From 6de6b5078cbc9fc5d8b9315d39cd11dad17188ad Mon Sep 17 00:00:00 2001 From: Andrei Litvin Date: Fri, 31 Jan 2025 12:21:10 -0500 Subject: [PATCH] Set up an `kInternalDeviceAccess` Auth mode to be used by internal requests when building subject descriptors (#37174) * Support a new auth mode of "internal" * Restyle * Rename kInternal to kInternalDeviceAccess --------- Co-authored-by: Andrei Litvin --- examples/common/pigweed/rpc_services/Attributes.h | 4 ++-- src/access/AccessControl.cpp | 2 ++ src/access/AuthMode.h | 9 +++++---- src/app/dynamic_server/AccessControl.cpp | 3 ++- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/examples/common/pigweed/rpc_services/Attributes.h b/examples/common/pigweed/rpc_services/Attributes.h index cfbb400ae2f7f2..eff2af5d66db31 100644 --- a/examples/common/pigweed/rpc_services/Attributes.h +++ b/examples/common/pigweed/rpc_services/Attributes.h @@ -192,7 +192,7 @@ class Attributes : public pw_rpc::nanopb::Attributes::Service return ::pw::Status::NotFound(); } - Access::SubjectDescriptor subjectDescriptor{ .authMode = chip::Access::AuthMode::kPase }; + Access::SubjectDescriptor subjectDescriptor{ .authMode = chip::Access::AuthMode::kInternalDeviceAccess }; app::DataModel::WriteAttributeRequest write_request; write_request.path = path; write_request.operationFlags.Set(app::DataModel::OperationFlags::kInternal); @@ -343,7 +343,7 @@ class Attributes : public pw_rpc::nanopb::Attributes::Service ::pw::Status ReadAttributeIntoTlvBuffer(const app::ConcreteAttributePath & path, MutableByteSpan & tlvBuffer) { - Access::SubjectDescriptor subjectDescriptor{ .authMode = chip::Access::AuthMode::kPase }; + Access::SubjectDescriptor subjectDescriptor{ .authMode = chip::Access::AuthMode::kInternalDeviceAccess }; app::AttributeReportIBs::Builder attributeReports; TLV::TLVWriter writer; TLV::TLVType outer; diff --git a/src/access/AccessControl.cpp b/src/access/AccessControl.cpp index ba149a6a225b54..a223d250529dda 100644 --- a/src/access/AccessControl.cpp +++ b/src/access/AccessControl.cpp @@ -98,6 +98,8 @@ char GetAuthModeStringForLogging(AuthMode authMode) { case AuthMode::kNone: return 'n'; + case AuthMode::kInternalDeviceAccess: + return 'i'; case AuthMode::kPase: return 'p'; case AuthMode::kCase: diff --git a/src/access/AuthMode.h b/src/access/AuthMode.h index c5a2d76820855a..eadaec1d1da9cf 100644 --- a/src/access/AuthMode.h +++ b/src/access/AuthMode.h @@ -27,10 +27,11 @@ namespace Access { // Auth mode should have only one value expressed, which should not be None. enum class AuthMode : uint8_t { - kNone = 0, - kPase = 1 << 5, - kCase = 1 << 6, - kGroup = 1 << 7 + kNone = 0, + kInternalDeviceAccess = 1 << 4, // Not part of an external interaction + kPase = 1 << 5, + kCase = 1 << 6, + kGroup = 1 << 7 }; } // namespace Access diff --git a/src/app/dynamic_server/AccessControl.cpp b/src/app/dynamic_server/AccessControl.cpp index 75385f49308792..17298956eaf51a 100644 --- a/src/app/dynamic_server/AccessControl.cpp +++ b/src/app/dynamic_server/AccessControl.cpp @@ -63,7 +63,8 @@ class AccessControlDelegate : public Access::AccessControl::Delegate return CHIP_ERROR_ACCESS_DENIED; } - if (subjectDescriptor.authMode != AuthMode::kCase && subjectDescriptor.authMode != AuthMode::kPase) + if (subjectDescriptor.authMode != AuthMode::kCase && subjectDescriptor.authMode != AuthMode::kPase && + subjectDescriptor.authMode != AuthMode::kInternalDeviceAccess) { // No idea who is asking; deny for now. return CHIP_ERROR_ACCESS_DENIED;