From 4a47a304c44fe2e746bbe584b65a97706951c13d Mon Sep 17 00:00:00 2001 From: Heedo Kang Date: Mon, 29 Feb 2016 17:40:23 +0900 Subject: [PATCH] More APIs permission for new ONOS APIs Change-Id: I43fee65254adca451f77431bfbf5accdf95b81ab --- .../onosproject/security/AppPermission.java | 19 ++- .../onosproject/codec/impl/CodecManager.java | 7 + .../store/trivial/SimpleClusterStore.java | 6 + .../cluster/impl/ClusterMetadataManager.java | 29 ++-- .../cluster/impl/MastershipManager.java | 1 + .../onosproject/core/impl/CoreManager.java | 6 +- .../event/impl/CoreEventDispatcher.java | 4 + .../net/config/impl/NetworkConfigManager.java | 14 ++ .../net/edgeservice/impl/EdgeManager.java | 6 + .../FlowObjectiveCompositionManager.java | 1 + .../net/intent/impl/IntentManager.java | 3 + .../net/key/impl/DeviceKeyManager.java | 3 - .../net/newresource/impl/ResourceManager.java | 13 ++ .../net/packet/impl/PacketManager.java | 2 + .../net/region/impl/RegionManager.java | 6 + .../net/topology/impl/PathManager.java | 4 + .../net/topology/impl/TopologyManager.java | 4 + .../security/impl/DefaultPolicyBuilder.java | 126 +++++++++++++++--- .../impl/ClusterCommunicationManager.java | 12 ++ .../messaging/impl/NettyMessagingManager.java | 11 ++ .../store/core/impl/LogicalClockManager.java | 4 + .../persistence/impl/PersistenceManager.java | 4 + .../impl/MutexExecutionManager.java | 4 +- .../primitives/impl/PartitionManager.java | 8 ++ .../store/primitives/impl/StorageManager.java | 11 ++ .../ui/impl/UiExtensionManager.java | 8 ++ 26 files changed, 275 insertions(+), 41 deletions(-) diff --git a/core/api/src/main/java/org/onosproject/security/AppPermission.java b/core/api/src/main/java/org/onosproject/security/AppPermission.java index 2eafb7c7c5..4e4a3b037c 100644 --- a/core/api/src/main/java/org/onosproject/security/AppPermission.java +++ b/core/api/src/main/java/org/onosproject/security/AppPermission.java @@ -29,11 +29,16 @@ public class AppPermission extends BasicPermission { public enum Type { APP_READ, APP_EVENT, + APP_WRITE, CONFIG_READ, CONFIG_WRITE, + CONFIG_EVENT, CLUSTER_READ, CLUSTER_WRITE, CLUSTER_EVENT, + CODEC_READ, + CODEC_WRITE, + CLOCK_WRITE, DEVICE_KEY_EVENT, DEVICE_KEY_READ, DEVICE_KEY_WRITE, @@ -41,6 +46,8 @@ public class AppPermission extends BasicPermission { DEVICE_EVENT, DRIVER_READ, DRIVER_WRITE, + EVENT_READ, + EVENT_WRITE, FLOWRULE_READ, FLOWRULE_WRITE, FLOWRULE_EVENT, @@ -56,16 +63,26 @@ public class AppPermission extends BasicPermission { LINK_READ, LINK_WRITE, LINK_EVENT, + MUTEX_WRITE, PACKET_READ, PACKET_WRITE, PACKET_EVENT, + PERSISTENCE_WRITE, + PARTITION_READ, + PARTITION_EVENT, + RESOURCE_READ, + RESOURCE_WRITE, + RESOURCE_EVENT, + REGION_READ, STATISTIC_READ, + STORAGE_WRITE, TOPOLOGY_READ, TOPOLOGY_EVENT, TUNNEL_READ, TUNNEL_WRITE, TUNNEL_EVENT, - STORAGE_WRITE + UI_READ, + UI_WRITE } protected Type type; diff --git a/core/common/src/main/java/org/onosproject/codec/impl/CodecManager.java b/core/common/src/main/java/org/onosproject/codec/impl/CodecManager.java index 5bea2d3ee5..222397072a 100644 --- a/core/common/src/main/java/org/onosproject/codec/impl/CodecManager.java +++ b/core/common/src/main/java/org/onosproject/codec/impl/CodecManager.java @@ -69,6 +69,9 @@ import java.util.Map; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.*; + /** * Implementation of the JSON codec brokering service. */ @@ -134,22 +137,26 @@ public class CodecManager implements CodecService { @Override public Set> getCodecs() { + checkPermission(CODEC_READ); return ImmutableSet.copyOf(codecs.keySet()); } @Override @SuppressWarnings("unchecked") public JsonCodec getCodec(Class entityClass) { + checkPermission(CODEC_READ); return codecs.get(entityClass); } @Override public void registerCodec(Class entityClass, JsonCodec codec) { + checkPermission(CODEC_WRITE); codecs.putIfAbsent(entityClass, codec); } @Override public void unregisterCodec(Class entityClass) { + checkPermission(CODEC_WRITE); codecs.remove(entityClass); } diff --git a/core/common/src/test/java/org/onosproject/store/trivial/SimpleClusterStore.java b/core/common/src/test/java/org/onosproject/store/trivial/SimpleClusterStore.java index 256abb742d..1a2799e8d8 100644 --- a/core/common/src/test/java/org/onosproject/store/trivial/SimpleClusterStore.java +++ b/core/common/src/test/java/org/onosproject/store/trivial/SimpleClusterStore.java @@ -41,6 +41,8 @@ import org.slf4j.Logger; import java.util.Set; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.*; import static org.slf4j.LoggerFactory.getLogger; /** @@ -119,21 +121,25 @@ public class SimpleClusterStore @Override public boolean isMine(Key intentKey) { + checkPermission(INTENT_READ); return true; } @Override public NodeId getLeader(Key intentKey) { + checkPermission(INTENT_READ); return instance.id(); } @Override public void addListener(IntentPartitionEventListener listener) { + checkPermission(INTENT_EVENT); listenerRegistry.addListener(listener); } @Override public void removeListener(IntentPartitionEventListener listener) { + checkPermission(INTENT_EVENT); listenerRegistry.removeListener(listener); } } diff --git a/core/net/src/main/java/org/onosproject/cluster/impl/ClusterMetadataManager.java b/core/net/src/main/java/org/onosproject/cluster/impl/ClusterMetadataManager.java index f655fcc861..2ec9ff3b90 100644 --- a/core/net/src/main/java/org/onosproject/cluster/impl/ClusterMetadataManager.java +++ b/core/net/src/main/java/org/onosproject/cluster/impl/ClusterMetadataManager.java @@ -15,17 +15,6 @@ */ package org.onosproject.cluster.impl; -import static com.google.common.base.Preconditions.checkNotNull; -import static org.slf4j.LoggerFactory.getLogger; - -import java.net.InetAddress; -import java.net.MalformedURLException; -import java.net.NetworkInterface; -import java.net.SocketException; -import java.net.URL; -import java.util.Collection; -import java.util.Enumeration; - import org.apache.felix.scr.annotations.Activate; import org.apache.felix.scr.annotations.Component; import org.apache.felix.scr.annotations.Deactivate; @@ -47,6 +36,19 @@ import org.onosproject.net.provider.AbstractProviderService; import org.onosproject.store.service.Versioned; import org.slf4j.Logger; +import java.net.InetAddress; +import java.net.MalformedURLException; +import java.net.NetworkInterface; +import java.net.SocketException; +import java.net.URL; +import java.util.Collection; +import java.util.Enumeration; + +import static com.google.common.base.Preconditions.checkNotNull; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.CLUSTER_READ; +import static org.slf4j.LoggerFactory.getLogger; + /** * Implementation