Changhoon Yoon
Committed by Gerrit Code Review

ONOS-1767 SM-ONOS implementation

22a363e ONOS-17767 SM-ONOS impl

Change-Id: Ifca8129f2266bada68af735cf81a1d39f1ec8506
Showing 66 changed files with 976 additions and 778 deletions
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.cli.security;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import org.apache.karaf.shell.commands.Argument;
import org.apache.karaf.shell.commands.Command;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.cli.AbstractShellCommand;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import java.util.Set;
import java.util.stream.Collectors;
/**
* Manages application permissions.
*/
@Command(scope = "onos", name = "perm",
description = "Manages application permissions")
public class PermissionCommand extends AbstractShellCommand {
static final String ADD = "add";
static final String REMOVE = "remove";
static final String LIST = "list";
static final String CLEAR = "clear";
@Argument(index = 0, name = "command",
description = "Command name (add|remove)",
required = true, multiValued = false)
String command = null;
@Argument(index = 1, name = "name", description = "Application name",
required = true, multiValued = false)
String name = null;
@Argument(index = 2, name = "permissions", description = "List of permissions",
required = false, multiValued = true)
String[] permissions = null;
@Override
protected void execute() {
ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
Set<Permission> newPermSet = Sets.newHashSet();
if (command.equals(ADD)) {
ApplicationId appId = applicationAdminService.getId(name);
if (appId == null) {
print("No such application: %s", name);
return;
}
Application app = applicationAdminService.getApplication(appId);
for (String perm : permissions) {
try {
Permission permission = Permission.valueOf(perm);
newPermSet.add(permission);
} catch (IllegalArgumentException e) {
print("%s is not a valid permission.", perm);
return;
}
}
Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
if (oldPermSet != null) {
newPermSet.addAll(oldPermSet);
} else {
newPermSet.addAll(app.permissions());
}
applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
} else if (command.equals(REMOVE)) {
ApplicationId appId = applicationAdminService.getId(name);
Application app = applicationAdminService.getApplication(appId);
if (appId == null) {
print("No such application: %s", name);
return;
}
Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
if (oldPermSet == null) {
oldPermSet = app.permissions();
}
Set<String> clearPermSet = Sets.newHashSet(permissions);
newPermSet.addAll(oldPermSet.stream().filter(
perm -> !clearPermSet.contains(perm.name().toUpperCase())).collect(Collectors.toList()));
applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
} else if (command.equals(CLEAR)) {
ApplicationId appId = applicationAdminService.getId(name);
if (appId == null) {
print("No such application: %s", name);
return;
}
applicationAdminService.setPermissions(appId, ImmutableSet.of());
print("Cleared the permission list of %s.", appId.name());
} else if (command.equals(LIST)) {
ApplicationId appId = applicationAdminService.getId(name);
if (appId == null) {
print("No such application: %s", name);
return;
}
Application app = applicationAdminService.getApplication(appId);
Set<Permission> userPermissions = applicationAdminService.getPermissions(appId);
Set<Permission> defaultPermissions = app.permissions();
print("Application Role");
print("\trole=%s", app.role().name());
if (defaultPermissions != null) {
if (!defaultPermissions.isEmpty()) {
print("Default permissions (specified in app.xml)");
for (Permission perm : defaultPermissions) {
print("\tpermission=%s", perm.name());
}
} else {
print("(No default permissions specified in app.xml)");
}
}
if (userPermissions != null) {
if (!userPermissions.isEmpty()) {
print("User permissions");
for (Permission perm : userPermissions) {
print("\tpermission=%s", perm.name());
}
} else {
print("(User has removed all the permissions");
}
}
}
}
}
......@@ -18,6 +18,7 @@ package org.onosproject.cli.security;
import org.apache.karaf.shell.console.completer.StringsCompleter;
import org.onosproject.app.ApplicationService;
import org.onosproject.app.ApplicationState;
import org.onosproject.cli.AbstractCompleter;
import org.onosproject.core.Application;
......@@ -25,25 +26,31 @@ import java.util.Iterator;
import java.util.List;
import java.util.SortedSet;
import static org.onosproject.app.ApplicationState.INSTALLED;
import static org.onosproject.cli.AbstractShellCommand.get;
/**
* Application name completer for permission command.
* Application name completer for security review command.
*/
public class PermissionApplicationNameCompleter extends AbstractCompleter {
public class ReviewApplicationNameCompleter extends AbstractCompleter {
@Override
public int complete(String buffer, int cursor, List<String> candidates) {
// Delegate string completer
StringsCompleter delegate = new StringsCompleter();
// Fetch our service and feed it's offerings to the string completer
ApplicationService service = get(ApplicationService.class);
Iterator<Application> it = service.getApplications().iterator();
SortedSet<String> strings = delegate.getStrings();
while (it.hasNext()) {
Application app = it.next();
ApplicationState state = service.getState(app.id());
// if (previousApps.contains(app.id().name())) {
// continue;
// }
if (state == INSTALLED) {
strings.add(app.id().name());
}
}
// Now let the completer do the work for figuring out what to offer.
return delegate.complete(buffer, cursor, candidates);
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.cli.security;
import org.apache.karaf.shell.commands.Argument;
import org.apache.karaf.shell.commands.Command;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.cli.AbstractShellCommand;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.security.SecurityAdminService;
import org.onosproject.security.SecurityUtil;
import java.security.Permission;
import java.util.List;
import java.util.Map;
/**
* Application security policy review commands.
*/
@Command(scope = "onos", name = "review",
description = "Application security policy review interface")
public class ReviewCommand extends AbstractShellCommand {
@Argument(index = 0, name = "name", description = "Application name",
required = true, multiValued = false)
String name = null;
@Argument(index = 1, name = "accept", description = "Option to accept policy",
required = false, multiValued = false)
String accept = null;
@Override
protected void execute() {
ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
ApplicationId appId = applicationAdminService.getId(name);
if (appId == null) {
print("No such application: %s", name);
return;
}
Application app = applicationAdminService.getApplication(appId);
SecurityAdminService smService = SecurityUtil.getSecurityService();
if (smService == null) {
print("Security Mode is disabled");
return;
}
if (accept == null) {
smService.review(appId);
printPolicy(smService, app);
} else if (accept.trim().equals("accept")) {
smService.acceptPolicy(appId);
printPolicy(smService, app);
} else {
print("Unknown command");
}
}
private void printPolicy(SecurityAdminService smService, Application app) {
print("\n*******************************");
print(" SM-ONOS APP REVIEW ");
print("*******************************");
print("Application name: %s ", app.id().name());
print("Application role: " + app.role());
print("\nDeveloper specified permissions: ");
printMap(smService.getPrintableSpecifiedPermissions(app.id()));
print("\nPermissions granted: ");
printMap(smService.getPrintableGrantedPermissions(app.id()));
print("\nAdditional permissions requested on runtime (POLICY VIOLATIONS): ");
printMap(smService.getPrintableRequestedPermissions(app.id()));
print("");
}
private void printMap(Map<Integer, List<Permission>> assortedMap) {
for (Integer type : assortedMap.keySet()) {
switch (type) {
case 0:
for (Permission perm: assortedMap.get(0)) {
print("\t[APP PERMISSION] " + perm.getName());
}
break;
case 1:
for (Permission perm: assortedMap.get(1)) {
print("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 2:
for (Permission perm: assortedMap.get(2)) {
print("\t[NB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 3:
for (Permission perm: assortedMap.get(3)) {
print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
}
break;
case 4:
for (Permission perm: assortedMap.get(4)) {
print("\t[Other] " + perm.getClass().getSimpleName() +
" " + perm.getName() + " (" + perm.getActions() + ")");
}
default:
break;
}
}
}
}
......@@ -21,11 +21,9 @@
</command>
<command>
<action class="org.onosproject.cli.security.PermissionCommand"/>
<action class="org.onosproject.cli.security.ReviewCommand"/>
<completers>
<ref component-id="permCommandCompleter"/>
<ref component-id="permAppNameCompleter"/>
<ref component-id="permNameCompleter"/>
<ref component-id="reviewAppNameCompleter"/>
</completers>
</command>
......@@ -435,9 +433,7 @@
</command>
</command-bundle>
<bean id="permAppNameCompleter" class="org.onosproject.cli.security.PermissionApplicationNameCompleter"/>
<bean id="permCommandCompleter" class="org.onosproject.cli.security.PermissionCommandCompleter"/>
<bean id="permNameCompleter" class="org.onosproject.cli.security.PermissionNameCompleter"/>
<bean id="reviewAppNameCompleter" class="org.onosproject.cli.security.ReviewApplicationNameCompleter"/>
<bean id="appCommandCompleter" class="org.onosproject.cli.app.ApplicationCommandCompleter"/>
<bean id="appNameCompleter" class="org.onosproject.cli.app.ApplicationNameCompleter"/>
<bean id="allAppNameCompleter" class="org.onosproject.cli.app.AllApplicationNamesCompleter"/>
......
