aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/onos/apps/aaa
diff options
context:
space:
mode:
Diffstat (limited to 'framework/src/onos/apps/aaa')
-rw-r--r--framework/src/onos/apps/aaa/app.xml24
-rw-r--r--framework/src/onos/apps/aaa/features.xml26
-rw-r--r--framework/src/onos/apps/aaa/pom.xml93
-rw-r--r--framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/AAA.java616
-rw-r--r--framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/StateMachine.java500
-rw-r--r--framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/package-info.java20
-rw-r--r--framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/AAATest.java43
-rw-r--r--framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/StateMachineTest.java270
8 files changed, 1592 insertions, 0 deletions
diff --git a/framework/src/onos/apps/aaa/app.xml b/framework/src/onos/apps/aaa/app.xml
new file mode 100644
index 00000000..167a4192
--- /dev/null
+++ b/framework/src/onos/apps/aaa/app.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Copyright 2015 Open Networking Laboratory
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+<app name="org.onosproject.aaa" origin="ATT" version="${project.version}"
+ featuresRepo="mvn:${project.groupId}/${project.artifactId}/${project.version}/xml/features"
+ features="${project.artifactId}">
+ <description>${project.description}</description>
+ <artifact>mvn:${project.groupId}/${project.artifactId}/${project.version}</artifact>
+ <artifact>mvn:${project.groupId}/onos-app-xos-integration/${project.version}</artifact>
+ <bundle>mvn:com.sun.jersey/jersey-client/1.19</bundle>
+</app>
diff --git a/framework/src/onos/apps/aaa/features.xml b/framework/src/onos/apps/aaa/features.xml
new file mode 100644
index 00000000..3825ec5c
--- /dev/null
+++ b/framework/src/onos/apps/aaa/features.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ ~ Copyright 2015 Open Networking Laboratory
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+<features xmlns="http://karaf.apache.org/xmlns/features/v1.2.0" name="${project.artifactId}-${project.version}">
+ <repository>mvn:${project.groupId}/${project.artifactId}/${project.version}/xml/features</repository>
+ <feature name="${project.artifactId}" version="${project.version}"
+ description="${project.description}">
+ <feature>onos-api</feature>
+ <bundle>mvn:com.sun.jersey/jersey-client/1.19</bundle>
+ <bundle>mvn:${project.groupId}/${project.artifactId}/${project.version}</bundle>
+ <bundle>mvn:${project.groupId}/onos-app-xos-integration/${project.version}</bundle>
+ </feature>
+</features>
diff --git a/framework/src/onos/apps/aaa/pom.xml b/framework/src/onos/apps/aaa/pom.xml
new file mode 100644
index 00000000..6f850750
--- /dev/null
+++ b/framework/src/onos/apps/aaa/pom.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Copyright 2014 Open Networking Laboratory
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+
+ <parent>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onos-apps</artifactId>
+ <version>1.3.0-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+
+ <artifactId>onos-app-aaa</artifactId>
+ <packaging>bundle</packaging>
+
+ <description>ONOS authentication application</description>
+
+ <properties>
+ <onos.app.name>org.onosproject.aaa</onos.app.name>
+ </properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.compendium</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onlab-junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onos-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onlab-osgi</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>org.apache.felix.scr.annotations</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onos-app-xos-integration</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-bundle-plugin</artifactId>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-scr-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.onosproject</groupId>
+ <artifactId>onos-maven-plugin</artifactId>
+ </plugin>
+ </plugins>
+ </build>
+</project>
diff --git a/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/AAA.java b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/AAA.java
new file mode 100644
index 00000000..7e3de885
--- /dev/null
+++ b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/AAA.java
@@ -0,0 +1,616 @@
+/*
+ * Copyright 2015 AT&T Foundry
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onosproject.aaa;
+
+import com.google.common.base.Strings;
+import com.google.common.collect.Maps;
+import org.apache.felix.scr.annotations.Activate;
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Deactivate;
+import org.apache.felix.scr.annotations.Modified;
+import org.apache.felix.scr.annotations.Property;
+import org.apache.felix.scr.annotations.Reference;
+import org.apache.felix.scr.annotations.ReferenceCardinality;
+import org.onlab.packet.DeserializationException;
+import org.onlab.packet.EAP;
+import org.onlab.packet.EAPOL;
+import org.onlab.packet.EthType;
+import org.onlab.packet.Ethernet;
+import org.onlab.packet.IPv4;
+import org.onlab.packet.Ip4Address;
+import org.onlab.packet.IpAddress;
+import org.onlab.packet.MacAddress;
+import org.onlab.packet.RADIUS;
+import org.onlab.packet.RADIUSAttribute;
+import org.onlab.packet.TpPort;
+import org.onlab.packet.UDP;
+import org.onlab.packet.VlanId;
+import org.onlab.util.Tools;
+import org.onosproject.cfg.ComponentConfigService;
+import org.onosproject.core.ApplicationId;
+import org.onosproject.core.CoreService;
+import org.onosproject.net.ConnectPoint;
+import org.onosproject.net.DeviceId;
+import org.onosproject.net.Host;
+import org.onosproject.net.PortNumber;
+import org.onosproject.net.flow.DefaultTrafficSelector;
+import org.onosproject.net.flow.DefaultTrafficTreatment;
+import org.onosproject.net.flow.TrafficSelector;
+import org.onosproject.net.flow.TrafficTreatment;
+import org.onosproject.net.host.HostService;
+import org.onosproject.net.packet.DefaultOutboundPacket;
+import org.onosproject.net.packet.InboundPacket;
+import org.onosproject.net.packet.OutboundPacket;
+import org.onosproject.net.packet.PacketContext;
+import org.onosproject.net.packet.PacketProcessor;
+import org.onosproject.net.packet.PacketService;
+import org.onosproject.xosintegration.VoltTenantService;
+import org.osgi.service.component.ComponentContext;
+import org.slf4j.Logger;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.util.Collections;
+import java.util.Dictionary;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+import static org.onosproject.net.packet.PacketPriority.CONTROL;
+import static org.slf4j.LoggerFactory.getLogger;
+
+
+/**
+ * AAA application for ONOS.
