Changhoon Yoon
Committed by Jonathan Hart

ONOS-4774, ONOS-4775, ONOS-4776 + some minor fixes

Change-Id: I0d3438f36f0ce9ce0152d295d6f2d749d7f13bed
...@@ -109,14 +109,12 @@ public class ReviewCommand extends AbstractShellCommand { ...@@ -109,14 +109,12 @@ public class ReviewCommand extends AbstractShellCommand {
109 print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); 109 print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
110 } 110 }
111 break; 111 break;
112 - case 4: 112 + default:
113 - for (Permission perm: assortedMap.get(4)) { 113 + for (Permission perm: assortedMap.get(type)) {
114 print("\t[Other] " + perm.getClass().getSimpleName() + 114 print("\t[Other] " + perm.getClass().getSimpleName() +
115 - " " + perm.getName() + " (" + perm.getActions() + ")"); 115 + " " + perm.getName() + " (" + perm.getActions() + ")");
116 } 116 }
117 break; 117 break;
118 - default:
119 - break;
120 } 118 }
121 } 119 }
122 } 120 }
......
...@@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission { ...@@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission {
82 TUNNEL_WRITE, 82 TUNNEL_WRITE,
83 TUNNEL_EVENT, 83 TUNNEL_EVENT,
84 UI_READ, 84 UI_READ,
85 - UI_WRITE 85 + UI_WRITE,
86 + ADMIN
86 } 87 }
87 88
88 protected Type type; 89 protected Type type;
......
1 /* 1 /*
2 - * Copyright 2015 Open Networking Laboratory 2 + * Copyright 2015-present Open Networking Laboratory
3 * 3 *
4 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License. 5 * you may not use this file except in compliance with the License.
...@@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener; ...@@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener;
38 import org.onosproject.security.store.SecurityModeStore; 38 import org.onosproject.security.store.SecurityModeStore;
39 import org.onosproject.security.store.SecurityModeStoreDelegate; 39 import org.onosproject.security.store.SecurityModeStoreDelegate;
40 import org.osgi.framework.BundleContext; 40 import org.osgi.framework.BundleContext;
41 +import org.osgi.framework.FrameworkEvent;
41 import org.osgi.framework.FrameworkUtil; 42 import org.osgi.framework.FrameworkUtil;
42 import org.osgi.framework.ServicePermission; 43 import org.osgi.framework.ServicePermission;
43 -import org.osgi.service.log.LogEntry; 44 +import org.osgi.framework.FrameworkListener;
44 -import org.osgi.service.log.LogListener;
45 -import org.osgi.service.log.LogReaderService;
46 import org.osgi.service.permissionadmin.PermissionInfo; 45 import org.osgi.service.permissionadmin.PermissionInfo;
47 46
47 +import java.io.FilePermission;
48 +import java.lang.reflect.ReflectPermission;
49 +import java.net.SocketPermission;
48 import java.security.AccessControlException; 50 import java.security.AccessControlException;
49 import java.security.Permission; 51 import java.security.Permission;
52 +import java.security.SecurityPermission;
50 import java.util.ArrayList; 53 import java.util.ArrayList;
51 import java.util.List; 54 import java.util.List;
52 import java.util.Map; 55 import java.util.Map;
...@@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService {
76 protected ApplicationAdminService appAdminService; 79 protected ApplicationAdminService appAdminService;
77 80
78 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) 81 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
79 - protected LogReaderService logReaderService;
80 -
81 - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
82 protected EventDeliveryService eventDispatcher; 82 protected EventDeliveryService eventDispatcher;
83 83
84 private final Logger log = getLogger(getClass()); 84 private final Logger log = getLogger(getClass());
...@@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService {
88 88
89 private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); 89 private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate();
90 90
91 - private SecurityLogListener securityLogListener = new SecurityLogListener(); 91 + private SecurityEventListener securityEventListener = new SecurityEventListener();
92 92
93 private PermissionAdmin permissionAdmin = getPermissionAdmin(); 93 private PermissionAdmin permissionAdmin = getPermissionAdmin();
94 94
...@@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService {
96 public void activate() { 96 public void activate() {
97 97
98 eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); 98 eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry);
99 - logReaderService.addLogListener(securityLogListener); 99 + getBundleContext().addFrameworkListener(new SecurityEventListener());
100 100
101 if (System.getSecurityManager() == null) { 101 if (System.getSecurityManager() == null) {
102 log.warn("J2EE security manager is disabled."); 102 log.warn("J2EE security manager is disabled.");
...@@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService {
116 @Deactivate 116 @Deactivate
