ONOS-1767 SM-ONOS implementation
22a363e ONOS-17767 SM-ONOS impl
Change-Id: Ifca8129f2266bada68af735cf81a1d39f1ec8506
diff --git a/cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java b/cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java
deleted file mode 100644
index f72b0b2..0000000
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onosproject.cli.security;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import org.apache.karaf.shell.commands.Argument;
-import org.apache.karaf.shell.commands.Command;
-import org.onosproject.app.ApplicationAdminService;
-import org.onosproject.cli.AbstractShellCommand;
-import org.onosproject.core.Application;
-import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
-
-import java.util.Set;
-import java.util.stream.Collectors;
-
-/**
- * Manages application permissions.
- */
-@Command(scope = "onos", name = "perm",
- description = "Manages application permissions")
-public class PermissionCommand extends AbstractShellCommand {
-
- static final String ADD = "add";
- static final String REMOVE = "remove";
- static final String LIST = "list";
- static final String CLEAR = "clear";
-
-
- @Argument(index = 0, name = "command",
- description = "Command name (add|remove)",
- required = true, multiValued = false)
- String command = null;
-
- @Argument(index = 1, name = "name", description = "Application name",
- required = true, multiValued = false)
- String name = null;
-
- @Argument(index = 2, name = "permissions", description = "List of permissions",
- required = false, multiValued = true)
- String[] permissions = null;
-
- @Override
- protected void execute() {
- ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
- Set<Permission> newPermSet = Sets.newHashSet();
- if (command.equals(ADD)) {
- ApplicationId appId = applicationAdminService.getId(name);
- if (appId == null) {
- print("No such application: %s", name);
- return;
- }
- Application app = applicationAdminService.getApplication(appId);
-
- for (String perm : permissions) {
- try {
- Permission permission = Permission.valueOf(perm);
- newPermSet.add(permission);
- } catch (IllegalArgumentException e) {
- print("%s is not a valid permission.", perm);
- return;
- }
-
- }
- Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
- if (oldPermSet != null) {
- newPermSet.addAll(oldPermSet);
- } else {
- newPermSet.addAll(app.permissions());
- }
- applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
-
- } else if (command.equals(REMOVE)) {
- ApplicationId appId = applicationAdminService.getId(name);
- Application app = applicationAdminService.getApplication(appId);
- if (appId == null) {
- print("No such application: %s", name);
- return;
- }
- Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
- if (oldPermSet == null) {
- oldPermSet = app.permissions();
- }
- Set<String> clearPermSet = Sets.newHashSet(permissions);
- newPermSet.addAll(oldPermSet.stream().filter(
- perm -> !clearPermSet.contains(perm.name().toUpperCase())).collect(Collectors.toList()));
- applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
- } else if (command.equals(CLEAR)) {
- ApplicationId appId = applicationAdminService.getId(name);
- if (appId == null) {
- print("No such application: %s", name);
- return;
- }
- applicationAdminService.setPermissions(appId, ImmutableSet.of());
- print("Cleared the permission list of %s.", appId.name());
- } else if (command.equals(LIST)) {
- ApplicationId appId = applicationAdminService.getId(name);
- if (appId == null) {
- print("No such application: %s", name);
- return;
- }
- Application app = applicationAdminService.getApplication(appId);
- Set<Permission> userPermissions = applicationAdminService.getPermissions(appId);
- Set<Permission> defaultPermissions = app.permissions();
- print("Application Role");
- print("\trole=%s", app.role().name());
-
- if (defaultPermissions != null) {
- if (!defaultPermissions.isEmpty()) {
- print("Default permissions (specified in app.xml)");
- for (Permission perm : defaultPermissions) {
- print("\tpermission=%s", perm.name());
- }
- } else {
- print("(No default permissions specified in app.xml)");
- }
- }
- if (userPermissions != null) {
- if (!userPermissions.isEmpty()) {
- print("User permissions");
- for (Permission perm : userPermissions) {
- print("\tpermission=%s", perm.name());
- }
- } else {
- print("(User has removed all the permissions");
- }
- }
-
- }
- }
-}
diff --git a/cli/src/main/java/org/onosproject/cli/security/PermissionCommandCompleter.java b/cli/src/main/java/org/onosproject/cli/security/PermissionCommandCompleter.java
deleted file mode 100644
index 1584a05..0000000
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionCommandCompleter.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onosproject.cli.security;
-
-import com.google.common.collect.ImmutableList;
-import org.onosproject.cli.AbstractChoicesCompleter;
-
-import java.util.List;
-
-import static org.onosproject.cli.security.PermissionCommand.*;
-/**
- * Permission command completer.
- */
-public class PermissionCommandCompleter extends AbstractChoicesCompleter {
- @Override
- protected List<String> choices() {
- return ImmutableList.of(ADD, REMOVE, CLEAR, LIST);
- }
-}
diff --git a/cli/src/main/java/org/onosproject/cli/security/PermissionNameCompleter.java b/cli/src/main/java/org/onosproject/cli/security/PermissionNameCompleter.java
deleted file mode 100644
index 30dff06..0000000
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionNameCompleter.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onosproject.cli.security;
-
-import org.apache.karaf.shell.console.completer.ArgumentCompleter;
-import org.onosproject.cli.AbstractChoicesCompleter;
-import org.onosproject.core.Permission;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * Permission Name Completer.
- */
-public class PermissionNameCompleter extends AbstractChoicesCompleter {
- @Override
- protected List<String> choices() {
- List<String> permNames = new ArrayList<>();
-
- ArgumentCompleter.ArgumentList list = getArgumentList();
- String cmd = list.getArguments()[1];
- if (cmd.equals("add") || cmd.equals("remove")) {
- for (Permission perm : Permission.values()) {
- permNames.add(perm.name());
- }
- }
- return permNames;
- }
-
-
-}
diff --git a/cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java b/cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
similarity index 76%
rename from cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java
rename to cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
index 36b85d9..73744f3 100644
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java
+++ b/cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
@@ -18,6 +18,7 @@
import org.apache.karaf.shell.console.completer.StringsCompleter;
import org.onosproject.app.ApplicationService;
+import org.onosproject.app.ApplicationState;
import org.onosproject.cli.AbstractCompleter;
import org.onosproject.core.Application;
@@ -25,27 +26,33 @@
import java.util.List;
import java.util.SortedSet;
+import static org.onosproject.app.ApplicationState.INSTALLED;
import static org.onosproject.cli.AbstractShellCommand.get;
/**
- * Application name completer for permission command.
+ * Application name completer for security review command.
*/
-public class PermissionApplicationNameCompleter extends AbstractCompleter {
+public class ReviewApplicationNameCompleter extends AbstractCompleter {
@Override
public int complete(String buffer, int cursor, List<String> candidates) {
// Delegate string completer
StringsCompleter delegate = new StringsCompleter();
- // Fetch our service and feed it's offerings to the string completer
ApplicationService service = get(ApplicationService.class);
Iterator<Application> it = service.getApplications().iterator();
SortedSet<String> strings = delegate.getStrings();
while (it.hasNext()) {
Application app = it.next();
- strings.add(app.id().name());
+ ApplicationState state = service.getState(app.id());
+// if (previousApps.contains(app.id().name())) {
+// continue;
+// }
+ if (state == INSTALLED) {
+ strings.add(app.id().name());
+ }
}
// Now let the completer do the work for figuring out what to offer.
return delegate.complete(buffer, cursor, candidates);
}
-}
+}
\ No newline at end of file
diff --git a/cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java b/cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java
new file mode 100644
index 0000000..9d17eb2
--- /dev/null
+++ b/cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java
@@ -0,0 +1,122 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.cli.security;
+
+import org.apache.karaf.shell.commands.Argument;
+import org.apache.karaf.shell.commands.Command;
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.cli.AbstractShellCommand;
+import org.onosproject.core.Application;
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.SecurityAdminService;
+import org.onosproject.security.SecurityUtil;
+
+import java.security.Permission;
+import java.util.List;
+import java.util.Map;
+
+
+/**
+ * Application security policy review commands.
+ */
+@Command(scope = "onos", name = "review",
+ description = "Application security policy review interface")
+public class ReviewCommand extends AbstractShellCommand {
+
+ @Argument(index = 0, name = "name", description = "Application name",
+ required = true, multiValued = false)
+ String name = null;
+
+ @Argument(index = 1, name = "accept", description = "Option to accept policy",
+ required = false, multiValued = false)
+ String accept = null;
+
+ @Override
+ protected void execute() {
+ ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
+ ApplicationId appId = applicationAdminService.getId(name);
+ if (appId == null) {
+ print("No such application: %s", name);
+ return;
+ }
+ Application app = applicationAdminService.getApplication(appId);
+ SecurityAdminService smService = SecurityUtil.getSecurityService();
+ if (smService == null) {
+ print("Security Mode is disabled");
+ return;
+ }
+ if (accept == null) {
+ smService.review(appId);
+ printPolicy(smService, app);
+ } else if (accept.trim().equals("accept")) {
+ smService.acceptPolicy(appId);
+ printPolicy(smService, app);
+ } else {
+ print("Unknown command");
+ }
+ }
+
+ private void printPolicy(SecurityAdminService smService, Application app) {
+ print("\n*******************************");
+ print(" SM-ONOS APP REVIEW ");
+ print("*******************************");
+
+ print("Application name: %s ", app.id().name());
+ print("Application role: " + app.role());
+ print("\nDeveloper specified permissions: ");
+ printMap(smService.getPrintableSpecifiedPermissions(app.id()));
+ print("\nPermissions granted: ");
+ printMap(smService.getPrintableGrantedPermissions(app.id()));
+ print("\nAdditional permissions requested on runtime (POLICY VIOLATIONS): ");
+ printMap(smService.getPrintableRequestedPermissions(app.id()));
+ print("");
+
+ }
+ private void printMap(Map<Integer, List<Permission>> assortedMap) {
+ for (Integer type : assortedMap.keySet()) {
+ switch (type) {
+ case 0:
+ for (Permission perm: assortedMap.get(0)) {
+ print("\t[APP PERMISSION] " + perm.getName());
+ }
+ break;
+ case 1:
+ for (Permission perm: assortedMap.get(1)) {
+ print("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+ }
+ break;
+ case 2:
+ for (Permission perm: assortedMap.get(2)) {
+ print("\t[NB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+ }
+ break;
+ case 3:
+ for (Permission perm: assortedMap.get(3)) {
+ print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+ }
+ break;
+ case 4:
+ for (Permission perm: assortedMap.get(4)) {
+ print("\t[Other] " + perm.getClass().getSimpleName() +
+ " " + perm.getName() + " (" + perm.getActions() + ")");
+ }
+ default:
+ break;
+ }
+ }
+ }
+}
diff --git a/cli/src/main/resources/OSGI-INF/blueprint/shell-config.xml b/cli/src/main/resources/OSGI-INF/blueprint/shell-config.xml
index 75680d8..640868f 100644
--- a/cli/src/main/resources/OSGI-INF/blueprint/shell-config.xml
+++ b/cli/src/main/resources/OSGI-INF/blueprint/shell-config.xml
@@ -21,11 +21,9 @@
</command>
<command>
- <action class="org.onosproject.cli.security.PermissionCommand"/>
+ <action class="org.onosproject.cli.security.ReviewCommand"/>
<completers>
- <ref component-id="permCommandCompleter"/>
- <ref component-id="permAppNameCompleter"/>
- <ref component-id="permNameCompleter"/>
+ <ref component-id="reviewAppNameCompleter"/>
</completers>
</command>
@@ -435,9 +433,7 @@
</command>
</command-bundle>
- <bean id="permAppNameCompleter" class="org.onosproject.cli.security.PermissionApplicationNameCompleter"/>
- <bean id="permCommandCompleter" class="org.onosproject.cli.security.PermissionCommandCompleter"/>
- <bean id="permNameCompleter" class="org.onosproject.cli.security.PermissionNameCompleter"/>
+ <bean id="reviewAppNameCompleter" class="org.onosproject.cli.security.ReviewApplicationNameCompleter"/>
<bean id="appCommandCompleter" class="org.onosproject.cli.app.ApplicationCommandCompleter"/>
<bean id="appNameCompleter" class="org.onosproject.cli.app.ApplicationNameCompleter"/>
<bean id="allAppNameCompleter" class="org.onosproject.cli.app.AllApplicationNamesCompleter"/>
diff --git a/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java b/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
index e0ea6ec..3713e21 100644
--- a/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
@@ -17,7 +17,7 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import java.io.InputStream;
import java.util.Set;
diff --git a/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java b/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
index b3fab01..2561280 100644
--- a/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
@@ -16,8 +16,8 @@
package org.onosproject.app;
import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
import org.onosproject.core.Version;
+import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
diff --git a/core/api/src/main/java/org/onosproject/app/ApplicationService.java b/core/api/src/main/java/org/onosproject/app/ApplicationService.java
index bb55da9..73dcc86 100644
--- a/core/api/src/main/java/org/onosproject/app/ApplicationService.java
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationService.java
@@ -17,8 +17,8 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
import org.onosproject.event.ListenerService;
+import org.onosproject.security.Permission;
import java.util.Set;
diff --git a/core/api/src/main/java/org/onosproject/app/ApplicationStore.java b/core/api/src/main/java/org/onosproject/app/ApplicationStore.java
index d20adb5..b3cdc43 100644
--- a/core/api/src/main/java/org/onosproject/app/ApplicationStore.java
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationStore.java
@@ -17,7 +17,7 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import org.onosproject.store.Store;
import java.io.InputStream;
diff --git a/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java b/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
index d24bace..710d0f9 100644
--- a/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
+++ b/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
@@ -16,8 +16,8 @@
package org.onosproject.app;
import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
import org.onosproject.core.Version;
+import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
diff --git a/core/api/src/main/java/org/onosproject/core/Application.java b/core/api/src/main/java/org/onosproject/core/Application.java
index 8cd063a..fca5384 100644
--- a/core/api/src/main/java/org/onosproject/core/Application.java
+++ b/core/api/src/main/java/org/onosproject/core/Application.java
@@ -15,6 +15,8 @@
*/
package org.onosproject.core;
+import org.onosproject.security.Permission;
+
import java.net.URI;
import java.util.List;
import java.util.Optional;
diff --git a/core/api/src/main/java/org/onosproject/core/ApplicationRole.java b/core/api/src/main/java/org/onosproject/core/ApplicationRole.java
index 71ae1e3..5fcb80b 100644
--- a/core/api/src/main/java/org/onosproject/core/ApplicationRole.java
+++ b/core/api/src/main/java/org/onosproject/core/ApplicationRole.java
@@ -23,9 +23,9 @@
ADMIN,
/**
- * Indicates that an application has a REGULAR role.
+ * Indicates that an application has a USER role.
*/
- REGULAR,
+ USER,
/**
* Indicates that an application role has not been specified.
diff --git a/core/api/src/main/java/org/onosproject/core/DefaultApplication.java b/core/api/src/main/java/org/onosproject/core/DefaultApplication.java
index ab72c6f..d8062dd 100644
--- a/core/api/src/main/java/org/onosproject/core/DefaultApplication.java
+++ b/core/api/src/main/java/org/onosproject/core/DefaultApplication.java
@@ -15,6 +15,8 @@
*/
package org.onosproject.core;
+import org.onosproject.security.Permission;
+
import java.net.URI;
import java.util.Set;
import java.util.Optional;
diff --git a/core/api/src/main/java/org/onosproject/core/Permission.java b/core/api/src/main/java/org/onosproject/core/Permission.java
deleted file mode 100644
index 282388c..0000000
--- a/core/api/src/main/java/org/onosproject/core/Permission.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.onosproject.core;
-
-/**
- * Representation of an application permission.
- */
-public enum Permission {
- APP_READ,
- APP_EVENT,
- CONFIG_READ,
- CONFIG_WRITE,
- CLUSTER_READ,
- CLUSTER_WRITE,
- CLUSTER_EVENT,
- DEVICE_READ,
- DEVICE_EVENT,
- DRIVER_READ,
- DRIVER_WRITE,
- FLOWRULE_READ,
- FLOWRULE_WRITE,
- FLOWRULE_EVENT,
- GROUP_READ,
- GROUP_WRITE,
- GROUP_EVENT,
- HOST_READ,
- HOST_WRITE,
- HOST_EVENT,
- INTENT_READ,
- INTENT_WRITE,
- INTENT_EVENT,
- LINK_READ,
- LINK_WRITE,
- LINK_EVENT,
- PACKET_READ,
- PACKET_WRITE,
- PACKET_EVENT,
- STATISTIC_READ,
- TOPOLOGY_READ,
- TOPOLOGY_EVENT,
- TUNNEL_READ,
- TUNNEL_WRITE,
- TUNNEL_EVENT,
- STORAGE_WRITE
-}
diff --git a/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java b/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
index b227b92..166269f 100644
--- a/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
+++ b/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
@@ -15,7 +15,6 @@
*/
package org.onosproject.net.packet;
-import org.onosproject.core.Permission;
import org.onosproject.net.flow.DefaultTrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment.Builder;
@@ -23,7 +22,7 @@
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
-
+import static org.onosproject.security.AppPermission.Type.*;
/**
* Default implementation of a packet context.
