Introduce new permission structure for rollout management. (#624)

* Introduce new permission structure for rollout management.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* JavaDocs

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Add target read check for filters.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
This commit is contained in:
Kai Zimmermann
2018-02-07 12:39:20 +01:00
committed by GitHub
parent d1038b1b6d
commit 1a6ab123e3
8 changed files with 116 additions and 58 deletions

View File

@@ -78,7 +78,7 @@ public class MgmtRolloutResourceTest extends AbstractManagementApiIntegrationTes
@Test @Test
@Description("Testing that creating rollout with insufficient permission returns forbidden") @Description("Testing that creating rollout with insufficient permission returns forbidden")
@WithUser(allSpPermissions = true, removeFromAllPermission = "ROLLOUT_MANAGEMENT") @WithUser(allSpPermissions = true, removeFromAllPermission = "CREATE_ROLLOUT")
public void createRolloutWithInsufficientPermissionReturnsForbidden() throws Exception { public void createRolloutWithInsufficientPermissionReturnsForbidden() throws Exception {
final DistributionSet dsA = testdataFactory.createDistributionSet(""); final DistributionSet dsA = testdataFactory.createDistributionSet("");
mvc.perform(post("/rest/v1/rollouts") mvc.perform(post("/rest/v1/rollouts")

View File

@@ -71,7 +71,7 @@ public interface RolloutManagement {
* otherwise. * otherwise.
* *
*/ */
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE) @PreAuthorize(SpringEvalExpressions.IS_SYSTEM_CODE)
void handleRollouts(); void handleRollouts();
/** /**
@@ -123,7 +123,7 @@ public interface RolloutManagement {
* @throws ConstraintViolationException * @throws ConstraintViolationException
* if rollout or group parameters are invalid. * if rollout or group parameters are invalid.
*/ */
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE) @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE)
Rollout create(@NotNull RolloutCreate create, int amountGroup, @NotNull RolloutGroupConditions conditions); Rollout create(@NotNull RolloutCreate create, int amountGroup, @NotNull RolloutGroupConditions conditions);
/** /**
@@ -157,7 +157,7 @@ public interface RolloutManagement {
* @throws ConstraintViolationException * @throws ConstraintViolationException
* if rollout or group parameters are invalid * if rollout or group parameters are invalid
*/ */
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE) @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE)
Rollout create(@NotNull RolloutCreate rollout, @NotNull List<RolloutGroupCreate> groups, Rollout create(@NotNull RolloutCreate rollout, @NotNull List<RolloutGroupCreate> groups,
RolloutGroupConditions conditions); RolloutGroupConditions conditions);
@@ -312,7 +312,7 @@ public interface RolloutManagement {
* Only running rollouts can be paused. * Only running rollouts can be paused.
* *
*/ */
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE) @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE)
void pauseRollout(@NotNull Long rolloutId); void pauseRollout(@NotNull Long rolloutId);
/** /**
@@ -329,7 +329,7 @@ public interface RolloutManagement {
* if given rollout is not in {@link RolloutStatus#PAUSED}. Only * if given rollout is not in {@link RolloutStatus#PAUSED}. Only
* paused rollouts can be resumed. * paused rollouts can be resumed.
*/ */
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE) @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE)
void resumeRollout(@NotNull Long rolloutId); void resumeRollout(@NotNull Long rolloutId);
/** /**
@@ -350,7 +350,7 @@ public interface RolloutManagement {
* if given rollout is not in {@link RolloutStatus#READY}. Only * if given rollout is not in {@link RolloutStatus#READY}. Only
* ready rollouts can be started. * ready rollouts can be started.
*/ */
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE) @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE)
Rollout start(@NotNull Long rolloutId); Rollout start(@NotNull Long rolloutId);
/** /**
@@ -368,7 +368,7 @@ public interface RolloutManagement {
* reference * reference
* *
*/ */
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE) @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_UPDATE)
Rollout update(@NotNull RolloutUpdate update); Rollout update(@NotNull RolloutUpdate update);
/** /**
@@ -379,7 +379,7 @@ public interface RolloutManagement {
* @param rolloutId * @param rolloutId
* the ID of the rollout to be deleted * the ID of the rollout to be deleted
*/ */
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE) @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_DELETE)
void delete(@NotNull Long rolloutId); void delete(@NotNull Long rolloutId);
} }

