1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "clone_app_permission_test.h"
17 #include <thread>
18
19 #include "accesstoken_kit.h"
20 #include "accesstoken_common_log.h"
21 #include "access_token_error.h"
22 #include "nativetoken_kit.h"
23 #include "test_common.h"
24 #include "token_setproc.h"
25 #include "tokenid_kit.h"
26
27 using namespace testing::ext;
28 using namespace OHOS::Security::AccessToken;
29
30 namespace {
31 static const std::string PERMISSION_ALL = "ohos.permission.APP_TRACKING_CONSENT";
32 static const std::string PERMISSION_FULL_CONTROL = "ohos.permission.WRITE_MEDIA";
33 static const std::string PERMISSION_NOT_DISPLAYED = "ohos.permission.ANSWER_CALL";
34 static const std::string TEST_PERMISSION_GRANT = "ohos.permission.GRANT_SENSITIVE_PERMISSIONS";
35 static const std::string TEST_PERMISSION_REVOKE = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS";
36 static uint64_t g_selfTokenId = 0;
37
38 HapInfoParams g_infoParmsCommon = {
39 .userID = 1,
40 .bundleName = "CloneAppPermissionTest",
41 .instIndex = 0,
42 .dlpType = DLP_COMMON,
43 .appIDDesc = "CloneAppPermissionTest"
44 };
45
46 HapInfoParams g_infoParmsCommonClone1 = {
47 .userID = 1,
48 .bundleName = "CloneAppPermissionTest",
49 .instIndex = 5, // clone app index is 5
50 .dlpType = DLP_COMMON,
51 .appIDDesc = "CloneAppPermissionTest"
52 };
53
54 HapInfoParams g_infoParmsCommonClone2 = {
55 .userID = 1,
56 .bundleName = "CloneAppPermissionTest",
57 .instIndex = 6, // clone app index is 6
58 .dlpType = DLP_COMMON,
59 .appIDDesc = "CloneAppPermissionTest"
60 };
61
62 HapInfoParams g_infoParmsFullControl = {
63 .userID = 1,
64 .bundleName = "CloneAppPermissionTest",
65 .instIndex = 1,
66 .dlpType = DLP_FULL_CONTROL,
67 .appIDDesc = "CloneAppPermissionTest"
68 };
69
70 HapInfoParams g_infoParmsReadOnly = {
71 .userID = 1,
72 .bundleName = "CloneAppPermissionTest",
73 .instIndex = 2,
74 .dlpType = DLP_READ,
75 .appIDDesc = "CloneAppPermissionTest"
76 };
77
78 PermissionStateFull g_stateFullControl = {
79 .permissionName = "ohos.permission.WRITE_MEDIA",
80 .isGeneral = true,
81 .resDeviceID = {"local"},
82 .grantStatus = {PermissionState::PERMISSION_DENIED},
83 .grantFlags = {0}
84 };
85
86 PermissionStateFull g_stateAll = {
87 .permissionName = PERMISSION_ALL,
88 .isGeneral = true,
89 .resDeviceID = {"local"},
90 .grantStatus = {PermissionState::PERMISSION_DENIED},
91 .grantFlags = {0}
92 };
93
94 HapPolicyParams g_policyParams = {
95 .apl = APL_NORMAL,
96 .domain = "test.domain",
97 .permStateList = {g_stateFullControl, g_stateAll}
98 };
99
100 }
101
TearDownTestCase()102 void CloneAppPermissionTest::TearDownTestCase()
103 {
104 EXPECT_EQ(0, SetSelfTokenID(g_selfTokenId));
105 TestCommon::ResetTestEvironment();
106
107 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(1, "PermissionEnvironment", 0);
108 AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID;
109 if (tokenId != INVALID_TOKENID) {
110 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenId));
111 }
112 }
113
SetUp()114 void CloneAppPermissionTest::SetUp()
115 {
116 LOGI(ATM_DOMAIN, ATM_TAG, "SetUp ok.");
117 }
118
TearDown()119 void CloneAppPermissionTest::TearDown()
120 {
121 }
122
SetUpTestCase()123 void CloneAppPermissionTest::SetUpTestCase()
124 {
125 g_selfTokenId = GetSelfTokenID();
126 TestCommon::SetTestEvironment(g_selfTokenId);
127
128 HapInfoParams infoParmsEnvironment = {
129 .userID = 1,
130 .bundleName = "PermissionEnvironment",
131 .instIndex = 0,
132 .dlpType = DLP_COMMON,
133 .appIDDesc = "PermissionEnvironment",
134 .isSystemApp = true
135 };
136 PermissionStateFull stateGrant = {
137 .permissionName = TEST_PERMISSION_GRANT,
138 .isGeneral = true,
