determineResourceNames() {
*
* @return the translated text, or null if the key could not be translated
*/
+ @Override
public String getText(String resource, String key, Locale locale) {
if ((key != null) && (!key.isEmpty())) {
Locale effectiveLocale = locale != null ? locale : localeProvider.getLocale();
@@ -167,6 +169,7 @@ public String getText(String resource, String key, Locale locale) {
*
* @return the translated text, or null if the key could not be translated
*/
+ @Override
public String getText(String key, Locale locale) {
return getText(null, key, locale);
}
diff --git a/bundles/org.opensmarthouse.core.i18n/src/main/java/org/openhab/core/i18n/ResourceTranslationProvider.java b/bundles/org.opensmarthouse.core.i18n/src/main/java/org/openhab/core/i18n/ResourceTranslationProvider.java
new file mode 100644
index 000000000..bcc28c57c
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.i18n/src/main/java/org/openhab/core/i18n/ResourceTranslationProvider.java
@@ -0,0 +1,55 @@
+/**
+ * Copyright (c) 2010-2020 Contributors to the openHAB project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.i18n;
+
+import java.util.Locale;
+
+/**
+ * Interface for resource/translation provider which can be registered dynamically as a service.
+ *
+ * @author Łukasz Dywicki - Initial contribution.
+ */
+public interface ResourceTranslationProvider {
+
+ /**
+ * Returns a translation for the specified key in the specified locale (language) by only
+ * considering the specified resource section. The resource is equal to a base name and
+ * therefore it is mapped to one translation package (all files which belong to the base
+ * name).
+ *
+ * If no translation could be found, {@code null} is returned. If the location is not specified, the default
+ * location is used.
+ *
+ * @param resource the resource to be used for look-up (could be null or empty)
+ * @param key the key to be translated (could be null or empty)
+ * @param locale the locale (language) to be used (could be null)
+ *
+ * @return the translated text, or null if the key could not be translated
+ */
+ String getText(String resource, String key, Locale locale);
+
+ /**
+ * Returns a translation for the specified key in the specified locale (language)
+ * by considering all resources in the according bundle.
+ *
+ * If no translation could be found, {@code null} is returned. If the location is not specified, the default
+ * location is used.
+ *
+ * @param key the key to be translated (could be null or empty)
+ * @param locale the locale (language) to be used (could be null)
+ *
+ * @return the translated text, or null if the key could not be translated
+ */
+ String getText(String key, Locale locale);
+
+}
diff --git a/bundles/org.opensmarthouse.core.io.auth/NOTICE b/bundles/org.opensmarthouse.core.io.auth/NOTICE
new file mode 100755
index 000000000..bed08ed3f
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.auth/NOTICE
@@ -0,0 +1,13 @@
+This content is produced and maintained by the OpenSmartHouse project.
+
+* Project home: https://opensmarthouse.org
+
+== Declared Project Licenses
+
+This program and the accompanying materials are made available under the terms
+of the Eclipse Public License 2.0 which is available at
+https://www.eclipse.org/legal/epl-2.0/.
+
+== Source Code
+
+https://github.com/opensmarthouse/opensmarthouse-core
diff --git a/bundles/org.opensmarthouse.core.io.auth/pom.xml b/bundles/org.opensmarthouse.core.io.auth/pom.xml
new file mode 100755
index 000000000..432bcea7e
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.auth/pom.xml
@@ -0,0 +1,23 @@
+
+
+
+ 4.0.0
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.reactor.bundles
+ 0.9.3-SNAPSHOT
+
+
+ org.opensmarthouse.core.io.auth
+
+ OpenSmartHouse Core | Bundles | IO Authentication
+
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth
+
+
+
+
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/CredentialsExtractor.java b/bundles/org.opensmarthouse.core.io.auth/src/main/java/org/openhab/core/io/auth/CredentialsExtractor.java
similarity index 95%
rename from bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/CredentialsExtractor.java
rename to bundles/org.opensmarthouse.core.io.auth/src/main/java/org/openhab/core/io/auth/CredentialsExtractor.java
index 613791ed9..3fa5f4c03 100755
--- a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/CredentialsExtractor.java
+++ b/bundles/org.opensmarthouse.core.io.auth/src/main/java/org/openhab/core/io/auth/CredentialsExtractor.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.http.auth;
+package org.openhab.core.io.auth;
import java.util.Optional;
diff --git a/bundles/org.opensmarthouse.core.io.console.user/pom.xml b/bundles/org.opensmarthouse.core.io.console.user/pom.xml
index 0f2aa46e7..886894d85 100644
--- a/bundles/org.opensmarthouse.core.io.console.user/pom.xml
+++ b/bundles/org.opensmarthouse.core.io.console.user/pom.xml
@@ -14,6 +14,10 @@
OpenSmartHouse Core | Bundles | Console | User
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.local
+
org.opensmarthouse.core.bundles
org.opensmarthouse.core.io.console
diff --git a/bundles/org.opensmarthouse.core.io.console.user/src/main/java/org/openhab/core/io/console/internal/extension/UserConsoleCommandExtension.java b/bundles/org.opensmarthouse.core.io.console.user/src/main/java/org/openhab/core/io/console/internal/extension/UserConsoleCommandExtension.java
index 1ffab9c47..b2744497e 100644
--- a/bundles/org.opensmarthouse.core.io.console.user/src/main/java/org/openhab/core/io/console/internal/extension/UserConsoleCommandExtension.java
+++ b/bundles/org.opensmarthouse.core.io.console.user/src/main/java/org/openhab/core/io/console/internal/extension/UserConsoleCommandExtension.java
@@ -17,10 +17,10 @@
import java.util.Set;
import org.eclipse.jdt.annotation.NonNullByDefault;
-import org.openhab.core.auth.ManagedUser;
-import org.openhab.core.auth.User;
-import org.openhab.core.auth.UserApiToken;
-import org.openhab.core.auth.UserRegistry;
+import org.openhab.core.auth.local.ManagedUser;
+import org.openhab.core.auth.local.User;
+import org.openhab.core.auth.local.UserApiToken;
+import org.openhab.core.auth.local.UserRegistry;
import org.openhab.core.io.console.Console;
import org.openhab.core.io.console.extensions.AbstractConsoleCommandExtension;
import org.openhab.core.io.console.extensions.ConsoleCommandExtension;
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.apitoken/NOTICE b/bundles/org.opensmarthouse.core.io.http.auth.apitoken/NOTICE
new file mode 100755
index 000000000..3e53bd427
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth.apitoken/NOTICE
@@ -0,0 +1,18 @@
+This content is produced and maintained by the OpenSmartHouse project.
+
+* Project home: https://opensmarthouse.org
+
+Elements of this bundle are copyright to the following -:
+
+* The Eclipse Foundation, having come from the Eclipse SmartHome project
+* The openHAB project
+
+== Declared Project Licenses
+
+This program and the accompanying materials are made available under the terms
+of the Eclipse Public License 2.0 which is available at
+https://www.eclipse.org/legal/epl-2.0/.
+
+== Source Code
+
+https://github.com/opensmarthouse/opensmarthouse-core
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.apitoken/pom.xml b/bundles/org.opensmarthouse.core.io.http.auth.apitoken/pom.xml
new file mode 100755
index 000000000..e6971de37
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth.apitoken/pom.xml
@@ -0,0 +1,31 @@
+
+
+
+ 4.0.0
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.reactor.bundles
+ 0.9.3-SNAPSHOT
+
+
+ org.opensmarthouse.core.io.http.auth.apitoken
+
+ OpenSmartHouse Core | Bundles | HTTP/Apitoken Authentication
+
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.auth
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.http.facade
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.apitoken
+
+
+
+
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.apitoken/src/main/java/org/openhab/core/io/http/auth/apitoken/internal/ApitokenCredentialsExtractor.java b/bundles/org.opensmarthouse.core.io.http.auth.apitoken/src/main/java/org/openhab/core/io/http/auth/apitoken/internal/ApitokenCredentialsExtractor.java
new file mode 100644
index 000000000..7e3b7579f
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth.apitoken/src/main/java/org/openhab/core/io/http/auth/apitoken/internal/ApitokenCredentialsExtractor.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (c) 2010-2020 Contributors to the openHAB project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.http.auth.apitoken.internal;
+
+import java.util.Optional;
+import org.openhab.core.auth.Credentials;
+import org.openhab.core.io.auth.CredentialsExtractor;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
+import org.osgi.service.component.annotations.Component;
+import org.openhab.core.auth.apitoken.UserApiTokenCredentials;
+
+/**
+ *
+ * @author Łukasz Dywicki - Extracted from {@link org.openhab.core.io.rest.auth.internal.AuthFilter}
+ */
+@Component(property = { "context=org.openhab.core.io.http.facade.HttpRequestDelegate" })
+public class ApitokenCredentialsExtractor implements CredentialsExtractor {
+
+ private static final String ALT_AUTH_HEADER = "X-OPENHAB-TOKEN";
+ private static final String API_TOKEN_PREFIX = "oh.";
+
+ @Override
+ public Optional retrieveCredentials(HttpRequestDelegate requestContext) {
+ return requestContext.getHeader(ALT_AUTH_HEADER)
+ .filter(token -> token.startsWith(API_TOKEN_PREFIX))
+ .map(token -> new UserApiTokenCredentials(token));
+ }
+}
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.basic/pom.xml b/bundles/org.opensmarthouse.core.io.http.auth.basic/pom.xml
index d92f0f284..0ea5f3a1c 100755
--- a/bundles/org.opensmarthouse.core.io.http.auth.basic/pom.xml
+++ b/bundles/org.opensmarthouse.core.io.http.auth.basic/pom.xml
@@ -14,10 +14,21 @@
OpenSmartHouse Core | Bundles | HTTP Authentication Basic
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.password
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.auth
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.http.facade
+
org.opensmarthouse.core.bundles
org.opensmarthouse.core.io.http.auth
- ${project.version}
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.basic/src/main/java/org/openhab/core/io/http/auth/basic/internal/BasicCredentialsExtractor.java b/bundles/org.opensmarthouse.core.io.http.auth.basic/src/main/java/org/openhab/core/io/http/auth/basic/internal/BasicCredentialsExtractor.java
index 2fc4a0a71..c72874052 100755
--- a/bundles/org.opensmarthouse.core.io.http.auth.basic/src/main/java/org/openhab/core/io/http/auth/basic/internal/BasicCredentialsExtractor.java
+++ b/bundles/org.opensmarthouse.core.io.http.auth.basic/src/main/java/org/openhab/core/io/http/auth/basic/internal/BasicCredentialsExtractor.java
@@ -18,26 +18,27 @@
import javax.servlet.http.HttpServletRequest;
import org.openhab.core.auth.Credentials;
-import org.openhab.core.auth.UsernamePasswordCredentials;
-import org.openhab.core.io.http.auth.CredentialsExtractor;
+import org.openhab.core.auth.password.UsernamePasswordCredentials;
+import org.openhab.core.io.auth.CredentialsExtractor;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
import org.osgi.service.component.annotations.Component;
/**
* Extract user name and password from incoming request.
