Committed by
Gerrit Code Review
ONOS-4507,ONOS-4774, ONOS-4775, ONOS-4776 + some minor fixes
Change-Id: I9eaf17b03899074d4b63e01e920fada6797158a0
Showing
20 changed files
with
259 additions
and
114 deletions
... | @@ -45,6 +45,12 @@ public class ReviewCommand extends AbstractShellCommand { | ... | @@ -45,6 +45,12 @@ public class ReviewCommand extends AbstractShellCommand { |
45 | required = false, multiValued = false) | 45 | required = false, multiValued = false) |
46 | String accept = null; | 46 | String accept = null; |
47 | 47 | ||
48 | + | ||
49 | + public static final String ANSI_RESET = "\u001B[0m"; | ||
50 | + public static final String ANSI_RED = "\u001B[31m"; | ||
51 | + public static final String ANSI_GREEN = "\u001B[32m"; | ||
52 | + public static final String ANSI_YELLOW = "\u001B[33m"; | ||
53 | + | ||
48 | @Override | 54 | @Override |
49 | protected void execute() { | 55 | protected void execute() { |
50 | ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class); | 56 | ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class); |
... | @@ -86,38 +92,64 @@ public class ReviewCommand extends AbstractShellCommand { | ... | @@ -86,38 +92,64 @@ public class ReviewCommand extends AbstractShellCommand { |
86 | print(""); | 92 | print(""); |
87 | 93 | ||
88 | } | 94 | } |
95 | + | ||
96 | + /** | ||
97 | + * TYPES. | ||
98 | + * 0 - APP_PERM | ||
99 | + * 1 - ADMIN SERVICE | ||
100 | + * 2 - NB_SERVICE | ||
101 | + * 3 - SB_SERVICE | ||
102 | + * 4 - CLI_SERVICE | ||
103 | + * 5 - ETC_SERVICE | ||
104 | + * 6 - CRITICAL PERMISSIONS | ||
105 | + * 7 - ETC | ||
106 | + **/ | ||
89 | private void printMap(Map<Integer, List<Permission>> assortedMap) { | 107 | private void printMap(Map<Integer, List<Permission>> assortedMap) { |
90 | - for (Integer type : assortedMap.keySet()) { | 108 | + |
91 | - switch (type) { | 109 | + for (Permission perm: assortedMap.get(0)) { // APP PERM |
92 | - case 0: | 110 | + if (perm.getName().contains("WRITE")) { |
93 | - for (Permission perm: assortedMap.get(0)) { | 111 | + printYellow("\t[APP PERMISSION] " + perm.getName()); |
94 | - print("\t[APP PERMISSION] " + perm.getName()); | 112 | + } else { |
95 | - } | 113 | + printGreen("\t[APP PERMISSION] " + perm.getName()); |
96 | - break; | ||
97 | - case 1: | ||
98 | - for (Permission perm: assortedMap.get(1)) { | ||
99 | - print("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | ||
100 | - } | ||
101 | - break; | ||
102 | - case 2: | ||
103 | - for (Permission perm: assortedMap.get(2)) { | ||
104 | - print("\t[NB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | ||
105 | - } | ||
106 | - break; | ||
107 | - case 3: | ||
108 | - for (Permission perm: assortedMap.get(3)) { | ||
109 | - print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | ||
110 | - } | ||
111 | - break; | ||
112 | - case 4: | ||
113 | - for (Permission perm: assortedMap.get(4)) { | ||
114 | - print("\t[Other] " + perm.getClass().getSimpleName() + | ||
115 | - " " + perm.getName() + " (" + perm.getActions() + ")"); | ||
116 | - } | ||
117 | - break; | ||
118 | - default: | ||
119 | - break; | ||
120 | } | 114 | } |
121 | } | 115 | } |
116 | + | ||
117 | + for (Permission perm: assortedMap.get(4)) { | ||
118 | + printGreen("\t[CLI SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | ||
119 | + } | ||
120 | + | ||
121 | + for (Permission perm: assortedMap.get(5)) { | ||
122 | + printYellow("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | ||
123 | + } | ||
124 | + | ||
125 | + for (Permission perm: assortedMap.get(7)) { | ||
126 | + printYellow("\t[Other] " + perm.getClass().getSimpleName() + | ||
127 | + " " + perm.getName() + " (" + perm.getActions() + ")"); | ||
128 | + } | ||
129 | + | ||
130 | + for (Permission perm: assortedMap.get(1)) { // ADMIN SERVICES | ||
131 | + printRed("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | ||
132 | + } | ||
133 | + | ||
134 | + for (Permission perm: assortedMap.get(3)) { // ADMIN SERVICES | ||
135 | + printRed("\t[SB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")"); | ||
136 | + } | ||
137 | + | ||
138 | + for (Permission perm: assortedMap.get(6)) { // CRITICAL SERVICES | ||
139 | + printRed("\t[CRITICAL PERMISSION] " + perm.getClass().getSimpleName() + | ||
140 | + " " + perm.getName() + " (" + perm.getActions() + ")"); | ||
141 | + } | ||
142 | + } | ||
143 | + | ||
144 | + private void printRed(String format, Object... args) { | ||
145 | + print(ANSI_RED + String.format(format, args) + ANSI_RESET); | ||
146 | + } | ||
147 | + | ||
148 | + private void printYellow(String format, Object... args) { | ||
149 | + print(ANSI_YELLOW + String.format(format, args) + ANSI_RESET); | ||
150 | + } | ||
151 | + | ||
152 | + private void printGreen(String format, Object... args) { | ||
153 | + print(ANSI_GREEN + String.format(format, args) + ANSI_RESET); | ||
122 | } | 154 | } |
123 | } | 155 | } | ... | ... |
... | @@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission { | ... | @@ -82,7 +82,8 @@ public class AppPermission extends BasicPermission { |
82 | TUNNEL_WRITE, | 82 | TUNNEL_WRITE, |
83 | TUNNEL_EVENT, | 83 | TUNNEL_EVENT, |
84 | UI_READ, | 84 | UI_READ, |
85 | - UI_WRITE | 85 | + UI_WRITE, |
86 | + ADMIN | ||
86 | } | 87 | } |
87 | 88 | ||
88 | protected Type type; | 89 | protected Type type; | ... | ... |
... | @@ -55,6 +55,7 @@ import static org.onosproject.app.ApplicationEvent.Type.APP_DEACTIVATED; | ... | @@ -55,6 +55,7 @@ import static org.onosproject.app.ApplicationEvent.Type.APP_DEACTIVATED; |
55 | import static org.onosproject.app.ApplicationEvent.Type.APP_INSTALLED; | 55 | import static org.onosproject.app.ApplicationEvent.Type.APP_INSTALLED; |
56 | import static org.onosproject.app.ApplicationEvent.Type.APP_UNINSTALLED; | 56 | import static org.onosproject.app.ApplicationEvent.Type.APP_UNINSTALLED; |
57 | import static org.onosproject.security.AppGuard.checkPermission; | 57 | import static org.onosproject.security.AppGuard.checkPermission; |
58 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
58 | import static org.onosproject.security.AppPermission.Type.APP_READ; | 59 | import static org.onosproject.security.AppPermission.Type.APP_READ; |
59 | import static org.slf4j.LoggerFactory.getLogger; | 60 | import static org.slf4j.LoggerFactory.getLogger; |
60 | 61 | ||
... | @@ -151,6 +152,7 @@ public class ApplicationManager | ... | @@ -151,6 +152,7 @@ public class ApplicationManager |
151 | 152 | ||
152 | @Override | 153 | @Override |
153 | public Application install(InputStream appDescStream) { | 154 | public Application install(InputStream appDescStream) { |
155 | + checkPermission(ADMIN); | ||
154 | checkNotNull(appDescStream, "Application archive stream cannot be null"); | 156 | checkNotNull(appDescStream, "Application archive stream cannot be null"); |
155 | Application app = store.create(appDescStream); | 157 | Application app = store.create(appDescStream); |
156 | SecurityUtil.register(app.id()); | 158 | SecurityUtil.register(app.id()); |
... | @@ -159,12 +161,14 @@ public class ApplicationManager | ... | @@ -159,12 +161,14 @@ public class ApplicationManager |
159 | 161 | ||
160 | @Override | 162 | @Override |
161 | public void uninstall(ApplicationId appId) { | 163 | public void uninstall(ApplicationId appId) { |
164 | + checkPermission(ADMIN); | ||
162 | checkNotNull(appId, APP_ID_NULL); | 165 | checkNotNull(appId, APP_ID_NULL); |
163 | updateStoreAndWaitForNotificationHandling(appId, store::remove); | 166 | updateStoreAndWaitForNotificationHandling(appId, store::remove); |
164 | } | 167 | } |
165 | 168 | ||
166 | @Override | 169 | @Override |
167 | public void activate(ApplicationId appId) { | 170 | public void activate(ApplicationId appId) { |
171 | + checkPermission(ADMIN); | ||
168 | checkNotNull(appId, APP_ID_NULL); | 172 | checkNotNull(appId, APP_ID_NULL); |
169 | if (!SecurityUtil.isAppSecured(appId)) { | 173 | if (!SecurityUtil.isAppSecured(appId)) { |
170 | return; | 174 | return; |
... | @@ -174,12 +178,14 @@ public class ApplicationManager | ... | @@ -174,12 +178,14 @@ public class ApplicationManager |
174 | 178 | ||
175 | @Override | 179 | @Override |
176 | public void deactivate(ApplicationId appId) { | 180 | public void deactivate(ApplicationId appId) { |
181 | + checkPermission(ADMIN); | ||
177 | checkNotNull(appId, APP_ID_NULL); | 182 | checkNotNull(appId, APP_ID_NULL); |
178 | updateStoreAndWaitForNotificationHandling(appId, store::deactivate); | 183 | updateStoreAndWaitForNotificationHandling(appId, store::deactivate); |
179 | } | 184 | } |
180 | 185 | ||
181 | @Override | 186 | @Override |
182 | public void setPermissions(ApplicationId appId, Set<Permission> permissions) { | 187 | public void setPermissions(ApplicationId appId, Set<Permission> permissions) { |
188 | + checkPermission(ADMIN); | ||
183 | checkNotNull(appId, APP_ID_NULL); | 189 | checkNotNull(appId, APP_ID_NULL); |
184 | checkNotNull(permissions, "Permissions cannot be null"); | 190 | checkNotNull(permissions, "Permissions cannot be null"); |
