홍길동 / onos

Go to a project
Toggle navigation Toggle navigation pinning
Changhoon Yoon
Committed by Gerrit Code Review
6a306f21 1 parent 1a5491ec

ONOS-4507,ONOS-4774, ONOS-4775, ONOS-4776 + some minor fixes 

Change-Id: I9eaf17b03899074d4b63e01e920fada6797158a0
Inline Side-by-side
Showing 20 changed files with 259 additions and 114 deletions
......@@ -45,6 +45,12 @@ public class ReviewCommand extends AbstractShellCommand {
required = false, multiValued = false)
String accept = null;
public static final String ANSI_RESET = "\u001B[0m";
public static final String ANSI_RED = "\u001B[31m";
public static final String ANSI_GREEN = "\u001B[32m";
public static final String ANSI_YELLOW = "\u001B[33m";
@Override
protected void execute() {
ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
......@@ -86,38 +92,64 @@ public class ReviewCommand extends AbstractShellCommand {
print("");
}
/**
* TYPES.
* 0 - APP_PERM
* 1 - ADMIN SERVICE
* 2 - NB_SERVICE
* 3 - SB_SERVICE
* 4 - CLI_SERVICE
* 5 - ETC_SERVICE
* 6 - CRITICAL PERMISSIONS
* 7 - ETC
**/
private void printMap(Map<Integer, List<Permission>> assortedMap) {
for (Integer type : assortedMap.keySet()) {
switch (type) {
case 0:
for (Permission perm: assortedMap.get(0)) {
print("\t[APP PERMISSION] " + perm.getName());
}
break;
case 1:
for (Permission perm: assortedMap.get(1)) {
print("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 2:
for (Permission perm: assortedMap.get(2)) {
print("\t[NB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 3:
for (Permission perm: assortedMap.get(3)) {
print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 4:
for (Permission perm: assortedMap.get(4)) {
print("\t[Other] " + perm.getClass().getSimpleName() +
" " + perm.getName() + " (" + perm.getActions() + ")");
}
break;
default:
break;
for (Permission perm: assortedMap.get(0)) { // APP PERM
if (perm.getName().contains("WRITE")) {
printYellow("\t[APP PERMISSION] " + perm.getName());
} else {
printGreen("\t[APP PERMISSION] " + perm.getName());
}
}
for (Permission perm: assortedMap.get(4)) {
printGreen("\t[CLI SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
for (Permission perm: assortedMap.get(5)) {
printYellow("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
for (Permission perm: assortedMap.get(7)) {
printYellow("\t[Other] " + perm.getClass().getSimpleName() +
" " + perm.getName() + " (" + perm.getActions() + ")");
}
for (Permission perm: assortedMap.get(1)) { // ADMIN SERVICES
printRed("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
for (Permission perm: assortedMap.get(3)) { // ADMIN SERVICES
printRed("\t[SB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
for (Permission perm: assortedMap.get(6)) { // CRITICAL SERVICES
printRed("\t[CRITICAL PERMISSION] " + perm.getClass().getSimpleName() +
" " + perm.getName() + " (" + perm.getActions() + ")");
}
}
private void printRed(String format, Object... args) {
print(ANSI_RED + String.format(format, args) + ANSI_RESET);
}
private void printYellow(String format, Object... args) {
print(ANSI_YELLOW + String.format(format, args) + ANSI_RESET);
}
private void printGreen(String format, Object... args) {
print(ANSI_GREEN + String.format(format, args) + ANSI_RESET);
}
}
......
......@@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission {
TUNNEL_WRITE,
TUNNEL_EVENT,
UI_READ,
UI_WRITE
UI_WRITE,
ADMIN
}
protected Type type;
......
