Refactoring/Improving source: sec integration (#1607)

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
Avgustin Marinov
2024-02-03 18:08:13 +02:00
committed by GitHub
parent d388b8afdd
commit a15db4cd92
5 changed files with 28 additions and 43 deletions


@@ -12,11 +12,10 @@ package org.eclipse.hawkbit.security;
import java.util.Arrays;
import java.util.Collection;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -24,10 +23,9 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
* An abstraction for all controller based security. Check if the tenant
* configuration is enabled.
*/
@Slf4j
public abstract class AbstractControllerAuthenticationFilter implements PreAuthenticationFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(AbstractControllerAuthenticationFilter.class);
protected final TenantConfigurationManagement tenantConfigurationManagement;
protected final TenantAware tenantAware;
private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
@@ -52,7 +50,7 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
@Override
public Boolean run() {
LOGGER.trace("retrieving configuration value for configuration key {}", getTenantConfigurationKey());
log.trace("retrieving configuration value for configuration key {}", getTenantConfigurationKey());
return systemSecurityContext.runAsSystem(() -> tenantConfigurationManagement
.getConfigurationValue(getTenantConfigurationKey(), Boolean.class).getValue());
}


@@ -11,13 +11,12 @@ package org.eclipse.hawkbit.security;
import java.util.Optional;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.repository.ControllerManagement;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.repository.model.Target;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* An pre-authenticated processing filter which extracts (if enabled through
@@ -25,13 +24,10 @@ import org.slf4j.LoggerFactory;
* security-token with the {@code Authorization} HTTP header.
* {@code Example Header: Authorization: TargetToken
* 5d8fSD54fdsFG98DDsa.}
*
*
*
*/
@Slf4j
public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractControllerAuthenticationFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(ControllerPreAuthenticateSecurityTokenFilter.class);
private static final String TARGET_SECURITY_TOKEN_AUTH_SCHEME = "TargetToken ";
private static final int OFFSET_TARGET_TOKEN = TARGET_SECURITY_TOKEN_AUTH_SCHEME.length();
@@ -66,11 +62,11 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
final String controllerId = resolveControllerId(securityToken);
final String authHeader = securityToken.getHeader(DmfTenantSecurityToken.AUTHORIZATION_HEADER);
if ((authHeader != null) && authHeader.startsWith(TARGET_SECURITY_TOKEN_AUTH_SCHEME)) {
LOGGER.debug("found authorization header with scheme {} using target security token for authentication",
log.debug("found authorization header with scheme {} using target security token for authentication",
TARGET_SECURITY_TOKEN_AUTH_SCHEME);
return new HeaderAuthentication(controllerId, authHeader.substring(OFFSET_TARGET_TOKEN));
}
LOGGER.debug(
log.debug(
"security token filter is enabled but requst does not contain either the necessary path variables {} or the authorization header with scheme {}",
securityToken, TARGET_SECURITY_TOKEN_AUTH_SCHEME);
return null;
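Review bot: The target-token branch `if ((authHeader != null) && authHeader.startsWith(TARGET_SECURITY_TOKEN_AUTH_SCHEME))` still accepts a header that is exactly `TargetToken ` and hands an empty credential to `HeaderAuthentication`, while the sibling gateway filter in this same commit carries `authHeader.length() > OFFSET_GATEWAY_TOKEN` precisely to disable empty-string tokens. Unless the downstream provider is known to reject an empty credential (not visible here), the same guard belongs here: `authHeader.length() > OFFSET_TARGET_TOKEN`. The second `log.debug` also prints the whole `securityToken` object; if its `toString()` includes request headers, the `Authorization` value would end up in the log, so logging only tenant and controller id is safer, and "requst" in that message is a typo. The enclosing method begins outside the hunk.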


@@ -9,11 +9,10 @@
*/
package org.eclipse.hawkbit.security;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* An pre-authenticated processing filter which extracts (if enabled through
@@ -23,14 +22,10 @@ import org.slf4j.LoggerFactory;
* gateway security token which can be set via the {@code TenantsecurityToken}
* header. {@code Example Header: Authorization: GatewayToken
* 5d8fSD54fdsFG98DDsa.}
*
*
*
*/
@Slf4j
public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends AbstractControllerAuthenticationFilter {
private static final Logger LOGGER = LoggerFactory
.getLogger(ControllerPreAuthenticatedGatewaySecurityTokenFilter.class);
private static final String GATEWAY_SECURITY_TOKEN_AUTH_SCHEME = "GatewayToken ";
private static final int OFFSET_GATEWAY_TOKEN = GATEWAY_SECURITY_TOKEN_AUTH_SCHEME.length();
@@ -61,12 +56,12 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
if (authHeader != null &&
authHeader.startsWith(GATEWAY_SECURITY_TOKEN_AUTH_SCHEME) &&
authHeader.length() > OFFSET_GATEWAY_TOKEN) { // disables empty string token
LOGGER.debug("found authorization header with scheme {} using target security token for authentication",
log.debug("found authorization header with scheme {} using target security token for authentication",
GATEWAY_SECURITY_TOKEN_AUTH_SCHEME);
return new HeaderAuthentication(securityToken.getControllerId(),
authHeader.substring(OFFSET_GATEWAY_TOKEN));
}
LOGGER.debug(
log.debug(
"security token filter is enabled but request does not contain either the necessary security token {} or the authorization header with scheme {}",
securityToken, GATEWAY_SECURITY_TOKEN_AUTH_SCHEME);
return null;
@@ -88,7 +83,7 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
@Override
public String run() {
LOGGER.trace("retrieving configuration value for configuration key {}",
log.trace("retrieving configuration value for configuration key {}",
TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY);
return systemSecurityContext
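Review bot: The debug message in the gateway branch says "using target security token for authentication" although this filter handles the `GatewayToken ` scheme, which will mislead anyone correlating logs between the two filters; it should read `log.debug("found authorization header with scheme {} using gateway security token for authentication", GATEWAY_SECURITY_TOKEN_AUTH_SCHEME);`. The following `log.debug` prints the whole `securityToken` object, and if its `toString()` renders request headers the `Authorization` value is written to the log, so prefer logging just the tenant and controller id. The length guard added for empty tokens is good; the same check is missing from the target-token filter touched in this commit. The method containing this hunk starts outside it.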


@@ -13,6 +13,7 @@ import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
@@ -23,11 +24,10 @@ import org.slf4j.LoggerFactory;
* A pre-authenticated processing filter which extracts the principal from a
* request URI and the credential from a request header in a the
* {@link DmfTenantSecurityToken}.
*
*/
@Slf4j
public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractControllerAuthenticationFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(ControllerPreAuthenticatedSecurityHeaderFilter.class);
private static final Logger LOG_SECURITY_AUTH = LoggerFactory.getLogger("server-security.authentication");
private final GetSecurityAuthorityNameTenantRunner sslIssuerNameConfigTenantRunner = new GetSecurityAuthorityNameTenantRunner();
@@ -83,11 +83,11 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
final String knownSslIssuerConfigurationValue = tenantAware.runAsTenant(securityToken.getTenant(),
sslIssuerNameConfigTenantRunner);
final String sslIssuerHashValue = getIssuerHashHeader(securityToken, knownSslIssuerConfigurationValue);
if (commonNameValue != null && LOGGER.isTraceEnabled()) {
LOGGER.trace("Found commonNameHeader {}={}, using as credentials", caCommonNameHeader, commonNameValue);
if (commonNameValue != null && log.isTraceEnabled()) {
log.trace("Found commonNameHeader {}={}, using as credentials", caCommonNameHeader, commonNameValue);
}
if (sslIssuerHashValue != null && LOGGER.isTraceEnabled()) {
LOGGER.trace("Found sslIssuerHash ****, using as credentials for tenant {}", securityToken.getTenant());
if (sslIssuerHashValue != null && log.isTraceEnabled()) {
log.trace("Found sslIssuerHash ****, using as credentials for tenant {}", securityToken.getTenant());
}
if (commonNameValue != null && sslIssuerHashValue != null) {
@@ -129,8 +129,8 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
String foundHash;
while ((foundHash = securityToken.getHeader(String.format(sslIssuerHashBasicHeader, iHeader))) != null) {
if (knownHashes.contains(foundHash.toLowerCase())) {
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Found matching ssl issuer hash at position {}", iHeader);
if (log.isTraceEnabled()) {
log.trace("Found matching ssl issuer hash at position {}", iHeader);
}
return foundHash.toLowerCase();
}
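Review bot: The trace line `log.trace("Found commonNameHeader {}={}, using as credentials", caCommonNameHeader, commonNameValue)` writes the header value in clear, while the issuer-hash line right below it masks its value with `****` even though both messages describe the value as credentials. If the common name really is used as a credential here it should be masked the same way, e.g. `log.trace("Found commonNameHeader {}=****, using as credentials", caCommonNameHeader);`; if it is only the principal, the message wording should say so instead. The `isTraceEnabled()` guards are redundant with parameterized logging unless argument evaluation is costly, which it is not here. In the last hunk, `foundHash.toLowerCase()` is locale-dependent; `toLowerCase(Locale.ROOT)` is the usual choice for comparing hex digests, assuming `java.util.Locale` can be imported. Both hunks lie inside methods that begin outside them.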


@@ -13,8 +13,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
@@ -36,13 +35,10 @@ import org.springframework.security.web.authentication.preauth.PreAuthenticatedA
* from e.g. a certificate provided by an reverse proxy. Due this request is
* only allowed from a specific source address this authentication manager can
* also check the remote IP address of the request.
*
*
*
*/
public class PreAuthTokenSourceTrustAuthenticationProvider implements AuthenticationProvider {
private static final Logger LOGGER = LoggerFactory.getLogger(PreAuthenticatedAuthenticationToken.class);
@Slf4j
public class PreAuthTokenSourceTrustAuthenticationProvider implements AuthenticationProvider
private final List<String> authorizedSourceIps;
/**
@@ -154,7 +150,7 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica
if (!(tokenDetails instanceof TenantAwareWebAuthenticationDetails)) {
// is not of type WebAuthenticationDetails, then we cannot
// determine the remote address!
LOGGER.error(
log.error(
"Cannot determine the controller remote-ip-address based on the given authentication token - {} , token details are not TenantAwareWebAuthenticationDetails! ",
tokenDetails);
success = false;
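Review bot: The new class declaration line `public class PreAuthTokenSourceTrustAuthenticationProvider implements AuthenticationProvider` appears without the opening `{` that the removed line had; this is likely a rendering artifact of the page, but it is worth confirming the file compiles as committed. In the last hunk, `log.error(..., tokenDetails)` renders the details object with `toString()`; if it is a plain `WebAuthenticationDetails`, that output includes the session id, so logging the class name instead, `tokenDetails == null ? null : tokenDetails.getClass().getName()`, conveys the same diagnostic without putting a session identifier in the error log. Replacing the old logger that was keyed on `PreAuthenticatedAuthenticationToken.class` is a genuine improvement. The `lombok` import is placed between the `java.util` and `org.springframework` groups; the other files in this commit keep it in its own group.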