홍길동 / onos

Go to a project
Toggle navigation Toggle navigation pinning
Changhoon Yoon
Committed by Jonathan Hart
2a62ef0a 1 parent 4dc99209

ONOS-4774, ONOS-4775, ONOS-4776 + some minor fixes 

Change-Id: I0d3438f36f0ce9ce0152d295d6f2d749d7f13bed
Inline Side-by-side
Showing 7 changed files with 145 additions and 91 deletions
...@@ -109,14 +109,12 @@ public class ReviewCommand extends AbstractShellCommand { ...@@ -109,14 +109,12 @@ public class ReviewCommand extends AbstractShellCommand {
109 print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); 109 print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
110 } 110 }
111 break; 111 break;
112 - case 4: 112 + default:
113 - for (Permission perm: assortedMap.get(4)) { 113 + for (Permission perm: assortedMap.get(type)) {
114 print("\t[Other] " + perm.getClass().getSimpleName() + 114 print("\t[Other] " + perm.getClass().getSimpleName() +
115 " " + perm.getName() + " (" + perm.getActions() + ")"); 115 " " + perm.getName() + " (" + perm.getActions() + ")");
116 } 116 }
117 break; 117 break;
118 - default:
119 - break;
120 } 118 }
121 } 119 }
122 } 120 }
......
...@@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission { ...@@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission {
82 TUNNEL_WRITE, 82 TUNNEL_WRITE,
83 TUNNEL_EVENT, 83 TUNNEL_EVENT,
84 UI_READ, 84 UI_READ,
85 - UI_WRITE 85 + UI_WRITE,
86 + ADMIN
86 } 87 }
87 88
88 protected Type type; 89 protected Type type;
......
1 /* 1 /*
2 - * Copyright 2015 Open Networking Laboratory 2 + * Copyright 2015-present Open Networking Laboratory
3 * 3 *
4 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License. 5 * you may not use this file except in compliance with the License.
...@@ -17,7 +17,6 @@ package org.onosproject.security.impl; ...@@ -17,7 +17,6 @@ package org.onosproject.security.impl;
17 17
18 18
19 import com.google.common.collect.ImmutableSet; 19 import com.google.common.collect.ImmutableSet;
20 -import com.google.common.collect.Lists;
21 import com.google.common.collect.Sets; 20 import com.google.common.collect.Sets;
22 import org.onosproject.cluster.ClusterAdminService; 21 import org.onosproject.cluster.ClusterAdminService;
23 import org.onosproject.cluster.ClusterMetadataService; 22 import org.onosproject.cluster.ClusterMetadataService;
...@@ -33,8 +32,6 @@ import org.onosproject.net.config.NetworkConfigService; ...@@ -33,8 +32,6 @@ import org.onosproject.net.config.NetworkConfigService;
33 import org.onosproject.net.edge.EdgePortService; 32 import org.onosproject.net.edge.EdgePortService;
34 import org.onosproject.net.key.DeviceKeyAdminService; 33 import org.onosproject.net.key.DeviceKeyAdminService;
35 import org.onosproject.net.key.DeviceKeyService; 34 import org.onosproject.net.key.DeviceKeyService;
36 -import org.onosproject.net.newresource.ResourceAdminService;
37 -import org.onosproject.net.newresource.ResourceService;
38 import org.onosproject.net.region.RegionAdminService; 35 import org.onosproject.net.region.RegionAdminService;
39 import org.onosproject.net.region.RegionService; 36 import org.onosproject.net.region.RegionService;
40 import org.onosproject.net.statistic.FlowStatisticService; 37 import org.onosproject.net.statistic.FlowStatisticService;
...@@ -73,7 +70,6 @@ import org.onosproject.store.cluster.messaging.MessagingService; ...@@ -73,7 +70,6 @@ import org.onosproject.store.cluster.messaging.MessagingService;
73 import org.onosproject.store.primitives.PartitionAdminService; 70 import org.onosproject.store.primitives.PartitionAdminService;
74 import org.onosproject.store.primitives.PartitionService; 71 import org.onosproject.store.primitives.PartitionService;
75 import org.onosproject.store.service.LogicalClockService; 72 import org.onosproject.store.service.LogicalClockService;
76 -import org.onosproject.store.service.MutexExecutionService;
77 import org.onosproject.store.service.StorageAdminService; 73 import org.onosproject.store.service.StorageAdminService;
78 import org.onosproject.store.service.StorageService; 74 import org.onosproject.store.service.StorageService;
79 import org.onosproject.ui.UiExtensionService; 75 import org.onosproject.ui.UiExtensionService;
...@@ -84,6 +80,8 @@ import org.osgi.framework.CapabilityPermission; ...@@ -84,6 +80,8 @@ import org.osgi.framework.CapabilityPermission;
84 import org.osgi.framework.BundlePermission; 80 import org.osgi.framework.BundlePermission;
85 import org.osgi.framework.PackagePermission; 81 import org.osgi.framework.PackagePermission;
