1 /*
2 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "temp_permission_observer.h"
17
18 #include "access_token.h"
19 #include "access_token_error.h"
20 #include "accesstoken_info_manager.h"
21 #include "accesstoken_common_log.h"
22 #include "libraryloader.h"
23 #include "app_manager_access_client.h"
24 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
25 #include "background_task_manager_access_client.h"
26 #endif
27 #include "form_manager_access_client.h"
28 #include "hisysevent.h"
29 #include "hisysevent_adapter.h"
30 #include "ipc_skeleton.h"
31 #include "json_parse_loader.h"
32
33 namespace OHOS {
34 namespace Security {
35 namespace AccessToken {
36 namespace {
37 static const std::string TASK_NAME_TEMP_PERMISSION = "atm_permission_manager_temp_permission";
38 static const std::string FORM_INVISIBLE_NAME = "#0";
39 static const std::string FORM_VISIBLE_NAME = "#1";
40 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
41 static constexpr int32_t ROOT_UID = 0;
42 #endif
43 static constexpr int32_t FOREGROUND_FLAG = 0;
44 static constexpr int32_t FORMS_FLAG = 1;
45 static constexpr int32_t CONTINUOUS_TASK_FLAG = 2;
46 static constexpr int32_t DEFAULT_CANCLE_MILLISECONDS = 10 * 1000; // 10s
47 std::recursive_mutex g_instanceMutex;
48 static const std::vector<std::string> g_tempPermission = {
49 "ohos.permission.READ_PASTEBOARD",
50 "ohos.permission.APPROXIMATELY_LOCATION",
51 "ohos.permission.LOCATION",
52 "ohos.permission.LOCATION_IN_BACKGROUND"
53 };
54 }
55
GetInstance()56 TempPermissionObserver& TempPermissionObserver::GetInstance()
57 {
58 static TempPermissionObserver* instance = nullptr;
59 if (instance == nullptr) {
60 std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
61 if (instance == nullptr) {
62 TempPermissionObserver* tmp = new (std::nothrow) TempPermissionObserver();
63 instance = std::move(tmp);
64 }
65 }
66 return *instance;
67 }
68
OnAppStateChanged(const AppStateData & appStateData)69 void PermissionAppStateObserver::OnAppStateChanged(const AppStateData &appStateData)
70 {
71 uint32_t tokenID = appStateData.accessTokenId;
72 std::vector<bool> list;
73 if (!TempPermissionObserver::GetInstance().GetAppStateListByTokenID(tokenID, list)) {
74 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not use temp permission", tokenID);
75 return;
76 }
77 LOGI(ATM_DOMAIN, ATM_TAG, "OnChange(accessTokenId=%{public}d, state=%{public}d)", tokenID, appStateData.state);
78 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_FOREGROUND)) {
79 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, FOREGROUND_FLAG, true);
80 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
81 (void)TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
82 } else if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_BACKGROUND)) {
83 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, FOREGROUND_FLAG, false);
84 if (list[FORMS_FLAG]) {
85 LOGW(ATM_DOMAIN, ATM_TAG, "%{public}d:tokenID has form, don't delayRevokePermission!", tokenID);
86 return;
87 }
88 if (list[CONTINUOUS_TASK_FLAG]) {
89 LOGW(ATM_DOMAIN, ATM_TAG, "%{public}d:tokenID has continuoustask, don't delayRevokePermission!", tokenID);
90 return;
91 }
92 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
93 (void)TempPermissionObserver::GetInstance().DelayRevokePermission(tokenID, taskName);
94 }
95 }
96
OnAppStopped(const AppStateData & appStateData)97 void PermissionAppStateObserver::OnAppStopped(const AppStateData &appStateData)
98 {
99 if (appStateData.state == static_cast<int32_t>(ApplicationState::APP_STATE_TERMINATED)) {