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import java.io.InputStream;
import java.util.Set;
......
......@@ -16,8 +16,8 @@
package org.onosproject.app;
import org.onosproject.core.ApplicationRole;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
......
......@@ -17,8 +17,8 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerService;
import org.onosproject.security.Permission;
import java.util.Set;
......
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.onosproject.store.Store;
import java.io.InputStream;
......
......@@ -16,8 +16,8 @@
package org.onosproject.app;
import org.onosproject.core.ApplicationRole;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
......
......@@ -15,6 +15,8 @@
*/
package org.onosproject.core;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
import java.util.Optional;
......
......@@ -23,9 +23,9 @@ public enum ApplicationRole {
ADMIN,
/**
* Indicates that an application has a REGULAR role.
* Indicates that an application has a USER role.
*/
REGULAR,
USER,
/**
* Indicates that an application role has not been specified.
......
......@@ -15,6 +15,8 @@
*/
package org.onosproject.core;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.Set;
import java.util.Optional;
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.core;
/**
* Representation of an application permission.
*/
public enum Permission {
APP_READ,
APP_EVENT,
CONFIG_READ,
CONFIG_WRITE,
CLUSTER_READ,
CLUSTER_WRITE,
CLUSTER_EVENT,
DEVICE_READ,
DEVICE_EVENT,
DRIVER_READ,
DRIVER_WRITE,
FLOWRULE_READ,
FLOWRULE_WRITE,
FLOWRULE_EVENT,
GROUP_READ,
GROUP_WRITE,
GROUP_EVENT,
HOST_READ,
HOST_WRITE,
HOST_EVENT,
INTENT_READ,
INTENT_WRITE,
INTENT_EVENT,
LINK_READ,
LINK_WRITE,
LINK_EVENT,
PACKET_READ,
PACKET_WRITE,
PACKET_EVENT,
STATISTIC_READ,
TOPOLOGY_READ,
TOPOLOGY_EVENT,
TUNNEL_READ,
TUNNEL_WRITE,
TUNNEL_EVENT,
STORAGE_WRITE
}
......@@ -15,7 +15,6 @@
*/
package org.onosproject.net.packet;
import org.onosproject.core.Permission;
import org.onosproject.net.flow.DefaultTrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment.Builder;
......@@ -23,7 +22,7 @@ import org.onosproject.net.flow.TrafficTreatment.Builder;
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
* Default implementation of a packet context.
......@@ -57,29 +56,25 @@ public abstract class DefaultPacketContext implements PacketContext {
@Override
public long time() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return time;
}
@Override
public InboundPacket inPacket() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return inPkt;
}
@Override
public OutboundPacket outPacket() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return outPkt;
}
@Override
public Builder treatmentBuilder() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return builder;
}
......@@ -88,15 +83,13 @@ public abstract class DefaultPacketContext implements PacketContext {
@Override
public boolean block() {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
return this.block.getAndSet(true);
}
@Override
public boolean isHandled() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return this.block.get();
}
}
\ No newline at end of file
......
......@@ -16,7 +16,6 @@
package org.onosproject.security;
import org.onosproject.core.Permission;
/**
* Aids SM-ONOS to perform API-level permission checking.
......@@ -30,10 +29,10 @@ public final class AppGuard {
* Checks if the caller has the required permission only when security-mode is enabled.
* @param permission permission to be checked
*/
public static void checkPermission(Permission permission) {
public static void checkPermission(AppPermission.Type permission) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
System.getSecurityManager().checkPermission(new AppPermission(permission.name()));
System.getSecurityManager().checkPermission(new AppPermission(permission));
}
}
}
......
......@@ -23,12 +23,57 @@ import java.security.BasicPermission;
*/
public class AppPermission extends BasicPermission {
public enum Type {
APP_READ,
APP_EVENT,
CONFIG_READ,
CONFIG_WRITE,
CLUSTER_READ,
CLUSTER_WRITE,
CLUSTER_EVENT,
DEVICE_READ,
DEVICE_EVENT,
DRIVER_READ,
DRIVER_WRITE,
FLOWRULE_READ,
FLOWRULE_WRITE,
FLOWRULE_EVENT,
GROUP_READ,
GROUP_WRITE,
GROUP_EVENT,
HOST_READ,
HOST_WRITE,
HOST_EVENT,
INTENT_READ,
INTENT_WRITE,
INTENT_EVENT,
LINK_READ,
LINK_WRITE,
LINK_EVENT,
PACKET_READ,
PACKET_WRITE,
PACKET_EVENT,
STATISTIC_READ,
TOPOLOGY_READ,
TOPOLOGY_EVENT,
TUNNEL_READ,
TUNNEL_WRITE,
TUNNEL_EVENT,
STORAGE_WRITE
}
protected Type type;
/**
* Creates new application permission using the supplied data.
* @param name permission name
*/
public AppPermission(String name) {
super(name.toUpperCase(), "");
try {
type = Type.valueOf(name);
} catch (IllegalArgumentException e) {
type = null;
}
}
/**
......@@ -38,6 +83,28 @@ public class AppPermission extends BasicPermission {
*/
public AppPermission(String name, String actions) {
super(name.toUpperCase(), actions);
try {
type = Type.valueOf(name);
} catch (IllegalArgumentException e) {
type = null;
}
}
/**
* Crates new application permission using the supplied data.
* @param type permission type
*/
public AppPermission(Type type) {
super(type.name(), "");
this.type = type;
}
/**
* Returns type of permission.
* @return application permission type
*/
public Type getType() {
return this.type;
}
}
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security;
public class Permission {
protected String classname;
protected String name;
protected String actions;
public Permission(String classname, String name, String actions) {
this.classname = classname;
this.name = name;
if (actions == null) {
this.actions = "";
} else {
this.actions = actions;
}
}
public Permission(String classname, String name) {
this.classname = classname;
this.name = name;
this.actions = "";
}
public String getClassName() {
return classname;
}
public String getName() {
return name;
}
public String getActions() {
return actions;
}
@Override
public int hashCode() {
return 0;
}
@Override
public boolean equals(Object thatPerm) {
if (this == thatPerm) {
return true;
}
if (!(thatPerm instanceof Permission)) {
return false;
}
Permission that = (Permission) thatPerm;
return (this.classname.equals(that.classname)) && (this.name.equals(that.name))
&& (this.actions.equals(that.actions));
}
@Override
public String toString() {
return String.format("(%s, %s, %s)", classname, name, actions);
}
}
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security;
import org.onosproject.core.ApplicationId;
import java.security.Permission;
import java.util.List;
import java.util.Map;
/**
* Security-Mode ONOS service.
*/
public interface SecurityAdminService {
/**
* Returns true if security policy has been enforced to specified application.
* @param appId application identifier
* @return true if secured.
*/
boolean isSecured(ApplicationId appId);
/**
* Changes SecurityModeState of specified application to REVIEWED.
* @param appId application identifier
*/
void review(ApplicationId appId);
/**
* Accepts and enforces security policy to specified application.
* @param appId application identifier
*/
void acceptPolicy(ApplicationId appId);
/**
* Register application to SM-ONOS subsystem.
* @param appId application identifier
*/
void register(ApplicationId appId);
/**
* Returns sorted developer specified permission Map.
* @param appId application identifier
* @return Map of list of permissions sorted by permission type
*/
Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId);
/**
* Returns sorted granted permission Map.
* @param appId application identifier
* @return Map of list of permissions sorted by permission type
*/
Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId);
/**
* Returns sorted requested permission Map.
* @param appId application identifier
* @return Map of list of permissions sorted by permission type
*/
Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId);
}
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security;
import org.onlab.osgi.DefaultServiceDirectory;
import org.onlab.osgi.ServiceDirectory;
import org.onlab.osgi.ServiceNotFoundException;
import org.onosproject.core.ApplicationId;
/**
* Utility class to aid Security-Mode ONOS.
*/
public final class SecurityUtil {
protected static ServiceDirectory serviceDirectory = new DefaultServiceDirectory();
private SecurityUtil() {
}
public static boolean isSecurityModeEnabled() {
if (System.getSecurityManager() != null) {
try {
SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
if (securityService != null) {
return true;
}
} catch (ServiceNotFoundException e) {
return false;
}
}
return false;
}
public static SecurityAdminService getSecurityService() {
if (System.getSecurityManager() != null) {
try {
SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
if (securityService != null) {
return securityService;
}
} catch (ServiceNotFoundException e) {
return null;
}
}
return null;
}
public static boolean isAppSecured(ApplicationId appId) {
SecurityAdminService service = getSecurityService();
if (service != null) {
if (!service.isSecured(appId)) {
System.out.println("\n*******************************");
System.out.println(" SM-ONOS APP WARNING ");
System.out.println("*******************************");
System.out.println(appId.name() + " has not been secured.");
System.out.println("Please review before activating.");
return false;
}
}
return true;
}
public static void register(ApplicationId appId) {
SecurityAdminService service = getSecurityService();
if (service != null) {
service.register(appId);
}
}
}
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import java.io.InputStream;
import java.util.Set;
......
