Code format hawkbit-http-security (#1935)

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2024-11-05 11:20:37 +02:00
committed by GitHub
parent 51ac49db64
commit ea56402aaa
8 changed files with 135 additions and 158 deletions

View File

@@ -9,7 +9,8 @@
SPDX-License-Identifier: EPL-2.0 SPDX-License-Identifier: EPL-2.0
--> -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<parent> <parent>
<artifactId>hawkbit-parent</artifactId> <artifactId>hawkbit-parent</artifactId>

View File

@@ -40,9 +40,11 @@ import org.springframework.util.AntPathMatcher;
*/ */
public abstract class AbstractHttpControllerAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter { public abstract class AbstractHttpControllerAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
protected TenantConfigurationManagement tenantConfigurationManagement;
protected TenantAware tenantAware;
protected SystemSecurityContext systemSecurityContext;
private static final String TENANT_PLACE_HOLDER = "tenant"; private static final String TENANT_PLACE_HOLDER = "tenant";
private static final String CONTROLLER_ID_PLACE_HOLDER = "controllerId"; private static final String CONTROLLER_ID_PLACE_HOLDER = "controllerId";
/** /**
* requestURIPathPattern the request URI path pattern in ANT style * requestURIPathPattern the request URI path pattern in ANT style
* containing the placeholder key for retrieving the principal from the URI * containing the placeholder key for retrieving the principal from the URI
@@ -50,13 +52,8 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
*/ */
private static final String CONTROLLER_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER + "}/controller/v1" + "/{" private static final String CONTROLLER_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER + "}/controller/v1" + "/{"
+ CONTROLLER_ID_PLACE_HOLDER + "}/**"; + CONTROLLER_ID_PLACE_HOLDER + "}/**";
private static final String CONTROLLER_DL_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER private static final String CONTROLLER_DL_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER
+ "}/controller/artifacts/v1/**"; + "}/controller/artifacts/v1/**";
protected TenantConfigurationManagement tenantConfigurationManagement;
protected TenantAware tenantAware;
protected SystemSecurityContext systemSecurityContext;
private final AntPathMatcher pathExtractor; private final AntPathMatcher pathExtractor;
private PreAuthenticationFilter abstractControllerAuthenticationFilter; private PreAuthenticationFilter abstractControllerAuthenticationFilter;
@@ -106,8 +103,6 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
} }
} }
protected abstract PreAuthenticationFilter createControllerAuthenticationFilter();
@Override @Override
protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response, protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response,
final Authentication authResult) throws IOException, ServletException { final Authentication authResult) throws IOException, ServletException {
@@ -120,6 +115,26 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
super.successfulAuthentication(request, response, authTokenWithGrantedAuthorities); super.successfulAuthentication(request, response, authTokenWithGrantedAuthorities);
} }
@Override
protected Object getPreAuthenticatedPrincipal(final HttpServletRequest request) {
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
if (securityToken == null) {
return null;
}
return abstractControllerAuthenticationFilter.getPreAuthenticatedPrincipal(securityToken);
}
@Override
protected Object getPreAuthenticatedCredentials(final HttpServletRequest request) {
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
if (securityToken == null) {
return null;
}
return abstractControllerAuthenticationFilter.getPreAuthenticatedCredentials(securityToken);
}
protected abstract PreAuthenticationFilter createControllerAuthenticationFilter();
protected abstract Logger log(); protected abstract Logger log();
/** /**
@@ -165,22 +180,4 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
return securityToken; return securityToken;
} }
@Override
protected Object getPreAuthenticatedPrincipal(final HttpServletRequest request) {
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
if (securityToken == null) {
return null;
}
return abstractControllerAuthenticationFilter.getPreAuthenticatedPrincipal(securityToken);
}
@Override
protected Object getPreAuthenticatedCredentials(final HttpServletRequest request) {
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
if (securityToken == null) {
return null;
}
return abstractControllerAuthenticationFilter.getPreAuthenticatedCredentials(securityToken);
}
} }