100 uint32_t tokenID = appStateData.accessTokenId;
101 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d died.", tokenID);
102 // cancle task when process die
103 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
104 (void)TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
105 TempPermissionObserver::GetInstance().RevokeAllTempPermission(tokenID);
106 }
107 }
108
OnAppCacheStateChanged(const AppStateData & appStateData)109 void PermissionAppStateObserver::OnAppCacheStateChanged(const AppStateData &appStateData)
110 {
111 uint32_t tokenID = appStateData.accessTokenId;
112 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID is %{public}d, state is %{public}d.", tokenID, appStateData.state);
113
114 /*
115 warm start application shut down application do not means kill process,
116 actually this operation means application turn background with OnAppCacheStateChanged callback,
117 so temporary authorization should be cancle as OnAppStopped when receive this callback
118 */
119 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
120 (void)TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
121 TempPermissionObserver::GetInstance().RevokeAllTempPermission(tokenID);
122 }
123
NotifyWhetherFormsVisible(const FormVisibilityType visibleType,const std::string & bundleName,std::vector<FormInstance> & formInstances)124 int32_t PermissionFormStateObserver::NotifyWhetherFormsVisible(const FormVisibilityType visibleType,
125 const std::string &bundleName, std::vector<FormInstance> &formInstances)
126 {
127 for (size_t i = 0; i < formInstances.size(); i++) {
128 AccessTokenID tokenID;
129 if (!TempPermissionObserver::GetInstance().GetTokenIDByBundle(formInstances[i].bundleName_, tokenID)) {
130 continue;
131 }
132 std::vector<bool> list;
133 if (!TempPermissionObserver::GetInstance().GetAppStateListByTokenID(tokenID, list)) {
134 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not use temp permission", tokenID);
135 continue;
136 }
137
138 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}s, tokenID: %{public}d, formVisiblity:%{public}d",
139 formInstances[i].bundleName_.c_str(), tokenID, formInstances[i].formVisiblity_);
140
141 if (formInstances[i].formVisiblity_ == FormVisibilityType::VISIBLE) {
142 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, FORMS_FLAG, true);
143 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
144 (void)TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
145 } else if (formInstances[i].formVisiblity_ == FormVisibilityType::INVISIBLE) {
146 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, FORMS_FLAG, false);
147 if (list[FOREGROUND_FLAG]) {
148 LOGW(ATM_DOMAIN, ATM_TAG, "%{public}d:tokenID in foreground don't delayRevokePermission!", tokenID);
149 continue;
150 }
151 if (list[CONTINUOUS_TASK_FLAG]) {
152 LOGW(ATM_DOMAIN, ATM_TAG, "%{public}d:tokenID has task, don't delayRevokePermission!", tokenID);
153 continue;
154 }
155 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
156 (void)TempPermissionObserver::GetInstance().DelayRevokePermission(tokenID, taskName);
157 }
158 }
159 return RET_SUCCESS;
160 }
161 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
OnContinuousTaskStart(const std::shared_ptr<ContinuousTaskCallbackInfo> & continuousTaskCallbackInfo)162 void PermissionBackgroundTaskObserver::OnContinuousTaskStart(
163 const std::shared_ptr<ContinuousTaskCallbackInfo> &continuousTaskCallbackInfo)
164 {
165 AccessTokenID tokenID = static_cast<AccessTokenID>(continuousTaskCallbackInfo->GetFullTokenId());
166 std::vector<uint32_t> typeIds = continuousTaskCallbackInfo->GetTypeIds();
