Remove anonymous controller support (#2285)
It's not usable feature, and is error prone - someone could left anonymous enabled by mistake Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
@@ -13,12 +13,10 @@ import java.util.List;
|
|||||||
|
|
||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.eclipse.hawkbit.autoconfigure.ddi.security.ControllerTenantAwareAuthenticationDetailsSource;
|
import org.eclipse.hawkbit.autoconfigure.ddi.security.ControllerTenantAwareAuthenticationDetailsSource;
|
||||||
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticateAnonymousDownloadFilter;
|
|
||||||
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticateSecurityTokenFilter;
|
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticateSecurityTokenFilter;
|
||||||
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedGatewaySecurityTokenFilter;
|
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedGatewaySecurityTokenFilter;
|
||||||
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedSecurityHeaderFilter;
|
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedSecurityHeaderFilter;
|
||||||
import org.eclipse.hawkbit.ddi.rest.api.DdiRestConstants;
|
import org.eclipse.hawkbit.ddi.rest.api.DdiRestConstants;
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
|
||||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.rest.SecurityManagedConfiguration;
|
import org.eclipse.hawkbit.rest.SecurityManagedConfiguration;
|
||||||
@@ -39,9 +37,7 @@ import org.springframework.security.authentication.AuthenticationManager;
|
|||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
|
||||||
import org.springframework.security.web.SecurityFilterChain;
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Security configuration for the hawkBit server DDI download interface.
|
* Security configuration for the hawkBit server DDI download interface.
|
||||||
@@ -93,8 +89,7 @@ class ControllerDownloadSecurityConfiguration {
|
|||||||
@Bean
|
@Bean
|
||||||
@Order(300) // higher priority than HawkBit DDI security, so that the DDI DL security is applied first
|
@Order(300) // higher priority than HawkBit DDI security, so that the DDI DL security is applied first
|
||||||
protected SecurityFilterChain filterChainDDIDL(final HttpSecurity http) throws Exception {
|
protected SecurityFilterChain filterChainDDIDL(final HttpSecurity http) throws Exception {
|
||||||
final AuthenticationManager authenticationManager = ControllerSecurityConfiguration.setAuthenticationManager(
|
final AuthenticationManager authenticationManager = ControllerSecurityConfiguration.setAuthenticationManager(http, ddiSecurityConfiguration);
|
||||||
http, ddiSecurityConfiguration);
|
|
||||||
|
|
||||||
http
|
http
|
||||||
.securityMatcher(DDI_DL_ANT_MATCHER)
|
.securityMatcher(DDI_DL_ANT_MATCHER)
|
||||||
@@ -106,55 +101,35 @@ class ControllerDownloadSecurityConfiguration {
|
|||||||
|
|
||||||
final ControllerTenantAwareAuthenticationDetailsSource authenticationDetailsSource = new ControllerTenantAwareAuthenticationDetailsSource();
|
final ControllerTenantAwareAuthenticationDetailsSource authenticationDetailsSource = new ControllerTenantAwareAuthenticationDetailsSource();
|
||||||
|
|
||||||
if (ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled()) {
|
final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
|
||||||
log.warn(
|
ddiSecurityConfiguration.getRp().getCnHeader(),
|
||||||
SecurityManagedConfiguration.ANONYMOUS_CONTROLLER_SECURITY_ENABLED_SHOULD_ONLY_BE_USED_FOR_DEVELOPMENT_PURPOSES);
|
ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement,
|
||||||
|
tenantAware, systemSecurityContext);
|
||||||
|
securityHeaderFilter.setAuthenticationManager(authenticationManager);
|
||||||
|
securityHeaderFilter.setCheckForPrincipalChanges(true);
|
||||||
|
securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
||||||
|
|
||||||
final AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter(
|
final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
|
||||||
"controllerAnonymousFilter", "anonymous",
|
tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
|
||||||
List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
|
securityTokenFilter.setAuthenticationManager(authenticationManager);
|
||||||
anonymousFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
securityTokenFilter.setCheckForPrincipalChanges(true);
