1 /*
2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_policy_set.h"
17
18 #include <algorithm>
19
20 #include "accesstoken_id_manager.h"
21 #include "accesstoken_log.h"
22 #include "access_token_db.h"
23 #include "access_token_error.h"
24 #include "permission_definition_cache.h"
25 #include "permission_map.h"
26 #include "permission_validator.h"
27 #include "data_translator.h"
28 #include "token_field_const.h"
29
30 namespace OHOS {
31 namespace Security {
32 namespace AccessToken {
33 namespace {
34 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "PermissionPolicySet"};
35 }
36
~PermissionPolicySet()37 PermissionPolicySet::~PermissionPolicySet()
38 {
39 ACCESSTOKEN_LOG_DEBUG(LABEL,
40 "%{public}s called, tokenID: 0x%{public}x destruction", __func__, tokenId_);
41 }
42
BuildPermissionPolicySet(AccessTokenID tokenId,const std::vector<PermissionStateFull> & permStateList)43 std::shared_ptr<PermissionPolicySet> PermissionPolicySet::BuildPermissionPolicySet(
44 AccessTokenID tokenId, const std::vector<PermissionStateFull>& permStateList)
45 {
46 ATokenTypeEnum tokenType = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenId);
47 std::shared_ptr<PermissionPolicySet> policySet = std::make_shared<PermissionPolicySet>();
48 PermissionValidator::FilterInvalidPermissionState(tokenType, true, permStateList, policySet->permStateList_);
49 policySet->tokenId_ = tokenId;
50 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d, permStateList_ size: %{public}zu",
51 tokenId, policySet->permStateList_.size());
52 return policySet;
53 }
54
BuildPolicySetWithoutDefCheck(AccessTokenID tokenId,const std::vector<PermissionStateFull> & permStateList)55 std::shared_ptr<PermissionPolicySet> PermissionPolicySet::BuildPolicySetWithoutDefCheck(
56 AccessTokenID tokenId, const std::vector<PermissionStateFull>& permStateList)
57 {
58 std::shared_ptr<PermissionPolicySet> policySet = std::make_shared<PermissionPolicySet>();
59 PermissionValidator::FilterInvalidPermissionState(
60 TOKEN_TYPE_BUTT, false, permStateList, policySet->permStateList_);
61 policySet->tokenId_ = tokenId;
62 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d, permStateList_ size: %{public}zu",
63 tokenId, policySet->permStateList_.size());
64 return policySet;
65 }
66
UpdatePermStateFull(const PermissionStateFull & permOld,PermissionStateFull & permNew)67 void PermissionPolicySet::UpdatePermStateFull(const PermissionStateFull& permOld, PermissionStateFull& permNew)
68 {
69 if (permNew.isGeneral == permOld.isGeneral) {
70 permNew.resDeviceID = permOld.resDeviceID;
71 permNew.grantStatus = permOld.grantStatus;
72 permNew.grantFlags = permOld.grantFlags;
73 }
74 }
75
Update(const std::vector<PermissionStateFull> & permStateList)76 void PermissionPolicySet::Update(const std::vector<PermissionStateFull>& permStateList)
77 {
78 std::vector<PermissionStateFull> permStateFilterList;
79 PermissionValidator::FilterInvalidPermissionState(TOKEN_HAP, true, permStateList, permStateFilterList);
80 ACCESSTOKEN_LOG_INFO(LABEL, "permStateFilterList size: %{public}zu.", permStateFilterList.size());
81 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
82
83 for (PermissionStateFull& permStateNew : permStateFilterList) {
84 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
85 [permStateNew](const PermissionStateFull& permStateOld) {
86 return permStateNew.permissionName == permStateOld.permissionName;
87 });
88 if (iter != permStateList_.end()) {
89 UpdatePermStateFull(*iter, permStateNew);
90 break;
91 }
92 }
