forked from project-chip/connectedhomeip
Add initial prototype of AccessControl module
- Not complete, always allows actions - Not hooked up to interaction model or messaging layer - Progress toward issues project-chip#10236 and project-chip#10249 - Fully isolated as a module - Has unit tests
1 parent
efc17de
commit 2eed92c
Showing
22 changed files
with
1,478 additions
and
1 deletion.
@@ -0,0 +1,93 @@ | ||
/* | ||
* | ||
* Copyright (c) 2021 Project CHIP Authors | ||
* All rights reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
/** | ||
* @file | ||
* Access control module. | ||
*/ | ||
|
||
#include "AccessControl.h" | ||
|
||
#include "Config.h" | ||
#include "DataProvider.h" | ||
|
||
namespace { | ||
|
||
chip::access::Config::DataProvider dataProviderInstance; | ||
chip::access::AccessControl accessControlInstance(dataProviderInstance); | ||
|
||
} // namespace | ||
|
||
namespace chip { | ||
namespace access { | ||
|
||
AccessControl * AccessControl::mInstance = &accessControlInstance; | ||
|
||
CHIP_ERROR AccessControl::Init() | ||
{ | ||
ChipLogDetail(DataManagement, "access control: initializing"); | ||
return mDataProvider.Init(); | ||
} | ||
|
||
void AccessControl::Finish() | ||
{ | ||
ChipLogDetail(DataManagement, "access control: finishing"); | ||
mDataProvider.Finish(); | ||
} | ||
|
||
CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, const RequestPath & requestPath, Privilege privilege) | ||
{ | ||
CHIP_ERROR err = CHIP_ERROR_ACCESS_DENIED; | ||
|
||
EntryIterator* iterator = mDataProvider.Entries(subjectDescriptor.fabricIndex); | ||
#if 0 | ||
ReturnErrorCodeIf(iterator == nullptr, CHIP_ERROR_INTERNAL); | ||
#else | ||
// TODO: until we have an actual implementation, allow access | ||
ReturnErrorCodeIf(iterator == nullptr, CHIP_NO_ERROR); | ||
#endif | ||
|
||
while (iterator->HasNext()) | ||
{ | ||
ChipLogDetail(DataManagement, "Checking entry"); | ||
auto & entry = iterator->Next(); | ||
|
||
if (!entry.MatchesPrivilege(privilege)) | ||
continue; | ||
ChipLogDetail(DataManagement, " --> matched privilege"); | ||
if (!entry.MatchesAuthMode(subjectDescriptor.authMode)) | ||
continue; | ||
ChipLogDetail(DataManagement, " --> matched authmode"); | ||
// TODO: check CATs (subject1, subject2) | ||
if (!entry.MatchesSubject(subjectDescriptor.subject)) | ||
continue; | ||
ChipLogDetail(DataManagement, " --> matched subject"); | ||
if (!entry.MatchesTarget(requestPath.endpoint, requestPath.cluster)) | ||
continue; | ||
ChipLogDetail(DataManagement, " --> matched target"); | ||
|
||
err = CHIP_NO_ERROR; | ||
break; | ||
} | ||
|
||
iterator->Release(); | ||
return err; | ||
} | ||
|
||
} // namespace access | ||
} // namespace chip |
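Review bot: In `AccessControl::Check`, the active `#else` branch returns `CHIP_NO_ERROR` when `mDataProvider.Entries(...)` yields a null iterator, so the one path that looks like a provider failure is the path that grants access. That contradicts the header's contract that errors other than `CHIP_NO_ERROR` are treated as denied. The TODO and the commit message say this is deliberate for the prototype, but nothing is logged when it happens, so a build that later wires Check into the interaction model would fail open silently. I would make the path loud, e.g. `if (iterator == nullptr) { ChipLogError(DataManagement, "access control: no entry iterator, allowing by default (prototype)"); return CHIP_NO_ERROR; }`, and replace the bare `#if 0` with a named build option so the stub cannot be left enabled by accident. What a null iterator actually means depends on DataProvider, which is not shown in this section.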
@@ -0,0 +1,114 @@ | ||
/* | ||
* | ||
* Copyright (c) 2021 Project CHIP Authors | ||
* All rights reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
/** | ||
* @file | ||
* Access control module. | ||
*/ | ||
|
||
#pragma once | ||
|
||
#include "Privilege.h" | ||
#include "RequestPath.h" | ||
#include "SubjectDescriptor.h" | ||
|
||
#include <lib/core/CHIPCore.h> | ||
|
||
namespace chip { | ||
namespace access { | ||
|
||
class DataProvider; | ||
|
||
/** | ||
* @class AccessControl | ||
* | ||
* @brief Access control module. | ||
*/ | ||
class AccessControl | ||
{ | ||
public: | ||
/** | ||
* Create an access control module. One is provided by default (see | ||
* GetInstance) but others can be created as needed (e.g. for testing). An | ||
* uninitialized DataProvider must be provided, and the module must then be | ||
* initialized before use, and deinitialized when finished. | ||
*/ | ||
AccessControl(DataProvider & dataProvider) | ||
: mDataProvider(dataProvider) | ||
{ | ||
} | ||
|
||
AccessControl(const AccessControl &) = delete; | ||
AccessControl & operator=(const AccessControl &) = delete; | ||
|
||
/** | ||
* Initialize the access control module. Will also initialize its data | ||
* provider. | ||
* | ||
* @retval various errors, probably fatal. | ||
* @retval #CHIP_NO_ERROR on success. | ||
*/ | ||
CHIP_ERROR Init(); | ||
|
||
/** | ||
* Deinitialize the access control module. Will also deinitialize its data | ||
* provider. | ||
*/ | ||
void Finish(); | ||
|
||
/** | ||
* Check whether access (by a subject descriptor, to a request path, | ||
* requiring a privilege) should be allowed or denied. | ||
* | ||
* @retval #CHIP_ERROR_ACCESS_DENIED if denied. | ||
* @retval other errors should be treated as denied. | ||
* @retval #CHIP_NO_ERROR if allowed. | ||
*/ | ||
CHIP_ERROR Check(const SubjectDescriptor & subjectDescriptor, const RequestPath & requestPath, Privilege privilege); | ||
|
||
public: | ||
/** | ||
* Get the configured instance, for general use (i.e. non-testing). By | ||
* default an instance is preconfigured, but advanced use can configure | ||
* alternate instances, or even clear the configured instance. | ||
* | ||
* @retval nullptr if configured so. | ||
*/ | ||
static AccessControl * GetInstance() | ||
{ | ||
return mInstance; | ||
} | ||
|
||
/** | ||
* Set the configured instance, for advanced use (e.g. testing). Does not | ||
* call Init or Finish (so ensure that happens appropriately). The | ||
* configured instance can be cleared (by setting to nullptr). | ||
*/ | ||
static void SetInstance(AccessControl * instance) | ||
{ | ||
mInstance = instance; | ||
} | ||
|
||
private: | ||
DataProvider & mDataProvider; | ||
|
||
static AccessControl * mInstance; | ||
}; | ||
|
||
} // namespace access | ||
} // namespace chip |
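Review bot: `GetInstance()` is documented to return nullptr once the instance has been cleared with `SetInstance(nullptr)`, but the comment does not say what a caller must do in that case. For an access-control gate the safe reading is deny, and it should be written down so that no caller skips the check when no instance is configured. I would add to the GetInstance comment: `Callers must treat a nullptr instance as access denied.` Separately, the single-argument constructor would be better declared `explicit AccessControl(DataProvider & dataProvider)` so a DataProvider cannot convert implicitly.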
@@ -0,0 +1,30 @@ | ||
/* | ||
* | ||
* Copyright (c) 2021 Project CHIP Authors | ||
* All rights reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
/** | ||
* @file | ||
* Access control auth mode. | ||
*/ | ||
|
||
#include "AuthMode.h" | ||
|
||
namespace chip { | ||
namespace access { | ||
|
||
} // namespace access | ||
} // namespace chip |
@@ -0,0 +1,44 @@ | ||
/* | ||
* | ||
* Copyright (c) 2021 Project CHIP Authors | ||
* All rights reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
/** | ||
* @file | ||
* Access control auth mode. | ||
*/ | ||
|
||
#pragma once | ||
|
||
namespace chip { | ||
namespace access { | ||
|
||
/** | ||
* @enum AuthMode | ||
* | ||
* @brief Access control auth modes. Expressed as bit flags so they can be | ||
* combined with privileges. | ||
*/ | ||
enum AuthMode | ||
{ | ||
None = 0, | ||
Pase = 1 << 5, | ||
Case = 1 << 6, | ||
Group = 1 << 7 | ||
}; | ||
|
||
} // namespace access | ||
} // namespace chip |
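Review bot: `AuthMode` is an unscoped enum with no fixed underlying type, so `None`, `Pase`, `Case` and `Group` are injected directly into `chip::access` and convert implicitly to `int`. Because the comment says these flags are meant to be combined with privileges, a privilege value can be passed where an auth mode is expected (for example to `MatchesAuthMode`) without any compile error, and a bare `None` is prone to clashing with macros from platform headers. I would fix the width and prefix the names, e.g. `enum AuthMode : uint8_t { kNone = 0, kPase = 1 << 5, kCase = 1 << 6, kGroup = 1 << 7 };` (this needs `<cstdint>`). The comment should also state which low bits are reserved for privileges; presumably bits 0 to 4, but Privilege.h is not shown here.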
@@ -0,0 +1,48 @@ | ||
# Copyright (c) 2021 Project CHIP Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
import("//build_overrides/chip.gni") | ||
|
||
static_library("access") { | ||
output_name = "libaccess" | ||
|
||
sources = [ | ||
"AccessControl.cpp", | ||
"AccessControl.h", | ||
"AuthMode.cpp", | ||
"AuthMode.h", | ||
"BasicTypes.cpp", | ||
"BasicTypes.h", | ||
"Config.cpp", | ||
"Config.h", | ||
"DataProvider.cpp", | ||
"DataProvider.h", | ||
"DataProviderImpl.cpp", | ||
"DataProviderImpl.h", | ||
"Privilege.cpp", | ||
"Privilege.h", | ||
"RequestPath.cpp", | ||
"RequestPath.h", | ||
"SubjectDescriptor.cpp", | ||
"SubjectDescriptor.h", | ||
] | ||
|
||
cflags = [ "-Wconversion" ] | ||
|
||
public_deps = [ | ||
"${chip_root}/src/lib/core", | ||
"${chip_root}/src/lib/support", | ||
"${chip_root}/src/platform", | ||
] | ||
} |
@@ -0,0 +1,30 @@ | ||
/* | ||
* | ||
* Copyright (c) 2021 Project CHIP Authors | ||
* All rights reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
/** | ||
* @file | ||
* Basic types used by access control. | ||
*/ | ||
|
||
#include "BasicTypes.h" | ||
|
||
namespace chip { | ||
namespace access { | ||
|
||
} // namespace access | ||
} // namespace chip |