add security and filters for anonymous download via http and amqp

requests

Signed-off-by: Michael Hirsch <michael.hirsch@bosch-si.com>
This commit is contained in:
Michael Hirsch
2016-03-23 16:17:53 +01:00
parent cdac7185c4
commit 1cb7519ace
13 changed files with 304 additions and 35 deletions

View File

@@ -0,0 +1,69 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*/
package org.eclipse.hawkbit.security;
import java.util.Collection;
import org.eclipse.hawkbit.dmf.json.model.TenantSecurityToken;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationKey;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import com.google.common.collect.Lists;
/**
* An pre-authenticated processing filter which add the
* {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the
* security context in case the anonymous download is allowed through
* configuration.
*/
public class ControllerPreAuthenticatedAnonymousDownload extends AbstractControllerAuthenticationFilter {
/**
* Constructor.
*
* @param tenantConfigurationManagement
* the tenant management service to retrieve configuration
* properties
* @param tenantAware
* the tenant aware service to get configuration for the specific
* tenant
* @param systemSecurityContext
* the system security context to get access to tenant
* configuration
*/
public ControllerPreAuthenticatedAnonymousDownload(
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
final SystemSecurityContext systemSecurityContext) {
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
}
@Override
public HeaderAuthentication getPreAuthenticatedPrincipal(final TenantSecurityToken secruityToken) {
return new HeaderAuthentication(secruityToken.getControllerId(), secruityToken.getControllerId());
}
@Override
public HeaderAuthentication getPreAuthenticatedCredentials(final TenantSecurityToken secruityToken) {
return new HeaderAuthentication(secruityToken.getControllerId(), secruityToken.getControllerId());
}
@Override
protected TenantConfigurationKey getTenantConfigurationKey() {
return TenantConfigurationKey.ANONYMOUS_DOWNLOAD_MODE_ENABLED;
}
@Override
public Collection<GrantedAuthority> getSuccessfulAuthenticationAuthorities() {
return Lists.newArrayList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_DOWNLOAD_ROLE));
}
}

View File

@@ -0,0 +1,47 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*/
package org.eclipse.hawkbit.security;
import org.eclipse.hawkbit.dmf.json.model.TenantSecurityToken;
/**
* An anonymous controller filter which is only enabled in case of anonymous
* access is granted. This should only be for development purposes.
*
* @see DdiSecurityProperties
*/
public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenficationFilter {
private final DdiSecurityProperties ddiSecurityConfiguration;
/**
* @param ddiSecurityConfiguration
* the security configuration which holds the configuration if
* anonymous is enabled or not
*/
public ControllerPreAuthenticatedAnonymousFilter(final DdiSecurityProperties ddiSecurityConfiguration) {
this.ddiSecurityConfiguration = ddiSecurityConfiguration;
}
@Override
public HeaderAuthentication getPreAuthenticatedPrincipal(final TenantSecurityToken secruityToken) {
return new HeaderAuthentication(secruityToken.getControllerId(), secruityToken.getControllerId());
}
@Override
public HeaderAuthentication getPreAuthenticatedCredentials(final TenantSecurityToken secruityToken) {
return new HeaderAuthentication(secruityToken.getControllerId(), secruityToken.getControllerId());
}
@Override
public boolean isEnable(final TenantSecurityToken secruityToken) {
return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
}
}

View File

@@ -109,6 +109,7 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
if (successAuthentication) {
final Collection<GrantedAuthority> controllerAuthorities = new ArrayList<>();
controllerAuthorities.add(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
controllerAuthorities.add(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_DOWNLOAD_ROLE));
final PreAuthenticatedAuthenticationToken successToken = new PreAuthenticatedAuthenticationToken(principal,
credentials, controllerAuthorities);
successToken.setDetails(tokenDetails);

View File

@@ -8,7 +8,12 @@
*/
package org.eclipse.hawkbit.security;
import java.util.Collection;
import java.util.Collections;
import org.eclipse.hawkbit.dmf.json.model.TenantSecurityToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
/**
* Interface for Pre Authenfication.
@@ -45,4 +50,16 @@ public interface PreAuthenficationFilter {
*/
HeaderAuthentication getPreAuthenticatedCredentials(TenantSecurityToken secruityToken);
/**
* Allows to add additional authorities to the successful authenticated
* token.
*
* @return the authorities granted to the principal, or an empty collection
* if the token has not been authenticated. Never null.
* @see Authentication#getAuthorities()
*/
default Collection<GrantedAuthority> getSuccessfulAuthenticationAuthorities() {
return Collections.emptyList();
};
}