93 permStateList_ = permStateFilterList;
94 }
95
GetFlagWroteToDb(uint32_t grantFlag)96 uint32_t PermissionPolicySet::GetFlagWroteToDb(uint32_t grantFlag)
97 {
98 return GetFlagWithoutSpecifiedElement(grantFlag, PERMISSION_COMPONENT_SET);
99 }
100
RestorePermissionPolicy(AccessTokenID tokenId,const std::vector<GenericValues> & permStateRes)101 std::shared_ptr<PermissionPolicySet> PermissionPolicySet::RestorePermissionPolicy(AccessTokenID tokenId,
102 const std::vector<GenericValues>& permStateRes)
103 {
104 std::shared_ptr<PermissionPolicySet> policySet = std::make_shared<PermissionPolicySet>();
105 policySet->tokenId_ = tokenId;
106
107 for (const GenericValues& stateValue : permStateRes) {
108 if ((AccessTokenID)stateValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID) == tokenId) {
109 PermissionStateFull state;
110 int ret = DataTranslator::TranslationIntoPermissionStateFull(stateValue, state);
111 if (ret == RET_SUCCESS) {
112 MergePermissionStateFull(policySet->permStateList_, state);
113 } else {
114 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenId 0x%{public}x permState is wrong.", tokenId);
115 }
116 }
117 }
118 return policySet;
119 }
120
MergePermissionStateFull(std::vector<PermissionStateFull> & permStateList,PermissionStateFull & state)121 void PermissionPolicySet::MergePermissionStateFull(std::vector<PermissionStateFull>& permStateList,
122 PermissionStateFull& state)
123 {
124 uint32_t flag = GetFlagWroteToDb(state.grantFlags[0]);
125 state.grantFlags[0] = flag;
126 for (auto iter = permStateList.begin(); iter != permStateList.end(); iter++) {
127 if (state.permissionName == iter->permissionName) {
128 iter->resDeviceID.emplace_back(state.resDeviceID[0]);
129 iter->grantStatus.emplace_back(state.grantStatus[0]);
130 iter->grantFlags.emplace_back(state.grantFlags[0]);
131 ACCESSTOKEN_LOG_INFO(LABEL, "update permission: %{public}s.", state.permissionName.c_str());
132 return;
133 }
134 }
135 ACCESSTOKEN_LOG_INFO(LABEL, "add permission: %{public}s.", state.permissionName.c_str());
136 permStateList.emplace_back(state);
137 }
138
StorePermissionState(std::vector<GenericValues> & valueList) const139 void PermissionPolicySet::StorePermissionState(std::vector<GenericValues>& valueList) const
140 {
141 for (const auto& permissionState : permStateList_) {
142 ACCESSTOKEN_LOG_DEBUG(LABEL, "permissionName: %{public}s", permissionState.permissionName.c_str());
143 if (permissionState.isGeneral) {
144 GenericValues genericValues;
145 genericValues.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId_));
146 DataTranslator::TranslationIntoGenericValues(permissionState, 0, genericValues);
147 valueList.emplace_back(genericValues);
148 continue;
149 }
150
151 unsigned int stateSize = permissionState.resDeviceID.size();
152 for (unsigned int i = 0; i < stateSize; i++) {
153 GenericValues genericValues;
154 genericValues.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenId_));
155 DataTranslator::TranslationIntoGenericValues(permissionState, i, genericValues);
156 valueList.emplace_back(genericValues);
157 }
158 }
159 }
160
StorePermissionPolicySet(std::vector<GenericValues> & permStateValueList)161 void PermissionPolicySet::StorePermissionPolicySet(std::vector<GenericValues>& permStateValueList)
162 {
163 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
164 StorePermissionState(permStateValueList);
165 }
166
IsPermOperatedByUser(int32_t flag)167 static bool IsPermOperatedByUser(int32_t flag)
168 {
169 uint32_t uFlag = static_cast<uint32_t>(flag);
