diff options
author | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:15:21 -0700 |
---|---|---|
committer | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:15:21 -0700 |
commit | 13d05bc8458758ee39cb829098241e89616717ee (patch) | |
tree | 22a4d1ce65f15952f07a3df5af4b462b4697cb3a /framework/src/onos/apps/aaa | |
parent | 6139282e1e93c2322076de4b91b1c85d0bc4a8b3 (diff) |
ONOS checkin based on commit tag e796610b1f721d02f9b0e213cf6f7790c10ecd60
Change-Id: Ife8810491034fe7becdba75dda20de4267bd15cd
Diffstat (limited to 'framework/src/onos/apps/aaa')
8 files changed, 1592 insertions, 0 deletions
diff --git a/framework/src/onos/apps/aaa/app.xml b/framework/src/onos/apps/aaa/app.xml new file mode 100644 index 00000000..167a4192 --- /dev/null +++ b/framework/src/onos/apps/aaa/app.xml @@ -0,0 +1,24 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ Copyright 2015 Open Networking Laboratory + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> +<app name="org.onosproject.aaa" origin="ATT" version="${project.version}" + featuresRepo="mvn:${project.groupId}/${project.artifactId}/${project.version}/xml/features" + features="${project.artifactId}"> + <description>${project.description}</description> + <artifact>mvn:${project.groupId}/${project.artifactId}/${project.version}</artifact> + <artifact>mvn:${project.groupId}/onos-app-xos-integration/${project.version}</artifact> + <bundle>mvn:com.sun.jersey/jersey-client/1.19</bundle> +</app> diff --git a/framework/src/onos/apps/aaa/features.xml b/framework/src/onos/apps/aaa/features.xml new file mode 100644 index 00000000..3825ec5c --- /dev/null +++ b/framework/src/onos/apps/aaa/features.xml @@ -0,0 +1,26 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<!-- + ~ Copyright 2015 Open Networking Laboratory + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> +<features xmlns="http://karaf.apache.org/xmlns/features/v1.2.0" name="${project.artifactId}-${project.version}"> + <repository>mvn:${project.groupId}/${project.artifactId}/${project.version}/xml/features</repository> + <feature name="${project.artifactId}" version="${project.version}" + description="${project.description}"> + <feature>onos-api</feature> + <bundle>mvn:com.sun.jersey/jersey-client/1.19</bundle> + <bundle>mvn:${project.groupId}/${project.artifactId}/${project.version}</bundle> + <bundle>mvn:${project.groupId}/onos-app-xos-integration/${project.version}</bundle> + </feature> +</features> diff --git a/framework/src/onos/apps/aaa/pom.xml b/framework/src/onos/apps/aaa/pom.xml new file mode 100644 index 00000000..6f850750 --- /dev/null +++ b/framework/src/onos/apps/aaa/pom.xml @@ -0,0 +1,93 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ Copyright 2014 Open Networking Laboratory + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> + <modelVersion>4.0.0</modelVersion> + + + <parent> + <groupId>org.onosproject</groupId> + <artifactId>onos-apps</artifactId> + <version>1.3.0-SNAPSHOT</version> + <relativePath>../pom.xml</relativePath> + </parent> + + <artifactId>onos-app-aaa</artifactId> + <packaging>bundle</packaging> + + <description>ONOS authentication application</description> + + <properties> + <onos.app.name>org.onosproject.aaa</onos.app.name> + </properties> + + <dependencies> + <dependency> + <groupId>org.osgi</groupId> + <artifactId>org.osgi.compendium</artifactId> + </dependency> + + <dependency> + <groupId>org.onosproject</groupId> + <artifactId>onlab-junit</artifactId> + <scope>test</scope> + </dependency> + + <dependency> + <groupId>org.onosproject</groupId> + <artifactId>onos-api</artifactId> + <version>${project.version}</version> + </dependency> + + <dependency> + <groupId>org.onosproject</groupId> + <artifactId>onlab-osgi</artifactId> + <version>${project.version}</version> + </dependency> + + <dependency> + <groupId>org.apache.felix</groupId> + <artifactId>org.apache.felix.scr.annotations</artifactId> + </dependency> + + <dependency> + <groupId>org.onosproject</groupId> + <artifactId>onos-app-xos-integration</artifactId> + <version>${project.version}</version> + </dependency> + </dependencies> + + + <build> + <plugins> + <plugin> + <groupId>org.apache.felix</groupId> + <artifactId>maven-bundle-plugin</artifactId> + </plugin> + + <plugin> + <groupId>org.apache.felix</groupId> + <artifactId>maven-scr-plugin</artifactId> + </plugin> + <plugin> + <groupId>org.onosproject</groupId> + <artifactId>onos-maven-plugin</artifactId> + </plugin> + </plugins> + </build> +</project> diff --git a/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/AAA.java b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/AAA.java new file mode 100644 index 00000000..7e3de885 --- /dev/null +++ b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/AAA.java @@ -0,0 +1,616 @@ +/* + * Copyright 2015 AT&T Foundry + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.onosproject.aaa; + +import com.google.common.base.Strings; +import com.google.common.collect.Maps; +import org.apache.felix.scr.annotations.Activate; +import org.apache.felix.scr.annotations.Component; +import org.apache.felix.scr.annotations.Deactivate; +import org.apache.felix.scr.annotations.Modified; +import org.apache.felix.scr.annotations.Property; +import org.apache.felix.scr.annotations.Reference; +import org.apache.felix.scr.annotations.ReferenceCardinality; +import org.onlab.packet.DeserializationException; +import org.onlab.packet.EAP; +import org.onlab.packet.EAPOL; +import org.onlab.packet.EthType; +import org.onlab.packet.Ethernet; +import org.onlab.packet.IPv4; +import org.onlab.packet.Ip4Address; +import org.onlab.packet.IpAddress; +import org.onlab.packet.MacAddress; +import org.onlab.packet.RADIUS; +import org.onlab.packet.RADIUSAttribute; +import org.onlab.packet.TpPort; +import org.onlab.packet.UDP; +import org.onlab.packet.VlanId; +import org.onlab.util.Tools; +import