feat: container temporary credentials #5965
base: develop
Signed-off-by: MMaiero <[email protected]>
Signed-off-by: MMaiero <[email protected]>
Pull Request Overview
This PR introduces a temporary identity service feature for container authentication that allows containers to be provisioned with temporary credentials for accessing Kura REST APIs, enhancing security by eliminating the need for persistent credentials.
- Implements `TemporaryIdentityService` API and core functionality for managing in-memory temporary identities
- Adds container identity integration to automatically provision temporary credentials for containers
- Introduces REST authentication provider for validating temporary tokens
Reviewed Changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| kura/org.eclipse.kura.api/src/main/java/org/eclipse/kura/identity/TemporaryIdentityService.java | Defines the new API interface for temporary identity management |
| kura/org.eclipse.kura.core.identity/src/main/java/org/eclipse/kura/core/identity/IdentityServiceImpl.java | Implements temporary identity service functionality within the existing identity service |
| kura/org.eclipse.kura.core.identity/src/main/java/org/eclipse/kura/core/identity/TemporaryIdentity.java | Data model for temporary identity objects with permissions and tokens |
| kura/org.eclipse.kura.rest.provider/src/main/java/org/eclipse/kura/internal/rest/auth/TemporaryTokenAuthenticationProvider.java | REST authentication provider for validating temporary tokens |
| kura/org.eclipse.kura.rest.provider/src/main/java/org/eclipse/kura/internal/rest/provider/AuthenticationFilter.java | Updates authentication filter to support temporary token validation |
| kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstance.java | Container integration to create and inject temporary credentials |
| kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstanceOptions.java | Configuration options for container identity integration |
| kura/test/org.eclipse.kura.core.identity.test/src/main/java/org/eclipse/kura/core/identity/test/TemporaryIdentityServiceTest.java | Comprehensive test suite for temporary identity functionality |
| // Check if this is a temporary token principal by examining the class name | ||
| if (requestUser.getClass().getSimpleName().contains("TemporaryToken")) { | ||
| return isTemporaryUserInRole(requestUser, role); | ||
| } |
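Review bot: the `getSimpleName().contains("TemporaryToken")` test selects which role check runs, so it sits on the authorization path and should not depend on a substring of a class name. As written, any principal whose simple class name contains "TemporaryToken" is routed to `isTemporaryUserInRole`, whatever its package or origin. Match on the type instead (an `instanceof` against the principal class, or against a small interface exported from a shared package if the class is not visible here), and add a test that a principal with a matching name but a different type is not handled as a temporary one.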
Copilot
AI
Sep 8, 2025
Using class name comparison is fragile and error-prone. Consider using instanceof check or implementing a marker interface/method to identify temporary token principals instead of string comparison on class name.
| // Get the token using reflection | ||
| final String token = (String) principal.getClass().getMethod("getToken").invoke(principal); |
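Review bot: the reflective `getMethod("getToken").invoke(principal)` call and the unchecked `(String)` cast can each fail at runtime, and the visible lines do not show what happens to the request when they do. Make sure every failure (missing method, inaccessible method, an exception thrown by the target, a non-String or null result) ends in a denied role check rather than a fallback path, and that the token value is never written to a log message in the handler. A typed accessor on the principal would remove the reflection and the cast altogether.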
Copilot
AI
Sep 8, 2025
Using reflection to access the token is fragile and can fail at runtime. Consider defining an interface with a getToken() method that the TemporaryTokenPrincipal can implement, allowing for type-safe access.
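Added example, not code from the Kura PR: a typed alternative to the class-name check and the reflective `getToken()` call raised in the two review comments above. `TokenPrincipal`, both principal classes and the helper methods are hypothetical names chosen for illustration.

```java
import java.security.Principal;

public class PrincipalTypeCheck {

    // Hypothetical shared contract; it would live in a package visible to both
    // the authentication provider and the filter that checks roles.
    interface TokenPrincipal extends Principal {
        String getToken();
    }

    // Stand-in for the PR's temporary token principal (constructed for this example).
    static final class TemporaryTokenPrincipal implements TokenPrincipal {
        private final String token;
        TemporaryTokenPrincipal(String token) { this.token = token; }
        @Override public String getName() { return "temporary"; }
        @Override public String getToken() { return token; }
    }

    // Unrelated principal whose class name merely contains "TemporaryToken".
    static final class NotATemporaryTokenPrincipal implements Principal {
        @Override public String getName() { return "other"; }
    }

    // Check as written in the reviewed snippet: substring match on the class name.
    static boolean isTemporaryByName(Principal p) {
        return p.getClass().getSimpleName().contains("TemporaryToken");
    }

    // Typed check: only implementations of the shared contract qualify.
    static boolean isTemporaryByType(Principal p) {
        return p instanceof TokenPrincipal;
    }

    // Typed token access without reflection; null means "no token, deny".
    static String tokenOf(Principal p) {
        return p instanceof TokenPrincipal ? ((TokenPrincipal) p).getToken() : null;
    }

    public static void main(String[] args) {
        Principal real = new TemporaryTokenPrincipal("constructed-sample-token");
        Principal lookalike = new NotATemporaryTokenPrincipal();
        System.out.println("name check accepts lookalike: " + isTemporaryByName(lookalike));
        System.out.println("type check accepts lookalike: " + isTemporaryByType(lookalike));
        System.out.println("type check accepts real:      " + isTemporaryByType(real));
        System.out.println("token of lookalike:           " + tokenOf(lookalike));
    }
}
```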
| .setDeviceList(baseConfig.getContainerDevices()) | ||
| .setFrameworkManaged(baseConfig.isFrameworkManaged()) | ||
| .setLoggingType(baseConfig.getContainerLoggingType()) | ||
| .setContainerNetowrkConfiguration(baseConfig.getContainerNetworkConfiguration()) |
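Review bot: the misspelled `setContainerNetowrkConfiguration` on the last line of this hunk is a call to a builder method declared elsewhere, so correcting the spelling at this call site alone will not compile unless the declaration is renamed as well. Check where the setter is declared first: if it belongs to a published builder, keep this call as it is and handle the rename in the API, with the old name kept as a deprecated alias so existing callers still build.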
Copilot
AI
Sep 8, 2025
There is a typo in the method name. It should be "setContainerNetworkConfiguration" instead of "setContainerNetowrkConfiguration".
| .setContainerNetowrkConfiguration(baseConfig.getContainerNetworkConfiguration()) | |
| .setContainerNetworkConfiguration(baseConfig.getContainerNetworkConfiguration()) |
|


Brief description of the PR. [e.g. Added `null` check on `object` to avoid `NullPointerException`]
Related Issue: This PR fixes/closes {issue number}
Description of the solution adopted: A more detailed description of the changes made to solve/close one or more issues. If the PR is simple and easy to understand this section can be skipped
Screenshots: If applicable, add screenshots to help explain your solution
Manual Tests: Optional description of the tests performed to check correct functioning of changes, useful for an efficient review
Any side note on the changes made: Description of any other change that has been made, which is not directly linked to the issue resolution [e.g. Code clean up/Sonar issue resolution]