Enforce access control (#14921)

* Enforce access control Issue #14454 * Forgot to save this file * Zap regen * Small logging changes in access control May not keep this for release but need it for the next few weeks. * Add another log * Add temp logs to debug nRF test failures on Zephyr * Temporarily change ChipLogDetail to ChipLogError * Change access control logs from detail to progress * Remove temporary logs * Add PermissiveAccessControlDelegate for tests This new delegate does not error and overrides the access control check to always allow. It is installed in the unit test context so that unit tests (e.g. of interaction model, which has access control baked in) can test units other than access control without failing due to access control, and without running with real access control and having to install real ACLs (that's for integration tests to do). * Fix logging I meant to do this in the last commit. * Add test helper dependency on access control
project-chip · Sep 5, 2023 · dd13dbe · dd13dbe
1 parent 85422fa
commit dd13dbe
Show file tree

Hide file tree

Showing 11 changed files with 166 additions and 50 deletions.
diff --git a/src/access/AccessControl.cpp b/src/access/AccessControl.cpp
@@ -71,7 +71,7 @@ constexpr bool IsValidGroupNodeId(NodeId aNodeId)
     return chip::IsGroupId(aNodeId) && chip::IsValidGroupId(chip::GroupIdFromNodeId(aNodeId));
 }
 
-#if CHIP_DETAIL_LOGGING
+#if CHIP_PROGRESS_LOGGING
 
 char GetAuthModeStringForLogging(AuthMode authMode)
 {
@@ -152,7 +152,7 @@ char GetPrivilegeStringForLogging(Privilege privilege)
     return 'u';
 }
 
-#endif // CHIP_DETAIL_LOGGING
+#endif // CHIP_PROGRESS_LOGGING
 
 } // namespace
 
@@ -165,35 +165,44 @@ AccessControl::Delegate AccessControl::mDefaultDelegate;
 
 CHIP_ERROR AccessControl::Init()
 {
-    ChipLogDetail(DataManagement, "AccessControl: initializing");
+    ChipLogProgress(DataManagement, "AccessControl: initializing");
     return mDelegate.Init();
 }
 
 CHIP_ERROR AccessControl::Finish()
 {
-    ChipLogDetail(DataManagement, "AccessControl: finishing");
+    ChipLogProgress(DataManagement, "AccessControl: finishing");
     return mDelegate.Finish();
 }
 
 CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, const RequestPath & requestPath,
                                 Privilege requestPrivilege)
 {
-    // Don't check if using default delegate (e.g. test code that isn't testing access control)
-    ReturnErrorCodeIf(&mDelegate == &mDefaultDelegate, CHIP_NO_ERROR);
-
-#if CHIP_DETAIL_LOGGING
+#if CHIP_PROGRESS_LOGGING
     {
         char buf[6 * kCharsPerCatForLogging];
-        ChipLogDetail(DataManagement,
-                      "AccessControl: checking f=%u a=%c s=0x" ChipLogFormatX64 " t=%s c=" ChipLogFormatMEI " e=%" PRIu16 " p=%c",
-                      subjectDescriptor.fabricIndex, GetAuthModeStringForLogging(subjectDescriptor.authMode),
-                      ChipLogValueX64(subjectDescriptor.subject), GetCatStringForLogging(buf, sizeof(buf), subjectDescriptor.cats),
-                      ChipLogValueMEI(requestPath.cluster), requestPath.endpoint, GetPrivilegeStringForLogging(requestPrivilege));
+        ChipLogProgress(DataManagement,
+                        "AccessControl: checking f=%u a=%c s=0x" ChipLogFormatX64 " t=%s c=" ChipLogFormatMEI " e=%" PRIu16 " p=%c",
+                        subjectDescriptor.fabricIndex, GetAuthModeStringForLogging(subjectDescriptor.authMode),
+                        ChipLogValueX64(subjectDescriptor.subject),
+                        GetCatStringForLogging(buf, sizeof(buf), subjectDescriptor.cats), ChipLogValueMEI(requestPath.cluster),
+                        requestPath.endpoint, GetPrivilegeStringForLogging(requestPrivilege));
     }
 #endif
 
+    // TODO(#13867): this will go away
+    if (mDelegate.TemporaryCheckOverride())
+    {
+        ChipLogProgress(DataManagement, "AccessControl: temporary check override (this will go away)");
+        return CHIP_NO_ERROR;
+    }
+
     // Operational PASE not supported for v1.0, so PASE implies commissioning, which has highest privilege.
-    ReturnErrorCodeIf(subjectDescriptor.authMode == AuthMode::kPase, CHIP_NO_ERROR);
+    if (subjectDescriptor.authMode == AuthMode::kPase)
+    {
+        ChipLogProgress(DataManagement, "AccessControl: implicit admin (PASE)");
+        return CHIP_NO_ERROR;
+    }
 
