From c906c2f2eb6ec61989d2729c4685c49cce0f4ffd Mon Sep 17 00:00:00 2001
From: Avgustin Marinov
Date: Thu, 25 Sep 2025 16:53:19 +0300
Subject: [PATCH] Type Access Controllers enabled by default if AC is enabled (#2694)

Signed-off-by: Avgustin Marinov
---
 .../eclipse/hawkbit/repository/ArtifactManagement.java | 2 +-
 .../jpa/acm/AccessControllerConfiguration.java | 6 +++---
 .../jpa/acm/TargetTypeAccessControllerTest.java | 2 +-
 .../jpa/management/ArtifactManagementTest.java | 2 +-
 .../hawkbit/im/authentication/SpPermission.java | 10 +++++-----
 .../org/eclipse/hawkbit/im/authentication/SpRole.java | 2 +-
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java
index 7f68b5ae3..ddfe51867 100644
--- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java
@@ -62,7 +62,7 @@ public interface ArtifactManagement extends PermissionSupport {
 * @param isEncrypted flag to indicate if artifact is encrypted.
 * @return loaded {@link StoredArtifactInfo}
 */
- @PreAuthorize("hasAuthority('" + SpPermission.SOFTWARE_MODULE_DOWNLOAD + "')" + " or " + SpringEvalExpressions.IS_CONTROLLER)
+ @PreAuthorize("hasAuthority('" + SpPermission.READ_SOFTWARE_MODULE_DOWNLOAD + "')" + " or " + SpringEvalExpressions.IS_CONTROLLER)
 ArtifactStream getArtifactStream(@NotEmpty String sha1Hash, long softwareModuleId, final boolean isEncrypted);

 /**
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/AccessControllerConfiguration.java b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/AccessControllerConfiguration.java
index 0d54612d5..267590a12 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/AccessControllerConfiguration.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/AccessControllerConfiguration.java
@@ -107,7 +107,7 @@ public class AccessControllerConfiguration {
 }

 @Bean
- @ConditionalOnProperty(name = "hawkbit.acm.access-controller.target-type.enabled", havingValue = "true")
+ @ConditionalOnProperty(name = "hawkbit.acm.access-controller.target-type.enabled", havingValue = "true", matchIfMissing = true)
 AccessController targetTypeAccessController() {
 return new DefaultAccessController<>(TargetTypeFields.class, SpPermission.TARGET_TYPE);
 }
@@ -119,7 +119,7 @@ public class AccessControllerConfiguration {
 }

 @Bean
- @ConditionalOnProperty(name = "hawkbit.acm.access-controller.software-module-type.enabled", havingValue = "true")
+ @ConditionalOnProperty(name = "hawkbit.acm.access-controller.software-module-type.enabled", havingValue = "true", matchIfMissing = true)
 AccessController softwareModuleTypeAccessController() {
 return new DefaultAccessController<>(SoftwareModuleTypeFields.class, SpPermission.SOFTWARE_MODULE_TYPE);
 }
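Review bot: With `matchIfMissing = true` on `targetTypeAccessController()`, `softwareModuleTypeAccessController()` and (in the -131 hunk) `distributionSetTypeAccessController()`, a deployment that enabled access control without setting the per-type flags starts enforcing type-level checks on upgrade with no configuration change. That is the stricter default, but it can deny requests that used to succeed, so it should be stated in the migration notes and above each bean, e.g. `// On by default once access control is enabled; set hawkbit.acm.access-controller.target-type.enabled=false to opt out`. The guard on `hawkbit.acm.access-controller.enabled` that the commit title relies on is not visible in these hunks; presumably it sits at class level, which is worth confirming so the beans are not created when access control is off. The updated `TargetTypeAccessControllerTest` exercises only the missing-property path for target types; a case with the flag set to `false`, and the same for the other two types, would pin the opt-out.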
@@ -131,7 +131,7 @@ public class AccessControllerConfiguration {
 }

 @Bean
- @ConditionalOnProperty(name = "hawkbit.acm.access-controller.distribution-set-type.enabled", havingValue = "true")
+ @ConditionalOnProperty(name = "hawkbit.acm.access-controller.distribution-set-type.enabled", havingValue = "true", matchIfMissing = true)
 AccessController distributionSetTypeAccessController() {
 return new DefaultAccessController<>(DistributionSetTypeFields.class, SpPermission.DISTRIBUTION_SET_TYPE);
 }
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/TargetTypeAccessControllerTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/TargetTypeAccessControllerTest.java
index d1363af08..7a44cd586 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/TargetTypeAccessControllerTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/acm/TargetTypeAccessControllerTest.java
@@ -38,7 +38,7 @@ import org.springframework.test.context.TestPropertySource;
 * Story: Test Target Type Access Controller
 */
 @ContextConfiguration(classes = { AccessControllerConfiguration.class })
-@TestPropertySource(properties = { "hawkbit.acm.access-controller.target-type.enabled=true", "hawkbit.acm.access-controller.enabled=true" })
+@TestPropertySource(properties = "hawkbit.acm.access-controller.enabled=true")
 class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {

 /**
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementTest.java
index e28497278..28c12b08f 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementTest.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementTest.java
@@ -400,7 +400,7 @@ class ArtifactManagementTest extends AbstractJpaIntegrationTest {
 */
 @Test
 @WithUser(allSpPermissions = true, removeFromAllPermission = {
- SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT, SpPermission.SOFTWARE_MODULE_DOWNLOAD,
+ SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT, SpPermission.READ_SOFTWARE_MODULE_DOWNLOAD,
 SpRole.CONTROLLER_ROLE, SpRole.CONTROLLER_ROLE_ANONYMOUS })
 void getArtifactBinaryWithoutDownloadArtifactThrowsPermissionDenied() {
 assertThatExceptionOfType(InsufficientPermissionException.class)
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java
index ff5c57f6d..0d87cbe97 100644
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java
@@ -68,13 +68,13 @@ public final class SpPermission { public static final String UPDATE_DISTRIBUTION_SET = UPDATE_PREFIX + DISTRIBUTION_SET; /** - * Deprecated since 0.10.0, use {@link #SOFTWARE_MODULE_DOWNLOAD} instead + * Deprecated since 0.10.0, use {@link #READ_SOFTWARE_MODULE_DOWNLOAD} instead * - * @deprecated since 0.10.0, use {@link #SOFTWARE_MODULE_DOWNLOAD} instead + * @deprecated since 0.10.0, use {@link #READ_SOFTWARE_MODULE_DOWNLOAD} instead */ @Deprecated(since = "0.10.0", forRemoval = true) public static final String DOWNLOAD_REPOSITORY_ARTIFACT = "DOWNLOAD_REPOSITORY_ARTIFACT"; - public static final String SOFTWARE_MODULE_DOWNLOAD = SOFTWARE_MODULE + "_DOWNLOAD"; + public static final String READ_SOFTWARE_MODULE_DOWNLOAD = READ_PREFIX + SOFTWARE_MODULE + "_DOWNLOAD"; /** * Permission to read the tenant settings. @@ -118,7 +118,7 @@ public final class SpPermission { READ_PREFIX + SOFTWARE_MODULE + IMPLY_READ + SOFTWARE_MODULE_TYPE + LINE_BREAK + UPDATE_PREFIX + SOFTWARE_MODULE + IMPLY_READ + SOFTWARE_MODULE_TYPE + LINE_BREAK + DELETE_PREFIX + SOFTWARE_MODULE + IMPLY_READ + SOFTWARE_MODULE_TYPE + LINE_BREAK + - DOWNLOAD_REPOSITORY_ARTIFACT + IMPLY + SOFTWARE_MODULE_DOWNLOAD + LINE_BREAK; + DOWNLOAD_REPOSITORY_ARTIFACT + IMPLY + READ_SOFTWARE_MODULE_DOWNLOAD + LINE_BREAK; public static final String DISTRIBUTION_SET_HIERARCHY = CREATE_PREFIX + DISTRIBUTION_SET + IMPLY_READ + DISTRIBUTION_SET_TYPE + LINE_BREAK + READ_PREFIX + DISTRIBUTION_SET + IMPLY_READ + DISTRIBUTION_SET_TYPE + LINE_BREAK + @@ -148,7 +148,7 @@ public final class SpPermission { // special allPermissions.add(READ_TARGET_SECURITY_TOKEN); allPermissions.add(READ_GATEWAY_SECURITY_TOKEN); - allPermissions.add(SOFTWARE_MODULE_DOWNLOAD); + allPermissions.add(READ_SOFTWARE_MODULE_DOWNLOAD); allPermissions.add(APPROVE_ROLLOUT); allPermissions.add(HANDLE_ROLLOUT); 
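Review bot: In the -68 hunk, replacing `SOFTWARE_MODULE_DOWNLOAD` with `READ_SOFTWARE_MODULE_DOWNLOAD` changes the authority string itself (it gains `READ_PREFIX`), not only the constant name, and the hierarchy in the -118 hunk still maps just `DOWNLOAD_REPOSITORY_ARTIFACT` to the new value. If the old string was ever granted to users or roles, for instance through an external identity provider, those principals will fail the `hasAuthority` check on `ArtifactManagement.getArtifactStream` after upgrade; the failure is closed, but nothing signals why. Consider keeping the old constant as a deprecated alias with its own hierarchy entry, `SOFTWARE_MODULE + "_DOWNLOAD" + IMPLY + READ_SOFTWARE_MODULE_DOWNLOAD + LINE_BREAK`, or record in the release notes that the old name never shipped. The new constant also has no Javadoc and sits directly under the deprecated one; a short `/** Permission to download software module artifacts. */` (wording to be confirmed) would separate the two.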
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java
index 2b10ff832..0e1359dba 100644
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpRole.java
@@ -51,7 +51,7 @@ public final class SpRole {
 REPOSITORY_ADMIN + IMPLIES + SpPermission.READ_PREFIX + SpPermission.SOFTWARE_MODULE + LINE_BREAK +
 REPOSITORY_ADMIN + IMPLIES + SpPermission.UPDATE_PREFIX + SpPermission.SOFTWARE_MODULE + LINE_BREAK +
 REPOSITORY_ADMIN + IMPLIES + SpPermission.DELETE_PREFIX + SpPermission.SOFTWARE_MODULE + LINE_BREAK +
- REPOSITORY_ADMIN + IMPLIES + SpPermission.SOFTWARE_MODULE_DOWNLOAD + LINE_BREAK +
+ REPOSITORY_ADMIN + IMPLIES + SpPermission.READ_SOFTWARE_MODULE_DOWNLOAD + LINE_BREAK +
 REPOSITORY_ADMIN + IMPLIES + SpPermission.CREATE_PREFIX + SpPermission.SOFTWARE_MODULE_TYPE + LINE_BREAK +
 REPOSITORY_ADMIN + IMPLIES + SpPermission.READ_PREFIX + SpPermission.SOFTWARE_MODULE_TYPE + LINE_BREAK +
 REPOSITORY_ADMIN + IMPLIES + SpPermission.UPDATE_PREFIX + SpPermission.SOFTWARE_MODULE_TYPE + LINE_BREAK +