Finalize and polish fine-grained permission (#2660)

* Remove _REPOSITORY_ permissions -> replaced with _SOFTWARE_MODULE_, _SOFTWARE_MODULE_TYPE_, _DISTRIBUTION_SET_, _DISTRIBUTION_SET_TYPE_ permissions
* Still kept _ROLE_REPOSITORY_ADMIN_ role granting all repository fine-graned permissions
* Added dedicated _TARGET_TYPE_ permission set - the _TARGET_ permissions just grant _READ_TARGET_TYPE_ (analogically _SOFTWARE_MODULE_ permissions grant _READ_SOFTWARE_MODULE_TYPE_ and _DISTRIBUTION_SET_ grants _READ_DISTRIBUTON_SET_TYPE_
* Hierarcy is not configurable - could be completely replaced by setting spring application property org.eclipse.hawkbit.hierarchy or could be extended by adding rules using org.eclipse.hawkbit.hierarchy.ext

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

Author: avgustinmm

hawkbit-mgmt/hawkbit-mgmt-resource/src/main/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtDistributionSetResource.java

@@ -17,7 +17,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.Optional;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 
 import jakarta.validation.ValidationException;
@@ -88,7 +88,6 @@ public class MgmtDistributionSetResource implements MgmtDistributionSetRestApi {
     private final DeploymentManagement deployManagement;
     private final SystemManagement systemManagement;
     private final MgmtDistributionSetMapper mgmtDistributionSetMapper;
-    private final SystemSecurityContext systemSecurityContext;
     private final TenantConfigHelper tenantConfigHelper;
 
     @SuppressWarnings("java:S107")
@@ -112,7 +111,6 @@ public class MgmtDistributionSetResource implements MgmtDistributionSetRestApi {
         this.tenantConfigHelper = TenantConfigHelper.usingContext(systemSecurityContext, tenantConfigurationManagement);
         this.mgmtDistributionSetMapper = mgmtDistributionSetMapper;
         this.systemManagement = systemManagement;
-        this.systemSecurityContext = systemSecurityContext;
     }
 
     @Override
@@ -144,23 +142,27 @@ public ResponseEntity<MgmtDistributionSet> getDistributionSet(final Long distrib
     public ResponseEntity<List<MgmtDistributionSet>> createDistributionSets(final List<MgmtDistributionSetRequestBodyPost> sets) {
         log.debug("creating {} distribution sets", sets.size());
         // set default Ds type if ds type is null
-        final String defaultDsKey = systemSecurityContext.runAsSystem(systemManagement.getTenantMetadata().getDefaultDsType()::getKey);
+        final String defaultDsKey = systemManagement.getTenantMetadata().getDefaultDsType().getKey();
         sets.stream().filter(ds -> ds.getType() == null).forEach(ds -> ds.setType(defaultDsKey));
 
-        //check if there is already deleted DS Type
-        for (final MgmtDistributionSetRequestBodyPost ds : sets) {
-            final Optional<? extends DistributionSetType> opt = distributionSetTypeManagement.findByKey(ds.getType());
-            opt.ifPresent(dsType -> {
-                if (dsType.isDeleted()) {
-                    final String text = "Cannot create Distribution Set from type with key {0}. Distribution Set Type already deleted!";
-                    final String message = MessageFormat.format(text, dsType.getKey());
-                    throw new ValidationException(message);
-                }
-            });
-        }
-
-        final Collection<? extends DistributionSet> createdDSets = distributionSetManagement
-                .create(mgmtDistributionSetMapper.fromRequest(sets));
+        // check if target ds types exist and are not deleted, also caches them
+        final Map<String, DistributionSetType> dsTypeKeyToDsType = sets.stream()
+                .map(MgmtDistributionSetRequestBodyPost::getType)
+                .distinct()
+                .collect(Collectors.toMap(
+                        Function.identity(),
+                        dsTypeKey ->
+                                distributionSetTypeManagement.findByKey(dsTypeKey).map(dsType -> {
+                                    if (dsType.isDeleted()) {
+                                        throw new ValidationException(MessageFormat.format(
+                                                "Cannot create Distribution Set from type with key {0}. Distribution Set Type already deleted!",
+                                                dsTypeKey));
+                                    }
+                                    return dsType;
+                                }).orElseThrow(() -> new EntityNotFoundException(DistributionSetType.class,  dsTypeKey))));
+
+        final Collection<? extends DistributionSet> createdDSets =
+                distributionSetManagement.create(mgmtDistributionSetMapper.fromRequest(sets, defaultDsKey, dsTypeKeyToDsType));
 
