAlpha);
208 }
209
210
TestPrepareKernelPermissionStatus(HapPolicyParams & policyParams)211 void TestCommon::TestPrepareKernelPermissionStatus(HapPolicyParams& policyParams)
212 {
213 PermissionStateFull permissionStatusBasic = {
214 .permissionName = "ohos.permission.test_basic",
215 .isGeneral = false,
216 .resDeviceID = {"local"},
217 .grantStatus = {PERMISSION_GRANTED},
218 .grantFlags = {PERMISSION_SYSTEM_FIXED}
219 };
220
221 PermissionStateFull permissionStateFull001 = permissionStatusBasic;
222 permissionStateFull001.permissionName = "ohos.permission.KERNEL_ATM_SELF_USE";
223 PermissionStateFull permissionStateFull002 = permissionStatusBasic;
224 permissionStateFull002.permissionName = "ohos.permission.MICROPHONE";
225 PermissionStateFull permissionStateFull003 = permissionStatusBasic;
226 permissionStateFull003.permissionName = "ohos.permission.CAMERA";
227 policyParams.permStateList = {permissionStateFull001, permissionStateFull002, permissionStateFull003};
228 policyParams.aclExtendedMap["ohos.permission.KERNEL_ATM_SELF_USE"] = "123";
229 policyParams.aclExtendedMap["ohos.permission.MICROPHONE"] = "456"; // filtered
230 policyParams.aclExtendedMap["ohos.permission.CAMERA"] = "789"; // filtered
231 }
232
SetTestEvironment(uint64_t shellTokenId)233 void TestCommon::SetTestEvironment(uint64_t shellTokenId)
234 {
235 std::lock_guard<std::mutex> lock(g_lockSetToken);
236 g_shellTokenId = shellTokenId;
237 }
238
ResetTestEvironment()239 void TestCommon::ResetTestEvironment()
240 {
241 std::lock_guard<std::mutex> lock(g_lockSetToken);
242 g_shellTokenId = 0;
243 }
244
GetShellTokenId()245 uint64_t TestCommon::GetShellTokenId()
246 {
247 std::lock_guard<std::mutex> lock(g_lockSetToken);
248 return g_shellTokenId;
249 }
250
AllocTestHapToken(const HapInfoParams & hapInfo,HapPolicyParams & hapPolicy,AccessTokenIDEx & tokenIdEx)251 int32_t TestCommon::AllocTestHapToken(
252 const HapInfoParams& hapInfo, HapPolicyParams& hapPolicy, AccessTokenIDEx& tokenIdEx)
253 {
254 uint64_t selfTokenId = GetSelfTokenID();
255 for (auto& permissionStateFull : hapPolicy.permStateList) {
256 PermissionDef permDefResult;
257 if (AccessTokenKit::GetDefPermission(permissionStateFull.permissionName, permDefResult) != RET_SUCCESS) {
258 continue;
259 }
260 if (permDefResult.availableLevel > hapPolicy.apl) {
261 hapPolicy.aclRequestedList.emplace_back(permissionStateFull.permissionName);
262 }
263 }
264 if (TestCommon::GetNativeTokenIdFromProcess("foundation") == selfTokenId) {
265 return AccessTokenKit::InitHapToken(hapInfo, hapPolicy, tokenIdEx);
266 }
267
268 // set sh token for self
269 MockNativeToken mock("foundation");
270 int32_t ret = AccessTokenKit::InitHapToken(hapInfo, hapPolicy, tokenIdEx);
271
272 // restore
273 EXPECT_EQ(0, SetSelfTokenID(selfTokenId));
274
275 return ret;
276 }
277
AllocAndGrantHapTokenByTest(const HapInfoParams & info,HapPolicyParams & policy)278 AccessTokenIDEx TestCommon::AllocAndGrantHapTokenByTest(const HapInfoParams& info, HapPolicyParams& policy)
279 {
280 for (const auto& permissionStateFull : policy.permStateList) {
281 PermissionDef permDefResult;
282 if (AccessTokenKit::GetDefPermission(permissionStateFull.permissionName, permDefResult) != RET_SUCCESS) {
283 continue;
284 }
285 if (permDefResult.availableLevel > policy.apl) {
286 policy.aclRequestedList.emplace_back(permissionStateFull.permissionName);
287 }
288 }
289
290 AccessTokenIDEx tokenIdEx = {0};
291 EXPECT_EQ(RET_SUCCESS, TestCommon::AllocTestHapToken(info, policy, tokenIdEx));
292 AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID;
293 EXPECT_NE(tokenId, INVALID_TOKENID);
294
