Groupcast Access Control: EXPERIMENTAL #42066
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR introduces an experimental groupcast access control feature by implementing a wrapper around the existing AccessControl system. The wrapper allows virtual ACL entries to be automatically managed by the Groupcast cluster without modifying the ACL entries handled by the Access Control cluster.
Key changes:
- Adds a new
PersistentArraytemplate class for managing persistent storage of array data - Implements
GroupcastAccessControlDelegateto manage groupcast-specific ACL entries - Introduces
ExtendedAccessControlDelegateto combine primary and secondary access control delegates
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| src/lib/support/PersistentArray.h | New template class for persistent array storage with serialization support |
| src/lib/support/DefaultStorageKeyAllocator.h | Adds storage key allocation for groupcast access control data |
| src/app/server/Server.h | Integrates extended access control delegate into server initialization |
| src/app/server/Server.cpp | Declares static instance of ExtendedAccessControlDelegate |
| src/access/examples/GroupcastAccessControlDelegate.h | Header defining interface for groupcast access control |
| src/access/examples/GroupcastAccessControlDelegate.cpp | Implementation of groupcast-specific access control delegate |
| src/access/examples/ExtendedAccessControlDelegate.h | Header for delegate that combines primary and secondary access controls |
| src/access/examples/ExtendedAccessControlDelegate.cpp | Implementation of the extended access control wrapper |
| src/access/ExtendedAccessControlDelegate.h | Duplicate header file for extended access control delegate |
| src/access/ExtendedAccessControlDelegate.cpp | Duplicate implementation file for extended access control delegate |
| src/access/BUILD.gn | Updates build configuration to include new delegate files |
Comments suppressed due to low confidence (1)
src/lib/support/PersistentArray.h:1
- The equality operator should return
truewhen fabric indices are equal, not when they are different. Change!=to==.
/*
|
|
||
| virtual CHIP_ERROR Next(Entry & entry) override | ||
| { | ||
| if(mIndex < sList.Count()) { |
There was a problem hiding this comment.
Missing space after if keyword. Should be if (mIndex < sList.Count()).
| if(mIndex < sList.Count()) { | |
| if (mIndex < sList.Count()) { |
| // FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME | ||
| FabricIndex fabric_index = 1; | ||
| // FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME FIXME |
There was a problem hiding this comment.
Hardcoded fabric index value needs to be replaced with proper fabric index handling. This appears in multiple methods (GetEntryCount, CreateEntry, ReadEntry, UpdateEntry, DeleteEntry).
|
|
||
| AccessControl::Delegate * GetAccessControlDelegate(PersistentStorageDelegate *storage) { | ||
| static AccessControlDelegate sDelegate; | ||
| if(storage) { |
There was a problem hiding this comment.
Missing space after if keyword. Should be if (storage).
| if(storage) { | |
| if (storage) { |
| if(mFirst) { | ||
| mFirst->Release(); | ||
| } | ||
| if(mSecond) { |
There was a problem hiding this comment.
Missing space after if keyword. Should be if (mFirst) and if (mSecond).
| if(CHIP_NO_ERROR == mError) { | ||
| mError = mFirst->Next(entry); | ||
| } | ||
| if(mSecond && (CHIP_ERROR_SENTINEL == mError)) { |
There was a problem hiding this comment.
Missing space after if keyword. Should be if (CHIP_NO_ERROR == mError) and if (mSecond && (CHIP_ERROR_SENTINEL == mError)).
| // Capabilities | ||
| CHIP_ERROR ExtendedAccessControlDelegate::GetMaxEntriesPerFabric(size_t & value) const | ||
| { | ||
| ChipLogDetail(DeviceLayer, "~~~ ExtendedAccessControlDelegate::GetMaxEntriesPerFabric: #%p/%p\n", mPrimary, mSecondary); |
There was a problem hiding this comment.