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import java.util.Set;
......
......@@ -17,7 +17,7 @@ package org.onosproject.app;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.onosproject.store.AbstractStore;
import java.io.InputStream;
......
......@@ -19,8 +19,9 @@ import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import org.junit.Test;
import org.onosproject.core.ApplicationRole;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.security.AppPermission;
import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
......@@ -40,7 +41,9 @@ public class DefaultApplicationDescriptionTest {
public static final String DESC = "Awesome application from Circus, Inc.";
public static final String ORIGIN = "Circus";
public static final ApplicationRole ROLE = ApplicationRole.ADMIN;
public static final Set<Permission> PERMS = ImmutableSet.of(Permission.FLOWRULE_WRITE, Permission.FLOWRULE_READ);
public static final Set<Permission> PERMS = ImmutableSet.of(
new Permission(AppPermission.class.getName(), "FLOWRULE_WRITE"),
new Permission(AppPermission.class.getName(), "FLOWRULE_READ"));
public static final URI FURL = URI.create("mvn:org.foo-features/1.2a/xml/features");
public static final List<String> FEATURES = ImmutableList.of("foo", "bar");
......
......@@ -33,6 +33,10 @@
<dependencies>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.core</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-api</artifactId>
</dependency>
......
......@@ -20,6 +20,7 @@ import com.google.common.collect.ImmutableSet;
import com.google.common.io.ByteStreams;
import com.google.common.io.Files;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.configuration.HierarchicalConfiguration;
import org.apache.commons.configuration.XMLConfiguration;
import org.onlab.util.Tools;
import org.onosproject.app.ApplicationDescription;
......@@ -28,9 +29,11 @@ import org.onosproject.app.ApplicationException;
import org.onosproject.app.ApplicationStoreDelegate;
import org.onosproject.app.DefaultApplicationDescription;
import org.onosproject.core.ApplicationRole;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.security.AppPermission;
import org.onosproject.security.Permission;
import org.onosproject.store.AbstractStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -79,7 +82,9 @@ public class ApplicationArchive
private static final String DESCRIPTION = "description";
private static final String ROLE = "security.role";
private static final String PERMISSIONS = "security.permissions.permission";
private static final String APP_PERMISSIONS = "security.permissions.app-perm";
private static final String NET_PERMISSIONS = "security.permissions.net-perm";
private static final String JAVA_PERMISSIONS = "security.permissions.java-perm";
private static final String OAR = ".oar";
private static final String APP_XML = "app.xml";
......@@ -386,13 +391,25 @@ public class ApplicationArchive
// Returns the set of Permissions specified in the app.xml file
private ImmutableSet<Permission> getPermissions(XMLConfiguration cfg) {
List<Permission> permissionList = new ArrayList();
for (Object o : cfg.getList(PERMISSIONS)) {
for (Object o : cfg.getList(APP_PERMISSIONS)) {
String name = (String) o;
try {
Permission perm = Permission.valueOf(name);
permissionList.add(perm);
} catch (IllegalArgumentException e) {
log.debug("Unknown permission specified: %s", name);
permissionList.add(new Permission(AppPermission.class.getName(), name));
}
for (Object o : cfg.getList(NET_PERMISSIONS)) {
//TODO: TO BE FLESHED OUT WHEN NETWORK PERMISSIONS ARE SUPPORTED
break;
}
List<HierarchicalConfiguration> fields =
cfg.configurationsAt(JAVA_PERMISSIONS);
for (HierarchicalConfiguration sub : fields) {
String classname = sub.getString("classname");
String name = sub.getString("name");
String actions = sub.getString("actions");
if (classname != null && name != null) {
permissionList.add(new Permission(classname, name, actions));
}
}
return ImmutableSet.copyOf(permissionList);
......
......@@ -31,7 +31,7 @@ import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.DefaultApplication;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.slf4j.Logger;
import java.io.InputStream;
......
......@@ -28,7 +28,8 @@ import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStoreAdapter;
import org.onosproject.core.DefaultApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.AppPermission;
import org.onosproject.security.Permission;
import java.io.File;
import java.io.IOException;
......@@ -114,7 +115,8 @@ public class SimpleApplicationStoreTest {
@Test
public void permissions() {
Application app = createTestApp();
ImmutableSet<Permission> permissions = ImmutableSet.of(Permission.FLOWRULE_WRITE);
ImmutableSet<Permission> permissions =
ImmutableSet.of(new Permission(AppPermission.class.getName(), "FLOWRULE_WRITE"));
store.setPermissions(app.id(), permissions);
assertEquals("incorrect app perms", 1, store.getPermissions(app.id()).size());
assertEquals("incorrect app state", INSTALLED, store.getState(app.id()));
......
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2015 Open Networking Laboratory
~
......@@ -21,8 +20,10 @@
<security>
<role>ADMIN</role>
<permissions>
<permission>FLOWRULE_WRITE</permission>
<permission>FLOWRULE_READ</permission>
<app-perm>FLOWRULE_WRITE</app-perm>
<app-perm>FLOWRULE_READ</app-perm>
</permissions>
</security>
</app>
......
......@@ -33,7 +33,8 @@ import org.onosproject.app.ApplicationStoreDelegate;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.onosproject.security.SecurityUtil;
import org.slf4j.Logger;
import java.io.InputStream;
......@@ -41,6 +42,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.app.ApplicationEvent.Type.*;
import static org.onosproject.security.AppPermission.Type.*;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
......@@ -87,34 +89,34 @@ public class ApplicationManager
@Override
public Set<Application> getApplications() {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return store.getApplications();
}
@Override
public ApplicationId getId(String name) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
checkNotNull(name, "Name cannot be null");
return store.getId(name);
}
@Override
public Application getApplication(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getApplication(appId);
}
@Override
public ApplicationState getState(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getState(appId);
}
@Override
public Set<Permission> getPermissions(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getPermissions(appId);
}
......@@ -122,7 +124,9 @@ public class ApplicationManager
@Override
public Application install(InputStream appDescStream) {
checkNotNull(appDescStream, "Application archive stream cannot be null");
return store.create(appDescStream);
Application app = store.create(appDescStream);
SecurityUtil.register(app.id());
return app;
}
@Override
......@@ -138,6 +142,9 @@ public class ApplicationManager
@Override
public void activate(ApplicationId appId) {
checkNotNull(appId, APP_ID_NULL);
if (!SecurityUtil.isAppSecured(appId)) {
return;
}
store.activate(appId);
}
......
......@@ -31,7 +31,6 @@ import org.onosproject.cfg.ComponentConfigService;
import org.onosproject.cfg.ComponentConfigStore;
import org.onosproject.cfg.ComponentConfigStoreDelegate;
import org.onosproject.cfg.ConfigProperty;
import org.onosproject.core.Permission;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
......@@ -50,6 +49,7 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -99,14 +99,14 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public Set<String> getComponentNames() {
checkPermission(Permission.CONFIG_READ);
checkPermission(CONFIG_READ);
return ImmutableSet.copyOf(properties.keySet());
}
@Override
public void registerProperties(Class<?> componentClass) {
checkPermission(Permission.CONFIG_WRITE);
checkPermission(CONFIG_WRITE);
String componentName = componentClass.getName();
String resourceName = componentClass.getSimpleName() + RESOURCE_EXT;
......@@ -130,7 +130,7 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public void unregisterProperties(Class<?> componentClass, boolean clear) {
checkPermission(Permission.CONFIG_WRITE);
checkPermission(CONFIG_WRITE);
String componentName = componentClass.getName();
checkNotNull(componentName, COMPONENT_NULL);
......@@ -148,7 +148,7 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public Set<ConfigProperty> getProperties(String componentName) {
checkPermission(Permission.CONFIG_READ);
checkPermission(CONFIG_READ);
Map<String, ConfigProperty> map = properties.get(componentName);
return map != null ? ImmutableSet.copyOf(map.values()) : null;
......@@ -156,7 +156,7 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public void setProperty(String componentName, String name, String value) {
checkPermission(Permission.CONFIG_WRITE);
checkPermission(CONFIG_WRITE);
checkNotNull(componentName, COMPONENT_NULL);
checkNotNull(name, PROPERTY_NULL);
......@@ -165,7 +165,7 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public void unsetProperty(String componentName, String name) {
checkPermission(Permission.CONFIG_WRITE);
checkPermission(CONFIG_WRITE);
checkNotNull(componentName, COMPONENT_NULL);
checkNotNull(name, PROPERTY_NULL);
......
