Extend access control management (#1493)

* Fix ACM related executions.

* Introduce access controller for actions. Resolve some todos and fix distribution set invalidation strategy.

* Do only check for access if returned values are access controlled.

* Fix review findings.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.com>

---------

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.com>
This commit is contained in:
Michael Herdt
2023-12-01 07:50:41 +01:00
committed by GitHub
parent a6fa75697f
commit 960ab6872d
16 changed files with 332 additions and 258 deletions

View File

@@ -22,6 +22,9 @@ import org.springframework.security.access.prepost.PreAuthorize;
public interface RolloutExecutor {
/**
* This execution should only be triggered by the system as a background job and
* not available via API.
*
* Process rollout based on its current {@link Rollout#getStatus()}.
*
* For {@link RolloutStatus#CREATING} that means creating the
@@ -29,9 +32,9 @@ public interface RolloutExecutor {
* {@link RolloutStatus#READY}.
*
* For {@link RolloutStatus#READY} that means switching to
* {@link RolloutStatus#STARTING} if the {@link Rollout#getStartAt()} is set
* and time of calling this method is beyond this point in time. This auto
* start mechanism is optional. Call {@link #start(Long)} otherwise.
* {@link RolloutStatus#STARTING} if the {@link Rollout#getStartAt()} is set and
* time of calling this method is beyond this point in time. This auto start
* mechanism is optional. Call {@link #start(Long)} otherwise.
*
* For {@link RolloutStatus#STARTING} that means starting the first
* {@link RolloutGroup}s in line and when finished switch to
@@ -45,8 +48,7 @@ public interface RolloutExecutor {
* rollout was already {@link RolloutStatus#RUNNING} which results in status
* change {@link RolloutStatus#DELETED} or hard delete from the persistence
* otherwise.
*
*/
@PreAuthorize(SpringEvalExpressions.IS_SYSTEM_CODE)
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE)
void execute(Rollout rollout);
}

