Rename hawkbit-security-intenal -> hawkbit-security-controller (#2015)
as it is controller only related * DmfTenantSecurityToken renamed to ControllerSecurityToken - as it is such * hawkbit.security classes from http-security-internal moved to hawkbit.security.controller - as they are such and it is bad practice to have same package in multiple modules _release_notes_ Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
@@ -53,7 +53,7 @@
|
|||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.hawkbit</groupId>
|
<groupId>org.eclipse.hawkbit</groupId>
|
||||||
<artifactId>hawkbit-security-integration</artifactId>
|
<artifactId>hawkbit-security-controller</artifactId>
|
||||||
<version>${project.version}</version>
|
<version>${project.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|||||||
@@ -29,7 +29,6 @@ import org.eclipse.hawkbit.security.MdcHandler;
|
|||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
|
|||||||
@@ -25,8 +25,8 @@ import org.eclipse.hawkbit.rest.security.DosFilter;
|
|||||||
import org.eclipse.hawkbit.security.DdiSecurityProperties;
|
import org.eclipse.hawkbit.security.DdiSecurityProperties;
|
||||||
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
|
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
|
||||||
import org.eclipse.hawkbit.security.MdcHandler;
|
import org.eclipse.hawkbit.security.MdcHandler;
|
||||||
import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
|
import org.eclipse.hawkbit.security.controller.PreAuthTokenSourceTrustAuthenticationProvider;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||||
|
|||||||
@@ -23,9 +23,9 @@ import jakarta.servlet.http.HttpServletRequest;
|
|||||||
import jakarta.servlet.http.HttpServletResponse;
|
import jakarta.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.security.DmfTenantSecurityToken;
|
|
||||||
import org.eclipse.hawkbit.security.PreAuthenticationFilter;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
|
import org.eclipse.hawkbit.security.controller.ControllerSecurityToken;
|
||||||
|
import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.eclipse.hawkbit.util.UrlUtils;
|
import org.eclipse.hawkbit.util.UrlUtils;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
@@ -46,6 +46,7 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
|||||||
protected TenantConfigurationManagement tenantConfigurationManagement;
|
protected TenantConfigurationManagement tenantConfigurationManagement;
|
||||||
protected TenantAware tenantAware;
|
protected TenantAware tenantAware;
|
||||||
protected SystemSecurityContext systemSecurityContext;
|
protected SystemSecurityContext systemSecurityContext;
|
||||||
|
|
||||||
private static final String TENANT_PLACE_HOLDER = "tenant";
|
private static final String TENANT_PLACE_HOLDER = "tenant";
|
||||||
private static final String CONTROLLER_ID_PLACE_HOLDER = "controllerId";
|
private static final String CONTROLLER_ID_PLACE_HOLDER = "controllerId";
|
||||||
/**
|
/**
|
||||||
@@ -53,12 +54,11 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
|||||||
* containing the placeholder key for retrieving the principal from the URI
|
* containing the placeholder key for retrieving the principal from the URI
|
||||||
* request. e.g."/{tenant}/controller/v1/{controllerId}
|
* request. e.g."/{tenant}/controller/v1/{controllerId}
|
||||||
*/
|
*/
|
||||||
private static final String CONTROLLER_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER + "}/controller/v1" + "/{"
|
private static final String CONTROLLER_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER + "}/controller/v1" +
|
||||||
+ CONTROLLER_ID_PLACE_HOLDER + "}/**";
|
"/{" + CONTROLLER_ID_PLACE_HOLDER + "}/**";
|
||||||
private static final String CONTROLLER_DL_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER
|
private static final String CONTROLLER_DL_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER + "}/controller/artifacts/v1/**";
|
||||||
+ "}/controller/artifacts/v1/**";
|
|
||||||
private final AntPathMatcher pathExtractor;
|
|
||||||
|
|
||||||
|
private final AntPathMatcher pathExtractor;
|
||||||
private PreAuthenticationFilter abstractControllerAuthenticationFilter;
|
private PreAuthenticationFilter abstractControllerAuthenticationFilter;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -91,7 +91,7 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables((HttpServletRequest) request);
|
final ControllerSecurityToken securityToken = createTenantSecurityTokenVariables((HttpServletRequest) request);
|
||||||
if (securityToken == null) {
|
if (securityToken == null) {
|
||||||
chain.doFilter(request, response);
|
chain.doFilter(request, response);
|
||||||
return;
|
return;
|
||||||
@@ -120,7 +120,7 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected Object getPreAuthenticatedPrincipal(final HttpServletRequest request) {
|
protected Object getPreAuthenticatedPrincipal(final HttpServletRequest request) {
|
||||||
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
|
final ControllerSecurityToken securityToken = createTenantSecurityTokenVariables(request);
|
||||||
if (securityToken == null) {
|
if (securityToken == null) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
@@ -129,7 +129,7 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected Object getPreAuthenticatedCredentials(final HttpServletRequest request) {
|
protected Object getPreAuthenticatedCredentials(final HttpServletRequest request) {
|
||||||
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
|
final ControllerSecurityToken securityToken = createTenantSecurityTokenVariables(request);
|
||||||
if (securityToken == null) {
|
if (securityToken == null) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
@@ -144,11 +144,11 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
|||||||
* Extracts tenant and controllerId from the request URI as path variables.
