[IOT-2271] [IOT-2308] fix hard-coded ACL for discovery and onboarding 71/19971/12
authorNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Wed, 17 May 2017 02:34:21 +0000 (19:34 -0700)
committerRandeep Singh <randeep.s@samsung.com>
Mon, 22 May 2017 06:53:53 +0000 (06:53 +0000)
The GetDefaultACL() function needed to be updated to /acl2 format.
Fixed the printACL() function to support ace2 as well.
Fixed aclresourcetest.cpp unit tests.
Updated related .json and .dat files.

Change-Id: Id1a14067e3c9d743cab489c733486fcea1e91d52
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/19971
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Dmitriy Zhuravlev <d.zhuravlev@samsung.com>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>
resource/csdk/security/include/internal/acl_logging.h
resource/csdk/security/src/aclresource.c
resource/csdk/security/src/policyengine.c
resource/csdk/security/unittest/aclresourcetest.cpp
resource/csdk/security/unittest/oic_unittest_acl1.dat
resource/csdk/security/unittest/oic_unittest_acl1.json
resource/csdk/security/unittest/oic_unittest_default_acl.dat
resource/csdk/security/unittest/oic_unittest_default_acl.json

index a78584b..e46b795 100644 (file)
@@ -48,6 +48,8 @@ INLINE_API void printACE(LogLevel level, const OicSecAce_t *ace)
         return;
     }
 
+    OIC_LOG_V(level, ACL_TAG, "    aceid = %d", ace->aceid);
+
     OIC_LOG_V(level, ACL_TAG, "    permission = %#x", (uint32_t)ace->permission);
 
     // Log the subject
@@ -62,6 +64,23 @@ INLINE_API void printACE(LogLevel level, const OicSecAce_t *ace)
         OIC_LOG_V(level, ACL_TAG, "    role id = %s", ace->subjectRole.id);
         OIC_LOG_V(level, ACL_TAG, "    authority = %s", ace->subjectRole.authority);
     }
+    else if (ace->subjectType == OicSecAceConntypeSubject)
+    {
+        const char *conntype;
+        if (ANON_CLEAR == ace->subjectConn)
+        {
+            conntype = "ANON_CLEAR";
+        }
+        else if (AUTH_CRYPT == ace->subjectConn)
+        {
+            conntype = "AUTH_CRYPT";
+        }
+        else
+        {
+            conntype = "Unknown conntype in subjectConn";
+        }
+        OIC_LOG_V(level, ACL_TAG, "    conntype = %s", conntype);
+    }
     else
     {
         OIC_LOG(level, ACL_TAG, "    subject = (subject of unknown type)");
index e8f5379..88b1df1 100644 (file)
@@ -661,7 +661,6 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl,
             OicSecRsrc_t* rsrc = NULL;
             LL_FOREACH(ace->resources, rsrc)
             {
-
                 CborEncoder rMap;
                 size_t rsrcMapSize = 0;
                 if (NULL != rsrc->href)
@@ -684,6 +683,7 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl,
                 {
                     rsrcMapSize++;
                 }
+
                 OIC_LOG_V(DEBUG, TAG, "%s resource map size = "PRIuPTR, __func__, rsrcMapSize);
 
                 cborEncoderResult = cbor_encoder_create_map(&resources, &rMap, rsrcMapSize);
@@ -2577,7 +2577,7 @@ static OCEntityHandlerResult HandleACLGetRequest(const OCEntityHandlerRequest *e
         {
             OIC_LOG_V(WARNING, TAG, "%s: gAcl is NULL", __func__);
         }
-        
+
         targetAcl.aces = NULL;
 
         // 'Subject' field is MUST for processing a querystring in REST request.
@@ -2929,15 +2929,14 @@ OCStackResult GetDefaultACL(OicSecAcl_t** defaultAcl)
     OCStackResult ret = OC_STACK_ERROR;
     OicUuid_t ownerId = { .id = { 0 } };
     OicSecAcl_t *acl = NULL;
-    OicSecAce_t *readOnlyAce = NULL;
-    OicSecAce_t *readWriteAce = NULL;
-    OicSecAce_t *fullPermAce = NULL;
+    OicSecAce_t *readOnlyAceAnon = NULL;
+    OicSecAce_t *readOnlyAceAuth = NULL;
+    OicSecAce_t *readWriteDeleteAceAnon = NULL;
+    OicSecAce_t *readWriteDeleteAceAuth = NULL;
     OicSecRsrc_t* resRsrc = NULL;
     OicSecRsrc_t* deviceRsrc = NULL;
     OicSecRsrc_t* platformRsrc = NULL;
     OicSecRsrc_t* doxmRsrc = NULL;
-    OicSecRsrc_t* pstatRsrc = NULL;
-    OicSecRsrc_t* credRsrc = NULL;
     OicSecRsrc_t* rolesRsrc = NULL;
 
     /*
@@ -2961,168 +2960,122 @@ OCStackResult GetDefaultACL(OicSecAcl_t** defaultAcl)
     acl = (OicSecAcl_t *) OICCalloc(1, sizeof(OicSecAcl_t));
     VERIFY_NOT_NULL(TAG, acl, ERROR);
 
