Improve hawkBit user management (#1666)

1. Definded with properties users (static) are configured using property map (no need of indexes)
2. AuthenticationProvider that authenticates them is always registered (if not needed - don't configure them)
3. UserDetailsService (in case of missing - won't be registered)
4. Spring security user (spring.security.username) will be registered together with other users (if any). If any - it will be system-wide, otherwise tenant-scoped.
5. UserPrincipal renamed to TenantAwareUser in order to match its purpose.
6. Some if its fields are removes as not needed - to be closer to spring security user
7. DefaultRolloutApprovalStrategy now use UserAuthoritiesResolver instead of UserDetailsService as the central point of truth

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2024-02-26 16:56:37 +02:00
committed by GitHub
parent 783a5be2dd
commit 24d70827b7
16 changed files with 266 additions and 327 deletions

View File

@@ -11,18 +11,24 @@ package org.eclipse.hawkbit.autoconfigure.security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Optional;
import java.util.function.Supplier;
import java.util.regex.Pattern;
import org.eclipse.hawkbit.im.authentication.MultitenancyIndicator;
import org.eclipse.hawkbit.im.authentication.PermissionUtils;
import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails;
import org.eclipse.hawkbit.im.authentication.UserPrincipal;
import org.eclipse.hawkbit.im.authentication.UserTenantAware;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -30,110 +36,130 @@ import org.springframework.security.config.annotation.authentication.configurati
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.util.ObjectUtils;
/**
* Auto-configuration for the in-memory-user-management.
*
* Autoconfiguration for the in-memory-user-management.
*/
@Configuration
@ConditionalOnMissingBean(UserDetailsService.class)
@EnableConfigurationProperties({ MultiUserProperties.class })
@Order(Ordered.HIGHEST_PRECEDENCE)
@EnableConfigurationProperties({ TenantAwareUserProperties.class })
public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticationConfigurerAdapter {
private static final String DEFAULT_TENANT = "DEFAULT";
private final SecurityProperties securityProperties;
private final UserDetailsService userDetailsService;
private final MultiUserProperties multiUserProperties;
InMemoryUserManagementAutoConfiguration(final SecurityProperties securityProperties,
final MultiUserProperties multiUserProperties) {
this.securityProperties = securityProperties;
this.multiUserProperties = multiUserProperties;
InMemoryUserManagementAutoConfiguration(
final SecurityProperties securityProperties,
final TenantAwareUserProperties userTenantAwareProperties,
final Optional<PasswordEncoder> passwordEncoder) {
userDetailsService = userDetailsService(
securityProperties, userTenantAwareProperties, passwordEncoder.orElse(null));
}
@Override
public void configure(final AuthenticationManagerBuilder auth) throws Exception {
public void configure(final AuthenticationManagerBuilder auth) {
final DaoAuthenticationProvider userDaoAuthenticationProvider = new TenantDaoAuthenticationProvider();
userDaoAuthenticationProvider.setUserDetailsService(userDetailsService());
userDaoAuthenticationProvider.setUserDetailsService(userDetailsService);
auth.authenticationProvider(userDaoAuthenticationProvider);
}
/**
* @return the user details service to load a user from memory user manager.
*/
@Bean
@ConditionalOnMissingBean
UserDetailsService userDetailsService() {
final List<UserPrincipal> userPrincipals = new ArrayList<>();
for (final MultiUserProperties.User user : multiUserProperties.getUsers()) {
final List<String> permissions = user.getPermissions();
List<GrantedAuthority> authorityList;
// Allows ALL as a shorthand for all permissions
if (permissions.size() == 1 && "ALL".equals(permissions.get(0))) {
authorityList = PermissionUtils.createAllAuthorityList();
} else {
authorityList = createAuthoritiesFromList(permissions);
}
final UserPrincipal userPrincipal = new UserPrincipal(user.getUsername(), user.getPassword(),
user.getFirstname(), user.getLastname(), user.getUsername(), user.getEmail(), DEFAULT_TENANT,
authorityList);
private static UserDetailsService userDetailsService(
final SecurityProperties securityProperties,
final TenantAwareUserProperties userTenantAwareProperties,
final PasswordEncoder passwordEncoder) {
final List<User> userPrincipals = new ArrayList<>();
userTenantAwareProperties.getUsers().forEach((username, user) -> {
final UserTenantAware userPrincipal = new UserTenantAware(
username, password(user.getPassword(), passwordEncoder),
createAuthorities(user.getRoles(), Collections::emptyList),