139 .resDeviceID = {"local"},
140 .grantStatus = {PermissionState::PERMISSION_GRANTED},
141 .grantFlags = {0}
142 };
143 PermissionStateFull stateRevoke = {
144 .permissionName = TEST_PERMISSION_REVOKE,
145 .isGeneral = true,
146 .resDeviceID = {"local"},
147 .grantStatus = {PermissionState::PERMISSION_GRANTED},
148 .grantFlags = {0}
149 };
150 HapPolicyParams policyParams = {
151 .apl = APL_NORMAL,
152 .domain = "test.domain",
153 .permStateList = {stateGrant, stateRevoke}
154 };
155 AccessTokenIDEx tokenIdEx = {0};
156 EXPECT_EQ(RET_SUCCESS, TestCommon::AllocTestHapToken(infoParmsEnvironment, policyParams, tokenIdEx));
157 EXPECT_NE(0, tokenIdEx.tokenIdExStruct.tokenID);
158 EXPECT_EQ(true, TokenIdKit::IsSystemAppByFullTokenID(tokenIdEx.tokenIDEx));
159 EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
160 LOGI(ATM_DOMAIN, ATM_TAG, "SetUpTestCase ok.");
161 }
162
AllocHapTokenId(HapInfoParams info,HapPolicyParams policy)163 static AccessTokenID AllocHapTokenId(HapInfoParams info, HapPolicyParams policy)
164 {
165 AccessTokenIDEx tokenIdEx = {0};
166 EXPECT_EQ(RET_SUCCESS, TestCommon::AllocTestHapToken(info, policy, tokenIdEx));
167 AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID;
168 EXPECT_NE(INVALID_TOKENID, tokenId);
169 int ret = AccessTokenKit::VerifyAccessToken(tokenId, PERMISSION_FULL_CONTROL, false);
170 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
171 ret = AccessTokenKit::VerifyAccessToken(tokenId, PERMISSION_ALL, false);
172 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
173 uint32_t flag;
174 ret = AccessTokenKit::GetPermissionFlag(tokenId, PERMISSION_FULL_CONTROL, flag);
175 EXPECT_EQ(flag, PERMISSION_DEFAULT_FLAG);
176 EXPECT_EQ(ret, RET_SUCCESS);
177 ret = AccessTokenKit::GetPermissionFlag(tokenId, PERMISSION_ALL, flag);
178 EXPECT_EQ(flag, PERMISSION_DEFAULT_FLAG);
179 EXPECT_EQ(ret, RET_SUCCESS);
180 return tokenId;
181 }
182
183 /**
184 * @tc.name: OriginApp01
185 * @tc.desc: main app grant permission.
186 * @tc.type: FUNC
187 * @tc.require:Issue Number
188 */
189 HWTEST_F(CloneAppPermissionTest, OriginApp01, TestSize.Level0)
190 {
191 int ret;
192 auto policyParams = g_policyParams;
193 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
194 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
195 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
196 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
197 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
198
199 // grant common app
200 ret = AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
201 EXPECT_EQ(RET_SUCCESS, ret);
202 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
203 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
204 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
205 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
206 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
207 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
208 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
209 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
210 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
211 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
212
213 ret = TestCommon::DeleteTestHapToken(tokenCommon);
214 EXPECT_EQ(RET_SUCCESS, ret);
215 ret = TestCommon::DeleteTestHapToken(tokenFullControl);
216 EXPECT_EQ(RET_SUCCESS, ret);
217 ret = TestCommon::DeleteTestHapToken(tokenRead);
218 EXPECT_EQ(RET_SUCCESS, ret);
219 ret = TestCommon::DeleteTestHapToken(tokenClone1);
220 EXPECT_EQ(RET_SUCCESS, ret);
221 ret = TestCommon::DeleteTestHapToken(tokenClone2);
222 EXPECT_EQ(RET_SUCCESS, ret);
223 }
224
225 /**
226 * @tc.name: OriginApp02
227 * @tc.desc: main app revoke permission.
