1 /*
2 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "temp_permission_observer.h"
17
18 #include "access_token.h"
19 #include "access_token_error.h"
20 #include "accesstoken_info_manager.h"
21 #include "accesstoken_common_log.h"
22 #include "libraryloader.h"
23 #include "app_manager_access_client.h"
24 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
25 #include "background_task_manager_access_client.h"
26 #endif
27 #include "form_manager_access_client.h"
28 #include "hisysevent.h"
29 #include "hisysevent_adapter.h"
30 #include "ipc_skeleton.h"
31 #include "json_parse_loader.h"
32
33 namespace OHOS {
34 namespace Security {
35 namespace AccessToken {
36 namespace {
37 static const std::string TASK_NAME_TEMP_PERMISSION = "atm_permission_manager_temp_permission";
38 static const std::string FORM_INVISIBLE_NAME = "#0";
39 static const std::string FORM_VISIBLE_NAME = "#1";
40 static constexpr int32_t ROOT_UID = 0;
41 static constexpr int32_t FOREGROUND_FLAG = 0;
42 static constexpr int32_t FORMS_FLAG = 1;
43 static constexpr int32_t CONTINUOUS_TASK_FLAG = 2;
44 static constexpr int32_t DEFAULT_CANCLE_MILLISECONDS = 10 * 1000; // 10s
45 std::recursive_mutex g_instanceMutex;
46 static const std::vector<std::string> g_tempPermission = {
47 "ohos.permission.READ_PASTEBOARD",
48 "ohos.permission.APPROXIMATELY_LOCATION",
49 "ohos.permission.LOCATION",
50 "ohos.permission.LOCATION_IN_BACKGROUND"
51 };
52 }
53
GetInstance()54 TempPermissionObserver& TempPermissionObserver::GetInstance()
55 {
56 static TempPermissionObserver* instance = nullptr;
57 if (instance == nullptr) {
58 std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
59 if (instance == nullptr) {
60 TempPermissionObserver* tmp = new TempPermissionObserver();
61 instance = std::move(tmp);
62 }
63 }
64 return *instance;
65 }
66
OnAppStateChanged(const AppStateData & appStateData)67 void PermissionAppStateObserver::OnAppStateChanged(const AppStateData &appStateData)
68 {
69 uint32_t tokenID = appStateData.accessTokenId;
70 std::vector<bool> list;
71 if (!TempPermissionObserver::GetInstance().GetAppStateListByTokenID(tokenID, list)) {
72 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not use temp permission", tokenID);
73 return;
74 }
75 LOGI(ATM_DOMAIN, ATM_TAG, "OnChange(accessTokenId=%{public}d, state=%{public}d)", tokenID, appStateData.state);
76 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_FOREGROUND)) {
77 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, FOREGROUND_FLAG, true);
78 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
79 TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
80 } else if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_BACKGROUND)) {
81 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, FOREGROUND_FLAG, false);
82 if (list[FORMS_FLAG]) {
83 LOGW(ATM_DOMAIN, ATM_TAG, "%{public}d:tokenID has form, don't delayRevokePermission!", tokenID);
84 return;
85 }
86 if (list[CONTINUOUS_TASK_FLAG]) {
87 LOGW(ATM_DOMAIN, ATM_TAG, "%{public}d:tokenID has continuoustask, don't delayRevokePermission!", tokenID);
88 return;
89 }
90 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
91 TempPermissionObserver::GetInstance().DelayRevokePermission(tokenID, taskName);
92 }
93 }
94
OnAppStopped(const AppStateData & appStateData)95 void PermissionAppStateObserver::OnAppStopped(const AppStateData &appStateData)
96 {
97 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_TERMINATED)) {
98 uint32_t tokenID = appStateData.accessTokenId;
