1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "edm_policy_set_test.h"
17 #include <thread>
18
19 #include "accesstoken_kit.h"
20 #include "accesstoken_common_log.h"
21 #include "access_token_error.h"
22 #include "permission_map.h"
23 #include "perm_setproc.h"
24 #include "test_common.h"
25 #include "token_setproc.h"
26 #include "tokenid_kit.h"
27
28 using namespace testing::ext;
29 using namespace OHOS::Security::AccessToken;
30
31 namespace {
32 static const uint32_t DEFAULT_ACCOUNT_ID = 100;
33 static const uint32_t MOCK_USER_ID_10001 = 10001;
34 static const uint32_t MOCK_USER_ID_10002 = 10002;
35 static const uint32_t MOCK_USER_ID_10003 = 10003;
36 static const int32_t MAX_PERMISSION_LIST_SIZE = 1024;
37 static const int32_t MAX_LENGTH = 256;
38 const std::string MANAGE_HAP_TOKEN_ID_PERMISSION = "ohos.permission.MANAGE_HAP_TOKENID";
39 const std::string INTERNET = "ohos.permission.INTERNET";
40 static const std::string GET_NETWORK_STATS = "ohos.permission.GET_NETWORK_STATS";
41 static const std::string LOCATION = "ohos.permission.LOCATION";
42 static const std::string GET_SENSITIVE_PERMISSIONS = "ohos.permission.GET_SENSITIVE_PERMISSIONS";
43 static const std::string REVOKE_SENSITIVE_PERMISSIONS = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS"; // system_grant
44 static const std::string MICROPHONE = "ohos.permission.MICROPHONE"; // user_grant
45 static const std::string CAMERA = "ohos.permission.CAMERA"; // user_grant
46 static const std::string CUSTOM_SCREEN_CAPTURE = "ohos.permission.CUSTOM_SCREEN_CAPTURE"; // user_grant
47 static const std::string READ_HEALTH_DATA = "ohos.permission.READ_HEALTH_DATA";
48 static const std::string MANAGE_EDM_POLICY = "ohos.permission.MANAGE_EDM_POLICY"; // system_grant
49 PermissionStateFull g_infoManagerInternetState = {
50 .permissionName = INTERNET,
51 .isGeneral = true,
52 .resDeviceID = {"local2"},
53 .grantStatus = {PermissionState::PERMISSION_GRANTED},
54 .grantFlags = {0}
55 };
56
57 PermissionStateFull g_infoManagerNetWorkState = {
58 .permissionName = GET_NETWORK_STATS,
59 .isGeneral = true,
60 .resDeviceID = {"local2"},
61 .grantStatus = {PermissionState::PERMISSION_GRANTED},
62 .grantFlags = {0}
63 };
64
65 PermissionStateFull g_infoManagerManageNetState = {
66 .permissionName = LOCATION,
67 .isGeneral = true,
68 .resDeviceID = {"local2"},
69 .grantStatus = {PermissionState::PERMISSION_DENIED},
70 .grantFlags = {0}
71 };
72
73 PermissionStateFull g_infoManagerMicrophoneState = {
74 .permissionName = MICROPHONE,
75 .isGeneral = true,
76 .resDeviceID = {"local2"},
77 .grantStatus = {PermissionState::PERMISSION_DENIED},
78 .grantFlags = {0}
79 };
80
81 PermissionStateFull g_infoManagerCameraState = {
82 .permissionName = CAMERA,
83 .isGeneral = true,
84 .resDeviceID = {"local2"},
85 .grantStatus = {PermissionState::PERMISSION_GRANTED},
86 .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED}
87 };
88
89 PermissionStateFull g_infoManagerCustomScreenCaptureState = {
90 .permissionName = CUSTOM_SCREEN_CAPTURE,
91 .isGeneral = true,
92 .resDeviceID = {"local2"},
93 .grantStatus = {PermissionState::PERMISSION_GRANTED},
94 .grantFlags = {0}
95 };
96
97 // Permission set
98 HapInfoParams g_testHapInfoParams = {
99 .userID = 0,
100 .bundleName = "testName",
101 .instIndex = 0,
102 .appIDDesc = "test2",
103 .apiVersion = 11 // api version is 11
104 };
105
106 HapPolicyParams g_testPolicyParams = {
107 .apl = APL_SYSTEM_CORE,
108 .domain = "test.domain2",
109 .permStateList = {
110 g_infoManagerInternetState,
111 g_infoManagerNetWorkState,
112 g_infoManagerManageNetState,
113 g_infoManagerMicrophoneState,
114 g_infoManagerCameraState,
115 g_infoManagerCustomScreenCaptureState,
116 }
117 };
118
119 PermissionStateFull g_infoManagerCustomScreenCaptureState02 = {
120 .permissionName = CUSTOM_SCREEN_CAPTURE,
121 .isGeneral = true,
122 .resDeviceID = {"local2"},
123 .grantStatus = {PermissionState::PERMISSION_GRANTED},
124 .grantFlags = {0}
125 };
126
127 PermissionStateFull g_infoManagerCustomScreenCaptureState03 = {
128 .permissionName = CUSTOM_SCREEN_CAPTURE,
129 .isGeneral = true,
130 .resDeviceID = {"local2"},
131 .grantStatus = {PermissionState::PERMISSION_GRANTED},
132 .grantFlags = {PERMISSION_FIXED_BY_ADMIN_POLICY}
133 };
134
135 PermissionStateFull g_infoManagerCustomScreenCaptureState04 = {
136 .permissionName = CUSTOM_SCREEN_CAPTURE,
137 .isGeneral = true,
138 .resDeviceID = {"local2"},
139 .grantStatus = {PermissionState::PERMISSION_GRANTED},
140 .grantFlags = {PERMISSION_ADMIN_POLICIES_CANCEL}
141 };
142
143 HapPolicyParams g_testPolicyParams02 = {
144 .apl = APL_SYSTEM_CORE,
145 .domain = "test.domain2",
146 .preAuthorizationInfo = {
147 {
148 .permissionName = CUSTOM_SCREEN_CAPTURE,
149 .userCancelable = true,
150 },
151 },
152 .permStateList = {
153 g_infoManagerCustomScreenCaptureState02
154 }
155 };
156
157 HapPolicyParams g_testPolicyParams03 = {
158 .apl = APL_SYSTEM_CORE,
159 .domain = "test.domain2",
160 .preAuthorizationInfo = {
161 {
162 .permissionName = CUSTOM_SCREEN_CAPTURE,
163 .userCancelable = false,
164 },
165 },
166 .permStateList = {
167 g_infoManagerCustomScreenCaptureState02
168 }
169 };
170
171 HapPolicyParams g_testPolicyParams04 = {
172 .apl = APL_SYSTEM_CORE,
173 .domain = "test.domain2",
174 .preAuthorizationInfo = {
175 {
176 .permissionName = CUSTOM_SCREEN_CAPTURE,
177 .userCancelable = false,
178 },
179 },
180 .permStateList = {
181 g_infoManagerCustomScreenCaptureState03
182 }
183 };
184
185 HapPolicyParams g_testPolicyParams05 = {
186 .apl = APL_SYSTEM_CORE,
187 .domain = "test.domain2",
188 .preAuthorizationInfo = {
189 {
190 .permissionName = CUSTOM_SCREEN_CAPTURE,
191 .userCancelable = false,
192 },
193 },
194 .permStateList = {
195 g_infoManagerCustomScreenCaptureState04
196 }
197 };
198
199 std::vector<uint32_t> g_permFlagList = {
200 PERMISSION_DEFAULT_FLAG,
201 PERMISSION_COMPONENT_SET,
202 PERMISSION_USER_SET,
203 PERMISSION_USER_FIXED,
204 PERMISSION_PRE_AUTHORIZED_CANCELABLE,
205 PERMISSION_FIXED_FOR_SECURITY_POLICY,
