Fix system context resolving in ACM (#2737)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2025-10-10 12:02:16 +03:00
committed by GitHub
parent e7d9ee7990
commit 3447ac3b1b
17 changed files with 97 additions and 129 deletions


@@ -12,6 +12,7 @@ package org.eclipse.hawkbit.audit;
import java.util.Optional;
import lombok.NoArgsConstructor;
import org.eclipse.hawkbit.security.SecurityContextTenantAware;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.AuditorAware;
@@ -42,7 +43,7 @@ public class AuditContextProvider {
public AuditContext getAuditContext() {
return new AuditContext(
Optional.ofNullable(resolver.resolveTenant()).orElse("n/a"),
Optional.ofNullable(auditorAware).flatMap(AuditorAware::getCurrentAuditor).orElse("system"));
Optional.ofNullable(auditorAware).flatMap(AuditorAware::getCurrentAuditor).orElse(SecurityContextTenantAware.SYSTEM_USER));
}
public record AuditContext(String tenant, String username) {}
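Review bot: The fallback on the new line records an absent auditor as `SYSTEM_USER`, so an audit entry written from a context with no current auditor reads exactly like one produced by genuine system code; a comment should state that this collapse is deliberate, e.g. `// no current auditor is attributed to the system user, consistent with MdcHandler treating null and system as equivalent`. Whether the audit trail must keep the two cases apart is a requirement I cannot settle from this hunk. The enclosing getAuditContext() method is fully visible, but the surrounding class is not.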


@@ -84,7 +84,7 @@ public class MdcHandler {
final String user = springSecurityAuditorAware
.getCurrentAuditor()
.filter(username -> !username.equals("system")) // null and system are the same - system user
.filter(username -> !username.equals(SecurityContextTenantAware.SYSTEM_USER)) // null and system are the same - system user
.orElse(null);
return callWithTenantAndUser0(callable, tenant, user);


@@ -40,6 +40,7 @@ import org.springframework.security.oauth2.core.oidc.user.OidcUser;
*/
public class SecurityContextTenantAware implements ContextAware {
// Note! no system user shall be used as a regular user!
public static final String SYSTEM_USER = "system";
private static final Collection<? extends GrantedAuthority> SYSTEM_AUTHORITIES = List.of(new SimpleGrantedAuthority(SpRole.SYSTEM_ROLE));
@@ -181,7 +182,8 @@ public class SecurityContextTenantAware implements ContextAware {
private final TenantAwareUser principal;
private final TenantAwareAuthenticationDetails tenantAwareAuthenticationDetails;
private AuthenticationDelegate(final Authentication delegate, final String tenant, final String username,
private AuthenticationDelegate(
final Authentication delegate, final String tenant, final String username,
final Collection<? extends GrantedAuthority> authorities) {
this.delegate = delegate;
principal = new TenantAwareUser(username, username, authorities, tenant);
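Review bot: `SYSTEM_USER` is public API, but its only documentation is a line comment that does not reach callers; turn it into Javadoc such as `/** Username reserved for system code. Must never be assigned to a regular user, since other components (MdcHandler, AuditContextProvider) identify the system principal by this value. */`. The constraint is currently enforced only by convention; if user creation is validated elsewhere, rejecting this name there would be the place to back the note up, which I cannot confirm from this page. The AuthenticationDelegate constructor hunk is a line-wrap only; the constructor body continues outside the hunk.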


@@ -54,6 +54,22 @@ public class SystemSecurityContext {
this.roleHierarchy = roleHierarchy;
}
/**
* Runs a given {@link Runnable} within a system security context, which is permitted to call secured system code. Often the system needs
* to call secured methods by its own without relying on the current security context e.g. if the current security context does not contain
* the necessary permission it's necessary to execute code as system code to execute necessary methods and functionality. <br/>
* The security context will be switched to the system code and back after the callable is called. <br/>
* The system code is executed for a current tenant by using the {@link TenantAware#getCurrentTenant()}.
*
* @param runnable the runnable to call within the system security context
*/
public void runAsSystem(final Runnable runnable) {
runAsSystemAsTenant(() -> {
runnable.run();
return null;
}, tenantAware.getCurrentTenant());
}
/**
* Runs a given {@link Callable} within a system security context, which is permitted to call secured system code. Often the system needs
* to call secured methods by its own without relying on the current security context e.g. if the current security context does not contain
@@ -120,7 +136,7 @@ public class SystemSecurityContext {
/**
* @return {@code true} if the current running code is running as system code block.
*/
public boolean isCurrentThreadSystemCode() {
public static boolean isCurrentThreadSystemCode() {
return SecurityContextHolder.getContext().getAuthentication() instanceof SystemCodeAuthentication;
}
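Review bot: The Javadoc on the new `runAsSystem(Runnable)` overload was copied from the Callable variant and still says the context is restored "after the callable is called"; change that line to `* The security context will be switched to the system code and back after the runnable has run. <br/>`. Adding a `Runnable` overload beside the existing `runAsSystem(Callable)` resolves cleanly for plain lambdas, but an inexact method reference (one naming an overloaded method) passed as the argument may now be reported as ambiguous, so dependent modules deserve a compile rather than trust in this hunk. The second hunk makes `isCurrentThreadSystemCode()` static; instance-style calls still compile, but any test that stubbed it on a mock instance would silently stop taking effect, which I cannot verify from here.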