1 /*
2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_info_manager.h"
17
18 #include <securec.h>
19 #include "access_token.h"
20 #include "accesstoken_dfx_define.h"
21 #include "accesstoken_id_manager.h"
22 #include "accesstoken_log.h"
23 #include "accesstoken_remote_token_manager.h"
24 #include "access_token_error.h"
25 #include "callback_manager.h"
26 #include "constant_common.h"
27 #include "data_translator.h"
28 #include "data_validator.h"
29 #ifdef SUPPORT_SANDBOX_APP
30 #include "dlp_permission_set_manager.h"
31 #endif
32 #ifdef RESOURCESCHEDULE_FFRT_ENABLE
33 #include "ffrt.h"
34 #endif
35 #include "generic_values.h"
36 #include "hap_token_info_inner.h"
37 #include "permission_definition_cache.h"
38 #include "permission_manager.h"
39 #include "softbus_bus_center.h"
40 #include "access_token_db.h"
41 #include "token_field_const.h"
42
43 #ifdef TOKEN_SYNC_ENABLE
44 #include "token_modify_notifier.h"
45 #include "token_sync_kit.h"
46 #endif
47
48 namespace OHOS {
49 namespace Security {
50 namespace AccessToken {
51 namespace {
52 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenInfoManager"};
53 static const std::string ACCESS_TOKEN_PACKAGE_NAME = "ohos.security.distributed_token_sync";
54 static const unsigned int SYSTEM_APP_FLAG = 0x0001;
55 }
56
57 #ifdef RESOURCESCHEDULE_FFRT_ENABLE
AccessTokenInfoManager()58 AccessTokenInfoManager::AccessTokenInfoManager() : curTaskNum_(0), hasInited_(false) {}
59 #else
AccessTokenInfoManager()60 AccessTokenInfoManager::AccessTokenInfoManager() : tokenDataWorker_("TokenStore"), hasInited_(false) {}
61 #endif
62
~AccessTokenInfoManager()63 AccessTokenInfoManager::~AccessTokenInfoManager()
64 {
65 if (!hasInited_) {
66 return;
67 }
68 #ifndef RESOURCESCHEDULE_FFRT_ENABLE
69 this->tokenDataWorker_.Stop();
70 #endif
71 this->hasInited_ = false;
72 }
73
Init()74 void AccessTokenInfoManager::Init()
75 {
76 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->managerLock_);
77 if (hasInited_) {
78 return;
79 }
80
81 ACCESSTOKEN_LOG_INFO(LABEL, "init begin!");
82 InitHapTokenInfos();
83 InitNativeTokenInfos();
84 #ifndef RESOURCESCHEDULE_FFRT_ENABLE
85 this->tokenDataWorker_.Start(1);
86 #endif
87 hasInited_ = true;
88 ACCESSTOKEN_LOG_INFO(LABEL, "Init success");
89 }
90
InitHapTokenInfos()91 void AccessTokenInfoManager::InitHapTokenInfos()
92 {
93 std::vector<GenericValues> hapTokenRes;
94 std::vector<GenericValues> permDefRes;
95 std::vector<GenericValues> permStateRes;
96
97 AccessTokenDb::GetInstance().Find(AccessTokenDb::ACCESSTOKEN_HAP_INFO, hapTokenRes);
98 AccessTokenDb::GetInstance().Find(AccessTokenDb::ACCESSTOKEN_PERMISSION_DEF, permDefRes);
99 AccessTokenDb::GetInstance().Find(AccessTokenDb::ACCESSTOKEN_PERMISSION_STATE, permStateRes);
100
101 for (const GenericValues& tokenValue : hapTokenRes) {
102 AccessTokenID tokenId = (AccessTokenID)tokenValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
103 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_HAP);
104 if (ret != RET_SUCCESS) {
105 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u add id failed.", tokenId);
106 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK",
107 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", LOAD_DATABASE_ERROR,
108 "ERROR_REASON", "hap tokenID error");
109 continue;
110 }
111 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>();
112 ret = hap->RestoreHapTokenInfo(tokenId, tokenValue, permStateRes);
113 if (ret != RET_SUCCESS) {
114 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
115 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u restore failed.", tokenId);
116 continue;
117 }
118
119 ret = AddHapTokenInfo(hap);
120 if (ret != RET_SUCCESS) {
121 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
122 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u add failed.", tokenId);
123 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK",
124 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", LOAD_DATABASE_ERROR,
125 "ERROR_REASON", "hap token has exist");
126 continue;
127 }
128 ACCESSTOKEN_LOG_INFO(LABEL,
129 " restore hap token %{public}u bundle name %{public}s user %{public}d inst %{public}d ok!",
130 tokenId, hap->GetBundleName().c_str(), hap->GetUserID(), hap->GetInstIndex());
131 }
132 PermissionDefinitionCache::GetInstance().RestorePermDefInfo(permDefRes);
133 }
134
InitNativeTokenInfos()135 void AccessTokenInfoManager::InitNativeTokenInfos()
136 {
137 std::vector<GenericValues> nativeTokenResults;
138 std::vector<GenericValues> permStateRes;
139
140 AccessTokenDb::GetInstance().Find(AccessTokenDb::ACCESSTOKEN_NATIVE_INFO, nativeTokenResults);
141 AccessTokenDb::GetInstance().Find(AccessTokenDb::ACCESSTOKEN_PERMISSION_STATE, permStateRes);
142 for (const GenericValues& nativeTokenValue : nativeTokenResults) {
143 AccessTokenID tokenId = (AccessTokenID)nativeTokenValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
144 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenId);
145 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, type);
146 if (ret != RET_SUCCESS) {
147 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK",
148 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", LOAD_DATABASE_ERROR,
149 "ERROR_REASON", "native tokenID error");
150 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u add failed.", tokenId);
151 continue;
152 }
153 std::shared_ptr<NativeTokenInfoInner> native = std::make_shared<NativeTokenInfoInner>();
154
155 ret = native->RestoreNativeTokenInfo(tokenId, nativeTokenValue, permStateRes);
156 if (ret != RET_SUCCESS) {
157 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
158 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u restore failed.", tokenId);
159 continue;
160 }
161
162 ret = AddNativeTokenInfo(native);
163 if (ret != RET_SUCCESS) {
164 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
165 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId %{public}u add failed.", tokenId);
166 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_CHECK",
167 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", LOAD_DATABASE_ERROR,
168 "ERROR_REASON", "native tokenID error");
169 continue;
170 }
171 ACCESSTOKEN_LOG_INFO(LABEL,
172 "restore native token %{public}u process name %{public}s ok!",
173 tokenId, native->GetProcessName().c_str());
174 }
175 }
176
GetHapUniqueStr(const int & userID,const std::string & bundleName,const int & instIndex) const177 std::string AccessTokenInfoManager::GetHapUniqueStr(const int& userID,
178 const std::string& bundleName, const int& instIndex) const
179 {
180 return bundleName + "&" + std::to_string(userID) + "&" + std::to_string(instIndex);
181 }
182
GetHapUniqueStr(const std::shared_ptr<HapTokenInfoInner> & info) const183 std::string AccessTokenInfoManager::GetHapUniqueStr(const std::shared_ptr<HapTokenInfoInner>& info) const
184 {
185 if (info == nullptr) {
186 return std::string("");