|
||||||
http
|
securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
||||||
.securityContext(AbstractHttpConfigurer::disable)
|
|
||||||
.anonymous(configurer -> configurer.authenticationFilter(anonymousFilter));
|
|
||||||
} else {
|
|
||||||
final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
|
|
||||||
ddiSecurityConfiguration.getRp().getCnHeader(),
|
|
||||||
ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement,
|
|
||||||
tenantAware, systemSecurityContext);
|
|
||||||
securityHeaderFilter.setAuthenticationManager(authenticationManager);
|
|
||||||
securityHeaderFilter.setCheckForPrincipalChanges(true);
|
|
||||||
securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
|
||||||
|
|
||||||
final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
|
final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
|
||||||
tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
|
tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
||||||
securityTokenFilter.setAuthenticationManager(authenticationManager);
|
gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager);
|
||||||
securityTokenFilter.setCheckForPrincipalChanges(true);
|
gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
|
||||||
securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
||||||
|
|
||||||
final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
|
http
|
||||||
tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
.authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
|
||||||
gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager);
|
.anonymous(AbstractHttpConfigurer::disable)
|
||||||
gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
|
.addFilter(securityHeaderFilter)
|
||||||
gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
.addFilter(securityTokenFilter)
|
||||||
|
.addFilter(gatewaySecurityTokenFilter)
|
||||||
final HttpControllerPreAuthenticateAnonymousDownloadFilter controllerAnonymousDownloadFilter = new HttpControllerPreAuthenticateAnonymousDownloadFilter(
|
.exceptionHandling(configurer -> configurer.authenticationEntryPoint(
|
||||||
tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
(request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
|
||||||
controllerAnonymousDownloadFilter.setAuthenticationManager(authenticationManager);
|
.sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
|
||||||
controllerAnonymousDownloadFilter.setCheckForPrincipalChanges(true);
|
|
||||||
controllerAnonymousDownloadFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
|
||||||
|
|
||||||
http
|
|
||||||
.authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
|
|
||||||
.anonymous(AbstractHttpConfigurer::disable)
|
|
||||||
.addFilter(securityHeaderFilter)
|
|
||||||
.addFilter(securityTokenFilter)
|
|
||||||
.addFilter(gatewaySecurityTokenFilter)
|
|
||||||
.addFilter(controllerAnonymousDownloadFilter)
|
|
||||||
.exceptionHandling(configurer -> configurer.authenticationEntryPoint(
|
|
||||||
(request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
|
|
||||||
.sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
|
|
||||||
}
|
|
||||||
|
|
||||||
MdcHandler.Filter.addMdcFilter(http);
|
MdcHandler.Filter.addMdcFilter(http);
|
||||||
|
|
||||||
|
|||||||
@@ -17,7 +17,6 @@ import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthentic
|
|||||||
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedGatewaySecurityTokenFilter;
|
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedGatewaySecurityTokenFilter;
|
||||||
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedSecurityHeaderFilter;
|
import org.eclipse.hawkbit.autoconfigure.ddi.security.HttpControllerPreAuthenticatedSecurityHeaderFilter;
|
||||||
import org.eclipse.hawkbit.ddi.rest.api.DdiRestConstants;
|
import org.eclipse.hawkbit.ddi.rest.api.DdiRestConstants;
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
|
||||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.rest.SecurityManagedConfiguration;
|
import org.eclipse.hawkbit.rest.SecurityManagedConfiguration;
|
||||||
@@ -41,9 +40,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
|
||||||
import org.springframework.security.web.SecurityFilterChain;
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Security configuration for the hawkBit server DDI interface.
|
* Security configuration for the hawkBit server DDI interface.
