From 6a88f2a3f40deb644a9702e97b11598bc0ee0e72 Mon Sep 17 00:00:00 2001 From: Fabian Nonnenmacher Date: Fri, 29 Jan 2016 16:28:46 +0100 Subject: [PATCH] Added Permission for TenantConfiguration changes - created SpringEvalExpression for the right to change tenant configuration - added this authorization filter to every tenant configuration related method Signed-off-by: Nonnenmacher Fabian --- .../hawkbit/repository/TenantConfigurationManagement.java | 8 ++++++++ .../eclipse/hawkbit/im/authentication/SpPermission.java | 7 +++++++ 2 files changed, 15 insertions(+) diff --git a/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java b/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java index 74c864748..522437bd0 100644 --- a/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java +++ b/hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java @@ -1,5 +1,6 @@ package org.eclipse.hawkbit.repository; +import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; import org.eclipse.hawkbit.repository.model.TenantConfiguration; import org.eclipse.hawkbit.repository.model.TenantConfigurationValue; import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationKey; @@ -14,6 +15,7 @@ import org.springframework.core.convert.support.ConfigurableConversionService; import org.springframework.core.convert.support.DefaultConversionService; import org.springframework.core.env.Environment; import org.springframework.data.jpa.repository.Modifying; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.transaction.annotation.Transactional; import org.springframework.validation.annotation.Validated; 
@@ -69,7 +71,9 @@ public class TenantConfigurationManagement implements EnvironmentAware { * if the property cannot be converted to the given * {@code propertyType} */ + @Cacheable(value = "tenantConfiguration", key = "#configurationKey.getKeyName()") + @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION) public TenantConfigurationValue getConfigurationValue(final TenantConfigurationKey configurationKey, final Class propertyType) throws TenantConfigurationValidatorException { @@ -116,6 +120,7 @@ public class TenantConfigurationManagement implements EnvironmentAware { * if the property cannot be converted to the given * {@code propertyType} */ + @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION) public TenantConfigurationValue getConfigurationValue(final TenantConfigurationKey configurationKey) throws TenantConfigurationValidatorException { return getConfigurationValue(configurationKey, configurationKey.getDataType()); @@ -142,6 +147,7 @@ public class TenantConfigurationManagement implements EnvironmentAware { * {@code propertyType} */ @Cacheable(value = "tenantConfiguration", key = "#configurationKey.getKeyName()") + @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION) public T getGlobalConfigurationValue(final TenantConfigurationKey configurationKey, final Class propertyType) throws TenantConfigurationValidatorException { @@ -178,6 +184,7 @@ public class TenantConfigurationManagement implements EnvironmentAware { @CacheEvict(value = "tenantConfiguration", key = "#configurationKey.getKeyName()") @Transactional @Modifying + @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION) public TenantConfigurationValue addOrUpdateConfiguration(final TenantConfigurationKey configurationKey, final T value) { 
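Review bot: Both `getConfigurationValue` overloads and `getGlobalConfigurationValue` are read paths, yet they are gated with the same `HAS_AUTH_TENANT_CONFIGURATION` expression as `addOrUpdateConfiguration` and `deleteConfiguration`, although the commit message describes the permission as one for configuration changes. Callers are not visible in this diff, but any component that only reads a setting would now need the change authority or be denied, which pushes toward granting that authority more widely than least privilege suggests. Consider keeping `@PreAuthorize` on the two modifying methods only, or guarding the getters with a separate read-level expression. Whichever is chosen, state it in the getters' Javadoc, for example `@throws AccessDeniedException if the caller lacks the tenant configuration authority`. The method bodies continue outside these hunks.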
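Review bot: On `getGlobalConfigurationValue` the new `@PreAuthorize` sits directly under `@Cacheable`, and which of the two advices runs first depends on advisor ordering that is configured outside this diff. If the caching advice runs ahead of method security, a cache hit returns the stored value without the authority expression being evaluated. Please confirm that method security is ordered before caching (the `order` attribute of `@EnableGlobalMethodSecurity` and `@EnableCaching`), and add a test that calls the getter with a warm cache and a principal lacking `TENANT_CONFIGURATION`. The same annotation pairing appears on the two-argument `getConfigurationValue` in the first hunk on this line.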
@@ -223,6 +230,7 @@ public class TenantConfigurationManagement implements EnvironmentAware { @CacheEvict(value = "tenantConfiguration", key = "#configurationKey.getKeyName()") @Transactional @Modifying + @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION) public void deleteConfiguration(final TenantConfigurationKey configurationKey) { tenantConfigurationRepository.deleteByKey(configurationKey.getKeyName()); } diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java index d105f8d70..5d4ab9283 100644 --- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java +++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java @@ -308,6 +308,13 @@ public final class SpPermission { public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_WRITE = HAS_AUTH_PREFIX + ROLLOUT_MANAGEMENT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + UPDATE_TARGET + HAS_AUTH_SUFFIX; + /** + * Spring security eval hasAuthority expression to check if spring + * context contains {@link SpPermission#TENANT_CONFIGURATION} + */ + public static final String HAS_AUTH_TENANT_CONFIGURATION = HAS_AUTH_PREFIX + TENANT_CONFIGURATION + + HAS_AUTH_SUFFIX; + private SpringEvalExpressions() { // utility class }