Commit Graph

788 Commits

Author SHA1 Message Date
Yannick Schaus
6ff65df7d2
[REST Auth] Remove user access to things (#1807)
I can't think of a good reason why listing things or querying their status should be allowed for users.
The things layer should only be of concern to admins IMHO.
As noted here: https://community.openhab.org/t/oh3-will-list-all-your-things-even-if-you-are-not-logged-in/108006/3
passwords and other sensible information in configuration could end up being exposed without auth required.

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-11-26 08:31:10 +01:00
silamon
9a12f95dee
Remove the groupname from the members if the group item is removed (#1833)
Remove the groupname from the members if the group item is removed.
This is implemented in the ManagedItemProvider.

Fixes #1785
Fixes #1392

Signed-off-by: Simon Lamon <simonlamon93@hotmail.com>
2020-11-22 12:24:38 +01:00
Jonathan Gilbert
60edebc111
Pass script context to script engines (#1837)
Signed-off-by: Jonathan Gilbert <jpg@trillica.com>
2020-11-22 10:52:22 +01:00
Yannick Schaus
065177b730
[rest] Add summary option to rules, things, UI components resources (#1827)
The /things, /rules, /ui/components endpoints retrieve all objects
in their entirety, which can become very big, i.e. channels, config
parameters, script rule modules or trees of UI components can
quickly add up to the size.

When the UI simply displays a list of those objects it retrieves all
this extra information but does nothing with it.

This introduces an optional ?summary=true query parameter for the
above resources to limit the output to pre-defined fields which are
deemed most relevant for displaying these lists, omitting the rest.

When the option is not set, the behavior remains unchanged so this
change is not API breaking. The API version has therefore not been
incremented. The client is responsible for adding the option to
retrieve summarized collections instead of the entire objects.

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-11-21 18:40:48 +01:00
Kai Kreuzer
5330de0473
Avoid potential NPE (#1839)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-19 20:13:23 +01:00
Christoph Weitkamp
ddaf0d46fd
Added support for MetricPrefix combined with byte and use byte as default instead of octet (#1838)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-19 19:33:10 +01:00
Kai Kreuzer
63ec4342f2
Added expire functionality as core framework feature (#1803)
* Added expire functionality as core framework feature

Closes #1620

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-19 14:15:02 +01:00
Kai Kreuzer
70ca7655a2
Harden item creation by checking for validity of name (#1825)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-18 00:18:00 +01:00
Wouter Born
d5e7fe3ab3
Update LastNPE EEAs to 2.2.1 (#1821)
Signed-off-by: Wouter Born <github@maindrain.net>
2020-11-17 16:29:09 +01:00
Kai Kreuzer
94d6a80493
Create separate DSLScriptEngine instances for every handler (#1819)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-14 20:16:19 +01:00
silamon
d59d3c3cc2
[REST] Apply metadata selector regex on all namespaces (#1756)
* Change metadata selector

Fixes #1692

Signed-off-by: Simon Lamon <simonlamon93@hotmail.com>
2020-11-14 17:58:46 +01:00
Yannick Schaus
4e045204ac
[automation] Create Nashorn script engines with the proper class loader (#1799)
This should fix the issue reported here:
https://community.openhab.org/t/openhab-3-0-milestone-2-discussion/107564/8

where the Nashorn script engine would be created with the
current thread's class loader, causing JS code like this:
```
var Log = Java.type("org.openhab.core.model.script.actions.Log");
Log.logError("Experiments", "This is an OH error log");
Log.logWarn("Experiments", "This is an OH warn log");
Log.logInfo("Experiments", "This is an OH info log");
Log.logDebug("Experiments", "This is an OH debug log");
```
to run fine when the rule was triggered but fail to find the Log
class when run from the REST API's `/rest/rules/{ruleUID}/runnow`,
because in that case the generic createScriptEngine implementation
would return script engines using the JAX-RS class loader as the
"app" class loader.

Note:
We also have an opportunity to restrict which classes are exposed
to the script with a ClassFilter to a specific set:
https://docs.oracle.com/javase/8/docs/jdk/api/nashorn/jdk/nashorn/api/scripting/NashornScriptEngineFactory.html#getScriptEngine-java.lang.String:A-java.lang.ClassLoader-jdk.nashorn.api.scripting.ClassFilter-
This could prove useful to mitigate code execution vulnerabilities,
as the script code is modifiable remotely.

