Changhoon Yoon
Committed by Gerrit Code Review

ONOS-1767 SM-ONOS implementation

22a363e ONOS-17767 SM-ONOS impl

Change-Id: Ifca8129f2266bada68af735cf81a1d39f1ec8506
Showing 66 changed files with 2013 additions and 1094 deletions
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.cli.security;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import org.apache.karaf.shell.commands.Argument;
import org.apache.karaf.shell.commands.Command;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.cli.AbstractShellCommand;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import java.util.Set;
import java.util.stream.Collectors;
/**
* Manages application permissions.
*/
@Command(scope = "onos", name = "perm",
description = "Manages application permissions")
public class PermissionCommand extends AbstractShellCommand {
static final String ADD = "add";
static final String REMOVE = "remove";
static final String LIST = "list";
static final String CLEAR = "clear";
@Argument(index = 0, name = "command",
description = "Command name (add|remove)",
required = true, multiValued = false)
String command = null;
@Argument(index = 1, name = "name", description = "Application name",
required = true, multiValued = false)
String name = null;
@Argument(index = 2, name = "permissions", description = "List of permissions",
required = false, multiValued = true)
String[] permissions = null;
@Override
protected void execute() {
ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
Set<Permission> newPermSet = Sets.newHashSet();
if (command.equals(ADD)) {
ApplicationId appId = applicationAdminService.getId(name);
if (appId == null) {
print("No such application: %s", name);
return;
}
Application app = applicationAdminService.getApplication(appId);
for (String perm : permissions) {
try {
Permission permission = Permission.valueOf(perm);
newPermSet.add(permission);
} catch (IllegalArgumentException e) {
print("%s is not a valid permission.", perm);
return;
}
}
Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
if (oldPermSet != null) {
newPermSet.addAll(oldPermSet);
} else {
newPermSet.addAll(app.permissions());
}
applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
} else if (command.equals(REMOVE)) {
ApplicationId appId = applicationAdminService.getId(name);
Application app = applicationAdminService.getApplication(appId);
if (appId == null) {
print("No such application: %s", name);
return;
}
Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
if (oldPermSet == null) {
oldPermSet = app.permissions();
}
Set<String> clearPermSet = Sets.newHashSet(permissions);
newPermSet.addAll(oldPermSet.stream().filter(
perm -> !clearPermSet.contains(perm.name().toUpperCase())).collect(Collectors.toList()));
applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
} else if (command.equals(CLEAR)) {
ApplicationId appId = applicationAdminService.getId(name);
if (appId == null) {
print("No such application: %s", name);
return;
}
applicationAdminService.setPermissions(appId, ImmutableSet.of());
print("Cleared the permission list of %s.", appId.name());
} else if (command.equals(LIST)) {
ApplicationId appId = applicationAdminService.getId(name);
if (appId == null) {
print("No such application: %s", name);
return;
}
Application app = applicationAdminService.getApplication(appId);
Set<Permission> userPermissions = applicationAdminService.getPermissions(appId);
Set<Permission> defaultPermissions = app.permissions();
print("Application Role");
print("\trole=%s", app.role().name());
if (defaultPermissions != null) {
if (!defaultPermissions.isEmpty()) {
print("Default permissions (specified in app.xml)");
for (Permission perm : defaultPermissions) {
print("\tpermission=%s", perm.name());
}
} else {
print("(No default permissions specified in app.xml)");
}
}
if (userPermissions != null) {
if (!userPermissions.isEmpty()) {
print("User permissions");
for (Permission perm : userPermissions) {
print("\tpermission=%s", perm.name());
}
} else {
print("(User has removed all the permissions");
}
}
}
}
}
......@@ -18,6 +18,7 @@ package org.onosproject.cli.security;
import org.apache.karaf.shell.console.completer.StringsCompleter;
import org.onosproject.app.ApplicationService;
import org.onosproject.app.ApplicationState;
import org.onosproject.cli.AbstractCompleter;
import org.onosproject.core.Application;
......@@ -25,25 +26,31 @@ import java.util.Iterator;
import java.util.List;
import java.util.SortedSet;
import static org.onosproject.app.ApplicationState.INSTALLED;
import static org.onosproject.cli.AbstractShellCommand.get;
/**
* Application name completer for permission command.
* Application name completer for security review command.
*/
public class PermissionApplicationNameCompleter extends AbstractCompleter {
public class ReviewApplicationNameCompleter extends AbstractCompleter {
@Override
public int complete(String buffer, int cursor, List<String> candidates) {
// Delegate string completer
StringsCompleter delegate = new StringsCompleter();
// Fetch our service and feed it's offerings to the string completer
ApplicationService service = get(ApplicationService.class);
Iterator<Application> it = service.getApplications().iterator();
SortedSet<String> strings = delegate.getStrings();
while (it.hasNext()) {
Application app = it.next();
ApplicationState state = service.getState(app.id());
// if (previousApps.contains(app.id().name())) {
// continue;
// }
if (state == INSTALLED) {
strings.add(app.id().name());
}
}
// Now let the completer do the work for figuring out what to offer.
return delegate.complete(buffer, cursor, candidates);
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.cli.security;
import org.apache.karaf.shell.commands.Argument;
import org.apache.karaf.shell.commands.Command;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.cli.AbstractShellCommand;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.security.SecurityAdminService;
import org.onosproject.security.SecurityUtil;
import java.security.Permission;
import java.util.List;
import java.util.Map;
/**
* Application security policy review commands.
*/
@Command(scope = "onos", name = "review",
description = "Application security policy review interface")
public class ReviewCommand extends AbstractShellCommand {
@Argument(index = 0, name = "name", description = "Application name",
required = true, multiValued = false)
String name = null;
@Argument(index = 1, name = "accept", description = "Option to accept policy",
required = false, multiValued = false)
String accept = null;
@Override
protected void execute() {
ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
ApplicationId appId = applicationAdminService.getId(name);
if (appId == null) {
print("No such application: %s", name);
return;
}
Application app = applicationAdminService.getApplication(appId);
SecurityAdminService smService = SecurityUtil.getSecurityService();
if (smService == null) {
print("Security Mode is disabled");
return;
}
if (accept == null) {
smService.review(appId);
printPolicy(smService, app);
} else if (accept.trim().equals("accept")) {
smService.acceptPolicy(appId);
printPolicy(smService, app);
} else {
print("Unknown command");
}
}
private void printPolicy(SecurityAdminService smService, Application app) {
print("\n*******************************");
print(" SM-ONOS APP REVIEW ");
print("*******************************");
print("Application name: %s ", app.id().name());
print("Application role: " + app.role());
print("\nDeveloper specified permissions: ");
printMap(smService.getPrintableSpecifiedPermissions(app.id()));
print("\nPermissions granted: ");
printMap(smService.getPrintableGrantedPermissions(app.id()));
print("\nAdditional permissions requested on runtime (POLICY VIOLATIONS): ");
printMap(smService.getPrintableRequestedPermissions(app.id()));
print("");
}
private void printMap(Map<Integer, List<Permission>> assortedMap) {
for (Integer type : assortedMap.keySet()) {
switch (type) {
case 0:
for (Permission perm: assortedMap.get(0)) {
print("\t[APP PERMISSION] " + perm.getName());
}
break;
case 1:
for (Permission perm: assortedMap.get(1)) {
print("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 2:
for (Permission perm: assortedMap.get(2)) {
print("\t[NB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 3:
for (Permission perm: assortedMap.get(3)) {
print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 4:
for (Permission perm: assortedMap.get(4)) {
print("\t[Other] " + perm.getClass().getSimpleName() +
" " + perm.getName() + " (" + perm.getActions() + ")");
}
default:
break;
}
}
}
}
......@@ -21,11 +21,9 @@
</command>
<command>
<action class="org.onosproject.cli.security.PermissionCommand"/>
<action class="org.onosproject.cli.security.ReviewCommand"/>
<completers>
<ref component-id="permCommandCompleter"/>
<ref component-id="permAppNameCompleter"/>
<ref component-id="permNameCompleter"/>
<ref component-id="reviewAppNameCompleter"/>
</completers>
</command>
......@@ -435,9 +433,7 @@
</command>
</command-bundle>
<bean id="permAppNameCompleter" class="org.onosproject.cli.security.PermissionApplicationNameCompleter"/>
<bean id="permCommandCompleter" class="org.onosproject.cli.security.PermissionCommandCompleter"/>
<bean id="permNameCompleter" class="org.onosproject.cli.security.PermissionNameCompleter"/>
<bean id="reviewAppNameCompleter" class="org.onosproject.cli.security.ReviewApplicationNameCompleter"/>
<bean id="appCommandCompleter" class="org.onosproject.cli.app.ApplicationCommandCompleter"/>
<bean id="appNameCompleter" class="org.onosproject.cli.app.ApplicationNameCompleter"/>
<bean id="allAppNameCompleter" class="org.onosproject.cli.app.AllApplicationNamesCompleter"/>
......
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import java.io.InputStream;
import java.util.Set;
......
......@@ -16,8 +16,8 @@
package org.onosproject.app;
import org.onosproject.core.ApplicationRole;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
......
......@@ -17,8 +17,8 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerService;
import org.onosproject.security.Permission;
import java.util.Set;
......
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.onosproject.store.Store;
import java.io.InputStream;
......
......@@ -16,8 +16,8 @@
package org.onosproject.app;
import org.onosproject.core.ApplicationRole;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
......
......@@ -15,6 +15,8 @@
*/
package org.onosproject.core;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
import java.util.Optional;
......
......@@ -23,9 +23,9 @@ public enum ApplicationRole {
ADMIN,
/**
* Indicates that an application has a REGULAR role.
* Indicates that an application has a USER role.
*/
REGULAR,
USER,
/**
* Indicates that an application role has not been specified.
......
......@@ -15,6 +15,8 @@
*/
package org.onosproject.core;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.Set;
import java.util.Optional;
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.core;
/**
* Representation of an application permission.
*/
public enum Permission {
APP_READ,
APP_EVENT,
CONFIG_READ,
CONFIG_WRITE,
CLUSTER_READ,
CLUSTER_WRITE,
CLUSTER_EVENT,
DEVICE_READ,
DEVICE_EVENT,
DRIVER_READ,
DRIVER_WRITE,
FLOWRULE_READ,
FLOWRULE_WRITE,
FLOWRULE_EVENT,
GROUP_READ,
GROUP_WRITE,
GROUP_EVENT,
HOST_READ,
HOST_WRITE,
HOST_EVENT,
INTENT_READ,
INTENT_WRITE,
INTENT_EVENT,
LINK_READ,
LINK_WRITE,
LINK_EVENT,
PACKET_READ,
PACKET_WRITE,
PACKET_EVENT,
STATISTIC_READ,
TOPOLOGY_READ,
TOPOLOGY_EVENT,
TUNNEL_READ,
TUNNEL_WRITE,
TUNNEL_EVENT,
STORAGE_WRITE
}
......@@ -15,7 +15,6 @@
*/
package org.onosproject.net.packet;
import org.onosproject.core.Permission;
import org.onosproject.net.flow.DefaultTrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment.Builder;
......@@ -23,7 +22,7 @@ import org.onosproject.net.flow.TrafficTreatment.Builder;
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
* Default implementation of a packet context.
......@@ -57,29 +56,25 @@ public abstract class DefaultPacketContext implements PacketContext {
@Override
public long time() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return time;
}
@Override
public InboundPacket inPacket() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return inPkt;
}
@Override
public OutboundPacket outPacket() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return outPkt;
}
@Override
public Builder treatmentBuilder() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return builder;
}
......@@ -88,15 +83,13 @@ public abstract class DefaultPacketContext implements PacketContext {
@Override
public boolean block() {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
return this.block.getAndSet(true);
}
@Override
public boolean isHandled() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return this.block.get();
}
}
\ No newline at end of file
......
......@@ -16,7 +16,6 @@
package org.onosproject.security;
import org.onosproject.core.Permission;
/**
* Aids SM-ONOS to perform API-level permission checking.
......@@ -30,10 +29,10 @@ public final class AppGuard {
* Checks if the caller has the required permission only when security-mode is enabled.
* @param permission permission to be checked
*/
public static void checkPermission(Permission permission) {
public static void checkPermission(AppPermission.Type permission) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
System.getSecurityManager().checkPermission(new AppPermission(permission.name()));
System.getSecurityManager().checkPermission(new AppPermission(permission));
}
}
}
......
......@@ -23,12 +23,57 @@ import java.security.BasicPermission;
*/
public class AppPermission extends BasicPermission {
public enum Type {
APP_READ,
APP_EVENT,
CONFIG_READ,
CONFIG_WRITE,
CLUSTER_READ,
CLUSTER_WRITE,
CLUSTER_EVENT,
DEVICE_READ,
DEVICE_EVENT,
DRIVER_READ,
DRIVER_WRITE,
FLOWRULE_READ,
FLOWRULE_WRITE,
FLOWRULE_EVENT,
GROUP_READ,
GROUP_WRITE,
GROUP_EVENT,
HOST_READ,
HOST_WRITE,
HOST_EVENT,
INTENT_READ,
INTENT_WRITE,
INTENT_EVENT,
LINK_READ,
LINK_WRITE,
LINK_EVENT,
PACKET_READ,
PACKET_WRITE,
PACKET_EVENT,
STATISTIC_READ,
TOPOLOGY_READ,
TOPOLOGY_EVENT,
TUNNEL_READ,
TUNNEL_WRITE,
TUNNEL_EVENT,
STORAGE_WRITE
}
protected Type type;
/**
* Creates new application permission using the supplied data.
