1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accesstoken_info_manager.h"
17
18 #include <cinttypes>
19 #include <cstdint>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <securec.h>
23 #include "access_token.h"
24 #include "accesstoken_dfx_define.h"
25 #include "accesstoken_id_manager.h"
26 #include "accesstoken_log.h"
27 #include "accesstoken_remote_token_manager.h"
28 #include "access_token_error.h"
29 #include "atm_tools_param_info_parcel.h"
30 #include "callback_manager.h"
31 #include "constant_common.h"
32 #include "data_translator.h"
33 #include "data_validator.h"
34 #ifdef SUPPORT_SANDBOX_APP
35 #include "dlp_permission_set_manager.h"
36 #endif
37 #include "generic_values.h"
38 #include "hap_token_info_inner.h"
39 #include "hisysevent_adapter.h"
40 #include "ipc_skeleton.h"
41 #include "permission_definition_cache.h"
42 #include "permission_manager.h"
43 #include "access_token_db.h"
44 #include "token_field_const.h"
45 #include "token_setproc.h"
46 #ifdef TOKEN_SYNC_ENABLE
47 #include "token_modify_notifier.h"
48 #endif
49
50 namespace OHOS {
51 namespace Security {
52 namespace AccessToken {
53 namespace {
54 std::recursive_mutex g_instanceMutex;
55 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenInfoManager"};
56 static const unsigned int SYSTEM_APP_FLAG = 0x0001;
57 #ifdef TOKEN_SYNC_ENABLE
58 static const int MAX_PTHREAD_NAME_LEN = 15; // pthread name max length
59 static const std::string ACCESS_TOKEN_PACKAGE_NAME = "ohos.security.distributed_token_sync";
60 #endif
61 static const std::string DUMP_JSON_PATH = "/data/service/el1/public/access_token/nativetoken.log";
62 }
63
AccessTokenInfoManager()64 AccessTokenInfoManager::AccessTokenInfoManager() : hasInited_(false) {}
65
~AccessTokenInfoManager()66 AccessTokenInfoManager::~AccessTokenInfoManager()
67 {
68 if (!hasInited_) {
69 return;
70 }
71
72 #ifdef TOKEN_SYNC_ENABLE
73 int32_t ret = DistributedHardware::DeviceManager::GetInstance().UnInitDeviceManager(ACCESS_TOKEN_PACKAGE_NAME);
74 if (ret != ERR_OK) {
75 ACCESSTOKEN_LOG_ERROR(LABEL, "UnInitDeviceManager failed, code: %{public}d", ret);
76 }
77 #endif
78
79 this->hasInited_ = false;
80 }
81
Init()82 void AccessTokenInfoManager::Init()
83 {
84 OHOS::Utils::UniqueWriteGuard<OHOS::Utils::RWLock> lk(this->managerLock_);
85 if (hasInited_) {
86 return;
87 }
88
89 ACCESSTOKEN_LOG_INFO(LABEL, "Init begin!");
90 uint32_t hapSize = 0;
91 uint32_t nativeSize = 0;
92 InitHapTokenInfos(hapSize);
93 InitNativeTokenInfos(nativeSize);
94 uint32_t pefDefSize = PermissionDefinitionCache::GetInstance().GetDefPermissionsSize();
95 ReportSysEventServiceStart(getpid(), hapSize, nativeSize, pefDefSize);
96 ACCESSTOKEN_LOG_INFO(LABEL, "InitTokenInfo end, hapSize %{public}d, nativeSize %{public}d, pefDefSize %{public}d.",
97 hapSize, nativeSize, pefDefSize);
98
99 #ifdef TOKEN_SYNC_ENABLE
100 std::function<void()> runner = []() {
101 std::string name = "AtmInfoMgrInit";
102 pthread_setname_np(pthread_self(), name.substr(0, MAX_PTHREAD_NAME_LEN).c_str());
103 auto sleepTime = std::chrono::milliseconds(1000);
104 std::shared_ptr<AccessTokenDmInitCallback> ptrDmInitCallback = std::make_shared<AccessTokenDmInitCallback>();
105 while (1) {
106 int32_t ret = DistributedHardware::DeviceManager::GetInstance().InitDeviceManager(ACCESS_TOKEN_PACKAGE_NAME,
107 ptrDmInitCallback);
108 if (ret != ERR_OK) {
109 ACCESSTOKEN_LOG_ERROR(LABEL, "Initialize: InitDeviceManager error, result: %{public}d", ret);
110 std::this_thread::sleep_for(sleepTime);
111 continue;
112 }
113 return;
114 }
115 };
116 std::thread initThread(runner);
117 initThread.detach();
118 #endif
119
120 hasInited_ = true;
121 ACCESSTOKEN_LOG_INFO(LABEL, "Init success");
122 }
123
InitHapTokenInfos(uint32_t & hapSize)124 void AccessTokenInfoManager::InitHapTokenInfos(uint32_t& hapSize)
125 {
126 GenericValues conditionValue;
127 std::vector<GenericValues> hapTokenRes;
128 std::vector<GenericValues> permDefRes;
129 std::vector<GenericValues> permStateRes;
130 int32_t ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, hapTokenRes);
131 if (ret != RET_SUCCESS || hapTokenRes.empty()) {
132 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load hap from db fail.", ret);
133 }
134 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, conditionValue, permDefRes);
135 if (ret != RET_SUCCESS || permDefRes.empty()) {
136 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load perm def from db fail.", ret);
137 }
138 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes);
139 if (ret != RET_SUCCESS || permStateRes.empty()) {
140 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR, "Load perm state from db fail.", ret);
141 }
142 for (const GenericValues& tokenValue : hapTokenRes) {
143 AccessTokenID tokenId = (AccessTokenID)tokenValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
144 std::string bundle = tokenValue.GetString(TokenFiledConst::FIELD_BUNDLE_NAME);
145 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, TOKEN_HAP);
146 if (ret != RET_SUCCESS) {
147 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u add id failed, error=%{public}d.", tokenId, ret);
148 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR,
149 "RegisterTokenId fail, " + bundle + std::to_string(tokenId), ret);
150 continue;
151 }
152 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>();
153 ret = hap->RestoreHapTokenInfo(tokenId, tokenValue, permStateRes);
154 if (ret != RET_SUCCESS) {
155 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
156 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u restore failed.", tokenId);
157 continue;
158 }
159
160 ret = AddHapTokenInfo(hap);
161 if (ret != RET_SUCCESS) {
162 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
163 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u add failed.", tokenId);
164 ReportSysEventServiceStartError(INIT_HAP_TOKENINFO_ERROR,
165 "AddHapTokenInfo fail, " + bundle + std::to_string(tokenId), ret);
166 continue;
167 }
168 hapSize++;
169 ACCESSTOKEN_LOG_INFO(LABEL,
170 " Restore hap token %{public}u bundle name %{public}s user %{public}d,"
171 " permSize %{public}d, inst %{public}d ok!",
172 tokenId, hap->GetBundleName().c_str(), hap->GetUserID(), hap->GetReqPermissionSize(), hap->GetInstIndex());
173 }
174 PermissionDefinitionCache::GetInstance().RestorePermDefInfo(permDefRes);
175 }
176
InitNativeTokenInfos(uint32_t & nativeSize)177 void AccessTokenInfoManager::InitNativeTokenInfos(uint32_t& nativeSize)
178 {
179 GenericValues conditionValue;
180 std::vector<GenericValues> nativeTokenResults;
181 std::vector<GenericValues> permStateRes;
182 int32_t ret = AccessTokenDb::GetInstance().Find(
183 AtmDataType::ACCESSTOKEN_NATIVE_INFO, conditionValue, nativeTokenResults);
184 if (ret != RET_SUCCESS || nativeTokenResults.empty()) {
185 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR, "Load native from db fail.", ret);
186 }
187 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes);
188 if (ret != RET_SUCCESS || permStateRes.empty()) {
189 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR, "Load perm state from db fail.", ret);
190 }
191 for (const GenericValues& nativeTokenValue : nativeTokenResults) {
192 AccessTokenID tokenId = (AccessTokenID)nativeTokenValue.GetInt(TokenFiledConst::FIELD_TOKEN_ID);
193 std::string process = nativeTokenValue.GetString(TokenFiledConst::FIELD_PROCESS_NAME);
194 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenId);
