fixup! Fix issues reported by SonarCloud and add tests

iotivity · Mar 25, 2024 · 1aea124 · 1aea124
1 parent eb26241
commit 1aea124
Show file tree

Hide file tree

Showing 14 changed files with 374 additions and 151 deletions.
diff --git a/api/cloud/oc_cloud_rd.c b/api/cloud/oc_cloud_rd.c
@@ -160,8 +160,8 @@ static void
 cloud_publish_resources(oc_cloud_context_t *ctx)
 {
 #ifdef OC_SECURITY
-  if (!oc_sec_pstat_is_in_dos_state(ctx->device,
-                                    OC_PSTAT_DOS_ID_FLAG(OC_DOS_RFNOP))) {
+  if (!oc_device_is_in_dos_state(ctx->device,
+                                 OC_PSTAT_DOS_ID_FLAG(OC_DOS_RFNOP))) {
     OC_CLOUD_DBG("cannot publish resource links when not in RFNOP");
     return;
   }
@@ -253,8 +253,8 @@ cloud_delete_resources(oc_cloud_context_t *ctx)
 {
   assert(ctx->rd_delete_resources != NULL);
 #ifdef OC_SECURITY
-  if (!oc_sec_pstat_is_in_dos_state(ctx->device,
-                                    OC_PSTAT_DOS_ID_FLAG(OC_DOS_RFNOP))) {
+  if (!oc_device_is_in_dos_state(ctx->device,
+                                 OC_PSTAT_DOS_ID_FLAG(OC_DOS_RFNOP))) {
     OC_CLOUD_DBG("cannot unpublish resource links when not in RFNOP");
     return;
   }

diff --git a/api/oc_core_res.c b/api/oc_core_res.c
@@ -733,8 +733,7 @@ oc_core_get_resource_type_by_uri(const char *uri, size_t uri_len)
   }
 #endif /* OC_CLIENT && OC_SERVER && OC_CLOUD */
 #ifdef OC_SECURITY
-  if (core_is_resource_uri(uri, uri_len, "/oic/sec/pstat",
-                           OC_CHAR_ARRAY_LEN("/oic/sec/pstat"))) {
+  if (oc_sec_is_pstat_resource_uri(oc_string_view(uri, uri_len))) {
     return OCF_SEC_PSTAT;
   }
   if (oc_sec_is_doxm_resource_uri(oc_string_view(uri, uri_len))) {

diff --git a/api/oc_etag.c b/api/oc_etag.c
@@ -441,8 +441,7 @@ static bool
 etag_can_update_device(size_t device)
 {
 #ifdef OC_SECURITY
-  return oc_sec_pstat_is_in_dos_state(device,
-                                      OC_PSTAT_DOS_ID_FLAG(OC_DOS_RFNOP));
+  return oc_device_is_in_dos_state(device, OC_PSTAT_DOS_ID_FLAG(OC_DOS_RFNOP));
 #else  /* OC_SECURITY */
   (void)device;
   return true;

diff --git a/security/oc_acl.c b/security/oc_acl.c
@@ -23,19 +23,13 @@
 #include "api/oc_helpers_internal.h"
 #include "api/oc_platform_internal.h"
 #include "api/oc_ri_internal.h"
-#include "oc_acl_internal.h"
 #include "oc_api.h"
-#include "oc_certs_validate_internal.h"
-#include "oc_config.h"
 #include "oc_core_res.h"
-#include "oc_cred_internal.h"
-#include "oc_doxm_internal.h"
-#include "oc_pstat_internal.h"
-#include "oc_rep.h"
-#include "oc_roles_internal.h"
 #include "oc_store.h"
-#include "oc_tls_internal.h"
 #include "port/oc_assert.h"
+#include "port/oc_random.h"
+#include "security/oc_acl_internal.h"
+#include "security/oc_pstat_internal.h"
 #include "util/oc_features.h"
 #include "util/oc_macros_internal.h"
 

diff --git a/security/oc_acl_util.c b/security/oc_acl_util.c
@@ -43,6 +43,7 @@
 #include <stdint.h>
 