*
- * @author Łukasz Dywicki - Initial contribution.
+ * @author Łukasz Dywicki - Initial contribution, migration to Http request facade.
*/
-@Component(property = { "context=javax.servlet.http.HttpServletRequest" })
-public class BasicCredentialsExtractor implements CredentialsExtractor {
+@Component(property = { "context=org.openhab.core.io.http.facade.HttpRequestDelegate" })
+public class BasicCredentialsExtractor implements CredentialsExtractor {
@Override
- public Optional retrieveCredentials(HttpServletRequest request) {
- String authenticationHeader = request.getHeader("Authorization");
-
- if (authenticationHeader == null) {
- return Optional.empty();
- }
+ public Optional retrieveCredentials(HttpRequestDelegate request) {
+ return request.getAuthorizationHeader()
+ .filter(header -> header.contains(" "))
+ .flatMap(this::process);
+ }
+ private Optional process(String authenticationHeader) {
String[] tokens = authenticationHeader.split(" ");
if (tokens.length == 2) {
String authType = tokens[0];
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.cookie/pom.xml b/bundles/org.opensmarthouse.core.io.http.auth.cookie/pom.xml
new file mode 100755
index 000000000..c1fa0498d
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth.cookie/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.reactor.bundles
+ 0.9.3-SNAPSHOT
+
+
+ org.opensmarthouse.core.io.http.auth.cookie
+
+ OpenSmartHouse Core | Bundles | HTTP Cookie Authentication
+
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.cookie
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.auth
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.http.facade
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.http.auth
+
+
+
+
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.cookie/src/main/java/org/openhab/core/io/http/auth/cookie/internal/CookieCredentialsExtractor.java b/bundles/org.opensmarthouse.core.io.http.auth.cookie/src/main/java/org/openhab/core/io/http/auth/cookie/internal/CookieCredentialsExtractor.java
new file mode 100755
index 000000000..cfb64689e
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth.cookie/src/main/java/org/openhab/core/io/http/auth/cookie/internal/CookieCredentialsExtractor.java
@@ -0,0 +1,42 @@
+/**
+ * Copyright (c) 2010-2020 Contributors to the openHAB project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.http.auth.cookie.internal;
+
+import java.util.Optional;
+
+import org.openhab.core.auth.Credentials;
+import org.openhab.core.auth.cookie.CookieCredentials;
+import org.openhab.core.io.auth.CredentialsExtractor;
+import org.openhab.core.io.http.facade.Cookie;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
+import org.osgi.service.component.annotations.Component;
+
+/**
+ * Extract session information from cookie inincoming request.
+ *
+ * @author Łukasz Dywicki - Initial contribution.
+ */
+@Component(property = { "context=org.openhab.core.io.http.facade.HttpRequestDelegate" })
+public class CookieCredentialsExtractor implements CredentialsExtractor {
+
+ public static final String SESSIONID_COOKIE_NAME = "X-OPENHAB-SESSIONID";
+
+ @Override
+ public Optional retrieveCredentials(HttpRequestDelegate request) {
+ return request.getCookie(SESSIONID_COOKIE_NAME).map(this::process);
+ }
+
+ private CookieCredentials process(Cookie cookie) {
+ return new CookieCredentials(cookie.getName(), cookie.getValue());
+ }
+}
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.jwt/NOTICE b/bundles/org.opensmarthouse.core.io.http.auth.jwt/NOTICE
new file mode 100755
index 000000000..3e53bd427
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth.jwt/NOTICE
@@ -0,0 +1,18 @@
+This content is produced and maintained by the OpenSmartHouse project.
+
+* Project home: https://opensmarthouse.org
+
+Elements of this bundle are copyright to the following -:
+
+* The Eclipse Foundation, having come from the Eclipse SmartHome project
+* The openHAB project
+
+== Declared Project Licenses
+
+This program and the accompanying materials are made available under the terms
+of the Eclipse Public License 2.0 which is available at
+https://www.eclipse.org/legal/epl-2.0/.
+
+== Source Code
+
+https://github.com/opensmarthouse/opensmarthouse-core
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.jwt/pom.xml b/bundles/org.opensmarthouse.core.io.http.auth.jwt/pom.xml
new file mode 100755
index 000000000..09473249d
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth.jwt/pom.xml
@@ -0,0 +1,31 @@
+
+
+
+ 4.0.0
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.reactor.bundles
+ 0.9.3-SNAPSHOT
+
+
+ org.opensmarthouse.core.io.http.auth.jwt
+
+ OpenSmartHouse Core | Bundles | HTTP/JWT Authentication
+
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.auth
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.http.facade
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.jwt
+
+
+
+
diff --git a/bundles/org.opensmarthouse.core.io.http.auth.jwt/src/main/java/org/openhab/core/io/http/auth/jwt/internal/JwtCredentialsExtractor.java b/bundles/org.opensmarthouse.core.io.http.auth.jwt/src/main/java/org/openhab/core/io/http/auth/jwt/internal/JwtCredentialsExtractor.java
new file mode 100644
index 000000000..2dc6beaf0
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth.jwt/src/main/java/org/openhab/core/io/http/auth/jwt/internal/JwtCredentialsExtractor.java
@@ -0,0 +1,47 @@
+/**
+ * Copyright (c) 2019-2020 Contributors to the OpenSmartHouse project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.http.auth.jwt.internal;
+
+import java.util.Optional;
+import org.openhab.core.auth.Credentials;
+import org.openhab.core.auth.jwt.JWTCredentials;
+import org.openhab.core.io.auth.CredentialsExtractor;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
+import org.osgi.service.component.annotations.Component;
+
+/**
+ * An extractor of request credentials which rely on token sent in authorization header.
+ *
+ * @author Łukasz Dywicki - Extracted from {@link org.openhab.core.io.rest.auth.internal.AuthFilter}
+ */
+@Component(property = { "context=org.openhab.core.io.http.facade.HttpRequestDelegate" })
+public class JwtCredentialsExtractor implements CredentialsExtractor {
+
+ @Override
+ public Optional retrieveCredentials(HttpRequestDelegate request) {
+ return request.getAuthorizationHeader()
+ .filter(header -> header.contains(" "))
+ .flatMap(this::process);
+ }
+
+ private Optional process(String authenticationHeader) {
+ String[] tokens = authenticationHeader.split(" ");
+ if (tokens.length == 2) {
+ if ("bearer".equalsIgnoreCase(tokens[0])) {
+ return Optional.of(new JWTCredentials(tokens[1]));
+ }
+ }
+
+ return Optional.empty();
+ }
+}
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/pom.xml b/bundles/org.opensmarthouse.core.io.http.auth/pom.xml
index a5ccff547..2ac561417 100755
--- a/bundles/org.opensmarthouse.core.io.http.auth/pom.xml
+++ b/bundles/org.opensmarthouse.core.io.http.auth/pom.xml
@@ -18,6 +18,18 @@
org.opensmarthouse.core.bundles
org.opensmarthouse.core.auth
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.password
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.auth
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.http.facade
+
org.opensmarthouse.core.bundles
org.opensmarthouse.core.io.http
@@ -26,6 +38,10 @@
org.opensmarthouse.core.bundles
org.opensmarthouse.core.i18n
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.local
+
org.eclipse.jetty
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AbstractAuthPageServlet.java b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AbstractAuthPageServlet.java
index 217ec6962..5d27bb49c 100644
--- a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AbstractAuthPageServlet.java
+++ b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AbstractAuthPageServlet.java
@@ -26,16 +26,17 @@
import java.util.UUID;
import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.eclipse.jdt.annotation.Nullable;
-import org.openhab.core.auth.Authentication;
import org.openhab.core.auth.AuthenticationException;
-import org.openhab.core.auth.AuthenticationProvider;
-import org.openhab.core.auth.User;
-import org.openhab.core.auth.UserRegistry;
-import org.openhab.core.auth.UsernamePasswordCredentials;
+import org.openhab.core.auth.AuthenticationManager;
+import org.openhab.core.auth.AuthenticationResult;
+import org.openhab.core.auth.local.User;
+import org.openhab.core.auth.local.UserRegistry;
+import org.openhab.core.auth.password.UsernamePasswordCredentials;
import org.openhab.core.i18n.LocaleProvider;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Reference;
@@ -60,7 +61,7 @@ public abstract class AbstractAuthPageServlet extends HttpServlet {
protected HttpService httpService;
protected UserRegistry userRegistry;
- protected AuthenticationProvider authProvider;
+ protected AuthenticationManager authManager;
protected LocaleProvider localeProvider;
protected @Nullable Instant lastAuthenticationFailure;
protected int authenticationFailureCount = 0;
@@ -70,11 +71,11 @@ public abstract class AbstractAuthPageServlet extends HttpServlet {
protected String pageTemplate;
public AbstractAuthPageServlet(BundleContext bundleContext, @Reference HttpService httpService,
- @Reference UserRegistry userRegistry, @Reference AuthenticationProvider authProvider,
+ @Reference UserRegistry userRegistry, @Reference AuthenticationManager authManager,
@Reference LocaleProvider localeProvider) {
this.httpService = httpService;
this.userRegistry = userRegistry;
- this.authProvider = authProvider;
+ this.authManager = authManager;
this.localeProvider = localeProvider;
pageTemplate = "";
@@ -130,12 +131,12 @@ protected User login(String username, String password) throws AuthenticationExce
}
// Authenticate the user with the supplied credentials
- UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(username, password);
- Authentication auth = authProvider.authenticate(credentials);
- logger.debug("Login successful: {}", auth.getUsername());
+ UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(username, password, HttpServletRequest.FORM_AUTH);
+ AuthenticationResult auth = authManager.authenticate(credentials);
+ logger.debug("Login successful: {}", auth.getPrincipal());
lastAuthenticationFailure = null;
authenticationFailureCount = 0;
- User user = userRegistry.get(auth.getUsername());
+ User user = userRegistry.get(auth.getAuthentication().getUsername());
if (user == null) {
throw new AuthenticationException("User not found");
}
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthenticationHandler.java b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthenticationHandler.java
index 45577f354..654712ca3 100755
--- a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthenticationHandler.java
+++ b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthenticationHandler.java
@@ -25,11 +25,13 @@
import org.openhab.core.auth.Authentication;
import org.openhab.core.auth.AuthenticationException;
import org.openhab.core.auth.AuthenticationManager;
+import org.openhab.core.auth.AuthenticationResult;
import org.openhab.core.auth.Credentials;
import org.openhab.core.io.http.Handler;
import org.openhab.core.io.http.HandlerContext;
import org.openhab.core.io.http.HandlerPriorities;
-import org.openhab.core.io.http.auth.CredentialsExtractor;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
