Changhoon Yoon
Committed by Gerrit Code Review

ONOS-1993 Implement API-level permission checking + security util code location replacement

Change-Id: I7bf20eda9c12ed2a44334504333b093057764cd2
Showing 30 changed files with 427 additions and 56 deletions
......@@ -15,12 +15,16 @@
*/
package org.onosproject.net.packet;
import org.onosproject.core.Permission;
import org.onosproject.net.flow.DefaultTrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment;
import org.onosproject.net.flow.TrafficTreatment.Builder;
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Default implementation of a packet context.
*/
......@@ -53,21 +57,29 @@ public abstract class DefaultPacketContext implements PacketContext {
@Override
public long time() {
checkPermission(Permission.PACKET_READ);
return time;
}
@Override
public InboundPacket inPacket() {
checkPermission(Permission.PACKET_READ);
return inPkt;
}
@Override
public OutboundPacket outPacket() {
checkPermission(Permission.PACKET_READ);
return outPkt;
}
@Override
public Builder treatmentBuilder() {
checkPermission(Permission.PACKET_READ);
return builder;
}
......@@ -76,11 +88,15 @@ public abstract class DefaultPacketContext implements PacketContext {
@Override
public boolean block() {
checkPermission(Permission.PACKET_WRITE);
return this.block.getAndSet(true);
}
@Override
public boolean isHandled() {
checkPermission(Permission.PACKET_READ);
return this.block.get();
}
}
}
\ No newline at end of file
......
......@@ -14,21 +14,26 @@
* limitations under the License.
*/
package org.onosproject.security.util;
package org.onosproject.security;
import org.onosproject.core.Permission;
/**
* Checks if the caller has the required permission to call each API.
* Aids SM-ONOS to perform API-level permission checking.
*/
public final class AppGuard {
private AppGuard() {
}
public static boolean check(String perm) {
/**
* Checks if the caller has the required permission only when security-mode is enabled.
* @param permission permission to be checked
*/
public static void checkPermission(Permission permission) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
System.getSecurityManager().checkPermission(new AppPermission(perm));
System.getSecurityManager().checkPermission(new AppPermission(permission.name()));
}
return true;
}
}
......
......@@ -14,7 +14,7 @@
* limitations under the License.
*/
package org.onosproject.security.util;
package org.onosproject.security;
import java.security.BasicPermission;
......@@ -23,10 +23,19 @@ import java.security.BasicPermission;
*/
public class AppPermission extends BasicPermission {
/**
* Creates new application permission using the supplied data.
* @param name permission name
*/
public AppPermission(String name) {
super(name.toUpperCase(), "");
}
/**
* Creates new application permission using the supplied data.
* @param name permission name
* @param actions permission action
*/
public AppPermission(String name, String actions) {
super(name.toUpperCase(), actions);
}
......
......@@ -42,6 +42,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onosproject.app.ApplicationEvent.Type.*;
import static org.onosproject.security.AppGuard.checkPermission;
import static org.slf4j.LoggerFactory.getLogger;
/**
......@@ -91,29 +92,39 @@ public class ApplicationManager implements ApplicationService, ApplicationAdminS
@Override
public Set<Application> getApplications() {
checkPermission(Permission.APP_READ);
return store.getApplications();
}
@Override
public ApplicationId getId(String name) {
checkPermission(Permission.APP_READ);
checkNotNull(name, "Name cannot be null");
return store.getId(name);
}
@Override
public Application getApplication(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getApplication(appId);
}
@Override
public ApplicationState getState(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getState(appId);
}
@Override
public Set<Permission> getPermissions(ApplicationId appId) {
checkPermission(Permission.APP_READ);
checkNotNull(appId, APP_ID_NULL);
return store.getPermissions(appId);
}
......@@ -155,11 +166,15 @@ public class ApplicationManager implements ApplicationService, ApplicationAdminS
@Override
public void addListener(ApplicationListener listener) {
checkPermission(Permission.APP_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(ApplicationListener listener) {
checkPermission(Permission.APP_EVENT);
listenerRegistry.removeListener(listener);
}
......
......@@ -28,6 +28,7 @@ import org.onosproject.cfg.ComponentConfigService;
import org.onosproject.cfg.ComponentConfigStore;
import org.onosproject.cfg.ComponentConfigStoreDelegate;
import org.onosproject.cfg.ConfigProperty;
import org.onosproject.core.Permission;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
......@@ -43,6 +44,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Implementation of the centralized component configuration service.
......@@ -84,11 +87,15 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public Set<String> getComponentNames() {
checkPermission(Permission.CONFIG_READ);
return ImmutableSet.copyOf(properties.keySet());
}
@Override
public void registerProperties(Class<?> componentClass) {
checkPermission(Permission.CONFIG_WRITE);
String componentName = componentClass.getName();
String resourceName = componentClass.getSimpleName() + RESOURCE_EXT;
try (InputStream ris = componentClass.getResourceAsStream(resourceName)) {
......@@ -111,6 +118,8 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public void unregisterProperties(Class<?> componentClass, boolean clear) {
checkPermission(Permission.CONFIG_WRITE);
String componentName = componentClass.getName();
checkNotNull(componentName, COMPONENT_NULL);
Map<String, ConfigProperty> cps = properties.remove(componentName);
......@@ -127,12 +136,16 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public Set<ConfigProperty> getProperties(String componentName) {
checkPermission(Permission.CONFIG_READ);
Map<String, ConfigProperty> map = properties.get(componentName);
return map != null ? ImmutableSet.copyOf(map.values()) : null;
}
@Override
public void setProperty(String componentName, String name, String value) {
checkPermission(Permission.CONFIG_WRITE);
checkNotNull(componentName, COMPONENT_NULL);
checkNotNull(name, PROPERTY_NULL);
store.setProperty(componentName, name, value);
......@@ -140,6 +153,8 @@ public class ComponentConfigManager implements ComponentConfigService {
@Override
public void unsetProperty(String componentName, String name) {
checkPermission(Permission.CONFIG_WRITE);
checkNotNull(componentName, COMPONENT_NULL);
checkNotNull(name, PROPERTY_NULL);
store.unsetProperty(componentName, name);
......