View File

@@ -69,9 +69,11 @@ public interface TargetManagement {
/**
* Counts number of targets with the given distribution set assigned.
*
* @param distributionSetId to search for
* @param distributionSetId
* to search for
* @return number of found {@link Target}s.
* @throws EntityNotFoundException if distribution set with given ID does not exist
* @throws EntityNotFoundException
* if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
+ SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@@ -81,8 +83,8 @@ public interface TargetManagement {
* Count {@link Target}s for all the given filter parameters.
*
* @param filterParams
* the filters to apply; only filters are enabled that have
* non-null value; filters are AND-gated
* the filters to apply; only filters are enabled that have non-null
* value; filters are AND-gated
*
* @return the found number {@link Target}s
*
@@ -95,21 +97,25 @@ public interface TargetManagement {
/**
* Get the count of targets with the given distribution set id.
*
* @param distributionSetId to search for
* @param distributionSetId
* to search for
* @return number of found {@link Target}s.
* @throws EntityNotFoundException if distribution set with given ID does not exist
* @throws EntityNotFoundException
* if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
+ SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
long countByInstalledDistributionSet(long distributionSetId);
/**
* Checks if there is already a {@link Target} that has the given
* distribution set Id assigned or installed.
* Checks if there is already a {@link Target} that has the given distribution
* set Id assigned or installed.
*
* @param distributionSetId to search for
* @param distributionSetId
* to search for
* @return <code>true</code> if a {@link Target} exists.
* @throws EntityNotFoundException if distribution set with given ID does not exist
* @throws EntityNotFoundException
* if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
+ SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@@ -126,23 +132,47 @@ public interface TargetManagement {
long countByRsql(@NotEmpty String rsqlParam);
/**
* Count all targets for given {@link TargetFilterQuery} and that are
* compatible with the passed {@link DistributionSetType}.
* Count {@link TargetFilterQuery}s for given target filter query with UPDATE permission.
*
* @param rsqlParam
* filter definition in RSQL syntax
* @param distributionSetId
* @return the found number of {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
long countByRsqlAndUpdatable(@NotEmpty String rsqlParam);
/**
* Count all targets for given {@link TargetFilterQuery} and that are compatible
* with the passed {@link DistributionSetType}.
*
* @param rsqlParam
* filter definition in RSQL syntax
* @param distributionSetIdTypeId
* ID of the {@link DistributionSetType} the targets need to be
* compatible with
* @return the found number of{@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
long countByRsqlAndCompatible(@NotEmpty String rsqlParam, @NotNull Long distributionSetId);
long countByRsqlAndCompatible(@NotEmpty String rsqlParam, @NotNull Long distributionSetIdTypeId);
/**
* Count all targets with failed actions for specific Rollout
* and that are compatible with the passed {@link DistributionSetType}
* and created after given timestamp
* Count all targets for given {@link TargetFilterQuery} and that are compatible
* with the passed {@link DistributionSetType} and UPDATE permission.
*
* @param rsqlParam
* filter definition in RSQL syntax
* @param distributionSetIdTypeId
* ID of the {@link DistributionSetType} the targets need to be
* compatible with
* @return the found number of{@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
long countByRsqlAndCompatibleAndUpdatable(@NotEmpty String rsqlParam, @NotNull Long distributionSetIdTypeId);
/**
* Count all targets with failed actions for specific Rollout and that are
* compatible with the passed {@link DistributionSetType} and created after
* given timestamp
*
* @param rolloutId
* rolloutId of the rollout to be retried.
@@ -185,18 +215,17 @@ public interface TargetManagement {
* @throws EntityAlreadyExistsException
* given target already exists.
* @throws ConstraintViolationException
* if fields are not filled as specified. Check
* {@link TargetCreate} for field constraints.
* if fields are not filled as specified. Check {@link TargetCreate}
* for field constraints.
*
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
Target create(@NotNull @Valid TargetCreate create);
/**
* creates multiple {@link Target}s. If the given {@link Target}s
* already exists in the DB an {@link EntityAlreadyExistsException} is
* thrown. {@link Target}s contain all objects of the parameter targets,
* including duplicates.
* creates multiple {@link Target}s. If the given {@link Target}s already exists
* in the DB an {@link EntityAlreadyExistsException} is thrown. {@link Target}s
* contain all objects of the parameter targets, including duplicates.
*
* @param creates
* to be created.
@@ -205,8 +234,8 @@ public interface TargetManagement {
* @throws EntityAlreadyExistsException
* of one of the given targets already exist.
* @throws ConstraintViolationException
* if fields are not filled as specified. Check
* {@link TargetCreate} for field constraints.