+import org.openhab.core.io.auth.CredentialsExtractor;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
@@ -54,7 +56,7 @@ public class AuthenticationHandler implements Handler {
private final Logger logger = LoggerFactory.getLogger(AuthenticationHandler.class);
- private final List> extractors = new CopyOnWriteArrayList<>();
+ private final List> extractors = new CopyOnWriteArrayList<>();
private AuthenticationManager authenticationManager;
@@ -77,14 +79,14 @@ public void handle(final HttpServletRequest request, final HttpServletResponse r
}
int found = 0, failed = 0;
- for (CredentialsExtractor extractor : extractors) {
- Optional extracted = extractor.retrieveCredentials(request);
+ for (CredentialsExtractor extractor : extractors) {
+ Optional extracted = extractor.retrieveCredentials(new ServletRequestDelegate(request));
if (extracted.isPresent()) {
found++;
Credentials credentials = extracted.get();
try {
- Authentication authentication = authenticationManager.authenticate(credentials);
- request.setAttribute(Authentication.class.getName(), authentication);
+ AuthenticationResult authentication = authenticationManager.authenticate(credentials);
+ request.setAttribute(Authentication.class.getName(), authentication.getAuthentication());
context.execute(request, response);
return;
} catch (AuthenticationException e) {
@@ -167,12 +169,12 @@ public void unsetAuthenticationManager(AuthenticationManager authenticationManag
this.authenticationManager = null;
}
- @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, target = "(context=javax.servlet.http.HttpServletRequest)")
- public void addCredentialsExtractor(CredentialsExtractor extractor) {
+ @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, target = "(context=org.openhab.core.io.http.facade.HttpRequestDelegate)")
+ public void addCredentialsExtractor(CredentialsExtractor extractor) {
this.extractors.add(extractor);
}
- public void removeCredentialsExtractor(CredentialsExtractor extractor) {
+ public void removeCredentialsExtractor(CredentialsExtractor extractor) {
this.extractors.remove(extractor);
}
}
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthorizePageServlet.java b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthorizePageServlet.java
index d53eb5605..b1c26a228 100755
--- a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthorizePageServlet.java
+++ b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthorizePageServlet.java
@@ -26,12 +26,12 @@
import org.eclipse.jdt.annotation.Nullable;
import org.eclipse.jetty.http.HttpStatus;
import org.openhab.core.auth.AuthenticationException;
-import org.openhab.core.auth.AuthenticationProvider;
-import org.openhab.core.auth.ManagedUser;
-import org.openhab.core.auth.PendingToken;
+import org.openhab.core.auth.AuthenticationManager;
+import org.openhab.core.auth.local.ManagedUser;
+import org.openhab.core.auth.local.PendingToken;
import org.openhab.core.auth.Role;
-import org.openhab.core.auth.User;
-import org.openhab.core.auth.UserRegistry;
+import org.openhab.core.auth.local.User;
+import org.openhab.core.auth.local.UserRegistry;
import org.openhab.core.i18n.LocaleProvider;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
@@ -64,9 +64,9 @@ public class AuthorizePageServlet extends AbstractAuthPageServlet {
@Activate
public AuthorizePageServlet(BundleContext bundleContext, @Reference HttpService httpService,
- @Reference UserRegistry userRegistry, @Reference AuthenticationProvider authProvider,
+ @Reference UserRegistry userRegistry, @Reference AuthenticationManager authManager,
@Reference LocaleProvider localeProvider) {
- super(bundleContext, httpService, userRegistry, authProvider, localeProvider);
+ super(bundleContext, httpService, userRegistry, authManager, localeProvider);
try {
httpService.registerServlet("/auth", this, null, null);
} catch (NamespaceException | ServletException e) {
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ChangePasswordPageServlet.java b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ChangePasswordPageServlet.java
index fa0dcfdd7..abc8efa09 100644
--- a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ChangePasswordPageServlet.java
+++ b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ChangePasswordPageServlet.java
@@ -21,10 +21,11 @@
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.openhab.core.auth.AuthenticationException;
+import org.openhab.core.auth.AuthenticationManager;
import org.openhab.core.auth.AuthenticationProvider;
-import org.openhab.core.auth.ManagedUser;
-import org.openhab.core.auth.User;
-import org.openhab.core.auth.UserRegistry;
+import org.openhab.core.auth.local.ManagedUser;
+import org.openhab.core.auth.local.User;
+import org.openhab.core.auth.local.UserRegistry;
import org.openhab.core.i18n.LocaleProvider;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
@@ -52,9 +53,9 @@ public class ChangePasswordPageServlet extends AbstractAuthPageServlet {
@Activate
public ChangePasswordPageServlet(BundleContext bundleContext, @Reference HttpService httpService,
- @Reference UserRegistry userRegistry, @Reference AuthenticationProvider authProvider,
+ @Reference UserRegistry userRegistry, @Reference AuthenticationManager authManager,
@Reference LocaleProvider localeProvider) {
- super(bundleContext, httpService, userRegistry, authProvider, localeProvider);
+ super(bundleContext, httpService, userRegistry, authManager, localeProvider);
try {
httpService.registerServlet("/changePassword", this, null, null);
} catch (NamespaceException | ServletException e) {
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/CreateAPITokenPageServlet.java b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/CreateAPITokenPageServlet.java
index 2575386cb..c87d4c3f5 100644
--- a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/CreateAPITokenPageServlet.java
+++ b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/CreateAPITokenPageServlet.java
@@ -21,10 +21,11 @@
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.openhab.core.auth.AuthenticationException;
+import org.openhab.core.auth.AuthenticationManager;
import org.openhab.core.auth.AuthenticationProvider;
-import org.openhab.core.auth.ManagedUser;
-import org.openhab.core.auth.User;
-import org.openhab.core.auth.UserRegistry;
+import org.openhab.core.auth.local.ManagedUser;
+import org.openhab.core.auth.local.User;
+import org.openhab.core.auth.local.UserRegistry;
import org.openhab.core.i18n.LocaleProvider;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
@@ -52,9 +53,9 @@ public class CreateAPITokenPageServlet extends AbstractAuthPageServlet {
@Activate
public CreateAPITokenPageServlet(BundleContext bundleContext, @Reference HttpService httpService,
- @Reference UserRegistry userRegistry, @Reference AuthenticationProvider authProvider,
+ @Reference UserRegistry userRegistry, @Reference AuthenticationManager authManager,
@Reference LocaleProvider localeProvider) {
- super(bundleContext, httpService, userRegistry, authProvider, localeProvider);
+ super(bundleContext, httpService, userRegistry, authManager, localeProvider);
try {
httpService.registerServlet("/createApiToken", this, null, null);
} catch (NamespaceException | ServletException e) {
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ServletRequestDelegate.java b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ServletRequestDelegate.java
new file mode 100644
index 000000000..a20b97794
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ServletRequestDelegate.java
@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) 2019-2020 Contributors to the OpenSmartHouse project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.http.auth.internal;
+
+import java.util.Arrays;
+import java.util.Optional;
+import javax.servlet.http.HttpServletRequest;
+import org.openhab.core.io.http.facade.Cookie;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
+
+/**
+ * Servlet request wrapper.
+ *
+ * @author Łukasz Dywicki - Initial contribution
+ */
+public class ServletRequestDelegate implements HttpRequestDelegate {
+
+ private final HttpServletRequest request;
+
+ public ServletRequestDelegate(HttpServletRequest request) {
+ this.request = request;
+ }
+
+ @Override
+ public Optional getHeader(String headerName) {
+ return Optional.ofNullable(request.getHeader(headerName));
+ }
+
+ @Override
+ public Optional getCookie(String cookieName) {
+ return Arrays.stream(request.getCookies()).filter(cookie -> cookieName.equals(cookie.getName()))
+ .map(cookie -> new Cookie(cookie.getName(), cookie.getValue()))
+ .findFirst();
+ }
+}
diff --git a/bundles/org.opensmarthouse.core.io.http.facade/NOTICE b/bundles/org.opensmarthouse.core.io.http.facade/NOTICE
new file mode 100755
index 000000000..bed08ed3f
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.facade/NOTICE
@@ -0,0 +1,13 @@
+This content is produced and maintained by the OpenSmartHouse project.
+
+* Project home: https://opensmarthouse.org
+
+== Declared Project Licenses
+
+This program and the accompanying materials are made available under the terms
+of the Eclipse Public License 2.0 which is available at
+https://www.eclipse.org/legal/epl-2.0/.
+
+== Source Code
+
+https://github.com/opensmarthouse/opensmarthouse-core
diff --git a/bundles/org.opensmarthouse.core.io.http.facade/pom.xml b/bundles/org.opensmarthouse.core.io.http.facade/pom.xml
new file mode 100755
index 000000000..04305d13e
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.facade/pom.xml
@@ -0,0 +1,17 @@
+
+
+
+ 4.0.0
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.reactor.bundles
+ 0.9.3-SNAPSHOT
+
+
+ org.opensmarthouse.core.io.http.facade
+
+ OpenSmartHouse Core | Bundles | IO HTTP Facade
+ Server side HTTP api facade
+
+
diff --git a/bundles/org.opensmarthouse.core.io.http.facade/src/main/java/org/openhab/core/io/http/facade/Cookie.java b/bundles/org.opensmarthouse.core.io.http.facade/src/main/java/org/openhab/core/io/http/facade/Cookie.java
new file mode 100644
index 000000000..1e684dc2e
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.facade/src/main/java/org/openhab/core/io/http/facade/Cookie.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (c) 2019-2020 Contributors to the OpenSmartHouse project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.http.facade;
+
+/**
+ * An unified (facade) version of http cookie.
+ *
+ * @author Łukasz Dywicki - Initial contribution.
+ */
+public class Cookie {
+
+ private final String name;
+ private final String value;
+
+ public Cookie(String name, String value) {
+ this.name = name;
+ this.value = value;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public String getValue() {
+ return value;
+ }
+
+}
diff --git a/bundles/org.opensmarthouse.core.io.http.facade/src/main/java/org/openhab/core/io/http/facade/HttpRequestDelegate.java b/bundles/org.opensmarthouse.core.io.http.facade/src/main/java/org/openhab/core/io/http/facade/HttpRequestDelegate.java
new file mode 100644
index 000000000..675042045
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.http.facade/src/main/java/org/openhab/core/io/http/facade/HttpRequestDelegate.java
@@ -0,0 +1,31 @@
+/**
+ * Copyright (c) 2019-2020 Contributors to the OpenSmartHouse project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.http.facade;
+
+import java.util.Optional;
+
+/**
+ * A thin abstraction layer over HTTP request to bridge servlet and JAX-RS api.