295 for (const auto& permissionStateFull : policy.permStateList) {
296 if (permissionStateFull.grantStatus[0] == PERMISSION_GRANTED) {
297 TestCommon::GrantPermissionByTest(
298 tokenId, permissionStateFull.permissionName, permissionStateFull.grantFlags[0]);
299 } else {
300 TestCommon::RevokePermissionByTest(
301 tokenId, permissionStateFull.permissionName, permissionStateFull.grantFlags[0]);
302 }
303 }
304 return tokenIdEx;
305 }
306
DeleteTestHapToken(AccessTokenID tokenID)307 int32_t TestCommon::DeleteTestHapToken(AccessTokenID tokenID)
308 {
309 uint64_t selfTokenId = GetSelfTokenID();
310 if (TestCommon::GetNativeTokenIdFromProcess("foundation") == selfTokenId) {
311 return AccessTokenKit::DeleteToken(tokenID);
312 }
313
314 // set sh token for self
315 MockNativeToken mock("foundation");
316
317 int32_t ret = AccessTokenKit::DeleteToken(tokenID);
318 // restore
319 EXPECT_EQ(0, SetSelfTokenID(selfTokenId));
320 return ret;
321 }
322
GrantPermissionByTest(AccessTokenID tokenID,const std::string & permission,uint32_t flag)323 int32_t TestCommon::GrantPermissionByTest(AccessTokenID tokenID, const std::string& permission, uint32_t flag)
324 {
325 std::vector<std::string> reqPerm;
326 reqPerm.emplace_back("ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
327 MockHapToken mock("AccessTokenTestGrant", reqPerm);
328 return AccessTokenKit::GrantPermission(tokenID, permission, flag);
329 }
330
RevokePermissionByTest(AccessTokenID tokenID,const std::string & permission,uint32_t flag)331 int32_t TestCommon::RevokePermissionByTest(AccessTokenID tokenID, const std::string& permission, uint32_t flag)
332 {
333 std::vector<std::string> reqPerm;
334 reqPerm.emplace_back("ohos.permission.REVOKE_SENSITIVE_PERMISSIONS");
335 MockHapToken mock("AccessTokenTestRevoke", reqPerm);
336 return AccessTokenKit::RevokePermission(tokenID, permission, flag);
337 }
338
GetNativeToken(const char * processName,const char ** perms,int32_t permNum)339 uint64_t TestCommon::GetNativeToken(const char *processName, const char **perms, int32_t permNum)
340 {
341 uint64_t tokenId;
342 NativeTokenInfoParams infoInstance = {
343 .dcapsNum = 0,
344 .permsNum = permNum,
345 .aclsNum = 0,
346 .dcaps = nullptr,
347 .perms = perms,
348 .acls = nullptr,
349 .aplStr = "system_core",
350 .processName = processName,
351 };
352
353 tokenId = GetAccessTokenId(&infoInstance);
354 AccessTokenKit::ReloadNativeTokenInfo();
355 return tokenId;
356 }
357
GetNativeTokenIdFromProcess(const std::string & process)358 AccessTokenID TestCommon::GetNativeTokenIdFromProcess(const std::string &process)
359 {
360 uint64_t selfTokenId = GetSelfTokenID();
361 EXPECT_EQ(0, SetSelfTokenID(TestCommon::GetShellTokenId())); // set shell token
362
363 std::string dumpInfo;
364 AtmToolsParamInfo info;
365 info.processName = process;
366 AccessTokenKit::DumpTokenInfo(info, dumpInfo);
367 size_t pos = dumpInfo.find("\"tokenID\": ");
368 if (pos == std::string::npos) {
369 return 0;
370 }
371 pos += std::string("\"tokenID\": ").length();
372 std::string numStr;
373 while (pos < dumpInfo.length() && std::isdigit(dumpInfo[pos])) {
374 numStr += dumpInfo[pos];
375 ++pos;
376 }
377 // restore
378 EXPECT_EQ(0, SetSelfTokenID(selfTokenId));
379
380 std::istringstream iss(numStr);
381 AccessTokenID tokenID;
382 iss >> tokenID;
383 return tokenID;
384 }
385
386 // need call by native process
GetHapTokenIdFromBundle(int32_t userID,const std::string & bundleName,int32_t instIndex)387 AccessTokenIDEx TestCommon::GetHapTokenIdFromBundle(
388 int32_t userID, const std::string& bundleName, int32_t instIndex)
389 {
390 uint64_t selfTokenId = GetSelfTokenID();
