Add multi-user support (#829)
This allows optionally configuring multiple static users with varying permissions. If used, Spring Security user/password are ignored. Otherwise, the old behavior is retained. Signed-off-by: Stefan Schake <stefan.schake@devolo.de>
This commit is contained in:
committed by
Dominic Schabel
parent
d34e7f35c5
commit
7c04ca1967
@@ -9,7 +9,7 @@ Authorization is handled separately for _Direct Device Integration (DDI) API_ an
|
|||||||
|
|
||||||
However, keep in mind that hawkBit does not offer an off the shelf authentication provider to leverage these permissions and the underlying multi user/tenant capabilities of hawkBit. Check out [Spring security documentation](http://projects.spring.io/spring-security/) for further information. In hawkBit [SecurityAutoConfiguration](https://github.com/eclipse/hawkbit/blob/master/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java) is a good starting point for integration.
|
However, keep in mind that hawkBit does not offer an off the shelf authentication provider to leverage these permissions and the underlying multi user/tenant capabilities of hawkBit. Check out [Spring security documentation](http://projects.spring.io/spring-security/) for further information. In hawkBit [SecurityAutoConfiguration](https://github.com/eclipse/hawkbit/blob/master/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java) is a good starting point for integration.
|
||||||
|
|
||||||
The default implementation is single user/tenant with basic auth and the logged in user is provided with all permissions.
|
The default implementation is single user/tenant with basic auth and the logged in user is provided with all permissions. Additionally, the application properties may be configured for multiple static users; see [Multiple Users](#multiple-users) for details.
|
||||||
|
|
||||||
## DDI API
|
## DDI API
|
||||||
An authenticated target is permitted to:
|
An authenticated target is permitted to:
|
||||||
@@ -21,6 +21,26 @@ A target might be permitted to download artifacts without authentication (if ena
|
|||||||
|
|
||||||
## Management API and UI
|
## Management API and UI
|
||||||
|
|
||||||
|
### Multiple Users
|
||||||
|
hawkBit optionally supports configuring multiple static users through the application properties. In this case, the user and password Spring security properties are ignored.
|
||||||
|
An example configuration is given below.
|
||||||
|
|
||||||
|
hawkbit.server.im.users[0].username=admin
|
||||||
|
hawkbit.server.im.users[0].password={noop}admin
|
||||||
|
hawkbit.server.im.users[0].firstname=Test
|
||||||
|
hawkbit.server.im.users[0].lastname=Admin
|
||||||
|
hawkbit.server.im.users[0].email=admin@test.de
|
||||||
|
hawkbit.server.im.users[0].permissions=ALL
|
||||||
|
|
||||||
|
hawkbit.server.im.users[1].username=test
|
||||||
|
hawkbit.server.im.users[1].password={noop}test
|
||||||
|
hawkbit.server.im.users[1].firstname=Test
|
||||||
|
hawkbit.server.im.users[1].lastname=Tester
|
||||||
|
hawkbit.server.im.users[1].email=test@tester.com
|
||||||
|
hawkbit.server.im.users[1].permissions=READ_TARGET,UPDATE_TARGET,CREATE_TARGET,DELETE_TARGET
|
||||||
|
|
||||||
|
A permissions value of `ALL` will provide that user will all possible permissions. Passwords need to be specified with the used password encoder in brackets. In this example, `noop` is used as the plaintext encoder. For production use, it is recommended to use a hash function designed for passwords such as *bcrypt*. See this [blog post](https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#password-storage-format) for more information on password encoders in Spring Security.
|
||||||
|
|
||||||
### Delivered Permissions
|
### Delivered Permissions
|
||||||
- READ_/UPDATE_/CREATE_/DELETE_TARGETS for:
|
- READ_/UPDATE_/CREATE_/DELETE_TARGETS for:
|
||||||
- Target entities including metadata (that includes also the installed and assigned distribution sets)
|
- Target entities including metadata (that includes also the installed and assigned distribution sets)
|
||||||
|
|||||||
@@ -9,6 +9,8 @@
|
|||||||
package org.eclipse.hawkbit.autoconfigure.security;
|
package org.eclipse.hawkbit.autoconfigure.security;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import org.eclipse.hawkbit.im.authentication.MultitenancyIndicator;
|
import org.eclipse.hawkbit.im.authentication.MultitenancyIndicator;
|
||||||
@@ -17,6 +19,7 @@ import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails;
|
|||||||
import org.eclipse.hawkbit.im.authentication.UserPrincipal;
|
import org.eclipse.hawkbit.im.authentication.UserPrincipal;
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||||
import org.springframework.boot.autoconfigure.security.SecurityProperties;
|
import org.springframework.boot.autoconfigure.security.SecurityProperties;
|
||||||
|
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||||
@@ -24,11 +27,11 @@ import org.springframework.security.authentication.dao.DaoAuthenticationProvider
|
|||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||||
import org.springframework.security.config.annotation.authentication.configuration.GlobalAuthenticationConfigurerAdapter;
|
import org.springframework.security.config.annotation.authentication.configuration.GlobalAuthenticationConfigurerAdapter;
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
import org.springframework.security.core.userdetails.User;
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
import org.springframework.security.core.userdetails.User.UserBuilder;
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||||
import org.springframework.security.core.userdetails.UserDetails;
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Auto-configuration for the in-memory-user-management.
