1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "revoke_permission_test.h"
17 #include "gtest/gtest.h"
18 #include <thread>
19
20 #include "access_token.h"
21 #include "access_token_error.h"
22 #include "accesstoken_common_log.h"
23 #include "iaccess_token_manager.h"
24 #include "permission_grant_info.h"
25 #include "permission_state_change_info_parcel.h"
26 #include "string_ex.h"
27 #include "test_common.h"
28 #include "tokenid_kit.h"
29 #include "token_setproc.h"
30
31 using namespace testing::ext;
32 namespace OHOS {
33 namespace Security {
34 namespace AccessToken {
35 namespace {
36 static uint64_t g_selfTokenId = 0;
37 static const std::string TEST_BUNDLE_NAME = "ohos";
38 static const int INVALID_PERMNAME_LEN = 260;
39 static const unsigned int TEST_TOKENID_INVALID = 0;
40 static const int CYCLE_TIMES = 100;
41 static const int TEST_USER_ID = 0;
42 static constexpr int32_t DEFAULT_API_VERSION = 8;
43 static MockHapToken* g_mock = nullptr;
44 };
45
SetUpTestCase()46 void RevokePermissionTest::SetUpTestCase()
47 {
48 g_selfTokenId = GetSelfTokenID();
49 TestCommon::SetTestEvironment(g_selfTokenId);
50
51 std::vector<std::string> reqPerm;
52 reqPerm.emplace_back("ohos.permission.REVOKE_SENSITIVE_PERMISSIONS");
53 g_mock = new (std::nothrow) MockHapToken("RevokePermissionTest", reqPerm);
54
55 // clean up test cases
56 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
57 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
58 TestCommon::DeleteTestHapToken(tokenID);
59 }
60
TearDownTestCase()61 void RevokePermissionTest::TearDownTestCase()
62 {
63 if (g_mock != nullptr) {
64 delete g_mock;
65 g_mock = nullptr;
66 }
67
68 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
69 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
70 TestCommon::DeleteTestHapToken(tokenID);
71
72 SetSelfTokenID(g_selfTokenId);
73 TestCommon::ResetTestEvironment();
74 }
75
SetUp()76 void RevokePermissionTest::SetUp()
77 {
78 LOGI(ATM_DOMAIN, ATM_TAG, "SetUp ok.");
79
80 setuid(0);
81 HapInfoParams info = {
82 .userID = TEST_USER_ID,
83 .bundleName = TEST_BUNDLE_NAME,
84 .instIndex = 0,
85 .appIDDesc = "RevokePermissionTest",
86 .apiVersion = DEFAULT_API_VERSION
87 };
88
89 PermissionStateFull permStatMicro = {
90 .permissionName = "ohos.permission.MICROPHONE",
91 .isGeneral = true,
92 .resDeviceID = {"device3"},
93 .grantStatus = {PermissionState::PERMISSION_DENIED},
94 .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
95 };
96 PermissionStateFull permStatCamera = {
97 .permissionName = "ohos.permission.CAMERA",
98 .isGeneral = true,
99 .resDeviceID = {"device3"},
100 .grantStatus = {PermissionState::PERMISSION_GRANTED},
101 .grantFlags = {PermissionFlag::PERMISSION_USER_FIXED}
102 };
103
104 HapPolicyParams policy = {
105 .apl = APL_NORMAL,
106 .domain = "RevokePermissionTest",
107 .permStateList = { permStatMicro, permStatCamera },
108 };
109
110 AccessTokenIDEx tokenIdEx = {0};
111 ASSERT_EQ(RET_SUCCESS, TestCommon::AllocTestHapToken(info, policy, tokenIdEx));
112 AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID;
113 ASSERT_NE(tokenId, INVALID_TOKENID);
114 }
115
TearDown()116 void RevokePermissionTest::TearDown()
117 {
118 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
119 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
120 TestCommon::DeleteTestHapToken(tokenID);
121 }
122
123 /**
124 * @tc.name: RevokePermissionFuncTest001
125 * @tc.desc: Revoke permission that has ohos.permission.REVOKE_SENSITIVE_PERMISSIONS
126 * @tc.type: FUNC
127 * @tc.require: Issue Number
128 */
129 HWTEST_F(RevokePermissionTest, RevokePermissionFuncTest001, TestSize.Level0)
130 {
131 LOGI(ATM_DOMAIN, ATM_TAG, "RevokePermissionFuncTest001");
132
133 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
134 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
135 ASSERT_NE(INVALID_TOKENID, tokenID);
136 int ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
137 ASSERT_EQ(RET_SUCCESS, ret);
138
139 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE", false);
140 ASSERT_EQ(PERMISSION_DENIED, ret);
141
142 ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.CAMERA", PERMISSION_USER_FIXED);
143 ASSERT_EQ(RET_SUCCESS, ret);
144
145 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE", false);
146 ASSERT_EQ(PERMISSION_DENIED, ret);
147
148 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
149 }
150
151 /**
152 * @tc.name: RevokePermissionAbnormalTest001
153 * @tc.desc: Revoke permission that tokenID is invalid.