+ */
+@Component(immediate = true)
+public class AAA {
+ // a list of our dependencies :
+ // to register with ONOS as an application - described next
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected CoreService coreService;
+
+ // to receive Packet-in events that we'll respond to
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected PacketService packetService;
+
+ // end host information
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected HostService hostService;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected VoltTenantService voltTenantService;
+
+ // for verbose output
+ private final Logger log = getLogger(getClass());
+
+ // our application-specific event handler
+ private ReactivePacketProcessor processor = new ReactivePacketProcessor();
+
+ // our unique identifier
+ private ApplicationId appId;
+
+ // Map of state machines. Each state machine is represented by an
+ // unique identifier on the switch: dpid + port number
+ Map stateMachineMap = null;
+
+ // RADIUS server IP address
+ private static final String DEFAULT_RADIUS_IP = "192.168.1.10";
+ // NAS IP address
+ private static final String DEFAULT_NAS_IP = "192.168.1.11";
+ // RADIUS uplink port
+ private static final int DEFAULT_RADIUS_UPLINK = 2;
+ // RADIUS server shared secret
+ private static final String DEFAULT_RADIUS_SECRET = "ONOSecret";
+ // RADIUS MAC address
+ private static final String RADIUS_MAC_ADDRESS = "00:00:00:00:01:10";
+ // NAS MAC address
+ private static final String NAS_MAC_ADDRESS = "00:00:00:00:10:01";
+ // Radius Switch Id
+ private static final String DEFAULT_RADIUS_SWITCH = "of:90e2ba82f97791e9";
+ // Radius Port Number
+ private static final String DEFAULT_RADIUS_PORT = "129";
+
+ @Property(name = "radiusIpAddress", value = DEFAULT_RADIUS_IP,
+ label = "RADIUS IP Address")
+ private String radiusIpAddress = DEFAULT_RADIUS_IP;
+
+ @Property(name = "nasIpAddress", value = DEFAULT_NAS_IP,
+ label = "NAS IP Address")
+ private String nasIpAddress = DEFAULT_NAS_IP;
+
+ @Property(name = "radiusMacAddress", value = RADIUS_MAC_ADDRESS,
+ label = "RADIUS MAC Address")
+ private String radiusMacAddress = RADIUS_MAC_ADDRESS;
+
+ @Property(name = "nasMacAddress", value = NAS_MAC_ADDRESS,
+ label = "NAS MAC Address")
+ private String nasMacAddress = NAS_MAC_ADDRESS;
+
+ @Property(name = "radiusSecret", value = DEFAULT_RADIUS_SECRET,
+ label = "RADIUS shared secret")
+ private String radiusSecret = DEFAULT_RADIUS_SECRET;
+
+ @Property(name = "radiusSwitchId", value = DEFAULT_RADIUS_SWITCH,
+ label = "Radius switch")
+ private String radiusSwitch = DEFAULT_RADIUS_SWITCH;
+
+ @Property(name = "radiusPortNumber", value = DEFAULT_RADIUS_PORT,
+ label = "Radius port")
+ private String radiusPort = DEFAULT_RADIUS_PORT;
+
+ // Parsed RADIUS server IP address
+ protected InetAddress parsedRadiusIpAddress;
+
+ // Parsed NAS IP address
+ protected InetAddress parsedNasIpAddress;
+
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected ComponentConfigService cfgService;
+
+ @Modified
+ public void modified(ComponentContext context) {
+ Dictionary<?, ?> properties = context.getProperties();
+
+ String s = Tools.get(properties, "radiusIpAddress");
+ try {
+ parsedRadiusIpAddress = InetAddress.getByName(s);
+ radiusIpAddress = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_IP : s;
+ } catch (UnknownHostException e) {
+ log.error("Invalid RADIUS IP address specification: {}", s);
+ }
+ try {
+ s = Tools.get(properties, "nasIpAddress");
+ parsedNasIpAddress = InetAddress.getByName(s);
+ nasIpAddress = Strings.isNullOrEmpty(s) ? DEFAULT_NAS_IP : s;
+ } catch (UnknownHostException e) {
+ log.error("Invalid NAS IP address specification: {}", s);
+ }
+
+ s = Tools.get(properties, "radiusMacAddress");
+ radiusMacAddress = Strings.isNullOrEmpty(s) ? RADIUS_MAC_ADDRESS : s;
+
+ s = Tools.get(properties, "nasMacAddress");
+ nasMacAddress = Strings.isNullOrEmpty(s) ? NAS_MAC_ADDRESS : s;
+
+ s = Tools.get(properties, "radiusSecret");
+ radiusSecret = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_SECRET : s;
+
+ s = Tools.get(properties, "radiusSwitchId");
+ radiusSwitch = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_SWITCH : s;
+
+ s = Tools.get(properties, "radiusPortNumber");
+ radiusPort = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_PORT : s;
+ }
+
+ @Activate
+ public void activate(ComponentContext context) {
+ cfgService.registerProperties(getClass());
+ modified(context);
+ // "org.onosproject.aaa" is the FQDN of our app
+ appId = coreService.registerApplication("org.onosproject.aaa");
+ // register our event handler
+ packetService.addProcessor(processor, PacketProcessor.director(2));
+ requestIntercepts();
+ // Instantiate the map of the state machines
+ stateMachineMap = Collections.synchronizedMap(Maps.newHashMap());
+
+ hostService.startMonitoringIp(IpAddress.valueOf(radiusIpAddress));
+
+ }
+
+ @Deactivate
+ public void deactivate() {
+ cfgService.unregisterProperties(getClass(), false);
+
+ appId = coreService.registerApplication("org.onosproject.aaa");
+ withdrawIntercepts();
+ // de-register and null our handler
+ packetService.removeProcessor(processor);
+ processor = null;
+ }
+
+ /**
+ * Request packet in via PacketService.