@@ -57,29 +56,25 @@
@Override
public long time() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return time;
}
@Override
public InboundPacket inPacket() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return inPkt;
}
@Override
public OutboundPacket outPacket() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return outPkt;
}
@Override
public Builder treatmentBuilder() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return builder;
}
@@ -88,15 +83,13 @@
@Override
public boolean block() {
- checkPermission(Permission.PACKET_WRITE);
-
+ checkPermission(PACKET_WRITE);
return this.block.getAndSet(true);
}
@Override
public boolean isHandled() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return this.block.get();
}
}
\ No newline at end of file
diff --git a/core/api/src/main/java/org/onosproject/security/AppGuard.java b/core/api/src/main/java/org/onosproject/security/AppGuard.java
index d3cc423..800135f 100644
--- a/core/api/src/main/java/org/onosproject/security/AppGuard.java
+++ b/core/api/src/main/java/org/onosproject/security/AppGuard.java
@@ -16,7 +16,6 @@
package org.onosproject.security;
-import org.onosproject.core.Permission;
/**
* Aids SM-ONOS to perform API-level permission checking.
@@ -30,10 +29,10 @@
* Checks if the caller has the required permission only when security-mode is enabled.
* @param permission permission to be checked
*/
- public static void checkPermission(Permission permission) {
+ public static void checkPermission(AppPermission.Type permission) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
- System.getSecurityManager().checkPermission(new AppPermission(permission.name()));
+ System.getSecurityManager().checkPermission(new AppPermission(permission));
}
}
}
diff --git a/core/api/src/main/java/org/onosproject/security/AppPermission.java b/core/api/src/main/java/org/onosproject/security/AppPermission.java
index e5f8fa2..21a70d2 100644
--- a/core/api/src/main/java/org/onosproject/security/AppPermission.java
+++ b/core/api/src/main/java/org/onosproject/security/AppPermission.java
@@ -23,12 +23,57 @@
*/
public class AppPermission extends BasicPermission {
+ public enum Type {
+ APP_READ,
+ APP_EVENT,
+ CONFIG_READ,
+ CONFIG_WRITE,
+ CLUSTER_READ,
+ CLUSTER_WRITE,
+ CLUSTER_EVENT,
+ DEVICE_READ,
+ DEVICE_EVENT,
+ DRIVER_READ,
+ DRIVER_WRITE,
+ FLOWRULE_READ,
+ FLOWRULE_WRITE,
+ FLOWRULE_EVENT,
+ GROUP_READ,
+ GROUP_WRITE,
+ GROUP_EVENT,
+ HOST_READ,
+ HOST_WRITE,
+ HOST_EVENT,
+ INTENT_READ,
+ INTENT_WRITE,
+ INTENT_EVENT,
+ LINK_READ,
+ LINK_WRITE,
+ LINK_EVENT,
+ PACKET_READ,
+ PACKET_WRITE,
+ PACKET_EVENT,
+ STATISTIC_READ,
+ TOPOLOGY_READ,
+ TOPOLOGY_EVENT,
+ TUNNEL_READ,
+ TUNNEL_WRITE,
+ TUNNEL_EVENT,
+ STORAGE_WRITE
+ }
+
+ protected Type type;
/**
* Creates new application permission using the supplied data.
* @param name permission name
*/
public AppPermission(String name) {
super(name.toUpperCase(), "");
+ try {
+ type = Type.valueOf(name);
+ } catch (IllegalArgumentException e) {
+ type = null;
+ }
}
/**
@@ -38,6 +83,28 @@
*/
public AppPermission(String name, String actions) {
super(name.toUpperCase(), actions);
+ try {
+ type = Type.valueOf(name);
+ } catch (IllegalArgumentException e) {
+ type = null;
+ }
+ }
+
+ /**
+ * Crates new application permission using the supplied data.
+ * @param type permission type
+ */
+ public AppPermission(Type type) {
+ super(type.name(), "");
+ this.type = type;
+ }
+
+ /**
+ * Returns type of permission.
+ * @return application permission type
+ */
+ public Type getType() {
+ return this.type;
}
}
diff --git a/core/api/src/main/java/org/onosproject/security/Permission.java b/core/api/src/main/java/org/onosproject/security/Permission.java
new file mode 100644
index 0000000..75d9433
--- /dev/null
+++ b/core/api/src/main/java/org/onosproject/security/Permission.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+public class Permission {
+
+ protected String classname;
+ protected String name;
+ protected String actions;
+
+ public Permission(String classname, String name, String actions) {
+ this.classname = classname;
+ this.name = name;
+ if (actions == null) {
+ this.actions = "";
+ } else {
+ this.actions = actions;
+ }
+ }
+
+ public Permission(String classname, String name) {
+ this.classname = classname;
+ this.name = name;
+ this.actions = "";
+ }
+
+ public String getClassName() {
+ return classname;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public String getActions() {
+ return actions;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public boolean equals(Object thatPerm) {
+ if (this == thatPerm) {
+ return true;
+ }
+
+ if (!(thatPerm instanceof Permission)) {
+ return false;
+ }
+
+ Permission that = (Permission) thatPerm;
+ return (this.classname.equals(that.classname)) && (this.name.equals(that.name))
+ && (this.actions.equals(that.actions));
+ }
+
+ @Override
+ public String toString() {
+ return String.format("(%s, %s, %s)", classname, name, actions);
+ }
+}
diff --git a/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java b/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java
new file mode 100644
index 0000000..16ea94d
--- /dev/null
+++ b/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onosproject.core.ApplicationId;
+
+import java.security.Permission;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Security-Mode ONOS service.
+ */
+public interface SecurityAdminService {
+
+ /**
+ * Returns true if security policy has been enforced to specified application.
+ * @param appId application identifier
+ * @return true if secured.
+ */
+ boolean isSecured(ApplicationId appId);
+
+ /**
+ * Changes SecurityModeState of specified application to REVIEWED.
+ * @param appId application identifier
+ */
+ void review(ApplicationId appId);
+
+ /**
+ * Accepts and enforces security policy to specified application.
+ * @param appId application identifier
+ */
+ void acceptPolicy(ApplicationId appId);
+
+ /**
+ * Register application to SM-ONOS subsystem.
+ * @param appId application identifier
+ */
+ void register(ApplicationId appId);
+
+ /**
+ * Returns sorted developer specified permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId);
+
+ /**
+ * Returns sorted granted permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId);
+
+ /**
+ * Returns sorted requested permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId);
+
+
+}
diff --git a/core/api/src/main/java/org/onosproject/security/SecurityUtil.java b/core/api/src/main/java/org/onosproject/security/SecurityUtil.java
new file mode 100644
index 0000000..34b4e78
--- /dev/null
+++ b/core/api/src/main/java/org/onosproject/security/SecurityUtil.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onlab.osgi.DefaultServiceDirectory;
+import org.onlab.osgi.ServiceDirectory;
+import org.onlab.osgi.ServiceNotFoundException;
+import org.onosproject.core.ApplicationId;
+
+/**
+ * Utility class to aid Security-Mode ONOS.
+ */
+public final class SecurityUtil {
+
+ protected static ServiceDirectory serviceDirectory = new DefaultServiceDirectory();
+
+ private SecurityUtil() {
+ }
+
+ public static boolean isSecurityModeEnabled() {
+ if (System.getSecurityManager() != null) {
+ try {
+ SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
+ if (securityService != null) {
+ return true;
+ }
+ } catch (ServiceNotFoundException e) {
+ return false;
+ }
+ }
+ return false;
+ }
+
+ public static SecurityAdminService getSecurityService() {
+ if (System.getSecurityManager() != null) {
+ try {
+ SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
+ if (securityService != null) {
+ return securityService;
+ }
+ } catch (ServiceNotFoundException e) {
+ return null;
+ }
+ }
+ return null;
+ }
+
+ public static boolean isAppSecured(ApplicationId appId) {
+ SecurityAdminService service = getSecurityService();
+ if (service != null) {
+ if (!service.isSecured(appId)) {
+ System.out.println("\n*******************************");
+ System.out.println(" SM-ONOS APP WARNING ");
+ System.out.println("*******************************");
+ System.out.println(appId.name() + " has not been secured.");
+ System.out.println("Please review before activating.");
+ return false;
+ }
+ }
+ return true;
+ }
+ public static void register(ApplicationId appId) {
+ SecurityAdminService service = getSecurityService();
+ if (service != null) {
+ service.register(appId);
+ }
+ }
+}
diff --git a/core/api/src/test/java/org/onosproject/app/ApplicationAdminServiceAdapter.java b/core/api/src/test/java/org/onosproject/app/ApplicationAdminServiceAdapter.java
index 4e5ccf8..edcc209 100644
--- a/core/api/src/test/java/org/onosproject/app/ApplicationAdminServiceAdapter.java
+++ b/core/api/src/test/java/org/onosproject/app/ApplicationAdminServiceAdapter.java
@@ -17,7 +17,7 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import java.io.InputStream;
import java.util.Set;
diff --git a/core/api/src/test/java/org/onosproject/app/ApplicationServiceAdapter.java b/core/api/src/test/java/org/onosproject/app/ApplicationServiceAdapter.java
index ff1822a..479cc59 100644
--- a/core/api/src/test/java/org/onosproject/app/ApplicationServiceAdapter.java
+++ b/core/api/src/test/java/org/onosproject/app/ApplicationServiceAdapter.java
@@ -17,7 +17,7 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import java.util.Set;
diff --git a/core/api/src/test/java/org/onosproject/app/ApplicationStoreAdapter.java b/core/api/src/test/java/org/onosproject/app/ApplicationStoreAdapter.java
index 265c2a6..1a9ad8d 100644
--- a/core/api/src/test/java/org/onosproject/app/ApplicationStoreAdapter.java
+++ b/core/api/src/test/java/org/onosproject/app/ApplicationStoreAdapter.java
@@ -17,7 +17,7 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import org.onosproject.store.AbstractStore;
import java.io.InputStream;
diff --git a/core/api/src/test/java/org/onosproject/app/DefaultApplicationDescriptionTest.java b/core/api/src/test/java/org/onosproject/app/DefaultApplicationDescriptionTest.java
index 7f09872..d40d3fe 100644
--- a/core/api/src/test/java/org/onosproject/app/DefaultApplicationDescriptionTest.java
+++ b/core/api/src/test/java/org/onosproject/app/DefaultApplicationDescriptionTest.java
@@ -19,8 +19,9 @@
import com.google.common.collect.ImmutableSet;
import org.junit.Test;
import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
import org.onosproject.core.Version;
+import org.onosproject.security.AppPermission;
+import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
@@ -40,7 +41,9 @@
public static final String DESC = "Awesome application from Circus, Inc.";
public static final String ORIGIN = "Circus";
public static final ApplicationRole ROLE = ApplicationRole.ADMIN;
- public static final Set<Permission> PERMS = ImmutableSet.of(Permission.FLOWRULE_WRITE, Permission.FLOWRULE_READ);
+ public static final Set<Permission> PERMS = ImmutableSet.of(
+ new Permission(AppPermission.class.getName(), "FLOWRULE_WRITE"),
+ new Permission(AppPermission.class.getName(), "FLOWRULE_READ"));
public static final URI FURL = URI.create("mvn:org.foo-features/1.2a/xml/features");
public static final List<String> FEATURES = ImmutableList.of("foo", "bar");
diff --git a/core/common/pom.xml b/core/common/pom.xml
index 71eadbc..71c0fe4 100644
--- a/core/common/pom.xml
+++ b/core/common/pom.xml
@@ -33,6 +33,10 @@
<dependencies>
<dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.core</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-api</artifactId>
</dependency>
diff --git a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
index 1b1c23b..54f0fb8 100644
--- a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
+++ b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
@@ -20,6 +20,7 @@
import com.google.common.io.ByteStreams;
import com.google.common.io.Files;
import org.apache.commons.configuration.ConfigurationException;
+import org.apache.commons.configuration.HierarchicalConfiguration;
import org.apache.commons.configuration.XMLConfiguration;
import org.onlab.util.Tools;
import org.onosproject.app.ApplicationDescription;
@@ -28,9 +29,11 @@
import org.onosproject.app.ApplicationStoreDelegate;
import org.onosproject.app.DefaultApplicationDescription;
import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
import org.onosproject.core.Version;
+import org.onosproject.security.AppPermission;
+import org.onosproject.security.Permission;
import org.onosproject.store.AbstractStore;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -79,7 +82,9 @@
private static final String DESCRIPTION = "description";
private static final String ROLE = "security.role";
- private static final String PERMISSIONS = "security.permissions.permission";
+ private static final String APP_PERMISSIONS = "security.permissions.app-perm";
+ private static final String NET_PERMISSIONS = "security.permissions.net-perm";
+ private static final String JAVA_PERMISSIONS = "security.permissions.java-perm";
private static final String OAR = ".oar";
private static final String APP_XML = "app.xml";
@@ -386,13 +391,25 @@
// Returns the set of Permissions specified in the app.xml file
private ImmutableSet<Permission> getPermissions(XMLConfiguration cfg) {
List<Permission> permissionList = new ArrayList();
- for (Object o : cfg.getList(PERMISSIONS)) {
+
+ for (Object o : cfg.getList(APP_PERMISSIONS)) {
String name = (String) o;
- try {
- Permission perm = Permission.valueOf(name);
- permissionList.add(perm);
- } catch (IllegalArgumentException e) {
- log.debug("Unknown permission specified: %s", name);
+ permissionList.add(new Permission(AppPermission.class.getName(), name));
+ }
+ for (Object o : cfg.getList(NET_PERMISSIONS)) {
+ //TODO: TO BE FLESHED OUT WHEN NETWORK PERMISSIONS ARE SUPPORTED
+ break;
+ }
+
+ List<HierarchicalConfiguration> fields =
+ cfg.configurationsAt(JAVA_PERMISSIONS);
+ for (HierarchicalConfiguration sub : fields) {
+ String classname = sub.getString("classname");
+ String name = sub.getString("name");
+ String actions = sub.getString("actions");
+
+ if (classname != null && name != null) {
+ permissionList.add(new Permission(classname, name, actions));
}
}
return ImmutableSet.copyOf(permissionList);
diff --git a/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStore.java b/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStore.java
index d38b801..ea9a773 100644
--- a/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStore.java
+++ b/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStore.java
@@ -31,7 +31,7 @@
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.DefaultApplication;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import org.slf4j.Logger;
import java.io.InputStream;
diff --git a/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStoreTest.java b/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStoreTest.java
index 9631bd3..a1c7da3 100644
--- a/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStoreTest.java
+++ b/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStoreTest.java
@@ -28,7 +28,8 @@
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStoreAdapter;
import org.onosproject.core.DefaultApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.AppPermission;
+import org.onosproject.security.Permission;
import java.io.File;
import java.io.IOException;
@@ -114,7 +115,8 @@
@Test
public void permissions() {
Application app = createTestApp();
- ImmutableSet<Permission> permissions = ImmutableSet.of(Permission.FLOWRULE_WRITE);
+ ImmutableSet<Permission> permissions =
+ ImmutableSet.of(new Permission(AppPermission.class.getName(), "FLOWRULE_WRITE"));
store.setPermissions(app.id(), permissions);
assertEquals("incorrect app perms", 1, store.getPermissions(app.id()).size());
assertEquals("incorrect app state", INSTALLED, store.getState(app.id()));
diff --git a/core/common/src/test/resources/org/onosproject/common/app/app.xml b/core/common/src/test/resources/org/onosproject/common/app/app.xml
index 4a8d0f7..0d91a73 100644
--- a/core/common/src/test/resources/org/onosproject/common/app/app.xml
+++ b/core/common/src/test/resources/org/onosproject/common/app/app.xml
@@ -1,4 +1,3 @@
-<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2015 Open Networking Laboratory
~
@@ -21,8 +20,10 @@
<security>
<role>ADMIN</role>
<permissions>
- <permission>FLOWRULE_WRITE</permission>
- <permission>FLOWRULE_READ</permission>
+ <app-perm>FLOWRULE_WRITE</app-perm>
+ <app-perm>FLOWRULE_READ</app-perm>
</permissions>
+
</security>
+
</app>
diff --git a/core/common/src/test/resources/org/onosproject/common/app/app.zip b/core/common/src/test/resources/org/onosproject/common/app/app.zip
index 0313f50..436cd75 100644
--- a/core/common/src/test/resources/org/onosproject/common/app/app.zip
+++ b/core/common/src/test/resources/org/onosproject/common/app/app.zip
Binary files differ
diff --git a/core/net/src/main/java/org/onosproject/app/impl/ApplicationManager.java b/core/net/src/main/java/org/onosproject/app/impl/ApplicationManager.java
index a96d805..161659f 100644
--- a/core/net/src/main/java/org/onosproject/app/impl/ApplicationManager.java
+++ b/core/net/src/main/java/org/onosproject/app/impl/ApplicationManager.java
@@ -33,7 +33,8 @@
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
+import org.onosproject.security.SecurityUtil;
import org.slf4j.Logger;
import java.io.InputStream;
@@ -41,6 +42,7 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.app.ApplicationEvent.Type.*;
+import static org.onosproject.security.AppPermission.Type.*;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
@@ -87,34 +89,34 @@
@Override
public Set<Application> getApplications() {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
return store.getApplications();
}
@Override
public ApplicationId getId(String name) {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
checkNotNull(name, "Name cannot be null");
return store.getId(name);
}
@Override
public Application getApplication(ApplicationId appId) {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getApplication(appId);
}
@Override
public ApplicationState getState(ApplicationId appId) {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getState(appId);
}
@Override
public Set<Permission> getPermissions(ApplicationId appId) {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getPermissions(appId);
}
@@ -122,7 +124,9 @@
@Override
public Application install(InputStream appDescStream) {
checkNotNull(appDescStream, "Application archive stream cannot be null");
- return store.create(appDescStream);
+ Application app = store.create(appDescStream);
+ SecurityUtil.register(app.id());
+ return app;
}
@Override
@@ -138,6 +142,9 @@
@Override
public void activate(ApplicationId appId) {
checkNotNull(appId, APP_ID_NULL);
+ if (!SecurityUtil.isAppSecured(appId)) {
+ return;
+ }
store.activate(appId);
}
diff --git a/core/net/src/main/java/org/onosproject/cfg/impl/ComponentConfigManager.java b/core/net/src/main/java/org/onosproject/cfg/impl/ComponentConfigManager.java
index 884d028..1933ee5 100644
--- a/core/net/src/main/java/org/onosproject/cfg/impl/ComponentConfigManager.java
+++ b/core/net/src/main/java/org/onosproject/cfg/impl/ComponentConfigManager.java
@@ -31,7 +31,6 @@
import org.onosproject.cfg.ComponentConfigStore;
import org.onosproject.cfg.ComponentConfigStoreDelegate;
import org.onosproject.cfg.ConfigProperty;
-import org.onosproject.core.Permission;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
@@ -50,6 +49,7 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
/**
@@ -99,14 +99,14 @@
