PreAuthorize annotations reviewed and added/adapted where necessary

default method implementations from ManagementAPI interfaces moved to classes.

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DeploymentManagement.java

@@ -403,6 +403,7 @@ Slice<Action> findActionsByTarget(@NotNull String rsqlParam, @NotEmpty String co
      * @return assigned {@link DistributionSet}
      * @throws EntityNotFoundException if target with given ID does not exist
      */
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
     Optional<DistributionSet> getAssignedDistributionSet(@NotEmpty String controllerId);
 
     /**
@@ -413,6 +414,7 @@ Slice<Action> findActionsByTarget(@NotNull String rsqlParam, @NotEmpty String co
      * @return installed {@link DistributionSet}
      * @throws EntityNotFoundException if target with given ID does not exist
      */
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
     Optional<DistributionSet> getInstalledDistributionSet(@NotEmpty String controllerId);
 
     /**

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/DistributionSetInvalidationManagement.java

@@ -12,6 +12,7 @@
 import org.eclipse.hawkbit.repository.model.DistributionSet;
 import org.eclipse.hawkbit.repository.model.DistributionSetInvalidation;
 import org.eclipse.hawkbit.repository.model.DistributionSetInvalidationCount;
+import org.springframework.security.access.prepost.PreAuthorize;
 
 /**
  * A DistributionSetInvalidationManagement service provides operations to
@@ -24,6 +25,8 @@ public interface DistributionSetInvalidationManagement {
      * cancels all auto assignments referring this {@link DistributionSet} and
      * can not be undone. Optionally, all rollouts and actions referring this
      * {@link DistributionSet} can be canceled.
+     * <p>
+     * {@link PreAuthorize} missing intentionally as it relies on the permission set defined in the management api methods that it calls internally.
      *
      * @param distributionSetInvalidation defines the {@link DistributionSet} and options what should be
      *         canceled
@@ -33,6 +36,8 @@ public interface DistributionSetInvalidationManagement {
     /**
      * Counts all entities for a list of {@link DistributionSet}s that will be
      * canceled when invalidation is called for those {@link DistributionSet}s.
+     * <p>
+     * {@link PreAuthorize} missing intentionally as it relies on the permission set defined in the management api methods that it calls internally.
      *
      * @param distributionSetInvalidation defines the {@link DistributionSet} and options what should be
      *         canceled

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TargetManagement.java

@@ -59,8 +59,7 @@ public interface TargetManagement {
      * @return number of found {@link Target}s.
      * @throws EntityNotFoundException if distribution set with given ID does not exist
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
-            + SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
     long countByAssignedDistributionSet(long distributionSetId);
 
     /**
@@ -81,8 +80,7 @@ public interface TargetManagement {
      * @return number of found {@link Target}s.
      * @throws EntityNotFoundException if distribution set with given ID does not exist
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
-            + SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
     long countByInstalledDistributionSet(long distributionSetId);
 
     /**
@@ -93,8 +91,7 @@ public interface TargetManagement {
      * @return <code>true</code> if a {@link Target} exists.
      * @throws EntityNotFoundException if distribution set with given ID does not exist
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET + SpringEvalExpressions.HAS_AUTH_OR
-            + SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
     boolean existsByInstalledOrAssignedDistributionSet(long distributionSetId);
 
     /**
@@ -225,7 +222,7 @@ public interface TargetManagement {
      * @return a page of the found {@link Target}s
      * @throws EntityNotFoundException if distribution set with given ID does not exist
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
     Slice<Target> findByTargetFilterQueryAndNonDSAndCompatibleAndUpdatable(@NotNull Pageable pageRequest,
             long distributionSetId, @NotNull String rsqlParam);
 
@@ -239,7 +236,7 @@ Slice<Target> findByTargetFilterQueryAndNonDSAndCompatibleAndUpdatable(@NotNull
      * @return the count of found {@link Target}s
      * @throws EntityNotFoundException if distribution set with given ID does not exist
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_READ_TARGET)
     long countByRsqlAndNonDSAndCompatibleAndUpdatable(long distributionSetId, @NotNull String rsqlParam);
 