86 import org.osgi.service.cm.ConfigurationPermission; 82 import org.osgi.service.cm.ConfigurationPermission;
83 +import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
84 +import org.osgi.service.permissionadmin.PermissionAdmin;
87 85
88 import javax.net.ssl.SSLPermission; 86 import javax.net.ssl.SSLPermission;
89 import javax.security.auth.AuthPermission; 87 import javax.security.auth.AuthPermission;
...@@ -97,10 +95,7 @@ import java.net.NetPermission; ...@@ -97,10 +95,7 @@ import java.net.NetPermission;
97 import java.net.SocketPermission; 95 import java.net.SocketPermission;
98 import java.security.Permissions; 96 import java.security.Permissions;
99 import java.sql.SQLPermission; 97 import java.sql.SQLPermission;
100 -import java.util.ArrayList;
101 import java.util.Enumeration; 98 import java.util.Enumeration;
102 -import java.util.HashSet;
103 -import java.util.List;
104 import java.util.PropertyPermission; 99 import java.util.PropertyPermission;
105 import java.util.Set; 100 import java.util.Set;
106 import java.util.concurrent.ConcurrentHashMap; 101 import java.util.concurrent.ConcurrentHashMap;
...@@ -114,24 +109,39 @@ public final class DefaultPolicyBuilder { ...@@ -114,24 +109,39 @@ public final class DefaultPolicyBuilder {
114 protected static ConcurrentHashMap<AppPermission.Type, 109 protected static ConcurrentHashMap<AppPermission.Type,
115 Set<String>> serviceDirectory = getServiceDirectory(); 110 Set<String>> serviceDirectory = getServiceDirectory();
116 111
117 - protected static List<Permission> defaultPermissions = getDefaultPerms(); 112 + protected static Set<Permission> defaultPermissions = getDefaultPerms();
118 - protected static List<Permission> adminServicePermissions = getAdminDefaultPerms(); 113 + protected static Set<Permission> adminServicePermissions = getAdminDefaultPerms();
119 114
120 private DefaultPolicyBuilder(){ 115 private DefaultPolicyBuilder(){
121 } 116 }
122 117
123 - public static List<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) { 118 + public static Set<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) {
124 - List<Permission> perms = Lists.newArrayList(); 119 +
120 + Set<Permission> perms = Sets.newHashSet();
125 perms.addAll(defaultPermissions); 121 perms.addAll(defaultPermissions);
126 perms.addAll(convertToJavaPermissions(permissions)); 122 perms.addAll(convertToJavaPermissions(permissions));
123 + for (Permission perm : perms) {
124 + if (perm instanceof AppPermission && ((AppPermission) perm).getType() == ADMIN) {
125 + perms.remove(perm);
126 + } else if (perm instanceof ServicePermission) {
127 + if (perm.getName().contains(SecurityAdminService.class.getName())) {
128 + perms.remove(perm);
129 + } else if (perm.getName().contains(PermissionAdmin.class.getName())) {
130 + perms.remove(perm);
131 + } else if (perm.getName().contains(ConditionalPermissionAdmin.class.getName())) {
132 + perms.remove(perm);
133 + }
134 + }
135 + }
127 return optimizePermissions(perms); 136 return optimizePermissions(perms);
128 } 137 }
129 138
130 - public static List<Permission> getAdminApplicationPermissions( 139 + public static Set<Permission> getAdminApplicationPermissions(
131 Set<org.onosproject.security.Permission> permissions) { 140 Set<org.onosproject.security.Permission> permissions) {
132 - List<Permission> perms = Lists.newArrayList(); 141 + Set<Permission> perms = Sets.newHashSet();
133 perms.addAll(defaultPermissions); 142 perms.addAll(defaultPermissions);
134 perms.addAll(adminServicePermissions); 143 perms.addAll(adminServicePermissions);
144 + perms.add(new AppPermission(ADMIN));
135 for (AppPermission.Type perm : serviceDirectory.keySet()) { 145 for (AppPermission.Type perm : serviceDirectory.keySet()) {
136 perms.add(new AppPermission(perm)); 146 perms.add(new AppPermission(perm));
137 } 147 }
...@@ -139,8 +149,8 @@ public final class DefaultPolicyBuilder { ...@@ -139,8 +149,8 @@ public final class DefaultPolicyBuilder {
139 return optimizePermissions(perms); 149 return optimizePermissions(perms);
140 } 150 }
141 151
142 - public static List<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) { 152 + public static Set<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) {
143 - List<Permission> result = Lists.newArrayList(); 153 + Set<Permission> result = Sets.newHashSet();
144 for (org.onosproject.security.Permission perm : permissions) { 154 for (org.onosproject.security.Permission perm : permissions) {