|
||||||
@@ -53,8 +50,7 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi
|
|||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class ControllerSecurityConfiguration {
|
class ControllerSecurityConfiguration {
|
||||||
|
|
||||||
private static final String[] DDI_ANT_MATCHERS = {
|
private static final String[] DDI_ANT_MATCHERS = { DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/**" };
|
||||||
DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/**" };
|
|
||||||
|
|
||||||
private final ControllerManagement controllerManagement;
|
private final ControllerManagement controllerManagement;
|
||||||
private final TenantConfigurationManagement tenantConfigurationManagement;
|
private final TenantConfigurationManagement tenantConfigurationManagement;
|
||||||
@@ -108,47 +104,36 @@ class ControllerSecurityConfiguration {
|
|||||||
}
|
}
|
||||||
|
|
||||||
final ControllerTenantAwareAuthenticationDetailsSource authenticationDetailsSource = new ControllerTenantAwareAuthenticationDetailsSource();
|
final ControllerTenantAwareAuthenticationDetailsSource authenticationDetailsSource = new ControllerTenantAwareAuthenticationDetailsSource();
|
||||||
if (ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled()) {
|
|
||||||
log.warn(SecurityManagedConfiguration.ANONYMOUS_CONTROLLER_SECURITY_ENABLED_SHOULD_ONLY_BE_USED_FOR_DEVELOPMENT_PURPOSES);
|
|
||||||
|
|
||||||
final AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter(
|
final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
|
||||||
"controllerAnonymousFilter", "anonymous",
|
ddiSecurityConfiguration.getRp().getCnHeader(),
|
||||||
List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
|
ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement,
|
||||||
anonymousFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
tenantAware, systemSecurityContext);
|
||||||
http
|
securityHeaderFilter.setAuthenticationManager(authenticationManager);
|
||||||
.securityContext(AbstractHttpConfigurer::disable)
|
securityHeaderFilter.setCheckForPrincipalChanges(true);
|
||||||
.anonymous(configurer -> configurer.authenticationFilter(anonymousFilter));
|
securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
||||||
} else {
|
|
||||||
final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
|
|
||||||
ddiSecurityConfiguration.getRp().getCnHeader(),
|
|
||||||
ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement,
|
|
||||||
tenantAware, systemSecurityContext);
|
|
||||||
securityHeaderFilter.setAuthenticationManager(authenticationManager);
|
|
||||||
securityHeaderFilter.setCheckForPrincipalChanges(true);
|
|
||||||
securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
|
||||||
|
|
||||||
final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
|
final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
|
||||||
tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
|
tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
|
||||||
securityTokenFilter.setAuthenticationManager(authenticationManager);
|
securityTokenFilter.setAuthenticationManager(authenticationManager);
|
||||||
securityTokenFilter.setCheckForPrincipalChanges(true);
|
securityTokenFilter.setCheckForPrincipalChanges(true);
|
||||||
securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
||||||
|
|
||||||
final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
|
final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
|
||||||
tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
||||||
gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager);
|
gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager);
|
||||||
gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
|
gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
|
||||||
gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
||||||
|
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
|
.authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
|
||||||
.anonymous(AbstractHttpConfigurer::disable)
|
.anonymous(AbstractHttpConfigurer::disable)
|
||||||
.addFilter(securityHeaderFilter)
|
.addFilter(securityHeaderFilter)
|
||||||
.addFilter(securityTokenFilter)
|
.addFilter(securityTokenFilter)
|
||||||
.addFilter(gatewaySecurityTokenFilter)
|
.addFilter(gatewaySecurityTokenFilter)
|
||||||
.exceptionHandling(configurer -> configurer.authenticationEntryPoint(
|
.exceptionHandling(configurer -> configurer.authenticationEntryPoint(
|
||||||
(request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
|
(request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
|
||||||
.sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
|
.sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
|
||||||
}
|
|
||||||
|
|
||||||
MdcHandler.Filter.addMdcFilter(http);
|
MdcHandler.Filter.addMdcFilter(http);
|
||||||
|
|
||||||
|
|||||||
@@ -1,52 +0,0 @@
|
|||||||
/**
|
|
||||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
|
|
||||||
*
|
|
||||||
* This program and the accompanying materials are made
|
|
||||||
* available under the terms of the Eclipse Public License 2.0
|
|
||||||
* which is available at https://www.eclipse.org/legal/epl-2.0/
|
|
||||||
*
|
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
|
||||||
*/
|
|
||||||
package org.eclipse.hawkbit.autoconfigure.ddi.security;
|
|
||||||
|
|
||||||
import lombok.extern.slf4j.Slf4j;
|
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
|
||||||
import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticatedAnonymousDownload;
|
|
||||||
import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter;
|
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
|
||||||
import org.slf4j.Logger;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* An pre-authenticated processing filter which add the
|
|
||||||
* {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the
|
|
||||||
* security context in case the anonymous download is allowed through
|
|
||||||
* configuration.