* @param name permission name
*/
public AppPermission(String name) {
super(name.toUpperCase(), "");
try {
type = Type.valueOf(name);
} catch (IllegalArgumentException e) {
type = null;
}
}
/**
......@@ -38,6 +83,28 @@ public class AppPermission extends BasicPermission {
*/
public AppPermission(String name, String actions) {
super(name.toUpperCase(), actions);
try {
type = Type.valueOf(name);
} catch (IllegalArgumentException e) {
type = null;
}
}
/**
* Crates new application permission using the supplied data.
* @param type permission type
*/
public AppPermission(Type type) {
super(type.name(), "");
this.type = type;
}
/**
* Returns type of permission.
* @return application permission type
*/
public Type getType() {
return this.type;
}
}
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security;
public class Permission {
protected String classname;
protected String name;
protected String actions;
public Permission(String classname, String name, String actions) {
this.classname = classname;
this.name = name;
if (actions == null) {
this.actions = "";
} else {
this.actions = actions;
}
}
public Permission(String classname, String name) {
this.classname = classname;
this.name = name;
this.actions = "";
}
public String getClassName() {
return classname;
}
public String getName() {
return name;
}
public String getActions() {
return actions;
}
@Override
public int hashCode() {
return 0;
}
@Override
public boolean equals(Object thatPerm) {
if (this == thatPerm) {
return true;
}
if (!(thatPerm instanceof Permission)) {
return false;
}
Permission that = (Permission) thatPerm;
return (this.classname.equals(that.classname)) && (this.name.equals(that.name))
&& (this.actions.equals(that.actions));
}
@Override
public String toString() {
return String.format("(%s, %s, %s)", classname, name, actions);
}
}
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security;
import org.onosproject.core.ApplicationId;
import java.security.Permission;
import java.util.List;
import java.util.Map;
/**
* Security-Mode ONOS service.
*/
public interface SecurityAdminService {
/**
* Returns true if security policy has been enforced to specified application.
* @param appId application identifier
* @return true if secured.
*/
boolean isSecured(ApplicationId appId);
/**
* Changes SecurityModeState of specified application to REVIEWED.
* @param appId application identifier
*/
void review(ApplicationId appId);
/**
* Accepts and enforces security policy to specified application.
* @param appId application identifier
*/
void acceptPolicy(ApplicationId appId);
/**
* Register application to SM-ONOS subsystem.
* @param appId application identifier
*/
void register(ApplicationId appId);
/**
* Returns sorted developer specified permission Map.
* @param appId application identifier
* @return Map of list of permissions sorted by permission type
*/
Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId);
/**
* Returns sorted granted permission Map.
* @param appId application identifier
* @return Map of list of permissions sorted by permission type
*/
Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId);
/**
* Returns sorted requested permission Map.
* @param appId application identifier
* @return Map of list of permissions sorted by permission type
*/
Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId);
}
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security;
import org.onlab.osgi.DefaultServiceDirectory;
import org.onlab.osgi.ServiceDirectory;
import org.onlab.osgi.ServiceNotFoundException;
import org.onosproject.core.ApplicationId;
/**
* Utility class to aid Security-Mode ONOS.
*/
public final class SecurityUtil {
protected static ServiceDirectory serviceDirectory = new DefaultServiceDirectory();
private SecurityUtil() {
}
public static boolean isSecurityModeEnabled() {
if (System.getSecurityManager() != null) {
try {
SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
if (securityService != null) {
return true;
}
} catch (ServiceNotFoundException e) {
return false;
}
}
return false;
}
public static SecurityAdminService getSecurityService() {
if (System.getSecurityManager() != null) {
try {
SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
if (securityService != null) {
return securityService;
}
} catch (ServiceNotFoundException e) {
return null;
}
}
return null;
}
public static boolean isAppSecured(ApplicationId appId) {
SecurityAdminService service = getSecurityService();
if (service != null) {
if (!service.isSecured(appId)) {
System.out.println("\n*******************************");
System.out.println(" SM-ONOS APP WARNING ");
System.out.println("*******************************");
System.out.println(appId.name() + " has not been secured.");
System.out.println("Please review before activating.");
return false;
}
}
return true;
}
public static void register(ApplicationId appId) {
SecurityAdminService service = getSecurityService();
if (service != null) {
service.register(appId);
}
}
}
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import java.io.InputStream;
import java.util.Set;
......
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import java.util.Set;
......
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.onosproject.store.AbstractStore;
import java.io.InputStream;
......
......@@ -19,8 +19,9 @@ import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import org.junit.Test;
import org.onosproject.core.ApplicationRole;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.security.AppPermission;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
......@@ -40,7 +41,9 @@ public class DefaultApplicationDescriptionTest {
public static final String DESC = "Awesome application from Circus, Inc.";
public static final String ORIGIN = "Circus";
public static final ApplicationRole ROLE = ApplicationRole.ADMIN;
public static final Set<Permission> PERMS = ImmutableSet.of(Permission.FLOWRULE_WRITE, Permission.FLOWRULE_READ);
public static final Set<Permission> PERMS = ImmutableSet.of(
new Permission(AppPermission.class.getName(), "FLOWRULE_WRITE"),
new Permission(AppPermission.class.getName(), "FLOWRULE_READ"));
public static final URI FURL = URI.create("mvn:org.foo-features/1.2a/xml/features");
public static final List<String> FEATURES = ImmutableList.of("foo", "bar");
......
......@@ -33,6 +33,10 @@
<dependencies>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.core</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-api</artifactId>
</dependency>
......
......@@ -20,6 +20,7 @@ import com.google.common.collect.ImmutableSet;
import com.google.common.io.ByteStreams;
import com.google.common.io.Files;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.configuration.HierarchicalConfiguration;
import org.apache.commons.configuration.XMLConfiguration;
import org.onlab.util.Tools;
import org.onosproject.app.ApplicationDescription;
......@@ -28,9 +29,11 @@ import org.onosproject.app.ApplicationException;
import org.onosproject.app.ApplicationStoreDelegate;
import org.onosproject.app.DefaultApplicationDescription;
import org.onosproject.core.ApplicationRole;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.security.AppPermission;
import org.onosproject.security.Permission;
import org.onosproject.store.AbstractStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -79,7 +82,9 @@ public class ApplicationArchive
private static final String DESCRIPTION = "description";
private static final String ROLE = "security.role";
private static final String PERMISSIONS = "security.permissions.permission";
private static final String APP_PERMISSIONS = "security.permissions.app-perm";
private static final String NET_PERMISSIONS = "security.permissions.net-perm";
private static final String JAVA_PERMISSIONS = "security.permissions.java-perm";
private static final String OAR = ".oar";
private static final String APP_XML = "app.xml";
......@@ -386,13 +391,25 @@ public class ApplicationArchive
// Returns the set of Permissions specified in the app.xml file
private ImmutableSet<Permission> getPermissions(XMLConfiguration cfg) {
List<Permission> permissionList = new ArrayList();
for (Object o : cfg.getList(PERMISSIONS)) {
for (Object o : cfg.getList(APP_PERMISSIONS)) {
String name = (String) o;
try {
Permission perm = Permission.valueOf(name);
permissionList.add(perm);
} catch (IllegalArgumentException e) {
log.debug("Unknown permission specified: %s", name);
permissionList.add(new Permission(AppPermission.class.getName(), name));
}
for (Object o : cfg.getList(NET_PERMISSIONS)) {
//TODO: TO BE FLESHED OUT WHEN NETWORK PERMISSIONS ARE SUPPORTED
break;
}
List<HierarchicalConfiguration> fields =
cfg.configurationsAt(JAVA_PERMISSIONS);
for (HierarchicalConfiguration sub : fields) {
String classname = sub.getString("classname");
String name = sub.getString("name");
String actions = sub.getString("actions");
if (classname != null && name != null) {
permissionList.add(new Permission(classname, name, actions));
}
}
return ImmutableSet.copyOf(permissionList);
......
......@@ -31,7 +31,7 @@ import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.DefaultApplication;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.slf4j.Logger;
import java.io.InputStream;
......
......@@ -28,7 +28,8 @@ import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStoreAdapter;
import org.onosproject.core.DefaultApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.AppPermission;
import org.onosproject.security.Permission;
import java.io.File;
import java.io.IOException;
......@@ -114,7 +115,8 @@ public class SimpleApplicationStoreTest {
@Test
public void permissions() {
Application app = createTestApp();
ImmutableSet<Permission> permissions = ImmutableSet.of(Permission.FLOWRULE_WRITE);
ImmutableSet<Permission> permissions =
ImmutableSet.of(new Permission(AppPermission.class.getName(), "FLOWRULE_WRITE"));
store.setPermissions(app.id(), permissions);
assertEquals("incorrect app perms", 1, store.getPermissions(app.id()).size());
assertEquals("incorrect app state", INSTALLED, store.getState(app.id()));
......
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2015 Open Networking Laboratory
~
......@@ -21,8 +20,10 @@
<security>
<role>ADMIN</role>
<permissions>
<permission>FLOWRULE_WRITE</permission>
<permission>FLOWRULE_READ</permission>
<app-perm>FLOWRULE_WRITE</app-perm>
<app-perm>FLOWRULE_READ</app-perm>
</permissions>
</security>
</app>
......
......@@ -33,7 +33,8 @@ import org.onosproject.app.ApplicationStoreDelegate;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.onosproject.security.SecurityUtil;
import org.slf4j.Logger;
import java.io.InputStream;
......@@ -41,6 +42,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.app.ApplicationEvent.Type.*;
import static org.onosproject.security.AppPermission.Type.*;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -87,34 +89,34 @@ public class ApplicationManager
@Override
public Set<Application> getApplications() {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return store.getApplications();
}
@Override
public ApplicationId getId(String name) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
checkNotNull(name, "Name cannot be null");
return store.getId(name);
}
@Override
public Application getApplication(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getApplication(appId);
}
@Override
public ApplicationState getState(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getState(appId);
}
@Override
public Set<Permission> getPermissions(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getPermissions(appId);
}
......@@ -122,7 +124,9 @@ public class ApplicationManager
@Override
public Application install(InputStream appDescStream) {
checkNotNull(appDescStream, "Application archive stream cannot be null");
return store.create(appDescStream);
Application app = store.create(appDescStream);
SecurityUtil.register(app.id());
return app;
}
@Override
......@@ -138,6 +142,9 @@ public class ApplicationManager
@Override
public void activate(ApplicationId appId) {
checkNotNull(appId, APP_ID_NULL);
if (!SecurityUtil.isAppSecured(appId)) {
return;
}
store.activate(appId);
}
......
......@@ -31,7 +31,6 @@ import org.onosproject.cfg.ComponentConfigService;
import org.onosproject.cfg.ComponentConfigStore;
import org.onosproject.cfg.ComponentConfigStoreDelegate;
import org.onosproject.cfg.ConfigProperty;
import org.onosproject.core.Permission;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
......@@ -50,6 +49,7 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -99,14 +99,14 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public Set<String> getComponentNames() {
checkPermission(Permission.CONFIG_READ);
checkPermission(CONFIG_READ);
return ImmutableSet.copyOf(properties.keySet());
}
@Override
public void registerProperties(Class<?> componentClass) {
checkPermission(Permission.CONFIG_WRITE);
checkPermission(CONFIG_WRITE);
String componentName = componentClass.getName();
String resourceName = componentClass.getSimpleName() + RESOURCE_EXT;
......@@ -130,7 +130,7 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public void unregisterProperties(Class<?> componentClass, boolean clear) {
checkPermission(Permission.CONFIG_WRITE);
checkPermission(CONFIG_WRITE);
String componentName = componentClass.getName();
checkNotNull(componentName, COMPONENT_NULL);
......@@ -148,7 +148,7 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public Set<ConfigProperty> getProperties(String componentName) {
checkPermission(Permission.CONFIG_READ);
checkPermission(CONFIG_READ);
Map<String, ConfigProperty> map = properties.get(componentName);
return map != null ? ImmutableSet.copyOf(map.values()) : null;
......@@ -156,7 +156,7 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public void setProperty(String componentName, String name, String value) {
checkPermission(Permission.CONFIG_WRITE);
checkPermission(CONFIG_WRITE);
checkNotNull(componentName, COMPONENT_NULL);
checkNotNull(name, PROPERTY_NULL);
......@@ -165,7 +165,7 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public void unsetProperty(String componentName, String name) {
checkPermission(Permission.CONFIG_WRITE);
checkPermission(CONFIG_WRITE);
checkNotNull(componentName, COMPONENT_NULL);
checkNotNull(name, PROPERTY_NULL);
......
......@@ -34,7 +34,6 @@ import org.onosproject.cluster.ClusterStoreDelegate;
import org.onosproject.cluster.ControllerNode;
import org.onosproject.cluster.NodeId;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.Permission;
import org.slf4j.Logger;
import java.util.Set;
......@@ -43,6 +42,8 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -86,26 +87,26 @@ public class ClusterManager
@Override
public ControllerNode getLocalNode() {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
return store.getLocalNode();
}
@Override
public Set<ControllerNode> getNodes() {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
return store.getNodes();
}
@Override
public ControllerNode getNode(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(nodeId, INSTANCE_ID_NULL);
return store.getNode(nodeId);
}
@Override
public ControllerNode.State getState(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(nodeId, INSTANCE_ID_NULL);
return store.getState(nodeId);
}
......@@ -113,7 +114,7 @@ public class ClusterManager
@Override
public DateTime getLastUpdated(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
return store.getLastUpdated(nodeId);
}
......
