Merge pull request #577 from openweave/feature/CredentialCaching

Access Control relaxation for fetching device credentials over a PASE session

Author: Jay Logue

src/lib/core/WeaveFabricState.cpp

@@ -278,6 +278,8 @@ WEAVE_ERROR WeaveFabricState::Init(GroupKeyStoreBase *groupKeyStore)
 
 #endif
 
+    sessionEndCallbackList = NULL;
+
     State = kState_Initialized;
 
     return WEAVE_NO_ERROR;
@@ -382,6 +384,8 @@ WEAVE_ERROR WeaveFabricState::RemoveSessionKey(uint16_t keyId, uint64_t peerNode
 
     RemoveSessionKey(sessionKey);
 
+    NotifySessionEndSubscribers(keyId, peerNodeId);
+
 exit:
     return err;
 }
@@ -1312,6 +1316,59 @@ bool WeaveFabricState::FindOrAllocPeerEntry(uint64_t peerNodeId, bool allocEntry
     return retVal;
 }
 
+/*
+ * This method is used by provisioning servers to register callbacks with the
+ * WeaveFabricState to be notified when the current session is closed.
+ *
+ * @param[in]  sessionEndCb       The context containing the callback function
+ *                                pointer.
+ *
+ * @retval WEAVE_ERROR            Weave error encountered.
+ *
+ */
+WEAVE_ERROR WeaveFabricState::RegisterSessionEndCallback(SessionEndCbCtxt *sessionEndCb)
+{
+    WEAVE_ERROR err = WEAVE_NO_ERROR;
+    SessionEndCbCtxt *iter = sessionEndCallbackList;
+
+    VerifyOrExit(sessionEndCb, err = WEAVE_ERROR_INVALID_ARGUMENT);
+
+    sessionEndCb->next = NULL;
+    if (sessionEndCallbackList == NULL)
+    {
+        sessionEndCallbackList = sessionEndCb;
+        ExitNow();
+    }
+
+    while (iter->next)
+    {
+        iter = iter->next;
+    }
+
+    iter->next = sessionEndCb;
+
+exit:
+    return err;
+}
+
+/*
+ * Notify the registered callbacks when the given session is closed and removed
+ * from the session table.
+ */
+void WeaveFabricState::NotifySessionEndSubscribers(uint16_t keyId, uint64_t peerNodeId)
+{
+    SessionEndCbCtxt *iter = sessionEndCallbackList;
+
+    while (iter)
+    {
+        if (iter->OnSessionRemoved)
+        {
+            iter->OnSessionRemoved(keyId, peerNodeId, iter->context);
+        }
+        iter = iter->next;
+    }
+}
+
 WEAVE_ERROR WeaveFabricState::GetPassword(uint8_t pwSrc, const char *& ps, uint16_t& pwLen)
 {
     switch (pwSrc)

src/lib/core/WeaveFabricState.h

@@ -506,7 +506,6 @@ class NL_DLL_EXPORT WeaveFabricState
     IPAddress ListenIPv6Addr;
 #endif
 
-
     WEAVE_ERROR Init(void);
     WEAVE_ERROR Init(nl::Weave::Profiles::Security::AppKeys::GroupKeyStoreBase *groupKeyStore);
     WEAVE_ERROR Shutdown(void);
@@ -568,6 +567,18 @@ class NL_DLL_EXPORT WeaveFabricState
     WEAVE_ERROR CheckMsgEncForAppGroup(const WeaveMessageInfo *msgInfo, uint32_t appGroupGlobalId, uint32_t rootKeyId, bool requireRotatingKey);
 #endif // WEAVE_CONFIG_USE_APP_GROUP_KEYS_FOR_MSG_ENC
 
+    typedef void (*SessionEndCbFunct)(uint16_t keyId, uint64_t peerNodeId, void *context);
+
+    // Callback context provided by provisioning servers when registering with
+    // WeaveFabricState to be notified when session ends.
+    struct SessionEndCbCtxt
+    {
+        SessionEndCbFunct OnSessionRemoved;
+        void *context;
+        SessionEndCbCtxt *next;
+    };
+
+    WEAVE_ERROR RegisterSessionEndCallback(SessionEndCbCtxt *sessionEndCb);
 private:
     PeerIndexType PeerCount;
     MonotonicallyIncreasingCounter NextUnencUDPMsgId;
@@ -619,6 +630,11 @@ class NL_DLL_EXPORT WeaveFabricState
     // Record of all active shared session end nodes.
     SharedSessionEndNode SharedSessionsNodes[WEAVE_CONFIG_MAX_SHARED_SESSIONS_END_NODES];
 