167 auto it = std::find(typeIds.begin(), typeIds.end(), static_cast<uint32_t>(BackgroundMode::LOCATION));
168 if (it == typeIds.end()) {
169 LOGI(ATM_DOMAIN, ATM_TAG, "TypeId can not use temp permission");
170 return;
171 }
172 std::vector<bool> list;
173 if (!TempPermissionObserver::GetInstance().GetAppStateListByTokenID(tokenID, list)) {
174 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not use temp permission", tokenID);
175 return;
176 }
177 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}d", tokenID);
178 TempPermissionObserver::GetInstance().AddContinuousTask(tokenID);
179 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, CONTINUOUS_TASK_FLAG, true);
180 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
181 (void)TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
182 }
183
OnContinuousTaskStop(const std::shared_ptr<ContinuousTaskCallbackInfo> & continuousTaskCallbackInfo)184 void PermissionBackgroundTaskObserver::OnContinuousTaskStop(
185 const std::shared_ptr<ContinuousTaskCallbackInfo> &continuousTaskCallbackInfo)
186 {
187 AccessTokenID tokenID = static_cast<AccessTokenID>(continuousTaskCallbackInfo->GetFullTokenId());
188 std::vector<uint32_t> typeIds = continuousTaskCallbackInfo->GetTypeIds();
189 auto it = std::find(typeIds.begin(), typeIds.end(), static_cast<uint32_t>(BackgroundMode::LOCATION));
190 if (it == typeIds.end()) {
191 LOGI(ATM_DOMAIN, ATM_TAG, "TypeId can not use temp permission");
192 return;
193 }
194 std::vector<bool> list;
195 if (!TempPermissionObserver::GetInstance().GetAppStateListByTokenID(tokenID, list)) {
196 LOGD(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not use temp permission", tokenID);
197 return;
198 }
199 LOGI(ATM_DOMAIN, ATM_TAG, "%{public}d", tokenID);
200 TempPermissionObserver::GetInstance().DelContinuousTask(tokenID);
201 if (TempPermissionObserver::GetInstance().FindContinuousTask(tokenID)) {
202 LOGW(ATM_DOMAIN, ATM_TAG, "Has continuous task don't delayRevokePermission!");
203 return;
204 }
205 TempPermissionObserver::GetInstance().ModifyAppState(tokenID, CONTINUOUS_TASK_FLAG, false);
206 if (list[FOREGROUND_FLAG] || list[FORMS_FLAG]) {
207 LOGW(ATM_DOMAIN, ATM_TAG, "Has form or inForeground don't delayRevokePermission!");
208 return;
209 }
210 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(tokenID);
211 (void)TempPermissionObserver::GetInstance().DelayRevokePermission(tokenID, taskName);
212 }
213 #endif
NotifyAppManagerDeath()214 void PermissionAppManagerDeathCallback::NotifyAppManagerDeath()
215 {
216 LOGI(ATM_DOMAIN, ATM_TAG, "TempPermissionObserver AppManagerDeath called");
217
218 TempPermissionObserver::GetInstance().OnAppMgrRemoteDiedHandle();
219 }
220
TempPermissionObserver()221 TempPermissionObserver::TempPermissionObserver() : cancelTimes_(DEFAULT_CANCLE_MILLISECONDS)
222 {}
223
~TempPermissionObserver()224 TempPermissionObserver::~TempPermissionObserver()
225 {
226 UnRegisterCallback();
227 }
228
RegisterCallback()229 void TempPermissionObserver::RegisterCallback()
230 {
231 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
232 {
233 std::lock_guard<std::mutex> lock(backgroundTaskCallbackMutex_);
234 if (backgroundTaskCallback_ == nullptr) {
235 backgroundTaskCallback_ = new (std::nothrow) PermissionBackgroundTaskObserver();
236 if (backgroundTaskCallback_ == nullptr) {
237 LOGE(ATM_DOMAIN, ATM_TAG, "Register backgroundTaskCallback failed.");
238 return;
239 }
240 int ret = BackgroundTaskManagerAccessClient::GetInstance().SubscribeBackgroundTask(backgroundTaskCallback_);