99 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d died.", tokenID);
100 // cancle task when process die
101 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
102 TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
103 TempPermissionObserver::GetInstance().RevokeAllTempPermission(tokenID);
104 }
105 }
106
OnAppCacheStateChanged(const AppStateData & appStateData)107 void PermissionAppStateObserver::OnAppCacheStateChanged(const AppStateData &appStateData)
108 {
109 uint32_t tokenID = appStateData.accessTokenId;
110 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID is %{public}d, state is %{public}d.", tokenID, appStateData.state);
111
112 /*
113 warm start application shut down application do not means kill process,
114 actually this operation means application turn background with OnAppCacheStateChanged callback,
115 so temporary authorization should be cancle as OnAppStopped when receive this callback
116 */
117 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
118 TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
119 TempPermissionObserver::GetInstance().RevokeAllTempPermission(tokenID);
120 }
121
NotifyWhetherFormsVisible(const FormVisibilityType visibleType,const std::string & bundleName,std::vector<FormInstance> & formInstances)122 int32_t PermissionFormStateObserver::NotifyWhetherFormsVisible(const FormVisibilityType visibleType,
123 const std::string &bundleName, std::vector<FormInstance> &formInstances)
124 {
125 for (size_t i = 0; i < formInstances.size(); i++) {
126 AccessTokenID tokenID;
127 if (!TempPermissionObserver::GetInstance().GetTokenIDByBundle(formInstances[i].bundleName_, tokenID)) {
128 continue;
129 }
130 std::vector<bool> list;
131 if (!TempPermissionObserver::GetInstance().GetAppStateListByTokenID(tokenID, list)) {
132 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not use temp permission", tokenID);
133 continue;
134 }
135
136 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}s, tokenID: %{public}d, formVisiblity:%{public}d",
137 formInstances[i].bundleName_.c_str(), tokenID, formInstances[i].formVisiblity_);
138
139 if (formInstances[i].formVisiblity_ == FormVisibilityType::VISIBLE) {
140 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, FORMS_FLAG, true);
141 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
142 TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
143 } else if (formInstances[i].formVisiblity_ == FormVisibilityType::INVISIBLE) {
144 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, FORMS_FLAG, false);
145 if (list[FOREGROUND_FLAG]) {
146 LOGW(ATM_DOMAIN, ATM_TAG, "%{public}d:tokenID in foreground don't delayRevokePermission!", tokenID);
147 continue;
148 }
149 if (list[CONTINUOUS_TASK_FLAG]) {
150 LOGW(ATM_DOMAIN, ATM_TAG, "%{public}d:tokenID has task, don't delayRevokePermission!", tokenID);
151 continue;
152 }
153 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
154 TempPermissionObserver::GetInstance().DelayRevokePermission(tokenID, taskName);
155 }
156 }
157 return RET_SUCCESS;
158 }
159 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
OnContinuousTaskStart(const std::shared_ptr<ContinuousTaskCallbackInfo> & continuousTaskCallbackInfo)160 void PermissionBackgroundTaskObserver::OnContinuousTaskStart(
161 const std::shared_ptr<ContinuousTaskCallbackInfo> &continuousTaskCallbackInfo)
162 {
163 AccessTokenID tokenID = static_cast<AccessTokenID>(continuousTaskCallbackInfo->GetFullTokenId());
164 uint32_t typeId = continuousTaskCallbackInfo->GetTypeId();
