Migrate PASE session to newly created fabric (#13712)

* Place PASESession on new fabric PASE sessions start with no fabric, but during commissioning, after OperationalCredentialsCluster::AddNOC, they should be placed on the newly commissioned fabric so administrative actions pertaining to the newly commissioned fabric can be performed over the PASE session, if desired. Work towards issue #10242 * Change SecureSession::NewFabric to alter mFabric This makes it easier to also have it be the accessing fabric after the change.
project-chip · Jan 20, 2022 · f765050 · f765050
1 parent a415736
commit f765050
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 4 deletions.
diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
@@ -453,6 +453,9 @@ bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * co
     err = Server::GetInstance().GetFabricTable().Store(fabricIndex);
     VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
 
+    // Notify the secure session of the new fabric.
+    commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession()->NewFabric(fabricIndex);
+
     // We might have a new operational identity, so we should start advertising it right away.
     app::DnssdServer::Instance().AdvertiseOperational();
 

diff --git a/src/transport/SecureSession.cpp b/src/transport/SecureSession.cpp
@@ -32,9 +32,9 @@ Access::SubjectDescriptor SecureSession::GetSubjectDescriptor() const
     }
     else if (IsPAKEKeyId(mPeerNodeId))
     {
-        subjectDescriptor.authMode = Access::AuthMode::kPase;
-        subjectDescriptor.subject  = mPeerNodeId;
-        // TODO(#10242): PASE *can* have fabric in some situations
+        subjectDescriptor.authMode    = Access::AuthMode::kPase;
+        subjectDescriptor.subject     = mPeerNodeId;
+        subjectDescriptor.fabricIndex = mFabric;
     }
     else
     {

diff --git a/src/transport/SecureSession.h b/src/transport/SecureSession.h
@@ -114,6 +114,23 @@ class SecureSession : public Session
     uint16_t GetPeerSessionId() const { return mPeerSessionId; }
     FabricIndex GetFabricIndex() const { return mFabric; }
 
+    // Should only be called for PASE sessions, which start with undefined fabric,
+    // to migrate to a newly commissioned fabric after successful
+    // OperationalCredentialsCluster::AddNOC
+    CHIP_ERROR NewFabric(FabricIndex fabricIndex)
+    {
+#if 0
+        // TODO(#13711): this check won't work until the issue is addressed
+        if (mSecureSessionType == Type::kPASE)
+        {
+            mFabric = fabricIndex;
+        }
+#else
+        mFabric = fabricIndex;
+#endif
+        return CHIP_NO_ERROR;
+    }
+
     System::Clock::Timestamp GetLastActivityTime() const { return mLastActivityTime; }
     void MarkActive() { mLastActivityTime = System::SystemClock().GetMonotonicTimestamp(); }
 
@@ -139,7 +156,10 @@ class SecureSession : public Session
     const CATValues mPeerCATs;
     const uint16_t mLocalSessionId;
     const uint16_t mPeerSessionId;
-    const FabricIndex mFabric;
+
+    // PASE sessions start with undefined fabric, but are migrated to a newly
+    // commissioned fabric after successful OperationalCredentialsCluster::AddNOC
+    FabricIndex mFabric;
 
     PeerAddress mPeerAddress;
     System::Clock::Timestamp mLastActivityTime;