Merge remote-tracking branch 'bosch-io/master'

Signed-off-by: Stanchev Aleksandar <[email protected]>

base/model/src/main/java/org/eclipse/ditto/base/model/common/LikeHelper.java

@@ -14,6 +14,8 @@
 
 import java.util.regex.Pattern;
 
+import javax.annotation.Nullable;
+
 /**
  * A helper to create "like" patterns.
  *
@@ -40,7 +42,8 @@ private LikeHelper() {
      * @param expression The wildcard expression to convert.
      * @return The regular expression, which can be compiled with {@link Pattern#compile(String)}.
      */
-    public static String convertToRegexSyntax(final String expression) {
+    @Nullable
+    public static String convertToRegexSyntax(@Nullable final String expression) {
         if (expression == null) {
             return null;
         }

deployment/helm/ditto/Chart.yaml

@@ -16,8 +16,8 @@ description: |
   A digital twin is a virtual, cloud based, representation of his real world counterpart
   (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.3.3  # chart version is effectively set by release-job
-appVersion: 3.3.3
+version: 3.3.4  # chart version is effectively set by release-job
+appVersion: 3.3.4
 keywords:
   - iot-chart
   - digital-twin

deployment/helm/ditto/local-values.yaml

@@ -40,6 +40,12 @@ policies:
         - "ditto-originator"
         - "ditto-origin"
         - "correlation-id"
+    entityCreation:
+      grants:
+        - namespaces:
+          - "org.eclipse.ditto.room"
+          authSubjects:
+          - "connection:some"
 
 ## ----------------------------------------------------------------------------
 ## things configuration
@@ -58,6 +64,12 @@ things:
           - "ditto-originator"
           - "ditto-origin"
           - "correlation-id"
+    entityCreation:
+      grants:
+        - namespaces:
+          - "org.eclipse.ditto.room"
+          authSubjects:
+          - "connection:some"
 
 ## ----------------------------------------------------------------------------
 ## things-search configuration

deployment/helm/ditto/templates/policies-deployment.yaml

@@ -126,6 +126,24 @@ spec:
                 {{- range $index, $header := .Values.policies.config.persistence.events.historicalHeadersToPersist }}
                 "{{ printf "%s%d=%s" "-Dditto.policies.policy.event.historical-headers-to-persist." $index $header }}"
                 {{- end }}
+                {{- range $grantIdx, $grant := .Values.policies.config.entityCreation.grants }}
+                "{{ printf "%s%d%s=%s" "-Dditto.entity-creation.grant." $grantIdx ".resource-types.0" "policy" }}"
+                {{- range $namespaceIdx, $namespace := $grant.namespaces }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.grant." $grantIdx ".namespaces." $namespaceIdx $namespace }}"
+                {{- end }}
+                {{- range $subjectIdx, $subject := $grant.authSubjects }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.grant." $grantIdx ".auth-subjects." $subjectIdx $subject }}"
+                {{- end }}
+                {{- end }}
+                {{- range $revokeIdx, $revoke := .Values.policies.config.entityCreation.revokes }}
+                "{{ printf "%s%d%s=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".resource-types.0" "policy" }}"
+                {{- range $namespaceIdx, $namespace := $revoke.namespaces }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".namespaces." $namespaceIdx $namespace }}"
+                {{- end }}
+                {{- range $subjectIdx, $subject := $revoke.authSubjects }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".auth-subjects." $subjectIdx $subject }}"
+                {{- end }}
+                {{- end }}
                 {{ join " " .Values.policies.systemProps }}
             - name: MONGO_DB_SSL_ENABLED
               value: "{{ if .Values.dbconfig.policies.ssl }}true{{ else }}false{{ end }}"

