1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "grant_permission_test.h"
17 #include "gtest/gtest.h"
18 #include <thread>
19
20 #include "access_token.h"
21 #include "access_token_error.h"
22 #include "accesstoken_common_log.h"
23 #include "iaccess_token_manager.h"
24 #include "permission_grant_info.h"
25 #include "permission_state_change_info_parcel.h"
26 #include "string_ex.h"
27 #include "test_common.h"
28 #include "tokenid_kit.h"
29 #include "token_setproc.h"
30
31 using namespace testing::ext;
32 namespace OHOS {
33 namespace Security {
34 namespace AccessToken {
35 namespace {
36 static uint64_t g_selfTokenId = 0;
37 static const std::string TEST_BUNDLE_NAME = "ohos";
38 static const int INVALID_PERMNAME_LEN = 260;
39 static const unsigned int TEST_TOKENID_INVALID = 0;
40 static const int CYCLE_TIMES = 100;
41 static const int TEST_USER_ID = 0;
42 static constexpr int32_t DEFAULT_API_VERSION = 8;
43 static MockHapToken* g_mock = nullptr;
44 };
45
SetUpTestCase()46 void GrantPermissionTest::SetUpTestCase()
47 {
48 g_selfTokenId = GetSelfTokenID();
49 TestCommon::SetTestEvironment(g_selfTokenId);
50
51 std::vector<std::string> reqPerm;
52 reqPerm.emplace_back("ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
53 reqPerm.emplace_back("ohos.permission.REVOKE_SENSITIVE_PERMISSIONS");
54 g_mock = new (std::nothrow) MockHapToken("GrantPermissionTest", reqPerm);
55
56 // clean up test cases
57 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
58 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
59 TestCommon::DeleteTestHapToken(tokenID);
60 }
61
TearDownTestCase()62 void GrantPermissionTest::TearDownTestCase()
63 {
64 if (g_mock != nullptr) {
65 delete g_mock;
66 g_mock = nullptr;
67 }
68 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
69 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
70 TestCommon::DeleteTestHapToken(tokenID);
71
72 SetSelfTokenID(g_selfTokenId);
73 TestCommon::ResetTestEvironment();
74 }
75
SetUp()76 void GrantPermissionTest::SetUp()
77 {
78 LOGI(ATM_DOMAIN, ATM_TAG, "SetUp ok.");
79
80 setuid(0);
81 HapInfoParams info = {
82 .userID = TEST_USER_ID,
83 .bundleName = TEST_BUNDLE_NAME,
84 .instIndex = 0,
85 .appIDDesc = "GrantPermissionTest",
86 .apiVersion = DEFAULT_API_VERSION
87 };
88 PermissionStateFull permStatMicro = {
89 .permissionName = "ohos.permission.MICROPHONE",
90 .isGeneral = true,
91 .resDeviceID = {"device3"},
92 .grantStatus = {PermissionState::PERMISSION_DENIED},
93 .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
94 };
95 PermissionStateFull permStatCam = {
96 .permissionName = "ohos.permission.CAMERA",
97 .isGeneral = true,
98 .resDeviceID = {"device3"},
99 .grantStatus = {PermissionState::PERMISSION_GRANTED},
100 .grantFlags = {PermissionFlag::PERMISSION_USER_FIXED}
101 };
102
103 HapPolicyParams policy = {
104 .apl = APL_NORMAL,
105 .domain = "GrantPermissionTest",
106 .permStateList = { permStatMicro, permStatCam },
107 };
108
109 AccessTokenIDEx tokenIdEx = {0};
110 ASSERT_EQ(RET_SUCCESS, TestCommon::AllocTestHapToken(info, policy, tokenIdEx));
111 AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID;
112 ASSERT_NE(tokenId, INVALID_TOKENID);
113 }
114
TearDown()115 void GrantPermissionTest::TearDown()
116 {
117 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
118 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
119 TestCommon::DeleteTestHapToken(tokenID);
120 }
121
122 /**
123 * @tc.name: GrantPermissionFuncTest001
124 * @tc.desc: Grant permission that has ohos.permission.GRANT_SENSITIVE_PERMISSIONS
125 * @tc.type: FUNC
126 * @tc.require: Issue Number
127 */
128 HWTEST_F(GrantPermissionTest, GrantPermissionFuncTest001, TestSize.Level0)
129 {
130 LOGI(ATM_DOMAIN, ATM_TAG, "GrantPermissionFuncTest001");
131
132 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
133 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
134 ASSERT_NE(INVALID_TOKENID, tokenID);
135 int ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
136 ASSERT_EQ(RET_SUCCESS, ret);
137
138 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE", false);
139 ASSERT_EQ(PERMISSION_GRANTED, ret);
140
141 ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.CAMERA", PERMISSION_USER_FIXED);
142 ASSERT_EQ(RET_SUCCESS, ret);
143
144 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.CAMERA", false);
145 ASSERT_EQ(PERMISSION_GRANTED, ret);
146
147 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
148 }
149
150 /**
151 * @tc.name: GrantPermissionAbnormalTest001
152 * @tc.desc: Grant permission that tokenID or permission is invalid.