of ClusterMetadataService. */ @@ -77,6 +79,7 @@ public class ClusterMetadataManager @Override public ClusterMetadata getClusterMetadata() { + checkPermission(CLUSTER_READ); Versioned metadata = getProvider().getClusterMetadata(); return metadata.value(); } @@ -85,11 +88,13 @@ public class ClusterMetadataManager @Override protected ClusterMetadataProviderService createProviderService( ClusterMetadataProvider provider) { + checkPermission(CLUSTER_READ); return new InternalClusterMetadataProviderService(provider); } @Override public ControllerNode getLocalNode() { + checkPermission(CLUSTER_READ); if (localNode == null) { establishSelfIdentity(); } @@ -188,4 +193,4 @@ public class ClusterMetadataManager // TODO: notify listeners } } -} \ No newline at end of file +} diff --git a/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java b/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java index 56d369fd7a..50a33502aa 100644 --- a/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java +++ b/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java @@ -187,6 +187,7 @@ public class MastershipManager @Override public MastershipTerm getMastershipTerm(DeviceId deviceId) { + checkPermission(CLUSTER_READ); return store.getTermFor(deviceId); } diff --git a/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java b/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java index eae8cf6af4..6b4f76e31c 100644 --- a/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java +++ b/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java @@ -50,8 +50,7 @@ import java.util.Set; import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Strings.isNullOrEmpty; import static org.onosproject.security.AppGuard.checkPermission; -import static org.onosproject.security.AppPermission.Type.APP_READ; - +import static org.onosproject.security.AppPermission.Type.*; /** @@ -149,12 +148,14 @@ public class CoreManager implements CoreService { @Override public ApplicationId registerApplication(String name) { + checkPermission(APP_WRITE); checkNotNull(name, "Application ID cannot be null"); return applicationIdStore.registerApplication(name); } @Override public ApplicationId registerApplication(String name, Runnable preDeactivate) { + checkPermission(APP_WRITE); ApplicationId id = registerApplication(name); appService.registerDeactivateHook(id, preDeactivate); return id; @@ -162,6 +163,7 @@ public class CoreManager implements CoreService { @Override public IdGenerator getIdGenerator(String topic) { + checkPermission(APP_READ); IdBlockAllocator allocator = new StoreBasedIdBlockAllocator(topic, idBlockStore); return new BlockAllocatorBasedIdGenerator(allocator); } diff --git a/core/net/src/main/java/org/onosproject/event/impl/CoreEventDispatcher.java b/core/net/src/main/java/org/onosproject/event/impl/CoreEventDispatcher.java index e63ecdf15a..3d9df6b364 100644 --- a/core/net/src/main/java/org/onosproject/event/impl/CoreEventDispatcher.java +++ b/core/net/src/main/java/org/onosproject/event/impl/CoreEventDispatcher.java @@ -38,6 +38,8 @@ import static java.util.concurrent.Executors.newSingleThreadExecutor; import static org.onlab.util.Tools.groupedThreads; import static org.slf4j.LoggerFactory.getLogger; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.*; /** * Simple implementation of an event dispatching service. */ @@ -96,6 +98,7 @@ public class CoreEventDispatcher extends DefaultEventSinkRegistry @Override public void setDispatchTimeLimit(long millis) { + checkPermission(EVENT_WRITE); checkArgument(millis >= WATCHDOG_MS, "Time limit must be greater than %s", WATCHDOG_MS); maxProcessMillis = millis; @@ -103,6 +106,7 @@ public class CoreEventDispatcher extends DefaultEventSinkRegistry @Override public long getDispatchTimeLimit() { + checkPermission(EVENT_READ); return maxProcessMillis; } diff --git a/core/net/src/main/java/org/onosproject/net/config/impl/NetworkConfigManager.java b/core/net/src/main/java/org/onosproject/net/config/impl/NetworkConfigManager.java index 9f041e6115..2353c1e197 100644 --- a/core/net/src/main/java/org/onosproject/net/config/impl/NetworkConfigManager.java +++ b/core/net/src/main/java/org/onosproject/net/config/impl/NetworkConfigManager.java @@ -42,6 +42,8 @@ import java.util.Objects; import java.util.Set; import static com.google.common.base.Preconditions.checkNotNull; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.*; /** * Implementation of the network configuration subsystem. @@ -142,6 +144,7 @@ public class NetworkConfigManager @Override public Set getSubjectClasses() { + checkPermission(CONFIG_READ); ImmutableSet.Builder builder = ImmutableSet.builder(); factories.forEach((k, v) -> builder.add(k.subjectClass)); return builder.build(); @@ -149,16 +152,19 @@ public class NetworkConfigManager @Override public SubjectFactory getSubjectFactory(String subjectClassKey) { + checkPermission(CONFIG_READ); return subjectClasses.get(subjectClassKey); } @Override public SubjectFactory getSubjectFactory(Class subjectClass) { + checkPermission(CONFIG_READ); return subjectClassKeys.get(subjectClass); } @Override public Class getConfigClass(String subjectClassKey, String configKey) { + checkPermission(CONFIG_READ); checkNotNull(subjectClassKey, NULL_SCKEY_MSG); checkNotNull(configKey, NULL_CKEY_MSG); return configClasses.get(new ConfigIdentifier(subjectClassKey, configKey)); @@ -166,12 +172,14 @@ public class NetworkConfigManager @Override public Set getSubjects(Class subjectClass) { + checkPermission(CONFIG_READ); checkNotNull(subjectClass, NULL_SCLASS_MSG); return store.getSubjects(subjectClass); } @Override public > Set getSubjects(Class subjectClass, Class configClass) { + checkPermission(CONFIG_READ); checkNotNull(subjectClass, NULL_SCLASS_MSG); checkNotNull(configClass, NULL_CCLASS_MSG); return store.getSubjects(subjectClass, configClass); @@ -179,6 +187,7 @@ public class NetworkConfigManager @Override public Set> getConfigs(S subject) { + checkPermission(CONFIG_READ); checkNotNull(subject, NULL_SUBJECT_MSG); Set>> configClasses = store.getConfigClasses(subject); ImmutableSet.Builder> cfg = ImmutableSet.builder(); @@ -188,6 +197,7 @@ public class NetworkConfigManager @Override public > C getConfig(S subject, Class configClass) { + checkPermission(CONFIG_READ); checkNotNull(subject, NULL_SUBJECT_MSG); checkNotNull(configClass, NULL_CCLASS_MSG); return store.getConfig(subject, configClass); @@ -196,6 +206,7 @@ public class NetworkConfigManager @Override public > C addConfig(S subject, Class