org.onosproject.cfg.ComponentConfigService; +import org.onosproject.core.ApplicationId; +import org.onosproject.core.CoreService; +import org.onosproject.net.ConnectPoint; +import org.onosproject.net.DeviceId; +import org.onosproject.net.Host; +import org.onosproject.net.PortNumber; +import org.onosproject.net.flow.DefaultTrafficSelector; +import org.onosproject.net.flow.DefaultTrafficTreatment; +import org.onosproject.net.flow.TrafficSelector; +import org.onosproject.net.flow.TrafficTreatment; +import org.onosproject.net.host.HostService; +import org.onosproject.net.packet.DefaultOutboundPacket; +import org.onosproject.net.packet.InboundPacket; +import org.onosproject.net.packet.OutboundPacket; +import org.onosproject.net.packet.PacketContext; +import org.onosproject.net.packet.PacketProcessor; +import org.onosproject.net.packet.PacketService; +import org.onosproject.xosintegration.VoltTenantService; +import org.osgi.service.component.ComponentContext; +import org.slf4j.Logger; + +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.nio.ByteBuffer; +import java.util.Collections; +import java.util.Dictionary; +import java.util.Iterator; +import java.util.Map; +import java.util.Optional; +import java.util.Set; + +import static org.onosproject.net.packet.PacketPriority.CONTROL; +import static org.slf4j.LoggerFactory.getLogger; + + +/** + * AAA application for ONOS. + */ +@Component(immediate = true) +public class AAA { + // a list of our dependencies : + // to register with ONOS as an application - described next + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected CoreService coreService; + + // to receive Packet-in events that we'll respond to + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected PacketService packetService; + + // end host information + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected HostService hostService; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected VoltTenantService voltTenantService; + + // for verbose output + private final Logger log = getLogger(getClass()); + + // our application-specific event handler + private ReactivePacketProcessor processor = new ReactivePacketProcessor(); + + // our unique identifier + private ApplicationId appId; + + // Map of state machines. Each state machine is represented by an + // unique identifier on the switch: dpid + port number + Map stateMachineMap = null; + + // RADIUS server IP address + private static final String DEFAULT_RADIUS_IP = "192.168.1.10"; + // NAS IP address + private static final String DEFAULT_NAS_IP = "192.168.1.11"; + // RADIUS uplink port + private static final int DEFAULT_RADIUS_UPLINK = 2; + // RADIUS server shared secret + private static final String DEFAULT_RADIUS_SECRET = "ONOSecret"; + // RADIUS MAC address + private static final String RADIUS_MAC_ADDRESS = "00:00:00:00:01:10"; + // NAS MAC address + private static final String NAS_MAC_ADDRESS = "00:00:00:00:10:01"; + // Radius Switch Id + private static final String DEFAULT_RADIUS_SWITCH = "of:90e2ba82f97791e9"; + // Radius Port Number + private static final String DEFAULT_RADIUS_PORT = "129"; + + @Property(name = "radiusIpAddress", value = DEFAULT_RADIUS_IP, + label = "RADIUS IP Address") + private String radiusIpAddress = DEFAULT_RADIUS_IP; + + @Property(name = "nasIpAddress", value = DEFAULT_NAS_IP, + label = "NAS IP Address") + private String nasIpAddress = DEFAULT_NAS_IP; + + @Property(name = "radiusMacAddress", value = RADIUS_MAC_ADDRESS, + label = "RADIUS MAC Address") + private String radiusMacAddress = RADIUS_MAC_ADDRESS; + + @Property(name = "nasMacAddress", value = NAS_MAC_ADDRESS, + label = "NAS MAC Address") + private String nasMacAddress = NAS_MAC_ADDRESS; + + @Property(name = "radiusSecret", value = DEFAULT_RADIUS_SECRET, + label = "RADIUS shared secret") + private String radiusSecret = DEFAULT_RADIUS_SECRET; + + @Property(name = "radiusSwitchId", value = DEFAULT_RADIUS_SWITCH, + label = "Radius switch") + private String radiusSwitch = DEFAULT_RADIUS_SWITCH; + + @Property(name = "radiusPortNumber", value = DEFAULT_RADIUS_PORT, + label = "Radius port") + private String radiusPort = DEFAULT_RADIUS_PORT; + + // Parsed RADIUS server IP address + protected InetAddress parsedRadiusIpAddress; + + // Parsed NAS IP address + protected InetAddress parsedNasIpAddress; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected ComponentConfigService cfgService; + + @Modified + public void modified(ComponentContext context) { + Dictionary<?, ?> properties = context.getProperties(); + + String s = Tools.get(properties, "radiusIpAddress"); + try { + parsedRadiusIpAddress = InetAddress.getByName(s); + radiusIpAddress = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_IP : s; + } catch (UnknownHostException e) { + log.error("Invalid RADIUS IP address specification: {}", s); + } + try { + s = Tools.get(properties, "nasIpAddress"); + parsedNasIpAddress = InetAddress.getByName(s); + nasIpAddress = Strings.isNullOrEmpty(s) ? DEFAULT_NAS_IP : s; + } catch (UnknownHostException e) { + log.error("Invalid NAS IP address specification: {}", s); + } + + s = Tools.get(properties, "radiusMacAddress"); + radiusMacAddress = Strings.isNullOrEmpty(s) ? RADIUS_MAC_ADDRESS : s; + + s = Tools.get(properties, "nasMacAddress"); + nasMacAddress = Strings.isNullOrEmpty(s) ? NAS_MAC_ADDRESS : s; + + s = Tools.get(properties, "radiusSecret"); + radiusSecret = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_SECRET : s; + + s = Tools.get(properties, "radiusSwitchId"); + radiusSwitch = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_SWITCH : s; + + s = Tools.get(properties, "radiusPortNumber"); + radiusPort = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_PORT : s; + } + + @Activate + public void activate(ComponentContext context) { + cfgService.registerProperties(getClass()); + modified(context); + // "org.onosproject.aaa" is