......@@ -32,7 +32,6 @@ import org.onosproject.cluster.NodeId;
import org.onosproject.cluster.RoleInfo;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.MetricsHelper;
import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipAdminService;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
......@@ -62,6 +61,8 @@ import static org.onosproject.cluster.ControllerNode.State.ACTIVE;
import static org.onosproject.net.MastershipRole.MASTER;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
@Component(immediate = true)
......@@ -136,7 +137,7 @@ public class MastershipManager
@Override
public MastershipRole getLocalRole(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getRole(clusterService.getLocalNode().id(), deviceId);
......@@ -144,7 +145,7 @@ public class MastershipManager
@Override
public CompletableFuture<Void> relinquishMastership(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_WRITE);
checkPermission(CLUSTER_WRITE);
return store.relinquishRole(localNodeId, deviceId)
.thenAccept(this::post)
.thenApply(v -> null);
......@@ -152,7 +153,7 @@ public class MastershipManager
@Override
public CompletableFuture<MastershipRole> requestRoleFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_WRITE);
checkPermission(CLUSTER_WRITE);
checkNotNull(deviceId, DEVICE_ID_NULL);
final Context timer = startTimer(requestRoleTimer);
......@@ -162,7 +163,7 @@ public class MastershipManager
@Override
public NodeId getMasterFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getMaster(deviceId);
......@@ -170,7 +171,7 @@ public class MastershipManager
@Override
public Set<DeviceId> getDevicesOf(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(nodeId, NODE_ID_NULL);
return store.getDevices(nodeId);
......@@ -178,7 +179,7 @@ public class MastershipManager
@Override
public RoleInfo getNodesFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getNodes(deviceId);
......
......@@ -31,7 +31,6 @@ import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdBlockStore;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.event.EventDeliveryService;
import org.osgi.service.component.ComponentContext;
......@@ -46,6 +45,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Strings.isNullOrEmpty;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -100,28 +101,28 @@ public class CoreManager implements CoreService {
@Override
public Version version() {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return version;
}
@Override
public Set<ApplicationId> getAppIds() {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return applicationIdStore.getAppIds();
}
@Override
public ApplicationId getAppId(Short id) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return applicationIdStore.getAppId(id);
}
@Override
public ApplicationId getAppId(String name) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return applicationIdStore.getAppId(name);
}
......
......@@ -27,7 +27,6 @@ import org.apache.felix.scr.annotations.Service;
import org.onosproject.cluster.ClusterService;
import org.onosproject.cluster.NodeId;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
......@@ -77,6 +76,7 @@ import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.net.MastershipRole.*;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -151,60 +151,60 @@ public class DeviceManager
@Override
public int getDeviceCount() {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
return store.getDeviceCount();
}
@Override
public Iterable<Device> getDevices() {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
return store.getDevices();
}
@Override
public Iterable<Device> getAvailableDevices() {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
return store.getAvailableDevices();
}
@Override
public Device getDevice(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDevice(deviceId);
}
@Override
public MastershipRole getRole(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return mastershipService.getLocalRole(deviceId);
}
@Override
public List<Port> getPorts(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPorts(deviceId);
}
@Override
public List<PortStatistics> getPortStatistics(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPortStatistics(deviceId);
}
@Override
public List<PortStatistics> getPortDeltaStatistics(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPortDeltaStatistics(deviceId);
}
@Override
public Port getPort(DeviceId deviceId, PortNumber portNumber) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
checkNotNull(portNumber, PORT_NUMBER_NULL);
return store.getPort(deviceId, portNumber);
......@@ -212,7 +212,7 @@ public class DeviceManager
@Override
public boolean isAvailable(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.isAvailable(deviceId);
......@@ -664,7 +664,7 @@ public class DeviceManager
@Override
public Iterable<Device> getDevices(Type type) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
Set<Device> results = new HashSet<>();
Iterable<Device> devices = store.getDevices();
if (devices != null) {
......@@ -679,7 +679,7 @@ public class DeviceManager
@Override
public Iterable<Device> getAvailableDevices(Type type) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
Set<Device> results = new HashSet<>();
Iterable<Device> availableDevices = store.getAvailableDevices();
if (availableDevices != null) {
......
......@@ -24,7 +24,6 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceService;
......@@ -47,6 +46,8 @@ import java.util.stream.Collectors;
import static org.onlab.util.Tools.nullIsNotFound;
import static org.onosproject.net.AnnotationKeys.DRIVER;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -108,7 +109,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Set<Driver> getDrivers() {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
ImmutableSet.Builder<Driver> builder = ImmutableSet.builder();
drivers.values().forEach(builder::add);
......@@ -117,7 +118,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Set<Driver> getDrivers(Class<? extends Behaviour> withBehaviour) {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
return drivers.values().stream()
.filter(d -> d.hasBehaviour(withBehaviour))
......@@ -126,14 +127,14 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Driver getDriver(String driverName) {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
return nullIsNotFound(drivers.get(driverName), NO_DRIVER);
}
@Override
public Driver getDriver(String mfr, String hw, String sw) {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
// First attempt a literal search.
Driver driver = driverByKey.get(key(mfr, hw, sw));
......@@ -160,7 +161,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Driver getDriver(DeviceId deviceId) {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
Device device = nullIsNotFound(deviceService.getDevice(deviceId), NO_DEVICE);
String driverName = device.annotations().value(DRIVER);
......@@ -174,7 +175,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public DriverHandler createHandler(DeviceId deviceId, String... credentials) {
checkPermission(Permission.DRIVER_WRITE);
checkPermission(DRIVER_WRITE);
Driver driver = getDriver(deviceId);
return new DefaultDriverHandler(new DefaultDriverData(driver, deviceId));
......
......@@ -36,7 +36,6 @@ import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceService;
......@@ -79,6 +78,8 @@ import static org.onosproject.net.flow.FlowRuleEvent.Type.RULE_ADD_REQUESTED;
import static org.onosproject.net.flow.FlowRuleEvent.Type.RULE_REMOVE_REQUESTED;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -165,19 +166,19 @@ public class FlowRuleManager
@Override
public int getFlowRuleCount() {
checkPermission(Permission.FLOWRULE_READ);
checkPermission(FLOWRULE_READ);
return store.getFlowRuleCount();
}
@Override
public Iterable<FlowEntry> getFlowEntries(DeviceId deviceId) {
checkPermission(Permission.FLOWRULE_READ);
checkPermission(FLOWRULE_READ);
return store.getFlowEntries(deviceId);
}
@Override
public void applyFlowRules(FlowRule... flowRules) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
for (int i = 0; i < flowRules.length; i++) {
......@@ -188,7 +189,7 @@ public class FlowRuleManager
@Override
public void removeFlowRules(FlowRule... flowRules) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
for (int i = 0; i < flowRules.length; i++) {
......@@ -199,13 +200,13 @@ public class FlowRuleManager
@Override
public void removeFlowRulesById(ApplicationId id) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
removeFlowRules(Iterables.toArray(getFlowRulesById(id), FlowRule.class));
}
@Override
public Iterable<FlowRule> getFlowRulesById(ApplicationId id) {
checkPermission(Permission.FLOWRULE_READ);
checkPermission(FLOWRULE_READ);
Set<FlowRule> flowEntries = Sets.newHashSet();
for (Device d : deviceService.getDevices()) {
......@@ -220,7 +221,7 @@ public class FlowRuleManager
@Override
public Iterable<FlowRule> getFlowRulesByGroupId(ApplicationId appId, short groupId) {
checkPermission(Permission.FLOWRULE_READ);
checkPermission(FLOWRULE_READ);
Set<FlowRule> matches = Sets.newHashSet();
long toLookUp = ((long) appId.id() << 16) | groupId;
......@@ -236,7 +237,7 @@ public class FlowRuleManager
@Override
public void apply(FlowRuleOperations ops) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
operationsService.submit(new FlowOperationsProcessor(ops));
}
......
......@@ -27,7 +27,6 @@ import org.onlab.osgi.DefaultServiceDirectory;
import org.onlab.osgi.ServiceDirectory;
import org.onlab.util.ItemNotFoundException;
import org.onosproject.cluster.ClusterService;
import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
import org.onosproject.mastership.MastershipService;
......@@ -62,6 +61,8 @@ import static com.google.common.base.Preconditions.checkNotNull;
import static java.util.concurrent.Executors.newFixedThreadPool;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -193,13 +194,13 @@ public class FlowObjectiveManager implements FlowObjectiveService {
@Override
public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
executorService.submit(new ObjectiveInstaller(deviceId, filteringObjective));
}
@Override
public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
if (queueObjective(deviceId, forwardingObjective)) {
return;
}
......@@ -208,13 +209,13 @@ public class FlowObjectiveManager implements FlowObjectiveService {
@Override
public void next(DeviceId deviceId, NextObjective nextObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
executorService.submit(new ObjectiveInstaller(deviceId, nextObjective));
}
@Override
public int allocateNextId() {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
return flowObjectiveStore.allocateNextId();
}
......
......@@ -27,7 +27,6 @@ import org.onlab.osgi.DefaultServiceDirectory;
import org.onlab.osgi.ServiceDirectory;
import org.onlab.util.ItemNotFoundException;
import org.onosproject.cluster.ClusterService;
import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
import org.onosproject.mastership.MastershipService;
......@@ -65,6 +64,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
import static java.util.concurrent.Executors.newFixedThreadPool;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -217,7 +217,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
@Override
public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
List<FilteringObjective> filteringObjectives
= this.deviceCompositionTreeMap.get(deviceId).updateFilter(filteringObjective);
......@@ -228,7 +228,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
@Override
public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
if (queueObjective(deviceId, forwardingObjective)) {
return;
......@@ -242,7 +242,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
@Override
public void next(DeviceId deviceId, NextObjective nextObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
List<NextObjective> nextObjectives = this.deviceCompositionTreeMap.get(deviceId).updateNext(nextObjective);
for (NextObjective tmp : nextObjectives) {
......@@ -252,7 +252,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
@Override
public int allocateNextId() {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
return flowObjectiveStore.allocateNextId();
}
......
......@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceEvent;
import org.onosproject.net.device.DeviceListener;
......@@ -51,6 +50,8 @@ import java.util.Collections;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -96,7 +97,7 @@ public class GroupManager
*/
@Override
public void addGroup(GroupDescription groupDesc) {
checkPermission(Permission.GROUP_WRITE);
checkPermission(GROUP_WRITE);
store.storeGroupDescription(groupDesc);
}
......@@ -115,7 +116,7 @@ public class GroupManager
*/
@Override
public Group getGroup(DeviceId deviceId, GroupKey appCookie) {
checkPermission(Permission.GROUP_READ);
checkPermission(GROUP_READ);
return store.getGroup(deviceId, appCookie);
}
......@@ -137,7 +138,7 @@ public class GroupManager
GroupBuckets buckets,
GroupKey newCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
checkPermission(GROUP_WRITE);
store.updateGroupDescription(deviceId,
oldCookie,
UpdateType.ADD,
......@@ -163,7 +164,7 @@ public class GroupManager
GroupBuckets buckets,
GroupKey newCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
checkPermission(GROUP_WRITE);
store.updateGroupDescription(deviceId,
oldCookie,
UpdateType.REMOVE,
......@@ -185,7 +186,7 @@ public class GroupManager
public void removeGroup(DeviceId deviceId,
GroupKey appCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
checkPermission(GROUP_WRITE);
store.deleteGroupDescription(deviceId, appCookie);
}
......@@ -200,13 +201,13 @@ public class GroupManager
@Override
public Iterable<Group> getGroups(DeviceId deviceId,
ApplicationId appId) {
checkPermission(Permission.GROUP_READ);
checkPermission(GROUP_READ);
return store.getGroups(deviceId);
}
@Override
public Iterable<Group> getGroups(DeviceId deviceId) {
checkPermission(Permission.GROUP_READ);
checkPermission(GROUP_READ);
return store.getGroups(deviceId);
}
......
......@@ -26,7 +26,6 @@ import org.onlab.packet.MacAddress;
import org.onlab.packet.VlanId;
import org.onosproject.incubator.net.intf.InterfaceService;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
......@@ -57,6 +56,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
* Provides basic implementation of the host SB &amp; NB APIs.
......@@ -118,66 +118,66 @@ public class HostManager
@Override
public int getHostCount() {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getHostCount();
}
@Override
public Iterable<Host> getHosts() {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getHosts();
}
@Override
public Host getHost(HostId hostId) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(hostId, HOST_ID_NULL);
return store.getHost(hostId);
}
@Override
public Set<Host> getHostsByVlan(VlanId vlanId) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getHosts(vlanId);
}
@Override
public Set<Host> getHostsByMac(MacAddress mac) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(mac, "MAC address cannot be null");
return store.getHosts(mac);
}
@Override
public Set<Host> getHostsByIp(IpAddress ip) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(ip, "IP address cannot be null");
return store.getHosts(ip);
}
@Override
public Set<Host> getConnectedHosts(ConnectPoint connectPoint) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(connectPoint, "Connection point cannot be null");
return store.getConnectedHosts(connectPoint);
}
@Override
public Set<Host> getConnectedHosts(DeviceId deviceId) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(deviceId, "Device ID cannot be null");
return store.getConnectedHosts(deviceId);
}
@Override
public void startMonitoringIp(IpAddress ip) {
checkPermission(Permission.HOST_EVENT);
checkPermission(HOST_EVENT);
monitor.addMonitoringFor(ip);
}
@Override
public void stopMonitoringIp(IpAddress ip) {
checkPermission(Permission.HOST_EVENT);
checkPermission(HOST_EVENT);
monitor.stopMonitoring(ip);
}
......@@ -212,13 +212,13 @@ public class HostManager
@Override
public Set<PortAddresses> getAddressBindings() {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getAddressBindings();
}
@Override
public Set<PortAddresses> getAddressBindingsForPort(ConnectPoint connectPoint) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getAddressBindingsForPort(connectPoint);
}
......
......@@ -25,7 +25,6 @@ import org.apache.felix.scr.annotations.Service;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.net.flow.FlowRule;
import org.onosproject.net.flow.FlowRuleOperations;
import org.onosproject.net.flow.FlowRuleOperationsContext;
......@@ -67,6 +66,8 @@ import static org.onosproject.net.intent.constraint.PartialFailureConstraint.int
import static org.onosproject.net.intent.impl.phase.IntentProcessPhase.newInitialPhase;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
* An implementation of intent service.