......@@ -33,6 +33,7 @@ import org.onosproject.cluster.ClusterStore;
import org.onosproject.cluster.ClusterStoreDelegate;
import org.onosproject.cluster.ControllerNode;
import org.onosproject.cluster.NodeId;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.event.EventDeliveryService;
import org.slf4j.Logger;
......@@ -42,6 +43,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Implementation of the cluster service.
......@@ -88,22 +91,30 @@ public class ClusterManager implements ClusterService, ClusterAdminService {
@Override
public ControllerNode getLocalNode() {
checkPermission(Permission.CLUSTER_READ);
return store.getLocalNode();
}
@Override
public Set<ControllerNode> getNodes() {
checkPermission(Permission.CLUSTER_READ);
return store.getNodes();
}
@Override
public ControllerNode getNode(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkNotNull(nodeId, INSTANCE_ID_NULL);
return store.getNode(nodeId);
}
@Override
public ControllerNode.State getState(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkNotNull(nodeId, INSTANCE_ID_NULL);
return store.getState(nodeId);
}
......@@ -111,6 +122,8 @@ public class ClusterManager implements ClusterService, ClusterAdminService {
@Override
public DateTime getLastUpdated(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
return store.getLastUpdated(nodeId);
}
......@@ -144,11 +157,15 @@ public class ClusterManager implements ClusterService, ClusterAdminService {
@Override
public void addListener(ClusterEventListener listener) {
checkPermission(Permission.CLUSTER_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(ClusterEventListener listener) {
checkPermission(Permission.CLUSTER_EVENT);
listenerRegistry.removeListener(listener);
}
......
......@@ -32,6 +32,7 @@ import org.onosproject.cluster.ControllerNode;
import org.onosproject.cluster.NodeId;
import org.onosproject.cluster.RoleInfo;
import org.onosproject.core.MetricsHelper;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.mastership.MastershipAdminService;
......@@ -62,6 +63,8 @@ import static org.onlab.metrics.MetricsUtil.stopTimer;
import static org.onosproject.cluster.ControllerNode.State.ACTIVE;
import static org.onosproject.net.MastershipRole.MASTER;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
@Component(immediate = true)
@Service
......@@ -142,12 +145,16 @@ public class MastershipManager
@Override
public MastershipRole getLocalRole(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getRole(clusterService.getLocalNode().id(), deviceId);
}
@Override
public void relinquishMastership(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_WRITE);
store.relinquishRole(clusterService.getLocalNode().id(), deviceId)
.whenComplete((event, error) -> {
if (event != null) {
......@@ -158,6 +165,8 @@ public class MastershipManager
@Override
public CompletableFuture<MastershipRole> requestRoleFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_WRITE);
checkNotNull(deviceId, DEVICE_ID_NULL);
final Context timer = startTimer(requestRoleTimer);
return store.requestRole(deviceId).whenComplete((result, error) -> stopTimer(timer));
......@@ -166,18 +175,24 @@ public class MastershipManager
@Override
public NodeId getMasterFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getMaster(deviceId);
}
@Override
public Set<DeviceId> getDevicesOf(NodeId nodeId) {
checkPermission(Permission.CLUSTER_READ);
checkNotNull(nodeId, NODE_ID_NULL);
return store.getDevices(nodeId);
}
@Override
public RoleInfo getNodesFor(DeviceId deviceId) {
checkPermission(Permission.CLUSTER_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getNodes(deviceId);
}
......@@ -189,12 +204,16 @@ public class MastershipManager
@Override
public void addListener(MastershipListener listener) {
checkPermission(Permission.CLUSTER_EVENT);
checkNotNull(listener);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(MastershipListener listener) {
checkPermission(Permission.CLUSTER_EVENT);
checkNotNull(listener);
listenerRegistry.removeListener(listener);
}
......
......@@ -31,6 +31,7 @@ import org.onosproject.core.ApplicationIdStore;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdBlockStore;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.core.Version;
import org.onosproject.event.EventDeliveryService;
import org.osgi.service.component.ComponentContext;
......@@ -44,6 +45,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Strings.isNullOrEmpty;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Core service implementation.
......@@ -97,21 +100,29 @@ public class CoreManager implements CoreService {
@Override
public Version version() {
checkPermission(Permission.APP_READ);
return version;
}
@Override
public Set<ApplicationId> getAppIds() {
checkPermission(Permission.APP_READ);
return applicationIdStore.getAppIds();
}
@Override
public ApplicationId getAppId(Short id) {
checkPermission(Permission.APP_READ);
return applicationIdStore.getAppId(id);
}
@Override
public ApplicationId getAppId(String name) {
checkPermission(Permission.APP_READ);
return applicationIdStore.getAppId(name);
}
......
......@@ -25,6 +25,7 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.cluster.ClusterService;
import org.onosproject.cluster.NodeId;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.mastership.MastershipEvent;
......@@ -68,6 +69,8 @@ import static java.util.concurrent.Executors.newSingleThreadScheduledExecutor;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.net.MastershipRole.*;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides implementation of the device SB &amp; NB APIs.