|
* Extracts tenant and controllerId from the request URI as path variables.
|
||||||
*
|
*
|
||||||
* @param request the Http request to extract the path variables.
|
* @param request the Http request to extract the path variables.
|
||||||
* @return the extracted {@link DmfTenantSecurityToken} or {@code null} if the
|
* @return the extracted {@link ControllerSecurityToken} or {@code null} if the
|
||||||
* request does not match the pattern and no variables could be
|
* request does not match the pattern and no variables could be
|
||||||
* extracted
|
* extracted
|
||||||
*/
|
*/
|
||||||
protected DmfTenantSecurityToken createTenantSecurityTokenVariables(final HttpServletRequest request) {
|
protected ControllerSecurityToken createTenantSecurityTokenVariables(final HttpServletRequest request) {
|
||||||
final String requestURI = request.getRequestURI();
|
final String requestURI = request.getRequestURI();
|
||||||
|
|
||||||
if (pathExtractor.match(request.getContextPath() + CONTROLLER_REQUEST_ANT_PATTERN, requestURI)) {
|
if (pathExtractor.match(request.getContextPath() + CONTROLLER_REQUEST_ANT_PATTERN, requestURI)) {
|
||||||
@@ -173,14 +173,10 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private DmfTenantSecurityToken createTenantSecurityTokenVariables(final HttpServletRequest request,
|
private ControllerSecurityToken createTenantSecurityTokenVariables(final HttpServletRequest request,
|
||||||
final String tenant, final String controllerId) {
|
final String tenant, final String controllerId) {
|
||||||
final DmfTenantSecurityToken securityToken = new DmfTenantSecurityToken(tenant, null, controllerId, null);
|
final ControllerSecurityToken securityToken = new ControllerSecurityToken(tenant, null, controllerId, null);
|
||||||
|
Collections.list(request.getHeaderNames()).forEach(header -> securityToken.putHeader(header, request.getHeader(header)));
|
||||||
Collections.list(request.getHeaderNames())
|
|
||||||
.forEach(header -> securityToken.putHeader(header, request.getHeader(header)));
|
|
||||||
|
|
||||||
return securityToken;
|
return securityToken;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
@@ -14,7 +14,7 @@ import java.util.Map;
|
|||||||
import jakarta.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.security.TenantAwareWebAuthenticationDetails;
|
import org.eclipse.hawkbit.security.controller.TenantAwareWebAuthenticationDetails;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
|
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
|
||||||
import org.eclipse.hawkbit.util.UrlUtils;
|
import org.eclipse.hawkbit.util.UrlUtils;
|
||||||
import org.springframework.security.authentication.AuthenticationDetailsSource;
|
import org.springframework.security.authentication.AuthenticationDetailsSource;
|
||||||
|
|||||||
@@ -12,9 +12,9 @@ package org.eclipse.hawkbit.autoconfigure.ddi.security;
|
|||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.security.ControllerPreAuthenticatedAnonymousDownload;
|
|
||||||
import org.eclipse.hawkbit.security.PreAuthenticationFilter;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
|
import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticatedAnonymousDownload;
|
||||||
|
import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
|
|
||||||
|
|||||||
@@ -12,9 +12,9 @@ package org.eclipse.hawkbit.autoconfigure.ddi.security;
|
|||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.security.ControllerPreAuthenticateSecurityTokenFilter;
|
|
||||||
import org.eclipse.hawkbit.security.PreAuthenticationFilter;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
|
import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticateSecurityTokenFilter;
|
||||||
|
import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
|
|
||||||
|
|||||||
@@ -11,9 +11,9 @@ package org.eclipse.hawkbit.autoconfigure.ddi.security;
|
|||||||
|
|
||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.security.ControllerPreAuthenticatedGatewaySecurityTokenFilter;
|
|
||||||
import org.eclipse.hawkbit.security.PreAuthenticationFilter;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
|
import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticatedGatewaySecurityTokenFilter;
|
||||||
|
import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
|
|
||||||
|
|||||||
@@ -11,9 +11,9 @@ package org.eclipse.hawkbit.autoconfigure.ddi.security;
|
|||||||
|
|
||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.security.ControllerPreAuthenticatedSecurityHeaderFilter;
|
|
||||||
import org.eclipse.hawkbit.security.PreAuthenticationFilter;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
|
import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticatedSecurityHeaderFilter;
|
||||||
|
import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
|
|
||||||
|
|||||||
@@ -18,8 +18,8 @@ import java.util.Collections;
|
|||||||
import io.qameta.allure.Description;
|
import io.qameta.allure.Description;
|
||||||
