ONOS-1993 Implement API-level permission checking + security util code location replacement
Change-Id: I7bf20eda9c12ed2a44334504333b093057764cd2
diff --git a/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java b/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
index ffea2d8..b227b92 100644
--- a/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
+++ b/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
@@ -15,12 +15,16 @@
*/
package org.onosproject.net.packet;
+import org.onosproject.core.Permission;
import org.onosproject.net.flow.DefaultTrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment.Builder;
import java.util.concurrent.atomic.AtomicBoolean;
+import static org.onosproject.security.AppGuard.checkPermission;
+
+
/**
* Default implementation of a packet context.
*/
@@ -53,21 +57,29 @@
@Override
public long time() {
+ checkPermission(Permission.PACKET_READ);
+
return time;
}
@Override
public InboundPacket inPacket() {
+ checkPermission(Permission.PACKET_READ);
+
return inPkt;
}
@Override
public OutboundPacket outPacket() {
+ checkPermission(Permission.PACKET_READ);
+
return outPkt;
}
@Override
public Builder treatmentBuilder() {
+ checkPermission(Permission.PACKET_READ);
+
return builder;
}
@@ -76,11 +88,15 @@
@Override
public boolean block() {
+ checkPermission(Permission.PACKET_WRITE);
+
return this.block.getAndSet(true);
}
@Override
public boolean isHandled() {
+ checkPermission(Permission.PACKET_READ);
+
return this.block.get();
}
-}
+}
\ No newline at end of file
diff --git a/core/api/src/main/java/org/onosproject/security/AppGuard.java b/core/api/src/main/java/org/onosproject/security/AppGuard.java
new file mode 100644
index 0000000..d3cc423
--- /dev/null
+++ b/core/api/src/main/java/org/onosproject/security/AppGuard.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onosproject.core.Permission;
+
+/**
+ * Aids SM-ONOS to perform API-level permission checking.
+ */
+public final class AppGuard {
+
+ private AppGuard() {
+ }
+
+ /**
+ * Checks if the caller has the required permission only when security-mode is enabled.
+ * @param permission permission to be checked
+ */
+ public static void checkPermission(Permission permission) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ System.getSecurityManager().checkPermission(new AppPermission(permission.name()));
+ }
+ }
+}
diff --git a/core/api/src/main/java/org/onosproject/security/AppPermission.java b/core/api/src/main/java/org/onosproject/security/AppPermission.java
new file mode 100644
index 0000000..e5f8fa2
--- /dev/null
+++ b/core/api/src/main/java/org/onosproject/security/AppPermission.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import java.security.BasicPermission;
+
+/**
+ * Implementation of API access permission.
+ */
+public class AppPermission extends BasicPermission {
+
+ /**
+ * Creates new application permission using the supplied data.
+ * @param name permission name
+ */
+ public AppPermission(String name) {
+ super(name.toUpperCase(), "");
+ }
+
+ /**
+ * Creates new application permission using the supplied data.
+ * @param name permission name
+ * @param actions permission action
+ */
+ public AppPermission(String name, String actions) {
+ super(name.toUpperCase(), actions);
+ }
+
+}