Use system role where necessary to invoke the getTenantMetadata method
Signed-off-by: Michael Hirsch <michael.hirsch@bosch-si.com>
This commit is contained in:
@@ -290,6 +290,9 @@ public class SecurityManagedConfiguration {
|
|||||||
@Autowired
|
@Autowired
|
||||||
private SecurityProperties springSecurityProperties;
|
private SecurityProperties springSecurityProperties;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private SystemSecurityContext systemSecurityContext;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected void configure(final HttpSecurity http) throws Exception {
|
protected void configure(final HttpSecurity http) throws Exception {
|
||||||
|
|
||||||
@@ -318,9 +321,8 @@ public class SecurityManagedConfiguration {
|
|||||||
userAuthenticationFilter.destroy();
|
userAuthenticationFilter.destroy();
|
||||||
}
|
}
|
||||||
}, RequestHeaderAuthenticationFilter.class)
|
}, RequestHeaderAuthenticationFilter.class)
|
||||||
.addFilterAfter(
|
.addFilterAfter(new AuthenticationSuccessTenantMetadataCreationFilter(tenantAware, systemManagement,
|
||||||
new AuthenticationSuccessTenantMetadataCreationFilter(tenantAware, systemManagement),
|
systemSecurityContext), SessionManagementFilter.class)
|
||||||
SessionManagementFilter.class)
|
|
||||||
.authorizeRequests().anyRequest().authenticated()
|
.authorizeRequests().anyRequest().authenticated()
|
||||||
.antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
|
.antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
|
||||||
.hasAnyAuthority(SpPermission.SYSTEM_ADMIN);
|
.hasAnyAuthority(SpPermission.SYSTEM_ADMIN);
|
||||||
@@ -522,6 +524,9 @@ class TenantMetadataSavedRequestAwareVaadinAuthenticationSuccessHandler extends
|
|||||||
@Autowired
|
@Autowired
|
||||||
private SystemManagement systemManagement;
|
private SystemManagement systemManagement;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private SystemSecurityContext systemSecurityContext;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void onAuthenticationSuccess(final Authentication authentication) throws Exception {
|
public void onAuthenticationSuccess(final Authentication authentication) throws Exception {
|
||||||
|
|
||||||
@@ -536,7 +541,9 @@ class TenantMetadataSavedRequestAwareVaadinAuthenticationSuccessHandler extends
|
|||||||
// LoginView. This needs to be changed with the update of
|
// LoginView. This needs to be changed with the update of
|
||||||
// vaadin4spring 0.0.7 because it
|
// vaadin4spring 0.0.7 because it
|
||||||
// has been fixed.
|
// has been fixed.
|
||||||
systemManagement.getTenantMetadata("DEFAULT");
|
final String defaultTenant = "DEFAULT";
|
||||||
|
systemSecurityContext.runAsSystemAsTenant(() -> systemManagement.getTenantMetadata(defaultTenant),
|
||||||
|
defaultTenant);
|
||||||
}
|
}
|
||||||
|
|
||||||
super.onAuthenticationSuccess(authentication);
|
super.onAuthenticationSuccess(authentication);
|
||||||
@@ -550,11 +557,13 @@ class AuthenticationSuccessTenantMetadataCreationFilter implements Filter {
|
|||||||
|
|
||||||
private final TenantAware tenantAware;
|
private final TenantAware tenantAware;
|
||||||
private final SystemManagement systemManagement;
|
private final SystemManagement systemManagement;
|
||||||
|
private final SystemSecurityContext systemSecurityContext;
|
||||||
|
|
||||||
AuthenticationSuccessTenantMetadataCreationFilter(final TenantAware tenantAware,
|
AuthenticationSuccessTenantMetadataCreationFilter(final TenantAware tenantAware,
|
||||||
final SystemManagement systemManagement) {
|
final SystemManagement systemManagement, final SystemSecurityContext systemSecurityContext) {
|
||||||
this.tenantAware = tenantAware;
|
this.tenantAware = tenantAware;
|
||||||
this.systemManagement = systemManagement;
|
