diff --git a/docs/content/concepts/authorization.md b/docs/content/concepts/authorization.md index ad75f9cd0..db6143f60 100644 --- a/docs/content/concepts/authorization.md +++ b/docs/content/concepts/authorization.md @@ -9,7 +9,7 @@ Authorization is handled separately for _Direct Device Integration (DDI) API_ an However, keep in mind that hawkBit does not offer an off the shelf authentication provider to leverage these permissions and the underlying multi user/tenant capabilities of hawkBit. Check out [Spring security documentation](http://projects.spring.io/spring-security/) for further information. In hawkBit [SecurityAutoConfiguration](https://github.com/eclipse/hawkbit/blob/master/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java) is a good starting point for integration. -The default implementation is single user/tenant with basic auth and the logged in user is provided with all permissions. +The default implementation is single user/tenant with basic auth and the logged in user is provided with all permissions. Additionally, the application properties may be configured for multiple static users; see [Multiple Users](#multiple-users) for details. ## DDI API An authenticated target is permitted to: @@ -21,6 +21,26 @@ A target might be permitted to download artifacts without authentication (if ena ## Management API and UI +### Multiple Users +hawkBit optionally supports configuring multiple static users through the application properties. In this case, the user and password Spring security properties are ignored. +An example configuration is given below. + + hawkbit.server.im.users[0].username=admin + hawkbit.server.im.users[0].password={noop}admin + hawkbit.server.im.users[0].firstname=Test + hawkbit.server.im.users[0].lastname=Admin + hawkbit.server.im.users[0].email=admin@test.de + hawkbit.server.im.users[0].permissions=ALL + + hawkbit.server.im.users[1].username=test + hawkbit.server.im.users[1].password={noop}test + hawkbit.server.im.users[1].firstname=Test + hawkbit.server.im.users[1].lastname=Tester + hawkbit.server.im.users[1].email=test@tester.com + hawkbit.server.im.users[1].permissions=READ_TARGET,UPDATE_TARGET,CREATE_TARGET,DELETE_TARGET + +A permissions value of `ALL` will provide that user will all possible permissions. Passwords need to be specified with the used password encoder in brackets. In this example, `noop` is used as the plaintext encoder. For production use, it is recommended to use a hash function designed for passwords such as *bcrypt*. See this [blog post](https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#password-storage-format) for more information on password encoders in Spring Security. + ### Delivered Permissions - READ_/UPDATE_/CREATE_/DELETE_TARGETS for: - Target entities including metadata (that includes also the installed and assigned distribution sets) diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/InMemoryUserManagementAutoConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/InMemoryUserManagementAutoConfiguration.java index e80c8220c..6abf52547 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/InMemoryUserManagementAutoConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/InMemoryUserManagementAutoConfiguration.java @@ -9,6 +9,8 @@ package org.eclipse.hawkbit.autoconfigure.security; import java.util.ArrayList; +import java.util.Collection; +import java.util.HashMap; import java.util.List; import org.eclipse.hawkbit.im.authentication.MultitenancyIndicator; @@ -17,6 +19,7 @@ import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails; import org.eclipse.hawkbit.im.authentication.UserPrincipal; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.security.SecurityProperties; +import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; @@ -24,11 +27,11 @@ import org.springframework.security.authentication.dao.DaoAuthenticationProvider import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.configuration.GlobalAuthenticationConfigurerAdapter; import org.springframework.security.core.Authentication; -import org.springframework.security.core.userdetails.User; -import org.springframework.security.core.userdetails.User.UserBuilder; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; -import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.core.userdetails.UsernameNotFoundException; /** * Auto-configuration for the in-memory-user-management. @@ -36,12 +39,17 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager; */ @Configuration @ConditionalOnMissingBean(UserDetailsService.class) +@EnableConfigurationProperties({ MultiUserProperties.class }) public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticationConfigurerAdapter { private final SecurityProperties securityProperties; - InMemoryUserManagementAutoConfiguration(final SecurityProperties securityProperties) { + private final MultiUserProperties multiUserProperties; + + InMemoryUserManagementAutoConfiguration(final SecurityProperties securityProperties, + final MultiUserProperties multiUserProperties) { this.securityProperties = securityProperties; + this.multiUserProperties = multiUserProperties; } @Override @@ -57,17 +65,62 @@ public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticatio @Bean @ConditionalOnMissingBean UserDetailsService userDetailsService() { - final InMemoryUserDetailsManager inMemoryUserDetailsManager = new InMemoryUserPrincipalDetailsManager(); - inMemoryUserDetailsManager.setAuthenticationManager(null); - final SecurityProperties.User user = securityProperties.getUser(); - final UserBuilder userBuilder = User.builder().username(user.getName()).password(user.getPassword()) - .authorities(PermissionUtils.createAllAuthorityList()); - final List roles = user.getRoles(); - if (!roles.isEmpty()) { - userBuilder.roles(roles.toArray(new String[roles.size()])); + final String defaultTenant = "DEFAULT"; + final List userPrincipals = new