185 | store.setPermissions(appId, permissions); | 191 | store.setPermissions(appId, permissions); | ... | ... |
... | @@ -58,6 +58,7 @@ import java.util.concurrent.atomic.AtomicReference; | ... | @@ -58,6 +58,7 @@ import java.util.concurrent.atomic.AtomicReference; |
58 | import static com.google.common.base.Preconditions.checkArgument; | 58 | import static com.google.common.base.Preconditions.checkArgument; |
59 | import static com.google.common.base.Preconditions.checkNotNull; | 59 | import static com.google.common.base.Preconditions.checkNotNull; |
60 | import static org.onosproject.security.AppGuard.checkPermission; | 60 | import static org.onosproject.security.AppGuard.checkPermission; |
61 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
61 | import static org.onosproject.security.AppPermission.Type.CLUSTER_READ; | 62 | import static org.onosproject.security.AppPermission.Type.CLUSTER_READ; |
62 | import static org.slf4j.LoggerFactory.getLogger; | 63 | import static org.slf4j.LoggerFactory.getLogger; |
63 | 64 | ||
... | @@ -135,6 +136,7 @@ public class ClusterManager | ... | @@ -135,6 +136,7 @@ public class ClusterManager |
135 | 136 | ||
136 | @Override | 137 | @Override |
137 | public void markFullyStarted(boolean started) { | 138 | public void markFullyStarted(boolean started) { |
139 | + checkPermission(ADMIN); | ||
138 | store.markFullyStarted(started); | 140 | store.markFullyStarted(started); |
139 | } | 141 | } |
140 | 142 | ||
... | @@ -146,6 +148,7 @@ public class ClusterManager | ... | @@ -146,6 +148,7 @@ public class ClusterManager |
146 | 148 | ||
147 | @Override | 149 | @Override |
148 | public void formCluster(Set<ControllerNode> nodes) { | 150 | public void formCluster(Set<ControllerNode> nodes) { |
151 | + checkPermission(ADMIN); | ||
149 | checkNotNull(nodes, "Nodes cannot be null"); | 152 | checkNotNull(nodes, "Nodes cannot be null"); |
150 | checkArgument(!nodes.isEmpty(), "Nodes cannot be empty"); | 153 | checkArgument(!nodes.isEmpty(), "Nodes cannot be empty"); |
151 | 154 | ||
... | @@ -163,6 +166,7 @@ public class ClusterManager | ... | @@ -163,6 +166,7 @@ public class ClusterManager |
163 | 166 | ||
164 | @Override | 167 | @Override |
165 | public ControllerNode addNode(NodeId nodeId, IpAddress ip, int tcpPort) { | 168 | public ControllerNode addNode(NodeId nodeId, IpAddress ip, int tcpPort) { |
169 | + checkPermission(ADMIN); | ||
166 | checkNotNull(nodeId, INSTANCE_ID_NULL); | 170 | checkNotNull(nodeId, INSTANCE_ID_NULL); |
167 | checkNotNull(ip, "IP address cannot be null"); | 171 | checkNotNull(ip, "IP address cannot be null"); |
168 | checkArgument(tcpPort > 5000, "TCP port must be > 5000"); | 172 | checkArgument(tcpPort > 5000, "TCP port must be > 5000"); |
... | @@ -171,6 +175,7 @@ public class ClusterManager | ... | @@ -171,6 +175,7 @@ public class ClusterManager |
171 | 175 | ||
172 | @Override | 176 | @Override |
173 | public void removeNode(NodeId nodeId) { | 177 | public void removeNode(NodeId nodeId) { |
178 | + checkPermission(ADMIN); | ||
174 | checkNotNull(nodeId, INSTANCE_ID_NULL); | 179 | checkNotNull(nodeId, INSTANCE_ID_NULL); |
175 | store.removeNode(nodeId); | 180 | store.removeNode(nodeId); |
176 | } | 181 | } | ... | ... |
... | @@ -46,6 +46,7 @@ import java.util.Enumeration; | ... | @@ -46,6 +46,7 @@ import java.util.Enumeration; |
46 | 46 | ||
47 | import static com.google.common.base.Preconditions.checkNotNull; | 47 | import static com.google.common.base.Preconditions.checkNotNull; |
48 | import static org.onosproject.security.AppGuard.checkPermission; | 48 | import static org.onosproject.security.AppGuard.checkPermission; |
49 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
49 | import static org.onosproject.security.AppPermission.Type.CLUSTER_READ; | 50 | import static org.onosproject.security.AppPermission.Type.CLUSTER_READ; |
50 | import static org.slf4j.LoggerFactory.getLogger; | 51 | import static org.slf4j.LoggerFactory.getLogger; |
51 | 52 | ||
... | @@ -103,6 +104,7 @@ public class ClusterMetadataManager | ... | @@ -103,6 +104,7 @@ public class ClusterMetadataManager |
103 | 104 | ||
104 | @Override | 105 | @Override |
105 | public void setClusterMetadata(ClusterMetadata metadata) { | 106 | public void setClusterMetadata(ClusterMetadata metadata) { |
107 | + checkPermission(ADMIN); | ||
106 | checkNotNull(metadata, "Cluster metadata cannot be null"); | 108 | checkNotNull(metadata, "Cluster metadata cannot be null"); |
107 | ClusterMetadataProvider primaryProvider = getPrimaryProvider(); | 109 | ClusterMetadataProvider primaryProvider = getPrimaryProvider(); |
108 | if (primaryProvider == null) { | 110 | if (primaryProvider == null) { | ... | ... |
... | @@ -15,6 +15,8 @@ | ... | @@ -15,6 +15,8 @@ |
15 | */ | 15 | */ |
16 | package org.onosproject.cluster.impl; | 16 | package org.onosproject.cluster.impl; |
17 | 17 | ||
18 | +import static org.onosproject.security.AppGuard.checkPermission; | ||
19 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
18 | import static org.slf4j.LoggerFactory.getLogger; | 20 | import static org.slf4j.LoggerFactory.getLogger; |
19 | 21 | ||
20 | import java.util.Map; | 22 | import java.util.Map; |
... | @@ -100,16 +102,19 @@ public class LeadershipManager | ... | @@ -100,16 +102,19 @@ public class LeadershipManager |
100 | 102 | ||
101 | @Override | 103 | @Override |
102 | public boolean transferLeadership(String topic, NodeId to) { | 104 | public boolean transferLeadership(String topic, NodeId to) { |
105 | + checkPermission(ADMIN); | ||
103 | return store.moveLeadership(topic, to); | 106 | return store.moveLeadership(topic, to); |
104 | } | 107 | } |
105 | 108 | ||
106 | @Override | 109 | @Override |
107 | public void unregister(NodeId nodeId) { | 110 | public void unregister(NodeId nodeId) { |
111 | + checkPermission(ADMIN); | ||
108 | store.removeRegistration(nodeId); | 112 | store.removeRegistration(nodeId); |
109 | } | 113 | } |
110 | 114 | ||
111 | @Override | 115 | @Override |
112 | public boolean promoteToTopOfCandidateList(String topic, NodeId nodeId) { | 116 | public boolean promoteToTopOfCandidateList(String topic, NodeId nodeId) { |
117 | + checkPermission(ADMIN); | ||
113 | return store.makeTopCandidate(topic, nodeId); | 118 | return store.makeTopCandidate(topic, nodeId); |
114 | } | 119 | } |
115 | } | 120 | } | ... | ... |
... | @@ -64,6 +64,7 @@ import static org.onlab.metrics.MetricsUtil.startTimer; | ... | @@ -64,6 +64,7 @@ import static org.onlab.metrics.MetricsUtil.startTimer; |
64 | import static org.onlab.metrics.MetricsUtil.stopTimer; | 64 | import static org.onlab.metrics.MetricsUtil.stopTimer; |
65 | import static org.onosproject.net.MastershipRole.MASTER; | 65 | import static org.onosproject.net.MastershipRole.MASTER; |
66 | import static org.onosproject.security.AppGuard.checkPermission; | 66 | import static org.onosproject.security.AppGuard.checkPermission; |
67 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
67 | import static org.onosproject.security.AppPermission.Type.CLUSTER_READ; | 68 | import static org.onosproject.security.AppPermission.Type.CLUSTER_READ; |
68 | import static org.onosproject.security.AppPermission.Type.CLUSTER_WRITE; | 69 | import static org.onosproject.security.AppPermission.Type.CLUSTER_WRITE; |
69 | import static org.slf4j.LoggerFactory.getLogger; | 70 | import static org.slf4j.LoggerFactory.getLogger; |
... | @@ -119,6 +120,7 @@ public class MastershipManager | ... | @@ -119,6 +120,7 @@ public class MastershipManager |
119 | 120 | ||
120 | @Override | 121 | @Override |
121 | public CompletableFuture<Void> setRole(NodeId nodeId, DeviceId deviceId, MastershipRole role) { | 122 | public CompletableFuture<Void> setRole(NodeId nodeId, DeviceId deviceId, MastershipRole role) { |
123 | + checkPermission(ADMIN); | ||
122 | checkNotNull(nodeId, NODE_ID_NULL); | 124 | checkNotNull(nodeId, NODE_ID_NULL); |
123 | checkNotNull(deviceId, DEVICE_ID_NULL); | 125 | checkNotNull(deviceId, DEVICE_ID_NULL); |
124 | checkNotNull(role, ROLE_NULL); | 126 | checkNotNull(role, ROLE_NULL); |
... | @@ -207,6 +209,7 @@ public class MastershipManager | ... | @@ -207,6 +209,7 @@ public class MastershipManager |
207 | 209 | ||
208 | @Override | 210 | @Override |
209 | public void balanceRoles() { | 211 | public void balanceRoles() { |
212 | + checkPermission(ADMIN); | ||
210 | List<ControllerNode> nodes = newArrayList(clusterService.getNodes()); | 213 | List<ControllerNode> nodes = newArrayList(clusterService.getNodes()); |
211 | Map<ControllerNode, Set<DeviceId>> controllerDevices = new HashMap<>(); | 214 | Map<ControllerNode, Set<DeviceId>> controllerDevices = new HashMap<>(); |
212 | int deviceCount = 0; | 215 | int deviceCount = 0; | ... | ... |
... | @@ -25,6 +25,7 @@ import static org.onosproject.net.MastershipRole.STANDBY; | ... | @@ -25,6 +25,7 @@ import static org.onosproject.net.MastershipRole.STANDBY; |