this.systemManagement = systemManagement;
|
||||||
|
this.systemSecurityContext = systemSecurityContext;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@@ -569,7 +578,8 @@ class AuthenticationSuccessTenantMetadataCreationFilter implements Filter {
|
|||||||
final String currentTenant = tenantAware.getCurrentTenant();
|
final String currentTenant = tenantAware.getCurrentTenant();
|
||||||
if (currentTenant != null) {
|
if (currentTenant != null) {
|
||||||
// lazy initialize tenant meta data after successful authentication
|
// lazy initialize tenant meta data after successful authentication
|
||||||
systemManagement.getTenantMetadata(currentTenant);
|
systemSecurityContext.runAsSystemAsTenant(() -> systemManagement.getTenantMetadata(currentTenant),
|
||||||
|
currentTenant);
|
||||||
}
|
}
|
||||||
|
|
||||||
chain.doFilter(request, response);
|
chain.doFilter(request, response);
|
||||||
|
|||||||
@@ -8,6 +8,10 @@
|
|||||||
*/
|
*/
|
||||||
package org.eclipse.hawkbit.ddi.rest.resource;
|
package org.eclipse.hawkbit.ddi.rest.resource;
|
||||||
|
|
||||||
|
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE;
|
||||||
|
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS;
|
||||||
|
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION;
|
||||||
|
import static org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions.SYSTEM_ROLE;
|
||||||
import static org.fest.assertions.api.Assertions.assertThat;
|
import static org.fest.assertions.api.Assertions.assertThat;
|
||||||
import static org.hamcrest.CoreMatchers.equalTo;
|
import static org.hamcrest.CoreMatchers.equalTo;
|
||||||
import static org.hamcrest.Matchers.startsWith;
|
import static org.hamcrest.Matchers.startsWith;
|
||||||
@@ -23,7 +27,6 @@ import java.util.ArrayList;
|
|||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
import org.eclipse.hawkbit.im.authentication.SpPermission;
|
||||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
|
||||||
import org.eclipse.hawkbit.repository.model.Action;
|
import org.eclipse.hawkbit.repository.model.Action;
|
||||||
import org.eclipse.hawkbit.repository.model.DistributionSet;
|
import org.eclipse.hawkbit.repository.model.DistributionSet;
|
||||||
import org.eclipse.hawkbit.repository.model.Target;
|
import org.eclipse.hawkbit.repository.model.Target;
|
||||||
@@ -57,7 +60,8 @@ public class DdiRootControllerTest extends AbstractRestIntegrationTestWithMongoD
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Description("Ensures that targets cannot be created e.g. in plug'n play scenarios when tenant does not exists but can be created if the tenant exists.")
|
@Description("Ensures that targets cannot be created e.g. in plug'n play scenarios when tenant does not exists but can be created if the tenant exists.")
|
||||||
@WithUser(tenantId = "tenantDoesNotExists", allSpPermissions = true, authorities = "ROLE_CONTROLLER", autoCreateTenant = false)
|
@WithUser(tenantId = "tenantDoesNotExists", allSpPermissions = true, authorities = { CONTROLLER_ROLE,
|
||||||
|
SYSTEM_ROLE }, autoCreateTenant = false)
|
||||||
public void targetCannotBeRegisteredIfTenantDoesNotExistsButWhenExists() throws Exception {
|
public void targetCannotBeRegisteredIfTenantDoesNotExistsButWhenExists() throws Exception {
|
||||||
|
|
||||||
mvc.perform(get("/default-tenant/", tenantAware.getCurrentTenant())).andDo(MockMvcResultPrinter.print())
|
mvc.perform(get("/default-tenant/", tenantAware.getCurrentTenant())).andDo(MockMvcResultPrinter.print())
|
||||||
@@ -91,13 +95,11 @@ public class DdiRootControllerTest extends AbstractRestIntegrationTestWithMongoD
|
|||||||
|
|
||||||
// make a poll, audit information should not be changed, run as
|
// make a poll, audit information should not be changed, run as
|
||||||
// controller principal!
