1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "clone_app_permission_test.h"
17 #include <thread>
18
19 #include "accesstoken_kit.h"
20 #include "accesstoken_log.h"
21 #include "access_token_error.h"
22 #include "nativetoken_kit.h"
23 #include "token_setproc.h"
24 #include "tokenid_kit.h"
25
26 using namespace testing::ext;
27 using namespace OHOS::Security::AccessToken;
28
29 namespace {
30 static const std::string PERMISSION_ALL = "ohos.permission.CAMERA";
31 static const std::string PERMISSION_FULL_CONTROL = "ohos.permission.WRITE_MEDIA";
32 static const std::string PERMISSION_NOT_DISPLAYED = "ohos.permission.ANSWER_CALL";
33 static const std::string TEST_PERMISSION_GRANT = "ohos.permission.GRANT_SENSITIVE_PERMISSIONS";
34 static const std::string TEST_PERMISSION_REVOKE = "ohos.permission.REVOKE_SENSITIVE_PERMISSIONS";
35 static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {LOG_CORE,
36 SECURITY_DOMAIN_ACCESSTOKEN, "AccessTokenKitExtensionTest"};
37
38 HapInfoParams g_infoParmsCommon = {
39 .userID = 1,
40 .bundleName = "CloneAppPermissionTest",
41 .instIndex = 0,
42 .dlpType = DLP_COMMON,
43 .appIDDesc = "CloneAppPermissionTest"
44 };
45
46 HapInfoParams g_infoParmsCommonClone1 = {
47 .userID = 1,
48 .bundleName = "CloneAppPermissionTest",
49 .instIndex = 5, // clone app index is 5
50 .dlpType = DLP_COMMON,
51 .appIDDesc = "CloneAppPermissionTest"
52 };
53
54 HapInfoParams g_infoParmsCommonClone2 = {
55 .userID = 1,
56 .bundleName = "CloneAppPermissionTest",
57 .instIndex = 6, // clone app index is 6
58 .dlpType = DLP_COMMON,
59 .appIDDesc = "CloneAppPermissionTest"
60 };
61
62 HapInfoParams g_infoParmsFullControl = {
63 .userID = 1,
64 .bundleName = "CloneAppPermissionTest",
65 .instIndex = 1,
66 .dlpType = DLP_FULL_CONTROL,
67 .appIDDesc = "CloneAppPermissionTest"
68 };
69
70 HapInfoParams g_infoParmsReadOnly = {
71 .userID = 1,
72 .bundleName = "CloneAppPermissionTest",
73 .instIndex = 2,
74 .dlpType = DLP_READ,
75 .appIDDesc = "CloneAppPermissionTest"
76 };
77
78 PermissionStateFull g_stateFullControl = {
79 .permissionName = "ohos.permission.WRITE_MEDIA",
80 .isGeneral = true,
81 .resDeviceID = {"local"},
82 .grantStatus = {PermissionState::PERMISSION_DENIED},
83 .grantFlags = {0}
84 };
85
86 PermissionStateFull g_stateAll = {
87 .permissionName = "ohos.permission.CAMERA",
88 .isGeneral = true,
89 .resDeviceID = {"local"},
90 .grantStatus = {PermissionState::PERMISSION_DENIED},
91 .grantFlags = {0}
92 };
93
94 HapPolicyParams g_policyParams = {
95 .apl = APL_NORMAL,
96 .domain = "test.domain",
97 .permList = {},
98 .permStateList = {g_stateFullControl, g_stateAll}
99 };
100
101 }
102
TearDownTestCase()103 void CloneAppPermissionTest::TearDownTestCase()
104 {