187 }
188 return GetHapUniqueStr(info->GetUserID(), info->GetBundleName(), info->GetInstIndex());
189 }
190
AddHapTokenInfo(const std::shared_ptr<HapTokenInfoInner> & info)191 int AccessTokenInfoManager::AddHapTokenInfo(const std::shared_ptr<HapTokenInfoInner>& info)
192 {
193 if (info == nullptr) {
194 ACCESSTOKEN_LOG_ERROR(LABEL, "token info is null.");
195 return AccessTokenError::ERR_PARAM_INVALID;
196 }
197 AccessTokenID id = info->GetTokenID();
198 AccessTokenID idRemoved = INVALID_TOKENID;
199 {
200 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
201 if (hapTokenInfoMap_.count(id) > 0) {
202 ACCESSTOKEN_LOG_ERROR(LABEL, "token %{public}u info has exist.", id);
203 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
204 }
205
206 if (!info->IsRemote()) {
207 std::string HapUniqueKey = GetHapUniqueStr(info);
208 auto iter = hapTokenIdMap_.find(HapUniqueKey);
209 if (iter != hapTokenIdMap_.end()) {
210 ACCESSTOKEN_LOG_INFO(LABEL, "token %{public}u Unique info has exist, update.", id);
211 idRemoved = iter->second;
212 }
213 hapTokenIdMap_[HapUniqueKey] = id;
214 }
215 hapTokenInfoMap_[id] = info;
216 }
217 if (idRemoved != INVALID_TOKENID) {
218 RemoveHapTokenInfo(idRemoved);
219 }
220 // add hap to kernel
221 std::shared_ptr<PermissionPolicySet> policySet = info->GetHapInfoPermissionPolicySet();
222 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
223
224 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "ADD_HAP", HiviewDFX::HiSysEvent::EventType::STATISTIC,
225 "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(),
226 "INSTINDEX", info->GetInstIndex());
227
228 return RET_SUCCESS;
229 }
230
AddNativeTokenInfo(const std::shared_ptr<NativeTokenInfoInner> & info)231 int AccessTokenInfoManager::AddNativeTokenInfo(const std::shared_ptr<NativeTokenInfoInner>& info)
232 {
233 if (info == nullptr) {
234 ACCESSTOKEN_LOG_ERROR(LABEL, "token info is null.");
235 return AccessTokenError::ERR_PARAM_INVALID;
236 }
237
238 AccessTokenID id = info->GetTokenID();
239 std::string processName = info->GetProcessName();
240 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
241 if (nativeTokenInfoMap_.count(id) > 0) {
242 ACCESSTOKEN_LOG_ERROR(
243 LABEL, "token %{public}u has exist.", id);
244 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
245 }
246 if (!info->IsRemote()) {
247 if (nativeTokenIdMap_.count(processName) > 0) {
248 ACCESSTOKEN_LOG_ERROR(
249 LABEL, "token %{public}u process name %{public}s has exist.", id, processName.c_str());
250 return AccessTokenError::ERR_PROCESS_NOT_EXIST;
251 }
252 nativeTokenIdMap_[processName] = id;
253 }
254
255 ACCESSTOKEN_LOG_INFO(LABEL, "token info is added %{public}u.", id);
256 nativeTokenInfoMap_[id] = info;
257
258 // add native to kernel
259 std::shared_ptr<PermissionPolicySet> policySet = info->GetNativeInfoPermissionPolicySet();
260 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
261
262 return RET_SUCCESS;
263 }
264
GetHapTokenInfoInner(AccessTokenID id)265 std::shared_ptr<HapTokenInfoInner> AccessTokenInfoManager::GetHapTokenInfoInner(AccessTokenID id)
266 {
267 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
268 auto iter = hapTokenInfoMap_.find(id);
269 if (iter != hapTokenInfoMap_.end()) {
270 return iter->second;
271 }
272 ACCESSTOKEN_LOG_ERROR(LABEL, "token %{public}u is invalid.", id);
273 return nullptr;
274 }
275
GetHapTokenDlpType(AccessTokenID id)276 int32_t AccessTokenInfoManager::GetHapTokenDlpType(AccessTokenID id)
277 {
278 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
279 auto iter = hapTokenInfoMap_.find(id);
280 if ((iter != hapTokenInfoMap_.end()) && (iter->second != nullptr)) {
281 return iter->second->GetDlpType();
282 }
283 ACCESSTOKEN_LOG_ERROR(LABEL, "token %{public}u is invalid.", id);
284 return DLP_FULL_BUTT;
285 }
286
IsTokenIdExist(AccessTokenID id)287 bool AccessTokenInfoManager::IsTokenIdExist(AccessTokenID id)
288 {
289 {
290 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
291 if (hapTokenInfoMap_.count(id) != 0) {
292 return true;
293 }
294 }
295 {
296 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
297 if (nativeTokenInfoMap_.count(id) != 0) {
298 return true;
299 }
300 }
301 return false;
302 }
303
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfo & info)304 int AccessTokenInfoManager::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& info)
305 {
306 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
307 if (infoPtr == nullptr) {
308 ACCESSTOKEN_LOG_ERROR(
309 LABEL, "token %{public}u is invalid.", tokenID);
310 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
311 }
312 infoPtr->TranslateToHapTokenInfo(info);
313 return RET_SUCCESS;
314 }
315
GetHapPermissionPolicySet(AccessTokenID id)316 std::shared_ptr<PermissionPolicySet> AccessTokenInfoManager::GetHapPermissionPolicySet(AccessTokenID id)
317 {
318 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(id);
319 if (infoPtr == nullptr) {
320 ACCESSTOKEN_LOG_ERROR(
321 LABEL, "token %{public}u is invalid.", id);
322 return nullptr;
323 }
324 return infoPtr->GetHapInfoPermissionPolicySet();
325 }
326
GetNativeTokenInfoInner(AccessTokenID id)327 std::shared_ptr<NativeTokenInfoInner> AccessTokenInfoManager::GetNativeTokenInfoInner(AccessTokenID id)
328 {
329 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
330 auto iter = nativeTokenInfoMap_.find(id);
331 if (iter != nativeTokenInfoMap_.end()) {
332 return iter->second;
333 }
334
335 ACCESSTOKEN_LOG_ERROR(LABEL, "token %{public}u is invalid.", id);
336 return nullptr;
337 }
338
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfo & infoParcel)339 int AccessTokenInfoManager::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& infoParcel)
340 {
341 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenID);
342 if (infoPtr == nullptr) {
343 ACCESSTOKEN_LOG_ERROR(
344 LABEL, "token %{public}u is invalid.", tokenID);
345 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
346 }
347
348 infoPtr->TranslateToNativeTokenInfo(infoParcel);
349 return RET_SUCCESS;
350 }
351
GetNativePermissionPolicySet(AccessTokenID id)352 std::shared_ptr<PermissionPolicySet> AccessTokenInfoManager::GetNativePermissionPolicySet(AccessTokenID id)
353 {
354 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(id);
355 if (infoPtr == nullptr) {
356 ACCESSTOKEN_LOG_ERROR(
357 LABEL, "token %{public}u is invalid.", id);
358 return nullptr;
359 }
360 return infoPtr->GetNativeInfoPermissionPolicySet();
361 }
362
RemoveHapTokenInfo(AccessTokenID id)363 int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id)
364 {
365 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id);
366 if (type != TOKEN_HAP) {
367 ACCESSTOKEN_LOG_ERROR(
368 LABEL, "token %{public}u is not hap.", id);
369 return ERR_PARAM_INVALID;
370 }
371 std::shared_ptr<HapTokenInfoInner> info;
372 // make sure that RemoveDefPermissions is called outside of the lock to avoid deadlocks.
