Add distribution set and target type fine grained permissions (#2545)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
Avgustin Marinov
2025-07-14 14:52:36 +03:00
committed by GitHub
parent c3fdd9fcc8
commit e7373275bf
53 changed files with 506 additions and 476 deletions


@@ -10,7 +10,7 @@
package org.eclipse.hawkbit.ddi.rest.resource;
import static org.assertj.core.api.Assertions.assertThat;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
import static org.eclipse.hawkbit.im.authentication.SpPermission.TENANT_CONFIGURATION;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.callAs;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.getAs;


@@ -14,7 +14,7 @@ import java.util.List;
import java.util.Objects;
import lombok.EqualsAndHashCode;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.security.SystemSecurityContext;
import org.eclipse.hawkbit.tenancy.TenantAware;
@@ -77,7 +77,7 @@ public interface Authenticator {
private static class AuthenticatedController extends AbstractAuthenticationToken {
private static final Collection<GrantedAuthority> CONTROLLER_AUTHORITY =
List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE));
private final String controllerId;
AuthenticatedController(final String tenant, final String controllerId) {


@@ -13,6 +13,7 @@ import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.test.util.WithUser;
import org.junit.jupiter.api.Test;
import org.springframework.http.HttpStatus;
@@ -39,7 +40,7 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
* Tests whether request succeed if a role is granted for the user
*/
@Test
@WithUser(authorities = { SpPermission.SpringEvalExpressions.CONTROLLER_ROLE }, autoCreateTenant = false)
@WithUser(authorities = { SpringEvalExpressions.CONTROLLER_ROLE }, autoCreateTenant = false)
void successIfHasRole() throws Exception {
mvc.perform(get("/DEFAULT/controller/v1/controllerId"))
.andExpect(result -> assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value()));


@@ -36,7 +36,7 @@ import org.eclipse.hawkbit.dmf.json.model.DmfAttributeUpdate;
import org.eclipse.hawkbit.dmf.json.model.DmfAutoConfirmation;
import org.eclipse.hawkbit.dmf.json.model.DmfCreateThing;
import org.eclipse.hawkbit.dmf.json.model.DmfUpdateMode;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.ConfirmationManagement;
import org.eclipse.hawkbit.repository.ControllerManagement;
import org.eclipse.hawkbit.repository.EntityFactory;


@@ -14,7 +14,7 @@ import java.util.Collections;
import java.util.Objects;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemCache;
import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemStatisticsRest;
import org.eclipse.hawkbit.mgmt.json.model.systemmanagement.MgmtSystemTenantServiceUsage;


@@ -69,7 +69,9 @@ class MgmtTargetTypeResourceTest extends AbstractManagementApiIntegrationTest {
* GET targettypes returns Forbidden when permission is missing
*/
@Test
@WithUser(principal = "targetTypeTester", allSpPermissions = true, removeFromAllPermission = { SpPermission.READ_TARGET })
@WithUser(
principal = "targetTypeTester", allSpPermissions = true,
removeFromAllPermission = { SpPermission.READ_TARGET, SpPermission.READ_TARGET_TYPE })
void getTargetTypesWithoutPermission() throws Exception {
mvc.perform(get(TARGETTYPES_ENDPOINT).accept(MediaType.APPLICATION_JSON))
.andDo(MockMvcResultPrinter.print())
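Review bot: The negative test's `removeFromAllPermission` now strips both `SpPermission.READ_TARGET` and `SpPermission.READ_TARGET_TYPE`, so it only proves that a principal lacking both gets Forbidden; it no longer pins which of the two permissions actually gates GET targettypes. If READ_TARGET_TYPE is meant to be the new gate, a sibling test that removes only READ_TARGET_TYPE and still expects 403 would catch a regression where the endpoint silently falls back to READ_TARGET, and a positive test granting only READ_TARGET_TYPE would confirm the fine-grained permission is sufficient on its own. Whether READ_TARGET implies READ_TARGET_TYPE through a permission hierarchy is not visible in this diff, so the expected outcome of those extra tests depends on that mapping and should be stated in a comment on the annotation. The test method body continues past the hunk.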


@@ -52,7 +52,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
* Tests whether request returns distribution set if a role with scope is granted for the user
*/
@Test
@WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne" }, autoCreateTenant = false)
@WithUser(authorities = {
SpPermission.CREATE_REPOSITORY,
SpPermission.READ_REPOSITORY,
SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne" }, autoCreateTenant = false)
void successIfHasRoleWithScope() throws Exception {
createDsOne("successIfHasRoleWithScope");
mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> {
@@ -65,7 +68,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
* Tests whether request doesn't return distribution set if a role with scope doesn't grant access
*/
@Test
@WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne2" }, autoCreateTenant = false)
@WithUser(authorities = {
SpPermission.CREATE_REPOSITORY,
SpPermission.READ_REPOSITORY,
SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2" }, autoCreateTenant = false)
void failIfHasNoForbiddingScope() throws Exception {
createDsOne("failIfHasNoForbiddingScope");
mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> {
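Review bot: Both `successIfHasRoleWithScope` and `failIfHasNoForbiddingScope` now grant an unscoped `SpPermission.READ_REPOSITORY` next to the scoped `SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne"`, and nothing in the test records why the unscoped permission is still needed. If READ_REPOSITORY were ever made to imply unscoped distribution-set read, `failIfHasNoForbiddingScope` would start returning DsOne and the scope check would be bypassed without this test noticing, because the grant is present in the "must not see it" case too. Presumably READ_REPOSITORY is required by something in `createDsOne` (type or software-module lookup), but that is not visible here; a comment such as `// READ_REPOSITORY only covers the type/module lookup in createDsOne; DS visibility is governed solely by the scoped READ_DISTRIBUTION_SET` would record the intent, and if the unscoped grant is not actually required it should be dropped so the tests exercise the fine-grained permission alone. Both test methods continue past the hunk.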


@@ -52,7 +52,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
* Tests whether request returns distribution set if a role with scope is granted for the user
*/
@Test
@WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne" }, autoCreateTenant = false)
@WithUser(authorities = {
SpPermission.CREATE_REPOSITORY,
SpPermission.READ_REPOSITORY,
SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne" }, autoCreateTenant = false)
void successIfHasRoleWithScope() throws Exception {
createDsOne("successIfHasRoleWithScope");
mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> {
@@ -65,7 +68,10 @@ class PreAuthorizeEnabledTest extends AbstractSecurityTest {
* Tests whether request doesn't return distribution set if a role with scope doesn't grant access
*/
@Test
@WithUser(authorities = { SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY + "/name==DsOne2" }, autoCreateTenant = false)
@WithUser(authorities = {
SpPermission.CREATE_REPOSITORY,
SpPermission.READ_REPOSITORY,
SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2" }, autoCreateTenant = false)
void failIfHasNoForbiddingScope() throws Exception {
createDsOne("failIfHasNoForbiddingScope");
mvc.perform(get("/rest/v1/distributionsets")).andExpect(result -> {
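Review bot: This hunk is line-for-line identical to the other `PreAuthorizeEnabledTest` change in the same commit, so the scope tests now exist in two copies that will have to be kept in step by hand whenever the permission model moves again; if the two modules cannot share a base test, a short comment pointing at the twin (e.g. `// keep in sync with the PreAuthorizeEnabledTest in the other module`) is the minimum. The same caveat applies here as there: the unscoped `SpPermission.READ_REPOSITORY` is granted in the negative case as well, so the assertion that DsOne is not returned only holds as long as READ_REPOSITORY does not imply an unscoped distribution-set read, which the diff does not show. Both test methods continue past the hunk.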


@@ -17,7 +17,7 @@ import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.repository.artifact.model.DbArtifact;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.exception.ArtifactDeleteFailedException;
import org.eclipse.hawkbit.repository.exception.ArtifactUploadFailedException;
import org.eclipse.hawkbit.repository.exception.EntityAlreadyExistsException;


@@ -15,7 +15,7 @@ import java.util.Optional;
import jakarta.validation.constraints.NotEmpty;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.model.Action;
import org.eclipse.hawkbit.repository.model.AutoConfirmationStatus;
import org.eclipse.hawkbit.tenancy.TenantAware;
@@ -34,7 +34,7 @@ public interface ConfirmationManagement {
* @param remark optional field to set a remark
* @return the persisted {@link AutoConfirmationStatus}
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
AutoConfirmationStatus activateAutoConfirmation(@NotEmpty String controllerId, final String initiator, final String remark);
/**
@@ -44,7 +44,7 @@ public interface ConfirmationManagement {
* @param code optional value to specify a code for the created action status
* @param messages optional value to specify message for the created action status
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
Action confirmAction(long actionId, Integer code, Collection<String> messages);
/**
@@ -54,7 +54,7 @@ public interface ConfirmationManagement {
* @param code optional value to specify a code for the created action status
* @param messages optional value to specify message for the created action status
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
Action denyAction(long actionId, Integer code, Collection<String> messages);
/**
@@ -62,7 +62,7 @@ public interface ConfirmationManagement {
*
* @param controllerId to disable auto confirmation for
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
void deactivateAutoConfirmation(@NotEmpty String controllerId);
/**
@@ -71,8 +71,8 @@ public interface ConfirmationManagement {
* @param controllerId to check the state for
* @return instance of {@link AutoConfirmationStatus} wrapped in an {@link Optional}. Present if active and empty if disabled.
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.IS_CONTROLLER + SpPermission.SpringEvalExpressions.HAS_AUTH_OR +
SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(SpringEvalExpressions.IS_CONTROLLER + SpringEvalExpressions.HAS_AUTH_OR +
SpringEvalExpressions.HAS_AUTH_READ_TARGET)
Optional<AutoConfirmationStatus> getStatus(@NotEmpty String controllerId);
/**
@@ -81,6 +81,6 @@ public interface ConfirmationManagement {
* @param controllerId of the target to check
* @return a list of {@link Action}
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
List<Action> findActiveActionsWaitingConfirmation(@NotEmpty String controllerId);
}
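Review bot: `activateAutoConfirmation`, `confirmAction`, `denyAction` and `deactivateAutoConfirmation` are still guarded by `IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET`, i.e. the coarse READ_REPOSITORY, while the same commit moves TargetManagement's distribution-set lookups to READ_DISTRIBUTION_SET (its new `HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET`); only the import was touched here. Unless READ_REPOSITORY is expanded onto the new fine-grained permissions somewhere not shown in this diff, a principal granted only READ_DISTRIBUTION_SET plus UPDATE_TARGET under the new model is rejected by these methods, while one holding the legacy READ_REPOSITORY keeps confirming or denying actions for distribution sets it may no longer be allowed to read. If repository-wide read is deliberately kept as the gate for confirmations, a Javadoc note on the interface saying so and why would stop the next fine-grained pass from changing it by accident; otherwise an `IS_CONTROLLER_OR_HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET` expression built the same way as the TargetManagement one is the consistent choice.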


@@ -20,7 +20,7 @@ import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.ActionStatusCreate;
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException;


@@ -19,7 +19,7 @@ import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.event.remote.TargetAssignDistributionSetEvent;
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException;


@@ -9,6 +9,9 @@
*/
package org.eclipse.hawkbit.repository;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_DISTRIBUTION_SET;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_DISTRIBUTION_SET;
import java.util.Collection;
import java.util.List;
import java.util.Map;
@@ -17,7 +20,7 @@ import java.util.Optional;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.DistributionSetCreate;
import org.eclipse.hawkbit.repository.builder.DistributionSetUpdate;
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
@@ -51,7 +54,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param id to look for.
* @return {@link DistributionSet}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Optional<DistributionSet> getWithDetails(long id);
/**
@@ -61,7 +64,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @return the found valid {@link DistributionSet}
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
DistributionSet getOrElseThrowException(long id);
/**
@@ -69,7 +72,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
*
* @param distributionSet the ID of the {@link DistributionSet} to be set to invalid
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
void invalidate(DistributionSet distributionSet);
/**
@@ -85,7 +88,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @throws AssignmentQuotaExceededException if the maximum number of {@link SoftwareModule}s is exceeded for the addressed
* {@link DistributionSet}.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
DistributionSet assignSoftwareModules(long id, @NotEmpty Collection<Long> moduleIds);
/**
@@ -97,7 +100,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @throws EntityNotFoundException if given module or DS does not exist
* @throws EntityReadOnlyException if use tries to change the {@link DistributionSet} s while the DS is already in use.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
DistributionSet unassignSoftwareModule(long id, long moduleId);
/**
@@ -108,7 +111,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @return list of assigned ds
* @throws EntityNotFoundException if tag with given ID does not exist or (at least one) of the distribution sets.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
List<DistributionSet> assignTag(@NotEmpty Collection<Long> ids, long tagId);
/**
@@ -119,7 +122,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @return list of assigned ds
* @throws EntityNotFoundException if tag with given ID does not exist or (at least one) of the distribution sets.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
List<DistributionSet> unassignTag(@NotEmpty Collection<Long> ids, long tagId);
/**
@@ -131,7 +134,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @throws EntityAlreadyExistsException in case one of the meta-data entry already exists for the specific key
* @throws AssignmentQuotaExceededException if the maximum number of meta-data entries is exceeded for the addressed {@link DistributionSet}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
void createMetadata(long id, @NotEmpty Map<String, String> metadata);
/**
@@ -141,7 +144,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @return a paged result of all meta-data entries for a given distribution set id
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Map<String, String> getMetadata(long id);
/**
@@ -152,7 +155,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param value meta data-entry to be new value
* @throws EntityNotFoundException in case the meta-data entry does not exist and cannot be updated
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
void updateMetadata(long id, @NotNull String key, @NotNull String value);
/**
@@ -162,7 +165,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param key of the meta-data element
* @throws EntityNotFoundException if given set does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
void deleteMetadata(long id, @NotEmpty String key);
/**
@@ -171,7 +174,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param id the distribution set id
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
void lock(final long id);
/**
@@ -182,7 +185,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param id the distribution set id
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_DISTRIBUTION_SET)
void unlock(final long id);
/**
@@ -193,7 +196,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @throws EntityNotFoundException if distribution set with given ID does not exist
* @throws InvalidDistributionSetException if distribution set with given ID is invalidated
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
DistributionSet getValid(long id);
/**
@@ -205,7 +208,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @throws InvalidDistributionSetException if distribution set with given ID is invalidated
* @throws IncompleteDistributionSetException if distribution set with given ID is incomplete
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
DistributionSet getValidAndComplete(long id);
/**
@@ -215,7 +218,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @return the distribution set which is associated with the action
* @throws EntityNotFoundException if action with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Optional<DistributionSet> findByAction(long actionId);
/**
@@ -225,7 +228,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param version version of {@link DistributionSet}
* @return the page with the found {@link DistributionSet}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Optional<DistributionSet> findByNameAndVersion(@NotEmpty String distributionName, @NotEmpty String version);
/**
@@ -236,7 +239,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param pageable the pagination parameter
* @return all found {@link DistributionSet}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Slice<DistributionSet> findByCompleted(Boolean complete, @NotNull Pageable pageable);
/**
@@ -246,7 +249,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param pageable page parameter
* @return the page of found {@link DistributionSet}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Slice<DistributionSet> findByDistributionSetFilter(@NotNull DistributionSetFilter distributionSetFilter, @NotNull Pageable pageable);
/**
@@ -260,7 +263,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
* @throws EntityNotFoundException of distribution set tag with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Page<DistributionSet> findByTag(long tagId, @NotNull Pageable pageable);
/**
@@ -272,7 +275,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @return the page of found {@link DistributionSet}
* @throws EntityNotFoundException of distribution set tag with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Page<DistributionSet> findByRsqlAndTag(@NotNull String rsql, long tagId, @NotNull Pageable pageable);
/**
@@ -282,7 +285,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* nor <code>null</code> to count both.
* @return count of all found {@link DistributionSet}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
long countByCompleted(Boolean complete);
/**
@@ -291,7 +294,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param distributionSetFilter has details of filters to be applied.
* @return count of {@link DistributionSet}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
long countByDistributionSetFilter(@NotNull DistributionSetFilter distributionSetFilter);
/**
@@ -302,7 +305,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @return number of {@link DistributionSet}s
* @throws EntityNotFoundException if type with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
long countByTypeId(long typeId);
/**
@@ -312,7 +315,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param id to check
* @return <code>true</code> if in use
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
boolean isInUse(long id);
/**
@@ -322,7 +325,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param id to look for
* @return List of Statistics for {@link org.eclipse.hawkbit.repository.model.Rollout}s status counts
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
List<Statistic> countRolloutsByStatusForDistributionSet(@NotNull Long id);
/**
@@ -332,7 +335,7 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param id to look for
* @return List of Statistics for {@link org.eclipse.hawkbit.repository.model.Action}s status counts
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
List<Statistic> countActionsByStatusForDistributionSet(@NotNull Long id);
/**
@@ -342,6 +345,6 @@ public interface DistributionSetManagement extends RepositoryManagement<Distribu
* @param id to look for
* @return number of {@link org.eclipse.hawkbit.repository.builder.AutoAssignDistributionSetUpdate}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET)
Long countAutoAssignmentsForDistributionSet(@NotNull Long id);
}
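Review bot: Every `@PreAuthorize` in this interface swaps READ_REPOSITORY/UPDATE_REPOSITORY for `HAS_AUTH_READ_DISTRIBUTION_SET`/`HAS_AUTH_UPDATE_DISTRIBUTION_SET`, but nothing in the diff shows how principals that today hold only the repository-wide permissions keep access; unless SpPermission (not in this view) maps the legacy permissions onto the new ones, upgrading locks such roles out of `lock`, `unlock`, `invalidate`, `assignSoftwareModules`, the metadata methods and every read. The interface Javadoc should state the permission model explicitly, for example `Reads require READ_DISTRIBUTION_SET and mutations UPDATE_DISTRIBUTION_SET; see SpPermission for whether the legacy READ/UPDATE_REPOSITORY permissions are still honoured`, so operators can plan the role migration. On style, the file now mixes static imports of the two new constants with the retained `import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions`, presumably because methods outside these hunks still use the qualified form; settling on one form for the whole file keeps the annotations greppable. `findByAction(long actionId)` still resolves a distribution set from an action id with only READ_DISTRIBUTION_SET, so a caller with no target permission can learn which set an action refers to — this predates the commit, but it is worth a look now that target and distribution-set reads are being separated.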


@@ -14,7 +14,7 @@ import java.util.Optional;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.TagCreate;
import org.eclipse.hawkbit.repository.builder.TagUpdate;
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;


@@ -14,7 +14,7 @@ import java.util.Optional;
import jakarta.validation.constraints.NotEmpty;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.DistributionSetTypeCreate;
import org.eclipse.hawkbit.repository.builder.DistributionSetTypeUpdate;
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;


@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
import org.eclipse.hawkbit.repository.exception.EntityReadOnlyException;
import org.eclipse.hawkbit.repository.exception.RSQLParameterSyntaxException;


@@ -9,7 +9,7 @@
*/
package org.eclipse.hawkbit.repository;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.model.Rollout;
import org.eclipse.hawkbit.repository.model.Target;


@@ -13,7 +13,7 @@ import java.util.Optional;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
import org.eclipse.hawkbit.repository.exception.RSQLParameterSyntaxException;
import org.eclipse.hawkbit.repository.exception.RSQLParameterUnsupportedFieldException;


@@ -9,7 +9,7 @@
*/
package org.eclipse.hawkbit.repository;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.model.Rollout;
import org.eclipse.hawkbit.repository.model.RolloutGroup;


@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.DynamicRolloutGroupTemplate;
import org.eclipse.hawkbit.repository.builder.RolloutCreate;
import org.eclipse.hawkbit.repository.builder.RolloutGroupCreate;


@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.SoftwareModuleCreate;
import org.eclipse.hawkbit.repository.builder.SoftwareModuleMetadataCreate;
import org.eclipse.hawkbit.repository.builder.SoftwareModuleMetadataUpdate;


@@ -13,7 +13,7 @@ import java.util.Optional;
import jakarta.validation.constraints.NotEmpty;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.SoftwareModuleTypeCreate;
import org.eclipse.hawkbit.repository.builder.SoftwareModuleTypeUpdate;
import org.eclipse.hawkbit.repository.model.SoftwareModuleType;


@@ -13,7 +13,7 @@ import java.util.function.Consumer;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.model.DistributionSetType;
import org.eclipse.hawkbit.repository.model.SoftwareModuleType;
import org.eclipse.hawkbit.repository.model.TenantMetaData;


@@ -15,7 +15,7 @@ import jakarta.validation.ConstraintViolationException;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.AutoAssignDistributionSetUpdate;
import org.eclipse.hawkbit.repository.builder.TargetFilterQueryCreate;
import org.eclipse.hawkbit.repository.builder.TargetFilterQueryUpdate;


@@ -9,6 +9,20 @@
*/
package org.eclipse.hawkbit.repository;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_CLOSE;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_OPEN;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_AND;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_DELETE_TARGET;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_PREFIX;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_TARGET;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_SUFFIX;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET;
import java.util.Collection;
import java.util.List;
import java.util.Map;
@@ -21,7 +35,7 @@ import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.repository.builder.TargetCreate;
import org.eclipse.hawkbit.repository.builder.TargetUpdate;
import org.eclipse.hawkbit.repository.exception.AssignmentQuotaExceededException;
@@ -53,6 +67,11 @@ public interface TargetManagement {
String DETAILS_TAGS = "tags";
String DETAILS_ACTIONS = "actions";
String HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET = BRACKET_OPEN +
HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX +
HAS_AUTH_AND +
HAS_AUTH_PREFIX + SpPermission.READ_TARGET + HAS_AUTH_SUFFIX +
BRACKET_CLOSE;
/**
* Counts number of targets with the given distribution set assigned.
*
@@ -60,7 +79,7 @@ public interface TargetManagement {
* @return number of found {@link Target}s.
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
long countByAssignedDistributionSet(long distributionSetId);
/**
@@ -71,7 +90,7 @@ public interface TargetManagement {
* @return the found number {@link Target}s
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
long countByFilters(@NotNull final FilterParams filterParams);
/**
@@ -81,7 +100,7 @@ public interface TargetManagement {
* @return number of found {@link Target}s.
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
long countByInstalledDistributionSet(long distributionSetId);
/**
@@ -92,7 +111,7 @@ public interface TargetManagement {
* @return <code>true</code> if a {@link Target} exists.
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
boolean existsByInstalledOrAssignedDistributionSet(long distributionSetId);
/**
@@ -101,7 +120,7 @@ public interface TargetManagement {
* @param rsql filter definition in RSQL syntax
* @return the found number of {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
long countByRsql(@NotEmpty String rsql);
/**
@@ -110,7 +129,7 @@ public interface TargetManagement {
* @param rsql filter definition in RSQL syntax
* @return the found number of {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
long countByRsqlAndUpdatable(@NotEmpty String rsql);
/**
@@ -122,7 +141,7 @@ public interface TargetManagement {
* compatible with
* @return the found number of{@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
long countByRsqlAndCompatible(@NotEmpty String rsql, @NotNull Long distributionSetIdTypeId);
/**
@@ -134,7 +153,7 @@ public interface TargetManagement {
* compatible with
* @return the found number of{@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
long countByRsqlAndCompatibleAndUpdatable(@NotEmpty String rsql, @NotNull Long distributionSetIdTypeId);
/**
@@ -147,7 +166,7 @@ public interface TargetManagement {
* compatible with
* @return the found number of{@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
long countByFailedInRollout(@NotEmpty String rolloutId, @NotNull Long dsTypeId);
/**
@@ -157,7 +176,7 @@ public interface TargetManagement {
* @return the found number of {@link Target}s
* @throws EntityNotFoundException if {@link TargetFilterQuery} with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
long countByTargetFilterQuery(long targetFilterQueryId);
/**
@@ -165,7 +184,7 @@ public interface TargetManagement {
*
* @return number of targets
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
long count();
/**
@@ -176,7 +195,7 @@ public interface TargetManagement {
* @throws EntityAlreadyExistsException given target already exists.
* @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetCreate} for field constraints.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
@PreAuthorize(HAS_AUTH_CREATE_TARGET)
Target create(@NotNull @Valid TargetCreate create);
/**
@@ -190,7 +209,7 @@ public interface TargetManagement {
* @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetCreate}
* for field constraints.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
@PreAuthorize(HAS_AUTH_CREATE_TARGET)
List<Target> create(@NotNull @Valid Collection<TargetCreate> creates);
/**
@@ -199,7 +218,7 @@ public interface TargetManagement {
* @param ids the IDs of the targets to be deleted
* @throws EntityNotFoundException if (at least one) of the given target IDs does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_DELETE_TARGET)
@PreAuthorize(HAS_AUTH_DELETE_TARGET)
void delete(@NotEmpty Collection<Long> ids);
/**
@@ -208,7 +227,7 @@ public interface TargetManagement {
* @param controllerId the controller ID of the target to be deleted
* @throws EntityNotFoundException if target with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_DELETE_TARGET)
@PreAuthorize(HAS_AUTH_DELETE_TARGET)
void deleteByControllerID(@NotEmpty String controllerId);
/**
@@ -222,7 +241,7 @@ public interface TargetManagement {
* @return a page of the found {@link Target}s
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
Slice<Target> findByTargetFilterQueryAndNonDSAndCompatibleAndUpdatable(
long distributionSetId, @NotNull String rsql, @NotNull Pageable pageable);
@@ -236,7 +255,7 @@ public interface TargetManagement {
* @return the count of found {@link Target}s
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
long countByRsqlAndNonDSAndCompatibleAndUpdatable(long distributionSetId, @NotNull String rsql);
/**
@@ -251,7 +270,7 @@ public interface TargetManagement {
* @param pageable the pageable to enhance the query for paging and sorting
* @return a page of the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
Slice<Target> findByRsqlAndNotInRolloutGroupsAndCompatibleAndUpdatable(
@NotEmpty Collection<Long> groups, @NotNull String rsql, @NotNull DistributionSetType distributionSetType,
@NotNull Pageable pageable);
@@ -266,7 +285,7 @@ public interface TargetManagement {
* @param distributionSetType type of the {@link DistributionSet} the targets must be compatible with
* @return count of the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
long countByRsqlAndNotInRolloutGroupsAndCompatibleAndUpdatable(
@NotNull String rsql, @NotEmpty Collection<Long> groups, @NotNull DistributionSetType distributionSetType);
@@ -280,7 +299,7 @@ public interface TargetManagement {
* @param pageable the pageable to enhance the query for paging and sorting
* @return a page of the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
Slice<Target> findByFailedRolloutAndNotInRolloutGroups(
@NotNull String rolloutId, @NotEmpty Collection<Long> groups, @NotNull Pageable pageable);
@@ -293,14 +312,14 @@ public interface TargetManagement {
* @param groups the list of {@link RolloutGroup}s
* @return count of the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
long countByFailedRolloutAndNotInRolloutGroups(@NotNull String rolloutId, @NotEmpty Collection<Long> groups);
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
Slice<Target> findByRsqlAndNoOverridingActionsAndNotInRolloutAndCompatibleAndUpdatable(
final long rolloutId, @NotNull String rsql, @NotNull DistributionSetType distributionSetType, @NotNull Pageable pageable);
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
@PreAuthorize(HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
long countByActionsInRolloutGroup(final long rolloutGroupId);
/**
@@ -312,7 +331,7 @@ public interface TargetManagement {
* @return the found {@link Target}s
* @throws EntityNotFoundException if rollout group with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Slice<Target> findByInRolloutGroupWithoutAction(long group, @NotNull Pageable pageable);
/**
@@ -323,7 +342,7 @@ public interface TargetManagement {
* @return the found {@link Target}s
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
Page<Target> findByAssignedDistributionSet(long distributionSetId, @NotNull Pageable pageable);
/**
@@ -338,7 +357,7 @@ public interface TargetManagement {
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
Page<Target> findByAssignedDistributionSetAndRsql(long distributionSetId, @NotNull String rsql, @NotNull Pageable pageable);
/**
@@ -347,7 +366,7 @@ public interface TargetManagement {
* @param controllerIDs to look for.
* @return List of found{@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
List<Target> getByControllerID(@NotEmpty Collection<String> controllerIDs);
/**
@@ -356,7 +375,7 @@ public interface TargetManagement {
* @param controllerId to look for.
* @return {@link Target}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Optional<Target> getByControllerID(@NotEmpty String controllerId);
/**
@@ -366,25 +385,25 @@ public interface TargetManagement {
* @param detailsKey the key of the details to include, e.g. {@link #DETAILS_AUTO_CONFIRMATION_STATUS}
* @return {@link Target}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Target getWithDetails(@NotEmpty String controllerId, String detailsKey);
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
default Target getWithDetails(@NotEmpty String controllerId) {
return getWithDetails(controllerId, DETAILS_BASE);
}
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
default Target getWithAutoConfigurationStatus(@NotEmpty String controllerId) {
return getWithDetails(controllerId, DETAILS_AUTO_CONFIRMATION_STATUS);
}
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
default Target getWithTags(@NotEmpty String controllerId) {
return getWithDetails(controllerId, DETAILS_TAGS);
}
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
default Target getWithActions(@NotEmpty String controllerId) {
return getWithDetails(controllerId, DETAILS_ACTIONS);
}
@@ -399,7 +418,7 @@ public interface TargetManagement {
* @return the found {@link Target}s
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Slice<Target> findByFilters(@NotNull FilterParams filterParams, @NotNull Pageable pageable);
/**
@@ -410,7 +429,7 @@ public interface TargetManagement {
* @return the found {@link Target}s
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
Page<Target> findByInstalledDistributionSet(long distributionSetId, @NotNull Pageable pageReq);
/**
@@ -426,7 +445,7 @@ public interface TargetManagement {
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
* @throws EntityNotFoundException if distribution set with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
Page<Target> findByInstalledDistributionSetAndRsql(long distributionSetId, @NotNull String rsql, @NotNull Pageable pageReq);
/**
@@ -436,7 +455,7 @@ public interface TargetManagement {
* @param pageable page parameter
* @return the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Page<Target> findByUpdateStatus(@NotNull TargetUpdateStatus status, @NotNull Pageable pageable);
/**
@@ -445,7 +464,7 @@ public interface TargetManagement {
* @param pageable pagination parameter
* @return the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Slice<Target> findAll(@NotNull Pageable pageable);
/**
@@ -458,7 +477,7 @@ public interface TargetManagement {
* given {@code fieldNameProvider}
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Slice<Target> findByRsql(@NotNull String rsql, @NotNull Pageable pageable);
/**
@@ -472,7 +491,7 @@ public interface TargetManagement {
* given {@code fieldNameProvider}
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Slice<Target> findByTargetFilterQuery(long targetFilterQueryId, @NotNull Pageable pageable);
/**
@@ -483,7 +502,7 @@ public interface TargetManagement {
* @return list of matching targets
* @throws EntityNotFoundException if target tag with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Page<Target> findByTag(long tagId, @NotNull Pageable pageable);
/**
@@ -498,7 +517,7 @@ public interface TargetManagement {
* given {@code fieldNameProvider}
* @throws RSQLParameterSyntaxException if the RSQL syntax is wrong
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Page<Target> findByRsqlAndTag(@NotNull String rsql, long tagId, @NotNull Pageable pageable);
/**
@@ -510,7 +529,7 @@ public interface TargetManagement {
* @param targetFilterQuery to execute
* @return true if it matches
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_READ_TARGET)
boolean isTargetMatchingQueryAndDSNotAssignedAndCompatibleAndUpdatable(
@NotNull String controllerId, long distributionSetId, @NotNull String targetFilterQuery);
@@ -523,7 +542,7 @@ public interface TargetManagement {
* @return {@link TargetTypeAssignmentResult} with all meta-data of the assignment outcome.
* @throws EntityNotFoundException if target type with given id does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
TargetTypeAssignmentResult assignType(@NotEmpty Collection<String> controllerIds, @NotNull Long typeId);
/**
@@ -532,7 +551,7 @@ public interface TargetManagement {
* @param controllerIds to remove the type from
* @return {@link TargetTypeAssignmentResult} with all meta-data of the assignment outcome.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
TargetTypeAssignmentResult unassignType(@NotEmpty Collection<String> controllerIds);
/**
@@ -544,7 +563,7 @@ public interface TargetManagement {
* @return list of assigned targets
* @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
List<Target> assignTag(@NotEmpty Collection<String> controllerIds, long targetTagId, final Consumer<Collection<String>> notFoundHandler);
/**
@@ -555,7 +574,7 @@ public interface TargetManagement {
* @return list of assigned targets
* @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
List<Target> assignTag(@NotEmpty Collection<String> controllerIds, long targetTagId);
/**
@@ -567,7 +586,7 @@ public interface TargetManagement {
* @return list of unassigned targets
* @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
List<Target> unassignTag(@NotEmpty Collection<String> controllerIds, long targetTagId, final Consumer<Collection<String>> notFoundHandler);
/**
@@ -578,7 +597,7 @@ public interface TargetManagement {
* @return list of unassigned targets
* @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
List<Target> unassignTag(@NotEmpty Collection<String> controllerIds, long targetTagId);
/**
@@ -587,7 +606,7 @@ public interface TargetManagement {
* @param controllerId to un-assign for
* @return the unassigned target
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
Target unassignType(@NotEmpty String controllerId);
/**
@@ -598,7 +617,7 @@ public interface TargetManagement {
* @return the unassigned target
* @throws EntityNotFoundException if TargetType with given target ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
Target assignType(@NotEmpty String controllerId, @NotNull Long targetTypeId);
/**
@@ -610,7 +629,7 @@ public interface TargetManagement {
* @throws ConstraintViolationException if fields are not filled as specified. Check {@link TargetUpdate}
* for field constraints.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
Target update(@NotNull @Valid TargetUpdate update);
/**
@@ -619,7 +638,7 @@ public interface TargetManagement {
* @param id to look for
* @return {@link Target}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Optional<Target> get(long id);
/**
@@ -628,7 +647,7 @@ public interface TargetManagement {
* @param ids the ids to for
* @return the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
List<Target> get(@NotNull Collection<Long> ids);
/**
@@ -637,7 +656,7 @@ public interface TargetManagement {
* @param controllerId of target
* @return {@code true} if target with given ID exists
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
boolean existsByControllerId(@NotEmpty String controllerId);
/**
@@ -647,7 +666,7 @@ public interface TargetManagement {
* @return the found Tag set
* @throws EntityNotFoundException if target with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Set<TargetTag> getTags(@NotEmpty String controllerId);
/**
@@ -657,7 +676,7 @@ public interface TargetManagement {
* @return controller attributes as key/value pairs
* @throws EntityNotFoundException if target with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Map<String, String> getControllerAttributes(@NotEmpty String controllerId);
/**
@@ -666,7 +685,7 @@ public interface TargetManagement {
* @param controllerId of the target
* @throws EntityNotFoundException if target with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET)
void requestControllerAttributes(@NotEmpty String controllerId);
/**
@@ -676,7 +695,7 @@ public interface TargetManagement {
* @return {@code true}: update of controller attributes triggered.
* {@code false}: update of controller attributes not requested.
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
boolean isControllerAttributesRequested(@NotEmpty String controllerId);
/**
@@ -686,7 +705,7 @@ public interface TargetManagement {
* @param pageable page parameter
* @return the found {@link Target}s
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET)
Page<Target> findByControllerAttributesRequested(@NotNull Pageable pageable);
/**
@@ -698,7 +717,7 @@ public interface TargetManagement {
* @throws EntityAlreadyExistsException in case one of the metad-ata entry already exists for the specific key
* @throws AssignmentQuotaExceededException if the maximum number of meta-data entries is exceeded for the addressed {@link Target}
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY)
void createMetadata(@NotEmpty String controllerId, @NotEmpty Map<String, String> metadata);
/**
@@ -708,7 +727,7 @@ public interface TargetManagement {
* @return the found target meta-data
* @throws EntityNotFoundException if target with given ID does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
@PreAuthorize(HAS_AUTH_READ_REPOSITORY)
Map<String, String> getMetadata(@NotEmpty String controllerId);
/**
@@ -719,7 +738,7 @@ public interface TargetManagement {
* @param value meta data-entry to be new value
* @throws EntityNotFoundException in case the meta-data entry does not exist and cannot be updated
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY)
void updateMetadata(@NotEmpty String controllerId, @NotNull String key, @NotNull String value);
/**
@@ -729,6 +748,6 @@ public interface TargetManagement {
* @param key of the meta data element
* @throws EntityNotFoundException if given target does not exist
*/
@PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_REPOSITORY)
@PreAuthorize(HAS_AUTH_UPDATE_REPOSITORY)
void deleteMetadata(@NotEmpty String controllerId, @NotEmpty String key);
}


@@ -18,7 +18,7 @@ import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.builder.TagCreate;
import org.eclipse.hawkbit.repository.builder.TagUpdate;
import org.eclipse.hawkbit.repository.exception.EntityAlreadyExistsException;


@@ -9,6 +9,16 @@
*/
package org.eclipse.hawkbit.repository;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_CLOSE;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.BRACKET_OPEN;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_AND;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET_TYPE;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_DELETE_TARGET_TYPE;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_PREFIX;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_READ_TARGET_TYPE;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_SUFFIX;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET_TYPE;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
@@ -31,58 +41,64 @@ import org.springframework.security.access.prepost.PreAuthorize;
*/
public interface TargetTypeManagement {
String HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE = BRACKET_OPEN +
HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX +
HAS_AUTH_AND +
HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET_TYPE + HAS_AUTH_SUFFIX +
BRACKET_CLOSE;
/**
* @param key as {@link TargetType#getKey()}
* @return {@link TargetType}
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
Optional<TargetType> getByKey(@NotEmpty String key);
/**
* @param name as {@link TargetType#getName()}
* @return {@link TargetType}
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
Optional<TargetType> getByName(@NotEmpty String name);
/**
* @return total count
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
long count();
/**
* @param name as {@link TargetType#getName()}
* @return total count by name
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
long countByName(String name);
/**
* @param create TargetTypeCreate
* @return targetType
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
@PreAuthorize(HAS_AUTH_CREATE_TARGET_TYPE)
TargetType create(@NotNull @Valid TargetTypeCreate create);
/**
* @param creates List of TargetTypeCreate
* @return List of targetType
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_CREATE_TARGET)
@PreAuthorize(HAS_AUTH_CREATE_TARGET_TYPE)
List<TargetType> create(@NotEmpty @Valid Collection<TargetTypeCreate> creates);
/**
* @param id targetTypeId
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_DELETE_TARGET)
@PreAuthorize(HAS_AUTH_DELETE_TARGET_TYPE)
void delete(@NotNull Long id);
/**
* @param pageable Page
* @return TargetType page
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
Slice<TargetType> findAll(@NotNull Pageable pageable);
/**
@@ -90,7 +106,7 @@ public interface TargetTypeManagement {
* @param pageable Page
* @return Target type
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
Page<TargetType> findByRsql(@NotEmpty String rsql, @NotNull Pageable pageable);
/**
@@ -100,28 +116,28 @@ public interface TargetTypeManagement {
* @param pageable page parameter
* @return the page of found {@link TargetType}
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
Slice<TargetType> findByName(String name, @NotNull Pageable pageable);
/**
* @param id Target type ID
* @return Target Type
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
Optional<TargetType> get(long id);
/**
* @param ids List of Target type ID
* @return Target type list
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_TARGET)
@PreAuthorize(HAS_AUTH_READ_TARGET_TYPE)
List<TargetType> get(@NotEmpty Collection<Long> ids);
/**
* @param update TargetTypeUpdate
* @return Target Type
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_UPDATE_TARGET_TYPE)
TargetType update(@NotNull @Valid TargetTypeUpdate update);
/**
@@ -129,15 +145,14 @@ public interface TargetTypeManagement {
* @param distributionSetTypeIds Distribution set ID
* @return Target type
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
TargetType assignCompatibleDistributionSetTypes(long id,
@NotEmpty Collection<Long> distributionSetTypeIds);
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE)
TargetType assignCompatibleDistributionSetTypes(long id, @NotEmpty Collection<Long> distributionSetTypeIds);
/**
* @param id Target type ID
* @param distributionSetTypeIds Distribution set ID
* @return Target type
*/
@PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
@PreAuthorize(HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE)
TargetType unassignDistributionSetType(long id, long distributionSetTypeIds);
}
}
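Review bot: The new constant HAS_AUTH_READ_DISTRIBUTION_SET_AND_UPDATE_TARGET_TYPE at the top of the TargetTypeManagement hunk has no Javadoc, and it is the one place in this file where a permission on another entity (READ_DISTRIBUTION_SET) gates a target-type operation, which is exactly what someone auditing role assignments will ask about. The two methods it guards, assignCompatibleDistributionSetTypes and unassignDistributionSetType, previously accepted READ_REPOSITORY plus UPDATE_TARGET, so whether existing roles keep working depends on how Hierarchy.DEFAULT (referenced in RepositoryConfiguration elsewhere in this commit) maps the old permissions onto the new ones — that mapping is not visible here, so the comment should state the intent. I would add above the constant: `/** SpEL expression requiring READ_DISTRIBUTION_SET (presumably also covering distribution set types — verify) and UPDATE_TARGET_TYPE; supersedes READ_REPOSITORY + UPDATE_TARGET, which the default role hierarchy is expected to still imply. */`. Minor: `unassignDistributionSetType(long id, long distributionSetTypeIds)` takes a single id but keeps the plural parameter name from the bulk variant; `distributionSetTypeId` would avoid a misleading signature.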


@@ -13,7 +13,7 @@ import java.io.Serializable;
import java.util.Map;
import java.util.function.Function;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.exception.TenantConfigurationValidatorException;
import org.eclipse.hawkbit.repository.model.PollStatus;
import org.eclipse.hawkbit.repository.model.Target;


@@ -9,7 +9,7 @@
*/
package org.eclipse.hawkbit.repository;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.report.model.TenantUsage;
import org.springframework.security.access.prepost.PreAuthorize;


@@ -15,7 +15,7 @@ import java.util.Optional;
import java.util.function.Supplier;
import org.aopalliance.intercept.MethodInvocation;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.im.authentication.Hierarchy;
import org.eclipse.hawkbit.tenancy.configuration.ControllerPollProperties;
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -49,7 +49,7 @@ public class RepositoryConfiguration {
@Bean
@ConditionalOnMissingBean
static RoleHierarchy roleHierarchy() {
return RoleHierarchyImpl.fromHierarchy(SpRole.DEFAULT_ROLE_HIERARCHY);
return RoleHierarchyImpl.fromHierarchy(Hierarchy.DEFAULT);
}
@Bean


@@ -18,7 +18,6 @@ import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.ContextAware;
@@ -27,11 +26,8 @@ import org.eclipse.hawkbit.repository.exception.InsufficientPermissionException;
import org.eclipse.hawkbit.repository.jpa.ql.EntityMatcher;
import org.eclipse.hawkbit.repository.jpa.rsql.RsqlUtility;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.jpa.domain.Specification;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.ObjectUtils;
@@ -41,10 +37,7 @@ public class DefaultAccessController<A extends Enum<A> & RsqlQueryField, T> impl
private final Class<A> rsqlQueryFieldType;
private final Map<Operation, List<String>> permissions = new EnumMap<>(Operation.class);
@Value("${hawkbit.jpa.security.default-access-controller.strict:false}")
private boolean strict;
private ContextAware contextAware;
private RoleHierarchy roleHierarchy;
public DefaultAccessController(final Class<A> rsqlQueryFieldType, final String... permissionTypes) {
if (ObjectUtils.isEmpty(permissionTypes)) {
@@ -64,11 +57,6 @@ public class DefaultAccessController<A extends Enum<A> & RsqlQueryField, T> impl
this.contextAware = contextAware;
}
@Autowired(required = false)
void setRoleHierarchy(final RoleHierarchy roleHierarchy) {
this.roleHierarchy = roleHierarchy;
}
@Override
public Optional<Specification<T>> getAccessRules(final Operation operation) {
if (contextAware.getCurrentTenant() != null && SYSTEM_USER.equals(contextAware.getCurrentUsername())) {
@@ -104,43 +92,26 @@ public class DefaultAccessController<A extends Enum<A> & RsqlQueryField, T> impl
// returns null if ALL entities are accessible, otherwise returns a list of scopes
// throws InsufficientPermissionException if no matching authority found (should not happen - should be already checked with @PreAuthorize)
// java:S1168 - returns null with purpose to indicate no scopes, privately used with attention
// java:S1168 - better readable at one place
@SuppressWarnings({ "java:S1168", "java:S1168" })
@SuppressWarnings("java:S1168") // java:S1168 - returns null with purpose to indicate no scopes, privately used with attention
private List<String> getScopes(final Operation operation) {
final List<String> operationPermissions = permissions.get(operation);
final List<String> scopes = SecurityContextHolder.getContext().getAuthentication().getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.map(Permission::from)
.flatMap(permission -> roleHierarchy == null
? (operationPermissions.contains(permission.name()) ? Stream.of(permission) : Stream.empty())
: roleHierarchy.getReachableGrantedAuthorities(List.of(new SimpleGrantedAuthority(permission.name())))
.stream()
.map(GrantedAuthority::getAuthority)
.filter(operationPermissions::contains)
.map(reachableAuthority -> new Permission(reachableAuthority, permission.scope())))
.filter(permission -> operationPermissions.contains(permission.name()))
.map(Permission::scope)
.distinct() // remove duplicates
.toList();
if (scopes.isEmpty()) {
// no matching authority found for the operation
// the needed permission should have already been checked with @PreAuthorize
// could happen, for instance, in controller management, that checks ROLE_CONTROLLER and on its behalf
// calls pure repository methods as privileged
if (strict) {
throw new InsufficientPermissionException(
String.format(
"No matching authority found for operation %s" +
" (expects %s, should not happen - shall have already been checked with @PreAuthorize)",
operation, operationPermissions));
} else {
// TODO - maybe in some future we could adapt permissions so controller roles to somehow apply what is needed
// and to do not "assume" and to throw exception always
log.debug(
"[{}] No matching authority found for operation {} (expects {}), they shall have already been checked with @PreAuthorize)",
rsqlQueryFieldType, operation, operationPermissions);
return null;
}
// no matching permission scope found for the operation
// the required for the method permissions should have already been checked with @PreAuthorize
// however it could happen that there is no entity permission, e.g.:
// * in controller management, that checks ROLE_CONTROLLER and on its behalf calls pure repository methods as privileged
// * in case the entity permission(s) are implied - e.g. there is READ_REPOSITORY which implies READ_DISTRIBUTION_SET
log.debug(
"[{}] No matching authority found for operation {} (expects {}), they shall have already been checked with @PreAuthorize)",
rsqlQueryFieldType, operation, operationPermissions);
return null;
} else if (scopes.contains(null)) {
return null; // not scoped at all
} else {
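Review bot: Dropping the `strict` field and its `InsufficientPermissionException` branch leaves getScopes with a single fail-open path: when none of the caller's authorities names one of `operationPermissions`, it returns null, which the comment above the method defines as "ALL entities accessible". Since role-hierarchy expansion was removed from this class as well, an authority such as `READ_REPOSITORY/id==42` that presumably still satisfies `@PreAuthorize` through the RoleHierarchy bean kept in RepositoryConfiguration, but is not itself one of `operationPermissions`, now yields unrestricted access rather than scoped access; the new comment lists exactly this implied-permission case as expected. At minimum that fallback should be logged at warn rather than debug, e.g. `log.warn("[{}] No matching authority found for operation {} (expects {}) - falling back to unrestricted access", rsqlQueryFieldType, operation, operationPermissions);`, and keeping a fail-closed option behind `hawkbit.jpa.security.default-access-controller.strict` would let deployments that relied on scoped parent permissions refuse rather than widen. getScopes continues past the end of this hunk.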


@@ -32,12 +32,12 @@ public class DefaultAccessControllerConfiguration {
@Bean
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.target-type.enabled", havingValue = "true", matchIfMissing = true)
AccessController<JpaTargetType> targetTypeAccessController() {
return new DefaultAccessController<>(TargetTypeFields.class, "TARGET", "TARGET_TYPE");
return new DefaultAccessController<>(TargetTypeFields.class, "TARGET_TYPE");
}
@Bean
@ConditionalOnProperty(name = "hawkbit.acm.access-controller.distribution-set.enabled", havingValue = "true", matchIfMissing = true)
AccessController<JpaDistributionSet> distributionSetAccessController() {
return new DefaultAccessController<>(DistributionSetFields.class, "REPOSITORY", "DISTRIBUTION_SET");
return new DefaultAccessController<>(DistributionSetFields.class, "DISTRIBUTION_SET");
}
}
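Review bot: Both beans now pass a single permission type, so a scoped `READ_TARGET` or `READ_REPOSITORY` authority is no longer evaluated by the target-type and distribution-set access controllers; per the no-match fallback in DefaultAccessController.getScopes that presumably means such a principal is no longer narrowed at all. This is a behavior change for existing role definitions and deserves a Javadoc on each bean, e.g. `/** Scope-evaluates only {@code *_TARGET_TYPE} authorities; a scoped {@code *_TARGET} authority no longer narrows target-type access. */` and the analogous `*_DISTRIBUTION_SET` / `*_REPOSITORY` wording on distributionSetAccessController.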


@@ -29,6 +29,7 @@ import jakarta.validation.constraints.NotNull;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.ContextAware;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.repository.DistributionSetManagement;
import org.eclipse.hawkbit.repository.QuotaManagement;
import org.eclipse.hawkbit.repository.RepositoryProperties;
@@ -200,7 +201,7 @@ public class JpaRolloutManagement implements RolloutManagement {
// scheduled rollout, the creator shall have permissions to start rollout
if (rolloutRequest.getStartAt() != null && rolloutRequest.getStartAt() != Long.MAX_VALUE && // if scheduled rollout
!systemSecurityContext.hasPermission(SpPermission.HANDLE_ROLLOUT) &&
!systemSecurityContext.hasPermission(SpPermission.SpringEvalExpressions.SYSTEM_ROLE)) {
!systemSecurityContext.hasPermission(SpRole.SYSTEM_ROLE)) {
throw new InsufficientPermissionException("You need permission to start rollouts to create a scheduled rollout");
}
if (dynamicRolloutGroupTemplate != null && !rolloutRequest.isDynamic()) {


@@ -11,9 +11,10 @@ package org.eclipse.hawkbit.repository.jpa.acm;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_DISTRIBUTION_SET;
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_REPOSITORY;
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET;
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_REPOSITORY;
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_DISTRIBUTION_SET;
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUser;
@@ -38,6 +39,9 @@ import org.springframework.data.domain.Pageable;
import org.springframework.test.context.ContextConfiguration;
/**
* Note: Still all test gets READ_REPOSITORY since find methods are inherited with request for READ_REPOSITORY. However,
* using READ_DISTRIBUTION_SET scoping - the scopes still work.
* <p/>
* Feature: Component Tests - Access Control<br/>
* Story: Test Distribution Set Access Controller
*/
@@ -56,7 +60,8 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
final Action hiddenAction = testdataFactory.performAssignment(hidden);
runAs(withUser("user",
READ_REPOSITORY + "/id==" + permitted.getId(),
READ_REPOSITORY,
READ_DISTRIBUTION_SET + "/id==" + permitted.getId(),
READ_TARGET +"/controllerId==" + permittedAction.getTarget().getControllerId()), () -> {
final Long permittedActionId = permitted.getId();
@@ -125,8 +130,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
final SoftwareModule swModule = testdataFactory.createSoftwareModuleOs();
runAs(withUser("user",
READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
UPDATE_REPOSITORY + "/id==" + permitted.getId()), () -> {
READ_REPOSITORY,
READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId()), () -> {
// verify distributionSetManagement#assignSoftwareModules
final List<Long> singleModuleIdList = Collections.singletonList(swModule.getId());
assertThat(distributionSetManagement.assignSoftwareModules(permitted.getId(), singleModuleIdList))
@@ -185,8 +191,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
distributionSetManagement.assignTag(Arrays.asList(permitted.getId(), readOnly.getId(), hidden.getId()), dsTagId);
runAs(withUser("user",
READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
UPDATE_REPOSITORY + "/id==" + permitted.getId()), () -> {
READ_REPOSITORY,
READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId()), () -> {
assertThat(distributionSetManagement.findByTag(dsTagId, Pageable.unpaged()).get().map(Identifiable::getId)
.toList()).containsOnly(permitted.getId(), readOnly.getId());
@@ -252,8 +259,9 @@ class DistributionSetAccessControllerTest extends AbstractJpaIntegrationTest {
.create(entityFactory.targetFilterQuery().create().name("test").query("id==*"));
runAs(withUser("user",
READ_REPOSITORY + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
UPDATE_REPOSITORY + "/id==" + permitted.getId(),
READ_REPOSITORY,
READ_DISTRIBUTION_SET + "/id==" + permitted.getId() + " or id==" + readOnly.getId(),
UPDATE_DISTRIBUTION_SET + "/id==" + permitted.getId(),
// read / update target needed to update target filter query
READ_TARGET, UPDATE_TARGET), () -> {
assertThat(targetFilterQueryManagement
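Review bot: The reshaped grants (unscoped `READ_REPOSITORY` plus `READ_DISTRIBUTION_SET + "/id==..."`) only exercise the case where the fine-grained authority is present; no test keeps the previous shape, a scoped `READ_REPOSITORY` with no `READ_DISTRIBUTION_SET` authority, so the new behavior for that input (the class Javadoc's "inherited with request for READ_REPOSITORY" case) is left unpinned. A test asserting what such a user sees, presumably the hidden distribution set as well given DefaultAccessController's no-match fallback, would document that decision and catch regressions. The same gap applies to TargetTypeAccessControllerTest, where the scoped `READ_TARGET` grants were replaced by `READ_TARGET_TYPE` ones. The class Javadoc sentence "Still all test gets READ_REPOSITORY since find methods are inherited with request for READ_REPOSITORY" would read better as "All tests still get READ_REPOSITORY, since the find methods are inherited with a READ_REPOSITORY requirement".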


@@ -11,15 +11,13 @@ package org.eclipse.hawkbit.repository.jpa.acm;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.eclipse.hawkbit.im.authentication.SpPermission.DELETE_TARGET;
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET;
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET;
import static org.eclipse.hawkbit.im.authentication.SpPermission.DELETE_TARGET_TYPE;
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TARGET_TYPE;
import static org.eclipse.hawkbit.im.authentication.SpPermission.UPDATE_TARGET_TYPE;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUser;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Stream;
import org.eclipse.hawkbit.repository.Identifiable;
import org.eclipse.hawkbit.repository.builder.TargetTypeCreate;
@@ -27,8 +25,6 @@ import org.eclipse.hawkbit.repository.builder.TargetTypeUpdate;
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
import org.eclipse.hawkbit.repository.exception.InsufficientPermissionException;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.eclipse.hawkbit.repository.jpa.model.JpaTargetType;
import org.eclipse.hawkbit.repository.jpa.specifications.TargetTypeSpecification;
import org.eclipse.hawkbit.repository.model.TargetType;
import org.junit.jupiter.api.Test;
import org.springframework.data.domain.Pageable;
@@ -49,7 +45,7 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
final TargetType permittedTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type1"));
final TargetType hiddenTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
runAs(withUser("user", READ_TARGET + "/id==" + permittedTargetType.getId()), () -> {
runAs(withUser("user", READ_TARGET_TYPE + "/id==" + permittedTargetType.getId()), () -> {
// verify targetTypeManagement#findAll
assertThat(targetTypeManagement.findAll(Pageable.unpaged()).get().map(Identifiable::getId).toList())
.containsOnly(permittedTargetType.getId());
@@ -111,8 +107,8 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
final TargetType readOnlyTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
runAs(withUser("user",
READ_TARGET + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
DELETE_TARGET + "/id==" + manageableTargetType.getId()), () -> {
READ_TARGET_TYPE + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
DELETE_TARGET_TYPE + "/id==" + manageableTargetType.getId()), () -> {
// delete the manageableTargetType
targetTypeManagement.delete(manageableTargetType.getId());
@@ -132,8 +128,8 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
final TargetType readOnlyTargetType = targetTypeManagement.create(entityFactory.targetType().create().name("type2"));
runAs(withUser("user",
READ_TARGET + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
UPDATE_TARGET + "/id==" + manageableTargetType.getId()), () -> {
READ_TARGET_TYPE + "/id==" + manageableTargetType.getId() + " or id==" + readOnlyTargetType.getId(),
UPDATE_TARGET_TYPE + "/id==" + manageableTargetType.getId()), () -> {
// update the manageableTargetType
targetTypeManagement.update(entityFactory.targetType().update(manageableTargetType.getId())
.name(manageableTargetType.getName() + "/new").description("newDesc"));
@@ -151,7 +147,7 @@ class TargetTypeAccessControllerTest extends AbstractJpaIntegrationTest {
*/
@Test
void verifyTargetTypeCreationBlockedByAccessController() {
runAs(withUser("user", READ_TARGET, UPDATE_TARGET), () -> {
runAs(withUser("user", READ_TARGET_TYPE, UPDATE_TARGET_TYPE), () -> {
// verify targetTypeManagement#create for any type
final TargetTypeCreate targetTypeCreate = entityFactory.targetType().create().name("type1");
assertThatThrownBy(() -> targetTypeManagement.create(targetTypeCreate))


@@ -13,6 +13,7 @@ import java.io.ByteArrayInputStream;
import java.util.List;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.eclipse.hawkbit.repository.model.ArtifactUpload;
import org.eclipse.hawkbit.repository.test.util.WithUser;
@@ -59,7 +60,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getPermissionCheck() {
assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.READ_REPOSITORY));
assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.get(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -70,7 +71,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L),
List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -79,7 +80,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findFirstBySHA1PermissionCheck() {
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.READ_REPOSITORY));
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -88,7 +89,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getByFilenamePermissionCheck() {
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.READ_REPOSITORY));
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -113,7 +114,7 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void loadArtifactBinaryPermissionCheck() {
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
}


@@ -12,6 +12,7 @@ package org.eclipse.hawkbit.repository.jpa.management;
import java.util.List;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.junit.jupiter.api.Test;
@@ -45,7 +46,7 @@ class ConfirmationManagementSecurityTest extends AbstractJpaIntegrationTest {
void getStatusPermissionsCheck() {
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.READ_TARGET),
List.of(SpPermission.CREATE_TARGET));
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET));
assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET));
}
/**


@@ -13,7 +13,8 @@ import java.net.URI;
import java.util.List;
import java.util.Map;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.exception.CancelActionNotAllowedException;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.eclipse.hawkbit.repository.jpa.model.JpaAction;
@@ -33,7 +34,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void addCancelActionStatusPermissionsCheck() {
assertPermissions(() -> controllerManagement.addCancelActionStatus(entityFactory.actionStatus().create(0L)),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -41,7 +42,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void getSoftwareModulePermissionsCheck() {
assertPermissions(() -> controllerManagement.getSoftwareModule(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.getSoftwareModule(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -50,7 +51,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findTargetVisibleMetaDataBySoftwareModuleIdPermissionsCheck() {
assertPermissions(() -> controllerManagement.findTargetVisibleMetaDataBySoftwareModuleId(List.of(1L)),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -59,7 +60,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void addInformationalActionStatusPermissionsCheck() {
assertPermissions(() -> controllerManagement.addInformationalActionStatus(entityFactory.actionStatus().create(0L)),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -68,7 +69,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void addUpdateActionStatusPermissionsCheck() {
assertPermissions(() -> controllerManagement.addUpdateActionStatus(entityFactory.actionStatus().create(0L)),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -77,7 +78,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findActiveActionWithHighestWeightPermissionsCheck() {
assertPermissions(() -> controllerManagement.findActiveActionWithHighestWeight("controllerId"),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -86,7 +87,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findActiveActionsWithHighestWeightPermissionsCheck() {
assertPermissions(() -> controllerManagement.findActiveActionsWithHighestWeight("controllerId", 1),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -94,7 +95,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void findActionWithDetailsPermissionsCheck() {
assertPermissions(() -> controllerManagement.findActionWithDetails(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.findActionWithDetails(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -103,7 +104,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findActionStatusByActionPermissionsCheck() {
assertPermissions(() -> controllerManagement.findActionStatusByAction(1L, Pageable.unpaged()),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -112,7 +113,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void findOrRegisterTargetIfItDoesNotExistPermissionsCheck() {
assertPermissions(() -> controllerManagement.findOrRegisterTargetIfItDoesNotExist("controllerId", URI.create("someaddress")),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -122,7 +123,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
void findOrRegisterTargetIfItDoesNotExistWithDetailsPermissionsCheck() {
assertPermissions(
() -> controllerManagement.findOrRegisterTargetIfItDoesNotExist("controllerId", URI.create("someaddress"), "name", "type"),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -131,7 +132,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getActionForDownloadByTargetAndSoftwareModulePermissionsCheck() {
assertPermissions(() -> controllerManagement.getActionForDownloadByTargetAndSoftwareModule("controllerId", 1L),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -139,7 +140,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void getPollingTimePermissionsCheck() {
assertPermissions(() -> controllerManagement.getPollingTime(null), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.getPollingTime(null), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -156,7 +157,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
// expected since action is not found
}
return null;
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -165,7 +166,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void hasTargetArtifactAssignedPermissionsCheck() {
assertPermissions(() -> controllerManagement.hasTargetArtifactAssigned("controllerId", "sha1Hash"),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -174,7 +175,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void hasTargetArtifactAssignedByIdPermissionsCheck() {
assertPermissions(() -> controllerManagement.hasTargetArtifactAssigned(1L, "sha1Hash"),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -183,7 +184,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void updateControllerAttributesPermissionsCheck() {
assertPermissions(() -> controllerManagement.updateControllerAttributes("controllerId", Map.of(), null),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -192,9 +193,9 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getByControllerIdPermissionsCheck() {
assertPermissions(() -> controllerManagement.getByControllerId("controllerId"),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.getByControllerId("controllerId"),
List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
List.of(SpRole.SYSTEM_ROLE));
}
/**
@@ -202,8 +203,8 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void getPermissionsCheck() {
assertPermissions(() -> controllerManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
assertPermissions(() -> controllerManagement.get(1L), List.of(SpringEvalExpressions.CONTROLLER_ROLE));
assertPermissions(() -> controllerManagement.get(1L), List.of(SpRole.SYSTEM_ROLE));
}
/**
@@ -212,7 +213,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getActionHistoryMessagesPermissionsCheck() {
assertPermissions(() -> controllerManagement.getActionHistoryMessages(1L, 1),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -229,7 +230,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
// expected since action is not found
}
return null;
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -240,7 +241,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> {
controllerManagement.updateActionExternalRef(1L, "externalRef");
return null;
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -249,7 +250,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void getActionByExternalRefPermissionsCheck() {
assertPermissions(() -> controllerManagement.getActionByExternalRef("externalRef"),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -260,7 +261,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> {
controllerManagement.deleteExistingTarget("controllerId");
return null;
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -271,7 +272,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
final Target target = testdataFactory.createTarget();
assertPermissions(
() -> controllerManagement.getInstalledActionByTarget(target),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -281,7 +282,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
void activateAutoConfirmationPermissionsCheck() {
assertPermissions(
() -> controllerManagement.activateAutoConfirmation("controllerId", "initiator", "remark"),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -292,7 +293,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> {
controllerManagement.deactivateAutoConfirmation("controllerId");
return null;
}, List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
}, List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
/**
@@ -301,7 +302,7 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void updateOfflineAssignedVersionPermissionsCheck() {
assertPermissions(() -> controllerManagement.updateOfflineAssignedVersion("controllerId", "distributionName", "version"),
List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
List.of(SpringEvalExpressions.CONTROLLER_ROLE));
}
}


@@ -12,8 +12,8 @@ package org.eclipse.hawkbit.repository.jpa.management;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatNoException;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
import static org.eclipse.hawkbit.repository.jpa.configuration.Constants.TX_RT_MAX;
import static org.eclipse.hawkbit.repository.model.Action.ActionType.DOWNLOAD_ONLY;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;


@@ -13,6 +13,7 @@ import java.util.List;
import java.util.Set;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.eclipse.hawkbit.repository.model.Action;
import org.eclipse.hawkbit.repository.model.DeploymentRequest;
@@ -273,7 +274,7 @@ class DeploymentManagementSecurityTest extends AbstractJpaIntegrationTest {
@Test
void deleteActionsByStatusAndLastModifiedBeforePermissionsCheck() {
assertPermissions(() -> deploymentManagement.deleteActionsByStatusAndLastModifiedBefore(Set.of(Action.Status.CANCELED), 1L),
List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
List.of(SpRole.SYSTEM_ROLE));
}
/**


@@ -32,6 +32,7 @@ import org.assertj.core.api.Assertions;
import org.assertj.core.api.Condition;
import org.awaitility.Awaitility;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.repository.Identifiable;
import org.eclipse.hawkbit.repository.OffsetBasedPageRequest;
import org.eclipse.hawkbit.repository.builder.RolloutCreate;
@@ -1436,7 +1437,7 @@ class RolloutManagementTest extends AbstractJpaIntegrationTest {
SpPermission.READ_REPOSITORY, SpPermission.READ_TARGET, SpPermission.CREATE_ROLLOUT, SpPermission.HANDLE_ROLLOUT);
final WithUser userWithSystemRole = SecurityContextSwitch.withUser(
"user_with_system_role",
SpPermission.SpringEvalExpressions.SYSTEM_ROLE);
SpRole.SYSTEM_ROLE);
final String filter = "controllerId==" + rolloutName + "-*";
// create scheduled rollout fails without handle rollout permission


@@ -13,6 +13,8 @@ import java.util.List;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.junit.jupiter.api.Test;
@@ -50,7 +52,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> {
systemManagement.forEachTenant(log::info);
return null;
}, List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
}, List.of(SpRole.SYSTEM_ROLE));
}
/**
@@ -77,7 +79,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -88,7 +90,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
assertPermissions(() -> systemManagement.getTenantMetadataWithoutDetails(), List.of(SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY));
}
/**
@@ -96,7 +98,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void getTenantMetadataByTenantPermissionsCheck() {
assertPermissions(() -> systemManagement.getTenantMetadata(1L), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
assertPermissions(() -> systemManagement.getTenantMetadata(1L), List.of(SpRole.SYSTEM_ROLE));
}
/**
@@ -104,7 +106,7 @@ class SystemManagementSecurityTest extends AbstractJpaIntegrationTest {
*/
@Test
void createTenantMetadataPermissionsCheck() {
assertPermissions(() -> systemManagement.createTenantMetadata("tenant"), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE));
assertPermissions(() -> systemManagement.createTenantMetadata("tenant"), List.of(SpRole.SYSTEM_ROLE));
}
/**


@@ -15,7 +15,7 @@ import java.io.ByteArrayInputStream;
import java.util.List;
import java.util.Random;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest;
import org.eclipse.hawkbit.repository.model.ArtifactUpload;
import org.eclipse.hawkbit.repository.model.DistributionSet;
@@ -137,27 +137,27 @@ class SystemManagementTest extends AbstractJpaIntegrationTest {
for (int i = 0; i < tenants; i++) {
final String tenantname = "TENANT" + i;
SecurityContextSwitch.getAs(SecurityContextSwitch.withUserAndTenant("bumlux", tenantname, true, true, false,
SpringEvalExpressions.SYSTEM_ROLE), () -> {
systemManagement.getTenantMetadataWithoutDetails();
if (artifactSize > 0) {
createTestArtifact(random);
createDeletedTestArtifact(random);
}
if (targets > 0) {
final List<Target> createdTargets = createTestTargets(targets);
if (updates > 0) {
for (int x = 0; x < updates; x++) {
final DistributionSet ds = testdataFactory
.createDistributionSet("to be deployed" + x, true);
assignDistributionSet(ds, createdTargets);
SecurityContextSwitch.getAs(SecurityContextSwitch.withUserAndTenant("bumlux", tenantname, true, true, false, SpRole.SYSTEM_ROLE),
() -> {
systemManagement.getTenantMetadataWithoutDetails();
if (artifactSize > 0) {
createTestArtifact(random);
createDeletedTestArtifact(random);
}
}
}
if (targets > 0) {
final List<Target> createdTargets = createTestTargets(targets);
if (updates > 0) {
for (int x = 0; x < updates; x++) {
final DistributionSet ds = testdataFactory
.createDistributionSet("to be deployed" + x, true);
return null;
});
assignDistributionSet(ds, createdTargets);
}
}
}
return null;
});
}
return random;


@@ -17,6 +17,7 @@ import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.atomic.AtomicLong;
import org.eclipse.hawkbit.ContextAware;
import org.eclipse.hawkbit.im.authentication.Hierarchy;
import org.eclipse.hawkbit.repository.artifact.ArtifactFilesystemProperties;
import org.eclipse.hawkbit.repository.artifact.ArtifactFilesystemRepository;
import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
@@ -24,7 +25,6 @@ import org.eclipse.hawkbit.repository.artifact.urlhandler.ArtifactUrlHandlerProp
import org.eclipse.hawkbit.repository.artifact.urlhandler.PropertyBasedArtifactUrlHandler;
import org.eclipse.hawkbit.cache.TenantAwareCacheManager;
import org.eclipse.hawkbit.event.BusProtoStuffMessageConverter;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.repository.ArtifactManagement;
import org.eclipse.hawkbit.repository.ControllerManagement;
import org.eclipse.hawkbit.repository.DeploymentManagement;
@@ -140,7 +140,7 @@ public class TestConfiguration implements AsyncConfigurer {
@Bean
SystemSecurityContext systemSecurityContext(final TenantAware tenantAware) {
return new SystemSecurityContext(tenantAware, RoleHierarchyImpl.fromHierarchy(SpRole.DEFAULT_ROLE_HIERARCHY));
return new SystemSecurityContext(tenantAware, RoleHierarchyImpl.fromHierarchy(Hierarchy.DEFAULT));
}
@Bean


@@ -11,8 +11,8 @@ package org.eclipse.hawkbit.repository.test.util;
import static org.assertj.core.api.Assertions.assertThat;
import static org.eclipse.hawkbit.im.authentication.SpPermission.READ_TENANT_CONFIGURATION;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpRole.SYSTEM_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpringEvalExpressions.CONTROLLER_ROLE;
import java.io.File;
import java.io.IOException;
@@ -29,8 +29,6 @@ import lombok.extern.slf4j.Slf4j;
import org.apache.commons.io.FileUtils;
import org.awaitility.Awaitility;
import org.awaitility.core.ConditionFactory;
import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
import org.eclipse.hawkbit.repository.artifact.exception.ArtifactStoreException;
import org.eclipse.hawkbit.repository.ArtifactManagement;
import org.eclipse.hawkbit.repository.ConfirmationManagement;
import org.eclipse.hawkbit.repository.ControllerManagement;
@@ -53,6 +51,8 @@ import org.eclipse.hawkbit.repository.TargetManagement;
import org.eclipse.hawkbit.repository.TargetTagManagement;
import org.eclipse.hawkbit.repository.TargetTypeManagement;
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
import org.eclipse.hawkbit.repository.artifact.ArtifactRepository;
import org.eclipse.hawkbit.repository.artifact.exception.ArtifactStoreException;
import org.eclipse.hawkbit.repository.exception.EntityNotFoundException;
import org.eclipse.hawkbit.repository.model.Action;
import org.eclipse.hawkbit.repository.model.Action.ActionType;


@@ -10,7 +10,7 @@
package org.eclipse.hawkbit.repository.test.util;
import static org.assertj.core.api.Assertions.assertThat;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpRole.SYSTEM_ROLE;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.runAs;
import static org.eclipse.hawkbit.repository.test.util.SecurityContextSwitch.withUserAndTenant;


@@ -0,0 +1,19 @@
/**
* Copyright (c) 2025 Contributors to the Eclipse Foundation
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.im.authentication;
public class Hierarchy {
public static final String DEFAULT =
SpPermission.TARGET_HIERARCHY +
SpPermission.REPOSITORY_HIERARCHY +
SpPermission.TENANT_CONFIGURATION_HIERARCHY +
SpRole.DEFAULT_ROLE_HIERARCHY;
}
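Review bot: `Hierarchy` is a constants holder but is declared as a plain `public class`, so it gets an implicit public constructor and can be subclassed, unlike the sibling `SpPermission`, `SpRole` and the new `SpringEvalExpressions`, which are `final` (the latter with `@NoArgsConstructor(access = AccessLevel.PRIVATE)`). Declare it the same way: `@NoArgsConstructor(access = AccessLevel.PRIVATE)` / `public final class Hierarchy {`. It also carries no Javadoc; a class comment such as `Complete authority hierarchy (permission-to-permission and role-to-permission implications) in the format accepted by RoleHierarchyImpl.fromHierarchy; prefer DEFAULT over SpRole.DEFAULT_ROLE_HIERARCHY, which now covers roles only.` would tell readers which constant to wire into the role hierarchy.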


@@ -35,11 +35,22 @@ import org.springframework.security.core.GrantedAuthority;
@Slf4j
public final class SpPermission {
/**
* Permission to add new targets including their meta information.
*/
public static final String CREATE_TARGET = "CREATE_TARGET";
/**
* Permission to read the targets (list and filter).
*/
public static final String READ_TARGET = "READ_TARGET";
/**
* Permission to change/edit/update targets and to assign updates.
*/
public static final String UPDATE_TARGET = "UPDATE_TARGET";
/**
* Permission to delete targets.
*/
public static final String DELETE_TARGET = "DELETE_TARGET";
/**
* Permission to read the target security token. The security token is security
* concerned and should be protected. So the combination
@@ -48,36 +59,28 @@ public final class SpPermission {
*/
public static final String READ_TARGET_SEC_TOKEN = "READ_TARGET_SECURITY_TOKEN";
/**
* Permission to change/edit/update targets and to assign updates.
*/
public static final String UPDATE_TARGET = "UPDATE_TARGET";
public static final String CREATE_TARGET_TYPE = "CREATE_TARGET_TYPE";
public static final String READ_TARGET_TYPE = "READ_TARGET_TYPE";
public static final String UPDATE_TARGET_TYPE = "UPDATE_TARGET_TYPE";
public static final String DELETE_TARGET_TYPE = "DELETE_TARGET_TYPE";
/**
* Permission to add new targets including their meta information.
*/
public static final String CREATE_TARGET = "CREATE_TARGET";
/**
* Permission to delete targets.
*/
public static final String DELETE_TARGET = "DELETE_TARGET";
public static final String CREATE_DISTRIBUTION_SET = "CREATE_DISTRIBUTION_SET";
public static final String READ_DISTRIBUTION_SET = "READ_DISTRIBUTION_SET";
public static final String UPDATE_DISTRIBUTION_SET = "UPDATE_DISTRIBUTION_SET";
public static final String DELETE_DISTRIBUTION_SET = "DELETE_DISTRIBUTION_SET";
/**
* Permission to read distributions and artifacts.
*/
public static final String READ_REPOSITORY = "READ_REPOSITORY";
/**
* Permission to edit/update distributions and artifacts.
*/
public static final String UPDATE_REPOSITORY = "UPDATE_REPOSITORY";
/**
* Permission to add distributions and artifacts.
*/
public static final String CREATE_REPOSITORY = "CREATE_REPOSITORY";
/**
* Permission to delete distributions and artifacts.
*/
@@ -92,7 +95,6 @@ public final class SpPermission {
* Permission to read the tenant settings.
*/
public static final String READ_TENANT_CONFIGURATION = "READ_TENANT_CONFIGURATION";
/**
* Permission to read the gateway security token. The gateway security token is security
* concerned and should be protected. So in addition to {@linkplain #READ_TENANT_CONFIGURATION},
@@ -100,47 +102,57 @@ public final class SpPermission {
* implies both permissions - so it is sufficient to read the gateway security token.
*/
public static final String READ_GATEWAY_SEC_TOKEN = "READ_GATEWAY_SECURITY_TOKEN";
/**
* Permission to administrate the tenant settings.
*/
public static final String TENANT_CONFIGURATION = "TENANT_CONFIGURATION";
/**
* Permission to read a rollout.
*/
public static final String READ_ROLLOUT = "READ_ROLLOUT";
/**
* Permission to create a rollout.
*/
public static final String CREATE_ROLLOUT = "CREATE_ROLLOUT";
/**
* Permission to read a rollout.
*/
public static final String READ_ROLLOUT = "READ_ROLLOUT";
/**
* Permission to update a rollout.
*/
public static final String UPDATE_ROLLOUT = "UPDATE_ROLLOUT";
/**
* Permission to delete a rollout.
*/
public static final String DELETE_ROLLOUT = "DELETE_ROLLOUT";
/**
* Permission to approve or deny a rollout prior to starting.
*/
public static final String APPROVE_ROLLOUT = "APPROVE_ROLLOUT";
/**
* Permission to start/stop/resume a rollout.
*/
public static final String HANDLE_ROLLOUT = "HANDLE_ROLLOUT";
/**
* Permission to approve or deny a rollout prior to starting.
*/
public static final String APPROVE_ROLLOUT = "APPROVE_ROLLOUT";
/**
* Permission to administrate the system on a global, i.e. tenant independent scale. That includes the deletion of tenants.
*/
public static final String SYSTEM_ADMIN = "SYSTEM_ADMIN";
private static final String IMPLIES = " > ";
private static final String LINE_BREAK = "\n";
public static final String TARGET_HIERARCHY =
CREATE_TARGET + IMPLIES + CREATE_TARGET_TYPE + LINE_BREAK +
READ_TARGET + IMPLIES + READ_TARGET_TYPE + LINE_BREAK +
UPDATE_TARGET + IMPLIES + UPDATE_TARGET_TYPE + LINE_BREAK +
DELETE_TARGET + IMPLIES + DELETE_TARGET_TYPE + LINE_BREAK;
public static final String REPOSITORY_HIERARCHY =
CREATE_REPOSITORY + IMPLIES + CREATE_DISTRIBUTION_SET + LINE_BREAK +
READ_REPOSITORY + IMPLIES + READ_DISTRIBUTION_SET + LINE_BREAK +
UPDATE_REPOSITORY + IMPLIES + UPDATE_DISTRIBUTION_SET + LINE_BREAK +
DELETE_REPOSITORY + IMPLIES + DELETE_DISTRIBUTION_SET + LINE_BREAK;
public static final String TENANT_CONFIGURATION_HIERARCHY =
TENANT_CONFIGURATION + IMPLIES + READ_TENANT_CONFIGURATION + LINE_BREAK +
TENANT_CONFIGURATION + IMPLIES + READ_GATEWAY_SEC_TOKEN + LINE_BREAK;
/**
* Return all permission.
*
@@ -150,7 +162,8 @@ public final class SpPermission {
final List<String> allPermissions = new ArrayList<>();
final Field[] declaredFields = SpPermission.class.getDeclaredFields();
for (final Field field : declaredFields) {
if (Modifier.isPublic(field.getModifiers()) && Modifier.isStatic(field.getModifiers())) {
if (Modifier.isPublic(field.getModifiers()) && Modifier.isStatic(field.getModifiers()) && Modifier.isFinal(field.getModifiers()) &&
String.class.equals(field.getType())) {
try {
final String role = (String) field.get(null);
allPermissions.add(role);
@@ -161,82 +174,4 @@ public final class SpPermission {
}
return allPermissions;
}
/**
* <p>
* Contains all the spring security evaluation expressions for the {@link PreAuthorize} annotation for method security.
* </p>
* <p>
* Examples:
* {@code
* hasRole([role]) Returns true if the current principal has the specified role.
* hasAnyRole([role1,role2]) Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings)
* principal Allows direct access to the principal object representing the current user
* authentication Allows direct access to the current Authentication object obtained from the SecurityContext
* permitAll Always evaluates to true
* denyAll Always evaluates to false
* isAnonymous() Returns true if the current principal is an anonymous user
* isRememberMe() Returns true if the current principal is a remember-me user
* isAuthenticated() Returns true if the user is not anonymous
* isFullyAuthenticated() Returns true if the user is not an anonymous or a remember-me user
* }
* </p>
*/
@NoArgsConstructor(access = AccessLevel.PRIVATE)
public static final class SpringEvalExpressions {
public static final String BRACKET_OPEN = "(";
public static final String BRACKET_CLOSE = ")";
public static final String HAS_AUTH_PREFIX = "hasAuthority" + BRACKET_OPEN + "'";
public static final String HAS_AUTH_SUFFIX = "'" + BRACKET_CLOSE;
public static final String HAS_AUTH_AND = " and ";
public static final String HAS_AUTH_OR = " or ";
/**
* The role which contains the spring security context in case the system is executing code which is necessary to be privileged.
*/
public static final String SYSTEM_ROLE = "ROLE_SYSTEM_CODE";
/**
* The role which contains in the spring security context in case ancontroller is authenticated.
*/
public static final String CONTROLLER_ROLE = "ROLE_CONTROLLER";
/**
* The role which contained in the spring security context in case that a controller is authenticated, but only as 'anonymous'.
*/
public static final String CONTROLLER_ROLE_ANONYMOUS = "ROLE_CONTROLLER_ANONYMOUS";
public static final String IS_SYSTEM_CODE = HAS_AUTH_PREFIX + SYSTEM_ROLE + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_UPDATE_TARGET = HAS_AUTH_PREFIX + UPDATE_TARGET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_SYSTEM_ADMIN = HAS_AUTH_PREFIX + SYSTEM_ADMIN + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_TARGET = HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_CREATE_TARGET = HAS_AUTH_PREFIX + CREATE_TARGET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DELETE_TARGET = HAS_AUTH_PREFIX + DELETE_TARGET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX
+ READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + UPDATE_TARGET + HAS_AUTH_SUFFIX
+ BRACKET_CLOSE;
public static final String HAS_AUTH_CREATE_REPOSITORY = HAS_AUTH_PREFIX + CREATE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DELETE_REPOSITORY = HAS_AUTH_PREFIX + DELETE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_REPOSITORY = HAS_AUTH_PREFIX + READ_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_UPDATE_REPOSITORY = HAS_AUTH_PREFIX + UPDATE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX
+ READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX
+ BRACKET_CLOSE;
public static final String HAS_AUTH_DOWNLOAD_ARTIFACT = HAS_AUTH_PREFIX + DOWNLOAD_REPOSITORY_ARTIFACT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ = HAS_AUTH_PREFIX + READ_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ = BRACKET_OPEN + HAS_AUTH_PREFIX
+ READ_ROLLOUT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + READ_TARGET + HAS_AUTH_SUFFIX
+ BRACKET_CLOSE;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE = HAS_AUTH_PREFIX + CREATE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE = HAS_AUTH_PREFIX + HANDLE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_APPROVE = HAS_AUTH_PREFIX + APPROVE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_UPDATE = HAS_AUTH_PREFIX + UPDATE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_DELETE = HAS_AUTH_PREFIX + DELETE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_TENANT_CONFIGURATION_READ = HAS_AUTH_PREFIX + READ_TENANT_CONFIGURATION + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_TENANT_CONFIGURATION = HAS_AUTH_PREFIX + TENANT_CONFIGURATION + HAS_AUTH_SUFFIX;
public static final String IS_CONTROLLER = "hasAnyRole('" + CONTROLLER_ROLE_ANONYMOUS + "', '" + CONTROLLER_ROLE + "')";
public static final String IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = IS_CONTROLLER + HAS_AUTH_OR + HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET;
}
}
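Review bot: The new `TARGET_HIERARCHY`, `REPOSITORY_HIERARCHY` and `TENANT_CONFIGURATION_HIERARCHY` constants are `public static final String` fields, so the reflection filter tightened in `getAllAuthorities()` (`Modifier.isFinal(...) && String.class.equals(field.getType())`) still selects them and the method now returns three multi-line hierarchy definitions alongside the real permission names. If callers use `getAllAuthorities()` to grant or list "all permissions" (no caller is visible here), they receive bogus authorities such as `"CREATE_TARGET > CREATE_TARGET_TYPE\n..."`. Either move the three constants into the new `Hierarchy` class, which is what composes them into `Hierarchy.DEFAULT` anyway, or exclude them in the loop, e.g. `&& !field.getName().endsWith("_HIERARCHY")`. `SpPermissionTest`, which previously pinned the size of `getAllAuthorities()`, is deleted in this commit rather than updated, so this regression has no coverage; an assertion that no returned authority contains whitespace would catch it. The eight new `*_TARGET_TYPE` and `*_DISTRIBUTION_SET` constants also lack the Javadoc every neighbouring permission carries.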


@@ -9,8 +9,6 @@
*/
package org.eclipse.hawkbit.im.authentication;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import lombok.extern.slf4j.Slf4j;
@@ -27,6 +25,11 @@ public final class SpRole {
public static final String ROLLOUT_ADMIN = "ROLE_ROLLOUT_ADMIN";
public static final String TENANT_ADMIN = "ROLE_TENANT_ADMIN";
/**
* The role which contains the spring security context in case the system is executing code which is necessary to be privileged.
*/
public static final String SYSTEM_ROLE = "ROLE_SYSTEM_CODE";
private static final String IMPLIES = " > ";
private static final String LINE_BREAK = "\n";
public static final String TARGET_ADMIN_HIERARCHY =
@@ -48,9 +51,6 @@ public final class SpRole {
ROLLOUT_ADMIN + IMPLIES + SpPermission.DELETE_ROLLOUT + LINE_BREAK +
ROLLOUT_ADMIN + IMPLIES + SpPermission.HANDLE_ROLLOUT + LINE_BREAK +
ROLLOUT_ADMIN + IMPLIES + SpPermission.APPROVE_ROLLOUT + LINE_BREAK;
public static final String TENANT_CONFIGURATION_HIERARCHY =
SpPermission.TENANT_CONFIGURATION + IMPLIES + SpPermission.READ_TENANT_CONFIGURATION + LINE_BREAK +
SpPermission.TENANT_CONFIGURATION + IMPLIES + SpPermission.READ_GATEWAY_SEC_TOKEN + LINE_BREAK;
public static final String TENANT_ADMIN_HIERARCHY =
TENANT_ADMIN + IMPLIES + TARGET_ADMIN + LINE_BREAK +
TENANT_ADMIN + IMPLIES + REPOSITORY_ADMIN + LINE_BREAK +
@@ -64,7 +64,6 @@ public final class SpRole {
TARGET_ADMIN_HIERARCHY +
REPOSITORY_ADMIN_HIERARCHY +
ROLLOUT_ADMIN_HIERARCHY +
TENANT_CONFIGURATION_HIERARCHY +
TENANT_ADMIN_HIERARCHY +
SYSTEM_ROLE_HIERARCHY;
}
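Review bot: The role hierarchy constant in the last hunk (presumably `DEFAULT_ROLE_HIERARCHY`, whose declaration starts outside the hunk) silently changes meaning: with `TENANT_CONFIGURATION_HIERARCHY` removed from its composition, a `RoleHierarchy` built from `SpRole.DEFAULT_ROLE_HIERARCHY` alone no longer implies `READ_TENANT_CONFIGURATION` or `READ_GATEWAY_SEC_TOKEN` from `TENANT_CONFIGURATION`; the complete set now lives in `Hierarchy.DEFAULT`. The test configuration is switched over in this commit, but any other consumer of the constant (none visible here) loses those implications without a compile error — fail-closed, but a behaviour change worth documenting. Suggested Javadoc on the constant: `/** Role-to-permission implications only; permission-to-permission implications live in {@link SpPermission}. Use {@link Hierarchy#DEFAULT} for the full hierarchy. */`.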


@@ -0,0 +1,99 @@
/**
* Copyright (c) 2025 Contributors to the Eclipse Foundation
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.im.authentication;
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import org.springframework.security.access.prepost.PreAuthorize;
/**
* <p>
* Contains all the spring security evaluation expressions for the {@link PreAuthorize} annotation for method security.
* </p>
* <p>
* Examples:
* {@code
* hasRole([role]) Returns true if the current principal has the specified role.
* hasAnyRole([role1,role2]) Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings)
* principal Allows direct access to the principal object representing the current user
* authentication Allows direct access to the current Authentication object obtained from the SecurityContext
* permitAll Always evaluates to true
* denyAll Always evaluates to false
* isAnonymous() Returns true if the current principal is an anonymous user
* isRememberMe() Returns true if the current principal is a remember-me user
* isAuthenticated() Returns true if the user is not anonymous
* isFullyAuthenticated() Returns true if the user is not an anonymous or a remember-me user
* }
* </p>
*/
@NoArgsConstructor(access = AccessLevel.PRIVATE)
public final class SpringEvalExpressions {
public static final String BRACKET_OPEN = "(";
public static final String BRACKET_CLOSE = ")";
public static final String HAS_AUTH_PREFIX = "hasAuthority" + BRACKET_OPEN + "'";
public static final String HAS_AUTH_SUFFIX = "'" + BRACKET_CLOSE;
public static final String HAS_AUTH_AND = " and ";
public static final String HAS_AUTH_OR = " or ";
/**
* The role which contains in the spring security context in case ancontroller is authenticated.
*/
public static final String CONTROLLER_ROLE = "ROLE_CONTROLLER";
/**
* The role which contained in the spring security context in case that a controller is authenticated, but only as 'anonymous'.
*/
public static final String CONTROLLER_ROLE_ANONYMOUS = "ROLE_CONTROLLER_ANONYMOUS";
public static final String IS_SYSTEM_CODE = HAS_AUTH_PREFIX + SpRole.SYSTEM_ROLE + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_SYSTEM_ADMIN = HAS_AUTH_PREFIX + SpPermission.SYSTEM_ADMIN + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_CREATE_TARGET = HAS_AUTH_PREFIX + SpPermission.CREATE_TARGET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_UPDATE_TARGET = HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_TARGET = HAS_AUTH_PREFIX + SpPermission.READ_TARGET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DELETE_TARGET = HAS_AUTH_PREFIX + SpPermission.DELETE_TARGET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_CREATE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.CREATE_TARGET_TYPE + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_UPDATE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET_TYPE + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.READ_TARGET_TYPE + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DELETE_TARGET_TYPE = HAS_AUTH_PREFIX + SpPermission.DELETE_TARGET_TYPE + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_CREATE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.CREATE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_UPDATE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.UPDATE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.READ_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DELETE_DISTRIBUTION_SET = HAS_AUTH_PREFIX + SpPermission.DELETE_DISTRIBUTION_SET + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_CREATE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.CREATE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.READ_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_UPDATE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.UPDATE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DELETE_REPOSITORY = HAS_AUTH_PREFIX + SpPermission.DELETE_REPOSITORY + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_DOWNLOAD_ARTIFACT = HAS_AUTH_PREFIX + SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = BRACKET_OPEN + HAS_AUTH_PREFIX
+ SpPermission.READ_REPOSITORY + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + SpPermission.UPDATE_TARGET + HAS_AUTH_SUFFIX
+ BRACKET_CLOSE;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_CREATE = HAS_AUTH_PREFIX + SpPermission.CREATE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ = HAS_AUTH_PREFIX + SpPermission.READ_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_UPDATE = HAS_AUTH_PREFIX + SpPermission.UPDATE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_DELETE = HAS_AUTH_PREFIX + SpPermission.DELETE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_APPROVE = HAS_AUTH_PREFIX + SpPermission.APPROVE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_HANDLE = HAS_AUTH_PREFIX + SpPermission.HANDLE_ROLLOUT + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ = BRACKET_OPEN + HAS_AUTH_PREFIX
+ SpPermission.READ_ROLLOUT + HAS_AUTH_SUFFIX + HAS_AUTH_AND + HAS_AUTH_PREFIX + SpPermission.READ_TARGET + HAS_AUTH_SUFFIX
+ BRACKET_CLOSE;
public static final String HAS_AUTH_TENANT_CONFIGURATION_READ = HAS_AUTH_PREFIX + SpPermission.READ_TENANT_CONFIGURATION + HAS_AUTH_SUFFIX;
public static final String HAS_AUTH_TENANT_CONFIGURATION = HAS_AUTH_PREFIX + SpPermission.TENANT_CONFIGURATION + HAS_AUTH_SUFFIX;
public static final String IS_CONTROLLER = "hasAnyRole('" + CONTROLLER_ROLE_ANONYMOUS + "', '" + CONTROLLER_ROLE + "')";
public static final String IS_CONTROLLER_OR_HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET = IS_CONTROLLER + HAS_AUTH_OR + HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET;
}
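Review bot: The new `HAS_AUTH_*_TARGET_TYPE` and `HAS_AUTH_*_DISTRIBUTION_SET` expressions require the exact fine-grained authority (`hasAuthority('CREATE_TARGET_TYPE')`); a principal holding only the coarse `CREATE_TARGET` satisfies them only if a `RoleHierarchy` containing `SpPermission.TARGET_HIERARCHY` (i.e. `Hierarchy.DEFAULT`) is also registered with the method-security expression handler, which this file cannot guarantee. That coupling is worth stating in the class Javadoc: `Coarse-to-fine implications (e.g. CREATE_TARGET implies CREATE_TARGET_TYPE) are provided by the configured RoleHierarchy, see Hierarchy.DEFAULT; without it the exact authority is required.` Separately, `HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET` from the old nested class is not carried over — presumably unused, but a line in the commit description would confirm it. The Javadoc on `CONTROLLER_ROLE` was moved with its typo; suggest `The role contained in the spring security context in case a controller is authenticated.`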


@@ -19,7 +19,7 @@ import java.util.function.Function;
import java.util.function.Supplier;
import org.eclipse.hawkbit.ContextAware;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
import org.eclipse.hawkbit.tenancy.TenantAwareUser;
@@ -42,8 +42,7 @@ public class SecurityContextTenantAware implements ContextAware {
public static final String SYSTEM_USER = "system";
private static final Collection<? extends GrantedAuthority> SYSTEM_AUTHORITIES =
List.of(new SimpleGrantedAuthority(SpringEvalExpressions.SYSTEM_ROLE));
private static final Collection<? extends GrantedAuthority> SYSTEM_AUTHORITIES = List.of(new SimpleGrantedAuthority(SpRole.SYSTEM_ROLE));
private final UserAuthoritiesResolver authoritiesResolver;
private final SecurityContextSerializer securityContextSerializer;


@@ -18,8 +18,10 @@ import java.util.concurrent.Callable;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.im.authentication.SpRole;
import org.eclipse.hawkbit.im.authentication.SpringEvalExpressions;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -161,19 +163,25 @@ public class SystemSecurityContext {
/**
* An implementation of the Spring's {@link Authentication} object which is used within a system security code block and
* wraps the original authentication object. The wrapped object contains the necessary {@link SpringEvalExpressions#SYSTEM_ROLE}
* wraps the original authentication object. The wrapped object contains the necessary {@link SpRole#SYSTEM_ROLE}
* which is allowed to execute all secured methods.
*/
@Getter
public static final class SystemCodeAuthentication implements Authentication {
@Serial
private static final long serialVersionUID = 1L;
private static final List<SimpleGrantedAuthority> AUTHORITIES = List.of(new SimpleGrantedAuthority(SpringEvalExpressions.SYSTEM_ROLE));
private final Authentication oldAuthentication;
private static final List<SimpleGrantedAuthority> AUTHORITIES = List.of(new SimpleGrantedAuthority(SpRole.SYSTEM_ROLE));
private final Object credentials;
private final Object details;
private final Object principal;
private SystemCodeAuthentication(final Authentication oldAuthentication) {
this.oldAuthentication = oldAuthentication;
credentials = oldAuthentication != null ? oldAuthentication.getCredentials() : null;
details = oldAuthentication != null ? oldAuthentication.getDetails() : null;
principal = oldAuthentication != null ? oldAuthentication.getPrincipal() : null;
}
@Override
@@ -186,21 +194,6 @@ public class SystemSecurityContext {
return AUTHORITIES;
}
@Override
public Object getCredentials() {
return oldAuthentication != null ? oldAuthentication.getCredentials() : null;
}
@Override
public Object getDetails() {
return oldAuthentication != null ? oldAuthentication.getDetails() : null;
}
@Override
public Object getPrincipal() {
return oldAuthentication != null ? oldAuthentication.getPrincipal() : null;
}
@Override
public boolean isAuthenticated() {
return true;
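Review bot: `SystemCodeAuthentication` now snapshots `credentials`, `details` and `principal` in the constructor (`credentials = oldAuthentication != null ? oldAuthentication.getCredentials() : null`) instead of delegating to the wrapped authentication on every call as the removed getters did. For `credentials` this means the wrapper keeps its own reference to the original secret even after the wrapped token's `eraseCredentials()` has nulled it, and the snapshot can diverge from the wrapped object for as long as the wrapper lives; whether the wrapper is ever retained beyond the system-code block is not visible here. Since authorization inside the block is decided by the fixed `AUTHORITIES` list, consider not copying the secret at all (`credentials = null;`) or implementing `CredentialsContainer` so the field is cleared with the original. The `SystemCodeAuthentication` class continues outside the hunk.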


@@ -1,49 +0,0 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.im.authentication;
import static org.assertj.core.api.Assertions.assertThat;
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.util.ReflectionUtils;
/**
* Test {@link SpPermission}.
* <p/>
* Feature: Unit Tests - Security<br/>
* Story: Permission Test
*/
final class SpPermissionTest {
/**
* Try to double check if all permissions works as expected
*/
@Test
void shouldReturnAllPermissions() {
List<String> expected = new LinkedList<>();
ReflectionUtils.doWithFields(SpPermission.class, f -> {
if (ReflectionUtils.isPublicStaticFinal(f) && String.class.equals(f.getType())) {
try {
expected.add((String) f.get(null));
} catch (IllegalAccessException | IllegalArgumentException e) {
// skip
}
}
});
final Collection<String> allAuthorities = SpPermission.getAllAuthorities();
assertThat(allAuthorities)
.hasSize(20)
.containsAll(expected);
}
}