@Override
public Set<String> getComponentNames() {
- checkPermission(Permission.CONFIG_READ);
+ checkPermission(CONFIG_READ);
return ImmutableSet.copyOf(properties.keySet());
}
@Override
public void registerProperties(Class<?> componentClass) {
- checkPermission(Permission.CONFIG_WRITE);
+ checkPermission(CONFIG_WRITE);
String componentName = componentClass.getName();
String resourceName = componentClass.getSimpleName() + RESOURCE_EXT;
@@ -130,7 +130,7 @@
@Override
public void unregisterProperties(Class<?> componentClass, boolean clear) {
- checkPermission(Permission.CONFIG_WRITE);
+ checkPermission(CONFIG_WRITE);
String componentName = componentClass.getName();
checkNotNull(componentName, COMPONENT_NULL);
@@ -148,7 +148,7 @@
@Override
public Set<ConfigProperty> getProperties(String componentName) {
- checkPermission(Permission.CONFIG_READ);
+ checkPermission(CONFIG_READ);
Map<String, ConfigProperty> map = properties.get(componentName);
return map != null ? ImmutableSet.copyOf(map.values()) : null;
@@ -156,7 +156,7 @@
@Override
public void setProperty(String componentName, String name, String value) {
- checkPermission(Permission.CONFIG_WRITE);
+ checkPermission(CONFIG_WRITE);
checkNotNull(componentName, COMPONENT_NULL);
checkNotNull(name, PROPERTY_NULL);
@@ -165,7 +165,7 @@
@Override
public void unsetProperty(String componentName, String name) {
- checkPermission(Permission.CONFIG_WRITE);
+ checkPermission(CONFIG_WRITE);
checkNotNull(componentName, COMPONENT_NULL);
checkNotNull(name, PROPERTY_NULL);
diff --git a/core/net/src/main/java/org/onosproject/cluster/impl/ClusterManager.java b/core/net/src/main/java/org/onosproject/cluster/impl/ClusterManager.java
index a823817..04d1dfd 100644
--- a/core/net/src/main/java/org/onosproject/cluster/impl/ClusterManager.java
+++ b/core/net/src/main/java/org/onosproject/cluster/impl/ClusterManager.java
@@ -34,7 +34,6 @@
import org.onosproject.cluster.ControllerNode;
import org.onosproject.cluster.NodeId;
import org.onosproject.event.AbstractListenerManager;
-import org.onosproject.core.Permission;
import org.slf4j.Logger;
import java.util.Set;
@@ -43,6 +42,8 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
/**
@@ -86,26 +87,26 @@
@Override
public ControllerNode getLocalNode() {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
return store.getLocalNode();
}
@Override
public Set<ControllerNode> getNodes() {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
return store.getNodes();
}
@Override
public ControllerNode getNode(NodeId nodeId) {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
checkNotNull(nodeId, INSTANCE_ID_NULL);
return store.getNode(nodeId);
}
@Override
public ControllerNode.State getState(NodeId nodeId) {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
checkNotNull(nodeId, INSTANCE_ID_NULL);
return store.getState(nodeId);
}
@@ -113,7 +114,7 @@
@Override
public DateTime getLastUpdated(NodeId nodeId) {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
return store.getLastUpdated(nodeId);
}
diff --git a/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java b/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java
index 0ef66f4..56d369f 100644
--- a/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java
+++ b/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java
@@ -32,7 +32,6 @@
import org.onosproject.cluster.RoleInfo;
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.MetricsHelper;
-import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipAdminService;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
@@ -62,6 +61,8 @@
import static org.onosproject.net.MastershipRole.MASTER;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
@Component(immediate = true)
@@ -136,7 +137,7 @@
@Override
public MastershipRole getLocalRole(DeviceId deviceId) {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getRole(clusterService.getLocalNode().id(), deviceId);
@@ -144,7 +145,7 @@
@Override
public CompletableFuture<Void> relinquishMastership(DeviceId deviceId) {
- checkPermission(Permission.CLUSTER_WRITE);
+ checkPermission(CLUSTER_WRITE);
return store.relinquishRole(localNodeId, deviceId)
.thenAccept(this::post)
.thenApply(v -> null);
@@ -152,7 +153,7 @@
@Override
public CompletableFuture<MastershipRole> requestRoleFor(DeviceId deviceId) {
- checkPermission(Permission.CLUSTER_WRITE);
+ checkPermission(CLUSTER_WRITE);
checkNotNull(deviceId, DEVICE_ID_NULL);
final Context timer = startTimer(requestRoleTimer);
@@ -162,7 +163,7 @@
@Override
public NodeId getMasterFor(DeviceId deviceId) {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getMaster(deviceId);
@@ -170,7 +171,7 @@
@Override
public Set<DeviceId> getDevicesOf(NodeId nodeId) {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
checkNotNull(nodeId, NODE_ID_NULL);
return store.getDevices(nodeId);
@@ -178,7 +179,7 @@
@Override
public RoleInfo getNodesFor(DeviceId deviceId) {
- checkPermission(Permission.CLUSTER_READ);
+ checkPermission(CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getNodes(deviceId);
diff --git a/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java b/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java
index bb42103..0761229 100644
--- a/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java
+++ b/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java
@@ -31,7 +31,6 @@
import org.onosproject.core.CoreService;
import org.onosproject.core.IdBlockStore;
import org.onosproject.core.IdGenerator;
-import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.event.EventDeliveryService;
import org.osgi.service.component.ComponentContext;
@@ -46,6 +45,8 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Strings.isNullOrEmpty;
import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
+
/**
@@ -100,28 +101,28 @@
@Override
public Version version() {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
return version;
}
@Override
public Set<ApplicationId> getAppIds() {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
return applicationIdStore.getAppIds();
}
@Override
public ApplicationId getAppId(Short id) {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
return applicationIdStore.getAppId(id);
}
@Override
public ApplicationId getAppId(String name) {
- checkPermission(Permission.APP_READ);
+ checkPermission(APP_READ);
return applicationIdStore.getAppId(name);
}
diff --git a/core/net/src/main/java/org/onosproject/net/device/impl/DeviceManager.java b/core/net/src/main/java/org/onosproject/net/device/impl/DeviceManager.java
index 24ea9f9..d1bcae7 100644
--- a/core/net/src/main/java/org/onosproject/net/device/impl/DeviceManager.java
+++ b/core/net/src/main/java/org/onosproject/net/device/impl/DeviceManager.java
@@ -27,7 +27,6 @@
import org.onosproject.cluster.ClusterService;
import org.onosproject.cluster.NodeId;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
-import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
@@ -77,6 +76,7 @@
import static org.onosproject.net.MastershipRole.*;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
/**
@@ -151,60 +151,60 @@
@Override
public int getDeviceCount() {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
return store.getDeviceCount();
}
@Override
public Iterable<Device> getDevices() {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
return store.getDevices();
}
@Override
public Iterable<Device> getAvailableDevices() {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
return store.getAvailableDevices();
}
@Override
public Device getDevice(DeviceId deviceId) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDevice(deviceId);
}
@Override
public MastershipRole getRole(DeviceId deviceId) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return mastershipService.getLocalRole(deviceId);
}
@Override
public List<Port> getPorts(DeviceId deviceId) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPorts(deviceId);
}
@Override
public List<PortStatistics> getPortStatistics(DeviceId deviceId) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPortStatistics(deviceId);
}
@Override
public List<PortStatistics> getPortDeltaStatistics(DeviceId deviceId) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPortDeltaStatistics(deviceId);
}
@Override
public Port getPort(DeviceId deviceId, PortNumber portNumber) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
checkNotNull(portNumber, PORT_NUMBER_NULL);
return store.getPort(deviceId, portNumber);
@@ -212,7 +212,7 @@
@Override
public boolean isAvailable(DeviceId deviceId) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.isAvailable(deviceId);
@@ -664,7 +664,7 @@
@Override
public Iterable<Device> getDevices(Type type) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
Set<Device> results = new HashSet<>();
Iterable<Device> devices = store.getDevices();
if (devices != null) {
@@ -679,7 +679,7 @@
@Override
public Iterable<Device> getAvailableDevices(Type type) {
- checkPermission(Permission.DEVICE_READ);
+ checkPermission(DEVICE_READ);
Set<Device> results = new HashSet<>();
Iterable<Device> availableDevices = store.getAvailableDevices();
if (availableDevices != null) {
diff --git a/core/net/src/main/java/org/onosproject/net/driver/impl/DriverManager.java b/core/net/src/main/java/org/onosproject/net/driver/impl/DriverManager.java
index b395307..53bf30a 100644
--- a/core/net/src/main/java/org/onosproject/net/driver/impl/DriverManager.java
+++ b/core/net/src/main/java/org/onosproject/net/driver/impl/DriverManager.java
@@ -24,7 +24,6 @@
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
-import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceService;
@@ -47,6 +46,8 @@
import static org.onlab.util.Tools.nullIsNotFound;
import static org.onosproject.net.AnnotationKeys.DRIVER;
import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
+
/**
@@ -108,7 +109,7 @@
@Override
public Set<Driver> getDrivers() {
- checkPermission(Permission.DRIVER_READ);
+ checkPermission(DRIVER_READ);
ImmutableSet.Builder<Driver> builder = ImmutableSet.builder();
drivers.values().forEach(builder::add);
@@ -117,7 +118,7 @@
@Override
public Set<Driver> getDrivers(Class<? extends Behaviour> withBehaviour) {
- checkPermission(Permission.DRIVER_READ);
+ checkPermission(DRIVER_READ);
return drivers.values().stream()
.filter(d -> d.hasBehaviour(withBehaviour))
@@ -126,14 +127,14 @@
@Override
public Driver getDriver(String driverName) {
- checkPermission(Permission.DRIVER_READ);
+ checkPermission(DRIVER_READ);
return nullIsNotFound(drivers.get(driverName), NO_DRIVER);
}
@Override
public Driver getDriver(String mfr, String hw, String sw) {
- checkPermission(Permission.DRIVER_READ);
+ checkPermission(DRIVER_READ);
// First attempt a literal search.
Driver driver = driverByKey.get(key(mfr, hw, sw));
@@ -160,7 +161,7 @@
@Override
public Driver getDriver(DeviceId deviceId) {
- checkPermission(Permission.DRIVER_READ);
+ checkPermission(DRIVER_READ);
Device device = nullIsNotFound(deviceService.getDevice(deviceId), NO_DEVICE);
String driverName = device.annotations().value(DRIVER);
@@ -174,7 +175,7 @@
@Override
public DriverHandler createHandler(DeviceId deviceId, String... credentials) {
- checkPermission(Permission.DRIVER_WRITE);
+ checkPermission(DRIVER_WRITE);
Driver driver = getDriver(deviceId);
return new DefaultDriverHandler(new DefaultDriverData(driver, deviceId));
diff --git a/core/net/src/main/java/org/onosproject/net/flow/impl/FlowRuleManager.java b/core/net/src/main/java/org/onosproject/net/flow/impl/FlowRuleManager.java
index 488d35c..a1d046c 100644
--- a/core/net/src/main/java/org/onosproject/net/flow/impl/FlowRuleManager.java
+++ b/core/net/src/main/java/org/onosproject/net/flow/impl/FlowRuleManager.java
@@ -36,7 +36,6 @@
import org.onosproject.core.ApplicationId;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdGenerator;
-import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceService;
@@ -79,6 +78,8 @@
import static org.onosproject.net.flow.FlowRuleEvent.Type.RULE_REMOVE_REQUESTED;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
/**
@@ -165,19 +166,19 @@
@Override
public int getFlowRuleCount() {
- checkPermission(Permission.FLOWRULE_READ);
+ checkPermission(FLOWRULE_READ);
return store.getFlowRuleCount();
}
@Override
public Iterable<FlowEntry> getFlowEntries(DeviceId deviceId) {
- checkPermission(Permission.FLOWRULE_READ);
+ checkPermission(FLOWRULE_READ);
return store.getFlowEntries(deviceId);
}
@Override
public void applyFlowRules(FlowRule... flowRules) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
for (int i = 0; i < flowRules.length; i++) {
@@ -188,7 +189,7 @@
@Override
public void removeFlowRules(FlowRule... flowRules) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
for (int i = 0; i < flowRules.length; i++) {
@@ -199,13 +200,13 @@
@Override
public void removeFlowRulesById(ApplicationId id) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
removeFlowRules(Iterables.toArray(getFlowRulesById(id), FlowRule.class));
}
@Override
public Iterable<FlowRule> getFlowRulesById(ApplicationId id) {
- checkPermission(Permission.FLOWRULE_READ);
+ checkPermission(FLOWRULE_READ);
Set<FlowRule> flowEntries = Sets.newHashSet();
for (Device d : deviceService.getDevices()) {
@@ -220,7 +221,7 @@
@Override
public Iterable<FlowRule> getFlowRulesByGroupId(ApplicationId appId, short groupId) {
- checkPermission(Permission.FLOWRULE_READ);
+ checkPermission(FLOWRULE_READ);
Set<FlowRule> matches = Sets.newHashSet();
long toLookUp = ((long) appId.id() << 16) | groupId;
@@ -236,7 +237,7 @@
@Override
public void apply(FlowRuleOperations ops) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
operationsService.submit(new FlowOperationsProcessor(ops));
}
diff --git a/core/net/src/main/java/org/onosproject/net/flowobjective/impl/FlowObjectiveManager.java b/core/net/src/main/java/org/onosproject/net/flowobjective/impl/FlowObjectiveManager.java
index 7d0713b..a76a298 100644
--- a/core/net/src/main/java/org/onosproject/net/flowobjective/impl/FlowObjectiveManager.java
+++ b/core/net/src/main/java/org/onosproject/net/flowobjective/impl/FlowObjectiveManager.java
@@ -27,7 +27,6 @@
import org.onlab.osgi.ServiceDirectory;
import org.onlab.util.ItemNotFoundException;
import org.onosproject.cluster.ClusterService;
-import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
import org.onosproject.mastership.MastershipService;
@@ -62,6 +61,8 @@
import static java.util.concurrent.Executors.newFixedThreadPool;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
+
/**
@@ -193,13 +194,13 @@
@Override
public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
executorService.submit(new ObjectiveInstaller(deviceId, filteringObjective));
}
@Override
public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
if (queueObjective(deviceId, forwardingObjective)) {
return;
}
@@ -208,13 +209,13 @@
@Override
public void next(DeviceId deviceId, NextObjective nextObjective) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
executorService.submit(new ObjectiveInstaller(deviceId, nextObjective));
}
@Override
public int allocateNextId() {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
return flowObjectiveStore.allocateNextId();
}
diff --git a/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java b/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java
index 1d25c2e..3ef98bd 100644
--- a/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java
+++ b/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java
@@ -27,7 +27,6 @@
import org.onlab.osgi.ServiceDirectory;
import org.onlab.util.ItemNotFoundException;
import org.onosproject.cluster.ClusterService;
-import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
import org.onosproject.mastership.MastershipService;
@@ -65,6 +64,7 @@
import static java.util.concurrent.Executors.newFixedThreadPool;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
/**
@@ -217,7 +217,7 @@
@Override
public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
List<FilteringObjective> filteringObjectives
= this.deviceCompositionTreeMap.get(deviceId).updateFilter(filteringObjective);
@@ -228,7 +228,7 @@
@Override
public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
if (queueObjective(deviceId, forwardingObjective)) {
return;
@@ -242,7 +242,7 @@
@Override
public void next(DeviceId deviceId, NextObjective nextObjective) {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
List<NextObjective> nextObjectives = this.deviceCompositionTreeMap.get(deviceId).updateNext(nextObjective);
for (NextObjective tmp : nextObjectives) {
@@ -252,7 +252,7 @@
@Override
public int allocateNextId() {
- checkPermission(Permission.FLOWRULE_WRITE);
+ checkPermission(FLOWRULE_WRITE);
return flowObjectiveStore.allocateNextId();
}
diff --git a/core/net/src/main/java/org/onosproject/net/group/impl/GroupManager.java b/core/net/src/main/java/org/onosproject/net/group/impl/GroupManager.java
index 6c43f24..96e9b19 100644
--- a/core/net/src/main/java/org/onosproject/net/group/impl/GroupManager.java
+++ b/core/net/src/main/java/org/onosproject/net/group/impl/GroupManager.java
@@ -23,7 +23,6 @@
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceEvent;
import org.onosproject.net.device.DeviceListener;
@@ -51,6 +50,8 @@
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
/**
@@ -96,7 +97,7 @@
*/
@Override
public void addGroup(GroupDescription groupDesc) {
- checkPermission(Permission.GROUP_WRITE);
+ checkPermission(GROUP_WRITE);
store.storeGroupDescription(groupDesc);
}
@@ -115,7 +116,7 @@
*/
@Override
public Group getGroup(DeviceId deviceId, GroupKey appCookie) {
- checkPermission(Permission.GROUP_READ);
+ checkPermission(GROUP_READ);
return store.getGroup(deviceId, appCookie);
}
@@ -137,7 +138,7 @@
GroupBuckets buckets,
GroupKey newCookie,
ApplicationId appId) {
- checkPermission(Permission.GROUP_WRITE);
+ checkPermission(GROUP_WRITE);
store.updateGroupDescription(deviceId,
oldCookie,
UpdateType.ADD,
@@ -163,7 +164,7 @@
GroupBuckets buckets,
GroupKey newCookie,
ApplicationId appId) {
- checkPermission(Permission.GROUP_WRITE);
+ checkPermission(GROUP_WRITE);
store.updateGroupDescription(deviceId,
oldCookie,
UpdateType.REMOVE,
@@ -185,7 +186,7 @@
public void removeGroup(DeviceId deviceId,
GroupKey appCookie,
ApplicationId appId) {
- checkPermission(Permission.GROUP_WRITE);
+ checkPermission(GROUP_WRITE);
store.deleteGroupDescription(deviceId, appCookie);
}
@@ -200,13 +201,13 @@
@Override
public Iterable<Group> getGroups(DeviceId deviceId,
ApplicationId appId) {
- checkPermission(Permission.GROUP_READ);
+ checkPermission(GROUP_READ);
return store.getGroups(deviceId);
}
@Override
public Iterable<Group> getGroups(DeviceId deviceId) {
- checkPermission(Permission.GROUP_READ);
+ checkPermission(GROUP_READ);
return store.getGroups(deviceId);
}
diff --git a/core/net/src/main/java/org/onosproject/net/host/impl/HostManager.java b/core/net/src/main/java/org/onosproject/net/host/impl/HostManager.java
index 99d401a..9926338 100644
--- a/core/net/src/main/java/org/onosproject/net/host/impl/HostManager.java
+++ b/core/net/src/main/java/org/onosproject/net/host/impl/HostManager.java
@@ -26,7 +26,6 @@
import org.onlab.packet.VlanId;
import org.onosproject.incubator.net.intf.InterfaceService;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
-import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
@@ -57,6 +56,7 @@
import static com.google.common.base.Preconditions.checkState;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
/**
* Provides basic implementation of the host SB & NB APIs.
