1 //******************************************************************
3 // Copyright 2015 Intel Mobile Communications GmbH All Rights Reserved.
5 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
7 // Licensed under the Apache License, Version 2.0 (the "License");
8 // you may not use this file except in compliance with the License.
9 // You may obtain a copy of the License at
11 // http://www.apache.org/licenses/LICENSE-2.0
13 // Unless required by applicable law or agreed to in writing, software
14 // distributed under the License is distributed on an "AS IS" BASIS,
15 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 // See the License for the specific language governing permissions and
17 // limitations under the License.
19 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
22 #include "oic_malloc.h"
23 #include "policyengine.h"
25 #include "resourcemanager.h"
26 #include "securevirtualresourcetypes.h"
27 #include "srmresourcestrings.h"
29 #include "aclresource.h"
30 #include "srmutility.h"
31 #include "doxmresource.h"
32 #include "iotvticalendar.h"
33 #include "pstatresource.h"
34 #include "dpairingresource.h"
35 #include "pconfresource.h"
36 #include "amaclresource.h"
37 #include "credresource.h"
41 uint16_t GetPermissionFromCAMethod_t(const CAMethod_t method)
47 perm = (uint16_t)PERMISSION_READ;
49 case CA_POST: // For now we treat all PUT & POST as Write
50 case CA_PUT: // because we don't know if resource exists yet.
51 perm = (uint16_t)PERMISSION_WRITE;
54 perm = (uint16_t)PERMISSION_DELETE;
56 default: // if not recognized, must assume requesting full control
57 perm = (uint16_t)PERMISSION_FULL_CONTROL;
64 * Compares two OicUuid_t structs.
66 * @return true if the two OicUuid_t structs are equal, else false.
68 static bool UuidCmp(OicUuid_t *firstId, OicUuid_t *secondId)
70 // TODO use VERIFY macros to check for null when they are merged.
71 if(NULL == firstId || NULL == secondId)
75 // Check empty uuid string
76 if('\0' == firstId->id[0] || '\0' == secondId->id[0])
80 for(int i = 0; i < UUID_LENGTH; i++)
82 if(firstId->id[i] != secondId->id[i])
90 void SetPolicyEngineState(PEContext_t *context, const PEState_t state)
97 // Clear stateful context variables.
98 memset(&context->subject, 0, sizeof(context->subject));
99 memset(&context->resource, 0, sizeof(context->resource));
100 context->permission = 0x0;
101 context->matchingAclFound = false;
102 context->amsProcessing = false;
103 context->retVal = ACCESS_DENIED_POLICY_ENGINE_ERROR;
105 if (context->amsMgrContext)
107 if (context->amsMgrContext->requestInfo)
109 FreeCARequestInfo(context->amsMgrContext->requestInfo);
111 OICFree(context->amsMgrContext->endpoint);
112 memset(context->amsMgrContext, 0, sizeof(AmsMgrContext_t));
116 context->state = state;
120 * Compare the request's subject to DevOwner.
122 * @return true if context->subjectId == GetDoxmDevOwner(), else false.
124 static bool IsRequestFromDevOwner(PEContext_t *context)
134 if(OC_STACK_OK == GetDoxmDevOwnerId(&ownerid))
136 retVal = UuidCmp(&context->subject, &ownerid);
142 // TODO - remove these function placeholders as they are implemented
143 // in the resource entity handler code.
144 // Note that because many SVRs do not have a rowner, in those cases we
145 // just return "OC_STACK_ERROR" which results in a "false" return by
146 // IsRequestFromResourceOwner().
147 // As these SVRs are revised to have a rowner, these functions should be
148 // replaced (see pstatresource.c for example of GetPstatRownerId).
150 OCStackResult GetCrlRownerId(OicUuid_t *rowner)
153 return OC_STACK_ERROR;
156 OCStackResult GetSaclRownerId(OicUuid_t *rowner)
159 return OC_STACK_ERROR;
162 OCStackResult GetSvcRownerId(OicUuid_t *rowner)
165 return OC_STACK_ERROR;
168 static GetSvrRownerId_t GetSvrRownerId[OIC_SEC_SVR_TYPE_COUNT] = {
182 * Compare the request's subject to resource.ROwner.
184 * @return true if context->subjectId equals SVR rowner id, else return false
186 bool IsRequestFromResourceOwner(PEContext_t *context)
189 OicUuid_t resourceOwner;
196 if((OIC_R_ACL_TYPE <= context->resourceType) && \
197 (OIC_SEC_SVR_TYPE_COUNT > context->resourceType))
199 if(OC_STACK_OK == GetSvrRownerId[(int)context->resourceType](&resourceOwner))
201 retVal = UuidCmp(&context->subject, &resourceOwner);
207 OIC_LOG(INFO, TAG, "PE.IsRequestFromResourceOwner(): returning true");
211 OIC_LOG(INFO, TAG, "PE.IsRequestFromResourceOwner(): returning false");
217 inline static bool IsRequestSubjectEmpty(PEContext_t *context)
219 OicUuid_t emptySubject = {.id={}};
226 return (memcmp(&context->subject, &emptySubject, sizeof(OicUuid_t)) == 0) ?
