Use system role where necessary to invoke the getTenantMetadata method

Signed-off-by: Michael Hirsch <michael.hirsch@bosch-si.com>
This commit is contained in:
Michael Hirsch
2016-08-02 12:51:08 +02:00
parent 9994d7c12a
commit fc4747083c
4 changed files with 66 additions and 60 deletions

View File

@@ -290,6 +290,9 @@ public class SecurityManagedConfiguration {
@Autowired @Autowired
private SecurityProperties springSecurityProperties; private SecurityProperties springSecurityProperties;
@Autowired
private SystemSecurityContext systemSecurityContext;
@Override @Override
protected void configure(final HttpSecurity http) throws Exception { protected void configure(final HttpSecurity http) throws Exception {
@@ -318,9 +321,8 @@ public class SecurityManagedConfiguration {
userAuthenticationFilter.destroy(); userAuthenticationFilter.destroy();
} }
}, RequestHeaderAuthenticationFilter.class) }, RequestHeaderAuthenticationFilter.class)
.addFilterAfter( .addFilterAfter(new AuthenticationSuccessTenantMetadataCreationFilter(tenantAware, systemManagement,
new AuthenticationSuccessTenantMetadataCreationFilter(tenantAware, systemManagement), systemSecurityContext), SessionManagementFilter.class)
SessionManagementFilter.class)
.authorizeRequests().anyRequest().authenticated() .authorizeRequests().anyRequest().authenticated()
.antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**") .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
.hasAnyAuthority(SpPermission.SYSTEM_ADMIN); .hasAnyAuthority(SpPermission.SYSTEM_ADMIN);
@@ -522,6 +524,9 @@ class TenantMetadataSavedRequestAwareVaadinAuthenticationSuccessHandler extends
@Autowired @Autowired
private SystemManagement systemManagement; private SystemManagement systemManagement;
@Autowired
private SystemSecurityContext systemSecurityContext;
@Override @Override
public void onAuthenticationSuccess(final Authentication authentication) throws Exception { public void onAuthenticationSuccess(final Authentication authentication) throws Exception {
@@ -536,7 +541,9 @@ class TenantMetadataSavedRequestAwareVaadinAuthenticationSuccessHandler extends
// LoginView. This needs to be changed with the update of // LoginView. This needs to be changed with the update of
// vaadin4spring 0.0.7 because it // vaadin4spring 0.0.7 because it
// has been fixed. // has been fixed.
systemManagement.getTenantMetadata("DEFAULT"); final String defaultTenant = "DEFAULT";
systemSecurityContext.runAsSystemAsTenant(() -> systemManagement.getTenantMetadata(defaultTenant),
defaultTenant);
} }
super.onAuthenticationSuccess(authentication); super.onAuthenticationSuccess(authentication);
@@ -550,11 +557,13 @@ class AuthenticationSuccessTenantMetadataCreationFilter implements Filter {
private final TenantAware tenantAware; private final TenantAware tenantAware;
private final SystemManagement systemManagement; private final SystemManagement systemManagement;
private final SystemSecurityContext systemSecurityContext;
AuthenticationSuccessTenantMetadataCreationFilter(final TenantAware tenantAware, AuthenticationSuccessTenantMetadataCreationFilter(final TenantAware tenantAware,
final SystemManagement systemManagement) { final SystemManagement systemManagement, final SystemSecurityContext systemSecurityContext) {
this.tenantAware = tenantAware; this.tenantAware = tenantAware;
this.systemManagement = systemManagement; this.systemManagement = systemManagement;
this.systemSecurityContext = systemSecurityContext;
} }
@Override @Override
@@ -569,7 +578,8 @@ class AuthenticationSuccessTenantMetadataCreationFilter implements Filter {
final String currentTenant = tenantAware.getCurrentTenant(); final String currentTenant = tenantAware.getCurrentTenant();
if (currentTenant != null) { if (currentTenant != null) {
// lazy initialize tenant meta data after successful authentication // lazy initialize tenant meta data after successful authentication
systemManagement.getTenantMetadata(currentTenant); systemSecurityContext.runAsSystemAsTenant(() -> systemManagement.getTenantMetadata(currentTenant),
currentTenant);
} }
chain.doFilter(request, response); chain.doFilter(request, response);