|
|
||||||
*/
|
|
||||||
@Slf4j
|
|
||||||
public class HttpControllerPreAuthenticateAnonymousDownloadFilter extends AbstractHttpControllerAuthenticationFilter {
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Constructor.
|
|
||||||
*
|
|
||||||
* @param tenantConfigurationManagement the system management service to retrieve configuration properties
|
|
||||||
* @param tenantAware the tenant aware service to get configuration for the specific tenant
|
|
||||||
* @param systemSecurityContext the system security context
|
|
||||||
*/
|
|
||||||
public HttpControllerPreAuthenticateAnonymousDownloadFilter(
|
|
||||||
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
|
|
||||||
final SystemSecurityContext systemSecurityContext) {
|
|
||||||
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected PreAuthenticationFilter createControllerAuthenticationFilter() {
|
|
||||||
return new ControllerPreAuthenticatedAnonymousDownload(tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected Logger log() {
|
|
||||||
return log;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -13,7 +13,7 @@ import lombok.extern.slf4j.Slf4j;
|
|||||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticateSecurityTokenFilter;
|
import org.eclipse.hawkbit.security.controller.ControllerPreAuthenticatedSecurityTokenFilter;
|
||||||
import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter;
|
import org.eclipse.hawkbit.security.controller.PreAuthenticationFilter;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
@@ -56,7 +56,7 @@ public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHt
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected PreAuthenticationFilter createControllerAuthenticationFilter() {
|
protected PreAuthenticationFilter createControllerAuthenticationFilter() {
|
||||||
return new ControllerPreAuthenticateSecurityTokenFilter(tenantConfigurationManagement, controllerManagement,
|
return new ControllerPreAuthenticatedSecurityTokenFilter(tenantConfigurationManagement, controllerManagement,
|
||||||
tenantAware, systemSecurityContext);
|
tenantAware, systemSecurityContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1,56 +0,0 @@
|
|||||||
/**
|
|
||||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
|
|
||||||
*
|
|
||||||
* This program and the accompanying materials are made
|
|
||||||
* available under the terms of the Eclipse Public License 2.0
|
|
||||||
* which is available at https://www.eclipse.org/legal/epl-2.0/
|
|
||||||
*
|
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
|
||||||
*/
|
|
||||||
package org.eclipse.hawkbit.security.controller;
|
|
||||||
|
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
|
||||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* A pre-authenticated processing filter which add the
|
|
||||||
* {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the
|
|
||||||
* security context in case the anonymous download is allowed through
|
|
||||||
* configuration.
|
|
||||||
*/
|
|
||||||
public class ControllerPreAuthenticatedAnonymousDownload extends AbstractControllerAuthenticationFilter {
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Constructor.
