[IOT-1895] [IOT-2179] [IOT-1957] /acl2 Resource 93/19593/21
authorNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Wed, 3 May 2017 07:59:24 +0000 (00:59 -0700)
committerRandeep Singh <randeep.s@samsung.com>
Sat, 13 May 2017 09:53:58 +0000 (09:53 +0000)
ACE2 adds the "wc" property to the "resource" type, and the
"conntype" property to the "subject" type, allowing for more
flexible wildcards, and removing possible unintended collisions.

/acl2 also conforms to a different schema, so the CBOR encode/
decode functions are updated.

The unit tests are currently still using oic.sec.ace structures,
and will need to be updated to oic.sec.ace2 (see IOT-2192)

Updated provisiongclient and provisioning .json/.dat files to
use /acl2.

[x] update OicSecAce_t to support ace2
[x] update OicSecResource_t to support */+/- rsrc wildcards
[x] update AclToCBORPayload() to support /acl2
[x] update JSONToAclBin() to support /acl2
[x] update CBORPayloadToAcl() to support /acl2
[x] remove /oic/sec/acl resource
[x] verify provclient/justworks using above revisions
[x] verify unitttest using above revisions

Change-Id: If5a7105ac223537cd2249cec519e5657f651da3e
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/19593
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>
38 files changed:
resource/csdk/security/include/internal/aclresource.h
resource/csdk/security/include/internal/srmresourcestrings.h
resource/csdk/security/include/securevirtualresourcetypes.h
resource/csdk/security/provisioning/sample/oic_svr_db_client.dat
resource/csdk/security/provisioning/sample/oic_svr_db_client.json
resource/csdk/security/provisioning/sample/oic_svr_db_randompin_with_empty_deviceid.dat
resource/csdk/security/provisioning/sample/oic_svr_db_randompin_with_empty_deviceid.json
resource/csdk/security/provisioning/sample/oic_svr_db_server_justworks.dat
resource/csdk/security/provisioning/sample/oic_svr_db_server_justworks.json
resource/csdk/security/provisioning/sample/oic_svr_db_server_mvjustworks.dat
resource/csdk/security/provisioning/sample/oic_svr_db_server_mvjustworks.json
resource/csdk/security/provisioning/sample/oic_svr_db_server_preconfpin.dat
resource/csdk/security/provisioning/sample/oic_svr_db_server_preconfpin.json
resource/csdk/security/provisioning/sample/oic_svr_db_server_randompin.dat
resource/csdk/security/provisioning/sample/oic_svr_db_server_randompin.json
resource/csdk/security/provisioning/sample/oic_svr_db_subowner_client.dat
resource/csdk/security/provisioning/sample/oic_svr_db_subowner_client.json
resource/csdk/security/provisioning/sample/provisioningclient.c
resource/csdk/security/provisioning/src/ocprovisioningmanager.c
resource/csdk/security/provisioning/src/ownershiptransfermanager.c
resource/csdk/security/provisioning/src/secureresourceprovider.c
resource/csdk/security/src/aclresource.c
resource/csdk/security/src/dpairingresource.c
resource/csdk/security/src/policyengine.c
resource/csdk/security/src/secureresourcemanager.c
resource/csdk/security/src/srmresourcestrings.c
resource/csdk/security/tool/json2cbor.c
resource/csdk/security/unittest/aclresourcetest.cpp
resource/provisioning/examples/cloud.dat
resource/provisioning/examples/cloud.json
resource/provisioning/examples/oic_svr_db_client.dat
resource/provisioning/examples/oic_svr_db_client.json
resource/provisioning/examples/oic_svr_db_subowner_client.dat
resource/provisioning/examples/oic_svr_db_subowner_client.json
service/easy-setup/sampleapp/mediator/android/EasySetup/app/src/main/assets/oic_svr_db_client.dat
service/easy-setup/sampleapp/mediator/android/EasySetup/app/src/main/assets/oic_svr_db_client.json
service/resource-encapsulation/unittests/oic_svr_db_re_client.dat
service/resource-encapsulation/unittests/oic_svr_db_re_client.json

index cd9f1f5..07b3889 100644 (file)
@@ -59,12 +59,25 @@ const OicSecAce_t* GetACLResourceData(const OicUuid_t* subjectId, OicSecAce_t **
  * @param[out] savePtr is used internally by @ref GetACLResourceDataByRoles to maintain index between
  *                     successive calls for the same roles list.
  *
- * @note On the first call to @ref GETAclResourceDataByRoles, savePtr should point to NULL.
- * 
+ * @note On the first call to @ref GetACLResourceDataByRoles, savePtr should point to NULL.
+ *
  * @return reference to @ref OicSecAce_t if ACE is found, else NULL.
  */
 const OicSecAce_t* GetACLResourceDataByRoles(const OicSecRole_t *roles, size_t roleCount, OicSecAce_t **savePtr);
 
+/**
+ * This method is used by PolicyEngine to retrieve ACLs for a given conntype.
+ *
+ * @param[in] conntype Conntype to match in ACE.
+ * @param[out] savePtr is used internally by @ref GetACLResourceDataByConntype to maintain index between
+ *                     successive calls for the same roles list.
+ *
+ * @note On the first call to @ref GetACLResourceDataByConntype, savePtr should point to NULL.
+ *
+ * @return reference to @ref OicSecAce_t if ACE is found, else NULL.
+ */
+const OicSecAce_t* GetACLResourceDataByConntype(const OicSecConntype_t conntype, OicSecAce_t **savePtr);
+
 /**
  * This function converts ACL data into CBOR format.
  *
index f8c7532..40feb04 100644 (file)
@@ -40,7 +40,9 @@ extern const char * OIC_RSRC_TYPE_SEC_ACL;
 extern const char * OIC_RSRC_ACL_URI;
 extern const char * OIC_JSON_ACL_NAME;
 extern const char * OIC_JSON_ACLIST_NAME;
+extern const char * OIC_JSON_ACLIST2_NAME;
 extern const char * OIC_JSON_ACES_NAME;
+extern const char * OIC_JSON_ACEID_NAME;
 
 extern const char * OIC_RSRC_TYPE_SEC_ACL2;
 extern const char * OIC_RSRC_ACL2_URI;
@@ -106,6 +108,7 @@ extern const char * OIC_JSON_VER_NAME;
 //reset profile
 extern const char * OIC_JSON_RESET_PF_NAME;
 extern const char * OIC_JSON_SUBJECTID_NAME;
+extern const char * OIC_JSON_SUBJECT_NAME;
 extern const char * OIC_JSON_RESOURCES_NAME;
 extern const char * OIC_JSON_AMSS_NAME;
 extern const char * OIC_JSON_AMS_NAME;
@@ -174,6 +177,14 @@ extern const char * OIC_JSON_SEC_V_NAME;
 extern const char * OIC_JSON_DOS_NAME;
 extern const char * OIC_JSON_S_NAME;
 extern const char * OIC_JSON_P_NAME;
+extern const char * OIC_JSON_UUID_NAME;
+extern const char * OIC_JSON_CONNTYPE_NAME;
+extern const char * OIC_JSON_AUTHCRYPT_NAME;
+extern const char * OIC_JSON_ANONCLEAR_NAME;
+extern const char * OIC_JSON_WC_NAME;
+extern const char * OIC_JSON_WC_PLUS_NAME;
+extern const char * OIC_JSON_WC_MINUS_NAME;
+extern const char * OIC_JSON_WC_ASTERISK_NAME;
 
 extern const char * OIC_JSON_EMPTY_STRING;
 
index 9bfad0e..feef24f 100644 (file)
@@ -432,6 +432,14 @@ struct OicSecOpt
     bool                revstat;
 };
 
+typedef enum OicSecAceResourceWildcard
+{
+    NO_WILDCARD = 0,
+    ALL_DISCOVERABLE,       // maps to "+" in JSON/CBOR
+    ALL_NON_DISCOVERABLE,   // maps to "-" in JSON/CBOR
+    ALL_RESOURCES           // maps to "*" in JSON/CBOR
+} OicSecAceResourceWildcard_t;
+
 struct OicSecRsrc
 {
     char *href; // 0:R:S:Y:String
@@ -440,6 +448,7 @@ struct OicSecRsrc
     size_t typeLen; // the number of elts in types
     char** interfaces; // 3:R:S:N:String Array
     size_t interfaceLen; // the number of elts in interfaces
+    OicSecAceResourceWildcard_t wildcard;
     OicSecRsrc_t *next;
 };
 
@@ -463,7 +472,8 @@ typedef enum
 typedef enum
 {
     OicSecAceUuidSubject = 0, /* Default to this type. */
-    OicSecAceRoleSubject
+    OicSecAceRoleSubject,
+    OicSecAceConntypeSubject
 } OicSecAceSubjectType;
 
 /**
@@ -477,6 +487,12 @@ struct OicSecRole
     char authority[ROLEAUTHORITY_LENGTH];   // 1:R:S:N:String
 };
 
+typedef enum OicSecConntype
+{
+    AUTH_CRYPT, // any subject requesting over authenticated and encrypted channel
+    ANON_CLEAR, // any subject requesting over anonymous and unencrypted channel
+} OicSecConntype_t;
+
 struct OicSecAce
 {
     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
@@ -485,10 +501,12 @@ struct OicSecAce
     {
         OicUuid_t subjectuuid;          // Only valid for subjectType == OicSecAceUuidSubject
         OicSecRole_t subjectRole;       // Only valid for subjectType == OicSecAceRoleSubject
+        OicSecConntype_t subjectConn;   // Only valid for subjectType == OicSecAceConntypeSubject
     };
     OicSecRsrc_t *resources;            // 1:R:M:Y:Resource
     uint16_t permission;                // 2:R:S:Y:UINT16
     OicSecValidity_t *validities;       // 3:R:M:N:Time-interval
+    uint16_t aceid;                     // mandatory in ACE2
 #ifdef MULTIPLE_OWNER
     OicUuid_t* eownerID;                //4:R:S:N:oic.uuid
 #endif
index 86434cc..3bc4c7a 100644 (file)
Binary files a/resource/csdk/security/provisioning/sample/oic_svr_db_client.dat and b/resource/csdk/security/provisioning/sample/oic_svr_db_client.dat differ
index 3e802d7..5ae26e7 100644 (file)
 {\r
     "acl": {\r
-        "aclist": {\r
-            "aces": [\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
+        "aclist2": [\r
+            {\r
+                "aceid": 1,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 2,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 3,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 4,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 5,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/res",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.res"],\r
-                            "if": ["oic.if.ll"]\r
-                        },{\r
-                            "href": "/oic/d",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
-                            "rt": ["oic.wk.d"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        },{\r
-                            "href": "/oic/p",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.p"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
+                            "rt": ["oic.r.cred"],\r
+                            "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 2\r
+                "permission": 31\r
+            },\r
+            {\r
+                "aceid": 6,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/doxm",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.doxm"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/pstat",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
-                            "rt": ["oic.r.pstat"],\r
+                            "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 2\r
-                }\r
-            ]\r
-        },\r
+                "permission": 31\r
+            }\r
+        ],\r
         "rowneruuid" : "61646D69-6E44-6576-6963-655575696430"\r
     },\r
     "pstat": {\r
index a2a81fa..a077ceb 100644 (file)
Binary files a/resource/csdk/security/provisioning/sample/oic_svr_db_randompin_with_empty_deviceid.dat and b/resource/csdk/security/provisioning/sample/oic_svr_db_randompin_with_empty_deviceid.dat differ
index aac2964..274e112 100644 (file)
 {
     "acl": {
-        "aclist": {
-            "aces": [
-                {
-                    "subjectuuid": "*",
-                    "resources": [
+        "aclist2": [
+            {
+                "aceid": 1,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/res",
+                        "rel": "",
+                        "rt": ["oic.wk.res"],
+                        "if": ["oic.if.ll"]
+                    },{
+                        "href": "/oic/d",
+                        "rel": "",
+                        "rt": ["oic.wk.d"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    },{
+                        "href": "/oic/p",
+                        "rel": "",
+                        "rt": ["oic.wk.p"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    }
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 2,
+                "subject": {
+                  "conntype": "auth-crypt"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/res",
+                        "rel": "",
+                        "rt": ["oic.wk.res"],
+                        "if": ["oic.if.ll"]
+                    },{
+                        "href": "/oic/d",
+                        "rel": "",
+                        "rt": ["oic.wk.d"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    },{
+                        "href": "/oic/p",
+                        "rel": "",
+                        "rt": ["oic.wk.p"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    }
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 3,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/sec/doxm",
+                        "rel": "",
+                        "rt": ["oic.r.doxm"],
+                        "if": ["oic.if.baseline"]
+                    }
+                ],
+                "permission": 6
+            },
+            {
+                "aceid": 4,
+                "subject": {
+                  "conntype": "auth-crypt"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/sec/doxm",
+                        "rel": "",
+                        "rt": ["oic.r.doxm"],
+                        "if": ["oic.if.baseline"]
+                    }
+                ],
+                "permission": 6
+            },
+            {
+                "aceid": 5,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
                         {
-                            "href": "/oic/res",
+                            "href": "/oic/sec/roles",
                             "rel": "",
-                            "rt": ["oic.wk.res"],
-                            "if": ["oic.if.ll"]
-                        },{
-                            "href": "/oic/d",
-                            "rel": "",
-                            "rt": ["oic.wk.d"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
-                        },{
-                            "href": "/oic/p",
-                            "rel": "",
-                            "rt": ["oic.wk.p"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
+                            "rt": ["oic.r.cred"],
+                            "if": ["oic.if.baseline"]
                         }
                     ],
-                    "permission": 2
+                "permission": 31
+            },
+            {
+                "aceid": 6,
+                "subject": {
+                  "conntype": "auth-crypt"
                 },
-                {
-                    "subjectuuid": "*",
-                    "resources": [
+                "resources": [
                         {
-                            "href": "/oic/sec/doxm",
-                            "rel": "",
-                            "rt": ["oic.r.doxm"],
-                            "if": ["oic.if.baseline"]
-                        },
-                        {
-                            "href": "/oic/sec/pstat",
-                            "rel": "",
-                            "rt": ["oic.r.pstat"],
-                            "if": ["oic.if.baseline"]
-                        },
-                        {
-                            "href": "/oic/sec/cred",
+                            "href": "/oic/sec/roles",
                             "rel": "",
                             "rt": ["oic.r.cred"],
                             "if": ["oic.if.baseline"]
                         }
                     ],
-                    "permission": 6
-                }
-            ]
-        },
-        "rowneruuid" : ""
+                "permission": 31
+            }
+        ],
+        "rowneruuid": ""
     },
     "pstat": {
         "dos": {"s": 1, "p": false},
         "isop": false,
-        "deviceuuid": "",
-        "rowneruuid": "",
         "cm": 2,
         "tm": 0,
         "om": 4,
-        "sm": 4
-        },
+        "sm": 4,
+        "rowneruuid": ""
+    },
     "doxm": {
         "oxms": [0, 1],
         "oxmsel": 0,
index 63cf5e3..4cf4d0e 100644 (file)
Binary files a/resource/csdk/security/provisioning/sample/oic_svr_db_server_justworks.dat and b/resource/csdk/security/provisioning/sample/oic_svr_db_server_justworks.dat differ
index c3ca791..88a6936 100644 (file)
 {\r
     "acl": {\r
-        "aclist": {\r
-            "aces": [\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/res",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.res"],\r
-                            "if": ["oic.if.ll"]\r
-                        },{\r
-                            "href": "/oic/d",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.d"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        },{\r
-                            "href": "/oic/p",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.p"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        }\r
-                    ],\r
-                    "permission": 2\r
+        "aclist2": [\r
+            {\r
+                "aceid": 1,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/doxm",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.doxm"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
-                        {\r
-                            "href": "/oic/sec/pstat",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.pstat"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 2,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 3,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 4,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 5,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/cred",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 6\r
-                }, \r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
+                "permission": 31\r
+            },\r
+            {\r
+                "aceid": 6,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
                         {\r
                             "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 31\r
-                }            \r
-            ]\r
-        },\r
-        "rowneruuid" : "6A757374-776F-726B-4465-765575696430"\r
+                "permission": 31\r
+            }\r
+        ],\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
     },\r
     "pstat": {\r
         "dos": {"s": 1, "p": false},\r
         "isop": false,\r
-        "deviceuuid": "6A757374-776F-726B-4465-765575696430",\r
-        "rowneruuid": "6A757374-776F-726B-4465-765575696430",\r
         "cm": 2,\r
         "tm": 0,\r
         "om": 4,\r
-        "sm": 4\r
-        },\r
+        "sm": 4,\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
+    },\r
     "doxm": {\r
         "oxms": [0],\r
         "oxmsel": 0,\r
         "sct": 1,\r
         "owned": false,\r
-        "deviceuuid": "6A757374-776F-726B-4465-765575696430",\r
-        "devowneruuid": "",\r
-        "rowneruuid": "6A757374-776F-726B-4465-765575696430"\r
+        "deviceuuid": "12345678-1234-1234-1234-123456789012",\r
+        "devowneruuid": "00000000-0000-0000-0000-000000000000",\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
     }\r
 }\r
index 86a7555..360183b 100644 (file)
Binary files a/resource/csdk/security/provisioning/sample/oic_svr_db_server_mvjustworks.dat and b/resource/csdk/security/provisioning/sample/oic_svr_db_server_mvjustworks.dat differ
index b55a2ea..9393bea 100644 (file)
 {\r
     "acl": {\r
-        "aclist": {\r
-            "aces": [\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/res",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.res"],\r
-                            "if": ["oic.if.ll"]\r
-                        },{\r
-                            "href": "/oic/d",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.d"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        },{\r
-                            "href": "/oic/p",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.p"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        }\r
-                    ],\r
-                    "permission": 2\r
+        "aclist2": [\r
+            {\r
+                "aceid": 1,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/doxm",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.doxm"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
-                        {\r
-                            "href": "/oic/sec/pstat",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.pstat"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 2,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 3,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 4,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 5,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/cred",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 6\r
-                }, \r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
+                "permission": 31\r
+            },\r
+            {\r
+                "aceid": 6,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
                         {\r
                             "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 31\r
-                }\r
-            ]\r
-        },\r
-        "rowneruuid" : "6D766A75-7374-776F-726B-735575696430"\r
+                "permission": 31\r
+            }\r
+        ],\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
     },\r
     "pstat": {\r
         "dos": {"s": 1, "p": false},\r
         "isop": false,\r
-        "deviceuuid": "6D766A75-7374-776F-726B-735575696430",\r
-        "rowneruuid": "6D766A75-7374-776F-726B-735575696430",\r
         "cm": 2,\r
         "tm": 0,\r
         "om": 4,\r
-        "sm": 4\r
-        },\r
+        "sm": 4,\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
+    },\r
     "doxm": {\r
         "oxms": [0, 65281],\r
         "oxmsel": 0,\r
         "sct": 1,\r
         "owned": false,\r
-        "deviceuuid": "6D766A75-7374-776F-726B-735575696430",\r
-        "devowneruuid": "",\r
-        "rowneruuid": "6D766A75-7374-776F-726B-735575696430"\r
+        "deviceuuid": "12345678-1234-1234-1234-123456789012",\r
+        "devowneruuid": "00000000-0000-0000-0000-000000000000",\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
     }\r
 }\r
index 8c0bbda..491a570 100644 (file)
Binary files a/resource/csdk/security/provisioning/sample/oic_svr_db_server_preconfpin.dat and b/resource/csdk/security/provisioning/sample/oic_svr_db_server_preconfpin.dat differ
index 8e3668c..34ed9f1 100644 (file)
 {\r
     "acl": {\r
-        "aclist": {\r
-            "aces": [\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/res",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.res"],\r
-                            "if": ["oic.if.ll"]\r
-                        },{\r
-                            "href": "/oic/d",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.d"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        },{\r
-                            "href": "/oic/p",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.p"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        }\r
-                    ],\r
-                    "permission": 2\r
+        "aclist2": [\r
+            {\r
+                "aceid": 1,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/doxm",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.doxm"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
-                        {\r
-                            "href": "/oic/sec/pstat",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.pstat"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 2,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 3,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 4,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 5,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/cred",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 6\r
-                }, \r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
+                "permission": 31\r
+            },\r
+            {\r
+                "aceid": 6,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
                         {\r
                             "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 31\r
-                }\r
-            ]\r
-        },\r
-        "rowneruuid" : "50726563-6F6E-6669-6775-72656450494E"\r
+                "permission": 31\r
+            }\r
+        ],\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
     },\r
     "pstat": {\r
         "dos": {"s": 1, "p": false},\r
         "isop": false,\r
-        "deviceuuid": "50726563-6F6E-6669-6775-72656450494E",\r
-        "rowneruuid": "50726563-6F6E-6669-6775-72656450494E",\r
         "cm": 2,\r
         "tm": 0,\r
         "om": 4,\r
-        "sm": 4\r
-        },\r
+        "sm": 4,\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
+    },\r
     "doxm": {\r
         "oxms": [0, 65280],\r
         "oxmsel": 0,\r
         "sct": 1,\r
         "owned": false,\r
-        "deviceuuid": "50726563-6F6E-6669-6775-72656450494E",\r
-        "devowneruuid": "",\r
-        "rowneruuid": "50726563-6F6E-6669-6775-72656450494E"\r
+        "deviceuuid": "12345678-1234-1234-1234-123456789012",\r
+        "devowneruuid": "00000000-0000-0000-0000-000000000000",\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
     }\r
 }\r
index 21294f9..3ee32b3 100644 (file)
Binary files a/resource/csdk/security/provisioning/sample/oic_svr_db_server_randompin.dat and b/resource/csdk/security/provisioning/sample/oic_svr_db_server_randompin.dat differ
index b3cf03a..ee9205d 100644 (file)
 {\r
     "acl": {\r
-        "aclist": {\r
-            "aces": [\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/res",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.res"],\r
-                            "if": ["oic.if.ll"]\r
-                        },{\r
-                            "href": "/oic/d",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.d"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        },{\r
-                            "href": "/oic/p",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.p"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        }\r
-                    ],\r
-                    "permission": 2\r
+        "aclist2": [\r
+            {\r
+                "aceid": 1,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/doxm",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.doxm"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
-                        {\r
-                            "href": "/oic/sec/pstat",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.pstat"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 2,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 3,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 4,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 5,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/cred",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 6\r
-                }, \r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
+                "permission": 31\r
+            },\r
+            {\r
+                "aceid": 6,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
                         {\r
                             "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 31\r
-                }\r
-            ]\r
-        },\r
-        "rowneruuid" : "72616E64-5069-6E44-6576-557569643030"\r
+                "permission": 31\r
+            }\r
+        ],\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
     },\r
     "pstat": {\r
         "dos": {"s": 1, "p": false},\r
         "isop": false,\r
-        "deviceuuid": "72616E64-5069-6E44-6576-557569643030",\r
-        "rowneruuid": "72616E64-5069-6E44-6576-557569643030",\r
         "cm": 2,\r
         "tm": 0,\r
         "om": 4,\r
-        "sm": 4\r
-        },\r
+        "sm": 4,\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
+    },\r
     "doxm": {\r
         "oxms": [0, 1],\r
         "oxmsel": 0,\r
         "sct": 1,\r
         "owned": false,\r
-        "deviceuuid": "72616E64-5069-6E44-6576-557569643030",\r
-        "devowneruuid": "",\r
-        "rowneruuid": "72616E64-5069-6E44-6576-557569643030"\r
+        "deviceuuid": "12345678-1234-1234-1234-123456789012",\r
+        "devowneruuid": "00000000-0000-0000-0000-000000000000",\r
+        "rowneruuid": "00000000-0000-0000-0000-000000000000"\r
     }\r
 }\r
index 6fd824c..88538e2 100644 (file)
Binary files a/resource/csdk/security/provisioning/sample/oic_svr_db_subowner_client.dat and b/resource/csdk/security/provisioning/sample/oic_svr_db_subowner_client.dat differ
index f0ec6de..1f12fa3 100644 (file)
 {\r
     "acl": {\r
-        "aclist": {\r
-            "aces": [\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/res",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.res"],\r
-                            "if": ["oic.if.ll"]\r
-                        },{\r
-                            "href": "/oic/d",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.d"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        },{\r
-                            "href": "/oic/p",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.p"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        }\r
-                    ],\r
-                    "permission": 2\r
+        "aclist2": [\r
+            {\r
+                "aceid": 1,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/doxm",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.doxm"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
-                        {\r
-                            "href": "/oic/sec/pstat",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.pstat"],\r
-                            "if": ["oic.if.baseline"]\r
-                        }\r
-                    ],\r
-                    "permission": 2\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/sec/pconf",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.pconf"],\r
+                        "if": ["oic.if.baseline"]\r
+                    },{\r
+                        "href": "/oic/sec/dpairing",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.dpairing"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 2,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/pconf",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.pconf"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/sec/pconf",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.pconf"],\r
+                        "if": ["oic.if.baseline"]\r
+                    },{\r
+                        "href": "/oic/sec/dpairing",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.dpairing"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 3,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 4,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 5,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/dpairing",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
-                            "rt": ["oic.r.dpairing"],\r
+                            "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 2\r
-                }, \r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
+                "permission": 31\r
+            },\r
+            {\r
+                "aceid": 6,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
                         {\r
                             "href": "/oic/sec/roles",\r
                             "rel": "",\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 31\r
-                }\r
-            ]\r
-        },\r
+                "permission": 31\r
+            }\r
+        ],\r
         "rowneruuid" : "5375624F-776E-6572-436C-69656E743030"\r
     },\r
     "pstat": {\r
index 5fce3ad..8d9d180 100644 (file)
@@ -323,7 +323,7 @@ static void getCsrCB(void* ctx, size_t nOfRes, OCPMGetCsrResult_t* arr, bool has
         }
         else
         {
-            size_t lst_cnt;\r
+            size_t lst_cnt;
             for (lst_cnt = 0; nOfRes > lst_cnt; ++lst_cnt)
             {
                 printf("     [%" PRIuPTR "] ", lst_cnt + 1);
@@ -873,8 +873,8 @@ static int provisionCred(void)
  *   3. Saves this root as a trust anchor locally.
  *   4. Generate and store an IoTivity key and cert (issued from the CA root cert).
  *      This is an EE cert the CA/OBT will use in DTLS.
- *   
- *   The CA's key and cert are written to g_caKeyPem and g_caCertPem (resp.). 
+ *
+ *   The CA's key and cert are written to g_caKeyPem and g_caCertPem (resp.).
  */
 static int setupCA()
 {
@@ -932,7 +932,7 @@ static int setupCA()
         goto exit;
     }
 
