Finalize and polish fine-grained permission (#2660)

* Remove _REPOSITORY_ permissions -> replaced with _SOFTWARE_MODULE_, _SOFTWARE_MODULE_TYPE_, _DISTRIBUTION_SET_, _DISTRIBUTION_SET_TYPE_ permissions * Still kept _ROLE_REPOSITORY_ADMIN_ role granting all repository fine-graned permissions * Added dedicated _TARGET_TYPE_ permission set - the _TARGET_ permissions just grant _READ_TARGET_TYPE_ (analogically _SOFTWARE_MODULE_ permissions grant _READ_SOFTWARE_MODULE_TYPE_ and _DISTRIBUTION_SET_ grants _READ_DISTRIBUTON_SET_TYPE_ * Hierarcy is not configurable - could be completely replaced by setting spring application property org.eclipse.hawkbit.hierarchy or could be extended by adding rules using org.eclipse.hawkbit.hierarchy.ext Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-09-09 15:42:11 +03:00
parent f2e6344775
commit ae3a004da0
16 changed files with 182 additions and 219 deletions
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/Hierarchy.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/Hierarchy.java
@@ -21,7 +21,6 @@ public class Hierarchy {
            SpPermission.SOFTWARE_MODULE_HIERARCHY +
            SpPermission.DISTRIBUTION_SET_HIERARCHY +
            SpPermission.TENANT_CONFIGURATION_HIERARCHY +
-            SpRole.DEFAULT_ROLE_HIERARCHY +
-            SpPermission.REPOSITORY_HIERARCHY;
+            SpRole.DEFAULT_ROLE_HIERARCHY;
    // @formatter:on
 }
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java
@@ -67,11 +67,14 @@ public final class SpPermission {
    public static final String READ_DISTRIBUTION_SET = READ_PREFIX + DISTRIBUTION_SET;
    public static final String UPDATE_DISTRIBUTION_SET = UPDATE_PREFIX + DISTRIBUTION_SET;

-    public static final String CREATE_REPOSITORY = "CREATE_REPOSITORY";
-    public static final String READ_REPOSITORY = "READ_REPOSITORY";
-    public static final String UPDATE_REPOSITORY = "UPDATE_REPOSITORY";
-    public static final String DELETE_REPOSITORY = "DELETE_REPOSITORY";
+    /**
+     * Deprecated since 0.10.0, use {@link #SOFTWARE_MODULE_DOWNLOAD_ARTIFACT} instead
+     *
+     * @deprecated since 0.10.0, use {@link #SOFTWARE_MODULE_DOWNLOAD_ARTIFACT} instead
+     */
+    @Deprecated(since = "0.10.0", forRemoval = true)
    public static final String DOWNLOAD_REPOSITORY_ARTIFACT = "DOWNLOAD_REPOSITORY_ARTIFACT";
+    public static final String SOFTWARE_MODULE_DOWNLOAD_ARTIFACT = SOFTWARE_MODULE + "_DOWNLOAD_ARTIFACT";

    /**
     * Permission to read the tenant settings.
@@ -124,27 +127,6 @@ public final class SpPermission {
            TENANT_CONFIGURATION + IMPLY_UPDATE + TENANT_CONFIGURATION + "\n" +
            TENANT_CONFIGURATION + IMPLY_DELETE + TENANT_CONFIGURATION + "\n" +
            TENANT_CONFIGURATION + " > " + READ_GATEWAY_SECURITY_TOKEN + "\n";
-    public static final String REPOSITORY_HIERARCHY =
-            CREATE_REPOSITORY + IMPLY_CREATE + TARGET_TYPE + "\n" +
-            READ_REPOSITORY + IMPLY_READ + TARGET_TYPE + "\n" +
-            UPDATE_REPOSITORY + IMPLY_UPDATE + TARGET_TYPE + "\n" +
-            DELETE_REPOSITORY + IMPLY_DELETE + TARGET_TYPE + "\n" +
-            CREATE_REPOSITORY + IMPLY_CREATE + SOFTWARE_MODULE + "\n" +
-            READ_REPOSITORY + IMPLY_READ + SOFTWARE_MODULE + "\n" +
-            UPDATE_REPOSITORY + IMPLY_UPDATE + SOFTWARE_MODULE + "\n" +
-            DELETE_REPOSITORY + IMPLY_DELETE + SOFTWARE_MODULE + "\n" +
-            CREATE_REPOSITORY + IMPLY_CREATE + SOFTWARE_MODULE_TYPE + "\n" +
-            READ_REPOSITORY + IMPLY_READ + SOFTWARE_MODULE_TYPE + "\n" +
-            UPDATE_REPOSITORY + IMPLY_UPDATE + SOFTWARE_MODULE_TYPE + "\n" +
-            DELETE_REPOSITORY + IMPLY_DELETE + SOFTWARE_MODULE_TYPE + "\n" +
-            CREATE_REPOSITORY + IMPLY_CREATE + DISTRIBUTION_SET + "\n" +
-            READ_REPOSITORY + IMPLY_READ + DISTRIBUTION_SET + "\n" +
-            UPDATE_REPOSITORY + IMPLY_UPDATE + DISTRIBUTION_SET + "\n" +
-            DELETE_REPOSITORY + IMPLY_DELETE + DISTRIBUTION_SET + "\n" +
-            CREATE_REPOSITORY + IMPLY_CREATE + DISTRIBUTION_SET_TYPE + "\n" +
-            READ_REPOSITORY + IMPLY_READ + DISTRIBUTION_SET_TYPE + "\n" +
-            UPDATE_REPOSITORY + IMPLY_UPDATE + DISTRIBUTION_SET_TYPE + "\n" +
-            DELETE_REPOSITORY + IMPLY_DELETE + DISTRIBUTION_SET_TYPE + "\n";

