From cace8bd20ecb18874054d5093bb1a2233d80c96d Mon Sep 17 00:00:00 2001 From: Avgustin Marinov Date: Mon, 17 Feb 2025 17:17:49 +0200 Subject: [PATCH] Remove anonymous controller support (#2285) It's not a usable feature, and it is error-prone - someone could leave anonymous enabled by mistake Signed-off-by: Avgustin Marinov --- ...ntrollerDownloadSecurityConfiguration.java | 79 +++++++------------ .../ddi/ControllerSecurityConfiguration.java | 69 +++++++--------- ...reAuthenticateAnonymousDownloadFilter.java | 52 ------------ ...lerPreAuthenticateSecurityTokenFilter.java | 4 +- ...llerPreAuthenticatedAnonymousDownload.java | 56 ------------- ...rollerPreAuthenticatedAnonymousFilter.java | 46 ----------- ...rPreAuthenticatedSecurityTokenFilter.java} | 4 +- ...PreAuthenticatedAnonymousDownloadTest.java | 58 -------------- .../security/DdiSecurityProperties.java | 13 --- 9 files changed, 58 insertions(+), 323 deletions(-) delete mode 100644 hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java delete mode 100644 hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousDownload.java delete mode 100644 hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousFilter.java rename hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/{ControllerPreAuthenticateSecurityTokenFilter.java => ControllerPreAuthenticatedSecurityTokenFilter.java} (96%) delete mode 100644 hawkbit-security/hawkbit-security-controller/src/test/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousDownloadTest.java 
diff --git a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java index 2cc95d581..457eef9a1 100644 --- a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java +++ b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java @@ -13,12 +13,10 @@ import java.util.List; import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.autoconfigure.ddi.security.ControllerTenantAwareAuthenticationDetailsSource; -import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticateAnonymousDownloadFilter; import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticateSecurityTokenFilter; import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedGatewaySecurityTokenFilter; import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedSecurityHeaderFilter; import org.eclipse.hawkbit.ddi.rest.api.DdiRestConstants; -import org.eclipse.hawkbit.im.authentication.SpPermission; import org.eclipse.hawkbit.repository.ControllerManagement; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.rest.SecurityManagedConfiguration; 
@@ -39,9 +37,7 @@ import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; -import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.web.SecurityFilterChain; -import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; /** * Security configuration for the hawkBit server DDI download interface. @@ -93,8 +89,7 @@ class ControllerDownloadSecurityConfiguration { @Bean @Order(300) // higher priority than HawkBit DDI security, so that the DDI DL security is applied first protected SecurityFilterChain filterChainDDIDL(final HttpSecurity http) throws Exception { - final AuthenticationManager authenticationManager = ControllerSecurityConfiguration.setAuthenticationManager( - http, ddiSecurityConfiguration); + final AuthenticationManager authenticationManager = ControllerSecurityConfiguration.setAuthenticationManager(http, ddiSecurityConfiguration); http .securityMatcher(DDI_DL_ANT_MATCHER) 
@@ -106,55 +101,35 @@ class ControllerDownloadSecurityConfiguration { final ControllerTenantAwareAuthenticationDetailsSource authenticationDetailsSource = new ControllerTenantAwareAuthenticationDetailsSource(); - if (ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled()) { - log.warn( - SecurityManagedConfiguration.ANONYMOUS_CONTROLLER_SECURITY_ENABLED_SHOULD_ONLY_BE_USED_FOR_DEVELOPMENT_PURPOSES); + final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter( + ddiSecurityConfiguration.getRp().getCnHeader(), + ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement, + tenantAware, systemSecurityContext); + securityHeaderFilter.setAuthenticationManager(authenticationManager); + securityHeaderFilter.setCheckForPrincipalChanges(true); + securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - final AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter( - "controllerAnonymousFilter", "anonymous", - List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS))); - anonymousFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - http - .securityContext(AbstractHttpConfigurer::disable) - .anonymous(configurer -> configurer.authenticationFilter(anonymousFilter)); - } else { - final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter( - ddiSecurityConfiguration.getRp().getCnHeader(), - ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement, - tenantAware, systemSecurityContext); - securityHeaderFilter.setAuthenticationManager(authenticationManager); - securityHeaderFilter.setCheckForPrincipalChanges(true); - securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource); + final 
HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter( + tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext); + securityTokenFilter.setAuthenticationManager(authenticationManager); + securityTokenFilter.setCheckForPrincipalChanges(true); + securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter( - tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext); - securityTokenFilter.setAuthenticationManager(authenticationManager); - securityTokenFilter.setCheckForPrincipalChanges(true); - securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource); + final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter( + tenantConfigurationManagement, tenantAware, systemSecurityContext); + gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager); + gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true); + gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter( - tenantConfigurationManagement, tenantAware, systemSecurityContext); - gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager); - gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true); - gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - - final HttpControllerPreAuthenticateAnonymousDownloadFilter controllerAnonymousDownloadFilter = new HttpControllerPreAuthenticateAnonymousDownloadFilter( - tenantConfigurationManagement, tenantAware, 
systemSecurityContext); - controllerAnonymousDownloadFilter.setAuthenticationManager(authenticationManager); - controllerAnonymousDownloadFilter.setCheckForPrincipalChanges(true); - controllerAnonymousDownloadFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - - http - .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated()) - .anonymous(AbstractHttpConfigurer::disable) - .addFilter(securityHeaderFilter) - .addFilter(securityTokenFilter) - .addFilter(gatewaySecurityTokenFilter) - .addFilter(controllerAnonymousDownloadFilter) - .exceptionHandling(configurer -> configurer.authenticationEntryPoint( - (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value()))) - .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS)); - } + http + .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated()) + .anonymous(AbstractHttpConfigurer::disable) + .addFilter(securityHeaderFilter) + .addFilter(securityTokenFilter) + .addFilter(gatewaySecurityTokenFilter) + .exceptionHandling(configurer -> configurer.authenticationEntryPoint( + (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value()))) + .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS)); MdcHandler.Filter.addMdcFilter(http); diff --git a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java index 09331da82..76481941c 100644 --- a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java +++ b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java 
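Review bot: `TenantConfigurationKey.ANONYMOUS_DOWNLOAD_MODE_ENABLED` and the anonymous roles in `SpPermission` (`CONTROLLER_ROLE_ANONYMOUS`, `CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS`) appear to be left behind: the filters that read them are deleted and `filterChainDDIDL` no longer has an anonymous branch, yet neither declaration is among the nine files this patch touches. A tenant setting that can still be toggled but no longer affects authentication is misleading to operators, so the key and roles should be removed or deprecated in the same change, or at least marked where they are declared with something like `// no longer evaluated: anonymous controller/download support was removed`. The context imports `java.util.List` and `SecurityManagedConfiguration` also look unused now that `List.of(...)` and the `log.warn(...)` call are gone, though the rest of the file is not visible here. `filterChainDDIDL` starts and ends outside the hunk.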
@@ -17,7 +17,6 @@ import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthentic import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedGatewaySecurityTokenFilter; import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedSecurityHeaderFilter; import org.eclipse.hawkbit.ddi.rest.api.DdiRestConstants; -import org.eclipse.hawkbit.im.authentication.SpPermission; import org.eclipse.hawkbit.repository.ControllerManagement; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.rest.SecurityManagedConfiguration; @@ -41,9 +40,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; -import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.web.SecurityFilterChain; -import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; /** * Security configuration for the hawkBit server DDI interface. @@ -53,8 +50,7 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi @EnableWebSecurity class ControllerSecurityConfiguration { - private static final String[] DDI_ANT_MATCHERS = { - DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/**" }; + private static final String[] DDI_ANT_MATCHERS = { DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/**" }; private final ControllerManagement controllerManagement; private final TenantConfigurationManagement tenantConfigurationManagement; 
@@ -108,47 +104,36 @@ class ControllerSecurityConfiguration { } final ControllerTenantAwareAuthenticationDetailsSource authenticationDetailsSource = new ControllerTenantAwareAuthenticationDetailsSource(); - if (ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled()) { - log.warn(SecurityManagedConfiguration.ANONYMOUS_CONTROLLER_SECURITY_ENABLED_SHOULD_ONLY_BE_USED_FOR_DEVELOPMENT_PURPOSES); - final AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter( - "controllerAnonymousFilter", "anonymous", - List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS))); - anonymousFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - http - .securityContext(AbstractHttpConfigurer::disable) - .anonymous(configurer -> configurer.authenticationFilter(anonymousFilter)); - } else { - final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter( - ddiSecurityConfiguration.getRp().getCnHeader(), - ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement, - tenantAware, systemSecurityContext); - securityHeaderFilter.setAuthenticationManager(authenticationManager); - securityHeaderFilter.setCheckForPrincipalChanges(true); - securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource); + final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter( + ddiSecurityConfiguration.getRp().getCnHeader(), + ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement, + tenantAware, systemSecurityContext); + securityHeaderFilter.setAuthenticationManager(authenticationManager); + securityHeaderFilter.setCheckForPrincipalChanges(true); + securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - final HttpControllerPreAuthenticateSecurityTokenFilter 
securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter( - tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext); - securityTokenFilter.setAuthenticationManager(authenticationManager); - securityTokenFilter.setCheckForPrincipalChanges(true); - securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource); + final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter( + tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext); + securityTokenFilter.setAuthenticationManager(authenticationManager); + securityTokenFilter.setCheckForPrincipalChanges(true); + securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter( - tenantConfigurationManagement, tenantAware, systemSecurityContext); - gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager); - gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true); - gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource); + final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter( + tenantConfigurationManagement, tenantAware, systemSecurityContext); + gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager); + gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true); + gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource); - http - .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated()) - .anonymous(AbstractHttpConfigurer::disable) - .addFilter(securityHeaderFilter) - .addFilter(securityTokenFilter) - .addFilter(gatewaySecurityTokenFilter) - 
.exceptionHandling(configurer -> configurer.authenticationEntryPoint( - (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value()))) - .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS)); - } + http + .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated()) + .anonymous(AbstractHttpConfigurer::disable) + .addFilter(securityHeaderFilter) + .addFilter(securityTokenFilter) + .addFilter(gatewaySecurityTokenFilter) + .exceptionHandling(configurer -> configurer.authenticationEntryPoint( + (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value()))) + .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS)); MdcHandler.Filter.addMdcFilter(http); diff --git a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java deleted file mode 100644 index 5bd52f5e9..000000000 --- a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java +++ /dev/null 
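Review bot: Deployments that still set the `anonymous.enabled` flag under `DdiSecurityProperties.Authentication` get no signal after this change: the `log.warn(...)` branch is gone and, unless the properties class rejects unknown fields, the stale key will presumably bind to nothing while every unauthenticated DDI request now ends in the `HttpStatus.UNAUTHORIZED` entry point. Failing closed is the right outcome, but a release note or a one-time startup warning for the removed key would make the behaviour change visible to operators. Separately, the three-filter setup and the `http` chain here are now the same as in `ControllerDownloadSecurityConfiguration.filterChainDDIDL`; a shared static helper next to `setAuthenticationManager` would keep the two chains from drifting apart. The enclosing method starts and ends outside the hunk.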
@@ -1,52 +0,0 @@ -/** - * Copyright (c) 2015 Bosch Software Innovations GmbH and others - * - * This program and the accompanying materials are made - * available under the terms of the Eclipse Public License 2.0 - * which is available at https://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - */ -package org.eclipse.hawkbit.autoconfigure.ddi.security; - -import lombok.extern.slf4j.Slf4j; -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; -import org.eclipse.hawkbit.repository.TenantConfigurationManagement; -import org.eclipse.hawkbit.security.SystemSecurityContext; -import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticatedAnonymousDownload; -import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter; -import org.eclipse.hawkbit.tenancy.TenantAware; -import org.slf4j.Logger; - -/** - * An pre-authenticated processing filter which add the - * {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the - * security context in case the anonymous download is allowed through - * configuration. - */ -@Slf4j -public class HttpControllerPreAuthenticateAnonymousDownloadFilter extends AbstractHttpControllerAuthenticationFilter { - - /** - * Constructor. 
- * - * @param tenantConfigurationManagement the system management service to retrieve configuration properties - * @param tenantAware the tenant aware service to get configuration for the specific tenant - * @param systemSecurityContext the system security context - */ - public HttpControllerPreAuthenticateAnonymousDownloadFilter( - final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware, - final SystemSecurityContext systemSecurityContext) { - super(tenantConfigurationManagement, tenantAware, systemSecurityContext); - } - - @Override - protected PreAuthenticationFilter createControllerAuthenticationFilter() { - return new ControllerPreAuthenticatedAnonymousDownload(tenantConfigurationManagement, tenantAware, systemSecurityContext); - } - - @Override - protected Logger log() { - return log; - } -} \ No newline at end of file diff --git a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/security/HttpControllerPreAuthenticateSecurityTokenFilter.java b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/security/HttpControllerPreAuthenticateSecurityTokenFilter.java index bad813fe1..4622c085c 100644 --- a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/security/HttpControllerPreAuthenticateSecurityTokenFilter.java +++ b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/security/HttpControllerPreAuthenticateSecurityTokenFilter.java 
@@ -13,7 +13,7 @@ import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.repository.ControllerManagement; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.security.SystemSecurityContext; -import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticateSecurityTokenFilter; +import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticatedSecurityTokenFilter; import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter; import org.eclipse.hawkbit.tenancy.TenantAware; import org.slf4j.Logger; @@ -56,7 +56,7 @@ public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHt @Override protected PreAuthenticationFilter createControllerAuthenticationFilter() { - return new ControllerPreAuthenticateSecurityTokenFilter(tenantConfigurationManagement, controllerManagement, + return new ControllerPreAuthenticatedSecurityTokenFilter(tenantConfigurationManagement, controllerManagement, tenantAware, systemSecurityContext); } diff --git a/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousDownload.java b/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousDownload.java deleted file mode 100644 index 3a813ffa7..000000000 --- a/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousDownload.java +++ /dev/null 
@@ -1,56 +0,0 @@ -/** - * Copyright (c) 2015 Bosch Software Innovations GmbH and others - * - * This program and the accompanying materials are made - * available under the terms of the Eclipse Public License 2.0 - * which is available at https://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - */ -package org.eclipse.hawkbit.security.controller; - -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; -import org.eclipse.hawkbit.repository.TenantConfigurationManagement; -import org.eclipse.hawkbit.security.SystemSecurityContext; -import org.eclipse.hawkbit.tenancy.TenantAware; -import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey; - -/** - * A pre-authenticated processing filter which add the - * {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the - * security context in case the anonymous download is allowed through - * configuration. - */ -public class ControllerPreAuthenticatedAnonymousDownload extends AbstractControllerAuthenticationFilter { - - /** - * Constructor. 
- * - * @param tenantConfigurationManagement the tenant management service to retrieve configuration - * properties - * @param tenantAware the tenant aware service to get configuration for the specific - * tenant - * @param systemSecurityContext the system security context to get access to tenant - * configuration - */ - public ControllerPreAuthenticatedAnonymousDownload( - final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware, - final SystemSecurityContext systemSecurityContext) { - super(tenantConfigurationManagement, tenantAware, systemSecurityContext); - } - - @Override - public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) { - return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId()); - } - - @Override - public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) { - return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId()); - } - - @Override - protected String getTenantConfigurationKey() { - return TenantConfigurationKey.ANONYMOUS_DOWNLOAD_MODE_ENABLED; - } -} \ No newline at end of file diff --git a/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousFilter.java b/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousFilter.java deleted file mode 100644 index ce1a9fe8b..000000000 --- a/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousFilter.java +++ /dev/null 
@@ -1,46 +0,0 @@ -/** - * Copyright (c) 2015 Bosch Software Innovations GmbH and others - * - * This program and the accompanying materials are made - * available under the terms of the Eclipse Public License 2.0 - * which is available at https://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - */ -package org.eclipse.hawkbit.security.controller; - -import org.eclipse.hawkbit.security.DdiSecurityProperties; - -/** - * An anonymous controller filter which is only enabled in case of anonymous - * access is granted. This should only be for development purposes. - * - * @see org.eclipse.hawkbit.security.DdiSecurityProperties - */ -public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticationFilter { - - private final DdiSecurityProperties ddiSecurityConfiguration; - - /** - * @param ddiSecurityConfiguration the security configuration which holds the configuration if - * anonymous is enabled or not - */ - public ControllerPreAuthenticatedAnonymousFilter(final DdiSecurityProperties ddiSecurityConfiguration) { - this.ddiSecurityConfiguration = ddiSecurityConfiguration; - } - - @Override - public boolean isEnable(final ControllerSecurityToken securityToken) { - return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled(); - } - - @Override - public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) { - return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId()); - } - - @Override - public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) { - return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId()); - } -} \ No newline at end of file 
diff --git a/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticateSecurityTokenFilter.java b/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedSecurityTokenFilter.java similarity index 96% rename from hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticateSecurityTokenFilter.java rename to hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedSecurityTokenFilter.java index 836b003b5..aa30529d9 100644 --- a/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticateSecurityTokenFilter.java +++ b/hawkbit-security/hawkbit-security-controller/src/main/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedSecurityTokenFilter.java @@ -27,7 +27,7 @@ import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.T * 5d8fSD54fdsFG98DDsa.} */ @Slf4j -public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractControllerAuthenticationFilter { +public class ControllerPreAuthenticatedSecurityTokenFilter extends AbstractControllerAuthenticationFilter { private static final String TARGET_SECURITY_TOKEN_AUTH_SCHEME = "TargetToken "; private static final int OFFSET_TARGET_TOKEN = TARGET_SECURITY_TOKEN_AUTH_SCHEME.length(); 
@@ -46,7 +46,7 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro * @param systemSecurityContext the system security context to get access to tenant * configuration */ - public ControllerPreAuthenticateSecurityTokenFilter( + public ControllerPreAuthenticatedSecurityTokenFilter( final TenantConfigurationManagement tenantConfigurationManagement, final ControllerManagement controllerManagement, final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) { diff --git a/hawkbit-security/hawkbit-security-controller/src/test/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousDownloadTest.java b/hawkbit-security/hawkbit-security-controller/src/test/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousDownloadTest.java deleted file mode 100644 index 8e28c46c7..000000000 --- a/hawkbit-security/hawkbit-security-controller/src/test/java/org/eclipse/hawkbit/security/controller/ControllerPreAuthenticatedAnonymousDownloadTest.java +++ /dev/null 
@@ -1,58 +0,0 @@ -/** - * Copyright (c) 2015 Bosch Software Innovations GmbH and others - * - * This program and the accompanying materials are made - * available under the terms of the Eclipse Public License 2.0 - * which is available at https://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - */ -package org.eclipse.hawkbit.security.controller; - -import static org.assertj.core.api.Assertions.assertThat; - -import io.qameta.allure.Feature; -import io.qameta.allure.Story; -import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; -import org.eclipse.hawkbit.repository.TenantConfigurationManagement; -import org.eclipse.hawkbit.security.SystemSecurityContext; -import org.eclipse.hawkbit.tenancy.TenantAware; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.Mock; -import org.mockito.junit.jupiter.MockitoExtension; -import org.springframework.security.core.authority.SimpleGrantedAuthority; - -@Feature("Unit Tests - Security") -@Story("Exclude path aware shallow ETag filter") -@ExtendWith(MockitoExtension.class) -class ControllerPreAuthenticatedAnonymousDownloadTest { - - private ControllerPreAuthenticatedAnonymousDownload underTest; - - @Mock - private TenantConfigurationManagement tenantConfigurationManagementMock; - - @Mock - private TenantAware tenantAwareMock; - - @BeforeEach - void before() { - underTest = new ControllerPreAuthenticatedAnonymousDownload(tenantConfigurationManagementMock, tenantAwareMock, - new SystemSecurityContext(tenantAwareMock)); - } - - @Test - void useCorrectTenantConfiguationKey() { - assertThat(underTest.getTenantConfigurationKey()).as("Should be using the correct tenant configuration key") - .isEqualTo(underTest.getTenantConfigurationKey()); - } - - @Test - void successfulAuthenticationAdditionalAuthoritiesForDownload() { - assertThat(underTest.getSuccessfulAuthenticationAuthorities()) - 
.as("Additional authorities should be containing the download anonymous role") - .contains(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE)); - } -} diff --git a/hawkbit-security/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/DdiSecurityProperties.java b/hawkbit-security/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/DdiSecurityProperties.java index 7794441b1..25f9fe3ed 100644 --- a/hawkbit-security/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/DdiSecurityProperties.java +++ b/hawkbit-security/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/DdiSecurityProperties.java @@ -67,7 +67,6 @@ public class DdiSecurityProperties { @Data public static class Authentication { - private final Anonymous anonymous = new Anonymous(); private final Targettoken targettoken = new Targettoken(); private final Gatewaytoken gatewaytoken = new Gatewaytoken(); @@ -105,17 +104,5 @@ public class DdiSecurityProperties { @ToString.Exclude private String key = ""; } - - /** - * Anonymous authentication. - */ - @Data - public static class Anonymous { - - /** - * Set to true to enable anonymous DDI client authentication. - */ - private boolean enabled = false; - } } } \ No newline at end of file