Merge pull request #21 from kedars/feature/cat_in_acl

Feature/CAT in ACL

Author: kedars

matter/src/acl.rs

@@ -15,7 +15,10 @@
  *    limitations under the License.
  */
 
-use std::sync::{Arc, Mutex, MutexGuard, RwLock};
+use std::{
+    fmt::Display,
+    sync::{Arc, Mutex, MutexGuard, RwLock},
+};
 
 use crate::{
     data_model::objects::{Access, Privilege},
@@ -24,6 +27,7 @@ use crate::{
     interaction_model::messages::GenericPath,
     sys::Psm,
     tlv::{FromTLV, TLVElement, TLVList, TLVWriter, TagType, ToTLV},
+    transport::session::MAX_CAT_IDS_PER_NOC,
     utils::writebuf::WriteBuf,
 };
 use log::error;
@@ -67,23 +71,112 @@ impl ToTLV for AuthMode {
     }
 }
 
+/// An accessor can have as many identities: one node id and Upto MAX_CAT_IDS_PER_NOC
+const MAX_ACCESSOR_SUBJECTS: usize = 1 + MAX_CAT_IDS_PER_NOC;
+/// The CAT Prefix used in Subjects
+pub const NOC_CAT_SUBJECT_PREFIX: u64 = 0xFFFF_FFFD_0000_0000;
+const NOC_CAT_ID_MASK: u64 = 0xFFFF_0000;
+const NOC_CAT_VERSION_MASK: u64 = 0xFFFF;
+
+fn is_noc_cat(id: u64) -> bool {
+    (id & NOC_CAT_SUBJECT_PREFIX) == NOC_CAT_SUBJECT_PREFIX
+}
+
+fn get_noc_cat_id(id: u64) -> u64 {
+    (id & NOC_CAT_ID_MASK) >> 16
+}
+
+fn get_noc_cat_version(id: u64) -> u64 {
+    id & NOC_CAT_VERSION_MASK
+}
+
+/// Generate CAT that is embeddedable in the NoC
+/// This only generates the 32-bit CAT ID
+pub fn gen_noc_cat(id: u16, version: u16) -> u32 {
+    ((id as u32) << 16) | version as u32
+}
+
+pub struct AccessorSubjects([u64; MAX_ACCESSOR_SUBJECTS]);
+
+impl AccessorSubjects {
+    pub fn new(id: u64) -> Self {
+        let mut a = Self(Default::default());
+        a.0[0] = id;
+        a
+    }
+
+    pub fn add_catid(&mut self, subject: u32) -> Result<(), Error> {
+        for (i, val) in self.0.iter().enumerate() {
+            if *val == 0 {
+                self.0[i] = NOC_CAT_SUBJECT_PREFIX | (subject as u64);
+                return Ok(());
+            }
+        }
+        Err(Error::NoSpace)
+    }
+
+    /// Match the match_subject with any of the current subjects
+    /// If a NOC CAT is specified, CAT aware matching is also performed
+    pub fn matches(&self, acl_subject: u64) -> bool {
+        for v in self.0.iter() {
+            if *v == 0 {
+                continue;
+            }
+
+            if *v == acl_subject {
+                return true;
+            } else {
+                // NOC CAT match
+                if is_noc_cat(*v)
+                    && is_noc_cat(acl_subject)
+                    && (get_noc_cat_id(*v) == get_noc_cat_id(acl_subject))
+                    && (get_noc_cat_version(*v) >= get_noc_cat_version(acl_subject))
+                {
+                    return true;
+                }
+            }
+        }
+
+        false
+    }
+}
+
+impl Display for AccessorSubjects {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::result::Result<(), std::fmt::Error> {
+        write!(f, "[")?;
+        for i in self.0 {
+            if is_noc_cat(i) {
+                write!(f, "CAT({} - {})", get_noc_cat_id(i), get_noc_cat_version(i))?;
+            } else if i != 0 {
+                write!(f, "{}, ", i)?;
+            }
+        }
+        write!(f, "]")
+    }
+}
+
 /// The Accessor Object
 pub struct Accessor {
     /// The fabric index of the accessor
     pub fab_idx: u8,
-    /// Accessor's identified: could be node-id, NoC CAT, group id
-    id: u64,
+    /// Accessor's subject: could be node-id, NoC CAT, group id
+    subjects: AccessorSubjects,
     /// The Authmode of this session
     auth_mode: AuthMode,
     // TODO: Is this the right place for this though, or should we just use a global-acl-handle-get
     acl_mgr: Arc<AclMgr>,
 }
 