373 PermissionManager::GetInstance().RemoveDefPermissions(id);
374 {
375 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
376 if (hapTokenInfoMap_.count(id) == 0) {
377 ACCESSTOKEN_LOG_ERROR(LABEL, "hap token %{public}u no exist.", id);
378 return ERR_TOKENID_NOT_EXIST;
379 }
380
381 info = hapTokenInfoMap_[id];
382 if (info == nullptr) {
383 ACCESSTOKEN_LOG_ERROR(LABEL, "hap token %{public}u is null.", id);
384 return ERR_TOKEN_INVALID;
385 }
386 if (info->IsRemote()) {
387 ACCESSTOKEN_LOG_ERROR(LABEL, "remote hap token %{public}u can not delete.", id);
388 return ERR_IDENTITY_CHECK_FAILED;
389 }
390 std::string HapUniqueKey = GetHapUniqueStr(info);
391 auto iter = hapTokenIdMap_.find(HapUniqueKey);
392 if ((iter != hapTokenIdMap_.end()) && (iter->second == id)) {
393 hapTokenIdMap_.erase(HapUniqueKey);
394 }
395 hapTokenInfoMap_.erase(id);
396 }
397
398 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
399 ACCESSTOKEN_LOG_INFO(LABEL, "remove hap token %{public}u ok!", id);
400 RemoveHapTokenInfoFromDb(id);
401 PermissionStateNotify(info, id);
402 // remove hap to kernel
403 PermissionManager::GetInstance().RemovePermFromKernel(id);
404 #ifdef TOKEN_SYNC_ENABLE
405 TokenModifyNotifier::GetInstance().NotifyTokenDelete(id);
406 #endif
407
408 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "DEL_HAP", HiviewDFX::HiSysEvent::EventType::STATISTIC,
409 "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(),
410 "INSTINDEX", info->GetInstIndex());
411
412 return RET_SUCCESS;
413 }
414
RemoveNativeTokenInfo(AccessTokenID id)415 int AccessTokenInfoManager::RemoveNativeTokenInfo(AccessTokenID id)
416 {
417 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id);
418 if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) {
419 ACCESSTOKEN_LOG_ERROR(
420 LABEL, "token %{public}u is not hap.", id);
421 return ERR_PARAM_INVALID;
422 }
423
424 {
425 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
426 if (nativeTokenInfoMap_.count(id) == 0) {
427 ACCESSTOKEN_LOG_ERROR(LABEL, "native token %{public}u is null.", id);
428 return ERR_TOKENID_NOT_EXIST;
429 }
430
431 std::shared_ptr<NativeTokenInfoInner> info = nativeTokenInfoMap_[id];
432 if (info->IsRemote()) {
433 ACCESSTOKEN_LOG_ERROR(LABEL, "remote native token %{public}u can not delete.", id);
434 return ERR_TOKEN_INVALID;
435 }
436 std::string processName = nativeTokenInfoMap_[id]->GetProcessName();
437 if (nativeTokenIdMap_.count(processName) != 0) {
438 nativeTokenIdMap_.erase(processName);
439 }
440 nativeTokenInfoMap_.erase(id);
441 }
442 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
443 ACCESSTOKEN_LOG_INFO(LABEL, "remove native token %{public}u ok!", id);
444 RefreshTokenInfoIfNeeded();
445 // remove native to kernel
446 PermissionManager::GetInstance().RemovePermFromKernel(id);
447 return RET_SUCCESS;
448 }
449
450 #ifdef SUPPORT_SANDBOX_APP
GetPolicyCopied(const HapPolicyParams & policy,HapPolicyParams & policyNew)451 static void GetPolicyCopied(const HapPolicyParams& policy, HapPolicyParams& policyNew)
452 {
453 policyNew.apl = policy.apl;
454 policyNew.domain = policy.domain;
455
456 for (const auto& state : policy.permStateList) {
457 policyNew.permStateList.emplace_back(state);
458 }
459 for (const auto& def : policy.permList) {
460 policyNew.permList.emplace_back(def);
461 }
462 }
463 #endif
464
CreateHapTokenInfo(const HapInfoParams & info,const HapPolicyParams & policy,AccessTokenIDEx & tokenIdEx)465 int AccessTokenInfoManager::CreateHapTokenInfo(
466 const HapInfoParams& info, const HapPolicyParams& policy, AccessTokenIDEx& tokenIdEx)
467 {
468 if ((!DataValidator::IsUserIdValid(info.userID)) || (!DataValidator::IsBundleNameValid(info.bundleName)) ||
469 (!DataValidator::IsAppIDDescValid(info.appIDDesc)) || (!DataValidator::IsDomainValid(policy.domain)) ||
470 (!DataValidator::IsDlpTypeValid(info.dlpType))) {
471 ACCESSTOKEN_LOG_ERROR(LABEL, "hap token param failed");
472 return AccessTokenError::ERR_PARAM_INVALID;
473 }
474 AccessTokenID tokenId = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(TOKEN_HAP, info.dlpType);
475 if (tokenId == 0) {
476 ACCESSTOKEN_LOG_INFO(LABEL, "token Id create failed");
477 return ERR_TOKENID_CREATE_FAILED;
478 }
479 PermissionManager::GetInstance().AddDefPermissions(policy.permList, tokenId, false);
480 #ifdef SUPPORT_SANDBOX_APP
481 std::shared_ptr<HapTokenInfoInner> tokenInfo;
482 if (info.dlpType != DLP_COMMON) {
483 HapPolicyParams policyNew;
484 GetPolicyCopied(policy, policyNew);
485 int32_t res = DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo(
486 info.dlpType, policyNew.permStateList);
487 if (res != RET_SUCCESS) {
488 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s update dlp permission failed", info.bundleName.c_str());
489 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
490 PermissionManager::GetInstance().RemoveDefPermissions(tokenId);
491 return res;
492 }
493 tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policyNew);
494 } else {
495 tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policy);
496 }
497 #else
498 std::shared_ptr<HapTokenInfoInner> tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policy);
499 #endif
500 int ret = AddHapTokenInfo(tokenInfo);
501 if (ret != RET_SUCCESS) {
502 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s add token info failed", info.bundleName.c_str());
503 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
504 PermissionManager::GetInstance().RemoveDefPermissions(tokenId);
505 return ret;
506 }
507 ACCESSTOKEN_LOG_INFO(LABEL, "create hap token %{public}u bundleName %{public}s user %{public}d inst %{public}d ok",
508 tokenId, tokenInfo->GetBundleName().c_str(), tokenInfo->GetUserID(), tokenInfo->GetInstIndex());
509 AllocAccessTokenIDEx(info, tokenId, tokenIdEx);
510 AddHapTokenInfoToDb(tokenId);
511 return RET_SUCCESS;
512 }
513
AllocAccessTokenIDEx(const HapInfoParams & info,AccessTokenID tokenId,AccessTokenIDEx & tokenIdEx)514 int AccessTokenInfoManager::AllocAccessTokenIDEx(
515 const HapInfoParams& info, AccessTokenID tokenId, AccessTokenIDEx& tokenIdEx)
516 {
517 tokenIdEx.tokenIdExStruct.tokenID = tokenId;
518 if (info.isSystemApp) {
519 tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
520 }
521 return RET_SUCCESS;
522 }
523
CheckNativeDCap(AccessTokenID tokenID,const std::string & dcap)524 int AccessTokenInfoManager::CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap)
525 {
526 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenID);
527 if (infoPtr == nullptr) {
528 ACCESSTOKEN_LOG_ERROR(
529 LABEL, "token %{public}u is invalid.", tokenID);
530 return ERR_TOKENID_NOT_EXIST;
531 }
532
533 std::vector<std::string> dcaps = infoPtr->GetDcap();
534 for (auto iter = dcaps.begin(); iter != dcaps.end(); iter++) {
535 if (*iter == dcap) {
536 return RET_SUCCESS;
537 }
538 }
539 return ERR_CHECK_DCAP_FAIL;
540 }
541
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)542 AccessTokenIDEx AccessTokenInfoManager::GetHapTokenID(int32_t userID, const std::string& bundleName, int32_t instIndex)
543 {
544 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
545 std::string HapUniqueKey = GetHapUniqueStr(userID, bundleName, instIndex);
546 AccessTokenIDEx tokenIdEx = {0};
547 auto iter = hapTokenIdMap_.find(HapUniqueKey);
548 if (iter != hapTokenIdMap_.end()) {
549 AccessTokenID tokenId = iter->second;
550 auto infoIter = hapTokenInfoMap_.find(tokenId);
551 if (infoIter != hapTokenInfoMap_.end()) {
552 if (infoIter->second == nullptr) {
553 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr");
554 return tokenIdEx;
555 }
556 HapTokenInfo info = infoIter->second->GetHapInfoBasic();
557 tokenIdEx.tokenIdExStruct.tokenID = info.tokenID;
558 tokenIdEx.tokenIdExStruct.tokenAttr = info.tokenAttr;
559 }
560 }
561 return tokenIdEx;
562 }
563
TryUpdateExistNativeToken(const std::shared_ptr<NativeTokenInfoInner> & infoPtr)564 bool AccessTokenInfoManager::TryUpdateExistNativeToken(const std::shared_ptr<NativeTokenInfoInner>& infoPtr)
565 {
566 if (infoPtr == nullptr) {
567 ACCESSTOKEN_LOG_WARN(LABEL, "info is null");
568 return false;
569 }
570
571 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
572 AccessTokenID id = infoPtr->GetTokenID();
573 std::string processName = infoPtr->GetProcessName();
574 bool idExist = (nativeTokenInfoMap_.count(id) > 0);
575 bool processExist = (nativeTokenIdMap_.count(processName) > 0);
576 // id is exist, but it is not this process, so neither update nor add.
