From ba20dff39a897ff8dbd71260c42da923c9bdcf7a Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Mon, 12 Sep 2016 11:06:56 -0700 Subject: Move ODL-AAA-MOON under 'upstream' Directory Change-Id: Ie010fbe3899e151421940908dbe8675aade54e2d 
Signed-off-by: Trevor Bramwell (cherry picked from commit cf864337c13b4638c588badf3f589f9e39318c95) --- .../aaa/aaa-authz/aaa-authz-config/pom.xml | 43 +++++ .../src/main/resources/initial/08-authz-config.xml | 60 +++++++ .../aaa/aaa-authz/aaa-authz-model/pom.xml | 95 +++++++++++ .../src/main/yang/authorization-schema.yang | 190 +++++++++++++++++++++ .../aaa-authz/aaa-authz-restconf-config/pom.xml | 43 +++++ .../main/resources/initial/09-rest-connector.xml | 42 +++++ .../aaa/aaa-authz/aaa-authz-service/pom.xml | 152 +++++++++++++++++ .../aaa/authz/srv/AuthzBrokerImpl.java | 150 ++++++++++++++++ .../aaa/authz/srv/AuthzConsumerContextImpl.java | 46 +++++ .../authz/srv/AuthzDataReadWriteTransaction.java | 129 ++++++++++++++ .../aaa/authz/srv/AuthzDomDataBroker.java | 100 +++++++++++ .../aaa/authz/srv/AuthzProviderContextImpl.java | 47 +++++ .../aaa/authz/srv/AuthzReadOnlyTransaction.java | 69 ++++++++ .../aaa/authz/srv/AuthzServiceImpl.java | 121 +++++++++++++ .../aaa/authz/srv/AuthzWriteOnlyTransaction.java | 103 +++++++++++ .../yang/config/aaa_authz/srv/AuthzSrvModule.java | 76 +++++++++ .../aaa_authz/srv/AuthzSrvModuleFactory.java | 53 ++++++ .../src/main/yang/aaa-authz-service-impl.yang | 115 +++++++++++++ .../authz/srv/AuthzConsumerContextImplTest.java | 46 +++++ upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml | 23 +++ 20 files changed, 1703 insertions(+) create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml create mode 
100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java create mode 100644 upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml (limited to 'upstream/odl-aaa-moon/aaa/aaa-authz') 
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml new file mode 100644 index 00000000..42237e41 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml @@ -0,0 +1,43 @@ + + + 4.0.0 + + org.opendaylight.aaa + aaa-parent + 0.3.2-Beryllium-SR2 + ../../parent + + + authz-service-config + AuthZ Service Configuration files + jar + + + + org.codehaus.mojo + build-helper-maven-plugin + + + attach-artifacts + + attach-artifact + + package + + + + ${project.build.directory}/classes/initial/${config.authz.service.configfile} + xml + config + + + + + + + + + + diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml new file mode 100644 index 00000000..5b59ca20 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml @@ -0,0 +1,60 @@ + + + + + + + + + + + authz:aaa-authz-service + aaa-authz-service + + + dom:dom-broker-osgi-registry + dom-broker + + + + binding:binding-data-broker + binding-data-broker + + + + RestConfService + Any + * + admin + + + + + + + + dom:dom-broker-osgi-registry + + authz-connector-default + + /modules/module[type='aaa-authz-service'][name='aaa-authz-service'] + + + + + + + + + + + urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv?module=aaa-authz-service-impl&revision=2014-07-01 + + + diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml new file mode 100644 index 00000000..ee6108bd --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml 
@@ -0,0 +1,95 @@ + + + 4.0.0 + + + org.opendaylight.aaa + aaa-parent + 0.3.2-Beryllium-SR2 + ../../parent + + + aaa-authz-model + ${project.artifactId} + + + + org.opendaylight.mdsal + yang-binding + + + org.opendaylight.mdsal.model + ietf-inet-types + + + org.opendaylight.mdsal.model + ietf-yang-types + + + org.opendaylight.mdsal.model + yang-ext + + + + + + + org.apache.felix + maven-bundle-plugin + true + + + org.apache.maven.plugins + maven-javadoc-plugin + + maven + + + + + aggregate + + site + + + + + org.opendaylight.yangtools + yang-maven-plugin + ${yangtools.version} + + + + generate-sources + + + src/main/yang + + + + org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl + + ${salGeneratorPath} + + + true + + + + + + + org.opendaylight.mdsal + maven-sal-api-gen-plugin + ${yangtools.version} + jar + + + + + + bundle + + diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang new file mode 100644 index 00000000..2e0cf9cb --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang 
@@ -0,0 +1,190 @@ +module authorization-schema { + yang-version 1; + namespace "urn:aaa:yang:authz:ds"; + prefix "authz"; + organization "TBD"; + + contact "wdec@cisco.com"; + + revision 2014-07-22 { + description + "Initial revision."; + } + + //Main module begins + + //TODO: Refactor service type as URI + + //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly + //the naming will derive from the OSGi bundle name of the AuthZ requesting party. + + typedef service-type { + type string; + } + + //Resource denotes the actual resource that is the subject of the AuthZ request. + + typedef resource-type { + type string; + default "*"; + + //Examples of resources: + //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1 + //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/* + //RPC: /operations/example-ops:reboot + //Wildcarded RPC: /operations/example-ops:* + //Notification: /notifications/example-ops:startup + } + + //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin" + + typedef role-type { + type string; + } + + //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com + + typedef domain-type { + type string; + } + + //Action denotes the requested AuthZ action on the resource + //TODO: Refactor as identities to allow for augmentation. 
+ + typedef action-type { + type enumeration { + enum put; + enum commit; + enum exists; + enum getIdentifier; + enum read; + enum cancel; + enum submit; + enum delete; + enum merge; + enum any; + } + default "any"; + } + + typedef authorization-response-type { + type enumeration { + enum not-authorized { value 0; } + enum authorized { value 1; } + } + } + + typedef authorization-duration-type { + type uint32; + } + + // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action. + // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both? + + grouping authorization-grp { + list policies { + key "service"; + leaf service { + type service-type; + } + leaf action { + type action-type; + } + leaf resource { + type resource-type; + mandatory true; + } + leaf role { + type role-type; + mandatory true; + } + leaf authorization { + type authorization-response-type; + } + } + } + + // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action. + + container simple-authorization { + uses authorization-grp; + } + + // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain, + // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain. + // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com. 
+ + + container domain-authorization { + list domains { + key "domain-name"; + leaf domain-name { + type domain-type; + } + uses authorization-grp; + list authz-domain-chain { + key "priority"; + leaf priority { + type uint32; + } + leaf domain-name { + type leafref { + path "/additional-domain-authz/domains/domain-name"; + } + } + } + } +} + +container additional-domain-authz { + list domains { + key "domain-name"; + leaf domain-name { + type domain-type; + } + uses authorization-grp; + } + } + + + + /* The following is the AuthZ RPC definition */ + + rpc req-authorization { + description + "Check Authorization for a given combination of action and role. + A not-authorized will be returned if unsuccessful."; + + input { + leaf domain-name { + type domain-type; + } + leaf service { + type service-type; + } + leaf action { + type action-type; + mandatory true; + } + + leaf resource { + type resource-type; + mandatory true; + } + leaf role { + type role-type; + mandatory true; + } + + } + + output { + + leaf authorization-response { + type authorization-response-type; + mandatory true; + } + + } + } +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml new file mode 100644 index 00000000..6104be4b --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml @@ -0,0 +1,43 @@ + + + 4.0.0 + + org.opendaylight.aaa + aaa-parent + 0.3.2-Beryllium-SR2 + ../../parent + + + authz-restconf-config + + AuthZ Restconf Connector Configuration file + jar + + + + org.codehaus.mojo + build-helper-maven-plugin + + + attach-artifacts + + attach-artifact + + package + + + + ${project.build.directory}/classes/initial/${config.restconf.configfile} + xml + config + + + + + + + + + 
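Review bot: The comment above `grouping authorization-grp` says the policies list is "dual keyed by service and action", but the list declares `key "service";` only, so each service can hold exactly one policy row regardless of action; either the key should become `key "service action";` or the comment should describe the single key, and the same wording is repeated above `container simple-authorization`. `leaf authorization` in the grouping has neither `mandatory true` nor a `default`, so a policy row may omit its decision; how AuthzServiceImpl treats an absent leaf is not visible in this commit and is worth stating in the leaf's `description`. Indentation also drifts around `container additional-domain-authz`, which is opened at column 0 inside the module while its closing brace is indented.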
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml new file mode 100644 index 00000000..deba6558 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml @@ -0,0 +1,42 @@ + + + + + + + + + rest:rest-connector-impl + rest-connector-default-impl + 8185 + + dom:dom-broker-osgi-registry + authz-connector-default + + + + + + + rest:rest-connector + + rest-connector-default + + /modules/module[type='rest-connector-impl'][name='rest-connector-default-impl'] + + + + + + + + + urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector?module=opendaylight-rest-connector&revision=2014-07-24 + + diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml new file mode 100644 index 00000000..2c150ce7 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml 
@@ -0,0 +1,152 @@ + + + + + + org.opendaylight.aaa + aaa-parent + 0.3.2-Beryllium-SR2 + ../../parent + + 4.0.0 + + aaa-authz-service + bundle + + + + org.opendaylight.controller + sal-binding-util + + + org.opendaylight.controller + sal-common-util + + + org.opendaylight.yangtools + yang-data-api + + + commons-codec + commons-codec + + + org.opendaylight.controller + sal-binding-api + + + org.opendaylight.controller + config-api + + + org.opendaylight.controller + sal-binding-config + + + org.opendaylight.aaa + aaa-authz-model + + + org.opendaylight.aaa + aaa-authn-api + + + org.opendaylight.controller + sal-core-api + + + org.opendaylight.controller + sal-core-spi + + + org.jboss.resteasy + jaxrs-api + provided + + + + + junit + junit + test + + + org.mockito + mockito-all + test + + + org.slf4j + slf4j-simple + test + + + + + + + + org.apache.felix + maven-bundle-plugin + true + + + + org.opendaylight.aaa.config.yang.aaa_srv, + + + + + + org.opendaylight.yangtools + yang-maven-plugin + ${yangtools.version} + + + config + + generate-sources + + + + + + org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator + + ${jmxGeneratorPath} + + + urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang + + + + + org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl + ${salGeneratorPath} + + + true + + + + + + org.opendaylight.controller + yang-jmx-generator-plugin + ${config.version} + + + org.opendaylight.mdsal + maven-sal-api-gen-plugin + ${yangtools.version} + + + + + + + diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java new file mode 100644 index 00000000..d4ac79af --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java 
@@ -0,0 +1,150 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.Collection; + +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Consumer; +import org.opendaylight.controller.sal.core.api.Provider; +import org.osgi.framework.BundleContext; + +/** + * Created by wdec on 26/08/2014. + */ +public class AuthzBrokerImpl implements Broker, AutoCloseable, Provider { + + private Broker broker; + private ProviderSession providerSession; + private AuthenticationService authenticationService; + + public void setBroker(Broker broker) { + this.broker = broker; + } + + @Override + public void close() throws Exception { + + } + + // Implements AuthzBroker handling of registering consumers or providers. 
+ @Override + public ConsumerSession registerConsumer(Consumer consumer) { + + ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer)); + AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession, + this); + consumer.onSessionInitiated(authzConsumerContext); + return authzConsumerContext; + } + + @Override + public ConsumerSession registerConsumer(Consumer consumer, BundleContext bundleContext) { + + ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer), + bundleContext); + AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession, + this); + consumer.onSessionInitiated(authzConsumerContext); + return authzConsumerContext; + } + + @Override + public ProviderSession registerProvider(Provider provider) { + + ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider)); + AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession, + this); + provider.onSessionInitiated(authzProviderContext); + return authzProviderContext; + } + + @Override + public ProviderSession registerProvider(Provider provider, BundleContext bundleContext) { + + // Allow the real broker to do its thing, while providing a wrapped + // callback + ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider), + bundleContext); + + // Create Authz ProviderContext + AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession, + this); + + // Run onsessionInitiated on injected provider with the AuthZ provider + // context. 
+ provider.onSessionInitiated(authzProviderContext); + return authzProviderContext; + + } + + // Handle the AuthZBroker registration with the real broker + @Override + public void onSessionInitiated(ProviderSession providerSession) { + + // Get now the real DOMDataBroker and register it with the + // AuthzDOMBroker together with the provider session + final DOMDataBroker domDataBroker = providerSession.getService(DOMDataBroker.class); + AuthzDomDataBroker.getInstance().setProviderSession(providerSession); + AuthzDomDataBroker.getInstance().setDomDataBroker(domDataBroker); + AuthzDomDataBroker.getInstance().setAuthService(this.authenticationService); + } + + @Override + public Collection getProviderFunctionality() { + return null; + } + + public void setAuthenticationService(AuthenticationService authenticationService) { + this.authenticationService = authenticationService; + } + + // Wrapper for Provider + + public static class ProviderWrapper implements Provider { + private final Provider provider; + + public ProviderWrapper(Provider provider) { + this.provider = provider; + } + + @Override + public void onSessionInitiated(ProviderSession providerSession) { + // Do a Noop when the real broker calls back + } + + @Override + public Collection getProviderFunctionality() { + // Allow the RestconfImpl to respond to this + return provider.getProviderFunctionality(); + } + } + + // Wrapper for Consumer + public static class ConsumerWrapper implements Consumer { + + private final Consumer consumer; + + public ConsumerWrapper(Consumer consumer) { + this.consumer = consumer; + } + + @Override + public void onSessionInitiated(ConsumerSession consumerSession) { + // Do a Noop when the real broker calls back + } + + @Override + public Collection getConsumerFunctionality() { + return consumer.getConsumerFunctionality(); + } + } +} 
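Review bot: `getProviderFunctionality()` returns `null` where the `Broker` API expects a collection, so a caller iterating this provider's functionality set hits a NullPointerException; `return Collections.emptySet();` (with `import java.util.Collections;`) keeps the contract, and the raw `Collection` should carry its type argument. The `providerSession` field is declared but never written — `onSessionInitiated` copies its parameter into the `AuthzDomDataBroker` singleton instead — so it is dead and should be removed or assigned there. Because `onSessionInitiated` snapshots `this.authenticationService` into the singleton at registration time, the singleton is left with a null auth service if `setAuthenticationService` is called after the provider is registered; the wiring in AuthzSrvModule is not in view here, so the call order is worth confirming. `close()` is empty, which is acceptable only if the wrapped registrations are released elsewhere, and a one-line comment saying so would help the next reader.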
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java new file mode 100644 index 00000000..07ba51cd --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Broker.ConsumerSession; +import org.opendaylight.controller.sal.core.api.BrokerService; +import org.opendaylight.controller.sal.core.spi.ForwardingConsumerSession; + +/** + * Created by wdec on 28/08/2014. + */ +public class AuthzConsumerContextImpl extends ForwardingConsumerSession { + + private final Broker.ConsumerSession realSession; + + public AuthzConsumerContextImpl(Broker.ConsumerSession realSession, AuthzBrokerImpl authzBroker) { + this.realSession = realSession; + } + + @Override + protected ConsumerSession delegate() { + return realSession; + } + + @Override + public T getService(Class tClass) { + T t; + // Check for class and return Authz broker only for DOMBroker + if (tClass == DOMDataBroker.class) { + t = (T) AuthzDomDataBroker.getInstance(); + } else { + t = realSession.getService(tClass); + } + // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t); + return t; + } + +} 
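Review bot: `getService` casts the `AuthzDomDataBroker` singleton to `T` with an unchecked cast; since that branch runs only when `tClass == DOMDataBroker.class`, `t = tClass.cast(AuthzDomDataBroker.getInstance());` expresses the same thing as a checked cast with no warning. The `authzBroker` constructor parameter is accepted and dropped, so either store it in a field or remove it from the signature. The commented-out `setDomDataBroker` line should be deleted rather than kept as a reminder. AuthzProviderContextImpl in this same commit has the identical `getService` body and unused parameter, and its `delegate()` still carries an `// TODO Auto-generated method stub` comment that no longer applies.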
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java new file mode 100644 index 00000000..4cc232bc --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java 
@@ -0,0 +1,129 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.base.Optional; +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; +import com.google.common.util.concurrent.ListenableFuture; + +import org.opendaylight.controller.md.sal.common.api.TransactionStatus; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException; +import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.common.RpcResult; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 26/08/2014. 
+ */ +public class AuthzDataReadWriteTransaction implements DOMDataReadWriteTransaction { + + private final DOMDataReadWriteTransaction domDataReadWriteTransaction; + + public AuthzDataReadWriteTransaction(DOMDataReadWriteTransaction domDataReadWriteTransaction) { + this.domDataReadWriteTransaction = domDataReadWriteTransaction; + } + + @Override + public boolean cancel() { + if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) { + return domDataReadWriteTransaction.cancel(); + } + return false; + } + + @Override + public void delete(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Delete)) { + domDataReadWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier); + } + } + + @Override + public CheckedFuture submit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) { + return domDataReadWriteTransaction.submit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Deprecated + @Override + public ListenableFuture> commit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) { + return domDataReadWriteTransaction.commit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public CheckedFuture>, ReadFailedException> read( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Read)) { + return domDataReadWriteTransaction.read(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public 
CheckedFuture exists( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Exists)) { + return domDataReadWriteTransaction.exists(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public void put(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Put)) { + domDataReadWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public void merge(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Merge)) { + domDataReadWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return domDataReadWriteTransaction.getIdentifier(); + } + return null; + } +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java new file mode 100644 index 00000000..911f5a48 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java 
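Review bot: `delete`, `put` and `merge` drop the operation silently when `isAuthorized` returns false; because they return `void`, the caller cannot tell a denied write from an applied one, and a later `submit()` (which checks only `ActionType.Submit`, not the denied path) commits the remaining operations as if the whole transaction had succeeded. Recording the denial in the transaction and failing `submit()`/`commit()` when it is set makes a refused write visible at the point the caller already handles failure. `cancel()` returning `false` when the user is not authorized for `ActionType.Cancel` also leaves the wrapped transaction open, which is a resource leak on the real broker; whether denying cancel is intended at all is worth a comment. `getIdentifier()` returning `null` on denial is the same pattern and should at least be documented.
```java
    private final DOMDataReadWriteTransaction domDataReadWriteTransaction;
    // Set when any write on this transaction is refused by AuthzServiceImpl;
    // submit()/commit() then fail instead of committing a partial change set.
    private volatile boolean writeDenied;

    // … unchanged: constructor, cancel(), read(), exists(), getIdentifier() …

    @Override
    public void delete(LogicalDatastoreType logicalDatastoreType,
            YangInstanceIdentifier yangInstanceIdentifier) {
        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
                ActionType.Delete)) {
            domDataReadWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier);
        } else {
            writeDenied = true;
        }
    }

    // … put() and merge(): same else branch setting writeDenied …

    @Override
    public CheckedFuture<Void, TransactionCommitFailedException> submit() {
        if (!writeDenied && AuthzServiceImpl.isAuthorized(ActionType.Submit)) {
            return domDataReadWriteTransaction.submit();
        }
        TransactionCommitFailedException e = new TransactionCommitFailedException(
                "Unauthorized User");
        return Futures.immediateFailedCheckedFuture(e);
    }

    // … commit(): same !writeDenied guard …
```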
@@ -0,0 +1,100 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.Map; +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.TransactionChainListener; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBrokerExtension; +import org.opendaylight.controller.md.sal.dom.api.DOMDataChangeListener; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMTransactionChain; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.BrokerService; +import org.opendaylight.yangtools.concepts.ListenerRegistration; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; + +/** + * Created by wdec on 26/08/2014. 
+ */ +public class AuthzDomDataBroker implements BrokerService, DOMDataBroker { + + private DOMDataBroker domDataBroker; + private Broker.ProviderSession providerSession; + + private volatile AuthenticationService authService; + + final static AuthzDomDataBroker INSTANCE = new AuthzDomDataBroker(); + + public static AuthzDomDataBroker getInstance() { + return INSTANCE; + } + + public void setDomDataBroker(DOMDataBroker domDataBroker) { + this.domDataBroker = domDataBroker; + } + + public void setProviderSession(Broker.ProviderSession providerSession) { + this.providerSession = providerSession; + } + + public void setAuthService(AuthenticationService authService) { + this.authService = authService; + } + + public AuthenticationService getAuthService() { + return this.authService; + } + + @Override + public DOMDataReadOnlyTransaction newReadOnlyTransaction() { + // new Authz transaction + inject real DOM Transaction + DOMDataReadOnlyTransaction ro = domDataBroker.newReadOnlyTransaction(); + + // return domDataBroker.newReadOnlyTransaction(); //Return original + return new AuthzReadOnlyTransaction(ro); + } + + @Override + public Map, DOMDataBrokerExtension> getSupportedExtensions() { + return domDataBroker.getSupportedExtensions(); + } + + @Override + public DOMDataReadWriteTransaction newReadWriteTransaction() { + // return new Authz transaction + inject real DOM Transaction + DOMDataReadWriteTransaction rw = domDataBroker.newReadWriteTransaction(); + return new AuthzDataReadWriteTransaction(rw); + } + + @Override + public DOMDataWriteTransaction newWriteOnlyTransaction() { + DOMDataWriteTransaction wo = domDataBroker.newWriteOnlyTransaction(); + return new AuthzWriteOnlyTransaction(wo); + } + + @Override + public ListenerRegistration registerDataChangeListener( + LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, + DOMDataChangeListener domDataChangeListener, DataChangeScope dataChangeScope) { + return 
domDataBroker.registerDataChangeListener(logicalDatastoreType, + yangInstanceIdentifier, domDataChangeListener, dataChangeScope); + } + + @Override + public DOMTransactionChain createTransactionChain( + TransactionChainListener transactionChainListener) { + return domDataBroker.createTransactionChain(transactionChainListener); + } +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java new file mode 100644 index 00000000..dbfea6ed --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java 
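Review bot: `createTransactionChain` and `registerDataChangeListener` pass the caller straight through to the real `DOMDataBroker`, so transactions obtained from a chain are unwrapped and skip every `AuthzServiceImpl.isAuthorized` check that the three `new*Transaction()` methods apply, and a change listener is delivered data for a path that `read` on this broker would refuse. The listener path can reuse the resource-scoped check the transactions use, `if (!AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, ActionType.Read)) { throw new IllegalStateException("Authorization Failed"); }` (an unchecked exception, since `ListenerRegistration` has no failed-future form; `ActionType` needs importing here as in the transaction classes). The chain needs a small `DOMTransactionChain` wrapper whose `newReadOnlyTransaction`/`newReadWriteTransaction`/`newWriteOnlyTransaction` return the three Authz wrappers, mirroring this class. `INSTANCE` is package-private and `domDataBroker` is only set post-construction, so any call before `setDomDataBroker` throws NullPointerException; the startup order is not visible here, so a `Objects.requireNonNull` with a message or a class comment stating the wiring contract would help. `providerSession` is stored but never read.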
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Broker.ProviderSession; +import org.opendaylight.controller.sal.core.api.BrokerService; +import org.opendaylight.controller.sal.core.spi.ForwardingProviderSession; + +/** + * Created by wdec on 28/08/2014. + */ +public class AuthzProviderContextImpl extends ForwardingProviderSession { + + private final Broker.ProviderSession realSession; + + public AuthzProviderContextImpl(Broker.ProviderSession providerSession, + AuthzBrokerImpl authzBroker) { + this.realSession = providerSession; + } + + @Override + protected ProviderSession delegate() { + // TODO Auto-generated method stub + return realSession; + } + + @Override + public T getService(Class tClass) { + T t; + // Check for class and return Authz broker only for DOMBroker + if (tClass == DOMDataBroker.class) { + t = (T) AuthzDomDataBroker.getInstance(); + } else { + t = realSession.getService(tClass); + } + // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t); + return t; + } +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java new file mode 100644 index 00000000..c46ffe7c --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java 
@@ -0,0 +1,69 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.base.Optional; +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; + +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 28/08/2014. 
+ */ + +public class AuthzReadOnlyTransaction implements DOMDataReadOnlyTransaction { + + private final DOMDataReadOnlyTransaction ro; + + public AuthzReadOnlyTransaction(DOMDataReadOnlyTransaction ro) { + this.ro = ro; + } + + @Override + public void close() { + ro.close(); + } + + @Override + public CheckedFuture>, ReadFailedException> read( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Read)) { + return ro.read(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public CheckedFuture exists( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(ActionType.Exists)) { + return ro.exists(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return ro.getIdentifier(); + } + return null; + } +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java new file mode 100644 index 00000000..fb344812 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java 
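Review bot: `exists()` authorizes with the single-argument `isAuthorized(ActionType.Exists)`, so unlike `read()` it never consults the datastore type or path; a role whose resource policy denies Read on a path can still learn whether that path holds data. The check should use the resource-aware overload, `if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, ActionType.Exists)) {`. `getIdentifier()` returns `null` on denial, which callers of a transaction identifier are unlikely to expect; consider delegating unconditionally or documenting the null. Denials in this class produce a failed future but no log line, so there is no audit trail of rejected reads.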
@@ -0,0 +1,121 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.List; +import org.opendaylight.aaa.api.Authentication; +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.config.yang.config.aaa_authz.srv.Policies; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.AuthorizationResponseType; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; + +/** + * @author lmukkama Date: 9/2/14 + */ +public class AuthzServiceImpl { + + private static List listPolicies; + + private static final String WILDCARD_TOKEN = "*"; + + public static boolean isAuthorized(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, ActionType actionType) { + + AuthorizationResponseType authorizationResponseType = AuthzServiceImpl.reqAuthorization( + actionType, logicalDatastoreType, yangInstanceIdentifier); + return authorizationResponseType.equals(AuthorizationResponseType.Authorized); + } + + public static boolean isAuthorized(ActionType actionType) { + AuthorizationResponseType authorizationResponseType = AuthzServiceImpl + .reqAuthorization(actionType); + return authorizationResponseType.equals(AuthorizationResponseType.Authorized); + } + + public static void setPolicies(List policies) { + + AuthzServiceImpl.listPolicies = policies; + } + + public static AuthorizationResponseType reqAuthorization(ActionType actionType) { + + AuthenticationService authenticationService = 
AuthzDomDataBroker.getInstance() + .getAuthService(); + if (authenticationService != null && AuthzServiceImpl.listPolicies != null + && AuthzServiceImpl.listPolicies.size() > 0) { + Authentication authentication = authenticationService.get(); + if (authentication != null && authentication.roles() != null + && authentication.roles().size() > 0) { + return checkAuthorization(actionType, authentication); + } + } + return AuthorizationResponseType.NotAuthorized; + } + + public static AuthorizationResponseType reqAuthorization(ActionType actionType, + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + AuthenticationService authenticationService = AuthzDomDataBroker.getInstance() + .getAuthService(); + + if (authenticationService != null && AuthzServiceImpl.listPolicies != null + && AuthzServiceImpl.listPolicies.size() > 0) { + // Authentication Service exists. Can do authorization checks + Authentication authentication = authenticationService.get(); + + if (authentication != null && authentication.roles() != null + && authentication.roles().size() > 0) { + // Authentication claim object exists with atleast one role + return checkAuthorization(actionType, authentication, logicalDatastoreType, + yangInstanceIdentifier); + } + } + + return AuthorizationResponseType.Authorized; + } + + private static AuthorizationResponseType checkAuthorization(ActionType actionType, + Authentication authentication, LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + for (Policies policy : AuthzServiceImpl.listPolicies) { + + // Action type is compared as string, since its type is string in + // the config yang. 
Comparison is case insensitive + if (authentication.roles().contains(policy.getRole().getValue()) + && (policy.getResource().getValue().equals(WILDCARD_TOKEN) || policy + .getResource().getValue().equals(yangInstanceIdentifier.toString())) + && (policy.getAction().toLowerCase() + .equals(ActionType.Any.name().toLowerCase()) || actionType.name() + .toLowerCase().equals(policy.getAction().toLowerCase()))) { + + return AuthorizationResponseType.Authorized; + } + + } + + // For helium release we unauthorize other requests. + return AuthorizationResponseType.NotAuthorized; + } + + private static AuthorizationResponseType checkAuthorization(ActionType actionType, + Authentication authentication) { + + for (Policies policy : AuthzServiceImpl.listPolicies) { + if (authentication.roles().contains(policy.getRole().getValue()) + && (policy.getAction().equalsIgnoreCase(ActionType.Any.name()) || policy + .getAction().equalsIgnoreCase(actionType.name()))) { + return AuthorizationResponseType.Authorized; + } + } + return AuthorizationResponseType.NotAuthorized; + } +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java new file mode 100644 index 00000000..1123b928 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java 
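Review bot: The three-argument `reqAuthorization` falls back to `AuthorizationResponseType.Authorized` when the authentication service is absent, the policy list is null or empty, or the claim has no roles, while the one-argument overload returns `NotAuthorized` in exactly the same situations; this is the path guarding every datastore read and write, so missing AuthN wiring or an empty policy list means fail-open. Unless that is intended, change the final return to `return AuthorizationResponseType.NotAuthorized;`, and if it is intended, say so in a comment above it rather than leaving the two overloads to disagree silently. Resource matching in `checkAuthorization` is exact equality of `policy.getResource().getValue()` with `yangInstanceIdentifier.toString()`, so a policy on a parent path does not cover its children and the match depends on the identifier's string form; that deserves a comment on the line at minimum. `listPolicies` is a plain static written by `setPolicies` from the config thread and read from transaction threads, so making it `volatile` (or storing an unmodifiable snapshot) would be prudent — I can't see from here whether the config subsystem guarantees a happens-before. `policy.getAction()`, `getRole()` and `getResource()` are dereferenced without null checks although the yang leaves in this commit are not marked mandatory, so a policy entry missing one of them throws an NPE from inside the authorization check.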
@@ -0,0 +1,103 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; +import com.google.common.util.concurrent.ListenableFuture; + +import org.opendaylight.controller.md.sal.common.api.TransactionStatus; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.common.RpcResult; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 02/09/2014. 
+ */ +public class AuthzWriteOnlyTransaction implements DOMDataWriteTransaction { + + private final DOMDataWriteTransaction domDataWriteTransaction; + + public AuthzWriteOnlyTransaction(DOMDataWriteTransaction wo) { + this.domDataWriteTransaction = wo; + } + + @Override + public void put(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Put)) { + domDataWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public void merge(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Merge)) { + domDataWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public boolean cancel() { + if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) { + return domDataWriteTransaction.cancel(); + } + return false; + } + + @Override + public void delete(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Delete)) { + domDataWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier); + } + } + + @Override + public CheckedFuture submit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) { + return domDataWriteTransaction.submit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Deprecated + @Override + public ListenableFuture> commit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) { + return domDataWriteTransaction.commit(); + } + TransactionCommitFailedException 
e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return domDataWriteTransaction.getIdentifier(); + } + return null; + } +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java new file mode 100644 index 00000000..a590b982 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java 
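Review bot: `put`, `merge` and `delete` silently discard the operation when `isAuthorized` returns false — no exception, no log — so the caller proceeds as if the write happened and a later authorized `submit()` commits a transaction that is missing those changes. The denied branch should fail loudly, e.g. `throw new SecurityException("Not authorized to put " + yangInstanceIdentifier);` (or whatever unchecked type the project prefers), and log the denial at WARN with the action and path so rejected writes are auditable. `cancel()` has the same problem in a smaller form: returning `false` on denial leaves the transaction open without telling the caller why. The two `"Unauthorized User"` failures in `submit()` and `commit()` are the only denials that reach the caller, which leaves the write path inconsistent with itself.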
@@ -0,0 +1,76 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.controller.config.yang.config.aaa_authz.srv; + +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.aaa.authz.srv.AuthzBrokerImpl; +import org.opendaylight.aaa.authz.srv.AuthzServiceImpl; +import org.osgi.framework.BundleContext; +import org.osgi.framework.ServiceReference; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class AuthzSrvModule extends + org.opendaylight.controller.config.yang.config.aaa_authz.srv.AbstractAuthzSrvModule { + private static final Logger LOG = LoggerFactory.getLogger(AuthzSrvModule.class); + private static boolean simple_config_switch; + private BundleContext bundleContext; + + public AuthzSrvModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, + org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) { + super(identifier, dependencyResolver); + } + + public AuthzSrvModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, + org.opendaylight.controller.config.api.DependencyResolver dependencyResolver, + org.opendaylight.controller.config.yang.config.aaa_authz.srv.AuthzSrvModule oldModule, + java.lang.AutoCloseable oldInstance) { + super(identifier, dependencyResolver, oldModule, oldInstance); + } + + @Override + public void customValidation() { + // checkNotNull(getDomBroker(), domBrokerJmxAttribute); + } + + @Override + public java.lang.AutoCloseable createInstance() { + + // Get new AuthZ Broker + final AuthzBrokerImpl authzBrokerImpl = new AuthzBrokerImpl(); + + // Provide real broker to the new Authz broker + authzBrokerImpl.setBroker(getDomBrokerDependency()); + + // Get 
AuthN service reference and register it with the authzBroker + ServiceReference authServiceReference = bundleContext + .getServiceReference(AuthenticationService.class); + AuthenticationService as = bundleContext.getService(authServiceReference); + authzBrokerImpl.setAuthenticationService(as); + + // Set the policies list to authz serviceimpl + AuthzServiceImpl.setPolicies(getPolicies()); + + // Register AuthZ broker with the real Broker as a provider; triggers + // "onSessionInitiated" in AuthzBrokerImpl + getDomBrokerDependency().registerProvider(authzBrokerImpl); + // TODO ActionType is of type string, not ENUM due to improper + // serialization of ENUMs by config/netconf subsystem. This needs to be + // fixed as soon as config/netconf fixes the problem. + getAction(); + + LOG.info("AuthZ Service Initialized from Config subsystem"); + return authzBrokerImpl; + + } + + public void setBundleContext(BundleContext bundleContext) { + this.bundleContext = bundleContext; + } +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java new file mode 100644 index 00000000..3ff67f54 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java 
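Review bot: `createInstance()` passes the result of `bundleContext.getServiceReference(AuthenticationService.class)` straight to `getService()` and `setAuthenticationService()` without a null check, so if the AuthN service is not registered when this module starts, `getService` is handed a null reference (which, depending on the framework, throws or yields null) and the broker is left without an authentication service; combined with the three-argument `reqAuthorization` in this commit returning `Authorized` whenever that service is null, a missing AuthN bundle turns the authorization layer into a pass-through. Guard it, e.g. `if (authServiceReference == null) { throw new IllegalStateException("AuthenticationService is not available; refusing to start AuthZ"); }`, or move the requirement into `customValidation()`, which is currently empty. The service obtained is never released with `ungetService`, the `getAction();` result after `registerProvider` is discarded, and the static `simple_config_switch` field is never read.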
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+/*
+ * Generated file
+ *
+ * Generated from: yang module name: aaa-authz-service-impl yang module local name: aaa-authz-service
+ * Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
+ * Generated at: Thu Jul 24 11:19:40 CEST 2014
+ *
+ * Do not modify this file unless it is present under src/main directory
+ */
+package org.opendaylight.controller.config.yang.config.aaa_authz.srv;
+
+import org.opendaylight.controller.config.api.DependencyResolver;
+import org.opendaylight.controller.config.api.DynamicMBeanWithInstance;
+import org.opendaylight.controller.config.spi.Module;
+import org.osgi.framework.BundleContext;
+
+public class AuthzSrvModuleFactory extends
+ org.opendaylight.controller.config.yang.config.aaa_authz.srv.AbstractAuthzSrvModuleFactory {
+
+ @Override
+ public org.opendaylight.controller.config.spi.Module createModule(String instanceName,
+ org.opendaylight.controller.config.api.DependencyResolver dependencyResolver,
+ org.osgi.framework.BundleContext bundleContext) {
+
+ final AuthzSrvModule module = (AuthzSrvModule) super.createModule(instanceName,
+ dependencyResolver, bundleContext);
+
+ module.setBundleContext(bundleContext);
+
+ return module;
+
+ }
+
+ @Override
+ public Module createModule(final String instanceName,
+ final DependencyResolver dependencyResolver, final DynamicMBeanWithInstance old,
+ final BundleContext bundleContext) throws Exception {
+ final AuthzSrvModule module = (AuthzSrvModule) super.createModule(instanceName,
+ dependencyResolver, old, bundleContext);
+
+ module.setBundleContext(bundleContext);
+
+ return module;
+ }
+}
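Review bot: The two `createModule` overloads name the same types differently — the first spells out `org.opendaylight.controller.config.spi.Module`, `org.opendaylight.controller.config.api.DependencyResolver` and `org.osgi.framework.BundleContext` in full although all three are imported at the top of the file, while the second uses the short names and `final` parameters. Use the imported names and `final` in both so the overloads read alike. The header says the file is generated, so a one-line comment marking the `setBundleContext` calls as the hand-added part would help whoever regenerates it.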
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang new file mode 100644 index 00000000..954d0480 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang 
@@ -0,0 +1,115 @@ +module aaa-authz-service-impl { + + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv"; + prefix "aaa-authz-srv-impl"; + + import config { prefix config; revision-date 2013-04-05; } + import rpc-context { prefix rpcx; revision-date 2013-06-17; } + import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; } + import opendaylight-md-sal-dom {prefix dom;} + import authorization-schema { prefix authzs; revision-date 2014-07-22; } + import ietf-inet-types {prefix inet; revision-date 2010-09-24;} + + description + "This module contains the base YANG definitions for + AuthZ implementation."; + + revision "2014-07-01" { + description + "Initial revision."; + } + + + // This is the definition of the service implementation as a module identity. + identity aaa-authz-service { + base config:module-type; + // Specifies the prefix for generated java classes. + config:java-name-prefix AuthzSrv; + config:provided-service dom:dom-broker-osgi-registry; + } + + // Augments the 'configuration' choice node under modules/module. + + augment "/config:modules/config:module/config:configuration" { + case aaa-authz-service { + when "/config:modules/config:module/config:type = 'aaa-authz-service'"; + +//Defines reference to the intended broker under the AuthZ broker + + container dom-broker { + uses config:service-ref { + refine type { + mandatory true; + config:required-identity dom:dom-broker-osgi-registry; + } + } + } + + container data-broker { + uses config:service-ref { + refine type { + mandatory true; + config:required-identity mdsal:binding-data-broker; + + } + } + } + +//Simple Authz data leafs: + + leaf authz-role { + type string; + } + leaf service { + type authzs:service-type; + } + + // ENUMs cannot be used right now (config subsystem + netconf cannot properly serialize enums), using strings instead + // In the generated module use Enum.valueOf from that string. 
+ // Expected values are following strnigs: create, read, update, delete, execute, subscribe, any; + leaf action { + type string; + description "String representation of enum authzs:action-type expecting following values create, read, update, delete, execute, subscribe, any"; + //type authzs:action-type; + + } + leaf resource { + type authzs:resource-type; + + } + leaf role { + type authzs:role-type; + } + + + + //TODO: Check why uses below doesn't make the outer list be part of the source name-space in yang code generator. + //uses authzs:authorization-grp; + list policies { + key "service"; + leaf service { + type authzs:service-type; + } + // Grouping uses ENUMs and enums are not correctly serialized in Config + Netconf + // Same as with action one level ip + leaf action { + type string; + description "String representation of enum authzs:action-type expecting following values create, read, update, delete, execute, subscribe, any"; + //type authzs:action-type; + } + leaf resource { + type authzs:resource-type; + + } + leaf role { + type authzs:role-type; + + } + } + + + } + } + +} diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java new file mode 100644 index 00000000..fb033341 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java 
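Review bot: The `description` of both `action` leaves says the expected values are create, read, update, delete, execute, subscribe, any, but the enforcement added in this commit compares the string against `ActionType` names such as Read, Exists, Put, Merge, Delete, Submit, Commit and Cancel (see AuthzReadOnlyTransaction and AuthzWriteOnlyTransaction), so a policy written as documented, e.g. `update`, matches no write operation and is silently ignored — the grant the operator intended simply never fires. Align the description with the names the code actually checks (or map one vocabulary onto the other in AuthzServiceImpl) and state which enum the names come from, since `ActionType` is generated from authorization-schema.yang, which is not in this chunk. With `type string` and no `pattern`, a mistyped action is accepted by config and only fails at enforcement time; a `pattern` listing the accepted names would catch that at load time. The comment above the first `action` leaf has a typo (`strnigs`).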
@@ -0,0 +1,46 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import org.junit.Assert; +import org.junit.Before; +import org.mockito.Mockito; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Provider; + +public class AuthzConsumerContextImplTest { + + private Broker.ConsumerSession realconsumercontext; + private Provider realprovidercontext; + private AuthzBrokerImpl authzBroker; + private Broker realbroker; + + @Before + public void beforeTest() { + realconsumercontext = Mockito.mock(Broker.ConsumerSession.class); + realprovidercontext = Mockito.mock(Provider.class); + realbroker = Mockito.mock(Broker.class); + realbroker.registerProvider(realprovidercontext); + authzBroker = Mockito.mock(AuthzBrokerImpl.class); + } + + @org.junit.Test + public void testGetService() throws Exception { + AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl( + realconsumercontext, authzBroker); + + Assert.assertEquals("Expected Authz session context", + authzConsumerContext.getService(DOMDataBroker.class).getClass(), + AuthzDomDataBroker.class); + // Assert.assertEquals("Expected Authz session context", + // authzConsumerContext.getService(SchemaService.class).getClass(), + // SchemaService.class); + } +} \ No newline at end of file diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml new file mode 100644 index 00000000..a5e37680 --- /dev/null +++ b/upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml 
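Review bot: The only assertion checks that a `DOMDataBroker` lookup through `AuthzConsumerContextImpl` yields the `AuthzDomDataBroker` wrapper; nothing in this commit tests the authorization decision itself — neither the deny branch of `AuthzServiceImpl.checkAuthorization` nor the `Authorized` fallback of the three-argument `reqAuthorization` when the policy list is empty. A test that installs a policy list via `AuthzServiceImpl.setPolicies` and asserts both an allowed and a denied action would pin the behaviour the rest of the module depends on. In `beforeTest`, `realbroker.registerProvider(realprovidercontext)` is a call on a Mockito mock and has no effect, and neither `realbroker` nor `realprovidercontext` is used by the test, so those lines can go. The file also lacks a trailing newline.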
@@ -0,0 +1,23 @@ + + + 4.0.0 + + org.opendaylight.aaa + aaa-parent + 0.3.2-Beryllium-SR2 + ../parent + + + aaa-authz + ${project.artifactId} + pom + + + aaa-authz-model + aaa-authz-service + aaa-authz-config + aaa-authz-restconf-config + + -- cgit 1.2.3-korg