Annotation of access control metadata to two clusters #11542
Conversation
project-chip#11204 project-chip#11286 Annotated the operational-credentials-cluster.xml and onoff-cluster.xml based on the Matter Specs, section 11.18, and appclusters, respectively. Normalized the <access> elements. Note that the writeable <attribute> attribute indicates if a field is writeable, or not. The <access> elements qualifies provileges on a per operation basis. updated all <struct> elements to include <item> fieldId; updated NodeOperationalCertStatus to include missing item elements; updated NOCStruct to include a missing item element; Normalized fabric_idx usage across the two updated cluster xml files.
| <item name="FabricIndex" type="INT8U"/> | ||
| <item name="NOC" type="OCTET_STRING"/> | ||
| <item fieldId="0" name="FabricIndex" type="fabric_idx"/> | ||
| <item fieldId="1" name="NOC" type="OCTET_STRING" length="400" isFabricSensitive="true"/> |
There was a problem hiding this comment.
Is isFabricSensitive an alias for the equivalent of an access tag?
There was a problem hiding this comment.
This was suggested on Nov 1st: https://csamembers.slack.com/archives/C02FTN42KEE/p1635797498010800?thread_ts=1635795804.009300&cid=C02FTN42KEE
| <!-- 400 = 400 bytes for root cert --> | ||
| <attribute side="server" code="0x0004" define="TRUSTED_ROOTS" type="ARRAY" entryType="OCTET_STRING" length="400" writable="false" optional="false">TrustedRootCertificates</attribute> | ||
| <attribute side="server" code="0x0005" define="CURRENT_FABRIC_INDEX" type="fabric_idx" writable="false" optional="false">CurrentFabricIndex</attribute> | ||
| <attribute side="server" code="0x0004" define="TRUSTED_ROOTS" type="ARRAY" entryType="OCTET_STRING" length="400" writable="false" optional="false"> |
There was a problem hiding this comment.
The 400 length for an array here doesn't make sense
There was a problem hiding this comment.
This is the topic that needs group resolution :)
src/app/zap-templates/zcl/data-model/chip/operational-credentials-cluster.xml
Outdated
Show resolved
Hide resolved
| </command> | ||
|
|
||
| <command source="server" code="0x01" name="AttestationResponse" optional="false"> | ||
| <description>An attestation information confirmation from the server.</description> | ||
| <arg name="AttestationElements" type="OCTET_STRING"/> | ||
| <arg name="Signature" type="OCTET_STRING"/> | ||
| <access op="invoke" privilege="administer"/> | ||
| </command> | ||
|
|
||
| <command source="client" code="0x02" name="CertificateChainRequest" optional="false"> |
There was a problem hiding this comment.
Add response="CertificateChainResponse"
There was a problem hiding this comment.
Did the comment refer to the already existing response?
<command source="server" code="0x03" name="CertificateChainResponse" optional="false">
<description>A device attestation certificate (DAC) or product attestation intermediate (PAI) certificate from the server.</description>
<arg name="Certificate" type="OCTET_STRING"/>
</command>
| <arg name="StatusCode" type="INT8U"/> | ||
| <arg name="FabricIndex" type="INT8U"/> | ||
| <arg name="FabricIndex" type="fabric_idx"/> | ||
| <arg name="DebugText" type="CHAR_STRING"/> |
There was a problem hiding this comment.
Need the field IDs for these args
There was a problem hiding this comment.
None of the cluster xml files include a fieldId in the attributes. To make sure I understand the requirement, is this format correct?
<command source="server" code="0x08" name="NOCResponse" optional="false">
<description>Response to AddNOC or UpdateNOC commands.</description>
<arg fieldId="0" name="StatusCode" type="INT8U"/>
<arg fieldId="1" name="FabricIndex" type="fabric_idx"/>
<arg fieldId="2" name="DebugText" type="CHAR_STRING"/>
</command>
There was a problem hiding this comment.
The last commit made the above assumption. If incorrect, we can rollback the changes and work on determining the right format.
…lege. Removed <access> for response commands, as there are no privileges for command responses.
tcarmelveilleux
changed the title
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
|
This stale pull request has been automatically closed. Thank you for your contributions. |
Problem
Started annotating the XML cluster files with Access Control XML elements.
Normalized Normalized fabric_idx usage across the two updated cluster xml files.
fabric_idxis not used uniformly #11286 (Type fabric_idx is not used uniformly)Issue #11204
Issue #11286
Issue #10246
Change overview
Annotated the operational-credentials-cluster.xml and onoff-cluster.xml based on the Matter Specs, section 11.18, and appclusters, respectively.
Normalized the elements. Note that the writeable attribute indicates if a field is writeable, or not. The elements qualifies provileges on a per operation basis:
Normalized fabric_idx usage across the two updated cluster xml files.
Testing
How was this tested? (at least one bullet point required)