-    // Default ACE allowing read-only access, for discovery
-    readOnlyAce = (OicSecAce_t *) OICCalloc(1, sizeof(OicSecAce_t));
-    VERIFY_NOT_NULL(TAG, readOnlyAce, ERROR);
-    readOnlyAce->permission = PERMISSION_READ;
-    readOnlyAce->validities = NULL;
-    LL_APPEND(acl->aces, readOnlyAce);
+    // ACE allowing read-only access to /res, /d and /p by "ANON_CLEAR" subjects
+    readOnlyAceAnon = (OicSecAce_t *) OICCalloc(1, sizeof(OicSecAce_t));
+    VERIFY_NOT_NULL(TAG, readOnlyAceAnon, ERROR);
+    readOnlyAceAnon->aceid = 1;
+    readOnlyAceAnon->permission = PERMISSION_READ;
+    readOnlyAceAnon->validities = NULL;
+    LL_APPEND(acl->aces, readOnlyAceAnon);
 
-    // Subject -- Mandatory
-    readOnlyAce->subjectType = OicSecAceUuidSubject;
-    memcpy(&readOnlyAce->subjectuuid, &WILDCARD_SUBJECT_ID, sizeof(readOnlyAce->subjectuuid));
+    // Subject is conntype "ANON_CLEAR" (e.g. CoAP) wildcard
+    readOnlyAceAnon->subjectType = OicSecAceConntypeSubject;
+    readOnlyAceAnon->subjectConn = ANON_CLEAR;
 
-    // Resources -- Mandatory
+    // Resources are /res, /d and /p
     // /oic/res
     resRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
     VERIFY_NOT_NULL(TAG, resRsrc, ERROR);
-    LL_APPEND(readOnlyAce->resources, resRsrc);
+    LL_APPEND(readOnlyAceAnon->resources, resRsrc);
     resRsrc->href = OICStrdup(OC_RSRVD_WELL_KNOWN_URI);
     VERIFY_NOT_NULL(TAG, (resRsrc->href), ERROR);
-    resRsrc->typeLen = 1;
-    resRsrc->types = (char**)OICCalloc(1, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, resRsrc->types, ERROR);
-    resRsrc->types[0] = OICStrdup(OC_RSRVD_RESOURCE_TYPE_RES);
-    VERIFY_NOT_NULL(TAG, resRsrc->types[0], ERROR);
-    resRsrc->interfaceLen = 2;
-    resRsrc->interfaces = (char**)OICCalloc(resRsrc->interfaceLen, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, resRsrc->interfaces, ERROR);
-    resRsrc->interfaces[0] = OICStrdup(OC_RSRVD_INTERFACE_DEFAULT);
-    VERIFY_NOT_NULL(TAG, resRsrc->interfaces[0], ERROR);
-    resRsrc->interfaces[1] = OICStrdup(OC_RSRVD_INTERFACE_READ);
-    VERIFY_NOT_NULL(TAG, resRsrc->interfaces[1], ERROR);
 
     // /oic/d
     deviceRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
     VERIFY_NOT_NULL(TAG, deviceRsrc, ERROR);
-    LL_APPEND(readOnlyAce->resources, deviceRsrc);
+    LL_APPEND(readOnlyAceAnon->resources, deviceRsrc);
     deviceRsrc->href = OICStrdup(OC_RSRVD_DEVICE_URI);
     VERIFY_NOT_NULL(TAG, (deviceRsrc->href), ERROR);
-    deviceRsrc->typeLen = 1;
-    deviceRsrc->types = (char**)OICCalloc(1, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, deviceRsrc->types, ERROR);
-    deviceRsrc->types[0] = OICStrdup(OC_RSRVD_RESOURCE_TYPE_DEVICE);
-    VERIFY_NOT_NULL(TAG, deviceRsrc->types[0], ERROR);
-    deviceRsrc->interfaceLen = 2;
-    deviceRsrc->interfaces = (char**)OICCalloc(deviceRsrc->interfaceLen, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, deviceRsrc->interfaces, ERROR);
-    deviceRsrc->interfaces[0] = OICStrdup(OC_RSRVD_INTERFACE_DEFAULT);
-    VERIFY_NOT_NULL(TAG, deviceRsrc->interfaces[0], ERROR);
-    deviceRsrc->interfaces[1] = OICStrdup(OC_RSRVD_INTERFACE_READ);
-    VERIFY_NOT_NULL(TAG, deviceRsrc->interfaces[1], ERROR);
 
