Commit Graph

112 Commits

Author SHA1 Message Date
Avgustin Marinov
1f71e01318 Implement JSON security context serializer (new default) - smaller info and human readable (#2652)
keeps backward compatibility by being able to fallback to JAVA_SERIALIZATION

+ fix DMF messages with status code

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-09-05 13:35:45 +03:00
Avgustin Marinov
93f7e51565 Rename LocalArtifactRepository to ArtifactRepository (#2643)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-09-03 08:53:11 +03:00
Avgustin Marinov
2a636328a0 20250828 cleanup (#2639)
* Cleanup

* Refactor artifact management
2025-09-02 16:08:14 +03:00
Avgustin Marinov
b4edde8cc3 Refactor Management interfaces: find/get pattern (#2609)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-08-15 16:18:32 +03:00
Avgustin Marinov
c5bbbeaac7 Align DeploymentRequestBuilder with the rest of the builders (#2607)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-08-13 08:58:35 +03:00
Avgustin Marinov
441b78460d Improve Permission Management (#2604)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-08-12 14:09:27 +03:00
Avgustin Marinov
124fef189e Remove Rollout(Group) builders (#2603)
* Fix entityManager.merge for ds and sm

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

* Remove Rollout(Group) builders

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

* Remove EntityFactory

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

---------

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-08-11 14:01:03 +03:00
Avgustin Marinov
5217297c24 Fix Sonar findings (#2600)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-08-08 10:33:17 +03:00
Avgustin Marinov
c038c507a9 TargetManagement over RepositoryManagement (#2599)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-08-07 17:20:22 +03:00
Avgustin Marinov
08cacf9034 Soft Module metadata as complex map value (#2568)
---------

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-07-30 17:29:02 +03:00
Vasil Ilchev
4a8e60764f Remote Events migrated from Spring Bus to Spring Cloud Stream (#2563)
* Remote Events migrated from Spring Bus to Spring Cloud Stream

---------

Co-authored-by: vasilchev <vasil.ilchev@bosch.com>
2025-07-30 16:58:00 +03:00
Avgustin Marinov
10da0288d9 Fix sonar findings (#2572)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-07-30 10:13:23 +03:00
Avgustin Marinov
2b66449ff1 Fine grained repository permissions (#2562)
1. Introduce @PrreAuthorize check based on hasPermission - allowing custom processing (compared with non-modifiable hasAuthority/Role processing)
2. Dedicated permissions could be implemented on management api level. Check is made by plugged in PermissionEvaluator
3. Thus common XXX_REPOSITORY permissions could differ for extending services
4. Change create/update entity builder pattern - not via EntityFactory but via clean static lombok based builders (with fine fluent api).
5. Implement abstract repository management jpa class that handles the boilerplate code from extending classes in single place consistently -> AbsreactJpaRepositoryManagement
6. Register management api-s as **Sevice**-s instead of **Bean**-s in order to make easier maintainable and get away from heavy argument forwading
7. Simplify custom hawkbit repository registration + adding proxy to handle exception mapping at lower level - thus not depending on Aspects for converting exceptions
8. Implemented general purpose 'copy' utility (ObjectCopyUtil) that using getter/setter patterns is able to copy (e.g. Create/Update) objects to other objects (e.g. JPA entity objects)
2025-07-28 14:57:33 +03:00
Avgustin Marinov
e7373275bf Add distribution set and target type fine grained permissions (#2545)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-07-14 14:52:36 +03:00
Avgustin Marinov
edd6dabb90 Move artifact encryption to hawkbit-artifact-api where it does belong (#2540)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-07-10 11:57:44 +03:00
Avgustin Marinov
cd2c68081f Refactor RabbitMQ configuration (#2519)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-06-30 15:50:30 +03:00
Avgustin Marinov
2992f5c211 Refactor management api style (#2445)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-06-10 17:09:03 +03:00
Denislav Prinov
7aa33cd96b Refactoring the audit log message -> description field
Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>
2025-04-22 08:11:53 +03:00
Avgustin Marinov
36fa915cbc Improve @Value properties (#2352)
Implement recommendation from https://docs.spring.io/spring-boot/reference/features/external-config.html to use kebab case for @Values:

If you do want to use @Value, we recommend that you refer to property names using their canonical form (kebab-case using only lowercase letters). This will allow Spring Boot to use the same logic as it does when relaxed binding @ConfigurationProperties.

