1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "edm_policy_set_test.h"
17 #include <thread>
18
19 #include "accesstoken_kit.h"
20 #include "accesstoken_common_log.h"
21 #include "access_token_error.h"
22 #include "permission_map.h"
23 #include "perm_setproc.h"
24 #include "test_common.h"
25 #include "token_setproc.h"
26 #include "tokenid_kit.h"
27
28 using namespace testing::ext;
29 using namespace OHOS::Security::AccessToken;
30
31 namespace {
32 static const uint32_t DEFAULT_ACCOUNT_ID = 100;
33 static const uint32_t MOCK_USER_ID_10001 = 10001;
34 static const uint32_t MOCK_USER_ID_10002 = 10002;
35 static const uint32_t MOCK_USER_ID_10003 = 10003;
36 const std::string MANAGE_HAP_TOKEN_ID_PERMISSION = "ohos.permission.MANAGE_HAP_TOKENID";
37 const std::string INTERNET = "ohos.permission.INTERNET";
38 static const std::string GET_NETWORK_STATS = "ohos.permission.GET_NETWORK_STATS";
39 static const std::string LOCATION = "ohos.permission.LOCATION";
40 static const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS";
41 static const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS";
42 PermissionStateFull g_infoManagerInternetState = {
43 .permissionName = INTERNET,
44 .isGeneral = true,
45 .resDeviceID = {"local2"},
46 .grantStatus = {PermissionState::PERMISSION_GRANTED},
47 .grantFlags = {0}
48 };
49
50 PermissionStateFull g_infoManagerNetWorkState = {
51 .permissionName = GET_NETWORK_STATS,
52 .isGeneral = true,
53 .resDeviceID = {"local2"},
54 .grantStatus = {PermissionState::PERMISSION_GRANTED},
55 .grantFlags = {0}
56 };
57
58 PermissionStateFull g_infoManagerManageNetState = {
59 .permissionName = LOCATION,
60 .isGeneral = true,
61 .resDeviceID = {"local2"},
62 .grantStatus = {PermissionState::PERMISSION_DENIED},
63 .grantFlags = {0}
64 };
65
66 // Permission set
67 HapInfoParams g_testHapInfoParams = {
68 .userID = 0,
69 .bundleName = "testName",
70 .instIndex = 0,
71 .appIDDesc = "test2",
72 .apiVersion = 11 // api version is 11
73 };
74
75 HapPolicyParams g_testPolicyParams = {
76 .apl = APL_SYSTEM_CORE,
77 .domain = "test.domain2",
78 .permStateList = {
79 g_infoManagerInternetState,
80 g_infoManagerNetWorkState,
81 g_infoManagerManageNetState,
82 }
83 };
84
85 uint64_t g_selfShellTokenId;
86 static MockHapToken* g_mock = nullptr;
87 }
88
TearDownTestCase()89 void EdmPolicySetTest::TearDownTestCase()
90 {
91 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(
92 g_testHapInfoParams.userID, g_testHapInfoParams.bundleName, g_testHapInfoParams.instIndex);
93 TestCommon::DeleteTestHapToken(tokenIdEx.tokenIdExStruct.tokenID);
94 if (g_mock != nullptr) {
95 delete g_mock;
96 g_mock = nullptr;
97 }
98 EXPECT_EQ(0, SetSelfTokenID(g_selfShellTokenId));
99 TestCommon::ResetTestEvironment();
100 }
101
SetUp()102 void EdmPolicySetTest::SetUp()
103 {
104 LOGI(ATM_DOMAIN, ATM_TAG, "SetUp ok.");
105 }
106
TearDown()107 void EdmPolicySetTest::TearDown()
108 {
109 }
110
SetUpTestCase()111 void EdmPolicySetTest::SetUpTestCase()
112 {
113 g_selfShellTokenId = GetSelfTokenID();
114 TestCommon::SetTestEvironment(g_selfShellTokenId);
115
116 std::vector<std::string> reqPerm;
117 reqPerm.emplace_back(MANAGE_HAP_TOKEN_ID_PERMISSION);
118 reqPerm.emplace_back(GET_SENSITIVE_PERMISSIONS);
119 reqPerm.emplace_back(REVOKE_SENSITIVE_PERMISSIONS);
120 g_mock = new (std::nothrow) MockHapToken("EdmPolicySetTest", reqPerm);
121 LOGI(ATM_DOMAIN, ATM_TAG, "SetUpTestCase ok.");
122 }
123
124 /**
125 * @tc.name: InitUserPolicy001
126 * @tc.desc: InitUserPolicy failed invalid userList size.