     // /oic/p
     platformRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
     VERIFY_NOT_NULL(TAG, platformRsrc, ERROR);
-    LL_APPEND(readOnlyAce->resources, platformRsrc);
+    LL_APPEND(readOnlyAceAnon->resources, platformRsrc);
     platformRsrc->href = OICStrdup(OC_RSRVD_PLATFORM_URI);
     VERIFY_NOT_NULL(TAG, (platformRsrc->href), ERROR);
-    platformRsrc->typeLen = 1;
-    platformRsrc->types = (char**)OICCalloc(1, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, platformRsrc->types, ERROR);
-    platformRsrc->types[0] = OICStrdup(OC_RSRVD_RESOURCE_TYPE_PLATFORM);
-    VERIFY_NOT_NULL(TAG, platformRsrc->types[0], ERROR);
-    platformRsrc->interfaceLen = 2;
-    platformRsrc->interfaces = (char**)OICCalloc(platformRsrc->interfaceLen, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, platformRsrc->interfaces, ERROR);
-    platformRsrc->interfaces[0] = OICStrdup(OC_RSRVD_INTERFACE_DEFAULT);
-    VERIFY_NOT_NULL(TAG, platformRsrc->interfaces[0], ERROR);
-    platformRsrc->interfaces[1] = OICStrdup(OC_RSRVD_INTERFACE_READ);
-    VERIFY_NOT_NULL(TAG, platformRsrc->interfaces[1], ERROR);
-
-    // Default ACE allowing read + write access, for ownership transfer
-    readWriteAce = (OicSecAce_t *) OICCalloc(1, sizeof(OicSecAce_t));
-    VERIFY_NOT_NULL(TAG, readWriteAce, ERROR);
-    readWriteAce->permission = PERMISSION_READ | PERMISSION_WRITE;
-    readWriteAce->validities = NULL;
-    LL_APPEND(acl->aces, readWriteAce);
 
-    // Subject -- Mandatory
-    readWriteAce->subjectType = OicSecAceUuidSubject;
-    memcpy(&readWriteAce->subjectuuid, &WILDCARD_SUBJECT_ID, sizeof(readWriteAce->subjectuuid));
+    // ACE allowing read-only access to /res, /d and /p by "AUTH_CRYPT" subjects
+    readOnlyAceAuth = (OicSecAce_t *) OICCalloc(1, sizeof(OicSecAce_t));
+    VERIFY_NOT_NULL(TAG, readOnlyAceAuth, ERROR);
+    readOnlyAceAuth->aceid = 2;
+    readOnlyAceAuth->permission = PERMISSION_READ;
+    readOnlyAceAuth->validities = NULL;
+    LL_APPEND(acl->aces, readOnlyAceAuth);
+
+    // Subject is conntype "AUTH_CRYPT" (e.g. CoAPS) wildcard
+    readOnlyAceAuth->subjectType = OicSecAceConntypeSubject;
+    readOnlyAceAuth->subjectConn = AUTH_CRYPT;
+
+    // Resources are /res, /d and /p
+    // /oic/res
+    resRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
+    VERIFY_NOT_NULL(TAG, resRsrc, ERROR);
+    LL_APPEND(readOnlyAceAuth->resources, resRsrc);
+    resRsrc->href = OICStrdup(OC_RSRVD_WELL_KNOWN_URI);
+    VERIFY_NOT_NULL(TAG, (resRsrc->href), ERROR);
+
+    // /oic/d
+    deviceRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
+    VERIFY_NOT_NULL(TAG, deviceRsrc, ERROR);
+    LL_APPEND(readOnlyAceAuth->resources, deviceRsrc);
+    deviceRsrc->href = OICStrdup(OC_RSRVD_DEVICE_URI);
+    VERIFY_NOT_NULL(TAG, (deviceRsrc->href), ERROR);
+
+    // /oic/p
+    platformRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
+    VERIFY_NOT_NULL(TAG, platformRsrc, ERROR);
+    LL_APPEND(readOnlyAceAuth->resources, platformRsrc);
+    platformRsrc->href = OICStrdup(OC_RSRVD_PLATFORM_URI);
+    VERIFY_NOT_NULL(TAG, (platformRsrc->href), ERROR);
 