170 return (uFlag & PERMISSION_USER_FIXED) || (uFlag & PERMISSION_USER_SET);
171 }
172
IsPermOperatedBySystem(int32_t flag)173 static bool IsPermOperatedBySystem(int32_t flag)
174 {
175 uint32_t uFlag = static_cast<uint32_t>(flag);
176 return (uFlag & PERMISSION_SYSTEM_FIXED) || (uFlag & PERMISSION_GRANTED_BY_POLICY);
177 }
178
IsPermGrantedBySecComp(int32_t flag)179 static bool IsPermGrantedBySecComp(int32_t flag)
180 {
181 uint32_t uFlag = static_cast<uint32_t>(flag);
182 return uFlag & PERMISSION_COMPONENT_SET;
183 }
184
GetFlagWithoutSpecifiedElement(uint32_t fullFlag,uint32_t removedFlag)185 uint32_t PermissionPolicySet::GetFlagWithoutSpecifiedElement(uint32_t fullFlag, uint32_t removedFlag)
186 {
187 uint32_t unmaskedFlag = (fullFlag) & (~removedFlag);
188 return unmaskedFlag;
189 }
190
VerifyPermissionStatus(const std::string & permissionName)191 int PermissionPolicySet::VerifyPermissionStatus(const std::string& permissionName)
192 {
193 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
194 for (const auto& perm : permStateList_) {
195 if (perm.permissionName != permissionName) {
196 continue;
197 }
198 if (!perm.isGeneral) {
199 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID: %{public}d, permission: %{public}s is not general",
200 tokenId_, permissionName.c_str());
201 return PERMISSION_DENIED;
202 }
203 if (IsPermGrantedBySecComp(perm.grantFlags[0])) {
204 ACCESSTOKEN_LOG_INFO(LABEL, "tokenID: %{public}d, permission is granted by seccomp", tokenId_);
205 return PERMISSION_GRANTED;
206 }
207 if (perm.grantStatus[0] != PERMISSION_GRANTED) {
208 ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID: %{public}d, permission: %{public}s is not granted",
209 tokenId_, permissionName.c_str());
210 return PERMISSION_DENIED;
211 }
212 return PERMISSION_GRANTED;
213 }
214 // check if undeclared permission is granted by security component.
215 if (std::any_of(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
216 [permissionName](const auto& permission) { return permission == permissionName; })) {
217 return PERMISSION_GRANTED;
218 }
219 ACCESSTOKEN_LOG_DEBUG(LABEL, "tokenID: %{public}d, permission: %{public}s is undeclared",
220 tokenId_, permissionName.c_str());
221 return PERMISSION_DENIED;
222 }
223
GetDefPermissions(std::vector<PermissionDef> & permList)224 void PermissionPolicySet::GetDefPermissions(std::vector<PermissionDef>& permList)
225 {
226 PermissionDefinitionCache::GetInstance().GetDefPermissionsByTokenId(permList, tokenId_);
227 }
228
GetPermissionStateFulls(std::vector<PermissionStateFull> & permList)229 void PermissionPolicySet::GetPermissionStateFulls(std::vector<PermissionStateFull>& permList)
230 {
231 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
232 permList.assign(permStateList_.begin(), permStateList_.end());
233 }
234
QueryPermissionFlag(const std::string & permissionName,int & flag)235 int PermissionPolicySet::QueryPermissionFlag(const std::string& permissionName, int& flag)
236 {
237 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
238 for (const auto& perm : permStateList_) {
239 if (perm.permissionName == permissionName) {
240 if (perm.isGeneral) {
241 flag = perm.grantFlags[0];
242 return RET_SUCCESS;
243 } else {
244 return AccessTokenError::ERR_PARAM_INVALID;
245 }
246 }
247 }
248 ACCESSTOKEN_LOG_ERROR(LABEL, "invalid params!");
249 return AccessTokenError::ERR_PERMISSION_NOT_EXIST;
250 }
251
UpdateWithNewFlag(int32_t oldFlag,int32_t currFlag)252 static int32_t UpdateWithNewFlag(int32_t oldFlag, int32_t currFlag)
253 {
