Refactoring/Improving source: security core (#1599)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
This commit is contained in:
@@ -48,12 +48,10 @@ public class DdiSecurityProperties {
|
|||||||
* HTTP header field for common name of a DDI target client certificate.
|
* HTTP header field for common name of a DDI target client certificate.
|
||||||
*/
|
*/
|
||||||
private String cnHeader = "X-Ssl-Client-Cn";
|
private String cnHeader = "X-Ssl-Client-Cn";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* HTTP header field for issuer hash of a DDI target client certificate.
|
* HTTP header field for issuer hash of a DDI target client certificate.
|
||||||
*/
|
*/
|
||||||
private String sslIssuerHashHeader = "X-Ssl-Issuer-Hash-%d";
|
private String sslIssuerHashHeader = "X-Ssl-Issuer-Hash-%d";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* List of trusted (reverse proxy) IP addresses for performing DDI
|
* List of trusted (reverse proxy) IP addresses for performing DDI
|
||||||
* client certificate authentication.
|
* client certificate authentication.
|
||||||
@@ -66,6 +64,7 @@ public class DdiSecurityProperties {
|
|||||||
*/
|
*/
|
||||||
@Data
|
@Data
|
||||||
public static class Authentication {
|
public static class Authentication {
|
||||||
|
|
||||||
private final Anonymous anonymous = new Anonymous();
|
private final Anonymous anonymous = new Anonymous();
|
||||||
private final Targettoken targettoken = new Targettoken();
|
private final Targettoken targettoken = new Targettoken();
|
||||||
private final Gatewaytoken gatewaytoken = new Gatewaytoken();
|
private final Gatewaytoken gatewaytoken = new Gatewaytoken();
|
||||||
@@ -117,4 +116,4 @@ public class DdiSecurityProperties {
|
|||||||
private boolean enabled = false;
|
private boolean enabled = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -32,26 +32,21 @@ public class HawkbitSecurityProperties {
|
|||||||
* Content Security policy Header for Manager UI.
|
* Content Security policy Header for Manager UI.
|
||||||
*/
|
*/
|
||||||
private String contentSecurityPolicy;
|
private String contentSecurityPolicy;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Secure access enforced.
|
* Secure access enforced.
|
||||||
*/
|
*/
|
||||||
private boolean requireSsl;
|
private boolean requireSsl;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* With this property a list of allowed hostnames can be configured. All
|
* With this property a list of allowed hostnames can be configured. All
|
||||||
* requests with different Host headers will be rejected.
|
* requests with different Host headers will be rejected.
|
||||||
*/
|
*/
|
||||||
private List<String> allowedHostNames;
|
private List<String> allowedHostNames;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add paths that will be ignored by {@link StrictHttpFirewall}.
|
* Add paths that will be ignored by {@link org.springframework.security.web.firewall.StrictHttpFirewall}.
|
||||||
*/
|
*/
|
||||||
private List<String> httpFirewallIgnoredPaths;
|
private List<String> httpFirewallIgnoredPaths;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Basic authentication realm, see
|
* Basic authentication realm, see https://tools.ietf.org/html/rfc2617#page-3 .
|
||||||
* https://tools.ietf.org/html/rfc2617#page-3 .
|
|
||||||
*/
|
*/
|
||||||
private String basicRealm = "hawkBit";
|
private String basicRealm = "hawkBit";
|
||||||
|
|
||||||
@@ -65,22 +60,18 @@ public class HawkbitSecurityProperties {
|
|||||||
* Flag to enable CORS.
|
* Flag to enable CORS.
|
||||||
*/
|
*/
|
||||||
private boolean enabled = false;
|
private boolean enabled = false;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Allowed origins for CORS.
|
* Allowed origins for CORS.
|
||||||
*/
|
*/
|
||||||
private List<String> allowedOrigins = Collections.singletonList("http://localhost");
|
private List<String> allowedOrigins = Collections.singletonList("http://localhost");
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Allowed headers for CORS.
|
* Allowed headers for CORS.
|
||||||
*/
|
*/
|
||||||
private List<String> allowedHeaders = Collections.singletonList("*");
|
private List<String> allowedHeaders = Collections.singletonList("*");
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Allowed methods for CORS.
|
* Allowed methods for CORS.
|
||||||
*/
|
*/
|
||||||
private List<String> allowedMethods = Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT");
|
private List<String> allowedMethods = Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT");
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Exposed headers for CORS.
|
* Exposed headers for CORS.
|
||||||
*/
|
*/
|
||||||
@@ -94,17 +85,14 @@ public class HawkbitSecurityProperties {
|
|||||||
public static class Clients {
|
public static class Clients {
|
||||||
|
|
||||||
public static final String X_FORWARDED_FOR = "X-Forwarded-For";
|
public static final String X_FORWARDED_FOR = "X-Forwarded-For";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Blacklisted client (IP addresses) for for DDI and Management API.
|
* Blacklisted client (IP addresses) for for DDI and Management API.
|
||||||
*/
|
*/
|
||||||
private String blacklist = "";
|
private String blacklist = "";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Name of the http header from which the remote ip is extracted.
