Cleanup and improve the controller authentication (eclipse-hawkbit#2287)

Signed-off-by: Avgustin Marinov <[email protected]>

hawkbit-security/hawkbit-security-controller/pom.xml → hawkbit-ddi/hawkbit-ddi-security/pom.xml

@@ -14,11 +14,11 @@
     <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>org.eclipse.hawkbit</groupId>
-        <artifactId>hawkbit-security-parent</artifactId>
+        <artifactId>hawkbit-ddi-parent</artifactId>
         <version>${revision}</version>
     </parent>
 
-    <artifactId>hawkbit-security-controller</artifactId>
+    <artifactId>hawkbit-ddi-security</artifactId>
     <name>hawkBit :: Security :: Controller</name>
 
     <dependencies>

hawkbit-ddi/hawkbit-ddi-security/src/main/java/org/eclipse/hawkbit/security/controller/AuthenticationFilters.java

@@ -0,0 +1,165 @@
+/**
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.hawkbit.security.controller;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+import org.eclipse.hawkbit.security.DdiSecurityProperties;
+import org.eclipse.hawkbit.util.UrlUtils;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * An abstraction for all controller based security to parse the e.g. the tenant name from the URL and the controller ID from the URL to do
+ * security checks based on this information.
+ */
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public class AuthenticationFilters {
+
+    public static class GatewayTokenAuthenticationFilter extends AbstractAuthenticationFilter {
+
+        public GatewayTokenAuthenticationFilter(final GatewayTokenAuthenticator authenticator, final DdiSecurityProperties ddiSecurityProperties) {
+            super(authenticator, ddiSecurityProperties);
+        }
+    }
+
+    public static class SecurityHeaderAuthenticationFilter extends AbstractAuthenticationFilter {
+
+        public SecurityHeaderAuthenticationFilter(final SecurityHeaderAuthenticator authenticator, final DdiSecurityProperties ddiSecurityProperties) {
+            super(authenticator, ddiSecurityProperties);
+        }
+    }
+
+    public static class SecurityTokenAuthenticationFilter extends AbstractAuthenticationFilter {
+
+        public SecurityTokenAuthenticationFilter(final SecurityTokenAuthenticator authenticator, final DdiSecurityProperties ddiSecurityProperties) {
+            super(authenticator, ddiSecurityProperties);
+        }
+    }
+
+    /**
+     * An abstraction for all controller based security to parse the e.g. the tenant name from the URL and the controller ID from the URL to do
+     * security checks based on this information.
+     */
+    public static abstract class AbstractAuthenticationFilter extends OncePerRequestFilter {
+
+        private static final String TENANT_PLACE_HOLDER = "tenant";
+        private static final String CONTROLLER_ID_PLACE_HOLDER = "controllerId";
+        /**
+         * requestURIPathPattern the request URI path pattern in ANT style containing the placeholder key for retrieving the principal from the URI
+         * request. e.g."/{tenant}/controller/v1/{controllerId}
+         */
+        private static final String CONTROLLER_REQUEST_ANT_PATTERN =
+                "/{" + TENANT_PLACE_HOLDER + "}/controller/v1/{" + CONTROLLER_ID_PLACE_HOLDER + "}/**";
+        private static final String CONTROLLER_DL_REQUEST_ANT_PATTERN =
+                "/{" + TENANT_PLACE_HOLDER + "}/controller/artifacts/v1/**";
+
+        private final SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();
+        private final AntPathMatcher pathExtractor = new AntPathMatcher();
+        private final Authenticator authenticator;
+        private final List<String> authorizedSourceIps;
+
+        protected AbstractAuthenticationFilter(final Authenticator authenticator, final DdiSecurityProperties ddiSecurityProperties) {
+            this.authenticator = authenticator;
+            authorizedSourceIps = ddiSecurityProperties.getRp().getTrustedIPs();
+        }
+
+        @Override
+        protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain)
+                throws IOException, ServletException {
+            if (acceptIPAddress(request)) {
+                final Authentication currentAuthentication = SecurityContextHolder.getContext().getAuthentication();
+                if (currentAuthentication == null || !currentAuthentication.isAuthenticated()) {
+                    final ControllerSecurityToken securityToken = createTenantSecurityTokenVariables(request);
+                    if (securityToken != null) {
+                        final Authentication authentication = authenticator.authenticate(securityToken);
+                        if (authentication != null) {
+                            SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
+                            context.setAuthentication(authentication);
+                            this.securityContextHolderStrategy.setContext(context);
+                        }
+                    }
+                } else {
+                    authenticator.log().trace("Request is already authenticated. Skip filter");
+                }
+            }
+
+            chain.doFilter(request, response);
+        }
+
+        /**
+         * Extracts tenant and controllerId from the request URI as path variables.
+         *
+         * @param request the Http request to extract the path variables.
+         * @return the extracted {@link ControllerSecurityToken} or {@code null} if the request does not match the pattern and no variables could be
+         *         extracted
+         */
+        private ControllerSecurityToken createTenantSecurityTokenVariables(final HttpServletRequest request) {
+            final String requestURI = request.getRequestURI();
+            if (pathExtractor.match(request.getContextPath() + CONTROLLER_REQUEST_ANT_PATTERN, requestURI)) {
+                authenticator.log().debug("retrieving principal from URI request {}", requestURI);
+                final Map<String, String> extractUriTemplateVariables = pathExtractor
+                        .extractUriTemplateVariables(request.getContextPath() + CONTROLLER_REQUEST_ANT_PATTERN, requestURI);
+                final String controllerId = UrlUtils.decodeUriValue(extractUriTemplateVariables.get(CONTROLLER_ID_PLACE_HOLDER));
+                final String tenant = UrlUtils.decodeUriValue(extractUriTemplateVariables.get(TENANT_PLACE_HOLDER));
+                authenticator.log().trace("Parsed tenant {} and controllerId {} from path request {}", tenant, controllerId, requestURI);
+                return createTenantSecurityTokenVariables(request, tenant, controllerId);
+            } else if (pathExtractor.match(request.getContextPath() + CONTROLLER_DL_REQUEST_ANT_PATTERN, requestURI)) {
+                authenticator.log().debug("retrieving path variables from URI request {}", requestURI);
+                final Map<String, String> extractUriTemplateVariables = pathExtractor.extractUriTemplateVariables(
+                        request.getContextPath() + CONTROLLER_DL_REQUEST_ANT_PATTERN, requestURI);
+                final String tenant = UrlUtils.decodeUriValue(extractUriTemplateVariables.get(TENANT_PLACE_HOLDER));
+                authenticator.log().trace("Parsed tenant {} from path request {}", tenant, requestURI);
+                return createTenantSecurityTokenVariables(request, tenant, "anonymous");
+            } else {
+                authenticator.log().trace("request {} does not match the path pattern {}, request gets ignored", requestURI, CONTROLLER_REQUEST_ANT_PATTERN);
+                return null;
+            }
+        }
+
+        private ControllerSecurityToken createTenantSecurityTokenVariables(
+                final HttpServletRequest request, final String tenant, final String controllerId) {
+            final ControllerSecurityToken securityToken = new ControllerSecurityToken(tenant, null, controllerId, null);
+            Collections.list(request.getHeaderNames()).forEach(header -> securityToken.putHeader(header, request.getHeader(header)));
+            return securityToken;
+        }
+
+        private boolean acceptIPAddress(final HttpServletRequest request) {
+            if (authorizedSourceIps == null) {
+                // no trusted IP check, because no authorizedSourceIPs configuration
+                return true;
+            }
+
+            final String remoteAddress = request.getRemoteAddr();
+            if (authorizedSourceIps.contains(remoteAddress)) {
+                // source ip matches the given pattern -> authenticated
+                return true;
+            } else {
+                authenticator.log().debug(
+                        "The remote source IP address {} is not in the list of trusted IP addresses {}", remoteAddress, authorizedSourceIps);
+                return false;
+            }
+        }
+    }
+}