+ */
+ private void requestIntercepts() {
+ TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
+ selector.matchEthType(EthType.EtherType.EAPOL.ethType().toShort());
+ packetService.requestPackets(selector.build(),
+ CONTROL, appId);
+
+ TrafficSelector radSelector = DefaultTrafficSelector.builder()
+ .matchEthType(EthType.EtherType.IPV4.ethType().toShort())
+ .matchIPProtocol(IPv4.PROTOCOL_UDP)
+ .matchUdpDst(TpPort.tpPort(1812))
+ .matchUdpSrc(TpPort.tpPort(1812))
+ .build();
+ packetService.requestPackets(radSelector, CONTROL, appId);
+ }
+
+ /**
+ * Cancel request for packet in via PacketService.
+ */
+ private void withdrawIntercepts() {
+ TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
+ selector.matchEthType(EthType.EtherType.EAPOL.ethType().toShort());
+ packetService.cancelPackets(selector.build(), CONTROL, appId);
+
+ TrafficSelector radSelector = DefaultTrafficSelector.builder()
+ .matchEthType(EthType.EtherType.IPV4.ethType().toShort())
+ .matchIPProtocol(IPv4.PROTOCOL_UDP)
+ .matchUdpDst(TpPort.tpPort(1812))
+ .matchUdpSrc(TpPort.tpPort(1812))
+ .build();
+ packetService.cancelPackets(radSelector, CONTROL, appId);
+ }
+
+ /**
+ * Builds an EAPOL packet based on the given parameters.
+ *
+ * @param dstMac destination MAC address
+ * @param srcMac source MAC address
+ * @param vlan vlan identifier
+ * @param eapolType EAPOL type
+ * @param eap EAP payload
+ * @return Ethernet frame
+ */
+ private static Ethernet buildEapolResponse(MacAddress dstMac, MacAddress srcMac,
+ short vlan, byte eapolType, EAP eap) {
+
+ Ethernet eth = new Ethernet();
+ eth.setDestinationMACAddress(dstMac.toBytes());
+ eth.setSourceMACAddress(srcMac.toBytes());
+ eth.setEtherType(EthType.EtherType.EAPOL.ethType().toShort());
+ if (vlan != Ethernet.VLAN_UNTAGGED) {
+ eth.setVlanID(vlan);
+ }
+ //eapol header
+ EAPOL eapol = new EAPOL();
+ eapol.setEapolType(eapolType);
+ eapol.setPacketLength(eap.getLength());
+
+ //eap part
+ eapol.setPayload(eap);
+
+ eth.setPayload(eapol);
+ eth.setPad(true);
+ return eth;
+ }
+
+ // our handler defined as a private inner class
+
+ /**
+ * Packet processor responsible for forwarding packets along their paths.
+ */
+ private class ReactivePacketProcessor implements PacketProcessor {
+ @Override
+ public void process(PacketContext context) {
+
+ // Extract the original Ethernet frame from the packet information
+ InboundPacket pkt = context.inPacket();
+ Ethernet ethPkt = pkt.parsed();
+ if (ethPkt == null) {
+ return;
+ }
+ // identify if incoming packet comes from supplicant (EAP) or RADIUS
+ switch (EthType.EtherType.lookup(ethPkt.getEtherType())) {
+ case EAPOL:
+ handleSupplicantPacket(context.inPacket());
+ break;
+ case IPV4:
+ IPv4 ipv4Packet = (IPv4) ethPkt.getPayload();
+ Ip4Address srcIp = Ip4Address.valueOf(ipv4Packet.getSourceAddress());
+ Ip4Address radiusIp4Address = Ip4Address.valueOf(parsedRadiusIpAddress);
+ if (srcIp.equals(radiusIp4Address) && ipv4Packet.getProtocol() == IPv4.PROTOCOL_UDP) {
+ // TODO: check for port as well when it's configurable
+ UDP udpPacket = (UDP) ipv4Packet.getPayload();
+
+ byte[] datagram = udpPacket.getPayload().serialize();
+ RADIUS radiusPacket;
+ try {
+ radiusPacket = RADIUS.deserializer().deserialize(datagram, 0, datagram.length);
+ } catch (DeserializationException e) {
+ log.warn("Unable to deserialize RADIUS packet:", e);
+ return;
+ }
+ handleRadiusPacket(radiusPacket);
+ }
+ break;
+ default:
+ return;
+ }
+ }
+
+
+ /**
+ * Handles PAE packets (supplicant).
+ *
+ * @param inPacket Ethernet packet coming from the supplicant
+ */
+ private void handleSupplicantPacket(InboundPacket inPacket) {
+ Ethernet ethPkt = inPacket.parsed();
+ // Where does it come from?
+ MacAddress srcMAC = ethPkt.getSourceMAC();
+
+ DeviceId deviceId = inPacket.receivedFrom().deviceId();
+ PortNumber portNumber = inPacket.receivedFrom().port();
+ String sessionId = deviceId.toString() + portNumber.toString();
+ StateMachine stateMachine = getStateMachine(sessionId);
+
+ EAPOL eapol = (EAPOL) ethPkt.getPayload();
+
+ switch (eapol.getEapolType()) {
+ case EAPOL.EAPOL_START:
+ try {
+ stateMachine.start();
+ stateMachine.supplicantConnectpoint = inPacket.receivedFrom();
+
+ //send an EAP Request/Identify to the supplicant
+ EAP eapPayload = new EAP(EAP.REQUEST, stateMachine.getIdentifier(), EAP.ATTR_IDENTITY, null);
+ Ethernet eth = buildEapolResponse(srcMAC, MacAddress.valueOf(1L),
+ ethPkt.getVlanID(), EAPOL.EAPOL_PACKET,
+ eapPayload);
+ stateMachine.supplicantAddress = srcMAC;
+ stateMachine.vlanId = ethPkt.getVlanID();
+
+ this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint);
+ } catch (StateMachineException e) {
+ e.printStackTrace();
+ }
+
+ break;
+ case EAPOL.EAPOL_PACKET:
+ //check if this is a Response/Identify or a Response/TLS
+ EAP eapPacket = (EAP) eapol.getPayload();
+
+ byte dataType = eapPacket.getDataType();
+ switch (dataType) {
+ case EAP.ATTR_IDENTITY:
+ try {
+ //request id access to RADIUS
+ RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST,
+ eapPacket.getIdentifier());
+ radiusPayload.setIdentifier(stateMachine.getIdentifier());
+ radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME,
+ eapPacket.getData());
+ stateMachine.setUsername(eapPacket.getData());
+ radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP,
+ AAA.this.parsedNasIpAddress.getAddress());
+
+ radiusPayload.encapsulateMessage(eapPacket);
+
+ // set Request Authenticator in StateMachine
+ stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode());
+ radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
+ sendRadiusMessage(radiusPayload);
+
+ //change the state to "PENDING"
+ stateMachine.requestAccess();
+ } catch (StateMachineException e) {
+ e.printStackTrace();
+ }
+ break;
+ case EAP.ATTR_MD5:
+ //verify if the EAP identifier corresponds to the challenge identifier from the client state
+ //machine.