117 public void deactivate() { 117 public void deactivate() {
118 eventDispatcher.removeSink(SecurityModeEvent.class); 118 eventDispatcher.removeSink(SecurityModeEvent.class);
119 - logReaderService.removeLogListener(securityLogListener); 119 + getBundleContext().removeFrameworkListener(securityEventListener);
120 store.unsetDelegate(delegate); 120 store.unsetDelegate(delegate);
121 log.info("Stopped"); 121 log.info("Stopped");
122 122
...@@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService {
169 DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); 169 DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId)));
170 } 170 }
171 171
172 - private class SecurityLogListener implements LogListener { 172 + private class SecurityEventListener implements FrameworkListener {
173 @Override 173 @Override
174 - public void logged(LogEntry entry) { 174 + public void frameworkEvent(FrameworkEvent event) {
175 - if (entry.getException() != null && 175 + if (event.getType() != FrameworkEvent.ERROR) {
176 - entry.getException() instanceof AccessControlException) { 176 + return;
177 - String location = entry.getBundle().getLocation(); 177 + }
178 - Permission javaPerm = 178 + Throwable throwable = event.getThrowable();
179 - ((AccessControlException) entry.getException()).getPermission(); 179 + if (throwable == null || !(throwable instanceof AccessControlException)) {
180 - org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm); 180 + return;
181 - if (permission == null) {
182 - log.warn("Unsupported permission requested.");
183 - return;
184 - }
185 - store.getApplicationIds(location).stream().filter(
186 - appId -> store.isSecured(appId) &&
187 - appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
188 - store.requestPermission(appId, permission);
189 - print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
190 - appId.name(), location, permission.toString());
191 - });
192 } 181 }
182 + String bundleLocation = event.getBundle().getLocation();
183 + Permission nativePerm = ((AccessControlException) throwable).getPermission();
184 + org.onosproject.security.Permission onosPerm = DefaultPolicyBuilder.getOnosPermission(nativePerm);
185 +
186 + if (onosPerm == null) {
187 + log.warn("Unsupported permission requested: " + nativePerm.toString());
188 + return;
189 + }
190 +
191 + store.getApplicationIds(bundleLocation).stream().filter(
192 + appId -> store.isSecured(appId) &&
193 + appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
194 + store.requestPermission(appId, onosPerm);
195 + print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
196 + appId.name(), bundleLocation, onosPerm.toString());
197 + });
193 } 198 }
194 } 199 }
195 200
...@@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService {
213 * 0 - APP_PERM 218 * 0 - APP_PERM
214 * 1 - ADMIN SERVICE 219 * 1 - ADMIN SERVICE
215 * 2 - NB_SERVICE 220 * 2 - NB_SERVICE
216 - * 3 - ETC_SERVICE 221 + * 3 - SB_SERVICE
217 - * 4 - ETC 222 + * 4 - CLI_SERVICE
223 + * 5 - ETC_SERVICE
224 + * 6 - CRITICAL PERMISSIONS
225 + * 7 - ETC
218 * @param perms 226 * @param perms
219 */ 227 */
220 - private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) { 228 + private Map<Integer, List<Permission>> getPrintablePermissionMap(Set<Permission> perms) {
221 ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>(); 229 ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>();
222 sortedMap.put(0, new ArrayList()); 230 sortedMap.put(0, new ArrayList());
223 sortedMap.put(1, new ArrayList()); 231 sortedMap.put(1, new ArrayList());
224 sortedMap.put(2, new ArrayList()); 232 sortedMap.put(2, new ArrayList());
225 sortedMap.put(3, new ArrayList()); 233 sortedMap.put(3, new ArrayList());
226 sortedMap.put(4, new ArrayList()); 234 sortedMap.put(4, new ArrayList());
235 + sortedMap.put(5, new ArrayList());
236 + sortedMap.put(6, new ArrayList());
237 + sortedMap.put(7, new ArrayList());
238 +
227 for (Permission perm : perms) { 239 for (Permission perm : perms) {
228 - if (perm instanceof ServicePermission) { 240 + if (perm instanceof AppPermission) {
229 - if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) { 241 + sortedMap.get(0).add(perm);
230 - if (perm.getName().contains("Admin")) { 242 + } else if (perm instanceof ServicePermission) {
243 + String permName = perm.getName().trim();
244 + if (DefaultPolicyBuilder.getNBServiceList().contains(permName)) { // ONOS NB SERVICES
245 + if (permName.contains("Admin")) {
231 sortedMap.get(1).add(perm); 246 sortedMap.get(1).add(perm);
232 } else { 247 } else {
233 sortedMap.get(2).add(perm); 248 sortedMap.get(2).add(perm);
234 } 249 }
235 - } else { 250 + } else if (permName.contains("org.onosproject") && permName.contains("Provider")) { //ONOS SB SERVICES
236 sortedMap.get(3).add(perm); 251 sortedMap.get(3).add(perm);
252 + } else if (DefaultPolicyBuilder.getCliServiceList().contains(permName)) { //CLI SERVICES