import io.qameta.allure.Feature;
|
import io.qameta.allure.Feature;
|
||||||
import io.qameta.allure.Story;
|
import io.qameta.allure.Story;
|
||||||
import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
|
import org.eclipse.hawkbit.security.controller.PreAuthTokenSourceTrustAuthenticationProvider;
|
||||||
import org.eclipse.hawkbit.security.TenantAwareWebAuthenticationDetails;
|
import org.eclipse.hawkbit.security.controller.TenantAwareWebAuthenticationDetails;
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
import org.junit.jupiter.api.extension.ExtendWith;
|
import org.junit.jupiter.api.extension.ExtendWith;
|
||||||
import org.mockito.Mock;
|
import org.mockito.Mock;
|
||||||
|
|||||||
@@ -35,7 +35,7 @@
|
|||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.hawkbit</groupId>
|
<groupId>org.eclipse.hawkbit</groupId>
|
||||||
<artifactId>hawkbit-security-integration</artifactId>
|
<artifactId>hawkbit-security-controller</artifactId>
|
||||||
<version>${project.version}</version>
|
<version>${project.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|||||||
@@ -30,7 +30,7 @@
|
|||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.hawkbit</groupId>
|
<groupId>org.eclipse.hawkbit</groupId>
|
||||||
<artifactId>hawkbit-security-integration</artifactId>
|
<artifactId>hawkbit-security-controller</artifactId>
|
||||||
<version>${project.version}</version>
|
<version>${project.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|||||||
@@ -29,7 +29,7 @@
|
|||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.hawkbit</groupId>
|
<groupId>org.eclipse.hawkbit</groupId>
|
||||||
<artifactId>hawkbit-security-integration</artifactId>
|
<artifactId>hawkbit-security-core</artifactId>
|
||||||
<version>${project.version}</version>
|
<version>${project.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|||||||
@@ -16,10 +16,8 @@ import java.util.List;
|
|||||||
import jakarta.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.security.DdiSecurityProperties;
|
|
||||||
import org.eclipse.hawkbit.rest.security.DosFilter;
|
import org.eclipse.hawkbit.rest.security.DosFilter;
|
||||||
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
|
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
|
||||||
import org.eclipse.hawkbit.security.PreAuthTokenSourceTrustAuthenticationProvider;
|
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||||
import org.springframework.context.annotation.AdviceMode;
|
import org.springframework.context.annotation.AdviceMode;
|
||||||
@@ -28,10 +26,7 @@ import org.springframework.context.annotation.Configuration;
|
|||||||
import org.springframework.context.annotation.PropertySource;
|
import org.springframework.context.annotation.PropertySource;
|
||||||
import org.springframework.core.Ordered;
|
import org.springframework.core.Ordered;
|
||||||
import org.springframework.core.annotation.Order;
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
|
||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
|
||||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
import org.springframework.security.web.firewall.FirewalledRequest;
|
import org.springframework.security.web.firewall.FirewalledRequest;
|
||||||
import org.springframework.security.web.firewall.HttpFirewall;
|
import org.springframework.security.web.firewall.HttpFirewall;
|
||||||
|
|||||||
@@ -17,9 +17,9 @@
|
|||||||
<artifactId>hawkbit-parent</artifactId>
|
<artifactId>hawkbit-parent</artifactId>
|
||||||
<version>${revision}</version>
|
<version>${revision}</version>
|
||||||
</parent>
|
</parent>
|
||||||
<artifactId>hawkbit-security-integration</artifactId>
|
|
||||||
<name>hawkBit :: Security Integration</name>
|
|
||||||
|
|
||||||
|
<artifactId>hawkbit-security-controller</artifactId>
|
||||||
|
<name>hawkBit :: Security :: Controller</name>
|
||||||
|
|
||||||
<dependencies>
|
<dependencies>
|
||||||
<dependency>
|
<dependency>
|
||||||
@@ -27,6 +27,7 @@
|
|||||||
<artifactId>hawkbit-repository-api</artifactId>
|
<artifactId>hawkbit-repository-api</artifactId>
|
||||||
<version>${project.version}</version>
|
<version>${project.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.springframework.security</groupId>
|
<groupId>org.springframework.security</groupId>
|
||||||
<artifactId>spring-security-web</artifactId>
|
<artifactId>spring-security-web</artifactId>
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
@@ -15,6 +15,7 @@ import java.util.Collection;
|
|||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.springframework.security.core.GrantedAuthority;
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||||
@@ -31,8 +32,9 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
|
|||||||
protected final SystemSecurityContext systemSecurityContext;
|
protected final SystemSecurityContext systemSecurityContext;
|
||||||
private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
|
private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
|
||||||
|
|
