lingwei.kong/hawkbit
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
3,593 Commits 1 Branch 0 Tags
21581c4ea4bfec27b0e9370ea9dc2ae6b950d981
Commit Graph

182 Commits

Author SHA1 Message Date
Avgustin Marinov
21581c4ea4 Fine-grained permissions (#2535) 
* Fine-grained permissions

Adds support for permissions of type <permission>(/<rsql filter scope>)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

* Apply review fixes

---------

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-07-10 13:51:49 +03:00
Avgustin Marinov
8c6d56f177 Make some test timeouts (await) configurable (#2525) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-07-02 12:45:26 +03:00
Avgustin Marinov
ef25aa59f0 Fix new line after @Test (#2486) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-06-20 17:42:55 +03:00
Avgustin Marinov
cb7f1107fe Remove allure (phase2) (#2483) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-06-20 15:51:06 +03:00
Avgustin Marinov
0ba4c7b790 Update documentation (#2451) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-06-13 13:19:35 +03:00
Denislav Prinov
7aa33cd96b Refactoring the audit log message -> description field 
Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>
 2025-04-22 08:11:53 +03:00
Avgustin Marinov
32990ab2ea Add CORS support for DDI API (#2337) 
For instance if used in remote swagger or web apps

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-04-02 09:01:02 +03:00
Denislav Prinov
c6d89f6c83 Audit log wildcard * introduction to include all parameters by default 
Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>
 2025-04-01 10:02:26 +03:00
Denislav Prinov
23154d70cc Audit Logging in HawkBit (#2314) 
* Introduction of Audit Logging in hawkBit

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>

* Introduction of Audit Logging in hawkBit

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>

* Refactoring:

* applied code formatter
* audit moved into hawkbit-security-core
* minimize dependences
* use AuditorAware to retrieve user - so to be compatible with the logs into DB

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

* Move audit entities to security core

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>

* Introduce audit log method types

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>

---------

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
Co-authored-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-03-31 08:51:54 +03:00
Avgustin Marinov
1c3245e013 Remove SYSTEM_ADMIN imply ROLTE_TENANT_ADMIN (#2293) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-02-19 14:45:09 +02:00
Avgustin Marinov
76ce1cf052 Cleanup and improve the controller authentication (#2287) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2025-02-18 15:10:16 +02:00
Avgustin Marinov
849ea24632 Security artifacts moved in hawkbit-security-parent (#2016) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2024-11-12 12:50:36 +02:00
Avgustin Marinov
3effa996dd Refactor tenancy classes (#1972) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2024-11-08 16:12:18 +02:00
Avgustin Marinov
590dbc06ff Fix TenantAwareUserPropertes.User password (#1971) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2024-11-08 15:42:57 +02:00
Avgustin Marinov
a1e319ee37 Remove OidcUserManagementAutoConfiguration (#1969) 
[release notes]

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2024-11-08 14:32:17 +02:00
Avgustin Marinov
73253abce0 Refactor hawkbit-core (#1967) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2024-11-08 13:11:59 +02:00
Avgustin Marinov
ade5723c8c Remove unused TenantUserPasswordAuthenticationToken (#1966) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2024-11-08 12:29:19 +02:00
Avgustin Marinov
03baf2a4c2 Remvoe PermissionUtils class (#1965) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2024-11-08 11:36:16 +02:00
Avgustin Marinov
c69efe65b2 Remove PermissionsUtil (#1964) 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
 2024-11-08 11:31:09 +02:00
Avgustin Marinov
1c16bd66d3 Code format hawkbit2 (#1949) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-11-05 11:43:54 +02:00
Avgustin Marinov
d842bc2aaa Code format hawkbit (#1948) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-11-05 11:41:56 +02:00
Avgustin Marinov
71aa00ca7c Code format - hawkbit-security-core (#1925) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-11-05 09:21:55 +02:00
Avgustin Marinov
8da475dff0 MDC hanlder refactoring (#1911) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-10-23 09:20:15 +03:00
Avgustin Marinov
12928a5939 Fix/jparolloutshandlerlogging (#1819) 
Fix JpaExecutorHandler logging MDC context

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-13 09:30:09 +03:00
Avgustin Marinov
9bb61fd829 Add MDC context in SecurityContdxtTenantAware (#1818) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-13 09:06:53 +03:00
Avgustin Marinov
a99e80b41e MDCHandler - fix sonar findings (#1816) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-12 11:45:35 +03:00
Avgustin Marinov
e10542929a Small code clean-up (#1815) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-12 09:11:19 +03:00
Avgustin Marinov
e9759fecdb Fix MDCHandler unused import (#1814) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-12 08:45:27 +03:00
Avgustin Marinov
e1d928e92e Fix MDCHandler when authentication is null (#1813) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-12 08:43:01 +03:00
Avgustin Marinov
d851fa4d02 Remove hard servlet dependency from SystemSecurityContext (#1812) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-11 10:50:01 +03:00
Avgustin Marinov
e874cf5014 Feature/remove hard requirements for mdc (#1811) 
* Remove hard requirements for MDCHandler dependencies

