1 /*
2  * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H
17 #define OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H
18 
19 #include <functional>
20 #include <map>
21 #include <vector>
22 #include <unordered_set>
23 
24 #include "app_mgr_interface.h"
25 #include "istorage_manager.h"
26 #include "tokenid_permission.h"
27 #include "uri.h"
28 #include "uri_permission_manager_stub.h"
29 
30 namespace OHOS::AAFwk {
31 namespace {
32 using ClearProxyCallback = std::function<void(const wptr<IRemoteObject>&)>;
33 using TokenId = Security::AccessToken::AccessTokenID;
34 constexpr int32_t DEFAULT_ABILITY_ID = -1;
35 }
36 
37 struct GrantInfo {
38     unsigned int flag;
39     const uint32_t fromTokenId;
40     const uint32_t targetTokenId;
41     bool autoRemove;
42     std::unordered_set<int32_t> abilityIds;
43 
AddAbilityIdOHOS::AAFwk::GrantInfo44     void AddAbilityId(int32_t abilityId)
45     {
46         if (abilityId != DEFAULT_ABILITY_ID) {
47             abilityIds.insert(abilityId);
48         }
49     }
50 
RemoveAbilityIdOHOS::AAFwk::GrantInfo51     bool RemoveAbilityId(int32_t abilityId)
52     {
53         return abilityIds.erase(abilityId) > 0;
54     }
55 
IsEmptyAbilityIdOHOS::AAFwk::GrantInfo56     bool IsEmptyAbilityId()
57     {
58         return abilityIds.empty();
59     }
60 
ClearAbilityIdsOHOS::AAFwk::GrantInfo61     void ClearAbilityIds()
62     {
63         abilityIds.clear();
64     }
65 };
66 
67 struct PolicyInfo final {
68 public:
69     std::string path;
70     uint64_t mode;
71 };
72 
73 class UriPermissionManagerStubImpl : public UriPermissionManagerStub,
74                                      public std::enable_shared_from_this<UriPermissionManagerStubImpl> {
75 public:
76     UriPermissionManagerStubImpl() = default;
77     virtual ~UriPermissionManagerStubImpl() = default;
78 
79     int GrantUriPermission(const Uri &uri, unsigned int flag, const std::string targetBundleName,
80         int32_t appIndex = 0, uint32_t initiatorTokenId = 0, int32_t abilityId = -1) override;
81     int GrantUriPermission(const std::vector<Uri> &uriVec, unsigned int flag,
82         const std::string targetBundleName, int32_t appIndex = 0, uint32_t initiatorTokenId = 0,
83         int32_t abilityId = -1) override;
84     int32_t GrantUriPermissionPrivileged(const std::vector<Uri> &uriVec, uint32_t flag,
85         const std::string &targetBundleName, int32_t appIndex, uint32_t initiatorTokenId,
86         int32_t abilityId) override;
87 
88     std::vector<bool> CheckUriAuthorization(const std::vector<std::string> &uriVec, uint32_t flag,
89         uint32_t tokenId) override;
90 
91     // only for foundation calling
92     void RevokeUriPermission(const TokenId tokenId, int32_t abilityId = -1) override;
93     int RevokeAllUriPermissions(uint32_t tokenId) override;
94     int RevokeUriPermissionManually(const Uri &uri, const std::string bundleName,
95         int32_t appIndex = 0) override;
96 
97     bool VerifyUriPermission(const Uri &uri, uint32_t flag, uint32_t tokenId) override;
98 
99 private:
100     template<typename T>
101     void ConnectManager(sptr<T> &mgr, int32_t serviceId);
102     int GrantUriPermissionImpl(const Uri &uri, unsigned int flag,
103         TokenId fromTokenId, TokenId targetTokenId, int32_t abilityId);
104     int AddTempUriPermission(const std::string &uri, unsigned int flag, TokenId fromTokenId,
105         TokenId targetTokenId, int32_t abilityId);
106 
107     int GrantBatchUriPermissionImpl(const std::vector<std::string> &uriVec, unsigned int flag,
108         TokenId initiatorTokenId, TokenId targetTokenId, int32_t abilityId);
109     int GrantBatchUriPermission(const std::vector<Uri> &uriVec, unsigned int flag, uint32_t initiatorTokenId,
110         uint32_t targetTokenId, int32_t abilityId);
111 
112     int32_t GrantBatchUriPermissionPrivileged(const std::vector<Uri> &uriVec, uint32_t flag,
113         uint32_t callerTokenId, uint32_t targetTokenId, int32_t abilityId = -1);
114 
115     int32_t GrantBatchUriPermissionFor2In1Privileged(const std::vector<Uri> &uriVec, uint32_t flag,
116         uint32_t callerTokenId, uint32_t targetTokenId, int32_t abilityId = -1);
117 
118     int GrantSingleUriPermission(const Uri &uri, unsigned int flag, uint32_t callerTokenId, uint32_t targetTokenId,
119         int32_t abilityId);
120 
121     int32_t CheckCalledBySandBox();
122 
123     std::vector<bool> CheckUriPermission(TokenIdPermission &tokenIdPermission, const std::vector<Uri> &uriVec,
124         uint32_t flag);
125 
126     bool CheckUriTypeIsValid(Uri uri);
127 
128     int GrantUriPermissionInner(const std::vector<Uri> &uriVec, unsigned int flag, const std::string targetBundleName,
129         int32_t appIndex, uint32_t initiatorTokenId, int32_t abilityId = -1);
130 
131     int GrantUriPermissionFor2In1Inner(const std::vector<Uri> &uriVec, unsigned int flag,
132         const std::string &targetBundleName, int32_t appIndex, bool isSystemAppCall, uint32_t initiatorTokenId = 0,
133         int32_t abilityId = -1);
134 
135     void HandleUriPermission(
136         uint64_t tokenId, unsigned int flag, std::vector<PolicyInfo> &docsVec, bool isSystemAppCall);
137 
138     void CheckProxyUriPermission(TokenIdPermission &tokenIdPermission, const std::vector<Uri> &uriVec, uint32_t flag,
139         std::vector<bool> &result);
140 
141     int32_t DeleteShareFile(uint32_t targetTokenId, const std::vector<std::string> &uriVec);
142 
143     void RemoveUriRecord(std::vector<std::string> &uriList, const TokenId tokenId, int32_t abilityId);
144 
145     bool VerifySubDirUriPermission(const std::string &uriStr, uint32_t newFlag, uint32_t tokenId);
146 
147     bool IsDistributedSubDirUri(const std::string &inputUri, const std::string &cachedUri);
148 
149     class ProxyDeathRecipient : public IRemoteObject::DeathRecipient {
150     public:
ProxyDeathRecipient(ClearProxyCallback&& proxy)151         explicit ProxyDeathRecipient(ClearProxyCallback&& proxy) : proxy_(proxy) {}
152         ~ProxyDeathRecipient() = default;
153         virtual void OnRemoteDied([[maybe_unused]] const wptr<IRemoteObject>& remote) override;
154 
155     private:
156         ClearProxyCallback proxy_;
157     };
158 
159 private:
160     std::map<std::string, std::list<GrantInfo>> uriMap_;
161     std::mutex mutex_;
162     std::mutex mgrMutex_;
163     sptr<AppExecFwk::IAppMgr> appMgr_ = nullptr;
164     sptr<StorageManager::IStorageManager> storageManager_ = nullptr;
165 };
166 }  // namespace OHOS::AAFwk
167 #endif  // OHOS_ABILITY_RUNTIME_URI_PERMISSION_MANAGER_STUB_IMPL_H
168