Refactoring/Improving source: security core (#1599)

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2024-02-03 16:55:55 +02:00
committed by GitHub
parent e4c70f3f34
commit 9e31685757
7 changed files with 15 additions and 53 deletions

View File

@@ -48,12 +48,10 @@ public class DdiSecurityProperties {
* HTTP header field for common name of a DDI target client certificate. * HTTP header field for common name of a DDI target client certificate.
*/ */
private String cnHeader = "X-Ssl-Client-Cn"; private String cnHeader = "X-Ssl-Client-Cn";
/** /**
* HTTP header field for issuer hash of a DDI target client certificate. * HTTP header field for issuer hash of a DDI target client certificate.
*/ */
private String sslIssuerHashHeader = "X-Ssl-Issuer-Hash-%d"; private String sslIssuerHashHeader = "X-Ssl-Issuer-Hash-%d";
/** /**
* List of trusted (reverse proxy) IP addresses for performing DDI * List of trusted (reverse proxy) IP addresses for performing DDI
* client certificate authentication. * client certificate authentication.
@@ -66,6 +64,7 @@ public class DdiSecurityProperties {
*/ */
@Data @Data
public static class Authentication { public static class Authentication {
private final Anonymous anonymous = new Anonymous(); private final Anonymous anonymous = new Anonymous();
private final Targettoken targettoken = new Targettoken(); private final Targettoken targettoken = new Targettoken();
private final Gatewaytoken gatewaytoken = new Gatewaytoken(); private final Gatewaytoken gatewaytoken = new Gatewaytoken();
@@ -117,4 +116,4 @@ public class DdiSecurityProperties {
private boolean enabled = false; private boolean enabled = false;
} }
} }
} }