     EntryIterator iterator;
     ReturnErrorOnFailure(Entries(iterator, &subjectDescriptor.fabricIndex));
@@ -297,6 +306,7 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
     }
 
     // No entry was found which passed all checks: access is denied.
+    ChipLogProgress(DataManagement, "AccessControl: denied");
     return CHIP_ERROR_ACCESS_DENIED;
 }
 
@@ -317,9 +327,9 @@ bool AccessControl::IsValid(const Entry & entry)
     SuccessOrExit(entry.GetSubjectCount(subjectCount));
     SuccessOrExit(entry.GetTargetCount(targetCount));
 
-    ChipLogDetail(DataManagement, "AccessControl: validating f=%u p=%c a=%c s=%d t=%d", fabricIndex,
-                  GetPrivilegeStringForLogging(privilege), GetAuthModeStringForLogging(authMode), static_cast<int>(subjectCount),
-                  static_cast<int>(targetCount));
+    ChipLogProgress(DataManagement, "AccessControl: validating f=%u p=%c a=%c s=%d t=%d", fabricIndex,
+                    GetPrivilegeStringForLogging(privilege), GetAuthModeStringForLogging(authMode), static_cast<int>(subjectCount),
+                    static_cast<int>(targetCount));
 
     // Fabric index must be defined.
     VerifyOrExit(fabricIndex != kUndefinedFabricIndex, log = "invalid fabric index");
@@ -342,7 +352,7 @@ bool AccessControl::IsValid(const Entry & entry)
         SuccessOrExit(entry.GetSubject(i, subject));
         const bool kIsCase  = authMode == AuthMode::kCase;
         const bool kIsGroup = authMode == AuthMode::kGroup;
-        ChipLogDetail(DataManagement, "  validating subject 0x" ChipLogFormatX64, ChipLogValueX64(subject));
+        ChipLogProgress(DataManagement, "  validating subject 0x" ChipLogFormatX64, ChipLogValueX64(subject));
         VerifyOrExit((kIsCase && IsValidCaseNodeId(subject)) || (kIsGroup && IsValidGroupNodeId(subject)), log = "invalid subject");
     }
 
@@ -376,6 +386,7 @@ AccessControl & GetAccessControl()
 
 void SetAccessControl(AccessControl & accessControl)
 {
+    ChipLogProgress(DataManagement, "AccessControl: setting");
     globalAccessControl = &accessControl;
 }
 

diff --git a/src/access/AccessControl.h b/src/access/AccessControl.h
@@ -344,6 +344,9 @@ class AccessControl
         virtual void SetListener(Listener & listener) { mListener = &listener; }
         virtual void ClearListener() { mListener = nullptr; }
 
+        // TODO(#13867): this will go away
+        virtual bool TemporaryCheckOverride() const { return false; }
+
     private:
         Listener * mListener = nullptr;
     };

diff --git a/src/access/BUILD.gn b/src/access/BUILD.gn
@@ -26,6 +26,8 @@ static_library("access") {
     "SubjectDescriptor.h",
     "examples/ExampleAccessControlDelegate.cpp",
     "examples/ExampleAccessControlDelegate.h",
+    "examples/PermissiveAccessControlDelegate.cpp",
+    "examples/PermissiveAccessControlDelegate.h",
   ]
 
   cflags = [ "-Wconversion" ]

diff --git a/src/access/examples/ExampleAccessControlDelegate.cpp b/src/access/examples/ExampleAccessControlDelegate.cpp
@@ -1065,11 +1065,11 @@ class AccessControlDelegate : public AccessControl::Delegate
 public:
     CHIP_ERROR Init() override
     {
-        ChipLogDetail(DataManagement, "Examples::AccessControlDelegate::Init");
+        ChipLogProgress(DataManagement, "Examples::AccessControlDelegate::Init");
         CHIP_ERROR err = LoadFromFlash();
         if (err != CHIP_NO_ERROR)
         {
-            ChipLogDetail(DataManagement, "AccessControl: unable to load stored ACL entries; using empty list instead");
+            ChipLogProgress(DataManagement, "AccessControl: unable to load stored ACL entries; using empty list instead");
             for (auto & storage : EntryStorage::acl)
             {
                 storage.Clear();
@@ -1080,7 +1080,7 @@ class AccessControlDelegate : public AccessControl::Delegate
 
     CHIP_ERROR Finish() override
     {
-        ChipLogDetail(DataManagement, "Examples::AccessControlDelegate::Finish");
+        ChipLogProgress(DataManagement, "Examples::AccessControlDelegate::Finish");
         return SaveToFlash();
     }
 
