Add initial prototype of AccessControl module

- Not complete, always allows actions - Not hooked up to interaction model or messaging layer - Progress toward issues project-chip#10236 and project-chip#10249 - Fully isolated as a module - Has unit tests
mlepage-google · Oct 15, 2021 · 2eed92c · 2eed92c
1 parent efc17de
commit 2eed92c
Show file tree

Hide file tree

Showing 22 changed files with 1,478 additions and 1 deletion.
diff --git a/src/BUILD.gn b/src/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Project CHIP Authors
+# Copyright (c) 2020-2021 Project CHIP Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -44,6 +44,7 @@ if (chip_build_tests) {
 
   chip_test_group("tests") {
     deps = [
+      "${chip_root}/src/access/tests",
       "${chip_root}/src/app/tests",
       "${chip_root}/src/crypto/tests",
       "${chip_root}/src/inet/tests",

diff --git a/src/access/AccessControl.cpp b/src/access/AccessControl.cpp
@@ -0,0 +1,93 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+/**
+ *    @file
+ *      Access control module.
+ */
+
+#include "AccessControl.h"
+
+#include "Config.h"
+#include "DataProvider.h"
+
+namespace {
+
+chip::access::Config::DataProvider dataProviderInstance;
+chip::access::AccessControl accessControlInstance(dataProviderInstance);
+
+} // namespace
+
+namespace chip {
+namespace access {
+
+AccessControl * AccessControl::mInstance = &accessControlInstance;
+
+CHIP_ERROR AccessControl::Init()
+{
+    ChipLogDetail(DataManagement, "access control: initializing");
+    return mDataProvider.Init();
+}
+
+void AccessControl::Finish()
+{
+    ChipLogDetail(DataManagement, "access control: finishing");
+    mDataProvider.Finish();
+}
+
+CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, const RequestPath & requestPath, Privilege privilege)
+{
+    CHIP_ERROR err = CHIP_ERROR_ACCESS_DENIED;
+
+    EntryIterator* iterator = mDataProvider.Entries(subjectDescriptor.fabricIndex);
+#if 0
+    ReturnErrorCodeIf(iterator == nullptr, CHIP_ERROR_INTERNAL);
+#else
+    // TODO: until we have an actual implementation, allow access
+    ReturnErrorCodeIf(iterator == nullptr, CHIP_NO_ERROR);
+#endif
+
+    while (iterator->HasNext())
+    {
+        ChipLogDetail(DataManagement, "Checking entry");
+        auto & entry = iterator->Next();
+
+        if (!entry.MatchesPrivilege(privilege))
+            continue;
+        ChipLogDetail(DataManagement, "  --> matched privilege");
+        if (!entry.MatchesAuthMode(subjectDescriptor.authMode))
+            continue;
+        ChipLogDetail(DataManagement, "  --> matched authmode");
+        // TODO: check CATs (subject1, subject2)
+        if (!entry.MatchesSubject(subjectDescriptor.subject))
+            continue;
+        ChipLogDetail(DataManagement, "  --> matched subject");
+        if (!entry.MatchesTarget(requestPath.endpoint, requestPath.cluster))
+            continue;
+        ChipLogDetail(DataManagement, "  --> matched target");
+
+        err = CHIP_NO_ERROR;
+        break;
+    }
+
+    iterator->Release();
+    return err;
+}
+
+} // namespace access
+} // namespace chip
diff --git a/src/access/AccessControl.h b/src/access/AccessControl.h
@@ -0,0 +1,114 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+/**
+ *    @file
+ *      Access control module.
+ */
+
+#pragma once
+
+#include "Privilege.h"
+#include "RequestPath.h"
+#include "SubjectDescriptor.h"
+
+#include <lib/core/CHIPCore.h>
+
+namespace chip {
+namespace access {
+
+class DataProvider;
+
+/**
+ * @class AccessControl
+ *
+ * @brief Access control module.
+ */
+class AccessControl
+{
+public:
+    /**
+     * Create an access control module. One is provided by default (see
+     * GetInstance) but others can be created as needed (e.g. for testing). An
+     * uninitialized DataProvider must be provided, and the module must then be
+     * initialized before use, and deinitialized when finished.