......@@ -34,7 +34,6 @@ import org.onosproject.cluster.ClusterStoreDelegate;
import org.onosproject.cluster.ControllerNode;
import org.onosproject.cluster.NodeId;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.Permission;
import org.slf4j.Logger;
import java.util.Set;
......@@ -43,6 +42,8 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -86,26 +87,26 @@ public class ClusterManager
@Override
public ControllerNode getLocalNode() {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
return store.getLocalNode();
}
@Override
public Set<ControllerNode> getNodes() {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
return store.getNodes();
}
@Override
public ControllerNode getNode(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(nodeId, INSTANCE_ID_NULL);
return store.getNode(nodeId);
}
@Override
public ControllerNode.State getState(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(nodeId, INSTANCE_ID_NULL);
return store.getState(nodeId);
}
......@@ -113,7 +114,7 @@ public class ClusterManager
@Override
public DateTime getLastUpdated(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
return store.getLastUpdated(nodeId);
}
......
......@@ -32,7 +32,6 @@ import org.onosproject.cluster.NodeId;
import org.onosproject.cluster.RoleInfo;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.MetricsHelper;
import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipAdminService;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
......@@ -62,6 +61,8 @@ import static org.onosproject.cluster.ControllerNode.State.ACTIVE;
import static org.onosproject.net.MastershipRole.MASTER;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
@Component(immediate = true)
......@@ -136,7 +137,7 @@ public class MastershipManager
@Override
public MastershipRole getLocalRole(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getRole(clusterService.getLocalNode().id(), deviceId);
......@@ -144,7 +145,7 @@ public class MastershipManager
@Override
public CompletableFuture<Void> relinquishMastership(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_WRITE);
checkPermission(CLUSTER_WRITE);
return store.relinquishRole(localNodeId, deviceId)
.thenAccept(this::post)
.thenApply(v -> null);
......@@ -152,7 +153,7 @@ public class MastershipManager
@Override
public CompletableFuture<MastershipRole> requestRoleFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_WRITE);
checkPermission(CLUSTER_WRITE);
checkNotNull(deviceId, DEVICE_ID_NULL);
final Context timer = startTimer(requestRoleTimer);
......@@ -162,7 +163,7 @@ public class MastershipManager
@Override
public NodeId getMasterFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getMaster(deviceId);
......@@ -170,7 +171,7 @@ public class MastershipManager
@Override
public Set<DeviceId> getDevicesOf(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(nodeId, NODE_ID_NULL);
return store.getDevices(nodeId);
......@@ -178,7 +179,7 @@ public class MastershipManager
@Override
public RoleInfo getNodesFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getNodes(deviceId);
......
......@@ -31,7 +31,6 @@ import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdBlockStore;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.event.EventDeliveryService;
import org.osgi.service.component.ComponentContext;
......@@ -46,6 +45,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Strings.isNullOrEmpty;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -100,28 +101,28 @@ public class CoreManager implements CoreService {
@Override
public Version version() {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return version;
}
@Override
public Set<ApplicationId> getAppIds() {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return applicationIdStore.getAppIds();
}
@Override
public ApplicationId getAppId(Short id) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return applicationIdStore.getAppId(id);
}
@Override
public ApplicationId getAppId(String name) {
checkPermission(Permission.APP_READ);
checkPermission(APP_READ);
return applicationIdStore.getAppId(name);
}
......
......@@ -27,7 +27,6 @@ import org.apache.felix.scr.annotations.Service;
import org.onosproject.cluster.ClusterService;
import org.onosproject.cluster.NodeId;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
......@@ -77,6 +76,7 @@ import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.net.MastershipRole.*;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -151,60 +151,60 @@ public class DeviceManager
@Override
public int getDeviceCount() {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
return store.getDeviceCount();
}
@Override
public Iterable<Device> getDevices() {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
return store.getDevices();
}
@Override
public Iterable<Device> getAvailableDevices() {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
return store.getAvailableDevices();
}
@Override
public Device getDevice(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDevice(deviceId);
}
@Override
public MastershipRole getRole(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return mastershipService.getLocalRole(deviceId);
}
@Override
public List<Port> getPorts(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPorts(deviceId);
}
@Override
public List<PortStatistics> getPortStatistics(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPortStatistics(deviceId);
}
@Override
public List<PortStatistics> getPortDeltaStatistics(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPortDeltaStatistics(deviceId);
}
@Override
public Port getPort(DeviceId deviceId, PortNumber portNumber) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
checkNotNull(portNumber, PORT_NUMBER_NULL);
return store.getPort(deviceId, portNumber);
......@@ -212,7 +212,7 @@ public class DeviceManager
@Override
public boolean isAvailable(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.isAvailable(deviceId);
......@@ -664,7 +664,7 @@ public class DeviceManager
@Override
public Iterable<Device> getDevices(Type type) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
Set<Device> results = new HashSet<>();
Iterable<Device> devices = store.getDevices();
if (devices != null) {
......@@ -679,7 +679,7 @@ public class DeviceManager
@Override
public Iterable<Device> getAvailableDevices(Type type) {
checkPermission(Permission.DEVICE_READ);
checkPermission(DEVICE_READ);
Set<Device> results = new HashSet<>();
Iterable<Device> availableDevices = store.getAvailableDevices();
if (availableDevices != null) {
......
......@@ -24,7 +24,6 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceService;
......@@ -47,6 +46,8 @@ import java.util.stream.Collectors;
import static org.onlab.util.Tools.nullIsNotFound;
import static org.onosproject.net.AnnotationKeys.DRIVER;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -108,7 +109,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Set<Driver> getDrivers() {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
ImmutableSet.Builder<Driver> builder = ImmutableSet.builder();
drivers.values().forEach(builder::add);
......@@ -117,7 +118,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Set<Driver> getDrivers(Class<? extends Behaviour> withBehaviour) {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
return drivers.values().stream()
.filter(d -> d.hasBehaviour(withBehaviour))
......@@ -126,14 +127,14 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Driver getDriver(String driverName) {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
return nullIsNotFound(drivers.get(driverName), NO_DRIVER);
}
@Override
public Driver getDriver(String mfr, String hw, String sw) {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
// First attempt a literal search.
Driver driver = driverByKey.get(key(mfr, hw, sw));
......@@ -160,7 +161,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Driver getDriver(DeviceId deviceId) {
checkPermission(Permission.DRIVER_READ);
checkPermission(DRIVER_READ);
Device device = nullIsNotFound(deviceService.getDevice(deviceId), NO_DEVICE);
String driverName = device.annotations().value(DRIVER);
......@@ -174,7 +175,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public DriverHandler createHandler(DeviceId deviceId, String... credentials) {
checkPermission(Permission.DRIVER_WRITE);
checkPermission(DRIVER_WRITE);
Driver driver = getDriver(deviceId);
return new DefaultDriverHandler(new DefaultDriverData(driver, deviceId));
......
......@@ -36,7 +36,6 @@ import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceService;
......@@ -79,6 +78,8 @@ import static org.onosproject.net.flow.FlowRuleEvent.Type.RULE_ADD_REQUESTED;
import static org.onosproject.net.flow.FlowRuleEvent.Type.RULE_REMOVE_REQUESTED;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -165,19 +166,19 @@ public class FlowRuleManager
@Override
public int getFlowRuleCount() {
checkPermission(Permission.FLOWRULE_READ);
checkPermission(FLOWRULE_READ);
return store.getFlowRuleCount();
}
@Override
public Iterable<FlowEntry> getFlowEntries(DeviceId deviceId) {
checkPermission(Permission.FLOWRULE_READ);
checkPermission(FLOWRULE_READ);
return store.getFlowEntries(deviceId);
}
@Override
public void applyFlowRules(FlowRule... flowRules) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
for (int i = 0; i < flowRules.length; i++) {
......@@ -188,7 +189,7 @@ public class FlowRuleManager
@Override
public void removeFlowRules(FlowRule... flowRules) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
for (int i = 0; i < flowRules.length; i++) {
......@@ -199,13 +200,13 @@ public class FlowRuleManager
@Override
public void removeFlowRulesById(ApplicationId id) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
removeFlowRules(Iterables.toArray(getFlowRulesById(id), FlowRule.class));
}
@Override
public Iterable<FlowRule> getFlowRulesById(ApplicationId id) {
checkPermission(Permission.FLOWRULE_READ);
checkPermission(FLOWRULE_READ);
Set<FlowRule> flowEntries = Sets.newHashSet();
for (Device d : deviceService.getDevices()) {
......@@ -220,7 +221,7 @@ public class FlowRuleManager
@Override
public Iterable<FlowRule> getFlowRulesByGroupId(ApplicationId appId, short groupId) {
checkPermission(Permission.FLOWRULE_READ);
checkPermission(FLOWRULE_READ);
Set<FlowRule> matches = Sets.newHashSet();
long toLookUp = ((long) appId.id() << 16) | groupId;
......@@ -236,7 +237,7 @@ public class FlowRuleManager
@Override
public void apply(FlowRuleOperations ops) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
operationsService.submit(new FlowOperationsProcessor(ops));
}
......
