Code format hawkbit-security-integration (#1934)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
@@ -9,7 +9,7 @@
|
||||
SPDX-License-Identifier: EPL-2.0
|
||||
|
||||
-->
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<parent>
|
||||
|
||||
@@ -28,8 +28,8 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
|
||||
|
||||
protected final TenantConfigurationManagement tenantConfigurationManagement;
|
||||
protected final TenantAware tenantAware;
|
||||
private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
|
||||
protected final SystemSecurityContext systemSecurityContext;
|
||||
private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
|
||||
|
||||
protected AbstractControllerAuthenticationFilter(final TenantConfigurationManagement systemManagement,
|
||||
final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
|
||||
@@ -39,14 +39,20 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
|
||||
this.configurationKeyTenantRunner = new SecurityConfigurationKeyTenantRunner();
|
||||
}
|
||||
|
||||
protected abstract String getTenantConfigurationKey();
|
||||
|
||||
@Override
|
||||
public boolean isEnable(final DmfTenantSecurityToken securityToken) {
|
||||
return tenantAware.runAsTenant(securityToken.getTenant(), configurationKeyTenantRunner);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Collection<GrantedAuthority> getSuccessfulAuthenticationAuthorities() {
|
||||
return Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
protected abstract String getTenantConfigurationKey();
|
||||
|
||||
private final class SecurityConfigurationKeyTenantRunner implements TenantAware.TenantRunner<Boolean> {
|
||||
|
||||
@Override
|
||||
public Boolean run() {
|
||||
|
||||
@@ -56,9 +62,4 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public Collection<GrantedAuthority> getSuccessfulAuthenticationAuthorities() {
|
||||
return Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -36,17 +36,13 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param tenantConfigurationManagement
|
||||
* the tenant management service to retrieve configuration
|
||||
* @param tenantConfigurationManagement the tenant management service to retrieve configuration
|
||||
* properties
|
||||
* @param controllerManagement
|
||||
* the controller management to retrieve the specific target
|
||||
* @param controllerManagement the controller management to retrieve the specific target
|
||||
* security token to verify
|
||||
* @param tenantAware
|
||||
* the tenant aware service to get configuration for the specific
|
||||
* @param tenantAware the tenant aware service to get configuration for the specific
|
||||
* tenant
|
||||
* @param systemSecurityContext
|
||||
* the system security context to get access to tenant
|
||||
* @param systemSecurityContext the system security context to get access to tenant
|
||||
* configuration
|
||||
*/
|
||||
public ControllerPreAuthenticateSecurityTokenFilter(
|
||||
@@ -86,6 +82,11 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
|
||||
.orElse(null);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String getTenantConfigurationKey() {
|
||||
return TenantConfigurationKey.AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED;
|
||||
}
|
||||
|
||||
private String resolveControllerId(final DmfTenantSecurityToken securityToken) {
|
||||
if (securityToken.getControllerId() != null) {
|
||||
return securityToken.getControllerId();
|
||||
@@ -94,9 +95,4 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
|
||||
() -> controllerManagement.get(securityToken.getTargetId()), securityToken.getTenant());
|
||||
return foundTarget.map(Target::getControllerId).orElse(null);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String getTenantConfigurationKey() {
|
||||
return TenantConfigurationKey.AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -25,14 +25,11 @@ public class ControllerPreAuthenticatedAnonymousDownload extends AbstractControl
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param tenantConfigurationManagement
|
||||