         log.debug("{} distribution sets created, return status {}", sets.size(), HttpStatus.CREATED);
         return new ResponseEntity<>(MgmtDistributionSetMapper.toResponseDistributionSets(createdDSets), HttpStatus.CREATED);

hawkbit-mgmt/hawkbit-mgmt-resource/src/main/java/org/eclipse/hawkbit/mgmt/rest/resource/mapper/MgmtDistributionSetMapper.java

@@ -17,6 +17,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -63,8 +64,38 @@ public class MgmtDistributionSetMapper {
         this.systemManagement = systemManagement;
     }
 
-    public List<DistributionSetManagement.Create> fromRequest(final Collection<MgmtDistributionSetRequestBodyPost> sets) {
-        return sets.stream().map(this::fromRequest).toList();
+    public List<DistributionSetManagement.Create> fromRequest(
+            final Collection<MgmtDistributionSetRequestBodyPost> sets,
+            final String defaultDsKey, final Map<String, DistributionSetType> dsTypeKeyToDsType) {
+        return sets.stream().<DistributionSetManagement.Create>map(dsRest -> {
+            final Set<Long> modules = new HashSet<>();
+            if (dsRest.getOs() != null) {
+                modules.add(dsRest.getOs().getId());
+            }
+            if (dsRest.getApplication() != null) {
+                modules.add(dsRest.getApplication().getId());
+            }
+            if (dsRest.getRuntime() != null) {
+                modules.add(dsRest.getRuntime().getId());
+            }
+            if (dsRest.getModules() != null) {
+                dsRest.getModules().forEach(module -> modules.add(module.getId()));
+            }
+            // distribution set type, if null by the REST call shall be replaced with the default tenant DS  type
+            final String dsTypeKey = Objects.requireNonNull(dsRest.getType(), "Distribution set type must not be null");
+            final DistributionSetType dsType = dsTypeKeyToDsType.get(dsTypeKey);
+            if (dsType == null) {
+                // type should never null, cache is prefilled with all types
+                throw new EntityNotFoundException(DistributionSetType.class, defaultDsKey);
+            }
+            return DistributionSetManagement.Create.builder()
+                    .type(dsType)
+                    .name(dsRest.getName()).version(dsRest.getVersion())
+                    .description(dsRest.getDescription())
+                    .modules(findSoftwareModuleWithExceptionIfNotFound(modules))
+                    .requiredMigrationStep(dsRest.getRequiredMigrationStep())
+                    .build();
+        }).toList();
     }
 
     public static MgmtDistributionSet toResponse(final DistributionSet distributionSet) {
@@ -170,36 +201,6 @@ public static List<MgmtDistributionSet> toResponseFromDsList(final List<? extend
         return sets.stream().map(MgmtDistributionSetMapper::toResponse).toList();
     }
 