+ if (eapPacket.getIdentifier() == stateMachine.getChallengeIdentifier()) {
+ //send the RADIUS challenge response
+ RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST,
+ eapPacket.getIdentifier());
+ radiusPayload.setIdentifier(stateMachine.getChallengeIdentifier());
+ radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME,
+ stateMachine.getUsername());
+ radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP,
+ AAA.this.parsedNasIpAddress.getAddress());
+
+ radiusPayload.encapsulateMessage(eapPacket);
+
+ radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
+ stateMachine.getChallengeState());
+ radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
+ sendRadiusMessage(radiusPayload);
+ }
+ break;
+ case EAP.ATTR_TLS:
+ try {
+ //request id access to RADIUS
+ RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST,
+ eapPacket.getIdentifier());
+ radiusPayload.setIdentifier(stateMachine.getIdentifier());
+ radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME,
+ stateMachine.getUsername());
+ radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP,
+ AAA.this.parsedNasIpAddress.getAddress());
+
+ radiusPayload.encapsulateMessage(eapPacket);
+
+ radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
+ stateMachine.getChallengeState());
+ stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode());
+
+ radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
+
+ sendRadiusMessage(radiusPayload);
+ // TODO: this gets called on every fragment, should only be called at TLS-Start
+ stateMachine.requestAccess();
+ } catch (StateMachineException e) {
+ e.printStackTrace();
+ }
+ break;
+ default:
+ return;
+ }
+ break;
+ default:
+ return;
+ }
+ }
+
+ /**
+ * Handles RADIUS packets.
+ *
+ * @param radiusPacket RADIUS packet coming from the RADIUS server.
+ */
+ private void handleRadiusPacket(RADIUS radiusPacket) {
+ StateMachine stateMachine = getStateMachineById(radiusPacket.getIdentifier());
+ if (stateMachine == null) {
+ log.error("Invalid session identifier, exiting...");
+ return;
+ }
+
+ EAP eapPayload = new EAP();
+ Ethernet eth = null;
+ switch (radiusPacket.getCode()) {
+ case RADIUS.RADIUS_CODE_ACCESS_CHALLENGE:
+ byte[] challengeState = radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_STATE).getValue();
+ eapPayload = radiusPacket.decapsulateMessage();
+ stateMachine.setChallengeInfo(eapPayload.getIdentifier(), challengeState);
+ eth = buildEapolResponse(stateMachine.supplicantAddress,
+ MacAddress.valueOf(1L), stateMachine.vlanId, EAPOL.EAPOL_PACKET,
+ eapPayload);
+ this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint);
+ break;
+ case RADIUS.RADIUS_CODE_ACCESS_ACCEPT:
+ try {
+ //send an EAPOL - Success to the supplicant.
+ byte[] eapMessage =
+ radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE).getValue();
+ eapPayload = new EAP();
+ eapPayload = (EAP) eapPayload.deserialize(eapMessage, 0, eapMessage.length);
+ eth = buildEapolResponse(stateMachine.supplicantAddress,
+ MacAddress.valueOf(1L), stateMachine.vlanId, EAPOL.EAPOL_PACKET,
+ eapPayload);
+ this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint);
+
+ stateMachine.authorizeAccess();
+ } catch (StateMachineException e) {
+ e.printStackTrace();
+ }
+ break;
+ case RADIUS.RADIUS_CODE_ACCESS_REJECT:
+ try {
+ stateMachine.denyAccess();
+ } catch (StateMachineException e) {
+ e.printStackTrace();
+ }
+ break;
+ default:
+ log.warn("Unknown RADIUS message received with code: {}", radiusPacket.getCode());
+ }
+ }
+
+ private StateMachine getStateMachineById(byte identifier) {
+ StateMachine stateMachine = null;
+ Set stateMachineSet = stateMachineMap.entrySet();
+
+ synchronized (stateMachineMap) {
+ Iterator itr = stateMachineSet.iterator();
+ while (itr.hasNext()) {
+ Map.Entry entry = (Map.Entry) itr.next();
+ stateMachine = (StateMachine) entry.getValue();
+ if (identifier == stateMachine.getIdentifier()) {
+ //the state machine has already been created for this session session
+ stateMachine = (StateMachine) entry.getValue();
+ break;
+ }
+ }
+ }
+
+ return stateMachine;
+ }
+
+ private StateMachine getStateMachine(String sessionId) {
+ StateMachine stateMachine = null;
+ Set stateMachineSet = stateMachineMap.entrySet();
+
+ synchronized (stateMachineMap) {
+ Iterator itr = stateMachineSet.iterator();
+ while (itr.hasNext()) {
+
+ Map.Entry entry = (Map.Entry) itr.next();
+ if (sessionId.equals(entry.getKey())) {
+ //the state machine has already been created for this session session
+ stateMachine = (StateMachine) entry.getValue();
+ break;
+ }
+ }
+ }
+
+ if (stateMachine == null) {
+ stateMachine = new StateMachine(sessionId, voltTenantService);
+ stateMachineMap.put(sessionId, stateMachine);
+ }
+
+ return stateMachine;
+ }
+
+ private void sendRadiusMessage(RADIUS radiusMessage) {
+ Set<Host> hosts = hostService.getHostsByIp(IpAddress.valueOf(radiusIpAddress));
+ Optional<Host> odst = hosts.stream().filter(h -> h.vlan().toShort() == VlanId.UNTAGGED).findFirst();
