Code format hawkbit-http-security (#1935)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
@@ -9,7 +9,8 @@
|
||||
SPDX-License-Identifier: EPL-2.0
|
||||
|
||||
-->
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<parent>
|
||||
<artifactId>hawkbit-parent</artifactId>
|
||||
|
||||
@@ -40,9 +40,11 @@ import org.springframework.util.AntPathMatcher;
|
||||
*/
|
||||
public abstract class AbstractHttpControllerAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
|
||||
|
||||
protected TenantConfigurationManagement tenantConfigurationManagement;
|
||||
protected TenantAware tenantAware;
|
||||
protected SystemSecurityContext systemSecurityContext;
|
||||
private static final String TENANT_PLACE_HOLDER = "tenant";
|
||||
private static final String CONTROLLER_ID_PLACE_HOLDER = "controllerId";
|
||||
|
||||
/**
|
||||
* requestURIPathPattern the request URI path pattern in ANT style
|
||||
* containing the placeholder key for retrieving the principal from the URI
|
||||
@@ -50,13 +52,8 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
||||
*/
|
||||
private static final String CONTROLLER_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER + "}/controller/v1" + "/{"
|
||||
+ CONTROLLER_ID_PLACE_HOLDER + "}/**";
|
||||
|
||||
private static final String CONTROLLER_DL_REQUEST_ANT_PATTERN = "/{" + TENANT_PLACE_HOLDER
|
||||
+ "}/controller/artifacts/v1/**";
|
||||
protected TenantConfigurationManagement tenantConfigurationManagement;
|
||||
protected TenantAware tenantAware;
|
||||
protected SystemSecurityContext systemSecurityContext;
|
||||
|
||||
private final AntPathMatcher pathExtractor;
|
||||
|
||||
private PreAuthenticationFilter abstractControllerAuthenticationFilter;
|
||||
@@ -106,8 +103,6 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
||||
}
|
||||
}
|
||||
|
||||
protected abstract PreAuthenticationFilter createControllerAuthenticationFilter();
|
||||
|
||||
@Override
|
||||
protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response,
|
||||
final Authentication authResult) throws IOException, ServletException {
|
||||
@@ -120,6 +115,26 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
||||
super.successfulAuthentication(request, response, authTokenWithGrantedAuthorities);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Object getPreAuthenticatedPrincipal(final HttpServletRequest request) {
|
||||
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
|
||||
if (securityToken == null) {
|
||||
return null;
|
||||
}
|
||||
return abstractControllerAuthenticationFilter.getPreAuthenticatedPrincipal(securityToken);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Object getPreAuthenticatedCredentials(final HttpServletRequest request) {
|
||||
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
|
||||
if (securityToken == null) {
|
||||
return null;
|
||||
}
|
||||
return abstractControllerAuthenticationFilter.getPreAuthenticatedCredentials(securityToken);
|
||||
}
|
||||
|
||||
protected abstract PreAuthenticationFilter createControllerAuthenticationFilter();
|
||||
|
||||
protected abstract Logger log();
|
||||
|
||||
/**
|
||||
@@ -165,22 +180,4 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
|
||||
return securityToken;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Object getPreAuthenticatedPrincipal(final HttpServletRequest request) {
|
||||
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
|
||||
if (securityToken == null) {
|
||||
return null;
|
||||
}
|
||||
return abstractControllerAuthenticationFilter.getPreAuthenticatedPrincipal(securityToken);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Object getPreAuthenticatedCredentials(final HttpServletRequest request) {
|
||||
final DmfTenantSecurityToken securityToken = createTenantSecurityTokenVariables(request);
|
||||
if (securityToken == null) {
|
||||
return null;
|
||||
}
|
||||
return abstractControllerAuthenticationFilter.getPreAuthenticatedCredentials(securityToken);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -20,6 +20,8 @@ import jakarta.servlet.ServletException;
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
|
||||
import com.github.benmanes.caffeine.cache.Cache;
|
||||
import com.github.benmanes.caffeine.cache.Caffeine;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.util.IpUtil;
|
||||
import org.slf4j.Logger;
|
||||
@@ -29,9 +31,6 @@ import org.springframework.http.HttpStatus;
|
||||
import org.springframework.util.AntPathMatcher;
|
||||
import org.springframework.web.filter.OncePerRequestFilter;
|
||||
|
||||
import com.github.benmanes.caffeine.cache.Cache;
|
||||
import com.github.benmanes.caffeine.cache.Caffeine;
|
||||
|
||||
/**
|
||||
* Filter for protection against denial of service attacks. It reduces the
|
||||
* maximum number of request per seconds which can be separately configured for
|
||||
@@ -66,22 +65,15 @@ public class DosFilter extends OncePerRequestFilter {
|
||||
/**
|
||||
* Filter constructor including configuration.