206 // PERMISSION_ALLOW_THIS_TIME
207 };
208
209 UpdateHapInfoParams g_updateHapInfo = {
210 .appIDDesc = "TEST",
211 .apiVersion = 12,
212 .isSystemApp = false
213 };
214
215 uint64_t g_selfShellTokenId;
216 static MockHapToken* g_mock = nullptr;
217 }
218
TearDownTestCase()219 void EdmPolicySetTest::TearDownTestCase()
220 {
221 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(
222 g_testHapInfoParams.userID, g_testHapInfoParams.bundleName, g_testHapInfoParams.instIndex);
223 TestCommon::DeleteTestHapToken(tokenIdEx.tokenIdExStruct.tokenID);
224 if (g_mock != nullptr) {
225 delete g_mock;
226 g_mock = nullptr;
227 }
228 EXPECT_EQ(0, SetSelfTokenID(g_selfShellTokenId));
229 TestCommon::ResetTestEvironment();
230 }
231
SetUp()232 void EdmPolicySetTest::SetUp()
233 {
234 LOGI(ATM_DOMAIN, ATM_TAG, "SetUp ok.");
235 }
236
TearDown()237 void EdmPolicySetTest::TearDown()
238 {
239 }
240
SetUpTestCase()241 void EdmPolicySetTest::SetUpTestCase()
242 {
243 g_selfShellTokenId = GetSelfTokenID();
244 TestCommon::SetTestEvironment(g_selfShellTokenId);
245
246 std::vector<std::string> reqPerm;
247 reqPerm.emplace_back(MANAGE_HAP_TOKEN_ID_PERMISSION);
248 reqPerm.emplace_back(GET_SENSITIVE_PERMISSIONS);
249 reqPerm.emplace_back(REVOKE_SENSITIVE_PERMISSIONS);
250 g_mock = new (std::nothrow) MockHapToken("EdmPolicySetTest", reqPerm);
251 LOGI(ATM_DOMAIN, ATM_TAG, "SetUpTestCase ok.");
252 }
253
254 /**
255 * @tc.name: InitUserPolicy001
256 * @tc.desc: InitUserPolicy failed invalid userList size.
257 * @tc.type: FUNC
258 * @tc.require:Issue Number
259 */
260 HWTEST_F(EdmPolicySetTest, InitUserPolicy001, TestSize.Level0)
261 {
262 const int32_t invalidSize = 1025; // 1025 is invalid size.
263 std::vector<UserState> userList(invalidSize);
264 std::vector<std::string> permList = { "ohos.permission.INTERNET" };
265 int32_t ret = AccessTokenKit::InitUserPolicy(userList, permList);
266 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
267 }
268
269 /**
270 * @tc.name: InitUserPolicy002
271 * @tc.desc: InitUserPolicy failed empty userList.
272 * @tc.type: FUNC
273 * @tc.require:Issue Number
274 */
275 HWTEST_F(EdmPolicySetTest, InitUserPolicy002, TestSize.Level0)
276 {
277 std::vector<UserState> userListEmtpy;
278 std::vector<std::string> permList = { "ohos.permission.INTERNET" };
279 int32_t ret = AccessTokenKit::InitUserPolicy(userListEmtpy, permList);
280 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
281 }
282
283 /**
284 * @tc.name: InitUserPolicy003
285 * @tc.desc: InitUserPolicy failed empty userList.
286 * @tc.type: FUNC
287 * @tc.require:Issue Number
288 */
289 HWTEST_F(EdmPolicySetTest, InitUserPolicy003, TestSize.Level0)
290 {
291 UserState user = {.userId = DEFAULT_ACCOUNT_ID, .isActive = true};
292 const int32_t invalidSize = 1025; // 1025 is invalid size.
293 std::vector<UserState> userList = { user };
294 std::vector<std::string> permList(invalidSize, "abc");
295 int32_t ret = AccessTokenKit::InitUserPolicy(userList, permList);
296 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
297 }
298
299 /**
300 * @tc.name: InitUserPolicy004
301 * @tc.desc: InitUserPolicy failed empty permList.
302 * @tc.type: FUNC
303 * @tc.require:Issue Number
304 */
305 HWTEST_F(EdmPolicySetTest, InitUserPolicy004, TestSize.Level0)
306 {
307 UserState user = {.userId = DEFAULT_ACCOUNT_ID, .isActive = true};
308 std::vector<UserState> userList = { user };
309 std::vector<std::string> permListEmpty;
310 int32_t ret = AccessTokenKit::InitUserPolicy(userList, permListEmpty);
311 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
312 }
313
314
315 /**
316 * @tc.name: InitUserPolicy005
317 * @tc.desc: InitUserPolicy and the stock permission status is refreshed according to the policy.
318 * @tc.type: FUNC
319 * @tc.require:Issue Number
320 */
321 HWTEST_F(EdmPolicySetTest, InitUserPolicy005, TestSize.Level0)
322 {
323 GTEST_LOG_(INFO) << "permissionSet OK ";
324 MockNativeToken mock("foundation");
325
326 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
327 AccessTokenIDEx fullIdUser1;
328 EXPECT_EQ(RET_SUCCESS,
329 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
330 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
331 AccessTokenIDEx fullIdUser2;
332 EXPECT_EQ(RET_SUCCESS,
333 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
334 g_testHapInfoParams.userID = MOCK_USER_ID_10003;
335 AccessTokenIDEx fullIdUser3;
336 EXPECT_EQ(RET_SUCCESS,
337 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser3));
338
339 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
340 PERMISSION_DENIED);
341
342 UserState user0 = {.userId = -1, .isActive = true};
343 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = true};
344 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = false};
345 UserState user3 = {.userId = MOCK_USER_ID_10003, .isActive = false};
346
347 std::vector<UserState> userList = { user0, user1, user2, user3 };
348 std::vector<std::string> permList = { INTERNET, GET_NETWORK_STATS, LOCATION };
349 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::InitUserPolicy(userList, permList));
350
351 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
352 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
353 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser3.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
354 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
355 PERMISSION_DENIED);
356 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
357 PERMISSION_DENIED);
358 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser3.tokenIdExStruct.tokenID, LOCATION),
359 PERMISSION_DENIED);
360
361 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
362 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
363 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser3.tokenIdExStruct.tokenID));
364
365 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::ClearUserPolicy());
366 }
367
368 /**
369 * @tc.name: InitUserPolicy006
370 * @tc.desc: Check permission status in the heap.