configClass) { + checkPermission(CONFIG_WRITE); checkNotNull(subject, NULL_SUBJECT_MSG); checkNotNull(configClass, NULL_CCLASS_MSG); return store.createConfig(subject, configClass); @@ -203,6 +214,7 @@ public class NetworkConfigManager @Override public > C applyConfig(S subject, Class configClass, JsonNode json) { + checkPermission(CONFIG_WRITE); checkNotNull(subject, NULL_SUBJECT_MSG); checkNotNull(configClass, NULL_CCLASS_MSG); checkNotNull(json, NULL_JSON_MSG); @@ -213,6 +225,7 @@ public class NetworkConfigManager @SuppressWarnings("unchecked") public > C applyConfig(String subjectClassKey, S subject, String configKey, JsonNode json) { + checkPermission(CONFIG_WRITE); checkNotNull(subjectClassKey, NULL_SCKEY_MSG); checkNotNull(subject, NULL_SUBJECT_MSG); checkNotNull(configKey, NULL_CKEY_MSG); @@ -229,6 +242,7 @@ public class NetworkConfigManager @Override public > void removeConfig(S subject, Class configClass) { + checkPermission(CONFIG_WRITE); checkNotNull(subject, NULL_SUBJECT_MSG); checkNotNull(configClass, NULL_CCLASS_MSG); store.clearConfig(subject, configClass); diff --git a/core/net/src/main/java/org/onosproject/net/edgeservice/impl/EdgeManager.java b/core/net/src/main/java/org/onosproject/net/edgeservice/impl/EdgeManager.java index 7340fc5b8b..314d10f942 100644 --- a/core/net/src/main/java/org/onosproject/net/edgeservice/impl/EdgeManager.java +++ b/core/net/src/main/java/org/onosproject/net/edgeservice/impl/EdgeManager.java @@ -56,6 +56,8 @@ import static org.onosproject.net.device.DeviceEvent.Type.*; import static org.onosproject.net.edge.EdgePortEvent.Type.EDGE_PORT_ADDED; import static org.onosproject.net.edge.EdgePortEvent.Type.EDGE_PORT_REMOVED; import static org.slf4j.LoggerFactory.getLogger; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.*; /** * This is an implementation of the edge net service. @@ -107,11 +109,13 @@ public class EdgeManager @Override public boolean isEdgePoint(ConnectPoint point) { + checkPermission(TOPOLOGY_READ); return !topologyService.isInfrastructure(topologyService.currentTopology(), point); } @Override public Iterable getEdgePoints() { + checkPermission(TOPOLOGY_READ); ImmutableSet.Builder builder = ImmutableSet.builder(); connectionPoints.forEach((k, v) -> v.forEach(builder::add)); return builder.build(); @@ -119,6 +123,7 @@ public class EdgeManager @Override public Iterable getEdgePoints(DeviceId deviceId) { + checkPermission(TOPOLOGY_READ); ImmutableSet.Builder builder = ImmutableSet.builder(); Set set = connectionPoints.get(deviceId); if (set != null) { @@ -129,6 +134,7 @@ public class EdgeManager @Override public void emitPacket(ByteBuffer data, Optional treatment) { + checkPermission(PACKET_WRITE); TrafficTreatment.Builder builder = treatment.map(DefaultTrafficTreatment::builder) .orElse(DefaultTrafficTreatment.builder()); getEdgePoints().forEach(p -> packetService.emit(packet(builder, p, data))); diff --git a/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java b/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java index a64b9761ec..2041b5b919 100644 --- a/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java +++ b/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java @@ -272,6 +272,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService { @Override public void initPolicy(String policy) { + checkPermission(FLOWRULE_WRITE); this.policy = policy; deviceService.getDevices().forEach(device -> this.deviceCompositionTreeMap.put(device.id(), FlowObjectiveCompositionUtil.parsePolicyString(policy))); diff --git a/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java b/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java index 60b279f0dd..61fc0df41a 100644 --- a/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java +++ b/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java @@ -282,16 +282,19 @@ public class IntentManager @Override public void registerCompiler(Class cls, IntentCompiler compiler) { + checkPermission(INTENT_WRITE); compilerRegistry.registerCompiler(cls, compiler); } @Override public void unregisterCompiler(Class cls) { + checkPermission(INTENT_WRITE); compilerRegistry.unregisterCompiler(cls); } @Override public Map, IntentCompiler> getCompilers() { + checkPermission(INTENT_READ); return compilerRegistry.getCompilers(); } diff --git a/core/net/src/main/java/org/onosproject/net/key/impl/DeviceKeyManager.java b/core/net/src/main/java/org/onosproject/net/key/impl/DeviceKeyManager.java index 3bff95f5bb..8d0841a820 100644 --- a/core/net/src/main/java/org/onosproject/net/key/impl/DeviceKeyManager.java +++ b/core/net/src/main/java/org/onosproject/net/key/impl/DeviceKeyManager.java @@ -38,7 +38,6 @@ import java.util.Collection; import static com.google.common.base.Preconditions.checkNotNull; import static org.onosproject.security.AppGuard.checkPermission; import static org.onosproject.security.AppPermission.Type.DEVICE_KEY_READ; -import static org.onosproject.security.AppPermission.Type.DEVICE_KEY_WRITE; import static org.slf4j.LoggerFactory.getLogger; /** @@ -72,14 +71,12 @@ public class DeviceKeyManager extends AbstractListenerManager allocate(ResourceConsumer consumer, List resources) { + checkPermission(RESOURCE_WRITE); checkNotNull(consumer); checkNotNull(resources); @@ -97,6 +101,7 @@ public final class ResourceManager extends AbstractListenerManager allocations) { + checkPermission(RESOURCE_WRITE); checkNotNull(allocations); return store.release(allocations); @@ -112,6 +117,7 @@ public final class ResourceManager extends AbstractListenerManager getResourceAllocations(ResourceId id) { + checkPermission(RESOURCE_READ); checkNotNull(id); return store.getResourceAllocations(id); @@ -119,6 +125,7 @@ public final class ResourceManager extends AbstractListenerManager Collection getResourceAllocations(DiscreteResourceId parent, Class cls) { + checkPermission(RESOURCE_READ); checkNotNull(parent); checkNotNull(cls); @@ -131,6 +138,7 @@ public final class ResourceManager extends AbstractListenerManager getResourceAllocations(ResourceConsumer consumer) { + checkPermission(RESOURCE_READ); checkNotNull(consumer); Collection resources = store.getResources(consumer); @@ -141,6 +149,7 @@ public final class ResourceManager extends AbstractListenerManager getAvailableResources(DiscreteResourceId parent) { + checkPermission(RESOURCE_READ); checkNotNull(parent); Set children = store.getChildResources(parent); @@ -152,6 +161,7 @@ public final class ResourceManager extends AbstractListenerManager Set getAvailableResources(DiscreteResourceId parent, Class cls) { + checkPermission(RESOURCE_READ); checkNotNull(parent); checkNotNull(cls); @@ -163,6 +173,7 @@ public final class ResourceManager extends AbstractListenerManager Set getAvailableResourceValues(DiscreteResourceId parent, Class cls) { + checkPermission(RESOURCE_READ); checkNotNull(parent); checkNotNull(cls); @@ -174,6 +185,7 @@ public final class ResourceManager extends AbstractListenerManager getRegisteredResources(DiscreteResourceId parent) { + checkPermission(RESOURCE_READ); checkNotNull(parent); return store.getChildResources(parent); @@ -181,6 +193,7 @@ public final class ResourceManager extends AbstractListenerManager getProcessors() { + checkPermission(PACKET_READ); return ImmutableList.copyOf(processors); } @@ -233,6 +234,7 @@ public class PacketManager @Override public List getRequests() { + checkPermission(PACKET_READ); return store.existingRequests(); } diff --git a/core/net/src/main/java/org/onosproject/net/region/impl/RegionManager.java b/core/net/src/main/java/org/onosproject/net/region/impl/RegionManager.java index 52634eaa45..f0580bdd64 100644 --- a/core/net/src/main/java/org/onosproject/net/region/impl/RegionManager.java +++ b/core/net/src/main/java/org/onosproject/net/region/impl/RegionManager.java @@ -43,6 +43,8 @@ import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkState; import static com.google.common.collect.ImmutableList.of; import static org.slf4j.LoggerFactory.getLogger; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.REGION_READ; /** * Provides implementation of the region service APIs. @@ -122,23 +124,27 @@ public class RegionManager extends AbstractListenerManager getRegions() { + checkPermission(REGION_READ); return store.getRegions(); } @Override public Region getRegion(RegionId regionId) { + checkPermission(REGION_READ); checkNotNull(regionId, REGION_ID_NULL); return store.getRegion(regionId); } @Override public Region getRegionForDevice(DeviceId deviceId) { + checkPermission(REGION_READ); checkNotNull(deviceId, DEVICE_ID_NULL); return store.getRegionForDevice(deviceId); } @Override public Set getRegionDevices(RegionId regionId) { + checkPermission(REGION_READ); checkNotNull(regionId, REGION_ID_NULL); return store.getRegionDevices(regionId); } diff --git a/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java b/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java index 08071ec90e..dc289e2991 100644 --- a/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java +++ b/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java @@ -134,11 +134,13 @@ public class PathManager implements PathService { @Override public Set getDisjointPaths(ElementId src, ElementId dst) { + checkPermission(TOPOLOGY_READ); return getDisjointPaths(src, dst, (LinkWeight) null); } @Override public Set getDisjointPaths(ElementId src, ElementId dst, LinkWeight weight) { + checkPermission(TOPOLOGY_READ); checkNotNull(src, ELEMENT_ID_NULL); checkNotNull(dst, ELEMENT_ID_NULL); @@ -173,12 +175,14 @@ public class PathManager implements PathService { @Override public Set getDisjointPaths(ElementId src, ElementId dst, Map riskProfile) { + checkPermission(TOPOLOGY_READ); return getDisjointPaths(src, dst, null, riskProfile); } @Override public Set getDisjointPaths(ElementId src, ElementId dst, LinkWeight weight, Map riskProfile) { + checkPermission(TOPOLOGY_READ); checkNotNull(src, ELEMENT_ID_NULL); checkNotNull(dst, ELEMENT_ID_NULL); diff --git a/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java b/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java index 4425e1c1d9..8c21730a80 100644 --- a/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java +++ b/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java @@ -166,6 +166,7 @@ public class TopologyManager @Override public Set getDisjointPaths(Topology topology, DeviceId src, DeviceId dst) { + checkPermission(TOPOLOGY_READ); checkNotNull(topology, TOPOLOGY_NULL); checkNotNull(src, DEVICE_ID_NULL); checkNotNull(dst, DEVICE_ID_NULL); @@ -175,6 +176,7 @@ public class TopologyManager @Override public Set getDisjointPaths(Topology topology, DeviceId src, DeviceId dst, LinkWeight weight) { + checkPermission(TOPOLOGY_READ); checkNotNull(topology, TOPOLOGY_NULL); checkNotNull(src, DEVICE_ID_NULL); checkNotNull(dst, DEVICE_ID_NULL); @@ -185,6 +187,7 @@ public class TopologyManager @Override public Set getDisjointPaths(Topology topology, DeviceId src, DeviceId dst, Map riskProfile) { + checkPermission(TOPOLOGY_READ); checkNotNull(topology, TOPOLOGY_NULL); checkNotNull(src, DEVICE_ID_NULL); checkNotNull(dst, DEVICE_ID_NULL); @@ -195,6 +198,7 @@ public class TopologyManager public Set getDisjointPaths(Topology topology, DeviceId src, DeviceId dst, LinkWeight weight, Map riskProfile) { + checkPermission(TOPOLOGY_READ); checkNotNull(topology, TOPOLOGY_NULL); checkNotNull(src, DEVICE_ID_NULL); checkNotNull(dst, DEVICE_ID_NULL); diff --git a/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java b/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java index 59273b1d1e..033952fa3b 100644 --- a/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java +++ b/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java @@ -19,14 +19,31 @@ package org.onosproject.security.impl; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Lists; import com.google.common.collect.Sets; +import org.onosproject.cluster.ClusterAdminService; +import org.onosproject.cluster.ClusterMetadataService; +import org.onosproject.cluster.ClusterService; +import org.onosproject.cluster.ClusterMetadataAdminService; +import org.onosproject.cluster.LeadershipService; +import org.onosproject.cluster.LeadershipAdminService; +import org.onosproject.codec.CodecService; +import org.onosproject.event.EventDeliveryService; +import org.onosproject.mastership.MastershipTermService; +import org.onosproject.net.config.BasicNetworkConfigService; +import org.onosproject.net.config.NetworkConfigService; +import org.onosproject.net.edge.EdgePortService; +import org.onosproject.net.key.DeviceKeyAdminService; +import org.onosproject.net.key.DeviceKeyService; +import org.onosproject.net.newresource.ResourceAdminService; +import org.onosproject.net.newresource.ResourceService; +import org.onosproject.net.region.RegionAdminService; +import org.onosproject.net.region.RegionService; +import org.onosproject.net.statistic.FlowStatisticService; +import org.onosproject.persistence.PersistenceService; import org.onosproject.security.AppPermission; import org.onosproject.app.ApplicationAdminService; import org.onosproject.app.ApplicationService; import org.onosproject.cfg.ComponentConfigService; -import org.onosproject.cluster.ClusterAdminService; -import