Access Control

docs/development_controllers/matter-repl/Matter_Access_Control.ipynb

This document explains how to use Access Control in Matter, and will be updated as development proceeds.

What Does and Doesn’t Work Right Now?

Briefly, you can read and write the entire ACL attribute in the all-clusters-app, but Access Control isn’t yet turned on, so it won’t affect interactions. There’s almost no error checking when writing the ACL attribute (e.g. ensuring subjects match the auth mode, that only your own fabric’s entries can be written, etc.), so exercise caution for now.

Clear Persisted Storage

Let's clear out our persisted storage (if one exists) to start from a clean slate.

python
import os, subprocess

if os.path.isfile('/tmp/repl-storage.json'):
    os.remove('/tmp/repl-storage.json')

# So that the all-clusters-app won't boot with stale prior state.
os.system('rm -rf /tmp/chip_*')

Initialization

Let's begin by importing some key modules that make it easier for us to interact with the Matter stack.

NOTE: This is not needed if you launch the REPL from the command-line.

python
%reset -f
import importlib.util
spec = importlib.util.find_spec('matter.ReplStartup')
%run {spec.origin}

Commission and Setup Server

Launch Server

Let's launch an instance of the chip-all-clusters-app.

python
import time, os
import subprocess
os.system('pkill -f chip-all-clusters-app')
time.sleep(1)

appPath = '../../../out/linux-x64-all-clusters/chip-all-clusters-app'
process = subprocess.Popen(appPath, stdout=subprocess.DEVNULL)
time.sleep(1)

Commission Target

Commission the target with a NodeId of 2.

python
await devCtrl.CommissionOnNetwork(2, 20202021)

Bootstrap ACLs

During commissioning, an ACL entry that assigns Administer rights to the commissioner (i.e. matter-repl) was automatically installed on the commissionee.

python
await devCtrl.ReadAttribute(2, [ (0, Clusters.OperationalCredentials)], returnClusterObject=True)

Automatically Installed ACL

python
data = await devCtrl.ReadAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl) ] )
data
python
acl = data[0][matter.clusters.Objects.AccessControl][matter.clusters.Objects.AccessControl.Attributes.Acl]
acl

Installing a CASE ACL

python
# Grant Operate on endpoint 1 to CASE-authenticated nodes on fabric 1.
# No subjects are listed, so the entry applies to every CASE subject on that fabric.
acl.append(Clusters.AccessControl.Structs.AccessControlEntryStruct(
    fabricIndex = 1,
    privilege = Clusters.AccessControl.Enums.AccessControlEntryPrivilegeEnum.kOperate,
    authMode = Clusters.AccessControl.Enums.AccessControlEntryAuthModeEnum.kCase,
    targets = [ Clusters.AccessControl.Structs.AccessControlTargetStruct(
        endpoint = 1,
    ) ] ) )
acl
python
await devCtrl.WriteAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl( acl ) ) ] )
python
await devCtrl.ReadAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl ) ] )

Installing a Group ACL

python
# Grant Manage to group IDs 123 and 456 for: the OnOff cluster on any endpoint,
# everything on endpoint 1, and the LevelControl cluster on endpoint 2.
acl.append( Clusters.AccessControl.Structs.AccessControlEntryStruct(
    privilege = Clusters.AccessControl.Enums.AccessControlEntryPrivilegeEnum.kManage,
    authMode = Clusters.AccessControl.Enums.AccessControlEntryAuthModeEnum.kGroup,
    subjects = [ 123, 456 ],
    targets = [
      Clusters.AccessControl.Structs.AccessControlTargetStruct(
        cluster = Clusters.OnOff.id,
      ),
      Clusters.AccessControl.Structs.AccessControlTargetStruct(
        endpoint = 1,
      ),
      Clusters.AccessControl.Structs.AccessControlTargetStruct(
        cluster = Clusters.LevelControl.id,
        endpoint = 2,
      ) ] ) )
acl
python
await devCtrl.WriteAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl( acl ) ) ] ) 
python
await devCtrl.ReadAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl ) ] )
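Because the device currently does almost no validation of written entries and does not yet enforce them, it helps to see offline what a conforming Access Control implementation would reject and what it would decide. The block below is an added example, not code from the notebook or from the connectedhomeip SDK: it mirrors the entry and target structs with plain dataclasses (`Entry`, `Target`, `Privilege`, `AuthMode`), applies the spec's entry checks in `validate_entry` (fabric ownership, no explicit PASE entries, Administer only with CASE, subject ranges per auth mode, well-formed targets), and evaluates requests against the ACL in `is_allowed`, including the implied-privilege hierarchy. The commissioner node ID 112233 is a constructed placeholder; cluster IDs 0x0006 and 0x0008 are the real OnOff and LevelControl IDs. Device-type targets are treated as non-matching since resolving them needs the endpoint's Descriptor cluster.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional

# Constructed mirrors of the ACL structs used in the notebook; not the SDK's own classes.
class Privilege(IntEnum):
    VIEW = 1
    PROXY_VIEW = 2
    OPERATE = 3
    MANAGE = 4
    ADMINISTER = 5

class AuthMode(IntEnum):
    PASE = 1
    CASE = 2
    GROUP = 3

@dataclass
class Target:
    cluster: Optional[int] = None
    endpoint: Optional[int] = None
    deviceType: Optional[int] = None

@dataclass
class Entry:
    privilege: Privilege
    authMode: AuthMode
    subjects: Optional[List[int]] = None   # None/empty = every subject of this auth mode
    targets: Optional[List[Target]] = None # None/empty = every endpoint and cluster
    fabricIndex: int = 1

# Privileges implied by a granted privilege (Administer covers everything).
IMPLIED = {
    Privilege.VIEW: {Privilege.VIEW},
    Privilege.PROXY_VIEW: {Privilege.PROXY_VIEW, Privilege.VIEW},
    Privilege.OPERATE: {Privilege.OPERATE, Privilege.VIEW},
    Privilege.MANAGE: {Privilege.MANAGE, Privilege.OPERATE, Privilege.VIEW},
    Privilege.ADMINISTER: set(Privilege),
}
MAX_GROUP_ID = 0xFFFF
MAX_NODE_ID = 0xFFFF_FFEF_FFFF_FFFF  # top of the operational node ID range (CATs not handled here)

def validate_entry(e: Entry, writer_fabric: int) -> List[str]:
    """Return the checks this entry fails; an empty list means it would be accepted."""
    problems = []
    if e.fabricIndex != writer_fabric:
        problems.append("fabricIndex does not match the writing fabric")
    if e.authMode == AuthMode.PASE:
        problems.append("PASE entries cannot be written explicitly")
    if e.privilege == Privilege.ADMINISTER and e.authMode != AuthMode.CASE:
        problems.append("Administer is only allowed with CASE auth mode")
    for s in e.subjects or []:
        if e.authMode == AuthMode.GROUP and not 1 <= s <= MAX_GROUP_ID:
            problems.append(f"subject {s:#x} is not a valid group ID")
        if e.authMode == AuthMode.CASE and not 1 <= s <= MAX_NODE_ID:
            problems.append(f"subject {s:#x} is not a valid node ID")
    for t in e.targets or []:
        if t.cluster is None and t.endpoint is None and t.deviceType is None:
            problems.append("target names no cluster, endpoint or device type")
        if t.endpoint is not None and t.deviceType is not None:
            problems.append("target cannot name both an endpoint and a device type")
    return problems

def target_matches(t: Target, endpoint: int, cluster: int) -> bool:
    if t.cluster is not None and t.cluster != cluster:
        return False
    if t.endpoint is not None and t.endpoint != endpoint:
        return False
    return t.deviceType is None  # device-type targets would need the Descriptor cluster

def is_allowed(acl, fabric, authMode, subject, endpoint, cluster, needed: Privilege) -> bool:
    """Decide one request the way an enforcing device would: fabric, auth mode, subject, target, privilege."""
    for e in acl:
        if e.fabricIndex != fabric or e.authMode != authMode:
            continue
        if e.subjects and subject not in e.subjects:
            continue
        if e.targets and not any(target_matches(t, endpoint, cluster) for t in e.targets):
            continue
        if needed in IMPLIED[e.privilege]:
            return True
    return False

# The ACL as the notebook leaves it: the commissioner's Administer entry plus the two added entries.
ON_OFF, LEVEL_CONTROL = 0x0006, 0x0008
ACL = [
    Entry(Privilege.ADMINISTER, AuthMode.CASE, subjects=[112233]),  # 112233: constructed commissioner node ID
    Entry(Privilege.OPERATE, AuthMode.CASE, targets=[Target(endpoint=1)]),
    Entry(Privilege.MANAGE, AuthMode.GROUP, subjects=[123, 456],
          targets=[Target(cluster=ON_OFF), Target(endpoint=1), Target(cluster=LEVEL_CONTROL, endpoint=2)]),
]

if __name__ == "__main__":
    for e in ACL:
        print(e.privilege.name, e.authMode.name, "->", validate_entry(e, writer_fabric=1) or "ok")
    print("any CASE node, Operate OnOff@ep1:", is_allowed(ACL, 1, AuthMode.CASE, 999, 1, ON_OFF, Privilege.OPERATE))
    print("group 123, Manage OnOff@ep3:", is_allowed(ACL, 1, AuthMode.GROUP, 123, 3, ON_OFF, Privilege.MANAGE))
```

Running the validator over the notebook's entries shows they pass, while an Administer entry with Group auth mode or an entry for a foreign fabric would be rejected by a conforming device; the decision function shows which requests the two added entries would actually open up once enforcement is turned on.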