127 * @tc.type: FUNC
128 * @tc.require:Issue Number
129 */
130 HWTEST_F(EdmPolicySetTest, InitUserPolicy001, TestSize.Level1)
131 {
132 const int32_t invalidSize = 1025; // 1025 is invalid size.
133 std::vector<UserState> userList(invalidSize);
134 std::vector<std::string> permList = { "ohos.permission.INTERNET" };
135 int32_t ret = AccessTokenKit::InitUserPolicy(userList, permList);
136 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
137 }
138
139 /**
140 * @tc.name: InitUserPolicy002
141 * @tc.desc: InitUserPolicy failed empty userList.
142 * @tc.type: FUNC
143 * @tc.require:Issue Number
144 */
145 HWTEST_F(EdmPolicySetTest, InitUserPolicy002, TestSize.Level1)
146 {
147 std::vector<UserState> userListEmtpy;
148 std::vector<std::string> permList = { "ohos.permission.INTERNET" };
149 int32_t ret = AccessTokenKit::InitUserPolicy(userListEmtpy, permList);
150 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
151 }
152
153 /**
154 * @tc.name: InitUserPolicy003
155 * @tc.desc: InitUserPolicy failed empty userList.
156 * @tc.type: FUNC
157 * @tc.require:Issue Number
158 */
159 HWTEST_F(EdmPolicySetTest, InitUserPolicy003, TestSize.Level1)
160 {
161 UserState user = {.userId = DEFAULT_ACCOUNT_ID, .isActive = true};
162 const int32_t invalidSize = 1025; // 1025 is invalid size.
163 std::vector<UserState> userList = { user };
164 std::vector<std::string> permList(invalidSize, "abc");
165 int32_t ret = AccessTokenKit::InitUserPolicy(userList, permList);
166 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
167 }
168
169 /**
170 * @tc.name: InitUserPolicy004
171 * @tc.desc: InitUserPolicy failed empty permList.
172 * @tc.type: FUNC
173 * @tc.require:Issue Number
174 */
175 HWTEST_F(EdmPolicySetTest, InitUserPolicy004, TestSize.Level1)
176 {
177 UserState user = {.userId = DEFAULT_ACCOUNT_ID, .isActive = true};
178 std::vector<UserState> userList = { user };
179 std::vector<std::string> permListEmpty;
180 int32_t ret = AccessTokenKit::InitUserPolicy(userList, permListEmpty);
181 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
182 }
183
184
185 /**
186 * @tc.name: InitUserPolicy005
187 * @tc.desc: InitUserPolicy and the stock permission status is refreshed according to the policy.
188 * @tc.type: FUNC
189 * @tc.require:Issue Number
190 */
191 HWTEST_F(EdmPolicySetTest, InitUserPolicy005, TestSize.Level1)
192 {
193 GTEST_LOG_(INFO) << "permissionSet OK ";
194 MockNativeToken mock("foundation");
195
196 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
197 AccessTokenIDEx fullIdUser1;
198 EXPECT_EQ(RET_SUCCESS,
199 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
200 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
201 AccessTokenIDEx fullIdUser2;
202 EXPECT_EQ(RET_SUCCESS,
203 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
204 g_testHapInfoParams.userID = MOCK_USER_ID_10003;
205 AccessTokenIDEx fullIdUser3;
206 EXPECT_EQ(RET_SUCCESS,
207 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser3));
208
209 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
210 PERMISSION_DENIED);
211
212 UserState user0 = {.userId = -1, .isActive = true};
213 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = true};
214 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = false};
215 UserState user3 = {.userId = MOCK_USER_ID_10003, .isActive = false};
216
217 std::vector<UserState> userList = { user0, user1, user2, user3 };
218 std::vector<std::string> permList = { INTERNET, GET_NETWORK_STATS, LOCATION };
219 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::InitUserPolicy(userList, permList));
220
221 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
222 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
223 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser3.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
224 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
225 PERMISSION_DENIED);
226 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
227 PERMISSION_DENIED);
228 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser3.tokenIdExStruct.tokenID, LOCATION),
229 PERMISSION_DENIED);
230
231 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
232 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
233 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser3.tokenIdExStruct.tokenID));
234
235 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::ClearUserPolicy());
236 }
237
238 /**
239 * @tc.name: InitUserPolicy006
240 * @tc.desc: Check permission status in the heap.