org.onosproject.cluster.ClusterService; import org.onosproject.core.CoreService; -import org.onosproject.cluster.LeadershipService; import org.onosproject.mastership.MastershipAdminService; import org.onosproject.mastership.MastershipService; import org.onosproject.net.device.DeviceAdminService; @@ -47,13 +64,19 @@ import org.onosproject.net.link.LinkAdminService; import org.onosproject.net.link.LinkService; import org.onosproject.net.packet.PacketService; import org.onosproject.net.proxyarp.ProxyArpService; -import org.onosproject.net.resource.link.LinkResourceService; import org.onosproject.net.statistic.StatisticService; import org.onosproject.net.topology.PathService; import org.onosproject.net.topology.TopologyService; import org.onosproject.security.SecurityAdminService; +import org.onosproject.store.cluster.messaging.ClusterCommunicationService; +import org.onosproject.store.cluster.messaging.MessagingService; +import org.onosproject.store.primitives.PartitionAdminService; +import org.onosproject.store.primitives.PartitionService; +import org.onosproject.store.service.LogicalClockService; +import org.onosproject.store.service.MutexExecutionService; import org.onosproject.store.service.StorageAdminService; import org.onosproject.store.service.StorageService; +import org.onosproject.ui.UiExtensionService; import org.osgi.framework.ServicePermission; import org.osgi.framework.AdminPermission; import org.osgi.framework.AdaptPermission; @@ -169,23 +192,35 @@ public final class DefaultPolicyBuilder { List permSet = Lists.newArrayList(); permSet.add(new ServicePermission(ApplicationAdminService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(ClusterAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(LeadershipAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ClusterMetadataAdminService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(MastershipAdminService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(DeviceAdminService.class.getName(), ServicePermission.GET)); - permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET)); - permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(DriverAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(HostAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(DeviceKeyAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(LinkAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ResourceAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(RegionAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(PartitionAdminService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(StorageAdminService.class.getName(), ServicePermission.GET)); -// permSet.add(new ServicePermission(LabelResourceAdminService.class.getName(), ServicePermission.GET)); -// permSet.add(new ServicePermission(TunnelAdminService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ApplicationService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(ComponentConfigService.class.getName(), ServicePermission.GET)); - permSet.add(new ServicePermission(CoreService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ClusterMetadataService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(ClusterService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(LeadershipService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(CodecService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(CoreService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(EventDeliveryService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(MastershipService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(MastershipTermService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(BasicNetworkConfigService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(NetworkConfigService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(DeviceService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(DeviceClockService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(DriverService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(EdgePortService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(FlowRuleService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(FlowObjectiveService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(GroupService.class.getName(), ServicePermission.GET)); @@ -194,16 +229,29 @@ public final class DefaultPolicyBuilder { permSet.add(new ServicePermission(IntentClockService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(IntentExtensionService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(IntentPartitionService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(DeviceKeyService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(LinkService.class.getName(), ServicePermission.GET)); - permSet.add(new ServicePermission(LinkResourceService.class.getName(), ServicePermission.GET)); -// permSet.add(new ServicePermission(LabelResourceService.class.getName(), ServicePermission.GET)); +// permSet.add(new ServicePermission(MulticastRouteService.class.getName(), ServicePermission.GET)); +// permSet.add(new ServicePermission(MeterService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ResourceService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(PacketService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(ProxyArpService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(RegionService.class.getName(), ServicePermission.GET)); +// permSet.add(new ServicePermission(LinkResourceService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(FlowStatisticService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(StatisticService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(PathService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(TopologyService.class.getName(), ServicePermission.GET)); -// permSet.add(new ServicePermission(TunnelService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(PersistenceService.class.getName(), ServicePermission.GET)); +// permSet.add(new ServicePermission(ApiDocService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(ClusterCommunicationService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(MessagingService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(PartitionService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(LogicalClockService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(MutexExecutionService.class.getName(), ServicePermission.GET)); permSet.add(new ServicePermission(StorageService.class.getName(), ServicePermission.GET)); + permSet.add(new ServicePermission(UiExtensionService.class.getName(), ServicePermission.GET)); + return