153 * @tc.type: FUNC
154 * @tc.require: Issue Number
155 */
156 HWTEST_F(GrantPermissionTest, GrantPermissionAbnormalTest001, TestSize.Level0)
157 {
158 LOGI(ATM_DOMAIN, ATM_TAG, "GrantPermissionAbnormalTest001");
159
160 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
161 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
162 ASSERT_NE(INVALID_TOKENID, tokenID);
163
164 int ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.GAMMA", PERMISSION_USER_FIXED);
165 ASSERT_EQ(ERR_PERMISSION_NOT_EXIST, ret);
166
167 ret = AccessTokenKit::GrantPermission(tokenID, "", PERMISSION_USER_FIXED);
168 ASSERT_EQ(AccessTokenError::ERR_PARAM_INVALID, ret);
169
170 std::string invalidPerm(INVALID_PERMNAME_LEN, 'a');
171 ret = AccessTokenKit::GrantPermission(tokenID, invalidPerm, PERMISSION_USER_FIXED);
172 ASSERT_EQ(AccessTokenError::ERR_PARAM_INVALID, ret);
173
174 ret = AccessTokenKit::GrantPermission(TEST_TOKENID_INVALID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
175 ASSERT_EQ(AccessTokenError::ERR_PARAM_INVALID, ret);
176
177 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
178
179 ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.BETA", PERMISSION_USER_FIXED);
180 ASSERT_EQ(ERR_PERMISSION_NOT_EXIST, ret);
181 }
182
183 /**
184 * @tc.name: GrantPermissionAbnormalTest002
185 * @tc.desc: GrantPermission function abnormal branch
186 * @tc.type: FUNC
187 * @tc.require:Issue I5RJBB
188 */
189 HWTEST_F(GrantPermissionTest, GrantPermissionAbnormalTest002, TestSize.Level0)
190 {
191 LOGI(ATM_DOMAIN, ATM_TAG, "GrantPermissionAbnormalTest002");
192
193 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
194 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
195 ASSERT_NE(INVALID_TOKENID, tokenID);
196
197 int32_t invalidFlag = -1;
198 int32_t ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.MICROPHONE", invalidFlag);
199 ASSERT_EQ(AccessTokenError::ERR_PARAM_INVALID, ret);
200 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
201 }
202
203 /**
204 * @tc.name: GrantPermissionSpecsTest001
205 * @tc.desc: GrantPermission is invoked multiple times.
206 * @tc.type: FUNC
207 * @tc.require: Issue Number
208 */
209 HWTEST_F(GrantPermissionTest, GrantPermissionSpecsTest001, TestSize.Level0)
210 {
211 LOGI(ATM_DOMAIN, ATM_TAG, "GrantPermissionSpecsTest001");
212
213 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
214 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
215 ASSERT_NE(INVALID_TOKENID, tokenID);
216 uint32_t flag;
217 for (int i = 0; i < CYCLE_TIMES; i++) {
218 int32_t ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
219 ASSERT_EQ(RET_SUCCESS, ret);
220
221 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE", false);
222 ASSERT_EQ(PERMISSION_GRANTED, ret);
223
224 ret = AccessTokenKit::GetPermissionFlag(tokenID, "ohos.permission.MICROPHONE", flag);
225 ASSERT_EQ(PERMISSION_USER_FIXED, flag);
226 ASSERT_EQ(RET_SUCCESS, ret);
227 }
228 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
229 }
230
231 /**
232 * @tc.name: GrantPermissionSpecsTest002
233 * @tc.desc: GrantPermission caller is normal app.
