Added System Security Context as attribute to AbstractControllerAuthenticationFilter

This is necessary, because the tenant configuration methods are only accessable with specific permissions.
With the SystemSecurityContext methods can be executed as SystemRunner and therefor we can set permissions.

* updated the chaine of condtructors to set the context in the filter class
* added SystemRunner permission to TenantConfigurationManagement
* Autowired the system context to AMQP and HTTP controller

Signed-off-by: Nonnenmacher Fabian <fabian.nonnenmacher@bosch-si.com>

hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java

@@ -39,6 +39,7 @@ import org.eclipse.hawkbit.security.HttpControllerPreAuthenticatedSecurityHeader
 import org.eclipse.hawkbit.security.HttpDownloadAuthenticationFilter;
 import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
 import org.eclipse.hawkbit.security.SecurityProperties;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -127,6 +128,8 @@ public class SecurityManagedConfiguration implements EnvironmentAware {
         private SecurityProperties securityConfiguration;
         @Autowired
         private org.springframework.boot.autoconfigure.security.SecurityProperties springSecurityProperties;
+        @Autowired
+        private SystemSecurityContext systemSecurityContext;
 
         @Override
         protected void configure(final HttpSecurity http) throws Exception {
@@ -134,19 +137,19 @@ public class SecurityManagedConfiguration implements EnvironmentAware {
 
             final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
                     securityConfiguration.getRpCnHeader(), securityConfiguration.getRpSslIssuerHashHeader(),
-                    tenantConfigurationManagement, tenantAware);
+                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
             securityHeaderFilter.setAuthenticationManager(authenticationManager());
             securityHeaderFilter.setCheckForPrincipalChanges(true);
             securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
 
             final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
-                    tenantConfigurationManagement, tenantAware, controllerManagement);
+                    tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
             securityTokenFilter.setAuthenticationManager(authenticationManager());
             securityTokenFilter.setCheckForPrincipalChanges(true);
             securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
 
             final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
-                    tenantConfigurationManagement, tenantAware);
+                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
             gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager());
             gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
             gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java

@@ -24,6 +24,7 @@ import org.eclipse.hawkbit.security.ControllerPreAuthenticatedSecurityHeaderFilt
 import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
 import org.eclipse.hawkbit.security.PreAuthenficationFilter;
 import org.eclipse.hawkbit.security.SecurityProperties;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -57,6 +58,9 @@ public class AmqpControllerAuthentfication {
     @Autowired
     private SecurityProperties secruityProperties;
 
+    @Autowired
+    private SystemSecurityContext systemSecurityContext;
+
     /**
      * Constructor.
      */
@@ -74,16 +78,16 @@ public class AmqpControllerAuthentfication {
 
     private void addFilter() {
         final ControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new ControllerPreAuthenticatedGatewaySecurityTokenFilter(
-                tenantConfigurationManagement, tenantAware);
+                tenantConfigurationManagement, tenantAware, systemSecurityContext);
         filterChain.add(gatewaySecurityTokenFilter);
 
         final ControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new ControllerPreAuthenticatedSecurityHeaderFilter(
                 secruityProperties.getRpCnHeader(), secruityProperties.getRpSslIssuerHashHeader(),
-                tenantConfigurationManagement, tenantAware);
+                tenantConfigurationManagement, tenantAware, systemSecurityContext);
         filterChain.add(securityHeaderFilter);
 
         final ControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new ControllerPreAuthenticateSecurityTokenFilter(
-                tenantConfigurationManagement, controllerManagement, tenantAware);
+                tenantConfigurationManagement, controllerManagement, tenantAware, systemSecurityContext);
         filterChain.add(securityTokenFilter);
 
         filterChain.add(new CoapAnonymousPreAuthenticatedFilter());

hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java

@@ -57,6 +57,7 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
             + "}/controller/artifacts/v1/**";
     protected TenantConfigurationManagement tenantConfigurationManagement;
     protected TenantAware tenantAware;
+    protected SystemSecurityContext systemSecurityContext;
 
     private final AntPathMatcher pathExtractor;
 
