1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #include "dlp_permission_set_parser.h"
16 
17 #include <fcntl.h>
18 #include <memory>
19 #include <sys/stat.h>
20 #include <sys/types.h>
21 #include <unistd.h>
22 
23 #include "access_token_error.h"
24 #include "accesstoken_log.h"
25 #include "data_validator.h"
26 #include "dlp_permission_set_manager.h"
27 #include "securec.h"
28 
29 namespace OHOS {
30 namespace Security {
31 namespace AccessToken {
32 namespace {
33 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE, SECURITY_DOMAIN_ACCESSTOKEN, "DlpPermissionSetParser"};
34 std::recursive_mutex g_instanceMutex;
35 }
36 
37 // nlohmann json need the function named from_json to parse
from_json(const nlohmann::json & j,PermissionDlpMode & p)38 void from_json(const nlohmann::json& j, PermissionDlpMode& p)
39 {
40     if (j.find("name") == j.end() || (!j.at("name").is_string())) {
41         return;
42     }
43     p.permissionName = j.at("name").get<std::string>();
44     if (!DataValidator::IsProcessNameValid(p.permissionName)) {
45         return;
46     }
47 
48     if (j.find("dlpGrantRange") == j.end() || (!j.at("dlpGrantRange").is_string())) {
49         return;
50     }
51     std::string dlpModeStr = j.at("dlpGrantRange").get<std::string>();
52     if (dlpModeStr == "all") {
53         p.dlpMode = DLP_PERM_ALL;
54         return;
55     }
56     if (dlpModeStr == "full_control") {
57         p.dlpMode = DLP_PERM_FULL_CONTROL;
58         return;
59     }
60     p.dlpMode = DLP_PERM_NONE;
61     return;
62 }
63 
ParserDlpPermsRawData(const std::string & dlpPermsRawData,std::vector<PermissionDlpMode> & dlpPerms)64 int32_t DlpPermissionSetParser::ParserDlpPermsRawData(const std::string& dlpPermsRawData,
65     std::vector<PermissionDlpMode>& dlpPerms)
66 {
67     nlohmann::json jsonRes = nlohmann::json::parse(dlpPermsRawData, nullptr, false);
68     if (jsonRes.is_discarded()) {
69         ACCESSTOKEN_LOG_ERROR(LABEL, "JsonRes is invalid.");
70         return ERR_PARAM_INVALID;
71     }
72 
73     if ((jsonRes.find("dlpPermissions") != jsonRes.end()) && (jsonRes.at("dlpPermissions").is_array())) {
74         nlohmann::json dlpPermTokenJson = jsonRes.at("dlpPermissions").get<nlohmann::json>();
75         dlpPerms = dlpPermTokenJson.get<std::vector<PermissionDlpMode>>();
76     }
77 
78     return RET_SUCCESS;
79 }
80 
ReadCfgFile(std::string & dlpPermsRawData)81 int32_t DlpPermissionSetParser::ReadCfgFile(std::string& dlpPermsRawData)
82 {
83     int32_t fd = open(CLONE_PERMISSION_CONFIG_FILE.c_str(), O_RDONLY);
84     if (fd < 0) {
85         ACCESSTOKEN_LOG_ERROR(LABEL, "Open failed errno %{public}d.", errno);
86         return ERR_FILE_OPERATE_FAILED;
87     }
88     struct stat statBuffer;
89 
90     if (fstat(fd, &statBuffer) != 0) {
91         ACCESSTOKEN_LOG_ERROR(LABEL, "Fstat failed errno %{public}d.", errno);
92         close(fd);
93         return ERR_FILE_OPERATE_FAILED;
94     }
95 
96     if (statBuffer.st_size == 0) {
97         ACCESSTOKEN_LOG_ERROR(LABEL, "Config file size is 0.");
98         close(fd);
99         return ERR_PARAM_INVALID;
100     }
101     if (statBuffer.st_size > MAX_CLONE_PERMISSION_CONFIG_FILE_SIZE) {
102         ACCESSTOKEN_LOG_ERROR(LABEL, "Config file size is too large.");
103         close(fd);
104         return ERR_OVERSIZE;
105     }
106     dlpPermsRawData.reserve(statBuffer.st_size);
107 
108     char buff[MAX_BUFFER_SIZE] = { 0 };
109     ssize_t readLen = 0;
110     while ((readLen = read(fd, buff, MAX_BUFFER_SIZE)) > 0) {
111         dlpPermsRawData.append(buff, readLen);
112     }
113     close(fd);
114 
115     if (readLen == 0) {
116         return RET_SUCCESS;
117     }
118     return ERR_FILE_OPERATE_FAILED;
119 }
120 
Init()121 int32_t DlpPermissionSetParser::Init()
122 {
123     if (ready_) {
124         ACCESSTOKEN_LOG_ERROR(LABEL, "Dlp permission has been set.");
125         return RET_SUCCESS;
126     }
127 
128     std::string dlpPermsRawData;
129     int32_t ret = ReadCfgFile(dlpPermsRawData);
130     if (ret != RET_SUCCESS) {
131         ACCESSTOKEN_LOG_ERROR(LABEL, "ReadCfgFile failed.");
132         return ret;
133     }
134     std::vector<PermissionDlpMode> dlpPerms;
135     ret = ParserDlpPermsRawData(dlpPermsRawData, dlpPerms);
136     if (ret != RET_SUCCESS) {
137         ACCESSTOKEN_LOG_ERROR(LABEL, "ParserDlpPermsRawData failed.");
138         return ERR_FILE_OPERATE_FAILED;
139     }
140     DlpPermissionSetManager::GetInstance().ProcessDlpPermInfos(dlpPerms);
141 
142     ready_ = true;
143     ACCESSTOKEN_LOG_INFO(LABEL, "Init ok.");
144     return RET_SUCCESS;
145 }
146 
GetInstance()147 DlpPermissionSetParser& DlpPermissionSetParser::GetInstance()
148 {
149     static DlpPermissionSetParser* instance = nullptr;
150     if (instance == nullptr) {
151         std::lock_guard<std::recursive_mutex> lock(g_instanceMutex);
152         if (instance == nullptr) {
153             instance = new DlpPermissionSetParser();
154         }
155     }
156     return *instance;
157 }
158 } // namespace AccessToken
159 } // namespace Security
160 } // namespace OHOS
161