234 * @tc.type: FUNC
235 * @tc.require: issueI66BH3
236 */
237 HWTEST_F(GrantPermissionTest, GrantPermissionSpecsTest002, TestSize.Level0)
238 {
239 LOGI(ATM_DOMAIN, ATM_TAG, "GrantPermissionSpecsTest002");
240 std::vector<std::string> reqPerm;
241 reqPerm.emplace_back("ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
242 MockHapToken mock("GrantPermissionSpecsTest002", reqPerm, false);
243
244 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
245 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
246 ASSERT_NE(INVALID_TOKENID, tokenID);
247 int ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
248 ASSERT_EQ(ERR_NOT_SYSTEM_APP, ret);
249
250 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
251 }
252
253 /**
254 * @tc.name: GrantPermissionSpecsTest003
255 * @tc.desc: GrantPermission caller is system app.
256 * @tc.type: FUNC
257 * @tc.require: issueI66BH3
258 */
259 HWTEST_F(GrantPermissionTest, GrantPermissionSpecsTest003, TestSize.Level0)
260 {
261 LOGI(ATM_DOMAIN, ATM_TAG, "GrantPermissionSpecsTest003");
262
263 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
264 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
265 int ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
266 ASSERT_EQ(RET_SUCCESS, ret);
267
268 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE", false);
269 ASSERT_EQ(PERMISSION_GRANTED, ret);
270
271 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
272 }
273
274 /**
275 * @tc.name: GrantPermissionSpecsTest004
276 * @tc.desc: success to revoke permission when granting permission twice by secure component.
277 * @tc.type: FUNC
278 * @tc.require: issueI66BH3
279 */
280 HWTEST_F(GrantPermissionTest, GrantPermissionSpecsTest004, TestSize.Level0)
281 {
282 std::vector<std::string> reqPerm;
283 reqPerm.emplace_back("ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
284 reqPerm.emplace_back("ohos.permission.REVOKE_SENSITIVE_PERMISSIONS");
285 MockHapToken mock("GrantPermissionSpecsTest004", reqPerm, true);
286
287 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
288 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
289 int ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.SECURE_PASTE", PERMISSION_COMPONENT_SET);
290 ASSERT_EQ(RET_SUCCESS, ret);
291 ret = AccessTokenKit::GrantPermission(tokenID, "ohos.permission.SECURE_PASTE", PERMISSION_COMPONENT_SET);
292 ASSERT_EQ(RET_SUCCESS, ret);
293
294 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.SECURE_PASTE", false);
295 ASSERT_EQ(PERMISSION_GRANTED, ret);
296
297 ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.SECURE_PASTE", PERMISSION_COMPONENT_SET);
298 ASSERT_EQ(RET_SUCCESS, ret);
299
300 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.SECURE_PASTE", false);
301 ASSERT_EQ(PERMISSION_DENIED, ret);
302
303 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
304 }
305
306 /**
307 * @tc.name: GrantPermissionWithRenderTest001
308 * @tc.desc: Grant permission with render tokenID
309 * @tc.type: FUNC
310 * @tc.require: issue
311 */
312 HWTEST_F(GrantPermissionTest, GrantPermissionWithRenderTest001, TestSize.Level0)
313 {
314 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
315 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
316
317 // get render token
318 uint64_t renderToken = AccessTokenKit::GetRenderTokenID(tokenID);
319 ASSERT_NE(renderToken, INVALID_TOKENID);
320 ASSERT_NE(renderToken, tokenID);
321
322 int ret = AccessTokenKit::GrantPermission(renderToken, "ohos.permission.SECURE_PASTE", PERMISSION_COMPONENT_SET);
323 EXPECT_EQ(ERR_TOKENID_NOT_EXIST, ret);
324
325 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
326 }
327 } // namespace AccessToken
328 } // namespace Security
329 } // namespace OHOS