231 * Bitwise check to see if 'permission' contains 'request'.
233 * @param permission is the allowed CRUDN permission.
234 * @param request is the CRUDN permission being requested.
236 * @return true if 'permission' bits include all 'request' bits.
238 static inline bool IsPermissionAllowingRequest(const uint16_t permission,
239 const uint16_t request)
241 if (request == (request & permission))
252 * Compare the passed subject to the wildcard (aka anonymous) subjectId.
254 * @return true if 'subject' is the wildcard, false if it is not.
256 static inline bool IsWildCardSubject(OicUuid_t *subject)
263 // Because always comparing to string literal, use strcmp()
264 if(0 == memcmp(subject, &WILDCARD_SUBJECT_ID, sizeof(OicUuid_t)))
275 * Copy the subject, resource and permission into the context fields.
277 static void CopyParamsToContext(PEContext_t *context,
278 const OicUuid_t *subjectId,
279 const char *resource,
280 const uint16_t requestedPermission)
284 if (NULL == context || NULL == subjectId || NULL == resource)
289 memcpy(&context->subject, subjectId, sizeof(OicUuid_t));
291 // Copy the resource string into context.
292 length = strlen(resource) + 1;
295 strncpy(context->resource, resource, length);
296 context->resource[length - 1] = '\0';
299 // Assign the permission field.
300 context->permission = requestedPermission;
304 * Check whether 'resource' is getting accessed within the valid time period.
306 * @param acl is the ACL to check.
308 * @return true if access is within valid time period or if the period or recurrence is not present.
309 * false if period and recurrence present and the access is not within valid time period.
311 static bool IsAccessWithinValidTime(const OicSecAcl_t *acl)
313 #ifndef WITH_ARDUINO //Period & Recurrence not supported on Arduino due
314 //lack of absolute time
315 if (NULL== acl || NULL == acl->periods || 0 == acl->prdRecrLen)
320 //periods & recurrences rules are paired.
321 if (NULL == acl->recurrences)
326 for (size_t i = 0; i < acl->prdRecrLen; i++)
328 if (IOTVTICAL_VALID_ACCESS == IsRequestWithinValidTime(acl->periods[i],
329 acl->recurrences[i]))
331 OIC_LOG(INFO, TAG, "Access request is in allowed time period");
335 OIC_LOG(ERROR, TAG, "Access request is in invalid time period");
344 * Check whether 'resource' is in the passed ACL.
346 * @param resource is the resource being searched.
347 * @param acl is the ACL to check.
349 * @return true if 'resource' found, otherwise false.
351 static bool IsResourceInAcl(const char *resource, const OicSecAcl_t *acl)
353 if (NULL== acl || NULL == resource)
358 for (size_t n = 0; n < acl->resourcesLen; n++)
360 if (0 == strcmp(resource, acl->resources[n]) || // TODO null terms?
361 0 == strcmp(WILDCARD_RESOURCE_URI, acl->resources[n]))
371 * Find ACLs containing context->subject.
372 * Search each ACL for requested resource.
373 * If resource found, check for context->permission and period validity.
374 * If the ACL is not found locally and AMACL for the resource is found
375 * then sends the request to AMS service for the ACL.
376 * Set context->retVal to result from first ACL found which contains
377 * correct subject AND resource.
379 static void ProcessAccessRequest(PEContext_t *context)
381 OIC_LOG(DEBUG, TAG, "Entering ProcessAccessRequest()");
384 const OicSecAcl_t *currentAcl = NULL;
385 OicSecAcl_t *savePtr = NULL;
387 // Start out assuming subject not found.
388 context->retVal = ACCESS_DENIED_SUBJECT_NOT_FOUND;
390 // Loop through all ACLs with a matching Subject searching for the right
391 // ACL for this request.
394 OIC_LOG_V(DEBUG, TAG, "%s: getting ACL..." ,__func__);
395 currentAcl = GetACLResourceData(&context->subject, &savePtr);
397 if (NULL != currentAcl)
399 // Found the subject, so how about resource?
400 OIC_LOG_V(DEBUG, TAG, "%s:found ACL matching subject" ,__func__);
402 // Subject was found, so err changes to Rsrc not found for now.
403 context->retVal = ACCESS_DENIED_RESOURCE_NOT_FOUND;
404 OIC_LOG_V(DEBUG, TAG, "%s:Searching for resource..." ,__func__);
405 if (IsResourceInAcl(context->resource, currentAcl))
407 OIC_LOG_V(INFO, TAG, "%s:found matching resource in ACL" ,__func__);
408 context->matchingAclFound = true;
410 // Found the resource, so it's down to valid period & permission.