the FQDN of our app + appId = coreService.registerApplication("org.onosproject.aaa"); + // register our event handler + packetService.addProcessor(processor, PacketProcessor.director(2)); + requestIntercepts(); + // Instantiate the map of the state machines + stateMachineMap = Collections.synchronizedMap(Maps.newHashMap()); + + hostService.startMonitoringIp(IpAddress.valueOf(radiusIpAddress)); + + } + + @Deactivate + public void deactivate() { + cfgService.unregisterProperties(getClass(), false); + + appId = coreService.registerApplication("org.onosproject.aaa"); + withdrawIntercepts(); + // de-register and null our handler + packetService.removeProcessor(processor); + processor = null; + } + + /** + * Request packet in via PacketService. + */ + private void requestIntercepts() { + TrafficSelector.Builder selector = DefaultTrafficSelector.builder(); + selector.matchEthType(EthType.EtherType.EAPOL.ethType().toShort()); + packetService.requestPackets(selector.build(), + CONTROL, appId); + + TrafficSelector radSelector = DefaultTrafficSelector.builder() + .matchEthType(EthType.EtherType.IPV4.ethType().toShort()) + .matchIPProtocol(IPv4.PROTOCOL_UDP) + .matchUdpDst(TpPort.tpPort(1812)) + .matchUdpSrc(TpPort.tpPort(1812)) + .build(); + packetService.requestPackets(radSelector, CONTROL, appId); + } + + /** + * Cancel request for packet in via PacketService. + */ + private void withdrawIntercepts() { + TrafficSelector.Builder selector = DefaultTrafficSelector.builder(); + selector.matchEthType(EthType.EtherType.EAPOL.ethType().toShort()); + packetService.cancelPackets(selector.build(), CONTROL, appId); + + TrafficSelector radSelector = DefaultTrafficSelector.builder() + .matchEthType(EthType.EtherType.IPV4.ethType().toShort()) + .matchIPProtocol(IPv4.PROTOCOL_UDP) + .matchUdpDst(TpPort.tpPort(1812)) + .matchUdpSrc(TpPort.tpPort(1812)) + .build(); + packetService.cancelPackets(radSelector, CONTROL, appId); + } + + /** + * Builds an EAPOL packet based on the given parameters. + * + * @param dstMac destination MAC address + * @param srcMac source MAC address + * @param vlan vlan identifier + * @param eapolType EAPOL type + * @param eap EAP payload + * @return Ethernet frame + */ + private static Ethernet buildEapolResponse(MacAddress dstMac, MacAddress srcMac, + short vlan, byte eapolType, EAP eap) { + + Ethernet eth = new Ethernet(); + eth.setDestinationMACAddress(dstMac.toBytes()); + eth.setSourceMACAddress(srcMac.toBytes()); + eth.setEtherType(EthType.EtherType.EAPOL.ethType().toShort()); + if (vlan != Ethernet.VLAN_UNTAGGED) { + eth.setVlanID(vlan); + } + //eapol header + EAPOL eapol = new EAPOL(); + eapol.setEapolType(eapolType); + eapol.setPacketLength(eap.getLength()); + + //eap part + eapol.setPayload(eap); + + eth.setPayload(eapol); + eth.setPad(true); + return eth; + } + + // our handler defined as a private inner class + + /** + * Packet processor responsible for forwarding packets along their paths. + */ + private class ReactivePacketProcessor implements PacketProcessor { + @Override + public void process(PacketContext context) { + + // Extract the original Ethernet frame from the packet information + InboundPacket pkt = context.inPacket(); + Ethernet ethPkt = pkt.parsed(); + if (ethPkt == null) { + return; + } + // identify if incoming packet comes from supplicant (EAP) or RADIUS + switch (EthType.EtherType.lookup(ethPkt.getEtherType())) { + case EAPOL: + handleSupplicantPacket(context.inPacket()); + break; + case IPV4: + IPv4 ipv4Packet = (IPv4) ethPkt.getPayload(); + Ip4Address srcIp = Ip4Address.valueOf(ipv4Packet.getSourceAddress()); + Ip4Address radiusIp4Address = Ip4Address.valueOf(parsedRadiusIpAddress); + if (srcIp.equals(radiusIp4Address) && ipv4Packet.getProtocol() == IPv4.PROTOCOL_UDP) { + // TODO: check for port as well when it's configurable + UDP udpPacket = (UDP) ipv4Packet.getPayload(); + + byte[] datagram = udpPacket.getPayload().serialize(); + RADIUS radiusPacket; + try { + radiusPacket = RADIUS.deserializer().deserialize(datagram, 0, datagram.length); + } catch (DeserializationException e) { + log.warn("Unable to deserialize RADIUS packet:", e); + return; + } + handleRadiusPacket(radiusPacket); + } + break; + default: + return; + } + } + + + /** + * Handles PAE packets (supplicant). + * + * @param inPacket Ethernet packet coming from the supplicant + */ + private void handleSupplicantPacket(InboundPacket inPacket) { + Ethernet ethPkt = inPacket.parsed(); + // Where does it come from? + MacAddress srcMAC = ethPkt.getSourceMAC(); + + DeviceId deviceId = inPacket.receivedFrom().deviceId(); + PortNumber portNumber = inPacket.receivedFrom().port(); + String sessionId = deviceId.toString() + portNumber.toString(); + StateMachine stateMachine = getStateMachine(sessionId); + + EAPOL eapol = (EAPOL) ethPkt.getPayload(); + + switch (eapol.getEapolType()) { + case EAPOL.EAPOL_START: + try { + stateMachine.start(); + stateMachine.supplicantConnectpoint = inPacket.receivedFrom(); + + //send an EAP Request/Identify to the supplicant + EAP eapPayload = new EAP(EAP.REQUEST, stateMachine.getIdentifier(), EAP.ATTR_IDENTITY, null); + Ethernet eth = buildEapolResponse(srcMAC, MacAddress.valueOf(1L), + ethPkt.getVlanID(), EAPOL.EAPOL_PACKET, + eapPayload); + stateMachine.supplicantAddress = srcMAC; + stateMachine.vlanId = ethPkt.getVlanID(); + + this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint); + } catch (StateMachineException e) { + e.printStackTrace(); + } + + break; + case EAPOL.EAPOL_PACKET: + //check if this is a Response/Identify or a Response/TLS + EAP eapPacket = (EAP) eapol.getPayload(); + + byte dataType = eapPacket.getDataType(); + switch (dataType) { + case EAP.ATTR_IDENTITY: + try { + //request id access to RADIUS + RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST, + eapPacket.getIdentifier()); + radiusPayload.setIdentifier(stateMachine.getIdentifier()); + radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME, + eapPacket.getData()); + stateMachine.setUsername(eapPacket.getData()); + radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP, + AAA.this.parsedNasIpAddress.getAddress()); + + radiusPayload.encapsulateMessage(eapPacket); + + // set Request Authenticator in StateMachine + stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode()); + radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret); + sendRadiusMessage(radiusPayload); + + //change the state to "PENDING" + stateMachine.requestAccess(); + } catch (StateMachineException e) { + e.printStackTrace(); + } + break; + case EAP.ATTR_MD5: + //verify if the EAP identifier corresponds to the challenge identifier from the client state + //machine. + if (eapPacket.getIdentifier() == stateMachine.getChallengeIdentifier()) { + //send the RADIUS challenge response + RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST, + eapPacket.getIdentifier()); + radiusPayload.setIdentifier(stateMachine.getChallengeIdentifier()); + radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME, + stateMachine.getUsername()); + radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP, + AAA.this.parsedNasIpAddress.getAddress()); + + radiusPayload.encapsulateMessage(eapPacket); + + radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE, + stateMachine.getChallengeState()); + radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret); + sendRadiusMessage(radiusPayload); + } + break; + case EAP.ATTR_TLS: + try { + //request id access to RADIUS + RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST, + eapPacket.getIdentifier()); + radiusPayload.setIdentifier(stateMachine.getIdentifier()); + radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME, + stateMachine.getUsername()); + radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP, + AAA.this.parsedNasIpAddress.getAddress()); + + radiusPayload.encapsulateMessage(eapPacket); + + radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE, + stateMachine.getChallengeState()); + stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode()); + + radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret); + + sendRadiusMessage(radiusPayload); + // TODO: this gets called on every fragment, should only be called at TLS-Start + stateMachine.requestAccess(); + } catch (StateMachineException e) { + e.printStackTrace(); + } + break; + default: + return; + } + break; + default: + return; + } + } + + /** + * Handles RADIUS packets. + * + * @param radiusPacket RADIUS packet coming from the RADIUS server. + */ + private void handleRadiusPacket(RADIUS radiusPacket) { + StateMachine stateMachine = getStateMachineById(radiusPacket.getIdentifier()); + if (stateMachine == null) { + log.error("Invalid session identifier, exiting..."); + return; + } + + EAP eapPayload = new EAP(); + Ethernet eth = null; + switch (radiusPacket.getCode()) { + case RADIUS.RADIUS_CODE_ACCESS_CHALLENGE: + byte[] challengeState = radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_STATE).getValue(); + eapPayload = radiusPacket.decapsulateMessage(); + stateMachine.setChallengeInfo(eapPayload.getIdentifier(), challengeState); + eth = buildEapolResponse(stateMachine.supplicantAddress, + MacAddress.valueOf(1L), stateMachine.vlanId, EAPOL.EAPOL_PACKET, + eapPayload); + this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint); + break; + case RADIUS.RADIUS_CODE_ACCESS_ACCEPT: + try { + //send an EAPOL - Success to the supplicant. + byte[] eapMessage = + radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE).getValue(); + eapPayload = new EAP(); + eapPayload = (EAP) eapPayload.deserialize(eapMessage, 0, eapMessage.length); + eth = buildEapolResponse(stateMachine.supplicantAddress, + MacAddress.valueOf(1L), stateMachine.vlanId, EAPOL.EAPOL_PACKET, + eapPayload); + this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint); + + stateMachine.authorizeAccess(); + } catch (StateMachineException e) { + e.printStackTrace(); + } + break; + case RADIUS.RADIUS_CODE_ACCESS_REJECT: + try { + stateMachine.denyAccess(); + } catch (StateMachineException e) { + e.printStackTrace(); + } + break; + default: + log.warn("Unknown RADIUS message received with code: {}", radiusPacket.getCode()); + } + } + + private StateMachine getStateMachineById(byte identifier) { + StateMachine stateMachine = null; + Set stateMachineSet = stateMachineMap.entrySet(); + + synchronized (stateMachineMap) { + Iterator itr = stateMachineSet.iterator(); + while (itr.hasNext()) { + Map.Entry entry = (Map.Entry) itr.next(); + stateMachine = (StateMachine) entry.getValue(); + if (identifier == stateMachine.getIdentifier()) { + //the state machine has already been created for this session session + stateMachine = (StateMachine) entry.getValue(); + break; + } + } + } + + return stateMachine; + } + + private StateMachine getStateMachine(String sessionId) { + StateMachine stateMachine = null; + Set stateMachineSet = stateMachineMap.entrySet(); + + synchronized (stateMachineMap) { + Iterator itr = stateMachineSet.iterator(); + while (itr.hasNext()) { + + Map.Entry entry = (Map.Entry) itr.next(); + if (sessionId.equals(entry.getKey())) { + //the state machine has already been created for this session session + stateMachine = (StateMachine) entry.getValue(); + break; + } + } + } + + if (stateMachine == null) { + stateMachine = new StateMachine(sessionId, voltTenantService); + stateMachineMap.put(sessionId, stateMachine); + } + + return stateMachine; + } + + private void sendRadiusMessage(RADIUS radiusMessage) { + Set<Host> hosts = hostService.getHostsByIp(IpAddress.valueOf(radiusIpAddress)); + Optional<Host> odst = hosts.stream().filter(h -> h.vlan().toShort() == VlanId.UNTAGGED).findFirst(); + + Host dst; + if (!odst.isPresent()) { + log.info("Radius server {} is not