diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
index c7301efd1..73baa6c5a 100644
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
@@ -39,6 +39,7 @@ import org.eclipse.hawkbit.security.HttpControllerPreAuthenticatedSecurityHeader
 import org.eclipse.hawkbit.security.HttpDownloadAuthenticationFilter;
 import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
 import org.eclipse.hawkbit.security.SecurityProperties;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -127,6 +128,8 @@ public class SecurityManagedConfiguration implements EnvironmentAware {
 private SecurityProperties securityConfiguration;
 @Autowired
 private org.springframework.boot.autoconfigure.security.SecurityProperties springSecurityProperties;
+ @Autowired
+ private SystemSecurityContext systemSecurityContext;
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
@@ -134,19 +137,19 @@ public class SecurityManagedConfiguration implements EnvironmentAware {
 final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
 securityConfiguration.getRpCnHeader(), securityConfiguration.getRpSslIssuerHashHeader(),
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 securityHeaderFilter.setAuthenticationManager(authenticationManager());
 securityHeaderFilter.setCheckForPrincipalChanges(true);
 securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
 final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
- tenantConfigurationManagement, tenantAware, controllerManagement);
+ tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
 securityTokenFilter.setAuthenticationManager(authenticationManager());
 securityTokenFilter.setCheckForPrincipalChanges(true);
 securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
 final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager());
 gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
 gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
diff --git a/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java b/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java
index f19907a99..c708ac0c7 100644
--- a/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java
+++ b/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java
@@ -24,6 +24,7 @@ import org.eclipse.hawkbit.security.ControllerPreAuthenticatedSecurityHeaderFilt
 import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
 import org.eclipse.hawkbit.security.PreAuthenficationFilter;
 import org.eclipse.hawkbit.security.SecurityProperties;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -57,6 +58,9 @@ public class AmqpControllerAuthentfication {
 @Autowired
 private SecurityProperties secruityProperties;
+ @Autowired
+ private SystemSecurityContext systemSecurityContext;
+
 /**
 * Constructor.
 */
@@ -74,16 +78,16 @@ public class AmqpControllerAuthentfication {
 private void addFilter() {
 final ControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new ControllerPreAuthenticatedGatewaySecurityTokenFilter(
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 filterChain.add(gatewaySecurityTokenFilter);
 final ControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new ControllerPreAuthenticatedSecurityHeaderFilter(
 secruityProperties.getRpCnHeader(), secruityProperties.getRpSslIssuerHashHeader(),
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 filterChain.add(securityHeaderFilter);
 final ControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new ControllerPreAuthenticateSecurityTokenFilter(
- tenantConfigurationManagement, controllerManagement, tenantAware);
+ tenantConfigurationManagement, controllerManagement, tenantAware, systemSecurityContext);
 filterChain.add(securityTokenFilter);
 filterChain.add(new CoapAnonymousPreAuthenticatedFilter());
diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java
index e4d79b3c4..adb2858b9 100644
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java
@@ -57,6 +57,7 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
 + "}/controller/artifacts/v1/**";
 protected TenantConfigurationManagement tenantConfigurationManagement;
 protected TenantAware tenantAware;
+ protected SystemSecurityContext systemSecurityContext;
 private final AntPathMatcher pathExtractor;
@@ -71,9 +72,10 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
 * the tenant aware service
 */
 public AbstractHttpControllerAuthenticationFilter(final TenantConfigurationManagement tenantConfigurationManagement,
- final TenantAware tenantAware) {
+ final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
 this.tenantConfigurationManagement = tenantConfigurationManagement;
 this.tenantAware = tenantAware;
+ this.systemSecurityContext = systemSecurityContext;
 pathExtractor = new AntPathMatcher();
 }
diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java
index e18a90008..c7106e6dd 100644
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java
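Review bot: In the second hunk the constructor javadoc still ends with `* the tenant aware service` / `*/` and gains no entry for the new `systemSecurityContext` parameter, although the sibling filters in hawkbit-security-integration add one in this same commit; add `* @param systemSecurityContext` / `*            the system security context to get access to tenant configuration` before the closing `*/`. The new field `protected SystemSecurityContext systemSecurityContext;` in the first hunk is also non-final here while AbstractControllerAuthenticationFilter declares the same field `protected final`; it is only assigned in the constructor, so `protected final SystemSecurityContext systemSecurityContext;` would keep the two base classes consistent. The class body continues outside both hunks.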
@@ -47,15 +47,15 @@ public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHt
 */
 public HttpControllerPreAuthenticateSecurityTokenFilter(
 final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
- final ControllerManagement controllerManagement) {
- super(tenantConfigurationManagement, tenantAware);
+ final ControllerManagement controllerManagement, final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 this.controllerManagement = controllerManagement;
 }
 @Override
 protected PreAuthenficationFilter createControllerAuthenticationFilter() {
 return new ControllerPreAuthenticateSecurityTokenFilter(tenantConfigurationManagement, controllerManagement,
- tenantAware);
+ tenantAware, systemSecurityContext);
 }
 }
diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java
index b62ac1db4..3d32811ce 100644
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java
@@ -35,13 +35,15 @@ public class HttpControllerPreAuthenticatedGatewaySecurityTokenFilter
 * tenant
 */
 public HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
- final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
+ final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 }
 @Override
 protected PreAuthenficationFilter createControllerAuthenticationFilter() {
- return new ControllerPreAuthenticatedGatewaySecurityTokenFilter(tenantConfigurationManagement, tenantAware);
+ return new ControllerPreAuthenticatedGatewaySecurityTokenFilter(tenantConfigurationManagement, tenantAware,
+ systemSecurityContext);
 }
 }
diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java
index 5a67dda14..58e6be4a9 100644
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java
@@ -45,8 +45,8 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract
 */
 public HttpControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader, final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,
- final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 this.caCommonNameHeader = caCommonNameHeader;
 this.caAuthorityNameHeader = caAuthorityNameHeader;
 }
@@ -54,7 +54,7 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract
 @Override
 protected PreAuthenficationFilter createControllerAuthenticationFilter() {
 return new ControllerPreAuthenticatedSecurityHeaderFilter(caCommonNameHeader, caAuthorityNameHeader,
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 }
 }
diff --git a/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java b/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
index 85432e8a2..2697abf6e 100644
--- a/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
+++ b/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
@@ -73,7 +73,8 @@ public class TenantConfigurationManagement implements EnvironmentAware {
 */
 @Cacheable(value = "tenantConfiguration", key = "#configurationKey.getKeyName()")
- @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
+ @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION + SpringEvalExpressions.HAS_AUTH_OR + + SpringEvalExpressions.IS_SYSTEM_CODE)
 public TenantConfigurationValue getConfigurationValue(final TenantConfigurationKey configurationKey, final Class propertyType) throws TenantConfigurationValidatorException {
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java
index 552bbae06..d22c432cf 100644
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java
@@ -29,11 +29,13 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
 protected final TenantConfigurationManagement tenantConfigurationManagement;
 protected final TenantAware tenantAware;
 private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
+ protected final SystemSecurityContext systemSecurityContext;
 protected AbstractControllerAuthenticationFilter(final TenantConfigurationManagement systemManagement,
- final TenantAware tenantAware) {
+ final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
 this.tenantConfigurationManagement = systemManagement;
 this.tenantAware = tenantAware;
+ this.systemSecurityContext = systemSecurityContext;
 this.configurationKeyTenantRunner = new SecurityConfigurationKeyTenantRunner();
 }
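Review bot: The widened `@PreAuthorize` on getConfigurationValue is assembled by string concatenation, so it is only a valid SpEL disjunction if `HAS_AUTH_OR` carries its own surrounding whitespace (something like `" or "`); the constants live outside this hunk, so please confirm, because a malformed expression fails on first invocation rather than at startup. Worth checking in the same place: `@Cacheable` keys on `#configurationKey.getKeyName()` alone, and this method is now readable as system code by the pre-authentication filters for every tenant, so unless the configured cache manager partitions entries by tenant, one tenant's value (including the gateway security token the filters read) could be served to another. I would record the reason for the widening next to the annotation: `// also reachable as system code: the controller pre-auth filters read tenant config before any request authentication exists`. The method body continues outside the hunk.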
@@ -53,9 +55,10 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
 private final class SecurityConfigurationKeyTenantRunner implements TenantAware.TenantRunner {
 @Override
 public Boolean run() {
+ LOGGER.trace("retrieving configuration value for configuration key {}", getTenantConfigurationKey());
- return tenantConfigurationManagement.getConfigurationValue(getTenantConfigurationKey(), Boolean.class)
- .getValue();
+ return systemSecurityContext.runAsSystem(() -> tenantConfigurationManagement
+ .getConfigurationValue(getTenantConfigurationKey(), Boolean.class).getValue());
 }
 }
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java
index c1dd49e0a..c30f60711 100644
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java
@@ -45,8 +45,8 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
 /**
 * Constructor.
 *
- * @param systemManagement
- * the system management service to retrieve configuration
+ * @param tenantConfigurationManagement
+ * the tenant management service to retrieve configuration
 * properties
 * @param controllerManagement
 * the controller management to retrieve the specific target
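Review bot: `runAsSystem` is now called from `SecurityConfigurationKeyTenantRunner.run()`, i.e. on the request thread inside a pre-authentication filter before the request's own `Authentication` exists, so whatever it installs in the SecurityContextHolder must be restored in a finally block even when getConfigurationValue throws (it declares TenantConfigurationValidatorException) — otherwise a failed lookup could leave the system authentication visible to the rest of the filter chain. `SystemSecurityContext` is not part of this diff, so please confirm that behaviour; since the runner implements `TenantAware.TenantRunner` it is presumably executed under the tenant-aware runner, so also confirm `runAsSystem` does not reset the current tenant. I would note the intent on the lambda: `// runs as system: the filter has no caller authorities yet but must read the tenant's auth-mode switch`. The enclosing class continues outside the hunk.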
@@ -54,11 +54,15 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
 * @param tenantAware
 * the tenant aware service to get configuration for the specific
 * tenant
+ * @param systemSecurityContext
+ * the system security context to get access to tenant
+ * configuration
 */
 public ControllerPreAuthenticateSecurityTokenFilter(
 final TenantConfigurationManagement tenantConfigurationManagement,
- final ControllerManagement controllerManagement, final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final ControllerManagement controllerManagement, final TenantAware tenantAware,
+ final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 this.controllerManagement = controllerManagement;
 }
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java
index 95308d671..765589df4 100644
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java
@@ -39,16 +39,20 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
 /**
 * Constructor.
 *
- * @param systemManagement
- * the system management service to retrieve configuration
+ * @param tenantConfigurationManagement
+ * the tenant management service to retrieve configuration
 * properties
 * @param tenantAware
 * the tenant aware service to get configuration for the specific
 * tenant
+ * @param systemSecurityContext
+ * the system security context to get access to tenant
+ * configuration
 */
 public ControllerPreAuthenticatedGatewaySecurityTokenFilter(
- final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
+ final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 }
 @Override
@@ -84,8 +88,12 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
 public String run() {
 LOGGER.trace("retrieving configuration value for configuration key {}", TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY);
- return tenantConfigurationManagement.getConfigurationValue(
- TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class).getValue();
+
+ return systemSecurityContext
+ .runAsSystem(() -> tenantConfigurationManagement
+ .getConfigurationValue(
+ TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class)
+ .getValue());
 }
 }
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java
index 21289b71c..c74d9182a 100644
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java
@@ -56,18 +56,20 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
 * @param caAuthorityNameHeader
 * the http-header which holds the ca-authority name of the
 * certificate
- * @param systemManagement
- * the system management service to retrieve configuration
- * properties to check if the header authentication is enabled
- * for this tenant
+ * @param tenantConfigurationManagement
+ * the tenant management service to retrieve configuration
+ * properties
 * @param tenantAware
 * the tenant aware service to get configuration for the specific
 * tenant
+ * @param systemSecurityContext
+ * the system security context to get access to tenant
+ * configuration
 */
 public ControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader, final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,
- final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 this.caCommonNameHeader = caCommonNameHeader;
 this.sslIssuerHashBasicHeader = caAuthorityNameHeader;
 }
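Review bot: The rewritten `@param tenantConfigurationManagement` entry drops the purpose the removed text carried — that the configuration is read to decide whether header authentication is enabled for the tenant — and leaves only `the tenant management service to retrieve configuration properties`, which says nothing a reader cannot get from the type. I would keep the old tail: `the tenant management service to retrieve configuration properties to check if the header authentication is enabled for this tenant`. The javadoc block starts before the hunk.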