From b92faaa834423bb97f615ec0c679c5157fd9078d Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Wed, 22 Feb 2017 17:48:32 -0800
Subject: [PATCH] [IOT-1841] Allow OT sessions to post to /pstat

Until yesterday, IOT-1831 was hiding IOT-1841, a bug in the implementation of IOT-1801.

Change-Id: Icada8099f8c4cef9c271db8f672caa55cd63f0f5
Signed-off-by: Dan Mihai
Reviewed-on: https://gerrit.iotivity.org/gerrit/17459
Reviewed-by: Kevin Kane
Tested-by: jenkins-iotivity
Reviewed-by: Greg Zaverucha
Reviewed-by: Nathan Heldt-Sheller
---
 resource/csdk/connectivity/api/cacommon.h | 2 +-
 resource/csdk/security/src/policyengine.c | 25 ++++++++++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/resource/csdk/connectivity/api/cacommon.h b/resource/csdk/connectivity/api/cacommon.h
index 319200b..ef60fc9 100755
--- a/resource/csdk/connectivity/api/cacommon.h
+++ b/resource/csdk/connectivity/api/cacommon.h
@@ -330,7 +330,7 @@ typedef struct
 /**
 * Endpoint used for security administration - a special type of identity that
 * bypasses Access Control Entry checks for SVR resources, while the device is
- * not owned yet.
+ * not ready for normal operation yet.
 */
 #define CA_SECURE_ENDPOINT_ATTRIBUTE_ADMINISTRATOR 0x1
diff --git a/resource/csdk/security/src/policyengine.c b/resource/csdk/security/src/policyengine.c
index 9f056ca..b0582ec 100644
--- a/resource/csdk/security/src/policyengine.c
+++ b/resource/csdk/security/src/policyengine.c
@@ -118,10 +118,22 @@ static bool IsRequestFromDevOwner(SRMRequestContext_t *context)
 __func__, retVal ? "" : "NOT ");
 }
+ return retVal;
+}
+
+/**
+ * Check if the request has been received from a session used for Ownership Transfer.
+ *
+ * @return true if the CA_SECURE_ENDPOINT_ATTRIBUTE_ADMINISTRATOR bit is set, else false.
+ */
+static bool IsRequestFromOwnershipTransferSession(SRMRequestContext_t *context)
+{
+ bool retVal = false;
+
 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
 //Ownership Transfer sessions are allowed to bypass SVR ACEs, while this
- //Device is not owned yet.
- if (!retVal && (NULL != context->endPoint))
+ //Device is not ready for normal operation yet.
+ if ((NULL != context) && (NULL != context->endPoint))
 {
 uint32_t allAttributes;
 if (CAGetSecureEndpointAttributes(context->endPoint, &allAttributes) &&
@@ -449,7 +461,7 @@ static void ProcessAccessRequest(SRMRequestContext_t *context)
 }
 else
 {
- OIC_LOG_V(INFO, TAG, "%s:no ACL found matching subject for resource %s",
+ OIC_LOG_V(INFO, TAG, "%s:no ACE found matching subject for resource %s",
 __func__, context->resourceUri);
 }
 } while ((NULL != currentAce)
@@ -519,6 +531,13 @@ void CheckPermission(SRMRequestContext_t *context)
 }
 }
 #endif //MULTIPLE_OWNER
+ else if (!GetPstatIsop() &&
+ (NOT_A_SVR_RESOURCE != context->resourceType) &&
+ IsRequestFromOwnershipTransferSession(context))
+ {
+ OIC_LOG(INFO, TAG, "CheckPermission: granting access to OT session request");
+ context->responseVal = ACCESS_GRANTED;
+ }
 // Else request is a "normal" request that must be tested against ACL.
 else
 {
--
2.7.4
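Review bot: The doc comment added for IsRequestFromOwnershipTransferSession describes only the attribute test and leaves out the cases where the function answers false without inspecting the session: a NULL `context` or `context->endPoint`, and, as far as the visible lines show, any build where neither `__WITH_DTLS__` nor `__WITH_TLS__` is defined. Because this predicate now feeds an ACE bypass in CheckPermission, I would add a `@param context` line and a sentence stating that it checks only the endpoint attribute and says nothing about device state, so every caller has to gate on that itself (CheckPermission does, with `!GetPstatIsop()`). The function body continues past the end of this hunk, so its tail is not visible here.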
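Review bot: The new `else if` branch in CheckPermission sets `ACCESS_GRANTED` for every SVR and every request method, which is wider than the commit subject ("post to /pstat"); its only conditions are `!GetPstatIsop()`, a type other than `NOT_A_SVR_RESOURCE`, and the administrator attribute. If that breadth is intended, as the cacommon.h comment suggests, the branch should say so, for example `// OT sessions bypass ACE checks for all SVRs until GetPstatIsop() returns true.`. Since this is an ACE bypass, the log line should also name the resource so that grants can be audited: `OIC_LOG_V(INFO, TAG, "%s: granting access to OT session request for %s", __func__, context->resourceUri);`. CheckPermission starts and ends outside the hunk, so the earlier branches of the chain are not visible here.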