......@@ -148,45 +151,61 @@ public class DeviceManager
@Override
public int getDeviceCount() {
checkPermission(Permission.DEVICE_READ);
return store.getDeviceCount();
}
@Override
public Iterable<Device> getDevices() {
checkPermission(Permission.DEVICE_READ);
return store.getDevices();
}
@Override
public Iterable<Device> getAvailableDevices() {
checkPermission(Permission.DEVICE_READ);
return store.getAvailableDevices();
}
@Override
public Device getDevice(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDevice(deviceId);
}
@Override
public MastershipRole getRole(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return mastershipService.getLocalRole(deviceId);
}
@Override
public List<Port> getPorts(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPorts(deviceId);
}
@Override
public List<PortStatistics> getPortStatistics(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getPortStatistics(deviceId);
}
@Override
public Port getPort(DeviceId deviceId, PortNumber portNumber) {
checkPermission(Permission.DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
checkNotNull(portNumber, PORT_NUMBER_NULL);
return store.getPort(deviceId, portNumber);
......@@ -194,6 +213,8 @@ public class DeviceManager
@Override
public boolean isAvailable(DeviceId deviceId) {
checkPermission(Permission.DEVICE_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.isAvailable(deviceId);
}
......@@ -224,11 +245,15 @@ public class DeviceManager
@Override
public void addListener(DeviceListener listener) {
checkPermission(Permission.DEVICE_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(DeviceListener listener) {
checkPermission(Permission.DEVICE_EVENT);
listenerRegistry.removeListener(listener);
}
......
......@@ -24,6 +24,7 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.DeviceId;
import org.onosproject.net.device.DeviceService;
......@@ -45,6 +46,8 @@ import java.util.stream.Collectors;
import static org.onlab.util.Tools.nullIsNotFound;
import static org.onosproject.net.AnnotationKeys.DRIVER;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Manages inventory of device drivers.
......@@ -105,6 +108,8 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Set<Driver> getDrivers() {
checkPermission(Permission.DRIVER_READ);
ImmutableSet.Builder<Driver> builder = ImmutableSet.builder();
drivers.values().forEach(builder::add);
return builder.build();
......@@ -112,6 +117,8 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Set<Driver> getDrivers(Class<? extends Behaviour> withBehaviour) {
checkPermission(Permission.DRIVER_READ);
return drivers.values().stream()
.filter(d -> d.hasBehaviour(withBehaviour))
.collect(Collectors.toSet());
......@@ -119,11 +126,15 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Driver getDriver(String driverName) {
checkPermission(Permission.DRIVER_READ);
return nullIsNotFound(drivers.get(driverName), NO_DRIVER);
}
@Override
public Driver getDriver(String mfr, String hw, String sw) {
checkPermission(Permission.DRIVER_READ);
// First attempt a literal search.
Driver driver = driverByKey.get(key(mfr, hw, sw));
if (driver != null) {
......@@ -149,6 +160,8 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public Driver getDriver(DeviceId deviceId) {
checkPermission(Permission.DRIVER_READ);
Device device = nullIsNotFound(deviceService.getDevice(deviceId), NO_DEVICE);
String driverName = device.annotations().value(DRIVER);
if (driverName != null) {
......@@ -161,6 +174,8 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
@Override
public DriverHandler createHandler(DeviceId deviceId, String... credentials) {
checkPermission(Permission.DRIVER_WRITE);
Driver driver = getDriver(deviceId);
return new DefaultDriverHandler(new DefaultDriverData(driver));
}
......
......@@ -35,6 +35,7 @@ import org.onosproject.cfg.ComponentConfigService;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.net.Device;
......@@ -77,6 +78,8 @@ import java.util.concurrent.atomic.AtomicBoolean;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.onlab.util.Tools.groupedThreads;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides implementation of the flow NB &amp; SB APIs.
......@@ -167,16 +170,22 @@ public class FlowRuleManager
@Override
public int getFlowRuleCount() {
checkPermission(Permission.FLOWRULE_READ);
return store.getFlowRuleCount();
}
@Override
public Iterable<FlowEntry> getFlowEntries(DeviceId deviceId) {
checkPermission(Permission.FLOWRULE_READ);
return store.getFlowEntries(deviceId);
}
@Override
public void applyFlowRules(FlowRule... flowRules) {
checkPermission(Permission.FLOWRULE_WRITE);
FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
for (int i = 0; i < flowRules.length; i++) {
builder.add(flowRules[i]);
......@@ -186,6 +195,8 @@ public class FlowRuleManager
@Override
public void removeFlowRules(FlowRule... flowRules) {
checkPermission(Permission.FLOWRULE_WRITE);
FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
for (int i = 0; i < flowRules.length; i++) {
builder.remove(flowRules[i]);
......@@ -195,11 +206,15 @@ public class FlowRuleManager
@Override
public void removeFlowRulesById(ApplicationId id) {
checkPermission(Permission.FLOWRULE_WRITE);
removeFlowRules(Iterables.toArray(getFlowRulesById(id), FlowRule.class));
}
@Override
public Iterable<FlowRule> getFlowRulesById(ApplicationId id) {
checkPermission(Permission.FLOWRULE_READ);
Set<FlowRule> flowEntries = Sets.newHashSet();
for (Device d : deviceService.getDevices()) {
for (FlowEntry flowEntry : store.getFlowEntries(d.id())) {
......@@ -213,6 +228,8 @@ public class FlowRuleManager
@Override
public Iterable<FlowRule> getFlowRulesByGroupId(ApplicationId appId, short groupId) {
checkPermission(Permission.FLOWRULE_READ);
Set<FlowRule> matches = Sets.newHashSet();
long toLookUp = ((long) appId.id() << 16) | groupId;
for (Device d : deviceService.getDevices()) {
......@@ -227,16 +244,22 @@ public class FlowRuleManager
@Override
public void apply(FlowRuleOperations ops) {
checkPermission(Permission.FLOWRULE_WRITE);
operationsService.submit(new FlowOperationsProcessor(ops));
}
@Override
public void addListener(FlowRuleListener listener) {
checkPermission(Permission.FLOWRULE_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(FlowRuleListener listener) {
checkPermission(Permission.FLOWRULE_EVENT);
listenerRegistry.removeListener(listener);
}
......