hawkbit-ddi/hawkbit-ddi-security/src/main/java/org/eclipse/hawkbit/security/controller/Authenticator.java

@@ -0,0 +1,101 @@
+/**
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.hawkbit.security.controller;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.Objects;
+
+import lombok.EqualsAndHashCode;
+import org.eclipse.hawkbit.im.authentication.SpPermission;
+import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
+import org.eclipse.hawkbit.tenancy.TenantAware;
+import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
+import org.slf4j.Logger;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
+/**
+ * Interface for Authentication mechanism.
+ */
+public interface Authenticator {
+
+    /**
+     * If the authentication mechanism is not enabled for the tenant - it just returns null.
+     * If the authentication mechanism is supported, the filter extracts from the security token the related credentials,
+     * validate them (do authenticate the caller).
+     * If validation / authentication is successful returns an authenticated authentication object. Otherwise,
+     * throws BadCredentialsException.
+     *
+     * @param controllerSecurityToken the securityToken
+     * @return the extracted tenant and controller id
+     */
+    Authentication authenticate(ControllerSecurityToken controllerSecurityToken);
+
+    Logger log();
+
+    abstract class AbstractAuthenticator implements Authenticator {
+
+        protected final TenantConfigurationManagement tenantConfigurationManagement;
+        protected final TenantAware tenantAware;
+        protected final SystemSecurityContext systemSecurityContext;
+        private final TenantAware.TenantRunner<Boolean> isEnabledTenantRunner;
+
+        protected AbstractAuthenticator(
+                final TenantConfigurationManagement tenantConfigurationManagement,
+                final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
+            this.tenantConfigurationManagement = tenantConfigurationManagement;
+            this.tenantAware = tenantAware;
+            this.systemSecurityContext = systemSecurityContext;
+            isEnabledTenantRunner = () -> systemSecurityContext.runAsSystem(
+                    () -> tenantConfigurationManagement.getConfigurationValue(getTenantConfigurationKey(), Boolean.class).getValue());
+        }
+
+        protected boolean isEnabled(final ControllerSecurityToken securityToken) {
+            return tenantAware.runAsTenant(securityToken.getTenant(), isEnabledTenantRunner);
+        }
+
+        protected abstract String getTenantConfigurationKey();
+
+        protected Authentication authenticatedController(final String tenant, final String controllerId) {
+            Objects.requireNonNull(tenant, "tenant must not be null");
+            Objects.requireNonNull(controllerId, "controllerId must not be null");
+            return new AuthenticatedController(tenant, controllerId);
+        }
+
+        @EqualsAndHashCode(callSuper = true)
+        private static class AuthenticatedController extends AbstractAuthenticationToken {
+
+            private static final Collection<GrantedAuthority> CONTROLLER_AUTHORITY =
+                    List.of(new SimpleGrantedAuthority(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE));
+            private final String controllerId;
+
+            AuthenticatedController(final String tenant, final String controllerId) {
+                super(CONTROLLER_AUTHORITY);
+                super.setDetails(new TenantAwareAuthenticationDetails(tenant, true));
+                this.controllerId = controllerId;
+                setAuthenticated(true);
+            }
+
+            @Override
+            public Object getCredentials() {
+                return null;
+            }
+
+            @Override
+            public Object getPrincipal() {
+                return controllerId;
+            }
+        }
+    }
+}

