/*
 * Copyright 2015 Open Networking Laboratory
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.onosproject.security;

import java.security.AccessController;
import java.security.AccessControlContext;
import com.google.common.annotations.Beta;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

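/**
 * Aids SM-ONOS to perform API-level permission checking.
 *
 * <p>Successful checks are memoised per (access-control context, permission type) pair so that
 * repeated calls made under the same context do not re-run the security manager's check. Only
 * grants are cached; a denial is always produced by the security manager itself.
 */
@Beta
public final class AppGuard {

    private AppGuard() {
    }

    /**
     * Checks if the caller has the required permission only when security-mode is enabled.
     *
     * <p>When no security manager is installed the method returns without checking anything.
     *
     * @param permission permission to be checked
     * @throws SecurityException if the installed security manager denies the permission
     */
    public static void checkPermission(AppPermission.Type permission) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return;
        }
        AppPermission required = new AppPermission(permission);
        AccessControlContext context = AccessController.getContext();
        if (context == null) {
            // Without a context there is nothing to key the cache on, so ask the security
            // manager directly.
            sm.checkPermission(required);
            return;
        }
        PermissionCheckCache.checkCache(new CacheKey(context, permission), required, sm);
    }

    /**
     * Cache key that identifies one authorization decision: the access-control context the call
     * was made under and the permission type that was requested.
     *
     * <p>The key holds both values and compares them with {@code equals}. An {@code int} built by
     * XOR-ing the two hash codes is not unique: two unrelated (context, permission) pairs can
     * share it, and a grant cached for one pair would then be returned for the other without the
     * security manager being consulted. Hash codes are only used here to pick a bucket.
     */
    private static final class CacheKey {

        private final AccessControlContext context;
        private final AppPermission.Type type;

        CacheKey(AccessControlContext context, AppPermission.Type type) {
            this.context = context;
            this.type = type;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof CacheKey)) {
                return false;
            }
            CacheKey other = (CacheKey) obj;
            return context.equals(other.context) && type.equals(other.type);
        }

        @Override
        public int hashCode() {
            return 31 * context.hashCode() + type.hashCode();
        }
    }

    /**
     * Holds the cache of permission checks that have already succeeded.
     */
    private static final class PermissionCheckCache {

        // NOTE(review): expireAfterAccess restarts the timer on every hit, so a grant that keeps
        // being used is never re-evaluated. If an application's permissions can be revoked at
        // runtime, the revocation does not take effect for entries that stay in this cache;
        // consider expireAfterWrite or invalidating the cache when the policy changes.
        // NOTE(review): keys keep a strong reference to the AccessControlContext until the entry
        // expires or is evicted; retention is bounded by maximumSize and the expiry below.
        private static final Cache<CacheKey, Boolean> CACHE = CacheBuilder.newBuilder()
                .maximumSize(1000)
                .expireAfterAccess(10, TimeUnit.MINUTES)
                .build();

        private PermissionCheckCache() {
        }

        /**
         * Runs the permission check unless a grant for {@code key} is already cached.
         *
         * @param key  context and permission type the decision belongs to
         * @param perm permission handed to the security manager on a cache miss
         * @param sm   security manager that makes the decision
         * @throws SecurityException if the security manager denies the permission
         */
        static void checkCache(CacheKey key, AppPermission perm, SecurityManager sm) {
            try {
                CACHE.get(key, () -> {
                    // A denial throws here, so nothing is stored for a refused check.
                    sm.checkPermission(perm);
                    return Boolean.TRUE;
                });
            } catch (ExecutionException | RuntimeException e) {
                // Guava reports an unchecked exception from the loader wrapped in an unchecked
                // wrapper, not as ExecutionException. Unwrap it so callers see the same
                // SecurityException they would get from an uncached check.
                Throwable cause = e.getCause();
                if (cause instanceof SecurityException) {
                    throw (SecurityException) cause;
                }
                // Any other cache failure: fall back to the authoritative, uncached check so the
                // decision never defaults to "allowed".
                sm.checkPermission(perm);
            }
        }
    }
}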