View File

@@ -8,6 +8,10 @@
*/ */
package org.eclipse.hawkbit.ddi.rest.resource; package org.eclipse.hawkbit.ddi.rest.resource;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION;
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
import static org.fest.assertions.api.Assertions.assertThat; import static org.fest.assertions.api.Assertions.assertThat;
import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.Matchers.startsWith; import static org.hamcrest.Matchers.startsWith;
@@ -23,7 +27,6 @@ import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.eclipse.hawkbit.im.authentication.SpPermission; import org.eclipse.hawkbit.im.authentication.SpPermission;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.model.Action; import org.eclipse.hawkbit.repository.model.Action;
import org.eclipse.hawkbit.repository.model.DistributionSet; import org.eclipse.hawkbit.repository.model.DistributionSet;
import org.eclipse.hawkbit.repository.model.Target; import org.eclipse.hawkbit.repository.model.Target;
@@ -57,7 +60,8 @@ public class DdiRootControllerTest extends AbstractRestIntegrationTestWithMongoD
@Test @Test
@Description("Ensures that targets cannot be created e.g. in plug'n play scenarios when tenant does not exists but can be created if the tenant exists.") @Description("Ensures that targets cannot be created e.g. in plug'n play scenarios when tenant does not exists but can be created if the tenant exists.")
@WithUser(tenantId = "tenantDoesNotExists", allSpPermissions = true, authorities = "ROLE_CONTROLLER", autoCreateTenant = false) @WithUser(tenantId = "tenantDoesNotExists", allSpPermissions = true, authorities = { CONTROLLER_ROLE,
SYSTEM_ROLE }, autoCreateTenant = false)
public void targetCannotBeRegisteredIfTenantDoesNotExistsButWhenExists() throws Exception { public void targetCannotBeRegisteredIfTenantDoesNotExistsButWhenExists() throws Exception {
mvc.perform(get("/default-tenant/", tenantAware.getCurrentTenant())).andDo(MockMvcResultPrinter.print()) mvc.perform(get("/default-tenant/", tenantAware.getCurrentTenant())).andDo(MockMvcResultPrinter.print())
@@ -91,13 +95,11 @@ public class DdiRootControllerTest extends AbstractRestIntegrationTestWithMongoD
// make a poll, audit information should not be changed, run as // make a poll, audit information should not be changed, run as
// controller principal! // controller principal!
securityRule.runAs( securityRule.runAs(WithSpringAuthorityRule.withUser("controller", CONTROLLER_ROLE_ANONYMOUS), () -> {
WithSpringAuthorityRule.withUser("controller", SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS), () -> { mvc.perform(get("/{tenant}/controller/v1/" + knownTargetControllerId, tenantAware.getCurrentTenant()))
mvc.perform( .andDo(MockMvcResultPrinter.print()).andExpect(status().isOk());
get("/{tenant}/controller/v1/" + knownTargetControllerId, tenantAware.getCurrentTenant())) return null;
.andDo(MockMvcResultPrinter.print()).andExpect(status().isOk()); });
return null;
});
// verify that audit information has not changed // verify that audit information has not changed
final Target targetVerify = targetManagement.findTargetByControllerID(knownTargetControllerId); final Target targetVerify = targetManagement.findTargetByControllerID(knownTargetControllerId);
@@ -143,22 +145,19 @@ public class DdiRootControllerTest extends AbstractRestIntegrationTestWithMongoD
@Description("Ensures that tenant specific polling time, which is saved in the db, is delivered to the controller.") @Description("Ensures that tenant specific polling time, which is saved in the db, is delivered to the controller.")
@WithUser(principal = "knownpricipal", allSpPermissions = false) @WithUser(principal = "knownpricipal", allSpPermissions = false)
public void pollWithModifiedGloablPollingTime() throws Exception { public void pollWithModifiedGloablPollingTime() throws Exception {
securityRule.runAs( securityRule.runAs(WithSpringAuthorityRule.withUser("tenantadmin", HAS_AUTH_TENANT_CONFIGURATION), () -> {
WithSpringAuthorityRule.withUser("tenantadmin", SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION), tenantConfigurationManagement.addOrUpdateConfiguration(TenantConfigurationKey.POLLING_TIME_INTERVAL,
() -> { "00:02:00");
tenantConfigurationManagement.addOrUpdateConfiguration(TenantConfigurationKey.POLLING_TIME_INTERVAL, return null;
"00:02:00"); });
return null;
});
securityRule.runAs( securityRule.runAs(WithSpringAuthorityRule.withUser("controller", CONTROLLER_ROLE_ANONYMOUS), () -> {
WithSpringAuthorityRule.withUser("controller", SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS), () -> { mvc.perform(get("/{tenant}/controller/v1/4711", tenantAware.getCurrentTenant()))
mvc.perform(get("/{tenant}/controller/v1/4711", tenantAware.getCurrentTenant())) .andDo(MockMvcResultPrinter.print()).andExpect(status().isOk())
.andDo(MockMvcResultPrinter.print()).andExpect(status().isOk()) .andExpect(content().contentType(MediaTypes.HAL_JSON))
.andExpect(content().contentType(MediaTypes.HAL_JSON)) .andExpect(jsonPath("$config.polling.sleep", equalTo("00:02:00")));
.andExpect(jsonPath("$config.polling.sleep", equalTo("00:02:00"))); return null;
return null; });
});
} }
@Test @Test