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-04-11 16:46:34 +03:00
Denislav Prinov
23154d70cc Audit Logging in HawkBit (#2314)
* Introduction of Audit Logging in hawkBit

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>

* Introduction of Audit Logging in hawkBit

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>

* Refactoring:

* applied code formatter
* audit moved into hawkbit-security-core
* minimize dependences
* use AuditorAware to retrieve user - so to be compatible with the logs into DB

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

* Move audit entities to security core

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>

* Introduce audit log method types

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>

---------

Signed-off-by: Denislav Prinov <denislav.prinov@bosch.com>
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
Co-authored-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-03-31 08:51:54 +03:00
Avgustin Marinov
21ec2e581a Fix AMQP retries when attribute characters are invalid (#2327)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-03-26 16:53:48 +02:00
Avgustin Marinov
beda747c67 Remove unnecessary JsonProperty annotations (#2296)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-02-25 08:40:14 +02:00
Avgustin Marinov
fbaa352f7f Sonar Fixes (10) (#2222)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-01-23 16:48:24 +02:00
Avgustin Marinov
bb9c9bfad8 Remove some of the field injections (Sonar recomendtion) (#2218)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-01-23 09:52:29 +02:00
Avgustin Marinov
5dabe9117a Fix SonarQube issues (2) (#2205)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-01-20 16:29:45 +02:00
Avgustin Marinov
b294798ae5 SystemManagement getTenantMetadata - fetch details, added method getTenantMetadataWithoutDetails (#2194)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-01-10 15:37:57 +02:00
Avgustin Marinov
39861e7790 Refactor action repository (#2118)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-12-05 11:41:41 +02:00
Avgustin Marinov
016bada08b Fix unused tenant param in AmqpMessageDispatcherService (#2101)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-11-23 11:15:56 +02:00
Avgustin Marinov
37dea970d2 Fix EventPublisherAuthConfiguration to run as system (#2099)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-11-22 17:59:25 +02:00
Avgustin Marinov
4de34eacc3 Fix AmqpMessageDispatcherServiceTest.testSendCancelRequest - set action tenant (#2098)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-11-22 17:36:07 +02:00
Avgustin Marinov
9df68e2d97 Fix DMF context (as system) (#2097)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-11-22 15:32:00 +02:00
Avgustin Marinov
ca2c50ffa5 Code refactoring of hawkbit-dmf-amqp (#2054)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-11-16 20:17:13 +02:00
Avgustin Marinov
56ff8168f9 Rename org.eclipse.hawkbit.api -> org.eclipse.hawkbit.artifact.repository.urlhandler (#1980)
_release_notes_

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-11-08 17:40:27 +02:00
Avgustin Marinov
3effa996dd Refactor tenancy classes (#1972)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-11-08 16:12:18 +02:00
Avgustin Marinov
7a0735c17e Remove AUTHENTICATION_EXCHANGE as unused (#1953)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2024-11-06 11:38:52 +02:00
Avgustin Marinov
8d3cc6d59f Fix sonar findings (#1951)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-11-05 16:19:29 +02:00
Avgustin Marinov
ec5b797d41 Code format hawkbit-dmf-amqp (#1936)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-11-05 11:24:04 +02:00
Avgustin Marinov
d958d8e82c Remove download by downloadId functionality (#1820)
This functionallity seems to get via AMQP (after some authentication)
a private (wihtout need of authentication) url to an artifact assigned
to the controller.

By default, DDI or DMF shall provide proper urls (for direct download)
to devices and if they have to be without authentication this shall be
solved in different ways - for instance separate download server providing
dedicated private / signed urls.

