1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "test_common.h"
16 #include <thread>
17 #include "atm_tools_param_info.h"
18 #include "gtest/gtest.h"
19 #include "test_common.h"
20
21 namespace OHOS {
22 namespace Security {
23 namespace AccessToken {
24 std::mutex g_lockSetToken;
25 uint64_t g_shellTokenId = 0;
GetInfoManagerTestInfoParms()26 HapInfoParams TestCommon::GetInfoManagerTestInfoParms()
27 {
28 HapInfoParams g_infoManagerTestInfoParms = {
29 .userID = 1,
30 .bundleName = "accesstoken_test",
31 .instIndex = 0,
32 .appIDDesc = "test3",
33 .apiVersion = 8,
34 .appDistributionType = "enterprise_mdm"
35 };
36 return g_infoManagerTestInfoParms;
37 }
38
GetInfoManagerTestNormalInfoParms()39 HapInfoParams TestCommon::GetInfoManagerTestNormalInfoParms()
40 {
41 HapInfoParams g_infoManagerTestNormalInfoParms = {
42 .userID = 1,
43 .bundleName = "accesstoken_test",
44 .instIndex = 0,
45 .appIDDesc = "test3",
46 .apiVersion = 8,
47 .isSystemApp = false
48 };
49 return g_infoManagerTestNormalInfoParms;
50 }
51
GetInfoManagerTestSystemInfoParms()52 HapInfoParams TestCommon::GetInfoManagerTestSystemInfoParms()
53 {
54 HapInfoParams g_infoManagerTestSystemInfoParms = {
55 .userID = 1,
56 .bundleName = "accesstoken_test",
57 .instIndex = 0,
58 .appIDDesc = "test3",
59 .apiVersion = 8,
60 .isSystemApp = true
61 };
62 return g_infoManagerTestSystemInfoParms;
63 }
64
GetInfoManagerTestPolicyPrams()65 HapPolicyParams TestCommon::GetInfoManagerTestPolicyPrams()
66 {
67 PermissionDef g_infoManagerTestPermDef1 = {
68 .permissionName = "ohos.permission.test1",
69 .bundleName = "accesstoken_test",
70 .grantMode = 1,
71 .availableLevel = APL_NORMAL,
72 .label = "label3",
73 .labelId = 1,
74 .description = "open the door",
75 .descriptionId = 1,
76 .availableType = MDM
77 };
78
79 PermissionDef g_infoManagerTestPermDef2 = {
80 .permissionName = "ohos.permission.test2",
81 .bundleName = "accesstoken_test",
82 .grantMode = 1,
83 .availableLevel = APL_NORMAL,
84 .label = "label3",
85 .labelId = 1,
86 .description = "break the door",
87 .descriptionId = 1,
88 };
89
90 PermissionStateFull g_infoManagerTestState1 = {
91 .permissionName = "ohos.permission.GET_WIFI_INFO",
92 .isGeneral = true,
93 .resDeviceID = {"local3"},
94 .grantStatus = {PermissionState::PERMISSION_GRANTED},
95 .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
96 };
97
98 PermissionStateFull g_infoManagerTestState2 = {
99 .permissionName = "ohos.permission.SET_WIFI_INFO",
100 .isGeneral = false,
101 .resDeviceID = {"device 1", "device 2"},
102 .grantStatus = {PermissionState::PERMISSION_GRANTED, PermissionState::PERMISSION_GRANTED},
103 .grantFlags = {PermissionFlag::PERMISSION_USER_SET, PermissionFlag::PERMISSION_USER_FIXED}
104 };
105
106 HapPolicyParams g_infoManagerTestPolicyPrams = {
107 .apl = APL_NORMAL,
108 .domain = "test.domain3",
109 .permList = {g_infoManagerTestPermDef1, g_infoManagerTestPermDef2},
110 .permStateList = {g_infoManagerTestState1, g_infoManagerTestState2}
111 };
112 return g_infoManagerTestPolicyPrams;
113 }
114
GetTestPolicyParams()115 HapPolicyParams TestCommon::GetTestPolicyParams()
116 {
117 PermissionStateFull g_testPermReq = {
118 .permissionName = "ohos.permission.MANAGE_HAP_TOKENID",
119 .isGeneral = true,
120 .resDeviceID = {"test_device"},
121 .grantStatus = {PermissionState::PERMISSION_GRANTED},
122 .grantFlags = {PermissionFlag::PERMISSION_SYSTEM_FIXED}
123 };
124 HapPolicyParams g_testPolicyParams = {
125 .apl = APL_SYSTEM_CORE,
126 .domain = "test_domain",
