From 09a945f50c4c4c99c1f70446560c570c052367dd Mon Sep 17 00:00:00 2001
From: Marc Lepage
Date: Wed, 19 Jan 2022 17:21:48 -0500
Subject: [PATCH] OpCreds AddNOC creates admin ACL entry

OperationalCredentialCluster::AddNOC command is supposed to create an ACL entry for the newly created operational fabric, for administering the CASE admin subject provided in the AddNOc command.
---
 .../operational-credentials-server.cpp | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
index aa4f268b21604c..d43cf0a60c4a13 100644
--- a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
+++ b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
@@ -20,6 +20,7 @@
 * @brief Implementation for the Operational Credentials Cluster
 ***************************************************************************/
+#include
 #include
 #include
 #include
@@ -59,6 +60,24 @@ namespace {
 constexpr uint8_t kDACCertificate = 1;
 constexpr uint8_t kPAICertificate = 2;
+CHIP_ERROR CreateAccessControlEntryForNewFabricAdministrator(FabricIndex fabricIndex, NodeId subject)
+{
+ Access::AccessControl::Entry entry;
+ ReturnErrorOnFailure(Access::GetAccessControl().PrepareEntry(entry));
+ ReturnErrorOnFailure(entry.SetFabricIndex(fabricIndex));
+ ReturnErrorOnFailure(entry.SetPrivilege(Access::Privilege::kAdminister));
+ ReturnErrorOnFailure(entry.SetAuthMode(Access::AuthMode::kCase));
+ ReturnErrorOnFailure(entry.AddSubject(nullptr, subject));
+ ReturnErrorOnFailure(Access::GetAccessControl().CreateEntry(nullptr, entry));
+
+ emberAfPrintln(EMBER_AF_PRINT_DEBUG, "OpCreds: ACL entry created for Fabric %" PRIX8 " CASE Admin NodeId 0x" ChipLogFormatX64,
+ fabricIndex, ChipLogValueX64(subject));
+
+ // TODO: event notification for newly created ACL entry
+
+ return CHIP_NO_ERROR;
+}
+
 class OperationalCredentialsAttrAccess : public AttributeAccessInterface
 {
 public:
@@ -453,6 +472,11 @@ bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * co
 err = Server::GetInstance().GetFabricTable().Store(fabricIndex);
 VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
+ // Keep this after other possible failures, so it doesn't need to be rolled back in case of
+ // subsequent failures. This should only typically fail if there is no space for the new entry.
+ err = CreateAccessControlEntryForNewFabricAdministrator(fabricIndex, commandData.caseAdminNode);
+ VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
+
 // We might have a new operational identity, so we should start advertising it right away.
 app::DnssdServer::Instance().AdvertiseOperational();
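Review bot: CreateAccessControlEntryForNewFabricAdministrator grants kAdminister to whatever NodeId it is handed, and nothing in this hunk checks that `subject` is a usable CASE subject (an operational node ID or CAT subject) before `entry.AddSubject(nullptr, subject)`; unless the AddNOC handler validates commandData.caseAdminNode before calling in (it is not visible here), an Administer entry for an unusable subject is committed for the new fabric and the commissioner gets no InvalidAdminSubject-style rejection. A header comment would pin the contract either way: `// Creates the initial Administer-privilege CASE ACL entry for the new fabric's commissioner-designated admin subject. Caller must validate subject; on failure no entry is created.` The two `Access::GetAccessControl()` calls could share one local reference, `Access::AccessControl & acl = Access::GetAccessControl();`, which also makes it obvious that PrepareEntry and CreateEntry act on the same table.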
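Review bot: The new VerifyOrExit runs after `GetFabricTable().Store(fabricIndex)` has already persisted the fabric, so when the ACL entry cannot be created (the added comment expects this when the table is full) the device is left with a stored fabric that has no Administer entry; whether the exit path of emberAfOperationalCredentialsClusterAddNOCCallback, which starts and continues outside this hunk, removes that fabric or the fail-safe expiry reverts it is not visible here. The comment should state which of those is relied on rather than "doesn't need to be rolled back", e.g. `// On failure the fabric stays stored without an admin ACL entry; fail-safe expiry is expected to revert it — confirm.` It is also worth checking that `ConvertToNOCResponseStatus(err)` maps the ACL-table-full error to the TableFull status (if that value is in the NOC status enum) rather than a generic failure, since the commissioner's retry decision depends on it.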