1 //******************************************************************
3 // Copyright 2015 Intel Mobile Communications GmbH All Rights Reserved.
5 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
7 // Licensed under the Apache License, Version 2.0 (the "License");
8 // you may not use this file except in compliance with the License.
9 // You may obtain a copy of the License at
11 // http://www.apache.org/licenses/LICENSE-2.0
13 // Unless required by applicable law or agreed to in writing, software
14 // distributed under the License is distributed on an "AS IS" BASIS,
15 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 // See the License for the specific language governing permissions and
17 // limitations under the License.
19 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
24 #include "cainterface.h"
25 #include "resourcemanager.h"
26 #include "credresource.h"
27 #include "policyengine.h"
28 #include "srmutility.h"
30 #include "oic_string.h"
31 #include "oic_malloc.h"
32 #include "securevirtualresourcetypes.h"
33 #include "secureresourcemanager.h"
34 #include "srmresourcestrings.h"
35 #include "ocresourcehandler.h"
37 #if defined( __WITH_TLS__) || defined(__WITH_DTLS__)
38 #include "pkix_interface.h"
39 #endif //__WITH_TLS__ or __WITH_DTLS__
42 //Request Callback handler
43 static CARequestCallback gRequestHandler = NULL;
44 //Response Callback handler
45 static CAResponseCallback gResponseHandler = NULL;
46 //Error Callback handler
47 static CAErrorCallback gErrorHandler = NULL;
48 //Persistent Storage callback handler for open/read/write/close/unlink
49 static OCPersistentStorage *gPersistentStorageHandler = NULL;
50 //Provisioning response callback
51 static SPResponseCallback gSPResponseHandler = NULL;
54 * A single global Policy Engine context will suffice as long
55 * as SRM is single-threaded.
57 PEContext_t g_policyEngineContext;
60 * Function to register provisoning API's response callback.
61 * @param respHandler response handler callback.
63 void SRMRegisterProvisioningResponseHandler(SPResponseCallback respHandler)
65 gSPResponseHandler = respHandler;
68 void SetResourceRequestType(PEContext_t *context, const char *resourceUri)
70 context->resourceType = GetSvrTypeFromUri(resourceUri);
73 static void SRMSendUnAuthorizedAccessresponse(PEContext_t *context)
75 CAResponseInfo_t responseInfo = {.result = CA_EMPTY};
77 if (NULL == context ||
78 NULL == context->amsMgrContext->requestInfo)
80 OIC_LOG_V(ERROR, TAG, "%s : NULL Parameter(s)",__func__);
84 memcpy(&responseInfo.info, &(context->amsMgrContext->requestInfo->info),
85 sizeof(responseInfo.info));
86 responseInfo.info.payload = NULL;
87 responseInfo.result = CA_UNAUTHORIZED_REQ;
88 responseInfo.info.dataType = CA_RESPONSE_DATA;
90 if (CA_STATUS_OK == CASendResponse(context->amsMgrContext->endpoint, &responseInfo))
92 OIC_LOG(DEBUG, TAG, "Succeed in sending response to a unauthorized request!");
96 OIC_LOG(ERROR, TAG, "Failed in sending response to a unauthorized request!");
100 void SRMSendResponse(SRMAccessResponse_t responseVal)
102 OIC_LOG(DEBUG, TAG, "Sending response to remote device");
104 if (IsAccessGranted(responseVal) && gRequestHandler)
106 OIC_LOG_V(INFO, TAG, "%s : Access granted. Passing Request to RI layer", __func__);
107 if (!g_policyEngineContext.amsMgrContext->endpoint ||
108 !g_policyEngineContext.amsMgrContext->requestInfo)
110 OIC_LOG_V(ERROR, TAG, "%s : Invalid arguments", __func__);
111 SRMSendUnAuthorizedAccessresponse(&g_policyEngineContext);
114 gRequestHandler(g_policyEngineContext.amsMgrContext->endpoint,
115 g_policyEngineContext.amsMgrContext->requestInfo);
119 OIC_LOG_V(INFO, TAG, "%s : ACCESS_DENIED.", __func__);
120 SRMSendUnAuthorizedAccessresponse(&g_policyEngineContext);
124 //Resetting PE state to AWAITING_REQUEST
125 SetPolicyEngineState(&g_policyEngineContext, AWAITING_REQUEST);
129 * Handle the request from the SRM.