127 .permStateList = { g_testPermReq },
128 .aclRequestedList = {},
129 .preAuthorizationInfo = {}
130 };
131 return g_testPolicyParams;
132 }
133
GetHapParams(HapInfoParams & infoParams,HapPolicyParams & policyParams)134 void TestCommon::GetHapParams(HapInfoParams& infoParams, HapPolicyParams& policyParams)
135 {
136 infoParams.userID = 0;
137 infoParams.bundleName = "com.ohos.AccessTokenTestBundle";
138 infoParams.instIndex = 0;
139 infoParams.appIDDesc = "AccessTokenTestAppID";
140 infoParams.apiVersion = DEFAULT_API_VERSION;
141 infoParams.isSystemApp = true;
142 infoParams.appDistributionType = "";
143
144 policyParams.apl = APL_NORMAL;
145 policyParams.domain = "accesstoken_test_domain";
146 policyParams.permList = {};
147 policyParams.permStateList = {};
148 policyParams.aclRequestedList = {};
149 policyParams.preAuthorizationInfo = {};
150 }
151
TestPreparePermStateList(HapPolicyParams & policy)152 void TestCommon::TestPreparePermStateList(HapPolicyParams &policy)
153 {
154 PermissionStateFull permStatMicro = {
155 .permissionName = "ohos.permission.MICROPHONE",
156 .isGeneral = true,
157 .resDeviceID = {"device3"},
158 .grantStatus = {PermissionState::PERMISSION_DENIED},
159 .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
160 };
161 PermissionStateFull permStatCamera = {
162 .permissionName = "ohos.permission.SET_WIFI_INFO",
163 .isGeneral = true,
164 .resDeviceID = {"device3"},
165 .grantStatus = {PermissionState::PERMISSION_GRANTED},
166 .grantFlags = {PermissionFlag::PERMISSION_USER_FIXED}
167 };
168 PermissionStateFull permStatAlpha = {
169 .permissionName = "ohos.permission.ALPHA",
170 .isGeneral = true,
171 .resDeviceID = {"device3"},
172 .grantStatus = {PermissionState::PERMISSION_DENIED},
173 .grantFlags = {PermissionFlag::PERMISSION_USER_SET}
174 };
175 PermissionStateFull permStatBeta = {
176 .permissionName = "ohos.permission.BETA",
177 .isGeneral = true,
178 .resDeviceID = {"device3"},
179 .grantStatus = {PermissionState::PERMISSION_GRANTED},
180 .grantFlags = {PermissionFlag::PERMISSION_USER_FIXED}
181 };
182 policy.permStateList.emplace_back(permStatMicro);
183 policy.permStateList.emplace_back(permStatCamera);
184 policy.permStateList.emplace_back(permStatAlpha);
185 policy.permStateList.emplace_back(permStatBeta);
186 }
187
TestPreparePermDefList(HapPolicyParams & policy)188 void TestCommon::TestPreparePermDefList(HapPolicyParams &policy)
189 {
190 PermissionDef permissionDefBeta;
191 permissionDefBeta.permissionName = "ohos.permission.BETA";
192 permissionDefBeta.bundleName = "ohos";
193 permissionDefBeta.grantMode = GrantMode::SYSTEM_GRANT;
194 permissionDefBeta.availableLevel = APL_NORMAL;
195 permissionDefBeta.provisionEnable = false;
196 permissionDefBeta.distributedSceneEnable = false;
197
198 PermissionDef permissionDefAlpha;
199 permissionDefAlpha.permissionName = "ohos.permission.ALPHA";
200 permissionDefAlpha.bundleName = "ohos";
201 permissionDefAlpha.grantMode = GrantMode::USER_GRANT;
202 permissionDefAlpha.availableLevel = APL_NORMAL;
203 permissionDefAlpha.provisionEnable = false;
204 permissionDefAlpha.distributedSceneEnable = false;
205
206 policy.permList.emplace_back(permissionDefBeta);
207 policy.permList.emplace_back(permissionDefAlpha);
208 }
209
210
TestPrepareKernelPermissionStatus(HapPolicyParams & policyParams)211 void TestCommon::TestPrepareKernelPermissionStatus(HapPolicyParams& policyParams)
212 {
213 PermissionStateFull permissionStatusBasic = {
