Fix system context resolving in ACM (#2737)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
@@ -12,6 +12,7 @@ package org.eclipse.hawkbit.audit;
|
||||
import java.util.Optional;
|
||||
|
||||
import lombok.NoArgsConstructor;
|
||||
import org.eclipse.hawkbit.security.SecurityContextTenantAware;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.data.domain.AuditorAware;
|
||||
@@ -42,7 +43,7 @@ public class AuditContextProvider {
|
||||
public AuditContext getAuditContext() {
|
||||
return new AuditContext(
|
||||
Optional.ofNullable(resolver.resolveTenant()).orElse("n/a"),
|
||||
Optional.ofNullable(auditorAware).flatMap(AuditorAware::getCurrentAuditor).orElse("system"));
|
||||
Optional.ofNullable(auditorAware).flatMap(AuditorAware::getCurrentAuditor).orElse(SecurityContextTenantAware.SYSTEM_USER));
|
||||
}
|
||||
|
||||
public record AuditContext(String tenant, String username) {}
|
||||
|
||||
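Review bot: The fallback on the last line of getAuditContext attributes every call without a resolvable auditor to SecurityContextTenantAware.SYSTEM_USER, so an audit record can no longer tell genuine system-initiated work apart from a missing or unauthenticated principal; the `"n/a"` tenant fallback on the line above has the same shape. If that is the intended contract, a comment at the `orElse` would make it explicit, e.g. `// no auditorAware or no current auditor: attribute the record to the system user`. The tenant literal could also become a named constant (`private static final String UNKNOWN_TENANT = "n/a";`, name constructed) so the two fallbacks are documented in one place. The rest of AuditContextProvider is outside the hunk, so whether callers ever rely on the distinction cannot be checked here.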
@@ -84,7 +84,7 @@ public class MdcHandler {
|
||||
|
||||
final String user = springSecurityAuditorAware
|
||||
.getCurrentAuditor()
|
||||
.filter(username -> !username.equals("system")) // null and system are the same - system user
|
||||
.filter(username -> !username.equals(SecurityContextTenantAware.SYSTEM_USER)) // null and system are the same - system user
|
||||
.orElse(null);
|
||||
|
||||
return callWithTenantAndUser0(callable, tenant, user);
|
||||
|
||||
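Review bot: The comment on the changed filter line describes an equality rather than the intent of the filter; `// a system principal is passed on as null, i.e. treated like no user at all` says what the line is for. Stylistically the lambda can be a method reference, `.filter(Predicate.not(SecurityContextTenantAware.SYSTEM_USER::equals))`, provided java.util.function.Predicate is imported (the import block is outside the hunk). The enclosing method starts and ends outside the hunk, so what callWithTenantAndUser0 does with a null user cannot be confirmed here.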
@@ -40,6 +40,7 @@ import org.springframework.security.oauth2.core.oidc.user.OidcUser;
|
||||
*/
|
||||
public class SecurityContextTenantAware implements ContextAware {
|
||||
|
||||
// Note! no system user shall be used as a regular user!
|
||||
public static final String SYSTEM_USER = "system";
|
||||
|
||||
private static final Collection<? extends GrantedAuthority> SYSTEM_AUTHORITIES = List.of(new SimpleGrantedAuthority(SpRole.SYSTEM_ROLE));
|
||||
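Review bot: The `Note!` comment above the new SYSTEM_USER constant states a rule that nothing in this class enforces, while the other hunks of this commit (MdcHandler, AuditContextProvider) now compare principal names against the constant; a regular account named "system" would therefore be dropped from the MDC user field and be indistinguishable from system work in audit records. Turning the comment into Javadoc that spells this dependency out makes the rule discoverable from the call sites: `/** Name of the built-in system principal. MdcHandler and AuditContextProvider compare principal names against it, so no regular user account may carry this name. */`. Whether user creation rejects the name is not visible in this commit.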
@@ -181,7 +182,8 @@ public class SecurityContextTenantAware implements ContextAware {
|
||||
private final TenantAwareUser principal;
|
||||
private final TenantAwareAuthenticationDetails tenantAwareAuthenticationDetails;
|
||||
|
||||
private AuthenticationDelegate(final Authentication delegate, final String tenant, final String username,
|
||||
private AuthenticationDelegate(
|
||||
final Authentication delegate, final String tenant, final String username,
|
||||
final Collection<? extends GrantedAuthority> authorities) {
|
||||
this.delegate = delegate;
|
||||
principal = new TenantAwareUser(username, username, authorities, tenant);
|
||||
|
||||
@@ -54,6 +54,22 @@ public class SystemSecurityContext {
|
||||
this.roleHierarchy = roleHierarchy;
|
||||
}
|
||||
|
||||
/**
|
||||
* Runs a given {@link Runnable} within a system security context, which is permitted to call secured system code. Often the system needs
|
||||
* to call secured methods by its own without relying on the current security context e.g. if the current security context does not contain
|
||||
* the necessary permission it's necessary to execute code as system code to execute necessary methods and functionality. <br/>
|
||||
* The security context will be switched to the system code and back after the callable is called. <br/>
|
||||
* The system code is executed for a current tenant by using the {@link TenantAware#getCurrentTenant()}.
|
||||
*
|
||||
* @param runnable the runnable to call within the system security context
|
||||
*/
|
||||
public void runAsSystem(final Runnable runnable) {
|
||||
runAsSystemAsTenant(() -> {
|
||||
runnable.run();
|
||||
return null;
|
||||
}, tenantAware.getCurrentTenant());
|
||||
}
|
||||
|
||||
/**
|
||||
* Runs a given {@link Callable} within a system security context, which is permitted to call secured system code. Often the system needs
|
||||
* to call secured methods by its own without relying on the current security context e.g. if the current security context does not contain
|
||||
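Review bot: The Javadoc of the new runAsSystem(Runnable) still says "after the callable is called", copied from the Callable overload that follows, although the parameter is a Runnable; `* The security context will be switched to the system code and back after the runnable has run. <br/>`. It would also help to state next to the `@param` line how an exception thrown by the runnable propagates, since runAsSystemAsTenant's contract is outside the hunk and cannot be checked here. The enclosing class continues outside the hunk.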
@@ -120,7 +136,7 @@ public class SystemSecurityContext {
|
||||
/**
|
||||
* @return {@code true} if the current running code is running as system code block.
|
||||
*/
|
||||
public boolean isCurrentThreadSystemCode() {
|
||||
public static boolean isCurrentThreadSystemCode() {
|
||||
return SecurityContextHolder.getContext().getAuthentication() instanceof SystemCodeAuthentication;
|
||||
}
|
||||
|
||||
|
||||
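Review bot: Now that isCurrentThreadSystemCode is static, the Javadoc above it should say what the answer depends on, because the method name is the only hint: it reads the SecurityContextHolder, which with the default holder strategy is bound to the calling thread; `* @return {@code true} if the security context of the calling thread (from {@link SecurityContextHolder}) holds a {@link SystemCodeAuthentication}, i.e. the current code runs as system code.`. Existing callers that invoke it on an instance still compile but now get a static-access warning. The enclosing class continues outside the hunk.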