......@@ -27,6 +27,7 @@ import org.onlab.osgi.DefaultServiceDirectory;
import org.onlab.osgi.ServiceDirectory;
import org.onlab.util.ItemNotFoundException;
import org.onosproject.cluster.ClusterService;
import org.onosproject.core.Permission;
import org.onosproject.mastership.MastershipEvent;
import org.onosproject.mastership.MastershipListener;
import org.onosproject.mastership.MastershipService;
......@@ -59,6 +60,8 @@ import java.util.concurrent.ExecutorService;
import static java.util.concurrent.Executors.newFixedThreadPool;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides implementation of the flow objective programming service.
......@@ -212,11 +215,15 @@ public class FlowObjectiveManager implements FlowObjectiveService {
@Override
public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
executorService.submit(new ObjectiveInstaller(deviceId, filteringObjective));
}
@Override
public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
if (queueObjective(deviceId, forwardingObjective)) {
return;
}
......@@ -225,11 +232,15 @@ public class FlowObjectiveManager implements FlowObjectiveService {
@Override
public void next(DeviceId deviceId, NextObjective nextObjective) {
checkPermission(Permission.FLOWRULE_WRITE);
executorService.submit(new ObjectiveInstaller(deviceId, nextObjective));
}
@Override
public int allocateNextId() {
checkPermission(Permission.FLOWRULE_WRITE);
return flowObjectiveStore.allocateNextId();
}
......
......@@ -27,6 +27,7 @@ import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.net.DeviceId;
......@@ -52,6 +53,9 @@ import org.onosproject.net.provider.AbstractProviderRegistry;
import org.onosproject.net.provider.AbstractProviderService;
import org.slf4j.Logger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides implementation of the group service APIs.
*/
......@@ -100,6 +104,8 @@ public class GroupManager
*/
@Override
public void addGroup(GroupDescription groupDesc) {
checkPermission(Permission.GROUP_WRITE);
log.trace("In addGroup API");
store.storeGroupDescription(groupDesc);
}
......@@ -119,6 +125,8 @@ public class GroupManager
*/
@Override
public Group getGroup(DeviceId deviceId, GroupKey appCookie) {
checkPermission(Permission.GROUP_READ);
log.trace("In getGroup API");
return store.getGroup(deviceId, appCookie);
}
......@@ -141,6 +149,8 @@ public class GroupManager
GroupBuckets buckets,
GroupKey newCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
log.trace("In addBucketsToGroup API");
store.updateGroupDescription(deviceId,
oldCookie,
......@@ -167,6 +177,8 @@ public class GroupManager
GroupBuckets buckets,
GroupKey newCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
log.trace("In removeBucketsFromGroup API");
store.updateGroupDescription(deviceId,
oldCookie,
......@@ -189,6 +201,8 @@ public class GroupManager
public void removeGroup(DeviceId deviceId,
GroupKey appCookie,
ApplicationId appId) {
checkPermission(Permission.GROUP_WRITE);
log.trace("In removeGroup API");
store.deleteGroupDescription(deviceId, appCookie);
}
......@@ -204,12 +218,16 @@ public class GroupManager
@Override
public Iterable<Group> getGroups(DeviceId deviceId,
ApplicationId appId) {
checkPermission(Permission.GROUP_READ);
log.trace("In getGroups API");
return store.getGroups(deviceId);
}
@Override
public Iterable<Group> getGroups(DeviceId deviceId) {
checkPermission(Permission.GROUP_READ);
log.trace("In getGroups API");
return store.getGroups(deviceId);
}
......@@ -221,6 +239,8 @@ public class GroupManager
*/
@Override
public void addListener(GroupListener listener) {
checkPermission(Permission.GROUP_EVENT);
log.trace("In addListener API");
listenerRegistry.addListener(listener);
}
......@@ -232,6 +252,8 @@ public class GroupManager
*/
@Override
public void removeListener(GroupListener listener) {
checkPermission(Permission.GROUP_EVENT);
log.trace("In removeListener API");
listenerRegistry.removeListener(listener);
}
......
......@@ -24,6 +24,7 @@ import org.apache.felix.scr.annotations.Service;
import org.onlab.packet.IpAddress;
import org.onlab.packet.MacAddress;
import org.onlab.packet.VlanId;
import org.onosproject.core.Permission;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.net.ConnectPoint;
......@@ -51,6 +52,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides basic implementation of the host SB &amp; NB APIs.