......@@ -138,7 +139,7 @@ public class IntentManager
@Override
public void submit(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.INSTALL_REQ, null);
store.addPending(data);
......@@ -146,7 +147,7 @@ public class IntentManager
@Override
public void withdraw(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.WITHDRAW_REQ, null);
store.addPending(data);
......@@ -154,7 +155,7 @@ public class IntentManager
@Override
public void purge(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.PURGE_REQ, null);
store.addPending(data);
......@@ -162,45 +163,45 @@ public class IntentManager
@Override
public Intent getIntent(Key key) {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getIntent(key);
}
@Override
public Iterable<Intent> getIntents() {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getIntents();
}
@Override
public Iterable<IntentData> getIntentData() {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getIntentData(false, 0);
}
@Override
public long getIntentCount() {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getIntentCount();
}
@Override
public IntentState getIntentState(Key intentKey) {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
checkNotNull(intentKey, INTENT_ID_NULL);
return store.getIntentState(intentKey);
}
@Override
public List<Intent> getInstallableIntents(Key intentKey) {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
checkNotNull(intentKey, INTENT_ID_NULL);
return store.getInstallableIntents(intentKey);
}
@Override
public boolean isLocal(Key intentKey) {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.isMaster(intentKey);
}
......@@ -221,7 +222,7 @@ public class IntentManager
@Override
public Iterable<Intent> getPending() {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getPending();
}
......
......@@ -25,7 +25,6 @@ import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
......@@ -59,6 +58,7 @@ import static com.google.common.base.Preconditions.checkState;
import static org.onosproject.net.LinkKey.linkKey;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -111,19 +111,19 @@ public class LinkManager
@Override
public int getLinkCount() {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getLinkCount();
}
@Override
public Iterable<Link> getLinks() {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getLinks();
}
@Override
public Iterable<Link> getActiveLinks() {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return FluentIterable.from(getLinks())
.filter(new Predicate<Link>() {
......@@ -136,7 +136,7 @@ public class LinkManager
@Override
public Set<Link> getDeviceLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return Sets.union(store.getDeviceEgressLinks(deviceId),
store.getDeviceIngressLinks(deviceId));
......@@ -144,21 +144,21 @@ public class LinkManager
@Override
public Set<Link> getDeviceEgressLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDeviceEgressLinks(deviceId);
}
@Override
public Set<Link> getDeviceIngressLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDeviceIngressLinks(deviceId);
}
@Override
public Set<Link> getLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return Sets.union(store.getEgressLinks(connectPoint),
store.getIngressLinks(connectPoint));
......@@ -166,21 +166,21 @@ public class LinkManager
@Override
public Set<Link> getEgressLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return store.getEgressLinks(connectPoint);
}
@Override
public Set<Link> getIngressLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return store.getIngressLinks(connectPoint);
}
@Override
public Link getLink(ConnectPoint src, ConnectPoint dst) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(src, CONNECT_POINT_NULL);
checkNotNull(dst, CONNECT_POINT_NULL);
return store.getLink(src, dst);
......
......@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.CoreService;
import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.device.DeviceEvent;
import org.onosproject.net.device.DeviceListener;
......@@ -63,7 +62,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
* Provides a basic implementation of the packet SB &amp; NB APIs.
......@@ -126,14 +125,14 @@ public class PacketManager
@Override
public void addProcessor(PacketProcessor processor, int priority) {
checkPermission(Permission.PACKET_EVENT);
checkPermission(PACKET_EVENT);
checkNotNull(processor, "Processor cannot be null");
processors.put(priority, processor);
}
@Override
public void removeProcessor(PacketProcessor processor) {
checkPermission(Permission.PACKET_EVENT);
checkPermission(PACKET_EVENT);
checkNotNull(processor, "Processor cannot be null");
processors.values().remove(processor);
}
......@@ -141,7 +140,7 @@ public class PacketManager
@Override
public void requestPackets(TrafficSelector selector, PacketPriority priority,
ApplicationId appId) {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
checkNotNull(selector, "Selector cannot be null");
checkNotNull(appId, "Application ID cannot be null");
......@@ -154,7 +153,7 @@ public class PacketManager
@Override
public void cancelPackets(TrafficSelector selector, PacketPriority priority,
ApplicationId appId) {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
checkNotNull(selector, "Selector cannot be null");
checkNotNull(appId, "Application ID cannot be null");
......@@ -246,7 +245,7 @@ public class PacketManager
@Override
public void emit(OutboundPacket packet) {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
checkNotNull(packet, "Packet cannot be null");
store.emit(packet);
}
......
......@@ -33,7 +33,6 @@ import org.onlab.packet.VlanId;
import org.onlab.packet.ndp.NeighborAdvertisement;
import org.onlab.packet.ndp.NeighborDiscoveryOptions;
import org.onlab.packet.ndp.NeighborSolicitation;
import org.onosproject.core.Permission;
import org.onosproject.incubator.net.intf.Interface;
import org.onosproject.incubator.net.intf.InterfaceService;
import org.onosproject.net.ConnectPoint;
......@@ -61,6 +60,7 @@ import static org.onlab.packet.VlanId.vlanId;
import static org.onosproject.net.HostId.hostId;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
@Component(immediate = true)
......@@ -110,7 +110,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public boolean isKnown(IpAddress addr) {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
checkNotNull(addr, MAC_ADDR_NULL);
Set<Host> hosts = hostService.getHostsByIp(addr);
return !hosts.isEmpty();
......@@ -118,7 +119,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public void reply(Ethernet eth, ConnectPoint inPort) {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
checkNotNull(eth, REQUEST_NULL);
if (eth.getEtherType() == Ethernet.TYPE_ARP) {
......@@ -316,7 +318,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public void forward(Ethernet eth, ConnectPoint inPort) {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
checkNotNull(eth, REQUEST_NULL);
Host h = hostService.getHost(hostId(eth.getDestinationMAC(),
......@@ -333,7 +336,7 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public boolean handlePacket(PacketContext context) {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
InboundPacket pkt = context.inPacket();
Ethernet ethPkt = pkt.parsed();
......
......@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.Permission;
import org.onosproject.net.Link;
import org.onosproject.net.intent.IntentId;
import org.onosproject.net.resource.ResourceAllocation;
......@@ -58,6 +57,7 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -150,7 +150,7 @@ public class LinkResourceManager
@Override
public LinkResourceAllocations requestResources(LinkResourceRequest req) {
checkPermission(Permission.LINK_WRITE);
checkPermission(LINK_WRITE);
// TODO Concatenate multiple bandwidth requests.
// TODO Support multiple lambda resource requests.
......@@ -213,7 +213,7 @@ public class LinkResourceManager
@Override
public void releaseResources(LinkResourceAllocations allocations) {
checkPermission(Permission.LINK_WRITE);
checkPermission(LINK_WRITE);
final LinkResourceEvent event = store.releaseResources(allocations);
if (event != null) {
post(event);
......@@ -223,32 +223,32 @@ public class LinkResourceManager
@Override
public LinkResourceAllocations updateResources(LinkResourceRequest req,
LinkResourceAllocations oldAllocations) {
checkPermission(Permission.LINK_WRITE);
checkPermission(LINK_WRITE);
releaseResources(oldAllocations);
return requestResources(req);
}
@Override
public Iterable<LinkResourceAllocations> getAllocations() {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getAllocations();
}
@Override
public Iterable<LinkResourceAllocations> getAllocations(Link link) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getAllocations(link);
}
@Override
public LinkResourceAllocations getAllocations(IntentId intentId) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getAllocations(intentId);
}
@Override
public Iterable<ResourceRequest> getAvailableResources(Link link) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
Set<ResourceAllocation> freeRes = store.getFreeResources(link);
Set<ResourceRequest> result = new HashSet<>();
......@@ -274,7 +274,7 @@ public class LinkResourceManager
@Override
public Iterable<ResourceRequest> getAvailableResources(Link link,
LinkResourceAllocations allocations) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
Set<ResourceAllocation> allocatedRes = allocations.getResourceAllocation(link);
Set<ResourceRequest> result = Sets.newHashSet(getAvailableResources(link));
......
......@@ -27,7 +27,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.GroupId;
import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.Link;
import org.onosproject.net.Path;
......@@ -51,6 +50,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -86,14 +86,14 @@ public class StatisticManager implements StatisticService {
@Override
public Load load(Link link) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
return load(link.src());
}
@Override
public Load load(Link link, ApplicationId appId, Optional<GroupId> groupId) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
Statistics stats = getStatistics(link.src());
if (!stats.isValid()) {
......@@ -114,14 +114,14 @@ public class StatisticManager implements StatisticService {
@Override
public Load load(ConnectPoint connectPoint) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
return loadInternal(connectPoint);
}
@Override
public Link max(Path path) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
if (path.links().isEmpty()) {
return null;
......@@ -140,7 +140,7 @@ public class StatisticManager implements StatisticService {
@Override
public Link min(Path path) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
if (path.links().isEmpty()) {
return null;
......@@ -159,7 +159,7 @@ public class StatisticManager implements StatisticService {
@Override
public FlowRule highestHitter(ConnectPoint connectPoint) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
Set<FlowEntry> hitters = statisticStore.getCurrentStatistic(connectPoint);
if (hitters.isEmpty()) {
......
......@@ -24,7 +24,6 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.DefaultEdgeLink;
import org.onosproject.net.DefaultPath;
......@@ -51,6 +50,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -88,14 +88,14 @@ public class PathManager implements PathService {
@Override
public Set<Path> getPaths(ElementId src, ElementId dst) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
return getPaths(src, dst, null);
}
@Override
public Set<Path> getPaths(ElementId src, ElementId dst, LinkWeight weight) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(src, ELEMENT_ID_NULL);
checkNotNull(dst, ELEMENT_ID_NULL);
......
......@@ -22,7 +22,6 @@ import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.Permission;
import org.onosproject.event.Event;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.DeviceId;
......@@ -51,6 +50,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
* Provides basic implementation of the topology SB &amp; NB APIs.
......@@ -91,27 +92,27 @@ public class TopologyManager
@Override
public Topology currentTopology() {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
return store.currentTopology();
}
@Override
public boolean isLatest(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.isLatest(topology);
}
@Override
public Set<TopologyCluster> getClusters(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.getClusters(topology);
}
@Override
public TopologyCluster getCluster(Topology topology, ClusterId clusterId) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_ID_NULL);
return store.getCluster(topology, clusterId);
......@@ -119,7 +120,7 @@ public class TopologyManager
@Override
public Set<DeviceId> getClusterDevices(Topology topology, TopologyCluster cluster) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_NULL);
return store.getClusterDevices(topology, cluster);
......@@ -127,7 +128,7 @@ public class TopologyManager
@Override
public Set<Link> getClusterLinks(Topology topology, TopologyCluster cluster) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_NULL);
return store.getClusterLinks(topology, cluster);
......@@ -135,14 +136,14 @@ public class TopologyManager
@Override
public TopologyGraph getGraph(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.getGraph(topology);
}
@Override
public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(src, DEVICE_ID_NULL);
checkNotNull(dst, DEVICE_ID_NULL);
......@@ -151,7 +152,7 @@ public class TopologyManager
@Override
public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst, LinkWeight weight) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(src, DEVICE_ID_NULL);
......@@ -162,7 +163,7 @@ public class TopologyManager
@Override
public boolean isInfrastructure(Topology topology, ConnectPoint connectPoint) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(connectPoint, CONNECTION_POINT_NULL);
return store.isInfrastructure(topology, connectPoint);
......@@ -170,7 +171,7 @@ public class TopologyManager
@Override
public boolean isBroadcastPoint(Topology topology, ConnectPoint connectPoint) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(connectPoint, CONNECTION_POINT_NULL);
return store.isBroadcastPoint(topology, connectPoint);
......
