#926: inject configurable policy subjects into policies via new added JWT evaluating policy action #945
Merged
thjaeckle
merged 57 commits into
eclipse-ditto:master
from
bosch-io:feature/subject-activation
Jan 25, 2021
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
… level. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…cy level; relax timing requirement in ThingPersistenceActorSnapshottingTest. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…eSubjectForPolicy to ActivateSubjects.
…ect. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…ects. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…ies made visible due to ditto-model-placeholders. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…ents. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…bject(s) Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…ctivateTokenIntegration. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…he default token integration subject ID. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…urable. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…n; fix status code when executing an action on a nonexistent policy entry. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…mmands * renamed classes to match the action name, e.g. "ActivateTokenIntegration" * don't let PolicyActionCommand inherit PolicyModifyCommand * added PolicyActionCommandResponse which the action responses implement * added new Command.Category enum value "ACTION" * moved PolicyActionFailedException to commands module * adjusted routes to not use the route path from constants in the PolicyActionFailedException but use it from the action's NAME constant Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…mand of new package Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
* renamed required action events to SubjectsDeletedPartially and SubjectsModifiedPartially * moved PolicyEntryPlaceholder to the "placeholders" module * added new SubjectIdFromActionResolver interface with a default implementation using the PolicyEntryPlaceholder * replaced Class.forName("") with loading classes via the Akka actorSystem Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
… and DeactivatePolicyTokenIntegrationResponse. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…s without READ permission for things. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…SubjectIdFactory * added some javadoc fixes Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
… permission granted on things by the policy action activateTokenIntegration. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
… no content * removed subjectId from DeactivateTokenIntegrationResponse Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
… a subject contained in the authorized subjects are considered for activate/deactivate tokenIntegration actions * removed check that only subjects containing an expiry should be deleted by the "deactivateTokenIntegration" action Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io> Conflicts: services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/AbstractPolicyActionCommandStrategy.java services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivatePolicyTokenIntegrationStrategy.java services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivateTokenIntegrationStrategy.java services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/DeactivateTokenIntegrationStrategy.java services/policies/persistence/src/test/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivatePolicyTokenIntegrationStrategyTest.java services/policies/persistence/src/test/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivateTokenIntegrationStrategyTest.java
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
… JWT must also be present in policy entry" to documentation * did some reformatting in the OpenAPI docs * fixed supported placeholders for the action Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…tion commands and responses. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…ctivateTokenIntegration Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…tion Signed-off-by: Yufei Cai <yufei.cai@bosch.io> Conflicts: services/concierge/enforcement/src/test/java/org/eclipse/ditto/services/concierge/enforcement/EnforcerRetrieverTest.java services/connectivity/messaging/src/main/java/org/eclipse/ditto/services/connectivity/messaging/mqtt/hivemq/AbstractMqttConsumerActor.java services/connectivity/messaging/src/main/java/org/eclipse/ditto/services/connectivity/messaging/rabbitmq/RabbitMQConsumerActor.java
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
… policy entries. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…PolicyActionCommand * use HttpStatus instead of deprecated HttpStatusCode enum * policy routes method renamings * some javadoc enhancements Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…rray of strings instead of only plain strings * the JwtPlaceholder works the same * added "expansion" algorithm to expand inlines JsonArrays to multiple SubjectIds to TokenIntegrationSubjectIdFactory * adjusted PolicyActionCommands to work on multiple subjects/subjectIds * adjusted the default token-integration-subject to "integration:{{policy-entry:label}}:{{jwt:aud}}" Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…isioning-notification" to default blocklist of DittoMessageMapper * use ENABLE_PRE_AUTHENTICATION instead of deprecated DITTO_DUMMY_AUTH in deployment configs Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…icyActionCommands * also moved building the PolicyActionFailedException when not applicable for a PolicyActionCommand to the PolicyActionCommands * added another test for a JWT with nested path Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
* added "Authenticated subjects" section to basic-auth * adjusted the "Subjects" section in basic-policy to be more detailed * fixed links Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…izable PolicyActionFailedException because of missing "message" in the exception JSON Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
… model in order to keep order when e.g. modifying policies Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
…ail in license header year check Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
…Factory; fix policy action event aggregation. Changes 1. Replaced TokenIntegrationSubjectIdFactory.JSON_ARRAY_PATTERN by a regex using possessive qualifiers only. 2. Added a test for activating multiple subjects in multiple policy entries. Fixed it. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
yufei-cai
approved these changes
Jan 25, 2021
LGTM
Fixes: #926
A blogpost contained in the PR describes the feature.