ArrayList<>(); + for (MultiUserProperties.User user : multiUserProperties.getUsers()) { + List authorityList; + // Allows ALL as a shorthand for all permissions + if (user.getPermissions().size() == 1 && user.getPermissions().get(0).equals("ALL")) { + authorityList = PermissionUtils.createAllAuthorityList(); + } else { + authorityList = new ArrayList<>(user.getPermissions().size()); + for (final String permission : user.getPermissions()) { + authorityList.add(new SimpleGrantedAuthority(permission)); + authorityList.add(new SimpleGrantedAuthority("ROLE_" + permission)); + } + } + + final UserPrincipal userPrincipal = new UserPrincipal(user.getUsername(), user.getPassword(), + user.getFirstname(), user.getLastname(), user.getUsername(), user.getEmail(), defaultTenant, + authorityList); + userPrincipals.add(userPrincipal); } - inMemoryUserDetailsManager.createUser(userBuilder.build()); - return inMemoryUserDetailsManager; + + // If no users are configured through the multi user properties, set up + // the default user from security properties + if (userPrincipals.isEmpty()) { + final String name = securityProperties.getUser().getName(); + final String password = securityProperties.getUser().getPassword(); + userPrincipals.add(new UserPrincipal(name, password, name, name, name, null, defaultTenant, + PermissionUtils.createAllAuthorityList())); + } + + return new FixedInMemoryUserPrincipalUserDetailsService(userPrincipals); + } + + private static class FixedInMemoryUserPrincipalUserDetailsService implements UserDetailsService { + private final HashMap userPrincipalMap = new HashMap<>(); + + public FixedInMemoryUserPrincipalUserDetailsService(Collection userPrincipals) { + for (UserPrincipal user : userPrincipals) { + userPrincipalMap.put(user.getUsername(), user); + } + } + + private static UserPrincipal clone(UserPrincipal a) { + return new UserPrincipal(a.getUsername(), a.getPassword(), a.getFirstname(), a.getLastname(), + a.getLoginname(), a.getEmail(), a.getTenant(), a.getAuthorities()); + } + + @Override + public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { + UserPrincipal userPrincipal = userPrincipalMap.get(username); + if (userPrincipal == null) + throw new UsernameNotFoundException("No such user"); + // Spring mutates the data, so we must return a copy here + return clone(userPrincipal); + } + } /** @@ -90,19 +143,4 @@ public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticatio return result; } } - - private static final class InMemoryUserPrincipalDetailsManager extends InMemoryUserDetailsManager { - - private InMemoryUserPrincipalDetailsManager() { - super(new ArrayList<>()); - } - - @Override - public UserDetails loadUserByUsername(final String username) { - final UserDetails loadUserByUsername = super.loadUserByUsername(username); - return new UserPrincipal(loadUserByUsername.getUsername(), loadUserByUsername.getPassword(), - loadUserByUsername.getUsername(), loadUserByUsername.getUsername(), - loadUserByUsername.getUsername(), null, "DEFAULT", loadUserByUsername.getAuthorities()); - } - } } diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/MultiUserProperties.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/MultiUserProperties.java new file mode 100644 index 000000000..d23a71c32 --- /dev/null +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/MultiUserProperties.java @@ -0,0 +1,84 @@ +/** + * Copyright (c) 2019 devolo AG and others. + * + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License v1.0 + * which accompanies this distribution, and is available at + * http://www.eclipse.org/legal/epl-v10.html + */ +package org.eclipse.hawkbit.autoconfigure.security; + +import java.util.ArrayList; +import java.util.List; + +import org.springframework.boot.context.properties.ConfigurationProperties; + +@ConfigurationProperties("hawkbit.server.im") +public class MultiUserProperties { + private List users = new ArrayList<>(); + + public List getUsers() { + return users; + } + + public void setUsers(List users) { + this.users = users; + } + + public static class User { + private String username; + private String password; + private String firstname; + private String lastname; + private String email; + private List permissions = new ArrayList<>(); + + public String getUsername() { + return username; + } + + public void setUsername(String username) { + this.username = username; + } + + public String getPassword() { + return password; + } + + public void setPassword(String password) { + this.password = password; + } + + public String getFirstname() { + return firstname; + } + + public void setFirstname(String firstname) { + this.firstname = firstname; + } + + public String getLastname() { + return lastname; + } + + public void setLastname(String lastname) { + this.lastname = lastname; + } + + public String getEmail() { + return email; + } + + public void setEmail(String email) { + this.email = email; + } + + public List getPermissions() { + return permissions; + } + + public void setPermissions(List permissions) { + this.permissions = permissions; + } + } +} diff --git a/licenses/LICENSE_HEADER_TEMPLATE_DEVOLO_19.txt b/licenses/LICENSE_HEADER_TEMPLATE_DEVOLO_19.txt new file mode 100644 index 000000000..b0074a9e3 --- /dev/null +++ b/licenses/LICENSE_HEADER_TEMPLATE_DEVOLO_19.txt @@ -0,0 +1,6 @@ +Copyright (c) 2019 devolo AG and others. + +All rights reserved. This program and the accompanying materials +are made available under the terms of the Eclipse Public License v1.0 +which accompanies this distribution, and is available at +http://www.eclipse.org/legal/epl-v10.html diff --git a/pom.xml b/pom.xml index 438569e5a..7f7e5b66a 100644 --- a/pom.xml +++ b/pom.xml @@ -324,6 +324,7 @@ licenses/LICENSE_HEADER_TEMPLATE_BOSCH.txt licenses/LICENSE_HEADER_TEMPLATE_MICROSOFT_18.txt licenses/LICENSE_HEADER_TEMPLATE_BOSCH_18.txt + licenses/LICENSE_HEADER_TEMPLATE_DEVOLO_19.txt **/banner.txt