Incorporated the review comments.
Signed-off-by: Gaurav <gaurav.sahay@in.bosch.com>
This commit is contained in:
@@ -9,16 +9,16 @@
|
||||
|
||||
-->
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<parent>
|
||||
<groupId>org.eclipse.hawkbit</groupId>
|
||||
<artifactId>hawkbit-repository</artifactId>
|
||||
<version>0.2.0-SNAPSHOT</version>
|
||||
</parent>
|
||||
<artifactId>hawkbit-repository-api</artifactId>
|
||||
<name>hawkBit :: Repository API</name>
|
||||
|
||||
<dependencies>
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<parent>
|
||||
<groupId>org.eclipse.hawkbit</groupId>
|
||||
<artifactId>hawkbit-repository</artifactId>
|
||||
<version>0.2.0-SNAPSHOT</version>
|
||||
</parent>
|
||||
<artifactId>hawkbit-repository-api</artifactId>
|
||||
<name>hawkBit :: Repository API</name>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.hawkbit</groupId>
|
||||
<artifactId>hawkbit-security-core</artifactId>
|
||||
@@ -36,14 +36,33 @@
|
||||
<groupId>cz.jirutka.rsql</groupId>
|
||||
<artifactId>rsql-parser</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.hateoas</groupId>
|
||||
<artifactId>spring-hateoas</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-configuration-processor</artifactId>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
<!-- Optional -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-configuration-processor</artifactId>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
|
||||
<!-- TEST -->
|
||||
<dependency>
|
||||
<groupId>ru.yandex.qatools.allure</groupId>
|
||||
<artifactId>allure-junit-adaptor</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.easytesting</groupId>
|
||||
<artifactId>fest-assert-core</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.easytesting</groupId>
|
||||
<artifactId>fest-assert</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</project>
|
||||
@@ -183,6 +183,8 @@ public interface ControllerManagement {
|
||||
* @return the security context of the target, in case no target exists for
|
||||
* the given controllerId {@code null} is returned
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER + SpringEvalExpressions.HAS_AUTH_OR
|
||||
+ SpringEvalExpressions.HAS_AUTH_READ_TARGET_SEC_TOKEN)
|
||||
String getSecurityTokenByControllerId(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
|
||||
@@ -285,7 +285,7 @@ public interface DistributionSetManagement {
|
||||
@NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
* finds all meta data by the given distribution set id.
|
||||
* Finds all meta data by the given distribution set id.
|
||||
*
|
||||
* @param distributionSetId
|
||||
* the distribution set id to retrieve the meta data from
|
||||
|
||||
@@ -340,6 +340,7 @@ public interface SoftwareManagement {
|
||||
* to search for
|
||||
* @return {@link List} of found {@link SoftwareModule}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
List<SoftwareModule> findSoftwareModulesById(@NotEmpty Collection<Long> ids);
|
||||
|
||||
/**
|
||||
@@ -484,7 +485,7 @@ public interface SoftwareManagement {
|
||||
SoftwareModuleType updateSoftwareModuleType(@NotNull SoftwareModuleType sm);
|
||||
|
||||
/**
|
||||
* finds all meta data by the given software module id.
|
||||
* Finds all meta data by the given software module id.