present", radiusIpAddress); + return; + } else { + dst = odst.get(); + } + + UDP udp = new UDP(); + IPv4 ip4Packet = new IPv4(); + Ethernet ethPkt = new Ethernet(); + radiusMessage.setParent(udp); + udp.setDestinationPort((short) 1812); + udp.setSourcePort((short) 1812); // TODO: make this configurable + udp.setPayload(radiusMessage); + udp.setParent(ip4Packet); + ip4Packet.setSourceAddress(AAA.this.nasIpAddress); + ip4Packet.setDestinationAddress(AAA.this.radiusIpAddress); + ip4Packet.setProtocol(IPv4.PROTOCOL_UDP); + ip4Packet.setPayload(udp); + ip4Packet.setParent(ethPkt); + ethPkt.setDestinationMACAddress(radiusMacAddress); + ethPkt.setSourceMACAddress(nasMacAddress); + ethPkt.setEtherType(Ethernet.TYPE_IPV4); + ethPkt.setPayload(ip4Packet); + + TrafficTreatment treatment = DefaultTrafficTreatment.builder() + .setOutput(PortNumber.portNumber(Integer.parseInt(radiusPort))).build(); + OutboundPacket packet = new DefaultOutboundPacket(DeviceId.deviceId(radiusSwitch), + treatment, ByteBuffer.wrap(ethPkt.serialize())); + packetService.emit(packet); + + } + + /** + * Send the ethernet packet to the supplicant. + * + * @param ethernetPkt the ethernet packet + * @param connectPoint the connect point to send out + */ + private void sendPacketToSupplicant(Ethernet ethernetPkt, ConnectPoint connectPoint) { + TrafficTreatment treatment = DefaultTrafficTreatment.builder().setOutput(connectPoint.port()).build(); + OutboundPacket packet = new DefaultOutboundPacket(connectPoint.deviceId(), + treatment, ByteBuffer.wrap(ethernetPkt.serialize())); + packetService.emit(packet); + } + + } + +} diff --git a/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/StateMachine.java b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/StateMachine.java new file mode 100644 index 00000000..60959ada --- /dev/null +++ b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/StateMachine.java @@ -0,0 +1,500 @@ +/* + * + * Copyright 2015 AT&T Foundry + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onosproject.aaa; + +import org.onlab.packet.MacAddress; +import org.onosproject.net.ConnectPoint; +import org.onosproject.xosintegration.VoltTenant; +import org.onosproject.xosintegration.VoltTenantService; +import org.slf4j.Logger; + +import java.util.BitSet; + +import static org.slf4j.LoggerFactory.getLogger; + +/** + * AAA Finite State Machine. + */ + +class StateMachine { + //INDEX to identify the state in the transition table + static final int STATE_IDLE = 0; + static final int STATE_STARTED = 1; + static final int STATE_PENDING = 2; + static final int STATE_AUTHORIZED = 3; + static final int STATE_UNAUTHORIZED = 4; + + //INDEX to identify the transition in the transition table + static final int TRANSITION_START = 0; // --> started + static final int TRANSITION_REQUEST_ACCESS = 1; + static final int TRANSITION_AUTHORIZE_ACCESS = 2; + static final int TRANSITION_DENY_ACCESS = 3; + static final int TRANSITION_LOGOFF = 4; + + //map of access identifiers (issued at EAPOL START) + static BitSet bitSet = new BitSet(); + private final VoltTenantService voltService; + + private int identifier = -1; + private byte challengeIdentifier; + private byte[] challengeState; + private byte[] username; + private byte[] requestAuthenticator; + + // Supplicant connectivity info + protected ConnectPoint supplicantConnectpoint; + protected MacAddress supplicantAddress; + protected short vlanId; + + private String sessionId = null; + + private final Logger log = getLogger(getClass()); + + + private State[] states = { + new Idle(), new Started(), new Pending(), new Authorized(), new Unauthorized() + }; + + + //State transition table + /* + + state IDLE | STARTED | PENDING | AUTHORIZED | UNAUTHORIZED + //// + input + ---------------------------------------------------------------------------------------------------- + + START STARTED | _ | _ | _ | _ + + REQUEST_ACCESS _ | PENDING | _ | _ | _ + + AUTHORIZE_ACCESS _ | _ | AUTHORIZED | _ | _ + + DENY_ACCESS _ | - | UNAUTHORIZED | _ | _ + + LOGOFF _ | _ | _ | IDLE | IDLE + */ + + private int[] idleTransition = + {STATE_STARTED, STATE_IDLE, STATE_IDLE, STATE_IDLE, STATE_IDLE}; + private int[] startedTransition = + {STATE_STARTED, STATE_PENDING, STATE_STARTED, STATE_STARTED, STATE_STARTED}; + private int[] pendingTransition = + {STATE_PENDING, STATE_PENDING, STATE_AUTHORIZED, STATE_UNAUTHORIZED, STATE_PENDING}; + private int[] authorizedTransition = + {STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_IDLE}; + private int[] unauthorizedTransition = + {STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_IDLE}; + + //THE TRANSITION TABLE + private int[][] transition = + {idleTransition, startedTransition, pendingTransition, authorizedTransition, + unauthorizedTransition}; + + private int currentState = STATE_IDLE; + + + /** + * State Machine Constructor. + * + * @param sessionId session Id represented by the switch dpid + port number + * @param voltService volt service reference + */ + public StateMachine(String sessionId, VoltTenantService voltService) { + log.info("Creating a new state machine for {}", sessionId); + this.sessionId = sessionId; + this.voltService = voltService; + + } + + /** + * Get the client id that is requesting for access. + * + * @return The client id. + */ + public String getSessionId() { + return this.sessionId; + } + + /** + * Create the identifier for the state machine (happens when goes to STARTED state). + */ + private void createIdentifier() throws StateMachineException { + log.debug("Creating Identifier."); + int index = -1; + + try { + //find the first available spot for identifier assignment + index = StateMachine.bitSet.nextClearBit(0); + + //there is a limit of 256 identifiers + if (index == 256) { + throw new StateMachineException("Cannot handle any new identifier. Limit is 256."); + } + } catch (IndexOutOfBoundsException e) { + throw new