371 * @tc.type: FUNC
372 * @tc.require:Issue Number
373 */
374 HWTEST_F(EdmPolicySetTest, InitUserPolicy006, TestSize.Level0)
375 {
376 GTEST_LOG_(INFO) << "permissionSet OK ";
377 MockNativeToken mock("foundation");
378
379 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
380 AccessTokenIDEx fullIdUser1;
381 EXPECT_EQ(RET_SUCCESS,
382 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
383 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
384 AccessTokenIDEx fullIdUser2;
385 EXPECT_EQ(RET_SUCCESS,
386 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
387
388 UserState user0 = {.userId = -1, .isActive = true};
389 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = true};
390 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = false};
391
392 std::vector<UserState> userList = { user0, user1, user2};
393 std::vector<std::string> permList = { INTERNET, GET_NETWORK_STATS, LOCATION };
394 int32_t res = AccessTokenKit::InitUserPolicy(userList, permList);
395 EXPECT_EQ(res, 0);
396
397 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
398 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
399
400 std::vector<PermissionStateFull> permStatList;
401 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetReqPermissions(fullIdUser2.tokenIdExStruct.tokenID, permStatList, true));
402 EXPECT_EQ(static_cast<uint32_t>(2), permStatList.size());
403 EXPECT_EQ(INTERNET, permStatList[0].permissionName);
404 EXPECT_EQ(PERMISSION_GRANTED, permStatList[0].grantStatus[0]);
405
406 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
407 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
408
409 res = AccessTokenKit::ClearUserPolicy();
410 EXPECT_EQ(res, 0);
411 }
412
413 /**
414 * @tc.name: UpdateUserPolicy001
415 * @tc.desc: UpdateUserPolicy failed with
416 * policy uninitialized and ClearUserPolicy successfully with policy uninitialized.
417 * @tc.type: FUNC
418 * @tc.require:Issue Number
419 */
420 HWTEST_F(EdmPolicySetTest, UpdateUserPolicy001, TestSize.Level0)
421 {
422 GTEST_LOG_(INFO) << "permissionSet OK ";
423 MockNativeToken mock("foundation");
424
425 UserState user = {.userId = DEFAULT_ACCOUNT_ID, .isActive = true};
426 const std::vector<UserState> userList = { user };
427 int32_t res = AccessTokenKit::UpdateUserPolicy(userList);
428 EXPECT_EQ(res, AccessTokenError::ERR_USER_POLICY_NOT_INITIALIZED);
429
430 res = AccessTokenKit::ClearUserPolicy();
431 EXPECT_EQ(res, RET_SUCCESS);
432 }
433
434 /**
435 * @tc.name: UpdateUserPolicy003
436 * @tc.desc: UpdateUserPolicy with invalid userList.
437 * @tc.type: FUNC
438 * @tc.require:Issue Number
439 */
440 HWTEST_F(EdmPolicySetTest, UpdateUserPolicy003, TestSize.Level0)
441 {
442 const int32_t invalidSize = 1025; // 1025 is invalid size.
443 std::vector<UserState> userList(invalidSize);
444 int32_t ret = AccessTokenKit::UpdateUserPolicy(userList);
445 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
446
447 std::vector<UserState> userListEmpty;
448 ret = AccessTokenKit::UpdateUserPolicy(userListEmpty);
449 EXPECT_EQ(ret, AccessTokenError::ERR_PARAM_INVALID);
450 }
451
452 /**
453 * @tc.name: UpdateUserPolicy004
454 * @tc.desc: UpdateUserPolicy and the stock permission status is refreshed according to the policy.
455 * @tc.type: FUNC
456 * @tc.require:Issue Number
457 */
458 HWTEST_F(EdmPolicySetTest, UpdateUserPolicy004, TestSize.Level0)
459 {
460 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
461 AccessTokenIDEx fullIdUser1;
462 EXPECT_EQ(RET_SUCCESS,
463 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
464 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
465 AccessTokenIDEx fullIdUser2;
466 EXPECT_EQ(RET_SUCCESS,
467 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
468
469 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = false};
470 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = true};
471 std::vector<UserState> userListBefore = { user1, user2 };
472 std::vector<std::string> permList = { INTERNET, LOCATION };
473 int32_t ret = AccessTokenKit::InitUserPolicy(userListBefore, permList);
474 EXPECT_EQ(ret, 0);
475 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
476 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
477 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
478 PERMISSION_DENIED);
479 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
480 PERMISSION_DENIED);
481
482 // update the policy
483 user1.isActive = true;
484 user2.isActive = false;
485 std::vector<UserState> userListAfter = { user1, user2 };
486 ret = AccessTokenKit::UpdateUserPolicy(userListAfter);
487 EXPECT_EQ(ret, 0);
488 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
489 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
490 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
491 PERMISSION_DENIED);
492 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
493 PERMISSION_DENIED);
494
495 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
496 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
497
498 int32_t res = AccessTokenKit::ClearUserPolicy();
499 EXPECT_EQ(res, 0);
500 }
501
502
503 /**
504 * @tc.name: UserPolicyTestForNewHap
505 * @tc.desc: Set the authorization status based on the user policy during new hap installation
506 * @tc.type: FUNC
507 * @tc.require:Issue Number
508 */
509 HWTEST_F(EdmPolicySetTest, UserPolicyTestForNewHap, TestSize.Level0)
510 {
511 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = true};
512 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = true};
513 std::vector<UserState> userListBefore = { user1, user2 };
514 std::vector<std::string> permList = { INTERNET, LOCATION };
515 EXPECT_EQ(AccessTokenKit::InitUserPolicy(userListBefore, permList), 0);
516
517 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
518 AccessTokenIDEx fullIdUser1;
519 EXPECT_EQ(RET_SUCCESS,
520 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
521 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
522 AccessTokenIDEx fullIdUser2;
523 EXPECT_EQ(RET_SUCCESS,
524 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
525
526 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
527 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
528 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
529 PERMISSION_DENIED);
530 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
531 PERMISSION_DENIED);
532 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
533 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
534
535 // update the policy
536 user1.isActive = false;
537 user2.isActive = false;
538 std::vector<UserState> userListAfter = { user1, user2 };
539 int32_t ret = AccessTokenKit::UpdateUserPolicy(userListAfter);
540 EXPECT_EQ(ret, 0);
541 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
542 EXPECT_EQ(RET_SUCCESS,
543 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
544 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
545 EXPECT_EQ(RET_SUCCESS,
546 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
547 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
548 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
549 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, LOCATION),
550 PERMISSION_DENIED);
551 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, LOCATION),
552 PERMISSION_DENIED);
553 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
554 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
555 EXPECT_EQ(AccessTokenKit::ClearUserPolicy(), 0);
556 }
557
558 /**
559 * @tc.name: UserPolicyTestForNewHap
560 * @tc.desc: Set the authorization status based on the user policy during new hap installation
561 * @tc.type: FUNC
562 * @tc.require:Issue Number
563 */
564 HWTEST_F(EdmPolicySetTest, UserPolicyTestForClearUserGranted, TestSize.Level0)
565 {
566 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = true};
567 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = false};
568 std::vector<UserState> userListBefore = { user1, user2 };
569 std::vector<std::string> permList = { INTERNET, LOCATION };
570 int32_t ret = AccessTokenKit::InitUserPolicy(userListBefore, permList);
571 EXPECT_EQ(ret, 0);
572
573 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
574 AccessTokenIDEx fullIdUser1;
575 EXPECT_EQ(RET_SUCCESS,
576 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
577 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
578 AccessTokenIDEx fullIdUser2;
579 EXPECT_EQ(RET_SUCCESS,
580 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
581
582 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
583 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
584
585 ret = TestCommon::ClearUserGrantedPermissionStateByTest(fullIdUser1.tokenIdExStruct.tokenID);
586 EXPECT_EQ(RET_SUCCESS, ret);
587 ret = TestCommon::ClearUserGrantedPermissionStateByTest(fullIdUser2.tokenIdExStruct.tokenID);
588 EXPECT_EQ(RET_SUCCESS, ret);
589 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
590 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
591
592 // update the policy
593 user1.isActive = false;
594 user2.isActive = true;
595 std::vector<UserState> userListAfter = { user1, user2 };
596 ret = AccessTokenKit::UpdateUserPolicy(userListAfter);
597
598 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
599 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
600
601 ret = TestCommon::ClearUserGrantedPermissionStateByTest(fullIdUser1.tokenIdExStruct.tokenID);
602 ret = TestCommon::ClearUserGrantedPermissionStateByTest(fullIdUser2.tokenIdExStruct.tokenID);
603 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
604 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
605
606 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
607 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
608
609 int32_t res = AccessTokenKit::ClearUserPolicy();
610 EXPECT_EQ(res, 0);
611 }
612
613 /**
614 * @tc.name: ClearUserPolicy001
615 * @tc.desc: Check permission status after clear user policy.