25 | import static org.onosproject.net.optical.device.OchPortHelper.ochPortDescription; | 25 | import static org.onosproject.net.optical.device.OchPortHelper.ochPortDescription; |
26 | import static org.onosproject.net.optical.device.OduCltPortHelper.oduCltPortDescription; | 26 | import static org.onosproject.net.optical.device.OduCltPortHelper.oduCltPortDescription; |
27 | import static org.onosproject.security.AppGuard.checkPermission; | 27 | import static org.onosproject.security.AppGuard.checkPermission; |
28 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
28 | import static org.onosproject.security.AppPermission.Type.DEVICE_READ; | 29 | import static org.onosproject.security.AppPermission.Type.DEVICE_READ; |
29 | import static org.slf4j.LoggerFactory.getLogger; | 30 | import static org.slf4j.LoggerFactory.getLogger; |
30 | 31 | ||
... | @@ -247,6 +248,7 @@ public class DeviceManager | ... | @@ -247,6 +248,7 @@ public class DeviceManager |
247 | 248 | ||
248 | @Override | 249 | @Override |
249 | public void removeDevice(DeviceId deviceId) { | 250 | public void removeDevice(DeviceId deviceId) { |
251 | + checkPermission(ADMIN); | ||
250 | checkNotNull(deviceId, DEVICE_ID_NULL); | 252 | checkNotNull(deviceId, DEVICE_ID_NULL); |
251 | DeviceEvent event = store.removeDevice(deviceId); | 253 | DeviceEvent event = store.removeDevice(deviceId); |
252 | if (event != null) { | 254 | if (event != null) { |
... | @@ -258,6 +260,7 @@ public class DeviceManager | ... | @@ -258,6 +260,7 @@ public class DeviceManager |
258 | @Override | 260 | @Override |
259 | public void changePortState(DeviceId deviceId, PortNumber portNumber, | 261 | public void changePortState(DeviceId deviceId, PortNumber portNumber, |
260 | boolean enable) { | 262 | boolean enable) { |
263 | + checkPermission(ADMIN); | ||
261 | checkNotNull(deviceId, DEVICE_ID_NULL); | 264 | checkNotNull(deviceId, DEVICE_ID_NULL); |
262 | checkNotNull(deviceId, PORT_NUMBER_NULL); | 265 | checkNotNull(deviceId, PORT_NUMBER_NULL); |
263 | DeviceProvider provider = getProvider(deviceId); | 266 | DeviceProvider provider = getProvider(deviceId); | ... | ... |
... | @@ -85,11 +85,13 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS | ... | @@ -85,11 +85,13 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS |
85 | 85 | ||
86 | @Override | 86 | @Override |
87 | public Set<DriverProvider> getProviders() { | 87 | public Set<DriverProvider> getProviders() { |
88 | + checkPermission(ADMIN); | ||
88 | return ImmutableSet.copyOf(providers); | 89 | return ImmutableSet.copyOf(providers); |
89 | } | 90 | } |
90 | 91 | ||
91 | @Override | 92 | @Override |
92 | public void registerProvider(DriverProvider provider) { | 93 | public void registerProvider(DriverProvider provider) { |
94 | + checkPermission(ADMIN); | ||
93 | provider.getDrivers().forEach(driver -> { | 95 | provider.getDrivers().forEach(driver -> { |
94 | Driver d = addDriver(driver); | 96 | Driver d = addDriver(driver); |
95 | driverByKey.put(key(driver.manufacturer(), | 97 | driverByKey.put(key(driver.manufacturer(), |
... | @@ -101,6 +103,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS | ... | @@ -101,6 +103,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS |
101 | 103 | ||
102 | @Override | 104 | @Override |
103 | public void unregisterProvider(DriverProvider provider) { | 105 | public void unregisterProvider(DriverProvider provider) { |
106 | + checkPermission(ADMIN); | ||
104 | provider.getDrivers().forEach(driver -> { | 107 | provider.getDrivers().forEach(driver -> { |
105 | removeDriver(driver); | 108 | removeDriver(driver); |
106 | driverByKey.remove(key(driver.manufacturer(), | 109 | driverByKey.remove(key(driver.manufacturer(), | ... | ... |
... | @@ -191,6 +191,7 @@ public class HostManager | ... | @@ -191,6 +191,7 @@ public class HostManager |
191 | 191 | ||
192 | @Override | 192 | @Override |
193 | public void removeHost(HostId hostId) { | 193 | public void removeHost(HostId hostId) { |
194 | + checkPermission(ADMIN); | ||
194 | checkNotNull(hostId, HOST_ID_NULL); | 195 | checkNotNull(hostId, HOST_ID_NULL); |
195 | store.removeHost(hostId); | 196 | store.removeHost(hostId); |
196 | } | 197 | } | ... | ... |
... | @@ -37,6 +37,7 @@ import java.util.Collection; | ... | @@ -37,6 +37,7 @@ import java.util.Collection; |
37 | 37 | ||
38 | import static com.google.common.base.Preconditions.checkNotNull; | 38 | import static com.google.common.base.Preconditions.checkNotNull; |
39 | import static org.onosproject.security.AppGuard.checkPermission; | 39 | import static org.onosproject.security.AppGuard.checkPermission; |
40 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
40 | import static org.onosproject.security.AppPermission.Type.DEVICE_KEY_READ; | 41 | import static org.onosproject.security.AppPermission.Type.DEVICE_KEY_READ; |
41 | import static org.slf4j.LoggerFactory.getLogger; | 42 | import static org.slf4j.LoggerFactory.getLogger; |
42 | 43 | ||
... | @@ -71,12 +72,14 @@ public class DeviceKeyManager extends AbstractListenerManager<DeviceKeyEvent, De | ... | @@ -71,12 +72,14 @@ public class DeviceKeyManager extends AbstractListenerManager<DeviceKeyEvent, De |
71 | 72 | ||
72 | @Override | 73 | @Override |
73 | public void addKey(DeviceKey deviceKey) { | 74 | public void addKey(DeviceKey deviceKey) { |
75 | + checkPermission(ADMIN); | ||
74 | checkNotNull(deviceKey, "Device key cannot be null"); | 76 | checkNotNull(deviceKey, "Device key cannot be null"); |
75 | store.createOrUpdateDeviceKey(deviceKey); | 77 | store.createOrUpdateDeviceKey(deviceKey); |
76 | } | 78 | } |
77 | 79 | ||
78 | @Override | 80 | @Override |
79 | public void removeKey(DeviceKeyId deviceKeyId) { | 81 | public void removeKey(DeviceKeyId deviceKeyId) { |
82 | + checkPermission(ADMIN); | ||
80 | checkNotNull(deviceKeyId, "Device key identifier cannot be null"); | 83 | checkNotNull(deviceKeyId, "Device key identifier cannot be null"); |
81 | store.deleteDeviceKey(deviceKeyId); | 84 | store.deleteDeviceKey(deviceKeyId); |
82 | } | 85 | } | ... | ... |
... | @@ -182,6 +182,7 @@ public class LinkManager | ... | @@ -182,6 +182,7 @@ public class LinkManager |
182 | 182 | ||
183 | @Override | 183 | @Override |
184 | public void removeLinks(ConnectPoint connectPoint) { | 184 | public void removeLinks(ConnectPoint connectPoint) { |
185 | + checkPermission(ADMIN); | ||
185 | if (deviceService.getRole(connectPoint.deviceId()) != MastershipRole.MASTER) { | 186 | if (deviceService.getRole(connectPoint.deviceId()) != MastershipRole.MASTER) { |
186 | return; | 187 | return; |
187 | } | 188 | } |
... | @@ -190,6 +191,7 @@ public class LinkManager | ... | @@ -190,6 +191,7 @@ public class LinkManager |
190 | 191 | ||
191 | @Override | 192 | @Override |
192 | public void removeLinks(DeviceId deviceId) { | 193 | public void removeLinks(DeviceId deviceId) { |
194 | + checkPermission(ADMIN); | ||
193 | if (deviceService.getRole(deviceId) != MastershipRole.MASTER) { | 195 | if (deviceService.getRole(deviceId) != MastershipRole.MASTER) { |
194 | return; | 196 | return; |
195 | } | 197 | } |
... | @@ -198,6 +200,7 @@ public class LinkManager | ... | @@ -198,6 +200,7 @@ public class LinkManager |
198 | 200 | ||
199 | @Override | 201 | @Override |
200 | public void removeLink(ConnectPoint src, ConnectPoint dst) { | 202 | public void removeLink(ConnectPoint src, ConnectPoint dst) { |
203 | + checkPermission(ADMIN); | ||
201 | post(store.removeLink(src, dst)); | 204 | post(store.removeLink(src, dst)); |
202 | } | 205 | } |
203 | 206 | ... | ... |
... | @@ -42,6 +42,7 @@ import java.util.Set; | ... | @@ -42,6 +42,7 @@ import java.util.Set; |
42 | import static com.google.common.base.Preconditions.checkNotNull; | 42 | import static com.google.common.base.Preconditions.checkNotNull; |
43 | import static com.google.common.base.Preconditions.checkState; | 43 | import static com.google.common.base.Preconditions.checkState; |
44 | import static com.google.common.collect.ImmutableList.of; | 44 | import static com.google.common.collect.ImmutableList.of; |
45 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
45 | import static org.slf4j.LoggerFactory.getLogger; | 46 | import static org.slf4j.LoggerFactory.getLogger; |
46 | import static org.onosproject.security.AppGuard.checkPermission; | 47 | import static org.onosproject.security.AppGuard.checkPermission; |
47 | import static org.onosproject.security.AppPermission.Type.REGION_READ; | 48 | import static org.onosproject.security.AppPermission.Type.REGION_READ; |
... | @@ -85,6 +86,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi | ... | @@ -85,6 +86,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi |
85 | @Override | 86 | @Override |
86 | public Region createRegion(RegionId regionId, String name, Region.Type type, | 87 | public Region createRegion(RegionId regionId, String name, Region.Type type, |
87 | List<Set<NodeId>> masterNodeIds) { | 88 | List<Set<NodeId>> masterNodeIds) { |
89 | + checkPermission(ADMIN); | ||
