leosac / access-control

Leosac Access Control - Open Source Physical Access Control System

Home Page: https://leosac.com

License: GNU Affero General Public License v3.0

Shell 1.68% CMake 10.55% Makefile 0.03% Python 5.39% C++ 82.35%

access-control's People

Contributors

burner, gitter-badger, knight-of-ni, liryna, maxhy, mqje, ryp, tagno25, xaqq

access-control's Issues

Add ControlMode on AccessPoints

Current implementation only supports one control mode: it opens a door for a few seconds if the AuthRequest is authorized. An abstraction level should be added and the end user should be able to configure a list of control modes according to days / hours / . For instance:

  • Always Open
  • Always Close
  • Default AuthRequests behavior
  • Keep Open on first AuthRequest success, Close on second.
  • ...

Master / Slave Leosac units

Current Leosac units are autonomous. We should be able to chain units as slaves and manage them only on a master unit. Communication should use web services #13.

Improve LED / Buzzer behavior

Current LED / Buzzer behavior only works as #4. Generally speaking, we should manage LED1 (green), LED2 (red) and Buzzer if these devices are defined in the door configuration. There is currently no support for LED2 if defined, and we should improve user feedback (unauthorized access should blink LEDs and buzz error, ...)

Access Profile, User and Cards

Implement base code to handle "Access Profile". A profile
holds the base configuration information about whether or not a user
will be granted access.
The profile controls which days / hours the user has access. It also
controls what door the user has access to.

A user can have multiple access cards, but only one access profile.
An access card maps to a user. The user's profile is then used to
grant or deny access.
Temporary access cards also exist. Those map directly to an access profile.

A group can map to an access profile.
A user can be part of a group. If the user has a specific access
profile, his group profile shall be ignored.

This looks like this:

             Profile <------ user <------ cards
                       <------ temporary cards.
                       <------ group <----- user

This is related to authentication modules: mapping will vary (LDAP
backend to map user to group, SQL backend that holds access profile
info, group membership, etc).

The control code should be reusable once the proper access profile,
group, user, and cards are correctly mapped.
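
The mapping described in this issue, as an added C++ example (not Leosac code): a card resolves to a profile through its user, a temporary card resolves directly, and a user's own profile takes precedence over the group's. The Profile, User and Directory types, the single hour window per profile and the day numbering are assumptions made for the illustration.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>
// Hypothetical types for this illustration; not Leosac's own classes.
struct Profile {
    std::set<std::string> doors;  // doors this profile may open
    std::set<int> days;           // 0 = Monday ... 6 = Sunday
    int from, to;                 // allowed hours, half-open [from, to)
};
struct User { std::string profile, group; };  // "" means none
struct Directory {
    std::map<std::string, Profile> profiles;
    std::map<std::string, User> users;
    std::map<std::string, std::string> group_profile, cards, temp_cards;
};

// Returns nullptr (deny) when any link of the chain is missing.
const Profile *resolve(const Directory &d, const std::string &card) {
    std::string name;
    auto t = d.temp_cards.find(card);
    auto c = d.cards.find(card);
    if (t != d.temp_cards.end()) {
        name = t->second;                      // temporary card -> profile
    } else if (c != d.cards.end()) {
        auto u = d.users.find(c->second);      // card -> user
        if (u == d.users.end()) return nullptr;
        auto g = d.group_profile.find(u->second.group);
        if (!u->second.profile.empty()) name = u->second.profile;  // own wins
        else if (g != d.group_profile.end()) name = g->second;     // group
    }
    if (name.empty()) return nullptr;          // unknown card or no profile
    auto p = d.profiles.find(name);
    return p == d.profiles.end() ? nullptr : &p->second;
}

bool grant(const Directory &d, const std::string &card,
           const std::string &door, int day, int hour) {
    const Profile *p = resolve(d, card);
    return p && p->doors.count(door) && p->days.count(day) &&
           hour >= p->from && hour < p->to;
}

int main() {  // constructed data: temporary card T1 on a weekday profile
    Directory d;
    d.profiles["staff"] = Profile{{"front"}, {0, 1, 2, 3, 4}, 8, 18};
    d.temp_cards["T1"] = "staff";
    std::printf("T1, front, Wed 09h: %d\n", grant(d, "T1", "front", 2, 9));
}
```

Every missing link (unknown card, card pointing at a deleted user, group without a profile) ends in a denial rather than a default grant.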

Complete Wiegand Module

Wiegand module supports high and low GPIO pins.

  1. Module code needs to accept LED and buzzer devices too as part of a Wiegand device.
  2. Need to define and implement specific Wiegand commands (that will most likely map to buzzer/LED commands)

This requires #38 to be completed.

Add REST web service

Leosac system should be accessible through a REST web service for all features and configurations. Need a proper ws authentication system and https communication support (certificates must be configurable).

sysfsgpio ON with timer

The ON command with a timer is not implemented in sysfsgpio and will simply ignore the timer silently.

Wiegand Pin Code

Some Wiegand readers support PIN code. The way the code is sent (using
wiegand protocol) may vary. We need to support this.

PIN Code handling may also vary. It can be coupled to the card ID, be
"installation specific" (for a raspi),

Rpleth: send_cards get_cards

We need to support @Liryna changes to rpleth:

  • Being able to receive a list of (valid) cards.
  • Keeping a list of all cards that were granted access.
  • Sending the list of cards that weren't registered by the module.

Use case: this is to manage students' absence / presence.

Remote Configuration

Related to #13, a remote configuration infrastructure must be in
place. One shall be able to edit the configuration of any device from
a single place. In case the configuration change has impact over
multiple devices, propagation shall take place automatically.

In other words, we need device discovery and a way to replicate /
dispatch configuration.

rpleth: crash if invalid card number

Assertion triggered in /home/pi/leosac/leosac/src/modules/rpleth/RplethModule.cpp:316. This happens if the Wiegand reader reads garbage (only 2 bits for example).

This is due to card number conversion that fails because the input is invalid.
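
One way to reject a garbage read before any card number conversion, as an added example that is not Leosac's rpleth code. It assumes the reader emits standard 26-bit Wiegand frames (the issue does not say which format is in use) and that bits arrive as a string of '0'/'1' characters; decode_wiegand26 and the Decode enum are hypothetical names.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

enum class Decode { Ok, BadLength, BadSymbol, BadParity };

// Assumed layout: even parity bit, 8-bit facility code, 16-bit card number,
// odd parity bit. Outputs are written only when the frame is valid, so a
// bad read is reported to the caller instead of tripping an assertion.
Decode decode_wiegand26(const std::string &bits, uint8_t &facility,
                        uint16_t &card) {
    if (bits.size() != 26) return Decode::BadLength;   // e.g. a 2-bit glitch
    int ones_first = 0, ones_second = 0;
    uint32_t value = 0;
    for (size_t i = 0; i < 26; ++i) {
        if (bits[i] != '0' && bits[i] != '1') return Decode::BadSymbol;
        int b = bits[i] - '0';
        (i < 13 ? ones_first : ones_second) += b;
        value = (value << 1) | static_cast<uint32_t>(b);
    }
    // Leading bit makes bits 0..12 even; trailing bit makes bits 13..25 odd.
    if (ones_first % 2 != 0 || ones_second % 2 != 1) return Decode::BadParity;
    facility = static_cast<uint8_t>((value >> 17) & 0xFF);
    card = static_cast<uint16_t>((value >> 1) & 0xFFFF);
    return Decode::Ok;
}

int main() {  // constructed frames: one valid, one 2-bit glitch
    uint8_t fc = 0;
    uint16_t id = 0;
    Decode r = decode_wiegand26("00001001000110100010101100", fc, id);
    std::printf("valid=%d facility=%u card=%u\n", r == Decode::Ok, fc, id);
    std::printf("glitch rejected=%d\n",
                decode_wiegand26("10", fc, id) == Decode::BadLength);
}
```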

Buzzer support

Add proper buzzer module with predefined "song".

It'll be very similar to LED module.

Deduplications in modules

Current zmq branch has a lot of code duplication inside modules.

Need to define an abstract base class for modules that would work as an "implementation helper".

Web UI frontend

Leosac should be configurable through a web interface. This interface is ideally independent from Leosac itself (but can run embedded into a Leosac unit, ideally the master) and should only consume web services #13. That means a full HTML5 / JavaScript frontend without any server-side module should be good enough and much more flexible.

Support Rpleth network configuration commands

Rpleth protocol has network reconfiguration commands.
We should support these commands (GetDhcpState / SetDhcpState / SetReaderIp / SetReaderMac / SetReaderSubnet / SetReaderGateway / SetReaderPort / ResetReader) to avoid ssh connection for network reconfiguration.

Activity Monitor

We need to re-introduce the activity monitor in order to provide
general "health check" or "status report" in a visual way to the end
user.
For example, led could be controlled to tell if there is any network
activity, or to tell whether or not we are properly connected with
some devices.

Create an advanced Authentication module

Current Authentication module is too simple. A new auth module should be created with support of the following features:

  • Users: firstname, lastname, email, enabled, optional groups, optional schedules, optional validity start, optional validity end
  • Groups: name, optional schedules
  • Schedules: name, days, hours
  • Cards: name, cardid, enabled, user, optional schedules, optional validity start, optional validity end

We should also support holidays and 3*8 organization.

Logging cleanup

New logging library seems very good (spdlog). Current logging macros use spdlog's std::cout sink.

  • Need to clean up code that helps setup previous logging code.
  • Need to customize spdlog backend so we can log to syslog.

Rpleth

Rpleth either streams all read cards or bulk sends them via a special command

Improve message passing spec

Need to spec message passing between "auth source module" (such as Module::Wiegand) and other parts of the system.

Need a formal, well-defined spec that will be implementable by other "auth source" modules.

This should probably be documented in a special doxygen page. Not "inline" documentation.

GCC 4.8.1 warnings

[ 19%] Building CXX object src/CMakeFiles/leosac_lib.dir/core/moduleprotocol/moduleprotocol.cpp.o
In file included from /home/linaro/leosac/src/core/moduleprotocol/imoduleprotocol.hpp:12:0,
                 from /home/linaro/leosac/src/core/icore.hpp:13,
                 from /home/linaro/leosac/src/modules/imodule.hpp:11,
                 from /home/linaro/leosac/src/core/moduleprotocol/moduleprotocol.hpp:19,
                 from /home/linaro/leosac/src/core/moduleprotocol/moduleprotocol.cpp:7:
/home/linaro/leosac/src/core/moduleprotocol/authrequest.hpp: In instantiation of 'constexpr std::pair<_T1, _T2>::pair(_U1&&, _U2&&) [with _U1 = long unsigned int&; _U2 = AuthRequest&; <template-parameter-2-3> = void; _T1 = const long unsigned int; _T2 = AuthRequest]':
/usr/include/c++/4.8/bits/stl_tree.h:140:49:   required from 'std::_Rb_tree_node<_Val>::_Rb_tree_node(_Args&& ...) [with _Args = {long unsigned int&, AuthRequest&}; _Val = std::pair<const long unsigned int, AuthRequest>]'
/usr/include/c++/4.8/ext/new_allocator.h:120:4:   required from 'void __gnu_cxx::new_allocator<_Tp>::construct(_Up*, _Args&& ...) [with _Up = std::_Rb_tree_node<std::pair<const long unsigned int, AuthRequest> >; _Args = {long unsigned int&, AuthRequest&}; _Tp = std::_Rb_tree_node<std::pair<const long unsigned int, AuthRequest> >]'
/usr/include/c++/4.8/bits/alloc_traits.h:254:4:   required from 'static typename std::enable_if<std::allocator_traits<_Alloc>::__construct_helper<_Tp, _Args>::value, void>::type std::allocator_traits<_Alloc>::_S_construct(_Alloc&, _Tp*, _Args&& ...) [with _Tp = std::_Rb_tree_node<std::pair<const long unsigned int, AuthRequest> >; _Args = {long unsigned int&, AuthRequest&}; _Alloc = std::allocator<std::_Rb_tree_node<std::pair<const long unsigned int, AuthRequest> > >; typename std::enable_if<std::allocator_traits<_Alloc>::__construct_helper<_Tp, _Args>::value, void>::type = void]'
/usr/include/c++/4.8/bits/alloc_traits.h:393:57:   required from 'static decltype (_S_construct(__a, __p, (forward<_Args>)(std::allocator_traits::construct::__args)...)) std::allocator_traits<_Alloc>::construct(_Alloc&, _Tp*, _Args&& ...) [with _Tp = std::_Rb_tree_node<std::pair<const long unsigned int, AuthRequest> >; _Args = {long unsigned int&, AuthRequest&}; _Alloc = std::allocator<std::_Rb_tree_node<std::pair<const long unsigned int, AuthRequest> > >; decltype (_S_construct(__a, __p, (forward<_Args>)(std::allocator_traits::construct::__args)...)) = <type error>]'
/usr/include/c++/4.8/bits/stl_tree.h:408:36:   required from 'std::_Rb_tree_node<_Val>* std::_Rb_tree<_Key, _Val, _KeyOfValue, _Compare, _Alloc>::_M_create_node(_Args&& ...) [with _Args = {long unsigned int&, AuthRequest&}; _Key = long unsigned int; _Val = std::pair<const long unsigned int, AuthRequest>; _KeyOfValue = std::_Select1st<std::pair<const long unsigned int, AuthRequest> >; _Compare = std::less<long unsigned int>; _Alloc = std::allocator<std::pair<const long unsigned int, AuthRequest> >; std::_Rb_tree<_Key, _Val, _KeyOfValue, _Compare, _Alloc>::_Link_type = std::_Rb_tree_node<std::pair<const long unsigned int, AuthRequest> >*]'
/usr/include/c++/4.8/bits/stl_tree.h:1619:64:   required from 'std::pair<std::_Rb_tree_iterator<_Val>, bool> std::_Rb_tree<_Key, _Val, _KeyOfValue, _Compare, _Alloc>::_M_emplace_unique(_Args&& ...) [with _Args = {long unsigned int&, AuthRequest&}; _Key = long unsigned int; _Val = std::pair<const long unsigned int, AuthRequest>; _KeyOfValue = std::_Select1st<std::pair<const long unsigned int, AuthRequest> >; _Compare = std::less<long unsigned int>; _Alloc = std::allocator<std::pair<const long unsigned int, AuthRequest> >]'
/usr/include/c++/4.8/bits/stl_map.h:541:64:   required from 'std::pair<typename std::_Rb_tree<_Key, std::pair<const _Key, _Tp>, std::_Select1st<std::pair<const _Key, _Tp> >, _Compare, typename _Alloc::rebind<std::pair<const _Key, _Tp> >::other>::iterator, bool> std::map<_Key, _Tp, _Compare, _Alloc>::emplace(_Args&& ...) [with _Args = {long unsigned int&, AuthRequest&}; _Key = long unsigned int; _Tp = AuthRequest; _Compare = std::less<long unsigned int>; _Alloc = std::allocator<std::pair<const long unsigned int, AuthRequest> >; typename std::_Rb_tree<_Key, std::pair<const _Key, _Tp>, std::_Select1st<std::pair<const _Key, _Tp> >, _Compare, typename _Alloc::rebind<std::pair<const _Key, _Tp> >::other>::iterator = std::_Rb_tree_iterator<std::pair<const long unsigned int, AuthRequest> >]'
/home/linaro/leosac/src/core/moduleprotocol/moduleprotocol.cpp:73:43:   required from here
/home/linaro/leosac/src/core/moduleprotocol/authrequest.hpp:32:5: warning: unused parameter 'other' [-Wunused-parameter]
In file included from /usr/include/c++/4.8/bits/stl_algobase.h:64:0,
                 from /usr/include/c++/4.8/bits/stl_tree.h:61,
                 from /usr/include/c++/4.8/map:60,
                 from /home/linaro/leosac/src/core/moduleprotocol/moduleprotocol.hpp:12,
                 from /home/linaro/leosac/src/core/moduleprotocol/moduleprotocol.cpp:7:
/usr/include/c++/4.8/bits/stl_pair.h:145:64: note: synthesized method 'AuthRequest::AuthRequest(const AuthRequest&)' first required here

Warning coming from gcc default generated method

Wiegand Module: byte order

Wiegand readers can read data in both byte orders.
It is currently not possible to switch between those two in the module.

An option should be added to allow this. It should be a per-reader option.

Piface Digital GPIO write delayed

When using raspberry_pifacedigital as platform's name, this triggers the use of another GPIOProvider implementation.

This implementation must use 1 thread to perform read() / write() and wait() on GPIO pins (because it uses SPI bus).

Currently, writing to a GPIO is delayed. All writes are queued and performed when the wait_for_input function returns (it waits for an interrupt on the Piface). So the delay is something between 0 and timeout (currently 200) ms.

Network code

UnixSocket::send does not properly check send() return value. It could return less than expected but still more than 0.
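
A send loop that handles the short-write case described in this issue, as an added example rather than Leosac's UnixSocket code. send_all and roundtrip are hypothetical names; the socketpair and forked reader are a constructed check that uses a non-blocking socket so that send() can accept only part of the buffer at a time.

```cpp
#include <cerrno>
#include <fcntl.h>
#include <poll.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <vector>
// Hypothetical helper, not Leosac's UnixSocket::send: deliver exactly len
// bytes or return false. A short write means "loop", never "done".
bool send_all(int fd, const char *p, size_t len) {
    while (len > 0) {
        ssize_t n = ::send(fd, p, len, MSG_NOSIGNAL);
        if (n < 0 && errno == EINTR) continue;            // interrupted: retry
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            pollfd pfd = {fd, POLLOUT, 0};                // wait for buffer room
            if (::poll(&pfd, 1, 5000) <= 0) return false; // timeout or error
            continue;
        }
        if (n < 0) return false;                          // hard error
        p += n;                                           // n may be < len
        len -= static_cast<size_t>(n);
    }
    return true;
}

// Constructed check: push `total` bytes through a non-blocking AF_UNIX
// socket to a forked reader; return the byte count the reader reports.
size_t roundtrip(size_t total) {
    int sv[2];
    if (::socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    pid_t pid = ::fork();
    if (pid == 0) {                                       // child: the reader
        ::close(sv[0]);
        char buf[4096]; size_t got = 0; ssize_t n;
        while ((n = ::read(sv[1], buf, sizeof buf)) > 0) got += n;
        ::_exit(::write(sv[1], &got, sizeof got) > 0 ? 0 : 1);
    }
    ::close(sv[1]);
    ::fcntl(sv[0], F_SETFL, O_NONBLOCK);                  // allow short writes
    std::vector<char> data(total, 'x');
    bool ok = send_all(sv[0], data.data(), total);
    ::shutdown(sv[0], SHUT_WR);                           // EOF for the reader
    ::fcntl(sv[0], F_SETFL, 0);                           // blocking for reply
    size_t got = 0;
    if (::read(sv[0], &got, sizeof got) <= 0) got = 0;
    ::close(sv[0]); ::waitpid(pid, nullptr, 0);
    return ok ? got : 0;
}

int main() { return roundtrip(1 << 20) == (1u << 20) ? 0 : 1; }
```

MSG_NOSIGNAL turns a closed peer into an EPIPE return value instead of a SIGPIPE that would kill the daemon.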

Make all gpio pin configurable

Add support for storing:

  • Direction (in or out)
  • Edge mode for Raspberry Pi
  • ActiveLow status
  • Value, if direction is out

Path management

Needs a better way to handle paths:

  • Path to factory config file.
  • Path to network management script.

Currently it doesn't work well with leosac started as a system daemon. stable-fix has those hardcoded, develop needs something better. See becbfd2

Completing sysfsgpio support

Since the architecture change we mostly used PiFaceDigital and its GPIO support.
GPIO through sysfs is partially implemented for the new architecture.

Need to finish this.