616 * @tc.type: FUNC
617 * @tc.require:Issue Number
618 */
619 HWTEST_F(EdmPolicySetTest, ClearUserPolicy001, TestSize.Level0)
620 {
621 g_testHapInfoParams.userID = MOCK_USER_ID_10002;
622 AccessTokenIDEx fullIdUser2;
623 EXPECT_EQ(RET_SUCCESS,
624 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser2));
625 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
626 AccessTokenIDEx fullIdUser1;
627 EXPECT_EQ(RET_SUCCESS,
628 TestCommon::AllocTestHapToken(g_testHapInfoParams, g_testPolicyParams, fullIdUser1));
629
630 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = false};
631 UserState user2 = {.userId = MOCK_USER_ID_10002, .isActive = false};
632 std::vector<UserState> userList = { user1, user2};
633 std::vector<std::string> permList = { INTERNET };
634 EXPECT_EQ(0, AccessTokenKit::InitUserPolicy(userList, permList));
635 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
636 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
637 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET, true),
638 PERMISSION_DENIED);
639 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET, true),
640 PERMISSION_DENIED);
641
642 int32_t res = AccessTokenKit::ClearUserPolicy();
643 EXPECT_EQ(res, 0);
644
645 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
646 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser2.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
647
648 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
649 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser2.tokenIdExStruct.tokenID));
650 }
651
652
653 /**
654 * @tc.name: UserPolicyForUpdateHapTokenTest
655 * @tc.desc: UpdateHapToken and check permission status with user policy After .
656 * @tc.type: FUNC
657 * @tc.require:Issue Number
658 */
659 HWTEST_F(EdmPolicySetTest, UserPolicyForUpdateHapTokenTest, TestSize.Level0)
660 {
661 HapPolicyParams testPolicyParams1 = {
662 .apl = APL_SYSTEM_CORE,
663 .domain = "test.domain2",
664 .permStateList = {
665 g_infoManagerNetWorkState,
666 }
667 };
668 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
669 AccessTokenIDEx fullIdUser1;
670 EXPECT_EQ(RET_SUCCESS,
671 TestCommon::AllocTestHapToken(g_testHapInfoParams, testPolicyParams1, fullIdUser1));
672
673 UserState user1 = {.userId = MOCK_USER_ID_10001, .isActive = false};
674 std::vector<UserState> userList = { user1};
675 std::vector<std::string> permList = { INTERNET };
676 EXPECT_EQ(0, AccessTokenKit::InitUserPolicy(userList, permList));
677 HapPolicyParams testPolicyParams2 = {
678 .apl = APL_SYSTEM_CORE,
679 .domain = "test.domain2",
680 .permStateList = {
681 g_infoManagerInternetState,
682 g_infoManagerNetWorkState,
683 }
684 };
685 UpdateHapInfoParams info;
686 info.appIDDesc = "TEST";
687 info.apiVersion = 12;
688 info.isSystemApp = false;
689 {
690 MockNativeToken mock("foundation");
691 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::UpdateHapToken(fullIdUser1, info, testPolicyParams2));
692 }
693 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_DENIED);
694
695 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::ClearUserPolicy());
696 EXPECT_EQ(AccessTokenKit::VerifyAccessToken(fullIdUser1.tokenIdExStruct.tokenID, INTERNET), PERMISSION_GRANTED);
697
698 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(fullIdUser1.tokenIdExStruct.tokenID));
699 }
700
701 /**
702 * @tc.name: SetPermissionStatusWithPolicy001
703 * @tc.desc: Normal parameter testing.
704 * @tc.type: FUNC
705 * @tc.require:Issue Number
706 */
707 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy001, TestSize.Level0)
708 {
709 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy001");
710
711 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
712 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
713 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
714 ASSERT_NE(INVALID_TOKENID, tokenID);
715
716 MockNativeToken mock("edm");
717 uint64_t selfTokenId = GetSelfTokenID();
718 ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false));
719
720 uint32_t flag = 0;
721 std::vector<std::string> permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE};
722 std::vector<PermissionState> stateList = {PERMISSION_GRANTED, PERMISSION_DENIED};
723 for (auto status : stateList) {
724 GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy001 status: " << status;
725 EXPECT_EQ(RET_SUCCESS,
726 AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, status, PERMISSION_FIXED_BY_ADMIN_POLICY));
727 std::vector<PermissionListState> permsList;
728 for (auto perm : permList) {
729 GTEST_LOG_(INFO) << "SetPermissionStatusWithPolicy001 check perm: " << perm;
730 EXPECT_EQ(status, AccessTokenKit::VerifyAccessToken(tokenID, perm, false));
731 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, perm, flag));
732 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
733 }
734 }
735
736 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
737 }
738
739 /**
740 * @tc.name: SetPermissionStatusWithPolicy002
741 * @tc.desc: tokenID exception test.
742 * @tc.type: FUNC
743 * @tc.require:Issue Number
744 */
745 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy002, TestSize.Level0)
746 {
747 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy002");
748
749 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
750 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
751 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
752 ASSERT_NE(INVALID_TOKENID, tokenID);
753
754 MockNativeToken mock("edm");
755 uint64_t selfTokenId = GetSelfTokenID();
756 ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false));
757
758 std::vector<std::string> permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE};
759 uint32_t ret = RET_SUCCESS;
760 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
761 INVALID_TOKENID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
762 EXPECT_EQ(ERR_PARAM_INVALID, ret);
763
764 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
765 }
766
767 /**
768 * @tc.name: SetPermissionStatusWithPolicy003
769 * @tc.desc: PermissionList exception test.