165 if (static_cast<BackgroundMode>(typeId) != BackgroundMode::LOCATION) {
166 LOGD(ATM_DOMAIN, ATM_TAG, "TypeId:%{public}d can not use temp permission", typeId);
167 return;
168 }
169 std::vector<bool> list;
170 if (!TempPermissionObserver::GetInstance().GetAppStateListByTokenID(tokenID, list)) {
171 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not use temp permission", tokenID);
172 return;
173 }
174 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}d", tokenID);
175 TempPermissionObserver::GetInstance().AddContinuousTask(tokenID);
176 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, CONTINUOUS_TASK_FLAG, true);
177 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
178 TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
179 }
180
OnContinuousTaskStop(const std::shared_ptr<ContinuousTaskCallbackInfo> & continuousTaskCallbackInfo)181 void PermissionBackgroundTaskObserver::OnContinuousTaskStop(
182 const std::shared_ptr<ContinuousTaskCallbackInfo> &continuousTaskCallbackInfo)
183 {
184 AccessTokenID tokenID = static_cast<AccessTokenID>(continuousTaskCallbackInfo->GetFullTokenId());
185 uint32_t typeId = continuousTaskCallbackInfo->GetTypeId();
186 if (static_cast<BackgroundMode>(typeId) != BackgroundMode::LOCATION) {
187 LOGD(ATM_DOMAIN, ATM_TAG, "TypeId:%{public}d can not use temp permission", typeId);
188 return;
189 }
190 std::vector<bool> list;
191 if (!TempPermissionObserver::GetInstance().GetAppStateListByTokenID(tokenID, list)) {
192 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not use temp permission", tokenID);
193 return;
194 }
195 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}d", tokenID);
196 TempPermissionObserver::GetInstance().DelContinuousTask(tokenID);
197 if (TempPermissionObserver::GetInstance().FindContinuousTask(tokenID)) {
198 LOGW(ATM_DOMAIN, ATM_TAG, "Has continuous task don't delayRevokePermission!");
199 return;
200 }
201 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, CONTINUOUS_TASK_FLAG, false);
202 if (list[FOREGROUND_FLAG] || list[FORMS_FLAG]) {
203 LOGW(ATM_DOMAIN, ATM_TAG, "Has form or inForeground don't delayRevokePermission!");
204 return;
205 }
206 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
207 TempPermissionObserver::GetInstance().DelayRevokePermission(tokenID, taskName);
208 }
209 #endif
NotifyAppManagerDeath()210 void PermissionAppManagerDeathCallback::NotifyAppManagerDeath()
211 {
212 LOGI(ATM_DOMAIN, ATM_TAG, "TempPermissionObserver AppManagerDeath called");
213
214 TempPermissionObserver::GetInstance().OnAppMgrRemoteDiedHandle();
215 }
216
TempPermissionObserver()217 TempPermissionObserver::TempPermissionObserver() : cancleTimes_(DEFAULT_CANCLE_MILLISECONDS)
218 {}
219
~TempPermissionObserver()220 TempPermissionObserver::~TempPermissionObserver()
221 {
222 UnRegisterCallback();
223 }
224
RegisterCallback()225 void TempPermissionObserver::RegisterCallback()
226 {
227 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
228 {
229 std::lock_guard<std::mutex> lock(backgroundTaskCallbackMutex_);
230 if (backgroundTaskCallback_ == nullptr) {
231 backgroundTaskCallback_ = new (std::nothrow) PermissionBackgroundTaskObserver();
232 if (backgroundTaskCallback_ == nullptr) {
233 LOGE(ATM_DOMAIN, ATM_TAG, "Register backgroundTaskCallback failed.");
234 return;
235 }
236 int ret = BackgourndTaskManagerAccessClient::GetInstance().SubscribeBackgroundTask(backgroundTaskCallback_);
237 LOGI(ATM_DOMAIN, ATM_TAG, "Register backgroundTaskCallback %{public}d.", ret);
238 }