|
* Auto-configuration for the in-memory-user-management.
|
||||||
@@ -36,12 +39,17 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
|||||||
*/
|
*/
|
||||||
@Configuration
|
@Configuration
|
||||||
@ConditionalOnMissingBean(UserDetailsService.class)
|
@ConditionalOnMissingBean(UserDetailsService.class)
|
||||||
|
@EnableConfigurationProperties({ MultiUserProperties.class })
|
||||||
public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticationConfigurerAdapter {
|
public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticationConfigurerAdapter {
|
||||||
|
|
||||||
private final SecurityProperties securityProperties;
|
private final SecurityProperties securityProperties;
|
||||||
|
|
||||||
InMemoryUserManagementAutoConfiguration(final SecurityProperties securityProperties) {
|
private final MultiUserProperties multiUserProperties;
|
||||||
|
|
||||||
|
InMemoryUserManagementAutoConfiguration(final SecurityProperties securityProperties,
|
||||||
|
final MultiUserProperties multiUserProperties) {
|
||||||
this.securityProperties = securityProperties;
|
this.securityProperties = securityProperties;
|
||||||
|
this.multiUserProperties = multiUserProperties;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@@ -57,17 +65,62 @@ public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticatio
|
|||||||
@Bean
|
@Bean
|
||||||
@ConditionalOnMissingBean
|
@ConditionalOnMissingBean
|
||||||
UserDetailsService userDetailsService() {
|
UserDetailsService userDetailsService() {
|
||||||
final InMemoryUserDetailsManager inMemoryUserDetailsManager = new InMemoryUserPrincipalDetailsManager();
|
final String defaultTenant = "DEFAULT";
|
||||||
inMemoryUserDetailsManager.setAuthenticationManager(null);
|
final List<UserPrincipal> userPrincipals = new ArrayList<>();
|
||||||
final SecurityProperties.User user = securityProperties.getUser();
|
for (MultiUserProperties.User user : multiUserProperties.getUsers()) {
|
||||||
final UserBuilder userBuilder = User.builder().username(user.getName()).password(user.getPassword())
|
List<GrantedAuthority> authorityList;
|
||||||
.authorities(PermissionUtils.createAllAuthorityList());
|
// Allows ALL as a shorthand for all permissions
|
||||||
final List<String> roles = user.getRoles();
|
if (user.getPermissions().size() == 1 && user.getPermissions().get(0).equals("ALL")) {
|
||||||
if (!roles.isEmpty()) {
|
authorityList = PermissionUtils.createAllAuthorityList();
|
||||||
userBuilder.roles(roles.toArray(new String[roles.size()]));
|
} else {
|
||||||
|
authorityList = new ArrayList<>(user.getPermissions().size());
|
||||||
|
for (final String permission : user.getPermissions()) {
|
||||||
|
authorityList.add(new SimpleGrantedAuthority(permission));
|
||||||
|
authorityList.add(new SimpleGrantedAuthority("ROLE_" + permission));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
final UserPrincipal userPrincipal = new UserPrincipal(user.getUsername(), user.getPassword(),
|
||||||
|
user.getFirstname(), user.getLastname(), user.getUsername(), user.getEmail(), defaultTenant,
|
||||||
|
authorityList);
|
||||||
|
userPrincipals.add(userPrincipal);
|
||||||
}
|
}
|
||||||
inMemoryUserDetailsManager.createUser(userBuilder.build());
|
|
||||||
return inMemoryUserDetailsManager;
|
// If no users are configured through the multi user properties, set up
|
||||||
|
// the default user from security properties
|
||||||
|
if (userPrincipals.isEmpty()) {
|
||||||
|
final String name = securityProperties.getUser().getName();
|
||||||
|
final String password = securityProperties.getUser().getPassword();
|
||||||
|
userPrincipals.add(new UserPrincipal(name, password, name, name, name, null, defaultTenant,
|
||||||
|
PermissionUtils.createAllAuthorityList()));
|
||||||
|
}
|
||||||
|
|
||||||
|
return new FixedInMemoryUserPrincipalUserDetailsService(userPrincipals);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static class FixedInMemoryUserPrincipalUserDetailsService implements UserDetailsService {
|
||||||
|
private final HashMap<String, UserPrincipal> userPrincipalMap = new HashMap<>();
|
||||||
|
|
||||||
|
public FixedInMemoryUserPrincipalUserDetailsService(Collection<UserPrincipal> userPrincipals) {
|
||||||
|
for (UserPrincipal user : userPrincipals) {
|
||||||
|
userPrincipalMap.put(user.getUsername(), user);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static UserPrincipal clone(UserPrincipal a) {
|
||||||
|
return new UserPrincipal(a.getUsername(), a.getPassword(), a.getFirstname(), a.getLastname(),
|
||||||
|
a.getLoginname(), a.getEmail(), a.getTenant(), a.getAuthorities());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
|
||||||
|
UserPrincipal userPrincipal = userPrincipalMap.get(username);
|
||||||
|
if (userPrincipal == null)
|
||||||
|
throw new UsernameNotFoundException("No such user");
|
||||||
|
// Spring mutates the data, so we must return a copy here
|
||||||
|
return clone(userPrincipal);
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -90,19 +143,4 @@ public class InMemoryUserManagementAutoConfiguration extends GlobalAuthenticatio
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static final class InMemoryUserPrincipalDetailsManager extends InMemoryUserDetailsManager {
|
|
||||||
|
|
||||||
private InMemoryUserPrincipalDetailsManager() {
|
|
||||||
super(new ArrayList<>());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public UserDetails loadUserByUsername(final String username) {
|
|
||||||
final UserDetails loadUserByUsername = super.loadUserByUsername(username);
|
|
||||||
return new UserPrincipal(loadUserByUsername.getUsername(), loadUserByUsername.getPassword(),
|
|
||||||
loadUserByUsername.getUsername(), loadUserByUsername.getUsername(),
|
|
||||||
loadUserByUsername.getUsername(), null, "DEFAULT", loadUserByUsername.getAuthorities());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,84 @@
|
|||||||
|
/**
|
||||||
|
* Copyright (c) 2019 devolo AG and others.
