1 /*
2  * Copyright (c) 2022 Nordic Semiconductor ASA
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 
7 #define LOG_MODULE_NAME net_lwm2m_ac_control
8 #define LOG_LEVEL	CONFIG_LWM2M_LOG_LEVEL
9 
10 #include <zephyr/logging/log.h>
11 LOG_MODULE_REGISTER(LOG_MODULE_NAME);
12 
13 #include "lwm2m_obj_access_control.h"
14 
15 #include <stdint.h>
16 
17 #include <zephyr/init.h>
18 
19 #define READ		BIT(0)
20 #define WRITE		BIT(1)
21 #define ACEXEC		BIT(2)
22 #define DELETE		BIT(3)
23 #define CREATE		BIT(4)
24 
25 /* For compatibility with lwm2m_op_perms */
26 #define WRITE_ATTR	BIT(8)
27 #define DISCOVER	BIT(9)
28 
operation_to_acperm(int operation)29 static int operation_to_acperm(int operation)
30 {
31 	switch (operation) {
32 	case LWM2M_OP_READ:
33 		return READ;
34 
35 	case LWM2M_OP_WRITE:
36 		return WRITE;
37 
38 	case LWM2M_OP_EXECUTE:
39 		return ACEXEC;
40 
41 	case LWM2M_OP_DELETE:
42 		return DELETE;
43 
44 	case LWM2M_OP_CREATE:
45 		return CREATE;
46 
47 	case LWM2M_OP_WRITE_ATTR:
48 		return WRITE_ATTR;
49 
50 	case LWM2M_OP_DISCOVER:
51 		return DISCOVER;
52 	default:
53 		return 0;
54 	}
55 }
56 
57 #define ACCESS_CONTROL_VERSION_MAJOR 1
58 #define ACCESS_CONTROL_VERSION_MINOR 0
59 #define AC_OBJ_ID			LWM2M_OBJECT_ACCESS_CONTROL_ID
60 #define MAX_SERVER_COUNT	CONFIG_LWM2M_SERVER_INSTANCE_COUNT
61 #define MAX_INSTANCE_COUNT	CONFIG_LWM2M_ACCESS_CONTROL_INSTANCE_COUNT
62 #define OBJ_LVL_MAX_ID		65535
63 
64 #define ACCESS_CONTROL_OBJECT_ID			0
65 #define ACCESS_CONTROL_OBJECT_INSTANCE_ID	1
66 #define ACCESS_CONTROL_ACL_ID				2
67 #define ACCESS_CONTROL_ACCESS_CONTROL_OWNER	3
68 #define ACCESS_CONTROL_MAX_ID				4
69 
70 
71 struct ac_data {
72 	uint16_t obj_id;
73 	uint16_t obj_inst_id;
74 	int16_t acl[MAX_SERVER_COUNT + 1];
75 	uint16_t ac_owner;
76 };
77 
78 static struct ac_data ac_data[MAX_INSTANCE_COUNT];
79 
80 static struct lwm2m_engine_obj ac_obj;
81 static struct lwm2m_engine_obj_field fields[] = {
82 	OBJ_FIELD_DATA(ACCESS_CONTROL_OBJECT_ID, RW, U16),
83 	OBJ_FIELD_DATA(ACCESS_CONTROL_OBJECT_INSTANCE_ID, RW, U16),
84 	/* Mark obj id and obj_inst id is RO, but needs to be written to by bootstrap server */
85 	OBJ_FIELD_DATA(ACCESS_CONTROL_ACL_ID, RW_OPT, U16),
86 	OBJ_FIELD_DATA(ACCESS_CONTROL_ACCESS_CONTROL_OWNER, RW, U16),
87 };
88 
89 static struct lwm2m_engine_obj_inst inst[MAX_INSTANCE_COUNT];
90 static struct lwm2m_engine_res res[MAX_INSTANCE_COUNT][ACCESS_CONTROL_MAX_ID];
91 /* Calculated as follows:
92  * + ACCESS_CONTROL_MAX_ID - 1 (not counting the acl instance)
93  * + MAX_SERVER_COUNT + 1 (one acl for every server plus default)
94  */
95 static struct lwm2m_engine_res_inst res_inst[MAX_INSTANCE_COUNT]
96 					    [MAX_SERVER_COUNT + ACCESS_CONTROL_MAX_ID];
97 
obj_inst_to_index(uint16_t obj_id,uint16_t obj_inst_id)98 static int obj_inst_to_index(uint16_t obj_id, uint16_t obj_inst_id)
99 {
100 	int i, ret = -ENOENT;
101 
102 	for (i = 0; i < ARRAY_SIZE(inst); i++) {
103 		if (inst[i].obj && ac_data[i].obj_id == obj_id &&
104 		    ac_data[i].obj_inst_id == obj_inst_id) {
105 			ret = i;
106 			break;
107 		}
108 	}
109 	return ret;
110 }
111 
available_obj_inst_id(int obj_inst_id)112 static bool available_obj_inst_id(int obj_inst_id)
113 {
114 	for (int index = 0; index < ARRAY_SIZE(inst); index++) {
115 		if (inst[index].obj && inst[index].obj_inst_id == obj_inst_id) {
116 			return false;
117 		}
118 	}
119 	return true;
120 }
121 