@@ -71,9 +72,10 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
      *            the tenant aware service
      */
     public AbstractHttpControllerAuthenticationFilter(final TenantConfigurationManagement tenantConfigurationManagement,
-            final TenantAware tenantAware) {
+            final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
         this.tenantConfigurationManagement = tenantConfigurationManagement;
         this.tenantAware = tenantAware;
+        this.systemSecurityContext = systemSecurityContext;
         pathExtractor = new AntPathMatcher();
     }
 

hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java

@@ -47,15 +47,15 @@ public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHt
      */
     public HttpControllerPreAuthenticateSecurityTokenFilter(
             final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
-            final ControllerManagement controllerManagement) {
-        super(tenantConfigurationManagement, tenantAware);
+            final ControllerManagement controllerManagement, final SystemSecurityContext systemSecurityContext) {
+        super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
         this.controllerManagement = controllerManagement;
     }
 
     @Override
     protected PreAuthenficationFilter createControllerAuthenticationFilter() {
         return new ControllerPreAuthenticateSecurityTokenFilter(tenantConfigurationManagement, controllerManagement,
-                tenantAware);
+                tenantAware, systemSecurityContext);
     }
 
 }

hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java

@@ -35,13 +35,15 @@ public class HttpControllerPreAuthenticatedGatewaySecurityTokenFilter
      *            tenant
      */
     public HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
-            final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware) {
-        super(tenantConfigurationManagement, tenantAware);
+            final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
+            final SystemSecurityContext systemSecurityContext) {
+        super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
     }
 
     @Override
     protected PreAuthenficationFilter createControllerAuthenticationFilter() {
-        return new ControllerPreAuthenticatedGatewaySecurityTokenFilter(tenantConfigurationManagement, tenantAware);
+        return new ControllerPreAuthenticatedGatewaySecurityTokenFilter(tenantConfigurationManagement, tenantAware,
+                systemSecurityContext);
     }
 
 }

hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java

@@ -45,8 +45,8 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract
      */
     public HttpControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader,
             final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,
-            final TenantAware tenantAware) {
-        super(tenantConfigurationManagement, tenantAware);
+            final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
+        super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
         this.caCommonNameHeader = caCommonNameHeader;
         this.caAuthorityNameHeader = caAuthorityNameHeader;
     }
@@ -54,7 +54,7 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract
     @Override
     protected PreAuthenficationFilter createControllerAuthenticationFilter() {
         return new ControllerPreAuthenticatedSecurityHeaderFilter(caCommonNameHeader, caAuthorityNameHeader,
-                tenantConfigurationManagement, tenantAware);
+                tenantConfigurationManagement, tenantAware, systemSecurityContext);
     }
 
 }

hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java

@@ -73,7 +73,8 @@ public class TenantConfigurationManagement implements EnvironmentAware {
      */
 
     @Cacheable(value = "tenantConfiguration", key = "#configurationKey.getKeyName()")
-    @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
+    @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION + SpringEvalExpressions.HAS_AUTH_OR
+            + SpringEvalExpressions.IS_SYSTEM_CODE)
     public <T> TenantConfigurationValue<T> getConfigurationValue(final TenantConfigurationKey configurationKey,
             final Class<T> propertyType) throws TenantConfigurationValidatorException {
 

hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java

@@ -29,11 +29,13 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
     protected final TenantConfigurationManagement tenantConfigurationManagement;
     protected final TenantAware tenantAware;
     private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
+    protected final SystemSecurityContext systemSecurityContext;
 
     protected AbstractControllerAuthenticationFilter(final TenantConfigurationManagement systemManagement,
-            final TenantAware tenantAware) {
+            final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
         this.tenantConfigurationManagement = systemManagement;
         this.tenantAware = tenantAware;
+        this.systemSecurityContext = systemSecurityContext;
         this.configurationKeyTenantRunner = new SecurityConfigurationKeyTenantRunner();
     }
 