88 | checkNotNull(regionId, REGION_ID_NULL); | 90 | checkNotNull(regionId, REGION_ID_NULL); |
89 | checkNotNull(name, NAME_NULL); | 91 | checkNotNull(name, NAME_NULL); |
90 | checkNotNull(name, REGION_TYPE_NULL); | 92 | checkNotNull(name, REGION_TYPE_NULL); |
... | @@ -94,6 +96,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi | ... | @@ -94,6 +96,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi |
94 | @Override | 96 | @Override |
95 | public Region updateRegion(RegionId regionId, String name, Region.Type type, | 97 | public Region updateRegion(RegionId regionId, String name, Region.Type type, |
96 | List<Set<NodeId>> masterNodeIds) { | 98 | List<Set<NodeId>> masterNodeIds) { |
99 | + checkPermission(ADMIN); | ||
97 | checkNotNull(regionId, REGION_ID_NULL); | 100 | checkNotNull(regionId, REGION_ID_NULL); |
98 | checkNotNull(name, NAME_NULL); | 101 | checkNotNull(name, NAME_NULL); |
99 | checkNotNull(name, REGION_TYPE_NULL); | 102 | checkNotNull(name, REGION_TYPE_NULL); |
... | @@ -102,12 +105,14 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi | ... | @@ -102,12 +105,14 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi |
102 | 105 | ||
103 | @Override | 106 | @Override |
104 | public void removeRegion(RegionId regionId) { | 107 | public void removeRegion(RegionId regionId) { |
108 | + checkPermission(ADMIN); | ||
105 | checkNotNull(regionId, REGION_ID_NULL); | 109 | checkNotNull(regionId, REGION_ID_NULL); |
106 | store.removeRegion(regionId); | 110 | store.removeRegion(regionId); |
107 | } | 111 | } |
108 | 112 | ||
109 | @Override | 113 | @Override |
110 | public void addDevices(RegionId regionId, Collection<DeviceId> deviceIds) { | 114 | public void addDevices(RegionId regionId, Collection<DeviceId> deviceIds) { |
115 | + checkPermission(ADMIN); | ||
111 | checkNotNull(regionId, REGION_ID_NULL); | 116 | checkNotNull(regionId, REGION_ID_NULL); |
112 | checkNotNull(deviceIds, DEVICE_IDS_NULL); | 117 | checkNotNull(deviceIds, DEVICE_IDS_NULL); |
113 | checkState(!deviceIds.isEmpty(), DEVICE_IDS_EMPTY); | 118 | checkState(!deviceIds.isEmpty(), DEVICE_IDS_EMPTY); |
... | @@ -116,6 +121,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi | ... | @@ -116,6 +121,7 @@ public class RegionManager extends AbstractListenerManager<RegionEvent, RegionLi |
116 | 121 | ||
117 | @Override | 122 | @Override |
118 | public void removeDevices(RegionId regionId, Collection<DeviceId> deviceIds) { | 123 | public void removeDevices(RegionId regionId, Collection<DeviceId> deviceIds) { |
124 | + checkPermission(ADMIN); | ||
119 | checkNotNull(regionId, REGION_ID_NULL); | 125 | checkNotNull(regionId, REGION_ID_NULL); |
120 | checkNotNull(deviceIds, DEVICE_IDS_NULL); | 126 | checkNotNull(deviceIds, DEVICE_IDS_NULL); |
121 | checkState(!deviceIds.isEmpty(), DEVICE_IDS_EMPTY); | 127 | checkState(!deviceIds.isEmpty(), DEVICE_IDS_EMPTY); | ... | ... |
... | @@ -46,6 +46,7 @@ import java.util.stream.Collectors; | ... | @@ -46,6 +46,7 @@ import java.util.stream.Collectors; |
46 | 46 | ||
47 | import static com.google.common.base.Preconditions.checkNotNull; | 47 | import static com.google.common.base.Preconditions.checkNotNull; |
48 | import static org.onosproject.security.AppGuard.checkPermission; | 48 | import static org.onosproject.security.AppGuard.checkPermission; |
49 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
49 | import static org.onosproject.security.AppPermission.Type.RESOURCE_WRITE; | 50 | import static org.onosproject.security.AppPermission.Type.RESOURCE_WRITE; |
50 | import static org.onosproject.security.AppPermission.Type.RESOURCE_READ; | 51 | import static org.onosproject.security.AppPermission.Type.RESOURCE_READ; |
51 | import static org.slf4j.LoggerFactory.getLogger; | 52 | import static org.slf4j.LoggerFactory.getLogger; |
... | @@ -109,6 +110,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent | ... | @@ -109,6 +110,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent |
109 | 110 | ||
110 | @Override | 111 | @Override |
111 | public boolean release(ResourceConsumer consumer) { | 112 | public boolean release(ResourceConsumer consumer) { |
113 | + checkPermission(RESOURCE_WRITE); | ||
112 | checkNotNull(consumer); | 114 | checkNotNull(consumer); |
113 | 115 | ||
114 | Collection<ResourceAllocation> allocations = getResourceAllocations(consumer); | 116 | Collection<ResourceAllocation> allocations = getResourceAllocations(consumer); |
... | @@ -201,6 +203,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent | ... | @@ -201,6 +203,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent |
201 | 203 | ||
202 | @Override | 204 | @Override |
203 | public boolean register(List<Resource> resources) { | 205 | public boolean register(List<Resource> resources) { |
206 | + checkPermission(ADMIN); | ||
204 | checkNotNull(resources); | 207 | checkNotNull(resources); |
205 | 208 | ||
206 | return store.register(resources); | 209 | return store.register(resources); |
... | @@ -208,6 +211,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent | ... | @@ -208,6 +211,7 @@ public final class ResourceManager extends AbstractListenerManager<ResourceEvent |
208 | 211 | ||
209 | @Override | 212 | @Override |
210 | public boolean unregister(List<ResourceId> ids) { | 213 | public boolean unregister(List<ResourceId> ids) { |
214 | + checkPermission(ADMIN); | ||
211 | checkNotNull(ids); | 215 | checkNotNull(ids); |
212 | 216 | ||
213 | return store.unregister(ids); | 217 | return store.unregister(ids); | ... | ... |
... | @@ -17,7 +17,6 @@ package org.onosproject.security.impl; | ... | @@ -17,7 +17,6 @@ package org.onosproject.security.impl; |
17 | 17 | ||
18 | 18 | ||
19 | import com.google.common.collect.ImmutableSet; | 19 | import com.google.common.collect.ImmutableSet; |
20 | -import com.google.common.collect.Lists; | ||
21 | import com.google.common.collect.Sets; | 20 | import com.google.common.collect.Sets; |
22 | import org.onosproject.cluster.ClusterAdminService; | 21 | import org.onosproject.cluster.ClusterAdminService; |
23 | import org.onosproject.cluster.ClusterMetadataService; | 22 | import org.onosproject.cluster.ClusterMetadataService; |
... | @@ -33,10 +32,9 @@ import org.onosproject.net.config.NetworkConfigService; | ... | @@ -33,10 +32,9 @@ import org.onosproject.net.config.NetworkConfigService; |
33 | import org.onosproject.net.edge.EdgePortService; | 32 | import org.onosproject.net.edge.EdgePortService; |
34 | import org.onosproject.net.key.DeviceKeyAdminService; | 33 | import org.onosproject.net.key.DeviceKeyAdminService; |
35 | import org.onosproject.net.key.DeviceKeyService; | 34 | import org.onosproject.net.key.DeviceKeyService; |
36 | -import org.onosproject.net.resource.ResourceAdminService; | ||
37 | -import org.onosproject.net.resource.ResourceService; | ||
38 | import org.onosproject.net.region.RegionAdminService; | 35 | import org.onosproject.net.region.RegionAdminService; |
39 | import org.onosproject.net.region.RegionService; | 36 | import org.onosproject.net.region.RegionService; |
37 | +import org.onosproject.net.resource.ResourceService; | ||
40 | import org.onosproject.net.statistic.FlowStatisticService; | 38 | import org.onosproject.net.statistic.FlowStatisticService; |
41 | import org.onosproject.persistence.PersistenceService; | 39 | import org.onosproject.persistence.PersistenceService; |
42 | import org.onosproject.security.AppPermission; | 40 | import org.onosproject.security.AppPermission; |
... | @@ -83,6 +81,8 @@ import org.osgi.framework.CapabilityPermission; | ... | @@ -83,6 +81,8 @@ import org.osgi.framework.CapabilityPermission; |
83 | import org.osgi.framework.BundlePermission; | 81 | import org.osgi.framework.BundlePermission; |
84 | import org.osgi.framework.PackagePermission; | 82 | import org.osgi.framework.PackagePermission; |
85 | import org.osgi.service.cm.ConfigurationPermission; | 83 | import org.osgi.service.cm.ConfigurationPermission; |
84 | +import org.osgi.service.condpermadmin.ConditionalPermissionAdmin; | ||
85 | +import org.osgi.service.permissionadmin.PermissionAdmin; | ||
86 | 86 | ||
87 | import javax.net.ssl.SSLPermission; | 87 | import javax.net.ssl.SSLPermission; |
88 | import javax.security.auth.AuthPermission; | 88 | import javax.security.auth.AuthPermission; |
... | @@ -96,10 +96,7 @@ import java.net.NetPermission; | ... | @@ -96,10 +96,7 @@ import java.net.NetPermission; |
96 | import java.net.SocketPermission; | 96 | import java.net.SocketPermission; |
97 | import java.security.Permissions; | 97 | import java.security.Permissions; |
98 | import java.sql.SQLPermission; | 98 | import java.sql.SQLPermission; |
99 | -import java.util.ArrayList; | ||
100 | import java.util.Enumeration; | 99 | import java.util.Enumeration; |
101 | -import java.util.HashSet; | ||
102 | -import java.util.List; | ||
103 | import java.util.PropertyPermission; | 100 | import java.util.PropertyPermission; |
104 | import java.util.Set; | 101 | import java.util.Set; |
