Incorporated the review comments.
Signed-off-by: Gaurav <gaurav.sahay@in.bosch.com>
This commit is contained in:
@@ -183,6 +183,8 @@ public interface ControllerManagement {
|
||||
* @return the security context of the target, in case no target exists for
|
||||
* the given controllerId {@code null} is returned
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER + SpringEvalExpressions.HAS_AUTH_OR
|
||||
+ SpringEvalExpressions.HAS_AUTH_READ_TARGET_SEC_TOKEN)
|
||||
String getSecurityTokenByControllerId(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
|
||||
@@ -285,7 +285,7 @@ public interface DistributionSetManagement {
|
||||
@NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
* finds all meta data by the given distribution set id.
|
||||
* Finds all meta data by the given distribution set id.
|
||||
*
|
||||
* @param distributionSetId
|
||||
* the distribution set id to retrieve the meta data from
|
||||
|
||||
@@ -340,6 +340,7 @@ public interface SoftwareManagement {
|
||||
* to search for
|
||||
* @return {@link List} of found {@link SoftwareModule}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
List<SoftwareModule> findSoftwareModulesById(@NotEmpty Collection<Long> ids);
|
||||
|
||||
/**
|
||||
@@ -484,7 +485,7 @@ public interface SoftwareManagement {
|
||||
SoftwareModuleType updateSoftwareModuleType(@NotNull SoftwareModuleType sm);
|
||||
|
||||
/**
|
||||
* finds all meta data by the given software module id.
|
||||
* Finds all meta data by the given software module id.
|
||||
*
|
||||
* @param softwareModuleId
|
||||
* the software module id to retrieve the meta data from
|
||||
|
||||
@@ -61,6 +61,9 @@ public interface SystemManagement {
|
||||
/**
|
||||
* @return {@link TenantMetaData} of {@link TenantAware#getCurrentTenant()}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY + SpringEvalExpressions.HAS_AUTH_OR
|
||||
+ SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
|
||||
+ SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
|
||||
TenantMetaData getTenantMetadata();
|
||||
|
||||
/**
|
||||
@@ -77,6 +80,7 @@ public interface SystemManagement {
|
||||
* to retrieve data for
|
||||
* @return {@link TenantMetaData} of given tenant
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.IS_SYSTEM_CODE)
|
||||
TenantMetaData getTenantMetadata(@NotNull String tenant);
|
||||
|
||||
/**
|
||||
@@ -86,6 +90,7 @@ public interface SystemManagement {
|
||||
* to update
|
||||
* @return updated {@link TenantMetaData} entity
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION)
|
||||
TenantMetaData updateTenantMetadata(@NotNull TenantMetaData metaData);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ public class DistributionDeletedEvent extends AbstractDistributedEvent {
|
||||
/**
|
||||
* @param tenant
|
||||
* the tenant for this event
|
||||
* @param distributionSetId
|
||||
* @param distributionId
|
||||
* the ID of the distribution set which has been deleted
|
||||
*/
|
||||
public DistributionDeletedEvent(final String tenant, final Long distributionId) {
|
||||
|
||||
@@ -18,11 +18,10 @@ public class DistributionSetUpdateEvent extends AbstractBaseEntityEvent<Distribu
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param tag
|
||||
* the tag which is updated
|
||||
* Constructor
|
||||
* @param ds Distribution Set
|
||||
*/
|
||||
public DistributionSetUpdateEvent(final DistributionSet ds) {
|
||||
super(ds);
|
||||
|
||||
@@ -1,25 +1,29 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.eventbus.event;
|
||||
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
|
||||
/**
|
||||
* Defines the {@link AbstractBaseEntityEvent} of updating a {@link Target}.
|
||||
*
|
||||
*/
|
||||
public class TargetUpdatedEvent extends AbstractBaseEntityEvent<Target> {
|
||||
|
||||
private static final long serialVersionUID = 5665118668865832477L;
|
||||
|
||||
public TargetUpdatedEvent(Target baseEntity) {
|
||||
super(baseEntity);
|
||||
}
|
||||
|
||||
}
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository.eventbus.event;
|
||||
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
|
||||
/**
|
||||
* Defines the {@link AbstractBaseEntityEvent} of updating a {@link Target}.
