aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/onos/core/security
diff options
context:
space:
mode:
authorAshlee Young <ashlee@onosfw.com>2015-09-09 22:15:21 -0700
committerAshlee Young <ashlee@onosfw.com>2015-09-09 22:15:21 -0700
commit13d05bc8458758ee39cb829098241e89616717ee (patch)
tree22a4d1ce65f15952f07a3df5af4b462b4697cb3a /framework/src/onos/core/security
parent6139282e1e93c2322076de4b91b1c85d0bc4a8b3 (diff)
ONOS checkin based on commit tag e796610b1f721d02f9b0e213cf6f7790c10ecd60
Change-Id: Ife8810491034fe7becdba75dda20de4267bd15cd
Diffstat (limited to 'framework/src/onos/core/security')
-rw-r--r--framework/src/onos/core/security/pom.xml65
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java433
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java289
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/package-info.java20
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java315
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java41
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java48
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java25
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java43
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java104
-rw-r--r--framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java25
11 files changed, 1408 insertions, 0 deletions
diff --git a/framework/src/onos/core/security/pom.xml b/framework/src/onos/core/security/pom.xml
new file mode 100644
index 00000000..67e74a1e
--- /dev/null
+++ b/framework/src/onos/core/security/pom.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <artifactId>onos-core</artifactId>
+ <groupId>org.onosproject</groupId>
+ <version>1.3.0-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+
+ <artifactId>onos-security</artifactId>
+ <packaging>bundle</packaging>
+
+
+ <description>Security-Mode ONOS project</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.compendium</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>org.apache.felix.scr.annotations</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onos-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onos-core-serializers</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.karaf.features</groupId>
+ <artifactId>org.apache.karaf.features.core</artifactId>
+ </dependency>
+ <!-- Adding dependency to pull the artifact from Maven Central.
+ Note: This is just needed for the onos-security feature. -->
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>org.apache.felix.framework.security</artifactId>
+ <version>2.2.0.onos</version>
+ <scope>provided</scope>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-scr-plugin</artifactId>
+ </plugin>
+ </plugins>
+ </build>
+
+</project> \ No newline at end of file
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java
new file mode 100644
index 00000000..8ae1a1ae
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java
@@ -0,0 +1,433 @@
+package org.onosproject.security.impl;
+
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+import org.onosproject.security.AppPermission;
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.app.ApplicationService;
+import org.onosproject.cfg.ComponentConfigService;
+import org.onosproject.cluster.ClusterAdminService;
+import org.onosproject.cluster.ClusterService;
+import org.onosproject.core.CoreService;
+import org.onosproject.cluster.LeadershipService;
+import org.onosproject.mastership.MastershipAdminService;
+import org.onosproject.mastership.MastershipService;
+import org.onosproject.net.device.DeviceAdminService;
+import org.onosproject.net.device.DeviceService;
+import org.onosproject.net.device.DeviceClockService;
+import org.onosproject.net.driver.DriverAdminService;
+import org.onosproject.net.driver.DriverService;
+import org.onosproject.net.flow.FlowRuleService;
+import org.onosproject.net.flowobjective.FlowObjectiveService;
+import org.onosproject.net.group.GroupService;
+import org.onosproject.net.host.HostAdminService;
+import org.onosproject.net.host.HostService;
+import org.onosproject.net.intent.IntentService;
+import org.onosproject.net.intent.IntentExtensionService;
+import org.onosproject.net.intent.IntentClockService;
+import org.onosproject.net.intent.PartitionService;
+import org.onosproject.net.link.LinkAdminService;
+import org.onosproject.net.link.LinkService;
+import org.onosproject.net.packet.PacketService;
+import org.onosproject.net.proxyarp.ProxyArpService;
+import org.onosproject.net.resource.link.LinkResourceService;
+import org.onosproject.net.statistic.StatisticService;
+import org.onosproject.net.topology.PathService;
+import org.onosproject.net.topology.TopologyService;
+import org.onosproject.security.SecurityAdminService;
+import org.onosproject.store.service.StorageAdminService;
+import org.onosproject.store.service.StorageService;
+import org.osgi.framework.BundlePermission;
+import org.osgi.framework.CapabilityPermission;
+import org.osgi.framework.ServicePermission;
+import org.osgi.framework.PackagePermission;
+import org.osgi.framework.AdaptPermission;
+import org.osgi.service.cm.ConfigurationPermission;
+
+import javax.net.ssl.SSLPermission;
+import javax.security.auth.AuthPermission;
+import javax.security.auth.PrivateCredentialPermission;
+import javax.security.auth.kerberos.DelegationPermission;
+import javax.sound.sampled.AudioPermission;
+import java.io.FilePermission;
+import java.io.SerializablePermission;
+import java.net.NetPermission;
+import java.net.SocketPermission;
+import java.security.Permissions;
+import java.sql.SQLPermission;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.List;
+import java.util.PropertyPermission;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.security.Permission;
+import java.util.logging.LoggingPermission;
+
+import static org.onosproject.security.AppPermission.Type.*;
+
+public final class DefaultPolicyBuilder {
+