* the tenant management service to retrieve configuration
|
||||
* @param tenantConfigurationManagement the tenant management service to retrieve configuration
|
||||
* properties
|
||||
* @param tenantAware
|
||||
* the tenant aware service to get configuration for the specific
|
||||
* @param tenantAware the tenant aware service to get configuration for the specific
|
||||
* tenant
|
||||
* @param systemSecurityContext
|
||||
* the system security context to get access to tenant
|
||||
* @param systemSecurityContext the system security context to get access to tenant
|
||||
* configuration
|
||||
*/
|
||||
public ControllerPreAuthenticatedAnonymousDownload(
|
||||
|
||||
@@ -20,14 +20,18 @@ public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticat
|
||||
private final DdiSecurityProperties ddiSecurityConfiguration;
|
||||
|
||||
/**
|
||||
* @param ddiSecurityConfiguration
|
||||
* the security configuration which holds the configuration if
|
||||
* @param ddiSecurityConfiguration the security configuration which holds the configuration if
|
||||
* anonymous is enabled or not
|
||||
*/
|
||||
public ControllerPreAuthenticatedAnonymousFilter(final DdiSecurityProperties ddiSecurityConfiguration) {
|
||||
this.ddiSecurityConfiguration = ddiSecurityConfiguration;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isEnable(final DmfTenantSecurityToken securityToken) {
|
||||
return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
|
||||
}
|
||||
|
||||
@Override
|
||||
public HeaderAuthentication getPreAuthenticatedPrincipal(final DmfTenantSecurityToken securityToken) {
|
||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
||||
@@ -37,9 +41,4 @@ public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticat
|
||||
public HeaderAuthentication getPreAuthenticatedCredentials(final DmfTenantSecurityToken securityToken) {
|
||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isEnable(final DmfTenantSecurityToken securityToken) {
|
||||
return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
|
||||
}
|
||||
}
|
||||
@@ -34,14 +34,11 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param tenantConfigurationManagement
|
||||
* the tenant management service to retrieve configuration
|
||||
* @param tenantConfigurationManagement the tenant management service to retrieve configuration
|
||||
* properties
|
||||
* @param tenantAware
|
||||
* the tenant aware service to get configuration for the specific
|
||||
* @param tenantAware the tenant aware service to get configuration for the specific
|
||||
* tenant
|
||||
* @param systemSecurityContext
|
||||
* the system security context to get access to tenant
|
||||
* @param systemSecurityContext the system security context to get access to tenant
|
||||
* configuration
|
||||
*/
|
||||
public ControllerPreAuthenticatedGatewaySecurityTokenFilter(
|
||||
|
||||
@@ -52,19 +52,14 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param caCommonNameHeader
|
||||
* the http-header which holds the common-name of the certificate
|
||||
* @param caAuthorityNameHeader
|
||||
* the http-header which holds the ca-authority name of the
|
||||
* @param caCommonNameHeader the http-header which holds the common-name of the certificate
|
||||
* @param caAuthorityNameHeader the http-header which holds the ca-authority name of the
|
||||
* certificate
|
||||
* @param tenantConfigurationManagement
|
||||
* the tenant management service to retrieve configuration
|
||||
* @param tenantConfigurationManagement the tenant management service to retrieve configuration
|
||||
* properties
|
||||
* @param tenantAware
|
||||
* the tenant aware service to get configuration for the specific
|
||||
* @param tenantAware the tenant aware service to get configuration for the specific
|
||||
* tenant
|
||||
* @param systemSecurityContext
|
||||
* the system security context to get access to tenant
|
||||
* @param systemSecurityContext the system security context to get access to tenant
|
||||
* configuration
|
||||
*/
|
||||
public ControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader,