105 | import java.util.concurrent.ConcurrentHashMap; | 102 | import java.util.concurrent.ConcurrentHashMap; |
... | @@ -113,24 +110,39 @@ public final class DefaultPolicyBuilder { | ... | @@ -113,24 +110,39 @@ public final class DefaultPolicyBuilder { |
113 | protected static ConcurrentHashMap<AppPermission.Type, | 110 | protected static ConcurrentHashMap<AppPermission.Type, |
114 | Set<String>> serviceDirectory = getServiceDirectory(); | 111 | Set<String>> serviceDirectory = getServiceDirectory(); |
115 | 112 | ||
116 | - protected static List<Permission> defaultPermissions = getDefaultPerms(); | 113 | + protected static Set<Permission> defaultPermissions = getDefaultPerms(); |
117 | - protected static List<Permission> adminServicePermissions = getAdminDefaultPerms(); | 114 | + protected static Set<Permission> adminServicePermissions = getAdminDefaultPerms(); |
118 | 115 | ||
119 | private DefaultPolicyBuilder(){ | 116 | private DefaultPolicyBuilder(){ |
120 | } | 117 | } |
121 | 118 | ||
122 | - public static List<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) { | 119 | + public static Set<Permission> getUserApplicationPermissions(Set<org.onosproject.security.Permission> permissions) { |
123 | - List<Permission> perms = Lists.newArrayList(); | 120 | + |
121 | + Set<Permission> perms = Sets.newHashSet(); | ||
124 | perms.addAll(defaultPermissions); | 122 | perms.addAll(defaultPermissions); |
125 | perms.addAll(convertToJavaPermissions(permissions)); | 123 | perms.addAll(convertToJavaPermissions(permissions)); |
124 | + for (Permission perm : perms) { | ||
125 | + if (perm instanceof AppPermission && ((AppPermission) perm).getType() == ADMIN) { | ||
126 | + perms.remove(perm); | ||
127 | + } else if (perm instanceof ServicePermission) { | ||
128 | + if (perm.getName().contains(SecurityAdminService.class.getName())) { | ||
129 | + perms.remove(perm); | ||
130 | + } else if (perm.getName().contains(PermissionAdmin.class.getName())) { | ||
131 | + perms.remove(perm); | ||
132 | + } else if (perm.getName().contains(ConditionalPermissionAdmin.class.getName())) { | ||
133 | + perms.remove(perm); | ||
134 | + } | ||
135 | + } | ||
136 | + } | ||
126 | return optimizePermissions(perms); | 137 | return optimizePermissions(perms); |
127 | } | 138 | } |
128 | 139 | ||
129 | - public static List<Permission> getAdminApplicationPermissions( | 140 | + public static Set<Permission> getAdminApplicationPermissions( |
130 | Set<org.onosproject.security.Permission> permissions) { | 141 | Set<org.onosproject.security.Permission> permissions) { |
131 | - List<Permission> perms = Lists.newArrayList(); | 142 | + Set<Permission> perms = Sets.newHashSet(); |
132 | perms.addAll(defaultPermissions); | 143 | perms.addAll(defaultPermissions); |
133 | perms.addAll(adminServicePermissions); | 144 | perms.addAll(adminServicePermissions); |
145 | + perms.add(new AppPermission(ADMIN)); | ||
134 | for (AppPermission.Type perm : serviceDirectory.keySet()) { | 146 | for (AppPermission.Type perm : serviceDirectory.keySet()) { |
135 | perms.add(new AppPermission(perm)); | 147 | perms.add(new AppPermission(perm)); |
136 | } | 148 | } |
... | @@ -138,8 +150,8 @@ public final class DefaultPolicyBuilder { | ... | @@ -138,8 +150,8 @@ public final class DefaultPolicyBuilder { |
138 | return optimizePermissions(perms); | 150 | return optimizePermissions(perms); |
139 | } | 151 | } |
140 | 152 | ||
141 | - public static List<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) { | 153 | + public static Set<Permission> convertToJavaPermissions(Set<org.onosproject.security.Permission> permissions) { |
142 | - List<Permission> result = Lists.newArrayList(); | 154 | + Set<Permission> result = Sets.newHashSet(); |
143 | for (org.onosproject.security.Permission perm : permissions) { | 155 | for (org.onosproject.security.Permission perm : permissions) { |
144 | Permission javaPerm = getPermission(perm); | 156 | Permission javaPerm = getPermission(perm); |
145 | if (javaPerm != null) { | 157 | if (javaPerm != null) { |
... | @@ -152,6 +164,9 @@ public final class DefaultPolicyBuilder { | ... | @@ -152,6 +164,9 @@ public final class DefaultPolicyBuilder { |
152 | result.add(new ServicePermission(service, ServicePermission.GET)); | 164 | result.add(new ServicePermission(service, ServicePermission.GET)); |
153 | } | 165 | } |
154 | } | 166 | } |
167 | + if (ap.getType() == CONFIG_WRITE) { | ||
168 | + result.addAll(getConfigServicePerms()); | ||
169 | + } | ||
155 | } | 170 | } |
156 | } else if (javaPerm instanceof ServicePermission) { | 171 | } else if (javaPerm instanceof ServicePermission) { |
157 | if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) { | 172 | if (!javaPerm.getName().contains(SecurityAdminService.class.getName())) { |
... | @@ -166,7 +181,7 @@ public final class DefaultPolicyBuilder { | ... | @@ -166,7 +181,7 @@ public final class DefaultPolicyBuilder { |
166 | return result; | 181 | return result; |
167 | } | 182 | } |
168 | 183 | ||
169 | - public static Set<org.onosproject.security.Permission> convertToOnosPermissions(List<Permission> permissions) { | 184 | + public static Set<org.onosproject.security.Permission> convertToOnosPermissions(Set<Permission> permissions) { |
170 | Set<org.onosproject.security.Permission> result = Sets.newHashSet(); | 185 | Set<org.onosproject.security.Permission> result = Sets.newHashSet(); |
171 | for (Permission perm : permissions) { | 186 | for (Permission perm : permissions) { |
172 | org.onosproject.security.Permission onosPerm = getOnosPermission(perm); | 187 | org.onosproject.security.Permission onosPerm = getOnosPermission(perm); |
... | @@ -177,18 +192,27 @@ public final class DefaultPolicyBuilder { | ... | @@ -177,18 +192,27 @@ public final class DefaultPolicyBuilder { |
177 | return result; | 192 | return result; |
178 | } | 193 | } |
179 | 194 | ||
180 | - public static List<Permission> getDefaultPerms() { | 195 | + public static Set<Permission> getDefaultPerms() { |
181 | - List<Permission> permSet = Lists.newArrayList(); | 196 | + Set<Permission> permSet = Sets.newHashSet(); |
197 | + // slf4j-logging requirement | ||
198 | + permSet.add( | ||
199 | + new AdaptPermission("(adaptClass=org.osgi.framework.wiring.BundleRevision)", AdaptPermission.ADAPT)); | ||
200 | + // package-permissions | ||
182 | permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY)); | 201 | permSet.add(new PackagePermission("*", PackagePermission.EXPORTONLY)); |
183 | permSet.add(new PackagePermission("*", PackagePermission.IMPORT)); | 202 | permSet.add(new PackagePermission("*", PackagePermission.IMPORT)); |
184 | - permSet.add(new AdaptPermission("*", AdaptPermission.ADAPT)); | 203 | + return permSet; |
204 | + } | ||
205 | + | ||
206 | + | ||
207 | + private static Set<Permission> getConfigServicePerms() { | ||
208 | + Set<Permission> permSet = Sets.newHashSet(); | ||
209 | + permSet.add(new AdminPermission("(name=org.onosproject.onos-core-net)", AdminPermission.METADATA)); | ||
185 | permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE)); | 210 | permSet.add(new ConfigurationPermission("*", ConfigurationPermission.CONFIGURE)); |
186 | - permSet.add(new AdminPermission("*", AdminPermission.METADATA)); | ||
187 | return permSet; | 211 | return permSet; |
188 | } | 212 | } |
189 | 213 | ||
190 | - private static List<Permission> getAdminDefaultPerms() { | 214 | + private static Set<Permission> getAdminDefaultPerms() { |
191 | - List<Permission> permSet = Lists.newArrayList(); | 215 | + Set<Permission> permSet = Sets.newHashSet(); |
192 | permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET)); | 216 | permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET)); |
193 | permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET)); | 217 | permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET)); |
194 | permSet.add(new ServicePermission(LeadershipAdminService.class.getName(), ServicePermission.GET)); | 218 | permSet.add(new ServicePermission(LeadershipAdminService.class.getName(), ServicePermission.GET)); |
... | @@ -199,11 +223,9 @@ public final class DefaultPolicyBuilder { | ... | @@ -199,11 +223,9 @@ public final class DefaultPolicyBuilder { |
199 | permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET)); | 223 | permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET)); |
200 | permSet.add(new ServicePermission(DeviceKeyAdminService.class.getName(), ServicePermission.GET)); | 224 | permSet.add(new ServicePermission(DeviceKeyAdminService.class.getName(), ServicePermission.GET)); |
201 | permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET)); | 225 | permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET)); |
202 | - permSet.add(new ServicePermission(ResourceAdminService.class.getName(), ServicePermission.GET)); | ||
203 | permSet.add(new ServicePermission(RegionAdminService.class.getName(), ServicePermission.GET)); | 226 | permSet.add(new ServicePermission(RegionAdminService.class.getName(), ServicePermission.GET)); |