105 AccessTokenID tokenId = AccessTokenKit::GetHapTokenID(1, "PermissionEnvironment", 0);
106 int32_t ret = AccessTokenKit::DeleteToken(tokenId);
107 EXPECT_EQ(RET_SUCCESS, ret);
108 }
109
SetUp()110 void CloneAppPermissionTest::SetUp()
111 {
112 ACCESSTOKEN_LOG_INFO(LABEL, "SetUp ok.");
113 }
114
TearDown()115 void CloneAppPermissionTest::TearDown()
116 {
117 }
118
SetUpTestCase()119 void CloneAppPermissionTest::SetUpTestCase()
120 {
121 HapInfoParams infoParmsEnvironment = {
122 .userID = 1,
123 .bundleName = "PermissionEnvironment",
124 .instIndex = 0,
125 .dlpType = DLP_COMMON,
126 .appIDDesc = "PermissionEnvironment",
127 .isSystemApp = true
128 };
129 PermissionStateFull stateGrant = {
130 .permissionName = TEST_PERMISSION_GRANT,
131 .isGeneral = true,
132 .resDeviceID = {"local"},
133 .grantStatus = {PermissionState::PERMISSION_GRANTED},
134 .grantFlags = {0}
135 };
136 PermissionStateFull stateRevoke = {
137 .permissionName = TEST_PERMISSION_REVOKE,
138 .isGeneral = true,
139 .resDeviceID = {"local"},
140 .grantStatus = {PermissionState::PERMISSION_GRANTED},
141 .grantFlags = {0}
142 };
143 HapPolicyParams policyParams = {
144 .apl = APL_NORMAL,
145 .domain = "test.domain",
146 .permList = {},
147 .permStateList = {stateGrant, stateRevoke}
148 };
149 AccessTokenIDEx tokenIdEx = {0};
150 tokenIdEx = AccessTokenKit::AllocHapToken(infoParmsEnvironment, policyParams);
151 EXPECT_NE(0, tokenIdEx.tokenIdExStruct.tokenID);
152 EXPECT_EQ(true, TokenIdKit::IsSystemAppByFullTokenID(tokenIdEx.tokenIDEx));
153 EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIDEx));
154 ACCESSTOKEN_LOG_INFO(LABEL, "SetUpTestCase ok.");
155 }
156
AllocHapTokenId(HapInfoParams info,HapPolicyParams policy)157 static AccessTokenID AllocHapTokenId(HapInfoParams info, HapPolicyParams policy)
158 {
159 AccessTokenIDEx tokenIdEx = {0};
160 tokenIdEx = AccessTokenKit::AllocHapToken(info, policy);
161 AccessTokenID tokenId = tokenIdEx.tokenIdExStruct.tokenID;
162 EXPECT_NE(0, tokenId);
163 int ret = AccessTokenKit::VerifyAccessToken(tokenId, PERMISSION_FULL_CONTROL, false);
164 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
165 ret = AccessTokenKit::VerifyAccessToken(tokenId, PERMISSION_ALL, false);
166 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
167 uint32_t flag;
168 ret = AccessTokenKit::GetPermissionFlag(tokenId, PERMISSION_FULL_CONTROL, flag);
169 EXPECT_EQ(flag, PERMISSION_DEFAULT_FLAG);
170 EXPECT_EQ(ret, RET_SUCCESS);
171 ret = AccessTokenKit::GetPermissionFlag(tokenId, PERMISSION_ALL, flag);
172 EXPECT_EQ(flag, PERMISSION_DEFAULT_FLAG);
173 EXPECT_EQ(ret, RET_SUCCESS);
174 return tokenId;
175 }
176
177 /**
178 * @tc.name: OriginApp01
179 * @tc.desc: main app grant permission.
