From 0dbf10168a307d357b7c9f46dfa8067ab05fcbed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9F=A9=E9=9C=87?= Date: Tue, 25 Jan 2022 17:33:04 +0800 Subject: [PATCH] when updateCred token is invalid MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 韩震 --- common/hal_sdk/useridm_interface.cpp | 5 ++++- common/idm/inc/idm_session.h | 3 +++ common/idm/inc/user_idm_funcs.h | 2 +- common/idm/src/idm_session.c | 20 ++++++++++++++++++++ common/idm/src/user_idm_funcs.c | 17 +++++++++++++---- 5 files changed, 41 insertions(+), 6 deletions(-) diff --git a/common/hal_sdk/useridm_interface.cpp b/common/hal_sdk/useridm_interface.cpp index 549cd93..986f704 100644 --- a/common/hal_sdk/useridm_interface.cpp +++ b/common/hal_sdk/useridm_interface.cpp @@ -207,6 +207,7 @@ int32_t DeleteUserEnforce(int32_t userId, std::vector &credentia GlobalUnLock(); return ret; } + RefreshValidTokenTime(); for (int i = 0; i < num; i++) { CredentialInfo credentialInfo; if (memcpy_s(&credentialInfo, sizeof(CredentialInfo), @@ -247,7 +248,8 @@ int32_t DeleteUser(int32_t userId, std::vector authToken, std::vector enrollToken, uint64_t &credentialI GlobalUnLock(); return ret; } + RefreshValidTokenTime(); if (memcpy_s(&deletedCredential, sizeof(CredentialInfo), &credentialInfoHal, sizeof(CredentialInfoHal)) != EOK) { LOG_ERROR("copy failed"); GlobalUnLock(); diff --git a/common/idm/inc/idm_session.h b/common/idm/inc/idm_session.h index e0acda7..b0e8b87 100644 --- a/common/idm/inc/idm_session.h +++ b/common/idm/inc/idm_session.h @@ -31,4 +31,7 @@ ResultCode GetUserId(int32_t *userId); ResultCode GetChallenge(uint64_t *challenge); ResultCode GetScheduleId(uint64_t *scheduleId); +void RefreshValidTokenTime(); +bool IsValidTokenTime(uint64_t tokenTime); + #endif // USER_IDM_SESSION_H \ No newline at end of file diff --git a/common/idm/inc/user_idm_funcs.h b/common/idm/inc/user_idm_funcs.h index 4702d0c..87b5ae9 100644 --- a/common/idm/inc/user_idm_funcs.h 
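Review bot: `RefreshValidTokenTime()` returns nothing and only logs when no edit session exists, so in DeleteUserEnforce, which does not visibly require an open session, this call may do no more than write `session is invalid` at error level on every enforced delete. That still fails closed, because `IsValidTokenTime` also rejects when there is no session, but the error-level noise can be avoided by checking for a session first or logging at a lower level on this path. The call also deserves a comment such as `// Invalidate auth tokens issued before this change so they cannot be reused for another one.`; the same applies to the call added in the next hunk. The enclosing function starts and ends outside the hunk.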
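Review bot: `void RefreshValidTokenTime();` in a header compiled as C declares a function with unspecified parameters rather than none; `void RefreshValidTokenTime(void);` states the intent, and the definition in idm_session.c should change the same way. Both new declarations are undocumented: a short comment should say that RefreshValidTokenTime moves the session's token cut-off to the current time, and that IsValidTokenTime returns false when no session is open or when the token's time is earlier than that cut-off.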
+++ b/common/idm/inc/user_idm_funcs.h @@ -23,8 +23,8 @@ typedef struct { uint8_t token[AUTH_TOKEN_LEN]; int32_t userId; - uint32_t authSubType; uint32_t authType; + uint64_t authSubType; } PermissionCheckParam; typedef struct { diff --git a/common/idm/src/idm_session.c b/common/idm/src/idm_session.c index e44511f..f460d26 100644 --- a/common/idm/src/idm_session.c +++ b/common/idm/src/idm_session.c @@ -31,6 +31,7 @@ struct SessionInfo { bool isScheduleValid; int32_t userId; uint64_t time; + uint64_t validAuthTokenTime; uint64_t challenge; } *g_session; @@ -82,12 +83,31 @@ ResultCode OpenEditSession(int32_t userId, uint64_t *challenge) return RESULT_GENERAL_ERROR; } g_session->time = GetSystemTime(); + g_session->validAuthTokenTime = g_session->time; *challenge = g_session->challenge; g_session->isScheduleValid = false; return RESULT_SUCCESS; } +void RefreshValidTokenTime() +{ + if (!IsSessionExist()) { + LOG_ERROR("session is invalid"); + return; + } + g_session->validAuthTokenTime = GetSystemTime(); +} + +bool IsValidTokenTime(uint64_t tokenTime) +{ + if (!IsSessionExist()) { + LOG_ERROR("session is invalid"); + return false; + } + return tokenTime >= g_session->validAuthTokenTime; +} + ResultCode CloseEditSession() { if (!IsSessionExist()) { diff --git a/common/idm/src/user_idm_funcs.c b/common/idm/src/user_idm_funcs.c index fd1af40..fa3e7a7 100644 --- a/common/idm/src/user_idm_funcs.c +++ b/common/idm/src/user_idm_funcs.c 
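Review bot: `authSubType` is widened from `uint32_t` to `uint64_t` and moved after `authType` in PermissionCheckParam, which changes the struct's size and member order, and the commit message does not mention it. Any code that fills this struct with a positional initializer, or copies it to or from a type with the old layout, would now place values in the wrong member; no such caller is visible in this patch, so those sites should be checked before merging. A one-line comment on the field saying which 64-bit value it has to hold would record why the width changed.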
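Review bot: `IsValidTokenTime` accepts `tokenTime >= g_session->validAuthTokenTime`, so a token stamped in the same clock tick as the last `RefreshValidTokenTime()` still passes and could authorise a second credential change. Whether that window is reachable depends on the resolution of `GetSystemTime()` and of the token's time field, neither of which is shown here. If both are counters from the same clock, consider a strict comparison after a refresh, `return tokenTime > g_session->validAuthTokenTime;`. The comparison also assumes the token time and `GetSystemTime()` share one clock and unit, and that the clock cannot be set backwards; a comment on `validAuthTokenTime` should state that assumption.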
@@ -31,11 +31,16 @@ static int32_t PinPermissionCheck(int32_t userId, UserAuthTokenHal *authToken)
 if (ret == RESULT_NOT_FOUND) {
 return RESULT_SUCCESS;
 } else if (ret == RESULT_SUCCESS) {
+ LOG_INFO("pin already exists, legal token is required");
 uint64_t challenge;
 ret = GetChallenge(&challenge);
 if (ret != RESULT_SUCCESS || challenge != authToken->challenge) {
- LOG_ERROR("check challenge failed");
- return RESULT_BAD_SIGN;
+ LOG_ERROR("check challenge failed, token is invalid");
+ return RESULT_BAD_MATCH;
+ }
+ if (!IsValidTokenTime(authToken->time)) {
+ LOG_ERROR("check token time failed, token is invalid");
+ return RESULT_VERIFY_TOKEN_FAIL;
 }
 return UserAuthTokenVerify(authToken);
 } else {
@@ -55,8 +60,12 @@ static int32_t FacePermissionCheck(int32_t userId, UserAuthTokenHal *authToken)
 uint64_t challenge;
 ret = GetChallenge(&challenge);
 if (ret != RESULT_SUCCESS || challenge != authToken->challenge) {
- LOG_ERROR("check challenge failed");
- return RESULT_BAD_SIGN;
+ LOG_ERROR("check challenge failed, token is invalid");
+ return RESULT_BAD_MATCH;
+ }
+ if (!IsValidTokenTime(authToken->time)) {
+ LOG_ERROR("check token time failed, token is invalid");
+ return RESULT_VERIFY_TOKEN_FAIL;
 }
 return UserAuthTokenVerify(authToken);
 }
-- Gitee
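Review bot: The challenge check and the new token-time check in PinPermissionCheck are repeated line for line in FacePermissionCheck (second hunk), so a later change to the freshness rule can land in one and miss the other; a shared static helper would keep them in step. Both checks read `authToken->challenge` and `authToken->time` before `UserAuthTokenVerify` has validated the token, which is sound only because the verify call still follows on every accepting path, and a comment should say so. The distinct return codes (`RESULT_BAD_MATCH`, `RESULT_VERIFY_TOKEN_FAIL`) also reveal which check rejected the token; if they reach a caller outside the trusted boundary, consider returning a single failure code and keeping the detail in the log. Both function bodies start and end outside the hunks.

```c
// Binds the token to the current edit session, rejects tokens older than the
// session's cut-off, then verifies the token itself.
static int32_t CheckSessionToken(UserAuthTokenHal *authToken)
{
    uint64_t challenge;
    ResultCode ret = GetChallenge(&challenge);
    if (ret != RESULT_SUCCESS || challenge != authToken->challenge) {
        LOG_ERROR("check challenge failed, token is invalid");
        return RESULT_BAD_MATCH;
    }
    if (!IsValidTokenTime(authToken->time)) {
        LOG_ERROR("check token time failed, token is invalid");
        return RESULT_VERIFY_TOKEN_FAIL;
    }
    // challenge and time are unauthenticated until this call succeeds
    return UserAuthTokenVerify(authToken);
}

// … unchanged: credential lookup in PinPermissionCheck / FacePermissionCheck …
        return CheckSessionToken(authToken);
```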