Merge branch 'master' into feature_configurable_mgmt_sim_scenario
Conflicts: hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/RepositoryApplicationConfiguration.java Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
This commit is contained in:
@@ -17,7 +17,7 @@ import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
|
||||
/**
|
||||
*
|
||||
* Service to check permissions.
|
||||
*
|
||||
*/
|
||||
public class PermissionService {
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.im.authentication;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
|
||||
/**
|
||||
* Utility method for creation of <tt>GrantedAuthority</tt> collections etc.
|
||||
*/
|
||||
public final class PermissionUtils {
|
||||
|
||||
private PermissionUtils() {
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Create {@link GrantedAuthority} by a special role.
|
||||
*
|
||||
* @param roles
|
||||
* the roles
|
||||
* @return a list of {@link GrantedAuthority}
|
||||
*/
|
||||
public static List<GrantedAuthority> createAuthorityList(final Collection<String> roles) {
|
||||
final List<GrantedAuthority> authorities = new ArrayList<>(roles.size());
|
||||
|
||||
for (final String role : roles) {
|
||||
authorities.add(new SimpleGrantedAuthority(role));
|
||||
}
|
||||
|
||||
return authorities;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns all authorities.
|
||||
*
|
||||
* @return a list of {@link GrantedAuthority}
|
||||
*/
|
||||
public static List<GrantedAuthority> createAllAuthorityList() {
|
||||
return createAuthorityList(SpPermission.getAllAuthorities());
|
||||
}
|
||||
}
|
||||
@@ -9,7 +9,16 @@
|
||||
package org.eclipse.hawkbit.im.authentication;
|
||||
|
||||
import java.lang.annotation.Target;
|
||||
import java.lang.reflect.Field;
|
||||
import java.lang.reflect.Modifier;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
|
||||
@@ -35,6 +44,8 @@ import org.springframework.security.core.GrantedAuthority;
|
||||
*/
|
||||
public final class SpPermission {
|
||||
|
||||
private static final Logger LOGGER = LoggerFactory.getLogger(SpPermission.class);
|
||||
|
||||
/**
|
||||
* Permission to read the targets from the
|
||||
* {@link ProvisioningTargetRepository} including their meta information,
|
||||
@@ -139,6 +150,53 @@ public final class SpPermission {
|
||||
// Constants only
|
||||
}
|
||||
|
||||
/**
|
||||
* Return all permission.
|
||||
*
|
||||
* @return all permission
|
||||
*/
|
||||
public static Collection<String> getAllAuthorities() {
|
||||
return getAllAuthorities(Collections.emptyList());
|
||||
}
|
||||
|
||||
/**
|
||||
* Return all permission.
|
||||
*
|
||||
* @param exclusionRoles
|
||||
* roles which will excluded
|
||||
* @return all permissions
|
||||
*/
|
||||
public static Collection<String> getAllAuthorities(final String... exclusionRoles) {
|
||||
return getAllAuthorities(Arrays.asList(exclusionRoles));
|
||||
}
|
||||
|
||||
/**
|
||||
* Return all permission.
|
||||
*
|
||||
* @param exclusionRoles
|
||||
* roles which will excluded
|
||||
* @return all permissions
|
||||
*/
|
||||
public static Collection<String> getAllAuthorities(final Collection<String> exclusionRoles) {
|
||||
final List<String> allPermissions = new ArrayList<>();
|
||||
final Field[] declaredFields = SpPermission.class.getDeclaredFields();
|
||||
for (final Field field : declaredFields) {
|
||||
if (Modifier.isPublic(field.getModifiers()) && Modifier.isStatic(field.getModifiers())) {
|
||||
field.setAccessible(true);
|
||||
try {
|
||||
final String role = (String) field.get(null);
|
||||
if (!(exclusionRoles.contains(role))) {
|
||||
allPermissions.add(role);
|
||||
}
|
||||
} catch (final IllegalAccessException e) {
|
||||
LOGGER.error(e.getMessage(), e);
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
return allPermissions;
|
||||
}
|
||||
|
||||
/**
|
||||
* Contains all the spring security evaluation expressions for the
|
||||
* {@link PreAuthorize} annotation for method security.