    // @formatter:on
    private static final SingletonSupplier<List<String>> ALL_AUTHORITIES = SingletonSupplier.of(() -> {
@@ -163,7 +145,7 @@ public final class SpPermission {
        // special
        allPermissions.add(READ_TARGET_SECURITY_TOKEN);
        allPermissions.add(READ_GATEWAY_SECURITY_TOKEN);
-        allPermissions.add(DOWNLOAD_REPOSITORY_ARTIFACT);
+        allPermissions.add(SOFTWARE_MODULE_DOWNLOAD_ARTIFACT);
        allPermissions.add(APPROVE_ROLLOUT);
        allPermissions.add(HANDLE_ROLLOUT);

@@ -176,6 +158,9 @@ public final class SpPermission {
        // system permission, (!) take care with
        allPermissions.add(SYSTEM_ADMIN);

+        // add deprecated permissions
+        allPermissions.add(DOWNLOAD_REPOSITORY_ARTIFACT);
+
        return Collections.unmodifiableList(allPermissions);
    });

--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java
@@ -46,6 +46,24 @@ public final class SpRole {
            TARGET_ADMIN + IMPLIES + SpPermission.READ_TARGET_TYPE + LINE_BREAK +
            TARGET_ADMIN + IMPLIES + SpPermission.UPDATE_TARGET_TYPE + LINE_BREAK +
            TARGET_ADMIN + IMPLIES + SpPermission.DELETE_TARGET_TYPE + LINE_BREAK;
+    public static final String REPOSITORY_ADMIN_HIERARCHY =
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.CREATE_PREFIX + SpPermission.SOFTWARE_MODULE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.READ_PREFIX + SpPermission.SOFTWARE_MODULE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.UPDATE_PREFIX + SpPermission.SOFTWARE_MODULE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.DELETE_PREFIX + SpPermission.SOFTWARE_MODULE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.SOFTWARE_MODULE_DOWNLOAD_ARTIFACT + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.CREATE_PREFIX + SpPermission.SOFTWARE_MODULE_TYPE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.READ_PREFIX + SpPermission.SOFTWARE_MODULE_TYPE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.UPDATE_PREFIX + SpPermission.SOFTWARE_MODULE_TYPE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.DELETE_PREFIX + SpPermission.SOFTWARE_MODULE_TYPE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.CREATE_PREFIX + SpPermission.DISTRIBUTION_SET + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.READ_PREFIX + SpPermission.DISTRIBUTION_SET + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.UPDATE_PREFIX + SpPermission.DISTRIBUTION_SET + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.DELETE_PREFIX + SpPermission.DISTRIBUTION_SET + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.CREATE_PREFIX + SpPermission.DISTRIBUTION_SET_TYPE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.READ_PREFIX + SpPermission.DISTRIBUTION_SET_TYPE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.UPDATE_PREFIX + SpPermission.DISTRIBUTION_SET_TYPE + LINE_BREAK +
+            REPOSITORY_ADMIN + IMPLIES + SpPermission.DELETE_PREFIX + SpPermission.DISTRIBUTION_SET_TYPE + LINE_BREAK;
    public static final String ROLLOUT_ADMIN_HIERARCHY =
            ROLLOUT_ADMIN + IMPLIES + SpPermission.CREATE_ROLLOUT + LINE_BREAK +
            ROLLOUT_ADMIN + IMPLIES + SpPermission.READ_ROLLOUT + LINE_BREAK +
@@ -56,23 +74,17 @@ public final class SpRole {
    public static final String TENANT_ADMIN_HIERARCHY =
            TENANT_ADMIN + IMPLIES + TARGET_ADMIN + LINE_BREAK +
            TENANT_ADMIN + IMPLIES + REPOSITORY_ADMIN + LINE_BREAK +
-            TENANT_ADMIN + IMPLIES + SpPermission.TENANT_CONFIGURATION + LINE_BREAK +
-            TENANT_ADMIN + IMPLIES + ROLLOUT_ADMIN + LINE_BREAK;
+            TENANT_ADMIN + IMPLIES + ROLLOUT_ADMIN + LINE_BREAK +
+            TENANT_ADMIN + IMPLIES + SpPermission.TENANT_CONFIGURATION + LINE_BREAK;
    public static final String SYSTEM_ROLE_HIERARCHY =
            SYSTEM_ROLE + IMPLIES + TENANT_ADMIN + LINE_BREAK +
            SYSTEM_ROLE + IMPLIES + SpPermission.SYSTEM_ADMIN + LINE_BREAK;
-    public static final String REPOSITORY_ADMIN_HIERARCHY =
-            REPOSITORY_ADMIN + IMPLIES + SpPermission.READ_REPOSITORY + LINE_BREAK +
-            REPOSITORY_ADMIN + IMPLIES + SpPermission.UPDATE_REPOSITORY + LINE_BREAK +
-            REPOSITORY_ADMIN + IMPLIES + SpPermission.CREATE_REPOSITORY + LINE_BREAK +
-            REPOSITORY_ADMIN + IMPLIES + SpPermission.DELETE_REPOSITORY + LINE_BREAK +
-            REPOSITORY_ADMIN + IMPLIES + SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT + LINE_BREAK;

    public static final String DEFAULT_ROLE_HIERARCHY =
            TARGET_ADMIN_HIERARCHY +
+            REPOSITORY_ADMIN_HIERARCHY +
            ROLLOUT_ADMIN_HIERARCHY +
            TENANT_ADMIN_HIERARCHY +
-            SYSTEM_ROLE_HIERARCHY +
-            REPOSITORY_ADMIN_HIERARCHY;
+            SYSTEM_ROLE_HIERARCHY;
    // @formatter:on
 }