@@ -1140,7 +1140,7 @@ class AccessControlDelegate : public AccessControl::Delegate
                 CHIP_ERROR saveError = SaveToFlash();
                 if (saveError != CHIP_NO_ERROR && saveError != CHIP_ERROR_INCORRECT_STATE)
                 {
-                    ChipLogDetail(DataManagement, "CreateEntry failed to save to flash");
+                    ChipLogProgress(DataManagement, "CreateEntry failed to save to flash");
                 }
             }
             return err;
@@ -1172,7 +1172,7 @@ class AccessControlDelegate : public AccessControl::Delegate
                 CHIP_ERROR saveError = SaveToFlash();
                 if (saveError != CHIP_NO_ERROR && saveError != CHIP_ERROR_INCORRECT_STATE)
                 {
-                    ChipLogDetail(DataManagement, "UpdateEntry failed to save to flash");
+                    ChipLogProgress(DataManagement, "UpdateEntry failed to save to flash");
                 }
             }
             return err;
@@ -1215,7 +1215,7 @@ class AccessControlDelegate : public AccessControl::Delegate
             CHIP_ERROR saveError = SaveToFlash();
             if (saveError != CHIP_NO_ERROR && saveError != CHIP_ERROR_INCORRECT_STATE)
             {
-                ChipLogDetail(DataManagement, "DeleteEntry failed to save to flash");
+                ChipLogProgress(DataManagement, "DeleteEntry failed to save to flash");
             }
             return CHIP_NO_ERROR;
         }

diff --git a/src/access/examples/PermissiveAccessControlDelegate.cpp b/src/access/examples/PermissiveAccessControlDelegate.cpp
@@ -0,0 +1,80 @@
+/*
+ *
+ *    Copyright (c) 2022 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include "PermissiveAccessControlDelegate.h"
+
+namespace {
+
+using namespace chip;
+using namespace chip::Access;
+
+using Entry         = chip::Access::AccessControl::Entry;
+using EntryIterator = chip::Access::AccessControl::EntryIterator;
+using Target        = Entry::Target;
+
+class AccessControlDelegate : public AccessControl::Delegate
+{
+public:
+    CHIP_ERROR Init() override { return CHIP_NO_ERROR; }
+    CHIP_ERROR Finish() override { return CHIP_NO_ERROR; }
+
+    // Capabilities
+    CHIP_ERROR GetMaxEntryCount(size_t & value) const override
+    {
+        value = 0;
+        return CHIP_NO_ERROR;
+    }
+
+    // Actualities
+    CHIP_ERROR GetEntryCount(size_t & value) const override
+    {
+        value = 0;
+        return CHIP_NO_ERROR;
+    }
+
+    // Preparation
+    CHIP_ERROR PrepareEntry(Entry & entry) override { return CHIP_NO_ERROR; }
+
+    // CRUD
+    CHIP_ERROR CreateEntry(size_t * index, const Entry & entry, FabricIndex * fabricIndex) override { return CHIP_NO_ERROR; }
+    CHIP_ERROR ReadEntry(size_t index, Entry & entry, const FabricIndex * fabricIndex) const override { return CHIP_NO_ERROR; }
+    CHIP_ERROR UpdateEntry(size_t index, const Entry & entry, const FabricIndex * fabricIndex) override { return CHIP_NO_ERROR; }
+    CHIP_ERROR DeleteEntry(size_t index, const FabricIndex * fabricIndex) override { return CHIP_NO_ERROR; }
+
+    // Iteration
+    CHIP_ERROR Entries(EntryIterator & iterator, const FabricIndex * fabricIndex) const override { return CHIP_NO_ERROR; }
+
+    // TODO(#13867): this will go away
+    bool TemporaryCheckOverride() const override { return true; }
+};
+
+} // namespace
+
+namespace chip {
+namespace Access {
+namespace Examples {
+
+AccessControl::Delegate & GetPermissiveAccessControlDelegate()
+{
+    static AccessControlDelegate accessControlDelegate;
+    return accessControlDelegate;
+}
+
+} // namespace Examples
+} // namespace Access
+} // namespace chip
diff --git a/src/access/examples/PermissiveAccessControlDelegate.h b/src/access/examples/PermissiveAccessControlDelegate.h
@@ -0,0 +1,29 @@
+/*
+ *
+ *    Copyright (c) 2022 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#pragma once
+
+#include "access/AccessControl.h"
+
+namespace chip {
+namespace Access {
+namespace Examples {
+
+AccessControl::Delegate & GetPermissiveAccessControlDelegate();
+
+} // namespace Examples
+} // namespace Access
+} // namespace chip
diff --git a/src/app/CommandHandler.cpp b/src/app/CommandHandler.cpp
@@ -274,12 +274,6 @@ CHIP_ERROR CommandHandler::ProcessCommandDataIB(CommandDataIB::Parser & aCommand
         Access::Privilege requestPrivilege = RequiredPrivilege::ForInvokeCommand(concretePath);
         err                                = Access::GetAccessControl().Check(subjectDescriptor, requestPath, requestPrivilege);
         if (err != CHIP_NO_ERROR)
-        {
-            // Grace period until ACLs are in place
-            ChipLogError(DataManagement, "AccessControl: overriding DENY (for now)");
-            err = CHIP_NO_ERROR;
-        }
-        if (err != CHIP_NO_ERROR)
         {
             if (err != CHIP_ERROR_ACCESS_DENIED)
             {
@@ -408,12 +402,6 @@ CHIP_ERROR CommandHandler::ProcessGroupCommandDataIB(CommandDataIB::Parser & aCo
             Access::Privilege requestPrivilege = RequiredPrivilege::ForInvokeCommand(concretePath);
             err                                = Access::GetAccessControl().Check(subjectDescriptor, requestPath, requestPrivilege);
             if (err != CHIP_NO_ERROR)
-            {
-                // Grace period until ACLs are in place
-                ChipLogError(DataManagement, "AccessControl: overriding DENY (for now)");
-                err = CHIP_NO_ERROR;
-            }
-            if (err != CHIP_NO_ERROR)
             {
                 // TODO: handle errors that aren't CHIP_ERROR_ACCESS_DENIED, etc.
                 continue;

