modify permission check

Signed-off-by: 尹耀德 <yinyaode1@huawei.com>
Change-Id: I0aad6a7bb9710bd50152a6f50274be7e98b62b09

services/core_service/src/lib.rs

@@ -96,7 +96,7 @@ impl Ability for AssetAbility {
 
 fn start_service(handler: Handler) -> Result<()> {
     common_event::subscribe();
-    if handler.publish(AssetService::new(handler.clone())) {
+    if !handler.publish(AssetService::new(handler.clone())) {
         return log_throw_error!(ErrCode::IpcError, "Asset publish stub object failed");
     };
     Ok(())

services/core_service/src/operations/common/argument_check.rs

@@ -15,7 +15,7 @@
 
 //! This module is used to verify the validity of asset attributes.
 
-use asset_constants::ROOT_USER_UPPERBOUND;
+use asset_constants::{CallingInfo, ROOT_USER_UPPERBOUND};
 use asset_definition::{
     log_throw_error, Accessibility, AssetMap, AuthType, ConflictResolution, Conversion, ErrCode, Result, ReturnType,
     Tag, Value,

services/os_dependency/BUILD.gn

@@ -22,6 +22,7 @@ ohos_static_library("asset_os_dependency") {
   sources = [
     "src/bms_wrapper.cpp",
     "src/os_account_wrapper.cpp",
+    "src/permission_check_wrapper.cpp",
     "src/system_ability_wrapper.cpp",
     "src/system_event_wrapper.cpp",
   ]

services/os_dependency/inc/bms_wrapper.h

@@ -28,9 +28,6 @@ enum OwnerType {
 };
 
 int32_t GetOwnerInfo(int32_t userId, uint64_t uid, OwnerType *ownerType, uint8_t *ownerInfo, uint32_t *infoLen);
-bool CheckInteractPermission(void);
-bool CheckPersistentPermission(void);
-bool CheckSystemHapPermission(void);
 
 #ifdef __cplusplus
 }

services/os_dependency/inc/permission_check_wrapper.h

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PERMISSION_CHECK_WRAPPER
+#define PERMISSION_CHECK_WRAPPER
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+bool CheckInteractPermission(void);
+bool CheckPersistentPermission(void);
+bool CheckSystemHapPermission(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

services/os_dependency/src/bms_wrapper.cpp

@@ -21,7 +21,6 @@
 #include "accesstoken_kit.h"
 #include "bundle_mgr_client.h"
 #include "hap_token_info.h"
-#include "tokenid_kit.h"
 #include "ipc_skeleton.h"
 
 #include "asset_type.h"
@@ -65,31 +64,6 @@ int32_t GetProcessInfo(uint32_t tokenId, uint64_t uid, std::string &info)
     return ASSET_SUCCESS;
 }
 
-bool CheckSystemApp(void)
-{
-    auto accessTokenId = IPCSkeleton::GetCallingFullTokenID();
-    bool isSystemApp = TokenIdKit::IsSystemAppByFullTokenID(accessTokenId);
-    if (isSystemApp) {
-        LOGI("[INFO]Check system app success!");
-        return true;
-    } else {
-        LOGI("[INFO]Check system app failed");
-        return false;
-    }
-}
-
-bool CheckPermission(const char* permission)
-{
-    auto tokenId = IPCSkeleton::GetCallingTokenID();
-    int result = AccessTokenKit::VerifyAccessToken(tokenId, permission);
-    if (result == PERMISSION_GRANTED) {
-        LOGI("[INFO]Check permission success!");
-        return true;
-    } else {
-        LOGI("[INFO]Check permission failed, ret=%d", result);
-        return false;
-    }
-}
 } // namespace
 
 int32_t GetOwnerInfo(int32_t userId, uint64_t uid, OwnerType *ownerType, uint8_t *ownerInfo, uint32_t *infoLen)
@@ -128,26 +102,3 @@ int32_t GetOwnerInfo(int32_t userId, uint64_t uid, OwnerType *ownerType, uint8_t
     *infoLen = info.size();
     return ASSET_SUCCESS;
 }
-
-bool CheckPersistentPermission(void)
-{
-    const char* permission = "ohos.permission.STORE_PERSISTENT_DATA";
-    return CheckPermission(permission);
-}
-
-bool CheckInteractPermission(void)
-{
-    const char* permission = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
-    return CheckPermission(permission);
-}
-
-bool CheckSystemHapPermission(void)
-{
-    auto tokenId = IPCSkeleton::GetCallingTokenID();
-    ATokenTypeEnum tokenType = AccessTokenKit::GetTokenTypeFlag(tokenId);
-    bool res = true;
-    if(tokenType == ATokenTypeEnum::TOKEN_HAP) {
-        res = CheckSystemApp();
-    }
-    return res;
-}