||||||
protected AbstractControllerAuthenticationFilter(final TenantConfigurationManagement systemManagement,
|
protected AbstractControllerAuthenticationFilter(
|
||||||
final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
|
final TenantConfigurationManagement systemManagement, final TenantAware tenantAware,
|
||||||
|
final SystemSecurityContext systemSecurityContext) {
|
||||||
this.tenantConfigurationManagement = systemManagement;
|
this.tenantConfigurationManagement = systemManagement;
|
||||||
this.tenantAware = tenantAware;
|
this.tenantAware = tenantAware;
|
||||||
this.systemSecurityContext = systemSecurityContext;
|
this.systemSecurityContext = systemSecurityContext;
|
||||||
@@ -40,7 +42,7 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean isEnable(final DmfTenantSecurityToken securityToken) {
|
public boolean isEnable(final ControllerSecurityToken securityToken) {
|
||||||
return tenantAware.runAsTenant(securityToken.getTenant(), configurationKeyTenantRunner);
|
return tenantAware.runAsTenant(securityToken.getTenant(), configurationKeyTenantRunner);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import java.util.Optional;
|
import java.util.Optional;
|
||||||
|
|
||||||
@@ -15,6 +15,7 @@ import lombok.extern.slf4j.Slf4j;
|
|||||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.repository.model.Target;
|
import org.eclipse.hawkbit.repository.model.Target;
|
||||||
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
||||||
|
|
||||||
@@ -54,9 +55,9 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedPrincipal(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
|
||||||
final String controllerId = resolveControllerId(securityToken);
|
final String controllerId = resolveControllerId(securityToken);
|
||||||
final String authHeader = securityToken.getHeader(DmfTenantSecurityToken.AUTHORIZATION_HEADER);
|
final String authHeader = securityToken.getHeader(ControllerSecurityToken.AUTHORIZATION_HEADER);
|
||||||
if ((authHeader != null) && authHeader.startsWith(TARGET_SECURITY_TOKEN_AUTH_SCHEME)) {
|
if ((authHeader != null) && authHeader.startsWith(TARGET_SECURITY_TOKEN_AUTH_SCHEME)) {
|
||||||
log.debug("found authorization header with scheme {} using target security token for authentication",
|
log.debug("found authorization header with scheme {} using target security token for authentication",
|
||||||
TARGET_SECURITY_TOKEN_AUTH_SCHEME);
|
TARGET_SECURITY_TOKEN_AUTH_SCHEME);
|
||||||
@@ -69,7 +70,7 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedCredentials(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
|
||||||
final Optional<Target> target = systemSecurityContext.runAsSystemAsTenant(() -> {
|
final Optional<Target> target = systemSecurityContext.runAsSystemAsTenant(() -> {
|
||||||
if (securityToken.getTargetId() != null) {
|
if (securityToken.getTargetId() != null) {
|
||||||
return controllerManagement.get(securityToken.getTargetId());
|
return controllerManagement.get(securityToken.getTargetId());
|
||||||
@@ -87,7 +88,7 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
|
|||||||
return TenantConfigurationKey.AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED;
|
return TenantConfigurationKey.AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED;
|
||||||
}
|
}
|
||||||
|
|
||||||
private String resolveControllerId(final DmfTenantSecurityToken securityToken) {
|
private String resolveControllerId(final ControllerSecurityToken securityToken) {
|
||||||
if (securityToken.getControllerId() != null) {
|
if (securityToken.getControllerId() != null) {
|
||||||
return securityToken.getControllerId();
|
return securityToken.getControllerId();
|
||||||
}
|
}
|
||||||
@@ -7,15 +7,16 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* An pre-authenticated processing filter which add the
|
* A pre-authenticated processing filter which add the
|
||||||
* {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the
|
* {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the
|
||||||
* security context in case the anonymous download is allowed through
|
* security context in case the anonymous download is allowed through
|
||||||
* configuration.
|
* configuration.
|
||||||
@@ -39,12 +40,12 @@ public class ControllerPreAuthenticatedAnonymousDownload extends AbstractControl
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedPrincipal(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedCredentials(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -7,13 +7,15 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
|
import org.eclipse.hawkbit.security.DdiSecurityProperties;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* An anonymous controller filter which is only enabled in case of anonymous
|
* An anonymous controller filter which is only enabled in case of anonymous
|
||||||
* access is granted. This should only be for development purposes.
|
* access is granted. This should only be for development purposes.