214 .permissionName = "ohos.permission.test_basic",
215 .isGeneral = false,
216 .resDeviceID = {"local"},
217 .grantStatus = {PERMISSION_GRANTED},
218 .grantFlags = {PERMISSION_SYSTEM_FIXED}
219 };
220
221 PermissionStateFull permissionStateFull001 = permissionStatusBasic;
222 permissionStateFull001.permissionName = "ohos.permission.KERNEL_ATM_SELF_USE";
223 PermissionStateFull permissionStateFull002 = permissionStatusBasic;
224 permissionStateFull002.permissionName = "ohos.permission.MICROPHONE";
225 PermissionStateFull permissionStateFull003 = permissionStatusBasic;
226 permissionStateFull003.permissionName = "ohos.permission.CAMERA";
227 policyParams.permStateList = {permissionStateFull001, permissionStateFull002, permissionStateFull003};
228 policyParams.aclExtendedMap["ohos.permission.KERNEL_ATM_SELF_USE"] = "123";
229 policyParams.aclExtendedMap["ohos.permission.MICROPHONE"] = "456"; // filtered
230 policyParams.aclExtendedMap["ohos.permission.CAMERA"] = "789"; // filtered
231 }
232
SetTestEvironment(uint64_t shellTokenId)233 void TestCommon::SetTestEvironment(uint64_t shellTokenId)
234 {
235 std::lock_guard<std::mutex> lock(g_lockSetToken);
236 g_shellTokenId = shellTokenId;
237 }
238
ResetTestEvironment()239 void TestCommon::ResetTestEvironment()
240 {
241 std::lock_guard<std::mutex> lock(g_lockSetToken);
242 g_shellTokenId = 0;
243 }
244
GetShellTokenId()245 uint64_t TestCommon::GetShellTokenId()
246 {
247 std::lock_guard<std::mutex> lock(g_lockSetToken);
248 return g_shellTokenId;
249 }
250
AllocTestHapToken(const HapInfoParams & hapInfo,HapPolicyParams & hapPolicy,AccessTokenIDEx & tokenIdEx)251 int32_t TestCommon::AllocTestHapToken(
252 const HapInfoParams& hapInfo, HapPolicyParams& hapPolicy, AccessTokenIDEx& tokenIdEx)
253 {
254 uint64_t selfTokenId = GetSelfTokenID();
255 for (auto& permissionStateFull : hapPolicy.permStateList) {
256 PermissionDef permDefResult;
257 if (AccessTokenKit::GetDefPermission(permissionStateFull.permissionName, permDefResult) != RET_SUCCESS) {
258 continue;
259 }
260 if (permDefResult.availableLevel > hapPolicy.apl) {
261 hapPolicy.aclRequestedList.emplace_back(permissionStateFull.permissionName);
262 }
263 }
264 if (TestCommon::GetNativeTokenIdFromProcess("foundation") == selfTokenId) {
265 return AccessTokenKit::InitHapToken(hapInfo, hapPolicy, tokenIdEx);
266 }
267
268 // set sh token for self
269 MockNativeToken mock("foundation");
270 int32_t ret = AccessTokenKit::InitHapToken(hapInfo, hapPolicy, tokenIdEx);
271
272 // restore
273 EXPECT_EQ(0, SetSelfTokenID(selfTokenId));
274
275 return ret;
276 }
277
AllocAndGrantHapTokenByTest(const HapInfoParams & info,HapPolicyParams & policy)278 AccessTokenIDEx TestCommon::AllocAndGrantHapTokenByTest(const HapInfoParams& info, HapPolicyParams& policy)
279 {
280 for (const auto& permissionStateFull : policy.permStateList) {
281 PermissionDef permDefResult;
282 if (AccessTokenKit::GetDefPermission(permissionStateFull.permissionName, permDefResult) != RET_SUCCESS) {
283 continue;
284 }
285 if (permDefResult.availableLevel > policy.apl) {
286 policy.aclRequestedList.emplace_back(permissionStateFull.permissionName);
287 }
288 }
289
290 AccessTokenIDEx tokenIdEx = {0};
291 EXPECT_EQ(RET_SUCCESS, TestCommon::AllocTestHapToken(info, policy, tokenIdEx));
292 AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID;
293 EXPECT_NE(tokenId, INVALID_TOKENID);
294
295 for (const auto& permissionStateFull : policy.permStateList) {
296 if (permissionStateFull.grantStatus[0] == PERMISSION_GRANTED) {