Debug logging statements should be removed or converted to proper debug macros before merging experimental code.
| ChipLogDetail(DeviceLayer, "~~~ ExtendedAccessControlDelegate::GetMaxEntriesPerFabric: #%p/%p\n", mPrimary, mSecondary); |
| // Iteration | ||
| CHIP_ERROR ExtendedAccessControlDelegate::Entries(AccessControl::EntryIterator & iterator, const FabricIndex * fabricIndex) const { | ||
| VerifyOrReturnError(nullptr != mPrimary || nullptr != mSecondary, CHIP_ERROR_INCORRECT_STATE); | ||
| ChipLogDetail(DeviceLayer, "~~~ ExtendedAccessControlDelegate::Entries: #%p/%p\n", mPrimary, mSecondary); |
There was a problem hiding this comment.
Debug logging statements should be removed or converted to proper debug macros before merging experimental code.
| ChipLogDetail(DeviceLayer, "~~~ ExtendedAccessControlDelegate::Entries: #%p/%p\n", mPrimary, mSecondary); |
| entry.subject_count = 0; | ||
| memset(entry.subjects, 0x00, sizeof(entry.subjects)); | ||
| entry.target_count = 0; | ||
| for(size_t i=0; i < kMaxTargets; i++) { |
There was a problem hiding this comment.
Missing spaces around operators. Should be for (size_t i = 0; i < kMaxTargets; i++).
| for(size_t i=0; i < kMaxTargets; i++) { | |
| for (size_t i = 0; i < kMaxTargets; i++) { |
| "examples/ExtendedAccessControlDelegate.cpp", | ||
| "examples/ExtendedAccessControlDelegate.h", | ||
| "examples/GroupcastAccessControlDelegate.cpp", | ||
| "examples/GroupcastAccessControlDelegate.h", |
There was a problem hiding this comment.
Files are duplicated in both src/access/examples/ and src/access/ directories. These duplicate files (ExtendedAccessControlDelegate.h/cpp) should be consolidated to a single location.
| ReturnErrorOnFailure(this->Load()); | ||
| for (size_t i = this->mCount; (this->mCount > 0) && (i > 0); --i) | ||
| { | ||
| return Remove(i - 1); |
There was a problem hiding this comment.
The loop will only execute once due to the unconditional return statement inside. The return should be changed to ReturnErrorOnFailure(Remove(i - 1)); to continue removing all entries.
| return Remove(i - 1); | |
| ReturnErrorOnFailure(Remove(i - 1)); |
|
PR #42066: Size comparison from ee2ab5e to acd89dd Increases above 0.2%:
Full report (3 builds for realtek, stm32)
|
| } | ||
|
|
||
|
|
||
| void ExtendedAccessControlDelegate::Release() {} |
There was a problem hiding this comment.
Extended should be renamed to Auxiliary everywhere
| AccessControl::EntryIterator first; | ||
| ReturnErrorOnFailure(mPrimary->Entries(first, fabricIndex)); // TODO: OPTIONAL fabricIndex | ||
| AccessControl::EntryIterator::Delegate *it1 = &first.GetDelegate(); | ||
| // Secondary | ||
| AccessControl::EntryIterator second; | ||
| ReturnErrorOnFailure(mSecondary->Entries(second, fabricIndex)); | ||
| AccessControl::EntryIterator::Delegate *it2 = &second.GetDelegate(); |
There was a problem hiding this comment.
What difference between primary and secondary?
| } | ||
|
|
||
| // Groupcast | ||
| static StorageKeyName GroupcastAccess(chip::FabricIndex fabric) { return StorageKeyName::Formatted("f/%x/ga", fabric); } |
There was a problem hiding this comment.
What is stored there?
2 participants
Summary
Adds a wrapper to the AccessControl, so virtual ACL entries may be automatically added by the Groupcast cluster, without affecting the actual ACL entries managed by the Access Control cluster.
Related issues
Testing
Readability checklist
The checklist below will help the reviewer finish PR review in time and keep the
code readable:
descriptive
“When in Rome…”
rule (coding style)
See: Pull Request Guidelines