Change DevOwner access policy to address JIRA 1369 85/12585/3
authorNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Thu, 29 Sep 2016 22:10:20 +0000 (15:10 -0700)
committerRandeep Singh <randeep.s@samsung.com>
Tue, 4 Oct 2016 09:21:19 +0000 (09:21 +0000)
This changes the Policy Engine to grant requests from DevOwner
without checking ACLs ONLY if the device is not in Ready for Normal
Operation state, AND the request is for a SVR.

Change-Id: I9aa4314cc2beb9fdb4629c1e63ea6971f7cc8909
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/12585
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>
resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt
resource/csdk/security/src/policyengine.c

index efb6851..bc19b1b 100644 (file)
@@ -1,4 +1,4 @@
-LAST UPDATED 5/27/2015
+LAST UPDATED 9/29/2016
 
 To build the IoTivity stack with the security features enabled:
 
@@ -11,7 +11,10 @@ To build the IoTivity stack with the security features enabled:
        $ export LD_LIBRARY_PATH=<iotivity-base>/out/<...>/release
        $ ./ocserverbasicops &
        $ ./occlientbasicops -t 1
-        Message "INFO: occlientbasicops: Secure -- YES" indicates success!
+        NOTE: Console messages below indicate success:
+         "INFO: occlientbasicops: Uri -- /a/led
+          INFO: occlientbasicops: SECUREPORT udp: 51516
+          INFO: occlientbasicops: Secure -- YES"
        $ ./occlientbasicops -t 2
-        Completion of 'GET' and 'PUT' query successfully indicates success!
+        NOTE: Completion of 'GET' and 'PUT' query to /a/led indicates success!
 
index fd9f2ed..43b721e 100644 (file)
@@ -476,9 +476,13 @@ SRMAccessResponse_t CheckPermission(PEContext_t     *context,
             CopyParamsToContext(context, subjectId, resource, requestedPermission);
         }
 
-        // Before doing any processing, check if request coming
-        // from DevOwner and if so, always GRANT.
-        if (IsRequestFromDevOwner(context))
+        // Before doing any ACL processing, check if request a) coming
+        // from DevOwner AND b) the device is not in Ready for Normal Operation
+        // state (which in IoTivity is equivalent to isOp == true) AND c)
+        // the request is for a SVR resource.  If all 3 are met, grant request.
+        if (IsRequestFromDevOwner(context) // if from DevOwner
+            && (GetPstatIsop() == false) // AND if isOp == false
+            && (context->resourceType != NOT_A_SVR_RESOURCE)) // AND if SVR type
         {
             context->retVal = ACCESS_GRANTED;
         }