Add custom privileges for opcreds cluster (#16590)

One attribute and most commands require administer privilege.
(This cluster has no events.)

Commissioning chip-all-clusters-app via chip-tool on Linux results
in the following commands and their required privilege:

GeneralCommissioning/ArmFailSafe --> 0x30 0x0 --> operate
GeneralCommissioning/SetRegulatoryConfig --> 0x30 0x2 --> operate
OperationalCredentials/CertificateChainRequest --> 0x3e 0x2 --> administer
OperationalCredentials/CertificateChainRequest --> 0x3e 0x2 --> administer
OperationalCredentials/AttestationRequest --> 0x3e 0x0 --> administer
OperationalCredentials/CSRRequest --> 0x3e 0x4 --> administer
OperationalCredentials/AddTrustedRootCertificate --> 0x3e 0xb --> administer
OperationalCredentials/AddNOC --> 0x3e 0x6 --> administer
GeneralCommissioning/CommissioningComplete --> 0x30 0x4 --> operate

The last is satisfied over CASE (via the AddNOC installed ACL) and the
others before it are satisfied by implicit administer privilege over
PASE during commissioning.

Author: mlepage-google

src/app/zap-templates/zcl/data-model/chip/operational-credentials-cluster.xml

@@ -55,7 +55,10 @@ limitations under the License.
     <define>OPERATIONAL_CREDENTIALS_CLUSTER</define>
     <description>This cluster is used to add or remove Operational Credentials on a Commissionee or Node, as well as manage the associated Fabrics.</description>
 
-    <attribute side="server" code="0x0000" define="NOCS" type="ARRAY" entryType="NOCStruct" writable="false" optional="false">NOCs</attribute>
+    <attribute side="server" code="0x0000" define="NOCS" type="ARRAY" entryType="NOCStruct" writable="false" optional="false">
+      <description>NOCs</description>
+      <access op="read" privilege="administer"/>
+    </attribute>
     <attribute side="server" code="0x0001" define="FABRICS" type="ARRAY" entryType="FabricDescriptor" writable="false" optional="false">Fabrics</attribute>
     <attribute side="server" code="0x0002" define="SUPPORTED_FABRICS" type="INT8U" writable="false" optional="false">SupportedFabrics</attribute>
     <attribute side="server" code="0x0003" define="COMMISSIONED_FABRICS" type="INT8U" writable="false" optional="false">CommissionedFabrics</attribute>
@@ -65,6 +68,7 @@ limitations under the License.
     <command source="client" code="0x00" name="AttestationRequest" response="AttestationResponse" optional="false">
       <description>Sender is requesting attestation information from the receiver.</description>
       <arg name="AttestationNonce" type="OCTET_STRING"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
     <command source="server" code="0x01" name="AttestationResponse" optional="false">
@@ -76,6 +80,7 @@ limitations under the License.
     <command source="client" code="0x02" name="CertificateChainRequest" response="CertificateChainResponse" optional="false">
       <description>Sender is requesting a device attestation certificate from the receiver.</description>
       <arg name="CertificateType" type="INT8U"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
     <command source="server" code="0x03" name="CertificateChainResponse" optional="false">
@@ -86,6 +91,7 @@ limitations under the License.
     <command source="client" code="0x04" name="CSRRequest" response="CSRResponse" optional="false">
       <description>Sender is requesting a certificate signing request (CSR) from the receiver.</description>
       <arg name="CSRNonce" type="OCTET_STRING"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
     <!-- TODO: Fix to match chip-spec:#3346 -->
@@ -102,12 +108,14 @@ limitations under the License.
       <arg name="IPKValue" type="OCTET_STRING"/>
       <arg name="CaseAdminNode" type="NODE_ID"/>
       <arg name="AdminVendorId" type="INT16U"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
     <command source="client" code="0x07" name="UpdateNOC" response="NOCResponse" optional="false">
       <description>Sender is requesting to update the node operational certificates.</description>
       <arg name="NOCValue" type="OCTET_STRING"/>
       <arg name="ICACValue" type="OCTET_STRING" optional="true"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
     <command source="server" code="0x08" name="NOCResponse" optional="false">
@@ -120,21 +128,25 @@ limitations under the License.
     <command source="client" code="0x09" name="UpdateFabricLabel" response="NOCResponse" optional="false">
       <description>This command SHALL be used by an Administrative Node to set the user-visible Label field for a given Fabric, as reflected by entries in the Fabrics attribute.</description>
       <arg name="Label" type="CHAR_STRING" length="32"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
     <command source="client" code="0x0a" name="RemoveFabric" response="NOCResponse" optional="false">
       <description>This command is used by Administrative Nodes to remove a given fabric index and delete all associated fabric-scoped data.</description>
       <arg name="FabricIndex" type="fabric_idx"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
     <command source="client" code="0x0b" name="AddTrustedRootCertificate" optional="false">
       <description>This command SHALL add a Trusted Root CA Certificate, provided as its CHIP Certificate representation.</description>
       <arg name="RootCertificate" type="OCTET_STRING"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
     <command source="client" code="0x0c" name="RemoveTrustedRootCertificate" optional="false">
       <description>This command SHALL remove a Trusted Root CA Certificate, provided as its CHIP Certificate representation.</description>
       <arg name="TrustedRootIdentifier" type="OCTET_STRING"/>
+      <access op="invoke" privilege="administer"/>
     </command>
 
   </cluster>