-    // Resources -- Mandatory
+    // ACE allowing read, write and delete access to /doxm,
+    // to "ANON_CLEAR" (e.g. CoAP) subjects, for ownership transfer
+    readWriteDeleteAceAnon = (OicSecAce_t *) OICCalloc(1, sizeof(OicSecAce_t));
+    VERIFY_NOT_NULL(TAG, readWriteDeleteAceAnon, ERROR);
+    readWriteDeleteAceAnon->aceid = 3;
+    readWriteDeleteAceAnon->permission = PERMISSION_READ | PERMISSION_WRITE | PERMISSION_DELETE;
+    readWriteDeleteAceAnon->validities = NULL;
+    LL_APPEND(acl->aces, readWriteDeleteAceAnon);
+
+    // Subject is conntype "ANON_CLEAR" (e.g. CoAP) wildcard
+    readWriteDeleteAceAnon->subjectType = OicSecAceConntypeSubject;
+    readWriteDeleteAceAnon->subjectConn = ANON_CLEAR;
+
+    // Resource is /doxm
     // /oic/sec/doxm
     doxmRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
     VERIFY_NOT_NULL(TAG, doxmRsrc, ERROR);
-    LL_APPEND(readWriteAce->resources, doxmRsrc);
+    LL_APPEND(readWriteDeleteAceAnon->resources, doxmRsrc);
     doxmRsrc->href = OICStrdup(OIC_RSRC_DOXM_URI);
     VERIFY_NOT_NULL(TAG, (doxmRsrc->href), ERROR);
-    doxmRsrc->typeLen = 1;
-    doxmRsrc->types = (char**)OICCalloc(1, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, doxmRsrc->types, ERROR);
-    doxmRsrc->types[0] = OICStrdup(OIC_RSRC_TYPE_SEC_DOXM);
-    VERIFY_NOT_NULL(TAG, doxmRsrc->types[0], ERROR);
-    doxmRsrc->interfaceLen = 1;
-    doxmRsrc->interfaces = (char**)OICCalloc(doxmRsrc->interfaceLen, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, doxmRsrc->interfaces, ERROR);
-    doxmRsrc->interfaces[0] = OICStrdup(OC_RSRVD_INTERFACE_DEFAULT);
-    VERIFY_NOT_NULL(TAG, doxmRsrc->interfaces[0], ERROR);
-
-    // /oic/sec/pstat
-    pstatRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
-    VERIFY_NOT_NULL(TAG, pstatRsrc, ERROR);
-    LL_APPEND(readWriteAce->resources, pstatRsrc);
-    pstatRsrc->href = OICStrdup(OIC_RSRC_PSTAT_URI);
-    VERIFY_NOT_NULL(TAG, (pstatRsrc->href), ERROR);
-    pstatRsrc->typeLen = 1;
-    pstatRsrc->types = (char**)OICCalloc(1, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, pstatRsrc->types, ERROR);
-    pstatRsrc->types[0] = OICStrdup(OIC_RSRC_TYPE_SEC_PSTAT);
-    VERIFY_NOT_NULL(TAG, pstatRsrc->types[0], ERROR);
-    pstatRsrc->interfaceLen = 1;
-    pstatRsrc->interfaces = (char**)OICCalloc(pstatRsrc->interfaceLen, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, pstatRsrc->interfaces, ERROR);
-    pstatRsrc->interfaces[0] = OICStrdup(OC_RSRVD_INTERFACE_DEFAULT);
-    VERIFY_NOT_NULL(TAG, pstatRsrc->interfaces[0], ERROR);
-
-    // /oic/sec/cred
-    credRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
-    VERIFY_NOT_NULL(TAG, credRsrc, ERROR);
-    LL_APPEND(readWriteAce->resources, credRsrc);
-    credRsrc->href = OICStrdup(OIC_RSRC_CRED_URI);
-    VERIFY_NOT_NULL(TAG, (credRsrc->href), ERROR);
-    credRsrc->typeLen = 1;
-    credRsrc->types = (char**)OICCalloc(1, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, credRsrc->types, ERROR);
-    credRsrc->types[0] = OICStrdup(OIC_RSRC_TYPE_SEC_CRED);
-    VERIFY_NOT_NULL(TAG, credRsrc->types[0], ERROR);
-    credRsrc->interfaceLen = 2;
-    credRsrc->interfaces = (char**)OICCalloc(credRsrc->interfaceLen, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, credRsrc->interfaces, ERROR);
-    credRsrc->interfaces[0] = OICStrdup(OC_RSRVD_INTERFACE_DEFAULT);
-    VERIFY_NOT_NULL(TAG, credRsrc->interfaces[0], ERROR);
-    credRsrc->interfaces[1] = OICStrdup(OC_RSRVD_INTERFACE_READ);
-    VERIFY_NOT_NULL(TAG, credRsrc->interfaces[1], ERROR);
-
-    // Default ACE allowing full permissions (create, read, write, delete)
-    fullPermAce = (OicSecAce_t *)OICCalloc(1, sizeof(OicSecAce_t));
-    VERIFY_NOT_NULL(TAG, fullPermAce, ERROR);
-    fullPermAce->permission = PERMISSION_FULL_CONTROL;
-    fullPermAce->validities = NULL;
-    LL_APPEND(acl->aces, fullPermAce);
-
-    // Subject: set to wildcard "*"
-    fullPermAce->subjectType = OicSecAceUuidSubject;
-    memcpy(&fullPermAce->subjectuuid, &WILDCARD_SUBJECT_ID, sizeof(fullPermAce->subjectuuid));
-
-    // Resources -- Mandatory
+
+    // ACE allowing read, write and delete access to /doxm and /roles,
+    // to "AUTH_CRYPT" (e.g. CoAPS) subjects, for ownership transfer
+    readWriteDeleteAceAuth = (OicSecAce_t *) OICCalloc(1, sizeof(OicSecAce_t));
+    VERIFY_NOT_NULL(TAG, readWriteDeleteAceAuth, ERROR);
+    readWriteDeleteAceAuth->aceid = 4;
+    readWriteDeleteAceAuth->permission = PERMISSION_READ | PERMISSION_WRITE | PERMISSION_DELETE;
+    readWriteDeleteAceAuth->validities = NULL;
+    LL_APPEND(acl->aces, readWriteDeleteAceAuth);
+
+    // Subject is conntype "AUTH_CRYPT" (e.g. CoAPS) wildcard
+    readWriteDeleteAceAuth->subjectType = OicSecAceConntypeSubject;
+    readWriteDeleteAceAuth->subjectConn = AUTH_CRYPT;
+
+    // Resources are /doxm and /roles
+    // /oic/sec/doxm
+    doxmRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
+    VERIFY_NOT_NULL(TAG, doxmRsrc, ERROR);
+    LL_APPEND(readWriteDeleteAceAuth->resources, doxmRsrc);
+    doxmRsrc->href = OICStrdup(OIC_RSRC_DOXM_URI);
+    VERIFY_NOT_NULL(TAG, (doxmRsrc->href), ERROR);
+
     // /oic/sec/roles
     rolesRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
     VERIFY_NOT_NULL(TAG, rolesRsrc, ERROR);
-    LL_APPEND(fullPermAce->resources, rolesRsrc);
+    LL_APPEND(readWriteDeleteAceAuth->resources, rolesRsrc);
     rolesRsrc->href = OICStrdup(OIC_RSRC_ROLES_URI);
     VERIFY_NOT_NULL(TAG, (rolesRsrc->href), ERROR);
-    rolesRsrc->typeLen = 1;
-    rolesRsrc->types = (char**)OICCalloc(1, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, rolesRsrc->types, ERROR);
-    rolesRsrc->types[0] = OICStrdup(OIC_RSRC_TYPE_SEC_CRED);
-    VERIFY_NOT_NULL(TAG, rolesRsrc->types[0], ERROR);
-    rolesRsrc->interfaceLen = 1;
-    rolesRsrc->interfaces = (char**)OICCalloc(rolesRsrc->interfaceLen, sizeof(char*));
-    VERIFY_NOT_NULL(TAG, rolesRsrc->interfaces, ERROR);
-    rolesRsrc->interfaces[0] = OICStrdup(OC_RSRVD_INTERFACE_DEFAULT);
-    VERIFY_NOT_NULL(TAG, rolesRsrc->interfaces[0], ERROR);
 