access_control_add(uint16_t obj_id,uint16_t obj_inst_id,int server_obj_inst_id)122 void access_control_add(uint16_t obj_id, uint16_t obj_inst_id, int server_obj_inst_id)
123 {
124 	/* If ac_obj not created */
125 	if (!ac_obj.fields) {
126 		return;
127 	}
128 
129 	if (obj_id == AC_OBJ_ID) {
130 		return;
131 	}
132 
133 	if (obj_inst_to_index(obj_id, obj_inst_id) >= 0) {
134 		LOG_DBG("Access control for obj_inst /%d/%d already exist", obj_id, obj_inst_id);
135 		return;
136 	}
137 
138 	int index, avail = -1;
139 
140 	for (index = 0; index < ARRAY_SIZE(inst); index++) {
141 		/* Save first available slot index */
142 		if (avail < 0 && !inst[index].obj) {
143 			avail = index;
144 		}
145 	}
146 
147 	if (avail < 0) {
148 		LOG_ERR("Can not create access control instance - no more room: %u", obj_inst_id);
149 		return;
150 	}
151 
152 	int ssid;
153 
154 	if (server_obj_inst_id < 0) {
155 		ssid = CONFIG_LWM2M_SERVER_DEFAULT_SSID;
156 	} else {
157 		ssid = lwm2m_server_get_ssid(server_obj_inst_id);
158 	}
159 
160 	if (ssid < 0) {
161 		LOG_DBG("No server object instance %d - using default", server_obj_inst_id);
162 		ssid = CONFIG_LWM2M_SERVER_DEFAULT_SSID;
163 	}
164 
165 	int ac_obj_inst_id = avail;
166 
167 	while (!available_obj_inst_id(ac_obj_inst_id)) {
168 		ac_obj_inst_id++;
169 	}
170 	struct lwm2m_engine_obj_inst *obj_inst = NULL;
171 
172 	lwm2m_create_obj_inst(AC_OBJ_ID, ac_obj_inst_id, &obj_inst);
173 	ac_data[avail].obj_id = obj_id;
174 	ac_data[avail].obj_inst_id = obj_inst_id;
175 	ac_data[avail].ac_owner = ssid;
176 }
177 
access_control_add_obj(uint16_t obj_id,int server_obj_inst_id)178 void access_control_add_obj(uint16_t obj_id, int server_obj_inst_id)
179 {
180 	access_control_add(obj_id, OBJ_LVL_MAX_ID, server_obj_inst_id);
181 }
182 
access_control_remove(uint16_t obj_id,uint16_t obj_inst_id)183 void access_control_remove(uint16_t obj_id, uint16_t obj_inst_id)
184 {
185 	/* If ac_obj not created */
186 	if (!ac_obj.fields) {
187 		return;
188 	}
189 
190 	if (obj_id == AC_OBJ_ID) {
191 		return;
192 	}
193 
194 	int idx = obj_inst_to_index(obj_id, obj_inst_id);
195 
196 	if (idx < 0) {
197 		LOG_DBG("Cannot remove access control for /%d/%d - not found", obj_id, obj_inst_id);
198 		return;
199 	}
200 
201 	ac_data[idx].obj_id = 0;
202 	ac_data[idx].obj_inst_id = 0;
203 	ac_data[idx].ac_owner = 0;
204 	for (int i = 0; i < MAX_SERVER_COUNT + 1; i++) {
205 		ac_data[idx].acl[i] = 0;
206 	}
207 	lwm2m_delete_obj_inst(AC_OBJ_ID, idx);
208 }
209 
access_control_remove_obj(uint16_t obj_id)210 void access_control_remove_obj(uint16_t obj_id)
211 {
212 	access_control_remove(obj_id, OBJ_LVL_MAX_ID);
213 }
214 
check_acl_table(uint16_t obj_id,uint16_t obj_inst_id,uint16_t short_server_id,uint16_t access)215 static bool check_acl_table(uint16_t obj_id, uint16_t obj_inst_id, uint16_t short_server_id,
216 			    uint16_t access)
217 {
218 	/* Get the index of the ac instance regarding obj_id and obj_inst_id */
219 	int idx = obj_inst_to_index(obj_id, obj_inst_id);
220 
221 	if (idx < 0) {
222 		LOG_DBG("Access control for obj_inst /%d/%d not found", obj_id, obj_inst_id);
223 		return false;
224 	}
225 
226 	uint16_t access_rights = 0;
227 	uint16_t default_rights = 0;
228 	bool server_has_acl = false;
229 
230 	for (int i = 0; i < MAX_SERVER_COUNT + 1; i++) {
231 		int res_inst_id = res_inst[idx][ACCESS_CONTROL_ACL_ID + i].res_inst_id;
232 		/* If server has access or if default exist */
233 		if (res_inst_id == short_server_id) {
