Skip to content

Commit

Permalink
Remove access control temporary override (#16536)
Browse files Browse the repository at this point in the history
The "empty" default delegate now denies access.

The delegate can now override the check, or proceed with
the standard check.

The "permissive" example delegate still permits access, by
overriding the check.

The "normal" example delegate still performs a standard check,
by not overriding the check.

Fixes #13867
  • Loading branch information
mlepage-google authored and pull[bot] committed Jul 24, 2023
1 parent b859589 commit a2a758d
Show file tree
Hide file tree
Showing 4 changed files with 32 additions and 9 deletions.
12 changes: 8 additions & 4 deletions src/access/AccessControl.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -206,11 +206,14 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
}
#endif

// TODO(#13867): this will go away
if (mDelegate->TemporaryCheckOverride())
{
ChipLogProgress(DataManagement, "AccessControl: temporary check override (this will go away)");
return CHIP_NO_ERROR;
CHIP_ERROR result = mDelegate->Check(subjectDescriptor, requestPath, requestPrivilege);
if (result != CHIP_ERROR_NOT_IMPLEMENTED)
{
ChipLogProgress(DataManagement, "AccessControl: %s (delegate)",
(result == CHIP_NO_ERROR) ? "allowed" : (result == CHIP_ERROR_ACCESS_DENIED) ? "denied" : "error");
return result;
}
}

// Operational PASE not supported for v1.0, so PASE implies commissioning, which has highest privilege.
Expand Down Expand Up @@ -318,6 +321,7 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
}

// Entry passed all checks: access is allowed.
ChipLogProgress(DataManagement, "AccessControl: allowed");
return CHIP_NO_ERROR;
}

Expand Down
13 changes: 10 additions & 3 deletions src/access/AccessControl.h
Original file line number Diff line number Diff line change
Expand Up @@ -341,13 +341,20 @@ class AccessControl
// Iteration
virtual CHIP_ERROR Entries(EntryIterator & iterator, const FabricIndex * fabricIndex) const { return CHIP_NO_ERROR; }

// Check
// Return CHIP_NO_ERROR if allowed, CHIP_ERROR_ACCESS_DENIED if denied,
// CHIP_ERROR_NOT_IMPLEMENTED to use the default check algorithm (against entries),
// or any other CHIP_ERROR if another error occurred.
virtual CHIP_ERROR Check(const SubjectDescriptor & subjectDescriptor, const RequestPath & requestPath,
Privilege requestPrivilege)
{
return CHIP_ERROR_ACCESS_DENIED;
}

// Listening
virtual void SetListener(Listener & listener) { mListener = &listener; }
virtual void ClearListener() { mListener = nullptr; }

// TODO(#13867): this will go away
virtual bool TemporaryCheckOverride() const { return false; }

private:
Listener * mListener = nullptr;
};
Expand Down
8 changes: 8 additions & 0 deletions src/access/examples/ExampleAccessControlDelegate.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ using chip::kUndefinedNodeId;
using chip::Access::AccessControl;
using chip::Access::AuthMode;
using chip::Access::Privilege;
using chip::Access::RequestPath;
using chip::Access::SubjectDescriptor;

using Entry = chip::Access::AccessControl::Entry;
using EntryIterator = chip::Access::AccessControl::EntryIterator;
Expand Down Expand Up @@ -1237,6 +1239,12 @@ class AccessControlDelegate : public AccessControl::Delegate
return CHIP_ERROR_BUFFER_TOO_SMALL;
}

CHIP_ERROR Check(const SubjectDescriptor & subjectDescriptor, const RequestPath & requestPath,
Privilege requestPrivilege) override
{
return CHIP_ERROR_NOT_IMPLEMENTED;
}

public:
void SetStorageDelegate(chip::PersistentStorageDelegate * storageDelegate) { mStorageDelegate = storageDelegate; }

Expand Down
8 changes: 6 additions & 2 deletions src/access/examples/PermissiveAccessControlDelegate.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -59,8 +59,12 @@ class AccessControlDelegate : public AccessControl::Delegate
// Iteration
CHIP_ERROR Entries(EntryIterator & iterator, const FabricIndex * fabricIndex) const override { return CHIP_NO_ERROR; }

// TODO(#13867): this will go away
bool TemporaryCheckOverride() const override { return true; }
// Check
CHIP_ERROR Check(const SubjectDescriptor & subjectDescriptor, const RequestPath & requestPath,
Privilege requestPrivilege) override
{
return CHIP_NO_ERROR;
}
};

} // namespace
Expand Down

0 comments on commit a2a758d

Please sign in to comment.