254 uint32_t newFlag = static_cast<uint32_t>(currFlag) |
255 ((static_cast<uint32_t>(oldFlag)) & PERMISSION_GRANTED_BY_POLICY);
256 return static_cast<int32_t>(newFlag);
257 }
258
UpdatePermStateList(const std::string & permissionName,bool isGranted,uint32_t flag)259 int32_t PermissionPolicySet::UpdatePermStateList(const std::string& permissionName, bool isGranted, uint32_t flag)
260 {
261 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
262 auto iter = std::find_if(permStateList_.begin(), permStateList_.end(),
263 [permissionName](const PermissionStateFull& permState) {
264 return permissionName == permState.permissionName;
265 });
266 if (iter != permStateList_.end()) {
267 if (iter->isGeneral) {
268 if ((static_cast<uint32_t>(iter->grantFlags[0]) & PERMISSION_SYSTEM_FIXED) == PERMISSION_SYSTEM_FIXED) {
269 ACCESSTOKEN_LOG_ERROR(LABEL, "permission fixed by system!");
270 return AccessTokenError::ERR_PARAM_INVALID;
271 }
272 iter->grantStatus[0] = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED;
273 iter->grantFlags[0] = UpdateWithNewFlag(iter->grantFlags[0], flag);
274 } else {
275 ACCESSTOKEN_LOG_WARN(LABEL, "perm isGeneral is false.");
276 }
277 } else {
278 ACCESSTOKEN_LOG_ERROR(LABEL, "permission not request!");
279 return AccessTokenError::ERR_PARAM_INVALID;
280 }
281 return RET_SUCCESS;
282 }
283
SecCompGrantedPermListUpdated(const std::string & permissionName,bool isAdded)284 void PermissionPolicySet::SecCompGrantedPermListUpdated(const std::string& permissionName, bool isAdded)
285 {
286 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
287 if (isAdded) {
288 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission in secCompGrantedPermList_ is added.");
289 auto iter = std::find_if(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
290 [permissionName](const std::string &grantedPerm) {
291 return permissionName == grantedPerm;
292 });
293 if (iter == secCompGrantedPermList_.end()) {
294 secCompGrantedPermList_.emplace_back(permissionName);
295 return;
296 }
297 } else {
298 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission in secCompGrantedPermList_ is deleted.");
299 auto iter = std::find_if(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end(),
300 [permissionName](const std::string &grantedPerm) {
301 return permissionName == grantedPerm;
302 });
303 if (iter != secCompGrantedPermList_.end()) {
304 secCompGrantedPermList_.erase(iter);
305 return;
306 }
307 }
308 return;
309 }
310
SetPermissionFlag(const std::string & permissionName,uint32_t flag,bool needToAdd)311 void PermissionPolicySet::SetPermissionFlag(const std::string& permissionName, uint32_t flag, bool needToAdd)
312 {
313 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
314 for (auto& perm : permStateList_) {
315 if (perm.permissionName == permissionName) {
316 if (perm.isGeneral) {
317 uint32_t oldFlag = perm.grantFlags[0];
318 uint32_t newFlag =
319 needToAdd ? (oldFlag | flag) : (oldFlag & (~PERMISSION_COMPONENT_SET));
320 perm.grantFlags[0] = newFlag;
321 return;
322 }
323 }
324 }
325 return;
326 }
327
UpdateSecCompGrantedPermList(const std::string & permissionName,bool isToGrant)328 int32_t PermissionPolicySet::UpdateSecCompGrantedPermList(const std::string& permissionName, bool isToGrant)
329 {
330 int32_t flag = 0;
331 int32_t ret = QueryPermissionFlag(permissionName, flag);
332
333 ACCESSTOKEN_LOG_DEBUG(LABEL, "ret is %{public}d. flag is %{public}d", ret, flag);
334 // if the permission has been operated by user or the permission has been granted by system.