     // Device ID is the owner of this default ACL
     if (GetDoxmResourceData() != NULL)
index a41aaff..006956a 100644 (file)
@@ -249,6 +249,7 @@ bool IsRequestFromResourceOwner(SRMRequestContext_t *context)
     if (IsNilUuid(&context->subjectUuid))
     {
         // Nil subject is never rOwner
+        OIC_LOG_V(DEBUG, TAG, "%s: Nil UUID cannot be rowner.", __func__);
         retVal = false;
         goto exit;
     }
@@ -464,13 +465,14 @@ static void ProcessAccessRequest(SRMRequestContext_t *context)
 
         if (NULL != currentAce)
         {
-            OIC_LOG_V(DEBUG, TAG, "%s: found conntype %d match; processing for access.", __func__, conntype);
+            OIC_LOG_V(DEBUG, TAG, "%s: found conntype %s match; processing for access.",
+                __func__, (AUTH_CRYPT == conntype?"auth-crypt":"anon-clear"));
             ProcessMatchingACE(context, currentAce);
         }
         else
         {
-            OIC_LOG_V(INFO, TAG, "%s:no ACL found matching conntype %d for resource %s",
-                __func__, conntype, context->resourceUri);
+            OIC_LOG_V(INFO, TAG, "%s:no ACL found matching conntype %s for resource %s",
+                __func__, (AUTH_CRYPT == conntype?"auth-crypt":"anon-clear"), context->resourceUri);
         }
     } while ((NULL != currentAce) && !IsAccessGranted(context->responseVal));
 
index b37a642..aa62c7d 100644 (file)
@@ -40,6 +40,7 @@
 #include "ocpayloadcbor.h"
 #include "payload_logging.h"
 #include "security_internals.h"
+#include "acl_logging.h"
 
 using namespace std;
 
@@ -49,8 +50,7 @@ using namespace std;
 const char* DEFAULT_ACL_FILE_NAME = "oic_unittest_default_acl.dat";
 const char* ACL1_FILE_NAME = "oic_unittest_acl1.dat";
 
-#define NUM_ACE_FOR_WILDCARD_IN_ACL1_DAT (2)
-#define NUM_ACE_FOR_WILDCARD_IN_DEFAULT_ACL (3)
+#define NUM_ACE_FOR_ANON_CLEAR_IN_DEFAULT_ACL (2)
 
 static bool AddResourceToACE(OicSecAce_t* ace, const char* rsrcName,
                              const char* typeName, const char* interfaceName)
@@ -322,13 +322,27 @@ TEST(ACLResourceTest, ACLPostTest)
     ehReq.payload = (OCPayload *) securityPayload;
 
     ACLEntityHandler(OC_REQUEST_FLAG, &ehReq, NULL);
-
     OicSecAcl_t *acl = CBORPayloadToAcl(payload, size);
     ASSERT_TRUE(NULL != acl);
 