195 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(tokenId, type);
196 if (ret != RET_SUCCESS) {
197 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR,
198 "RegisterTokenId fail, " + process + std::to_string(tokenId), ret);
199 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u add failed, error=%{public}d.", tokenId, ret);
200 continue;
201 }
202 std::shared_ptr<NativeTokenInfoInner> native = std::make_shared<NativeTokenInfoInner>();
203
204 ret = native->RestoreNativeTokenInfo(tokenId, nativeTokenValue, permStateRes);
205 if (ret != RET_SUCCESS) {
206 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
207 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId %{public}u restore failed.", tokenId);
208 continue;
209 }
210
211 ret = AddNativeTokenInfo(native);
212 if (ret != RET_SUCCESS) {
213 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
214 ACCESSTOKEN_LOG_ERROR(LABEL, "Id %{public}u add failed.", tokenId);
215 ReportSysEventServiceStartError(INIT_NATIVE_TOKENINFO_ERROR,
216 "AddNativeTokenInfo fail, " + process + std::to_string(tokenId), ret);
217 continue;
218 }
219 nativeSize++;
220 ACCESSTOKEN_LOG_INFO(LABEL,
221 "restore native token %{public}u process name %{public}s, permSize %{public}d ok!",
222 tokenId, native->GetProcessName().c_str(), native->GetReqPermissionSize());
223 }
224 }
225
GetHapUniqueStr(const int & userID,const std::string & bundleName,const int & instIndex) const226 std::string AccessTokenInfoManager::GetHapUniqueStr(const int& userID,
227 const std::string& bundleName, const int& instIndex) const
228 {
229 return bundleName + "&" + std::to_string(userID) + "&" + std::to_string(instIndex);
230 }
231
GetHapUniqueStr(const std::shared_ptr<HapTokenInfoInner> & info) const232 std::string AccessTokenInfoManager::GetHapUniqueStr(const std::shared_ptr<HapTokenInfoInner>& info) const
233 {
234 if (info == nullptr) {
235 return std::string("");
236 }
237 return GetHapUniqueStr(info->GetUserID(), info->GetBundleName(), info->GetInstIndex());
238 }
239
AddHapTokenInfo(const std::shared_ptr<HapTokenInfoInner> & info)240 int AccessTokenInfoManager::AddHapTokenInfo(const std::shared_ptr<HapTokenInfoInner>& info)
241 {
242 if (info == nullptr) {
243 ACCESSTOKEN_LOG_ERROR(LABEL, "Token info is null.");
244 return AccessTokenError::ERR_PARAM_INVALID;
245 }
246 AccessTokenID id = info->GetTokenID();
247 AccessTokenID idRemoved = INVALID_TOKENID;
248 {
249 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
250 if (hapTokenInfoMap_.count(id) > 0) {
251 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u info has exist.", id);
252 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
253 }
254
255 if (!info->IsRemote()) {
256 std::string hapUniqueKey = GetHapUniqueStr(info);
257 auto iter = hapTokenIdMap_.find(hapUniqueKey);
258 if (iter != hapTokenIdMap_.end()) {
259 ACCESSTOKEN_LOG_INFO(LABEL, "Token %{public}u Unique info has exist, update.", id);
260 idRemoved = iter->second;
261 }
262 hapTokenIdMap_[hapUniqueKey] = id;
263 }
264 hapTokenInfoMap_[id] = info;
265 }
266 if (idRemoved != INVALID_TOKENID) {
267 RemoveHapTokenInfo(idRemoved);
268 }
269 // add hap to kernel
270 std::shared_ptr<PermissionPolicySet> policySet = info->GetHapInfoPermissionPolicySet();
271 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
272
273 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "ADD_HAP", HiviewDFX::HiSysEvent::EventType::STATISTIC,
274 "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(),
275 "INSTINDEX", info->GetInstIndex());
276
277 return RET_SUCCESS;
278 }
279
AddNativeTokenInfo(const std::shared_ptr<NativeTokenInfoInner> & info)280 int AccessTokenInfoManager::AddNativeTokenInfo(const std::shared_ptr<NativeTokenInfoInner>& info)
281 {
282 if (info == nullptr) {
283 ACCESSTOKEN_LOG_ERROR(LABEL, "Token info is null.");
284 return AccessTokenError::ERR_PARAM_INVALID;
285 }
286
287 AccessTokenID id = info->GetTokenID();
288 std::string processName = info->GetProcessName();
289 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
290 if (nativeTokenInfoMap_.count(id) > 0) {
291 ACCESSTOKEN_LOG_ERROR(
292 LABEL, "Token %{public}u has exist.", id);
293 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
294 }
295 if (!info->IsRemote()) {
296 if (nativeTokenIdMap_.count(processName) > 0) {
297 ACCESSTOKEN_LOG_ERROR(
298 LABEL, "Token %{public}u process name %{public}s has exist.", id, processName.c_str());
299 return AccessTokenError::ERR_PROCESS_NOT_EXIST;
300 }
301 nativeTokenIdMap_[processName] = id;
302 }
303
304 ACCESSTOKEN_LOG_DEBUG(LABEL, "Token info is added %{public}u.", id);
305 nativeTokenInfoMap_[id] = info;
306
307 // add native to kernel
308 std::shared_ptr<PermissionPolicySet> policySet = info->GetNativeInfoPermissionPolicySet();
309 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
310
311 return RET_SUCCESS;
312 }
313
GetHapTokenInfoInner(AccessTokenID id)314 std::shared_ptr<HapTokenInfoInner> AccessTokenInfoManager::GetHapTokenInfoInner(AccessTokenID id)
315 {
316 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
317 auto iter = hapTokenInfoMap_.find(id);
318 if (iter != hapTokenInfoMap_.end()) {
319 return iter->second;
320 }
321 GenericValues conditionValue;
322 if (PermissionDefinitionCache::GetInstance().IsHapPermissionDefEmpty()) {
323 std::vector<GenericValues> permDefRes;
324 AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, conditionValue, permDefRes);
325 PermissionDefinitionCache::GetInstance().RestorePermDefInfo(permDefRes); // restore all permission definition
326 ACCESSTOKEN_LOG_INFO(LABEL, "Restore perm def size: %{public}zu, mapSize: %{public}zu.",
327 permDefRes.size(), hapTokenInfoMap_.size());
328 }
329
330 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(id));
331 std::vector<GenericValues> hapTokenResults;
332 int32_t ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, hapTokenResults);
333 if (ret != RET_SUCCESS || hapTokenResults.empty()) {
334 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to find Id(%{public}u) from hap_token_table, err: %{public}d, "
335 "hapSize: %{public}zu, mapSize: %{public}zu.", id, ret, hapTokenResults.size(), hapTokenInfoMap_.size());
336 return nullptr;
337 }
338 std::vector<GenericValues> permStateRes;
339 ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes);
340 if (ret != RET_SUCCESS) {
341 ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to find Id(%{public}u) from perm_state_table, err: %{public}d, "
342 "mapSize: %{public}zu.", id, ret, hapTokenInfoMap_.size());
343 return nullptr;
344 }
345
346 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>();
347 ret = hap->RestoreHapTokenInfo(id, hapTokenResults[0], permStateRes);
348 if (ret != RET_SUCCESS) {
349 ACCESSTOKEN_LOG_ERROR(LABEL, "Id %{public}u restore failed, err: %{public}d, mapSize: %{public}zu.",
350 id, ret, hapTokenInfoMap_.size());
351 return nullptr;
352 }
353 AccessTokenIDManager::GetInstance().RegisterTokenId(id, TOKEN_HAP);
354 hapTokenIdMap_[GetHapUniqueStr(hap)] = id;
355 hapTokenInfoMap_[id] = hap;
356 std::shared_ptr<PermissionPolicySet> policySet = hap->GetHapInfoPermissionPolicySet();
357 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
358 ACCESSTOKEN_LOG_INFO(LABEL, " Token %{public}u is not found in map(mapSize: %{public}zu), begin load from DB,"
359 " restore bundle %{public}s user %{public}d, idx %{public}d, permSize %{public}d.", id, hapTokenInfoMap_.size(),