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-11-14 15:17:33 +01:00
Christoph Weitkamp
7cb746ece1
Changed comparison from equals() to reference (#1817)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-14 13:46:03 +01:00
lolodomo
8102cffb7f
Log reason for rules/scripts refresh (#1812)
* Log reason for rules/scripts refresh

Fixes #1293

Signed-off-by: Laurent Garnier <lg.hc@free.fr>
2020-11-13 21:38:35 +01:00
Kai Kreuzer
7d2a505e13
[automation] Correctly map the state context variable of the ItemStateEvent to the implicit var newState (#1809)
Fixes #1802 

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-13 07:29:56 +01:00
Kai Kreuzer
c2b3885e9e
Do not provide unit information for plain number items (#1811)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-12 22:13:28 +01:00
Kai Kreuzer
48209e4a45
[automation] Fixes NPE when no command is given in a member-of-group trigger (#1806)
Fixes #1793 

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-11 16:27:31 +01:00
Christoph Weitkamp
53af3c99ad
Allow max, min and avg calculations on other types (#1563)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-10 22:40:55 +01:00
Sonic-Amiga
3b65a9c556
transport/mqtt: Introduce setUnsubscribeOnStop() function (#1724)
Some MQTT servers can be quirky, then do not handle Usubscribe request properly.
In this case we have to omit sending it. Introduce a boolean flag, telling
whether the request should be sent or not, and add a public function to set it.

iRobot built-in MQTT server is known to suffer from this problem.

Signed-off-by: Pavel Fedin <pavel_fedin@mail.ru>
2020-11-10 22:37:46 +01:00
Christoph Weitkamp
0b239692ce
Added NPE checks for result of 'getSymbolicName()' methods (#1795)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-10 22:36:21 +01:00
Christoph Weitkamp
91e16e0f80
Print 'ItemChannelLink' configuration in output of console commands (#1794)
* Print ItemChannelLink configuration in output of console commands

Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-05 09:22:01 +01:00
Wouter Born
2f2bfde500
Remove Map null annotation workarounds (#1780)
These workarounds to prevent false positives can be removed now the EEAs allow for proper null analysis.

Signed-off-by: Wouter Born <github@maindrain.net>
2020-11-03 22:12:22 +01:00
Wouter Born
0281c10036
[infrastructure] add external null-annotations (#1775)
Add EEAs and fix null analysis errors.

Related to:

* #888
* openhab/openhab-addons#8848

Signed-off-by: Wouter Born <github@maindrain.net>
2020-11-03 21:33:48 +01:00
Christoph Weitkamp
a598fa94f4
Fixed provider comparison (#1792)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-03 18:00:28 +01:00
Kai Kreuzer
35b0a1275e
[charts] Add support for QuantityTypes to DefaultChartProvider (#1789)
Fixes #1781

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-02 10:45:31 +01:00
Kai Kreuzer
5a9c5e7d87
strip unit from historic states (#1782)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-01 01:53:02 +01:00
Christoph Weitkamp
5683cc2472
Revert ordering of accepted data types for 'StringItem' (#1776)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-30 15:15:03 +01:00
Christoph Weitkamp
25683471e8
Revert ordering of accepted datatypes for StringItem (#1774)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-29 08:45:21 +01:00
radicale
ae26ce4618
Fixed typo in class name TrustAllTrustMananger. Will probably require changes in bindings as well. (#1773)
Signed-off-by: Alessandro Radicati <radicale@gmail.com>
2020-10-28 20:42:45 +01:00
Kai Kreuzer
749b8f17fe
[automation] Allow dashes in rule file names (#1750)
* Allow dashes in rule file names

Fixes #1728

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-25 20:19:00 +01:00
Yannick Schaus
3df4403268
[REST Auth] Clear session cookie only when deleting own session (#1758)
Fix https://github.com/openhab/openhab-webui/issues/441

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-10-25 19:52:12 +01:00
Christoph Weitkamp
172ee2f0ad
Replaced static inline declarations by List.of() method (#1755)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-25 15:20:30 +01:00
Christoph Weitkamp
acdbdfa4d7
[ui] Added unit test for read-only Number- and String-Items to not return a Selection Element (#1754)
* Added unit test for read-only Number- and String-Items to not return a Selection Element
* Improved usage of 'lastIndexOf'

Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-25 12:11:17 +01:00
Christoph Weitkamp
8744bc10fe
[cache] Added 'ByteArrayFileCache' (#1723)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-25 12:06:30 +01:00
Yannick Schaus
8b52cab5ef
[REST Auth] API tokens & openhab:users console command (#1735)
This adds API tokens as a new credential type. Their format is:
`oh.<name>.<random chars>`

The "oh." prefix is used to tell them apart from a JWT access token,
because they're both used as a Bearer authorization scheme, but there
is no semantic value attached to any of the other parts.

They are stored hashed in the user's profile, and can be listed, added
or removed managed with the new `openhab:users` console command.

Currently the scopes are still not checked, but ultimately they could
be, for instance a scope of e.g. `user admin.items` would mean that the
API token can be used to perform user operations like retrieving info
or sending a command, _and_ managing the items, but nothing else -
even if the user has more permissions because of their role (which
will of course still be checked).

