diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp index 3842fbd4eb0d47..f91af0517ab9c2 100644 --- a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp +++ b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp @@ -20,6 +20,7 @@ * @brief Implementation for the Operational Credentials Cluster ***************************************************************************/ +#include #include #include #include @@ -59,6 +60,24 @@ namespace { constexpr uint8_t kDACCertificate = 1; constexpr uint8_t kPAICertificate = 2; +CHIP_ERROR CreateAccessControlEntryForNewFabricAdministrator(FabricIndex fabricIndex, NodeId subject) +{ + Access::AccessControl::Entry entry; + ReturnErrorOnFailure(Access::GetAccessControl().PrepareEntry(entry)); + ReturnErrorOnFailure(entry.SetFabricIndex(fabricIndex)); + ReturnErrorOnFailure(entry.SetPrivilege(Access::Privilege::kAdminister)); + ReturnErrorOnFailure(entry.SetAuthMode(Access::AuthMode::kCase)); + ReturnErrorOnFailure(entry.AddSubject(nullptr, subject)); + ReturnErrorOnFailure(Access::GetAccessControl().CreateEntry(nullptr, entry)); + + emberAfPrintln(EMBER_AF_PRINT_DEBUG, "OpCreds: ACL entry created for Fabric %" PRIX8 " CASE Admin NodeId 0x" ChipLogFormatX64, + fabricIndex, ChipLogValueX64(subject)); + + // TODO: event notification for newly created ACL entry + + return CHIP_NO_ERROR; +} + class OperationalCredentialsAttrAccess : public AttributeAccessInterface { public: @@ -484,6 +503,11 @@ bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * co err = Server::GetInstance().GetFabricTable().Store(fabricIndex); VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err)); + // Keep this after other possible failures, so it doesn't need to be rolled back in case of + // subsequent failures. This should only typically fail if there is no space for the new entry. + err = CreateAccessControlEntryForNewFabricAdministrator(fabricIndex, commandData.caseAdminNode); + VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err)); + // Notify the secure session of the new fabric. commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession()->NewFabric(fabricIndex);