-    /* Set our own trust anchor so that we trust certs we've issued. */\r
+    /* Set our own trust anchor so that we trust certs we've issued. */
     res = OCSaveTrustCertChain((uint8_t*) g_caCertPem, caCertLen, OIC_ENCODING_PEM, &g_caCredId);
     if (OC_STACK_OK != res)
     {
@@ -1010,10 +1010,10 @@ exit:
 }
 
 /*
- * Create an identity certificate for a device, based on the information in its CSR. 
+ * Create an identity certificate for a device, based on the information in its CSR.
  * Assumes the csr has already been validated wtih OCVerifyCSRSignature.
  */
-static int createIdentityCertFromCSR(const char* caKeyPem, const char* caCertPem, char* csr, 
+static int createIdentityCertFromCSR(const char* caKeyPem, const char* caCertPem, char* csr,
     char** deviceCert)
 {
     char* publicKey = NULL;
@@ -1612,16 +1612,17 @@ static int getAcl(void)
         OIC_LOG(ERROR, TAG, "getDevInst: device instance empty");
         goto PVACL_ERROR;
     }
-    OCStackResult rst = OCGetACLResource((void*) g_ctx, dev, getAclCB);
+    // IOT-2219 add support for OIC 1.1 /oic/sec/acl URI
+    OCStackResult rst = OCGetACL2Resource((void*) g_ctx, dev, getAclCB);
     if(OC_STACK_OK != rst)
     {
-        OIC_LOG_V(ERROR, TAG, "OCGetACLResource API error: %d", rst);
+        OIC_LOG_V(ERROR, TAG, "OCGetACL2Resource API error: %d", rst);
 
         goto PVACL_ERROR;
     }
     if(waitCallbackRet())  // input |g_doneCB| flag implicitly
     {
-        OIC_LOG(ERROR, TAG, "OCGetACLResource callback error");
+        OIC_LOG(ERROR, TAG, "OCGetACL2Resource callback error");
         goto PVACL_ERROR;
     }
 
index 83f6da3..987dd5b 100644 (file)
@@ -354,10 +354,10 @@ OCStackResult OCProvisionACL(void* ctx, const OCProvisionDev_t *selectedDeviceIn
 {
     /*
      * Determine whether this is a version 1 or version 2 ACL. We can't just always use V2 here
-     * since we may be provisioning an IoTivity 1.2 device.
+     * since we may be provisioning an IoTivity 1.2 or earlier device.
+     * TODO IOT-2219 - reintroduce OIC 1.1 /acl (v1) support
      */
-
-    OicSecAclVersion_t aclVersion = OIC_SEC_ACL_V1; /* default to v1 */
+    OicSecAclVersion_t aclVersion = OIC_SEC_ACL_V2;
     if (acl->aces != NULL)
     {
         /* If any of the aces have the role subject, the ACL is v2 */
@@ -488,7 +488,7 @@ OCStackResult OCProvisionCredentials(void *ctx, OicSecCredType_t type, size_t ke
  * @param[in] type Type of credentials to be provisioned to the device.
  * @param[in] keySize size of key
  * @param[in] pDev1 Pointer to OCProvisionDev_t instance, representing the resource to be provisioned.
- * @param[in] pDev2 Pointer to OCProvisionDev_t instance, representing the resource to be provisioned. 
+ * @param[in] pDev2 Pointer to OCProvisionDev_t instance, representing the resource to be provisioned.
  *                  Use NULL to indicate the local device.
  * @param[in] role1 The role which the device indicated by pDev1 will have when communicating with pDev2.
  *                  Use NULL to associate no role with this credential.
@@ -1100,7 +1100,7 @@ static void AclProv1CB(void* ctx, size_t nOfRes, OCProvisionResult_t *arr, bool
     UpdateLinkResults(link, 1, arr[0].res);
     if (NULL != link->pDev2Acl)
     {
-        OCStackResult res =  SRPProvisionACL(ctx, link->pDev2, link->pDev2Acl, OIC_SEC_ACL_V1, &AclProv2CB);
+        OCStackResult res =  SRPProvisionACL(ctx, link->pDev2, link->pDev2Acl, OIC_SEC_ACL_V2, &AclProv2CB);
         if (OC_STACK_OK!=res)
         {
              UpdateLinkResults(link, 2, res);
@@ -1149,8 +1149,7 @@ static void ProvisionCredsCB(void* ctx, size_t nOfRes, OCProvisionResult_t *arr,
     }
     if (NULL != link->pDev1Acl)
     {
-
-        OCStackResult res =  SRPProvisionACL(ctx, link->pDev1, link->pDev1Acl, OIC_SEC_ACL_V1, &AclProv1CB);
+        OCStackResult res =  SRPProvisionACL(ctx, link->pDev1, link->pDev1Acl, OIC_SEC_ACL_V2, &AclProv1CB);
         if (OC_STACK_OK!=res)
         {
              OIC_LOG(ERROR, TAG, "Error while provisioning ACL for device 1");
@@ -1165,7 +1164,8 @@ static void ProvisionCredsCB(void* ctx, size_t nOfRes, OCProvisionResult_t *arr,
     else if (NULL!=link->pDev2Acl)
     {
         OIC_LOG(ERROR, TAG, "ACL for device 1 is NULL");
-        OCStackResult res =  SRPProvisionACL(ctx, link->pDev2, link->pDev2Acl, OIC_SEC_ACL_V1, &AclProv2CB);
+
+        OCStackResult res =  SRPProvisionACL(ctx, link->pDev2, link->pDev2Acl, OIC_SEC_ACL_V2, &AclProv2CB);
         if (OC_STACK_OK!=res)
         {
              OIC_LOG(ERROR, TAG, "Error while provisioning ACL for device 2");
index 21a144a..c2bf433 100644 (file)
@@ -1278,6 +1278,7 @@ static OCStackApplicationResult OwnerAclHandler(void *ctx, OCDoHandle UNUSED,
         if(NULL != selectedDeviceInfo)
         {
             //POST /oic/sec/doxm [{ ..., "owned":"TRUE" }]
+            OIC_LOG_V(DEBUG, TAG, "%s posting /doxm.owned = true.", __func__);
             res = PostOwnershipInformation(otmCtx);
             if(OC_STACK_OK != res)
             {
@@ -1659,7 +1660,7 @@ static OicSecAcl_t* GenerateOwnerAcl(const OicUuid_t* owner)
 {
     OicSecAcl_t* ownerAcl = (OicSecAcl_t*)OICCalloc(1, sizeof(OicSecAcl_t));
     OicSecAce_t* ownerAce = (OicSecAce_t*)OICCalloc(1, sizeof(OicSecAce_t));
-    OicSecRsrc_t* wildcardRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
+    OicSecRsrc_t* wildcardRsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t)); // TODO IOT-2192
     if(NULL == ownerAcl || NULL == ownerAce || NULL == wildcardRsrc)
     {
         OIC_LOG(ERROR, TAG, "Failed to memory allocation");
@@ -1771,7 +1772,7 @@ static OCStackResult PostOwnerAcl(OTMContext_t* otmCtx)
     if(!PMGenerateQuery(true,
                         deviceInfo->endpoint.addr, deviceInfo->securePort,
                         deviceInfo->connType,
-                        query, sizeof(query), OIC_RSRC_ACL_URI))
+                        query, sizeof(query), OIC_RSRC_ACL2_URI))
     {
         OIC_LOG(ERROR, TAG, "Failed to generate query");
         return OC_STACK_ERROR;
@@ -1803,7 +1804,8 @@ static OCStackResult PostOwnerAcl(OTMContext_t* otmCtx)
         goto error;
     }
 
-    res = AclToCBORPayload(ownerAcl, OIC_SEC_ACL_V1, &secPayload->securityData, &secPayload->payloadSize);
+    // TODO IOT-2052 change to V2
+    res = AclToCBORPayload(ownerAcl, OIC_SEC_ACL_V2, &secPayload->securityData, &secPayload->payloadSize);
     if (OC_STACK_OK != res)
     {
         OICFree(secPayload);
index 51253da..7c3ef79 100644 (file)
@@ -1021,6 +1021,7 @@ OCStackResult SRPProvisionACL(void *ctx, const OCProvisionDev_t *selectedDeviceI
     switch (aclVersion)
     {
     case OIC_SEC_ACL_V1:
+        OIC_LOG_V(WARNING, TAG, "%s using ACL v1... this should only be used for provisioning OIC 1.1 and earlier Servers.", __func__);
         uri = OIC_RSRC_ACL_URI;
         break;
     case OIC_SEC_ACL_V2:
@@ -1421,7 +1422,7 @@ static OCStackResult SendDeleteACLRequest(void* ctx,
     int snRet = 0;
                     //coaps://0.0.0.0:5684/oic/sec/acl?subjectuuid=(Canonical ENCODED UUID)
     snRet = snprintf(reqBuf, sizeof(reqBuf), SRP_FORM_DELETE_CREDENTIAL, addressEncoded,
-                     destDev->securePort, OIC_RSRC_ACL_URI, OIC_JSON_SUBJECTID_NAME, subID);
+                     destDev->securePort, OIC_RSRC_ACL2_URI, OIC_JSON_SUBJECTID_NAME, subID);
     OICFree(subID);
     if (snRet < 0)
     {
@@ -2535,7 +2536,7 @@ OCStackResult SRPResetDevice(const OCProvisionDev_t* pTargetDev,
         return OC_STACK_NO_MEMORY;
     }
 
-    pstat->dos.state = DOS_RESET; // Note [IOT-2052] in OCF 1.0 this is the only
+    pstat->dos.state = DOS_RESET; // TODO IOT-2052 in OCF 1.0 this is the only
                                   // value that needs to be set to cause RESET
     pstat->cm = RESET;
     pstat->isOp = false;
@@ -2819,6 +2820,7 @@ OCStackResult SRPGetACLResource(void *ctx, const OCProvisionDev_t *selectedDevic
     switch (aclVersion)
     {
     case OIC_SEC_ACL_V1:
+        OIC_LOG_V(WARNING, TAG, "%s using ACL v1... this should only be used for provisioning OIC 1.1 and earlier Servers.", __func__);
         uri = OIC_RSRC_ACL_URI;
         break;
     case OIC_SEC_ACL_V2:
index 9fd4a8b..76029b8 100644 (file)
 #define NUMBER_OF_DEFAULT_SEC_RSCS 2
 #define STRING_UUID_SIZE (UUID_LENGTH * 2 + 5)
 
-static const uint8_t ACL_MAP_SIZE = 4;
-static const uint8_t ACL_ACLIST_MAP_SIZE = 1;
-static const uint8_t ACL_ACES_MAP_SIZE = 3;
+static const uint8_t ACL_MAP_SIZE = 4; // aclist, rowneruuid, RT and IF
+static const uint8_t ACL_ACLIST_MAP_SIZE = 1; // aces object
+static const uint8_t ACL_ACLIST2_MAP_SIZE = 1; // array
+static const uint8_t ACL_ACE_MAP_SIZE = 3; // subject, resource, permissions
+static const uint8_t ACL_ACE2_MAP_SIZE = 4; // aceid, subject, resource, permissions
 static const uint8_t ACL_RESOURCE_MAP_SIZE = 3;
+static const uint8_t ACE_DID_MAP_SIZE = 1;
 static const uint8_t ACE_ROLE_MAP_SIZE = 1;
-
+static const uint8_t ACE_CONN_MAP_SIZE = 1;
 
 // CborSize is the default cbor payload size being used.
 static const uint16_t CBOR_SIZE = 2048*8;
@@ -181,6 +184,9 @@ OicSecAce_t* DuplicateACE(const OicSecAce_t* ace)
         case OicSecAceRoleSubject:
             memcpy(&newAce->subjectRole, &ace->subjectRole, sizeof(ace->subjectRole));
             break;
+        case OicSecAceConntypeSubject:
+            newAce->subjectConn = ace->subjectConn;
+            break;
         default:
             assert(!"Unsupported ACE type");
             OICFree(newAce);
@@ -194,10 +200,12 @@ OicSecAce_t* DuplicateACE(const OicSecAce_t* ace)
             VERIFY_NOT_NULL(TAG, newRsrc, ERROR);
             LL_APPEND(newAce->resources, newRsrc);
 
-            //href is mandatory
-            VERIFY_NOT_NULL(TAG, rsrc->href, ERROR);
-            newRsrc->href = (char*)OICStrdup(rsrc->href);
-            VERIFY_NOT_NULL(TAG, newRsrc->href, ERROR);
+            // href is not mandatory in OCF 1.0/ACE2
+            if (rsrc->href)
+            {
+                newRsrc->href = OICStrdup(rsrc->href);
+                VERIFY_NOT_NULL(TAG, newRsrc->href, ERROR);
+            }
 
             if(rsrc->rel)
             {
@@ -228,6 +236,8 @@ OicSecAce_t* DuplicateACE(const OicSecAce_t* ace)
                     VERIFY_NOT_NULL(TAG, (newRsrc->interfaces[i]), ERROR);
                 }
             }
+
+            newRsrc->wildcard = rsrc->wildcard;
         }
 
         //Permission
@@ -303,7 +313,8 @@ static size_t OicSecAclSize(const OicSecAcl_t *secAcl)
     return size;
 }
 
-OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t aclVersion, uint8_t **payload, size_t *size)
+OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl,
+    OicSecAclVersion_t aclVersion, uint8_t **payload, size_t *size)
 {
     if (NULL == secAcl || NULL == payload || NULL != *payload || NULL == size)
     {
@@ -314,7 +325,10 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
     switch (aclVersion)
     {
     case OIC_SEC_ACL_V1:
+        OIC_LOG_V(DEBUG, TAG, "%s encoding v1 ACL.", __func__);
+        break;
     case OIC_SEC_ACL_V2:
+        OIC_LOG_V(DEBUG, TAG, "%s encoding v2 ACL.", __func__);
         break;
     default:
         return OC_STACK_INVALID_PARAM;
@@ -332,6 +346,9 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
     size_t cborLen = *size;
     *size = 0;
     *payload = NULL;
+    char *subjectuuidstring = NULL;
+    const char *aclRsrcType = NULL;
+    const char *wcstring = NULL;
 
     if (cborLen == 0)
     {
@@ -343,33 +360,74 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
 
     cbor_encoder_init(&encoder, outPayload, cborLen, 0);
 
-    // Create ACL Map (aclist, rownerid)
+    // Create ACL Map which contains aclist or aclist2, rowneruuid, rt and if
     cborEncoderResult = cbor_encoder_create_map(&encoder, &aclMap, ACL_MAP_SIZE);
     VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Creating ACL Map.");
+    OIC_LOG_V(DEBUG, TAG, "%s starting encoding of %s resource.",
+        __func__, (OIC_SEC_ACL_V1 == aclVersion)?"v1 acl":"v2 acl2");
 
-    cborEncoderResult = cbor_encode_text_string(&aclMap, OIC_JSON_ACLIST_NAME,
-        strlen(OIC_JSON_ACLIST_NAME));
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding aclist Name Tag.");
+    // v1 uses "aclist" as the top-level tag, containing an "aces" object
+    if (OIC_SEC_ACL_V1 == aclVersion)
+    {
+        cborEncoderResult = cbor_encode_text_string(&aclMap, OIC_JSON_ACLIST_NAME,
+            strlen(OIC_JSON_ACLIST_NAME));
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding aclist Tag.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v1 %s tag.", __func__, OIC_JSON_ACLIST_NAME);
+    }
+    // v2 uses "aclist2" as the top-level tag, containing an array of ace2 objects
+    else
+    {
+        cborEncoderResult = cbor_encode_text_string(&aclMap, OIC_JSON_ACLIST2_NAME,
+            strlen(OIC_JSON_ACLIST2_NAME));
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding aclist2 Tag.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_ACLIST2_NAME);
+    }
 
-    // Create ACLIST Map (aces)
-    cborEncoderResult = cbor_encoder_create_map(&aclMap, &aclListMap, ACL_ACLIST_MAP_SIZE);
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Creating ACLIST Map.");
+    // v1 puts "aces" inside an "aclist" object, so create size 1 map
+    if (OIC_SEC_ACL_V1 == aclVersion)
+    {
+        cborEncoderResult = cbor_encoder_create_map(&aclMap, &aclListMap, ACL_ACLIST_MAP_SIZE);
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Creating aclist Map.");
+        OIC_LOG_V(DEBUG, TAG, "%s created v1 %s map.", __func__, OIC_JSON_ACLIST_NAME);
 
-    cborEncoderResult = cbor_encode_text_string(&aclListMap, OIC_JSON_ACES_NAME,
-        strlen(OIC_JSON_ACES_NAME));
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding ACES Name Tag.");
+        // v1 precedes ACE object array with "ace" tag
+        cborEncoderResult = cbor_encode_text_string(&aclListMap, OIC_JSON_ACES_NAME,
+            strlen(OIC_JSON_ACES_NAME));
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding ACES Name Tag.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v1 %s tag.", __func__, OIC_JSON_ACES_NAME);
+    }
 