......@@ -109,56 +112,76 @@ public class HostManager
@Override
public int getHostCount() {
checkPermission(Permission.HOST_READ);
return store.getHostCount();
}
@Override
public Iterable<Host> getHosts() {
checkPermission(Permission.HOST_READ);
return store.getHosts();
}
@Override
public Host getHost(HostId hostId) {
checkPermission(Permission.HOST_READ);
checkNotNull(hostId, HOST_ID_NULL);
return store.getHost(hostId);
}
@Override
public Set<Host> getHostsByVlan(VlanId vlanId) {
checkPermission(Permission.HOST_READ);
return store.getHosts(vlanId);
}
@Override
public Set<Host> getHostsByMac(MacAddress mac) {
checkPermission(Permission.HOST_READ);
checkNotNull(mac, "MAC address cannot be null");
return store.getHosts(mac);
}
@Override
public Set<Host> getHostsByIp(IpAddress ip) {
checkPermission(Permission.HOST_READ);
checkNotNull(ip, "IP address cannot be null");
return store.getHosts(ip);
}
@Override
public Set<Host> getConnectedHosts(ConnectPoint connectPoint) {
checkPermission(Permission.HOST_READ);
checkNotNull(connectPoint, "Connection point cannot be null");
return store.getConnectedHosts(connectPoint);
}
@Override
public Set<Host> getConnectedHosts(DeviceId deviceId) {
checkPermission(Permission.HOST_READ);
checkNotNull(deviceId, "Device ID cannot be null");
return store.getConnectedHosts(deviceId);
}
@Override
public void startMonitoringIp(IpAddress ip) {
checkPermission(Permission.HOST_EVENT);
monitor.addMonitoringFor(ip);
}
@Override
public void stopMonitoringIp(IpAddress ip) {
checkPermission(Permission.HOST_EVENT);
monitor.stopMonitoring(ip);
}
......@@ -169,11 +192,15 @@ public class HostManager
@Override
public void addListener(HostListener listener) {
checkPermission(Permission.HOST_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(HostListener listener) {
checkPermission(Permission.HOST_EVENT);
listenerRegistry.removeListener(listener);
}
......@@ -203,11 +230,15 @@ public class HostManager
@Override
public Set<PortAddresses> getAddressBindings() {
checkPermission(Permission.HOST_READ);
return store.getAddressBindings();
}
@Override
public Set<PortAddresses> getAddressBindingsForPort(ConnectPoint connectPoint) {
checkPermission(Permission.HOST_READ);
return store.getAddressBindingsForPort(connectPoint);
}
......
......@@ -24,6 +24,7 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.CoreService;
import org.onosproject.core.IdGenerator;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.net.flow.FlowRule;
......@@ -65,6 +66,8 @@ import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.net.intent.IntentState.*;
import static org.onosproject.net.intent.impl.phase.IntentProcessPhase.newInitialPhase;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* An implementation of Intent Manager.
......@@ -139,6 +142,8 @@ public class IntentManager
@Override
public void submit(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.INSTALL_REQ, null);
store.addPending(data);
......@@ -146,6 +151,8 @@ public class IntentManager
@Override
public void withdraw(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.WITHDRAW_REQ, null);
store.addPending(data);
......@@ -153,6 +160,8 @@ public class IntentManager
@Override
public void purge(Intent intent) {
checkPermission(Permission.INTENT_WRITE);
checkNotNull(intent, INTENT_NULL);
IntentData data = new IntentData(intent, IntentState.PURGE_REQ, null);
store.addPending(data);
......@@ -160,43 +169,59 @@ public class IntentManager
@Override
public Intent getIntent(Key key) {
checkPermission(Permission.INTENT_READ);
return store.getIntent(key);
}
@Override
public Iterable<Intent> getIntents() {
checkPermission(Permission.INTENT_READ);
return store.getIntents();
}
@Override
public long getIntentCount() {
checkPermission(Permission.INTENT_READ);
return store.getIntentCount();
}
@Override
public IntentState getIntentState(Key intentKey) {
checkPermission(Permission.INTENT_READ);
checkNotNull(intentKey, INTENT_ID_NULL);
return store.getIntentState(intentKey);
}
@Override
public List<Intent> getInstallableIntents(Key intentKey) {
checkPermission(Permission.INTENT_READ);
checkNotNull(intentKey, INTENT_ID_NULL);
return store.getInstallableIntents(intentKey);
}
@Override
public boolean isLocal(Key intentKey) {
checkPermission(Permission.INTENT_READ);
return store.isMaster(intentKey);
}
@Override
public void addListener(IntentListener listener) {
checkPermission(Permission.INTENT_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(IntentListener listener) {
checkPermission(Permission.INTENT_EVENT);
listenerRegistry.removeListener(listener);
}
......@@ -217,6 +242,8 @@ public class IntentManager
@Override
public Iterable<Intent> getPending() {
checkPermission(Permission.INTENT_READ);
return store.getPending();
}
......
......@@ -24,6 +24,7 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.net.ConnectPoint;
......@@ -52,6 +53,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides basic implementation of the link SB &amp; NB APIs.
......@@ -102,16 +105,22 @@ public class LinkManager
@Override
public int getLinkCount() {
checkPermission(Permission.LINK_READ);
return store.getLinkCount();
}
@Override
public Iterable<Link> getLinks() {
checkPermission(Permission.LINK_READ);
return store.getLinks();
}
@Override
public Iterable<Link> getActiveLinks() {
checkPermission(Permission.LINK_READ);
return FluentIterable.from(getLinks())
.filter(new Predicate<Link>() {
......@@ -124,6 +133,8 @@ public class LinkManager
@Override
public Set<Link> getDeviceLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return Sets.union(store.getDeviceEgressLinks(deviceId),
store.getDeviceIngressLinks(deviceId));
......@@ -131,18 +142,24 @@ public class LinkManager
@Override
public Set<Link> getDeviceEgressLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDeviceEgressLinks(deviceId);
}
@Override
public Set<Link> getDeviceIngressLinks(DeviceId deviceId) {
checkPermission(Permission.LINK_READ);
checkNotNull(deviceId, DEVICE_ID_NULL);
return store.getDeviceIngressLinks(deviceId);
}
@Override
public Set<Link> getLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return Sets.union(store.getEgressLinks(connectPoint),
store.getIngressLinks(connectPoint));
......@@ -150,18 +167,24 @@ public class LinkManager
@Override
public Set<Link> getEgressLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return store.getEgressLinks(connectPoint);
}
@Override
public Set<Link> getIngressLinks(ConnectPoint connectPoint) {
checkPermission(Permission.LINK_READ);
checkNotNull(connectPoint, CONNECT_POINT_NULL);
return store.getIngressLinks(connectPoint);
}
@Override
public Link getLink(ConnectPoint src, ConnectPoint dst) {
checkPermission(Permission.LINK_READ);
checkNotNull(src, CONNECT_POINT_NULL);
checkNotNull(dst, CONNECT_POINT_NULL);
return store.getLink(src, dst);
......@@ -185,11 +208,15 @@ public class LinkManager
@Override
public void addListener(LinkListener listener) {
checkPermission(Permission.LINK_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(LinkListener listener) {
checkPermission(Permission.LINK_EVENT);
listenerRegistry.removeListener(listener);
}
......