+ protected static ConcurrentHashMap<AppPermission.Type,
+ Set<String>> serviceDirectory = getServiceDirectory();
+
+ protected static List<Permission> defaultPermissions = getDefaultPerms();
+ protected static List<Permission> adminServicePermissions = getAdminDefaultPerms();
+
+ private DefaultPolicyBuilder(){
+ }
+
+ public static List<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) {
+ List<Permission> perms = Lists.newArrayList();
+ perms.addAll(defaultPermissions);
+ perms.addAll(convertToJavaPermissions(permissions));
+ return optimizePermissions(perms);
+ }
+
+ public static List<Permission> getAdminApplicationPermissions(
+ Set<org.onosproject.security.Permission> permissions) {
+ List<Permission> perms = Lists.newArrayList();
+ perms.addAll(defaultPermissions);
+ perms.addAll(adminServicePermissions);
+ for (AppPermission.Type perm : serviceDirectory.keySet()) {
+ perms.add(new AppPermission(perm));
+ }
+ perms.addAll(convertToJavaPermissions(permissions));
+ return optimizePermissions(perms);
+ }
+
+ public static List<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) {
+ List<Permission> result = Lists.newArrayList();
+ for (org.onosproject.security.Permission perm : permissions) {
+ Permission javaPerm = getPermission(perm);
+ if (javaPerm != null) {
+ if (javaPerm instanceof AppPermission) {
+ if (((AppPermission) javaPerm).getType() != null) {
+ AppPermission ap = (AppPermission) javaPerm;
+ result.add(ap);
+ if (serviceDirectory.containsKey(ap.getType())) {
+ for (String service : serviceDirectory.get(ap.getType())) {
+ result.add(new ServicePermission(service, ServicePermission.GET));
+ }
+ }
+ }
+ } else if (javaPerm instanceof ServicePermission) {
+ if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) {
+ result.add(javaPerm);
+ }
+ } else {
+ result.add(javaPerm);
+ }
+
+ }
+ }
+ return result;
+ }
+
+ public static Set<org.onosproject.security.Permission> convertToOnosPermissions(List<Permission> permissions) {
+ Set<org.onosproject.security.Permission> result = Sets.newHashSet();
+ for (Permission perm : permissions) {
+ org.onosproject.security.Permission onosPerm = getOnosPermission(perm);
+ if (onosPerm != null) {
+ result.add(onosPerm);
+ }
+ }
+ return result;
+ }
+
+ public static List<Permission> getDefaultPerms() {
+ List<Permission> permSet = Lists.newArrayList();
+ permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY));
+ permSet.add(new PackagePermission("*", PackagePermission.IMPORT));
+ permSet.add(new AdaptPermission("*", AdaptPermission.ADAPT));
+ permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE));
+ return permSet;
+ }
+
+ private static List<Permission> getAdminDefaultPerms() {
+ List<Permission> permSet = Lists.newArrayList();
+ permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(MastershipAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DeviceAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DriverAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET));
+// permSet.add(new ServicePermission(LabelResourceAdminService.class.getName(), ServicePermission.GET));
+// permSet.add(new ServicePermission(TunnelAdminService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(CoreService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ClusterService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(LeadershipService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(MastershipService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DeviceService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DeviceClockService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(DriverService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(FlowRuleService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(FlowObjectiveService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(GroupService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(HostService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(IntentService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(IntentClockService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(IntentExtensionService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(LinkService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(LinkResourceService.class.getName(), ServicePermission.GET));
+// permSet.add(new ServicePermission(LabelResourceService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(PacketService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(ProxyArpService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(StatisticService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(PathService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(TopologyService.class.getName(), ServicePermission.GET));
+// permSet.add(new ServicePermission(TunnelService.class.getName(), ServicePermission.GET));
+ permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET));
+ return permSet;
+ }
+
+ public static Set<String> getNBServiceList() {
+ Set<String> permString = new HashSet<>();
+ for (Permission perm : getAdminDefaultPerms()) {
+ permString.add(perm.getName());
+ }
+ return permString;
+ }
+
+ private static ConcurrentHashMap<AppPermission.Type, Set<String>> getServiceDirectory() {
+
+ ConcurrentHashMap<AppPermission.Type, Set<String>> serviceDirectory = new ConcurrentHashMap<>();
+
+ serviceDirectory.put(APP_READ, ImmutableSet.of(
+ ApplicationService.class.getName(), CoreService.class.getName()));
+ serviceDirectory.put(APP_EVENT, ImmutableSet.of(
+ ApplicationService.class.getName(), CoreService.class.getName()));
+ serviceDirectory.put(CONFIG_READ, ImmutableSet.of(
+ ComponentConfigService.class.getName()));
+ serviceDirectory.put(CONFIG_WRITE, ImmutableSet.of(
+ ComponentConfigService.class.getName()));
+ serviceDirectory.put(CLUSTER_READ, ImmutableSet.of(
+ ClusterService.class.getName(), LeadershipService.class.getName(),
