1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "permission_validator.h"
16
17 #include <set>
18
19 #include "access_token.h"
20 #include "accesstoken_common_log.h"
21 #include "data_validator.h"
22 #include "permission_map.h"
23
24 namespace OHOS {
25 namespace Security {
26 namespace AccessToken {
27
IsGrantModeValid(int grantMode)28 bool PermissionValidator::IsGrantModeValid(int grantMode)
29 {
30 return grantMode == GrantMode::SYSTEM_GRANT || grantMode == GrantMode::USER_GRANT;
31 }
32
IsGrantStatusValid(int grantStatus)33 bool PermissionValidator::IsGrantStatusValid(int grantStatus)
34 {
35 return grantStatus == PermissionState::PERMISSION_GRANTED || grantStatus == PermissionState::PERMISSION_DENIED;
36 }
37
IsPermissionFlagValid(uint32_t flag)38 bool PermissionValidator::IsPermissionFlagValid(uint32_t flag)
39 {
40 return DataValidator::IsPermissionFlagValid(flag);
41 }
42
IsPermissionFlagValidForAdmin(uint32_t flag)43 bool PermissionValidator::IsPermissionFlagValidForAdmin(uint32_t flag)
44 {
45 return DataValidator::IsPermissionFlagValidForAdmin(flag);
46 }
47
IsPermissionNameValid(const std::string & permissionName)48 bool PermissionValidator::IsPermissionNameValid(const std::string& permissionName)
49 {
50 return DataValidator::IsPermissionNameValid(permissionName);
51 }
52
IsUserIdValid(const int32_t userID)53 bool PermissionValidator::IsUserIdValid(const int32_t userID)
54 {
55 return DataValidator::IsUserIdValid(userID);
56 }
57
IsToggleStatusValid(const uint32_t status)58 bool PermissionValidator::IsToggleStatusValid(const uint32_t status)
59 {
60 return DataValidator::IsToggleStatusValid(status);
61 }
62
IsPermissionDefValid(const PermissionDef & permDef)63 bool PermissionValidator::IsPermissionDefValid(const PermissionDef& permDef)
64 {
65 if (!DataValidator::IsLabelValid(permDef.label)) {
66 LOGE(ATM_DOMAIN, ATM_TAG, "Label invalid.");
67 return false;
68 }
69 if (!DataValidator::IsDescValid(permDef.description)) {
70 LOGE(ATM_DOMAIN, ATM_TAG, "Desc invalid.");
71 return false;
72 }
73 if (!DataValidator::IsBundleNameValid(permDef.bundleName)) {
74 LOGE(ATM_DOMAIN, ATM_TAG, "BundleName invalid.");
75 return false;
76 }
77 if (!DataValidator::IsPermissionNameValid(permDef.permissionName)) {
78 LOGE(ATM_DOMAIN, ATM_TAG, "PermissionName invalid.");
79 return false;
80 }
81 if (!IsGrantModeValid(permDef.grantMode)) {
82 LOGE(ATM_DOMAIN, ATM_TAG, "GrantMode invalid.");
83 return false;
84 }
85 if (!DataValidator::IsAvailableTypeValid(permDef.availableType)) {
86 LOGE(ATM_DOMAIN, ATM_TAG, "AvailableType invalid.");
87 return false;
88 }
89 if (!DataValidator::IsAplNumValid(permDef.availableLevel)) {
90 LOGE(ATM_DOMAIN, ATM_TAG, "AvailableLevel invalid.");
91 return false;
92 }
93 return true;
94 }
95
IsPermissionAvailable(ATokenTypeEnum tokenType,const std::string & permissionName)96 bool PermissionValidator::IsPermissionAvailable(ATokenTypeEnum tokenType, const std::string& permissionName)
97 {
98 LOGD(ATM_DOMAIN, ATM_TAG, "TokenType is %{public}d.", tokenType);
99 if (tokenType == TOKEN_HAP) {
100 if (!IsPermissionValidForHap(permissionName)) {
101 LOGE(ATM_DOMAIN, ATM_TAG, "%{public}s is not defined for hap.", permissionName.c_str());
102 return false;
103 }
104 }
105 // permission request for TOKEN_NATIVE process is going to be check when the permission request way is normalized.
106 return true;
107 }
108
IsPermissionStateValid(const PermissionStatus & permState)109 bool PermissionValidator::IsPermissionStateValid(const PermissionStatus& permState)
110 {
111 if (!DataValidator::IsPermissionNameValid(permState.permissionName)) {
112 return false;
113 }
114 if (!IsGrantStatusValid(permState.grantStatus) || !IsPermissionFlagValid(permState.grantFlag)) {
115 LOGE(ATM_DOMAIN, ATM_TAG, "GrantStatus or grantFlag is invalid");
116 return false;
117 }
118 return true;
119 }
120
FilterInvalidPermissionDef(const std::vector<PermissionDef> & permList,std::vector<PermissionDef> & result)121 void PermissionValidator::FilterInvalidPermissionDef(
122 const std::vector<PermissionDef>& permList, std::vector<PermissionDef>& result)
123 {
124 std::set<std::string> permDefSet;
125 for (auto it = permList.begin(); it != permList.end(); ++it) {
126 std::string permName = it->permissionName;
127 if (!IsPermissionDefValid(*it) || permDefSet.count(permName) != 0) {
128 continue;
129 }
130 permDefSet.insert(permName);
131 result.emplace_back(*it);
132 }
133 }
134
FilterInvalidPermissionState(ATokenTypeEnum tokenType,bool doPermAvailableCheck,const std::vector<PermissionStatus> & permList,std::vector<PermissionStatus> & result)135 void PermissionValidator::FilterInvalidPermissionState(ATokenTypeEnum tokenType, bool doPermAvailableCheck,
136 const std::vector<PermissionStatus>& permList, std::vector<PermissionStatus>& result)
137 {
138 std::set<std::string> permStateSet;
139 for (auto it = permList.begin(); it != permList.end(); ++it) {
140 std::string permName = it->permissionName;
141 PermissionStatus res = *it;
142 if (!IsPermissionStateValid(res) || permStateSet.count(permName) != 0) {
143 continue;
144 }
145 if (doPermAvailableCheck && !IsPermissionAvailable(tokenType, permName)) {
146 continue;
147 }
148 permStateSet.insert(permName);
149 result.emplace_back(res);
150 }
151 }
152 } // namespace AccessToken
153 } // namespace Security
154 } // namespace OHOS
155