ONOS-1767 SM-ONOS implementation
22a363e ONOS-17767 SM-ONOS impl
Change-Id: Ifca8129f2266bada68af735cf81a1d39f1ec8506
diff --git a/cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java b/cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java
deleted file mode 100644
index f72b0b2..0000000
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onosproject.cli.security;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import org.apache.karaf.shell.commands.Argument;
-import org.apache.karaf.shell.commands.Command;
-import org.onosproject.app.ApplicationAdminService;
-import org.onosproject.cli.AbstractShellCommand;
-import org.onosproject.core.Application;
-import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
-
-import java.util.Set;
-import java.util.stream.Collectors;
-
-/**
- * Manages application permissions.
- */
-@Command(scope = "onos", name = "perm",
- description = "Manages application permissions")
-public class PermissionCommand extends AbstractShellCommand {
-
- static final String ADD = "add";
- static final String REMOVE = "remove";
- static final String LIST = "list";
- static final String CLEAR = "clear";
-
-
- @Argument(index = 0, name = "command",
- description = "Command name (add|remove)",
- required = true, multiValued = false)
- String command = null;
-
- @Argument(index = 1, name = "name", description = "Application name",
- required = true, multiValued = false)
- String name = null;
-
- @Argument(index = 2, name = "permissions", description = "List of permissions",
- required = false, multiValued = true)
- String[] permissions = null;
-
- @Override
- protected void execute() {
- ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
- Set<Permission> newPermSet = Sets.newHashSet();
- if (command.equals(ADD)) {
- ApplicationId appId = applicationAdminService.getId(name);
- if (appId == null) {
- print("No such application: %s", name);
- return;
- }
- Application app = applicationAdminService.getApplication(appId);
-
- for (String perm : permissions) {
- try {
- Permission permission = Permission.valueOf(perm);
- newPermSet.add(permission);
- } catch (IllegalArgumentException e) {
- print("%s is not a valid permission.", perm);
- return;
- }
-
- }
- Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
- if (oldPermSet != null) {
- newPermSet.addAll(oldPermSet);
- } else {
- newPermSet.addAll(app.permissions());
- }
- applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
-
- } else if (command.equals(REMOVE)) {
- ApplicationId appId = applicationAdminService.getId(name);
- Application app = applicationAdminService.getApplication(appId);
- if (appId == null) {
- print("No such application: %s", name);
- return;
- }
- Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
- if (oldPermSet == null) {
- oldPermSet = app.permissions();
- }
- Set<String> clearPermSet = Sets.newHashSet(permissions);
- newPermSet.addAll(oldPermSet.stream().filter(
- perm -> !clearPermSet.contains(perm.name().toUpperCase())).collect(Collectors.toList()));
- applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
- } else if (command.equals(CLEAR)) {
- ApplicationId appId = applicationAdminService.getId(name);
- if (appId == null) {
- print("No such application: %s", name);
- return;
- }
- applicationAdminService.setPermissions(appId, ImmutableSet.of());
- print("Cleared the permission list of %s.", appId.name());
- } else if (command.equals(LIST)) {
- ApplicationId appId = applicationAdminService.getId(name);
- if (appId == null) {
- print("No such application: %s", name);
- return;
- }
- Application app = applicationAdminService.getApplication(appId);
- Set<Permission> userPermissions = applicationAdminService.getPermissions(appId);
- Set<Permission> defaultPermissions = app.permissions();
- print("Application Role");
- print("\trole=%s", app.role().name());
-
- if (defaultPermissions != null) {
- if (!defaultPermissions.isEmpty()) {
- print("Default permissions (specified in app.xml)");
- for (Permission perm : defaultPermissions) {
- print("\tpermission=%s", perm.name());
- }
- } else {
- print("(No default permissions specified in app.xml)");
- }
- }
- if (userPermissions != null) {
- if (!userPermissions.isEmpty()) {
- print("User permissions");
- for (Permission perm : userPermissions) {
- print("\tpermission=%s", perm.name());
- }
- } else {
- print("(User has removed all the permissions");
- }
- }
-
- }
- }
-}
diff --git a/cli/src/main/java/org/onosproject/cli/security/PermissionCommandCompleter.java b/cli/src/main/java/org/onosproject/cli/security/PermissionCommandCompleter.java
deleted file mode 100644
index 1584a05..0000000
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionCommandCompleter.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onosproject.cli.security;
-
-import com.google.common.collect.ImmutableList;
-import org.onosproject.cli.AbstractChoicesCompleter;
-
-import java.util.List;
-
-import static org.onosproject.cli.security.PermissionCommand.*;
-/**
- * Permission command completer.
- */
-public class PermissionCommandCompleter extends AbstractChoicesCompleter {
- @Override
- protected List<String> choices() {
- return ImmutableList.of(ADD, REMOVE, CLEAR, LIST);
- }
-}
diff --git a/cli/src/main/java/org/onosproject/cli/security/PermissionNameCompleter.java b/cli/src/main/java/org/onosproject/cli/security/PermissionNameCompleter.java
deleted file mode 100644
index 30dff06..0000000
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionNameCompleter.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onosproject.cli.security;
-
-import org.apache.karaf.shell.console.completer.ArgumentCompleter;
-import org.onosproject.cli.AbstractChoicesCompleter;
-import org.onosproject.core.Permission;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * Permission Name Completer.
- */
-public class PermissionNameCompleter extends AbstractChoicesCompleter {
- @Override
- protected List<String> choices() {
- List<String> permNames = new ArrayList<>();
-
- ArgumentCompleter.ArgumentList list = getArgumentList();
- String cmd = list.getArguments()[1];
- if (cmd.equals("add") || cmd.equals("remove")) {
- for (Permission perm : Permission.values()) {
- permNames.add(perm.name());
- }
- }
- return permNames;
- }
-
-
-}
diff --git a/cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java b/cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
similarity index 76%
rename from cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java
rename to cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
index 36b85d9..73744f3 100644
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java
+++ b/cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
@@ -18,6 +18,7 @@
import org.apache.karaf.shell.console.completer.StringsCompleter;
import org.onosproject.app.ApplicationService;
+import org.onosproject.app.ApplicationState;
import org.onosproject.cli.AbstractCompleter;
import org.onosproject.core.Application;
@@ -25,27 +26,33 @@
import java.util.List;
import java.util.SortedSet;
+import static org.onosproject.app.ApplicationState.INSTALLED;
import static org.onosproject.cli.AbstractShellCommand.get;
/**
- * Application name completer for permission command.
+ * Application name completer for security review command.
*/
-public class PermissionApplicationNameCompleter extends AbstractCompleter {
+public class ReviewApplicationNameCompleter extends AbstractCompleter {
@Override
public int complete(String buffer, int cursor, List<String> candidates) {
// Delegate string completer
StringsCompleter delegate = new StringsCompleter();
- // Fetch our service and feed it's offerings to the string completer
ApplicationService service = get(ApplicationService.class);
Iterator<Application> it = service.getApplications().iterator();
SortedSet<String> strings = delegate.getStrings();
while (it.hasNext()) {
Application app = it.next();
- strings.add(app.id().name());
+ ApplicationState state = service.getState(app.id());
+// if (previousApps.contains(app.id().name())) {
+// continue;
+// }
+ if (state == INSTALLED) {
+ strings.add(app.id().name());
+ }
}
// Now let the completer do the work for figuring out what to offer.
return delegate.complete(buffer, cursor, candidates);
}
-}
+}
\ No newline at end of file
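Review bot: The commented-out `previousApps` block added inside the `while` loop of `complete()` references a name that is declared nowhere in this class, so it is dead text that cannot be re-enabled without further changes and should be dropped rather than committed; the three lines `// if (previousApps.contains(app.id().name())) {` / `// continue;` / `// }` can be deleted outright. If the intent is to exclude applications already offered earlier in the buffer, a one-line TODO naming that intent would be clearer than commented code. The file also now ends without a trailing newline, which the previous revision had.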
diff --git a/cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java b/cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java
new file mode 100644
index 0000000..9d17eb2
--- /dev/null
+++ b/cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java
@@ -0,0 +1,122 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.cli.security;
+
+import org.apache.karaf.shell.commands.Argument;
+import org.apache.karaf.shell.commands.Command;
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.cli.AbstractShellCommand;
+import org.onosproject.core.Application;
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.SecurityAdminService;
+import org.onosproject.security.SecurityUtil;
+
+import java.security.Permission;
+import java.util.List;
+import java.util.Map;
+
+
+/**
+ * Application security policy review commands.
+ */
+@Command(scope = "onos", name = "review",
+ description = "Application security policy review interface")
+public class ReviewCommand extends AbstractShellCommand {
+
+ @Argument(index = 0, name = "name", description = "Application name",
+ required = true, multiValued = false)
+ String name = null;
+
+ @Argument(index = 1, name = "accept", description = "Option to accept policy",
+ required = false, multiValued = false)
+ String accept = null;
+
+ @Override
+ protected void execute() {
+ ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
+ ApplicationId appId = applicationAdminService.getId(name);
+ if (appId == null) {
+ print("No such application: %s", name);
+ return;
+ }
+ Application app = applicationAdminService.getApplication(appId);
+ SecurityAdminService smService = SecurityUtil.getSecurityService();
+ if (smService == null) {
+ print("Security Mode is disabled");
+ return;
+ }
+ if (accept == null) {
+ smService.review(appId);
+ printPolicy(smService, app);
+ } else if (accept.trim().equals("accept")) {
+ smService.acceptPolicy(appId);
+ printPolicy(smService, app);
+ } else {
+ print("Unknown command");
+ }
+ }
+
+ private void printPolicy(SecurityAdminService smService, Application app) {
+ print("\n*******************************");
+ print(" SM-ONOS APP REVIEW ");
+ print("*******************************");
+
+ print("Application name: %s ", app.id().name());
+ print("Application role: " + app.role());
+ print("\nDeveloper specified permissions: ");
+ printMap(smService.getPrintableSpecifiedPermissions(app.id()));
+ print("\nPermissions granted: ");
+ printMap(smService.getPrintableGrantedPermissions(app.id()));
+ print("\nAdditional permissions requested on runtime (POLICY VIOLATIONS): ");
+ printMap(smService.getPrintableRequestedPermissions(app.id()));
+ print("");
+
+ }
+ private void printMap(Map<Integer, List<Permission>> assortedMap) {
+ for (Integer type : assortedMap.keySet()) {
+ switch (type) {
+ case 0:
+ for (Permission perm: assortedMap.get(0)) {
+ print("\t[APP PERMISSION] " + perm.getName());
+ }
+ break;
+ case 1:
+ for (Permission perm: assortedMap.get(1)) {
+ print("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+ }
+ break;
+ case 2:
+ for (Permission perm: assortedMap.get(2)) {
+ print("\t[NB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+ }
+ break;
+ case 3:
+ for (Permission perm: assortedMap.get(3)) {
+ print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+ }
+ break;
+ case 4:
+ for (Permission perm: assortedMap.get(4)) {
+ print("\t[Other] " + perm.getClass().getSimpleName() +
+ " " + perm.getName() + " (" + perm.getActions() + ")");
+ }
+ default:
+ break;
+ }
+ }
+ }
+}
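Review bot: In `printMap`, `case 4` has no `break`, so it falls through into `default`; harmless today, but the next case added after it will inherit the fall-through, and each branch also re-reads the map with a literal key (`assortedMap.get(0)` … `get(4)`) instead of the `type` it is already switching on, while `keySet()` plus `get()` does two lookups where `entrySet()` does one. Keys the service may emit outside 0–4 are silently dropped by the `default: break;` — if that is intentional, a comment such as `// unknown category: nothing to print` would make it explicit. Separately, `printPolicy` mixes `print("Application name: %s ", …)` with `print("Application role: " + app.role())`; using the `%s` form throughout matches the rest of the file. A tightened `printMap` is sketched below; the per-category print strings are unchanged.
```java
    private void printMap(Map<Integer, List<Permission>> assortedMap) {
        for (Map.Entry<Integer, List<Permission>> entry : assortedMap.entrySet()) {
            List<Permission> perms = entry.getValue();
            switch (entry.getKey()) {
                case 0:
                    for (Permission perm : perms) {
                        print("\t[APP PERMISSION] " + perm.getName());
                    }
                    break;
                // … unchanged: cases 1-3, each iterating perms instead of assortedMap.get(n) …
                case 4:
                    for (Permission perm : perms) {
                        print("\t[Other] " + perm.getClass().getSimpleName() +
                              " " + perm.getName() + " (" + perm.getActions() + ")");
                    }
                    break;
                default:
                    // unknown category: nothing to print
                    break;
            }
        }
    }
```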