|
||||||
*
|
*
|
||||||
* @see DdiSecurityProperties
|
* @see org.eclipse.hawkbit.security.DdiSecurityProperties
|
||||||
*/
|
*/
|
||||||
public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticationFilter {
|
public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticationFilter {
|
||||||
|
|
||||||
@@ -28,17 +30,17 @@ public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticat
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean isEnable(final DmfTenantSecurityToken securityToken) {
|
public boolean isEnable(final ControllerSecurityToken securityToken) {
|
||||||
return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
|
return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedPrincipal(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedCredentials(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -7,10 +7,11 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
||||||
|
|
||||||
@@ -48,8 +49,8 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedPrincipal(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
|
||||||
final String authHeader = securityToken.getHeader(DmfTenantSecurityToken.AUTHORIZATION_HEADER);
|
final String authHeader = securityToken.getHeader(ControllerSecurityToken.AUTHORIZATION_HEADER);
|
||||||
if (authHeader != null &&
|
if (authHeader != null &&
|
||||||
authHeader.startsWith(GATEWAY_SECURITY_TOKEN_AUTH_SCHEME) &&
|
authHeader.startsWith(GATEWAY_SECURITY_TOKEN_AUTH_SCHEME) &&
|
||||||
authHeader.length() > OFFSET_GATEWAY_TOKEN) { // disables empty string token
|
authHeader.length() > OFFSET_GATEWAY_TOKEN) { // disables empty string token
|
||||||
@@ -65,7 +66,7 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedCredentials(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
|
||||||
final String gatewayToken = tenantAware.runAsTenant(securityToken.getTenant(),
|
final String gatewayToken = tenantAware.runAsTenant(securityToken.getTenant(),
|
||||||
gatewaySecurityTokenKeyConfigRunner);
|
gatewaySecurityTokenKeyConfigRunner);
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), gatewayToken);
|
return new HeaderAuthentication(securityToken.getControllerId(), gatewayToken);
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
@@ -15,6 +15,7 @@ import java.util.stream.Collectors;
|
|||||||
|
|
||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
@@ -23,7 +24,7 @@ import org.slf4j.LoggerFactory;
|
|||||||
/**
|
/**
|
||||||
* A pre-authenticated processing filter which extracts the principal from a
|
* A pre-authenticated processing filter which extracts the principal from a
|
||||||
* request URI and the credential from a request header in a the
|
* request URI and the credential from a request header in a the
|
||||||
* {@link DmfTenantSecurityToken}.
|
* {@link ControllerSecurityToken}.
|
||||||
*/
|
*/
|
||||||
@Slf4j
|
@Slf4j
|
||||||
public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractControllerAuthenticationFilter {
|
public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractControllerAuthenticationFilter {
|
||||||
@@ -71,7 +72,7 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public HeaderAuthentication getPreAuthenticatedPrincipal(final DmfTenantSecurityToken securityToken) {
|
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
|
||||||
// retrieve the common name header and the authority name header from
|
// retrieve the common name header and the authority name header from
|
||||||
// the http request and combine them together
|
// the http request and combine them together
|
||||||
final String commonNameValue = securityToken.getHeader(caCommonNameHeader);
|
final String commonNameValue = securityToken.getHeader(caCommonNameHeader);
|
||||||
@@ -92,7 +93,7 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Object getPreAuthenticatedCredentials(final DmfTenantSecurityToken securityToken) {
|
public Object getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
|
||||||
final String authorityNameConfigurationValue = tenantAware.runAsTenant(securityToken.getTenant(),
|
final String authorityNameConfigurationValue = tenantAware.runAsTenant(securityToken.getTenant(),
|
||||||
sslIssuerNameConfigTenantRunner);
|
sslIssuerNameConfigTenantRunner);
|
||||||
|
|
||||||
@@ -124,7 +125,7 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
|
|||||||
* this tenant.
|
* this tenant.