View File

@@ -39,6 +39,7 @@ import org.eclipse.hawkbit.repository.model.DistributionSetMetadata;
import org.eclipse.hawkbit.repository.model.SoftwareModule; import org.eclipse.hawkbit.repository.model.SoftwareModule;
import org.eclipse.hawkbit.repository.model.Target; import org.eclipse.hawkbit.repository.model.Target;
import org.eclipse.hawkbit.repository.model.TargetWithActionType; import org.eclipse.hawkbit.repository.model.TargetWithActionType;
import org.eclipse.hawkbit.security.SystemSecurityContext;
import org.eclipse.hawkbit.tenancy.TenantAware; import org.eclipse.hawkbit.tenancy.TenantAware;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -81,6 +82,9 @@ public class MgmtDistributionSetResource implements MgmtDistributionSetRestApi {
@Autowired @Autowired
private DistributionSetManagement distributionSetManagement; private DistributionSetManagement distributionSetManagement;
@Autowired
private SystemSecurityContext systemSecurityContext;
@Override @Override
public ResponseEntity<PagedList<MgmtDistributionSet>> getDistributionSets( public ResponseEntity<PagedList<MgmtDistributionSet>> getDistributionSets(
@RequestParam(value = MgmtRestConstants.REQUEST_PARAMETER_PAGING_OFFSET, defaultValue = MgmtRestConstants.REQUEST_PARAMETER_PAGING_DEFAULT_OFFSET) final int pagingOffsetParam, @RequestParam(value = MgmtRestConstants.REQUEST_PARAMETER_PAGING_OFFSET, defaultValue = MgmtRestConstants.REQUEST_PARAMETER_PAGING_DEFAULT_OFFSET) final int pagingOffsetParam,
@@ -119,8 +123,9 @@ public class MgmtDistributionSetResource implements MgmtDistributionSetRestApi {
LOG.debug("creating {} distribution sets", sets.size()); LOG.debug("creating {} distribution sets", sets.size());
// set default Ds type if ds type is null // set default Ds type if ds type is null
sets.stream().filter(ds -> ds.getType() == null).forEach(ds -> ds.setType(this.systemManagement final String defaultDsKey = systemSecurityContext.runAsSystem(() -> this.systemManagement
.getTenantMetadata(this.currentTenant.getCurrentTenant()).getDefaultDsType().getKey())); .getTenantMetadata(this.currentTenant.getCurrentTenant()).getDefaultDsType().getKey());
sets.stream().filter(ds -> ds.getType() == null).forEach(ds -> ds.setType(defaultDsKey));
final Iterable<DistributionSet> createdDSets = this.distributionSetManagement final Iterable<DistributionSet> createdDSets = this.distributionSetManagement
.createDistributionSets(MgmtDistributionSetMapper.dsFromRequest(sets, this.softwareManagement, .createDistributionSets(MgmtDistributionSetMapper.dsFromRequest(sets, this.softwareManagement,

