Implement Action Access Control (#2687)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
@@ -9,7 +9,14 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.jpa.acm;
|
||||
|
||||
import java.lang.reflect.Proxy;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
|
||||
import jakarta.persistence.criteria.From;
|
||||
import jakarta.persistence.criteria.Join;
|
||||
import jakarta.persistence.criteria.Root;
|
||||
import jakarta.persistence.metamodel.EntityType;
|
||||
|
||||
import lombok.Getter;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
@@ -21,7 +28,9 @@ import org.eclipse.hawkbit.repository.SoftwareModuleTypeFields;
|
||||
import org.eclipse.hawkbit.repository.TagFields;
|
||||
import org.eclipse.hawkbit.repository.TargetFields;
|
||||
import org.eclipse.hawkbit.repository.TargetTypeFields;
|
||||
import org.eclipse.hawkbit.repository.exception.InsufficientPermissionException;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaAction;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaAction_;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaDistributionSet;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaDistributionSetType;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaSoftwareModule;
|
||||
@@ -31,6 +40,7 @@ import org.eclipse.hawkbit.repository.jpa.model.JpaTargetType;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.data.jpa.domain.Specification;
|
||||
|
||||
@Configuration
|
||||
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.enabled", havingValue = "true", matchIfMissing = true)
|
||||
@@ -42,11 +52,38 @@ public class DefaultAccessControllerConfiguration {
|
||||
return new DefaultAccessController<>(TargetFields.class, SpPermission.TARGET);
|
||||
}
|
||||
|
||||
// after adding support for internal action field search support it add matchIfMissing = true
|
||||
@Bean
|
||||
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.action.enabled", havingValue = "true", matchIfMissing = false)
|
||||
AccessController<JpaAction> actionAccessController() {
|
||||
return new DefaultAccessController<>(ActionFieldsInternal.class, SpPermission.TARGET);
|
||||
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.action.enabled", havingValue = "true", matchIfMissing = true)
|
||||
AccessController<JpaAction> actionAccessController(final AccessController<JpaTarget> targetAccessController) {
|
||||
return new AccessController<>() {
|
||||
|
||||
@Override
|
||||
@SuppressWarnings("unchecked")
|
||||
public Optional<Specification<JpaAction>> getAccessRules(final Operation operation) {
|
||||
return targetAccessController.getAccessRules(operation).map(targetSpec -> (actionRoot, query, cb) -> {
|
||||
final Join<JpaAction, JpaTarget> targetJoin = actionRoot.join(JpaAction_.target);
|
||||
final EntityType<JpaTarget> targetModel = query.from(JpaTarget.class).getModel();
|
||||
final Root<JpaTarget> targetRoot = (Root<JpaTarget>) Proxy.newProxyInstance(
|
||||
actionRoot.getClass().getClassLoader(),
|
||||
new Class[] { Root.class },
|
||||
(proxy, method, args) -> {
|
||||
if (method.getName().equals("getModel") && method.getParameterCount() == 0) {
|
||||
return targetModel;
|
||||
} else if (method.getDeclaringClass().isAssignableFrom(From.class)) {
|
||||
return method.invoke(targetJoin, args);
|
||||
} else {
|
||||
return method.invoke(this, args);
|
||||
}
|
||||
});
|
||||
return targetSpec.toPredicate(targetRoot, query, cb);
|
||||
});
|
||||
}
|
||||
|
||||
@Override
|
||||
public void assertOperationAllowed(final Operation operation, final JpaAction entity) throws InsufficientPermissionException {
|
||||
targetAccessController.assertOperationAllowed(operation, entity.getTarget());
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
||||
Reference in New Issue
Block a user