services/os_dependency/src/permission_check_wrapper.cpp

@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "permission_check_wrapper.h"
+
+#include <cstring>
+#include "securec.h"
+
+#include "accesstoken_kit.h"
+#include "tokenid_kit.h"
+#include "ipc_skeleton.h"
+
+#include "asset_type.h"
+#include "asset_log.h"
+
+using namespace OHOS;
+using namespace Security::AccessToken;
+
+namespace {
+bool CheckSystemApp(void)
+{
+    auto accessTokenId = IPCSkeleton::GetCallingFullTokenID();
+    bool isSystemApp = TokenIdKit::IsSystemAppByFullTokenID(accessTokenId);
+    if (isSystemApp) {
+        LOGI("[INFO]Check system app success!");
+        return true;
+    } else {
+        LOGI("[INFO]Check system app failed");
+        return false;
+    }
+}
+
+bool CheckPermission(const char* permission)
+{
+    auto tokenId = IPCSkeleton::GetCallingTokenID();
+    int result = AccessTokenKit::VerifyAccessToken(tokenId, permission);
+    if (result == PERMISSION_GRANTED) {
+        LOGI("[INFO]Check permission success!");
+        return true;
+    } else {
+        LOGI("[INFO]Check permission failed, ret=%d", result);
+        return false;
+    }
+}
+} // namespace
+
+bool CheckPersistentPermission(void)
+{
+    const char* permission = "ohos.permission.STORE_PERSISTENT_DATA";
+    return CheckPermission(permission);
+}
+
+bool CheckInteractPermission(void)
+{
+    const char* permission = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS";
+    return CheckPermission(permission);
+}
+
+bool CheckSystemHapPermission(void)
+{
+    auto tokenId = IPCSkeleton::GetCallingTokenID();
+    ATokenTypeEnum tokenType = AccessTokenKit::GetTokenTypeFlag(tokenId);
+    bool res = true;
+    if(tokenType == ATokenTypeEnum::TOKEN_HAP) {
+        res = CheckSystemApp();
+    }
+    return res;
+}

test/unittest/module_test/inc/permission_check_wrapper_test.h

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PERMISSION_CHECK_WRAPPER_TEST_H
+#define PERMISSION_CHECK_WRAPPER_TEST_H
+
+namespace UnitTest::AssetPermissionCheckWrapperTest {
+int AssetPermissionCheckWrapperTest001(void);
+int AssetPermissionCheckWrapperTest002(void);
+int AssetPermissionCheckWrapperTest003(void);
+}
+
+#endif // BMS_WRAPPER_TEST_H

test/unittest/module_test/inc/sec_asset_api_test.h

@@ -24,6 +24,7 @@ int AssetSystemApiTest001(void);
 int AssetSystemApiTest002(void);
 int AssetSystemApiTest003(void);
 int AssetSystemApiTest004(void);
+int AssetSystemApiTest005(void);
 }
 
 #endif // SEC_ASSET_API_TEST_H

test/unittest/module_test/src/bms_wrapper_test.cpp

@@ -113,37 +113,4 @@ HWTEST_F(AssetBmsWrapperTest, AssetBmsWrapperTest004, TestSize.Level0)
     uint64_t uid = 0;
     ASSERT_EQ(SEC_ASSET_INVALID_ARGUMENT, GetOwnerInfo(userId, uid, &ownerType, ownerInfo, infoLen));
 }
-
-/**
- * @tc.name: AssetBmsWrapperTest.AssetBmsWrapperTest005
- * @tc.desc: Test asset func CheckPersistentPermission, expect BMS_ERROR
- * @tc.type: FUNC
- * @tc.result:0
- */
-HWTEST_F(AssetBmsWrapperTest, AssetBmsWrapperTest005, TestSize.Level0)
-{
-    ASSERT_EQ(false, CheckPersistentPermission());
-}
-
-/**
- * @tc.name: AssetBmsWrapperTest.AssetBmsWrapperTest006
- * @tc.desc: Test asset func CheckInteractPermission, expect ERROR
- * @tc.type: FUNC
- * @tc.result:0
- */
-HWTEST_F(AssetBmsWrapperTest, AssetBmsWrapperTest006, TestSize.Level0)
-{
-    ASSERT_EQ(true, CheckInteractPermission());
-}
-
-/**
- * @tc.name: AssetBmsWrapperTest.AssetBmsWrapperTest007
- * @tc.desc: Test asset func CheckSystemHapPermission, expect ERROR
- * @tc.type: FUNC
- * @tc.result:0
- */
-HWTEST_F(AssetBmsWrapperTest, AssetBmsWrapperTest007, TestSize.Level0)
-{
-    ASSERT_EQ(true, CheckSystemHapPermission());
-}
 }