577 if (idExist && !processExist) {
578 ACCESSTOKEN_LOG_ERROR(
579 LABEL, "token Id is exist, but process name is not exist, can not update.");
580 return true;
581 }
582
583 // this process is exist, but id is not same, perhaps libat lose his data, we need delete old, add new later.
584 if (!idExist && processExist) {
585 AccessTokenID idRemove = nativeTokenIdMap_[processName];
586 nativeTokenIdMap_.erase(processName);
587 if (nativeTokenInfoMap_.count(idRemove) > 0) {
588 nativeTokenInfoMap_.erase(idRemove);
589 }
590 AccessTokenIDManager::GetInstance().ReleaseTokenId(idRemove);
591 return false;
592 }
593
594 if (!idExist && !processExist) {
595 return false;
596 }
597
598 nativeTokenInfoMap_[id] = infoPtr;
599
600 // add native to kernel
601 std::shared_ptr<PermissionPolicySet> policySet = infoPtr->GetNativeInfoPermissionPolicySet();
602 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
603 return true;
604 }
605
ProcessNativeTokenInfos(const std::vector<std::shared_ptr<NativeTokenInfoInner>> & tokenInfos)606 void AccessTokenInfoManager::ProcessNativeTokenInfos(
607 const std::vector<std::shared_ptr<NativeTokenInfoInner>>& tokenInfos)
608 {
609 for (const auto& infoPtr: tokenInfos) {
610 if (infoPtr == nullptr) {
611 ACCESSTOKEN_LOG_WARN(LABEL, "token info from libat is null");
612 continue;
613 }
614 bool isUpdated = TryUpdateExistNativeToken(infoPtr);
615 if (!isUpdated) {
616 ACCESSTOKEN_LOG_INFO(LABEL,
617 "token %{public}u process name %{public}s is new, add to manager!",
618 infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str());
619 AccessTokenID id = infoPtr->GetTokenID();
620 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(id);
621 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, type);
622 if (ret != RET_SUCCESS) {
623 ACCESSTOKEN_LOG_ERROR(LABEL, "token Id register fail");
624 continue;
625 }
626 ret = AddNativeTokenInfo(infoPtr);
627 if (ret != RET_SUCCESS) {
628 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
629 ACCESSTOKEN_LOG_ERROR(LABEL,
630 "token %{public}u process name %{public}s add to manager failed!",
631 infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str());
632 }
633 }
634 }
635 RefreshTokenInfoIfNeeded();
636 }
637
UpdateHapToken(AccessTokenIDEx & tokenIdEx,bool isSystemApp,const std::string & appIDDesc,int32_t apiVersion,const HapPolicyParams & policy)638 int AccessTokenInfoManager::UpdateHapToken(AccessTokenIDEx& tokenIdEx,
639 bool isSystemApp, const std::string& appIDDesc, int32_t apiVersion, const HapPolicyParams& policy)
640 {
641 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
642 if (!DataValidator::IsAppIDDescValid(appIDDesc)) {
643 ACCESSTOKEN_LOG_INFO(LABEL, "token %{public}u parm format error!", tokenID);
644 return AccessTokenError::ERR_PARAM_INVALID;
645 }
646 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
647 if (infoPtr == nullptr) {
648 ACCESSTOKEN_LOG_INFO(LABEL, "token %{public}u is null, can not update!", tokenID);
649 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
650 }
651
652 if (infoPtr->IsRemote()) {
653 ACCESSTOKEN_LOG_ERROR(LABEL, "remote hap token %{public}u can not update!", tokenID);
654 return ERR_IDENTITY_CHECK_FAILED;
655 }
656 if (isSystemApp) {
657 tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
658 } else {
659 tokenIdEx.tokenIdExStruct.tokenAttr &= ~SYSTEM_APP_FLAG;
660 }
661 {
662 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
663 infoPtr->Update(appIDDesc, apiVersion, policy, isSystemApp);
664 ACCESSTOKEN_LOG_INFO(LABEL,
665 "token %{public}u bundle name %{public}s user %{public}d inst %{public}d tokenAttr %{public}d update ok!",
666 tokenID, infoPtr->GetBundleName().c_str(), infoPtr->GetUserID(), infoPtr->GetInstIndex(),
667 infoPtr->GetHapInfoBasic().tokenAttr);
668 }
669 PermissionManager::GetInstance().AddDefPermissions(policy.permList, tokenID, true);
670 #ifdef TOKEN_SYNC_ENABLE
671 TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID);
672 #endif
673 // update hap to kernel
674 std::shared_ptr<PermissionPolicySet> policySet = infoPtr->GetHapInfoPermissionPolicySet();
675 PermissionManager::GetInstance().AddPermToKernel(tokenID, policySet);
676 RefreshTokenInfoIfNeeded();
677 return RET_SUCCESS;
678 }
679
680 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenSync(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)681 int AccessTokenInfoManager::GetHapTokenSync(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)
682 {
683 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
684 if (infoPtr == nullptr || infoPtr->IsRemote()) {
685 ACCESSTOKEN_LOG_ERROR(
686 LABEL, "token %{public}u is invalid.", tokenID);
687 return ERR_IDENTITY_CHECK_FAILED;
688 }
689 hapSync.baseInfo = infoPtr->GetHapInfoBasic();
690 std::shared_ptr<PermissionPolicySet> permSetPtr = infoPtr->GetHapInfoPermissionPolicySet();
691 if (permSetPtr == nullptr) {
692 ACCESSTOKEN_LOG_ERROR(
693 LABEL, "token %{public}u permSet is invalid.", tokenID);
694 return ERR_TOKEN_INVALID;
695 }
696 permSetPtr->GetPermissionStateList(hapSync.permStateList);
697 return RET_SUCCESS;
698 }
699
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)700 int AccessTokenInfoManager::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
701 HapTokenInfoForSync& hapSync)
702 {
703 int ret = GetHapTokenSync(tokenID, hapSync);
704 TokenModifyNotifier::GetInstance().AddHapTokenObservation(tokenID);
705 return ret;
706 }
707
GetAllNativeTokenInfo(std::vector<NativeTokenInfoForSync> & nativeTokenInfosRes)708 void AccessTokenInfoManager::GetAllNativeTokenInfo(
709 std::vector<NativeTokenInfoForSync>& nativeTokenInfosRes)
710 {
711 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
712 for (const auto& nativeTokenInner : nativeTokenInfoMap_) {
713 std::shared_ptr<NativeTokenInfoInner> nativeTokenInnerPtr = nativeTokenInner.second;
714 if (nativeTokenInnerPtr == nullptr || nativeTokenInnerPtr->IsRemote()
715 || nativeTokenInnerPtr->GetDcap().empty()) {
716 continue;
717 }
718 NativeTokenInfoForSync token;