239 }
240 #endif
241 {
242 std::lock_guard<std::mutex> lock(formStateCallbackMutex_);
243 if (formVisibleCallback_ == nullptr) {
244 formVisibleCallback_ = new (std::nothrow) PermissionFormStateObserver();
245 if (formVisibleCallback_ == nullptr) {
246 LOGE(ATM_DOMAIN, ATM_TAG, "Register formStateCallback failed.");
247 return;
248 }
249 int ret = FormManagerAccessClient::GetInstance().RegisterAddObserver(
250 FORM_VISIBLE_NAME, formVisibleCallback_->AsObject());
251 if (ret != ERR_OK) {
252 LOGI(ATM_DOMAIN, ATM_TAG, "Register observer %{public}d.", ret);
253 }
254 }
255 if (formInvisibleCallback_ == nullptr) {
256 formInvisibleCallback_ = new (std::nothrow) PermissionFormStateObserver();
257 if (formInvisibleCallback_ == nullptr) {
258 LOGE(ATM_DOMAIN, ATM_TAG, "Register formStateCallback failed.");
259 formVisibleCallback_ = nullptr;
260 return;
261 }
262 int ret = FormManagerAccessClient::GetInstance().RegisterAddObserver(
263 FORM_INVISIBLE_NAME, formInvisibleCallback_->AsObject());
264 if (ret != ERR_OK) {
265 LOGI(ATM_DOMAIN, ATM_TAG, "Register observer %{public}d.", ret);
266 }
267 }
268 }
269 RegisterAppStatusListener();
270 }
271
RegisterAppStatusListener()272 void TempPermissionObserver::RegisterAppStatusListener()
273 {
274 {
275 std::lock_guard<std::mutex> lock(appStateCallbackMutex_);
276 if (appStateCallback_ == nullptr) {
277 appStateCallback_ = new (std::nothrow) PermissionAppStateObserver();
278 if (appStateCallback_ == nullptr) {
279 LOGE(ATM_DOMAIN, ATM_TAG, "Register appStateCallback failed.");
280 return;
281 }
282 int ret = AppManagerAccessClient::GetInstance().RegisterApplicationStateObserver(appStateCallback_);
283 if (ret != ERR_OK) {
284 LOGI(ATM_DOMAIN, ATM_TAG, "Register appStateCallback %{public}d.", ret);
285 }
286 }
287 }
288 // app manager death callback register
289 {
290 std::lock_guard<std::mutex> lock(appManagerDeathMutex_);
291 if (appManagerDeathCallback_ == nullptr) {
292 appManagerDeathCallback_ = std::make_shared<PermissionAppManagerDeathCallback>();
293 if (appManagerDeathCallback_ == nullptr) {
294 LOGE(ATM_DOMAIN, ATM_TAG, "Register appManagerDeathCallback failed.");
295 return;
296 }
297 AppManagerAccessClient::GetInstance().RegisterDeathCallback(appManagerDeathCallback_);
298 }
299 }
300 }
301
UnRegisterCallback()302 void TempPermissionObserver::UnRegisterCallback()
303 {
304 {
305 std::lock_guard<std::mutex> lock(appStateCallbackMutex_);
306 if (appStateCallback_ != nullptr) {
307 int32_t ret = AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(appStateCallback_);
308 if (ret != ERR_OK) {
309 LOGI(ATM_DOMAIN, ATM_TAG, "Unregister appStateCallback %{public}d.", ret);
310 }
311 appStateCallback_= nullptr;
312 }
313 }
314 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
315 {
316 std::lock_guard<std::mutex> lock(backgroundTaskCallbackMutex_);
317 if (backgroundTaskCallback_ != nullptr) {
318 int32_t ret = BackgourndTaskManagerAccessClient::GetInstance().UnsubscribeBackgroundTask(
319 backgroundTaskCallback_);
320 if (ret != ERR_NONE) {
321 LOGI(ATM_DOMAIN, ATM_TAG, "Unregister appStateCallback %{public}d.", ret);
322 }
323 backgroundTaskCallback_= nullptr;
324 }
325 }
326 #endif
327 {
328 std::lock_guard<std::mutex> lock(formStateCallbackMutex_);
329 if (formVisibleCallback_ != nullptr) {
330 int32_t ret = FormManagerAccessClient::GetInstance().RegisterRemoveObserver(
331 FORM_VISIBLE_NAME,
332 formVisibleCallback_);
333 if (ret != ERR_OK) {
334 LOGI(ATM_DOMAIN, ATM_TAG, "Unregister appStateCallback %{public}d.", ret);
