Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#926: inject configurable policy subjects into policies via new added JWT evaluating policy action #945

Merged
merged 57 commits into from Jan 25, 2021
Merged

#926: inject configurable policy subjects into policies via new added JWT evaluating policy action #945

merged 57 commits into from Jan 25, 2021

Conversation

thjaeckle
Copy link
Member

Fixes: #926

A blogpost contained in the PR describes the feature.

yufei-cai and others added 30 commits December 21, 2020 14:19
@yufei-cai
[eclipse-ditto#926] add ActivateSubject and ActivateSubjectResponse.
c0f94d0 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
Merge branch 'master' into feature/subject-activation
a02b599 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add a command to deactivate a token subject.
b859f81 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add a command to activate a subject on the policy…
f60d865 
… level.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add a command to deactivate a subject at the poli…
683ab71 
…cy level; relax timing requirement in ThingPersistenceActorSnapshottingTest.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add events for subject activation; rename Activat…
f595551 
…eSubjectForPolicy to ActivateSubjects.
@yufei-cai
[eclipse-ditto#926] add command and event strategies for ActivateSubj…
c9d1b91 
…ect.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add command and event strategies for ActivateSubj…
23d261f 
…ects.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] remove raw type usage in persistence actors.
e9f270f 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add irrelevant signals to registry tests of polic…
7a13c00 
…ies made visible due to ditto-model-placeholders.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add SubjectDeactivated and SubjectsDeactivated ev…
f0b601b 
…ents.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add command and event strategies for DeactivateSu…
474f077 
…bject(s)

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] extend authentication result to include JWT.
a2b7f19 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add HTTP API for activateTokenIntegration and dea…
3fc926d 
…ctivateTokenIntegration.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] Replace issuer 'integration' by token issuer in t…
0df160e 
…he default token integration subject ID.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] remove raw types from enforcements.
ca8349c 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] add policy enforcement for policy action commands.
097d6c6 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] remove raw types from preEnforcer.
6dc7cd7 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] make subject Id resolver of policy actions config…
e517083 
…urable.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] fix deserialization of PolicyActionFailedExceptio…
edc5200 
…n; fix status code when executing an action on a nonexistent policy entry.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] document policy token integration.
4cf48cc 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@thjaeckle
[eclipse-ditto#926] review: moved policy actions to own package in co…
70849aa 
…mmands

* renamed classes to match the action name, e.g. "ActivateTokenIntegration"
* don't let PolicyActionCommand inherit PolicyModifyCommand
* added PolicyActionCommandResponse which the action responses implement
* added new Command.Category enum value "ACTION"
* moved PolicyActionFailedException to commands module
* adjusted routes to not use the route path from constants in the PolicyActionFailedException but use it from the action's NAME constant

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] fixed command registry tests by adding action com…
86723df 
…mand of new package

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] review: removed unnecessary action events
2a1d9c9 
* renamed required action events to SubjectsDeletedPartially and SubjectsModifiedPartially
* moved PolicyEntryPlaceholder to the "placeholders" module
* added new SubjectIdFromActionResolver interface with a default implementation using the PolicyEntryPlaceholder
* replaced Class.forName("") with loading classes via the Akka actorSystem

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@yufei-cai
[eclipse-ditto#926] Fix default subject ID resolver class name.
37b75c9 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] Remove unnecessary field subjectId from Activate-…
b7ce02b 
… and DeactivatePolicyTokenIntegrationResponse.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] Reject activateTokenIntegration actions on entrie…
850f995 
…s without READ permission for things.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@thjaeckle
[eclipse-ditto#926] review: added unit test for OAuthTokenIntegration…
510640f 
…SubjectIdFactory

* added some javadoc fixes

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@yufei-cai
[eclipse-ditto#926] Mention in documentation the requirement for READ…
01e65e2 
… permission granted on things by the policy action activateTokenIntegration.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] document status 404 for policy actions.
676f25d 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle and others added 23 commits January 13, 2021 17:39
@thjaeckle
[eclipse-ditto#926] review: added missing javadocs for projected cache
67f872d 
Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] review: changed status code of repsonses to 204 -…
5c3af06 
… no content

* removed subjectId from DeactivateTokenIntegrationResponse

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] review: added check that only policy entries with…
9167eac 
… a subject contained in the authorized subjects are considered for activate/deactivate tokenIntegration actions

* removed check that only subjects containing an expiry should be deleted by the "deactivateTokenIntegration" action

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@yufei-cai
[eclipse-ditto#926] Add generic TopLevelActionCommand for policies.
7004aa6 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] Merge branch 'origin/feature/subject-activation'
74b2391 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>