+ MastershipService.class.getName()));
+ serviceDirectory.put(CLUSTER_WRITE, ImmutableSet.of(
+ LeadershipService.class.getName(), MastershipService.class.getName()));
+ serviceDirectory.put(CLUSTER_EVENT, ImmutableSet.of(
+ ClusterService.class.getName(), LeadershipService.class.getName(),
+ MastershipService.class.getName()));
+ serviceDirectory.put(DEVICE_READ, ImmutableSet.of(
+ DeviceService.class.getName(), DeviceClockService.class.getName()));
+ serviceDirectory.put(DEVICE_EVENT, ImmutableSet.of(
+ DeviceService.class.getName()));
+ serviceDirectory.put(DRIVER_READ, ImmutableSet.of(
+ DriverService.class.getName()));
+ serviceDirectory.put(DRIVER_WRITE, ImmutableSet.of(
+ DriverService.class.getName()));
+ serviceDirectory.put(FLOWRULE_READ, ImmutableSet.of(
+ FlowRuleService.class.getName()));
+ serviceDirectory.put(FLOWRULE_WRITE, ImmutableSet.of(
+ FlowRuleService.class.getName(), FlowObjectiveService.class.getName()));
+ serviceDirectory.put(FLOWRULE_EVENT, ImmutableSet.of(
+ FlowRuleService.class.getName()));
+ serviceDirectory.put(GROUP_READ, ImmutableSet.of(
+ GroupService.class.getName()));
+ serviceDirectory.put(GROUP_WRITE, ImmutableSet.of(
+ GroupService.class.getName()));
+ serviceDirectory.put(GROUP_EVENT, ImmutableSet.of(
+ GroupService.class.getName()));
+ serviceDirectory.put(HOST_READ, ImmutableSet.of(
+ HostService.class.getName()));
+ serviceDirectory.put(HOST_WRITE, ImmutableSet.of(
+ HostService.class.getName()));
+ serviceDirectory.put(HOST_EVENT, ImmutableSet.of(
+ HostService.class.getName()));
+ serviceDirectory.put(INTENT_READ, ImmutableSet.of(
+ IntentService.class.getName(), PartitionService.class.getName(),
+ IntentClockService.class.getName()));
+ serviceDirectory.put(INTENT_WRITE, ImmutableSet.of(
+ IntentService.class.getName()));
+ serviceDirectory.put(INTENT_EVENT, ImmutableSet.of(
+ IntentService.class.getName()));
+// serviceDirectory.put(LINK_READ, ImmutableSet.of(
+// LinkService.class.getName(), LinkResourceService.class.getName(),
+// LabelResourceService.class.getName()));
+// serviceDirectory.put(LINK_WRITE, ImmutableSet.of(
+// LinkResourceService.class.getName(), LabelResourceService.class.getName()));
+// serviceDirectory.put(LINK_EVENT, ImmutableSet.of(
+// LinkService.class.getName(), LinkResourceService.class.getName(),
+// LabelResourceService.class.getName()));
+ serviceDirectory.put(PACKET_READ, ImmutableSet.of(
+ PacketService.class.getName(), ProxyArpService.class.getName()));
+ serviceDirectory.put(PACKET_WRITE, ImmutableSet.of(
+ PacketService.class.getName(), ProxyArpService.class.getName()));
+ serviceDirectory.put(PACKET_EVENT, ImmutableSet.of(
+ PacketService.class.getName()));
+ serviceDirectory.put(STATISTIC_READ, ImmutableSet.of(
+ StatisticService.class.getName()));
+ serviceDirectory.put(TOPOLOGY_READ, ImmutableSet.of(
+ TopologyService.class.getName(), PathService.class.getName()));
+ serviceDirectory.put(TOPOLOGY_EVENT, ImmutableSet.of(
+ TopologyService.class.getName()));
+// serviceDirectory.put(TUNNEL_READ, ImmutableSet.of(
+// TunnelService.class.getName()));
+// serviceDirectory.put(TUNNEL_WRITE, ImmutableSet.of(
+// TunnelService.class.getName()));
+// serviceDirectory.put(TUNNEL_EVENT, ImmutableSet.of(
+// TunnelService.class.getName()));
+ serviceDirectory.put(STORAGE_WRITE, ImmutableSet.of(
+ StorageService.class.getName()));
+
+ return serviceDirectory;
+ }
+
+
+ public static org.onosproject.security.Permission getOnosPermission(Permission permission) {
+ if (permission instanceof AppPermission) {
+ return new org.onosproject.security.Permission(AppPermission.class.getName(), permission.getName(), "");
+ } else if (permission instanceof FilePermission) {
+ return new org.onosproject.security.Permission(
+ FilePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof SerializablePermission) {
+ return new org.onosproject.security.Permission(
+ SerializablePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof NetPermission) {
+ return new org.onosproject.security.Permission(
+ NetPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof RuntimePermission) {
+ return new org.onosproject.security.Permission(
+ RuntimePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof SocketPermission) {
+ return new org.onosproject.security.Permission(
+ SocketPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof SQLPermission) {
+ return new org.onosproject.security.Permission(
+ SQLPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof PropertyPermission) {
+ return new org.onosproject.security.Permission(
+ PropertyPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof LoggingPermission) {
+ return new org.onosproject.security.Permission(
+ LoggingPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof SSLPermission) {
+ return new org.onosproject.security.Permission(
+ SSLPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof AuthPermission) {
+ return new org.onosproject.security.Permission(
+ AuthPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof PrivateCredentialPermission) {
+ return new org.onosproject.security.Permission(
+ PrivateCredentialPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof DelegationPermission) {
+ return new org.onosproject.security.Permission(
+ DelegationPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof javax.security.auth.kerberos.ServicePermission) {
+ return new org.onosproject.security.Permission(
+ javax.security.auth.kerberos.ServicePermission.class.getName(), permission.getName(),
+ permission.getActions());
+ } else if (permission instanceof AudioPermission) {
+ return new org.onosproject.security.Permission(
+ AudioPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof AdaptPermission) {
+ return new org.onosproject.security.Permission(
+ AdaptPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof BundlePermission) {
+ return new org.onosproject.security.Permission(
+ BundlePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof CapabilityPermission) {
+ return new org.onosproject.security.Permission(
+ CapabilityPermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof PackagePermission) {
+ return new org.onosproject.security.Permission(
+ PackagePermission.class.getName(), permission.getName(), permission.getActions());
+ } else if (permission instanceof ServicePermission) {
+ return new org.onosproject.security.Permission(
+ ServicePermission.class.getName(), permission.getName(), permission.getActions());
+ }
+ return null;
+ }
+
+ private static Permission getPermission(org.onosproject.security.Permission permission) {
+
+ String classname = permission.getClassName();
+ String name = permission.getName();
+ String actions = permission.getActions();
+
+ if (classname == null || name == null) {
+ return null;
+ }
+ classname = classname.trim();
+ name = name.trim();
+ actions = actions.trim();
+
+ if (AppPermission.class.getName().equals(classname)) {
+ return new AppPermission(name);
+ } else if (FilePermission.class.getName().equals(classname)) {
+ return new FilePermission(name, actions);
+ } else if (SerializablePermission.class.getName().equals(classname)) {
+ return new SerializablePermission(name, actions);
+ } else if (NetPermission.class.getName().equals(classname)) {
+ return new NetPermission(name, actions);
+ } else if (RuntimePermission.class.getName().equals(classname)) {
+ return new RuntimePermission(name, actions);
+ } else if (SocketPermission.class.getName().equals(classname)) {
+ return new SocketPermission(name, actions);
+ } else if (SQLPermission.class.getName().equals(classname)) {
+ return new SQLPermission(name, actions);
+ } else if (PropertyPermission.class.getName().equals(classname)) {
+ return new PropertyPermission(name, actions);
+ } else if (LoggingPermission.class.getName().equals(classname)) {
+ return new LoggingPermission(name, actions);
+ } else if (SSLPermission.class.getName().equals(classname)) {
+ return new SSLPermission(name, actions);
+ } else if (AuthPermission.class.getName().equals(classname)) {
+ return new AuthPermission(name, actions);
+ } else if (PrivateCredentialPermission.class.getName().equals(classname)) {
+ return new PrivateCredentialPermission(name, actions);
+ } else if (DelegationPermission.class.getName().equals(classname)) {
+ return new DelegationPermission(name, actions);
+ } else if (javax.security.auth.kerberos.ServicePermission.class.getName().equals(classname)) {
+ return new javax.security.auth.kerberos.ServicePermission(name, actions);
+ } else if (AudioPermission.class.getName().equals(classname)) {
+ return new AudioPermission(name, actions);
+ } else if (AdaptPermission.class.getName().equals(classname)) {
+ return new AdaptPermission(name, actions);
+ } else if (BundlePermission.class.getName().equals(classname)) {
+ return new BundlePermission(name, actions);
+ } else if (CapabilityPermission.class.getName().equals(classname)) {
+ return new CapabilityPermission(name, actions);
+ } else if (PackagePermission.class.getName().equals(classname)) {
+ return new PackagePermission(name, actions);
+ } else if (ServicePermission.class.getName().equals(classname)) {
+ return new ServicePermission(name, actions);
+ }
+
+ //AllPermission, SecurityPermission, UnresolvedPermission
+ //AWTPermission, AdminPermission(osgi), ReflectPermission not allowed
+ return null;
+
+ }
+ private static List<Permission> optimizePermissions(List<Permission> perms) {
+ Permissions permissions = listToPermissions(perms);
+ return permissionsToList(permissions);
+ }
+
+ private static List<Permission> permissionsToList(Permissions perms) {
+ List<Permission> permissions = new ArrayList<>();
+ Enumeration<Permission> e = perms.elements();
+ while (e.hasMoreElements()) {
+ permissions.add(e.nextElement());
+ }
+ return permissions;
+ }
+
+ private static Permissions listToPermissions(List<Permission> perms) {
+ Permissions permissions = new Permissions();
+ for (Permission perm : perms) {
+ permissions.add(perm);
+ }
+ return permissions;
+ }
+}
+
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java
new file mode 100644
index 00000000..30b0f8bb
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java
@@ -0,0 +1,289 @@
+package org.onosproject.security.impl;
+
+import com.google.common.collect.Lists;
+
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Reference;
+import org.apache.felix.scr.annotations.ReferenceCardinality;
+import org.apache.felix.scr.annotations.Activate;
+import org.apache.felix.scr.annotations.Deactivate;
+import org.apache.felix.scr.annotations.Service;
+
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.app.ApplicationState;
+import org.onosproject.core.Application;
+import org.onosproject.core.ApplicationId;
+
+import org.onosproject.event.EventDeliveryService;
+import org.onosproject.event.ListenerRegistry;
+import org.onosproject.security.AppPermission;
+import org.onosproject.security.SecurityAdminService;
+import org.onosproject.security.store.SecurityModeEvent;
+import org.onosproject.security.store.SecurityModeListener;
+import org.onosproject.security.store.SecurityModeStore;
+import org.onosproject.security.store.SecurityModeStoreDelegate;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.FrameworkUtil;
+import org.osgi.framework.ServicePermission;
+import org.osgi.service.log.LogEntry;
+import org.osgi.service.log.LogListener;
+import org.osgi.service.log.LogReaderService;
+import org.osgi.service.permissionadmin.PermissionInfo;
+
+import java.security.AccessControlException;
+import java.security.Permission;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.osgi.service.permissionadmin.PermissionAdmin;
+import org.slf4j.Logger;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+
+
+/**
+ * Security-Mode ONOS management implementation.