+ *
+ * @author Łukasz Dywicki - Initial contribution
+ */
+public interface HttpRequestDelegate {
+
+ Optional getHeader(String headerName);
+
+ default Optional getAuthorizationHeader() {
+ return getHeader("Authorization");
+ }
+
+ Optional getCookie(String cookieName);
+}
\ No newline at end of file
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth.local/pom.xml b/bundles/org.opensmarthouse.core.io.rest.auth.local/pom.xml
new file mode 100755
index 000000000..5c32d2d85
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/pom.xml
@@ -0,0 +1,52 @@
+
+
+
+ 4.0.0
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.reactor.bundles
+ 0.9.3-SNAPSHOT
+
+
+ org.opensmarthouse.core.io.rest.auth.local
+
+ OpenSmartHouse Core | Bundles | REST | Local (o)Auth 2 Server
+
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.config
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.cookie
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.auth.jwt
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.rest
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.rest.auth
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core
+
+
+
+ javax.annotation
+ javax.annotation-api
+
+
+ org.bitbucket.b_c
+ jose4j
+
+
+
+
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JwtHelper.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/JwtHelper.java
similarity index 90%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JwtHelper.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/JwtHelper.java
index 5212d063f..f9731cda0 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JwtHelper.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/JwtHelper.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
import java.io.BufferedReader;
import java.io.File;
@@ -39,7 +39,7 @@
import org.jose4j.lang.JoseException;
import org.openhab.core.auth.Authentication;
import org.openhab.core.auth.AuthenticationException;
-import org.openhab.core.auth.User;
+import org.openhab.core.auth.local.User;
import org.opensmarthouse.core.OpenSmartHouse;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
@@ -117,7 +117,9 @@ public String getJwtAccessToken(User user, String clientId, String scope, int to
jwtClaims.setClaim("client_id", clientId);
jwtClaims.setClaim("scope", scope);
jwtClaims.setStringListClaim("role",
- new ArrayList<>(user.getRoles() != null ? user.getRoles() : Collections.emptySet()));
+ new ArrayList<>(user.getRoles() != null ? user.getRoles() : Collections.emptySet()));
+ jwtClaims.setStringListClaim("permissions",
+ new ArrayList<>(user.getPermissions() != null ? user.getPermissions() : Collections.emptySet()));
JsonWebSignature jws = new JsonWebSignature();
jws.setPayload(jwtClaims.toJson());
@@ -149,10 +151,16 @@ public Authentication verifyAndParseJwtAccessToken(String jwt) throws Authentica
JwtClaims jwtClaims = jwtConsumer.processToClaims(jwt);
String username = jwtClaims.getSubject();
List roles = jwtClaims.getStringListClaimValue("role");
+ List permissions = jwtClaims.getStringListClaimValue("permissions");
String scope = jwtClaims.getStringClaimValue("scope");
- return new Authentication(username, roles.toArray(new String[roles.size()]), scope);
+ return new Authentication(username, toArray(roles), scope, toArray(permissions));
} catch (InvalidJwtException | MalformedClaimException e) {
throw new AuthenticationException("Error while processing JWT token", e);
}
}
+
+ protected String[] toArray(List entries) {
+ return entries.toArray(new String[entries.size()]);
+ }
+
}
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/LocalJwtAuthenticationProvider.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/LocalJwtAuthenticationProvider.java
new file mode 100644
index 000000000..c45d782f6
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/LocalJwtAuthenticationProvider.java
@@ -0,0 +1,54 @@
+/**
+ * Copyright (c) 2010-2020 Contributors to the openHAB project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.rest.auth.local.internal;
+
+import org.openhab.core.auth.Authentication;
+import org.openhab.core.auth.AuthenticationException;
+import org.openhab.core.auth.AuthenticationProvider;
+import org.openhab.core.auth.AuthenticationResult;
+import org.openhab.core.auth.Credentials;
+import org.openhab.core.auth.jwt.JWTCredentials;
+import org.openhab.core.auth.local.GenericUser;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+
+@Component
+public class LocalJwtAuthenticationProvider implements AuthenticationProvider {
+
+ private final JwtHelper jwtHelper;
+
+ @Activate
+ public LocalJwtAuthenticationProvider(@Reference JwtHelper jwtHelper) {
+ this.jwtHelper = jwtHelper;
+ }
+
+ @Override
+ public AuthenticationResult authenticate(Credentials credentials) throws AuthenticationException {
+ if (!(credentials instanceof JWTCredentials)) {
+ throw new IllegalArgumentException("Unsupported credentials");
+ }
+
+ String token = ((JWTCredentials) credentials).getToken();
+ Authentication authentication = jwtHelper.verifyAndParseJwtAccessToken(token);
+ return new AuthenticationResult(
+ new GenericUser(authentication.getUsername()), credentials.getScheme(), authentication
+ );
+ }
+
+ @Override
+ public boolean supports(Class type) {
+ return JWTCredentials.class.isAssignableFrom(type);
+ }
+
+}
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/SessionCookieAuthenticationProvider.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/SessionCookieAuthenticationProvider.java
new file mode 100644
index 000000000..8e214e268
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/SessionCookieAuthenticationProvider.java
@@ -0,0 +1,77 @@
+/**
+ * Copyright (c) 2019-2020 Contributors to the OpenSmartHouse project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.rest.auth.local.internal;
+
+import org.openhab.core.auth.Authentication;
+import org.openhab.core.auth.AuthenticationException;
+import org.openhab.core.auth.AuthenticationProvider;
+import org.openhab.core.auth.AuthenticationResult;
+import org.openhab.core.auth.Credentials;
+import org.openhab.core.auth.cookie.CookieCredentials;
+import org.openhab.core.auth.local.GenericUser;
+import org.openhab.core.auth.local.ManagedUser;
+import org.openhab.core.auth.local.User;
+import org.openhab.core.auth.local.UserRegistry;
+import org.openhab.core.auth.local.UserSession;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+
+/**
+ * An authentication provider which rely on session cookie and try bo bind it with one of existing users.
+ *
+ * This logic (possibly in similar shape) originally was located in JAXRS authentication filter.
+ * The advantage of this provider is possibility to use shared cookie authentication both for servlet
+ * and REST resources.
+ *
+ * @author Łukasz Dywicki - Initial contribution.
+ */
+@Component
+public class SessionCookieAuthenticationProvider implements AuthenticationProvider {
+
+ private final UserRegistry registry;
+
+ @Activate
+ public SessionCookieAuthenticationProvider(@Reference UserRegistry registry) {
+ this.registry = registry;
+ }
+
+ @Override
+ public AuthenticationResult authenticate(Credentials credentials) throws AuthenticationException {
+ if (!(credentials instanceof CookieCredentials)) {
+ throw new IllegalArgumentException("Unsupported credentials");
+ }
+
+ String session = ((CookieCredentials) credentials).getValue();
+ for (User user : registry.getAll()) {
+ if (user instanceof ManagedUser) {
+ ManagedUser managed = (ManagedUser) user;
+ for (UserSession userSession : managed.getSessions()) {
+ if (session.equals(userSession.getSessionId())) {
+ return new AuthenticationResult(new GenericUser(user.getName()), credentials.getScheme(),
+ new Authentication(user.getName(), user.getRoles(), null, user.getPermissions())
+ );
+ }
+ }
+ }
+ }
+
+ throw new AuthenticationException("Failed to authenticate cookie");
+ }
+
+ @Override
+ public boolean supports(Class type) {
+ return CookieCredentials.class.isAssignableFrom(type);
+ }
+
+}
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenEndpointException.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenEndpointException.java
similarity index 97%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenEndpointException.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenEndpointException.java
index 088cd8666..fdb256f5a 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenEndpointException.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenEndpointException.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.openhab.core.auth.AuthenticationException;
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResource.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResource.java
similarity index 97%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResource.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResource.java
index d5a557ef8..6d267463c 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResource.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResource.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
import java.net.URI;
import java.security.MessageDigest;
@@ -43,17 +43,17 @@
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.eclipse.jdt.annotation.Nullable;
import org.jose4j.base64url.Base64Url;
-import org.openhab.core.auth.ManagedUser;
-import org.openhab.core.auth.PendingToken;
-import org.openhab.core.auth.User;
-import org.openhab.core.auth.UserApiToken;
-import org.openhab.core.auth.UserRegistry;
-import org.openhab.core.auth.UserSession;
+import org.openhab.core.auth.local.ManagedUser;
+import org.openhab.core.auth.local.PendingToken;
+import org.openhab.core.auth.local.User;
+import org.openhab.core.auth.local.UserApiToken;
+import org.openhab.core.auth.local.UserRegistry;
+import org.openhab.core.auth.local.UserSession;
import org.openhab.core.io.rest.JSONResponse;
import org.openhab.core.io.rest.RESTConstants;
import org.openhab.core.io.rest.RESTResource;
import org.openhab.core.io.rest.Stream2JSONInputStream;
-import org.openhab.core.io.rest.auth.internal.TokenEndpointException.ErrorType;
+import org.openhab.core.io.rest.auth.local.internal.TokenEndpointException.ErrorType;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResponseDTO.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResponseDTO.java
similarity index 94%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResponseDTO.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResponseDTO.java
index 82d4fd718..40f1e261a 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResponseDTO.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResponseDTO.java
@@ -10,9 +10,9 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
-import org.openhab.core.auth.User;
+import org.openhab.core.auth.local.User;
/**
* A DTO object for a successful token endpoint response, as per RFC 6749, Section 5.1.
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResponseErrorDTO.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResponseErrorDTO.java
similarity index 94%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResponseErrorDTO.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResponseErrorDTO.java
index 263f607a4..530bdb23e 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResponseErrorDTO.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/TokenResponseErrorDTO.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
/**
* A DTO object for an unsuccessful token endpoint response, as per RFC 6749, Section 5.2.
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserApiTokenDTO.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserApiTokenDTO.java
similarity index 93%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserApiTokenDTO.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserApiTokenDTO.java
index 885391d1e..fcf15fb4b 100644
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserApiTokenDTO.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserApiTokenDTO.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
import java.util.Date;
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserDTO.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserDTO.java
similarity index 88%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserDTO.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserDTO.java
index b713e6c11..011823105 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserDTO.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserDTO.java
@@ -10,11 +10,11 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
import java.util.Collection;
-import org.openhab.core.auth.User;
+import org.openhab.core.auth.local.User;
/**
* A DTO representing a {@link User}.
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserSecurityContext.java
similarity index 59%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserSecurityContext.java
index 449718f86..13dfbe885 100644
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserSecurityContext.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
import java.security.Principal;
@@ -19,7 +19,8 @@
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.eclipse.jdt.annotation.Nullable;
import org.openhab.core.auth.Authentication;
-import org.openhab.core.auth.User;
+import org.openhab.core.auth.local.User;
+import org.openhab.core.io.rest.auth.AuthenticationSecurityContext;
/**
* This {@link SecurityContext} contains information about a user, roles and authorizations granted to a client
@@ -30,31 +31,39 @@
@NonNullByDefault
public class UserSecurityContext implements AuthenticationSecurityContext {
- private User user;
- private Authentication authentication;
- private String authenticationScheme;
+ private final Principal principal;
+ private final Authentication authentication;
+ private final String authenticationScheme;
+ private final boolean secure;
+
+ public UserSecurityContext(Principal principal, Authentication authentication,
+ String scheme) {
+ this(principal, authentication, scheme, false);
+ }
/**
- * Constructs a security context from an instance of {@link User}
+ * Constructs a security context from an instance of Principal.
*
- * @param user the user
- * @param the related {@link Authentication}
+ * @param principal the principal
+ * @param authentication the related {@link Authentication}
* @param authenticationScheme the scheme that was used to authenticate the user, e.g. "Basic"
+ * @param secure determine if request was done over secure channel - ie. HTTPs.
