From 13d05bc8458758ee39cb829098241e89616717ee Mon Sep 17 00:00:00 2001 
From: Ashlee Young Date: Wed, 9 Sep 2015 22:15:21 -0700 Subject: ONOS checkin based on commit tag e796610b1f721d02f9b0e213cf6f7790c10ecd60 Change-Id: Ife8810491034fe7becdba75dda20de4267bd15cd --- framework/src/onos/core/security/pom.xml | 65 ++++ .../security/impl/DefaultPolicyBuilder.java | 433 +++++++++++++++++++++ .../security/impl/SecurityModeManager.java | 289 ++++++++++++++ .../onosproject/security/impl/package-info.java | 20 + .../store/DistributedSecurityModeStore.java | 315 +++++++++++++++ .../onosproject/security/store/SecurityInfo.java | 41 ++ .../security/store/SecurityModeEvent.java | 48 +++ .../security/store/SecurityModeListener.java | 25 ++ .../security/store/SecurityModeState.java | 43 ++ .../security/store/SecurityModeStore.java | 104 +++++ .../security/store/SecurityModeStoreDelegate.java | 25 ++ 11 files changed, 1408 insertions(+) create mode 100644 framework/src/onos/core/security/pom.xml create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/package-info.java create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java create mode 100644 
framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java create mode 100644 framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java (limited to 'framework/src/onos/core/security') diff --git a/framework/src/onos/core/security/pom.xml b/framework/src/onos/core/security/pom.xml new file mode 100644 index 00000000..67e74a1e --- /dev/null +++ b/framework/src/onos/core/security/pom.xml @@ -0,0 +1,65 @@ + + + 4.0.0 + + + onos-core + org.onosproject + 1.3.0-SNAPSHOT + ../pom.xml + + + onos-security + bundle + + + Security-Mode ONOS project + + + + org.osgi + org.osgi.core + + + org.osgi + org.osgi.compendium + + + org.apache.felix + org.apache.felix.scr.annotations + + + org.onosproject + onos-api + + + org.onosproject + onos-core-serializers + ${project.version} + + + org.apache.karaf.features + org.apache.karaf.features.core + + + + org.onosproject + org.apache.felix.framework.security + 2.2.0.onos + provided + + + + + + + org.apache.felix + maven-scr-plugin + + + + + \ No newline at end of file diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java new file mode 100644 index 00000000..8ae1a1ae --- /dev/null +++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java 
@@ -0,0 +1,433 @@ +package org.onosproject.security.impl; + + +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Lists; +import com.google.common.collect.Sets; +import org.onosproject.security.AppPermission; +import org.onosproject.app.ApplicationAdminService; +import org.onosproject.app.ApplicationService; +import org.onosproject.cfg.ComponentConfigService; +import org.onosproject.cluster.ClusterAdminService; +import org.onosproject.cluster.ClusterService; +import org.onosproject.core.CoreService; +import org.onosproject.cluster.LeadershipService; +import org.onosproject.mastership.MastershipAdminService; +import org.onosproject.mastership.MastershipService; +import org.onosproject.net.device.DeviceAdminService; +import org.onosproject.net.device.DeviceService; +import org.onosproject.net.device.DeviceClockService; +import org.onosproject.net.driver.DriverAdminService; +import org.onosproject.net.driver.DriverService; +import org.onosproject.net.flow.FlowRuleService; +import org.onosproject.net.flowobjective.FlowObjectiveService; +import org.onosproject.net.group.GroupService; +import org.onosproject.net.host.HostAdminService; +import org.onosproject.net.host.HostService; +import org.onosproject.net.intent.IntentService; +import org.onosproject.net.intent.IntentExtensionService; +import org.onosproject.net.intent.IntentClockService; +import org.onosproject.net.intent.PartitionService; +import org.onosproject.net.link.LinkAdminService; +import org.onosproject.net.link.LinkService; +import org.onosproject.net.packet.PacketService; +import org.onosproject.net.proxyarp.ProxyArpService; +import org.onosproject.net.resource.link.LinkResourceService; +import org.onosproject.net.statistic.StatisticService; +import org.onosproject.net.topology.PathService; +import org.onosproject.net.topology.TopologyService; +import org.onosproject.security.SecurityAdminService; +import org.onosproject.store.service.StorageAdminService; +import 
org.onosproject.store.service.StorageService; +import org.osgi.framework.BundlePermission; +import org.osgi.framework.CapabilityPermission; +import org.osgi.framework.ServicePermission; +import org.osgi.framework.PackagePermission; +import org.osgi.framework.AdaptPermission; +import org.osgi.service.cm.ConfigurationPermission; + +import javax.net.ssl.SSLPermission; +import javax.security.auth.AuthPermission; +import javax.security.auth.PrivateCredentialPermission; +import javax.security.auth.kerberos.DelegationPermission; +import javax.sound.sampled.AudioPermission; +import java.io.FilePermission; +import java.io.SerializablePermission; +import java.net.NetPermission; +import java.net.SocketPermission; +import java.security.Permissions; +import java.sql.SQLPermission; +import java.util.ArrayList; +import java.util.Enumeration; +import java.util.HashSet; +import java.util.List; +import java.util.PropertyPermission; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.security.Permission; +import java.util.logging.LoggingPermission; + +import static org.onosproject.security.AppPermission.Type.*; + +public final class DefaultPolicyBuilder { + + protected static ConcurrentHashMap> serviceDirectory = getServiceDirectory(); + + protected static List defaultPermissions = getDefaultPerms(); + protected static List adminServicePermissions = getAdminDefaultPerms(); + + private DefaultPolicyBuilder(){ + } + + public static List getUserApplicationPermissions(Set permissions) { + List perms = Lists.newArrayList(); + perms.addAll(defaultPermissions); + perms.addAll(convertToJavaPermissions(permissions)); + return optimizePermissions(perms); + } + + public static List getAdminApplicationPermissions( + Set permissions) { + List perms = Lists.newArrayList(); + perms.addAll(defaultPermissions); + perms.addAll(adminServicePermissions); + for (AppPermission.Type perm : serviceDirectory.keySet()) { + perms.add(new AppPermission(perm)); + } + 
perms.addAll(convertToJavaPermissions(permissions)); + return optimizePermissions(perms); + } + + public static List convertToJavaPermissions(Set permissions) { + List result = Lists.newArrayList(); + for (org.onosproject.security.Permission perm : permissions) { + Permission javaPerm = getPermission(perm); + if (javaPerm != null) { + if (javaPerm instanceof AppPermission) { + if (((AppPermission) javaPerm).getType() != null) { + AppPermission ap = (AppPermission) javaPerm; + result.add(ap); + if (serviceDirectory.containsKey(ap.getType())) { + for (String service : serviceDirectory.get(ap.getType())) { + result.add(new ServicePermission(service, ServicePermission.GET)); + } + } + } + } else if (javaPerm instanceof ServicePermission) { + if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) { + result.add(javaPerm); + } + } else { + result.add(javaPerm); + } + + } + } + return result; + } + + public static Set convertToOnosPermissions(List permissions) { + Set result = Sets.newHashSet(); + for (Permission perm : permissions) { + org.onosproject.security.Permission onosPerm = getOnosPermission(perm); + if (onosPerm != null) { + result.add(onosPerm); + } + } + return result; + } + + public static List getDefaultPerms() { + List permSet = Lists.newArrayList(); + permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY)); + permSet.add(new PackagePermission("*", PackagePermission.IMPORT)); + permSet.add(new AdaptPermission("*", AdaptPermission.ADAPT)); + permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE)); + return permSet; + } + + private static List getAdminDefaultPerms() { + List permSet = Lists.newArrayList(); + permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(MastershipAdminService.class.getName(), ServicePermission.GET)); + 
permSet.add(new ServicePermission(DeviceAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(DriverAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET)); +// permSet.add(new ServicePermission(LabelResourceAdminService.class.getName(), ServicePermission.GET)); +// permSet.add(new ServicePermission(TunnelAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(CoreService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ClusterService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(LeadershipService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(MastershipService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(DeviceService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(DeviceClockService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(DriverService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(FlowRuleService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(FlowObjectiveService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(GroupService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(HostService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(IntentService.class.getName(), 
ServicePermission.GET)); + permSet.add(new ServicePermission(IntentClockService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(IntentExtensionService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(LinkService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(LinkResourceService.class.getName(), ServicePermission.GET)); +// permSet.add(new ServicePermission(LabelResourceService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(PacketService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ProxyArpService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(StatisticService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(PathService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(TopologyService.class.getName(), ServicePermission.GET)); +// permSet.add(new ServicePermission(TunnelService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET)); + return permSet; + } + + public static Set getNBServiceList() { + Set permString = new HashSet<>(); + for (Permission perm : getAdminDefaultPerms()) { + permString.add(perm.getName()); + } + return permString; + } + + private static ConcurrentHashMap> getServiceDirectory() { + + ConcurrentHashMap> serviceDirectory = new ConcurrentHashMap<>(); + + serviceDirectory.put(APP_READ, ImmutableSet.of( + ApplicationService.class.getName(), CoreService.class.getName())); + serviceDirectory.put(APP_EVENT, ImmutableSet.of( + ApplicationService.class.getName(), CoreService.class.getName())); + serviceDirectory.put(CONFIG_READ, ImmutableSet.of( + ComponentConfigService.class.getName())); + serviceDirectory.put(CONFIG_WRITE, ImmutableSet.of( + 
ComponentConfigService.class.getName())); + serviceDirectory.put(CLUSTER_READ, ImmutableSet.of( + ClusterService.class.getName(), LeadershipService.class.getName(), + MastershipService.class.getName())); + serviceDirectory.put(CLUSTER_WRITE, ImmutableSet.of( + LeadershipService.class.getName(), MastershipService.class.getName())); + serviceDirectory.put(CLUSTER_EVENT, ImmutableSet.of( + ClusterService.class.getName(), LeadershipService.class.getName(), + MastershipService.class.getName())); + serviceDirectory.put(DEVICE_READ, ImmutableSet.of( + DeviceService.class.getName(), DeviceClockService.class.getName())); + serviceDirectory.put(DEVICE_EVENT, ImmutableSet.of( + DeviceService.class.getName())); + serviceDirectory.put(DRIVER_READ, ImmutableSet.of( + DriverService.class.getName())); + serviceDirectory.put(DRIVER_WRITE, ImmutableSet.of( + DriverService.class.getName())); + serviceDirectory.put(FLOWRULE_READ, ImmutableSet.of( + FlowRuleService.class.getName())); + serviceDirectory.put(FLOWRULE_WRITE, ImmutableSet.of( + FlowRuleService.class.getName(), FlowObjectiveService.class.getName())); + serviceDirectory.put(FLOWRULE_EVENT, ImmutableSet.of( + FlowRuleService.class.getName())); + serviceDirectory.put(GROUP_READ, ImmutableSet.of( + GroupService.class.getName())); + serviceDirectory.put(GROUP_WRITE, ImmutableSet.of( + GroupService.class.getName())); + serviceDirectory.put(GROUP_EVENT, ImmutableSet.of( + GroupService.class.getName())); + serviceDirectory.put(HOST_READ, ImmutableSet.of( + HostService.class.getName())); + serviceDirectory.put(HOST_WRITE, ImmutableSet.of( + HostService.class.getName())); + serviceDirectory.put(HOST_EVENT, ImmutableSet.of( + HostService.class.getName())); + serviceDirectory.put(INTENT_READ, ImmutableSet.of( + IntentService.class.getName(), PartitionService.class.getName(), + IntentClockService.class.getName())); + serviceDirectory.put(INTENT_WRITE, ImmutableSet.of( + IntentService.class.getName())); + 
serviceDirectory.put(INTENT_EVENT, ImmutableSet.of( + IntentService.class.getName())); +// serviceDirectory.put(LINK_READ, ImmutableSet.of( +// LinkService.class.getName(), LinkResourceService.class.getName(), +// LabelResourceService.class.getName())); +// serviceDirectory.put(LINK_WRITE, ImmutableSet.of( +// LinkResourceService.class.getName(), LabelResourceService.class.getName())); +// serviceDirectory.put(LINK_EVENT, ImmutableSet.of( +// LinkService.class.getName(), LinkResourceService.class.getName(), +// LabelResourceService.class.getName())); + serviceDirectory.put(PACKET_READ, ImmutableSet.of( + PacketService.class.getName(), ProxyArpService.class.getName())); + serviceDirectory.put(PACKET_WRITE, ImmutableSet.of( + PacketService.class.getName(), ProxyArpService.class.getName())); + serviceDirectory.put(PACKET_EVENT, ImmutableSet.of( + PacketService.class.getName())); + serviceDirectory.put(STATISTIC_READ, ImmutableSet.of( + StatisticService.class.getName())); + serviceDirectory.put(TOPOLOGY_READ, ImmutableSet.of( + TopologyService.class.getName(), PathService.class.getName())); + serviceDirectory.put(TOPOLOGY_EVENT, ImmutableSet.of( + TopologyService.class.getName())); +// serviceDirectory.put(TUNNEL_READ, ImmutableSet.of( +// TunnelService.class.getName())); +// serviceDirectory.put(TUNNEL_WRITE, ImmutableSet.of( +// TunnelService.class.getName())); +// serviceDirectory.put(TUNNEL_EVENT, ImmutableSet.of( +// TunnelService.class.getName())); + serviceDirectory.put(STORAGE_WRITE, ImmutableSet.of( + StorageService.class.getName())); + + return serviceDirectory; + } + + + public static org.onosproject.security.Permission getOnosPermission(Permission permission) { + if (permission instanceof AppPermission) { + return new org.onosproject.security.Permission(AppPermission.class.getName(), permission.getName(), ""); + } else if (permission instanceof FilePermission) { + return new org.onosproject.security.Permission( + FilePermission.class.getName(), 
permission.getName(), permission.getActions()); + } else if (permission instanceof SerializablePermission) { + return new org.onosproject.security.Permission( + SerializablePermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof NetPermission) { + return new org.onosproject.security.Permission( + NetPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof RuntimePermission) { + return new org.onosproject.security.Permission( + RuntimePermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof SocketPermission) { + return new org.onosproject.security.Permission( + SocketPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof SQLPermission) { + return new org.onosproject.security.Permission( + SQLPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof PropertyPermission) { + return new org.onosproject.security.Permission( + PropertyPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof LoggingPermission) { + return new org.onosproject.security.Permission( + LoggingPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof SSLPermission) { + return new org.onosproject.security.Permission( + SSLPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof AuthPermission) { + return new org.onosproject.security.Permission( + AuthPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof PrivateCredentialPermission) { + return new org.onosproject.security.Permission( + PrivateCredentialPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof 
DelegationPermission) { + return new org.onosproject.security.Permission( + DelegationPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof javax.security.auth.kerberos.ServicePermission) { + return new org.onosproject.security.Permission( + javax.security.auth.kerberos.ServicePermission.class.getName(), permission.getName(), + permission.getActions()); + } else if (permission instanceof AudioPermission) { + return new org.onosproject.security.Permission( + AudioPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof AdaptPermission) { + return new org.onosproject.security.Permission( + AdaptPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof BundlePermission) { + return new org.onosproject.security.Permission( + BundlePermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof CapabilityPermission) { + return new org.onosproject.security.Permission( + CapabilityPermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof PackagePermission) { + return new org.onosproject.security.Permission( + PackagePermission.class.getName(), permission.getName(), permission.getActions()); + } else if (permission instanceof ServicePermission) { + return new org.onosproject.security.Permission( + ServicePermission.class.getName(), permission.getName(), permission.getActions()); + } + return null; + } + + private static Permission getPermission(org.onosproject.security.Permission permission) { + + String classname = permission.getClassName(); + String name = permission.getName(); + String actions = permission.getActions(); + + if (classname == null || name == null) { + return null; + } + classname = classname.trim(); + name = name.trim(); + actions = actions.trim(); + + if 
(AppPermission.class.getName().equals(classname)) { + return new AppPermission(name); + } else if (FilePermission.class.getName().equals(classname)) { + return new FilePermission(name, actions); + } else if (SerializablePermission.class.getName().equals(classname)) { + return new SerializablePermission(name, actions); + } else if (NetPermission.class.getName().equals(classname)) { + return new NetPermission(name, actions); + } else if (RuntimePermission.class.getName().equals(classname)) { + return new RuntimePermission(name, actions); + } else if (SocketPermission.class.getName().equals(classname)) { + return new SocketPermission(name, actions); + } else if (SQLPermission.class.getName().equals(classname)) { + return new SQLPermission(name, actions); + } else if (PropertyPermission.class.getName().equals(classname)) { + return new PropertyPermission(name, actions); + } else if (LoggingPermission.class.getName().equals(classname)) { + return new LoggingPermission(name, actions); + } else if (SSLPermission.class.getName().equals(classname)) { + return new SSLPermission(name, actions); + } else if (AuthPermission.class.getName().equals(classname)) { + return new AuthPermission(name, actions); + } else if (PrivateCredentialPermission.class.getName().equals(classname)) { + return new PrivateCredentialPermission(name, actions); + } else if (DelegationPermission.class.getName().equals(classname)) { + return new DelegationPermission(name, actions); + } else if (javax.security.auth.kerberos.ServicePermission.class.getName().equals(classname)) { + return new javax.security.auth.kerberos.ServicePermission(name, actions); + } else if (AudioPermission.class.getName().equals(classname)) { + return new AudioPermission(name, actions); + } else if (AdaptPermission.class.getName().equals(classname)) { + return new AdaptPermission(name, actions); + } else if (BundlePermission.class.getName().equals(classname)) { + return new BundlePermission(name, actions); + } else if 
(CapabilityPermission.class.getName().equals(classname)) { + return new CapabilityPermission(name, actions); + } else if (PackagePermission.class.getName().equals(classname)) { + return new PackagePermission(name, actions); + } else if (ServicePermission.class.getName().equals(classname)) { + return new ServicePermission(name, actions); + } + + //AllPermission, SecurityPermission, UnresolvedPermission + //AWTPermission, AdminPermission(osgi), ReflectPermission not allowed + return null; + + } + private static List optimizePermissions(List perms) { + Permissions permissions = listToPermissions(perms); + return permissionsToList(permissions); + } + + private static List permissionsToList(Permissions perms) { + List permissions = new ArrayList<>(); + Enumeration e = perms.elements(); + while (e.hasMoreElements()) { + permissions.add(e.nextElement()); + } + return permissions; + } + + private static Permissions listToPermissions(List perms) { + Permissions permissions = new Permissions(); + for (Permission perm : perms) { + permissions.add(perm); + } + return permissions; + } +} + diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java new file mode 100644 index 00000000..30b0f8bb --- /dev/null +++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java 
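Review bot: In `convertToJavaPermissions` the ServicePermission branch keeps `SecurityAdminService` out of an application's grant with a substring test on the permission name, so a requested ServicePermission whose name is a wildcard (the OSGi `*` or package-prefix form) does not contain the class name and is added unchanged, although it implies GET on that service. Comparing by implication rather than by text closes the gap: `if (!javaPerm.implies(new ServicePermission(SecurityAdminService.class.getName(), ServicePermission.GET))) {`. Separately, `getPermission` null-checks `classname` and `name` but then calls `actions.trim()` unguarded, so if `getActions()` can return null for an application-supplied entry, the conversion throws instead of rejecting it. `if (classname == null || name == null || actions == null) { return null; }` would make the three fields consistent.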
@@ -0,0 +1,289 @@ +package org.onosproject.security.impl; + +import com.google.common.collect.Lists; + +import org.apache.felix.scr.annotations.Component; +import org.apache.felix.scr.annotations.Reference; +import org.apache.felix.scr.annotations.ReferenceCardinality; +import org.apache.felix.scr.annotations.Activate; +import org.apache.felix.scr.annotations.Deactivate; +import org.apache.felix.scr.annotations.Service; + +import org.onosproject.app.ApplicationAdminService; +import org.onosproject.app.ApplicationState; +import org.onosproject.core.Application; +import org.onosproject.core.ApplicationId; + +import org.onosproject.event.EventDeliveryService; +import org.onosproject.event.ListenerRegistry; +import org.onosproject.security.AppPermission; +import org.onosproject.security.SecurityAdminService; +import org.onosproject.security.store.SecurityModeEvent; +import org.onosproject.security.store.SecurityModeListener; +import org.onosproject.security.store.SecurityModeStore; +import org.onosproject.security.store.SecurityModeStoreDelegate; +import org.osgi.framework.BundleContext; +import org.osgi.framework.FrameworkUtil; +import org.osgi.framework.ServicePermission; +import org.osgi.service.log.LogEntry; +import org.osgi.service.log.LogListener; +import org.osgi.service.log.LogReaderService; +import org.osgi.service.permissionadmin.PermissionInfo; + +import java.security.AccessControlException; +import java.security.Permission; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; + +import org.osgi.service.permissionadmin.PermissionAdmin; +import org.slf4j.Logger; + +import static org.slf4j.LoggerFactory.getLogger; + + + +/** + * Security-Mode ONOS management implementation. 
+ */ + +@Component(immediate = true) +@Service +public class SecurityModeManager implements SecurityAdminService { + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected SecurityModeStore store; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected ApplicationAdminService appAdminService; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected LogReaderService logReaderService; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected EventDeliveryService eventDispatcher; + + private final Logger log = getLogger(getClass()); + + protected final ListenerRegistry + listenerRegistry = new ListenerRegistry<>(); + + private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); + + private SecurityLogListener securityLogListener = new SecurityLogListener(); + + private PermissionAdmin permissionAdmin = getPermissionAdmin(); + + + @Activate + public void activate() { + + eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); + // add Listeners + logReaderService.addLogListener(securityLogListener); + + store.setDelegate(delegate); + + if (System.getSecurityManager() == null) { + log.warn("J2EE security manager is disabled."); + deactivate(); + return; + } + if (permissionAdmin == null) { + log.warn("Permission Admin not found."); + deactivate(); + return; + } + + log.info("Security-Mode Started"); + } + + @Deactivate + public void deactivate() { + eventDispatcher.removeSink(SecurityModeEvent.class); + logReaderService.removeLogListener(securityLogListener); + store.unsetDelegate(delegate); + log.info("Stopped"); + + } + + @Override + public boolean isSecured(ApplicationId appId) { + if (store.getState(appId) == null) { + store.registerApplication(appId); + } + return store.isSecured(appId); + } + + + @Override + public void review(ApplicationId appId) { + if (store.getState(appId) == null) { + store.registerApplication(appId); + } + 
store.reviewPolicy(appId); + } + + @Override + public void acceptPolicy(ApplicationId appId) { + if (store.getState(appId) == null) { + store.registerApplication(appId); + } + store.acceptPolicy(appId, DefaultPolicyBuilder.convertToOnosPermissions(getMaximumPermissions(appId))); + } + + @Override + public void register(ApplicationId appId) { + store.registerApplication(appId); + } + + @Override + public Map> getPrintableSpecifiedPermissions(ApplicationId appId) { + return getPrintablePermissionMap(getMaximumPermissions(appId)); + } + + @Override + public Map> getPrintableGrantedPermissions(ApplicationId appId) { + return getPrintablePermissionMap( + DefaultPolicyBuilder.convertToJavaPermissions(store.getGrantedPermissions(appId))); + } + + @Override + public Map> getPrintableRequestedPermissions(ApplicationId appId) { + return getPrintablePermissionMap( + DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); + } + + private class SecurityLogListener implements LogListener { + @Override + public void logged(LogEntry entry) { + if (entry.getException() != null && + entry.getException() instanceof AccessControlException) { + String location = entry.getBundle().getLocation(); + Permission javaPerm = + ((AccessControlException) entry.getException()).getPermission(); + org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm); + if (permission == null) { + log.warn("Unsupported permission requested."); + return; + } + store.getApplicationIds(location).stream().filter( + appId -> store.isSecured(appId) && + appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> { + store.requestPermission(appId, permission); + print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ", + appId.name(), location, permission.toString()); + }); + } + } + } + + private class InternalStoreDelegate implements SecurityModeStoreDelegate { + @Override + public void notify(SecurityModeEvent event) { 
+ if (event.type() == SecurityModeEvent.Type.POLICY_ACCEPTED) { + setLocalPermissions(event.subject()); + log.info("{} POLICY ACCEPTED and ENFORCED", event.subject().name()); + } else if (event.type() == SecurityModeEvent.Type.POLICY_VIOLATED) { + log.info("{} POLICY VIOLATED", event.subject().name()); + } else if (event.type() == SecurityModeEvent.Type.POLICY_REVIEWED) { + log.info("{} POLICY REVIEWED", event.subject().name()); + } + eventDispatcher.post(event); + } + } + + /** + * TYPES. + * 0 - APP_PERM + * 1 - ADMIN SERVICE + * 2 - NB_SERVICE + * 3 - ETC_SERVICE + * 4 - ETC + * @param perms + */ + private Map> getPrintablePermissionMap(List perms) { + ConcurrentHashMap> sortedMap = new ConcurrentHashMap<>(); + sortedMap.put(0, new ArrayList()); + sortedMap.put(1, new ArrayList()); + sortedMap.put(2, new ArrayList()); + sortedMap.put(3, new ArrayList()); + sortedMap.put(4, new ArrayList()); + for (Permission perm : perms) { + if (perm instanceof ServicePermission) { + if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) { + if (perm.getName().contains("Admin")) { + sortedMap.get(1).add(perm); + } else { + sortedMap.get(2).add(perm); + } + } else { + sortedMap.get(3).add(perm); + } + } else if (perm instanceof AppPermission) { + sortedMap.get(0).add(perm); + } else { + sortedMap.get(4).add(perm); + } + } + return sortedMap; + } + + private void setLocalPermissions(ApplicationId applicationId) { + for (String location : store.getBundleLocations(applicationId)) { + permissionAdmin.setPermissions(location, permissionsToInfo(store.getGrantedPermissions(applicationId))); + } + } + + private PermissionInfo[] permissionsToInfo(Set permissions) { + List result = Lists.newArrayList(); + for (org.onosproject.security.Permission perm : permissions) { + result.add(new PermissionInfo(perm.getClassName(), perm.getName(), perm.getActions())); + } + PermissionInfo[] permissionInfos = new PermissionInfo[result.size()]; + return result.toArray(permissionInfos); + 
} + + + + private List getMaximumPermissions(ApplicationId appId) { + Application app = appAdminService.getApplication(appId); + if (app == null) { + print("Unknown application."); + return null; + } + List appPerms; + switch (app.role()) { + case ADMIN: + appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); + break; + case USER: + appPerms = DefaultPolicyBuilder.getUserApplicationPermissions(app.permissions()); + break; + case UNSPECIFIED: + default: + appPerms = DefaultPolicyBuilder.getDefaultPerms(); + break; + } + + return appPerms; + } + + + private void print(String format, Object... args) { + System.out.println(String.format("SM-ONOS: " + format, args)); + log.warn(String.format(format, args)); + } + + private PermissionAdmin getPermissionAdmin() { + BundleContext context = getBundleContext(); + return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName())); + } + + private BundleContext getBundleContext() { + return FrameworkUtil.getBundle(this.getClass()).getBundleContext(); + + } +} \ No newline at end of file diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/package-info.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/package-info.java new file mode 100644 index 00000000..387f6ecf --- /dev/null +++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/impl/package-info.java 
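Review bot: `getMaximumPermissions` returns null for an unknown application, and both callers use the result unchecked: `acceptPolicy` passes it to `DefaultPolicyBuilder.convertToOnosPermissions`, which iterates it, and `getPrintableSpecifiedPermissions` passes it to `getPrintablePermissionMap`, so either call ends in a NullPointerException right after `print("Unknown application.")`. In `acceptPolicy` I would fetch the list first and stop before touching the store, e.g. `if (perms == null) { return; }`, and return an empty map from the printable variant. Also, when `activate()` finds no security manager or no PermissionAdmin it calls `deactivate()` and returns normally, which as far as this hunk shows leaves the component registered as `SecurityAdminService` with the store delegate unset. If so, accepted policies would never reach `setLocalPermissions`, so failing activation, or at least logging at error level that enforcement is off, seems safer than a warning.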
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Implementation of the security mode.
+ */
+package org.onosproject.security.impl;
\ No newline at end of file
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java
new file mode 100644
index 00000000..ac16966c
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java
@@ -0,0 +1,315 @@ +/* + * Copyright 2015 Open Networking Laboratory + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.onosproject.security.store; + +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Sets; + +import org.apache.felix.scr.annotations.Activate; +import org.apache.felix.scr.annotations.Component; +import org.apache.felix.scr.annotations.Deactivate; +import org.apache.felix.scr.annotations.Reference; +import org.apache.felix.scr.annotations.ReferenceCardinality; +import org.apache.felix.scr.annotations.Service; +import org.apache.karaf.features.BundleInfo; +import org.apache.karaf.features.Feature; +import org.apache.karaf.features.FeaturesService; + +import org.onlab.util.KryoNamespace; +import org.onosproject.app.ApplicationAdminService; +import org.onosproject.core.Application; +import org.onosproject.core.ApplicationId; +import org.onosproject.security.Permission; +import org.onosproject.store.AbstractStore; +import org.onosproject.store.serializers.KryoNamespaces; +import org.onosproject.store.service.ConsistentMap; +import org.onosproject.store.service.EventuallyConsistentMap; +import org.onosproject.store.service.LogicalClockService; +import org.onosproject.store.service.MapEvent; +import org.onosproject.store.service.MapEventListener; +import org.onosproject.store.service.Serializer; +import org.onosproject.store.service.StorageService; +import org.slf4j.Logger; + +import java.util.HashSet; 
+import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.util.stream.Collectors; + +import static org.onosproject.security.store.SecurityModeState.*; +import static org.slf4j.LoggerFactory.getLogger; + +/** + * Manages application permissions granted/requested to applications. + * Uses both gossip-based and RAFT-based distributed data store. + */ +@Component(immediate = true) +@Service +public class DistributedSecurityModeStore + extends AbstractStore + implements SecurityModeStore { + + private final Logger log = getLogger(getClass()); + + private ConsistentMap states; + private EventuallyConsistentMap> violations; + + private ConcurrentHashMap> localBundleAppDirectory; + private ConcurrentHashMap> localAppBundleDirectory; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected StorageService storageService; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected LogicalClockService clockService; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected ApplicationAdminService applicationAdminService; + + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) + protected FeaturesService featuresService; + + private static final Serializer STATE_SERIALIZER = Serializer.using(new KryoNamespace.Builder() + .register(KryoNamespaces.API) + .register(SecurityModeState.class) + .register(SecurityInfo.class) + .register(Permission.class) + .build()); + + private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() + .register(KryoNamespaces.API) + .register(Permission.class); + + @Activate + public void activate() { + states = storageService.consistentMapBuilder() + .withName("smonos-sdata") + .withSerializer(STATE_SERIALIZER) + .build(); + + states.addListener(new SecurityStateListener()); + + violations = storageService.>eventuallyConsistentMapBuilder() + .withName("smonos-rperms") + .withSerializer(VIOLATION_SERIALIZER) + 
.withTimestampProvider((k, v) -> clockService.getTimestamp()) + .build(); + + localBundleAppDirectory = new ConcurrentHashMap<>(); + localAppBundleDirectory = new ConcurrentHashMap<>(); + + log.info("Started"); + + } + + @Deactivate + public void deactivate() { + violations.destroy(); + log.info("Stopped"); + } + + + @Override + public Set getBundleLocations(ApplicationId appId) { + Set locations = localAppBundleDirectory.get(appId); + return locations != null ? locations : Sets.newHashSet(); + } + + @Override + public Set getApplicationIds(String location) { + Set appIds = localBundleAppDirectory.get(location); + return appIds != null ? appIds : Sets.newHashSet(); + } + + @Override + public Set getRequestedPermissions(ApplicationId appId) { + Set permissions = violations.get(appId); + return permissions != null ? permissions : ImmutableSet.of(); + } + + @Override + public Set getGrantedPermissions(ApplicationId appId) { + return states.asJavaMap().getOrDefault(appId, new SecurityInfo(ImmutableSet.of(), null)).getPermissions(); + } + + @Override + public void requestPermission(ApplicationId appId, Permission permission) { + + states.computeIf(appId, securityInfo -> (securityInfo == null || securityInfo.getState() != POLICY_VIOLATED), + (id, securityInfo) -> new SecurityInfo(securityInfo.getPermissions(), POLICY_VIOLATED)); + violations.compute(appId, (k, v) -> v == null ? Sets.newHashSet(permission) : addAndGet(v, permission)); + } + + private Set addAndGet(Set oldSet, Permission newPerm) { + oldSet.add(newPerm); + return oldSet; + } + + @Override + public boolean isSecured(ApplicationId appId) { + SecurityInfo info = states.get(appId).value(); + return info == null ? 
false : info.getState().equals(SECURED); + } + + @Override + public void reviewPolicy(ApplicationId appId) { + Application app = applicationAdminService.getApplication(appId); + if (app == null) { + log.warn("Unknown Application"); + return; + } + states.computeIfPresent(appId, (applicationId, securityInfo) -> { + if (securityInfo.getState().equals(INSTALLED)) { + return new SecurityInfo(ImmutableSet.of(), REVIEWED); + } + return securityInfo; + }); + } + + @Override + public void acceptPolicy(ApplicationId appId, Set permissionSet) { + + Application app = applicationAdminService.getApplication(appId); + if (app == null) { + log.warn("Unknown Application"); + return; + } + + states.computeIf(appId, + securityInfo -> (securityInfo != null), + (id, securityInfo) -> { + switch (securityInfo.getState()) { + case POLICY_VIOLATED: + System.out.println( + "This application has violated the security policy. Please uninstall."); + return securityInfo; + case SECURED: + System.out.println( + "The policy has been accepted already. 
To review policy, review [app.name]"); + return securityInfo; + case INSTALLED: + System.out.println("Please review the security policy prior to accept them"); + log.warn("Application has not been reviewed"); + return securityInfo; + case REVIEWED: + return new SecurityInfo(permissionSet, SECURED); + default: + return securityInfo; + } + }); + } + + private final class SecurityStateListener + implements MapEventListener { + + @Override + public void event(MapEvent event) { + + if (delegate == null) { + return; + } + ApplicationId appId = event.key(); + SecurityInfo info = event.value().value(); + + if (event.type() == MapEvent.Type.INSERT || event.type() == MapEvent.Type.UPDATE) { + switch (info.getState()) { + case POLICY_VIOLATED: + notifyDelegate(new SecurityModeEvent(SecurityModeEvent.Type.POLICY_VIOLATED, appId)); + break; + case SECURED: + notifyDelegate(new SecurityModeEvent(SecurityModeEvent.Type.POLICY_ACCEPTED, appId)); + default: + break; + } + } else if (event.type() == MapEvent.Type.REMOVE) { + removeAppFromDirectories(appId); + } + } + } + + private void removeAppFromDirectories(ApplicationId appId) { + for (String location : localAppBundleDirectory.get(appId)) { + localBundleAppDirectory.get(location).remove(appId); + } + violations.remove(appId); + states.remove(appId); + localAppBundleDirectory.remove(appId); + } + + @Override + public boolean registerApplication(ApplicationId appId) { + Application app = applicationAdminService.getApplication(appId); + if (app == null) { + log.warn("Unknown application."); + return false; + } + localAppBundleDirectory.put(appId, getBundleLocations(app)); + for (String location : localAppBundleDirectory.get(appId)) { + if (!localBundleAppDirectory.containsKey(location)) { + localBundleAppDirectory.put(location, new HashSet<>()); + } + if (!localBundleAppDirectory.get(location).contains(appId)) { + localBundleAppDirectory.get(location).add(appId); + } + } + states.put(appId, new SecurityInfo(Sets.newHashSet(), 
INSTALLED)); + return true; + } + + @Override + public void unregisterApplication(ApplicationId appId) { + if (localAppBundleDirectory.containsKey(appId)) { + for (String location : localAppBundleDirectory.get(appId)) { + if (localBundleAppDirectory.get(location).size() == 1) { + localBundleAppDirectory.remove(location); + } else { + localBundleAppDirectory.get(location).remove(appId); + } + } + localAppBundleDirectory.remove(appId); + } + } + + @Override + public SecurityModeState getState(ApplicationId appId) { + return states.asJavaMap().getOrDefault(appId, new SecurityInfo(null, null)).getState(); + } + + private Set getBundleLocations(Application app) { + Set locations = new HashSet<>(); + for (String name : app.features()) { + try { + Feature feature = featuresService.getFeature(name); + locations.addAll( + feature.getBundles().stream().map(BundleInfo::getLocation).collect(Collectors.toList())); + } catch (Exception e) { + return locations; + } + } + return locations; + } + + @Override + public void setDelegate(SecurityModeStoreDelegate delegate) { + super.setDelegate(delegate); + } + + @Override + public void unsetDelegate(SecurityModeStoreDelegate delegate) { + super.setDelegate(delegate); + } +} \ No newline at end of file diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java new file mode 100644 index 00000000..4dcb7dae --- /dev/null +++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java 
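Review bot: In `requestPermission` the `computeIf` predicate admits a null `securityInfo`, but the remapping lambda then calls `securityInfo.getPermissions()`, so a violation reported for an application with no state entry would throw before the `violations.compute` line records it; guard the lambda, e.g. `new SecurityInfo(securityInfo == null ? ImmutableSet.of() : securityInfo.getPermissions(), POLICY_VIOLATED)`. `isSecured` has a similar problem: `states.get(appId).value()` dereferences the lookup result before the null check on `info`, which presumably fails for an unregistered application. At the end of the class `unsetDelegate` calls `super.setDelegate(delegate)`, so the delegate is never detached and the state listener keeps notifying it; the line should read `super.unsetDelegate(delegate);`. Separately, `getBundleLocations(Application)` catches `Exception` and returns a partial set without logging, which would leave some of the application's bundles out of the location directory that `setLocalPermissions` iterates when applying granted permissions; at minimum log the failing feature name with `log.warn`.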
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.security.Permission;
+
+import java.util.Set;
+
+/**
+ * Security-Mode ONOS security policy and state representation for distributed store.
+ */
+public class SecurityInfo {
+
+ protected Set grantedPermissions;
+ protected SecurityModeState state;
+
+ public SecurityInfo(Set perms, SecurityModeState state) {
+ this.grantedPermissions = perms;
+ this.state = state;
+ }
+ public Set getPermissions() {
+ return grantedPermissions;
+ }
+ public SecurityModeState getState() {
+ return state;
+ }
+}
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java
new file mode 100644
index 00000000..59da67b5
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java
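Review bot: `SecurityInfo` keeps the granted-permission set by reference in a `protected`, non-final field, and `getPermissions()` returns that same object, so any code holding the set (or a subclass) can change what an application is recorded as granted without going through the state map. Make both fields `private final` and hand out a read-only view, e.g. `return grantedPermissions == null ? null : Collections.unmodifiableSet(grantedPermissions);`; the null case matters because the store constructs `new SecurityInfo(null, null)` as a default. The class is registered with the Kryo state serializer in DistributedSecurityModeStore, so confirm that serialization still round-trips after the change. A short Javadoc on the constructor and getters stating whether `perms` and `state` may be null would also help callers.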
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.event.AbstractEvent;
+
+/**
+ * Security-Mode ONOS notifications.
+ */
+public class SecurityModeEvent extends AbstractEvent {
+
+ protected SecurityModeEvent(Type type, ApplicationId subject) {
+ super(type, subject);
+ }
+
+ public enum Type {
+
+ /**
+ * Signifies that security policy has been accepted.
+ */
+ POLICY_ACCEPTED,
+
+ /**
+ * Signifies that security policy has been reviewed.
+ */
+ POLICY_REVIEWED,
+
+ /**
+ * Signifies that application has violated security policy.
+ */
+ POLICY_VIOLATED,
+ }
+}
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java
new file mode 100644
index 00000000..2745e0c0
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.event.EventListener;
+
+/**
+ * Security-Mode ONOS event listener.
+ */
+public interface SecurityModeListener extends EventListener {
+}
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java
new file mode 100644
index 00000000..999c5f9f
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+/**
+ * Representation of Security-Mode ONOS application review state.
+ */
+public enum SecurityModeState {
+
+ /**
+ * Indicates that operator has accepted application security policy.
+ */
+ SECURED,
+
+ /**
+ * Indicates that application security policy has been reviewed.
+ */
+ REVIEWED,
+
+ /**
+ * Indicates that application has been installed.
+ */
+ INSTALLED,
+
+ /**
+ * Indicates that application has violated security policy.
+ */
+ POLICY_VIOLATED,
+}
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java
new file mode 100644
index 00000000..7e6b6533
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.Permission;
+import org.onosproject.store.Store;
+
+import java.util.Set;
+
+/**
+ * Security-Mode ONOS distributed store service.
+ */
+public interface SecurityModeStore extends Store {
+
+ /**
+ * Updates the local bundle-application directories.
+ * @param appId application identifier
+ * @return true if successfully registered.
+ */
+ boolean registerApplication(ApplicationId appId);
+
+ /**
+ * Removes application info from the local bundle-application directories.
+ * @param appId application identifier
+ */
+ void unregisterApplication(ApplicationId appId);
+
+ /**
+ * Returns state of the specified application.
+ * @param appId application identifier
+ * @return Security-Mode State of application
+ */
+ SecurityModeState getState(ApplicationId appId);
+
+ /**
+ * Returns bundle locations of specified application.
+ * @param appId application identifier
+ * @return set of bundle location strings
+ */
+ Set getBundleLocations(ApplicationId appId);
+
+ /**
+ * Returns application identifiers that are associated with given bundle location.
+ * @param location OSGi bundle location
+ * @return set of application identifiers
+ */
+ Set getApplicationIds(String location);
+
+ /**
+ * Returns a list of permissions that have been requested by given application.
+ * @param appId application identifier
+ * @return list of permissions
+ */
+ Set getRequestedPermissions(ApplicationId appId);
+
+ /**
+ * Returns an array of permissions that have been granted to given application.
+ * @param appId application identifier
+ * @return array of permissionInfo
+ */
+ Set getGrantedPermissions(ApplicationId appId);
+
+ /**
+ * Request permission that is required to run given application.
+ * @param appId application identifier
+ * @param permission permission
+ */
+ void requestPermission(ApplicationId appId, Permission permission);
+
+ /**
+ * Returns true if given application has been secured.
+ * @param appId application identifier
+ * @return true indicates secured
+ */
+ boolean isSecured(ApplicationId appId);
+
+ /**
+ * Notifies SM-ONOS that operator has reviewed the policy.
+ * @param appId application identifier
+ */
+ void reviewPolicy(ApplicationId appId);
+
+ /**
+ * Accept the current security policy of given application.
+ * @param appId application identifier
+ * @param permissionSet array of PermissionInfo
+ */
+ void acceptPolicy(ApplicationId appId, Set permissionSet);
+}
\ No newline at end of file
diff --git a/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java
new file mode 100644
index 00000000..d933a148
--- /dev/null
+++ b/framework/src/onos/core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java
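Review bot: The Javadoc on this interface disagrees with the signatures: `getRequestedPermissions` says it returns a "list of permissions", `getGrantedPermissions` an "array of permissionInfo", and `acceptPolicy` documents `permissionSet` as an "array of PermissionInfo", while all three use `Set`. Reword them to `@return set of requested permissions`, `@return set of granted permissions` and `@param permissionSet set of permissions to grant`. The contract for an unknown `appId` is also unstated for `getState`, `isSecured` and the two permission getters. Since callers use these to make enforcement decisions, each should say what is returned in that case (the implementation in this commit appears to return a null state and empty sets).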
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.store.StoreDelegate;
+
+/**
+ * Security-Mode distributed store delegate abstraction.
+ */
+public interface SecurityModeStoreDelegate extends StoreDelegate {
+}
-- cgit 1.2.3-korg