-    private DistributionSetManagement.Create fromRequest(final MgmtDistributionSetRequestBodyPost dsRest) {
-        final Set<Long> modules = new HashSet<>();
-        if (dsRest.getOs() != null) {
-            modules.add(dsRest.getOs().getId());
-        }
-        if (dsRest.getApplication() != null) {
-            modules.add(dsRest.getApplication().getId());
-        }
-        if (dsRest.getRuntime() != null) {
-            modules.add(dsRest.getRuntime().getId());
-        }
-        if (dsRest.getModules() != null) {
-            dsRest.getModules().forEach(module -> modules.add(module.getId()));
-        }
-        return DistributionSetManagement.Create.builder()
-                .type(Optional.ofNullable(dsRest.getType())
-                        // if the type is supplied the type MUST exist
-                        .map(typeKey -> distributionSetTypeManagement
-                                .findByKey(typeKey)
-                                .orElseThrow(() -> new EntityNotFoundException(DistributionSetType.class, typeKey)))
-                        .map(DistributionSetType.class::cast)
-                        // if here, the type is not supplied, use the default type
-                        .orElseGet(() -> systemManagement.getTenantMetadata().getDefaultDsType()))
-                .name(dsRest.getName()).version(dsRest.getVersion())
-                .description(dsRest.getDescription())
-                .modules(findSoftwareModuleWithExceptionIfNotFound(modules))
-                .requiredMigrationStep(dsRest.getRequiredMigrationStep())
-                .build();
-    }
-
     private Set<? extends SoftwareModule> findSoftwareModuleWithExceptionIfNotFound(final Set<Long> softwareModuleIds) {
          if (CollectionUtils.isEmpty(softwareModuleIds)) {
             return Collections.emptySet();

hawkbit-mgmt/hawkbit-mgmt-resource/src/test/java/org/eclipse/hawkbit/mgmt/rest/resource/MgmtTargetTypeResourceTest.java

@@ -73,7 +73,6 @@ class MgmtTargetTypeResourceTest extends AbstractManagementApiIntegrationTest {
             principal = "targetTypeTester", allSpPermissions = true,
             removeFromAllPermission = {
                     SpPermission.CREATE_TARGET, SpPermission.READ_TARGET, SpPermission.UPDATE_TARGET, SpPermission.DELETE_TARGET,
-                    SpPermission.CREATE_REPOSITORY, SpPermission.READ_REPOSITORY, SpPermission.UPDATE_REPOSITORY, SpPermission.DELETE_REPOSITORY,
                     SpPermission.READ_TARGET_TYPE })
     void getTargetTypesWithoutPermission() throws Exception {
         mvc.perform(get(TARGETTYPES_ENDPOINT).accept(MediaType.APPLICATION_JSON))

hawkbit-mgmt/hawkbit-mgmt-server/src/test/java/org/eclipse/hawkbit/app/mgmt/PreAuthorizeEnabledTest.java

@@ -29,32 +29,31 @@
 class PreAuthorizeEnabledTest extends AbstractSecurityTest {
 
     /**
-     * Tests whether request fail if a role is forbidden for the user
+     * Tests whether request succeed if a role is granted for the user
      */
     @Test
-    @WithUser(authorities = { SpPermission.READ_TARGET }, autoCreateTenant = false)
-    void failIfNoRole() throws Exception {
+    @WithUser(authorities = { SpPermission.READ_DISTRIBUTION_SET }, autoCreateTenant = false)
+    void successIfHasRole() throws Exception {
         mvc.perform(get("/rest/v1/distributionsets")).andExpect(result ->
-                assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.FORBIDDEN.value()));
+                assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value()));
     }
 
     /**
-     * Tests whether request succeed if a role is granted for the user
+     * Tests whether request fail if a role is forbidden for the user
      */
     @Test
-    @WithUser(authorities = { SpPermission.READ_REPOSITORY }, autoCreateTenant = false)
-    void successIfHasRole() throws Exception {
+    @WithUser(authorities = { SpPermission.READ_TARGET }, autoCreateTenant = false)
+    void failIfNoRole() throws Exception {
         mvc.perform(get("/rest/v1/distributionsets")).andExpect(result ->
-                assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value()));
+                assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.FORBIDDEN.value()));
     }
 