|
||||
|
||||
@@ -8,8 +8,10 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.security;
|
||||
|
||||
import static java.util.concurrent.TimeUnit.SECONDS;
|
||||
import static org.eclipse.hawkbit.security.SecurityConstants.SECURITY_LOG_PREFIX;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.concurrent.atomic.AtomicInteger;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@@ -31,25 +33,21 @@ import com.google.common.cache.CacheBuilder;
|
||||
/**
|
||||
* Filter for protection against denial of service attacks. It reduces the
|
||||
* maximum number of request per seconds which can be separately configured for
|
||||
* read (GET) and write (PUT/POST/DELETE) requests. requests
|
||||
*
|
||||
*
|
||||
*
|
||||
*
|
||||
* read (GET) and write (PUT/POST/DELETE) requests.
|
||||
*/
|
||||
public class DosFilter extends OncePerRequestFilter {
|
||||
|
||||
private static final Logger LOG = LoggerFactory.getLogger(DosFilter.class);
|
||||
private static final Logger LOG_DOS = LoggerFactory.getLogger("server-security.dos");
|
||||
private static final Logger LOG_BLACKLIST = LoggerFactory.getLogger("server-security.blacklist");
|
||||
private static final Logger LOG_DOS = LoggerFactory.getLogger(SECURITY_LOG_PREFIX + ".dos");
|
||||
private static final Logger LOG_BLACKLIST = LoggerFactory.getLogger(SECURITY_LOG_PREFIX + ".blacklist");
|
||||
|
||||
private final Pattern ipAdressBlacklist;
|
||||
|
||||
private final Cache<String, AtomicInteger> readCountCache = CacheBuilder.newBuilder()
|
||||
.expireAfterAccess(1, TimeUnit.SECONDS).build();
|
||||
private final Cache<String, AtomicInteger> readCountCache = CacheBuilder.newBuilder().expireAfterAccess(1, SECONDS)
|
||||
.build();
|
||||
|
||||
private final Cache<String, AtomicInteger> writeCountCache = CacheBuilder.newBuilder()
|
||||
.expireAfterAccess(1, TimeUnit.SECONDS).build();
|
||||
private final Cache<String, AtomicInteger> writeCountCache = CacheBuilder.newBuilder().expireAfterAccess(1, SECONDS)
|
||||
.build();
|
||||
|
||||
private final Integer maxRead;
|
||||
private final Integer maxWrite;
|
||||
@@ -78,7 +76,7 @@ public class DosFilter extends OncePerRequestFilter {
|
||||
*/
|
||||
public DosFilter(final Integer maxRead, final Integer maxWrite, final String ipDosWhiteListPattern,
|
||||
final String ipBlackListPattern, final String forwardHeader) {
|
||||
super();
|
||||
|
||||
this.maxRead = maxRead;
|
||||
this.maxWrite = maxWrite;
|
||||
this.forwardHeader = forwardHeader;
|
||||
@@ -96,14 +94,6 @@ public class DosFilter extends OncePerRequestFilter {
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
*
|
||||
* @see
|
||||
* org.springframework.web.filter.OncePerRequestFilter#doFilterInternal(
|
||||
* javax.servlet.http. HttpServletRequest,
|
||||
* javax.servlet.http.HttpServletResponse, javax.servlet.FilterChain)
|
||||
*/
|
||||
@Override
|
||||
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
|
||||
final FilterChain filterChain) throws ServletException, IOException {
|
||||
@@ -152,11 +142,9 @@ public class DosFilter extends OncePerRequestFilter {
|
||||
}
|
||||
|
||||
private static boolean handleMissingIpAddress(final HttpServletResponse response) {
|
||||
boolean processChain;
|
||||
LOG.error("Failed to get peer IP adress");
|
||||
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
|
||||
processChain = false;
|
||||
return processChain;
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean handleWriteRequest(final HttpServletResponse response, final String ip) {
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.security;
|
||||
|
||||
/**
|
||||
* Constants related to security.
|
||||
*/
|
||||
public final class SecurityConstants {
|
||||
|
||||
/**
|
||||
* Logger prefix used for security logging.