ObjectUtils.isEmpty(user.getTenant()) ? DEFAULT_TENANT : user.getTenant());
userPrincipals.add(userPrincipal);
}
});
// If no users are configured through the multi user properties, set up
// the default user from security properties
// If no tenant users are configured through the tenant user properties, set up
// the default user from spring security properties as super DEFAULT tenant user
if (userPrincipals.isEmpty()) {
final String name = securityProperties.getUser().getName();
final String password = securityProperties.getUser().getPassword();
final List<String> roles = securityProperties.getUser().getRoles();
final List<GrantedAuthority> authorityList = roles.isEmpty() ? PermissionUtils.createAllAuthorityList()
: createAuthoritiesFromList(roles);
userPrincipals
.add(new UserPrincipal(name, password, name, name, name, null, DEFAULT_TENANT, authorityList));
.add(new UserTenantAware(
securityProperties.getUser().getName(),
password(securityProperties.getUser().getPassword(), passwordEncoder),
createAuthorities(
securityProperties.getUser().getRoles(), PermissionUtils::createAllAuthorityList),
DEFAULT_TENANT));
} else if (securityProperties != null && securityProperties.getUser() != null &&
!securityProperties.getUser().isPasswordGenerated()) {
// otherwise if the security user is explicitly setup (no autogenerated password)
// set it up as generic non tenant user
userPrincipals
.add(new User(
securityProperties.getUser().getName(),
password(securityProperties.getUser().getPassword(), passwordEncoder),
createAuthorities(
securityProperties.getUser().getRoles(), PermissionUtils::createAllAuthorityList)));
}
return new FixedInMemoryUserPrincipalUserDetailsService(userPrincipals);
return new FixedInMemoryTenantAwareUserDetailsService(userPrincipals);
}
private static List<GrantedAuthority> createAuthoritiesFromList(final List<String> userAuthorities) {
final List<GrantedAuthority> grantedAuthorityList = new ArrayList<>(userAuthorities.size());
for (final String permission : userAuthorities) {
private static String password(final String password, final PasswordEncoder passwordEncoder) {
return passwordEncoder == null && !Pattern.compile("^\\{.+}.*$").matcher(password).matches() ?
"{noop}" + password : password;
}
private static List<GrantedAuthority> createAuthorities(
final List<String> userPermissions, final Supplier<List<GrantedAuthority>> defaultRolesSupplier) {
if (ObjectUtils.isEmpty(userPermissions)) {
return defaultRolesSupplier.get();
}
// Allows ALL as a shorthand for all permissions
if (userPermissions.size() == 1 && "ALL".equals(userPermissions.get(0))) {
return PermissionUtils.createAllAuthorityList();
}
final List<GrantedAuthority> grantedAuthorityList = new ArrayList<>(userPermissions.size());
for (final String permission : userPermissions) {
grantedAuthorityList.add(new SimpleGrantedAuthority(permission));
grantedAuthorityList.add(new SimpleGrantedAuthority("ROLE_" + permission));
}
return grantedAuthorityList;
}
private static class FixedInMemoryUserPrincipalUserDetailsService implements UserDetailsService {
private final HashMap<String, UserPrincipal> userPrincipalMap = new HashMap<>();
private static class FixedInMemoryTenantAwareUserDetailsService implements UserDetailsService {
public FixedInMemoryUserPrincipalUserDetailsService(final Collection<UserPrincipal> userPrincipals) {
for (final UserPrincipal user : userPrincipals) {
userPrincipalMap.put(user.getUsername(), user);
private final HashMap<String, User> userMap = new HashMap<>();
private FixedInMemoryTenantAwareUserDetailsService(final Collection<User> userPrincipals) {
for (final User user : userPrincipals) {
userMap.put(user.getUsername(), user);
}
}
private static UserPrincipal clone(final UserPrincipal a) {
return new UserPrincipal(a.getUsername(), a.getPassword(), a.getFirstname(), a.getLastname(),
a.getLoginname(), a.getEmail(), a.getTenant(), a.getAuthorities());
}
@Override
public UserDetails loadUserByUsername(final String username) {
final UserPrincipal userPrincipal = userPrincipalMap.get(username);
if (userPrincipal == null) {
final User user = userMap.get(username);
if (user == null) {
throw new UsernameNotFoundException("No such user");
}
// Spring mutates the data, so we must return a copy here
return clone(userPrincipal);
return clone(user);
}
private static User clone(final User user) {
if (user instanceof UserTenantAware) {
return new UserTenantAware(user.getUsername(), user.getPassword(), user.getAuthorities(),
((UserTenantAware)user).getTenant());
} else {
return new User(user.getUsername(), user.getPassword(), user.getAuthorities());
}
}
}
/**
@@ -156,4 +182,4 @@ public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticatio
return result;
}
}
}
}