     /**
      * Tests whether request returns distribution set if a role with scope is granted for the user
      */
     @Test
     @WithUser(authorities = {
-            SpPermission.CREATE_REPOSITORY,
-            SpPermission.READ_REPOSITORY,
+            "CREATE_DISTRIBUTION_SET", "READ_DISTRIBUTION_SET_TYPE",
             SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne" }, autoCreateTenant = false)
     void successIfHasRoleWithScope() throws Exception {
         createDsOne("successIfHasRoleWithScope");
@@ -69,8 +68,7 @@ void successIfHasRoleWithScope() throws Exception {
      */
     @Test
     @WithUser(authorities = {
-            SpPermission.CREATE_REPOSITORY,
-            SpPermission.READ_REPOSITORY,
+            "CREATE_DISTRIBUTION_SET", "READ_DISTRIBUTION_SET_TYPE",
             SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2" }, autoCreateTenant = false)
     void failIfHasNoForbiddingScope() throws Exception {
         createDsOne("failIfHasNoForbiddingScope");
@@ -99,8 +97,7 @@ void onlyDSIfNoTenantConfig() throws Exception {
         mvc.perform(get("/rest/v1/system/configs")).andExpect(result -> {
             // returns default DS type because of READ_TARGET
             assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value());
-            assertThat(new ObjectMapper().reader().readValue(result.getResponse().getContentAsString(), HashMap.class))
-                    .hasSize(1);
+            assertThat(new ObjectMapper().reader().readValue(result.getResponse().getContentAsString(), HashMap.class)).hasSize(1);
         });
     }
 

hawkbit-monolith/hawkbit-update-server/src/test/java/org/eclipse/hawkbit/app/PreAuthorizeEnabledTest.java

@@ -29,32 +29,31 @@
 class PreAuthorizeEnabledTest extends AbstractSecurityTest {
 
     /**
-     * Tests whether request fail if a role is forbidden for the user
+     * Tests whether request succeed if a role is granted for the user
      */
     @Test
-    @WithUser(authorities = { SpPermission.READ_TARGET }, autoCreateTenant = false)
-    void failIfNoRole() throws Exception {
+    @WithUser(authorities = { SpPermission.READ_DISTRIBUTION_SET }, autoCreateTenant = false)
+    void successIfHasRole() throws Exception {
         mvc.perform(get("/rest/v1/distributionsets"))
-                .andExpect(result -> assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.FORBIDDEN.value()));
+                .andExpect(result -> assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value()));
     }
 
     /**
-     * Tests whether request succeed if a role is granted for the user
+     * Tests whether request fail if a role is forbidden for the user
      */
     @Test
-    @WithUser(authorities = { SpPermission.READ_REPOSITORY }, autoCreateTenant = false)
-    void successIfHasRole() throws Exception {
+    @WithUser(authorities = { SpPermission.READ_TARGET }, autoCreateTenant = false)
+    void failIfNoRole() throws Exception {
         mvc.perform(get("/rest/v1/distributionsets"))
-                .andExpect(result -> assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value()));
+                .andExpect(result -> assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.FORBIDDEN.value()));
     }
 
     /**
      * Tests whether request returns distribution set if a role with scope is granted for the user
      */
     @Test
     @WithUser(authorities = {
-            SpPermission.CREATE_REPOSITORY,
-            SpPermission.READ_REPOSITORY,
+            "CREATE_DISTRIBUTION_SET", "READ_DISTRIBUTION_SET_TYPE",
             SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne" }, autoCreateTenant = false)
     void successIfHasRoleWithScope() throws Exception {
         createDsOne("successIfHasRoleWithScope");
@@ -69,8 +68,7 @@ void successIfHasRoleWithScope() throws Exception {
      */
     @Test
     @WithUser(authorities = {
-            SpPermission.CREATE_REPOSITORY,
-            SpPermission.READ_REPOSITORY,
+            "CREATE_DISTRIBUTION_SET", "READ_DISTRIBUTION_SET_TYPE",
             SpPermission.READ_DISTRIBUTION_SET + "/name==DsOne2" }, autoCreateTenant = false)
     void failIfHasNoForbiddingScope() throws Exception {
         createDsOne("failIfHasNoForbiddingScope");
@@ -100,8 +98,7 @@ void onlyDSIfNoTenantConfig() throws Exception {
                 .andExpect(result -> {
                     // returns default DS type because of READ_TARGET
                     assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.OK.value());
-                    assertThat(new ObjectMapper().reader().readValue(result.getResponse().getContentAsString(), HashMap.class))
-                            .hasSize(1);
+                    assertThat(new ObjectMapper().reader().readValue(result.getResponse().getContentAsString(), HashMap.class)).hasSize(1);
                 });
     }
 