145 Permission javaPerm = getPermission(perm); 155 Permission javaPerm = getPermission(perm);
146 if (javaPerm != null) { 156 if (javaPerm != null) {
...@@ -153,6 +163,9 @@ public final class DefaultPolicyBuilder { ...@@ -153,6 +163,9 @@ public final class DefaultPolicyBuilder {
153 result.add(new ServicePermission(service, ServicePermission.GET)); 163 result.add(new ServicePermission(service, ServicePermission.GET));
154 } 164 }
155 } 165 }
166 + if (ap.getType() == CONFIG_WRITE) {
167 + result.addAll(getConfigServicePerms());
168 + }
156 } 169 }
157 } else if (javaPerm instanceof ServicePermission) { 170 } else if (javaPerm instanceof ServicePermission) {
158 if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) { 171 if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) {
...@@ -167,7 +180,7 @@ public final class DefaultPolicyBuilder { ...@@ -167,7 +180,7 @@ public final class DefaultPolicyBuilder {
167 return result; 180 return result;
168 } 181 }
169 182
170 - public static Set<org.onosproject.security.Permission> convertToOnosPermissions(List<Permission> permissions) { 183 + public static Set<org.onosproject.security.Permission> convertToOnosPermissions(Set<Permission> permissions) {
171 Set<org.onosproject.security.Permission> result = Sets.newHashSet(); 184 Set<org.onosproject.security.Permission> result = Sets.newHashSet();
172 for (Permission perm : permissions) { 185 for (Permission perm : permissions) {
173 org.onosproject.security.Permission onosPerm = getOnosPermission(perm); 186 org.onosproject.security.Permission onosPerm = getOnosPermission(perm);
...@@ -178,18 +191,27 @@ public final class DefaultPolicyBuilder { ...@@ -178,18 +191,27 @@ public final class DefaultPolicyBuilder {
178 return result; 191 return result;
179 } 192 }
180 193
181 - public static List<Permission> getDefaultPerms() { 194 + public static Set<Permission> getDefaultPerms() {
182 - List<Permission> permSet = Lists.newArrayList(); 195 + Set<Permission> permSet = Sets.newHashSet();
196 + // slf4j-logging requirement
197 + permSet.add(
198 + new AdaptPermission("(adaptClass=org.osgi.framework.wiring.BundleRevision)", AdaptPermission.ADAPT));
199 + // package-permissions
183 permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY)); 200 permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY));
184 permSet.add(new PackagePermission("*", PackagePermission.IMPORT)); 201 permSet.add(new PackagePermission("*", PackagePermission.IMPORT));
185 - permSet.add(new AdaptPermission("*", AdaptPermission.ADAPT)); 202 + return permSet;
203 + }
204 +
205 +
206 + private static Set<Permission> getConfigServicePerms() {
207 + Set<Permission> permSet = Sets.newHashSet();
208 + permSet.add(new AdminPermission("(name=org.onosproject.onos-core-net)", AdminPermission.METADATA));
186 permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE)); 209 permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE));
187 - permSet.add(new AdminPermission("*", AdminPermission.METADATA));
188 return permSet; 210 return permSet;
189 } 211 }
190 212
191 - private static List<Permission> getAdminDefaultPerms() { 213 + private static Set<Permission> getAdminDefaultPerms() {
192 - List<Permission> permSet = Lists.newArrayList(); 214 + Set<Permission> permSet = Sets.newHashSet();
193 permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET)); 215 permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET));
194 permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET)); 216 permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET));
195 permSet.add(new ServicePermission(LeadershipAdminService.class.getName(), ServicePermission.GET)); 217 permSet.add(new ServicePermission(LeadershipAdminService.class.getName(), ServicePermission.GET));
...@@ -200,11 +222,9 @@ public final class DefaultPolicyBuilder { ...@@ -200,11 +222,9 @@ public final class DefaultPolicyBuilder {
200 permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET)); 222 permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET));
201 permSet.add(new ServicePermission(DeviceKeyAdminService.class.getName(), ServicePermission.GET)); 223 permSet.add(new ServicePermission(DeviceKeyAdminService.class.getName(), ServicePermission.GET));
202 permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET)); 224 permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET));
203 - permSet.add(new ServicePermission(ResourceAdminService.class.getName(), ServicePermission.GET));