180 * @tc.type: FUNC
181 * @tc.require:Issue Number
182 */
183 HWTEST_F(CloneAppPermissionTest, OriginApp01, TestSize.Level1)
184 {
185 int ret;
186 auto policyParams = g_policyParams;
187 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
188 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
189 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
190 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
191 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
192
193 // grant common app
194 ret = AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
195 EXPECT_EQ(RET_SUCCESS, ret);
196 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
197 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
198 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
199 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
200 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
201 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
202 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
203 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
204 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
205 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
206
207 ret = AccessTokenKit::DeleteToken(tokenCommon);
208 EXPECT_EQ(RET_SUCCESS, ret);
209 ret = AccessTokenKit::DeleteToken(tokenFullControl);
210 EXPECT_EQ(RET_SUCCESS, ret);
211 ret = AccessTokenKit::DeleteToken(tokenRead);
212 EXPECT_EQ(RET_SUCCESS, ret);
213 ret = AccessTokenKit::DeleteToken(tokenClone1);
214 EXPECT_EQ(RET_SUCCESS, ret);
215 ret = AccessTokenKit::DeleteToken(tokenClone2);
216 EXPECT_EQ(RET_SUCCESS, ret);
217 }
218
219 /**
220 * @tc.name: OriginApp02
221 * @tc.desc: main app revoke permission.
222 * @tc.type: FUNC
223 * @tc.require:Issue Number
224 */
225 HWTEST_F(CloneAppPermissionTest, OriginApp02, TestSize.Level1)
226 {
227 int ret;
228 auto policyParams = g_policyParams;
229 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
230 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
231 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
232 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
233 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
234
235 // grant common app
236 ret = AccessTokenKit::RevokePermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
237 EXPECT_EQ(RET_SUCCESS, ret);
238 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
239 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
240 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
241 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
242 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
243 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
244 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
245 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
246 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
247 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
248 uint32_t flag;
249 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
250 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
251 EXPECT_EQ(ret, RET_SUCCESS);
252
253 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
254 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
255 EXPECT_EQ(ret, RET_SUCCESS);
256
257 ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag);
258 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
259 EXPECT_EQ(ret, RET_SUCCESS);
260
261 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
262 EXPECT_EQ(flag, 0);
263 EXPECT_EQ(ret, RET_SUCCESS);
264
265 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
266 EXPECT_EQ(flag, 0);
267 EXPECT_EQ(ret, RET_SUCCESS);
268
269 ret = AccessTokenKit::DeleteToken(tokenCommon);
270 EXPECT_EQ(RET_SUCCESS, ret);
271 ret = AccessTokenKit::DeleteToken(tokenFullControl);
272 EXPECT_EQ(RET_SUCCESS, ret);
273 ret = AccessTokenKit::DeleteToken(tokenRead);
274 EXPECT_EQ(RET_SUCCESS, ret);
275 ret = AccessTokenKit::DeleteToken(tokenClone1);
276 EXPECT_EQ(RET_SUCCESS, ret);
277 ret = AccessTokenKit::DeleteToken(tokenClone2);
278 EXPECT_EQ(RET_SUCCESS, ret);
279 }
280
281 /**
282 * @tc.name: OriginApp03
283 * @tc.desc: main app clear permission.
284 * @tc.type: FUNC
285 * @tc.require:Issue Number
286 */
287 HWTEST_F(CloneAppPermissionTest, OriginApp03, TestSize.Level1)
288 {
289 int ret;
290 auto policyParams = g_policyParams;
291 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
292 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
293 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
294 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
295 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
296
297 AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
298 AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
299 AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED);
300
301 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
302 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
303 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
304 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
305 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
306 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
307 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
308 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
309
310
311 ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenCommon);
312 EXPECT_EQ(ret, RET_SUCCESS);
313
314 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
315 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
316 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
317 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
318 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
319 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
320 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
321 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
322 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
323 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
324
325 uint32_t flag;
326 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
327 EXPECT_EQ(flag, 0);
328 EXPECT_EQ(ret, RET_SUCCESS);
329
330 ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag);
331 EXPECT_EQ(flag, 0);
332 EXPECT_EQ(ret, RET_SUCCESS);
333
334 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
335 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
336 EXPECT_EQ(ret, RET_SUCCESS);
337
338 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
339 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
340 EXPECT_EQ(ret, RET_SUCCESS);
341
342 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenCommon));
343 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenFullControl));
344 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenRead));
345 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone1));
346 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone2));
347 }
348
349 /**
350 * @tc.name: ReadDlp01
351 * @tc.desc: read mode dlp app grant permission.