154 * @tc.type: FUNC
155 * @tc.require: Issue Number
156 */
157 HWTEST_F(RevokePermissionTest, RevokePermissionAbnormalTest001, TestSize.Level0)
158 {
159 LOGI(ATM_DOMAIN, ATM_TAG, "RevokePermissionAbnormalTest001");
160
161 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
162 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
163 ASSERT_NE(INVALID_TOKENID, tokenID);
164
165 int ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.GAMMA", PERMISSION_USER_FIXED);
166 ASSERT_EQ(ERR_PERMISSION_NOT_EXIST, ret);
167
168 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
169 }
170
171 /**
172 * @tc.name: RevokePermissionAbnormalTest002
173 * @tc.desc: Revoke permission that permission is invalid.
174 * @tc.type: FUNC
175 * @tc.require: Issue Number
176 */
177 HWTEST_F(RevokePermissionTest, RevokePermissionAbnormalTest002, TestSize.Level0)
178 {
179 LOGI(ATM_DOMAIN, ATM_TAG, "RevokePermissionAbnormalTest002");
180
181 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
182 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
183 ASSERT_NE(INVALID_TOKENID, tokenID);
184
185 int ret = AccessTokenKit::RevokePermission(tokenID, "", PERMISSION_USER_FIXED);
186 ASSERT_EQ(AccessTokenError::ERR_PARAM_INVALID, ret);
187
188 std::string invalidPerm(INVALID_PERMNAME_LEN, 'a');
189 ret = AccessTokenKit::RevokePermission(tokenID, invalidPerm, PERMISSION_USER_FIXED);
190 ASSERT_EQ(AccessTokenError::ERR_PARAM_INVALID, ret);
191
192 ret = AccessTokenKit::RevokePermission(TEST_TOKENID_INVALID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
193 ASSERT_EQ(AccessTokenError::ERR_PARAM_INVALID, ret);
194
195 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
196
197 ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.BETA", PERMISSION_USER_FIXED);
198 ASSERT_EQ(ERR_PERMISSION_NOT_EXIST, ret);
199 }
200
201 /**
202 * @tc.name: RevokePermissionAbnormalTest003
203 * @tc.desc: Revoke permission that flag is invalid.
204 * @tc.type: FUNC
205 * @tc.require:Issue I5RJBB
206 */
207 HWTEST_F(RevokePermissionTest, RevokePermissionAbnormalTest003, TestSize.Level0)
208 {
209 LOGI(ATM_DOMAIN, ATM_TAG, "RevokePermissionAbnormalTest003");
210
211 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
212 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
213 ASSERT_NE(INVALID_TOKENID, tokenID);
214
215 int invalidFlag = -1;
216 int32_t ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.MICROPHONE", invalidFlag);
217 ASSERT_EQ(AccessTokenError::ERR_PARAM_INVALID, ret);
218
219 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
220 }
221
222 /**
223 * @tc.name: RevokePermissionSpecsTest001
224 * @tc.desc: RevokePermission is invoked multiple times.