335 if ((IsPermOperatedByUser(flag) || IsPermOperatedBySystem(flag))) {
336 ACCESSTOKEN_LOG_DEBUG(LABEL, "The permission has been operated.");
337 if (isToGrant) {
338 int32_t status = VerifyPermissionStatus(permissionName);
339 // Permission has been granted, there is no need to add perm state in security component permList.
340 if (status == PERMISSION_GRANTED) {
341 return RET_SUCCESS;
342 } else {
343 ACCESSTOKEN_LOG_ERROR(LABEL, "Permission has been revoked by user.");
344 return ERR_PERMISSION_DENIED;
345 }
346 } else {
347 /* revoke is called while the permission has been operated by user or system */
348 /* the permission need to be deleted from secCompGrantedPermList_ */
349 SecCompGrantedPermListUpdated(permissionName, false);
350 return RET_SUCCESS;
351 }
352 }
353 // the permission has not been operated by user or the app has not applied for this permission in config.json
354 SecCompGrantedPermListUpdated(permissionName, isToGrant);
355 // If the app has applied for this permission and security component operation has taken effect.
356 SetPermissionFlag(permissionName, PERMISSION_COMPONENT_SET, isToGrant);
357 return RET_SUCCESS;
358 }
359
UpdatePermissionStatus(const std::string & permissionName,bool isGranted,uint32_t flag)360 int32_t PermissionPolicySet::UpdatePermissionStatus(const std::string& permissionName, bool isGranted, uint32_t flag)
361 {
362 ACCESSTOKEN_LOG_DEBUG(LABEL, "permissionName %{public}s.", permissionName.c_str());
363 if (!IsPermGrantedBySecComp(flag)) {
364 return UpdatePermStateList(permissionName, isGranted, flag);
365 }
366 ACCESSTOKEN_LOG_DEBUG(LABEL, "Permission is set by security component.");
367 return UpdateSecCompGrantedPermList(permissionName, isGranted);
368 }
369
ClearSecCompGrantedPerm(void)370 void PermissionPolicySet::ClearSecCompGrantedPerm(void)
371 {
372 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
373 secCompGrantedPermList_.erase(secCompGrantedPermList_.begin(), secCompGrantedPermList_.end());
374 for (auto& perm : permStateList_) {
375 if (perm.isGeneral) {
376 perm.grantFlags[0] = GetFlagWithoutSpecifiedElement(perm.grantFlags[0], PERMISSION_COMPONENT_SET);
377 }
378 }
379 }
380
ResetUserGrantPermissionStatus(void)381 void PermissionPolicySet::ResetUserGrantPermissionStatus(void)
382 {
383 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
384 for (auto& perm : permStateList_) {
385 if (perm.isGeneral) {
386 uint32_t oldFlag = static_cast<uint32_t>(perm.grantFlags[0]);
387 if ((oldFlag & PERMISSION_SYSTEM_FIXED) != 0) {
388 continue;
389 }
390 /* A user_grant permission has been set by system for cancellable pre-authorization. */
391 /* it should keep granted when the app reset. */
392 if ((oldFlag & PERMISSION_GRANTED_BY_POLICY) != 0) {
393 perm.grantStatus[0] = PERMISSION_GRANTED;
394 perm.grantFlags[0] = PERMISSION_GRANTED_BY_POLICY;
395 continue;
396 }
397 perm.grantStatus[0] = PERMISSION_DENIED;
398 perm.grantFlags[0] = PERMISSION_DEFAULT_FLAG;
399 } else {
400 continue;
401 }
402 }
403 }
404
GetPermissionStateList(std::vector<PermissionStateFull> & stateList)405 void PermissionPolicySet::GetPermissionStateList(std::vector<PermissionStateFull>& stateList)
406 {
407 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
408 for (const auto& state : permStateList_) {
409 stateList.emplace_back(state);
410 }
411 }
412
GetGrantedPermissionList(std::vector<std::string> & permissionList)413 void PermissionPolicySet::GetGrantedPermissionList(std::vector<std::string>& permissionList)