+    // Linked list of registered modules to be notified when session closes
+    SessionEndCbCtxt *sessionEndCallbackList;
+
+    void NotifySessionEndSubscribers(uint16_t keyId, uint64_t peerNodeId);
+
     bool FindSharedSessionEndNode(uint64_t endNodeId, const WeaveSessionKey *sessionKey);
 
 #if WEAVE_CONFIG_USE_APP_GROUP_KEYS_FOR_MSG_ENC

src/lib/profiles/fabric-provisioning/FabricProvisioning.cpp

@@ -67,14 +67,22 @@ FabricProvisioningServer::FabricProvisioningServer()
  */
 WEAVE_ERROR FabricProvisioningServer::Init(WeaveExchangeManager *exchangeMgr)
 {
+    WEAVE_ERROR err = WEAVE_NO_ERROR;
+
     FabricState = exchangeMgr->FabricState;
     ExchangeMgr = exchangeMgr;
     mDelegate = NULL;
     mCurClientOp = NULL;
+    memset(&mFabricConfigAccessSession, 0, sizeof(mFabricConfigAccessSession));
 
     // Register to receive unsolicited Service Provisioning messages from the exchange manager.
-    WEAVE_ERROR err =
+    err =
         ExchangeMgr->RegisterUnsolicitedMessageHandler(kWeaveProfile_FabricProvisioning, HandleClientRequest, this);
+    SuccessOrExit(err);
+
+    err = RegisterSessionEndCallbackWithFabricState();
+
+exit:
 
     return err;
 }
@@ -152,6 +160,55 @@ WEAVE_ERROR FabricProvisioningServer::SendStatusReport(uint32_t statusProfileId,
     return err;
 }
 
+/**
+ * Indicates if the session with the given node id and the session key id is
+ * authorized to retrieve fabric config information.
+ *
+ * @return Returns 'true' if the given peer is privileged, else
+ * 'false'.
+ */
+
+bool FabricProvisioningServer::SessionHasFabricConfigAccessPrivilege(uint16_t keyId, uint64_t peerNodeId) const
+{
+    return (peerNodeId == mFabricConfigAccessSession.PeerNodeId &&
+            keyId == mFabricConfigAccessSession.SessionKeyId);
+}
+
+void FabricProvisioningServer::GrantFabricConfigAccessPrivilege(uint16_t keyId, uint64_t peerNodeId)
+{
+    mFabricConfigAccessSession.PeerNodeId = peerNodeId;
+    mFabricConfigAccessSession.SessionKeyId = keyId;
+}
+
+void FabricProvisioningServer::ClearFabricConfigAccessPrivilege(void)
+{
+    memset(&mFabricConfigAccessSession, 0, sizeof(mFabricConfigAccessSession));
+}
+
+void FabricProvisioningServer::HandleSessionEnd(uint16_t keyId, uint64_t peerNodeId, void *context)
+{
+    FabricProvisioningServer *server = static_cast<FabricProvisioningServer *>(context);
+
+    // Clear the privileged session when notified of its removal by FabricState
+    if (server->SessionHasFabricConfigAccessPrivilege(keyId, peerNodeId))
+    {
+        server->ClearFabricConfigAccessPrivilege();
+    }
+}
+
+WEAVE_ERROR FabricProvisioningServer::RegisterSessionEndCallbackWithFabricState(void)
+{
+    WEAVE_ERROR err = WEAVE_NO_ERROR;
+
+    mSessionEndCbCtxt.OnSessionRemoved = HandleSessionEnd;
+    mSessionEndCbCtxt.context = this;
+    mSessionEndCbCtxt.next = NULL;
+
+    err = FabricState->RegisterSessionEndCallback(&mSessionEndCbCtxt);
+
+    return err;
+}
+
 void FabricProvisioningServer::HandleClientRequest(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
                                                    uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf)
 {
@@ -210,6 +267,13 @@ void FabricProvisioningServer::HandleClientRequest(ExchangeContext *ec, const IP
             server->FabricState->ClearFabricState();
         SuccessOrExit(err);
 