204 permSet.add(new ServicePermission(RegionAdminService.class.getName(), ServicePermission.GET)); 225 permSet.add(new ServicePermission(RegionAdminService.class.getName(), ServicePermission.GET));
205 permSet.add(new ServicePermission(PartitionAdminService.class.getName(), ServicePermission.GET)); 226 permSet.add(new ServicePermission(PartitionAdminService.class.getName(), ServicePermission.GET));
206 permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET)); 227 permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET));
207 -
208 permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET)); 228 permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET));
209 permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET)); 229 permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET));
210 permSet.add(new ServicePermission(ClusterMetadataService.class.getName(), ServicePermission.GET)); 230 permSet.add(new ServicePermission(ClusterMetadataService.class.getName(), ServicePermission.GET));
...@@ -233,7 +253,7 @@ public final class DefaultPolicyBuilder { ...@@ -233,7 +253,7 @@ public final class DefaultPolicyBuilder {
233 permSet.add(new ServicePermission(LinkService.class.getName(), ServicePermission.GET)); 253 permSet.add(new ServicePermission(LinkService.class.getName(), ServicePermission.GET));
234 // permSet.add(new ServicePermission(MulticastRouteService.class.getName(), ServicePermission.GET)); 254 // permSet.add(new ServicePermission(MulticastRouteService.class.getName(), ServicePermission.GET));
235 // permSet.add(new ServicePermission(MeterService.class.getName(), ServicePermission.GET)); 255 // permSet.add(new ServicePermission(MeterService.class.getName(), ServicePermission.GET));
236 - permSet.add(new ServicePermission(ResourceService.class.getName(), ServicePermission.GET)); 256 +// permSet.add(new ServicePermission(ResourceService.class.getName(), ServicePermission.GET));
237 permSet.add(new ServicePermission(PacketService.class.getName(), ServicePermission.GET)); 257 permSet.add(new ServicePermission(PacketService.class.getName(), ServicePermission.GET));
238 permSet.add(new ServicePermission(ProxyArpService.class.getName(), ServicePermission.GET)); 258 permSet.add(new ServicePermission(ProxyArpService.class.getName(), ServicePermission.GET));
239 permSet.add(new ServicePermission(RegionService.class.getName(), ServicePermission.GET)); 259 permSet.add(new ServicePermission(RegionService.class.getName(), ServicePermission.GET));
...@@ -248,7 +268,7 @@ public final class DefaultPolicyBuilder { ...@@ -248,7 +268,7 @@ public final class DefaultPolicyBuilder {
248 permSet.add(new ServicePermission(MessagingService.class.getName(), ServicePermission.GET)); 268 permSet.add(new ServicePermission(MessagingService.class.getName(), ServicePermission.GET));
249 permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET)); 269 permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET));
250 permSet.add(new ServicePermission(LogicalClockService.class.getName(), ServicePermission.GET)); 270 permSet.add(new ServicePermission(LogicalClockService.class.getName(), ServicePermission.GET));
251 - permSet.add(new ServicePermission(MutexExecutionService.class.getName(), ServicePermission.GET)); 271 +// permSet.add(new ServicePermission(MutexExecutionService.class.getName(), ServicePermission.GET));
252 permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET)); 272 permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET));
253 permSet.add(new ServicePermission(UiExtensionService.class.getName(), ServicePermission.GET)); 273 permSet.add(new ServicePermission(UiExtensionService.class.getName(), ServicePermission.GET));
254 274
...@@ -256,13 +276,22 @@ public final class DefaultPolicyBuilder { ...@@ -256,13 +276,22 @@ public final class DefaultPolicyBuilder {
256 } 276 }
257 277
258 public static Set<String> getNBServiceList() { 278 public static Set<String> getNBServiceList() {
259 - Set<String> permString = new HashSet<>(); 279 + Set<String> permString = Sets.newHashSet();
260 for (Permission perm : getAdminDefaultPerms()) { 280 for (Permission perm : getAdminDefaultPerms()) {
261 permString.add(perm.getName()); 281 permString.add(perm.getName());
262 } 282 }
263 return permString; 283 return permString;
264 } 284 }
265 285
286 + public static Set<String> getCliServiceList() {
287 + Set<String> permString = Sets.newHashSet();
288 + permString.add("org.apache.felix.service.command.Function");
289 + permString.add("org.apache.karaf.shell.console.CompletableFunction");
