Incorporated the review comments.

Signed-off-by: Gaurav <gaurav.sahay@in.bosch.com>
This commit is contained in:
Gaurav
2016-08-08 13:24:12 +02:00
27 changed files with 428 additions and 306 deletions

View File

@@ -183,6 +183,8 @@ public interface ControllerManagement {
* @return the security context of the target, in case no target exists for
* the given controllerId {@code null} is returned
*/
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER + SpringEvalExpressions.HAS_AUTH_OR
+ SpringEvalExpressions.HAS_AUTH_READ_TARGET_SEC_TOKEN)
String getSecurityTokenByControllerId(@NotEmpty String controllerId);
/**

View File

@@ -285,7 +285,7 @@ public interface DistributionSetManagement {
@NotNull Pageable pageable);
/**
* finds all meta data by the given distribution set id.
* Finds all meta data by the given distribution set id.
*
* @param distributionSetId
* the distribution set id to retrieve the meta data from

View File

@@ -340,6 +340,7 @@ public interface SoftwareManagement {
* to search for
* @return {@link List} of found {@link SoftwareModule}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
List<SoftwareModule> findSoftwareModulesById(@NotEmpty Collection<Long> ids);
/**
@@ -484,7 +485,7 @@ public interface SoftwareManagement {
SoftwareModuleType updateSoftwareModuleType(@NotNull SoftwareModuleType sm);
/**
* finds all meta data by the given software module id.
* Finds all meta data by the given software module id.
*
* @param softwareModuleId
* the software module id to retrieve the meta data from

View File

@@ -61,6 +61,9 @@ public interface SystemManagement {
/**
* @return {@link TenantMetaData} of {@link TenantAware#getCurrentTenant()}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY + SpringEvalExpressions.HAS_AUTH_OR
+ SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
+ SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
TenantMetaData getTenantMetadata();
/**
@@ -77,6 +80,7 @@ public interface SystemManagement {
* to retrieve data for
* @return {@link TenantMetaData} of given tenant
*/
@PreAuthorize(SpringEvalExpressions.IS_SYSTEM_CODE)
TenantMetaData getTenantMetadata(@NotNull String tenant);
/**
@@ -86,6 +90,7 @@ public interface SystemManagement {
* to update
* @return updated {@link TenantMetaData} entity
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
TenantMetaData updateTenantMetadata(@NotNull TenantMetaData metaData);
}
}

View File

@@ -22,7 +22,7 @@ public class DistributionDeletedEvent extends AbstractDistributedEvent {
/**
* @param tenant
* the tenant for this event
* @param distributionSetId
* @param distributionId
* the ID of the distribution set which has been deleted
*/
public DistributionDeletedEvent(final String tenant, final Long distributionId) {

View File

@@ -18,11 +18,10 @@ public class DistributionSetUpdateEvent extends AbstractBaseEntityEvent<Distribu
private static final long serialVersionUID = 1L;
/**
* Constructor.
*
* @param tag
* the tag which is updated
* Constructor
* @param ds Distribution Set
*/
public DistributionSetUpdateEvent(final DistributionSet ds) {
super(ds);

View File

@@ -1,25 +1,29 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*/
package org.eclipse.hawkbit.repository.eventbus.event;
import org.eclipse.hawkbit.repository.model.Target;
/**
* Defines the {@link AbstractBaseEntityEvent} of updating a {@link Target}.
*
*/
public class TargetUpdatedEvent extends AbstractBaseEntityEvent<Target> {
private static final long serialVersionUID = 5665118668865832477L;
public TargetUpdatedEvent(Target baseEntity) {
super(baseEntity);
}
}
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*/
package org.eclipse.hawkbit.repository.eventbus.event;
import org.eclipse.hawkbit.repository.model.Target;
/**
* Defines the {@link AbstractBaseEntityEvent} of updating a {@link Target}.
*
*/
public class TargetUpdatedEvent extends AbstractBaseEntityEvent<Target> {
private static final long serialVersionUID = 5665118668865832477L;
/**
* Constructor
* @param baseEntity Target entity
*/
public TargetUpdatedEvent(final Target baseEntity) {
super(baseEntity);
}
}

View File

@@ -0,0 +1,97 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*/
package org.eclipse.hawkbit.repository;
import static org.fest.assertions.Assertions.assertThat;
import java.io.IOException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.junit.Test;
import org.springframework.security.access.prepost.PreAuthorize;
import com.google.common.reflect.ClassPath;
import ru.yandex.qatools.allure.annotations.Description;
import ru.yandex.qatools.allure.annotations.Features;
import ru.yandex.qatools.allure.annotations.Stories;
@Features("Unit Tests - Repository")
@Stories("Security Test")
public class RepositoryManagementMethodPreAuthorizeAnnotatedTest {
private static final Set<Method> METHOD_SECURITY_EXCLUSION = new HashSet<>();
static {
METHOD_SECURITY_EXCLUSION.add(getMethod(SystemManagement.class, "currentTenant"));
}
@Test
@Description("Verfies that repository methods are @PreAuthorize annotated")
public void repositoryManagementMethodsArePreAuthorizedAnnotated()
throws ClassNotFoundException, URISyntaxException, IOException {
final List<Class<?>> findInterfacesInPackage = findInterfacesInPackage(getClass().getPackage(),
Pattern.compile(".*Management"));
assertThat(findInterfacesInPackage).isNotEmpty();
for (final Class<?> interfaceToCheck : findInterfacesInPackage) {
assertDeclaredMethodsContainsPreAuthorizeAnnotaions(interfaceToCheck);
}
// all exclusion should be used, otherwise the method exlusion should be
// cleaned up again
assertThat(METHOD_SECURITY_EXCLUSION).isEmpty();
}
/**
* asserts that the given methods are annotated with the
* {@link PreAuthorize} annotation for security. Inherited methods are not
* checked. The following methods are excluded due inherited from
* {@link Object}, like equals() or toString().
*
* @param clazz
* the class to retrieve the public declared methods
*/
private static void assertDeclaredMethodsContainsPreAuthorizeAnnotaions(final Class<?> clazz) {
final Method[] declaredMethods = clazz.getDeclaredMethods();
for (final Method method : declaredMethods) {
final boolean methodExcluded = METHOD_SECURITY_EXCLUSION.contains(method);
if (methodExcluded || method.isSynthetic() || Modifier.isPublic(method.getModifiers())) {
// skip method because it should be excluded
METHOD_SECURITY_EXCLUSION.remove(method);
continue;
}
final PreAuthorize annotation = method.getAnnotation(PreAuthorize.class);
assertThat(annotation).as("The public method " + method.getName() + " in class " + clazz.getName()
+ " is not annoated with @PreAuthorize, security leak?").isNotNull();
}
}
private List<Class<?>> findInterfacesInPackage(final Package p, final Pattern includeFilter)
throws URISyntaxException, IOException, ClassNotFoundException {
return ClassPath.from(Thread.currentThread().getContextClassLoader()).getTopLevelClasses(p.getName()).stream()
.filter(clazzInfo -> includeFilter.matcher(clazzInfo.getSimpleName()).matches())
.map(clazzInfo -> clazzInfo.load()).filter(clazz -> clazz.isInterface()).collect(Collectors.toList());
}
private static Method getMethod(final Class<?> clazz, final String methodName, final Class<?>... parameterTypes) {
try {
return clazz.getMethod(methodName, parameterTypes);
} catch (NoSuchMethodException | SecurityException e) {
throw new RuntimeException(e.getMessage(), e);
}
}
}