Committed by
Jonathan Hart
ONOS-4774, ONOS-4775, ONOS-4776 + some minor fixes
Change-Id: I0d3438f36f0ce9ce0152d295d6f2d749d7f13bed
Showing
7 changed files
with
82 additions
and
55 deletions
| ... | @@ -109,14 +109,12 @@ public class ReviewCommand extends AbstractShellCommand { | ... | @@ -109,14 +109,12 @@ public class ReviewCommand extends AbstractShellCommand { |
| 109 | print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | 109 | print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); |
| 110 | } | 110 | } |
| 111 | break; | 111 | break; |
| 112 | - case 4: | 112 | + default: |
| 113 | - for (Permission perm: assortedMap.get(4)) { | 113 | + for (Permission perm: assortedMap.get(type)) { |
| 114 | print("\t[Other] " + perm.getClass().getSimpleName() + | 114 | print("\t[Other] " + perm.getClass().getSimpleName() + |
| 115 | - " " + perm.getName() + " (" + perm.getActions() + ")"); | 115 | + " " + perm.getName() + " (" + perm.getActions() + ")"); |
| 116 | } | 116 | } |
| 117 | break; | 117 | break; |
| 118 | - default: | ||
| 119 | - break; | ||
| 120 | } | 118 | } |
| 121 | } | 119 | } |
| 122 | } | 120 | } | ... | ... |
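Review bot: The new `default:` branch prints every remaining bucket under the single label `[Other]`, so the output no longer says which category a permission fell into. If `assortedMap` is the map built by `getPrintablePermissionMap` in this commit (buckets 0–7), CLI services, other services and critical permissions all end up in this one branch, and an operator reviewing an application cannot pick out bucket 6. A dedicated `case 6:` that prints a distinct tag such as `[CRITICAL]` would keep the review output usable for its purpose. `assortedMap.get(type)` is also dereferenced without a null check, which throws for any `type` the map does not contain. The switch and its enclosing method start outside the hunk, so the earlier cases cannot be checked from here.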
| ... | @@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission { | ... | @@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission { |
| 82 | TUNNEL_WRITE, | 82 | TUNNEL_WRITE, |
| 83 | TUNNEL_EVENT, | 83 | TUNNEL_EVENT, |
| 84 | UI_READ, | 84 | UI_READ, |
| 85 | - UI_WRITE | 85 | + UI_WRITE, |
| 86 | + ADMIN | ||
| 86 | } | 87 | } |
| 87 | 88 | ||
| 88 | protected Type type; | 89 | protected Type type; | ... | ... |
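Review bot: `ADMIN` is added to `Type` without a comment saying what it authorises, while the neighbouring entries are resource-scoped (`TUNNEL_WRITE`, `UI_READ`) and describe themselves. A one-line comment on the constant naming the operations it guards would tell a policy reviewer how broad the grant is. The enum starts outside the hunk, so any existing documentation convention above is not visible here.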
| 1 | /* | 1 | /* |
| 2 | - * Copyright 2015 Open Networking Laboratory | 2 | + * Copyright 2015-present Open Networking Laboratory |
| 3 | * | 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. | 5 | * you may not use this file except in compliance with the License. |
| ... | @@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener; | ... | @@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener; |
| 38 | import org.onosproject.security.store.SecurityModeStore; | 38 | import org.onosproject.security.store.SecurityModeStore; |
| 39 | import org.onosproject.security.store.SecurityModeStoreDelegate; | 39 | import org.onosproject.security.store.SecurityModeStoreDelegate; |
| 40 | import org.osgi.framework.BundleContext; | 40 | import org.osgi.framework.BundleContext; |
| 41 | +import org.osgi.framework.FrameworkEvent; | ||
| 41 | import org.osgi.framework.FrameworkUtil; | 42 | import org.osgi.framework.FrameworkUtil; |
| 42 | import org.osgi.framework.ServicePermission; | 43 | import org.osgi.framework.ServicePermission; |
| 43 | -import org.osgi.service.log.LogEntry; | 44 | +import org.osgi.framework.FrameworkListener; |
| 44 | -import org.osgi.service.log.LogListener; | ||
| 45 | -import org.osgi.service.log.LogReaderService; | ||
| 46 | import org.osgi.service.permissionadmin.PermissionInfo; | 45 | import org.osgi.service.permissionadmin.PermissionInfo; |
| 47 | 46 | ||
| 47 | +import java.io.FilePermission; | ||
| 48 | +import java.lang.reflect.ReflectPermission; | ||
| 49 | +import java.net.SocketPermission; | ||
| 48 | import java.security.AccessControlException; | 50 | import java.security.AccessControlException; |
| 49 | import java.security.Permission; | 51 | import java.security.Permission; |
| 52 | +import java.security.SecurityPermission; | ||
| 50 | import java.util.ArrayList; | 53 | import java.util.ArrayList; |
| 51 | import java.util.List; | 54 | import java.util.List; |
| 52 | import java.util.Map; | 55 | import java.util.Map; |
| ... | @@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService { |
| 76 | protected ApplicationAdminService appAdminService; | 79 | protected ApplicationAdminService appAdminService; |
| 77 | 80 | ||
| 78 | @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) | 81 | @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) |
| 79 | - protected LogReaderService logReaderService; | ||
| 80 | - | ||
| 81 | - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) | ||
| 82 | protected EventDeliveryService eventDispatcher; | 82 | protected EventDeliveryService eventDispatcher; |
| 83 | 83 | ||
| 84 | private final Logger log = getLogger(getClass()); | 84 | private final Logger log = getLogger(getClass()); |
| ... | @@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService { |
| 88 | 88 | ||
| 89 | private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); | 89 | private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); |
| 90 | 90 | ||
| 91 | - private SecurityLogListener securityLogListener = new SecurityLogListener(); | 91 | + private SecurityEventListener securityEventListener = new SecurityEventListener(); |
| 92 | 92 | ||
| 93 | private PermissionAdmin permissionAdmin = getPermissionAdmin(); | 93 | private PermissionAdmin permissionAdmin = getPermissionAdmin(); |
| 94 | 94 | ||
| ... | @@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService { |
| 96 | public void activate() { | 96 | public void activate() { |
| 97 | 97 | ||
| 98 | eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); | 98 | eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); |
| 99 | - logReaderService.addLogListener(securityLogListener); | 99 | + getBundleContext().addFrameworkListener(new SecurityEventListener()); |
| 100 | 100 | ||
| 101 | if (System.getSecurityManager() == null) { | 101 | if (System.getSecurityManager() == null) { |
| 102 | log.warn("J2EE security manager is disabled."); | 102 | log.warn("J2EE security manager is disabled."); |
| ... | @@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService { |
| 116 | @Deactivate | 116 | @Deactivate |
| 117 | public void deactivate() { | 117 | public void deactivate() { |
| 118 | eventDispatcher.removeSink(SecurityModeEvent.class); | 118 | eventDispatcher.removeSink(SecurityModeEvent.class); |
| 119 | - logReaderService.removeLogListener(securityLogListener); | 119 | + getBundleContext().removeFrameworkListener(securityEventListener); |
| 120 | store.unsetDelegate(delegate); | 120 | store.unsetDelegate(delegate); |
| 121 | log.info("Stopped"); | 121 | log.info("Stopped"); |
| 122 | 122 | ||
| ... | @@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService { |
| 169 | DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); | 169 | DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); |
| 170 | } | 170 | } |
| 171 | 171 | ||
| 172 | - private class SecurityLogListener implements LogListener { | 172 | + private class SecurityEventListener implements FrameworkListener { |
| 173 | @Override | 173 | @Override |
| 174 | - public void logged(LogEntry entry) { | 174 | + public void frameworkEvent(FrameworkEvent event) { |
| 175 | - if (entry.getException() != null && | 175 | + if (event.getType() != FrameworkEvent.ERROR) { |
| 176 | - entry.getException() instanceof AccessControlException) { | 176 | + return; |
| 177 | - String location = entry.getBundle().getLocation(); | 177 | + } |
| 178 | - Permission javaPerm = | 178 | + Throwable throwable = event.getThrowable(); |
| 179 | - ((AccessControlException) entry.getException()).getPermission(); | 179 | + if (throwable == null || !(throwable instanceof AccessControlException)) { |
| 180 | - org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm); | 180 | + return; |
| 181 | - if (permission == null) { | ||
| 182 | - log.warn("Unsupported permission requested."); | ||
| 183 | - return; | ||
| 184 | - } | ||
| 185 | - store.getApplicationIds(location).stream().filter( | ||
| 186 | - appId -> store.isSecured(appId) && | ||
| 187 | - appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> { | ||
| 188 | - store.requestPermission(appId, permission); | ||
| 189 | - print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ", | ||
| 190 | - appId.name(), location, permission.toString()); | ||
| 191 | - }); | ||
| 192 | } | 181 | } |
| 182 | + String bundleLocation = event.getBundle().getLocation(); | ||
| 183 | + Permission nativePerm = ((AccessControlException) throwable).getPermission(); | ||
| 184 | + org.onosproject.security.Permission onosPerm = DefaultPolicyBuilder.getOnosPermission(nativePerm); | ||
| 185 | + | ||
| 186 | + if (onosPerm == null) { | ||
| 187 | + log.warn("Unsupported permission requested: " + nativePerm.toString()); | ||
| 188 | + return; | ||
| 189 | + } | ||
| 190 | + | ||
| 191 | + store.getApplicationIds(bundleLocation).stream().filter( | ||
| 192 | + appId -> store.isSecured(appId) && | ||
| 193 | + appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> { | ||
| 194 | + store.requestPermission(appId, onosPerm); | ||
| 195 | + print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ", | ||
| 196 | + appId.name(), bundleLocation, onosPerm.toString()); | ||
| 197 | + }); | ||
| 193 | } | 198 | } |
| 194 | } | 199 | } |
| 195 | 200 | ||
| ... | @@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService { |
| 213 | * 0 - APP_PERM | 218 | * 0 - APP_PERM |
| 214 | * 1 - ADMIN SERVICE | 219 | * 1 - ADMIN SERVICE |
| 215 | * 2 - NB_SERVICE | 220 | * 2 - NB_SERVICE |
| 216 | - * 3 - ETC_SERVICE | 221 | + * 3 - SB_SERVICE |
| 217 | - * 4 - ETC | 222 | + * 4 - CLI_SERVICE |
| 223 | + * 5 - ETC_SERVICE | ||
| 224 | + * 6 - CRITICAL PERMISSIONS | ||
| 225 | + * 7 - ETC | ||
| 218 | * @param perms | 226 | * @param perms |
| 219 | */ | 227 | */ |
| 220 | - private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) { | 228 | + private Map<Integer, List<Permission>> getPrintablePermissionMap(Set<Permission> perms) { |
| 221 | ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>(); | 229 | ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>(); |
| 222 | sortedMap.put(0, new ArrayList()); | 230 | sortedMap.put(0, new ArrayList()); |
| 223 | sortedMap.put(1, new ArrayList()); | 231 | sortedMap.put(1, new ArrayList()); |
| 224 | sortedMap.put(2, new ArrayList()); | 232 | sortedMap.put(2, new ArrayList()); |
| 225 | sortedMap.put(3, new ArrayList()); | 233 | sortedMap.put(3, new ArrayList()); |
| 226 | sortedMap.put(4, new ArrayList()); | 234 | sortedMap.put(4, new ArrayList()); |
| 235 | + sortedMap.put(5, new ArrayList()); | ||
| 236 | + sortedMap.put(6, new ArrayList()); | ||
| 237 | + sortedMap.put(7, new ArrayList()); | ||
| 238 | + | ||
| 227 | for (Permission perm : perms) { | 239 | for (Permission perm : perms) { |
| 228 | - if (perm instanceof ServicePermission) { | 240 | + if (perm instanceof AppPermission) { |
| 229 | - if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) { | 241 | + sortedMap.get(0).add(perm); |
| 230 | - if (perm.getName().contains("Admin")) { | 242 | + } else if (perm instanceof ServicePermission) { |
| 243 | + String permName = perm.getName().trim(); | ||
| 244 | + if (DefaultPolicyBuilder.getNBServiceList().contains(permName)) { // ONOS NB SERVICES | ||
| 245 | + if (permName.contains("Admin")) { | ||
| 231 | sortedMap.get(1).add(perm); | 246 | sortedMap.get(1).add(perm); |
| 232 | } else { | 247 | } else { |
| 233 | sortedMap.get(2).add(perm); | 248 | sortedMap.get(2).add(perm); |
| 234 | } | 249 | } |
| 235 | - } else { | 250 | + } else if (permName.contains("org.onosproject") && permName.contains("Provider")) { //ONOS SB SERVICES |
| 236 | sortedMap.get(3).add(perm); | 251 | sortedMap.get(3).add(perm); |
| 252 | + } else if (DefaultPolicyBuilder.getCliServiceList().contains(permName)) { //CLI SERVICES | ||
| 253 | + sortedMap.get(4).add(perm); | ||
| 254 | + } else if (permName.contains("Security")) { //CRITICAL SERVICES | ||
| 255 | + sortedMap.get(6).add(perm); | ||
| 256 | + } else { | ||
| 257 | + sortedMap.get(5).add(perm); | ||
| 237 | } | 258 | } |
| 238 | - } else if (perm instanceof AppPermission) { | 259 | + } else if (perm instanceof RuntimePermission || perm instanceof SocketPermission || |
| 239 | - sortedMap.get(0).add(perm); | 260 | + perm instanceof FilePermission || perm instanceof SecurityPermission || |
| 261 | + perm instanceof ReflectPermission) { // CRITICAL PERMISSIONS | ||
| 262 | + sortedMap.get(6).add(perm); | ||
| 240 | } else { | 263 | } else { |
| 241 | - sortedMap.get(4).add(perm); | 264 | + boolean isDefault = false; |
| 265 | + for (Permission dPerm : DefaultPolicyBuilder.getDefaultPerms()) { | ||
| 266 | + if (perm.implies(dPerm)) { | ||
| 267 | + isDefault = true; | ||
| 268 | + break; | ||
| 269 | + } | ||
| 270 | + } | ||
| 271 | + if (!isDefault) { | ||
| 272 | + sortedMap.get(7).add(perm); | ||
| 273 | + } | ||
| 242 | } | 274 | } |
| 243 | } | 275 | } |
| 244 | return sortedMap; | 276 | return sortedMap; |
| ... | @@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService { |
| 261 | 293 | ||
| 262 | 294 | ||
| 263 | 295 | ||
| 264 | - private List<Permission> getMaximumPermissions(ApplicationId appId) { | 296 | + private Set<Permission> getMaximumPermissions(ApplicationId appId) { |
| 265 | Application app = appAdminService.getApplication(appId); | 297 | Application app = appAdminService.getApplication(appId); |
| 266 | if (app == null) { | 298 | if (app == null) { |
| 267 | print("Unknown application."); | 299 | print("Unknown application."); |
| 268 | return null; | 300 | return null; |
| 269 | } | 301 | } |
| 270 | - List<Permission> appPerms; | 302 | + Set<Permission> appPerms; |
| 271 | switch (app.role()) { | 303 | switch (app.role()) { |
| 272 | case ADMIN: | 304 | case ADMIN: |
| 273 | appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); | 305 | appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); |
| ... | @@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService { |
| 300 | 332 | ||
| 301 | } | 333 | } |
| 302 | 334 | ||
| 303 | - | ||
| 304 | } | 335 | } |
| ... | \ No newline at end of file | ... | \ No newline at end of file | ... | ... |
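Review bot: In `getPrintablePermissionMap` the default-permission filter calls `perm.implies(dPerm)`, which is true when the application's permission is at least as broad as a default one, so a wide grant (for example `AllPermission`, which implies everything) is classed as default and dropped from the review output. The test should run the other way, `if (dPerm.implies(perm)) {`, so that only permissions already covered by the defaults are hidden. Separately, `activate()` registers `new SecurityEventListener()` while `deactivate()` removes the `securityEventListener` field, so the instance that was actually registered is never removed and keeps calling `store.requestPermission` after deactivation. Registering the field instead fixes that: `getBundleContext().addFrameworkListener(securityEventListener);`.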
| 1 | /* | 1 | /* |
| 2 | - * Copyright 2015 Open Networking Laboratory | 2 | + * Copyright 2015-present Open Networking Laboratory |
| 3 | * | 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. | 5 | * you may not use this file except in compliance with the License. |
| ... | @@ -88,13 +88,10 @@ public class DistributedSecurityModeStore | ... | @@ -88,13 +88,10 @@ public class DistributedSecurityModeStore |
| 88 | .register(KryoNamespaces.API) | 88 | .register(KryoNamespaces.API) |
| 89 | .register(SecurityModeState.class) | 89 | .register(SecurityModeState.class) |
| 90 | .register(SecurityInfo.class) | 90 | .register(SecurityInfo.class) |
| 91 | - .register(Permission.class) | ||
| 92 | .build()); | 91 | .build()); |
| 93 | 92 | ||
| 94 | private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() | 93 | private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() |
| 95 | - .register(KryoNamespaces.API) | 94 | + .register(KryoNamespaces.API); |
| 96 | - .register(Permission.class); | ||
| 97 | - | ||
| 98 | @Activate | 95 | @Activate |
| 99 | public void activate() { | 96 | public void activate() { |
| 100 | states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder() | 97 | states = storageService.<ApplicationId, SecurityInfo>consistentMapBuilder() | ... | ... |
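Review bot: Both serializers lose `.register(Permission.class)`, and nothing in this section shows where `Permission` is registered instead. If the maps built from these namespaces still hold `Permission` values, serialization only works when `KryoNamespaces.API` already includes the class. That is worth confirming, and if it holds, a comment such as `// Permission is registered via KryoNamespaces.API` above `VIOLATION_SERIALIZER` would record the dependency. The blank line separating the field from `@Activate` was also dropped and should be restored.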
| ... | @@ -110,7 +110,7 @@ function enable_security_mode() { | ... | @@ -110,7 +110,7 @@ function enable_security_mode() { |
| 110 | 110 | ||
| 111 | mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 | 111 | mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 |
| 112 | cp $FELIX_CFG_ADMIN $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 | 112 | cp $FELIX_CFG_ADMIN $ONOS_STAGE/$KARAF_DIST/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 |
| 113 | - perl -pi.old -e "s|org.apache.felix.configadmin/1.8.0|org.apache.felix.configadmin/1.6.0|g" \ | 113 | + perl -pi.old -e "s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|" \ |
| 114 | $ONOS_STAGE/$KARAF_DIST/etc/startup.properties | 114 | $ONOS_STAGE/$KARAF_DIST/etc/startup.properties |
| 115 | 115 | ||
| 116 | # SM-ONOS step 2: stage ONOS Felix framework security (this is already done by karaf assembly); end | 116 | # SM-ONOS step 2: stage ONOS Felix framework security (this is already done by karaf assembly); end | ... | ... |
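Review bot: The new pattern `^(.*org.apache.felix.configadmin.*)` rewrites every line of `startup.properties` that mentions configadmin, including a comment line or a second matching entry, into the same key, and its unescaped dots match any character. It also hard-codes the start level `10` instead of keeping the value the original line carried, and the capture group is never used. Replacing only the version keeps the rest of the line intact, for example `s|(org\\.apache\\.felix\\.configadmin)/[0-9.]+|\$1/1.6.0|`. The same substitution is repeated in the following script section (the `$KARAF_ROOT` variant) and needs the same change.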
| ... | @@ -105,7 +105,7 @@ if [ "$SECURE" = "true" ]; then | ... | @@ -105,7 +105,7 @@ if [ "$SECURE" = "true" ]; then |
| 105 | 105 | ||
| 106 | mkdir -p $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 | 106 | mkdir -p $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 |
| 107 | cp $FELIX_CFG_ADMIN $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 | 107 | cp $FELIX_CFG_ADMIN $KARAF_ROOT/system/org/apache/felix/org.apache.felix.configadmin/1.6.0 |
| 108 | - perl -pi.old -e "s|org.apache.felix.configadmin/1.8.0|org.apache.felix.configadmin/1.6.0|g" \ | 108 | + perl -pi.old -e "s|^(.*org.apache.felix.configadmin.*)|mvn\\\\:org.apache.felix/org.apache.felix.configadmin/1.6.0 = 10|" \ |
| 109 | $KARAF_ROOT/etc/startup.properties | 109 | $KARAF_ROOT/etc/startup.properties |
| 110 | 110 | ||
| 111 | # SM-ONOS step 2: stage ONOS Felix framework security (will get downloaded on demand); end | 111 | # SM-ONOS step 2: stage ONOS Felix framework security (will get downloaded on demand); end | ... | ... |