......@@ -55,6 +55,7 @@ import static org.onosproject.app.ApplicationEvent.Type.APP_DEACTIVATED;
import static org.onosproject.app.ApplicationEvent.Type.APP_INSTALLED;
import static org.onosproject.app.ApplicationEvent.Type.APP_UNINSTALLED;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.onosproject.security.AppPermission.Type.APP_READ;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -151,6 +152,7 @@ public class ApplicationManager
@Override
public Application install(InputStream appDescStream) {
checkPermission(ADMIN);
checkNotNull(appDescStream, "Application archive stream cannot be null");
Application app = store.create(appDescStream);
SecurityUtil.register(app.id());
......@@ -159,12 +161,14 @@ public class ApplicationManager
@Override
public void uninstall(ApplicationId appId) {
checkPermission(ADMIN);
checkNotNull(appId, APP_ID_NULL);
updateStoreAndWaitForNotificationHandling(appId, store::remove);
}
@Override
public void activate(ApplicationId appId) {
checkPermission(ADMIN);
checkNotNull(appId, APP_ID_NULL);
if (!SecurityUtil.isAppSecured(appId)) {
return;
......@@ -174,12 +178,14 @@ public class ApplicationManager
@Override
public void deactivate(ApplicationId appId) {
checkPermission(ADMIN);
checkNotNull(appId, APP_ID_NULL);
updateStoreAndWaitForNotificationHandling(appId, store::deactivate);
}
@Override
public void setPermissions(ApplicationId appId, Set<Permission> permissions) {
checkPermission(ADMIN);
checkNotNull(appId, APP_ID_NULL);
checkNotNull(permissions, "Permissions cannot be null");
store.setPermissions(appId, permissions);
......
......@@ -58,6 +58,7 @@ import java.util.concurrent.atomic.AtomicReference;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.onosproject.security.AppPermission.Type.CLUSTER_READ;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -135,6 +136,7 @@ public class ClusterManager
@Override
public void markFullyStarted(boolean started) {
checkPermission(ADMIN);
store.markFullyStarted(started);
}
......@@ -146,6 +148,7 @@ public class ClusterManager
@Override
public void formCluster(Set<ControllerNode> nodes) {
checkPermission(ADMIN);
checkNotNull(nodes, "Nodes cannot be null");
checkArgument(!nodes.isEmpty(), "Nodes cannot be empty");
......@@ -163,6 +166,7 @@ public class ClusterManager
@Override
public ControllerNode addNode(NodeId nodeId, IpAddress ip, int tcpPort) {
checkPermission(ADMIN);
checkNotNull(nodeId, INSTANCE_ID_NULL);
checkNotNull(ip, "IP address cannot be null");
checkArgument(tcpPort > 5000, "TCP port must be > 5000");
......@@ -171,6 +175,7 @@ public class ClusterManager
@Override
public void removeNode(NodeId nodeId) {
checkPermission(ADMIN);
checkNotNull(nodeId, INSTANCE_ID_NULL);
store.removeNode(nodeId);
}
......
......@@ -46,6 +46,7 @@ import java.util.Enumeration;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.onosproject.security.AppPermission.Type.CLUSTER_READ;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -103,6 +104,7 @@ public class ClusterMetadataManager
@Override
public void setClusterMetadata(ClusterMetadata metadata) {
checkPermission(ADMIN);
checkNotNull(metadata, "Cluster metadata cannot be null");
ClusterMetadataProvider primaryProvider = getPrimaryProvider();
if (primaryProvider == null) {
......
......@@ -15,6 +15,8 @@
*/
package org.onosproject.cluster.impl;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.slf4j.LoggerFactory.getLogger;
import java.util.Map;
......@@ -100,16 +102,19 @@ public class LeadershipManager
@Override
public boolean transferLeadership(String topic, NodeId to) {
checkPermission(ADMIN);
return store.moveLeadership(topic, to);
}
@Override
public void unregister(NodeId nodeId) {
checkPermission(ADMIN);
store.removeRegistration(nodeId);
}
@Override
public boolean promoteToTopOfCandidateList(String topic, NodeId nodeId) {
checkPermission(ADMIN);
return store.makeTopCandidate(topic, nodeId);
}
}
......
......@@ -64,6 +64,7 @@ import static org.onlab.metrics.MetricsUtil.startTimer;
import static org.onlab.metrics.MetricsUtil.stopTimer;
import static org.onosproject.net.MastershipRole.MASTER;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.onosproject.security.AppPermission.Type.CLUSTER_READ;
import static org.onosproject.security.AppPermission.Type.CLUSTER_WRITE;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -119,6 +120,7 @@ public class MastershipManager
@Override
public CompletableFuture<Void> setRole(NodeId nodeId, DeviceId deviceId, MastershipRole role) {
checkPermission(ADMIN);
checkNotNull(nodeId, NODE_ID_NULL);
checkNotNull(deviceId, DEVICE_ID_NULL);
checkNotNull(role, ROLE_NULL);
......@@ -207,6 +209,7 @@ public class MastershipManager
@Override
public void balanceRoles() {
checkPermission(ADMIN);
List<ControllerNode> nodes = newArrayList(clusterService.getNodes());
Map<ControllerNode, Set<DeviceId>> controllerDevices = new HashMap<>();
int deviceCount = 0;
......