StateMachineException(e.getMessage()); + } + + log.info("Assigning identifier {}", index); + StateMachine.bitSet.set(index); + this.identifier = index; + } + + /** + * Set the challenge identifier and the state issued by the RADIUS. + * + * @param challengeIdentifier The challenge identifier set into the EAP packet from the RADIUS message. + * @param challengeState The challenge state from the RADIUS. + */ + protected void setChallengeInfo(byte challengeIdentifier, byte[] challengeState) { + this.challengeIdentifier = challengeIdentifier; + this.challengeState = challengeState; + } + + /** + * Set the challenge identifier issued by the RADIUS on the access challenge request. + * + * @param challengeIdentifier The challenge identifier set into the EAP packet from the RADIUS message. + */ + protected void setChallengeIdentifier(byte challengeIdentifier) { + log.info("Set Challenge Identifier to {}", challengeIdentifier); + this.challengeIdentifier = challengeIdentifier; + } + + /** + * Get the challenge EAP identifier set by the RADIUS. + * + * @return The challenge EAP identifier. + */ + protected byte getChallengeIdentifier() { + return this.challengeIdentifier; + } + + + /** + * Set the challenge state info issued by the RADIUS. + * + * @param challengeState The challenge state from the RADIUS. + */ + protected void setChallengeState(byte[] challengeState) { + log.info("Set Challenge State"); + this.challengeState = challengeState; + } + + /** + * Get the challenge state set by the RADIUS. + * + * @return The challenge state. + */ + protected byte[] getChallengeState() { + return this.challengeState; + } + + /** + * Set the username. + * + * @param username The username sent to the RADIUS upon access request. + */ + protected void setUsername(byte[] username) { + this.username = username; + } + + + /** + * Get the username. + * + * @return The requestAuthenticator. + */ + protected byte[] getReqeustAuthenticator() { + return this.requestAuthenticator; + } + + /** + * Set the username. + * + * @param authenticator The username sent to the RADIUS upon access request. + */ + protected void setRequestAuthenticator(byte[] authenticator) { + this.requestAuthenticator = authenticator; + } + + + /** + * Get the username. + * + * @return The username. + */ + protected byte[] getUsername() { + return this.username; + } + + /** + * Return the identifier of the state machine. + * + * @return The state machine identifier. + */ + public byte getIdentifier() { + return (byte) this.identifier; + } + + + protected void deleteIdentifier() { + if (this.identifier != -1) { + log.info("Freeing up " + this.identifier); + //this state machine should be deleted and free up the identifier + StateMachine.bitSet.clear(this.identifier); + this.identifier = -1; + } + } + + + /** + * Move to the next state. + * + * @param msg + */ + private void next(int msg) { + currentState = transition[currentState][msg]; + log.info("Current State " + currentState); + } + + /** + * Client has requested the start action to allow network access. + * + * @throws StateMachineException if authentication protocol is violated + */ + public void start() throws StateMachineException { + try { + states[currentState].start(); + //move to the next state + next(TRANSITION_START); + createIdentifier(); + } catch (StateMachineInvalidTransitionException e) { + e.printStackTrace(); + } + } + + /** + * An Identification information has been sent by the supplicant. + * Move to the next state if possible. + * + * @throws StateMachineException if authentication protocol is violated + */ + public void requestAccess() throws StateMachineException { + try { + states[currentState].requestAccess(); + //move to the next state + next(TRANSITION_REQUEST_ACCESS); + } catch (StateMachineInvalidTransitionException e) { + e.printStackTrace(); + } + } + + /** + * RADIUS has accepted the identification. + * Move to the next state if possible. + * + * @throws StateMachineException if authentication protocol is violated + */ + public void authorizeAccess() throws StateMachineException { + try { + states[currentState].radiusAccepted(); + //move to the next state + next(TRANSITION_AUTHORIZE_ACCESS); + + if (voltService != null) { + voltService.addTenant( + VoltTenant.builder() + .withHumanReadableName("VCPE-" + this.identifier) + .withId(this.identifier) + .withProviderService(1) + .withServiceSpecificId(String.valueOf(this.identifier)) + .withPort(this.supplicantConnectpoint) + .withVlanId(String.valueOf(this.vlanId)).build()); + } + + deleteIdentifier(); + } catch (StateMachineInvalidTransitionException e) { + e.printStackTrace(); + } + + } + + /** + * RADIUS has denied the identification. + * Move to the next state if possible. + * + * @throws StateMachineException if authentication protocol is violated + */ + public void denyAccess() throws StateMachineException { + try { + states[currentState].radiusDenied(); + //move to the next state + next(TRANSITION_DENY_ACCESS); + deleteIdentifier(); + } catch (StateMachineInvalidTransitionException e) { + e.printStackTrace(); + } + } + + /** + * Logoff request has been requested. + * Move to the next state if possible. + * + * @throws StateMachineException if authentication protocol is violated + */ + public void logoff() throws StateMachineException { + try { + states[currentState].logoff(); + //move to the next state + next(TRANSITION_LOGOFF); + } catch (StateMachineInvalidTransitionException e) { + e.printStackTrace(); + } + } + + /** + * Get the current state. + * + * @return The current state. Could be STATE_IDLE, STATE_STARTED, STATE_PENDING, STATE_AUTHORIZED, + * STATE_UNAUTHORIZED. + */ + public int getState() { + return currentState; + } + + + public String toString() { + return ("sessionId: " + this.sessionId) + "\t" + ("identifier: " + this.identifier) + "\t" + + ("state: " + this.currentState); + } +} + +// FIXME: