Fine grained repository permissions (#2562)

1. Introduce @PrreAuthorize check based on hasPermission - allowing custom processing (compared with non-modifiable hasAuthority/Role processing)
2. Dedicated permissions could be implemented on management api level. Check is made by plugged in PermissionEvaluator
3. Thus common XXX_REPOSITORY permissions could differ for extending services
4. Change create/update entity builder pattern - not via EntityFactory but via clean static lombok based builders (with fine fluent api).
5. Implement abstract repository management jpa class that handles the boilerplate code from extending classes in single place consistently -> AbsreactJpaRepositoryManagement
6. Register management api-s as **Sevice**-s instead of **Bean**-s in order to make easier maintainable and get away from heavy argument forwading
7. Simplify custom hawkbit repository registration + adding proxy to handle exception mapping at lower level - thus not depending on Aspects for converting exceptions
8. Implemented general purpose 'copy' utility (ObjectCopyUtil) that using getter/setter patterns is able to copy (e.g. Create/Update) objects to other objects (e.g. JPA entity objects)
This commit is contained in:
Avgustin Marinov
2025-07-28 14:57:33 +03:00
committed by GitHub
parent 8cdbe54cbe
commit 2b66449ff1
214 changed files with 3456 additions and 4416 deletions

View File

@@ -18,7 +18,6 @@ import java.util.List;
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.function.SingletonSupplier;
@@ -37,21 +36,9 @@ import org.springframework.util.function.SingletonSupplier;
@Slf4j
public final class SpPermission {
/**
* Permission to add new targets including their meta information.
*/
public static final String CREATE_TARGET = "CREATE_TARGET";
/**
* Permission to read the targets (list and filter).
*/
public static final String READ_TARGET = "READ_TARGET";
/**
* Permission to change/edit/update targets and to assign updates.
*/
public static final String UPDATE_TARGET = "UPDATE_TARGET";
/**
* Permission to delete targets.
*/
public static final String DELETE_TARGET = "DELETE_TARGET";
/**
* Permission to read the target security token. The security token is security
@@ -66,31 +53,14 @@ public final class SpPermission {
public static final String UPDATE_TARGET_TYPE = "UPDATE_TARGET_TYPE";
public static final String DELETE_TARGET_TYPE = "DELETE_TARGET_TYPE";
public static final String CREATE_DISTRIBUTION_SET = "CREATE_DISTRIBUTION_SET";
public static final String READ_DISTRIBUTION_SET = "READ_DISTRIBUTION_SET";
public static final String UPDATE_DISTRIBUTION_SET = "UPDATE_DISTRIBUTION_SET";
public static final String DELETE_DISTRIBUTION_SET = "DELETE_DISTRIBUTION_SET";
/**
* Permission to read distributions and artifacts.
*/
public static final String READ_REPOSITORY = "READ_REPOSITORY";
/**
* Permission to edit/update distributions and artifacts.
*/
public static final String UPDATE_REPOSITORY = "UPDATE_REPOSITORY";
/**
* Permission to add distributions and artifacts.
*/
public static final String CREATE_REPOSITORY = "CREATE_REPOSITORY";
/**
* Permission to delete distributions and artifacts.
*/
public static final String DELETE_REPOSITORY = "DELETE_REPOSITORY";
/**
* Permission to download repository artifacts of a software module.
*/
public static final String DOWNLOAD_REPOSITORY_ARTIFACT = "DOWNLOAD_REPOSITORY_ARTIFACT";
/**
@@ -109,51 +79,38 @@ public final class SpPermission {
*/
public static final String TENANT_CONFIGURATION = "TENANT_CONFIGURATION";
/**
* Permission to create a rollout.
*/
public static final String CREATE_ROLLOUT = "CREATE_ROLLOUT";
/**
* Permission to read a rollout.
*/
public static final String READ_ROLLOUT = "READ_ROLLOUT";
/**
* Permission to update a rollout.
*/
public static final String UPDATE_ROLLOUT = "UPDATE_ROLLOUT";
/**
* Permission to delete a rollout.
*/
public static final String DELETE_ROLLOUT = "DELETE_ROLLOUT";
/**
* Permission to approve or deny a rollout prior to starting.
*/
/** Permission to approve or deny a rollout prior to starting. */
