[IOT-2931] additional ACE2 Resource wildcards 39/24339/3
authorNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Wed, 7 Mar 2018 08:27:03 +0000 (00:27 -0800)
committerNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Fri, 9 Mar 2018 18:48:36 +0000 (18:48 +0000)
Resource wildcards (*, + and -) are redefined in Bangkok to narrow
scope and reduce the number of Resources to which they apply.  New definitions
are:
"+" All discoverable NCRs which expose at least one Secure Endpoint
"-" All discoverable NCRs which expose at least one Unsecure Endpoint
"*" All NCRs

Change-Id: Ia5b145cd366c71aea3c4a8716930638430aea711
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
resource/csdk/security/include/experimental/securevirtualresourcetypes.h
resource/csdk/security/include/internal/secureresourcemanager.h
resource/csdk/security/include/srmutility.h
resource/csdk/security/src/aclresource.c
resource/csdk/security/src/policyengine.c
resource/csdk/security/src/secureresourcemanager.c
resource/csdk/security/src/srmutility.c
resource/csdk/security/tool/json2cbor.c

index db4a542..e3bb8ed 100644 (file)
@@ -432,12 +432,17 @@ struct OicSecOpt
     bool                revstat;
 };
 
+/**
+ * Note: the Resource wildcard definitions changed in OCF Bangkok specifation.
+ * IoTivity now implements the revised Resource wildcard behavior, which is
+ * more restrictive (i.e. the wildcards map to a subset of the prior Resources).
+ */
 typedef enum OicSecAceResourceWildcard
 {
     NO_WILDCARD = 0,
-    ALL_DISCOVERABLE,       // maps to "+" in JSON/CBOR
-    ALL_NON_DISCOVERABLE,   // maps to "-" in JSON/CBOR
-    ALL_RESOURCES           // maps to "*" in JSON/CBOR
+    ALL_DISCOVERABLE_NCRS_WITH_OC_SECURE,       // maps to "+" in JSON/CBOR
+    ALL_DISCOVERABLE_NCRS_WITH_OC_NONSECURE,    // maps to "-" in JSON/CBOR
+    ALL_NCRS                                    // maps to "*" in JSON/CBOR
 } OicSecAceResourceWildcard_t;
 
 struct OicSecRsrc
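Review bot: The new header comment says the revised wildcards map to a subset of the prior Resources, but that does not hold for "-". The removed `ALL_NON_DISCOVERABLE` matched on `DISCOVERABLE_FALSE`, while the policyengine.c hunk in this commit requires `DISCOVERABLE_TRUE` for `ALL_DISCOVERABLE_NCRS_WITH_OC_NONSECURE`. An ACE already provisioned with "-" therefore starts matching a different set of Resources after the upgrade, which the comment should say so that integrators re-check stored ACLs. I would have the comment list the meaning of each enumerator (as the commit message does) and note that "-" changed meaning rather than narrowed; "specifation" should read "specification".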
index b67ad71..84bf80f 100644 (file)
@@ -49,6 +49,8 @@ typedef struct SRMRequestContext
     bool                    responseSent;                       // Is servicing this request complete?
     SRMAccessResponse_t     responseVal;                        // The SRM internal response code
     const CARequestInfo_t   *requestInfo;                       // ptr to info for this request
+    bool                    resourceIsOcSecure;                 // Was Resource created w OC_SECURE bit set?
+    bool                    resourceIsOcNonsecure;              // Was Resource created w OC_NONSECURE bit set?
     bool                    secureChannel;                      // Was request recv'd over secure channel?
     bool                    slowResponseSent;                   // Is a full response still needed?
     OicSecDiscoverable_t    discoverable;                       // Is resource discoverable?
index 0bf3857..61043d1 100644 (file)
@@ -179,6 +179,14 @@ OCStackResult OC_CALL ConvertStrToUuid(const char* strUuid, OicUuid_t* uuid);
  */
 bool IsDeviceConfigurationResourceUri(const char *uri);
 
+/**
+ * Is the URI for a Non0Configuration Resource as defined
+ * by Security Specification.
+ *
+ * @return true IFF the uri is for a NCR
+ */
+bool IsNonConfigurationResourceUri(const char *uri);
+
 /**
  * Compares two OicUuid_t structs.
  *
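Review bot: The doc comment for `IsNonConfigurationResourceUri` has a typo ("Non0Configuration") and does not say how a NULL `uri` is treated, nor that the result is simply "not a Device Configuration Resource"; the same comment is repeated above the definition in srmutility.c. Since this predicate now gates ACE wildcard matching, I would document it along the lines of `@param uri NUL-terminated Resource URI` and `@return true iff uri is not a Device Configuration Resource`, and state the NULL behaviour explicitly once it is decided.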
index 89279be..65ea366 100644 (file)
@@ -823,13 +823,13 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl,
                         OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_WC_NAME);
                         switch(rsrc->wildcard)
                         {
-                            case ALL_DISCOVERABLE:
+                            case ALL_DISCOVERABLE_NCRS_WITH_OC_SECURE:
                             wcstring = OIC_JSON_WC_PLUS_NAME;
                             break;
-                            case ALL_NON_DISCOVERABLE:
+                            case ALL_DISCOVERABLE_NCRS_WITH_OC_NONSECURE:
                             wcstring = OIC_JSON_WC_MINUS_NAME;
                             break;
-                            case ALL_RESOURCES:
+                            case ALL_NCRS:
                             wcstring = OIC_JSON_WC_ASTERISK_NAME;
                             break;
                             default:
@@ -1815,7 +1815,7 @@ static OicSecAcl_t* CBORPayloadToAclVersionOpt(const uint8_t *cborPayload, const
                                                 {
                                                     free(rsrc->href);
                                                     rsrc->href = NULL;
-                                                    rsrc->wildcard = ALL_RESOURCES;
+                                                    rsrc->wildcard = ALL_NCRS;
                                                     OIC_LOG_V(DEBUG, TAG, "%s: replaced \"*\" href with wildcard = ALL_RESOURCES.",
                                                         __func__);
                                                 }
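Review bot: The context log line right after the changed assignment still prints `wildcard = ALL_RESOURCES`, so the debug output names an enumerator that no longer exists. The json2cbor.c hunk for the same href-to-wildcard replacement does update its message. Change the string here to `"%s: replaced \"*\" href with wildcard = ALL_NCRS."`. CBORPayloadToAclVersionOpt starts and ends outside this hunk.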
@@ -1890,18 +1890,18 @@ static OicSecAcl_t* CBORPayloadToAclVersionOpt(const uint8_t *cborPayload, const
                                                 OIC_LOG_V(DEBUG, TAG, "%s found wc = %s.", __func__, wc);
                                                 if (0 == strcmp(OIC_JSON_WC_ASTERISK_NAME, wc))
                                                 {
-                                                    rsrc->wildcard = ALL_RESOURCES;
-                                                    OIC_LOG_V(DEBUG, TAG, "%s set wildcard = ALL_RESOURCES.", __func__);
+                                                    rsrc->wildcard = ALL_NCRS;
+                                                    OIC_LOG_V(DEBUG, TAG, "%s set wildcard = ALL_NCRS.", __func__);
                                                 }
                                                 else if (0 == strcmp(OIC_JSON_WC_PLUS_NAME, wc))
                                                 {
-                                                    rsrc->wildcard = ALL_DISCOVERABLE;
-                                                    OIC_LOG_V(DEBUG, TAG, "%s set wildcard = ALL_DISCOVERABLE.", __func__);
+                                                    rsrc->wildcard = ALL_DISCOVERABLE_NCRS_WITH_OC_SECURE;
+                                                    OIC_LOG_V(DEBUG, TAG, "%s set wildcard = ALL_DISCOVERABLE_NCRS_WITH_OC_SECURE.", __func__);
                                                 }
                                                 else if (0 == strcmp(OIC_JSON_WC_MINUS_NAME, wc))
                                                 {
-                                                    rsrc->wildcard = ALL_NON_DISCOVERABLE;
-                                                    OIC_LOG_V(DEBUG, TAG, "%s set wildcard = ALL_NON_DISCOVERABLE.", __func__);
+                                                    rsrc->wildcard = ALL_DISCOVERABLE_NCRS_WITH_OC_NONSECURE;
+                                                    OIC_LOG_V(DEBUG, TAG, "%s set wildcard = ALL_DISCOVERABLE_NCRS_WITH_OC_NONSECURE.", __func__);
                                                 }
                                                 else
                                                 {
index 3c3b701..90a01c1 100644 (file)
@@ -602,11 +602,26 @@ static bool IsResourceInAce(SRMRequestContext_t *context, const OicSecAce_t *ace
         {
             if (NO_WILDCARD != rsrc->wildcard)
             {
-                if ((ALL_RESOURCES == rsrc->wildcard) ||
-                    (ALL_DISCOVERABLE == rsrc->wildcard &&
-                        DISCOVERABLE_TRUE == context->discoverable) ||
-                    (ALL_NON_DISCOVERABLE == rsrc->wildcard &&
-                        DISCOVERABLE_FALSE == context->discoverable))
+                if  (IsNonConfigurationResourceUri(context->resourceUri) &&
+                        (
+                            // "*" matches all NCRs
+                            (
+                                (ALL_NCRS == rsrc->wildcard)
+                            ) ||
+                            // "+" matches all discoverable NCRs that expose at least one Secure Endpoint
+                            (
+                                (ALL_DISCOVERABLE_NCRS_WITH_OC_SECURE == rsrc->wildcard) &&
+                                (DISCOVERABLE_TRUE == context->discoverable) &&
+                                (true == context->resourceIsOcSecure)
+                            ) ||
+                            // "-" matches all discoverable NCRs that expose at least one Unsecure Endpoint
+                            (
+                                (ALL_DISCOVERABLE_NCRS_WITH_OC_NONSECURE == rsrc->wildcard) &&
+                                (DISCOVERABLE_TRUE == context->discoverable) &&
+                                (true == context->resourceIsOcNonsecure)
+                            )
+                        )
+                    )
                 {
                     OIC_LOG_V(DEBUG, TAG, "%s: found wc type %d matching resource.",
                         __func__, rsrc->wildcard);
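Review bot: The whole access decision in this `if` is one deeply nested parenthesised expression, which is hard to audit for an access-control check, and it compares a bool with `true ==`. I would move it into a small static helper that first rejects non-NCR URIs and then switches on `rsrc->wildcard` with a `default` that returns false, so any enumerator added later fails closed. Behaviour for the three current wildcards stays the same. IsResourceInAce begins and ends outside this hunk.

```c
// New helper, placed above IsResourceInAce.
static bool WildcardMatchesResource(const SRMRequestContext_t *context,
                                    OicSecAceResourceWildcard_t wildcard)
{
    // Wildcards never apply to Device Configuration Resources.
    if (!IsNonConfigurationResourceUri(context->resourceUri))
    {
        return false;
    }

    switch (wildcard)
    {
        case ALL_NCRS:                                  // "*"
            return true;
        case ALL_DISCOVERABLE_NCRS_WITH_OC_SECURE:      // "+"
            return (DISCOVERABLE_TRUE == context->discoverable) &&
                   context->resourceIsOcSecure;
        case ALL_DISCOVERABLE_NCRS_WITH_OC_NONSECURE:   // "-"
            return (DISCOVERABLE_TRUE == context->discoverable) &&
                   context->resourceIsOcNonsecure;
        default:
            return false;                               // unknown value: no match
    }
}

// In IsResourceInAce:
            if (NO_WILDCARD != rsrc->wildcard)
            {
                if (WildcardMatchesResource(context, rsrc->wildcard))
                // … unchanged: debug log and match handling …
```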
index 799a750..727e3b9 100644 (file)
@@ -163,7 +163,7 @@ static void SetResourceUriAndType(SRMRequestContext_t *context)
     return;
 }
 
-static void SetDiscoverable(SRMRequestContext_t *context)
+static void SetDiscoverableAndOcSecureFlags(SRMRequestContext_t *context)
 {
     if (NULL == context)
     {
@@ -198,6 +198,33 @@ static void SetDiscoverable(SRMRequestContext_t *context)
         OIC_LOG_V(DEBUG, TAG, "%s: resource %s is NOT OC_DISCOVERABLE.",
                   __func__, context->resourceUri);
     }
+
+    if (OC_SECURE == (resource->resourceProperties & OC_SECURE))
+    {
+        context->resourceIsOcSecure = true;
+        OIC_LOG_V(DEBUG, TAG, "%s: resource %s is OC_SECURE.",
+                  __func__, context->resourceUri);
+    }
+    else
+    {
+        context->resourceIsOcSecure = false;
+        OIC_LOG_V(DEBUG, TAG, "%s: resource %s is *not* OC_SECURE.",
+                  __func__, context->resourceUri);
+    }
+    // Reminder: a Resource can set both flags, and expose both an
+    // unsecure (e.g. CoAP) and secure (e.g. CoAPS) endpoint.
+    if (OC_NONSECURE == (resource->resourceProperties & OC_NONSECURE))
+    {
+        context->resourceIsOcNonsecure = true;
+        OIC_LOG_V(DEBUG, TAG, "%s: resource %s is OC_NONSECURE.",
+                  __func__, context->resourceUri);
+    }
+    else
+    {
+        context->resourceIsOcNonsecure = false;
+        OIC_LOG_V(DEBUG, TAG, "%s: resource %s is *not* OC_NONSECURE.",
+                  __func__, context->resourceUri);
+    }
 }
 
 static void ClearRequestContext(SRMRequestContext_t *context)
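Review bot: `resourceIsOcSecure` and `resourceIsOcNonsecure` are assigned only at the very end of `SetDiscoverableAndOcSecureFlags`, so any earlier return between the NULL check and this point (that part of the body is outside the hunk) leaves them with whatever value the context held before. Because policyengine.c now grants "+" and "-" matches on these flags, they should fail closed. Set `context->resourceIsOcSecure = false;` and `context->resourceIsOcNonsecure = false;` immediately after the NULL check, or confirm that `ClearRequestContext` resets both fields, which is not visible here.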
@@ -334,8 +361,8 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ
     // Set resource URI and type.
     SetResourceUriAndType(ctx);
 
-    // Set discoverable enum.
-    SetDiscoverable(ctx);
+    // Set discoverable enum, and OC_SECURE and/or OC_NONSECURE flags.
+    SetDiscoverableAndOcSecureFlags(ctx);
 
     // Initialize responseInfo.
     memcpy(&(ctx->responseInfo.info), &(requestInfo->info),
index 4f26dea..02e42c9 100644 (file)
@@ -332,5 +332,17 @@ bool IsDeviceConfigurationResourceUri(const char *uri)
         }
     }
 
+    OIC_LOG_V(INFO, TAG, "%s: resource %s is not DCR => resource is NCR.", __func__, uri);
     return false;
 }
+
+/**
+ * Is the URI for a Non0Configuration Resource as defined
+ * by Security Specification.
+ *
+ * @return true IFF the uri is for a NCR
+ */
+bool IsNonConfigurationResourceUri(const char *uri)
+{
+    return !IsDeviceConfigurationResourceUri(uri);
+}
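Review bot: `IsNonConfigurationResourceUri` treats every input that `IsDeviceConfigurationResourceUri` rejects as an NCR. If that function returns false for a NULL or empty `uri` (its opening lines are outside this hunk), such a request would become eligible for "*" wildcard matching in the policy engine. A guard such as `return (NULL != uri) && !IsDeviceConfigurationResourceUri(uri);` keeps the predicate fail-closed. The added `OIC_LOG_V(INFO, ...)` also passes `uri` to `%s` and runs on every non-DCR lookup; `DEBUG` would match the other log lines added in this commit, and the NULL case should be ruled out before formatting.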
index 3d226a3..6e948b0 100644 (file)
@@ -712,8 +712,8 @@ OicSecAcl_t *JSONToAclBin(OicSecAclVersion_t *aclVersion, const char *jsonStr)
                     {
                         free(rsrc->href);
                         rsrc->href = NULL;
-                        rsrc->wildcard = ALL_RESOURCES;
-                        OIC_LOG_V(DEBUG, TAG, "%s: replaced \"*\" href with wildcard = ALL_RESOURCES.",
+                        rsrc->wildcard = ALL_NCRS;
+                        OIC_LOG_V(DEBUG, TAG, "%s: replaced \"*\" href with wildcard = ALL_NCRS.",
                                   __func__);
                     }
                 }
@@ -786,15 +786,15 @@ OicSecAcl_t *JSONToAclBin(OicSecAclVersion_t *aclVersion, const char *jsonStr)
                     VERIFY_NOT_NULL(TAG, wc, ERROR);
                     if (0 == strcmp(OIC_JSON_WC_ASTERISK_NAME, wc))
                     {
-                        rsrc->wildcard = ALL_RESOURCES;
+                        rsrc->wildcard = ALL_NCRS;
                     }
                     else if (0 == strcmp(OIC_JSON_WC_PLUS_NAME, wc))
                     {
-                        rsrc->wildcard = ALL_DISCOVERABLE;
+                        rsrc->wildcard = ALL_DISCOVERABLE_NCRS_WITH_OC_SECURE;
                     }
                     else if (0 == strcmp(OIC_JSON_WC_MINUS_NAME, wc))
                     {
-                        rsrc->wildcard = ALL_NON_DISCOVERABLE;
+                        rsrc->wildcard = ALL_DISCOVERABLE_NCRS_WITH_OC_NONSECURE;
                     }
                     else
                     {