Committed by
Jonathan Hart
ONOS-4774, ONOS-4775, ONOS-4776 + some minor fixes
Change-Id: I0d3438f36f0ce9ce0152d295d6f2d749d7f13bed
Showing
7 changed files
with
82 additions
and
55 deletions
... | @@ -109,14 +109,12 @@ public class ReviewCommand extends AbstractShellCommand { | ... | @@ -109,14 +109,12 @@ public class ReviewCommand extends AbstractShellCommand { |
109 | print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | 109 | print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); |
110 | } | 110 | } |
111 | break; | 111 | break; |
112 | - case 4: | 112 | + default: |
113 | - for (Permission perm: assortedMap.get(4)) { | 113 | + for (Permission perm: assortedMap.get(type)) { |
114 | print("\t[Other] " + perm.getClass().getSimpleName() + | 114 | print("\t[Other] " + perm.getClass().getSimpleName() + |
115 | - " " + perm.getName() + " (" + perm.getActions() + ")"); | 115 | + " " + perm.getName() + " (" + perm.getActions() + ")"); |
116 | } | 116 | } |
117 | break; | 117 | break; |
118 | - default: | ||
119 | - break; | ||
120 | } | 118 | } |
121 | } | 119 | } |
122 | } | 120 | } | ... | ... |
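Review bot: The new `default:` branch iterates `assortedMap.get(type)` for every type without an explicit case, so if `type` can ever be a key the map does not hold, the for-each dereferences a null list where the old `default: break;` was safe; a guard such as `List<Permission> others = assortedMap.get(type); if (others == null) { break; }` keeps that safety. It also prints every unhandled bucket under the single `[Other]` label, so if the critical-permission bucket (index 6 in the new getPrintablePermissionMap) has no case of its own above this hunk, a reviewer cannot tell RuntimePermission/FilePermission/SocketPermission requests from miscellaneous ones; a separate `case 6:` printing `"\t[CRITICAL] "` would make the review output useful for its purpose. The enclosing switch and method start outside the hunk.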
... | @@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission { | ... | @@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission { |
82 | TUNNEL_WRITE, | 82 | TUNNEL_WRITE, |
83 | TUNNEL_EVENT, | 83 | TUNNEL_EVENT, |
84 | UI_READ, | 84 | UI_READ, |
85 | - UI_WRITE | 85 | + UI_WRITE, |
86 | + ADMIN | ||
86 | } | 87 | } |
87 | 88 | ||
88 | protected Type type; | 89 | protected Type type; | ... | ... |
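Review bot: `ADMIN` is added to `Type` without any comment, and unlike the other values it is not scoped to a service and verb (`UI_WRITE`, `TUNNEL_EVENT`), so nothing on this page says which operations an app requesting it obtains. A one-line Javadoc on the constant, e.g. `/** Blanket administrative permission; see SecurityModeManager for how it is categorised. */`, would let reviewers of application permission lists judge it. The enum and class declaration lie outside the hunk.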
1 | /* | 1 | /* |
2 | - * Copyright 2015 Open Networking Laboratory | 2 | + * Copyright 2015-present Open Networking Laboratory |
3 | * | 3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); | 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | * you may not use this file except in compliance with the License. | 5 | * you may not use this file except in compliance with the License. |
... | @@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener; | ... | @@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener; |
38 | import org.onosproject.security.store.SecurityModeStore; | 38 | import org.onosproject.security.store.SecurityModeStore; |
39 | import org.onosproject.security.store.SecurityModeStoreDelegate; | 39 | import org.onosproject.security.store.SecurityModeStoreDelegate; |
40 | import org.osgi.framework.BundleContext; | 40 | import org.osgi.framework.BundleContext; |
41 | +import org.osgi.framework.FrameworkEvent; | ||
41 | import org.osgi.framework.FrameworkUtil; | 42 | import org.osgi.framework.FrameworkUtil; |
42 | import org.osgi.framework.ServicePermission; | 43 | import org.osgi.framework.ServicePermission; |
43 | -import org.osgi.service.log.LogEntry; | 44 | +import org.osgi.framework.FrameworkListener; |
44 | -import org.osgi.service.log.LogListener; | ||
45 | -import org.osgi.service.log.LogReaderService; | ||
46 | import org.osgi.service.permissionadmin.PermissionInfo; | 45 | import org.osgi.service.permissionadmin.PermissionInfo; |
47 | 46 | ||
47 | +import java.io.FilePermission; | ||
48 | +import java.lang.reflect.ReflectPermission; | ||
49 | +import java.net.SocketPermission; | ||
48 | import java.security.AccessControlException; | 50 | import java.security.AccessControlException; |
49 | import java.security.Permission; | 51 | import java.security.Permission; |
52 | +import java.security.SecurityPermission; | ||
50 | import java.util.ArrayList; | 53 | import java.util.ArrayList; |
51 | import java.util.List; | 54 | import java.util.List; |
52 | import java.util.Map; | 55 | import java.util.Map; |
... | @@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService { |
76 | protected ApplicationAdminService appAdminService; | 79 | protected ApplicationAdminService appAdminService; |
77 | 80 | ||
78 | @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) | 81 | @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) |
79 | - protected LogReaderService logReaderService; | ||
80 | - | ||
81 | - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) | ||
82 | protected EventDeliveryService eventDispatcher; | 82 | protected EventDeliveryService eventDispatcher; |
83 | 83 | ||
84 | private final Logger log = getLogger(getClass()); | 84 | private final Logger log = getLogger(getClass()); |
... | @@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService { |
88 | 88 | ||
89 | private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); | 89 | private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); |
90 | 90 | ||
91 | - private SecurityLogListener securityLogListener = new SecurityLogListener(); | 91 | + private SecurityEventListener securityEventListener = new SecurityEventListener(); |
92 | 92 | ||
93 | private PermissionAdmin permissionAdmin = getPermissionAdmin(); | 93 | private PermissionAdmin permissionAdmin = getPermissionAdmin(); |
94 | 94 | ||
... | @@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService { |
96 | public void activate() { | 96 | public void activate() { |
97 | 97 | ||
98 | eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); | 98 | eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); |
99 | - logReaderService.addLogListener(securityLogListener); | 99 | + getBundleContext().addFrameworkListener(new SecurityEventListener()); |
100 | 100 | ||
101 | if (System.getSecurityManager() == null) { | 101 | if (System.getSecurityManager() == null) { |
102 | log.warn("J2EE security manager is disabled."); | 102 | log.warn("J2EE security manager is disabled."); |
... | @@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService { |
116 | @Deactivate | 116 | @Deactivate |
117 | public void deactivate() { | 117 | public void deactivate() { |
118 | eventDispatcher.removeSink(SecurityModeEvent.class); | 118 | eventDispatcher.removeSink(SecurityModeEvent.class); |
119 | - logReaderService.removeLogListener(securityLogListener); | 119 | + getBundleContext().removeFrameworkListener(securityEventListener); |
120 | store.unsetDelegate(delegate); | 120 | store.unsetDelegate(delegate); |
121 | log.info("Stopped"); | 121 | log.info("Stopped"); |
122 | 122 | ||
... | @@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService { |
169 | DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); | 169 | DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); |
170 | } | 170 | } |
171 | 171 | ||
172 | - private class SecurityLogListener implements LogListener { | 172 | + private class SecurityEventListener implements FrameworkListener { |
173 | @Override | 173 | @Override |
174 | - public void logged(LogEntry entry) { | 174 | + public void frameworkEvent(FrameworkEvent event) { |
175 | - if (entry.getException() != null && | 175 | + if (event.getType() != FrameworkEvent.ERROR) { |
176 | - entry.getException() instanceof AccessControlException) { | 176 | + return; |
177 | - String location = entry.getBundle().getLocation(); | 177 | + } |
178 | - Permission javaPerm = | 178 | + Throwable throwable = event.getThrowable(); |
179 | - ((AccessControlException) entry.getException()).getPermission(); | 179 | + if (throwable == null || !(throwable instanceof AccessControlException)) { |
180 | - org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm); | 180 | + return; |
181 | - if (permission == null) { | ||
182 | - log.warn("Unsupported permission requested."); | ||
183 | - return; | ||
184 | - } | ||
185 | - store.getApplicationIds(location).stream().filter( | ||
186 | - appId -> store.isSecured(appId) && | ||
187 | - appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> { | ||
188 | - store.requestPermission(appId, permission); | ||
189 | - print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ", | ||
190 | - appId.name(), location, permission.toString()); | ||
191 | - }); | ||
192 | } | 181 | } |
182 | + String bundleLocation = event.getBundle().getLocation(); | ||
183 | + Permission nativePerm = ((AccessControlException) throwable).getPermission(); | ||
184 | + org.onosproject.security.Permission onosPerm = DefaultPolicyBuilder.getOnosPermission(nativePerm); | ||
185 | + | ||
186 | + if (onosPerm == null) { | ||
187 | + log.warn("Unsupported permission requested: " + nativePerm.toString()); | ||
188 | + return; | ||
189 | + } | ||
190 | + | ||
191 | + store.getApplicationIds(bundleLocation).stream().filter( | ||
192 | + appId -> store.isSecured(appId) && | ||
193 | + appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> { | ||
194 | + store.requestPermission(appId, onosPerm); | ||
195 | + print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ", | ||
196 | + appId.name(), bundleLocation, onosPerm.toString()); | ||
197 | + }); | ||
193 | } | 198 | } |
194 | } | 199 | } |
195 | 200 | ||
... | @@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService { |
213 | * 0 - APP_PERM | 218 | * 0 - APP_PERM |
214 | * 1 - ADMIN SERVICE | 219 | * 1 - ADMIN SERVICE |
215 | * 2 - NB_SERVICE | 220 | * 2 - NB_SERVICE |
216 | - * 3 - ETC_SERVICE | 221 | + * 3 - SB_SERVICE |
217 | - * 4 - ETC | 222 | + * 4 - CLI_SERVICE |
223 | + * 5 - ETC_SERVICE | ||
224 | + * 6 - CRITICAL PERMISSIONS | ||
225 | + * 7 - ETC | ||
218 | * @param perms | 226 | * @param perms |
219 | */ | 227 | */ |
220 | - private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) { | 228 | + private Map<Integer, List<Permission>> getPrintablePermissionMap(Set<Permission> perms) { |
221 | ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>(); | 229 | ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>(); |
222 | sortedMap.put(0, new ArrayList()); | 230 | sortedMap.put(0, new ArrayList()); |
223 | sortedMap.put(1, new ArrayList()); | 231 | sortedMap.put(1, new ArrayList()); |
224 | sortedMap.put(2, new ArrayList()); | 232 | sortedMap.put(2, new ArrayList()); |
225 | sortedMap.put(3, new ArrayList()); | 233 | sortedMap.put(3, new ArrayList()); |
226 | sortedMap.put(4, new ArrayList()); | 234 | sortedMap.put(4, new ArrayList()); |
235 | + sortedMap.put(5, new ArrayList()); | ||
236 | + sortedMap.put(6, new ArrayList()); | ||
237 | + sortedMap.put(7, new ArrayList()); | ||
238 | + | ||
227 | for (Permission perm : perms) { | 239 | for (Permission perm : perms) { |
228 | - if (perm instanceof ServicePermission) { | 240 | + if (perm instanceof AppPermission) { |
229 | - if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) { | 241 | + sortedMap.get(0).add(perm); |
230 | - if (perm.getName().contains("Admin")) { | 242 | + } else if (perm instanceof ServicePermission) { |
243 | + String permName = perm.getName().trim(); | ||
244 | + if (DefaultPolicyBuilder.getNBServiceList().contains(permName)) { // ONOS NB SERVICES | ||
245 | + if (permName.contains("Admin")) { | ||
231 | sortedMap.get(1).add(perm); | 246 | sortedMap.get(1).add(perm); |
232 | } else { | 247 | } else { |
233 | sortedMap.get(2).add(perm); | 248 | sortedMap.get(2).add(perm); |
234 | } | 249 | } |
235 | - } else { | 250 | + } else if (permName.contains("org.onosproject") && permName.contains("Provider")) { //ONOS SB SERVICES |
236 | sortedMap.get(3).add(perm); | 251 | sortedMap.get(3).add(perm); |
252 | + } else if (DefaultPolicyBuilder.getCliServiceList().contains(permName)) { //CLI SERVICES | ||
253 | + sortedMap.get(4).add(perm); | ||
254 | + } else if (permName.contains("Security")) { //CRITICAL SERVICES | ||
255 | + sortedMap.get(6).add(perm); | ||
256 | + } else { | ||
257 | + sortedMap.get(5).add(perm); | ||
237 | } | 258 | } |
238 | - } else if (perm instanceof AppPermission) { | 259 | + } else if (perm instanceof RuntimePermission || perm instanceof SocketPermission || |
239 | - sortedMap.get(0).add(perm); | 260 | + perm instanceof FilePermission || perm instanceof SecurityPermission || |
261 | + perm instanceof ReflectPermission) { // CRITICAL PERMISSIONS | ||
262 | + sortedMap.get(6).add(perm); | ||
240 | } else { | 263 | } else { |
241 | - sortedMap.get(4).add(perm); | 264 | + boolean isDefault = false; |
265 | + for (Permission dPerm : DefaultPolicyBuilder.getDefaultPerms()) { | ||
266 | + if (perm.implies(dPerm)) { | ||
267 | + isDefault = true; | ||
268 | + break; | ||
269 | + } | ||
270 | + } | ||
271 | + if (!isDefault) { | ||
272 | + sortedMap.get(7).add(perm); | ||
273 | + } | ||
242 | } | 274 | } |
243 | } | 275 | } |
244 | return sortedMap; | 276 | return sortedMap; |
... | @@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService { |
261 | 293 | ||
262 | 294 | ||
263 | 295 | ||
264 | - private List<Permission> getMaximumPermissions(ApplicationId appId) { | 296 | + private Set<Permission> getMaximumPermissions(ApplicationId appId) { |
265 | Application app = appAdminService.getApplication(appId); | 297 | Application app = appAdminService.getApplication(appId); |
266 | if (app == null) { | 298 | if (app == null) { |
267 | print("Unknown application."); | 299 | print("Unknown application."); |
268 | return null; | 300 | return null; |
269 | } | 301 | } |
270 | - List<Permission> appPerms; | 302 | + Set<Permission> appPerms; |
271 | switch (app.role()) { | 303 | switch (app.role()) { |
272 | case ADMIN: | 304 | case ADMIN: |
273 | appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); | 305 | appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); |
... | @@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService { |
300 | 332 | ||
301 | } | 333 | } |
302 | 334 | ||
303 | - | ||
304 | } | 335 | } |
... | \ No newline at end of file | ... | \ No newline at end of file | ... | ... |
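Review bot: `activate()` registers a brand-new `new SecurityEventListener()` with the bundle context while `deactivate()` removes the `securityEventListener` field, so the listener added on activation is never unregistered and keeps handling framework events (and calling `store.requestPermission`) after the component stops; activation should register the same instance, `getBundleContext().addFrameworkListener(securityEventListener);`. In `getPrintablePermissionMap` the default-permission test `if (perm.implies(dPerm))` looks reversed: a requested permission broad enough to imply one of the default permissions is exactly the one a reviewer needs to see, yet it is what gets dropped from bucket 7, whereas "already covered by the default policy" would be `dPerm.implies(perm)` — confirm which is intended. The null test in `throwable == null || !(throwable instanceof AccessControlException)` is redundant, since `instanceof` is false for null. The same method still creates the buckets with raw `new ArrayList()`; `new ArrayList<>()` removes the unchecked warnings.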
1 | /* | 1 | /* |
2 | - * Copyright 2015 Open Networking Laboratory | 2 | + * Copyright 2015-present Open Networking Laboratory |
3 | * | 3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); | 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | * you may not use this file except in compliance with the License. | 5 | * you may not use this file except in compliance with the License. |
... | @@ -88,13 +88,10 @@ public class DistributedSecurityModeStore | ... | @@ -88,13 +88,10 @@ public class DistributedSecurityModeStore |
88 | .register(KryoNamespaces.API) | 88 | .register(KryoNamespaces.API) |
89 | .register(SecurityModeState.class) | 89 | .register(SecurityModeState.class) |
90 | .register(SecurityInfo.class) | 90 | .register(SecurityInfo.class) |
91 | - .register(Permission.class) | ||
92 | .build()); | 91 | .build()); |
93 | 92 | ||
94 | private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() | 93 | private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() |
95 | - .register(KryoNamespaces.API) | 94 | + .register(KryoNamespaces.API); |
96 | - .register(Permission.class); | ||
97 | - | ||
98 | @Activate | 95 | @Activate |
99 | public void activate() { | 96 | public void activate() { |
100 | states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder() | 97 | states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder() | ... | ... |
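Review bot: Dropping `.register(Permission.class)` from both serializers is only safe if no `org.onosproject.security.Permission` instance is still written to the maps built from them, and the `store.requestPermission` / `getRequestedPermissions` calls in SecurityModeManager on this page suggest they are; if `KryoNamespaces.API` does not already register that class and the namespace requires registration, the first violation write fails at runtime rather than at compile time. Confirm the registration is covered by `KryoNamespaces.API`, or add a comment on `VIOLATION_SERIALIZER` such as `// Permission is registered via KryoNamespaces.API` stating where it comes from. The store's other field declarations lie outside the hunk.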
... | @@ -110,7 +110,7 @@ function enable_security_mode() { | ... | @@ -110,7 +110,7 @@ function enable_security_mode() { |
110 | 110 | ||
111 | mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 | 111 | mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 |
112 | cp $FELIX_CFG_ADMIN $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 | 112 | cp $FELIX_CFG_ADMIN $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 |
113 | - perl -pi.old -e "s|org.apache.felix.configadmin/1.8.0|org.apache.felix.configadmin/1.6.0|g" \ | 113 | + perl -pi.old -e "s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|" \ |
114 | $ONOS_STAGE/$KARAF_DIST/etc/startup.properties | 114 | $ONOS_STAGE/$KARAF_DIST/etc/startup.properties |
115 | 115 | ||
116 | # SM-ONOS step 2: stage ONOS Felix framework security (this is already done by karaf assembly); end | 116 | # SM-ONOS step 2: stage ONOS Felix framework security (this is already done by karaf assembly); end | ... | ... |
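Review bot: The new substitution `s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|` rewrites every line of startup.properties that mentions configadmin, including any commented-out one, to the same start-level-10 entry, and the capture group it defines is never used; the dots are also unescaped, so they match any character. Anchoring and escaping the pattern, `s|^.*org\\.apache\\.felix\\.configadmin.*$|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|`, keeps the intent while matching only the bundle name. The identical line appears in the second script section below (the `if [ "$SECURE" = "true" ]` block) and needs the same treatment. The enclosing `enable_security_mode` function starts and ends outside the hunk.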
... | @@ -105,7 +105,7 @@ if [ "$SECURE" = "true" ]; then | ... | @@ -105,7 +105,7 @@ if [ "$SECURE" = "true" ]; then |
105 | 105 | ||
106 | mkdir -p $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 | 106 | mkdir -p $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 |
107 | cp $FELIX_CFG_ADMIN $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 | 107 | cp $FELIX_CFG_ADMIN $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 |
108 | - perl -pi.old -e "s|org.apache.felix.configadmin/1.8.0|org.apache.felix.configadmin/1.6.0|g" \ | 108 | + perl -pi.old -e "s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|" \ |
109 | $KARAF_ROOT/etc/startup.properties | 109 | $KARAF_ROOT/etc/startup.properties |
110 | 110 | ||
111 | # SM-ONOS step 2: stage ONOS Felix framework security (will get downloaded on demand); end | 111 | # SM-ONOS step 2: stage ONOS Felix framework security (will get downloaded on demand); end | ... | ... |