|
||||
*/
|
||||
public static final String SECURITY_LOG_PREFIX = "server-security";
|
||||
|
||||
private SecurityConstants() {
|
||||
|
||||
}
|
||||
}
|
||||
@@ -14,12 +14,8 @@ import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.userdetails.UserDetails;
|
||||
|
||||
/**
|
||||
* Auditor class that allows {@link BaseEntity}s to insert currenlt logged in
|
||||
* user for repository changes.
|
||||
*
|
||||
*
|
||||
*
|
||||
*
|
||||
* Auditor class that allows BaseEntitys to insert current logged in user for
|
||||
* repository changes.
|
||||
*
|
||||
*/
|
||||
public class SpringSecurityAuditorAware implements AuditorAware<String> {
|
||||
@@ -29,16 +25,21 @@ public class SpringSecurityAuditorAware implements AuditorAware<String> {
|
||||
|
||||
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
||||
|
||||
if (authentication == null || !authentication.isAuthenticated()) {
|
||||
if (isAuthenticationInvalid(authentication)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (authentication.getPrincipal() != null) {
|
||||
if (authentication.getPrincipal() instanceof UserDetails) {
|
||||
return ((UserDetails) authentication.getPrincipal()).getUsername();
|
||||
}
|
||||
return authentication.getPrincipal().toString();
|
||||
return getCurrentAuditor(authentication);
|
||||
}
|
||||
|
||||
private String getCurrentAuditor(final Authentication authentication) {
|
||||
if (authentication.getPrincipal() instanceof UserDetails) {
|
||||
return ((UserDetails) authentication.getPrincipal()).getUsername();
|
||||
}
|
||||
return null;
|
||||
return authentication.getPrincipal().toString();
|
||||
}
|
||||
|
||||
private static boolean isAuthenticationInvalid(final Authentication authentication) {
|
||||
return authentication == null || !authentication.isAuthenticated() || authentication.getPrincipal() == null;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,54 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.im.authentication;
|
||||
|
||||
import static org.fest.assertions.api.Assertions.assertThat;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.context.annotation.Description;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
|
||||
import ru.yandex.qatools.allure.annotations.Features;
|
||||
import ru.yandex.qatools.allure.annotations.Stories;
|
||||
|
||||
/**
|
||||
* Test {@link SpPermission}.
|
||||
*/
|
||||
@Features("Unit Tests - Security")
|
||||
@Stories("Permission Test")
|
||||
public final class PermissionTest {
|
||||
|
||||
@Test
|
||||
@Description("Verify the get permission function")
|
||||
public void testGetPermissions() {
|
||||
final int allPermission = 15;
|
||||
final int permissionWithoutSystem = allPermission - 3;
|
||||
final Collection<String> allAuthorities = SpPermission.getAllAuthorities();
|
||||
final List<GrantedAuthority> allAuthoritiesList = PermissionUtils.createAllAuthorityList();
|
||||
assertThat(allAuthorities).hasSize(allPermission);
|
||||
assertThat(allAuthoritiesList).hasSize(allPermission);
|
||||
assertThat(allAuthoritiesList.stream().map(authority -> authority.getAuthority()).collect(Collectors.toList()))
|
||||
.containsAll(allAuthorities);
|
||||
|
||||
final Collection<String> authoritiesWithoutSystem = SpPermission.getAllAuthorities(SpPermission.SYSTEM_ADMIN,
|
||||
SpPermission.SYSTEM_DIAG, SpPermission.SYSTEM_MONITOR);
|
||||
final List<GrantedAuthority> authoritiesListWithoutSystem = PermissionUtils.createAuthorityList(SpPermission
|
||||
.getAllAuthorities(SpPermission.SYSTEM_ADMIN, SpPermission.SYSTEM_DIAG, SpPermission.SYSTEM_MONITOR));
|
||||
|
||||
assertThat(authoritiesWithoutSystem).hasSize(permissionWithoutSystem);
|
||||
assertThat(authoritiesListWithoutSystem).hasSize(permissionWithoutSystem);
|
||||
assertThat(authoritiesListWithoutSystem.stream().map(authority -> authority.getAuthority())
|
||||
.collect(Collectors.toList())).containsAll(authoritiesWithoutSystem);
|
||||
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user