deployment/helm/ditto/templates/things-deployment.yaml

@@ -126,6 +126,24 @@ spec:
                 {{- range $index, $header := .Values.things.config.persistence.events.historicalHeadersToPersist }}
                 "{{ printf "%s%d=%s" "-Dditto.things.thing.event.historical-headers-to-persist." $index $header }}"
                 {{- end }}
+                {{- range $grantIdx, $grant := .Values.things.config.entityCreation.grants }}
+                "{{ printf "%s%d%s=%s" "-Dditto.entity-creation.grant." $grantIdx ".resource-types.0" "thing" }}"
+                {{- range $namespaceIdx, $namespace := $grant.namespaces }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.grant." $grantIdx ".namespaces." $namespaceIdx $namespace }}"
+                {{- end }}
+                {{- range $subjectIdx, $subject := $grant.authSubjects }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.grant." $grantIdx ".auth-subjects." $subjectIdx $subject }}"
+                {{- end }}
+                {{- end }}
+                {{- range $revokeIdx, $revoke := .Values.things.config.entityCreation.revokes }}
+                "{{ printf "%s%d%s=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".resource-types.0" "thing" }}"
+                {{- range $namespaceIdx, $namespace := $revoke.namespaces }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".namespaces." $namespaceIdx $namespace }}"
+                {{- end }}
+                {{- range $subjectIdx, $subject := $revoke.authSubjects }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".auth-subjects." $subjectIdx $subject }}"
+                {{- end }}
+                {{- end }}
                 '-Dditto.things.wot.to-thing-description.json-template={{ .Values.things.config.wot.tdJsonTemplate | replace "\n" "" | replace "\\\"" "\"" }}'
                 {{ join " " .Values.things.systemProps }}
             - name: MONGO_DB_SSL_ENABLED

deployment/helm/ditto/values.yaml

@@ -62,7 +62,7 @@ global:
   # jwtOnly controls whether only OpenID-Connect authentication is supported
   #  if false, both OpenID-Connect and basicAuth via nginx (see above "basicAuthUsers" and "hashedBasicAuthUsers") is used
   #  ref: https://www.eclipse.dev/ditto/installation-operating.html#openid-connect
-  jwtOnly: true
+  jwtOnly: false
   # jvmOptions defines the JVM options applied to all Ditto services running in the JVM, it is put in JAVA_TOOL_OPTIONS
   jvmOptions: >
     -XX:+ExitOnOutOfMemoryError
@@ -553,6 +553,23 @@ policies:
         interval: 15m
         # threshold configures the threshold after how many changes to a Policy to do a snapshot
         threshold: 5
+    # entityCreation by default, Ditto allows anyone to create a new entity (policy in this case) in any namespace.
+    #  However, this behavior can be customized, and the ability to create new entities can be restricted:
+    entityCreation:
+      # grants contains the list of creation config entries which would allow the creation of entities
+      #  An empty list would *not* allow any entity to be created.
+      #  You must have at least one entry, even if it is without restrictions.
+      grants:
+        -  # namespaces holds the list of namespaces this entry applies to. An empty list would match any.
+          #  Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
+          namespaces: []
+           # authSubjects holds list of authentication subjects this entry applies to. An empty list would match any.
+           #  Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
+          authSubjects: []
+      # revokes contains the list of creation config entries which would reject the creation of entities
+      revokes: []
+      # - namespaces: []
+      #   authSubjects: []
 
 ## ----------------------------------------------------------------------------
 ## things configuration
@@ -724,6 +741,23 @@ things:
         interval: 15m
         # the threshold after how many changes to a Thing to do a snapshot
         threshold: 50
+    # entityCreation by default, Ditto allows anyone to create a new entity (thing in this case) in any namespace.
+    #  However, this behavior can be customized, and the ability to create new entities can be restricted:
+    entityCreation:
+      # grants contains the list of creation config entries which would allow the creation of entities
+      #  An empty list would *not* allow any entity to be created.
+      #  You must have at least one entry, even if it is without restrictions.
+      grants:
+        -  # namespaces holds the list of namespaces this entry applies to. An empty list would match any.
+          #  Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
+          namespaces: []
+          # authSubjects holds list of authentication subjects this entry applies to. An empty list would match any.
+          #  Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
+          authSubjects: []
+      # revokes contains the list of creation config entries which would reject the creation of entities
+      revokes: []
+      # - namespaces: []
+      #   authSubjects: []
     # policiesEnforcer contains configuration for Ditto "Policy Enforcers", e.g. regarding caching
     policiesEnforcer:
       # cache holds the configuration of policy enforcer caching