......@@ -27,7 +27,6 @@ import org.onlab.osgi.DefaultServiceDirectory;
import org.onlab.osgi.ServiceDirectory;
import org.onlab.util.ItemNotFoundException;
import org.onosproject.cluster.ClusterService;
import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
import org.onosproject.mastership.MastershipService;
......@@ -62,6 +61,8 @@ import static com.google.common.base.Preconditions.checkNotNull;
import static java.util.concurrent.Executors.newFixedThreadPool;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -193,13 +194,13 @@ public class FlowObjectiveManager implements FlowObjectiveService {
@Override
public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
executorService.submit(new ObjectiveInstaller(deviceId, filteringObjective));
}
@Override
public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
if (queueObjective(deviceId, forwardingObjective)) {
return;
}
......@@ -208,13 +209,13 @@ public class FlowObjectiveManager implements FlowObjectiveService {
@Override
public void next(DeviceId deviceId, NextObjective nextObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
executorService.submit(new ObjectiveInstaller(deviceId, nextObjective));
}
@Override
public int allocateNextId() {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
return flowObjectiveStore.allocateNextId();
}
......
......@@ -27,7 +27,6 @@ import org.onlab.osgi.DefaultServiceDirectory;
import org.onlab.osgi.ServiceDirectory;
import org.onlab.util.ItemNotFoundException;
import org.onosproject.cluster.ClusterService;
import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
import org.onosproject.mastership.MastershipService;
......@@ -65,6 +64,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
import static java.util.concurrent.Executors.newFixedThreadPool;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -217,7 +217,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
@Override
public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
List<FilteringObjective> filteringObjectives
= this.deviceCompositionTreeMap.get(deviceId).updateFilter(filteringObjective);
......@@ -228,7 +228,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
@Override
public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
if (queueObjective(deviceId, forwardingObjective)) {
return;
......@@ -242,7 +242,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
@Override
public void next(DeviceId deviceId, NextObjective nextObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
List<NextObjective> nextObjectives = this.deviceCompositionTreeMap.get(deviceId).updateNext(nextObjective);
for (NextObjective tmp : nextObjectives) {
......@@ -252,7 +252,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
@Override
public int allocateNextId() {
checkPermission(Permission.FLOWRULE_WRITE);
checkPermission(FLOWRULE_WRITE);
return flowObjectiveStore.allocateNextId();
}
......
......@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceEvent;
import org.onosproject.net.device.DeviceListener;
......@@ -51,6 +50,8 @@ import java.util.Collections;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -96,7 +97,7 @@ public class GroupManager
*/
@Override
public void addGroup(GroupDescription groupDesc) {
checkPermission(Permission.GROUP_WRITE);
checkPermission(GROUP_WRITE);
store.storeGroupDescription(groupDesc);
}
......@@ -115,7 +116,7 @@ public class GroupManager
*/
@Override
public Group getGroup(DeviceId deviceId, GroupKey appCookie) {
checkPermission(Permission.GROUP_READ);
checkPermission(GROUP_READ);
return store.getGroup(deviceId, appCookie);
}
......@@ -137,7 +138,7 @@ public class GroupManager
GroupBuckets buckets,
GroupKey newCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
checkPermission(GROUP_WRITE);
store.updateGroupDescription(deviceId,
oldCookie,
UpdateType.ADD,
......@@ -163,7 +164,7 @@ public class GroupManager
GroupBuckets buckets,
GroupKey newCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
checkPermission(GROUP_WRITE);
store.updateGroupDescription(deviceId,
oldCookie,
UpdateType.REMOVE,
......@@ -185,7 +186,7 @@ public class GroupManager
public void removeGroup(DeviceId deviceId,
GroupKey appCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
checkPermission(GROUP_WRITE);
store.deleteGroupDescription(deviceId, appCookie);
}
......@@ -200,13 +201,13 @@ public class GroupManager
@Override
public Iterable<Group> getGroups(DeviceId deviceId,
ApplicationId appId) {
checkPermission(Permission.GROUP_READ);
checkPermission(GROUP_READ);
return store.getGroups(deviceId);
}
@Override
public Iterable<Group> getGroups(DeviceId deviceId) {
checkPermission(Permission.GROUP_READ);
checkPermission(GROUP_READ);
return store.getGroups(deviceId);
}
......
......@@ -26,7 +26,6 @@ import org.onlab.packet.MacAddress;
import org.onlab.packet.VlanId;
import org.onosproject.incubator.net.intf.InterfaceService;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
......@@ -57,6 +56,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
* Provides basic implementation of the host SB &amp; NB APIs.
......@@ -118,66 +118,66 @@ public class HostManager
@Override
public int getHostCount() {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getHostCount();
}
@Override
public Iterable<Host> getHosts() {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getHosts();
}
@Override
public Host getHost(HostId hostId) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(hostId, HOST_ID_NULL);
return store.getHost(hostId);
}
@Override
public Set<Host> getHostsByVlan(VlanId vlanId) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getHosts(vlanId);
}
@Override
public Set<Host> getHostsByMac(MacAddress mac) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(mac, "MAC address cannot be null");
return store.getHosts(mac);
}
@Override
public Set<Host> getHostsByIp(IpAddress ip) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(ip, "IP address cannot be null");
return store.getHosts(ip);
}
@Override
public Set<Host> getConnectedHosts(ConnectPoint connectPoint) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(connectPoint, "Connection point cannot be null");
return store.getConnectedHosts(connectPoint);
}
@Override
public Set<Host> getConnectedHosts(DeviceId deviceId) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
checkNotNull(deviceId, "Device ID cannot be null");
return store.getConnectedHosts(deviceId);
}
@Override
public void startMonitoringIp(IpAddress ip) {
checkPermission(Permission.HOST_EVENT);
checkPermission(HOST_EVENT);
monitor.addMonitoringFor(ip);
}
@Override
public void stopMonitoringIp(IpAddress ip) {
checkPermission(Permission.HOST_EVENT);
checkPermission(HOST_EVENT);
monitor.stopMonitoring(ip);
}
......@@ -212,13 +212,13 @@ public class HostManager
@Override
public Set<PortAddresses> getAddressBindings() {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getAddressBindings();
}
@Override
public Set<PortAddresses> getAddressBindingsForPort(ConnectPoint connectPoint) {
checkPermission(Permission.HOST_READ);
checkPermission(HOST_READ);
return store.getAddressBindingsForPort(connectPoint);
}
......
......@@ -25,7 +25,6 @@ import org.apache.felix.scr.annotations.Service;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.net.flow.FlowRule;
import org.onosproject.net.flow.FlowRuleOperations;
import org.onosproject.net.flow.FlowRuleOperationsContext;
......@@ -67,6 +66,8 @@ import static org.onosproject.net.intent.constraint.PartialFailureConstraint.int
import static org.onosproject.net.intent.impl.phase.IntentProcessPhase.newInitialPhase;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
* An implementation of intent service.
......@@ -138,7 +139,7 @@ public class IntentManager
@Override
public void submit(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.INSTALL_REQ, null);
store.addPending(data);
......@@ -146,7 +147,7 @@ public class IntentManager
@Override
public void withdraw(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.WITHDRAW_REQ, null);
store.addPending(data);
......@@ -154,7 +155,7 @@ public class IntentManager
@Override
public void purge(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.PURGE_REQ, null);
store.addPending(data);
......@@ -162,45 +163,45 @@ public class IntentManager
@Override
public Intent getIntent(Key key) {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getIntent(key);
}
@Override
public Iterable<Intent> getIntents() {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getIntents();
}
@Override
public Iterable<IntentData> getIntentData() {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getIntentData(false, 0);
}
@Override
public long getIntentCount() {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getIntentCount();
}
@Override
public IntentState getIntentState(Key intentKey) {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
checkNotNull(intentKey, INTENT_ID_NULL);
return store.getIntentState(intentKey);
}
@Override
public List<Intent> getInstallableIntents(Key intentKey) {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
checkNotNull(intentKey, INTENT_ID_NULL);
return store.getInstallableIntents(intentKey);
}
@Override
public boolean isLocal(Key intentKey) {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.isMaster(intentKey);
}
......@@ -221,7 +222,7 @@ public class IntentManager
@Override
public Iterable<Intent> getPending() {
checkPermission(Permission.INTENT_READ);
checkPermission(INTENT_READ);
return store.getPending();
}
......