|
* Name of the http header from which the remote ip is extracted.
|
||||||
*/
|
*/
|
||||||
private String remoteIpHeader = X_FORWARDED_FOR;
|
private String remoteIpHeader = X_FORWARDED_FOR;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set to <code>true</code> if DDI clients remote IP should be stored.
|
* Set to <code>true</code> if DDI clients remote IP should be stored.
|
||||||
*/
|
*/
|
||||||
@@ -122,84 +110,68 @@ public class HawkbitSecurityProperties {
|
|||||||
* an action (0 to disable).
|
* an action (0 to disable).
|
||||||
*/
|
*/
|
||||||
private int maxStatusEntriesPerAction = 1000;
|
private int maxStatusEntriesPerAction = 1000;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of attributes that the controller can report;
|
* Maximum number of attributes that the controller can report;
|
||||||
*/
|
*/
|
||||||
private int maxAttributeEntriesPerTarget = 100;
|
private int maxAttributeEntriesPerTarget = 100;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of allowed groups per Rollout.
|
* Maximum number of allowed groups per Rollout.
|
||||||
*/
|
*/
|
||||||
private int maxRolloutGroupsPerRollout = 500;
|
private int maxRolloutGroupsPerRollout = 500;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of messages per ActionStatus
|
* Maximum number of messages per ActionStatus
|
||||||
*/
|
*/
|
||||||
private int maxMessagesPerActionStatus = 50;
|
private int maxMessagesPerActionStatus = 50;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of meta data entries per software module
|
* Maximum number of meta data entries per software module
|
||||||
*/
|
*/
|
||||||
private int maxMetaDataEntriesPerSoftwareModule = 100;
|
private int maxMetaDataEntriesPerSoftwareModule = 100;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of meta data entries per distribution set
|
* Maximum number of meta data entries per distribution set
|
||||||
*/
|
*/
|
||||||
private int maxMetaDataEntriesPerDistributionSet = 100;
|
private int maxMetaDataEntriesPerDistributionSet = 100;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of meta data entries per target
|
* Maximum number of meta data entries per target
|
||||||
*/
|
*/
|
||||||
private int maxMetaDataEntriesPerTarget = 100;
|
private int maxMetaDataEntriesPerTarget = 100;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of software modules per distribution set
|
* Maximum number of software modules per distribution set
|
||||||
*/
|
*/
|
||||||
private int maxSoftwareModulesPerDistributionSet = 100;
|
private int maxSoftwareModulesPerDistributionSet = 100;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of software modules per distribution set
|
* Maximum number of software modules per distribution set
|
||||||
*/
|
*/
|
||||||
private int maxSoftwareModuleTypesPerDistributionSetType = 50;
|
private int maxSoftwareModuleTypesPerDistributionSetType = 50;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of artifacts per software module
|
* Maximum number of artifacts per software module
|
||||||
*/
|
*/
|
||||||
private int maxArtifactsPerSoftwareModule = 50;
|
private int maxArtifactsPerSoftwareModule = 50;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of targets per rollout group
|
* Maximum number of targets per rollout group
|
||||||
*/
|
*/
|
||||||
private int maxTargetsPerRolloutGroup = 20000;
|
private int maxTargetsPerRolloutGroup = 20000;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of overall actions targets per target
|
* Maximum number of overall actions targets per target
|
||||||
*/
|
*/
|
||||||
private int maxActionsPerTarget = 2000;
|
private int maxActionsPerTarget = 2000;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of actions resulting from a manual assignment of
|
* Maximum number of actions resulting from a manual assignment of
|
||||||
* distribution sets and targets. Must be greater than 1000.
|
* distribution sets and targets. Must be greater than 1000.
|
||||||
*/
|
*/
|
||||||
private int maxTargetDistributionSetAssignmentsPerManualAssignment = 5000;
|
private int maxTargetDistributionSetAssignmentsPerManualAssignment = 5000;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of targets for an automatic distribution set
|
* Maximum number of targets for an automatic distribution set
|
||||||
* assignment
|
* assignment
|
||||||
*/
|
*/
|
||||||
private int maxTargetsPerAutoAssignment = 20000;
|
private int maxTargetsPerAutoAssignment = 20000;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum size of artifacts in bytes. Defaults to 1 GB.
|
* Maximum size of artifacts in bytes. Defaults to 1 GB.
|
||||||
*/
|
*/
|
||||||
private long maxArtifactSize = 1_073_741_824;
|
private long maxArtifactSize = 1_073_741_824;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum size of all artifacts in bytes. Defaults to 20 GB.
|
* Maximum size of all artifacts in bytes. Defaults to 20 GB.
|
||||||
*/
|
*/
|
||||||
private long maxArtifactStorage = 21_474_836_480L;
|
private long maxArtifactStorage = 21_474_836_480L;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of distribution set types per target types
|
* Maximum number of distribution set types per target types
|
||||||
*/
|
*/
|
||||||
@@ -220,19 +192,16 @@ public class HawkbitSecurityProperties {
|
|||||||
* True if filter is enabled.
|
* True if filter is enabled.