719 nativeTokenInnerPtr->TranslateToNativeTokenInfo(token.baseInfo);
720
721 std::shared_ptr<PermissionPolicySet> permSetPtr =
722 nativeTokenInnerPtr->GetNativeInfoPermissionPolicySet();
723 if (permSetPtr == nullptr) {
724 ACCESSTOKEN_LOG_ERROR(
725 LABEL, "token %{public}u permSet is invalid.", token.baseInfo.tokenID);
726 return;
727 }
728 permSetPtr->GetPermissionStateList(token.permStateList);
729
730 nativeTokenInfosRes.emplace_back(token);
731 }
732 return;
733 }
734
UpdateRemoteHapTokenInfo(AccessTokenID mapID,HapTokenInfoForSync & hapSync)735 int AccessTokenInfoManager::UpdateRemoteHapTokenInfo(AccessTokenID mapID, HapTokenInfoForSync& hapSync)
736 {
737 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(mapID);
738 if (infoPtr == nullptr || !infoPtr->IsRemote()) {
739 ACCESSTOKEN_LOG_INFO(LABEL, "token %{public}u is null or not remote, can not update!", mapID);
740 return ERR_IDENTITY_CHECK_FAILED;
741 }
742
743 std::shared_ptr<PermissionPolicySet> newPermPolicySet =
744 PermissionPolicySet::BuildPolicySetWithoutDefCheck(mapID, hapSync.permStateList);
745
746 {
747 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
748 infoPtr->SetTokenBaseInfo(hapSync.baseInfo);
749 infoPtr->SetPermissionPolicySet(newPermPolicySet);
750 }
751 // update remote hap to kernel
752 PermissionManager::GetInstance().AddPermToKernel(mapID, newPermPolicySet);
753 return RET_SUCCESS;
754 }
755
CreateRemoteHapTokenInfo(AccessTokenID mapID,HapTokenInfoForSync & hapSync)756 int AccessTokenInfoManager::CreateRemoteHapTokenInfo(AccessTokenID mapID, HapTokenInfoForSync& hapSync)
757 {
758 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>(mapID, hapSync);
759 hap->SetRemote(true);
760
761 int ret = AddHapTokenInfo(hap);
762 if (ret != RET_SUCCESS) {
763 ACCESSTOKEN_LOG_ERROR(LABEL, "add local token failed.");
764 return ret;
765 }
766
767 return RET_SUCCESS;
768 }
769
IsRemoteHapTokenValid(const std::string & deviceID,const HapTokenInfoForSync & hapSync)770 bool AccessTokenInfoManager::IsRemoteHapTokenValid(const std::string& deviceID, const HapTokenInfoForSync& hapSync)
771 {
772 std::string errReason;
773 if (!DataValidator::IsDeviceIdValid(deviceID) || !DataValidator::IsDeviceIdValid(hapSync.baseInfo.deviceID)) {
774 errReason = "respond deviceID error";
775 } else if (!DataValidator::IsUserIdValid(hapSync.baseInfo.userID)) {
776 errReason = "respond userID error";
777 } else if (!DataValidator::IsBundleNameValid(hapSync.baseInfo.bundleName)) {
778 errReason = "respond bundleName error";
779 } else if (!DataValidator::IsAplNumValid(hapSync.baseInfo.apl)) {
780 errReason = "respond apl error";
781 } else if (!DataValidator::IsTokenIDValid(hapSync.baseInfo.tokenID)) {
782 errReason = "respond tokenID error";
783 } else if (!DataValidator::IsAppIDDescValid(hapSync.baseInfo.appID)) {
784 errReason = "respond appID error";
785 } else if (!DataValidator::IsDlpTypeValid(hapSync.baseInfo.dlpType)) {
786 errReason = "respond dlpType error";
787 } else if (hapSync.baseInfo.ver != DEFAULT_TOKEN_VERSION) {
788 errReason = "respond version error";
789 } else if (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(hapSync.baseInfo.tokenID) != TOKEN_HAP) {
790 errReason = "respond token type error";
791 } else {
792 return true;
793 }
794
795 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
796 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_RESPONSE_ERROR,
797 "REMOTE_ID", ConstantCommon::EncryptDevId(deviceID), "ERROR_REASON", errReason);
798 return false;
799 }
800
SetRemoteHapTokenInfo(const std::string & deviceID,HapTokenInfoForSync & hapSync)801 int AccessTokenInfoManager::SetRemoteHapTokenInfo(const std::string& deviceID, HapTokenInfoForSync& hapSync)
802 {
803 if (!IsRemoteHapTokenValid(deviceID, hapSync)) {
804 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str());
805 return ERR_IDENTITY_CHECK_FAILED;
806 }
807
808 AccessTokenID remoteID = hapSync.baseInfo.tokenID;
809 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, remoteID);
810 if (mapID != 0) {
811 ACCESSTOKEN_LOG_INFO(LABEL, "device %{public}s token %{public}u update exist remote hap token %{public}u.",
812 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
813 // update remote token mapping id
814 hapSync.baseInfo.tokenID = mapID;
815 hapSync.baseInfo.deviceID = deviceID;
816 return UpdateRemoteHapTokenInfo(mapID, hapSync);
817 }
818
819 mapID = AccessTokenRemoteTokenManager::GetInstance().MapRemoteDeviceTokenToLocal(deviceID, remoteID);
820 if (mapID == 0) {
821 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s token %{public}u map failed.",
822 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID);
823 return ERR_TOKEN_MAP_FAILED;
824 }
825
826 // update remote token mapping id
827 hapSync.baseInfo.tokenID = mapID;
828 hapSync.baseInfo.deviceID = deviceID;
829 int ret = CreateRemoteHapTokenInfo(mapID, hapSync);
830 if (ret != RET_SUCCESS) {
831 AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, mapID);
832 ACCESSTOKEN_LOG_INFO(LABEL, "device %{public}s token %{public}u map to local token %{public}u failed.",
833 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
834 return ret;
835 }
836 ACCESSTOKEN_LOG_INFO(LABEL, "device %{public}s token %{public}u map to local token %{public}u success.",
837 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
838 return RET_SUCCESS;
839 }
840
SetRemoteNativeTokenInfo(const std::string & deviceID,std::vector<NativeTokenInfoForSync> & nativeTokenInfoList)841 int AccessTokenInfoManager::SetRemoteNativeTokenInfo(const std::string& deviceID,
842 std::vector<NativeTokenInfoForSync>& nativeTokenInfoList)
843 {
844 if (!DataValidator::IsDeviceIdValid(deviceID)) {
845 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str());
846 return AccessTokenError::ERR_PARAM_INVALID;
847 }
848
849 for (NativeTokenInfoForSync& nativeToken : nativeTokenInfoList) {
850 AccessTokenID remoteID = nativeToken.baseInfo.tokenID;
851 auto encryptDevId = ConstantCommon::EncryptDevId(deviceID);
852 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(remoteID);