335 }
336 formVisibleCallback_ = nullptr;
337 }
338 if (formInvisibleCallback_ != nullptr) {
339 int32_t ret = FormManagerAccessClient::GetInstance().RegisterRemoveObserver(
340 FORM_INVISIBLE_NAME, formInvisibleCallback_);
341 if (ret != ERR_OK) {
342 LOGI(ATM_DOMAIN, ATM_TAG, "Unregister appStateCallback %{public}d.", ret);
343 }
344 formInvisibleCallback_ = nullptr;
345 }
346 }
347 }
348
GetAppStateListByTokenID(AccessTokenID tokenID,std::vector<bool> & list)349 bool TempPermissionObserver::GetAppStateListByTokenID(AccessTokenID tokenID, std::vector<bool>& list)
350 {
351 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
352 auto iter = tempPermTokenMap_.find(tokenID);
353 if (iter == tempPermTokenMap_.end()) {
354 return false;
355 }
356 list = iter->second;
357 return true;
358 }
359
ModifyAppState(AccessTokenID tokenID,int32_t index,bool flag)360 void TempPermissionObserver::ModifyAppState(AccessTokenID tokenID, int32_t index, bool flag)
361 {
362 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
363 auto iter = tempPermTokenMap_.find(tokenID);
364 if (iter == tempPermTokenMap_.end()) {
365 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in map", tokenID);
366 return;
367 }
368 iter->second[index] = flag;
369 }
370
GetTokenIDByBundle(const std::string & bundleName,AccessTokenID & tokenID)371 bool TempPermissionObserver::GetTokenIDByBundle(const std::string &bundleName, AccessTokenID& tokenID)
372 {
373 std::unique_lock<std::mutex> lck(formTokenMutex_);
374 auto iter = formTokenMap_.find(bundleName);
375 if (iter == formTokenMap_.end()) {
376 LOGD(ATM_DOMAIN, ATM_TAG, "BundleName:%{public}s not exist in map", bundleName.c_str());
377 return false;
378 }
379 tokenID = iter->second;
380 return true;
381 }
382
AddContinuousTask(AccessTokenID tokenID)383 void TempPermissionObserver::AddContinuousTask(AccessTokenID tokenID)
384 {
385 std::unique_lock<std::mutex> lck(continuousTaskMutex_);
386 auto iter = continuousTaskMap_.find(tokenID);
387 if (iter == continuousTaskMap_.end()) {
388 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in map", tokenID);
389 continuousTaskMap_[tokenID] = 1;
390 return;
391 }
392 continuousTaskMap_[tokenID]++;
393 }
394
DelContinuousTask(AccessTokenID tokenID)395 void TempPermissionObserver::DelContinuousTask(AccessTokenID tokenID)
396 {
397 std::unique_lock<std::mutex> lck(continuousTaskMutex_);
398 auto iter = continuousTaskMap_.find(tokenID);
399 if (iter == continuousTaskMap_.end()) {
400 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in map", tokenID);
401 return;
402 }
403 continuousTaskMap_[tokenID]--;
404 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d has %{public}d tasks in map",
405 tokenID, continuousTaskMap_[tokenID]);
406 if (continuousTaskMap_[tokenID] == 0) {
407 continuousTaskMap_.erase(tokenID);
408 }
409 }
410
FindContinuousTask(AccessTokenID tokenID)411 bool TempPermissionObserver::FindContinuousTask(AccessTokenID tokenID)
412 {
413 std::unique_lock<std::mutex> lck(continuousTaskMutex_);
414 auto iter = continuousTaskMap_.find(tokenID);
415 if (iter == continuousTaskMap_.end()) {
416 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in map", tokenID);
417 return false;
418 }
419 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d has %{public}d tasks in map",
420 tokenID, continuousTaskMap_[tokenID]);
421 return true;
422 }
423
IsAllowGrantTempPermission(AccessTokenID tokenID,const std::string & permissionName)424 bool TempPermissionObserver::IsAllowGrantTempPermission(AccessTokenID tokenID, const std::string& permissionName)