241 LOGI(ATM_DOMAIN, ATM_TAG, "Register backgroundTaskCallback %{public}d.", ret);
242 }
243 }
244 #endif
245 {
246 std::lock_guard<std::mutex> lock(formStateCallbackMutex_);
247 if (formVisibleCallback_ == nullptr) {
248 formVisibleCallback_ = new (std::nothrow) PermissionFormStateObserver();
249 if (formVisibleCallback_ == nullptr) {
250 LOGE(ATM_DOMAIN, ATM_TAG, "Register formStateCallback failed.");
251 return;
252 }
253 int ret = FormManagerAccessClient::GetInstance().RegisterAddObserver(
254 FORM_VISIBLE_NAME, formVisibleCallback_->AsObject());
255 if (ret != ERR_OK) {
256 LOGI(ATM_DOMAIN, ATM_TAG, "Register observer %{public}d.", ret);
257 }
258 }
259 if (formInvisibleCallback_ == nullptr) {
260 formInvisibleCallback_ = new (std::nothrow) PermissionFormStateObserver();
261 if (formInvisibleCallback_ == nullptr) {
262 LOGE(ATM_DOMAIN, ATM_TAG, "Register formStateCallback failed.");
263 formVisibleCallback_ = nullptr;
264 return;
265 }
266 int ret = FormManagerAccessClient::GetInstance().RegisterAddObserver(
267 FORM_INVISIBLE_NAME, formInvisibleCallback_->AsObject());
268 if (ret != ERR_OK) {
269 LOGI(ATM_DOMAIN, ATM_TAG, "Register observer %{public}d.", ret);
270 }
271 }
272 }
273 RegisterAppStatusListener();
274 }
275
RegisterAppStatusListener()276 void TempPermissionObserver::RegisterAppStatusListener()
277 {
278 {
279 std::lock_guard<std::mutex> lock(appStateCallbackMutex_);
280 if (appStateCallback_ == nullptr) {
281 appStateCallback_ = new (std::nothrow) PermissionAppStateObserver();
282 if (appStateCallback_ == nullptr) {
283 LOGE(ATM_DOMAIN, ATM_TAG, "Register appStateCallback failed.");
284 return;
285 }
286 int ret = AppManagerAccessClient::GetInstance().RegisterApplicationStateObserver(appStateCallback_);
287 if (ret != ERR_OK) {
288 LOGI(ATM_DOMAIN, ATM_TAG, "Register appStateCallback %{public}d.", ret);
289 }
290 }
291 }
292 // app manager death callback register
293 {
294 std::lock_guard<std::mutex> lock(appManagerDeathMutex_);
295 if (appManagerDeathCallback_ == nullptr) {
296 appManagerDeathCallback_ = std::make_shared<PermissionAppManagerDeathCallback>();
297 if (appManagerDeathCallback_ == nullptr) {
298 LOGE(ATM_DOMAIN, ATM_TAG, "Register appManagerDeathCallback failed.");
299 return;
300 }
301 AppManagerAccessClient::GetInstance().RegisterDeathCallback(appManagerDeathCallback_);
302 }
303 }
304 }
305
UnRegisterCallback()306 void TempPermissionObserver::UnRegisterCallback()
307 {
308 {
309 std::lock_guard<std::mutex> lock(appStateCallbackMutex_);
310 if (appStateCallback_ != nullptr) {
311 int32_t ret = AppManagerAccessClient::GetInstance().UnregisterApplicationStateObserver(appStateCallback_);
312 if (ret != ERR_OK) {
313 LOGI(ATM_DOMAIN, ATM_TAG, "Unregister appStateCallback %{public}d.", ret);
314 }
315 appStateCallback_= nullptr;
316 }
317 }
318 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
319 {
320 std::lock_guard<std::mutex> lock(backgroundTaskCallbackMutex_);
321 if (backgroundTaskCallback_ != nullptr) {
322 int32_t ret = BackgroundTaskManagerAccessClient::GetInstance().UnsubscribeBackgroundTask(
323 backgroundTaskCallback_);
324 if (ret != ERR_NONE) {
325 LOGI(ATM_DOMAIN, ATM_TAG, "Unregister appStateCallback %{public}d.", ret);
326 }
327 backgroundTaskCallback_= nullptr;
328 }
329 }
330 #endif
331 {
332 std::lock_guard<std::mutex> lock(formStateCallbackMutex_);
333 if (formVisibleCallback_ != nullptr) {
334 int32_t ret = FormManagerAccessClient::GetInstance().RegisterRemoveObserver(
335 FORM_VISIBLE_NAME,
336 formVisibleCallback_);
337 if (ret != ERR_OK) {