+     */
+    AccessControl(DataProvider & dataProvider)
+        : mDataProvider(dataProvider)
+    {
+    }
+
+    AccessControl(const AccessControl &) = delete;
+    AccessControl & operator=(const AccessControl &) = delete;
+
+    /**
+     * Initialize the access control module. Will also initialize its data
+     * provider.
+     * 
+     * @retval various errors, probably fatal.
+     * @retval #CHIP_NO_ERROR on success.
+     */
+    CHIP_ERROR Init();
+
+    /**
+     * Deinitialize the access control module. Will also deinitialize its data
+     * provider.
+     */
+    void Finish();
+
+    /**
+     * Check whether access (by a subject descriptor, to a request path,
+     * requiring a privilege) should be allowed or denied.
+     *
+     * @retval #CHIP_ERROR_ACCESS_DENIED if denied.
+     * @retval other errors should be treated as denied.
+     * @retval #CHIP_NO_ERROR if allowed.
+     */
+    CHIP_ERROR Check(const SubjectDescriptor & subjectDescriptor, const RequestPath & requestPath, Privilege privilege);
+
+public:
+    /**
+     * Get the configured instance, for general use (i.e. non-testing). By
+     * default an instance is preconfigured, but advanced use can configure
+     * alternate instances, or even clear the configured instance.
+     *
+     * @retval nullptr if configured so.
+     */
+    static AccessControl * GetInstance()
+    {
+        return mInstance;
+    }
+
+    /**
+     * Set the configured instance, for advanced use (e.g. testing). Does not
+     * call Init or Finish (so ensure that happens appropriately). The
+     * configured instance can be cleared (by setting to nullptr).
+     */
+    static void SetInstance(AccessControl * instance)
+    {
+        mInstance = instance;
+    }
+
+private:
+    DataProvider & mDataProvider;
+
+    static AccessControl * mInstance;
+};
+
+} // namespace access
+} // namespace chip
diff --git a/src/access/AuthMode.cpp b/src/access/AuthMode.cpp
@@ -0,0 +1,30 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+/**
+ *    @file
+ *      Access control auth mode.
+ */
+
+#include "AuthMode.h"
+
+namespace chip {
+namespace access {
+
+} // namespace access
+} // namespace chip
diff --git a/src/access/AuthMode.h b/src/access/AuthMode.h
@@ -0,0 +1,44 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+/**
+ *    @file
+ *      Access control auth mode.
+ */
+
+#pragma once
+
+namespace chip {
+namespace access {
+
+/**
+ * @enum AuthMode
+ *
+ * @brief Access control auth modes. Expressed as bit flags so they can be
+ * combined with privileges.
+ */
+enum AuthMode
+{
+    None = 0,
+    Pase = 1 << 5,
+    Case = 1 << 6,
+    Group = 1 << 7
+};
+
+} // namespace access
+} // namespace chip
diff --git a/src/access/BUILD.gn b/src/access/BUILD.gn
@@ -0,0 +1,48 @@
+# Copyright (c) 2021 Project CHIP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build_overrides/chip.gni")
+
+static_library("access") {
+  output_name = "libaccess"
+
+  sources = [
+    "AccessControl.cpp",
+    "AccessControl.h",
+    "AuthMode.cpp",
+    "AuthMode.h",
+    "BasicTypes.cpp",
+    "BasicTypes.h",
+    "Config.cpp",
+    "Config.h",
+    "DataProvider.cpp",
+    "DataProvider.h",
+    "DataProviderImpl.cpp",
+    "DataProviderImpl.h",
+    "Privilege.cpp",
+    "Privilege.h",
+    "RequestPath.cpp",
+    "RequestPath.h",
+    "SubjectDescriptor.cpp",
+    "SubjectDescriptor.h",
+  ]
+
+  cflags = [ "-Wconversion" ]
+
+  public_deps = [
+    "${chip_root}/src/lib/core",
+    "${chip_root}/src/lib/support",
+    "${chip_root}/src/platform",
+  ]
+}
diff --git a/src/access/BasicTypes.cpp b/src/access/BasicTypes.cpp
@@ -0,0 +1,30 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+/**
+ *    @file
+ *      Basic types used by access control.
+ */
+
+#include "BasicTypes.h"
+
+namespace chip {
+namespace access {
+
+} // namespace access
+} // namespace chip