* if fields are not filled as specified. Check {@link TargetCreate}
* for field constraints.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
List<Target> create(@NotNull @Valid Collection<TargetCreate> creates);
@@ -253,12 +282,12 @@ public interface TargetManagement {
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
Slice<Target> findByTargetFilterQueryAndNonDSAndCompatibleAndUpdatable(@NotNull Pageable pageRequest,
long distributionSetId, @NotNull String rsqlParam);
long distributionSetId, @NotNull String rsqlParam);
/**
* Counts all targets for all the given parameter {@link TargetFilterQuery}
* and that don't have the specified distribution set in their action
* history and are compatible with the passed {@link DistributionSetType}.
* Counts all targets for all the given parameter {@link TargetFilterQuery} and
* that don't have the specified distribution set in their action history and
* are compatible with the passed {@link DistributionSetType}.
*
* @param distributionSetId
* id of the {@link DistributionSet}
@@ -273,9 +302,9 @@ public interface TargetManagement {
long countByRsqlAndNonDSAndCompatibleAndUpdatable(long distributionSetId, @NotNull String rsqlParam);
/**
* Finds all targets for all the given parameter {@link TargetFilterQuery}
* and that are not assigned to one of the {@link RolloutGroup}s and are
* compatible with the passed {@link DistributionSetType}.
* Finds all targets for all the given parameter {@link TargetFilterQuery} and
* that are not assigned to one of the {@link RolloutGroup}s and are compatible
* with the passed {@link DistributionSetType}.
*
* @param pageRequest
* the pageRequest to enhance the query for paging and sorting
@@ -284,8 +313,8 @@ public interface TargetManagement {
* @param rsqlParam
* filter definition in RSQL syntax
* @param distributionSetType
* type of the {@link DistributionSet} the targets must be
* compatible withs
* type of the {@link DistributionSet} the targets must be compatible
* withs
* @return a page of the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@@ -294,9 +323,9 @@ public interface TargetManagement {
@NotNull DistributionSetType distributionSetType);
/**
* Finds all targets with failed actions for specific Rollout
* and that are not assigned to one of the retried {@link RolloutGroup}s and are
* compatible with the passed {@link DistributionSetType}.
* Finds all targets with failed actions for specific Rollout and that are not
* assigned to one of the retried {@link RolloutGroup}s and are compatible with
* the passed {@link DistributionSetType}.
*
* @param pageRequest
* the pageRequest to enhance the query for paging and sorting
@@ -308,12 +337,12 @@ public interface TargetManagement {
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
Slice<Target> findByFailedRolloutAndNotInRolloutGroups(@NotNull Pageable pageRequest,
@NotEmpty Collection<Long> groups, @NotNull String rolloutId);
@NotEmpty Collection<Long> groups, @NotNull String rolloutId);
/**
* Counts all targets for all the given parameter {@link TargetFilterQuery}
* and that are not assigned to one of the {@link RolloutGroup}s and are
* compatible with the passed {@link DistributionSetType}.
* Counts all targets for all the given parameter {@link TargetFilterQuery} and
* that are not assigned to one of the {@link RolloutGroup}s and are compatible
* with the passed {@link DistributionSetType}.
*
* @param groups
* the list of {@link RolloutGroup}s
@@ -329,9 +358,9 @@ public interface TargetManagement {
@NotNull String rsqlParam, @NotNull DistributionSetType distributionSetType);
/**
* Counts all targets with failed actions for specific Rollout
* and that are not assigned to one of the {@link RolloutGroup}s and are
* compatible with the passed {@link DistributionSetType}.
* Counts all targets with failed actions for specific Rollout and that are not
* assigned to one of the {@link RolloutGroup}s and are compatible with the
* passed {@link DistributionSetType}.
*
* @param groups
* the list of {@link RolloutGroup}s
@@ -343,8 +372,8 @@ public interface TargetManagement {
long countByFailedRolloutAndNotInRolloutGroups(@NotEmpty Collection<Long> groups, @NotNull String rolloutId);
/**
* Finds all targets of the provided {@link RolloutGroup} that have no
* Action for the RolloutGroup.
* Finds all targets of the provided {@link RolloutGroup} that have no Action
* for the RolloutGroup.
*
* @param pageRequest
* the pageRequest to enhance the query for paging and sorting
@@ -376,8 +405,8 @@ public interface TargetManagement {
Page<Target> findByAssignedDistributionSet(@NotNull Pageable pageReq, long distributionSetId);
/**
* Retrieves {@link Target}s by the assigned {@link DistributionSet}
* possible including additional filtering based on the given {@code spec}.
* Retrieves {@link Target}s by the assigned {@link DistributionSet} possible
* including additional filtering based on the given {@code spec}.
*
* @param pageReq
* page parameter
@@ -420,14 +449,14 @@ public interface TargetManagement {
Optional<Target> getByControllerID(@NotEmpty String controllerId);
/**
* Filter {@link Target}s for all the given parameters. If all parameters
* except pageable are null, all available {@link Target}s are returned.
* Filter {@link Target}s for all the given parameters. If all parameters except
* pageable are null, all available {@link Target}s are returned.