+
+ Host dst;
+ if (!odst.isPresent()) {
+ log.info("Radius server {} is not present", radiusIpAddress);
+ return;
+ } else {
+ dst = odst.get();
+ }
+
+ UDP udp = new UDP();
+ IPv4 ip4Packet = new IPv4();
+ Ethernet ethPkt = new Ethernet();
+ radiusMessage.setParent(udp);
+ udp.setDestinationPort((short) 1812);
+ udp.setSourcePort((short) 1812); // TODO: make this configurable
+ udp.setPayload(radiusMessage);
+ udp.setParent(ip4Packet);
+ ip4Packet.setSourceAddress(AAA.this.nasIpAddress);
+ ip4Packet.setDestinationAddress(AAA.this.radiusIpAddress);
+ ip4Packet.setProtocol(IPv4.PROTOCOL_UDP);
+ ip4Packet.setPayload(udp);
+ ip4Packet.setParent(ethPkt);
+ ethPkt.setDestinationMACAddress(radiusMacAddress);
+ ethPkt.setSourceMACAddress(nasMacAddress);
+ ethPkt.setEtherType(Ethernet.TYPE_IPV4);
+ ethPkt.setPayload(ip4Packet);
+
+ TrafficTreatment treatment = DefaultTrafficTreatment.builder()
+ .setOutput(PortNumber.portNumber(Integer.parseInt(radiusPort))).build();
+ OutboundPacket packet = new DefaultOutboundPacket(DeviceId.deviceId(radiusSwitch),
+ treatment, ByteBuffer.wrap(ethPkt.serialize()));
+ packetService.emit(packet);
+
+ }
+
+ /**
+ * Send the ethernet packet to the supplicant.
+ *
+ * @param ethernetPkt the ethernet packet
+ * @param connectPoint the connect point to send out
+ */
+ private void sendPacketToSupplicant(Ethernet ethernetPkt, ConnectPoint connectPoint) {
+ TrafficTreatment treatment = DefaultTrafficTreatment.builder().setOutput(connectPoint.port()).build();
+ OutboundPacket packet = new DefaultOutboundPacket(connectPoint.deviceId(),
+ treatment, ByteBuffer.wrap(ethernetPkt.serialize()));
+ packetService.emit(packet);
+ }
+
+ }
+
+}
diff --git a/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/StateMachine.java b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/StateMachine.java
new file mode 100644
index 00000000..60959ada
--- /dev/null
+++ b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/StateMachine.java
@@ -0,0 +1,500 @@
+/*
+ *
+ * Copyright 2015 AT&T Foundry
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onosproject.aaa;
+
+import org.onlab.packet.MacAddress;
+import org.onosproject.net.ConnectPoint;
+import org.onosproject.xosintegration.VoltTenant;
+import org.onosproject.xosintegration.VoltTenantService;
+import org.slf4j.Logger;
+
+import java.util.BitSet;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+/**
+ * AAA Finite State Machine.
+ */
+
+class StateMachine {
+ //INDEX to identify the state in the transition table
+ static final int STATE_IDLE = 0;
+ static final int STATE_STARTED = 1;
+ static final int STATE_PENDING = 2;
+ static final int STATE_AUTHORIZED = 3;
+ static final int STATE_UNAUTHORIZED = 4;
+
+ //INDEX to identify the transition in the transition table
+ static final int TRANSITION_START = 0; // --> started
+ static final int TRANSITION_REQUEST_ACCESS = 1;
+ static final int TRANSITION_AUTHORIZE_ACCESS = 2;
+ static final int TRANSITION_DENY_ACCESS = 3;
+ static final int TRANSITION_LOGOFF = 4;
+
+ //map of access identifiers (issued at EAPOL START)
+ static BitSet bitSet = new BitSet();
+ private final VoltTenantService voltService;
+
+ private int identifier = -1;
+ private byte challengeIdentifier;
+ private byte[] challengeState;
+ private byte[] username;
+ private byte[] requestAuthenticator;
+
+ // Supplicant connectivity info
+ protected ConnectPoint supplicantConnectpoint;
+ protected MacAddress supplicantAddress;
+ protected short vlanId;
+
+ private String sessionId = null;
+
+ private final Logger log = getLogger(getClass());
+
+
+ private State[] states = {
+ new Idle(), new Started(), new Pending(), new Authorized(), new Unauthorized()
+ };
+
+
+ //State transition table
+ /*
+
+ state IDLE | STARTED | PENDING | AUTHORIZED | UNAUTHORIZED
+ ////
+ input
+ ----------------------------------------------------------------------------------------------------
+
+ START STARTED | _ | _ | _ | _
+
+ REQUEST_ACCESS _ | PENDING | _ | _ | _
+
+ AUTHORIZE_ACCESS _ | _ | AUTHORIZED | _ | _
+
+ DENY_ACCESS _ | - | UNAUTHORIZED | _ | _
+
+ LOGOFF _ | _ | _ | IDLE | IDLE
+ */
+
+ private int[] idleTransition =
+ {STATE_STARTED, STATE_IDLE, STATE_IDLE, STATE_IDLE, STATE_IDLE};
+ private int[] startedTransition =
+ {STATE_STARTED, STATE_PENDING, STATE_STARTED, STATE_STARTED, STATE_STARTED};
+ private int[] pendingTransition =
+ {STATE_PENDING, STATE_PENDING, STATE_AUTHORIZED, STATE_UNAUTHORIZED, STATE_PENDING};
+ private int[] authorizedTransition =
+ {STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_IDLE};
+ private int[] unauthorizedTransition =
+ {STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_IDLE};
+
+ //THE TRANSITION TABLE
+ private int[][] transition =
+ {idleTransition, startedTransition, pendingTransition, authorizedTransition,
+ unauthorizedTransition};
+
+ private int currentState = STATE_IDLE;
+
+
+ /**
+ * State Machine Constructor.
