* Allow basic authentication to authorize API access
Closes#1699.
Note, this opens a minor security issue that allows an attacker
to brute force passwords by making calls to the API - contrary to
the authorization page, the credentials parsing for the REST API
is stateless & doesn't have a lock mechanism to lock user accounts
after too many failed login attempts.
Signed-off-by: Yannick Schaus <github@schaus.net>
Xtext uses a cache for looking up classes when rules are run.
It also adds a null class value to this cache when a class is not found.
Once a value has entered the cache it will not be updated.
This causes the cache to return the wrong class (or the null value) when
calling static methods on ActionService and ThingActions classes that
were added/updated.
With the changes in this PR Xtext will be configured to use a custom cache
that updates the ActionService and ThingActions class references.
The PR also has a fix for the AnnotatedThingActionModuleTypeProvider not
properly sending ModuleType removed events when all ThingActions
registrations have been removed.
Fixes#1265Fixes#1694
Signed-off-by: Wouter Born <github@maindrain.net>
When one of the engines is unset the ScriptModuleTypeProvider clears all parameter options instead of only those that apply to that engine.
This fixes the Nashorn engine missing from the parameter options on the first openHAB startup.
Signed-off-by: Wouter Born <github@maindrain.net>
Catch specific exceptions and don't log errors but instead add an appropriate message and preserve the stacktrace.
Signed-off-by: Wouter Born <github@maindrain.net>
* Prevent IllegalStateException when closing SSE sink
* Simplify code and log exceptions on debug
There seem to be no issues anymore with the exception handling when SSE clients disconnect so simplify the exception handling.
Suppressing exceptions based on error message is also likely to break when new exceptions are added or messages change.
There are also still exceptions that get logged with "failure" but from which the code seems to recover without any issues.
Fixes#1499
Signed-off-by: Wouter Born <github@maindrain.net>
Since there are no more action add-ons in the distribution, I'd suggest to remove these from the `KarafAddonService` so they won't appear in the UI menus.
Signed-off-by: Yannick Schaus <github@schaus.net>
* Fixes bugs (vulnerabilities/performance issues)
* Supports OSGi better
* Prevents illegal reflective access warnings on newer Java versions
* Supports java.time converters
For XStream release notes see: https://x-stream.github.io/changes.html
The XmlDocumentReader which uses XStream has also been modified to configure XStream security to prevent "Security framework of XStream not initialized, XStream is probably vulnerable" warnings.
Signed-off-by: Wouter Born <github@maindrain.net>
Upgrades to:
* Xtext 2.23.0
* Xtend 2.23.0
* LSP 0.9.0
For Xtext release notes see: https://www.eclipse.org/Xtext/releasenotes.html#/releasenotes/2020/09/01/version-2-23-0
The Xtext dependencies are now managed using their BOM which makes it easier to keep them in sync.
Because Xtext depends on a newer ASM version some runtime dependencies were also upgraded:
* ASM 8.0.1
* Pax Web 7.2.15
* XBean 4.17.0
Signed-off-by: Wouter Born <github@maindrain.net>
* Filter empty i18n config parameter options
There are many locales that do not have a country resulting in these empty parameter options.
Related to #1662
Signed-off-by: Wouter Born <github@maindrain.net>
* Add listener to SseBroadcaster so sseEventSinkRemoved events are handled
* Use Instant instead of long for tracking subscription creation times
* Run cleanup every 2 minutes instead of every 5 minutes
Fixes#1674
Signed-off-by: Wouter Born <github@maindrain.net>
This removes the remaining deprecated MQTT transport code which was not part of #1668.
Related to #1408
Signed-off-by: Wouter Born <github@maindrain.net>
The handleUpdate method was deprecated when profiles were introduced (see eclipse-archived/smarthome#4108).
Instead the "follow profile" can be used which forwards item updates as commands to handlers.
This profile works with any binding instead of only those that implement the handleUpdate method.