770 * @tc.type: FUNC
771 * @tc.require:Issue Number
772 */
773 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy003, TestSize.Level0)
774 {
775 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy003");
776
777 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
778 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
779 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
780 ASSERT_NE(INVALID_TOKENID, tokenID);
781
782 MockNativeToken mock("edm");
783 uint64_t selfTokenId = GetSelfTokenID();
784 ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false));
785
786 uint32_t ret = RET_SUCCESS;
787
788 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
789 tokenID, {""}, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
790 EXPECT_EQ(ERR_PARAM_INVALID, ret);
791
792 std::string permName(MAX_LENGTH + 1, 'A');
793 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
794 tokenID, {""}, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
795 EXPECT_EQ(ERR_PARAM_INVALID, ret);
796
797 std::vector<std::string> permList = {};
798 ret = RET_SUCCESS;
799 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
800 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
801 EXPECT_EQ(ERR_PARAM_INVALID, ret);
802
803 permList.resize(MAX_PERMISSION_LIST_SIZE + 1, MICROPHONE);
804 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
805 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
806 EXPECT_EQ(ERR_PARAM_INVALID, ret);
807
808 permList.clear();
809 permList.push_back("ohos.permission.TEST_123");
810 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
811 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
812 EXPECT_EQ(ERR_PERMISSION_NOT_EXIST, ret);
813
814 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
815 }
816
817 /**
818 * @tc.name: SetPermissionStatusWithPolicy004
819 * @tc.desc: status exception test.
820 * @tc.type: FUNC
821 * @tc.require:Issue Number
822 */
823 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy004, TestSize.Level0)
824 {
825 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy004");
826
827 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
828 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
829 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
830 ASSERT_NE(INVALID_TOKENID, tokenID);
831
832 MockNativeToken mock("edm");
833 uint64_t selfTokenId = GetSelfTokenID();
834 ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false));
835
836 std::vector<std::string> permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE};
837 uint32_t ret = RET_SUCCESS;
838 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
839 tokenID, permList, 1, PERMISSION_FIXED_BY_ADMIN_POLICY);
840 EXPECT_EQ(ERR_PARAM_INVALID, ret);
841
842 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
843 }
844
845 /**
846 * @tc.name: SetPermissionStatusWithPolicy005
847 * @tc.desc: flag exception test.
848 * @tc.type: FUNC
849 * @tc.require:Issue Number
850 */
851 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy005, TestSize.Level0)
852 {
853 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy005");
854
855 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
856 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
857 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
858 ASSERT_NE(INVALID_TOKENID, tokenID);
859
860 MockNativeToken mock("edm");
861 uint64_t selfTokenId = GetSelfTokenID();
862 ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false));
863
864 std::vector<std::string> permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE};
865
866 EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_DENIED,
867 1<<9));
868 EXPECT_EQ(ERR_PARAM_INVALID, AccessTokenKit::SetPermissionStatusWithPolicy(tokenID, permList, PERMISSION_GRANTED,
869 1<<6));
870
871 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
872 }
873
874 /**
875 * @tc.name: SetPermissionStatusWithPolicy006
876 * @tc.desc: hap unauthorized testing.
877 * @tc.type: FUNC
878 * @tc.require:Issue Number
879 */
880 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy006, TestSize.Level0)
881 {
882 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy006");
883
884 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
885 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
886 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
887 ASSERT_NE(INVALID_TOKENID, tokenID);
888
889 MockNativeToken mock("edm");
890 uint64_t selfTokenId = GetSelfTokenID();
891 ASSERT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(selfTokenId, MANAGE_EDM_POLICY, false));
892
893 std::vector<std::string> permList = {CAMERA};
894 uint32_t ret = RET_SUCCESS;
895 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
896 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
897 EXPECT_EQ(ERR_PARAM_INVALID, ret);
898
899 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
900 }
901
902 /**
903 * @tc.name: SetPermissionStatusWithPolicy007
904 * @tc.desc: The caller has no permission to test.
905 * @tc.type: FUNC
906 * @tc.require:Issue Number
907 */
908 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy007, TestSize.Level0)
909 {
910 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy007");
911
912 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
913 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
914 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
915 ASSERT_NE(INVALID_TOKENID, tokenID);
916
917 MockNativeToken mock("foundation");
918
919 std::vector<std::string> permList = {MICROPHONE, CUSTOM_SCREEN_CAPTURE};
920 uint32_t ret = RET_SUCCESS;
921 int32_t selfUid = getuid();
922 setuid(10001);
923 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
924 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
925 EXPECT_EQ(ERR_PERMISSION_DENIED, ret);
926 setuid(selfUid);
927 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
928 }
929
930 /**
931 * @tc.name: SetPermissionStatusWithPolicy008
932 * @tc.desc: Permission priority test.
933 * @tc.type: FUNC
934 * @tc.require:Issue Number
935 */
936 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy008, TestSize.Level0)
937 {
938 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy008");
939
940 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
941 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
942 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
943 ASSERT_NE(INVALID_TOKENID, tokenID);
944 MockNativeToken mock("edm");
945
946 uint32_t flag = 0;
947 uint32_t ret = RET_SUCCESS;
948
949 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
950 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
951 tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL);
952 EXPECT_EQ(ERR_PARAM_INVALID, ret);
953 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
954 EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag);
955
956 // 1. set flag is PERMISSION_USER_FIXED.
957 EXPECT_EQ(RET_SUCCESS, TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED));
958 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
959 EXPECT_EQ(PERMISSION_USER_FIXED, flag);
960
961 // 2. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
962 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
963 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
964 EXPECT_EQ(RET_SUCCESS, ret);
965 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
966 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
967
968 // 3. can't clear PERMISSION_FIXED_BY_ADMIN_POLICY.
969 EXPECT_EQ(RET_SUCCESS, TestCommon::ClearUserGrantedPermissionStateByTest(tokenID));
970 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
971 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
972 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
973
974 // 4. can't set flag is PERMISSION_USER_FIXED.
975 EXPECT_EQ(ERR_PERMISSION_RESTRICTED,
976 TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED));
977 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
978 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
979
980 // 5. can set flag is PERMISSION_SYSTEM_FIXED.
981 EXPECT_EQ(RET_SUCCESS, TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_SYSTEM_FIXED));
982 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
983 EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag);
984
985 // 6. can not set flag is PERMISSION_FIXED_BY_ADMIN_POLICY
986 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
987 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
988 EXPECT_EQ(ERR_PARAM_INVALID, ret);
989 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
990 EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag);
991
992 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
993 }
994
995 /**
996 * @tc.name: SetPermissionStatusWithPolicy009
997 * @tc.desc: Permission priority test.
998 * @tc.type: FUNC
999 * @tc.require:Issue Number
1000 */
1001 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy009, TestSize.Level0)
1002 {
1003 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy009");
1004
1005 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1006 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1007 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1008 ASSERT_NE(INVALID_TOKENID, tokenID);
1009 MockNativeToken mock("edm");
1010
1011 uint32_t flag = 0;
1012 uint32_t ret = RET_SUCCESS;
1013 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1014
1015 // set flag is PERMISSION_FIXED_BY_ADMIN_POLICY, status is PERMISSION_GRANTED.
1016 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1017 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1018 EXPECT_EQ(RET_SUCCESS, ret);
1019 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1020 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1021 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1022
1023 // set flag is PERMISSION_ADMIN_POLICIES_CANCEL, status is PERMISSION_DENIED.
1024 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1025 tokenID, permList, PERMISSION_DENIED, PERMISSION_ADMIN_POLICIES_CANCEL);
1026 EXPECT_EQ(RET_SUCCESS, ret);
1027 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1028 // flag is change.
1029 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1030 // status is not change.
1031 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1032
1033 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1034 }
1035
1036 /**
1037 * @tc.name: SetPermissionStatusWithPolicy010
1038 * @tc.desc: Permission priority test.