|
||||
*
|
||||
* @param includeAntPaths
|
||||
* paths where filter should hit
|
||||
*
|
||||
* @param maxRead
|
||||
* Maximum number of allowed REST read/GET requests per second
|
||||
* @param includeAntPaths paths where filter should hit
|
||||
* @param maxRead Maximum number of allowed REST read/GET requests per second
|
||||
* per client
|
||||
* @param maxWrite
|
||||
* Maximum number of allowed REST write/(PUT/POST/etc.) requests
|
||||
* @param maxWrite Maximum number of allowed REST write/(PUT/POST/etc.) requests
|
||||
* per second per client
|
||||
* @param ipDosWhiteListPattern
|
||||
* {@link Pattern} with with white list of peer IP addresses for
|
||||
* @param ipDosWhiteListPattern {@link Pattern} with with white list of peer IP addresses for
|
||||
* DOS filter
|
||||
* @param ipBlackListPattern
|
||||
* {@link Pattern} with black listed IP addresses
|
||||
* @param forwardHeader
|
||||
* the header containing the forwarded IP address e.g.
|
||||
* @param ipBlackListPattern {@link Pattern} with black listed IP addresses
|
||||
* @param forwardHeader the header containing the forwarded IP address e.g.
|
||||
* {@code x-forwarded-for}
|
||||
*/
|
||||
public DosFilter(final Collection<String> includeAntPaths, final int maxRead, final int maxWrite,
|
||||
@@ -104,15 +96,6 @@ public class DosFilter extends OncePerRequestFilter {
|
||||
}
|
||||
}
|
||||
|
||||
private boolean shouldInclude(final HttpServletRequest request) {
|
||||
if (includeAntPaths == null || includeAntPaths.isEmpty()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return includeAntPaths.stream()
|
||||
.anyMatch(pattern -> antMatcher.match(request.getContextPath() + pattern, request.getRequestURI()));
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
|
||||
final FilterChain filterChain) throws ServletException, IOException {
|
||||
@@ -148,6 +131,25 @@ public class DosFilter extends OncePerRequestFilter {
|
||||
}
|
||||
}
|
||||
|
||||
private static boolean checkIpFails(final String ip) {
|
||||
return ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip);
|
||||
}
|
||||
|
||||
private static boolean handleMissingIpAddress(final HttpServletResponse response) {
|
||||
log.error("Failed to get peer IP address");
|
||||
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean shouldInclude(final HttpServletRequest request) {
|
||||
if (includeAntPaths == null || includeAntPaths.isEmpty()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return includeAntPaths.stream()
|
||||
.anyMatch(pattern -> antMatcher.match(request.getContextPath() + pattern, request.getRequestURI()));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return false if the given ip address is on the blacklist and further
|
||||
* processing of the request if forbidden
|
||||
@@ -161,16 +163,6 @@ public class DosFilter extends OncePerRequestFilter {
|
||||
return true;
|
||||
}
|
||||
|
||||
private static boolean checkIpFails(final String ip) {
|
||||
return ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip);
|
||||
}
|
||||
|
||||
private static boolean handleMissingIpAddress(final HttpServletResponse response) {
|
||||
log.error("Failed to get peer IP address");
|
||||
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean handleWriteRequest(final HttpServletResponse response, final String ip) {
|
||||
boolean processChain = true;
|
||||
final AtomicInteger count = writeCountCache.getIfPresent(ip);
|
||||
|
||||
@@ -36,17 +36,13 @@ public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHt
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param tenantConfigurationManagement
|
||||
* the system management service to retrieve configuration
|
||||
* @param tenantConfigurationManagement the system management service to retrieve configuration
|
||||
* properties
|
||||
* @param tenantAware
|
||||
