diff --git a/services/implementation/include/authentication_v2/dm_auth_state.h b/services/implementation/include/authentication_v2/dm_auth_state.h index b8bf3536d688f2a122aa85564269ce0c168acbb9..50df8617b39b450a72233a1ab83772f121739cca 100644 --- a/services/implementation/include/authentication_v2/dm_auth_state.h +++ b/services/implementation/include/authentication_v2/dm_auth_state.h @@ -188,6 +188,8 @@ protected: uint32_t GetCredentialType(std::shared_ptr context, const JsonItemObject &credInfo); bool HaveSameTokenId(std::shared_ptr context, const std::vector &tokenIdHashList); void SetProcessInfo(std::shared_ptr context); + bool IsMatchCredentialAndP2pACL(JsonObject &credInfo, std::string &credId, + const DistributedDeviceProfile::AccessControlProfile &profile); }; class AuthSrcConfirmState : public DmAuthState { diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp index 1e1c7b3c63a24ff149c7646e6bbfc41f25adea25..411188a111cfa394ede55ddaf1702caaa657e0f9 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp @@ -457,6 +457,12 @@ void AuthSrcConfirmState::CheckCredIdInAclForP2P(std::shared_ptr const DistributedDeviceProfile::AccessControlProfile &profile, JsonObject &credInfo, uint32_t bindType, bool &checkResult) { + if (!DmAuthState::IsMatchCredentialAndP2pACL(credInfo, credId, profile)) { + LOGE("acl bindlevel and credential authorizedScope not match"); + DeleteAcl(context, profile); + credInfo.Erase(credId); + return; + } if (credInfo[credId][FILED_CRED_TYPE].Get() == bindType) { std::vector appList; credInfo[credId][FILED_AUTHORIZED_APP_LIST].Get(appList); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index ceca621c89d21e4b4d7e48efd517403b49fb329d..490247779e028bd5d313c4650864c84f84decf57 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -564,6 +564,12 @@ void AuthSinkNegotiateStateMachine::CheckCredIdInAclForP2P(std::shared_ptr() == bindType) { std::vector appList; credInfo[credId][FILED_AUTHORIZED_APP_LIST].Get(appList); diff --git a/services/implementation/src/authentication_v2/dm_auth_state.cpp b/services/implementation/src/authentication_v2/dm_auth_state.cpp index df52e3b14afdd2e64a177f8cad34ca24ead13297..5364cf8ee2fb278077c4cb13cfea3febe77c04d2 100644 --- a/services/implementation/src/authentication_v2/dm_auth_state.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_state.cpp @@ -852,5 +852,23 @@ void DmAuthState::GetPeerDeviceId(std::shared_ptr context, std::s } LOGE("failed"); } + +bool DmAuthState::IsMatchCredentialAndP2pACL(JsonObject &credInfo, std::string &credId, + const DistributedDeviceProfile::AccessControlProfile &profile) +{ + if (!credInfo.Contains(credId) || !credInfo[credId].Contains(FILED_AUTHORIZED_SCOPE) || + !credInfo[credId][FILED_AUTHORIZED_SCOPE].IsNumberInteger()) { + return false; + } + int32_t authorizedScope = credInfo[credId][FILED_AUTHORIZED_SCOPE].Get(); + if (authorizedScope == static_cast(DM_AUTH_SCOPE_USER) && profile.GetBindLevel() == USER) { + return true; + } + if (authorizedScope == static_cast(DM_AUTH_SCOPE_APP) && + (profile.GetBindLevel() == SERVICE || profile.GetBindLevel() == APP)) { + return true; + } + return false; +} } // namespace DistributedHardware } // namespace OHOS