@@ -118,66 +118,66 @@
@Override
public int getHostCount() {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
return store.getHostCount();
}
@Override
public Iterable<Host> getHosts() {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
return store.getHosts();
}
@Override
public Host getHost(HostId hostId) {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
checkNotNull(hostId, HOST_ID_NULL);
return store.getHost(hostId);
}
@Override
public Set<Host> getHostsByVlan(VlanId vlanId) {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
return store.getHosts(vlanId);
}
@Override
public Set<Host> getHostsByMac(MacAddress mac) {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
checkNotNull(mac, "MAC address cannot be null");
return store.getHosts(mac);
}
@Override
public Set<Host> getHostsByIp(IpAddress ip) {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
checkNotNull(ip, "IP address cannot be null");
return store.getHosts(ip);
}
@Override
public Set<Host> getConnectedHosts(ConnectPoint connectPoint) {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
checkNotNull(connectPoint, "Connection point cannot be null");
return store.getConnectedHosts(connectPoint);
}
@Override
public Set<Host> getConnectedHosts(DeviceId deviceId) {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
checkNotNull(deviceId, "Device ID cannot be null");
return store.getConnectedHosts(deviceId);
}
@Override
public void startMonitoringIp(IpAddress ip) {
- checkPermission(Permission.HOST_EVENT);
+ checkPermission(HOST_EVENT);
monitor.addMonitoringFor(ip);
}
@Override
public void stopMonitoringIp(IpAddress ip) {
- checkPermission(Permission.HOST_EVENT);
+ checkPermission(HOST_EVENT);
monitor.stopMonitoring(ip);
}
@@ -212,13 +212,13 @@
@Override
public Set<PortAddresses> getAddressBindings() {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
return store.getAddressBindings();
}
@Override
public Set<PortAddresses> getAddressBindingsForPort(ConnectPoint connectPoint) {
- checkPermission(Permission.HOST_READ);
+ checkPermission(HOST_READ);
return store.getAddressBindingsForPort(connectPoint);
}
diff --git a/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java b/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java
index d974009..4c828e7 100644
--- a/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java
+++ b/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java
@@ -25,7 +25,6 @@
import org.onosproject.event.AbstractListenerManager;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdGenerator;
-import org.onosproject.core.Permission;
import org.onosproject.net.flow.FlowRule;
import org.onosproject.net.flow.FlowRuleOperations;
import org.onosproject.net.flow.FlowRuleOperationsContext;
@@ -67,6 +66,8 @@
import static org.onosproject.net.intent.impl.phase.IntentProcessPhase.newInitialPhase;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
/**
* An implementation of intent service.
@@ -138,7 +139,7 @@
@Override
public void submit(Intent intent) {
- checkPermission(Permission.INTENT_WRITE);
+ checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.INSTALL_REQ, null);
store.addPending(data);
@@ -146,7 +147,7 @@
@Override
public void withdraw(Intent intent) {
- checkPermission(Permission.INTENT_WRITE);
+ checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.WITHDRAW_REQ, null);
store.addPending(data);
@@ -154,7 +155,7 @@
@Override
public void purge(Intent intent) {
- checkPermission(Permission.INTENT_WRITE);
+ checkPermission(INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.PURGE_REQ, null);
store.addPending(data);
@@ -162,45 +163,45 @@
@Override
public Intent getIntent(Key key) {
- checkPermission(Permission.INTENT_READ);
+ checkPermission(INTENT_READ);
return store.getIntent(key);
}
@Override
public Iterable<Intent> getIntents() {
- checkPermission(Permission.INTENT_READ);
+ checkPermission(INTENT_READ);
return store.getIntents();
}
@Override
public Iterable<IntentData> getIntentData() {
- checkPermission(Permission.INTENT_READ);
+ checkPermission(INTENT_READ);
return store.getIntentData(false, 0);
}
@Override
public long getIntentCount() {
- checkPermission(Permission.INTENT_READ);
+ checkPermission(INTENT_READ);
return store.getIntentCount();
}
@Override
public IntentState getIntentState(Key intentKey) {
- checkPermission(Permission.INTENT_READ);
+ checkPermission(INTENT_READ);
checkNotNull(intentKey, INTENT_ID_NULL);
return store.getIntentState(intentKey);
}
@Override
public List<Intent> getInstallableIntents(Key intentKey) {
- checkPermission(Permission.INTENT_READ);
+ checkPermission(INTENT_READ);
checkNotNull(intentKey, INTENT_ID_NULL);
return store.getInstallableIntents(intentKey);
}
@Override
public boolean isLocal(Key intentKey) {
- checkPermission(Permission.INTENT_READ);
+ checkPermission(INTENT_READ);
return store.isMaster(intentKey);
}
@@ -221,7 +222,7 @@
@Override
public Iterable<Intent> getPending() {
- checkPermission(Permission.INTENT_READ);
+ checkPermission(INTENT_READ);
return store.getPending();
}
diff --git a/core/net/src/main/java/org/onosproject/net/link/impl/LinkManager.java b/core/net/src/main/java/org/onosproject/net/link/impl/LinkManager.java
index b4cc17c..157288a 100644
--- a/core/net/src/main/java/org/onosproject/net/link/impl/LinkManager.java
+++ b/core/net/src/main/java/org/onosproject/net/link/impl/LinkManager.java
@@ -25,7 +25,6 @@
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
-import org.onosproject.core.Permission;
import org.onosproject.net.config.NetworkConfigEvent;
import org.onosproject.net.config.NetworkConfigListener;
import org.onosproject.net.config.NetworkConfigService;
@@ -59,6 +58,7 @@
import static org.onosproject.net.LinkKey.linkKey;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
/**
@@ -111,19 +111,19 @@
@Override
public int getLinkCount() {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
return store.getLinkCount();
}
@Override
public Iterable<Link> getLinks() {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
return store.getLinks();
}
@Override
public Iterable<Link> getActiveLinks() {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
return FluentIterable.from(getLinks())
.filter(new Predicate<Link>() {
@@ -136,7 +136,7 @@
@Override
public Set<Link> getDeviceLinks(DeviceId deviceId) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return Sets.union(store.getDeviceEgressLinks(deviceId),
store.getDeviceIngressLinks(deviceId));
@@ -144,21 +144,21 @@
@Override
public Set<Link> getDeviceEgressLinks(DeviceId deviceId) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDeviceEgressLinks(deviceId);
}
@Override
public Set<Link> getDeviceIngressLinks(DeviceId deviceId) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDeviceIngressLinks(deviceId);
}
@Override
public Set<Link> getLinks(ConnectPoint connectPoint) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return Sets.union(store.getEgressLinks(connectPoint),
store.getIngressLinks(connectPoint));
@@ -166,21 +166,21 @@
@Override
public Set<Link> getEgressLinks(ConnectPoint connectPoint) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return store.getEgressLinks(connectPoint);
}
@Override
public Set<Link> getIngressLinks(ConnectPoint connectPoint) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return store.getIngressLinks(connectPoint);
}
@Override
public Link getLink(ConnectPoint src, ConnectPoint dst) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
checkNotNull(src, CONNECT_POINT_NULL);
checkNotNull(dst, CONNECT_POINT_NULL);
return store.getLink(src, dst);
diff --git a/core/net/src/main/java/org/onosproject/net/packet/impl/PacketManager.java b/core/net/src/main/java/org/onosproject/net/packet/impl/PacketManager.java
index b093fe1..75239fd 100644
--- a/core/net/src/main/java/org/onosproject/net/packet/impl/PacketManager.java
+++ b/core/net/src/main/java/org/onosproject/net/packet/impl/PacketManager.java
@@ -23,7 +23,6 @@
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.CoreService;
-import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.device.DeviceEvent;
import org.onosproject.net.device.DeviceListener;
@@ -63,7 +62,7 @@
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
-
+import static org.onosproject.security.AppPermission.Type.*;
/**
* Provides a basic implementation of the packet SB & NB APIs.
@@ -126,14 +125,14 @@
@Override
public void addProcessor(PacketProcessor processor, int priority) {
- checkPermission(Permission.PACKET_EVENT);
+ checkPermission(PACKET_EVENT);
checkNotNull(processor, "Processor cannot be null");
processors.put(priority, processor);
}
@Override
public void removeProcessor(PacketProcessor processor) {
- checkPermission(Permission.PACKET_EVENT);
+ checkPermission(PACKET_EVENT);
checkNotNull(processor, "Processor cannot be null");
processors.values().remove(processor);
}
@@ -141,7 +140,7 @@
@Override
public void requestPackets(TrafficSelector selector, PacketPriority priority,
ApplicationId appId) {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
checkNotNull(selector, "Selector cannot be null");
checkNotNull(appId, "Application ID cannot be null");
@@ -154,7 +153,7 @@
@Override
public void cancelPackets(TrafficSelector selector, PacketPriority priority,
ApplicationId appId) {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
checkNotNull(selector, "Selector cannot be null");
checkNotNull(appId, "Application ID cannot be null");
@@ -246,7 +245,7 @@
@Override
public void emit(OutboundPacket packet) {
- checkPermission(Permission.PACKET_WRITE);
+ checkPermission(PACKET_WRITE);
checkNotNull(packet, "Packet cannot be null");
store.emit(packet);
}
diff --git a/core/net/src/main/java/org/onosproject/net/proxyarp/impl/ProxyArpManager.java b/core/net/src/main/java/org/onosproject/net/proxyarp/impl/ProxyArpManager.java
index 474dd67..398260f 100644
--- a/core/net/src/main/java/org/onosproject/net/proxyarp/impl/ProxyArpManager.java
+++ b/core/net/src/main/java/org/onosproject/net/proxyarp/impl/ProxyArpManager.java
@@ -33,7 +33,6 @@
import org.onlab.packet.ndp.NeighborAdvertisement;
import org.onlab.packet.ndp.NeighborDiscoveryOptions;
import org.onlab.packet.ndp.NeighborSolicitation;
-import org.onosproject.core.Permission;
import org.onosproject.incubator.net.intf.Interface;
import org.onosproject.incubator.net.intf.InterfaceService;
import org.onosproject.net.ConnectPoint;
@@ -61,6 +60,7 @@
import static org.onosproject.net.HostId.hostId;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
@Component(immediate = true)
@@ -110,7 +110,8 @@
@Override
public boolean isKnown(IpAddress addr) {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
+
checkNotNull(addr, MAC_ADDR_NULL);
Set<Host> hosts = hostService.getHostsByIp(addr);
return !hosts.isEmpty();
@@ -118,7 +119,8 @@
@Override
public void reply(Ethernet eth, ConnectPoint inPort) {
- checkPermission(Permission.PACKET_WRITE);
+ checkPermission(PACKET_WRITE);
+
checkNotNull(eth, REQUEST_NULL);
if (eth.getEtherType() == Ethernet.TYPE_ARP) {
@@ -316,7 +318,8 @@
@Override
public void forward(Ethernet eth, ConnectPoint inPort) {
- checkPermission(Permission.PACKET_WRITE);
+ checkPermission(PACKET_WRITE);
+
checkNotNull(eth, REQUEST_NULL);
Host h = hostService.getHost(hostId(eth.getDestinationMAC(),
@@ -333,7 +336,7 @@
@Override
public boolean handlePacket(PacketContext context) {
- checkPermission(Permission.PACKET_WRITE);
+ checkPermission(PACKET_WRITE);
InboundPacket pkt = context.inPacket();
Ethernet ethPkt = pkt.parsed();
diff --git a/core/net/src/main/java/org/onosproject/net/resource/impl/LinkResourceManager.java b/core/net/src/main/java/org/onosproject/net/resource/impl/LinkResourceManager.java
index 5762c0a..57a271a 100644
--- a/core/net/src/main/java/org/onosproject/net/resource/impl/LinkResourceManager.java
+++ b/core/net/src/main/java/org/onosproject/net/resource/impl/LinkResourceManager.java
@@ -23,7 +23,6 @@
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.event.AbstractListenerManager;
-import org.onosproject.core.Permission;
import org.onosproject.net.Link;
import org.onosproject.net.intent.IntentId;
import org.onosproject.net.resource.ResourceAllocation;
@@ -58,6 +57,7 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
/**
@@ -150,7 +150,7 @@
@Override
public LinkResourceAllocations requestResources(LinkResourceRequest req) {
- checkPermission(Permission.LINK_WRITE);
+ checkPermission(LINK_WRITE);
// TODO Concatenate multiple bandwidth requests.
// TODO Support multiple lambda resource requests.
@@ -213,7 +213,7 @@
@Override
public void releaseResources(LinkResourceAllocations allocations) {
- checkPermission(Permission.LINK_WRITE);
+ checkPermission(LINK_WRITE);
final LinkResourceEvent event = store.releaseResources(allocations);
if (event != null) {
post(event);
@@ -223,32 +223,32 @@
@Override
public LinkResourceAllocations updateResources(LinkResourceRequest req,
LinkResourceAllocations oldAllocations) {
- checkPermission(Permission.LINK_WRITE);
+ checkPermission(LINK_WRITE);
releaseResources(oldAllocations);
return requestResources(req);
}
@Override
public Iterable<LinkResourceAllocations> getAllocations() {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
return store.getAllocations();
}
@Override
public Iterable<LinkResourceAllocations> getAllocations(Link link) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
return store.getAllocations(link);
}
@Override
public LinkResourceAllocations getAllocations(IntentId intentId) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
return store.getAllocations(intentId);
}
@Override
public Iterable<ResourceRequest> getAvailableResources(Link link) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
Set<ResourceAllocation> freeRes = store.getFreeResources(link);
Set<ResourceRequest> result = new HashSet<>();
@@ -274,7 +274,7 @@
@Override
public Iterable<ResourceRequest> getAvailableResources(Link link,
LinkResourceAllocations allocations) {
- checkPermission(Permission.LINK_READ);
+ checkPermission(LINK_READ);
Set<ResourceAllocation> allocatedRes = allocations.getResourceAllocation(link);
Set<ResourceRequest> result = Sets.newHashSet(getAvailableResources(link));
diff --git a/core/net/src/main/java/org/onosproject/net/statistic/impl/StatisticManager.java b/core/net/src/main/java/org/onosproject/net/statistic/impl/StatisticManager.java
index a07f196..996ad14e 100644
--- a/core/net/src/main/java/org/onosproject/net/statistic/impl/StatisticManager.java
+++ b/core/net/src/main/java/org/onosproject/net/statistic/impl/StatisticManager.java
@@ -27,7 +27,6 @@
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.GroupId;
-import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.Link;
import org.onosproject.net.Path;
@@ -51,6 +50,7 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
/**
@@ -86,14 +86,14 @@
@Override
public Load load(Link link) {
- checkPermission(Permission.STATISTIC_READ);
+ checkPermission(STATISTIC_READ);
return load(link.src());
}
@Override
public Load load(Link link, ApplicationId appId, Optional<GroupId> groupId) {
- checkPermission(Permission.STATISTIC_READ);
+ checkPermission(STATISTIC_READ);
Statistics stats = getStatistics(link.src());
if (!stats.isValid()) {
@@ -114,14 +114,14 @@
@Override
public Load load(ConnectPoint connectPoint) {
- checkPermission(Permission.STATISTIC_READ);
+ checkPermission(STATISTIC_READ);
return loadInternal(connectPoint);
}
@Override
public Link max(Path path) {
- checkPermission(Permission.STATISTIC_READ);
+ checkPermission(STATISTIC_READ);
if (path.links().isEmpty()) {
return null;
@@ -140,7 +140,7 @@
@Override
public Link min(Path path) {
- checkPermission(Permission.STATISTIC_READ);
+ checkPermission(STATISTIC_READ);
if (path.links().isEmpty()) {
return null;
@@ -159,7 +159,7 @@
@Override
public FlowRule highestHitter(ConnectPoint connectPoint) {
- checkPermission(Permission.STATISTIC_READ);
+ checkPermission(STATISTIC_READ);
Set<FlowEntry> hitters = statisticStore.getCurrentStatistic(connectPoint);
if (hitters.isEmpty()) {
diff --git a/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java b/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java
index 0852447..a238c7f 100644
--- a/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java
+++ b/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java
@@ -24,7 +24,6 @@
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
-import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.DefaultEdgeLink;
import org.onosproject.net.DefaultPath;
@@ -51,6 +50,7 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
/**
@@ -88,14 +88,14 @@
@Override
public Set<Path> getPaths(ElementId src, ElementId dst) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
return getPaths(src, dst, null);
}
@Override
public Set<Path> getPaths(ElementId src, ElementId dst, LinkWeight weight) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(src, ELEMENT_ID_NULL);
checkNotNull(dst, ELEMENT_ID_NULL);
diff --git a/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java b/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java
index 0a0db62..04c4f1c1 100644
--- a/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java
+++ b/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java
@@ -22,7 +22,6 @@
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.net.provider.AbstractListenerProviderRegistry;
-import org.onosproject.core.Permission;
import org.onosproject.event.Event;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.DeviceId;
@@ -51,6 +50,8 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
/**
* Provides basic implementation of the topology SB & NB APIs.