* the tenant aware service to get configuration for the specific
|
||||
* @param tenantAware the tenant aware service to get configuration for the specific
|
||||
* tenant
|
||||
* @param controllerManagement
|
||||
* the controller management to retrieve the specific target
|
||||
* @param controllerManagement the controller management to retrieve the specific target
|
||||
* security token to verify
|
||||
* @param systemSecurityContext
|
||||
* the system security context
|
||||
* @param systemSecurityContext the system security context
|
||||
*/
|
||||
public HttpControllerPreAuthenticateSecurityTokenFilter(
|
||||
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
|
||||
|
||||
@@ -28,14 +28,11 @@ public class HttpControllerPreAuthenticatedGatewaySecurityTokenFilter
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param tenantConfigurationManagement
|
||||
* the system management service to retrieve configuration
|
||||
* @param tenantConfigurationManagement the system management service to retrieve configuration
|
||||
* properties
|
||||
* @param tenantAware
|
||||
* the tenant aware service to get configuration for the specific
|
||||
* @param tenantAware the tenant aware service to get configuration for the specific
|
||||
* tenant
|
||||
* @param systemSecurityContext
|
||||
* the system security context
|
||||
* @param systemSecurityContext the system security context
|
||||
*/
|
||||
public HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
|
||||
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
|
||||
|
||||
@@ -31,20 +31,15 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract
|
||||
* does not match the current request then only the existence of the
|
||||
* configured header field is checked.
|
||||
*
|
||||
* @param caCommonNameHeader
|
||||
* the http-header which holds the common-name of the certificate
|
||||
* @param caAuthorityNameHeader
|
||||
* the http-header which holds the ca-authority name of the
|
||||
* @param caCommonNameHeader the http-header which holds the common-name of the certificate
|
||||
* @param caAuthorityNameHeader the http-header which holds the ca-authority name of the
|
||||
* certificate
|
||||
* @param tenantConfigurationManagement
|
||||
* the tenant configuration management service to retrieve
|
||||
* @param tenantConfigurationManagement the tenant configuration management service to retrieve
|
||||
* configuration properties to check if the header authentication
|
||||
* is enabled for this tenant
|
||||
* @param tenantAware
|
||||
* the tenant aware service to get configuration for the specific
|
||||
* @param tenantAware the tenant aware service to get configuration for the specific
|
||||
* tenant
|
||||
* @param systemSecurityContext
|
||||
* the system security context
|
||||
* @param systemSecurityContext the system security context
|
||||
*/
|
||||
public HttpControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader,
|
||||
final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,
|
||||
|
||||
@@ -15,6 +15,9 @@ import static org.mockito.Mockito.when;
|
||||
|
||||
import java.util.Collections;
|
||||
|
||||
import io.qameta.allure.Description;
|
||||
import io.qameta.allure.Feature;
|
||||
import io.qameta.allure.Story;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
import org.mockito.Mock;
|
||||
@@ -24,10 +27,6 @@ import org.springframework.security.authentication.InsufficientAuthenticationExc
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
|
||||
|
||||
import io.qameta.allure.Description;
|
||||
import io.qameta.allure.Feature;
|
||||
import io.qameta.allure.Story;
|
||||
|
||||
@Feature("Unit Tests - Security")
|
||||
@Story("PreAuthToken Source TrustAuthentication Provider Test")
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
|
||||
Reference in New Issue
Block a user