View File

@@ -142,9 +142,29 @@ public final class SpPermission {
public static final String TENANT_CONFIGURATION = "TENANT_CONFIGURATION"; public static final String TENANT_CONFIGURATION = "TENANT_CONFIGURATION";
/** /**
* Permission to administrate a rollout management. * Permission to read a rollout.
*/ */
public static final String ROLLOUT_MANAGEMENT = "ROLLOUT_MANAGEMENT"; public static final String READ_ROLLOUT = "READ_ROLLOUT";
/**
* Permission to create a rollout.
*/
public static final String CREATE_ROLLOUT = "CREATE_ROLLOUT";
/**
* Permission to update a rollout.
*/
public static final String UPDATE_ROLLOUT = "UPDATE_ROLLOUT";
/**
* Permission to delete a rollout.
*/
public static final String DELETE_ROLLOUT = "DELETE_ROLLOUT";
/**
* Permission to start/stop/resume a rollout.
*/
public static final String HANDLE_ROLLOUT = "HANDLE_ROLLOUT";
private SpPermission() { private SpPermission() {
// Constants only // Constants only
@@ -389,29 +409,52 @@ public final class SpPermission {
/** /**
* Spring security eval hasAuthority expression to check if spring * Spring security eval hasAuthority expression to check if spring
* context contains {@link SpPermission#ROLLOUT_MANAGEMENT} or * context contains {@link SpPermission#READ_ROLLOUT} or
* {@link #IS_SYSTEM_CODE}. * {@link #IS_SYSTEM_CODE}.
*/ */
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ = HAS_AUTH_PREFIX + ROLLOUT_MANAGEMENT public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ = HAS_AUTH_PREFIX + READ_ROLLOUT + HAS_AUTH_SUFFIX
+ HAS_AUTH_SUFFIX + HAS_AUTH_OR + IS_SYSTEM_CODE; + HAS_AUTH_OR + IS_SYSTEM_CODE;
/** /**
* Spring security eval hasAuthority expression to check if spring * Spring security eval hasAuthority expression to check if spring
* context contains {@link SpPermission#ROLLOUT_MANAGEMENT} and * context contains {@link SpPermission#READ_ROLLOUT} and
* {@link SpPermission#READ_TARGET} or {@link #IS_SYSTEM_CODE}. * {@link SpPermission#READ_TARGET} or {@link #IS_SYSTEM_CODE}.
*/ */
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ = BRACKET_OPEN + HAS_AUTH_PREFIX public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ = BRACKET_OPEN + HAS_AUTH_PREFIX
+ ROLLOUT_MANAGEMENT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX + READ_ROLLOUT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX
+ BRACKET_CLOSE + HAS_AUTH_OR + IS_SYSTEM_CODE; + BRACKET_CLOSE + HAS_AUTH_OR + IS_SYSTEM_CODE;
/** /**
* Spring security eval hasAuthority expression to check if spring * Spring security eval hasAuthority expression to check if spring
* context contains {@link SpPermission#ROLLOUT_MANAGEMENT} and * context contains {@link SpPermission#CREATE_ROLLOUT} or
* {@link SpPermission#UPDATE_TARGET} or {@link #IS_SYSTEM_CODE}. * {@link #IS_SYSTEM_CODE}.
*/ */
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE = BRACKET_OPEN + HAS_AUTH_PREFIX public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE = HAS_AUTH_PREFIX + CREATE_ROLLOUT
+ ROLLOUT_MANAGEMENT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + UPDATE_TARGET + HAS_AUTH_SUFFIX + HAS_AUTH_OR + IS_SYSTEM_CODE;
+ HAS_AUTH_SUFFIX + BRACKET_CLOSE + HAS_AUTH_OR + IS_SYSTEM_CODE;
/**
* Spring security eval hasAuthority expression to check if spring
* context contains {@link SpPermission#HANDLE_ROLLOUT} or
* {@link #IS_SYSTEM_CODE}.
*/
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE = HAS_AUTH_PREFIX + HANDLE_ROLLOUT
+ HAS_AUTH_SUFFIX + HAS_AUTH_OR + IS_SYSTEM_CODE;
/**
* Spring security eval hasAuthority expression to check if spring
* context contains {@link SpPermission#UPDATE_ROLLOUT} or
* {@link #IS_SYSTEM_CODE}.
*/
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_UPDATE = HAS_AUTH_PREFIX + UPDATE_ROLLOUT
+ HAS_AUTH_SUFFIX + HAS_AUTH_OR + IS_SYSTEM_CODE;
/**
* Spring security eval hasAuthority expression to check if spring
* context contains {@link SpPermission#DELETE_ROLLOUT} or
* {@link #IS_SYSTEM_CODE}.
*/
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_DELETE = HAS_AUTH_PREFIX + DELETE_ROLLOUT
+ HAS_AUTH_SUFFIX + HAS_AUTH_OR + IS_SYSTEM_CODE;
/** /**
* Spring security eval hasAuthority expression to check if spring * Spring security eval hasAuthority expression to check if spring