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2015 Open Networking Laboratory
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<artifactId>onos-security</artifactId>
<groupId>org.onosproject</groupId>
<version>1.3.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
<packaging>bundle</packaging>
<artifactId>onos-security-impl</artifactId>
<description>Security-mode ONOS components</description>
<dependencies>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.core</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-api</artifactId>
</dependency>
<dependency>
<groupId>org.apache.karaf.features</groupId>
<artifactId>org.apache.karaf.features.core</artifactId>
</dependency>
</dependencies>
</project>
\ No newline at end of file
package org.onosproject.security.impl;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import org.onosproject.core.Permission;
import org.onosproject.security.AppPermission;
import org.osgi.service.permissionadmin.PermissionInfo;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.app.ApplicationService;
import org.onosproject.cfg.ComponentConfigService;
import org.onosproject.cluster.ClusterAdminService;
import org.onosproject.cluster.ClusterService;
import org.onosproject.core.CoreService;
import org.onosproject.cluster.LeadershipService;
import org.onosproject.mastership.MastershipAdminService;
import org.onosproject.mastership.MastershipService;
import org.onosproject.net.device.DeviceAdminService;
import org.onosproject.net.device.DeviceService;
import org.onosproject.net.device.DeviceClockService;
import org.onosproject.net.driver.DriverAdminService;
import org.onosproject.net.driver.DriverService;
import org.onosproject.net.flow.FlowRuleService;
import org.onosproject.net.flowobjective.FlowObjectiveService;
import org.onosproject.net.group.GroupService;
import org.onosproject.net.host.HostAdminService;
import org.onosproject.net.host.HostService;
import org.onosproject.net.intent.IntentService;
import org.onosproject.net.intent.IntentExtensionService;
import org.onosproject.net.intent.IntentClockService;
import org.onosproject.net.intent.PartitionService;
import org.onosproject.net.link.LinkAdminService;
import org.onosproject.net.link.LinkService;
import org.onosproject.net.packet.PacketService;
import org.onosproject.net.proxyarp.ProxyArpService;
import org.onosproject.net.resource.link.LinkResourceService;
import org.onosproject.net.statistic.StatisticService;
import org.onosproject.net.topology.PathService;
import org.onosproject.net.topology.TopologyService;
import org.onosproject.store.service.StorageAdminService;
import org.onosproject.store.service.StorageService;
import org.osgi.framework.ServicePermission;
import org.osgi.framework.PackagePermission;
import org.osgi.framework.AdaptPermission;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
public final class PolicyBuilder {
private PolicyBuilder(){
}
public static PermissionInfo[] getApplicationPermissions(Map<Permission, Set<String>> serviceDirectory,
Set<Permission> permissions) {
Set<PermissionInfo> permSet = Sets.newHashSet();
Collections.addAll(permSet, getDefaultPerms());
for (Permission perm : permissions) {
permSet.add(new PermissionInfo(AppPermission.class.getName(), perm.name(), ""));
permSet.addAll(serviceDirectory.get(perm).stream().map(service -> new PermissionInfo(
ServicePermission.class.getName(), service, ServicePermission.GET)).collect(Collectors.toList()));
}
PermissionInfo[] permissionInfos = new PermissionInfo[permSet.size()];
return permSet.toArray(permissionInfos);
}
public static PermissionInfo[] getAdminApplicationPermissions(Map<Permission, Set<String>> serviceDirectory) {
Set<PermissionInfo> permSet = Sets.newHashSet();
Collections.addAll(permSet, getDefaultPerms());
Collections.addAll(permSet, getAdminDefaultPerms());
permSet.addAll(serviceDirectory.keySet().stream().map(perm ->
new PermissionInfo(AppPermission.class.getName(), perm.name(), "")).collect(Collectors.toList()));
PermissionInfo[] permissionInfos = new PermissionInfo[permSet.size()];
return permSet.toArray(permissionInfos);
}
public static PermissionInfo[] getDefaultPerms() {
return new PermissionInfo[]{
new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.EXPORTONLY),
new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.IMPORT),
new PermissionInfo(AdaptPermission.class.getName(), "*", AdaptPermission.ADAPT),
};
}
public static PermissionInfo[] getAdminDefaultPerms() {
return new PermissionInfo[]{
new PermissionInfo(ServicePermission.class.getName(),
ApplicationAdminService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
ClusterAdminService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
MastershipAdminService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
DeviceAdminService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
HostAdminService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
LinkAdminService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
DriverAdminService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
StorageAdminService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// LabelResourceAdminService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// TunnelAdminService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
ApplicationService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
ComponentConfigService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
CoreService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
ClusterService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
LeadershipService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
MastershipService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
DeviceService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
DeviceClockService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
DriverService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
FlowRuleService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
FlowObjectiveService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
GroupService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
HostService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
IntentService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
IntentClockService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
IntentExtensionService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
PartitionService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
LinkService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
LinkResourceService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// LabelResourceService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
PacketService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
ProxyArpService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
StatisticService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
PathService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
TopologyService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// TunnelService.class.getName(), ServicePermission.GET),
new PermissionInfo(ServicePermission.class.getName(),
StorageService.class.getName(), ServicePermission.GET),
};
}
public static Map<Permission, Set<String>> getServiceDirectory() {
Map<Permission, Set<String>> serviceDirectory = new ConcurrentHashMap<>();
serviceDirectory.put(Permission.APP_READ, ImmutableSet.of(
ApplicationService.class.getName(), CoreService.class.getName()));
serviceDirectory.put(Permission.APP_EVENT, ImmutableSet.of(
ApplicationService.class.getName(), CoreService.class.getName()));
serviceDirectory.put(Permission.CONFIG_READ, ImmutableSet.of(
ComponentConfigService.class.getName()));
serviceDirectory.put(Permission.CONFIG_WRITE, ImmutableSet.of(
ComponentConfigService.class.getName()));
serviceDirectory.put(Permission.CLUSTER_READ, ImmutableSet.of(
ClusterService.class.getName(), LeadershipService.class.getName(),
MastershipService.class.getName()));
serviceDirectory.put(Permission.CLUSTER_WRITE, ImmutableSet.of(
LeadershipService.class.getName(), MastershipService.class.getName()));
serviceDirectory.put(Permission.CLUSTER_EVENT, ImmutableSet.of(
ClusterService.class.getName(), LeadershipService.class.getName(),
MastershipService.class.getName()));
serviceDirectory.put(Permission.DEVICE_READ, ImmutableSet.of(
DeviceService.class.getName(), DeviceClockService.class.getName()));
serviceDirectory.put(Permission.DEVICE_EVENT, ImmutableSet.of(
DeviceService.class.getName()));
serviceDirectory.put(Permission.DRIVER_READ, ImmutableSet.of(
DriverService.class.getName()));
serviceDirectory.put(Permission.DRIVER_WRITE, ImmutableSet.of(
DriverService.class.getName()));
serviceDirectory.put(Permission.FLOWRULE_READ, ImmutableSet.of(
FlowRuleService.class.getName()));
serviceDirectory.put(Permission.FLOWRULE_WRITE, ImmutableSet.of(
FlowRuleService.class.getName(), FlowObjectiveService.class.getName()));
serviceDirectory.put(Permission.FLOWRULE_EVENT, ImmutableSet.of(
FlowRuleService.class.getName()));
serviceDirectory.put(Permission.GROUP_READ, ImmutableSet.of(
GroupService.class.getName()));
serviceDirectory.put(Permission.GROUP_WRITE, ImmutableSet.of(
GroupService.class.getName()));
serviceDirectory.put(Permission.GROUP_EVENT, ImmutableSet.of(
GroupService.class.getName()));
serviceDirectory.put(Permission.HOST_WRITE, ImmutableSet.of(
HostService.class.getName()));
serviceDirectory.put(Permission.HOST_EVENT, ImmutableSet.of(
HostService.class.getName()));
serviceDirectory.put(Permission.INTENT_READ, ImmutableSet.of(
IntentService.class.getName(), PartitionService.class.getName(),
IntentClockService.class.getName()));
serviceDirectory.put(Permission.INTENT_WRITE, ImmutableSet.of(
IntentService.class.getName()));
serviceDirectory.put(Permission.INTENT_EVENT, ImmutableSet.of(
IntentService.class.getName()));
// serviceDirectory.put(Permission.LINK_READ, ImmutableSet.of(
// LinkService.class.getName(), LinkResourceService.class.getName(),
// LabelResourceService.class.getName()));
// serviceDirectory.put(Permission.LINK_WRITE, ImmutableSet.of(
// LinkResourceService.class.getName(), LabelResourceService.class.getName()));
// serviceDirectory.put(Permission.LINK_EVENT, ImmutableSet.of(
// LinkService.class.getName(), LinkResourceService.class.getName(),
// LabelResourceService.class.getName()));
serviceDirectory.put(Permission.PACKET_READ, ImmutableSet.of(
PacketService.class.getName(), ProxyArpService.class.getName()));
serviceDirectory.put(Permission.PACKET_WRITE, ImmutableSet.of(
PacketService.class.getName(), ProxyArpService.class.getName()));
serviceDirectory.put(Permission.PACKET_EVENT, ImmutableSet.of(
PacketService.class.getName()));
serviceDirectory.put(Permission.STATISTIC_READ, ImmutableSet.of(
StatisticService.class.getName()));
serviceDirectory.put(Permission.TOPOLOGY_READ, ImmutableSet.of(
TopologyService.class.getName(), PathService.class.getName()));
serviceDirectory.put(Permission.TOPOLOGY_EVENT, ImmutableSet.of(
TopologyService.class.getName()));
// serviceDirectory.put(Permission.TUNNEL_READ, ImmutableSet.of(
// TunnelService.class.getName()));
// serviceDirectory.put(Permission.TUNNEL_WRITE, ImmutableSet.of(
// TunnelService.class.getName()));
// serviceDirectory.put(Permission.TUNNEL_EVENT, ImmutableSet.of(
// TunnelService.class.getName()));
serviceDirectory.put(Permission.STORAGE_WRITE, ImmutableSet.of(
StorageService.class.getName()));
return serviceDirectory;
}
}
// public static PermissionInfo[] getNonAdminPerms() {
// return new PermissionInfo[]{
// new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.EXPORTONLY),
// new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.IMPORT),
// new PermissionInfo(AdaptPermission.class.getName(), "*", AdaptPermission.ADAPT),
// new PermissionInfo(ServicePermission.class.getName(),
// ApplicationService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// ComponentConfigService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// CoreService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// ClusterService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// LeadershipService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// MastershipService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// DeviceService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// DeviceClockService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// DriverService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// FlowRuleService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// FlowObjectiveService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// GroupService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// HostService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// HostClockService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// IntentService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// IntentClockService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// IntentExtensionService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// PartitionService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// LinkService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// LinkResourceService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// LabelResourceService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// PacketService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// ProxyArpService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// StatisticService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// PathService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// TopologyService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// TunnelService.class.getName(), ServicePermission.GET),
// new PermissionInfo(ServicePermission.class.getName(),
// StorageService.class.getName(), ServicePermission.GET),
// };
// }
package org.onosproject.security.impl;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.karaf.features.BundleInfo;
import org.apache.karaf.features.Feature;
import org.apache.karaf.features.FeaturesService;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.app.ApplicationEvent;
import org.onosproject.app.ApplicationListener;
import org.onosproject.app.ApplicationState;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.AppPermission;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleEvent;
import org.osgi.framework.BundleListener;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.PackagePermission;
import org.osgi.framework.ServicePermission;
import org.osgi.service.log.LogEntry;
import org.osgi.service.log.LogListener;
import org.osgi.service.log.LogReaderService;
import org.osgi.service.permissionadmin.PermissionInfo;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.slf4j.Logger;
import static org.slf4j.LoggerFactory.getLogger;
/**
* Security-Mode ONOS management implementation.
*/
//TODO : implement a dedicated distributed store for SM-ONOS
@Component(immediate = true)
public class SecurityModeManager {
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected ApplicationAdminService appAdminService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected FeaturesService featuresService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected LogReaderService logReaderService;
private final Logger log = getLogger(getClass());
private SecurityBundleListener securityBundleListener = new SecurityBundleListener();
private SecurityApplicationListener securityApplicationListener = new SecurityApplicationListener();
private SecurityLogListener securityLogListener = new SecurityLogListener();
private Bundle bundle = null;
private BundleContext bundleContext = null;
private PermissionAdmin permissionAdmin = null;
private Map<String, ApplicationId> appTracker = null;
private Map<Permission, Set<String>> serviceDirectory = null;
@Activate
public void activate() {
if (System.getSecurityManager() == null) {
log.warn("J2EE security manager is disabled.");
deactivate();
return;
}
bundle = FrameworkUtil.getBundle(this.getClass());
bundleContext = bundle.getBundleContext();
bundleContext.addBundleListener(securityBundleListener);
appAdminService.addListener(securityApplicationListener);
logReaderService.addLogListener(securityLogListener);
appTracker = new ConcurrentHashMap<>();
permissionAdmin = getPermissionAdmin(bundleContext);
if (permissionAdmin == null) {
log.warn("Permission Admin not found.");
this.deactivate();
return;
}
serviceDirectory = PolicyBuilder.getServiceDirectory();
PermissionInfo[] allPerm = {
new PermissionInfo(AllPermission.class.getName(), "", ""), };
permissionAdmin.setPermissions(bundle.getLocation(), allPerm);
log.warn("Security-Mode Started");
}
@Deactivate
public void deactivate() {
bundleContext.removeBundleListener(securityBundleListener);
appAdminService.removeListener(securityApplicationListener);
logReaderService.removeLogListener(securityLogListener);
log.info("Stopped");
}
private class SecurityApplicationListener implements ApplicationListener {
@Override
public void event(ApplicationEvent event) {
//App needs to be restarted
if (event.type() == ApplicationEvent.Type.APP_PERMISSIONS_CHANGED) {
if (appAdminService.getState(event.subject().id()) == ApplicationState.ACTIVE) {
appAdminService.deactivate(event.subject().id());
print("Permissions updated (%s). Deactivating...",
event.subject().id().name());
}
}
}
}
private class SecurityBundleListener implements BundleListener {
@Override
public void bundleChanged(BundleEvent event) {
switch (event.getType()) {
case BundleEvent.INSTALLED:
setPermissions(event);
break;
case BundleEvent.UNINSTALLED:
clearPermissions(event);
break;
default:
break;
}
}
}
private void clearPermissions(BundleEvent bundleEvent) {
if (appTracker.containsKey(bundleEvent.getBundle().getLocation())) {
permissionAdmin.setPermissions(bundleEvent.getBundle().getLocation(), new PermissionInfo[]{});
appTracker.remove(bundleEvent.getBundle().getLocation());
}
}
// find the location of the installed bundle and enforce policy
private void setPermissions(BundleEvent bundleEvent) {
for (Application app : appAdminService.getApplications()) {
if (getBundleLocations(app).contains(bundleEvent.getBundle().getLocation())) {
String location = bundleEvent.getBundle().getLocation();
Set<org.onosproject.core.Permission> permissions =
appAdminService.getPermissions(app.id());
//Permissions granted by user overrides the permissions specified in App.Xml file
if (permissions == null) {
permissions = app.permissions();
}
if (permissions.isEmpty()) {
print("Application %s has not been granted any permission.", app.id().name());
}
PermissionInfo[] perms = null;
switch (app.role()) {
case ADMIN:
perms = PolicyBuilder.getAdminApplicationPermissions(serviceDirectory);
break;
case REGULAR:
perms = PolicyBuilder.getApplicationPermissions(serviceDirectory, permissions);
break;
case UNSPECIFIED:
default:
//no role has been assigned.