-    // Create ACES Array
-    cborEncoderResult = cbor_encoder_create_array(&aclListMap, &acesArray, OicSecAclSize(secAcl));
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Creating ACES Array.");
+    // v1 Create ACE Array in aclist map
+    if (OIC_SEC_ACL_V1 == aclVersion)
+    {
+        cborEncoderResult = cbor_encoder_create_array(&aclListMap, &acesArray, OicSecAclSize(secAcl));
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Creating ACE Array.");
+        OIC_LOG_V(DEBUG, TAG, "%s created v1 ACE array.", __func__);
+    }
+    else
+    // v2 create ACE2 array in acl map
+    {
+        cborEncoderResult = cbor_encoder_create_array(&aclMap, &acesArray, OicSecAclSize(secAcl));
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Creating ACE2 Array.");
+        OIC_LOG_V(DEBUG, TAG, "%s created v2 ACE2 array.", __func__);
+    }
 
+    // encode the ACE objects
     ace = NULL;
     LL_FOREACH (acl->aces, ace)
     {
         CborEncoder oicSecAclMap;
-        // ACL Map size - Number of mandatory items
-        uint8_t aclMapSize = ACL_ACES_MAP_SIZE;
-        size_t inLen = 0;
+
+        uint8_t aceMapSize = 0;
+        // ACE object Map size
+        if(OIC_SEC_ACL_V1 == aclVersion)
+        {
+            aceMapSize = ACL_ACE_MAP_SIZE;
+        }
+        else
+        {
+            aceMapSize = ACL_ACE2_MAP_SIZE; // v2 has "aceid" so 1 more item
+        }
 
         // Version 1 doesn't support role subjects. If we have any, we can't comply with the request.
         if ((OIC_SEC_ACL_V2 > aclVersion) && (OicSecAceRoleSubject == ace->subjectType))
@@ -383,49 +441,124 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
         {
             if(validityElts->period)
             {
-                aclMapSize++;
+                aceMapSize++;
             }
             if(validityElts->recurrences)
             {
-                aclMapSize++;
+                aceMapSize++;
             }
         }
 
 #ifdef MULTIPLE_OWNER
         if(ace->eownerID)
         {
-            aclMapSize++;
+            aceMapSize++;
         }
 #endif //MULTIPLE_OWNER
 
-        cborEncoderResult = cbor_encoder_create_map(&acesArray, &oicSecAclMap, aclMapSize);
+        cborEncoderResult = cbor_encoder_create_map(&acesArray, &oicSecAclMap, aceMapSize);
         VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Creating ACES Map");
+        OIC_LOG_V(DEBUG, TAG, "%s created %s map.",
+            __func__, OIC_SEC_ACL_V1 == aclVersion?"v1 ACE":"v2 ACE2");
+
+        // v2 has an "aceid" property
+        if (OIC_SEC_ACL_V2 == aclVersion) // v2
+        {
+            cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, OIC_JSON_ACEID_NAME,
+                strlen(OIC_JSON_ACEID_NAME));
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding aceid Tag.");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_ACEID_NAME);
+            cborEncoderResult = cbor_encode_int(&oicSecAclMap, ace->aceid);
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding aceid Value.");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v2 aceid value %d.", __func__, ace->aceid);
+        }
+
+        // v1 has a "subjectuuid" tag, followed by a UUID string
+        if (OIC_SEC_ACL_V1 == aclVersion) //v1
+        {
+            cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, OIC_JSON_SUBJECTID_NAME,
+                strlen(OIC_JSON_SUBJECTID_NAME));
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding subjectuuid Tag.");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v1 %s tag.", __func__, OIC_JSON_SUBJECTID_NAME);
+        }
+        // v2 has a "subject" tag, and then one of three different subject types: UUID, roletype or conntype
+        else
+        {
+            cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, OIC_JSON_SUBJECT_NAME,
+                strlen(OIC_JSON_SUBJECT_NAME));
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding subject Tag.");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_SUBJECT_NAME);
+        }
 
-        // Subject -- Mandatory
-        cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, OIC_JSON_SUBJECTID_NAME,
-            strlen(OIC_JSON_SUBJECTID_NAME));
-        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding Subject Name Tag.");
+        // UUID type v1 or v2
         if (OicSecAceUuidSubject == ace->subjectType)
         {
-            inLen = (memcmp(&(ace->subjectuuid), &WILDCARD_SUBJECT_ID, sizeof(OicUuid_t)) == 0) ?
-                WILDCARD_SUBJECT_ID_LEN : sizeof(OicUuid_t);
-            if (inLen == WILDCARD_SUBJECT_ID_LEN)
+            size_t len = (0 == memcmp(&(ace->subjectuuid), &WILDCARD_SUBJECT_ID, sizeof(ace->subjectuuid))) ?
+                WILDCARD_SUBJECT_ID_LEN : sizeof(ace->subjectuuid);
+            if (WILDCARD_SUBJECT_ID_LEN == len)
             {
-                cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, WILDCARD_RESOURCE_URI,
-                    strlen(WILDCARD_RESOURCE_URI));
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding Subject Id wildcard Value.");
+                if (OIC_SEC_ACL_V1 == aclVersion) // v1
+                {
+                    cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, WILDCARD_RESOURCE_URI,
+                        strlen(WILDCARD_RESOURCE_URI));
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding subjectuud wildcard URI value.");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded subjectuuid wildcard value %s.", __func__, WILDCARD_RESOURCE_URI);
+                }
+                else // v2
+                {
+                    cborEncoderResult = CborUnknownError;
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "ACE has wildcard subjectuuid; cannot encode into oic.sec.ace2 object.");
+                }
             }
             else
             {
-                char *subject = NULL;
-                ret = ConvertUuidToStr(&ace->subjectuuid, &subject);
+                if (NULL != subjectuuidstring)
+                {
+                    OICFree(subjectuuidstring);
+                    subjectuuidstring = NULL;
+                }
+                ret = ConvertUuidToStr(&ace->subjectuuid, &subjectuuidstring);
                 cborEncoderResult = (OC_STACK_OK == ret) ? CborNoError : CborUnknownError;
                 VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed to convert subject UUID to string");
-                cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, subject, strlen(subject));
-                OICFree(subject);
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding Subject UUID Value");
+                OIC_LOG_V(DEBUG, TAG, "%s converted UUID to %s", __func__, subjectuuidstring);
+
+                // v1 encodes the UUID immediately after the "subjectuuid" tag encoded above
+                if (OIC_SEC_ACL_V1 == aclVersion)
+                {
+                    cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, subjectuuidstring, strlen(subjectuuidstring));
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding subjectuuid Value");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v1 UUID value %s.", __func__, subjectuuidstring);
+                }
+                // v2 encodes another tag and then the value, depending on the type (UUID, role or conn)
+                else
+                {
+                    // v2 UUID type uses "uuid" tag and then UUID string value
+                    CborEncoder didMap;
+
+                    cborEncoderResult = cbor_encoder_create_map(&oicSecAclMap, &didMap, ACE_DID_MAP_SIZE);
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed creating did map");
+                    OIC_LOG_V(DEBUG, TAG, "%s created v2 did map.", __func__);
+
+                    cborEncoderResult = cbor_encode_text_string(&didMap, OIC_JSON_UUID_NAME, strlen(OIC_JSON_UUID_NAME));
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding uuid tag");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_UUID_NAME);
+
+                    cborEncoderResult = cbor_encode_text_string(&didMap, subjectuuidstring, strlen(subjectuuidstring));
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding Subject UUID Value");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v2 UUID value %s.", __func__, subjectuuidstring);
+                    if (NULL != subjectuuidstring)
+                    {
+                        OICFree(subjectuuidstring);
+                        subjectuuidstring = NULL;
+                    }
+
+                    cborEncoderResult = cbor_encoder_close_container(&oicSecAclMap, &didMap);
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed closing did map");
+                    OIC_LOG_V(DEBUG, TAG, "%s closed v2 did map.", __func__);
+                }
             }
         }
+        // v2 roletype
         else if (OicSecAceRoleSubject == ace->subjectType)
         {
             assert(OIC_SEC_ACL_V2 <= aclVersion);
@@ -435,29 +568,76 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
 
             cborEncoderResult = cbor_encoder_create_map(&oicSecAclMap, &roleMap, ACE_ROLE_MAP_SIZE + includeAuthority?1:0);
             VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed creating role map");
+            OIC_LOG_V(DEBUG, TAG, "%s created v2 role map.", __func__);
 
             cborEncoderResult = cbor_encode_text_string(&roleMap, OIC_JSON_ROLE_NAME, strlen(OIC_JSON_ROLE_NAME));
             VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding roleid tag");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_ROLE_NAME);
 
             cborEncoderResult = cbor_encode_text_string(&roleMap, ace->subjectRole.id, strlen(ace->subjectRole.id));
             VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding roleid value");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v2 roleid value %s.", __func__, ace->subjectRole.id);
 
             if (includeAuthority)
             {
                 cborEncoderResult = cbor_encode_text_string(&roleMap, OIC_JSON_AUTHORITY_NAME, strlen(OIC_JSON_AUTHORITY_NAME));
                 VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding authority tag");
+                OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_AUTHORITY_NAME);
 
                 cborEncoderResult = cbor_encode_text_string(&roleMap, ace->subjectRole.authority, strlen(ace->subjectRole.authority));
                 VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding authority value");
+                OIC_LOG_V(DEBUG, TAG, "%s encoded v2 authority value %s.", __func__, ace->subjectRole.authority);
             }
 
             cborEncoderResult = cbor_encoder_close_container(&oicSecAclMap, &roleMap);
             VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed closing role map");
+            OIC_LOG_V(DEBUG, TAG, "%s closed v2 role map.", __func__);
+        }
+        // v2 conntype
+        else if (OicSecAceConntypeSubject == ace->subjectType)
+        {
+            assert(OIC_SEC_ACL_V2 <= aclVersion);
+            CborEncoder connMap;
+
+            cborEncoderResult = cbor_encoder_create_map(&oicSecAclMap, &connMap, ACE_CONN_MAP_SIZE);
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed creating conn map");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v2 conn map.", __func__);
+
+            cborEncoderResult = cbor_encode_text_string(&connMap, OIC_JSON_CONNTYPE_NAME, strlen(OIC_JSON_CONNTYPE_NAME));
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding conntype tag");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_CONNTYPE_NAME);
+
+            if (AUTH_CRYPT == ace->subjectConn)
+            {
+                cborEncoderResult = cbor_encode_text_string(&connMap, OIC_JSON_AUTHCRYPT_NAME, strlen(OIC_JSON_AUTHCRYPT_NAME));
+                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding auth-crypt value");
+                OIC_LOG_V(DEBUG, TAG, "%s encoded v2 conntype value %s.", __func__, OIC_JSON_AUTHCRYPT_NAME);
+            }
+            else if (ANON_CLEAR == ace->subjectConn)
+            {
+                cborEncoderResult = cbor_encode_text_string(&connMap, OIC_JSON_ANONCLEAR_NAME, strlen(OIC_JSON_AUTHCRYPT_NAME));
+                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed adding anon-clear value");
+                OIC_LOG_V(DEBUG, TAG, "%s encoded v2 conntype value %s.", __func__, OIC_JSON_ANONCLEAR_NAME);
+            }
+            else
+            {
+                OIC_LOG_V(ERROR, TAG, "%s unknown conntype value %d.", __func__, ace->subjectConn);
+                assert(!"unknown conntype value");
+                cborEncoderResult = CborUnknownError;
+                ret = OC_STACK_ERROR;
+                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "unknown conntype value");
+            }
+
+            cborEncoderResult = cbor_encoder_close_container(&oicSecAclMap, &connMap);
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed closing conn map");
+            ret = OC_STACK_ERROR;
+            OIC_LOG_V(DEBUG, TAG, "%s closed v2 conn map.", __func__);
         }
         else
         {
             assert(!"Unknown ACE subject type");
             cborEncoderResult = CborUnknownError;
+            ret = OC_STACK_ERROR;
             VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Unknown ACE subject type");
         }
 
@@ -467,6 +647,7 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
             cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, OIC_JSON_RESOURCES_NAME,
                 strlen(OIC_JSON_RESOURCES_NAME));
             VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding Resource Name Tag.");
+            OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_RESOURCES_NAME);
 
             size_t rsrcLen = 0;
             OicSecRsrc_t* rsrcElts = NULL;
@@ -476,7 +657,8 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
             }
 
             cborEncoderResult = cbor_encoder_create_array(&oicSecAclMap, &resources, rsrcLen);
-            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding Resource Name Array.");
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed creating resources Array.");
+            OIC_LOG_V(DEBUG, TAG, "%s created v1/v2 resources array.", __func__);
 
             OicSecRsrc_t* rsrc = NULL;
             LL_FOREACH(ace->resources, rsrc)
@@ -490,71 +672,127 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
                 }
 
                 cborEncoderResult = cbor_encoder_create_map(&resources, &rMap, rsrcMapSize);
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding Resource Map.");
+                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding Resource Map.");
+                OIC_LOG_V(DEBUG, TAG, "%s created v1/v2 resource map.", __func__);
 
-                //href -- Mandatory
-                VERIFY_NOT_NULL(TAG, rsrc->href, ERROR);
-                cborEncoderResult = cbor_encode_text_string(&rMap, OIC_JSON_HREF_NAME,
+                // href
+                if (NULL != rsrc->href)
+                {
+                    cborEncoderResult = cbor_encode_text_string(&rMap, OIC_JSON_HREF_NAME,
                         strlen(OIC_JSON_HREF_NAME));
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding HREF Name Tag.");
-                cborEncoderResult = cbor_encode_text_string(&rMap, rsrc->href, strlen(rsrc->href));
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding HREF Value in Map.");
-
-                //resource type -- Mandatory
-                cborEncoderResult = cbor_encode_text_string(&rMap, OIC_JSON_RT_NAME,
-                        strlen(OIC_JSON_RT_NAME));
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding RT Name Tag.");
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding HREF Name Tag.");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_HREF_NAME);
+                    cborEncoderResult = cbor_encode_text_string(&rMap, rsrc->href, strlen(rsrc->href));
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding HREF Value in Map.");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 href value %s.", __func__, rsrc->href);
+                }
 
-                CborEncoder resourceTypes;
-                cborEncoderResult = cbor_encoder_create_array(&rMap, &resourceTypes, rsrc->typeLen);
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding RT Array.");
-                for(size_t i = 0; i < rsrc->typeLen; i++)
+                // resource type
+                if (rsrc->typeLen > 0)
                 {
-                    cborEncoderResult = cbor_encode_text_string(&resourceTypes, rsrc->types[i], strlen(rsrc->types[i]));
-                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding RT Value.");
+                    cborEncoderResult = cbor_encode_text_string(&rMap, OIC_JSON_RT_NAME,
+                        strlen(OIC_JSON_RT_NAME));
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding RT Name Tag.");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_RT_NAME);
+
+                    CborEncoder resourceTypes;
+                    cborEncoderResult = cbor_encoder_create_array(&rMap, &resourceTypes, rsrc->typeLen);
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed creating RT Array.");
+                    OIC_LOG_V(DEBUG, TAG, "%s created v1/v2 rt array.", __func__);
+                    for(size_t i = 0; i < rsrc->typeLen; i++)
+                    {
+                        cborEncoderResult = cbor_encode_text_string(&resourceTypes, rsrc->types[i], strlen(rsrc->types[i]));
+                        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding RT Value.");
+                        OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 rt value %s.", __func__, rsrc->types[i]);
+                    }
+                    cborEncoderResult = cbor_encoder_close_container(&rMap, &resourceTypes);
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing resourceTypes.");
+                    OIC_LOG_V(DEBUG, TAG, "%s closed v1/v2 resource map.", __func__);
                 }
-                cborEncoderResult = cbor_encoder_close_container(&rMap, &resourceTypes);
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing resourceTypes.");
-
-                //interface -- Mandatory
-                cborEncoderResult = cbor_encode_text_string(&rMap, OIC_JSON_IF_NAME,
-                        strlen(OIC_JSON_IF_NAME));
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding IF Name Tag.");
 
-                CborEncoder interfaces;
-                cborEncoderResult = cbor_encoder_create_array(&rMap, &interfaces, rsrc->interfaceLen);
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding IF Array.");
-                for(size_t i = 0; i < rsrc->interfaceLen; i++)
+                // interface
+                if (rsrc->interfaceLen > 0)
                 {
-                    cborEncoderResult = cbor_encode_text_string(&interfaces, rsrc->interfaces[i], strlen(rsrc->interfaces[i]));
-                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding IF Value.");
+                    cborEncoderResult = cbor_encode_text_string(&rMap, OIC_JSON_IF_NAME,
+                        strlen(OIC_JSON_IF_NAME));
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding IF Name Tag.");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_IF_NAME);
+
+                    CborEncoder interfaces;
+                    cborEncoderResult = cbor_encoder_create_array(&rMap, &interfaces, rsrc->interfaceLen);
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed creating IF Array.");
+                    OIC_LOG_V(DEBUG, TAG, "%s created v1/v2 IF array.", __func__);
+                    for(size_t i = 0; i < rsrc->interfaceLen; i++)
+                    {
+                        cborEncoderResult = cbor_encode_text_string(&interfaces, rsrc->interfaces[i], strlen(rsrc->interfaces[i]));
+                        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding IF Value.");
+                        OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 IF value %s.", __func__, rsrc->interfaces[i]);
+                    }
+                    cborEncoderResult = cbor_encoder_close_container(&rMap, &interfaces);
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing interfaces.");
                 }
-                cborEncoderResult = cbor_encoder_close_container(&rMap, &interfaces);
-                VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing interfaces.");
 
-                //rel
+                // rel
                 if(rsrc->rel)
                 {
                     cborEncoderResult = cbor_encode_text_string(&rMap, OIC_JSON_REL_NAME,
                             strlen(OIC_JSON_REL_NAME));
-                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding REL Name Tag.");
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding REL Name Tag.");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_REL_NAME);
                     cborEncoderResult = cbor_encode_text_string(&rMap, rsrc->rel, strlen(rsrc->rel));
-                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding REL Value.");
+                    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding REL Value.");
+                    OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 rel value %s.", __func__, rsrc->rel);
+                }
+
+                // v2 supports wildcard
+                if (OIC_SEC_ACL_V2 == aclVersion)
+                {
+                    if (NO_WILDCARD != rsrc->wildcard)
+                    {
+                        cborEncoderResult = cbor_encode_text_string(&rMap, OIC_JSON_WC_NAME,
+                            strlen(OIC_JSON_WC_NAME));
+                        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding WC Name Tag.");
+                        OIC_LOG_V(DEBUG, TAG, "%s encoded v2 %s tag.", __func__, OIC_JSON_WC_NAME);
+                        switch(rsrc->wildcard)
+                        {
+                            case ALL_DISCOVERABLE:
+                            wcstring = OIC_JSON_WC_PLUS_NAME;
+                            break;
+                            case ALL_NON_DISCOVERABLE:
+                            wcstring = OIC_JSON_WC_PLUS_NAME;
+                            break;
+                            case ALL_RESOURCES:
+                            wcstring = OIC_JSON_WC_PLUS_NAME;
+                            break;
+                            default:
+                            OIC_LOG_V(ERROR, TAG, "%s: unknown ACE2 wildcard type.", __func__);
+                            VERIFY_CBOR_SUCCESS(TAG, CborUnknownError, "unknown ACE2 wildcard type");
+                            break;
+                        }
+                        cborEncoderResult = cbor_encode_text_string(&rMap, wcstring, strlen(wcstring));
+                        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding WC Value.");
+                        OIC_LOG_V(DEBUG, TAG, "%s encoded v2 wc value %s.", __func__, wcstring);
+                        wcstring = NULL;
+                    }
                 }
 
                 cborEncoderResult = cbor_encoder_close_container(&resources, &rMap);
                 VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing Resource Map.");
+                OIC_LOG_V(DEBUG, TAG, "%s closed v1/v2 resource map.", __func__);
             }
             cborEncoderResult = cbor_encoder_close_container(&oicSecAclMap, &resources);
             VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing Resource Name Array.");
+            OIC_LOG_V(DEBUG, TAG, "%s closed v1/v2 resources array.", __func__);
         }
 
         // Permissions -- Mandatory
         cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, OIC_JSON_PERMISSION_NAME,
             strlen(OIC_JSON_PERMISSION_NAME));
         VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding Permission Name Tag.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_PERMISSION_NAME);
         cborEncoderResult = cbor_encode_int(&oicSecAclMap, ace->permission);
         VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding Permission Name Value.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 permission value %d.", __func__, ace->permission);
 
         // TODO: Need to verfication for validity
         // Validity(Time-interval) -- Not Mandatory
@@ -638,21 +876,37 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
             VERIFY_SUCCESS(TAG, ret == OC_STACK_OK, ERROR);
             cborEncoderResult = cbor_encode_text_string(&oicSecAclMap, eowner, strlen(eowner));
             OICFree(eowner);
-            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding eownerId Value.");
+            VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding eownerId Value.");
         }
 #endif //MULTIPLE_OWNER
 
+        // close the map of the oic.sec.ace/ace2 object
         cborEncoderResult = cbor_encoder_close_container(&acesArray, &oicSecAclMap);
         VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing ACES Map.");
+        OIC_LOG_V(DEBUG, TAG, "%s closed v1/v2 aces map.", __func__);
     }
 