360 hap->GetBundleName().c_str(), hap->GetUserID(), hap->GetInstIndex(), hap->GetReqPermissionSize());
361 return hap;
362 }
363
GetHapTokenDlpType(AccessTokenID id)364 int32_t AccessTokenInfoManager::GetHapTokenDlpType(AccessTokenID id)
365 {
366 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
367 auto iter = hapTokenInfoMap_.find(id);
368 if ((iter != hapTokenInfoMap_.end()) && (iter->second != nullptr)) {
369 return iter->second->GetDlpType();
370 }
371 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is invalid, mapSize: %{public}zu.", id, hapTokenInfoMap_.size());
372 return BUTT_DLP_TYPE;
373 }
374
IsTokenIdExist(AccessTokenID id)375 bool AccessTokenInfoManager::IsTokenIdExist(AccessTokenID id)
376 {
377 {
378 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
379 if (hapTokenInfoMap_.count(id) != 0) {
380 return true;
381 }
382 }
383 {
384 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
385 if (nativeTokenInfoMap_.count(id) != 0) {
386 return true;
387 }
388 }
389 return false;
390 }
391
GetHapTokenInfo(AccessTokenID tokenID,HapTokenInfo & info)392 int AccessTokenInfoManager::GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& info)
393 {
394 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
395 if (infoPtr == nullptr) {
396 ACCESSTOKEN_LOG_ERROR(
397 LABEL, "Token %{public}u is invalid.", tokenID);
398 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
399 }
400 infoPtr->TranslateToHapTokenInfo(info);
401 return RET_SUCCESS;
402 }
403
GetHapPermissionPolicySet(AccessTokenID id)404 std::shared_ptr<PermissionPolicySet> AccessTokenInfoManager::GetHapPermissionPolicySet(AccessTokenID id)
405 {
406 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(id);
407 if (infoPtr == nullptr) {
408 ACCESSTOKEN_LOG_ERROR(
409 LABEL, "Token %{public}u is invalid.", id);
410 return nullptr;
411 }
412 return infoPtr->GetHapInfoPermissionPolicySet();
413 }
414
GetNativeTokenInfoInner(AccessTokenID id)415 std::shared_ptr<NativeTokenInfoInner> AccessTokenInfoManager::GetNativeTokenInfoInner(AccessTokenID id)
416 {
417 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
418 auto iter = nativeTokenInfoMap_.find(id);
419 if (iter != nativeTokenInfoMap_.end()) {
420 return iter->second;
421 }
422
423 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is invalid.", id);
424 return nullptr;
425 }
426
GetNativeTokenInfo(AccessTokenID tokenID,NativeTokenInfo & infoParcel)427 int AccessTokenInfoManager::GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& infoParcel)
428 {
429 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenID);
430 if (infoPtr == nullptr) {
431 ACCESSTOKEN_LOG_ERROR(
432 LABEL, "Token %{public}u is invalid.", tokenID);
433 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
434 }
435
436 infoPtr->TranslateToNativeTokenInfo(infoParcel);
437 return RET_SUCCESS;
438 }
439
GetNativePermissionPolicySet(AccessTokenID id)440 std::shared_ptr<PermissionPolicySet> AccessTokenInfoManager::GetNativePermissionPolicySet(AccessTokenID id)
441 {
442 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(id);
443 if (infoPtr == nullptr) {
444 ACCESSTOKEN_LOG_ERROR(
445 LABEL, "Token %{public}u is invalid.", id);
446 return nullptr;
447 }
448 return infoPtr->GetNativeInfoPermissionPolicySet();
449 }
450
RemoveHapTokenInfo(AccessTokenID id)451 int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id)
452 {
453 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id);
454 if (type != TOKEN_HAP) {
455 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is not hap.", id);
456 return ERR_PARAM_INVALID;
457 }
458 std::shared_ptr<HapTokenInfoInner> info;
459 // make sure that RemoveDefPermissions is called outside of the lock to avoid deadlocks.
460 PermissionManager::GetInstance().RemoveDefPermissions(id);
461 {
462 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
463 RemoveHapTokenInfoFromDb(id);
464 // remove hap to kernel
465 PermissionManager::GetInstance().RemovePermFromKernel(id);
466 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
467
468 if (hapTokenInfoMap_.count(id) == 0) {
469 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token %{public}u no exist.", id);
470 return ERR_TOKENID_NOT_EXIST;
471 }
472
473 info = hapTokenInfoMap_[id];
474 if (info == nullptr) {
475 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token %{public}u is null.", id);
476 return ERR_TOKEN_INVALID;
477 }
478 if (info->IsRemote()) {
479 ACCESSTOKEN_LOG_ERROR(LABEL, "Remote hap token %{public}u can not delete.", id);
480 return ERR_IDENTITY_CHECK_FAILED;
481 }
482 std::string HapUniqueKey = GetHapUniqueStr(info);
483 auto iter = hapTokenIdMap_.find(HapUniqueKey);
484 if ((iter != hapTokenIdMap_.end()) && (iter->second == id)) {
485 hapTokenIdMap_.erase(HapUniqueKey);
486 }
487 hapTokenInfoMap_.erase(id);
488 }
489
490 ACCESSTOKEN_LOG_INFO(LABEL, "Remove hap token %{public}u ok!", id);
491 PermissionStateNotify(info, id);
492 #ifdef TOKEN_SYNC_ENABLE
493 TokenModifyNotifier::GetInstance().NotifyTokenDelete(id);
494 #endif
495
496 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "DEL_HAP", HiviewDFX::HiSysEvent::EventType::STATISTIC,
497 "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(),
498 "INSTINDEX", info->GetInstIndex());
499
500 return RET_SUCCESS;
501 }
502
RemoveNativeTokenInfo(AccessTokenID id)503 int AccessTokenInfoManager::RemoveNativeTokenInfo(AccessTokenID id)
504 {
505 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id);
506 if ((type != TOKEN_NATIVE) && (type != TOKEN_SHELL)) {
507 ACCESSTOKEN_LOG_ERROR(
508 LABEL, "Token %{public}u is not hap.", id);
509 return ERR_PARAM_INVALID;
510 }
511
512 {
513 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
514 if (nativeTokenInfoMap_.count(id) == 0) {
515 ACCESSTOKEN_LOG_ERROR(LABEL, "Native token %{public}u is null.", id);
516 return ERR_TOKENID_NOT_EXIST;
517 }
518
519 std::shared_ptr<NativeTokenInfoInner> info = nativeTokenInfoMap_[id];
520 if (info->IsRemote()) {
521 ACCESSTOKEN_LOG_ERROR(LABEL, "Remote native token %{public}u can not delete.", id);
522 return ERR_TOKEN_INVALID;
523 }
524 std::string processName = nativeTokenInfoMap_[id]->GetProcessName();
525 if (nativeTokenIdMap_.count(processName) != 0) {
526 nativeTokenIdMap_.erase(processName);
527 }
528 nativeTokenInfoMap_.erase(id);
529 }
530 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
531 ACCESSTOKEN_LOG_INFO(LABEL, "Remove native token %{public}u ok!", id);
532
533 if (!RemoveNativeInfoFromDatabase(id)) {
534 return AccessTokenError::ERR_DATABASE_OPERATE_FAILED;
535 }
536
537 // remove native to kernel
538 PermissionManager::GetInstance().RemovePermFromKernel(id);
539 return RET_SUCCESS;
540 }
541
542 #ifdef SUPPORT_SANDBOX_APP
GetPolicyCopied(const HapPolicyParams & policy,HapPolicyParams & policyNew)543 static void GetPolicyCopied(const HapPolicyParams& policy, HapPolicyParams& policyNew)
544 {
545 policyNew.apl = policy.apl;
546 policyNew.domain = policy.domain;
547
548 for (const auto& state : policy.permStateList) {
549 policyNew.permStateList.emplace_back(state);
550 }
551 for (const auto& def : policy.permList) {
552 policyNew.permList.emplace_back(def);
553 }
554 }
555 #endif
556
CreateHapTokenInfo(const HapInfoParams & info,const HapPolicyParams & policy,AccessTokenIDEx & tokenIdEx)557 int AccessTokenInfoManager::CreateHapTokenInfo(
558 const HapInfoParams& info, const HapPolicyParams& policy, AccessTokenIDEx& tokenIdEx)