View File

@@ -20,6 +20,8 @@ import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse; import jakarta.servlet.http.HttpServletResponse;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.eclipse.hawkbit.util.IpUtil; import org.eclipse.hawkbit.util.IpUtil;
import org.slf4j.Logger; import org.slf4j.Logger;
@@ -29,9 +31,6 @@ import org.springframework.http.HttpStatus;
import org.springframework.util.AntPathMatcher; import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.filter.OncePerRequestFilter;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
/** /**
* Filter for protection against denial of service attacks. It reduces the * Filter for protection against denial of service attacks. It reduces the
* maximum number of request per seconds which can be separately configured for * maximum number of request per seconds which can be separately configured for
@@ -66,22 +65,15 @@ public class DosFilter extends OncePerRequestFilter {
/** /**
* Filter constructor including configuration. * Filter constructor including configuration.
* *
* @param includeAntPaths * @param includeAntPaths paths where filter should hit
* paths where filter should hit * @param maxRead Maximum number of allowed REST read/GET requests per second
*
* @param maxRead
* Maximum number of allowed REST read/GET requests per second
* per client * per client
* @param maxWrite * @param maxWrite Maximum number of allowed REST write/(PUT/POST/etc.) requests
* Maximum number of allowed REST write/(PUT/POST/etc.) requests
* per second per client * per second per client
* @param ipDosWhiteListPattern * @param ipDosWhiteListPattern {@link Pattern} with with white list of peer IP addresses for
* {@link Pattern} with with white list of peer IP addresses for
* DOS filter * DOS filter
* @param ipBlackListPattern * @param ipBlackListPattern {@link Pattern} with black listed IP addresses
* {@link Pattern} with black listed IP addresses * @param forwardHeader the header containing the forwarded IP address e.g.
* @param forwardHeader
* the header containing the forwarded IP address e.g.
* {@code x-forwarded-for} * {@code x-forwarded-for}
*/ */
public DosFilter(final Collection<String> includeAntPaths, final int maxRead, final int maxWrite, public DosFilter(final Collection<String> includeAntPaths, final int maxRead, final int maxWrite,
@@ -104,15 +96,6 @@ public class DosFilter extends OncePerRequestFilter {
} }
} }
private boolean shouldInclude(final HttpServletRequest request) {
if (includeAntPaths == null || includeAntPaths.isEmpty()) {
return true;
}
return includeAntPaths.stream()
.anyMatch(pattern -> antMatcher.match(request.getContextPath() + pattern, request.getRequestURI()));
}
@Override @Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
final FilterChain filterChain) throws ServletException, IOException { final FilterChain filterChain) throws ServletException, IOException {
@@ -148,6 +131,25 @@ public class DosFilter extends OncePerRequestFilter {
} }
} }
private static boolean checkIpFails(final String ip) {
return ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip);
}
private static boolean handleMissingIpAddress(final HttpServletResponse response) {
log.error("Failed to get peer IP address");
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
return false;
}
private boolean shouldInclude(final HttpServletRequest request) {
if (includeAntPaths == null || includeAntPaths.isEmpty()) {
return true;
}
return includeAntPaths.stream()
.anyMatch(pattern -> antMatcher.match(request.getContextPath() + pattern, request.getRequestURI()));
}
/** /**
* @return false if the given ip address is on the blacklist and further * @return false if the given ip address is on the blacklist and further
* processing of the request if forbidden * processing of the request if forbidden
@@ -161,16 +163,6 @@ public class DosFilter extends OncePerRequestFilter {
return true; return true;
} }
private static boolean checkIpFails(final String ip) {
return ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip);
}
private static boolean handleMissingIpAddress(final HttpServletResponse response) {
log.error("Failed to get peer IP address");
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
return false;
}
private boolean handleWriteRequest(final HttpServletResponse response, final String ip) { private boolean handleWriteRequest(final HttpServletResponse response, final String ip) {
boolean processChain = true; boolean processChain = true;
final AtomicInteger count = writeCountCache.getIfPresent(ip); final AtomicInteger count = writeCountCache.getIfPresent(ip);

View File

@@ -36,17 +36,13 @@ public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHt
/** /**
* Constructor. * Constructor.
* *
* @param tenantConfigurationManagement * @param tenantConfigurationManagement the system management service to retrieve configuration
* the system management service to retrieve configuration
* properties * properties
* @param tenantAware * @param tenantAware the tenant aware service to get configuration for the specific
* the tenant aware service to get configuration for the specific
* tenant * tenant
* @param controllerManagement * @param controllerManagement the controller management to retrieve the specific target
* the controller management to retrieve the specific target
* security token to verify * security token to verify
* @param systemSecurityContext * @param systemSecurityContext the system security context
* the system security context
*/ */
public HttpControllerPreAuthenticateSecurityTokenFilter( public HttpControllerPreAuthenticateSecurityTokenFilter(
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware, final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,

View File

@@ -28,14 +28,11 @@ public class HttpControllerPreAuthenticatedGatewaySecurityTokenFilter
/** /**
* Constructor. * Constructor.
* *
* @param tenantConfigurationManagement * @param tenantConfigurationManagement the system management service to retrieve configuration
* the system management service to retrieve configuration
* properties * properties
* @param tenantAware * @param tenantAware the tenant aware service to get configuration for the specific
* the tenant aware service to get configuration for the specific
* tenant * tenant
* @param systemSecurityContext * @param systemSecurityContext the system security context
* the system security context
*/ */
public HttpControllerPreAuthenticatedGatewaySecurityTokenFilter( public HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware, final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,

View File

@@ -31,20 +31,15 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract
* does not match the current request then only the existence of the * does not match the current request then only the existence of the
* configured header field is checked. * configured header field is checked.
* *
* @param caCommonNameHeader * @param caCommonNameHeader the http-header which holds the common-name of the certificate
* the http-header which holds the common-name of the certificate * @param caAuthorityNameHeader the http-header which holds the ca-authority name of the
* @param caAuthorityNameHeader
* the http-header which holds the ca-authority name of the
* certificate * certificate
* @param tenantConfigurationManagement * @param tenantConfigurationManagement the tenant configuration management service to retrieve
* the tenant configuration management service to retrieve
* configuration properties to check if the header authentication * configuration properties to check if the header authentication
* is enabled for this tenant * is enabled for this tenant
* @param tenantAware * @param tenantAware the tenant aware service to get configuration for the specific
* the tenant aware service to get configuration for the specific
* tenant * tenant
* @param systemSecurityContext * @param systemSecurityContext the system security context
* the system security context
*/ */
public HttpControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader, public HttpControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader,
final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement, final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,

View File

@@ -15,6 +15,9 @@ import static org.mockito.Mockito.when;
import java.util.Collections; import java.util.Collections;
import io.qameta.allure.Description;
import io.qameta.allure.Feature;
import io.qameta.allure.Story;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock; import org.mockito.Mock;
@@ -24,10 +27,6 @@ import org.springframework.security.authentication.InsufficientAuthenticationExc
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import io.qameta.allure.Description;
import io.qameta.allure.Feature;
import io.qameta.allure.Story;
@Feature("Unit Tests - Security") @Feature("Unit Tests - Security")
@Story("PreAuthToken Source TrustAuthentication Provider Test") @Story("PreAuthToken Source TrustAuthentication Provider Test")
@ExtendWith(MockitoExtension.class) @ExtendWith(MockitoExtension.class)