     /**
@@ -254,17 +251,17 @@ Slice<Target> findByTargetFilterQueryAndNonDSAndCompatibleAndUpdatable(@NotNull
      *         withs
      * @return a page of the found {@link Target}s
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
     Slice<Target> findByTargetFilterQueryAndNotInRolloutGroupsAndCompatibleAndUpdatable(@NotNull Pageable pageRequest,
             @NotEmpty Collection<Long> groups, @NotNull String targetFilterQuery,
             @NotNull DistributionSetType distributionSetType);
 
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
     Slice<Target> findByNotInGEGroupAndNotInActiveActionGEWeightOrInRolloutAndTargetFilterQueryAndCompatibleAndUpdatable(
             @NotNull Pageable pageRequest, final long rolloutId, final int weight, final long firstGroupId, @NotNull String targetFilterQuery,
             @NotNull DistributionSetType distributionSetType);
 
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
     long countByActionsInRolloutGroup(final long rolloutGroupId);
 
     /**
@@ -277,7 +274,7 @@ Slice<Target> findByNotInGEGroupAndNotInActiveActionGEWeightOrInRolloutAndTarget
      * @param rolloutId rolloutId of the rollout to be retried.
      * @return a page of the found {@link Target}s
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
     Slice<Target> findByFailedRolloutAndNotInRolloutGroups(@NotNull Pageable pageRequest,
             @NotEmpty Collection<Long> groups, @NotNull String rolloutId);
 
@@ -292,7 +289,7 @@ Slice<Target> findByFailedRolloutAndNotInRolloutGroups(@NotNull Pageable pageReq
      *         with
      * @return count of the found {@link Target}s
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
     long countByRsqlAndNotInRolloutGroupsAndCompatibleAndUpdatable(@NotEmpty Collection<Long> groups,
             @NotNull String rsqlParam, @NotNull DistributionSetType distributionSetType);
 
@@ -305,7 +302,7 @@ long countByRsqlAndNotInRolloutGroupsAndCompatibleAndUpdatable(@NotEmpty Collect
      * @param rolloutId rolloutId of the rollout to be retried.
      * @return count of the found {@link Target}s
      */
-    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_TARGET)
+    @PreAuthorize(SpringEvalExpressions.HAS_AUTH_ROLLOUT_MANAGEMENT_READ_AND_TARGET_READ)
     long countByFailedRolloutAndNotInRolloutGroups(@NotEmpty Collection<Long> groups, @NotNull String rolloutId);
 
     /**
@@ -526,9 +523,7 @@ Page<Target> findByInstalledDistributionSetAndRsql(@NotNull Pageable pageReq, lo
      * @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
      */
     @PreAuthorize(SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY_AND_UPDATE_TARGET)
-    default List<Target> assignTag(@NotEmpty Collection<String> controllerIds, long targetTagId) {
-        return assignTag(controllerIds, targetTagId, null);
-    }
+    List<Target> assignTag(@NotEmpty Collection<String> controllerIds, long targetTagId);
 
     /**
      * Un-assign a {@link TargetTag} assignment to given {@link Target}s.
@@ -551,9 +546,7 @@ default List<Target> assignTag(@NotEmpty Collection<String> controllerIds, long
      * @throws EntityNotFoundException if given targetTagId or at least one of the targets do not exist
      */
     @PreAuthorize(SpringEvalExpressions.HAS_AUTH_UPDATE_TARGET)
-    default List<Target> unassignTag(@NotEmpty Collection<String> controllerIds, long targetTagId) {
-        return unassignTag(controllerIds, targetTagId, null);
-    }
+    List<Target> unassignTag(@NotEmpty Collection<String> controllerIds, long targetTagId);
 
     /**
      * Un-assign a {@link TargetType} assignment to given {@link Target}.