perms = PolicyBuilder.getDefaultPerms();
log.warn("Application %s has no role assigned.", app.id().name());
break;
}
permissionAdmin.setPermissions(location, perms);
appTracker.put(location, app.id());
break;
}
}
}
//TODO: dispatch security policy violation event via distributed store
//immediately notify and deactivate the application upon policy violation
private class SecurityLogListener implements LogListener {
@Override
public void logged(LogEntry entry) {
if (entry != null) {
if (entry.getException() != null) {
ApplicationId applicationId = appTracker.get(entry.getBundle().getLocation());
if (applicationId != null) {
if (appAdminService.getState(applicationId).equals(ApplicationState.ACTIVE)) {
if (entry.getException() instanceof AccessControlException) {
java.security.Permission permission =
((AccessControlException) entry.getException()).getPermission();
handleException(applicationId.name(), permission);
appAdminService.deactivate(applicationId);
}
}
}
}
}
}
}
private void handleException(String name, java.security.Permission perm) {
if (perm instanceof ServicePermission || perm instanceof PackagePermission) {
print("%s has attempted to %s %s.", name, perm.getActions(), perm.getName());
} else if (perm instanceof AppPermission) {
print("%s has attempted to call an NB API that requires %s permission.",
name, perm.getName().toUpperCase());
} else {
print("%s has attempted to perform an action that requires %s", name, perm.toString());
}
print("POLICY VIOLATION: Deactivating %s.", name);
}
private void print(String format, Object... args) {
System.out.println(String.format("SM-ONOS: " + format, args));
log.warn(String.format(format, args));
}
private List<String> getBundleLocations(Application app) {
List<String> locations = new ArrayList();
for (String name : app.features()) {
try {
Feature feature = featuresService.getFeature(name);
locations.addAll(
feature.getBundles().stream().map(BundleInfo::getLocation).collect(Collectors.toList()));
} catch (Exception e) {
return locations;
}
}
return locations;
}
private PermissionAdmin getPermissionAdmin(BundleContext context) {
return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName()));
}
}
......@@ -12,10 +12,46 @@
</parent>
<artifactId>onos-security</artifactId>
<packaging>pom</packaging>
<modules>
<module>impl</module>
</modules>
<packaging>bundle</packaging>
<description>Security-Mode ONOS project</description>
<dependencies>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.core</artifactId>
</dependency>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.compendium</artifactId>
</dependency>
<dependency>
<groupId>org.apache.felix</groupId>
<artifactId>org.apache.felix.scr.annotations</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-api</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-core-serializers</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.karaf.features</groupId>
<artifactId>org.apache.karaf.features.core</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-scr-plugin</artifactId>
</plugin>
</plugins>
</build>
<description>Security-mode ONOS project root</description>
</project>
\ No newline at end of file
......
package org.onosproject.security.impl;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import org.onosproject.security.AppPermission;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.app.ApplicationService;
import org.onosproject.cfg.ComponentConfigService;
import org.onosproject.cluster.ClusterAdminService;
import org.onosproject.cluster.ClusterService;
import org.onosproject.core.CoreService;
import org.onosproject.cluster.LeadershipService;
import org.onosproject.mastership.MastershipAdminService;
import org.onosproject.mastership.MastershipService;
import org.onosproject.net.device.DeviceAdminService;
import org.onosproject.net.device.DeviceService;
import org.onosproject.net.device.DeviceClockService;
import org.onosproject.net.driver.DriverAdminService;
import org.onosproject.net.driver.DriverService;
import org.onosproject.net.flow.FlowRuleService;
import org.onosproject.net.flowobjective.FlowObjectiveService;
import org.onosproject.net.group.GroupService;
import org.onosproject.net.host.HostAdminService;
import org.onosproject.net.host.HostService;
import org.onosproject.net.intent.IntentService;
import org.onosproject.net.intent.IntentExtensionService;
import org.onosproject.net.intent.IntentClockService;
import org.onosproject.net.intent.PartitionService;
import org.onosproject.net.link.LinkAdminService;
import org.onosproject.net.link.LinkService;
import org.onosproject.net.packet.PacketService;
import org.onosproject.net.proxyarp.ProxyArpService;
import org.onosproject.net.resource.link.LinkResourceService;
import org.onosproject.net.statistic.StatisticService;
import org.onosproject.net.topology.PathService;
import org.onosproject.net.topology.TopologyService;
import org.onosproject.security.SecurityAdminService;
import org.onosproject.store.service.StorageAdminService;
import org.onosproject.store.service.StorageService;
import org.osgi.framework.BundlePermission;
import org.osgi.framework.CapabilityPermission;
import org.osgi.framework.ServicePermission;
import org.osgi.framework.PackagePermission;
import org.osgi.framework.AdaptPermission;
import org.osgi.service.cm.ConfigurationPermission;
import javax.net.ssl.SSLPermission;
import javax.security.auth.AuthPermission;
import javax.security.auth.PrivateCredentialPermission;
import javax.security.auth.kerberos.DelegationPermission;
import javax.sound.sampled.AudioPermission;
import java.io.FilePermission;
import java.io.SerializablePermission;
import java.net.NetPermission;
import java.net.SocketPermission;
import java.security.Permissions;
import java.sql.SQLPermission;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.PropertyPermission;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.security.Permission;
import java.util.logging.LoggingPermission;
import static org.onosproject.security.AppPermission.Type.*;
public final class DefaultPolicyBuilder {
protected static ConcurrentHashMap<AppPermission.Type,
Set<String>> serviceDirectory = getServiceDirectory();
protected static List<Permission> defaultPermissions = getDefaultPerms();
protected static List<Permission> adminServicePermissions = getAdminDefaultPerms();
private DefaultPolicyBuilder(){
}
public static List<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) {
List<Permission> perms = Lists.newArrayList();
perms.addAll(defaultPermissions);
perms.addAll(convertToJavaPermissions(permissions));
return optimizePermissions(perms);
}
public static List<Permission> getAdminApplicationPermissions(
Set<org.onosproject.security.Permission> permissions) {
List<Permission> perms = Lists.newArrayList();
perms.addAll(defaultPermissions);
perms.addAll(adminServicePermissions);
for (AppPermission.Type perm : serviceDirectory.keySet()) {
perms.add(new AppPermission(perm));
}
perms.addAll(convertToJavaPermissions(permissions));
return optimizePermissions(perms);
}
public static List<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) {
List<Permission> result = Lists.newArrayList();
for (org.onosproject.security.Permission perm : permissions) {
Permission javaPerm = getPermission(perm);
if (javaPerm != null) {
if (javaPerm instanceof AppPermission) {
if (((AppPermission) javaPerm).getType() != null) {
AppPermission ap = (AppPermission) javaPerm;
result.add(ap);
if (serviceDirectory.containsKey(ap.getType())) {
for (String service : serviceDirectory.get(ap.getType())) {
result.add(new ServicePermission(service, ServicePermission.GET));
}
}
}
} else if (javaPerm instanceof ServicePermission) {
if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) {
result.add(javaPerm);
}
} else {
result.add(javaPerm);
}
}
}
return result;
}
public static Set<org.onosproject.security.Permission> convertToOnosPermissions(List<Permission> permissions) {
Set<org.onosproject.security.Permission> result = Sets.newHashSet();
for (Permission perm : permissions) {
org.onosproject.security.Permission onosPerm = getOnosPermission(perm);
if (onosPerm != null) {
result.add(onosPerm);
}
}
return result;
}
public static List<Permission> getDefaultPerms() {
List<Permission> permSet = Lists.newArrayList();
permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY));
permSet.add(new PackagePermission("*", PackagePermission.IMPORT));
permSet.add(new AdaptPermission("*", AdaptPermission.ADAPT));
permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE));
return permSet;
}
private static List<Permission> getAdminDefaultPerms() {
List<Permission> permSet = Lists.newArrayList();
permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(MastershipAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(DeviceAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(DriverAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET));
// permSet.add(new ServicePermission(LabelResourceAdminService.class.getName(), ServicePermission.GET));
// permSet.add(new ServicePermission(TunnelAdminService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(CoreService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ClusterService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(LeadershipService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(MastershipService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(DeviceService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(DeviceClockService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(DriverService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(FlowRuleService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(FlowObjectiveService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(GroupService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(HostService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(IntentService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(IntentClockService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(IntentExtensionService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(LinkService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(LinkResourceService.class.getName(), ServicePermission.GET));
// permSet.add(new ServicePermission(LabelResourceService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(PacketService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(ProxyArpService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(StatisticService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(PathService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(TopologyService.class.getName(), ServicePermission.GET));
// permSet.add(new ServicePermission(TunnelService.class.getName(), ServicePermission.GET));
permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET));
return permSet;
}
public static Set<String> getNBServiceList() {
Set<String> permString = new HashSet<>();
for (Permission perm : getAdminDefaultPerms()) {
permString.add(perm.getName());
}
return permString;
}
private static ConcurrentHashMap<AppPermission.Type, Set<String>> getServiceDirectory() {
ConcurrentHashMap<AppPermission.Type, Set<String>> serviceDirectory = new ConcurrentHashMap<>();
serviceDirectory.put(APP_READ, ImmutableSet.of(
ApplicationService.class.getName(), CoreService.class.getName()));
serviceDirectory.put(APP_EVENT, ImmutableSet.of(
ApplicationService.class.getName(), CoreService.class.getName()));
serviceDirectory.put(CONFIG_READ, ImmutableSet.of(
ComponentConfigService.class.getName()));
serviceDirectory.put(CONFIG_WRITE, ImmutableSet.of(
ComponentConfigService.class.getName()));
serviceDirectory.put(CLUSTER_READ, ImmutableSet.of(
ClusterService.class.getName(), LeadershipService.class.getName(),
MastershipService.class.getName()));
serviceDirectory.put(CLUSTER_WRITE, ImmutableSet.of(
LeadershipService.class.getName(), MastershipService.class.getName()));
serviceDirectory.put(CLUSTER_EVENT, ImmutableSet.of(
ClusterService.class.getName(), LeadershipService.class.getName(),
MastershipService.class.getName()));
serviceDirectory.put(DEVICE_READ, ImmutableSet.of(
DeviceService.class.getName(), DeviceClockService.class.getName()));
serviceDirectory.put(DEVICE_EVENT, ImmutableSet.of(
DeviceService.class.getName()));
serviceDirectory.put(DRIVER_READ, ImmutableSet.of(
DriverService.class.getName()));
serviceDirectory.put(DRIVER_WRITE, ImmutableSet.of(
DriverService.class.getName()));
serviceDirectory.put(FLOWRULE_READ, ImmutableSet.of(
FlowRuleService.class.getName()));
serviceDirectory.put(FLOWRULE_WRITE, ImmutableSet.of(
FlowRuleService.class.getName(), FlowObjectiveService.class.getName()));
serviceDirectory.put(FLOWRULE_EVENT, ImmutableSet.of(
FlowRuleService.class.getName()));
serviceDirectory.put(GROUP_READ, ImmutableSet.of(
GroupService.class.getName()));
serviceDirectory.put(GROUP_WRITE, ImmutableSet.of(
GroupService.class.getName()));
serviceDirectory.put(GROUP_EVENT, ImmutableSet.of(
GroupService.class.getName()));
serviceDirectory.put(HOST_READ, ImmutableSet.of(
HostService.class.getName()));
serviceDirectory.put(HOST_WRITE, ImmutableSet.of(
HostService.class.getName()));
serviceDirectory.put(HOST_EVENT, ImmutableSet.of(
HostService.class.getName()));
serviceDirectory.put(INTENT_READ, ImmutableSet.of(
IntentService.class.getName(), PartitionService.class.getName(),
IntentClockService.class.getName()));
serviceDirectory.put(INTENT_WRITE, ImmutableSet.of(
IntentService.class.getName()));
serviceDirectory.put(INTENT_EVENT, ImmutableSet.of(
IntentService.class.getName()));
// serviceDirectory.put(LINK_READ, ImmutableSet.of(
// LinkService.class.getName(), LinkResourceService.class.getName(),
// LabelResourceService.class.getName()));
// serviceDirectory.put(LINK_WRITE, ImmutableSet.of(
// LinkResourceService.class.getName(), LabelResourceService.class.getName()));
// serviceDirectory.put(LINK_EVENT, ImmutableSet.of(
// LinkService.class.getName(), LinkResourceService.class.getName(),
// LabelResourceService.class.getName()));
serviceDirectory.put(PACKET_READ, ImmutableSet.of(
PacketService.class.getName(), ProxyArpService.class.getName()));
serviceDirectory.put(PACKET_WRITE, ImmutableSet.of(
PacketService.class.getName(), ProxyArpService.class.getName()));
serviceDirectory.put(PACKET_EVENT, ImmutableSet.of(
PacketService.class.getName()));
serviceDirectory.put(STATISTIC_READ, ImmutableSet.of(
StatisticService.class.getName()));
serviceDirectory.put(TOPOLOGY_READ, ImmutableSet.of(
TopologyService.class.getName(), PathService.class.getName()));
serviceDirectory.put(TOPOLOGY_EVENT, ImmutableSet.of(
TopologyService.class.getName()));
// serviceDirectory.put(TUNNEL_READ, ImmutableSet.of(
// TunnelService.class.getName()));
// serviceDirectory.put(TUNNEL_WRITE, ImmutableSet.of(
// TunnelService.class.getName()));
// serviceDirectory.put(TUNNEL_EVENT, ImmutableSet.of(
// TunnelService.class.getName()));
serviceDirectory.put(STORAGE_WRITE, ImmutableSet.of(
StorageService.class.getName()));