......@@ -25,6 +25,7 @@ import static org.onosproject.net.MastershipRole.STANDBY;
import static org.onosproject.net.optical.device.OchPortHelper.ochPortDescription;
import static org.onosproject.net.optical.device.OduCltPortHelper.oduCltPortDescription;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.onosproject.security.AppPermission.Type.DEVICE_READ;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -247,6 +248,7 @@ public class DeviceManager
@Override
public void removeDevice(DeviceId deviceId) {
checkPermission(ADMIN);
checkNotNull(deviceId, DEVICE_ID_NULL);
DeviceEvent event = store.removeDevice(deviceId);
if (event != null) {
......@@ -258,6 +260,7 @@ public class DeviceManager
@Override
public void changePortState(DeviceId deviceId, PortNumber portNumber,
boolean enable) {
checkPermission(ADMIN);
checkNotNull(deviceId, DEVICE_ID_NULL);
checkNotNull(deviceId, PORT_NUMBER_NULL);
DeviceProvider provider = getProvider(deviceId);
......
......@@ -85,11 +85,13 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Set<DriverProvider> getProviders() {
checkPermission(ADMIN);
return ImmutableSet.copyOf(providers);
}
@Override
public void registerProvider(DriverProvider provider) {
checkPermission(ADMIN);
provider.getDrivers().forEach(driver -> {
Driver d = addDriver(driver);
driverByKey.put(key(driver.manufacturer(),
......@@ -101,6 +103,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public void unregisterProvider(DriverProvider provider) {
checkPermission(ADMIN);
provider.getDrivers().forEach(driver -> {
removeDriver(driver);
driverByKey.remove(key(driver.manufacturer(),
......
......@@ -191,6 +191,7 @@ public class HostManager
@Override
public void removeHost(HostId hostId) {
checkPermission(ADMIN);
checkNotNull(hostId, HOST_ID_NULL);
store.removeHost(hostId);
}
......
......@@ -37,6 +37,7 @@ import java.util.Collection;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.onosproject.security.AppPermission.Type.DEVICE_KEY_READ;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -71,12 +72,14 @@ public class DeviceKeyManager extends AbstractListenerManager<DeviceKeyEvent, De
@Override
public void addKey(DeviceKey deviceKey) {
checkPermission(ADMIN);
checkNotNull(deviceKey, "Device key cannot be null");
store.createOrUpdateDeviceKey(deviceKey);
}
@Override
public void removeKey(DeviceKeyId deviceKeyId) {
checkPermission(ADMIN);
checkNotNull(deviceKeyId, "Device key identifier cannot be null");
store.deleteDeviceKey(deviceKeyId);
}
......
......@@ -182,6 +182,7 @@ public class LinkManager
@Override
public void removeLinks(ConnectPoint connectPoint) {
checkPermission(ADMIN);
if (deviceService.getRole(connectPoint.deviceId()) != MastershipRole.MASTER) {
return;
}
......@@ -190,6 +191,7 @@ public class LinkManager
@Override
public void removeLinks(DeviceId deviceId) {
checkPermission(ADMIN);
if (deviceService.getRole(deviceId) != MastershipRole.MASTER) {
return;
}
......@@ -198,6 +200,7 @@ public class LinkManager
@Override
public void removeLink(ConnectPoint src, ConnectPoint dst) {
checkPermission(ADMIN);
post(store.removeLink(src, dst));
}
......
