diff --git a/hisysevent.yaml b/hisysevent.yaml
index 9db48c4d2eaea49c94f6ddf5676e6e03c28dfd36..60383083b43b6e5cc22f9510b9b65bb71e7de0dd 100644
--- a/hisysevent.yaml
+++ b/hisysevent.yaml
@@ -31,7 +31,7 @@ PERMISSION_VERIFY_REPORT:
 CODE: {type: INT32, desc: error code}
 CALLER_TOKENID: {type: UINT32, desc: caller token id}
 PERMISSION_NAME: {type: STRING, desc: permission name}
- INTERFACE: {type: STRING, desc: interface information}
+ INTERFACE: {type: STRING, desc: INTerface information}

 PERMISSION_CHECK:
 __BASE: {type: FAULT, level: CRITICAL, desc: permission check error}
@@ -69,6 +69,9 @@ DEL_HAP:
 USERID: {type: INT32, desc: user id}
 BUNDLENAME: {type: STRING, desc: bundle name}
 INSTINDEX: {type: INT32, desc: inst index}
+ SCENE_CODE: {type: INT32, desc: scene code}
+ ERROR_CODE: {type: INT32, desc: error code}
+ DURATION: {type: INT64, desc: duration}

 PERM_DIALOG_STATUS_INFO:
 __BASE: {type: STATISTIC, level: MINOR, desc: status information of permission dialog}
@@ -93,6 +96,11 @@ UPDATE_PERMISSION:
 PERMISSION_NAME: {type: STRING, desc: permission name}
 PERMISSION_FLAG: {type: UINT32, desc: permission flag}
 GRANTED_FLAG: {type: BOOL, desc: grant or revoke}
+ SCENE_CODE: {type: INT32, desc: scene code}
+ ERROR_CODE: {type: INT32, desc: error code}
+ USERID: {type: INT32, desc: user id}
+ BUNDLENAME: {type: STRING, desc: bundle name}
+ INSTINDEX: {type: INT32, desc: inst index}

 UPDATE_HAP:
 __BASE: {type: STATISTIC, level: MINOR, tag: usability, desc: update hap to device}
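Review bot: The new description for `INTERFACE` reads `INTerface information`, which looks like an accidental case change rather than an intended edit, and it is the only change in this hunk. Unless some tooling depends on the odd capitalisation, keep `desc: interface information`.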
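Review bot: `DURATION: {type: INT64, desc: duration}` in DEL_HAP (and again in UPDATE_HAP) does not say which unit the value is in. The callers compute it as the difference of two `TimeUtil::GetCurrentTimestamp()` results, so the description should name that unit, e.g. `desc: elapsed time of the operation in <unit>`. `SCENE_CODE` would also be easier to consume if its desc listed the two values it takes here, `0` for start and `1` for finish.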
@@ -100,6 +108,14 @@ UPDATE_HAP:
 USERID: {type: INT32, desc: user id}
 BUNDLENAME: {type: STRING, desc: bundle name}
 INSTINDEX: {type: INT32, desc: inst index}
+ SCENE_CODE: {type: INT32, desc: scene code}
+ ERROR_CODE: {type: INT32, desc: error code}
+ TOKENIDEX: {type: UINT64, desc: tokenIDEx}
+ PERM_INFO: {type: STRING, desc: perm info}
+ ACL_INFO: {type: STRING, desc: acl info}
+ PREAUTH_INFO: {type: STRING, desc: pre-auth info}
+ EXTEND_INFO: {type: STRING, desc: extend info}
+ DURATION: {type: INT64, desc: duration}

 CLEAR_USER_PERMISSION_STATE:
 __BASE: {type: BEHAVIOR, level: MINOR, desc: clear user permission state}
@@ -136,3 +152,9 @@ VERIFY_ACCESS_TOKEN_EVENT:
 SELF_TOKENID: {type: UINT32, desc: self tokenID}
 CONTEXT_TOKENID: {type: UINT32, desc: context tokenID}

+ACCESSTOKEN_EXCEPTION:
+ __BASE: {type: FAULT, level: CRITICAL, desc: accesstoken exception}
+ SCENE_CODE: {type: INT32, desc: scene code}
+ ERROR_CODE: {type: INT32, desc: error code}
+ ERROR_MSG: {type: STRING, desc: error reason}
+
diff --git a/interfaces/innerkits/accesstoken/include/hap_token_info.h b/interfaces/innerkits/accesstoken/include/hap_token_info.h
index 5e80c3ced990c4fbc5d1b4aa6e8c9ded7bf34ade..0292fc3954e2382b8d7190d5eb50e6c5666719d8 100644
--- a/interfaces/innerkits/accesstoken/include/hap_token_info.h
+++ b/interfaces/innerkits/accesstoken/include/hap_token_info.h
@@ -96,12 +96,12 @@ public:
 class HapTokenInfo final {
 public:
 char ver;
- int userID;
+ int userID = 0;
 std::string bundleName;
 /** which version of the SDK is used to develop this hap */
 int32_t apiVersion;
 /** instance index */
- int instIndex;
+ int instIndex = 0;
 /**
 * dlp type, for details about the valid values,
 * see the definition of HapDlpType in the access_token.h file.
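Review bot: Only `userID` and `instIndex` get default initialisers in `HapTokenInfo`; `ver` and `apiVersion` in the same class are still indeterminate after default construction. The callers added in this commit create a `HapTokenInfo` on the stack, ignore the result of `GetHapTokenInfo`, and then read its fields, so every scalar member should be initialised, e.g. `char ver = 0;` and `int32_t apiVersion = 0;`. The class continues past the end of the hunk, so later members may need the same treatment.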
diff --git a/services/accesstokenmanager/main/cpp/include/dfx/hisysevent_adapter.h b/services/accesstokenmanager/main/cpp/include/dfx/hisysevent_adapter.h index be526063a6de9e270e57b120601f2c8ea2632cd6..9b527e347f6a35210d2ca90ce3ee7ddcc07a8460 100644 --- a/services/accesstokenmanager/main/cpp/include/dfx/hisysevent_adapter.h +++ b/services/accesstokenmanager/main/cpp/include/dfx/hisysevent_adapter.h @@ -34,6 +34,16 @@ enum UpdatePermStatusErrorCode { DLP_CHECK_FAILED = 1, UPDATE_PERMISSION_STATUS_FAILED = 2, }; +enum CommonSceneCode { + AT_COMMOM_START = 0, + AT_COMMON_FINISH = 1, +}; +struct AccessTokenDfxInfo { + std::string permInfo; + std::string aclInfo; + std::string preauthInfo; + std::string extendInfo; +}; void ReportSysEventPerformance(); void ReportSysEventServiceStart(int32_t pid, uint32_t hapSize, uint32_t nativeSize, uint32_t permDefSize); void ReportSysEventServiceStartError(SceneCode scene, const std::string& errMsg, int32_t errCode); diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h index e0b4eb58ccdf3f6fbfdd309c3a3abb4c9fa93fc9..14cd8a00aa4e814b859d692a3833e5c01217747a 100644 --- a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h +++ b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h @@ -67,6 +67,8 @@ public: const std::string& bundleName, const std::string& abilityName); int32_t CheckAndUpdatePermission(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag); + int32_t CheckAndUpdatePermissionInner(AccessTokenID tokenID, const std::string& permissionName, + bool isGranted, uint32_t flag); int32_t UpdatePermission(AccessTokenID tokenID, const std::string& permissionName, bool isGranted, uint32_t flag, bool needKill); int32_t GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag); 
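Review bot: `AT_COMMOM_START` in the new `CommonSceneCode` enum is misspelled (`COMMOM`), right next to the correctly spelled `AT_COMMON_FINISH`. Every call site added in this commit already uses the misspelled name, so it is cheapest to fix now: `AT_COMMON_START = 0,`. `CommonSceneCode` is also an unscoped enum passed straight to `HiSysEventWrite` for a field that hisysevent.yaml declares as INT32; an explicit `static_cast<int32_t>(...)` at the call sites, or a comment on the enum stating the intended wire type, would make that conversion deliberate.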
diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h index c90a9a26ba4972b494f2d25ea8b99234ca6697e8..ecbb2c4314e27d6f18f78525d3b69a3ae38f772d 100644 --- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h +++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h @@ -129,6 +129,8 @@ private: bool Initialize(); void AccessTokenServiceParamSet() const; PermissionOper GetPermissionsState(AccessTokenID tokenID, std::vector& reqPermList); + int32_t UpdateHapTokenCore(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, + const HapPolicyParcel& policyParcel, HapInfoCheckResultIdl& resultInfoIdl); ServiceRunningState state_; std::string grantBundleName_; std::string grantAbilityName_; diff --git a/services/accesstokenmanager/main/cpp/src/database/access_token_db.cpp b/services/accesstokenmanager/main/cpp/src/database/access_token_db.cpp index b1c4631b9e47a258b49e2535abc4f84211931d31..6a85638f89de5bb38059fe3bb84c107bda86b858 100644 --- a/services/accesstokenmanager/main/cpp/src/database/access_token_db.cpp +++ b/services/accesstokenmanager/main/cpp/src/database/access_token_db.cpp @@ -244,6 +244,7 @@ int32_t AccessTokenDb::Modify(const AtmDataType type, const GenericValues& modif std::string tableName; AccessTokenDbUtil::GetTableNameByType(type, tableName); if (tableName.empty()) { + LOGC(ATM_DOMAIN, ATM_TAG, "Get table name failed, type=%{public}d!", static_cast(type)); return AccessTokenError::ERR_PARAM_INVALID; } @@ -251,6 +252,7 @@ int32_t AccessTokenDb::Modify(const AtmDataType type, const GenericValues& modif AccessTokenDbUtil::ToRdbValueBucket(modifyValue, bucket); if (bucket.IsEmpty()) { + LOGC(ATM_DOMAIN, ATM_TAG, "To rdb value bucket failed!"); return AccessTokenError::ERR_PARAM_INVALID; } 
@@ -262,7 +264,7 @@ int32_t AccessTokenDb::Modify(const AtmDataType type, const GenericValues& modif OHOS::Utils::UniqueWriteGuard lock(this->rwLock_); auto db = GetRdb(); if (db == nullptr) { - LOGE(ATM_DOMAIN, ATM_TAG, "db is nullptr."); + LOGC(ATM_DOMAIN, ATM_TAG, "db is nullptr."); return AccessTokenError::ERR_DATABASE_OPERATE_FAILED; } @@ -272,6 +274,7 @@ int32_t AccessTokenDb::Modify(const AtmDataType type, const GenericValues& modif tableName.c_str(), res); int32_t result = RestoreAndUpdateIfCorrupt(res, changedRows, bucket, predicates, db); if (result != NativeRdb::E_OK) { + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to restore and update, result is %{public}d.", result); return result; } } @@ -298,19 +301,19 @@ int32_t AccessTokenDb::RestoreAndQueryIfCorrupt(const NativeRdb::RdbPredicates& LOGW(ATM_DOMAIN, ATM_TAG, "Detech database corrupt, restore from backup!"); res = db->Restore(""); if (res != NativeRdb::E_OK) { - LOGE(ATM_DOMAIN, ATM_TAG, "Db restore failed, res is %{public}d.", res); + LOGC(ATM_DOMAIN, ATM_TAG, "Db restore failed, res is %{public}d.", res); return res; } LOGI(ATM_DOMAIN, ATM_TAG, "Database restore success, try query again!"); queryResultSet = db->Query(predicates, columns); if (queryResultSet == nullptr) { - LOGE(ATM_DOMAIN, ATM_TAG, "Failed to find records from table %{public}s again.", + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to find records from table %{public}s again.", predicates.GetTableName().c_str()); return AccessTokenError::ERR_DATABASE_OPERATE_FAILED; } } else { - LOGE(ATM_DOMAIN, ATM_TAG, "Failed to get result count."); + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to get result count."); return AccessTokenError::ERR_DATABASE_OPERATE_FAILED; } } 
@@ -337,19 +340,20 @@ int32_t AccessTokenDb::Find(AtmDataType type, const GenericValues& conditionValu OHOS::Utils::UniqueReadGuard lock(this->rwLock_); auto db = GetRdb(); if (db == nullptr) { - LOGE(ATM_DOMAIN, ATM_TAG, "db is nullptr."); + LOGC(ATM_DOMAIN, ATM_TAG, "db is nullptr."); return AccessTokenError::ERR_DATABASE_OPERATE_FAILED; } auto queryResultSet = db->Query(predicates, columns); if (queryResultSet == nullptr) { - LOGE(ATM_DOMAIN, ATM_TAG, "Failed to find records from table %{public}s.", + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to find records from table %{public}s.", tableName.c_str()); return AccessTokenError::ERR_DATABASE_OPERATE_FAILED; } int32_t res = RestoreAndQueryIfCorrupt(predicates, columns, queryResultSet, db); if (res != 0) { + LOGC(ATM_DOMAIN, ATM_TAG, "Restore and query failed!"); return res; } @@ -382,14 +386,14 @@ int32_t AccessTokenDb::RestoreAndCommitIfCorrupt(const int32_t resultCode, LOGW(ATM_DOMAIN, ATM_TAG, "Detech database corrupt, restore from backup!"); int32_t res = db->Restore(""); if (res != NativeRdb::E_OK) { - LOGE(ATM_DOMAIN, ATM_TAG, "Db restore failed, res is %{public}d.", res); + LOGC(ATM_DOMAIN, ATM_TAG, "Db restore failed, res is %{public}d.", res); return res; } LOGI(ATM_DOMAIN, ATM_TAG, "Database restore success, try commit again!"); res = db->Commit(); if (res != NativeRdb::E_OK) { - LOGE(ATM_DOMAIN, ATM_TAG, "Failed to Commit again, res is %{public}d.", res); + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to Commit again, res is %{public}d.", res); return res; } @@ -406,7 +410,7 @@ int32_t AccessTokenDb::DeleteAndInsertValues( OHOS::Utils::UniqueWriteGuard lock(this->rwLock_); std::shared_ptr db = GetRdb(); if (db == nullptr) { - LOGE(ATM_DOMAIN, ATM_TAG, "db is nullptr."); + LOGC(ATM_DOMAIN, ATM_TAG, "db is nullptr."); return AccessTokenError::ERR_DATABASE_OPERATE_FAILED; } 
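Review bot: The added `LOGC(ATM_DOMAIN, ATM_TAG, "Restore and query failed!");` in `Find` drops the error code, although `RestoreAndQueryIfCorrupt` has already logged the specific failure together with `res`. If LOGC keeps only the latest message per thread (the macro is not visible here, so this is an assumption), the generic text replaces the useful one in the reported event. Either include the code, `LOGC(ATM_DOMAIN, ATM_TAG, "Restore and query failed, res is %{public}d.", res);`, or drop the outer log. The body of `Find` starts and ends outside the hunk.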
@@ -418,6 +422,7 @@ int32_t AccessTokenDb::DeleteAndInsertValues( res = RemoveValues(delDataTypes[i], delValues[i]); if (res != 0) { db->RollBack(); + LOGC(ATM_DOMAIN, ATM_TAG, "Remove values failed, res is %{public}d.", res); return res; } } @@ -427,6 +432,7 @@ int32_t AccessTokenDb::DeleteAndInsertValues( res = AddValues(addDataTypes[i], addValues[i]); if (res != 0) { db->RollBack(); + LOGC(ATM_DOMAIN, ATM_TAG, "Add values failed, res is %{public}d.", res); return res; } } @@ -436,6 +442,7 @@ int32_t AccessTokenDb::DeleteAndInsertValues( LOGE(ATM_DOMAIN, ATM_TAG, "Failed to commit, res is %{public}d.", res); int32_t result = RestoreAndCommitIfCorrupt(res, db); if (result != NativeRdb::E_OK) { + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to restore and commit, result is %{public}d.", result); return result; } } diff --git a/services/accesstokenmanager/main/cpp/src/dfx/hisysevent_adapter.cpp b/services/accesstokenmanager/main/cpp/src/dfx/hisysevent_adapter.cpp index 19ce1ffbbdaa3b8d8eb786a63bd5bae507e1ac1f..4511527a96c9bdb3f7ff32a00f1b1245b1686df5 100644 --- a/services/accesstokenmanager/main/cpp/src/dfx/hisysevent_adapter.cpp +++ b/services/accesstokenmanager/main/cpp/src/dfx/hisysevent_adapter.cpp @@ -63,12 +63,13 @@ void ReportSysCommonEventError(int32_t ipcCode, int32_t errCode) if (GetThreadErrorMsgLen() == 0) { return; } - int32_t ret = HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "ACCESSTOKEN_SERVICE_START_ERROR", + int32_t ret = HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "ACCESSTOKEN_EXCEPTION", HiviewDFX::HiSysEvent::EventType::FAULT, "SCENE_CODE", ipcCode, "ERROR_CODE", errCode, "ERROR_MSG", GetThreadErrorMsg()); if (ret != 0) { LOGE(ATM_DOMAIN, ATM_TAG, "Failed to write hisysevent write, ret %{public}d.", ret); } + ClearThreadErrorMsg(); } } // namespace AccessToken } // namespace Security 
diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp index 3c76de83742a6f80614a35cb0984109efd12599f..f9f9ca828dffb590e43c90eceb68ad98a6d72485 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_data_brief.cpp @@ -411,7 +411,7 @@ int32_t PermissionDataBrief::UpdatePermStateList( { auto iterPermData = requestedPermData_.find(tokenId); if (iterPermData == requestedPermData_.end()) { - LOGE(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenId); + LOGC(ATM_DOMAIN, ATM_TAG, "TokenID %{public}d is not exist.", tokenId); return ERR_TOKEN_INVALID; } std::vector& permBriefDatalist = requestedPermData_[tokenId]; @@ -420,12 +420,12 @@ int32_t PermissionDataBrief::UpdatePermStateList( return opCode == permData.permCode; }); if (iter == permBriefDatalist.end()) { - LOGE(ATM_DOMAIN, ATM_TAG, "Permission not request!"); + LOGC(ATM_DOMAIN, ATM_TAG, "Permission not request!"); return AccessTokenError::ERR_PARAM_INVALID; } if ((static_cast(iter->flag) & PERMISSION_SYSTEM_FIXED) == PERMISSION_SYSTEM_FIXED) { - LOGE(ATM_DOMAIN, ATM_TAG, "Permission fixed by system!"); + LOGC(ATM_DOMAIN, ATM_TAG, "Permission fixed by system!"); return AccessTokenError::ERR_PARAM_INVALID; } iter->status = isGranted ? PERMISSION_GRANTED : PERMISSION_DENIED; @@ -450,7 +450,7 @@ int32_t PermissionDataBrief::UpdateSecCompGrantedPermList(AccessTokenID tokenId, if (status == PERMISSION_GRANTED) { return RET_SUCCESS; } else { - LOGE(ATM_DOMAIN, ATM_TAG, "Permission has been revoked by user."); + LOGC(ATM_DOMAIN, ATM_TAG, "Permission has been revoked by user."); return ERR_PERMISSION_DENIED; } } else { 
diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp index 30d1882b329f2182b9897e2b18ca9516f5f5312e..e8f12d45707d1506aae607d55be9b55aa2c81d92 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp @@ -32,6 +32,7 @@ #ifdef SUPPORT_SANDBOX_APP #include "dlp_permission_set_manager.h" #endif +#include "iaccess_token_manager.h" #include "ipc_skeleton.h" #include "hisysevent_adapter.h" #include "parameter.h" @@ -345,7 +346,7 @@ int32_t PermissionManager::UpdateTokenPermissionState( { std::shared_ptr infoPtr = AccessTokenInfoManager::GetInstance().GetHapTokenInfoInner(id); if (infoPtr == nullptr) { - LOGE(ATM_DOMAIN, ATM_TAG, "tokenInfo is null, tokenId=%{public}u", id); + LOGC(ATM_DOMAIN, ATM_TAG, "tokenInfo is null, tokenId=%{public}u", id); return AccessTokenError::ERR_TOKENID_NOT_EXIST; } @@ -359,6 +360,7 @@ int32_t PermissionManager::UpdateTokenPermissionState( bool statusChanged = false; ret = infoPtr->UpdatePermissionStatus(permission, isGranted, flag, statusChanged); if (ret != RET_SUCCESS) { + LOGC(ATM_DOMAIN, ATM_TAG, "Update info perm status failed, ret is %{public}d", ret); HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", UPDATE_PERMISSION_STATUS_FAILED, "TOKENID", id, "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", ret, 
@@ -389,12 +391,12 @@ int32_t PermissionManager::UpdateTokenPermissionStateCheck(const std::shared_ptr AccessTokenID id, const std::string& permission, bool isGranted, uint32_t flag) { if (infoPtr->IsRemote()) { - LOGE(ATM_DOMAIN, ATM_TAG, "Remote token can not update"); + LOGC(ATM_DOMAIN, ATM_TAG, "Remote token can not update"); return AccessTokenError::ERR_IDENTITY_CHECK_FAILED; } if ((flag == PERMISSION_ALLOW_THIS_TIME) && isGranted) { if (!TempPermissionObserver::GetInstance().IsAllowGrantTempPermission(id, permission)) { - LOGE(ATM_DOMAIN, ATM_TAG, "Id:%{public}d fail to grant permission:%{public}s", id, permission.c_str()); + LOGC(ATM_DOMAIN, ATM_TAG, "Id:%{public}d fail to grant permission:%{public}s", id, permission.c_str()); return ERR_IDENTITY_CHECK_FAILED; } } @@ -404,7 +406,7 @@ int32_t PermissionManager::UpdateTokenPermissionStateCheck(const std::shared_ptr if (hapDlpType != DLP_COMMON) { int32_t permDlpMode = DlpPermissionSetManager::GetInstance().GetPermDlpMode(permission); if (!DlpPermissionSetManager::GetInstance().IsPermDlpModeAvailableToDlpHap(hapDlpType, permDlpMode)) { - LOGD(ATM_DOMAIN, ATM_TAG, "%{public}s cannot to be granted to %{public}u", permission.c_str(), id); + LOGC(ATM_DOMAIN, ATM_TAG, "%{public}s cannot to be granted to %{public}u", permission.c_str(), id); HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION_STATUS_ERROR", HiviewDFX::HiSysEvent::EventType::FAULT, "ERROR_CODE", DLP_CHECK_FAILED, "TOKENID", id, "PERM", permission, "BUNDLE_NAME", infoPtr->GetBundleName(), "INT_VAL1", hapDlpType, "INT_VAL2", permDlpMode); @@ -420,6 +422,8 @@ int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::st { int32_t ret = UpdateTokenPermissionState(tokenID, permissionName, isGranted, flag, needKill); if (ret != RET_SUCCESS) { + LOGC(ATM_DOMAIN, ATM_TAG, "Update permission %{public}u %{public}s failed, ret is %{public}d", tokenID, + permissionName.c_str(), ret); return ret; } 
@@ -432,10 +436,6 @@ int32_t PermissionManager::UpdatePermission(AccessTokenID tokenID, const std::st } #endif - // DFX - HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION", - HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "TOKENID", tokenID, "PERMISSION_NAME", - permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted); return RET_SUCCESS; } @@ -443,15 +443,15 @@ int32_t PermissionManager::CheckAndUpdatePermission(AccessTokenID tokenID, const bool isGranted, uint32_t flag) { if (!PermissionValidator::IsPermissionNameValid(permissionName)) { - LOGE(ATM_DOMAIN, ATM_TAG, "permissionName: %{public}s, Invalid params!", permissionName.c_str()); + LOGC(ATM_DOMAIN, ATM_TAG, "permissionName: %{public}s, Invalid params!", permissionName.c_str()); return AccessTokenError::ERR_PARAM_INVALID; } if (!IsDefinedPermission(permissionName)) { - LOGE(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str()); + LOGC(ATM_DOMAIN, ATM_TAG, "No definition for permission: %{public}s!", permissionName.c_str()); return AccessTokenError::ERR_PERMISSION_NOT_EXIST; } if (!PermissionValidator::IsPermissionFlagValid(flag)) { - LOGE(ATM_DOMAIN, ATM_TAG, "flag: %{public}d, Invalid params!", flag); + LOGC(ATM_DOMAIN, ATM_TAG, "flag: %{public}d, Invalid params!", flag); return AccessTokenError::ERR_PARAM_INVALID; } bool needKill = false; 
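Review bot: The first LOGC in `CheckAndUpdatePermission` formats `permissionName` with `%{public}s` exactly when `IsPermissionNameValid` has rejected it, so a string of unchecked length and content is written to the log. Through the thread error message it apparently also reaches the `ERROR_MSG` field of the CRITICAL `ACCESSTOKEN_EXCEPTION` event. Log a bounded form instead, for example the length only: `LOGC(ATM_DOMAIN, ATM_TAG, "Invalid permissionName, length %{public}zu", permissionName.size());`. These three branches are caller input errors rather than service faults, so it is also worth confirming that they should raise a CRITICAL fault event at all. The function continues beyond the hunk.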
@@ -465,18 +465,45 @@ int32_t PermissionManager::CheckAndUpdatePermission(AccessTokenID tokenID, const return UpdatePermission(tokenID, permissionName, isGranted, flag, needKill); } +int32_t PermissionManager::CheckAndUpdatePermissionInner(AccessTokenID tokenID, const std::string& permissionName, + bool isGranted, uint32_t flag) +{ + HapTokenInfo hapInfo; + AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo); + ClearThreadErrorMsg(); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION", + HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMOM_START, + "TOKENID", tokenID, "USERID", hapInfo.userID, "BUNDLENAME", hapInfo.bundleName, "INSTINDEX", hapInfo.instIndex, + "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted); + + int32_t ret = CheckAndUpdatePermission(tokenID, permissionName, isGranted, flag); + + uint32_t newFlag = flag; + if (ret == RET_SUCCESS && GetPermissionFlag(tokenID, permissionName, flag) == RET_SUCCESS) { + flag = newFlag; + } + + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_PERMISSION", + HiviewDFX::HiSysEvent::EventType::BEHAVIOR, "SCENE_CODE", CommonSceneCode::AT_COMMON_FINISH, + "TOKENID", tokenID, "PERMISSION_NAME", permissionName, "PERMISSION_FLAG", flag, "GRANTED_FLAG", isGranted, + "ERROR_CODE", ret); + ReportSysCommonEventError(static_cast(isGranted ? 
IAccessTokenManagerIpcCode::COMMAND_GRANT_PERMISSION : + IAccessTokenManagerIpcCode::COMMAND_REVOKE_PERMISSION), ret); + return ret; +} + int32_t PermissionManager::GrantPermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag) { LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, flag: %{public}d", tokenID, permissionName.c_str(), flag); - return CheckAndUpdatePermission(tokenID, permissionName, true, flag); + return CheckAndUpdatePermissionInner(tokenID, permissionName, true, flag); } int32_t PermissionManager::RevokePermission(AccessTokenID tokenID, const std::string& permissionName, uint32_t flag) { LOGI(ATM_DOMAIN, ATM_TAG, "TokenID: %{public}u, permissionName: %{public}s, flag: %{public}d", tokenID, permissionName.c_str(), flag); - return CheckAndUpdatePermission(tokenID, permissionName, false, flag); + return CheckAndUpdatePermissionInner(tokenID, permissionName, false, flag); } int32_t PermissionManager::GrantPermissionForSpecifiedTime( diff --git a/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp b/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp index ccb878ac6e04331fee9a7f2da4861c312c4f9720..d965600c06dd08953f9478e708696c9ca8aa10e0 100644 --- a/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp +++ b/services/accesstokenmanager/main/cpp/src/permission/temp_permission_observer.cpp 
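Review bot: In `CheckAndUpdatePermissionInner` the flag refresh is a no-op: `newFlag` is set to `flag`, `GetPermissionFlag` is called with `flag`, and `flag = newFlag;` then writes the old value back, so the FINISH event always reports the requested flag. Assuming the third argument of `GetPermissionFlag` is its output, the intent looks like `if (ret == RET_SUCCESS && GetPermissionFlag(tokenID, permissionName, newFlag) == RET_SUCCESS) {` followed by `flag = newFlag;`. Any LOGC raised inside that extra `GetPermissionFlag` call would also be picked up by the `ReportSysCommonEventError` that follows and attributed to the grant or revoke. Separately, the `UPDATE_PERMISSION` event now lives only in this wrapper, so callers that reach `CheckAndUpdatePermission` or `UpdatePermission` directly no longer emit it; please confirm that is intended.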
@@ -425,12 +425,12 @@ bool TempPermissionObserver::IsAllowGrantTempPermission(AccessTokenID tokenID, c { HapTokenInfo tokenInfo; if (AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, tokenInfo) != RET_SUCCESS) { - LOGE(ATM_DOMAIN, ATM_TAG, "Invalid tokenId(%{public}d)", tokenID); + LOGC(ATM_DOMAIN, ATM_TAG, "Invalid tokenId(%{public}d)", tokenID); return false; } auto iterator = std::find(g_tempPermission.begin(), g_tempPermission.end(), permissionName); if (iterator == g_tempPermission.end()) { - LOGW(ATM_DOMAIN, ATM_TAG, "Permission is not available to temp grant: %{public}s!", permissionName.c_str()); + LOGC(ATM_DOMAIN, ATM_TAG, "Permission is not available to temp grant: %{public}s!", permissionName.c_str()); return false; } return CheckPermissionState(tokenID, permissionName, tokenInfo.bundleName); diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp index 353ad782c7815e6a610d6a0d8a1be7b50f4fb239..092e41cdbdf3c85fe7bce15568c16623a9855fdc 100644 --- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp +++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp @@ -24,6 +24,7 @@ #include "accesstoken_dfx_define.h" #include "accesstoken_id_manager.h" #include "accesstoken_info_manager.h" +#include "accesstoken_service_ipc_interface_code.h" #include "constant_common.h" #include "data_validator.h" #include "hap_token_info.h" @@ -45,6 +46,7 @@ #include "short_grant_manager.h" #include "string_ex.h" #include "system_ability_definition.h" +#include "time_util.h" #include "token_field_const.h" #ifdef TOKEN_SYNC_ENABLE #include "token_modify_notifier.h" 
@@ -666,8 +668,25 @@ int AccessTokenManagerService::DeleteToken(AccessTokenID tokenID) if (this->GetTokenType(tokenID) != TOKEN_HAP) { return AccessTokenError::ERR_PARAM_INVALID; } + + int64_t beginTime = TimeUtil::GetCurrentTimestamp(); + + HapTokenInfo hapInfo; + AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenID, hapInfo); + ClearThreadErrorMsg(); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "DEL_HAP", + HiviewDFX::HiSysEvent::EventType::STATISTIC, "SCENE_CODE", CommonSceneCode::AT_COMMOM_START, + "TOKENID", tokenID, "USERID", hapInfo.userID, "BUNDLENAME", hapInfo.bundleName, "INSTINDEX", hapInfo.instIndex); + // only support hap token deletion - return AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID); + int32_t ret = AccessTokenInfoManager::GetInstance().RemoveHapTokenInfo(tokenID); + + int64_t endTime = TimeUtil::GetCurrentTimestamp(); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "DEL_HAP", + HiviewDFX::HiSysEvent::EventType::STATISTIC, "SCENE_CODE", CommonSceneCode::AT_COMMON_FINISH, + "TOKENID", tokenID, "DURATION", endTime - beginTime, "ERROR_CODE", ret); + ReportSysCommonEventError(static_cast(IAccessTokenManagerIpcCode::COMMAND_DELETE_TOKEN), ret); + return ret; } int AccessTokenManagerService::GetTokenType(AccessTokenID tokenID) 
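Review bot: The result of `GetHapTokenInfo(tokenID, hapInfo)` is ignored in `DeleteToken`, and `ClearThreadErrorMsg()` then discards whatever the failed lookup logged. For a token that cannot be looked up, the START event is therefore written with `USERID` 0, an empty `BUNDLENAME` and `INSTINDEX` 0, which cannot be told apart from a token that really has those values. Check the return value and either leave the identity fields out or record that the lookup failed. `CheckAndUpdatePermissionInner` and `UpdateHapToken` use the same pattern. It is also worth stating next to `beginTime` which clock `TimeUtil::GetCurrentTimestamp()` reads, because a wall-clock source can make `DURATION` negative or inflated when the system time changes.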
@@ -715,6 +734,56 @@ int32_t AccessTokenManagerService::AllocLocalTokenID( return ERR_OK; } +int32_t AccessTokenManagerService::UpdateHapTokenCore(AccessTokenIDEx& tokenIdEx, const UpdateHapInfoParams& info, + const HapPolicyParcel& policyParcel, HapInfoCheckResultIdl& resultInfoIdl) +{ + std::vector InitializedList; + resultInfoIdl.realResult = ERR_OK; + HapInfoCheckResult permCheckResult; + if (!PermissionManager::GetInstance().InitPermissionList( + info.appDistributionType, policyParcel.hapPolicy, InitializedList, permCheckResult)) { + resultInfoIdl.realResult = ERROR; + resultInfoIdl.permissionName = permCheckResult.permCheckResult.permissionName; + int32_t rule = permCheckResult.permCheckResult.rule; + resultInfoIdl.rule = static_cast(rule); + LOGC(ATM_DOMAIN, ATM_TAG, "InitPermissionList failed, tokenId=%{public}u.", tokenIdEx.tokenIdExStruct.tokenID); + ReportSysCommonEventError(static_cast(IAccessTokenManagerIpcCode::COMMAND_UPDATE_HAP_TOKEN), + ERR_PERM_REQUEST_CFG_FAILED); + return ERR_OK; + } + + int32_t ret = AccessTokenInfoManager::GetInstance().UpdateHapToken(tokenIdEx, info, + InitializedList, policyParcel.hapPolicy); + return ret; +} + +static void DumpEventInfo(const HapPolicy& policy, AccessTokenDfxInfo& dfxInfo) +{ + dfxInfo.permInfo = std::to_string(policy.permStateList.size()) + " : ["; + for (const auto& permState : policy.permStateList) { + dfxInfo.permInfo.append(permState.permissionName + ", "); + } + dfxInfo.permInfo.append("]"); + + dfxInfo.aclInfo = std::to_string(policy.aclRequestedList.size()) + " : ["; + for (const auto& perm : policy.aclRequestedList) { + dfxInfo.aclInfo.append(perm + ", "); + } + dfxInfo.aclInfo.append("]"); + + dfxInfo.preauthInfo = std::to_string(policy.preAuthorizationInfo.size()) + " : ["; + for (const auto& preAuthInfo : policy.preAuthorizationInfo) { + dfxInfo.preauthInfo.append(preAuthInfo.permissionName + ", "); + } + dfxInfo.preauthInfo.append("]"); + + dfxInfo.extendInfo = 
std::to_string(policy.aclExtendedMap.size()) + " : {"; + for (const auto& aclExtend : policy.aclExtendedMap) { + dfxInfo.extendInfo.append(aclExtend.first + ": " + aclExtend.second + ", "); + } + dfxInfo.extendInfo.append("}"); +} + int32_t AccessTokenManagerService::UpdateHapToken(uint64_t& fullTokenId, const UpdateHapInfoParamsIdl& infoIdl, const HapPolicyParcel& policyParcel, HapInfoCheckResultIdl& resultInfoIdl) { 
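Review bot: `DumpEventInfo` copies every permission name and every `aclExtendedMap` key and value from the incoming `HapPolicy` into event strings with no bound on count or length, and the extended values are data supplied with the update request. The resulting `PERM_INFO`, `ACL_INFO`, `PREAUTH_INFO` and `EXTEND_INFO` fields can grow arbitrarily large and may place values in the system event store that were never meant to be recorded there. Cap the number of entries and record only the keys of `aclExtendedMap`, as sketched below for the last list; the other three lists need the same cap. Each list also ends with a dangling `, ` before the closing bracket.

```cpp
// Constructed limit for illustration; size it to what one event field may hold.
constexpr size_t MAX_DFX_LIST_ITEMS = 32;

static void DumpEventInfo(const HapPolicy& policy, AccessTokenDfxInfo& dfxInfo)
{
    // … unchanged: permInfo, aclInfo and preauthInfo lists (apply the same cap) …

    dfxInfo.extendInfo = std::to_string(policy.aclExtendedMap.size()) + " : {";
    size_t emitted = 0;
    for (const auto& aclExtend : policy.aclExtendedMap) {
        if (emitted == MAX_DFX_LIST_ITEMS) {
            dfxInfo.extendInfo.append("...");
            break;
        }
        // Key only: the extended value is request data and stays out of the event.
        dfxInfo.extendInfo.append(aclExtend.first + ", ");
        ++emitted;
    }
    dfxInfo.extendInfo.append("}");
}
```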
@@ -732,23 +801,33 @@ int32_t AccessTokenManagerService::UpdateHapToken(uint64_t& fullTokenId, const U info.apiVersion = infoIdl.apiVersion; info.isSystemApp = infoIdl.isSystemApp; info.appDistributionType = infoIdl.appDistributionType; - std::vector InitializedList; - resultInfoIdl.realResult = ERR_OK; - HapInfoCheckResult permCheckResult; - if (!PermissionManager::GetInstance().InitPermissionList( - info.appDistributionType, policyParcel.hapPolicy, InitializedList, permCheckResult)) { - resultInfoIdl.realResult = ERROR; - resultInfoIdl.permissionName = permCheckResult.permCheckResult.permissionName; - int32_t rule = permCheckResult.permCheckResult.rule; - resultInfoIdl.rule = static_cast(rule); - return ERR_OK; - } - int32_t ret = AccessTokenInfoManager::GetInstance().UpdateHapToken(tokenIdEx, info, - InitializedList, policyParcel.hapPolicy); + int64_t beginTime = TimeUtil::GetCurrentTimestamp(); + HapTokenInfo hapInfo; + AccessTokenInfoManager::GetInstance().GetHapTokenInfo(tokenIdEx.tokenIdExStruct.tokenID, hapInfo); + ClearThreadErrorMsg(); + + AccessTokenDfxInfo dfxInfo; + DumpEventInfo(policyParcel.hapPolicy, dfxInfo); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_HAP", + HiviewDFX::HiSysEvent::EventType::STATISTIC, "SCENE_CODE", CommonSceneCode::AT_COMMOM_START, + "TOKENID", tokenIdEx.tokenIdExStruct.tokenID, "TOKENIDEX", tokenIdEx.tokenIDEx, + "USERID", hapInfo.userID, "BUNDLENAME", hapInfo.bundleName, "INSTINDEX", hapInfo.instIndex, + "PERM_INFO", dfxInfo.permInfo, "ACL_INFO", dfxInfo.aclInfo, "PREAUTH_INFO", dfxInfo.preauthInfo, + "EXTEND_INFO", dfxInfo.extendInfo); + + int32_t ret = UpdateHapTokenCore(tokenIdEx, info, policyParcel, resultInfoIdl); fullTokenId = tokenIdEx.tokenIDEx; + + int64_t endTime = TimeUtil::GetCurrentTimestamp(); + HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_HAP", + HiviewDFX::HiSysEvent::EventType::STATISTIC, "SCENE_CODE", CommonSceneCode::AT_COMMON_FINISH, + "TOKENID", 
tokenIdEx.tokenIdExStruct.tokenID, "TOKENIDEX", tokenIdEx.tokenIDEx, + "DURATION", endTime - beginTime, "ERROR_CODE", ret); + ReportSysCommonEventError(static_cast(IAccessTokenManagerIpcCode::COMMAND_UPDATE_HAP_TOKEN), ret); return ret; } + int32_t AccessTokenManagerService::GetTokenIDByUserID(int32_t userID, std::vector& tokenIds) { LOGD(ATM_DOMAIN, ATM_TAG, "UserID: %{public}d", userID); @@ -1270,7 +1349,7 @@ int32_t AccessTokenManagerService::CallbackExit(uint32_t code, int32_t result) #ifdef HICOLLIE_ENABLE HiviewDFX::XCollie::GetInstance().CancelTimer(g_timerId); #endif // HICOLLIE_ENABLE - ReportSysCommonEventError(code, 0); + ClearThreadErrorMsg(); return ERR_OK; } } // namespace AccessToken diff --git a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp index 3b517f9b71904a20dd850c3949110c13a67da5af..0dc6bae9772121b41ebcc2cd8f6ab7c5be9974d3 100644 --- a/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp +++ b/services/accesstokenmanager/main/cpp/src/token/accesstoken_info_manager.cpp 
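Review bot: The FINISH event in `UpdateHapToken` records `"ERROR_CODE", ret`, but `UpdateHapTokenCore` returns `ERR_OK` when `InitPermissionList` rejects the request and signals the failure only through `resultInfoIdl.realResult`. A rejected update is therefore counted as a success in the `UPDATE_HAP` statistics. Report the effective outcome instead, for example `(resultInfoIdl.realResult == ERR_OK) ? ret : ERR_PERM_REQUEST_CFG_FAILED`, so the FINISH record agrees with the `ACCESSTOKEN_EXCEPTION` event raised for the same request. The function starts outside the hunk.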
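Review bot: Replacing `ReportSysCommonEventError(code, 0)` with `ClearThreadErrorMsg()` in `CallbackExit` means a LOGC message raised during any IPC command other than the ones this commit instruments (grant, revoke, delete token, update hap token) is now dropped without an event. Several LOGC calls converted in this commit sit in shared code such as `AccessTokenDb::Find`, which other commands presumably reach as well. If that loss is intended, say so in a comment here, e.g. `// Commands that report their own errors have already done so; discard anything left over.`; otherwise keep the report and pass the real result: `ReportSysCommonEventError(code, result);`.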
@@ -275,14 +275,14 @@ std::shared_ptr AccessTokenInfoManager::GetHapTokenInfoInnerF std::vector hapTokenResults; int32_t ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_HAP_INFO, conditionValue, hapTokenResults); if (ret != RET_SUCCESS || hapTokenResults.empty()) { - LOGE(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from hap_token_table, err: %{public}d, " + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from hap_token_table, err: %{public}d, " "hapSize: %{public}zu, mapSize: %{public}zu.", id, ret, hapTokenResults.size(), hapTokenInfoMap_.size()); return nullptr; } std::vector permStateRes; ret = AccessTokenDb::GetInstance().Find(AtmDataType::ACCESSTOKEN_PERMISSION_STATE, conditionValue, permStateRes); if (ret != RET_SUCCESS) { - LOGE(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from perm_state_table, err: %{public}d, " + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from perm_state_table, err: %{public}d, " "mapSize: %{public}zu.", id, ret, hapTokenInfoMap_.size()); return nullptr; } @@ -291,7 +291,7 @@ std::shared_ptr AccessTokenInfoManager::GetHapTokenInfoInnerF ret = AccessTokenDb::GetInstance().Find( AtmDataType::ACCESSTOKEN_PERMISSION_EXTEND_VALUE, conditionValue, extendedPermRes); if (ret != RET_SUCCESS) { // extendedPermRes may be empty - LOGE(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from perm_extend_value_table, err: %{public}d, " + LOGC(ATM_DOMAIN, ATM_TAG, "Failed to find Id(%{public}u) from perm_extend_value_table, err: %{public}d, " "mapSize: %{public}zu.", id, ret, hapTokenInfoMap_.size()); return nullptr; } 
@@ -299,7 +299,7 @@ std::shared_ptr AccessTokenInfoManager::GetHapTokenInfoInnerF std::shared_ptr hap = std::make_shared(); ret = hap->RestoreHapTokenInfo(id, hapTokenResults[0], permStateRes, extendedPermRes); if (ret != RET_SUCCESS) { - LOGE(ATM_DOMAIN, ATM_TAG, "Id %{public}u restore failed, err: %{public}d, mapSize: %{public}zu.", + LOGC(ATM_DOMAIN, ATM_TAG, "Id %{public}u restore failed, err: %{public}d, mapSize: %{public}zu.", id, ret, hapTokenInfoMap_.size()); return nullptr; } @@ -404,7 +404,7 @@ int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id) { ATokenTypeEnum type = AccessTokenIDManager::GetInstance().GetTokenIdType(id); if (type != TOKEN_HAP) { - LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is not hap.", id); + LOGC(ATM_DOMAIN, ATM_TAG, "Token %{public}u is not hap.", id); return ERR_PARAM_INVALID; } std::shared_ptr info; @@ -415,17 +415,17 @@ int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id) AccessTokenIDManager::GetInstance().ReleaseTokenId(id); if (hapTokenInfoMap_.count(id) == 0) { - LOGE(ATM_DOMAIN, ATM_TAG, "Hap token %{public}u no exist.", id); + LOGC(ATM_DOMAIN, ATM_TAG, "Hap token %{public}u no exist.", id); return ERR_TOKENID_NOT_EXIST; } info = hapTokenInfoMap_[id]; if (info == nullptr) { - LOGE(ATM_DOMAIN, ATM_TAG, "Hap token %{public}u is null.", id); + LOGC(ATM_DOMAIN, ATM_TAG, "Hap token %{public}u is null.", id); return ERR_TOKEN_INVALID; } if (info->IsRemote()) { - LOGE(ATM_DOMAIN, ATM_TAG, "Remote hap token %{public}u can not delete.", id); + LOGC(ATM_DOMAIN, ATM_TAG, "Remote hap token %{public}u can not delete.", id); return ERR_IDENTITY_CHECK_FAILED; } std::string HapUniqueKey = GetHapUniqueStr(info); 
@@ -435,7 +435,10 @@ int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id) } hapTokenInfoMap_.erase(id); } - RemoveHapTokenInfoFromDb(info); + int32_t ret = RemoveHapTokenInfoFromDb(info); + if (ret != RET_SUCCESS) { + LOGC(ATM_DOMAIN, ATM_TAG, "Remove info from db failed, ret is %{public}d", ret); + } LOGI(ATM_DOMAIN, ATM_TAG, "Remove hap token %{public}u ok!", id); PermissionStateNotify(info, id); @@ -443,10 +446,6 @@ int AccessTokenInfoManager::RemoveHapTokenInfo(AccessTokenID id) TokenModifyNotifier::GetInstance().NotifyTokenDelete(id); #endif - HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "DEL_HAP", HiviewDFX::HiSysEvent::EventType::STATISTIC, - "TOKENID", info->GetTokenID(), "USERID", info->GetUserID(), "BUNDLENAME", info->GetBundleName(), - "INSTINDEX", info->GetInstIndex()); - return RET_SUCCESS; } @@ -630,17 +629,17 @@ int32_t AccessTokenInfoManager::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const { AccessTokenID tokenID = tokenIdEx.tokenIdExStruct.tokenID; if (!DataValidator::IsAppIDDescValid(info.appIDDesc)) { - LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u parm format error!", tokenID); + LOGC(ATM_DOMAIN, ATM_TAG, "Token %{public}u parm format error!", tokenID); return AccessTokenError::ERR_PARAM_INVALID; } std::shared_ptr infoPtr = GetHapTokenInfoInner(tokenID); if (infoPtr == nullptr) { - LOGE(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid, can not update!", tokenID); + LOGC(ATM_DOMAIN, ATM_TAG, "Token %{public}u is invalid, can not update!", tokenID); return AccessTokenError::ERR_TOKENID_NOT_EXIST; } if (infoPtr->IsRemote()) { - LOGE(ATM_DOMAIN, ATM_TAG, "Remote hap token %{public}u can not update!", tokenID); + LOGC(ATM_DOMAIN, ATM_TAG, "Remote hap token %{public}u can not update!", tokenID); return ERR_IDENTITY_CHECK_FAILED; } if (info.isSystemApp) { 
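Review bot: In the first hunk of RemoveHapTokenInfo, a failed `RemoveHapTokenInfoFromDb(info)` is now logged, but execution still falls through to `LOGI(... "Remove hap token %{public}u ok!", id)` and the function returns RET_SUCCESS. By then the map entry has been erased and the token id released, so the database can keep permission-state rows for an id that is free to be assigned again. Since GetHapTokenInfoInnerFromDb rebuilds tokens from those tables, a stale grant could reappear after a restart or be picked up by a later holder of the id; that inference should be confirmed against the id allocator. At minimum the failure should carry the id and not be followed by the "ok" line: `LOGC(ATM_DOMAIN, ATM_TAG, "Remove hap token %{public}u from db failed, ret is %{public}d", id, ret);`. Consider returning `ret` as well, or scheduling a retry, if callers can tolerate a non-success result. The function body starts and ends outside the hunk.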
@@ -655,15 +654,12 @@ int32_t AccessTokenInfoManager::UpdateHapToken(AccessTokenIDEx& tokenIdEx, const int32_t ret = AddHapTokenInfoToDb(infoPtr, info.appIDDesc, hapPolicy, true); if (ret != RET_SUCCESS) { + LOGC(ATM_DOMAIN, ATM_TAG, "Add hap info %{public}u to db failed!", tokenID); return ret; } LOGI(ATM_DOMAIN, ATM_TAG, "Token %{public}u bundle name %{public}s user %{public}d \ inst %{public}d tokenAttr %{public}d update ok!", tokenID, infoPtr->GetBundleName().c_str(), infoPtr->GetUserID(), infoPtr->GetInstIndex(), infoPtr->GetHapInfoBasic().tokenAttr); - // DFX - HiSysEventWrite(HiviewDFX::HiSysEvent::Domain::ACCESS_TOKEN, "UPDATE_HAP", - HiviewDFX::HiSysEvent::EventType::STATISTIC, "TOKENID", tokenID, "USERID", - infoPtr->GetUserID(), "BUNDLENAME", infoPtr->GetBundleName(), "INSTINDEX", infoPtr->GetInstIndex()); #ifdef TOKEN_SYNC_ENABLE TokenModifyNotifier::GetInstance().NotifyTokenModify(tokenID); @@ -961,11 +957,11 @@ int AccessTokenInfoManager::AddHapTokenInfoToDb(const std::shared_ptrIsRemote()) { - LOGE(ATM_DOMAIN, ATM_TAG, "It is a remote hap!"); + LOGC(ATM_DOMAIN, ATM_TAG, "It is a remote hap!"); return AccessTokenError::ERR_TOKENID_NOT_EXIST; } AccessTokenID tokenID = hapInfo->GetTokenID(); @@ -1044,7 +1040,7 @@ int AccessTokenInfoManager::RemoveHapTokenInfoFromDb(const std::shared_ptr
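Review bot: The LOGC added in the first hunk, for the AddHapTokenInfoToDb failure in UpdateHapToken, omits the error code. Anything built from that message then shows only the token id and not why the write failed, unlike the RemoveHapTokenInfoFromDb failure log, which includes `ret`. Suggest `LOGC(ATM_DOMAIN, ATM_TAG, "Add hap info %{public}u to db failed, ret is %{public}d", tokenID, ret);`. Separately, this early return comes after `infoPtr` may already have been updated in memory, because the update itself sits above the hunk. It is worth confirming that the cached token is rolled back or reloaded on this path, so the in-memory permissions do not differ from what is persisted.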