+ *
+ * @param sessionId session Id represented by the switch dpid + port number
+ * @param voltService volt service reference
+ */
+ public StateMachine(String sessionId, VoltTenantService voltService) {
+ log.info("Creating a new state machine for {}", sessionId);
+ this.sessionId = sessionId;
+ this.voltService = voltService;
+
+ }
+
+ /**
+ * Get the client id that is requesting for access.
+ *
+ * @return The client id.
+ */
+ public String getSessionId() {
+ return this.sessionId;
+ }
+
+ /**
+ * Create the identifier for the state machine (happens when goes to STARTED state).
+ */
+ private void createIdentifier() throws StateMachineException {
+ log.debug("Creating Identifier.");
+ int index = -1;
+
+ try {
+ //find the first available spot for identifier assignment
+ index = StateMachine.bitSet.nextClearBit(0);
+
+ //there is a limit of 256 identifiers
+ if (index == 256) {
+ throw new StateMachineException("Cannot handle any new identifier. Limit is 256.");
+ }
+ } catch (IndexOutOfBoundsException e) {
+ throw new StateMachineException(e.getMessage());
+ }
+
+ log.info("Assigning identifier {}", index);
+ StateMachine.bitSet.set(index);
+ this.identifier = index;
+ }
+
+ /**
+ * Set the challenge identifier and the state issued by the RADIUS.
+ *
+ * @param challengeIdentifier The challenge identifier set into the EAP packet from the RADIUS message.
+ * @param challengeState The challenge state from the RADIUS.
+ */
+ protected void setChallengeInfo(byte challengeIdentifier, byte[] challengeState) {
+ this.challengeIdentifier = challengeIdentifier;
+ this.challengeState = challengeState;
+ }
+
+ /**
+ * Set the challenge identifier issued by the RADIUS on the access challenge request.
+ *
+ * @param challengeIdentifier The challenge identifier set into the EAP packet from the RADIUS message.
+ */
+ protected void setChallengeIdentifier(byte challengeIdentifier) {
+ log.info("Set Challenge Identifier to {}", challengeIdentifier);
+ this.challengeIdentifier = challengeIdentifier;
+ }
+
+ /**
+ * Get the challenge EAP identifier set by the RADIUS.
+ *
+ * @return The challenge EAP identifier.
+ */
+ protected byte getChallengeIdentifier() {
+ return this.challengeIdentifier;
+ }
+
+
+ /**
+ * Set the challenge state info issued by the RADIUS.
+ *
+ * @param challengeState The challenge state from the RADIUS.
+ */
+ protected void setChallengeState(byte[] challengeState) {
+ log.info("Set Challenge State");
+ this.challengeState = challengeState;
+ }
+
+ /**
+ * Get the challenge state set by the RADIUS.
+ *
+ * @return The challenge state.
+ */
+ protected byte[] getChallengeState() {
+ return this.challengeState;
+ }
+
+ /**
+ * Set the username.
+ *
+ * @param username The username sent to the RADIUS upon access request.
+ */
+ protected void setUsername(byte[] username) {
+ this.username = username;
+ }
+
+
+ /**
+ * Get the username.
+ *
+ * @return The requestAuthenticator.
+ */
+ protected byte[] getReqeustAuthenticator() {
+ return this.requestAuthenticator;
+ }
+
+ /**
+ * Set the username.
+ *
+ * @param authenticator The username sent to the RADIUS upon access request.
+ */
+ protected void setRequestAuthenticator(byte[] authenticator) {
+ this.requestAuthenticator = authenticator;
+ }
+
+
+ /**
+ * Get the username.
+ *
+ * @return The username.
+ */
+ protected byte[] getUsername() {
+ return this.username;
+ }
+
+ /**
+ * Return the identifier of the state machine.
+ *
+ * @return The state machine identifier.
+ */
+ public byte getIdentifier() {
+ return (byte) this.identifier;
+ }
+
+
+ protected void deleteIdentifier() {
+ if (this.identifier != -1) {
+ log.info("Freeing up " + this.identifier);
+ //this state machine should be deleted and free up the identifier
+ StateMachine.bitSet.clear(this.identifier);
+ this.identifier = -1;
+ }
+ }
+
+
+ /**
+ * Move to the next state.
+ *
+ * @param msg
+ */
+ private void next(int msg) {
+ currentState = transition[currentState][msg];
+ log.info("Current State " + currentState);
+ }
+
+ /**
+ * Client has requested the start action to allow network access.
+ *
+ * @throws StateMachineException if authentication protocol is violated
+ */
+ public void start() throws StateMachineException {
+ try {
+ states[currentState].start();
+ //move to the next state
+ next(TRANSITION_START);
+ createIdentifier();
+ } catch (StateMachineInvalidTransitionException e) {
+ e.printStackTrace();
+ }
+ }
+
+ /**
+ * An Identification information has been sent by the supplicant.
+ * Move to the next state if possible.
+ *
+ * @throws StateMachineException if authentication protocol is violated
+ */
+ public void requestAccess() throws StateMachineException {
+ try {
+ states[currentState].requestAccess();
+ //move to the next state
+ next(TRANSITION_REQUEST_ACCESS);
+ } catch (StateMachineInvalidTransitionException e) {
+ e.printStackTrace();
+ }
+ }
+
+ /**
+ * RADIUS has accepted the identification.
+ * Move to the next state if possible.