|
||||
*
|
||||
* @param softwareModuleId
|
||||
* the software module id to retrieve the meta data from
|
||||
|
||||
@@ -61,6 +61,9 @@ public interface SystemManagement {
|
||||
/**
|
||||
* @return {@link TenantMetaData} of {@link TenantAware#getCurrentTenant()}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY + SpringEvalExpressions.HAS_AUTH_OR
|
||||
+ SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
|
||||
+ SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
|
||||
TenantMetaData getTenantMetadata();
|
||||
|
||||
/**
|
||||
@@ -77,6 +80,7 @@ public interface SystemManagement {
|
||||
* to retrieve data for
|
||||
* @return {@link TenantMetaData} of given tenant
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.IS_SYSTEM_CODE)
|
||||
TenantMetaData getTenantMetadata(@NotNull String tenant);
|
||||
|
||||
/**
|
||||
@@ -86,6 +90,7 @@ public interface SystemManagement {
|
||||
* to update
|
||||
* @return updated {@link TenantMetaData} entity
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
|
||||
TenantMetaData updateTenantMetadata(@NotNull TenantMetaData metaData);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ public class DistributionDeletedEvent extends AbstractDistributedEvent {
|
||||
/**
|
||||
* @param tenant
|
||||
* the tenant for this event
|
||||
* @param distributionSetId
|
||||
* @param distributionId
|
||||
* the ID of the distribution set which has been deleted
|
||||
*/
|
||||
public DistributionDeletedEvent(final String tenant, final Long distributionId) {
|
||||
|
||||
@@ -18,11 +18,10 @@ public class DistributionSetUpdateEvent extends AbstractBaseEntityEvent<Distribu
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param tag
|
||||
* the tag which is updated
|
||||
* Constructor
|
||||
* @param ds Distribution Set
|
||||
*/
|
||||
public DistributionSetUpdateEvent(final DistributionSet ds) {
|
||||
super(ds);
|
||||
|
||||
@@ -1,25 +1,29 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.eventbus.event;
|
||||
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
|
||||
/**
|
||||
* Defines the {@link AbstractBaseEntityEvent} of updating a {@link Target}.
|
||||
*
|
||||
*/
|
||||
public class TargetUpdatedEvent extends AbstractBaseEntityEvent<Target> {
|
||||
|
||||
private static final long serialVersionUID = 5665118668865832477L;
|
||||
|
||||
public TargetUpdatedEvent(Target baseEntity) {
|
||||
super(baseEntity);
|
||||
}
|
||||
|
||||
}
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.eventbus.event;
|
||||
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
|
||||
/**
|
||||
* Defines the {@link AbstractBaseEntityEvent} of updating a {@link Target}.
|
||||
*
|
||||
*/
|
||||
public class TargetUpdatedEvent extends AbstractBaseEntityEvent<Target> {
|
||||
|
||||
private static final long serialVersionUID = 5665118668865832477L;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
* @param baseEntity Target entity
|
||||
*/
|
||||
public TargetUpdatedEvent(final Target baseEntity) {
|
||||
super(baseEntity);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -0,0 +1,97 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.lang.reflect.Method;
|
||||
import java.lang.reflect.Modifier;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
|
||||
import com.google.common.reflect.ClassPath;
|
||||
|
||||
import ru.yandex.qatools.allure.annotations.Description;
|
||||
import ru.yandex.qatools.allure.annotations.Features;
|
||||
import ru.yandex.qatools.allure.annotations.Stories;
|
||||
|
||||
@Features("Unit Tests - Repository")
|
||||
@Stories("Security Test")
|
||||
public class RepositoryManagementMethodPreAuthorizeAnnotatedTest {
|
||||
|
||||
private static final Set<Method> METHOD_SECURITY_EXCLUSION = new HashSet<>();
|
||||
|
||||
static {
|
||||
METHOD_SECURITY_EXCLUSION.add(getMethod(SystemManagement.class, "currentTenant"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@Description("Verfies that repository methods are @PreAuthorize annotated")
|
||||
public void repositoryManagementMethodsArePreAuthorizedAnnotated()
|
||||
throws ClassNotFoundException, URISyntaxException, IOException {
|
||||
final List<Class<?>> findInterfacesInPackage = findInterfacesInPackage(getClass().getPackage(),
|
||||
Pattern.compile(".*Management"));
|
||||
|
||||
assertThat(findInterfacesInPackage).isNotEmpty();
|
||||
for (final Class<?> interfaceToCheck : findInterfacesInPackage) {
|
||||
assertDeclaredMethodsContainsPreAuthorizeAnnotaions(interfaceToCheck);
|
||||
}
|
||||
|
||||
// all exclusion should be used, otherwise the method exlusion should be
|
||||
// cleaned up again
|
||||
assertThat(METHOD_SECURITY_EXCLUSION).isEmpty();
|
||||
}
|
||||
|
||||
/**
|
||||
* asserts that the given methods are annotated with the
|
||||
* {@link PreAuthorize} annotation for security. Inherited methods are not
|
||||
* checked. The following methods are excluded due inherited from
|
||||
* {@link Object}, like equals() or toString().