|
// controller principal!
|
||||||
securityRule.runAs(
|
securityRule.runAs(WithSpringAuthorityRule.withUser("controller", CONTROLLER_ROLE_ANONYMOUS), () -> {
|
||||||
WithSpringAuthorityRule.withUser("controller", SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS), () -> {
|
mvc.perform(get("/{tenant}/controller/v1/" + knownTargetControllerId, tenantAware.getCurrentTenant()))
|
||||||
mvc.perform(
|
.andDo(MockMvcResultPrinter.print()).andExpect(status().isOk());
|
||||||
get("/{tenant}/controller/v1/" + knownTargetControllerId, tenantAware.getCurrentTenant()))
|
return null;
|
||||||
.andDo(MockMvcResultPrinter.print()).andExpect(status().isOk());
|
});
|
||||||
return null;
|
|
||||||
});
|
|
||||||
|
|
||||||
// verify that audit information has not changed
|
// verify that audit information has not changed
|
||||||
final Target targetVerify = targetManagement.findTargetByControllerID(knownTargetControllerId);
|
final Target targetVerify = targetManagement.findTargetByControllerID(knownTargetControllerId);
|
||||||
@@ -143,22 +145,19 @@ public class DdiRootControllerTest extends AbstractRestIntegrationTestWithMongoD
|
|||||||
@Description("Ensures that tenant specific polling time, which is saved in the db, is delivered to the controller.")
|
@Description("Ensures that tenant specific polling time, which is saved in the db, is delivered to the controller.")
|
||||||
@WithUser(principal = "knownpricipal", allSpPermissions = false)
|
@WithUser(principal = "knownpricipal", allSpPermissions = false)
|
||||||
public void pollWithModifiedGloablPollingTime() throws Exception {
|
public void pollWithModifiedGloablPollingTime() throws Exception {
|
||||||
securityRule.runAs(
|
securityRule.runAs(WithSpringAuthorityRule.withUser("tenantadmin", HAS_AUTH_TENANT_CONFIGURATION), () -> {
|
||||||
WithSpringAuthorityRule.withUser("tenantadmin", SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION),
|
tenantConfigurationManagement.addOrUpdateConfiguration(TenantConfigurationKey.POLLING_TIME_INTERVAL,
|
||||||
() -> {
|
"00:02:00");
|
||||||
tenantConfigurationManagement.addOrUpdateConfiguration(TenantConfigurationKey.POLLING_TIME_INTERVAL,
|
return null;
|
||||||
"00:02:00");
|
});
|
||||||
return null;
|
|
||||||
});
|
|
||||||
|
|
||||||
securityRule.runAs(
|
securityRule.runAs(WithSpringAuthorityRule.withUser("controller", CONTROLLER_ROLE_ANONYMOUS), () -> {
|
||||||
WithSpringAuthorityRule.withUser("controller", SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS), () -> {
|
mvc.perform(get("/{tenant}/controller/v1/4711", tenantAware.getCurrentTenant()))
|
||||||
mvc.perform(get("/{tenant}/controller/v1/4711", tenantAware.getCurrentTenant()))
|
.andDo(MockMvcResultPrinter.print()).andExpect(status().isOk())
|
||||||
.andDo(MockMvcResultPrinter.print()).andExpect(status().isOk())
|
.andExpect(content().contentType(MediaTypes.HAL_JSON))
|
||||||
.andExpect(content().contentType(MediaTypes.HAL_JSON))
|
.andExpect(jsonPath("$config.polling.sleep", equalTo("00:02:00")));
|
||||||
.andExpect(jsonPath("$config.polling.sleep", equalTo("00:02:00")));
|
return null;
|
||||||
return null;
|
});
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|||||||
@@ -39,6 +39,7 @@ import org.eclipse.hawkbit.repository.model.DistributionSetMetadata;
|
|||||||
import org.eclipse.hawkbit.repository.model.SoftwareModule;