......@@ -25,7 +25,6 @@ import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
......@@ -59,6 +58,7 @@ import static com.google.common.base.Preconditions.checkState;
import static org.onosproject.net.LinkKey.linkKey;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -111,19 +111,19 @@ public class LinkManager
@Override
public int getLinkCount() {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getLinkCount();
}
@Override
public Iterable<Link> getLinks() {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getLinks();
}
@Override
public Iterable<Link> getActiveLinks() {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return FluentIterable.from(getLinks())
.filter(new Predicate<Link>() {
......@@ -136,7 +136,7 @@ public class LinkManager
@Override
public Set<Link> getDeviceLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return Sets.union(store.getDeviceEgressLinks(deviceId),
store.getDeviceIngressLinks(deviceId));
......@@ -144,21 +144,21 @@ public class LinkManager
@Override
public Set<Link> getDeviceEgressLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDeviceEgressLinks(deviceId);
}
@Override
public Set<Link> getDeviceIngressLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDeviceIngressLinks(deviceId);
}
@Override
public Set<Link> getLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return Sets.union(store.getEgressLinks(connectPoint),
store.getIngressLinks(connectPoint));
......@@ -166,21 +166,21 @@ public class LinkManager
@Override
public Set<Link> getEgressLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return store.getEgressLinks(connectPoint);
}
@Override
public Set<Link> getIngressLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return store.getIngressLinks(connectPoint);
}
@Override
public Link getLink(ConnectPoint src, ConnectPoint dst) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
checkNotNull(src, CONNECT_POINT_NULL);
checkNotNull(dst, CONNECT_POINT_NULL);
return store.getLink(src, dst);
......
......@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.CoreService;
import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.device.DeviceEvent;
import org.onosproject.net.device.DeviceListener;
......@@ -63,7 +62,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
* Provides a basic implementation of the packet SB &amp; NB APIs.
......@@ -126,14 +125,14 @@ public class PacketManager
@Override
public void addProcessor(PacketProcessor processor, int priority) {
checkPermission(Permission.PACKET_EVENT);
checkPermission(PACKET_EVENT);
checkNotNull(processor, "Processor cannot be null");
processors.put(priority, processor);
}
@Override
public void removeProcessor(PacketProcessor processor) {
checkPermission(Permission.PACKET_EVENT);
checkPermission(PACKET_EVENT);
checkNotNull(processor, "Processor cannot be null");
processors.values().remove(processor);
}
......@@ -141,7 +140,7 @@ public class PacketManager
@Override
public void requestPackets(TrafficSelector selector, PacketPriority priority,
ApplicationId appId) {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
checkNotNull(selector, "Selector cannot be null");
checkNotNull(appId, "Application ID cannot be null");
......@@ -154,7 +153,7 @@ public class PacketManager
@Override
public void cancelPackets(TrafficSelector selector, PacketPriority priority,
ApplicationId appId) {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
checkNotNull(selector, "Selector cannot be null");
checkNotNull(appId, "Application ID cannot be null");
......@@ -246,7 +245,7 @@ public class PacketManager
@Override
public void emit(OutboundPacket packet) {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
checkNotNull(packet, "Packet cannot be null");
store.emit(packet);
}
......
......@@ -33,7 +33,6 @@ import org.onlab.packet.VlanId;
import org.onlab.packet.ndp.NeighborAdvertisement;
import org.onlab.packet.ndp.NeighborDiscoveryOptions;
import org.onlab.packet.ndp.NeighborSolicitation;
import org.onosproject.core.Permission;
import org.onosproject.incubator.net.intf.Interface;
import org.onosproject.incubator.net.intf.InterfaceService;
import org.onosproject.net.ConnectPoint;
......@@ -61,6 +60,7 @@ import static org.onlab.packet.VlanId.vlanId;
import static org.onosproject.net.HostId.hostId;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
@Component(immediate = true)
......@@ -110,7 +110,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public boolean isKnown(IpAddress addr) {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
checkNotNull(addr, MAC_ADDR_NULL);
Set<Host> hosts = hostService.getHostsByIp(addr);
return !hosts.isEmpty();
......@@ -118,7 +119,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public void reply(Ethernet eth, ConnectPoint inPort) {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
checkNotNull(eth, REQUEST_NULL);
if (eth.getEtherType() == Ethernet.TYPE_ARP) {
......@@ -316,7 +318,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public void forward(Ethernet eth, ConnectPoint inPort) {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
checkNotNull(eth, REQUEST_NULL);
Host h = hostService.getHost(hostId(eth.getDestinationMAC(),
......@@ -333,7 +336,7 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public boolean handlePacket(PacketContext context) {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
InboundPacket pkt = context.inPacket();
Ethernet ethPkt = pkt.parsed();
......
......@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.Permission;
import org.onosproject.net.Link;
import org.onosproject.net.intent.IntentId;
import org.onosproject.net.resource.ResourceAllocation;
......@@ -58,6 +57,7 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -150,7 +150,7 @@ public class LinkResourceManager
@Override
public LinkResourceAllocations requestResources(LinkResourceRequest req) {
checkPermission(Permission.LINK_WRITE);
checkPermission(LINK_WRITE);
// TODO Concatenate multiple bandwidth requests.
// TODO Support multiple lambda resource requests.
......@@ -213,7 +213,7 @@ public class LinkResourceManager
@Override
public void releaseResources(LinkResourceAllocations allocations) {
checkPermission(Permission.LINK_WRITE);
checkPermission(LINK_WRITE);
final LinkResourceEvent event = store.releaseResources(allocations);
if (event != null) {
post(event);
......@@ -223,32 +223,32 @@ public class LinkResourceManager
@Override
public LinkResourceAllocations updateResources(LinkResourceRequest req,
LinkResourceAllocations oldAllocations) {
checkPermission(Permission.LINK_WRITE);
checkPermission(LINK_WRITE);
releaseResources(oldAllocations);
return requestResources(req);
}
@Override
public Iterable<LinkResourceAllocations> getAllocations() {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getAllocations();
}
@Override
public Iterable<LinkResourceAllocations> getAllocations(Link link) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getAllocations(link);
}
@Override
public LinkResourceAllocations getAllocations(IntentId intentId) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
return store.getAllocations(intentId);
}
@Override
public Iterable<ResourceRequest> getAvailableResources(Link link) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
Set<ResourceAllocation> freeRes = store.getFreeResources(link);
Set<ResourceRequest> result = new HashSet<>();
......@@ -274,7 +274,7 @@ public class LinkResourceManager
@Override
public Iterable<ResourceRequest> getAvailableResources(Link link,
LinkResourceAllocations allocations) {
checkPermission(Permission.LINK_READ);
checkPermission(LINK_READ);
Set<ResourceAllocation> allocatedRes = allocations.getResourceAllocation(link);
Set<ResourceRequest> result = Sets.newHashSet(getAvailableResources(link));
......
......@@ -27,7 +27,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.GroupId;
import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.Link;
import org.onosproject.net.Path;
......@@ -51,6 +50,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -86,14 +86,14 @@ public class StatisticManager implements StatisticService {
@Override
public Load load(Link link) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
return load(link.src());
}
@Override
public Load load(Link link, ApplicationId appId, Optional<GroupId> groupId) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
Statistics stats = getStatistics(link.src());
if (!stats.isValid()) {
......@@ -114,14 +114,14 @@ public class StatisticManager implements StatisticService {
@Override
public Load load(ConnectPoint connectPoint) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
return loadInternal(connectPoint);
}
@Override
public Link max(Path path) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
if (path.links().isEmpty()) {
return null;
......@@ -140,7 +140,7 @@ public class StatisticManager implements StatisticService {
@Override
public Link min(Path path) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
if (path.links().isEmpty()) {
return null;
......@@ -159,7 +159,7 @@ public class StatisticManager implements StatisticService {
@Override
public FlowRule highestHitter(ConnectPoint connectPoint) {
checkPermission(Permission.STATISTIC_READ);
checkPermission(STATISTIC_READ);
Set<FlowEntry> hitters = statisticStore.getCurrentStatistic(connectPoint);
if (hitters.isEmpty()) {
......
......@@ -24,7 +24,6 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.DefaultEdgeLink;
import org.onosproject.net.DefaultPath;
......@@ -51,6 +50,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -88,14 +88,14 @@ public class PathManager implements PathService {
@Override
public Set<Path> getPaths(ElementId src, ElementId dst) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
return getPaths(src, dst, null);
}
@Override
public Set<Path> getPaths(ElementId src, ElementId dst, LinkWeight weight) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(src, ELEMENT_ID_NULL);
checkNotNull(dst, ELEMENT_ID_NULL);
......
......@@ -22,7 +22,6 @@ import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.Permission;
import org.onosproject.event.Event;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.DeviceId;
......@@ -51,6 +50,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppPermission.Type.*;
/**
* Provides basic implementation of the topology SB &amp; NB APIs.