Tokens are normally passed in the Authorization header with the Bearer
scheme, or the X-OPENHAB-TOKEN header, like access tokens.
As a special exception, API tokens can also be used with the Basic
authorization scheme, **even if the allowBasicAuth** option is not
enabled in the "API Security" service, because there's no additional
security risk in allowing that. In that case, the token should be
passed as the username and the password MUST be empty.

In short, this means that all these curl commands will work:
- `curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox`
- `curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox`
- `curl -u '<token>[:]' http://localhost:8080/rest/inbox`
- `curl http://<token>@localhost:8080/rest/inbox`

2 REST API operations were adding to the AuthResource, to allow
authenticated users to list their tokens or remove (revoke) one.
Self-service for creating a token or changing the password is more
sensitive so these should be handled with a servlet and pages devoid
of any JavaScript instead of REST API calls, therefore for now they'll
have to be done with the console.

This also fixes regressions introduced with #1713 - the operations
annotated with @RolesAllowed({ Role.USER }) only were not authorized
for administrators anymore.

* Generate a unique salt for each token

Reusing the password salt is bad practice, and changing the
password changes the salt as well which makes all tokens
invalid.

Put the salt in the same field as the hash (concatenated
with a separator) to avoid modifying the JSON DB schema.

* Fix API token authentication, make scope available to security context

The X-OPENHAB-TOKEN header now has priority over the Authorization
header to credentials, if both are set.

* Add self-service pages to change password & create new API token

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-10-25 12:04:40 +01:00
Christoph Weitkamp
dd92288e97
Added nullness annotations, ctor injection (#1747)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-24 10:08:38 +02:00
Christoph Weitkamp
5d75bce553
Sort audio sinks (#1744)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-21 23:56:44 +02:00
Wouter Born
584c85a07f
[automation] Improve rule debugging (#1742)
* Add rule UID to error message
* Add exception with stacktrace when debug level is enabled

Related to #1734

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-20 15:50:25 +02:00
Yannick Schaus
d262b6f5bc
Add missing roles checks (#1739)
(I included these fixes in #1735 but extracted them in a stanalone
PR because it's easier to review and a little more urgent.)

As a result of the refactoring in #1713, the operations annotated with
`@RolesAllowed` containing `Role.USER` are not anymore automatically
considered accessible to all users, regardless of their actual roles.

4 operations are therefore now denied to admins if they only have the
`Role.ADMIN` role, as the first admininistrator is created only with
that role the UI encounters unexpected access denied errors and breaks.
(See https://github.com/openhab/openhab-webui/issues/422).

Closes https://github.com/openhab/openhab-webui/issues/422.

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-10-20 08:20:39 +02:00
Wouter Born
0ac14b9f8f
Fix IAE when enabling debug logging on PersistenceManagerImpl (#1737)
Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-19 22:47:28 +02:00
Christoph Weitkamp
7d70a97b77
Fixed IndexOutOfBoundsException in ScriptModuleTypeProvider (#1730)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-19 13:41:58 +02:00
Wouter Born
b2c045d0fe
Fix build by wrapping lines (#1729)
Caused by #1713

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-19 11:42:26 +02:00
Yannick Schaus
e26c49b9bf
Allow basic authentication to authorize API access (#1713)
* Allow basic authentication to authorize API access

Closes #1699.

Note, this opens a minor security issue that allows an attacker
to brute force passwords by making calls to the API - contrary to
the authorization page, the credentials parsing for the REST API
is stateless & doesn't have a lock mechanism to lock user accounts
after too many failed login attempts.

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-10-18 20:59:51 +02:00
Wouter Born
4c31c0b3ff
Fix issues with configuration PIDs (#1727)
* Fixes warnings about "using different service PIDs"
* Fixes missing default values

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-18 18:02:13 +02:00
Wouter Born
3d88e91952
Open ProviderTracker asynchronously when activating AbstractRegistry (#1719)
* Open ProviderTracker asynchronously when activating AbstractRegistry

Fixes #890

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-18 00:31:13 +02:00
Christoph Weitkamp
4ba70778d1
Added validation for relation between ThingUID and BridgeUID (#1704)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-17 17:59:34 +02:00
Wouter Born
605c1c238c
Add Automation extension type (#1722)
Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-17 15:08:53 +02:00
Kai Kreuzer
5d830d64f0
Fixed missing item resolution of DSL scripts created through the UI (#1720)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-15 23:04:30 +02:00
Kai Kreuzer
70fed5a9c2
Fixed initialization of group items with aggregation functions (#1718)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-15 23:03:22 +02:00
Kai Kreuzer
e9ffff9f01
Fixed name of measurement systems (#1717)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-14 22:46:55 +02:00