• Kishen Maloor's avatar
    oc_roles:support /oic/sec/roles & role assertion · 607319ee
    Kishen Maloor authored
    This change adds support for the /oic/sec/roles resource on Servers
    for role-based access-control using role certificates, as well as Client
    hooks and APIs to assert roles provisioned to it.
    
    As /oic/sec/roles shares its schema in large part with /oic/sec/cred,
    oc_cred has been updated so its GET/POST/DELETE handlers may also be
    used to service requests to /oic/sec/roles. With an awareness of which
    of the two resources is being currently handled, some logic
    has been added to oc_cred to perform the appropriate actions for each
    resource type. This enables reuse of existing code and flows for parsing
    requests to /oic/sec/cred for /oic/sec/roles, and checking for credid
    uniqueness, while accounting for minor behavioral differences.
    
    oc_sec_cred_t objects are however recorded separately for the two
    resources and oc_roles stores all roles (in oc_sec_cred_t objects) asserted
    via requests to /oic/sec/roles. Also, the encoding function for the
    /oic/sec/roles response representation is separate from that of /oic/sec/cred.
    
    oc_roles provides internal APIs for managing role assertions
    on the Server-side and to help assert roles on the Client-side.
    
    On the Server-side, all roles asserted by various Clients are
    indexed by (D)TLS session in oc_roles. As all asserted roles must be valid
    when they're used for role-based access-control, the Server-side
    stores a parsed role certificate for each role asserted in an
    associated mbedTLS object in memory which may be directly queried for
    a validity check by the access-control flow at the time of handling a
    Client request to a resource. A new void* parameter has been added to
    oc_sec_cred_t to store a handle to this mbedtls_x509_crt object.
    oc_roles automatically frees these mbedtls_x509_crt objects
    for role certificates when the role is freed.
    
    On the Client-side, oc_roles tracks all roles provisioned to
    the Client in its /oic/sec/cred resource by the OBT/CMS for its use. It
    provides APIs for a Client to list all roles available to it, and for
    asserting a role to a Server via a request to /oic/sec/roles.
    
    Change-Id: Id25dbc767141da06f65a46fad1a740da2633d15e
    Signed-off-by: Kishen Maloor's avatarKishen Maloor <kishen.maloor@intel.com>
    Reviewed-on: https://gerrit.iotivity.org/gerrit/27802
    607319ee
oc_pki.c 9.83 KB