414 {
415 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
416 for (const auto& perm : permStateList_) {
417 if (perm.isGeneral && (perm.grantStatus[0] == PERMISSION_GRANTED)) {
418 permissionList.emplace_back(perm.permissionName);
419 }
420 }
421
422 for (const auto& permission : secCompGrantedPermList_) {
423 permissionList.emplace_back(permission);
424 }
425 }
426
GetDeletedPermissionListToNotify(std::vector<std::string> & permissionList)427 void PermissionPolicySet::GetDeletedPermissionListToNotify(std::vector<std::string>& permissionList)
428 {
429 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
430 for (const auto& perm : permStateList_) {
431 if (perm.isGeneral) {
432 if (perm.grantStatus[0] == PERMISSION_GRANTED) {
433 permissionList.emplace_back(perm.permissionName);
434 }
435 }
436 }
437 for (const auto& permission : secCompGrantedPermList_) {
438 permissionList.emplace_back(permission);
439 }
440 }
441
GetPermissionStateList(std::vector<uint32_t> & opCodeList,std::vector<bool> & statusList)442 void PermissionPolicySet::GetPermissionStateList(std::vector<uint32_t>& opCodeList, std::vector<bool>& statusList)
443 {
444 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
445 for (const auto& state : permStateList_) {
446 uint32_t code;
447 if (TransferPermissionToOpcode(state.permissionName, code)) {
448 opCodeList.emplace_back(code);
449 statusList.emplace_back(state.grantStatus[0] == PERMISSION_GRANTED);
450 }
451 }
452 }
453
PermDefToString(const PermissionDef & def,std::string & info) const454 void PermissionPolicySet::PermDefToString(const PermissionDef& def, std::string& info) const
455 {
456 info.append(R"( {)");
457 info.append("\n");
458 info.append(R"( "permissionName": ")" + def.permissionName + R"(")" + ",\n");
459 info.append(R"( "bundleName": ")" + def.bundleName + R"(")" + ",\n");
460 info.append(R"( "grantMode": )" + std::to_string(def.grantMode) + ",\n");
461 info.append(R"( "availableLevel": )" + std::to_string(def.availableLevel) + ",\n");
462 info.append(R"( "provisionEnable": )" + std::to_string(def.provisionEnable) + ",\n");
463 info.append(R"( "distributedSceneEnable": )" + std::to_string(def.distributedSceneEnable) + ",\n");
464 info.append(R"( "label": ")" + def.label + R"(")" + ",\n");
465 info.append(R"( "labelId": )" + std::to_string(def.labelId) + ",\n");
466 info.append(R"( "description": ")" + def.description + R"(")" + ",\n");
467 info.append(R"( "descriptionId": )" + std::to_string(def.descriptionId) + ",\n");
468 info.append(R"( })");
469 }
470
PermStateFullToString(const PermissionStateFull & state,std::string & info) const471 void PermissionPolicySet::PermStateFullToString(const PermissionStateFull& state, std::string& info) const
472 {
473 info.append(R"( {)");
474 info.append("\n");
475 info.append(R"( "permissionName": ")" + state.permissionName + R"(")" + ",\n");
476 info.append(R"( "isGeneral": )" + std::to_string(state.isGeneral) + ",\n");
477 #ifndef ATM_BUILD_VARIANT_USER_ENABLE
478 info.append(R"( "resDeviceIDList": [ )");
479 for (auto iter = state.resDeviceID.begin(); iter != state.resDeviceID.end(); iter++) {
480 info.append("\n");
481 info.append(R"( { "resDeviceID": ")" + *iter + R"(")" + " }");
482 if (iter != (state.resDeviceID.end() - 1)) {
483 info.append(",");
484 }
485 }
486 info.append("\n ],\n");
487 #endif
488 info.append(R"( "grantStatusList": [)");