@@ -53,9 +55,10 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
     private final class SecurityConfigurationKeyTenantRunner implements TenantAware.TenantRunner<Boolean> {
         @Override
         public Boolean run() {
+
             LOGGER.trace("retrieving configuration value for configuration key {}", getTenantConfigurationKey());
-            return tenantConfigurationManagement.getConfigurationValue(getTenantConfigurationKey(), Boolean.class)
-                    .getValue();
+            return systemSecurityContext.runAsSystem(() -> tenantConfigurationManagement
+                    .getConfigurationValue(getTenantConfigurationKey(), Boolean.class).getValue());
         }
 
     }

hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java

@@ -45,8 +45,8 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
     /**
      * Constructor.
      * 
-     * @param systemManagement
-     *            the system management service to retrieve configuration
+     * @param tenantConfigurationManagement
+     *            the tenant management service to retrieve configuration
      *            properties
      * @param controllerManagement
      *            the controller management to retrieve the specific target
@@ -54,11 +54,15 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
      * @param tenantAware
      *            the tenant aware service to get configuration for the specific
      *            tenant
+     * @param systemSecurityContext
+     *            the system security context to get access to tenant
+     *            configuration
      */
     public ControllerPreAuthenticateSecurityTokenFilter(
             final TenantConfigurationManagement tenantConfigurationManagement,
-            final ControllerManagement controllerManagement, final TenantAware tenantAware) {
-        super(tenantConfigurationManagement, tenantAware);
+            final ControllerManagement controllerManagement, final TenantAware tenantAware,
+            final SystemSecurityContext systemSecurityContext) {
+        super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
         this.controllerManagement = controllerManagement;
     }
 

hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java

@@ -39,16 +39,20 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
     /**
      * Constructor.
      * 
-     * @param systemManagement
-     *            the system management service to retrieve configuration
+     * @param tenantConfigurationManagement
+     *            the tenant management service to retrieve configuration
      *            properties
      * @param tenantAware
      *            the tenant aware service to get configuration for the specific
      *            tenant
+     * @param systemSecurityContext
+     *            the system security context to get access to tenant
+     *            configuration
      */
     public ControllerPreAuthenticatedGatewaySecurityTokenFilter(
-            final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware) {
-        super(tenantConfigurationManagement, tenantAware);
+            final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
+            final SystemSecurityContext systemSecurityContext) {
+        super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
     }
 
     @Override
@@ -84,8 +88,12 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
         public String run() {
             LOGGER.trace("retrieving configuration value for configuration key {}",
                     TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY);
-            return tenantConfigurationManagement.getConfigurationValue(
-                    TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class).getValue();
+
+            return systemSecurityContext
+                    .runAsSystem(() -> tenantConfigurationManagement
+                            .getConfigurationValue(
+                                    TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class)
+                            .getValue());
         }
     }
 

hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java

@@ -56,18 +56,20 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
      * @param caAuthorityNameHeader
      *            the http-header which holds the ca-authority name of the
      *            certificate
-     * @param systemManagement
-     *            the system management service to retrieve configuration
-     *            properties to check if the header authentication is enabled
-     *            for this tenant
+     * @param tenantConfigurationManagement
+     *            the tenant management service to retrieve configuration
+     *            properties
      * @param tenantAware
      *            the tenant aware service to get configuration for the specific
      *            tenant
+     * @param systemSecurityContext
+     *            the system security context to get access to tenant
+     *            configuration
      */
     public ControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader,
             final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,
-            final TenantAware tenantAware) {
-        super(tenantConfigurationManagement, tenantAware);
+            final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
+        super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
         this.caCommonNameHeader = caCommonNameHeader;
         this.sslIssuerHashBasicHeader = caAuthorityNameHeader;
     }