853 if (!DataValidator::IsAplNumValid(nativeToken.baseInfo.apl) ||
854 nativeToken.baseInfo.ver != DEFAULT_TOKEN_VERSION ||
855 !DataValidator::IsProcessNameValid(nativeToken.baseInfo.processName) ||
856 nativeToken.baseInfo.dcap.empty() ||
857 (type != TOKEN_NATIVE && type != TOKEN_SHELL)) {
858 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s token %{public}u is invalid.",
859 encryptDevId.c_str(), remoteID);
860 continue;
861 }
862
863 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, remoteID);
864 if (mapID != 0) {
865 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s token %{public}u has maped, no need update it.",
866 encryptDevId.c_str(), remoteID);
867 continue;
868 }
869
870 mapID = AccessTokenRemoteTokenManager::GetInstance().MapRemoteDeviceTokenToLocal(deviceID, remoteID);
871 if (mapID == 0) {
872 AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, mapID);
873 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s token %{public}u map failed.",
874 encryptDevId.c_str(), remoteID);
875 continue;
876 }
877 nativeToken.baseInfo.tokenID = mapID;
878 ACCESSTOKEN_LOG_INFO(LABEL, "device %{public}s token %{public}u map to local token %{public}u.",
879 encryptDevId.c_str(), remoteID, mapID);
880
881 std::shared_ptr<NativeTokenInfoInner> nativePtr =
882 std::make_shared<NativeTokenInfoInner>(nativeToken.baseInfo, nativeToken.permStateList);
883 nativePtr->SetRemote(true);
884 int ret = AddNativeTokenInfo(nativePtr);
885 if (ret != RET_SUCCESS) {
886 AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, mapID);
887 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s tokenId %{public}u add local token failed.",
888 encryptDevId.c_str(), remoteID);
889 continue;
890 }
891 ACCESSTOKEN_LOG_INFO(LABEL, "device %{public}s token %{public}u map token %{public}u add success.",
892 encryptDevId.c_str(), remoteID, mapID);
893 }
894
895 return RET_SUCCESS;
896 }
897
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)898 int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
899 {
900 if (!DataValidator::IsDeviceIdValid(deviceID)) {
901 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str());
902 return AccessTokenError::ERR_PARAM_INVALID;
903 }
904 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, tokenID);
905 if (mapID == 0) {
906 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s tokenId %{public}u is not mapped",
907 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
908 return ERR_TOKEN_MAP_FAILED;
909 }
910
911 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(mapID);
912 if (type == TOKEN_HAP) {
913 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
914 if (hapTokenInfoMap_.count(mapID) == 0) {
915 ACCESSTOKEN_LOG_ERROR(LABEL, "hap token %{public}u no exist.", mapID);
916 return ERR_TOKEN_INVALID;
917 }
918 hapTokenInfoMap_.erase(mapID);
919 } else if ((type == TOKEN_NATIVE) || (type == TOKEN_SHELL)) {
920 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
921 if (nativeTokenInfoMap_.count(mapID) == 0) {
922 ACCESSTOKEN_LOG_ERROR(
923 LABEL, "native token %{public}u is null.", mapID);
924 return ERR_TOKEN_INVALID;
925 }
926 nativeTokenInfoMap_.erase(mapID);
927 } else {
928 ACCESSTOKEN_LOG_ERROR(LABEL, "mapping tokenId %{public}u type is unknown", mapID);
929 }
930
931 return AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, tokenID);
932 }
933
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)934 AccessTokenID AccessTokenInfoManager::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)
935 {
936 if ((!DataValidator::IsDeviceIdValid(deviceID)) || (tokenID == 0) ||
937 ((AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) &&
938 (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_SHELL))) {
939 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str());
940 return 0;
941 }
942 return AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, tokenID);
943 }
944
DeleteRemoteDeviceTokens(const std::string & deviceID)945 int AccessTokenInfoManager::DeleteRemoteDeviceTokens(const std::string& deviceID)
946 {
947 if (!DataValidator::IsDeviceIdValid(deviceID)) {
948 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str());
949 return AccessTokenError::ERR_PARAM_INVALID;
950 }
951 std::vector<AccessTokenID> remoteTokens;
952 int ret = AccessTokenRemoteTokenManager::GetInstance().GetDeviceAllRemoteTokenID(deviceID, remoteTokens);
953 if (ret != RET_SUCCESS) {
954 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s have no remote token",
955 ConstantCommon::EncryptDevId(deviceID).c_str());
956 return ret;
957 }
958 for (AccessTokenID remoteID : remoteTokens) {
959 DeleteRemoteToken(deviceID, remoteID);
960 }
961 return RET_SUCCESS;
962 }
963
GetUdidByNodeId(const std::string & nodeId)964 std::string AccessTokenInfoManager::GetUdidByNodeId(const std::string &nodeId)
965 {
966 uint8_t info[UDID_MAX_LENGTH + 1] = {0};
967
968 int32_t ret = ::GetNodeKeyInfo(
969 ACCESS_TOKEN_PACKAGE_NAME.c_str(), nodeId.c_str(), NodeDeviceInfoKey::NODE_KEY_UDID, info, UDID_MAX_LENGTH);
970 if (ret != RET_SUCCESS) {
971 ACCESSTOKEN_LOG_WARN(LABEL, "GetNodeKeyInfo error, code: %{public}d", ret);
972 return "";
973 }
974 std::string udid(reinterpret_cast<char *>(info));
975 return udid;
976 }
977
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)978 AccessTokenID AccessTokenInfoManager::AllocLocalTokenID(const std::string& remoteDeviceID,
979 AccessTokenID remoteTokenID)
980 {
981 if (!DataValidator::IsDeviceIdValid(remoteDeviceID)) {
982 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s parms invalid",
983 ConstantCommon::EncryptDevId(remoteDeviceID).c_str());
984 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
985 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_CALL_ERROR,
986 "REMOTE_ID", ConstantCommon::EncryptDevId(remoteDeviceID), "ERROR_REASON", "deviceID error");
987 return 0;
988 }
989 std::string remoteUdid = GetUdidByNodeId(remoteDeviceID);
990 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s remoteUdid", ConstantCommon::EncryptDevId(remoteUdid).c_str());