204 | permSet.add(new ServicePermission(PartitionAdminService.class.getName(), ServicePermission.GET)); | 227 | permSet.add(new ServicePermission(PartitionAdminService.class.getName(), ServicePermission.GET)); |
205 | permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET)); | 228 | permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET)); |
206 | - | ||
207 | permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET)); | 229 | permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET)); |
208 | permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET)); | 230 | permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET)); |
209 | permSet.add(new ServicePermission(ClusterMetadataService.class.getName(), ServicePermission.GET)); | 231 | permSet.add(new ServicePermission(ClusterMetadataService.class.getName(), ServicePermission.GET)); |
... | @@ -247,6 +269,7 @@ public final class DefaultPolicyBuilder { | ... | @@ -247,6 +269,7 @@ public final class DefaultPolicyBuilder { |
247 | permSet.add(new ServicePermission(MessagingService.class.getName(), ServicePermission.GET)); | 269 | permSet.add(new ServicePermission(MessagingService.class.getName(), ServicePermission.GET)); |
248 | permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET)); | 270 | permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET)); |
249 | permSet.add(new ServicePermission(LogicalClockService.class.getName(), ServicePermission.GET)); | 271 | permSet.add(new ServicePermission(LogicalClockService.class.getName(), ServicePermission.GET)); |
272 | +// permSet.add(new ServicePermission(MutexExecutionService.class.getName(), ServicePermission.GET)); | ||
250 | permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET)); | 273 | permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET)); |
251 | permSet.add(new ServicePermission(UiExtensionService.class.getName(), ServicePermission.GET)); | 274 | permSet.add(new ServicePermission(UiExtensionService.class.getName(), ServicePermission.GET)); |
252 | 275 | ||
... | @@ -254,13 +277,22 @@ public final class DefaultPolicyBuilder { | ... | @@ -254,13 +277,22 @@ public final class DefaultPolicyBuilder { |
254 | } | 277 | } |
255 | 278 | ||
256 | public static Set<String> getNBServiceList() { | 279 | public static Set<String> getNBServiceList() { |
257 | - Set<String> permString = new HashSet<>(); | 280 | + Set<String> permString = Sets.newHashSet(); |
258 | for (Permission perm : getAdminDefaultPerms()) { | 281 | for (Permission perm : getAdminDefaultPerms()) { |
259 | permString.add(perm.getName()); | 282 | permString.add(perm.getName()); |
260 | } | 283 | } |
261 | return permString; | 284 | return permString; |
262 | } | 285 | } |
263 | 286 | ||
287 | + public static Set<String> getCliServiceList() { | ||
288 | + Set<String> permString = Sets.newHashSet(); | ||
289 | + permString.add("org.apache.felix.service.command.Function"); | ||
290 | + permString.add("org.apache.karaf.shell.console.CompletableFunction"); | ||
291 | + permString.add("org.apache.karaf.shell.commands.CommandWithAction"); | ||
292 | + permString.add("org.osgi.service.blueprint.container.BlueprintContainer"); | ||
293 | + return permString; | ||
294 | + } | ||
295 | + | ||
264 | private static ConcurrentHashMap<AppPermission.Type, Set<String>> getServiceDirectory() { | 296 | private static ConcurrentHashMap<AppPermission.Type, Set<String>> getServiceDirectory() { |
265 | 297 | ||
266 | ConcurrentHashMap<AppPermission.Type, Set<String>> serviceDirectory = new ConcurrentHashMap<>(); | 298 | ConcurrentHashMap<AppPermission.Type, Set<String>> serviceDirectory = new ConcurrentHashMap<>(); |
... | @@ -320,14 +352,10 @@ public final class DefaultPolicyBuilder { | ... | @@ -320,14 +352,10 @@ public final class DefaultPolicyBuilder { |
320 | IntentService.class.getName(), IntentExtensionService.class.getName())); | 352 | IntentService.class.getName(), IntentExtensionService.class.getName())); |
321 | serviceDirectory.put(INTENT_EVENT, ImmutableSet.of( | 353 | serviceDirectory.put(INTENT_EVENT, ImmutableSet.of( |
322 | IntentService.class.getName(), IntentPartitionService.class.getName())); | 354 | IntentService.class.getName(), IntentPartitionService.class.getName())); |
323 | -// serviceDirectory.put(LINK_READ, ImmutableSet.of( | 355 | + serviceDirectory.put(LINK_READ, ImmutableSet.of( |
324 | -// LinkService.class.getName(), LinkResourceService.class.getName(), | 356 | + LinkService.class.getName())); |
325 | -// LabelResourceService.class.getName())); | 357 | + serviceDirectory.put(LINK_WRITE, ImmutableSet.of()); |
326 | -// serviceDirectory.put(LINK_WRITE, ImmutableSet.of( | 358 | + serviceDirectory.put(LINK_EVENT, ImmutableSet.of(LinkService.class.getName())); |
327 | -// LinkResourceService.class.getName(), LabelResourceService.class.getName())); | ||
328 | -// serviceDirectory.put(LINK_EVENT, ImmutableSet.of( | ||
329 | -// LinkService.class.getName(), LinkResourceService.class.getName(), | ||
330 | -// LabelResourceService.class.getName())); | ||
331 | serviceDirectory.put(PACKET_READ, ImmutableSet.of( | 359 | serviceDirectory.put(PACKET_READ, ImmutableSet.of( |
332 | PacketService.class.getName(), ProxyArpService.class.getName())); | 360 | PacketService.class.getName(), ProxyArpService.class.getName())); |
333 | serviceDirectory.put(PACKET_WRITE, ImmutableSet.of( | 361 | serviceDirectory.put(PACKET_WRITE, ImmutableSet.of( |
... | @@ -374,6 +402,8 @@ public final class DefaultPolicyBuilder { | ... | @@ -374,6 +402,8 @@ public final class DefaultPolicyBuilder { |
374 | PartitionService.class.getName())); | 402 | PartitionService.class.getName())); |
375 | serviceDirectory.put(CLOCK_WRITE, ImmutableSet.of( | 403 | serviceDirectory.put(CLOCK_WRITE, ImmutableSet.of( |
376 | LogicalClockService.class.getName())); | 404 | LogicalClockService.class.getName())); |
405 | +// serviceDirectory.put(MUTEX_WRITE, ImmutableSet.of( | ||
406 | +// MutexExecutionService.class.getName())); | ||
377 | 407 | ||
378 | return serviceDirectory; | 408 | return serviceDirectory; |
379 | } | 409 | } |
... | @@ -511,18 +541,16 @@ public final class DefaultPolicyBuilder { | ... | @@ -511,18 +541,16 @@ public final class DefaultPolicyBuilder { |
511 | return new ReflectPermission(name, actions); | 541 | return new ReflectPermission(name, actions); |
512 | } | 542 | } |
513 | 543 | ||
514 | - //AllPermission, SecurityPermission, UnresolvedPermission | ||
515 | - //AWTPermission, ReflectPermission not allowed | ||
516 | return null; | 544 | return null; |
517 | 545 | ||
518 | } | 546 | } |
519 | - private static List<Permission> optimizePermissions(List<Permission> perms) { | 547 | + private static Set<Permission> optimizePermissions(Set<Permission> perms) { |
520 | Permissions permissions = listToPermissions(perms); | 548 | Permissions permissions = listToPermissions(perms); |
521 | return permissionsToList(permissions); | 549 | return permissionsToList(permissions); |
522 | } | 550 | } |
523 | 551 | ||
524 | - private static List<Permission> permissionsToList(Permissions perms) { | 552 | + private static Set<Permission> permissionsToList(Permissions perms) { |
525 | - List<Permission> permissions = new ArrayList<>(); | 553 | + Set<Permission> permissions = Sets.newHashSet(); |
526 | Enumeration<Permission> e = perms.elements(); | 554 | Enumeration<Permission> e = perms.elements(); |
527 | while (e.hasMoreElements()) { | 555 | while (e.hasMoreElements()) { |
528 | permissions.add(e.nextElement()); | 556 | permissions.add(e.nextElement()); |
... | @@ -530,11 +558,11 @@ public final class DefaultPolicyBuilder { | ... | @@ -530,11 +558,11 @@ public final class DefaultPolicyBuilder { |
530 | return permissions; | 558 | return permissions; |
531 | } | 559 | } |
532 | 560 | ||
533 | - private static Permissions listToPermissions(List<Permission> perms) { | 561 | + private static Permissions listToPermissions(Set<Permission> perms) { |
534 | Permissions permissions = new Permissions(); | 562 | Permissions permissions = new Permissions(); |
535 | for (Permission perm : perms) { | 563 | for (Permission perm : perms) { |
536 | permissions.add(perm); | 564 | permissions.add(perm); |
537 | } | 565 | } |
538 | return permissions; | 566 | return permissions; |
539 | } | 567 | } |
540 | -} | 568 | +} |
... | \ No newline at end of file | ... | \ No newline at end of file | ... | ... |
... | @@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener; | ... | @@ -38,15 +38,18 @@ import org.onosproject.security.store.SecurityModeListener; |
38 | import org.onosproject.security.store.SecurityModeStore; | 38 | import org.onosproject.security.store.SecurityModeStore; |
39 | import org.onosproject.security.store.SecurityModeStoreDelegate; | 39 | import org.onosproject.security.store.SecurityModeStoreDelegate; |
40 | import org.osgi.framework.BundleContext; | 40 | import org.osgi.framework.BundleContext; |
41 | +import org.osgi.framework.FrameworkEvent; | ||