559 {
560 if ((!DataValidator::IsUserIdValid(info.userID)) || (!DataValidator::IsBundleNameValid(info.bundleName)) ||
561 (!DataValidator::IsAppIDDescValid(info.appIDDesc)) || (!DataValidator::IsDomainValid(policy.domain)) ||
562 (!DataValidator::IsDlpTypeValid(info.dlpType))) {
563 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token param failed");
564 return AccessTokenError::ERR_PARAM_INVALID;
565 }
566 int32_t dlpFlag = (info.dlpType > DLP_COMMON) ? 1 : 0;
567 int32_t cloneFlag = ((dlpFlag == 0) && (info.instIndex) > 0) ? 1 : 0;
568 AccessTokenID tokenId = AccessTokenIDManager::GetInstance().CreateAndRegisterTokenId(TOKEN_HAP, dlpFlag, cloneFlag);
569 if (tokenId == 0) {
570 ACCESSTOKEN_LOG_ERROR(LABEL, "Token Id create failed");
571 return ERR_TOKENID_CREATE_FAILED;
572 }
573 PermissionManager::GetInstance().AddDefPermissions(policy.permList, tokenId, false);
574 #ifdef SUPPORT_SANDBOX_APP
575 std::shared_ptr<HapTokenInfoInner> tokenInfo;
576 if (info.dlpType != DLP_COMMON) {
577 HapPolicyParams policyNew;
578 GetPolicyCopied(policy, policyNew);
579 DlpPermissionSetManager::GetInstance().UpdatePermStateWithDlpInfo(info.dlpType, policyNew.permStateList);
580 tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policyNew);
581 } else {
582 tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policy);
583 }
584 #else
585 std::shared_ptr<HapTokenInfoInner> tokenInfo = std::make_shared<HapTokenInfoInner>(tokenId, info, policy);
586 #endif
587 int ret = AddHapTokenInfo(tokenInfo);
588 if (ret != RET_SUCCESS) {
589 ACCESSTOKEN_LOG_ERROR(LABEL, "%{public}s add token info failed", info.bundleName.c_str());
590 AccessTokenIDManager::GetInstance().ReleaseTokenId(tokenId);
591 PermissionManager::GetInstance().RemoveDefPermissions(tokenId);
592 return ret;
593 }
594 ACCESSTOKEN_LOG_INFO(LABEL, "Create hap token %{public}u bundleName %{public}s user %{public}d inst %{public}d ok",
595 tokenId, tokenInfo->GetBundleName().c_str(), tokenInfo->GetUserID(), tokenInfo->GetInstIndex());
596 AllocAccessTokenIDEx(info, tokenId, tokenIdEx);
597 AddHapTokenInfoToDb(tokenId, tokenInfo);
598 return RET_SUCCESS;
599 }
600
AllocAccessTokenIDEx(const HapInfoParams & info,AccessTokenID tokenId,AccessTokenIDEx & tokenIdEx)601 int AccessTokenInfoManager::AllocAccessTokenIDEx(
602 const HapInfoParams& info, AccessTokenID tokenId, AccessTokenIDEx& tokenIdEx)
603 {
604 tokenIdEx.tokenIdExStruct.tokenID = tokenId;
605 if (info.isSystemApp) {
606 tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
607 }
608 return RET_SUCCESS;
609 }
610
CheckNativeDCap(AccessTokenID tokenID,const std::string & dcap)611 int AccessTokenInfoManager::CheckNativeDCap(AccessTokenID tokenID, const std::string& dcap)
612 {
613 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenID);
614 if (infoPtr == nullptr) {
615 ACCESSTOKEN_LOG_ERROR(
616 LABEL, "Token %{public}u is invalid.", tokenID);
617 return ERR_TOKENID_NOT_EXIST;
618 }
619
620 std::vector<std::string> dcaps = infoPtr->GetDcap();
621 for (auto iter = dcaps.begin(); iter != dcaps.end(); iter++) {
622 if (*iter == dcap) {
623 return RET_SUCCESS;
624 }
625 }
626 return ERR_CHECK_DCAP_FAIL;
627 }
628
GetHapTokenID(int32_t userID,const std::string & bundleName,int32_t instIndex)629 AccessTokenIDEx AccessTokenInfoManager::GetHapTokenID(int32_t userID, const std::string& bundleName, int32_t instIndex)
630 {
631 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
632 std::string HapUniqueKey = GetHapUniqueStr(userID, bundleName, instIndex);
633 AccessTokenIDEx tokenIdEx = {0};
634 auto iter = hapTokenIdMap_.find(HapUniqueKey);
635 if (iter != hapTokenIdMap_.end()) {
636 AccessTokenID tokenId = iter->second;
637 auto infoIter = hapTokenInfoMap_.find(tokenId);
638 if (infoIter != hapTokenInfoMap_.end()) {
639 if (infoIter->second == nullptr) {
640 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr");
641 return tokenIdEx;
642 }
643 HapTokenInfo info = infoIter->second->GetHapInfoBasic();
644 tokenIdEx.tokenIdExStruct.tokenID = info.tokenID;
645 tokenIdEx.tokenIdExStruct.tokenAttr = info.tokenAttr;
646 }
647 }
648 return tokenIdEx;
649 }
650
TryUpdateExistNativeToken(const std::shared_ptr<NativeTokenInfoInner> & infoPtr)651 bool AccessTokenInfoManager::TryUpdateExistNativeToken(const std::shared_ptr<NativeTokenInfoInner>& infoPtr)
652 {
653 if (infoPtr == nullptr) {
654 ACCESSTOKEN_LOG_WARN(LABEL, "Info is null.");
655 return false;
656 }
657
658 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
659 AccessTokenID id = infoPtr->GetTokenID();
660 std::string processName = infoPtr->GetProcessName();
661 bool idExist = (nativeTokenInfoMap_.count(id) > 0);
662 bool processExist = (nativeTokenIdMap_.count(processName) > 0);
663 // id is exist, but it is not this process, so neither update nor add.
664 if (idExist && !processExist) {
665 ACCESSTOKEN_LOG_ERROR(
666 LABEL, "Token Id is exist, but process name is not exist, can not update.");
667 return true;
668 }
669
670 // this process is exist, but id is not same, perhaps libat lose his data, we need delete old, add new later.
671 if (!idExist && processExist) {
672 AccessTokenID idRemove = nativeTokenIdMap_[processName];
673 nativeTokenIdMap_.erase(processName);
674 if (nativeTokenInfoMap_.count(idRemove) > 0) {
675 nativeTokenInfoMap_.erase(idRemove);
676 }
677 AccessTokenIDManager::GetInstance().ReleaseTokenId(idRemove);
678 return false;
679 }
680
681 if (!idExist && !processExist) {
682 return false;
683 }
684
685 nativeTokenInfoMap_[id] = infoPtr;
686
687 // add native to kernel
688 std::shared_ptr<PermissionPolicySet> policySet = infoPtr->GetNativeInfoPermissionPolicySet();
689 PermissionManager::GetInstance().AddPermToKernel(id, policySet);
690 return true;
691 }
692
ProcessNativeTokenInfos(const std::vector<std::shared_ptr<NativeTokenInfoInner>> & tokenInfos)693 void AccessTokenInfoManager::ProcessNativeTokenInfos(
694 const std::vector<std::shared_ptr<NativeTokenInfoInner>>& tokenInfos)
695 {
696 for (const auto& infoPtr: tokenInfos) {
697 if (infoPtr == nullptr) {
698 ACCESSTOKEN_LOG_WARN(LABEL, "Token info from libat is null");
699 continue;
700 }
701 bool isUpdated = TryUpdateExistNativeToken(infoPtr);
702 if (!isUpdated) {
703 ACCESSTOKEN_LOG_INFO(LABEL,
704 "Token %{public}u process name %{public}s is new, add to manager!",
705 infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str());
706 AccessTokenID id = infoPtr->GetTokenID();
707 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(id);
708 int ret = AccessTokenIDManager::GetInstance().RegisterTokenId(id, type);
709 if (ret != RET_SUCCESS) {
710 ACCESSTOKEN_LOG_ERROR(LABEL, "Token Id register fail");
711 continue;
712 }
713 ret = AddNativeTokenInfo(infoPtr);
714 if (ret != RET_SUCCESS) {
715 AccessTokenIDManager::GetInstance().ReleaseTokenId(id);
716 ACCESSTOKEN_LOG_ERROR(LABEL,
717 "Token %{public}u process name %{public}s add to manager failed!",
718 infoPtr->GetTokenID(), infoPtr->GetProcessName().c_str());
719 }
720 }
721 }
722 AddAllNativeTokenInfoToDb();
723 }
724
UpdateHapToken(AccessTokenIDEx & tokenIdEx,const UpdateHapInfoParams & info,const std::vector<PermissionStateFull> & permStateList,ATokenAplEnum apl,const std::vector<PermissionDef> & permList)725 int32_t AccessTokenInfoManager::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info,
726 const std::vector<PermissionStateFull>& permStateList, ATokenAplEnum apl,
