From cfdbba92318717c09efe52a88c8ba60b995f5be9 Mon Sep 17 00:00:00 2001 From: Amine Alami <43780877+Alami-Amine@users.noreply.github.com> Date: Thu, 29 Aug 2024 17:16:41 +0200 Subject: [PATCH 1/8] Docker Image build fix: adding abseil as system lib (#35277) * image build fix: adding abseil to docker image * adding reference to issue --- integrations/docker/images/base/chip-build/Dockerfile | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/integrations/docker/images/base/chip-build/Dockerfile b/integrations/docker/images/base/chip-build/Dockerfile index db209a82f20b87..37edf89730ecd9 100644 --- a/integrations/docker/images/base/chip-build/Dockerfile +++ b/integrations/docker/images/base/chip-build/Dockerfile @@ -123,6 +123,14 @@ RUN set -x \ ruff \ && : # last line +#TODO Issue #35280: this is only added as a workaround to bloaty build failures, remove it once bloaty fixes issue +# Clone and install abseil-cpp +RUN git clone https://github.com/abseil/abseil-cpp.git /tmp/abseil-cpp \ + && cd /tmp/abseil-cpp \ + && cmake -B build -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local \ + && cmake --build build --target install \ + && rm -rf /tmp/abseil-cpp + # Install bloat comparison tools RUN set -x \ && git clone https://github.com/google/bloaty.git \ From 3e529e1bb72dbe96ed9363f5a8a4687631ad6847 Mon Sep 17 00:00:00 2001 From: Raul Marquez <130402456+raul-marquez-csa@users.noreply.github.com> Date: Thu, 29 Aug 2024 09:01:45 -0700 Subject: [PATCH 2/8] Removes verification item (#35049) --- src/app/tests/suites/certification/Test_TC_DEMM_1_2.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/src/app/tests/suites/certification/Test_TC_DEMM_1_2.yaml b/src/app/tests/suites/certification/Test_TC_DEMM_1_2.yaml index 55aa1400ec1ac5..900428998445ea 100644 --- a/src/app/tests/suites/certification/Test_TC_DEMM_1_2.yaml +++ b/src/app/tests/suites/certification/Test_TC_DEMM_1_2.yaml @@ -37,7 +37,6 @@ tests: at least one entry the values of the Value fields that are not larger than 16 bits - for each Value field: Is the mode tag value a defined common tag value (Auto(0x0000), Quick(0x0001), Quiet(0x0002), LowNoise(0x0003), LowEnergy(0x0004), Vacation(0x0005), Min(0x0006), Max(0x0007), Night(0x0008), Day(0x0009)) or a defined cluster-derived tag value (No Optimization, Device Optimization, Local Optimization, Grid Optimization) or in the MfgTags (0x8000 to 0xBFFF) range - for at least one Value field: Is the mode tag value a defined common tag value (Auto(0x0000), Quick(0x0001), Quiet(0x0002), LowNoise(0x0003), LowEnergy(0x0004), Vacation(0x0005), Min(0x0006), Max(0x0007), Night(0x0008), Day(0x0009)) or a derived cluster value (RapidCool, RapidFreeze) - - if the Value field is in the MfgTags (0x8000 to 0xBFFF) range, the TagName field is a string with a length between 1 and 64 - Verify that at least one ModeOptionsStruct entry includes either the RapidCool semantic tag or the RapidFreeze semantic tag in the SemanticTags field - Save the Mode field values as supported_modes_dut on the TH (Chip-tool) and below is the sample log provided for the raspi platform: From 9a0add3be9c25a082ea26a36b807c8bfc00916ab Mon Sep 17 00:00:00 2001 From: Nivi Sarkar <55898241+nivi-apple@users.noreply.github.com> Date: Thu, 29 Aug 2024 09:03:49 -0700 Subject: [PATCH 3/8] Make fixes to match the test scripts to the test plan (#35265) * Make fixes to match the test scripts to the test plan - Set the PICS code for SetpointHoldExpiryTimestamp to 0 - Remove the test cases for GetRelayLog and GetRelayLogResponse - Update PICS code for Preset related commands * Restyled by prettier-yaml --------- Co-authored-by: Restyled.io --- src/app/tests/suites/certification/PICS.yaml | 7 ++++ .../certification/Test_TC_TSTAT_1_1.yaml | 33 ++++--------------- .../tests/suites/certification/ci-pics-values | 1 + 3 files changed, 14 insertions(+), 27 deletions(-) diff --git a/src/app/tests/suites/certification/PICS.yaml b/src/app/tests/suites/certification/PICS.yaml index be995be90b30b7..89638f4e631747 100644 --- a/src/app/tests/suites/certification/PICS.yaml +++ b/src/app/tests/suites/certification/PICS.yaml @@ -6494,6 +6494,13 @@ PICS: - label: "Does the device implement the Schedules attribute?" id: TSTAT.S.A0051 + - label: "Does the device implement the Schedules attribute?" + id: TSTAT.S.A0051 + + - label: + "Does the device implement the SetpointHoldExpiryTimestamp attribute?" + id: TSTAT.S.A0052 + # # server / commandsReceived # diff --git a/src/app/tests/suites/certification/Test_TC_TSTAT_1_1.yaml