Remove anonymous controller support (#2285)

It's not a usable feature, and it is error-prone - someone could leave anonymous access enabled by mistake

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
Avgustin Marinov
2025-02-17 17:17:49 +02:00
committed by GitHub
parent 59f2eed87b
commit cace8bd20e
9 changed files with 58 additions and 323 deletions


@@ -1,56 +0,0 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.security.controller;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.security.SystemSecurityContext;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
/**
* A pre-authenticated processing filter which add the
* {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the
* security context in case the anonymous download is allowed through
* configuration.
*/
public class ControllerPreAuthenticatedAnonymousDownload extends AbstractControllerAuthenticationFilter {
/**
* Constructor.
*
* @param tenantConfigurationManagement the tenant management service to retrieve configuration
* properties
* @param tenantAware the tenant aware service to get configuration for the specific
* tenant
* @param systemSecurityContext the system security context to get access to tenant
* configuration
*/
public ControllerPreAuthenticatedAnonymousDownload(
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
final SystemSecurityContext systemSecurityContext) {
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
}
@Override
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
}
@Override
public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
}
@Override
protected String getTenantConfigurationKey() {
return TenantConfigurationKey.ANONYMOUS_DOWNLOAD_MODE_ENABLED;
}
}


@@ -1,46 +0,0 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.security.controller;
import org.eclipse.hawkbit.security.DdiSecurityProperties;
/**
* An anonymous controller filter which is only enabled in case of anonymous
* access is granted. This should only be for development purposes.
*
* @see org.eclipse.hawkbit.security.DdiSecurityProperties
*/
public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticationFilter {
private final DdiSecurityProperties ddiSecurityConfiguration;
/**
* @param ddiSecurityConfiguration the security configuration which holds the configuration if
* anonymous is enabled or not
*/
public ControllerPreAuthenticatedAnonymousFilter(final DdiSecurityProperties ddiSecurityConfiguration) {
this.ddiSecurityConfiguration = ddiSecurityConfiguration;
}
@Override
public boolean isEnable(final ControllerSecurityToken securityToken) {
return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
}
@Override
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
}
@Override
public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
}
}


@@ -27,7 +27,7 @@ import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.T
* 5d8fSD54fdsFG98DDsa.}
*/
@Slf4j
public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractControllerAuthenticationFilter {
public class ControllerPreAuthenticatedSecurityTokenFilter extends AbstractControllerAuthenticationFilter {
private static final String TARGET_SECURITY_TOKEN_AUTH_SCHEME = "TargetToken ";
private static final int OFFSET_TARGET_TOKEN = TARGET_SECURITY_TOKEN_AUTH_SCHEME.length();
@@ -46,7 +46,7 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
* @param systemSecurityContext the system security context to get access to tenant
* configuration
*/
public ControllerPreAuthenticateSecurityTokenFilter(
public ControllerPreAuthenticatedSecurityTokenFilter(
final TenantConfigurationManagement tenantConfigurationManagement,
final ControllerManagement controllerManagement, final TenantAware tenantAware,
final SystemSecurityContext systemSecurityContext) {


@@ -1,58 +0,0 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.security.controller;
import static org.assertj.core.api.Assertions.assertThat;
import io.qameta.allure.Feature;
import io.qameta.allure.Story;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.security.SystemSecurityContext;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
@Feature("Unit Tests - Security")
@Story("Exclude path aware shallow ETag filter")
@ExtendWith(MockitoExtension.class)
class ControllerPreAuthenticatedAnonymousDownloadTest {
private ControllerPreAuthenticatedAnonymousDownload underTest;
@Mock
private TenantConfigurationManagement tenantConfigurationManagementMock;
@Mock
private TenantAware tenantAwareMock;
@BeforeEach
void before() {
underTest = new ControllerPreAuthenticatedAnonymousDownload(tenantConfigurationManagementMock, tenantAwareMock,
new SystemSecurityContext(tenantAwareMock));
}
@Test
void useCorrectTenantConfiguationKey() {
assertThat(underTest.getTenantConfigurationKey()).as("Should be using the correct tenant configuration key")
.isEqualTo(underTest.getTenantConfigurationKey());
}
@Test
void successfulAuthenticationAdditionalAuthoritiesForDownload() {
assertThat(underTest.getSuccessfulAuthenticationAuthorities())
.as("Additional authorities should be containing the download anonymous role")
.contains(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
}
}