diff --git a/hawkbit-autoconfigure/pom.xml b/hawkbit-autoconfigure/pom.xml index 3d4dba7d2..f0c14eac3 100644 --- a/hawkbit-autoconfigure/pom.xml +++ b/hawkbit-autoconfigure/pom.xml 
@@ -9,83 +9,84 @@ SPDX-License-Identifier: EPL-2.0 --> - - 4.0.0 - - org.eclipse.hawkbit - hawkbit-parent - ${revision} - - hawkbit-autoconfigure - hawkBit :: Spring Boot Autoconfigure + + 4.0.0 + + org.eclipse.hawkbit + hawkbit-parent + ${revision} + + hawkbit-autoconfigure + hawkBit :: Spring Boot Autoconfigure - - - org.eclipse.hawkbit - hawkbit-core - ${project.version} - true - - - org.eclipse.hawkbit - hawkbit-dmf-amqp - ${project.version} - true - - - org.eclipse.hawkbit - hawkbit-repository-jpa - ${project.version} - true - - - org.eclipse.hawkbit - hawkbit-http-security - ${project.version} - true - - - org.eclipse.hawkbit - hawkbit-security-core - ${project.version} - true - - - org.eclipse.hawkbit - hawkbit-ddi-resource - ${project.version} - true - - - org.eclipse.hawkbit - hawkbit-mgmt-resource - ${project.version} - true - - - org.eclipse.hawkbit - hawkbit-artifact-repository-filesystem - ${project.version} - true - - - org.springframework - spring-context-support - - - io.protostuff - protostuff-core - true - - - io.protostuff - protostuff-runtime - true - - - jakarta.servlet - jakarta.servlet-api - provided - - + + + org.eclipse.hawkbit + hawkbit-core + ${project.version} + true + + + org.eclipse.hawkbit + hawkbit-dmf-amqp + ${project.version} + true + + + org.eclipse.hawkbit + hawkbit-repository-jpa + ${project.version} + true + + + org.eclipse.hawkbit + hawkbit-http-security + ${project.version} + true + + + org.eclipse.hawkbit + hawkbit-security-core + ${project.version} + true + + + org.eclipse.hawkbit + hawkbit-ddi-resource + ${project.version} + true + + + org.eclipse.hawkbit + hawkbit-mgmt-resource + ${project.version} + true + + + org.eclipse.hawkbit + hawkbit-artifact-repository-filesystem + ${project.version} + true + + + org.springframework + spring-context-support + + + io.protostuff + protostuff-core + true + + + io.protostuff + protostuff-runtime + true + + + jakarta.servlet + jakarta.servlet-api + provided + + 
diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/PropertyHostnameResolverAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/PropertyHostnameResolverAutoConfiguration.java index 1710d872a..975a6c54a 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/PropertyHostnameResolverAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/PropertyHostnameResolverAutoConfiguration.java @@ -34,8 +34,7 @@ import org.springframework.context.annotation.PropertySource; public class PropertyHostnameResolverAutoConfiguration { /** - * @param serverProperties - * to get the servers URL + * @param serverProperties to get the servers URL * @return the default autoconfigure hostname resolver implementation which * is property based specified by the property {@link #url} */ @@ -52,8 +51,7 @@ public class PropertyHostnameResolverAutoConfiguration { } /** - * @param urlHandlerProperties - * for bean configuration + * @param urlHandlerProperties for bean configuration * @return PropertyBasedArtifactUrlHandler bean */ @Bean diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/cache/CacheAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/cache/CacheAutoConfiguration.java index 6f14a1d50..f79b64229 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/cache/CacheAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/cache/CacheAutoConfiguration.java @@ -9,6 +9,7 @@ */ package org.eclipse.hawkbit.autoconfigure.cache; +import com.github.benmanes.caffeine.cache.Caffeine; import org.eclipse.hawkbit.cache.TenancyCacheManager; import org.eclipse.hawkbit.cache.TenantAwareCacheManager; import org.eclipse.hawkbit.tenancy.TenantAware; 
@@ -22,8 +23,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Primary; -import com.github.benmanes.caffeine.cache.Caffeine; - /** * A configuration for configuring the spring {@link CacheManager} for specific * multi-tenancy caching. The caches between tenants must not interfere each diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/DDiApiAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/DDiApiAutoConfiguration.java index ddc929fae..e8780a802 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/DDiApiAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/DDiApiAutoConfiguration.java @@ -16,7 +16,6 @@ import org.springframework.context.annotation.Import; /** * Auto-Configuration for enabling the DDI REST-Resources. - * */ @Configuration @ConditionalOnClass(DdiApiConfiguration.class) diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtApiAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtApiAutoConfiguration.java index 7ae06452b..23250e561 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtApiAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtApiAutoConfiguration.java @@ -16,7 +16,6 @@ import org.springframework.context.annotation.Import; /** * Auto-Configuration for enabling the Management API REST-Resources. - * */ @Configuration @ConditionalOnClass(MgmtApiConfiguration.class) 
diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/repository/JpaRepositoryAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/repository/JpaRepositoryAutoConfiguration.java index f1b64e0ca..fad0efbef 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/repository/JpaRepositoryAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/repository/JpaRepositoryAutoConfiguration.java @@ -22,7 +22,6 @@ import org.springframework.integration.support.locks.LockRegistry; /** * Auto-Configuration for enabling JPA repository. - * */ @Configuration @ConditionalOnClass({ RepositoryApplicationConfiguration.class }) @@ -30,7 +29,6 @@ import org.springframework.integration.support.locks.LockRegistry; public class JpaRepositoryAutoConfiguration { /** - * * @return returns a VirtualPropertyReplacer */ @Bean diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/repository/event/EventPublisherAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/repository/event/EventPublisherAutoConfiguration.java index 244408d85..0f42ca608 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/repository/event/EventPublisherAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/repository/event/EventPublisherAutoConfiguration.java @@ -11,6 +11,8 @@ package org.eclipse.hawkbit.autoconfigure.repository.event; import java.util.concurrent.Executor; +import io.protostuff.ProtostuffIOUtil; +import io.protostuff.Schema; import org.eclipse.hawkbit.event.BusProtoStuffMessageConverter; import org.eclipse.hawkbit.repository.event.ApplicationEventFilter; import org.eclipse.hawkbit.repository.event.remote.RemoteTenantAwareEvent; 
@@ -35,18 +37,15 @@ import org.springframework.context.support.AbstractApplicationContext; import org.springframework.core.ResolvableType; import org.springframework.messaging.converter.MessageConverter; -import io.protostuff.ProtostuffIOUtil; -import io.protostuff.Schema; - /** * Auto configuration for the event bus. - * */ @Configuration @RemoteApplicationEventScan(basePackages = "org.eclipse.hawkbit.repository.event.remote") @PropertySource("classpath:/hawkbit-eventbus-defaults.properties") @EnableConfigurationProperties(BusProperties.class) public class EventPublisherAutoConfiguration { + /** * Server internal event publisher that allows parallel event processing if * the event listener is marked as so. @@ -65,7 +64,7 @@ public class EventPublisherAutoConfiguration { /** * Bean for creating a singleton instance of the * {@link EventPublisherHolder} - * + * * @return the singleton instance of the {@link EventPublisherHolder} */ @Bean @@ -94,9 +93,8 @@ public class EventPublisherAutoConfiguration { /** * Constructor. - * - * @param tenantAware - * the tenant ware + * + * @param tenantAware the tenant ware */ protected TenantAwareApplicationEventPublisher(final TenantAware tenantAware, final ApplicationEventFilter applicationEventFilter) { @@ -136,8 +134,8 @@ public class EventPublisherAutoConfiguration { @ConditionalOnBusEnabled @ConditionalOnClass({ Schema.class, ProtostuffIOUtil.class }) protected static class BusProtoStuffAutoConfiguration { + /** - * * @return the protostuff io message converter */ @Bean diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/AsyncConfigurerAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/AsyncConfigurerAutoConfiguration.java index 944a6efe7..f3aa7e729 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/AsyncConfigurerAutoConfiguration.java 
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/AsyncConfigurerAutoConfiguration.java @@ -21,7 +21,6 @@ import org.springframework.scheduling.annotation.AsyncConfigurer; import org.springframework.scheduling.annotation.EnableAsync; /** - * * Auto config fot the exception handler. */ @Configuration diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/AsyncConfigurerThreadpoolProperties.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/AsyncConfigurerThreadpoolProperties.java index 995247275..221d80d70 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/AsyncConfigurerThreadpoolProperties.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/AsyncConfigurerThreadpoolProperties.java @@ -13,7 +13,6 @@ import org.springframework.boot.context.properties.ConfigurationProperties; /** * Properties for the async configurer. - * */ @ConfigurationProperties("hawkbit.threadpool") public class AsyncConfigurerThreadpoolProperties { diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/ExecutorAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/ExecutorAutoConfiguration.java index 2f7ecf78e..c3a03dcc5 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/ExecutorAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/scheduling/ExecutorAutoConfiguration.java 
@@ -66,30 +66,6 @@ public class ExecutorAutoConfiguration {
 return new ConcurrentTaskExecutor(asyncExecutor());
 }
 
- /**
- * @return central ThreadPoolExecutor for general purpose multi threaded
- * operations. Tries an orderly shutdown when destroyed.
- */
- private ThreadPoolExecutor threadPoolExecutor() {
- final BlockingQueue blockingQueue = new ArrayBlockingQueue<>(
- asyncConfigurerProperties.getQueuesize());
- return new ThreadPoolExecutor(asyncConfigurerProperties.getCorethreads(),
- asyncConfigurerProperties.getMaxthreads(), asyncConfigurerProperties.getIdletimeout(),
- TimeUnit.MILLISECONDS, blockingQueue,
- threadFactory("central-executor-pool-%d"),
- new PoolSizeExceededPolicy());
- }
-
- private static class PoolSizeExceededPolicy extends CallerRunsPolicy {
- @Override
- public void rejectedExecution(final Runnable r, final ThreadPoolExecutor executor) {
- log.warn(
- "Caller has to run on its own instead of centralExecutorService, reached limit of queue size {}",
- executor.getQueue().size());
- super.rejectedExecution(r, executor);
- }
- }
-
 /**
 * @return the executor for UI background processes.
 */
@@ -132,4 +108,29 @@ public class ExecutorAutoConfiguration {
 return thread;
 };
 }
+
+ /**
+ * @return central ThreadPoolExecutor for general purpose multi threaded
+ * operations. Tries an orderly shutdown when destroyed.
+ */
+ private ThreadPoolExecutor threadPoolExecutor() {
+ final BlockingQueue blockingQueue = new ArrayBlockingQueue<>(
+ asyncConfigurerProperties.getQueuesize());
+ return new ThreadPoolExecutor(asyncConfigurerProperties.getCorethreads(),
+ asyncConfigurerProperties.getMaxthreads(), asyncConfigurerProperties.getIdletimeout(),
+ TimeUnit.MILLISECONDS, blockingQueue,
+ threadFactory("central-executor-pool-%d"),
+ new PoolSizeExceededPolicy());
+ }
+
+ private static class PoolSizeExceededPolicy extends CallerRunsPolicy {
+
+ @Override
+ public void rejectedExecution(final Runnable r, final ThreadPoolExecutor executor) {
+ log.warn(
+ "Caller has to run on its own instead of centralExecutorService, reached limit of queue size {}",
+ executor.getQueue().size());
+ super.rejectedExecution(r, executor);
+ }
+ }
 }
diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/EnableHawkbitManagedSecurityConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/EnableHawkbitManagedSecurityConfiguration.java
index 045fec328..ddbe7b8f5 100644
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/EnableHawkbitManagedSecurityConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/EnableHawkbitManagedSecurityConfiguration.java
@@ -18,8 +18,6 @@ import org.springframework.context.annotation.Import;
 
 /**
 * Annotation to enable the managed security configuration.
- *
- *
 */
 @Target(ElementType.TYPE)
 @Retention(RetentionPolicy.RUNTIME)
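Review bot: The Javadoc on the relocated `threadPoolExecutor()` says the pool "Tries an orderly shutdown when destroyed", but nothing in this method or hunk arranges a shutdown; if the owning bean (not visible here) does it through a destroy method, the comment should point there, e.g. `* Shutdown is handled by the bean that wraps this executor, not here.`, otherwise the sentence should be dropped. In `PoolSizeExceededPolicy.rejectedExecution`, every rejected task emits a WARN line before the caller runs it inline, so under sustained saturation this produces one log line per submitted task and can drown out other logging; logging the first rejection only, or at a lower level, would keep the backpressure behaviour without the noise. The `BlockingQueue blockingQueue` declaration appears without a type argument in this rendering, which presumably is page stripping of `<Runnable>` rather than a raw type in the source, but worth confirming. The enclosing class `ExecutorAutoConfiguration` starts outside the hunk.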
diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/OidcUserManagementAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/OidcUserManagementAutoConfiguration.java index f7f374391..37bac9ae7 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/OidcUserManagementAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/OidcUserManagementAutoConfiguration.java @@ -16,7 +16,6 @@ import java.util.Map; import java.util.Set; import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails; -import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.boot.autoconfigure.security.oauth2.client.ClientsConfiguredCondition; @@ -67,7 +66,7 @@ public class OidcUserManagementAutoConfiguration { /** * @return a jwt authorities extractor which interprets the roles of a user - * as their authorities. + * as their authorities. */ @Bean @ConditionalOnMissingBean @@ -133,7 +132,7 @@ public class OidcUserManagementAutoConfiguration { */ public interface JwtAuthoritiesExtractor { - Set extract(final Jwt token, final ClientRegistration clientRegistration ); + Set extract(final Jwt token, final ClientRegistration clientRegistration); } /** diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java index 662b5c675..53ca6531d 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java 
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java @@ -19,8 +19,8 @@ import org.eclipse.hawkbit.im.authentication.SpRole; import org.eclipse.hawkbit.im.authentication.TenantAwareUserProperties; import org.eclipse.hawkbit.im.authentication.TenantAwareUserProperties.User; import org.eclipse.hawkbit.security.DdiSecurityProperties; -import org.eclipse.hawkbit.security.InMemoryUserAuthoritiesResolver; import org.eclipse.hawkbit.security.HawkbitSecurityProperties; +import org.eclipse.hawkbit.security.InMemoryUserAuthoritiesResolver; import org.eclipse.hawkbit.security.MdcHandler; import org.eclipse.hawkbit.security.SecurityContextSerializer; import org.eclipse.hawkbit.security.SecurityContextTenantAware; @@ -64,7 +64,6 @@ public class SecurityAutoConfiguration { * * @param authoritiesResolver The user authorities/roles resolver * @param securityContextSerializer The security context serializer. - * * @return the {@link ContextAware} singleton bean. */ @Bean @@ -111,8 +110,7 @@ public class SecurityAutoConfiguration { } /** - * @param tenantAware - * singleton bean + * @param tenantAware singleton bean * @return tenantAware {@link SystemSecurityContext} */ @Bean diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java index 07b2ed0d9..c74ae3ee4 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java 
@@ -83,11 +83,74 @@ import org.springframework.web.cors.CorsConfigurationSource; @PropertySource("classpath:hawkbit-security-defaults.properties") public class SecurityManagedConfiguration { - private static final int DOS_FILTER_ORDER = -200; public static final String ANONYMOUS_CONTROLLER_SECURITY_ENABLED_SHOULD_ONLY_BE_USED_FOR_DEVELOPMENT_PURPOSES = """ ****************** ** Anonymous controller security enabled, should only be used for development purposes ** ******************"""; + private static final int DOS_FILTER_ORDER = -200; + + /** + * Filter to protect the hawkBit server system management interface against too many requests. + * + * @param securityProperties for filter configuration + * @return the spring filter registration bean for registering a denial of service protection filter in the filter chain + */ + @Bean + @ConditionalOnProperty(prefix = "hawkbit.server.security.dos.filter", name = "enabled", matchIfMissing = true) + public FilterRegistrationBean dosSystemFilter(final HawkbitSecurityProperties securityProperties) { + final FilterRegistrationBean filterRegBean = dosFilter(Collections.emptyList(), + securityProperties.getDos().getFilter(), securityProperties.getClients()); + filterRegBean.setUrlPatterns(List.of("/system/*")); + filterRegBean.setOrder(DOS_FILTER_ORDER); + filterRegBean.setName("dosSystemFilter"); + + return filterRegBean; + } + + /** + * HttpFirewall which enables to define a list of allowed host names. + * + * @return the http firewall. 
+ */ + @Bean + public HttpFirewall httpFirewall(final HawkbitSecurityProperties hawkbitSecurityProperties) { + final List allowedHostNames = hawkbitSecurityProperties.getAllowedHostNames(); + final IgnorePathsStrictHttpFirewall firewall = new IgnorePathsStrictHttpFirewall( + hawkbitSecurityProperties.getHttpFirewallIgnoredPaths()); + + if (!CollectionUtils.isEmpty(allowedHostNames)) { + firewall.setAllowedHostnames(hostName -> { + log.debug("Firewall check host: {}, allowed: {}", hostName, allowedHostNames.contains(hostName)); + return allowedHostNames.contains(hostName); + }); + } + return firewall; + } + + private static FilterRegistrationBean dosFilter(final Collection includeAntPaths, + final HawkbitSecurityProperties.Dos.Filter filterProperties, + final HawkbitSecurityProperties.Clients clientProperties) { + final FilterRegistrationBean filterRegBean = new FilterRegistrationBean<>(); + + filterRegBean.setFilter(new DosFilter(includeAntPaths, filterProperties.getMaxRead(), + filterProperties.getMaxWrite(), filterProperties.getWhitelist(), clientProperties.getBlacklist(), + clientProperties.getRemoteIpHeader())); + + return filterRegBean; + } + + private static AuthenticationManager setAuthenticationManager(final HttpSecurity http, final DdiSecurityProperties ddiSecurityConfiguration) + throws Exception { + // configure authentication manager + final AuthenticationManager authenticationManager = + http + .getSharedObject(AuthenticationManagerBuilder.class) + .authenticationProvider( + new PreAuthTokenSourceTrustAuthenticationProvider(ddiSecurityConfiguration.getRp().getTrustedIPs())) + .build(); + http.authenticationManager(authenticationManager); + return authenticationManager; + } /** * Security configuration for the hawkBit server DDI interface. 
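Review bot: The relocated `dosFilter` helper passes `clientProperties.getRemoteIpHeader()` into `DosFilter` together with the whitelist and blacklist, and nothing at this level records that the header only identifies the real client when a trusted proxy in front of hawkBit sets or overwrites it; whether `DosFilter` guards against a client-supplied value is not visible in this hunk, so a Javadoc on the helper should state the expectation, e.g. `* @param clientProperties client allow/deny lists and the remote-IP header; the header is only reliable behind a proxy that overwrites it`. In `httpFirewall`, the `setAllowedHostnames` lambda calls `allowedHostNames.contains(hostName)` twice, once for the debug log and once for the result; `final boolean allowed = allowedHostNames.contains(hostName);` used in both places keeps the logged value and the decision identical. `setAuthenticationManager` is also undocumented although it replaces the `HttpSecurity` authentication manager with one whose sole provider is a `PreAuthTokenSourceTrustAuthenticationProvider` built from `getRp().getTrustedIPs()`; a one-line comment saying that the manager accepts pre-authenticated tokens only from those reverse-proxy addresses would help the next reader. The enclosing class `SecurityManagedConfiguration` continues past the hunk on both sides.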
@@ -137,7 +200,7 @@ public class SecurityManagedConfiguration { protected FilterRegistrationBean dosFilterDDI(final HawkbitSecurityProperties securityProperties) { final FilterRegistrationBean filterRegBean = dosFilter(List.of(DDI_ANT_MATCHERS), - securityProperties.getDos().getFilter(), securityProperties.getClients()); + securityProperties.getDos().getFilter(), securityProperties.getClients()); filterRegBean.setOrder(DOS_FILTER_ORDER); filterRegBean.setName("dosDDiFilter"); 
@@ -325,36 +388,6 @@ public class SecurityManagedConfiguration { } } - /** - * Filter to protect the hawkBit server system management interface against too many requests. - * - * @param securityProperties for filter configuration - * @return the spring filter registration bean for registering a denial of service protection filter in the filter chain - */ - @Bean - @ConditionalOnProperty(prefix = "hawkbit.server.security.dos.filter", name = "enabled", matchIfMissing = true) - public FilterRegistrationBean dosSystemFilter(final HawkbitSecurityProperties securityProperties) { - final FilterRegistrationBean filterRegBean = dosFilter(Collections.emptyList(), - securityProperties.getDos().getFilter(), securityProperties.getClients()); - filterRegBean.setUrlPatterns(List.of("/system/*")); - filterRegBean.setOrder(DOS_FILTER_ORDER); - filterRegBean.setName("dosSystemFilter"); - - return filterRegBean; - } - - private static FilterRegistrationBean dosFilter(final Collection includeAntPaths, - final HawkbitSecurityProperties.Dos.Filter filterProperties, - final HawkbitSecurityProperties.Clients clientProperties) { - final FilterRegistrationBean filterRegBean = new FilterRegistrationBean<>(); - - filterRegBean.setFilter(new DosFilter(includeAntPaths, filterProperties.getMaxRead(), - filterProperties.getMaxWrite(), filterProperties.getWhitelist(), clientProperties.getBlacklist(), - clientProperties.getRemoteIpHeader())); - - return filterRegBean; - } - /** * Security configuration for the REST management API. */ 
@@ -394,15 +427,13 @@ public class SecurityManagedConfiguration { SecurityFilterChain filterChainREST( final HttpSecurity http, @Autowired(required = false) - @Qualifier("hawkbitOAuth2ResourceServerCustomizer") - final Customizer> oauth2ResourceServerCustomizer, + @Qualifier("hawkbitOAuth2ResourceServerCustomizer") final Customizer> oauth2ResourceServerCustomizer, // called just before build of the SecurityFilterChain. // could be used for instance to set authentication provider // Note: implementation of the customizer shall always take in account what is the already set by the // hawkBit @Autowired(required = false) - @Qualifier("hawkbitHttpSecurityCustomizer") - final Customizer httpSecurityCustomizer, + @Qualifier("hawkbitHttpSecurityCustomizer") final Customizer httpSecurityCustomizer, final SystemManagement systemManagement, final SystemSecurityContext systemSecurityContext) throws Exception { http @@ -410,9 +441,9 @@ public class SecurityManagedConfiguration { .authorizeHttpRequests(amrmRegistry -> amrmRegistry .requestMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**") - .hasAnyAuthority(SpPermission.SYSTEM_ADMIN) + .hasAnyAuthority(SpPermission.SYSTEM_ADMIN) .anyRequest() - .authenticated()) + .authenticated()) .anonymous(AbstractHttpConfigurer::disable) .csrf(AbstractHttpConfigurer::disable) .requestCache(AbstractHttpConfigurer::disable) 
@@ -469,27 +500,6 @@ public class SecurityManagedConfiguration { } } - - /** - * HttpFirewall which enables to define a list of allowed host names. - * - * @return the http firewall. - */ - @Bean - public HttpFirewall httpFirewall(final HawkbitSecurityProperties hawkbitSecurityProperties) { - final List allowedHostNames = hawkbitSecurityProperties.getAllowedHostNames(); - final IgnorePathsStrictHttpFirewall firewall = new IgnorePathsStrictHttpFirewall( - hawkbitSecurityProperties.getHttpFirewallIgnoredPaths()); - - if (!CollectionUtils.isEmpty(allowedHostNames)) { - firewall.setAllowedHostnames(hostName -> { - log.debug("Firewall check host: {}, allowed: {}", hostName, allowedHostNames.contains(hostName)); - return allowedHostNames.contains(hostName); - }); - } - return firewall; - } - private static class IgnorePathsStrictHttpFirewall extends StrictHttpFirewall { private final Collection pathsToIgnore; @@ -503,6 +513,7 @@ public class SecurityManagedConfiguration { public FirewalledRequest getFirewalledRequest(final HttpServletRequest request) { if (pathsToIgnore != null && pathsToIgnore.contains(request.getRequestURI())) { return new FirewalledRequest(request) { + @Override public void reset() { // nothing to do @@ -512,16 +523,4 @@ public class SecurityManagedConfiguration { return super.getFirewalledRequest(request); } } - - private static AuthenticationManager setAuthenticationManager(final HttpSecurity http, final DdiSecurityProperties ddiSecurityConfiguration) throws Exception { - // configure authentication manager - final AuthenticationManager authenticationManager = - http - .getSharedObject(AuthenticationManagerBuilder.class) - .authenticationProvider( - new PreAuthTokenSourceTrustAuthenticationProvider(ddiSecurityConfiguration.getRp().getTrustedIPs())) - .build(); - http.authenticationManager(authenticationManager); - return authenticationManager; - } }