41 | import org.osgi.framework.FrameworkUtil; | 42 | import org.osgi.framework.FrameworkUtil; |
42 | import org.osgi.framework.ServicePermission; | 43 | import org.osgi.framework.ServicePermission; |
43 | -import org.osgi.service.log.LogEntry; | 44 | +import org.osgi.framework.FrameworkListener; |
44 | -import org.osgi.service.log.LogListener; | ||
45 | -import org.osgi.service.log.LogReaderService; | ||
46 | import org.osgi.service.permissionadmin.PermissionInfo; | 45 | import org.osgi.service.permissionadmin.PermissionInfo; |
47 | 46 | ||
47 | +import java.io.FilePermission; | ||
48 | +import java.lang.reflect.ReflectPermission; | ||
49 | +import java.net.SocketPermission; | ||
48 | import java.security.AccessControlException; | 50 | import java.security.AccessControlException; |
49 | import java.security.Permission; | 51 | import java.security.Permission; |
52 | +import java.security.SecurityPermission; | ||
50 | import java.util.ArrayList; | 53 | import java.util.ArrayList; |
51 | import java.util.List; | 54 | import java.util.List; |
52 | import java.util.Map; | 55 | import java.util.Map; |
... | @@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -76,9 +79,6 @@ public class SecurityModeManager implements SecurityAdminService { |
76 | protected ApplicationAdminService appAdminService; | 79 | protected ApplicationAdminService appAdminService; |
77 | 80 | ||
78 | @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) | 81 | @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) |
79 | - protected LogReaderService logReaderService; | ||
80 | - | ||
81 | - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) | ||
82 | protected EventDeliveryService eventDispatcher; | 82 | protected EventDeliveryService eventDispatcher; |
83 | 83 | ||
84 | private final Logger log = getLogger(getClass()); | 84 | private final Logger log = getLogger(getClass()); |
... | @@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -88,7 +88,7 @@ public class SecurityModeManager implements SecurityAdminService { |
88 | 88 | ||
89 | private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); | 89 | private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate(); |
90 | 90 | ||
91 | - private SecurityLogListener securityLogListener = new SecurityLogListener(); | 91 | + private SecurityEventListener securityEventListener = new SecurityEventListener(); |
92 | 92 | ||
93 | private PermissionAdmin permissionAdmin = getPermissionAdmin(); | 93 | private PermissionAdmin permissionAdmin = getPermissionAdmin(); |
94 | 94 | ||
... | @@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -96,7 +96,7 @@ public class SecurityModeManager implements SecurityAdminService { |
96 | public void activate() { | 96 | public void activate() { |
97 | 97 | ||
98 | eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); | 98 | eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry); |
99 | - logReaderService.addLogListener(securityLogListener); | 99 | + getBundleContext().addFrameworkListener(new SecurityEventListener()); |
100 | 100 | ||
101 | if (System.getSecurityManager() == null) { | 101 | if (System.getSecurityManager() == null) { |
102 | log.warn("J2EE security manager is disabled."); | 102 | log.warn("J2EE security manager is disabled."); |
... | @@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -116,7 +116,7 @@ public class SecurityModeManager implements SecurityAdminService { |
116 | @Deactivate | 116 | @Deactivate |
117 | public void deactivate() { | 117 | public void deactivate() { |
118 | eventDispatcher.removeSink(SecurityModeEvent.class); | 118 | eventDispatcher.removeSink(SecurityModeEvent.class); |
119 | - logReaderService.removeLogListener(securityLogListener); | 119 | + getBundleContext().removeFrameworkListener(securityEventListener); |
120 | store.unsetDelegate(delegate); | 120 | store.unsetDelegate(delegate); |
121 | log.info("Stopped"); | 121 | log.info("Stopped"); |
122 | 122 | ||
... | @@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -169,27 +169,32 @@ public class SecurityModeManager implements SecurityAdminService { |
169 | DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); | 169 | DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId))); |
170 | } | 170 | } |
171 | 171 | ||
172 | - private class SecurityLogListener implements LogListener { | 172 | + private class SecurityEventListener implements FrameworkListener { |
173 | @Override | 173 | @Override |
174 | - public void logged(LogEntry entry) { | 174 | + public void frameworkEvent(FrameworkEvent event) { |
175 | - if (entry.getException() != null && | 175 | + if (event.getType() != FrameworkEvent.ERROR) { |
176 | - entry.getException() instanceof AccessControlException) { | 176 | + return; |
177 | - String location = entry.getBundle().getLocation(); | 177 | + } |
178 | - Permission javaPerm = | 178 | + Throwable throwable = event.getThrowable(); |
179 | - ((AccessControlException) entry.getException()).getPermission(); | 179 | + if (throwable == null || !(throwable instanceof AccessControlException)) { |
180 | - org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm); | 180 | + return; |
181 | - if (permission == null) { | ||
182 | - log.warn("Unsupported permission requested."); | ||
183 | - return; | ||
184 | - } | ||
185 | - store.getApplicationIds(location).stream().filter( | ||
186 | - appId -> store.isSecured(appId) && | ||
187 | - appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> { | ||
188 | - store.requestPermission(appId, permission); | ||
189 | - print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ", | ||
190 | - appId.name(), location, permission.toString()); | ||
191 | - }); | ||
192 | } | 181 | } |
182 | + String bundleLocation = event.getBundle().getLocation(); | ||
183 | + Permission nativePerm = ((AccessControlException) throwable).getPermission(); | ||
184 | + org.onosproject.security.Permission onosPerm = DefaultPolicyBuilder.getOnosPermission(nativePerm); | ||
185 | + | ||
186 | + if (onosPerm == null) { | ||
187 | + log.warn("Unsupported permission requested: " + nativePerm.toString()); | ||
188 | + return; | ||
189 | + } | ||
190 | + | ||
191 | + store.getApplicationIds(bundleLocation).stream().filter( | ||
192 | + appId -> store.isSecured(appId) && | ||
193 | + appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> { | ||
194 | + store.requestPermission(appId, onosPerm); | ||
195 | + print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ", | ||
196 | + appId.name(), bundleLocation, onosPerm.toString()); | ||
197 | + }); | ||
193 | } | 198 | } |
194 | } | 199 | } |
195 | 200 | ||
... | @@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -213,32 +218,59 @@ public class SecurityModeManager implements SecurityAdminService { |
213 | * 0 - APP_PERM | 218 | * 0 - APP_PERM |
214 | * 1 - ADMIN SERVICE | 219 | * 1 - ADMIN SERVICE |
215 | * 2 - NB_SERVICE | 220 | * 2 - NB_SERVICE |
216 | - * 3 - ETC_SERVICE | 221 | + * 3 - SB_SERVICE |
217 | - * 4 - ETC | 222 | + * 4 - CLI_SERVICE |
223 | + * 5 - ETC_SERVICE | ||
224 | + * 6 - CRITICAL PERMISSIONS | ||
225 | + * 7 - ETC | ||
218 | * @param perms | 226 | * @param perms |
219 | */ | 227 | */ |
220 | - private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) { | 228 | + private Map<Integer, List<Permission>> getPrintablePermissionMap(Set<Permission> perms) { |
221 | ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>(); | 229 | ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>(); |
222 | sortedMap.put(0, new ArrayList()); | 230 | sortedMap.put(0, new ArrayList()); |
223 | sortedMap.put(1, new ArrayList()); | 231 | sortedMap.put(1, new ArrayList()); |
224 | sortedMap.put(2, new ArrayList()); | 232 | sortedMap.put(2, new ArrayList()); |
225 | sortedMap.put(3, new ArrayList()); | 233 | sortedMap.put(3, new ArrayList()); |
226 | sortedMap.put(4, new ArrayList()); | 234 | sortedMap.put(4, new ArrayList()); |
235 | + sortedMap.put(5, new ArrayList()); | ||
236 | + sortedMap.put(6, new ArrayList()); | ||
237 | + sortedMap.put(7, new ArrayList()); | ||
238 | + | ||
227 | for (Permission perm : perms) { | 239 | for (Permission perm : perms) { |
228 | - if (perm instanceof ServicePermission) { | 240 | + if (perm instanceof AppPermission) { |
229 | - if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) { | 241 | + sortedMap.get(0).add(perm); |
230 | - if (perm.getName().contains("Admin")) { | 242 | + } else if (perm instanceof ServicePermission) { |
243 | + String permName = perm.getName().trim(); | ||
244 | + if (DefaultPolicyBuilder.getNBServiceList().contains(permName)) { // ONOS NB SERVICES | ||
245 | + if (permName.contains("Admin")) { | ||
231 | sortedMap.get(1).add(perm); | 246 | sortedMap.get(1).add(perm); |
232 | } else { | 247 | } else { |
233 | sortedMap.get(2).add(perm); | 248 | sortedMap.get(2).add(perm); |
234 | } | 249 | } |
235 | - } else { | 250 | + } else if (permName.contains("org.onosproject") && permName.contains("Provider")) { //ONOS SB SERVICES |