+ */
+
+@Component(immediate = true)
+@Service
+public class SecurityModeManager implements SecurityAdminService {
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected SecurityModeStore store;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected ApplicationAdminService appAdminService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected LogReaderService logReaderService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected EventDeliveryService eventDispatcher;
+
+ private final Logger log = getLogger(getClass());
+
+ protected final ListenerRegistry<SecurityModeEvent, SecurityModeListener>
+ listenerRegistry = new ListenerRegistry<>();
+
+ private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate();
+
+ private SecurityLogListener securityLogListener = new SecurityLogListener();
+
+ private PermissionAdmin permissionAdmin = getPermissionAdmin();
+
+
+ @Activate
+ public void activate() {
+
+ eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry);
+ // add Listeners
+ logReaderService.addLogListener(securityLogListener);
+
+ store.setDelegate(delegate);
+
+ if (System.getSecurityManager() == null) {
+ log.warn("J2EE security manager is disabled.");
+ deactivate();
+ return;
+ }
+ if (permissionAdmin == null) {
+ log.warn("Permission Admin not found.");
+ deactivate();
+ return;
+ }
+
+ log.info("Security-Mode Started");
+ }
+
+ @Deactivate
+ public void deactivate() {
+ eventDispatcher.removeSink(SecurityModeEvent.class);
+ logReaderService.removeLogListener(securityLogListener);
+ store.unsetDelegate(delegate);
+ log.info("Stopped");
+
+ }
+
+ @Override
+ public boolean isSecured(ApplicationId appId) {
+ if (store.getState(appId) == null) {
+ store.registerApplication(appId);
+ }
+ return store.isSecured(appId);
+ }
+
+
+ @Override
+ public void review(ApplicationId appId) {
+ if (store.getState(appId) == null) {
+ store.registerApplication(appId);
+ }
+ store.reviewPolicy(appId);
+ }
+
+ @Override
+ public void acceptPolicy(ApplicationId appId) {
+ if (store.getState(appId) == null) {
+ store.registerApplication(appId);
+ }
+ store.acceptPolicy(appId, DefaultPolicyBuilder.convertToOnosPermissions(getMaximumPermissions(appId)));
+ }
+
+ @Override
+ public void register(ApplicationId appId) {
+ store.registerApplication(appId);
+ }
+
+ @Override
+ public Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId) {
+ return getPrintablePermissionMap(getMaximumPermissions(appId));
+ }
+
+ @Override
+ public Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId) {
+ return getPrintablePermissionMap(
+ DefaultPolicyBuilder.convertToJavaPermissions(store.getGrantedPermissions(appId)));
+ }
+
+ @Override
+ public Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId) {
+ return getPrintablePermissionMap(
+ DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId)));
+ }
+
+ private class SecurityLogListener implements LogListener {
+ @Override
+ public void logged(LogEntry entry) {
+ if (entry.getException() != null &&
+ entry.getException() instanceof AccessControlException) {
+ String location = entry.getBundle().getLocation();
+ Permission javaPerm =
+ ((AccessControlException) entry.getException()).getPermission();
+ org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm);
+ if (permission == null) {
+ log.warn("Unsupported permission requested.");
+ return;
+ }
+ store.getApplicationIds(location).stream().filter(
+ appId -> store.isSecured(appId) &&
+ appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
+ store.requestPermission(appId, permission);
+ print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
+ appId.name(), location, permission.toString());
+ });
+ }
+ }
+ }
+
+ private class InternalStoreDelegate implements SecurityModeStoreDelegate {
+ @Override
+ public void notify(SecurityModeEvent event) {
+ if (event.type() == SecurityModeEvent.Type.POLICY_ACCEPTED) {
+ setLocalPermissions(event.subject());
+ log.info("{} POLICY ACCEPTED and ENFORCED", event.subject().name());
+ } else if (event.type() == SecurityModeEvent.Type.POLICY_VIOLATED) {
+ log.info("{} POLICY VIOLATED", event.subject().name());
+ } else if (event.type() == SecurityModeEvent.Type.POLICY_REVIEWED) {
+ log.info("{} POLICY REVIEWED", event.subject().name());
+ }
+ eventDispatcher.post(event);
+ }
+ }
+
+ /**
+ * TYPES.
+ * 0 - APP_PERM
+ * 1 - ADMIN SERVICE
+ * 2 - NB_SERVICE
+ * 3 - ETC_SERVICE
+ * 4 - ETC
+ * @param perms
+ */
+ private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) {
+ ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>();
+ sortedMap.put(0, new ArrayList());
+ sortedMap.put(1, new ArrayList());
+ sortedMap.put(2, new ArrayList());
+ sortedMap.put(3, new ArrayList());
+ sortedMap.put(4, new ArrayList());
+ for (Permission perm : perms) {
+ if (perm instanceof ServicePermission) {
+ if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) {
+ if (perm.getName().contains("Admin")) {
+ sortedMap.get(1).add(perm);
+ } else {
+ sortedMap.get(2).add(perm);
+ }
+ } else {
+ sortedMap.get(3).add(perm);
+ }
+ } else if (perm instanceof AppPermission) {
+ sortedMap.get(0).add(perm);
+ } else {
+ sortedMap.get(4).add(perm);
+ }
+ }
+ return sortedMap;
+ }
+
+ private void setLocalPermissions(ApplicationId applicationId) {
+ for (String location : store.getBundleLocations(applicationId)) {
+ permissionAdmin.setPermissions(location, permissionsToInfo(store.getGrantedPermissions(applicationId)));
+ }
+ }
+
+ private PermissionInfo[] permissionsToInfo(Set<org.onosproject.security.Permission> permissions) {
+ List<PermissionInfo> result = Lists.newArrayList();
+ for (org.onosproject.security.Permission perm : permissions) {
+ result.add(new PermissionInfo(perm.getClassName(), perm.getName(), perm.getActions()));
+ }
+ PermissionInfo[] permissionInfos = new PermissionInfo[result.size()];
+ return result.toArray(permissionInfos);
+ }
+
+
+
+ private List<Permission> getMaximumPermissions(ApplicationId appId) {
+ Application app = appAdminService.getApplication(appId);
+ if (app == null) {
+ print("Unknown application.");
+ return null;
+ }
+ List<Permission> appPerms;
+ switch (app.role()) {
+ case ADMIN:
+ appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions());
+ break;
+ case USER:
+ appPerms = DefaultPolicyBuilder.getUserApplicationPermissions(app.permissions());
+ break;
+ case UNSPECIFIED:
+ default:
+ appPerms = DefaultPolicyBuilder.getDefaultPerms();
+ break;
+ }
+
+ return appPerms;
+ }
+
+
+ private void print(String format, Object... args) {
+ System.out.println(String.format("SM-ONOS: " + format, args));
+ log.warn(String.format(format, args));
+ }
+
+ private PermissionAdmin getPermissionAdmin() {
+ BundleContext context = getBundleContext();
+ return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName()));
+ }
+
+ private BundleContext getBundleContext() {
+ return FrameworkUtil.getBundle(this.getClass()).getBundleContext();
+
+ }
+} \ No newline at end of file
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/package-info.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/package-info.java
new file mode 100644
index 00000000..387f6ecf
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Implementation of the security mode.