test/unittest/module_test/src/permission_check_wrapper_test.cpp

@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "permission_check_wrapper_test.h"
+
+#include <cstring>
+#include <gtest/gtest.h>
+
+#include "sec_asset_type.h"
+#include "permission_check_wrapper.h"
+
+using namespace testing::ext;
+namespace UnitTest::AssetPermissionCheckWrapperTest {
+class AssetPermissionCheckWrapperTest : public testing::Test {
+public:
+    static void SetUpTestCase(void);
+
+    static void TearDownTestCase(void);
+
+    void SetUp(void);
+
+    void TearDown(void);
+};
+
+void AssetPermissionCheckWrapperTest::SetUpTestCase(void)
+{
+}
+
+void AssetPermissionCheckWrapperTest::TearDownTestCase(void)
+{
+}
+
+void AssetPermissionCheckWrapperTest::SetUp(void)
+{
+}
+
+void AssetPermissionCheckWrapperTest::TearDown(void)
+{
+}
+
+/**
+ * @tc.name: AssetPermissionCheckWrapperTest.AssetPermissionCheckWrapperTest001
+ * @tc.desc: Test asset func CheckPersistentPermission, expect ERROR
+ * @tc.type: FUNC
+ * @tc.result:0
+ */
+HWTEST_F(AssetPermissionCheckWrapperTest, AssetPermissionCheckWrapperTest001, TestSize.Level0)
+{
+    ASSERT_EQ(false, CheckPersistentPermission());
+}
+
+/**
+ * @tc.name: AssetPermissionCheckWrapperTest.AssetPermissionCheckWrapperTest002
+ * @tc.desc: Test asset func CheckInteractPermission, expect ERROR
+ * @tc.type: FUNC
+ * @tc.result:0
+ */
+HWTEST_F(AssetPermissionCheckWrapperTest, AssetPermissionCheckWrapperTest002, TestSize.Level0)
+{
+    ASSERT_EQ(false, CheckInteractPermission());
+}
+
+/**
+ * @tc.name: AssetPermissionCheckWrapperTest.AssetPermissionCheckWrapperTest003
+ * @tc.desc: Test asset func CheckSystemHapPermission, expect SUCCESS
+ * @tc.type: FUNC
+ * @tc.result:0
+ */
+HWTEST_F(AssetPermissionCheckWrapperTest, AssetPermissionCheckWrapperTest003, TestSize.Level0)
+{
+    ASSERT_EQ(true, CheckSystemHapPermission());
+}
+}

test/unittest/module_test/src/sec_asset_api_test.cpp

@@ -310,20 +310,31 @@ HWTEST_F(AssetSystemApiTest, AssetSystemApiTest004, TestSize.Level0)
 
 /**
  * @tc.name: AssetSystemApiTest.AssetSystemApiTest005
- * @tc.desc: Test asset func AssetAdd expect ERROR
+ * @tc.desc: Test asset func AssetUpdate expect SUCCESS
  * @tc.type: FUNC
  * @tc.result:0
  */
 HWTEST_F(AssetSystemApiTest, AssetSystemApiTest005, TestSize.Level0)
 {
     AssetBlob funcName = { .size = strlen(__func__), .data = reinterpret_cast<uint8_t*>(const_cast<char*>(__func__)) };
-    AssetAttr attr[] = {
+    AssetAttr addAttr[] = {
         { .tag = SEC_ASSET_TAG_ALIAS, .value.blob = funcName },
         { .tag = SEC_ASSET_TAG_SECRET, .value.blob = funcName },
-        { .tag = SEC_ASSET_TAG_USER_ID, .value.u32 = SPECIFIC_USER_ID - 1 },
+        { .tag = SEC_ASSET_TAG_USER_ID, .value.u32 = SPECIFIC_USER_ID },
         { .tag = SEC_ASSET_TAG_ACCESSIBILITY, .value.u32 = SEC_ASSET_ACCESSIBILITY_DEVICE_UNLOCKED },
-        { .tag = SEC_ASSET_TAG_AUTH_TYPE, .value.u32 = SEC_ASSET_AUTH_TYPE_ANY }
     };
-    ASSERT_EQ(SEC_ASSET_INVALID_ARGUMENT, AssetAdd(attr, ARRAY_SIZE(attr)));
+    ASSERT_EQ(SEC_ASSET_SUCCESS, AssetAdd(addAttr, ARRAY_SIZE(addAttr)));
+
+    AssetAttr queryAttr[] = {
+        { .tag = SEC_ASSET_TAG_ALIAS, .value.blob = funcName }
+    };
+    const char *secretNew = "secret_new";
+    AssetAttr updateAttr[] = {
+        { .tag = SEC_ASSET_TAG_SECRET, .value.blob =
+            { .size = strlen(secretNew), .data = reinterpret_cast<uint8_t*>(const_cast<char*>(secretNew)) } }
+    };
+    ASSERT_EQ(SEC_ASSET_SUCCESS, AssetUpdate(queryAttr, ARRAY_SIZE(queryAttr), updateAttr, ARRAY_SIZE(updateAttr)));
+
+    ASSERT_EQ(SEC_ASSET_SUCCESS, RemoveByAlias(__func__));
 }
 }