*/
- public UserSecurityContext(User user, Authentication authentication, String authenticationScheme) {
- this.user = user;
+ public UserSecurityContext(Principal principal, Authentication authentication, String authenticationScheme, boolean secure) {
this.authentication = authentication;
+ this.principal = principal;
this.authenticationScheme = authenticationScheme;
+ this.secure = secure;
}
@Override
public Principal getUserPrincipal() {
- return user;
+ return principal;
}
@Override
public boolean isUserInRole(@Nullable String role) {
- return user.getRoles().contains(role);
+ return authentication.getRoles().contains(role);
}
@Override
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSessionDTO.java b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserSessionDTO.java
similarity index 94%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSessionDTO.java
rename to bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserSessionDTO.java
index 07888c6ba..f0166c7c6 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSessionDTO.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth.local/src/main/java/org/openhab/core/io/rest/auth/local/internal/UserSessionDTO.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth.local.internal;
import java.util.Date;
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/pom.xml b/bundles/org.opensmarthouse.core.io.rest.auth/pom.xml
index 739011eda..a03f44ac8 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/pom.xml
+++ b/bundles/org.opensmarthouse.core.io.rest.auth/pom.xml
@@ -39,6 +39,17 @@
org.bitbucket.b_c
jose4j
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.http.facade
+ 0.9.3-SNAPSHOT
+ compile
+
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.auth
+ compile
+
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthenticationSecurityContext.java b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/AuthenticationSecurityContext.java
similarity index 89%
rename from bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthenticationSecurityContext.java
rename to bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/AuthenticationSecurityContext.java
index 28033bc76..e4b80aa70 100644
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthenticationSecurityContext.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/AuthenticationSecurityContext.java
@@ -10,7 +10,7 @@
*
* SPDX-License-Identifier: EPL-2.0
*/
-package org.openhab.core.io.rest.auth.internal;
+package org.openhab.core.io.rest.auth;
import javax.ws.rs.core.SecurityContext;
@@ -27,5 +27,5 @@ public interface AuthenticationSecurityContext extends SecurityContext {
*
* @return the authentication instance
*/
- public Authentication getAuthentication();
+ Authentication getAuthentication();
}
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/ApplicationSecurityContext.java b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/ApplicationSecurityContext.java
new file mode 100755
index 000000000..20474b938
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/ApplicationSecurityContext.java
@@ -0,0 +1,64 @@
+/**
+ * Copyright (c) 2010-2020 Contributors to the openHAB project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.rest.auth.internal;
+
+import java.security.Principal;
+import javax.ws.rs.core.SecurityContext;
+import org.eclipse.jdt.annotation.NonNullByDefault;
+import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.Authentication;
+import org.openhab.core.io.rest.auth.AuthenticationSecurityContext;
+
+@NonNullByDefault
+public class ApplicationSecurityContext implements AuthenticationSecurityContext {
+
+ private Authentication authentication;
+ private final boolean secure;
+ private final String scheme;
+
+ public ApplicationSecurityContext(Authentication authentication, boolean secure, String scheme) {
+ this.authentication = authentication;
+ this.secure = secure;
+ this.scheme = scheme;
+ }
+
+ @Override
+ public Principal getUserPrincipal() {
+ return new Principal() {
+ @Override
+ public String getName() {
+ return authentication.getUsername();
+ }
+ };
+ }
+
+ @Override
+ public boolean isUserInRole(@Nullable String role) {
+ return authentication.getRoles().contains(role);
+ }
+
+ @Override
+ public boolean isSecure() {
+ return secure;
+ }
+
+ @Override
+ public String getAuthenticationScheme() {
+ return scheme;
+ }
+
+ @Override
+ public Authentication getAuthentication() {
+ return authentication;
+ }
+}
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java
index b7d351b26..537bf9b4a 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java
@@ -13,34 +13,35 @@
package org.openhab.core.io.rest.auth.internal;
import java.io.IOException;
-import java.util.Base64;
+import java.util.List;
import java.util.Map;
-
+import java.util.Optional;
+import java.util.concurrent.CopyOnWriteArrayList;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
-import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
-
import org.eclipse.jdt.annotation.Nullable;
-import org.openhab.core.auth.Authentication;
import org.openhab.core.auth.AuthenticationException;
-import org.openhab.core.auth.User;
-import org.openhab.core.auth.UserApiTokenCredentials;
-import org.openhab.core.auth.UserRegistry;
-import org.openhab.core.auth.UsernamePasswordCredentials;
+import org.openhab.core.auth.AuthenticationManager;
+import org.openhab.core.auth.AuthenticationResult;
+import org.openhab.core.auth.Credentials;
import org.openhab.core.config.core.ConfigurableService;
-import org.openhab.core.io.rest.JSONResponse;
+import org.openhab.core.io.auth.CredentialsExtractor;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
import org.openhab.core.io.rest.RESTConstants;
import org.osgi.framework.Constants;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
+import org.osgi.service.component.annotations.ReferenceCardinality;
+import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants;
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsApplicationSelect;
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsExtension;
@@ -65,21 +66,15 @@
public class AuthFilter implements ContainerRequestFilter {
private final Logger logger = LoggerFactory.getLogger(AuthFilter.class);
- private static final String ALT_AUTH_HEADER = "X-OPENHAB-TOKEN";
- private static final String API_TOKEN_PREFIX = "oh.";
-
protected static final String CONFIG_URI = "system:restauth";
- private static final String CONFIG_ALLOW_BASIC_AUTH = "allowBasicAuth";
- private static final String CONFIG_IMPLICIT_USER_ROLE = "implicitUserRole";
- private boolean allowBasicAuth = false;
- private boolean implicitUserRole = true;
+ private boolean enabled = true;
@Reference
- private JwtHelper jwtHelper;
+ private AuthenticationManager authenticationManager;
+
+ private List> extractors = new CopyOnWriteArrayList<>();
- @Reference
- private UserRegistry userRegistry;
@Activate
protected void activate(Map config) {
@@ -88,91 +83,56 @@ protected void activate(Map config) {
@Modified
protected void modified(@Nullable Map properties) {
- if (properties != null) {
- Object value = properties.get(CONFIG_ALLOW_BASIC_AUTH);
- allowBasicAuth = value != null && "true".equals(value.toString());
- value = properties.get(CONFIG_IMPLICIT_USER_ROLE);
- implicitUserRole = value == null || !"false".equals(value.toString());
- }
- }
- private SecurityContext authenticateBearerToken(String token) throws AuthenticationException {
- if (token.startsWith(API_TOKEN_PREFIX)) {
- UserApiTokenCredentials credentials = new UserApiTokenCredentials(token);
- Authentication auth = userRegistry.authenticate(credentials);
- User user = userRegistry.get(auth.getUsername());
- if (user == null) {
- throw new AuthenticationException("User not found in registry");
- }
- return new UserSecurityContext(user, auth, "ApiToken");
- } else {
- Authentication auth = jwtHelper.verifyAndParseJwtAccessToken(token);
- return new JwtSecurityContext(auth);
- }
- }
-
- private SecurityContext authenticateUsernamePassword(String username, String password)
- throws AuthenticationException {
- UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(username, password);
- Authentication auth = userRegistry.authenticate(credentials);
- User user = userRegistry.get(auth.getUsername());
- if (user == null) {
- throw new AuthenticationException("User not found in registry");
- }
- return new UserSecurityContext(user, auth, "Basic");
}
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
- try {
- String altTokenHeader = requestContext.getHeaderString(ALT_AUTH_HEADER);
- if (altTokenHeader != null) {
- requestContext.setSecurityContext(authenticateBearerToken(altTokenHeader));
+ if (this.enabled) {
+ if (authenticationManager == null) {
+ Response response = Response.status(Status.UNAUTHORIZED).entity("Failed to authenticate request.").build();
+ requestContext.abortWith(response);
return;
}
- String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
- if (authHeader != null) {
- String[] authParts = authHeader.split(" ");
- if (authParts.length == 2) {
- if ("Bearer".equalsIgnoreCase(authParts[0])) {
- requestContext.setSecurityContext(authenticateBearerToken(authParts[1]));
+ int found = 0, failed = 0;
+ for (CredentialsExtractor extractor : extractors) {
+ Optional extracted = extractor.retrieveCredentials(new JaxRsRequestDelegate(requestContext));
+ if (extracted.isPresent()) {
+ found++;
+ Credentials credentials = extracted.get();
+ try {
+ AuthenticationResult authentication = authenticationManager.authenticate(credentials);
+ requestContext.setSecurityContext(new ApplicationSecurityContext(authentication.getAuthentication(), false, authentication.getScheme()));
return;
- } else if ("Basic".equalsIgnoreCase(authParts[0])) {
- try {
- String[] decodedCredentials = new String(Base64.getDecoder().decode(authParts[1]), "UTF-8")
- .split(":");
- if (decodedCredentials.length > 2) {
- throw new AuthenticationException("Invalid Basic authentication credential format");
- }
- switch (decodedCredentials.length) {
- case 1:
- requestContext.setSecurityContext(authenticateBearerToken(decodedCredentials[0]));
- break;
- case 2:
- if (!allowBasicAuth) {
- throw new AuthenticationException(
- "Basic authentication with username/password is not allowed");
- }
- requestContext.setSecurityContext(
- authenticateUsernamePassword(decodedCredentials[0], decodedCredentials[1]));
- }
-
- return;
- } catch (AuthenticationException e) {
- throw new AuthenticationException("Invalid Basic authentication credentials", e);
+ } catch (AuthenticationException e) {
+ failed++;
+ if (logger.isDebugEnabled()) {
+ logger.debug("Failed to authenticate using credentials {}", credentials, e);
+ } else {
+ logger.info("Failed to authenticate using credentials {}", credentials);
}
}
}
}
- if (implicitUserRole) {
+ if (true) {
requestContext.setSecurityContext(new AnonymousUserSecurityContext());
+ return;
}
- } catch (AuthenticationException e) {
- logger.warn("Unauthorized API request: {}", e.getMessage());
- requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid credentials"));
+ Response response = Response.status(Status.UNAUTHORIZED).entity("Could not authenticate request. Found " + found
+ + " credentials in request out of which " + failed + " were invalid").build();
+ requestContext.abortWith(response);
}
}
+
+ @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, target = "(context=org.openhab.core.io.http.facade.HttpRequestDelegate)")
+ public void addCredentialsExtractor(CredentialsExtractor extractor) {
+ this.extractors.add(extractor);
+ }
+
+ public void removeCredentialsExtractor(CredentialsExtractor extractor) {
+ this.extractors.remove(extractor);
+ }
}
\ No newline at end of file
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthzFilter.java b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthzFilter.java
new file mode 100644
index 000000000..d99422031
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthzFilter.java
@@ -0,0 +1,66 @@
+/**
+ * Copyright (c) 2010-2020 Contributors to the openHAB project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.rest.auth.internal;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import javax.annotation.Priority;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ContainerResponseContext;
+import javax.ws.rs.container.ContainerResponseFilter;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+import org.openhab.core.auth.MutableAuthenticationContextHolder;
+import org.openhab.core.io.rest.RESTConstants;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+import org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants;
+import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsApplicationSelect;
+import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsExtension;
+
+/**
+ * A propagation of security context through {@link org.openhab.core.auth.AuthenticationContextHolder}.