225 * @tc.type: FUNC
226 * @tc.require: Issue Number
227 */
228 HWTEST_F(RevokePermissionTest, RevokePermissionSpecsTest001, TestSize.Level0)
229 {
230 LOGI(ATM_DOMAIN, ATM_TAG, "RevokePermissionSpecsTest001");
231
232 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
233 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
234 ASSERT_NE(INVALID_TOKENID, tokenID);
235 uint32_t flag;
236 for (int i = 0; i < CYCLE_TIMES; i++) {
237 int32_t ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
238 ASSERT_EQ(RET_SUCCESS, ret);
239
240 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE", false);
241 ASSERT_EQ(PERMISSION_DENIED, ret);
242
243 ret = AccessTokenKit::GetPermissionFlag(tokenID, "ohos.permission.MICROPHONE", flag);
244 ASSERT_EQ(PERMISSION_USER_FIXED, flag);
245 ASSERT_EQ(RET_SUCCESS, ret);
246 }
247 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
248 }
249
250 /**
251 * @tc.name: RevokePermissionSpecsTest002
252 * @tc.desc: Revoke permission caller is normal app.
253 * @tc.type: FUNC
254 * @tc.require: issueI66BH3
255 */
256 HWTEST_F(RevokePermissionTest, RevokePermissionSpecsTest002, TestSize.Level0)
257 {
258 LOGI(ATM_DOMAIN, ATM_TAG, "RevokePermissionSpecsTest002");
259 std::vector<std::string> reqPerm;
260 reqPerm.emplace_back("ohos.permission.REVOKE_SENSITIVE_PERMISSIONS");
261 MockHapToken mock("RevokePermissionSpecsTest002", reqPerm, false);
262
263 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
264 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
265 ASSERT_NE(INVALID_TOKENID, tokenID);
266
267 int ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
268 ASSERT_EQ(ERR_NOT_SYSTEM_APP, ret);
269
270 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
271 }
272
273 /**
274 * @tc.name: RevokePermissionSpecsTest003
275 * @tc.desc: Revoke permission caller is system app.
276 * @tc.type: FUNC
277 * @tc.require: issueI66BH3
278 */
279 HWTEST_F(RevokePermissionTest, RevokePermissionSpecsTest003, TestSize.Level0)
280 {
281 LOGI(ATM_DOMAIN, ATM_TAG, "RevokePermissionSpecsTest003");
282
283 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
284 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
285 ASSERT_NE(INVALID_TOKENID, tokenID);
286
287 int ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
288 ASSERT_EQ(RET_SUCCESS, ret);
289
290 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE", false);
291 ASSERT_EQ(PERMISSION_DENIED, ret);
292
293 ret = AccessTokenKit::RevokePermission(tokenID, "ohos.permission.CAMERA", PERMISSION_USER_FIXED);
294 ASSERT_EQ(RET_SUCCESS, ret);
295
296 ret = AccessTokenKit::VerifyAccessToken(tokenID, "ohos.permission.MICROPHONE", false);
297 ASSERT_EQ(PERMISSION_DENIED, ret);
298
299 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
300 }
301
302 /**
303 * @tc.name: RevokePermissionWithRenderTest001
304 * @tc.desc: Revoke permission with render tokenID
305 * @tc.type: FUNC
306 * @tc.require: issue
307 */
308 HWTEST_F(RevokePermissionTest, RevokePermissionWithRenderTest001, TestSize.Level0)
309 {
310 LOGI(ATM_DOMAIN, ATM_TAG, "RevokePermissionWithRenderTest001");
311
312 AccessTokenIDEx tokenIdEx = TestCommon::GetHapTokenIdFromBundle(TEST_USER_ID, TEST_BUNDLE_NAME, 0);
313 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
314 ASSERT_NE(INVALID_TOKENID, tokenID);
315
316 // get render token
317 uint64_t renderToken = AccessTokenKit::GetRenderTokenID(tokenID);
318 ASSERT_NE(renderToken, INVALID_TOKENID);
319 ASSERT_NE(renderToken, tokenID);
320
321 int ret = AccessTokenKit::RevokePermission(renderToken, "ohos.permission.MICROPHONE", PERMISSION_USER_FIXED);
322 EXPECT_EQ(ERR_TOKENID_NOT_EXIST, ret);
323
324 ASSERT_EQ(RET_SUCCESS, TestCommon::DeleteTestHapToken(tokenID));
325 }
326 } // namespace AccessToken
327 } // namespace Security
328 } // namespace OHOS