View File

@@ -31,7 +31,7 @@ public final class PermissionTest {
@Test @Test
@Description("Verify the get permission function") @Description("Verify the get permission function")
public void testGetPermissions() { public void testGetPermissions() {
final int allPermission = 15; final int allPermission = 19;
final int permissionWithoutSystem = allPermission - 3; final int permissionWithoutSystem = allPermission - 3;
final Collection<String> allAuthorities = SpPermission.getAllAuthorities(); final Collection<String> allAuthorities = SpPermission.getAllAuthorities();
final List<GrantedAuthority> allAuthoritiesList = PermissionUtils.createAllAuthorityList(); final List<GrantedAuthority> allAuthoritiesList = PermissionUtils.createAllAuthorityList();

View File

@@ -14,11 +14,11 @@ import org.eclipse.hawkbit.im.authentication.PermissionService;
import org.eclipse.hawkbit.im.authentication.SpPermission; import org.eclipse.hawkbit.im.authentication.SpPermission;
/** /**
* Bean which contains all SP permissions. * Bean which contains all permissions.
* *
*/ */
public class SpPermissionChecker implements Serializable { public class SpPermissionChecker implements Serializable {
private static final long serialVersionUID = 2757865286212875704L; private static final long serialVersionUID = 1L;
protected transient PermissionService permissionService; protected transient PermissionService permissionService;
@@ -27,7 +27,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP monitor View Permission. * Gets the monitor View Permission.
* *
* @return SYSTEM_MONITOR boolean value * @return SYSTEM_MONITOR boolean value
*/ */
@@ -36,7 +36,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP diagnosis retrieval Permission. * Gets the diagnosis retrieval Permission.
* *
* @return SYSTEM_DIAG boolean value * @return SYSTEM_DIAG boolean value
*/ */
@@ -45,7 +45,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP read Target & Dist Permission. * Gets the read Target & Dist Permission.
* *
* @return TARGET_REPOSITORY_READ boolean value * @return TARGET_REPOSITORY_READ boolean value
*/ */
@@ -54,7 +54,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP read Target Permission. * Gets the read Target Permission.
* *
* @return READ_TARGET boolean value * @return READ_TARGET boolean value
*/ */
@@ -63,7 +63,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP create Target Permission. * Gets the create Target Permission.
* *
* @return READ_TARGET boolean value * @return READ_TARGET boolean value
*/ */
@@ -72,7 +72,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP update Target Permission. * Gets the update Target Permission.
* *
* @return READ_TARGET boolean value * @return READ_TARGET boolean value
*/ */
@@ -81,7 +81,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP delete Target Permission. * Gets the delete Target Permission.
* *
* @return READ_TARGET boolean value * @return READ_TARGET boolean value
*/ */
@@ -90,7 +90,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP READ Repository Permission. * Gets the READ Repository Permission.
* *
* @return READ_REPOSITORY boolean value * @return READ_REPOSITORY boolean value
*/ */
@@ -99,7 +99,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP create Repository Permission. * Gets the create Repository Permission.
* *
* @return CREATE_REPOSITORY boolean value * @return CREATE_REPOSITORY boolean value
*/ */
@@ -108,7 +108,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP update Repository Permission. * Gets the update Repository Permission.
* *
* @return UPDATE_REPOSITORY boolean value * @return UPDATE_REPOSITORY boolean value
*/ */
@@ -117,7 +117,7 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP delete Repository Permission. * Has the delete Repository Permission.
* *
* @return DELETE_REPOSITORY boolean value * @return DELETE_REPOSITORY boolean value
*/ */
@@ -126,41 +126,47 @@ public class SpPermissionChecker implements Serializable {
} }
/** /**
* Gets the SP rollout create permission. * Has the rollout update permission.
* *
* @return permission for rollout update * @return permission for rollout update
*/ */
public boolean hasRolloutUpdatePermission() { public boolean hasRolloutUpdatePermission() {
return hasUpdateTargetPermission() && hasReadRepositoryPermission() return hasRolloutReadPermission() && permissionService.hasPermission(SpPermission.UPDATE_ROLLOUT);
&& permissionService.hasPermission(SpPermission.ROLLOUT_MANAGEMENT);
} }
/** /**
* Gets the SP rollout create permission. * @return <code>true</code> if rollout create permission
*
* @return permission for rollout create
*/ */
public boolean hasRolloutCreatePermission() { public boolean hasRolloutCreatePermission() {
return hasUpdateTargetPermission() && hasReadRepositoryPermission() return hasTargetReadPermission() && hasReadRepositoryPermission()
&& permissionService.hasPermission(SpPermission.ROLLOUT_MANAGEMENT); && permissionService.hasPermission(SpPermission.CREATE_ROLLOUT);
} }
/** /**
* * @return <code>true</code> if rollout read permission
* Gets the SP rollout read permission.
*
* @return Gets the SP rollout read permission.
*/ */
public boolean hasRolloutReadPermission() { public boolean hasRolloutReadPermission() {
return permissionService.hasPermission(SpPermission.ROLLOUT_MANAGEMENT); return permissionService.hasPermission(SpPermission.READ_ROLLOUT);
}
/**
* @return <code>true</code> if rollout delete permission
*/
public boolean hasRolloutDeletePermission() {
return hasRolloutReadPermission() && permissionService.hasPermission(SpPermission.DELETE_ROLLOUT);
}
/**
* @return <code>true</code> if rollout handle permission.
*/
public boolean hasRolloutHandlePermission() {
return hasRolloutReadPermission() && permissionService.hasPermission(SpPermission.HANDLE_ROLLOUT);
} }
/** /**
* Gets the SP rollout targets read permission.
*
* @return permission to read rollout targets * @return permission to read rollout targets
*/ */
public boolean hasRolloutTargetsReadPermission() { public boolean hasRolloutTargetsReadPermission() {
return hasTargetReadPermission() && permissionService.hasPermission(SpPermission.ROLLOUT_MANAGEMENT); return hasTargetReadPermission() && permissionService.hasPermission(SpPermission.READ_ROLLOUT);
} }
} }