|
||||
*
|
||||
*/
|
||||
public class TargetUpdatedEvent extends AbstractBaseEntityEvent<Target> {
|
||||
|
||||
private static final long serialVersionUID = 5665118668865832477L;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
* @param baseEntity Target entity
|
||||
*/
|
||||
public TargetUpdatedEvent(final Target baseEntity) {
|
||||
super(baseEntity);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -0,0 +1,97 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.lang.reflect.Method;
|
||||
import java.lang.reflect.Modifier;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
|
||||
import com.google.common.reflect.ClassPath;
|
||||
|
||||
import ru.yandex.qatools.allure.annotations.Description;
|
||||
import ru.yandex.qatools.allure.annotations.Features;
|
||||
import ru.yandex.qatools.allure.annotations.Stories;
|
||||
|
||||
@Features("Unit Tests - Repository")
|
||||
@Stories("Security Test")
|
||||
public class RepositoryManagementMethodPreAuthorizeAnnotatedTest {
|
||||
|
||||
private static final Set<Method> METHOD_SECURITY_EXCLUSION = new HashSet<>();
|
||||
|
||||
static {
|
||||
METHOD_SECURITY_EXCLUSION.add(getMethod(SystemManagement.class, "currentTenant"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@Description("Verfies that repository methods are @PreAuthorize annotated")
|
||||
public void repositoryManagementMethodsArePreAuthorizedAnnotated()
|
||||
throws ClassNotFoundException, URISyntaxException, IOException {
|
||||
final List<Class<?>> findInterfacesInPackage = findInterfacesInPackage(getClass().getPackage(),
|
||||
Pattern.compile(".*Management"));
|
||||
|
||||
assertThat(findInterfacesInPackage).isNotEmpty();
|
||||
for (final Class<?> interfaceToCheck : findInterfacesInPackage) {
|
||||
assertDeclaredMethodsContainsPreAuthorizeAnnotaions(interfaceToCheck);
|
||||
}
|
||||
|
||||
// all exclusion should be used, otherwise the method exlusion should be
|
||||
// cleaned up again
|
||||
assertThat(METHOD_SECURITY_EXCLUSION).isEmpty();
|
||||
}
|
||||
|
||||
/**
|
||||
* asserts that the given methods are annotated with the
|
||||
* {@link PreAuthorize} annotation for security. Inherited methods are not
|
||||
* checked. The following methods are excluded due inherited from
|
||||
* {@link Object}, like equals() or toString().
|
||||
*
|
||||
* @param clazz
|
||||
* the class to retrieve the public declared methods
|
||||
*/
|
||||
private static void assertDeclaredMethodsContainsPreAuthorizeAnnotaions(final Class<?> clazz) {
|
||||
final Method[] declaredMethods = clazz.getDeclaredMethods();
|
||||
for (final Method method : declaredMethods) {
|
||||
final boolean methodExcluded = METHOD_SECURITY_EXCLUSION.contains(method);
|
||||
if (methodExcluded || method.isSynthetic() || Modifier.isPublic(method.getModifiers())) {
|
||||
// skip method because it should be excluded
|
||||
METHOD_SECURITY_EXCLUSION.remove(method);
|
||||
continue;
|
||||
}
|
||||
final PreAuthorize annotation = method.getAnnotation(PreAuthorize.class);
|
||||
assertThat(annotation).as("The public method " + method.getName() + " in class " + clazz.getName()
|
||||
+ " is not annoated with @PreAuthorize, security leak?").isNotNull();
|
||||
}
|
||||
}
|
||||
|
||||
private List<Class<?>> findInterfacesInPackage(final Package p, final Pattern includeFilter)
|
||||
throws URISyntaxException, IOException, ClassNotFoundException {
|
||||
return ClassPath.from(Thread.currentThread().getContextClassLoader()).getTopLevelClasses(p.getName()).stream()
|
||||
.filter(clazzInfo -> includeFilter.matcher(clazzInfo.getSimpleName()).matches())
|
||||
.map(clazzInfo -> clazzInfo.load()).filter(clazz -> clazz.isInterface()).collect(Collectors.toList());
|
||||
}
|
||||
|
||||
private static Method getMethod(final Class<?> clazz, final String methodName, final Class<?>... parameterTypes) {
|
||||
try {
|
||||
return clazz.getMethod(methodName, parameterTypes);
|
||||
} catch (NoSuchMethodException | SecurityException e) {
|
||||
throw new RuntimeException(e.getMessage(), e);
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user