......@@ -42,6 +42,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState;
import static com.google.common.collect.ImmutableList.of;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.REGION_READ;
......@@ -85,6 +86,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi
@Override
public Region createRegion(RegionId regionId, String name, Region.Type type,
List<Set<NodeId>> masterNodeIds) {
checkPermission(ADMIN);
checkNotNull(regionId, REGION_ID_NULL);
checkNotNull(name, NAME_NULL);
checkNotNull(name, REGION_TYPE_NULL);
......@@ -94,6 +96,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi
@Override
public Region updateRegion(RegionId regionId, String name, Region.Type type,
List<Set<NodeId>> masterNodeIds) {
checkPermission(ADMIN);
checkNotNull(regionId, REGION_ID_NULL);
checkNotNull(name, NAME_NULL);
checkNotNull(name, REGION_TYPE_NULL);
......@@ -102,12 +105,14 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi
@Override
public void removeRegion(RegionId regionId) {
checkPermission(ADMIN);
checkNotNull(regionId, REGION_ID_NULL);
store.removeRegion(regionId);
}
@Override
public void addDevices(RegionId regionId, Collection<DeviceId> deviceIds) {
checkPermission(ADMIN);
checkNotNull(regionId, REGION_ID_NULL);
checkNotNull(deviceIds, DEVICE_IDS_NULL);
checkState(!deviceIds.isEmpty(), DEVICE_IDS_EMPTY);
......@@ -116,6 +121,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi
@Override
public void removeDevices(RegionId regionId, Collection<DeviceId> deviceIds) {
checkPermission(ADMIN);
checkNotNull(regionId, REGION_ID_NULL);
checkNotNull(deviceIds, DEVICE_IDS_NULL);
checkState(!deviceIds.isEmpty(), DEVICE_IDS_EMPTY);
......
......@@ -46,6 +46,7 @@ import java.util.stream.Collectors;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.onosproject.security.AppPermission.Type.RESOURCE_WRITE;
import static org.onosproject.security.AppPermission.Type.RESOURCE_READ;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -109,6 +110,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent
@Override
public boolean release(ResourceConsumer consumer) {
checkPermission(RESOURCE_WRITE);
checkNotNull(consumer);
Collection<ResourceAllocation> allocations = getResourceAllocations(consumer);
......@@ -201,6 +203,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent
@Override
public boolean register(List<Resource> resources) {
checkPermission(ADMIN);
checkNotNull(resources);
return store.register(resources);
......@@ -208,6 +211,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent
@Override
public boolean unregister(List<ResourceId> ids) {
checkPermission(ADMIN);
checkNotNull(ids);
return store.unregister(ids);
......
......@@ -17,7 +17,6 @@ package org.onosproject.security.impl;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import org.onosproject.cluster.ClusterAdminService;
import org.onosproject.cluster.ClusterMetadataService;
......@@ -33,10 +32,9 @@ import org.onosproject.net.config.NetworkConfigService;
import org.onosproject.net.edge.EdgePortService;
import org.onosproject.net.key.DeviceKeyAdminService;
import org.onosproject.net.key.DeviceKeyService;
import org.onosproject.net.resource.ResourceAdminService;
import org.onosproject.net.resource.ResourceService;
import org.onosproject.net.region.RegionAdminService;
import org.onosproject.net.region.RegionService;
import org.onosproject.net.resource.ResourceService;
import org.onosproject.net.statistic.FlowStatisticService;
import org.onosproject.persistence.PersistenceService;
import org.onosproject.security.AppPermission;
......@@ -83,6 +81,8 @@ import org.osgi.framework.CapabilityPermission;
import org.osgi.framework.BundlePermission;
import org.osgi.framework.PackagePermission;
import org.osgi.service.cm.ConfigurationPermission;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.permissionadmin.PermissionAdmin;
import javax.net.ssl.SSLPermission;
import javax.security.auth.AuthPermission;
......@@ -96,10 +96,7 @@ import java.net.NetPermission;
import java.net.SocketPermission;
import java.security.Permissions;
import java.sql.SQLPermission;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.PropertyPermission;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
......@@ -113,24 +110,39 @@ public final class DefaultPolicyBuilder {
protected static ConcurrentHashMap<AppPermission.Type,