View File

@@ -32,26 +32,21 @@ public class HawkbitSecurityProperties {
* Content Security policy Header for Manager UI. * Content Security policy Header for Manager UI.
*/ */
private String contentSecurityPolicy; private String contentSecurityPolicy;
/** /**
* Secure access enforced. * Secure access enforced.
*/ */
private boolean requireSsl; private boolean requireSsl;
/** /**
* With this property a list of allowed hostnames can be configured. All * With this property a list of allowed hostnames can be configured. All
* requests with different Host headers will be rejected. * requests with different Host headers will be rejected.
*/ */
private List<String> allowedHostNames; private List<String> allowedHostNames;
/** /**
* Add paths that will be ignored by {@link StrictHttpFirewall}. * Add paths that will be ignored by {@link org.springframework.security.web.firewall.StrictHttpFirewall}.
*/ */
private List<String> httpFirewallIgnoredPaths; private List<String> httpFirewallIgnoredPaths;
/** /**
* Basic authentication realm, see * Basic authentication realm, see https://tools.ietf.org/html/rfc2617#page-3 .
* https://tools.ietf.org/html/rfc2617#page-3 .
*/ */
private String basicRealm = "hawkBit"; private String basicRealm = "hawkBit";
@@ -65,22 +60,18 @@ public class HawkbitSecurityProperties {
* Flag to enable CORS. * Flag to enable CORS.
*/ */
private boolean enabled = false; private boolean enabled = false;
/** /**
* Allowed origins for CORS. * Allowed origins for CORS.
*/ */
private List<String> allowedOrigins = Collections.singletonList("http://localhost"); private List<String> allowedOrigins = Collections.singletonList("http://localhost");
/** /**
* Allowed headers for CORS. * Allowed headers for CORS.
*/ */
private List<String> allowedHeaders = Collections.singletonList("*"); private List<String> allowedHeaders = Collections.singletonList("*");
/** /**
* Allowed methods for CORS. * Allowed methods for CORS.
*/ */
private List<String> allowedMethods = Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT"); private List<String> allowedMethods = Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT");
/** /**
* Exposed headers for CORS. * Exposed headers for CORS.
*/ */
@@ -94,17 +85,14 @@ public class HawkbitSecurityProperties {
public static class Clients { public static class Clients {
public static final String X_FORWARDED_FOR = "X-Forwarded-For"; public static final String X_FORWARDED_FOR = "X-Forwarded-For";
/** /**
* Blacklisted client (IP addresses) for for DDI and Management API. * Blacklisted client (IP addresses) for for DDI and Management API.
*/ */
private String blacklist = ""; private String blacklist = "";
/** /**
* Name of the http header from which the remote ip is extracted. * Name of the http header from which the remote ip is extracted.
*/ */
private String remoteIpHeader = X_FORWARDED_FOR; private String remoteIpHeader = X_FORWARDED_FOR;
/** /**
* Set to <code>true</code> if DDI clients remote IP should be stored. * Set to <code>true</code> if DDI clients remote IP should be stored.
*/ */
@@ -122,84 +110,68 @@ public class HawkbitSecurityProperties {
* an action (0 to disable). * an action (0 to disable).
*/ */
private int maxStatusEntriesPerAction = 1000; private int maxStatusEntriesPerAction = 1000;
/** /**
* Maximum number of attributes that the controller can report; * Maximum number of attributes that the controller can report;
*/ */
private int maxAttributeEntriesPerTarget = 100; private int maxAttributeEntriesPerTarget = 100;
/** /**
* Maximum number of allowed groups per Rollout. * Maximum number of allowed groups per Rollout.
*/ */
private int maxRolloutGroupsPerRollout = 500; private int maxRolloutGroupsPerRollout = 500;
/** /**
* Maximum number of messages per ActionStatus * Maximum number of messages per ActionStatus
*/ */
private int maxMessagesPerActionStatus = 50; private int maxMessagesPerActionStatus = 50;
/** /**
* Maximum number of meta data entries per software module * Maximum number of meta data entries per software module
*/ */
private int maxMetaDataEntriesPerSoftwareModule = 100; private int maxMetaDataEntriesPerSoftwareModule = 100;
/** /**
* Maximum number of meta data entries per distribution set * Maximum number of meta data entries per distribution set
*/ */
private int maxMetaDataEntriesPerDistributionSet = 100; private int maxMetaDataEntriesPerDistributionSet = 100;
/** /**
* Maximum number of meta data entries per target * Maximum number of meta data entries per target
*/ */
private int maxMetaDataEntriesPerTarget = 100; private int maxMetaDataEntriesPerTarget = 100;
/** /**
* Maximum number of software modules per distribution set * Maximum number of software modules per distribution set
*/ */
private int maxSoftwareModulesPerDistributionSet = 100; private int maxSoftwareModulesPerDistributionSet = 100;
/** /**
* Maximum number of software modules per distribution set * Maximum number of software modules per distribution set
*/ */
private int maxSoftwareModuleTypesPerDistributionSetType = 50; private int maxSoftwareModuleTypesPerDistributionSetType = 50;
/** /**
* Maximum number of artifacts per software module * Maximum number of artifacts per software module
*/ */
private int maxArtifactsPerSoftwareModule = 50; private int maxArtifactsPerSoftwareModule = 50;
/** /**
* Maximum number of targets per rollout group * Maximum number of targets per rollout group
*/ */
private int maxTargetsPerRolloutGroup = 20000; private int maxTargetsPerRolloutGroup = 20000;
/** /**
* Maximum number of overall actions targets per target * Maximum number of overall actions targets per target
*/ */
private int maxActionsPerTarget = 2000; private int maxActionsPerTarget = 2000;
/** /**
* Maximum number of actions resulting from a manual assignment of * Maximum number of actions resulting from a manual assignment of
* distribution sets and targets. Must be greater than 1000. * distribution sets and targets. Must be greater than 1000.
*/ */
private int maxTargetDistributionSetAssignmentsPerManualAssignment = 5000; private int maxTargetDistributionSetAssignmentsPerManualAssignment = 5000;
/** /**
* Maximum number of targets for an automatic distribution set * Maximum number of targets for an automatic distribution set
* assignment * assignment
*/ */
private int maxTargetsPerAutoAssignment = 20000; private int maxTargetsPerAutoAssignment = 20000;
/** /**
* Maximum size of artifacts in bytes. Defaults to 1 GB. * Maximum size of artifacts in bytes. Defaults to 1 GB.
*/ */
private long maxArtifactSize = 1_073_741_824; private long maxArtifactSize = 1_073_741_824;
/** /**
* Maximum size of all artifacts in bytes. Defaults to 20 GB. * Maximum size of all artifacts in bytes. Defaults to 20 GB.
*/ */
private long maxArtifactStorage = 21_474_836_480L; private long maxArtifactStorage = 21_474_836_480L;
/** /**
* Maximum number of distribution set types per target types * Maximum number of distribution set types per target types
*/ */
@@ -220,19 +192,16 @@ public class HawkbitSecurityProperties {
* True if filter is enabled. * True if filter is enabled.
*/ */
private boolean enabled = true; private boolean enabled = true;
/** /**
* White list of peer IP addresses for DOS filter (regular * White list of peer IP addresses for DOS filter (regular
* expression). * expression).
*/ */
private String whitelist = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}"; private String whitelist = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}";
/** /**
* # Maximum number of allowed REST read/GET requests per second per * # Maximum number of allowed REST read/GET requests per second per
* client IP. * client IP.
*/ */
private int maxRead = 200; private int maxRead = 200;
/** /**
* Maximum number of allowed REST write/(PUT/POST/etc.) requests per * Maximum number of allowed REST write/(PUT/POST/etc.) requests per
* second per client IP. * second per client IP.
@@ -240,4 +209,4 @@ public class HawkbitSecurityProperties {
private int maxWrite = 50; private int maxWrite = 50;
} }
} }
} }