|
||||
*
|
||||
* @param clazz
|
||||
* the class to retrieve the public declared methods
|
||||
*/
|
||||
private static void assertDeclaredMethodsContainsPreAuthorizeAnnotaions(final Class<?> clazz) {
|
||||
final Method[] declaredMethods = clazz.getDeclaredMethods();
|
||||
for (final Method method : declaredMethods) {
|
||||
final boolean methodExcluded = METHOD_SECURITY_EXCLUSION.contains(method);
|
||||
if (methodExcluded || method.isSynthetic() || Modifier.isPublic(method.getModifiers())) {
|
||||
// skip method because it should be excluded
|
||||
METHOD_SECURITY_EXCLUSION.remove(method);
|
||||
continue;
|
||||
}
|
||||
final PreAuthorize annotation = method.getAnnotation(PreAuthorize.class);
|
||||
assertThat(annotation).as("The public method " + method.getName() + " in class " + clazz.getName()
|
||||
+ " is not annoated with @PreAuthorize, security leak?").isNotNull();
|
||||
}
|
||||
}
|
||||
|
||||
private List<Class<?>> findInterfacesInPackage(final Package p, final Pattern includeFilter)
|
||||
throws URISyntaxException, IOException, ClassNotFoundException {
|
||||
return ClassPath.from(Thread.currentThread().getContextClassLoader()).getTopLevelClasses(p.getName()).stream()
|
||||
.filter(clazzInfo -> includeFilter.matcher(clazzInfo.getSimpleName()).matches())
|
||||
.map(clazzInfo -> clazzInfo.load()).filter(clazz -> clazz.isInterface()).collect(Collectors.toList());
|
||||
}
|
||||
|
||||
private static Method getMethod(final Class<?> clazz, final String methodName, final Class<?>... parameterTypes) {
|
||||
try {
|
||||
return clazz.getMethod(methodName, parameterTypes);
|
||||
} catch (NoSuchMethodException | SecurityException e) {
|
||||
throw new RuntimeException(e.getMessage(), e);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -484,12 +484,7 @@ public class JpaDistributionSetManagement implements DistributionSetManagement {
|
||||
throwMetadataKeyAlreadyExists(metadata.getId().getKey());
|
||||
}
|
||||
|
||||
final DistributionSet latestDistributionSet = findDistributionSetById(metadata.getDistributionSet().getId());
|
||||
// merge base distribution set so optLockRevision gets updated and audit
|
||||
// log written because
|
||||
// modifying metadata is modifying the base distribution set itself for
|
||||
// auditing purposes.
|
||||
entityManager.merge((JpaDistributionSet) latestDistributionSet).setLastModifiedAt(0L);
|
||||
touch(metadata.getDistributionSet());
|
||||
return distributionSetMetadataRepository.save(metadata);
|
||||
}
|
||||
|
||||
@@ -504,7 +499,7 @@ public class JpaDistributionSetManagement implements DistributionSetManagement {
|
||||
for (final JpaDistributionSetMetadata distributionSetMetadata : metadata) {
|
||||
checkAndThrowAlreadyIfDistributionSetMetadataExists(distributionSetMetadata.getId());
|
||||
}
|
||||
metadata.forEach(m -> entityManager.merge((JpaDistributionSet) findDistributionSetById(m.getDistributionSet().getId())).setLastModifiedAt(0L));
|
||||
metadata.forEach(m -> touch(m.getDistributionSet()));
|
||||
|
||||
return new ArrayList<>(
|
||||
(Collection<? extends DistributionSetMetadata>) distributionSetMetadataRepository.save(metadata));
|
||||
@@ -520,8 +515,7 @@ public class JpaDistributionSetManagement implements DistributionSetManagement {
|
||||
findOne(metadata.getDistributionSet(), metadata.getKey());
|
||||
// touch it to update the lock revision because we are modifying the
|
||||
// DS indirectly
|
||||
final DistributionSet latestDistributionSet = findDistributionSetById(metadata.getDistributionSet().getId());
|
||||
entityManager.merge((JpaDistributionSet) latestDistributionSet).setLastModifiedAt(0L);
|
||||
touch(metadata.getDistributionSet());;
|
||||
return distributionSetMetadataRepository.save(metadata);
|
||||
}
|
||||
|
||||
@@ -529,11 +523,23 @@ public class JpaDistributionSetManagement implements DistributionSetManagement {
|
||||
@Transactional(isolation = Isolation.READ_UNCOMMITTED)
|
||||
@Modifying
|
||||
public void deleteDistributionSetMetadata(final DistributionSet distributionSet, final String key) {
|
||||
final DistributionSet latestDistributionSet = findDistributionSetById(distributionSet.getId());
|
||||
entityManager.merge((JpaDistributionSet) latestDistributionSet).setLastModifiedAt(0L);
|
||||
touch(distributionSet);
|
||||
distributionSetMetadataRepository.delete(new DsMetadataCompositeKey(distributionSet, key));
|
||||
}
|
||||
|
||||
/**
|
||||
* Method to get the latest distribution set based on ds ID after the metadata changes for that distribution set.