391 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(static_cast<AccessTokenID>(selfTokenId));
392 if (type != TOKEN_NATIVE) {
393 AccessTokenID tokenId1 = GetNativeTokenIdFromProcess("accesstoken_service");
394 EXPECT_EQ(0, SetSelfTokenID(tokenId1));
395 }
396 AccessTokenIDEx tokenIdEx = AccessTokenKit::GetHapTokenIDEx(userID, bundleName, instIndex);
397
398 EXPECT_EQ(0, SetSelfTokenID(selfTokenId));
399 return tokenIdEx;
400 }
401
402
GetReqPermissionsByTest(AccessTokenID tokenID,std::vector<PermissionStateFull> & permStatList,bool isSystemGrant)403 int32_t TestCommon::GetReqPermissionsByTest(
404 AccessTokenID tokenID, std::vector<PermissionStateFull>& permStatList, bool isSystemGrant)
405 {
406 std::vector<std::string> reqPerm;
407 reqPerm.emplace_back("ohos.permission.GET_SENSITIVE_PERMISSIONS");
408 MockHapToken mock("GetReqPermissionsByTest", reqPerm);
409 return AccessTokenKit::GetReqPermissions(tokenID, permStatList, isSystemGrant);
410 }
411
GetPermissionFlagByTest(AccessTokenID tokenID,const std::string & permission,uint32_t & flag)412 int32_t TestCommon::GetPermissionFlagByTest(AccessTokenID tokenID, const std::string& permission, uint32_t& flag)
413 {
414 std::vector<std::string> reqPerm;
415 reqPerm.emplace_back("ohos.permission.GET_SENSITIVE_PERMISSIONS");
416 MockHapToken mock("GetPermissionFlagByTest", reqPerm, true);
417 return AccessTokenKit::GetPermissionFlag(tokenID, permission, flag);
418 }
419
MockNativeToken(const std::string & process)420 MockNativeToken::MockNativeToken(const std::string& process)
421 {
422 selfToken_ = GetSelfTokenID();
423 uint32_t tokenId = TestCommon::GetNativeTokenIdFromProcess(process);
424 SetSelfTokenID(tokenId);
425 }
426
~MockNativeToken()427 MockNativeToken::~MockNativeToken()
428 {
429 SetSelfTokenID(selfToken_);
430 }
431
MockHapToken(const std::string & bundle,const std::vector<std::string> & reqPerm,bool isSystemApp)432 MockHapToken::MockHapToken(
433 const std::string& bundle, const std::vector<std::string>& reqPerm, bool isSystemApp)
434 {
435 selfToken_ = GetSelfTokenID();
436 HapInfoParams infoParams = {
437 .userID = 0,
438 .bundleName = bundle,
439 .instIndex = 0,
440 .appIDDesc = "AccessTokenTestAppID",
441 .apiVersion = TestCommon::DEFAULT_API_VERSION,
442 .isSystemApp = isSystemApp,
443 .appDistributionType = "",
444 };
445
446 HapPolicyParams policyParams = {
447 .apl = APL_NORMAL,
448 .domain = "accesstoken_test_domain",
449 };
450 for (size_t i = 0; i < reqPerm.size(); ++i) {
451 PermissionDef permDefResult;
452 if (AccessTokenKit::GetDefPermission(reqPerm[i], permDefResult) != RET_SUCCESS) {
453 continue;
454 }
455 PermissionStateFull permState = {
456 .permissionName = reqPerm[i],
457 .isGeneral = true,
458 .resDeviceID = {"local3"},
459 .grantStatus = {PermissionState::PERMISSION_DENIED},
460 .grantFlags = {PermissionFlag::PERMISSION_DEFAULT_FLAG}
461 };
462 policyParams.permStateList.emplace_back(permState);
463 if (permDefResult.availableLevel > policyParams.apl) {
464 policyParams.aclRequestedList.emplace_back(reqPerm[i]);
465 }
466 }
467
468 AccessTokenIDEx tokenIdEx = {0};
469 EXPECT_EQ(RET_SUCCESS, TestCommon::AllocTestHapToken(infoParams, policyParams, tokenIdEx));
470 mockToken_= tokenIdEx.tokenIdExStruct.tokenID;
471 EXPECT_NE(mockToken_, INVALID_TOKENID);
472 EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
473 }
474
~MockHapToken()475 MockHapToken::~MockHapToken()
476 {
477 if (mockToken_ != INVALID_TOKENID) {
478 EXPECT_EQ(0, TestCommon::DeleteTestHapToken(mockToken_));
479 }
480 EXPECT_EQ(0, SetSelfTokenID(selfToken_));
481 }
482 } // namespace AccessToken
483 } // namespace Security
484 } // namespace OHOS