727 const std::vector<PermissionDef>& permList)
728 {
729 AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID;
730 if (!DataValidator::IsAppIDDescValid(info.appIDDesc)) {
731 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u parm format error!", tokenID);
732 return AccessTokenError::ERR_PARAM_INVALID;
733 }
734 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
735 if (infoPtr == nullptr) {
736 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u is invalid, can not update!", tokenID);
737 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
738 }
739
740 if (infoPtr->IsRemote()) {
741 ACCESSTOKEN_LOG_ERROR(LABEL, "Remote hap token %{public}u can not update!", tokenID);
742 return ERR_IDENTITY_CHECK_FAILED;
743 }
744 if (info.isSystemApp) {
745 tokenIdEx.tokenIdExStruct.tokenAttr |= SYSTEM_APP_FLAG;
746 } else {
747 tokenIdEx.tokenIdExStruct.tokenAttr &= ~SYSTEM_APP_FLAG;
748 }
749 {
750 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
751 infoPtr->Update(info, permStateList, apl);
752 ACCESSTOKEN_LOG_INFO(LABEL,
753 "Token %{public}u bundle name %{public}s user %{public}d inst %{public}d tokenAttr %{public}d update ok!",
754 tokenID, infoPtr->GetBundleName().c_str(), infoPtr->GetUserID(), infoPtr->GetInstIndex(),
755 infoPtr->GetHapInfoBasic().tokenAttr);
756 }
757 PermissionManager::GetInstance().AddDefPermissions(permList, tokenID, true);
758 #ifdef TOKEN_SYNC_ENABLE
759 TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID);
760 #endif
761 // update hap to kernel
762 std::shared_ptr<PermissionPolicySet> policySet = infoPtr->GetHapInfoPermissionPolicySet();
763 PermissionManager::GetInstance().AddPermToKernel(tokenID, policySet);
764 return ModifyHapTokenInfoFromDb(tokenID, infoPtr);
765 }
766
767 #ifdef TOKEN_SYNC_ENABLE
GetHapTokenSync(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)768 int AccessTokenInfoManager::GetHapTokenSync(AccessTokenID tokenID, HapTokenInfoForSync& hapSync)
769 {
770 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenID);
771 if (infoPtr == nullptr || infoPtr->IsRemote()) {
772 ACCESSTOKEN_LOG_ERROR(
773 LABEL, "Token %{public}u is invalid.", tokenID);
774 return ERR_IDENTITY_CHECK_FAILED;
775 }
776 hapSync.baseInfo = infoPtr->GetHapInfoBasic();
777 std::shared_ptr<PermissionPolicySet> permSetPtr = infoPtr->GetHapInfoPermissionPolicySet();
778 if (permSetPtr == nullptr) {
779 ACCESSTOKEN_LOG_ERROR(
780 LABEL, "Token %{public}u permSet is invalid.", tokenID);
781 return ERR_TOKEN_INVALID;
782 }
783 permSetPtr->GetPermissionStateList(hapSync.permStateList);
784 return RET_SUCCESS;
785 }
786
GetHapTokenInfoFromRemote(AccessTokenID tokenID,HapTokenInfoForSync & hapSync)787 int AccessTokenInfoManager::GetHapTokenInfoFromRemote(AccessTokenID tokenID,
788 HapTokenInfoForSync& hapSync)
789 {
790 int ret = GetHapTokenSync(tokenID, hapSync);
791 TokenModifyNotifier::GetInstance().AddHapTokenObservation(tokenID);
792 return ret;
793 }
794
UpdateRemoteHapTokenInfo(AccessTokenID mapID,HapTokenInfoForSync & hapSync)795 int AccessTokenInfoManager::UpdateRemoteHapTokenInfo(AccessTokenID mapID, HapTokenInfoForSync& hapSync)
796 {
797 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(mapID);
798 if (infoPtr == nullptr || !infoPtr->IsRemote()) {
799 ACCESSTOKEN_LOG_INFO(LABEL, "Token %{public}u is null or not remote, can not update!", mapID);
800 return ERR_IDENTITY_CHECK_FAILED;
801 }
802
803 std::shared_ptr<PermissionPolicySet> newPermPolicySet =
804 PermissionPolicySet::BuildPolicySetWithoutDefCheck(mapID, hapSync.permStateList);
805
806 {
807 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
808 infoPtr->SetTokenBaseInfo(hapSync.baseInfo);
809 infoPtr->SetPermissionPolicySet(newPermPolicySet);
810 }
811 // update remote hap to kernel
812 PermissionManager::GetInstance().AddPermToKernel(mapID, newPermPolicySet);
813 return RET_SUCCESS;
814 }
815
CreateRemoteHapTokenInfo(AccessTokenID mapID,HapTokenInfoForSync & hapSync)816 int AccessTokenInfoManager::CreateRemoteHapTokenInfo(AccessTokenID mapID, HapTokenInfoForSync& hapSync)
817 {
818 std::shared_ptr<HapTokenInfoInner> hap = std::make_shared<HapTokenInfoInner>(mapID, hapSync);
819 hap->SetRemote(true);
820
821 int ret = AddHapTokenInfo(hap);
822 if (ret != RET_SUCCESS) {
823 ACCESSTOKEN_LOG_ERROR(LABEL, "Add local token failed.");
824 return ret;
825 }
826
827 return RET_SUCCESS;
828 }
829
IsRemoteHapTokenValid(const std::string & deviceID,const HapTokenInfoForSync & hapSync)830 bool AccessTokenInfoManager::IsRemoteHapTokenValid(const std::string& deviceID, const HapTokenInfoForSync& hapSync)
831 {
832 std::string errReason;
833 if (!DataValidator::IsDeviceIdValid(deviceID) || !DataValidator::IsDeviceIdValid(hapSync.baseInfo.deviceID)) {
834 errReason = "respond deviceID error";
835 } else if (!DataValidator::IsUserIdValid(hapSync.baseInfo.userID)) {
836 errReason = "respond userID error";
837 } else if (!DataValidator::IsBundleNameValid(hapSync.baseInfo.bundleName)) {
838 errReason = "respond bundleName error";
839 } else if (!DataValidator::IsAplNumValid(hapSync.baseInfo.apl)) {
840 errReason = "respond apl error";
841 } else if (!DataValidator::IsTokenIDValid(hapSync.baseInfo.tokenID)) {
842 errReason = "respond tokenID error";
843 } else if (!DataValidator::IsAppIDDescValid(hapSync.baseInfo.appID)) {
844 errReason = "respond appID error";
845 } else if (!DataValidator::IsDlpTypeValid(hapSync.baseInfo.dlpType)) {
846 errReason = "respond dlpType error";
847 } else if (hapSync.baseInfo.ver != DEFAULT_TOKEN_VERSION) {
848 errReason = "respond version error";
849 } else if (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(hapSync.baseInfo.tokenID) != TOKEN_HAP) {
850 errReason = "respond token type error";
851 } else {
852 return true;
853 }
854
855 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
856 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_RESPONSE_ERROR,
857 "REMOTE_ID", ConstantCommon::EncryptDevId(deviceID), "ERROR_REASON", errReason);
858 return false;
859 }
860
SetRemoteHapTokenInfo(const std::string & deviceID,HapTokenInfoForSync & hapSync)861 int AccessTokenInfoManager::SetRemoteHapTokenInfo(const std::string& deviceID, HapTokenInfoForSync& hapSync)
862 {
863 if (!IsRemoteHapTokenValid(deviceID, hapSync)) {
864 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid", ConstantCommon::EncryptDevId(deviceID).c_str());
865 return ERR_IDENTITY_CHECK_FAILED;
866 }
867
868 AccessTokenID remoteID = hapSync.baseInfo.tokenID;
869 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, remoteID);
870 if (mapID != 0) {
871 ACCESSTOKEN_LOG_INFO(LABEL, "Device %{public}s token %{public}u update exist remote hap token %{public}u.",
872 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
873 // update remote token mapping id
874 hapSync.baseInfo.tokenID = mapID;
875 hapSync.baseInfo.deviceID = deviceID;
876 return UpdateRemoteHapTokenInfo(mapID, hapSync);
877 }
878
879 mapID = AccessTokenRemoteTokenManager::GetInstance().MapRemoteDeviceTokenToLocal(deviceID, remoteID);
880 if (mapID == 0) {
881 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s token %{public}u map failed.",
882 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID);
883 return ERR_TOKEN_MAP_FAILED;
884 }
885
886 // update remote token mapping id
887 hapSync.baseInfo.tokenID = mapID;
888 hapSync.baseInfo.deviceID = deviceID;
889 int ret = CreateRemoteHapTokenInfo(mapID, hapSync);
