From: Randeep Singh <randeep.s@samsung.com>
Date: Fri, 30 Sep 2016 06:31:21 +0000 (+0530)
Subject: [IOT-1366] coaps request for secure resource
X-Git-Tag: 1.3.0~1055^2~123
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=83bb7964f0d0e92cb18a48273092198f1c7afd7e;p=platform%2Fupstream%2Fiotivity.git

[IOT-1366] coaps request for secure resource

with this patch, all the request coming over insecure channel for secured resource will be rejected

Change-Id: I5b24c4095d99f6b6f6080b1f46f1fd4d9f0d8e20
Signed-off-by: Randeep Singh <randeep.s@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/12621
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
(cherry picked from commit 811d62de05664975cc2b36585ba719167d1bc1ea)
Reviewed-on: https://gerrit.iotivity.org/gerrit/12875
---

diff --git a/resource/csdk/octbstack_product.def b/resource/csdk/octbstack_product.def
index 1f457bc..4b226b0 100644
--- a/resource/csdk/octbstack_product.def
+++ b/resource/csdk/octbstack_product.def
@@ -106,3 +106,4 @@ OCSetHeaderOption
 OCGetHeaderOption
 OCGetDeviceId
 OCSetDeviceId
+FindResourceByUri
diff --git a/resource/csdk/security/src/secureresourcemanager.c b/resource/csdk/security/src/secureresourcemanager.c
index f9644d4..694c646 100644
--- a/resource/csdk/security/src/secureresourcemanager.c
+++ b/resource/csdk/security/src/secureresourcemanager.c
@@ -32,6 +32,8 @@
 #include "securevirtualresourcetypes.h"
 #include "secureresourcemanager.h"
 #include "srmresourcestrings.h"
+#include "ocresourcehandler.h"
+
 #ifdef __WITH_TLS__
 #include "pkix_interface.h"
 #endif //__WITH_TLS__
@@ -137,6 +139,7 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ
 {
     OIC_LOG(DEBUG, TAG, "Received request from remote device");
 
+    bool isRequestOverSecureChannel = false;
     if (!endPoint || !requestInfo)
     {
         OIC_LOG(ERROR, TAG, "Invalid arguments");
@@ -145,8 +148,16 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ
 
     // Copy the subjectID
     OicUuid_t subjectId = {.id = {0}};
+    OicUuid_t nullSubjectId = {.id = {0}};
     memcpy(subjectId.id, requestInfo->info.identity.id, sizeof(subjectId.id));
 
+    // if subject id is null that means request is sent thru coap.
+    if (memcmp(subjectId.id, nullSubjectId.id, sizeof(subjectId.id)) != 0)
+    {
+        OIC_LOG(INFO, TAG, "request over secure channel");
+        isRequestOverSecureChannel = true;
+    }
+
     //Check the URI has the query and skip it before checking the permission
     char *uri = strstr(requestInfo->info.resourceUri, "?");
     int position = 0;
@@ -170,6 +181,33 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ
 
     SetResourceRequestType(&g_policyEngineContext, newUri);
 
+     // Form a 'Error', 'slow response' or 'access deny' response and send to peer
+    CAResponseInfo_t responseInfo = {.result = CA_EMPTY};
+    memcpy(&responseInfo.info, &(requestInfo->info), sizeof(responseInfo.info));
+    responseInfo.info.payload = NULL;
+    responseInfo.info.dataType = CA_RESPONSE_DATA;
+
+    OCResource *resPtr = FindResourceByUri(newUri);
+    if (NULL != resPtr)
+    {
+        // check whether request is for secure resource or not and it should not be a SVR resource
+        if (((resPtr->resourceProperties) & OC_SECURE)
+                            && (g_policyEngineContext.resourceType == NOT_A_SVR_RESOURCE))
+        {
+           // if resource is secure and request is over insecure channel
+            if (!isRequestOverSecureChannel)
+            {
+                // Reject all the requests over coap for secure resource.
+                responseInfo.result = CA_FORBIDDEN_REQ;
+                if (CA_STATUS_OK != CASendResponse(endPoint, &responseInfo))
+                {
+                    OIC_LOG(ERROR, TAG, "Failed in sending response to a unauthorized request!");
+                }
+                return;
+            }
+        }
+    }
+
     //New request are only processed if the policy engine state is AWAITING_REQUEST.
     if (AWAITING_REQUEST == g_policyEngineContext.state)
     {
@@ -190,12 +228,6 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ
         return;
     }
 
-    // Form a 'Error', 'slow response' or 'access deny' response and send to peer
-    CAResponseInfo_t responseInfo = {.result = CA_EMPTY};
-    memcpy(&responseInfo.info, &(requestInfo->info), sizeof(responseInfo.info));
-    responseInfo.info.payload = NULL;
-    responseInfo.info.dataType = CA_RESPONSE_DATA;
-
     VERIFY_NON_NULL(TAG, gRequestHandler, ERROR);
 
     if (ACCESS_WAITING_FOR_AMS == response)
diff --git a/resource/csdk/stack/include/internal/ocresourcehandler.h b/resource/csdk/stack/include/internal/ocresourcehandler.h
index ba25f5d..fbc1b9b 100644
--- a/resource/csdk/stack/include/internal/ocresourcehandler.h
+++ b/resource/csdk/stack/include/internal/ocresourcehandler.h
@@ -25,6 +25,10 @@
 #include "ocstackinternal.h"
 #include "ocserverrequest.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif // __cplusplus
+
 /**
  * Common JSON string components used by the stack to build JSON strings.
  * These details are exposed in ocstackconfig.h file in the form of documentation.
@@ -185,5 +189,8 @@ OCStackResult BuildResponseRepresentation(const OCResource *resourcePtr,
  */
 OCStackResult EntityHandlerCodeToOCStackCode(OCEntityHandlerResult ehResult);
 
+#ifdef __cplusplus
+}
+#endif // __cplusplus
 #endif //OC_RESOURCEHANDLER_H