OpCreds AddNOC creates admin ACL entry (#13736)

OperationalCredentialCluster::AddNOC command creates an ACL entry for the newly created operational fabric, for administering the CASE admin subject provided in the AddNOC command.
project-chip · Jan 25, 2022 · 0902641 · 0902641
1 parent c428576
commit 0902641
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
@@ -20,6 +20,7 @@
  * @brief Implementation for the Operational Credentials Cluster
  ***************************************************************************/
 
+#include <access/AccessControl.h>
 #include <app-common/zap-generated/af-structs.h>
 #include <app-common/zap-generated/attributes/Accessors.h>
 #include <app-common/zap-generated/cluster-objects.h>
@@ -59,6 +60,24 @@ namespace {
 constexpr uint8_t kDACCertificate = 1;
 constexpr uint8_t kPAICertificate = 2;
 
+CHIP_ERROR CreateAccessControlEntryForNewFabricAdministrator(FabricIndex fabricIndex, NodeId subject)
+{
+    Access::AccessControl::Entry entry;
+    ReturnErrorOnFailure(Access::GetAccessControl().PrepareEntry(entry));
+    ReturnErrorOnFailure(entry.SetFabricIndex(fabricIndex));
+    ReturnErrorOnFailure(entry.SetPrivilege(Access::Privilege::kAdminister));
+    ReturnErrorOnFailure(entry.SetAuthMode(Access::AuthMode::kCase));
+    ReturnErrorOnFailure(entry.AddSubject(nullptr, subject));
+    ReturnErrorOnFailure(Access::GetAccessControl().CreateEntry(nullptr, entry));
+
+    emberAfPrintln(EMBER_AF_PRINT_DEBUG, "OpCreds: ACL entry created for Fabric %" PRIX8 " CASE Admin NodeId 0x" ChipLogFormatX64,
+                   fabricIndex, ChipLogValueX64(subject));
+
+    // TODO: event notification for newly created ACL entry
+
+    return CHIP_NO_ERROR;
+}
+
 class OperationalCredentialsAttrAccess : public AttributeAccessInterface
 {
 public:
@@ -484,6 +503,11 @@ bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * co
     err = Server::GetInstance().GetFabricTable().Store(fabricIndex);
     VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
 
+    // Keep this after other possible failures, so it doesn't need to be rolled back in case of
+    // subsequent failures. This should only typically fail if there is no space for the new entry.
+    err = CreateAccessControlEntryForNewFabricAdministrator(fabricIndex, commandData.caseAdminNode);
+    VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
+
     // Notify the secure session of the new fabric.
     commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession()->NewFabric(fabricIndex);