-    // Verify if SRM contains ACL for the subject
+    // Verify /acl2 Resource contains an ACE for a subject in acl local var
     OicSecAce_t *savePtr = NULL;
-    const OicSecAce_t* subjectAcl = GetACLResourceData(&(acl->aces->subjectuuid), &savePtr);
+    savePtr = acl->aces;
+    while(OicSecAceUuidSubject != savePtr->subjectType)
+    {
+        savePtr = savePtr->next;
+    }
+    OicUuid_t uuid = savePtr->subjectuuid;
+#ifndef NDEBUG
+    char uuidString[UUID_STRING_SIZE] = { 0 };
+    bool convertedUUID = OCConvertUuidToString(uuid.id, uuidString);
+    if (convertedUUID)
+    {
+        printf("asubjectuuidToFind.id = %s", uuidString);
+    }
+#endif
+    savePtr = NULL;
+    const OicSecAce_t* subjectAcl = GetACLResourceData(&uuid, &savePtr);
     ASSERT_TRUE(NULL != subjectAcl);
 
     // Perform cleanup
@@ -351,19 +365,19 @@ TEST(ACLResourceTest, GetACLResourceTests)
     ASSERT_TRUE(acl1 != NULL);
     EXPECT_EQ(OC_STACK_OK, SetDefaultACL(acl1));
 
-    // Verify that the default ACL file contains 3 ACE entries for the 'WILDCARD' subject
+    // Verify that the default ACL file contains 2 ACE entries for the 'ANON_CLEAR' conntype subject
     const OicSecAce_t *ace = NULL;
     OicSecAce_t *savePtr = NULL;
-    OicUuid_t subject = WILDCARD_SUBJECT_ID;
+    OicSecConntype_t subjectConn = ANON_CLEAR;
     int count = 0;
 
     do
     {
-        ace = GetACLResourceData(&subject, &savePtr);
+        ace = GetACLResourceDataByConntype(subjectConn, &savePtr);
         count = (NULL != ace) ? count + 1 : count;
     } while (ace != NULL);
 
-    EXPECT_EQ(count, NUM_ACE_FOR_WILDCARD_IN_DEFAULT_ACL);
+    EXPECT_EQ(count, NUM_ACE_FOR_ANON_CLEAR_IN_DEFAULT_ACL);
 
     /* Perform cleanup */
     DeInitACLResource();
@@ -377,20 +391,20 @@ TEST(ACLResourceTest, DefaultAclAllowsRolesAccess)
     ASSERT_TRUE(acl1 != NULL);
     EXPECT_EQ(OC_STACK_OK, SetDefaultACL(acl1));
 
-    /* Verify that the default ACL file allows access to the roles resource */
+    /* Verify that the default ACL file allows AUTH_CRYPT RUD access to the /roles resource */
     const OicSecAce_t *ace = NULL;
     OicSecAce_t *savePtr = NULL;
-    OicUuid_t subject = WILDCARD_SUBJECT_ID;
+    OicSecConntype_t subjectConn = AUTH_CRYPT;
     int found = 0;
 