......@@ -91,27 +92,27 @@ public class TopologyManager
@Override
public Topology currentTopology() {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
return store.currentTopology();
}
@Override
public boolean isLatest(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.isLatest(topology);
}
@Override
public Set<TopologyCluster> getClusters(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.getClusters(topology);
}
@Override
public TopologyCluster getCluster(Topology topology, ClusterId clusterId) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_ID_NULL);
return store.getCluster(topology, clusterId);
......@@ -119,7 +120,7 @@ public class TopologyManager
@Override
public Set<DeviceId> getClusterDevices(Topology topology, TopologyCluster cluster) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_NULL);
return store.getClusterDevices(topology, cluster);
......@@ -127,7 +128,7 @@ public class TopologyManager
@Override
public Set<Link> getClusterLinks(Topology topology, TopologyCluster cluster) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_NULL);
return store.getClusterLinks(topology, cluster);
......@@ -135,14 +136,14 @@ public class TopologyManager
@Override
public TopologyGraph getGraph(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.getGraph(topology);
}
@Override
public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(src, DEVICE_ID_NULL);
checkNotNull(dst, DEVICE_ID_NULL);
......@@ -151,7 +152,7 @@ public class TopologyManager
@Override
public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst, LinkWeight weight) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(src, DEVICE_ID_NULL);
......@@ -162,7 +163,7 @@ public class TopologyManager
@Override
public boolean isInfrastructure(Topology topology, ConnectPoint connectPoint) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(connectPoint, CONNECTION_POINT_NULL);
return store.isInfrastructure(topology, connectPoint);
......@@ -170,7 +171,7 @@ public class TopologyManager
@Override
public boolean isBroadcastPoint(Topology topology, ConnectPoint connectPoint) {
checkPermission(Permission.TOPOLOGY_READ);
checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(connectPoint, CONNECTION_POINT_NULL);
return store.isBroadcastPoint(topology, connectPoint);
......
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2015 Open Networking Laboratory
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<artifactId>onos-security</artifactId>
<groupId>org.onosproject</groupId>
<version>1.3.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
<packaging>bundle</packaging>
<artifactId>onos-security-impl</artifactId>
<description>Security-mode ONOS components</description>
<dependencies>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.core</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-api</artifactId>
</dependency>
<dependency>
<groupId>org.apache.karaf.features</groupId>
<artifactId>org.apache.karaf.features.core</artifactId>
</dependency>
</dependencies>
</project>
\ No newline at end of file
package org.onosproject.security.impl;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.karaf.features.BundleInfo;
import org.apache.karaf.features.Feature;
import org.apache.karaf.features.FeaturesService;
import org.onosproject.app.ApplicationAdminService;
import org.onosproject.app.ApplicationEvent;
import org.onosproject.app.ApplicationListener;
import org.onosproject.app.ApplicationState;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.AppPermission;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleEvent;
import org.osgi.framework.BundleListener;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.PackagePermission;
import org.osgi.framework.ServicePermission;
import org.osgi.service.log.LogEntry;
import org.osgi.service.log.LogListener;
import org.osgi.service.log.LogReaderService;
import org.osgi.service.permissionadmin.PermissionInfo;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.slf4j.Logger;
import static org.slf4j.LoggerFactory.getLogger;
/**
* Security-Mode ONOS management implementation.
*/
//TODO : implement a dedicated distributed store for SM-ONOS
@Component(immediate = true)
public class SecurityModeManager {
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected ApplicationAdminService appAdminService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected FeaturesService featuresService;
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected LogReaderService logReaderService;
private final Logger log = getLogger(getClass());
private SecurityBundleListener securityBundleListener = new SecurityBundleListener();
private SecurityApplicationListener securityApplicationListener = new SecurityApplicationListener();
private SecurityLogListener securityLogListener = new SecurityLogListener();
private Bundle bundle = null;
private BundleContext bundleContext = null;
private PermissionAdmin permissionAdmin = null;
private Map<String, ApplicationId> appTracker = null;
private Map<Permission, Set<String>> serviceDirectory = null;
@Activate
public void activate() {
if (System.getSecurityManager() == null) {
log.warn("J2EE security manager is disabled.");
deactivate();
return;
}
bundle = FrameworkUtil.getBundle(this.getClass());
bundleContext = bundle.getBundleContext();
bundleContext.addBundleListener(securityBundleListener);
appAdminService.addListener(securityApplicationListener);
logReaderService.addLogListener(securityLogListener);
appTracker = new ConcurrentHashMap<>();
permissionAdmin = getPermissionAdmin(bundleContext);
if (permissionAdmin == null) {
log.warn("Permission Admin not found.");
this.deactivate();
return;
}
serviceDirectory = PolicyBuilder.getServiceDirectory();
PermissionInfo[] allPerm = {
new PermissionInfo(AllPermission.class.getName(), "", ""), };
permissionAdmin.setPermissions(bundle.getLocation(), allPerm);
log.warn("Security-Mode Started");
}
@Deactivate
public void deactivate() {
bundleContext.removeBundleListener(securityBundleListener);
appAdminService.removeListener(securityApplicationListener);
logReaderService.removeLogListener(securityLogListener);
log.info("Stopped");
}
private class SecurityApplicationListener implements ApplicationListener {
@Override
public void event(ApplicationEvent event) {
//App needs to be restarted
if (event.type() == ApplicationEvent.Type.APP_PERMISSIONS_CHANGED) {
if (appAdminService.getState(event.subject().id()) == ApplicationState.ACTIVE) {
appAdminService.deactivate(event.subject().id());
print("Permissions updated (%s). Deactivating...",
event.subject().id().name());
}
}
}
}
private class SecurityBundleListener implements BundleListener {
@Override
public void bundleChanged(BundleEvent event) {
switch (event.getType()) {
case BundleEvent.INSTALLED:
setPermissions(event);
break;
case BundleEvent.UNINSTALLED:
clearPermissions(event);
break;
default:
break;
}
}
}
private void clearPermissions(BundleEvent bundleEvent) {
if (appTracker.containsKey(bundleEvent.getBundle().getLocation())) {
permissionAdmin.setPermissions(bundleEvent.getBundle().getLocation(), new PermissionInfo[]{});
appTracker.remove(bundleEvent.getBundle().getLocation());
}
}
// find the location of the installed bundle and enforce policy
private void setPermissions(BundleEvent bundleEvent) {
for (Application app : appAdminService.getApplications()) {
if (getBundleLocations(app).contains(bundleEvent.getBundle().getLocation())) {
String location = bundleEvent.getBundle().getLocation();
Set<org.onosproject.core.Permission> permissions =
appAdminService.getPermissions(app.id());
//Permissions granted by user overrides the permissions specified in App.Xml file
if (permissions == null) {
permissions = app.permissions();
}
if (permissions.isEmpty()) {
print("Application %s has not been granted any permission.", app.id().name());
}
PermissionInfo[] perms = null;
switch (app.role()) {
case ADMIN:
perms = PolicyBuilder.getAdminApplicationPermissions(serviceDirectory);
break;
case REGULAR:
perms = PolicyBuilder.getApplicationPermissions(serviceDirectory, permissions);
break;
case UNSPECIFIED:
default:
//no role has been assigned.
perms = PolicyBuilder.getDefaultPerms();
log.warn("Application %s has no role assigned.", app.id().name());
break;
}
permissionAdmin.setPermissions(location, perms);
appTracker.put(location, app.id());
break;
}
}
}
//TODO: dispatch security policy violation event via distributed store
//immediately notify and deactivate the application upon policy violation
private class SecurityLogListener implements LogListener {
@Override
public void logged(LogEntry entry) {
if (entry != null) {
if (entry.getException() != null) {
ApplicationId applicationId = appTracker.get(entry.getBundle().getLocation());
if (applicationId != null) {
if (appAdminService.getState(applicationId).equals(ApplicationState.ACTIVE)) {
if (entry.getException() instanceof AccessControlException) {
java.security.Permission permission =
((AccessControlException) entry.getException()).getPermission();
handleException(applicationId.name(), permission);
appAdminService.deactivate(applicationId);
}
}
}
}
}
}
}
private void handleException(String name, java.security.Permission perm) {
if (perm instanceof ServicePermission || perm instanceof PackagePermission) {
print("%s has attempted to %s %s.", name, perm.getActions(), perm.getName());
} else if (perm instanceof AppPermission) {
print("%s has attempted to call an NB API that requires %s permission.",
name, perm.getName().toUpperCase());
} else {
print("%s has attempted to perform an action that requires %s", name, perm.toString());
}
print("POLICY VIOLATION: Deactivating %s.", name);
}
private void print(String format, Object... args) {
System.out.println(String.format("SM-ONOS: " + format, args));
log.warn(String.format(format, args));
}
private List<String> getBundleLocations(Application app) {
List<String> locations = new ArrayList();
for (String name : app.features()) {
try {
Feature feature = featuresService.getFeature(name);
locations.addAll(
feature.getBundles().stream().map(BundleInfo::getLocation).collect(Collectors.toList()));
} catch (Exception e) {
return locations;
}
}
return locations;
}
private PermissionAdmin getPermissionAdmin(BundleContext context) {
return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName()));
}
}
......@@ -12,10 +12,46 @@
</parent>
<artifactId>onos-security</artifactId>
<packaging>pom</packaging>
<modules>
<module>impl</module>
</modules>
<packaging>bundle</packaging>
<description>Security-Mode ONOS project</description>
<dependencies>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.core</artifactId>
</dependency>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.compendium</artifactId>
</dependency>
<dependency>
<groupId>org.apache.felix</groupId>
<artifactId>org.apache.felix.scr.annotations</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-api</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-core-serializers</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.karaf.features</groupId>
<artifactId>org.apache.karaf.features.core</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-scr-plugin</artifactId>
</plugin>
</plugins>
</build>
<description>Security-mode ONOS project root</description>
</project>
\ No newline at end of file
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
import org.onosproject.security.Permission;
import java.util.Set;
/**
* Security-Mode ONOS security policy and state representation for distributed store.