*
* @param pageable
* page parameters
* @param filterParams
* the filters to apply; only filters are enabled that have
* non-null value; filters are AND-gated
* the filters to apply; only filters are enabled that have non-null
* value; filters are AND-gated
*
* @return the found {@link Target}s
*
@@ -454,8 +483,8 @@ public interface TargetManagement {
Page<Target> findByInstalledDistributionSet(@NotNull Pageable pageReq, long distributionSetId);
/**
* retrieves {@link Target}s by the installed {@link DistributionSet}
* including additional filtering based on the given {@code spec}.
* retrieves {@link Target}s by the installed {@link DistributionSet} including
* additional filtering based on the given {@code spec}.
*
* @param pageReq
* page parameter
@@ -480,8 +509,7 @@ public interface TargetManagement {
@NotNull String rsqlParam);
/**
* Retrieves the {@link Target} which have a certain
* {@link TargetUpdateStatus}.
* Retrieves the {@link Target} which have a certain {@link TargetUpdateStatus}.
*
* @param pageable
* page parameter
@@ -629,9 +657,9 @@ public interface TargetManagement {
/**
* Initiates {@link TargetType} assignment to given {@link Target}s. If some
* targets in the list have the {@link TargetType} not yet assigned, they
* will get assigned. If all targets are already of that type, there will be
* no un-assignment.
* targets in the list have the {@link TargetType} not yet assigned, they will
* get assigned. If all targets are already of that type, there will be no
* un-assignment.
*
* @param controllerIds
* to set the type to
@@ -647,8 +675,8 @@ public interface TargetManagement {
TargetTypeAssignmentResult assignType(@NotEmpty Collection<String> controllerIds, @NotNull Long typeId);
/**
* Initiates {@link TargetType} un-assignment to given {@link Target}s. The
* type of the targets will be set to {@code null}
* Initiates {@link TargetType} un-assignment to given {@link Target}s. The type
* of the targets will be set to {@code null}
*
* @param controllerIds
* to remove the type from
@@ -710,8 +738,8 @@ public interface TargetManagement {
* @throws EntityNotFoundException
* if given target does not exist
* @throws ConstraintViolationException
* if fields are not filled as specified. Check
* {@link TargetUpdate} for field constraints.
* if fields are not filled as specified. Check {@link TargetUpdate}
* for field constraints.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
Target update(@NotNull @Valid TargetUpdate update);
@@ -797,30 +825,29 @@ public interface TargetManagement {
boolean existsByControllerId(@NotEmpty String controllerId);
/**
* Verify if a target matches a specific target filter query, does not have
* a specific DS already assigned and is compatible with it.
* Verify if a target matches a specific target filter query, does not have a
* specific DS already assigned and is compatible with it.
*
* @param controllerId
* of the {@link org.eclipse.hawkbit.repository.model.Target} to
* check
* @param distributionSetId
* of the
* {@link org.eclipse.hawkbit.repository.model.DistributionSet}
* to consider
* {@link org.eclipse.hawkbit.repository.model.DistributionSet} to
* consider
* @param targetFilterQuery
* to execute
* @return true if it matches
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
boolean isTargetMatchingQueryAndDSNotAssignedAndCompatible(@NotNull String controllerId, long distributionSetId,
@NotNull String targetFilterQuery);
boolean isTargetMatchingQueryAndDSNotAssignedAndCompatibleAndUpdatable(@NotNull String controllerId,
long distributionSetId, @NotNull String targetFilterQuery);
/**
* Creates a list of target meta data entries.
*
* @param controllerId
* {@link Target} controller id the metadata has to be created
* for
* {@link Target} controller id the metadata has to be created for
* @param metadata
* the meta data entries to create or update
* @return the updated or created target metadata entries
@@ -829,12 +856,12 @@ public interface TargetManagement {
* if given target does not exist
*
* @throws EntityAlreadyExistsException
* in case one of the metadata entry already exists for the
* specific key
* in case one of the metadata entry already exists for the specific
* key
*
* @throws AssignmentQuotaExceededException
* if the maximum number of {@link MetaData} entries is exceeded
* for the addressed {@link Target}
* if the maximum number of {@link MetaData} entries is exceeded for
* the addressed {@link Target}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
List<TargetMetadata> createMetaData(@NotEmpty String controllerId, @NotEmpty Collection<MetaData> metadata);
@@ -928,15 +955,13 @@ public interface TargetManagement {
* Updates a target meta data value if corresponding entry exists.
*
* @param controllerId
* {@link Target} controller id of the metadata entry to be
* updated
* {@link Target} controller id of the metadata entry to be updated
* @param metadata
* meta data entry to be updated
* @return the updated meta data entry
*
* @throws EntityNotFoundException
* in case the metadata entry does not exist and cannot be
* updated
* in case the metadata entry does not exist and cannot be updated
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
TargetMetadata updateMetadata(@NotEmpty String controllerId, @NotNull MetaData metadata);