......@@ -23,6 +23,7 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.CoreService;
import org.onosproject.core.Permission;
import org.onosproject.net.Device;
import org.onosproject.net.device.DeviceEvent;
import org.onosproject.net.device.DeviceListener;
......@@ -60,6 +61,8 @@ import java.util.concurrent.ConcurrentHashMap;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides a basic implementation of the packet SB &amp; NB APIs.
......@@ -113,12 +116,16 @@ public class PacketManager
@Override
public void addProcessor(PacketProcessor processor, int priority) {
checkPermission(Permission.PACKET_EVENT);
checkNotNull(processor, "Processor cannot be null");
processors.put(priority, processor);
}
@Override
public void removeProcessor(PacketProcessor processor) {
checkPermission(Permission.PACKET_EVENT);
checkNotNull(processor, "Processor cannot be null");
processors.values().remove(processor);
}
......@@ -126,6 +133,8 @@ public class PacketManager
@Override
public void requestPackets(TrafficSelector selector, PacketPriority priority,
ApplicationId appId) {
checkPermission(Permission.PACKET_READ);
checkNotNull(selector, "Selector cannot be null");
checkNotNull(appId, "Application ID cannot be null");
......@@ -140,6 +149,8 @@ public class PacketManager
@Override
public void requestPackets(TrafficSelector selector, PacketPriority priority,
ApplicationId appId, FlowRule.Type tableType) {
checkPermission(Permission.PACKET_READ);
checkNotNull(selector, "Selector cannot be null");
checkNotNull(appId, "Application ID cannot be null");
checkNotNull(tableType, "Table Type cannot be null. For requesting packets +"
......@@ -205,6 +216,8 @@ public class PacketManager
@Override
public void emit(OutboundPacket packet) {
checkPermission(Permission.PACKET_WRITE);
checkNotNull(packet, "Packet cannot be null");
store.emit(packet);
......
......@@ -36,6 +36,7 @@ import org.onlab.packet.VlanId;
import org.onlab.packet.ndp.NeighborAdvertisement;
import org.onlab.packet.ndp.NeighborDiscoveryOptions;
import org.onlab.packet.ndp.NeighborSolicitation;
import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.Device;
import org.onosproject.net.Host;
......@@ -70,6 +71,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
@Component(immediate = true)
@Service
......@@ -123,6 +126,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public boolean isKnown(IpAddress addr) {
checkPermission(Permission.PACKET_READ);
checkNotNull(addr, MAC_ADDR_NULL);
Set<Host> hosts = hostService.getHostsByIp(addr);
return !hosts.isEmpty();
......@@ -130,6 +135,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public void reply(Ethernet eth, ConnectPoint inPort) {
checkPermission(Permission.PACKET_WRITE);
checkNotNull(eth, REQUEST_NULL);
if (eth.getEtherType() == Ethernet.TYPE_ARP) {
......@@ -353,6 +360,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public void forward(Ethernet eth, ConnectPoint inPort) {
checkPermission(Permission.PACKET_WRITE);
checkNotNull(eth, REQUEST_NULL);
Host h = hostService.getHost(HostId.hostId(eth.getDestinationMAC(),
......@@ -371,6 +380,8 @@ public class ProxyArpManager implements ProxyArpService {
@Override
public boolean handlePacket(PacketContext context) {
checkPermission(Permission.PACKET_WRITE);
InboundPacket pkt = context.inPacket();
Ethernet ethPkt = pkt.parsed();
......
......@@ -21,6 +21,7 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.event.EventDeliveryService;
import org.onosproject.net.Link;
......@@ -56,6 +57,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides basic implementation of link resources allocation.
......@@ -150,6 +153,8 @@ public class LinkResourceManager implements LinkResourceService {
@Override
public LinkResourceAllocations requestResources(LinkResourceRequest req) {
checkPermission(Permission.LINK_WRITE);
// TODO Concatenate multiple bandwidth requests.
// TODO Support multiple lambda resource requests.
// TODO Throw appropriate exception.