425 {
426 HapTokenInfo tokenInfo;
427 if (AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, tokenInfo) != RET_SUCCESS) {
428 LOGE(ATM_DOMAIN, ATM_TAG, "Invalid tokenId(%{public}d)", tokenID);
429 return false;
430 }
431 auto iterator = std::find(g_tempPermission.begin(), g_tempPermission.end(), permissionName);
432 if (iterator == g_tempPermission.end()) {
433 LOGW(ATM_DOMAIN, ATM_TAG, "Permission is not available to temp grant: %{public}s!", permissionName.c_str());
434 return false;
435 }
436 return CheckPermissionState(tokenID, permissionName, tokenInfo.bundleName);
437 }
438
CheckPermissionState(AccessTokenID tokenID,const std::string & permissionName,const std::string & bundleName)439 bool TempPermissionObserver::CheckPermissionState(AccessTokenID tokenID,
440 const std::string& permissionName, const std::string& bundleName)
441 {
442 bool isForeground = false;
443 std::vector<AppStateData> foreGroundAppList;
444 AppManagerAccessClient::GetInstance().GetForegroundApplications(foreGroundAppList);
445 if (std::any_of(foreGroundAppList.begin(), foreGroundAppList.end(),
446 [tokenID](const auto& foreGroundApp) { return foreGroundApp.accessTokenId == tokenID; })) {
447 isForeground = true;
448 }
449 bool isContinuousTaskExist = false;
450 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
451 std::vector<std::shared_ptr<ContinuousTaskCallbackInfo>> continuousTaskList;
452 BackgourndTaskManagerAccessClient::GetInstance().GetContinuousTaskApps(continuousTaskList);
453 for (auto iter = continuousTaskList.begin(); iter != continuousTaskList.end(); iter++) {
454 if (static_cast<AccessTokenID>((*iter)->tokenId_) == tokenID) {
455 if (std::any_of((*iter)->typeIds_.begin(), (*iter)->typeIds_.end(),
456 [](const auto& typeId) { return static_cast<BackgroundMode>(typeId) == BackgroundMode::LOCATION; })) {
457 TempPermissionObserver::GetInstance().AddContinuousTask(tokenID);
458 isContinuousTaskExist = true;
459 }
460 }
461 }
462 #endif
463 bool isFormVisible = FormManagerAccessClient::GetInstance().HasFormVisible(tokenID);
464 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d, isForeground:%{public}d, isFormVisible:%{public}d,"
465 "isContinuousTaskExist:%{public}d",
466 tokenID, isForeground, isFormVisible, isContinuousTaskExist);
467 bool userEnable = true;
468 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
469 int callingUid = IPCSkeleton::GetCallingUid();
470 if (callingUid == ROOT_UID) {
471 userEnable = false;
472 }
473 #endif
474 if (!userEnable || isForeground || isFormVisible || isContinuousTaskExist) {
475 std::vector<bool> list;
476 list.emplace_back(isForeground);
477 list.emplace_back(isFormVisible);
478 list.emplace_back(isContinuousTaskExist);
479 AddTempPermTokenToList(tokenID, bundleName, permissionName, list);
480 return true;
481 }
482 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
483 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", GRANT_TEMP_PERMISSION_FAILED,
484 "TOKENID", tokenID, "PERM", permissionName, "BUNDLE_NAME", bundleName);
485 return false;
486 }
487
AddTempPermTokenToList(AccessTokenID tokenID,const std::string & bundleName,const std::string & permissionName,const std::vector<bool> & list)488 void TempPermissionObserver::AddTempPermTokenToList(AccessTokenID tokenID,
489 const std::string& bundleName, const std::string& permissionName, const std::vector<bool>& list)
490 {
491 RegisterCallback();
492 {