Conflicts:
	services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/AbstractPolicyActionCommandStrategy.java
	services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivatePolicyTokenIntegrationStrategy.java
	services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivateTokenIntegrationStrategy.java
	services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/DeactivateTokenIntegrationStrategy.java
	services/policies/persistence/src/test/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivatePolicyTokenIntegrationStrategyTest.java
	services/policies/persistence/src/test/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivateTokenIntegrationStrategyTest.java
@yufei-cai
[eclipse-ditto#926] fix PolicyCommandEnforcementTest.
538172f 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@thjaeckle
[eclipse-ditto#926] review: added factor "subject ID of authenticated…
de0a06f 
… JWT must also be present in policy entry" to documentation

* did some reformatting in the OpenAPI docs
* fixed supported placeholders for the action

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
use ThreadSafeDittoLoggingAdapter for connectivity ConsumerActors
3775fe9 
Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@yufei-cai
[eclipse-ditto#926] Delete Activate- and DeactivatePolicyTokenIntegra…
db46a6c 
…tion commands and responses.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@thjaeckle
[eclipse-ditto#926] adjusted OpenAPI doc wording "the -> a" subject
ce859dc 
Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] adjusted documentation wording about the action a…
21fe605 
…ctivateTokenIntegration

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@yufei-cai
[eclipse-ditto#926] Merge branch 'master' into feature/subject-activa…
1f02f79 
…tion

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>

Conflicts:
	services/concierge/enforcement/src/test/java/org/eclipse/ditto/services/concierge/enforcement/EnforcerRetrieverTest.java
	services/connectivity/messaging/src/main/java/org/eclipse/ditto/services/connectivity/messaging/mqtt/hivemq/AbstractMqttConsumerActor.java
	services/connectivity/messaging/src/main/java/org/eclipse/ditto/services/connectivity/messaging/rabbitmq/RabbitMQConsumerActor.java
@yufei-cai
[eclipse-ditto#926] improve type safety of AbstractCommandStrategies.
cfa9145 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] prevent random failing tests due to reordering of…
2c1aa95 
… policy entries.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@thjaeckle
[eclipse-ditto#926] review: renamed TopLevelActionCommand to TopLevel…
0a4d841 
…PolicyActionCommand

* use HttpStatus instead of deprecated HttpStatusCode enum
* policy routes method renamings
* some javadoc enhancements

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] added possibility to use JWT claims being a jsona…
3b2163c 
…rray of strings instead of only plain strings

* the JwtPlaceholder works the same
* added "expansion" algorithm to expand inlines JsonArrays to multiple SubjectIds to TokenIntegrationSubjectIdFactory
* adjusted PolicyActionCommands to work on multiple subjects/subjectIds
* adjusted the default token-integration-subject to "integration:{{policy-entry:label}}:{{jwt:aud}}"

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
added new Hono notification "application/vnd.eclipse-hono-device-prov…
9a6b7ad 
…isioning-notification" to default blocklist of DittoMessageMapper

* use ENABLE_PRE_AUTHENTICATION instead of deprecated DITTO_DUMMY_AUTH in deployment configs

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] moved "isApplicable" logic from strategies to Pol…
a1f6108 
…icyActionCommands

* also moved building the PolicyActionFailedException when not applicable for a PolicyActionCommand to the PolicyActionCommands
* added another test for a JWT with nested path

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] added Blogpost about the new policy actions feature
af546e3 
* added "Authenticated subjects" section to basic-auth
* adjusted the "Subjects" section in basic-policy to be more detailled
* fixed links

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] fixed internal server error cause by non-deserial…
ffb49b9 
…izable PolicyActionFailedException because of missing "message" in the exception JSON

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] use LinkedHashMaps and LinkedHashSets in policies…
5df4a8b 
… model in order to keep order when e.g. modifying policies

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] fix copyright header year for added files which f…
876276c 
…ail in license header year check

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle
[eclipse-ditto#926] javadoc error
8d030e8 
Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
@thjaeckle thjaeckle added this to the 2.0.0 milestone Jan 22, 2021
@yufei-cai
[eclipse-ditto#926] fix grammar.
3dfeb3e 
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
@yufei-cai
[eclipse-ditto#926] Prevent backtracking in TokenIntegrationSubjectId…
a492eb4 
…Factory; fix policy action event aggregation.

Changes

1. Replaced TokenIntegrationSubjectIdFactory.JSON_ARRAY_PATTERN
   by a regex using possessive qualifiers only.

2. Added a test for activating multiple subjects in multiple
   policy entries. Fixed it.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
yufei-cai
yufei-cai approved these changes Jan 25, 2021
View reviewed changes
Copy link
Contributor

@yufei-cai yufei-cai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thjaeckle thjaeckle merged commit 66a9029 into eclipse-ditto:master Jan 25, 2021
@thjaeckle thjaeckle deleted the feature/subject-activation branch January 25, 2021 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yufei-cai yufei-cai yufei-cai approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.0.0-M1
Development

Successfully merging this pull request may close these issues.

Support injection of temporary policy subjects from JWTs
2 participants
@thjaeckle @yufei-cai