253 + sortedMap.get(4).add(perm);
254 + } else if (permName.contains("Security")) { //CRITICAL SERVICES
255 + sortedMap.get(6).add(perm);
256 + } else {
257 + sortedMap.get(5).add(perm);
237 } 258 }
238 - } else if (perm instanceof AppPermission) { 259 + } else if (perm instanceof RuntimePermission || perm instanceof SocketPermission ||
239 - sortedMap.get(0).add(perm); 260 + perm instanceof FilePermission || perm instanceof SecurityPermission ||
261 + perm instanceof ReflectPermission) { // CRITICAL PERMISSIONS
262 + sortedMap.get(6).add(perm);
240 } else { 263 } else {
241 - sortedMap.get(4).add(perm); 264 + boolean isDefault = false;
265 + for (Permission dPerm : DefaultPolicyBuilder.getDefaultPerms()) {
266 + if (perm.implies(dPerm)) {
267 + isDefault = true;
268 + break;
269 + }
270 + }
271 + if (!isDefault) {
272 + sortedMap.get(7).add(perm);
273 + }
242 } 274 }
243 } 275 }
244 return sortedMap; 276 return sortedMap;
...@@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService {
261 293
262 294
263 295
264 - private List<Permission> getMaximumPermissions(ApplicationId appId) { 296 + private Set<Permission> getMaximumPermissions(ApplicationId appId) {
265 Application app = appAdminService.getApplication(appId); 297 Application app = appAdminService.getApplication(appId);
266 if (app == null) { 298 if (app == null) {
267 print("Unknown application."); 299 print("Unknown application.");
268 return null; 300 return null;
269 } 301 }
270 - List<Permission> appPerms; 302 + Set<Permission> appPerms;
271 switch (app.role()) { 303 switch (app.role()) {
272 case ADMIN: 304 case ADMIN:
273 appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); 305 appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions());
...@@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService { ...@@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService {
300 332
301 } 333 }
302 334
303 -
304 } 335 }
...\ No newline at end of file ...\ No newline at end of file
......
1 /* 1 /*
2 - * Copyright 2015 Open Networking Laboratory 2 + * Copyright 2015-present Open Networking Laboratory
3 * 3 *
4 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License. 5 * you may not use this file except in compliance with the License.
...@@ -88,13 +88,10 @@ public class DistributedSecurityModeStore ...@@ -88,13 +88,10 @@ public class DistributedSecurityModeStore
88 .register(KryoNamespaces.API) 88 .register(KryoNamespaces.API)
89 .register(SecurityModeState.class) 89 .register(SecurityModeState.class)
90 .register(SecurityInfo.class) 90 .register(SecurityInfo.class)
91 - .register(Permission.class)
92 .build()); 91 .build());
93 92
94 private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() 93 private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder()
95 - .register(KryoNamespaces.API) 94 + .register(KryoNamespaces.API);
96 - .register(Permission.class);
97 -
98 @Activate 95 @Activate
99 public void activate() { 96 public void activate() {
100 states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder() 97 states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder()
......
...@@ -110,7 +110,7 @@ function enable_security_mode() { ...@@ -110,7 +110,7 @@ function enable_security_mode() {
110 110
111 mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 111 mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0
112 cp $FELIX_CFG_ADMIN $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 112 cp $FELIX_CFG_ADMIN $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0
113 - perl -pi.old -e "s|org.apache.felix.configadmin/1.8.0|org.apache.felix.configadmin/1.6.0|g" \ 113 + perl -pi.old -e "s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|" \
114 $ONOS_STAGE/$KARAF_DIST/etc/startup.properties 114 $ONOS_STAGE/$KARAF_DIST/etc/startup.properties
115 115
116 # SM-ONOS step 2: stage ONOS Felix framework security (this is already done by karaf assembly); end 116 # SM-ONOS step 2: stage ONOS Felix framework security (this is already done by karaf assembly); end
......
...@@ -105,7 +105,7 @@ if [ "$SECURE" = "true" ]; then ...@@ -105,7 +105,7 @@ if [ "$SECURE" = "true" ]; then
105 105
106 mkdir -p $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 106 mkdir -p $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0
107 cp $FELIX_CFG_ADMIN $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 107 cp $FELIX_CFG_ADMIN $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0
108 - perl -pi.old -e "s|org.apache.felix.configadmin/1.8.0|org.apache.felix.configadmin/1.6.0|g" \ 108 + perl -pi.old -e "s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|" \
109 $KARAF_ROOT/etc/startup.properties 109 $KARAF_ROOT/etc/startup.properties
110 110
111 # SM-ONOS step 2: stage ONOS Felix framework security (will get downloaded on demand); end 111 # SM-ONOS step 2: stage ONOS Felix framework security (will get downloaded on demand); end
......