Set<String>> serviceDirectory = getServiceDirectory();
protected static List<Permission> defaultPermissions = getDefaultPerms();
protected static List<Permission> adminServicePermissions = getAdminDefaultPerms();
protected static Set<Permission> defaultPermissions = getDefaultPerms();
protected static Set<Permission> adminServicePermissions = getAdminDefaultPerms();
private DefaultPolicyBuilder(){
}
public static List<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) {
List<Permission> perms = Lists.newArrayList();
public static Set<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) {
Set<Permission> perms = Sets.newHashSet();
perms.addAll(defaultPermissions);
perms.addAll(convertToJavaPermissions(permissions));
for (Permission perm : perms) {
if (perm instanceof AppPermission && ((AppPermission) perm).getType() == ADMIN) {
perms.remove(perm);
} else if (perm instanceof ServicePermission) {
if (perm.getName().contains(SecurityAdminService.class.getName())) {
perms.remove(perm);
} else if (perm.getName().contains(PermissionAdmin.class.getName())) {
perms.remove(perm);
} else if (perm.getName().contains(ConditionalPermissionAdmin.class.getName())) {
perms.remove(perm);
}
}
}
return optimizePermissions(perms);
}
public static List<Permission> getAdminApplicationPermissions(
public static Set<Permission> getAdminApplicationPermissions(
Set<org.onosproject.security.Permission> permissions) {
List<Permission> perms = Lists.newArrayList();
Set<Permission> perms = Sets.newHashSet();
perms.addAll(defaultPermissions);
perms.addAll(adminServicePermissions);
perms.add(new AppPermission(ADMIN));
for (AppPermission.Type perm : serviceDirectory.keySet()) {
perms.add(new AppPermission(perm));
}
......@@ -138,8 +150,8 @@ public final class DefaultPolicyBuilder {
return optimizePermissions(perms);
}
public static List<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) {
List<Permission> result = Lists.newArrayList();
public static Set<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) {
Set<Permission> result = Sets.newHashSet();
for (org.onosproject.security.Permission perm : permissions) {
Permission javaPerm = getPermission(perm);
if (javaPerm != null) {
......@@ -152,6 +164,9 @@ public final class DefaultPolicyBuilder {
result.add(new ServicePermission(service, ServicePermission.GET));
}
}
if (ap.getType() == CONFIG_WRITE) {
result.addAll(getConfigServicePerms());
}
}
} else if (javaPerm instanceof ServicePermission) {
if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) {
......@@ -166,7 +181,7 @@ public final class DefaultPolicyBuilder {
return result;
}
public static Set<org.onosproject.security.Permission> convertToOnosPermissions(List<Permission> permissions) {
public static Set<org.onosproject.security.Permission> convertToOnosPermissions(Set<Permission> permissions) {
Set<org.onosproject.security.Permission> result = Sets.newHashSet();
for (Permission perm : permissions) {
org.onosproject.security.Permission onosPerm = getOnosPermission(perm);
......@@ -177,18 +192,27 @@ public final class DefaultPolicyBuilder {
return result;
}
public static List<Permission> getDefaultPerms() {
List<Permission> permSet = Lists.newArrayList();
public static Set<Permission> getDefaultPerms() {
Set<Permission> permSet = Sets.newHashSet();
// slf4j-logging requirement
permSet.add(
new AdaptPermission("(adaptClass=org.osgi.framework.wiring.BundleRevision)", AdaptPermission.ADAPT));
// package-permissions
permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY));
permSet.add(new PackagePermission("*", PackagePermission.IMPORT));
permSet.add(new AdaptPermission("*", AdaptPermission.ADAPT));
return permSet;
}
private static Set<Permission> getConfigServicePerms() {
Set<Permission> permSet = Sets.newHashSet();
permSet.add(new AdminPermission("(name=org.onosproject.onos-core-net)", AdminPermission.METADATA));
permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE));
permSet.add(new AdminPermission("*", AdminPermission.METADATA));
return permSet;
}
private static List<Permission> getAdminDefaultPerms() {
List<Permission> permSet = Lists.newArrayList();
private static Set<Permission> getAdminDefaultPerms() {
Set<Permission> permSet = Sets.newHashSet();
permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(LeadershipAdminService.class.getName(), ServicePermission.GET));
......@@ -199,11 +223,9 @@ public final class DefaultPolicyBuilder {
permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(DeviceKeyAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ResourceAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(RegionAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(PartitionAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ClusterMetadataService.class.getName(), ServicePermission.GET));
......@@ -247,6 +269,7 @@ public final class DefaultPolicyBuilder {
permSet.add(new ServicePermission(MessagingService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(LogicalClockService.class.getName(), ServicePermission.GET));
// permSet.add(new ServicePermission(MutexExecutionService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(UiExtensionService.class.getName(), ServicePermission.GET));
......@@ -254,13 +277,22 @@ public final class DefaultPolicyBuilder {
}
public static Set<String> getNBServiceList() {
Set<String> permString = new HashSet<>();
Set<String> permString = Sets.newHashSet();
for (Permission perm : getAdminDefaultPerms()) {
permString.add(perm.getName());
}
return permString;
}
public static Set<String> getCliServiceList() {
Set<String> permString = Sets.newHashSet();
permString.add("org.apache.felix.service.command.Function");
permString.add("org.apache.karaf.shell.console.CompletableFunction");
permString.add("org.apache.karaf.shell.commands.CommandWithAction");
permString.add("org.osgi.service.blueprint.container.BlueprintContainer");
return permString;
}
private static ConcurrentHashMap<AppPermission.Type, Set<String>> getServiceDirectory() {
ConcurrentHashMap<AppPermission.Type, Set<String>> serviceDirectory = new ConcurrentHashMap<>();
......@@ -320,14 +352,10 @@ public final class DefaultPolicyBuilder {
IntentService.class.getName(), IntentExtensionService.class.getName()));
serviceDirectory.put(INTENT_EVENT, ImmutableSet.of(
IntentService.class.getName(), IntentPartitionService.class.getName()));
// serviceDirectory.put(LINK_READ, ImmutableSet.of(
// LinkService.class.getName(), LinkResourceService.class.getName(),
// LabelResourceService.class.getName()));
// serviceDirectory.put(LINK_WRITE, ImmutableSet.of(
// LinkResourceService.class.getName(), LabelResourceService.class.getName()));
// serviceDirectory.put(LINK_EVENT, ImmutableSet.of(
// LinkService.class.getName(), LinkResourceService.class.getName(),
// LabelResourceService.class.getName()));
serviceDirectory.put(LINK_READ, ImmutableSet.of(
LinkService.class.getName()));
serviceDirectory.put(LINK_WRITE, ImmutableSet.of());
serviceDirectory.put(LINK_EVENT, ImmutableSet.of(LinkService.class.getName()));
serviceDirectory.put(PACKET_READ, ImmutableSet.of(
PacketService.class.getName(), ProxyArpService.class.getName()));
serviceDirectory.put(PACKET_WRITE, ImmutableSet.of(
......@@ -374,6 +402,8 @@ public final class DefaultPolicyBuilder {
PartitionService.class.getName()));
serviceDirectory.put(CLOCK_WRITE, ImmutableSet.of(
LogicalClockService.class.getName()));
// serviceDirectory.put(MUTEX_WRITE, ImmutableSet.of(
// MutexExecutionService.class.getName()));
return serviceDirectory;
}
......@@ -511,18 +541,16 @@ public final class DefaultPolicyBuilder {
return new ReflectPermission(name, actions);
}
//AllPermission, SecurityPermission, UnresolvedPermission
//AWTPermission, ReflectPermission not allowed
return null;
}
private static List<Permission> optimizePermissions(List<Permission> perms) {
private static Set<Permission> optimizePermissions(Set<Permission> perms) {
Permissions permissions = listToPermissions(perms);
return permissionsToList(permissions);
}
private static List<Permission> permissionsToList(Permissions perms) {
List<Permission> permissions = new ArrayList<>();
private static Set<Permission> permissionsToList(Permissions perms) {
Set<Permission> permissions = Sets.newHashSet();
Enumeration<Permission> e = perms.elements();
while (e.hasMoreElements()) {
permissions.add(e.nextElement());
......@@ -530,11 +558,11 @@ public final class DefaultPolicyBuilder {
return permissions;
}
private static Permissions listToPermissions(List<Permission> perms) {
private static Permissions listToPermissions(Set<Permission> perms) {
Permissions permissions = new Permissions();
for (Permission perm : perms) {
permissions.add(perm);
}
return permissions;
}
}
}
\ No newline at end of file
......