 #if OC_DBG_IS_ENABLED
+
 static void
 print_acls(size_t device)
 {
@@ -101,6 +102,7 @@ print_acls(size_t device)
     ace = ace->next;
   }
 }
+
 #endif /* OC_DBG_IS_ENABLED */
 
 static uint16_t
@@ -164,25 +166,17 @@ static bool
 eval_access(oc_method_t method, uint16_t permission)
 {
   if (permission != 0) {
-    switch (method) {
-    case OC_GET:
-      if ((permission & OC_PERM_RETRIEVE) || (permission & OC_PERM_NOTIFY)) {
-        return true;
-      }
-      break;
-    case OC_PUT:
-    case OC_POST:
-      if ((permission & OC_PERM_CREATE) || (permission & OC_PERM_UPDATE)) {
-        return true;
-      }
-      break;
-    case OC_DELETE:
-      if (permission & OC_PERM_DELETE) {
-        return true;
-      }
-      break;
-    default:
-      break;
+    if (method == OC_GET) {
+      return (permission & OC_PERM_RETRIEVE) != 0 ||
+             (permission & OC_PERM_NOTIFY) != 0;
+    }
+
+    if (method == OC_POST || method == OC_PUT) {
+      return (permission & OC_PERM_CREATE) != 0 ||
+             (permission & OC_PERM_UPDATE) != 0;
+    }
+    if (method == OC_DELETE) {
+      return (permission & OC_PERM_DELETE) != 0;
     }
   }
   return false;
@@ -258,7 +252,7 @@ oc_sec_check_acl_by_uuid(const oc_uuid_t *uuid, size_t device,
   }
   const oc_sec_pstat_t *pstat = oc_sec_get_pstat(device);
   if (memcmp(uuid->id, pstat->rowneruuid.id, sizeof(uuid->id)) == 0 &&
-      uri_len == 14 && memcmp(uri, "/oic/sec/pstat", 14) == 0) {
+      oc_sec_is_pstat_resource_uri(oc_string_view(uri, uri_len))) {
     OC_DBG("oc_acl: peer's UUID matches pstat's rowneruuid");
     return true;
   }
@@ -287,39 +281,41 @@ oc_sec_check_acl(oc_method_t method, const oc_resource_t *resource,
     is_vertical = oc_core_is_vertical_resource(resource, resource->device);
   }
 
-  const oc_sec_pstat_t *pstat = oc_sec_get_pstat(endpoint->device);
-  /* All unicast requests which are not received over the open Device DOC
-   * shall be rejected with an appropriate error message (e.g. forbidden),
-   * regardless of the configuration of the ACEs in the "/oic/sec/acl2"
-   * Resource.
-   */
-  if (pstat->s == OC_DOS_RFOTM && !(endpoint->flags & SECURED) &&
-      oc_tls_num_peers(endpoint->device) == 1) {
-    OC_DBG("oc_sec_check_acl: unencrypted request received while DOC is open - "
-           "access forbidden");
-    return false;
-  }
+  const oc_sec_pstat_t *ps = oc_sec_get_pstat(endpoint->device);
+  oc_dostype_t dos = ps->s;
+  if (dos == OC_DOS_RFOTM && (endpoint->flags & SECURED) == 0) {
+    /* All unicast requests which are not received over the open Device DOC
+     * shall be rejected with an appropriate error message (e.g. forbidden),
+     * regardless of the configuration of the ACEs in the "/oic/sec/acl2"
+     * Resource.
+     */
+    if (oc_tls_num_peers(endpoint->device) == 1) {
+      OC_DBG(
+        "oc_sec_check_acl: unencrypted request received while DOC is open - "
+        "access forbidden");
+      return false;
+    }
 
 #ifdef OC_HAS_FEATURE_RESOURCE_ACCESS_IN_RFOTM
-  /* Allow access to resources in RFOTM mode if the feature is enabled and
-   * permission match the method. */
-  if (pstat->s == OC_DOS_RFOTM && !(endpoint->flags & SECURED) &&
-      (resource->properties & OC_ACCESS_IN_RFOTM) == OC_ACCESS_IN_RFOTM &&
-      eval_access(method, resource->anon_permission_in_rfotm)) {
-    OC_DBG("oc_sec_check_acl: access granted to %s via anon permission in "
-           "RFOTM state",
-           oc_string(resource->uri));
-    return true;
-  }
+    /* Allow access to resources in RFOTM mode if the feature is enabled and
+     * permission match the method. */
+    if ((resource->properties & OC_ACCESS_IN_RFOTM) == OC_ACCESS_IN_RFOTM &&
+        eval_access(method, (uint16_t)resource->anon_permission_in_rfotm)) {
+      OC_DBG("oc_sec_check_acl: access granted to %s via anon permission in "
+             "RFOTM state",
+             oc_string(resource->uri));
+      return true;
+    }
 #endif /* OC_HAS_FEATURE_RESOURCE_ACCESS_IN_RFOTM */
+  }
 
