!1743 add permission check and throw account not found exception

Merge pull request !1743 from jidong/dev0413

frameworks/domain_account/src/domain_account_client.cpp

@@ -191,6 +191,7 @@ ErrCode DomainAccountClient::UpdateAccountToken(const DomainAccountInfo &info, c
 
 ErrCode DomainAccountClient::IsAuthenticationExpired(const DomainAccountInfo &info, bool &isExpired)
 {
+    isExpired = true;
     auto proxy = GetDomainAccountProxy();
     if (proxy == nullptr) {
         ACCOUNT_LOGE("Get domain account proxy failed.");

frameworks/domain_account/test/moduletest/src/domain_account_client_mock_plugin_so_module_test.cpp

@@ -354,6 +354,9 @@ HWTEST_F(DomainAccountClientMockPluginSoModuleTest, DomainAccountClientModuleTes
 HWTEST_F(DomainAccountClientMockPluginSoModuleTest, DomainAccountClientModuleTest_IsAuthenticationExpired_001,
          TestSize.Level0)
 {
+    AccessTokenID tokenID;
+    ASSERT_TRUE(AllocPermission({"ohos.permission.MANAGE_LOCAL_ACCOUNTS"}, tokenID));
+    setuid(EDM_UID);
     DomainAccountInfo domainInfo;
     domainInfo.accountName_ = "testaccount";
     domainInfo.domain_ = "test.example.com";
@@ -364,7 +367,10 @@ HWTEST_F(DomainAccountClientMockPluginSoModuleTest, DomainAccountClientModuleTes
     InnerDomainAccountManager::GetInstance().LoaderLib("", WRONG_SO);
     EXPECT_EQ(DomainAccountClient::GetInstance().IsAuthenticationExpired(domainInfo, isExpired),
               ERR_DOMAIN_ACCOUNT_SERVICE_PLUGIN_NOT_EXIST);
+    EXPECT_TRUE(isExpired);
     InnerDomainAccountManager::GetInstance().CloseLib();
+    setuid(ROOT_UID);
+    ASSERT_TRUE(RecoveryPermission(tokenID));
 }
 
 /**
@@ -381,9 +387,10 @@ HWTEST_F(DomainAccountClientMockPluginSoModuleTest, DomainAccountClientModuleTes
     domainInfo.domain_ = "test.example.com";
     domainInfo.accountId_ = "testid";
 
-    bool isExpired = true;
+    bool isExpired = false;
     InnerDomainAccountManager::GetInstance().LoaderLib("", RIGHT_SO);
-    EXPECT_EQ(DomainAccountClient::GetInstance().IsAuthenticationExpired(domainInfo, isExpired), ERR_OK);
+    EXPECT_EQ(DomainAccountClient::GetInstance().IsAuthenticationExpired(domainInfo, isExpired),
+        ERR_DOMAIN_ACCOUNT_SERVICE_NOT_DOMAIN_ACCOUNT);
     EXPECT_TRUE(isExpired);
     InnerDomainAccountManager::GetInstance().CloseLib();
 }
@@ -538,4 +545,36 @@ HWTEST_F(DomainAccountClientMockPluginSoModuleTest, DomainAccountClientModuleTes
     EXPECT_EQ(OsAccountManager::GetOsAccountLocalIdFromDomain(domainInfo, userId), ERR_OK);
     EXPECT_EQ(OsAccountManager::RemoveOsAccount(userId), ERR_OK);
 }
-#endif
+#endif
+
+/**
+ * @tc.name: DomainAccountClientModuleTest_IsAuthenticationExpired_006
+ * @tc.desc: IsAuthenticationExpired failed without permission.
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(DomainAccountClientMockPluginSoModuleTest, DomainAccountClientModuleTest_IsAuthenticationExpired_006,
+         TestSize.Level0)
+{
+    AccessTokenID tokenID;
+    ASSERT_TRUE(AllocPermission({}, tokenID));
+    setuid(EDM_UID);
+    DomainAccountInfo domainInfo;
+    domainInfo.accountName_ = "testaccount";
+    domainInfo.domain_ = "test.example.com";
+    domainInfo.accountId_ = "testid";
+
+    bool isExpired = false;
+    EXPECT_EQ(DomainAccountClient::GetInstance().IsAuthenticationExpired(domainInfo, isExpired),
+        ERR_ACCOUNT_COMMON_PERMISSION_DENIED);
+    EXPECT_TRUE(isExpired);
+    setuid(ROOT_UID);
+    ASSERT_TRUE(RecoveryPermission(tokenID));
+    ASSERT_TRUE(AllocPermission({"ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS"}, tokenID));
+    setuid(EDM_UID);
+    EXPECT_EQ(DomainAccountClient::GetInstance().IsAuthenticationExpired(domainInfo, isExpired),
+        ERR_DOMAIN_ACCOUNT_SERVICE_NOT_DOMAIN_ACCOUNT);
+    EXPECT_TRUE(isExpired);
+    setuid(ROOT_UID);
+    ASSERT_TRUE(RecoveryPermission(tokenID));
+}