+ *
+ * @author Łukasz Dywicki - Initial contribution.
+ */
+@Component
+@JaxrsExtension
+@JaxrsApplicationSelect("(" + JaxrsWhiteboardConstants.JAX_RS_NAME + "=" + RESTConstants.JAX_RS_NAME + ")")
+@Priority(Priorities.AUTHORIZATION)
+@Provider
+public class AuthzFilter implements ContainerRequestFilter, ContainerResponseFilter {
+
+ private final MutableAuthenticationContextHolder authenticationContextHolder;
+
+ @Activate
+ public AuthzFilter(@Reference MutableAuthenticationContextHolder authenticationContextHolder) {
+ this.authenticationContextHolder = authenticationContextHolder;
+ }
+
+ @Override
+ public void filter(ContainerRequestContext requestContext) throws IOException {
+ SecurityContext securityContext = requestContext.getSecurityContext();
+ if (securityContext instanceof ApplicationSecurityContext) {
+ authenticationContextHolder.setAuthentication(((ApplicationSecurityContext) securityContext).getAuthentication());
+ }
+ }
+
+ @Override
+ public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
+ authenticationContextHolder.setAuthentication(null);
+ }
+
+}
\ No newline at end of file
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JaxRsRequestDelegate.java b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JaxRsRequestDelegate.java
new file mode 100644
index 000000000..6e1092fe8
--- /dev/null
+++ b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JaxRsRequestDelegate.java
@@ -0,0 +1,46 @@
+/**
+ * Copyright (c) 2019-2020 Contributors to the OpenSmartHouse project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.rest.auth.internal;
+
+import java.util.Optional;
+import javax.ws.rs.container.ContainerRequestContext;
+import org.openhab.core.io.http.facade.Cookie;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
+
+/**
+ * JAX-RS request wrapper.
+ *
+ * @author Łukasz Dywicki - Initial contribution
+ */
+public class JaxRsRequestDelegate implements HttpRequestDelegate {
+
+ private final ContainerRequestContext request;
+
+ public JaxRsRequestDelegate(ContainerRequestContext request) {
+ this.request = request;
+ }
+
+ @Override
+ public Optional getHeader(String headerName) {
+ return Optional.ofNullable(request.getHeaderString(headerName));
+ }
+
+ @Override
+ public Optional getCookie(String cookieName) {
+ if (request.getCookies().containsKey(cookieName)) {
+ javax.ws.rs.core.Cookie cookie = request.getCookies().get(cookieName);
+ return Optional.of(new Cookie(cookie.getName(), cookie.getValue()));
+ }
+ return Optional.empty();
+ }
+}
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JwtSecurityContext.java b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JwtSecurityContext.java
index ae47ec7ba..5e87692de 100755
--- a/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JwtSecurityContext.java
+++ b/bundles/org.opensmarthouse.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/JwtSecurityContext.java
@@ -19,7 +19,7 @@
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.eclipse.jdt.annotation.Nullable;
import org.openhab.core.auth.Authentication;
-import org.openhab.core.auth.GenericUser;
+import org.openhab.core.io.rest.auth.AuthenticationSecurityContext;
/**
* This {@link SecurityContext} contains information about a user, roles and authorizations granted to a client as
@@ -38,7 +38,12 @@ public JwtSecurityContext(Authentication authentication) {
@Override
public Principal getUserPrincipal() {
- return new GenericUser(authentication.getUsername());
+ return new Principal() {
+ @Override
+ public String getName() {
+ return authentication.getUsername();
+ }
+ };
}
@Override
diff --git a/bundles/org.opensmarthouse.core.io.rest.item/pom.xml b/bundles/org.opensmarthouse.core.io.rest.item/pom.xml
index 256265fa2..71fc17bf8 100755
--- a/bundles/org.opensmarthouse.core.io.rest.item/pom.xml
+++ b/bundles/org.opensmarthouse.core.io.rest.item/pom.xml
@@ -51,6 +51,10 @@
org.osgi
osgi.enroute.hamcrest.wrapper
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.rest.auth
+
diff --git a/bundles/org.opensmarthouse.core.io.rest.item/src/main/java/org/openhab/core/io/rest/core/internal/item/ItemResource.java b/bundles/org.opensmarthouse.core.io.rest.item/src/main/java/org/openhab/core/io/rest/core/internal/item/ItemResource.java
index 0c0b70e84..34b192e0b 100755
--- a/bundles/org.opensmarthouse.core.io.rest.item/src/main/java/org/openhab/core/io/rest/core/internal/item/ItemResource.java
+++ b/bundles/org.opensmarthouse.core.io.rest.item/src/main/java/org/openhab/core/io/rest/core/internal/item/ItemResource.java
@@ -47,8 +47,13 @@
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.Authentication;
+import org.openhab.core.auth.AuthenticationContextHolder;
+import org.openhab.core.auth.AuthorizationManager;
+import org.openhab.core.auth.Permissions;
import org.openhab.core.auth.Role;
import org.openhab.core.events.EventPublisher;
+import org.openhab.core.i18n.TranslationProvider;
import org.openhab.core.io.rest.DTOMapper;
import org.openhab.core.io.rest.JSONResponse;
import org.openhab.core.io.rest.LocaleService;
@@ -145,13 +150,21 @@ public class ItemResource implements RESTResource {
*/
private static void respectForwarded(final UriBuilder uriBuilder, final @Context HttpHeaders httpHeaders) {
Optional.ofNullable(httpHeaders.getHeaderString("X-Forwarded-Host")).ifPresent(host -> {
+ if (host.contains(",")) {
+ host = host.split(",")[0];
+ }
final String[] parts = host.split(":");
uriBuilder.host(parts[0]);
if (parts.length > 1) {
uriBuilder.port(Integer.parseInt(parts[1]));
}
});
- Optional.ofNullable(httpHeaders.getHeaderString("X-Forwarded-Proto")).ifPresent(uriBuilder::scheme);
+ Optional.ofNullable(httpHeaders.getHeaderString("X-Forwarded-Proto")).map(scheme -> {
+ if (scheme.contains(",")) {
+ return scheme.split(",")[0];
+ }
+ return scheme;
+ }).ifPresent(uriBuilder::scheme);
}
private final Logger logger = LoggerFactory.getLogger(ItemResource.class);
@@ -161,9 +174,12 @@ private static void respectForwarded(final UriBuilder uriBuilder, final @Context
private final ItemBuilderFactory itemBuilderFactory;
private final ItemRegistry itemRegistry;
private final LocaleService localeService;
+ private final TranslationProvider translationProvider;
private final ManagedItemProvider managedItemProvider;
private final MetadataRegistry metadataRegistry;
private final MetadataSelectorMatcher metadataSelectorMatcher;
+ private final AuthorizationManager authorizationManager;
+ private final AuthenticationContextHolder authenticationContextHolder;
@Activate
public ItemResource(//
@@ -172,17 +188,23 @@ public ItemResource(//
final @Reference ItemBuilderFactory itemBuilderFactory, //
final @Reference ItemRegistry itemRegistry, //
final @Reference LocaleService localeService, //
+ final @Reference TranslationProvider translationProvider, //
final @Reference ManagedItemProvider managedItemProvider,
final @Reference MetadataRegistry metadataRegistry,
- final @Reference MetadataSelectorMatcher metadataSelectorMatcher) {
+ final @Reference MetadataSelectorMatcher metadataSelectorMatcher,
+ final @Reference AuthorizationManager authorizationManager,
+ final @Reference AuthenticationContextHolder authenticationContextHolder) {
this.dtoMapper = dtoMapper;
this.eventPublisher = eventPublisher;
this.itemBuilderFactory = itemBuilderFactory;
this.itemRegistry = itemRegistry;
this.localeService = localeService;
+ this.translationProvider = translationProvider;
this.managedItemProvider = managedItemProvider;
this.metadataRegistry = metadataRegistry;
this.metadataSelectorMatcher = metadataSelectorMatcher;
+ this.authorizationManager = authorizationManager;
+ this.authenticationContextHolder = authenticationContextHolder;
}
private UriBuilder uriBuilder(final UriInfo uriInfo, final HttpHeaders httpHeaders) {
@@ -209,10 +231,13 @@ public Response getItems(final @Context UriInfo uriInfo, final @Context HttpHead
final UriBuilder uriBuilder = uriBuilder(uriInfo, httpHeaders);
uriBuilder.path("{itemName}");
+ final Authentication authentication = authenticationContextHolder.getAuthentication();
Stream itemStream = getItems(type, tags).stream() //
+ .filter(item -> authorizationManager.hasPermission(Permissions.READ, item, authentication))
.map(item -> EnrichedItemDTOMapper.map(item, recursive, null, uriBuilder, locale)) //
.peek(dto -> addMetadata(dto, namespaces, null)) //
- .peek(dto -> dto.editable = isEditable(dto.name));
+ .peek(dto -> dto.editable = isEditable(dto.name))
+ .peek(dto -> dto.label = translationProvider.getText(null, "item." + dto.name, dto.label, locale));
itemStream = dtoMapper.limitToFields(itemStream, fields);
return Response.ok(new Stream2JSONInputStream(itemStream)).build();
}
@@ -228,6 +253,11 @@ public Response getItemData(final @Context UriInfo uriInfo, final @Context HttpH
@HeaderParam(HttpHeaders.ACCEPT_LANGUAGE) @Parameter(description = "language") @Nullable String language,
@QueryParam("metadata") @Parameter(description = "metadata selector") @Nullable String namespaceSelector,
@PathParam("itemname") @Parameter(description = "item name") String itemname) {
+
+ if (!authorizationManager.hasPermission(Permissions.READ, itemname, Item.class, authenticationContextHolder.getAuthentication())) {
+ return Response.status(Status.UNAUTHORIZED).build();
+ }
+
final Locale locale = localeService.getLocale(language);
final Set namespaces = splitAndFilterNamespaces(namespaceSelector, locale);
@@ -239,6 +269,7 @@ public Response getItemData(final @Context UriInfo uriInfo, final @Context HttpH
EnrichedItemDTO dto = EnrichedItemDTOMapper.map(item, true, null, uriBuilder(uriInfo, httpHeaders), locale);
addMetadata(dto, namespaces, null);
dto.editable = isEditable(dto.name);
+ dto.label = translationProvider.getText(null, "item." + dto.name, dto.label, locale);
return JSONResponse.createResponse(Status.OK, dto, null);
} else {
return getItemNotFoundResponse(itemname);
@@ -262,6 +293,10 @@ private Set splitAndFilterNamespaces(@Nullable String namespaceSelector,
@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = String.class))),
@ApiResponse(responseCode = "404", description = "Item not found") })
public Response getPlainItemState(@PathParam("itemname") @Parameter(description = "item name") String itemname) {
+ if (!authorizationManager.hasPermission(Permissions.STATE, itemname, Item.class, authenticationContextHolder.getAuthentication())) {
+ return Response.status(Status.UNAUTHORIZED).build();
+ }
+
// get item
Item item = getItem(itemname);
@@ -287,6 +322,11 @@ public Response putItemState(
@HeaderParam(HttpHeaders.ACCEPT_LANGUAGE) @Parameter(description = "language") @Nullable String language,
@PathParam("itemname") @Parameter(description = "item name") String itemname,