 impl Accessor {
-    pub fn new(fab_idx: u8, id: u64, auth_mode: AuthMode, acl_mgr: Arc<AclMgr>) -> Self {
+    pub fn new(
+        fab_idx: u8,
+        subjects: AccessorSubjects,
+        auth_mode: AuthMode,
+        acl_mgr: Arc<AclMgr>,
+    ) -> Self {
         Self {
             fab_idx,
-            id,
+            subjects,
             auth_mode,
             acl_mgr,
         }
@@ -196,6 +289,10 @@ impl AclEntry {
         Ok(())
     }
 
+    pub fn add_subject_catid(&mut self, cat_id: u32) -> Result<(), Error> {
+        self.add_subject(NOC_CAT_SUBJECT_PREFIX | cat_id as u64)
+    }
+
     pub fn add_target(&mut self, target: Target) -> Result<(), Error> {
         let index = self
             .targets
@@ -215,7 +312,7 @@ impl AclEntry {
         let mut entries_exist = false;
         for i in self.subjects.iter().flatten() {
             entries_exist = true;
-            if accessor.id == *i {
+            if accessor.subjects.matches(*i) {
                 allow = true;
             }
         }
@@ -467,8 +564,8 @@ impl AclMgr {
             }
         }
         error!(
-            "ACL Disallow for src id {} fab idx {}",
-            req.accessor.id, req.accessor.fab_idx
+            "ACL Disallow for subjects {} fab idx {}",
+            req.accessor.subjects, req.accessor.fab_idx
         );
         error!("{}", self);
         false
@@ -490,6 +587,7 @@ impl std::fmt::Display for AclMgr {
 #[allow(clippy::bool_assert_comparison)]
 mod tests {
     use crate::{
+        acl::{gen_noc_cat, AccessorSubjects},
         data_model::objects::{Access, Privilege},
         interaction_model::messages::GenericPath,
     };
@@ -501,7 +599,7 @@ mod tests {
     fn test_basic_empty_subject_target() {
         let am = Arc::new(AclMgr::new_with(false).unwrap());
         am.erase_all();
-        let accessor = Accessor::new(2, 112233, AuthMode::Case, am.clone());
+        let accessor = Accessor::new(2, AccessorSubjects::new(112233), AuthMode::Case, am.clone());
         let path = GenericPath::new(Some(1), Some(1234), None);
         let mut req = AccessReq::new(&accessor, &path, Access::READ);
         req.set_target_perms(Access::RWVA);
@@ -529,7 +627,7 @@ mod tests {
     fn test_subject() {
         let am = Arc::new(AclMgr::new_with(false).unwrap());
         am.erase_all();
-        let accessor = Accessor::new(2, 112233, AuthMode::Case, am.clone());
+        let accessor = Accessor::new(2, AccessorSubjects::new(112233), AuthMode::Case, am.clone());
         let path = GenericPath::new(Some(1), Some(1234), None);
         let mut req = AccessReq::new(&accessor, &path, Access::READ);
         req.set_target_perms(Access::RWVA);
@@ -547,11 +645,81 @@ mod tests {
         assert_eq!(req.allow(), true);
     }
 