297 TestCommon::GrantPermissionByTest(
298 tokenId, permissionStateFull.permissionName, permissionStateFull.grantFlags[0]);
299 } else {
300 TestCommon::RevokePermissionByTest(
301 tokenId, permissionStateFull.permissionName, permissionStateFull.grantFlags[0]);
302 }
303 }
304 return tokenIdEx;
305 }
306
DeleteTestHapToken(AccessTokenID tokenID)307 int32_t TestCommon::DeleteTestHapToken(AccessTokenID tokenID)
308 {
309 uint64_t selfTokenId = GetSelfTokenID();
310 if (TestCommon::GetNativeTokenIdFromProcess("foundation") == selfTokenId) {
311 return AccessTokenKit::DeleteToken(tokenID);
312 }
313
314 // set sh token for self
315 MockNativeToken mock("foundation");
316
317 int32_t ret = AccessTokenKit::DeleteToken(tokenID);
318 // restore
319 EXPECT_EQ(0, SetSelfTokenID(selfTokenId));
320 return ret;
321 }
322
GrantPermissionByTest(AccessTokenID tokenID,const std::string & permission,uint32_t flag)323 int32_t TestCommon::GrantPermissionByTest(AccessTokenID tokenID, const std::string& permission, uint32_t flag)
324 {
325 std::vector<std::string> reqPerm;
326 reqPerm.emplace_back("ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
327 MockHapToken mock("AccessTokenTestGrant", reqPerm);
328 return AccessTokenKit::GrantPermission(tokenID, permission, flag);
329 }
330
RevokePermissionByTest(AccessTokenID tokenID,const std::string & permission,uint32_t flag)331 int32_t TestCommon::RevokePermissionByTest(AccessTokenID tokenID, const std::string& permission, uint32_t flag)
332 {
333 std::vector<std::string> reqPerm;
334 reqPerm.emplace_back("ohos.permission.REVOKE_SENSITIVE_PERMISSIONS");
335 MockHapToken mock("AccessTokenTestRevoke", reqPerm);
336 return AccessTokenKit::RevokePermission(tokenID, permission, flag);
337 }
338
ClearUserGrantedPermissionStateByTest(AccessTokenID tokenID)339 int32_t TestCommon::ClearUserGrantedPermissionStateByTest(AccessTokenID tokenID)
340 {
341 std::vector<std::string> reqPerm;
342 reqPerm.emplace_back("ohos.permission.REVOKE_SENSITIVE_PERMISSIONS");
343 MockHapToken mock("AccessTokenTestRevoke", reqPerm);
344 return AccessTokenKit::ClearUserGrantedPermissionState(tokenID);
345 }
346
GetNativeTokenIdFromProcess(const std::string & process)347 AccessTokenID TestCommon::GetNativeTokenIdFromProcess(const std::string &process)
348 {
349 uint64_t selfTokenId = GetSelfTokenID();
350 EXPECT_EQ(0, SetSelfTokenID(TestCommon::GetShellTokenId())); // set shell token
351
352 std::string dumpInfo;
353 AtmToolsParamInfo info;
354 info.processName = process;
355 AccessTokenKit::DumpTokenInfo(info, dumpInfo);
356 size_t pos = dumpInfo.find("\"tokenID\": ");
357 if (pos == std::string::npos) {
358 return 0;
359 }
360 pos += std::string("\"tokenID\": ").length();
361 std::string numStr;
362 while (pos < dumpInfo.length() && std::isdigit(dumpInfo[pos])) {
363 numStr += dumpInfo[pos];
364 ++pos;
365 }
366 // restore
367 EXPECT_EQ(0, SetSelfTokenID(selfTokenId));
368
369 std::istringstream iss(numStr);
370 AccessTokenID tokenID;
371 iss >> tokenID;
372 return tokenID;
373 }
374
375 // need call by native process
GetHapTokenIdFromBundle(int32_t userID,const std::string & bundleName,int32_t instIndex)376 AccessTokenIDEx TestCommon::GetHapTokenIdFromBundle(
377 int32_t userID, const std::string& bundleName, int32_t instIndex)
378 {
379 uint64_t selfTokenId = GetSelfTokenID();
380 ATokenTypeEnum type = AccessTokenKit::GetTokenTypeFlag(static_cast<AccessTokenID>(selfTokenId));
381 if (type != TOKEN_NATIVE) {
