Disallow operational PASE in AccessControl::Check
We won't have explicit operational PASE ACL entries
for v1.0. We will enforce that PASE is only during
commissioning, therefore all PASE subjects will be
granted administer privilege.

Past v1.0, if/when we want operational PASE (requires
solving some tricky multi-fabric issues), we'll have
to check against PASE subjects in entries, and also
for implicit PASE administer privilege during
commissioning we'll have to verify that the incoming
PASE subject is commissioning (otherwise it should
not get that implicit privilege escalation).

Part of issue project-chip#10242
mlepage-google committed Jan 28, 2022
1 parent 28ed85a commit 45c18d2
Showing 1 changed file with 13 additions and 16 deletions.
29 changes: 13 additions & 16 deletions src/access/AccessControl.cpp
Expand Up @@ -88,6 +88,9 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
// Don't check if using default delegate (e.g. test code that isn't testing access control)
ReturnErrorCodeIf(&mDelegate == &mDefaultDelegate, CHIP_NO_ERROR);

// Operational PASE not supported for v1.0, so PASE implies commissioning, which has highest privilege.
ReturnErrorCodeIf(subjectDescriptor.authMode == AuthMode::kPase, CHIP_NO_ERROR);

EntryIterator iterator;
ReturnErrorOnFailure(Entries(iterator, &subjectDescriptor.fabricIndex));

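Review bot: the new `ReturnErrorCodeIf(subjectDescriptor.authMode == AuthMode::kPase, CHIP_NO_ERROR);` grants every PASE subject unconditional access before any entry or fabric index is consulted, and nothing in this function confirms that the PASE session is actually a commissioning session; the comment "PASE implies commissioning" rests on enforcement that lives elsewhere (the commit message says PASE will be restricted to commissioning). Suggest the comment name where that restriction is enforced, and carry a TODO pointing at project-chip#10242 here, since the commit message notes that operational PASE will require verifying the incoming PASE subject is commissioning before it receives this implicit privilege escalation. Also worth noting in the comment that this bypass sits after the default-delegate early return, so it only applies when a real delegate is installed.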
Expand All @@ -96,6 +99,8 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
{
AuthMode authMode = AuthMode::kNone;
ReturnErrorOnFailure(entry.GetAuthMode(authMode));
// Operational PASE not supported for v1.0.
VerifyOrReturnError(authMode == AuthMode::kCase || authMode == AuthMode::kGroup, CHIP_ERROR_INCORRECT_STATE);
if (authMode != subjectDescriptor.authMode)
{
continue;
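Review bot: the added `VerifyOrReturnError(authMode == AuthMode::kCase || authMode == AuthMode::kGroup, CHIP_ERROR_INCORRECT_STATE);` runs before the `authMode != subjectDescriptor.authMode` skip, so a single stored entry with any other auth mode (such as kPase or kNone) makes `Check` fail for every subject on that fabric, not just for subjects whose auth mode matches the bad entry. That fails closed, which is the safe direction, but it means one malformed persisted entry denies all access until it is removed; suggest the comment say so explicitly, and consider rejecting such entries at write time as well so they never reach this loop. If the whole-check failure is intentional, a short note on why `CHIP_ERROR_INCORRECT_STATE` (persisted state) rather than `CHIP_ERROR_INVALID_ARGUMENT` is the right code would help readers of the other hunk, which switches to the same code.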
Expand All @@ -119,43 +124,35 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
ReturnErrorOnFailure(entry.GetSubject(i, subject));
if (IsOperationalNodeId(subject))
{
VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INCORRECT_STATE);
if (subject == subjectDescriptor.subject)
{
subjectMatched = true;
break;
}
}
else if (IsGroupId(subject))
else if (IsCASEAuthTag(subject))
{
VerifyOrReturnError(authMode == AuthMode::kGroup, CHIP_ERROR_INVALID_ARGUMENT);
if (subject == subjectDescriptor.subject)
VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INCORRECT_STATE);
if (subjectDescriptor.cats.CheckSubjectAgainstCATs(subject))
{
subjectMatched = true;
break;
}
}
// TODO: Add the implicit admit for PASE after the spec is updated.
else if (IsPAKEKeyId(subject))
else if (IsGroupId(subject))
{
VerifyOrReturnError(authMode == AuthMode::kPase, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(authMode == AuthMode::kGroup, CHIP_ERROR_INCORRECT_STATE);
if (subject == subjectDescriptor.subject)
{
subjectMatched = true;
break;
}
}
else if (IsCASEAuthTag(subject))
{
VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INVALID_ARGUMENT);
if (subjectDescriptor.cats.CheckSubjectAgainstCATs(subject))
{
subjectMatched = true;
break;
}
}
else
{
return CHIP_ERROR_INVALID_ARGUMENT;
// Operational PASE not supported for v1.0.
return CHIP_ERROR_INCORRECT_STATE;
}
}
if (!subjectMatched)
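Review bot: removing the `else if (IsPAKEKeyId(subject))` branch together with the `// TODO: Add the implicit admit for PASE after the spec is updated.` comment loses the only in-code pointer to the deferred operational-PASE work; a stored entry carrying a PAKE key ID subject now falls into the final `else` and returns `CHIP_ERROR_INCORRECT_STATE`, failing the whole check, and the comment `// Operational PASE not supported for v1.0.` does not say that this is the case being rejected. Suggest the `else` comment mention PAKE key ID subjects explicitly and reference project-chip#10242. The reordering of the `IsCASEAuthTag` branch ahead of `IsGroupId` and the change of the inner `VerifyOrReturnError` codes from `CHIP_ERROR_INVALID_ARGUMENT` to `CHIP_ERROR_INCORRECT_STATE` look behaviour-preserving for valid entries, but please confirm the subject-type predicates are mutually exclusive so the new order cannot route a subject to a different branch than before.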