234 			access_rights |= ac_data[idx].acl[i];
235 			server_has_acl = true;
236 		} else if (res_inst_id == 0) {
237 			default_rights |= ac_data[idx].acl[i];
238 		}
239 	}
240 
241 	if (server_has_acl) {
242 		return (access_rights & access) == access;
243 	}
244 
245 	/* Full access if server is the ac_owner and no acl is specified for that server */
246 	if (ac_data[idx].ac_owner == short_server_id) {
247 		return true;
248 	}
249 
250 	/* Return default rights */
251 	return (default_rights & access) == access;
252 }
253 
access_control_check_access(uint16_t obj_id,uint16_t obj_inst_id,uint16_t server_obj_inst,uint16_t operation,bool bootstrap_mode)254 int access_control_check_access(uint16_t obj_id, uint16_t obj_inst_id, uint16_t server_obj_inst,
255 				uint16_t operation, bool bootstrap_mode)
256 {
257 #if defined(CONFIG_LWM2M_RD_CLIENT_SUPPORT_BOOTSTRAP)
258 	if (bootstrap_mode) {
259 		return 0; /* Full access for bootstrap servers */
260 	}
261 #else
262 	ARG_UNUSED(bootstrap_mode);
263 #endif
264 	/* If ac_obj not created */
265 	if (!ac_obj.fields) {
266 		return 0;
267 	}
268 	uint16_t access = operation_to_acperm(operation);
269 	int short_server_id = lwm2m_server_get_ssid(server_obj_inst);
270 
271 	if (short_server_id < 0) {
272 		LOG_ERR("No server obj instance %u exist", server_obj_inst);
273 		return -EACCES;
274 	}
275 
276 	if (obj_id == AC_OBJ_ID) {
277 		switch (access) {
278 		case READ:
279 			return 0;
280 		case ACEXEC:
281 		case DELETE:
282 		case CREATE:
283 			return -EPERM; /* Method not allowed */
284 		case WRITE:	       /* Only ac_owner can write to ac_obj */
285 			for (int index = 0; index < ARRAY_SIZE(inst); index++) {
286 				if (inst[index].obj && inst[index].obj_inst_id == obj_inst_id) {
287 					if (ac_data[index].ac_owner == short_server_id) {
288 						return 0;
289 					}
290 				}
291 			}
292 			return -EACCES;
293 
294 		default:
295 			return -EACCES;
296 		}
297 	}
298 
299 	/* only DISCOVER, WRITE_ATTR and CREATE allowed on object */
300 	if (obj_inst_id == OBJ_LVL_MAX_ID) {
301 		if (access == DISCOVER || access == WRITE_ATTR) {
302 			return 0;
303 		}
304 
305 		if (access != CREATE) {
306 			return -EACCES;
307 		}
308 	}
309 
310 	if (access == CREATE) {
311 		obj_inst_id = OBJ_LVL_MAX_ID;
312 	}
313 
314 	if (check_acl_table(obj_id, obj_inst_id, short_server_id, access)) {
315 		return 0;
316 	}
317 
318 	return -EACCES;
319 }
320 
add_existing_objects(void)321 static void add_existing_objects(void)
322 {
323 	/* register all objects in the sys-list */
324 	struct lwm2m_engine_obj *obj;
325 
326 	SYS_SLIST_FOR_EACH_CONTAINER(lwm2m_engine_obj_list(), obj, node) {
327 		access_control_add_obj(obj->obj_id, -1);
328 	}
329 
330 	/* register all object instances in the sys-list */
331 	struct lwm2m_engine_obj_inst *obj_inst;
332 
333 	SYS_SLIST_FOR_EACH_CONTAINER(lwm2m_engine_obj_inst_list(), obj_inst, node) {
334 		access_control_add(obj_inst->obj->obj_id, obj_inst->obj_inst_id, -1);
335 	}
336 }
337 
write_validate_cb(uint16_t obj_inst_id,uint16_t res_id,uint16_t res_inst_id,uint8_t * data,uint16_t data_len,bool last_block,size_t total_size)338 static int write_validate_cb(uint16_t obj_inst_id, uint16_t res_id, uint16_t res_inst_id,
339 			     uint8_t *data, uint16_t data_len, bool last_block, size_t total_size)
340 {
341 	/* validates and removes acl instances for non-existing servers */
342 
343 	if (res_inst_id == 0) {
344 		return 0;
345 	}
346 
