Improve Permission Management (#2604)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2025-08-12 14:09:27 +03:00
committed by GitHub
parent 5b299e0a62
commit 441b78460d
40 changed files with 361 additions and 351 deletions

View File

@@ -13,7 +13,7 @@ import java.io.ByteArrayInputStream;
import java.util.List;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.eclipse.hawkbit.repository.model.ArtifactUpload;
import org.eclipse.hawkbit.repository.test.util.WithUser;
@@ -60,7 +60,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getPermissionCheck() {
assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.READ_REPOSITORY));
assertPermissions(() -> artifactManagement.get(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.get(1L), List.of(SpRole.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -71,7 +71,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L),
List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L),
List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
List.of(SpRole.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -80,7 +80,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findFirstBySHA1PermissionCheck() {
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.READ_REPOSITORY));
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpRole.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -89,7 +89,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getByFilenamePermissionCheck() {
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.READ_REPOSITORY));
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpRole.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -114,7 +114,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void loadArtifactBinaryPermissionCheck() {
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpRole.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
}

View File

@@ -27,6 +27,7 @@ import java.util.concurrent.Callable;
import jakarta.validation.ConstraintViolationException;
import org.apache.commons.io.IOUtils;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.repository.artifact.model.DbArtifact;
import org.eclipse.hawkbit.repository.artifact.model.DbArtifactHash;
import org.eclipse.hawkbit.im.authentication.SpPermission;
@@ -425,7 +426,8 @@ class ArtifactManagementTest extends AbstractJpaIntegrationTest {
* Trys and fails to load an artifact without required permission. Checks if expected InsufficientPermissionException is thrown.
*/
@Test
@WithUser(allSpPermissions = true, removeFromAllPermission = { SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT })
@WithUser(allSpPermissions = true, removeFromAllPermission = {
SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT, SpRole.CONTROLLER_ROLE, SpRole.CONTROLLER_ROLE_ANONYMOUS })
void loadArtifactBinaryWithoutDownloadArtifactThrowsPermissionDenied() {
assertThatExceptionOfType(InsufficientPermissionException.class)
.as("Should not have worked with missing permission.")

View File

@@ -12,7 +12,7 @@ package org.eclipse.hawkbit.repository.jpa.management;
import java.util.List;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.junit.jupiter.api.Test;
@@ -46,7 +46,7 @@ class ConfirmationManagementSecurityTest extends AbstractJpaIntegrationTest {
void getStatusPermissionsCheck() {
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.READ_TARGET),
List.of(SpPermission.CREATE_TARGET));
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET));
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpRole.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET));
}
/**