-    // Close ACES Array
-    cborEncoderResult = cbor_encoder_close_container(&aclListMap, &acesArray);
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing ACES Array.");
+    // close the v1 array of ace objects
+    if (OIC_SEC_ACL_V1 == aclVersion)
+    {
+        cborEncoderResult = cbor_encoder_close_container(&aclListMap, &acesArray);
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing ACE Array.");
+        OIC_LOG_V(DEBUG, TAG, "%s closed v1 ACE array.", __func__);
+    }
+    else
+    {
+        cborEncoderResult = cbor_encoder_close_container(&aclMap, &acesArray);
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing ACE2 Array.");
+        OIC_LOG_V(DEBUG, TAG, "%s closed v2 ACE2 array.", __func__);
+    }
 
-    // Close ACLIST Map
-    cborEncoderResult = cbor_encoder_close_container(&aclMap, &aclListMap);
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing ACLIST Map.");
+    // v1 has the aclist map to close (v2 just has the array, no extra map)
+    if (OIC_SEC_ACL_V1 == aclVersion)
+    {
+        cborEncoderResult = cbor_encoder_close_container(&aclMap, &aclListMap);
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing aclist/aclist2 Map.");
+        OIC_LOG_V(DEBUG, TAG, "%s closed v1/v2 aclist/aclist2 map.", __func__);
+    }
 
     // Rownerid
     {
@@ -660,10 +914,12 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
         cborEncoderResult = cbor_encode_text_string(&aclMap, OIC_JSON_ROWNERID_NAME,
             strlen(OIC_JSON_ROWNERID_NAME));
         VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding rownerid Name.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_ROWNERID_NAME);
         ret = ConvertUuidToStr(&secAcl->rownerID, &rowner);
         VERIFY_SUCCESS(TAG, ret == OC_STACK_OK, ERROR);
         cborEncoderResult = cbor_encode_text_string(&aclMap, rowner, strlen(rowner));
-        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding rownerid Value.");
+        VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding rownerid Value.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 rowneruuid value %s.", __func__, rowner);
         OICFree(rowner);
     }
 
@@ -671,41 +927,52 @@ OCStackResult AclToCBORPayload(const OicSecAcl_t *secAcl, OicSecAclVersion_t acl
     CborEncoder rtArray;
     cborEncoderResult = cbor_encode_text_string(&aclMap, OIC_JSON_RT_NAME,
             strlen(OIC_JSON_RT_NAME));
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding RT Name Tag.");
+    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding RT Tag.");
+    OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_RT_NAME);
     cborEncoderResult = cbor_encoder_create_array(&aclMap, &rtArray, 1);
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding RT Value.");
+    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed creating RT array.");
+    OIC_LOG_V(DEBUG, TAG, "%s created %s array.", __func__, OIC_JSON_RT_NAME);
+    aclRsrcType = (OIC_SEC_ACL_V1 == aclVersion)?OIC_RSRC_TYPE_SEC_ACL:OIC_RSRC_TYPE_SEC_ACL2;
     for (size_t i = 0; i < 1; i++)
     {
-        cborEncoderResult = cbor_encode_text_string(&rtArray, OIC_RSRC_TYPE_SEC_ACL,
-                strlen(OIC_RSRC_TYPE_SEC_ACL));
+        cborEncoderResult = cbor_encode_text_string(&rtArray, aclRsrcType,
+                strlen(aclRsrcType));
         VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding RT Value.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, aclRsrcType);
     }
+    aclRsrcType = NULL;
     cborEncoderResult = cbor_encoder_close_container(&aclMap, &rtArray);
     VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing RT.");
+    OIC_LOG_V(DEBUG, TAG, "%s closed %s array.", __func__, OIC_JSON_RT_NAME);
 
     //IF-- Mandatory
     CborEncoder ifArray;
     cborEncoderResult = cbor_encode_text_string(&aclMap, OIC_JSON_IF_NAME,
              strlen(OIC_JSON_IF_NAME));
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding IF Name Tag.");
+    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding IF Name Tag.");
+    OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 %s tag.", __func__, OIC_JSON_IF_NAME);
     cborEncoderResult = cbor_encoder_create_array(&aclMap, &ifArray, 1);
-    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Addding IF Value.");
+    VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed creating IF array.");
+    OIC_LOG_V(DEBUG, TAG, "%s created %s array.", __func__, OIC_JSON_IF_NAME);
     for (size_t i = 0; i < 1; i++)
     {
         cborEncoderResult = cbor_encode_text_string(&ifArray, OC_RSRVD_INTERFACE_DEFAULT,
                 strlen(OC_RSRVD_INTERFACE_DEFAULT));
         VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Adding IF Value.");
+        OIC_LOG_V(DEBUG, TAG, "%s encoded v1/v2 IF value %s.", __func__, OC_RSRVD_INTERFACE_DEFAULT);
     }
     cborEncoderResult = cbor_encoder_close_container(&aclMap, &ifArray);
     VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing IF.");
+    OIC_LOG_V(DEBUG, TAG, "%s closed IF array.", __func__);
 
     // Close ACL Map
     cborEncoderResult = cbor_encoder_close_container(&encoder, &aclMap);
     VERIFY_CBOR_SUCCESS(TAG, cborEncoderResult, "Failed Closing ACL Map.");
+    OIC_LOG_V(DEBUG, TAG, "%s closed ACL map.", __func__);
 
     if (CborNoError == cborEncoderResult)
     {
-        OIC_LOG(DEBUG, TAG, "AclToCBORPayload Successed");
+        OIC_LOG(DEBUG, TAG, "AclToCBORPayload Succeeded");
         *size = cbor_encoder_get_buffer_size(&encoder, outPayload);
         *payload = outPayload;
         ret = OC_STACK_OK;
@@ -733,6 +1000,12 @@ exit:
         ret = OC_STACK_ERROR;
     }
 
+    if(NULL != subjectuuidstring)
+    {
+        OICFree(subjectuuidstring);
+        subjectuuidstring = NULL;
+    }
+
     return ret;
 }
 
@@ -1048,6 +1321,8 @@ exit:
 
 // This function converts CBOR format to ACL data.
 // Caller needs to invoke 'OICFree' on returned value when done using
+// TODO IOT-2220 this function is a prime example of why the SVR CBOR functions need
+// to be re-factored throughout.  It's even worse with the addition of /acl2.
 // note: This function is used in unit test hence not declared static,
 OicSecAcl_t* CBORPayloadToAcl(const uint8_t *cborPayload, const size_t size)
 {
@@ -1061,7 +1336,13 @@ OicSecAcl_t* CBORPayloadToAcl(const uint8_t *cborPayload, const size_t size)
     CborParser parser = { .end = NULL };
     CborError cborFindResult = CborNoError;
     char *tagName = NULL;
-    char *roleTagName = NULL;
+    char *subjectTag = NULL;
+    char *rMapName = NULL;
+    OicSecAclVersion_t aclistVersion = OIC_SEC_ACL_LATEST;
+    bool aclistTagJustFound = false;
+    bool aceArrayIsNextItem = false;
+    char *acName = NULL;
+    size_t readLen = 0;
 
     cbor_parser_init(cborPayload, size, 0, &parser, &aclCbor);
 
@@ -1071,7 +1352,6 @@ OicSecAcl_t* CBORPayloadToAcl(const uint8_t *cborPayload, const size_t size)
     // Enter ACL Map
     cborFindResult = cbor_value_enter_container(&aclCbor, &aclMap);
     VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering ACL Map.");
-
     while (cbor_value_is_valid(&aclMap))
     {
         size_t len = 0;
@@ -1085,375 +1365,521 @@ OicSecAcl_t* CBORPayloadToAcl(const uint8_t *cborPayload, const size_t size)
         }
         if(tagName)
         {
-            if (strcmp(tagName, OIC_JSON_ACLIST_NAME)  == 0)
+            OIC_LOG_V(DEBUG, TAG, "%s found %s tag.", __func__, tagName);
+            if (0 == strcmp(tagName, OIC_JSON_ACLIST_NAME))
+            {
+                OIC_LOG_V(DEBUG, TAG, "%s decoding v1 ACL.", __func__);
+                aclistVersion = OIC_SEC_ACL_V1;
+                aclistTagJustFound = true;
+            }
+            else if (0 == strcmp(tagName, OIC_JSON_ACLIST2_NAME))
             {
+                OIC_LOG_V(DEBUG, TAG, "%s decoding v2 ACL.", __func__);
+                aclistVersion = OIC_SEC_ACL_V2;
+                aclistTagJustFound = true;
+            }
+
+            CborValue aclistMap = { .parser = NULL, .ptr = NULL, .remaining = 0, .extra = 0, .type = 0, .flags = 0 };
+            if (aclistTagJustFound && OIC_SEC_ACL_V1 == aclistVersion)
+            {
+                aclistTagJustFound = false; // don't enter this check a second time
                 // Enter ACLIST Map
-                CborValue aclistMap = { .parser = NULL, .ptr = NULL, .remaining = 0, .extra = 0, .type = 0, .flags = 0 };
                 cborFindResult = cbor_value_enter_container(&aclMap, &aclistMap);
                 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering ACLIST Map.");
+                OIC_LOG_V(DEBUG, TAG, "%s entered 'aclist' map.", __func__);
+
+                bool parsedAcesTag = false;
 
-                while (cbor_value_is_valid(&aclistMap))
+                // aclist always contains just "aces" tag and then the array so parse the tag
+                CborType acType = cbor_value_get_type(&aclistMap);
+                if (acType == CborTextStringType)
                 {
-                    char* acName = NULL;
-                    size_t readLen = 0;
-                    CborType acType = cbor_value_get_type(&aclistMap);
-                    if (acType == CborTextStringType)
+                    cborFindResult = cbor_value_dup_text_string(&aclistMap, &acName, &readLen, NULL);
+                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Name in ACLIST Map.");
+                    cborFindResult = cbor_value_advance(&aclistMap);
+                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing Value in ACLIST Map.");
+                    if (acName)
                     {
-                        cborFindResult = cbor_value_dup_text_string(&aclistMap, &acName, &readLen, NULL);
-                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Name in ACLIST Map.");
-                        cborFindResult = cbor_value_advance(&aclistMap);
-                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing Value in ACLIST Map.");
+                        if (strcmp(acName, OIC_JSON_ACES_NAME)  == 0)
+                        {
+                            OIC_LOG_V(DEBUG, TAG, "%s found %s tag.", __func__, acName);
+                            parsedAcesTag = true;
+                        }
                     }
+                }
+                if (parsedAcesTag)
+                {
+                    aceArrayIsNextItem = true;
+                }
+                else
+                {
+                    OIC_LOG_V(WARNING, TAG, "%s expected aces tag, not found!", __func__);
+                }
 
-                    if(acName)
+            }
+            else if (aclistTagJustFound && OIC_SEC_ACL_V2 == aclistVersion)
+            {
+                aclistTagJustFound = false; // don't enter this check a second time
+                aceArrayIsNextItem = true;
+                aclistMap = aclMap;
+            }
+
+            // just found either "aclist2" or "aces" tag; time to parse array
+            if (aceArrayIsNextItem)
+            {
+                aceArrayIsNextItem = false; // don't enter this block again
+                bool aclistMapDone = false;
+                while (cbor_value_is_valid(&aclistMap) && !aclistMapDone)
+                {
+                    // Enter ACES Array
+                    CborValue acesArray = { .parser = NULL, .ptr = NULL, .remaining = 0, .extra = 0, .type = 0, .flags = 0 };
+                    cborFindResult = cbor_value_enter_container(&aclistMap, &acesArray);
+                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering ACES Array.");
+                    OIC_LOG_V(DEBUG, TAG, "%s entered ace object array.", __func__);
+
+                    // decode array of ace or ace2 objects
+                    int acesCount = 0;
+                    OIC_LOG_V(DEBUG, TAG, "%s begin decoding ace/ace2 array.", __func__);
+                    while (cbor_value_is_valid(&acesArray))
                     {
-                        if (strcmp(acName, OIC_JSON_ACES_NAME)  == 0)
+                        acesCount++;
+                        CborValue aceMap = { .parser = NULL, .ptr = NULL, .remaining = 0, .extra = 0, .type = 0, .flags = 0 };
+                        cborFindResult = cbor_value_enter_container(&acesArray, &aceMap);
+                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering ACE Map.");
+                        OIC_LOG_V(DEBUG, TAG, "%s entered %s map.", __func__,
+                            (OIC_SEC_ACL_V1 == aclistVersion)?"ace":"ace2");
+
+                        OicSecAce_t *ace = NULL;
+                        ace = (OicSecAce_t *) OICCalloc(1, sizeof(OicSecAce_t));
+                        VERIFY_NOT_NULL(TAG, ace, ERROR);
+                        LL_APPEND(acl->aces, ace);
+
+                        // parse this ACE/ACE2 object
+                        while (cbor_value_is_valid(&aceMap))
                         {
-                            // Enter ACES Array
-                            CborValue acesArray = { .parser = NULL, .ptr = NULL, .remaining = 0, .extra = 0, .type = 0, .flags = 0 };
-                            cborFindResult = cbor_value_enter_container(&aclistMap, &acesArray);
-                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering ACES Array.");
-
-                            int acesCount = 0;
-                            while (cbor_value_is_valid(&acesArray))
+                            char* name = NULL;
+                            size_t tempLen = 0;
+                            CborType aceMapType = cbor_value_get_type(&aceMap);
+                            if (aceMapType == CborTextStringType)
                             {
-                                acesCount++;
-                                CborValue aceMap = { .parser = NULL, .ptr = NULL, .remaining = 0, .extra = 0, .type = 0, .flags = 0 };
-                                cborFindResult = cbor_value_enter_container(&acesArray, &aceMap);
-                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering ACE Map.");
-
-                                OicSecAce_t *ace = NULL;
-                                ace = (OicSecAce_t *) OICCalloc(1, sizeof(OicSecAce_t));
-                                VERIFY_NOT_NULL(TAG, ace, ERROR);
-                                LL_APPEND(acl->aces, ace);
-
-                                while (cbor_value_is_valid(&aceMap))
+                                cborFindResult = cbor_value_dup_text_string(&aceMap, &name, &tempLen, NULL);
+                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Name in ACE Map.");
+                                OIC_LOG_V(DEBUG, TAG, "%s found %s tag.", __func__, name);
+                                cborFindResult = cbor_value_advance(&aceMap);
+                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing Value in ACE Map.");
+                                OIC_LOG_V(DEBUG, TAG, "%s advanced to next value.", __func__);
+                            }
+                            if (name)
+                            {
+                                // aceid
+                                if (0 == strcmp(name, OIC_JSON_ACEID_NAME))
                                 {
-                                    char* name = NULL;
-                                    size_t tempLen = 0;
-                                    CborType aceMapType = cbor_value_get_type(&aceMap);
-                                    if (aceMapType == CborTextStringType)
+                                    uint64_t tmp64;
+                                    cborFindResult = cbor_value_get_uint64(&aceMap, &tmp64);
+                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding aceid Value.");
+                                    OIC_LOG_V(DEBUG, TAG, "%s read aceid value %d.", __func__, (uint16_t)tmp64);
+                                    ace->aceid = (uint16_t)tmp64;
+                                }
+                                // subjectuuid
+                                if (0 == strcmp(name, OIC_JSON_SUBJECTID_NAME)) // ace v1
+                                {
+                                    if (cbor_value_is_text_string(&aceMap))
                                     {
-                                        cborFindResult = cbor_value_dup_text_string(&aceMap, &name, &tempLen, NULL);
-                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Name in ACE Map.");
-                                        cborFindResult = cbor_value_advance(&aceMap);
-                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing Value in ACE Map.");
+                                        char *subject = NULL;
+                                        cborFindResult = cbor_value_dup_text_string(&aceMap, &subject, &tempLen, NULL);
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding subject Value.");
+                                        if (0 == strcmp(subject, WILDCARD_RESOURCE_URI))
+                                        {
+                                            ace->subjectuuid.id[0] = '*';
+                                            ace->subjectType = OicSecAceUuidSubject;
+                                            OIC_LOG_V(DEBUG, TAG, "%s found subjectuuid wildcard = '*'.", __func__);
+                                        }
+                                        else
+                                        {
+                                            ret = ConvertStrToUuid(subject, &ace->subjectuuid);
+                                            if (OC_STACK_OK != ret)
+                                            {
+                                                cborFindResult = CborUnknownError;
+                                                free(subject);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed converting subject UUID");
+                                            }
+                                            OIC_LOG_V(DEBUG, TAG, "%s found subjectuuid = %s.", __func__, subject);
+                                            ace->subjectType = OicSecAceUuidSubject;
+                                        }
+                                        free(subject);
                                     }
-                                    if (name)
+                                }
+                                // subject
+                                if (0 == strcmp(name, OIC_JSON_SUBJECT_NAME)) // ace2
+                                {
+                                    CborValue subjectMap;
+                                    memset(&subjectMap, 0, sizeof(subjectMap));
+                                    size_t unusedLen = 0;
+
+                                    if (cbor_value_is_container(&aceMap))
                                     {
-                                        // Subject -- Mandatory
-                                        if (strcmp(name, OIC_JSON_SUBJECTID_NAME) == 0)
+                                        // next container within subject is either didtype, roletype, or conntype
+                                        cborFindResult = cbor_value_enter_container(&aceMap, &subjectMap);
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed entering subject map.");
+                                        OIC_LOG_V(DEBUG, TAG, "%s entered acl2 subject map.", __func__);
+
+                                        while (cbor_value_is_valid(&subjectMap) && cbor_value_is_text_string(&subjectMap))
                                         {
-                                            if (cbor_value_is_text_string(&aceMap))
+                                            cborFindResult = cbor_value_dup_text_string(&subjectMap, &subjectTag, &unusedLen, NULL);
+                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed getting subject type tag name");
+                                            OIC_LOG_V(DEBUG, TAG, "%s found %s tag.", __func__, subjectTag);
+                                            cborFindResult = cbor_value_advance(&subjectMap);
+                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed advancing subjectMap");
+                                            OIC_LOG_V(DEBUG, TAG, "%s advanced acl2 subject map.", __func__);
+                                            if (NULL != subjectTag)
                                             {
-                                                /* UUID-type subject */
-                                                char *subject = NULL;
-                                                cborFindResult = cbor_value_dup_text_string(&aceMap, &subject, &tempLen, NULL);
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding subject Value.");
-                                                if (strcmp(subject, WILDCARD_RESOURCE_URI) == 0)
+                                                // didtype
+                                                if (0 == strcmp(subjectTag, OIC_JSON_UUID_NAME))
                                                 {
-                                                    ace->subjectuuid.id[0] = '*';
-                                                    ace->subjectType = OicSecAceUuidSubject;
+                                                    char *subject = NULL;
+                                                    if (cbor_value_is_valid(&subjectMap) && cbor_value_is_text_string(&subjectMap))
+                                                    {
+                                                        cborFindResult = cbor_value_dup_text_string(&subjectMap, &subject, &tempLen, NULL);
+                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding subject Value.");
+                                                        OIC_LOG_V(DEBUG, TAG, "%s read UUID = %s", __func__, subject);
+                                                        ret = ConvertStrToUuid(subject, &ace->subjectuuid);
+                                                        if (OC_STACK_OK != ret)
+                                                        {
+                                                            cborFindResult = CborUnknownError;
+                                                            free(subject);
+                                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed converting subject UUID");
+                                                        }
+                                                        ace->subjectType = OicSecAceUuidSubject;
+                                                        free(subject);
+                                                    }
+                                                    else
+                                                    {
+                                                        OIC_LOG_V(WARNING, TAG, "%s uuid tag not followed by valid text string value.", __func__);
+                                                    }
                                                 }
-                                                else
+                                                // role
+                                                else if (0 == strcmp(subjectTag, OIC_JSON_ROLE_NAME))
                                                 {
-                                                    ret = ConvertStrToUuid(subject, &ace->subjectuuid);
-                                                    if (OC_STACK_OK != ret)
+                                                    ace->subjectType = OicSecAceRoleSubject;
+                                                    char *roleId = NULL;
+                                                    cborFindResult = cbor_value_dup_text_string(&subjectMap, &roleId, &unusedLen, NULL);
+                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed getting role id value");
+                                                    if (strlen(roleId) >= sizeof(ace->subjectRole.id))
                                                     {
                                                         cborFindResult = CborUnknownError;
-                                                        free(subject);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed converting subject UUID");
+                                                        free(roleId);
+                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Role ID is too long");
                                                     }
-                                                    ace->subjectType = OicSecAceUuidSubject;
+                                                    OICStrcpy(ace->subjectRole.id, sizeof(ace->subjectRole.id), roleId);
+                                                    free(roleId);
                                                 }
-                                                free(subject);
-                                            }
-                                            else if (cbor_value_is_container(&aceMap))
-                                            {
-                                                /* Role subject */
-                                                size_t unusedLen = 0;
-                                                CborValue roleMap;
-                                                memset(&roleMap, 0, sizeof(roleMap));
-
-                                                cborFindResult = cbor_value_enter_container(&aceMap, &roleMap);
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed entering role map");
-
-                                                while (cbor_value_is_valid(&roleMap) && cbor_value_is_text_string(&roleMap))
+                                                // authority
+                                                else if (0 == strcmp(subjectTag, OIC_JSON_AUTHORITY_NAME))
                                                 {
-                                                    cborFindResult = cbor_value_dup_text_string(&roleMap, &roleTagName, &unusedLen, NULL);
-                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed getting role map tag name");
-                                                    cborFindResult = cbor_value_advance(&roleMap);
-                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed advancing role map");
-
-                                                    if (NULL != roleTagName)
+                                                    ace->subjectType = OicSecAceRoleSubject;
+                                                    char *authorityName = NULL;
+                                                    cborFindResult = cbor_value_dup_text_string(&subjectMap, &authorityName, &unusedLen, NULL);
+                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed getting role authority value");
+                                                    if (strlen(authorityName) >= sizeof(ace->subjectRole.authority))
                                                     {
-                                                        if (strcmp(roleTagName, OIC_JSON_ROLE_NAME) == 0)
-                                                        {
-                                                            char *roleId = NULL;
-                                                            cborFindResult = cbor_value_dup_text_string(&roleMap, &roleId, &unusedLen, NULL);
-                                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed getting role id value");
-                                                            if (strlen(roleId) >= sizeof(ace->subjectRole.id))
-                                                            {
-                                                                cborFindResult = CborUnknownError;
-                                                                free(roleId);
-                                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Role ID is too long");
-                                                            }
-                                                            OICStrcpy(ace->subjectRole.id, sizeof(ace->subjectRole.id), roleId);
-                                                            free(roleId);
-                                                        }
-                                                        else if (strcmp(roleTagName, OIC_JSON_AUTHORITY_NAME) == 0)
-                                                        {
-                                                            char *authorityName = NULL;
-                                                            cborFindResult = cbor_value_dup_text_string(&roleMap, &authorityName, &unusedLen, NULL);
-                                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed getting role authority value");
-                                                            if (strlen(authorityName) >= sizeof(ace->subjectRole.authority))
-                                                            {
-                                                                cborFindResult = CborUnknownError;
-                                                                free(authorityName);
-                                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Authority name is too long");
-                                                            }
-                                                            OICStrcpy(ace->subjectRole.authority, sizeof(ace->subjectRole.authority), authorityName);
-                                                            free(authorityName);
-                                                        }
-                                                        else
-                                                        {
-                                                            OIC_LOG_V(WARNING, TAG, "Unknown tag name in role map: %s", roleTagName);
-                                                        }
-
-                                                        free(roleTagName);
-                                                        roleTagName = NULL;
+                                                        cborFindResult = CborUnknownError;
+                                                        free(authorityName);
+                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Authority name is too long");
                                                     }
-
-                                                    if (cbor_value_is_valid(&roleMap))
+                                                    OICStrcpy(ace->subjectRole.authority, sizeof(ace->subjectRole.authority), authorityName);
+                                                    ace->subjectType = OicSecAceRoleSubject;
+                                                    free(authorityName);
+                                                }
+                                                // conntype
+                                                else if (0 == strcmp(subjectTag, OIC_JSON_CONNTYPE_NAME))
+                                                {
+                                                    char *conntype = NULL;
+                                                    cborFindResult = cbor_value_dup_text_string(&subjectMap, &conntype, &unusedLen, NULL);
+                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed getting conntype value");
+                                                    OIC_LOG_V(DEBUG, TAG, "%s read conntype value %s.", __func__, conntype);
+                                                    if (0 == strcmp(conntype, OIC_JSON_AUTHCRYPT_NAME))
+                                                    {
+                                                        ace->subjectConn = AUTH_CRYPT;
+                                                    }
+                                                    else if (0 == strcmp(conntype, OIC_JSON_ANONCLEAR_NAME))
+                                                    {
+                                                        ace->subjectConn = ANON_CLEAR;
+                                                    }
+                                                    else
                                                     {
-                                                        cborFindResult = cbor_value_advance(&roleMap);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed advancing role map");
+                                                        cborFindResult = CborUnknownError;
+                                                        free(conntype);
+                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "conntype value not recognized.");
                                                     }
+                                                    ace->subjectType = OicSecAceConntypeSubject;
+                                                    free(conntype);
+                                                }
+                                                else
+                                                {
+                                                    OIC_LOG_V(WARNING, TAG, "Unknown tag in subject map: %s", subjectTag);
                                                 }
+                                            }
 
