Implement Action Access Control (#2687)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2025-09-23 13:31:17 +03:00
committed by GitHub
parent 9ab0a8628e
commit b702ea41d1
2 changed files with 136 additions and 4 deletions

View File

@@ -9,7 +9,14 @@
*/
package org.eclipse.hawkbit.repository.jpa.acm;
import java.lang.reflect.Proxy;
import java.util.List;
import java.util.Optional;
import jakarta.persistence.criteria.From;
import jakarta.persistence.criteria.Join;
import jakarta.persistence.criteria.Root;
import jakarta.persistence.metamodel.EntityType;
import lombok.Getter;
import org.eclipse.hawkbit.im.authentication.SpPermission;
@@ -21,7 +28,9 @@ import org.eclipse.hawkbit.repository.SoftwareModuleTypeFields;
import org.eclipse.hawkbit.repository.TagFields;
import org.eclipse.hawkbit.repository.TargetFields;
import org.eclipse.hawkbit.repository.TargetTypeFields;
import org.eclipse.hawkbit.repository.exception.InsufficientPermissionException;
import org.eclipse.hawkbit.repository.jpa.model.JpaAction;
import org.eclipse.hawkbit.repository.jpa.model.JpaAction_;
import org.eclipse.hawkbit.repository.jpa.model.JpaDistributionSet;
import org.eclipse.hawkbit.repository.jpa.model.JpaDistributionSetType;
import org.eclipse.hawkbit.repository.jpa.model.JpaSoftwareModule;
@@ -31,6 +40,7 @@ import org.eclipse.hawkbit.repository.jpa.model.JpaTargetType;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.domain.Specification;
@Configuration
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.enabled", havingValue = "true", matchIfMissing = true)
@@ -42,11 +52,38 @@ public class DefaultAccessControllerConfiguration {
return new DefaultAccessController<>(TargetFields.class, SpPermission.TARGET);
}
// after adding support for internal action field search support it add matchIfMissing = true
@Bean
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.action.enabled", havingValue = "true", matchIfMissing = false)
AccessController<JpaAction> actionAccessController() {
return new DefaultAccessController<>(ActionFieldsInternal.class, SpPermission.TARGET);
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.action.enabled", havingValue = "true", matchIfMissing = true)
AccessController<JpaAction> actionAccessController(final AccessController<JpaTarget> targetAccessController) {
return new AccessController<>() {
@Override
@SuppressWarnings("unchecked")
public Optional<Specification<JpaAction>> getAccessRules(final Operation operation) {
return targetAccessController.getAccessRules(operation).map(targetSpec -> (actionRoot, query, cb) -> {
final Join<JpaAction, JpaTarget> targetJoin = actionRoot.join(JpaAction_.target);
final EntityType<JpaTarget> targetModel = query.from(JpaTarget.class).getModel();
final Root<JpaTarget> targetRoot = (Root<JpaTarget>) Proxy.newProxyInstance(
actionRoot.getClass().getClassLoader(),
new Class[] { Root.class },
(proxy, method, args) -> {
if (method.getName().equals("getModel") && method.getParameterCount() == 0) {
return targetModel;
} else if (method.getDeclaringClass().isAssignableFrom(From.class)) {
return method.invoke(targetJoin, args);
} else {
return method.invoke(this, args);
}
});
return targetSpec.toPredicate(targetRoot, query, cb);
});
}
@Override
public void assertOperationAllowed(final Operation operation, final JpaAction entity) throws InsufficientPermissionException {
targetAccessController.assertOperationAllowed(operation, entity.getTarget());
}
};
}
@Bean