+ *
+ * @throws StateMachineException if authentication protocol is violated
+ */
+ public void authorizeAccess() throws StateMachineException {
+ try {
+ states[currentState].radiusAccepted();
+ //move to the next state
+ next(TRANSITION_AUTHORIZE_ACCESS);
+
+ if (voltService != null) {
+ voltService.addTenant(
+ VoltTenant.builder()
+ .withHumanReadableName("VCPE-" + this.identifier)
+ .withId(this.identifier)
+ .withProviderService(1)
+ .withServiceSpecificId(String.valueOf(this.identifier))
+ .withPort(this.supplicantConnectpoint)
+ .withVlanId(String.valueOf(this.vlanId)).build());
+ }
+
+ deleteIdentifier();
+ } catch (StateMachineInvalidTransitionException e) {
+ e.printStackTrace();
+ }
+
+ }
+
+ /**
+ * RADIUS has denied the identification.
+ * Move to the next state if possible.
+ *
+ * @throws StateMachineException if authentication protocol is violated
+ */
+ public void denyAccess() throws StateMachineException {
+ try {
+ states[currentState].radiusDenied();
+ //move to the next state
+ next(TRANSITION_DENY_ACCESS);
+ deleteIdentifier();
+ } catch (StateMachineInvalidTransitionException e) {
+ e.printStackTrace();
+ }
+ }
+
+ /**
+ * Logoff request has been requested.
+ * Move to the next state if possible.
+ *
+ * @throws StateMachineException if authentication protocol is violated
+ */
+ public void logoff() throws StateMachineException {
+ try {
+ states[currentState].logoff();
+ //move to the next state
+ next(TRANSITION_LOGOFF);
+ } catch (StateMachineInvalidTransitionException e) {
+ e.printStackTrace();
+ }
+ }
+
+ /**
+ * Get the current state.
+ *
+ * @return The current state. Could be STATE_IDLE, STATE_STARTED, STATE_PENDING, STATE_AUTHORIZED,
+ * STATE_UNAUTHORIZED.
+ */
+ public int getState() {
+ return currentState;
+ }
+
+
+ public String toString() {
+ return ("sessionId: " + this.sessionId) + "\t" + ("identifier: " + this.identifier) + "\t" +
+ ("state: " + this.currentState);
+ }
+}
+
+// FIXME: A source file should contain no more than one top-level entity!
+
+abstract class State {
+ private final Logger log = getLogger(getClass());
+
+ private String name = "State";
+
+ public void start() throws StateMachineInvalidTransitionException {
+ log.warn("START transition from this state is not allowed.");
+ }
+
+ public void requestAccess() throws StateMachineInvalidTransitionException {
+ log.warn("REQUEST ACCESS transition from this state is not allowed.");
+ }
+
+ public void radiusAccepted() throws StateMachineInvalidTransitionException {
+ log.warn("AUTHORIZE ACCESS transition from this state is not allowed.");
+ }
+
+ public void radiusDenied() throws StateMachineInvalidTransitionException {
+ log.warn("DENY ACCESS transition from this state is not allowed.");
+ }
+
+ public void logoff() throws StateMachineInvalidTransitionException {
+ log.warn("LOGOFF transition from this state is not allowed.");
+ }
+}
+
+/**
+ * Idle state: supplicant is logged of from the network.
+ */
+class Idle extends State {
+ private final Logger log = getLogger(getClass());
+ private String name = "IDLE_STATE";
+
+ public void start() {
+ log.info("Moving from IDLE state to STARTED state.");
+ }
+}
+
+/**
+ * Started state: supplicant has entered the network and informed the authenticator.
+ */
+class Started extends State {
+ private final Logger log = getLogger(getClass());
+ private String name = "STARTED_STATE";
+
+ public void requestAccess() {
+ log.info("Moving from STARTED state to PENDING state.");
+ }
+}
+
+/**
+ * Pending state: supplicant has been identified by the authenticator but has not access yet.
+ */
+class Pending extends State {
+ private final Logger log = getLogger(getClass());
+ private String name = "PENDING_STATE";
+
+ public void radiusAccepted() {
+ log.info("Moving from PENDING state to AUTHORIZED state.");
+ }
+
+ public void radiusDenied() {
+ log.info("Moving from PENDING state to UNAUTHORIZED state.");
+ }
+}
+
+/**
+ * Authorized state: supplicant port has been accepted, access is granted.
+ */
+class Authorized extends State {
+ private final Logger log = getLogger(getClass());
+ private String name = "AUTHORIZED_STATE";
+
+ public void logoff() {
+
+ log.info("Moving from AUTHORIZED state to IDLE state.");
+ }
+}
+
+/**
+ * Unauthorized state: supplicant port has been rejected, access is denied.
+ */
+class Unauthorized extends State {
+ private final Logger log = getLogger(getClass());
+ private String name = "UNAUTHORIZED_STATE";
+
+ public void logoff() {
+ log.info("Moving from UNAUTHORIZED state to IDLE state.");
+ }
+}
+
+
+/**
+ * Exception for the State Machine.
+ */
+class StateMachineException extends Exception {
+ public StateMachineException(String message) {
+ super(message);
+
+ }
+}
+
+/**
+ * Exception raised when the transition from one state to another is invalid.
+ */
+class StateMachineInvalidTransitionException extends StateMachineException {
+ public StateMachineInvalidTransitionException(String message) {
+ super(message);
+ }
+}
diff --git a/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/package-info.java b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/package-info.java
new file mode 100644
index 00000000..19c5a5d6
--- /dev/null
+++ b/framework/src/onos/apps/aaa/src/main/java/org/onosproject/aaa/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2014 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AAA implmentation.
+ */
+package org.onosproject.aaa;
diff --git a/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/AAATest.java b/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/AAATest.java
new file mode 100644
index 00000000..1b581ab1
--- /dev/null
+++ b/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/AAATest.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2014 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onosproject.aaa;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Set of tests of the ONOS application component.