-                                                /* Make sure at least the id is present. */
+                                            // If roletype, make sure at least the id is present.
+                                            if(OicSecAceRoleSubject == ace->subjectType)
+                                            {
                                                 if ('\0' == ace->subjectRole.id[0])
                                                 {
                                                     cborFindResult = CborUnknownError;
                                                     VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "ID for role was not present in role map");
                                                 }
-
-                                                ace->subjectType = OicSecAceRoleSubject;
                                             }
-                                            else
+
+                                            // advance to next elt in subject map
+                                            if (cbor_value_is_valid(&subjectMap))
                                             {
-                                                cborFindResult = CborUnknownError;
-                                                OIC_LOG_V(ERROR, TAG, "Unknown subject value type: %d", cbor_value_get_type(&aceMap));
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Type of subject value was not expected");
+                                                cborFindResult = cbor_value_advance(&subjectMap);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed advancing subject map");
+                                                OIC_LOG_V(DEBUG, TAG, "%s advanced ace2 subject map.", __func__);
                                             }
                                         }
+                                    }
+                                    else
+                                    {
+                                        cborFindResult = CborUnknownError;
+                                        OIC_LOG_V(ERROR, TAG, "Unknown subject value type: %d", cbor_value_get_type(&aceMap));
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Type of subject value was not expected");
+                                    }
+                                }
 
-                                        // Resources -- Mandatory
-                                        if (strcmp(name, OIC_JSON_RESOURCES_NAME) == 0)
-                                        {
-                                            CborValue resources = { .parser = NULL };
-                                            cborFindResult = cbor_value_enter_container(&aceMap, &resources);
-                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering a Resource Array.");
+                                // Resources -- Mandatory
+                                if (0 == strcmp(name, OIC_JSON_RESOURCES_NAME))
+                                {
+                                    CborValue resources = { .parser = NULL };
+                                    cborFindResult = cbor_value_enter_container(&aceMap, &resources);
+                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering a Resource Array.");
+                                    OIC_LOG_V(DEBUG, TAG, "%s entered resources array.", __func__);
+                                    int resourceCount = 0;
 
-                                            while (cbor_value_is_valid(&resources))
+                                    while (cbor_value_is_valid(&resources))
+                                    {
+                                        // rMap is the map of the current Resource being decoded
+                                        CborValue rMap = { .parser = NULL  };
+                                        cborFindResult = cbor_value_enter_container(&resources, &rMap);
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering Resource Map");
+                                        resourceCount++;
+                                        OIC_LOG_V(DEBUG, TAG, "%s entered resource map for resource #%d.", __func__, resourceCount);
+
+                                        OicSecRsrc_t* rsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
+                                        VERIFY_NOT_NULL(TAG, rsrc, ERROR);
+                                        LL_APPEND(ace->resources, rsrc);
+
+                                        while(cbor_value_is_valid(&rMap))
+                                        {
+                                            if (NULL != rMapName)
                                             {
-                                                // rMap
-                                                CborValue rMap = { .parser = NULL  };
-                                                cborFindResult = cbor_value_enter_container(&resources, &rMap);
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering Resource Map");
-
-                                                OicSecRsrc_t* rsrc = (OicSecRsrc_t*)OICCalloc(1, sizeof(OicSecRsrc_t));
-                                                VERIFY_NOT_NULL(TAG, rsrc, ERROR);
-                                                LL_APPEND(ace->resources, rsrc);
-
-                                                while(cbor_value_is_valid(&rMap))
-                                                {
-                                                    char *rMapName = NULL;
-                                                    size_t rMapNameLen = 0;
-                                                    cborFindResult = cbor_value_dup_text_string(&rMap, &rMapName, &rMapNameLen, NULL);
-                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding RMap Data Name Tag.");
-                                                    cborFindResult = cbor_value_advance(&rMap);
-                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding RMap Data Value.");
-
-                                                    // "href"
-                                                    if (0 == strcmp(OIC_JSON_HREF_NAME, rMapName))
-                                                    {
-                                                        cborFindResult = cbor_value_dup_text_string(&rMap, &rsrc->href, &tempLen, NULL);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Href Value.");
-                                                    }
-
-                                                    // "rt"
-                                                    if (0 == strcmp(OIC_JSON_RT_NAME, rMapName) && cbor_value_is_array(&rMap))
-                                                    {
-                                                        cbor_value_get_array_length(&rMap, &rsrc->typeLen);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding RT array length.");
-                                                        VERIFY_SUCCESS(TAG, (0 != rsrc->typeLen), ERROR);
-
-                                                        rsrc->types = (char**)OICCalloc(rsrc->typeLen, sizeof(char*));
-                                                        VERIFY_NOT_NULL(TAG, rsrc->types, ERROR);
+                                                free(rMapName);
+                                                rMapName = NULL;
+                                            }
+                                            size_t rMapNameLen = 0;
+                                            cborFindResult = cbor_value_dup_text_string(&rMap, &rMapName, &rMapNameLen, NULL);
+                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding RMap Data Name Tag.");
+                                            OIC_LOG_V(DEBUG, TAG, "%s found %s tag in resource #%d map.", __func__, rMapName, resourceCount);
+                                            cborFindResult = cbor_value_advance(&rMap);
+                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed advancing RMap Data Value.");
+                                            OIC_LOG_V(DEBUG, TAG, "%s advanced resource map.", __func__);
 
-                                                        CborValue resourceTypes;
-                                                        cborFindResult = cbor_value_enter_container(&rMap, &resourceTypes);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering RT Array.");
+                                            // "href"
+                                            if (0 == strcmp(OIC_JSON_HREF_NAME, rMapName))
+                                            {
+                                                cborFindResult = cbor_value_dup_text_string(&rMap, &rsrc->href, &tempLen, NULL);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Href Value.");
+                                                OIC_LOG_V(DEBUG, TAG, "%s found href = %s.", __func__, rsrc->href);
+                                            }
 
-                                                        for(size_t i = 0; cbor_value_is_valid(&resourceTypes) && cbor_value_is_text_string(&resourceTypes); i++)
-                                                        {
-                                                            cborFindResult = cbor_value_dup_text_string(&resourceTypes, &(rsrc->types[i]), &readLen, NULL);
-                                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding resource type.");
-                                                            cborFindResult = cbor_value_advance(&resourceTypes);
-                                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing resource type.");
-                                                        }
-                                                    }
+                                            // "rt"
+                                            if (0 == strcmp(OIC_JSON_RT_NAME, rMapName) && cbor_value_is_array(&rMap))
+                                            {
+                                                cbor_value_get_array_length(&rMap, &rsrc->typeLen);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding RT array length.");
+                                                VERIFY_SUCCESS(TAG, (0 != rsrc->typeLen), ERROR);
 
-                                                    // "if"
-                                                    if (0 == strcmp(OIC_JSON_IF_NAME, rMapName) && cbor_value_is_array(&rMap))
-                                                    {
-                                                        cbor_value_get_array_length(&rMap, &rsrc->interfaceLen);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding IF array length.");
-                                                        VERIFY_SUCCESS(TAG, (0 != rsrc->interfaceLen), ERROR);
+                                                rsrc->types = (char**)OICCalloc(rsrc->typeLen, sizeof(char*));
+                                                VERIFY_NOT_NULL(TAG, rsrc->types, ERROR);
 
-                                                        rsrc->interfaces = (char**)OICCalloc(rsrc->interfaceLen, sizeof(char*));
-                                                        VERIFY_NOT_NULL(TAG, rsrc->interfaces, ERROR);
+                                                CborValue resourceTypes;
+                                                cborFindResult = cbor_value_enter_container(&rMap, &resourceTypes);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering RT Array.");
 
-                                                        CborValue interfaces;
-                                                        cborFindResult = cbor_value_enter_container(&rMap, &interfaces);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering IF Array.");
+                                                for(size_t i = 0; cbor_value_is_valid(&resourceTypes) && cbor_value_is_text_string(&resourceTypes); i++)
+                                                {
+                                                    cborFindResult = cbor_value_dup_text_string(&resourceTypes, &(rsrc->types[i]), &readLen, NULL);
+                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding resource type.");
+                                                    OIC_LOG_V(DEBUG, TAG, "%s found rt = %s.", __func__, rsrc->types[i]);
+                                                    cborFindResult = cbor_value_advance(&resourceTypes);
+                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing resource type.");
+                                                }
+                                            }
 
-                                                        for(size_t i = 0; cbor_value_is_valid(&interfaces) && cbor_value_is_text_string(&interfaces); i++)
-                                                        {
-                                                            cborFindResult = cbor_value_dup_text_string(&interfaces, &(rsrc->interfaces[i]), &readLen, NULL);
-                                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding IF type.");
-                                                            cborFindResult = cbor_value_advance(&interfaces);
-                                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing IF type.");
-                                                        }
-                                                    }
+                                            // "if"
+                                            if (0 == strcmp(OIC_JSON_IF_NAME, rMapName) && cbor_value_is_array(&rMap))
+                                            {
+                                                cbor_value_get_array_length(&rMap, &rsrc->interfaceLen);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding IF array length.");
+                                                VERIFY_SUCCESS(TAG, (0 != rsrc->interfaceLen), ERROR);
 
-                                                    // "rel"
-                                                    if (0 == strcmp(OIC_JSON_REL_NAME, rMapName))
-                                                    {
-                                                        cborFindResult = cbor_value_dup_text_string(&rMap, &rsrc->rel, &tempLen, NULL);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding REL Value.");
-                                                    }
+                                                rsrc->interfaces = (char**)OICCalloc(rsrc->interfaceLen, sizeof(char*));
+                                                VERIFY_NOT_NULL(TAG, rsrc->interfaces, ERROR);
 
-                                                    if (cbor_value_is_valid(&rMap))
-                                                    {
-                                                        cborFindResult = cbor_value_advance(&rMap);
-                                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing Rlist Map.");
-                                                    }
-                                                    OICFree(rMapName);
-                                                }
+                                                CborValue interfaces;
+                                                cborFindResult = cbor_value_enter_container(&rMap, &interfaces);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Entering IF Array.");
 
-                                                if (cbor_value_is_valid(&resources))
+                                                for(size_t i = 0; cbor_value_is_valid(&interfaces) && cbor_value_is_text_string(&interfaces); i++)
                                                 {
-                                                    cborFindResult = cbor_value_advance(&resources);
-                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing Resource Array.");
+                                                    cborFindResult = cbor_value_dup_text_string(&interfaces, &(rsrc->interfaces[i]), &readLen, NULL);
+                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding IF type.");
+                                                    OIC_LOG_V(DEBUG, TAG, "%s found if = %s.", __func__, rsrc->interfaces[i]);
+                                                    cborFindResult = cbor_value_advance(&interfaces);
+                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing IF type.");
                                                 }
                                             }
+
+                                            // "rel"
+                                            if (0 == strcmp(OIC_JSON_REL_NAME, rMapName))
+                                            {
+                                                cborFindResult = cbor_value_dup_text_string(&rMap, &rsrc->rel, &tempLen, NULL);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding REL Value.");
+                                                OIC_LOG_V(DEBUG, TAG, "%s found rel = %s.", __func__, rsrc->rel);
+                                            }
+
+                                            if (cbor_value_is_valid(&rMap))
+                                            {
+                                                cborFindResult = cbor_value_advance(&rMap);
+                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing rMap.");
+                                                OIC_LOG_V(DEBUG, TAG, "%s advanced rMap.", __func__);
+                                            }
                                         }
 
-                                        // Permissions -- Mandatory
-                                        if (strcmp(name, OIC_JSON_PERMISSION_NAME) == 0)
+                                        OIC_LOG_V(DEBUG, TAG, "%s finished decoding resource #%d.", __func__, resourceCount);
+
+                                        if (cbor_value_is_valid(&resources))
                                         {
-                                            uint64_t tmp64;
-                                            cborFindResult = cbor_value_get_uint64(&aceMap, &tmp64);
-                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a PERM Value.");
-                                            ace->permission = (uint16_t)tmp64;
+                                            cborFindResult = cbor_value_advance(&resources);
+                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing Resource Array.");
+                                            OIC_LOG_V(DEBUG, TAG, "%s advanced resources map.", __func__);
                                         }
+                                    }
+                                } // end resources decoding
 
-                                        // TODO: Need to verfication for validity
-                                        // Validity -- Not mandatory
-                                        if(strcmp(name, OIC_JSON_VALIDITY_NAME) == 0)
-                                        {
-                                            CborValue validitiesMap = {.parser = NULL};
-                                            size_t validitySize = 0;
+                                // Permissions -- Mandatory
+                                if (strcmp(name, OIC_JSON_PERMISSION_NAME) == 0)
+                                {
+                                    uint64_t tmp64;
+                                    cborFindResult = cbor_value_get_uint64(&aceMap, &tmp64);
+                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a PERM Value.");
+                                    ace->permission = (uint16_t)tmp64;
+                                    OIC_LOG_V(DEBUG, TAG, "%s found permission = %d.", __func__, ace->permission);
+                                }
 
-                                            cborFindResult = cbor_value_get_array_length(&aceMap, &validitySize);
-                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a Validity Array Length.");
+                                // TODO: Need to verfication for validity
+                                // Validity -- Not mandatory
+                                if(strcmp(name, OIC_JSON_VALIDITY_NAME) == 0)
+                                {
+                                    CborValue validitiesMap = {.parser = NULL};
+                                    size_t validitySize = 0;
 
-                                            cborFindResult = cbor_value_enter_container(&aceMap, &validitiesMap);
-                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a validity Array Map.");
+                                    cborFindResult = cbor_value_get_array_length(&aceMap, &validitySize);
+                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a Validity Array Length.");
 
-                                            while(cbor_value_is_valid(&validitiesMap))
-                                            {
-                                                OicSecValidity_t* validity = (OicSecValidity_t*)OICCalloc(1, sizeof(OicSecValidity_t));
-                                                VERIFY_NOT_NULL(TAG, validity, ERROR);
-                                                LL_APPEND(ace->validities, validity);
+                                    cborFindResult = cbor_value_enter_container(&aceMap, &validitiesMap);
+                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a validity Array Map.");
 
-                                                CborValue validityMap  = {.parser = NULL};
+                                    while(cbor_value_is_valid(&validitiesMap))
+                                    {
+                                        OicSecValidity_t* validity = (OicSecValidity_t*)OICCalloc(1, sizeof(OicSecValidity_t));
+                                        VERIFY_NOT_NULL(TAG, validity, ERROR);
+                                        LL_APPEND(ace->validities, validity);
+
+                                        CborValue validityMap  = {.parser = NULL};
                                                 //period (string)
-                                                cborFindResult = cbor_value_enter_container(&validitiesMap, &validityMap);
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a validity Map.");
+                                        cborFindResult = cbor_value_enter_container(&validitiesMap, &validityMap);
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a validity Map.");
 
-                                                size_t vmLen = 0;
-                                                cborFindResult =cbor_value_dup_text_string(&validityMap, &validity->period, &vmLen, NULL);
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a Period value.");
+                                        size_t vmLen = 0;
+                                        cborFindResult =cbor_value_dup_text_string(&validityMap, &validity->period, &vmLen, NULL);
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a Period value.");
 
                                                 //recurrence (string array)
-                                                CborValue recurrenceMap  = {.parser = NULL};
-                                                cborFindResult = cbor_value_enter_container(&validityMap, &recurrenceMap);
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a recurrence array.");
+                                        CborValue recurrenceMap  = {.parser = NULL};
+                                        cborFindResult = cbor_value_enter_container(&validityMap, &recurrenceMap);
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a recurrence array.");
 
-                                                cborFindResult = cbor_value_get_array_length(&recurrenceMap, &validity->recurrenceLen);
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Adding Recurrence Array.");
+                                        cborFindResult = cbor_value_get_array_length(&recurrenceMap, &validity->recurrenceLen);
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Adding Recurrence Array.");
 
-                                                validity->recurrences = (char**)OICCalloc(validity->recurrenceLen, sizeof(char*));
-                                                VERIFY_NOT_NULL(TAG, validity->recurrences, ERROR);
+                                        validity->recurrences = (char**)OICCalloc(validity->recurrenceLen, sizeof(char*));
+                                        VERIFY_NOT_NULL(TAG, validity->recurrences, ERROR);
 
-                                                for(size_t i = 0; cbor_value_is_text_string(&recurrenceMap) && i < validity->recurrenceLen; i++)
-                                                {
-                                                    cborFindResult = cbor_value_dup_text_string(&recurrenceMap, &validity->recurrences[i], &vmLen, NULL);
-                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a recurrence Value.");
-
-                                                    cborFindResult = cbor_value_advance(&recurrenceMap);
-                                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing a recurrences Array.");
-                                                }
+                                        for(size_t i = 0; cbor_value_is_text_string(&recurrenceMap) && i < validity->recurrenceLen; i++)
+                                        {
+                                            cborFindResult = cbor_value_dup_text_string(&recurrenceMap, &validity->recurrences[i], &vmLen, NULL);
+                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding a recurrence Value.");
 
-                                                cborFindResult = cbor_value_advance(&validitiesMap);
-                                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing a validities Array.");
-                                            }
+                                            cborFindResult = cbor_value_advance(&recurrenceMap);
+                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing a recurrences Array.");
                                         }
 
