Commit 96bbf077 authored by Nathan Heldt-Sheller, committed by Randeep

[IOT-1895] [IOT-2179] [IOT-1957] /acl2 Resource

ACE2 adds the "wc" property to the "resource" type, and the
"conntype" property to the "subject" type, allowing for more
flexible wildcards, and removing possible unintended collisions.

/acl2 also conforms to a different schema, so the CBOR encode/
decode functions are updated.

The unit tests are currently still using oic.sec.ace structures,
and will need to be updated to oic.sec.ace2 (see IOT-2192)

Updated provisioningclient and the provisioning .json/.dat files to
use /acl2.

[x] update OicSecAce_t to support ace2
[x] update OicSecResource_t to support */+/- rsrc wildcards
[x] update AclToCBORPayload() to support /acl2
[x] update JSONToAclBin() to support /acl2
[x] update CBORPayloadToAcl() to support /acl2
[x] remove /oic/sec/acl resource
[x] verify provclient/justworks using above revisions
[x] verify unitttest using above revisions

Change-Id: If5a7105ac223537cd2249cec519e5657f651da3e
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/19593
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>
parent 40b6bca8
......@@ -59,12 +59,25 @@ const OicSecAce_t* GetACLResourceData(const OicUuid_t* subjectId, OicSecAce_t **
* @param[out] savePtr is used internally by @ref GetACLResourceDataByRoles to maintain index between
* successive calls for the same roles list.
*
* @note On the first call to @ref GETAclResourceDataByRoles, savePtr should point to NULL.
*
* @note On the first call to @ref GetACLResourceDataByRoles, savePtr should point to NULL.
*
* @return reference to @ref OicSecAce_t if ACE is found, else NULL.
*/
const OicSecAce_t* GetACLResourceDataByRoles(const OicSecRole_t *roles, size_t roleCount, OicSecAce_t **savePtr);
/**
* This method is used by PolicyEngine to retrieve ACLs for a given conntype.
*
* @param[in] conntype Conntype to match in ACE.
* @param[out] savePtr is used internally by @ref GetACLResourceDataByConntype to maintain index between
* successive calls for the same roles list.
*
* @note On the first call to @ref GetACLResourceDataByConntype, savePtr should point to NULL.
*
* @return reference to @ref OicSecAce_t if ACE is found, else NULL.
*/
const OicSecAce_t* GetACLResourceDataByConntype(const OicSecConntype_t conntype, OicSecAce_t **savePtr);
/**
* This function converts ACL data into CBOR format.
*
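Review bot: The `@param[out] savePtr` text in the new GetACLResourceDataByConntype comment still says `successive calls for the same roles list.`, carried over from the roles variant; it should read `* successive calls for the same conntype.`. The prototype also qualifies the by-value parameter as `const OicSecConntype_t conntype`, which only constrains the definition and is normally left off a header declaration: `const OicSecAce_t* GetACLResourceDataByConntype(OicSecConntype_t conntype, OicSecAce_t **savePtr);`. Because this is a new lookup entry point for the policy engine, the comment should also state whether only ACEs whose subject type is the conntype type are returned, or whether UUID/role ACEs can match as well; that cannot be told from the declaration alone.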
......
......@@ -40,7 +40,9 @@ extern const char * OIC_RSRC_TYPE_SEC_ACL;
extern const char * OIC_RSRC_ACL_URI;
extern const char * OIC_JSON_ACL_NAME;
extern const char * OIC_JSON_ACLIST_NAME;
extern const char * OIC_JSON_ACLIST2_NAME;
extern const char * OIC_JSON_ACES_NAME;
extern const char * OIC_JSON_ACEID_NAME;
extern const char * OIC_RSRC_TYPE_SEC_ACL2;
extern const char * OIC_RSRC_ACL2_URI;
......@@ -106,6 +108,7 @@ extern const char * OIC_JSON_VER_NAME;
//reset profile
extern const char * OIC_JSON_RESET_PF_NAME;
extern const char * OIC_JSON_SUBJECTID_NAME;
extern const char * OIC_JSON_SUBJECT_NAME;
extern const char * OIC_JSON_RESOURCES_NAME;
extern const char * OIC_JSON_AMSS_NAME;
extern const char * OIC_JSON_AMS_NAME;
......@@ -174,6 +177,14 @@ extern const char * OIC_JSON_SEC_V_NAME;
extern const char * OIC_JSON_DOS_NAME;
extern const char * OIC_JSON_S_NAME;
extern const char * OIC_JSON_P_NAME;
extern const char * OIC_JSON_UUID_NAME;
extern const char * OIC_JSON_CONNTYPE_NAME;
extern const char * OIC_JSON_AUTHCRYPT_NAME;
extern const char * OIC_JSON_ANONCLEAR_NAME;
extern const char * OIC_JSON_WC_NAME;
extern const char * OIC_JSON_WC_PLUS_NAME;
extern const char * OIC_JSON_WC_MINUS_NAME;
extern const char * OIC_JSON_WC_ASTERISK_NAME;
extern const char * OIC_JSON_EMPTY_STRING;
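Review bot: The new externs at the end of this section (OIC_JSON_UUID_NAME through OIC_JSON_EMPTY_STRING) arrive without a grouping comment, while neighbouring groups in this header are introduced by one (see `//reset profile` in the second hunk). A line such as `// /acl2 (oic.sec.ace2) "subject" and resource "wc" property names` above OIC_JSON_UUID_NAME would tell a reader that the WC_* names are presumably the values of the resource "wc" property and that CONNTYPE/AUTHCRYPT/ANONCLEAR belong to the "subject" object, as the commit message describes. OIC_JSON_EMPTY_STRING is not obviously ACE2-related, so a word on where it is consumed would help too.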
......
......@@ -432,6 +432,14 @@ struct OicSecOpt
bool revstat;
};
typedef enum OicSecAceResourceWildcard
{
NO_WILDCARD = 0,
ALL_DISCOVERABLE, // maps to "+" in JSON/CBOR
ALL_NON_DISCOVERABLE, // maps to "-" in JSON/CBOR
ALL_RESOURCES // maps to "*" in JSON/CBOR
} OicSecAceResourceWildcard_t;
struct OicSecRsrc
{
char *href; // 0:R:S:Y:String
......@@ -440,6 +448,7 @@ struct OicSecRsrc
size_t typeLen; // the number of elts in types
char** interfaces; // 3:R:S:N:String Array
size_t interfaceLen; // the number of elts in interfaces
OicSecAceResourceWildcard_t wildcard;
OicSecRsrc_t *next;
};
......@@ -463,7 +472,8 @@ typedef enum
typedef enum
{
OicSecAceUuidSubject = 0, /* Default to this type. */
OicSecAceRoleSubject
OicSecAceRoleSubject,
OicSecAceConntypeSubject
} OicSecAceSubjectType;
/**
......@@ -477,6 +487,12 @@ struct OicSecRole
char authority[ROLEAUTHORITY_LENGTH]; // 1:R:S:N:String
};
typedef enum OicSecConntype
{
AUTH_CRYPT, // any subject requesting over authenticated and encrypted channel
ANON_CLEAR, // any subject requesting over anonymous and unencrypted channel
} OicSecConntype_t;
struct OicSecAce
{
// <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
......@@ -485,10 +501,12 @@ struct OicSecAce
{
OicUuid_t subjectuuid; // Only valid for subjectType == OicSecAceUuidSubject
OicSecRole_t subjectRole; // Only valid for subjectType == OicSecAceRoleSubject
OicSecConntype_t subjectConn; // Only valid for subjectType == OicSecAceConntypeSubject
};
OicSecRsrc_t *resources; // 1:R:M:Y:Resource
uint16_t permission; // 2:R:S:Y:UINT16
OicSecValidity_t *validities; // 3:R:M:N:Time-interval
uint16_t aceid; // mandatory in ACE2
#ifdef MULTIPLE_OWNER
OicUuid_t* eownerID; //4:R:S:N:oic.uuid
#endif
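Review bot: OicSecConntype_t, at the top of the OicSecAce hunk, has no explicit values and no "unset" member, so AUTH_CRYPT is 0 and a zero-filled OicSecAce_t (or one whose decoder never assigns subjectConn) is indistinguishable from an ACE that deliberately names auth-crypt. Writing `AUTH_CRYPT = 0, // any subject requesting over authenticated and encrypted channel` and `ANON_CLEAR = 1, // any subject requesting over anonymous and unencrypted channel` makes the in-memory values explicit, and the comment on the union should say that subjectConn is only meaningful after subjectType has been checked, as the sibling comments already imply. The new `wildcard` member in OicSecRsrc also lacks the `// n:R:S:N:Type` annotation its siblings carry and does not say how it combines with href — whether a value other than NO_WILDCARD makes href ignored or both must match; a one-line comment there would keep the CBOR and JSON decoders from answering that differently. Both struct definitions continue outside the hunks shown.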
......
{
"acl": {
"aclist": {
"aces": [
{
"subjectuuid": "*",
"resources": [
"aclist2": [
{
"aceid": 1,
"subject": {
"conntype": "anon-clear"
},
"resources": [
{
"href": "/oic/res",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
}
],
"permission": 2
},
{
"aceid": 2,
"subject": {
"conntype": "auth-crypt"
},
"resources": [
{
"href": "/oic/res",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
}
],
"permission": 2
},
{
"aceid": 3,
"subject": {
"conntype": "anon-clear"
},
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
}
],
"permission": 6
},
{
"aceid": 4,
"subject": {
"conntype": "auth-crypt"
},
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
}
],
"permission": 6
},
{
"aceid": 5,
"subject": {
"conntype": "anon-clear"
},
"resources": [
{
"href": "/oic/res",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"href": "/oic/sec/roles",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
"rt": ["oic.r.cred"],
"if": ["oic.if.baseline"]
}
],
"permission": 2
"permission": 31
},
{
"aceid": 6,
"subject": {
"conntype": "auth-crypt"
},
{
"subjectuuid": "*",
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
},
"resources": [
{
"href": "/oic/sec/pstat",
"href": "/oic/sec/roles",
"rel": "",
"rt": ["oic.r.pstat"],
"rt": ["oic.r.cred"],
"if": ["oic.if.baseline"]
}
],
"permission": 2
}
]
},
"permission": 31
}
],
"rowneruuid" : "61646D69-6E44-6576-6963-655575696430"
},
"pstat": {
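Review bot: As far as the interleaved rendering shows, the new ACE 5 (`"conntype": "anon-clear"`) grants `"permission": 31` on `/oic/sec/roles`, i.e. full CRUDN to any unauthenticated, unencrypted client, whereas the anonymous entries elsewhere in this file stop at 2 and 6; if that breadth is intended for this sample provisioning database, the commit message should say why, since these .json/.dat files tend to be copied verbatim into deployments. The same resource entry lists `"rt": ["oic.r.cred"]`, which is the type given to the /oic/sec/cred entry further down the page and looks copied; if the roles resource has its own resource type, the rt should be corrected here. The second .json file below carries the identical ACE 5 and ACE 6 entries with the same rt, so whatever is decided applies there as well.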
......
{
"acl": {
"aclist": {
"aces": [
{
"subjectuuid": "*",
"resources": [
"aclist2": [
{
"aceid": 1,
"subject": {
"conntype": "anon-clear"
},
"resources": [
{
"href": "/oic/res",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
}
],
"permission": 2
},
{
"aceid": 2,
"subject": {
"conntype": "auth-crypt"
},
"resources": [
{
"href": "/oic/res",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
}
],
"permission": 2
},
{
"aceid": 3,
"subject": {
"conntype": "anon-clear"
},
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
}
],
"permission": 6
},
{
"aceid": 4,
"subject": {
"conntype": "auth-crypt"
},
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
}
],
"permission": 6
},
{
"aceid": 5,
"subject": {
"conntype": "anon-clear"
},
"resources": [
{
"href": "/oic/res",
"href": "/oic/sec/roles",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
"rt": ["oic.r.cred"],
"if": ["oic.if.baseline"]
}
],
"permission": 2
"permission": 31
},
{
"aceid": 6,
"subject": {
"conntype": "auth-crypt"
},
{
"subjectuuid": "*",
"resources": [
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
},
{
"href": "/oic/sec/pstat",
"rel": "",
"rt": ["oic.r.pstat"],
"if": ["oic.if.baseline"]
},
{
"href": "/oic/sec/cred",
"href": "/oic/sec/roles",
"rel": "",
"rt": ["oic.r.cred"],
"if": ["oic.if.baseline"]
}
],
"permission": 6
}
]
},
"rowneruuid" : ""
"permission": 31
}
],
"rowneruuid": ""
},
"pstat": {
"dos": {"s": 1, "p": false},
"isop": false,
"deviceuuid": "",
"rowneruuid": "",
"cm": 2,
"tm": 0,
"om": 4,
"sm": 4
},
"sm": 4,
"rowneruuid": ""
},
"doxm": {
"oxms": [0, 1],
"oxmsel": 0,
......
{
"acl": {
"aclist": {
"aces": [
{
"subjectuuid": "*",
"resources": [
{
"href": "/oic/res",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
}
],
"permission": 2
"aclist2": [
{
"aceid": 1,
"subject": {
"conntype": "anon-clear"
},
{
"subjectuuid": "*",
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
},
{
"href": "/oic/sec/pstat",
"rel": "",
"rt": ["oic.r.pstat"],
"if": ["oic.if.baseline"]
},
"resources": [
{
"href": "/oic/res",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
}
],
"permission": 2
},
{
"aceid": 2,
"subject": {
"conntype": "auth-crypt"
},
"resources": [
{
"href": "/oic/res",
"rel": "",
"rt": ["oic.wk.res"],
"if": ["oic.if.ll"]
},{
"href": "/oic/d",
"rel": "",
"rt": ["oic.wk.d"],
"if": ["oic.if.baseline", "oic.if.r"]
},{
"href": "/oic/p",
"rel": "",
"rt": ["oic.wk.p"],
"if": ["oic.if.baseline", "oic.if.r"]
}
],
"permission": 2
},
{
"aceid": 3,
"subject": {
"conntype": "anon-clear"
},
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
}
],
"permission": 6
},
{
"aceid": 4,
"subject": {
"conntype": "auth-crypt"
},
"resources": [
{
"href": "/oic/sec/doxm",
"rel": "",
"rt": ["oic.r.doxm"],
"if": ["oic.if.baseline"]
}
],
"permission": 6
},
{
"aceid": 5,
"subject": {
"conntype": "anon-clear"
},
"resources": [
{
"href": "/oic/sec/cred",
"href": "/oic/sec/roles",
"rel": "",
"rt": ["oic.r.cred"],
"if": ["oic.if.baseline"]
}