241 * @tc.type: FUNC
242 * @tc.require:Issue Number
243 */
244 HWTEST_F(EdmPolicySetTest, InitUserPolicy006, TestSize.Level1)
245 {
246 GTEST_LOG_(INFO) << "permissionSet OK ";
247 MockNativeToken mock("foundation");
248
249 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
250 AccessTokenIDEx fullIdUser1;
251 EXPECT_EQ(RET_SUCCESS,
252 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
253 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
254 AccessTokenIDEx fullIdUser2;
255 EXPECT_EQ(RET_SUCCESS,
256 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
257
258 UserState user0 = {.userId = -1, .isActive = true};
259 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = true};
260 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = false};
261
262 std::vector<UserState> userList = { user0, user1, user2};
263 std::vector<std::string> permList = { INTERNET, GET_NETWORK_STATS, LOCATION };
264 int32_t res = AccessTokenKit::InitUserPolicy(userList, permList);
265 EXPECT_EQ(res, 0);
266
267 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
268 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
269
270 std::vector<PermissionStateFull> permStatList;
271 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetReqPermissions(fullIdUser2.tokenIdExStruct.tokenID, permStatList, true));
272 ASSERT_EQ(static_cast<uint32_t>(2), permStatList.size());
273 EXPECT_EQ(INTERNET, permStatList[0].permissionName);
274 EXPECT_EQ(PERMISSION_GRANTED, permStatList[0].grantStatus[0]);
275
276 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
277 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
278
279 res = AccessTokenKit::ClearUserPolicy();
280 EXPECT_EQ(res, 0);
281 }
282
283 /**
284 * @tc.name: UpdateUserPolicy001
285 * @tc.desc: UpdateUserPolicy failed with
286 * policy uninitialized and ClearUserPolicy successfully with policy uninitialized.
287 * @tc.type: FUNC
288 * @tc.require:Issue Number
289 */
290 HWTEST_F(EdmPolicySetTest, UpdateUserPolicy001, TestSize.Level1)
291 {
292 GTEST_LOG_(INFO) << "permissionSet OK ";
293 MockNativeToken mock("foundation");
294
295 UserState user = {.userId = DEFAULT_ACCOUNT_ID, .isActive = true};
296 const std::vector<UserState> userList = { user };
297 int32_t res = AccessTokenKit::UpdateUserPolicy(userList);
298 EXPECT_EQ(res, AccessTokenError::ERR_USER_POLICY_NOT_INITIALIZED);
299
300 res = AccessTokenKit::ClearUserPolicy();
301 EXPECT_EQ(res, RET_SUCCESS);
302 }
303
304 /**
305 * @tc.name: UpdateUserPolicy003
306 * @tc.desc: UpdateUserPolicy with invalid userList.
307 * @tc.type: FUNC
308 * @tc.require:Issue Number
309 */
310 HWTEST_F(EdmPolicySetTest, UpdateUserPolicy003, TestSize.Level1)
311 {
312 const int32_t invalidSize = 1025; // 1025 is invalid size.
313 std::vector<UserState> userList(invalidSize);
314 int32_t ret = AccessTokenKit::UpdateUserPolicy(userList);
315 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
316
317 std::vector<UserState> userListEmpty;
318 ret = AccessTokenKit::UpdateUserPolicy(userListEmpty);
319 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
320 }
321
322 /**
323 * @tc.name: UpdateUserPolicy004
324 * @tc.desc: UpdateUserPolicy and the stock permission status is refreshed according to the policy.