|
import org.eclipse.hawkbit.repository.model.SoftwareModule;
|
||||||
import org.eclipse.hawkbit.repository.model.Target;
|
import org.eclipse.hawkbit.repository.model.Target;
|
||||||
import org.eclipse.hawkbit.repository.model.TargetWithActionType;
|
import org.eclipse.hawkbit.repository.model.TargetWithActionType;
|
||||||
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
@@ -81,6 +82,9 @@ public class MgmtDistributionSetResource implements MgmtDistributionSetRestApi {
|
|||||||
@Autowired
|
@Autowired
|
||||||
private DistributionSetManagement distributionSetManagement;
|
private DistributionSetManagement distributionSetManagement;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private SystemSecurityContext systemSecurityContext;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public ResponseEntity<PagedList<MgmtDistributionSet>> getDistributionSets(
|
public ResponseEntity<PagedList<MgmtDistributionSet>> getDistributionSets(
|
||||||
@RequestParam(value = MgmtRestConstants.REQUEST_PARAMETER_PAGING_OFFSET, defaultValue = MgmtRestConstants.REQUEST_PARAMETER_PAGING_DEFAULT_OFFSET) final int pagingOffsetParam,
|
@RequestParam(value = MgmtRestConstants.REQUEST_PARAMETER_PAGING_OFFSET, defaultValue = MgmtRestConstants.REQUEST_PARAMETER_PAGING_DEFAULT_OFFSET) final int pagingOffsetParam,
|
||||||
@@ -119,8 +123,9 @@ public class MgmtDistributionSetResource implements MgmtDistributionSetRestApi {
|
|||||||
|
|
||||||
LOG.debug("creating {} distribution sets", sets.size());
|
LOG.debug("creating {} distribution sets", sets.size());
|
||||||
// set default Ds type if ds type is null
|
// set default Ds type if ds type is null
|
||||||
sets.stream().filter(ds -> ds.getType() == null).forEach(ds -> ds.setType(this.systemManagement
|
final String defaultDsKey = systemSecurityContext.runAsSystem(() -> this.systemManagement
|
||||||
.getTenantMetadata(this.currentTenant.getCurrentTenant()).getDefaultDsType().getKey()));
|
.getTenantMetadata(this.currentTenant.getCurrentTenant()).getDefaultDsType().getKey());
|
||||||
|
sets.stream().filter(ds -> ds.getType() == null).forEach(ds -> ds.setType(defaultDsKey));
|
||||||
|
|
||||||
final Iterable<DistributionSet> createdDSets = this.distributionSetManagement
|
final Iterable<DistributionSet> createdDSets = this.distributionSetManagement
|
||||||
.createDistributionSets(MgmtDistributionSetMapper.dsFromRequest(sets, this.softwareManagement,
|
.createDistributionSets(MgmtDistributionSetMapper.dsFromRequest(sets, this.softwareManagement,
|
||||||
|
|||||||
@@ -14,10 +14,10 @@ import java.io.ByteArrayInputStream;
|
|||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Random;
|
import java.util.Random;
|
||||||
|
|
||||||
|
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||||
import org.eclipse.hawkbit.repository.jpa.model.JpaSoftwareModule;
|
import org.eclipse.hawkbit.repository.jpa.model.JpaSoftwareModule;
|
||||||
import org.eclipse.hawkbit.repository.model.DistributionSet;
|
import org.eclipse.hawkbit.repository.model.DistributionSet;
|
||||||
import org.eclipse.hawkbit.repository.model.Target;
|
import org.eclipse.hawkbit.repository.model.Target;
|
||||||
import org.eclipse.hawkbit.repository.model.TenantMetaData;
|
|
||||||
import org.eclipse.hawkbit.repository.report.model.TenantUsage;
|
import org.eclipse.hawkbit.repository.report.model.TenantUsage;