890 if (ret != RET_SUCCESS) {
891 AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, mapID);
892 ACCESSTOKEN_LOG_INFO(LABEL, "Device %{public}s token %{public}u map to local token %{public}u failed.",
893 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
894 return ret;
895 }
896 ACCESSTOKEN_LOG_INFO(LABEL, "Device %{public}s token %{public}u map to local token %{public}u success.",
897 ConstantCommon::EncryptDevId(deviceID).c_str(), remoteID, mapID);
898 return RET_SUCCESS;
899 }
900
DeleteRemoteToken(const std::string & deviceID,AccessTokenID tokenID)901 int AccessTokenInfoManager::DeleteRemoteToken(const std::string& deviceID, AccessTokenID tokenID)
902 {
903 if (!DataValidator::IsDeviceIdValid(deviceID)) {
904 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid.",
905 ConstantCommon::EncryptDevId(deviceID).c_str());
906 return AccessTokenError::ERR_PARAM_INVALID;
907 }
908 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, tokenID);
909 if (mapID == 0) {
910 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s tokenId %{public}u is not mapped.",
911 ConstantCommon::EncryptDevId(deviceID).c_str(), tokenID);
912 return ERR_TOKEN_MAP_FAILED;
913 }
914
915 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(mapID);
916 if (type == TOKEN_HAP) {
917 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
918 if (hapTokenInfoMap_.count(mapID) == 0) {
919 ACCESSTOKEN_LOG_ERROR(LABEL, "Hap token %{public}u no exist.", mapID);
920 return ERR_TOKEN_INVALID;
921 }
922 hapTokenInfoMap_.erase(mapID);
923 } else if ((type == TOKEN_NATIVE) || (type == TOKEN_SHELL)) {
924 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
925 if (nativeTokenInfoMap_.count(mapID) == 0) {
926 ACCESSTOKEN_LOG_ERROR(
927 LABEL, "Native token %{public}u is null.", mapID);
928 return ERR_TOKEN_INVALID;
929 }
930 nativeTokenInfoMap_.erase(mapID);
931 } else {
932 ACCESSTOKEN_LOG_ERROR(LABEL, "Mapping tokenId %{public}u type is unknown.", mapID);
933 }
934
935 return AccessTokenRemoteTokenManager::GetInstance().RemoveDeviceMappingTokenID(deviceID, tokenID);
936 }
937
GetRemoteNativeTokenID(const std::string & deviceID,AccessTokenID tokenID)938 AccessTokenID AccessTokenInfoManager::GetRemoteNativeTokenID(const std::string& deviceID, AccessTokenID tokenID)
939 {
940 if ((!DataValidator::IsDeviceIdValid(deviceID)) || (tokenID == 0) ||
941 ((AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_NATIVE) &&
942 (AccessTokenIDManager::GetInstance().GetTokenIdTypeEnum(tokenID) != TOKEN_SHELL))) {
943 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid.",
944 ConstantCommon::EncryptDevId(deviceID).c_str());
945 return 0;
946 }
947 return AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(deviceID, tokenID);
948 }
949
DeleteRemoteDeviceTokens(const std::string & deviceID)950 int AccessTokenInfoManager::DeleteRemoteDeviceTokens(const std::string& deviceID)
951 {
952 if (!DataValidator::IsDeviceIdValid(deviceID)) {
953 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid.",
954 ConstantCommon::EncryptDevId(deviceID).c_str());
955 return AccessTokenError::ERR_PARAM_INVALID;
956 }
957 std::vector<AccessTokenID> remoteTokens;
958 int ret = AccessTokenRemoteTokenManager::GetInstance().GetDeviceAllRemoteTokenID(deviceID, remoteTokens);
959 if (ret != RET_SUCCESS) {
960 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s have no remote token.",
961 ConstantCommon::EncryptDevId(deviceID).c_str());
962 return ret;
963 }
964 for (AccessTokenID remoteID : remoteTokens) {
965 DeleteRemoteToken(deviceID, remoteID);
966 }
967 return RET_SUCCESS;
968 }
969
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)970 AccessTokenID AccessTokenInfoManager::AllocLocalTokenID(const std::string& remoteDeviceID,
971 AccessTokenID remoteTokenID)
972 {
973 if (!DataValidator::IsDeviceIdValid(remoteDeviceID)) {
974 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s parms invalid.",
975 ConstantCommon::EncryptDevId(remoteDeviceID).c_str());
976 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
977 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_CALL_ERROR,
978 "REMOTE_ID", ConstantCommon::EncryptDevId(remoteDeviceID), "ERROR_REASON", "deviceID error");
979 return 0;
980 }
981 uint64_t fullTokenId = IPCSkeleton::GetCallingFullTokenID();
982 SetFirstCallerTokenID(fullTokenId);
983 ACCESSTOKEN_LOG_INFO(LABEL, "Set first caller %{public}" PRIu64 ".", fullTokenId);
984
985 std::string remoteUdid;
986 DistributedHardware::DeviceManager::GetInstance().GetUdidByNetworkId(ACCESS_TOKEN_PACKAGE_NAME, remoteDeviceID,
987 remoteUdid);
988 ACCESSTOKEN_LOG_INFO(LABEL, "Device %{public}s remoteUdid.", ConstantCommon::EncryptDevId(remoteUdid).c_str());
989 AccessTokenID mapID = AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(remoteUdid,
990 remoteTokenID);
991 if (mapID != 0) {
992 return mapID;
993 }
994 int ret = TokenModifyNotifier::GetInstance().GetRemoteHapTokenInfo(remoteUdid, remoteTokenID);
995 if (ret != RET_SUCCESS) {
996 ACCESSTOKEN_LOG_ERROR(LABEL, "Device %{public}s token %{public}u sync failed",
997 ConstantCommon::EncryptDevId(remoteUdid).c_str(), remoteTokenID);
998 std::string errorReason = "token sync call error, error number is " + std::to_string(ret);
999 HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "PERMISSION_SYNC",
1000 HiviewDFX::HiSysEvent::EventType::FAULT, "CODE", TOKEN_SYNC_CALL_ERROR,
1001 "REMOTE_ID", ConstantCommon::EncryptDevId(remoteDeviceID), "ERROR_REASON", errorReason);
1002 return 0;
1003 }
1004
1005 return AccessTokenRemoteTokenManager::GetInstance().GetDeviceMappingTokenID(remoteUdid, remoteTokenID);
1006 }
1007 #else
AllocLocalTokenID(const std::string & remoteDeviceID,AccessTokenID remoteTokenID)1008 AccessTokenID AccessTokenInfoManager::AllocLocalTokenID(const std::string& remoteDeviceID,
1009 AccessTokenID remoteTokenID)
1010 {
1011 ACCESSTOKEN_LOG_ERROR(LABEL, "Tokensync is disable, check dependent components");
1012 return 0;
1013 }
1014 #endif
1015
GetInstance()1016 AccessTokenInfoManager& AccessTokenInfoManager::GetInstance()
1017 {
1018 static AccessTokenInfoManager* instance = nullptr;
1019 if (instance == nullptr) {
1020 std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
1021 if (instance == nullptr) {
1022 instance = new AccessTokenInfoManager();
1023 }
1024 }
1025 return *instance;
1026 }
1027
AddAllNativeTokenInfoToDb(void)1028 int AccessTokenInfoManager::AddAllNativeTokenInfoToDb(void)
1029 {
1030 std::vector<GenericValues> permStateValues;
1031 std::vector<GenericValues> nativeTokenValues;
1032
1033 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1034 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1035 if (iter->second != nullptr) {
1036 iter->second->StoreNativeInfo(nativeTokenValues);
1037 iter->second->StorePermissionPolicy(permStateValues);
1038 }
1039 }
1040 ACCESSTOKEN_LOG_INFO(LABEL, "permStateValues %{public}zu, nativeTokenValues %{public}zu.",
1041 permStateValues.size(), nativeTokenValues.size());
1042 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, permStateValues);
1043 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_NATIVE_INFO, nativeTokenValues);
1044 return RET_SUCCESS;
1045 }
1046
ModifyHapTokenInfoFromDb(AccessTokenID tokenID,const std::shared_ptr<HapTokenInfoInner> & hapInner)1047 int AccessTokenInfoManager::ModifyHapTokenInfoFromDb(
1048 AccessTokenID tokenID, const std::shared_ptr<HapTokenInfoInner>& hapInner)
1049 {