228 * @tc.type: FUNC
229 * @tc.require:Issue Number
230 */
231 HWTEST_F(CloneAppPermissionTest, OriginApp02, TestSize.Level0)
232 {
233 int ret;
234 auto policyParams = g_policyParams;
235 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
236 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
237 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
238 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
239 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
240
241 // grant common app
242 ret = AccessTokenKit::RevokePermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
243 EXPECT_EQ(RET_SUCCESS, ret);
244 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
245 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
246 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
247 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
248 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
249 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
250 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
251 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
252 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
253 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
254 uint32_t flag;
255 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
256 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
257 EXPECT_EQ(ret, RET_SUCCESS);
258
259 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
260 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
261 EXPECT_EQ(ret, RET_SUCCESS);
262
263 ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag);
264 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
265 EXPECT_EQ(ret, RET_SUCCESS);
266
267 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
268 EXPECT_EQ(flag, 0);
269 EXPECT_EQ(ret, RET_SUCCESS);
270
271 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
272 EXPECT_EQ(flag, 0);
273 EXPECT_EQ(ret, RET_SUCCESS);
274
275 ret = TestCommon::DeleteTestHapToken(tokenCommon);
276 EXPECT_EQ(RET_SUCCESS, ret);
277 ret = TestCommon::DeleteTestHapToken(tokenFullControl);
278 EXPECT_EQ(RET_SUCCESS, ret);
279 ret = TestCommon::DeleteTestHapToken(tokenRead);
280 EXPECT_EQ(RET_SUCCESS, ret);
281 ret = TestCommon::DeleteTestHapToken(tokenClone1);
282 EXPECT_EQ(RET_SUCCESS, ret);
283 ret = TestCommon::DeleteTestHapToken(tokenClone2);
284 EXPECT_EQ(RET_SUCCESS, ret);
285 }
286
287 /**
288 * @tc.name: OriginApp03
289 * @tc.desc: main app clear permission.
290 * @tc.type: FUNC
291 * @tc.require:Issue Number
292 */
293 HWTEST_F(CloneAppPermissionTest, OriginApp03, TestSize.Level0)
294 {
295 int ret;
296 auto policyParams = g_policyParams;
297 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
298 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
299 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
300 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
301 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
302
303 AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
304 AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
305 AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED);
306
307 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
308 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
309 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
310 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
311 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
312 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
313 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
314 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
315
316
317 ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenCommon);
318 EXPECT_EQ(ret, RET_SUCCESS);
319
320 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
321 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
322 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
323 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
324 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
325 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
326 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
327 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
328 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
329 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
330
331 uint32_t flag;
332 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
333 EXPECT_EQ(flag, 0);
334 EXPECT_EQ(ret, RET_SUCCESS);
335
336 ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag);
337 EXPECT_EQ(flag, 0);
338 EXPECT_EQ(ret, RET_SUCCESS);
339
340 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
341 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
342 EXPECT_EQ(ret, RET_SUCCESS);
343
344 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
345 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
346 EXPECT_EQ(ret, RET_SUCCESS);
347
348 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenCommon));
349 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenFullControl));
350 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenRead));
351 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenClone1));
352 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenClone2));
353 }
354
355 /**
356 * @tc.name: ReadDlp01
357 * @tc.desc: read mode dlp app grant permission.
