authorAshlee Young <ashlee@onosfw.com>2015-09-09 22:15:21 -0700
committerAshlee Young <ashlee@onosfw.com>2015-09-09 22:15:21 -0700
commit13d05bc8458758ee39cb829098241e89616717ee (patch)
tree22a4d1ce65f15952f07a3df5af4b462b4697cb3a /framework/src/onos/core/api/src/main/java/org/onosproject/security
parent6139282e1e93c2322076de4b91b1c85d0bc4a8b3 (diff)
ONOS checkin based on commit tag e796610b1f721d02f9b0e213cf6f7790c10ecd60
Change-Id: Ife8810491034fe7becdba75dda20de4267bd15cd
Diffstat (limited to 'framework/src/onos/core/api/src/main/java/org/onosproject/security')
-rw-r--r--framework/src/onos/core/api/src/main/java/org/onosproject/security/AppGuard.java38
-rw-r--r--framework/src/onos/core/api/src/main/java/org/onosproject/security/AppPermission.java110
-rw-r--r--framework/src/onos/core/api/src/main/java/org/onosproject/security/Permission.java77
-rw-r--r--framework/src/onos/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java77
-rw-r--r--framework/src/onos/core/api/src/main/java/org/onosproject/security/SecurityUtil.java82
-rw-r--r--framework/src/onos/core/api/src/main/java/org/onosproject/security/package-info.java20
6 files changed, 404 insertions, 0 deletions
diff --git a/framework/src/onos/core/api/src/main/java/org/onosproject/security/AppGuard.java b/framework/src/onos/core/api/src/main/java/org/onosproject/security/AppGuard.java
new file mode 100644
index 00000000..800135f4
--- /dev/null
+++ b/framework/src/onos/core/api/src/main/java/org/onosproject/security/AppGuard.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+
+/**
+ * Aids SM-ONOS to perform API-level permission checking.
+ */
+public final class AppGuard {
+
+ private AppGuard() {
+ }
+
+ /**
+ * Checks if the caller has the required permission only when security-mode is enabled.
+ * @param permission permission to be checked
+ */
+ public static void checkPermission(AppPermission.Type permission) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ System.getSecurityManager().checkPermission(new AppPermission(permission));
+ }
+ }
+}
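Review bot: `checkPermission` null-checks the local `sm` but then calls `System.getSecurityManager()` a second time for the actual check, so the manager that was tested is not necessarily the one that is used. Using the captured reference, `sm.checkPermission(new AppPermission(permission));`, removes the second lookup. A null `permission` currently reaches `type.name()` in the `AppPermission(Type)` constructor and fails with a bare NullPointerException, so consider `Objects.requireNonNull(permission, "permission")` inside the `if`. The Javadoc could also state that the method does nothing when no SecurityManager is installed and throws `SecurityException` when the check is denied.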
diff --git a/framework/src/onos/core/api/src/main/java/org/onosproject/security/AppPermission.java b/framework/src/onos/core/api/src/main/java/org/onosproject/security/AppPermission.java
new file mode 100644
index 00000000..21a70d2b
--- /dev/null
+++ b/framework/src/onos/core/api/src/main/java/org/onosproject/security/AppPermission.java
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import java.security.BasicPermission;
+
+/**
+ * Implementation of API access permission.
+ */
+public class AppPermission extends BasicPermission {
+
+ public enum Type {
+ APP_READ,
+ APP_EVENT,
+ CONFIG_READ,
+ CONFIG_WRITE,
+ CLUSTER_READ,
+ CLUSTER_WRITE,
+ CLUSTER_EVENT,
+ DEVICE_READ,
+ DEVICE_EVENT,
+ DRIVER_READ,
+ DRIVER_WRITE,
+ FLOWRULE_READ,
+ FLOWRULE_WRITE,
+ FLOWRULE_EVENT,
+ GROUP_READ,
+ GROUP_WRITE,
+ GROUP_EVENT,
+ HOST_READ,
+ HOST_WRITE,
+ HOST_EVENT,
+ INTENT_READ,
+ INTENT_WRITE,
+ INTENT_EVENT,
+ LINK_READ,
+ LINK_WRITE,
+ LINK_EVENT,
+ PACKET_READ,
+ PACKET_WRITE,
+ PACKET_EVENT,
+ STATISTIC_READ,
+ TOPOLOGY_READ,
+ TOPOLOGY_EVENT,
+ TUNNEL_READ,
+ TUNNEL_WRITE,
+ TUNNEL_EVENT,
+ STORAGE_WRITE
+ }
+
+ protected Type type;
+ /**
+ * Creates new application permission using the supplied data.
+ * @param name permission name
+ */
+ public AppPermission(String name) {
+ super(name.toUpperCase(), "");
+ try {
+ type = Type.valueOf(name);
+ } catch (IllegalArgumentException e) {
+ type = null;
+ }
+ }
+
+ /**
+ * Creates new application permission using the supplied data.
+ * @param name permission name
+ * @param actions permission action
+ */
+ public AppPermission(String name, String actions) {
+ super(name.toUpperCase(), actions);
+ try {
+ type = Type.valueOf(name);
+ } catch (IllegalArgumentException e) {
+ type = null;
+ }
+ }
+
+ /**
+ * Crates new application permission using the supplied data.
+ * @param type permission type
+ */
+ public AppPermission(Type type) {
+ super(type.name(), "");
+ this.type = type;
+ }
+
+ /**
+ * Returns type of permission.
+ * @return application permission type
+ */
+ public Type getType() {
+ return this.type;
+ }
+
+}
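Review bot: Both String constructors pass `name.toUpperCase()` to `super` but call `Type.valueOf(name)` on the unnormalised string, so a lower-case or mixed-case name yields a permission whose `getName()` is a valid type while `getType()` is silently null. `toUpperCase()` without a locale also depends on the JVM default locale, which can change the letter `i` under a Turkish locale and produce a name that matches no policy entry. I would normalise once and reuse it: `super(name.toUpperCase(Locale.ROOT), actions);` followed by `type = Type.valueOf(getName());` (needs `import java.util.Locale;`). The Javadoc on `getType()` should say that null is returned for names outside the enum, and "Crates" in the third constructor's comment should read "Creates".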
diff --git a/framework/src/onos/core/api/src/main/java/org/onosproject/security/Permission.java b/framework/src/onos/core/api/src/main/java/org/onosproject/security/Permission.java
new file mode 100644
index 00000000..75d9433f
--- /dev/null
+++ b/framework/src/onos/core/api/src/main/java/org/onosproject/security/Permission.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+public class Permission {
+
+ protected String classname;
+ protected String name;
+ protected String actions;
+
+ public Permission(String classname, String name, String actions) {
+ this.classname = classname;
+ this.name = name;
+ if (actions == null) {
+ this.actions = "";
+ } else {
+ this.actions = actions;
+ }
+ }
+
+ public Permission(String classname, String name) {
+ this.classname = classname;
+ this.name = name;
+ this.actions = "";
+ }
+
+ public String getClassName() {
+ return classname;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public String getActions() {
+ return actions;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public boolean equals(Object thatPerm) {
+ if (this == thatPerm) {
+ return true;
+ }
+
+ if (!(thatPerm instanceof Permission)) {
+ return false;
+ }
+
+ Permission that = (Permission) thatPerm;
+ return (this.classname.equals(that.classname)) && (this.name.equals(that.name))
+ && (this.actions.equals(that.actions));
+ }
+
+ @Override
+ public String toString() {
+ return String.format("(%s, %s, %s)", classname, name, actions);
+ }
+}
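Review bot: `hashCode()` returns the constant 0, which satisfies the contract with `equals` but puts every `Permission` in the same bucket, so any HashSet or HashMap of permissions degrades to a linear scan. Since `equals` compares `classname`, `name` and `actions`, the matching form is `return Objects.hash(classname, name, actions);` (needs `import java.util.Objects;`). The constructors accept null for `classname` and `name`, and `equals` then throws NullPointerException at `this.classname.equals(...)`; either reject null in the constructors with `Objects.requireNonNull` or compare with `Objects.equals`. The class and its public members have no Javadoc, and the name collides with `java.security.Permission`, which another file in this commit imports into the same package, so a class comment saying what this type represents would help readers tell them apart.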
diff --git a/framework/src/onos/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java b/framework/src/onos/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java
new file mode 100644
index 00000000..16ea94d1
--- /dev/null
+++ b/framework/src/onos/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onosproject.core.ApplicationId;
+
+import java.security.Permission;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Security-Mode ONOS service.
+ */
+public interface SecurityAdminService {
+
+ /**
+ * Returns true if security policy has been enforced to specified application.
+ * @param appId application identifier
+ * @return true if secured.
+ */
+ boolean isSecured(ApplicationId appId);
+
+ /**
+ * Changes SecurityModeState of specified application to REVIEWED.
+ * @param appId application identifier
+ */
+ void review(ApplicationId appId);
+
+ /**
+ * Accepts and enforces security policy to specified application.
+ * @param appId application identifier
+ */
+ void acceptPolicy(ApplicationId appId);
+
+ /**
+ * Register application to SM-ONOS subsystem.
+ * @param appId application identifier
+ */
+ void register(ApplicationId appId);
+
+ /**
+ * Returns sorted developer specified permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId);
+
+ /**
+ * Returns sorted granted permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId);
+
+ /**
+ * Returns sorted requested permission Map.
+ * @param appId application identifier
+ * @return Map of list of permissions sorted by permission type
+ */
+ Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId);
+
+
+}
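Review bot: The three `getPrintable*Permissions` methods return `Map<Integer, List<Permission>>` without saying what the `Integer` key means; the Javadoc says only "sorted by permission type", so callers cannot tell which integer stands for which category. `Permission` here resolves to the imported `java.security.Permission`, not to the `org.onosproject.security.Permission` class added in the same package by this commit, which is easy to misread; a sentence in each `@return` naming the type would settle it. `review`, `acceptPolicy` and `register` change an application's security state, yet the interface does not document who is allowed to call them or what happens for an unknown `appId`. I would add that contract to the Javadoc so implementations enforce it consistently.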
diff --git a/framework/src/onos/core/api/src/main/java/org/onosproject/security/SecurityUtil.java b/framework/src/onos/core/api/src/main/java/org/onosproject/security/SecurityUtil.java
new file mode 100644
index 00000000..34b4e78a
--- /dev/null
+++ b/framework/src/onos/core/api/src/main/java/org/onosproject/security/SecurityUtil.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onlab.osgi.DefaultServiceDirectory;
+import org.onlab.osgi.ServiceDirectory;
+import org.onlab.osgi.ServiceNotFoundException;
+import org.onosproject.core.ApplicationId;
+
+/**
+ * Utility class to aid Security-Mode ONOS.
+ */
+public final class SecurityUtil {
+
+ protected static ServiceDirectory serviceDirectory = new DefaultServiceDirectory();
+
+ private SecurityUtil() {
+ }
+
+ public static boolean isSecurityModeEnabled() {
+ if (System.getSecurityManager() != null) {
+ try {
+ SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
+ if (securityService != null) {
+ return true;
+ }
+ } catch (ServiceNotFoundException e) {
+ return false;
+ }
+ }
+ return false;
+ }
+
+ public static SecurityAdminService getSecurityService() {
+ if (System.getSecurityManager() != null) {
+ try {
+ SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
+ if (securityService != null) {
+ return securityService;
+ }
+ } catch (ServiceNotFoundException e) {
+ return null;
+ }
+ }
+ return null;
+ }
+
+ public static boolean isAppSecured(ApplicationId appId) {
+ SecurityAdminService service = getSecurityService();
+ if (service != null) {
+ if (!service.isSecured(appId)) {
+ System.out.println("\n*******************************");
+ System.out.println(" SM-ONOS APP WARNING ");
+ System.out.println("*******************************");
+ System.out.println(appId.name() + " has not been secured.");
+ System.out.println("Please review before activating.");
+ return false;
+ }
+ }
+ return true;
+ }
+ public static void register(ApplicationId appId) {
+ SecurityAdminService service = getSecurityService();
+ if (service != null) {
+ service.register(appId);
+ }
+ }
+}
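Review bot: `isAppSecured` returns true whenever `getSecurityService()` returns null, and that includes the case where a SecurityManager is installed but the `SecurityAdminService` lookup throws `ServiceNotFoundException`, so the check fails open exactly when the policy service is missing. How callers use the result is not visible in this hunk, but if it gates activation the null case should distinguish the two situations, for example `if (service == null) { return System.getSecurityManager() == null; }`. The warning is written with `System.out.println`, which bypasses the logging framework and is easy to miss in an audit trail; a logger call at warn level would be more appropriate. `serviceDirectory` is a non-final static field that any code in the package can replace, so `private static final` is safer unless tests need to swap it. None of the public methods carries Javadoc, and `getSecurityService` in particular should document that it returns null.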
diff --git a/framework/src/onos/core/api/src/main/java/org/onosproject/security/package-info.java b/framework/src/onos/core/api/src/main/java/org/onosproject/security/package-info.java
new file mode 100644
index 00000000..88c3529d
--- /dev/null
+++ b/framework/src/onos/core/api/src/main/java/org/onosproject/security/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Application security constructs.
+ */
+package org.onosproject.security; \ No newline at end of file