This functinallity is not a real hawkBit part but more like something
intended to solve some edge cases.
Since it is complicated, heeds support, doesn't solve wide spread use
cases, and could be achieved with other means - better to be removed.

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-08-14 17:28:46 +03:00
Avgustin Marinov
da3a6470ec Refactoring/Improving source: dmf (#1611)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-02-04 11:05:38 +02:00
Avgustin Marinov
791b87b27b Reduce dependency on Guava 2 (#1590)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-02-03 00:43:10 +02:00
Avgustin Marinov
ee5e12a300 Test lombok on AmqpProperties (#1585)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-02-03 00:15:15 +02:00
Avgustin Marinov
bce69676d2 Reduce dependency on Guava (#1589)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-02-02 22:21:46 +02:00
Avgustin Marinov
537a942021 Made implicit tenant meta data creation configurable (#1575)
In hawkBit up to 0.4.1 it was true - getTenantMetadate created implicitly a tenant metadata.  It was disable in latest commits - but now it is made optional - disabled by default

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-01-30 15:46:39 +02:00
Stanislav Trailov
cbc2185561 Make Amqp Handler service conditional in order to add possibility to be overriden (#1567)
Signed-off-by: TRS1SF3 <Stanislav.Trailov@bosch.io>
2024-01-26 17:41:32 +02:00
charvadzo
49a5509e89 Enable specifying target type when created using DMF API (#1472)
Extension of DMF API with possibility of setting target
type name when creating target. If a target type with the
provided name is found (was created beforehand) then it
is associated with the new target.

Signed-off-by: Ondrej Charvat <ondrej.charvat@proton.me>
2024-01-22 15:01:00 +02:00
charvadzo
af56b71d53 Provide artifact last modified timestamp on DMF API (#1470)
Sets lastModified filed of DmfArtifact DTO according to artifact's last modification timestamp so it is server over DMF.

Signed-off-by: Ondrej Charvat <ondrej.charvat@proton.me>
2024-01-22 10:33:26 +02:00
Avgustin Marinov
7440d90f59 [#1383] Spring Boot 3 migration Step 2 (#1559)
* [#1383] Spring Boot 3 migration Step 2

Some of the steps:

1. Change spring version parent and versions in root pom.xml
2. update eclipselink versions
3. javax.annotation -> jakarta.annotation (*.java)
4. javax.persistence -> jakarta.persistence (*.java)
5. javax.servlet -> jakarta.servlet (*.java, pom.xml)
6. javax.validation:validation-api -> jakarta.validation:jakarta.validation-api (pom.xml)
7. javax.validation -> jakarta.validation (*.java)
8. javax.transaction -> jakarta.transaction (*.java)
9. replace spring-cloud-stream-binder-test (hawkbit-repository-test) with
```
<dependency>
   <groupId>org.springframework.cloud</groupId>
   <artifactId>spring-cloud-stream-test-binder</artifactId>
</dependency>
```
, TestSupportBinderAutoConfiguration.class }) -> })
@Import(TestChannelBinderConfiguration.class)
10. Set to Simple UI standard parent
11. requestMatchers to securityMatcher
12. @SpringBootApplication(scanBasePackages = "org.eclipse.hawkbit") (otherwise for instance flyway doesn't work - suffix is default ".sql", not H2.sql and don't differentiate dbs? strange is there a change?)
13. @NonEmpty for Long leads to validation exception - replaced with @NotNull
14. RSQLUtilityTest.correctRsqlBuildsPredicate - fixed - mock query builder add method
15. https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#spring-mvc-and-webflux-url-matching-changes - aliases as targers/ return 404 - remove trailing slash
16. firewall tests (allowedHostNameWithNotAllowedHost) doesn't throw 'rejected exception' but return 400 instead (as probably is expected anyway)

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com

* Fix tenant listing to do not mix with multitenancy

Tenant metadata is not multitenancy aware while depend on distribution set type
which is. Thus querying all tenant metadata (in non tenant context) sometimes leads to
resolution of distribution set type which is tenant scoped and leads to problems.

