Refactoring/Improving source: security core (#1599)

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2024-02-03 16:55:55 +02:00
committed by GitHub
parent e4c70f3f34
commit 9e31685757
7 changed files with 15 additions and 53 deletions

View File

@@ -48,12 +48,10 @@ public class DdiSecurityProperties {
* HTTP header field for common name of a DDI target client certificate.
*/
private String cnHeader = "X-Ssl-Client-Cn";
/**
* HTTP header field for issuer hash of a DDI target client certificate.
*/
private String sslIssuerHashHeader = "X-Ssl-Issuer-Hash-%d";
/**
* List of trusted (reverse proxy) IP addresses for performing DDI
* client certificate authentication.
@@ -66,6 +64,7 @@ public class DdiSecurityProperties {
*/
@Data
public static class Authentication {
private final Anonymous anonymous = new Anonymous();
private final Targettoken targettoken = new Targettoken();
private final Gatewaytoken gatewaytoken = new Gatewaytoken();
@@ -117,4 +116,4 @@ public class DdiSecurityProperties {
private boolean enabled = false;
}
}
}
}

View File

@@ -32,26 +32,21 @@ public class HawkbitSecurityProperties {
* Content Security policy Header for Manager UI.
*/
private String contentSecurityPolicy;
/**
* Secure access enforced.
*/
private boolean requireSsl;
/**
* With this property a list of allowed hostnames can be configured. All
* requests with different Host headers will be rejected.
*/
private List<String> allowedHostNames;
/**
* Add paths that will be ignored by {@link StrictHttpFirewall}.
* Add paths that will be ignored by {@link org.springframework.security.web.firewall.StrictHttpFirewall}.
*/
private List<String> httpFirewallIgnoredPaths;
/**
* Basic authentication realm, see
* https://tools.ietf.org/html/rfc2617#page-3 .
* Basic authentication realm, see https://tools.ietf.org/html/rfc2617#page-3 .
*/
private String basicRealm = "hawkBit";
@@ -65,22 +60,18 @@ public class HawkbitSecurityProperties {
* Flag to enable CORS.
*/
private boolean enabled = false;
/**
* Allowed origins for CORS.
*/
private List<String> allowedOrigins = Collections.singletonList("http://localhost");
/**
* Allowed headers for CORS.
*/
private List<String> allowedHeaders = Collections.singletonList("*");
/**
* Allowed methods for CORS.
*/
private List<String> allowedMethods = Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT");
/**
* Exposed headers for CORS.
*/
@@ -94,17 +85,14 @@ public class HawkbitSecurityProperties {
public static class Clients {
public static final String X_FORWARDED_FOR = "X-Forwarded-For";
/**
* Blacklisted client (IP addresses) for for DDI and Management API.
*/
private String blacklist = "";
/**
* Name of the http header from which the remote ip is extracted.
*/
private String remoteIpHeader = X_FORWARDED_FOR;
/**
* Set to <code>true</code> if DDI clients remote IP should be stored.
*/
@@ -122,84 +110,68 @@ public class HawkbitSecurityProperties {
* an action (0 to disable).
*/
private int maxStatusEntriesPerAction = 1000;
/**
* Maximum number of attributes that the controller can report;
*/
private int maxAttributeEntriesPerTarget = 100;
/**
* Maximum number of allowed groups per Rollout.
*/
private int maxRolloutGroupsPerRollout = 500;
/**
* Maximum number of messages per ActionStatus
*/
private int maxMessagesPerActionStatus = 50;
/**
* Maximum number of meta data entries per software module
*/
private int maxMetaDataEntriesPerSoftwareModule = 100;
/**
* Maximum number of meta data entries per distribution set
*/
private int maxMetaDataEntriesPerDistributionSet = 100;
/**
* Maximum number of meta data entries per target
*/
private int maxMetaDataEntriesPerTarget = 100;
/**
* Maximum number of software modules per distribution set
*/
private int maxSoftwareModulesPerDistributionSet = 100;
/**
* Maximum number of software modules per distribution set
*/
private int maxSoftwareModuleTypesPerDistributionSetType = 50;
/**
* Maximum number of artifacts per software module
*/
private int maxArtifactsPerSoftwareModule = 50;
/**
* Maximum number of targets per rollout group
*/
private int maxTargetsPerRolloutGroup = 20000;
/**
* Maximum number of overall actions targets per target
*/
private int maxActionsPerTarget = 2000;
/**
* Maximum number of actions resulting from a manual assignment of
* distribution sets and targets. Must be greater than 1000.
*/
private int maxTargetDistributionSetAssignmentsPerManualAssignment = 5000;
/**
* Maximum number of targets for an automatic distribution set
* assignment
*/
private int maxTargetsPerAutoAssignment = 20000;
/**
* Maximum size of artifacts in bytes. Defaults to 1 GB.
*/
private long maxArtifactSize = 1_073_741_824;
/**
* Maximum size of all artifacts in bytes. Defaults to 20 GB.
*/
private long maxArtifactStorage = 21_474_836_480L;
/**
* Maximum number of distribution set types per target types
*/
@@ -220,19 +192,16 @@ public class HawkbitSecurityProperties {
* True if filter is enabled.
*/
private boolean enabled = true;
/**
* White list of peer IP addresses for DOS filter (regular
* expression).
*/
private String whitelist = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";
/**
* # Maximum number of allowed REST read/GET requests per second per
* client IP.
*/
private int maxRead = 200;
/**
* Maximum number of allowed REST write/(PUT/POST/etc.) requests per
* second per client IP.
@@ -240,4 +209,4 @@ public class HawkbitSecurityProperties {
private int maxWrite = 50;
}
}
}
}

