Merge remote-tracking branch 'eclipse/master' into
feature_split_repo_into_api_impl # Conflicts: # hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/DeploymentManagement.java # hawkbit-repository/src/main/java/org/eclipse/hawkbit/repository/model/Target.java Signed-off-by: Kai Zimmermann <kai.zimmermann@bosch-si.com>
@@ -67,6 +67,7 @@ import org.eclipse.hawkbit.repository.model.SoftwareModuleType;
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
import org.eclipse.hawkbit.repository.model.TargetUpdateStatus;
|
||||
import org.eclipse.hawkbit.repository.rsql.RSQLUtility;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.hibernate.validator.constraints.NotEmpty;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
@@ -131,6 +132,9 @@ public class JpaDeploymentManagement implements DeploymentManagement {
|
||||
@Autowired
|
||||
private AfterTransactionCommitExecutor afterCommit;
|
||||
|
||||
@Autowired
|
||||
private SystemSecurityContext systemSecurityContext;
|
||||
|
||||
@Override
|
||||
@Transactional(isolation = Isolation.READ_COMMITTED)
|
||||
@Modifying
|
||||
@@ -348,14 +352,14 @@ public class JpaDeploymentManagement implements DeploymentManagement {
|
||||
private void assignDistributionSetEvent(final JpaTarget target, final Long actionId,
|
||||
final List<JpaSoftwareModule> modules) {
|
||||
((JpaTargetInfo) target.getTargetInfo()).setUpdateStatus(TargetUpdateStatus.PENDING);
|
||||
|
||||
final String targetSecurityToken = systemSecurityContext.runAsSystem(() -> target.getSecurityToken());
|
||||
@SuppressWarnings({ "unchecked", "rawtypes" })
|
||||
final Collection<SoftwareModule> softwareModules = (Collection) modules;
|
||||
afterCommit.afterCommit(() -> {
|
||||
eventBus.post(new TargetInfoUpdateEvent(target.getTargetInfo()));
|
||||
eventBus.post(new TargetAssignDistributionSetEvent(target.getOptLockRevision(), target.getTenant(),
|
||||
target.getControllerId(), actionId, softwareModules, target.getTargetInfo().getAddress(),
|
||||
target.getSecurityToken()));
|
||||
targetSecurityToken));
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
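Review bot: The security token is now read with system privileges through `systemSecurityContext.runAsSystem(...)` regardless of what the user performing the assignment is allowed to see, and is then carried in the TargetAssignDistributionSetEvent posted after commit, yet nothing in the hunk says why the elevation is needed. A one-line comment above the `runAsSystem` call should state it — presumably because getSecurityToken() now returns null without READ_TARGET_SEC_TOKEN and the after-commit callback does not run in the caller's security context — e.g. `// read as system code: the event consumer needs the token and the after-commit callback has no caller security context`. Capturing the token before registering the callback, rather than inside it as the removed line did, is the right order since the callback runs outside the request context. The lambda can be written as the method reference `target::getSecurityToken`. The method starts and ends inside the hunk.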
@@ -44,6 +44,7 @@ import org.eclipse.hawkbit.repository.model.TargetInfo;
|
||||
import org.eclipse.hawkbit.repository.model.TargetTag;
|
||||
import org.eclipse.hawkbit.repository.model.helper.SecurityChecker;
|
||||
import org.eclipse.hawkbit.repository.model.helper.SecurityTokenGeneratorHolder;
|
||||
import org.eclipse.hawkbit.repository.model.helper.SystemSecurityContextHolder;
|
||||
import org.eclipse.persistence.annotations.CascadeOnDelete;
|
||||
import org.springframework.data.domain.Persistable;
|
||||
|
||||
@@ -210,11 +211,15 @@ public class JpaTarget extends AbstractJpaNamedEntity implements Persistable<Lon
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the securityToken
|
||||
* @return the securityToken if the current security context contains the
|
||||
* necessary permission {@link SpPermission#READ_TARGET_SEC_TOKEN}
|
||||
* or the current context is executed as system code, otherwise
|
||||
* {@code null}.
|
||||
*/
|
||||
@Override
|
||||
public String getSecurityToken() {
|
||||
if (SecurityChecker.hasPermission(SpPermission.READ_TARGET_SEC_TOKEN)) {
|
||||
if (SystemSecurityContextHolder.getInstance().getSystemSecurityContext().isCurrentThreadSystemCode()
|
||||
|| SecurityChecker.hasPermission(SpPermission.READ_TARGET_SEC_TOKEN)) {
|
||||
return securityToken;
|
||||
}
|
||||
return null;
|
||||
|
||||
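Review bot: The new javadoc states that null is returned when the permission is missing, but the same null comes back when the entity simply holds no token, so a caller cannot tell a denied read from an absent token; the javadoc should say so, e.g. `* Note that {@code null} is also returned when no token is stored, so a {@code null} result does not prove the read was denied.` (whether securityToken can be unset is not visible here, so confirm before wording it as fact). Because the getter's result now depends on the calling thread's security context, the javadoc should also tell callers that need the token from a non-user context to wrap the call in runAsSystem, as the deployment management change in this commit does. Evaluating isCurrentThreadSystemCode() before hasPermission() looks like the right order, as system-code threads presumably carry no authentication for the permission check to inspect. The method's closing brace lies outside the hunk.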
@@ -48,6 +48,7 @@ import org.eclipse.hawkbit.repository.model.DistributionSetType;
|
||||
import org.eclipse.hawkbit.repository.model.SoftwareModuleType;
|
||||
import org.eclipse.hawkbit.repository.utils.RepositoryDataGenerator.DatabaseCleanupUtil;
|
||||
import org.eclipse.hawkbit.security.DosFilter;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
@@ -198,6 +199,9 @@ public abstract class AbstractIntegrationTest implements EnvironmentAware {
|
||||
@Autowired
|
||||
protected RolloutRepository rolloutRepository;
|
||||
|
||||
@Autowired
|
||||
protected SystemSecurityContext systemSecurityContext;
|
||||
|
||||
protected MockMvc mvc;
|
||||
|
||||
@Autowired
|
||||
|
||||
@@ -160,19 +160,23 @@ public class WithSpringAuthorityRule implements TestRule {
|
||||
}
|
||||
|
||||
public static WithUser withUser(final String principal, final String... authorities) {
|
||||
return withUserAndTenant(principal, "default", true, authorities);
|
||||
return withUserAndTenant(principal, "default", true, true, authorities);
|
||||
}
|
||||
|
||||
public static WithUser withUser(final String principal, final boolean allSpPermision, final String... authorities) {
|
||||
return withUserAndTenant(principal, "default", true, allSpPermision, authorities);
|
||||
}
|
||||
|
||||
public static WithUser withUser(final boolean autoCreateTenant) {
|
||||
return withUserAndTenant("bumlux", "default", autoCreateTenant, new String[] {});
|
||||
return withUserAndTenant("bumlux", "default", autoCreateTenant, true, new String[] {});
|
||||
}
|
||||
|
||||
public static WithUser withUserAndTenant(final String principal, final String tenant, final String... authorities) {
|
||||
return withUserAndTenant(principal, tenant, true, new String[] {});
|
||||
return withUserAndTenant(principal, tenant, true, true, new String[] {});
|
||||
}
|
||||
|
||||
public static WithUser withUserAndTenant(final String principal, final String tenant,
|
||||
final boolean autoCreateTenant, final String... authorities) {
|
||||
final boolean autoCreateTenant, final boolean allSpPermission, final String... authorities) {
|
||||
return new WithUser() {
|
||||
|
||||
@Override
|
||||
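Review bot: The parameter of the new `withUser(String, boolean, String...)` overload is spelled `allSpPermision`, while the five-argument `withUserAndTenant` it delegates to spells it `allSpPermission`; rename it `final boolean allSpPermission` so the two agree and the rule's API reads consistently. The rewritten `withUserAndTenant(principal, tenant, authorities)` still passes `new String[] {}` instead of `authorities` to the five-argument overload, so authorities supplied by the caller are silently dropped; this predates the commit but the line is rewritten here, and `return withUserAndTenant(principal, tenant, true, true, authorities);` would fix it. The anonymous WithUser returned by the five-argument overload continues past the hunk.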
@@ -197,7 +201,7 @@ public class WithSpringAuthorityRule implements TestRule {
|
||||
|
||||
@Override
|
||||
public boolean allSpPermissions() {
|
||||
return true;
|
||||
return allSpPermission;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@@ -32,6 +32,7 @@ import org.eclipse.hawkbit.AbstractIntegrationTest;
|
||||
import org.eclipse.hawkbit.TestDataUtil;
|
||||
import org.eclipse.hawkbit.WithSpringAuthorityRule;
|
||||
import org.eclipse.hawkbit.WithUser;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityAlreadyExistsException;
|
||||
import org.eclipse.hawkbit.repository.exception.TenantNotExistException;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaAction;
|
||||
@@ -58,6 +59,36 @@ import ru.yandex.qatools.allure.annotations.Stories;
|
||||
@Stories("Target Management")
|
||||
public class TargetManagementTest extends AbstractIntegrationTest {
|
||||
|
||||
@Test
|
||||
@Description("Ensures that retrieving the target security is only permitted with the necessary permissions.")
|
||||
public void getTargetSecurityTokenOnlyWithCorrectPermission() throws Exception {
|
||||
final Target createdTarget = targetManagement.createTarget(new JpaTarget("targetWithSecurityToken"));
|
||||
|
||||
// retrieve security token only with READ_TARGET_SEC_TOKEN permission
|
||||
final String securityTokenWithReadPermission = securityRule.runAs(WithSpringAuthorityRule
|
||||
.withUser("OnlyTargetReadPermission", false, SpPermission.READ_TARGET_SEC_TOKEN.toString()), () -> {
|
||||
return createdTarget.getSecurityToken();
|
||||
});
|
||||
|
||||
// retrieve security token as system code execution
|
||||
final String securityTokenAsSystemCode = systemSecurityContext.runAsSystem(() -> {
|
||||
return createdTarget.getSecurityToken();
|
||||
});
|
||||
|
||||
// retrieve security token without any permissions
|
||||
final String securityTokenWithoutPermission = securityRule
|
||||
.runAs(WithSpringAuthorityRule.withUser("NoPermission", false), () -> {
|
||||
return createdTarget.getSecurityToken();
|
||||
});
|
||||
|
||||
assertThat(createdTarget.getSecurityToken()).isNotNull();
|
||||
assertThat(securityTokenWithReadPermission).isNotNull();
|
||||
assertThat(securityTokenAsSystemCode).isNotNull();
|
||||
|
||||
assertThat(securityTokenWithoutPermission).isNull();
|
||||
|
||||
}
|
||||
|
||||
@Test
|
||||
@Description("Ensures that targets cannot be created e.g. in plug'n play scenarios when tenant does not exists.")
|
||||
@WithUser(tenantId = "tenantWhichDoesNotExists", allSpPermissions = true, autoCreateTenant = false)
|
||||
|
||||
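Review bot: The negative case runs as a user with no authorities at all, so the test does not show that READ_TARGET_SEC_TOKEN specifically gates the token — a user holding other target-related permissions but not that one would need to yield null as well for the assertion to prove the intended rule; adding such a case next to the "NoPermission" block would close that gap. The assertion `assertThat(createdTarget.getSecurityToken()).isNotNull()` runs in the test class's default security context, so its outcome depends on that context holding the permission or all permissions (inferred from the rule's defaults, not visible here); a comment stating that dependency would keep the test readable. The three block lambdas can be shortened to `createdTarget::getSecurityToken`. The new test method starts and ends inside the hunk; the `@WithUser` annotation at the bottom belongs to the next test, which continues outside it.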