Support empty subjects in group ACL entries (#15608)

mlepage-google · pull[bot] · commit 1096376c95b2 · 2024-02-01T13:31:49.000Z
Spec was revised to allow empty subjects as wildcard for group auth mode (as for CASE auth mode). This PR updates the code, unit tests, and YAML tests. Fixes #15355
diff --git a/src/access/AccessControl.cpp b/src/access/AccessControl.cpp
@@ -341,9 +341,6 @@ bool AccessControl::IsValid(const Entry & entry)
 
         // Privilege must not be administer.
         VerifyOrExit(privilege != Privilege::kAdminister, log = "invalid privilege");
-
-        // Subject must be present.
-        VerifyOrExit(subjectCount > 0, log = "invalid subject count");
     }
 
     for (size_t i = 0; i < subjectCount; ++i)
diff --git a/src/access/tests/TestAccessControl.cpp b/src/access/tests/TestAccessControl.cpp
@@ -1067,6 +1067,23 @@ void TestAclValidateAuthModeSubject(nlTestSuite * inSuite, void * inContext)
     // Each case tries to update the first entry, then add a second entry, then unconditionally delete it
     NL_TEST_ASSERT(inSuite, accessControl.CreateEntry(nullptr, entry) == CHIP_NO_ERROR);
 
+    // CASE and group may have empty subjects list
+    {
+        NL_TEST_ASSERT(inSuite, entry.RemoveSubject(0) == CHIP_NO_ERROR);
+
+        NL_TEST_ASSERT(inSuite, entry.SetAuthMode(AuthMode::kCase) == CHIP_NO_ERROR);
+        NL_TEST_ASSERT(inSuite, accessControl.UpdateEntry(0, entry) == CHIP_NO_ERROR);
+        NL_TEST_ASSERT(inSuite, accessControl.CreateEntry(nullptr, entry) == CHIP_NO_ERROR);
+        accessControl.DeleteEntry(1);
+
+        NL_TEST_ASSERT(inSuite, entry.SetAuthMode(AuthMode::kGroup) == CHIP_NO_ERROR);
+        NL_TEST_ASSERT(inSuite, accessControl.UpdateEntry(0, entry) == CHIP_NO_ERROR);
+        NL_TEST_ASSERT(inSuite, accessControl.CreateEntry(nullptr, entry) == CHIP_NO_ERROR);
+        accessControl.DeleteEntry(1);
+
+        NL_TEST_ASSERT(inSuite, entry.AddSubject(nullptr, kOperationalNodeId0) == CHIP_NO_ERROR);
+    }
+
     NL_TEST_ASSERT(inSuite, entry.SetAuthMode(AuthMode::kCase) == CHIP_NO_ERROR);
     for (auto subject : validCaseSubjects)
     {
@@ -1200,17 +1217,9 @@ void TestAclValidateAuthModeSubject(nlTestSuite * inSuite, void * inContext)
     // Next cases have no subject
     NL_TEST_ASSERT(inSuite, entry.RemoveSubject(0) == CHIP_NO_ERROR);
 
-    // Group must have subject
-    {
-        NL_TEST_ASSERT(inSuite, entry.SetAuthMode(AuthMode::kGroup) == CHIP_NO_ERROR);
-        NL_TEST_ASSERT(inSuite, accessControl.UpdateEntry(0, entry) != CHIP_NO_ERROR);
-        NL_TEST_ASSERT(inSuite, accessControl.CreateEntry(nullptr, entry) != CHIP_NO_ERROR);
-        accessControl.DeleteEntry(1);
-    }
-
     // PASE must have subject
     {
-        NL_TEST_ASSERT(inSuite, entry.SetAuthMode(AuthMode::kGroup) == CHIP_NO_ERROR);
+        NL_TEST_ASSERT(inSuite, entry.SetAuthMode(AuthMode::kPase) == CHIP_NO_ERROR);
         NL_TEST_ASSERT(inSuite, accessControl.UpdateEntry(0, entry) != CHIP_NO_ERROR);
         NL_TEST_ASSERT(inSuite, accessControl.CreateEntry(nullptr, entry) != CHIP_NO_ERROR);
         accessControl.DeleteEntry(1);
diff --git a/src/app/tests/suites/TestGroupMessaging.yaml b/src/app/tests/suites/TestGroupMessaging.yaml
@@ -116,26 +116,26 @@ tests:
                   { FabricIndex: 1, GroupId: 0x0102, GroupKeySetID: 0x01a2 },
               ]
 
-    - label: "Install ACLs for test"
+    - label: "Install ACLs"
       cluster: "Access Control"
       command: "writeAttribute"
       attribute: "ACL"
       arguments:
           value: [
-                  # Any CASE can admin
+                  # Any CASE can administer
                   {
-                      FabricIndex: 1,
-                      Privilege: 5,
-                      AuthMode: 2,
+                      FabricIndex: 0,
+                      Privilege: 5, # administer
+                      AuthMode: 2, # case
                       Subjects: null,
                       Targets: null,
                   },
-                  # These groups can operate
+                  # Any group can operate
                   {
-                      FabricIndex: 1,
-                      Privilege: 3,
-                      AuthMode: 3,
-                      Subjects: [0x0101, 0x0102],
+                      FabricIndex: 0,
+                      Privilege: 3, # operate
+                      AuthMode: 3, # group
+                      Subjects: null,
                       Targets: null,
                   },
               ]
@@ -185,3 +185,19 @@ tests:
       endpoint: 1
       response:
           value: 1
+
+    - label: "Cleanup ACLs"
+      cluster: "Access Control"
+      command: "writeAttribute"
+      attribute: "ACL"
+      arguments:
+          value: [
+                  # Any CASE can administer
+                  {
+                      FabricIndex: 0,
+                      Privilege: 5, # administer
+                      AuthMode: 2, # case
+                      Subjects: null,
+                      Targets: null,
+                  },
+              ]
diff --git a/zzz_generated/chip-tool/zap-generated/test/Commands.h b/zzz_generated/chip-tool/zap-generated/test/Commands.h

Original file line number	Diff line number	Diff line change
`@@ -341,9 +341,6 @@ bool AccessControl::IsValid(const Entry & entry)`
`341`	`341`
`342`	`342`	`// Privilege must not be administer.`
`343`	`343`	`VerifyOrExit(privilege != Privilege::kAdminister, log = "invalid privilege");`
`344`		`-`
`345`		`- // Subject must be present.`
`346`		`- VerifyOrExit(subjectCount > 0, log = "invalid subject count");`
`347`	`344`	`}`
`348`	`345`
`349`	`346`	`for (size_t i = 0; i < subjectCount; ++i)`