View File

@@ -1,85 +0,0 @@
/**
* Copyright (c) 2019 devolo AG and others
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.autoconfigure.security;
import java.util.ArrayList;
import java.util.List;
import org.springframework.boot.context.properties.ConfigurationProperties;
@ConfigurationProperties("hawkbit.server.im")
public class MultiUserProperties {
private List<User> users = new ArrayList<>();
public List<User> getUsers() {
return users;
}
public void setUsers(List<User> users) {
this.users = users;
}
public static class User {
private String username;
private String password;
private String firstname;
private String lastname;
private String email;
private List<String> permissions = new ArrayList<>();
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getFirstname() {
return firstname;
}
public void setFirstname(String firstname) {
this.firstname = firstname;
}
public String getLastname() {
return lastname;
}
public void setLastname(String lastname) {
this.lastname = lastname;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
public List<String> getPermissions() {
return permissions;
}
public void setPermissions(List<String> permissions) {
this.permissions = permissions;
}
}
}

View File

@@ -46,7 +46,6 @@ import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;

View File

@@ -15,7 +15,7 @@ import java.util.Map;
import java.util.stream.Collectors;
import org.eclipse.hawkbit.ContextAware;
import org.eclipse.hawkbit.autoconfigure.security.MultiUserProperties.User;
import org.eclipse.hawkbit.autoconfigure.security.TenantAwareUserProperties.User;
import org.eclipse.hawkbit.im.authentication.PermissionService;
import org.eclipse.hawkbit.security.DdiSecurityProperties;
import org.eclipse.hawkbit.security.InMemoryUserAuthoritiesResolver;
@@ -47,18 +47,17 @@ import org.springframework.util.CollectionUtils;
* {@link EnableAutoConfiguration Auto-configuration} for security.
*/
@Configuration
@EnableConfigurationProperties({ SecurityProperties.class, DdiSecurityProperties.class, HawkbitSecurityProperties.class,
MultiUserProperties.class })
@EnableConfigurationProperties({
SecurityProperties.class,
DdiSecurityProperties.class, HawkbitSecurityProperties.class, TenantAwareUserProperties.class })
public class SecurityAutoConfiguration {
/**
* Creates a {@link ContextAware} (hence {@link TenantAware}) bean based on the given
* {@link UserAuthoritiesResolver} and {@link SecurityContextSerializer}.
*
* @param authoritiesResolver
* The user authorities/roles resolver
* @param securityContextSerializer
* The security context serializer.
* @param authoritiesResolver The user authorities/roles resolver
* @param securityContextSerializer The security context serializer.
*
* @return the {@link ContextAware} singleton bean.
*/
@@ -74,21 +73,19 @@ public class SecurityAutoConfiguration {
* Creates a {@link UserAuthoritiesResolver} bean that is responsible for
* resolving user authorities/roles.
*
* @param securityProperties
* The Spring {@link SecurityProperties} for the security user
* @param multiUserProperties
* The {@link MultiUserProperties} for the managed users
*
* @param securityProperties The Spring {@link SecurityProperties} for the security user
* @param userTenantAwareProperties The {@link TenantAwareUserProperties} for the managed users
* @return an {@link InMemoryUserAuthoritiesResolver} bean
*/
@Bean
@ConditionalOnMissingBean
public UserAuthoritiesResolver inMemoryAuthoritiesResolver(final SecurityProperties securityProperties,
final MultiUserProperties multiUserProperties) {
final List<User> multiUsers = multiUserProperties.getUsers();
final TenantAwareUserProperties userTenantAwareProperties) {
final Map<String, User> userTenantAwares = userTenantAwareProperties.getUsers();
final Map<String, List<String>> usersToPermissions;
if (!CollectionUtils.isEmpty(multiUsers)) {
usersToPermissions = multiUsers.stream().collect(Collectors.toMap(User::getUsername, User::getPermissions));
if (!CollectionUtils.isEmpty(userTenantAwares)) {
usersToPermissions = userTenantAwares.entrySet().stream().collect(
Collectors.toMap(Map.Entry::getKey, e -> e.getValue().getRoles()));
} else {
usersToPermissions = Collections.singletonMap(securityProperties.getUser().getName(),
securityProperties.getUser().getRoles());
@@ -108,7 +105,7 @@ public class SecurityAutoConfiguration {
/**
* Creates the auditor aware.
*
*
* @return the spring security auditor aware
*/
@Bean

View File

@@ -98,18 +98,15 @@ import org.springframework.web.cors.CorsConfigurationSource;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, mode = AdviceMode.ASPECTJ, proxyTargetClass = true, securedEnabled = true)
@Order(value = Ordered.HIGHEST_PRECEDENCE)
@PropertySource("classpath:/hawkbit-security-defaults.properties")
@Order(Ordered.HIGHEST_PRECEDENCE)
@PropertySource("classpath:hawkbit-security-defaults.properties")
public class SecurityManagedConfiguration {
private static final int DOS_FILTER_ORDER = -200;
/**
* @return the {@link UserAuthenticationFilter} to include into the hawkBit
* security configuration.
* @throws Exception
* lazy bean exception maybe if the authentication manager
* cannot be instantiated
* @return the {@link UserAuthenticationFilter} to include into the hawkBit security configuration.
* @throws Exception lazy bean exception maybe if the authentication manager cannot be instantiated
*/
@Bean
@ConditionalOnMissingBean

View File

@@ -0,0 +1,40 @@
/**
* Copyright (c) 2019 devolo AG and others
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.autoconfigure.security;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import lombok.Data;
import lombok.ToString;
import org.springframework.boot.context.properties.ConfigurationProperties;
/**
* Configuration for hawwkBit static users.
*/
@Data
@ToString
@ConfigurationProperties("hawkbit.security.user")
public class TenantAwareUserProperties {
private Map<String, User> users = new HashMap<>();
@Data
@ToString
public static class User {
@ToString.Exclude
private String password;
private List<String> roles = new ArrayList<>();
private String tenant;
}
}