[#19807] Restrict lock operation for disabled users (door lock)

project-chip · Jul 28, 2022 · 3976706 · 3976706
1 parent 6920183
commit 3976706
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 8 deletions.
diff --git a/src/app/clusters/door-lock-server/door-lock-server.cpp b/src/app/clusters/door-lock-server/door-lock-server.cpp
@@ -230,7 +230,7 @@ bool DoorLockServer::GetNumberOfHolidaySchedulesSupported(chip::EndpointId endpo
 
 bool DoorLockServer::SendLockAlarmEvent(chip::EndpointId endpointId, DlAlarmCode alarmCode)
 {
-    Events::DoorLockAlarm::Type event { alarmCode };
+    Events::DoorLockAlarm::Type event{ alarmCode };
     SendEvent(endpointId, event);
 
     return true;
@@ -1585,7 +1585,8 @@ bool DoorLockServer::findUserIndexByCredential(chip::EndpointId endpointId, DlCr
 }
 
 bool DoorLockServer::findUserIndexByCredential(chip::EndpointId endpointId, DlCredentialType credentialType,
-                                               chip::ByteSpan credentialData, uint16_t & userIndex, uint16_t & credentialIndex)
+                                               chip::ByteSpan credentialData, uint16_t & userIndex, uint16_t & credentialIndex,
+                                               EmberAfPluginDoorLockUserInfo & userInfo)
 {
     uint16_t maxNumberOfUsers = 0;
     VerifyOrReturnError(GetAttribute(endpointId, Attributes::NumberOfTotalUsersSupported::Id,
@@ -1641,6 +1642,7 @@ bool DoorLockServer::findUserIndexByCredential(chip::EndpointId endpointId, DlCr
             {
                 userIndex       = i;
                 credentialIndex = i;
+                userInfo        = user;
                 return true;
             }
         }
@@ -3144,7 +3146,16 @@ bool DoorLockServer::HandleRemoteLockOperation(chip::app::CommandHandler * comma
                          chip::to_underlying(opType)));
 
         // Look up the user index and credential index -- it should be used in the Lock Operation event
-        findUserIndexByCredential(endpoint, DlCredentialType::kPin, pinCode.Value(), pinUserIdx, pinCredIdx);
+        EmberAfPluginDoorLockUserInfo user;
+        findUserIndexByCredential(endpoint, DlCredentialType::kPin, pinCode.Value(), pinUserIdx, pinCredIdx, user);
+
+        // If the user status is OccupiedDisabled we should deny the access and send out the appropriate event
+        VerifyOrExit(user.userStatus != DlUserStatus::kOccupiedDisabled, {
+            reason = DlOperationError::kDisabledUserDenied;
+            emberAfDoorLockClusterPrintln(
+                "Unable to perform remote lock operation: user is disabled [endpoint=%d, lock_op=%d, userIndex=%d]", endpoint,
+                to_underlying(opType), pinUserIdx);
+        });
 
         // [EM]: I don't think we should prevent door lock/unlocking if we couldn't find credential associated with user. I
         // think if the app thinks that PIN is correct the door should be unlocked.

diff --git a/src/app/clusters/door-lock-server/door-lock-server.h b/src/app/clusters/door-lock-server/door-lock-server.h
@@ -196,7 +196,7 @@ class DoorLockServer
                                    uint16_t & userIndex);
 
     bool findUserIndexByCredential(chip::EndpointId endpointId, DlCredentialType credentialType, chip::ByteSpan credentialData,
-                                   uint16_t & userIndex, uint16_t & credentialIndex);
+                                   uint16_t & userIndex, uint16_t & credentialIndex, EmberAfPluginDoorLockUserInfo & userInfo);
 
     EmberAfStatus createUser(chip::EndpointId endpointId, chip::FabricIndex creatorFabricIdx, chip::NodeId sourceNodeId,
                              uint16_t userIndex, const Nullable<chip::CharSpan> & userName, const Nullable<uint32_t> & userUniqueId,

diff --git a/src/app/tests/suites/DL_LockUnlock.yaml b/src/app/tests/suites/DL_LockUnlock.yaml
@@ -146,17 +146,104 @@ tests:
       response:
           error: FAILURE
 
-    # Clean-up
     - label: "Set OperatingMode to Normal"
       command: "writeAttribute"
       attribute: "OperatingMode"
       arguments:
           value: 0
 
-    - label: "Clean the created credential"
-      command: "ClearCredential"
+    - label: "Create a disabled user and credential"
+      command: "SetCredential"
       timedInteractionTimeoutMs: 10000
       arguments:
           values:
+              - name: "operationType"
+                value: 0
               - name: "credential"
-                value: { CredentialType: 1, CredentialIndex: 1 }
+                value: { CredentialType: 1, CredentialIndex: 2 }
+              - name: "credentialData"
+                value: "654321"
+              - name: "userIndex"
+                value: null
+              - name: "userStatus"
+                value: 3
+              - name: "userType"
+                value: null
+      response:
+          values:
+              - name: "status"
+                value: 0x00
+              - name: "userIndex"
+                value: 2
+              - name: "nextCredentialIndex"
+                value: 3
+
+    - label: "Try to unlock the door with disabled user PIN"
+      command: "UnlockDoor"
+      timedInteractionTimeoutMs: 10000
+      arguments:
+          values:
+              - name: "pinCode"
+                value: "654321"
+      response:
+          error: FAILURE
+
+    - label: "Verify that lock state attribute value is set to Locked"
+      command: "readAttribute"
+      attribute: "LockState"
+      response:
+          value: 1
+
+    - label: "Unlock the door with enabled user PIN"
+      command: "UnlockDoor"
+      timedInteractionTimeoutMs: 10000
+      arguments:
+          values:
+              - name: "pinCode"
+                value: "123456"
+
+    - label: "Verify that lock state attribute value is set to Unlocked"
+      command: "readAttribute"
+      attribute: "LockState"
+      response:
+          value: 2
+
+    - label: "Try to lock the door with disabled user PIN"
+      command: "LockDoor"
+      timedInteractionTimeoutMs: 10000
+      arguments:
+          values:
+              - name: "pinCode"
+                value: "654321"
+      response:
+          error: FAILURE
+
+    - label: "Verify that lock state attribute value stays Unlocked"
+      command: "readAttribute"
+      attribute: "LockState"
+      response:
+          value: 2
+
+    - label: "Lock the door with enabled user PIN"
+      command: "LockDoor"
+      timedInteractionTimeoutMs: 10000
+      arguments:
+          values:
+              - name: "pinCode"
+                value: "123456"
+
+    - label: "Verify that lock state attribute value is set to Locked"
+      command: "readAttribute"
+      attribute: "LockState"
+      response:
+          value: 1
+
+    # Clean-up
+
+    - label: "Clean all the users and credentials"
+      command: "ClearUser"
+      timedInteractionTimeoutMs: 10000
+      arguments:
+          values:
+              - name: "userIndex"
+                value: 0xFFFE