hawkbit-ddi/hawkbit-ddi-security/src/main/java/org/eclipse/hawkbit/security/controller/GatewayTokenAuthenticator.java

@@ -0,0 +1,83 @@
+/**
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.hawkbit.security.controller;
+
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
+import org.eclipse.hawkbit.tenancy.TenantAware;
+import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
+import org.slf4j.Logger;
+import org.springframework.security.core.Authentication;
+
+/**
+ * An authenticator which extracts (if enabled through configuration) the possibility to authenticate a target based through
+ * a gateway security token. This is commonly used for targets connected indirectly via a gateway. This gateway controls multiple targets
+ * under the gateway security token which can be set via the {@code Authorization} header.
+ * <p>
+ * {@code Example Header: Authorization: GatewayToken 5d8fSD54fdsFG98DDsa.}
+ */
+@Slf4j
+public class GatewayTokenAuthenticator extends Authenticator.AbstractAuthenticator {
+
+    public static final String GATEWAY_SECURITY_TOKEN_AUTH_SCHEME = "GatewayToken ";
+    private static final int OFFSET_GATEWAY_TOKEN = GATEWAY_SECURITY_TOKEN_AUTH_SCHEME.length();
+
+    private final TenantAware.TenantRunner<String> gatewaySecurityTokenKeyConfigRunner;
+
+    public GatewayTokenAuthenticator(
+            final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
+            final SystemSecurityContext systemSecurityContext) {
+        super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
+        gatewaySecurityTokenKeyConfigRunner = () -> {
+            log.trace("retrieving configuration value for configuration key {}",
+                    TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY);
+
+            return systemSecurityContext
+                    .runAsSystem(() -> tenantConfigurationManagement
+                            .getConfigurationValue(TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class)
+                            .getValue());
+        };
+    }
+
+    @Override
+    public Authentication authenticate(final ControllerSecurityToken controllerSecurityToken) {
+        final String authHeader = controllerSecurityToken.getHeader(ControllerSecurityToken.AUTHORIZATION_HEADER);
+        if (authHeader == null) {
+            log.debug("The request doesn't contain the 'authorization' header");
+            return null;
+        } else if (!authHeader.startsWith(GATEWAY_SECURITY_TOKEN_AUTH_SCHEME)) {
+            log.debug("The request contains the 'authorization' header but it doesn't start with '{}'", GATEWAY_SECURITY_TOKEN_AUTH_SCHEME);
+            return null;
+        }
+
+        if (!isEnabled(controllerSecurityToken)) {
+            log.debug("The gateway token authentication is disabled");
+            return null;
+        }
+
+        log.debug("Found 'authorization' header starting with '{}'", GATEWAY_SECURITY_TOKEN_AUTH_SCHEME);
+        final String presentedToken = authHeader.substring(OFFSET_GATEWAY_TOKEN);
+
+        // validate if the presented token is the same as the gateway token
+        return presentedToken.equals(tenantAware.runAsTenant(controllerSecurityToken.getTenant(), gatewaySecurityTokenKeyConfigRunner))
+                ? authenticatedController(controllerSecurityToken.getTenant(), controllerSecurityToken.getControllerId()) : null;
+    }
+
+    @Override
+    public Logger log() {
+        return log;
+    }
+
+    @Override
+    protected String getTenantConfigurationKey() {
+        return TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED;
+    }
+}