-#ifdef MULTIPLE_OWNER
-                                        // eowner uuid -- Not Mandatory
-                                        if (strcmp(name, OIC_JSON_EOWNERID_NAME)  == 0)
-                                        {
-                                            char *eowner = NULL;
-                                            cborFindResult = cbor_value_dup_text_string(&aceMap, &eowner, &tempLen, NULL);
-                                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding eownerId Value.");
-                                            if(NULL == ace->eownerID)
-                                            {
-                                                ace->eownerID = (OicUuid_t*)OICCalloc(1, sizeof(OicUuid_t));
-                                                VERIFY_NOT_NULL(TAG, ace->eownerID, ERROR);
-                                            }
-                                            ret = ConvertStrToUuid(eowner, ace->eownerID);
-                                            OICFree(eowner);
-                                            VERIFY_SUCCESS(TAG, OC_STACK_OK == ret , ERROR);
-                                        }
-#endif //MULTIPLE_OWNER
-                                        OICFree(name);
+                                        cborFindResult = cbor_value_advance(&validitiesMap);
+                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing a validities Array.");
                                     }
-
-                                    if (aceMapType != CborMapType && cbor_value_is_valid(&aceMap))
+                                }
+#ifdef MULTIPLE_OWNER
+                                // eowner uuid -- Not Mandatory
+                                if (strcmp(name, OIC_JSON_EOWNERID_NAME)  == 0)
+                                {
+                                    char *eowner = NULL;
+                                    cborFindResult = cbor_value_dup_text_string(&aceMap, &eowner, &tempLen, NULL);
+                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding eownerId Value.");
+                                    if(NULL == ace->eownerID)
                                     {
-                                        cborFindResult = cbor_value_advance(&aceMap);
-                                        VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing the Array.");
+                                        ace->eownerID = (OicUuid_t*)OICCalloc(1, sizeof(OicUuid_t));
+                                        VERIFY_NOT_NULL(TAG, ace->eownerID, ERROR);
                                     }
+                                    ret = ConvertStrToUuid(eowner, ace->eownerID);
+                                    OICFree(eowner);
+                                    VERIFY_SUCCESS(TAG, OC_STACK_OK == ret , ERROR);
                                 }
+#endif //MULTIPLE_OWNER
+                                OIC_LOG_V(DEBUG, TAG, "%s finished decoding %s.", __func__, name);
+                                OICFree(name);
+                            }
 
-                                if (cbor_value_is_valid(&acesArray))
-                                {
-                                    cborFindResult = cbor_value_advance(&acesArray);
-                                    VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing ACL Array.");
-                                }
+                            if (aceMapType != CborMapType && cbor_value_is_valid(&aceMap))
+                            {
+                                cborFindResult = cbor_value_advance(&aceMap);
+                                VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing the Array.");
+                                OIC_LOG_V(DEBUG, TAG, "%s advanced aceMap.", __func__);
                             }
+                        } // end decoding ACE/ACE2 object
+
+                        OIC_LOG_V(DEBUG, TAG, "%s finished decoding ace #%d.", __func__, acesCount);
+
+                        // advance to next ACE/ACE2 object in acesArray
+                        if (cbor_value_is_valid(&acesArray))
+                        {
+                            cborFindResult = cbor_value_advance(&acesArray);
+                            VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing ACL Array.");
                         }
-                        OICFree(acName);
-                    }
+                    } // end ace array while loop
+
+                    OIC_LOG_V(DEBUG, TAG, "%s finished decoding ace/ace2 array.", __func__);
 
                     if (cbor_value_is_valid(&aclistMap))
                     {
                         cborFindResult = cbor_value_advance(&aclistMap);
                         VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing ACLIST Map.");
+                        OIC_LOG_V(DEBUG, TAG, "%s advanced aclist map.", __func__);
+                    }
+
+                    if (OIC_SEC_ACL_V2 == aclistVersion)
+                    {
+                        aclistMapDone = true;
                     }
                 }
             }
@@ -1490,8 +1916,19 @@ exit:
         acl = NULL;
     }
 
+    if(NULL != subjectTag)
+    {
+        free(subjectTag);
+        subjectTag = NULL;
+    }
+
+    if (NULL != rMapName)
+    {
+        free(rMapName);
+        rMapName = NULL;
+    }
+
     free(tagName);
-    free(roleTagName);
 
     return acl;
 }
@@ -1953,7 +2390,7 @@ static OCStackResult RemoveAllAce(void)
     OIC_LOG(INFO, TAG, "IN RemoveAllAce");
 
     //Backup the current ACL
-    ret = AclToCBORPayload(gAcl, OIC_SEC_ACL_LATEST, &aclBackup, &backupSize);
+    ret = AclToCBORPayload(gAcl, OIC_SEC_ACL_V2, &aclBackup, &backupSize);
     if(OC_STACK_OK == ret)
     {
         // Remove all ACE from ACL
@@ -1964,7 +2401,7 @@ static OCStackResult RemoveAllAce(void)
         }
 
         //Generate empty ACL payload
-        ret = AclToCBORPayload(gAcl, OIC_SEC_ACL_LATEST, &payload, &size);
+        ret = AclToCBORPayload(gAcl, OIC_SEC_ACL_V2, &payload, &size);
         if (OC_STACK_OK == ret )
         {
             //Update the PS.
@@ -2125,6 +2562,10 @@ static OCEntityHandlerResult HandleACLPostRequest(const OCEntityHandlerRequest *
         ehRet = OC_EH_NOT_ACCEPTABLE;
         goto exit;
     }
+    else
+    {
+        ehRet = OC_EH_OK;
+    }
 
     ehRet = OC_EH_OK;
 
@@ -2180,7 +2621,7 @@ static OCEntityHandlerResult HandleACLPostRequest(const OCEntityHandlerRequest *
                 size_t cborSize = 0;
                 uint8_t *cborPayload = NULL;
 
-                if (OC_STACK_OK == AclToCBORPayload(gAcl, OIC_SEC_ACL_LATEST, &cborPayload, &cborSize))
+                if (OC_STACK_OK == AclToCBORPayload(gAcl, OIC_SEC_ACL_V2, &cborPayload, &cborSize))
                 {
                     if (UpdateSecureResourceInPS(OIC_JSON_ACL_NAME, cborPayload, cborSize) == OC_STACK_OK)
                     {
@@ -2269,7 +2710,7 @@ OCEntityHandlerResult ACLEntityHandler(OCEntityHandlerFlag flag, OCEntityHandler
         switch (ehRequest->method)
         {
             case OC_REST_GET:
-                ehRet = HandleACLGetRequest(ehRequest, OIC_SEC_ACL_V1);
+                ehRet = HandleACLGetRequest(ehRequest, OIC_SEC_ACL_V2);
                 break;
 
             case OC_REST_POST:
@@ -2335,21 +2776,6 @@ static OCStackResult CreateACLResource()
 {
     OCStackResult ret;
 
-    ret = OCCreateResource(&gAclHandle,
-                           OIC_RSRC_TYPE_SEC_ACL,
-                           OC_RSRVD_INTERFACE_DEFAULT,
-                           OIC_RSRC_ACL_URI,
-                           ACLEntityHandler,
-                           NULL,
-                           OC_SECURE |
-                           OC_DISCOVERABLE);
-
-    if (OC_STACK_OK != ret)
-    {
-        OIC_LOG(FATAL, TAG, "Unable to instantiate ACL resource");
-        DeInitACLResource();
-    }
-
     ret = OCCreateResource(&gAcl2Handle,
                            OIC_RSRC_TYPE_SEC_ACL2,
                            OC_RSRVD_INTERFACE_DEFAULT,
@@ -2779,6 +3205,59 @@ const OicSecAce_t* GetACLResourceDataByRoles(const OicSecRole_t *roles, size_t r
     return NULL;
 }
 
+const OicSecAce_t* GetACLResourceDataByConntype(const OicSecConntype_t conntype, OicSecAce_t **savePtr)
+{
+    OicSecAce_t *ace = NULL;
+    OicSecAce_t *begin = NULL;
+
+    OIC_LOG_V(DEBUG, TAG, "IN: %s(%d)", __func__, conntype);
+
+    if ((NULL == savePtr) || (NULL == gAcl))
+    {
+        OIC_LOG(ERROR, TAG, "Invalid parameters to GetACLResourceDataByConntype");
+        return NULL;
+    }
+
+    // savePtr MUST point to NULL if this is the 'first' call to retrieve ACL.
+    if (NULL == *savePtr)
+    {
+        begin = gAcl->aces;
+    }
+    else
+    {
+        // If this is a 'successive' call, search for location pointed by
+        // savePtr and assign 'begin' to the next ACE after it in the linked
+        // list and start searching from there.
+        LL_FOREACH(gAcl->aces, ace)
+        {
+            if (ace == *savePtr)
+            {
+                begin = ace->next;
+            }
+        }
+    }
+
+    // Find the next ACE corresponding to the conntype, and return it.
+    LL_FOREACH(begin, ace)
+    {
+        if (OicSecAceConntypeSubject == ace->subjectType)
+        {
+            if (conntype == ace->subjectConn)
+            {
+                *savePtr = ace;
+                return ace;
+            }
+        }
+    }
+
+    // Cleanup in case no ACE is found
+    *savePtr = NULL;
+
+    OIC_LOG_V(DEBUG, TAG, "OUT: %s(%d)", __func__, conntype);
+
+    return NULL;
+}
+
 OCStackResult AppendACLObject(const OicSecAcl_t* acl)
 {
     OCStackResult ret = OC_STACK_ERROR;
@@ -2808,7 +3287,7 @@ OCStackResult AppendACLObject(const OicSecAcl_t* acl)
 
     size_t size = 0;
     uint8_t *payload = NULL;
-    ret = AclToCBORPayload(gAcl, OIC_SEC_ACL_LATEST, &payload, &size);
+    ret = AclToCBORPayload(gAcl, OIC_SEC_ACL_V2, &payload, &size);
     if (OC_STACK_OK == ret)
     {
         ret = UpdateSecureResourceInPS(OIC_JSON_ACL_NAME, payload, size);
@@ -3061,7 +3540,7 @@ OCStackResult UpdateDefaultSecProvACE()
 
                 size_t size = 0;
                 uint8_t *payload = NULL;
-                if (OC_STACK_OK == AclToCBORPayload(gAcl, OIC_SEC_ACL_LATEST, &payload, &size))
+                if (OC_STACK_OK == AclToCBORPayload(gAcl, OIC_SEC_ACL_V2, &payload, &size))
                 {
                     if (UpdateSecureResourceInPS(OIC_JSON_ACL_NAME, payload, size) == OC_STACK_OK)
                     {
@@ -3097,7 +3576,7 @@ OCStackResult SetAclRownerId(const OicUuid_t* newROwner)
         memcpy(prevId.id, gAcl->rownerID.id, sizeof(prevId.id));
         memcpy(gAcl->rownerID.id, newROwner->id, sizeof(newROwner->id));
 
-        ret = AclToCBORPayload(gAcl, OIC_SEC_ACL_LATEST, &cborPayload, &size);
+        ret = AclToCBORPayload(gAcl, OIC_SEC_ACL_V2, &cborPayload, &size);
         VERIFY_SUCCESS(TAG, OC_STACK_OK == ret, ERROR);
 
         ret = UpdateSecureResourceInPS(OIC_JSON_ACL_NAME, cborPayload, size);
index 1de78f5..ef64526 100644 (file)
@@ -633,6 +633,7 @@ static OCEntityHandlerResult HandleDpairingPutRequest (const OCEntityHandlerRequ
 
             size_t size = 0;
             uint8_t *payload = NULL;
+            // TODO IOT-2052 update to /acl2
             if (OC_STACK_OK == AclToCBORPayload(acl, OIC_SEC_ACL_V1, &payload, &size))
             {
                 AppendACL(payload, size);
index 052bed4..7ea5a2e 100644 (file)
@@ -37,6 +37,7 @@
 #include "amaclresource.h"
 #include "credresource.h"
 #include "rolesresource.h"
+#include "deviceonboardingstate.h"
 
 #define TAG "OIC_SRM_PE"
 
@@ -78,19 +79,24 @@ uint16_t GetPermissionFromCAMethod_t(const CAMethod_t method)
 static bool IsRequestFromDevOwner(SRMRequestContext_t *context)
 {
     bool retVal = false;
+    OicSecDoxm_t* doxm = NULL;
 
-    if(NULL == context)
+    if (NULL == context)
     {
-        return retVal;
+        return false;
     }
 
-    OicSecDoxm_t* doxm = (OicSecDoxm_t*) GetDoxmResourceData();
+    if (IsNilUuid(&context->subjectUuid))
+    {
+        // Nil subject is never devOwner
+        retVal = false;
+        goto exit;
+    }
+
+    doxm = (OicSecDoxm_t*) GetDoxmResourceData();
     if (doxm)
     {
         retVal = UuidCmp(&doxm->owner, &context->subjectUuid);
-        OIC_LOG_V(DEBUG, TAG, "%s: request was %s received from device owner",
-            __func__, retVal ? "" : "NOT ");
-
         if (!retVal)
         {
             OIC_LOG(DEBUG, TAG, "Owner UUID  :");
@@ -99,7 +105,9 @@ static bool IsRequestFromDevOwner(SRMRequestContext_t *context)
             OIC_LOG_BUFFER(DEBUG, TAG, (const uint8_t *)&context->subjectUuid.id, sizeof(&context->subjectUuid.id));
         }
     }
-
+exit:
+    OIC_LOG_V(DEBUG, TAG, "%s: request was %sreceived from device owner",
+            __func__, retVal ? "" : "NOT ");
     return retVal;
 }
 
@@ -144,11 +152,19 @@ static bool IsRequestFromSubOwner(SRMRequestContext_t *context)
 {
     bool retVal = false;
 
+    if (IsNilUuid(&context->subjectUuid))
+    {
+        // Nil subject is never subOwner
+        retVal = false;
+        goto exit;
+    }
+
     if (NULL != context)
     {
         retVal = IsSubOwner(&context->subjectUuid);
     }
 
+exit:
     OIC_LOG_V(INFO, TAG, "%s: returning %s", __func__, retVal ? "true" : "false");
     return retVal;
 }
@@ -230,6 +246,13 @@ bool IsRequestFromResourceOwner(SRMRequestContext_t *context)
         return false;
     }
 
+    if (IsNilUuid(&context->subjectUuid))
+    {
+        // Nil subject is never rOwner
+        retVal = false;
+        goto exit;
+    }
+
     if((OIC_R_ACL_TYPE <= context->resourceType) && \
         (OIC_SEC_SVR_TYPE_COUNT > context->resourceType))
     {
@@ -240,7 +263,7 @@ bool IsRequestFromResourceOwner(SRMRequestContext_t *context)
             retVal = UuidCmp(&context->subjectUuid, &resourceOwner);
         }
     }
-
+exit:
     OIC_LOG_V(INFO, TAG, "%s: returning %s", __func__, retVal ? "true" : "false");
     return retVal;
 }
@@ -351,7 +374,7 @@ static bool IsResourceInAce(const char *resource, const OicSecAce_t *ace)
     LL_FOREACH(ace->resources, rsrc)
     {
          if (0 == strcmp(resource, rsrc->href) || // TODO null terms?
-             0 == strcmp(WILDCARD_RESOURCE_URI, rsrc->href))
+             0 == strcmp(WILDCARD_RESOURCE_URI, rsrc->href)) // TODO IOT-2192
          {
              return true;
          }
@@ -362,14 +385,14 @@ static bool IsResourceInAce(const char *resource, const OicSecAce_t *ace)
 static void ProcessMatchingACE(SRMRequestContext_t *context, const OicSecAce_t *currentAce)
 {
     // Found the subject, so how about resource?
-    OIC_LOG_V(DEBUG, TAG, "%s:found ACE matching subject", __func__);
+    OIC_LOG_V(DEBUG, TAG, "%s: found ACE matching subject.", __func__);
 
     // Subject was found, so err changes to Rsrc not found for now.
     context->responseVal = ACCESS_DENIED_RESOURCE_NOT_FOUND;
-    OIC_LOG_V(DEBUG, TAG, "%s:Searching for resource...", __func__);
+    OIC_LOG_V(DEBUG, TAG, "%s: Searching for resource...", __func__);
     if (IsResourceInAce(context->resourceUri, currentAce))
     {
-        OIC_LOG_V(INFO, TAG, "%s:found matching resource in ACE", __func__);
+        OIC_LOG_V(INFO, TAG, "%s: found matching resource in ACE.", __func__);
 
         // Found the resource, so it's down to valid period & permission.
         context->responseVal = ACCESS_DENIED_INVALID_PERIOD;
@@ -386,13 +409,9 @@ static void ProcessMatchingACE(SRMRequestContext_t *context, const OicSecAce_t *
 }
 
 /**
- * Find ACLs containing context->subject.
- * Search each ACL for requested resource.
- * If resource found, check for context->permission and period validity.
- * If the ACL is not found locally and AMACL for the resource is found
- * then sends the request to AMS service for the ACL.
- * Set context->retVal to result from first ACL found which contains
- * correct subject AND resource.
+ * Search for an ACE that matches the Resource URI, by conntype, subjectuuid, or roles.
+ * For each matching ACE, check whether it grants permission.
+ * If any ACE grants permission, set responseVal to ACCESS_GRANTED.
  */
 static void ProcessAccessRequest(SRMRequestContext_t *context)
 {
@@ -407,65 +426,92 @@ static void ProcessAccessRequest(SRMRequestContext_t *context)
     const OicSecAce_t *currentAce = NULL;
     OicSecAce_t *aceSavePtr = NULL;
 
-    OIC_LOG_V(DEBUG, TAG, "Entering ProcessAccessRequest(%s)",
-        context->resourceUri);
-
     // Start out assuming subject not found.
     context->responseVal = ACCESS_DENIED_SUBJECT_NOT_FOUND;
 
-    // Loop through all ACLs with a matching Subject searching for the right
-    // ACL for this request.
+    // First, check for a conntype ACE that matches.
+    OicSecConntype_t conntype;
+    if (context->secureChannel)
+    {
+        conntype = AUTH_CRYPT;
+    }
+    else
+    {
+        conntype = ANON_CLEAR;
+    }
     do
     {
-        currentAce = GetACLResourceData(&context->subjectUuid, &aceSavePtr);
+        currentAce = GetACLResourceDataByConntype(conntype, &aceSavePtr);
 
         if (NULL != currentAce)
         {
+            OIC_LOG_V(DEBUG, TAG, "%s: found conntype %d match; processing for access.", __func__, conntype);
             ProcessMatchingACE(context, currentAce);
         }
         else
         {
-            OIC_LOG_V(INFO, TAG, "%s:no ACL found matching subject for resource %s",
-                __func__, context->resourceUri);
+            OIC_LOG_V(INFO, TAG, "%s:no ACL found matching conntype %d for resource %s",
+                __func__, conntype, context->resourceUri);
         }
     } while ((NULL != currentAce) && !IsAccessGranted(context->responseVal));
 
-#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
-        // If no subject ACE granted access, try role ACEs.
-        if (!IsAccessGranted(context->responseVal))
+    // If not granted via conntype, try Subject-based match.
+    if (!IsAccessGranted(context->responseVal))
+    {
+        currentAce = NULL;
+        aceSavePtr = NULL;
+        do
         {
-            currentAce = NULL;
-            aceSavePtr = NULL;
-            OicSecRole_t *roles = NULL;
-            size_t roleCount = 0;
-            OCStackResult res = GetEndpointRoles(context->endPoint, &roles, &roleCount);
-            if (OC_STACK_OK != res)
+            currentAce = GetACLResourceData(&context->subjectUuid, &aceSavePtr);
+
+            if (NULL != currentAce)
             {
-                OIC_LOG_V(ERROR, TAG, "Error getting asserted roles for endpoint: %d", res);
+                ProcessMatchingACE(context, currentAce);
             }
             else
             {
-                OIC_LOG_V(DEBUG, TAG, "Found %u asserted roles for endpoint", (unsigned int) roleCount);
-                do
-                {
-                    currentAce = GetACLResourceDataByRoles(roles, roleCount, &aceSavePtr);
-                    if (NULL != currentAce)
-                    {
-                        ProcessMatchingACE(context, currentAce);
-                    }
-                    else
-                    {
-                        OIC_LOG_V(INFO, TAG, "%s:no ACL found matching roles for resource %s",
-                            __func__, context->resourceUri);
-                    }
-                } while ((NULL != currentAce) && !IsAccessGranted(context->responseVal));
-
-                OICFree(roles);
+                OIC_LOG_V(INFO, TAG, "%s:no ACL found matching subject for resource %s",
+                    __func__, context->resourceUri);
             }
+        } while ((NULL != currentAce) && !IsAccessGranted(context->responseVal));
+    }
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+    // If no subject ACE granted access, try role ACEs.
+    if (!IsAccessGranted(context->responseVal))
+    {
+        currentAce = NULL;
+        aceSavePtr = NULL;
+        OicSecRole_t *roles = NULL;
+        size_t roleCount = 0;
+        OCStackResult res = GetEndpointRoles(context->endPoint, &roles, &roleCount);
+        if (OC_STACK_OK != res)
+        {
+            OIC_LOG_V(ERROR, TAG, "Error getting asserted roles for endpoint: %d", res);
+        }
+        else
+        {
+            OIC_LOG_V(DEBUG, TAG, "Found %u asserted roles for endpoint", (unsigned int) roleCount);
+            do
+            {
+                currentAce = GetACLResourceDataByRoles(roles, roleCount, &aceSavePtr);
+                if (NULL != currentAce)
+                {
+                    ProcessMatchingACE(context, currentAce);
+                }
+                else
+                {
+                    OIC_LOG_V(INFO, TAG, "%s:no ACL found matching roles for resource %s",
+                        __func__, context->resourceUri);
+                }
+            } while ((NULL != currentAce) && !IsAccessGranted(context->responseVal));
+
+            OICFree(roles);
         }
+    }
 #endif /* defined(__WITH_DTLS__) || defined(__WITH_TLS__) */
 
-    OIC_LOG_V(INFO, TAG, "%s:Leaving with responseVal = %s", __func__,
+    OIC_LOG_V(INFO, TAG, "%s: returning with responseVal = %s", __func__,
         IsAccessGranted(context->responseVal) ? "ACCESS_GRANTED" : "ACCESS_DENIED");
     return;
 }
@@ -476,84 +522,52 @@ void CheckPermission(SRMRequestContext_t *context)
     assert(0 != context->requestedPermission);
     assert(0 == (context->requestedPermission & ~PERMISSION_FULL_CONTROL));
 