|
|
||||||
*
|
|
||||||
* @param tenantConfigurationManagement the tenant management service to retrieve configuration
|
|
||||||
* properties
|
|
||||||
* @param tenantAware the tenant aware service to get configuration for the specific
|
|
||||||
* tenant
|
|
||||||
* @param systemSecurityContext the system security context to get access to tenant
|
|
||||||
* configuration
|
|
||||||
*/
|
|
||||||
public ControllerPreAuthenticatedAnonymousDownload(
|
|
||||||
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
|
|
||||||
final SystemSecurityContext systemSecurityContext) {
|
|
||||||
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
|
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
|
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected String getTenantConfigurationKey() {
|
|
||||||
return TenantConfigurationKey.ANONYMOUS_DOWNLOAD_MODE_ENABLED;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,46 +0,0 @@
|
|||||||
/**
|
|
||||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
|
|
||||||
*
|
|
||||||
* This program and the accompanying materials are made
|
|
||||||
* available under the terms of the Eclipse Public License 2.0
|
|
||||||
* which is available at https://www.eclipse.org/legal/epl-2.0/
|
|
||||||
*
|
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
|
||||||
*/
|
|
||||||
package org.eclipse.hawkbit.security.controller;
|
|
||||||
|
|
||||||
import org.eclipse.hawkbit.security.DdiSecurityProperties;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* An anonymous controller filter which is only enabled in case of anonymous
|
|
||||||
* access is granted. This should only be for development purposes.
|
|
||||||
*
|
|
||||||
* @see org.eclipse.hawkbit.security.DdiSecurityProperties
|
|
||||||
*/
|
|
||||||
public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticationFilter {
|
|
||||||
|
|
||||||
private final DdiSecurityProperties ddiSecurityConfiguration;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param ddiSecurityConfiguration the security configuration which holds the configuration if
|
|
||||||
* anonymous is enabled or not
|
|
||||||
*/
|
|
||||||
public ControllerPreAuthenticatedAnonymousFilter(final DdiSecurityProperties ddiSecurityConfiguration) {
|
|
||||||
this.ddiSecurityConfiguration = ddiSecurityConfiguration;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean isEnable(final ControllerSecurityToken securityToken) {
|
|
||||||
return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public HeaderAuthentication getPreAuthenticatedPrincipal(final ControllerSecurityToken securityToken) {
|
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public HeaderAuthentication getPreAuthenticatedCredentials(final ControllerSecurityToken securityToken) {
|
|
||||||
return new HeaderAuthentication(securityToken.getControllerId(), securityToken.getControllerId());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -27,7 +27,7 @@ import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.T
|
|||||||
* 5d8fSD54fdsFG98DDsa.}
|
* 5d8fSD54fdsFG98DDsa.}
|
||||||
*/
|
*/
|
||||||
@Slf4j
|
@Slf4j
|
||||||
public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractControllerAuthenticationFilter {
|
public class ControllerPreAuthenticatedSecurityTokenFilter extends AbstractControllerAuthenticationFilter {
|
||||||
|
|
||||||
private static final String TARGET_SECURITY_TOKEN_AUTH_SCHEME = "TargetToken ";
|
private static final String TARGET_SECURITY_TOKEN_AUTH_SCHEME = "TargetToken ";
|
||||||
private static final int OFFSET_TARGET_TOKEN = TARGET_SECURITY_TOKEN_AUTH_SCHEME.length();
|
private static final int OFFSET_TARGET_TOKEN = TARGET_SECURITY_TOKEN_AUTH_SCHEME.length();
|
||||||
@@ -46,7 +46,7 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
|
|||||||
* @param systemSecurityContext the system security context to get access to tenant
|
* @param systemSecurityContext the system security context to get access to tenant
|
||||||
* configuration
|
* configuration
|
||||||
*/
|
*/
|
||||||
public ControllerPreAuthenticateSecurityTokenFilter(