View File

@@ -11,6 +11,7 @@ package org.eclipse.hawkbit.ui.components;
import static java.util.concurrent.TimeUnit.SECONDS; import static java.util.concurrent.TimeUnit.SECONDS;
import java.util.Map; import java.util.Map;
import java.util.Objects;
import java.util.Set; import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger; import java.util.concurrent.atomic.AtomicInteger;
@@ -71,7 +72,8 @@ public abstract class AbstractNotificationView extends VerticalLayout implements
return; return;
} }
eventContainer.getEvents().stream().filter(this::noEventMatch).forEach(event -> { eventContainer.getEvents().stream().filter(Objects::nonNull).filter(event -> noEventMatch(event))
.forEach(event -> {
notificationUnreadButton.incrementUnreadNotification(this, eventContainer); notificationUnreadButton.incrementUnreadNotification(this, eventContainer);
viewUnreadNotifcations.incrementAndGet(); viewUnreadNotifcations.incrementAndGet();
}); });

View File

@@ -59,6 +59,6 @@ public class RolloutViewMenuItem extends AbstractDashboardMenuItemNotification {
@Override @Override
public List<String> getPermissions() { public List<String> getPermissions() {
return Arrays.asList(SpPermission.ROLLOUT_MANAGEMENT); return Arrays.asList(SpPermission.READ_ROLLOUT);
} }
} }

View File

@@ -195,8 +195,7 @@ public class RolloutListGrid extends AbstractGrid<LazyQueryContainer> {
if (!rolloutUIState.isShowRollOuts() || rolloutChangeEvent.getRolloutId() == null) { if (!rolloutUIState.isShowRollOuts() || rolloutChangeEvent.getRolloutId() == null) {
return; return;
} }
final Optional<Rollout> rollout = rolloutManagement final Optional<Rollout> rollout = rolloutManagement.getWithDetailedStatus(rolloutChangeEvent.getRolloutId());
.getWithDetailedStatus(rolloutChangeEvent.getRolloutId());
if (!rollout.isPresent()) { if (!rollout.isPresent()) {
return; return;
@@ -745,6 +744,14 @@ public class RolloutListGrid extends AbstractGrid<LazyQueryContainer> {
if (!permissionChecker.hasRolloutCreatePermission()) { if (!permissionChecker.hasRolloutCreatePermission()) {
modifiableColumnsList.remove(VIRT_PROP_COPY); modifiableColumnsList.remove(VIRT_PROP_COPY);
} }
if (!permissionChecker.hasRolloutDeletePermission()) {
modifiableColumnsList.remove(VIRT_PROP_DELETE);
}
if (!permissionChecker.hasRolloutHandlePermission()) {
modifiableColumnsList.remove(VIRT_PROP_PAUSE);
modifiableColumnsList.remove(VIRT_PROP_RUN);
}
setColumns(modifiableColumnsList.toArray()); setColumns(modifiableColumnsList.toArray());
} }