991 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(remoteUdid,
992 remoteTokenID);
993 if (mapID != 0) {
994 return mapID;
995 }
996 int ret = TokenSyncKit::GetRemoteHapTokenInfo(remoteUdid, remoteTokenID);
997 if (ret != RET_SUCCESS) {
998 ACCESSTOKEN_LOG_ERROR(LABEL, "device %{public}s token %{public}u sync failed",
999 ConstantCommon::EncryptDevId(remoteUdid).c_str(), remoteTokenID);
1000 std::string errorReason = "token sync call error, error number is " + std::to_string(ret);
1001 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
1002 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_CALL_ERROR,
1003 "REMOTE_ID", ConstantCommon::EncryptDevId(remoteDeviceID), "ERROR_REASON", errorReason);
1004 return 0;
1005 }
1006
1007 return AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(remoteUdid, remoteTokenID);
1008 }
1009 #else
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)1010 AccessTokenID AccessTokenInfoManager::AllocLocalTokenID(const std::string& remoteDeviceID,
1011 AccessTokenID remoteTokenID)
1012 {
1013 ACCESSTOKEN_LOG_ERROR(LABEL, "tokensync is disable, check dependent components");
1014 return 0;
1015 }
1016 #endif
1017
GetInstance()1018 AccessTokenInfoManager& AccessTokenInfoManager::GetInstance()
1019 {
1020 static AccessTokenInfoManager instance;
1021 return instance;
1022 }
1023
StoreAllTokenInfo()1024 void AccessTokenInfoManager::StoreAllTokenInfo()
1025 {
1026 std::vector<GenericValues> hapInfoValues;
1027 std::vector<GenericValues> permDefValues;
1028 std::vector<GenericValues> permStateValues;
1029 std::vector<GenericValues> nativeTokenValues;
1030 uint64_t lastestUpdateStamp = 0;
1031 {
1032 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1033 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1034 if (iter->second != nullptr) {
1035 std::shared_ptr<HapTokenInfoInner>& hapInfo = iter->second;
1036 hapInfo->StoreHapInfo(hapInfoValues);
1037 hapInfo->StorePermissionPolicy(permStateValues);
1038 if (hapInfo->permUpdateTimestamp_ > lastestUpdateStamp) {
1039 lastestUpdateStamp = hapInfo->permUpdateTimestamp_;
1040 }
1041 }
1042 }
1043 }
1044
1045 {
1046 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1047 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1048 if (iter->second != nullptr) {
1049 iter->second->StoreNativeInfo(nativeTokenValues);
1050 iter->second->StorePermissionPolicy(permStateValues);
1051 }
1052 }
1053 }
1054
1055 PermissionDefinitionCache::GetInstance().StorePermissionDef(permDefValues);
1056
1057 AccessTokenDb::GetInstance().RefreshAll(AccessTokenDb::ACCESSTOKEN_HAP_INFO, hapInfoValues);
1058 AccessTokenDb::GetInstance().RefreshAll(AccessTokenDb::ACCESSTOKEN_NATIVE_INFO, nativeTokenValues);
1059 AccessTokenDb::GetInstance().RefreshAll(AccessTokenDb::ACCESSTOKEN_PERMISSION_DEF, permDefValues);
1060 int res = AccessTokenDb::GetInstance().RefreshAll(AccessTokenDb::ACCESSTOKEN_PERMISSION_STATE, permStateValues);
1061 PermissionManager::GetInstance().NotifyPermGrantStoreResult((res == 0), lastestUpdateStamp);
1062 }
1063
AddHapTokenInfoToDb(AccessTokenID tokenID)1064 int AccessTokenInfoManager::AddHapTokenInfoToDb(AccessTokenID tokenID)
1065 {
1066 std::vector<GenericValues> hapInfoValues;
1067 std::vector<GenericValues> permDefValues;
1068 std::vector<GenericValues> permStateValues;
1069
1070 std::shared_ptr<HapTokenInfoInner> hapInfo = GetHapTokenInfoInner(tokenID);
1071 if (hapInfo == nullptr) {
1072 ACCESSTOKEN_LOG_INFO(LABEL, "token %{public}u info is null!", tokenID);
1073 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
1074 }
1075 hapInfo->StoreHapInfo(hapInfoValues);
1076 hapInfo->StorePermissionPolicy(permStateValues);
1077
1078 PermissionDefinitionCache::GetInstance().StorePermissionDef(tokenID, permDefValues);
1079 AccessTokenDb::GetInstance().Add(AccessTokenDb::ACCESSTOKEN_HAP_INFO, hapInfoValues);
1080 AccessTokenDb::GetInstance().Add(AccessTokenDb::ACCESSTOKEN_PERMISSION_STATE, permStateValues);
1081 AccessTokenDb::GetInstance().Add(AccessTokenDb::ACCESSTOKEN_PERMISSION_DEF, permDefValues);
1082 return RET_SUCCESS;
1083 }
1084
RemoveHapTokenInfoFromDb(AccessTokenID tokenID)1085 int AccessTokenInfoManager::RemoveHapTokenInfoFromDb(AccessTokenID tokenID)
1086 {
1087 GenericValues values;
1088 values.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1089
1090 AccessTokenDb::GetInstance().Remove(AccessTokenDb::ACCESSTOKEN_HAP_INFO, values);
1091 AccessTokenDb::GetInstance().Remove(AccessTokenDb::ACCESSTOKEN_PERMISSION_DEF, values);
1092 AccessTokenDb::GetInstance().Remove(AccessTokenDb::ACCESSTOKEN_PERMISSION_STATE, values);
1093 return RET_SUCCESS;
1094 }
1095
1096 #ifdef RESOURCESCHEDULE_FFRT_ENABLE
GetCurTaskNum()1097 int32_t AccessTokenInfoManager::GetCurTaskNum()
1098 {
1099 return curTaskNum_.load();
1100 }
1101
AddCurTaskNum()1102 void AccessTokenInfoManager::AddCurTaskNum()
1103 {
1104 curTaskNum_++;
1105 }
1106
ReduceCurTaskNum()1107 void AccessTokenInfoManager::ReduceCurTaskNum()
1108 {
1109 curTaskNum_--;
1110 }
1111 #endif
1112
RefreshTokenInfoIfNeeded()1113 void AccessTokenInfoManager::RefreshTokenInfoIfNeeded()
1114 {
1115 #ifdef RESOURCESCHEDULE_FFRT_ENABLE
1116 if (GetCurTaskNum() > 1) {
1117 ACCESSTOKEN_LOG_INFO(LABEL, "has refresh task!");
1118 return;
1119 }
1120
1121 auto tokenStore = []() {
1122 AccessTokenInfoManager::GetInstance().StoreAllTokenInfo();
1123
1124 // Sleep for one second to avoid frequent refresh of the database.
1125 ffrt::this_task::sleep_for(std::chrono::seconds(1));
1126 AccessTokenInfoManager::GetInstance().ReduceCurTaskNum();
1127 };
1128 AddCurTaskNum();
1129 ffrtTaskQueue_->submit(tokenStore, ffrt::task_attr().qos(ffrt::qos_default));
1130 #else
1131 if (tokenDataWorker_.GetCurTaskNum() > 1) {
1132 ACCESSTOKEN_LOG_INFO(LABEL, "has refresh task!");
1133 return;
1134 }
1135
1136 tokenDataWorker_.AddTask([]() {
1137 AccessTokenInfoManager::GetInstance().StoreAllTokenInfo();
1138
1139 // Sleep for one second to avoid frequent refresh of the database.