489 for (auto iter = state.grantStatus.begin(); iter != state.grantStatus.end(); iter++) {
490 info.append("\n");
491 info.append(R"( { "grantStatus": )" + std::to_string(*iter) + " }");
492 if (iter != (state.grantStatus.end() - 1)) {
493 info.append(",");
494 }
495 }
496 info.append("\n ],\n");
497
498 info.append(R"( "grantFlagsList": [)");
499 for (auto iter = state.grantFlags.begin(); iter != state.grantFlags.end(); iter++) {
500 info.append("\n");
501 info.append(R"( { "grantFlag": )" + std::to_string(*iter) + " }");
502 if (iter != (state.grantFlags.end() - 1)) {
503 info.append(",");
504 }
505 }
506 info.append("\n ],\n");
507
508 info.append(R"( })");
509 }
510
ToString(std::string & info)511 void PermissionPolicySet::ToString(std::string& info)
512 {
513 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
514 info.append(R"( "permDefList": [)");
515 info.append("\n");
516 std::vector<PermissionDef> permList;
517 PermissionDefinitionCache::GetInstance().GetDefPermissionsByTokenId(permList, tokenId_);
518 for (auto iter = permList.begin(); iter != permList.end(); iter++) {
519 PermDefToString(*iter, info);
520 if (iter != (permList.end() - 1)) {
521 info.append(",\n");
522 }
523 }
524 info.append("\n ],\n");
525
526 info.append(R"( "permStateList": [)");
527 info.append("\n");
528 for (auto iter = permStateList_.begin(); iter != permStateList_.end(); iter++) {
529 PermStateFullToString(*iter, info);
530 if (iter != (permStateList_.end() - 1)) {
531 info.append(",\n");
532 }
533 }
534 info.append("\n ]\n");
535 }
536
IsPermissionReqValid(int32_t tokenApl,const std::string & permissionName,const std::vector<std::string> & nativeAcls)537 bool PermissionPolicySet::IsPermissionReqValid(int32_t tokenApl, const std::string& permissionName,
538 const std::vector<std::string>& nativeAcls)
539 {
540 PermissionDef permissionDef;
541 int ret = PermissionDefinitionCache::GetInstance().FindByPermissionName(
542 permissionName, permissionDef);
543 if (ret != RET_SUCCESS) {
544 return false;
545 }
546 if (tokenApl >= permissionDef.availableLevel) {
547 return true;
548 }
549
550 auto iter = std::find(nativeAcls.begin(), nativeAcls.end(), permissionName);
551 if (iter != nativeAcls.end()) {
552 return true;
553 }
554 return false;
555 }
556
PermStateToString(int32_t tokenApl,const std::vector<std::string> & nativeAcls,std::string & info)557 void PermissionPolicySet::PermStateToString(int32_t tokenApl,
558 const std::vector<std::string>& nativeAcls, std::string& info)
559 {
560 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->permPolicySetLock_);
561
562 std::vector<std::string> invalidPermList = {};
563 info.append(R"( "permStateList": [)");
564 info.append("\n");
565 for (auto iter = permStateList_.begin(); iter != permStateList_.end(); iter++) {
566 if (!IsPermissionReqValid(tokenApl, iter->permissionName, nativeAcls)) {
567 invalidPermList.emplace_back(iter->permissionName);
568 continue;
569 }
570 PermStateFullToString(*iter, info);
571 if (iter != (permStateList_.end() - 1)) {
572 info.append(",\n");
573 }
574 }
575 info.append("\n ]\n");
576
577 if (invalidPermList.empty()) {
578 return;
579 }
580
581 info.append(R"( "invalidPermList": [)");
582 info.append("\n");
583 for (auto iter = invalidPermList.begin(); iter != invalidPermList.end(); iter++) {
584 info.append(R"( "permissionName": ")" + *iter + R"(")" + ",\n");
585 }
586 info.append("\n ]\n");
587 }
588 } // namespace AccessToken
589 } // namespace Security
590 } // namespace OHOS
591