b/src/app/tests/suites/certification/Test_TC_TSTAT_1_1.yaml index dc16d0d8a6c4bb..ef8f688bf5e89c 100644 --- a/src/app/tests/suites/certification/Test_TC_TSTAT_1_1.yaml +++ b/src/app/tests/suites/certification/Test_TC_TSTAT_1_1.yaml @@ -606,17 +606,7 @@ tests: contains: [1, 2, 3] - label: - "Step 6c: TH reads the optional (GetRelayStatusLog) command in - AcceptedCommandList" - PICS: TSTAT.S.C04.Rsp - command: "readAttribute" - attribute: "AcceptedCommandList" - response: - constraints: - type: list - contains: [4] - - label: - "Step 6d: TH reads Feature dependent(TSTAT.S.F08(PRES)) commands in + "Step 6c: TH reads Feature dependent(TSTAT.S.F08(PRES)) commands in AcceptedCommandList" PICS: TSTAT.S.F08 command: "readAttribute" @@ -627,18 +617,7 @@ tests: contains: [6, 254] - label: - "Step 7a: TH reads Feature dependent(TSTAT.S.F08(PRES)) commands in - the GeneratedCommandList attribute." - PICS: TSTAT.S.Cfe.Rsp - command: "readAttribute" - attribute: "GeneratedCommandList" - response: - value: [0xFD] # AtomicResponse - constraints: - type: list - - - label: - "Step 7b: TH reads Feature dependent(TSTAT.S.F03(SCH)) commands in + "Step 7a: TH reads Feature dependent(TSTAT.S.F03(SCH)) commands in GeneratedCommandList" PICS: TSTAT.S.F03 command: "readAttribute" @@ -649,12 +628,12 @@ tests: contains: [0] - label: - "Step 7c: TH reads optional command (GetRelayStatusLogResponse) in - GeneratedCommandList" - PICS: TSTAT.S.C04.Rsp + "Step 7b: TH reads Feature dependent(TSTAT.S.F08(PRES)) commands in + the GeneratedCommandList attribute." + PICS: TSTAT.S.F08 & TSTAT.S.Cfe.Rsp command: "readAttribute" attribute: "GeneratedCommandList" response: + value: [0xFD] # AtomicResponse constraints: type: list - contains: [1] diff --git a/src/app/tests/suites/certification/ci-pics-values b/src/app/tests/suites/certification/ci-pics-values index 373f8e3c9aea9c..24abab5e9aacb3 100644 --- a/src/app/tests/suites/certification/ci-pics-values +++ b/src/app/tests/suites/certification/ci-pics-values @@ -1989,6 +1989,7 @@ TSTAT.S.A004a=1 TSTAT.S.A004e=1 TSTAT.S.A0050=1 TSTAT.S.A0051=0 +TSTAT.S.A0052=0 TSTAT.S.M.MinSetpointDeadBandWritable=1 TSTAT.S.M.HVACSystemTypeConfigurationWritable=0 From 68371622f60003b9264aa2e61149462a3cd24698 Mon Sep 17 00:00:00 2001 From: Yufeng Wang Date: Thu, 29 Aug 2024 09:31:17 -0700 Subject: [PATCH 4/8] Fix crash when try to read UniqueId from a legacy device (#35268) --- .../fabric-admin/device_manager/DeviceSynchronization.cpp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/examples/fabric-admin/device_manager/DeviceSynchronization.cpp b/examples/fabric-admin/device_manager/DeviceSynchronization.cpp index 69ca9cdb722b23..3239f89046fb6e 100644 --- a/examples/fabric-admin/device_manager/DeviceSynchronization.cpp +++ b/examples/fabric-admin/device_manager/DeviceSynchronization.cpp @@ -72,6 +72,13 @@ void DeviceSynchronizer::OnAttributeData(const ConcreteDataAttributePath & path, VerifyOrDie(path.mEndpointId == kRootEndpointId); VerifyOrDie(path.mClusterId == Clusters::BasicInformation::Id); + CHIP_ERROR error = status.ToChipError(); + if (CHIP_NO_ERROR != error) + { + ChipLogError(NotSpecified, "Response Failure: %" CHIP_ERROR_FORMAT, error.Format()); + return; + } + switch (path.mAttributeId) { case Clusters::BasicInformation::Attributes::UniqueID::Id: From 95ee15751c0796979b6047e241f6a67fa8474e8d Mon Sep 17 00:00:00 2001 From: Romulo Quidute Filho <116586593+rquidute@users.noreply.github.com> Date: Thu, 29 Aug 2024 14:04:57 -0300 Subject: [PATCH 5/8] Add apps to chip cert bins image (#35207) * Add Apps to chip_cert_bins image * Minor fixes --- .../docker/images/chip-cert-bins/Dockerfile | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/integrations/docker/images/chip-cert-bins/Dockerfile b/integrations/docker/images/chip-cert-bins/Dockerfile index 99b4f38a0caa2b..c386359c718ed5 100644 --- a/integrations/docker/images/chip-cert-bins/Dockerfile +++ b/integrations/docker/images/chip-cert-bins/Dockerfile @@ -193,6 +193,9 @@ RUN case ${TARGETPLATFORM} in \ --target linux-x64-energy-management-ipv6only \ --target linux-x64-microwave-oven-ipv6only \ --target linux-x64-rvc-ipv6only \ + --target linux-x64-fabric-bridge-rpc-ipv6only \ + --target linux-x64-fabric-admin-rpc-ipv6only \ + --target linux-x64-network-manager-ipv6only \ build \ && mv out/linux-x64-chip-tool-ipv6only-platform-mdns/chip-tool out/chip-tool \ && mv out/linux-x64-shell-ipv6only-platform-mdns/chip-shell out/chip-shell \ @@ -213,6 +216,9 @@ RUN case ${TARGETPLATFORM} in \ && mv out/linux-x64-energy-management-ipv6only/chip-energy-management-app out/chip-energy-management-app \ && mv out/linux-x64-microwave-oven-ipv6only/chip-microwave-oven-app out/chip-microwave-oven-app \ && mv out/linux-x64-rvc-ipv6only/chip-rvc-app out/chip-rvc-app \ + && mv out/linux-x64-fabric-bridge-rpc-ipv6only/fabric-bridge-app out/fabric-bridge-app \ + && mv out/linux-x64-fabric-admin-rpc-ipv6only/fabric-admin out/fabric-admin \ + && mv out/linux-x64-network-manager-ipv6only/matter-network-manager-app out/matter-network-manager-app \ ;; \ "linux/arm64")\ set -x \ @@ -237,6 +243,9 @@ RUN case ${TARGETPLATFORM} in \ --target linux-arm64-energy-management-ipv6only \ --target linux-arm64-microwave-oven-ipv6only \ --target linux-arm64-rvc-ipv6only \ + --target linux-arm64-fabric-bridge-rpc-ipv6only \ + --target linux-arm64-fabric-admin-rpc-ipv6only \ + --target linux-arm64-network-manager-ipv6only \ build \ && mv out/linux-arm64-chip-tool-ipv6only-platform-mdns/chip-tool out/chip-tool \ && mv out/linux-arm64-shell-ipv6only-platform-mdns/chip-shell out/chip-shell \ @@ -257,6 +266,9 @@ RUN case ${TARGETPLATFORM} in \ && mv out/linux-arm64-energy-management-ipv6only/chip-energy-management-app out/chip-energy-management-app \ && mv out/linux-arm64-microwave-oven-ipv6only/chip-microwave-oven-app out/chip-microwave-oven-app \ && mv out/linux-arm64-rvc-ipv6only/chip-rvc-app out/chip-rvc-app \ + && mv out/linux-arm64-fabric-bridge-rpc-ipv6only/fabric-bridge-app out/fabric-bridge-app \ + && mv out/linux-arm64-fabric-admin-rpc-ipv6only/fabric-admin out/fabric-admin \ + && mv out/linux-arm64-network-manager-ipv6only/matter-network-manager-app out/matter-network-manager-app \ ;; \ *) ;; \ esac @@ -290,6 +302,9 @@ COPY --from=chip-build-cert-bins /root/connectedhomeip/out/lit-icd-app lit-icd-a COPY --from=chip-build-cert-bins /root/connectedhomeip/out/chip-energy-management-app chip-energy-management-app COPY --from=chip-build-cert-bins /root/connectedhomeip/out/chip-microwave-oven-app chip-microwave-oven-app COPY --from=chip-build-cert-bins /root/connectedhomeip/out/chip-rvc-app chip-rvc-app +COPY --from=chip-build-cert-bins /root/connectedhomeip/out/fabric-bridge-app fabric-bridge-app +COPY --from=chip-build-cert-bins /root/connectedhomeip/out/fabric-admin fabric-admin +COPY --from=chip-build-cert-bins /root/connectedhomeip/out/matter-network-manager-app matter-network-manager-app # Stage 3.1: Setup the Matter Python environment COPY --from=chip-build-cert-bins /root/connectedhomeip/out/python_lib python_lib @@ -304,6 +319,6 @@ COPY --from=chip-build-cert-bins /root/connectedhomeip/src/python_testing/requir RUN pip install --break-system-packages -r /tmp/requirements.txt && rm /tmp/requirements.txt # PIP requires MASON package compilation, which seems to require a JDK -RUN set -x && DEBIAN_FRONTEND=noninteractive apt-get install -fy openjdk-8-jdk +RUN set -x && DEBIAN_FRONTEND=noninteractive apt-get update; apt-get install -fy openjdk-8-jdk RUN pip install --break-system-packages --no-cache-dir python_lib/controller/python/chip*.whl From 9c598998609cc756d2c79fe7975721b76f92b07b Mon Sep 17 00:00:00 2001 From: shripad621git <79364691+shripad621git@users.noreply.github.com> Date: Thu, 29 Aug 2024 22:44:06 +0530 Subject: [PATCH 6/8] Fixed the crash due to packet buffers running out of space in CommandHandlerImpl. (#35279) * Fixed the crash due to packet buffers running out of space in CommandHandlerImpl * Update src/app/CommandHandlerImpl.h Co-authored-by: Terence Hampson --------- Co-authored-by: Terence Hampson --- src/app/CommandHandlerImpl.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/app/CommandHandlerImpl.h b/src/app/CommandHandlerImpl.h index 55e356bcceb35a..ddd499658e15d9 100644 --- a/src/app/CommandHandlerImpl.h +++ b/src/app/CommandHandlerImpl.h @@ -294,7 +294,12 @@ class CommandHandlerImpl : public CommandHandler { return CHIP_NO_ERROR; } - ReturnErrorOnFailure(RollbackResponse()); + // The error value of RollbackResponse is not important if it fails, we prioritize + // conveying the error generated by addResponseFunction to the caller. + if (RollbackResponse() != CHIP_NO_ERROR) + { + return err; + } // If we failed to add a command due to lack of space in the // packet, we will make another attempt to add the response using // an additional InvokeResponseMessage. From 9c778ceeae57914b1bde8669e9369d2ef6288ef2 Mon Sep 17 00:00:00 2001 From: Terence Hampson Date: Thu, 29 Aug 2024 20:04:40 +0200 Subject: [PATCH 7/8] Fix Fabric Sync test