325 * @tc.type: FUNC
326 * @tc.require:Issue Number
327 */
328 HWTEST_F(EdmPolicySetTest, UpdateUserPolicy004, TestSize.Level1)
329 {
330 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
331 AccessTokenIDEx fullIdUser1;
332 EXPECT_EQ(RET_SUCCESS,
333 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
334 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
335 AccessTokenIDEx fullIdUser2;
336 EXPECT_EQ(RET_SUCCESS,
337 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
338 g_testHapInfoParams.userID = MOCK_USER_ID_10003;
339 AccessTokenIDEx fullIdUser3;
340 EXPECT_EQ(RET_SUCCESS,
341 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser3));
342
343 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = false};
344 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = true};
345 UserState user3 = {.userId = MOCK_USER_ID_10003, .isActive = true};
346 std::vector<UserState> userListBefore = { user1, user2, user3 };
347 std::vector<std::string> permList = { INTERNET, LOCATION };
348 int32_t ret = AccessTokenKit::InitUserPolicy(userListBefore, permList);
349 EXPECT_EQ(ret, 0);
350 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
351 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
352 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser3.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
353 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
354 PERMISSION_DENIED);
355 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
356 PERMISSION_DENIED);
357
358 // update the policy
359 user1.isActive = true;
360 user2.isActive = false;
361 std::vector<UserState> userListAfter = { user1, user2 };
362 ret = AccessTokenKit::UpdateUserPolicy(userListAfter);
363 EXPECT_EQ(ret, 0);
364 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
365 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
366 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser3.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
367 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
368 PERMISSION_DENIED);
369 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
370 PERMISSION_DENIED);
371
372 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
373 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
374 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser3.tokenIdExStruct.tokenID));
375
376 int32_t res = AccessTokenKit::ClearUserPolicy();
377 EXPECT_EQ(res, 0);
378 }
379
380
381 /**
382 * @tc.name: UserPolicyTestForNewHap
383 * @tc.desc: Set the authorization status based on the user policy during new hap installation
384 * @tc.type: FUNC
385 * @tc.require:Issue Number
386 */
387 HWTEST_F(EdmPolicySetTest, UserPolicyTestForNewHap, TestSize.Level1)
388 {
389 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = true};
390 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = true};
391 std::vector<UserState> userListBefore = { user1, user2 };
392 std::vector<std::string> permList = { INTERNET, LOCATION };
393 EXPECT_EQ(AccessTokenKit::InitUserPolicy(userListBefore, permList), 0);
394
395 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
396 AccessTokenIDEx fullIdUser1;
397 EXPECT_EQ(RET_SUCCESS,
398 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
399 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
400 AccessTokenIDEx fullIdUser2;
401 EXPECT_EQ(RET_SUCCESS,
402 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
403
404 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
405 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
406 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
407 PERMISSION_DENIED);
408 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
409 PERMISSION_DENIED);
410 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
411 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
412
413 // update the policy
414 user1.isActive = false;
415 user2.isActive = false;
416 std::vector<UserState> userListAfter = { user1, user2 };
417 int32_t ret = AccessTokenKit::UpdateUserPolicy(userListAfter);
418 EXPECT_EQ(ret, 0);
419 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
420 EXPECT_EQ(RET_SUCCESS,
421 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
422 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
423 EXPECT_EQ(RET_SUCCESS,
424 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
425 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
426 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
427 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
428 PERMISSION_DENIED);
429 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
430 PERMISSION_DENIED);
431 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
432 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
433 EXPECT_EQ(AccessTokenKit::ClearUserPolicy(), 0);
434 }
435
436 /**
437 * @tc.name: UserPolicyTestForNewHap
438 * @tc.desc: Set the authorization status based on the user policy during new hap installation
439 * @tc.type: FUNC
440 * @tc.require:Issue Number
441 */
442 HWTEST_F(EdmPolicySetTest, UserPolicyTestForClearUserGranted, TestSize.Level1)
443 {
444 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = true};
