From 01b8b0e409a6e1c30ff5e8ee025248531de2e3c3 Mon Sep 17 00:00:00 2001
From: zmx
Date: Fri, 8 Apr 2022 16:51:21 +0800
Subject: [PATCH] hichain group check
Signed-off-by: zmx
Change-Id: Ibd1ab40d45a110fa01d2dc90fc7fe78d2ce71aba
Signed-off-by: zmx
---
 services/dtbschedmgr/BUILD.gn | 1 +
 .../include/bundle/bundle_manager_internal.h | 4 +
 .../include/distributed_sched_adapter.h | 14 +-
 .../include/distributed_sched_interface.h | 2 +-
 .../include/distributed_sched_permission.h | 20 +++
 .../src/bundle/bundle_manager_internal.cpp | 76 +++++++++-
 .../src/distributed_sched_adapter.cpp | 95 +++++++------
 .../src/distributed_sched_permission.cpp | 130 ++++++++++++++++--
 .../src/distributed_sched_service.cpp | 41 ++++--
 .../src/distributed_sched_stub.cpp | 2 +-
 services/dtbschedmgr/test/BUILD.gn | 1 +
 11 files changed, 315 insertions(+), 71 deletions(-)
diff --git a/services/dtbschedmgr/BUILD.gn b/services/dtbschedmgr/BUILD.gn
index 562e763e..acff52cc 100644
--- a/services/dtbschedmgr/BUILD.gn
+++ b/services/dtbschedmgr/BUILD.gn
@@ -59,6 +59,7 @@ ohos_shared_library("distributedschedsvr") {
 "access_token:libaccesstoken_sdk",
 "bundle_framework:appexecfwk_base",
 "bundle_framework:appexecfwk_core",
+ "deviceauth_standard:deviceauth_sdk",
 "distributeddatamgr:distributeddata_inner",
 "dsoftbus_standard:softbus_client",
 "eventhandler:libeventhandler",
diff --git a/services/dtbschedmgr/include/bundle/bundle_manager_internal.h b/services/dtbschedmgr/include/bundle/bundle_manager_internal.h
index 74e90bf8..97456e47 100755
--- a/services/dtbschedmgr/include/bundle/bundle_manager_internal.h
+++ b/services/dtbschedmgr/include/bundle/bundle_manager_internal.h
@@ -30,6 +30,10 @@ class BundleManagerInternal { public: static bool GetCallerAppIdFromBms(int32_t callingUid, std::string& appId); static bool GetCallerAppIdFromBms(const std::string& bundleName, std::string& appId); + static bool GetBundleNameListFromBms(int32_t callingUid, std::vector& bundleNameList); + static bool GetBundleNameListFromBms(int32_t callingUid, std::vector& u16BundleNameList); + static bool QueryAbilityInfo(const AAFwk::Want& want, AppExecFwk::AbilityInfo& abilityInfo); + static bool IsSameAppId(const std::string& callerAppId, const std::string& targetBundleName); static sptr GetBundleManager(); }; } // namespace DistributedSchedule diff --git a/services/dtbschedmgr/include/distributed_sched_adapter.h b/services/dtbschedmgr/include/distributed_sched_adapter.h index da912fff..084d3e2d 100644 --- a/services/dtbschedmgr/include/distributed_sched_adapter.h +++ b/services/dtbschedmgr/include/distributed_sched_adapter.h @@ -19,6 +19,8 @@ #include "ability_info.h" #include "ability_manager_client.h" #include "caller_info.h" +#include "device_auth.h" +#include "distributed_sched_interface.h" #include "event_handler.h" #include "if_system_ability_manager.h" #include "iremote_object.h" @@ -33,6 +35,8 @@ class DistributedSchedAdapter { DECLARE_SINGLE_INSTANCE(DistributedSchedAdapter); public: + using AccountInfo = IDistributedSched::AccountInfo; + void Init(); void UnInit(); 
@@ -41,11 +45,8 @@ public: int32_t DisconnectAbility(const sptr& connect); void DeviceOnline(const std::string& deviceId); void DeviceOffline(const std::string& deviceId); - bool QueryAbilityInfo(const OHOS::AAFwk::Want& want, AppExecFwk::AbilityInfo& abilityInfo); void ProcessConnectDied(const sptr& connect); - int32_t GetBundleNameListFromBms(int32_t uid, std::vector& u16BundleNameList); int32_t GetLocalMissionInfos(int32_t numMissions, std::vector& missionInfos); - int32_t GetBundleNameListFromBms(int32_t uid, std::vector& bundleNameList); bool AllowMissionUid(int32_t uid); int32_t RegisterMissionListener(const sptr& listener); int32_t UnRegisterMissionListener(const sptr& listener); @@ -58,12 +59,15 @@ public: const sptr& callerToken); void ProcessCallerDied(const sptr& connect); void ProcessCalleeDied(const sptr& connect); - + bool InitHichainService(); + bool CheckAccessToGroup(const std::string& groupId, const std::string& targetBundleName); + bool GetRelatedGroups(const std::string& udid, const std::string& bundleName, std::string& returnGroups); private: void ProcessDeviceOffline(const std::string& deviceId); std::shared_ptr dmsAdapterHandler_; - friend class BundleManagerInternal; + const DeviceGroupManager* hichainGmInstance_ = nullptr; + std::mutex hichainLock_; }; } // namespace DistributedSchedule } // namespace OHOS diff --git a/services/dtbschedmgr/include/distributed_sched_interface.h b/services/dtbschedmgr/include/distributed_sched_interface.h index 61c69925..a69eaad1 100755 --- a/services/dtbschedmgr/include/distributed_sched_interface.h +++ b/services/dtbschedmgr/include/distributed_sched_interface.h @@ -37,7 +37,7 @@ public: DIFF_ACCOUNT_TYPE, }; struct AccountInfo { - int32_t accountType = SAME_ACCOUNT_TYPE; + int32_t accountType = DIFF_ACCOUNT_TYPE; std::vector groupIdList; }; diff --git a/services/dtbschedmgr/include/distributed_sched_permission.h b/services/dtbschedmgr/include/distributed_sched_permission.h index 8027fc96..afe2f0dd 100755 
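Review bot: `InitHichainService()` is declared in the public section, but its definition later in this patch reads and writes `hichainGmInstance_` without taking `hichainLock_`; only `CheckAccessToGroup` and `GetRelatedGroups` hold the lock before calling it. Any other caller would race on the pointer, so the declaration is better placed under `private:` with a comment such as `// caller must hold hichainLock_`. The class also gains a `std::mutex` member while the include hunk of this header adds no `<mutex>`; unless it is already included outside the visible lines, add `#include <mutex>` rather than rely on a transitive include.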
--- a/services/dtbschedmgr/include/distributed_sched_permission.h +++ b/services/dtbschedmgr/include/distributed_sched_permission.h @@ -19,10 +19,23 @@ #include #include "distributed_sched_interface.h" +#include "nlohmann/json.hpp" #include "single_instance.h" namespace OHOS { namespace DistributedSchedule { +struct GroupInfo { + std::string groupName; + std::string groupId; + std::string groupOwner; + int32_t groupType; + int32_t groupVisibility; + + GroupInfo() : groupName(""), groupId(""), groupOwner(""), groupType(0), groupVisibility(0) {} +}; + +void from_json(const nlohmann::json& jsonObject, GroupInfo& groupInfo); + class DistributedSchedPermission { DECLARE_SINGLE_INSTANCE(DistributedSchedPermission); @@ -35,11 +48,18 @@ public: int32_t CheckGetCallerPermission(const AAFwk::Want& want, const CallerInfo& callerInfo, const AccountInfo& accountInfo, const std::string& localDeviceId); int32_t CheckPermission(uint32_t accessToken, const std::string& permissionName) const; + int32_t GetAccountInfo(const std::string& remoteNetworkId, const CallerInfo& callerInfo, + AccountInfo& accountInfo); private: + bool GetRelatedGroups(const std::string& udid, const std::vector& bundleNames, + AccountInfo& accountInfo); + bool ParseGroupInfos(const std::string& returnGroupStr, std::vector& groupInfos); bool IsNativeCall(uint32_t accessToken) const; bool IsFoundationCall(uint32_t accessToken) const; bool VerifyPermission(uint32_t accessToken, const std::string& permissionName) const; + bool CheckAccountAccessPermission(const CallerInfo& callerInfo, + const AccountInfo& accountInfo, const std::string& targetBundleName); bool CheckComponentAccessPermission(const AppExecFwk::AbilityInfo& targetAbility, const CallerInfo& callerInfo, const AccountInfo& accountInfo, const AAFwk::Want& want) const; bool CheckCustomPermission(const AppExecFwk::AbilityInfo& targetAbility, 
diff --git a/services/dtbschedmgr/src/bundle/bundle_manager_internal.cpp b/services/dtbschedmgr/src/bundle/bundle_manager_internal.cpp index abff5904..e8f37eba 100644 --- a/services/dtbschedmgr/src/bundle/bundle_manager_internal.cpp +++ b/services/dtbschedmgr/src/bundle/bundle_manager_internal.cpp @@ -32,9 +32,12 @@ IMPLEMENT_SINGLE_INSTANCE(BundleManagerInternal); bool BundleManagerInternal::GetCallerAppIdFromBms(int32_t callingUid, std::string& appId) { std::vector bundleNameList; - int32_t ret = DistributedSchedAdapter::GetInstance().GetBundleNameListFromBms(callingUid, bundleNameList); - if (ret != ERR_OK || bundleNameList.empty()) { - HILOGE("GetBundleNameListFromBms error"); + if (!GetBundleNameListFromBms(callingUid, bundleNameList)) { + HILOGE("GetBundleNameListFromBms failed"); + return false; + } + if (bundleNameList.empty()) { + HILOGE("bundleNameList empty"); return false; } // getting an arbitrary bundlename for they sharing a same appId, here we get the first one 
@@ -58,6 +61,73 @@ bool BundleManagerInternal::GetCallerAppIdFromBms(const std::string& bundleName, return true; } +bool BundleManagerInternal::GetBundleNameListFromBms(int32_t callingUid, std::vector& bundleNameList) +{ + auto bundleMgr = GetBundleManager(); + if (bundleMgr == nullptr) { + HILOGE("failed to get bms"); + return false; + } + bool result = bundleMgr->GetBundlesForUid(callingUid, bundleNameList); + if (!result) { + HILOGE("GetBundlesForUid failed, result: %{public}d", result); + return false; + } + return result; +} + +bool BundleManagerInternal::GetBundleNameListFromBms(int32_t callingUid, + std::vector& u16BundleNameList) +{ + std::vector bundleNameList; + if (!GetBundleNameListFromBms(callingUid, bundleNameList)) { + HILOGE("GetBundleNameListFromBms failed"); + return false; + } + for (const std::string& bundleName : bundleNameList) { + u16BundleNameList.emplace_back(Str8ToStr16(bundleName)); + } + return true; +} + +bool BundleManagerInternal::QueryAbilityInfo(const AAFwk::Want& want, AppExecFwk::AbilityInfo& abilityInfo) +{ + std::vector ids; + int32_t ret = OsAccountManager::QueryActiveOsAccountIds(ids); + if (ret != ERR_OK || ids.empty()) { + return false; + } + auto bundleMgr = GetBundleManager(); + if (bundleMgr == nullptr) { + HILOGE("failed to get bms"); + return false; + } + bool result = bundleMgr->QueryAbilityInfo(want, AppExecFwk::AbilityInfoFlag::GET_ABILITY_INFO_DEFAULT + | AppExecFwk::AbilityInfoFlag::GET_ABILITY_INFO_WITH_PERMISSION, ids[0], abilityInfo); + if (!result) { + HILOGE("QueryAbilityInfo failed"); + return false; + } + return true; +} + +bool BundleManagerInternal::IsSameAppId(const std::string& callerAppId, const std::string& targetBundleName) +{ + if (targetBundleName.empty() || callerAppId.empty()) { + HILOGE("targetBundleName:%{public}s or callerAppId:%s is empty", + targetBundleName.c_str(), callerAppId.c_str()); + return false; + } + HILOGD("callerAppId:%s", callerAppId.c_str()); + std::string calleeAppId; + if 
(!GetCallerAppIdFromBms(targetBundleName, calleeAppId)) { + HILOGE("GetCallerAppIdFromBms failed"); + return false; + } + HILOGD("calleeAppId:%s", calleeAppId.c_str()); + return callerAppId == calleeAppId; +} + sptr BundleManagerInternal::GetBundleManager() { sptr samgrProxy = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); diff --git a/services/dtbschedmgr/src/distributed_sched_adapter.cpp b/services/dtbschedmgr/src/distributed_sched_adapter.cpp index 22866cbb..c8b723f0 100644 --- a/services/dtbschedmgr/src/distributed_sched_adapter.cpp +++ b/services/dtbschedmgr/src/distributed_sched_adapter.cpp @@ -15,8 +15,6 @@ #include "distributed_sched_adapter.h" -#include "ability_manager_client.h" -#include "bundle/bundle_manager_internal.h" #include "datetime_ex.h" #include "distributed_sched_service.h" #include "dtbschedmgr_device_info_storage.h" @@ -130,27 +128,6 @@ void DistributedSchedAdapter::DeviceOffline(const std::string& deviceId) } } -bool DistributedSchedAdapter::QueryAbilityInfo(const OHOS::AAFwk::Want& want, AppExecFwk::AbilityInfo& abilityInfo) -{ - std::vector ids; - ErrCode ret = OsAccountManager::QueryActiveOsAccountIds(ids); - if (ret != ERR_OK || ids.empty()) { - return false; - } - auto bundleMgr = BundleManagerInternal::GetBundleManager(); - if (bundleMgr == nullptr) { - HILOGE("QueryAbilityInfo failed to get bms"); - return false; - } - bool result = bundleMgr->QueryAbilityInfo(want, AppExecFwk::AbilityInfoFlag::GET_ABILITY_INFO_DEFAULT - | AppExecFwk::AbilityInfoFlag::GET_ABILITY_INFO_WITH_PERMISSION, ids[0], abilityInfo); - if (!result) { - HILOGE("QueryAbilityInfo fail"); - return false; - } - return true; -} - void DistributedSchedAdapter::ProcessDeviceOffline(const std::string& deviceId) { HILOGD("ProcessDeviceOffline"); 
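Review bot: The new `BundleManagerInternal::GetBundleNameListFromBms` calls `bundleMgr->GetBundlesForUid(callingUid, bundleNameList)` directly, while the adapter version this patch deletes wrapped the same call in `IPCSkeleton::ResetCallingIdentity()` and `IPCSkeleton::SetCallingIdentity(identity)`. Whether the bundle manager's own caller check depends on that wrapper is not visible in this diff, so please confirm the lookup still succeeds when the request originates from an application's IPC thread, and either restore the wrapper or leave a one-line comment saying why it is no longer needed. In the same function the failure log prints `result`, which is always false on that branch and carries no information. The UTF-16 overload appends to `u16BundleNameList` without clearing it, which is worth stating in a doc comment on the declaration.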
@@ -244,33 +221,65 @@ int32_t DistributedSchedAdapter::StartAbilityByCall(const OHOS::AAFwk::Want& wan return ret; } -int32_t DistributedSchedAdapter::GetBundleNameListFromBms(int32_t uid, - std::vector& u16BundleNameList) +bool DistributedSchedAdapter::InitHichainService() { - vector bundleNameList; - int32_t ret = GetBundleNameListFromBms(uid, bundleNameList); - if (ret != ERR_OK) { - HILOGE("GetBundleNameListFromBms failed"); - return ret; + if (hichainGmInstance_ != nullptr) { + HILOGI("hichain GmInstance is already exist"); + return true; } - for (const string& bundleName : bundleNameList) { - u16BundleNameList.emplace_back(Str8ToStr16(bundleName)); + if (InitDeviceAuthService() != ERR_OK) { + HILOGE("hichain init DeviceAuthService failed"); + return false; } - return ERR_OK; + hichainGmInstance_ = GetGmInstance(); + if (hichainGmInstance_ == nullptr) { + HILOGE("hichain get GmInstance failed"); + return false; + } + return true; } -int32_t DistributedSchedAdapter::GetBundleNameListFromBms(int32_t uid, std::vector& bundleNameList) +bool DistributedSchedAdapter::CheckAccessToGroup(const std::string& groupId, const std::string& targetBundleName) { - auto bundleMgr = BundleManagerInternal::GetBundleManager(); - if (bundleMgr == nullptr) { - HILOGE("GetBundleNameListFromBms failed to get bms"); - return OBJECT_NULL; + std::lock_guard autoLock(hichainLock_); + int64_t begin = GetTickCount(); + if (!InitHichainService()) { + return false; } - std::string identity = IPCSkeleton::ResetCallingIdentity(); - bool result = bundleMgr->GetBundlesForUid(uid, bundleNameList); - IPCSkeleton::SetCallingIdentity(identity); - HILOGD("GetBundleNameListFromBms %{public}d", result); - return result ? 
ERR_OK : BUNDLE_MANAGER_SERVICE_ERR; + int32_t ret = hichainGmInstance_->checkAccessToGroup(ANY_OS_ACCOUNT, targetBundleName.c_str(), + groupId.c_str()); + HILOGI("[PerformanceTest] checkAccessToGroup spend %{public}" PRId64 " ms", GetTickCount() - begin); + if (ret != ERR_OK) { + HILOGE("hichain checkAccessToGroup failed, ret:%{public}d", ret); + return false; + } + HILOGD("hichain checkAccessToGroup success"); + return true; +} + +bool DistributedSchedAdapter::GetRelatedGroups(const std::string& udid, const std::string& bundleName, + std::string& returnGroups) +{ + std::lock_guard autoLock(hichainLock_); + int64_t begin = GetTickCount(); + if (!InitHichainService()) { + return false; + } + uint32_t groupNum = 0; + char* groupsJsonStr = nullptr; + int32_t ret = hichainGmInstance_->getRelatedGroups(ANY_OS_ACCOUNT, bundleName.c_str(), udid.c_str(), + &groupsJsonStr, &groupNum); + HILOGI("[PerformanceTest] getRelatedGroups spend %{public}" PRId64 " ms", GetTickCount() - begin); + if (ret != ERR_OK) { + HILOGE("hichain getRelatedGroups failed, ret:%{public}d", ret); + return false; + } + if (groupsJsonStr == nullptr || groupNum == 0) { + HILOGE("groupsJsonStr is nullptr"); + return false; + } + returnGroups = groupsJsonStr; + return true; } #ifdef SUPPORT_DISTRIBUTED_MISSION_MANAGER diff --git a/services/dtbschedmgr/src/distributed_sched_permission.cpp b/services/dtbschedmgr/src/distributed_sched_permission.cpp index 9a7e8662..3dad9fc8 100644 --- a/services/dtbschedmgr/src/distributed_sched_permission.cpp +++ b/services/dtbschedmgr/src/distributed_sched_permission.cpp @@ -16,9 +16,11 @@ #include "distributed_sched_permission.h" #include "accesstoken_kit.h" +#include "adapter/dnetwork_adapter.h" #include "bundle/bundle_manager_internal.h" #include "caller_info.h" #include "datetime_ex.h" +#include "device_auth_defines.h" #include "distributed_sched_adapter.h" #include "dtbschedmgr_log.h" #include "ipc_skeleton.h" 
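Review bot: In `DistributedSchedAdapter::GetRelatedGroups` the buffer returned through `groupsJsonStr` is copied into `returnGroups` and never released, and the `groupNum == 0` early return drops it as well. Assuming the device-auth library allocates that string for the caller (its group manager exposes `destroyInfo` for returned buffers), each permission check leaks one allocation in a long-running system service. Call `hichainGmInstance_->destroyInfo(&groupsJsonStr);` after the copy and on the early-return path. The message on that path says "groupsJsonStr is nullptr" even when only `groupNum` is zero, so the two conditions should be logged separately.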
@@ -31,6 +33,20 @@ const std::string TAG = "DistributedSchedPermission"; const std::string FOUNDATION_PROCESS_NAME = "foundation"; } IMPLEMENT_SINGLE_INSTANCE(DistributedSchedPermission); +void from_json(const nlohmann::json& jsonObject, GroupInfo& groupInfo) +{ + try { + jsonObject.at(FIELD_GROUP_NAME).get_to(groupInfo.groupName); + jsonObject.at(FIELD_GROUP_ID).get_to(groupInfo.groupId); + jsonObject.at(FIELD_GROUP_OWNER).get_to(groupInfo.groupOwner); + jsonObject.at(FIELD_GROUP_TYPE).get_to(groupInfo.groupType); + jsonObject.at(FIELD_GROUP_VISIBILITY).get_to(groupInfo.groupVisibility); + } catch (nlohmann::detail::type_error& ex) { + HILOGE("from_json type error"); + } catch (nlohmann::detail::out_of_range& ex) { + HILOGE("from_json out of range"); + } +} int32_t DistributedSchedPermission::CheckDPermission(const AAFwk::Want& want, const CallerInfo& callerInfo, const AccountInfo& accountInfo, const AppExecFwk::AbilityInfo& abilityInfo, const std::string& localDeviceId) 
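Review bot: `from_json` swallows `type_error` and `out_of_range` and then returns normally, so a record that fails part-way is still handed to the caller with whatever fields were assigned before the throw. Because the fields are read in order, an entry with a usable `groupId` and `groupType` but a missing or mistyped `groupVisibility` is logged as an error and yet still reaches the `groupIdList` built by `GetRelatedGroups` later in this patch. These records feed an authorization decision, so the output should be reset on failure, for example `groupInfo = GroupInfo();` in both handlers, which leaves `groupType` at 0 for the caller's type filter to reject (assuming 0 is not one of the accepted group types). The handlers should also catch by `const&`, and a short comment on the function should state that a malformed record yields a default-constructed `GroupInfo`.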
@@ -49,9 +65,14 @@ int32_t DistributedSchedPermission::CheckDPermission(const AAFwk::Want& want, co targetAbility.visible); HILOGD("callerType:%{public}d accountType:%{public}d callerUid:%{public}d AccessTokenID:%{public}u", callerInfo.callerType, accountInfo.accountType, callerInfo.uid, callerInfo.accessToken); + // 1.check account access permission in no account networking environment. + if (!CheckAccountAccessPermission(callerInfo, accountInfo, targetAbility.bundleName)) { + HILOGE("CheckAccountAccessPermission denied or failed!"); + return DMS_ACCOUNT_ACCESS_PERMISSION_DENIED; + } // 2.check component access permission, when the ability is not visible. if (!CheckComponentAccessPermission(targetAbility, callerInfo, accountInfo, want)) { - HILOGE("CheckComponentAccessPermission denied or failed! the caller component do not have permission"); + HILOGE("CheckComponentAccessPermission denied or failed! the callee component do not have permission"); return DMS_COMPONENT_ACCESS_PERMISSION_DENIED; } // 3.check application custom permissions 
@@ -63,14 +84,79 @@ int32_t DistributedSchedPermission::CheckDPermission(const AAFwk::Want& want, co return ERR_OK; } +int32_t DistributedSchedPermission::GetAccountInfo(const std::string& remoteNetworkId, + const CallerInfo& callerInfo, AccountInfo& accountInfo) +{ + if (remoteNetworkId.empty()) { + HILOGE("remoteNetworkId is empty"); + return ERR_NULL_OBJECT; + } + std::string udid = DnetworkAdapter::GetInstance()->GetUdidByNetworkId(remoteNetworkId); + if (udid.empty()) { + HILOGE("udid is empty"); + return ERR_NULL_OBJECT; + } + if (!GetRelatedGroups(udid, callerInfo.bundleNames, accountInfo)) { + HILOGE("GetRelatedGroups failed"); + return INVALID_PARAMETERS_ERR; + } + return ERR_OK; +} + +bool DistributedSchedPermission::GetRelatedGroups(const std::string& udid, + const std::vector& bundleNames, AccountInfo& accountInfo) +{ + for (const auto& bundleName : bundleNames) { + std::string returnGroups; + if (!DistributedSchedAdapter::GetInstance().GetRelatedGroups(udid, bundleName, returnGroups)) { + continue; + } + std::vector groupInfos; + if (!ParseGroupInfos(returnGroups, groupInfos)) { + continue; + } + for (const auto& groupInfo : groupInfos) { + // check group type is whether (same count or point to point) or not + if (groupInfo.groupType != GroupType::IDENTICAL_ACCOUNT_GROUP + && groupInfo.groupType != GroupType::PEER_TO_PEER_GROUP) { + continue; + } + accountInfo.groupIdList.push_back(groupInfo.groupId); + if (groupInfo.groupType == GroupType::IDENTICAL_ACCOUNT_GROUP + && accountInfo.accountType != IDistributedSched::SAME_ACCOUNT_TYPE) { + accountInfo.accountType = IDistributedSched::SAME_ACCOUNT_TYPE; + } + } + } + if (accountInfo.groupIdList.empty()) { + HILOGE("groupIdList is empty"); + return false; + } + return true; +} + +bool DistributedSchedPermission::ParseGroupInfos(const std::string& returnGroupStr, std::vector& groupInfos) +{ + nlohmann::json groupInfoJson = nlohmann::json::parse(returnGroupStr, nullptr, false); + if 
(groupInfoJson.is_discarded()) { + HILOGE("returnGroupStr parse failed"); + return false; + } + HILOGD("groupInfoJson:%{public}s", groupInfoJson.dump().c_str()); + groupInfos = groupInfoJson.get>(); + if (groupInfos.empty()) { + HILOGE("groupInfos is empty"); + return false; + } + return true; +} + bool DistributedSchedPermission::getTargetAbility(const AAFwk::Want& want, const AppExecFwk::AbilityInfo& abilityInfo, const std::string& localDeviceId, AppExecFwk::AbilityInfo& targetAbility, const CallerInfo& callerInfo) const { - HILOGD("getTargetAbility"); - bool result = DistributedSchedAdapter::GetInstance().QueryAbilityInfo(want, targetAbility); - if (!result) { - HILOGE("getTargetAbility QueryAbilityInfo fail"); + if (!BundleManagerInternal::QueryAbilityInfo(want, targetAbility)) { + HILOGE("QueryAbilityInfo failed"); return false; } return true; @@ -120,7 +206,6 @@ bool DistributedSchedPermission::IsFoundationCall(uint32_t accessToken) const AccessToken::NativeTokenInfo nativeTokenInfo; int32_t result = AccessToken::AccessTokenKit::GetNativeTokenInfo(accessToken, nativeTokenInfo); if (result == ERR_OK && nativeTokenInfo.processName == FOUNDATION_PROCESS_NAME) { - HILOGD("foundation called."); return true; } HILOGE("not foundation called, processName:%{private}s", nativeTokenInfo.processName.c_str()); @@ -131,7 +216,6 @@ bool DistributedSchedPermission::IsNativeCall(uint32_t accessToken) const { auto tokenType = AccessToken::AccessTokenKit::GetTokenTypeFlag(accessToken); if (tokenType == AccessToken::ATokenTypeEnum::TOKEN_NATIVE) { - HILOGD("caller tokenType is native, verify success."); return true; } HILOGE("not native called."); 
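Review bot: In `ParseGroupInfos` the `groupInfoJson.get` conversion to the `GroupInfo` vector runs outside any try block, and nlohmann's array conversion throws `type_error` when the parsed value is valid JSON but not an array, which the `is_discarded()` check does not cover. Add `if (!groupInfoJson.is_array()) { HILOGE("returnGroupStr is not an array"); return false; }` before the conversion so an unexpected reply cannot terminate the service. The `HILOGD` just above it prints the whole group document (group ids, names and owners) with `%{public}s`; `%{private}s`, or logging only the element count, keeps that out of readable logs. `GetRelatedGroups` in the same hunk appends to `accountInfo.groupIdList` for every bundle name without de-duplicating, so the same group id can be sent and checked several times.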
@@ -149,15 +233,43 @@ bool DistributedSchedPermission::VerifyPermission(uint32_t accessToken, const st return true; } +bool DistributedSchedPermission::CheckAccountAccessPermission(const CallerInfo& callerInfo, + const AccountInfo& accountInfo, const std::string& targetBundleName) +{ + if (accountInfo.accountType == IDistributedSched::SAME_ACCOUNT_TYPE) { + HILOGD("no need to check"); + return true; + } + if (targetBundleName.empty() || accountInfo.groupIdList.empty()) { + HILOGE("targetBundleName or groupIdList is empty"); + return false; + } + + for (const auto& groupId : accountInfo.groupIdList) { + HILOGD("groupId:%{public}s targetBundleName:%{public}s", groupId.c_str(), targetBundleName.c_str()); + if (DistributedSchedAdapter::GetInstance().CheckAccessToGroup(groupId, targetBundleName)) { + return true; + } + } + HILOGE("check account permission failed"); + return false; +} + bool DistributedSchedPermission::CheckComponentAccessPermission(const AppExecFwk::AbilityInfo& targetAbility, const CallerInfo& callerInfo, const AccountInfo& accountInfo, const AAFwk::Want& want) const { // reject directly when in no account networking environment and target ability is not visible, if (!targetAbility.visible) { - HILOGE("CheckComponentAccessPermission target ability is not visible, permission denied!"); + HILOGE("target ability is not visible, permission denied!"); return false; } - HILOGD("CheckComponentAccessPermission success"); + // when in the migration scenario, make sure the appId is the same. + if ((want.GetFlags() & AAFwk::Want::FLAG_ABILITY_CONTINUATION) != 0 + && !BundleManagerInternal::IsSameAppId(callerInfo.callerAppId, targetAbility.bundleName)) { + HILOGE("the appId is different in the migration scenario, permission denied!"); + return false; + } + HILOGD("check component permission success"); return true; } 
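Review bot: `CheckAccountAccessPermission` returns true as soon as `accountInfo.accountType == IDistributedSched::SAME_ACCOUNT_TYPE`, with no local verification of that value. If the `AccountInfo` reaching `CheckDPermission` is the one the calling device filled in and sent (as `StartRemoteAbility` does in this patch through `StartAbilityFromRemote`), the peer itself decides whether the group check runs at all. The callee should establish the same-account relationship from its own hichain state for `callerInfo.sourceDeviceId`, or at minimum the early return needs a comment naming what guarantees the field on this side. The loop below it also logs each `groupId` with `%{public}s`, and the `callerInfo` parameter is currently unused in this function.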
diff --git a/services/dtbschedmgr/src/distributed_sched_service.cpp b/services/dtbschedmgr/src/distributed_sched_service.cpp index c92095a0..cc269bc7 100755 --- a/services/dtbschedmgr/src/distributed_sched_service.cpp +++ b/services/dtbschedmgr/src/distributed_sched_service.cpp @@ -139,7 +139,20 @@ int32_t DistributedSchedService::StartRemoteAbility(const OHOS::AAFwk::Want& wan callerInfo.sourceDeviceId = localDeviceId; callerInfo.uid = callerUid; callerInfo.accessToken = accessToken; + if (!BundleManagerInternal::GetCallerAppIdFromBms(callerInfo.uid, callerInfo.callerAppId)) { + HILOGE("GetCallerAppIdFromBms failed"); + return INVALID_PARAMETERS_ERR; + } + if (!BundleManagerInternal::GetBundleNameListFromBms(callerInfo.uid, callerInfo.bundleNames)) { + HILOGE("GetBundleNameListFromBms failed"); + return INVALID_PARAMETERS_ERR; + } AccountInfo accountInfo; + int32_t ret = DistributedSchedPermission::GetInstance().GetAccountInfo(deviceId, callerInfo, accountInfo); + if (ret != ERR_OK) { + HILOGE("GetAccountInfo failed"); + return ret; + } HILOGI("[PerformanceTest] StartRemoteAbility transact begin"); int32_t result = remoteDms->StartAbilityFromRemote(want, abilityInfo, requestCode, callerInfo, accountInfo); HILOGI("[PerformanceTest] StartRemoteAbility transact end"); 
@@ -541,15 +554,12 @@ int32_t DistributedSchedService::ConnectRemoteAbility(const OHOS::AAFwk::Want& w return checkResult; } } - if (!BundleManagerInternal::GetCallerAppIdFromBms(callerInfo.uid, callerInfo.callerAppId)) { - HILOGE("ConnectRemoteAbility GetCallerAppIdFromBms failed"); + HILOGE("GetCallerAppIdFromBms failed"); return INVALID_PARAMETERS_ERR; } - int32_t ret = DistributedSchedAdapter::GetInstance().GetBundleNameListFromBms( - callerInfo.uid, callerInfo.bundleNames); - if (ret != ERR_OK) { - HILOGE("ConnectRemoteAbility GetBundleNameListFromBms failed"); + if (!BundleManagerInternal::GetBundleNameListFromBms(callerInfo.uid, callerInfo.bundleNames)) { + HILOGE("GetBundleNameListFromBms failed"); return INVALID_PARAMETERS_ERR; } @@ -573,7 +583,11 @@ int32_t DistributedSchedService::TryConnectRemoteAbility(const OHOS::AAFwk::Want HILOGE("TryConnectRemoteAbility invalid parameters"); return INVALID_PARAMETERS_ERR; } - + int32_t ret = DistributedSchedPermission::GetInstance().GetAccountInfo(remoteDeviceId, callerInfo, accountInfo); + if (ret != ERR_OK) { + HILOGE("GetAccountInfo failed"); + return ret; + } int32_t retryTimes = BIND_CONNECT_RETRY_TIMES; int32_t result = REMOTE_DEVICE_BIND_ABILITY_ERR; while (retryTimes--) { @@ -652,7 +666,12 @@ int32_t DistributedSchedService::TryStartRemoteAbilityByCall(const OHOS::AAFwk:: } HILOGD("[PerformanceTest] TryStartRemoteAbilityByCall RPC begin"); AccountInfo accountInfo; - int result = remoteDms->StartAbilityByCallFromRemote(want, connect, callerInfo, accountInfo); + int32_t ret = DistributedSchedPermission::GetInstance().GetAccountInfo(remoteDeviceId, callerInfo, accountInfo); + if (ret != ERR_OK) { + HILOGE("GetAccountInfo failed"); + return ret; + } + int32_t result = remoteDms->StartAbilityByCallFromRemote(want, connect, callerInfo, accountInfo); HILOGD("[PerformanceTest] TryStartRemoteAbilityByCall RPC end"); if (result != ERR_OK) { HILOGE("TryStartRemoteAbilityByCall failed, result : %{public}d", result); 
@@ -682,7 +701,11 @@ int32_t DistributedSchedService::StartRemoteAbilityByCall(const OHOS::AAFwk::Wan callerInfo.sourceDeviceId = localDeviceId; callerInfo.accessToken = accessToken; if (!BundleManagerInternal::GetCallerAppIdFromBms(callerInfo.uid, callerInfo.callerAppId)) { - HILOGE("StartRemoteAbilityByCall GetCallerAppIdFromBms failed"); + HILOGE("GetCallerAppIdFromBms failed"); + return INVALID_PARAMETERS_ERR; + } + if (!BundleManagerInternal::GetBundleNameListFromBms(callerInfo.uid, callerInfo.bundleNames)) { + HILOGE("GetBundleNameListFromBms failed"); return INVALID_PARAMETERS_ERR; } int32_t ret = TryStartRemoteAbilityByCall(want, connect, callerInfo); diff --git a/services/dtbschedmgr/src/distributed_sched_stub.cpp b/services/dtbschedmgr/src/distributed_sched_stub.cpp index 5c5b6af9..2ccb45f0 100755 --- a/services/dtbschedmgr/src/distributed_sched_stub.cpp +++ b/services/dtbschedmgr/src/distributed_sched_stub.cpp @@ -155,7 +155,7 @@ int32_t DistributedSchedStub::StartAbilityFromRemoteInner(MessageParcel& data, M HILOGW("request DENIED!"); return DMS_PERMISSION_DENIED; } - + shared_ptr want(data.ReadParcelable()); if (want == nullptr) { HILOGW("want readParcelable failed!"); diff --git a/services/dtbschedmgr/test/BUILD.gn b/services/dtbschedmgr/test/BUILD.gn index 2133cd6f..514131df 100644 --- a/services/dtbschedmgr/test/BUILD.gn +++ b/services/dtbschedmgr/test/BUILD.gn @@ -37,6 +37,7 @@ dsched_external_deps = [ "access_token:libaccesstoken_sdk", "bundle_framework:appexecfwk_base", "bundle_framework:appexecfwk_core", + "deviceauth_standard:deviceauth_sdk", "distributeddatamgr:distributeddata_inner", "dsoftbus_standard:softbus_client", "eventhandler:libeventhandler",