Small security improvements (#1412)

Typos fixed Disables empty string gateway token for sure. Test if the gateway token is not empty string ecplicitly. Empty string is the default value and if accepted could be a security vulnerability (e.g. enabling gateway token authentication and using empty string as token). According to https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.4 the header value shall not have trailing spaces and the http server shall already have trimmed them. So if execution passes start with "GatewayToken " then token shall not be empty. But but let's check anyway In UI first set key then enable the gateway token authentication. Otherwise the key might be left empty (default). This however shall not be really problem since (because of token trimming) the empty token will be rejected anyway. Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2023-08-16 14:25:17 +03:00
parent a5dba29e74
commit acff82f60f
10 changed files with 71 additions and 69 deletions
--- a/hawkbit-dmf/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpAuthenticationMessageHandler.java
+++ b/hawkbit-dmf/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpAuthenticationMessageHandler.java
@@ -119,18 +119,18 @@ public class AmqpAuthenticationMessageHandler extends BaseAmqpService {
     * this file because it's not assigned to an action and not assigned to this
     * controller. Otherwise no controllerId is set = anonymous download
     * 
-     * @param secruityToken
+     * @param securityToken
     *            the security token which holds the target ID to check on
     * @param sha1Hash
     *            of the artifact to verify if the given target is allowed to
     *            download it
     */
-    private void checkIfArtifactIsAssignedToTarget(final DmfTenantSecurityToken secruityToken, final String sha1Hash) {
+    private void checkIfArtifactIsAssignedToTarget(final DmfTenantSecurityToken securityToken, final String sha1Hash) {

-        if (secruityToken.getControllerId() != null) {
-            checkByControllerId(sha1Hash, secruityToken.getControllerId());
-        } else if (secruityToken.getTargetId() != null) {
-            checkByTargetId(sha1Hash, secruityToken.getTargetId());
+        if (securityToken.getControllerId() != null) {
+            checkByControllerId(sha1Hash, securityToken.getControllerId());
+        } else if (securityToken.getTargetId() != null) {
+            checkByTargetId(sha1Hash, securityToken.getTargetId());
        } else {
            LOG.info("anonymous download no authentication check for artifact {}", sha1Hash);
        }
@@ -198,15 +198,15 @@ public class AmqpAuthenticationMessageHandler extends BaseAmqpService {
    @SuppressWarnings("squid:S1166")
    private Message handleAuthenticationMessage(final Message message) {
        final DmfDownloadResponse authenticationResponse = new DmfDownloadResponse();
-        final DmfTenantSecurityToken secruityToken = convertMessage(message, DmfTenantSecurityToken.class);
-        final FileResource fileResource = secruityToken.getFileResource();
+        final DmfTenantSecurityToken securityToken = convertMessage(message, DmfTenantSecurityToken.class);
+        final FileResource fileResource = securityToken.getFileResource();
        try {
-            SecurityContextHolder.getContext().setAuthentication(authenticationManager.doAuthenticate(secruityToken));
+            SecurityContextHolder.getContext().setAuthentication(authenticationManager.doAuthenticate(securityToken));

            final Artifact artifact = findArtifactByFileResource(fileResource)
                    .orElseThrow(EntityNotFoundException::new);

-            checkIfArtifactIsAssignedToTarget(secruityToken, artifact.getSha1Hash());
+            checkIfArtifactIsAssignedToTarget(securityToken, artifact.getSha1Hash());

            final DmfArtifact dmfArtifact = convertDbArtifact(artifact);

--- a/hawkbit-dmf/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentication.java
+++ b/hawkbit-dmf/hawkbit-dmf-amqp/src/main/java/org/eclipse/hawkbit/amqp/AmqpControllerAuthentication.java
@@ -145,14 +145,14 @@ public class AmqpControllerAuthentication {
    }

    private static PreAuthenticatedAuthenticationToken createAuthentication(final PreAuthenticationFilter filter,
-            final DmfTenantSecurityToken secruityToken) {
+            final DmfTenantSecurityToken securityToken) {

-        if (!filter.isEnable(secruityToken)) {
+        if (!filter.isEnable(securityToken)) {
            return null;
        }

-        final Object principal = filter.getPreAuthenticatedPrincipal(secruityToken);
-        final Object credentials = filter.getPreAuthenticatedCredentials(secruityToken);
+        final Object principal = filter.getPreAuthenticatedPrincipal(securityToken);
+        final Object credentials = filter.getPreAuthenticatedCredentials(securityToken);

        if (principal == null) {
            LOGGER.debug("No pre-authenticated principal found in message");