1050 if (hapInner == nullptr) {
1051 ACCESSTOKEN_LOG_INFO(LABEL, "token %{public}u info is null!", tokenID);
1052 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
1053 }
1054
1055 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->modifyLock_);
1056 // get new hap token info from cache
1057 std::vector<GenericValues> hapInfoValues;
1058 hapInner->StoreHapInfo(hapInfoValues); // only exsit one if empty something is wrong
1059 if (hapInfoValues.empty()) {
1060 ACCESSTOKEN_LOG_INFO(LABEL, "Hap token info is empty!");
1061 return AccessTokenError::ERR_PARAM_INVALID;
1062 }
1063
1064 // get new permission def from cache if exsits
1065 std::vector<GenericValues> permDefValues;
1066 PermissionDefinitionCache::GetInstance().StorePermissionDef(tokenID, permDefValues);
1067
1068 // get new permission def from cache if exsits
1069 std::vector<GenericValues> permStateValues;
1070 hapInner->StorePermissionPolicy(permStateValues);
1071
1072 return AccessTokenDb::GetInstance().DeleteAndInsertHap(tokenID, hapInfoValues, permDefValues,
1073 permStateValues);
1074 }
1075
ModifyHapPermStateFromDb(AccessTokenID tokenID,const std::string & permission,const std::shared_ptr<HapTokenInfoInner> & hapInfo)1076 int32_t AccessTokenInfoManager::ModifyHapPermStateFromDb(
1077 AccessTokenID tokenID, const std::string& permission, const std::shared_ptr<HapTokenInfoInner>& hapInfo)
1078 {
1079 std::vector<GenericValues> permStateValues;
1080 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->modifyLock_);
1081 if (hapInfo == nullptr) {
1082 ACCESSTOKEN_LOG_INFO(LABEL, "Token %{public}u info is null!", tokenID);
1083 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
1084 }
1085 hapInfo->StorePermissionPolicy(permStateValues);
1086
1087 for (size_t i = 0; i < permStateValues.size(); i++) {
1088 if (permStateValues[i].GetString(TokenFiledConst::FIELD_PERMISSION_NAME) != permission) {
1089 continue;
1090 }
1091 GenericValues conditions;
1092 conditions.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1093 conditions.Put(TokenFiledConst::FIELD_PERMISSION_NAME, permission);
1094 AccessTokenDb::GetInstance().Modify(
1095 AtmDataType::ACCESSTOKEN_PERMISSION_STATE, permStateValues[i], conditions);
1096 }
1097 return RET_SUCCESS;
1098 }
1099
AddHapTokenInfoToDb(AccessTokenID tokenID,const std::shared_ptr<HapTokenInfoInner> & hapInfo)1100 int AccessTokenInfoManager::AddHapTokenInfoToDb(
1101 AccessTokenID tokenID, const std::shared_ptr<HapTokenInfoInner>& hapInfo)
1102 {
1103 std::vector<GenericValues> hapInfoValues;
1104 std::vector<GenericValues> permDefValues;
1105 std::vector<GenericValues> permStateValues;
1106 if (hapInfo == nullptr) {
1107 ACCESSTOKEN_LOG_ERROR(LABEL, "Token %{public}u info is null!", tokenID);
1108 return AccessTokenError::ERR_TOKENID_NOT_EXIST;
1109 }
1110 hapInfo->StoreHapInfo(hapInfoValues);
1111 hapInfo->StorePermissionPolicy(permStateValues);
1112
1113 PermissionDefinitionCache::GetInstance().StorePermissionDef(tokenID, permDefValues);
1114 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_HAP_INFO, hapInfoValues);
1115 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, permStateValues);
1116 AccessTokenDb::GetInstance().Add(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, permDefValues);
1117 return RET_SUCCESS;
1118 }
1119
RemoveHapTokenInfoFromDb(AccessTokenID tokenID)1120 int AccessTokenInfoManager::RemoveHapTokenInfoFromDb(AccessTokenID tokenID)
1121 {
1122 GenericValues values;
1123 values.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1124
1125 AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_HAP_INFO, values);
1126 AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_PERMISSION_DEF, values);
1127 AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, values);
1128 return RET_SUCCESS;
1129 }
1130
PermissionStateNotify(const std::shared_ptr<HapTokenInfoInner> & info,AccessTokenID id)1131 void AccessTokenInfoManager::PermissionStateNotify(const std::shared_ptr<HapTokenInfoInner>& info, AccessTokenID id)
1132 {
1133 std::shared_ptr<PermissionPolicySet> policy = info->GetHapInfoPermissionPolicySet();
1134 if (policy == nullptr) {
1135 return;
1136 }
1137
1138 std::vector<std::string> permissionList;
1139 policy->GetDeletedPermissionListToNotify(permissionList);
1140 if (permissionList.size() != 0) {
1141 PermissionManager::GetInstance().ParamUpdate(permissionList[0], 0, true);
1142 }
1143 for (const auto& permissionName : permissionList) {
1144 CallbackManager::GetInstance().ExecuteCallbackAsync(
1145 id, permissionName, PermStateChangeType::STATE_CHANGE_REVOKED);
1146 }
1147 }
1148
GetNativeTokenId(const std::string & processName)1149 AccessTokenID AccessTokenInfoManager::GetNativeTokenId(const std::string& processName)
1150 {
1151 AccessTokenID tokenID = INVALID_TOKENID;
1152 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1153 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1154 if (iter->second != nullptr && iter->second->GetProcessName() == processName) {
1155 tokenID = iter->first;
1156 break;
1157 }
1158 }
1159 return tokenID;
1160 }
1161
DumpHapTokenInfoByTokenId(const AccessTokenID tokenId,std::string & dumpInfo)1162 void AccessTokenInfoManager::DumpHapTokenInfoByTokenId(const AccessTokenID tokenId, std::string& dumpInfo)
1163 {
1164 ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(tokenId);
1165 if (type == TOKEN_HAP) {
1166 std::shared_ptr<HapTokenInfoInner> infoPtr = GetHapTokenInfoInner(tokenId);
1167 if (infoPtr != nullptr) {
1168 infoPtr->ToString(dumpInfo);
1169 }
1170 } else if (type == TOKEN_NATIVE || type == TOKEN_SHELL) {
1171 std::shared_ptr<NativeTokenInfoInner> infoPtr = GetNativeTokenInfoInner(tokenId);
1172 if (infoPtr != nullptr) {
1173 infoPtr->ToString(dumpInfo);
1174 }
1175 } else {
1176 dumpInfo.append("invalid tokenId");
1177 }
1178 }
1179
DumpHapTokenInfoByBundleName(const std::string & bundleName,std::string & dumpInfo)1180 void AccessTokenInfoManager::DumpHapTokenInfoByBundleName(const std::string& bundleName, std::string& dumpInfo)
1181 {
1182 Utils::UniqueReadGuard<Utils::RWLock> hapInfoGuard(this->hapTokenInfoLock_);
1183 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1184 if (iter->second != nullptr) {
1185 if (bundleName != iter->second->GetBundleName()) {
1186 continue;
1187 }
1188
1189 iter->second->ToString(dumpInfo);
1190 dumpInfo.append("\n");
1191 }
1192 }
1193 }
1194
DumpAllHapTokenInfo(std::string & dumpInfo)1195 void AccessTokenInfoManager::DumpAllHapTokenInfo(std::string& dumpInfo)
1196 {
1197 ACCESSTOKEN_LOG_DEBUG(LABEL, "Get all hap token info.");
1198
1199 Utils::UniqueReadGuard<Utils::RWLock> hapInfoGuard(this->hapTokenInfoLock_);
1200 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); iter++) {
1201 if (iter->second != nullptr) {
1202 iter->second->ToString(dumpInfo);
1203 dumpInfo.append("\n");
1204 }
1205 }
1206 }
1207
DumpNativeTokenInfoByProcessName(const std::string & processName,std::string & dumpInfo)1208 void AccessTokenInfoManager::DumpNativeTokenInfoByProcessName(const std::string& processName, std::string& dumpInfo)
1209 {
1210 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1211 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1212 if ((iter->second != nullptr) && (processName == iter->second->GetProcessName())) {
1213 iter->second->ToString(dumpInfo);
1214 dumpInfo.append("\n");
1215 break;
1216 }
1217 }
1218 }
1219