@@ -91,27 +92,27 @@
@Override
public Topology currentTopology() {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
return store.currentTopology();
}
@Override
public boolean isLatest(Topology topology) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.isLatest(topology);
}
@Override
public Set<TopologyCluster> getClusters(Topology topology) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.getClusters(topology);
}
@Override
public TopologyCluster getCluster(Topology topology, ClusterId clusterId) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_ID_NULL);
return store.getCluster(topology, clusterId);
@@ -119,7 +120,7 @@
@Override
public Set<DeviceId> getClusterDevices(Topology topology, TopologyCluster cluster) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_NULL);
return store.getClusterDevices(topology, cluster);
@@ -127,7 +128,7 @@
@Override
public Set<Link> getClusterLinks(Topology topology, TopologyCluster cluster) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_NULL);
return store.getClusterLinks(topology, cluster);
@@ -135,14 +136,14 @@
@Override
public TopologyGraph getGraph(Topology topology) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.getGraph(topology);
}
@Override
public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(src, DEVICE_ID_NULL);
checkNotNull(dst, DEVICE_ID_NULL);
@@ -151,7 +152,7 @@
@Override
public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst, LinkWeight weight) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(src, DEVICE_ID_NULL);
@@ -162,7 +163,7 @@
@Override
public boolean isInfrastructure(Topology topology, ConnectPoint connectPoint) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(connectPoint, CONNECTION_POINT_NULL);
return store.isInfrastructure(topology, connectPoint);
@@ -170,7 +171,7 @@
@Override
public boolean isBroadcastPoint(Topology topology, ConnectPoint connectPoint) {
- checkPermission(Permission.TOPOLOGY_READ);
+ checkPermission(TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(connectPoint, CONNECTION_POINT_NULL);
return store.isBroadcastPoint(topology, connectPoint);
diff --git a/core/security/impl/pom.xml b/core/security/impl/pom.xml
deleted file mode 100644
index 33791c9..0000000
--- a/core/security/impl/pom.xml
+++ /dev/null
@@ -1,49 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- ~ Copyright 2015 Open Networking Laboratory
- ~
- ~ Licensed under the Apache License, Version 2.0 (the "License");
- ~ you may not use this file except in compliance with the License.
- ~ You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing, software
- ~ distributed under the License is distributed on an "AS IS" BASIS,
- ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- ~ See the License for the specific language governing permissions and
- ~ limitations under the License.
- -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <artifactId>onos-security</artifactId>
- <groupId>org.onosproject</groupId>
- <version>1.3.0-SNAPSHOT</version>
- <relativePath>../pom.xml</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
- <packaging>bundle</packaging>
-
- <artifactId>onos-security-impl</artifactId>
-
- <description>Security-mode ONOS components</description>
-
- <dependencies>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- </dependency>
- <dependency>
- <groupId>org.onosproject</groupId>
- <artifactId>onos-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.karaf.features</groupId>
- <artifactId>org.apache.karaf.features.core</artifactId>
- </dependency>
- </dependencies>
-
-</project>
\ No newline at end of file
diff --git a/core/security/impl/src/main/java/org/onosproject/security/impl/PolicyBuilder.java b/core/security/impl/src/main/java/org/onosproject/security/impl/PolicyBuilder.java
deleted file mode 100644
index 3c15e08..0000000
--- a/core/security/impl/src/main/java/org/onosproject/security/impl/PolicyBuilder.java
+++ /dev/null
@@ -1,316 +0,0 @@
-package org.onosproject.security.impl;
-
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import org.onosproject.core.Permission;
-import org.onosproject.security.AppPermission;
-import org.osgi.service.permissionadmin.PermissionInfo;
-
-import org.onosproject.app.ApplicationAdminService;
-import org.onosproject.app.ApplicationService;
-import org.onosproject.cfg.ComponentConfigService;
-import org.onosproject.cluster.ClusterAdminService;
-import org.onosproject.cluster.ClusterService;
-import org.onosproject.core.CoreService;
-import org.onosproject.cluster.LeadershipService;
-import org.onosproject.mastership.MastershipAdminService;
-import org.onosproject.mastership.MastershipService;
-import org.onosproject.net.device.DeviceAdminService;
-import org.onosproject.net.device.DeviceService;
-import org.onosproject.net.device.DeviceClockService;
-import org.onosproject.net.driver.DriverAdminService;
-import org.onosproject.net.driver.DriverService;
-import org.onosproject.net.flow.FlowRuleService;
-import org.onosproject.net.flowobjective.FlowObjectiveService;
-import org.onosproject.net.group.GroupService;
-import org.onosproject.net.host.HostAdminService;
-import org.onosproject.net.host.HostService;
-import org.onosproject.net.intent.IntentService;
-import org.onosproject.net.intent.IntentExtensionService;
-import org.onosproject.net.intent.IntentClockService;
-import org.onosproject.net.intent.PartitionService;
-import org.onosproject.net.link.LinkAdminService;
-import org.onosproject.net.link.LinkService;
-import org.onosproject.net.packet.PacketService;
-import org.onosproject.net.proxyarp.ProxyArpService;
-import org.onosproject.net.resource.link.LinkResourceService;
-import org.onosproject.net.statistic.StatisticService;
-import org.onosproject.net.topology.PathService;
-import org.onosproject.net.topology.TopologyService;
-import org.onosproject.store.service.StorageAdminService;
-import org.onosproject.store.service.StorageService;
-import org.osgi.framework.ServicePermission;
-import org.osgi.framework.PackagePermission;
-import org.osgi.framework.AdaptPermission;
-
-
-import java.util.Collections;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.stream.Collectors;
-
-public final class PolicyBuilder {
-
- private PolicyBuilder(){
- }
-
- public static PermissionInfo[] getApplicationPermissions(Map<Permission, Set<String>> serviceDirectory,
- Set<Permission> permissions) {
- Set<PermissionInfo> permSet = Sets.newHashSet();
- Collections.addAll(permSet, getDefaultPerms());
- for (Permission perm : permissions) {
- permSet.add(new PermissionInfo(AppPermission.class.getName(), perm.name(), ""));
- permSet.addAll(serviceDirectory.get(perm).stream().map(service -> new PermissionInfo(
- ServicePermission.class.getName(), service, ServicePermission.GET)).collect(Collectors.toList()));
- }
- PermissionInfo[] permissionInfos = new PermissionInfo[permSet.size()];
- return permSet.toArray(permissionInfos);
- }
-
- public static PermissionInfo[] getAdminApplicationPermissions(Map<Permission, Set<String>> serviceDirectory) {
- Set<PermissionInfo> permSet = Sets.newHashSet();
- Collections.addAll(permSet, getDefaultPerms());
- Collections.addAll(permSet, getAdminDefaultPerms());
- permSet.addAll(serviceDirectory.keySet().stream().map(perm ->
- new PermissionInfo(AppPermission.class.getName(), perm.name(), "")).collect(Collectors.toList()));
- PermissionInfo[] permissionInfos = new PermissionInfo[permSet.size()];
- return permSet.toArray(permissionInfos);
- }
-
- public static PermissionInfo[] getDefaultPerms() {
- return new PermissionInfo[]{
- new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.EXPORTONLY),
- new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.IMPORT),
- new PermissionInfo(AdaptPermission.class.getName(), "*", AdaptPermission.ADAPT),
- };
- }
- public static PermissionInfo[] getAdminDefaultPerms() {
- return new PermissionInfo[]{
- new PermissionInfo(ServicePermission.class.getName(),
- ApplicationAdminService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- ClusterAdminService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- MastershipAdminService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- DeviceAdminService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- HostAdminService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- LinkAdminService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- DriverAdminService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- StorageAdminService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// LabelResourceAdminService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// TunnelAdminService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- ApplicationService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- ComponentConfigService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- CoreService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- ClusterService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- LeadershipService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- MastershipService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- DeviceService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- DeviceClockService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- DriverService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- FlowRuleService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- FlowObjectiveService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- GroupService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- HostService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- IntentService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- IntentClockService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- IntentExtensionService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- PartitionService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- LinkService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- LinkResourceService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// LabelResourceService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- PacketService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- ProxyArpService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- StatisticService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- PathService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- TopologyService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// TunnelService.class.getName(), ServicePermission.GET),
- new PermissionInfo(ServicePermission.class.getName(),
- StorageService.class.getName(), ServicePermission.GET),
- };
- }
-
-
- public static Map<Permission, Set<String>> getServiceDirectory() {
-
- Map<Permission, Set<String>> serviceDirectory = new ConcurrentHashMap<>();
-
- serviceDirectory.put(Permission.APP_READ, ImmutableSet.of(
- ApplicationService.class.getName(), CoreService.class.getName()));
- serviceDirectory.put(Permission.APP_EVENT, ImmutableSet.of(
- ApplicationService.class.getName(), CoreService.class.getName()));
- serviceDirectory.put(Permission.CONFIG_READ, ImmutableSet.of(
- ComponentConfigService.class.getName()));
- serviceDirectory.put(Permission.CONFIG_WRITE, ImmutableSet.of(
- ComponentConfigService.class.getName()));
- serviceDirectory.put(Permission.CLUSTER_READ, ImmutableSet.of(
- ClusterService.class.getName(), LeadershipService.class.getName(),
- MastershipService.class.getName()));
- serviceDirectory.put(Permission.CLUSTER_WRITE, ImmutableSet.of(
- LeadershipService.class.getName(), MastershipService.class.getName()));
- serviceDirectory.put(Permission.CLUSTER_EVENT, ImmutableSet.of(
- ClusterService.class.getName(), LeadershipService.class.getName(),
- MastershipService.class.getName()));
- serviceDirectory.put(Permission.DEVICE_READ, ImmutableSet.of(
- DeviceService.class.getName(), DeviceClockService.class.getName()));
- serviceDirectory.put(Permission.DEVICE_EVENT, ImmutableSet.of(
- DeviceService.class.getName()));
- serviceDirectory.put(Permission.DRIVER_READ, ImmutableSet.of(
- DriverService.class.getName()));
- serviceDirectory.put(Permission.DRIVER_WRITE, ImmutableSet.of(
- DriverService.class.getName()));
- serviceDirectory.put(Permission.FLOWRULE_READ, ImmutableSet.of(
- FlowRuleService.class.getName()));
- serviceDirectory.put(Permission.FLOWRULE_WRITE, ImmutableSet.of(
- FlowRuleService.class.getName(), FlowObjectiveService.class.getName()));
- serviceDirectory.put(Permission.FLOWRULE_EVENT, ImmutableSet.of(
- FlowRuleService.class.getName()));
- serviceDirectory.put(Permission.GROUP_READ, ImmutableSet.of(
- GroupService.class.getName()));
- serviceDirectory.put(Permission.GROUP_WRITE, ImmutableSet.of(
- GroupService.class.getName()));
- serviceDirectory.put(Permission.GROUP_EVENT, ImmutableSet.of(
- GroupService.class.getName()));
- serviceDirectory.put(Permission.HOST_WRITE, ImmutableSet.of(
- HostService.class.getName()));
- serviceDirectory.put(Permission.HOST_EVENT, ImmutableSet.of(
- HostService.class.getName()));
- serviceDirectory.put(Permission.INTENT_READ, ImmutableSet.of(
- IntentService.class.getName(), PartitionService.class.getName(),
- IntentClockService.class.getName()));
- serviceDirectory.put(Permission.INTENT_WRITE, ImmutableSet.of(
- IntentService.class.getName()));
- serviceDirectory.put(Permission.INTENT_EVENT, ImmutableSet.of(
- IntentService.class.getName()));
-// serviceDirectory.put(Permission.LINK_READ, ImmutableSet.of(
-// LinkService.class.getName(), LinkResourceService.class.getName(),
-// LabelResourceService.class.getName()));
-// serviceDirectory.put(Permission.LINK_WRITE, ImmutableSet.of(
-// LinkResourceService.class.getName(), LabelResourceService.class.getName()));
-// serviceDirectory.put(Permission.LINK_EVENT, ImmutableSet.of(
-// LinkService.class.getName(), LinkResourceService.class.getName(),
-// LabelResourceService.class.getName()));
- serviceDirectory.put(Permission.PACKET_READ, ImmutableSet.of(
- PacketService.class.getName(), ProxyArpService.class.getName()));
- serviceDirectory.put(Permission.PACKET_WRITE, ImmutableSet.of(
- PacketService.class.getName(), ProxyArpService.class.getName()));
- serviceDirectory.put(Permission.PACKET_EVENT, ImmutableSet.of(
- PacketService.class.getName()));
- serviceDirectory.put(Permission.STATISTIC_READ, ImmutableSet.of(
- StatisticService.class.getName()));
- serviceDirectory.put(Permission.TOPOLOGY_READ, ImmutableSet.of(
- TopologyService.class.getName(), PathService.class.getName()));
- serviceDirectory.put(Permission.TOPOLOGY_EVENT, ImmutableSet.of(
- TopologyService.class.getName()));
-// serviceDirectory.put(Permission.TUNNEL_READ, ImmutableSet.of(
-// TunnelService.class.getName()));
-// serviceDirectory.put(Permission.TUNNEL_WRITE, ImmutableSet.of(
-// TunnelService.class.getName()));
-// serviceDirectory.put(Permission.TUNNEL_EVENT, ImmutableSet.of(
-// TunnelService.class.getName()));
- serviceDirectory.put(Permission.STORAGE_WRITE, ImmutableSet.of(
- StorageService.class.getName()));
-
- return serviceDirectory;
- }
-}
-
-
-// public static PermissionInfo[] getNonAdminPerms() {
-// return new PermissionInfo[]{
-// new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.EXPORTONLY),
-// new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.IMPORT),
-// new PermissionInfo(AdaptPermission.class.getName(), "*", AdaptPermission.ADAPT),
-// new PermissionInfo(ServicePermission.class.getName(),
-// ApplicationService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// ComponentConfigService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// CoreService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// ClusterService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// LeadershipService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// MastershipService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// DeviceService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// DeviceClockService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// DriverService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// FlowRuleService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// FlowObjectiveService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// GroupService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// HostService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// HostClockService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// IntentService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// IntentClockService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// IntentExtensionService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// PartitionService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// LinkService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// LinkResourceService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// LabelResourceService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// PacketService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// ProxyArpService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// StatisticService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// PathService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// TopologyService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// TunnelService.class.getName(), ServicePermission.GET),
-// new PermissionInfo(ServicePermission.class.getName(),
-// StorageService.class.getName(), ServicePermission.GET),
-// };
-// }
diff --git a/core/security/impl/src/main/java/org/onosproject/security/impl/SecurityModeManager.java b/core/security/impl/src/main/java/org/onosproject/security/impl/SecurityModeManager.java
deleted file mode 100644
index 021ff00..0000000
--- a/core/security/impl/src/main/java/org/onosproject/security/impl/SecurityModeManager.java
+++ /dev/null
@@ -1,262 +0,0 @@
-package org.onosproject.security.impl;
-
-import org.apache.felix.scr.annotations.Component;
-import org.apache.felix.scr.annotations.Reference;
-import org.apache.felix.scr.annotations.ReferenceCardinality;
-import org.apache.felix.scr.annotations.Activate;
-import org.apache.felix.scr.annotations.Deactivate;
-import org.apache.karaf.features.BundleInfo;
-import org.apache.karaf.features.Feature;
-import org.apache.karaf.features.FeaturesService;
-
-import org.onosproject.app.ApplicationAdminService;
-import org.onosproject.app.ApplicationEvent;
-import org.onosproject.app.ApplicationListener;
-import org.onosproject.app.ApplicationState;
-import org.onosproject.core.Application;
-import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
-import org.onosproject.security.AppPermission;
-import org.osgi.framework.Bundle;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.BundleEvent;
-import org.osgi.framework.BundleListener;
-import org.osgi.framework.FrameworkUtil;
-import org.osgi.framework.PackagePermission;
-import org.osgi.framework.ServicePermission;
-import org.osgi.service.log.LogEntry;
-import org.osgi.service.log.LogListener;
-import org.osgi.service.log.LogReaderService;
-import org.osgi.service.permissionadmin.PermissionInfo;
-
-import java.security.AccessControlException;
-import java.security.AllPermission;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.stream.Collectors;
-
-import org.osgi.service.permissionadmin.PermissionAdmin;
-import org.slf4j.Logger;
-
-import static org.slf4j.LoggerFactory.getLogger;
-
-/**
- * Security-Mode ONOS management implementation.
