In addition, command->registers tests have been once made more
readable, covering all the corner cases with integers.
Signed-off-by: Sami Salonen <ssalonen@gmail.com>
use full filename without extension as uid for rules provided by DSL files
fix bug where rule filenames with common prefix and "." resulted in same uid
Signed-off-by: Leon Kiefer <leon.k97@gmx.de>
This contains an update to the messages for the login,
change password, create API token pages from Crowdin
in ISO-8859 format.
Contains a completed German translation update, and
the following new completed languages:
- Czech
- Finnish
- Hungarian
- Portuguese (Brazil)
- Swedish
- Ukrainian
Dutch, French, Italian are unchanged from RC1.
Signed-off-by: Yannick Schaus <github@schaus.net>
The "summary" mode for `/rest/things` introduced in https://github.com/openhab/openhab-core/pull/1827
leads to these warnings in the console:
```
Field 'firmwareStatus' could not be eliminated: Can not set final org.openhab.core.thing.firmware.dto.FirmwareStatusDTO field org.openhab.core.io.rest.core.thing.EnrichedThingDTO.firmwareStatus to null value
```
The easiest solution to remove those warnings is to add it again to the list of fields included in the summaries.
Signed-off-by: Yannick Schaus <github@schaus.net>
This is the PR with the messages.properties files in
Dutch, German (partial) and Italian extracted from
#1929 and converted to the proper ISO-8859 encoding.
Signed-off-by: Yannick Schaus <github@schaus.net>
This implements localized messages for the authorize, change
password and create API token pages using a resource bundle.
Messages in English & French are included.
Signed-off-by: Yannick Schaus <github@schaus.net>
Related to #1791
Also-by: Christoph Weitkamp <github@christophweitkamp.de>
Also-by: Mark <m.stroeve@appsoftware.nl>
Signed-off-by: Laurent Garnier <lg.hc@free.fr>
I can't think of a good reason why listing things or querying their status should be allowed for users.
The things layer should only be of concern to admins IMHO.
As noted here: https://community.openhab.org/t/oh3-will-list-all-your-things-even-if-you-are-not-logged-in/108006/3
passwords and other sensible information in configuration could end up being exposed without auth required.
Signed-off-by: Yannick Schaus <github@schaus.net>
Remove the groupname from the members if the group item is removed.
This is implemented in the ManagedItemProvider.
Fixes #1785
Fixes #1392
Signed-off-by: Simon Lamon <simonlamon93@hotmail.com>
The /things, /rules, /ui/components endpoints retrieve all objects
in their entirety, which can become very big, i.e. channels, config
parameters, script rule modules or trees of UI components can
quickly add up to the size.
When the UI simply displays a list of those objects it retrieves all
this extra information but does nothing with it.
This introduces an optional ?summary=true query parameter for the
above resources to limit the output to pre-defined fields which are
deemed most relevant for displaying these lists, omitting the rest.
When the option is not set, the behavior remains unchanged so this
change is not API breaking. The API version has therefore not been
incremented. The client is responsible for adding the option to
retrieve summarized collections instead of the entire objects.
Signed-off-by: Yannick Schaus <github@schaus.net>
This should fix the issue reported here:
https://community.openhab.org/t/openhab-3-0-milestone-2-discussion/107564/8
where the Nashorn script engine would be created with the
current thread's class loader, causing JS code like this:
```
var Log = Java.type("org.openhab.core.model.script.actions.Log");
Log.logError("Experiments", "This is an OH error log");
Log.logWarn("Experiments", "This is an OH warn log");
Log.logInfo("Experiments", "This is an OH info log");
Log.logDebug("Experiments", "This is an OH debug log");
```
to run fine when the rule was triggered but fail to find the Log
class when run from the REST API's `/rest/rules/{ruleUID}/runnow`,
because in that case the generic createScriptEngine implementation
would return script engines using the JAX-RS class loader as the
"app" class loader.
Note:
We also have an opportunity to restrict which classes are exposed
to the script with a ClassFilter to a specific set:
https://docs.oracle.com/javase/8/docs/jdk/api/nashorn/jdk/nashorn/api/scripting/NashornScriptEngineFactory.html#getScriptEngine-java.lang.String:A-java.lang.ClassLoader-jdk.nashorn.api.scripting.ClassFilter-
This could prove useful to mitigate code execution vulnerabilities,
as the script code is modifiable remotely.
Signed-off-by: Yannick Schaus <github@schaus.net>
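The `ClassFilter` restriction suggested in the note above could look like the following. This is an added example, not code from openHAB or from the commit; the `AllowlistFilter` class, the `tryEval` helper and the second allowlist entry are assumptions, and it needs a JDK that still ships Nashorn (8 to 14).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class ScriptClassAllowlist {

    // Hypothetical allowlist filter: only exact class names in the set are
    // visible to script code; everything else is hidden from Java.type().
    static final class AllowlistFilter implements ClassFilter {
        private final Set<String> allowed;

        AllowlistFilter(String... names) {
            this.allowed = new HashSet<>(Arrays.asList(names));
        }

        @Override
        public boolean exposeToScripts(String className) {
            return allowed.contains(className);
        }
    }

    // Evaluates a script and reports whether the engine ran it or refused it.
    static String tryEval(ScriptEngine engine, String script) {
        try {
            return "ok: " + engine.eval(script);
        } catch (Exception e) {
            // A filtered class surfaces as an exception wrapping ClassNotFoundException.
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ClassFilter filter = new AllowlistFilter(
                "org.openhab.core.model.script.actions.Log", // the class used by the script above
                "java.util.ArrayList");                      // constructed entry for this demo

        // Same factory method the commit message links to: engine arguments,
        // an explicit "app" class loader, and the class filter.
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine(
                new String[0], ScriptClassAllowlist.class.getClassLoader(), filter);

        // Allowlisted class: resolves and runs.
        System.out.println(tryEval(engine,
                "var L = Java.type('java.util.ArrayList'); new L().size()"));

        // Not on the allowlist: the lookup fails before any method can be called.
        System.out.println(tryEval(engine, "Java.type('java.lang.Runtime')"));
    }
}
```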
Some MQTT servers can be quirky, they do not handle Unsubscribe requests properly.
In this case we have to omit sending it. Introduce a boolean flag, telling
whether the request should be sent or not, and add a public function to set it.
iRobot built-in MQTT server is known to suffer from this problem.
Signed-off-by: Pavel Fedin <pavel_fedin@mail.ru>
These workarounds to prevent false positives can be removed now the EEAs allow for proper null analysis.
Signed-off-by: Wouter Born <github@maindrain.net>
* Added unit test for read-only Number- and String-Items to not return a Selection Element
* Improved usage of 'lastIndexOf'
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
This adds API tokens as a new credential type. Their format is:
`oh.<name>.<random chars>`
The "oh." prefix is used to tell them apart from a JWT access token,
because they're both used as a Bearer authorization scheme, but there
is no semantic value attached to any of the other parts.
They are stored hashed in the user's profile, and can be listed, added
or removed managed with the new `openhab:users` console command.
Currently the scopes are still not checked, but ultimately they could
be, for instance a scope of e.g. `user admin.items` would mean that the
API token can be used to perform user operations like retrieving info
or sending a command, _and_ managing the items, but nothing else -
even if the user has more permissions because of their role (which
will of course still be checked).
Tokens are normally passed in the Authorization header with the Bearer
scheme, or the X-OPENHAB-TOKEN header, like access tokens.
As a special exception, API tokens can also be used with the Basic
authorization scheme, **even if the allowBasicAuth** option is not
enabled in the "API Security" service, because there's no additional
security risk in allowing that. In that case, the token should be
passed as the username and the password MUST be empty.
In short, this means that all these curl commands will work:
- `curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox`
- `curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox`
- `curl -u '<token>[:]' http://localhost:8080/rest/inbox`
- `curl http://<token>@localhost:8080/rest/inbox`
2 REST API operations were added to the AuthResource, to allow
authenticated users to list their tokens or remove (revoke) one.
Self-service for creating a token or changing the password is more
sensitive so these should be handled with a servlet and pages devoid
of any JavaScript instead of REST API calls, therefore for now they'll
have to be done with the console.
This also fixes regressions introduced with #1713 - the operations
annotated with @RolesAllowed({ Role.USER }) only were not authorized
for administrators anymore.
* Generate a unique salt for each token
Reusing the password salt is bad practice, and changing the
password changes the salt as well which makes all tokens
invalid.
Put the salt in the same field as the hash (concatenated
with a separator) to avoid modifying the JSON DB schema.
* Fix API token authentication, make scope available to security context
The X-OPENHAB-TOKEN header now has priority over the Authorization
header to credentials, if both are set.
* Add self-service pages to change password & create new API token
Signed-off-by: Yannick Schaus <github@schaus.net>
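The credential handling described in the commit above (the `oh.` prefix, header priority, the Basic exception with an empty password, and a per-token salt stored next to the hash) can be sketched as follows. This is an added example, not openHAB's implementation; the class and method names, the `:` separator and the salted SHA-256 hash are assumptions, since the message names neither the separator nor the algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

public class ApiTokenSketch {
    enum Kind { API_TOKEN, JWT, BASIC_PASSWORD, NONE }

    static final class Credential {
        final Kind kind;
        final String value;
        Credential(Kind kind, String value) { this.kind = kind; this.value = value; }
    }

    static final String PREFIX = "oh.";   // from the commit message
    static final String SEPARATOR = ":";  // assumption: never occurs in Base64 output

    // The prefix is the only thing that tells an API token from a JWT access token.
    static Credential classify(String bearer) {
        return new Credential(bearer.startsWith(PREFIX) ? Kind.API_TOKEN : Kind.JWT, bearer);
    }

    // X-OPENHAB-TOKEN has priority over Authorization when both are set.
    // Header names are looked up exactly as written in the sample maps below.
    static Credential extract(Map<String, String> headers) {
        String alt = headers.get("X-OPENHAB-TOKEN");
        if (alt != null && !alt.isEmpty()) return classify(alt);
        String auth = headers.get("Authorization");
        String[] parts = auth == null ? new String[0] : auth.trim().split("\\s+", 2);
        if (parts.length != 2) return new Credential(Kind.NONE, null);
        if (parts[0].equalsIgnoreCase("Bearer")) return classify(parts[1]);
        if (!parts[0].equalsIgnoreCase("Basic")) return new Credential(Kind.NONE, null);
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return new Credential(Kind.NONE, null); // malformed Base64
        }
        int colon = decoded.indexOf(':');
        String user = colon < 0 ? decoded : decoded.substring(0, colon);
        String pass = colon < 0 ? "" : decoded.substring(colon + 1);
        // Token as username with an EMPTY password is accepted regardless of allowBasicAuth.
        if (user.startsWith(PREFIX) && pass.isEmpty()) return new Credential(Kind.API_TOKEN, user);
        return new Credential(Kind.BASIC_PASSWORD, user); // caller must still check allowBasicAuth
    }

    static byte[] hash(String token, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256"); // assumed algorithm
            md.update(salt);
            return md.digest(token.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Fresh salt per token, kept in the same field as the hash: "<hash>:<salt>".
    static String store(String token) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(hash(token, salt)) + SEPARATOR + enc.encodeToString(salt);
    }

    static boolean matches(String token, String stored) {
        String[] p = stored.split(SEPARATOR, 2);
        if (p.length != 2) return false;
        byte[] expected = Base64.getDecoder().decode(p[0]);
        byte[] salt = Base64.getDecoder().decode(p[1]);
        return MessageDigest.isEqual(expected, hash(token, salt)); // constant-time compare
    }

    public static void main(String[] args) {
        String token = "oh.demo.CONSTRUCTEDSAMPLEVALUE"; // constructed sample token
        String stored = store(token);
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString((token + ":").getBytes(StandardCharsets.UTF_8));
        Credential c = extract(Map.of("Authorization", basic));
        System.out.println(c.kind + " verified=" + matches(c.value, stored));
        Credential both = extract(Map.of("X-OPENHAB-TOKEN", token,
                "Authorization", "Bearer eyJ.constructed.jwt"));
        System.out.println(both.kind + " (X-OPENHAB-TOKEN took priority)");
        System.out.println("wrong token verified=" + matches("oh.demo.other", stored));
    }
}
```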
* Add rule UID to error message
* Add exception with stacktrace when debug level is enabled
Related to #1734
Signed-off-by: Wouter Born <github@maindrain.net>
(I included these fixes in #1735 but extracted them in a standalone
PR because it's easier to review and a little more urgent.)
As a result of the refactoring in #1713, the operations annotated with
`@RolesAllowed` containing `Role.USER` are not anymore automatically
considered accessible to all users, regardless of their actual roles.
4 operations are therefore now denied to admins if they only have the
`Role.ADMIN` role, as the first administrator is created only with
that role the UI encounters unexpected access denied errors and breaks.
(See https://github.com/openhab/openhab-webui/issues/422).
Closes https://github.com/openhab/openhab-webui/issues/422.
Signed-off-by: Yannick Schaus <github@schaus.net>
* Allow basic authentication to authorize API access
Closes #1699.
Note, this opens a minor security issue that allows an attacker
to brute force passwords by making calls to the API - contrary to
the authorization page, the credentials parsing for the REST API
is stateless & doesn't have a lock mechanism to lock user accounts
after too many failed login attempts.
Signed-off-by: Yannick Schaus <github@schaus.net>
Xtext uses a cache for looking up classes when rules are run.
It also adds a null class value to this cache when a class is not found.
Once a value has entered the cache it will not be updated.
This causes the cache to return the wrong class (or the null value) when
calling static methods on ActionService and ThingActions classes that
were added/updated.
With the changes in this PR Xtext will be configured to use a custom cache
that updates the ActionService and ThingActions class references.
The PR also has a fix for the AnnotatedThingActionModuleTypeProvider not
properly sending ModuleType removed events when all ThingActions
registrations have been removed.
Fixes #1265
Fixes #1694
Signed-off-by: Wouter Born <github@maindrain.net>
When one of the engines is unset the ScriptModuleTypeProvider clears all parameter options instead of only those that apply to that engine.
This fixes the Nashorn engine missing from the parameter options on the first openHAB startup.
Signed-off-by: Wouter Born <github@maindrain.net>
Catch specific exceptions and don't log errors but instead add an appropriate message and preserve the stacktrace.
Signed-off-by: Wouter Born <github@maindrain.net>
* Prevent IllegalStateException when closing SSE sink
* Simplify code and log exceptions on debug
There seem to be no issues anymore with the exception handling when SSE clients disconnect so simplify the exception handling.
Suppressing exceptions based on error message is also likely to break when new exceptions are added or messages change.
There are also still exceptions that get logged with "failure" but from which the code seems to recover without any issues.
Fixes #1499
Signed-off-by: Wouter Born <github@maindrain.net>
Since there are no more action add-ons in the distribution, I'd suggest to remove these from the `KarafAddonService` so they won't appear in the UI menus.
Signed-off-by: Yannick Schaus <github@schaus.net>
* Fixes bugs (vulnerabilities/performance issues)
* Supports OSGi better
* Prevents illegal reflective access warnings on newer Java versions
* Supports java.time converters
For XStream release notes see: https://x-stream.github.io/changes.html
The XmlDocumentReader which uses XStream has also been modified to configure XStream security to prevent "Security framework of XStream not initialized, XStream is probably vulnerable" warnings.
Signed-off-by: Wouter Born <github@maindrain.net>
Upgrades to:
* Xtext 2.23.0
* Xtend 2.23.0
* LSP 0.9.0
For Xtext release notes see: https://www.eclipse.org/Xtext/releasenotes.html#/releasenotes/2020/09/01/version-2-23-0
The Xtext dependencies are now managed using their BOM which makes it easier to keep them in sync.
Because Xtext depends on a newer ASM version some runtime dependencies were also upgraded:
* ASM 8.0.1
* Pax Web 7.2.15
* XBean 4.17.0
Signed-off-by: Wouter Born <github@maindrain.net>
* Filter empty i18n config parameter options
There are many locales that do not have a country resulting in these empty parameter options.
Related to #1662
Signed-off-by: Wouter Born <github@maindrain.net>
* Add listener to SseBroadcaster so sseEventSinkRemoved events are handled
* Use Instant instead of long for tracking subscription creation times
* Run cleanup every 2 minutes instead of every 5 minutes
Fixes #1674
Signed-off-by: Wouter Born <github@maindrain.net>
This removes the remaining deprecated MQTT transport code which was not part of #1668.
Related to #1408
Signed-off-by: Wouter Born <github@maindrain.net>
The handleUpdate method was deprecated when profiles were introduced (see eclipse-archived/smarthome#4108).
Instead the "follow profile" can be used which forwards item updates as commands to handlers.
This profile works with any binding instead of only those that implement the handleUpdate method.
Related to #1408
Signed-off-by: Wouter Born <github@maindrain.net>
* Fix item channel links not properly initialized
* Add ChannelLinkNotifierOSGiTest
* Send at most one channelLinked event per linked thing channel when activating ChannelLinkNotifier
* Send channelUnlinked event only if all items are unlinked
* Use Registry stream instead of getAll
Fixes #1596
Signed-off-by: Wouter Born <github@maindrain.net>
Removes:
* ConfigOptionProvider.getParameterOptions(URI, String, Locale) (see also #1541)
* DiscoveryListener.removeOlderResults(DiscoveryService, long, Collection<ThingTypeUID>)
Related to #1408
Signed-off-by: Wouter Born <github@maindrain.net>
The path is incorrect because a bug was introduced in #1650.
This results in the MapTransformationServiceTest failing so it was disabled in openhab/openhab-addons#8519.
Signed-off-by: Wouter Born <github@maindrain.net>
The rules are often not instantiated within 5 seconds.
On a Raspberry Pi 3B it can take 12 seconds before rules are instantiated.
The code has also been improved with proper null annotations.
Related to #1637
Signed-off-by: Wouter Born <github@maindrain.net>
Also added "org.eclipse.jdt.annotation" to the test BOM so we can use "org.eclipse.jdt.annotation.Checks" in itests.
That class has many useful methods that help with writing more readable test code when using the Eclipse JDT null analysis annotations.
After running the resolver on the itests a lot of bundles were removed from the itest.bndrun files.
Signed-off-by: Wouter Born <github@maindrain.net>
Currently the AuthFilter will try to find a token in the
X-OPENHAB-TOKEN HTTP header - only when it finds a cookie
named X-OPENHAB-AUTH-HEADER. It can cause problems because
browsers or proxies might block the cookie from being sent
for various reasons (for instance if there's a path set
for it).
There is no downside IMHO to always try to fallback to
checking the X-OPENHAB-TOKEN header for a token, if and
only if it's not already provided in the Authorization
header. It is the responsibility of the client to decide
how it wants to authorize the request among the available
options - by checking a cookie, or something else entirely.
Also removed the '?api_key=' option because Swagger UI
doesn't provide tokens that way anymore.
Signed-off-by: Yannick Schaus <github@schaus.net>
The ResponseBuilder's "encoding()" function sets the http header "Content-Encoding", which is used to compress the media type and not to specify the character encoding.
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
* Use Streams for filtering, mapping and checking predicates
* Add exception to warnings/errors when debug logging is enabled
* Use final featuresService field so method arguments can be removed
Fixes #1486
Signed-off-by: Wouter Born <github@maindrain.net>
The changes in #1614 caused null analysis errors in CommunicationManager.createCallback and caused unnecessary null check warnings in ProfileCallbackImpl.
Signed-off-by: Wouter Born <github@maindrain.net>
Closes https://github.com/openhab/openhab-webui/issues/309.
This only honors the scheme as reported by the `prefers-color-scheme` CSS media feature, i.e. local overrides for the main UI are not taken into account.
Tweak submit button styles to mimic the main UI's desktop theme.
Signed-off-by: Yannick Schaus <github@schaus.net>
* Migrates all tests to the JUnit 5 Jupiter API
* Updates bnd to 5.1.2
* Updates maven-surefire-plugin to 3.0.0-M5
* Updates Mockito to 3.4.6
* Updates Hamcrest to 2.2
* Removes org.openhab.core.boot POM dependencies
Signed-off-by: Wouter Born <github@maindrain.net>
This adds basic information about the runtime in the response
to the root `/rest` API resource, mostly for display purposes
by UIs: the version, build string and the location of the
configuration and user data folders.
Signed-off-by: Yannick Schaus <github@schaus.net>
The getAll() method in the ConfigDescriptionResource does not have a nickname set in its ApiOperation annotation.
Swagger uses the method name (getAll) as default operationId which is not unique.
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
In order to change to a valid type since the documentation suggests "Valid values are "List", "Set" or "Map". Any other value will be ignored.".
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
In order to change to a valid type since the documentation suggests "Valid values are "List", "Set" or "Map". Any other value will be ignored.".
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
Replaces the way an array is declared with the way "preferred for java", because the [] is part of the TYPE and not the NAME.
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
In order to change to a valid type since the documentation suggests "Valid values are "List", "Set" or "Map". Any other value will be ignored.".
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
* Fix for handling inverted cron ranges
This fix adds support for inverted cron ranges. For example SUN-WEN.
It also works with all ranges and also with additional increments.
Closes #1516
Signed-off-by: Hilbrand Bouwkamp <hilbrand@h72.nl>
It is easier to use the ConfigurableService properties when it's possible to annotate classes using a ComponentPropertyType.
Signed-off-by: Wouter Born <github@maindrain.net>
* Migrate to JAX-RS Whiteboard
* Upgrade Jackson and Swagger TP feature dependencies
The upstream JAX-RS Whiteboard feature is not used because the version ranges currently do not work with Karaf on Windows.
See: https://issues.apache.org/jira/browse/KARAF-6536
* Update Felix logback to 1.0.2
This version adds the jul-to-slf4j bridge (FELIX-6027).
JUL is used by CXF and using the bridge we can use logback to reduce the verbosity of the info logging whenever org.apache.cxf.endpoint.ServerImpl creates endpoints.
* Update Aries Whiteboard to 1.0.8
* Removes the hated default web application (ARIES-1931)
* Improves performance
* Uses CXF 3.2.12
* Don't reuse SSE event builders
SSE event builders are not thread-safe.
It also causes the wrong default values being used.
Also-by: Markus Rathgeb <maggu2810@gmail.com>
Signed-off-by: Wouter Born <github@maindrain.net>
* Improve SerialPortManager.getIdentifiers() JavaDoc
The current JavaDocs do not clearly state that it does not always return all identifiers.
E.g. it will not return any RFC2217 identifiers or undiscovered RXTX port identifiers.
So it should not be used to search for an identifier when the serial port name is known.
This method is useful for listing available port options in UIs and logging.
Signed-off-by: Wouter Born <github@maindrain.net>
The first version of nrjavaserial with OSGi manifest entries is 3.12.0.
The interface has not changed and is still the same with nrjavaserial 5.x.
So using 3.12.0 as compile time dependency and defining a [3.12,6) version range using bnd.bnd files allows for maximum flexibility.
Signed-off-by: Wouter Born <github@maindrain.net>
Previously, the state values were compared only if the item state was instanceof DecimalType
which did not work for channels that had a dimension specifier, such as Type:Length. The itemState
instance was of type QuantityType<Quantity<BigDecimal>> and therefore was never compared in the rules
Signed-off-by: Sebastian Irimia <aisebastian@yahoo.com>
* Remove deprecated `TrustManagerProvider`
It was deprecated since the introduction of the `ExtensibleTrustManager` (https://github.com/eclipse/smarthome/pull/6281).
Related to #1408
Signed-off-by: Wouter Born <github@maindrain.net>
* Add and fix more null annotations
* Add more @NonNullByDefault and @Nullable annotations
* Remove unnecessary @NonNull annotations
* Fix a few other trivial SAT issues
* Add constructor injection for MDNSDiscoveryService
Signed-off-by: Wouter Born <github@maindrain.net>
* Clarify return values for implementation
* Dynamic state/command provider should not return original description
* Added ERROR log message
* Added integration test for CommandDescriptionProvider
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
* Added API for ScriptEngineFactory implementations to pull presets
Existing API only allows engine factory implementors to request presets are pushed into existing scopes, rather than returning them directly, so that they can be bound into module or library systems. This change allows implementors to capture the presets requested (and potentially ignore any pushed), and therefore expose them via idiomatic import mechanisms for the language being implemented
Signed-off-by: Jonathan Gilbert <jpg@trillica.com>
For ESH it made sense to use this but nowadays these UIs are no longer part of openhab-core and the demo app used for development is in openhab-distro.
Furthermore it provides links to UIs that are no longer part of OH3, uses ESH logos and the new Default UI is also using / so it throws exceptions.
See: https://github.com/openhab/openhab-distro/pull/1084#issuecomment-596226652
Signed-off-by: Wouter Born <github@maindrain.net>
* removed ThingLinkManager and with it the auto-linking feature and "Simple Mode"
Signed-off-by: Kai Kreuzer <kai@openhab.org>
* removed feature from REST API as well
Signed-off-by: Kai Kreuzer <kai@openhab.org>
* removed tests
Signed-off-by: Kai Kreuzer <kai@openhab.org>
* fixed default service pid and removed esh traces in service configuration
* fixed default service.cfg location
Signed-off-by: Kai Kreuzer <kai@openhab.org>
This fixes a NPE which occurs when a ItemStateChangedEvent
is broadcasted by the ItemStatesSseBroadcaster while some
SseStateEventOutputs haven't initialized their list of
tracked items.
Signed-off-by: Yannick Schaus <github@schaus.net>
* Metadata-based state & command description providers
Implements #1185.
These providers will look into item metadata, which
can be managed by UIs with the API, to set or override
the item's state description (pattern, options, read
only...) or command description.
Signed-off-by: Yannick Schaus <github@schaus.net>
* UI component registries initial implementation
This is an initial implementation of #1355.
It was simple enough to make to be proposed as
a PR already without waiting for remarks on the RFC.
The SitemapProvider for the `system:sitemap`
namespace as described in #1355 is not part of
this PR.
Signed-off-by: Yannick Schaus <github@schaus.net>
* Fix bug in ChannelDTOMapper
* Add AutoUpdatePolicy to ChannelDTO
Also-by: Christoph Weitkamp <github@christophweitkamp.de>
Signed-off-by: Simon Lamon <simonlamon93@hotmail.com>
When a thing is enabled, the `ThingManagerImpl` takes care of calling `ThingHandler#initialize()`.
That totally makes sense if the thing was disabled before. However, if `setEnabled(thingUID, true)` is called for a thing which was already enabled, it causes an additional initialization.
Since concurrent handler initializations may cause trouble, it is safer to prevent this. Therefore enabling a thing (including starting its thing handler) should only be performed if the thing is disabled.
Signed-off-by: Michael Reitler <michael.dicke@smail.inf.h-brs.de>
* var and varh were missing
* var is basically an alternate form of WATT
* kvarh was incorrectly marked as a division between kvar and hour
* Volt-Ampere added to the units
This is the unit for apparent power in an electrical circuit. Useful for smart meters and solar inverters.
Signed-off-by: Nagy Attila Gabor <mrbig@sneaker.hu>
* [voice] Simplify lifecycle by using constructor injection
* Removed usage of org.apache.commons.lang.ArrayUtils
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
* Added public method to remove all members from a group
* Spelling in itest method names
* File encoding
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
* replaced Joda Time by Java Time
Signed-off-by: Kai Kreuzer <kai@openhab.org>
* removed joda from target platform feature
Signed-off-by: Kai Kreuzer <kai@openhab.org>
* updated tests
Signed-off-by: Kai Kreuzer <kai@openhab.org>
* fixed persistence extension tests
Signed-off-by: Kai Kreuzer <kai@openhab.org>
* Minor code improvements; Added nullness annotations to ThingActions and ThingHandlerService
* Revert renaming of 'thingRegistry' property
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
These filters help reduce payloads for UIs which
retrieve ad-hoc information rather than maintaining
a global state.
Signed-off-by: Yannick Schaus <github@schaus.net>
* Refactor dashboard tiles into core
Move the tile concept from the dashboard UI to the
org.openhab.core.ui bundle, and add a REST resource
(/rest/ui/tiles) to retrieve the list of tiles i.e.
registered UIs.
Signed-off-by: Yannick Schaus <github@schaus.net>