Related to #1408
Signed-off-by: Wouter Born <github@maindrain.net>
* Fix item channel links not properly initialized
* Add ChannelLinkNotifierOSGiTest
* Send at most one channelLinked event per linked thing channel when activating ChannelLinkNotifier
* Send channelUnlinked event only if all items are unlinked
* Use Registry stream instead of getAll
Fixes#1596
Signed-off-by: Wouter Born <github@maindrain.net>
Removes:
* ConfigOptionProvider.getParameterOptions(URI, String, Locale) (see also #1541)
* DiscoveryListener.removeOlderResults(DiscoveryService, long, Collection<ThingTypeUID>)
Related to #1408
Signed-off-by: Wouter Born <github@maindrain.net>
The path is incorrect because a bug was introduced in #1650.
This results in the MapTransformationServiceTest failing so it was disabled in openhab/openhab-addons#8519.
Signed-off-by: Wouter Born <github@maindrain.net>
The rules are often not instantiated within 5 seconds.
On a Raspberry Pi 3B it can take 12 seconds before rules are instantiated.
The code has also been improved with proper null annotations.
Related to #1637
Signed-off-by: Wouter Born <github@maindrain.net>
Also added "org.eclipse.jdt.annotation" to the test BOM so we can use "org.eclipse.jdt.annotation.Checks" in itests.
That class has many useful methods that help with writing more readable test code when using the Eclipse JDT null analysis annotations.
After running the resolver on the itests a lot of bundles were removed from the itest.bndrun files.
Signed-off-by: Wouter Born <github@maindrain.net>
Currently the AuthFilter will try to find a token in the
X-OPENHAB-TOKEN HTTP header - only when it finds a cookie
named X-OPENHAB-AUTH-HEADER. It can cause problems because
browsers or proxies might block the cookie from being sent
for various reasons (for instance if there's a path set
for it).
There is no downside IMHO to always try to fallback to
checking the X-OPENHAB-TOKEN header for a token, if and
only if it's not already provided in the Authorization
header. It is the responsibility of the client to decide
how it wants to authorize the request among the available
options - by checking a cookie, or something else entirely.
Also removed the '?api_key=' option because Swagger UI
doesn't provide tokens that way anymore.
Signed-off-by: Yannick Schaus <github@schaus.net>
The ResponseBuilder's "encoding()" function sets the http header "Content-Encoding", which is used to compress the media type and not to specify the character encoding.
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
* Use Streams for filtering, mapping and checking predicates
* Add exception to warnings/errors when debug logging is enabled
* Use final featuresService field so method arguments can be removed
Fixes#1486
Signed-off-by: Wouter Born <github@maindrain.net>
The changes in #1614 caused null analysis errors in CommunicationManager.createCallback and caused unnecessary null check warnings in ProfileCallbackImpl.
Signed-off-by: Wouter Born <github@maindrain.net>
Closes https://github.com/openhab/openhab-webui/issues/309.
This only honors the scheme as reported by the `prefers-color-scheme` CSS media feature, i.e. local overrides for the main UI are not taken into account.
Tweak submit button styles to mimic the main UI's desktop theme.
Signed-off-by: Yannick Schaus <github@schaus.net>
* Migrates all tests to the JUnit 5 Jupiter API
* Updates bnd to 5.1.2
* Updates maven-surefire-plugin to 3.0.0-M5
* Updates Mockito to 3.4.6
* Updates Hamcrest to 2.2
* Removes org.openhab.core.boot POM dependencies
Signed-off-by: Wouter Born <github@maindrain.net>
This adds basic information about the runtime in the response
to the root `/rest` API resource, mostly for display purposes
by UIs: the version, build string and the location of the
configuration and user data folders.
Signed-off-by: Yannick Schaus <github@schaus.net>
The getAll() method in the ConfigDescriptionResource does not have a nickname set in its ApiOperation annotation.
Swagger uses the method name (getAll) as default operationId which is not unique.
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
In order to change to a valid type since the documentation suggests "Valid values are "List", "Set" or "Map". Any other value will be ignored.".
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
In order to change to a valid type since the documentation suggests "Valid values are "List", "Set" or "Map". Any other value will be ignored.".
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