493 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
494 tempPermTokenMap_[tokenID] = list;
495 }
496 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d, permissionName:%{public}s", tokenID, permissionName.c_str());
497 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "GRANT_TEMP_PERMISSION",
498 HiviewDFX::HiSysEvent::EventType::BEHAVIOR,
499 "TOKENID", tokenID, "PERMISSION_NAME", permissionName);
500 {
501 std::unique_lock<std::mutex> lck(formTokenMutex_);
502 formTokenMap_[bundleName] = tokenID;
503 }
504 }
505
GetPermissionState(AccessTokenID tokenID,std::vector<PermissionStatus> & permissionStateList)506 bool TempPermissionObserver::GetPermissionState(AccessTokenID tokenID,
507 std::vector<PermissionStatus>& permissionStateList)
508 {
509 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
510 if (infoPtr == nullptr) {
511 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", tokenID);
512 return false;
513 }
514 if (infoPtr->IsRemote()) {
515 LOGE(ATM_DOMAIN, ATM_TAG, "It is a remote hap token %{public}u!", tokenID);
516 return false;
517 }
518 if (infoPtr->GetPermissionStateList(permissionStateList) != RET_SUCCESS) {
519 LOGE(ATM_DOMAIN, ATM_TAG, "GetPermissionStateList failed, token %{public}u!", tokenID);
520 return false;
521 }
522 return true;
523 }
524
RevokeAllTempPermission(AccessTokenID tokenID)525 void TempPermissionObserver::RevokeAllTempPermission(AccessTokenID tokenID)
526 {
527 std::vector<bool> list;
528 if (!GetAppStateListByTokenID(tokenID, list)) {
529 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in permList", tokenID);
530 return;
531 }
532 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
533 tempPermTokenMap_.erase(tokenID);
534 if (tempPermTokenMap_.empty()) {
535 UnRegisterCallback();
536 }
537
538 std::vector<PermissionStatus> tmpList;
539 if (!GetPermissionState(tokenID, tmpList)) {
540 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d get permission state full fail!", tokenID);
541 return;
542 }
543 for (const auto& permissionState : tmpList) {
544 if (permissionState.grantFlag & PERMISSION_ALLOW_THIS_TIME) {
545 if (PermissionManager::GetInstance().UpdatePermission(
546 tokenID, permissionState.permissionName, false, PERMISSION_ALLOW_THIS_TIME, false) != RET_SUCCESS) {
547 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d revoke permission:%{public}s failed!",
548 tokenID, permissionState.permissionName.c_str());
549 return;
550 }
551 }
552 }
553 }
554
RevokeTempPermission(AccessTokenID tokenID,const std::string & permissionName)555 void TempPermissionObserver::RevokeTempPermission(AccessTokenID tokenID, const std::string& permissionName)
556 {
557 std::vector<PermissionStatus> tmpList;
558 if (!GetPermissionState(tokenID, tmpList)) {
559 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d get permission state full fail!", tokenID);
560 return;
561 }
562 for (const auto& permissionState : tmpList) {
563 if ((permissionState.grantFlag & PERMISSION_ALLOW_THIS_TIME) &&
564 permissionState.permissionName == permissionName) {
565 if (PermissionManager::GetInstance().UpdatePermission(
566 tokenID, permissionState.permissionName, false, PERMISSION_ALLOW_THIS_TIME, false) != RET_SUCCESS) {
567 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d revoke permission:%{public}s failed!",
568 tokenID, permissionState.permissionName.c_str());
569 return;
570 }
571 }
572 }
573 }
574
OnAppMgrRemoteDiedHandle()575 void TempPermissionObserver::OnAppMgrRemoteDiedHandle()
576 {
577 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