358 * @tc.type: FUNC
359 * @tc.require:Issue Number
360 */
361 HWTEST_F(CloneAppPermissionTest, ReadDlp01, TestSize.Level0)
362 {
363 int ret;
364 auto policyParams = g_policyParams;
365 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
366 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
367 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
368 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
369 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
370
371 // grant common app
372 ret = AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED);
373 EXPECT_EQ(RET_SUCCESS, ret);
374 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
375 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
376 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
377 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
378 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
379 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
380 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
381 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
382 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
383 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
384
385 ret = TestCommon::DeleteTestHapToken(tokenCommon);
386 EXPECT_EQ(RET_SUCCESS, ret);
387 ret = TestCommon::DeleteTestHapToken(tokenFullControl);
388 EXPECT_EQ(RET_SUCCESS, ret);
389 ret = TestCommon::DeleteTestHapToken(tokenRead);
390 EXPECT_EQ(RET_SUCCESS, ret);
391 ret = TestCommon::DeleteTestHapToken(tokenClone1);
392 EXPECT_EQ(RET_SUCCESS, ret);
393 ret = TestCommon::DeleteTestHapToken(tokenClone2);
394 EXPECT_EQ(RET_SUCCESS, ret);
395 }
396
397 /**
398 * @tc.name: ReadDlp02
399 * @tc.desc: read mode dlp app revoke permission.
400 * @tc.type: FUNC
401 * @tc.require:Issue Number
402 */
403 HWTEST_F(CloneAppPermissionTest, ReadDlp02, TestSize.Level0)
404 {
405 int ret;
406 auto policyParams = g_policyParams;
407 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
408 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
409 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
410 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
411 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
412
413 // grant common app
414 ret = AccessTokenKit::RevokePermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED);
415 EXPECT_EQ(RET_SUCCESS, ret);
416 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
417 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
418 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
419 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
420 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
421 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
422 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
423 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
424 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
425 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
426
427 uint32_t flag;
428 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
429 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
430 EXPECT_EQ(ret, RET_SUCCESS);
431
432 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
433 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
434 EXPECT_EQ(ret, RET_SUCCESS);
435
436 ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag);
437 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
438 EXPECT_EQ(ret, RET_SUCCESS);
439
440 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
441 EXPECT_EQ(flag, 0);
442 EXPECT_EQ(ret, RET_SUCCESS);
443
444 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
445 EXPECT_EQ(flag, 0);
446 EXPECT_EQ(ret, RET_SUCCESS);
447
448 ret = TestCommon::DeleteTestHapToken(tokenCommon);
449 EXPECT_EQ(RET_SUCCESS, ret);
450 ret = TestCommon::DeleteTestHapToken(tokenFullControl);
451 EXPECT_EQ(RET_SUCCESS, ret);
452 ret = TestCommon::DeleteTestHapToken(tokenRead);
453 EXPECT_EQ(RET_SUCCESS, ret);
454 ret = TestCommon::DeleteTestHapToken(tokenClone1);
455 EXPECT_EQ(RET_SUCCESS, ret);
456 ret = TestCommon::DeleteTestHapToken(tokenClone2);
457 EXPECT_EQ(RET_SUCCESS, ret);
458 }
459
460 /**
461 * @tc.name: ReadDlp03
462 * @tc.desc: read mode dlp app clear permission.
463 * @tc.type: FUNC
464 * @tc.require:Issue Number
465 */
466 HWTEST_F(CloneAppPermissionTest, ReadDlp03, TestSize.Level0)
467 {
468 int ret;
469 auto policyParams = g_policyParams;
470 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
471 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
472 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
473 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
474 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
475
476 AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED);
477 AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
478 AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED);
479
480 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
481 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
482 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
483 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
484 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
485 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
486 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
487 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
488
489
490 ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenRead);
491 EXPECT_EQ(ret, RET_SUCCESS);
492 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
493 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
494 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
495 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
496 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
497 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
498 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
499 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
500 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
501 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
502 uint32_t flag;
503 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
504 EXPECT_EQ(flag, 0);
505 EXPECT_EQ(ret, RET_SUCCESS);
506
507 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
508 EXPECT_EQ(flag, 0);
509 EXPECT_EQ(ret, RET_SUCCESS);
510
511 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
512 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
513 EXPECT_EQ(ret, RET_SUCCESS);
514
515 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
516 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
517 EXPECT_EQ(ret, RET_SUCCESS);
518
519 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenCommon));
520 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenFullControl));
521 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenRead));
522 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenClone1));
523 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenClone2));
524 }
525
526
527 /**
528 * @tc.name: CloneApp01
529 * @tc.desc: clone app grant permission.