return serviceDirectory;
}
public static org.onosproject.security.Permission getOnosPermission(Permission permission) {
if (permission instanceof AppPermission) {
return new org.onosproject.security.Permission(AppPermission.class.getName(), permission.getName(), "");
} else if (permission instanceof FilePermission) {
return new org.onosproject.security.Permission(
FilePermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof SerializablePermission) {
return new org.onosproject.security.Permission(
SerializablePermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof NetPermission) {
return new org.onosproject.security.Permission(
NetPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof RuntimePermission) {
return new org.onosproject.security.Permission(
RuntimePermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof SocketPermission) {
return new org.onosproject.security.Permission(
SocketPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof SQLPermission) {
return new org.onosproject.security.Permission(
SQLPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof PropertyPermission) {
return new org.onosproject.security.Permission(
PropertyPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof LoggingPermission) {
return new org.onosproject.security.Permission(
LoggingPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof SSLPermission) {
return new org.onosproject.security.Permission(
SSLPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof AuthPermission) {
return new org.onosproject.security.Permission(
AuthPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof PrivateCredentialPermission) {
return new org.onosproject.security.Permission(
PrivateCredentialPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof DelegationPermission) {
return new org.onosproject.security.Permission(
DelegationPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof javax.security.auth.kerberos.ServicePermission) {
return new org.onosproject.security.Permission(
javax.security.auth.kerberos.ServicePermission.class.getName(), permission.getName(),
permission.getActions());
} else if (permission instanceof AudioPermission) {
return new org.onosproject.security.Permission(
AudioPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof AdaptPermission) {
return new org.onosproject.security.Permission(
AdaptPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof BundlePermission) {
return new org.onosproject.security.Permission(
BundlePermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof CapabilityPermission) {
return new org.onosproject.security.Permission(
CapabilityPermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof PackagePermission) {
return new org.onosproject.security.Permission(
PackagePermission.class.getName(), permission.getName(), permission.getActions());
} else if (permission instanceof ServicePermission) {
return new org.onosproject.security.Permission(
ServicePermission.class.getName(), permission.getName(), permission.getActions());
}
return null;
}
private static Permission getPermission(org.onosproject.security.Permission permission) {
String classname = permission.getClassName();
String name = permission.getName();
String actions = permission.getActions();
if (classname == null || name == null) {
return null;
}
classname = classname.trim();
name = name.trim();
actions = actions.trim();
if (AppPermission.class.getName().equals(classname)) {
return new AppPermission(name);
} else if (FilePermission.class.getName().equals(classname)) {
return new FilePermission(name, actions);
} else if (SerializablePermission.class.getName().equals(classname)) {
return new SerializablePermission(name, actions);
} else if (NetPermission.class.getName().equals(classname)) {
return new NetPermission(name, actions);
} else if (RuntimePermission.class.getName().equals(classname)) {
return new RuntimePermission(name, actions);
} else if (SocketPermission.class.getName().equals(classname)) {
return new SocketPermission(name, actions);
} else if (SQLPermission.class.getName().equals(classname)) {
return new SQLPermission(name, actions);
} else if (PropertyPermission.class.getName().equals(classname)) {
return new PropertyPermission(name, actions);
} else if (LoggingPermission.class.getName().equals(classname)) {
return new LoggingPermission(name, actions);
} else if (SSLPermission.class.getName().equals(classname)) {
return new SSLPermission(name, actions);
} else if (AuthPermission.class.getName().equals(classname)) {
return new AuthPermission(name, actions);
} else if (PrivateCredentialPermission.class.getName().equals(classname)) {
return new PrivateCredentialPermission(name, actions);
} else if (DelegationPermission.class.getName().equals(classname)) {
return new DelegationPermission(name, actions);
} else if (javax.security.auth.kerberos.ServicePermission.class.getName().equals(classname)) {
return new javax.security.auth.kerberos.ServicePermission(name, actions);
} else if (AudioPermission.class.getName().equals(classname)) {
return new AudioPermission(name, actions);
} else if (AdaptPermission.class.getName().equals(classname)) {
return new AdaptPermission(name, actions);
} else if (BundlePermission.class.getName().equals(classname)) {
return new BundlePermission(name, actions);
} else if (CapabilityPermission.class.getName().equals(classname)) {
return new CapabilityPermission(name, actions);
} else if (PackagePermission.class.getName().equals(classname)) {
return new PackagePermission(name, actions);
} else if (ServicePermission.class.getName().equals(classname)) {
return new ServicePermission(name, actions);
}
//AllPermission, SecurityPermission, UnresolvedPermission
//AWTPermission, AdminPermission(osgi), ReflectPermission not allowed
return null;
}
private static List<Permission> optimizePermissions(List<Permission> perms) {
Permissions permissions = listToPermissions(perms);
return permissionsToList(permissions);
}
private static List<Permission> permissionsToList(Permissions perms) {
List<Permission> permissions = new ArrayList<>();
Enumeration<Permission> e = perms.elements();
while (e.hasMoreElements()) {
permissions.add(e.nextElement());
}
return permissions;
}
private static Permissions listToPermissions(List<Permission> perms) {
Permissions permissions = new Permissions();
for (Permission perm : perms) {
permissions.add(perm);
}
return permissions;
}
}
package org.onosproject.security.impl;
import com.google.common.collect.Lists;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.app.ApplicationState;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.security.AppPermission;
import org.onosproject.security.SecurityAdminService;
import org.onosproject.security.store.SecurityModeEvent;
import org.onosproject.security.store.SecurityModeListener;
import org.onosproject.security.store.SecurityModeStore;
import org.onosproject.security.store.SecurityModeStoreDelegate;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServicePermission;
import org.osgi.service.log.LogEntry;
import org.osgi.service.log.LogListener;
import org.osgi.service.log.LogReaderService;
import org.osgi.service.permissionadmin.PermissionInfo;
import java.security.AccessControlException;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.slf4j.Logger;
import static org.slf4j.LoggerFactory.getLogger;
/**
* Security-Mode ONOS management implementation.
*/
@Component(immediate = true)
@Service
public class SecurityModeManager implements SecurityAdminService {
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected SecurityModeStore store;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected ApplicationAdminService appAdminService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected LogReaderService logReaderService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected EventDeliveryService eventDispatcher;
private final Logger log = getLogger(getClass());
protected final ListenerRegistry<SecurityModeEvent, SecurityModeListener>
listenerRegistry = new ListenerRegistry<>();
private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate();
private SecurityLogListener securityLogListener = new SecurityLogListener();
private PermissionAdmin permissionAdmin = getPermissionAdmin();
@Activate
public void activate() {
eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry);
// add Listeners
logReaderService.addLogListener(securityLogListener);
store.setDelegate(delegate);
if (System.getSecurityManager() == null) {
log.warn("J2EE security manager is disabled.");
deactivate();
return;
}
if (permissionAdmin == null) {
log.warn("Permission Admin not found.");
deactivate();
return;
}
log.info("Security-Mode Started");
}
@Deactivate
public void deactivate() {
eventDispatcher.removeSink(SecurityModeEvent.class);
logReaderService.removeLogListener(securityLogListener);
store.unsetDelegate(delegate);
log.info("Stopped");
}
@Override
public boolean isSecured(ApplicationId appId) {
if (store.getState(appId) == null) {
store.registerApplication(appId);
}
return store.isSecured(appId);
}
@Override
public void review(ApplicationId appId) {
if (store.getState(appId) == null) {
store.registerApplication(appId);
}
store.reviewPolicy(appId);
}
@Override
public void acceptPolicy(ApplicationId appId) {
if (store.getState(appId) == null) {
store.registerApplication(appId);
}
store.acceptPolicy(appId, DefaultPolicyBuilder.convertToOnosPermissions(getMaximumPermissions(appId)));
}
@Override
public void register(ApplicationId appId) {
store.registerApplication(appId);
}
@Override
public Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId) {
return getPrintablePermissionMap(getMaximumPermissions(appId));
}
@Override
public Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId) {
return getPrintablePermissionMap(
DefaultPolicyBuilder.convertToJavaPermissions(store.getGrantedPermissions(appId)));
}
@Override
public Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId) {
return getPrintablePermissionMap(
DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId)));
}
private class SecurityLogListener implements LogListener {
@Override
public void logged(LogEntry entry) {
if (entry.getException() != null &&
entry.getException() instanceof AccessControlException) {
String location = entry.getBundle().getLocation();
Permission javaPerm =
((AccessControlException) entry.getException()).getPermission();
org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm);
if (permission == null) {
log.warn("Unsupported permission requested.");
return;
}
store.getApplicationIds(location).stream().filter(
appId -> store.isSecured(appId) &&
appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
store.requestPermission(appId, permission);
print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
appId.name(), location, permission.toString());
});
}
}
}
private class InternalStoreDelegate implements SecurityModeStoreDelegate {
@Override
public void notify(SecurityModeEvent event) {
if (event.type() == SecurityModeEvent.Type.POLICY_ACCEPTED) {
setLocalPermissions(event.subject());
log.info("{} POLICY ACCEPTED and ENFORCED", event.subject().name());
} else if (event.type() == SecurityModeEvent.Type.POLICY_VIOLATED) {
log.info("{} POLICY VIOLATED", event.subject().name());
} else if (event.type() == SecurityModeEvent.Type.POLICY_REVIEWED) {
log.info("{} POLICY REVIEWED", event.subject().name());
}
eventDispatcher.post(event);
}
}
/**
* TYPES.
* 0 - APP_PERM
* 1 - ADMIN SERVICE
* 2 - NB_SERVICE
* 3 - ETC_SERVICE
* 4 - ETC
* @param perms
*/
private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) {
ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>();
sortedMap.put(0, new ArrayList());
sortedMap.put(1, new ArrayList());
sortedMap.put(2, new ArrayList());
sortedMap.put(3, new ArrayList());
sortedMap.put(4, new ArrayList());
for (Permission perm : perms) {
if (perm instanceof ServicePermission) {
if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) {
if (perm.getName().contains("Admin")) {
sortedMap.get(1).add(perm);
} else {
sortedMap.get(2).add(perm);
}
} else {
sortedMap.get(3).add(perm);
}
} else if (perm instanceof AppPermission) {
sortedMap.get(0).add(perm);
} else {
sortedMap.get(4).add(perm);
}
}
return sortedMap;
}
private void setLocalPermissions(ApplicationId applicationId) {
for (String location : store.getBundleLocations(applicationId)) {
permissionAdmin.setPermissions(location, permissionsToInfo(store.getGrantedPermissions(applicationId)));
}
}
private PermissionInfo[] permissionsToInfo(Set<org.onosproject.security.Permission> permissions) {
List<PermissionInfo> result = Lists.newArrayList();
for (org.onosproject.security.Permission perm : permissions) {
result.add(new PermissionInfo(perm.getClassName(), perm.getName(), perm.getActions()));
}
PermissionInfo[] permissionInfos = new PermissionInfo[result.size()];
return result.toArray(permissionInfos);
}
private List<Permission> getMaximumPermissions(ApplicationId appId) {
Application app = appAdminService.getApplication(appId);
if (app == null) {
print("Unknown application.");
return null;
}
List<Permission> appPerms;
switch (app.role()) {
case ADMIN:
appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions());
break;
case USER:
appPerms = DefaultPolicyBuilder.getUserApplicationPermissions(app.permissions());
break;
case UNSPECIFIED:
default:
appPerms = DefaultPolicyBuilder.getDefaultPerms();
break;
}
return appPerms;
}
private void print(String format, Object... args) {
System.out.println(String.format("SM-ONOS: " + format, args));
log.warn(String.format(format, args));
}
private PermissionAdmin getPermissionAdmin() {
BundleContext context = getBundleContext();
return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName()));
}
private BundleContext getBundleContext() {
return FrameworkUtil.getBundle(this.getClass()).getBundleContext();
}
}
\ No newline at end of file
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.apache.karaf.features.BundleInfo;
import org.apache.karaf.features.Feature;
import org.apache.karaf.features.FeaturesService;
import org.onlab.util.KryoNamespace;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.security.Permission;
import org.onosproject.store.AbstractStore;
import org.onosproject.store.serializers.KryoNamespaces;
import org.onosproject.store.service.ConsistentMap;
import org.onosproject.store.service.EventuallyConsistentMap;
import org.onosproject.store.service.LogicalClockService;
import org.onosproject.store.service.MapEvent;
import org.onosproject.store.service.MapEventListener;
import org.onosproject.store.service.Serializer;
import org.onosproject.store.service.StorageService;
import org.slf4j.Logger;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import static org.onosproject.security.store.SecurityModeState.*;
import static org.slf4j.LoggerFactory.getLogger;
/**
* Manages application permissions granted/requested to applications.
* Uses both gossip-based and RAFT-based distributed data store.