290 + permString.add("org.apache.karaf.shell.commands.CommandWithAction");
291 + permString.add("org.osgi.service.blueprint.container.BlueprintContainer");
292 + return permString;
293 + }
294 +
266 private static ConcurrentHashMap<AppPermission.Type, Set<String>> getServiceDirectory() { 295 private static ConcurrentHashMap<AppPermission.Type, Set<String>> getServiceDirectory() {
267 296
268 ConcurrentHashMap<AppPermission.Type, Set<String>> serviceDirectory = new ConcurrentHashMap<>(); 297 ConcurrentHashMap<AppPermission.Type, Set<String>> serviceDirectory = new ConcurrentHashMap<>();
...@@ -360,12 +389,12 @@ public final class DefaultPolicyBuilder { ...@@ -360,12 +389,12 @@ public final class DefaultPolicyBuilder {
360 EventDeliveryService.class.getName())); 389 EventDeliveryService.class.getName()));
361 serviceDirectory.put(EVENT_WRITE, ImmutableSet.of( 390 serviceDirectory.put(EVENT_WRITE, ImmutableSet.of(
362 EventDeliveryService.class.getName())); 391 EventDeliveryService.class.getName()));
363 - serviceDirectory.put(RESOURCE_READ, ImmutableSet.of( 392 +// serviceDirectory.put(RESOURCE_READ, ImmutableSet.of(
364 - ResourceService.class.getName())); 393 +// ResourceService.class.getName()));
365 - serviceDirectory.put(RESOURCE_WRITE, ImmutableSet.of( 394 +// serviceDirectory.put(RESOURCE_WRITE, ImmutableSet.of(
366 - ResourceService.class.getName())); 395 +// ResourceService.class.getName()));
367 - serviceDirectory.put(RESOURCE_EVENT, ImmutableSet.of( 396 +// serviceDirectory.put(RESOURCE_EVENT, ImmutableSet.of(
368 - ResourceService.class.getName())); 397 +// ResourceService.class.getName()));
369 serviceDirectory.put(REGION_READ, ImmutableSet.of( 398 serviceDirectory.put(REGION_READ, ImmutableSet.of(
370 RegionService.class.getName())); 399 RegionService.class.getName()));
371 serviceDirectory.put(PERSISTENCE_WRITE, ImmutableSet.of( 400 serviceDirectory.put(PERSISTENCE_WRITE, ImmutableSet.of(
...@@ -376,8 +405,8 @@ public final class DefaultPolicyBuilder { ...@@ -376,8 +405,8 @@ public final class DefaultPolicyBuilder {
376 PartitionService.class.getName())); 405 PartitionService.class.getName()));
377 serviceDirectory.put(CLOCK_WRITE, ImmutableSet.of( 406 serviceDirectory.put(CLOCK_WRITE, ImmutableSet.of(
378 LogicalClockService.class.getName())); 407 LogicalClockService.class.getName()));
379 - serviceDirectory.put(MUTEX_WRITE, ImmutableSet.of( 408 +// serviceDirectory.put(MUTEX_WRITE, ImmutableSet.of(
380 - MutexExecutionService.class.getName())); 409 +// MutexExecutionService.class.getName()));
381 410
382 return serviceDirectory; 411 return serviceDirectory;
383 } 412 }
...@@ -515,18 +544,16 @@ public final class DefaultPolicyBuilder { ...@@ -515,18 +544,16 @@ public final class DefaultPolicyBuilder {
515 return new ReflectPermission(name, actions); 544 return new ReflectPermission(name, actions);
516 } 545 }
517 546
518 - //AllPermission, SecurityPermission, UnresolvedPermission
519 - //AWTPermission, ReflectPermission not allowed
520 return null; 547 return null;
521 548
522 } 549 }
523 - private static List<Permission> optimizePermissions(List<Permission> perms) { 550 + private static Set<Permission> optimizePermissions(Set<Permission> perms) {
524 Permissions permissions = listToPermissions(perms); 551 Permissions permissions = listToPermissions(perms);
525 return permissionsToList(permissions); 552 return permissionsToList(permissions);
526 } 553 }
527 554
528 - private static List<Permission> permissionsToList(Permissions perms) { 555 + private static Set<Permission> permissionsToList(Permissions perms) {
529 - List<Permission> permissions = new ArrayList<>(); 556 + Set<Permission> permissions = Sets.newHashSet();
530 Enumeration<Permission> e = perms.elements(); 557 Enumeration<Permission> e = perms.elements();
531 while (e.hasMoreElements()) { 558 while (e.hasMoreElements()) {
532 permissions.add(e.nextElement()); 559 permissions.add(e.nextElement());
...@@ -534,7 +561,7 @@ public final class DefaultPolicyBuilder { ...@@ -534,7 +561,7 @@ public final class DefaultPolicyBuilder {
534 return permissions; 561 return permissions;
535 } 562 }
536 563
537 - private static Permissions listToPermissions(List<Permission> perms) { 564 + private static Permissions listToPermissions(Set<Permission> perms) {
538 Permissions permissions = new Permissions(); 565 Permissions permissions = new Permissions();
539 for (Permission perm : perms) { 566 for (Permission perm : perms) {
540 permissions.add(perm); 567 permissions.add(perm);
......