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

---------

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-09 18:12:58 +03:00
Avgustin Marinov
8c2d1037bb Fix Sonar findings (#1810) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-09 17:43:50 +03:00
Avgustin Marinov
9dd493d783 Fix MDCHandler for servlets. Config enable -> enabled (#1808) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-09 16:38:20 +03:00
Avgustin Marinov
141d167a81 Improve MDCHolder method names (#1807) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-09 14:31:14 +03:00
Avgustin Marinov
c8321fdb44 Feature/add tenant and user into mdc (#1806) 
* Add MDC

* Add tenant/user into MDC in order to be possible to be used in logging

Enabled by default. Could be disabled via hawkbit.logging.mdchandler.enable=false

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

---------

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-09 14:27:07 +03:00
Avgustin Marinov
bcafdbdb86 Remove contentSecurityPolicy - UI leftover (#1805) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-08-09 08:22:41 +03:00
Avgustin Marinov
6106d3c16c Fix sonar findings (#1792) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-07-29 13:50:42 +03:00
Avgustin Marinov
9cc9b23398 Make noop default password encoder for StaticAuthenticationProvider (#1791) 
if no provider is specified for the password

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-07-29 11:51:13 +03:00
Avgustin Marinov
3a34ded4f6 Support for simultaneous base and OAuth authentication (#1785) 
* Remove _OidcAuthenticationSuccessHandler_:
  * _OAuth2AuthenticationToken.setDetails_ is made by jwt authentication converter
  * get tenant data (with potentially creating tenant) is done via a filter added in filterChainREST
* _filterChainREST_ uses _Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>>_ as configuration for OAuth. Thus it is not bound with oauth client configuration
* _OidcUserManagementAutoConfiguration_ - now registers (if conditions are met) Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> which covers both - oauth legacy filter from filterChainREST and OidcBearerTokenAuthenticationFilter
* Since oauth clients are not related to hawkBit anymore (since removal of legacy UI) and the proper configuration would be via resource server or whatever, the _OidcUserManagementAutoConfiguration_ is DEPRECATED and for removal
* _UserAuthenticationFilter_ is removed
* Enabled sumiltaneous base and oauth authentication. Still, by default, if OAuth configured http authentication is disabled. However, if OAuth it is configured (via _Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>>)_ and **hawkbit.server.security.allowHttpBasicOnOAuthEnabled** is set to **true** then http auth would be also enabled
* _OidcUserManagementAutoConfiguration_ could be disabled with **hawkbit.server.security.oAuth2OnClientsConfig.enabled=false**

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-07-26 10:59:15 +03:00
Avgustin Marinov
6b8917e229 Remove MultitenancyIndicator as not used (#1787) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-07-26 09:34:11 +03:00
Avgustin Marinov
6e6f96a0f4 Fix lastModifiedBy on modification perfomed by the JpaRolloutExecutor (#1748) 
1. The auditor is got on transaction commit - so haven't used the tenant & user context until now - write system
2. The start/stop/delete are called by the user (saved in lastModifiedBy) but then executed in JpaRolloutExecutor

So the change is:
1. Fix auditor for actions taken by JpaRolloutExecutor to be the createdBy
2. for start/stop/delete the auditor is set to the lastModifiedBy for the transaction (hence all action taken)

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-06-21 08:27:24 +03:00
Avgustin Marinov
8d9cfcb17b Remove PermissionService - unused (#1717) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-04-18 12:47:26 +03:00
Avgustin Marinov
1f2dd28ab6 [#1712] Fix READ_TENANT_CONFIGURATION hierarchy and add tests (#1714) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-04-12 17:39:31 +03:00
Avgustin Marinov
3611a8eccd [#1712] Introduce READ_TENANT_CONFIGURATION permission (#1713) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-04-12 14:30:29 +03:00
Avgustin Marinov
1640025a25 Apply role hierarchy in hasPermission checks (#1675) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-03-07 18:52:50 +02:00
Avgustin Marinov
536bb19382 Add Roles and Hierarchies (#1673) 
Adds Roles (SpRole -> TENANT_ADMIN, REPOSITORY_ADMIN, ...) and
intuitive hierarcy rules for them

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-03-01 12:35:40 +02:00
Avgustin Marinov
f45d8f0180 Fix TenantAwareUserProperies (#1672) 
Fixed in order to get properties of form hawkbit.security.user.<username>.<property>

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-02-29 16:03:11 +02:00
Avgustin Marinov
311922c4aa Move static config based auth provider in security-core (#1671) 
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-02-29 15:18:44 +02:00
Avgustin Marinov
a0db5ff70e Rename UserTenantAware to TenantAwareUser (#1668) 
in order to be compatible with other TenantAware entities

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-02-27 08:43:40 +02:00
Avgustin Marinov
24d70827b7 Improve hawkBit user management (#1666) 
1. Definded with properties users (static) are configured using property map (no need of indexes)
2. AuthenticationProvider that authenticates them is always registered (if not needed - don't configure them)
3. UserDetailsService (in case of missing - won't be registered)
4. Spring security user (spring.security.username) will be registered together with other users (if any). If any - it will be system-wide, otherwise tenant-scoped.
5. UserPrincipal renamed to TenantAwareUser in order to match its purpose.
6. Some if its fields are removes as not needed - to be closer to spring security user
7. DefaultRolloutApprovalStrategy now use UserAuthoritiesResolver instead of UserDetailsService as the central point of truth

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
 2024-02-26 16:56:37 +02:00