+    context->responseVal = ACCESS_DENIED_POLICY_ENGINE_ERROR;
+
     // Before doing any ACL processing, check if request is a) coming
-    // from DevOwner AND b) the device is in Ready for OTM or Reset state
-    // (which in IoTivity is equivalent to isOp == false && owned == false)
+    // from DevOwner AND b) the device is in Ready for OTM or SRESET state
     // AND c) the request is for a SVR resource.
     // If all 3 conditions are met, grant request.
-    // TODO_IoTivity_1.3 [IOT-2023] use pstat.dos instead of these two checks.
-    bool isDeviceOwned = true; // default to value that will NOT grant access
-    bool isop = false;
-
-    context->responseVal = ACCESS_DENIED_POLICY_ENGINE_ERROR;
-
-    VERIFY_SUCCESS(TAG, OC_STACK_OK == GetPstatIsop(&isop), ERROR);
-    VERIFY_SUCCESS(TAG, OC_STACK_OK == GetDoxmIsOwned(&isDeviceOwned), ERROR);
+    OicSecDostype_t dos;
+    VERIFY_SUCCESS(TAG, OC_STACK_OK == GetDos(&dos), ERROR);
 
     // Test for implicit access.
-    if (IsRequestFromDevOwner(context) &&       // if from DevOwner
-            !isop &&                            // AND if pstat->isOp == false
-            !isDeviceOwned &&                   // AND if doxm->isOwned == false
-            (NOT_A_SVR_RESOURCE != context->resourceType)) // AND if is SVR type
+    if (IsRequestFromDevOwner(context) &&
+        ((DOS_RFOTM == dos.state) || (DOS_SRESET == dos.state)) &&
+        (NOT_A_SVR_RESOURCE != context->resourceType))
     {
-        OIC_LOG(INFO, TAG, "CheckPermission: granting access to device owner");
+        OIC_LOG_V(INFO, TAG, "%s: granting implicit access to device owner", __func__);
         context->responseVal = ACCESS_GRANTED;
     }
     // If not granted via DevOwner status and not a subowner,
-    // then check if request is for a SVR and coming from rowner
+    // then check if request is for a SVR and coming from rowner.
     else if (IsRequestFromResourceOwner(context))
     {
-        OIC_LOG(INFO, TAG, "CheckPermission: granting access to resource owner");
+        OIC_LOG_V(INFO, TAG, "%s: granting implicit access to resource owner", __func__);
         context->responseVal = ACCESS_GRANTED;
     }
-#ifdef MULTIPLE_OWNER // TODO Samsung reviewer: per above comment, should this
-                      // go above IsRequestFromResourceOwner() call, or here?
+#ifdef MULTIPLE_OWNER
     // Then check if request from SubOwner.
     else if (IsRequestFromSubOwner(context))
     {
         if (IsValidRequestFromSubOwner(context))
         {
-            OIC_LOG(INFO, TAG, "CheckPermission: granting access to device sub-owner");
+            OIC_LOG_V(INFO, TAG, "%s: granting implicit access to device sub-owner", __func__);
             context->responseVal = ACCESS_GRANTED;
         }
     }
 #endif //MULTIPLE_OWNER
-    else if (!isop &&
+    else if ((DOS_RFNOP != dos.state) &&
              (NOT_A_SVR_RESOURCE != context->resourceType) &&
              IsRequestFromOwnershipTransferSession(context))
     {
-        OIC_LOG(INFO, TAG, "CheckPermission: granting access to OT session request");
+        OIC_LOG_V(INFO, TAG, "%s: granting implicit access to OT session request", __func__);
         context->responseVal = ACCESS_GRANTED;
     }
     // Else request is a "normal" request that must be tested against ACL.
     else
     {
-        OicUuid_t saveSubjectUuid = {.id={0}};
-        // bool isSubEmpty = IsRequestSubjectEmpty(context);
-
         ProcessAccessRequest(context);
-
-        // TODO_IoTivity_1.3: ensure check order results in Union permissions
-        // If access not already granted, and requested subject != wildcard,
-        // try looking for a wildcard ACE that grants access.
-        // See JIRA ticket 1795 (https://jira.iotivity.org/browse/IOT-1795)
-        if (ACCESS_GRANTED != context->responseVal &&
-            !IsWildCardSubject(&context->subjectUuid))
-        {
-            // Save subject to restore context after wildcard subject check.
-            memcpy(&saveSubjectUuid, &context->subjectUuid,
-                sizeof(context->subjectUuid));
-
-            // Set context->subjectUuid to WILDCARD_SUBJECT_ID.
-            memset(&context->subjectUuid, 0, sizeof(context->subjectUuid));
-            memcpy(&context->subjectUuid,
-                &WILDCARD_SUBJECT_ID, sizeof(context->subjectUuid));
-            ProcessAccessRequest(context);
-
-            // Restore subjectUuid.
-            memcpy(&context->subjectUuid,
-                &saveSubjectUuid, sizeof(context->subjectUuid));
-        }
     }
 
 exit:
index d08cd11..2da87c8 100644 (file)
@@ -165,55 +165,6 @@ void SetResourceUriAndType(SRMRequestContext_t *context)
     return;
 }
 
-// Check if this request is asking to access a "sec" = true resource
-// over an unsecure channel.  This type of request is forbidden with
-// the exception of a few SVRs (see Security Specification).
-void CheckRequestForSecResourceOverUnsecureChannel(SRMRequestContext_t *context)
-{
-    OIC_LOG_V(DEBUG, TAG, "%s: secureChannel = %u, resourceType = %d, URI = %s",
-        __func__, (uint32_t)context->secureChannel,
-        context->resourceType, context->resourceUri);
-
-    // if request is over unsecure channel, check resource type
-    if (false == context->secureChannel)
-    {
-        OCResource *resPtr = FindResourceByUri(context->resourceUri);
-
-        if (NULL != resPtr)
-        {
-            OIC_LOG_V(DEBUG, TAG, "%s: OC_SECURE = %s",
-                __func__, ((resPtr->resourceProperties) & OC_SECURE) ? "true" : "false");
-
-            // All vertical secure resources and SVR resources other than
-            // DOXM & PSTAT should reject requests over unsecure channel.
-            if ((((resPtr->resourceProperties) & OC_SECURE)
-                && (context->resourceType == NOT_A_SVR_RESOURCE))
-                || ((context->resourceType < OIC_SEC_SVR_TYPE_COUNT)
-                    && (context->resourceType != OIC_R_DOXM_TYPE)
-                    && (context->resourceType != OIC_R_PSTAT_TYPE)))
-            {
-                // Reject all the requests over coap for secure resource.
-                context->responseVal = ACCESS_DENIED_SEC_RESOURCE_OVER_UNSECURE_CHANNEL;
-                context->responseInfo.result = CA_FORBIDDEN_REQ;
-                SRMSendResponse(context);
-            }
-            else
-            {
-                OIC_LOG_V(DEBUG, TAG, "%s: Allowing unsecured access", __func__);
-            }
-        }
-        else
-        {
-            // if resource not found and request is over unsecure channel, reject
-            context->responseVal = ACCESS_DENIED_SEC_RESOURCE_OVER_UNSECURE_CHANNEL;
-            context->responseInfo.result = CA_FORBIDDEN_REQ;
-            SRMSendResponse(context);
-        }
-    }
-
-    return;
-}
-
 void ClearRequestContext(SRMRequestContext_t *context)
 {
     if (NULL == context)
@@ -292,81 +243,76 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ
 
     ClearRequestContext(ctx);
 
-    if (!endPoint || !requestInfo)
+    if ((NULL == endPoint) || (NULL == requestInfo))
     {
-        OIC_LOG(ERROR, TAG, "Invalid endPoint or requestInfo; can't process.");
+        OIC_LOG_V(ERROR, TAG, "%s: Invalid endPoint or requestInfo; can't process.", __func__);
+        goto exit;
     }
-    else
-    {
-        ctx->endPoint = endPoint;
-        ctx->requestInfo = requestInfo;
-        ctx->requestedPermission = GetPermissionFromCAMethod_t(requestInfo->method);
 
-        // Copy the subjectID, truncating to 16-byte UUID (32 hex-digits).
-        // TODO IOT-1894 "Determine appropriate CA_MAX_ENDPOINT_IDENTITY_LEN"
-        ctx->subjectIdType = SUBJECT_ID_TYPE_UUID; // only supported type for now
-        memcpy(ctx->subjectUuid.id,
-            requestInfo->info.identity.id, sizeof(ctx->subjectUuid.id));
+    ctx->endPoint = endPoint;
+    ctx->requestInfo = requestInfo;
+    ctx->requestedPermission = GetPermissionFromCAMethod_t(requestInfo->method);
+
+    // Copy the subjectID, truncating to 16-byte UUID (32 hex-digits).
+    // TODO IOT-1894 "Determine appropriate CA_MAX_ENDPOINT_IDENTITY_LEN"
+    ctx->subjectIdType = SUBJECT_ID_TYPE_UUID; // only supported type for now
+    memcpy(ctx->subjectUuid.id,
+        requestInfo->info.identity.id, sizeof(ctx->subjectUuid.id));
 
 #ifndef NDEBUG // if debug build, log the ID being used for matching ACEs
-        if (SUBJECT_ID_TYPE_UUID == ctx->subjectIdType)
+    if (SUBJECT_ID_TYPE_UUID == ctx->subjectIdType)
+    {
+        char strUuid[UUID_STRING_SIZE] = "UUID_ERROR";
+        if (OCConvertUuidToString(ctx->subjectUuid.id, strUuid))
+        {
+            OIC_LOG_V(DEBUG, TAG, "ctx->subjectUuid for request: %s.", strUuid);
+        }
+        else
         {
-            char strUuid[UUID_STRING_SIZE] = "UUID_ERROR";
-            if (OCConvertUuidToString(ctx->subjectUuid.id, strUuid))
-            {
-                OIC_LOG_V(DEBUG, TAG, "ctx->subjectUuid for request: %s.", strUuid);
-            }
-            else
-            {
-                OIC_LOG(ERROR, TAG, "failed to convert ctx->subjectUuid to str.");
-            }
+            OIC_LOG(ERROR, TAG, "failed to convert ctx->subjectUuid to str.");
         }
+    }
 #endif
 
-        // Set secure channel boolean.
-        ctx->secureChannel = isRequestOverSecureChannel(ctx);
+    // Set secure channel boolean.
+    ctx->secureChannel = isRequestOverSecureChannel(ctx);
 
-        // Set resource URI and type.
-        SetResourceUriAndType(ctx);
+    // Set resource URI and type.
+    SetResourceUriAndType(ctx);
 
-        // Initialize responseInfo.
-        memcpy(&(ctx->responseInfo.info), &(requestInfo->info),
-            sizeof(ctx->responseInfo.info));
-        ctx->responseInfo.info.payload = NULL;
-        ctx->responseInfo.result = CA_INTERNAL_SERVER_ERROR;
-        ctx->responseInfo.info.dataType = CA_RESPONSE_DATA;
+    // Initialize responseInfo.
+    memcpy(&(ctx->responseInfo.info), &(requestInfo->info),
+        sizeof(ctx->responseInfo.info));
+    ctx->responseInfo.info.payload = NULL;
+    ctx->responseInfo.result = CA_INTERNAL_SERVER_ERROR;
+    ctx->responseInfo.info.dataType = CA_RESPONSE_DATA;
 
-        // Before consulting ACL, check if this is a forbidden request type.
-        CheckRequestForSecResourceOverUnsecureChannel(ctx);
 
-        // If DENIED response wasn't sent already, then it's time to check ACL.
-        if (false == ctx->responseSent)
-        {
 #ifdef MULTIPLE_OWNER // TODO Samsung: please verify that these two calls belong
                       // here inside this conditional statement.
-            // In case of ACL and CRED, The payload required to verify the payload.
-            // Payload information will be used for subowner's permission verification.
-            ctx->payload = (uint8_t*)requestInfo->info.payload;
-            ctx->payloadSize = requestInfo->info.payloadSize;
+    // In case of ACL and CRED, The payload required to verify the payload.
+    // Payload information will be used for subowner's permission verification.
+    ctx->payload = (uint8_t*)requestInfo->info.payload;
+    ctx->payloadSize = requestInfo->info.payloadSize;
 #endif //MULTIPLE_OWNER
 
-            OIC_LOG_V(DEBUG, TAG, "Processing request with uri, %s for method %d",
-                ctx->requestInfo->info.resourceUri, ctx->requestInfo->method);
-            CheckPermission(ctx);
-            OIC_LOG_V(DEBUG, TAG, "Request for permission %d received responseVal %d.",
-                ctx->requestedPermission, ctx->responseVal);
+    OIC_LOG_V(DEBUG, TAG, "Processing request with uri, %s for method %d",
+        ctx->requestInfo->info.resourceUri, ctx->requestInfo->method);
 
-            // Now that we have determined the correct response and set responseVal,
-            // we generate and send the response to the requester.
-            SRMGenerateResponse(ctx);
-        }
-    }
+    CheckPermission(ctx);
+
+    OIC_LOG_V(DEBUG, TAG, "Request for permission %d received responseVal %d.",
+        ctx->requestedPermission, ctx->responseVal);
+
+    // Now that we have determined the correct response and set responseVal,
+    // we generate and send the response to the requester.
+    SRMGenerateResponse(ctx);
 
     if (false == ctx->responseSent)
     {
         OIC_LOG(ERROR, TAG, "Exiting SRM without responding to requester!");
     }
-
+exit:
     return;
 }
 
index 3e62a62..9cfbcc3 100644 (file)
@@ -35,7 +35,9 @@ const char * OIC_RSRC_TYPE_SEC_ACL = "oic.r.acl";
 const char * OIC_RSRC_ACL_URI =  "/oic/sec/acl";
 const char * OIC_JSON_ACL_NAME = "acl";
 const char * OIC_JSON_ACLIST_NAME = "aclist";
+const char * OIC_JSON_ACLIST2_NAME = "aclist2";
 const char * OIC_JSON_ACES_NAME = "aces";
+const char * OIC_JSON_ACEID_NAME = "aceid";
 
 const char * OIC_RSRC_TYPE_SEC_ACL2 = "oic.r.acl2";
 const char * OIC_RSRC_ACL2_URI = "/oic/sec/acl2";
@@ -127,6 +129,7 @@ const char * OIC_JSON_TM_NAME = "tm";
 const char * OIC_JSON_OM_NAME = "om";
 const char * OIC_JSON_SM_NAME = "sm";
 const char * OIC_JSON_CREDID_NAME = "credid";
+const char * OIC_JSON_SUBJECT_NAME = "subject";
 const char * OIC_JSON_SUBJECTID_NAME = "subjectuuid";
 const char * OIC_JSON_ROLEID_NAME = "roleid";
 const char * OIC_JSON_ROLE_NAME = "role";
@@ -170,6 +173,14 @@ const char * OIC_JSON_SEC_V_NAME = "secv";
 const char * OIC_JSON_DOS_NAME = "dos";
 const char * OIC_JSON_S_NAME = "s";
 const char * OIC_JSON_P_NAME = "p";
+const char * OIC_JSON_UUID_NAME = "uuid";
+const char * OIC_JSON_CONNTYPE_NAME = "conntype";
+const char * OIC_JSON_AUTHCRYPT_NAME = "auth-crypt";
+const char * OIC_JSON_ANONCLEAR_NAME = "anon-clear";
+const char * OIC_JSON_WC_NAME = "wc";
+const char * OIC_JSON_WC_PLUS_NAME = "+";
+const char * OIC_JSON_WC_MINUS_NAME = "-";
+const char * OIC_JSON_WC_ASTERISK_NAME = "*";
 
 const char * OIC_JSON_EMPTY_STRING = "";
 
index 012cb30..c7cb535 100644 (file)
@@ -50,7 +50,8 @@
 
 static OicSecPstat_t* JSONToPstatBin(const char * jsonStr);
 static OicSecDoxm_t* JSONToDoxmBin(const char * jsonStr);
-static OicSecAcl_t *JSONToAclBin(const char * jsonStr);
+static OicSecAcl_t *JSONToAclBin(OicSecAclVersion_t *aclVersion,
+    const char * jsonStr);
 static OicSecAmacl_t* JSONToAmaclBin(const char * jsonStr);
 static OicSecCred_t* JSONToCredBin(const char * jsonStr);
 static OCDeviceProperties* JSONToDPBin(const char *jsonStr);
@@ -122,13 +123,14 @@ static void ConvertJsonToCBOR(const char *jsonFileName, const char *cborFileName
     jsonRoot = cJSON_Parse(jsonStr);
 
     cJSON *value = cJSON_GetObjectItem(jsonRoot, OIC_JSON_ACL_NAME);
-    //printf("ACL json : \n%s\n", cJSON_PrintUnformatted(value));
+    printf("/acl json : \n%s\n", cJSON_PrintUnformatted(value));
     size_t aclCborSize = 0;
     if (NULL != value)
     {
-        OicSecAcl_t *acl = JSONToAclBin(jsonStr);
+        OicSecAclVersion_t version = OIC_SEC_ACL_V2; // default to V2
+        OicSecAcl_t *acl = JSONToAclBin(&version, jsonStr);
         VERIFY_NOT_NULL(TAG, acl, FATAL);
-        ret = AclToCBORPayload(acl, OIC_SEC_ACL_V2, &aclCbor, &aclCborSize);
+        ret = AclToCBORPayload(acl, version, &aclCbor, &aclCborSize);
         if(OC_STACK_OK != ret)
         {
             OIC_LOG (ERROR, TAG, "Failed converting Acl to Cbor Payload");
@@ -138,8 +140,13 @@ static void ConvertJsonToCBOR(const char *jsonFileName, const char *cborFileName
         printf("ACL Cbor Size: %" PRIuPTR "\n", aclCborSize);
         DeleteACLList(acl);
     }
+    else
+    {
+        printf("JSON contains no /acl\n");
+    }
 
     value = cJSON_GetObjectItem(jsonRoot, OIC_JSON_PSTAT_NAME);
+    printf("/pstat json : \n%s\n", cJSON_PrintUnformatted(value));
     size_t pstatCborSize = 0;
     if (NULL != value)
     {
@@ -155,7 +162,13 @@ static void ConvertJsonToCBOR(const char *jsonFileName, const char *cborFileName
         printf("PSTAT Cbor Size: %" PRIuPTR "\n", pstatCborSize);
         DeletePstatBinData(pstat);
     }
+    else
+    {
+        printf("JSON contains no /pstat\n");
+    }
+
     value = cJSON_GetObjectItem(jsonRoot, OIC_JSON_DOXM_NAME);
+    printf("/doxm json : \n%s\n", cJSON_PrintUnformatted(value));
     size_t doxmCborSize = 0;
     if (NULL != value)
     {
@@ -171,7 +184,13 @@ static void ConvertJsonToCBOR(const char *jsonFileName, const char *cborFileName
         printf("DOXM Cbor Size: %" PRIuPTR "\n", doxmCborSize);
         DeleteDoxmBinData(doxm);
     }
+    else
+    {
+        printf("JSON contains no /doxm\n");
+    }
+
     value = cJSON_GetObjectItem(jsonRoot, OIC_JSON_AMACL_NAME);
+    printf("/amacl json : \n%s\n", cJSON_PrintUnformatted(value));
     size_t amaclCborSize = 0;
     if (NULL != value)
     {
@@ -187,8 +206,13 @@ static void ConvertJsonToCBOR(const char *jsonFileName, const char *cborFileName
         printf("AMACL Cbor Size: %" PRIuPTR "\n", amaclCborSize);
         DeleteAmaclList(amacl);
     }
+    else
+    {
+        printf("JSON contains no /amacl\n");
+    }
+
     value = cJSON_GetObjectItem(jsonRoot, OIC_JSON_CRED_NAME);
-    //printf("CRED json : \n%s\n", cJSON_PrintUnformatted(value));
+    printf("/cred json : \n%s\n", cJSON_PrintUnformatted(value));
     size_t credCborSize = 0;
     int secureFlag = 0;
     if (NULL != value)
@@ -205,6 +229,11 @@ static void ConvertJsonToCBOR(const char *jsonFileName, const char *cborFileName
         printf("CRED Cbor Size: %" PRIuPTR "\n", credCborSize);
         DeleteCredList(cred);
     }
+    else
+    {
+        printf("JSON contains no /cred\n");
+    }
+
     value = cJSON_GetObjectItem(jsonRoot, OC_JSON_DEVICE_PROPS_NAME);
     size_t dpCborSize = 0;
     if (NULL != value)
@@ -219,6 +248,10 @@ static void ConvertJsonToCBOR(const char *jsonFileName, const char *cborFileName
         }
         printf("Device Properties Cbor Size: %" PRIuPTR "\n", dpCborSize);
     }
+    else
+    {
+        printf("JSON contains no deviceProps\n");
+    }
 
     CborEncoder encoder;
     size_t cborSize = aclCborSize + pstatCborSize + doxmCborSize + credCborSize + amaclCborSize + dpCborSize;
@@ -310,8 +343,14 @@ exit:
     return;
 }
 
-OicSecAcl_t* JSONToAclBin(const char * jsonStr)
+OicSecAcl_t* JSONToAclBin(OicSecAclVersion_t *aclVersion, const char * jsonStr)
 {
+    printf("IN %s\n", __func__);
+    if(NULL == jsonStr)
+    {
+        return NULL;
+    }
+
     OCStackResult ret = OC_STACK_ERROR;
     OicSecAcl_t * headAcl = (OicSecAcl_t*)OICCalloc(1, sizeof(OicSecAcl_t));
     VERIFY_NOT_NULL_RETURN(TAG, headAcl, ERROR, NULL);
@@ -327,14 +366,32 @@ OicSecAcl_t* JSONToAclBin(const char * jsonStr)
 
     cJSON *jsonAclObj = NULL;
 