+ */
+package org.onosproject.security.impl; \ No newline at end of file
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java
new file mode 100644
index 00000000..ac16966c
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java
@@ -0,0 +1,315 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+
+import org.apache.felix.scr.annotations.Activate;
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Deactivate;
+import org.apache.felix.scr.annotations.Reference;
+import org.apache.felix.scr.annotations.ReferenceCardinality;
+import org.apache.felix.scr.annotations.Service;
+import org.apache.karaf.features.BundleInfo;
+import org.apache.karaf.features.Feature;
+import org.apache.karaf.features.FeaturesService;
+
+import org.onlab.util.KryoNamespace;
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.core.Application;
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.Permission;
+import org.onosproject.store.AbstractStore;
+import org.onosproject.store.serializers.KryoNamespaces;
+import org.onosproject.store.service.ConsistentMap;
+import org.onosproject.store.service.EventuallyConsistentMap;
+import org.onosproject.store.service.LogicalClockService;
+import org.onosproject.store.service.MapEvent;
+import org.onosproject.store.service.MapEventListener;
+import org.onosproject.store.service.Serializer;
+import org.onosproject.store.service.StorageService;
+import org.slf4j.Logger;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.stream.Collectors;
+
+import static org.onosproject.security.store.SecurityModeState.*;
+import static org.slf4j.LoggerFactory.getLogger;
+
+/**
+ * Manages application permissions granted/requested to applications.
+ * Uses both gossip-based and RAFT-based distributed data store.
+ */
+@Component(immediate = true)
+@Service
+public class DistributedSecurityModeStore
+ extends AbstractStore<SecurityModeEvent, SecurityModeStoreDelegate>
+ implements SecurityModeStore {
+
+ private final Logger log = getLogger(getClass());
+
+ private ConsistentMap<ApplicationId, SecurityInfo> states;
+ private EventuallyConsistentMap<ApplicationId, Set<Permission>> violations;
+
+ private ConcurrentHashMap<String, Set<ApplicationId>> localBundleAppDirectory;
+ private ConcurrentHashMap<ApplicationId, Set<String>> localAppBundleDirectory;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected StorageService storageService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected LogicalClockService clockService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected ApplicationAdminService applicationAdminService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected FeaturesService featuresService;
+
+ private static final Serializer STATE_SERIALIZER = Serializer.using(new KryoNamespace.Builder()
+ .register(KryoNamespaces.API)
+ .register(SecurityModeState.class)
+ .register(SecurityInfo.class)
+ .register(Permission.class)
+ .build());
+
+ private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder()
+ .register(KryoNamespaces.API)
+ .register(Permission.class);
+
+ @Activate
+ public void activate() {
+ states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder()
+ .withName("smonos-sdata")
+ .withSerializer(STATE_SERIALIZER)
+ .build();
+
+ states.addListener(new SecurityStateListener());
+
+ violations = storageService.<ApplicationId, Set<Permission>>eventuallyConsistentMapBuilder()
+ .withName("smonos-rperms")
+ .withSerializer(VIOLATION_SERIALIZER)
+ .withTimestampProvider((k, v) -> clockService.getTimestamp())
+ .build();
+
+ localBundleAppDirectory = new ConcurrentHashMap<>();
+ localAppBundleDirectory = new ConcurrentHashMap<>();
+
+ log.info("Started");
+
+ }
+
+ @Deactivate
+ public void deactivate() {
+ violations.destroy();
+ log.info("Stopped");
+ }
+
+
+ @Override
+ public Set<String> getBundleLocations(ApplicationId appId) {
+ Set<String> locations = localAppBundleDirectory.get(appId);
+ return locations != null ? locations : Sets.newHashSet();
+ }
+
+ @Override
+ public Set<ApplicationId> getApplicationIds(String location) {
+ Set<ApplicationId> appIds = localBundleAppDirectory.get(location);
+ return appIds != null ? appIds : Sets.newHashSet();
+ }
+
+ @Override
+ public Set<Permission> getRequestedPermissions(ApplicationId appId) {
+ Set<Permission> permissions = violations.get(appId);
+ return permissions != null ? permissions : ImmutableSet.of();
+ }
+
+ @Override
+ public Set<Permission> getGrantedPermissions(ApplicationId appId) {
+ return states.asJavaMap().getOrDefault(appId, new SecurityInfo(ImmutableSet.of(), null)).getPermissions();
+ }
+
+ @Override
+ public void requestPermission(ApplicationId appId, Permission permission) {
+
+ states.computeIf(appId, securityInfo -> (securityInfo == null || securityInfo.getState() != POLICY_VIOLATED),
+ (id, securityInfo) -> new SecurityInfo(securityInfo.getPermissions(), POLICY_VIOLATED));
+ violations.compute(appId, (k, v) -> v == null ? Sets.newHashSet(permission) : addAndGet(v, permission));
