diff --git a/frameworks/accesstoken/include/i_accesstoken_manager.h b/frameworks/accesstoken/include/i_accesstoken_manager.h
index a9d38c17d7a2e5f89d7ec57f39da7371b41c312c..f620e2f56612dd2db108b3b23a846b3fd1c71937 100644
--- a/frameworks/accesstoken/include/i_accesstoken_manager.h
+++ b/frameworks/accesstoken/include/i_accesstoken_manager.h
@@ -39,6 +39,7 @@ public:
 DECLARE_INTERFACE_DESCRIPTOR(u"ohos.security.accesstoken.IAccessTokenManager");
 virtual int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName) = 0;
+ virtual int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) = 0;
 virtual int GetDefPermission(const std::string& permissionName, PermissionDefParcel& permissionDefResult) = 0;
 virtual int GetDefPermissions(AccessTokenID tokenID, std::vector& permList) = 0;
 virtual int GetReqPermissions(
@@ -96,6 +97,7 @@ public:
 SET_REMOTE_NATIVE_TOKEN_INFO = 0xff2a,
 DELETE_REMOTE_TOKEN_INFO = 0xff2b,
 DELETE_REMOTE_DEVICE_TOKEN = 0xff2c,
+ VERIFY_NATIVETOKEN = 0xff2d,
 GET_NATIVE_REMOTE_TOKEN = 0xff2f,
 DUMP_TOKENINFO = 0xff30,
diff --git a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h
index abad9656cc764446d4ef90a20ce2f308732cf8e6..9f6243cd28d79589546e508c249dfad6bd1dd7f4 100644
--- a/interfaces/innerkits/accesstoken/include/accesstoken_kit.h
+++ b/interfaces/innerkits/accesstoken/include/accesstoken_kit.h
@@ -43,6 +43,7 @@ public:
 static int GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes);
 static int GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes);
 static int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName);
+ static int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName);
 static int VerifyAccessToken(
 AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName);
 static int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult);
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
index 17e4e4622a7505a5c7d83935374e3b8311f8a974..9a660715964ce4d89057bfda99a1db177330345f 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
@@ -167,6 +167,21 @@ int AccessTokenKit::VerifyAccessToken(
 return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName);
 }
+int AccessTokenKit::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName)
+{
+ ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
+ if (tokenID == 0) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "tokenID=%{public}d is invalid", tokenID);
+ return PERMISSION_DENIED;
+ }
+ if (!DataValidator::IsPermissionNameValid(permissionName)) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "permissionName is invalid");
+ return PERMISSION_DENIED;
+ }
+ ACCESSTOKEN_LOG_INFO(LABEL, "tokenID=%{public}d, permissionName=%{public}s", tokenID, permissionName.c_str());
+ return AccessTokenManagerClient::GetInstance().VerifyNativeToken(tokenID, permissionName);
+}
+
 int AccessTokenKit::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
 {
 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called", __func__);
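Review bot: AccessTokenKit::VerifyNativeToken is declared in accesstoken_kit.h and defined in accesstoken_kit.cpp with no comment on how it differs from VerifyAccessToken, and the difference matters to callers. The service-side implementation added elsewhere in this commit returns PERMISSION_GRANTED whenever the permission's availableLevel is not above the token's apl, so the call answers "is this native process's APL high enough for the permission", not "has this permission been granted to the token". I would put a comment on the declaration such as `// APL eligibility check for native tokens only: compares the permission's availableLevel with the token's APL and does not consult granted-permission state.` The `tokenID == 0` and IsPermissionNameValid checks in the definition run in the caller's process, so they are a convenience for callers and not something the service can rely on.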
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp
index 2d18c4b00b632e41d0d4fbb39aaa2681bca1cf78..51e2d60b51881871a7da75d177b11a6394147e3b 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.cpp
@@ -54,6 +54,17 @@ int AccessTokenManagerClient::VerifyAccessToken(AccessTokenID tokenID, const std
 return proxy->VerifyAccessToken(tokenID, permissionName);
 }
+int AccessTokenManagerClient::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName)
+{
+ ACCESSTOKEN_LOG_DEBUG(LABEL, "%{public}s: called!", __func__);
+ auto proxy = GetProxy();
+ if (proxy == nullptr) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "proxy is null");
+ return PERMISSION_DENIED;
+ }
+ return proxy->VerifyNativeToken(tokenID, permissionName);
+}
+
 int AccessTokenManagerClient::GetDefPermission(
 const std::string& permissionName, PermissionDef& permissionDefResult)
 {
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h
index d0c3157048d5ef1041eef1829965adb767cec7fc..74df766ed959bff3d915bbaeb9b84371cf345685 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_client.h
@@ -41,6 +41,7 @@ public:
 virtual ~AccessTokenManagerClient();
 int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName);
+ int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName);
 int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult);
 int GetDefPermissions(AccessTokenID tokenID, std::vector& permList);
 int GetReqPermissions(
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
index c43e1761b10015a45f452ecc09d18c9f97465ae6..218f1da474a91586075d3b401e2beff8b63b15bb 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.cpp
@@ -66,6 +66,38 @@ int AccessTokenManagerProxy::VerifyAccessToken(AccessTokenID tokenID, const std:
 return result;
 }
+int AccessTokenManagerProxy::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName)
+{
+ MessageParcel data;
+ data.WriteInterfaceToken(IAccessTokenManager::GetDescriptor());
+ if (!data.WriteUint32(tokenID)) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to write tokenID");
+ return PERMISSION_DENIED;
+ }
+ if (!data.WriteString(permissionName)) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "Failed to write permissionName");
+ return PERMISSION_DENIED;
+ }
+
+ MessageParcel reply;
+ MessageOption option(MessageOption::TF_SYNC);
+ sptr remote = Remote();
+ if (remote == nullptr) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "remote service null.");
+ return PERMISSION_DENIED;
+ }
+ int32_t requestResult = remote->SendRequest(
+ static_cast(IAccessTokenManager::InterfaceCode::VERIFY_NATIVETOKEN), data, reply, option);
+ if (requestResult != NO_ERROR) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "request fail, result: %{public}d", requestResult);
+ return PERMISSION_DENIED;
+ }
+
+ int32_t result = reply.ReadInt32();
+ ACCESSTOKEN_LOG_DEBUG(LABEL, "result from server data = %{public}d", result);
+ return result;
+}
+
 int AccessTokenManagerProxy::GetDefPermission(
 const std::string& permissionName, PermissionDefParcel& permissionDefResult)
 {
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.h b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.h
index d1c297e360c5265c5376438e8d160fbd9b95342f..5463e216bfd43999769b4aaea6aa1ba9858f0992 100644
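Review bot: In AccessTokenManagerProxy::VerifyNativeToken (accesstoken_manager_proxy.cpp) the verdict comes from `reply.ReadInt32()` with no check that the read succeeded. If the reply parcel is empty or truncated, the value-returning overload presumably yields 0, and if PERMISSION_GRANTED is 0 in this project's enum (its definition is not part of this diff) a malformed reply is reported as a grant. Default to deny and use the checked overload: `int32_t result = PERMISSION_DENIED;` followed by `if (!reply.ReadInt32(result)) { return PERMISSION_DENIED; }`. The return value of `data.WriteInterfaceToken(...)` at the top of the function is also ignored, unlike the two writes after it.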
--- a/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.h
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_manager_proxy.h
@@ -39,6 +39,7 @@ public:
 virtual ~AccessTokenManagerProxy() override;
 int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName) override;
+ int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) override;
 int GetDefPermission(const std::string& permissionName, PermissionDefParcel& permissionDefResult) override;
 int GetDefPermissions(AccessTokenID tokenID, std::vector& permList) override;
 int GetReqPermissions(
diff --git a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp
index f2c4c60964696930212b4d611819418ad2bfe4fd..37d277463f6db009979476b807a5a26ea5af7873 100644
--- a/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp
+++ b/interfaces/innerkits/accesstoken/test/unittest/src/accesstoken_kit_test.cpp
@@ -3063,3 +3063,35 @@ HWTEST_F(AccessTokenKitTest, SetRemoteNativeTokenInfo001, TestSize.Level1)
 {
 ACCESSTOKEN_LOG_INFO(LABEL, "GetAllNativeTokenInfo001 start.");
 }
+
+HWTEST_F(AccessTokenKitTest, VerifyNativeToken001, TestSize.Level1)
+{
+ ACCESSTOKEN_LOG_INFO(LABEL, "VerifyNativeToken001 start.");
+
+ const char **dcaps = (const char **)malloc(sizeof(char *) * 1);
+ dcaps[0] = "AT_CAP_01";
+ int dcapNum = 1;
+
+ char apl3[32];
+ strcpy(apl3, "system_core");
+ char apl2[32];
+ strcpy(apl2, "system_basic");
+ char apl1[32];
+ strcpy(apl1, "normal");
+
+ uint64_t tokenIdApl3 = GetAccessTokenId("ProcessNativeTokenInfos007_003", dcaps, dcapNum, apl3);
+ ASSERT_NE(tokenIdApl3, 0);
+ uint64_t tokenIdApl2 = GetAccessTokenId("ProcessNativeTokenInfos007_002", dcaps, dcapNum, apl2);
+ ASSERT_NE(tokenIdApl2, 0);
+ uint64_t tokenIdApl1 = GetAccessTokenId("ProcessNativeTokenInfos007_001", dcaps, dcapNum, apl1);
+ ASSERT_NE(tokenIdApl1, 0);
+ ACCESSTOKEN_LOG_INFO(LABEL, "tokenIdApl1 = %{public}llu.", tokenIdApl1);
+
+ const std::string permissionName = "ohos.permission.SEND_MESSAGES";
+ int ret = AccessTokenKit::VerifyNativeToken(tokenIdApl3, permissionName);
+ ASSERT_EQ(ret, PERMISSION_GRANTED);
+ ret = AccessTokenKit::VerifyNativeToken(tokenIdApl2, permissionName);
+ ASSERT_EQ(ret, PERMISSION_GRANTED);
+ ret = AccessTokenKit::VerifyNativeToken(tokenIdApl1, permissionName);
+ ASSERT_EQ(ret, PERMISSION_DENIED);
+}
\ No newline at end of file
diff --git a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h
index fcc3087cc2f0876d193a737b6fe6937ffc146a39..683a8f611e56e41a30cfca5b0bd8b7f448b52c1a 100644
--- a/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h
+++ b/services/accesstokenmanager/main/cpp/include/permission/permission_manager.h
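Review bot: VerifyNativeToken001 keeps the ids in `uint64_t` and passes them to AccessTokenKit::VerifyNativeToken, whose parameter is AccessTokenID; the proxy in this commit serialises that parameter with WriteUint32, so the value is narrowed silently and an id with any high bits set would verify a different token. Declare them as `AccessTokenID tokenIdApl3 = static_cast<AccessTokenID>(GetAccessTokenId(...));` or assert that the value fits before the call. The `dcaps` array from malloc is never null-checked or freed, and nothing in this hunk removes the three tokens afterwards, whereas the service-side test ProcessNativeTokenInfos007 added in this commit removes them with RemoveNativeTokenInfo. That second test has the same uint64_t narrowing and the same dcaps leak.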
@@ -38,6 +38,7 @@ public:
 void AddDefPermissions(std::shared_ptr tokenInfo, bool updateFlag);
 void RemoveDefPermissions(AccessTokenID tokenID);
 int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName);
+ int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName);
 int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult);
 int GetDefPermissions(AccessTokenID tokenID, std::vector& permList);
 int GetReqPermissions(
diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h
index 011605648aab8e435a1fadb139db42d826779ba9..589b641e4c4c041fbff4f6b1e5af55a2b8dd052d 100644
--- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h
+++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_service.h
@@ -41,6 +41,7 @@ public:
 AccessTokenIDEx AllocHapToken(const HapInfoParcel& info, const HapPolicyParcel& policy) override;
 int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName) override;
+ int VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName) override;
 int GetDefPermission(const std::string& permissionName, PermissionDefParcel& permissionDefResult) override;
 int GetDefPermissions(AccessTokenID tokenID, std::vector& permList) override;
 int GetReqPermissions(
diff --git a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h
index 269ce13966086831e3f301fba8ff699b5d61baba..e382958009b8b38f089a78c0e9c7e33e55c0d060 100644
--- a/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h
+++ b/services/accesstokenmanager/main/cpp/include/service/accesstoken_manager_stub.h
@@ -35,6 +35,7 @@ public:
 private:
 void VerifyAccessTokenInner(MessageParcel& data, MessageParcel& reply);
+ void VerifyNativeTokenInner(MessageParcel& data, MessageParcel& reply);
 void GetDefPermissionInner(MessageParcel& data, MessageParcel& reply);
 void GetDefPermissionsInner(MessageParcel& data, MessageParcel& reply);
 void GetReqPermissionsInner(MessageParcel& data, MessageParcel& reply);
diff --git a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
index 392991accf696a8e87599592c28755716b56fbe2..cf795e7b321c88316f82ffd7219dce09ef0b0ae3 100644
--- a/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
+++ b/services/accesstokenmanager/main/cpp/src/permission/permission_manager.cpp
@@ -117,6 +117,30 @@ int PermissionManager::VerifyAccessToken(AccessTokenID tokenID, const std::strin
 return permPolicySet->VerifyPermissStatus(permissionName);
 }
+int PermissionManager::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName)
+{
+ ACCESSTOKEN_LOG_INFO(LABEL,
+ "%{public}s called, tokenID: 0x%{public}x, permissionName: %{public}s", __func__,
+ tokenID, permissionName.c_str());
+
+ PermissionDef permissionInfo;
+ NativeTokenInfo nativeTokenInfo;
+ int res = PermissionManager::GetDefPermission(permissionName, permissionInfo);
+ if (res != RET_SUCCESS) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "GetDefPermission in %{public}s failed", __func__);
+ return PERMISSION_DENIED;
+ }
+ res = AccessTokenInfoManager::GetInstance().GetNativeTokenInfo(tokenID, nativeTokenInfo);
+ if (res != RET_SUCCESS) {
+ ACCESSTOKEN_LOG_ERROR(LABEL, "GetNativeTokenInfo in %{public}s failed", __func__);
+ return PERMISSION_DENIED;
+ }
+ if (permissionInfo.availableLevel > nativeTokenInfo.apl) {
+ return PERMISSION_DENIED;
+ }
+ return PERMISSION_GRANTED;
+}
+
 int PermissionManager::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)
 {
 ACCESSTOKEN_LOG_INFO(LABEL, "%{public}s called, permissionName: %{public}s", __func__, permissionName.c_str());
diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp
index 7127e00861b825bb145a21e92aa21edd32e82ed9..20123787e2449beb1b35753b68f770658c59daaf 100644
--- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp
+++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_service.cpp
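Review bot: PermissionManager::VerifyNativeToken (permission_manager.cpp) takes permissionName as received: the only validity check in this commit, DataValidator::IsPermissionNameValid, runs in AccessTokenKit inside the caller's process, and a client that talks to the service directly never passes through it. The first statement also writes that unvalidated string to the log with `%{public}s` at INFO level. I would reject bad names before logging, e.g. `if (!DataValidator::IsPermissionNameValid(permissionName)) { return PERMISSION_DENIED; }` or the service-side equivalent, unless GetDefPermission already enforces the same rule (not visible here). The APL comparison at the end returns its deny and grant verdicts without a log line, so an audit of why a native token was allowed or refused has nothing to go on.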
@@ -82,6 +82,14 @@ int AccessTokenManagerService::VerifyAccessToken(AccessTokenID tokenID, const st
 return PermissionManager::GetInstance().VerifyAccessToken(tokenID, permissionName);
 }
+int AccessTokenManagerService::VerifyNativeToken(AccessTokenID tokenID, const std::string& permissionName)
+{
+ ACCESSTOKEN_LOG_INFO(LABEL,
+ "%{public}s called, tokenID: 0x%{public}x, permissionName: %{public}s", __func__,
+ tokenID, permissionName.c_str());
+ return PermissionManager::GetInstance().VerifyNativeToken(tokenID, permissionName);
+}
+
 int AccessTokenManagerService::GetDefPermission(
 const std::string& permissionName, PermissionDefParcel& permissionDefResult)
 {
diff --git a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
index 27ef4f38a156a1af345d1fd087dd0ab77c42756e..fe3f37809cb89040ca44a0b1468ced6f2efc9f2f 100644
--- a/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
+++ b/services/accesstokenmanager/main/cpp/src/service/accesstoken_manager_stub.cpp
@@ -68,6 +68,14 @@ void AccessTokenManagerStub::VerifyAccessTokenInner(MessageParcel& data, Message
 reply.WriteInt32(result);
 }
+void AccessTokenManagerStub::VerifyNativeTokenInner(MessageParcel& data, MessageParcel& reply)
+{
+ AccessTokenID tokenID = data.ReadUint32();
+ std::string permissionName = data.ReadString();
+ int result = this->VerifyNativeToken(tokenID, permissionName);
+ reply.WriteInt32(result);
+}
+
 void AccessTokenManagerStub::GetDefPermissionInner(MessageParcel& data, MessageParcel& reply)
 {
 std::string permissionName = data.ReadString();
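Review bot: VerifyNativeTokenInner in accesstoken_manager_stub.cpp uses the value-returning `data.ReadUint32()` and `data.ReadString()`, so a short or malformed request cannot be told apart from tokenID 0 with an empty permission name. It fails closed only if the lookups further down reject those values. Reading with the checked overloads and replying PERMISSION_DENIED on failure makes that explicit: `if (!data.ReadUint32(tokenID) || !data.ReadString(permissionName)) { reply.WriteInt32(PERMISSION_DENIED); return; }`. The neighbouring VerifyAccessTokenInner is only partly visible in this hunk, so I cannot tell whether it has the same shape.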
@@ -404,6 +412,8 @@ AccessTokenManagerStub::AccessTokenManagerStub()
 {
 requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::VERIFY_ACCESSTOKEN)] =
 &AccessTokenManagerStub::VerifyAccessTokenInner;
+ requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::VERIFY_NATIVETOKEN)] =
+ &AccessTokenManagerStub::VerifyNativeTokenInner;
 requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::GET_DEF_PERMISSION)] =
 &AccessTokenManagerStub::GetDefPermissionInner;
 requestFuncMap_[static_cast(IAccessTokenManager::InterfaceCode::GET_DEF_PERMISSIONS)] =
diff --git a/services/accesstokenmanager/test/unittest/cpp/src/native_token_receptor_test.cpp b/services/accesstokenmanager/test/unittest/cpp/src/native_token_receptor_test.cpp
index c1602a6592841e51db97ed65f2b63e48993cdb78..943cf600a45a18ddb8756bd304b11941beca5f6f 100644
--- a/services/accesstokenmanager/test/unittest/cpp/src/native_token_receptor_test.cpp
+++ b/services/accesstokenmanager/test/unittest/cpp/src/native_token_receptor_test.cpp
@@ -27,6 +27,7 @@
 #include
 #include "accesstoken_info_manager.h"
+#include "permission_manager.h"
 #include "data_storage.h"
 #include "field_const.h"
 #define private public
@@ -570,3 +571,50 @@ HWTEST_F(NativeTokenReceptorTest, init001, TestSize.Level1)
 ret = AccessTokenInfoManager::GetInstance().RemoveNativeTokenInfo(tokenId);
 ASSERT_EQ(ret, RET_SUCCESS);
 }
+
+/**
+ * @tc.name: init001
+ * @tc.desc: test get native cfg
+ * @tc.type: FUNC
+ * @tc.require: Issue Number
+ */
+HWTEST_F(NativeTokenReceptorTest, ProcessNativeTokenInfos007, TestSize.Level1)
+{
+ ACCESSTOKEN_LOG_INFO(LABEL, "test ProcessNativeTokenInfos007!");
+
+ const char **dcaps = (const char **)malloc(sizeof(char *) * 1);
+ dcaps[0] = "AT_CAP_01";
+ int dcapNum = 1;
+
+ char apl3[32];
+ strcpy(apl3, "system_core");
+ char apl2[32];
+ strcpy(apl2, "system_basic");
+ char apl1[32];
+ strcpy(apl1, "normal");
+
+ uint64_t tokenIdApl3 = ::GetAccessTokenId("ProcessNativeTokenInfos007_003", dcaps, dcapNum, apl3);
+ ASSERT_NE(tokenIdApl3, 0);
+ uint64_t tokenIdApl2 = ::GetAccessTokenId("ProcessNativeTokenInfos007_002", dcaps, dcapNum, apl2);
+ ASSERT_NE(tokenIdApl2, 0);
+ uint64_t tokenIdApl1 = ::GetAccessTokenId("ProcessNativeTokenInfos007_001", dcaps, dcapNum, apl1);
+ ASSERT_NE(tokenIdApl1, 0);
+
+ NativeTokenReceptor::GetInstance().Init();
+ const std::string permission = "ohos.permission.SEND_MESSAGES";
+ int ret = PermissionManager::GetInstance().VerifyNativeToken(tokenIdApl3, permission);
+ ASSERT_EQ(ret, PERMISSION_GRANTED);
+
+ ret = PermissionManager::GetInstance().VerifyNativeToken(tokenIdApl2, permission);
+ ASSERT_EQ(ret, PERMISSION_GRANTED);
+
+ ret = PermissionManager::GetInstance().VerifyNativeToken(tokenIdApl1, permission);
+ ASSERT_EQ(ret, PERMISSION_DENIED);
+
+ ret = AccessTokenInfoManager::GetInstance().RemoveNativeTokenInfo(tokenIdApl3);
+ ASSERT_EQ(ret, RET_SUCCESS);
+ ret = AccessTokenInfoManager::GetInstance().RemoveNativeTokenInfo(tokenIdApl2);
+ ASSERT_EQ(ret, RET_SUCCESS);
+ ret = AccessTokenInfoManager::GetInstance().RemoveNativeTokenInfo(tokenIdApl1);
+ ASSERT_EQ(ret, RET_SUCCESS);
+}
\ No newline at end of file
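Review bot: The doc block above ProcessNativeTokenInfos007 is copied from the previous test: `@tc.name: init001`, `@tc.desc: test get native cfg` and `@tc.require: Issue Number` describe neither the test's name nor what it checks. Suggested header lines: `@tc.name: ProcessNativeTokenInfos007` and `@tc.desc: VerifyNativeToken grants system_core and system_basic tokens and denies a normal token for ohos.permission.SEND_MESSAGES`. Because every step uses ASSERT_*, a failed expectation returns before the three RemoveNativeTokenInfo calls and leaves the test tokens, one of them system_core, registered for whatever runs next. Using EXPECT_* for the verdicts, or doing the removal in a scope guard, keeps the cleanup on every path.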