1 /* 1 /*
2 - * Copyright 2015 Open Networking Laboratory 2 + * Copyright 2015-present Open Networking Laboratory
3 * 3 *
4 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License. 5 * you may not use this file except in compliance with the License.
...@@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener; ...@@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener;
38 import org.onosproject.security.store.SecurityModeStore; 38 import org.onosproject.security.store.SecurityModeStore;
39 import org.onosproject.security.store.SecurityModeStoreDelegate; 39 import org.onosproject.security.store.SecurityModeStoreDelegate;
40 import org.osgi.framework.BundleContext; 40 import org.osgi.framework.BundleContext;
41 +import org.osgi.framework.FrameworkEvent;
41 import org.osgi.framework.FrameworkUtil; 42 import org.osgi.framework.FrameworkUtil;
42 import org.osgi.framework.ServicePermission; 43 import org.osgi.framework.ServicePermission;
43 -import org.osgi.service.log.LogEntry; 44 +import org.osgi.framework.FrameworkListener;
44 -import org.osgi.service.log.LogListener;
45 -import org.osgi.service.log.LogReaderService;
46 import org.osgi.service.permissionadmin.PermissionInfo; 45 import org.osgi.service.permissionadmin.PermissionInfo;
47 46
47 +import java.io.FilePermission;
48 +import java.lang.reflect.ReflectPermission;
49 +import java.net.SocketPermission;
48 import java.security.AccessControlException; 50 import java.security.AccessControlException;
49 import java.security.Permission; 51 import java.security.Permission;
52 +import java.security.SecurityPermission;
50 import java.util.ArrayList; 53 import java.util.ArrayList;
51 import java.util.List; 54 import java.util.List;
52 import java.util.Map; 55 import java.util.Map;
...@@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService {
76 protected ApplicationAdminService appAdminService; 79 protected ApplicationAdminService appAdminService;
77 80
78 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) 81 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
79 - protected LogReaderService logReaderService;
80 -
81 - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
82 protected EventDeliveryService eventDispatcher; 82 protected EventDeliveryService eventDispatcher;
83 83
84 private final Logger log = getLogger(getClass()); 84 private final Logger log = getLogger(getClass());
...@@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService {
88 88
89 private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); 89 private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate();
90 90
91 - private SecurityLogListener securityLogListener = new SecurityLogListener(); 91 + private SecurityEventListener securityEventListener = new SecurityEventListener();
92 92
93 private PermissionAdmin permissionAdmin = getPermissionAdmin(); 93 private PermissionAdmin permissionAdmin = getPermissionAdmin();
94 94
...@@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService {
96 public void activate() { 96 public void activate() {
97 97
98 eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); 98 eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry);
99 - logReaderService.addLogListener(securityLogListener); 99 + getBundleContext().addFrameworkListener(new SecurityEventListener());
100 100
101 if (System.getSecurityManager() == null) { 101 if (System.getSecurityManager() == null) {
102 log.warn("J2EE security manager is disabled."); 102 log.warn("J2EE security manager is disabled.");
...@@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService {
116 @Deactivate 116 @Deactivate
117 public void deactivate() { 117 public void deactivate() {
118 eventDispatcher.removeSink(SecurityModeEvent.class); 118 eventDispatcher.removeSink(SecurityModeEvent.class);
119 - logReaderService.removeLogListener(securityLogListener); 119 + getBundleContext().removeFrameworkListener(securityEventListener);
120 store.unsetDelegate(delegate); 120 store.unsetDelegate(delegate);
121 log.info("Stopped"); 121 log.info("Stopped");
122 122
...@@ -169,29 +169,34 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -169,29 +169,34 @@ public class SecurityModeManager implements SecurityAdminService {
169 DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); 169 DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId)));
170 } 170 }
171 171
172 - private class SecurityLogListener implements LogListener { 172 + private class SecurityEventListener implements FrameworkListener {
173 @Override 173 @Override