|
public ControllerPreAuthenticatedSecurityTokenFilter(
|
||||||
final TenantConfigurationManagement tenantConfigurationManagement,
|
final TenantConfigurationManagement tenantConfigurationManagement,
|
||||||
final ControllerManagement controllerManagement, final TenantAware tenantAware,
|
final ControllerManagement controllerManagement, final TenantAware tenantAware,
|
||||||
final SystemSecurityContext systemSecurityContext) {
|
final SystemSecurityContext systemSecurityContext) {
|
||||||
@@ -1,58 +0,0 @@
|
|||||||
/**
|
|
||||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
|
|
||||||
*
|
|
||||||
* This program and the accompanying materials are made
|
|
||||||
* available under the terms of the Eclipse Public License 2.0
|
|
||||||
* which is available at https://www.eclipse.org/legal/epl-2.0/
|
|
||||||
*
|
|
||||||
* SPDX-License-Identifier: EPL-2.0
|
|
||||||
*/
|
|
||||||
package org.eclipse.hawkbit.security.controller;
|
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
|
||||||
|
|
||||||
import io.qameta.allure.Feature;
|
|
||||||
import io.qameta.allure.Story;
|
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
|
||||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
|
||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
|
||||||
import org.junit.jupiter.api.BeforeEach;
|
|
||||||
import org.junit.jupiter.api.Test;
|
|
||||||
import org.junit.jupiter.api.extension.ExtendWith;
|
|
||||||
import org.mockito.Mock;
|
|
||||||
import org.mockito.junit.jupiter.MockitoExtension;
|
|
||||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
|
||||||
|
|
||||||
@Feature("Unit Tests - Security")
|
|
||||||
@Story("Exclude path aware shallow ETag filter")
|
|
||||||
@ExtendWith(MockitoExtension.class)
|
|
||||||
class ControllerPreAuthenticatedAnonymousDownloadTest {
|
|
||||||
|
|
||||||
private ControllerPreAuthenticatedAnonymousDownload underTest;
|
|
||||||
|
|
||||||
@Mock
|
|
||||||
private TenantConfigurationManagement tenantConfigurationManagementMock;
|
|
||||||
|
|
||||||
@Mock
|
|
||||||
private TenantAware tenantAwareMock;
|
|
||||||
|
|
||||||
@BeforeEach
|
|
||||||
void before() {
|
|
||||||
underTest = new ControllerPreAuthenticatedAnonymousDownload(tenantConfigurationManagementMock, tenantAwareMock,
|
|
||||||
new SystemSecurityContext(tenantAwareMock));
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
void useCorrectTenantConfiguationKey() {
|
|
||||||
assertThat(underTest.getTenantConfigurationKey()).as("Should be using the correct tenant configuration key")
|
|
||||||
.isEqualTo(underTest.getTenantConfigurationKey());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
void successfulAuthenticationAdditionalAuthoritiesForDownload() {
|
|
||||||
assertThat(underTest.getSuccessfulAuthenticationAuthorities())
|
|
||||||
.as("Additional authorities should be containing the download anonymous role")
|
|
||||||
.contains(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -67,7 +67,6 @@ public class DdiSecurityProperties {
|
|||||||
@Data
|
@Data
|
||||||
public static class Authentication {
|
public static class Authentication {
|
||||||
|
|
||||||
private final Anonymous anonymous = new Anonymous();
|
|
||||||
private final Targettoken targettoken = new Targettoken();
|
private final Targettoken targettoken = new Targettoken();
|
||||||
private final Gatewaytoken gatewaytoken = new Gatewaytoken();
|
private final Gatewaytoken gatewaytoken = new Gatewaytoken();
|
||||||
|
|
||||||
@@ -105,17 +104,5 @@ public class DdiSecurityProperties {
|
|||||||
@ToString.Exclude
|
@ToString.Exclude
|
||||||
private String key = "";
|
private String key = "";
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Anonymous authentication.
|
|
||||||
*/
|
|
||||||
@Data
|
|
||||||
public static class Anonymous {
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Set to true to enable anonymous DDI client authentication.
|
|
||||||
*/
|
|
||||||
private boolean enabled = false;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Reference in New Issue
Block a user