services/accountmgr/src/domain_account/domain_account_stub.cpp

@@ -29,6 +29,7 @@ const std::string MANAGE_LOCAL_ACCOUNTS = "ohos.permission.MANAGE_LOCAL_ACCOUNTS
 const std::string GET_LOCAL_ACCOUNTS = "ohos.permission.GET_LOCAL_ACCOUNTS";
 const std::string ACCESS_USER_AUTH_INTERNAL = "ohos.permission.ACCESS_USER_AUTH_INTERNAL";
 const std::string GET_DOMAIN_ACCOUNTS = "ohos.permission.GET_DOMAIN_ACCOUNTS";
+const std::string INTERACT_ACROSS_LOCAL_ACCOUNTS = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
 }
 
 const std::map<DomainAccountInterfaceCode, DomainAccountStub::DomainAccountStubFunc> stubFuncMap = {
@@ -507,7 +508,7 @@ ErrCode DomainAccountStub::CheckPermission(DomainAccountInterfaceCode code, int3
     if (uid == 0) {
         return ERR_OK;
     }
-    std::string permissionName;
+    std::vector<std::string> orPermissions;
     switch (code) {
         case DomainAccountInterfaceCode::REGISTER_PLUGIN:
         case DomainAccountInterfaceCode::UNREGISTER_PLUGIN:
@@ -518,27 +519,34 @@ ErrCode DomainAccountStub::CheckPermission(DomainAccountInterfaceCode code, int3
         case DomainAccountInterfaceCode::REMOVE_SERVER_CONFIG:
         case DomainAccountInterfaceCode::GET_ACCOUNT_SERVER_CONFIG:
         case DomainAccountInterfaceCode::DOMAIN_UPDATE_ACCOUNT_INFO:
-            permissionName = MANAGE_LOCAL_ACCOUNTS;
+            orPermissions.emplace_back(MANAGE_LOCAL_ACCOUNTS);
             break;
         case DomainAccountInterfaceCode::DOMAIN_ACCOUNT_STATUS_ENQUIRY:
         case DomainAccountInterfaceCode::DOMAIN_ACCOUNT_STATUS_LISTENER_REGISTER:
         case DomainAccountInterfaceCode::DOMAIN_ACCOUNT_STATUS_LISTENER_UNREGISTER:
-            permissionName = GET_LOCAL_ACCOUNTS;
+            orPermissions.emplace_back(GET_LOCAL_ACCOUNTS);
             break;
         case DomainAccountInterfaceCode::DOMAIN_AUTH:
         case DomainAccountInterfaceCode::DOMAIN_AUTH_USER:
-            permissionName = ACCESS_USER_AUTH_INTERNAL;
+            orPermissions.emplace_back(ACCESS_USER_AUTH_INTERNAL);
             break;
         case DomainAccountInterfaceCode::DOMAIN_GET_ACCOUNT_INFO:
-            permissionName = GET_DOMAIN_ACCOUNTS;
+            orPermissions.emplace_back(GET_DOMAIN_ACCOUNTS);
+            break;
+        case DomainAccountInterfaceCode::DOMAIN_IS_AUTHENTICATION_EXPIRED:
+            orPermissions.emplace_back(MANAGE_LOCAL_ACCOUNTS);
+            orPermissions.emplace_back(INTERACT_ACROSS_LOCAL_ACCOUNTS);
             break;
         default:
             break;
     }
-    if (permissionName.empty()) {
-        return ERR_OK;
+    for (const auto &permission : orPermissions) {
+        errCode = AccountPermissionManager::VerifyPermission(permission);
+        if (errCode == ERR_OK) {
+            return ERR_OK;
+        }
     }
-    return AccountPermissionManager::VerifyPermission(permissionName);
+    return ERR_ACCOUNT_COMMON_PERMISSION_DENIED;
 }
 }  // namespace AccountSA
 }  // namespace OHOS

services/accountmgr/src/domain_account/inner_domain_account_manager.cpp

@@ -1084,7 +1084,7 @@ ErrCode InnerDomainAccountManager::IsAuthenticationExpired(const DomainAccountIn
     if (result != ERR_OK) {
         ACCOUNT_LOGI("The target domain account not found, isExpired=true.");
         isExpired = true;
-        return ERR_OK;
+        return ERR_DOMAIN_ACCOUNT_SERVICE_NOT_DOMAIN_ACCOUNT;
     }
     std::vector<uint8_t> accountToken;
     if (!GetTokenFromMap(userId, accountToken)) {