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ArtifactManagement.java

@@ -62,7 +62,7 @@ default String permissionGroup() {
      * @param isEncrypted flag to indicate if artifact is encrypted.
      * @return loaded {@link StoredArtifactInfo}
      */
-    @PreAuthorize("hasAuthority('" + SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT + "')" + " or " + SpringEvalExpressions.IS_CONTROLLER)
+    @PreAuthorize("hasAuthority('DOWNLOAD_REPOSITORY_ARTIFACT') or hasAuthority('" + SpPermission.SOFTWARE_MODULE_DOWNLOAD_ARTIFACT + "')" + " or " + SpringEvalExpressions.IS_CONTROLLER)
     ArtifactStream getArtifactStream(@NotEmpty String sha1Hash, long softwareModuleId, final boolean isEncrypted);
 
     /**

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/SystemManagement.java

@@ -74,7 +74,7 @@ public interface SystemManagement {
     /**
      * @return {@link TenantMetaData} of {@link TenantAware#getCurrentTenant()}
      */
-    @PreAuthorize("hasAuthority('" + SpPermission.READ_REPOSITORY + "')" + " or "
+    @PreAuthorize("hasAuthority('" + SpPermission.READ_DISTRIBUTION_SET + "')" + " or "
             + "hasAuthority('READ_" + SpPermission.TARGET + "')" + " or "
             + "hasAuthority('READ_" + SpPermission.TENANT_CONFIGURATION + "')" + " or "
             + SpringEvalExpressions.IS_CONTROLLER)
@@ -83,7 +83,7 @@ public interface SystemManagement {
     /**
      * @return {@link TenantMetaData} of {@link TenantAware#getCurrentTenant()} without details ({@link TenantMetaData#getDefaultDsType()})
      */
-    @PreAuthorize("hasAuthority('" + SpPermission.READ_REPOSITORY + "')" + " or "
+    @PreAuthorize("hasAuthority('" + SpPermission.READ_DISTRIBUTION_SET + "')" + " or "
             + "hasAuthority('READ_" + SpPermission.TARGET + "')" + " or "
             + "hasAuthority('READ_" + SpPermission.TENANT_CONFIGURATION + "')" + " or "
             + SpringEvalExpressions.IS_CONTROLLER)

hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/RepositoryConfiguration.java

@@ -19,6 +19,7 @@
 import org.eclipse.hawkbit.im.authentication.Hierarchy;
 import org.eclipse.hawkbit.tenancy.configuration.ControllerPollProperties;
 import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.ApplicationContext;
@@ -38,6 +39,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.util.ObjectUtils;
 import org.springframework.util.function.SingletonSupplier;
 
 /**
@@ -52,8 +54,16 @@ public class RepositoryConfiguration {
 
     @Bean
     @ConditionalOnMissingBean
-    static RoleHierarchy roleHierarchy() {
-        return RoleHierarchyImpl.fromHierarchy(Hierarchy.DEFAULT);
+    @SuppressWarnings("java:S3358") // java:S3358 better readable this way
+    RoleHierarchy roleHierarchy(
+            // if configured replaces the hierarchy completely
+            @Value("${org.eclipse.hawkbit.hierarchy:}") final String hierarchy,
+            // if the "hierarchy" property is empty, and this property is configured it is appended to the default hierarchy
+            @Value("${org.eclipse.hawkbit.hierarchy.ext:}") final String hierarchyExt) {
+        return RoleHierarchyImpl.fromHierarchy(
+                ObjectUtils.isEmpty(hierarchy)
+                        ? (ObjectUtils.isEmpty(hierarchyExt) ? Hierarchy.DEFAULT : Hierarchy.DEFAULT + hierarchyExt)
+                        : hierarchy);
     }
 
     @Bean