......@@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener;
import org.onosproject.security.store.SecurityModeStore;
import org.onosproject.security.store.SecurityModeStoreDelegate;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkEvent;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServicePermission;
import org.osgi.service.log.LogEntry;
import org.osgi.service.log.LogListener;
import org.osgi.service.log.LogReaderService;
import org.osgi.framework.FrameworkListener;
import org.osgi.service.permissionadmin.PermissionInfo;
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.SecurityPermission;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
......@@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService {
protected ApplicationAdminService appAdminService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected LogReaderService logReaderService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected EventDeliveryService eventDispatcher;
private final Logger log = getLogger(getClass());
......@@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService {
private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate();
private SecurityLogListener securityLogListener = new SecurityLogListener();
private SecurityEventListener securityEventListener = new SecurityEventListener();
private PermissionAdmin permissionAdmin = getPermissionAdmin();
......@@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService {
public void activate() {
eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry);
logReaderService.addLogListener(securityLogListener);
getBundleContext().addFrameworkListener(new SecurityEventListener());
if (System.getSecurityManager() == null) {
log.warn("J2EE security manager is disabled.");
......@@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService {
@Deactivate
public void deactivate() {
eventDispatcher.removeSink(SecurityModeEvent.class);
logReaderService.removeLogListener(securityLogListener);
getBundleContext().removeFrameworkListener(securityEventListener);
store.unsetDelegate(delegate);
log.info("Stopped");
......@@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService {
DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId)));
}
private class SecurityLogListener implements LogListener {
private class SecurityEventListener implements FrameworkListener {
@Override
public void logged(LogEntry entry) {
if (entry.getException() != null &&
entry.getException() instanceof AccessControlException) {
String location = entry.getBundle().getLocation();
Permission javaPerm =
((AccessControlException) entry.getException()).getPermission();
org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm);
if (permission == null) {
log.warn("Unsupported permission requested.");
return;
}
store.getApplicationIds(location).stream().filter(
appId -> store.isSecured(appId) &&
appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
store.requestPermission(appId, permission);
print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
appId.name(), location, permission.toString());
});
public void frameworkEvent(FrameworkEvent event) {
if (event.getType() != FrameworkEvent.ERROR) {
return;
}
Throwable throwable = event.getThrowable();
if (throwable == null || !(throwable instanceof AccessControlException)) {
return;
}
String bundleLocation = event.getBundle().getLocation();
Permission nativePerm = ((AccessControlException) throwable).getPermission();
org.onosproject.security.Permission onosPerm = DefaultPolicyBuilder.getOnosPermission(nativePerm);
if (onosPerm == null) {
log.warn("Unsupported permission requested: " + nativePerm.toString());
return;
}
store.getApplicationIds(bundleLocation).stream().filter(
appId -> store.isSecured(appId) &&
appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
store.requestPermission(appId, onosPerm);
print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
appId.name(), bundleLocation, onosPerm.toString());
});
}
}
......@@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService {
* 0 - APP_PERM
* 1 - ADMIN SERVICE
* 2 - NB_SERVICE
* 3 - ETC_SERVICE
* 4 - ETC
* 3 - SB_SERVICE
* 4 - CLI_SERVICE
* 5 - ETC_SERVICE
* 6 - CRITICAL PERMISSIONS
* 7 - ETC
* @param perms
*/
private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) {
private Map<Integer, List<Permission>> getPrintablePermissionMap(Set<Permission> perms) {
ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>();
sortedMap.put(0, new ArrayList());
sortedMap.put(1, new ArrayList());
sortedMap.put(2, new ArrayList());
sortedMap.put(3, new ArrayList());
sortedMap.put(4, new ArrayList());
sortedMap.put(5, new ArrayList());
sortedMap.put(6, new ArrayList());
sortedMap.put(7, new ArrayList());
for (Permission perm : perms) {
if (perm instanceof ServicePermission) {
if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) {
if (perm.getName().contains("Admin")) {
if (perm instanceof AppPermission) {
sortedMap.get(0).add(perm);
} else if (perm instanceof ServicePermission) {
String permName = perm.getName().trim();
if (DefaultPolicyBuilder.getNBServiceList().contains(permName)) { // ONOS NB SERVICES
if (permName.contains("Admin")) {
sortedMap.get(1).add(perm);
} else {
sortedMap.get(2).add(perm);
}
} else {
} else if (permName.contains("org.onosproject") && permName.contains("Provider")) { //ONOS SB SERVICES
sortedMap.get(3).add(perm);
} else if (DefaultPolicyBuilder.getCliServiceList().contains(permName)) { //CLI SERVICES
sortedMap.get(4).add(perm);
} else if (permName.contains("Security")) { //CRITICAL SERVICES
sortedMap.get(6).add(perm);
} else {
sortedMap.get(5).add(perm);
}
} else if (perm instanceof AppPermission) {
sortedMap.get(0).add(perm);
} else if (perm instanceof RuntimePermission || perm instanceof SocketPermission ||
perm instanceof FilePermission || perm instanceof SecurityPermission ||
perm instanceof ReflectPermission) { // CRITICAL PERMISSIONS
sortedMap.get(6).add(perm);
} else {
sortedMap.get(4).add(perm);
boolean isDefault = false;
for (Permission dPerm : DefaultPolicyBuilder.getDefaultPerms()) {
if (perm.implies(dPerm)) {
isDefault = true;
break;
}
}
if (!isDefault) {
sortedMap.get(7).add(perm);
}
}
}
return sortedMap;
......@@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService {
private List<Permission> getMaximumPermissions(ApplicationId appId) {
private Set<Permission> getMaximumPermissions(ApplicationId appId) {
Application app = appAdminService.getApplication(appId);
if (app == null) {
print("Unknown application.");
return null;
}
List<Permission> appPerms;
Set<Permission> appPerms;
switch (app.role()) {
case ADMIN:
appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions());
......@@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService {
}
}
\ No newline at end of file
......