|
||||
* @param distributionSet Distribution set
|
||||
*/
|
||||
private void touch(final DistributionSet distributionSet) {
|
||||
final DistributionSet latestDistributionSet = findDistributionSetById(distributionSet.getId());
|
||||
// merge base distribution set so optLockRevision gets updated and audit
|
||||
// log written because
|
||||
// modifying metadata is modifying the base distribution set itself for
|
||||
// auditing purposes.
|
||||
entityManager.merge((JpaDistributionSet) latestDistributionSet).setLastModifiedAt(0L);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Page<DistributionSetMetadata> findDistributionSetMetadataByDistributionSetId(final Long distributionSetId,
|
||||
final Pageable pageable) {
|
||||
|
||||
@@ -1,42 +1,47 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.jpa.model;
|
||||
|
||||
import org.eclipse.persistence.descriptors.DescriptorEvent;
|
||||
|
||||
/**
|
||||
*
|
||||
* Holds details of action(Create/Update) and @link{DescriptorEvent}.
|
||||
*
|
||||
*/
|
||||
public class DescriptorEventDetails {
|
||||
|
||||
enum ActionType {
|
||||
CREATE, UPDATE;
|
||||
}
|
||||
|
||||
private DescriptorEvent descriptorEvent;
|
||||
|
||||
private ActionType actiontype;
|
||||
|
||||
public DescriptorEventDetails(ActionType actionType,
|
||||
DescriptorEvent descriptorEvent) {
|
||||
this.descriptorEvent = descriptorEvent;
|
||||
this.actiontype = actionType;
|
||||
}
|
||||
|
||||
public DescriptorEvent getDescriptorEvent() {
|
||||
return descriptorEvent;
|
||||
}
|
||||
|
||||
public ActionType getActiontype() {
|
||||
return actiontype;
|
||||
}
|
||||
|
||||
}
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.jpa.model;
|
||||
|
||||
import org.eclipse.persistence.descriptors.DescriptorEvent;
|
||||
|
||||
/**
|
||||
*
|
||||
* Holds details of action(Create/Update) and @link{DescriptorEvent}.
|
||||
*
|
||||
*/
|
||||
public class DescriptorEventDetails {
|
||||
|
||||
enum ActionType {
|
||||
CREATE, UPDATE;
|
||||
}
|
||||
|
||||
private final DescriptorEvent descriptorEvent;
|
||||
|
||||
private final ActionType actiontype;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
* @param actionType Action type
|
||||
* @param descriptorEvent Descriptor Event
|
||||
*/
|
||||
public DescriptorEventDetails(final ActionType actionType,
|
||||
final DescriptorEvent descriptorEvent) {
|
||||
this.descriptorEvent = descriptorEvent;
|
||||
this.actiontype = actionType;
|
||||
}
|
||||
|
||||
public DescriptorEvent getDescriptorEvent() {
|
||||
return descriptorEvent;
|
||||
}
|
||||
|
||||
public ActionType getActiontype() {
|
||||
return actiontype;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,42 +1,53 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.jpa.model.helper;
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.eclipse.hawkbit.repository.eventbus.event.AbstractPropertyChangeEvent;
|
||||
import org.eclipse.hawkbit.repository.model.TenantAwareBaseEntity;
|
||||
import org.eclipse.persistence.descriptors.DescriptorEvent;
|
||||
import org.eclipse.persistence.internal.sessions.ObjectChangeSet;
|
||||
import org.eclipse.persistence.queries.UpdateObjectQuery;
|
||||
import org.eclipse.persistence.sessions.changesets.DirectToFieldChangeRecord;
|
||||
|
||||
public class EntityPropertyChangeHelper<T extends TenantAwareBaseEntity> {
|
||||
|
||||
|
||||
public static <T extends TenantAwareBaseEntity> Map<String, AbstractPropertyChangeEvent<T>.Values> getChangeSet(
|
||||
final Class<T> clazz, final DescriptorEvent event) {
|
||||
final T rolloutGroup = clazz.cast(event.getObject());
|
||||
final ObjectChangeSet changeSet = ((UpdateObjectQuery) event.getQuery())
|
||||
.getObjectChangeSet();
|
||||
