Merge branch 'master' into feature/message-cluster-present-message-update

Author: lazarkov

examples/darwin-framework-tool/BUILD.gn

@@ -42,6 +42,9 @@ declare_args() {
   }
 
   enable_provisional_features = config_enable_yaml_tests
+
+  # Disable generating compiler database by default
+  generate_compilation_database = false
 }
 
 sdk = "macosx"
@@ -107,6 +110,12 @@ action("build-darwin-framework") {
     args += [ "--no-clang" ]
   }
 
+  if (generate_compilation_database) {
+    args += [ "--compdb" ]
+  } else {
+    args += [ "--no-compdb" ]
+  }
+
   if (config_enable_yaml_tests) {
     args += [ "--enable-encoding-sentinel-enum-values" ]
   } else {

scripts/build/build_darwin_framework.py

@@ -129,6 +129,9 @@ def build_darwin_framework(args):
     if args.enable_encoding_sentinel_enum_values:
         cflags += ["-DCHIP_CONFIG_IM_ENABLE_ENCODING_SENTINEL_ENUM_VALUES=1"]
 
+    if args.compdb:
+        cflags += ["-gen-cdb-fragment-path ", abs_path + '/compdb']
+
     command += ["OTHER_CFLAGS=" + ' '.join(cflags), "OTHER_LDFLAGS=" + ' '.join(ldflags)]
     command_result = run_command(command)
     print("Build Framework Result: {}".format(command_result))
@@ -172,6 +175,7 @@ def build_darwin_framework(args):
     parser.add_argument('--ble', action=argparse.BooleanOptionalAction)
     parser.add_argument('--clang', action=argparse.BooleanOptionalAction)
     parser.add_argument('--enable-encoding-sentinel-enum-values', action=argparse.BooleanOptionalAction)
+    parser.add_argument('--compdb', action=argparse.BooleanOptionalAction)
 
     args = parser.parse_args()
     build_darwin_framework(args)

scripts/helpers/generate_darwin_compdb.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2020-2023 Project CHIP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+JQ=$(which jq)
+if [ $? -ne 0 ]; then
+    echo "'jq' not detected in PATH. Install using: brew install jq"
+    exit 1
+fi
+
+set -e
+set -x
+
+source "$(dirname "$0")/../../scripts/activate.sh"
+CHIP_ROOT="$(dirname "$0")/../.."
+OUTPUT_DIR=$2
+
+# Build the framework
+scripts/examples/gn_build_example.sh "$@" generate_compilation_database=true
+
+# Clean up any stale DB files
+find "$OUTPUT_DIR" -iname compile_commands\*.json | xargs rm
+
+# Construct json from fragments generated by xcodebuild
+COMPDB_FRAGMENTS_DIR=$(find "$OUTPUT_DIR" -type d -name compdb)
+sed -e '1s/^/[\'$'\n''/' -e '$s/,$/\'$'\n'']/' "$COMPDB_FRAGMENTS_DIR"/*.json >"$OUTPUT_DIR"/compile_commands_darwin_framework.json
+
+# Get ninja to build comdb for the rest
+ninja -C "$OUTPUT_DIR" -t compdb >"$OUTPUT_DIR"/compile_commands_rest.json
+
+# Combine the generated compdb into one
+find "$OUTPUT_DIR" -iname compile_commands\*.json | xargs jq -s 'map(.[])' >"$OUTPUT_DIR"/compile_commands.json

src/controller/java/AndroidDeviceControllerWrapper.cpp

@@ -543,7 +543,8 @@ CHIP_ERROR AndroidDeviceControllerWrapper::UpdateDeviceAttestationDelegateBridge
     return err;
 }
 
-CHIP_ERROR AndroidDeviceControllerWrapper::UpdateAttestationTrustStoreBridge(jobject attestationTrustStoreDelegate)
+CHIP_ERROR AndroidDeviceControllerWrapper::UpdateAttestationTrustStoreBridge(jobject attestationTrustStoreDelegate,
+                                                                             jobject cdTrustKeys)
 {
     CHIP_ERROR err = CHIP_NO_ERROR;
 
@@ -566,6 +567,29 @@ CHIP_ERROR AndroidDeviceControllerWrapper::UpdateAttestationTrustStoreBridge(job
     }
     mDeviceAttestationVerifier = deviceAttestationVerifier;
 