174 - public void logged(LogEntry entry) { 174 + public void frameworkEvent(FrameworkEvent event) {
175 - if (entry.getException() != null && 175 + if (event.getType() != FrameworkEvent.ERROR) {
176 - entry.getException() instanceof AccessControlException) { 176 + return;
177 - String location = entry.getBundle().getLocation(); 177 + }
178 - Permission javaPerm = 178 + Throwable throwable = event.getThrowable();
179 - ((AccessControlException) entry.getException()).getPermission(); 179 + if (throwable == null || !(throwable instanceof AccessControlException)) {
180 - org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm);
181 - if (permission == null) {
182 - log.warn("Unsupported permission requested.");
183 return; 180 return;
184 } 181 }
185 - store.getApplicationIds(location).stream().filter( 182 + String bundleLocation = event.getBundle().getLocation();
183 + Permission nativePerm = ((AccessControlException) throwable).getPermission();
184 + org.onosproject.security.Permission onosPerm = DefaultPolicyBuilder.getOnosPermission(nativePerm);
185 +
186 + if (onosPerm == null) {
187 + log.warn("Unsupported permission requested: " + nativePerm.toString());
188 + return;
189 + }
190 +
191 + store.getApplicationIds(bundleLocation).stream().filter(
186 appId -> store.isSecured(appId) && 192 appId -> store.isSecured(appId) &&
187 appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> { 193 appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
188 - store.requestPermission(appId, permission); 194 + store.requestPermission(appId, onosPerm);
189 print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ", 195 print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
190 - appId.name(), location, permission.toString()); 196 + appId.name(), bundleLocation, onosPerm.toString());
191 }); 197 });
192 } 198 }
193 } 199 }
194 - }
195 200
196 private class InternalStoreDelegate implements SecurityModeStoreDelegate { 201 private class InternalStoreDelegate implements SecurityModeStoreDelegate {
197 @Override 202 @Override
...@@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService {
213 * 0 - APP_PERM 218 * 0 - APP_PERM
214 * 1 - ADMIN SERVICE 219 * 1 - ADMIN SERVICE
215 * 2 - NB_SERVICE 220 * 2 - NB_SERVICE
216 - * 3 - ETC_SERVICE 221 + * 3 - SB_SERVICE
217 - * 4 - ETC 222 + * 4 - CLI_SERVICE
223 + * 5 - ETC_SERVICE
224 + * 6 - CRITICAL PERMISSIONS
225 + * 7 - ETC
218 * @param perms 226 * @param perms
219 */ 227 */
220 - private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) { 228 + private Map<Integer, List<Permission>> getPrintablePermissionMap(Set<Permission> perms) {
221 ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>(); 229 ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>();
222 sortedMap.put(0, new ArrayList()); 230 sortedMap.put(0, new ArrayList());
223 sortedMap.put(1, new ArrayList()); 231 sortedMap.put(1, new ArrayList());
224 sortedMap.put(2, new ArrayList()); 232 sortedMap.put(2, new ArrayList());
225 sortedMap.put(3, new ArrayList()); 233 sortedMap.put(3, new ArrayList());
226 sortedMap.put(4, new ArrayList()); 234 sortedMap.put(4, new ArrayList());
235 + sortedMap.put(5, new ArrayList());
236 + sortedMap.put(6, new ArrayList());
237 + sortedMap.put(7, new ArrayList());
238 +
227 for (Permission perm : perms) { 239 for (Permission perm : perms) {
228 - if (perm instanceof ServicePermission) { 240 + if (perm instanceof AppPermission) {
229 - if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) { 241 + sortedMap.get(0).add(perm);
230 - if (perm.getName().contains("Admin")) { 242 + } else if (perm instanceof ServicePermission) {
243 + String permName = perm.getName().trim();
244 + if (DefaultPolicyBuilder.getNBServiceList().contains(permName)) { // ONOS NB SERVICES
245 + if (permName.contains("Admin")) {
231 sortedMap.get(1).add(perm); 246 sortedMap.get(1).add(perm);
232 } else { 247 } else {
233 sortedMap.get(2).add(perm); 248 sortedMap.get(2).add(perm);
234 } 249 }
235 - } else { 250 + } else if (permName.contains("org.onosproject") && permName.contains("Provider")) { //ONOS SB SERVICES
236 sortedMap.get(3).add(perm); 251 sortedMap.get(3).add(perm);
252 + } else if (DefaultPolicyBuilder.getCliServiceList().contains(permName)) { //CLI SERVICES
253 + sortedMap.get(4).add(perm);
254 + } else if (permName.contains("Security")) { //CRITICAL SERVICES
255 + sortedMap.get(6).add(perm);
256 + } else {
257 + sortedMap.get(5).add(perm);
237 } 258 }
238 - } else if (perm instanceof AppPermission) { 259 + } else if (perm instanceof RuntimePermission || perm instanceof SocketPermission ||