diff --git a/src/app/tests/AppTestContext.cpp b/src/app/tests/AppTestContext.cpp
@@ -16,10 +16,18 @@
 
 #include <app/tests/AppTestContext.h>
 
+#include <access/AccessControl.h>
+#include <access/examples/PermissiveAccessControlDelegate.h>
 #include <app/InteractionModelEngine.h>
 #include <lib/support/CodeUtils.h>
 #include <lib/support/ErrorStr.h>
 
+namespace {
+
+chip::Access::AccessControl permissiveAccessControl(chip::Access::Examples::GetPermissiveAccessControlDelegate());
+
+} // namespace
+
 namespace chip {
 namespace Test {
 
@@ -28,11 +36,16 @@ CHIP_ERROR AppContext::Init()
     ReturnErrorOnFailure(Super::Init());
     ReturnErrorOnFailure(chip::app::InteractionModelEngine::GetInstance()->Init(&GetExchangeManager()));
 
+    Access::SetAccessControl(permissiveAccessControl);
+    ReturnErrorOnFailure(Access::GetAccessControl().Init());
+
     return CHIP_NO_ERROR;
 }
 
 CHIP_ERROR AppContext::Shutdown()
 {
+    ReturnErrorOnFailure(Access::GetAccessControl().Finish());
+
     chip::app::InteractionModelEngine::GetInstance()->Shutdown();
     ReturnErrorOnFailure(Super::Shutdown());
 

diff --git a/src/app/tests/BUILD.gn b/src/app/tests/BUILD.gn
@@ -31,6 +31,7 @@ static_library("helpers") {
   cflags = [ "-Wconversion" ]
 
   deps = [
+    "${chip_root}/src/access",
     "${chip_root}/src/lib/support",
     "${chip_root}/src/messaging/tests:helpers",
     "${chip_root}/src/transport/raw/tests:helpers",

diff --git a/src/app/tests/TestCommandInteraction.cpp b/src/app/tests/TestCommandInteraction.cpp
@@ -602,7 +602,8 @@ void TestCommandInteraction::TestCommandHandlerWithProcessReceivedEmptyDataMsg(n
             chip::isCommandDispatched = false;
             GenerateInvokeRequest(apSuite, apContext, commandDatabuf, false /*aNeedCommandData*/, messageIsTimed);
             err = commandHandler.ProcessInvokeRequest(std::move(commandDatabuf), transactionIsTimed);
-            NL_TEST_ASSERT(apSuite, err == CHIP_NO_ERROR && chip::isCommandDispatched == (messageIsTimed == transactionIsTimed));
+            NL_TEST_ASSERT(apSuite, err == CHIP_NO_ERROR);
+            NL_TEST_ASSERT(apSuite, chip::isCommandDispatched == (messageIsTimed == transactionIsTimed));
         }
     }
 }
@@ -767,7 +768,7 @@ const nlTest sTests[] =
 // clang-format off
 nlTestSuite sSuite =
 {
-    "TestReadInteraction",
+    "TestCommandInteraction",
     &sTests[0],
     TestContext::Initialize,
     TestContext::Finalize