-    while((ace = GetACLResourceData(&subject, &savePtr)) != NULL)
+    while((ace = GetACLResourceDataByConntype(subjectConn, &savePtr)) != NULL)
     {
         ASSERT_TRUE(ace->resources != NULL);
         OicSecRsrc_t* rsrc = NULL;
         LL_FOREACH(ace->resources, rsrc)
         {
             if ((strcmp(rsrc->href, OIC_RSRC_ROLES_URI) == 0) &&
-                (ace->permission == PERMISSION_FULL_CONTROL))
+                (ace->permission == (PERMISSION_READ | PERMISSION_WRITE | PERMISSION_DELETE)))
             {
                 found = 1;
                 break;
index c9c486c..c864d47 100644 (file)
@@ -1 +1 @@
-¿caclY\ 3¦¤faclist¡daces\85£ksubjectuuida*iresources\83¤dhrefh/oic/resbrt\81joic.wk.resbif\81ioic.if.llcrel`¤dhreff/oic/dbrt\81hoic.wk.dbif\82ooic.if.baselinehoic.if.rcrel`¤dhreff/oic/pbrt\81hoic.wk.pbif\82ooic.if.baselinehoic.if.rcrel`jpermission\ 2£ksubjectuuida*iresources\82¤dhrefm/oic/sec/doxmbrt\81joic.r.doxmbif\81ooic.if.baselinecrel`¤dhrefn/oic/sec/pstatbrt\81koic.r.pstatbif\81ooic.if.baselinecrel`jpermission\ 6£ksubjectuuida*iresources\81¤dhrefn/oic/sec/rolesbrt\81joic.r.credbif\81ooic.if.baselinecrel`jpermission\18\1f£ksubjectuuidx$31313131-3131-3131-3131-313131313131iresources\82¤dhrefj/oic/lightbrt\81hoic.corebif\81ooic.if.baselinecrel`¤dhrefh/oic/fanbrt\81hoic.corebif\81ooic.if.baselinecrel`jpermission\18\1f£ksubjectuuidx$33333333-3333-3333-3333-333333333333iresources\82¤dhrefj/oic/lightbrt\81hoic.corebif\81ooic.if.baselinecrel`¤dhrefk/oic/garagebrt\81hoic.corebif\81ooic.if.baselinecrel`jpermission\18\1fjrowneruuidx$32323232-3232-3232-3232-323232323232brt\81ioic.r.aclbif\81ooic.if.baselineÿ
\ No newline at end of file
+¿caclY\ 2ˤgaclist2\86¤eaceid\ 1gsubject¡hconntypejanon-cleariresources\83¡dhrefh/oic/res¡dhreff/oic/d¡dhreff/oic/pjpermission\ 2¤eaceid\ 2gsubject¡hconntypejauth-cryptiresources\83¡dhrefh/oic/res¡dhreff/oic/d¡dhreff/oic/pjpermission\ 2¤eaceid\ 3gsubject¡hconntypejanon-cleariresources\81¡dhrefm/oic/sec/doxmjpermission\ e¤eaceid\ 4gsubject¡hconntypejauth-cryptiresources\82¡dhrefm/oic/sec/doxm¡dhrefn/oic/sec/rolesjpermission\ e¤eaceid\ 5gsubject¡duuidx$31313131-3131-3131-3131-313131313131iresources\82¡dhrefj/oic/light¡dhrefk/oic/garagejpermission\18\1f¤eaceid\ 6gsubject¡duuidx$33333333-3333-3333-3333-333333333333iresources\82¡dhrefj/oic/light¡dhrefk/oic/garagejpermission\18\1fjrowneruuidx$32323232-3232-3232-3232-323232323232brt\81joic.r.acl2bif\81ooic.if.baselineÿ
\ No newline at end of file
index 436de17..7a86a1a 100644 (file)
@@ -1,99 +1,62 @@
 {
     "acl": {
-        "aclist": {
-            "aces": [
-                {
-                    "subjectuuid": "*",
-                    "resources": [
-                        {
-                            "href": "/oic/res",
-                            "rel": "",
-                            "rt": ["oic.wk.res"],
-                            "if": ["oic.if.ll"]
-                        },
-                        {
-                            "href": "/oic/d",
-                            "rel": "",
-                            "rt": ["oic.wk.d"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
-                        },
-                        {
-                            "href": "/oic/p",
-                            "rel": "",
-                            "rt": ["oic.wk.p"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
-                        }
-                    ],
-                    "permission": 2
-                },
-                {
-                    "subjectuuid": "*",
-                    "resources": [
-                        {
-                            "href": "/oic/sec/doxm",
-                            "rel": "",
-                            "rt": ["oic.r.doxm"],
-                            "if": ["oic.if.baseline"]
-                        },
-                        {
-                            "href": "/oic/sec/pstat",
-                            "rel": "",
-                            "rt": ["oic.r.pstat"],
-                            "if": ["oic.if.baseline"]
-                        }
-                    ],
-                    "permission": 6
-                }, \r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/roles",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.cred"],\r
-                            "if": ["oic.if.baseline"]\r
-                        }\r
-                    ],\r
-                    "permission": 31\r
-                }, 
-                {
-                    "subjectuuid": "31313131-3131-3131-3131-313131313131",
-                    "resources": [
-                        {
-                            "href": "/oic/light",
-                            "rel": "",
-                            "rt": ["oic.core"],
-                            "if": ["oic.if.baseline"]
-                        },
-                        {
-                            "href": "/oic/fan",
-                            "rel": "",
-                            "rt": ["oic.core"],
-                            "if": ["oic.if.baseline"]
-                        }
-                    ],
-                    "permission": 31
-                },
-                {
-                    "subjectuuid": "33333333-3333-3333-3333-333333333333",
-                    "resources": [
-                        {
-                            "href": "/oic/light",
-                            "rel": "",
-                            "rt": ["oic.core"],
-                            "if": ["oic.if.baseline"]
-                        },
-                        {
-                            "href": "/oic/garage",
-                            "rel": "",
-                            "rt": ["oic.core"],
-                            "if": ["oic.if.baseline"]
-                        }
-                    ],
-                    "permission": 31
-                }
-            ]
-        },
+        "aclist2": [
+            {
+                "aceid": 1,
+                "subject": { "conntype": "anon-clear" },
+                "resources": [
+                    { "href": "/oic/res" },
+                    { "href": "/oic/d" },
+                    { "href": "/oic/p"}
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 2,
+                "subject": { "conntype": "auth-crypt" },