   /* NCRs are accessible only in RFNOP */
-  if (!is_DCR && pstat->s != OC_DOS_RFNOP) {
+  if (!is_DCR && dos != OC_DOS_RFNOP) {
     OC_DBG("oc_sec_check_acl: resource is NCR and dos is not RFNOP");
     return false;
   }
   /* anon-clear access to vertical resources is prohibited */
-  if (is_vertical && !(endpoint->flags & SECURED)) {
+  if (is_vertical && (endpoint->flags & SECURED) == 0) {
     OC_DBG("oc_sec_check_acl: anon-clear access to vertical resources is "
            "prohibited");
     return false;
@@ -329,60 +325,59 @@ oc_sec_check_acl(oc_method_t method, const oc_resource_t *resource,
    * Resource.
    */
   const oc_tls_peer_t *peer = oc_tls_get_peer(endpoint);
-  if (peer && peer->doc && is_DCR) {
+  if (is_DCR && peer && peer->doc) {
     OC_DBG("oc_sec_check_acl: connection is DOC and request directed to DCR - "
            "access granted");
     return true;
   }
 
   if (method == OC_GET &&
-      oc_sec_check_acl_on_get(resource, pstat->s == OC_DOS_RFOTM)) {
+      oc_sec_check_acl_on_get(resource, dos == OC_DOS_RFOTM)) {
+    OC_DBG("oc_sec_check_acl: access granted to %s via special GET rule",
+           oc_string(resource->uri));
     return true;
   }
 
   /* Requests over unsecured channel prior to DOC */
-  if (pstat->s == OC_DOS_RFOTM && oc_tls_num_peers(endpoint->device) == 0) {
+  if (dos == OC_DOS_RFOTM && oc_tls_num_peers(endpoint->device) == 0) {
     /* Anonymous Retrieve and Updates requests to “/oic/sec/doxm” shall be
        granted.
     */
     if (oc_sec_is_doxm_resource_uri(oc_string_view2(&resource->uri))) {
-      OC_DBG("oc_sec_check_acl: RW access granted to /doxm  prior to DOC");
+      OC_DBG("oc_sec_check_acl: RW access granted to doxm prior to DOC");
       return true;
     }
     /* All Retrieve requests to the “/oic/sec/pstat” Resource shall be
-       granted.
-    */
-    if (oc_string_len(resource->uri) == 14 &&
-        memcmp(oc_string(resource->uri), "/oic/sec/pstat", 14) == 0 &&
-        method == OC_GET) {
+       granted. */
+    if (method == OC_GET &&
+        oc_sec_is_pstat_resource_uri(oc_string_view2(&resource->uri))) {
       OC_DBG("oc_sec_check_acl: R access granted to pstat prior to DOC");
       return true;
     }
     /* Reject all other requests */
+    OC_DBG("oc_sec_check_acl: access denied to %s prior to DOC",
+           oc_string(resource->uri));
     return false;
   }
 
-  if ((pstat->s == OC_DOS_RFPRO || pstat->s == OC_DOS_RFNOP ||
-       pstat->s == OC_DOS_SRESET) &&
-      !(endpoint->flags & SECURED)) {
-    /* anon-clear requests to SVRs while the
-     * dos is RFPRO, RFNOP or SRESET should not be authorized
-     * regardless of the ACL configuration.
-     */
-    if (is_SVR) {
-      OC_DBG("oc_sec_check_acl: anon-clear access to SVRs in RFPRO, RFNOP and "
-             "SRESET is prohibited");
-      return false;
-    }
+  /* anon-clear requests to SVRs while the dos is RFPRO, RFNOP or SRESET should
+   * not be authorized regardless of the ACL configuration */
+  if (is_SVR &&
+      oc_sec_pstat_is_in_dos_state(ps, OC_PSTAT_DOS_ID_FLAG(OC_DOS_RFPRO) |
+                                         OC_PSTAT_DOS_ID_FLAG(OC_DOS_RFNOP) |
+                                         OC_PSTAT_DOS_ID_FLAG(OC_DOS_SRESET)) &&
+      (endpoint->flags & SECURED) == 0) {
+    OC_DBG("oc_sec_check_acl: anon-clear access to SVRs in RFPRO, RFNOP and "
+           "SRESET is prohibited");
+    return false;
   }
 
   const oc_uuid_t *uuid = &endpoint->di;
   if (uuid != NULL) {
     if (oc_sec_check_acl_by_uuid(uuid, endpoint->device, resource)) {
       return true;
     }
-    if ((pstat->s == OC_DOS_RFPRO || pstat->s == OC_DOS_RFNOP ||
-         pstat->s == OC_DOS_SRESET) &&
+    if ((dos == OC_DOS_RFPRO || dos == OC_DOS_RFNOP || dos == OC_DOS_SRESET) &&
         oc_string_is_cstr_equal(&resource->uri, OCF_SEC_ROLES_URI,
                                 OC_CHAR_ARRAY_LEN(OCF_SEC_ROLES_URI))) {
       OC_DBG("oc_acl: peer has implicit access to /oic/sec/roles in RFPRO, "

diff --git a/security/oc_obt.c b/security/oc_obt.c
@@ -871,7 +871,7 @@ switch_dos(oc_device_t *device, oc_dostype_t dos, oc_obt_status_cb_t cb,
   d->cb.cb = cb;
   d->cb.data = data;
 