131 * @param endPoint object from which the response is received.
132 * @param requestInfo contains information for the request.
134 void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requestInfo)
136 OIC_LOG(DEBUG, TAG, "Received request from remote device");
138 bool isRequestOverSecureChannel = false;
139 if (!endPoint || !requestInfo)
141 OIC_LOG(ERROR, TAG, "Invalid arguments");
145 // Copy the subjectID
146 OicUuid_t subjectId = {.id = {0}};
147 OicUuid_t nullSubjectId = {.id = {0}};
148 memcpy(subjectId.id, requestInfo->info.identity.id, sizeof(subjectId.id));
150 // if subject id is null that means request is sent thru coap.
151 if (memcmp(subjectId.id, nullSubjectId.id, sizeof(subjectId.id)) != 0)
153 OIC_LOG(INFO, TAG, "request over secure channel");
154 isRequestOverSecureChannel = true;
157 //Check the URI has the query and skip it before checking the permission
158 char *uri = strstr(requestInfo->info.resourceUri, "?");
162 //Skip query and pass the resource uri
163 position = uri - requestInfo->info.resourceUri;
167 position = strlen(requestInfo->info.resourceUri);
169 if (MAX_URI_LENGTH < position || 0 > position)
171 OIC_LOG(ERROR, TAG, "Incorrect URI length");
174 SRMAccessResponse_t response = ACCESS_DENIED;
175 char newUri[MAX_URI_LENGTH + 1];
176 OICStrcpyPartial(newUri, MAX_URI_LENGTH + 1, requestInfo->info.resourceUri, position);
178 SetResourceRequestType(&g_policyEngineContext, newUri);
180 // Form a 'Error', 'slow response' or 'access deny' response and send to peer
181 CAResponseInfo_t responseInfo = {.result = CA_EMPTY};
182 memcpy(&responseInfo.info, &(requestInfo->info), sizeof(responseInfo.info));
183 responseInfo.info.payload = NULL;
184 responseInfo.info.dataType = CA_RESPONSE_DATA;
186 OCResource *resPtr = FindResourceByUri(newUri);
189 // check whether request is for secure resource or not and it should not be a SVR resource
190 if (((resPtr->resourceProperties) & OC_SECURE)
191 && (g_policyEngineContext.resourceType == NOT_A_SVR_RESOURCE))
193 // if resource is secure and request is over insecure channel
194 if (!isRequestOverSecureChannel)
196 // Reject all the requests over coap for secure resource.
197 responseInfo.result = CA_FORBIDDEN_REQ;
198 if (CA_STATUS_OK != CASendResponse(endPoint, &responseInfo))
200 OIC_LOG(ERROR, TAG, "Failed in sending response to a unauthorized request!");
206 #ifdef _ENABLE_MULTIPLE_OWNER_
208 * In case of ACL and CRED, The payload required to verify the payload.
209 * Payload information will be used for subowner's permission verification.
211 g_policyEngineContext.payload = (uint8_t*)requestInfo->info.payload;
212 g_policyEngineContext.payloadSize = requestInfo->info.payloadSize;
213 #endif //_ENABLE_MULTIPLE_OWNER_
215 //New request are only processed if the policy engine state is AWAITING_REQUEST.