411 context->retVal = ACCESS_DENIED_INVALID_PERIOD;
412 if (IsAccessWithinValidTime(currentAcl))
414 context->retVal = ACCESS_DENIED_INSUFFICIENT_PERMISSION;
415 if (IsPermissionAllowingRequest(currentAcl->permission, context->permission))
417 context->retVal = ACCESS_GRANTED;
424 OIC_LOG_V(INFO, TAG, "%s:no ACL found matching subject for resource %s",__func__, context->resource);
426 } while ((NULL != currentAcl) && (false == context->matchingAclFound));
428 if (IsAccessGranted(context->retVal))
430 OIC_LOG_V(INFO, TAG, "%s:Leaving ProcessAccessRequest(ACCESS_GRANTED)", __func__);
434 OIC_LOG_V(INFO, TAG, "%s:Leaving ProcessAccessRequest(ACCESS_DENIED)", __func__);
439 OIC_LOG_V(ERROR, TAG, "%s:Leaving ProcessAccessRequest(context is NULL)", __func__);
443 SRMAccessResponse_t CheckPermission(PEContext_t *context,
444 const OicUuid_t *subjectId,
445 const char *resource,
446 const uint16_t requestedPermission)
448 SRMAccessResponse_t retVal = ACCESS_DENIED_POLICY_ENGINE_ERROR;
450 VERIFY_NON_NULL(TAG, context, ERROR);
451 VERIFY_NON_NULL(TAG, subjectId, ERROR);
452 VERIFY_NON_NULL(TAG, resource, ERROR);
454 // Each state machine context can only be processing one request at a time.
455 // Therefore if the context is not in AWAITING_REQUEST or AWAITING_AMS_RESPONSE
456 // state, return error. Otherwise, change to BUSY state and begin processing request.
457 if (AWAITING_REQUEST == context->state || AWAITING_AMS_RESPONSE == context->state)
459 if (AWAITING_REQUEST == context->state)
461 SetPolicyEngineState(context, BUSY);
462 CopyParamsToContext(context, subjectId, resource, requestedPermission);
465 // Before doing any processing, check if request coming
466 // from DevOwner and if so, always GRANT.
467 if (IsRequestFromDevOwner(context))
469 context->retVal = ACCESS_GRANTED;
471 // Then check if request is for a SVR and coming from rowner
472 else if (IsRequestFromResourceOwner(context))
474 context->retVal = ACCESS_GRANTED;
476 // Else request is a "normal" request that must be tested against ACL
479 OicUuid_t saveSubject = {.id={}};
480 bool isSubEmpty = IsRequestSubjectEmpty(context);
482 ProcessAccessRequest(context);
484 // If matching ACL not found, and subject != wildcard, try wildcard.
485 if ((false == context->matchingAclFound) && \
486 (false == IsWildCardSubject(&context->subject)))
488 //Saving subject for Amacl check
489 memcpy(&saveSubject, &context->subject,sizeof(OicUuid_t));
491 //Setting context subject to WILDCARD_SUBJECT_ID
492 //TODO: change ProcessAccessRequest method signature to
493 //ProcessAccessRequest(context, subject) so that context
494 //subject is not tempered.
495 memset(&context->subject, 0, sizeof(context->subject));
496 memcpy(&context->subject, &WILDCARD_SUBJECT_ID,sizeof(OicUuid_t));
497 ProcessAccessRequest(context); // TODO anonymous subj can result
498 // in confusing err code return.
501 //No local ACE found for the request so checking Amacl resource
502 if (ACCESS_GRANTED != context->retVal)
504 //If subject is not empty then restore the original subject
505 //else keep the subject to WILDCARD_SUBJECT_ID
508 memcpy(&context->subject, &saveSubject, sizeof(OicUuid_t));
511 //FoundAmaclForRequest method checks for Amacl and fills up
512 //context->amsMgrContext->amsDeviceId with the AMS deviceId
513 //if Amacl was found for the requested resource.
514 if(FoundAmaclForRequest(context))
516 ProcessAMSRequest(context);
523 context->retVal = ACCESS_DENIED_POLICY_ENGINE_ERROR;
526 // Capture retVal before resetting state for next request.
527 retVal = context->retVal;
529 if (!context->amsProcessing)
531 OIC_LOG(INFO, TAG, "Resetting PE context and PE State to AWAITING_REQUEST");
532 SetPolicyEngineState(context, AWAITING_REQUEST);
539 OCStackResult InitPolicyEngine(PEContext_t *context)
543 return OC_STACK_ERROR;
546 context->amsMgrContext = (AmsMgrContext_t *)OICCalloc(1, sizeof(AmsMgrContext_t));
547 if(NULL == context->amsMgrContext)
549 return OC_STACK_ERROR;
552 SetPolicyEngineState(context, AWAITING_REQUEST);
556 void DeInitPolicyEngine(PEContext_t *context)
560 SetPolicyEngineState(context, STOPPED);
561 OICFree(context->amsMgrContext);