These workarounds to prevent false positives can be removed now the EEAs allow for proper null analysis.
Signed-off-by: Wouter Born <github@maindrain.net>
This adds API tokens as a new credential type. Their format is:
`oh.<name>.<random chars>`
The "oh." prefix is used to tell them apart from a JWT access token,
because they're both used as a Bearer authorization scheme, but there
is no semantic value attached to any of the other parts.
They are stored hashed in the user's profile, and can be listed, added
or removed managed with the new `openhab:users` console command.
Currently the scopes are still not checked, but ultimately they could
be, for instance a scope of e.g. `user admin.items` would mean that the
API token can be used to perform user operations like retrieving info
or sending a command, _and_ managing the items, but nothing else -
even if the user has more permissions because of their role (which
will of course still be checked).
Tokens are normally passed in the Authorization header with the Bearer
scheme, or the X-OPENHAB-TOKEN header, like access tokens.
As a special exception, API tokens can also be used with the Basic
authorization scheme, **even if the allowBasicAuth** option is not
enabled in the "API Security" service, because there's no additional
security risk in allowing that. In that case, the token should be
passed as the username and the password MUST be empty.
In short, this means that all these curl commands will work:
- `curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox`
- `curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox`
- `curl -u '<token>[:]' http://localhost:8080/rest/inbox`
- `curl http://<token>@localhost:8080/rest/inbox`
2 REST API operations were adding to the AuthResource, to allow
authenticated users to list their tokens or remove (revoke) one.
Self-service for creating a token or changing the password is more
sensitive so these should be handled with a servlet and pages devoid
of any JavaScript instead of REST API calls, therefore for now they'll
have to be done with the console.
This also fixes regressions introduced with #1713 - the operations
annotated with @RolesAllowed({ Role.USER }) only were not authorized
for administrators anymore.
* Generate a unique salt for each token
Reusing the password salt is bad practice, and changing the
password changes the salt as well which makes all tokens
invalid.
Put the salt in the same field as the hash (concatenated
with a separator) to avoid modifying the JSON DB schema.
* Fix API token authentication, make scope available to security context
The X-OPENHAB-TOKEN header now has priority over the Authorization
header to credentials, if both are set.
* Add self-service pages to change password & create new API token
Signed-off-by: Yannick Schaus <github@schaus.net>
* Migrates all tests to the JUnit 5 Jupiter API
* Updates bnd to 5.1.2
* Updates maven-surefire-plugin to 3.0.0-M5
* Updates Mockito to 3.4.6
* Updates Hamcrest to 2.2
* Removes org.openhab.core.boot POM dependencies
Signed-off-by: Wouter Born <github@maindrain.net>
Replaces the way an array is declared with the way "prefered for java", because the [] is part of the TYPE and not the NAME.
Signed-off-by: Paul Vogel <pavog@users.noreply.github.com>
* Fix for handling inverted cron ranges
This fix adds support for inverted cron ranged. For example SUN-WEN.
It also works all ranges and also with additional increments.
Closes#1516
Signed-off-by: Hilbrand Bouwkamp <hilbrand@h72.nl>
* Add and fix more null annotations
* Add more @NonNullByDefault and @Nullable annotations
* Remove unnecessary @NonNull annotations
* Fix a few other trivial SAT issues
* Add constructor injection for MDNSDiscoveryService
Signed-off-by: Wouter Born <github@maindrain.net>
* Clarify return values for implementation
* Dynamic state/command provider should not return original descritpion
* Added ERROR log message
* Added integration test for CommandDescriptionProvider
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
* Metadata-based state & command description providers
Implements #1185.
These providers will look into item metadata, which
can be managed by UIs with the API, to set or override
the item's state description (pattern, options, read
only...) or command description.
Signed-off-by: Yannick Schaus <github@schaus.net>
* UI component registries initial implementation
This is an initial implementation of #1355.
It was simple enough to make to be proposed as
a PR already without waiting for remarks on the RFC.
The SitemapProvider for the `system:sitemap`
namespace as described in #1355 is not part of
this PR.
Signed-off-by: Yannick Schaus <github@schaus.net>
* var and varh were missing
* var is basically an alternate form of WATT
* kvarh was incorrectly marked as a division between kvar and hour
* Volt-Ampere added to the units
This unit for apparent power in an electrical circuit. Useful for smart meters and solar inverters.
Signed-off-by: Nagy Attila Gabor <mrbig@sneaker.hu>
* Added public method to remove all members from a group
* Spelling in itest method names
* File encoding
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
Make sure Throwables are not be substituted into log messages so they can be formatted according to the logging configuration.
Signed-off-by: Wouter Born <github@maindrain.net>
Fixes SAT errors/warnings in resources and tests reported by SAT 0.8.0-SNAPSHOT.
Related to openhab/static-code-analysis#363
Signed-off-by: Wouter Born <github@maindrain.net>
* Added nullness annotations to o.o.c.binding.xml
* Use local variables
* Removed unuused import
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
Adds null annotations to all registries, the interfaces they implement and a few other classes.
Also-by: Christoph Weitkamp <github@christophweitkamp.de>
Signed-off-by: Wouter Born <github@maindrain.net>
* Use !isEmpty() instead of "size() > 0" or "size() != 0"
!isEmpty() expresses the intent more clearly and is therefore preferred.
Counting the number of elements can also be an expensive operation e.g. when using linked lists.
Co-Authored-By: Christoph Weitkamp <github@christophweitkamp.de>
Signed-off-by: Wouter Born <github@maindrain.net>