216 if (AWAITING_REQUEST == g_policyEngineContext.state)
218 OIC_LOG_V(DEBUG, TAG, "Processing request with uri, %s for method, %d",
219 requestInfo->info.resourceUri, requestInfo->method);
220 response = CheckPermission(&g_policyEngineContext, &subjectId, newUri,
221 GetPermissionFromCAMethod_t(requestInfo->method));
225 OIC_LOG_V(INFO, TAG, "PE state %d. Ignoring request with uri, %s for method, %d",
226 g_policyEngineContext.state, requestInfo->info.resourceUri, requestInfo->method);
229 if (IsAccessGranted(response) && gRequestHandler)
231 gRequestHandler(endPoint, requestInfo);
235 VERIFY_NON_NULL(TAG, gRequestHandler, ERROR);
237 if (ACCESS_WAITING_FOR_AMS == response)
239 OIC_LOG(INFO, TAG, "Sending slow response");
241 UpdateAmsMgrContext(&g_policyEngineContext, endPoint, requestInfo);
242 responseInfo.result = CA_EMPTY;
243 responseInfo.info.type = CA_MSG_ACKNOWLEDGE;
248 * TODO Enhance this logic more to decide between
249 * CA_UNAUTHORIZED_REQ or CA_FORBIDDEN_REQ depending
250 * upon SRMAccessResponseReasonCode_t
252 OIC_LOG(INFO, TAG, "Sending for regular response");
253 responseInfo.result = CA_UNAUTHORIZED_REQ;
256 if (CA_STATUS_OK != CASendResponse(endPoint, &responseInfo))
258 OIC_LOG(ERROR, TAG, "Failed in sending response to a unauthorized request!");
262 responseInfo.result = CA_INTERNAL_SERVER_ERROR;
263 if (CA_STATUS_OK != CASendResponse(endPoint, &responseInfo))
265 OIC_LOG(ERROR, TAG, "Failed in sending response to a unauthorized request!");
270 * Handle the response from the SRM.
272 * @param endPoint points to the remote endpoint.
273 * @param responseInfo contains response information from the endpoint.
275 void SRMResponseHandler(const CAEndpoint_t *endPoint, const CAResponseInfo_t *responseInfo)
277 OIC_LOG(DEBUG, TAG, "Received response from remote device");
279 // isProvResponse flag is to check whether response is catered by provisioning APIs or not.
280 // When token sent by CA response matches with token generated by provisioning request,
281 // gSPResponseHandler returns true and response is not sent to RI layer. In case
282 // gSPResponseHandler is null and isProvResponse is false response then the response is for
284 bool isProvResponse = false;
286 if (gSPResponseHandler)
288 isProvResponse = gSPResponseHandler(endPoint, responseInfo);
290 if (!isProvResponse && gResponseHandler)
292 gResponseHandler(endPoint, responseInfo);
297 * Handle the error from the SRM.
299 * @param endPoint is the remote endpoint.
300 * @param errorInfo contains error information from the endpoint.
302 void SRMErrorHandler(const CAEndpoint_t *endPoint, const CAErrorInfo_t *errorInfo)
304 OIC_LOG_V(INFO, TAG, "Received error from remote device with result, %d for request uri, %s",
305 errorInfo->result, errorInfo->info.resourceUri);
308 gErrorHandler(endPoint, errorInfo);
312 OCStackResult SRMRegisterHandler(CARequestCallback reqHandler,
313 CAResponseCallback respHandler,
314 CAErrorCallback errHandler)
316 OIC_LOG(DEBUG, TAG, "SRMRegisterHandler !!");
317 if( !reqHandler || !respHandler || !errHandler)
319 OIC_LOG(ERROR, TAG, "Callback handlers are invalid");
320 return OC_STACK_INVALID_PARAM;
322 gRequestHandler = reqHandler;
323 gResponseHandler = respHandler;
324 gErrorHandler = errHandler;
327 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
328 CARegisterHandler(SRMRequestHandler, SRMResponseHandler, SRMErrorHandler);
330 CARegisterHandler(reqHandler, respHandler, errHandler);
331 #endif /* __WITH_DTLS__ */
335 OCStackResult SRMRegisterPersistentStorageHandler(OCPersistentStorage* persistentStorageHandler)
337 OIC_LOG(DEBUG, TAG, "SRMRegisterPersistentStorageHandler !!");
338 if(!persistentStorageHandler)
340 OIC_LOG(ERROR, TAG, "The persistent storage handler is invalid");
341 return OC_STACK_INVALID_PARAM;
343 gPersistentStorageHandler = persistentStorageHandler;
347 OCPersistentStorage* SRMGetPersistentStorageHandler()
349 return gPersistentStorageHandler;
352 OCStackResult SRMInitSecureResources()
354 // TODO: temporarily returning OC_STACK_OK every time until default
355 // behavior (for when SVR DB is missing) is settled.
