From 600e4fba5f312054d9b534395d7db0367f9ddf3c Mon Sep 17 00:00:00 2001
From: Nathan Heldt-Sheller
Date: Mon, 21 Nov 2016 11:41:01 -0800
Subject: [PATCH] [IOT-1582] Change "PUT" to count as "Create" and never as "Update"
Per Core Spec conventions, even though PUT is technically legal for Create or Update, PUT is only ever used for Create. Therefore we need to change the CRUDN permission bit check in security layer. Updated Readme.scons.txt and README-building-and-running-secure-IoTivity- stack.txt to clarify build and use of secure IoTivity stack.
Change-Id: Id362c9c0225e53240b2d1f844c5f05d55cfa2938
Signed-off-by: Nathan Heldt-Sheller
Reviewed-on: https://gerrit.iotivity.org/gerrit/14579
Tested-by: jenkins-iotivity
Reviewed-by: Phil Coval
Reviewed-by: Kevin Kane
Reviewed-by: Craig Pratt
Reviewed-by: Greg Zaverucha
Reviewed-by: Uze Choi
(cherry picked from commit da4ccd548c926669896e844a672edb32f8de6d70)
Reviewed-on: https://gerrit.iotivity.org/gerrit/14719
Reviewed-by: Randeep Singh
---
 Readme.scons.txt | 4 ++
 ...-building-and-running-secure-IoTivity-stack.txt | 53 +++++++++++++++++++---
 resource/csdk/security/src/policyengine.c | 9 +++-
 .../samples/linux/secure/occlientbasicops.cpp | 23 +++++++---
 .../samples/linux/secure/ocserverbasicops.cpp | 5 +-
 5 files changed, 77 insertions(+), 17 deletions(-)
diff --git a/Readme.scons.txt b/Readme.scons.txt
index cc56b27..c1a94a4 100644
--- a/Readme.scons.txt
+++ b/Readme.scons.txt
@@ -31,6 +31,10 @@ message to install tinycbor)
 ('' is the path to 'iotivity' project. If your device is x86, arm, or arm64, please change 'x86_64' to the proper arch)
+3. To build and test IoTivity with Security enabled (required for certification)
+follow the instructions found in:
+ /resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt
+
 == How to build IoTivity projects ==
 IoTivity includes a series of projects. You can find all these projects here: 
diff --git a/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt b/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt
index bc19b1b..4ab7597 100644
--- a/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt
+++ b/resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt
@@ -1,6 +1,18 @@
-LAST UPDATED 9/29/2016
+LAST UPDATED 11/20/2016
-To build the IoTivity stack with the security features enabled:
+To prepare the environment for building IoTivity:
+
+1) Install the tools and libraries for building IoTivity by following the
+ instructions in the /Readme.scons.txt file.
+
+2) In addition, install the sqlite3 developer library:
+ $ sudo apt-get install libsqlite3-dev
+
+3) Finally, download the mbedtls library:
+ $ git clone https://github.com/ARMmbed/mbedtls.git extlibs/mbedtls/mbedtls
+
+To build the IoTivity stack with the security features enabled (required for
+ certification):
 1) Build IoTivity with security enabled:
 $ cd 
@@ -11,10 +23,39 @@ To build the IoTivity stack with the security features enabled:
 $ export LD_LIBRARY_PATH=/out/<...>/release
 $ ./ocserverbasicops &
 $ ./occlientbasicops -t 1
- NOTE: Console messages below indicate success:
+ NOTE: Console messages below indicate success (may not be at bottom of
+ response printout... search up a page or so on the console):
 "INFO: occlientbasicops: Uri -- /a/led
- INFO: occlientbasicops: SECUREPORT udp: 51516
+ INFO: occlientbasicops: SECUREPORT udp: 51516 <-- actual port may differ
 INFO: occlientbasicops: Secure -- YES"
+ Press to quit occlientbasicops, then run:
 $ ./occlientbasicops -t 2
- NOTE: Completion of 'GET' and 'PUT' query to /a/led indicates success!
-
+ NOTE: receipt of of 'Get Response', 'Put Response' and 'Post Response'
+ from /a/led indicates success.
+ Example Response:
+ "33:43.222 INFO: occlientbasicops: Callback Context for PUT recvd successfully
+ 33:43.222 INFO: occlientbasicops: StackResult: OC_STACK_UNAUTHORIZED_REQ
+ 33:43.222 INFO: PayloadLog: NULL Payload
+ 33:43.222 INFO: occlientbasicops: =============> Put Response
+ 33:43.326 INFO: occlientbasicops: Callback Context for POST recvd successfully
+ 33:43.326 INFO: occlientbasicops: StackResult: UNKNOWN
+ 33:43.326 INFO: PayloadLog: Payload Type: Representation
+ 33:43.326 INFO: PayloadLog: Resource #1
+ 33:43.326 INFO: PayloadLog: Values:
+ 33:43.326 INFO: PayloadLog: createduri(string):/a/led/0
+ 33:43.326 INFO: occlientbasicops: =============> Post Response
+ 33:43.426 INFO: occlientbasicops: Callback Context for POST recvd successfully
+ 33:43.426 INFO: occlientbasicops: StackResult: UNKNOWN
+ 33:43.426 INFO: PayloadLog: Payload Type: Representation
+ 33:43.426 INFO: PayloadLog: Resource #1
+ 33:43.426 INFO: PayloadLog: Values:
+ 33:43.426 INFO: PayloadLog: createduri(string):/a/led/1
+ 33:43.426 INFO: occlientbasicops: =============> Post Response
+ 33:43.526 INFO: occlientbasicops: Callback Context for POST recvd successfully
+ 33:43.526 INFO: 
occlientbasicops: StackResult: UNKNOWN
+ 33:43.526 INFO: PayloadLog: Payload Type: Representation
+ 33:43.526 INFO: PayloadLog: Resource #1
+ 33:43.526 INFO: PayloadLog: Values:
+ 33:43.526 INFO: PayloadLog: state(bool):true
+ 33:43.526 INFO: PayloadLog: power(int):15
+ 33:43.526 INFO: occlientbasicops: =============> Post Response"
diff --git a/resource/csdk/security/src/policyengine.c b/resource/csdk/security/src/policyengine.c
index 5aea971..d5ba721 100644
--- a/resource/csdk/security/src/policyengine.c
+++ b/resource/csdk/security/src/policyengine.c
@@ -47,10 +47,15 @@ uint16_t GetPermissionFromCAMethod_t(const CAMethod_t method)
 case CA_GET:
 perm = (uint16_t)PERMISSION_READ;
 break;
- case CA_POST: // For now we treat all PUT & POST as Write
- case CA_PUT: // because we don't know if resource exists yet.
+ case CA_POST: // Treat all POST as Write (Update) because
+ // we don't know if resource exists yet.
+ // This will be addressed in IoTivity impl of OCF 1.0
 perm = (uint16_t)PERMISSION_WRITE;
 break;
+ case CA_PUT: // Per convention, OIC/OCF uses PUT only for Create,
+ // never for Update.
+ perm = (uint16_t)PERMISSION_CREATE;
+ break;
 case CA_DELETE:
 perm = (uint16_t)PERMISSION_DELETE;
 break;
diff --git a/resource/csdk/stack/samples/linux/secure/occlientbasicops.cpp b/resource/csdk/stack/samples/linux/secure/occlientbasicops.cpp
index 9890e39..10aa3ff 100644
--- a/resource/csdk/stack/samples/linux/secure/occlientbasicops.cpp
+++ b/resource/csdk/stack/samples/linux/secure/occlientbasicops.cpp
@@ -204,12 +204,12 @@ OCStackApplicationResult discoveryReqCB(void*, OCDoHandle,
 case TEST_NON_CON_OP:
 InitGetRequest(OC_LOW_QOS);
 InitPutRequest(OC_LOW_QOS);
- //InitPostRequest(OC_LOW_QOS);
+ InitPostRequest(OC_LOW_QOS);
 break;
 case TEST_CON_OP:
 InitGetRequest(OC_HIGH_QOS);
 InitPutRequest(OC_HIGH_QOS);
- //InitPostRequest(OC_HIGH_QOS);
+ InitPostRequest(OC_HIGH_QOS);
 break;
 }
 }
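Review bot: With the CA_PUT case now returning PERMISSION_CREATE, a PUT is authorized only by the Create bit, so an existing ACE that grants PERMISSION_WRITE to allow PUT silently stops working — the README hunk in this same commit already shows the sample client's PUT answered with OC_STACK_UNAUTHORIZED_REQ, and nothing at this case says that is the expected outcome for a Write-only ACE. Please state it in the comment, e.g. `// NOTE: an ACE granting only PERMISSION_WRITE no longer authorizes PUT; Create must be granted explicitly.` The remaining asymmetry deserves a sentence too: CA_POST still yields PERMISSION_WRITE although the sample server creates /a/led/0 and /a/led/1 on POST, so a subject holding only the Update bit can still create resources through POST while the Create bit is checked only for PUT — the "will be addressed in OCF 1.0" remark should say plainly that PERMISSION_CREATE is not enforced for POST-create today. How the caller tests the returned bit mask is outside the hunk, and GetPermissionFromCAMethod_t begins and ends outside it.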
@@ -219,7 +219,6 @@ OCStackApplicationResult discoveryReqCB(void*, OCDoHandle,
 return (UnicastDiscovery) ? OC_STACK_DELETE_TRANSACTION : OC_STACK_KEEP_TRANSACTION ;
 }
-
 int InitPutRequest(OCQualityOfService qos)
 {
 OIC_LOG_V(INFO, TAG, "Executing %s", __func__);
@@ -241,6 +240,10 @@ int InitPostRequest(OCQualityOfService qos)
 OIC_LOG_V(INFO, TAG, "Executing %s", __func__);
 std::ostringstream query;
 query << coapServerResource;
+ if(WithTcp)
+ {
+ endpoint.adapter = OC_ADAPTER_TCP;
+ }
 endpoint.flags = (OCTransportFlags)(endpoint.flags|OC_SECURE);
 // First POST operation (to create an LED instance)
@@ -262,10 +265,16 @@ int InitPostRequest(OCQualityOfService qos)
 OIC_LOG(INFO, TAG, "Second POST call did not succeed");
 }
- // This POST operation will update the original resourced /a/led
- return (InvokeOCDoResource(query, OC_REST_POST, &endpoint,
- ((qos == OC_HIGH_QOS) ? OC_HIGH_QOS: OC_LOW_QOS),
- postReqCB, NULL, 0));
+ // This POST operation will update the original resourced /a/led (as long as
+ // the server is set to max 2 /lcd resources)
+ result = InvokeOCDoResource(query, OC_REST_POST, &endpoint,
+ ((qos == OC_HIGH_QOS) ? OC_HIGH_QOS: OC_LOW_QOS),
+ postReqCB, NULL, 0);
+ if (OC_STACK_OK != result)
+ {
+ OIC_LOG(INFO, TAG, "Third POST call did not succeed");
+ }
+ return result;
 }
 int InitGetRequest(OCQualityOfService qos)
diff --git a/resource/csdk/stack/samples/linux/secure/ocserverbasicops.cpp b/resource/csdk/stack/samples/linux/secure/ocserverbasicops.cpp
index 61db06a..6ebc856 100644
--- a/resource/csdk/stack/samples/linux/secure/ocserverbasicops.cpp
+++ b/resource/csdk/stack/samples/linux/secure/ocserverbasicops.cpp
@@ -95,7 +95,8 @@ OCRepPayload* constructResponse (OCEntityHandlerRequest *ehRequest)
 gResourceUri = (char *) "/a/led/1";
 }
- if(OC_REST_PUT == ehRequest->method)
+ if(OC_REST_PUT == ehRequest->method
+ || OC_REST_POST == ehRequest->method)
 {
 // Get pointer to query
 int64_t pow; 
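Review bot: The new comment on the third POST says `max 2 /lcd resources`, but the resource this sample works against is /a/led (the ocserverbasicops hunk's `gResourceUri = (char *) "/a/led/1"` and the first POST's comment both say so); change it to `// the server is set to max 2 /a/led resources)`. The assignment `result = InvokeOCDoResource(...)` depends on `result` having been declared earlier in InitPostRequest — the `Second POST call` check at the top of the hunk suggests it is, but the declaration and the function's opening are outside the hunk, so confirm its type agrees with the `int` return. A failed request is logged with `OIC_LOG(INFO, TAG, "Third POST call did not succeed");`; logging it at ERROR would make the failure stand out in the console output the README now asks users to search through. The `if(WithTcp)` adapter selection presumably mirrors InitPutRequest and InitGetRequest, whose bodies are outside this hunk.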
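Review bot: Extending this branch to OC_REST_POST runs the payload parse below `// Get pointer to query` for POST requests too, and the ProcessPostRequest comment in this same commit says a POST may carry no representation (the resource is then created with defaults), so `ehRequest->payload` needs a NULL check before anything dereferences it, unless a guard already sits further down, which is outside the hunk. A minimal form is `if ((OC_REST_PUT == ehRequest->method || OC_REST_POST == ehRequest->method) && ehRequest->payload)`. Whether the existing PUT path already tolerated a NULL payload is not visible here; constructResponse begins and ends outside the hunk.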
@@ -168,7 +169,7 @@ OCEntityHandlerResult ProcessPostRequest (OCEntityHandlerRequest *ehRequest,
 * resource is created with default representation (if representation is included in
 * POST payload it can be used as initial values) as long as the instance is
 * lesser than max new instance count. Once max instance count is reached, POST on
- * /a/led updated the representation of /a/led (just like PUT)
+ * /a/led updated the representation of /a/led.
 */
 if (ehRequest->resource == LED.handle)
-- 
2.7.4
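Review bot: The rewritten line still says `POST on /a/led updated the representation`, past tense for present behaviour; `* /a/led updates the representation of /a/led.` reads as the contract it describes. ProcessPostRequest begins and ends outside the hunk.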