View File

@@ -14,10 +14,10 @@ import java.io.ByteArrayInputStream;
import java.util.List; import java.util.List;
import java.util.Random; import java.util.Random;
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
import org.eclipse.hawkbit.repository.jpa.model.JpaSoftwareModule; import org.eclipse.hawkbit.repository.jpa.model.JpaSoftwareModule;
import org.eclipse.hawkbit.repository.model.DistributionSet; import org.eclipse.hawkbit.repository.model.DistributionSet;
import org.eclipse.hawkbit.repository.model.Target; import org.eclipse.hawkbit.repository.model.Target;
import org.eclipse.hawkbit.repository.model.TenantMetaData;
import org.eclipse.hawkbit.repository.report.model.TenantUsage; import org.eclipse.hawkbit.repository.report.model.TenantUsage;
import org.eclipse.hawkbit.repository.test.util.WithSpringAuthorityRule; import org.eclipse.hawkbit.repository.test.util.WithSpringAuthorityRule;
import org.junit.Test; import org.junit.Test;
@@ -30,15 +30,6 @@ import ru.yandex.qatools.allure.annotations.Stories;
@Stories("System Management") @Stories("System Management")
public class SystemManagementTest extends AbstractJpaIntegrationTestWithMongoDB { public class SystemManagementTest extends AbstractJpaIntegrationTestWithMongoDB {
@Test
@Description("Ensures that you can create a tenant without setting the necessary security context which holds a current tenant")
public void createInitialTenantWithoutSecurityContext() {
securityRule.clear();
final String tenantToBeCreated = "newTenantToCreate";
final TenantMetaData tenantMetadata = systemManagement.getTenantMetadata(tenantToBeCreated);
assertThat(tenantMetadata).isNotNull();
}
@Test @Test
@Description("Ensures that findTenants returns all tenants and not only restricted to the tenant which currently is logged in") @Description("Ensures that findTenants returns all tenants and not only restricted to the tenant which currently is logged in")
public void findTenantsReturnsAllTenantsNotOnlyWhichLoggedIn() throws Exception { public void findTenantsReturnsAllTenantsNotOnlyWhichLoggedIn() throws Exception {
@@ -109,26 +100,27 @@ public class SystemManagementTest extends AbstractJpaIntegrationTestWithMongoDB
for (int i = 0; i < tenants; i++) { for (int i = 0; i < tenants; i++) {
final String tenantname = "tenant" + i; final String tenantname = "tenant" + i;
securityRule.runAs(WithSpringAuthorityRule.withUserAndTenant("bumlux", tenantname), () -> { securityRule.runAs(WithSpringAuthorityRule.withUserAndTenant("bumlux", tenantname, true, true,
systemManagement.getTenantMetadata(tenantname); SpringEvalExpressions.SYSTEM_ROLE), () -> {
if (artifactSize > 0) { systemManagement.getTenantMetadata(tenantname);
createTestArtifact(random); if (artifactSize > 0) {
createDeletedTestArtifact(random); createTestArtifact(random);
} createDeletedTestArtifact(random);
if (targets > 0) {
final List<Target> createdTargets = createTestTargets(targets);
if (updates > 0) {
for (int x = 0; x < updates; x++) {
final DistributionSet ds = testdataFactory.createDistributionSet("to be deployed" + x,
true);
deploymentManagement.assignDistributionSet(ds, createdTargets);
} }
} if (targets > 0) {
} final List<Target> createdTargets = createTestTargets(targets);
if (updates > 0) {
for (int x = 0; x < updates; x++) {
final DistributionSet ds = testdataFactory
.createDistributionSet("to be deployed" + x, true);
return null; deploymentManagement.assignDistributionSet(ds, createdTargets);
}); }
}
}
return null;
});
} }
return random; return random;