public static final String APPROVE_ROLLOUT = "APPROVE_ROLLOUT";
/**
* Permission to start/stop/resume a rollout.
*/
/** Permission to start/stop/resume a rollout. */
public static final String HANDLE_ROLLOUT = "HANDLE_ROLLOUT";
/**
* Permission to administrate the system on a global, i.e. tenant independent scale. That includes the deletion of tenants.
*/
/** Permission to administrate the system on a global, i.e. tenant independent scale. That includes the deletion of tenants. */
public static final String SYSTEM_ADMIN = "SYSTEM_ADMIN";
private static final String IMPLIES = " > ";
private static final String LINE_BREAK = "\n";
public static final String TARGET_HIERARCHY =
CREATE_TARGET + IMPLIES + CREATE_TARGET_TYPE + LINE_BREAK +
READ_TARGET + IMPLIES + READ_TARGET_TYPE + LINE_BREAK +
UPDATE_TARGET + IMPLIES + UPDATE_TARGET_TYPE + LINE_BREAK +
DELETE_TARGET + IMPLIES + DELETE_TARGET_TYPE + LINE_BREAK;
public static final String REPOSITORY_HIERARCHY =
CREATE_REPOSITORY + IMPLIES + CREATE_DISTRIBUTION_SET + LINE_BREAK +
READ_REPOSITORY + IMPLIES + READ_DISTRIBUTION_SET + LINE_BREAK +
UPDATE_REPOSITORY + IMPLIES + UPDATE_DISTRIBUTION_SET + LINE_BREAK +
DELETE_REPOSITORY + IMPLIES + DELETE_DISTRIBUTION_SET + LINE_BREAK;
public static final String TENANT_CONFIGURATION_HIERARCHY =
TENANT_CONFIGURATION + IMPLIES + READ_TENANT_CONFIGURATION + LINE_BREAK +
TENANT_CONFIGURATION + IMPLIES + READ_GATEWAY_SEC_TOKEN + LINE_BREAK;
public static final String TARGET_HIERARCHY = """
CREATE_TARGET > CREATE_TARGET_TYPE
READ_TARGET > READ_TARGET_TYPE
UPDATE_TARGET > UPDATE_TARGET_TYPE
DELETE_TARGET > DELETE_TARGET_TYPE
""";
public static final String REPOSITORY_HIERARCHY = """
CREATE_REPOSITORY > CREATE_DISTRIBUTION_SET
READ_REPOSITORY > READ_DISTRIBUTION_SET
UPDATE_REPOSITORY > UPDATE_DISTRIBUTION_SET
DELETE_REPOSITORY > DELETE_DISTRIBUTION_SET
CREATE_REPOSITORY > CREATE_SOFTWARE_MODULE
READ_REPOSITORY > READ_SOFTWARE_MODULE
UPDATE_REPOSITORY > UPDATE_SOFTWARE_MODULE
DELETE_REPOSITORY > DELETE_SOFTWARE_MODULE
""";
public static final String TENANT_CONFIGURATION_HIERARCHY = """
TENANT_CONFIGURATION > READ_TENANT_CONFIGURATION
TENANT_CONFIGURATION > READ_GATEWAY_SECURITY_TOKEN
""";
private static final SingletonSupplier<List<String>> ALL_AUTHORITIES = SingletonSupplier.of(() -> {
final List<String> allPermissions = new ArrayList<>();
@@ -171,6 +128,7 @@ public final class SpPermission {
}
return Collections.unmodifiableList(allPermissions);
});
/**
* Return all permission.
*

View File

@@ -66,13 +66,12 @@ public final class SpringEvalExpressions {
public static final String HAS_AUTH_READ_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.READ_TARGET_TYPE + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DELETE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.DELETE_TARGET_TYPE + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_UPDATE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.UPDATE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
// evaluated to <permission>_<permissionGroup> (e.g. DISTRIBUTION_SET_CREATE)
public static final String HAS_CREATE_REPOSITORY = "hasPermission(#root, 'CREATE')";
public static final String HAS_READ_REPOSITORY = "hasPermission(#root, 'READ')";
public static final String HAS_UPDATE_REPOSITORY = "hasPermission(#root, 'UPDATE')";
public static final String HAS_DELETE_REPOSITORY = "hasPermission(#root, 'DELETE')";
public static final String HAS_AUTH_CREATE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.CREATE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.READ_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_UPDATE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.UPDATE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DELETE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.DELETE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DOWNLOAD_ARTIFACT = HAS_AUTH_PREFIX + SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX
+ SpPermission.READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET + HAS_AUTH_SUFFIX