445 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = false};
446 std::vector<UserState> userListBefore = { user1, user2 };
447 std::vector<std::string> permList = { INTERNET, LOCATION };
448 int32_t ret = AccessTokenKit::InitUserPolicy(userListBefore, permList);
449 EXPECT_EQ(ret, 0);
450
451 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
452 AccessTokenIDEx fullIdUser1;
453 EXPECT_EQ(RET_SUCCESS,
454 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
455 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
456 AccessTokenIDEx fullIdUser2;
457 EXPECT_EQ(RET_SUCCESS,
458 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
459
460 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
461 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
462
463 ret = AccessTokenKit::ClearUserGrantedPermissionState(fullIdUser1.tokenIdExStruct.tokenID);
464 EXPECT_EQ(RET_SUCCESS, ret);
465 ret = AccessTokenKit::ClearUserGrantedPermissionState(fullIdUser2.tokenIdExStruct.tokenID);
466 EXPECT_EQ(RET_SUCCESS, ret);
467 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
468 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
469
470 // update the policy
471 user1.isActive = false;
472 user2.isActive = true;
473 std::vector<UserState> userListAfter = { user1, user2 };
474 ret = AccessTokenKit::UpdateUserPolicy(userListAfter);
475
476 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
477 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
478
479 ret = AccessTokenKit::ClearUserGrantedPermissionState(fullIdUser1.tokenIdExStruct.tokenID);
480 ret = AccessTokenKit::ClearUserGrantedPermissionState(fullIdUser2.tokenIdExStruct.tokenID);
481 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
482 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
483
484 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
485 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
486
487 int32_t res = AccessTokenKit::ClearUserPolicy();
488 EXPECT_EQ(res, 0);
489 }
490
491 /**
492 * @tc.name: ClearUserPolicy001
493 * @tc.desc: Check permission status after clear user policy.
494 * @tc.type: FUNC
495 * @tc.require:Issue Number
496 */
497 HWTEST_F(EdmPolicySetTest, ClearUserPolicy001, TestSize.Level1)
498 {
499 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
500 AccessTokenIDEx fullIdUser2;
501 EXPECT_EQ(RET_SUCCESS,
502 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
503 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
504 AccessTokenIDEx fullIdUser1;
505 EXPECT_EQ(RET_SUCCESS,
506 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
507
508 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = false};
509 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = false};
510 std::vector<UserState> userList = { user1, user2};
511 std::vector<std::string> permList = { INTERNET };
512 EXPECT_EQ(0, AccessTokenKit::InitUserPolicy(userList, permList));
513 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
514 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
515 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET, true),
516 PERMISSION_DENIED);
517 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET, true),
518 PERMISSION_DENIED);
519
520 int32_t res = AccessTokenKit::ClearUserPolicy();
521 EXPECT_EQ(res, 0);
522
523 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
524 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
525
526 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
527 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
528 }
529
530
531 /**
532 * @tc.name: UserPolicyForUpdateHapTokenTest
533 * @tc.desc: UpdateHapToken and check permission status with user policy After .
534 * @tc.type: FUNC
535 * @tc.require:Issue Number
536 */
537 HWTEST_F(EdmPolicySetTest, UserPolicyForUpdateHapTokenTest, TestSize.Level1)
538 {
539 HapPolicyParams testPolicyParams1 = {
540 .apl = APL_SYSTEM_CORE,
541 .domain = "test.domain2",
542 .permStateList = {
543 g_infoManagerNetWorkState,
544 }
545 };
546 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
547 AccessTokenIDEx fullIdUser1;
548 EXPECT_EQ(RET_SUCCESS,
549 TestCommon::AllocTestHapToken(g_testHapInfoParams, testPolicyParams1, fullIdUser1));
550
551 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = false};
552 std::vector<UserState> userList = { user1};
553 std::vector<std::string> permList = { INTERNET };
554 EXPECT_EQ(0, AccessTokenKit::InitUserPolicy(userList, permList));
555 HapPolicyParams testPolicyParams2 = {
556 .apl = APL_SYSTEM_CORE,
557 .domain = "test.domain2",
558 .permStateList = {
559 g_infoManagerInternetState,
560 g_infoManagerNetWorkState,
561 }
562 };
563 UpdateHapInfoParams info;
564 info.appIDDesc = "TEST";
565 info.apiVersion = 12;
566 info.isSystemApp = false;
567 {
568 MockNativeToken mock("foundation");
569 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::UpdateHapToken(fullIdUser1, info, testPolicyParams2));
570 }
571 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
572
573 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::ClearUserPolicy());
574 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
575
576 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
577 }