- */
-
-//TODO : implement a dedicated distributed store for SM-ONOS
-
-@Component(immediate = true)
-public class SecurityModeManager {
-
- @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
- protected ApplicationAdminService appAdminService;
-
- @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
- protected FeaturesService featuresService;
-
- @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
- protected LogReaderService logReaderService;
-
- private final Logger log = getLogger(getClass());
-
- private SecurityBundleListener securityBundleListener = new SecurityBundleListener();
-
- private SecurityApplicationListener securityApplicationListener = new SecurityApplicationListener();
-
- private SecurityLogListener securityLogListener = new SecurityLogListener();
-
- private Bundle bundle = null;
-
- private BundleContext bundleContext = null;
-
- private PermissionAdmin permissionAdmin = null;
-
- private Map<String, ApplicationId> appTracker = null;
-
- private Map<Permission, Set<String>> serviceDirectory = null;
-
-
- @Activate
- public void activate() {
- if (System.getSecurityManager() == null) {
- log.warn("J2EE security manager is disabled.");
- deactivate();
- return;
- }
- bundle = FrameworkUtil.getBundle(this.getClass());
- bundleContext = bundle.getBundleContext();
-
- bundleContext.addBundleListener(securityBundleListener);
- appAdminService.addListener(securityApplicationListener);
- logReaderService.addLogListener(securityLogListener);
- appTracker = new ConcurrentHashMap<>();
-
- permissionAdmin = getPermissionAdmin(bundleContext);
- if (permissionAdmin == null) {
- log.warn("Permission Admin not found.");
- this.deactivate();
- return;
- }
-
- serviceDirectory = PolicyBuilder.getServiceDirectory();
-
- PermissionInfo[] allPerm = {
- new PermissionInfo(AllPermission.class.getName(), "", ""), };
-
- permissionAdmin.setPermissions(bundle.getLocation(), allPerm);
- log.warn("Security-Mode Started");
- }
-
-
- @Deactivate
- public void deactivate() {
- bundleContext.removeBundleListener(securityBundleListener);
- appAdminService.removeListener(securityApplicationListener);
- logReaderService.removeLogListener(securityLogListener);
- log.info("Stopped");
-
- }
-
- private class SecurityApplicationListener implements ApplicationListener {
-
- @Override
- public void event(ApplicationEvent event) {
- //App needs to be restarted
- if (event.type() == ApplicationEvent.Type.APP_PERMISSIONS_CHANGED) {
- if (appAdminService.getState(event.subject().id()) == ApplicationState.ACTIVE) {
- appAdminService.deactivate(event.subject().id());
- print("Permissions updated (%s). Deactivating...",
- event.subject().id().name());
- }
- }
- }
- }
-
- private class SecurityBundleListener implements BundleListener {
-
- @Override
- public void bundleChanged(BundleEvent event) {
- switch (event.getType()) {
- case BundleEvent.INSTALLED:
- setPermissions(event);
- break;
- case BundleEvent.UNINSTALLED:
- clearPermissions(event);
- break;
- default:
- break;
- }
- }
- }
-
- private void clearPermissions(BundleEvent bundleEvent) {
- if (appTracker.containsKey(bundleEvent.getBundle().getLocation())) {
- permissionAdmin.setPermissions(bundleEvent.getBundle().getLocation(), new PermissionInfo[]{});
- appTracker.remove(bundleEvent.getBundle().getLocation());
- }
- }
-
- // find the location of the installed bundle and enforce policy
- private void setPermissions(BundleEvent bundleEvent) {
- for (Application app : appAdminService.getApplications()) {
- if (getBundleLocations(app).contains(bundleEvent.getBundle().getLocation())) {
- String location = bundleEvent.getBundle().getLocation();
-
- Set<org.onosproject.core.Permission> permissions =
- appAdminService.getPermissions(app.id());
-
- //Permissions granted by user overrides the permissions specified in App.Xml file
- if (permissions == null) {
- permissions = app.permissions();
- }
-
- if (permissions.isEmpty()) {
- print("Application %s has not been granted any permission.", app.id().name());
- }
-
- PermissionInfo[] perms = null;
-
- switch (app.role()) {
- case ADMIN:
- perms = PolicyBuilder.getAdminApplicationPermissions(serviceDirectory);
- break;
- case REGULAR:
- perms = PolicyBuilder.getApplicationPermissions(serviceDirectory, permissions);
- break;
- case UNSPECIFIED:
- default:
- //no role has been assigned.
- perms = PolicyBuilder.getDefaultPerms();
- log.warn("Application %s has no role assigned.", app.id().name());
- break;
- }
- permissionAdmin.setPermissions(location, perms);
- appTracker.put(location, app.id());
- break;
- }
- }
- }
-
- //TODO: dispatch security policy violation event via distributed store
- //immediately notify and deactivate the application upon policy violation
- private class SecurityLogListener implements LogListener {
- @Override
- public void logged(LogEntry entry) {
- if (entry != null) {
- if (entry.getException() != null) {
- ApplicationId applicationId = appTracker.get(entry.getBundle().getLocation());
- if (applicationId != null) {
- if (appAdminService.getState(applicationId).equals(ApplicationState.ACTIVE)) {
- if (entry.getException() instanceof AccessControlException) {
- java.security.Permission permission =
- ((AccessControlException) entry.getException()).getPermission();
- handleException(applicationId.name(), permission);
- appAdminService.deactivate(applicationId);
- }
- }
- }
- }
- }
- }
- }
-
- private void handleException(String name, java.security.Permission perm) {
- if (perm instanceof ServicePermission || perm instanceof PackagePermission) {
- print("%s has attempted to %s %s.", name, perm.getActions(), perm.getName());
- } else if (perm instanceof AppPermission) {
- print("%s has attempted to call an NB API that requires %s permission.",
- name, perm.getName().toUpperCase());
- } else {
- print("%s has attempted to perform an action that requires %s", name, perm.toString());
- }
- print("POLICY VIOLATION: Deactivating %s.", name);
-
- }
- private void print(String format, Object... args) {
- System.out.println(String.format("SM-ONOS: " + format, args));
- log.warn(String.format(format, args));
- }
-
- private List<String> getBundleLocations(Application app) {
- List<String> locations = new ArrayList();
- for (String name : app.features()) {
- try {
- Feature feature = featuresService.getFeature(name);
- locations.addAll(
- feature.getBundles().stream().map(BundleInfo::getLocation).collect(Collectors.toList()));
- } catch (Exception e) {
- return locations;
- }
- }
- return locations;
- }
-
- private PermissionAdmin getPermissionAdmin(BundleContext context) {
- return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName()));
- }
-
-}
diff --git a/core/security/pom.xml b/core/security/pom.xml
index 852e166..eb1e4bc 100644
--- a/core/security/pom.xml
+++ b/core/security/pom.xml
@@ -12,10 +12,46 @@
</parent>
<artifactId>onos-security</artifactId>
- <packaging>pom</packaging>
- <modules>
- <module>impl</module>
- </modules>
+ <packaging>bundle</packaging>
- <description>Security-mode ONOS project root</description>
+
+ <description>Security-Mode ONOS project</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.compendium</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>org.apache.felix.scr.annotations</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onos-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onos-core-serializers</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.karaf.features</groupId>
+ <artifactId>org.apache.karaf.features.core</artifactId>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-scr-plugin</artifactId>
+ </plugin>
+ </plugins>
+ </build>
+
</project>
\ No newline at end of file
diff --git a/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java b/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java
new file mode 100644
index 0000000..8ae1a1a
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java
@@ -0,0 +1,433 @@
+package org.onosproject.security.impl;
+
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+import org.onosproject.security.AppPermission;
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.app.ApplicationService;
+import org.onosproject.cfg.ComponentConfigService;
+import org.onosproject.cluster.ClusterAdminService;
+import org.onosproject.cluster.ClusterService;
+import org.onosproject.core.CoreService;
+import org.onosproject.cluster.LeadershipService;
+import org.onosproject.mastership.MastershipAdminService;
+import org.onosproject.mastership.MastershipService;
+import org.onosproject.net.device.DeviceAdminService;
+import org.onosproject.net.device.DeviceService;
+import org.onosproject.net.device.DeviceClockService;
+import org.onosproject.net.driver.DriverAdminService;
+import org.onosproject.net.driver.DriverService;
+import org.onosproject.net.flow.FlowRuleService;
+import org.onosproject.net.flowobjective.FlowObjectiveService;
+import org.onosproject.net.group.GroupService;
+import org.onosproject.net.host.HostAdminService;
+import org.onosproject.net.host.HostService;
+import org.onosproject.net.intent.IntentService;
+import org.onosproject.net.intent.IntentExtensionService;
+import org.onosproject.net.intent.IntentClockService;
+import org.onosproject.net.intent.PartitionService;
+import org.onosproject.net.link.LinkAdminService;
+import org.onosproject.net.link.LinkService;
+import org.onosproject.net.packet.PacketService;
+import org.onosproject.net.proxyarp.ProxyArpService;
+import org.onosproject.net.resource.link.LinkResourceService;
+import org.onosproject.net.statistic.StatisticService;
+import org.onosproject.net.topology.PathService;
+import org.onosproject.net.topology.TopologyService;
+import org.onosproject.security.SecurityAdminService;
+import org.onosproject.store.service.StorageAdminService;
+import org.onosproject.store.service.StorageService;
+import org.osgi.framework.BundlePermission;
+import org.osgi.framework.CapabilityPermission;
+import org.osgi.framework.ServicePermission;
+import org.osgi.framework.PackagePermission;
+import org.osgi.framework.AdaptPermission;
+import org.osgi.service.cm.ConfigurationPermission;
+
+import javax.net.ssl.SSLPermission;
+import javax.security.auth.AuthPermission;
+import javax.security.auth.PrivateCredentialPermission;
+import javax.security.auth.kerberos.DelegationPermission;
+import javax.sound.sampled.AudioPermission;
+import java.io.FilePermission;
+import java.io.SerializablePermission;
+import java.net.NetPermission;
+import java.net.SocketPermission;
+import java.security.Permissions;
+import java.sql.SQLPermission;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.List;
+import java.util.PropertyPermission;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.security.Permission;
+import java.util.logging.LoggingPermission;
+
+import static org.onosproject.security.AppPermission.Type.*;
+
+public final class DefaultPolicyBuilder {
+
+ protected static ConcurrentHashMap<AppPermission.Type,
+ Set<String>> serviceDirectory = getServiceDirectory();
+
+ protected static List<Permission> defaultPermissions = getDefaultPerms();
+ protected static List<Permission> adminServicePermissions = getAdminDefaultPerms();
+
+ private DefaultPolicyBuilder(){
+ }
+
+ public static List<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) {
+ List<Permission> perms = Lists.newArrayList();
+ perms.addAll(defaultPermissions);
+ perms.addAll(convertToJavaPermissions(permissions));
+ return optimizePermissions(perms);
+ }
+
+ public static List<Permission> getAdminApplicationPermissions(
+ Set<org.onosproject.security.Permission> permissions) {
+ List<Permission> perms = Lists.newArrayList();
+ perms.addAll(defaultPermissions);
+ perms.addAll(adminServicePermissions);
+ for (AppPermission.Type perm : serviceDirectory.keySet()) {
+ perms.add(new AppPermission(perm));
+ }
+ perms.addAll(convertToJavaPermissions(permissions));
+ return optimizePermissions(perms);
+ }
+
+ public static List<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) {
+ List<Permission> result = Lists.newArrayList();
+ for (org.onosproject.security.Permission perm : permissions) {
+ Permission javaPerm = getPermission(perm);
+ if (javaPerm != null) {
+ if (javaPerm instanceof AppPermission) {
+ if (((AppPermission) javaPerm).getType() != null) {
+ AppPermission ap = (AppPermission) javaPerm;
+ result.add(ap);
+ if (serviceDirectory.containsKey(ap.getType())) {
+ for (String service : serviceDirectory.get(ap.getType())) {
+ result.add(new ServicePermission(service, ServicePermission.GET));
+ }
+ }
+ }
+ } else if (javaPerm instanceof ServicePermission) {
+ if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) {
+ result.add(javaPerm);
+ }
+ } else {
+ result.add(javaPerm);
+ }
+
+ }
+ }
+ return result;
+ }
+
+ public static Set<org.onosproject.security.Permission> convertToOnosPermissions(List<Permission> permissions) {
+ Set<org.onosproject.security.Permission> result = Sets.newHashSet();
+ for (Permission perm : permissions) {
+ org.onosproject.security.Permission onosPerm = getOnosPermission(perm);
+ if (onosPerm != null) {
+ result.add(onosPerm);
+ }
+ }
+ return result;
+ }
+
+ public static List<Permission> getDefaultPerms() {
+ List<Permission> permSet = Lists.newArrayList();
+ permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY));
+ permSet.add(new PackagePermission("*", PackagePermission.IMPORT));
+ permSet.add(new AdaptPermission("*", AdaptPermission.ADAPT));
+ permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE));
+ return permSet;
+ }
+
+ private static List<Permission> getAdminDefaultPerms() {
+ List<Permission> permSet = Lists.newArrayList();
+ permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(MastershipAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DeviceAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DriverAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET));
+// permSet.add(new ServicePermission(LabelResourceAdminService.class.getName(), ServicePermission.GET));
+// permSet.add(new ServicePermission(TunnelAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(CoreService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ClusterService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(LeadershipService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(MastershipService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DeviceService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DeviceClockService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DriverService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(FlowRuleService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(FlowObjectiveService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(GroupService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(HostService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(IntentService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(IntentClockService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(IntentExtensionService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(LinkService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(LinkResourceService.class.getName(), ServicePermission.GET));
+// permSet.add(new ServicePermission(LabelResourceService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(PacketService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ProxyArpService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(StatisticService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(PathService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(TopologyService.class.getName(), ServicePermission.GET));
+// permSet.add(new ServicePermission(TunnelService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET));
+ return permSet;
+ }
+
+ public static Set<String> getNBServiceList() {
+ Set<String> permString = new HashSet<>();
+ for (Permission perm : getAdminDefaultPerms()) {
+ permString.add(perm.getName());
+ }
+ return permString;
+ }
+
+ private static ConcurrentHashMap<AppPermission.Type, Set<String>> getServiceDirectory() {
+
+ ConcurrentHashMap<AppPermission.Type, Set<String>> serviceDirectory = new ConcurrentHashMap<>();
+
+ serviceDirectory.put(APP_READ, ImmutableSet.of(
+ ApplicationService.class.getName(), CoreService.class.getName()));
+ serviceDirectory.put(APP_EVENT, ImmutableSet.of(
+ ApplicationService.class.getName(), CoreService.class.getName()));
+ serviceDirectory.put(CONFIG_READ, ImmutableSet.of(
+ ComponentConfigService.class.getName()));
+ serviceDirectory.put(CONFIG_WRITE, ImmutableSet.of(
+ ComponentConfigService.class.getName()));
+ serviceDirectory.put(CLUSTER_READ, ImmutableSet.of(
+ ClusterService.class.getName(), LeadershipService.class.getName(),
+ MastershipService.class.getName()));
+ serviceDirectory.put(CLUSTER_WRITE, ImmutableSet.of(
+ LeadershipService.class.getName(), MastershipService.class.getName()));
+ serviceDirectory.put(CLUSTER_EVENT, ImmutableSet.of(
+ ClusterService.class.getName(), LeadershipService.class.getName(),
+ MastershipService.class.getName()));
+ serviceDirectory.put(DEVICE_READ, ImmutableSet.of(
+ DeviceService.class.getName(), DeviceClockService.class.getName()));
+ serviceDirectory.put(DEVICE_EVENT, ImmutableSet.of(
+ DeviceService.class.getName()));
+ serviceDirectory.put(DRIVER_READ, ImmutableSet.of(
+ DriverService.class.getName()));
+ serviceDirectory.put(DRIVER_WRITE, ImmutableSet.of(
+ DriverService.class.getName()));
+ serviceDirectory.put(FLOWRULE_READ, ImmutableSet.of(
+ FlowRuleService.class.getName()));
+ serviceDirectory.put(FLOWRULE_WRITE, ImmutableSet.of(
+ FlowRuleService.class.getName(), FlowObjectiveService.class.getName()));
+ serviceDirectory.put(FLOWRULE_EVENT, ImmutableSet.of(
+ FlowRuleService.class.getName()));
+ serviceDirectory.put(GROUP_READ, ImmutableSet.of(
+ GroupService.class.getName()));
+ serviceDirectory.put(GROUP_WRITE, ImmutableSet.of(
+ GroupService.class.getName()));
+ serviceDirectory.put(GROUP_EVENT, ImmutableSet.of(
+ GroupService.class.getName()));
+ serviceDirectory.put(HOST_READ, ImmutableSet.of(
+ HostService.class.getName()));
+ serviceDirectory.put(HOST_WRITE, ImmutableSet.of(
+ HostService.class.getName()));
+ serviceDirectory.put(HOST_EVENT, ImmutableSet.of(
+ HostService.class.getName()));
+ serviceDirectory.put(INTENT_READ, ImmutableSet.of(
+ IntentService.class.getName(), PartitionService.class.getName(),
+ IntentClockService.class.getName()));
+ serviceDirectory.put(INTENT_WRITE, ImmutableSet.of(
+ IntentService.class.getName()));
+ serviceDirectory.put(INTENT_EVENT, ImmutableSet.of(
+ IntentService.class.getName()));
+// serviceDirectory.put(LINK_READ, ImmutableSet.of(
+// LinkService.class.getName(), LinkResourceService.class.getName(),
+// LabelResourceService.class.getName()));