382 AccessTokenID tokenId1 = GetNativeTokenIdFromProcess("accesstoken_service");
383 EXPECT_EQ(0, SetSelfTokenID(tokenId1));
384 }
385 AccessTokenIDEx tokenIdEx = AccessTokenKit::GetHapTokenIDEx(userID, bundleName, instIndex);
386
387 EXPECT_EQ(0, SetSelfTokenID(selfTokenId));
388 return tokenIdEx;
389 }
390
391
GetReqPermissionsByTest(AccessTokenID tokenID,std::vector<PermissionStateFull> & permStatList,bool isSystemGrant)392 int32_t TestCommon::GetReqPermissionsByTest(
393 AccessTokenID tokenID, std::vector<PermissionStateFull>& permStatList, bool isSystemGrant)
394 {
395 std::vector<std::string> reqPerm;
396 reqPerm.emplace_back("ohos.permission.GET_SENSITIVE_PERMISSIONS");
397 MockHapToken mock("GetReqPermissionsByTest", reqPerm);
398 return AccessTokenKit::GetReqPermissions(tokenID, permStatList, isSystemGrant);
399 }
400
GetPermissionFlagByTest(AccessTokenID tokenID,const std::string & permission,uint32_t & flag)401 int32_t TestCommon::GetPermissionFlagByTest(AccessTokenID tokenID, const std::string& permission, uint32_t& flag)
402 {
403 std::vector<std::string> reqPerm;
404 reqPerm.emplace_back("ohos.permission.GET_SENSITIVE_PERMISSIONS");
405 MockHapToken mock("GetPermissionFlagByTest", reqPerm, true);
406 return AccessTokenKit::GetPermissionFlag(tokenID, permission, flag);
407 }
408
MockNativeToken(const std::string & process)409 MockNativeToken::MockNativeToken(const std::string& process)
410 {
411 selfToken_ = GetSelfTokenID();
412 uint32_t tokenId = TestCommon::GetNativeTokenIdFromProcess(process);
413 SetSelfTokenID(tokenId);
414 }
415
~MockNativeToken()416 MockNativeToken::~MockNativeToken()
417 {
418 SetSelfTokenID(selfToken_);
419 }
420
MockHapToken(const std::string & bundle,const std::vector<std::string> & reqPerm,bool isSystemApp)421 MockHapToken::MockHapToken(
422 const std::string& bundle, const std::vector<std::string>& reqPerm, bool isSystemApp)
423 {
424 selfToken_ = GetSelfTokenID();
425 HapInfoParams infoParams = {
426 .userID = 0,
427 .bundleName = bundle,
428 .instIndex = 0,
429 .appIDDesc = "AccessTokenTestAppID",
430 .apiVersion = TestCommon::DEFAULT_API_VERSION,
431 .isSystemApp = isSystemApp,
432 .appDistributionType = "",
433 };
434
435 HapPolicyParams policyParams = {
436 .apl = APL_NORMAL,
437 .domain = "accesstoken_test_domain",
438 };
439 for (size_t i = 0; i < reqPerm.size(); ++i) {
440 PermissionDef permDefResult;
441 if (AccessTokenKit::GetDefPermission(reqPerm[i], permDefResult) != RET_SUCCESS) {
442 continue;
443 }
444 PermissionStateFull permState = {
445 .permissionName = reqPerm[i],
446 .isGeneral = true,
447 .resDeviceID = {"local3"},
448 .grantStatus = {PermissionState::PERMISSION_DENIED},
449 .grantFlags = {PermissionFlag::PERMISSION_DEFAULT_FLAG}
450 };
451 policyParams.permStateList.emplace_back(permState);
452 if (permDefResult.availableLevel > policyParams.apl) {
453 policyParams.aclRequestedList.emplace_back(reqPerm[i]);
454 }
455 }
456
457 AccessTokenIDEx tokenIdEx = {0};
458 EXPECT_EQ(RET_SUCCESS, TestCommon::AllocTestHapToken(infoParams, policyParams, tokenIdEx));
459 mockToken_= tokenIdEx.tokenIdExStruct.tokenID;
460 EXPECT_NE(mockToken_, INVALID_TOKENID);
461 EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
462 }
463
~MockHapToken()464 MockHapToken::~MockHapToken()
465 {
466 if (mockToken_ != INVALID_TOKENID) {
467 EXPECT_EQ(0, TestCommon::DeleteTestHapToken(mockToken_));
468 }
469 EXPECT_EQ(0, SetSelfTokenID(selfToken_));
470 }
471 } // namespace AccessToken
472 } // namespace Security
473 } // namespace OHOS