Set up an kInternalDeviceAccess Auth mode to be used by internal re…

…quests when building subject descriptors (#37174) * Support a new auth mode of "internal" * Restyle * Rename kInternal to kInternalDeviceAccess --------- Co-authored-by: Andrei Litvin <[email protected]>
project-chip · Jan 31, 2025 · 6de6b50 · 6de6b50
1 parent 48ca754
commit 6de6b50
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 7 deletions.
diff --git a/examples/common/pigweed/rpc_services/Attributes.h b/examples/common/pigweed/rpc_services/Attributes.h
@@ -192,7 +192,7 @@ class Attributes : public pw_rpc::nanopb::Attributes::Service<Attributes>
             return ::pw::Status::NotFound();
         }
 
-        Access::SubjectDescriptor subjectDescriptor{ .authMode = chip::Access::AuthMode::kPase };
+        Access::SubjectDescriptor subjectDescriptor{ .authMode = chip::Access::AuthMode::kInternalDeviceAccess };
         app::DataModel::WriteAttributeRequest write_request;
         write_request.path = path;
         write_request.operationFlags.Set(app::DataModel::OperationFlags::kInternal);
@@ -343,7 +343,7 @@ class Attributes : public pw_rpc::nanopb::Attributes::Service<Attributes>
 
     ::pw::Status ReadAttributeIntoTlvBuffer(const app::ConcreteAttributePath & path, MutableByteSpan & tlvBuffer)
     {
-        Access::SubjectDescriptor subjectDescriptor{ .authMode = chip::Access::AuthMode::kPase };
+        Access::SubjectDescriptor subjectDescriptor{ .authMode = chip::Access::AuthMode::kInternalDeviceAccess };
         app::AttributeReportIBs::Builder attributeReports;
         TLV::TLVWriter writer;
         TLV::TLVType outer;

diff --git a/src/access/AccessControl.cpp b/src/access/AccessControl.cpp
@@ -98,6 +98,8 @@ char GetAuthModeStringForLogging(AuthMode authMode)
     {
     case AuthMode::kNone:
         return 'n';
+    case AuthMode::kInternalDeviceAccess:
+        return 'i';
     case AuthMode::kPase:
         return 'p';
     case AuthMode::kCase:

diff --git a/src/access/AuthMode.h b/src/access/AuthMode.h
@@ -27,10 +27,11 @@ namespace Access {
 // Auth mode should have only one value expressed, which should not be None.
 enum class AuthMode : uint8_t
 {
-    kNone  = 0,
-    kPase  = 1 << 5,
-    kCase  = 1 << 6,
-    kGroup = 1 << 7
+    kNone                 = 0,
+    kInternalDeviceAccess = 1 << 4, // Not part of an external interaction
+    kPase                 = 1 << 5,
+    kCase                 = 1 << 6,
+    kGroup                = 1 << 7
 };
 
 } // namespace Access

diff --git a/src/app/dynamic_server/AccessControl.cpp b/src/app/dynamic_server/AccessControl.cpp
@@ -63,7 +63,8 @@ class AccessControlDelegate : public Access::AccessControl::Delegate
             return CHIP_ERROR_ACCESS_DENIED;
         }
 
-        if (subjectDescriptor.authMode != AuthMode::kCase && subjectDescriptor.authMode != AuthMode::kPase)
+        if (subjectDescriptor.authMode != AuthMode::kCase && subjectDescriptor.authMode != AuthMode::kPase &&
+            subjectDescriptor.authMode != AuthMode::kInternalDeviceAccess)
         {
             // No idea who is asking; deny for now.
             return CHIP_ERROR_ACCESS_DENIED;