352 * @tc.type: FUNC
353 * @tc.require:Issue Number
354 */
355 HWTEST_F(CloneAppPermissionTest, ReadDlp01, TestSize.Level1)
356 {
357 int ret;
358 auto policyParams = g_policyParams;
359 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
360 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
361 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
362 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
363 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
364
365 // grant common app
366 ret = AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED);
367 EXPECT_EQ(RET_SUCCESS, ret);
368 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
369 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
370 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
371 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
372 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
373 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
374 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
375 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
376 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
377 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
378
379 ret = AccessTokenKit::DeleteToken(tokenCommon);
380 EXPECT_EQ(RET_SUCCESS, ret);
381 ret = AccessTokenKit::DeleteToken(tokenFullControl);
382 EXPECT_EQ(RET_SUCCESS, ret);
383 ret = AccessTokenKit::DeleteToken(tokenRead);
384 EXPECT_EQ(RET_SUCCESS, ret);
385 ret = AccessTokenKit::DeleteToken(tokenClone1);
386 EXPECT_EQ(RET_SUCCESS, ret);
387 ret = AccessTokenKit::DeleteToken(tokenClone2);
388 EXPECT_EQ(RET_SUCCESS, ret);
389 }
390
391 /**
392 * @tc.name: ReadDlp02
393 * @tc.desc: read mode dlp app revoke permission.
394 * @tc.type: FUNC
395 * @tc.require:Issue Number
396 */
397 HWTEST_F(CloneAppPermissionTest, ReadDlp02, TestSize.Level1)
398 {
399 int ret;
400 auto policyParams = g_policyParams;
401 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
402 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
403 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
404 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
405 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
406
407 // grant common app
408 ret = AccessTokenKit::RevokePermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED);
409 EXPECT_EQ(RET_SUCCESS, ret);
410 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
411 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
412 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
413 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
414 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
415 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
416 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
417 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
418 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
419 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
420
421 uint32_t flag;
422 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
423 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
424 EXPECT_EQ(ret, RET_SUCCESS);
425
426 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
427 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
428 EXPECT_EQ(ret, RET_SUCCESS);
429
430 ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag);
431 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
432 EXPECT_EQ(ret, RET_SUCCESS);
433
434 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
435 EXPECT_EQ(flag, 0);
436 EXPECT_EQ(ret, RET_SUCCESS);
437
438 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
439 EXPECT_EQ(flag, 0);
440 EXPECT_EQ(ret, RET_SUCCESS);
441
442 ret = AccessTokenKit::DeleteToken(tokenCommon);
443 EXPECT_EQ(RET_SUCCESS, ret);
444 ret = AccessTokenKit::DeleteToken(tokenFullControl);
445 EXPECT_EQ(RET_SUCCESS, ret);
446 ret = AccessTokenKit::DeleteToken(tokenRead);
447 EXPECT_EQ(RET_SUCCESS, ret);
448 ret = AccessTokenKit::DeleteToken(tokenClone1);
449 EXPECT_EQ(RET_SUCCESS, ret);
450 ret = AccessTokenKit::DeleteToken(tokenClone2);
451 EXPECT_EQ(RET_SUCCESS, ret);
452 }
453
454 /**
455 * @tc.name: ReadDlp03
456 * @tc.desc: read mode dlp app clear permission.