+ }
+
+ private Set<Permission> addAndGet(Set<Permission> oldSet, Permission newPerm) {
+ oldSet.add(newPerm);
+ return oldSet;
+ }
+
+ @Override
+ public boolean isSecured(ApplicationId appId) {
+ SecurityInfo info = states.get(appId).value();
+ return info == null ? false : info.getState().equals(SECURED);
+ }
+
+ @Override
+ public void reviewPolicy(ApplicationId appId) {
+ Application app = applicationAdminService.getApplication(appId);
+ if (app == null) {
+ log.warn("Unknown Application");
+ return;
+ }
+ states.computeIfPresent(appId, (applicationId, securityInfo) -> {
+ if (securityInfo.getState().equals(INSTALLED)) {
+ return new SecurityInfo(ImmutableSet.of(), REVIEWED);
+ }
+ return securityInfo;
+ });
+ }
+
+ @Override
+ public void acceptPolicy(ApplicationId appId, Set<Permission> permissionSet) {
+
+ Application app = applicationAdminService.getApplication(appId);
+ if (app == null) {
+ log.warn("Unknown Application");
+ return;
+ }
+
+ states.computeIf(appId,
+ securityInfo -> (securityInfo != null),
+ (id, securityInfo) -> {
+ switch (securityInfo.getState()) {
+ case POLICY_VIOLATED:
+ System.out.println(
+ "This application has violated the security policy. Please uninstall.");
+ return securityInfo;
+ case SECURED:
+ System.out.println(
+ "The policy has been accepted already. To review policy, review [app.name]");
+ return securityInfo;
+ case INSTALLED:
+ System.out.println("Please review the security policy prior to accept them");
+ log.warn("Application has not been reviewed");
+ return securityInfo;
+ case REVIEWED:
+ return new SecurityInfo(permissionSet, SECURED);
+ default:
+ return securityInfo;
+ }
+ });
+ }
+
+ private final class SecurityStateListener
+ implements MapEventListener<ApplicationId, SecurityInfo> {
+
+ @Override
+ public void event(MapEvent<ApplicationId, SecurityInfo> event) {
+
+ if (delegate == null) {
+ return;
+ }
+ ApplicationId appId = event.key();
+ SecurityInfo info = event.value().value();
+
+ if (event.type() == MapEvent.Type.INSERT || event.type() == MapEvent.Type.UPDATE) {
+ switch (info.getState()) {
+ case POLICY_VIOLATED:
+ notifyDelegate(new SecurityModeEvent(SecurityModeEvent.Type.POLICY_VIOLATED, appId));
+ break;
+ case SECURED:
+ notifyDelegate(new SecurityModeEvent(SecurityModeEvent.Type.POLICY_ACCEPTED, appId));
+ default:
+ break;
+ }
+ } else if (event.type() == MapEvent.Type.REMOVE) {
+ removeAppFromDirectories(appId);
+ }
+ }
+ }
+
+ private void removeAppFromDirectories(ApplicationId appId) {
+ for (String location : localAppBundleDirectory.get(appId)) {
+ localBundleAppDirectory.get(location).remove(appId);
+ }
+ violations.remove(appId);
+ states.remove(appId);
+ localAppBundleDirectory.remove(appId);
+ }
+
+ @Override
+ public boolean registerApplication(ApplicationId appId) {
+ Application app = applicationAdminService.getApplication(appId);
+ if (app == null) {
+ log.warn("Unknown application.");
+ return false;
+ }
+ localAppBundleDirectory.put(appId, getBundleLocations(app));
+ for (String location : localAppBundleDirectory.get(appId)) {
+ if (!localBundleAppDirectory.containsKey(location)) {
+ localBundleAppDirectory.put(location, new HashSet<>());
+ }
+ if (!localBundleAppDirectory.get(location).contains(appId)) {
+ localBundleAppDirectory.get(location).add(appId);
+ }
+ }
+ states.put(appId, new SecurityInfo(Sets.newHashSet(), INSTALLED));
+ return true;
+ }
+
+ @Override
+ public void unregisterApplication(ApplicationId appId) {
+ if (localAppBundleDirectory.containsKey(appId)) {
+ for (String location : localAppBundleDirectory.get(appId)) {
+ if (localBundleAppDirectory.get(location).size() == 1) {
+ localBundleAppDirectory.remove(location);
+ } else {
+ localBundleAppDirectory.get(location).remove(appId);
+ }
+ }
+ localAppBundleDirectory.remove(appId);
+ }
+ }
+
+ @Override
+ public SecurityModeState getState(ApplicationId appId) {
+ return states.asJavaMap().getOrDefault(appId, new SecurityInfo(null, null)).getState();
+ }
+
+ private Set<String> getBundleLocations(Application app) {
+ Set<String> locations = new HashSet<>();
+ for (String name : app.features()) {
+ try {
+ Feature feature = featuresService.getFeature(name);
+ locations.addAll(
+ feature.getBundles().stream().map(BundleInfo::getLocation).collect(Collectors.toList()));
+ } catch (Exception e) {
+ return locations;
+ }
+ }
+ return locations;
+ }
+
+ @Override
+ public void setDelegate(SecurityModeStoreDelegate delegate) {
+ super.setDelegate(delegate);
+ }
+
+ @Override
+ public void unsetDelegate(SecurityModeStoreDelegate delegate) {
+ super.setDelegate(delegate);
+ }
+} \ No newline at end of file
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java
new file mode 100644
index 00000000..4dcb7dae
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.security.Permission;
+
+import java.util.Set;
+
+/**
+ * Security-Mode ONOS security policy and state representation for distributed store.