View File

@@ -9,17 +9,16 @@
*/ */
package org.eclipse.hawkbit.security; package org.eclipse.hawkbit.security;
import lombok.NoArgsConstructor;
/** /**
* Constants related to security. * Constants related to security.
*/ */
@NoArgsConstructor
public final class SecurityConstants { public final class SecurityConstants {
/** /**
* Logger prefix used for security logging. * Logger prefix used for security logging.
*/ */
public static final String SECURITY_LOG_PREFIX = "server-security"; public static final String SECURITY_LOG_PREFIX = "server-security";
}
private SecurityConstants() {
}
}

View File

@@ -32,4 +32,4 @@ public class SecurityTokenGenerator {
public String generateToken() { public String generateToken() {
return new String(Hex.encode(SECURE_RANDOM.generateKey())); return new String(Hex.encode(SECURE_RANDOM.generateKey()));
} }
} }

View File

@@ -49,4 +49,4 @@ public class SpringSecurityAuditorAware implements AuditorAware<String> {
private static boolean isAuthenticationInvalid(final Authentication authentication) { private static boolean isAuthenticationInvalid(final Authentication authentication) {
return authentication == null || !authentication.isAuthenticated() || authentication.getPrincipal() == null; return authentication == null || !authentication.isAuthenticated() || authentication.getPrincipal() == null;
} }
} }

View File

@@ -16,13 +16,14 @@ import java.util.regex.Pattern;
import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequest;
import lombok.NoArgsConstructor;
import org.eclipse.hawkbit.security.HawkbitSecurityProperties; import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
/** /**
* A utility which determines the correct IP of a connected {@link Target}. E.g * A utility which determines the correct IP of a connected {@link Target}. E.g
* from a {@link HttpServletRequest}. * from a {@link HttpServletRequest}.
*
*/ */
@NoArgsConstructor
// Exception squid:S2083 - false positive, file paths not handled here // Exception squid:S2083 - false positive, file paths not handled here
@SuppressWarnings("squid:S2083") @SuppressWarnings("squid:S2083")
public final class IpUtil { public final class IpUtil {
@@ -39,10 +40,6 @@ public final class IpUtil {
// v6 address with [] amd (optionally) port // v6 address with [] amd (optionally) port
private static final Pattern IPV6_ADDRESS_WITH_PORT_PATTERN = Pattern.compile("\\[(?<address>([0-9a-f]{1,4}:){7}([0-9a-f]){1,4})](:[0-9]{1,5})?"); private static final Pattern IPV6_ADDRESS_WITH_PORT_PATTERN = Pattern.compile("\\[(?<address>([0-9a-f]{1,4}:){7}([0-9a-f]){1,4})](:[0-9]{1,5})?");
private IpUtil() {
}
/** /**
* Retrieves the string based IP address from a given * Retrieves the string based IP address from a given
* {@link HttpServletRequest} by either the configured {@link HawkbitSecurityProperties.Clients#getRemoteIpHeader()} * {@link HttpServletRequest} by either the configured {@link HawkbitSecurityProperties.Clients#getRemoteIpHeader()}

View File

@@ -9,16 +9,14 @@
*/ */
package org.eclipse.hawkbit.util; package org.eclipse.hawkbit.util;
import lombok.NoArgsConstructor;
import org.springframework.web.util.UriUtils; import org.springframework.web.util.UriUtils;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
@NoArgsConstructor
public class UrlUtils { public class UrlUtils {
private UrlUtils() {
// Util classes should not have public constructors
}
public static String decodeUriValue(String value) { public static String decodeUriValue(String value) {
return UriUtils.decode(value, StandardCharsets.UTF_8); return UriUtils.decode(value, StandardCharsets.UTF_8);
} }