permSet; } @@ -223,15 +271,21 @@ public final class DefaultPolicyBuilder { ApplicationService.class.getName(), CoreService.class.getName())); serviceDirectory.put(APP_EVENT, ImmutableSet.of( ApplicationService.class.getName(), CoreService.class.getName())); + serviceDirectory.put(APP_WRITE, ImmutableSet.of( + CoreService.class.getName())); serviceDirectory.put(CONFIG_READ, ImmutableSet.of( - ComponentConfigService.class.getName())); + ComponentConfigService.class.getName(), NetworkConfigService.class.getName())); serviceDirectory.put(CONFIG_WRITE, ImmutableSet.of( - ComponentConfigService.class.getName())); + ComponentConfigService.class.getName(), NetworkConfigService.class.getName())); + serviceDirectory.put(CONFIG_EVENT, ImmutableSet.of( + NetworkConfigService.class.getName())); serviceDirectory.put(CLUSTER_READ, ImmutableSet.of( ClusterService.class.getName(), LeadershipService.class.getName(), - MastershipService.class.getName())); + MastershipService.class.getName(), ClusterMetadataService.class.getName(), + MastershipTermService.class.getName())); serviceDirectory.put(CLUSTER_WRITE, ImmutableSet.of( - LeadershipService.class.getName(), MastershipService.class.getName())); + LeadershipService.class.getName(), MastershipService.class.getName(), + ClusterCommunicationService.class.getName(), MessagingService.class.getName())); serviceDirectory.put(CLUSTER_EVENT, ImmutableSet.of( ClusterService.class.getName(), LeadershipService.class.getName(), MastershipService.class.getName())); @@ -263,11 +317,11 @@ public final class DefaultPolicyBuilder { HostService.class.getName())); serviceDirectory.put(INTENT_READ, ImmutableSet.of( IntentService.class.getName(), IntentPartitionService.class.getName(), - IntentClockService.class.getName())); + IntentClockService.class.getName(), IntentExtensionService.class.getName())); serviceDirectory.put(INTENT_WRITE, ImmutableSet.of( - IntentService.class.getName())); + IntentService.class.getName(), IntentExtensionService.class.getName())); serviceDirectory.put(INTENT_EVENT, ImmutableSet.of( - IntentService.class.getName())); + IntentService.class.getName(), IntentPartitionService.class.getName())); // serviceDirectory.put(LINK_READ, ImmutableSet.of( // LinkService.class.getName(), LinkResourceService.class.getName(), // LabelResourceService.class.getName())); @@ -279,13 +333,15 @@ public final class DefaultPolicyBuilder { serviceDirectory.put(PACKET_READ, ImmutableSet.of( PacketService.class.getName(), ProxyArpService.class.getName())); serviceDirectory.put(PACKET_WRITE, ImmutableSet.of( - PacketService.class.getName(), ProxyArpService.class.getName())); + PacketService.class.getName(), ProxyArpService.class.getName(), + EdgePortService.class.getName())); serviceDirectory.put(PACKET_EVENT, ImmutableSet.of( PacketService.class.getName())); serviceDirectory.put(STATISTIC_READ, ImmutableSet.of( - StatisticService.class.getName())); + StatisticService.class.getName(), FlowStatisticService.class.getName())); serviceDirectory.put(TOPOLOGY_READ, ImmutableSet.of( - TopologyService.class.getName(), PathService.class.getName())); + TopologyService.class.getName(), PathService.class.getName(), + EdgePortService.class.getName())); serviceDirectory.put(TOPOLOGY_EVENT, ImmutableSet.of( TopologyService.class.getName())); // serviceDirectory.put(TUNNEL_READ, ImmutableSet.of( @@ -296,6 +352,32 @@ public final class DefaultPolicyBuilder { // TunnelService.class.getName())); serviceDirectory.put(STORAGE_WRITE, ImmutableSet.of( StorageService.class.getName())); + serviceDirectory.put(CODEC_READ, ImmutableSet.of( + CodecService.class.getName())); + serviceDirectory.put(CODEC_WRITE, ImmutableSet.of( + CodecService.class.getName())); + serviceDirectory.put(EVENT_READ, ImmutableSet.of( + EventDeliveryService.class.getName())); + serviceDirectory.put(EVENT_WRITE, ImmutableSet.of( + EventDeliveryService.class.getName())); + serviceDirectory.put(RESOURCE_READ, ImmutableSet.of( + ResourceService.class.getName())); + serviceDirectory.put(RESOURCE_WRITE, ImmutableSet.of( + ResourceService.class.getName())); + serviceDirectory.put(RESOURCE_EVENT, ImmutableSet.of( + ResourceService.class.getName())); + serviceDirectory.put(REGION_READ, ImmutableSet.of( + RegionService.class.getName())); + serviceDirectory.put(PERSISTENCE_WRITE, ImmutableSet.of( + PersistenceService.class.getName())); + serviceDirectory.put(PARTITION_READ, ImmutableSet.of( + PartitionService.class.getName())); + serviceDirectory.put(PARTITION_EVENT, ImmutableSet.of( + PartitionService.class.getName())); + serviceDirectory.put(CLOCK_WRITE, ImmutableSet.of( + LogicalClockService.class.getName())); + serviceDirectory.put(MUTEX_WRITE, ImmutableSet.of( + MutexExecutionService.class.getName())); return serviceDirectory; } diff --git a/core/store/dist/src/main/java/org/onosproject/store/cluster/messaging/impl/ClusterCommunicationManager.java b/core/store/dist/src/main/java/org/onosproject/store/cluster/messaging/impl/ClusterCommunicationManager.java index 1d962d087d..6ce41b3ca0 100644 --- a/core/store/dist/src/main/java/org/onosproject/store/cluster/messaging/impl/ClusterCommunicationManager.java +++ b/core/store/dist/src/main/java/org/onosproject/store/cluster/messaging/impl/ClusterCommunicationManager.java @@ -50,6 +50,8 @@ import java.util.stream.Collectors; import static com.google.common.base.Preconditions.checkArgument; import static com.google.common.base.Preconditions.checkNotNull; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.CLUSTER_WRITE; @Component(immediate = true) @Service @@ -94,6 +96,7 @@ public class ClusterCommunicationManager public void broadcast(M message, MessageSubject subject, Function encoder) { + checkPermission(CLUSTER_WRITE); multicast(message, subject, encoder, @@ -108,6 +111,7 @@ public class ClusterCommunicationManager public void broadcastIncludeSelf(M message, MessageSubject subject, Function encoder) { + checkPermission(CLUSTER_WRITE); multicast(message, subject, encoder, @@ -122,6 +126,7 @@ public class ClusterCommunicationManager MessageSubject subject, Function encoder, NodeId toNodeId) { + checkPermission(CLUSTER_WRITE); try { byte[] payload = new ClusterMessage( localNodeId, @@ -139,6 +144,7 @@ public class ClusterCommunicationManager MessageSubject subject, Function encoder, Set nodes) { + checkPermission(CLUSTER_WRITE); byte[] payload = new ClusterMessage( localNodeId, subject, @@ -153,6 +159,7 @@ public class ClusterCommunicationManager Function encoder, Function decoder, NodeId toNodeId) { + checkPermission(CLUSTER_WRITE); try { ClusterMessage envelope = new