338 LOGI(ATM_DOMAIN, ATM_TAG, "Unregister appStateCallback %{public}d.", ret);
339 }
340 formVisibleCallback_ = nullptr;
341 }
342 if (formInvisibleCallback_ != nullptr) {
343 int32_t ret = FormManagerAccessClient::GetInstance().RegisterRemoveObserver(
344 FORM_INVISIBLE_NAME, formInvisibleCallback_);
345 if (ret != ERR_OK) {
346 LOGI(ATM_DOMAIN, ATM_TAG, "Unregister appStateCallback %{public}d.", ret);
347 }
348 formInvisibleCallback_ = nullptr;
349 }
350 }
351 }
352
GetAppStateListByTokenID(AccessTokenID tokenID,std::vector<bool> & list)353 bool TempPermissionObserver::GetAppStateListByTokenID(AccessTokenID tokenID, std::vector<bool>& list)
354 {
355 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
356 auto iter = tempPermTokenMap_.find(tokenID);
357 if (iter == tempPermTokenMap_.end()) {
358 return false;
359 }
360 list = iter->second;
361 return true;
362 }
363
ModifyAppState(AccessTokenID tokenID,int32_t index,bool flag)364 void TempPermissionObserver::ModifyAppState(AccessTokenID tokenID, int32_t index, bool flag)
365 {
366 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
367 auto iter = tempPermTokenMap_.find(tokenID);
368 if (iter == tempPermTokenMap_.end()) {
369 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in map", tokenID);
370 return;
371 }
372 iter->second[index] = flag;
373 }
374
GetTokenIDByBundle(const std::string & bundleName,AccessTokenID & tokenID)375 bool TempPermissionObserver::GetTokenIDByBundle(const std::string &bundleName, AccessTokenID& tokenID)
376 {
377 std::unique_lock<std::mutex> lck(formTokenMutex_);
378 auto iter = formTokenMap_.find(bundleName);
379 if (iter == formTokenMap_.end()) {
380 LOGD(ATM_DOMAIN, ATM_TAG, "BundleName:%{public}s not exist in map", bundleName.c_str());
381 return false;
382 }
383 tokenID = iter->second;
384 return true;
385 }
386
AddContinuousTask(AccessTokenID tokenID)387 void TempPermissionObserver::AddContinuousTask(AccessTokenID tokenID)
388 {
389 std::unique_lock<std::mutex> lck(continuousTaskMutex_);
390 auto iter = continuousTaskMap_.find(tokenID);
391 if (iter == continuousTaskMap_.end()) {
392 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in map", tokenID);
393 continuousTaskMap_[tokenID] = 1;
394 return;
395 }
396 continuousTaskMap_[tokenID]++;
397 }
398
DelContinuousTask(AccessTokenID tokenID)399 void TempPermissionObserver::DelContinuousTask(AccessTokenID tokenID)
400 {
401 std::unique_lock<std::mutex> lck(continuousTaskMutex_);
402 auto iter = continuousTaskMap_.find(tokenID);
403 if (iter == continuousTaskMap_.end()) {
404 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in map", tokenID);
405 return;
406 }
407 continuousTaskMap_[tokenID]--;
408 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d has %{public}d tasks in map",
409 tokenID, continuousTaskMap_[tokenID]);
410 if (continuousTaskMap_[tokenID] == 0) {
411 continuousTaskMap_.erase(tokenID);
412 }
413 }
414
FindContinuousTask(AccessTokenID tokenID)415 bool TempPermissionObserver::FindContinuousTask(AccessTokenID tokenID)
416 {
417 std::unique_lock<std::mutex> lck(continuousTaskMutex_);
418 auto iter = continuousTaskMap_.find(tokenID);
419 if (iter == continuousTaskMap_.end()) {
420 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in map", tokenID);
421 return false;
422 }
423 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d has %{public}d tasks in map",
424 tokenID, continuousTaskMap_[tokenID]);
425 return true;
426 }
427
IsAllowGrantTempPermission(AccessTokenID tokenID,const std::string & permissionName)428 bool TempPermissionObserver::IsAllowGrantTempPermission(AccessTokenID tokenID, const std::string& permissionName)