script issues discovered on TH (#35283) --- src/python_testing/TC_CCTRL_2_2.py | 9 ++++++--- src/python_testing/TC_CCTRL_2_3.py | 9 ++++++--- src/python_testing/TC_MCORE_FS_1_1.py | 9 ++++++--- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/src/python_testing/TC_CCTRL_2_2.py b/src/python_testing/TC_CCTRL_2_2.py index 4d11692d14ba24..8080f9db324ff3 100644 --- a/src/python_testing/TC_CCTRL_2_2.py +++ b/src/python_testing/TC_CCTRL_2_2.py @@ -53,11 +53,14 @@ async def setup_class(self): self.port = 5543 discriminator = random.randint(0, 4095) passcode = 20202021 - app_args = f'--secured-device-port {self.port} --discriminator {discriminator} --passcode {passcode} --KVS {self.kvs}' - cmd = f'{app} {app_args}' + cmd = [app] + cmd.extend(['--secured-device-port', str(5543)]) + cmd.extend(['--discriminator', str(discriminator)]) + cmd.extend(['--passcode', str(passcode)]) + cmd.extend(['--KVS', self.kvs]) # TODO: Determine if we want these logs cooked or pushed to somewhere else logging.info("Starting TH_SERVER") - self.app_process = subprocess.Popen(cmd, bufsize=0, shell=True) + self.app_process = subprocess.Popen(cmd) logging.info("TH_SERVER started") time.sleep(3) diff --git a/src/python_testing/TC_CCTRL_2_3.py b/src/python_testing/TC_CCTRL_2_3.py index c733235f635ff8..9baa0856412d5f 100644 --- a/src/python_testing/TC_CCTRL_2_3.py +++ b/src/python_testing/TC_CCTRL_2_3.py @@ -52,11 +52,14 @@ async def setup_class(self): self.port = 5543 discriminator = random.randint(0, 4095) passcode = 20202021 - app_args = f'--secured-device-port {self.port} --discriminator {discriminator} --passcode {passcode} --KVS {self.kvs}' - cmd = f'{app} {app_args}' + cmd = [app] + cmd.extend(['--secured-device-port', str(5543)]) + cmd.extend(['--discriminator', str(discriminator)]) + cmd.extend(['--passcode', str(passcode)]) + cmd.extend(['--KVS', self.kvs]) # TODO: Determine if we want these logs cooked or pushed to somewhere else logging.info("Starting TH_SERVER") - self.app_process = subprocess.Popen(cmd, bufsize=0, shell=True) + self.app_process = subprocess.Popen(cmd) logging.info("TH_SERVER started") time.sleep(3) diff --git a/src/python_testing/TC_MCORE_FS_1_1.py b/src/python_testing/TC_MCORE_FS_1_1.py index f64b718e96f2e8..27978af3dee234 100755 --- a/src/python_testing/TC_MCORE_FS_1_1.py +++ b/src/python_testing/TC_MCORE_FS_1_1.py @@ -45,11 +45,14 @@ async def setup_class(self): self.port = 5543 discriminator = random.randint(0, 4095) passcode = 20202021 - app_args = f'--secured-device-port {self.port} --discriminator {discriminator} --passcode {passcode} --KVS {self.kvs}' - cmd = f'{app} {app_args}' + cmd = [app] + cmd.extend(['--secured-device-port', str(5543)]) + cmd.extend(['--discriminator', str(discriminator)]) + cmd.extend(['--passcode', str(passcode)]) + cmd.extend(['--KVS', self.kvs]) # TODO: Determine if we want these logs cooked or pushed to somewhere else logging.info("Starting application to acts mock a server portion of TH_FSA") - self.app_process = subprocess.Popen(cmd, bufsize=0, shell=True) + self.app_process = subprocess.Popen(cmd) logging.info("Started application to acts mock a server portion of TH_FSA") time.sleep(3) From 401a2a0eb00f3365dd096e685548b04be07b475b Mon Sep 17 00:00:00 2001 From: Thomas Lea <35579828+tleacmcsa@users.noreply.github.com> Date: Thu, 29 Aug 2024 13:06:01 -0500 Subject: [PATCH 8/8] M-ACL: switch from UnsupportedAccess to AccessRestricted (#35263) * Implement new AccessRestricted error code * [NXP][Zephyr] Provide AP band in connection request parameters (#35181) Signed-off-by: Axel Le Bourhis * added missed ERROR_CODES.md update * fixed build issue * restyled * fix return type in CodegenDataModelProvider_Write.cpp * fix review comments --------- Signed-off-by: Axel Le Bourhis Co-authored-by: Axel Le Bourhis <45206070+axelnxp@users.noreply.github.com> --- docs/ERROR_CODES.md | 2 ++ src/access/AccessControl.cpp | 5 ----- src/access/AccessRestrictionProvider.cpp | 20 ------------------- .../tests/TestAccessRestrictionProvider.cpp | 2 +- src/app/CommandHandlerImpl.cpp | 5 +++-- src/app/EventManagement.cpp | 4 +++- .../CodegenDataModelProvider_Read.cpp | 8 +++++--- .../CodegenDataModelProvider_Write.cpp | 4 ++-- src/app/reporting/Engine.cpp | 11 ++++++---- .../util/ember-compatibility-functions.cpp | 12 +++++++---- .../chip/devicecontroller/model/Status.java | 1 + .../src/matter/controller/model/Status.kt | 1 + .../python/chip/interaction_model/__init__.py | 1 + src/lib/core/CHIPError.cpp | 3 +++ src/lib/core/CHIPError.h | 9 ++++++++- src/lib/core/tests/TestCHIPErrorStr.cpp | 1 + .../interaction_model/StatusCodeList.h | 1 + src/python_testing/TC_ACL_2_11.py | 16 +++++++-------- 18 files changed, 55 insertions(+), 51 deletions(-) diff --git a/docs/ERROR_CODES.md b/docs/ERROR_CODES.md index 5799c7a3f1b885..ff549e6df6b6dc 100644 --- a/docs/ERROR_CODES.md +++ b/docs/ERROR_CODES.md @@ -118,6 +118,7 @@ This file was **AUTOMATICALLY** generated by | 165 | 0xA5 | `CHIP_ERROR_ACCESS_DENIED` | | 166 | 0xA6 | `CHIP_ERROR_UNKNOWN_RESOURCE_ID` | | 167 | 0xA7 | `CHIP_ERROR_VERSION_MISMATCH` | +| 168 | 0xA8 | `CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL` | | 171 | 0xAB | `CHIP_ERROR_EVENT_ID_FOUND` | | 172 | 0xAC | `CHIP_ERROR_INTERNAL` | | 173 | 0xAD | `CHIP_ERROR_OPEN_FAILED` | @@ -252,6 +253,7 @@ This file was **AUTOMATICALLY** generated by | 1426 | 0x592 | `DATA_VERSION_MISMATCH` | | 1428 | 0x594 | `TIMEOUT` | | 1436 | 0x59C | `BUSY` | +| 1437 | 0x59D | `ACCESS_RESTRICTED` | | 1475 | 0x5C3 | `UNSUPPORTED_CLUSTER` | | 1477 | 0x5C5 | `NO_UPSTREAM_SUBSCRIPTION` | | 1478 | 0x5C6 | `NEEDS_TIMED_INTERACTION` | diff --git a/src/access/AccessControl.cpp b/src/access/AccessControl.cpp index 8302fb0b122265..c9da05e51038cc 100644 --- a/src/access/AccessControl.cpp +++ b/src/access/AccessControl.cpp @@ -538,12 +538,7 @@ CHIP_ERROR AccessControl::CheckARL(const SubjectDescriptor & subjectDescriptor, if (result != CHIP_NO_ERROR) { ChipLogProgress(DataManagement, "AccessControl: %s", -#if 0 - // TODO(#35177): new error code coming when access check plumbing are fixed in callers (result == CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL) ? "denied (restricted)" : "denied (restriction error)"); -#else - (result == CHIP_ERROR_ACCESS_DENIED) ? "denied (restricted)" : "denied (restriction error)"); -#endif return result; } diff --git a/src/access/AccessRestrictionProvider.cpp b/src/access/AccessRestrictionProvider.cpp index 23e8082353abc8..e1a818fde0fc41 100644 --- a/src/access/AccessRestrictionProvider.cpp +++ b/src/access/AccessRestrictionProvider.cpp @@ -197,45 +197,25 @@ CHIP_ERROR AccessRestrictionProvider::DoCheck(const std::vector & entries if (requestPath.requestType == RequestType::kAttributeReadRequest || requestPath.requestType == RequestType::kAttributeWriteRequest) { -#if 0 - // TODO(#35177): use new ARL error code when access checks are fixed return CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL; -#else - return CHIP_ERROR_ACCESS_DENIED; -#endif } break; case Type::kAttributeWriteForbidden: if (requestPath.requestType == RequestType::kAttributeWriteRequest) { -#if 0 - // TODO(#35177): use new ARL error code when access checks are fixed return CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL; -#else - return CHIP_ERROR_ACCESS_DENIED; -#endif } break; case Type::kCommandForbidden: if (requestPath.requestType == RequestType::kCommandInvokeRequest) { -#if 0 - // TODO(#35177): use new ARL error code when access checks are fixed return CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL; -#else - return CHIP_ERROR_ACCESS_DENIED; -#endif } break; case Type::kEventForbidden: if (requestPath.requestType == RequestType::kEventReadRequest) { -#if 0 - // TODO(#35177): use new ARL error code when access checks are fixed return CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL; -#else - return CHIP_ERROR_ACCESS_DENIED; -#endif } break; } diff --git a/src/access/tests/TestAccessRestrictionProvider.cpp b/src/access/tests/TestAccessRestrictionProvider.cpp index ddf58ae2488f4d..723d023e48b2ff 100644 --- a/src/access/tests/TestAccessRestrictionProvider.cpp +++ b/src/access/tests/TestAccessRestrictionProvider.cpp @@ -174,7 +174,7 @@ void RunChecks(const CheckData * checkData, size_t count) { for (size_t i = 0; i < count; i++) { - CHIP_ERROR expectedResult = checkData[i].allow ? CHIP_NO_ERROR : CHIP_ERROR_ACCESS_DENIED; + CHIP_ERROR expectedResult = checkData[i].allow ? CHIP_NO_ERROR : CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL; EXPECT_EQ(accessControl.Check(checkData[i].subjectDescriptor, checkData[i].requestPath, checkData[i].privilege), expectedResult); } diff --git a/src/app/CommandHandlerImpl.cpp b/src/app/CommandHandlerImpl.cpp index 1945e7e5e69dc3..366199a3b9f1d4 100644 --- a/src/app/CommandHandlerImpl.cpp +++ b/src/app/CommandHandlerImpl.cpp @@ -410,12 +410,13 @@ Status CommandHandlerImpl::ProcessCommandDataIB(CommandDataIB::Parser & aCommand err = Access::GetAccessControl().Check(subjectDescriptor, requestPath, requestPrivilege); if (err != CHIP_NO_ERROR) { - if (err != CHIP_ERROR_ACCESS_DENIED) + if ((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL)) { return FallibleAddStatus(concretePath, Status::Failure) != CHIP_NO_ERROR ? Status::Failure : Status::Success; } // TODO: when wildcard invokes are supported, handle them to discard rather than fail with status - return FallibleAddStatus(concretePath, Status::UnsupportedAccess) != CHIP_NO_ERROR ? Status::Failure : Status::Success; + Status status = err == CHIP_ERROR_ACCESS_DENIED ? Status::UnsupportedAccess : Status::AccessRestricted; + return FallibleAddStatus(concretePath, status) != CHIP_NO_ERROR ? Status::Failure : Status::Success; } } diff --git a/src/app/EventManagement.cpp b/src/app/EventManagement.cpp index 2419d564d0bc7a..7c0df844872b47 100644 --- a/src/app/EventManagement.cpp +++ b/src/app/EventManagement.cpp @@ -563,7 +563,9 @@ CHIP_ERROR EventManagement::CheckEventContext(EventLoadOutContext * eventLoadOut Access::GetAccessControl().Check(eventLoadOutContext->mSubjectDescriptor, requestPath, requestPrivilege); if (accessControlError != CHIP_NO_ERROR) { - ReturnErrorCodeIf(accessControlError != CHIP_ERROR_ACCESS_DENIED, accessControlError); + ReturnErrorCodeIf((accessControlError != CHIP_ERROR_ACCESS_DENIED) && + (accessControlError != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), + accessControlError); ret = CHIP_ERROR_UNEXPECTED_EVENT; } diff --git a/src/app/codegen-data-model-provider/CodegenDataModelProvider_Read.cpp b/src/app/codegen-data-model-provider/CodegenDataModelProvider_Read.cpp index de17d1059be127..82baba4835c8b5 100644 --- a/src/app/codegen-data-model-provider/CodegenDataModelProvider_Read.cpp +++ b/src/app/codegen-data-model-provider/CodegenDataModelProvider_Read.cpp @@ -281,15 +281,17 @@ DataModel::ActionReturnStatus CodegenDataModelProvider::ReadAttribute(const Data RequiredPrivilege::ForReadAttribute(request.path)); if (err != CHIP_NO_ERROR) { - ReturnErrorCodeIf(err != CHIP_ERROR_ACCESS_DENIED, err); + ReturnErrorCodeIf((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), err); // Implementation of 8.4.3.2 of the spec for path expansion if (request.path.mExpanded) { return CHIP_NO_ERROR; } - // access denied has a specific code for IM - return CHIP_IM_GLOBAL_STATUS(UnsupportedAccess); + + // access denied and access restricted have specific codes for IM + return err == CHIP_ERROR_ACCESS_DENIED ? CHIP_IM_GLOBAL_STATUS(UnsupportedAccess) + : CHIP_IM_GLOBAL_STATUS(AccessRestricted); } } diff --git a/src/app/codegen-data-model-provider/CodegenDataModelProvider_Write.cpp b/src/app/codegen-data-model-provider/CodegenDataModelProvider_Write.cpp index 7420427f84909b..d5f50454b18085 100644 --- a/src/app/codegen-data-model-provider/CodegenDataModelProvider_Write.cpp +++ b/src/app/codegen-data-model-provider/CodegenDataModelProvider_Write.cpp @@ -287,10 +287,10 @@ DataModel::ActionReturnStatus CodegenDataModelProvider::WriteAttribute(const Dat if (err != CHIP_NO_ERROR) { - ReturnErrorCodeIf(err != CHIP_ERROR_ACCESS_DENIED, err); + ReturnErrorCodeIf((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), err); // TODO: when wildcard/group writes are supported, handle them to discard rather than fail with status - return Status::UnsupportedAccess; + return err == CHIP_ERROR_ACCESS_DENIED ? Status::UnsupportedAccess : Status::AccessRestricted; } } diff --git a/src/app/reporting/Engine.cpp b/src/app/reporting/Engine.cpp index 99d038a8c35471..2dfbec1fdf5d6d 100644 --- a/src/app/reporting/Engine.cpp +++ b/src/app/reporting/Engine.cpp @@ -346,23 +346,26 @@ CHIP_ERROR Engine::CheckAccessDeniedEventPaths(TLV::TLVWriter & aWriter, bool & Access::Privilege requestPrivilege = RequiredPrivilege::ForReadEvent(path); err = Access::GetAccessControl().Check(apReadHandler->GetSubjectDescriptor(), requestPath, requestPrivilege); - if (err != CHIP_ERROR_ACCESS_DENIED) + if ((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL)) { ReturnErrorOnFailure(err); } else { TLV::TLVWriter checkpoint = aWriter; - err = EventReportIB::ConstructEventStatusIB(aWriter, path, StatusIB(Status::UnsupportedAccess)); + err = EventReportIB::ConstructEventStatusIB(aWriter, path, + err == CHIP_ERROR_ACCESS_DENIED ? StatusIB(Status::UnsupportedAccess) + : StatusIB(Status::AccessRestricted)); + if (err != CHIP_NO_ERROR) { aWriter = checkpoint; break; } aHasEncodedData = true; - ChipLogDetail(InteractionModel, "Access to event (%u, " ChipLogFormatMEI ", " ChipLogFormatMEI ") denied by ACL", + ChipLogDetail(InteractionModel, "Access