View File

@@ -14,7 +14,6 @@ import java.util.List;
import java.util.Map;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.eclipse.hawkbit.repository.jpa.model.JpaAction;
@@ -37,7 +36,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
void addCancelActionStatusPermissionsCheck() {
assertPermissions(() -> controllerManagement.addCancelActionStatus(
ActionStatusCreate.builder().actionId(0L).status(Action.Status.DOWNLOADED).build()),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -45,7 +44,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void getSoftwareModulePermissionsCheck() {
assertPermissions(() -> controllerManagement.getSoftwareModule(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.getSoftwareModule(1L), List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -54,7 +53,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findTargetVisibleMetaDataBySoftwareModuleIdPermissionsCheck() {
assertPermissions(() -> controllerManagement.findTargetVisibleMetaDataBySoftwareModuleId(List.of(1L)),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -64,7 +63,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
void addInformationalActionStatusPermissionsCheck() {
assertPermissions(() -> controllerManagement.addInformationalActionStatus(
ActionStatusCreate.builder().actionId(0L).status(Action.Status.DOWNLOADED).build()),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -74,7 +73,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
void addUpdateActionStatusPermissionsCheck() {
assertPermissions(() -> controllerManagement.addUpdateActionStatus(
ActionStatusCreate.builder().actionId(0L).status(Action.Status.DOWNLOADED).build()),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -83,7 +82,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findActiveActionWithHighestWeightPermissionsCheck() {
assertPermissions(() -> controllerManagement.findActiveActionWithHighestWeight("controllerId"),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -92,7 +91,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findActiveActionsWithHighestWeightPermissionsCheck() {
assertPermissions(() -> controllerManagement.findActiveActionsWithHighestWeight("controllerId", 1),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -100,7 +99,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void findActionWithDetailsPermissionsCheck() {
assertPermissions(() -> controllerManagement.findActionWithDetails(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.findActionWithDetails(1L), List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -109,7 +108,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findActionStatusByActionPermissionsCheck() {
assertPermissions(() -> controllerManagement.findActionStatusByAction(1L, Pageable.unpaged()),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -118,7 +117,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findOrRegisterTargetIfItDoesNotExistPermissionsCheck() {
assertPermissions(() -> controllerManagement.findOrRegisterTargetIfItDoesNotExist("controllerId", URI.create("someaddress")),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -128,7 +127,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
void findOrRegisterTargetIfItDoesNotExistWithDetailsPermissionsCheck() {
assertPermissions(
() -> controllerManagement.findOrRegisterTargetIfItDoesNotExist("controllerId", URI.create("someaddress"), "name", "type"),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -137,7 +136,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getActionForDownloadByTargetAndSoftwareModulePermissionsCheck() {
assertPermissions(() -> controllerManagement.getActionForDownloadByTargetAndSoftwareModule("controllerId", 1L),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -145,7 +144,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void getPollingTimePermissionsCheck() {
assertPermissions(() -> controllerManagement.getPollingTime(null), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.getPollingTime(null), List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -162,7 +161,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
// expected since action is not found
}
return null;
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -171,7 +170,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void hasTargetArtifactAssignedPermissionsCheck() {
assertPermissions(() -> controllerManagement.hasTargetArtifactAssigned("controllerId", "sha1Hash"),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -180,7 +179,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void hasTargetArtifactAssignedByIdPermissionsCheck() {
assertPermissions(() -> controllerManagement.hasTargetArtifactAssigned(1L, "sha1Hash"),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -189,7 +188,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void updateControllerAttributesPermissionsCheck() {
assertPermissions(() -> controllerManagement.updateControllerAttributes("controllerId", Map.of(), null),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -198,7 +197,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getByControllerIdPermissionsCheck() {
assertPermissions(() -> controllerManagement.getByControllerId("controllerId"),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.getByControllerId("controllerId"),
List.of(SpRole.SYSTEM_ROLE));
}
@@ -208,7 +207,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void getPermissionsCheck() {
assertPermissions(() -> controllerManagement.get(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.get(1L), List.of(SpRole.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.get(1L), List.of(SpRole.SYSTEM_ROLE));
}
@@ -218,7 +217,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getActionHistoryMessagesPermissionsCheck() {
assertPermissions(() -> controllerManagement.getActionHistoryMessages(1L, 1),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -235,7 +234,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
// expected since action is not found
}
return null;
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -246,7 +245,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> {
controllerManagement.updateActionExternalRef(1L, "externalRef");
return null;
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -255,7 +254,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getActionByExternalRefPermissionsCheck() {
assertPermissions(() -> controllerManagement.getActionByExternalRef("externalRef"),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -266,7 +265,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> {
controllerManagement.deleteExistingTarget("controllerId");
return null;
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -277,7 +276,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
final Target target = testdataFactory.createTarget();
assertPermissions(
() -> controllerManagement.getInstalledActionByTarget(target),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -287,7 +286,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
void activateAutoConfirmationPermissionsCheck() {
assertPermissions(
() -> controllerManagement.activateAutoConfirmation("controllerId", "initiator", "remark"),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -298,7 +297,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> {
controllerManagement.deactivateAutoConfirmation("controllerId");
return null;
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpRole.CONTROLLER_ROLE));
}
/**
@@ -307,7 +306,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void updateOfflineAssignedVersionPermissionsCheck() {
assertPermissions(() -> controllerManagement.updateOfflineAssignedVersion("controllerId", "distributionName", "version"),
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpRole.CONTROLLER_ROLE));
}
}

View File

@@ -12,8 +12,8 @@ package org.eclipse.hawkbit.repository.jpa.management;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatNoException;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
import static org.eclipse.hawkbit.im.authentication.SpRole.CONTROLLER_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpRole.CONTROLLER_ROLE_ANONYMOUS;
import static org.eclipse.hawkbit.repository.jpa.configuration.Constants.TX_RT_MAX;
import static org.eclipse.hawkbit.repository.model.Action.ActionType.DOWNLOAD_ONLY;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;

View File

@@ -55,7 +55,8 @@ class DeploymentManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void offlineAssignedDistributionSetsPermissionsCheck() {
assertPermissions(() -> deploymentManagement.offlineAssignedDistributionSets(List.of()), List.of(SpPermission.READ_REPOSITORY));
assertPermissions(() -> deploymentManagement.offlineAssignedDistributionSets(List.of()),
List.of(SpPermission.READ_REPOSITORY, SpPermission.UPDATE_TARGET));
}
/**

View File

@@ -14,7 +14,6 @@ import java.util.List;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.junit.jupiter.api.Test;
@@ -79,7 +78,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpRole.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -90,7 +89,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpRole.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**