429 {
430 HapTokenInfo tokenInfo;
431 if (AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, tokenInfo) != RET_SUCCESS) {
432 LOGC(ATM_DOMAIN, ATM_TAG, "Invalid tokenId(%{public}d)", tokenID);
433 return false;
434 }
435 auto iterator = std::find(g_tempPermission.begin(), g_tempPermission.end(), permissionName);
436 if (iterator == g_tempPermission.end()) {
437 LOGC(ATM_DOMAIN, ATM_TAG, "Permission is not available to temp grant: %{public}s!", permissionName.c_str());
438 return false;
439 }
440 return CheckPermissionState(tokenID, permissionName, tokenInfo.bundleName);
441 }
442
CheckPermissionState(AccessTokenID tokenID,const std::string & permissionName,const std::string & bundleName)443 bool TempPermissionObserver::CheckPermissionState(AccessTokenID tokenID,
444 const std::string& permissionName, const std::string& bundleName)
445 {
446 bool isForeground = false;
447 std::vector<AppStateData> foreGroundAppList;
448 (void)AppManagerAccessClient::GetInstance().GetForegroundApplications(foreGroundAppList);
449 if (std::any_of(foreGroundAppList.begin(), foreGroundAppList.end(),
450 [tokenID](const auto& foreGroundApp) { return foreGroundApp.accessTokenId == tokenID; })) {
451 isForeground = true;
452 }
453 bool isContinuousTaskExist = false;
454 #ifdef BGTASKMGR_CONTINUOUS_TASK_ENABLE
455 std::vector<std::shared_ptr<ContinuousTaskCallbackInfo>> continuousTaskList;
456 (void)BackgroundTaskManagerAccessClient::GetInstance().GetContinuousTaskApps(continuousTaskList);
457 for (auto iter = continuousTaskList.begin(); iter != continuousTaskList.end(); iter++) {
458 if ((*iter) == nullptr) {
459 LOGE(ATM_DOMAIN, ATM_TAG, "ContinuousTaskCallbackInfo is null");
460 continue;
461 }
462 if (static_cast<AccessTokenID>((*iter)->tokenId_) == tokenID) {
463 if (std::any_of((*iter)->typeIds_.begin(), (*iter)->typeIds_.end(),
464 [](const auto& typeId) { return static_cast<BackgroundMode>(typeId) == BackgroundMode::LOCATION; })) {
465 TempPermissionObserver::GetInstance().AddContinuousTask(tokenID);
466 isContinuousTaskExist = true;
467 }
468 }
469 }
470 #endif
471 bool isFormVisible = FormManagerAccessClient::GetInstance().HasFormVisible(tokenID);
472 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d, isForeground:%{public}d, isFormVisible:%{public}d,"
473 "isContinuousTaskExist:%{public}d",
474 tokenID, isForeground, isFormVisible, isContinuousTaskExist);
475 bool userEnable = true;
476 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
477 int callingUid = IPCSkeleton::GetCallingUid();
478 if (callingUid == ROOT_UID) {
479 userEnable = false;
480 }
481 #endif
482 if (!userEnable || isForeground || isFormVisible || isContinuousTaskExist) {
483 std::vector<bool> list;
484 list.emplace_back(isForeground);
485 list.emplace_back(isFormVisible);
486 list.emplace_back(isContinuousTaskExist);
487 AddTempPermTokenToList(tokenID, bundleName, permissionName, list);
488 return true;
489 }
490 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR",
491 HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", GRANT_TEMP_PERMISSION_FAILED,
492 "TOKENID", tokenID, "PERM", permissionName, "BUNDLE_NAME", bundleName);
493 return false;
494 }
495
AddTempPermTokenToList(AccessTokenID tokenID,const std::string & bundleName,const std::string & permissionName,const std::vector<bool> & list)496 void TempPermissionObserver::AddTempPermTokenToList(AccessTokenID tokenID,
497 const std::string& bundleName, const std::string& permissionName, const std::vector<bool>& list)
498 {
499 RegisterCallback();