|
||||||
*/
|
*/
|
||||||
private boolean enabled = true;
|
private boolean enabled = true;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* White list of peer IP addresses for DOS filter (regular
|
* White list of peer IP addresses for DOS filter (regular
|
||||||
* expression).
|
* expression).
|
||||||
*/
|
*/
|
||||||
private String whitelist = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";
|
private String whitelist = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* # Maximum number of allowed REST read/GET requests per second per
|
* # Maximum number of allowed REST read/GET requests per second per
|
||||||
* client IP.
|
* client IP.
|
||||||
*/
|
*/
|
||||||
private int maxRead = 200;
|
private int maxRead = 200;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of allowed REST write/(PUT/POST/etc.) requests per
|
* Maximum number of allowed REST write/(PUT/POST/etc.) requests per
|
||||||
* second per client IP.
|
* second per client IP.
|
||||||
@@ -240,4 +209,4 @@ public class HawkbitSecurityProperties {
|
|||||||
private int maxWrite = 50;
|
private int maxWrite = 50;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -9,17 +9,16 @@
|
|||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.security;
|
package org.eclipse.hawkbit.security;
|
||||||
|
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constants related to security.
|
* Constants related to security.
|
||||||
*/
|
*/
|
||||||
|
@NoArgsConstructor
|
||||||
public final class SecurityConstants {
|
public final class SecurityConstants {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Logger prefix used for security logging.
|
* Logger prefix used for security logging.
|
||||||
*/
|
*/
|
||||||
public static final String SECURITY_LOG_PREFIX = "server-security";
|
public static final String SECURITY_LOG_PREFIX = "server-security";
|
||||||
|
}
|
||||||
private SecurityConstants() {
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -32,4 +32,4 @@ public class SecurityTokenGenerator {
|
|||||||
public String generateToken() {
|
public String generateToken() {
|
||||||
return new String(Hex.encode(SECURE_RANDOM.generateKey()));
|
return new String(Hex.encode(SECURE_RANDOM.generateKey()));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -49,4 +49,4 @@ public class SpringSecurityAuditorAware implements AuditorAware<String> {
|
|||||||
private static boolean isAuthenticationInvalid(final Authentication authentication) {
|
private static boolean isAuthenticationInvalid(final Authentication authentication) {
|
||||||
return authentication == null || !authentication.isAuthenticated() || authentication.getPrincipal() == null;
|
return authentication == null || !authentication.isAuthenticated() || authentication.getPrincipal() == null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -16,13 +16,14 @@ import java.util.regex.Pattern;
|
|||||||
|
|
||||||
import jakarta.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
|
import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A utility which determines the correct IP of a connected {@link Target}. E.g
|
* A utility which determines the correct IP of a connected {@link Target}. E.g
|
||||||
* from a {@link HttpServletRequest}.
|
* from a {@link HttpServletRequest}.
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
|
@NoArgsConstructor
|
||||||
// Exception squid:S2083 - false positive, file paths not handled here
|
// Exception squid:S2083 - false positive, file paths not handled here
|
||||||
@SuppressWarnings("squid:S2083")
|
@SuppressWarnings("squid:S2083")
|
||||||
public final class IpUtil {
|
public final class IpUtil {
|
||||||
@@ -39,10 +40,6 @@ public final class IpUtil {
|
|||||||
// v6 address with [] amd (optionally) port
|
// v6 address with [] amd (optionally) port
|
||||||
private static final Pattern IPV6_ADDRESS_WITH_PORT_PATTERN = Pattern.compile("\\[(?<address>([0-9a-f]{1,4}:){7}([0-9a-f]){1,4})](:[0-9]{1,5})?");
|
private static final Pattern IPV6_ADDRESS_WITH_PORT_PATTERN = Pattern.compile("\\[(?<address>([0-9a-f]{1,4}:){7}([0-9a-f]){1,4})](:[0-9]{1,5})?");
|
||||||
|
|
||||||
private IpUtil() {
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retrieves the string based IP address from a given
|
* Retrieves the string based IP address from a given
|
||||||
* {@link HttpServletRequest} by either the configured {@link HawkbitSecurityProperties.Clients#getRemoteIpHeader()}
|
* {@link HttpServletRequest} by either the configured {@link HawkbitSecurityProperties.Clients#getRemoteIpHeader()}
|
||||||
|
|||||||
@@ -9,16 +9,14 @@
|
|||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.util;
|
package org.eclipse.hawkbit.util;
|
||||||
|
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
import org.springframework.web.util.UriUtils;
|
import org.springframework.web.util.UriUtils;
|
||||||
|
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
|
|
||||||
|
@NoArgsConstructor
|
||||||
public class UrlUtils {
|
public class UrlUtils {
|
||||||
|
|
||||||
private UrlUtils() {
|
|
||||||
// Util classes should not have public constructors
|
|
||||||
}
|
|
||||||
|
|
||||||
public static String decodeUriValue(String value) {
|
public static String decodeUriValue(String value) {
|
||||||
return UriUtils.decode(value, StandardCharsets.UTF_8);
|
return UriUtils.decode(value, StandardCharsets.UTF_8);
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user