!80 新增组件自定义权限校验

Merge pull request !80 from caochao123/local
2024-11-23 06:20:07 +00:00 · 2021-10-08 06:58:31 +00:00 · 2021-10-08 06:58:31 +00:00 · 009f3a4427
commit 009f3a4427
parent f13e62e50b 55ab017688
6 changed files with 136 additions and 1 deletions
--- a/services/dtbschedmgr/BUILD.gn
+++ b/services/dtbschedmgr/BUILD.gn
@ -21,7 +21,10 @@ group("unittest") {

 config("distributed_sched_config") {
  visibility = [ ":*" ]
-  include_dirs = [ "include" ]
+  include_dirs = [
+    "include",
+    "base/security/permission/interfaces/innerkits/permission_standard/distributedpermission/main/cpp/include",
+  ]
 }

 ohos_shared_library("distributedschedsvr") {
@ -50,6 +53,7 @@ ohos_shared_library("distributedschedsvr") {

  deps = [
    "//base/hiviewdfx/hilog/interfaces/native/innerkits:libhilog",
+    "//base/security/permission/interfaces/innerkits/permission_standard/distributedpermission:distributed_permission_innerkits",
    "//foundation/aafwk/standard/interfaces/innerkits/ability_manager:ability_manager",
    "//foundation/aafwk/standard/interfaces/innerkits/base:base",
    "//foundation/aafwk/standard/interfaces/innerkits/want:want",
--- a/services/dtbschedmgr/include/distributed_sched_permission.h
+++ b/services/dtbschedmgr/include/distributed_sched_permission.h
@ -36,6 +36,8 @@ public:
        const CallerInfo& callerInfo, const AccountInfo& accountInfo, const AAFwk::Want& want) const;

 private:
+    bool CheckCustomPermission(const AppExecFwk::AbilityInfo& abilityInfo, const CallerInfo& callerInfo);
+    int32_t AllocateDuid(int32_t rUid, const std::string& deviceId);
    bool getTargetAbility(const AAFwk::Want& want, const AppExecFwk::AbilityInfo& abilityInfo,
        const std::string& localDeviceId, AppExecFwk::AbilityInfo& targetAbility, const CallerInfo& callerInfo) const;
 };
--- a/services/dtbschedmgr/src/distributed_sched_permission.cpp
+++ b/services/dtbschedmgr/src/distributed_sched_permission.cpp
@ -13,16 +13,73 @@
 * limitations under the License.
 */

+#include <cinttypes>
+
 #include "distributed_sched_permission.h"

 #include "caller_info.h"
+#include "datetime_ex.h"
+#include "distributed_permission_kit.h"
 #include "distributed_sched_adapter.h"
 #include "dtbschedmgr_log.h"

+using namespace OHOS::Security;
+
 namespace OHOS {
 namespace DistributedSchedule {
+namespace {
+constexpr int32_t ERROR_DUID = -1;
+constexpr int32_t PERMISSION_GRANTED = 0;
+}
+
 IMPLEMENT_SINGLE_INSTANCE(DistributedSchedPermission);

+bool DistributedSchedPermission::CheckCustomPermission(const AppExecFwk::AbilityInfo& abilityInfo,
+    const CallerInfo& callerInfo)
+{
+    const auto& permissions = abilityInfo.permissions;
+    if (permissions.empty()) {
+        HILOGI("CheckCustomPermission no need any permission, so granted!");
+        return true;
+    }
+    int32_t duid = callerInfo.duid;
+    if (callerInfo.callerType == CALLER_TYPE_HARMONY) {
+        duid = AllocateDuid(callerInfo.uid, callerInfo.sourceDeviceId);
+        HILOGD("CheckCustomPermission AllocateDuid uid = %{public}d, duid = %{public}d", callerInfo.uid, duid);
+    }
+    if (duid < 0) {
+        HILOGE("CheckCustomPermission duid invalid!");
+        return false;
+    }
+    for (const auto& permission : permissions) {
+        if (permission.empty()) {
+            continue;
+        }
+        auto result = Permission::DistributedPermissionKit::CheckDPermission(duid, permission);
+        if (result == PERMISSION_GRANTED) {
+            HILOGD("CheckCustomPermission duid:%{public}d, permission:%{public}s GRANTED!",
+                duid, permission.c_str());
+            return true;
+        }
+        HILOGI("CheckCustomPermission duid:%{public}d, permission:%{public}s check failed!",
+            duid, permission.c_str());
+    }
+    return false;
+}
+
+int32_t DistributedSchedPermission::AllocateDuid(int32_t rUid, const std::string& deviceId)
+{
+    if (rUid < 0 || deviceId.empty()) {
+        HILOGE("DistributedSchedPermission::AllocateDuid invalid parameters!");
+        return ERROR_DUID;
+    }
+    int64_t begin = GetTickCount();
+    auto duid = Permission::DistributedPermissionKit::AllocateDuid(deviceId, rUid);
+    int64_t end = GetTickCount();
+    HILOGI("DistributedSchedPermission::AllocateDuid spend:%{public}" PRId64 " ms", (end - begin));
+    return duid;
+}
+
 int32_t DistributedSchedPermission::CheckDPermission(const AAFwk::Want& want, const CallerInfo& callerInfo,
    const AccountInfo& accountInfo, const AppExecFwk::AbilityInfo& abilityInfo, const std::string& localDeviceId)
 {
@ -43,6 +100,11 @@ int32_t DistributedSchedPermission::CheckDPermission(const AAFwk::Want& want, co
        HILOGE("CheckComponentAccessPermission denied or failed! the caller component do not have permission");
        return DMS_COMPONENT_ACCESS_PERMISSION_DENIED;
    }
+    // 3.check application custom permissions.
+    if (!CheckCustomPermission(targetAbility, callerInfo)) {
+        HILOGE("CheckCustomPermission denied or failed! the caller component do not have permission!");
+        return DMS_COMPONENT_ACCESS_PERMISSION_DENIED;
+    }
    HILOGI("CheckDPermission success!!");
    return ERR_OK;
 }
--- a/services/dtbschedmgr/src/distributed_sched_service.cpp
+++ b/services/dtbschedmgr/src/distributed_sched_service.cpp
@ -117,7 +117,9 @@ int32_t DistributedSchedService::StartRemoteAbility(const OHOS::AAFwk::Want& wan
        return INVALID_PARAMETERS_ERR;
    }
    CallerInfo callerInfo;
+    callerInfo.uid = IPCSkeleton::GetCallingUid();
    callerInfo.sourceDeviceId = localDeviceId;
+    callerInfo.callerType = CALLER_TYPE_HARMONY;
    AccountInfo accountInfo;
    HILOGI("[PerformanceTest] DistributedSchedService StartRemoteAbility transact begin");
    int32_t result = remoteDms->StartAbilityFromRemote(want, abilityInfo, requestCode, callerInfo, accountInfo);
--- a/services/dtbschedmgr/test/BUILD.gn
+++ b/services/dtbschedmgr/test/BUILD.gn
@ -24,6 +24,7 @@ dsched_configs =