-    // aclist
     jsonAclObj = cJSON_GetObjectItem(jsonAclMap, OIC_JSON_ACLIST_NAME);
+    if (jsonAclObj)
+    {
+        printf("Found 'aclist' tag... resource is oic.r.acl type.\n");
+        *aclVersion = OIC_SEC_ACL_V1;
+    }
+    else
+    {
+        jsonAclObj = cJSON_GetObjectItem(jsonAclMap, OIC_JSON_ACLIST2_NAME);
+        VERIFY_NOT_NULL(TAG, jsonAclObj, ERROR);
+        printf("Found 'aclist2' tag... resource is oic.r.acl2 type.\n");
+        *aclVersion = OIC_SEC_ACL_V2;
+    }
     VERIFY_NOT_NULL(TAG, jsonAclObj, ERROR);
 
-    // aclist-aces
     cJSON *jsonAclArray = NULL;
-    jsonAclArray = cJSON_GetObjectItem(jsonAclObj, OIC_JSON_ACES_NAME);
-    VERIFY_NOT_NULL(TAG, jsonAclArray, ERROR);
+
+    if (OIC_SEC_ACL_V1 == *aclVersion) // aclist-aces
+    {
+        jsonAclArray = cJSON_GetObjectItem(jsonAclObj, OIC_JSON_ACES_NAME);
+        VERIFY_NOT_NULL(TAG, jsonAclArray, ERROR);
+    }
+    else
+    {
+        jsonAclArray = jsonAclObj;
+    }
 
     if (cJSON_Array == jsonAclArray->type)
     {
@@ -353,19 +410,73 @@ OicSecAcl_t* JSONToAclBin(const char * jsonStr)
             LL_APPEND(headAcl->aces, ace);
 
             cJSON *jsonObj = NULL;
-            jsonObj = cJSON_GetObjectItem(jsonAcl, OIC_JSON_SUBJECTID_NAME);
-            VERIFY_NOT_NULL(TAG, jsonObj, ERROR);
-            VERIFY_SUCCESS(TAG, cJSON_String == jsonObj->type, ERROR);
-            if(strcmp(jsonObj->valuestring, WILDCARD_RESOURCE_URI) == 0)
+
+            if (OIC_SEC_ACL_V2 == *aclVersion)
             {
-                ace->subjectuuid.id[0] = '*';
+                jsonObj = cJSON_GetObjectItem(jsonAcl, OIC_JSON_ACEID_NAME);
+                VERIFY_NOT_NULL(TAG, jsonObj, ERROR);
+                VERIFY_SUCCESS(TAG, cJSON_Number == jsonObj->type, ERROR);
+                VERIFY_SUCCESS(TAG, jsonObj->valueint <= UINT16_MAX, ERROR);
+                ace->aceid = (uint16_t)jsonObj->valueint;
             }
-            else
+
+            if (OIC_SEC_ACL_V1 == *aclVersion)
             {
-                ret = ConvertStrToUuid(jsonObj->valuestring, &ace->subjectuuid);
-                VERIFY_SUCCESS(TAG, OC_STACK_OK == ret, ERROR);
+                jsonObj = cJSON_GetObjectItem(jsonAcl, OIC_JSON_SUBJECTID_NAME);
+                VERIFY_NOT_NULL(TAG, jsonObj, ERROR);
+                VERIFY_SUCCESS(TAG, cJSON_String == jsonObj->type, ERROR);
+
+                if(strcmp(jsonObj->valuestring, WILDCARD_RESOURCE_URI) == 0)
+                {
+                    ace->subjectuuid.id[0] = '*';
+                }
+                else
+                {
+                    ret = ConvertStrToUuid(jsonObj->valuestring, &ace->subjectuuid);
+                    VERIFY_SUCCESS(TAG, OC_STACK_OK == ret, ERROR);
+                }
+                ace->subjectType = OicSecAceUuidSubject;
+            }
+            else // v2
+            {
+                jsonObj = cJSON_GetObjectItem(jsonAcl, OIC_JSON_SUBJECT_NAME);
+                VERIFY_NOT_NULL(TAG, jsonObj, ERROR);
+                VERIFY_SUCCESS(TAG, cJSON_Object == jsonObj->type, ERROR);
+
+                // Enter the object and get "uuid" string...
+                cJSON *uuidJson = NULL;
+                uuidJson = cJSON_GetObjectItem(jsonObj, OIC_JSON_UUID_NAME);
+                if (uuidJson) // "uuid" type
+                {
+                    VERIFY_NOT_NULL(TAG, uuidJson, ERROR);
+                    VERIFY_SUCCESS(TAG, cJSON_String == uuidJson->type, ERROR);
+                    ret = ConvertStrToUuid(uuidJson->valuestring, &ace->subjectuuid);
+                    VERIFY_SUCCESS(TAG, OC_STACK_OK == ret, ERROR);
+                    ace->subjectType = OicSecAceUuidSubject;
+                }
+                else // "conntype"
+                {
+                    cJSON *conntypeJson = NULL;
+                    conntypeJson = cJSON_GetObjectItem(jsonObj, OIC_JSON_CONNTYPE_NAME);
+                    VERIFY_NOT_NULL(TAG, conntypeJson, ERROR);
+                    VERIFY_SUCCESS(TAG, cJSON_String == conntypeJson->type, ERROR);
+                    char *connTypeStr = NULL;
+                    connTypeStr = OICStrdup(conntypeJson->valuestring);
+                    VERIFY_NOT_NULL(TAG, connTypeStr, ERROR);
+                    if (0 == strcmp(connTypeStr, OIC_JSON_ANONCLEAR_NAME))
+                    {
+                        ace->subjectConn = ANON_CLEAR;
+                        ace->subjectType = OicSecAceConntypeSubject;
+                    }
+                    else if (0 == strcmp(connTypeStr, OIC_JSON_AUTHCRYPT_NAME))
+                    {
+                        ace->subjectConn = AUTH_CRYPT;
+                        ace->subjectType = OicSecAceConntypeSubject;
+                    }
+                    VERIFY_SUCCESS(TAG, ace->subjectType == OicSecAceConntypeSubject, ERROR);
+                }
+                // */  RESUME HERE
             }
-            ace->subjectType = OicSecAceUuidSubject;
             // Resources -- Mandatory
             jsonObj = cJSON_GetObjectItem(jsonAcl, OIC_JSON_RESOURCES_NAME);
             VERIFY_NOT_NULL(TAG, jsonObj, ERROR);
@@ -553,6 +664,7 @@ exit:
         DeleteACLList(headAcl);
         headAcl = NULL;
     }
+    printf("OUT %s: %s\n", __func__, (headAcl != NULL) ? "success" : "failure");
     return headAcl;
 }
 
@@ -735,7 +847,7 @@ exit:
 
 OicSecPstat_t* JSONToPstatBin(const char * jsonStr)
 {
-    printf("IN JSONToPstatBin\n");
+    printf("IN %s\n", __func__);
     if(NULL == jsonStr)
     {
         return NULL;
index 9bffc4f..fa94659 100644 (file)
@@ -128,7 +128,7 @@ TEST(ACLResourceTest, CBORDefaultACLConversion)
     EXPECT_EQ(true, AddResourceToACE(ace, "/oic/p", "oic.wk.p", "oic.if.r"));
     EXPECT_EQ(true, AddResourceToACE(ace, "/oic/res/types/d", "oic.wk.unknow", "oic.if.r"));
     EXPECT_EQ(true, AddResourceToACE(ace, "/oic/ad", "oic.wk.ad", "oic.if.baseline"));
-    EXPECT_EQ(true, AddResourceToACE(ace, "/oic/sec/acl", "oic.r.acl", "oic.if.baseline"));
+    EXPECT_EQ(true, AddResourceToACE(ace, "/oic/sec/acl2", "oic.r.acl2", "oic.if.baseline"));
     EXPECT_EQ(true, AddResourceToACE(ace, "/oic/sec/doxm", "oic.r.doxm" ,"oic.if.baseline"));
     EXPECT_EQ(true, AddResourceToACE(ace, "/oic/sec/pstat", "oic.r.pstat" ,"oic.if.baseline"));
 
@@ -136,7 +136,7 @@ TEST(ACLResourceTest, CBORDefaultACLConversion)
 
     size_t defaultAclSize = 0;
     uint8_t *defaultPsStorage = NULL;
-    OCStackResult convRet = AclToCBORPayload(defaultAcl, OIC_SEC_ACL_LATEST, &defaultPsStorage, &defaultAclSize);
+    OCStackResult convRet = AclToCBORPayload(defaultAcl, OIC_SEC_ACL_V1, &defaultPsStorage, &defaultAclSize);
     EXPECT_EQ(OC_STACK_OK, convRet);
     ASSERT_TRUE(NULL != defaultPsStorage);
     EXPECT_NE(static_cast<size_t>(0), defaultAclSize);
@@ -188,7 +188,7 @@ TEST(ACLResourceTest, CBORACLConversion)
     EXPECT_EQ(true, AddResourceToACE(ace, "/oic/p", "oic.wk.p", "oic.if.r"));
     EXPECT_EQ(true, AddResourceToACE(ace, "/oic/res/types/d", "oic.wk.unknow", "oic.if.r"));
     EXPECT_EQ(true, AddResourceToACE(ace, "/oic/ad", "oic.wk.ad", "oic.if.baseline"));
-    EXPECT_EQ(true, AddResourceToACE(ace, "/oic/sec/acl", "oic.r.acl", "oic.if.baseline"));
+    EXPECT_EQ(true, AddResourceToACE(ace, "/oic/sec/acl2", "oic.r.acl2", "oic.if.baseline"));
     LL_APPEND(secAcl->aces, ace);
 
     OicSecAce_t *ace1 = (OicSecAce_t*)OICCalloc(1, sizeof(OicSecAce_t));
@@ -451,7 +451,7 @@ TEST(ACLResourceTest, ACLDeleteWithSingleResourceTest)
     //GET CBOR POST payload
     size_t size = 0;
     uint8_t  *payload = NULL;
-    EXPECT_EQ(OC_STACK_OK, AclToCBORPayload(&acl, OIC_SEC_ACL_LATEST, &payload, &size));
+    EXPECT_EQ(OC_STACK_OK, AclToCBORPayload(&acl, OIC_SEC_ACL_V1, &payload, &size));
     ASSERT_TRUE(NULL != payload);
 
     // Security Payload
@@ -511,7 +511,7 @@ TEST(ACLResourceTest, ACLDeleteWithMultiResourceTest)
     //GET CBOR POST payload
     size_t size = 0;
     uint8_t *payload = NULL;
-    EXPECT_EQ(OC_STACK_OK, AclToCBORPayload(&acl, OIC_SEC_ACL_LATEST, &payload, &size));
+    EXPECT_EQ(OC_STACK_OK, AclToCBORPayload(&acl, OIC_SEC_ACL_V1, &payload, &size));
     ASSERT_TRUE(NULL != payload);
 
     // Security Payload
@@ -578,7 +578,7 @@ TEST(ACLResourceTest, ACLGetWithQueryTest)
     //GET CBOR POST payload
     size_t size = 0;
     uint8_t *payload = NULL;
-    EXPECT_EQ(OC_STACK_OK, AclToCBORPayload(&acl, OIC_SEC_ACL_LATEST, &payload, &size));
+    EXPECT_EQ(OC_STACK_OK, AclToCBORPayload(&acl, OIC_SEC_ACL_V1, &payload, &size));
     ASSERT_TRUE(NULL != payload);
 
     // Security Payload
index 86434cc..025c39b 100644 (file)
Binary files a/resource/provisioning/examples/cloud.dat and b/resource/provisioning/examples/cloud.dat differ
index 31657f1..850fb8b 100644 (file)
 {
     "acl": {
-        "aclist": {
-            "aces": [
-                {
-                    "subjectuuid": "*",
-                    "resources": [
+        "aclist2": [
+            {
+                "aceid": 1,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/res",
+                        "rel": "",
+                        "rt": ["oic.wk.res"],
+                        "if": ["oic.if.ll"]
+                    },{
+                        "href": "/oic/d",
+                        "rel": "",
+                        "rt": ["oic.wk.d"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    },{
+                        "href": "/oic/p",
+                        "rel": "",
+                        "rt": ["oic.wk.p"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    }
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 2,
+                "subject": {
+                  "conntype": "auth-crypt"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/res",
+                        "rel": "",
+                        "rt": ["oic.wk.res"],
+                        "if": ["oic.if.ll"]
+                    },{
+                        "href": "/oic/d",
+                        "rel": "",
+                        "rt": ["oic.wk.d"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    },{
+                        "href": "/oic/p",
+                        "rel": "",
+                        "rt": ["oic.wk.p"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    }
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 3,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/sec/doxm",
+                        "rel": "",
+                        "rt": ["oic.r.doxm"],
+                        "if": ["oic.if.baseline"]
+                    }
+                ],
+                "permission": 6
+            },
+            {
+                "aceid": 4,
+                "subject": {
+                  "conntype": "auth-crypt"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/sec/doxm",
+                        "rel": "",
+                        "rt": ["oic.r.doxm"],
+                        "if": ["oic.if.baseline"]
+                    }
+                ],
+                "permission": 6
+            },
+            {
+                "aceid": 5,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
                         {
-                            "href": "/oic/res",
-                            "rel": "",
-                            "rt": ["oic.wk.res"],
-                            "if": ["oic.if.ll"]
-                        },{
-                            "href": "/oic/d",
+                            "href": "/oic/sec/roles",
                             "rel": "",
-                            "rt": ["oic.wk.d"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
-                        },{
-                            "href": "/oic/p",
-                            "rel": "",
-                            "rt": ["oic.wk.p"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
+                            "rt": ["oic.r.cred"],
+                            "if": ["oic.if.baseline"]
                         }
                     ],
-                    "permission": 2
+                "permission": 31
+            },
+            {
+                "aceid": 6,
+                "subject": {
+                  "conntype": "auth-crypt"
                 },
-                {
-                    "subjectuuid": "*",
-                    "resources": [
-                        {
-                            "href": "/oic/sec/doxm",
-                            "rel": "",
-                            "rt": ["oic.r.doxm"],
-                            "if": ["oic.if.baseline"]
-                        },
+                "resources": [
                         {
-                            "href": "/oic/sec/pstat",
+                            "href": "/oic/sec/roles",
                             "rel": "",
-                            "rt": ["oic.r.pstat"],
+                            "rt": ["oic.r.cred"],
                             "if": ["oic.if.baseline"]
                         }
                     ],
-                    "permission": 2
-                }
-            ]
-        },
+                "permission": 31
+            }
+        ],
         "rowneruuid" : "61646D69-6E44-6576-6963-655575696430"
     },
     "pstat": {
index 86434cc..025c39b 100644 (file)
Binary files a/resource/provisioning/examples/oic_svr_db_client.dat and b/resource/provisioning/examples/oic_svr_db_client.dat differ
index 7cf5d6e..5ae26e7 100644 (file)
 {\r
     "acl": {\r
-        "aclist": {\r
-            "aces": [\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/res",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.res"],\r
-                            "if": ["oic.if.ll"]\r
-                        },\r
-                        {\r
-                            "href": "/oic/d",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.d"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        },\r
+        "aclist2": [\r
+            {\r
+                "aceid": 1,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 2,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 3,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 4,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 5,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/p",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
-                            "rt": ["oic.wk.p"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
+                            "rt": ["oic.r.cred"],\r
+                            "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 2\r
+                "permission": 31\r
+            },\r
+            {\r
+                "aceid": 6,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/doxm",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.doxm"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/pstat",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
-                            "rt": ["oic.r.pstat"],\r
+                            "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 2\r
-                }\r
-            ]\r
-        },\r
+                "permission": 31\r
+            }\r
+        ],\r
         "rowneruuid" : "61646D69-6E44-6576-6963-655575696430"\r
     },\r
     "pstat": {\r
index 7de6747..ed0db99 100644 (file)
Binary files a/resource/provisioning/examples/oic_svr_db_subowner_client.dat and b/resource/provisioning/examples/oic_svr_db_subowner_client.dat differ
index acd4ac8..1f12fa3 100644 (file)
 {\r
     "acl": {\r
-        "aclist": {\r
-            "aces": [\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/res",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.res"],\r
-                            "if": ["oic.if.ll"]\r
-                        },{\r
-                            "href": "/oic/d",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.d"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        },{\r
-                            "href": "/oic/p",\r
-                            "rel": "",\r
-                            "rt": ["oic.wk.p"],\r
-                            "if": ["oic.if.baseline", "oic.if.r"]\r
-                        }\r
-                    ],\r
-                    "permission": 2\r
+        "aclist2": [\r
+            {\r
+                "aceid": 1,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/doxm",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.doxm"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/sec/pconf",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.pconf"],\r
+                        "if": ["oic.if.baseline"]\r
+                    },{\r
+                        "href": "/oic/sec/dpairing",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.dpairing"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 2,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/res",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.res"],\r
+                        "if": ["oic.if.ll"]\r
+                    },{\r
+                        "href": "/oic/d",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.d"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/p",\r
+                        "rel": "",\r
+                        "rt": ["oic.wk.p"],\r
+                        "if": ["oic.if.baseline", "oic.if.r"]\r
+                    },{\r
+                        "href": "/oic/sec/pconf",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.pconf"],\r
+                        "if": ["oic.if.baseline"]\r
+                    },{\r
+                        "href": "/oic/sec/dpairing",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.dpairing"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 2\r
+            },\r
+            {\r
+                "aceid": 3,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 4,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
+                },\r
+                "resources": [\r
+                    {\r
+                        "href": "/oic/sec/doxm",\r
+                        "rel": "",\r
+                        "rt": ["oic.r.doxm"],\r
+                        "if": ["oic.if.baseline"]\r
+                    }\r
+                ],\r
+                "permission": 6\r
+            },\r
+            {\r
+                "aceid": 5,\r
+                "subject": {\r
+                  "conntype": "anon-clear"\r
+                },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/pstat",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
-                            "rt": ["oic.r.pstat"],\r
+                            "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 2\r
+                "permission": 31\r
+            },\r
+            {\r
+                "aceid": 6,\r
+                "subject": {\r
+                  "conntype": "auth-crypt"\r
                 },\r
-                {\r
-                    "subjectuuid": "*",\r
-                    "resources": [\r
-                        {\r
-                            "href": "/oic/sec/pconf",\r
-                            "rel": "",\r
-                            "rt": ["oic.r.pconf"],\r
-                            "if": ["oic.if.baseline"]\r
-                        },\r
+                "resources": [\r
                         {\r
-                            "href": "/oic/sec/dpairing",\r
+                            "href": "/oic/sec/roles",\r
                             "rel": "",\r
-                            "rt": ["oic.r.dpairing"],\r
+                            "rt": ["oic.r.cred"],\r
                             "if": ["oic.if.baseline"]\r
                         }\r
                     ],\r
-                    "permission": 2\r
-                }\r
-            ]\r
-        },\r
+                "permission": 31\r
+            }\r
+        ],\r
         "rowneruuid" : "5375624F-776E-6572-436C-69656E743030"\r
     },\r
     "pstat": {\r
index 86434cc..025c39b 100644 (file)
Binary files a/service/easy-setup/sampleapp/mediator/android/EasySetup/app/src/main/assets/oic_svr_db_client.dat and b/service/easy-setup/sampleapp/mediator/android/EasySetup/app/src/main/assets/oic_svr_db_client.dat differ
index bbf2144..850fb8b 100644 (file)
 {
     "acl": {
-        "aclist": {
-            "aces": [
-                {
-                    "subjectuuid": "*",
-                    "resources": [
-                        {
-                            "href": "/oic/res",
-                            "rel": "",
-                            "rt": ["oic.wk.res"],
-                            "if": ["oic.if.ll"]
-                        },
-                        {
-                            "href": "/oic/d",
-                            "rel": "",
-                            "rt": ["oic.wk.d"],
-                            "if": ["oic.if.baseline", "oic.if.r"]
-                        },
+        "aclist2": [
+            {
+                "aceid": 1,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/res",
+                        "rel": "",
+                        "rt": ["oic.wk.res"],
+                        "if": ["oic.if.ll"]
+                    },{
+                        "href": "/oic/d",
+                        "rel": "",
+                        "rt": ["oic.wk.d"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    },{
+                        "href": "/oic/p",
+                        "rel": "",
+                        "rt": ["oic.wk.p"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    }
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 2,
+                "subject": {
+                  "conntype": "auth-crypt"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/res",
+                        "rel": "",
+                        "rt": ["oic.wk.res"],
+                        "if": ["oic.if.ll"]
+                    },{
+                        "href": "/oic/d",
+                        "rel": "",
+                        "rt": ["oic.wk.d"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    },{
+                        "href": "/oic/p",
+                        "rel": "",
+                        "rt": ["oic.wk.p"],
+                        "if": ["oic.if.baseline", "oic.if.r"]
+                    }
+                ],
+                "permission": 2
+            },
+            {
+                "aceid": 3,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/sec/doxm",
+                        "rel": "",
+                        "rt": ["oic.r.doxm"],
+                        "if": ["oic.if.baseline"]
+                    }
+                ],
+                "permission": 6
+            },
+            {
+                "aceid": 4,
+                "subject": {
+                  "conntype": "auth-crypt"
+                },
+                "resources": [
+                    {
+                        "href": "/oic/sec/doxm",
+                        "rel": "",
+                        "rt": ["oic.r.doxm"],
+                        "if": ["oic.if.baseline"]
+                    }
+                ],
+                "permission": 6
+            },
+            {
+                "aceid": 5,
+                "subject": {
+                  "conntype": "anon-clear"
+                },
+                "resources": [
                         {
-                            "href": "/oic/p",
+                            "href": "/oic/sec/roles",
                             "rel": "",
-                            "rt": ["oic.wk.p"],
-&n