Added CASE Authenticated Tags Support to Access Control Check. (#12689)
* Added CASE Authenticated Tags Support to Access Control Check.

  -- Added CATValues field to the SubjectDescriptor struct
  -- Moved declaration of CASEAuthTag and CATValues into separate file src/lib/core/CASEAuthTag.h
  -- Added new CAT test cases to TestAccessControl.cpp
  -- Minor test cleanups

* fixed typo in the TestDeleteEntry() access control test.
emargolis authored and pull[bot] committed Oct 21, 2023
1 parent 87d714a commit 1480042
Showing 17 changed files with 504 additions and 391 deletions.
44 changes: 40 additions & 4 deletions src/access/AccessControl.cpp
Expand Up @@ -20,7 +20,9 @@

namespace {

using chip::CATValues;
using chip::FabricIndex;
using chip::NodeId;
using namespace chip::Access;

AccessControl defaultAccessControl;
Expand Down Expand Up @@ -115,12 +117,46 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
{
NodeId subject = kUndefinedNodeId;
ReturnErrorOnFailure(entry.GetSubject(i, subject));
if (subject == subjectDescriptor.subjects[0])
if (IsOperationalNodeId(subject))
{
subjectMatched = true;
break;
if (subject == subjectDescriptor.subject)
{
subjectMatched = true;
break;
}
}
else if (IsGroupId(subject))
{
VerifyOrReturnError(authMode == AuthMode::kGroup, CHIP_ERROR_INVALID_ARGUMENT);
if (subject == subjectDescriptor.subject)
{
subjectMatched = true;
break;
}
}
// TODO: Add the implicit admit for PASE after the spec is updated.
else if (IsPAKEKeyId(subject))
{
VerifyOrReturnError(authMode == AuthMode::kPase, CHIP_ERROR_INVALID_ARGUMENT);
if (subject == subjectDescriptor.subject)
{
subjectMatched = true;
break;
}
}
else if (IsCASEAuthTag(subject))
{
VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INVALID_ARGUMENT);
if (subjectDescriptor.cats.CheckSubjectAgainstCATs(subject))
{
subjectMatched = true;
break;
}
}
else
{
return CHIP_ERROR_INVALID_ARGUMENT;
}
// TODO: check against CATs in subject descriptor
}
if (!subjectMatched)
{
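Review bot: The operational-node branch (`if (IsOperationalNodeId(subject))`) is the only one that compares against `subjectDescriptor.subject` without first checking `authMode`; the group, PASE and CAT branches each reject a mismatch with CHIP_ERROR_INVALID_ARGUMENT. If `authMode` (assigned above the hunk) is the entry's auth mode, an entry pairing an operational node ID with a non-CASE mode is malformed and should be rejected the same way, with `VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INVALID_ARGUMENT);` before the comparison. Each of those rejections returns from Check() outright, so a single malformed entry fails every request closed rather than being skipped; a one-line comment stating that this is intentional would help the next reader. Whether `CheckSubjectAgainstCATs` enforces the version ordering (descriptor version at least the entry's) cannot be seen here and deserves an explicit case in TestAccessControl.cpp. Check()'s body starts and ends outside this hunk.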
9 changes: 6 additions & 3 deletions src/access/SubjectDescriptor.h
Expand Up @@ -20,6 +20,7 @@

#include "AuthMode.h"

#include <lib/core/CASEAuthTag.h>
#include <lib/core/DataModelTypes.h>
#include <lib/core/NodeId.h>

Expand All @@ -36,9 +37,11 @@ struct SubjectDescriptor

// NOTE: due to packing there should be free bytes here

// Holds subjects according to auth mode, and the latter two are only valid
// if auth mode is CASE.
NodeId subjects[3] = { kUndefinedNodeId, kUndefinedNodeId, kUndefinedNodeId };
// Holds subject according to auth mode.
NodeId subject = kUndefinedNodeId;

// CASE Authenticated Tags (CATs) only valid if auth mode is CASE.
CATValues cats;
};

} // namespace Access
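Review bot: `CATValues cats;` is the only member without an initializer, while `subject` is explicitly set to kUndefinedNodeId on the line above. Unless CATValues supplies default member initializers (its definition in CASEAuthTag.h is not in view), a SubjectDescriptor declared without braces would carry indeterminate tag values into the CAT match in AccessControl::Check, where stray bytes that happen to look like a CAT could satisfy an entry. Suggest `CATValues cats = {};` so every construction path starts from an empty tag set, or a comment on the member stating that CATValues initialises itself to "no tags". The struct's opening line is outside the hunk.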