 dsched_deps = [
  "//base/hiviewdfx/hilog/interfaces/native/innerkits:libhilog",
+  "//base/security/permission/interfaces/innerkits/permission_standard/distributedpermission:distributed_permission_innerkits",
  "//foundation/aafwk/standard/interfaces/innerkits/ability_manager:ability_manager",
  "//foundation/aafwk/standard/interfaces/innerkits/base:base",
  "//foundation/aafwk/standard/interfaces/innerkits/want:want",
--- a/services/dtbschedmgr/test/unittest/distributed_sched_permission_test.cpp
+++ b/services/dtbschedmgr/test/unittest/distributed_sched_permission_test.cpp
@ -128,5 +128,69 @@ HWTEST_F(DistributedSchedPermissionTest, CheckDPermission_004, TestSize.Level0)
    EXPECT_TRUE(ret == INVALID_PARAMETERS_ERR);
    DTEST_LOG << "DistributedSchedPermissionTest CheckDPermission_004 end ret:" << ret << std::endl;
 }
+
+/**
+ * @tc.name: CheckDPermission_005
+ * @tc.desc: call CheckDPermission with illegal parameter
+ * @tc.type: FUNC
+ * @tc.require: #I4CGU4
+ */
+HWTEST_F(DistributedSchedPermissionTest, CheckDPermission_005, TestSize.Level0)
+{
+    DTEST_LOG << "CheckDPermission_005 begin" << std::endl;
+    AAFwk::Want want;
+    CallerInfo callerInfo;
+    callerInfo.callerType = CALLER_TYPE_HARMONY;
+    IDistributedSched::AccountInfo accountInfo;
+    AppExecFwk::AbilityInfo abilityInfo;
+    string localDeviceId;
+    int32_t ret = DistributedSchedPermission::GetInstance().CheckDPermission(want, callerInfo, accountInfo, abilityInfo,
+        localDeviceId);
+    EXPECT_TRUE(ret != ERR_OK);
+    DTEST_LOG << "CheckDPermission_005 end result:" << ret << std::endl;
+}
+
+/**
+ * @tc.name: CheckDPermission_006
+ * @tc.desc: call CheckDPermission with different account type
+ * @tc.type: FUNC
+ * @tc.require: #I4CGU4
+ */
+HWTEST_F(DistributedSchedPermissionTest, CheckDPermission_006, TestSize.Level1)
+{
+    DTEST_LOG << "CheckDPermission_006 begin" << std::endl;
+    AAFwk::Want want;
+    CallerInfo callerInfo;
+    IDistributedSched::AccountInfo accountInfo;
+    accountInfo.accountType = IDistributedSched::DIFF_ACCOUNT_TYPE;
+    AppExecFwk::AbilityInfo abilityInfo;
+    string localDeviceId = "255.255.255.255";
+    int32_t ret = DistributedSchedPermission::GetInstance().CheckDPermission(want, callerInfo, accountInfo, abilityInfo,
+        localDeviceId);
+    EXPECT_TRUE(ret != ERR_OK);
+    DTEST_LOG << "CheckDPermission_006 end result:" << ret << std::endl;
+}
+
+/**
+ * @tc.name: CheckDPermission_007
+ * @tc.desc: call CheckDPermission with illegal ability info
+ * @tc.type: FUNC
+ * @tc.require: #I4CGU4
+ */
+HWTEST_F(DistributedSchedPermissionTest, CheckDPermission_007, TestSize.Level0)
+{
+    DTEST_LOG << "CheckDPermission_007 begin" << std::endl;
+    AAFwk::Want want;
+    CallerInfo callerInfo;
+    callerInfo.callerType = CALLER_TYPE_HARMONY;
+    IDistributedSched::AccountInfo accountInfo;
+    AppExecFwk::AbilityInfo abilityInfo;
+    abilityInfo.visible = true;
+    string localDeviceId;
+    int32_t ret = DistributedSchedPermission::GetInstance().CheckDPermission(want, callerInfo, accountInfo, abilityInfo,
+        localDeviceId);
+    EXPECT_TRUE(ret != ERR_OK);
+    DTEST_LOG << "CheckDPermission_007 end result:" << ret << std::endl;
+}
 } // namespace DistributedSchedule
 } // namespace OHOS