+ */
+public class SecurityInfo {
+
+ protected Set<Permission> grantedPermissions;
+ protected SecurityModeState state;
+
+ public SecurityInfo(Set<Permission> perms, SecurityModeState state) {
+ this.grantedPermissions = perms;
+ this.state = state;
+ }
+ public Set<Permission> getPermissions() {
+ return grantedPermissions;
+ }
+ public SecurityModeState getState() {
+ return state;
+ }
+}
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java
new file mode 100644
index 00000000..59da67b5
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.event.AbstractEvent;
+
+/**
+ * Security-Mode ONOS notifications.
+ */
+public class SecurityModeEvent extends AbstractEvent<SecurityModeEvent.Type, ApplicationId> {
+
+ protected SecurityModeEvent(Type type, ApplicationId subject) {
+ super(type, subject);
+ }
+
+ public enum Type {
+
+ /**
+ * Signifies that security policy has been accepted.
+ */
+ POLICY_ACCEPTED,
+
+ /**
+ * Signifies that security policy has been reviewed.
+ */
+ POLICY_REVIEWED,
+
+ /**
+ * Signifies that application has violated security policy.
+ */
+ POLICY_VIOLATED,
+ }
+}
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java
new file mode 100644
index 00000000..2745e0c0
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.event.EventListener;
+
+/**
+ * Security-Mode ONOS event listener.
+ */
+public interface SecurityModeListener extends EventListener<SecurityModeEvent> {
+}
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java
new file mode 100644
index 00000000..999c5f9f
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+/**
+ * Representation of Security-Mode ONOS application review state.
+ */
+public enum SecurityModeState {
+
+ /**
+ * Indicates that operator has accepted application security policy.
+ */
+ SECURED,
+
+ /**
+ * Indicates that application security policy has been reviewed.
+ */
+ REVIEWED,
+
+ /**
+ * Indicates that application has been installed.
+ */
+ INSTALLED,
+
+ /**
+ * Indicates that application has violated security policy.
+ */
+ POLICY_VIOLATED,
+}
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java
new file mode 100644
index 00000000..7e6b6533
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.Permission;
+import org.onosproject.store.Store;
+
+import java.util.Set;
+
+/**
+ * Security-Mode ONOS distributed store service.
+ */
+public interface SecurityModeStore extends Store<SecurityModeEvent, SecurityModeStoreDelegate> {
+
+ /**
+ * Updates the local bundle-application directories.
+ * @param appId application identifier
+ * @return true if successfully registered.
+ */
+ boolean registerApplication(ApplicationId appId);
+
+ /**
+ * Removes application info from the local bundle-application directories.
+ * @param appId application identifier
+ */
+ void unregisterApplication(ApplicationId appId);
+
+ /**
+ * Returns state of the specified application.
+ * @param appId application identifier
+ * @return Security-Mode State of application
+ */
+ SecurityModeState getState(ApplicationId appId);
+
+ /**
+ * Returns bundle locations of specified application.
+ * @param appId application identifier
+ * @return set of bundle location strings
+ */
+ Set<String> getBundleLocations(ApplicationId appId);
+
+ /**
+ * Returns application identifiers that are associated with given bundle location.
+ * @param location OSGi bundle location
+ * @return set of application identifiers
+ */
+ Set<ApplicationId> getApplicationIds(String location);
+
+ /**
+ * Returns a list of permissions that have been requested by given application.
+ * @param appId application identifier
+ * @return list of permissions
+ */
+ Set<Permission> getRequestedPermissions(ApplicationId appId);
+
+ /**
+ * Returns an array of permissions that have been granted to given application.
+ * @param appId application identifier
+ * @return array of permissionInfo
+ */
+ Set<Permission> getGrantedPermissions(ApplicationId appId);
+
+ /**
+ * Request permission that is required to run given application.
+ * @param appId application identifier
+ * @param permission permission
+ */
+ void requestPermission(ApplicationId appId, Permission permission);
+
+ /**
+ * Returns true if given application has been secured.
+ * @param appId application identifier
+ * @return true indicates secured
+ */
+ boolean isSecured(ApplicationId appId);
+
+ /**
+ * Notifies SM-ONOS that operator has reviewed the policy.
+ * @param appId application identifier
+ */
+ void reviewPolicy(ApplicationId appId);
+
+ /**
+ * Accept the current security policy of given application.
+ * @param appId application identifier
+ * @param permissionSet array of PermissionInfo
+ */
+ void acceptPolicy(ApplicationId appId, Set<Permission> permissionSet);
+} \ No newline at end of file
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java
new file mode 100644
index 00000000..d933a148
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.store.StoreDelegate;
+
+/**
+ * Security-Mode distributed store delegate abstraction.
+ */
+public interface SecurityModeStoreDelegate extends StoreDelegate<SecurityModeEvent> {
+}