457 * @tc.type: FUNC
458 * @tc.require:Issue Number
459 */
460 HWTEST_F(CloneAppPermissionTest, ReadDlp03, TestSize.Level1)
461 {
462 int ret;
463 auto policyParams = g_policyParams;
464 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
465 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
466 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
467 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
468 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
469
470 AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED);
471 AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
472 AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED);
473
474 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
475 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
476 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
477 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
478 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
479 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
480 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
481 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
482
483
484 ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenRead);
485 EXPECT_EQ(ret, RET_SUCCESS);
486 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
487 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
488 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
489 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
490 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
491 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
492 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
493 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
494 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
495 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
496 uint32_t flag;
497 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
498 EXPECT_EQ(flag, 0);
499 EXPECT_EQ(ret, RET_SUCCESS);
500
501 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
502 EXPECT_EQ(flag, 0);
503 EXPECT_EQ(ret, RET_SUCCESS);
504
505 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
506 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
507 EXPECT_EQ(ret, RET_SUCCESS);
508
509 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
510 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
511 EXPECT_EQ(ret, RET_SUCCESS);
512
513 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenCommon));
514 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenFullControl));
515 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenRead));
516 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone1));
517 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone2));
518 }
519
520
521 /**
522 * @tc.name: CloneApp01
523 * @tc.desc: clone app grant permission.
524 * @tc.type: FUNC
525 * @tc.require:Issue Number
526 */
527 HWTEST_F(CloneAppPermissionTest, CloneApp01, TestSize.Level1)
528 {
529 int ret;
530 auto policyParams = g_policyParams;
531 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
532 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
533 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
534 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
535 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
536
537 // grant common app
538 ret = AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
539 EXPECT_EQ(RET_SUCCESS, ret);
540 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
541 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
542 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
543 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
544 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
545 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
546 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
547 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
548 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
549 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
550
551 ret = AccessTokenKit::DeleteToken(tokenCommon);
552 EXPECT_EQ(RET_SUCCESS, ret);
553 ret = AccessTokenKit::DeleteToken(tokenFullControl);
554 EXPECT_EQ(RET_SUCCESS, ret);
555 ret = AccessTokenKit::DeleteToken(tokenRead);
556 EXPECT_EQ(RET_SUCCESS, ret);
557 ret = AccessTokenKit::DeleteToken(tokenClone1);
558 EXPECT_EQ(RET_SUCCESS, ret);
559 ret = AccessTokenKit::DeleteToken(tokenClone2);
560 EXPECT_EQ(RET_SUCCESS, ret);
561 }
562
563 /**
564 * @tc.name: CloneApp02
565 * @tc.desc: clone app grant permission.
566 * @tc.type: FUNC
567 * @tc.require:Issue Number
568 */
569 HWTEST_F(CloneAppPermissionTest, CloneApp02, TestSize.Level1)
570 {
571 int ret;
572 auto policyParams = g_policyParams;
573 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
574 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
575 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
576 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
577 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
578
579 // grant common app
580 ret = AccessTokenKit::RevokePermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
581 EXPECT_EQ(RET_SUCCESS, ret);
582 uint32_t flag;
583 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
584 EXPECT_EQ(flag, 0);
585 EXPECT_EQ(ret, RET_SUCCESS);
586
587 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
588 EXPECT_EQ(flag, 0);
589 EXPECT_EQ(ret, RET_SUCCESS);
590
591 ret = AccessTokenKit::GetPermissionFlag(tokenRead, PERMISSION_ALL, flag);
592 EXPECT_EQ(flag, 0);
593 EXPECT_EQ(ret, RET_SUCCESS);
594
595 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
596 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
597 EXPECT_EQ(ret, RET_SUCCESS);
598
599 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
600 EXPECT_EQ(flag, 0);
601 EXPECT_EQ(ret, RET_SUCCESS);
602
603 ret = AccessTokenKit::DeleteToken(tokenCommon);
604 EXPECT_EQ(RET_SUCCESS, ret);
605 ret = AccessTokenKit::DeleteToken(tokenFullControl);
606 EXPECT_EQ(RET_SUCCESS, ret);
607 ret = AccessTokenKit::DeleteToken(tokenRead);
608 EXPECT_EQ(RET_SUCCESS, ret);
609 ret = AccessTokenKit::DeleteToken(tokenClone1);
610 EXPECT_EQ(RET_SUCCESS, ret);
611 ret = AccessTokenKit::DeleteToken(tokenClone2);
612 EXPECT_EQ(RET_SUCCESS, ret);
613 }
614
615 /**
616 * @tc.name: CloneApp03
617 * @tc.desc: clone app clear permission.