239 - sortedMap.get(0).add(perm); 260 + perm instanceof FilePermission || perm instanceof SecurityPermission ||
261 + perm instanceof ReflectPermission) { // CRITICAL PERMISSIONS
262 + sortedMap.get(6).add(perm);
240 } else { 263 } else {
241 - sortedMap.get(4).add(perm); 264 + boolean isDefault = false;
265 + for (Permission dPerm : DefaultPolicyBuilder.getDefaultPerms()) {
266 + if (perm.implies(dPerm)) {
267 + isDefault = true;
268 + break;
269 + }
270 + }
271 + if (!isDefault) {
272 + sortedMap.get(7).add(perm);
273 + }
242 } 274 }
243 } 275 }
244 return sortedMap; 276 return sortedMap;
...@@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService {
261 293
262 294
263 295
264 - private List<Permission> getMaximumPermissions(ApplicationId appId) { 296 + private Set<Permission> getMaximumPermissions(ApplicationId appId) {
265 Application app = appAdminService.getApplication(appId); 297 Application app = appAdminService.getApplication(appId);
266 if (app == null) { 298 if (app == null) {
267 print("Unknown application."); 299 print("Unknown application.");
268 return null; 300 return null;
269 } 301 }
270 - List<Permission> appPerms; 302 + Set<Permission> appPerms;
271 switch (app.role()) { 303 switch (app.role()) {
272 case ADMIN: 304 case ADMIN:
273 appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); 305 appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions());
...@@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService {
300 332
301 } 333 }
302 334
303 -
304 } 335 }
...\ No newline at end of file ...\ No newline at end of file
......
1 /* 1 /*
2 - * Copyright 2015 Open Networking Laboratory 2 + * Copyright 2015-present Open Networking Laboratory
3 * 3 *
4 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License. 5 * you may not use this file except in compliance with the License.
...@@ -88,13 +88,10 @@ public class DistributedSecurityModeStore ...@@ -88,13 +88,10 @@ public class DistributedSecurityModeStore
88 .register(KryoNamespaces.API) 88 .register(KryoNamespaces.API)
89 .register(SecurityModeState.class) 89 .register(SecurityModeState.class)
90 .register(SecurityInfo.class) 90 .register(SecurityInfo.class)
91 - .register(Permission.class)
92 .build()); 91 .build());
93 92
94 private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() 93 private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder()
95 - .register(KryoNamespaces.API) 94 + .register(KryoNamespaces.API);
96 - .register(Permission.class);
97 -
98 @Activate 95 @Activate
99 public void activate() { 96 public void activate() {
100 states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder() 97 states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder()
......
...@@ -110,7 +110,7 @@ function enable_security_mode() { ...@@ -110,7 +110,7 @@ function enable_security_mode() {
110 110
111 mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 111 mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0
112 cp $FELIX_CFG_ADMIN $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 112 cp $FELIX_CFG_ADMIN $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0
113 - perl -pi.old -e "s|org.apache.felix.configadmin/1.8.0|org.apache.felix.configadmin/1.6.0|g" \ 113 + perl -pi.old -e "s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|" \
114 $ONOS_STAGE/$KARAF_DIST/etc/startup.properties 114 $ONOS_STAGE/$KARAF_DIST/etc/startup.properties
115 115
116 # SM-ONOS step 2: stage ONOS Felix framework security (this is already done by karaf assembly); end 116 # SM-ONOS step 2: stage ONOS Felix framework security (this is already done by karaf assembly); end
......
...@@ -105,7 +105,7 @@ if [ "$SECURE" = "true" ]; then ...@@ -105,7 +105,7 @@ if [ "$SECURE" = "true" ]; then
105 105
106 mkdir -p $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 106 mkdir -p $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0
107 cp $FELIX_CFG_ADMIN $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 107 cp $FELIX_CFG_ADMIN $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0
108 - perl -pi.old -e "s|org.apache.felix.configadmin/1.8.0|org.apache.felix.configadmin/1.6.0|g" \ 108 + perl -pi.old -e "s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|" \
109 $KARAF_ROOT/etc/startup.properties 109 $KARAF_ROOT/etc/startup.properties
110 110
111 # SM-ONOS step 2: stage ONOS Felix framework security (will get downloaded on demand); end 111 # SM-ONOS step 2: stage ONOS Felix framework security (will get downloaded on demand); end
......