+    if (cdTrustKeys != nullptr)
+    {
+        WellKnownKeysTrustStore * cdTrustStore = mDeviceAttestationVerifier->GetCertificationDeclarationTrustStore();
+        VerifyOrExit(cdTrustStore != nullptr, err = CHIP_ERROR_INCORRECT_STATE);
+
+        jint size;
+        err = JniReferences::GetInstance().GetListSize(cdTrustKeys, size);
+        VerifyOrExit(err == CHIP_NO_ERROR, err = CHIP_ERROR_INVALID_ARGUMENT);
+
+        for (jint i = 0; i < size; i++)
+        {
+            jobject jTrustKey = nullptr;
+            err               = JniReferences::GetInstance().GetListItem(cdTrustKeys, i, jTrustKey);
+
+            VerifyOrExit(err == CHIP_NO_ERROR, err = CHIP_ERROR_INVALID_ARGUMENT);
+
+            JNIEnv * env = JniReferences::GetInstance().GetEnvForCurrentThread();
+            JniByteArray jniTrustKey(env, static_cast<jbyteArray>(jTrustKey));
+            err = cdTrustStore->AddTrustedKey(jniTrustKey.byteSpan());
+            VerifyOrExit(err == CHIP_NO_ERROR, err = CHIP_ERROR_INVALID_ARGUMENT);
+        }
+    }
+
     mController->SetDeviceAttestationVerifier(mDeviceAttestationVerifier);
 
 exit:

src/controller/java/AndroidDeviceControllerWrapper.h

@@ -202,7 +202,7 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
     CHIP_ERROR UpdateDeviceAttestationDelegateBridge(jobject deviceAttestationDelegate, chip::Optional<uint16_t> expiryTimeoutSecs,
                                                      bool shouldWaitAfterDeviceAttestation);
 
-    CHIP_ERROR UpdateAttestationTrustStoreBridge(jobject attestationTrustStoreDelegate);
+    CHIP_ERROR UpdateAttestationTrustStoreBridge(jobject attestationTrustStoreDelegate, jobject cdTrustKeys);
 
     CHIP_ERROR StartOTAProvider(jobject otaProviderDelegate);
 

src/controller/java/CHIPDeviceController-JNI.cpp

@@ -533,7 +533,7 @@ JNI_METHOD(void, setDeviceAttestationDelegate)
 }
 
 JNI_METHOD(void, setAttestationTrustStoreDelegate)
-(JNIEnv * env, jobject self, jlong handle, jobject attestationTrustStoreDelegate)
+(JNIEnv * env, jobject self, jlong handle, jobject attestationTrustStoreDelegate, jobject cdTrustKeys)
 {
     chip::DeviceLayer::StackLock lock;
     CHIP_ERROR err                           = CHIP_NO_ERROR;
@@ -544,7 +544,7 @@ JNI_METHOD(void, setAttestationTrustStoreDelegate)
     if (attestationTrustStoreDelegate != nullptr)
     {
         jobject attestationTrustStoreDelegateRef = env->NewGlobalRef(attestationTrustStoreDelegate);
-        err                                      = wrapper->UpdateAttestationTrustStoreBridge(attestationTrustStoreDelegateRef);
+        err = wrapper->UpdateAttestationTrustStoreBridge(attestationTrustStoreDelegateRef, cdTrustKeys);
         SuccessOrExit(err);
     }
 

src/controller/java/src/chip/devicecontroller/ChipDeviceController.java

@@ -19,6 +19,7 @@
 
 import android.bluetooth.BluetoothGatt;
 import android.util.Log;
+import chip.devicecontroller.ChipDeviceController.CompletionListener;
 import chip.devicecontroller.GetConnectedDeviceCallbackJni.GetConnectedDeviceCallback;
 import chip.devicecontroller.model.AttributeWriteRequest;
 import chip.devicecontroller.model.ChipAttributePath;
@@ -117,10 +118,18 @@ public void setDeviceAttestationDelegate(
    * paa certificates before commissioning.
    *
    * @param attestationTrustStoreDelegate Delegate for attestation trust store
+   * @param cdTrustKeys certification Declaration Trust Keys
    */
+  public void setAttestationTrustStoreDelegate(
+      AttestationTrustStoreDelegate attestationTrustStoreDelegate,
+      @Nullable List<byte[]> cdTrustKeys) {
+    setAttestationTrustStoreDelegate(
+        deviceControllerPtr, attestationTrustStoreDelegate, cdTrustKeys);
+  }
+
   public void setAttestationTrustStoreDelegate(
       AttestationTrustStoreDelegate attestationTrustStoreDelegate) {
-    setAttestationTrustStoreDelegate(deviceControllerPtr, attestationTrustStoreDelegate);
+    setAttestationTrustStoreDelegate(deviceControllerPtr, attestationTrustStoreDelegate, null);
   }
 
