Change DevOwner access policy to address JIRA 1369

This changes the Policy Engine to grant requests from DevOwner
without checking ACLs ONLY if the device is not in Ready for Normal
Operation state, AND the request is for a SVR.

Change-Id: I9aa4314cc2beb9fdb4629c1e63ea6971f7cc8909
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/12585
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>
(cherry picked from commit 7e0ed7dff05620d4cbcc335724a62bc0adbd4eaf)
Reviewed-on: https://gerrit.iotivity.org/gerrit/12757

diff --git a/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt b/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt
index efb6851..bc19b1b 100644 (file)
--- a/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt
+++ b/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt
@@ -1,4 +1,4 @@
-LAST UPDATED 5/27/2015
+LAST UPDATED 9/29/2016
 
 To build the IoTivity stack with the security features enabled:
 
@@ -11,7 +11,10 @@ To build the IoTivity stack with the security features enabled:
        $ export LD_LIBRARY_PATH=<iotivity-base>/out/<...>/release
        $ ./ocserverbasicops &
        $ ./occlientbasicops -t 1
-        Message "INFO: occlientbasicops: Secure -- YES" indicates success!
+        NOTE: Console messages below indicate success:
+         "INFO: occlientbasicops: Uri -- /a/led
+          INFO: occlientbasicops: SECUREPORT udp: 51516
+          INFO: occlientbasicops: Secure -- YES"
        $ ./occlientbasicops -t 2
-        Completion of 'GET' and 'PUT' query successfully indicates success!
+        NOTE: Completion of 'GET' and 'PUT' query to /a/led indicates success!
 

diff --git a/resource/csdk/security/src/policyengine.c b/resource/csdk/security/src/policyengine.c
index fd9f2ed..43b721e 100644 (file)
--- a/resource/csdk/security/src/policyengine.c
+++ b/resource/csdk/security/src/policyengine.c
@@ -476,9 +476,13 @@ SRMAccessResponse_t CheckPermission(PEContext_t     *context,
             CopyParamsToContext(context, subjectId, resource, requestedPermission);
         }
 
-        // Before doing any processing, check if request coming
-        // from DevOwner and if so, always GRANT.
-        if (IsRequestFromDevOwner(context))
+        // Before doing any ACL processing, check if request a) coming
+        // from DevOwner AND b) the device is not in Ready for Normal Operation
+        // state (which in IoTivity is equivalent to isOp == true) AND c)
+        // the request is for a SVR resource.  If all 3 are met, grant request.
+        if (IsRequestFromDevOwner(context) // if from DevOwner
+            && (GetPstatIsop() == false) // AND if isOp == false
+            && (context->resourceType != NOT_A_SVR_RESOURCE)) // AND if SVR type
         {
             context->retVal = ACCESS_GRANTED;
         }