+// serviceDirectory.put(LINK_WRITE, ImmutableSet.of(
+// LinkResourceService.class.getName(), LabelResourceService.class.getName()));
+// serviceDirectory.put(LINK_EVENT, ImmutableSet.of(
+// LinkService.class.getName(), LinkResourceService.class.getName(),
+// LabelResourceService.class.getName()));
+ serviceDirectory.put(PACKET_READ, ImmutableSet.of(
+ PacketService.class.getName(), ProxyArpService.class.getName()));
+ serviceDirectory.put(PACKET_WRITE, ImmutableSet.of(
+ PacketService.class.getName(), ProxyArpService.class.getName()));
+ serviceDirectory.put(PACKET_EVENT, ImmutableSet.of(
+ PacketService.class.getName()));
+ serviceDirectory.put(STATISTIC_READ, ImmutableSet.of(
+ StatisticService.class.getName()));
+ serviceDirectory.put(TOPOLOGY_READ, ImmutableSet.of(
+ TopologyService.class.getName(), PathService.class.getName()));
+ serviceDirectory.put(TOPOLOGY_EVENT, ImmutableSet.of(
+ TopologyService.class.getName()));
+// serviceDirectory.put(TUNNEL_READ, ImmutableSet.of(
+// TunnelService.class.getName()));
+// serviceDirectory.put(TUNNEL_WRITE, ImmutableSet.of(
+// TunnelService.class.getName()));
+// serviceDirectory.put(TUNNEL_EVENT, ImmutableSet.of(
+// TunnelService.class.getName()));
+ serviceDirectory.put(STORAGE_WRITE, ImmutableSet.of(
+ StorageService.class.getName()));
+
+ return serviceDirectory;
+ }
+
+
+ public static org.onosproject.security.Permission getOnosPermission(Permission permission) {
+ if (permission instanceof AppPermission) {
+ return new org.onosproject.security.Permission(AppPermission.class.getName(), permission.getName(), "");
+ } else if (permission instanceof FilePermission) {
+ return new org.onosproject.security.Permission(
+ FilePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof SerializablePermission) {
+ return new org.onosproject.security.Permission(
+ SerializablePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof NetPermission) {
+ return new org.onosproject.security.Permission(
+ NetPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof RuntimePermission) {
+ return new org.onosproject.security.Permission(
+ RuntimePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof SocketPermission) {
+ return new org.onosproject.security.Permission(
+ SocketPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof SQLPermission) {
+ return new org.onosproject.security.Permission(
+ SQLPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof PropertyPermission) {
+ return new org.onosproject.security.Permission(
+ PropertyPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof LoggingPermission) {
+ return new org.onosproject.security.Permission(
+ LoggingPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof SSLPermission) {
+ return new org.onosproject.security.Permission(
+ SSLPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof AuthPermission) {
+ return new org.onosproject.security.Permission(
+ AuthPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof PrivateCredentialPermission) {
+ return new org.onosproject.security.Permission(
+ PrivateCredentialPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof DelegationPermission) {
+ return new org.onosproject.security.Permission(
+ DelegationPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof javax.security.auth.kerberos.ServicePermission) {
+ return new org.onosproject.security.Permission(
+ javax.security.auth.kerberos.ServicePermission.class.getName(), permission.getName(),
+ permission.getActions());
+ } else if (permission instanceof AudioPermission) {
+ return new org.onosproject.security.Permission(
+ AudioPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof AdaptPermission) {
+ return new org.onosproject.security.Permission(
+ AdaptPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof BundlePermission) {
+ return new org.onosproject.security.Permission(
+ BundlePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof CapabilityPermission) {
+ return new org.onosproject.security.Permission(
+ CapabilityPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof PackagePermission) {
+ return new org.onosproject.security.Permission(
+ PackagePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof ServicePermission) {
+ return new org.onosproject.security.Permission(
+ ServicePermission.class.getName(), permission.getName(), permission.getActions());
+ }
+ return null;
+ }
+
+ private static Permission getPermission(org.onosproject.security.Permission permission) {
+
+ String classname = permission.getClassName();
+ String name = permission.getName();
+ String actions = permission.getActions();
+
+ if (classname == null || name == null) {
+ return null;
+ }
+ classname = classname.trim();
+ name = name.trim();
+ actions = actions.trim();
+
+ if (AppPermission.class.getName().equals(classname)) {
+ return new AppPermission(name);
+ } else if (FilePermission.class.getName().equals(classname)) {
+ return new FilePermission(name, actions);
+ } else if (SerializablePermission.class.getName().equals(classname)) {
+ return new SerializablePermission(name, actions);
+ } else if (NetPermission.class.getName().equals(classname)) {
+ return new NetPermission(name, actions);
+ } else if (RuntimePermission.class.getName().equals(classname)) {
+ return new RuntimePermission(name, actions);
+ } else if (SocketPermission.class.getName().equals(classname)) {
+ return new SocketPermission(name, actions);
+ } else if (SQLPermission.class.getName().equals(classname)) {
+ return new SQLPermission(name, actions);
+ } else if (PropertyPermission.class.getName().equals(classname)) {
+ return new PropertyPermission(name, actions);
+ } else if (LoggingPermission.class.getName().equals(classname)) {
+ return new LoggingPermission(name, actions);
+ } else if (SSLPermission.class.getName().equals(classname)) {
+ return new SSLPermission(name, actions);
+ } else if (AuthPermission.class.getName().equals(classname)) {
+ return new AuthPermission(name, actions);
+ } else if (PrivateCredentialPermission.class.getName().equals(classname)) {
+ return new PrivateCredentialPermission(name, actions);
+ } else if (DelegationPermission.class.getName().equals(classname)) {
+ return new DelegationPermission(name, actions);
+ } else if (javax.security.auth.kerberos.ServicePermission.class.getName().equals(classname)) {
+ return new javax.security.auth.kerberos.ServicePermission(name, actions);
+ } else if (AudioPermission.class.getName().equals(classname)) {
+ return new AudioPermission(name, actions);
+ } else if (AdaptPermission.class.getName().equals(classname)) {
+ return new AdaptPermission(name, actions);
+ } else if (BundlePermission.class.getName().equals(classname)) {
+ return new BundlePermission(name, actions);
+ } else if (CapabilityPermission.class.getName().equals(classname)) {
+ return new CapabilityPermission(name, actions);
+ } else if (PackagePermission.class.getName().equals(classname)) {
+ return new PackagePermission(name, actions);
+ } else if (ServicePermission.class.getName().equals(classname)) {
+ return new ServicePermission(name, actions);
+ }
+
+ //AllPermission, SecurityPermission, UnresolvedPermission
+ //AWTPermission, AdminPermission(osgi), ReflectPermission not allowed
+ return null;
+
+ }
+ private static List<Permission> optimizePermissions(List<Permission> perms) {
+ Permissions permissions = listToPermissions(perms);
+ return permissionsToList(permissions);
+ }
+
+ private static List<Permission> permissionsToList(Permissions perms) {
+ List<Permission> permissions = new ArrayList<>();
+ Enumeration<Permission> e = perms.elements();
+ while (e.hasMoreElements()) {
+ permissions.add(e.nextElement());
+ }
+ return permissions;
+ }
+
+ private static Permissions listToPermissions(List<Permission> perms) {
+ Permissions permissions = new Permissions();
+ for (Permission perm : perms) {
+ permissions.add(perm);
+ }
+ return permissions;
+ }
+}
+
diff --git a/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java b/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java
new file mode 100644
index 0000000..30b0f8b
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java
@@ -0,0 +1,289 @@
+package org.onosproject.security.impl;
+
+import com.google.common.collect.Lists;
+
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Reference;
+import org.apache.felix.scr.annotations.ReferenceCardinality;
+import org.apache.felix.scr.annotations.Activate;
+import org.apache.felix.scr.annotations.Deactivate;
+import org.apache.felix.scr.annotations.Service;
+
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.app.ApplicationState;
+import org.onosproject.core.Application;
+import org.onosproject.core.ApplicationId;
+
+import org.onosproject.event.EventDeliveryService;
+import org.onosproject.event.ListenerRegistry;
+import org.onosproject.security.AppPermission;
+import org.onosproject.security.SecurityAdminService;
+import org.onosproject.security.store.SecurityModeEvent;
+import org.onosproject.security.store.SecurityModeListener;
+import org.onosproject.security.store.SecurityModeStore;
+import org.onosproject.security.store.SecurityModeStoreDelegate;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.FrameworkUtil;
+import org.osgi.framework.ServicePermission;
+import org.osgi.service.log.LogEntry;
+import org.osgi.service.log.LogListener;
+import org.osgi.service.log.LogReaderService;
+import org.osgi.service.permissionadmin.PermissionInfo;
+
+import java.security.AccessControlException;
+import java.security.Permission;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.osgi.service.permissionadmin.PermissionAdmin;
+import org.slf4j.Logger;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+
+
+/**
+ * Security-Mode ONOS management implementation.
+ */
+
+@Component(immediate = true)
+@Service
+public class SecurityModeManager implements SecurityAdminService {
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected SecurityModeStore store;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected ApplicationAdminService appAdminService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected LogReaderService logReaderService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected EventDeliveryService eventDispatcher;
+
+ private final Logger log = getLogger(getClass());
+
+ protected final ListenerRegistry<SecurityModeEvent, SecurityModeListener>
+ listenerRegistry = new ListenerRegistry<>();
+
+ private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate();
+
+ private SecurityLogListener securityLogListener = new SecurityLogListener();
+
+ private PermissionAdmin permissionAdmin = getPermissionAdmin();
+
+
+ @Activate
+ public void activate() {
+
+ eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry);
+ // add Listeners
+ logReaderService.addLogListener(securityLogListener);
+
+ store.setDelegate(delegate);
+
+ if (System.getSecurityManager() == null) {
+ log.warn("J2EE security manager is disabled.");
+ deactivate();
+ return;
+ }
+ if (permissionAdmin == null) {
+ log.warn("Permission Admin not found.");
+ deactivate();
+ return;
+ }
+
+ log.info("Security-Mode Started");
+ }
+
+ @Deactivate
+ public void deactivate() {
+ eventDispatcher.removeSink(SecurityModeEvent.class);
+ logReaderService.removeLogListener(securityLogListener);
+ store.unsetDelegate(delegate);
+ log.info("Stopped");
+
+ }
+
+ @Override
+ public boolean isSecured(ApplicationId appId) {
+ if (store.getState(appId) == null) {
+ store.registerApplication(appId);
+ }
+ return store.isSecured(appId);
+ }
+
+
+ @Override
+ public void review(ApplicationId appId) {
+ if (store.getState(appId) == null) {
+ store.registerApplication(appId);
+ }
+ store.reviewPolicy(appId);
+ }
+
+ @Override
+ public void acceptPolicy(ApplicationId appId) {
+ if (store.getState(appId) == null) {
+ store.registerApplication(appId);
+ }
+ store.acceptPolicy(appId, DefaultPolicyBuilder.convertToOnosPermissions(getMaximumPermissions(appId)));
+ }
+
+ @Override
+ public void register(ApplicationId appId) {
+ store.registerApplication(appId);
+ }
+
+ @Override
+ public Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId) {
+ return getPrintablePermissionMap(getMaximumPermissions(appId));
+ }
+
+ @Override
+ public Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId) {
+ return getPrintablePermissionMap(
+ DefaultPolicyBuilder.convertToJavaPermissions(store.getGrantedPermissions(appId)));
+ }
+
+ @Override
+ public Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId) {
+ return getPrintablePermissionMap(
+ DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId)));
+ }
+
+ private class SecurityLogListener implements LogListener {
+ @Override
+ public void logged(LogEntry entry) {
+ if (entry.getException() != null &&
+ entry.getException() instanceof AccessControlException) {
+ String location = entry.getBundle().getLocation();
+ Permission javaPerm =
+ ((AccessControlException) entry.getException()).getPermission();
+ org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm);
+ if (permission == null) {
+ log.warn("Unsupported permission requested.");
+ return;
+ }
+ store.getApplicationIds(location).stream().filter(
+ appId -> store.isSecured(appId) &&
+ appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
+ store.requestPermission(appId, permission);
+ print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
+ appId.name(), location, permission.toString());
+ });
+ }
+ }
+ }
+
+ private class InternalStoreDelegate implements SecurityModeStoreDelegate {
+ @Override
+ public void notify(SecurityModeEvent event) {
+ if (event.type() == SecurityModeEvent.Type.POLICY_ACCEPTED) {
+ setLocalPermissions(event.subject());
+ log.info("{} POLICY ACCEPTED and ENFORCED", event.subject().name());
+ } else if (event.type() == SecurityModeEvent.Type.POLICY_VIOLATED) {
+ log.info("{} POLICY VIOLATED", event.subject().name());
+ } else if (event.type() == SecurityModeEvent.Type.POLICY_REVIEWED) {
+ log.info("{} POLICY REVIEWED", event.subject().name());
+ }
+ eventDispatcher.post(event);
+ }
+ }
+
+ /**
+ * TYPES.
+ * 0 - APP_PERM
+ * 1 - ADMIN SERVICE
+ * 2 - NB_SERVICE
+ * 3 - ETC_SERVICE
+ * 4 - ETC
+ * @param perms
+ */
+ private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) {
+ ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>();
+ sortedMap.put(0, new ArrayList());
+ sortedMap.put(1, new ArrayList());
+ sortedMap.put(2, new ArrayList());
+ sortedMap.put(3, new ArrayList());
+ sortedMap.put(4, new ArrayList());
+ for (Permission perm : perms) {
+ if (perm instanceof ServicePermission) {
+ if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) {
+ if (perm.getName().contains("Admin")) {
+ sortedMap.get(1).add(perm);
+ } else {
+ sortedMap.get(2).add(perm);
+ }
+ } else {
+ sortedMap.get(3).add(perm);
+ }
+ } else if (perm instanceof AppPermission) {
+ sortedMap.get(0).add(perm);
+ } else {
+ sortedMap.get(4).add(perm);
+ }
+ }
+ return sortedMap;
+ }
+
+ private void setLocalPermissions(ApplicationId applicationId) {
+ for (String location : store.getBundleLocations(applicationId)) {
+ permissionAdmin.setPermissions(location, permissionsToInfo(store.getGrantedPermissions(applicationId)));
+ }
+ }
+
+ private PermissionInfo[] permissionsToInfo(Set<org.onosproject.security.Permission> permissions) {
+ List<PermissionInfo> result = Lists.newArrayList();
+ for (org.onosproject.security.Permission perm : permissions) {
+ result.add(new PermissionInfo(perm.getClassName(), perm.getName(), perm.getActions()));
+ }
+ PermissionInfo[] permissionInfos = new PermissionInfo[result.size()];
+ return result.toArray(permissionInfos);
+ }
+
+
+
+ private List<Permission> getMaximumPermissions(ApplicationId appId) {
+ Application app = appAdminService.getApplication(appId);
+ if (app == null) {
+ print("Unknown application.");
+ return null;
+ }
+ List<Permission> appPerms;
+ switch (app.role()) {
+ case ADMIN:
+ appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions());
+ break;
+ case USER:
+ appPerms = DefaultPolicyBuilder.getUserApplicationPermissions(app.permissions());
+ break;
+ case UNSPECIFIED:
+ default:
+ appPerms = DefaultPolicyBuilder.getDefaultPerms();
+ break;
+ }
+
+ return appPerms;
+ }
+
+
+ private void print(String format, Object... args) {
+ System.out.println(String.format("SM-ONOS: " + format, args));
+ log.warn(String.format(format, args));
+ }
+
+ private PermissionAdmin getPermissionAdmin() {
+ BundleContext context = getBundleContext();
+ return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName()));
+ }
+
+ private BundleContext getBundleContext() {
+ return FrameworkUtil.getBundle(this.getClass()).getBundleContext();
+
+ }
+}
\ No newline at end of file
diff --git a/core/security/impl/src/main/java/org/onosproject/security/impl/package-info.java b/core/security/src/main/java/org/onosproject/security/impl/package-info.java
similarity index 100%
rename from core/security/impl/src/main/java/org/onosproject/security/impl/package-info.java
rename to core/security/src/main/java/org/onosproject/security/impl/package-info.java
diff --git a/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java b/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java
new file mode 100644
index 0000000..ac16966
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java
@@ -0,0 +1,315 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+
+import org.apache.felix.scr.annotations.Activate;
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Deactivate;
+import org.apache.felix.scr.annotations.Reference;
+import org.apache.felix.scr.annotations.ReferenceCardinality;
+import org.apache.felix.scr.annotations.Service;
+import org.apache.karaf.features.BundleInfo;
+import org.apache.karaf.features.Feature;
+import org.apache.karaf.features.FeaturesService;
+
+import org.onlab.util.KryoNamespace;
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.core.Application;
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.Permission;
+import org.onosproject.store.AbstractStore;
+import org.onosproject.store.serializers.KryoNamespaces;
+import org.onosproject.store.service.ConsistentMap;
+import org.onosproject.store.service.EventuallyConsistentMap;
+import org.onosproject.store.service.LogicalClockService;
+import org.onosproject.store.service.MapEvent;
+import org.onosproject.store.service.MapEventListener;
+import org.onosproject.store.service.Serializer;
+import org.onosproject.store.service.StorageService;
+import org.slf4j.Logger;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.stream.Collectors;
+
+import static org.onosproject.security.store.SecurityModeState.*;
+import static org.slf4j.LoggerFactory.getLogger;
+
+/**
+ * Manages application permissions granted/requested to applications.
