Update oc_sec_apply_acl callback (#233)

* security: add custom data tag to acl structure * Update oc_sec_apply_acl callback Provide additional data to oc_sec_on_apply_acl_cb_t callback to be able to distinguish between a created ace, a replaced ace and a duplicate ace.
iotivity · Apr 14, 2022 · 4745cdf · 4745cdf
1 parent 639104b
commit 4745cdf
Show file tree

Hide file tree

Showing 5 changed files with 291 additions and 134 deletions.
diff --git a/include/oc_acl.h b/include/oc_acl.h
@@ -125,6 +125,7 @@ typedef struct oc_sec_ace_t
   oc_ace_subject_t subject;           ///< subject
   int aceid;                          ///< ACE identifier
   oc_ace_permissions_t permission;    ///< permissions
+  oc_string_t tag;                    ///< custom user tag
 } oc_sec_ace_t;
 
 /**
@@ -136,23 +137,68 @@ typedef struct oc_sec_ace_t
 OC_API
 oc_sec_acl_t *oc_sec_get_acl(size_t device);
 
+/**
+ * @brief Remove access control entry from given device
+ *
+ * @param ace Access control entry to remove
+ * @param device Index of the device
+ */
+OC_API
+void oc_sec_remove_ace(oc_sec_ace_t *ace, size_t device);
+
+/**
+ * @brief Get access control entry with given aceid from given device
+ *
+ * @param device Index of the device
+ * @return Access control list
+ */
+OC_API
+oc_sec_ace_t *oc_sec_get_ace_by_aceid(int aceid, size_t device);
+
+/**
+ * @brief Remove access control entry with aceid from given device
+ *
+ * @param aceid Access control entry id
+ * @param device Index of the device
+ * @return true Access control entry with given id was found and removed
+ * @return false Otherwise
+ */
+OC_API
+bool oc_sec_remove_ace_by_aceid(int aceid, size_t device);
+
 /**
  * @brief Add initial access control list for core resources of a device
  *
  * @param device Index of the device
+ * @return true On success
+ * @return false On failure
  */
 OC_API
-void oc_sec_acl_add_bootstrap_acl(size_t device);
+bool oc_sec_acl_add_bootstrap_acl(size_t device);
+
+typedef struct oc_sec_on_apply_acl_data_t
+{
+  oc_uuid_t rowneruuid; ///< Uuid of the resource owner
+  oc_sec_ace_t *ace;    ///< New or updated access control entry
+  const oc_sec_ace_t
+    *replaced_ace;       ///< In case of replacement of an existing ACE this is
+                         ///< the original ACE that was replaced; the
+                         ///< ACE will be deallocated after the call of
+                         ///< oc_sec_on_apply_acl_cb_t from oc_sec_apply_acl
+  bool created;          ///< True if a new ACE was created; False if the ACE
+                         ///< replaced an already existing ACE or it was a
+                         ///< duplicate and the operation was skipped
+  bool created_resource; ///< At least one new resource was created in the ACE
+} oc_sec_on_apply_acl_data_t;
 
 /**
  * @brief Callback invoked with a created / updated access control entry
  *
- * @param rowneruuid Uuid of the resource owner
- * @param ace New or updated access control entry
+ * @param data Data with new/updated ACL data
  * @param user_data User data passed from the caller
  */
-typedef void (*oc_sec_on_apply_acl_cb_t)(oc_uuid_t rowneruuid,
-                                         oc_sec_ace_t *ace, void *user_data);
+typedef void (*oc_sec_on_apply_acl_cb_t)(oc_sec_on_apply_acl_data_t data,
+                                         void *user_data);
 
 /**
  * @brief Parse payload and add/update access control list
@@ -162,8 +208,8 @@ typedef void (*oc_sec_on_apply_acl_cb_t)(oc_uuid_t rowneruuid,
  * @param on_apply_ace_cb Callback invoked when a new access control entry is
  * added or updated
  * @param on_apply_ace_data User data passed to the on_apply_ace_cb function
- * @return int -1 On failure
- * @return int 0 Payload was successfully parsed
+ * @return -1 On failure
+ * @return 0 Payload was successfully parsed
  */
 OC_API
 int oc_sec_apply_acl(oc_rep_t *rep, size_t device,

diff --git a/include/oc_cred.h b/include/oc_cred.h
@@ -121,7 +121,7 @@ typedef struct oc_sec_creds_t
 } oc_sec_creds_t;
 
 /**
- * @brief read credential usaga
+ * @brief read credential usage
  *
  * @param credusage credential usage as type
  * @return const char* credential usage as string
@@ -167,7 +167,7 @@ const char *oc_cred_credtype_string(oc_sec_credtype_t credtype);
 
 typedef struct oc_sec_on_apply_cred_data_t
 {
-  oc_sec_cred_t *cred; ///< New or updated credential
+  oc_sec_cred_t *cred; ///< new or updated credential
   const oc_sec_cred_t
     *replaced;  ///< in case of modification of an existing credential this is
                 ///< the original credential that has been replaced; the
@@ -179,10 +179,10 @@ typedef struct oc_sec_on_apply_cred_data_t
 } oc_sec_on_apply_cred_data_t;
 
 /**
- * @brief Callback invoked with a created / updated credential
+ * @brief callback invoked with a created / updated credential
  *
- * @param data Data with new/updated credential data
- * @param user_data User data passed from the caller
+ * @param data data with new/updated credential data
+ * @param user_data user data passed from the caller
  */
 typedef void (*oc_sec_on_apply_cred_cb_t)(oc_sec_on_apply_cred_data_t data,
                                           void *user_data);