530 * @tc.type: FUNC
531 * @tc.require:Issue Number
532 */
533 HWTEST_F(CloneAppPermissionTest, CloneApp01, TestSize.Level0)
534 {
535 int ret;
536 auto policyParams = g_policyParams;
537 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
538 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
539 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
540 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
541 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
542
543 // grant common app
544 ret = AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
545 EXPECT_EQ(RET_SUCCESS, ret);
546 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
547 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
548 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
549 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
550 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
551 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
552 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
553 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
554 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
555 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
556
557 ret = TestCommon::DeleteTestHapToken(tokenCommon);
558 EXPECT_EQ(RET_SUCCESS, ret);
559 ret = TestCommon::DeleteTestHapToken(tokenFullControl);
560 EXPECT_EQ(RET_SUCCESS, ret);
561 ret = TestCommon::DeleteTestHapToken(tokenRead);
562 EXPECT_EQ(RET_SUCCESS, ret);
563 ret = TestCommon::DeleteTestHapToken(tokenClone1);
564 EXPECT_EQ(RET_SUCCESS, ret);
565 ret = TestCommon::DeleteTestHapToken(tokenClone2);
566 EXPECT_EQ(RET_SUCCESS, ret);
567 }
568
569 /**
570 * @tc.name: CloneApp02
571 * @tc.desc: clone app grant permission.
572 * @tc.type: FUNC
573 * @tc.require:Issue Number
574 */
575 HWTEST_F(CloneAppPermissionTest, CloneApp02, TestSize.Level0)
576 {
577 int ret;
578 auto policyParams = g_policyParams;
579 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
580 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
581 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
582 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
583 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
584
585 // grant common app
586 ret = AccessTokenKit::RevokePermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
587 EXPECT_EQ(RET_SUCCESS, ret);
588 uint32_t flag;
589 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
590 EXPECT_EQ(flag, 0);
591 EXPECT_EQ(ret, RET_SUCCESS);
592
593 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
594 EXPECT_EQ(flag, 0);
595 EXPECT_EQ(ret, RET_SUCCESS);
596
597 ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag);
598 EXPECT_EQ(flag, 0);
599 EXPECT_EQ(ret, RET_SUCCESS);
600
601 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
602 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
603 EXPECT_EQ(ret, RET_SUCCESS);
604
605 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
606 EXPECT_EQ(flag, 0);
607 EXPECT_EQ(ret, RET_SUCCESS);
608
609 ret = TestCommon::DeleteTestHapToken(tokenCommon);
610 EXPECT_EQ(RET_SUCCESS, ret);
611 ret = TestCommon::DeleteTestHapToken(tokenFullControl);
612 EXPECT_EQ(RET_SUCCESS, ret);
613 ret = TestCommon::DeleteTestHapToken(tokenRead);
614 EXPECT_EQ(RET_SUCCESS, ret);
615 ret = TestCommon::DeleteTestHapToken(tokenClone1);
616 EXPECT_EQ(RET_SUCCESS, ret);
617 ret = TestCommon::DeleteTestHapToken(tokenClone2);
618 EXPECT_EQ(RET_SUCCESS, ret);
619 }
620
621 /**
622 * @tc.name: CloneApp03
623 * @tc.desc: clone app clear permission.