documentation/src/main/resources/_data/sidebars/ditto_sidebar.yml

@@ -23,6 +23,9 @@ entries:
       - title: Release Notes
         output: web
         folderitems:
+          - title: 3.3.4
+            url: /release_notes_334.html
+            output: web
           - title: 3.3.3
             url: /release_notes_333.html
             output: web

documentation/src/main/resources/pages/ditto/installation-operating.md

@@ -260,16 +260,24 @@ The basic schema is:
 ```
 # restrict entity creation
 ditto.entity-creation {
-   grant = [
-      {
-         resource-types = [],
-         namespace = []
-         auth-subjects = []
-      }
-   ]
-   revoke = [
-      # same as "grant", but rejecting requests which already passed "grant"
-   ]
+   # this default entry allows every authenticated "auth-subject" to create any "resource-type" in any "namespace":
+  grant = [
+    {
+      resource-types = [
+//        "policy"
+//        "thing"
+      ]
+      namespaces = [
+//        "org.eclipse.ditto*"
+      ]
+      auth-subjects = [
+//        "pre:ditto-*"
+      ]
+    }
+  ]
+  revoke = [
+    # same as "grant", but rejecting requests which already passed "grant"
+  ]
 }
 ```
 

documentation/src/main/resources/pages/ditto/release_notes_334.md

@@ -0,0 +1,49 @@
+---
+title: Release notes 3.3.4
+tags: [release_notes]
+published: true
+keywords: release notes, announcements, changelog
+summary: "Version 3.3.4 of Eclipse Ditto, released on 11.07.2023"
+permalink: release_notes_334.html
+---
+
+This is a bugfix release, no new features since [3.3.3](release_notes_333.html) were added.
+
+## Changelog
+
+Compared to the latest release [3.3.3](release_notes_333.html), the following changes and bugfixes were added.
+
+### Changes
+
+
+### Bugfixes
+
+This is a complete list of the
+[merged pull requests](https://github.com/eclipse-ditto/ditto/pulls?q=is%3Apr+milestone%3A3.3.4).
+
+#### [Fix that CreationRestrictionPreEnforcer did not work](https://github.com/eclipse-ditto/ditto/pull/1682)
+
+The previously added [restriction configuration of creating new entities](installation-operating.html#restricting-entity-creation)
+did no longer work with Ditto 3.x - as some changes were done in Ditto 3.x regarding extension loading.
+
+This is now fixed and creating new entities can be configured again.
+
+
+### Helm Chart
+
+The [Ditto Helm Chart](https://github.com/eclipse-ditto/ditto/tree/master/deployment/helm), which was enhanced and changed 
+a lot for version 3.3.0, contained some configuration bugs which are also addressed with this bugfix release.
+
+#### [Add support for entity creation via Helm configuration](https://github.com/eclipse-ditto/ditto/pull/1684)
+
+In order to make use of the [restriction for creating new entities](installation-operating.html#restricting-entity-creation), 
+the Helm chart was enhanced with configuration options for creating policies and things.
+
+#### [Fix default value of 'jwtOnly' being 'true' in Helm chart ](https://github.com/eclipse-ditto/ditto/pull/1686)
+
+Former versions of the Helm chart configured by default `jwtOnly: false` which meant that it was possible to authenticate 
+users at Ditto's HTTP or WebSocket API via the nginx `.htpasswd` file approach.
+
+The new Helm chart changed the default to `jwtOnly: true` which broke this very simple approach of authenticating users.
+
+So the default was changed back to allow nginx authentication.