578 for (auto iter = tempPermTokenMap_.begin(); iter != tempPermTokenMap_.end(); ++iter) {
579 std::vector<PermissionStatus> tmpList;
580 GetPermissionState(iter->first, tmpList);
581 for (const auto& permissionState : tmpList) {
582 if (!(permissionState.grantFlag & PERMISSION_ALLOW_THIS_TIME)) {
583 continue;
584 }
585 int32_t ret = PermissionManager::GetInstance().RevokePermission(
586 iter->first, permissionState.permissionName, PERMISSION_ALLOW_THIS_TIME);
587 if (ret != RET_SUCCESS) {
588 LOGE(ATM_DOMAIN, ATM_TAG, "revoke permission failed, TokenId=%{public}d, permission \
589 name is %{public}s", iter->first, permissionState.permissionName.c_str());
590 }
591 }
592 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(iter->first);
593 TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
594 }
595 tempPermTokenMap_.clear();
596 LOGI(ATM_DOMAIN, ATM_TAG, "TempPermTokenMap_ clear!");
597 appStateCallback_= nullptr;
598 }
599
600 #ifdef EVENTHANDLER_ENABLE
InitEventHandler()601 void TempPermissionObserver::InitEventHandler()
602 {
603 auto eventRunner = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
604 if (!eventRunner) {
605 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to create a recvRunner.");
606 return;
607 }
608 eventHandler_ = std::make_shared<AccessEventHandler>(eventRunner);
609 }
610
GetEventHandler()611 std::shared_ptr<AccessEventHandler> TempPermissionObserver::GetEventHandler()
612 {
613 std::lock_guard<std::mutex> lock(eventHandlerLock_);
614 if (eventHandler_ == nullptr) {
615 InitEventHandler();
616 }
617 return eventHandler_;
618 }
619 #endif
620
DelayRevokePermission(AccessToken::AccessTokenID tokenID,const std::string & taskName)621 bool TempPermissionObserver::DelayRevokePermission(AccessToken::AccessTokenID tokenID, const std::string& taskName)
622 {
623 #ifdef EVENTHANDLER_ENABLE
624 auto eventHandler = GetEventHandler();
625 if (eventHandler == nullptr) {
626 LOGE(ATM_DOMAIN, ATM_TAG, "Fail to get EventHandler");
627 return false;
628 }
629
630 LOGI(ATM_DOMAIN, ATM_TAG, "Add permission task name:%{public}s", taskName.c_str());
631
632 std::function<void()> delayed = ([tokenID]() {
633 TempPermissionObserver::GetInstance().RevokeAllTempPermission(tokenID);
634 LOGI(ATM_DOMAIN, ATM_TAG, "Token: %{public}d, delay revoke permission end", tokenID);
635 });
636 eventHandler->ProxyPostTask(delayed, taskName, cancleTimes_);
637 return true;
638 #else
639 LOGW(ATM_DOMAIN, ATM_TAG, "Eventhandler is not existed");
640 return false;
641 #endif
642 }
643
CancleTaskOfPermissionRevoking(const std::string & taskName)644 bool TempPermissionObserver::CancleTaskOfPermissionRevoking(const std::string& taskName)
645 {
646 #ifdef EVENTHANDLER_ENABLE
647 auto eventHandler = GetEventHandler();
648 if (eventHandler == nullptr) {
649 LOGE(ATM_DOMAIN, ATM_TAG, "Fail to get EventHandler");
650 return false;
651 }
652
653 LOGI(ATM_DOMAIN, ATM_TAG, "Revoke permission task name:%{public}s", taskName.c_str());
654 eventHandler->ProxyRemoveTask(taskName);
655 return true;
656 #else
657 LOGW(ATM_DOMAIN, ATM_TAG, "Eventhandler is not existed");
658 return false;
659 #endif
660 }
661
SetCancelTime(int32_t cancleTime)662 void TempPermissionObserver::SetCancelTime(int32_t cancleTime)
663 {
664 if (cancleTime != 0) {
665 cancleTimes_ = cancleTime;
666 }
667
668 LOGI(ATM_DOMAIN, ATM_TAG, "CancleTimes_ is %{public}d.", cancleTimes_);
669 }
670 } // namespace AccessToken
671 } // namespace Security
672 } // namespace OHOS
673