A source file should contain no more than one top-level entity! + +abstract class State { + private final Logger log = getLogger(getClass()); + + private String name = "State"; + + public void start() throws StateMachineInvalidTransitionException { + log.warn("START transition from this state is not allowed."); + } + + public void requestAccess() throws StateMachineInvalidTransitionException { + log.warn("REQUEST ACCESS transition from this state is not allowed."); + } + + public void radiusAccepted() throws StateMachineInvalidTransitionException { + log.warn("AUTHORIZE ACCESS transition from this state is not allowed."); + } + + public void radiusDenied() throws StateMachineInvalidTransitionException { + log.warn("DENY ACCESS transition from this state is not allowed."); + } + + public void logoff() throws StateMachineInvalidTransitionException { + log.warn("LOGOFF transition from this state is not allowed."); + } +} + +/** + * Idle state: supplicant is logged of from the network. + */ +class Idle extends State { + private final Logger log = getLogger(getClass()); + private String name = "IDLE_STATE"; + + public void start() { + log.info("Moving from IDLE state to STARTED state."); + } +} + +/** + * Started state: supplicant has entered the network and informed the authenticator. + */ +class Started extends State { + private final Logger log = getLogger(getClass()); + private String name = "STARTED_STATE"; + + public void requestAccess() { + log.info("Moving from STARTED state to PENDING state."); + } +} + +/** + * Pending state: supplicant has been identified by the authenticator but has not access yet. + */ +class Pending extends State { + private final Logger log = getLogger(getClass()); + private String name = "PENDING_STATE"; + + public void radiusAccepted() { + log.info("Moving from PENDING state to AUTHORIZED state."); + } + + public void radiusDenied() { + log.info("Moving from PENDING state to UNAUTHORIZED state."); + } +} + +/** + * Authorized state: supplicant port has been accepted, access is granted. + */ +class Authorized extends State { + private final Logger log = getLogger(getClass()); + private String name = "AUTHORIZED_STATE"; + + public void logoff() { + + log.info("Moving from AUTHORIZED state to IDLE state."); + } +} + +/** + * Unauthorized state: supplicant port has been rejected, access is denied. + */ +class Unauthorized extends State { + private final Logger log = getLogger(getClass()); + private String name = "UNAUTHORIZED_STATE"; + + public void logoff() { + log.info("Moving from UNAUTHORIZED state to IDLE state."); + } +} + + +/** + * Exception for the State Machine. + */ +class StateMachineException extends Exception { + public StateMachineException(String message) { + super(message); + + } +} + +/** + * Exception raised when the transition from one state to another is invalid. + */ +class StateMachineInvalidTransitionException extends StateMachineException { + public StateMachineInvalidTransitionException(String message) { + super(message); + } +} diff --git a/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/package-info.java b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/package-info.java new file mode 100644 index 00000000..19c5a5d6 --- /dev/null +++ b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2014 Open Networking Laboratory + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * AAA implmentation. + */ +package org.onosproject.aaa; diff --git a/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/AAATest.java b/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/AAATest.java new file mode 100644 index 00000000..1b581ab1 --- /dev/null +++ b/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/AAATest.java @@ -0,0 +1,43 @@ +/* + * Copyright 2014 Open Networking Laboratory + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.onosproject.aaa; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +/** + * Set of tests of the ONOS application component. + */ +public class AAATest { + + private AAA aaa; + + @Before + public void setUp() { + + } + + @After + public void tearDown() { + } + + @Test + public void basics() { + + } + +} diff --git a/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/StateMachineTest.java b/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/StateMachineTest.java new file mode 100644 index 00000000..2fe44ab9 --- /dev/null +++ b/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/StateMachineTest.java @@ -0,0 +1,270 @@ +/* + * + * Copyright 2015 AT&T Foundry + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +package org.onosproject.aaa; + +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; + + +public class StateMachineTest { + StateMachine stateMachine = null; + + @Before + public void setUp() { + System.out.println("Set Up."); + StateMachine.bitSet.clear(); + stateMachine = new StateMachine("session0", null); + } + + @After + public void tearDown() { + System.out.println("Tear Down."); + StateMachine.bitSet.clear(); + stateMachine = null; + } + + @Test + /** + * Test all the basic inputs from state to state: IDLE -> STARTED -> PENDING -> AUTHORIZED -> IDLE + */ + public void basic() throws StateMachineException { + System.out.println("======= BASIC =======."); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE); + + stateMachine.start(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED); + + stateMachine.requestAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING); + + stateMachine.authorizeAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED); + + stateMachine.logoff(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE); + } + + @Test + /** + * Test all inputs from an IDLE state (starting with the ones that are not impacting the current state) + */ + public void testIdleState() throws StateMachineException { + System.out.println("======= IDLE STATE TEST =======."); + stateMachine.requestAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE); + + stateMachine.authorizeAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE); + + stateMachine.denyAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE); + + stateMachine.logoff(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE); + + stateMachine.start(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED); + } + + @Test + /** + * Test all inputs from an STARTED state (starting with the ones that are not impacting the current state) + */ + public void testStartedState() throws StateMachineException { + System.out.println("======= STARTED STATE TEST =======."); + stateMachine.start(); + + stateMachine.authorizeAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED); + + stateMachine.denyAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED); + + stateMachine.logoff(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED); + + stateMachine.start(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED); + + stateMachine.requestAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING); + } + + @Test + /** + * Test all inputs from a PENDING state (starting with the ones that are not impacting the current state). + * The next valid state for this test is AUTHORIZED + */ + public void testPendingStateToAuthorized() throws StateMachineException { + System.out.println("======= PENDING STATE TEST (AUTHORIZED) =======."); + stateMachine.start(); + stateMachine.requestAccess(); + + stateMachine.logoff(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING); + + stateMachine.start(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING); + + stateMachine.requestAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING); + + stateMachine.authorizeAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED); + + stateMachine.denyAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED); + } + + @Test + /** + * Test all inputs from an PENDING state (starting with the ones that are not impacting the current state). + * The next valid state for this test is UNAUTHORIZED + */ + public void testPendingStateToUnauthorized() throws StateMachineException { + System.out.println("======= PENDING STATE TEST (DENIED) =======."); + stateMachine.start(); + stateMachine.requestAccess(); + + stateMachine.logoff(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING); + + stateMachine.start(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING); + + stateMachine.requestAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING); + + stateMachine.denyAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED); + + stateMachine.authorizeAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED); + } + + @Test + /** + * Test all inputs from an AUTHORIZED state (starting with the ones that are not impacting the current state). + */ + public void testAuthorizedState() throws StateMachineException { + System.out.println("======= AUTHORIZED STATE TEST =======."); + stateMachine.start(); + stateMachine.requestAccess(); + stateMachine.authorizeAccess(); + + stateMachine.start(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED); + + stateMachine.requestAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED); + + stateMachine.authorizeAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED); + + stateMachine.denyAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED); + + stateMachine.logoff(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE); + } + + @Test + /** + * Test all inputs from an UNAUTHORIZED state (starting with the ones that are not impacting the current state). + */ + public void testUnauthorizedState() throws StateMachineException { + System.out.println("======= UNAUTHORIZED STATE TEST =======."); + stateMachine.start(); + stateMachine.requestAccess(); + stateMachine.denyAccess(); + + stateMachine.start(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED); + + stateMachine.requestAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED); + + stateMachine.authorizeAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED); + + stateMachine.denyAccess(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED); + + stateMachine.logoff(); + Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE); + } + + + @Test + public void testIdentifierAvailability() throws StateMachineException { + System.out.println("======= IDENTIFIER TEST =======."); + byte identifier = stateMachine.getIdentifier(); + System.out.println("State: " + stateMachine.getState()); + System.out.println("Identifier: " + Byte.toUnsignedInt(identifier)); + Assert.assertEquals(-1, identifier); + stateMachine.start(); + + + StateMachine sm247 = null; + StateMachine sm3 = null; + + + //create 255 others state machines + for (int i = 1; i <= 255; i++) { + StateMachine sm = new StateMachine("session" + i, null); + sm.start(); + byte id = sm.getIdentifier(); + Assert.assertEquals(i, Byte.toUnsignedInt(id)); + if (i == 3) { + sm3 = sm; + System.out.println("SM3: " + sm3.toString()); + } + if (i == 247) { + sm247 = sm; + System.out.println("SM247: " + sm247.toString()); + } + } + + //simulate the state machine for a specific session and logoff so we can free up a spot for an identifier + //let's choose identifier 247 then we free up 3 + sm247.requestAccess(); + sm247.authorizeAccess(); + sm247.logoff(); + sm247 = null; + + sm3.requestAccess(); + sm3.authorizeAccess(); + sm3.logoff(); + sm3 = null; + + StateMachine otherSM3 = new StateMachine("session3b", null); + otherSM3.start(); + otherSM3.requestAccess(); + byte id3 = otherSM3.getIdentifier(); + Assert.assertEquals(3, Byte.toUnsignedInt(id3)); + + StateMachine otherSM247 = new StateMachine("session247b", null); + otherSM247.start(); + otherSM247.requestAccess(); + byte id247 = otherSM247.getIdentifier(); + Assert.assertEquals(247, Byte.toUnsignedInt(id247)); + + } +} |