diff --git a/obuspa/Makefile b/obuspa/Makefile index 78e98a740..ddcb8f877 100644 --- a/obuspa/Makefile +++ b/obuspa/Makefile @@ -5,13 +5,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=obuspa -PKG_VERSION:=7.0.5.24 +PKG_VERSION:=8.0.1.1 LOCAL_DEV:=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/obuspa.git -PKG_SOURCE_VERSION:=371d2c96d1d410b3d52cfe65505750843f2d1d6e +PKG_SOURCE_VERSION:=58158036ce83bacfe40a31254f910190d0d8afc0 PKG_MAINTAINER:=Vivek Dutta PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_MIRROR_HASH:=skip @@ -96,16 +96,19 @@ define Package/obuspa/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/config - $(INSTALL_DIR) $(1)/etc/obuspa + $(INSTALL_DIR) $(1)/etc/obuspa/roles $(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_DIR) $(1)/etc/udhcpc.user.d $(INSTALL_BIN) $(PKG_BUILD_DIR)/obuspa $(1)/usr/sbin/ $(INSTALL_BIN) ./files/etc/init.d/obuspa $(1)/etc/init.d/ $(INSTALL_DATA) ./files/etc/config/obuspa $(1)/etc/config/ - $(INSTALL_DATA) ./files/etc/obuspa/roles.json $(1)/etc/obuspa/roles.json + $(INSTALL_DATA) ./files/etc/obuspa/roles/*.json $(1)/etc/obuspa/roles/ + $(INSTALL_DATA) ./files/etc/obuspa/usp_utils.sh $(1)/etc/obuspa/ + echo "$(CONFIG_BBF_VENDOR_PREFIX)" > $(1)/etc/obuspa/vendor_prefix $(INSTALL_DATA) ./files/etc/obuspa/dmcaching_exclude.json $(1)/etc/obuspa/dmcaching_exclude.json $(INSTALL_BIN) ./files/etc/uci-defaults/01-fix-upgrade-uci $(1)/etc/uci-defaults/ $(INSTALL_BIN) ./files/etc/uci-defaults/02-obuspa-dhcp-option $(1)/etc/uci-defaults/ + $(INSTALL_BIN) ./files/etc/uci-defaults/60-generate-ctrust-defaults $(1)/etc/uci-defaults/ $(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user $(1)/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user $(BBFDM_INSTALL_CORE_PLUGIN) ./files/etc/bbfdm/json/USPAgent.json $(1) ifeq ($(CONFIG_OBUSPA_ENABLE_TEST_CONTROLLER),y) 
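Review bot: The new `echo "$(CONFIG_BBF_VENDOR_PREFIX)" > $(1)/etc/obuspa/vendor_prefix` line writes the Kconfig value verbatim, and for a string symbol that value normally still carries its surrounding double quotes unless stripped; when the symbol is unset the file is still created with a single empty line, and the usp_utils.sh added in this same commit only falls back to `X_IOPSYS_XX_` when the file is absent, so every `{BBF_VENDOR_PREFIX}` target would be expanded with an empty prefix. Suggest `echo "$(call qstrip,$(CONFIG_BBF_VENDOR_PREFIX))" > $(1)/etc/obuspa/vendor_prefix` (qstrip comes from the rules.mk this Makefile already includes) and only emitting the file when the stripped value is non-empty, e.g. by wrapping the line in `$(if $(call qstrip,$(CONFIG_BBF_VENDOR_PREFIX)),...)`. The install glob `./files/etc/obuspa/roles/*.json` is expanded by the recipe shell, so a missing directory fails the copy rather than installing nothing, which is the safer behaviour. Package/obuspa/install continues past the end of the hunk.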
diff --git a/obuspa/files/etc/config/obuspa b/obuspa/files/etc/config/obuspa index 7dbf51a73..14e01c1f6 100644 --- a/obuspa/files/etc/config/obuspa +++ b/obuspa/files/etc/config/obuspa @@ -5,7 +5,6 @@ config obuspa 'global' option log_level '2' option prototrace '0' option db_file '/etc/obuspa/usp.db' - option role_file '/etc/obuspa/roles.json' option dm_caching_exclude '/etc/obuspa/dmcaching_exclude.json' #option trust_cert '/etc/obuspa/ca.pem' #option client_cert '/etc/obuspa/client.pem' diff --git a/obuspa/files/etc/init.d/obuspa b/obuspa/files/etc/init.d/obuspa index cd663694d..9cc550a22 100755 --- a/obuspa/files/etc/init.d/obuspa +++ b/obuspa/files/etc/init.d/obuspa @@ -10,7 +10,7 @@ CONFIGURATION=obuspa ENV_PROFILE="/root/.profile" KEEP_FILE="/lib/upgrade/keep.d/obuspa" -RESET_FILE="/tmp/obuspa/obuspa_param_reset.txt" +RESET_FILE="/tmp/obuspa/fw_defaults" SQL_DB_FILE="/tmp/obuspa/usp.db" DB_DUMP="/tmp/obuspa/usp.dump_$(date +%s)" @@ -19,6 +19,7 @@ INSTANCE_COUNT=0 . /lib/functions/network.sh . /usr/share/libubox/jshn.sh +. /etc/obuspa/usp_utils.sh global_init() { @@ -76,7 +77,7 @@ db_set() dump_db() { - ${PROG} -v0 -f ${SQL_DB_FILE} -c show database |awk '/^Device./ || /^Internal./ {print $1 " \"" $3 "\""}' | sort > ${DB_DUMP} + ${PROG} -v0 -f ${SQL_DB_FILE} -c show database |grep "^Internal.\|^Device."|sed '{s/=> /"/g;s/$/"/g}' | sort > ${DB_DUMP} } # if db present then check if it matches with existing instances 
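Review bot: In dump_db the new `sed '{s/=> /"/g;s/$/"/g}'` substitutes globally, so a parameter value that itself contains `=> ` is rewritten at every occurrence, and a value containing a double quote is emitted unescaped into the dump that later becomes fw_defaults. Limiting the separator rewrite to the first match, `sed 's/=> /"/;s/$/"/'`, removes the first problem; whether embedded quotes need escaping depends on how the dump is read back, which is not visible here. The old awk form silently cut values at the first space, which the new pipeline fixes — a short comment such as `# keep the full value, including spaces` on that line would record why the pipeline changed. dump_db is entirely inside the hunk.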
@@ -147,44 +148,6 @@ update_keep()
 fi
 }
 
-get_role_index_from_json()
-{
- local role="$1"
- local role_def_file="$2"
- local num=0
- local roles_obj
-
- # In case of role is empty or file not present
- if [ -z "${role}" ] || [ ! -f "${role_def_file}" ]; then
- echo "${num}"
- return ${num}
- fi
-
- json_init
- json_load_file "${role_def_file}"
-
- json_select roles
- json_get_keys roles_obj
-
- for k in ${roles_obj}; do
- local rname
- json_select "$k"
- json_get_var rname name
- json_select ..
-
- if [ "${rname}" != "Untrusted" ] && [ "${rname}" != "full_access" ]; then
- num=$(( num + 1 ))
- fi
-
- if [ "${role}" = "${rname}" ]; then
- echo "${num}"
- return ${num}
- fi
- done
-
- return ${num}
-}
-
 validate_obuspa_section()
 {
 uci_validate_section ${CONFIGURATION} obuspa "${1}" \
@@ -201,8 +164,7 @@ validate_obuspa_section()
 'max_cache_time:uinteger' \
 'ipc_timeout:uinteger' \
 'log_dest:string' \
- 'db_file:string' \
- 'role_file:file'
+ 'db_file:string'
 }
 
 validate_localagent_section()
@@ -316,6 +278,33 @@ update_reset_reason()
 fi
 }
 
+get_role_index()
+{
+ local name drole
+
+ name="${1}"
+ drole="Device.LocalAgent.ControllerTrust.Role.2"
+ if [ -z "${name}" ]; then
+ log "No role name provided, use Untrusted role index 2"
+ echo "${drole}"
+ return 0
+ fi
+
+ # Get if from CTRUST file first if present, then from dbdump and then use default Untrusted role
+ if [ -f "${CTRUST_RESET_FILE}" ]; then
+ val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${CTRUST_RESET_FILE} |grep $name)"
+ val="$(echo ${val/.Name /,}|cut -d, -f 1)"
+ echo "$val"
+ elif [ -f "${DB_DUMP}" ]; then
+ val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${DB_DUMP} |grep $name)"
+ val="$(echo ${val/.Name /,}|cut -d, -f 1)"
+ echo "$val"
+ else
+ log "Not able to get role ${name}, use Untrusted role"
+ echo "${drole}"
+ fi
+}
+
 configure_controller()
 {
 local EndpointID Enable
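Review bot: The new get_role_index greps for `Role.\d.Name`, but `\d` is not a POSIX BRE class, so with busybox/POSIX grep it does not match a digit, `val` ends up empty in both the CTRUST_RESET_FILE and DB_DUMP branches, and the empty string is echoed as the role path instead of the Untrusted default; the second `grep $name` is also unanchored and unquoted, so a role named `user` would match a line for `superuser` as well. Suggest `val="$(grep "^Device\.LocalAgent\.ControllerTrust\.Role\.[0-9]*\.Name \"${name}\"$" "${CTRUST_RESET_FILE}")"` followed by `val="${val%.Name *}"`, which also drops the bash-only `${var/pat/repl}` form (supported by busybox ash only when bash compatibility is compiled in), and `echo "${val:-${drole}}"` so an unmatched name still yields the documented default. `val` should be declared in `local name drole val`; as written it leaks into the caller's scope. The lines that appear twice in both branches could be one helper taking the file name, which would also keep the two patterns from drifting apart.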
@@ -447,49 +436,6 @@ configure_subscription() uci_remove obuspa "${1}" } -check_json_load() -{ - local ret - - ret=0 - if [ -f "${role_def_file}" ]; then - json_init - if json_load_file "${role_def_file}" 2>&1 |grep -q Failed; then - log "failed to load [${role_def_file}]" - ret=1 - fi - fi - json_init - return ${ret} -} - -get_role_index() -{ - local role="Device.LocalAgent.ControllerTrust.Role" - local idx=0 - local role_name="$1" - local role_def_file - - role_def_file=$(uci -q get obuspa.global.role_file 2>/dev/null) - case "${role_name}" in - 'full_access') - idx=1; - ;; - 'Untrusted') - idx=2; - ;; - *) - local ji=0 - - if check_json_load; then - ji=$(get_role_index_from_json "${role_name}" "${role_def_file}") - fi - idx=$(( ji + 2 )) # Add predefined roles - esac - - echo "${role}.${idx}" -} - configure_challenges() { local Enable Description role_name Role Value Retries LockoutPeriod @@ -870,6 +816,7 @@ sync_update_sec() config_get _sync "${1}" _sync "" if [ -z "${_sync}" ]; then uci_remove obuspa "${1}" + log "Deleting obuspa.${1} section ..." else uci_remove obuspa "${1}" _sync fi @@ -950,7 +897,7 @@ reverse_update_db_with_uci() # Create factory reset file db_init() { - local reason + local reason role_file reason="${1}" mkdir -p /tmp/obuspa/ @@ -958,12 +905,19 @@ db_init() # Load configuration config_load $CONFIGURATION config_get SQL_DB_FILE global db_file "/tmp/obuspa/usp.db" + config_get role_file global role_file "" if [ -f "${SQL_DB_FILE}.old" ] && [ ! -f "${SQL_DB_FILE}" ]; then log "Copying old db, since new db not present ..." mv ${SQL_DB_FILE}.old ${SQL_DB_FILE} fi + if [ -f "${role_file}" ]; then + configure_ctrust_role "${role_file}" + uci_set obuspa global role_file "" + uci commit ${CONFIGURATION} + fi + # Dump datamodel parameters from DB if [ -f "${SQL_DB_FILE}" ]; then dump_db 
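Review bot: The role_file branch added to db_init clears the option with `uci_set obuspa global role_file ""` followed by a raw `uci commit ${CONFIGURATION}`, whereas the rest of this script goes through the /lib/functions.sh helpers (the removed start_service lines in the next hunk used `uci_commit obuspa`); it is also worth confirming that `uci set` with an empty value deletes the option rather than erroring, since `uci_remove obuspa global role_file` states that intent directly. `configure_ctrust_role` comes from the sourced usp_utils.sh, whose role helpers call `exit 1` on argument errors, so a failure there terminates db_init and the init script instead of returning to it; the `[ -f "${role_file}" ]` guard only checks existence, not that the JSON loads. A comment on the branch, `# one-shot migration: convert a legacy role_file into ctrust_reset, then forget it`, would explain why the option is cleared right after use. db_init begins before and ends after this hunk.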
@@ -986,9 +940,6 @@ db_init() reverse_update_db_with_uci fi - # Remove ControllerTrust.Role., if present in db for backward compatibility - delete_sql_db_entry_with_pattern "Device.LocalAgent.ControllerTrust.Role." - # Remove reset file if present [ -f "${RESET_FILE}" ] && mv ${RESET_FILE} ${RESET_FILE}.old @@ -1017,21 +968,18 @@ db_init() mv ${DB_DUMP} ${RESET_FILE} fi - return 0; + if [ -f "${CTRUST_RESET_FILE}" ]; then + cat ${CTRUST_RESET_FILE} >> ${RESET_FILE} + rm ${CTRUST_RESET_FILE} + fi } start_service() { - local enabled role_file + local enabled mkdir -p /tmp/obuspa/ config_load obuspa config_get_bool enabled global enabled 0 - config_get role_file global role_file "" - # Use the default role file if not defined in uci, but present in path - if [ -z "${role_file}" ] && [ -f "/etc/obuspa/roles.json" ] ; then - uci -q set obuspa.global.role_file="/etc/obuspa/roles.json" - uci_commit obuspa - fi procd_open_instance ${CONFIGURATION} if [ "${enabled}" -eq 1 ]; then diff --git a/obuspa/files/etc/obuspa/roles.json b/obuspa/files/etc/obuspa/roles/admin.json similarity index 77% rename from obuspa/files/etc/obuspa/roles.json rename to obuspa/files/etc/obuspa/roles/admin.json index 4c2a771e4..fde465eb2 100644 --- a/obuspa/files/etc/obuspa/roles.json +++ b/obuspa/files/etc/obuspa/roles/admin.json 
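Review bot: The hunk removes the `delete_sql_db_entry_with_pattern "Device.LocalAgent.ControllerTrust.Role."` cleanup while the new tail of db_init appends freshly generated ControllerTrust.Role instances from ctrust_reset to fw_defaults; on a device upgrading with an existing usp.db the old Role rows would presumably remain alongside the regenerated ones, so either keep the cleanup for the upgrade path or record in a comment why it is no longer needed (`# Role instances now come from fw_defaults; existing db rows are intentionally kept`). Dropping `return 0;` makes db_init's exit status that of the final `if`, which is 0 either way here but no longer explicit. The `cat ${CTRUST_RESET_FILE} >> ${RESET_FILE}` / `rm ${CTRUST_RESET_FILE}` pair would be safer as `cat "${CTRUST_RESET_FILE}" >> "${RESET_FILE}" && rm -f "${CTRUST_RESET_FILE}"`, so a failed append does not delete the only copy. db_init starts outside the hunk and start_service continues past it.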
@@ -1,60 +1,5 @@
 {
 "roles": [
- {
- "name": "full_access",
- "permission": [
- {
- "object": "Device.",
- "perm": [
- "PERMIT_ALL"
- ]
- }
- ]
- },
- {
- "name": "Untrusted",
- "permission": [
- {
- "object": "Device.",
- "perm": [
- "PERMIT_NONE"
- ]
- },
- {
- "object": "Device.DeviceInfo.",
- "perm": [
- "PERMIT_GET",
- "PERMIT_GET_INST",
- "PERMIT_OBJ_INFO",
- "PERMIT_CMD_INFO"
- ]
- },
- {
- "object": "Device.DeviceInfo.ProcessStatus.",
- "perm": [
- "PERMIT_NONE"
- ]
- },
- {
- "object": "Device.DeviceInfo.VendorConfigFile.",
- "perm": [
- "PERMIT_NONE"
- ]
- },
- {
- "object": "Device.DeviceInfo.VendorLogFile.",
- "perm": [
- "PERMIT_NONE"
- ]
- },
- {
- "object": "Device.DeviceInfo.Processor.",
- "perm": [
- "PERMIT_NONE"
- ]
- }
- ]
- },
 {
 "name": "admin",
 "permission": [
@@ -591,134 +536,6 @@ ] } ] - }, - { - "name": "user", - "permission": [ - { - "object": "Device.", - "perm": [ - "PERMIT_NONE" - ] - }, - { - "object": "Device.DeviceInfo.", - "perm": [ - "PERMIT_GET", - "PERMIT_GET_INST", - "PERMIT_OBJ_INFO", - "PERMIT_CMD_INFO", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - }, - { - "object":"Device.Hosts.", - "perm": [ - "PERMIT_GET", - "PERMIT_GET_INST", - "PERMIT_OBJ_INFO", - "PERMIT_CMD_INFO", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - }, - { - "object":"Device.IEEE1905.", - "perm": [ - "PERMIT_GET", - "PERMIT_GET_INST", - "PERMIT_OBJ_INFO", - "PERMIT_CMD_INFO", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - }, - { - "object":"Device.DynamicDNS.", - "perm": [ - "PERMIT_GET", - "PERMIT_GET_INST", - "PERMIT_OBJ_INFO", - "PERMIT_CMD_INFO", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - }, - { - "object":"Device.PeriodicStatistics.", - "perm": [ - "PERMIT_GET", - "PERMIT_GET_INST", - "PERMIT_OBJ_INFO", - "PERMIT_CMD_INFO", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - }, - { - "object": "Device.LocalAgent.Subscription.", - "perm": [ - "PERMIT_GET", - "PERMIT_GET_INST", - "PERMIT_OBJ_INFO", - "PERMIT_CMD_INFO", - "PERMIT_ADD", - "PERMIT_SET", - "PERMIT_DEL", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - }, - { - "object": "Device.WiFi.", - "perm": [ - "PERMIT_GET", - "PERMIT_GET_INST", - "PERMIT_OBJ_INFO", - "PERMIT_CMD_INFO", - "PERMIT_SUBS_VAL_CHANGE", - "PERMIT_SUBS_OBJ_ADD", - "PERMIT_SUBS_OBJ_DEL" - ] - }, - { - "object": "Device.WiFi.AccessPoint.{i}.WPS.InitiateWPSPBC()", - "perm": [ - "PERMIT_OPER", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - }, - { - "object": "Device.WiFi.DataElements.Network.SetSSID()", - "perm": [ - "PERMIT_OPER", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - } - ] - }, - { - "name": "extender", - "permission": [ - { - "object": "Device.", - "perm": [ - "PERMIT_NONE" - ] - }, - { - "object": "Device.SSH.", - "perm": [ - "PERMIT_GET", - "PERMIT_GET_INST", - "PERMIT_OBJ_INFO", - "PERMIT_CMD_INFO", - "PERMIT_OPER", - "PERMIT_SUBS_VAL_CHANGE", - "PERMIT_SUBS_OBJ_ADD", - 
"PERMIT_SUBS_OBJ_DEL", - "PERMIT_SUBS_EVT_OPER_COMP" - ] - } - ] - }, - { - "name": "undefined-4" } ] } diff --git a/obuspa/files/etc/obuspa/roles/extender.json b/obuspa/files/etc/obuspa/roles/extender.json new file mode 100644 index 000000000..dd67c7f43 --- /dev/null +++ b/obuspa/files/etc/obuspa/roles/extender.json @@ -0,0 +1,29 @@ +{ + "roles": [ + { + "name": "extender", + "permission": [ + { + "object": "Device.", + "perm": [ + "PERMIT_NONE" + ] + }, + { + "object": "Device.SSH.", + "perm": [ + "PERMIT_GET", + "PERMIT_GET_INST", + "PERMIT_OBJ_INFO", + "PERMIT_CMD_INFO", + "PERMIT_OPER", + "PERMIT_SUBS_VAL_CHANGE", + "PERMIT_SUBS_OBJ_ADD", + "PERMIT_SUBS_OBJ_DEL", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + } + ] + } + ] +} diff --git a/obuspa/files/etc/obuspa/roles/full_access.json b/obuspa/files/etc/obuspa/roles/full_access.json new file mode 100644 index 000000000..1e2997f22 --- /dev/null +++ b/obuspa/files/etc/obuspa/roles/full_access.json @@ -0,0 +1,15 @@ +{ + "roles": [ + { + "name": "full_access", + "permission": [ + { + "object": "Device.", + "perm": [ + "PERMIT_ALL" + ] + } + ] + } + ] +} diff --git a/obuspa/files/etc/obuspa/roles/user.json b/obuspa/files/etc/obuspa/roles/user.json new file mode 100644 index 000000000..7e6c65f0f --- /dev/null +++ b/obuspa/files/etc/obuspa/roles/user.json 
@@ -0,0 +1,104 @@ +{ + "roles": [ + { + "name": "user", + "permission": [ + { + "object": "Device.", + "perm": [ + "PERMIT_NONE" + ] + }, + { + "object": "Device.DeviceInfo.", + "perm": [ + "PERMIT_GET", + "PERMIT_GET_INST", + "PERMIT_OBJ_INFO", + "PERMIT_CMD_INFO", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + }, + { + "object":"Device.Hosts.", + "perm": [ + "PERMIT_GET", + "PERMIT_GET_INST", + "PERMIT_OBJ_INFO", + "PERMIT_CMD_INFO", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + }, + { + "object":"Device.IEEE1905.", + "perm": [ + "PERMIT_GET", + "PERMIT_GET_INST", + "PERMIT_OBJ_INFO", + "PERMIT_CMD_INFO", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + }, + { + "object":"Device.DynamicDNS.", + "perm": [ + "PERMIT_GET", + "PERMIT_GET_INST", + "PERMIT_OBJ_INFO", + "PERMIT_CMD_INFO", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + }, + { + "object":"Device.PeriodicStatistics.", + "perm": [ + "PERMIT_GET", + "PERMIT_GET_INST", + "PERMIT_OBJ_INFO", + "PERMIT_CMD_INFO", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + }, + { + "object": "Device.LocalAgent.Subscription.", + "perm": [ + "PERMIT_GET", + "PERMIT_GET_INST", + "PERMIT_OBJ_INFO", + "PERMIT_CMD_INFO", + "PERMIT_ADD", + "PERMIT_SET", + "PERMIT_DEL", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + }, + { + "object": "Device.WiFi.", + "perm": [ + "PERMIT_GET", + "PERMIT_GET_INST", + "PERMIT_OBJ_INFO", + "PERMIT_CMD_INFO", + "PERMIT_SUBS_VAL_CHANGE", + "PERMIT_SUBS_OBJ_ADD", + "PERMIT_SUBS_OBJ_DEL" + ] + }, + { + "object": "Device.WiFi.AccessPoint.{i}.WPS.InitiateWPSPBC()", + "perm": [ + "PERMIT_OPER", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + }, + { + "object": "Device.WiFi.DataElements.Network.SetSSID()", + "perm": [ + "PERMIT_OPER", + "PERMIT_SUBS_EVT_OPER_COMP" + ] + } + ] + } + ] +} diff --git a/obuspa/files/etc/obuspa/usp_utils.sh b/obuspa/files/etc/obuspa/usp_utils.sh new file mode 100755 index 000000000..7cecc86b0 --- /dev/null +++ b/obuspa/files/etc/obuspa/usp_utils.sh 
@@ -0,0 +1,218 @@ +#!/bin/sh + +CTRUST_RESET_FILE="/tmp/obuspa/ctrust_reset" +VENDOR_PREFIX_FILE="/etc/obuspa/vendor_prefix" +FW_DEFAULT_ROLE_DIR="/etc/obuspa/roles" + + +# include jshn.sh +if [ -f "/usr/local/share/libubox/jshn.sh" ]; then + . /usr/local/share/libubox/jshn.sh +else + . /usr/share/libubox/jshn.sh +fi + +db_add() +{ + local param value + + param="${1}" + shift + value="$*" + + if [ -n "${param}" ] && [ -n "${value}" ]; then + echo "${param} \"${value}\"">>${CTRUST_RESET_FILE} + else + echo >>${CTRUST_RESET_FILE} + fi +} + +get_param_permission() +{ + local input rinst pinst path prefix + local pperm operm cperm iperm + + pperm="----" + operm="----" + cperm="----" + iperm="----" + + path="${1}" + shift + rinst="${1}" + shift + pinst="${1}" + shift + input="${@}" + + for p in ${input}; do + case ${p} in + PERMIT_GET) + pperm="r${pperm:1:4}" + ;; + PERMIT_SET) + pperm="${pperm:0:1}w${pperm:2:4}" + ;; + PERMIT_SUBS_VAL_CHANGE) + pperm="${pperm:0:3}n" + ;; + PERMIT_OBJ_INFO) + operm="r${operm:1:4}" + ;; + PERMIT_ADD) + operm="${operm:0:1}w${operm:2:4}" + ;; + PERMIT_SUBS_OBJ_ADD) + operm="${operm:0:3}n" + ;; + PERMIT_GET_INST) + iperm="r${iperm:1:4}" + ;; + PERMIT_DEL) + iperm="${iperm:0:1}w${iperm:2:4}" + ;; + PERMIT_SUBS_OBJ_DEL) + iperm="${iperm:0:3}n" + ;; + PERMIT_CMD_INFO) + cperm="r${cperm:1:4}" + ;; + PERMIT_OPER) + cperm="${cperm:0:2}x${cperm:3:4}" + ;; + PERMIT_SUBS_EVT_OPER_COMP) + cperm="${cperm:0:3}n" + ;; + PERMIT_NONE) + pperm="----" + iperm="----" + cperm="----" + operm="----" + ;; + PERMIT_ALL) + pperm="rw-n" + iperm="rw-n" + operm="rw-n" + cperm="r-xn" + ;; + esac + done + + if [ -f "${VENDOR_PREFIX_FILE}" ]; then + prefix="$(cat ${VENDOR_PREFIX_FILE})" + else + prefix="X_IOPSYS_XX_" + fi + + path="${path//\{i\}/*}" + path="${path//\{BBF_VENDOR_PREFIX\}/${prefix}}" + + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Permission.${pinst}.Alias cpe-${pinst} + db_add 
Device.LocalAgent.ControllerTrust.Role.${rinst}.Permission.${pinst}.Enable 1 + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Permission.${pinst}.Order ${pinst} + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Permission.${pinst}.Targets ${path} + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Permission.${pinst}.Param ${pperm} + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Permission.${pinst}.Obj ${operm} + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Permission.${pinst}.InstantiatedObj ${iperm} + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Permission.${pinst}.CommandEvent ${cperm} +} + +configure_permission() +{ + local obj inst name rinst + + obj="${1}" + inst="${2}" + name="${3}" + rinst="${4}" + + if [ -z "${inst}" ]; then + return 0 + fi + + json_select ${inst} + + json_get_var path object + json_get_values perm perm + + get_param_permission "${path}" "${rinst}" "${inst}" "${perm}" + db_add + + json_select .. +} + + +configure_roles() +{ + local rinst rname + + if [ "$#" -ne 2 ]; then + echo "Illegal number of parameters" + exit 1 + fi + + json_select $2 + json_get_var rname name + + if [ "${rname}" = "full_access" ]; then + rinst=1 + rname="Full Access" + elif [ "${rname}" = "Untrusted" ]; then + rinst=2 + else + rinst="$2" + fi + + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Alias cpe-${rinst} + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Enable 1 + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Name ${rname} + + json_for_each_item configure_permission permission "${name}" ${rinst} + json_select .. 
+} + +configure_roles_dir() +{ + local rinst rname + + if [ "$#" -ne 3 ]; then + echo "Illegal number of parameters" + exit 1 + fi + + rinst="${3}" + json_select $2 + json_get_var rname name + + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Alias cpe-${rinst} + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Enable 1 + db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Name ${rname} + + json_for_each_item configure_permission permission "${name}" ${rinst} + json_select .. + break +} + +configure_ctrust_role() +{ + local num + local roles_obj + + mkdir -p /tmp/obuspa/ + if [ -f "${1}" ]; then + json_init + json_load_file "${1}" + json_for_each_item configure_roles roles + else + num=3 + for f in $(ls -1 ${FW_DEFAULT_ROLE_DIR}); do + echo "Loading $f ....." + json_init + json_load_file "${FW_DEFAULT_ROLE_DIR}/${f}" + json_for_each_item configure_roles_dir roles ${num} + num=$((num + 1)) + done + fi +} + +# configure_ctrust_role "${@}" diff --git a/obuspa/files/etc/uci-defaults/60-generate-ctrust-defaults b/obuspa/files/etc/uci-defaults/60-generate-ctrust-defaults new file mode 100644 index 000000000..480efa262 --- /dev/null +++ b/obuspa/files/etc/uci-defaults/60-generate-ctrust-defaults @@ -0,0 +1,15 @@ +#!/bin/sh + +. /lib/functions.sh +. /etc/obuspa/usp_utils.sh + +rfile="$(uci -q get obuspa.global.role_file)" + +# Reset the role_file if present +if [ -n "${rfile}" ]; then + uci -q set obuspa.global.role_file="" +fi + +configure_ctrust_role "${rfile}" + +exit 0 diff --git a/obuspa/patches/0001-validate-controller-mtp.patch b/obuspa/patches/0001-validate-controller-mtp.patch index 6f5e703a7..169ee852c 100644 --- a/obuspa/patches/0001-validate-controller-mtp.patch +++ b/obuspa/patches/0001-validate-controller-mtp.patch @@ -1,22 +1,23 @@ diff --git a/src/core/device.h b/src/core/device.h -index 5ca0782..ee6d88c 100644 +index 5e367b7..db154a5 100644 --- a/src/core/device.h 
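Review bot: configure_roles_dir numbers each default role with the sequential `num` that configure_ctrust_role derives from `ls -1 ${FW_DEFAULT_ROLE_DIR}`, while configure_roles maps `full_access` to Role.1 ("Full Access") and `Untrusted` to Role.2; so the shipped roles/full_access.json becomes an additional PERMIT_ALL role at whatever index alphabetical order gives it, and every default role index depends on directory listing order — the same name-to-instance mapping should be applied in configure_roles_dir, or full_access.json should not live in the defaults directory. Parsing `ls` output also breaks on unusual filenames and picks up non-JSON files, and db_add only ever appends, so a stale /tmp/obuspa/ctrust_reset is extended rather than replaced; the rewrite below uses a glob and starts from an empty file (drop the `rm -f` if a previously generated file must survive). The trailing `break` in configure_roles_dir is not inside a loop in that function and presumably exists to stop after the first role of each file — a comment saying so, or `return 0`, would make the intent visible. The `exit 1` branches in configure_roles and configure_roles_dir terminate whichever script sourced this file (the init script and the uci-defaults script), so `return 1` is the safer choice for a sourced library.
```sh
configure_ctrust_role()
{
	local num f

	mkdir -p /tmp/obuspa/
	# db_add only appends; start from an empty file so a stale
	# ctrust_reset does not produce duplicate Role instances
	rm -f "${CTRUST_RESET_FILE}"
	if [ -f "${1}" ]; then
		json_init
		json_load_file "${1}"
		json_for_each_item configure_roles roles
	else
		num=3
		# glob instead of parsing ls: only *.json, sorted by name
		for f in "${FW_DEFAULT_ROLE_DIR}"/*.json; do
			[ -f "${f}" ] || continue
			json_init
			json_load_file "${f}"
			json_for_each_item configure_roles_dir roles "${num}"
			num=$((num + 1))
		done
	fi
}
```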
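Review bot: 60-generate-ctrust-defaults resets the option with `uci -q set obuspa.global.role_file=""` but never commits; that presumably relies on the uci-defaults runner committing once the script returns, which deserves a comment on that line, `# committed by the uci-defaults runner after this script returns`. The runner deletes a defaults script only when it exits 0, so an `exit 1` raised inside the sourced configure_ctrust_role helpers would leave this script in place to re-run and regenerate /tmp/obuspa/ctrust_reset at every boot. Confirm that an empty `uci set` value removes the option rather than failing; `uci -q delete obuspa.global.role_file` expresses the same thing unambiguously.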
+++ b/src/core/device.h -@@ -157,6 +157,9 @@ int DEVICE_CONTROLLER_Start(void); - void DEVICE_CONTROLLER_Stop(void); - int DEVICE_CONTROLLER_FindInstanceByEndpointId(char *endpoint_id); - int DEVICE_CONTROLLER_QueueBinaryMessage(mtp_send_item_t *msi, char *endpoint_id, char *usp_msg_id, mtp_reply_to_t *mtp_reply_to, time_t expiry_time); +@@ -330,6 +330,10 @@ int DEVICE_MTP_ValidateMqttReference(dm_req_t *req, char *value); + void DEVICE_CONTROLLER_SetRolesFromMqtt(int mqtt_instance, int role_instance); + char *DEVICE_CONTROLLER_GetControllerTopic(int mqtt_instance); + +#ifdef OBUSPA_CONTROLLER_MTP_VERIFY +bool DEVICE_CONTROLLER_IsMTPAllowed(char *endpoint_id, mtp_reply_to_t *mrt); +#endif - bool DEVICE_CONTROLLER_IsMTPConfigured(char *endpoint_id, mtp_protocol_t protocol); - char *DEVICE_CONTROLLER_FindEndpointIdByInstance(int instance); - char *DEVICE_CONTROLLER_FindEndpointByMTP(mtp_reply_to_t *mrt); ++ + #ifndef REMOVE_USP_BROKER + int DEVICE_SUBSCRIPTION_RouteNotification(Usp__Msg *usp, int instance); + bool DEVICE_SUBSCRIPTION_MarkVendorLayerSubs(int broker_instance, subs_notify_t notify_type, char *path, int group_id); diff --git a/src/core/device_controller.c b/src/core/device_controller.c -index ae609f5..a6335f5 100644 +index 97ca11d..19c91f1 100644 --- a/src/core/device_controller.c +++ b/src/core/device_controller.c -@@ -900,6 +900,78 @@ int DEVICE_CONTROLLER_QueueBinaryMessage(mtp_send_item_t *msi, char *endpoint_id +@@ -952,6 +952,78 @@ int DEVICE_CONTROLLER_QueueBinaryMessage(mtp_send_item_t *msi, char *endpoint_id return USP_ERR_OK; } @@ -96,12 +97,12 @@ index ae609f5..a6335f5 100644 ** ** DEVICE_CONTROLLER_IsMTPConfigured diff --git a/src/core/msg_handler.c b/src/core/msg_handler.c -index 8313342..a953562 100644 +index 2a04d39..0b3074b 100644 --- a/src/core/msg_handler.c 
+++ b/src/core/msg_handler.c -@@ -759,6 +759,15 @@ int ValidateUspRecord(UspRecord__Record *rec, mtp_reply_to_t *mrt) - return USP_ERR_RECORD_FIELD_INVALID; - } +@@ -1206,6 +1206,15 @@ int ValidateUspRecord(UspRecord__Record *rec, mtp_conn_t *mtpc) + usp_service_instance = USP_BROKER_GetUspServiceInstance(rec->from_id, 0); + #endif +#ifdef OBUSPA_CONTROLLER_MTP_VERIFY + // Exit if the controller is not allowed to use the MTP on which the message was received @@ -112,6 +113,6 @@ index 8313342..a953562 100644 + } +#endif + - // Exit if the controller is unknown + // Exit if the endpoint sending the message is unknown cur_msg_controller_instance = DEVICE_CONTROLLER_FindInstanceByEndpointId(rec->from_id); - if (cur_msg_controller_instance == INVALID) + if ((cur_msg_controller_instance == INVALID) && (usp_service_instance == INVALID)) diff --git a/obuspa/patches/0003-set-internal-role-fix.patch b/obuspa/patches/0003-set-internal-role-fix.patch deleted file mode 100644 index ea2f024b1..000000000 --- a/obuspa/patches/0003-set-internal-role-fix.patch +++ /dev/null 
@@ -1,84 +0,0 @@ ---- a/src/core/cli_server.c -+++ b/src/core/cli_server.c -@@ -780,6 +780,7 @@ int ExecuteCli_Set(char *arg1, char *arg - goto exit; - } - -+ SetControllerRoleForInternal(); - // Exit if unable to start a transaction - err = DM_TRANS_Start(&trans); - if (err != USP_ERR_OK) -@@ -865,6 +866,7 @@ int ExecuteCli_Add(char *arg1, char *arg - goto exit; - } - -+ SetControllerRoleForInternal(); - // Exit if unable to start a transaction - err = DM_TRANS_Start(&trans); - if (err != USP_ERR_OK) -@@ -976,6 +978,7 @@ int ExecuteCli_Del(char *arg1, char *arg - goto exit; - } - -+ SetControllerRoleForInternal(); - // Exit if unable to start a transaction - err = DM_TRANS_Start(&trans); - if (err != USP_ERR_OK) ---- a/src/core/data_model.h -+++ b/src/core/data_model.h -@@ -325,6 +325,8 @@ void DATA_MODEL_DumpSchema(void); - void DATA_MODEL_DumpInstances(void); - char DATA_MODEL_GetJSONParameterType(char *path); - int DATA_MODEL_SetParameterInDatabase(char *path, char *value); -+void SetControllerRoleForInternal(); -+void SetControllerDummyID(); - - int DM_PRIV_InitSetRequest(dm_req_t *req, dm_node_t *node, char *path, dm_instances_t *inst, char *new_value); - void DM_PRIV_RequestInit(dm_req_t *req, dm_node_t *node, char *path, dm_instances_t *inst); ---- a/src/core/dm_exec.c -+++ b/src/core/dm_exec.c -@@ -1207,6 +1207,7 @@ void ProcessMessageQueueSocketActivity(s - return; - } - -+ SetControllerDummyID(); // To make sure session handler does not break with internal services - switch(msg.type) - { - case kDmExecMsg_ProcessUspRecord: ---- a/src/core/msg_handler.c -+++ b/src/core/msg_handler.c -@@ -902,6 +902,34 @@ char *MtpSendItemToString(mtp_send_item_ - - /*********************************************************************//** - ** -+** SetControllerDummyID -+** -+** Sets the role for internal user -+** -+** -+**************************************************************************/ -+void SetControllerDummyID() -+{ -+ cur_msg_controller_info.endpoint_id = 
"CLI_Utility"; -+} -+ -+/*********************************************************************//** -+** -+** SetControllerRoleForInternal -+** -+** Sets the role for internal user -+** -+** -+**************************************************************************/ -+void SetControllerRoleForInternal() -+{ -+ cur_msg_combined_role.inherited = kCTrustRole_Untrusted; -+ cur_msg_combined_role.assigned = kCTrustRole_FullAccess; -+ SetControllerDummyID(); -+} -+ -+/*********************************************************************//** -+** - ** CacheControllerRoleForCurMsg - ** - ** Retrieves the role to use for the specified controller, and caches it locally, so that diff --git a/obuspa/patches/0012-check_mqtt_host_alive.patch b/obuspa/patches/0012-check_mqtt_host_alive.patch index 271a3e8be..4652c4fb4 100644 --- a/obuspa/patches/0012-check_mqtt_host_alive.patch +++ b/obuspa/patches/0012-check_mqtt_host_alive.patch @@ -1,8 +1,17 @@ diff --git a/src/core/mqtt.c b/src/core/mqtt.c -index 04a1a9c..00b95a4 100644 +index 70a10c2..e8a39cf 100644 --- a/src/core/mqtt.c +++ b/src/core/mqtt.c -@@ -2124,6 +2124,75 @@ exit: +@@ -63,6 +63,8 @@ + + #include + ++#include ++ + // Defines for MQTT Property Values + #define PUBLISH 0x30 + #define CONTENT_TYPE 3 +@@ -2180,6 +2182,75 @@ exit: } } @@ -78,7 +87,7 @@ index 04a1a9c..00b95a4 100644 /*********************************************************************//** ** ** PerformMqttClientConnect -@@ -2193,6 +2262,14 @@ int PerformMqttClientConnect(mqtt_client_t *client) +@@ -2249,6 +2320,14 @@ int PerformMqttClientConnect(mqtt_client_t *client) keep_alive = 5; }