+ */
+public class AAATest {
+
+ private AAA aaa;
+
+ @Before
+ public void setUp() {
+
+ }
+
+ @After
+ public void tearDown() {
+ }
+
+ @Test
+ public void basics() {
+
+ }
+
+}
diff --git a/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/StateMachineTest.java b/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/StateMachineTest.java
new file mode 100644
index 00000000..2fe44ab9
--- /dev/null
+++ b/framework/src/onos/apps/aaa/src/test/java/org/onosproject/aaa/StateMachineTest.java
@@ -0,0 +1,270 @@
+/*
+ *
+ * Copyright 2015 AT&T Foundry
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.onosproject.aaa;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+
+public class StateMachineTest {
+ StateMachine stateMachine = null;
+
+ @Before
+ public void setUp() {
+ System.out.println("Set Up.");
+ StateMachine.bitSet.clear();
+ stateMachine = new StateMachine("session0", null);
+ }
+
+ @After
+ public void tearDown() {
+ System.out.println("Tear Down.");
+ StateMachine.bitSet.clear();
+ stateMachine = null;
+ }
+
+ @Test
+ /**
+ * Test all the basic inputs from state to state: IDLE -> STARTED -> PENDING -> AUTHORIZED -> IDLE
+ */
+ public void basic() throws StateMachineException {
+ System.out.println("======= BASIC =======.");
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+ stateMachine.start();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+ stateMachine.requestAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+ stateMachine.authorizeAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+ stateMachine.logoff();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+ }
+
+ @Test
+ /**
+ * Test all inputs from an IDLE state (starting with the ones that are not impacting the current state)
+ */
+ public void testIdleState() throws StateMachineException {
+ System.out.println("======= IDLE STATE TEST =======.");
+ stateMachine.requestAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+ stateMachine.authorizeAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+ stateMachine.denyAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+ stateMachine.logoff();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+ stateMachine.start();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+ }
+
+ @Test
+ /**
+ * Test all inputs from an STARTED state (starting with the ones that are not impacting the current state)
+ */
+ public void testStartedState() throws StateMachineException {
+ System.out.println("======= STARTED STATE TEST =======.");
+ stateMachine.start();
+
+ stateMachine.authorizeAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+ stateMachine.denyAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+ stateMachine.logoff();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+ stateMachine.start();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+ stateMachine.requestAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+ }
+
+ @Test
+ /**
+ * Test all inputs from a PENDING state (starting with the ones that are not impacting the current state).
+ * The next valid state for this test is AUTHORIZED
+ */
+ public void testPendingStateToAuthorized() throws StateMachineException {
+ System.out.println("======= PENDING STATE TEST (AUTHORIZED) =======.");
+ stateMachine.start();
+ stateMachine.requestAccess();
+
+ stateMachine.logoff();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+ stateMachine.start();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+ stateMachine.requestAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+ stateMachine.authorizeAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+ stateMachine.denyAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+ }
+
+ @Test
+ /**
+ * Test all inputs from an PENDING state (starting with the ones that are not impacting the current state).
+ * The next valid state for this test is UNAUTHORIZED
+ */
+ public void testPendingStateToUnauthorized() throws StateMachineException {
+ System.out.println("======= PENDING STATE TEST (DENIED) =======.");
+ stateMachine.start();
+ stateMachine.requestAccess();
+
+ stateMachine.logoff();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+ stateMachine.start();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+ stateMachine.requestAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+ stateMachine.denyAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+ stateMachine.authorizeAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+ }
+
+ @Test
+ /**
+ * Test all inputs from an AUTHORIZED state (starting with the ones that are not impacting the current state).
+ */
+ public void testAuthorizedState() throws StateMachineException {
+ System.out.println("======= AUTHORIZED STATE TEST =======.");
+ stateMachine.start();
+ stateMachine.requestAccess();
+ stateMachine.authorizeAccess();
+
+ stateMachine.start();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+ stateMachine.requestAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+ stateMachine.authorizeAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+ stateMachine.denyAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+ stateMachine.logoff();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+ }
+
+ @Test
+ /**
+ * Test all inputs from an UNAUTHORIZED state (starting with the ones that are not impacting the current state).
+ */
+ public void testUnauthorizedState() throws StateMachineException {
+ System.out.println("======= UNAUTHORIZED STATE TEST =======.");
+ stateMachine.start();
+ stateMachine.requestAccess();
+ stateMachine.denyAccess();
+
+ stateMachine.start();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+ stateMachine.requestAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+ stateMachine.authorizeAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+ stateMachine.denyAccess();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+ stateMachine.logoff();
+ Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+ }
+
+
+ @Test
+ public void testIdentifierAvailability() throws StateMachineException {
+ System.out.println("======= IDENTIFIER TEST =======.");
+ byte identifier = stateMachine.getIdentifier();
+ System.out.println("State: " + stateMachine.getState());
+ System.out.println("Identifier: " + Byte.toUnsignedInt(identifier));
+ Assert.assertEquals(-1, identifier);
+ stateMachine.start();
+
+
+ StateMachine sm247 = null;
+ StateMachine sm3 = null;
+
+
+ //create 255 others state machines
+ for (int i = 1; i <= 255; i++) {
+ StateMachine sm = new StateMachine("session" + i, null);
+ sm.start();
+ byte id = sm.getIdentifier();
+ Assert.assertEquals(i, Byte.toUnsignedInt(id));
+ if (i == 3) {
+ sm3 = sm;
+ System.out.println("SM3: " + sm3.toString());
+ }
+ if (i == 247) {
+ sm247 = sm;
+ System.out.println("SM247: " + sm247.toString());
+ }
+ }
+
+ //simulate the state machine for a specific session and logoff so we can free up a spot for an identifier
+ //let's choose identifier 247 then we free up 3
+ sm247.requestAccess();
+ sm247.authorizeAccess();
+ sm247.logoff();
+ sm247 = null;
+
+ sm3.requestAccess();
+ sm3.authorizeAccess();
+ sm3.logoff();
+ sm3 = null;
+
+ StateMachine otherSM3 = new StateMachine("session3b", null);
+ otherSM3.start();
+ otherSM3.requestAccess();
+ byte id3 = otherSM3.getIdentifier();
+ Assert.assertEquals(3, Byte.toUnsignedInt(id3));
+
+ StateMachine otherSM247 = new StateMachine("session247b", null);
+ otherSM247.start();
+ otherSM247.requestAccess();
+ byte id247 = otherSM247.getIdentifier();
+ Assert.assertEquals(247, Byte.toUnsignedInt(id247));
+
+ }
+}