236 | sortedMap.get(3).add(perm); | 251 | sortedMap.get(3).add(perm); |
252 | + } else if (DefaultPolicyBuilder.getCliServiceList().contains(permName)) { //CLI SERVICES | ||
253 | + sortedMap.get(4).add(perm); | ||
254 | + } else if (permName.contains("Security")) { //CRITICAL SERVICES | ||
255 | + sortedMap.get(6).add(perm); | ||
256 | + } else { | ||
257 | + sortedMap.get(5).add(perm); | ||
237 | } | 258 | } |
238 | - } else if (perm instanceof AppPermission) { | 259 | + } else if (perm instanceof RuntimePermission || perm instanceof SocketPermission || |
239 | - sortedMap.get(0).add(perm); | 260 | + perm instanceof FilePermission || perm instanceof SecurityPermission || |
261 | + perm instanceof ReflectPermission) { // CRITICAL PERMISSIONS | ||
262 | + sortedMap.get(6).add(perm); | ||
240 | } else { | 263 | } else { |
241 | - sortedMap.get(4).add(perm); | 264 | + boolean isDefault = false; |
265 | + for (Permission dPerm : DefaultPolicyBuilder.getDefaultPerms()) { | ||
266 | + if (perm.implies(dPerm)) { | ||
267 | + isDefault = true; | ||
268 | + break; | ||
269 | + } | ||
270 | + } | ||
271 | + if (!isDefault) { | ||
272 | + sortedMap.get(7).add(perm); | ||
273 | + } | ||
242 | } | 274 | } |
243 | } | 275 | } |
244 | return sortedMap; | 276 | return sortedMap; |
... | @@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -261,13 +293,13 @@ public class SecurityModeManager implements SecurityAdminService { |
261 | 293 | ||
262 | 294 | ||
263 | 295 | ||
264 | - private List<Permission> getMaximumPermissions(ApplicationId appId) { | 296 | + private Set<Permission> getMaximumPermissions(ApplicationId appId) { |
265 | Application app = appAdminService.getApplication(appId); | 297 | Application app = appAdminService.getApplication(appId); |
266 | if (app == null) { | 298 | if (app == null) { |
267 | print("Unknown application."); | 299 | print("Unknown application."); |
268 | return null; | 300 | return null; |
269 | } | 301 | } |
270 | - List<Permission> appPerms; | 302 | + Set<Permission> appPerms; |
271 | switch (app.role()) { | 303 | switch (app.role()) { |
272 | case ADMIN: | 304 | case ADMIN: |
273 | appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); | 305 | appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions()); |
... | @@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService { | ... | @@ -300,5 +332,4 @@ public class SecurityModeManager implements SecurityAdminService { |
300 | 332 | ||
301 | } | 333 | } |
302 | 334 | ||
303 | - | ||
304 | } | 335 | } |
... | \ No newline at end of file | ... | \ No newline at end of file | ... | ... |
... | @@ -93,12 +93,10 @@ public class DistributedSecurityModeStore | ... | @@ -93,12 +93,10 @@ public class DistributedSecurityModeStore |
93 | .register(KryoNamespaces.API) | 93 | .register(KryoNamespaces.API) |
94 | .register(SecurityModeState.class) | 94 | .register(SecurityModeState.class) |
95 | .register(SecurityInfo.class) | 95 | .register(SecurityInfo.class) |
96 | - .register(Permission.class) | ||
97 | .build()); | 96 | .build()); |
98 | 97 | ||
99 | private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() | 98 | private static final KryoNamespace.Builder VIOLATION_SERIALIZER = KryoNamespace.newBuilder() |
100 | - .register(KryoNamespaces.API) | 99 | + .register(KryoNamespaces.API); |
101 | - .register(Permission.class); | ||
102 | 100 | ||
103 | @Activate | 101 | @Activate |
104 | public void activate() { | 102 | public void activate() { | ... | ... |
... | @@ -74,6 +74,8 @@ import static com.google.common.base.Preconditions.checkArgument; | ... | @@ -74,6 +74,8 @@ import static com.google.common.base.Preconditions.checkArgument; |
74 | import static org.onlab.util.Tools.get; | 74 | import static org.onlab.util.Tools.get; |
75 | import static org.onlab.util.Tools.isNullOrEmpty; | 75 | import static org.onlab.util.Tools.isNullOrEmpty; |
76 | import static org.onosproject.net.topology.TopologyEvent.Type.TOPOLOGY_CHANGED; | 76 | import static org.onosproject.net.topology.TopologyEvent.Type.TOPOLOGY_CHANGED; |
77 | +import static org.onosproject.security.AppGuard.checkPermission; | ||
78 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
77 | import static org.slf4j.LoggerFactory.getLogger; | 79 | import static org.slf4j.LoggerFactory.getLogger; |
78 | 80 | ||
79 | /** | 81 | /** |
... | @@ -316,11 +318,13 @@ public class DistributedTopologyStore | ... | @@ -316,11 +318,13 @@ public class DistributedTopologyStore |
316 | 318 | ||
317 | @Override | 319 | @Override |
318 | public void setDefaultLinkWeight(LinkWeight linkWeight) { | 320 | public void setDefaultLinkWeight(LinkWeight linkWeight) { |
321 | + checkPermission(ADMIN); | ||
319 | DefaultTopology.setDefaultLinkWeight(linkWeight); | 322 | DefaultTopology.setDefaultLinkWeight(linkWeight); |
320 | } | 323 | } |
321 | 324 | ||
322 | @Override | 325 | @Override |
323 | public void setDefaultGraphPathSearch(GraphPathSearch<TopologyVertex, TopologyEdge> graphPathSearch) { | 326 | public void setDefaultGraphPathSearch(GraphPathSearch<TopologyVertex, TopologyEdge> graphPathSearch) { |
327 | + checkPermission(ADMIN); | ||
324 | DefaultTopology.setDefaultGraphPathSearch(graphPathSearch); | 328 | DefaultTopology.setDefaultGraphPathSearch(graphPathSearch); |
325 | } | 329 | } |
326 | 330 | ... | ... |
... | @@ -16,6 +16,7 @@ | ... | @@ -16,6 +16,7 @@ |
16 | 16 | ||
17 | package org.onosproject.store.primitives.impl; | 17 | package org.onosproject.store.primitives.impl; |
18 | 18 | ||
19 | +import static org.onosproject.security.AppPermission.Type.ADMIN; | ||
19 | import static org.slf4j.LoggerFactory.getLogger; | 20 | import static org.slf4j.LoggerFactory.getLogger; |
20 | 21 | ||
21 | import java.io.File; | 22 | import java.io.File; |
... | @@ -152,6 +153,7 @@ public class PartitionManager extends AbstractListenerManager<PartitionEvent, Pa | ... | @@ -152,6 +153,7 @@ public class PartitionManager extends AbstractListenerManager<PartitionEvent, Pa |
152 | 153 | ||
153 | @Override | 154 | @Override |
154 | public List<PartitionInfo> partitionInfo() { | 155 | public List<PartitionInfo> partitionInfo() { |
156 | + checkPermission(ADMIN); | ||
155 | return partitions.values() | 157 | return partitions.values() |
156 | .stream() | 158 | .stream() |
157 | .flatMap(x -> Tools.stream(x.info())) | 159 | .flatMap(x -> Tools.stream(x.info())) |
... | @@ -177,6 +179,7 @@ public class PartitionManager extends AbstractListenerManager<PartitionEvent, Pa | ... | @@ -177,6 +179,7 @@ public class PartitionManager extends AbstractListenerManager<PartitionEvent, Pa |
177 | 179 | ||
178 | @Override | 180 | @Override |
179 | public List<PartitionClientInfo> partitionClientInfo() { | 181 | public List<PartitionClientInfo> partitionClientInfo() { |
182 | + checkPermission(ADMIN); | ||
180 | return partitions.values() | 183 | return partitions.values() |
181 | .stream() | 184 | .stream() |
182 | .map(StoragePartition::client) | 185 | .map(StoragePartition::client) | ... | ... |
... | @@ -172,11 +172,13 @@ public class StorageManager implements StorageService, StorageAdminService { | ... | @@ -172,11 +172,13 @@ public class StorageManager implements StorageService, StorageAdminService { |
172 | 172 | ||
173 | @Override | 173 | @Override |
174 | public List<MapInfo> getMapInfo() { | 174 | public List<MapInfo> getMapInfo() { |
175 | + checkPermission(ADMIN); | ||
175 | return listMapInfo(federatedPrimitiveCreator); | 176 | return listMapInfo(federatedPrimitiveCreator); |
176 | } | 177 | } |
177 | 178 | ||
178 | @Override | 179 | @Override |
179 | public Map<String, Long> getCounters() { | 180 | public Map<String, Long> getCounters() { |
181 | + checkPermission(ADMIN); | ||
180 | Map<String, Long> counters = Maps.newConcurrentMap(); | 182 | Map<String, Long> counters = Maps.newConcurrentMap(); |
181 | federatedPrimitiveCreator.getAsyncAtomicCounterNames() | 183 | federatedPrimitiveCreator.getAsyncAtomicCounterNames() |
182 | .forEach(name -> counters.put(name, | 184 | .forEach(name -> counters.put(name, |
... | @@ -186,11 +188,13 @@ public class StorageManager implements StorageService, StorageAdminService { | ... | @@ -186,11 +188,13 @@ public class StorageManager implements StorageService, StorageAdminService { |
186 | 188 | ||
187 | @Override | 189 | @Override |
188 | public List<PartitionInfo> getPartitionInfo() { | 190 | public List<PartitionInfo> getPartitionInfo() { |
191 | + checkPermission(ADMIN); | ||
189 | return partitionAdminService.partitionInfo(); | 192 | return partitionAdminService.partitionInfo(); |
190 | } | 193 | } |
191 | 194 | ||
192 | @Override | 195 | @Override |
193 | public Collection<TransactionId> getPendingTransactions() { | 196 | public Collection<TransactionId> getPendingTransactions() { |
197 | + checkPermission(ADMIN); | ||
194 | return Futures.getUnchecked(transactions.keySet()); | 198 | return Futures.getUnchecked(transactions.keySet()); |
195 | } | 199 | } |
196 | 200 | ... | ... |
-
Please register or login to post a comment