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/TenantConfigurationManagement.java

@@ -10,10 +10,6 @@
 package org.eclipse.hawkbit.repository;
 
 import java.io.Serializable;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.LocalDateTime;
-import java.time.ZoneId;
 import java.util.Map;
 import java.util.function.Function;
 
@@ -22,8 +18,6 @@
 import org.eclipse.hawkbit.repository.model.PollStatus;
 import org.eclipse.hawkbit.repository.model.Target;
 import org.eclipse.hawkbit.repository.model.TenantConfigurationValue;
-import org.eclipse.hawkbit.tenancy.configuration.DurationHelper;
-import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey;
 import org.springframework.core.convert.ConversionFailedException;
 import org.springframework.core.env.Environment;
 import org.springframework.security.access.prepost.PreAuthorize;
@@ -126,25 +120,6 @@ <T extends Serializable> TenantConfigurationValue<T> getConfigurationValue(Strin
     @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_TENANT_CONFIGURATION_READ)
     <T> T getGlobalConfigurationValue(String configurationKeyName, Class<T> propertyType);
 
-    // PreAuthorize for TENANT_CONFIGURATION_READ won't be applied but actually we want just read target
     @PreAuthorize(value = SpringEvalExpressions.HAS_AUTH_READ_TARGET)
-    default Function<Target, PollStatus> pollStatusResolver() {
-        final Duration pollTime = DurationHelper.formattedStringToDuration(
-                getConfigurationValue(TenantConfigurationKey.POLLING_TIME_INTERVAL, String.class).getValue());
-        final Duration overdueTime = DurationHelper.formattedStringToDuration(
-                getConfigurationValue(TenantConfigurationKey.POLLING_OVERDUE_TIME_INTERVAL, String.class)
-                        .getValue());
-        return target -> {
-            final Long lastTargetQuery = target.getLastTargetQuery();
-            if (lastTargetQuery == null) {
-                return null;
-            }
-            final LocalDateTime currentDate = LocalDateTime.now();
-            final LocalDateTime lastPollDate = LocalDateTime.ofInstant(Instant.ofEpochMilli(lastTargetQuery),
-                    ZoneId.systemDefault());
-            final LocalDateTime nextPollDate = lastPollDate.plus(pollTime);
-            final LocalDateTime overdueDate = nextPollDate.plus(overdueTime);
-            return new PollStatus(lastPollDate, nextPollDate, overdueDate, currentDate);
-        };
-    }
+    Function<Target, PollStatus> pollStatusResolver();
 }

hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaDistributionSetManagement.java

@@ -153,7 +153,6 @@ public JpaDistributionSetManagement(
     @Transactional
     @Retryable(retryFor = { ConcurrencyFailureException.class }, maxAttempts = Constants.TX_RT_MAX,
             backoff = @Backoff(delay = Constants.TX_RT_DELAY))
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_CREATE_REPOSITORY)
     public List<DistributionSet> create(final Collection<DistributionSetCreate> creates) {
         final List<JpaDistributionSet> toCreate = creates.stream().map(JpaDistributionSetCreate.class::cast)
                 .map(this::setDefaultTypeIfMissing).map(JpaDistributionSetCreate::build).toList();
@@ -209,7 +208,6 @@ public DistributionSet update(final DistributionSetUpdate u) {
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public long count() {
         return distributionSetRepository.count(DistributionSetSpecification.isNotDeleted());
     }
@@ -218,7 +216,6 @@ public long count() {
     @Transactional
     @Retryable(retryFor = { ConcurrencyFailureException.class }, maxAttempts = Constants.TX_RT_MAX,
             backoff = @Backoff(delay = Constants.TX_RT_DELAY))
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_DELETE_REPOSITORY)
     public void delete(final long id) {
         delete(List.of(id));
     }
@@ -227,7 +224,6 @@ public void delete(final long id) {
     @Transactional
     @Retryable(retryFor = { ConcurrencyFailureException.class }, maxAttempts = Constants.TX_RT_MAX,
             backoff = @Backoff(delay = Constants.TX_RT_DELAY))
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_DELETE_REPOSITORY)
     public void delete(final Collection<Long> distributionSetIDs) {
         getDistributionSets(distributionSetIDs); // throws EntityNotFoundException if any of these do not exists
         final List<JpaDistributionSet> setsFound = distributionSetRepository.findAll(
@@ -268,32 +264,27 @@ public void delete(final Collection<Long> distributionSetIDs) {
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public List<DistributionSet> get(final Collection<Long> ids) {
         return Collections.unmodifiableList(getDistributionSets(ids));
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public boolean exists(final long id) {
         return distributionSetRepository.existsById(id);
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public Optional<DistributionSet> get(final long id) {
         return distributionSetRepository.findById(id).map(DistributionSet.class::cast);
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public Slice<DistributionSet> findAll(final Pageable pageable) {
         return JpaManagementHelper.findAllWithoutCountBySpec(distributionSetRepository, pageable, List.of(
                 DistributionSetSpecification.isNotDeleted()));
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public Page<DistributionSet> findByRsql(final Pageable pageable, final String rsqlParam) {
         return JpaManagementHelper.findAllWithCountBySpec(distributionSetRepository, pageable, List.of(
                 RSQLUtility.buildRsqlSpecification(rsqlParam, DistributionSetFields.class, virtualPropertyReplacer,

hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaDistributionSetTagManagement.java

@@ -74,7 +74,6 @@ public JpaDistributionSetTagManagement(
     @Transactional
     @Retryable(retryFor = { ConcurrencyFailureException.class }, maxAttempts = Constants.TX_RT_MAX,
             backoff = @Backoff(delay = Constants.TX_RT_DELAY))
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_CREATE_REPOSITORY)
     public List<DistributionSetTag> create(final Collection<TagCreate> dst) {
         final List<JpaDistributionSetTag> toCreate = dst.stream().map(JpaTagCreate.class::cast)
                 .map(JpaTagCreate::buildDistributionSetTag).toList();
@@ -111,7 +110,6 @@ public DistributionSetTag update(final TagUpdate u) {
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public long count() {
         return distributionSetTagRepository.count();
     }
@@ -120,7 +118,6 @@ public long count() {
     @Transactional
     @Retryable(retryFor = { ConcurrencyFailureException.class }, maxAttempts = Constants.TX_RT_MAX,
             backoff = @Backoff(delay = Constants.TX_RT_DELAY))
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_DELETE_REPOSITORY)
     public void delete(final long id) {
         distributionSetTagRepository.deleteById(id);
     }
@@ -129,7 +126,6 @@ public void delete(final long id) {
     @Transactional
     @Retryable(retryFor = { ConcurrencyFailureException.class }, maxAttempts = Constants.TX_RT_MAX,
             backoff = @Backoff(delay = Constants.TX_RT_DELAY))
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_DELETE_REPOSITORY)
     public void delete(final Collection<Long> ids) {
         final List<JpaDistributionSetTag> setsFound = distributionSetTagRepository.findAllById(ids);
 
@@ -142,31 +138,26 @@ public void delete(final Collection<Long> ids) {
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public List<DistributionSetTag> get(final Collection<Long> ids) {
         return Collections.unmodifiableList(distributionSetTagRepository.findAllById(ids));
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public boolean exists(final long id) {
         return distributionSetTagRepository.existsById(id);
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public Optional<DistributionSetTag> get(final long id) {
         return distributionSetTagRepository.findById(id).map(DistributionSetTag.class::cast);
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public Slice<DistributionSetTag> findAll(final Pageable pageable) {
         return JpaManagementHelper.findAllWithoutCountBySpec(distributionSetTagRepository, pageable, null);
     }
 
     @Override
-    @PreAuthorize(SpPermission.SpringEvalExpressions.HAS_AUTH_READ_REPOSITORY)
     public Page<DistributionSetTag> findByRsql(final Pageable pageable, final String rsqlParam) {
         final Specification<JpaDistributionSetTag> spec = RSQLUtility.buildRsqlSpecification(rsqlParam, DistributionSetTagFields.class,
                 virtualPropertyReplacer, database);