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("java:S2629") // check if debug is enabled is maybe heavier then evaluation
|
@SuppressWarnings("java:S2629") // check if debug is enabled is maybe heavier then evaluation
|
||||||
private String getIssuerHashHeader(final DmfTenantSecurityToken securityToken, final String knownIssuerHashes) {
|
private String getIssuerHashHeader(final ControllerSecurityToken securityToken, final String knownIssuerHashes) {
|
||||||
// there may be several knownIssuerHashes configured for the tenant
|
// there may be several knownIssuerHashes configured for the tenant
|
||||||
final List<String> knownHashes = splitMultiHashBySemicolon(knownIssuerHashes);
|
final List<String> knownHashes = splitMultiHashBySemicolon(knownIssuerHashes);
|
||||||
|
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.TreeMap;
|
import java.util.TreeMap;
|
||||||
@@ -25,16 +25,17 @@ import lombok.Data;
|
|||||||
@Data
|
@Data
|
||||||
@JsonInclude(Include.NON_NULL)
|
@JsonInclude(Include.NON_NULL)
|
||||||
@JsonIgnoreProperties(ignoreUnknown = true)
|
@JsonIgnoreProperties(ignoreUnknown = true)
|
||||||
public class DmfTenantSecurityToken {
|
public class ControllerSecurityToken {
|
||||||
|
|
||||||
public static final String AUTHORIZATION_HEADER = "Authorization";
|
public static final String AUTHORIZATION_HEADER = "Authorization";
|
||||||
|
|
||||||
@JsonProperty
|
@JsonProperty
|
||||||
private final Long tenantId;
|
private final Long tenantId;
|
||||||
@JsonProperty
|
@JsonProperty
|
||||||
private final String controllerId;
|
|
||||||
@JsonProperty
|
|
||||||
private final Long targetId;
|
private final Long targetId;
|
||||||
@JsonProperty
|
@JsonProperty
|
||||||
|
private final String controllerId;
|
||||||
|
@JsonProperty
|
||||||
private String tenant;
|
private String tenant;
|
||||||
@JsonProperty
|
@JsonProperty
|
||||||
private Map<String, String> headers;
|
private Map<String, String> headers;
|
||||||
@@ -48,7 +49,8 @@ public class DmfTenantSecurityToken {
|
|||||||
* @param targetId alternative target identification by technical ID
|
* @param targetId alternative target identification by technical ID
|
||||||
*/
|
*/
|
||||||
@JsonCreator
|
@JsonCreator
|
||||||
public DmfTenantSecurityToken(@JsonProperty("tenant") final String tenant,
|
public ControllerSecurityToken(
|
||||||
|
@JsonProperty("tenant") final String tenant,
|
||||||
@JsonProperty("tenantId") final Long tenantId, @JsonProperty("controllerId") final String controllerId,
|
@JsonProperty("tenantId") final Long tenantId, @JsonProperty("controllerId") final String controllerId,
|
||||||
@JsonProperty("targetId") final Long targetId) {
|
@JsonProperty("targetId") final Long targetId) {
|
||||||
this.tenant = tenant;
|
this.tenant = tenant;
|
||||||
@@ -63,20 +65,10 @@ public class DmfTenantSecurityToken {
|
|||||||
* @param tenant the tenant for the security token
|
* @param tenant the tenant for the security token
|
||||||
* @param controllerId the ID of the controller for the security token
|
* @param controllerId the ID of the controller for the security token
|
||||||
*/
|
*/
|
||||||
public DmfTenantSecurityToken(final String tenant, final String controllerId) {
|
public ControllerSecurityToken(final String tenant, final String controllerId) {
|
||||||
this(tenant, null, controllerId, null);
|
this(tenant, null, controllerId, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Constructor.
|
|
||||||
*
|
|
||||||
* @param tenantId the tenant for the security token
|
|
||||||
* @param targetId target identification by technical ID
|
|
||||||
*/
|
|
||||||
public DmfTenantSecurityToken(final Long tenantId, final Long targetId) {
|
|
||||||
this(null, tenantId, null, targetId);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets a header value.
|
* Gets a header value.
|
||||||
*
|
*
|
||||||
@@ -96,12 +88,12 @@ public class DmfTenantSecurityToken {
|
|||||||
*
|
*
|
||||||
* @param name of the header
|
* @param name of the header
|
||||||
* @param value of the header
|
* @param value of the header
|
||||||
* @return the previous value associated with the <tt>name</tt>, or <tt>null</tt> if there was no mapping for <tt>name</tt>.
|
|
||||||
*/
|
*/
|
||||||
public String putHeader(final String name, final String value) {
|
public void putHeader(final String name, final String value) {
|
||||||
if (headers == null) {
|
if (headers == null) {
|
||||||
headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
|
headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
|
||||||
}
|
}
|
||||||
return headers.put(name, value);
|
|
||||||
|
headers.put(name, value);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The authentication principal and credentials object which holds the
|
* The authentication principal and credentials object which holds the
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
@@ -26,7 +26,7 @@ public interface PreAuthenticationFilter {
|
|||||||
* @param securityToken the secruity info
|
* @param securityToken the secruity info
|
||||||
* @return <code>true</code> is enabled <code>false</code> diabled
|
* @return <code>true</code> is enabled <code>false</code> diabled
|
||||||
*/
|
*/
|
||||||
boolean isEnable(DmfTenantSecurityToken securityToken);
|
boolean isEnable(ControllerSecurityToken securityToken);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Extract the principal information from the current securityToken.
|
* Extract the principal information from the current securityToken.
|
||||||
@@ -34,7 +34,7 @@ public interface PreAuthenticationFilter {
|
|||||||
* @param securityToken the securityToken
|
* @param securityToken the securityToken
|
||||||
* @return the extracted tenant and controller id
|
* @return the extracted tenant and controller id
|
||||||
*/
|
*/
|
||||||
HeaderAuthentication getPreAuthenticatedPrincipal(DmfTenantSecurityToken securityToken);
|
HeaderAuthentication getPreAuthenticatedPrincipal(ControllerSecurityToken securityToken);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Extract the principal credentials from the current securityToken.
