Diffstat (limited to 'odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa')
8 files changed, 765 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java
new file mode 100644
index 00000000..d4ac79af
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java
@@ -0,0 +1,150 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.Collection; + +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Consumer; +import org.opendaylight.controller.sal.core.api.Provider; +import org.osgi.framework.BundleContext; + +/** + * Created by wdec on 26/08/2014. + */ +public class AuthzBrokerImpl implements Broker, AutoCloseable, Provider { + + private Broker broker; + private ProviderSession providerSession; + private AuthenticationService authenticationService; + + public void setBroker(Broker broker) { + this.broker = broker; + } + + @Override + public void close() throws Exception { + + } + + // Implements AuthzBroker handling of registering consumers or providers. 
+ @Override + public ConsumerSession registerConsumer(Consumer consumer) { + + ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer)); + AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession, + this); + consumer.onSessionInitiated(authzConsumerContext); + return authzConsumerContext; + } + + @Override + public ConsumerSession registerConsumer(Consumer consumer, BundleContext bundleContext) { + + ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer), + bundleContext); + AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession, + this); + consumer.onSessionInitiated(authzConsumerContext); + return authzConsumerContext; + } + + @Override + public ProviderSession registerProvider(Provider provider) { + + ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider)); + AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession, + this); + provider.onSessionInitiated(authzProviderContext); + return authzProviderContext; + } + + @Override + public ProviderSession registerProvider(Provider provider, BundleContext bundleContext) { + + // Allow the real broker to do its thing, while providing a wrapped + // callback + ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider), + bundleContext); + + // Create Authz ProviderContext + AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession, + this); + + // Run onsessionInitiated on injected provider with the AuthZ provider + // context. 
+ provider.onSessionInitiated(authzProviderContext); + return authzProviderContext; + + } + + // Handle the AuthZBroker registration with the real broker + @Override + public void onSessionInitiated(ProviderSession providerSession) { + + // Get now the real DOMDataBroker and register it with the + // AuthzDOMBroker together with the provider session + final DOMDataBroker domDataBroker = providerSession.getService(DOMDataBroker.class); + AuthzDomDataBroker.getInstance().setProviderSession(providerSession); + AuthzDomDataBroker.getInstance().setDomDataBroker(domDataBroker); + AuthzDomDataBroker.getInstance().setAuthService(this.authenticationService); + } + + @Override + public Collection<ProviderFunctionality> getProviderFunctionality() { + return null; + } + + public void setAuthenticationService(AuthenticationService authenticationService) { + this.authenticationService = authenticationService; + } + + // Wrapper for Provider + + public static class ProviderWrapper implements Provider { + private final Provider provider; + + public ProviderWrapper(Provider provider) { + this.provider = provider; + } + + @Override + public void onSessionInitiated(ProviderSession providerSession) { + // Do a Noop when the real broker calls back + } + + @Override + public Collection<ProviderFunctionality> getProviderFunctionality() { + // Allow the RestconfImpl to respond to this + return provider.getProviderFunctionality(); + } + } + + // Wrapper for Consumer + public static class ConsumerWrapper implements Consumer { + + private final Consumer consumer; + + public ConsumerWrapper(Consumer consumer) { + this.consumer = consumer; + } + + @Override + public void onSessionInitiated(ConsumerSession consumerSession) { + // Do a Noop when the real broker calls back + } + + @Override + public Collection<ConsumerFunctionality> getConsumerFunctionality() { + return consumer.getConsumerFunctionality(); + } + } +} 
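Review bot: The `AuthzDomDataBroker` singleton only receives the authentication service inside `onSessionInitiated`, which copies whatever `this.authenticationService` holds at that instant; if the `setAuthenticationService` injector runs after the broker session is initiated, the singleton keeps a null auth service, and the three-argument `AuthzServiceImpl.reqAuthorization` in this same commit returns `Authorized` whenever the service is null. Forwarding the setter to the singleton closes that ordering window: add `AuthzDomDataBroker.getInstance().setAuthService(authenticationService);` as the second statement of `setAuthenticationService`. Separately, `getProviderFunctionality()` returns `null` for a `Collection`; `java.util.Collections.emptySet()` avoids a null check being forgotten by a caller that iterates it. The actual wiring order is decided by the config subsystem outside this diff, so whether the window is reachable in practice cannot be confirmed from here.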
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java
new file mode 100644
index 00000000..07ba51cd
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
+import org.opendaylight.controller.sal.core.api.Broker;
+import org.opendaylight.controller.sal.core.api.Broker.ConsumerSession;
+import org.opendaylight.controller.sal.core.api.BrokerService;
+import org.opendaylight.controller.sal.core.spi.ForwardingConsumerSession;
+
+/**
+ * Created by wdec on 28/08/2014.
+ */
+public class AuthzConsumerContextImpl extends ForwardingConsumerSession {
+
+ private final Broker.ConsumerSession realSession;
+
+ public AuthzConsumerContextImpl(Broker.ConsumerSession realSession, AuthzBrokerImpl authzBroker) {
+ this.realSession = realSession;
+ }
+
+ @Override
+ protected ConsumerSession delegate() {
+ return realSession;
+ }
+
+ @Override
+ public <T extends BrokerService> T getService(Class<T> tClass) {
+ T t;
+ // Check for class and return Authz broker only for DOMBroker
+ if (tClass == DOMDataBroker.class) {
+ t = (T) AuthzDomDataBroker.getInstance();
+ } else {
+ t = realSession.getService(tClass);
+ }
+ // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t);
+ return t;
+ }
+
+}
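Review bot: `getService` hands out `AuthzDomDataBroker.getInstance()` for `DOMDataBroker.class` whether or not the singleton has been wired; its real delegate is only set when `AuthzBrokerImpl.onSessionInitiated` runs, so a consumer that resolves the service earlier gets a broker whose `newReadOnlyTransaction()` dereferences a null `domDataBroker`. The cast `(T) AuthzDomDataBroker.getInstance()` is unchecked; since the branch has already established `tClass == DOMDataBroker.class`, narrow the suppression to that statement with `@SuppressWarnings("unchecked") // safe: tClass is exactly DOMDataBroker.class`. The `authzBroker` constructor parameter is never stored and the commented-out `setDomDataBroker` line is dead code — either use them or remove them, and give the class a one-line Javadoc saying that it forwards every `ConsumerSession` call to the real session except `getService(DOMDataBroker.class)`, which is redirected to the authorizing broker.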
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java new file mode 100644 index 00000000..4cc232bc --- /dev/null +++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java 
@@ -0,0 +1,129 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.base.Optional; +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; +import com.google.common.util.concurrent.ListenableFuture; + +import org.opendaylight.controller.md.sal.common.api.TransactionStatus; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException; +import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.common.RpcResult; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 26/08/2014. 
+ */ +public class AuthzDataReadWriteTransaction implements DOMDataReadWriteTransaction { + + private final DOMDataReadWriteTransaction domDataReadWriteTransaction; + + public AuthzDataReadWriteTransaction(DOMDataReadWriteTransaction domDataReadWriteTransaction) { + this.domDataReadWriteTransaction = domDataReadWriteTransaction; + } + + @Override + public boolean cancel() { + if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) { + return domDataReadWriteTransaction.cancel(); + } + return false; + } + + @Override + public void delete(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Delete)) { + domDataReadWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier); + } + } + + @Override + public CheckedFuture<Void, TransactionCommitFailedException> submit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) { + return domDataReadWriteTransaction.submit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Deprecated + @Override + public ListenableFuture<RpcResult<TransactionStatus>> commit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) { + return domDataReadWriteTransaction.commit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public CheckedFuture<Optional<NormalizedNode<?, ?>>, ReadFailedException> read( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Read)) { + return domDataReadWriteTransaction.read(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization 
Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public CheckedFuture<Boolean, ReadFailedException> exists( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Exists)) { + return domDataReadWriteTransaction.exists(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public void put(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Put)) { + domDataReadWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public void merge(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Merge)) { + domDataReadWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return domDataReadWriteTransaction.getIdentifier(); + } + return null; + } +} diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java new file mode 100644 index 00000000..911f5a48 --- /dev/null +++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java 
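Review bot: `put`, `merge` and `delete` silently skip the delegate call when `AuthzServiceImpl.isAuthorized` returns false and return normally, so a caller whose delete was refused sees no error, and a later `submit()` — gated only by the resource-independent `Submit` action — commits the remainder of the transaction as if every operation had been applied. A denied write should be surfaced rather than dropped; for `delete` that is `if (!AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, ActionType.Delete)) { throw new IllegalStateException("Unauthorized User"); }` ahead of the delegate call, with the same shape in `put` and `merge` (`IllegalStateException` is unchecked, so the `DOMDataReadWriteTransaction` signatures are untouched). `getIdentifier()` returning `null` when `GetIdentifier` is denied also deserves a second look, since a transaction identifier is normally what the broker and logs use to track the transaction — hedged, as the broker's use of it is outside this diff.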
@@ -0,0 +1,100 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.Map; +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.TransactionChainListener; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBrokerExtension; +import org.opendaylight.controller.md.sal.dom.api.DOMDataChangeListener; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMTransactionChain; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.BrokerService; +import org.opendaylight.yangtools.concepts.ListenerRegistration; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; + +/** + * Created by wdec on 26/08/2014. 
+ */ +public class AuthzDomDataBroker implements BrokerService, DOMDataBroker { + + private DOMDataBroker domDataBroker; + private Broker.ProviderSession providerSession; + + private volatile AuthenticationService authService; + + final static AuthzDomDataBroker INSTANCE = new AuthzDomDataBroker(); + + public static AuthzDomDataBroker getInstance() { + return INSTANCE; + } + + public void setDomDataBroker(DOMDataBroker domDataBroker) { + this.domDataBroker = domDataBroker; + } + + public void setProviderSession(Broker.ProviderSession providerSession) { + this.providerSession = providerSession; + } + + public void setAuthService(AuthenticationService authService) { + this.authService = authService; + } + + public AuthenticationService getAuthService() { + return this.authService; + } + + @Override + public DOMDataReadOnlyTransaction newReadOnlyTransaction() { + // new Authz transaction + inject real DOM Transaction + DOMDataReadOnlyTransaction ro = domDataBroker.newReadOnlyTransaction(); + + // return domDataBroker.newReadOnlyTransaction(); //Return original + return new AuthzReadOnlyTransaction(ro); + } + + @Override + public Map<Class<? 
extends DOMDataBrokerExtension>, DOMDataBrokerExtension> getSupportedExtensions() { + return domDataBroker.getSupportedExtensions(); + } + + @Override + public DOMDataReadWriteTransaction newReadWriteTransaction() { + // return new Authz transaction + inject real DOM Transaction + DOMDataReadWriteTransaction rw = domDataBroker.newReadWriteTransaction(); + return new AuthzDataReadWriteTransaction(rw); + } + + @Override + public DOMDataWriteTransaction newWriteOnlyTransaction() { + DOMDataWriteTransaction wo = domDataBroker.newWriteOnlyTransaction(); + return new AuthzWriteOnlyTransaction(wo); + } + + @Override + public ListenerRegistration<DOMDataChangeListener> registerDataChangeListener( + LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, + DOMDataChangeListener domDataChangeListener, DataChangeScope dataChangeScope) { + return domDataBroker.registerDataChangeListener(logicalDatastoreType, + yangInstanceIdentifier, domDataChangeListener, dataChangeScope); + } + + @Override + public DOMTransactionChain createTransactionChain( + TransactionChainListener transactionChainListener) { + return domDataBroker.createTransactionChain(transactionChainListener); + } +} diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java new file mode 100644 index 00000000..dbfea6ed --- /dev/null +++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java 
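Review bot: `registerDataChangeListener` and `createTransactionChain` delegate straight to the real `DOMDataBroker`, so neither path passes through the `Authz*Transaction` wrappers: a consumer can observe any subtree by registering a change listener on it, and a transaction chain hands back raw, unwrapped read and write transactions. At minimum the listener registration should be gated like a read, e.g. `if (!AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, ActionType.Read)) { throw new IllegalStateException("Unauthorized User"); }` ahead of the delegate call, and `createTransactionChain` needs a wrapping `DOMTransactionChain` that returns `Authz*Transaction` instances — no such class is in this diff. Until that lands, the class Javadoc should state the gap explicitly: `// NOTE: data-change listeners and transaction chains are NOT authorization-mediated`. The `domDataBroker` and `providerSession` fields are written from `onSessionInitiated` and read from arbitrary caller threads without `volatile` (unlike `authService`), and `INSTANCE` is package-private where `private` would do.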
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Broker.ProviderSession; +import org.opendaylight.controller.sal.core.api.BrokerService; +import org.opendaylight.controller.sal.core.spi.ForwardingProviderSession; + +/** + * Created by wdec on 28/08/2014. + */ +public class AuthzProviderContextImpl extends ForwardingProviderSession { + + private final Broker.ProviderSession realSession; + + public AuthzProviderContextImpl(Broker.ProviderSession providerSession, + AuthzBrokerImpl authzBroker) { + this.realSession = providerSession; + } + + @Override + protected ProviderSession delegate() { + // TODO Auto-generated method stub + return realSession; + } + + @Override + public <T extends BrokerService> T getService(Class<T> tClass) { + T t; + // Check for class and return Authz broker only for DOMBroker + if (tClass == DOMDataBroker.class) { + t = (T) AuthzDomDataBroker.getInstance(); + } else { + t = realSession.getService(tClass); + } + // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t); + return t; + } +} diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java new file mode 100644 index 00000000..c46ffe7c --- /dev/null +++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java 
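Review bot: `delegate()` still carries the IDE's `// TODO Auto-generated method stub` although the method is complete, and `getService` keeps the commented-out `setDomDataBroker` call as dead code; both should go, with `delegate()` documented as `// Forward everything except getService() to the real provider session`. The `(T) AuthzDomDataBroker.getInstance()` cast is unchecked and the `authzBroker` constructor argument is never stored — if it is reserved for later use say so in a comment, otherwise drop it from the signature. The identity test `tClass == DOMDataBroker.class` intercepts only requests for exactly that class, so every other `BrokerService` is returned unmediated; presumably intentional, but worth one sentence in the class Javadoc so the next reader does not assume broader coverage.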
@@ -0,0 +1,69 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.base.Optional; +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; + +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 28/08/2014. 
+ */ + +public class AuthzReadOnlyTransaction implements DOMDataReadOnlyTransaction { + + private final DOMDataReadOnlyTransaction ro; + + public AuthzReadOnlyTransaction(DOMDataReadOnlyTransaction ro) { + this.ro = ro; + } + + @Override + public void close() { + ro.close(); + } + + @Override + public CheckedFuture<Optional<NormalizedNode<?, ?>>, ReadFailedException> read( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Read)) { + return ro.read(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public CheckedFuture<Boolean, ReadFailedException> exists( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(ActionType.Exists)) { + return ro.exists(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return ro.getIdentifier(); + } + return null; + } +} diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java new file mode 100644 index 00000000..fb344812 --- /dev/null +++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java 
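Review bot: `exists()` calls the resource-agnostic `AuthzServiceImpl.isAuthorized(ActionType.Exists)`, whereas `read()` in this class and `exists()` in `AuthzDataReadWriteTransaction` use the three-argument overload that matches the policy's resource against the `YangInstanceIdentifier`; as written, a role holding an `Exists` policy for any single resource can probe the existence of every path through a read-only transaction. The guard should be `if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, ActionType.Exists)) {`. Note that the two overloads also differ in their fall-through default in this commit (the one-argument form denies when no policies are configured, the three-argument form allows), so the current line additionally makes `exists` behave differently from `read` in the no-policy case.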
@@ -0,0 +1,121 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.List; +import org.opendaylight.aaa.api.Authentication; +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.config.yang.config.aaa_authz.srv.Policies; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.AuthorizationResponseType; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; + +/** + * @author lmukkama Date: 9/2/14 + */ +public class AuthzServiceImpl { + + private static List<Policies> listPolicies; + + private static final String WILDCARD_TOKEN = "*"; + + public static boolean isAuthorized(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, ActionType actionType) { + + AuthorizationResponseType authorizationResponseType = AuthzServiceImpl.reqAuthorization( + actionType, logicalDatastoreType, yangInstanceIdentifier); + return authorizationResponseType.equals(AuthorizationResponseType.Authorized); + } + + public static boolean isAuthorized(ActionType actionType) { + AuthorizationResponseType authorizationResponseType = AuthzServiceImpl + .reqAuthorization(actionType); + return authorizationResponseType.equals(AuthorizationResponseType.Authorized); + } + + public static void setPolicies(List<Policies> policies) { + + AuthzServiceImpl.listPolicies = policies; + } + + public static AuthorizationResponseType reqAuthorization(ActionType actionType) { + + AuthenticationService authenticationService = 
AuthzDomDataBroker.getInstance() + .getAuthService(); + if (authenticationService != null && AuthzServiceImpl.listPolicies != null + && AuthzServiceImpl.listPolicies.size() > 0) { + Authentication authentication = authenticationService.get(); + if (authentication != null && authentication.roles() != null + && authentication.roles().size() > 0) { + return checkAuthorization(actionType, authentication); + } + } + return AuthorizationResponseType.NotAuthorized; + } + + public static AuthorizationResponseType reqAuthorization(ActionType actionType, + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + AuthenticationService authenticationService = AuthzDomDataBroker.getInstance() + .getAuthService(); + + if (authenticationService != null && AuthzServiceImpl.listPolicies != null + && AuthzServiceImpl.listPolicies.size() > 0) { + // Authentication Service exists. Can do authorization checks + Authentication authentication = authenticationService.get(); + + if (authentication != null && authentication.roles() != null + && authentication.roles().size() > 0) { + // Authentication claim object exists with atleast one role + return checkAuthorization(actionType, authentication, logicalDatastoreType, + yangInstanceIdentifier); + } + } + + return AuthorizationResponseType.Authorized; + } + + private static AuthorizationResponseType checkAuthorization(ActionType actionType, + Authentication authentication, LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + for (Policies policy : AuthzServiceImpl.listPolicies) { + + // Action type is compared as string, since its type is string in + // the config yang. 
Comparison is case insensitive + if (authentication.roles().contains(policy.getRole().getValue()) + && (policy.getResource().getValue().equals(WILDCARD_TOKEN) || policy + .getResource().getValue().equals(yangInstanceIdentifier.toString())) + && (policy.getAction().toLowerCase() + .equals(ActionType.Any.name().toLowerCase()) || actionType.name() + .toLowerCase().equals(policy.getAction().toLowerCase()))) { + + return AuthorizationResponseType.Authorized; + } + + } + + // For helium release we unauthorize other requests. + return AuthorizationResponseType.NotAuthorized; + } + + private static AuthorizationResponseType checkAuthorization(ActionType actionType, + Authentication authentication) { + + for (Policies policy : AuthzServiceImpl.listPolicies) { + if (authentication.roles().contains(policy.getRole().getValue()) + && (policy.getAction().equalsIgnoreCase(ActionType.Any.name()) || policy + .getAction().equalsIgnoreCase(actionType.name()))) { + return AuthorizationResponseType.Authorized; + } + } + return AuthorizationResponseType.NotAuthorized; + } +} diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java new file mode 100644 index 00000000..1123b928 --- /dev/null +++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java 
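Review bot: The three-argument `reqAuthorization` falls through to `AuthorizationResponseType.Authorized` when the authentication service is unset, no policies are configured, no `Authentication` is present, or the caller has no roles, while the one-argument overload returns `NotAuthorized` in exactly the same situations — so every resource-level `read`/`exists`/`put`/`merge`/`delete` check is fail-open by default while `submit`/`cancel` are fail-closed, and a request with no `Authentication` at all is granted full datastore access. The comment `// For helium release we unauthorize other requests.` indicates deny-by-default is the intent, so the last line of that method should be `return AuthorizationResponseType.NotAuthorized;`; if a permissive bootstrap before policies are loaded is deliberate, make it an explicit, logged branch rather than the silent default. `listPolicies` is a non-volatile static replaced wholesale by `setPolicies` and iterated from caller threads; marking it `volatile` and storing an unmodifiable copy gives readers a consistent snapshot. The resource match is an exact `equals` against `yangInstanceIdentifier.toString()`, so a policy on a parent path does not cover its children — if hierarchical policies are expected this needs a prefix match, but the intended policy model cannot be determined from here.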
@@ -0,0 +1,103 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; +import com.google.common.util.concurrent.ListenableFuture; + +import org.opendaylight.controller.md.sal.common.api.TransactionStatus; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.common.RpcResult; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 02/09/2014. 
+ */ +public class AuthzWriteOnlyTransaction implements DOMDataWriteTransaction { + + private final DOMDataWriteTransaction domDataWriteTransaction; + + public AuthzWriteOnlyTransaction(DOMDataWriteTransaction wo) { + this.domDataWriteTransaction = wo; + } + + @Override + public void put(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Put)) { + domDataWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public void merge(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Merge)) { + domDataWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public boolean cancel() { + if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) { + return domDataWriteTransaction.cancel(); + } + return false; + } + + @Override + public void delete(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Delete)) { + domDataWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier); + } + } + + @Override + public CheckedFuture<Void, TransactionCommitFailedException> submit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) { + return domDataWriteTransaction.submit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Deprecated + @Override + public ListenableFuture<RpcResult<TransactionStatus>> commit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) { + 
return domDataWriteTransaction.commit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return domDataWriteTransaction.getIdentifier(); + } + return null; + } +} |
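Review bot: `cancel()` is gated on the `Cancel` action and returns `false` without touching the delegate when the check fails, so a caller that was denied a write and then tries to abandon the transaction cannot release it and the underlying `DOMDataWriteTransaction` stays open; cancelling discards state rather than exposing it, so the method should probably always delegate (`return domDataWriteTransaction.cancel();`) — hedged, since `ActionType` does define `Cancel` and a policy author may rely on it. The `put`/`merge`/`delete` bodies duplicate `AuthzDataReadWriteTransaction` line for line, including the silent no-op on a denied write; a shared helper that performs the check and throws on denial would keep the two wrappers from drifting. The fixed `"Unauthorized User"` and `"Authorization Failed"` messages also tell the client nothing about which action or resource was refused, which makes policy debugging needlessly hard; including `actionType.name()` and the identifier in the message would help without leaking anything the caller did not already supply.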