DumpAllNativeTokenInfo(std::string & dumpInfo)1220 void AccessTokenInfoManager::DumpAllNativeTokenInfo(std::string& dumpInfo)
1221 {
1222 ACCESSTOKEN_LOG_DEBUG(LABEL, "Get all native token info.");
1223
1224 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->nativeTokenInfoLock_);
1225 for (auto iter = nativeTokenInfoMap_.begin(); iter != nativeTokenInfoMap_.end(); iter++) {
1226 if (iter->second != nullptr) {
1227 iter->second->ToString(dumpInfo);
1228 dumpInfo.append("\n");
1229 }
1230 }
1231 }
1232
GetCurDumpTaskNum()1233 int32_t AccessTokenInfoManager::GetCurDumpTaskNum()
1234 {
1235 return dumpTaskNum_.load();
1236 }
1237
AddDumpTaskNum()1238 void AccessTokenInfoManager::AddDumpTaskNum()
1239 {
1240 dumpTaskNum_++;
1241 }
1242
ReduceDumpTaskNum()1243 void AccessTokenInfoManager::ReduceDumpTaskNum()
1244 {
1245 dumpTaskNum_--;
1246 }
1247
DumpToken()1248 void AccessTokenInfoManager::DumpToken()
1249 {
1250 ACCESSTOKEN_LOG_INFO(LABEL, "AccessToken Dump");
1251 int32_t fd = open(DUMP_JSON_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP);
1252 if (fd < 0) {
1253 ACCESSTOKEN_LOG_ERROR(LABEL, "Open failed errno %{public}d.", errno);
1254 return;
1255 }
1256 std::string dumpStr;
1257 AtmToolsParamInfoParcel infoParcel;
1258 DumpTokenInfo(infoParcel.info, dumpStr);
1259 dprintf(fd, "%s\n", dumpStr.c_str());
1260 close(fd);
1261 }
1262
DumpTokenInfo(const AtmToolsParamInfo & info,std::string & dumpInfo)1263 void AccessTokenInfoManager::DumpTokenInfo(const AtmToolsParamInfo& info, std::string& dumpInfo)
1264 {
1265 if (info.tokenId != 0) {
1266 DumpHapTokenInfoByTokenId(info.tokenId, dumpInfo);
1267 return;
1268 }
1269
1270 if ((!info.bundleName.empty()) && (info.bundleName.length() > 0)) {
1271 DumpHapTokenInfoByBundleName(info.bundleName, dumpInfo);
1272 return;
1273 }
1274
1275 if ((!info.processName.empty()) && (info.processName.length() > 0)) {
1276 DumpNativeTokenInfoByProcessName(info.processName, dumpInfo);
1277 return;
1278 }
1279
1280 DumpAllHapTokenInfo(dumpInfo);
1281 DumpAllNativeTokenInfo(dumpInfo);
1282 }
1283
GetRelatedSandBoxHapList(AccessTokenID tokenId,std::vector<AccessTokenID> & tokenIdList)1284 void AccessTokenInfoManager::GetRelatedSandBoxHapList(AccessTokenID tokenId, std::vector<AccessTokenID>& tokenIdList)
1285 {
1286 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1287
1288 auto infoIter = hapTokenInfoMap_.find(tokenId);
1289 if (infoIter == hapTokenInfoMap_.end()) {
1290 return;
1291 }
1292 if (infoIter->second == nullptr) {
1293 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr.");
1294 return;
1295 }
1296 std::string bundleName = infoIter->second->GetBundleName();
1297 int32_t userID = infoIter->second->GetUserID();
1298 int32_t index = infoIter->second->GetInstIndex();
1299 int32_t dlpType = infoIter->second->GetDlpType();
1300 // the permissions of a common application whose index is not equal 0 are managed independently.
1301 if ((dlpType == DLP_COMMON) && (index != 0)) {
1302 return;
1303 }
1304
1305 for (auto iter = hapTokenInfoMap_.begin(); iter != hapTokenInfoMap_.end(); ++iter) {
1306 if (iter->second == nullptr) {
1307 continue;
1308 }
1309 if ((bundleName == iter->second->GetBundleName()) && (userID == iter->second->GetUserID()) &&
1310 (tokenId != iter->second->GetTokenID())) {
1311 if ((iter->second->GetDlpType() == DLP_COMMON) && (iter->second->GetInstIndex() != 0)) {
1312 continue;
1313 }
1314 tokenIdList.emplace_back(iter->second->GetTokenID());
1315 }
1316 }
1317 }
1318
SetPermDialogCap(AccessTokenID tokenID,bool enable)1319 int32_t AccessTokenInfoManager::SetPermDialogCap(AccessTokenID tokenID, bool enable)
1320 {
1321 Utils::UniqueWriteGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1322 auto infoIter = hapTokenInfoMap_.find(tokenID);
1323 if ((infoIter == hapTokenInfoMap_.end()) || (infoIter->second == nullptr)) {
1324 ACCESSTOKEN_LOG_ERROR(LABEL, "HapTokenInfoInner is nullptr.");
1325 return ERR_TOKENID_NOT_EXIST;
1326 }
1327 infoIter->second->SetPermDialogForbidden(enable);
1328
1329 if (!UpdateCapStateToDatabase(tokenID, enable)) {
1330 return RET_FAILED;
1331 }
1332
1333 return RET_SUCCESS;
1334 }
1335
GetPermDialogCap(AccessTokenID tokenID)1336 bool AccessTokenInfoManager::GetPermDialogCap(AccessTokenID tokenID)
1337 {
1338 if (tokenID == INVALID_TOKENID) {
1339 ACCESSTOKEN_LOG_ERROR(LABEL, "Invalid tokenId.");
1340 return true;
1341 }
1342 Utils::UniqueReadGuard<Utils::RWLock> infoGuard(this->hapTokenInfoLock_);
1343 auto infoIter = hapTokenInfoMap_.find(tokenID);
1344 if ((infoIter == hapTokenInfoMap_.end()) || (infoIter->second == nullptr)) {
1345 ACCESSTOKEN_LOG_ERROR(LABEL, "TokenId is not exist in map.");
1346 return true;
1347 }
1348 return infoIter->second->IsPermDialogForbidden();
1349 }
1350
UpdateStatesToDatabase(AccessTokenID tokenID,std::vector<PermissionStateFull> & stateChangeList)1351 bool AccessTokenInfoManager::UpdateStatesToDatabase(AccessTokenID tokenID,
1352 std::vector<PermissionStateFull>& stateChangeList)
1353 {
1354 for (const auto& state : stateChangeList) {
1355 GenericValues modifyValue;
1356 modifyValue.Put(TokenFiledConst::FIELD_GRANT_STATE, state.grantStatus[0]);
1357 modifyValue.Put(TokenFiledConst::FIELD_GRANT_FLAG, static_cast<int32_t>(state.grantFlags[0]));
1358
1359 GenericValues conditionValue;
1360 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1361 conditionValue.Put(TokenFiledConst::FIELD_PERMISSION_NAME, state.permissionName);
1362
1363 int32_t res = AccessTokenDb::GetInstance().Modify(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, modifyValue,
1364 conditionValue);
1365 if (res != 0) {
1366 ACCESSTOKEN_LOG_ERROR(LABEL, "Update tokenID %{public}u permission %{public}s to database failed",
1367 tokenID, state.permissionName.c_str());
1368 return false;
1369 }
1370 }
1371
1372 return true;
1373 }
1374
UpdateCapStateToDatabase(AccessTokenID tokenID,bool enable)1375 bool AccessTokenInfoManager::UpdateCapStateToDatabase(AccessTokenID tokenID, bool enable)
1376 {
1377 GenericValues modifyValue;
1378 modifyValue.Put(TokenFiledConst::FIELD_FORBID_PERM_DIALOG, enable);
1379
1380 GenericValues conditionValue;
1381 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1382
1383 int32_t res = AccessTokenDb::GetInstance().Modify(AtmDataType::ACCESSTOKEN_HAP_INFO, modifyValue, conditionValue);
1384 if (res != 0) {
1385 ACCESSTOKEN_LOG_ERROR(LABEL,
1386 "Update tokenID %{public}u permissionDialogForbidden %{public}d to database failed", tokenID, enable);
1387 return false;
1388 }
1389
1390 return true;
1391 }
1392
RemoveNativeInfoFromDatabase(AccessTokenID tokenID)1393 bool AccessTokenInfoManager::RemoveNativeInfoFromDatabase(AccessTokenID tokenID)
1394 {
1395 GenericValues conditionValue;
1396 conditionValue.Put(TokenFiledConst::FIELD_TOKEN_ID, static_cast<int32_t>(tokenID));
1397
1398 int32_t res = AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_NATIVE_INFO, conditionValue);
1399 if (res != 0) {
1400 ACCESSTOKEN_LOG_ERROR(LABEL, "Remove tokenID %{public}u from table native_token_info failed.", tokenID);
1401 return false;
1402 }
1403
1404 res = AccessTokenDb::GetInstance().Remove(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue);
1405 if (res != 0) {
1406 ACCESSTOKEN_LOG_ERROR(LABEL, "Remove tokenID %{public}u from table permission_state failed.", tokenID);
1407 return false;
1408 }
1409
1410 return true;
1411 }
1412 } // namespace AccessToken
1413 } // namespace Security
1414 } // namespace OHOS
1415