|
* Extract the principal credentials from the current securityToken.
|
||||||
@@ -42,7 +42,7 @@ public interface PreAuthenticationFilter {
|
|||||||
* @param securityToken the securityToken
|
* @param securityToken the securityToken
|
||||||
* @return the extracted tenant and controller id
|
* @return the extracted tenant and controller id
|
||||||
*/
|
*/
|
||||||
Object getPreAuthenticatedCredentials(DmfTenantSecurityToken securityToken);
|
Object getPreAuthenticatedCredentials(ControllerSecurityToken securityToken);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Allows to add additional authorities to the successful authenticated token.
|
* Allows to add additional authorities to the successful authenticated token.
|
||||||
@@ -7,7 +7,9 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
|
import java.io.Serial;
|
||||||
|
|
||||||
import jakarta.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
@@ -22,7 +24,9 @@ import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
|
|||||||
*/
|
*/
|
||||||
public class TenantAwareWebAuthenticationDetails extends TenantAwareAuthenticationDetails {
|
public class TenantAwareWebAuthenticationDetails extends TenantAwareAuthenticationDetails {
|
||||||
|
|
||||||
|
@Serial
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
|
|
||||||
private final String remoteAddress;
|
private final String remoteAddress;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
|
||||||
@@ -15,6 +15,7 @@ import io.qameta.allure.Feature;
|
|||||||
import io.qameta.allure.Story;
|
import io.qameta.allure.Story;
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.junit.jupiter.api.BeforeEach;
|
import org.junit.jupiter.api.BeforeEach;
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
*
|
*
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
* SPDX-License-Identifier: EPL-2.0
|
||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security.controller;
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
import static org.mockito.Mockito.when;
|
import static org.mockito.Mockito.when;
|
||||||
@@ -19,6 +19,9 @@ import io.qameta.allure.Feature;
|
|||||||
import io.qameta.allure.Story;
|
import io.qameta.allure.Story;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.repository.model.TenantConfigurationValue;
|
import org.eclipse.hawkbit.repository.model.TenantConfigurationValue;
|
||||||
|
import org.eclipse.hawkbit.security.SecurityContextSerializer;
|
||||||
|
import org.eclipse.hawkbit.security.SecurityContextTenantAware;
|
||||||
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.UserAuthoritiesResolver;
|
import org.eclipse.hawkbit.tenancy.UserAuthoritiesResolver;
|
||||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
||||||
import org.junit.jupiter.api.BeforeEach;
|
import org.junit.jupiter.api.BeforeEach;
|
||||||
@@ -62,14 +65,15 @@ public class ControllerPreAuthenticatedSecurityHeaderFilterTest {
|
|||||||
@BeforeEach
|
@BeforeEach
|
||||||
public void before() {
|
public void before() {
|
||||||
final SecurityContextTenantAware tenantAware = new SecurityContextTenantAware(authoritiesResolver, securityContextSerializer);
|
final SecurityContextTenantAware tenantAware = new SecurityContextTenantAware(authoritiesResolver, securityContextSerializer);
|
||||||
underTest = new ControllerPreAuthenticatedSecurityHeaderFilter(CA_COMMON_NAME, "X-Ssl-Issuer-Hash-%d",
|
underTest = new ControllerPreAuthenticatedSecurityHeaderFilter(
|
||||||
|
CA_COMMON_NAME, "X-Ssl-Issuer-Hash-%d",
|
||||||
tenantConfigurationManagementMock, tenantAware, new SystemSecurityContext(tenantAware));
|
tenantConfigurationManagementMock, tenantAware, new SystemSecurityContext(tenantAware));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Description("Tests the filter for issuer hash based authentication with a single known hash")
|
@Description("Tests the filter for issuer hash based authentication with a single known hash")
|
||||||
public void testIssuerHashBasedAuthenticationWithSingleKnownHash() {
|
public void testIssuerHashBasedAuthenticationWithSingleKnownHash() {
|
||||||
final DmfTenantSecurityToken securityToken = prepareSecurityToken(SINGLE_HASH);
|
final ControllerSecurityToken securityToken = prepareSecurityToken(SINGLE_HASH);
|
||||||
// use single known hash
|
// use single known hash
|
||||||
when(tenantConfigurationManagementMock.getConfigurationValue(
|