@Parameter(description = "valid item state (e.g. ON, OFF)", required = true) String value) {
+
+ if (!authorizationManager.hasPermission(Permissions.STATE, itemname, Item.class, authenticationContextHolder.getAuthentication())) {
+ return Response.status(Status.UNAUTHORIZED).build();
+ }
+
final Locale locale = localeService.getLocale(language);
// get Item
@@ -321,6 +361,11 @@ public Response putItemState(
@ApiResponse(responseCode = "400", description = "Item command null") })
public Response postItemCommand(@PathParam("itemname") @Parameter(description = "item name") String itemname,
@Parameter(description = "valid item command (e.g. ON, OFF, UP, DOWN, REFRESH)", required = true) String value) {
+
+ if (!authorizationManager.hasPermission(Permissions.COMMAND, itemname, Item.class, authenticationContextHolder.getAuthentication())) {
+ return Response.status(Status.UNAUTHORIZED).build();
+ }
+
Item item = getItem(itemname);
Command command = null;
if (item != null) {
@@ -718,7 +763,7 @@ private JsonObject buildStatusObject(String itemName, String status, @Nullable S
/**
* helper: Response to be sent to client if a Thing cannot be found
*
- * @param thingUID
+ * @param itemname
* @return Response configured for 'item not found'
*/
private static Response getItemNotFoundResponse(String itemname) {
diff --git a/bundles/org.opensmarthouse.core.io.rest.persistence/pom.xml b/bundles/org.opensmarthouse.core.io.rest.persistence/pom.xml
index 6f18bd31f..9e7bc22f3 100755
--- a/bundles/org.opensmarthouse.core.io.rest.persistence/pom.xml
+++ b/bundles/org.opensmarthouse.core.io.rest.persistence/pom.xml
@@ -26,6 +26,10 @@
javax.annotation
javax.annotation-api
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.rest.auth
+
diff --git a/bundles/org.opensmarthouse.core.io.rest.persistence/src/main/java/org/openhab/core/io/rest/core/internal/persistence/PersistenceResource.java b/bundles/org.opensmarthouse.core.io.rest.persistence/src/main/java/org/openhab/core/io/rest/core/internal/persistence/PersistenceResource.java
index bb8b317e8..d50250e77 100755
--- a/bundles/org.opensmarthouse.core.io.rest.persistence/src/main/java/org/openhab/core/io/rest/core/internal/persistence/PersistenceResource.java
+++ b/bundles/org.opensmarthouse.core.io.rest.persistence/src/main/java/org/openhab/core/io/rest/core/internal/persistence/PersistenceResource.java
@@ -20,6 +20,8 @@
import java.util.List;
import java.util.Locale;
+import java.util.Set;
+import java.util.function.BiFunction;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
@@ -37,6 +39,11 @@
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.Authentication;
+import org.openhab.core.auth.AuthenticationContextHolder;
+import org.openhab.core.auth.AuthorizationManager;
+import org.openhab.core.auth.AuthorizationManagerFilters;
+import org.openhab.core.auth.Permissions;
import org.openhab.core.auth.Role;
import org.openhab.core.i18n.TimeZoneProvider;
import org.openhab.core.io.rest.JSONResponse;
@@ -53,6 +60,7 @@
import org.openhab.core.persistence.FilterCriteria.Ordering;
import org.openhab.core.persistence.HistoricItem;
import org.openhab.core.persistence.ModifiablePersistenceService;
+import org.openhab.core.persistence.PersistenceItemInfo;
import org.openhab.core.persistence.PersistenceService;
import org.openhab.core.persistence.PersistenceServiceRegistry;
import org.openhab.core.persistence.QueryablePersistenceService;
@@ -115,17 +123,23 @@ public class PersistenceResource implements RESTResource {
private final LocaleService localeService;
private final PersistenceServiceRegistry persistenceServiceRegistry;
private final TimeZoneProvider timeZoneProvider;
+ private final AuthorizationManager authorizationManager;
+ private final AuthenticationContextHolder authenticationContextHolder;
@Activate
public PersistenceResource( //
final @Reference ItemRegistry itemRegistry, //
final @Reference LocaleService localeService,
final @Reference PersistenceServiceRegistry persistenceServiceRegistry,
- final @Reference TimeZoneProvider timeZoneProvider) {
+ final @Reference TimeZoneProvider timeZoneProvider,
+ final @Reference AuthorizationManager authorizationManager,
+ final @Reference AuthenticationContextHolder authenticationContextHolder) {
this.itemRegistry = itemRegistry;
this.localeService = localeService;
this.persistenceServiceRegistry = persistenceServiceRegistry;
this.timeZoneProvider = timeZoneProvider;
+ this.authorizationManager = authorizationManager;
+ this.authenticationContextHolder = authenticationContextHolder;
}
@GET
@@ -172,6 +186,10 @@ public Response httpGetPersistenceItemData(@Context HttpHeaders headers,
@Parameter(description = "Page number of data to return. This parameter will enable paging.") @QueryParam("page") int pageNumber,
@Parameter(description = "The length of each page.") @QueryParam("pagelength") int pageLength,
@Parameter(description = "Gets one value before and after the requested period.") @QueryParam("boundary") boolean boundary) {
+
+ if (!authorizationManager.hasPermission(Permissions.READ, itemName, Item.class, authenticationContextHolder.getAuthentication())) {
+ return Response.status(Status.UNAUTHORIZED).build();
+ }
return getItemHistoryDTO(serviceId, itemName, startTime, endTime, pageNumber, pageLength, boundary);
}
@@ -184,6 +202,7 @@ public Response httpGetPersistenceItemData(@Context HttpHeaders headers,
@ApiResponse(responseCode = "200", description = "OK", content = @Content(array = @ArraySchema(schema = @Schema(implementation = String.class)))),
@ApiResponse(responseCode = "400", description = "Invalid filter parameters"),
@ApiResponse(responseCode = "404", description = "Unknown persistence service") })
+
public Response httpDeletePersistenceServiceItem(@Context HttpHeaders headers,
@Parameter(description = "Id of the persistence service.", required = true) @QueryParam("serviceId") String serviceId,
@Parameter(description = "The item name.") @PathParam("itemname") String itemName,
@@ -361,7 +380,7 @@ private Response getItemHistoryDTO(@Nullable String serviceId, String itemName,
/**
* Gets a list of persistence services currently configured in the system
*
- * @return list of persistence services as {@link ServiceBean}
+ * @return list of persistence services as {@link PersistenceServiceDTO}
*/
private List getPersistenceServiceList(Locale locale) {
List dtoList = new ArrayList<>();
@@ -407,7 +426,9 @@ private Response getServiceItemList(@Nullable String serviceId) {
QueryablePersistenceService qService = (QueryablePersistenceService) service;
- return JSONResponse.createResponse(Status.OK, qService.getItemInfo(), "");
+ Set itemInfo = AuthorizationManagerFilters.filter(authenticationContextHolder.getAuthentication(),
+ new AuthorizationCheck(authorizationManager), qService.getItemInfo());
+ return JSONResponse.createResponse(Status.OK, itemInfo, "");
}
private Response deletePersistenceItemData(@Nullable String serviceId, String itemName, @Nullable String timeBegin,
@@ -508,4 +529,18 @@ private Response putItemState(@Nullable String serviceId, String itemName, Strin
mService.store(item, Date.from(dateTime.toInstant()), state);
return Response.status(Status.OK).build();
}
+
+ static class AuthorizationCheck implements BiFunction {
+
+ private final AuthorizationManager authorizationManager;
+
+ AuthorizationCheck(AuthorizationManager authorizationManager) {
+ this.authorizationManager = authorizationManager;
+ }
+
+ @Override
+ public Boolean apply(Authentication auth, PersistenceItemInfo info) {
+ return authorizationManager.hasPermission(Permissions.READ, info.getName(), Item.class, auth);
+ }
+ }
}
\ No newline at end of file
diff --git a/bundles/org.opensmarthouse.core.io.rest.sse/pom.xml b/bundles/org.opensmarthouse.core.io.rest.sse/pom.xml
index f0eaa224d..0d7a498ea 100755
--- a/bundles/org.opensmarthouse.core.io.rest.sse/pom.xml
+++ b/bundles/org.opensmarthouse.core.io.rest.sse/pom.xml
@@ -44,6 +44,10 @@
junit
junit
+
+ org.opensmarthouse.core.bundles
+ org.opensmarthouse.core.io.rest.auth
+
diff --git a/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/SseResource.java b/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/SseResource.java
index 6aee746e9..bc177108a 100755
--- a/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/SseResource.java
+++ b/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/SseResource.java
@@ -12,16 +12,20 @@
*/
package org.openhab.core.io.rest.sse;
+import static org.openhab.core.io.rest.sse.internal.SseSinkItemInfo.canAccessItem;
import static org.openhab.core.io.rest.sse.internal.SseSinkItemInfo.hasConnectionId;
import static org.openhab.core.io.rest.sse.internal.SseSinkItemInfo.tracksItem;
+import static org.openhab.core.io.rest.sse.internal.SseSinkTopicInfo.hasItemAccess;
import static org.openhab.core.io.rest.sse.internal.SseSinkTopicInfo.matchesTopic;
import java.io.IOException;
+import java.util.LinkedHashSet;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
+import java.util.function.Predicate;
import javax.annotation.security.RolesAllowed;
import javax.inject.Singleton;
import javax.servlet.http.HttpServletResponse;
@@ -36,22 +40,31 @@
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
+import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.sse.OutboundSseEvent;
import javax.ws.rs.sse.Sse;
import javax.ws.rs.sse.SseEventSink;
import org.eclipse.jdt.annotation.NonNullByDefault;
+import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.Authentication;
+import org.openhab.core.auth.AuthenticationContextHolder;
+import org.openhab.core.auth.AuthorizationManager;
+import org.openhab.core.auth.Permissions;
import org.openhab.core.auth.Role;
import org.openhab.core.events.Event;
import org.openhab.core.io.rest.RESTConstants;
import org.openhab.core.io.rest.RESTResource;
import org.openhab.core.io.rest.SseBroadcaster;
+import org.openhab.core.io.rest.auth.AuthenticationSecurityContext;
import org.openhab.core.io.rest.sse.internal.SseItemStatesEventBuilder;
import org.openhab.core.io.rest.sse.internal.SsePublisher;
import org.openhab.core.io.rest.sse.internal.SseSinkItemInfo;
import org.openhab.core.io.rest.sse.internal.SseSinkTopicInfo;
import org.openhab.core.io.rest.sse.internal.dto.EventDTO;
import org.openhab.core.io.rest.sse.internal.util.SseUtil;
+import org.openhab.core.items.Item;
+import org.openhab.core.items.events.ItemEvent;
import org.openhab.core.items.events.ItemStateChangedEvent;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
@@ -104,11 +117,16 @@ public class SseResource implements RESTResource, SsePublisher {
private final SseBroadcaster itemStatesBroadcaster = new SseBroadcaster<>();