......@@ -211,6 +216,8 @@ public class LinkResourceManager implements LinkResourceService {
@Override
public void releaseResources(LinkResourceAllocations allocations) {
checkPermission(Permission.LINK_WRITE);
final LinkResourceEvent event = store.releaseResources(allocations);
if (event != null) {
post(event);
......@@ -220,27 +227,37 @@ public class LinkResourceManager implements LinkResourceService {
@Override
public LinkResourceAllocations updateResources(LinkResourceRequest req,
LinkResourceAllocations oldAllocations) {
releaseResources(oldAllocations);
checkPermission(Permission.LINK_WRITE);
releaseResources(oldAllocations);
return requestResources(req);
}
@Override
public Iterable<LinkResourceAllocations> getAllocations() {
checkPermission(Permission.LINK_READ);
return store.getAllocations();
}
@Override
public Iterable<LinkResourceAllocations> getAllocations(Link link) {
checkPermission(Permission.LINK_READ);
return store.getAllocations(link);
}
@Override
public LinkResourceAllocations getAllocations(IntentId intentId) {
checkPermission(Permission.LINK_READ);
return store.getAllocations(intentId);
}
@Override
public Iterable<ResourceRequest> getAvailableResources(Link link) {
checkPermission(Permission.LINK_READ);
Set<ResourceAllocation> freeRes = store.getFreeResources(link);
Set<ResourceRequest> result = new HashSet<>();
for (ResourceAllocation alloc : freeRes) {
......@@ -265,6 +282,8 @@ public class LinkResourceManager implements LinkResourceService {
@Override
public Iterable<ResourceRequest> getAvailableResources(Link link,
LinkResourceAllocations allocations) {
checkPermission(Permission.LINK_READ);
Set<ResourceRequest> result = new HashSet<>();
Set<ResourceAllocation> allocatedRes = allocations.getResourceAllocation(link);
result = (Set<ResourceRequest>) getAvailableResources(link);
......@@ -274,11 +293,15 @@ public class LinkResourceManager implements LinkResourceService {
@Override
public void addListener(LinkResourceListener listener) {
checkPermission(Permission.LINK_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(LinkResourceListener listener) {
checkPermission(Permission.LINK_EVENT);
listenerRegistry.removeListener(listener);
}
......
......@@ -27,6 +27,7 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.GroupId;
import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.Link;
import org.onosproject.net.Path;
......@@ -49,6 +50,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides an implementation of the Statistic Service.
......@@ -83,11 +86,15 @@ public class StatisticManager implements StatisticService {
@Override
public Load load(Link link) {
return load(link.src());
checkPermission(Permission.STATISTIC_READ);
return load(link.src());
}
@Override
public Load load(Link link, ApplicationId appId, Optional<GroupId> groupId) {
checkPermission(Permission.STATISTIC_READ);
Statistics stats = getStatistics(link.src());
if (!stats.isValid()) {
return new DefaultLoad();
......@@ -107,11 +114,15 @@ public class StatisticManager implements StatisticService {
@Override
public Load load(ConnectPoint connectPoint) {
checkPermission(Permission.STATISTIC_READ);
return loadInternal(connectPoint);
}
@Override
public Link max(Path path) {
checkPermission(Permission.STATISTIC_READ);
if (path.links().isEmpty()) {
return null;
}
......@@ -129,6 +140,8 @@ public class StatisticManager implements StatisticService {
@Override
public Link min(Path path) {
checkPermission(Permission.STATISTIC_READ);
if (path.links().isEmpty()) {
return null;
}
......@@ -146,6 +159,8 @@ public class StatisticManager implements StatisticService {
@Override
public FlowRule highestHitter(ConnectPoint connectPoint) {
checkPermission(Permission.STATISTIC_READ);
Set<FlowEntry> hitters = statisticStore.getCurrentStatistic(connectPoint);
if (hitters.isEmpty()) {
return null;
......
......@@ -24,6 +24,7 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.DefaultEdgeLink;
import org.onosproject.net.DefaultPath;
......@@ -49,6 +50,8 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides implementation of a path selection service atop the current
......@@ -85,11 +88,15 @@ public class PathManager implements PathService {
@Override
public Set<Path> getPaths(ElementId src, ElementId dst) {
checkPermission(Permission.TOPOLOGY_READ);
return getPaths(src, dst, null);
}
@Override
public Set<Path> getPaths(ElementId src, ElementId dst, LinkWeight weight) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(src, ELEMENT_ID_NULL);
checkNotNull(dst, ELEMENT_ID_NULL);
......
......@@ -21,6 +21,7 @@ import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.onosproject.core.Permission;
import org.onosproject.event.ListenerRegistry;
import org.onosproject.event.Event;
import org.onosproject.event.EventDeliveryService;
......@@ -51,6 +52,7 @@ import java.util.Set;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.slf4j.LoggerFactory.getLogger;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Provides basic implementation of the topology SB &amp; NB APIs.