1140 std::this_thread::sleep_for(std::chrono::seconds(1));
1141 });
1142 #endif
1143 }
1144
PermissionStateNotify(const std::shared_ptr<HapTokenInfoInner> & info,AccessTokenID id)1145 void AccessTokenInfoManager::PermissionStateNotify(const std::shared_ptr<HapTokenInfoInner>& info, AccessTokenID id)
1146 {
1147 std::shared_ptr<PermissionPolicySet> policy = info->GetHapInfoPermissionPolicySet();
1148 if (policy == nullptr) {
1149 return;
1150 }
1151
1152 std::vector<std::string> permissionList;
1153 policy->GetDeletedPermissionListToNotify(permissionList);
1154 if (permissionList.size() != 0) {
1155 PermissionManager::GetInstance().ParamUpdate(permissionList[0], 0, true);
1156 }
1157 for (const auto& permissionName : permissionList) {
1158 CallbackManager::GetInstance().ExecuteCallbackAsync(id, permissionName, PermStateChangeType::REVOKED);
1159 }
1160 }
1161
GetNativeTokenId(const std::string & processName)1162 AccessTokenID AccessTokenInfoManager::GetNativeTokenId(const std::string& processName)
1163 {
1164 AccessTokenID tokenID = INVALID_TOKENID;
1165 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1166 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1167 if (iter->second != nullptr && iter->second->GetProcessName() == processName) {
1168 tokenID = iter->first;
1169 break;
1170 }
1171 }
1172 return tokenID;
1173 }
1174
DumpHapTokenInfoByTokenId(const AccessTokenID tokenId,std::string & dumpInfo)1175 void AccessTokenInfoManager::DumpHapTokenInfoByTokenId(const AccessTokenID tokenId, std::string& dumpInfo)
1176 {
1177 ACCESSTOKEN_LOG_DEBUG(LABEL, "get hap token info by tokenId[%{public}u].", tokenId);
1178
1179 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(tokenId);
1180 if (type == TOKEN_HAP) {
1181 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenId);
1182 if (infoPtr != nullptr) {
1183 infoPtr->ToString(dumpInfo);
1184 }
1185 } else if (type == TOKEN_NATIVE || type == TOKEN_SHELL) {
1186 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenId);
1187 if (infoPtr != nullptr) {
1188 infoPtr->ToString(dumpInfo);
1189 }
1190 } else {
1191 dumpInfo.append("invalid tokenId");
1192 }
1193 }
1194
DumpHapTokenInfoByBundleName(const std::string & bundleName,std::string & dumpInfo)1195 void AccessTokenInfoManager::DumpHapTokenInfoByBundleName(const std::string& bundleName, std::string& dumpInfo)
1196 {
1197 ACCESSTOKEN_LOG_DEBUG(LABEL, "get hap token info by bundleName[%{public}s].", bundleName.c_str());
1198
1199 Utils::UniqueReadGuard<Utils::RWLock> hapInfoGuard(this->hapTokenInfoLock_);
1200 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1201 if (iter->second != nullptr) {
1202 if (bundleName != iter->second->GetBundleName()) {
1203 continue;
1204 }
1205
1206 iter->second->ToString(dumpInfo);
1207 dumpInfo.append("\n"); // probilly exsits remote hap token with the same bundleName
1208 }
1209 }
1210 }
1211
DumpAllHapTokenInfo(std::string & dumpInfo)1212 void AccessTokenInfoManager::DumpAllHapTokenInfo(std::string& dumpInfo)
1213 {
1214 ACCESSTOKEN_LOG_DEBUG(LABEL, "get all hap token info.");
1215
1216 Utils::UniqueReadGuard<Utils::RWLock> hapInfoGuard(this->hapTokenInfoLock_);
1217 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1218 if (iter->second != nullptr) {
1219 iter->second->ToString(dumpInfo);
1220 dumpInfo.append("\n");
1221 }
1222 }
1223 }
1224
DumpNativeTokenInfoByProcessName(const std::string & processName,std::string & dumpInfo)1225 void AccessTokenInfoManager::DumpNativeTokenInfoByProcessName(const std::string& processName, std::string& dumpInfo)
1226 {
1227 ACCESSTOKEN_LOG_DEBUG(LABEL, "get native token info by processName[%{public}s].", processName.c_str());
1228
1229 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1230 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1231 if ((iter->second != nullptr) && (processName == iter->second->GetProcessName())) {
1232 iter->second->ToString(dumpInfo);
1233 dumpInfo.append("\n");
1234 break;
1235 }
1236 }
1237 }
1238
DumpAllNativeTokenInfo(std::string & dumpInfo)1239 void AccessTokenInfoManager::DumpAllNativeTokenInfo(std::string& dumpInfo)
1240 {
1241 ACCESSTOKEN_LOG_DEBUG(LABEL, "get all native token info.");
1242
1243 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1244 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1245 if (iter->second != nullptr) {
1246 iter->second->ToString(dumpInfo);
1247 dumpInfo.append("\n");
1248 }
1249 }
1250 }
1251
DumpTokenInfo(const AtmToolsParamInfo & info,std::string & dumpInfo)1252 void AccessTokenInfoManager::DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo)
1253 {
1254 if (info.tokenId != 0) {
1255 DumpHapTokenInfoByTokenId(info.tokenId, dumpInfo);
1256 return;
1257 }
1258
1259 if ((!info.bundleName.empty()) && (info.bundleName.length() > 0)) {
1260 DumpHapTokenInfoByBundleName(info.bundleName, dumpInfo);
1261 return;
1262 }
1263
1264 if ((!info.processName.empty()) && (info.processName.length() > 0)) {
1265 DumpNativeTokenInfoByProcessName(info.processName, dumpInfo);
1266 return;
1267 }
1268
1269 DumpAllHapTokenInfo(dumpInfo);
1270 DumpAllNativeTokenInfo(dumpInfo);
1271 }
1272
GetRelatedSandBoxHapList(AccessTokenID tokenId,std::vector<AccessTokenID> & tokenIdList)1273 void AccessTokenInfoManager::GetRelatedSandBoxHapList(AccessTokenID tokenId, std::vector<AccessTokenID>& tokenIdList)
1274 {
1275 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1276
1277 std::string bundleName;
1278 int32_t userID;
1279 auto infoIter = hapTokenInfoMap_.find(tokenId);
1280 if (infoIter == hapTokenInfoMap_.end()) {
1281 return;
1282 }
1283 if (infoIter->second == nullptr) {
1284 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr");
1285 return;
1286 }
1287 bundleName = infoIter->second->GetBundleName();
1288 userID = infoIter->second->GetUserID();
1289
1290 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); ++iter) {
1291 if (iter->second != nullptr) {
1292 if ((bundleName == iter->second->GetBundleName()) && (userID == iter->second->GetUserID()) &&
1293 (tokenId != iter->second->GetTokenID())) {
1294 tokenIdList.emplace_back(iter->second->GetTokenID());
1295 }
1296 }
1297 }
1298 }
1299
SetPermDialogCap(AccessTokenID tokenID,bool enable)1300 int32_t AccessTokenInfoManager::SetPermDialogCap(AccessTokenID tokenID, bool enable)
1301 {
1302 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1303 auto infoIter = hapTokenInfoMap_.find(tokenID);
1304 if ((infoIter == hapTokenInfoMap_.end()) || (infoIter->second == nullptr)) {
1305 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr");
1306 return ERR_TOKENID_NOT_EXIST;
1307 }
1308 infoIter->second->SetPermDialogForbidden(enable);
1309 RefreshTokenInfoIfNeeded();
1310 return RET_SUCCESS;
1311 }
1312
GetPermDialogCap(AccessTokenID tokenID)1313 bool AccessTokenInfoManager::GetPermDialogCap(AccessTokenID tokenID)
1314 {
1315 if (tokenID == INVALID_TOKENID) {
1316 ACCESSTOKEN_LOG_ERROR(LABEL, "invaid tokenid(0)");
1317 return true;
1318 }
1319 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1320 auto infoIter = hapTokenInfoMap_.find(tokenID);
1321 if ((infoIter == hapTokenInfoMap_.end()) || (infoIter->second == nullptr)) {
1322 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId is not exist in map");
1323 return true;
1324 }
1325 return infoIter->second->IsPermDialogForbidden();
1326 }
1327 } // namespace AccessToken
1328 } // namespace Security
1329 } // namespace OHOS
1330