1039 * @tc.type: FUNC
1040 * @tc.require:Issue Number
1041 */
1042 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy010, TestSize.Level0)
1043 {
1044 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy010");
1045
1046 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1047 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1048 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1049 ASSERT_NE(INVALID_TOKENID, tokenID);
1050 MockNativeToken mock("edm");
1051
1052 uint32_t flag = 0;
1053 uint32_t ret = RET_SUCCESS;
1054 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1055
1056 // set flag is PERMISSION_ADMIN_POLICIES_CANCEL, status is PERMISSION_GRANTED.
1057 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1058 tokenID, permList, PERMISSION_DENIED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1059 EXPECT_EQ(RET_SUCCESS, ret);
1060 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1061 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1062 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1063 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1064 tokenID, permList, PERMISSION_DENIED, PERMISSION_ADMIN_POLICIES_CANCEL);
1065 EXPECT_EQ(RET_SUCCESS, ret);
1066 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1067 // flag is change.
1068 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1069 // status is not change.
1070 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1071
1072 // can GrantPermission the flag is PERMISSION_USER_FIXED.
1073 ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED);
1074 EXPECT_EQ(RET_SUCCESS, ret);
1075 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1076 EXPECT_EQ(PERMISSION_USER_FIXED, flag);
1077 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1078
1079 // set flag is PERMISSION_ADMIN_POLICIES_CANCEL, status is PERMISSION_GRANTED.
1080 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1081 tokenID, permList, PERMISSION_DENIED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1082 EXPECT_EQ(RET_SUCCESS, ret);
1083 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1084 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1085 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1086 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1087 tokenID, permList, PERMISSION_DENIED, PERMISSION_ADMIN_POLICIES_CANCEL);
1088 EXPECT_EQ(RET_SUCCESS, ret);
1089 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1090 // flag is change.
1091 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1092 // status is not change.
1093 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1094
1095 // can set the flag is PERMISSION_FIXED_BY_ADMIN_POLICY
1096 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1097 tokenID, permList, PERMISSION_DENIED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1098 EXPECT_EQ(RET_SUCCESS, ret);
1099 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1100 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1101 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1102
1103 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1104 }
1105
1106 /**
1107 * @tc.name: SetPermissionStatusWithPolicy011
1108 * @tc.desc: Permission priority test.
1109 * @tc.type: FUNC
1110 * @tc.require:Issue Number
1111 */
1112 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy011, TestSize.Level0)
1113 {
1114 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy011");
1115
1116 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1117 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1118 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1119 ASSERT_NE(INVALID_TOKENID, tokenID);
1120 MockNativeToken mock("edm");
1121
1122 uint32_t flag = 0;
1123 uint32_t ret = RET_SUCCESS;
1124 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1125
1126 for (const uint32_t &permFlag : g_permFlagList) {
1127 GTEST_LOG_(INFO) << "permFlag: " << permFlag;
1128 LOGI(ATM_DOMAIN, ATM_TAG, "permFlag: %{public}u", permFlag);
1129 // GrantPermission the flag is permFlag.
1130 ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, permFlag);
1131 EXPECT_EQ(RET_SUCCESS, ret);
1132 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1133 if (permFlag == PERMISSION_PRE_AUTHORIZED_CANCELABLE) {
1134 // GetPermissionFlag will filt the PERMISSION_PRE_AUTHORIZED_CANCELABLE
1135 EXPECT_EQ(0, flag);
1136 } else if (permFlag == PERMISSION_COMPONENT_SET) {
1137 EXPECT_EQ(PERMISSION_COMPONENT_SET | PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1138 } else {
1139 EXPECT_EQ(permFlag, flag);
1140 }
1141 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1142
1143 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1144 tokenID, permList, PERMISSION_DENIED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1145 EXPECT_EQ(RET_SUCCESS, ret);
1146 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1147 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1148
1149 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1150 tokenID, permList, PERMISSION_DENIED, PERMISSION_ADMIN_POLICIES_CANCEL);
1151 EXPECT_EQ(RET_SUCCESS, ret);
1152 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1153 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1154 }
1155
1156 // GrantPermission the flag is PERMISSION_SYSTEM_FIXED.
1157 ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_SYSTEM_FIXED);
1158 EXPECT_EQ(RET_SUCCESS, ret);
1159 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1160 EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag);
1161 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1162
1163 // can't set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1164 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1165 tokenID, permList, PERMISSION_DENIED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1166 EXPECT_EQ(ERR_PARAM_INVALID, ret);
1167 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1168 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1169 EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag);
1170
1171 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1172 }
1173
1174 /**
1175 * @tc.name: SetPermissionStatusWithPolicy012
1176 * @tc.desc: Permission priority test.
1177 * @tc.type: FUNC
1178 * @tc.require:Issue Number
1179 */
1180 HWTEST_F(EdmPolicySetTest, SetPermissionStatusWithPolicy012, TestSize.Level0)
1181 {
1182 LOGI(ATM_DOMAIN, ATM_TAG, "SetPermissionStatusWithPolicy012");
1183
1184 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1185 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1186 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1187 ASSERT_NE(INVALID_TOKENID, tokenID);
1188 MockNativeToken mock("edm");
1189
1190 uint32_t flag = 0;
1191 uint32_t ret = RET_SUCCESS;
1192 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1193
1194 std::vector<uint32_t> permFlagList = {
1195 PERMISSION_DEFAULT_FLAG,
1196 PERMISSION_USER_SET,
1197 PERMISSION_USER_FIXED,
1198 PERMISSION_PRE_AUTHORIZED_CANCELABLE,
1199 PERMISSION_COMPONENT_SET,
1200 PERMISSION_FIXED_FOR_SECURITY_POLICY,
1201 // PERMISSION_ALLOW_THIS_TIME
1202 };
1203
1204 // set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1205 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1206 tokenID, permList, PERMISSION_DENIED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1207 EXPECT_EQ(RET_SUCCESS, ret);
1208 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1209 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1210 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1211
1212 for (const uint32_t &permFlag : permFlagList) {
1213 GTEST_LOG_(INFO) << "permFlag: " << permFlag;
1214 LOGI(ATM_DOMAIN, ATM_TAG, "permFlag: %{public}u", permFlag);
1215 // can't GrantPermission the flag is permFlag.
1216 ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, permFlag);
1217 EXPECT_EQ(ERR_PERMISSION_RESTRICTED, ret);
1218 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1219 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1220 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1221 }
1222
1223 // can GrantPermission the flag is PERMISSION_SYSTEM_FIXED.
1224 ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_SYSTEM_FIXED);
1225 EXPECT_EQ(RET_SUCCESS, ret);
1226 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1227 EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag);
1228 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1229
1230 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1231 }
1232
1233 /**
1234 * @tc.name: EdmTestGrantPermission001
1235 * @tc.desc: Grant permission priority test.
1236 * @tc.type: FUNC
1237 * @tc.require:Issue Number
1238 */
1239 HWTEST_F(EdmPolicySetTest, EdmTestGrantPermission001, TestSize.Level0)
1240 {
1241 LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestGrantPermission001");
1242
1243 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1244 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1245 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1246 ASSERT_NE(INVALID_TOKENID, tokenID);
1247
1248 MockNativeToken mock("edm");
1249 uint32_t flag = 0;
1250
1251 // GrantPermission can't set PERMISSION_FIXED_BY_ADMIN_POLICY or PERMISSION_ADMIN_POLICIES_CANCEL
1252 EXPECT_EQ(ERR_PARAM_INVALID,
1253 TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_FIXED_BY_ADMIN_POLICY));
1254 EXPECT_EQ(ERR_PARAM_INVALID,
1255 TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_ADMIN_POLICIES_CANCEL));
1256
1257 // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1258 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1259 uint32_t ret = RET_SUCCESS;
1260 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1261 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1262 EXPECT_EQ(RET_SUCCESS, ret);
1263 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1264 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1265 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1266
1267 // 2. can't grant flag is PERMISSION_USER_FIXED
1268 ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED);
1269 EXPECT_EQ(ERR_PERMISSION_RESTRICTED, ret);
1270 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1271 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1272 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1273
1274 // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL.