624 * @tc.type: FUNC
625 * @tc.require:Issue Number
626 */
627 HWTEST_F(CloneAppPermissionTest, CloneApp03, TestSize.Level0)
628 {
629 int ret;
630 auto policyParams = g_policyParams;
631 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
632 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
633 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
634 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
635 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
636
637 AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED);
638 AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
639 AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED);
640
641 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
642 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
643 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
644 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
645 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
646 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
647 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
648 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
649
650
651 ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenClone1);
652 EXPECT_EQ(ret, RET_SUCCESS);
653 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
654 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
655 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
656 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
657 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
658 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
659 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
660 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
661 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
662 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
663 uint32_t flag;
664 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
665 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
666 EXPECT_EQ(ret, RET_SUCCESS);
667
668 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
669 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
670 EXPECT_EQ(ret, RET_SUCCESS);
671
672 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
673 EXPECT_EQ(flag, 0);
674 EXPECT_EQ(ret, RET_SUCCESS);
675
676 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
677 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
678 EXPECT_EQ(ret, RET_SUCCESS);
679
680 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenCommon));
681 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenFullControl));
682 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenRead));
683 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenClone1));
684 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenClone2));
685 }
686
687
688 /**
689 * @tc.name: CloneApp04
690 * @tc.desc: The permissions of the clone application do not inherit the permissions of the main application
691 * @tc.type: FUNC
692 * @tc.require:Issue Number
693 */
694 HWTEST_F(CloneAppPermissionTest, CloneApp04, TestSize.Level0)
695 {
696 int ret;
697 uint32_t flag;
698 auto policyParams = g_policyParams;
699 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
700 ret = AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
701 EXPECT_EQ(RET_SUCCESS, ret);
702 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
703 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
704 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
705 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
706 EXPECT_EQ(ret, RET_SUCCESS);
707
708 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
709 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
710 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
711 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
712 EXPECT_EQ(flag, 0);
713 EXPECT_EQ(ret, RET_SUCCESS);
714
715 ret = AccessTokenKit::RevokePermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
716 EXPECT_EQ(RET_SUCCESS, ret);
717 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
718 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
719 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
720 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
721 EXPECT_EQ(ret, RET_SUCCESS);
722
723 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
724 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
725 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
726 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
727 EXPECT_EQ(flag, 0);
728 EXPECT_EQ(ret, RET_SUCCESS);
729
730 ret = TestCommon::DeleteTestHapToken(tokenCommon);
731 EXPECT_EQ(RET_SUCCESS, ret);
732 ret = TestCommon::DeleteTestHapToken(tokenClone1);
733 EXPECT_EQ(RET_SUCCESS, ret);
734 ret = TestCommon::DeleteTestHapToken(tokenClone2);
735 EXPECT_EQ(RET_SUCCESS, ret);
736 }
737
738 /**
739 * @tc.name: CloneApp05
740 * @tc.desc: create a clone app
741 * @tc.type: FUNC
742 * @tc.require:Issue Number
743 */
744 HWTEST_F(CloneAppPermissionTest, CloneApp05, TestSize.Level0)
745 {
746 int ret;
747 auto policyParams = g_policyParams;
748 int32_t cloneFlag;
749 int32_t dlpFlag;
750 AccessTokenIDInner *idInner = nullptr;
751 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
752 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
753 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
754 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
755 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
756
757 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenCommon);
758 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
759 EXPECT_EQ(cloneFlag, 0);
760 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
761 EXPECT_EQ(dlpFlag, 0);
762
763 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenFullControl);
764 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
765 EXPECT_EQ(cloneFlag, 0);
766 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
767 EXPECT_EQ(dlpFlag, 1);
768
769 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenRead);
770 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
771 EXPECT_EQ(cloneFlag, 0);
772 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
773 EXPECT_EQ(dlpFlag, 1);
774
775 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenClone1);
776 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
777 EXPECT_EQ(cloneFlag, 1);
778 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
779 EXPECT_EQ(dlpFlag, 0);
780
781 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenClone2);
782 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
783 EXPECT_EQ(cloneFlag, 1);
784 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
785 EXPECT_EQ(dlpFlag, 0);
786
787 ret = TestCommon::DeleteTestHapToken(tokenCommon);
788 EXPECT_EQ(RET_SUCCESS, ret);
789 ret = TestCommon::DeleteTestHapToken(tokenFullControl);
790 EXPECT_EQ(RET_SUCCESS, ret);
791 ret = TestCommon::DeleteTestHapToken(tokenRead);
792 EXPECT_EQ(RET_SUCCESS, ret);
793 ret = TestCommon::DeleteTestHapToken(tokenClone1);
794 EXPECT_EQ(RET_SUCCESS, ret);
795 ret = TestCommon::DeleteTestHapToken(tokenClone2);
796 EXPECT_EQ(RET_SUCCESS, ret);
797 }