ClusterMessage( clusterService.getLocalNode().id(), @@ -193,6 +200,7 @@ public class ClusterCommunicationManager public void addSubscriber(MessageSubject subject, ClusterMessageHandler subscriber, ExecutorService executor) { + checkPermission(CLUSTER_WRITE); messagingService.registerHandler(subject.value(), new InternalClusterMessageHandler(subscriber), executor); @@ -200,6 +208,7 @@ public class ClusterCommunicationManager @Override public void removeSubscriber(MessageSubject subject) { + checkPermission(CLUSTER_WRITE); messagingService.unregisterHandler(subject.value()); } @@ -209,6 +218,7 @@ public class ClusterCommunicationManager Function handler, Function encoder, Executor executor) { + checkPermission(CLUSTER_WRITE); messagingService.registerHandler(subject.value(), new InternalMessageResponder(decoder, encoder, m -> { CompletableFuture responseFuture = new CompletableFuture<>(); @@ -228,6 +238,7 @@ public class ClusterCommunicationManager Function decoder, Function> handler, Function encoder) { + checkPermission(CLUSTER_WRITE); messagingService.registerHandler(subject.value(), new InternalMessageResponder<>(decoder, encoder, handler)); } @@ -237,6 +248,7 @@ public class ClusterCommunicationManager Function decoder, Consumer handler, Executor executor) { + checkPermission(CLUSTER_WRITE); messagingService.registerHandler(subject.value(), new InternalMessageConsumer<>(decoder, handler), executor); diff --git a/core/store/dist/src/main/java/org/onosproject/store/cluster/messaging/impl/NettyMessagingManager.java b/core/store/dist/src/main/java/org/onosproject/store/cluster/messaging/impl/NettyMessagingManager.java index 2f883e1e51..53611f353b 100644 --- a/core/store/dist/src/main/java/org/onosproject/store/cluster/messaging/impl/NettyMessagingManager.java +++ b/core/store/dist/src/main/java/org/onosproject/store/cluster/messaging/impl/NettyMessagingManager.java @@ -82,6 +82,9 @@ import java.util.function.BiConsumer; import java.util.function.BiFunction; import java.util.function.Consumer; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.CLUSTER_WRITE; + /** * Netty based MessagingService. */ @@ -213,6 +216,7 @@ public class NettyMessagingManager implements MessagingService { @Override public CompletableFuture sendAsync(Endpoint ep, String type, byte[] payload) { + checkPermission(CLUSTER_WRITE); InternalMessage message = new InternalMessage(messageIdGenerator.incrementAndGet(), localEp, type, @@ -221,6 +225,7 @@ public class NettyMessagingManager implements MessagingService { } protected CompletableFuture sendAsync(Endpoint ep, InternalMessage message) { + checkPermission(CLUSTER_WRITE); if (ep.equals(localEp)) { try { dispatchLocally(message); @@ -247,11 +252,13 @@ public class NettyMessagingManager implements MessagingService { @Override public CompletableFuture sendAndReceive(Endpoint ep, String type, byte[] payload) { + checkPermission(CLUSTER_WRITE); return sendAndReceive(ep, type, payload, MoreExecutors.directExecutor()); } @Override public CompletableFuture sendAndReceive(Endpoint ep, String type, byte[] payload, Executor executor) { + checkPermission(CLUSTER_WRITE); CompletableFuture response = new CompletableFuture<>(); Callback callback = new Callback(response, executor); Long messageId = messageIdGenerator.incrementAndGet(); @@ -266,11 +273,13 @@ public class NettyMessagingManager implements MessagingService { @Override public void registerHandler(String type, BiConsumer handler, Executor executor) { + checkPermission(CLUSTER_WRITE); handlers.put(type, message -> executor.execute(() -> handler.accept(message.sender(), message.payload()))); } @Override public void registerHandler(String type, BiFunction handler, Executor executor) { + checkPermission(CLUSTER_WRITE); handlers.put(type, message -> executor.execute(() -> { byte[] responsePayload = null; Status status = Status.OK; @@ -285,6 +294,7 @@ public class NettyMessagingManager implements MessagingService { @Override public void registerHandler(String type, BiFunction> handler) { + checkPermission(CLUSTER_WRITE); handlers.put(type, message -> { handler.apply(message.sender(), message.payload()).whenComplete((result, error) -> { Status status = error == null ? Status.OK : Status.ERROR_HANDLER_EXCEPTION; @@ -295,6 +305,7 @@ public class NettyMessagingManager implements MessagingService { @Override public void unregisterHandler(String type) { + checkPermission(CLUSTER_WRITE); handlers.remove(type); } diff --git a/core/store/dist/src/main/java/org/onosproject/store/core/impl/LogicalClockManager.java b/core/store/dist/src/main/java/org/onosproject/store/core/impl/LogicalClockManager.java index 4b2f7808aa..c09442569f 100644 --- a/core/store/dist/src/main/java/org/onosproject/store/core/impl/LogicalClockManager.java +++ b/core/store/dist/src/main/java/org/onosproject/store/core/impl/LogicalClockManager.java @@ -30,6 +30,9 @@ import org.onosproject.store.service.LogicalClockService; import org.onosproject.store.service.StorageService; import org.slf4j.Logger; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.CLOCK_WRITE; + /** * LogicalClockService implementation based on a AtomicCounter. */ @@ -62,6 +65,7 @@ public class LogicalClockManager implements LogicalClockService { @Override public Timestamp getTimestamp() { + checkPermission(CLOCK_WRITE); return new LogicalTimestamp(atomicCounter.incrementAndGet()); } } \ No newline at end of file diff --git a/core/store/persistence/src/main/java/org/onosproject/persistence/impl/PersistenceManager.java b/core/store/persistence/src/main/java/org/onosproject/persistence/impl/PersistenceManager.java index 05c577c0f3..b7dc6ab4b9 100644 --- a/core/store/persistence/src/main/java/org/onosproject/persistence/impl/PersistenceManager.java +++ b/core/store/persistence/src/main/java/org/onosproject/persistence/impl/PersistenceManager.java @@ -36,6 +36,8 @@ import java.util.Set; import java.util.Timer; import java.util.TimerTask; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.PERSISTENCE_WRITE; import static org.slf4j.LoggerFactory.getLogger; /** @@ -122,10 +124,12 @@ public class PersistenceManager implements PersistenceService { } public PersistentMapBuilder persistentMapBuilder() { + checkPermission(PERSISTENCE_WRITE); return new DefaultPersistentMapBuilder<>(localDB); } public PersistentSetBuilder persistentSetBuilder() { + checkPermission(PERSISTENCE_WRITE); return new DefaultPersistentSetBuilder<>(localDB); } diff --git a/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/MutexExecutionManager.java b/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/MutexExecutionManager.java