......@@ -93,12 +93,10 @@ public class DistributedSecurityModeStore
.register(KryoNamespaces.API)
.register(SecurityModeState.class)
.register(SecurityInfo.class)
.register(Permission.class)
.build());
private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder()
.register(KryoNamespaces.API)
.register(Permission.class);
.register(KryoNamespaces.API);
@Activate
public void activate() {
......
......@@ -74,6 +74,8 @@ import static com.google.common.base.Preconditions.checkArgument;
import static org.onlab.util.Tools.get;
import static org.onlab.util.Tools.isNullOrEmpty;
import static org.onosproject.net.topology.TopologyEvent.Type.TOPOLOGY_CHANGED;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.slf4j.LoggerFactory.getLogger;
/**
......@@ -316,11 +318,13 @@ public class DistributedTopologyStore
@Override
public void setDefaultLinkWeight(LinkWeight linkWeight) {
checkPermission(ADMIN);
DefaultTopology.setDefaultLinkWeight(linkWeight);
}
@Override
public void setDefaultGraphPathSearch(GraphPathSearch<TopologyVertex, TopologyEdge> graphPathSearch) {
checkPermission(ADMIN);
DefaultTopology.setDefaultGraphPathSearch(graphPathSearch);
}
......
......@@ -16,6 +16,7 @@
package org.onosproject.store.primitives.impl;
import static org.onosproject.security.AppPermission.Type.ADMIN;
import static org.slf4j.LoggerFactory.getLogger;
import java.io.File;
......@@ -152,6 +153,7 @@ public class PartitionManager extends AbstractListenerManager<PartitionEvent, Pa
@Override
public List<PartitionInfo> partitionInfo() {
checkPermission(ADMIN);
return partitions.values()
.stream()
.flatMap(x -> Tools.stream(x.info()))
......@@ -177,6 +179,7 @@ public class PartitionManager extends AbstractListenerManager<PartitionEvent, Pa
@Override
public List<PartitionClientInfo> partitionClientInfo() {
checkPermission(ADMIN);
return partitions.values()
.stream()
.map(StoragePartition::client)
......
......@@ -172,11 +172,13 @@ public class StorageManager implements StorageService, StorageAdminService {
@Override
public List<MapInfo> getMapInfo() {
checkPermission(ADMIN);
return listMapInfo(federatedPrimitiveCreator);
}
@Override
public Map<String, Long> getCounters() {
checkPermission(ADMIN);
Map<String, Long> counters = Maps.newConcurrentMap();
federatedPrimitiveCreator.getAsyncAtomicCounterNames()
.forEach(name -> counters.put(name,
......@@ -186,11 +188,13 @@ public class StorageManager implements StorageService, StorageAdminService {
@Override
public List<PartitionInfo> getPartitionInfo() {
checkPermission(ADMIN);
return partitionAdminService.partitionInfo();
}
@Override
public Collection<TransactionId> getPendingTransactions() {
checkPermission(ADMIN);
return Futures.getUnchecked(transactions.keySet());
}
......