From 3bfb38f15b11c6b30d34fb041e03139d4a5c30d3 Mon Sep 17 00:00:00 2001 From: Nathan Heldt-Sheller Date: Thu, 29 Sep 2016 15:10:20 -0700 Subject: [PATCH] Change DevOwner access policy to address JIRA 1369 This changes the Policy Engine to grant requests from DevOwner without checking ACLs ONLY if the device is not in Ready for Normal Operation state, AND the request is for a SVR. Change-Id: I9aa4314cc2beb9fdb4629c1e63ea6971f7cc8909 Signed-off-by: Nathan Heldt-Sheller Reviewed-on: https://gerrit.iotivity.org/gerrit/12585 Tested-by: jenkins-iotivity Reviewed-by: Kevin Kane Reviewed-by: Randeep Singh (cherry picked from commit 7e0ed7dff05620d4cbcc335724a62bc0adbd4eaf) Reviewed-on: https://gerrit.iotivity.org/gerrit/12757 --- .../README-building-and-running-secure-IoTivity-stack.txt | 9 ++++++--- resource/csdk/security/src/policyengine.c | 10 +++++++--- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt b/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt index efb6851..bc19b1b 100644 --- a/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt +++ b/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt @@ -1,4 +1,4 @@ -LAST UPDATED 5/27/2015 +LAST UPDATED 9/29/2016 To build the IoTivity stack with the security features enabled: @@ -11,7 +11,10 @@ To build the IoTivity stack with the security features enabled: $ export LD_LIBRARY_PATH=/out/<...>/release $ ./ocserverbasicops & $ ./occlientbasicops -t 1 - Message "INFO: occlientbasicops: Secure -- YES" indicates success! + NOTE: Console messages below indicate success: + "INFO: occlientbasicops: Uri -- /a/led + INFO: occlientbasicops: SECUREPORT udp: 51516 + INFO: occlientbasicops: Secure -- YES" $ ./occlientbasicops -t 2 - Completion of 'GET' and 'PUT' query successfully indicates success! + NOTE: Completion of 'GET' and 'PUT' query to /a/led indicates success! 
diff --git a/resource/csdk/security/src/policyengine.c b/resource/csdk/security/src/policyengine.c
index fd9f2ed..43b721e 100644
--- a/resource/csdk/security/src/policyengine.c
+++ b/resource/csdk/security/src/policyengine.c
@@ -476,9 +476,13 @@ SRMAccessResponse_t CheckPermission(PEContext_t *context,
 CopyParamsToContext(context, subjectId, resource, requestedPermission);
 }
- // Before doing any processing, check if request coming
- // from DevOwner and if so, always GRANT.
- if (IsRequestFromDevOwner(context))
+ // Before doing any ACL processing, check if request a) coming
+ // from DevOwner AND b) the device is not in Ready for Normal Operation
+ // state (which in IoTivity is equivalent to isOp == true) AND c)
+ // the request is for a SVR resource. If all 3 are met, grant request.
+ if (IsRequestFromDevOwner(context) // if from DevOwner
+ && (GetPstatIsop() == false) // AND if isOp == false
+ && (context->resourceType != NOT_A_SVR_RESOURCE)) // AND if SVR type
 {
 context->retVal = ACCESS_GRANTED;
 }
-- 
2.7.4
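Review bot: The bypass in the new condition opens whenever `GetPstatIsop()` returns false, so it is only as safe as that getter's failure mode: if it also yields false while the pstat resource is missing or not yet loaded, a request identified as DevOwner reaches SVRs with no ACL evaluation in a state the change does not intend. The getter is not visible in this hunk, so that needs confirming, and the requirement deserves a comment on the condition such as `// GetPstatIsop() must report true (fail closed) when pstat is unavailable`. The read of `context->resourceType` is protected only by `&&` short-circuiting after `IsRequestFromDevOwner(context)`, and the field is presumably filled by `CopyParamsToContext` inside the conditional block that closes just above, so a call that skips that block may decide the bypass on a stale value. Because this branch grants access without consulting ACLs, a log line next to `context->retVal = ACCESS_GRANTED;` would make the bypass auditable. CheckPermission begins and ends outside the hunk.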