Add distribution set and target type fine grained permissions (#2545)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
@@ -10,7 +10,7 @@
|
||||
package org.eclipse.hawkbit.ddi.rest.resource;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.TENANT_CONFIGURATION;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.callAs;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.getAs;
|
||||
|
||||
@@ -14,7 +14,7 @@ import java.util.List;
|
||||
import java.util.Objects;
|
||||
|
||||
import lombok.EqualsAndHashCode;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
@@ -77,7 +77,7 @@ public interface Authenticator {
|
||||
private static class AuthenticatedController extends AbstractAuthenticationToken {
|
||||
|
||||
private static final Collection<GrantedAuthority> CONTROLLER_AUTHORITY =
|
||||
List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
private final String controllerId;
|
||||
|
||||
AuthenticatedController(final String tenant, final String controllerId) {
|
||||
|
||||
@@ -13,6 +13,7 @@ import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.test.util.WithUser;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.springframework.http.HttpStatus;
|
||||
@@ -39,7 +40,7 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
|
||||
* Tests whether request succeed if a role is granted for the user
|
||||
*/
|
||||
@Test
|
||||
@WithUser(authorities = { SpPermission.SpringEvalExpressions.CONTROLLER_ROLE }, autoCreateTenant = false)
|
||||
@WithUser(authorities = { SpringEvalExpressions.CONTROLLER_ROLE }, autoCreateTenant = false)
|
||||
void successIfHasRole() throws Exception {
|
||||
mvc.perform(get("/DEFAULT/controller/v1/controllerId"))
|
||||
.andExpect(result -> assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value()));
|
||||
|
||||
@@ -36,7 +36,7 @@ import org.eclipse.hawkbit.dmf.json.model.DmfAttributeUpdate;
|
||||
import org.eclipse.hawkbit.dmf.json.model.DmfAutoConfirmation;
|
||||
import org.eclipse.hawkbit.dmf.json.model.DmfCreateThing;
|
||||
import org.eclipse.hawkbit.dmf.json.model.DmfUpdateMode;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.ConfirmationManagement;
|
||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||
import org.eclipse.hawkbit.repository.EntityFactory;
|
||||
|
||||
@@ -14,7 +14,7 @@ import java.util.Collections;
|
||||
import java.util.Objects;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemCache;
|
||||
import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemStatisticsRest;
|
||||
import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemTenantServiceUsage;
|
||||
|
||||
@@ -69,7 +69,9 @@ class MgmtTargetTypeResourceTest extends AbstractManagementApiIntegrationTest {
|
||||
* GET targettypes returns Forbidden when permission is missing
|
||||
*/
|
||||
@Test
|
||||
@WithUser(principal = "targetTypeTester", allSpPermissions = true, removeFromAllPermission = { SpPermission.READ_TARGET })
|
||||
@WithUser(
|
||||
principal = "targetTypeTester", allSpPermissions = true,
|
||||
removeFromAllPermission = { SpPermission.READ_TARGET, SpPermission.READ_TARGET_TYPE })
|
||||
void getTargetTypesWithoutPermission() throws Exception {
|
||||
mvc.perform(get(TARGETTYPES_ENDPOINT).accept(MediaType.APPLICATION_JSON))
|
||||
.andDo(MockMvcResultPrinter.print())
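Review bot: Removing both `SpPermission.READ_TARGET` and `SpPermission.READ_TARGET_TYPE` in `getTargetTypesWithoutPermission` means the test no longer shows which of the two authorities the endpoint actually requires. If READ_TARGET is meant to imply READ_TARGET_TYPE (an inference; the permission hierarchy is not visible here), a comment above the annotation would record that, e.g. `// READ_TARGET implies READ_TARGET_TYPE, so both are removed to reach 403`. A companion case that removes only `SpPermission.READ_TARGET_TYPE` would pin the expected status for a user who keeps READ_TARGET. The method body continues outside the hunk.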
|
||||
|
||||
@@ -52,7 +52,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
|
||||
* Tests whether request returns distribution set if a role with scope is granted for the user
|
||||
*/
|
||||
@Test
|
||||
@WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne" }, autoCreateTenant = false)
|
||||
@WithUser(authorities = {
|
||||
SpPermission.CREATE_REPOSITORY,
|
||||
SpPermission.READ_REPOSITORY,
|
||||
SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne" }, autoCreateTenant = false)
|
||||
void successIfHasRoleWithScope() throws Exception {
|
||||
createDsOne("successIfHasRoleWithScope");
|
||||
mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> {
|
||||
@@ -65,7 +68,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
|
||||
* Tests whether request doesn't return distribution set if a role with scope doesn't grant access
|
||||
*/
|
||||
@Test
|
||||
@WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne2" }, autoCreateTenant = false)
|
||||
@WithUser(authorities = {
|
||||
SpPermission.CREATE_REPOSITORY,
|
||||
SpPermission.READ_REPOSITORY,
|
||||
SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2" }, autoCreateTenant = false)
|
||||
void failIfHasNoForbiddingScope() throws Exception {
|
||||
createDsOne("failIfHasNoForbiddingScope");
|
||||
mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> {
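Review bot: In `failIfHasNoForbiddingScope` the user now holds unscoped `SpPermission.READ_REPOSITORY` next to the scoped `SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2"`, and the earlier form `SpPermission.READ_REPOSITORY + "/name==DsOne2"` is no longer exercised in this section. Roles that already carry a scope on READ_REPOSITORY would, after this commit, presumably either lose their distribution-set filter or lose access, and neither outcome is pinned by a test; a case that grants only the old scoped authority would make the intended behaviour explicit. A one-line comment on why READ_REPOSITORY is still granted (its use by `createDsOne` or by the endpoint is not visible here) would help the next reader. The same applies to `successIfHasRoleWithScope` above and to the identical pair of hunks in the following PreAuthorizeEnabledTest section; the lambda body continues outside the hunk.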
|
||||
|
||||
@@ -52,7 +52,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
|
||||
* Tests whether request returns distribution set if a role with scope is granted for the user
|
||||
*/
|
||||
@Test
|
||||
@WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne" }, autoCreateTenant = false)
|
||||
@WithUser(authorities = {
|
||||
SpPermission.CREATE_REPOSITORY,
|
||||
SpPermission.READ_REPOSITORY,
|
||||
SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne" }, autoCreateTenant = false)
|
||||
void successIfHasRoleWithScope() throws Exception {
|
||||
createDsOne("successIfHasRoleWithScope");
|
||||
mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> {
|
||||
@@ -65,7 +68,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
|
||||
* Tests whether request doesn't return distribution set if a role with scope doesn't grant access
|
||||
*/
|
||||
@Test
|
||||
@WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne2" }, autoCreateTenant = false)
|
||||
@WithUser(authorities = {
|
||||
SpPermission.CREATE_REPOSITORY,
|
||||
SpPermission.READ_REPOSITORY,
|
||||
SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2" }, autoCreateTenant = false)
|
||||
void failIfHasNoForbiddingScope() throws Exception {
|
||||
createDsOne("failIfHasNoForbiddingScope");
|
||||
mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> {
|
||||
|
||||
@@ -17,7 +17,7 @@ import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.repository.artifact.model.DbArtifact;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.exception.ArtifactDeleteFailedException;
|
||||
import org.eclipse.hawkbit.repository.exception.ArtifactUploadFailedException;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityAlreadyExistsException;
|
||||
|
||||
@@ -15,7 +15,7 @@ import java.util.Optional;
|
||||
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.model.Action;
|
||||
import org.eclipse.hawkbit.repository.model.AutoConfirmationStatus;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
@@ -34,7 +34,7 @@ public interface ConfirmationManagement {
|
||||
* @param remark optional field to set a remark
|
||||
* @return the persisted {@link AutoConfirmationStatus}
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
AutoConfirmationStatus activateAutoConfirmation(@NotEmpty String controllerId, final String initiator, final String remark);
|
||||
|
||||
/**
|
||||
@@ -44,7 +44,7 @@ public interface ConfirmationManagement {
|
||||
* @param code optional value to specify a code for the created action status
|
||||
* @param messages optional value to specify message for the created action status
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
Action confirmAction(long actionId, Integer code, Collection<String> messages);
|
||||
|
||||
/**
|
||||
@@ -54,7 +54,7 @@ public interface ConfirmationManagement {
|
||||
* @param code optional value to specify a code for the created action status
|
||||
* @param messages optional value to specify message for the created action status
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
Action denyAction(long actionId, Integer code, Collection<String> messages);
|
||||
|
||||
/**
|
||||
@@ -62,7 +62,7 @@ public interface ConfirmationManagement {
|
||||
*
|
||||
* @param controllerId to disable auto confirmation for
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
void deactivateAutoConfirmation(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -71,8 +71,8 @@ public interface ConfirmationManagement {
|
||||
* @param controllerId to check the state for
|
||||
* @return instance of {@link AutoConfirmationStatus} wrapped in an {@link Optional}. Present if active and empty if disabled.
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER + SpPermission.SpringEvalExpressions.HAS_AUTH_OR +
|
||||
SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER + SpringEvalExpressions.HAS_AUTH_OR +
|
||||
SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
Optional<AutoConfirmationStatus> getStatus(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -81,6 +81,6 @@ public interface ConfirmationManagement {
|
||||
* @param controllerId of the target to check
|
||||
* @return a list of {@link Action}
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
List<Action> findActiveActionsWaitingConfirmation(@NotEmpty String controllerId);
|
||||
}
|
||||
@@ -20,7 +20,7 @@ import jakarta.validation.Valid;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.ActionStatusCreate;
|
||||
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
|
||||
import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException;
|
||||
|
||||
@@ -19,7 +19,7 @@ import jakarta.validation.Valid;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.event.remote.TargetAssignDistributionSetEvent;
|
||||
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
|
||||
import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException;
|
||||
|
||||
@@ -9,6 +9,9 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository;
|
||||
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_DISTRIBUTION_SET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_DISTRIBUTION_SET;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
@@ -17,7 +20,7 @@ import java.util.Optional;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.DistributionSetCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.DistributionSetUpdate;
|
||||
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
|
||||
@@ -51,7 +54,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param id to look for.
|
||||
* @return {@link DistributionSet}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Optional<DistributionSet> getWithDetails(long id);
|
||||
|
||||
/**
|
||||
@@ -61,7 +64,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @return the found valid {@link DistributionSet}
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
DistributionSet getOrElseThrowException(long id);
|
||||
|
||||
/**
|
||||
@@ -69,7 +72,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
*
|
||||
* @param distributionSet the ID of the {@link DistributionSet} to be set to invalid
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
void invalidate(DistributionSet distributionSet);
|
||||
|
||||
/**
|
||||
@@ -85,7 +88,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @throws AssignmentQuotaExceededException if the maximum number of {@link SoftwareModule}s is exceeded for the addressed
|
||||
* {@link DistributionSet}.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
DistributionSet assignSoftwareModules(long id, @NotEmpty Collection<Long> moduleIds);
|
||||
|
||||
/**
|
||||
@@ -97,7 +100,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @throws EntityNotFoundException if given module or DS does not exist
|
||||
* @throws EntityReadOnlyException if use tries to change the {@link DistributionSet} s while the DS is already in use.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
DistributionSet unassignSoftwareModule(long id, long moduleId);
|
||||
|
||||
/**
|
||||
@@ -108,7 +111,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @return list of assigned ds
|
||||
* @throws EntityNotFoundException if tag with given ID does not exist or (at least one) of the distribution sets.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
List<DistributionSet> assignTag(@NotEmpty Collection<Long> ids, long tagId);
|
||||
|
||||
/**
|
||||
@@ -119,7 +122,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @return list of assigned ds
|
||||
* @throws EntityNotFoundException if tag with given ID does not exist or (at least one) of the distribution sets.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
List<DistributionSet> unassignTag(@NotEmpty Collection<Long> ids, long tagId);
|
||||
|
||||
/**
|
||||
@@ -131,7 +134,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @throws EntityAlreadyExistsException in case one of the meta-data entry already exists for the specific key
|
||||
* @throws AssignmentQuotaExceededException if the maximum number of meta-data entries is exceeded for the addressed {@link DistributionSet}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
void createMetadata(long id, @NotEmpty Map<String, String> metadata);
|
||||
|
||||
/**
|
||||
@@ -141,7 +144,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @return a paged result of all meta-data entries for a given distribution set id
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Map<String, String> getMetadata(long id);
|
||||
|
||||
/**
|
||||
@@ -152,7 +155,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param value meta data-entry to be new value
|
||||
* @throws EntityNotFoundException in case the meta-data entry does not exist and cannot be updated
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
void updateMetadata(long id, @NotNull String key, @NotNull String value);
|
||||
|
||||
/**
|
||||
@@ -162,7 +165,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param key of the meta-data element
|
||||
* @throws EntityNotFoundException if given set does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
void deleteMetadata(long id, @NotEmpty String key);
|
||||
|
||||
/**
|
||||
@@ -171,7 +174,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param id the distribution set id
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
void lock(final long id);
|
||||
|
||||
/**
|
||||
@@ -182,7 +185,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param id the distribution set id
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
|
||||
void unlock(final long id);
|
||||
|
||||
/**
|
||||
@@ -193,7 +196,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
* @throws InvalidDistributionSetException if distribution set with given ID is invalidated
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
DistributionSet getValid(long id);
|
||||
|
||||
/**
|
||||
@@ -205,7 +208,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @throws InvalidDistributionSetException if distribution set with given ID is invalidated
|
||||
* @throws IncompleteDistributionSetException if distribution set with given ID is incomplete
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
DistributionSet getValidAndComplete(long id);
|
||||
|
||||
/**
|
||||
@@ -215,7 +218,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @return the distribution set which is associated with the action
|
||||
* @throws EntityNotFoundException if action with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Optional<DistributionSet> findByAction(long actionId);
|
||||
|
||||
/**
|
||||
@@ -225,7 +228,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param version version of {@link DistributionSet}
|
||||
* @return the page with the found {@link DistributionSet}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Optional<DistributionSet> findByNameAndVersion(@NotEmpty String distributionName, @NotEmpty String version);
|
||||
|
||||
/**
|
||||
@@ -236,7 +239,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param pageable the pagination parameter
|
||||
* @return all found {@link DistributionSet}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Slice<DistributionSet> findByCompleted(Boolean complete, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -246,7 +249,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param pageable page parameter
|
||||
* @return the page of found {@link DistributionSet}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Slice<DistributionSet> findByDistributionSetFilter(@NotNull DistributionSetFilter distributionSetFilter, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -260,7 +263,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
|
||||
* @throws EntityNotFoundException of distribution set tag with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Page<DistributionSet> findByTag(long tagId, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -272,7 +275,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @return the page of found {@link DistributionSet}
|
||||
* @throws EntityNotFoundException of distribution set tag with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Page<DistributionSet> findByRsqlAndTag(@NotNull String rsql, long tagId, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -282,7 +285,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* nor <code>null</code> to count both.
|
||||
* @return count of all found {@link DistributionSet}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
long countByCompleted(Boolean complete);
|
||||
|
||||
/**
|
||||
@@ -291,7 +294,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param distributionSetFilter has details of filters to be applied.
|
||||
* @return count of {@link DistributionSet}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
long countByDistributionSetFilter(@NotNull DistributionSetFilter distributionSetFilter);
|
||||
|
||||
/**
|
||||
@@ -302,7 +305,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @return number of {@link DistributionSet}s
|
||||
* @throws EntityNotFoundException if type with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
long countByTypeId(long typeId);
|
||||
|
||||
/**
|
||||
@@ -312,7 +315,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param id to check
|
||||
* @return <code>true</code> if in use
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
boolean isInUse(long id);
|
||||
|
||||
/**
|
||||
@@ -322,7 +325,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param id to look for
|
||||
* @return List of Statistics for {@link org.eclipse.hawkbit.repository.model.Rollout}s status counts
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
List<Statistic> countRolloutsByStatusForDistributionSet(@NotNull Long id);
|
||||
|
||||
/**
|
||||
@@ -332,7 +335,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param id to look for
|
||||
* @return List of Statistics for {@link org.eclipse.hawkbit.repository.model.Action}s status counts
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
List<Statistic> countActionsByStatusForDistributionSet(@NotNull Long id);
|
||||
|
||||
/**
|
||||
@@ -342,6 +345,6 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
|
||||
* @param id to look for
|
||||
* @return number of {@link org.eclipse.hawkbit.repository.builder.AutoAssignDistributionSetUpdate}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
|
||||
Long countAutoAssignmentsForDistributionSet(@NotNull Long id);
|
||||
}
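Review bot: `assignSoftwareModules` and `unassignSoftwareModule` are now guarded by `HAS_AUTH_UPDATE_DISTRIBUTION_SET` alone, so the interface no longer states any permission on the software modules attached by ID, whereas `HAS_AUTH_UPDATE_REPOSITORY` previously covered both entity kinds. Unless the new expression or the implementation (neither is visible here) also checks repository access, consider composing the guard, e.g. `@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET + SpringEvalExpressions.HAS_AUTH_AND + SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)`; `assignTag` and `unassignTag` raise the same question for tags. Separately, as far as the visible lines show, the annotation only names the authority, so the `/name==…` scope used in the tests has to be applied inside each implementation; that is worth confirming for the ID-based and count methods such as `isInUse`, `countByTypeId` and `countAutoAssignmentsForDistributionSet`, where an unfiltered answer would reveal out-of-scope sets. Naming the required permission in each method's Javadoc would make this reviewable from the interface.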
|
||||
@@ -14,7 +14,7 @@ import java.util.Optional;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.TagCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.TagUpdate;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
|
||||
|
||||
@@ -14,7 +14,7 @@ import java.util.Optional;
|
||||
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.DistributionSetTypeCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.DistributionSetTypeUpdate;
|
||||
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
|
||||
|
||||
@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityReadOnlyException;
|
||||
import org.eclipse.hawkbit.repository.exception.RSQLParameterSyntaxException;
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository;
|
||||
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
|
||||
import org.eclipse.hawkbit.repository.model.Rollout;
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
|
||||
@@ -13,7 +13,7 @@ import java.util.Optional;
|
||||
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
|
||||
import org.eclipse.hawkbit.repository.exception.RSQLParameterSyntaxException;
|
||||
import org.eclipse.hawkbit.repository.exception.RSQLParameterUnsupportedFieldException;
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository;
|
||||
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
|
||||
import org.eclipse.hawkbit.repository.model.Rollout;
|
||||
import org.eclipse.hawkbit.repository.model.RolloutGroup;
|
||||
|
||||
@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.DynamicRolloutGroupTemplate;
|
||||
import org.eclipse.hawkbit.repository.builder.RolloutCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.RolloutGroupCreate;
|
||||
|
||||
@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.SoftwareModuleCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.SoftwareModuleMetadataCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.SoftwareModuleMetadataUpdate;
|
||||
|
||||
@@ -13,7 +13,7 @@ import java.util.Optional;
|
||||
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.SoftwareModuleTypeCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.SoftwareModuleTypeUpdate;
|
||||
import org.eclipse.hawkbit.repository.model.SoftwareModuleType;
|
||||
|
||||
@@ -13,7 +13,7 @@ import java.util.function.Consumer;
|
||||
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.model.DistributionSetType;
|
||||
import org.eclipse.hawkbit.repository.model.SoftwareModuleType;
|
||||
import org.eclipse.hawkbit.repository.model.TenantMetaData;
|
||||
|
||||
@@ -15,7 +15,7 @@ import jakarta.validation.ConstraintViolationException;
|
||||
import jakarta.validation.Valid;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.AutoAssignDistributionSetUpdate;
|
||||
import org.eclipse.hawkbit.repository.builder.TargetFilterQueryCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.TargetFilterQueryUpdate;
|
||||
|
||||
@@ -9,6 +9,20 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository;
|
||||
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_CLOSE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_OPEN;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_AND;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_DELETE_TARGET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_PREFIX;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_TARGET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_SUFFIX;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
@@ -21,7 +35,7 @@ import jakarta.validation.Valid;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.repository.builder.TargetCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.TargetUpdate;
|
||||
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
|
||||
@@ -53,6 +67,11 @@ public interface TargetManagement {
|
||||
String DETAILS_TAGS = "tags";
|
||||
String DETAILS_ACTIONS = "actions";
|
||||
|
||||
String HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET = BRACKET_OPEN +
|
||||
HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX +
|
||||
HAS_AUTH_AND +
|
||||
HAS_AUTH_PREFIX + SpPermission.READ_TARGET + HAS_AUTH_SUFFIX +
|
||||
BRACKET_CLOSE;
|
||||
/**
|
||||
* Counts number of targets with the given distribution set assigned.
|
||||
*
|
||||
@@ -60,7 +79,7 @@ public interface TargetManagement {
|
||||
* @return number of found {@link Target}s.
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
long countByAssignedDistributionSet(long distributionSetId);
|
||||
|
||||
/**
|
||||
@@ -71,7 +90,7 @@ public interface TargetManagement {
|
||||
* @return the found number {@link Target}s
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
long countByFilters(@NotNull final FilterParams filterParams);
|
||||
|
||||
/**
|
||||
@@ -81,7 +100,7 @@ public interface TargetManagement {
|
||||
* @return number of found {@link Target}s.
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
long countByInstalledDistributionSet(long distributionSetId);
|
||||
|
||||
/**
|
||||
@@ -92,7 +111,7 @@ public interface TargetManagement {
|
||||
* @return <code>true</code> if a {@link Target} exists.
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
boolean existsByInstalledOrAssignedDistributionSet(long distributionSetId);
|
||||
|
||||
/**
|
||||
@@ -101,7 +120,7 @@ public interface TargetManagement {
|
||||
* @param rsql filter definition in RSQL syntax
|
||||
* @return the found number of {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
long countByRsql(@NotEmpty String rsql);
|
||||
|
||||
/**
|
||||
@@ -110,7 +129,7 @@ public interface TargetManagement {
|
||||
* @param rsql filter definition in RSQL syntax
|
||||
* @return the found number of {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
long countByRsqlAndUpdatable(@NotEmpty String rsql);
|
||||
|
||||
/**
|
||||
@@ -122,7 +141,7 @@ public interface TargetManagement {
|
||||
* compatible with
|
||||
* @return the found number of{@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
long countByRsqlAndCompatible(@NotEmpty String rsql, @NotNull Long distributionSetIdTypeId);
|
||||
|
||||
/**
|
||||
@@ -134,7 +153,7 @@ public interface TargetManagement {
|
||||
* compatible with
|
||||
* @return the found number of{@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
long countByRsqlAndCompatibleAndUpdatable(@NotEmpty String rsql, @NotNull Long distributionSetIdTypeId);
|
||||
|
||||
/**
|
||||
@@ -147,7 +166,7 @@ public interface TargetManagement {
|
||||
* compatible with
|
||||
* @return the found number of{@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
long countByFailedInRollout(@NotEmpty String rolloutId, @NotNull Long dsTypeId);
|
||||
|
||||
/**
|
||||
@@ -157,7 +176,7 @@ public interface TargetManagement {
|
||||
* @return the found number of {@link Target}s
|
||||
* @throws EntityNotFoundException if {@link TargetFilterQuery} with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
long countByTargetFilterQuery(long targetFilterQueryId);
|
||||
|
||||
/**
|
||||
@@ -165,7 +184,7 @@ public interface TargetManagement {
|
||||
*
|
||||
* @return number of targets
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
long count();
|
||||
|
||||
/**
|
||||
@@ -176,7 +195,7 @@ public interface TargetManagement {
|
||||
* @throws EntityAlreadyExistsException given target already exists.
|
||||
* @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetCreate} for field constraints.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_CREATE_TARGET)
|
||||
Target create(@NotNull @Valid TargetCreate create);
|
||||
|
||||
/**
|
||||
@@ -190,7 +209,7 @@ public interface TargetManagement {
|
||||
* @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetCreate}
|
||||
* for field constraints.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_CREATE_TARGET)
|
||||
List<Target> create(@NotNull @Valid Collection<TargetCreate> creates);
|
||||
|
||||
/**
|
||||
@@ -199,7 +218,7 @@ public interface TargetManagement {
|
||||
* @param ids the IDs of the targets to be deleted
|
||||
* @throws EntityNotFoundException if (at least one) of the given target IDs does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_DELETE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_DELETE_TARGET)
|
||||
void delete(@NotEmpty Collection<Long> ids);
|
||||
|
||||
/**
|
||||
@@ -208,7 +227,7 @@ public interface TargetManagement {
|
||||
* @param controllerId the controller ID of the target to be deleted
|
||||
* @throws EntityNotFoundException if target with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_DELETE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_DELETE_TARGET)
|
||||
void deleteByControllerID(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -222,7 +241,7 @@ public interface TargetManagement {
|
||||
* @return a page of the found {@link Target}s
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
Slice<Target> findByTargetFilterQueryAndNonDSAndCompatibleAndUpdatable(
|
||||
long distributionSetId, @NotNull String rsql, @NotNull Pageable pageable);
|
||||
|
||||
@@ -236,7 +255,7 @@ public interface TargetManagement {
|
||||
* @return the count of found {@link Target}s
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
long countByRsqlAndNonDSAndCompatibleAndUpdatable(long distributionSetId, @NotNull String rsql);
|
||||
|
||||
/**
|
||||
@@ -251,7 +270,7 @@ public interface TargetManagement {
|
||||
* @param pageable the pageable to enhance the query for paging and sorting
|
||||
* @return a page of the found {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
Slice<Target> findByRsqlAndNotInRolloutGroupsAndCompatibleAndUpdatable(
|
||||
@NotEmpty Collection<Long> groups, @NotNull String rsql, @NotNull DistributionSetType distributionSetType,
|
||||
@NotNull Pageable pageable);
|
||||
@@ -266,7 +285,7 @@ public interface TargetManagement {
|
||||
* @param distributionSetType type of the {@link DistributionSet} the targets must be compatible with
|
||||
* @return count of the found {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
long countByRsqlAndNotInRolloutGroupsAndCompatibleAndUpdatable(
|
||||
@NotNull String rsql, @NotEmpty Collection<Long> groups, @NotNull DistributionSetType distributionSetType);
|
||||
|
||||
@@ -280,7 +299,7 @@ public interface TargetManagement {
|
||||
* @param pageable the pageable to enhance the query for paging and sorting
|
||||
* @return a page of the found {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
Slice<Target> findByFailedRolloutAndNotInRolloutGroups(
|
||||
@NotNull String rolloutId, @NotEmpty Collection<Long> groups, @NotNull Pageable pageable);
|
||||
|
||||
@@ -293,14 +312,14 @@ public interface TargetManagement {
|
||||
* @param groups the list of {@link RolloutGroup}s
|
||||
* @return count of the found {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
long countByFailedRolloutAndNotInRolloutGroups(@NotNull String rolloutId, @NotEmpty Collection<Long> groups);
|
||||
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
Slice<Target> findByRsqlAndNoOverridingActionsAndNotInRolloutAndCompatibleAndUpdatable(
|
||||
final long rolloutId, @NotNull String rsql, @NotNull DistributionSetType distributionSetType, @NotNull Pageable pageable);
|
||||
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
|
||||
long countByActionsInRolloutGroup(final long rolloutGroupId);
|
||||
|
||||
/**
|
||||
@@ -312,7 +331,7 @@ public interface TargetManagement {
|
||||
* @return the found {@link Target}s
|
||||
* @throws EntityNotFoundException if rollout group with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Slice<Target> findByInRolloutGroupWithoutAction(long group, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -323,7 +342,7 @@ public interface TargetManagement {
|
||||
* @return the found {@link Target}s
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
Page<Target> findByAssignedDistributionSet(long distributionSetId, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -338,7 +357,7 @@ public interface TargetManagement {
|
||||
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
Page<Target> findByAssignedDistributionSetAndRsql(long distributionSetId, @NotNull String rsql, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -347,7 +366,7 @@ public interface TargetManagement {
|
||||
* @param controllerIDs to look for.
|
||||
* @return List of found{@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
List<Target> getByControllerID(@NotEmpty Collection<String> controllerIDs);
|
||||
|
||||
/**
|
||||
@@ -356,7 +375,7 @@ public interface TargetManagement {
|
||||
* @param controllerId to look for.
|
||||
* @return {@link Target}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Optional<Target> getByControllerID(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -366,25 +385,25 @@ public interface TargetManagement {
|
||||
* @param detailsKey the key of the details to include, e.g. {@link #DETAILS_AUTO_CONFIRMATION_STATUS}
|
||||
* @return {@link Target}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Target getWithDetails(@NotEmpty String controllerId, String detailsKey);
|
||||
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
default Target getWithDetails(@NotEmpty String controllerId) {
|
||||
return getWithDetails(controllerId, DETAILS_BASE);
|
||||
}
|
||||
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
default Target getWithAutoConfigurationStatus(@NotEmpty String controllerId) {
|
||||
return getWithDetails(controllerId, DETAILS_AUTO_CONFIRMATION_STATUS);
|
||||
}
|
||||
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
default Target getWithTags(@NotEmpty String controllerId) {
|
||||
return getWithDetails(controllerId, DETAILS_TAGS);
|
||||
}
|
||||
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
default Target getWithActions(@NotEmpty String controllerId) {
|
||||
return getWithDetails(controllerId, DETAILS_ACTIONS);
|
||||
}
|
||||
@@ -399,7 +418,7 @@ public interface TargetManagement {
|
||||
* @return the found {@link Target}s
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Slice<Target> findByFilters(@NotNull FilterParams filterParams, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -410,7 +429,7 @@ public interface TargetManagement {
|
||||
* @return the found {@link Target}s
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
Page<Target> findByInstalledDistributionSet(long distributionSetId, @NotNull Pageable pageReq);
|
||||
|
||||
/**
|
||||
@@ -426,7 +445,7 @@ public interface TargetManagement {
|
||||
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
|
||||
* @throws EntityNotFoundException if distribution set with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
Page<Target> findByInstalledDistributionSetAndRsql(long distributionSetId, @NotNull String rsql, @NotNull Pageable pageReq);
|
||||
|
||||
/**
|
||||
@@ -436,7 +455,7 @@ public interface TargetManagement {
|
||||
* @param pageable page parameter
|
||||
* @return the found {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Page<Target> findByUpdateStatus(@NotNull TargetUpdateStatus status, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -445,7 +464,7 @@ public interface TargetManagement {
|
||||
* @param pageable pagination parameter
|
||||
* @return the found {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Slice<Target> findAll(@NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -458,7 +477,7 @@ public interface TargetManagement {
|
||||
* given {@code fieldNameProvider}
|
||||
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Slice<Target> findByRsql(@NotNull String rsql, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -472,7 +491,7 @@ public interface TargetManagement {
|
||||
* given {@code fieldNameProvider}
|
||||
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Slice<Target> findByTargetFilterQuery(long targetFilterQueryId, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -483,7 +502,7 @@ public interface TargetManagement {
|
||||
* @return list of matching targets
|
||||
* @throws EntityNotFoundException if target tag with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Page<Target> findByTag(long tagId, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -498,7 +517,7 @@ public interface TargetManagement {
|
||||
* given {@code fieldNameProvider}
|
||||
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Page<Target> findByRsqlAndTag(@NotNull String rsql, long tagId, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -510,7 +529,7 @@ public interface TargetManagement {
|
||||
* @param targetFilterQuery to execute
|
||||
* @return true if it matches
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
|
||||
boolean isTargetMatchingQueryAndDSNotAssignedAndCompatibleAndUpdatable(
|
||||
@NotNull String controllerId, long distributionSetId, @NotNull String targetFilterQuery);
|
||||
|
||||
@@ -523,7 +542,7 @@ public interface TargetManagement {
|
||||
* @return {@link TargetTypeAssignmentResult} with all meta-data of the assignment outcome.
|
||||
* @throws EntityNotFoundException if target type with given id does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
|
||||
TargetTypeAssignmentResult assignType(@NotEmpty Collection<String> controllerIds, @NotNull Long typeId);
|
||||
|
||||
/**
|
||||
@@ -532,7 +551,7 @@ public interface TargetManagement {
|
||||
* @param controllerIds to remove the type from
|
||||
* @return {@link TargetTypeAssignmentResult} with all meta-data of the assignment outcome.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
|
||||
TargetTypeAssignmentResult unassignType(@NotEmpty Collection<String> controllerIds);
|
||||
|
||||
/**
|
||||
@@ -544,7 +563,7 @@ public interface TargetManagement {
|
||||
* @return list of assigned targets
|
||||
* @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
List<Target> assignTag(@NotEmpty Collection<String> controllerIds, long targetTagId, final Consumer<Collection<String>> notFoundHandler);
|
||||
|
||||
/**
|
||||
@@ -555,7 +574,7 @@ public interface TargetManagement {
|
||||
* @return list of assigned targets
|
||||
* @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
List<Target> assignTag(@NotEmpty Collection<String> controllerIds, long targetTagId);
|
||||
|
||||
/**
|
||||
@@ -567,7 +586,7 @@ public interface TargetManagement {
|
||||
* @return list of unassigned targets
|
||||
* @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
|
||||
List<Target> unassignTag(@NotEmpty Collection<String> controllerIds, long targetTagId, final Consumer<Collection<String>> notFoundHandler);
|
||||
|
||||
/**
|
||||
@@ -578,7 +597,7 @@ public interface TargetManagement {
|
||||
* @return list of unassigned targets
|
||||
* @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
|
||||
List<Target> unassignTag(@NotEmpty Collection<String> controllerIds, long targetTagId);
|
||||
|
||||
/**
|
||||
@@ -587,7 +606,7 @@ public interface TargetManagement {
|
||||
* @param controllerId to un-assign for
|
||||
* @return the unassigned target
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
|
||||
Target unassignType(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -598,7 +617,7 @@ public interface TargetManagement {
|
||||
* @return the unassigned target
|
||||
* @throws EntityNotFoundException if TargetType with given target ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
|
||||
Target assignType(@NotEmpty String controllerId, @NotNull Long targetTypeId);
|
||||
|
||||
/**
|
||||
@@ -610,7 +629,7 @@ public interface TargetManagement {
|
||||
* @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetUpdate}
|
||||
* for field constraints.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
|
||||
Target update(@NotNull @Valid TargetUpdate update);
|
||||
|
||||
/**
|
||||
@@ -619,7 +638,7 @@ public interface TargetManagement {
|
||||
* @param id to look for
|
||||
* @return {@link Target}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Optional<Target> get(long id);
|
||||
|
||||
/**
|
||||
@@ -628,7 +647,7 @@ public interface TargetManagement {
|
||||
* @param ids the ids to for
|
||||
* @return the found {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
List<Target> get(@NotNull Collection<Long> ids);
|
||||
|
||||
/**
|
||||
@@ -637,7 +656,7 @@ public interface TargetManagement {
|
||||
* @param controllerId of target
|
||||
* @return {@code true} if target with given ID exists
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
boolean existsByControllerId(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -647,7 +666,7 @@ public interface TargetManagement {
|
||||
* @return the found Tag set
|
||||
* @throws EntityNotFoundException if target with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Set<TargetTag> getTags(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -657,7 +676,7 @@ public interface TargetManagement {
|
||||
* @return controller attributes as key/value pairs
|
||||
* @throws EntityNotFoundException if target with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Map<String, String> getControllerAttributes(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -666,7 +685,7 @@ public interface TargetManagement {
|
||||
* @param controllerId of the target
|
||||
* @throws EntityNotFoundException if target with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
|
||||
void requestControllerAttributes(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -676,7 +695,7 @@ public interface TargetManagement {
|
||||
* @return {@code true}: update of controller attributes triggered.
|
||||
* {@code false}: update of controller attributes not requested.
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
boolean isControllerAttributesRequested(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -686,7 +705,7 @@ public interface TargetManagement {
|
||||
* @param pageable page parameter
|
||||
* @return the found {@link Target}s
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET)
|
||||
Page<Target> findByControllerAttributesRequested(@NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -698,7 +717,7 @@ public interface TargetManagement {
|
||||
* @throws EntityAlreadyExistsException in case one of the metad-ata entry already exists for the specific key
|
||||
* @throws AssignmentQuotaExceededException if the maximum number of meta-data entries is exceeded for the addressed {@link Target}
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY)
|
||||
void createMetadata(@NotEmpty String controllerId, @NotEmpty Map<String, String> metadata);
|
||||
|
||||
/**
|
||||
@@ -708,7 +727,7 @@ public interface TargetManagement {
|
||||
* @return the found target meta-data
|
||||
* @throws EntityNotFoundException if target with given ID does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_READ_REPOSITORY)
|
||||
Map<String, String> getMetadata(@NotEmpty String controllerId);
|
||||
|
||||
/**
|
||||
@@ -719,7 +738,7 @@ public interface TargetManagement {
|
||||
* @param value meta data-entry to be new value
|
||||
* @throws EntityNotFoundException in case the meta-data entry does not exist and cannot be updated
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY)
|
||||
void updateMetadata(@NotEmpty String controllerId, @NotNull String key, @NotNull String value);
|
||||
|
||||
/**
|
||||
@@ -729,6 +748,6 @@ public interface TargetManagement {
|
||||
* @param key of the meta data element
|
||||
* @throws EntityNotFoundException if given target does not exist
|
||||
*/
|
||||
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY)
|
||||
void deleteMetadata(@NotEmpty String controllerId, @NotEmpty String key);
|
||||
}
|
||||
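Review bot: The four target metadata methods at the end of `TargetManagement` (`createMetadata`, `getMetadata`, `updateMetadata`, `deleteMetadata`) are still guarded by the coarse repository expressions, with only the `SpringEvalExpressions.` qualifier dropped, while the other target reads and writes in this interface check a target permission. If `HAS_AUTH_READ_REPOSITORY` and `HAS_AUTH_UPDATE_REPOSITORY` test only the repository authority (their definitions are not shown in this section), a principal with repository rights and no target rights can read and change target metadata, and a target-only principal cannot. I would use `@PreAuthorize(HAS_AUTH_READ_TARGET)` on `getMetadata` and `@PreAuthorize(HAS_AUTH_UPDATE_TARGET)` on the three mutating methods. Both `assignTag` overloads also keep `HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET` although `unassignTag` needs only `HAS_AUTH_UPDATE_TARGET`; aligning them, or adding a one-line comment on why tagging needs the repository read, would make the intent clear.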
@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.builder.TagCreate;
|
||||
import org.eclipse.hawkbit.repository.builder.TagUpdate;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityAlreadyExistsException;
|
||||
|
||||
@@ -9,6 +9,16 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository;
|
||||
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_CLOSE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_OPEN;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_AND;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET_TYPE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_DELETE_TARGET_TYPE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_PREFIX;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_TARGET_TYPE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_SUFFIX;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET_TYPE;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
@@ -31,58 +41,64 @@ import org.springframework.security.access.prepost.PreAuthorize;
|
||||
*/
|
||||
public interface TargetTypeManagement {
|
||||
|
||||
String HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE = BRACKET_OPEN +
|
||||
HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX +
|
||||
HAS_AUTH_AND +
|
||||
HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET_TYPE + HAS_AUTH_SUFFIX +
|
||||
BRACKET_CLOSE;
|
||||
|
||||
/**
|
||||
* @param key as {@link TargetType#getKey()}
|
||||
* @return {@link TargetType}
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
Optional<TargetType> getByKey(@NotEmpty String key);
|
||||
|
||||
/**
|
||||
* @param name as {@link TargetType#getName()}
|
||||
* @return {@link TargetType}
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
Optional<TargetType> getByName(@NotEmpty String name);
|
||||
|
||||
/**
|
||||
* @return total count
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
long count();
|
||||
|
||||
/**
|
||||
* @param name as {@link TargetType#getName()}
|
||||
* @return total count by name
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
long countByName(String name);
|
||||
|
||||
/**
|
||||
* @param create TargetTypeCreate
|
||||
* @return targetType
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_CREATE_TARGET_TYPE)
|
||||
TargetType create(@NotNull @Valid TargetTypeCreate create);
|
||||
|
||||
/**
|
||||
* @param creates List of TargetTypeCreate
|
||||
* @return List of targetType
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_CREATE_TARGET_TYPE)
|
||||
List<TargetType> create(@NotEmpty @Valid Collection<TargetTypeCreate> creates);
|
||||
|
||||
/**
|
||||
* @param id targetTypeId
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_DELETE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_DELETE_TARGET_TYPE)
|
||||
void delete(@NotNull Long id);
|
||||
|
||||
/**
|
||||
* @param pageable Page
|
||||
* @return TargetType page
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
Slice<TargetType> findAll(@NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -90,7 +106,7 @@ public interface TargetTypeManagement {
|
||||
* @param pageable Page
|
||||
* @return Target type
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
Page<TargetType> findByRsql(@NotEmpty String rsql, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
@@ -100,28 +116,28 @@ public interface TargetTypeManagement {
|
||||
* @param pageable page parameter
|
||||
* @return the page of found {@link TargetType}
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
Slice<TargetType> findByName(String name, @NotNull Pageable pageable);
|
||||
|
||||
/**
|
||||
* @param id Target type ID
|
||||
* @return Target Type
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
Optional<TargetType> get(long id);
|
||||
|
||||
/**
|
||||
* @param ids List of Target type ID
|
||||
* @return Target type list
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
|
||||
List<TargetType> get(@NotEmpty Collection<Long> ids);
|
||||
|
||||
/**
|
||||
* @param update TargetTypeUpdate
|
||||
* @return Target Type
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_UPDATE_TARGET_TYPE)
|
||||
TargetType update(@NotNull @Valid TargetTypeUpdate update);
|
||||
|
||||
/**
|
||||
@@ -129,15 +145,14 @@ public interface TargetTypeManagement {
|
||||
* @param distributionSetTypeIds Distribution set ID
|
||||
* @return Target type
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
TargetType assignCompatibleDistributionSetTypes(long id,
|
||||
@NotEmpty Collection<Long> distributionSetTypeIds);
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE)
|
||||
TargetType assignCompatibleDistributionSetTypes(long id, @NotEmpty Collection<Long> distributionSetTypeIds);
|
||||
|
||||
/**
|
||||
* @param id Target type ID
|
||||
* @param distributionSetTypeIds Distribution set ID
|
||||
* @return Target type
|
||||
*/
|
||||
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
|
||||
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE)
|
||||
TargetType unassignDistributionSetType(long id, long distributionSetTypeIds);
|
||||
}
|
||||
}
|
||||
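Review bot: `HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE` is declared without Javadoc, and the two methods it guards, `assignCompatibleDistributionSetTypes` and `unassignDistributionSetType`, take distribution set *type* ids while the expression checks `READ_DISTRIBUTION_SET`. If that pairing is intended, say so on the constant, e.g. `/** Requires READ_DISTRIBUTION_SET and UPDATE_TARGET_TYPE; guards (un)assignment of compatible distribution set types. */`, so a later reader does not take it for a typo. The `@param distributionSetTypeIds Distribution set ID` lines in both Javadocs should read `Distribution set type ID(s)` for the same reason. Callers that previously held only the target permissions now need the `*_TARGET_TYPE` authorities (or a hierarchy that implies them, which is not visible in this section), and that deserves a line in the upgrade notes.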
@@ -13,7 +13,7 @@ import java.io.Serializable;
|
||||
import java.util.Map;
|
||||
import java.util.function.Function;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.exception.TenantConfigurationValidatorException;
|
||||
import org.eclipse.hawkbit.repository.model.PollStatus;
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.repository;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.report.model.TenantUsage;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@ import java.util.Optional;
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.aopalliance.intercept.MethodInvocation;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.im.authentication.Hierarchy;
|
||||
import org.eclipse.hawkbit.tenancy.configuration.ControllerPollProperties;
|
||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||
@@ -49,7 +49,7 @@ public class RepositoryConfiguration {
|
||||
@Bean
|
||||
@ConditionalOnMissingBean
|
||||
static RoleHierarchy roleHierarchy() {
|
||||
return RoleHierarchyImpl.fromHierarchy(SpRole.DEFAULT_ROLE_HIERARCHY);
|
||||
return RoleHierarchyImpl.fromHierarchy(Hierarchy.DEFAULT);
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
||||
@@ -18,7 +18,6 @@ import java.util.Map;
|
||||
import java.util.Optional;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.ContextAware;
|
||||
@@ -27,11 +26,8 @@ import org.eclipse.hawkbit.repository.exception.InsufficientPermissionException;
|
||||
import org.eclipse.hawkbit.repository.jpa.ql.EntityMatcher;
|
||||
import org.eclipse.hawkbit.repository.jpa.rsql.RsqlUtility;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.data.jpa.domain.Specification;
|
||||
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.util.ObjectUtils;
|
||||
|
||||
@@ -41,10 +37,7 @@ public class DefaultAccessController<A extends Enum<A> & RsqlQueryField, T> impl
|
||||
private final Class<A> rsqlQueryFieldType;
|
||||
private final Map<Operation, List<String>> permissions = new EnumMap<>(Operation.class);
|
||||
|
||||
@Value("${hawkbit.jpa.security.default-access-controller.strict:false}")
|
||||
private boolean strict;
|
||||
private ContextAware contextAware;
|
||||
private RoleHierarchy roleHierarchy;
|
||||
|
||||
public DefaultAccessController(final Class<A> rsqlQueryFieldType, final String... permissionTypes) {
|
||||
if (ObjectUtils.isEmpty(permissionTypes)) {
|
||||
@@ -64,11 +57,6 @@ public class DefaultAccessController<A extends Enum<A> & RsqlQueryField, T> impl
|
||||
this.contextAware = contextAware;
|
||||
}
|
||||
|
||||
@Autowired(required = false)
|
||||
void setRoleHierarchy(final RoleHierarchy roleHierarchy) {
|
||||
this.roleHierarchy = roleHierarchy;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Optional<Specification<T>> getAccessRules(final Operation operation) {
|
||||
if (contextAware.getCurrentTenant() != null && SYSTEM_USER.equals(contextAware.getCurrentUsername())) {
|
||||
@@ -104,43 +92,26 @@ public class DefaultAccessController<A extends Enum<A> & RsqlQueryField, T> impl
|
||||
|
||||
// returns null if ALL entities are accessible, otherwise returns a list of scopes
|
||||
// throws InsufficientPermissionException if no matching authority found (should not happen - should be already checked with @PreAuthorize)
|
||||
// java:S1168 - returns null with purpose to indicate no scopes, privately used with attention
|
||||
// java:S1168 - better readable at one place
|
||||
@SuppressWarnings({ "java:S1168", "java:S1168" })
|
||||
@SuppressWarnings("java:S1168") // java:S1168 - returns null with purpose to indicate no scopes, privately used with attention
|
||||
private List<String> getScopes(final Operation operation) {
|
||||
final List<String> operationPermissions = permissions.get(operation);
|
||||
final List<String> scopes = SecurityContextHolder.getContext().getAuthentication().getAuthorities().stream()
|
||||
.map(GrantedAuthority::getAuthority)
|
||||
.map(Permission::from)
|
||||
.flatMap(permission -> roleHierarchy == null
|
||||
? (operationPermissions.contains(permission.name()) ? Stream.of(permission) : Stream.empty())
|
||||
: roleHierarchy.getReachableGrantedAuthorities(List.of(new SimpleGrantedAuthority(permission.name())))
|
||||
.stream()
|
||||
.map(GrantedAuthority::getAuthority)
|
||||
.filter(operationPermissions::contains)
|
||||
.map(reachableAuthority -> new Permission(reachableAuthority, permission.scope())))
|
||||
.filter(permission -> operationPermissions.contains(permission.name()))
|
||||
.map(Permission::scope)
|
||||
.distinct() // remove duplicates
|
||||
.toList();
|
||||
if (scopes.isEmpty()) {
|
||||
// no matching authority found for the operation
|
||||
// the needed permission should have already been checked with @PreAuthorize
|
||||
// could happen, for instance, in controller management, that checks ROLE_CONTROLLER and on its behalf
|
||||
// calls pure repository methods as privileged
|
||||
if (strict) {
|
||||
throw new InsufficientPermissionException(
|
||||
String.format(
|
||||
"No matching authority found for operation %s" +
|
||||
" (expects %s, should not happen - shall have already been checked with @PreAuthorize)",
|
||||
operation, operationPermissions));
|
||||
} else {
|
||||
// TODO - maybe in some future we could adapt permissions so controller roles to somehow apply what is needed
|
||||
// and to do not "assume" and to throw exception always
|
||||
log.debug(
|
||||
"[{}] No matching authority found for operation {} (expects {}), they shall have already been checked with @PreAuthorize)",
|
||||
rsqlQueryFieldType, operation, operationPermissions);
|
||||
return null;
|
||||
}
|
||||
// no matching permission scope found for the operation
|
||||
// the required for the method permissions should have already been checked with @PreAuthorize
|
||||
// however it could happen that there is no entity permission, e.g.:
|
||||
// * in controller management, that checks ROLE_CONTROLLER and on its behalf calls pure repository methods as privileged
|
||||
// * in case the entity permission(s) are implied - e.g. there is READ_REPOSITORY which implies READ_DISTRIBUTION_SET
|
||||
log.debug(
|
||||
"[{}] No matching authority found for operation {} (expects {}), they shall have already been checked with @PreAuthorize)",
|
||||
rsqlQueryFieldType, operation, operationPermissions);
|
||||
return null;
|
||||
} else if (scopes.contains(null)) {
|
||||
return null; // not scoped at all
|
||||
} else {
|
||||
|
||||
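Review bot: In `getScopes`, an empty `scopes` list now always returns `null`, which the comment above the method defines as "ALL entities are accessible", and the `strict` switch that could turn this case into an `InsufficientPermissionException` is gone. This section also removes the role-hierarchy expansion, and `DefaultAccessControllerConfiguration` drops the `"REPOSITORY"` / `"TARGET"` permission types, so a scope attached to a coarse authority such as `READ_REPOSITORY/id==…` appears to be no longer considered for distribution sets and such a grant would end up unscoped rather than restricted. I cannot confirm from this hunk how `@PreAuthorize` treats scoped authorities, so please verify. If fail-open is the intended behaviour, state it at the return, e.g. `// null == unscoped: access is then limited only by @PreAuthorize`, and add a test with a caller that holds only a scoped coarse authority. The body of `getScopes` continues past the end of the hunk.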
@@ -32,12 +32,12 @@ public class DefaultAccessControllerConfiguration {
|
||||
@Bean
|
||||
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.target-type.enabled", havingValue = "true", matchIfMissing = true)
|
||||
AccessController<JpaTargetType> targetTypeAccessController() {
|
||||
return new DefaultAccessController<>(TargetTypeFields.class, "TARGET", "TARGET_TYPE");
|
||||
return new DefaultAccessController<>(TargetTypeFields.class, "TARGET_TYPE");
|
||||
}
|
||||
|
||||
@Bean
|
||||
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.distribution-set.enabled", havingValue = "true", matchIfMissing = true)
|
||||
AccessController<JpaDistributionSet> distributionSetAccessController() {
|
||||
return new DefaultAccessController<>(DistributionSetFields.class, "REPOSITORY", "DISTRIBUTION_SET");
|
||||
return new DefaultAccessController<>(DistributionSetFields.class, "DISTRIBUTION_SET");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -29,6 +29,7 @@ import jakarta.validation.constraints.NotNull;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.ContextAware;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.repository.DistributionSetManagement;
|
||||
import org.eclipse.hawkbit.repository.QuotaManagement;
|
||||
import org.eclipse.hawkbit.repository.RepositoryProperties;
|
||||
@@ -200,7 +201,7 @@ public class JpaRolloutManagement implements RolloutManagement {
|
||||
// scheduled rollout, the creator shall have permissions to start rollout
|
||||
if (rolloutRequest.getStartAt() != null && rolloutRequest.getStartAt() != Long.MAX_VALUE && // if scheduled rollout
|
||||
!systemSecurityContext.hasPermission(SpPermission.HANDLE_ROLLOUT) &&
|
||||
!systemSecurityContext.hasPermission(SpPermission.SpringEvalExpressions.SYSTEM_ROLE)) {
|
||||
!systemSecurityContext.hasPermission(SpRole.SYSTEM_ROLE)) {
|
||||
throw new InsufficientPermissionException("You need permission to start rollouts to create a scheduled rollout");
|
||||
}
|
||||
if (dynamicRolloutGroupTemplate != null && !rolloutRequest.isDynamic()) {
|
||||
|
||||
@@ -11,9 +11,10 @@ package org.eclipse.hawkbit.repository.jpa.acm;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatThrownBy;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_DISTRIBUTION_SET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_REPOSITORY;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_REPOSITORY;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_DISTRIBUTION_SET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUser;
|
||||
@@ -38,6 +39,9 @@ import org.springframework.data.domain.Pageable;
|
||||
import org.springframework.test.context.ContextConfiguration;
|
||||
|
||||
/**
|
||||
* Note: Still all test gets READ_REPOSITORY since find methods are inherited with request for READ_REPOSITORY. However,
|
||||
* using READ_DISTRIBUTION_SET scoping - the scopes still work.
|
||||
* <p/>
|
||||
* Feature: Component Tests - Access Control<br/>
|
||||
* Story: Test Distribution Set Access Controller
|
||||
*/
|
||||
@@ -56,7 +60,8 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
|
||||
final Action hiddenAction = testdataFactory.performAssignment(hidden);
|
||||
|
||||
runAs(withUser("user",
|
||||
READ_REPOSITORY + "/id==" + permitted.getId(),
|
||||
READ_REPOSITORY,
|
||||
READ_DISTRIBUTION_SET + "/id==" + permitted.getId(),
|
||||
READ_TARGET +"/controllerId==" + permittedAction.getTarget().getControllerId()), () -> {
|
||||
final Long permittedActionId = permitted.getId();
|
||||
|
||||
@@ -125,8 +130,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
|
||||
final SoftwareModule swModule = testdataFactory.createSoftwareModuleOs();
|
||||
|
||||
runAs(withUser("user",
|
||||
READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
|
||||
UPDATE_REPOSITORY + "/id==" + permitted.getId()), () -> {
|
||||
READ_REPOSITORY,
|
||||
READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
|
||||
UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId()), () -> {
|
||||
// verify distributionSetManagement#assignSoftwareModules
|
||||
final List<Long> singleModuleIdList = Collections.singletonList(swModule.getId());
|
||||
assertThat(distributionSetManagement.assignSoftwareModules(permitted.getId(), singleModuleIdList))
|
||||
@@ -185,8 +191,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
|
||||
distributionSetManagement.assignTag(Arrays.asList(permitted.getId(), readOnly.getId(), hidden.getId()), dsTagId);
|
||||
|
||||
runAs(withUser("user",
|
||||
READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
|
||||
UPDATE_REPOSITORY + "/id==" + permitted.getId()), () -> {
|
||||
READ_REPOSITORY,
|
||||
READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
|
||||
UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId()), () -> {
|
||||
assertThat(distributionSetManagement.findByTag(dsTagId, Pageable.unpaged()).get().map(Identifiable::getId)
|
||||
.toList()).containsOnly(permitted.getId(), readOnly.getId());
|
||||
|
||||
@@ -252,8 +259,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
|
||||
.create(entityFactory.targetFilterQuery().create().name("test").query("id==*"));
|
||||
|
||||
runAs(withUser("user",
|
||||
READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
|
||||
UPDATE_REPOSITORY + "/id==" + permitted.getId(),
|
||||
READ_REPOSITORY,
|
||||
READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
|
||||
UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId(),
|
||||
// read / update target needed to update target filter query
|
||||
READ_TARGET, UPDATE_TARGET), () -> {
|
||||
assertThat(targetFilterQueryManagement
|
||||
|
||||
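Review bot: Every scoped case in this class now grants unscoped `READ_REPOSITORY` next to `READ_DISTRIBUTION_SET/id==…`, so the tests only show that scoping works when the caller also holds the broad permission. The added class comment explains why, but a reader setting up least-privilege users needs it stated more plainly, for example `* Note: all tests still grant READ_REPOSITORY, because the inherited find methods require it; entity scoping is applied through READ_DISTRIBUTION_SET.` A case asserting what a caller with `READ_DISTRIBUTION_SET/id==…` alone can and cannot do would pin the intended boundary. The test methods shown start or end outside the hunks.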
@@ -11,15 +11,13 @@ package org.eclipse.hawkbit.repository.jpa.acm;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatThrownBy;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.DELETE_TARGET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.DELETE_TARGET_TYPE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET_TYPE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET_TYPE;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUser;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import org.eclipse.hawkbit.repository.Identifiable;
|
||||
import org.eclipse.hawkbit.repository.builder.TargetTypeCreate;
|
||||
@@ -27,8 +25,6 @@ import org.eclipse.hawkbit.repository.builder.TargetTypeUpdate;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
|
||||
import org.eclipse.hawkbit.repository.exception.InsufficientPermissionException;
|
||||
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaTargetType;
|
||||
import org.eclipse.hawkbit.repository.jpa.specifications.TargetTypeSpecification;
|
||||
import org.eclipse.hawkbit.repository.model.TargetType;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.springframework.data.domain.Pageable;
|
||||
@@ -49,7 +45,7 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
|
||||
final TargetType permittedTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type1"));
|
||||
final TargetType hiddenTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
|
||||
|
||||
runAs(withUser("user", READ_TARGET + "/id==" + permittedTargetType.getId()), () -> {
|
||||
runAs(withUser("user", READ_TARGET_TYPE + "/id==" + permittedTargetType.getId()), () -> {
|
||||
// verify targetTypeManagement#findAll
|
||||
assertThat(targetTypeManagement.findAll(Pageable.unpaged()).get().map(Identifiable::getId).toList())
|
||||
.containsOnly(permittedTargetType.getId());
|
||||
@@ -111,8 +107,8 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
|
||||
final TargetType readOnlyTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
|
||||
|
||||
runAs(withUser("user",
|
||||
READ_TARGET + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
|
||||
DELETE_TARGET + "/id==" + manageableTargetType.getId()), () -> {
|
||||
READ_TARGET_TYPE + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
|
||||
DELETE_TARGET_TYPE + "/id==" + manageableTargetType.getId()), () -> {
|
||||
// delete the manageableTargetType
|
||||
targetTypeManagement.delete(manageableTargetType.getId());
|
||||
|
||||
@@ -132,8 +128,8 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
|
||||
final TargetType readOnlyTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
|
||||
|
||||
runAs(withUser("user",
|
||||
READ_TARGET + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
|
||||
UPDATE_TARGET + "/id==" + manageableTargetType.getId()), () -> {
|
||||
READ_TARGET_TYPE + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
|
||||
UPDATE_TARGET_TYPE + "/id==" + manageableTargetType.getId()), () -> {
|
||||
// update the manageableTargetType
|
||||
targetTypeManagement.update(entityFactory.targetType().update(manageableTargetType.getId())
|
||||
.name(manageableTargetType.getName() + "/new").description("newDesc"));
|
||||
@@ -151,7 +147,7 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
|
||||
*/
|
||||
@Test
|
||||
void verifyTargetTypeCreationBlockedByAccessController() {
|
||||
runAs(withUser("user", READ_TARGET, UPDATE_TARGET), () -> {
|
||||
runAs(withUser("user", READ_TARGET_TYPE, UPDATE_TARGET_TYPE), () -> {
|
||||
// verify targetTypeManagement#create for any type
|
||||
final TargetTypeCreate targetTypeCreate = entityFactory.targetType().create().name("type1");
|
||||
assertThatThrownBy(() -> targetTypeManagement.create(targetTypeCreate))
|
||||
|
||||
@@ -13,6 +13,7 @@ import java.io.ByteArrayInputStream;
|
||||
import java.util.List;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
|
||||
import org.eclipse.hawkbit.repository.model.ArtifactUpload;
|
||||
import org.eclipse.hawkbit.repository.test.util.WithUser;
|
||||
@@ -59,7 +60,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void getPermissionCheck() {
|
||||
assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.READ_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.get(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -70,7 +71,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L),
|
||||
List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -79,7 +80,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void findFirstBySHA1PermissionCheck() {
|
||||
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.READ_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -88,7 +89,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void getByFilenamePermissionCheck() {
|
||||
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.READ_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -113,7 +114,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void loadArtifactBinaryPermissionCheck() {
|
||||
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -12,6 +12,7 @@ package org.eclipse.hawkbit.repository.jpa.management;
|
||||
import java.util.List;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
@@ -45,7 +46,7 @@ class ConfirmationManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
void getStatusPermissionsCheck() {
|
||||
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.READ_TARGET),
|
||||
List.of(SpPermission.CREATE_TARGET));
|
||||
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET));
|
||||
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET));
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -13,7 +13,8 @@ import java.net.URI;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException;
|
||||
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
|
||||
import org.eclipse.hawkbit.repository.jpa.model.JpaAction;
|
||||
@@ -33,7 +34,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void addCancelActionStatusPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.addCancelActionStatus(entityFactory.actionStatus().create(0L)),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -41,7 +42,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
*/
|
||||
@Test
|
||||
void getSoftwareModulePermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.getSoftwareModule(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
assertPermissions(() -> controllerManagement.getSoftwareModule(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -50,7 +51,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void findTargetVisibleMetaDataBySoftwareModuleIdPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.findTargetVisibleMetaDataBySoftwareModuleId(List.of(1L)),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -59,7 +60,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void addInformationalActionStatusPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.addInformationalActionStatus(entityFactory.actionStatus().create(0L)),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -68,7 +69,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void addUpdateActionStatusPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.addUpdateActionStatus(entityFactory.actionStatus().create(0L)),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -77,7 +78,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void findActiveActionWithHighestWeightPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.findActiveActionWithHighestWeight("controllerId"),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -86,7 +87,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void findActiveActionsWithHighestWeightPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.findActiveActionsWithHighestWeight("controllerId", 1),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -94,7 +95,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
*/
|
||||
@Test
|
||||
void findActionWithDetailsPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.findActionWithDetails(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
assertPermissions(() -> controllerManagement.findActionWithDetails(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -103,7 +104,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void findActionStatusByActionPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.findActionStatusByAction(1L, Pageable.unpaged()),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -112,7 +113,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void findOrRegisterTargetIfItDoesNotExistPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.findOrRegisterTargetIfItDoesNotExist("controllerId", URI.create("someaddress")),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -122,7 +123,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
void findOrRegisterTargetIfItDoesNotExistWithDetailsPermissionsCheck() {
|
||||
assertPermissions(
|
||||
() -> controllerManagement.findOrRegisterTargetIfItDoesNotExist("controllerId", URI.create("someaddress"), "name", "type"),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -131,7 +132,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void getActionForDownloadByTargetAndSoftwareModulePermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.getActionForDownloadByTargetAndSoftwareModule("controllerId", 1L),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -139,7 +140,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
*/
|
||||
@Test
|
||||
void getPollingTimePermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.getPollingTime(null), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
assertPermissions(() -> controllerManagement.getPollingTime(null), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -156,7 +157,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
// expected since action is not found
|
||||
}
|
||||
return null;
|
||||
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -165,7 +166,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void hasTargetArtifactAssignedPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.hasTargetArtifactAssigned("controllerId", "sha1Hash"),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -174,7 +175,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void hasTargetArtifactAssignedByIdPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.hasTargetArtifactAssigned(1L, "sha1Hash"),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -183,7 +184,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void updateControllerAttributesPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.updateControllerAttributes("controllerId", Map.of(), null),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -192,9 +193,9 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void getByControllerIdPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.getByControllerId("controllerId"),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
assertPermissions(() -> controllerManagement.getByControllerId("controllerId"),
|
||||
List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
|
||||
List.of(SpRole.SYSTEM_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -202,8 +203,8 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
*/
|
||||
@Test
|
||||
void getPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
assertPermissions(() -> controllerManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
|
||||
assertPermissions(() -> controllerManagement.get(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
assertPermissions(() -> controllerManagement.get(1L), List.of(SpRole.SYSTEM_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -212,7 +213,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void getActionHistoryMessagesPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.getActionHistoryMessages(1L, 1),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -229,7 +230,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
// expected since action is not found
|
||||
}
|
||||
return null;
|
||||
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -240,7 +241,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
assertPermissions(() -> {
|
||||
controllerManagement.updateActionExternalRef(1L, "externalRef");
|
||||
return null;
|
||||
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -249,7 +250,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void getActionByExternalRefPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.getActionByExternalRef("externalRef"),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -260,7 +261,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
assertPermissions(() -> {
|
||||
controllerManagement.deleteExistingTarget("controllerId");
|
||||
return null;
|
||||
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -271,7 +272,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
final Target target = testdataFactory.createTarget();
|
||||
assertPermissions(
|
||||
() -> controllerManagement.getInstalledActionByTarget(target),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -281,7 +282,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
void activateAutoConfirmationPermissionsCheck() {
|
||||
assertPermissions(
|
||||
() -> controllerManagement.activateAutoConfirmation("controllerId", "initiator", "remark"),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -292,7 +293,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
assertPermissions(() -> {
|
||||
controllerManagement.deactivateAutoConfirmation("controllerId");
|
||||
return null;
|
||||
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -301,7 +302,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void updateOfflineAssignedVersionPermissionsCheck() {
|
||||
assertPermissions(() -> controllerManagement.updateOfflineAssignedVersion("controllerId", "distributionName", "version"),
|
||||
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -12,8 +12,8 @@ package org.eclipse.hawkbit.repository.jpa.management;
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.assertj.core.api.Assertions.assertThatNoException;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
|
||||
import static org.eclipse.hawkbit.repository.jpa.configuration.Constants.TX_RT_MAX;
|
||||
import static org.eclipse.hawkbit.repository.model.Action.ActionType.DOWNLOAD_ONLY;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
|
||||
|
||||
@@ -13,6 +13,7 @@ import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
|
||||
import org.eclipse.hawkbit.repository.model.Action;
|
||||
import org.eclipse.hawkbit.repository.model.DeploymentRequest;
|
||||
@@ -273,7 +274,7 @@ class DeploymentManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
@Test
|
||||
void deleteActionsByStatusAndLastModifiedBeforePermissionsCheck() {
|
||||
assertPermissions(() -> deploymentManagement.deleteActionsByStatusAndLastModifiedBefore(Set.of(Action.Status.CANCELED), 1L),
|
||||
List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
|
||||
List.of(SpRole.SYSTEM_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -32,6 +32,7 @@ import org.assertj.core.api.Assertions;
|
||||
import org.assertj.core.api.Condition;
|
||||
import org.awaitility.Awaitility;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.repository.Identifiable;
|
||||
import org.eclipse.hawkbit.repository.OffsetBasedPageRequest;
|
||||
import org.eclipse.hawkbit.repository.builder.RolloutCreate;
|
||||
@@ -1436,7 +1437,7 @@ class RolloutManagementTest extends AbstractJpaIntegrationTest {
|
||||
SpPermission.READ_REPOSITORY, SpPermission.READ_TARGET, SpPermission.CREATE_ROLLOUT, SpPermission.HANDLE_ROLLOUT);
|
||||
final WithUser userWithSystemRole = SecurityContextSwitch.withUser(
|
||||
"user_with_system_role",
|
||||
SpPermission.SpringEvalExpressions.SYSTEM_ROLE);
|
||||
SpRole.SYSTEM_ROLE);
|
||||
|
||||
final String filter = "controllerId==" + rolloutName + "-*";
|
||||
// create scheduled rollout fails without handle rollout permission
|
||||
|
||||
@@ -13,6 +13,8 @@ import java.util.List;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
@@ -50,7 +52,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
assertPermissions(() -> {
|
||||
systemManagement.forEachTenant(log::info);
|
||||
return null;
|
||||
}, List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
|
||||
}, List.of(SpRole.SYSTEM_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -77,7 +79,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -88,7 +90,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -96,7 +98,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
*/
|
||||
@Test
|
||||
void getTenantMetadataByTenantPermissionsCheck() {
|
||||
assertPermissions(() -> systemManagement.getTenantMetadata(1L), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
|
||||
assertPermissions(() -> systemManagement.getTenantMetadata(1L), List.of(SpRole.SYSTEM_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -104,7 +106,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
|
||||
*/
|
||||
@Test
|
||||
void createTenantMetadataPermissionsCheck() {
|
||||
assertPermissions(() -> systemManagement.createTenantMetadata("tenant"), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
|
||||
assertPermissions(() -> systemManagement.createTenantMetadata("tenant"), List.of(SpRole.SYSTEM_ROLE));
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -15,7 +15,7 @@ import java.io.ByteArrayInputStream;
|
||||
import java.util.List;
|
||||
import java.util.Random;
|
||||
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
|
||||
import org.eclipse.hawkbit.repository.model.ArtifactUpload;
|
||||
import org.eclipse.hawkbit.repository.model.DistributionSet;
|
||||
@@ -137,27 +137,27 @@ class SystemManagementTest extends AbstractJpaIntegrationTest {
|
||||
|
||||
for (int i = 0; i < tenants; i++) {
|
||||
final String tenantname = "TENANT" + i;
|
||||
SecurityContextSwitch.getAs(SecurityContextSwitch.withUserAndTenant("bumlux", tenantname, true, true, false,
|
||||
SpringEvalExpressions.SYSTEM_ROLE), () -> {
|
||||
systemManagement.getTenantMetadataWithoutDetails();
|
||||
if (artifactSize > 0) {
|
||||
createTestArtifact(random);
|
||||
createDeletedTestArtifact(random);
|
||||
}
|
||||
if (targets > 0) {
|
||||
final List<Target> createdTargets = createTestTargets(targets);
|
||||
if (updates > 0) {
|
||||
for (int x = 0; x < updates; x++) {
|
||||
final DistributionSet ds = testdataFactory
|
||||
.createDistributionSet("to be deployed" + x, true);
|
||||
|
||||
assignDistributionSet(ds, createdTargets);
|
||||
SecurityContextSwitch.getAs(SecurityContextSwitch.withUserAndTenant("bumlux", tenantname, true, true, false, SpRole.SYSTEM_ROLE),
|
||||
() -> {
|
||||
systemManagement.getTenantMetadataWithoutDetails();
|
||||
if (artifactSize > 0) {
|
||||
createTestArtifact(random);
|
||||
createDeletedTestArtifact(random);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (targets > 0) {
|
||||
final List<Target> createdTargets = createTestTargets(targets);
|
||||
if (updates > 0) {
|
||||
for (int x = 0; x < updates; x++) {
|
||||
final DistributionSet ds = testdataFactory
|
||||
.createDistributionSet("to be deployed" + x, true);
|
||||
|
||||
return null;
|
||||
});
|
||||
assignDistributionSet(ds, createdTargets);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
});
|
||||
}
|
||||
|
||||
return random;
|
||||
|
||||
@@ -17,6 +17,7 @@ import java.util.concurrent.ScheduledExecutorService;
|
||||
import java.util.concurrent.atomic.AtomicLong;
|
||||
|
||||
import org.eclipse.hawkbit.ContextAware;
|
||||
import org.eclipse.hawkbit.im.authentication.Hierarchy;
|
||||
import org.eclipse.hawkbit.repository.artifact.ArtifactFilesystemProperties;
|
||||
import org.eclipse.hawkbit.repository.artifact.ArtifactFilesystemRepository;
|
||||
import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
|
||||
@@ -24,7 +25,6 @@ import org.eclipse.hawkbit.repository.artifact.urlhandler.ArtifactUrlHandlerProp
|
||||
import org.eclipse.hawkbit.repository.artifact.urlhandler.PropertyBasedArtifactUrlHandler;
|
||||
import org.eclipse.hawkbit.cache.TenantAwareCacheManager;
|
||||
import org.eclipse.hawkbit.event.BusProtoStuffMessageConverter;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.repository.ArtifactManagement;
|
||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||
import org.eclipse.hawkbit.repository.DeploymentManagement;
|
||||
@@ -140,7 +140,7 @@ public class TestConfiguration implements AsyncConfigurer {
|
||||
|
||||
@Bean
|
||||
SystemSecurityContext systemSecurityContext(final TenantAware tenantAware) {
|
||||
return new SystemSecurityContext(tenantAware, RoleHierarchyImpl.fromHierarchy(SpRole.DEFAULT_ROLE_HIERARCHY));
|
||||
return new SystemSecurityContext(tenantAware, RoleHierarchyImpl.fromHierarchy(Hierarchy.DEFAULT));
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
||||
@@ -11,8 +11,8 @@ package org.eclipse.hawkbit.repository.test.util;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TENANT_CONFIGURATION;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpRole.SYSTEM_ROLE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
@@ -29,8 +29,6 @@ import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.commons.io.FileUtils;
|
||||
import org.awaitility.Awaitility;
|
||||
import org.awaitility.core.ConditionFactory;
|
||||
import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
|
||||
import org.eclipse.hawkbit.repository.artifact.exception.ArtifactStoreException;
|
||||
import org.eclipse.hawkbit.repository.ArtifactManagement;
|
||||
import org.eclipse.hawkbit.repository.ConfirmationManagement;
|
||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||
@@ -53,6 +51,8 @@ import org.eclipse.hawkbit.repository.TargetManagement;
|
||||
import org.eclipse.hawkbit.repository.TargetTagManagement;
|
||||
import org.eclipse.hawkbit.repository.TargetTypeManagement;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
|
||||
import org.eclipse.hawkbit.repository.artifact.exception.ArtifactStoreException;
|
||||
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
|
||||
import org.eclipse.hawkbit.repository.model.Action;
|
||||
import org.eclipse.hawkbit.repository.model.Action.ActionType;
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
package org.eclipse.hawkbit.repository.test.util;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
|
||||
import static org.eclipse.hawkbit.im.authentication.SpRole.SYSTEM_ROLE;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
|
||||
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUserAndTenant;
|
||||
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
/**
|
||||
* Copyright (c) 2025 Contributors to the Eclipse Foundation
|
||||
*
|
||||
* This program and the accompanying materials are made
|
||||
* available under the terms of the Eclipse Public License 2.0
|
||||
* which is available at https://www.eclipse.org/legal/epl-2.0/
|
||||
*
|
||||
* SPDX-License-Identifier: EPL-2.0
|
||||
*/
|
||||
package org.eclipse.hawkbit.im.authentication;
|
||||
|
||||
public class Hierarchy {
|
||||
|
||||
public static final String DEFAULT =
|
||||
SpPermission.TARGET_HIERARCHY +
|
||||
SpPermission.REPOSITORY_HIERARCHY +
|
||||
SpPermission.TENANT_CONFIGURATION_HIERARCHY +
|
||||
SpRole.DEFAULT_ROLE_HIERARCHY;
|
||||
}
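Review bot: `DEFAULT` is built by plain string concatenation, so the hierarchy is only well-formed while every fragment before the last ends with a line break, and nothing in this new file states that contract. The three `SpPermission` fragments shown later on this page do end with `LINE_BREAK`; whether `SpRole.DEFAULT_ROLE_HIERARCHY` does is not visible, which matters as soon as another fragment is appended after it. Because this string decides which authorities imply which others, I would add a Javadoc on `DEFAULT` saying each fragment must be newline-terminated, and make the holder non-instantiable with `@NoArgsConstructor(access = AccessLevel.PRIVATE)` on `public final class Hierarchy`. `Hierarchy` is in the same package as `SpPermission`, so the `*_HIERARCHY` fragments could be package-private; as `public static final String` fields they appear to pass the reflection filter in `SpPermission`'s permission listing and would be returned as if they were permissions, unless code outside the visible hunk excludes them.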
|
||||
@@ -35,11 +35,22 @@ import org.springframework.security.core.GrantedAuthority;
|
||||
@Slf4j
|
||||
public final class SpPermission {
|
||||
|
||||
/**
|
||||
* Permission to add new targets including their meta information.
|
||||
*/
|
||||
public static final String CREATE_TARGET = "CREATE_TARGET";
|
||||
/**
|
||||
* Permission to read the targets (list and filter).
|
||||
*/
|
||||
public static final String READ_TARGET = "READ_TARGET";
|
||||
|
||||
/**
|
||||
* Permission to change/edit/update targets and to assign updates.
|
||||
*/
|
||||
public static final String UPDATE_TARGET = "UPDATE_TARGET";
|
||||
/**
|
||||
* Permission to delete targets.
|
||||
*/
|
||||
public static final String DELETE_TARGET = "DELETE_TARGET";
|
||||
/**
|
||||
* Permission to read the target security token. The security token is security
|
||||
* concerned and should be protected. So the combination
|
||||
@@ -48,36 +59,28 @@ public final class SpPermission {
|
||||
*/
|
||||
public static final String READ_TARGET_SEC_TOKEN = "READ_TARGET_SECURITY_TOKEN";
|
||||
|
||||
/**
|
||||
* Permission to change/edit/update targets and to assign updates.
|
||||
*/
|
||||
public static final String UPDATE_TARGET = "UPDATE_TARGET";
|
||||
public static final String CREATE_TARGET_TYPE = "CREATE_TARGET_TYPE";
|
||||
public static final String READ_TARGET_TYPE = "READ_TARGET_TYPE";
|
||||
public static final String UPDATE_TARGET_TYPE = "UPDATE_TARGET_TYPE";
|
||||
public static final String DELETE_TARGET_TYPE = "DELETE_TARGET_TYPE";
|
||||
|
||||
/**
|
||||
* Permission to add new targets including their meta information.
|
||||
*/
|
||||
public static final String CREATE_TARGET = "CREATE_TARGET";
|
||||
|
||||
/**
|
||||
* Permission to delete targets.
|
||||
*/
|
||||
public static final String DELETE_TARGET = "DELETE_TARGET";
|
||||
public static final String CREATE_DISTRIBUTION_SET = "CREATE_DISTRIBUTION_SET";
|
||||
public static final String READ_DISTRIBUTION_SET = "READ_DISTRIBUTION_SET";
|
||||
public static final String UPDATE_DISTRIBUTION_SET = "UPDATE_DISTRIBUTION_SET";
|
||||
public static final String DELETE_DISTRIBUTION_SET = "DELETE_DISTRIBUTION_SET";
|
||||
|
||||
/**
|
||||
* Permission to read distributions and artifacts.
|
||||
*/
|
||||
public static final String READ_REPOSITORY = "READ_REPOSITORY";
|
||||
|
||||
/**
|
||||
* Permission to edit/update distributions and artifacts.
|
||||
*/
|
||||
public static final String UPDATE_REPOSITORY = "UPDATE_REPOSITORY";
|
||||
|
||||
/**
|
||||
* Permission to add distributions and artifacts.
|
||||
*/
|
||||
public static final String CREATE_REPOSITORY = "CREATE_REPOSITORY";
|
||||
|
||||
/**
|
||||
* Permission to delete distributions and artifacts.
|
||||
*/
|
||||
@@ -92,7 +95,6 @@ public final class SpPermission {
|
||||
* Permission to read the tenant settings.
|
||||
*/
|
||||
public static final String READ_TENANT_CONFIGURATION = "READ_TENANT_CONFIGURATION";
|
||||
|
||||
/**
|
||||
* Permission to read the gateway security token. The gateway security token is security
|
||||
* concerned and should be protected. So in addition to {@linkplain #READ_TENANT_CONFIGURATION},
|
||||
@@ -100,47 +102,57 @@ public final class SpPermission {
|
||||
* implies both permissions - so it is sufficient to read the gateway security token.
|
||||
*/
|
||||
public static final String READ_GATEWAY_SEC_TOKEN = "READ_GATEWAY_SECURITY_TOKEN";
|
||||
|
||||
/**
|
||||
* Permission to administrate the tenant settings.
|
||||
*/
|
||||
public static final String TENANT_CONFIGURATION = "TENANT_CONFIGURATION";
|
||||
|
||||
/**
|
||||
* Permission to read a rollout.
|
||||
*/
|
||||
public static final String READ_ROLLOUT = "READ_ROLLOUT";
|
||||
|
||||
/**
|
||||
* Permission to create a rollout.
|
||||
*/
|
||||
public static final String CREATE_ROLLOUT = "CREATE_ROLLOUT";
|
||||
|
||||
/**
|
||||
* Permission to read a rollout.
|
||||
*/
|
||||
public static final String READ_ROLLOUT = "READ_ROLLOUT";
|
||||
/**
|
||||
* Permission to update a rollout.
|
||||
*/
|
||||
public static final String UPDATE_ROLLOUT = "UPDATE_ROLLOUT";
|
||||
|
||||
/**
|
||||
* Permission to delete a rollout.
|
||||
*/
|
||||
public static final String DELETE_ROLLOUT = "DELETE_ROLLOUT";
|
||||
|
||||
/**
|
||||
* Permission to approve or deny a rollout prior to starting.
|
||||
*/
|
||||
public static final String APPROVE_ROLLOUT = "APPROVE_ROLLOUT";
|
||||
/**
|
||||
* Permission to start/stop/resume a rollout.
|
||||
*/
|
||||
public static final String HANDLE_ROLLOUT = "HANDLE_ROLLOUT";
|
||||
|
||||
/**
|
||||
* Permission to approve or deny a rollout prior to starting.
|
||||
*/
|
||||
public static final String APPROVE_ROLLOUT = "APPROVE_ROLLOUT";
|
||||
|
||||
/**
|
||||
* Permission to administrate the system on a global, i.e. tenant independent scale. That includes the deletion of tenants.
|
||||
*/
|
||||
public static final String SYSTEM_ADMIN = "SYSTEM_ADMIN";
|
||||
|
||||
private static final String IMPLIES = " > ";
|
||||
private static final String LINE_BREAK = "\n";
|
||||
public static final String TARGET_HIERARCHY =
|
||||
CREATE_TARGET + IMPLIES + CREATE_TARGET_TYPE + LINE_BREAK +
|
||||
READ_TARGET + IMPLIES + READ_TARGET_TYPE + LINE_BREAK +
|
||||
UPDATE_TARGET + IMPLIES + UPDATE_TARGET_TYPE + LINE_BREAK +
|
||||
DELETE_TARGET + IMPLIES + DELETE_TARGET_TYPE + LINE_BREAK;
|
||||
public static final String REPOSITORY_HIERARCHY =
|
||||
CREATE_REPOSITORY + IMPLIES + CREATE_DISTRIBUTION_SET + LINE_BREAK +
|
||||
READ_REPOSITORY + IMPLIES + READ_DISTRIBUTION_SET + LINE_BREAK +
|
||||
UPDATE_REPOSITORY + IMPLIES + UPDATE_DISTRIBUTION_SET + LINE_BREAK +
|
||||
DELETE_REPOSITORY + IMPLIES + DELETE_DISTRIBUTION_SET + LINE_BREAK;
|
||||
public static final String TENANT_CONFIGURATION_HIERARCHY =
|
||||
TENANT_CONFIGURATION + IMPLIES + READ_TENANT_CONFIGURATION + LINE_BREAK +
|
||||
TENANT_CONFIGURATION + IMPLIES + READ_GATEWAY_SEC_TOKEN + LINE_BREAK;
|
||||
|
||||
/**
|
||||
* Return all permission.
|
||||
*
|
||||
@@ -150,7 +162,8 @@ public final class SpPermission {
|
||||
final List<String> allPermissions = new ArrayList<>();
|
||||
final Field[] declaredFields = SpPermission.class.getDeclaredFields();
|
||||
for (final Field field : declaredFields) {
|
||||
if (Modifier.isPublic(field.getModifiers()) && Modifier.isStatic(field.getModifiers())) {
|
||||
if (Modifier.isPublic(field.getModifiers()) && Modifier.isStatic(field.getModifiers()) && Modifier.isFinal(field.getModifiers()) &&
|
||||
String.class.equals(field.getType())) {
|
||||
try {
|
||||
final String role = (String) field.get(null);
|
||||
allPermissions.add(role);
|
||||
@@ -161,82 +174,4 @@ public final class SpPermission {
|
||||
}
|
||||
return allPermissions;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Contains all the spring security evaluation expressions for the {@link PreAuthorize} annotation for method security.
|
||||
* </p>
|
||||
* <p>
|
||||
* Examples:
|
||||
* {@code
|
||||
* hasRole([role]) Returns true if the current principal has the specified role.
|
||||
* hasAnyRole([role1,role2]) Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings)
|
||||
* principal Allows direct access to the principal object representing the current user
|
||||
* authentication Allows direct access to the current Authentication object obtained from the SecurityContext
|
||||
* permitAll Always evaluates to true
|
||||
* denyAll Always evaluates to false
|
||||
* isAnonymous() Returns true if the current principal is an anonymous user
|
||||
* isRememberMe() Returns true if the current principal is a remember-me user
|
||||
* isAuthenticated() Returns true if the user is not anonymous
|
||||
* isFullyAuthenticated() Returns true if the user is not an anonymous or a remember-me user
|
||||
* }
|
||||
* </p>
|
||||
*/
|
||||
@NoArgsConstructor(access = AccessLevel.PRIVATE)
|
||||
public static final class SpringEvalExpressions {
|
||||
|
||||
public static final String BRACKET_OPEN = "(";
|
||||
public static final String BRACKET_CLOSE = ")";
|
||||
public static final String HAS_AUTH_PREFIX = "hasAuthority" + BRACKET_OPEN + "'";
|
||||
public static final String HAS_AUTH_SUFFIX = "'" + BRACKET_CLOSE;
|
||||
public static final String HAS_AUTH_AND = " and ";
|
||||
public static final String HAS_AUTH_OR = " or ";
|
||||
|
||||
/**
|
||||
* The role which contains the spring security context in case the system is executing code which is necessary to be privileged.
|
||||
*/
|
||||
public static final String SYSTEM_ROLE = "ROLE_SYSTEM_CODE";
|
||||
|
||||
/**
|
||||
* The role which contains in the spring security context in case ancontroller is authenticated.
|
||||
*/
|
||||
public static final String CONTROLLER_ROLE = "ROLE_CONTROLLER";
|
||||
/**
|
||||
* The role which contained in the spring security context in case that a controller is authenticated, but only as 'anonymous'.
|
||||
*/
|
||||
public static final String CONTROLLER_ROLE_ANONYMOUS = "ROLE_CONTROLLER_ANONYMOUS";
|
||||
|
||||
public static final String IS_SYSTEM_CODE = HAS_AUTH_PREFIX + SYSTEM_ROLE + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String HAS_AUTH_UPDATE_TARGET = HAS_AUTH_PREFIX + UPDATE_TARGET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_SYSTEM_ADMIN = HAS_AUTH_PREFIX + SYSTEM_ADMIN + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_TARGET = HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_CREATE_TARGET = HAS_AUTH_PREFIX + CREATE_TARGET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_DELETE_TARGET = HAS_AUTH_PREFIX + DELETE_TARGET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX
|
||||
+ READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + UPDATE_TARGET + HAS_AUTH_SUFFIX
|
||||
+ BRACKET_CLOSE;
|
||||
public static final String HAS_AUTH_CREATE_REPOSITORY = HAS_AUTH_PREFIX + CREATE_REPOSITORY + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_DELETE_REPOSITORY = HAS_AUTH_PREFIX + DELETE_REPOSITORY + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_REPOSITORY = HAS_AUTH_PREFIX + READ_REPOSITORY + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_UPDATE_REPOSITORY = HAS_AUTH_PREFIX + UPDATE_REPOSITORY + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX
|
||||
+ READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX
|
||||
+ BRACKET_CLOSE;
|
||||
public static final String HAS_AUTH_DOWNLOAD_ARTIFACT = HAS_AUTH_PREFIX + DOWNLOAD_REPOSITORY_ARTIFACT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ = HAS_AUTH_PREFIX + READ_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ = BRACKET_OPEN + HAS_AUTH_PREFIX
|
||||
+ READ_ROLLOUT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX
|
||||
+ BRACKET_CLOSE;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE = HAS_AUTH_PREFIX + CREATE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE = HAS_AUTH_PREFIX + HANDLE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_APPROVE = HAS_AUTH_PREFIX + APPROVE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_UPDATE = HAS_AUTH_PREFIX + UPDATE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_DELETE = HAS_AUTH_PREFIX + DELETE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_TENANT_CONFIGURATION_READ = HAS_AUTH_PREFIX + READ_TENANT_CONFIGURATION + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_TENANT_CONFIGURATION = HAS_AUTH_PREFIX + TENANT_CONFIGURATION + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String IS_CONTROLLER = "hasAnyRole('" + CONTROLLER_ROLE_ANONYMOUS + "', '" + CONTROLLER_ROLE + "')";
|
||||
public static final String IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = IS_CONTROLLER + HAS_AUTH_OR + HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET;
|
||||
}
|
||||
}
|
||||
@@ -9,8 +9,6 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.im.authentication;
|
||||
|
||||
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
|
||||
|
||||
import lombok.AccessLevel;
|
||||
import lombok.NoArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
@@ -27,6 +25,11 @@ public final class SpRole {
|
||||
public static final String ROLLOUT_ADMIN = "ROLE_ROLLOUT_ADMIN";
|
||||
public static final String TENANT_ADMIN = "ROLE_TENANT_ADMIN";
|
||||
|
||||
/**
|
||||
* The role which contains the spring security context in case the system is executing code which is necessary to be privileged.
|
||||
*/
|
||||
public static final String SYSTEM_ROLE = "ROLE_SYSTEM_CODE";
|
||||
|
||||
private static final String IMPLIES = " > ";
|
||||
private static final String LINE_BREAK = "\n";
|
||||
public static final String TARGET_ADMIN_HIERARCHY =
|
||||
@@ -48,9 +51,6 @@ public final class SpRole {
|
||||
ROLLOUT_ADMIN + IMPLIES + SpPermission.DELETE_ROLLOUT + LINE_BREAK +
|
||||
ROLLOUT_ADMIN + IMPLIES + SpPermission.HANDLE_ROLLOUT + LINE_BREAK +
|
||||
ROLLOUT_ADMIN + IMPLIES + SpPermission.APPROVE_ROLLOUT + LINE_BREAK;
|
||||
public static final String TENANT_CONFIGURATION_HIERARCHY =
|
||||
SpPermission.TENANT_CONFIGURATION + IMPLIES + SpPermission.READ_TENANT_CONFIGURATION + LINE_BREAK +
|
||||
SpPermission.TENANT_CONFIGURATION + IMPLIES + SpPermission.READ_GATEWAY_SEC_TOKEN + LINE_BREAK;
|
||||
public static final String TENANT_ADMIN_HIERARCHY =
|
||||
TENANT_ADMIN + IMPLIES + TARGET_ADMIN + LINE_BREAK +
|
||||
TENANT_ADMIN + IMPLIES + REPOSITORY_ADMIN + LINE_BREAK +
|
||||
@@ -64,7 +64,6 @@ public final class SpRole {
|
||||
TARGET_ADMIN_HIERARCHY +
|
||||
REPOSITORY_ADMIN_HIERARCHY +
|
||||
ROLLOUT_ADMIN_HIERARCHY +
|
||||
TENANT_CONFIGURATION_HIERARCHY +
|
||||
TENANT_ADMIN_HIERARCHY +
|
||||
SYSTEM_ROLE_HIERARCHY;
|
||||
}
|
||||
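Review bot: Nothing in this file now makes `SpPermission.TENANT_CONFIGURATION` imply `READ_TENANT_CONFIGURATION` or `READ_GATEWAY_SEC_TOKEN`, because `TENANT_CONFIGURATION_HIERARCHY` is gone from both its definition (the `-48,9` hunk) and the combined hierarchy string (the `-64,7` hunk). Whether those two rules are re-established elsewhere, for example in `SpPermission`, is not visible in this section; if they are not, holders of `TENANT_CONFIGURATION` silently lose read access they had before, so a hierarchy test should pin both implications. A comment at the combined constant such as `// permission-to-permission implications now live in <PLACEHOLDER: owning class>` would tell the next reader where they went. Separately, the new `SYSTEM_ROLE` now sits beside assignable roles like `TENANT_ADMIN`; its Javadoc could state that it is set only by system code and is not meant to be granted to users.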
@@ -0,0 +1,99 @@
|
||||
/**
|
||||
* Copyright (c) 2025 Contributors to the Eclipse Foundation
|
||||
*
|
||||
* This program and the accompanying materials are made
|
||||
* available under the terms of the Eclipse Public License 2.0
|
||||
* which is available at https://www.eclipse.org/legal/epl-2.0/
|
||||
*
|
||||
* SPDX-License-Identifier: EPL-2.0
|
||||
*/
|
||||
package org.eclipse.hawkbit.im.authentication;
|
||||
|
||||
import lombok.AccessLevel;
|
||||
import lombok.NoArgsConstructor;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Contains all the spring security evaluation expressions for the {@link PreAuthorize} annotation for method security.
|
||||
* </p>
|
||||
* <p>
|
||||
* Examples:
|
||||
* {@code
|
||||
* hasRole([role]) Returns true if the current principal has the specified role.
|
||||
* hasAnyRole([role1,role2]) Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings)
|
||||
* principal Allows direct access to the principal object representing the current user
|
||||
* authentication Allows direct access to the current Authentication object obtained from the SecurityContext
|
||||
* permitAll Always evaluates to true
|
||||
* denyAll Always evaluates to false
|
||||
* isAnonymous() Returns true if the current principal is an anonymous user
|
||||
* isRememberMe() Returns true if the current principal is a remember-me user
|
||||
* isAuthenticated() Returns true if the user is not anonymous
|
||||
* isFullyAuthenticated() Returns true if the user is not an anonymous or a remember-me user
|
||||
* }
|
||||
* </p>
|
||||
*/
|
||||
@NoArgsConstructor(access = AccessLevel.PRIVATE)
|
||||
public final class SpringEvalExpressions {
|
||||
|
||||
public static final String BRACKET_OPEN = "(";
|
||||
public static final String BRACKET_CLOSE = ")";
|
||||
public static final String HAS_AUTH_PREFIX = "hasAuthority" + BRACKET_OPEN + "'";
|
||||
public static final String HAS_AUTH_SUFFIX = "'" + BRACKET_CLOSE;
|
||||
public static final String HAS_AUTH_AND = " and ";
|
||||
public static final String HAS_AUTH_OR = " or ";
|
||||
|
||||
/**
|
||||
* The role which contains in the spring security context in case ancontroller is authenticated.
|
||||
*/
|
||||
public static final String CONTROLLER_ROLE = "ROLE_CONTROLLER";
|
||||
/**
|
||||
* The role which contained in the spring security context in case that a controller is authenticated, but only as 'anonymous'.
|
||||
*/
|
||||
public static final String CONTROLLER_ROLE_ANONYMOUS = "ROLE_CONTROLLER_ANONYMOUS";
|
||||
|
||||
public static final String IS_SYSTEM_CODE = HAS_AUTH_PREFIX + SpRole.SYSTEM_ROLE + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String HAS_AUTH_SYSTEM_ADMIN = HAS_AUTH_PREFIX + SpPermission.SYSTEM_ADMIN + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String HAS_AUTH_CREATE_TARGET = HAS_AUTH_PREFIX + SpPermission.CREATE_TARGET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_UPDATE_TARGET = HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_TARGET = HAS_AUTH_PREFIX + SpPermission.READ_TARGET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_DELETE_TARGET = HAS_AUTH_PREFIX + SpPermission.DELETE_TARGET + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String HAS_AUTH_CREATE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.CREATE_TARGET_TYPE + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_UPDATE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET_TYPE + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.READ_TARGET_TYPE + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_DELETE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.DELETE_TARGET_TYPE + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String HAS_AUTH_CREATE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.CREATE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_UPDATE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.UPDATE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_DELETE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.DELETE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String HAS_AUTH_CREATE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.CREATE_REPOSITORY + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.READ_REPOSITORY + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_UPDATE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.UPDATE_REPOSITORY + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_DELETE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.DELETE_REPOSITORY + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_DOWNLOAD_ARTIFACT = HAS_AUTH_PREFIX + SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX
|
||||
+ SpPermission.READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET + HAS_AUTH_SUFFIX
|
||||
+ BRACKET_CLOSE;
|
||||
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE = HAS_AUTH_PREFIX + SpPermission.CREATE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ = HAS_AUTH_PREFIX + SpPermission.READ_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_UPDATE = HAS_AUTH_PREFIX + SpPermission.UPDATE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_DELETE = HAS_AUTH_PREFIX + SpPermission.DELETE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_APPROVE = HAS_AUTH_PREFIX + SpPermission.APPROVE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE = HAS_AUTH_PREFIX + SpPermission.HANDLE_ROLLOUT + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ = BRACKET_OPEN + HAS_AUTH_PREFIX
|
||||
+ SpPermission.READ_ROLLOUT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + SpPermission.READ_TARGET + HAS_AUTH_SUFFIX
|
||||
+ BRACKET_CLOSE;
|
||||
|
||||
public static final String HAS_AUTH_TENANT_CONFIGURATION_READ = HAS_AUTH_PREFIX + SpPermission.READ_TENANT_CONFIGURATION + HAS_AUTH_SUFFIX;
|
||||
public static final String HAS_AUTH_TENANT_CONFIGURATION = HAS_AUTH_PREFIX + SpPermission.TENANT_CONFIGURATION + HAS_AUTH_SUFFIX;
|
||||
|
||||
public static final String IS_CONTROLLER = "hasAnyRole('" + CONTROLLER_ROLE_ANONYMOUS + "', '" + CONTROLLER_ROLE + "')";
|
||||
public static final String IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = IS_CONTROLLER + HAS_AUTH_OR + HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET;
|
||||
}
|
||||
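Review bot: `IS_CONTROLLER` and `IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET` carry no Javadoc, and nothing tells a reader that both also admit `ROLE_CONTROLLER_ANONYMOUS`, i.e. controllers authenticated only as 'anonymous'. I would add above `IS_CONTROLLER`: `/** True for authenticated and for anonymous controllers; do not use alone where the controller identity must be verified. */`. The Javadoc carried over for `CONTROLLER_ROLE` still has the typo `ancontroller` and would read better as `The role held in the Spring security context when a controller is authenticated.`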
@@ -19,7 +19,7 @@ import java.util.function.Function;
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.eclipse.hawkbit.ContextAware;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAwareUser;
|
||||
@@ -42,8 +42,7 @@ public class SecurityContextTenantAware implements ContextAware {
|
||||
|
||||
public static final String SYSTEM_USER = "system";
|
||||
|
||||
private static final Collection<? extends GrantedAuthority> SYSTEM_AUTHORITIES =
|
||||
List.of(new SimpleGrantedAuthority(SpringEvalExpressions.SYSTEM_ROLE));
|
||||
private static final Collection<? extends GrantedAuthority> SYSTEM_AUTHORITIES = List.of(new SimpleGrantedAuthority(SpRole.SYSTEM_ROLE));
|
||||
|
||||
private final UserAuthoritiesResolver authoritiesResolver;
|
||||
private final SecurityContextSerializer securityContextSerializer;
|
||||
|
||||
@@ -18,8 +18,10 @@ import java.util.concurrent.Callable;
|
||||
import jakarta.validation.constraints.NotEmpty;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
|
||||
import lombok.Getter;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
|
||||
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
|
||||
@@ -161,19 +163,25 @@ public class SystemSecurityContext {
|
||||
|
||||
/**
|
||||
* An implementation of the Spring's {@link Authentication} object which is used within a system security code block and
|
||||
* wraps the original authentication object. The wrapped object contains the necessary {@link SpringEvalExpressions#SYSTEM_ROLE}
|
||||
* wraps the original authentication object. The wrapped object contains the necessary {@link SpRole#SYSTEM_ROLE}
|
||||
* which is allowed to execute all secured methods.
|
||||
*/
|
||||
@Getter
|
||||
public static final class SystemCodeAuthentication implements Authentication {
|
||||
|
||||
@Serial
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
private static final List<SimpleGrantedAuthority> AUTHORITIES = List.of(new SimpleGrantedAuthority(SpringEvalExpressions.SYSTEM_ROLE));
|
||||
private final Authentication oldAuthentication;
|
||||
private static final List<SimpleGrantedAuthority> AUTHORITIES = List.of(new SimpleGrantedAuthority(SpRole.SYSTEM_ROLE));
|
||||
|
||||
private final Object credentials;
|
||||
private final Object details;
|
||||
private final Object principal;
|
||||
|
||||
private SystemCodeAuthentication(final Authentication oldAuthentication) {
|
||||
this.oldAuthentication = oldAuthentication;
|
||||
credentials = oldAuthentication != null ? oldAuthentication.getCredentials() : null;
|
||||
details = oldAuthentication != null ? oldAuthentication.getDetails() : null;
|
||||
principal = oldAuthentication != null ? oldAuthentication.getPrincipal() : null;
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -186,21 +194,6 @@ public class SystemSecurityContext {
|
||||
return AUTHORITIES;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getCredentials() {
|
||||
return oldAuthentication != null ? oldAuthentication.getCredentials() : null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getDetails() {
|
||||
return oldAuthentication != null ? oldAuthentication.getDetails() : null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getPrincipal() {
|
||||
return oldAuthentication != null ? oldAuthentication.getPrincipal() : null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isAuthenticated() {
|
||||
return true;
|
||||
|
||||
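Review bot: The serialized form of `SystemCodeAuthentication` changes (the `oldAuthentication` field is replaced by `credentials`, `details` and `principal`) while `serialVersionUID` stays `1L`, so a stream written by the previous version would deserialize without error into a token that holds `SpRole.SYSTEM_ROLE` but has null principal and details. If these tokens are ever persisted or passed between nodes, which this page does not show, changing the line to `private static final long serialVersionUID = 2L;` makes old streams fail instead of yielding a half-empty privileged token. The constructor also keeps its own reference to the caller's credentials for the lifetime of the system token, where the removed getters read them from the wrapped object on each call; a short comment on why system code needs them, or dropping the copy if it does not, would help. The class body continues outside the hunks.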
@@ -1,49 +0,0 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
|
||||
*
|
||||
* This program and the accompanying materials are made
|
||||
* available under the terms of the Eclipse Public License 2.0
|
||||
* which is available at https://www.eclipse.org/legal/epl-2.0/
|
||||
*
|
||||
* SPDX-License-Identifier: EPL-2.0
|
||||
*/
|
||||
package org.eclipse.hawkbit.im.authentication;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
|
||||
/**
|
||||
* Test {@link SpPermission}.
|
||||
* <p/>
|
||||
* Feature: Unit Tests - Security<br/>
|
||||
* Story: Permission Test
|
||||
*/
|
||||
final class SpPermissionTest {
|
||||
|
||||
/**
|
||||
* Try to double check if all permissions works as expected
|
||||
*/
|
||||
@Test
|
||||
void shouldReturnAllPermissions() {
|
||||
List<String> expected = new LinkedList<>();
|
||||
ReflectionUtils.doWithFields(SpPermission.class, f -> {
|
||||
if (ReflectionUtils.isPublicStaticFinal(f) && String.class.equals(f.getType())) {
|
||||
try {
|
||||
expected.add((String) f.get(null));
|
||||
} catch (IllegalAccessException | IllegalArgumentException e) {
|
||||
// skip
|
||||
}
|
||||
}
|
||||
});
|
||||
final Collection<String> allAuthorities = SpPermission.getAllAuthorities();
|
||||
assertThat(allAuthorities)
|
||||
.hasSize(20)
|
||||
.containsAll(expected);
|
||||
}
|
||||
}
|
||||