1275 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1276 tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL);
1277 EXPECT_EQ(RET_SUCCESS, ret);
1278 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1279 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1280 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1281
1282 // 4. can grant flag is PERMISSION_USER_FIXED
1283 ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED);
1284 EXPECT_EQ(RET_SUCCESS, ret);
1285 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1286 EXPECT_EQ(PERMISSION_USER_FIXED, flag);
1287 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1288
1289 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1290 }
1291
1292 /**
1293 * @tc.name: EdmTestRevokePermission001
1294 * @tc.desc: Revoke permission priority test.
1295 * @tc.type: FUNC
1296 * @tc.require:Issue Number
1297 */
1298 HWTEST_F(EdmPolicySetTest, EdmTestRevokePermission001, TestSize.Level0)
1299 {
1300 LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestRevokePermission001");
1301
1302 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1303 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1304 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1305 ASSERT_NE(INVALID_TOKENID, tokenID);
1306
1307 MockNativeToken mock("edm");
1308 uint32_t flag = 0;
1309
1310 // RevokePermission can't set PERMISSION_FIXED_BY_ADMIN_POLICY or PERMISSION_ADMIN_POLICIES_CANCEL
1311 EXPECT_EQ(ERR_PARAM_INVALID,
1312 TestCommon::RevokePermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_FIXED_BY_ADMIN_POLICY));
1313 EXPECT_EQ(ERR_PARAM_INVALID,
1314 TestCommon::RevokePermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_ADMIN_POLICIES_CANCEL));
1315
1316 // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1317 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1318 uint32_t ret = RET_SUCCESS;
1319 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1320 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1321 EXPECT_EQ(RET_SUCCESS, ret);
1322 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1323 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1324 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1325
1326 // 2. can't revoke flag is PERMISSION_USER_FIXED
1327 ret = TestCommon::RevokePermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED);
1328 EXPECT_EQ(ERR_PERMISSION_RESTRICTED, ret);
1329 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1330 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1331 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1332
1333 // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL.
1334 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1335 tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL);
1336 EXPECT_EQ(RET_SUCCESS, ret);
1337 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1338 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1339 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1340
1341 // 4. can revoke flag is PERMISSION_USER_FIXED
1342 ret = TestCommon::RevokePermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED);
1343 EXPECT_EQ(RET_SUCCESS, ret);
1344 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1345 EXPECT_EQ(PERMISSION_USER_FIXED, flag);
1346 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1347
1348 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1349 }
1350
1351 /**
1352 * @tc.name: EdmTestClearUserGrantedPermissionState001
1353 * @tc.desc: Clear user granted permission state test.
1354 * @tc.type: FUNC
1355 * @tc.require:Issue Number
1356 */
1357 HWTEST_F(EdmPolicySetTest, EdmTestClearUserGrantedPermissionState001, TestSize.Level0)
1358 {
1359 LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestClearUserGrantedPermissionState001");
1360
1361 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1362 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1363 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1364 ASSERT_NE(INVALID_TOKENID, tokenID);
1365
1366 MockNativeToken mock("edm");
1367 uint32_t flag = 0;
1368
1369 // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1370 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1371 uint32_t ret = RET_SUCCESS;
1372 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1373 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1374 EXPECT_EQ(RET_SUCCESS, ret);
1375 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1376 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1377 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1378
1379 // 2. can't clear flag is PERMISSION_FIXED_BY_ADMIN_POLICY
1380 ret = TestCommon::ClearUserGrantedPermissionStateByTest(tokenID);
1381 EXPECT_EQ(RET_SUCCESS, ret);
1382 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1383 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1384 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1385
1386 // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL.
1387 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1388 tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL);
1389 EXPECT_EQ(RET_SUCCESS, ret);
1390 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1391 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1392 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1393
1394 // 4. can clear flag is PERMISSION_ADMIN_POLICIES_CANCEL
1395 ret = TestCommon::ClearUserGrantedPermissionStateByTest(tokenID);
1396 EXPECT_EQ(RET_SUCCESS, ret);
1397 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1398 EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag);
1399 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1400
1401 // 5. set flag is PERMISSION_USER_FIXED
1402 ret = TestCommon::GrantPermissionByTest(tokenID, CUSTOM_SCREEN_CAPTURE, PERMISSION_USER_FIXED);
1403 EXPECT_EQ(RET_SUCCESS, ret);
1404 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1405 EXPECT_EQ(PERMISSION_USER_FIXED, flag);
1406
1407 // 6. can clear flag is PERMISSION_USER_FIXED
1408 ret = TestCommon::ClearUserGrantedPermissionStateByTest(tokenID);
1409 EXPECT_EQ(RET_SUCCESS, ret);
1410 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1411 EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag);
1412 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1413
1414 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1415 }
1416
1417 /**
1418 * @tc.name: EdmTestGetSelfPermissionsState001
1419 * @tc.desc: GetSelfPermissionsState test.
1420 * @tc.type: FUNC
1421 * @tc.require:Issue Number
1422 */
1423 HWTEST_F(EdmPolicySetTest, EdmTestGetSelfPermissionsState001, TestSize.Level0)
1424 {
1425 LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestGetSelfPermissionsState001");
1426
1427 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1428 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1429 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1430 ASSERT_NE(INVALID_TOKENID, tokenID);
1431
1432 MockNativeToken mock("edm");
1433 uint64_t selfTokenId = GetSelfTokenID();
1434 uint32_t flag = 0;
1435
1436 // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1437 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1438 uint32_t ret = RET_SUCCESS;
1439 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1440 tokenID, permList, PERMISSION_DENIED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1441 EXPECT_EQ(RET_SUCCESS, ret);
1442 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1443 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1444 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1445
1446 // 2. get permission state is FORBIDDEN_OPER.
1447 std::vector<PermissionListState> permsList = {{CUSTOM_SCREEN_CAPTURE}};
1448 PermissionGrantInfo info;
1449 SetSelfTokenID(tokenID);
1450 EXPECT_EQ(FORBIDDEN_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info));
1451 EXPECT_EQ(FORBIDDEN_OPER, permsList[0].state);
1452 SetSelfTokenID(selfTokenId);
1453
1454 // 3. set flag is PERMISSION_ADMIN_POLICIES_CANCEL.
1455 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1456 tokenID, permList, PERMISSION_DENIED, PERMISSION_ADMIN_POLICIES_CANCEL);
1457 EXPECT_EQ(RET_SUCCESS, ret);
1458 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1459 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1460 EXPECT_EQ(PERMISSION_DENIED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1461
1462 // 4. get permission state is SETTING_OPER.