|
||||
@@ -113,6 +108,15 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
|
||||
.collect(Collectors.toSet());
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String getTenantConfigurationKey() {
|
||||
return TenantConfigurationKey.AUTHENTICATION_MODE_HEADER_ENABLED;
|
||||
}
|
||||
|
||||
private static List<String> splitMultiHashBySemicolon(final String knownIssuerHashes) {
|
||||
return Arrays.stream(knownIssuerHashes.split("[;,]")).map(String::toLowerCase).collect(Collectors.toList());
|
||||
}
|
||||
|
||||
/**
|
||||
* Iterates over the {@link #sslIssuerHashBasicHeader} basic header
|
||||
* {@code X-Ssl-Issuer-Hash-%d} and try to find the same hash as known. It's ok
|
||||
@@ -142,20 +146,12 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String getTenantConfigurationKey() {
|
||||
return TenantConfigurationKey.AUTHENTICATION_MODE_HEADER_ENABLED;
|
||||
}
|
||||
|
||||
private final class GetSecurityAuthorityNameTenantRunner implements TenantAware.TenantRunner<String> {
|
||||
|
||||
@Override
|
||||
public String run() {
|
||||
return systemSecurityContext.runAsSystem(() -> tenantConfigurationManagement.getConfigurationValue(
|
||||
TenantConfigurationKey.AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME, String.class).getValue());
|
||||
}
|
||||
}
|
||||
|
||||
private static List<String> splitMultiHashBySemicolon(final String knownIssuerHashes) {
|
||||
return Arrays.stream(knownIssuerHashes.split("[;,]")).map(String::toLowerCase).collect(Collectors.toList());
|
||||
}
|
||||
}
|
||||
|
||||
@@ -28,16 +28,14 @@ import lombok.Data;
|
||||
public class DmfTenantSecurityToken {
|
||||
|
||||
public static final String AUTHORIZATION_HEADER = "Authorization";
|
||||
|
||||
@JsonProperty
|
||||
private String tenant;
|
||||
@JsonProperty
|
||||
private final Long tenantId;
|
||||
@JsonProperty
|
||||
private final String controllerId;
|
||||
@JsonProperty
|
||||
private final Long targetId;
|
||||
|
||||
@JsonProperty
|
||||
private String tenant;
|
||||
@JsonProperty
|
||||
private Map<String, String> headers;
|
||||
|
||||
@@ -82,8 +80,7 @@ public class DmfTenantSecurityToken {
|
||||
/**
|
||||
* Gets a header value.
|
||||
*
|
||||
* @param name
|
||||
* of header
|
||||
* @param name of header
|
||||
* @return the value
|
||||
*/
|
||||
public String getHeader(final String name) {
|
||||
@@ -99,7 +96,6 @@ public class DmfTenantSecurityToken {
|
||||
*
|
||||
* @param name of the header
|
||||
* @param value of the header
|
||||
*
|
||||
* @return the previous value associated with the <tt>name</tt>, or <tt>null</tt> if there was no mapping for <tt>name</tt>.
|
||||
*/
|
||||
public String putHeader(final String name, final String value) {
|
||||
|
||||
@@ -13,11 +13,9 @@ package org.eclipse.hawkbit.security;
|
||||
* The authentication principal and credentials object which holds the
|
||||
* controller-id and the authority name from the http-headers as principal or
|
||||
* from the http-url and tenant configuration for the credentials.
|
||||
*
|
||||
*
|
||||
*
|
||||
*/
|
||||
final class HeaderAuthentication {
|
||||
|
||||
private final String controllerId;
|
||||
private final String headerAuth;
|
||||
|
||||
|
||||
@@ -54,8 +54,7 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
|
||||
* source IP addresses which are trusted and should be checked against the
|
||||
* request remote IP address.
|
||||
*
|
||||
* @param authorizedSourceIps
|
||||
* a list of IP addresses.
|
||||
* @param authorizedSourceIps a list of IP addresses.
|
||||
*/
|
||||
public PreAuthTokenSourceTrustAuthenticationProvider(final List<String> authorizedSourceIps) {
|
||||
this.authorizedSourceIps = authorizedSourceIps;
|
||||
@@ -66,8 +65,7 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
|
||||
* source IP addresses which are trusted and should be checked against the
|
||||
* request remote IP address.
|
||||
*
|
||||
* @param authorizedSourceIps
|
||||
* a list of IP addresses.
|
||||
* @param authorizedSourceIps a list of IP addresses.