347 	/* If there is a server instance with ssid == res_inst_id, return */
348 	if (lwm2m_server_short_id_to_inst(res_inst_id) >= 0) {
349 		return 0;
350 	}
351 
352 	/* if that res inst id does not match any ssid's, remove it */
353 	int idx = -1;
354 
355 	for (int i = 0; i < ARRAY_SIZE(inst); i++) {
356 		if (inst[i].obj && inst[i].obj_inst_id == obj_inst_id) {
357 			idx = i;
358 			break;
359 		}
360 	}
361 
362 	if (idx < 0) {
363 		LOG_ERR("Object instance not found - %u", obj_inst_id);
364 		return -ENOENT;
365 	}
366 
367 	for (int i = 0; i < ARRAY_SIZE(inst); i++) {
368 		if (res_inst[idx][ACCESS_CONTROL_ACL_ID + i].res_inst_id == res_inst_id) {
369 			res_inst[idx][ACCESS_CONTROL_ACL_ID + i].res_inst_id =
370 				RES_INSTANCE_NOT_CREATED;
371 			break;
372 		}
373 	}
374 	return 0;
375 }
376 
ac_create(uint16_t obj_inst_id)377 static struct lwm2m_engine_obj_inst *ac_create(uint16_t obj_inst_id)
378 {
379 	int index, avail = -1, i = 0, j = 0;
380 
381 	/* Check that there is no other instance with this ID */
382 	for (index = 0; index < ARRAY_SIZE(inst); index++) {
383 		if (inst[index].obj && inst[index].obj_inst_id == obj_inst_id) {
384 			LOG_ERR("Can not create access control instance - "
385 				"already existing: %u",
386 				obj_inst_id);
387 			return NULL;
388 		}
389 
390 		/* Save first available slot index */
391 		if (avail < 0 && !inst[index].obj) {
392 			avail = index;
393 		}
394 	}
395 
396 	if (avail < 0) {
397 		LOG_ERR("Can not create access control instance - no more room: %u", obj_inst_id);
398 		return NULL;
399 	}
400 
401 	/* Set default values */
402 	(void)memset(res[avail], 0, sizeof(res[avail][0]) * ARRAY_SIZE(res[avail]));
403 	init_res_instance(res_inst[avail], ARRAY_SIZE(res_inst[avail]));
404 
405 	/* initialize instance resource data */
406 	INIT_OBJ_RES_DATA(ACCESS_CONTROL_OBJECT_ID, res[avail], i, res_inst[avail], j,
407 			  &ac_data[avail].obj_id, sizeof(ac_data[avail].obj_id));
408 	INIT_OBJ_RES_DATA(ACCESS_CONTROL_OBJECT_INSTANCE_ID, res[avail], i, res_inst[avail], j,
409 			  &ac_data[avail].obj_inst_id, sizeof(ac_data[avail].obj_inst_id));
410 	INIT_OBJ_RES(ACCESS_CONTROL_ACL_ID, res[avail], i, res_inst[avail], j, MAX_SERVER_COUNT + 1,
411 		     true, false, ac_data[avail].acl, sizeof(ac_data[avail].acl[0]), NULL, NULL,
412 		     write_validate_cb, NULL, NULL);
413 	INIT_OBJ_RES_DATA(ACCESS_CONTROL_ACCESS_CONTROL_OWNER, res[avail], i, res_inst[avail], j,
414 			  &ac_data[avail].ac_owner, sizeof(ac_data[avail].ac_owner));
415 
416 	inst[avail].resources = res[avail];
417 	inst[avail].resource_count = i;
418 
419 	LOG_DBG("Create access control instance: %d", obj_inst_id);
420 	return &inst[avail];
421 }
422 
ac_control_init(void)423 static int ac_control_init(void)
424 {
425 	ac_obj.obj_id = LWM2M_OBJECT_ACCESS_CONTROL_ID;
426 	ac_obj.version_major = ACCESS_CONTROL_VERSION_MAJOR;
427 	ac_obj.version_minor = ACCESS_CONTROL_VERSION_MINOR;
428 	ac_obj.is_core = true;
429 	ac_obj.fields = fields;
430 	ac_obj.field_count = ARRAY_SIZE(fields);
431 	ac_obj.max_instance_count = ARRAY_SIZE(inst);
432 	ac_obj.create_cb = ac_create;
433 	lwm2m_register_obj(&ac_obj);
434 
435 	if (!IS_ENABLED(CONFIG_LWM2M_RD_CLIENT_SUPPORT_BOOTSTRAP)) {
436 		/* add the objects/object instances that were created before the ac control */
437 		add_existing_objects();
438 	}
439 	return 0;
440 }
441 
442 SYS_INIT(ac_control_init, APPLICATION, CONFIG_KERNEL_INIT_PRIORITY_DEFAULT);
443