Execute rollouts and auto assignments in the correct user context (#1100)

* Execute rollouts and auto assignments in correct user context Signed-off-by: Stefan Behl <stefan.behl@bosch.io> * Fix PR review findings Signed-off-by: Stefan Behl <stefan.behl@bosch.io> * Cleanup usage of lenient Signed-off-by: Stefan Behl <stefan.behl@bosch.io>
2021-04-15 12:23:14 +02:00
parent eaf6be8c94
commit cf67467fb5
14 changed files with 354 additions and 90 deletions
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java
@@ -8,16 +8,25 @@
 */
 package org.eclipse.hawkbit.autoconfigure.security;

+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import org.eclipse.hawkbit.autoconfigure.security.MultiUserProperties.User;
 import org.eclipse.hawkbit.im.authentication.PermissionService;
 import org.eclipse.hawkbit.security.DdiSecurityProperties;
+import org.eclipse.hawkbit.security.InMemoryUserAuthoritiesResolver;
 import org.eclipse.hawkbit.security.HawkbitSecurityProperties;
 import org.eclipse.hawkbit.security.SecurityContextTenantAware;
 import org.eclipse.hawkbit.security.SecurityTokenGenerator;
 import org.eclipse.hawkbit.security.SpringSecurityAuditorAware;
 import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
+import org.eclipse.hawkbit.tenancy.UserAuthoritiesResolver;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -28,23 +37,57 @@ import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+import org.springframework.util.CollectionUtils;

 /**
 * {@link EnableAutoConfiguration Auto-configuration} for security.
 */
@Configuration
-@EnableConfigurationProperties({ DdiSecurityProperties.class, HawkbitSecurityProperties.class })
+@EnableConfigurationProperties({ SecurityProperties.class, DdiSecurityProperties.class, HawkbitSecurityProperties.class,
+        MultiUserProperties.class })
 public class SecurityAutoConfiguration {

    /**
+     * Creates a {@link TenantAware} bean based on the given
+     * {@link UserAuthoritiesResolver}.
+     * 
+     * @param authoritiesResolver
+     *            The user authorities/roles resolver
+     * 
     * @return the {@link TenantAware} singleton bean which holds the current
     *         {@link TenantAware} service and make it accessible in beans which
     *         cannot access the service directly, e.g. JPA entities.
     */
    @Bean
    @ConditionalOnMissingBean
-    public TenantAware tenantAware() {
-        return new SecurityContextTenantAware();
+    public TenantAware tenantAware(final UserAuthoritiesResolver authoritiesResolver) {
+        return new SecurityContextTenantAware(authoritiesResolver);
+    }
+
+    /**
+     * Creates a {@link UserAuthoritiesResolver} bean that is responsible for
+     * resolving user authorities/roles.
+     *
+     * @param securityProperties
+     *            The Spring {@link SecurityProperties} for the security user
+     * @param multiUserProperties
+     *            The {@link MultiUserProperties} for the managed users
+     *
+     * @return an {@link InMemoryUserAuthoritiesResolver} bean
+     */
+    @Bean
+    @ConditionalOnMissingBean
+    public UserAuthoritiesResolver inMemoryAuthoritiesResolver(final SecurityProperties securityProperties,
+            final MultiUserProperties multiUserProperties) {
+        final List<User> multiUsers = multiUserProperties.getUsers();
+        final Map<String, List<String>> usersToPermissions;
+        if (!CollectionUtils.isEmpty(multiUsers)) {
+            usersToPermissions = multiUsers.stream().collect(Collectors.toMap(User::getUsername, User::getPermissions));
+        } else {
+            usersToPermissions = Collections.singletonMap(securityProperties.getUser().getName(),
+                    securityProperties.getUser().getRoles());
+        }
+        return new InMemoryUserAuthoritiesResolver(usersToPermissions);
    }

    /**