From 2be492261598d4ee006af422b57ac946919098b3 Mon Sep 17 00:00:00 2001
From: Fabian Nonnenmacher
Date: Fri, 5 Feb 2016 11:01:06 +0100
Subject: [PATCH] Added System Security Context as attribute to AbstractControllerAuthenticationFilter

This is necessary, because the tenant configuration methods are only accessable with specific permissions. With the SystemSecurityContext methods can be executed as SystemRunner and therefor we can set permissions.

* updated the chaine of condtructors to set the context in the filter class
* added SystemRunner permission to TenantConfigurationManagement
* Autowired the system context to AMQP and HTTP controller

Signed-off-by: Nonnenmacher Fabian
---
 .../SecurityManagedConfiguration.java | 9 ++++++---
 .../amqp/AmqpControllerAuthentfication.java | 10 +++++++---
 ...actHttpControllerAuthenticationFilter.java | 4 +++-
 ...lerPreAuthenticateSecurityTokenFilter.java | 6 +++---
 ...thenticatedGatewaySecurityTokenFilter.java | 8 +++++---
 ...rPreAuthenticatedSecurityHeaderFilter.java | 6 +++---
 .../TenantConfigurationManagement.java | 3 ++-
 ...bstractControllerAuthenticationFilter.java | 9 ++++++---
 ...lerPreAuthenticateSecurityTokenFilter.java | 12 +++++++----
 ...thenticatedGatewaySecurityTokenFilter.java | 20 +++++++++++++------
 ...rPreAuthenticatedSecurityHeaderFilter.java | 14 +++++++------
 11 files changed, 65 insertions(+), 36 deletions(-)

diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
index c7301efd1..73baa6c5a 100644
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
@@ -39,6 +39,7 @@ import org.eclipse.hawkbit.security.HttpControllerPreAuthenticatedSecurityHeader
 import org.eclipse.hawkbit.security.HttpDownloadAuthenticationFilter;
 import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
 import org.eclipse.hawkbit.security.SecurityProperties;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -127,6 +128,8 @@ public class SecurityManagedConfiguration implements EnvironmentAware {
 private SecurityProperties securityConfiguration;
 @Autowired
 private org.springframework.boot.autoconfigure.security.SecurityProperties springSecurityProperties;
+ @Autowired
+ private SystemSecurityContext systemSecurityContext;
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
@@ -134,19 +137,19 @@ public class SecurityManagedConfiguration implements EnvironmentAware {
 final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
 securityConfiguration.getRpCnHeader(), securityConfiguration.getRpSslIssuerHashHeader(),
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 securityHeaderFilter.setAuthenticationManager(authenticationManager());
 securityHeaderFilter.setCheckForPrincipalChanges(true);
 securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
 final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
- tenantConfigurationManagement, tenantAware, controllerManagement);
+ tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
 securityTokenFilter.setAuthenticationManager(authenticationManager());
 securityTokenFilter.setCheckForPrincipalChanges(true);
 securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
 final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager());
 gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
 gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
diff --git a/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java b/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java
index f19907a99..c708ac0c7 100644
--- a/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java
+++ b/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentfication.java
@@ -24,6 +24,7 @@ import org.eclipse.hawkbit.security.ControllerPreAuthenticatedSecurityHeaderFilt
 import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
 import org.eclipse.hawkbit.security.PreAuthenficationFilter;
 import org.eclipse.hawkbit.security.SecurityProperties;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -57,6 +58,9 @@ public class AmqpControllerAuthentfication {
 @Autowired
 private SecurityProperties secruityProperties;
+ @Autowired
+ private SystemSecurityContext systemSecurityContext;
+
 /**
 * Constructor.
 */
@@ -74,16 +78,16 @@ public class AmqpControllerAuthentfication {
 private void addFilter() {
 final ControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new ControllerPreAuthenticatedGatewaySecurityTokenFilter(
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 filterChain.add(gatewaySecurityTokenFilter);
 final ControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new ControllerPreAuthenticatedSecurityHeaderFilter(
 secruityProperties.getRpCnHeader(), secruityProperties.getRpSslIssuerHashHeader(),
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 filterChain.add(securityHeaderFilter);
 final ControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new ControllerPreAuthenticateSecurityTokenFilter(
- tenantConfigurationManagement, controllerManagement, tenantAware);
+ tenantConfigurationManagement, controllerManagement, tenantAware, systemSecurityContext);
 filterChain.add(securityTokenFilter);
 filterChain.add(new CoapAnonymousPreAuthenticatedFilter());
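Review bot: The new `@Autowired` field `systemSecurityContext` is only safe to read from `addFilter()` if that method runs after field injection; the `Constructor.` Javadoc directly below the new field suggests a constructor nearby, and anything called from it would still see every field-injected member, this one included, as null. The existing injected fields have the same constraint, so presumably the chain is already built from a `@PostConstruct` hook or lazily — worth confirming, because a null context would turn every controller authentication attempt into an NPE inside the filters' tenant runners rather than a startup failure. If it is the constructor, moving the wiring into a `@PostConstruct` method or injecting the collaborators through the constructor fixes it. `addFilter()` continues past the hunk and its caller is not visible.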
diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java
index e4d79b3c4..adb2858b9 100644
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java
@@ -57,6 +57,7 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
 + "}/controller/artifacts/v1/**";
 protected TenantConfigurationManagement tenantConfigurationManagement;
 protected TenantAware tenantAware;
+ protected SystemSecurityContext systemSecurityContext;
 private final AntPathMatcher pathExtractor;
@@ -71,9 +72,10 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
 * the tenant aware service
 */
 public AbstractHttpControllerAuthenticationFilter(final TenantConfigurationManagement tenantConfigurationManagement,
- final TenantAware tenantAware) {
+ final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
 this.tenantConfigurationManagement = tenantConfigurationManagement;
 this.tenantAware = tenantAware;
+ this.systemSecurityContext = systemSecurityContext;
 pathExtractor = new AntPathMatcher();
 }
diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java
index e18a90008..c7106e6dd 100644
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java
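Review bot: The constructor now takes `systemSecurityContext`, but its Javadoc (it closes with the `*/` just above the signature) gets no `@param` for it; the same is true for the three HttpController*Filter constructors in the following hunks, whereas the integration-module filters in this same commit do document the parameter. Suggested line for each: `@param systemSecurityContext the system security context used to read the tenant configuration with system permissions`. The new field follows this file's existing non-final `protected` fields, while `AbstractControllerAuthenticationFilter` in this commit declares the same field `protected final`; since nothing here is reassigned, `final` on all three would match the sibling base class. Nothing rejects a null context at construction time either, so a miswired filter only fails later, inside the delegated filter's tenant runner during an authentication attempt — `this.systemSecurityContext = Objects.requireNonNull(systemSecurityContext, "systemSecurityContext");` (with `java.util.Objects` imported) moves that failure to startup.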
@@ -47,15 +47,15 @@ public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHt
 */
 public HttpControllerPreAuthenticateSecurityTokenFilter(
 final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
- final ControllerManagement controllerManagement) {
- super(tenantConfigurationManagement, tenantAware);
+ final ControllerManagement controllerManagement, final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 this.controllerManagement = controllerManagement;
 }
 @Override
 protected PreAuthenficationFilter createControllerAuthenticationFilter() {
 return new ControllerPreAuthenticateSecurityTokenFilter(tenantConfigurationManagement, controllerManagement,
- tenantAware);
+ tenantAware, systemSecurityContext);
 }
 }
diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java
index b62ac1db4..3d32811ce 100644
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java
@@ -35,13 +35,15 @@ public class HttpControllerPreAuthenticatedGatewaySecurityTokenFilter
 * tenant
 */
 public HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
- final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
+ final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 }
 @Override
 protected PreAuthenficationFilter createControllerAuthenticationFilter() {
- return new ControllerPreAuthenticatedGatewaySecurityTokenFilter(tenantConfigurationManagement, tenantAware);
+ return new ControllerPreAuthenticatedGatewaySecurityTokenFilter(tenantConfigurationManagement, tenantAware,
+ systemSecurityContext);
 }
 }
diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java
index 5a67dda14..58e6be4a9 100644
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java
@@ -45,8 +45,8 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract
 */
 public HttpControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader,
 final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,
- final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 this.caCommonNameHeader = caCommonNameHeader;
 this.caAuthorityNameHeader = caAuthorityNameHeader;
 }
@@ -54,7 +54,7 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract
 @Override
 protected PreAuthenficationFilter createControllerAuthenticationFilter() {
 return new ControllerPreAuthenticatedSecurityHeaderFilter(caCommonNameHeader, caAuthorityNameHeader,
- tenantConfigurationManagement, tenantAware);
+ tenantConfigurationManagement, tenantAware, systemSecurityContext);
 }
 }
diff --git a/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java b/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
index 85432e8a2..2697abf6e 100644
--- a/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
+++ b/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java
@@ -73,7 +73,8 @@ public class TenantConfigurationManagement implements EnvironmentAware {
 */
 @Cacheable(value = "tenantConfiguration", key = "#configurationKey.getKeyName()")
- @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
+ @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION + SpringEvalExpressions.HAS_AUTH_OR
+ + SpringEvalExpressions.IS_SYSTEM_CODE)
 public TenantConfigurationValue getConfigurationValue(final TenantConfigurationKey configurationKey,
 final Class propertyType) throws TenantConfigurationValidatorException {
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java
index 552bbae06..d22c432cf 100644
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java
@@ -29,11 +29,13 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
 protected final TenantConfigurationManagement tenantConfigurationManagement;
 protected final TenantAware tenantAware;
 private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
+ protected final SystemSecurityContext systemSecurityContext;
 protected AbstractControllerAuthenticationFilter(final TenantConfigurationManagement systemManagement,
- final TenantAware tenantAware) {
+ final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
 this.tenantConfigurationManagement = systemManagement;
 this.tenantAware = tenantAware;
+ this.systemSecurityContext = systemSecurityContext;
 this.configurationKeyTenantRunner = new SecurityConfigurationKeyTenantRunner();
 }
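Review bot: Extending the `@PreAuthorize` expression with `IS_SYSTEM_CODE` lets any code running under `runAsSystem` read every tenant-configuration value, not only the authentication-mode flags the filters need — including what `ControllerPreAuthenticatedGatewaySecurityTokenFilter` later in this patch fetches as a plain `String` under the gateway-token key. That is acceptable as long as the escalation stays as narrow as this commit keeps it (one lookup inside the lambda), and the method Javadoc, which ends at the `*/` right above the hunk, should state it: `* Readable by callers with tenant-configuration permission and by system code (SystemSecurityContext#runAsSystem), which the controller authentication filters rely on.`. Two things to confirm outside the hunk: that `HAS_AUTH_OR` carries its own surrounding whitespace so the concatenated SpEL string still parses, and that the cache manager behind `@Cacheable(value = "tenantConfiguration", key = "#configurationKey.getKeyName()")` is tenant-aware, since the key alone holds no tenant and the cached value now drives authentication decisions for every tenant. The method body continues outside the hunk.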
@@ -53,9 +55,10 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
 private final class SecurityConfigurationKeyTenantRunner implements TenantAware.TenantRunner {
 @Override
 public Boolean run() {
+ LOGGER.trace("retrieving configuration value for configuration key {}", getTenantConfigurationKey());
- return tenantConfigurationManagement.getConfigurationValue(getTenantConfigurationKey(), Boolean.class)
- .getValue();
+ return systemSecurityContext.runAsSystem(() -> tenantConfigurationManagement
+ .getConfigurationValue(getTenantConfigurationKey(), Boolean.class).getValue());
 }
 }
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java
index c1dd49e0a..c30f60711 100644
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java
@@ -45,8 +45,8 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
 /**
 * Constructor.
 *
- * @param systemManagement
- * the system management service to retrieve configuration
+ * @param tenantConfigurationManagement
+ * the tenant management service to retrieve configuration
 * properties
 * @param controllerManagement
 * the controller management to retrieve the specific target
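Review bot: `run()` now performs the lookup through `systemSecurityContext.runAsSystem(...)` from inside a `TenantAware.TenantRunner`, so its correctness depends on `runAsSystem` keeping the tenant the enclosing runner established; `SystemSecurityContext` itself is not part of this diff, so that cannot be checked here. If it installs a tenant-less or default-tenant system authentication, the filter would read another tenant's (or no tenant's) authentication-mode flag, which decides whether this tenant's controllers are authenticated at all — a test that runs the filter for two tenants with opposite settings would pin this down. The same applies to the gateway-token runner in `ControllerPreAuthenticatedGatewaySecurityTokenFilter` later in this patch. The added `LOGGER.trace` logs only the key, which is right; assuming `LOGGER` is declared in this class (not visible in the hunk), a comment on the new return, `// run with system permissions: the controller principal itself may not read tenant configuration`, would record why the escalation is needed. The enclosing class continues outside the hunk.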
@@ -54,11 +54,15 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
 * @param tenantAware
 * the tenant aware service to get configuration for the specific
 * tenant
+ * @param systemSecurityContext
+ * the system security context to get access to tenant
+ * configuration
 */
 public ControllerPreAuthenticateSecurityTokenFilter(
 final TenantConfigurationManagement tenantConfigurationManagement,
- final ControllerManagement controllerManagement, final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final ControllerManagement controllerManagement, final TenantAware tenantAware,
+ final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 this.controllerManagement = controllerManagement;
 }
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java
index 95308d671..765589df4 100644
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java
@@ -39,16 +39,20 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
 /**
 * Constructor.
 *
- * @param systemManagement
- * the system management service to retrieve configuration
+ * @param tenantConfigurationManagement
+ * the tenant management service to retrieve configuration
 * properties
 * @param tenantAware
 * the tenant aware service to get configuration for the specific
 * tenant
+ * @param systemSecurityContext
+ * the system security context to get access to tenant
+ * configuration
 */
 public ControllerPreAuthenticatedGatewaySecurityTokenFilter(
- final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware) {
- super(tenantConfigurationManagement, tenantAware);
+ final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
+ final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 }
 @Override
@@ -84,8 +88,12 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
 public String run() {
 LOGGER.trace("retrieving configuration value for configuration key {}",
 TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY);
- return tenantConfigurationManagement.getConfigurationValue(
- TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class).getValue();
+
+ return systemSecurityContext
+ .runAsSystem(() -> tenantConfigurationManagement
+ .getConfigurationValue(
+ TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class)
+ .getValue());
 }
 }
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java
index 21289b71c..c74d9182a 100644
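Review bot: The rewritten `run()` in the second hunk spreads one call chain over five lines, wrapped at every dot and preceded by an added blank line, which makes it easy to overlook that the whole chain including `getValue()` executes inside the `runAsSystem` lambda. Two lines keep the scope obvious: `return systemSecurityContext.runAsSystem(() -> tenantConfigurationManagement` / `.getConfigurationValue(TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class).getValue());`. Judging by the key name and the class, the returned `String` is the tenant's gateway security token itself, so the trace message above it logging only the key is the right choice; a comment on the return, `// the value is the tenant's gateway token — never log or expose it`, would keep it that way for the next change. The enclosing runner class and `LOGGER` declaration are outside the hunk.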
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java
@@ -56,18 +56,20 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
 * @param caAuthorityNameHeader
 * the http-header which holds the ca-authority name of the
 * certificate
- * @param systemManagement
- * the system management service to retrieve configuration
- * properties to check if the header authentication is enabled
- * for this tenant
+ * @param tenantConfigurationManagement
+ * the tenant management service to retrieve configuration
+ * properties
 * @param tenantAware
 * the tenant aware service to get configuration for the specific
 * tenant
+ * @param systemSecurityContext
+ * the system security context to get access to tenant
+ * configuration
 */
 public ControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader,
 final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,
- final TenantAware tenantAware) {
+ final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
+ super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
 this.caCommonNameHeader = caCommonNameHeader;
 this.sslIssuerHashBasicHeader = caAuthorityNameHeader;
 }
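Review bot: The rewritten `@param tenantConfigurationManagement` text drops the one useful detail the old Javadoc carried — that the configuration is consulted `to check if the header authentication is enabled for this tenant` — and replaces it with the generic wording copied to the other two filters. Suggested: `* the tenant configuration service used to check whether header authentication is enabled for this tenant`. The new `@param systemSecurityContext` entry would also be more helpful stating why it is needed rather than what it gives access to, e.g. `* the system security context under which the tenant configuration is read, since the controller principal itself may not read it` (which is what the commit message explains). The rest of the class is outside the hunk.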