|
||||||
import org.eclipse.hawkbit.repository.test.util.WithSpringAuthorityRule;
|
import org.eclipse.hawkbit.repository.test.util.WithSpringAuthorityRule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
@@ -30,15 +30,6 @@ import ru.yandex.qatools.allure.annotations.Stories;
|
|||||||
@Stories("System Management")
|
@Stories("System Management")
|
||||||
public class SystemManagementTest extends AbstractJpaIntegrationTestWithMongoDB {
|
public class SystemManagementTest extends AbstractJpaIntegrationTestWithMongoDB {
|
||||||
|
|
||||||
@Test
|
|
||||||
@Description("Ensures that you can create a tenant without setting the necessary security context which holds a current tenant")
|
|
||||||
public void createInitialTenantWithoutSecurityContext() {
|
|
||||||
securityRule.clear();
|
|
||||||
final String tenantToBeCreated = "newTenantToCreate";
|
|
||||||
final TenantMetaData tenantMetadata = systemManagement.getTenantMetadata(tenantToBeCreated);
|
|
||||||
assertThat(tenantMetadata).isNotNull();
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Description("Ensures that findTenants returns all tenants and not only restricted to the tenant which currently is logged in")
|
@Description("Ensures that findTenants returns all tenants and not only restricted to the tenant which currently is logged in")
|
||||||
public void findTenantsReturnsAllTenantsNotOnlyWhichLoggedIn() throws Exception {
|
public void findTenantsReturnsAllTenantsNotOnlyWhichLoggedIn() throws Exception {
|
||||||
@@ -109,26 +100,27 @@ public class SystemManagementTest extends AbstractJpaIntegrationTestWithMongoDB
|
|||||||
|
|
||||||
for (int i = 0; i < tenants; i++) {
|
for (int i = 0; i < tenants; i++) {
|
||||||
final String tenantname = "tenant" + i;
|
final String tenantname = "tenant" + i;
|
||||||
securityRule.runAs(WithSpringAuthorityRule.withUserAndTenant("bumlux", tenantname), () -> {
|
securityRule.runAs(WithSpringAuthorityRule.withUserAndTenant("bumlux", tenantname, true, true,
|
||||||
systemManagement.getTenantMetadata(tenantname);
|
SpringEvalExpressions.SYSTEM_ROLE), () -> {
|
||||||
if (artifactSize > 0) {
|
systemManagement.getTenantMetadata(tenantname);
|
||||||
createTestArtifact(random);
|
if (artifactSize > 0) {
|
||||||
createDeletedTestArtifact(random);
|
createTestArtifact(random);
|
||||||
}
|
createDeletedTestArtifact(random);
|
||||||
if (targets > 0) {
|
|
||||||
final List<Target> createdTargets = createTestTargets(targets);
|
|
||||||
if (updates > 0) {
|
|
||||||
for (int x = 0; x < updates; x++) {
|
|
||||||
final DistributionSet ds = testdataFactory.createDistributionSet("to be deployed" + x,
|
|
||||||
true);
|
|
||||||
|
|
||||||
deploymentManagement.assignDistributionSet(ds, createdTargets);
|
|
||||||
}
|
}
|
||||||
}
|
if (targets > 0) {
|
||||||
}
|
final List<Target> createdTargets = createTestTargets(targets);
|
||||||
|
if (updates > 0) {
|
||||||
|
for (int x = 0; x < updates; x++) {
|
||||||
|
final DistributionSet ds = testdataFactory
|
||||||
|
.createDistributionSet("to be deployed" + x, true);
|
||||||
|
|
||||||
return null;
|
deploymentManagement.assignDistributionSet(ds, createdTargets);
|
||||||
});
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
return random;
|
return random;
|
||||||
|
|||||||
Reference in New Issue
Block a user