|
||||
*/
|
||||
public PreAuthTokenSourceTrustAuthenticationProvider(final String... authorizedSourceIps) {
|
||||
this.authorizedSourceIps = new ArrayList<>();
|
||||
@@ -104,8 +102,12 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
|
||||
throw new BadCredentialsException("The provided principal and credentials are not match");
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean supports(final Class<?> authentication) {
|
||||
return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* The credentials may either be of type HeaderAuthentication or of type
|
||||
* Collection<HeaderAuthentication> depending on the authentication mode in
|
||||
* use (the latter is used in case of trusted reverse-proxy). It is checked
|
||||
@@ -115,13 +117,10 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
|
||||
* special header set by the reverse-proxy which extracted the CN from the
|
||||
* certificate.
|
||||
*
|
||||
* @param principal
|
||||
* the {@link HeaderAuthentication} from the header
|
||||
* @param credentials
|
||||
* a single {@link HeaderAuthentication} or a Collection of
|
||||
* @param principal the {@link HeaderAuthentication} from the header
|
||||
* @param credentials a single {@link HeaderAuthentication} or a Collection of
|
||||
* HeaderAuthentication
|
||||
* @param tokenDetails
|
||||
* authentication details
|
||||
* @param tokenDetails authentication details
|
||||
* @return <code>true</code> if authentication succeeded, otherwise
|
||||
* <code>false</code>
|
||||
*/
|
||||
@@ -172,9 +171,4 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean supports(final Class<?> authentication) {
|
||||
return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -19,9 +19,6 @@ import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails;
|
||||
* authenticating the requested controller e.g. based on the security header and
|
||||
* trusted IP address we need the remote address of the http request to verify
|
||||
* the e.g. the reverse proxy is trusted and allowed to set the header.
|
||||
*
|
||||
*
|
||||
*
|
||||
*/
|
||||
public class TenantAwareWebAuthenticationDetails extends TenantAwareAuthenticationDetails {
|
||||
|
||||
@@ -29,12 +26,9 @@ public class TenantAwareWebAuthenticationDetails extends TenantAwareAuthenticati
|
||||
private final String remoteAddress;
|
||||
|
||||
/**
|
||||
* @param tenant
|
||||
* the current tenant
|
||||
* @param remoteAddress
|
||||
* the remote address of this web request
|
||||
* @param controller
|
||||
* {@code true} indicates this is an controller HTTP request
|
||||
* @param tenant the current tenant
|
||||
* @param remoteAddress the remote address of this web request
|
||||
* @param controller {@code true} indicates this is an controller HTTP request
|
||||
* otherwise {@code false}.
|
||||
*/
|
||||
public TenantAwareWebAuthenticationDetails(final String tenant, final String remoteAddress,
|
||||
|
||||
@@ -11,6 +11,8 @@ package org.eclipse.hawkbit.security;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
import io.qameta.allure.Feature;
|
||||
import io.qameta.allure.Story;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
@@ -21,9 +23,6 @@ import org.mockito.Mock;
|
||||
import org.mockito.junit.jupiter.MockitoExtension;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
|
||||
import io.qameta.allure.Feature;
|
||||
import io.qameta.allure.Story;
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
|
||||
@@ -14,6 +14,9 @@ import static org.mockito.Mockito.when;
|
||||
|
||||
import java.util.Collection;
|
||||
|
||||
import io.qameta.allure.Description;
|
||||
import io.qameta.allure.Feature;
|
||||
import io.qameta.allure.Story;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.repository.model.TenantConfigurationValue;
|
||||
import org.eclipse.hawkbit.tenancy.UserAuthoritiesResolver;
|
||||
@@ -24,10 +27,6 @@ import org.junit.jupiter.api.extension.ExtendWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.jupiter.MockitoExtension;
|
||||
|
||||
import io.qameta.allure.Description;
|
||||
import io.qameta.allure.Feature;
|
||||
import io.qameta.allure.Story;
|
||||
|
||||
@Feature("Unit Tests - Security")
|
||||
@Story("Issuer hash based authentication")
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
|
||||
Reference in New Issue
Block a user