+    #[test]
+    fn test_cat() {
+        let am = Arc::new(AclMgr::new_with(false).unwrap());
+        am.erase_all();
+
+        let allow_cat = 0xABCD;
+        let disallow_cat = 0xCAFE;
+        let v2 = 2;
+        let v3 = 3;
+        // Accessor has nodeif and CAT 0xABCD_0002
+        let mut subjects = AccessorSubjects::new(112233);
+        subjects.add_catid(gen_noc_cat(allow_cat, v2)).unwrap();
+
+        let accessor = Accessor::new(2, subjects, AuthMode::Case, am.clone());
+        let path = GenericPath::new(Some(1), Some(1234), None);
+        let mut req = AccessReq::new(&accessor, &path, Access::READ);
+        req.set_target_perms(Access::RWVA);
+
+        // Deny for CAT id mismatch
+        let mut new = AclEntry::new(2, Privilege::VIEW, AuthMode::Case);
+        new.add_subject_catid(gen_noc_cat(disallow_cat, v2))
+            .unwrap();
+        am.add(new).unwrap();
+        assert_eq!(req.allow(), false);
+
+        // Deny of CAT version mismatch
+        let mut new = AclEntry::new(2, Privilege::VIEW, AuthMode::Case);
+        new.add_subject_catid(gen_noc_cat(allow_cat, v3)).unwrap();
+        am.add(new).unwrap();
+        assert_eq!(req.allow(), false);
+
+        // Allow for CAT match
+        let mut new = AclEntry::new(2, Privilege::VIEW, AuthMode::Case);
+        new.add_subject_catid(gen_noc_cat(allow_cat, v2)).unwrap();
+        am.add(new).unwrap();
+        assert_eq!(req.allow(), true);
+    }
+
+    #[test]
+    fn test_cat_version() {
+        let am = Arc::new(AclMgr::new_with(false).unwrap());
+        am.erase_all();
+
+        let allow_cat = 0xABCD;
+        let disallow_cat = 0xCAFE;
+        let v2 = 2;
+        let v3 = 3;
+        // Accessor has nodeif and CAT 0xABCD_0003
+        let mut subjects = AccessorSubjects::new(112233);
+        subjects.add_catid(gen_noc_cat(allow_cat, v3)).unwrap();
+
+        let accessor = Accessor::new(2, subjects, AuthMode::Case, am.clone());
+        let path = GenericPath::new(Some(1), Some(1234), None);
+        let mut req = AccessReq::new(&accessor, &path, Access::READ);
+        req.set_target_perms(Access::RWVA);
+
+        // Deny for CAT id mismatch
+        let mut new = AclEntry::new(2, Privilege::VIEW, AuthMode::Case);
+        new.add_subject_catid(gen_noc_cat(disallow_cat, v2))
+            .unwrap();
+        am.add(new).unwrap();
+        assert_eq!(req.allow(), false);
+
+        // Allow for CAT match and version more than ACL version
+        let mut new = AclEntry::new(2, Privilege::VIEW, AuthMode::Case);
+        new.add_subject_catid(gen_noc_cat(allow_cat, v2)).unwrap();
+        am.add(new).unwrap();
+        assert_eq!(req.allow(), true);
+    }
+
     #[test]
     fn test_target() {
         let am = Arc::new(AclMgr::new_with(false).unwrap());
         am.erase_all();
-        let accessor = Accessor::new(2, 112233, AuthMode::Case, am.clone());
+        let accessor = Accessor::new(2, AccessorSubjects::new(112233), AuthMode::Case, am.clone());
         let path = GenericPath::new(Some(1), Some(1234), None);
         let mut req = AccessReq::new(&accessor, &path, Access::READ);
         req.set_target_perms(Access::RWVA);
@@ -612,7 +780,8 @@ mod tests {
     fn test_privilege() {
         let am = Arc::new(AclMgr::new_with(false).unwrap());
         am.erase_all();
-        let accessor = Accessor::new(2, 112233, AuthMode::Case, am.clone());
+
+        let accessor = Accessor::new(2, AccessorSubjects::new(112233), AuthMode::Case, am.clone());
         let path = GenericPath::new(Some(1), Some(1234), None);
 
         // Create an Exact Match ACL with View privilege

matter/src/cert/mod.rs

@@ -318,6 +318,19 @@ impl DistNames {
                 }
             })
     }
+
+    fn u32_arr(&self, match_id: DnTags, output: &mut [u32]) {
+        let mut out_index = 0;
+        for (_, val) in self.dn.iter().filter(|(id, _)| *id == match_id as u8) {
+            if let DistNameValue::Uint(a) = val {
+                if out_index < output.len() {
+                    // CatIds are actually just 32-bit
+                    output[out_index] = *a as u32;
+                    out_index += 1;
+                }
+            }
+        }
+    }
 }
 
 const PRINTABLE_STR_THRESHOLD: u8 = 0x80;
@@ -543,6 +556,10 @@ impl Cert {
         self.subject.u64(DnTags::NodeId).ok_or(Error::NoNodeId)
     }
 
