UIC-3222: Better handling of rejection of credential due to security rules

silabs-borisl · rzr · commit 58e310e8aa7f · 2025-10-13T17:39:47.000+02:00
Works both when adding a credential and modifying it
diff --git a/applications/zpc/components/zwave_command_classes/src/zwave_command_class_user_credential.cpp b/applications/zpc/components/zwave_command_classes/src/zwave_command_class_user_credential.cpp
@@ -601,17 +601,41 @@ sl_status_t zwave_command_class_user_credential_credential_handle_report(
 
     // Helper function to clean up pending credentials slot nodes
     auto clean_up_pending_credentials_slot_nodes = [&]() {
-      auto nodes = get_credential_identifier_nodes(
-        endpoint_node,
-        {user_id, REPORTED_ATTRIBUTE},
-        {credential_type, DESIRED_OR_REPORTED_ATTRIBUTE},
-        {credential_slot, DESIRED_ATTRIBUTE});
-
-      nodes.slot_node.delete_node();
-      sl_log_debug(LOG_TAG, "Cleaning temporary credential slot node : %d (credential type %d, user %d)",
-                   credential_slot,
-                   credential_type,
-                   user_id);
+      try {
+        auto nodes = get_credential_identifier_nodes(
+          endpoint_node,
+          {user_id, REPORTED_ATTRIBUTE},
+          {credential_type, DESIRED_OR_REPORTED_ATTRIBUTE},
+          {credential_slot, DESIRED_ATTRIBUTE});
+
+        nodes.slot_node.delete_node();
+        sl_log_debug(LOG_TAG,
+                     "Cleaning temporary credential slot node : %d (credential "
+                     "type %d, user %d)",
+                     credential_slot,
+                     credential_type,
+                     user_id);
+      } catch (const std::exception &e) {
+        // Try again with reported attribute
+        // That should not trigger an error, but if it does it means that something went wrong
+        auto nodes = get_credential_identifier_nodes(
+          endpoint_node,
+          {user_id, REPORTED_ATTRIBUTE},
+          {credential_type, DESIRED_OR_REPORTED_ATTRIBUTE},
+          {credential_slot, REPORTED_ATTRIBUTE});
+
+        sl_log_debug(
+          LOG_TAG,
+          "Cleaning desired values of credential slot node : %d (credential "
+          "type %d, user %d)",
+          credential_slot,
+          credential_type,
+          user_id);
+
+        for (auto child: nodes.slot_node.children()) {
+          child.clear_desired();
+        }
+      }
     };
 
     // We should have a valid user id if we receive this report
diff --git a/applications/zpc/components/zwave_command_classes/test/zwave_command_class_user_credential_test.cpp b/applications/zpc/components/zwave_command_classes/test/zwave_command_class_user_credential_test.cpp
@@ -2550,11 +2550,56 @@ void test_user_credential_credential_set_error_report_cred_duplicate_happy_case(
   helper_test_credential_rejected_case(0x07);
 }
 
-void test_user_credential_credential_set_error_report_cred_security_rule_happy_case()
+void test_user_credential_credential_set_error_report_cred_security_rule_add_happy_case()
 {
   helper_test_credential_rejected_case(0x08);
 }
 
+void test_user_credential_credential_set_error_report_cred_security_rule_modify_happy_case()
+{
+  user_credential_user_unique_id_t user_id = 12;
+  user_credential_type_t credential_type   = 1;
+  user_credential_slot_t credential_slot   = 1;
+  uint8_t crb                              = 1;
+  auto credential_data                     = string_to_uint8_vector("1212");
+
+  auto valid_user_node
+    = cpp_endpoint_id_node.emplace_node(ATTRIBUTE(USER_UNIQUE_ID), user_id);
+  auto valid_cred_type_node
+    = valid_user_node.emplace_node(ATTRIBUTE(CREDENTIAL_TYPE), credential_type);
+  auto valid_cred_slot_node
+    = valid_cred_type_node.emplace_node(ATTRIBUTE(CREDENTIAL_SLOT),
+                                        credential_slot,
+                                        REPORTED_ATTRIBUTE);
+
+  auto crb_node
+    = valid_cred_slot_node.emplace_node(ATTRIBUTE(CREDENTIAL_READ_BACK),
+                                        crb,
+                                        DESIRED_ATTRIBUTE);
+  auto credential_data_node
+    = valid_cred_slot_node.emplace_node(ATTRIBUTE(CREDENTIAL_DATA),
+                                        credential_data,
+                                        DESIRED_ATTRIBUTE);
+
+  helper_simulate_credential_report_frame(0x08,
+                                          user_id,
+                                          credential_type,
+                                          credential_slot,
+                                          crb,
+                                          credential_data,
+                                          0,
+                                          2,
+                                          0,
+                                          0);
+
+  // Check if the rejected report has cleared all desired values
+  TEST_ASSERT_FALSE_MESSAGE(crb_node.desired_exists(),
+                            "CRB desired value should NOT exist");
+
+  TEST_ASSERT_FALSE_MESSAGE(credential_data_node.desired_exists(),
+                            "Credential data desired value should NOT exist");
+}
+
 void test_user_credential_remove_all_users_happy_case()
 {
   helper_set_version(1);