index 5946fdb517..431a240486 100644 --- a/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/MutexExecutionManager.java +++ b/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/MutexExecutionManager.java @@ -50,7 +50,8 @@ import org.slf4j.Logger; import com.google.common.base.MoreObjects; import com.google.common.collect.Lists; import com.google.common.collect.Maps; - +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.MUTEX_WRITE; /** * Implementation of a MutexExecutionService. */ @@ -103,6 +104,7 @@ public class MutexExecutionManager implements MutexExecutionService { @Override public CompletableFuture execute(MutexTask task, String exclusionPath, Executor executor) { + checkPermission(MUTEX_WRITE); return lock(exclusionPath) .thenApply(state -> activeTasks.computeIfAbsent(exclusionPath, k -> new InnerMutexTask(exclusionPath, diff --git a/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/PartitionManager.java b/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/PartitionManager.java index a083a8b2ac..d4699a2f8f 100644 --- a/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/PartitionManager.java +++ b/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/PartitionManager.java @@ -55,6 +55,9 @@ import org.slf4j.Logger; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Maps; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.PARTITION_READ; + /** * Implementation of {@code PartitionService} and {@code PartitionAdminService}. */ @@ -116,27 +119,32 @@ public class PartitionManager extends AbstractListenerManager getAllPartitionIds() { + checkPermission(PARTITION_READ); return partitions.keySet(); } @Override public DistributedPrimitiveCreator getDistributedPrimitiveCreator(PartitionId partitionId) { + checkPermission(PARTITION_READ); return partitions.get(partitionId).client(); } @Override public Set getConfiguredMembers(PartitionId partitionId) { + checkPermission(PARTITION_READ); StoragePartition partition = partitions.get(partitionId); return ImmutableSet.copyOf(partition.getMembers()); } @Override public Set getActiveMembersMembers(PartitionId partitionId) { + checkPermission(PARTITION_READ); // TODO: This needs to query metadata to determine currently active // members of partition return getConfiguredMembers(partitionId); diff --git a/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/StorageManager.java b/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/StorageManager.java index 6410a403c3..6ba2667008 100644 --- a/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/StorageManager.java +++ b/core/store/primitives/src/main/java/org/onosproject/store/primitives/impl/StorageManager.java @@ -61,6 +61,9 @@ import com.google.common.collect.ImmutableMap; import com.google.common.collect.Maps; import com.google.common.util.concurrent.Futures; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.*; + /** * Implementation for {@code StorageService} and {@code StorageAdminService}. */ @@ -117,6 +120,7 @@ public class StorageManager implements StorageService, StorageAdminService { @Override public EventuallyConsistentMapBuilder eventuallyConsistentMapBuilder() { + checkPermission(STORAGE_WRITE); return new EventuallyConsistentMapBuilderImpl<>(clusterService, clusterCommunicator, persistenceService); @@ -124,27 +128,32 @@ public class StorageManager implements StorageService, StorageAdminService { @Override public ConsistentMapBuilder consistentMapBuilder() { + checkPermission(STORAGE_WRITE); return new NewDefaultConsistentMapBuilder<>(federatedPrimitiveCreator); } @Override public DistributedSetBuilder setBuilder() { + checkPermission(STORAGE_WRITE); return new DefaultDistributedSetBuilder<>(() -> this.consistentMapBuilder()); } @Override public DistributedQueueBuilder queueBuilder() { + checkPermission(STORAGE_WRITE); // TODO: implement throw new UnsupportedOperationException(); } @Override public AtomicCounterBuilder atomicCounterBuilder() { + checkPermission(STORAGE_WRITE); return new NewDefaultAtomicCounterBuilder(federatedPrimitiveCreator); } @Override public AtomicValueBuilder atomicValueBuilder() { + checkPermission(STORAGE_WRITE); Supplier> mapBuilderSupplier = () -> this.consistentMapBuilder() .withName("onos-atomic-values") @@ -154,6 +163,7 @@ public class StorageManager implements StorageService, StorageAdminService { @Override public TransactionContextBuilder transactionContextBuilder() { + checkPermission(STORAGE_WRITE); return new NewDefaultTransactionContextBuilder(transactionIdGenerator.get(), federatedPrimitiveCreator, transactionCoordinator); @@ -161,6 +171,7 @@ public class StorageManager implements StorageService, StorageAdminService { @Override public LeaderElectorBuilder leaderElectorBuilder() { + checkPermission(STORAGE_WRITE); return new DefaultLeaderElectorBuilder(federatedPrimitiveCreator); } diff --git a/web/gui/src/main/java/org/onosproject/ui/impl/UiExtensionManager.java b/web/gui/src/main/java/org/onosproject/ui/impl/UiExtensionManager.java index c29ebe1731..9bfa3e3b0e 100644 --- a/web/gui/src/main/java/org/onosproject/ui/impl/UiExtensionManager.java +++ b/web/gui/src/main/java/org/onosproject/ui/impl/UiExtensionManager.java @@ -45,6 +45,10 @@ import static java.util.stream.Collectors.toSet; import static org.onosproject.ui.UiView.Category.NETWORK; import static org.onosproject.ui.UiView.Category.PLATFORM; +import static org.onosproject.security.AppGuard.checkPermission; +import static org.onosproject.security.AppPermission.Type.UI_READ; +import static org.onosproject.security.AppPermission.Type.UI_WRITE; + /** * Manages the user interface extensions. */ @@ -136,6 +140,7 @@ public class UiExtensionManager implements UiExtensionService, SpriteService { @Override public synchronized void register(UiExtension extension) { + checkPermission(UI_WRITE); if (!extensions.contains(extension)) { extensions.add(extension); for (UiView view : extension.views()) { @@ -146,6 +151,7 @@ public class UiExtensionManager implements UiExtensionService, SpriteService { @Override public synchronized void unregister(UiExtension extension) { + checkPermission(UI_WRITE); extensions.remove(extension); extension.views().stream() .map(UiView::id).collect(toSet()).forEach(views::remove); @@ -153,11 +159,13 @@ public class UiExtensionManager implements UiExtensionService, SpriteService { @Override public synchronized List getExtensions() { + checkPermission(UI_READ); return ImmutableList.copyOf(extensions); } @Override public synchronized UiExtension getViewExtension(String viewId) { + checkPermission(UI_READ); return views.get(viewId); }