Anonymous download activated does not result in general DDI anonymous (#616)

* Fix unintended anonymous access in DDI API.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Fix test.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Fix ant matcher.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
Kai Zimmermann
2017-12-19 17:53:17 +01:00
committed by GitHub
parent 7d0bf3a162
commit 5d774dc70a
17 changed files with 199 additions and 93 deletions


@@ -8,19 +8,22 @@
*/
package org.eclipse.hawkbit.security;
import java.util.Arrays;
import java.util.Collection;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
/**
* An abstraction for all controller based security. Check if the tenant
* configuration is enabled.
*
*
*
*/
public abstract class AbstractControllerAuthenticationFilter implements PreAuthentificationFilter {
public abstract class AbstractControllerAuthenticationFilter implements PreAuthenticationFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(AbstractControllerAuthenticationFilter.class);
@@ -54,4 +57,9 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
}
}
@Override
public Collection<GrantedAuthority> getSuccessfulAuthenticationAuthorities() {
return Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
}
}
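Review bot: The new getSuccessfulAuthenticationAuthorities() at the end of the second hunk has no Javadoc, and since it is the default every subclass inherits unless overridden, the comment should say so, e.g. `/** Authorities granted once this filter's pre-authentication succeeds; subclasses override to grant a different set. */`. `Arrays.asList` also returns a list whose elements a caller can overwrite with `set`; `return Collections.singletonList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));` (importing `java.util.Collections` in place of `java.util.Arrays`) gives an immutable one-element list with no other change. Nothing in the hunk shows whether callers ever mutate the returned list, so the immutability point is defensive rather than a known defect.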


@@ -8,15 +8,10 @@
*/
package org.eclipse.hawkbit.security;
import java.util.Arrays;
import java.util.Collection;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
/**
* An pre-authenticated processing filter which add the
@@ -59,9 +54,4 @@ public class ControllerPreAuthenticatedAnonymousDownload extends AbstractControl
protected String getTenantConfigurationKey() {
return TenantConfigurationKey.ANONYMOUS_DOWNLOAD_MODE_ENABLED;
}
@Override
public Collection<GrantedAuthority> getSuccessfulAuthenticationAuthorities() {
return Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_DOWNLOAD_ROLE));
}
}


@@ -14,7 +14,7 @@ package org.eclipse.hawkbit.security;
*
* @see DdiSecurityProperties
*/
public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthentificationFilter {
public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticationFilter {
private final DdiSecurityProperties ddiSecurityConfiguration;


@@ -12,7 +12,6 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
@@ -20,7 +19,6 @@ import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
/**
@@ -91,19 +89,17 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
final Object credentials = token.getCredentials();
final Object principal = token.getPrincipal();
final Object tokenDetails = token.getDetails();
final Collection<GrantedAuthority> authorities = token.getAuthorities();
if (principal == null) {
throw new BadCredentialsException("The provided principal and credentials are not match");
}
boolean successAuthentication = calculateAuthenticationSuccess(principal, credentials, tokenDetails);
final boolean successAuthentication = calculateAuthenticationSuccess(principal, credentials, tokenDetails);
if (successAuthentication) {
final Collection<GrantedAuthority> controllerAuthorities = new ArrayList<>();
controllerAuthorities.add(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
controllerAuthorities.add(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_DOWNLOAD_ROLE));
final PreAuthenticatedAuthenticationToken successToken = new PreAuthenticatedAuthenticationToken(principal,
credentials, controllerAuthorities);
credentials, authorities);
successToken.setDetails(tokenDetails);
return successToken;
}
@@ -132,7 +128,8 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
* @return <code>true</code> if authentication succeeded, otherwise
* <code>false</code>
*/
private boolean calculateAuthenticationSuccess(Object principal, Object credentials, Object tokenDetails) {
private boolean calculateAuthenticationSuccess(final Object principal, final Object credentials,
final Object tokenDetails) {
boolean successAuthentication = false;
if (credentials instanceof Collection) {
final Collection<?> multiValueCredentials = (Collection<?>) credentials;
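Review bot: In the third hunk the success token is now built from `authorities` read off the incoming token (`credentials, authorities);`), so the granted role set is decided entirely by whichever filter constructed that token and this provider no longer adds anything; that contract is easy to miss and deserves a comment on the line, e.g. `// Propagate the authorities the pre-authentication filter attached; this provider grants no roles of its own.` Nothing checks that the collection is non-empty: an incoming token created without authorities would be returned as authenticated but with no roles, which fails closed, yet a debug log at that point (a Logger is imported in this file, so one is presumably available) would make a misconfigured filter much easier to diagnose. The enclosing method starts before and ends after the hunk.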


@@ -15,9 +15,9 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
/**
* Interface for Pre Authentification.
* Interface for Pre Authentication.
*/
public interface PreAuthentificationFilter {
public interface PreAuthenticationFilter {
/**
* Check if the filter is enabled.


@@ -56,6 +56,6 @@ public class ControllerPreAuthenticatedAnonymousDownloadTest {
public void successfulAuthenticationAdditionalAuthoritiesForDownload() {
assertThat(underTest.getSuccessfulAuthenticationAuthorities())
.as("Additional authorities should be containing the download anonymous role")
.contains(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_DOWNLOAD_ROLE));
.contains(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
}
}
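Review bot: The assertion description on the changed line still says `download anonymous role` while the expected authority is now `SpringEvalExpressions.CONTROLLER_ROLE`, so a failure message would name the wrong role; change it to `.as("Additional authorities should be containing the controller role")`. The method name `successfulAuthenticationAdditionalAuthoritiesForDownload` likewise still describes the old expectation, though renaming it is optional.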