   /**
@@ -1367,7 +1376,9 @@ private native void setDeviceAttestationDelegate(
       long deviceControllerPtr, int failSafeExpiryTimeoutSecs, DeviceAttestationDelegate delegate);
 
   private native void setAttestationTrustStoreDelegate(
-      long deviceControllerPtr, AttestationTrustStoreDelegate delegate);
+      long deviceControllerPtr,
+      AttestationTrustStoreDelegate delegate,
+      @Nullable List<byte[]> cdTrustKeys);
 
   private native void startOTAProvider(long deviceControllerPtr, OTAProviderDelegate delegate);
 

src/darwin/Framework/CHIP/Matter.h

@@ -19,6 +19,7 @@
 
 #define MTR_INCLUDED_FROM_UMBRELLA_HEADER
 
+#import <Matter/MTRAccessGrant.h>
 #import <Matter/MTRAsyncCallbackWorkQueue.h>
 #import <Matter/MTRBackwardsCompatShims.h>
 #import <Matter/MTRBaseClusters.h>
@@ -45,6 +46,7 @@
 #import <Matter/MTRDeviceControllerParameters.h>
 #import <Matter/MTRDeviceControllerStartupParams.h>
 #import <Matter/MTRDeviceControllerStorageDelegate.h>
+#import <Matter/MTRDeviceTypeRevision.h>
 #import <Matter/MTRDiagnosticLogsType.h>
 #import <Matter/MTRError.h>
 #import <Matter/MTRFabricInfo.h>
@@ -56,6 +58,9 @@
 #import <Matter/MTROnboardingPayloadParser.h>
 #import <Matter/MTROperationalCertificateIssuer.h>
 #import <Matter/MTRQRCodeSetupPayloadParser.h>
+#import <Matter/MTRServerAttribute.h>
+#import <Matter/MTRServerCluster.h>
+#import <Matter/MTRServerEndpoint.h>
 #import <Matter/MTRSetupPayload.h>
 #import <Matter/MTRStorage.h>
 #import <Matter/MTRStructsObjc.h>

src/darwin/Framework/CHIP/ServerEndpoint/MTRAccessGrant.h

@@ -0,0 +1,80 @@
+/**
+ *    Copyright (c) 2024 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#import <Foundation/Foundation.h>
+#import <Matter/MTRBaseClusters.h>
+#import <Matter/MTRDefines.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * An access grant, which can be represented as an entry in the Matter Access
+ * Control cluster.
+ */
+MTR_NEWLY_AVAILABLE
+@interface MTRAccessGrant : NSObject <NSCopying>
+
+- (instancetype)init NS_UNAVAILABLE;
++ (instancetype)new NS_UNAVAILABLE;
+
+/**
+ * Grant access at the provided level to a specific node on the fabric.  The
+ * provided nodeID must be an operational node identifier.
+ */
++ (nullable MTRAccessGrant *)accessGrantForNodeID:(NSNumber *)nodeID privilege:(MTRAccessControlEntryPrivilege)privilege;
+
+/**
+ * Grant access to any node on the fabric that has a matching CASE Authenticated
+ * Tag in its operational certificate.  The provided caseAuthenticatedTag must
+ * be a 32-bit unsigned integer with lower 16 bits not 0, per the Matter
+ * specification.
+ */
++ (nullable MTRAccessGrant *)accessGrantForCASEAuthenticatedTag:(NSNumber *)caseAuthenticatedTag privilege:(MTRAccessControlEntryPrivilege)privilege;
+
+/**
+ * Grant access to any node on the fabric that is communicating with us via
+ * group messages sent to the given group.  The provided groupID must be a valid
+ * group identifier in the range 1-65535.
+ */
++ (nullable MTRAccessGrant *)accessGrantForGroupID:(NSNumber *)groupID privilege:(MTRAccessControlEntryPrivilege)privilege;
+
+/**
+ * Grant access to any node on the fabric, as long as it's communicating with us
+ * over a unicast authenticated channel.
+ */
++ (MTRAccessGrant *)accessGrantForAllNodesWithPrivilege:(MTRAccessControlEntryPrivilege)privilege;
+
+/**
+ * The matter access control subject ID that access has been granted for.  Nil
+ * when access has been granted for all subjects (e.g. via initForAllNodesWithPrivilege).
+ */
+@property (nonatomic, copy, readonly, nullable) NSNumber * subjectID;
+
+/**
+ * The privilege that has been granted
+ */
+@property (nonatomic, assign, readonly) MTRAccessControlEntryPrivilege grantedPrivilege;
+
+/**
+ * The type of authentication mode the access grant is
+ * for. MTRAccessControlEntryAuthModeCASE for unicast messages and
+ * MTRAccessControlEntryAuthModeGroup for groupcast ones.
+ */
+@property (nonatomic, assign, readonly) MTRAccessControlEntryAuthMode authenticationMode;
+
+@end
+
+NS_ASSUME_NONNULL_END