when(tenantConfigurationManagementMock.getConfigurationValue(
|
||||||
TenantConfigurationKey.AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME, String.class))
|
TenantConfigurationKey.AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME, String.class))
|
||||||
@@ -92,7 +96,7 @@ public class ControllerPreAuthenticatedSecurityHeaderFilterTest {
|
|||||||
@Test
|
@Test
|
||||||
@Description("Tests the filter for issuer hash based authentication with unknown hash")
|
@Description("Tests the filter for issuer hash based authentication with unknown hash")
|
||||||
public void testIssuerHashBasedAuthenticationWithUnknownHash() {
|
public void testIssuerHashBasedAuthenticationWithUnknownHash() {
|
||||||
final DmfTenantSecurityToken securityToken = prepareSecurityToken(UNKNOWN_HASH);
|
final ControllerSecurityToken securityToken = prepareSecurityToken(UNKNOWN_HASH);
|
||||||
// use single known hash
|
// use single known hash
|
||||||
when(tenantConfigurationManagementMock.getConfigurationValue(
|
when(tenantConfigurationManagementMock.getConfigurationValue(
|
||||||
TenantConfigurationKey.AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME, String.class))
|
TenantConfigurationKey.AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME, String.class))
|
||||||
@@ -103,8 +107,8 @@ public class ControllerPreAuthenticatedSecurityHeaderFilterTest {
|
|||||||
@Test
|
@Test
|
||||||
@Description("Tests different values for issuer hash header and inspects the credentials")
|
@Description("Tests different values for issuer hash header and inspects the credentials")
|
||||||
public void useDifferentValuesForIssuerHashHeader() {
|
public void useDifferentValuesForIssuerHashHeader() {
|
||||||
final DmfTenantSecurityToken securityToken1 = prepareSecurityToken(SINGLE_HASH);
|
final ControllerSecurityToken securityToken1 = prepareSecurityToken(SINGLE_HASH);
|
||||||
final DmfTenantSecurityToken securityToken2 = prepareSecurityToken(SECOND_HASH);
|
final ControllerSecurityToken securityToken2 = prepareSecurityToken(SECOND_HASH);
|
||||||
|
|
||||||
final HeaderAuthentication expected1 = new HeaderAuthentication(CA_COMMON_NAME_VALUE, SINGLE_HASH);
|
final HeaderAuthentication expected1 = new HeaderAuthentication(CA_COMMON_NAME_VALUE, SINGLE_HASH);
|
||||||
final HeaderAuthentication expected2 = new HeaderAuthentication(CA_COMMON_NAME_VALUE, SECOND_HASH);
|
final HeaderAuthentication expected2 = new HeaderAuthentication(CA_COMMON_NAME_VALUE, SECOND_HASH);
|
||||||
@@ -129,8 +133,8 @@ public class ControllerPreAuthenticatedSecurityHeaderFilterTest {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static DmfTenantSecurityToken prepareSecurityToken(final String issuerHashHeaderValue) {
|
private static ControllerSecurityToken prepareSecurityToken(final String issuerHashHeaderValue) {
|
||||||
final DmfTenantSecurityToken securityToken = new DmfTenantSecurityToken("DEFAULT", CA_COMMON_NAME_VALUE);
|
final ControllerSecurityToken securityToken = new ControllerSecurityToken("DEFAULT", CA_COMMON_NAME_VALUE);
|
||||||
securityToken.putHeader(CA_COMMON_NAME, CA_COMMON_NAME_VALUE);
|
securityToken.putHeader(CA_COMMON_NAME, CA_COMMON_NAME_VALUE);
|
||||||
securityToken.putHeader(X_SSL_ISSUER_HASH_1, issuerHashHeaderValue);
|
securityToken.putHeader(X_SSL_ISSUER_HASH_1, issuerHashHeaderValue);
|
||||||
return securityToken;
|
return securityToken;
|
||||||
@@ -33,7 +33,7 @@
|
|||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.hawkbit</groupId>
|
<groupId>org.eclipse.hawkbit</groupId>
|
||||||
<artifactId>hawkbit-security-integration</artifactId>
|
<artifactId>hawkbit-security-controller</artifactId>
|
||||||
<version>${project.version}</version>
|
<version>${project.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|||||||
2
pom.xml
2
pom.xml
@@ -134,7 +134,7 @@
|
|||||||
<modules>
|
<modules>
|
||||||
<module>hawkbit-core</module>
|
<module>hawkbit-core</module>
|
||||||
<module>hawkbit-security-core</module>
|
<module>hawkbit-security-core</module>
|
||||||
<module>hawkbit-security-integration</module>
|
<module>hawkbit-security-controller</module>
|
||||||
<module>hawkbit-artifact</module>
|
<module>hawkbit-artifact</module>
|
||||||
<module>hawkbit-repository</module>
|
<module>hawkbit-repository</module>
|
||||||
<module>hawkbit-autoconfigure</module>
|
<module>hawkbit-autoconfigure</module>
|
||||||
|
|||||||
Reference in New Issue
Block a user