return changeSet
|
||||
.getChanges()
|
||||
.stream()
|
||||
.filter(record -> record instanceof DirectToFieldChangeRecord)
|
||||
.map(record -> (DirectToFieldChangeRecord) record)
|
||||
.collect(
|
||||
Collectors.toMap(
|
||||
record -> record.getAttribute(),
|
||||
record -> new AbstractPropertyChangeEvent<T>(
|
||||
rolloutGroup, null).new Values(record
|
||||
.getOldValue(), record.getNewValue())));
|
||||
}
|
||||
|
||||
}
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.jpa.model.helper;
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.eclipse.hawkbit.repository.eventbus.event.AbstractPropertyChangeEvent;
|
||||
import org.eclipse.hawkbit.repository.model.TenantAwareBaseEntity;
|
||||
import org.eclipse.persistence.descriptors.DescriptorEvent;
|
||||
import org.eclipse.persistence.internal.sessions.ObjectChangeSet;
|
||||
import org.eclipse.persistence.queries.UpdateObjectQuery;
|
||||
import org.eclipse.persistence.sessions.changesets.DirectToFieldChangeRecord;
|
||||
|
||||
/**
|
||||
*Helper class to get the change set for the property changes in the Entity.
|
||||
*
|
||||
* @param <T>
|
||||
*/
|
||||
public class EntityPropertyChangeHelper<T extends TenantAwareBaseEntity> {
|
||||
|
||||
|
||||
/**
|
||||
* To get the map of entity property change set
|
||||
* @param clazz
|
||||
* @param event
|
||||
* @return the map of the changeSet
|
||||
*/
|
||||
public static <T extends TenantAwareBaseEntity> Map<String, AbstractPropertyChangeEvent<T>.Values> getChangeSet(
|
||||
final Class<T> clazz, final DescriptorEvent event) {
|
||||
final T rolloutGroup = clazz.cast(event.getObject());
|
||||
final ObjectChangeSet changeSet = ((UpdateObjectQuery) event.getQuery())
|
||||
.getObjectChangeSet();
|
||||
return changeSet
|
||||
.getChanges()
|
||||
.stream()
|
||||
.filter(record -> record instanceof DirectToFieldChangeRecord)
|
||||
.map(record -> (DirectToFieldChangeRecord) record)
|
||||
.collect(
|
||||
Collectors.toMap(
|
||||
record -> record.getAttribute(),
|
||||
record -> new AbstractPropertyChangeEvent<T>(
|
||||
rolloutGroup, null).new Values(record
|
||||
.getOldValue(), record.getNewValue())));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,63 +0,0 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.jpa;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import java.lang.reflect.Modifier;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
|
||||
public class MethodSecurityUtil {
|
||||
|
||||
private static final Set<String> METHOD_SECURITY_EXCLUSION = new HashSet<>();
|
||||
|
||||
static {
|
||||
METHOD_SECURITY_EXCLUSION.add("equals");
|
||||
METHOD_SECURITY_EXCLUSION.add("toString");
|
||||
METHOD_SECURITY_EXCLUSION.add("hashCode");
|
||||
METHOD_SECURITY_EXCLUSION.add("clone");
|
||||
METHOD_SECURITY_EXCLUSION.add("setEnvironment");
|
||||
// this method shouldn't be public on the DeploymentManagemeht but it is
|
||||
METHOD_SECURITY_EXCLUSION.add("setOverrideObsoleteUpdateActions");
|
||||
METHOD_SECURITY_EXCLUSION.add("isOverrideObsoleteUpdateActions");
|
||||
// this method must be public accessible without security because it's
|
||||
// necessary to acccess
|
||||
// the security-token of a target without being authenticated because
|
||||
// the security-token is
|
||||
// the authentication process
|
||||
// ControllerManagement#getSecurityTokenByControllerId()
|
||||
METHOD_SECURITY_EXCLUSION.add("getSecurityTokenByControllerId");
|
||||
}
|
||||
|
||||
/**
|
||||
* asserts that the given methods are annotated with the
|
||||
* {@link PreAuthorize} annotation for security. Inherited methods are not
|
||||
* checked. The following methods are excluded due inherited from
|
||||
* {@link Object}, like equals() or toString().