500 {
501 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
502 tempPermTokenMap_[tokenID] = list;
503 }
504 LOGI(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d, permissionName:%{public}s", tokenID, permissionName.c_str());
505 (void)HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "GRANT_TEMP_PERMISSION",
506 HiviewDFX::HiSysEvent::EventType::BEHAVIOR,
507 "TOKENID", tokenID, "PERMISSION_NAME", permissionName);
508 {
509 std::unique_lock<std::mutex> lck(formTokenMutex_);
510 formTokenMap_[bundleName] = tokenID;
511 }
512 }
513
GetPermissionState(AccessTokenID tokenID,std::vector<PermissionStatus> & permissionStateList)514 bool TempPermissionObserver::GetPermissionState(AccessTokenID tokenID,
515 std::vector<PermissionStatus>& permissionStateList)
516 {
517 std::shared_ptr<HapTokenInfoInner> infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(tokenID);
518 if (infoPtr == nullptr) {
519 LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid.", tokenID);
520 return false;
521 }
522 if (infoPtr->IsRemote()) {
523 LOGE(ATM_DOMAIN, ATM_TAG, "It is a remote hap token %{public}u!", tokenID);
524 return false;
525 }
526 if (infoPtr->GetPermissionStateList(permissionStateList) != RET_SUCCESS) {
527 LOGE(ATM_DOMAIN, ATM_TAG, "GetPermissionStateList failed, token %{public}u!", tokenID);
528 return false;
529 }
530 return true;
531 }
532
RevokeAllTempPermission(AccessTokenID tokenID)533 void TempPermissionObserver::RevokeAllTempPermission(AccessTokenID tokenID)
534 {
535 std::vector<bool> list;
536 if (!GetAppStateListByTokenID(tokenID, list)) {
537 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d not exist in permList", tokenID);
538 return;
539 }
540 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
541 tempPermTokenMap_.erase(tokenID);
542 if (tempPermTokenMap_.empty()) {
543 UnRegisterCallback();
544 }
545
546 std::vector<PermissionStatus> tmpList;
547 if (!GetPermissionState(tokenID, tmpList)) {
548 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d get permission state full fail!", tokenID);
549 return;
550 }
551 for (const auto& permissionState : tmpList) {
552 if (permissionState.grantFlag & PERMISSION_ALLOW_THIS_TIME) {
553 if (PermissionManager::GetInstance().UpdatePermission(
554 tokenID, permissionState.permissionName, false, PERMISSION_ALLOW_THIS_TIME, false) != RET_SUCCESS) {
555 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d revoke permission:%{public}s failed!",
556 tokenID, permissionState.permissionName.c_str());
557 return;
558 }
559 }
560 }
561 }
562
RevokeTempPermission(AccessTokenID tokenID,const std::string & permissionName)563 void TempPermissionObserver::RevokeTempPermission(AccessTokenID tokenID, const std::string& permissionName)
564 {
565 std::vector<PermissionStatus> tmpList;
566 if (!GetPermissionState(tokenID, tmpList)) {
567 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d get permission state full fail!", tokenID);
568 return;
569 }
570 for (const auto& permissionState : tmpList) {
571 if ((permissionState.grantFlag & PERMISSION_ALLOW_THIS_TIME) &&
572 permissionState.permissionName == permissionName) {
573 if (PermissionManager::GetInstance().UpdatePermission(
574 tokenID, permissionState.permissionName, false, PERMISSION_ALLOW_THIS_TIME, false) != RET_SUCCESS) {
575 LOGE(ATM_DOMAIN, ATM_TAG, "TokenID:%{public}d revoke permission:%{public}s failed!",
576 tokenID, permissionState.permissionName.c_str());
577 return;
578 }
579 }
580 }
581 }
582
OnAppMgrRemoteDiedHandle()583 void TempPermissionObserver::OnAppMgrRemoteDiedHandle()
584 {