+                "resources": [
+                    { "href": "/oic/res" },
+                    { "href": "/oic/d" },
+                    { "href": "/oic/p"}
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 3,
+                "subject": { "conntype": "anon-clear" },
+                "resources": [
+                    { "href": "/oic/sec/doxm" }
+                ],
+                "permission": 14
+            },
+            {
+                "aceid": 4,
+                "subject": { "conntype": "auth-crypt" },
+                "resources": [
+                    { "href": "/oic/sec/doxm" },
+                    { "href": "/oic/sec/roles" }
+                ],
+                "permission": 14
+            },
+            {
+                "aceid": 5,
+                "subject": { "uuid": "31313131-3131-3131-3131-313131313131" },
+                "resources": [
+                    { "href": "/oic/light" },
+                    { "href": "/oic/garage" }
+                ],
+                "permission": 31
+            },
+            {
+                "aceid": 6,
+                "subject": { "uuid": "33333333-3333-3333-3333-333333333333" },
+                "resources": [
+                    { "href": "/oic/light" },
+                    { "href": "/oic/garage" }
+                ],
+                "permission": 31
+            }
+        ],
         "rowneruuid" : "32323232-3232-3232-3232-323232323232"
     }
 }
index 82a5a3d..cdfc832 100644 (file)
@@ -1 +1 @@
-¿caclY\ 2q¤faclist¡daces\83£ksubjectuuida*iresources\83¤dhrefh/oic/resbrt\81joic.wk.resbif\81ioic.if.llcrel`¤dhreff/oic/dbrt\81hoic.wk.dbif\82ooic.if.baselinehoic.if.rcrel`¤dhreff/oic/pbrt\81hoic.wk.pbif\82ooic.if.baselinehoic.if.rcrel`jpermission\ 2£ksubjectuuida*iresources\83¤dhrefm/oic/sec/doxmbrt\81joic.r.doxmbif\81ooic.if.baselinecrel`¤dhrefn/oic/sec/pstatbrt\81koic.r.pstatbif\81ooic.if.baselinecrel`¤dhrefm/oic/sec/credbrt\81joic.r.credbif\81ooic.if.baselinecrel`jpermission\ 6£ksubjectuuida*iresources\81¤dhrefn/oic/sec/rolesbrt\81joic.r.credbif\81ooic.if.baselinecrel`jpermission\18\1fjrowneruuidx$32323232-3232-3232-3232-323232323232brt\81ioic.r.aclbif\81ooic.if.baselineÿ
\ No newline at end of file
+¿caclY\ 1ݤgaclist2\84¤eaceid\ 1gsubject¡hconntypejanon-cleariresources\83¡dhrefh/oic/res¡dhreff/oic/d¡dhreff/oic/pjpermission\ 2¤eaceid\ 2gsubject¡hconntypejauth-cryptiresources\83¡dhrefh/oic/res¡dhreff/oic/d¡dhreff/oic/pjpermission\ 2¤eaceid\ 3gsubject¡hconntypejanon-cleariresources\81¡dhrefm/oic/sec/doxmjpermission\ e¤eaceid\ 4gsubject¡hconntypejauth-cryptiresources\82¡dhrefm/oic/sec/doxm¡dhrefn/oic/sec/rolesjpermission\ ejrowneruuidx$32323232-3232-3232-3232-323232323232brt\81joic.r.acl2bif\81ooic.if.baselineÿ
\ No newline at end of file
index 89f4c4c..876fdc8 100644 (file)
@@ -1,69 +1,44 @@
 {
     "acl": {
-        "aclist": {
-            "aces": [
-                {
-                    "subjectuuid": "*",
-                    "resources": [
-                        {
-                            "href": "/oic/res",
-                            "rel": "",
-                            "rt": ["oic.wk.res"],
-                            "if": ["oic.if.ll"]
-                        },
-                        {
-                            "href": "/oic/d",
-                            "rel": "",
-                            "rt": ["oic.wk.d"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
-                        },
-                        {
-                            "href": "/oic/p",
-                            "rel": "",
-                            "rt": ["oic.wk.p"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
-                        }
-                    ],
-                    "permission": 2
-                },
-                {
-                    "subjectuuid": "*",
-                    "resources": [
-                        {
-                            "href": "/oic/sec/doxm",
-                            "rel": "",
-                            "rt": ["oic.r.doxm"],
-                            "if": ["oic.if.baseline"]
-                        },
-                        {
-                            "href": "/oic/sec/pstat",
-                            "rel": "",
-                            "rt": ["oic.r.pstat"],
-                            "if": ["oic.if.baseline"]
-                        },
-                        {
-                            "href": "/oic/sec/cred",
-                            "rel": "",
-                            "rt": ["oic.r.cred"],
-                            "if": ["oic.if.baseline"]
-                        }
-                    ],
-                    "permission": 6
-                }, \r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/roles",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.cred"],\r
-                            "if": ["oic.if.baseline"]\r
-                        }\r
-                    ],\r
-                    "permission": 31\r
-                } 
-            ]
-        },
+        "aclist2": [
+            {
+                "aceid": 1,
+                "subject": { "conntype": "anon-clear" },
+                "resources": [
+                    { "href": "/oic/res" },
+                    { "href": "/oic/d" },
+                    { "href": "/oic/p"}
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 2,
+                "subject": { "conntype": "auth-crypt" },
+                "resources": [
+                    { "href": "/oic/res" },
+                    { "href": "/oic/d" },
+                    { "href": "/oic/p"}
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 3,
+                "subject": { "conntype": "anon-clear" },
+                "resources": [
+                    { "href": "/oic/sec/doxm" }
+                ],
+                "permission": 14
+            },
+            {
+                "aceid": 4,
+                "subject": { "conntype": "auth-crypt" },
+                "resources": [
+                    { "href": "/oic/sec/doxm" },
+                    { "href": "/oic/sec/roles" }
+                ],
+                "permission": 14
+            }
+        ],
         "rowneruuid" : "32323232-3232-3232-3232-323232323232"
     }
-}
+}
\ No newline at end of file