+ * Uses both gossip-based and RAFT-based distributed data store.
+ */
+@Component(immediate = true)
+@Service
+public class DistributedSecurityModeStore
+ extends AbstractStore<SecurityModeEvent, SecurityModeStoreDelegate>
+ implements SecurityModeStore {
+
+ private final Logger log = getLogger(getClass());
+
+ private ConsistentMap<ApplicationId, SecurityInfo> states;
+ private EventuallyConsistentMap<ApplicationId, Set<Permission>> violations;
+
+ private ConcurrentHashMap<String, Set<ApplicationId>> localBundleAppDirectory;
+ private ConcurrentHashMap<ApplicationId, Set<String>> localAppBundleDirectory;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected StorageService storageService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected LogicalClockService clockService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected ApplicationAdminService applicationAdminService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected FeaturesService featuresService;
+
+ private static final Serializer STATE_SERIALIZER = Serializer.using(new KryoNamespace.Builder()
+ .register(KryoNamespaces.API)
+ .register(SecurityModeState.class)
+ .register(SecurityInfo.class)
+ .register(Permission.class)
+ .build());
+
+ private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder()
+ .register(KryoNamespaces.API)
+ .register(Permission.class);
+
+ @Activate
+ public void activate() {
+ states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder()
+ .withName("smonos-sdata")
+ .withSerializer(STATE_SERIALIZER)
+ .build();
+
+ states.addListener(new SecurityStateListener());
+
+ violations = storageService.<ApplicationId, Set<Permission>>eventuallyConsistentMapBuilder()
+ .withName("smonos-rperms")
+ .withSerializer(VIOLATION_SERIALIZER)
+ .withTimestampProvider((k, v) -> clockService.getTimestamp())
+ .build();
+
+ localBundleAppDirectory = new ConcurrentHashMap<>();
+ localAppBundleDirectory = new ConcurrentHashMap<>();
+
+ log.info("Started");
+
+ }
+
+ @Deactivate
+ public void deactivate() {
+ violations.destroy();
+ log.info("Stopped");
+ }
+
+
+ @Override
+ public Set<String> getBundleLocations(ApplicationId appId) {
+ Set<String> locations = localAppBundleDirectory.get(appId);
+ return locations != null ? locations : Sets.newHashSet();
+ }
+
+ @Override
+ public Set<ApplicationId> getApplicationIds(String location) {
+ Set<ApplicationId> appIds = localBundleAppDirectory.get(location);
+ return appIds != null ? appIds : Sets.newHashSet();
+ }
+
+ @Override
+ public Set<Permission> getRequestedPermissions(ApplicationId appId) {
+ Set<Permission> permissions = violations.get(appId);
+ return permissions != null ? permissions : ImmutableSet.of();
+ }
+
+ @Override
+ public Set<Permission> getGrantedPermissions(ApplicationId appId) {
+ return states.asJavaMap().getOrDefault(appId, new SecurityInfo(ImmutableSet.of(), null)).getPermissions();
+ }
+
+ @Override
+ public void requestPermission(ApplicationId appId, Permission permission) {
+
+ states.computeIf(appId, securityInfo -> (securityInfo == null || securityInfo.getState() != POLICY_VIOLATED),
+ (id, securityInfo) -> new SecurityInfo(securityInfo.getPermissions(), POLICY_VIOLATED));
+ violations.compute(appId, (k, v) -> v == null ? Sets.newHashSet(permission) : addAndGet(v, permission));
+ }
+
+ private Set<Permission> addAndGet(Set<Permission> oldSet, Permission newPerm) {
+ oldSet.add(newPerm);
+ return oldSet;
+ }
+
+ @Override
+ public boolean isSecured(ApplicationId appId) {
+ SecurityInfo info = states.get(appId).value();
+ return info == null ? false : info.getState().equals(SECURED);
+ }
+
+ @Override
+ public void reviewPolicy(ApplicationId appId) {
+ Application app = applicationAdminService.getApplication(appId);
+ if (app == null) {
+ log.warn("Unknown Application");
+ return;
+ }
+ states.computeIfPresent(appId, (applicationId, securityInfo) -> {
+ if (securityInfo.getState().equals(INSTALLED)) {
+ return new SecurityInfo(ImmutableSet.of(), REVIEWED);
+ }
+ return securityInfo;
+ });
+ }
+
+ @Override
+ public void acceptPolicy(ApplicationId appId, Set<Permission> permissionSet) {
+
+ Application app = applicationAdminService.getApplication(appId);
+ if (app == null) {
+ log.warn("Unknown Application");
+ return;
+ }
+
+ states.computeIf(appId,
+ securityInfo -> (securityInfo != null),
+ (id, securityInfo) -> {
+ switch (securityInfo.getState()) {
+ case POLICY_VIOLATED:
+ System.out.println(
+ "This application has violated the security policy. Please uninstall.");
+ return securityInfo;
+ case SECURED:
+ System.out.println(
+ "The policy has been accepted already. To review policy, review [app.name]");
+ return securityInfo;
+ case INSTALLED:
+ System.out.println("Please review the security policy prior to accept them");
+ log.warn("Application has not been reviewed");
+ return securityInfo;
+ case REVIEWED:
+ return new SecurityInfo(permissionSet, SECURED);
+ default:
+ return securityInfo;
+ }
+ });
+ }
+
+ private final class SecurityStateListener
+ implements MapEventListener<ApplicationId, SecurityInfo> {
+
+ @Override
+ public void event(MapEvent<ApplicationId, SecurityInfo> event) {
+
+ if (delegate == null) {
+ return;
+ }
+ ApplicationId appId = event.key();
+ SecurityInfo info = event.value().value();
+
+ if (event.type() == MapEvent.Type.INSERT || event.type() == MapEvent.Type.UPDATE) {
+ switch (info.getState()) {
+ case POLICY_VIOLATED:
+ notifyDelegate(new SecurityModeEvent(SecurityModeEvent.Type.POLICY_VIOLATED, appId));
+ break;
+ case SECURED:
+ notifyDelegate(new SecurityModeEvent(SecurityModeEvent.Type.POLICY_ACCEPTED, appId));
+ default:
+ break;
+ }
+ } else if (event.type() == MapEvent.Type.REMOVE) {
+ removeAppFromDirectories(appId);
+ }
+ }
+ }
+
+ private void removeAppFromDirectories(ApplicationId appId) {
+ for (String location : localAppBundleDirectory.get(appId)) {
+ localBundleAppDirectory.get(location).remove(appId);
+ }
+ violations.remove(appId);
+ states.remove(appId);
+ localAppBundleDirectory.remove(appId);
+ }
+
+ @Override
+ public boolean registerApplication(ApplicationId appId) {
+ Application app = applicationAdminService.getApplication(appId);
+ if (app == null) {
+ log.warn("Unknown application.");
+ return false;
+ }
+ localAppBundleDirectory.put(appId, getBundleLocations(app));
+ for (String location : localAppBundleDirectory.get(appId)) {
+ if (!localBundleAppDirectory.containsKey(location)) {
+ localBundleAppDirectory.put(location, new HashSet<>());
+ }
+ if (!localBundleAppDirectory.get(location).contains(appId)) {
+ localBundleAppDirectory.get(location).add(appId);
+ }
+ }
+ states.put(appId, new SecurityInfo(Sets.newHashSet(), INSTALLED));
+ return true;
+ }
+
+ @Override
+ public void unregisterApplication(ApplicationId appId) {
+ if (localAppBundleDirectory.containsKey(appId)) {
+ for (String location : localAppBundleDirectory.get(appId)) {
+ if (localBundleAppDirectory.get(location).size() == 1) {
+ localBundleAppDirectory.remove(location);
+ } else {
+ localBundleAppDirectory.get(location).remove(appId);
+ }
+ }
+ localAppBundleDirectory.remove(appId);
+ }
+ }
+
+ @Override
+ public SecurityModeState getState(ApplicationId appId) {
+ return states.asJavaMap().getOrDefault(appId, new SecurityInfo(null, null)).getState();
+ }
+
+ private Set<String> getBundleLocations(Application app) {
+ Set<String> locations = new HashSet<>();
+ for (String name : app.features()) {
+ try {
+ Feature feature = featuresService.getFeature(name);
+ locations.addAll(
+ feature.getBundles().stream().map(BundleInfo::getLocation).collect(Collectors.toList()));
+ } catch (Exception e) {
+ return locations;
+ }
+ }
+ return locations;
+ }
+
+ @Override
+ public void setDelegate(SecurityModeStoreDelegate delegate) {
+ super.setDelegate(delegate);
+ }
+
+ @Override
+ public void unsetDelegate(SecurityModeStoreDelegate delegate) {
+ super.setDelegate(delegate);
+ }
+}
\ No newline at end of file
diff --git a/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java b/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java
new file mode 100644
index 0000000..4dcb7da
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.security.Permission;
+
+import java.util.Set;
+
+/**
+ * Security-Mode ONOS security policy and state representation for distributed store.
+ */
+public class SecurityInfo {
+
+ protected Set<Permission> grantedPermissions;
+ protected SecurityModeState state;
+
+ public SecurityInfo(Set<Permission> perms, SecurityModeState state) {
+ this.grantedPermissions = perms;
+ this.state = state;
+ }
+ public Set<Permission> getPermissions() {
+ return grantedPermissions;
+ }
+ public SecurityModeState getState() {
+ return state;
+ }
+}
diff --git a/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java b/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java
new file mode 100644
index 0000000..59da67b
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.event.AbstractEvent;
+
+/**
+ * Security-Mode ONOS notifications.
+ */
+public class SecurityModeEvent extends AbstractEvent<SecurityModeEvent.Type, ApplicationId> {
+
+ protected SecurityModeEvent(Type type, ApplicationId subject) {
+ super(type, subject);
+ }
+
+ public enum Type {
+
+ /**
+ * Signifies that security policy has been accepted.
+ */
+ POLICY_ACCEPTED,
+
+ /**
+ * Signifies that security policy has been reviewed.
+ */
+ POLICY_REVIEWED,
+
+ /**
+ * Signifies that application has violated security policy.
+ */
+ POLICY_VIOLATED,
+ }
+}
diff --git a/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java b/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java
new file mode 100644
index 0000000..2745e0c
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.event.EventListener;
+
+/**
+ * Security-Mode ONOS event listener.
+ */
+public interface SecurityModeListener extends EventListener<SecurityModeEvent> {
+}
diff --git a/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java b/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java
new file mode 100644
index 0000000..999c5f9
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+/**
+ * Representation of Security-Mode ONOS application review state.
+ */
+public enum SecurityModeState {
+
+ /**
+ * Indicates that operator has accepted application security policy.
+ */
+ SECURED,
+
+ /**
+ * Indicates that application security policy has been reviewed.
+ */
+ REVIEWED,
+
+ /**
+ * Indicates that application has been installed.
+ */
+ INSTALLED,
+
+ /**
+ * Indicates that application has violated security policy.
+ */
+ POLICY_VIOLATED,
+}
diff --git a/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java b/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java
new file mode 100644
index 0000000..7e6b653
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.Permission;
+import org.onosproject.store.Store;
+
+import java.util.Set;
+
+/**
+ * Security-Mode ONOS distributed store service.
+ */
+public interface SecurityModeStore extends Store<SecurityModeEvent, SecurityModeStoreDelegate> {
+
+ /**
+ * Updates the local bundle-application directories.
+ * @param appId application identifier
+ * @return true if successfully registered.
+ */
+ boolean registerApplication(ApplicationId appId);
+
+ /**
+ * Removes application info from the local bundle-application directories.
+ * @param appId application identifier
+ */
+ void unregisterApplication(ApplicationId appId);
+
+ /**
+ * Returns state of the specified application.
+ * @param appId application identifier
+ * @return Security-Mode State of application
+ */
+ SecurityModeState getState(ApplicationId appId);
+
+ /**
+ * Returns bundle locations of specified application.
+ * @param appId application identifier
+ * @return set of bundle location strings
+ */
+ Set<String> getBundleLocations(ApplicationId appId);
+
+ /**
+ * Returns application identifiers that are associated with given bundle location.
+ * @param location OSGi bundle location
+ * @return set of application identifiers
+ */
+ Set<ApplicationId> getApplicationIds(String location);
+
+ /**
+ * Returns a list of permissions that have been requested by given application.
+ * @param appId application identifier
+ * @return list of permissions
+ */
+ Set<Permission> getRequestedPermissions(ApplicationId appId);
+
+ /**
+ * Returns an array of permissions that have been granted to given application.
+ * @param appId application identifier
+ * @return array of permissionInfo
+ */
+ Set<Permission> getGrantedPermissions(ApplicationId appId);
+
+ /**
+ * Request permission that is required to run given application.
+ * @param appId application identifier
+ * @param permission permission
+ */
+ void requestPermission(ApplicationId appId, Permission permission);
+
+ /**
+ * Returns true if given application has been secured.
+ * @param appId application identifier
+ * @return true indicates secured
+ */
+ boolean isSecured(ApplicationId appId);
+
+ /**
+ * Notifies SM-ONOS that operator has reviewed the policy.
+ * @param appId application identifier
+ */
+ void reviewPolicy(ApplicationId appId);
+
+ /**
+ * Accept the current security policy of given application.
+ * @param appId application identifier
+ * @param permissionSet array of PermissionInfo
+ */
+ void acceptPolicy(ApplicationId appId, Set<Permission> permissionSet);
+}
\ No newline at end of file
diff --git a/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java b/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java
new file mode 100644
index 0000000..d933a14
--- /dev/null
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.store.StoreDelegate;
+
+/**
+ * Security-Mode distributed store delegate abstraction.
+ */
+public interface SecurityModeStoreDelegate extends StoreDelegate<SecurityModeEvent> {
+}
diff --git a/core/store/dist/src/main/java/org/onosproject/store/app/GossipApplicationStore.java b/core/store/dist/src/main/java/org/onosproject/store/app/GossipApplicationStore.java
index 0c902bf..6764c22 100644
--- a/core/store/dist/src/main/java/org/onosproject/store/app/GossipApplicationStore.java
+++ b/core/store/dist/src/main/java/org/onosproject/store/app/GossipApplicationStore.java
@@ -38,7 +38,7 @@
import org.onosproject.core.ApplicationId;
import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.DefaultApplication;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import org.onosproject.store.cluster.messaging.ClusterCommunicationService;
import org.onosproject.store.cluster.messaging.MessageSubject;
import org.onosproject.store.serializers.KryoNamespaces;
diff --git a/features/features.xml b/features/features.xml
index 2f8c209..ad9a08d 100644
--- a/features/features.xml
+++ b/features/features.xml
@@ -135,7 +135,7 @@
<feature>onos-api</feature>
<!-- FIXME Release when stable (before Drake) -->
<bundle>mvn:org.onosproject/org.apache.felix.framework.security/2.2.0.onos-SNAPSHOT</bundle>
- <bundle>mvn:org.onosproject/onos-security-impl/@ONOS-VERSION</bundle>
+ <bundle>mvn:org.onosproject/onos-security/@ONOS-VERSION</bundle>
</feature>
</features>
diff --git a/openflow/api/src/main/java/org/onosproject/openflow/controller/DefaultOpenFlowPacketContext.java b/openflow/api/src/main/java/org/onosproject/openflow/controller/DefaultOpenFlowPacketContext.java
index f4ca827..da2bd16 100644
--- a/openflow/api/src/main/java/org/onosproject/openflow/controller/DefaultOpenFlowPacketContext.java
+++ b/openflow/api/src/main/java/org/onosproject/openflow/controller/DefaultOpenFlowPacketContext.java
@@ -17,7 +17,6 @@
import org.onlab.packet.DeserializationException;
import org.onlab.packet.Ethernet;
-import org.onosproject.core.Permission;
import org.projectfloodlight.openflow.protocol.OFPacketIn;
import org.projectfloodlight.openflow.protocol.OFPacketOut;
import org.projectfloodlight.openflow.protocol.OFVersion;
@@ -34,6 +33,7 @@
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
/**
@@ -57,7 +57,7 @@
@Override
public void send() {
- checkPermission(Permission.PACKET_WRITE);
+ checkPermission(PACKET_WRITE);
if (block() && isBuilt.get()) {
sw.sendMsg(pktout);
@@ -97,7 +97,7 @@
@Override
public Ethernet parsed() {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
try {
return Ethernet.deserializer().deserialize(pktin.getData(), 0, pktin.getData().length);
@@ -111,7 +111,7 @@
@Override
public Dpid dpid() {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
return new Dpid(sw.getId());
}
@@ -130,7 +130,7 @@
@Override
public Integer inPort() {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
return pktinInPort().getPortNumber();
}
@@ -144,7 +144,7 @@
@Override
public byte[] unparsed() {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
return pktin.getData().clone();
@@ -160,21 +160,21 @@
@Override
public boolean block() {
- checkPermission(Permission.PACKET_WRITE);
+ checkPermission(PACKET_WRITE);
return free.getAndSet(false);
}
@Override
public boolean isHandled() {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
return !free.get();
}
@Override
public boolean isBuffered() {
- checkPermission(Permission.PACKET_READ);
+ checkPermission(PACKET_READ);
return isBuffered;
}