1463 SetSelfTokenID(tokenID);
1464 EXPECT_EQ(PASS_OPER, AccessTokenKit::GetSelfPermissionsState(permsList, info));
1465 EXPECT_EQ(SETTING_OPER, permsList[0].state);
1466 SetSelfTokenID(selfTokenId);
1467
1468 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1469 }
1470
1471
1472 /**
1473 * @tc.name: EdmTestUpdateHapToken001
1474 * @tc.desc: GetSelfPermissionsState test with admin fixed status.
1475 * @tc.type: FUNC
1476 * @tc.require:Issue Number
1477 */
1478 HWTEST_F(EdmPolicySetTest, EdmTestUpdateHapToken001, TestSize.Level0)
1479 {
1480 LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestUpdateHapToken001");
1481
1482 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1483 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1484 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1485 ASSERT_NE(INVALID_TOKENID, tokenID);
1486
1487 MockNativeToken mock("edm");
1488 uint32_t flag = 0;
1489 uint32_t ret = RET_SUCCESS;
1490
1491 // can't UpdateHapToken flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1492 {
1493 MockNativeToken mock("foundation");
1494 ret = AccessTokenKit::UpdateHapToken(tokenIdEx, g_updateHapInfo, g_testPolicyParams04);
1495 }
1496 EXPECT_EQ(RET_SUCCESS, ret);
1497 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1498 EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag);
1499 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1500
1501 // can't UpdateHapToken flag is PERMISSION_ADMIN_POLICIES_CANCEL.
1502 {
1503 MockNativeToken mock("foundation");
1504 ret = AccessTokenKit::UpdateHapToken(tokenIdEx, g_updateHapInfo, g_testPolicyParams05);
1505 }
1506 EXPECT_EQ(RET_SUCCESS, ret);
1507 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1508 EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag); // PERMISSION_ADMIN_POLICIES_CANCEL not return
1509 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1510
1511 // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1512 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1513 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1514 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1515 EXPECT_EQ(RET_SUCCESS, ret);
1516 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1517 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1518 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1519
1520 // 2. can't UpdateHapToken flag is PERMISSION_PRE_AUTHORIZED_CANCELABLE.
1521 {
1522 MockNativeToken mock("foundation");
1523 ret = AccessTokenKit::UpdateHapToken(tokenIdEx, g_updateHapInfo, g_testPolicyParams02);
1524 }
1525 EXPECT_EQ(RET_SUCCESS, ret);
1526 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1527 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1528 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1529
1530 // 3. can UpdateHapToken flag is PERMISSION_SYSTEM_FIXED.
1531 {
1532 MockNativeToken mock("foundation");
1533 ret = AccessTokenKit::UpdateHapToken(tokenIdEx, g_updateHapInfo, g_testPolicyParams03);
1534 }
1535 EXPECT_EQ(RET_SUCCESS, ret);
1536 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1537 EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag);
1538 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1539 }
1540
1541
1542 /**
1543 * @tc.name: EdmTestUpdateHapToken002
1544 * @tc.desc: UpdateHapToken test with admin cancel status.
1545 * @tc.type: FUNC
1546 * @tc.require:Issue Number
1547 */
1548 HWTEST_F(EdmPolicySetTest, EdmTestUpdateHapToken002, TestSize.Level0)
1549 {
1550 LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestUpdateHapToken002");
1551
1552 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1553 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1554 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1555 ASSERT_NE(INVALID_TOKENID, tokenID);
1556
1557 MockNativeToken mock("edm");
1558 uint32_t flag = 0;
1559
1560 // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1561 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1562 uint32_t ret = RET_SUCCESS;
1563 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1564 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1565 EXPECT_EQ(RET_SUCCESS, ret);
1566 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1567 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1568 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1569
1570 // 2. set flag is PERMISSION_ADMIN_POLICIES_CANCEL.
1571 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1572 tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL);
1573 EXPECT_EQ(RET_SUCCESS, ret);
1574 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1575 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1576 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1577
1578 // 3. can UpdateHapToken flag is PERMISSION_PRE_AUTHORIZED_CANCELABLE.
1579 UpdateHapInfoParams info;
1580 info.appIDDesc = "TEST";
1581 info.apiVersion = 12;
1582 info.isSystemApp = false;
1583 {
1584 MockNativeToken mock("foundation");
1585 ret = AccessTokenKit::UpdateHapToken(tokenIdEx, info, g_testPolicyParams02);
1586 }
1587 EXPECT_EQ(RET_SUCCESS, ret);
1588 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1589 EXPECT_EQ(PERMISSION_DEFAULT_FLAG, flag); // PERMISSION_PRE_AUTHORIZED_CANCELABLE not return
1590 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1591
1592 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1593 }
1594
1595 /**
1596 * @tc.name: EdmTestUpdateHapToken003
1597 * @tc.desc: UpdateHapToken test with system fixed status.
1598 * @tc.type: FUNC
1599 * @tc.require:Issue Number
1600 */
1601 HWTEST_F(EdmPolicySetTest, EdmTestUpdateHapToken003, TestSize.Level0)
1602 {
1603 LOGI(ATM_DOMAIN, ATM_TAG, "EdmTestUpdateHapToken003");
1604
1605 g_testHapInfoParams.userID = MOCK_USER_ID_10001;
1606 AccessTokenIDEx tokenIdEx = TestCommon::AllocAndGrantHapTokenByTest(g_testHapInfoParams, g_testPolicyParams);
1607 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
1608 ASSERT_NE(INVALID_TOKENID, tokenID);
1609
1610 MockNativeToken mock("edm");
1611 uint32_t flag = 0;
1612
1613 // 1. set flag is PERMISSION_FIXED_BY_ADMIN_POLICY.
1614 std::vector<std::string> permList = {CUSTOM_SCREEN_CAPTURE};
1615 uint32_t ret = RET_SUCCESS;
1616 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1617 tokenID, permList, PERMISSION_GRANTED, PERMISSION_FIXED_BY_ADMIN_POLICY);
1618 EXPECT_EQ(RET_SUCCESS, ret);
1619 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1620 EXPECT_EQ(PERMISSION_FIXED_BY_ADMIN_POLICY, flag);
1621 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1622
1623 // 2. set flag is PERMISSION_ADMIN_POLICIES_CANCEL.
1624 ret = AccessTokenKit::SetPermissionStatusWithPolicy(
1625 tokenID, permList, PERMISSION_GRANTED, PERMISSION_ADMIN_POLICIES_CANCEL);
1626 EXPECT_EQ(RET_SUCCESS, ret);
1627 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1628 EXPECT_EQ(PERMISSION_ADMIN_POLICIES_CANCEL, flag);
1629 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1630
1631 // 3. can UpdateHapToken flag is PERMISSION_SYSTEM_FIXED.
1632 UpdateHapInfoParams info;
1633 info.appIDDesc = "TEST";
1634 info.apiVersion = 12;
1635 info.isSystemApp = false;
1636 {
1637 MockNativeToken mock("foundation");
1638 ret = AccessTokenKit::UpdateHapToken(tokenIdEx, info, g_testPolicyParams03);
1639 }
1640 EXPECT_EQ(RET_SUCCESS, ret);
1641 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::GetPermissionFlag(tokenID, CUSTOM_SCREEN_CAPTURE, flag));
1642 EXPECT_EQ(PERMISSION_SYSTEM_FIXED, flag);
1643 EXPECT_EQ(PERMISSION_GRANTED, AccessTokenKit::VerifyAccessToken(tokenID, CUSTOM_SCREEN_CAPTURE, false));
1644
1645 EXPECT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
1646 }
1647