private final SseItemStatesEventBuilder itemStatesEventBuilder;
private final SseBroadcaster topicBroadcaster = new SseBroadcaster<>();
+ private final AuthorizationManager authorizationManager;
+ private final AuthenticationContextHolder authenticationContextHolder;
private ExecutorService executorService;
@Activate
- public SseResource(@Reference SseItemStatesEventBuilder itemStatesEventBuilder) {
+ public SseResource(@Reference SseItemStatesEventBuilder itemStatesEventBuilder, @Reference
+ AuthorizationManager authorizationManager, @Reference AuthenticationContextHolder authenticationContextHolder) {
+ this.authorizationManager = authorizationManager;
+ this.authenticationContextHolder = authenticationContextHolder;
this.executorService = Executors.newSingleThreadExecutor();
this.itemStatesEventBuilder = itemStatesEventBuilder;
}
@@ -156,14 +174,14 @@ private void addCommonResponseHeaders(final HttpServletResponse response) {
@Operation(operationId = "getEvents", summary = "Get all events.", responses = {
@ApiResponse(responseCode = "200", description = "OK"),
@ApiResponse(responseCode = "400", description = "Topic is empty or contains invalid characters") })
- public void listen(@Context final SseEventSink sseEventSink, @Context final HttpServletResponse response,
+ public void listen(@Context final SseEventSink sseEventSink, @Context final HttpServletResponse response, @Context SecurityContext securityContext,
@QueryParam("topics") @Parameter(description = "topics") String eventFilter) {
if (!SseUtil.isValidTopicFilter(eventFilter)) {
response.setStatus(Status.BAD_REQUEST.getStatusCode());
return;
}
- topicBroadcaster.add(sseEventSink, new SseSinkTopicInfo(eventFilter));
+ topicBroadcaster.add(sseEventSink, new SseSinkTopicInfo(eventFilter, retrieveAuthentication(securityContext)));
addCommonResponseHeaders(response);
}
@@ -172,7 +190,13 @@ private void handleEventBroadcastTopic(Event event) {
final EventDTO eventDTO = SseUtil.buildDTO(event);
final OutboundSseEvent sseEvent = SseUtil.buildEvent(sse.newEventBuilder(), eventDTO);
- topicBroadcaster.sendIf(sseEvent, matchesTopic(eventDTO.topic));
+ Predicate predicate = (sink) -> true;
+ if (event instanceof ItemEvent) {
+ String item = ((ItemEvent) event).getItemName();
+ predicate = hasItemAccess(authorizationManager, item);
+ }
+
+ topicBroadcaster.sendIf(sseEvent, matchesTopic(eventDTO.topic).and(predicate));
}
/**
@@ -186,8 +210,8 @@ private void handleEventBroadcastTopic(Event event) {
@Produces(MediaType.SERVER_SENT_EVENTS)
@Operation(operationId = "initNewStateTacker", summary = "Initiates a new item state tracker connection", responses = {
@ApiResponse(responseCode = "200", description = "OK") })
- public void getStateEvents(@Context final SseEventSink sseEventSink, @Context final HttpServletResponse response) {
- final SseSinkItemInfo sinkItemInfo = new SseSinkItemInfo();
+ public void getStateEvents(@Context final SseEventSink sseEventSink, @Context final HttpServletResponse response, @Context SecurityContext securityContext) {
+ final SseSinkItemInfo sinkItemInfo = new SseSinkItemInfo(retrieveAuthentication(securityContext));
itemStatesBroadcaster.add(sseEventSink, sinkItemInfo);
addCommonResponseHeaders(response);
@@ -208,7 +232,7 @@ public void getStateEvents(@Context final SseEventSink sseEventSink, @Context fi
@Operation(operationId = "updateItemListForStateUpdates", summary = "Changes the list of items a SSE connection will receive state updates to.", responses = {
@ApiResponse(responseCode = "200", description = "OK"),
@ApiResponse(responseCode = "404", description = "Unknown connectionId") })
- public Object updateTrackedItems(@PathParam("connectionId") String connectionId,
+ public Object updateTrackedItems(@PathParam("connectionId") String connectionId, @Context SecurityContext securityContext,
@Parameter(description = "items") Set itemNames) {
Optional itemStateInfo = itemStatesBroadcaster.getInfoIf(hasConnectionId(connectionId))
.findFirst();
@@ -216,9 +240,17 @@ public Object updateTrackedItems(@PathParam("connectionId") String connectionId,
return Response.status(Status.NOT_FOUND).build();
}
+ Set subscribedItemNames = new LinkedHashSet<>();
+ @Nullable Authentication authentication = retrieveAuthentication(securityContext);
+ for (String item : itemNames) {
+ if (authorizationManager.hasPermission(Permissions.READ, item, Item.class, authentication)) {
+ subscribedItemNames.add(item);
+ }
+ }
+
itemStateInfo.get().updateTrackedItems(itemNames);
- OutboundSseEvent itemStateEvent = itemStatesEventBuilder.buildEvent(sse.newEventBuilder(), itemNames);
+ OutboundSseEvent itemStateEvent = itemStatesEventBuilder.buildEvent(sse.newEventBuilder(), subscribedItemNames);
if (itemStateEvent != null) {
itemStatesBroadcaster.sendIf(itemStateEvent, hasConnectionId(connectionId));
}
@@ -233,7 +265,9 @@ public Object updateTrackedItems(@PathParam("connectionId") String connectionId,
*/
public void handleEventBroadcastItemState(final ItemStateChangedEvent stateChangeEvent) {
String itemName = stateChangeEvent.getItemName();
- boolean isTracked = itemStatesBroadcaster.getInfoIf(info -> true).anyMatch(tracksItem(itemName));
+ boolean isTracked = itemStatesBroadcaster.getInfoIf(info -> true).anyMatch(tracksItem(itemName)
+ .and(canAccessItem(authorizationManager, itemName))
+ );
if (isTracked) {
OutboundSseEvent event = itemStatesEventBuilder.buildEvent(sse.newEventBuilder(), Set.of(itemName));
if (event != null) {
@@ -241,4 +275,20 @@ public void handleEventBroadcastItemState(final ItemStateChangedEvent stateChang
}
}
}
+
+ /**
+ * The security context propagated through ThreadLocal is sometimes lost hence use of this
+ * helper method which allows attaching of security context managed by request container itself.
+ *
+ * @param securityContext Request security context.
+ * @return Authentication or null if it cannot be found.
+ */
+ @Nullable
+ private Authentication retrieveAuthentication(SecurityContext securityContext) {
+ return Optional.ofNullable(securityContext)
+ .filter(AuthenticationSecurityContext.class::isInstance)
+ .map(AuthenticationSecurityContext.class::cast)
+ .map(AuthenticationSecurityContext::getAuthentication)
+ .orElse(authenticationContextHolder.getAuthentication());
+ }
}
\ No newline at end of file
diff --git a/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/internal/SseSinkItemInfo.java b/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/internal/SseSinkItemInfo.java
index 560b4d263..aa315cc7c 100644
--- a/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/internal/SseSinkItemInfo.java
+++ b/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/internal/SseSinkItemInfo.java
@@ -18,6 +18,11 @@
import java.util.function.Predicate;
import org.eclipse.jdt.annotation.NonNullByDefault;
+import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.Authentication;
+import org.openhab.core.auth.AuthorizationManager;
+import org.openhab.core.auth.Permissions;
+import org.openhab.core.items.Item;
/**
* The specific information we need to hold for a SSE sink which tracks item state updates.
@@ -29,6 +34,11 @@ public class SseSinkItemInfo {
private final String connectionId = UUID.randomUUID().toString();
private final Set trackedItems = new CopyOnWriteArraySet<>();
+ private final @Nullable Authentication authentication;
+
+ public SseSinkItemInfo(@Nullable Authentication authentication) {
+ this.authentication = authentication;
+ }
/**
* Gets the connection identifier of this {@link SseSinkItemInfo}
@@ -56,4 +66,13 @@ public static Predicate hasConnectionId(String connectionId) {
public static Predicate tracksItem(String itemName) {
return info -> info.trackedItems.contains(itemName);
}
+
+ public static Predicate canAccessItem(AuthorizationManager manager, String itemName) {
+ return info -> {
+ if (info.authentication == null) {
+ return false;
+ }
+ return manager.hasPermission(Permissions.READ, itemName, Item.class, info.authentication);
+ };
+ }
}
diff --git a/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/internal/SseSinkTopicInfo.java b/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/internal/SseSinkTopicInfo.java
index 1d11be620..2f11deae9 100644
--- a/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/internal/SseSinkTopicInfo.java
+++ b/bundles/org.opensmarthouse.core.io.rest.sse/src/main/java/org/openhab/core/io/rest/sse/internal/SseSinkTopicInfo.java
@@ -16,7 +16,12 @@
import java.util.function.Predicate;
import org.eclipse.jdt.annotation.NonNullByDefault;
+import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.Authentication;
+import org.openhab.core.auth.AuthorizationManager;
+import org.openhab.core.auth.Permissions;
import org.openhab.core.io.rest.sse.internal.util.SseUtil;
+import org.openhab.core.items.Item;
/**
* The specific information we need to hold for a SSE sink which subscribes to event topics.
@@ -27,12 +32,23 @@
public class SseSinkTopicInfo {
private final List regexFilters;
+ private final @Nullable Authentication authentication;
- public SseSinkTopicInfo(String topicFilter) {
+ public SseSinkTopicInfo(String topicFilter, @Nullable Authentication authentication) {
this.regexFilters = SseUtil.convertToRegex(topicFilter);
+ this.authentication = authentication;
}
public static Predicate matchesTopic(final String topic) {
return info -> info.regexFilters.stream().anyMatch(topic::matches);
}
+
+ public static Predicate hasItemAccess(final AuthorizationManager manager, final String item) {
+ return info -> {
+ if (info.authentication == null) {
+ return false;
+ }
+ return manager.hasPermission(Permissions.READ, item, Item.class, info.authentication);
+ };
+ }
}
\ No newline at end of file
diff --git a/bundles/org.opensmarthouse.core.io.rest/src/main/java/org/openhab/core/io/rest/Stream2JSONInputStream.java b/bundles/org.opensmarthouse.core.io.rest/src/main/java/org/openhab/core/io/rest/Stream2JSONInputStream.java
index 50f9b6fca..09594bed8 100755
--- a/bundles/org.opensmarthouse.core.io.rest/src/main/java/org/openhab/core/io/rest/Stream2JSONInputStream.java
+++ b/bundles/org.opensmarthouse.core.io.rest/src/main/java/org/openhab/core/io/rest/Stream2JSONInputStream.java
@@ -17,6 +17,7 @@
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
+import java.util.function.Predicate;
import java.util.stream.Stream;
import org.openhab.core.library.types.DateTimeType;
@@ -41,6 +42,7 @@ public class Stream2JSONInputStream extends InputStream implements JSONInputStre
private boolean firstIteratorElement;
private final Gson gson = new GsonBuilder().setDateFormat(DateTimeType.DATE_PATTERN_WITH_TZ_AND_MS).create();
+ private Predicate