Refactor hawkbit core and security (#2833)
* Refactor hawkbit core and security * improve access to the base core features - static * thus easier access * and less boilerplate passing of instances Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com> * Refactor context classes * make JSON context serialization default * AccessContext * Split hawkbit-security-core to other modules and remove it --------- Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
@@ -10,6 +10,7 @@
|
||||
package org.eclipse.hawkbit.security.controller;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
@@ -21,14 +22,13 @@ import jakarta.servlet.http.HttpServletResponse;
|
||||
|
||||
import lombok.AccessLevel;
|
||||
import lombok.NoArgsConstructor;
|
||||
import org.eclipse.hawkbit.security.DdiSecurityProperties;
|
||||
import org.eclipse.hawkbit.util.UrlUtils;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.util.AntPathMatcher;
|
||||
import org.springframework.web.filter.OncePerRequestFilter;
|
||||
import org.springframework.web.util.UriUtils;
|
||||
|
||||
/**
|
||||
* An abstraction for all controller based security to parse the e.g. the tenant name from the URL and the controller ID from the URL to do
|
||||
@@ -119,8 +119,9 @@ public class AuthenticationFilters {
|
||||
authenticator.log().debug("retrieving principal from URI request {}", requestURI);
|
||||
final Map<String, String> extractUriTemplateVariables = pathExtractor
|
||||
.extractUriTemplateVariables(request.getContextPath() + CONTROLLER_REQUEST_ANT_PATTERN, requestURI);
|
||||
final String controllerId = UrlUtils.decodeUriValue(extractUriTemplateVariables.get(CONTROLLER_ID_PLACE_HOLDER));
|
||||
final String tenant = UrlUtils.decodeUriValue(extractUriTemplateVariables.get(TENANT_PLACE_HOLDER));
|
||||
final String controllerId = UriUtils.decode(extractUriTemplateVariables.get(CONTROLLER_ID_PLACE_HOLDER),
|
||||
StandardCharsets.UTF_8);
|
||||
final String tenant = UriUtils.decode(extractUriTemplateVariables.get(TENANT_PLACE_HOLDER), StandardCharsets.UTF_8);
|
||||
authenticator.log().trace("Parsed tenant {} and controllerId {} from path request {}", tenant, controllerId, requestURI);
|
||||
return createTenantSecurityTokenVariables(request, tenant, controllerId);
|
||||
} else {
|
||||
@@ -147,8 +148,8 @@ public class AuthenticationFilters {
|
||||
// source ip matches the given pattern -> authenticated
|
||||
return true;
|
||||
} else {
|
||||
authenticator.log().debug(
|
||||
"The remote source IP address {} is not in the list of trusted IP addresses {}", remoteAddress, authorizedSourceIps);
|
||||
authenticator.log().debug("The remote source IP address {} is not in the list of trusted IP addresses {}",
|
||||
remoteAddress, authorizedSourceIps);
|
||||
return false;
|
||||
}
|
||||
}
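Review bot: The switch to `UriUtils.decode(..., StandardCharsets.UTF_8)` for the controller ID and tenant path variables (hunk `@@ -119,8 +119,9 @@`) changes the failure mode on malformed percent-encoding: Spring's `UriUtils.decode` throws `IllegalArgumentException` on an invalid escape sequence, and what the removed `UrlUtils.decodeUriValue` did in that case is not visible here. Inside a `OncePerRequestFilter` an uncaught exception at this point most likely surfaces as a server error rather than as an unauthenticated request, so either catch it and fall through to the empty-token path, or confirm the old helper behaved the same and add a comment saying so. If the Ant-pattern match can ever leave one placeholder absent, the `null` from `extractUriTemplateVariables.get(...)` would also reach `decode`; a null guard, or a comment stating that a match guarantees both placeholders, would settle it. The enclosing method starts and ends outside the hunk.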
|
||||
|
||||
@@ -9,16 +9,15 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.security.controller;
|
||||
|
||||
import static org.eclipse.hawkbit.context.AccessContext.asSystemAsTenant;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
import lombok.EqualsAndHashCode;
|
||||
import org.eclipse.hawkbit.im.authentication.SpRole;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.eclipse.hawkbit.auth.SpRole;
|
||||
import org.eclipse.hawkbit.repository.helper.TenantConfigHelper;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
|
||||
import org.slf4j.Logger;
|
||||
import org.springframework.security.authentication.AbstractAuthenticationToken;
|
||||
@@ -32,10 +31,10 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
public interface Authenticator {
|
||||
|
||||
/**
|
||||
* If the authentication mechanism is not enabled for the tenant - it just returns null.
|
||||
* If the authentication mechanism is supported, the filter extracts from the security token the related credentials,
|
||||
* If the auth mechanism is not enabled for the tenant - it just returns null.
|
||||
* If the auth mechanism is supported, the filter extracts from the security token the related credentials,
|
||||
* validate them (do authenticate the caller).
|
||||
* If validation / authentication is successful returns an authenticated authentication object. Otherwise,
|
||||
* If validation / auth is successful returns an authenticated auth object. Otherwise,
|
||||
* throws BadCredentialsException.
|
||||
*
|
||||
* @param controllerSecurityToken the securityToken
|
||||
@@ -47,23 +46,10 @@ public interface Authenticator {
|
||||
|
||||
abstract class AbstractAuthenticator implements Authenticator {
|
||||
|
||||
protected final TenantConfigurationManagement tenantConfigurationManagement;
|
||||
protected final TenantAware tenantAware;
|
||||
protected final SystemSecurityContext systemSecurityContext;
|
||||
private final Callable<Boolean> isEnabledGetter;
|
||||
|
||||
protected AbstractAuthenticator(
|
||||
final TenantConfigurationManagement tenantConfigurationManagement,
|
||||
final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
|
||||
this.tenantConfigurationManagement = tenantConfigurationManagement;
|
||||
this.tenantAware = tenantAware;
|
||||
this.systemSecurityContext = systemSecurityContext;
|
||||
isEnabledGetter = () -> systemSecurityContext.runAsSystem(
|
||||
() -> tenantConfigurationManagement.getConfigurationValue(getTenantConfigurationKey(), Boolean.class).getValue());
|
||||
}
|
||||
|
||||
protected boolean isEnabled(final ControllerSecurityToken securityToken) {
|
||||
return tenantAware.runAsTenant(securityToken.getTenant(), isEnabledGetter);
|
||||
return asSystemAsTenant(
|
||||
securityToken.getTenant(),
|
||||
() -> TenantConfigHelper.getAsSystem(getTenantConfigurationKey(), Boolean.class));
|
||||
}
|
||||
|
||||
protected abstract String getTenantConfigurationKey();
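Review bot: `isEnabled` on the new side of hunk `@@ -47,23 +46,10 @@` returns the `Boolean` from `TenantConfigHelper.getAsSystem(getTenantConfigurationKey(), Boolean.class)` through a primitive `boolean`, so an absent or null configuration value would surface as a `NullPointerException` from the filter instead of as "disabled". A fail-closed form, `return Boolean.TRUE.equals(asSystemAsTenant(securityToken.getTenant(), () -> TenantConfigHelper.getAsSystem(getTenantConfigurationKey(), Boolean.class)));`, keeps the mechanism off when its flag is missing. Whether `getAsSystem` can return null is not visible here; if it always substitutes a default, a one-line comment on `isEnabled` stating that would be enough. The outer `asSystemAsTenant` and the inner `getAsSystem` also read as two system-context elevations; if both are required, a comment explaining why would help the next reader.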
|
||||
|
||||
@@ -0,0 +1,108 @@
|
||||
/**
|
||||
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
|
||||
*
|
||||
* This program and the accompanying materials are made
|
||||
* available under the terms of the Eclipse Public License 2.0
|
||||
* which is available at https://www.eclipse.org/legal/epl-2.0/
|
||||
*
|
||||
* SPDX-License-Identifier: EPL-2.0
|
||||
*/
|
||||
package org.eclipse.hawkbit.security.controller;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import lombok.Data;
|
||||
import lombok.EqualsAndHashCode;
|
||||
import lombok.Getter;
|
||||
import lombok.ToString;
|
||||
import org.springframework.boot.context.properties.ConfigurationProperties;
|
||||
|
||||
/**
|
||||
* The common properties for DDI security.
|
||||
*/
|
||||
@Getter
|
||||
@EqualsAndHashCode
|
||||
@ToString
|
||||
@ConfigurationProperties("hawkbit.server.ddi.security")
|
||||
public class DdiSecurityProperties {
|
||||
|
||||
private final Rp rp = new Rp();
|
||||
private final Authentication authentication = new Authentication();
|
||||
|
||||
public Authentication getAuthentication() {
|
||||
return authentication;
|
||||
}
|
||||
|
||||
public Rp getRp() {
|
||||
return rp;
|
||||
}
|
||||
|
||||
/**
|
||||
* Reverse proxy configuration. Defines the security properties for
|
||||
* authenticating controllers behind a reverse proxy which terminates the
|
||||
* SSL session at the reverse proxy but adding request header which contains
|
||||
* the CN of the certificate.
|
||||
*/
|
||||
@Data
|
||||
public static class Rp {
|
||||
|
||||
/**
|
||||
* HTTP header field for common name of a DDI target client certificate.
|
||||
*/
|
||||
private String cnHeader = "X-Ssl-Client-Cn";
|
||||
/**
|
||||
* HTTP header field for issuer hash of a DDI target client certificate.
|
||||
*/
|
||||
private String sslIssuerHashHeader = "X-Ssl-Issuer-Hash-%d";
|
||||
/**
|
||||
* List of trusted (reverse proxy) IP addresses for performing DDI
|
||||
* client certificate auth.
|
||||
*/
|
||||
private List<String> trustedIPs;
|
||||
}
|
||||
|
||||
/**
|
||||
* DDI Authentication options.
|
||||
*/
|
||||
@Data
|
||||
public static class Authentication {
|
||||
|
||||
private final Targettoken targettoken = new Targettoken();
|
||||
private final Gatewaytoken gatewaytoken = new Gatewaytoken();
|
||||
|
||||
/**
|
||||
* Target token auth. Tokens are defined per target.
|
||||
*/
|
||||
@Data
|
||||
public static class Targettoken {
|
||||
|
||||
/**
|
||||
* Set to true to enable target token auth.
|
||||
*/
|
||||
private boolean enabled = false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gateway token auth. Tokens are defined per tenant. Use with care!
|
||||
*/
|
||||
@Data
|
||||
public static class Gatewaytoken {
|
||||
|
||||
/**
|
||||
* Gateway token based auth enabled.
|
||||
*/
|
||||
private boolean enabled = false;
|
||||
|
||||
/**
|
||||
* Default gateway token name.
|
||||
*/
|
||||
private String name = "";
|
||||
|
||||
/**
|
||||
* Default gateway token itself.
|
||||
*/
|
||||
@ToString.Exclude
|
||||
private String key = "";
|
||||
}
|
||||
}
|
||||
}
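Review bot: The explicit `getAuthentication()` and `getRp()` methods duplicate what the class-level `@Getter` already generates for the two `final` fields, so one of the two should be dropped. `Rp.trustedIPs` has no initializer, so a deployment that does not set the trusted-IP list leaves it `null` and every consumer (the trusted-IP check in `AuthenticationFilters` logs it as `authorizedSourceIps`) has to null-check; `private List<String> trustedIPs = List.of();` makes "nothing trusted" explicit and fails closed. `@ToString.Exclude` on `key` is the right call; a short comment there, such as `// secret material: never log or expose this value`, would keep future changes to the class from undoing it.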
|
||||
@@ -9,16 +9,12 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.security.controller;
|
||||
|
||||
import static org.eclipse.hawkbit.context.AccessContext.asSystemAsTenant;
|
||||
import static org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey.AUTHENTICATION_GATEWAY_SECURITY_TOKEN_ENABLED;
|
||||
import static org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey.AUTHENTICATION_GATEWAY_SECURITY_TOKEN_KEY;
|
||||
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
||||
import org.eclipse.hawkbit.repository.helper.TenantConfigHelper;
|
||||
import org.slf4j.Logger;
|
||||
import org.springframework.security.core.Authentication;
|
||||
|
||||
@@ -35,22 +31,6 @@ public class GatewayTokenAuthenticator extends Authenticator.AbstractAuthenticat
|
||||
public static final String GATEWAY_SECURITY_TOKEN_AUTH_SCHEME = "GatewayToken ";
|
||||
private static final int OFFSET_GATEWAY_TOKEN = GATEWAY_SECURITY_TOKEN_AUTH_SCHEME.length();
|
||||
|
||||
private final Callable<String> gatewaySecurityTokenKeyGetter;
|
||||
|
||||
public GatewayTokenAuthenticator(
|
||||
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
|
||||
final SystemSecurityContext systemSecurityContext) {
|
||||
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
||||
gatewaySecurityTokenKeyGetter = () -> {
|
||||
log.trace("retrieving configuration value for configuration key {}", AUTHENTICATION_GATEWAY_SECURITY_TOKEN_KEY);
|
||||
|
||||
return systemSecurityContext
|
||||
.runAsSystem(() -> tenantConfigurationManagement
|
||||
.getConfigurationValue(AUTHENTICATION_GATEWAY_SECURITY_TOKEN_KEY, String.class)
|
||||
.getValue());
|
||||
};
|
||||
}
|
||||
|
||||
@Override
|
||||
public Authentication authenticate(final ControllerSecurityToken controllerSecurityToken) {
|
||||
final String authHeader = controllerSecurityToken.getHeader(ControllerSecurityToken.AUTHORIZATION_HEADER);
|
||||
@@ -63,7 +43,7 @@ public class GatewayTokenAuthenticator extends Authenticator.AbstractAuthenticat
|
||||
}
|
||||
|
||||
if (!isEnabled(controllerSecurityToken)) {
|
||||
log.debug("The gateway token authentication is disabled");
|
||||
log.debug("The gateway token auth is disabled");
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -71,8 +51,14 @@ public class GatewayTokenAuthenticator extends Authenticator.AbstractAuthenticat
|
||||
final String presentedToken = authHeader.substring(OFFSET_GATEWAY_TOKEN);
|
||||
|
||||
// validate if the presented token is the same as the gateway token
|
||||
return presentedToken.equals(tenantAware.runAsTenant(controllerSecurityToken.getTenant(), gatewaySecurityTokenKeyGetter))
|
||||
? authenticatedController(controllerSecurityToken.getTenant(), controllerSecurityToken.getControllerId()) : null;
|
||||
return presentedToken.equals(asSystemAsTenant(
|
||||
controllerSecurityToken.getTenant(),
|
||||
() -> {
|
||||
log.trace("retrieving configuration value for configuration key {}", AUTHENTICATION_GATEWAY_SECURITY_TOKEN_KEY);
|
||||
return TenantConfigHelper.getAsSystem(AUTHENTICATION_GATEWAY_SECURITY_TOKEN_KEY, String.class);
|
||||
}))
|
||||
? authenticatedController(controllerSecurityToken.getTenant(), controllerSecurityToken.getControllerId())
|
||||
: null;
|
||||
}
|
||||
|
||||
@Override
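Review bot: The token check on the new side of hunk `@@ -71,8 +51,14 @@` still compares the presented token to the tenant's configured key with `String.equals`, which is not constant-time, and it does not reject a blank configured key; this commit's `DdiSecurityProperties.Gatewaytoken.key` defaults to `""`, so if that default can reach the tenant configuration while the mechanism is enabled, a request whose header is only the scheme prefix would match it. Reading the configured key into a local, refusing null or blank values, and comparing with `java.security.MessageDigest.isEqual` closes both gaps (the rewrite below needs `MessageDigest` and `StandardCharsets` imported). The same `equals`-based comparison appears in `SecurityTokenAuthenticator.authenticate` against `target::getSecurityToken` and deserves the same treatment. `authenticate` begins outside the hunk.
```java
final String presentedToken = authHeader.substring(OFFSET_GATEWAY_TOKEN);

final String configuredKey = asSystemAsTenant(
        controllerSecurityToken.getTenant(),
        () -> {
            log.trace("retrieving configuration value for configuration key {}", AUTHENTICATION_GATEWAY_SECURITY_TOKEN_KEY);
            return TenantConfigHelper.getAsSystem(AUTHENTICATION_GATEWAY_SECURITY_TOKEN_KEY, String.class);
        });
// fail closed on a missing/blank tenant key and compare in constant time
if (configuredKey == null || configuredKey.isBlank()
        || !MessageDigest.isEqual(
                presentedToken.getBytes(StandardCharsets.UTF_8), configuredKey.getBytes(StandardCharsets.UTF_8))) {
    return null;
}
return authenticatedController(controllerSecurityToken.getTenant(), controllerSecurityToken.getControllerId());
```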
|
||||
|
||||
@@ -9,14 +9,14 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.security.controller;
|
||||
|
||||
import static org.eclipse.hawkbit.context.AccessContext.asSystemAsTenant;
|
||||
import static org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey.AUTHENTICATION_HEADER_AUTHORITY_NAME;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.eclipse.hawkbit.repository.helper.TenantConfigHelper;
|
||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
@@ -29,7 +29,7 @@ import org.springframework.security.core.Authentication;
|
||||
@Slf4j
|
||||
public class SecurityHeaderAuthenticator extends Authenticator.AbstractAuthenticator {
|
||||
|
||||
private static final Logger LOG_SECURITY_AUTH = LoggerFactory.getLogger("server-security.authentication");
|
||||
private static final Logger LOG_SECURITY_AUTH = LoggerFactory.getLogger("server-security.auth");
|
||||
|
||||
// Example Headers with Cert Information
|
||||
// Clientip: 217.24.201.180
|
||||
@@ -48,18 +48,9 @@ public class SecurityHeaderAuthenticator extends Authenticator.AbstractAuthentic
|
||||
// header exists multiple times in the request for all trusted chains.
|
||||
private final String sslIssuerHashBasicHeader;
|
||||
|
||||
private final Callable<String> sslIssuerNameConfigGetter;
|
||||
|
||||
public SecurityHeaderAuthenticator(
|
||||
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
|
||||
final SystemSecurityContext systemSecurityContext,
|
||||
final String caCommonNameHeader, final String caAuthorityNameHeader) {
|
||||
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
||||
public SecurityHeaderAuthenticator(final String caCommonNameHeader, final String caAuthorityNameHeader) {
|
||||
this.caCommonNameHeader = caCommonNameHeader;
|
||||
this.sslIssuerHashBasicHeader = caAuthorityNameHeader;
|
||||
sslIssuerNameConfigGetter = () -> systemSecurityContext.runAsSystem(
|
||||
() -> tenantConfigurationManagement.getConfigurationValue(
|
||||
TenantConfigurationKey.AUTHENTICATION_HEADER_AUTHORITY_NAME, String.class).getValue());
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -76,13 +67,15 @@ public class SecurityHeaderAuthenticator extends Authenticator.AbstractAuthentic
|
||||
}
|
||||
|
||||
if (!isEnabled(controllerSecurityToken)) {
|
||||
log.debug("The gateway header authentication is disabled");
|
||||
log.debug("The gateway header auth is disabled");
|
||||
return null;
|
||||
}
|
||||
|
||||
final String sslIssuerHashValue = getIssuerHashHeader(
|
||||
controllerSecurityToken,
|
||||
tenantAware.runAsTenant(controllerSecurityToken.getTenant(), sslIssuerNameConfigGetter));
|
||||
asSystemAsTenant(
|
||||
controllerSecurityToken.getTenant(),
|
||||
() -> TenantConfigHelper.getAsSystem(AUTHENTICATION_HEADER_AUTHORITY_NAME, String.class)));
|
||||
if (sslIssuerHashValue == null) {
|
||||
log.debug("The request contains the 'common name' header but trusted hash is not found");
|
||||
return null;
|
||||
@@ -115,7 +108,8 @@ public class SecurityHeaderAuthenticator extends Authenticator.AbstractAuthentic
|
||||
|
||||
// iterate over the headers until we get a null header.
|
||||
String foundHash;
|
||||
for (int iHeader = 1; (foundHash = controllerSecurityToken.getHeader(String.format(sslIssuerHashBasicHeader, iHeader))) != null; iHeader++) {
|
||||
for (int iHeader = 1; (foundHash = controllerSecurityToken.getHeader(
|
||||
String.format(sslIssuerHashBasicHeader, iHeader))) != null; iHeader++) {
|
||||
if (knownHashes.contains(foundHash.toLowerCase())) {
|
||||
if (log.isTraceEnabled()) {
|
||||
log.trace("Found matching ssl issuer hash at position {}", iHeader);
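Review bot: Renaming the dedicated security logger from `server-security.authentication` to `server-security.auth` (hunk `@@ -29,7 +29,7 @@`) is an operational change rather than a cosmetic one: any logback/log4j appender, level override or alerting rule keyed on the old category silently stops receiving these events. Either keep the old name, `private static final Logger LOG_SECURITY_AUTH = LoggerFactory.getLogger("server-security.authentication");`, or call the rename out in the release notes so operators update their logging configuration, and add a comment on the constant noting that the logger name is part of the operator-facing contract. In the reformatted loop of hunk `@@ -115,7 +108,8 @@`, `foundHash.toLowerCase()` is locale-sensitive; `toLowerCase(Locale.ROOT)` is the safe form for comparing hex digests. The enclosing method continues outside the hunk.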
|
||||
|
||||
@@ -9,11 +9,10 @@
|
||||
*/
|
||||
package org.eclipse.hawkbit.security.controller;
|
||||
|
||||
import static org.eclipse.hawkbit.context.AccessContext.asSystemAsTenant;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
|
||||
import org.slf4j.Logger;
|
||||
import org.springframework.security.core.Authentication;
|
||||
@@ -32,11 +31,7 @@ public class SecurityTokenAuthenticator extends Authenticator.AbstractAuthentica
|
||||
|
||||
private final ControllerManagement controllerManagement;
|
||||
|
||||
public SecurityTokenAuthenticator(
|
||||
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
|
||||
final SystemSecurityContext systemSecurityContext,
|
||||
final ControllerManagement controllerManagement) {
|
||||
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
|
||||
public SecurityTokenAuthenticator(final ControllerManagement controllerManagement) {
|
||||
this.controllerManagement = controllerManagement;
|
||||
}
|
||||
|
||||
@@ -52,21 +47,20 @@ public class SecurityTokenAuthenticator extends Authenticator.AbstractAuthentica
|
||||
}
|
||||
|
||||
if (!isEnabled(controllerSecurityToken)) {
|
||||
log.debug("The target security token authentication is disabled");
|
||||
log.debug("The target security token auth is disabled");
|
||||
return null;
|
||||
}
|
||||
|
||||
log.debug("Found 'authorization' header starting with '{}'", TARGET_SECURITY_TOKEN_AUTH_SCHEME);
|
||||
final String presentedToken = authHeader.substring(OFFSET_TARGET_TOKEN);
|
||||
|
||||
return systemSecurityContext.runAsSystemAsTenant(() -> controllerSecurityToken.getTargetId() != null
|
||||
final String tenant = controllerSecurityToken.getTenant();
|
||||
return asSystemAsTenant(tenant, () -> controllerSecurityToken.getTargetId() != null
|
||||
? controllerManagement.find(controllerSecurityToken.getTargetId())
|
||||
: controllerManagement.findByControllerId(controllerSecurityToken.getControllerId()),
|
||||
controllerSecurityToken.getTenant())
|
||||
: controllerManagement.findByControllerId(controllerSecurityToken.getControllerId()))
|
||||
// validate if the presented token is the same as the one set for the target
|
||||
.filter(target -> presentedToken.equals(
|
||||
systemSecurityContext.runAsSystemAsTenant(target::getSecurityToken, controllerSecurityToken.getTenant())))
|
||||
.map(target -> authenticatedController(controllerSecurityToken.getTenant(), target.getControllerId()))
|
||||
.filter(target -> presentedToken.equals(asSystemAsTenant(tenant, target::getSecurityToken)))
|
||||
.map(target -> authenticatedController(tenant, target.getControllerId()))
|
||||
.orElse(null);
|
||||
}
|
||||
|
||||
|
||||
@@ -16,10 +16,8 @@ import static org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationPrope
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.repository.helper.TenantConfigHelper;
|
||||
import org.eclipse.hawkbit.repository.model.TenantConfigurationValue;
|
||||
import org.eclipse.hawkbit.security.SecurityContextTenantAware;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.UserAuthoritiesResolver;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
@@ -28,7 +26,7 @@ import org.mockito.junit.jupiter.MockitoExtension;
|
||||
|
||||
/**
|
||||
* Feature: Unit Tests - Security<br/>
|
||||
* Story: Gateway token authentication
|
||||
* Story: Gateway token auth
|
||||
*/
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
class GatewayTokenAuthenticatorTest {
|
||||
@@ -48,17 +46,15 @@ class GatewayTokenAuthenticatorTest {
|
||||
|
||||
@Mock
|
||||
private TenantConfigurationManagement tenantConfigurationManagementMock;
|
||||
@Mock
|
||||
private UserAuthoritiesResolver authoritiesResolver;
|
||||
|
||||
@BeforeEach
|
||||
void before() {
|
||||
final SecurityContextTenantAware tenantAware = new SecurityContextTenantAware(authoritiesResolver);
|
||||
authenticator = new GatewayTokenAuthenticator(tenantConfigurationManagementMock, tenantAware, new SystemSecurityContext(tenantAware));
|
||||
TenantConfigHelper.setTenantConfigurationManagement(tenantConfigurationManagementMock);
|
||||
authenticator = new GatewayTokenAuthenticator();
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests successful authentication with gateway token
|
||||
* Tests successful auth with gateway token
|
||||
*/
|
||||
@Test
|
||||
void testWithGwToken() {
|
||||
@@ -74,7 +70,7 @@ class GatewayTokenAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if gateway token doesn't match, the authentication fails
|
||||
* Tests that if gateway token doesn't match, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithBadGwToken() {
|
||||
@@ -88,7 +84,7 @@ class GatewayTokenAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if gateway token miss, the authentication fails
|
||||
* Tests that if gateway token miss, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithoutGwToken() {
|
||||
@@ -96,7 +92,7 @@ class GatewayTokenAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if disabled, the authentication fails
|
||||
* Tests that if disabled, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithGwTokenButDisabled() {
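Review bot: `before()` on the new side of hunk `@@ -48,17 +46,15 @@` installs the mock through `TenantConfigHelper.setTenantConfigurationManagement(...)`, which mutates process-wide static state and is never reset, so whichever test class ran last leaves its mock in place for every later test in the same JVM; the same `@BeforeEach` pattern is used in `SecurityHeaderAuthenticatorTest` and `SecurityTokenAuthenticatorTest`. If the helper accepts it, an `@AfterEach` that clears the reference (for example `TenantConfigHelper.setTenantConfigurationManagement(null);`, assuming null is permitted) would isolate the classes; otherwise a comment on `before()` naming the shared static and its ordering implication is the minimum.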
|
||||
|
||||
@@ -15,10 +15,8 @@ import static org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationPrope
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.repository.helper.TenantConfigHelper;
|
||||
import org.eclipse.hawkbit.repository.model.TenantConfigurationValue;
|
||||
import org.eclipse.hawkbit.security.SecurityContextTenantAware;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.UserAuthoritiesResolver;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
@@ -57,20 +55,15 @@ class SecurityHeaderAuthenticatorTest {
|
||||
|
||||
@Mock
|
||||
private TenantConfigurationManagement tenantConfigurationManagementMock;
|
||||
@Mock
|
||||
private UserAuthoritiesResolver authoritiesResolver;
|
||||
|
||||
@BeforeEach
|
||||
void before() {
|
||||
final SecurityContextTenantAware tenantAware = new SecurityContextTenantAware(authoritiesResolver);
|
||||
authenticator = new SecurityHeaderAuthenticator(
|
||||
tenantConfigurationManagementMock, tenantAware,
|
||||
new SystemSecurityContext(tenantAware), CA_COMMON_NAME, "X-Ssl-Issuer-Hash-%d"
|
||||
);
|
||||
TenantConfigHelper.setTenantConfigurationManagement(tenantConfigurationManagementMock);
|
||||
authenticator = new SecurityHeaderAuthenticator(CA_COMMON_NAME, "X-Ssl-Issuer-Hash-%d");
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests successful authentication with multiple a single hashes
|
||||
* Tests successful auth with multiple a single hashes
|
||||
*/
|
||||
@Test
|
||||
void testWithSingleKnownHash() {
|
||||
@@ -86,7 +79,7 @@ class SecurityHeaderAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests successful authentication with multiple hashes
|
||||
* Tests successful auth with multiple hashes
|
||||
*/
|
||||
@Test
|
||||
void testWithMultipleKnownHashes() {
|
||||
@@ -107,7 +100,7 @@ class SecurityHeaderAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if the hash is unknown, the authentication fails
|
||||
* Tests that if the hash is unknown, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithUnknownHash() {
|
||||
@@ -121,7 +114,7 @@ class SecurityHeaderAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if CN doesn't match the CN in the security token, the authentication fails
|
||||
* Tests that if CN doesn't match the CN in the security token, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithNonMatchingCN() {
|
||||
@@ -133,7 +126,7 @@ class SecurityHeaderAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if the hash miss, the authentication fails
|
||||
* Tests that if the hash miss, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithoutHash() {
|
||||
@@ -141,7 +134,7 @@ class SecurityHeaderAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if disabled, the authentication fails
|
||||
* Tests that if disabled, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithSingleKnownHashButDisabled() {
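Review bot: The Javadoc of `testWithSingleKnownHash` on the new side of hunk `@@ -57,20 +55,15 @@` reads `* Tests successful auth with multiple a single hashes`, which is garbled; the abbreviation pass carried the wording over unchanged. Suggest `* Tests successful auth with a single known hash`, matching the method name and the sibling `testWithMultipleKnownHashes` description.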
|
||||
|
||||
@@ -17,11 +17,9 @@ import java.util.Optional;
|
||||
|
||||
import org.eclipse.hawkbit.repository.ControllerManagement;
|
||||
import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
|
||||
import org.eclipse.hawkbit.repository.helper.TenantConfigHelper;
|
||||
import org.eclipse.hawkbit.repository.model.Target;
|
||||
import org.eclipse.hawkbit.repository.model.TenantConfigurationValue;
|
||||
import org.eclipse.hawkbit.security.SecurityContextTenantAware;
|
||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||
import org.eclipse.hawkbit.tenancy.UserAuthoritiesResolver;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
@@ -31,7 +29,7 @@ import org.mockito.junit.jupiter.MockitoExtension;
|
||||
|
||||
/**
|
||||
* Feature: Unit Tests - Security<br/>
|
||||
* Story: Gateway token authentication
|
||||
* Story: Gateway token auth
|
||||
*/
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
class SecurityTokenAuthenticatorTest {
|
||||
@@ -51,19 +49,15 @@ class SecurityTokenAuthenticatorTest {
|
||||
private TenantConfigurationManagement tenantConfigurationManagementMock;
|
||||
@Mock
|
||||
private ControllerManagement controllerManagementMock;
|
||||
@Mock
|
||||
private UserAuthoritiesResolver authoritiesResolver;
|
||||
|
||||
@BeforeEach
|
||||
void before() {
|
||||
final SecurityContextTenantAware tenantAware = new SecurityContextTenantAware(authoritiesResolver);
|
||||
authenticator = new SecurityTokenAuthenticator(
|
||||
tenantConfigurationManagementMock, tenantAware,
|
||||
new SystemSecurityContext(tenantAware), controllerManagementMock);
|
||||
TenantConfigHelper.setTenantConfigurationManagement(tenantConfigurationManagementMock);
|
||||
authenticator = new SecurityTokenAuthenticator(controllerManagementMock);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests successful authentication with gateway token
|
||||
* Tests successful auth with gateway token
|
||||
*/
|
||||
@Test
|
||||
void testWithSecToken() {
|
||||
@@ -82,7 +76,7 @@ class SecurityTokenAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if gateway token doesn't match, the authentication fails
|
||||
* Tests that if gateway token doesn't match, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithBadSecToken() {
|
||||
@@ -94,7 +88,7 @@ class SecurityTokenAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if gateway token miss, the authentication fails
|
||||
* Tests that if gateway token miss, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithoutSecToken() {
|
||||
@@ -102,7 +96,7 @@ class SecurityTokenAuthenticatorTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that if disabled, the authentication fails
|
||||
* Tests that if disabled, the auth fails
|
||||
*/
|
||||
@Test
|
||||
void testWithSecTokenButDisabled() {
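Review bot: The class Javadoc on the new side of hunk `@@ -31,7 +29,7 @@` (`* Story: Gateway token auth`) and the method Javadocs of `testWithSecToken`, `testWithBadSecToken` and `testWithoutSecToken` (`* Tests successful auth with gateway token`, `* Tests that if gateway token doesn't match, the auth fails`, `* Tests that if gateway token miss, the auth fails`) describe the gateway-token tests, but this class exercises `SecurityTokenAuthenticator` and the per-target security token; the abbreviation edit preserved the copy-paste. Suggest `* Story: Target security token auth` for the class and replacing "gateway token" with "target security token" in the three method descriptions.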
|
||||
|
||||