618 * @tc.type: FUNC
619 * @tc.require:Issue Number
620 */
621 HWTEST_F(CloneAppPermissionTest, CloneApp03, TestSize.Level1)
622 {
623 int ret;
624 auto policyParams = g_policyParams;
625 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
626 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
627 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
628 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
629 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
630
631 AccessTokenKit::GrantPermission(tokenRead, PERMISSION_ALL, PERMISSION_USER_FIXED);
632 AccessTokenKit::GrantPermission(tokenClone1, PERMISSION_ALL, PERMISSION_USER_FIXED);
633 AccessTokenKit::GrantPermission(tokenClone2, PERMISSION_ALL, PERMISSION_USER_FIXED);
634
635 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
636 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
637 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
638 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
639 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
640 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
641 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
642 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
643
644
645 ret = AccessTokenKit::ClearUserGrantedPermissionState(tokenClone1);
646 EXPECT_EQ(ret, RET_SUCCESS);
647 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
648 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
649 ret = AccessTokenKit::VerifyAccessToken(tokenFullControl, PERMISSION_ALL);
650 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
651 ret = AccessTokenKit::VerifyAccessToken(tokenRead, PERMISSION_ALL);
652 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
653 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
654 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
655 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
656 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
657 uint32_t flag;
658 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
659 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
660 EXPECT_EQ(ret, RET_SUCCESS);
661
662 ret = AccessTokenKit::GetPermissionFlag(tokenFullControl, PERMISSION_ALL, flag);
663 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
664 EXPECT_EQ(ret, RET_SUCCESS);
665
666 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
667 EXPECT_EQ(flag, 0);
668 EXPECT_EQ(ret, RET_SUCCESS);
669
670 ret = AccessTokenKit::GetPermissionFlag(tokenClone2, PERMISSION_ALL, flag);
671 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
672 EXPECT_EQ(ret, RET_SUCCESS);
673
674 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenCommon));
675 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenFullControl));
676 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenRead));
677 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone1));
678 EXPECT_EQ(RET_SUCCESS, AccessTokenKit::DeleteToken(tokenClone2));
679 }
680
681
682 /**
683 * @tc.name: CloneApp04
684 * @tc.desc: The permissions of the clone application do not inherit the permissions of the main application
685 * @tc.type: FUNC
686 * @tc.require:Issue Number
687 */
688 HWTEST_F(CloneAppPermissionTest, CloneApp04, TestSize.Level1)
689 {
690 int ret;
691 uint32_t flag;
692 auto policyParams = g_policyParams;
693 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
694 ret = AccessTokenKit::GrantPermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
695 EXPECT_EQ(RET_SUCCESS, ret);
696 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
697 EXPECT_EQ(ret, PermissionState::PERMISSION_GRANTED);
698 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
699 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
700 EXPECT_EQ(ret, RET_SUCCESS);
701
