Abstract classes should not have public constructors.
Constructors of abstract classes can only be called in constructors of their subclasses.
So there is no point in making them public.
The protected modifier should be enough.
Signed-off-by: Wouter Born <github@maindrain.net>
Method references are more readable because they refer to class names and usually result in less code.
Signed-off-by: Wouter Born <github@maindrain.net>
Simplifies the code by using List.of, List.copyOf etc. where possible which results in less code and imports.
Signed-off-by: Wouter Born <github@maindrain.net>
Stream.toList was introduced in Java 16 and creates an unmodifiable List so it can be used to simplify code whenever the List is not expected to be modified.
Signed-off-by: Wouter Born <github@maindrain.net>
See: https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/StringBuilder.html
> This class provides an API compatible with StringBuffer, but with no guarantee of synchronization.
> This class is designed for use as a drop-in replacement for StringBuffer in places where the string buffer was being used by a single thread (as is generally the case).
> Where possible, it is recommended that this class be used in preference to StringBuffer as it will be faster under most implementations.
Signed-off-by: Wouter Born <github@maindrain.net>
* Implement command completion in console for openhab command
And subcommands can implement it if they want. At the least the
CommandConsoleExtension's description will now be visible in
tab-completion.
I've also implemented detailed completion for openhab:items,
openhab:status, openhab:send, and openhab:update.
Signed-off-by: Cody Cutrer <cody@cutrer.us>
* Add more null annotations
* Fix mock name
Adds null annotations to most of the tests as well as a few other classes.
Also fixes a few other SAT findings.
Fixes ~300 SAT findings in total.
Signed-off-by: Wouter Born <github@maindrain.net>
This adds API tokens as a new credential type. Their format is:
`oh.<name>.<random chars>`
The "oh." prefix is used to tell them apart from a JWT access token,
because they're both used as a Bearer authorization scheme, but there
is no semantic value attached to any of the other parts.
They are stored hashed in the user's profile, and can be listed, added
or removed managed with the new `openhab:users` console command.
Currently the scopes are still not checked, but ultimately they could
be, for instance a scope of e.g. `user admin.items` would mean that the
API token can be used to perform user operations like retrieving info
or sending a command, _and_ managing the items, but nothing else -
even if the user has more permissions because of their role (which
will of course still be checked).
Tokens are normally passed in the Authorization header with the Bearer
scheme, or the X-OPENHAB-TOKEN header, like access tokens.
As a special exception, API tokens can also be used with the Basic
authorization scheme, **even if the allowBasicAuth** option is not
enabled in the "API Security" service, because there's no additional
security risk in allowing that. In that case, the token should be
passed as the username and the password MUST be empty.
In short, this means that all these curl commands will work:
- `curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox`
- `curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox`
- `curl -u '<token>[:]' http://localhost:8080/rest/inbox`
- `curl http://<token>@localhost:8080/rest/inbox`
2 REST API operations were adding to the AuthResource, to allow
authenticated users to list their tokens or remove (revoke) one.
Self-service for creating a token or changing the password is more
sensitive so these should be handled with a servlet and pages devoid
of any JavaScript instead of REST API calls, therefore for now they'll
have to be done with the console.
This also fixes regressions introduced with #1713 - the operations
annotated with @RolesAllowed({ Role.USER }) only were not authorized
for administrators anymore.
* Generate a unique salt for each token
Reusing the password salt is bad practice, and changing the
password changes the salt as well which makes all tokens
invalid.
Put the salt in the same field as the hash (concatenated
with a separator) to avoid modifying the JSON DB schema.
* Fix API token authentication, make scope available to security context
The X-OPENHAB-TOKEN header now has priority over the Authorization
header to credentials, if both are set.
* Add self-service pages to change password & create new API token
Signed-off-by: Yannick Schaus <github@schaus.net>
* Use !isEmpty() instead of "size() > 0" or "size() != 0"
!isEmpty() expresses the intent more clearly and is therefore preferred.
Counting the number of elements can also be an expensive operation e.g. when using linked lists.
Co-Authored-By: Christoph Weitkamp <github@christophweitkamp.de>
Signed-off-by: Wouter Born <github@maindrain.net>
Fixes the SAT warning: First javadoc author should have "Initial contribution" contribution description.
Signed-off-by: Wouter Born <github@maindrain.net>