|
||||
*
|
||||
* @param clazz
|
||||
* the class to retrieve the public declared methods
|
||||
*/
|
||||
public static void assertDeclaredMethodsContainsPreAuthorizeAnnotaions(final Class<?> clazz) {
|
||||
final Method[] declaredMethods = clazz.getDeclaredMethods();
|
||||
for (final Method method : declaredMethods) {
|
||||
if (!METHOD_SECURITY_EXCLUSION.contains(method.getName()) && !method.isSynthetic()
|
||||
&& Modifier.isPublic(method.getModifiers())) {
|
||||
final PreAuthorize annotation = method.getAnnotation(PreAuthorize.class);
|
||||
assertThat(annotation).as(
|
||||
"The public method " + method.getName() + " is not annoated with @PreAuthorize, security leak?")
|
||||
.isNotNull();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -14,10 +14,10 @@ import java.io.ByteArrayInputStream;
|
||||
import java.util.List;
|
||||
import java.util.Random;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaSoftwareModule;
|
||||
import org.eclipse.hawkbit.repository.model.DistributionSet;
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
import org.eclipse.hawkbit.repository.model.TenantMetaData;
|
||||
import org.eclipse.hawkbit.repository.report.model.TenantUsage;
|
||||
import org.eclipse.hawkbit.repository.test.util.WithSpringAuthorityRule;
|
||||
import org.junit.Test;
|
||||
@@ -30,15 +30,6 @@ import ru.yandex.qatools.allure.annotations.Stories;
|
||||
@Stories("System Management")
|
||||
public class SystemManagementTest extends AbstractJpaIntegrationTestWithMongoDB {
|
||||
|
||||
@Test
|
||||
@Description("Ensures that you can create a tenant without setting the necessary security context which holds a current tenant")
|
||||
public void createInitialTenantWithoutSecurityContext() {
|
||||
securityRule.clear();
|
||||
final String tenantToBeCreated = "newTenantToCreate";
|
||||
final TenantMetaData tenantMetadata = systemManagement.getTenantMetadata(tenantToBeCreated);
|
||||
assertThat(tenantMetadata).isNotNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
@Description("Ensures that findTenants returns all tenants and not only restricted to the tenant which currently is logged in")
|
||||
public void findTenantsReturnsAllTenantsNotOnlyWhichLoggedIn() throws Exception {
|
||||
@@ -109,26 +100,27 @@ public class SystemManagementTest extends AbstractJpaIntegrationTestWithMongoDB
|
||||
|
||||
for (int i = 0; i < tenants; i++) {
|
||||
final String tenantname = "tenant" + i;
|
||||
securityRule.runAs(WithSpringAuthorityRule.withUserAndTenant("bumlux", tenantname), () -> {
|
||||
systemManagement.getTenantMetadata(tenantname);
|
||||
if (artifactSize > 0) {
|
||||
createTestArtifact(random);
|
||||
createDeletedTestArtifact(random);
|
||||
}
|
||||
if (targets > 0) {
|
||||
final List<Target> createdTargets = createTestTargets(targets);
|
||||
if (updates > 0) {
|
||||
for (int x = 0; x < updates; x++) {
|
||||
final DistributionSet ds = testdataFactory.createDistributionSet("to be deployed" + x,
|
||||
true);
|
||||
|
||||
deploymentManagement.assignDistributionSet(ds, createdTargets);
|
||||
securityRule.runAs(WithSpringAuthorityRule.withUserAndTenant("bumlux", tenantname, true, true,
|
||||
SpringEvalExpressions.SYSTEM_ROLE), () -> {
|
||||
systemManagement.getTenantMetadata(tenantname);
|
||||
if (artifactSize > 0) {
|
||||
createTestArtifact(random);
|
||||
createDeletedTestArtifact(random);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (targets > 0) {
|
||||
final List<Target> createdTargets = createTestTargets(targets);
|
||||