|
||||||
|
*
|
||||||
|
* All rights reserved. This program and the accompanying materials
|
||||||
|
* are made available under the terms of the Eclipse Public License v1.0
|
||||||
|
* which accompanies this distribution, and is available at
|
||||||
|
* http://www.eclipse.org/legal/epl-v10.html
|
||||||
|
*/
|
||||||
|
package org.eclipse.hawkbit.autoconfigure.security;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.springframework.boot.context.properties.ConfigurationProperties;
|
||||||
|
|
||||||
|
@ConfigurationProperties("hawkbit.server.im")
|
||||||
|
public class MultiUserProperties {
|
||||||
|
private List<User> users = new ArrayList<>();
|
||||||
|
|
||||||
|
public List<User> getUsers() {
|
||||||
|
return users;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUsers(List<User> users) {
|
||||||
|
this.users = users;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static class User {
|
||||||
|
private String username;
|
||||||
|
private String password;
|
||||||
|
private String firstname;
|
||||||
|
private String lastname;
|
||||||
|
private String email;
|
||||||
|
private List<String> permissions = new ArrayList<>();
|
||||||
|
|
||||||
|
public String getUsername() {
|
||||||
|
return username;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUsername(String username) {
|
||||||
|
this.username = username;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getPassword() {
|
||||||
|
return password;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setPassword(String password) {
|
||||||
|
this.password = password;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getFirstname() {
|
||||||
|
return firstname;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setFirstname(String firstname) {
|
||||||
|
this.firstname = firstname;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getLastname() {
|
||||||
|
return lastname;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setLastname(String lastname) {
|
||||||
|
this.lastname = lastname;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getEmail() {
|
||||||
|
return email;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setEmail(String email) {
|
||||||
|
this.email = email;
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<String> getPermissions() {
|
||||||
|
return permissions;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setPermissions(List<String> permissions) {
|
||||||
|
this.permissions = permissions;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
6
licenses/LICENSE_HEADER_TEMPLATE_DEVOLO_19.txt
Normal file
6
licenses/LICENSE_HEADER_TEMPLATE_DEVOLO_19.txt
Normal file
@@ -0,0 +1,6 @@
|
|||||||
|
Copyright (c) 2019 devolo AG and others.
|
||||||
|
|
||||||
|
All rights reserved. This program and the accompanying materials
|
||||||
|
are made available under the terms of the Eclipse Public License v1.0
|
||||||
|
which accompanies this distribution, and is available at
|
||||||
|
http://www.eclipse.org/legal/epl-v10.html
|
||||||
1
pom.xml
1
pom.xml
@@ -324,6 +324,7 @@
|
|||||||
<validHeader>licenses/LICENSE_HEADER_TEMPLATE_BOSCH.txt</validHeader>
|
<validHeader>licenses/LICENSE_HEADER_TEMPLATE_BOSCH.txt</validHeader>
|
||||||
<validHeader>licenses/LICENSE_HEADER_TEMPLATE_MICROSOFT_18.txt</validHeader>
|
<validHeader>licenses/LICENSE_HEADER_TEMPLATE_MICROSOFT_18.txt</validHeader>
|
||||||
<validHeader>licenses/LICENSE_HEADER_TEMPLATE_BOSCH_18.txt</validHeader>
|
<validHeader>licenses/LICENSE_HEADER_TEMPLATE_BOSCH_18.txt</validHeader>
|
||||||
|
<validHeader>licenses/LICENSE_HEADER_TEMPLATE_DEVOLO_19.txt</validHeader>
|
||||||
</validHeaders>
|
</validHeaders>
|
||||||
<excludes>
|
<excludes>
|
||||||
<exclude>**/banner.txt</exclude>
|
<exclude>**/banner.txt</exclude>
|
||||||
|
|||||||
Reference in New Issue
Block a user