+        if (msgInfo->EncryptionType != kWeaveEncryptionType_None &&
+            WeaveKeyId::IsSessionKey(msgInfo->KeyId))
+        {
+            // Authorize the current session for privileged access to secret fabric config information
+            server->GrantFabricConfigAccessPrivilege(msgInfo->KeyId, msgInfo->SourceNodeId);
+        }
+
         break;
 
     case kMsgType_LeaveFabric:
@@ -310,6 +374,10 @@ void FabricProvisioningServer::HandleClientRequest(ExchangeContext *ec, const IP
 void FabricProvisioningDelegate::EnforceAccessControl(ExchangeContext *ec, uint32_t msgProfileId, uint8_t msgType,
         const WeaveMessageInfo *msgInfo, AccessControlResult& result)
 {
+#if WEAVE_CONFIG_REQUIRE_AUTH_FABRIC_PROV
+    FabricProvisioningServer *server = static_cast<FabricProvisioningServer *>(ec->AppState);
+#endif
+
     // If the result has not already been determined by a subclass...
     if (result == kAccessControlResult_NotDetermined)
     {
@@ -328,7 +396,9 @@ void FabricProvisioningDelegate::EnforceAccessControl(ExchangeContext *ec, uint3
 
         case kMsgType_LeaveFabric:
         case kMsgType_GetFabricConfig:
-            if (msgInfo->PeerAuthMode == kWeaveAuthMode_CASE_AccessToken)
+            if (msgInfo->PeerAuthMode == kWeaveAuthMode_CASE_AccessToken ||
+                (msgInfo->PeerAuthMode == kWeaveAuthMode_PASE_PairingCode && !IsPairedToAccount() &&
+                 server->SessionHasFabricConfigAccessPrivilege(msgInfo->KeyId, msgInfo->SourceNodeId)))
             {
                 result = kAccessControlResult_Accepted;
             }

src/lib/profiles/fabric-provisioning/FabricProvisioning.h

@@ -187,6 +187,9 @@ class NL_DLL_EXPORT FabricProvisioningServer : public WeaveServerBase
 
     void SetDelegate(FabricProvisioningDelegate *delegate);
 
+    // Check if the session is marked as privileged to retrieve fabric config information.
+    bool SessionHasFabricConfigAccessPrivilege(uint16_t keyId, uint64_t peerNodeId) const;
+
     virtual WEAVE_ERROR SendSuccessResponse(void);
     virtual WEAVE_ERROR SendStatusReport(uint32_t statusProfileId, uint16_t statusCode, WEAVE_ERROR sysError = WEAVE_NO_ERROR);
 
@@ -198,7 +201,27 @@ class NL_DLL_EXPORT FabricProvisioningServer : public WeaveServerBase
     static void HandleClientRequest(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo, uint32_t profileId,
             uint8_t msgType, PacketBuffer *payload);
 
+    // Utility functions for managing registration with/notification from WeaveFabricState
+    // about whether the current security session is privileged to
+    // access fabric config information.
+    void GrantFabricConfigAccessPrivilege(uint16_t keyId, uint64_t peerNodeId);
+    void ClearFabricConfigAccessPrivilege(void);
+    static void HandleSessionEnd(uint16_t keyId, uint64_t peerNodeId, void *context);
+    WEAVE_ERROR RegisterSessionEndCallbackWithFabricState(void);
+
+    // Indicates the session that is privileged to
+    // retrieve fabric config information.
+    struct FabricConfigAccessSession
+    {
+        uint64_t PeerNodeId;
+        uint16_t SessionKeyId;
+    };
+    FabricConfigAccessSession mFabricConfigAccessSession;
+
+    nl::Weave::WeaveFabricState::SessionEndCbCtxt mSessionEndCbCtxt;
+
     FabricProvisioningServer(const FabricProvisioningServer&);   // not defined
+
 };
 
 

src/lib/profiles/network-provisioning/NetworkProvisioning.cpp

@@ -66,17 +66,25 @@ NetworkProvisioningServer::NetworkProvisioningServer()
  */
 WEAVE_ERROR NetworkProvisioningServer::Init(WeaveExchangeManager *exchangeMgr)
 {
+    WEAVE_ERROR err = WEAVE_NO_ERROR;
+
     ExchangeMgr = exchangeMgr;
     FabricState = exchangeMgr->FabricState;
     mCurOp = NULL;
     mDelegate = NULL;
     mLastOpResult.StatusProfileId = kWeaveProfile_Common;
     mLastOpResult.StatusCode = Common::kStatus_Success;
     mLastOpResult.SysError = WEAVE_NO_ERROR;
+    memset(&mCredentialAccessSession, 0, sizeof(mCredentialAccessSession));
 