*/
public class SecurityInfo {
protected Set<Permission> grantedPermissions;
protected SecurityModeState state;
public SecurityInfo(Set<Permission> perms, SecurityModeState state) {
this.grantedPermissions = perms;
this.state = state;
}
public Set<Permission> getPermissions() {
return grantedPermissions;
}
public SecurityModeState getState() {
return state;
}
}
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
import org.onosproject.core.ApplicationId;
import org.onosproject.event.AbstractEvent;
/**
* Security-Mode ONOS notifications.
*/
public class SecurityModeEvent extends AbstractEvent<SecurityModeEvent.Type, ApplicationId> {
protected SecurityModeEvent(Type type, ApplicationId subject) {
super(type, subject);
}
public enum Type {
/**
* Signifies that security policy has been accepted.
*/
POLICY_ACCEPTED,
/**
* Signifies that security policy has been reviewed.
*/
POLICY_REVIEWED,
/**
* Signifies that application has violated security policy.
*/
POLICY_VIOLATED,
}
}
......@@ -14,20 +14,12 @@
* limitations under the License.
*/
package org.onosproject.cli.security;
package org.onosproject.security.store;
import com.google.common.collect.ImmutableList;
import org.onosproject.cli.AbstractChoicesCompleter;
import org.onosproject.event.EventListener;
import java.util.List;
import static org.onosproject.cli.security.PermissionCommand.*;
/**
* Permission command completer.
* Security-Mode ONOS event listener.
*/
public class PermissionCommandCompleter extends AbstractChoicesCompleter {
@Override
protected List<String> choices() {
return ImmutableList.of(ADD, REMOVE, CLEAR, LIST);
}
public interface SecurityModeListener extends EventListener<SecurityModeEvent> {
}
......
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
/**
* Representation of Security-Mode ONOS application review state.
*/
public enum SecurityModeState {
/**
* Indicates that operator has accepted application security policy.
*/
SECURED,
/**
* Indicates that application security policy has been reviewed.
*/
REVIEWED,
/**
* Indicates that application has been installed.
*/
INSTALLED,
/**
* Indicates that application has violated security policy.
*/
POLICY_VIOLATED,
}
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.onosproject.security.store;
import org.onosproject.core.ApplicationId;
import org.onosproject.security.Permission;
import org.onosproject.store.Store;
import java.util.Set;
/**
* Security-Mode ONOS distributed store service.
*/
public interface SecurityModeStore extends Store<SecurityModeEvent, SecurityModeStoreDelegate> {
/**
* Updates the local bundle-application directories.
* @param appId application identifier
* @return true if successfully registered.
*/
boolean registerApplication(ApplicationId appId);
/**
* Removes application info from the local bundle-application directories.
* @param appId application identifier
*/
void unregisterApplication(ApplicationId appId);
/**
* Returns state of the specified application.
* @param appId application identifier
* @return Security-Mode State of application
*/
SecurityModeState getState(ApplicationId appId);
/**
* Returns bundle locations of specified application.
* @param appId application identifier
* @return set of bundle location strings
*/
Set<String> getBundleLocations(ApplicationId appId);
/**
* Returns application identifiers that are associated with given bundle location.
* @param location OSGi bundle location
* @return set of application identifiers
*/
Set<ApplicationId> getApplicationIds(String location);
/**
* Returns a list of permissions that have been requested by given application.
* @param appId application identifier
* @return list of permissions
*/
Set<Permission> getRequestedPermissions(ApplicationId appId);
/**
* Returns an array of permissions that have been granted to given application.
* @param appId application identifier
* @return array of permissionInfo
*/
Set<Permission> getGrantedPermissions(ApplicationId appId);
/**
* Request permission that is required to run given application.
* @param appId application identifier
* @param permission permission
*/
void requestPermission(ApplicationId appId, Permission permission);
/**
* Returns true if given application has been secured.
* @param appId application identifier
* @return true indicates secured
*/
boolean isSecured(ApplicationId appId);
/**
* Notifies SM-ONOS that operator has reviewed the policy.
* @param appId application identifier
*/
void reviewPolicy(ApplicationId appId);
/**
* Accept the current security policy of given application.
* @param appId application identifier
* @param permissionSet array of PermissionInfo
*/
void acceptPolicy(ApplicationId appId, Set<Permission> permissionSet);
}
\ No newline at end of file
......@@ -14,32 +14,12 @@
* limitations under the License.
*/
package org.onosproject.cli.security;
package org.onosproject.security.store;
import org.apache.karaf.shell.console.completer.ArgumentCompleter;
import org.onosproject.cli.AbstractChoicesCompleter;
import org.onosproject.core.Permission;
import java.util.ArrayList;
import java.util.List;
import org.onosproject.store.StoreDelegate;
/**
* Permission Name Completer.
* Security-Mode distributed store delegate abstraction.
*/
public class PermissionNameCompleter extends AbstractChoicesCompleter {
@Override
protected List<String> choices() {
List<String> permNames = new ArrayList<>();
ArgumentCompleter.ArgumentList list = getArgumentList();
String cmd = list.getArguments()[1];
if (cmd.equals("add") || cmd.equals("remove")) {
for (Permission perm : Permission.values()) {
permNames.add(perm.name());
}
}
return permNames;
}
public interface SecurityModeStoreDelegate extends StoreDelegate<SecurityModeEvent> {
}
......
......@@ -38,7 +38,7 @@ import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.DefaultApplication;
import org.onosproject.core.Permission;
import org.onosproject.security.Permission;
import org.onosproject.store.cluster.messaging.ClusterCommunicationService;
import org.onosproject.store.cluster.messaging.MessageSubject;
import org.onosproject.store.serializers.KryoNamespaces;
......
......@@ -135,7 +135,7 @@
<feature>onos-api</feature>
<!-- FIXME Release when stable (before Drake) -->
<bundle>mvn:org.onosproject/org.apache.felix.framework.security/2.2.0.onos-SNAPSHOT</bundle>
<bundle>mvn:org.onosproject/onos-security-impl/@ONOS-VERSION</bundle>
<bundle>mvn:org.onosproject/onos-security/@ONOS-VERSION</bundle>
</feature>
</features>
......
......@@ -17,7 +17,6 @@ package org.onosproject.openflow.controller;
import org.onlab.packet.DeserializationException;
import org.onlab.packet.Ethernet;
import org.onosproject.core.Permission;
import org.projectfloodlight.openflow.protocol.OFPacketIn;
import org.projectfloodlight.openflow.protocol.OFPacketOut;
import org.projectfloodlight.openflow.protocol.OFVersion;
......@@ -34,6 +33,7 @@ import java.util.Collections;
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.onosproject.security.AppPermission.Type.*;
/**
......@@ -57,7 +57,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public void send() {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
if (block() && isBuilt.get()) {
sw.sendMsg(pktout);
......@@ -97,7 +97,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Ethernet parsed() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
try {
return Ethernet.deserializer().deserialize(pktin.getData(), 0, pktin.getData().length);
......@@ -111,7 +111,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Dpid dpid() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return new Dpid(sw.getId());
}
......@@ -130,7 +130,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Integer inPort() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return pktinInPort().getPortNumber();
}
......@@ -144,7 +144,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public byte[] unparsed() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return pktin.getData().clone();
......@@ -160,21 +160,21 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public boolean block() {
checkPermission(Permission.PACKET_WRITE);
checkPermission(PACKET_WRITE);
return free.getAndSet(false);
}
@Override
public boolean isHandled() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return !free.get();
}
@Override
public boolean isBuffered() {
checkPermission(Permission.PACKET_READ);
checkPermission(PACKET_READ);
return isBuffered;
}
......