ONOS-1767 SM-ONOS implementation
22a363e ONOS-17767 SM-ONOS impl
Change-Id: Ifca8129f2266bada68af735cf81a1d39f1ec8506
diff --git a/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java b/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
index e0ea6ec..3713e21 100644
--- a/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
@@ -17,7 +17,7 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import java.io.InputStream;
import java.util.Set;
diff --git a/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java b/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
index b3fab01..2561280 100644
--- a/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
@@ -16,8 +16,8 @@
package org.onosproject.app;
import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
import org.onosproject.core.Version;
+import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
diff --git a/core/api/src/main/java/org/onosproject/app/ApplicationService.java b/core/api/src/main/java/org/onosproject/app/ApplicationService.java
index bb55da9..73dcc86 100644
--- a/core/api/src/main/java/org/onosproject/app/ApplicationService.java
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationService.java
@@ -17,8 +17,8 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
import org.onosproject.event.ListenerService;
+import org.onosproject.security.Permission;
import java.util.Set;
diff --git a/core/api/src/main/java/org/onosproject/app/ApplicationStore.java b/core/api/src/main/java/org/onosproject/app/ApplicationStore.java
index d20adb5..b3cdc43 100644
--- a/core/api/src/main/java/org/onosproject/app/ApplicationStore.java
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationStore.java
@@ -17,7 +17,7 @@
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
import org.onosproject.store.Store;
import java.io.InputStream;
diff --git a/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java b/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
index d24bace..710d0f9 100644
--- a/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
+++ b/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
@@ -16,8 +16,8 @@
package org.onosproject.app;
import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
import org.onosproject.core.Version;
+import org.onosproject.security.Permission;
import java.net.URI;
import java.util.List;
diff --git a/core/api/src/main/java/org/onosproject/core/Application.java b/core/api/src/main/java/org/onosproject/core/Application.java
index 8cd063a..fca5384 100644
--- a/core/api/src/main/java/org/onosproject/core/Application.java
+++ b/core/api/src/main/java/org/onosproject/core/Application.java
@@ -15,6 +15,8 @@
*/
package org.onosproject.core;
+import org.onosproject.security.Permission;
+
import java.net.URI;
import java.util.List;
import java.util.Optional;
diff --git a/core/api/src/main/java/org/onosproject/core/ApplicationRole.java b/core/api/src/main/java/org/onosproject/core/ApplicationRole.java
index 71ae1e3..5fcb80b 100644
--- a/core/api/src/main/java/org/onosproject/core/ApplicationRole.java
+++ b/core/api/src/main/java/org/onosproject/core/ApplicationRole.java
@@ -23,9 +23,9 @@
ADMIN,
/**
- * Indicates that an application has a REGULAR role.
+ * Indicates that an application has a USER role.
*/
- REGULAR,
+ USER,
/**
* Indicates that an application role has not been specified.
diff --git a/core/api/src/main/java/org/onosproject/core/DefaultApplication.java b/core/api/src/main/java/org/onosproject/core/DefaultApplication.java
index ab72c6f..d8062dd 100644
--- a/core/api/src/main/java/org/onosproject/core/DefaultApplication.java
+++ b/core/api/src/main/java/org/onosproject/core/DefaultApplication.java
@@ -15,6 +15,8 @@
*/
package org.onosproject.core;
+import org.onosproject.security.Permission;
+
import java.net.URI;
import java.util.Set;
import java.util.Optional;
diff --git a/core/api/src/main/java/org/onosproject/core/Permission.java b/core/api/src/main/java/org/onosproject/core/Permission.java
deleted file mode 100644
index 282388c..0000000
--- a/core/api/src/main/java/org/onosproject/core/Permission.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.onosproject.core;
-
-/**
- * Representation of an application permission.
- */
-public enum Permission {
- APP_READ,
- APP_EVENT,
- CONFIG_READ,
- CONFIG_WRITE,
- CLUSTER_READ,
- CLUSTER_WRITE,
- CLUSTER_EVENT,
- DEVICE_READ,
- DEVICE_EVENT,
- DRIVER_READ,
- DRIVER_WRITE,
- FLOWRULE_READ,
- FLOWRULE_WRITE,
- FLOWRULE_EVENT,
- GROUP_READ,
- GROUP_WRITE,
- GROUP_EVENT,
- HOST_READ,
- HOST_WRITE,
- HOST_EVENT,
- INTENT_READ,
- INTENT_WRITE,
- INTENT_EVENT,
- LINK_READ,
- LINK_WRITE,
- LINK_EVENT,
- PACKET_READ,
- PACKET_WRITE,
- PACKET_EVENT,
- STATISTIC_READ,
- TOPOLOGY_READ,
- TOPOLOGY_EVENT,
- TUNNEL_READ,
- TUNNEL_WRITE,
- TUNNEL_EVENT,
- STORAGE_WRITE
-}
diff --git a/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java b/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
index b227b92..166269f 100644
--- a/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
+++ b/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
@@ -15,7 +15,6 @@
*/
package org.onosproject.net.packet;
-import org.onosproject.core.Permission;
import org.onosproject.net.flow.DefaultTrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment.Builder;
@@ -23,7 +22,7 @@
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
-
+import static org.onosproject.security.AppPermission.Type.*;
/**
* Default implementation of a packet context.
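Review bot: The wildcard static import `import static org.onosproject.security.AppPermission.Type.*;` brings all of the permission constants into this file's namespace, although the visible hunks use only two of them. Importing them explicitly, `import static org.onosproject.security.AppPermission.Type.PACKET_READ;` and `import static org.onosproject.security.AppPermission.Type.PACKET_WRITE;`, keeps each `checkPermission(...)` call traceable to its enum when auditing which permission guards which accessor. Methods between the hunks are not shown, so the list may need one or two more constants.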
@@ -57,29 +56,25 @@
@Override
public long time() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return time;
}
@Override
public InboundPacket inPacket() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return inPkt;
}
@Override
public OutboundPacket outPacket() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return outPkt;
}
@Override
public Builder treatmentBuilder() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return builder;
}
@@ -88,15 +83,13 @@
@Override
public boolean block() {
- checkPermission(Permission.PACKET_WRITE);
-
+ checkPermission(PACKET_WRITE);
return this.block.getAndSet(true);
}
@Override
public boolean isHandled() {
- checkPermission(Permission.PACKET_READ);
-
+ checkPermission(PACKET_READ);
return this.block.get();
}
}
\ No newline at end of file
diff --git a/core/api/src/main/java/org/onosproject/security/AppGuard.java b/core/api/src/main/java/org/onosproject/security/AppGuard.java
index d3cc423..800135f 100644
--- a/core/api/src/main/java/org/onosproject/security/AppGuard.java
+++ b/core/api/src/main/java/org/onosproject/security/AppGuard.java
@@ -16,7 +16,6 @@
package org.onosproject.security;
-import org.onosproject.core.Permission;
/**
* Aids SM-ONOS to perform API-level permission checking.
@@ -30,10 +29,10 @@
* Checks if the caller has the required permission only when security-mode is enabled.
* @param permission permission to be checked
*/
- public static void checkPermission(Permission permission) {
+ public static void checkPermission(AppPermission.Type permission) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
- System.getSecurityManager().checkPermission(new AppPermission(permission.name()));
+ System.getSecurityManager().checkPermission(new AppPermission(permission));
}
}
}
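Review bot: `checkPermission` null-checks the local `sm` but then calls `System.getSecurityManager()` a second time on the changed line, so the value that was checked is not the value that is used. If the security manager is replaced or cleared between the two reads, the call can throw a NullPointerException or consult a different manager. Using the local closes that gap: `sm.checkPermission(new AppPermission(permission));`. A null `permission` also reaches `type.name()` inside the new constructor, so an `Objects.requireNonNull(permission, "permission")` guard would give a clearer failure.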
diff --git a/core/api/src/main/java/org/onosproject/security/AppPermission.java b/core/api/src/main/java/org/onosproject/security/AppPermission.java
index e5f8fa2..21a70d2 100644
--- a/core/api/src/main/java/org/onosproject/security/AppPermission.java
+++ b/core/api/src/main/java/org/onosproject/security/AppPermission.java
@@ -23,12 +23,57 @@
*/
public class AppPermission extends BasicPermission {
+ public enum Type {
+ APP_READ,
+ APP_EVENT,
+ CONFIG_READ,
+ CONFIG_WRITE,
+ CLUSTER_READ,
+ CLUSTER_WRITE,
+ CLUSTER_EVENT,
+ DEVICE_READ,
+ DEVICE_EVENT,
+ DRIVER_READ,
+ DRIVER_WRITE,
+ FLOWRULE_READ,
+ FLOWRULE_WRITE,
+ FLOWRULE_EVENT,
+ GROUP_READ,
+ GROUP_WRITE,
+ GROUP_EVENT,
+ HOST_READ,
+ HOST_WRITE,
+ HOST_EVENT,
+ INTENT_READ,
+ INTENT_WRITE,
+ INTENT_EVENT,
+ LINK_READ,
+ LINK_WRITE,
+ LINK_EVENT,
+ PACKET_READ,
+ PACKET_WRITE,
+ PACKET_EVENT,
+ STATISTIC_READ,
+ TOPOLOGY_READ,
+ TOPOLOGY_EVENT,
+ TUNNEL_READ,
+ TUNNEL_WRITE,
+ TUNNEL_EVENT,
+ STORAGE_WRITE
+ }
+
+ protected Type type;
/**
* Creates new application permission using the supplied data.
* @param name permission name
*/
public AppPermission(String name) {
super(name.toUpperCase(), "");
+ try {
+ type = Type.valueOf(name);
+ } catch (IllegalArgumentException e) {
+ type = null;
+ }
}
/**
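Review bot: The String constructor upper-cases `name` for `super(...)` but passes the raw `name` to `Type.valueOf`, so `new AppPermission("packet_read")` ends up with the BasicPermission name `PACKET_READ` and a null `type`. Normalise once and use the result for both, e.g. `type = Type.valueOf(name.toUpperCase(Locale.ROOT));`, which needs `java.util.Locale` imported. `Locale.ROOT` matters because the default-locale `toUpperCase()` can map characters differently under some locales and change a permission name. The two-argument constructor in the next hunk has the same mismatch, and the class body continues outside this hunk.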
@@ -38,6 +83,28 @@
*/
public AppPermission(String name, String actions) {
super(name.toUpperCase(), actions);
+ try {
+ type = Type.valueOf(name);
+ } catch (IllegalArgumentException e) {
+ type = null;
+ }
+ }
+
+ /**
+ * Crates new application permission using the supplied data.
+ * @param type permission type
+ */
+ public AppPermission(Type type) {
+ super(type.name(), "");
+ this.type = type;
+ }
+
+ /**
+ * Returns type of permission.
+ * @return application permission type
+ */
+ public Type getType() {
+ return this.type;
}
}
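Review bot: `getType()` can return null whenever the instance was built from a String that matches no `Type` constant, but its Javadoc promises an "application permission type" without saying so. Document the case, e.g. `@return application permission type, or null if the name is not a known type`, so callers that switch on the result know they must check first. The Javadoc of the new `AppPermission(Type type)` constructor reads "Crates" and should read "Creates", and the constructor dereferences `type` in `super(type.name(), "")` with no null check.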
diff --git a/core/api/src/main/java/org/onosproject/security/Permission.java b/core/api/src/main/java/org/onosproject/security/Permission.java
new file mode 100644
index 0000000..75d9433
--- /dev/null
+++ b/core/api/src/main/java/org/onosproject/security/Permission.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+public class Permission {
+
+ protected String classname;
+ protected String name;
+ protected String actions;
+
+ public Permission(String classname, String name, String actions) {
+ this.classname = classname;
+ this.name = name;
+ if (actions == null) {
+ this.actions = "";
+ } else {
+ this.actions = actions;
+ }
+ }
+
+ public Permission(String classname, String name) {
+ this.classname = classname;
+ this.name = name;
+ this.actions = "";
+ }
+
+ public String getClassName() {
+ return classname;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public String getActions() {
+ return actions;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public boolean equals(Object thatPerm) {
+ if (this == thatPerm) {
+ return true;
+ }
+
+ if (!(thatPerm instanceof Permission)) {
+ return false;
+ }
+
+ Permission that = (Permission) thatPerm;
+ return (this.classname.equals(that.classname)) && (this.name.equals(that.name))
+ && (this.actions.equals(that.actions));
+ }
+
+ @Override
+ public String toString() {
+ return String.format("(%s, %s, %s)", classname, name, actions);
+ }
+}
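Review bot: `hashCode()` returns the constant 0, which satisfies the contract with `equals` but puts every `Permission` in the same bucket, so hash-based sets and maps of permissions degrade to linear scans. Derive it from the fields `equals` compares: `return Objects.hash(classname, name, actions);`, with `java.util.Objects` imported. `equals` calls `this.classname.equals(...)` and `this.name.equals(...)`, but neither constructor rejects null for those arguments, so a null class name or name fails only later, at comparison time. The class and its public members have no Javadoc, and the three fields are `protected` and non-final on a value type that policy decisions compare, where `private final` would make instances immutable.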
diff --git a/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java b/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java
new file mode 100644
index 0000000..16ea94d
--- /dev/null
+++ b/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onosproject.core.ApplicationId;
+
+import java.security.Permission;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Security-Mode ONOS service.
+ */
+public interface SecurityAdminService {
+
+ /**
+ * Returns true if security policy has been enforced to specified application.
+ * @param appId application identifier
+ * @return true if secured.
+ */
+ boolean isSecured(ApplicationId appId);
+
+ /**
+ * Changes SecurityModeState of specified application to REVIEWED.
+ * @param appId application identifier
+ */
+ void review(ApplicationId appId);
+
+ /**
+ * Accepts and enforces security policy to specified application.
+ * @param appId application identifier
+ */
+ void acceptPolicy(ApplicationId appId);
+
+ /**
+ * Register application to SM-ONOS subsystem.
+ * @param appId application identifier
+ */
+ void register(ApplicationId appId);
+
+ /**
+ * Returns sorted developer specified permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId);
+
+ /**
+ * Returns sorted granted permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId);
+
+ /**
+ * Returns sorted requested permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId);
+
+
+}
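Review bot: This interface imports `java.security.Permission` while sitting in `org.onosproject.security`, the package where this same commit adds its own `Permission` class, so the unqualified `Permission` in the three `getPrintable*Permissions` signatures is easy to misread. The single-type import wins, so the maps hold `java.security.Permission`. Writing `Map<Integer, List<java.security.Permission>>` in the signatures, or adding a comment on the import, would make that unambiguous. The Javadoc also says the map is "sorted by permission type" without defining the `Integer` keys, so it should state what each key value denotes.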
diff --git a/core/api/src/main/java/org/onosproject/security/SecurityUtil.java b/core/api/src/main/java/org/onosproject/security/SecurityUtil.java
new file mode 100644
index 0000000..34b4e78
--- /dev/null
+++ b/core/api/src/main/java/org/onosproject/security/SecurityUtil.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onlab.osgi.DefaultServiceDirectory;
+import org.onlab.osgi.ServiceDirectory;
+import org.onlab.osgi.ServiceNotFoundException;
+import org.onosproject.core.ApplicationId;
+
+/**
+ * Utility class to aid Security-Mode ONOS.
+ */
+public final class SecurityUtil {
+
+ protected static ServiceDirectory serviceDirectory = new DefaultServiceDirectory();
+
+ private SecurityUtil() {
+ }
+
+ public static boolean isSecurityModeEnabled() {
+ if (System.getSecurityManager() != null) {
+ try {
+ SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
+ if (securityService != null) {
+ return true;
+ }
+ } catch (ServiceNotFoundException e) {
+ return false;
+ }
+ }
+ return false;
+ }
+
+ public static SecurityAdminService getSecurityService() {
+ if (System.getSecurityManager() != null) {
+ try {
+ SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
+ if (securityService != null) {
+ return securityService;
+ }
+ } catch (ServiceNotFoundException e) {
+ return null;
+ }
+ }
+ return null;
+ }
+
+ public static boolean isAppSecured(ApplicationId appId) {
+ SecurityAdminService service = getSecurityService();
+ if (service != null) {
+ if (!service.isSecured(appId)) {
+ System.out.println("\n*******************************");
+ System.out.println(" SM-ONOS APP WARNING ");
+ System.out.println("*******************************");
+ System.out.println(appId.name() + " has not been secured.");
+ System.out.println("Please review before activating.");
+ return false;
+ }
+ }
+ return true;
+ }
+ public static void register(ApplicationId appId) {
+ SecurityAdminService service = getSecurityService();
+ if (service != null) {
+ service.register(appId);
+ }
+ }
+}
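Review bot: `isAppSecured` fails open, because `getSecurityService()` returns null both when no security manager is installed and when one is installed but `SecurityAdminService` cannot be found, and in both cases the method returns true. The second case reports an application as secured exactly when the component that enforces policy is missing. Separating the two cases lets the method fail closed there; whether callers depend on the permissive result during startup is not visible in this diff. Separately, `serviceDirectory` is `protected static` and non-final in a final utility class, and `private static final` would stop other code in the package from replacing it. The warning banner also goes to `System.out` rather than the project logger.

```java
public static boolean isAppSecured(ApplicationId appId) {
    if (System.getSecurityManager() == null) {
        // Security mode is off: there is no policy to enforce.
        return true;
    }
    SecurityAdminService service = getSecurityService();
    if (service == null) {
        // Security manager present but SM-ONOS service unavailable: fail closed.
        return false;
    }
    if (!service.isSecured(appId)) {
        // … unchanged: SM-ONOS APP WARNING banner …
        return false;
    }
    return true;
}
```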