585 std::unique_lock<std::mutex> lck(tempPermissionMutex_);
586 for (auto iter = tempPermTokenMap_.begin(); iter != tempPermTokenMap_.end(); ++iter) {
587 std::vector<PermissionStatus> tmpList;
588 GetPermissionState(iter->first, tmpList);
589 for (const auto& permissionState : tmpList) {
590 if (!(permissionState.grantFlag & PERMISSION_ALLOW_THIS_TIME)) {
591 continue;
592 }
593 int32_t ret = PermissionManager::GetInstance().RevokePermission(
594 iter->first, permissionState.permissionName, PERMISSION_ALLOW_THIS_TIME);
595 if (ret != RET_SUCCESS) {
596 LOGE(ATM_DOMAIN, ATM_TAG, "revoke permission failed, TokenId=%{public}d, permission \
597 name is %{public}s", iter->first, permissionState.permissionName.c_str());
598 }
599 }
600 std::string taskName = TASK_NAME_TEMP_PERMISSION + std::to_string(iter->first);
601 (void)TempPermissionObserver::GetInstance().CancleTaskOfPermissionRevoking(taskName);
602 }
603 tempPermTokenMap_.clear();
604 LOGI(ATM_DOMAIN, ATM_TAG, "TempPermTokenMap_ clear!");
605 appStateCallback_= nullptr;
606 }
607
608 #ifdef EVENTHANDLER_ENABLE
InitEventHandler()609 void TempPermissionObserver::InitEventHandler()
610 {
611 auto eventRunner = AppExecFwk::EventRunner::Create(true, AppExecFwk::ThreadMode::FFRT);
612 if (!eventRunner) {
613 LOGE(ATM_DOMAIN, ATM_TAG, "Failed to create a recvRunner.");
614 return;
615 }
616 eventHandler_ = std::make_shared<AccessEventHandler>(eventRunner);
617 }
618
GetEventHandler()619 std::shared_ptr<AccessEventHandler> TempPermissionObserver::GetEventHandler()
620 {
621 std::lock_guard<std::mutex> lock(eventHandlerLock_);
622 if (eventHandler_ == nullptr) {
623 InitEventHandler();
624 }
625 return eventHandler_;
626 }
627 #endif
628
DelayRevokePermission(AccessToken::AccessTokenID tokenID,const std::string & taskName)629 bool TempPermissionObserver::DelayRevokePermission(AccessToken::AccessTokenID tokenID, const std::string& taskName)
630 {
631 #ifdef EVENTHANDLER_ENABLE
632 auto eventHandler = GetEventHandler();
633 if (eventHandler == nullptr) {
634 LOGE(ATM_DOMAIN, ATM_TAG, "Fail to get EventHandler");
635 return false;
636 }
637
638 LOGI(ATM_DOMAIN, ATM_TAG, "Add permission task name:%{public}s", taskName.c_str());
639
640 std::function<void()> delayed = ([tokenID]() {
641 TempPermissionObserver::GetInstance().RevokeAllTempPermission(tokenID);
642 LOGI(ATM_DOMAIN, ATM_TAG, "Token: %{public}d, delay revoke permission end", tokenID);
643 });
644 eventHandler->ProxyPostTask(delayed, taskName, cancelTimes_);
645 return true;
646 #else
647 LOGW(ATM_DOMAIN, ATM_TAG, "Eventhandler is not existed");
648 return false;
649 #endif
650 }
651
CancleTaskOfPermissionRevoking(const std::string & taskName)652 bool TempPermissionObserver::CancleTaskOfPermissionRevoking(const std::string& taskName)
653 {
654 #ifdef EVENTHANDLER_ENABLE
655 auto eventHandler = GetEventHandler();
656 if (eventHandler == nullptr) {
657 LOGE(ATM_DOMAIN, ATM_TAG, "Fail to get EventHandler");
658 return false;
659 }
660
661 LOGI(ATM_DOMAIN, ATM_TAG, "Revoke permission task name:%{public}s", taskName.c_str());
662 eventHandler->ProxyRemoveTask(taskName);
663 return true;
664 #else
665 LOGW(ATM_DOMAIN, ATM_TAG, "Eventhandler is not existed");
666 return false;
667 #endif
668 }
669
SetCancelTime(int32_t cancelTime)670 void TempPermissionObserver::SetCancelTime(int32_t cancelTime)
671 {
672 if (cancelTime != 0) {
673 cancelTimes_ = cancelTime;
674 }
675
676 LOGI(ATM_DOMAIN, ATM_TAG, "CancelTimes_ is %{public}d.", cancelTimes_);
677 }
678 } // namespace AccessToken
679 } // namespace Security
680 } // namespace OHOS
681