356 InitSecureResources();
357 OCStackResult ret = OC_STACK_OK;
358 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
359 if (CA_STATUS_OK != CAregisterPskCredentialsHandler(GetDtlsPskCredentials))
361 OIC_LOG(ERROR, TAG, "Failed to revert TLS credential handler.");
362 ret = OC_STACK_ERROR;
364 CAregisterPkixInfoHandler(GetPkixInfo);
365 CAregisterGetCredentialTypesHandler(InitCipherSuiteList);
366 #endif // __WITH_DTLS__ or __WITH_TLS__
370 void SRMDeInitSecureResources()
372 DestroySecureResources();
375 OCStackResult SRMInitPolicyEngine()
377 return InitPolicyEngine(&g_policyEngineContext);
380 void SRMDeInitPolicyEngine()
382 DeInitPolicyEngine(&g_policyEngineContext);
385 bool SRMIsSecurityResourceURI(const char* uri)
392 const char *rsrcs[] = {
401 OIC_RSRC_DPAIRING_URI,
403 OC_RSRVD_PROV_CRL_URL
406 // Remove query from Uri for resource string comparison
407 size_t uriLen = strlen(uri);
408 char *query = strchr (uri, '?');
411 uriLen = query - uri;
414 for (size_t i = 0; i < sizeof(rsrcs)/sizeof(rsrcs[0]); i++)
416 size_t svrLen = strlen(rsrcs[i]);
418 if ((uriLen == svrLen) &&
419 (strncmp(uri, rsrcs[i], svrLen) == 0))
429 * Get the Secure Virtual Resource (SVR) type from the URI.
430 * @param uri [IN] Pointer to URI in question.
431 * @return The OicSecSvrType_t of the URI passed (note: if not a Secure Virtual
432 Resource, e.g. /a/light, will return "NOT_A_SVR_TYPE" enum value)
434 static const char URI_QUERY_CHAR = '?';
435 OicSecSvrType_t GetSvrTypeFromUri(const char* uri)
439 return NOT_A_SVR_RESOURCE;
442 // Remove query from Uri for resource string comparison
443 size_t uriLen = strlen(uri);
444 char *query = strchr (uri, URI_QUERY_CHAR);
447 uriLen = query - uri;
452 svrLen = strlen(OIC_RSRC_ACL_URI);
455 if(0 == strncmp(uri, OIC_RSRC_ACL_URI, svrLen))
457 return OIC_R_ACL_TYPE;
461 svrLen = strlen(OIC_RSRC_AMACL_URI);
464 if(0 == strncmp(uri, OIC_RSRC_AMACL_URI, svrLen))
466 return OIC_R_AMACL_TYPE;
470 svrLen = strlen(OIC_RSRC_CRED_URI);
473 if(0 == strncmp(uri, OIC_RSRC_CRED_URI, svrLen))
475 return OIC_R_CRED_TYPE;
479 svrLen = strlen(OIC_RSRC_CRL_URI);
482 if(0 == strncmp(uri, OIC_RSRC_CRL_URI, svrLen))
484 return OIC_R_CRL_TYPE;
488 svrLen = strlen(OIC_RSRC_DOXM_URI);
491 if(0 == strncmp(uri, OIC_RSRC_DOXM_URI, svrLen))
493 return OIC_R_DOXM_TYPE;
497 svrLen = strlen(OIC_RSRC_DPAIRING_URI);
500 if(0 == strncmp(uri, OIC_RSRC_DPAIRING_URI, svrLen))
502 return OIC_R_DPAIRING_TYPE;
506 svrLen = strlen(OIC_RSRC_PCONF_URI);
509 if(0 == strncmp(uri, OIC_RSRC_PCONF_URI, svrLen))
511 return OIC_R_PCONF_TYPE;
515 svrLen = strlen(OIC_RSRC_PSTAT_URI);
518 if(0 == strncmp(uri, OIC_RSRC_PSTAT_URI, svrLen))
520 return OIC_R_PSTAT_TYPE;
524 svrLen = strlen(OIC_RSRC_SVC_URI);
527 if(0 == strncmp(uri, OIC_RSRC_SVC_URI, svrLen))
529 return OIC_R_SVC_TYPE;
533 svrLen = strlen(OIC_RSRC_SACL_URI);
536 if(0 == strncmp(uri, OIC_RSRC_SACL_URI, svrLen))
538 return OIC_R_SACL_TYPE;
542 return NOT_A_SVR_RESOURCE;