#638 require pocket testing enabled rather than HMAC for alarm testing

Mikayla Fischler
2025-11-02 15:09:45 -05:00
parent cc9d5fe2d6
commit 802ef149c5
2 changed files with 11 additions and 22 deletions


@@ -39,7 +39,8 @@ local PERIODICS = {
---@param sessions svsessions_list list of computer sessions, read-only
---@param facility facility facility data table
---@param fp_ok boolean if the front panel UI is running
function pocket.new_session(id, s_addr, i_seq_num, in_queue, out_queue, timeout, sessions, facility, fp_ok)
---@param allow_test boolean if this should allow pocket testing commands
function pocket.new_session(id, s_addr, i_seq_num, in_queue, out_queue, timeout, sessions, facility, fp_ok, allow_test)
-- print a log message to the terminal as long as the UI isn't running
local function println(message) if not fp_ok then util.println_ts(message) end end
@@ -143,7 +144,7 @@ function pocket.new_session(id, s_addr, i_seq_num, in_queue, out_queue, timeout,
local valid = false
-- attempt to set a tone state
if pkt.scada_frame.is_authenticated() then
if allow_test then
if pkt.length == 2 then
if type(pkt.data[1]) == "number" and type(pkt.data[2]) == "boolean" then
valid = true
@@ -151,22 +152,16 @@ function pocket.new_session(id, s_addr, i_seq_num, in_queue, out_queue, timeout,
-- try to set tone states, then send back if testing is allowed
local allow_testing, test_tone_states = facility.diag_set_test_tone(pkt.data[1], pkt.data[2])
_send_mgmt(MGMT_TYPE.DIAG_TONE_SET, { allow_testing, test_tone_states })
else
log.debug(log_tag .. "SCADA diag tone set packet data type mismatch")
end
else
log.debug(log_tag .. "SCADA diag tone set packet length mismatch")
end
else
log.debug(log_tag .. "DIAG_TONE_SET is blocked without HMAC for security")
end
else log.debug(log_tag .. "SCADA diag tone set packet data type mismatch") end
else log.debug(log_tag .. "SCADA diag tone set packet length mismatch") end
else log.warning(log_tag .. "DIAG_TONE_SET is blocked without pocket test commands enabled") end
if not valid then _send_mgmt(MGMT_TYPE.DIAG_TONE_SET, { false }) end
elseif pkt.type == MGMT_TYPE.DIAG_ALARM_SET then
local valid = false
-- attempt to set an alarm state
if pkt.scada_frame.is_authenticated() then
if allow_test then
if pkt.length == 2 then
if type(pkt.data[1]) == "number" and type(pkt.data[2]) == "boolean" then
valid = true
@@ -174,15 +169,9 @@ function pocket.new_session(id, s_addr, i_seq_num, in_queue, out_queue, timeout,
-- try to set alarm states, then send back if testing is allowed
local allow_testing, test_alarm_states = facility.diag_set_test_alarm(pkt.data[1], pkt.data[2])
_send_mgmt(MGMT_TYPE.DIAG_ALARM_SET, { allow_testing, test_alarm_states })
else
log.debug(log_tag .. "SCADA diag alarm set packet data type mismatch")
end
else
log.debug(log_tag .. "SCADA diag alarm set packet length mismatch")
end
else
log.debug(log_tag .. "DIAG_ALARM_SET is blocked without HMAC for security")
end
else log.debug(log_tag .. "SCADA diag alarm set packet data type mismatch") end
else log.debug(log_tag .. "SCADA diag alarm set packet length mismatch") end
else log.warning(log_tag .. "DIAG_ALARM_SET is blocked without pocket test commands enabled") end
if not valid then _send_mgmt(MGMT_TYPE.DIAG_ALARM_SET, { false }) end
elseif pkt.type == MGMT_TYPE.INFO_LIST_CMP then
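Review bot: With `allow_test` replacing `pkt.scada_frame.is_authenticated()` in both the DIAG_TONE_SET and DIAG_ALARM_SET branches, these handlers no longer look at the frame's authentication state at all, so the only gate on setting test tones and alarms is a supervisor config flag. Whether unauthenticated frames are already dropped before they reach this handler when a key is configured is not visible in these hunks; if they are not, enabling pocket testing opens both commands to any peer that holds a pocket session. I would say so on the new parameter, e.g. `---@param allow_test boolean if this should allow pocket testing commands (not gated on HMAC; enable only on trusted networks)`, and keep an audit trail for commands accepted on unauthenticated frames, e.g. `if not pkt.scada_frame.is_authenticated() then log.warning(log_tag .. "DIAG_TONE_SET accepted without HMAC") end` with the matching line in the alarm branch. The body of pocket.new_session starts and ends outside these hunks.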


@@ -623,7 +623,7 @@ function svsessions.establish_pdg_session(nic, source_addr, i_seq_num, version)
local id = self.next_ids.pdg
pdg_s.instance = pocket.new_session(id, source_addr, i_seq_num, pdg_s.in_queue, pdg_s.out_queue, self.config.PKT_Timeout, self.sessions, self.facility, self.fp_ok)
pdg_s.instance = pocket.new_session(id, source_addr, i_seq_num, pdg_s.in_queue, pdg_s.out_queue, self.config.PKT_Timeout, self.sessions, self.facility, self.fp_ok, self.config.PocketTest)
table.insert(self.sessions.pdg, pdg_s)
local mt = {
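Review bot: `self.config.PocketTest` is passed straight through as `allow_test`, and the callee tests it with a bare `if allow_test then`, so any value other than `nil` or `false` enables the test commands; in Lua that includes `0`, `""` and the string `"false"`. Config validation may already guarantee a boolean, but that is not visible here. Passing `self.config.PocketTest == true` at this call site would make the gate fail closed on a malformed or hand-edited config. The body of establish_pdg_session continues outside the hunk.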