-  if (!oc_init_post("/oic/sec/pstat", ep, NULL, &pstat_POST_dos1_to_dos2,
+  if (!oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &pstat_POST_dos1_to_dos2,
                     HIGH_QOS, d)) {
     OC_ERR("Could not init POST request to /oic/sec/pstat");
     goto err_switch_dos;

diff --git a/security/oc_obt_otm_cert.c b/security/oc_obt_otm_cert.c
@@ -76,7 +76,7 @@ obt_cert_15(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_cert_16, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_cert_16, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_object(root, dos);
     oc_rep_set_int(dos, s, OC_DOS_RFNOP);
@@ -244,7 +244,7 @@ obt_cert_12(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_cert_13, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_cert_13, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_object(root, dos);
     oc_rep_set_int(dos, s, OC_DOS_RFPRO);
@@ -422,7 +422,7 @@ obt_cert_8(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_cert_9, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_cert_9, HIGH_QOS, o)) {
     const oc_uuid_t *my_uuid = oc_core_get_device_id(0);
     char uuid[OC_UUID_LEN];
     oc_uuid_to_str(my_uuid, uuid, OC_UUID_LEN);
@@ -609,7 +609,7 @@ obt_cert_3(oc_client_response_t *data)
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
   oc_tls_close_connection(ep);
   oc_tls_select_cert_ciphersuite();
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_cert_4, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_cert_4, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_int(root, om, 4);
     oc_rep_end_root_object();

diff --git a/security/oc_obt_otm_justworks.c b/security/oc_obt_otm_justworks.c
@@ -75,7 +75,7 @@ obt_jw_15(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_jw_16, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_jw_16, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_object(root, dos);
     oc_rep_set_int(dos, s, OC_DOS_RFNOP);
@@ -243,7 +243,7 @@ obt_jw_12(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_jw_13, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_jw_13, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_object(root, dos);
     oc_rep_set_int(dos, s, OC_DOS_RFPRO);
@@ -421,7 +421,7 @@ obt_jw_8(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_jw_9, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_jw_9, HIGH_QOS, o)) {
     const oc_uuid_t *my_uuid = oc_core_get_device_id(0);
     char uuid[OC_UUID_LEN];
     oc_uuid_to_str(my_uuid, uuid, OC_UUID_LEN);
@@ -608,7 +608,7 @@ obt_jw_3(oc_client_response_t *data)
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
   oc_tls_close_connection(ep);
   oc_tls_select_anon_ciphersuite();
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_jw_4, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_jw_4, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_int(root, om, 4);
     oc_rep_end_root_object();

diff --git a/security/oc_obt_otm_randompin.c b/security/oc_obt_otm_randompin.c
@@ -76,7 +76,7 @@ obt_rdp_13(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_rdp_14, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_rdp_14, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_object(root, dos);
     oc_rep_set_int(dos, s, OC_DOS_RFNOP);
@@ -244,7 +244,7 @@ obt_rdp_10(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_rdp_11, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_rdp_11, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_object(root, dos);
     oc_rep_set_int(dos, s, OC_DOS_RFPRO);
@@ -422,7 +422,7 @@ obt_rdp_6(oc_client_response_t *data)
    */
   const oc_device_t *device = o->device;
   const oc_endpoint_t *ep = oc_obt_get_secure_endpoint(device->endpoint);
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_rdp_7, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_rdp_7, HIGH_QOS, o)) {
     const oc_uuid_t *my_uuid = oc_core_get_device_id(0);
     char uuid[OC_UUID_LEN];
     oc_uuid_to_str(my_uuid, uuid, OC_UUID_LEN);
@@ -671,7 +671,7 @@ oc_obt_perform_random_pin_otm(const oc_uuid_t *uuid, const unsigned char *pin,
   oc_tls_close_connection(ep);
   oc_tls_select_psk_ciphersuite();
   oc_tls_use_pin_obt_psk_identity();
-  if (oc_init_post("/oic/sec/pstat", ep, NULL, &obt_rdp_2, HIGH_QOS, o)) {
+  if (oc_init_post(OCF_SEC_PSTAT_URI, ep, NULL, &obt_rdp_2, HIGH_QOS, o)) {
     oc_rep_start_root_object();
     oc_rep_set_int(root, om, 4);
     oc_rep_end_root_object();