702 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
703 ret = AccessTokenKit::VerifyAccessToken(tokenClone1, PERMISSION_ALL);
704 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
705 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
706 EXPECT_EQ(flag, 0);
707 EXPECT_EQ(ret, RET_SUCCESS);
708
709 ret = AccessTokenKit::RevokePermission(tokenCommon, PERMISSION_ALL, PERMISSION_USER_FIXED);
710 EXPECT_EQ(RET_SUCCESS, ret);
711 ret = AccessTokenKit::VerifyAccessToken(tokenCommon, PERMISSION_ALL);
712 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
713 ret = AccessTokenKit::GetPermissionFlag(tokenCommon, PERMISSION_ALL, flag);
714 EXPECT_EQ(flag, PERMISSION_USER_FIXED);
715 EXPECT_EQ(ret, RET_SUCCESS);
716
717 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
718 ret = AccessTokenKit::VerifyAccessToken(tokenClone2, PERMISSION_ALL);
719 EXPECT_EQ(ret, PermissionState::PERMISSION_DENIED);
720 ret = AccessTokenKit::GetPermissionFlag(tokenClone1, PERMISSION_ALL, flag);
721 EXPECT_EQ(flag, 0);
722 EXPECT_EQ(ret, RET_SUCCESS);
723
724 ret = AccessTokenKit::DeleteToken(tokenCommon);
725 EXPECT_EQ(RET_SUCCESS, ret);
726 ret = AccessTokenKit::DeleteToken(tokenClone1);
727 EXPECT_EQ(RET_SUCCESS, ret);
728 ret = AccessTokenKit::DeleteToken(tokenClone2);
729 EXPECT_EQ(RET_SUCCESS, ret);
730 }
731
732 /**
733 * @tc.name: CloneApp05
734 * @tc.desc: create a clone app
735 * @tc.type: FUNC
736 * @tc.require:Issue Number
737 */
738 HWTEST_F(CloneAppPermissionTest, CloneApp05, TestSize.Level1)
739 {
740 int ret;
741 auto policyParams = g_policyParams;
742 int32_t cloneFlag;
743 int32_t dlpFlag;
744 AccessTokenIDInner *idInner = nullptr;
745 AccessTokenID tokenCommon = AllocHapTokenId(g_infoParmsCommon, policyParams);
746 AccessTokenID tokenFullControl = AllocHapTokenId(g_infoParmsFullControl, policyParams);
747 AccessTokenID tokenRead = AllocHapTokenId(g_infoParmsReadOnly, policyParams);
748 AccessTokenID tokenClone1 = AllocHapTokenId(g_infoParmsCommonClone1, policyParams);
749 AccessTokenID tokenClone2 = AllocHapTokenId(g_infoParmsCommonClone2, policyParams);
750
751 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenCommon);
752 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
753 EXPECT_EQ(cloneFlag, 0);
754 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
755 EXPECT_EQ(dlpFlag, 0);
756
757 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenFullControl);
758 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
759 EXPECT_EQ(cloneFlag, 0);
760 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
761 EXPECT_EQ(dlpFlag, 1);
762
763 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenRead);
764 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
765 EXPECT_EQ(cloneFlag, 0);
766 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
767 EXPECT_EQ(dlpFlag, 1);
768
769 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenClone1);
770 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
771 EXPECT_EQ(cloneFlag, 1);
772 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
773 EXPECT_EQ(dlpFlag, 0);
774
775 idInner = reinterpret_cast<AccessTokenIDInner *>(&tokenClone2);
776 cloneFlag = static_cast<int32_t>(idInner->cloneFlag);
777 EXPECT_EQ(cloneFlag, 1);
778 dlpFlag = static_cast<int32_t>(idInner->dlpFlag);
779 EXPECT_EQ(dlpFlag, 0);
780
781 ret = AccessTokenKit::DeleteToken(tokenCommon);
782 EXPECT_EQ(RET_SUCCESS, ret);
783 ret = AccessTokenKit::DeleteToken(tokenFullControl);
784 EXPECT_EQ(RET_SUCCESS, ret);
785 ret = AccessTokenKit::DeleteToken(tokenRead);
786 EXPECT_EQ(RET_SUCCESS, ret);
787 ret = AccessTokenKit::DeleteToken(tokenClone1);
788 EXPECT_EQ(RET_SUCCESS, ret);
789 ret = AccessTokenKit::DeleteToken(tokenClone2);
790 EXPECT_EQ(RET_SUCCESS, ret);
791 }