......@@ -97,23 +99,31 @@ public class TopologyManager
@Override
public Topology currentTopology() {
checkPermission(Permission.TOPOLOGY_READ);
return store.currentTopology();
}
@Override
public boolean isLatest(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.isLatest(topology);
}
@Override
public Set<TopologyCluster> getClusters(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.getClusters(topology);
}
@Override
public TopologyCluster getCluster(Topology topology, ClusterId clusterId) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_ID_NULL);
return store.getCluster(topology, clusterId);
......@@ -121,6 +131,8 @@ public class TopologyManager
@Override
public Set<DeviceId> getClusterDevices(Topology topology, TopologyCluster cluster) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_NULL);
return store.getClusterDevices(topology, cluster);
......@@ -128,6 +140,8 @@ public class TopologyManager
@Override
public Set<Link> getClusterLinks(Topology topology, TopologyCluster cluster) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(topology, CLUSTER_NULL);
return store.getClusterLinks(topology, cluster);
......@@ -135,12 +149,16 @@ public class TopologyManager
@Override
public TopologyGraph getGraph(Topology topology) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
return store.getGraph(topology);
}
@Override
public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(src, DEVICE_ID_NULL);
checkNotNull(dst, DEVICE_ID_NULL);
......@@ -149,6 +167,8 @@ public class TopologyManager
@Override
public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst, LinkWeight weight) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(src, DEVICE_ID_NULL);
checkNotNull(dst, DEVICE_ID_NULL);
......@@ -158,6 +178,8 @@ public class TopologyManager
@Override
public boolean isInfrastructure(Topology topology, ConnectPoint connectPoint) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(connectPoint, CONNECTION_POINT_NULL);
return store.isInfrastructure(topology, connectPoint);
......@@ -165,6 +187,8 @@ public class TopologyManager
@Override
public boolean isBroadcastPoint(Topology topology, ConnectPoint connectPoint) {
checkPermission(Permission.TOPOLOGY_READ);
checkNotNull(topology, TOPOLOGY_NULL);
checkNotNull(connectPoint, CONNECTION_POINT_NULL);
return store.isBroadcastPoint(topology, connectPoint);
......@@ -172,11 +196,15 @@ public class TopologyManager
@Override
public void addListener(TopologyListener listener) {
checkPermission(Permission.TOPOLOGY_EVENT);
listenerRegistry.addListener(listener);
}
@Override
public void removeListener(TopologyListener listener) {
checkPermission(Permission.TOPOLOGY_EVENT);
listenerRegistry.removeListener(listener);
}
......
......@@ -47,14 +47,19 @@
<artifactId>onos-api</artifactId>
</dependency>
<dependency>
<groupId>org.onosproject</groupId>
<artifactId>onos-security-util</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.karaf.features</groupId>
<artifactId>org.apache.karaf.features.core</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-scr-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
\ No newline at end of file
......
......@@ -5,7 +5,7 @@ import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import org.apache.commons.collections.FastHashMap;
import org.onosproject.core.Permission;
import org.onosproject.security.util.AppPermission;
import org.onosproject.security.AppPermission;
import org.osgi.service.permissionadmin.PermissionInfo;
import org.onosproject.app.ApplicationAdminService;
......
......@@ -17,7 +17,7 @@ import org.onosproject.app.ApplicationState;
import org.onosproject.core.Application;
import org.onosproject.core.ApplicationId;
import org.onosproject.core.Permission;
import org.onosproject.security.util.AppPermission;
import org.onosproject.security.AppPermission;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleEvent;
......@@ -109,7 +109,6 @@ public class SecurityModeManager {
permissionAdmin.setPermissions(bundle.getLocation(), allPerm);
log.warn("Security-Mode Started");
}
......
......@@ -14,7 +14,6 @@
<artifactId>onos-security</artifactId>
<packaging>pom</packaging>
<modules>
<module>util</module>
<module>impl</module>
</modules>
......
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<artifactId>onos-security</artifactId>
<groupId>org.onosproject</groupId>
<version>1.2.0-SNAPSHOT</version>
</parent>
<artifactId>onos-security-util</artifactId>
<packaging>bundle</packaging>
</project>
/*
* Copyright 2015 Open Networking Laboratory
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Security mode utilities.
*/
package org.onosproject.security.util;
\ No newline at end of file
......@@ -132,9 +132,9 @@
<feature name="onos-security" version="@FEATURE-VERSION"
description="Security-Mode ONOS">
<!--<bundle>mvn:org.onosproject/onos-security-felix/2.2.0-ONOS</bundle>-->
<feature>onos-api</feature>
<bundle>mvn:org.onosproject/org.apache.felix.framework.security/2.2.0.onos-SNAPSHOT</bundle>
<bundle>mvn:org.onosproject/onos-security-impl/@ONOS-VERSION</bundle>
<bundle>mvn:org.onosproject/onos-security-util/@ONOS-VERSION</bundle>
</feature>
<!-- Deprecated! For standalone testing only. -->
......
......@@ -17,6 +17,7 @@ package org.onosproject.openflow.controller;
import org.onlab.packet.Ethernet;
import org.onosproject.core.Permission;
import org.projectfloodlight.openflow.protocol.OFPacketIn;
import org.projectfloodlight.openflow.protocol.OFPacketOut;
import org.projectfloodlight.openflow.protocol.OFVersion;
......@@ -30,6 +31,9 @@ import java.nio.BufferUnderflowException;
import java.util.Collections;
import java.util.concurrent.atomic.AtomicBoolean;
import static org.onosproject.security.AppGuard.checkPermission;
/**
* Default implementation of an OpenFlowPacketContext.
*/
......@@ -51,6 +55,8 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public void send() {
checkPermission(Permission.PACKET_WRITE);
if (block() && isBuilt.get()) {
sw.sendMsg(pktout);
}
......@@ -89,6 +95,8 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Ethernet parsed() {
checkPermission(Permission.PACKET_READ);
Ethernet eth = new Ethernet();
try {
eth.deserialize(pktin.getData(), 0, pktin.getData().length);
......@@ -100,6 +108,8 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Dpid dpid() {
checkPermission(Permission.PACKET_READ);
return new Dpid(sw.getId());
}
......@@ -117,6 +127,8 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public Integer inPort() {
checkPermission(Permission.PACKET_READ);
return pktinInPort().getPortNumber();
}
......@@ -129,6 +141,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public byte[] unparsed() {
checkPermission(Permission.PACKET_READ);
return pktin.getData().clone();
......@@ -144,16 +157,22 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
@Override
public boolean block() {
checkPermission(Permission.PACKET_WRITE);
return free.getAndSet(false);
}
@Override
public boolean isHandled() {
checkPermission(Permission.PACKET_READ);
return !free.get();
}
@Override
public boolean isBuffered() {
checkPermission(Permission.PACKET_READ);
return isBuffered;
}
......