View File

@@ -9,17 +9,16 @@
*/
package org.eclipse.hawkbit.security;
import lombok.NoArgsConstructor;
/**
* Constants related to security.
*/
@NoArgsConstructor
public final class SecurityConstants {
/**
* Logger prefix used for security logging.
*/
public static final String SECURITY_LOG_PREFIX = "server-security";
private SecurityConstants() {
}
}
}

View File

@@ -32,4 +32,4 @@ public class SecurityTokenGenerator {
public String generateToken() {
return new String(Hex.encode(SECURE_RANDOM.generateKey()));
}
}
}

View File

@@ -49,4 +49,4 @@ public class SpringSecurityAuditorAware implements AuditorAware<String> {
private static boolean isAuthenticationInvalid(final Authentication authentication) {
return authentication == null || !authentication.isAuthenticated() || authentication.getPrincipal() == null;
}
}
}

View File

@@ -16,13 +16,14 @@ import java.util.regex.Pattern;
import jakarta.servlet.http.HttpServletRequest;
import lombok.NoArgsConstructor;
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
/**
* A utility which determines the correct IP of a connected {@link Target}. E.g
* from a {@link HttpServletRequest}.
*
*/
@NoArgsConstructor
// Exception squid:S2083 - false positive, file paths not handled here
@SuppressWarnings("squid:S2083")
public final class IpUtil {
@@ -39,10 +40,6 @@ public final class IpUtil {
// v6 address with [] amd (optionally) port
private static final Pattern IPV6_ADDRESS_WITH_PORT_PATTERN = Pattern.compile("\\[(?<address>([0-9a-f]{1,4}:){7}([0-9a-f]){1,4})](:[0-9]{1,5})?");
private IpUtil() {
}
/**
* Retrieves the string based IP address from a given
* {@link HttpServletRequest} by either the configured {@link HawkbitSecurityProperties.Clients#getRemoteIpHeader()}

View File

@@ -9,16 +9,14 @@
*/
package org.eclipse.hawkbit.util;
import lombok.NoArgsConstructor;
import org.springframework.web.util.UriUtils;
import java.nio.charset.StandardCharsets;
@NoArgsConstructor
public class UrlUtils {
private UrlUtils() {
// Util classes should not have public constructors
}
public static String decodeUriValue(String value) {
return UriUtils.decode(value, StandardCharsets.UTF_8);
}