     // Register to receive unsolicited Network Provisioning messages from the exchange manager.
-    WEAVE_ERROR err =
+    err =
         ExchangeMgr->RegisterUnsolicitedMessageHandler(kWeaveProfile_NetworkProvisioning, HandleRequest, this);
+    SuccessOrExit(err);
+
+    err = RegisterSessionEndCallbackWithFabricState();
+
+exit:
 
     return err;
 }
@@ -196,6 +204,14 @@ WEAVE_ERROR NetworkProvisioningServer::SendAddNetworkComplete(uint32_t networkId
     VerifyOrExit(mDelegate != NULL, err = WEAVE_ERROR_INCORRECT_STATE);
     VerifyOrExit(mCurOp != NULL, err = WEAVE_ERROR_INCORRECT_STATE);
 
+    // Authorize the current session for privileged access to secret
+    // credential information.
+    if (mCurOp->EncryptionType != kWeaveEncryptionType_None &&
+        WeaveKeyId::IsSessionKey(mCurOp->KeyId))
+    {
+        GrantCredentialAccessPrivilege(mCurOp->KeyId, mCurOp->PeerNodeId);
+    }
+
     respBuf = PacketBuffer::NewWithAvailableSize(respLen);
     VerifyOrExit(respBuf != NULL, err = WEAVE_ERROR_NO_MEMORY);
 
@@ -306,6 +322,55 @@ WEAVE_ERROR NetworkProvisioningServer::SendStatusReport(uint32_t statusProfileId
     return err;
 }
 
+/**
+ * Indicates if the session with the given node id and the session key id is
+ * authorized to retrieve secret credential information.
+ *
+ * @return Returns 'true' if the given peer is privileged, else
+ * 'false'.
+ */
+
+bool NetworkProvisioningServer::SessionHasCredentialAccessPrivilege(uint16_t keyId, uint64_t peerNodeId) const
+{
+    return (peerNodeId == mCredentialAccessSession.PeerNodeId &&
+            keyId == mCredentialAccessSession.SessionKeyId);
+}
+
+void NetworkProvisioningServer::GrantCredentialAccessPrivilege(uint16_t keyId, uint64_t peerNodeId)
+{
+    mCredentialAccessSession.PeerNodeId = peerNodeId;
+    mCredentialAccessSession.SessionKeyId = keyId;
+}
+
+void NetworkProvisioningServer::ClearCredentialAccessPrivilege(void)
+{
+    memset(&mCredentialAccessSession, 0, sizeof(mCredentialAccessSession));
+}
+
+void NetworkProvisioningServer::HandleSessionEnd(uint16_t keyId, uint64_t peerNodeId, void *context)
+{
+    NetworkProvisioningServer *server = static_cast<NetworkProvisioningServer *>(context);
+
+    // Clear the privileged session when notified of its removal by FabricState
+    if (server->SessionHasCredentialAccessPrivilege(keyId, peerNodeId))
+    {
+        server->ClearCredentialAccessPrivilege();
+    }
+}
+
+WEAVE_ERROR NetworkProvisioningServer::RegisterSessionEndCallbackWithFabricState(void)
+{
+    WEAVE_ERROR err = WEAVE_NO_ERROR;
+
+    mSessionEndCbCtxt.OnSessionRemoved = HandleSessionEnd;
+    mSessionEndCbCtxt.context = this;
+    mSessionEndCbCtxt.next = NULL;
+
+    err = FabricState->RegisterSessionEndCallback(&mSessionEndCbCtxt);
+
+    return err;
+}
+
 void NetworkProvisioningServer::HandleRequest(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo, uint32_t profileId,
         uint8_t msgType, PacketBuffer *payload)
 {
@@ -406,9 +471,11 @@ void NetworkProvisioningServer::HandleRequest(ExchangeContext *ec, const IPPacke
         // According to Weave Device Access Control Policy,
         // When servicing a GetNetworks message from a peer that has authenticated using PASE/PairingCode,
         // a device in an unpaired state must reject the message with an access denied error if the peer has
-        // set the IncludeCredentials flag.
+        // set the IncludeCredentials flag and the current session is not privileged to retrieve secret
+        // credentials.
         if (msgInfo->PeerAuthMode == kWeaveAuthMode_PASE_PairingCode && !delegate->IsPairedToAccount()
-                && (flags & kGetNetwork_IncludeCredentials) != 0)
+                && (flags & kGetNetwork_IncludeCredentials) != 0
+                && !server->SessionHasCredentialAccessPrivilege(msgInfo->KeyId, msgInfo->SourceNodeId))
         {
             server->SendStatusReport(kWeaveProfile_Common, Common::kStatus_AccessDenied);
             break;