So, now listing tenant lists just their ids - not fill entities.

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

---------

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2024-01-20 15:57:17 +02:00
Avgustin Marinov
b982039a74 Feature/ctx aware and access controller2 (#1456)
* Introduce the AccessControlManager and use if for the TargetManagement and TargetTypeManagement.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Extend the access control manager by an API to serialize the current active context and persist it for scheduled background operations like auto-assignment.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Verify modification is permitted before performing automatic assignment

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Start with controlling distribution set type access. Perform some refactoring.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Support distribution set access control. Increase character limit to 512 chars for access control context. Refactor default implementations.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Introduce ContextRunner and define admin execution to check for duplicates before creating/updating entities.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Introduce Software Module, Module Type and Artifact control management. Fix tests.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Introduce access controlling test base. Add first test verifying the read operations for target types.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Finalize target type access controlling test.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Introduce ContextRunnerTest and TargetAccessControllingTest.
Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Introduce DistributionSetAccessControllingTest and fix missing access control specifications.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Extend test cases. Include only updatable targets into rollout.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Fix action visibility.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Modifiable->Updatable & UPDATE check where needed

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

* ContextRunner superseded by ContextAware

+ ContextRunner remaned to ContextAware (move as a cenral entry/concept).
  It now extends (and replace) TenantAware
+ SecurityContextTenantAware becomes ContextAware
+ Pluggable serialization mechanism
  (default Java serialization of contexts) for SecurityContextTenantAware
  (using SecurityContextSerializer)
+ AccessControl methods are added to ensure no entities fill be retrieved
  just to call access control - so, if all permitted - no additional db
  queries will be made
+ &lt;repo type&gt;AccessControl classes removed and replaced with
  AccessControl &lt;repo type&gt; generics
+ AccessControlService removed - every AccessControl is registered and
  overiden independently
+ access_control_context in DB increased to 4k (in order to support java
  security context serialization)
+ needed adaptaion of implemtation and tests done

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

* Refactor SoftModules & DistSets

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

* Refactoring of the Repositories

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

* Repostiotory level permissions

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

* Improvements

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

* Simplification of AccessControl interface

* Simplifications & management package

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

* Implementation improvements

+ Artifact management & repo reviewed and tuned
+ Action(Status) management & repo reviewed and tuned
+ SoftwareModule(Type/Meta) management & repo reviewed and tuned
+ DistributionSet(Type/Tag/Meta) management(+Invalidation) & repo reviewed and tuned
+ Target(Tag/Type/Meta) management & repo reviewed and tuned
+ TargetQueryFilter management & repo reviewed and tuned

* Apply suggestions from code review

Suggestions accepted. Thanks @herdt-michael

Co-authored-by: Michael Herdt <michael.herdt@bosch.com>

* Apply suggestions from code review 2

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>

---------

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
Co-authored-by: Michael Herdt <Michael.Herdt@bosch.com>
2023-11-16 11:07:06 +02:00
Avgustin Marinov
9c86729a68 [#1393,#1008] Switch to Eclipse v2.0 license (#1427)
Switching license from EPL v1 to v2. Following
https://www.eclipse.org/legal/epl-2.0/faq.php#h.tci84nlsqpgw

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2023-09-14 11:03:20 +03:00
Avgustin Marinov
acff82f60f Small security improvements (#1412)
Typos fixed

Disables empty string gateway token for sure. Test if the gateway token is not empty string ecplicitly.
Empty string is the default value and if accepted could be a security vulnerability (e.g. enabling gateway token
authentication and using empty string as token). According to https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.4
the header value shall not have trailing spaces and the http server shall already have trimmed them. So if execution passes
start with "GatewayToken " then token shall not be empty. But but let's check anyway

In UI first set key then enable the gateway token authentication. Otherwise the key might be left empty (default). This however
shall not be really problem since (because of token trimming) the empty token will be rejected anyway.

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
2023-08-16 14:25:17 +03:00