Add cache for Basic Authentication (#2101)

Also-by: Sebastian Gerber <github@sgerber.de>
Signed-off-by: Kai Kreuzer <kai@openhab.org>
spacemanspiff2007 2021-03-30 22:55:26 +02:00 committed by GitHub
parent 6568dc1478
commit 4964b51160
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 233 additions and 39 deletions


@ -13,8 +13,13 @@
package org.openhab.core.io.rest.auth.internal;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.util.Base64;
import java.util.Map;
import java.util.Random;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
@ -26,6 +31,7 @@ import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.eclipse.jdt.annotation.Nullable;
import org.openhab.core.auth.Authentication;
import org.openhab.core.auth.AuthenticationException;
@ -33,12 +39,14 @@ import org.openhab.core.auth.User;
import org.openhab.core.auth.UserApiTokenCredentials;
import org.openhab.core.auth.UserRegistry;
import org.openhab.core.auth.UsernamePasswordCredentials;
import org.openhab.core.common.registry.RegistryChangeListener;
import org.openhab.core.config.core.ConfigurableService;
import org.openhab.core.io.rest.JSONResponse;
import org.openhab.core.io.rest.RESTConstants;
import org.osgi.framework.Constants;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants;
@ -54,6 +62,8 @@ import org.slf4j.LoggerFactory;
* @author Yannick Schaus - initial contribution
* @author Yannick Schaus - Allow basic authentication
* @author Yannick Schaus - Add support for API tokens
* @author Sebastian Gerber - Add basic auth caching
* @author Kai Kreuzer - Add null annotations, constructor initialization
*/
@PreMatching
@Component(configurationPid = "org.openhab.restauth", property = Constants.SERVICE_PID + "=org.openhab.restauth")
@ -62,6 +72,7 @@ import org.slf4j.LoggerFactory;
@JaxrsApplicationSelect("(" + JaxrsWhiteboardConstants.JAX_RS_NAME + "=" + RESTConstants.JAX_RS_NAME + ")")
@Priority(Priorities.AUTHENTICATION)
@Provider
@NonNullByDefault
public class AuthFilter implements ContainerRequestFilter {
private final Logger logger = LoggerFactory.getLogger(AuthFilter.class);
@ -71,19 +82,49 @@ public class AuthFilter implements ContainerRequestFilter {
protected static final String CONFIG_URI = "system:restauth";
private static final String CONFIG_ALLOW_BASIC_AUTH = "allowBasicAuth";
private static final String CONFIG_IMPLICIT_USER_ROLE = "implicitUserRole";
private static final String CONFIG_CACHE_EXPIRATION = "cacheExpiration";
private boolean allowBasicAuth = false;
private boolean implicitUserRole = true;
private Long cacheExpiration = 6L;
@Reference
private JwtHelper jwtHelper;
private ExpiringUserSecurityContextCache authCache = new ExpiringUserSecurityContextCache(
Duration.ofHours(cacheExpiration).toMillis());
@Reference
private UserRegistry userRegistry;
private final byte[] RANDOM_BYTES = new byte[32];
private final JwtHelper jwtHelper;
private final UserRegistry userRegistry;
private RegistryChangeListener<User> userRegistryListener = new RegistryChangeListener<User>() {
@Override
public void added(User element) {
return;
}
@Override
public void removed(User element) {
authCache.clear();
}
@Override
public void updated(User oldElement, User element) {
authCache.clear();
}
};
@Activate
public AuthFilter(@Reference JwtHelper jwtHelper, @Reference UserRegistry userRegistry) {
this.jwtHelper = jwtHelper;
this.userRegistry = userRegistry;
new Random().nextBytes(RANDOM_BYTES);
}
@Activate
protected void activate(Map<String, Object> config) {
modified(config);
userRegistry.addRegistryChangeListener(userRegistryListener);
}
@Modified
@ -93,6 +134,37 @@ public class AuthFilter implements ContainerRequestFilter {
allowBasicAuth = value != null && "true".equals(value.toString());
value = properties.get(CONFIG_IMPLICIT_USER_ROLE);
implicitUserRole = value == null || !"false".equals(value.toString());
value = properties.get(CONFIG_CACHE_EXPIRATION);
if (value != null) {
try {
cacheExpiration = Long.valueOf(value.toString());
} catch (NumberFormatException e) {
logger.warn("Ignoring invalid configuration value '{}' for cacheExpiration parameter.", value);
}
}
authCache.clear();
}
}
@Deactivate
protected void deactivate() {
userRegistry.removeRegistryChangeListener(userRegistryListener);
}
private @Nullable String getCacheKey(String credentials) {
if (cacheExpiration == 0) {
// caching is disabled
return null;
}
try {
final MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(RANDOM_BYTES);
return new String(md.digest(credentials.getBytes()));
} catch (NoSuchAlgorithmException e) {
// SHA-256 is available for all java distributions so this code will actually never run
// If it does we'll just flood the cache with random values
logger.warn("SHA-256 is not available. Cache for basic auth disabled!");
return null;
}
}
@ -111,36 +183,59 @@ public class AuthFilter implements ContainerRequestFilter {
}
}
private SecurityContext authenticateUsernamePassword(String username, String password)
throws AuthenticationException {
UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(username, password);
private SecurityContext authenticateBasicAuth(String credentialString) throws AuthenticationException {
final String cacheKey = getCacheKey(credentialString);
if (cacheKey != null) {
final UserSecurityContext cachedValue = authCache.get(cacheKey);
if (cachedValue != null) {
return cachedValue;
}
}
String[] decodedCredentials = new String(Base64.getDecoder().decode(credentialString), StandardCharsets.UTF_8)
.split(":");
if (decodedCredentials.length != 2) {
throw new AuthenticationException("Invalid Basic authentication credential format");
}
UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(decodedCredentials[0],
decodedCredentials[1]);
Authentication auth = userRegistry.authenticate(credentials);
User user = userRegistry.get(auth.getUsername());
if (user == null) {
throw new AuthenticationException("User not found in registry");
}
return new UserSecurityContext(user, auth, "Basic");
UserSecurityContext context = new UserSecurityContext(user, auth, "Basic");
if (cacheKey != null) {
authCache.put(cacheKey, context);
}
return context;
}
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
try {
String altTokenHeader = requestContext.getHeaderString(ALT_AUTH_HEADER);
if (altTokenHeader != null) {
requestContext.setSecurityContext(authenticateBearerToken(altTokenHeader));
return;
}
public void filter(@Nullable ContainerRequestContext requestContext) throws IOException {
if (requestContext != null) {
try {
String altTokenHeader = requestContext.getHeaderString(ALT_AUTH_HEADER);
if (altTokenHeader != null) {
requestContext.setSecurityContext(authenticateBearerToken(altTokenHeader));
return;
}
String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
if (authHeader != null) {
String[] authParts = authHeader.split(" ");
if (authParts.length == 2) {
if ("Bearer".equalsIgnoreCase(authParts[0])) {
requestContext.setSecurityContext(authenticateBearerToken(authParts[1]));
return;
} else if ("Basic".equalsIgnoreCase(authParts[0])) {
try {
String[] decodedCredentials = new String(Base64.getDecoder().decode(authParts[1]), "UTF-8")
String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
if (authHeader != null) {
String[] authParts = authHeader.split(" ");
if (authParts.length == 2) {
String authType = authParts[0];
String authValue = authParts[1];
if ("Bearer".equalsIgnoreCase(authType)) {
requestContext.setSecurityContext(authenticateBearerToken(authValue));
return;
} else if ("Basic".equalsIgnoreCase(authType)) {
String[] decodedCredentials = new String(Base64.getDecoder().decode(authValue), "UTF-8")
.split(":");
if (decodedCredentials.length > 2) {
throw new AuthenticationException("Invalid Basic authentication credential format");
@ -154,25 +249,17 @@ public class AuthFilter implements ContainerRequestFilter {
throw new AuthenticationException(
"Basic authentication with username/password is not allowed");
}
requestContext.setSecurityContext(
authenticateUsernamePassword(decodedCredentials[0], decodedCredentials[1]));
requestContext.setSecurityContext(authenticateBasicAuth(authValue));
}
return;
} catch (AuthenticationException e) {
throw new AuthenticationException("Invalid Basic authentication credentials", e);
}
}
} else if (implicitUserRole) {
requestContext.setSecurityContext(new AnonymousUserSecurityContext());
}
} catch (AuthenticationException e) {
logger.warn("Unauthorized API request: {}", e.getMessage());
requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid credentials"));
}
if (implicitUserRole) {
requestContext.setSecurityContext(new AnonymousUserSecurityContext());
}
} catch (AuthenticationException e) {
logger.warn("Unauthorized API request: {}", e.getMessage());
requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid credentials"));
}
}
}
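Review bot: In `getCacheKey`, `new String(md.digest(credentials.getBytes()))` turns raw SHA-256 bytes into a String through the platform charset, which is lossy: bytes that are not valid in that charset collapse to the replacement character, so different digests can yield the same key, and that key selects a cached `UserSecurityContext`. Encode the digest instead, for example `return Base64.getEncoder().encodeToString(md.digest(credentials.getBytes(StandardCharsets.UTF_8)));`, using classes the file already imports. The salt is filled by `new Random().nextBytes(RANDOM_BYTES)` in the constructor; `java.security.SecureRandom` is the appropriate source for a value that keys a hash of credentials. Also, the visible part of `modified` stores the new `cacheExpiration` and clears the cache but never rebuilds `authCache`, which was created at field initialisation with the 6-hour default, so a configured value other than 0 appears to have no effect; the method's signature lies outside the hunk.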


@ -0,0 +1,95 @@
/**
* Copyright (c) 2010-2021 Contributors to the openHAB project
*
* See the NOTICE file(s) distributed with this work for additional
* information.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.openhab.core.io.rest.auth.internal;
import java.util.LinkedHashMap;
import java.util.Map;
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.eclipse.jdt.annotation.Nullable;
/**
* This class provides a cache for up to 10 UserSecurityContexts.
* Entries have a lifetime and are removed from the cache upon the next
* get call.
*
* @author Kai Kreuzer - Initial contribution
*
*/
@NonNullByDefault
public class ExpiringUserSecurityContextCache {
final static private int MAX_SIZE = 10;
final static private int CLEANUP_FREQUENCY = 10;
final private long keepPeriod;
final private Map<String, Entry> entryMap;
private int calls = 0;
ExpiringUserSecurityContextCache(long expirationTime) {
this.keepPeriod = expirationTime;
entryMap = new LinkedHashMap<>() {
private static final long serialVersionUID = -1220310861591070462L;
protected boolean removeEldestEntry(Map.@Nullable Entry<String, Entry> eldest) {
return size() > MAX_SIZE;
}
};
}
synchronized @Nullable UserSecurityContext get(String key) {
calls++;
if (calls >= CLEANUP_FREQUENCY) {
entryMap.keySet().forEach(k -> getEntry(k));
calls = 0;
}
Entry entry = getEntry(key);
if (entry != null) {
return entry.value;
}
return null;
}
synchronized void put(String key, UserSecurityContext value) {
entryMap.put(key, new Entry(System.currentTimeMillis(), value));
}
synchronized void clear() {
entryMap.clear();
}
private @Nullable Entry getEntry(String key) {
Entry entry = entryMap.get(key);
if (entry != null) {
final long curTimeMillis = System.currentTimeMillis();
long entryAge = curTimeMillis - entry.timestamp;
if (entryAge < 0 || entryAge >= keepPeriod) {
entryMap.remove(key);
entry = null;
} else {
entry.timestamp = curTimeMillis;
}
}
return entry;
}
static class Entry {
public long timestamp;
final public UserSecurityContext value;
Entry(long timestamp, UserSecurityContext value) {
this.timestamp = timestamp;
this.value = value;
}
}
}
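Review bot: The periodic cleanup in `get`, `entryMap.keySet().forEach(k -> getEntry(k))`, lets `getEntry` call `entryMap.remove(key)` while the key set is being iterated, so the first pass that meets an expired entry ends in a `ConcurrentModificationException`. That unchecked exception leaves `get` and reaches the auth filter instead of being treated as a cache miss. The same pass also executes `entry.timestamp = curTimeMillis` for every live entry, so each tenth lookup renews all cached contexts and an entry can outlive the configured period for as long as any Basic-auth traffic arrives. A cleanup that only evicts avoids both: `final long now = System.currentTimeMillis();` followed by `entryMap.values().removeIf(e -> now - e.timestamp < 0 || now - e.timestamp >= keepPeriod);`. If renewing the timestamp on a direct hit is intended, the class Javadoc should say that the lifetime is sliding rather than fixed.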


@ -11,6 +11,18 @@
<description>Allow the use of Basic authentication to access protected API resources, in addition to access tokens
and API tokens.</description>
</parameter>
<parameter name="cacheExpiration" type="integer" min="0">
<advanced>true</advanced>
<label>Cache Expiration Time</label>
<default>6</default>
<unitLabel>h</unitLabel>
<description>When basic authentication is activated, credentials are put in a cache in order to speed up request
authorization.
The entries in the cache expire after a while in order to not keep credentials in memory indefinitely.
This value defines the expiration time in hours.
Set it to 0 for disabling the cache.
</description>
</parameter>
<parameter name="implicitUserRole" type="boolean" required="false">
<advanced>true</advanced>
<label>Implicit user role for unauthenticated requests</label>