if (updates > 0) {
|
||||
for (int x = 0; x < updates; x++) {
|
||||
final DistributionSet ds = testdataFactory
|
||||
.createDistributionSet("to be deployed" + x, true);
|
||||
|
||||
return null;
|
||||
});
|
||||
deploymentManagement.assignDistributionSet(ds, createdTargets);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
});
|
||||
}
|
||||
|
||||
return random;
|
||||
|
||||
@@ -8,6 +8,9 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.test.util;
|
||||
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
|
||||
|
||||
import org.eclipse.hawkbit.ExcludePathAwareShallowETagFilter;
|
||||
import org.eclipse.hawkbit.repository.ArtifactManagement;
|
||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||
@@ -58,7 +61,7 @@ import org.springframework.web.context.WebApplicationContext;
|
||||
@RunWith(SpringJUnit4ClassRunner.class)
|
||||
@WebAppConfiguration
|
||||
@ActiveProfiles({ "test" })
|
||||
@WithUser(principal = "bumlux", allSpPermissions = true, authorities = "ROLE_CONTROLLER")
|
||||
@WithUser(principal = "bumlux", allSpPermissions = true, authorities = { CONTROLLER_ROLE, SYSTEM_ROLE })
|
||||
@SpringApplicationConfiguration(classes = { TestConfiguration.class })
|
||||
// destroy the context after each test class because otherwise we get problem
|
||||
// when context is
|
||||
|
||||
@@ -16,6 +16,7 @@ import java.util.List;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.helper.SystemManagementHolder;
|
||||
import org.junit.rules.TestRule;
|
||||
@@ -56,10 +57,10 @@ public class WithSpringAuthorityRule implements TestRule {
|
||||
annotation = description.getTestClass().getAnnotation(WithUser.class);
|
||||
}
|
||||
if (annotation != null) {
|
||||
setSecurityContext(annotation);
|
||||
if (annotation.autoCreateTenant()) {
|
||||
SystemManagementHolder.getInstance().getSystemManagement().getTenantMetadata(annotation.tenantId());
|
||||
createTenant(annotation.tenantId());
|
||||
}
|
||||
setSecurityContext(annotation);
|
||||
}
|
||||
return oldContext;
|
||||
}
|
||||
@@ -158,7 +159,7 @@ public class WithSpringAuthorityRule implements TestRule {
|
||||
final SecurityContext oldContext = SecurityContextHolder.getContext();
|
||||
setSecurityContext(withUser);
|
||||
if (withUser.autoCreateTenant()) {
|
||||
SystemManagementHolder.getInstance().getSystemManagement().getTenantMetadata(withUser.tenantId());
|
||||
createTenant(withUser.tenantId());
|
||||
}
|
||||
try {
|
||||
return callable.call();
|
||||
@@ -166,6 +167,18 @@ public class WithSpringAuthorityRule implements TestRule {
|
||||
after(oldContext);
|
||||
}
|
||||
}
|
||||
|
||||
private void createTenant(final String tenantId) throws Exception {
|
||||
final SecurityContext oldContext = SecurityContextHolder.getContext();
|
||||
setSecurityContext(privilegedUser());
|
||||
try
|
||||
{
|
||||
SystemManagementHolder.getInstance().getSystemManagement().getTenantMetadata(tenantId);
|
||||
}finally
|
||||
{
|
||||
after(oldContext);
|
||||
}
|
||||
}
|
||||
|
||||
public static WithUser withUser(final String principal, final String... authorities) {
|
||||
return withUserAndTenant(principal, "default", true, true, authorities);
|
||||
@@ -254,7 +267,7 @@ public class WithSpringAuthorityRule implements TestRule {
|
||||
|
||||
@Override
|
||||
public String[] authorities() {
|
||||
return new String[] { "ROLE_CONTROLLER" };
|
||||
return new String[] { "ROLE_CONTROLLER", "ROLE_SYSTEM_CODE" };
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
Reference in New Issue
Block a user