*/
@Component(immediate = true)
@Service
public class DistributedSecurityModeStore
extends AbstractStore<SecurityModeEvent, SecurityModeStoreDelegate>
implements SecurityModeStore {
private final Logger log = getLogger(getClass());
private ConsistentMap<ApplicationId, SecurityInfo> states;
private EventuallyConsistentMap<ApplicationId, Set<Permission>> violations;
private ConcurrentHashMap<String, Set<ApplicationId>> localBundleAppDirectory;
private ConcurrentHashMap<ApplicationId, Set<String>> localAppBundleDirectory;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected StorageService storageService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected LogicalClockService clockService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected ApplicationAdminService applicationAdminService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected FeaturesService featuresService;
private static final Serializer STATE_SERIALIZER = Serializer.using(new KryoNamespace.Builder()
.register(KryoNamespaces.API)
.register(SecurityModeState.class)
.register(SecurityInfo.class)
.register(Permission.class)
.build());
private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder()
.register(KryoNamespaces.API)
.register(Permission.class);
@Activate
public void activate() {
states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder()
.withName("smonos-sdata")
.withSerializer(STATE_SERIALIZER)
.build();
states.addListener(new SecurityStateListener());
violations = storageService.<ApplicationId, Set<Permission>>eventuallyConsistentMapBuilder()
.withName("smonos-rperms")
.withSerializer(VIOLATION_SERIALIZER)
.withTimestampProvider((k, v) -> clockService.getTimestamp())
.build();
localBundleAppDirectory = new ConcurrentHashMap<>();
localAppBundleDirectory = new ConcurrentHashMap<>();
log.info("Started");
}
@Deactivate
public void deactivate() {
violations.destroy();
log.info("Stopped");
}
@Override
public Set<String> getBundleLocations(ApplicationId appId) {
Set<String> locations = localAppBundleDirectory.get(appId);
return locations != null ? locations : Sets.newHashSet();
}
@Override
public Set<ApplicationId> getApplicationIds(String location) {
Set<ApplicationId> appIds = localBundleAppDirectory.get(location);
return appIds != null ? appIds : Sets.newHashSet();
}
@Override
public Set<Permission> getRequestedPermissions(ApplicationId appId) {
Set<Permission> permissions = violations.get(appId);
return permissions != null ? permissions : ImmutableSet.of();
}
@Override
public Set<Permission> getGrantedPermissions(ApplicationId appId) {
return states.asJavaMap().getOrDefault(appId, new SecurityInfo(ImmutableSet.of(), null)).getPermissions();
}
@Override
public void requestPermission(ApplicationId appId, Permission permission) {
states.computeIf(appId, securityInfo -> (securityInfo == null || securityInfo.getState() != POLICY_VIOLATED),
(id, securityInfo) -> new SecurityInfo(securityInfo.getPermissions(), POLICY_VIOLATED));
violations.compute(appId, (k, v) -> v == null ? Sets.newHashSet(permission) : addAndGet(v, permission));
}
private Set<Permission> addAndGet(Set<Permission> oldSet, Permission newPerm) {
oldSet.add(newPerm);
return oldSet;
}
@Override
public boolean isSecured(ApplicationId appId) {
SecurityInfo info = states.get(appId).value();
return info == null ? false : info.getState().equals(SECURED);
}
@Override
public void reviewPolicy(ApplicationId appId) {
Application app = applicationAdminService.getApplication(appId);
if (app == null) {
log.warn("Unknown Application");
return;
}
states.computeIfPresent(appId, (applicationId, securityInfo) -> {
if (securityInfo.getState().equals(INSTALLED)) {
return new SecurityInfo(ImmutableSet.of(), REVIEWED);
}
return securityInfo;
});
}
@Override
public void acceptPolicy(ApplicationId appId, Set<Permission> permissionSet) {
Application app = applicationAdminService.getApplication(appId);
if (app == null) {
log.warn("Unknown Application");
return;
}
states.computeIf(appId,
securityInfo -> (securityInfo != null),
(id, securityInfo) -> {
switch (securityInfo.getState()) {
case POLICY_VIOLATED:
System.out.println(
"This application has violated the security policy. Please uninstall.");
return securityInfo;
case SECURED:
System.out.println(
"The policy has been accepted already. To review policy, review [app.name]");
return securityInfo;
case INSTALLED:
System.out.println("Please review the security policy prior to accept them");
log.warn("Application has not been reviewed");
return securityInfo;
case REVIEWED:
return new SecurityInfo(permissionSet, SECURED);
default:
return securityInfo;
}
});
}
private final class SecurityStateListener
implements MapEventListener<ApplicationId, SecurityInfo> {
@Override
public void event(MapEvent<ApplicationId, SecurityInfo> event) {
if (delegate == null) {
return;
}
ApplicationId appId = event.key();
SecurityInfo info = event.value().value();
if (event.type() == MapEvent.Type.INSERT || event.type() == MapEvent.Type.UPDATE) {
switch (info.getState()) {
case POLICY_VIOLATED:
notifyDelegate(new SecurityModeEvent(SecurityModeEvent.Type.POLICY_VIOLATED, appId));
break;
case SECURED:
notifyDelegate(new SecurityModeEvent(SecurityModeEvent.Type.POLICY_ACCEPTED, appId));
default:
break;
}
} else if (event.type() == MapEvent.Type.REMOVE) {
removeAppFromDirectories(appId);
}
}
}
private void removeAppFromDirectories(ApplicationId appId) {
for (String location : localAppBundleDirectory.get(appId)) {
localBundleAppDirectory.get(location).remove(appId);
}
violations.remove(appId);
states.remove(appId);
localAppBundleDirectory.remove(appId);
}
@Override
public boolean registerApplication(ApplicationId appId) {
Application app = applicationAdminService.getApplication(appId);
if (app == null) {
log.warn("Unknown application.");
return false;
}
localAppBundleDirectory.put(appId, getBundleLocations(app));
for (String location : localAppBundleDirectory.get(appId)) {
if (!localBundleAppDirectory.containsKey(location)) {
localBundleAppDirectory.put(location, new HashSet<>());
}
if (!localBundleAppDirectory.get(location).contains(appId)) {
localBundleAppDirectory.get(location).add(appId);
}
}
states.put(appId, new SecurityInfo(Sets.newHashSet(), INSTALLED));
return true;
}
@Override
public void unregisterApplication(ApplicationId appId) {
if (localAppBundleDirectory.containsKey(appId)) {
for (String location : localAppBundleDirectory.get(appId)) {
if (localBundleAppDirectory.get(location).size() == 1) {
localBundleAppDirectory.remove(location);
} else {
localBundleAppDirectory.get(location).remove(appId);
}
}
localAppBundleDirectory.remove(appId);
}
}
@Override
public SecurityModeState getState(ApplicationId appId) {
return states.asJavaMap().getOrDefault(appId, new SecurityInfo(null, null)).getState();
}
private Set<String> getBundleLocations(Application app) {
Set<String> locations = new HashSet<>();
for (String name : app.features()) {
try {
Feature feature = featuresService.getFeature(name);
locations.addAll(
feature.getBundles().stream().map(BundleInfo::getLocation).collect(Collectors.toList()));
} catch (Exception e) {
return locations;
}
}
return locations;
}
@Override
public void setDelegate(SecurityModeStoreDelegate delegate) {
super.setDelegate(delegate);
}
@Override
public void unsetDelegate(SecurityModeStoreDelegate delegate) {
super.setDelegate(delegate);
}
}
\ No newline at end of file
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
import org.onosproject.security.Permission;
import java.util.Set;
/**
* Security-Mode ONOS security policy and state representation for distributed store.
*/
public class SecurityInfo {
protected Set<Permission> grantedPermissions;
protected SecurityModeState state;
public SecurityInfo(Set<Permission> perms, SecurityModeState state) {
this.grantedPermissions = perms;
this.state = state;
}
public Set<Permission> getPermissions() {
return grantedPermissions;
}
public SecurityModeState getState() {
return state;
}
}
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
import org.onosproject.core.ApplicationId;
import org.onosproject.event.AbstractEvent;
/**
* Security-Mode ONOS notifications.
*/
public class SecurityModeEvent extends AbstractEvent<SecurityModeEvent.Type, ApplicationId> {
protected SecurityModeEvent(Type type, ApplicationId subject) {
super(type, subject);
}
public enum Type {
/**
* Signifies that security policy has been accepted.
*/
POLICY_ACCEPTED,
/**
* Signifies that security policy has been reviewed.
*/
POLICY_REVIEWED,
/**
* Signifies that application has violated security policy.
*/
POLICY_VIOLATED,
}
}
......@@ -14,20 +14,12 @@
* limitations under the License.
*/
package org.onosproject.cli.security;
package org.onosproject.security.store;
import com.google.common.collect.ImmutableList;
import org.onosproject.cli.AbstractChoicesCompleter;
import org.onosproject.event.EventListener;
import java.util.List;
import static org.onosproject.cli.security.PermissionCommand.*;
/**
* Permission command completer.
* Security-Mode ONOS event listener.
*/
public class PermissionCommandCompleter extends AbstractChoicesCompleter {
@Override
protected List<String> choices() {
return ImmutableList.of(ADD, REMOVE, CLEAR, LIST);
}
public interface SecurityModeListener extends EventListener<SecurityModeEvent> {
}
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
/**
* Representation of Security-Mode ONOS application review state.
*/
public enum SecurityModeState {
/**
* Indicates that operator has accepted application security policy.
*/
SECURED,
/**
* Indicates that application security policy has been reviewed.
*/
REVIEWED,
/**
* Indicates that application has been installed.
*/
INSTALLED,
/**
* Indicates that application has violated security policy.
*/
POLICY_VIOLATED,
}
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
import org.onosproject.core.ApplicationId;
import org.onosproject.security.Permission;
import org.onosproject.store.Store;
import java.util.Set;
/**
* Security-Mode ONOS distributed store service.
*/
public interface SecurityModeStore extends Store<SecurityModeEvent, SecurityModeStoreDelegate> {
/**
* Updates the local bundle-application directories.
* @param appId application identifier
* @return true if successfully registered.
*/
boolean registerApplication(ApplicationId appId);
/**
* Removes application info from the local bundle-application directories.
* @param appId application identifier
*/
void unregisterApplication(ApplicationId appId);
/**
* Returns state of the specified application.
* @param appId application identifier
* @return Security-Mode State of application
*/
SecurityModeState getState(ApplicationId appId);
/**
* Returns bundle locations of specified application.
* @param appId application identifier
* @return set of bundle location strings
*/
Set<String> getBundleLocations(ApplicationId appId);
/**
* Returns application identifiers that are associated with given bundle location.
* @param location OSGi bundle location
* @return set of application identifiers
*/
Set<ApplicationId> getApplicationIds(String location);
/**
* Returns a list of permissions that have been requested by given application.
* @param appId application identifier
* @return list of permissions
*/
Set<Permission> getRequestedPermissions(ApplicationId appId);
/**
* Returns an array of permissions that have been granted to given application.
* @param appId application identifier
* @return array of permissionInfo
*/
Set<Permission> getGrantedPermissions(ApplicationId appId);
/**
* Request permission that is required to run given application.
* @param appId application identifier
* @param permission permission
*/
void requestPermission(ApplicationId appId, Permission permission);
/**
* Returns true if given application has been secured.
* @param appId application identifier
* @return true indicates secured
*/
boolean isSecured(ApplicationId appId);
/**
* Notifies SM-ONOS that operator has reviewed the policy.
* @param appId application identifier
*/
void reviewPolicy(ApplicationId appId);
/**
* Accept the current security policy of given application.
* @param appId application identifier
* @param permissionSet array of PermissionInfo
*/
void acceptPolicy(ApplicationId appId, Set<Permission> permissionSet);
}
\ No newline at end of file
......@@ -14,32 +14,12 @@
* limitations under the License.
*/
package org.onosproject.cli.security;
package org.onosproject.security.store;
import org.apache.karaf.shell.console.completer.ArgumentCompleter;
import org.onosproject.cli.AbstractChoicesCompleter;
import org.onosproject.core.Permission;
import java.util.ArrayList;
import java.util.List;
import org.onosproject.store.StoreDelegate;
/**
* Permission Name Completer.
* Security-Mode distributed store delegate abstraction.
*/
public class PermissionNameCompleter extends AbstractChoicesCompleter {
@Override
protected List<String> choices() {
List<String> permNames = new ArrayList<>();
ArgumentCompleter.ArgumentList list = getArgumentList();
String cmd = list.getArguments()[1];
if (cmd.equals("add") || cmd.equals("remove")) {
for (Permission perm : Permission.values()) {
permNames.add(perm.name());
}
}
return permNames;
}
public interface SecurityModeStoreDelegate extends StoreDelegate<SecurityModeEvent> {
}
......
......@@ -38,7 +38,7 @@ import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.DefaultApplication;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.onosproject.store.cluster.messaging.ClusterCommunicationService;
import org.onosproject.store.cluster.messaging.MessageSubject;
import org.onosproject.store.serializers.KryoNamespaces;
......
......@@ -135,7 +135,7 @@
<feature>onos-api</feature>
<!-- FIXME Release when stable (before Drake) -->
<bundle>mvn:org.onosproject/org.apache.felix.framework.security/2.2.0.onos-SNAPSHOT</bundle>
<bundle>mvn:org.onosproject/onos-security-impl/@ONOS-VERSION</bundle>
<bundle>mvn:org.onosproject/onos-security/@ONOS-VERSION</bundle>
</feature>
</features>
......
......@@ -17,7 +17,6 @@ package org.onosproject.openflow.controller;
import org.onlab.packet.DeserializationException;
import org.onlab.packet.Ethernet;
import org.onosproject.core.Permission;
import org.projectfloodlight.openflow.protocol.OFPacketIn;
import org.projectfloodlight.openflow.protocol.OFPacketOut;
import org.projectfloodlight.openflow.protocol.OFVersion;
......@@ -34,6 +33,7 @@ import java.util.Collections;
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -57,7 +57,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public void send() {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
if (block() && isBuilt.get()) {
sw.sendMsg(pktout);
......@@ -97,7 +97,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Ethernet parsed() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
try {
return Ethernet.deserializer().deserialize(pktin.getData(), 0, pktin.getData().length);
......@@ -111,7 +111,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Dpid dpid() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return new Dpid(sw.getId());
}
......@@ -130,7 +130,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Integer inPort() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return pktinInPort().getPortNumber();
}
......@@ -144,7 +144,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public byte[] unparsed() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return pktin.getData().clone();
......@@ -160,21 +160,21 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public boolean block() {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
return free.getAndSet(false);
}
@Override
public boolean isHandled() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return !free.get();
}
@Override
public boolean isBuffered() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return isBuffered;
}
......