1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "permission_validator.h"
16
17 #include <set>
18
19 #include "access_token.h"
20 #include "accesstoken_common_log.h"
21 #include "data_validator.h"
22 #include "permission_map.h"
23
24 namespace OHOS {
25 namespace Security {
26 namespace AccessToken {
27
// Returns true only when grantMode equals GrantMode::SYSTEM_GRANT or
// GrantMode::USER_GRANT; any other integer value is rejected.
bool PermissionValidator::IsGrantModeValid(int grantMode)
{
    const bool isSystemGrant = (grantMode == GrantMode::SYSTEM_GRANT);
    const bool isUserGrant = (grantMode == GrantMode::USER_GRANT);
    return isSystemGrant || isUserGrant;
}
32
// Returns true only when grantStatus equals PermissionState::PERMISSION_GRANTED
// or PermissionState::PERMISSION_DENIED; any other integer value is rejected.
bool PermissionValidator::IsGrantStatusValid(int grantStatus)
{
    const bool isGranted = (grantStatus == PermissionState::PERMISSION_GRANTED);
    const bool isDenied = (grantStatus == PermissionState::PERMISSION_DENIED);
    return isGranted || isDenied;
}
37
// Forwards to DataValidator::IsPermissionFlagValid and returns its verdict
// unchanged; no flag rules are applied in this function itself.
bool PermissionValidator::IsPermissionFlagValid(uint32_t flag)
{
    const bool flagAccepted = DataValidator::IsPermissionFlagValid(flag);
    return flagAccepted;
}
42
// Forwards to DataValidator::IsPermissionNameValid and returns its verdict
// unchanged; the naming rules live in DataValidator, not here.
bool PermissionValidator::IsPermissionNameValid(const std::string& permissionName)
{
    const bool nameAccepted = DataValidator::IsPermissionNameValid(permissionName);
    return nameAccepted;
}
47
// Forwards to DataValidator::IsUserIdValid and returns its verdict unchanged.
bool PermissionValidator::IsUserIdValid(const int32_t userID)
{
    const bool userIdAccepted = DataValidator::IsUserIdValid(userID);
    return userIdAccepted;
}
52
// Forwards to DataValidator::IsToggleStatusValid and returns its verdict unchanged.
bool PermissionValidator::IsToggleStatusValid(const uint32_t status)
{
    const bool statusAccepted = DataValidator::IsToggleStatusValid(status);
    return statusAccepted;
}
57
// Validates every field of a permission definition.
//
// The fields are checked in a fixed order: label, description, bundle name,
// permission name, grant mode, available type, available level. The first
// field that fails is reported with an error log and the remaining fields are
// not examined. Only the name of the failing field is logged, never its value.
//
// Returns true when all seven checks pass, false otherwise.
bool PermissionValidator::IsPermissionDefValid(const PermissionDef& permDef)
{
    bool allFieldsValid = false;
    if (!DataValidator::IsLabelValid(permDef.label)) {
        LOGE(ATM_DOMAIN, ATM_TAG, "Label invalid.");
    } else if (!DataValidator::IsDescValid(permDef.description)) {
        LOGE(ATM_DOMAIN, ATM_TAG, "Desc invalid.");
    } else if (!DataValidator::IsBundleNameValid(permDef.bundleName)) {
        LOGE(ATM_DOMAIN, ATM_TAG, "BundleName invalid.");
    } else if (!DataValidator::IsPermissionNameValid(permDef.permissionName)) {
        LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName invalid.");
    } else if (!IsGrantModeValid(permDef.grantMode)) {
        LOGE(ATM_DOMAIN, ATM_TAG, "GrantMode invalid.");
    } else if (!DataValidator::IsAvailableTypeValid(permDef.availableType)) {
        LOGE(ATM_DOMAIN, ATM_TAG, "AvailableType invalid.");
    } else if (!DataValidator::IsAplNumValid(permDef.availableLevel)) {
        LOGE(ATM_DOMAIN, ATM_TAG, "AvailableLevel invalid.");
    } else {
        // Every check passed; this is the only path that accepts the definition.
        allFieldsValid = true;
    }
    return allFieldsValid;
}
90
// Reports whether permissionName may be used by a token of the given type.
//
// Only TOKEN_HAP is actually checked, via IsPermissionValidForHap. For every
// other token type this function returns true without looking the permission
// up, so a true result for a non-HAP token says nothing about whether the
// permission is defined. Callers must not treat it as an authorization
// decision for those token types.
bool PermissionValidator::IsPermissionAvailable(ATokenTypeEnum tokenType, const std::string& permissionName)
{
    LOGD(ATM_DOMAIN, ATM_TAG, "TokenType is %{public}d.", tokenType);
    if (tokenType != TOKEN_HAP) {
        // Permission requests from TOKEN_NATIVE processes will be checked once
        // the permission request path is normalized.
        return true;
    }
    if (IsPermissionValidForHap(permissionName)) {
        return true;
    }
    // NOTE(review): the name is logged with %{public}s. FilterInvalidPermissionState
    // validates it first; confirm that other callers do the same.
    LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s is not defined for hap.", permissionName.c_str());
    return false;
}
103
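// Validates one permission state entry.
//
// The permission name is checked first with DataValidator::IsPermissionNameValid,
// then the grant status and grant flag. Each rejection is logged, so an entry
// dropped by FilterInvalidPermissionState can be traced to the failing check.
//
// Returns true when the name, grant status and grant flag are all valid.
bool PermissionValidator::IsPermissionStateValid(const PermissionStatus& permState)
{
    if (!DataValidator::IsPermissionNameValid(permState.permissionName)) {
        // Report the rejection the same way IsPermissionDefValid does. The name
        // itself is not logged because it has just failed validation.
        LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName invalid.");
        return false;
    }
    if (!IsGrantStatusValid(permState.grantStatus) || !IsPermissionFlagValid(permState.grantFlag)) {
        LOGE(ATM_DOMAIN, ATM_TAG, "GrantStatus or grantFlag is invalid");
        return false;
    }
    return true;
}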
115
// Appends to result every definition in permList that passes
// IsPermissionDefValid and whose permission name has not already been accepted
// during this call.
//
// - result is appended to, not cleared; entries it already holds are kept and
//   are not considered when detecting duplicates.
// - When several valid definitions share a permission name, the first one in
//   permList wins and the later ones are dropped without a log entry.
// - Nothing is returned: a caller that needs to know whether anything was
//   dropped has to compare the sizes itself.
void PermissionValidator::FilterInvalidPermissionDef(
    const std::vector<PermissionDef>& permList, std::vector<PermissionDef>& result)
{
    std::set<std::string> acceptedNames;
    for (const auto& candidate : permList) {
        if (!IsPermissionDefValid(candidate)) {
            continue;
        }
        // insert() reports through .second whether the name was new, so one
        // lookup covers both the duplicate test and the bookkeeping.
        const bool firstOccurrence = acceptedNames.insert(candidate.permissionName).second;
        if (!firstOccurrence) {
            continue;
        }
        result.emplace_back(candidate);
    }
}
129
// Appends to result every state in permList that passes IsPermissionStateValid,
// has a permission name not yet accepted during this call and, when
// doPermAvailableCheck is true, also passes IsPermissionAvailable for tokenType.
//
// - result is appended to, not cleared.
// - The first accepted state for a permission name wins; later states with the
//   same name are dropped without a log entry.
// - A name is recorded as seen only after the state has been accepted, so an
//   entry rejected by the availability check does not block a later entry.
// - With doPermAvailableCheck == false no availability check is made at all.
// - Nothing is returned: a caller that needs to know whether anything was
//   dropped has to compare the sizes itself.
void PermissionValidator::FilterInvalidPermissionState(ATokenTypeEnum tokenType, bool doPermAvailableCheck,
    const std::vector<PermissionStatus>& permList, std::vector<PermissionStatus>& result)
{
    std::set<std::string> acceptedNames;
    for (const auto& candidate : permList) {
        const std::string& name = candidate.permissionName;
        if (!IsPermissionStateValid(candidate)) {
            continue;
        }
        if (acceptedNames.find(name) != acceptedNames.end()) {
            continue;
        }
        // The name has passed IsPermissionStateValid before it reaches the
        // availability check, which logs it on failure.
        const bool rejectedAsUnavailable = doPermAvailableCheck && !IsPermissionAvailable(tokenType, name);
        if (rejectedAsUnavailable) {
            continue;
        }
        acceptedNames.insert(name);
        result.emplace_back(candidate);
    }
}
147 } // namespace AccessToken
148 } // namespace Security
149 } // namespace OHOS
150