to event (%u, " ChipLogFormatMEI ", " ChipLogFormatMEI ") denied by %s", current->mValue.mEndpointId, ChipLogValueMEI(current->mValue.mClusterId), - ChipLogValueMEI(current->mValue.mEventId)); + ChipLogValueMEI(current->mValue.mEventId), err == CHIP_ERROR_ACCESS_DENIED ? "ACL" : "ARL"); } current = current->mpNext; } diff --git a/src/app/util/ember-compatibility-functions.cpp b/src/app/util/ember-compatibility-functions.cpp index ad0542a9ff0614..7dadac8695fd63 100644 --- a/src/app/util/ember-compatibility-functions.cpp +++ b/src/app/util/ember-compatibility-functions.cpp @@ -302,12 +302,13 @@ CHIP_ERROR ReadSingleClusterData(const SubjectDescriptor & aSubjectDescriptor, b CHIP_ERROR err = Access::GetAccessControl().Check(aSubjectDescriptor, requestPath, requestPrivilege); if (err != CHIP_NO_ERROR) { - ReturnErrorCodeIf(err != CHIP_ERROR_ACCESS_DENIED, err); + ReturnErrorCodeIf((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), err); if (aPath.mExpanded) { return CHIP_NO_ERROR; } - return CHIP_IM_GLOBAL_STATUS(UnsupportedAccess); + return err == CHIP_ERROR_ACCESS_DENIED ? CHIP_IM_GLOBAL_STATUS(UnsupportedAccess) + : CHIP_IM_GLOBAL_STATUS(AccessRestricted); } } @@ -701,9 +702,12 @@ CHIP_ERROR WriteSingleClusterData(const SubjectDescriptor & aSubjectDescriptor, } if (err != CHIP_NO_ERROR) { - ReturnErrorCodeIf(err != CHIP_ERROR_ACCESS_DENIED, err); + ReturnErrorCodeIf((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), err); // TODO: when wildcard/group writes are supported, handle them to discard rather than fail with status - return apWriteHandler->AddStatus(aPath, Protocols::InteractionModel::Status::UnsupportedAccess); + return apWriteHandler->AddStatus(aPath, + err == CHIP_ERROR_ACCESS_DENIED + ? Protocols::InteractionModel::Status::UnsupportedAccess + : Protocols::InteractionModel::Status::AccessRestricted); } apWriteHandler->CacheACLCheckResult({ aPath, requestPrivilege }); } diff --git a/src/controller/java/src/chip/devicecontroller/model/Status.java b/src/controller/java/src/chip/devicecontroller/model/Status.java index 28abd36465689b..7a7eaa27ad5348 100644 --- a/src/controller/java/src/chip/devicecontroller/model/Status.java +++ b/src/controller/java/src/chip/devicecontroller/model/Status.java @@ -57,6 +57,7 @@ public enum Code { Reserved99(0x99), Reserved9a(0x9a), Busy(0x9c), + AccessRestricted(0x9d), Deprecatedc0(0xc0), Deprecatedc1(0xc1), Deprecatedc2(0xc2), diff --git a/src/controller/java/src/matter/controller/model/Status.kt b/src/controller/java/src/matter/controller/model/Status.kt index fa12f0b1cb25a5..84d06f550e9fac 100644 --- a/src/controller/java/src/matter/controller/model/Status.kt +++ b/src/controller/java/src/matter/controller/model/Status.kt @@ -57,6 +57,7 @@ data class Status(val status: Int, val clusterStatus: Int?) { RESERVED99(0X99), RESERVED9A(0X9A), BUSY(0X9C), + ACCESS_RESTRICTED(0x9D), DEPRECATEDC0(0XC0), DEPRECATEDC1(0XC1), DEPRECATEDC2(0XC2), diff --git a/src/controller/python/chip/interaction_model/__init__.py b/src/controller/python/chip/interaction_model/__init__.py index ec100846b085a5..39ade4e2f7f467 100644 --- a/src/controller/python/chip/interaction_model/__init__.py +++ b/src/controller/python/chip/interaction_model/__init__.py @@ -73,6 +73,7 @@ class Status(enum.IntEnum): Reserved99 = 0x99 Reserved9a = 0x9a Busy = 0x9c + AccessRestricted = 0x9d Deprecatedc0 = 0xc0 Deprecatedc1 = 0xc1 Deprecatedc2 = 0xc2 diff --git a/src/lib/core/CHIPError.cpp b/src/lib/core/CHIPError.cpp index 2b2461ca79d09c..31959718b94380 100644 --- a/src/lib/core/CHIPError.cpp +++ b/src/lib/core/CHIPError.cpp @@ -362,6 +362,9 @@ bool FormatCHIPError(char * buf, uint16_t bufSize, CHIP_ERROR err) case CHIP_ERROR_VERSION_MISMATCH.AsInteger(): desc = "Version mismatch"; break; + case CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL.AsInteger(): + desc = "The CHIP message's access is restricted by ARL"; + break; case CHIP_EVENT_ID_FOUND.AsInteger(): desc = "Event ID matching criteria was found"; break; diff --git a/src/lib/core/CHIPError.h b/src/lib/core/CHIPError.h index 84b0de1a47f3ba..0a002d89c088f5 100644 --- a/src/lib/core/CHIPError.h +++ b/src/lib/core/CHIPError.h @@ -1484,7 +1484,14 @@ using CHIP_ERROR = ::chip::ChipError; */ #define CHIP_ERROR_VERSION_MISMATCH CHIP_CORE_ERROR(0xa7) -// AVAILABLE: 0xa8 +/** + * @def CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL + * + * @brief + * The CHIP message is not granted access for further processing due to Access Restriction List. + */ +#define CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL CHIP_CORE_ERROR(0xa8) + // AVAILABLE: 0xa9 // AVAILABLE: 0xaa diff --git a/src/lib/core/tests/TestCHIPErrorStr.cpp b/src/lib/core/tests/TestCHIPErrorStr.cpp index d466eb281fe0fb..01130aca4261d7 100644 --- a/src/lib/core/tests/TestCHIPErrorStr.cpp +++ b/src/lib/core/tests/TestCHIPErrorStr.cpp @@ -140,6 +140,7 @@ static const CHIP_ERROR kTestElements[] = CHIP_ERROR_ACCESS_DENIED, CHIP_ERROR_UNKNOWN_RESOURCE_ID, CHIP_ERROR_VERSION_MISMATCH, + CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL, CHIP_EVENT_ID_FOUND, CHIP_ERROR_INTERNAL, CHIP_ERROR_OPEN_FAILED, diff --git a/src/protocols/interaction_model/StatusCodeList.h b/src/protocols/interaction_model/StatusCodeList.h index 5538478d76ce52..da059ac4596180 100644 --- a/src/protocols/interaction_model/StatusCodeList.h +++ b/src/protocols/interaction_model/StatusCodeList.h @@ -61,6 +61,7 @@ CHIP_IM_STATUS_CODE(Reserved98 , Reserved98 , 0x98) CHIP_IM_STATUS_CODE(Reserved99 , Reserved99 , 0x99) CHIP_IM_STATUS_CODE(Reserved9a , Reserved9a , 0x9a) CHIP_IM_STATUS_CODE(Busy , BUSY , 0x9c) +CHIP_IM_STATUS_CODE(AccessRestricted , ACCESS_RESTRICTED , 0x9d) CHIP_IM_STATUS_CODE(Deprecatedc0 , Deprecatedc0 , 0xc0) CHIP_IM_STATUS_CODE(Deprecatedc1 , Deprecatedc1 , 0xc1) CHIP_IM_STATUS_CODE(Deprecatedc2 , Deprecatedc2 , 0xc2) diff --git a/src/python_testing/TC_ACL_2_11.py b/src/python_testing/TC_ACL_2_11.py index a979b1ca3f5b1a..2ac145d7645d17 100644 --- a/src/python_testing/TC_ACL_2_11.py +++ b/src/python_testing/TC_ACL_2_11.py @@ -73,9 +73,9 @@ def steps_TC_ACL_2_11(self) -> list[TestStep]: TestStep(2, "TH1 reads DUT Endpoint 0 AccessControl cluster CommissioningARL attribute"), TestStep(3, "TH1 reads DUT Endpoint 0 AccessControl cluster ARL attribute"), TestStep(4, "For each entry in ARL, iterate over each restriction and attempt access the restriction's ID on the Endpoint and Cluster in the ARL entry.", - "If the restriction is Type AttributeAccessForbidden, read the restriction's attribute ID and verify the response is UNSUPPORTED_ACCESS." - "If the restriction is Type AttributeWriteForbidden, write restriction's the attribute ID and verify the response is UNSUPPORTED_ACCESS." - "If the restriction is Type CommandForbidden, invoke the restriction's command ID and verify the response is UNSUPPORTED_ACCESS."), + "If the restriction is Type AttributeAccessForbidden, read the restriction's attribute ID and verify the response is ACCESS_RESTRICTED." + "If the restriction is Type AttributeWriteForbidden, write restriction's the attribute ID and verify the response is ACCESS_RESTRICTED." + "If the restriction is Type CommandForbidden, invoke the restriction's command ID and verify the response is ACCESS_RESTRICTED."), TestStep(5, "TH1 sends DUT Endpoint 0 AccessControl cluster command ReviewFabricRestrictions"), TestStep(6, "Wait for up to 1 hour. Follow instructions provided by device maker to remove all access restrictions", "AccessRestrictionReviewUpdate event is received"), @@ -119,15 +119,15 @@ async def test_TC_ACL_2_11(self): command = ALL_ACCEPTED_COMMANDS[C1][ID1] if restriction_type == AccessControl.Enums.AccessRestrictionTypeEnum.kAttributeAccessForbidden: - await self.read_single_attribute_expect_error(cluster=cluster, attribute=attribute, error=Status.UnsupportedAccess, endpoint=E1) + await self.read_single_attribute_expect_error(cluster=cluster, attribute=attribute, error=Status.AccessRestricted, endpoint=E1) elif restriction_type == AccessControl.Enums.AccessRestrictionTypeEnum.kAttributeWriteForbidden: status = await self.write_single_attribute(attribute_value=attribute, endpoint_id=E1) - asserts.assert_equal(status, Status.UnsupportedAccess, - f"Failed to verify UNSUPPORTED_ACCESS when writing to Attribute {ID1} Cluster {C1} Endpoint {E1}") + asserts.assert_equal(status, Status.AccessRestricted, + f"Failed to verify ACCESS_RESTRICTED when writing to Attribute {ID1} Cluster {C1} Endpoint {E1}") elif restriction_type == AccessControl.Enums.AccessRestrictionTypeEnum.kCommandForbidden: result = await self.send_single_cmd(cmd=command, endpoint=E1) - asserts.assert_equal(result.status, Status.UnsupportedAccess, - f"Failed to verify UNSUPPORTED_ACCESS when sending command {ID1} to Cluster {C1} Endpoint {E1}") + asserts.assert_equal(result.status, Status.AccessRestricted, + f"Failed to verify ACCESS_RESTRICTED when sending command {ID1} to Cluster {C1} Endpoint {E1}") # Belongs to step 6, but needs to be subscribed before executing step 5: begin arru_queue = queue.Queue()