internal/utils/config/src/main/resources/ditto-entity-creation.conf

@@ -2,7 +2,20 @@
 ditto.entity-creation {
 
   # this default entry allows every authenticated "auth-subject" to create any "resource-type" in any "namespace":
-  grant = [{}]
+  grant = [
+    {
+      resource-types = [
+//        "policy"
+//        "thing"
+      ]
+      namespaces = [
+//        "org.eclipse.ditto*"
+      ]
+      auth-subjects = [
+//        "pre:ditto-*"
+      ]
+    }
+  ]
   # same as "grant", but rejecting requests which already passed "grant"
   revoke = []
 }

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/config/DefaultCreationRestrictionConfig.java

@@ -30,23 +30,27 @@
 @Immutable
 public final class DefaultCreationRestrictionConfig implements CreationRestrictionConfig {
 
-    private static final String RESOURCE_TYPES_CONFIG_PATH = "resource-types";
-    private static final String NAMESPACES_CONFIG_PATH = "namespaces";
-    private static final String AUTH_SUBJECTS_CONFIG_PATH = "auth-subjects";
-
     private final Set<String> resourceTypes;
     private final List<Pattern> namespacePatterns;
     private final List<Pattern> authSubjectPatterns;
 
     private DefaultCreationRestrictionConfig(final ConfigWithFallback configWithFallback) {
-        this.resourceTypes = Set.copyOf(configWithFallback.getStringList(RESOURCE_TYPES_CONFIG_PATH));
-        this.namespacePatterns = compile(List.copyOf(configWithFallback.getStringList(NAMESPACES_CONFIG_PATH)));
-        this.authSubjectPatterns = compile(List.copyOf(configWithFallback.getStringList(AUTH_SUBJECTS_CONFIG_PATH)));
+        this.resourceTypes = Set.copyOf(configWithFallback.getStringList(
+                CreationRestrictionConfigValues.RESOURCE_TYPES.getConfigPath()
+        ));
+        this.namespacePatterns = compile(List.copyOf(configWithFallback.getStringList(
+                CreationRestrictionConfigValues.NAMESPACES.getConfigPath())
+        ));
+        this.authSubjectPatterns = compile(List.copyOf(configWithFallback.getStringList(
+                CreationRestrictionConfigValues.AUTH_SUBJECTS.getConfigPath())
+        ));
     }
 
     private static List<Pattern> compile(final List<String> patterns) {
         return patterns.stream()
-                .map(expression -> Pattern.compile(LikeHelper.convertToRegexSyntax(expression)))
+                .map(LikeHelper::convertToRegexSyntax)
+                .filter(Objects::nonNull)
+                .map(Pattern::compile)
                 .toList();
     }
 

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/config/DefaultEntityCreationConfig.java

@@ -28,7 +28,7 @@
 @Immutable
 public final class DefaultEntityCreationConfig implements EntityCreationConfig {
 
-    private static final String CONFIG_PATH = "entity-creation";
+    private static final String CONFIG_PATH = "ditto.entity-creation";
 
     private final List<CreationRestrictionConfig> grant;
     private final List<CreationRestrictionConfig> revoke;

policies/enforcement/src/main/java/org/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer.java

@@ -55,7 +55,9 @@ public final class CreationRestrictionPreEnforcer implements PreEnforcer {
      */
     @SuppressWarnings("unused")
     public CreationRestrictionPreEnforcer(final ActorSystem actorSystem, final Config config) {
-        this.config = DefaultEntityCreationConfig.of(config);
+        // explicitly use the ActorSystem config instead of the PreEnforcer config - as the config is loaded from
+        // file "ditto-entity-creation.conf" and extending with system properties of that file should not be broken
+        this.config = DefaultEntityCreationConfig.of(actorSystem.settings().config());
     }
 
     boolean canCreate(final Context context) {

policies/enforcement/src/test/resources/entity-creation/default.conf

@@ -1,4 +1,4 @@
-entity-creation {
+ditto.entity-creation {
     grant = [{}]
     revoke = []
 }

policies/enforcement/src/test/resources/entity-creation/restricted1.conf

@@ -1,4 +1,4 @@
-entity-creation {
+ditto.entity-creation {
     grant = [
         {
             resource-types = ["policy"]