+    pub fn get_cat_ids(&self, output: &mut [u32]) {
+        self.subject.u32_arr(DnTags::NocCat, output)
+    }
+
     pub fn get_fabric_id(&self) -> Result<u64, Error> {
         self.subject.u64(DnTags::FabricId).ok_or(Error::NoFabricId)
     }

matter/src/data_model/core.rs

@@ -23,7 +23,7 @@ use super::{
     system_model::descriptor::DescriptorCluster,
 };
 use crate::{
-    acl::{AccessReq, Accessor, AclMgr, AuthMode},
+    acl::{AccessReq, Accessor, AccessorSubjects, AclMgr, AuthMode},
     error::*,
     fabric::FabricMgr,
     interaction_model::{
@@ -219,14 +219,29 @@ impl DataModel {
 
     fn sess_to_accessor(&self, sess: &Session) -> Accessor {
         match sess.get_session_mode() {
-            SessionMode::Case(c) => Accessor::new(
-                c,
-                sess.get_peer_node_id().unwrap_or_default(),
-                AuthMode::Case,
+            SessionMode::Case(c) => {
+                let mut subject =
+                    AccessorSubjects::new(sess.get_peer_node_id().unwrap_or_default());
+                for i in c.cat_ids {
+                    if i != 0 {
+                        let _ = subject.add_catid(i);
+                    }
+                }
+                Accessor::new(c.fab_idx, subject, AuthMode::Case, self.acl_mgr.clone())
+            }
+            SessionMode::Pase => Accessor::new(
+                0,
+                AccessorSubjects::new(1),
+                AuthMode::Pase,
+                self.acl_mgr.clone(),
+            ),
+
+            SessionMode::PlainText => Accessor::new(
+                0,
+                AccessorSubjects::new(1),
+                AuthMode::Invalid,
                 self.acl_mgr.clone(),
             ),
-            SessionMode::Pase => Accessor::new(0, 1, AuthMode::Pase, self.acl_mgr.clone()),
-            SessionMode::PlainText => Accessor::new(0, 1, AuthMode::Invalid, self.acl_mgr.clone()),
         }
     }
 

matter/src/data_model/sdm/failsafe.rs

@@ -89,10 +89,15 @@ impl FailSafe {
                 match c.noc_state {
                     NocState::NocNotRecvd => return Err(Error::Invalid),
                     NocState::AddNocRecvd(idx) | NocState::UpdateNocRecvd(idx) => {
-                        if SessionMode::Case(idx) != session_mode {
-                            error!(
-                                "Received disarm in separate session from previous Add/Update NOC"
-                            );
+                        if let SessionMode::Case(c) = session_mode {
+                            if c.fab_idx != idx {
+                                error!(
+                                    "Received disarm in separate session from previous Add/Update NOC"
+                                );
+                                return Err(Error::Invalid);
+                            }
+                        } else {
+                            error!("Received disarm in a non-CASE session");
                             return Err(Error::Invalid);
                         }
                     }

matter/src/data_model/sdm/noc.rs

@@ -248,11 +248,11 @@ impl NocCluster {
             .map_err(|_| IMStatusCode::InvalidDataType)?;
 
         let (result, fab_idx) =
-            if let SessionMode::Case(fab_idx) = cmd_req.trans.session.get_session_mode() {
-                if self.fabric_mgr.set_label(fab_idx, label).is_err() {
-                    (NocStatus::LabelConflict, fab_idx)
+            if let SessionMode::Case(c) = cmd_req.trans.session.get_session_mode() {
+                if self.fabric_mgr.set_label(c.fab_idx, label).is_err() {
+                    (NocStatus::LabelConflict, c.fab_idx)
                 } else {
-                    (NocStatus::Ok, fab_idx)
+                    (NocStatus::Ok, c.fab_idx)
                 }
             } else {
                 // Update Fabric Label not allowed