Commit Graph

1674 Commits

Author SHA1 Message Date
Yannick Schaus
4e045204ac
[automation] Create Nashorn script engines with the proper class loader (#1799)
This should fix the issue reported here:
https://community.openhab.org/t/openhab-3-0-milestone-2-discussion/107564/8

where the Nashorn script engine would be created with the
current thread's class loader, causing JS code like this:
```
var Log = Java.type("org.openhab.core.model.script.actions.Log");
Log.logError("Experiments", "This is an OH error log");
Log.logWarn("Experiments", "This is an OH warn log");
Log.logInfo("Experiments", "This is an OH info log");
Log.logDebug("Experiments", "This is an OH debug log");
```
to run fine when the rule was triggered but fail to find the Log
class when run from the REST API's `/rest/rules/{ruleUID}/runnow`,
because in that case the generic createScriptEngine implementation
would return script engines using the JAX-RS class loader as the
"app" class loader.

Note:
We also have an opportunity to restrict which classes are exposed
to the script with a ClassFilter to a specific set:
https://docs.oracle.com/javase/8/docs/jdk/api/nashorn/jdk/nashorn/api/scripting/NashornScriptEngineFactory.html#getScriptEngine-java.lang.String:A-java.lang.ClassLoader-jdk.nashorn.api.scripting.ClassFilter-
This could prove useful to mitigate code execution vulnerabilities,
as the script code is modifiable remotely.

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-11-14 15:17:33 +01:00
Christoph Weitkamp
7cb746ece1
Changed comparison from equals() to reference (#1817)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-14 13:46:03 +01:00
lolodomo
8102cffb7f
Log reason for rules/scripts refresh (#1812)
* Log reason for rules/scripts refresh

Fixes #1293

Signed-off-by: Laurent Garnier <lg.hc@free.fr>
2020-11-13 21:38:35 +01:00
Kai Kreuzer
7d2a505e13
[automation] Correctly map the state context variable of the ItemStateEvent to the implicit var newState (#1809)
Fixes #1802 

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-13 07:29:56 +01:00
Kai Kreuzer
c2b3885e9e
Do not provide unit information for plain number items (#1811)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-12 22:13:28 +01:00
Kai Kreuzer
48209e4a45
[automation] Fixes NPE when no command is given in a member-of-group trigger (#1806)
Fixes #1793 

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-11 16:27:31 +01:00
Christoph Weitkamp
53af3c99ad
Allow max, min and avg calculations on other types (#1563)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-10 22:40:55 +01:00
Sonic-Amiga
3b65a9c556
transport/mqtt: Introduce setUnsubscribeOnStop() function (#1724)
Some MQTT servers can be quirky, then do not handle Usubscribe request properly.
In this case we have to omit sending it. Introduce a boolean flag, telling
whether the request should be sent or not, and add a public function to set it.

iRobot built-in MQTT server is known to suffer from this problem.

Signed-off-by: Pavel Fedin <pavel_fedin@mail.ru>
2020-11-10 22:37:46 +01:00
Christoph Weitkamp
0b239692ce
Added NPE checks for result of 'getSymbolicName()' methods (#1795)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-10 22:36:21 +01:00
Christoph Weitkamp
91e16e0f80
Print 'ItemChannelLink' configuration in output of console commands (#1794)
* Print ItemChannelLink configuration in output of console commands

Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-05 09:22:01 +01:00
Wouter Born
2f2bfde500
Remove Map null annotation workarounds (#1780)
These workarounds to prevent false positives can be removed now the EEAs allow for proper null analysis.

Signed-off-by: Wouter Born <github@maindrain.net>
2020-11-03 22:12:22 +01:00
Wouter Born
0281c10036
[infrastructure] add external null-annotations (#1775)
Add EEAs and fix null analysis errors.

Related to:

* #888
* openhab/openhab-addons#8848

Signed-off-by: Wouter Born <github@maindrain.net>
2020-11-03 21:33:48 +01:00
Christoph Weitkamp
a598fa94f4
Fixed provider comparison (#1792)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-11-03 18:00:28 +01:00
Kai Kreuzer
35b0a1275e
[charts] Add support for QuantityTypes to DefaultChartProvider (#1789)
Fixes #1781

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-02 10:45:31 +01:00
Kai Kreuzer
5a9c5e7d87
strip unit from historic states (#1782)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-11-01 01:53:02 +01:00
Christoph Weitkamp
5683cc2472
Revert ordering of accepted data types for 'StringItem' (#1776)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-30 15:15:03 +01:00
Christoph Weitkamp
25683471e8
Revert ordering of accepted datatypes for StringItem (#1774)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-29 08:45:21 +01:00
radicale
ae26ce4618
Fixed typo in class name TrustAllTrustMananger. Will probably require changes in bindings as well. (#1773)
Signed-off-by: Alessandro Radicati <radicale@gmail.com>
2020-10-28 20:42:45 +01:00
Wouter Born
2cfdf1934e
Add .gitattributes (#1767)
Without this configuration there are Spotless issues with line endings on Windows.

See: openhab/openhab-addons#8712

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-26 22:24:59 +01:00
Kai Kreuzer
749b8f17fe
[automation] Allow dashes in rule file names (#1750)
* Allow dashes in rule file names

Fixes #1728

Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-25 20:19:00 +01:00
Yannick Schaus
3df4403268
[REST Auth] Clear session cookie only when deleting own session (#1758)
Fix https://github.com/openhab/openhab-webui/issues/441

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-10-25 19:52:12 +01:00
Christoph Weitkamp
172ee2f0ad
Replaced static inline declarations by List.of() method (#1755)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-25 15:20:30 +01:00
Christoph Weitkamp
acdbdfa4d7
[ui] Added unit test for read-only Number- and String-Items to not return a Selection Element (#1754)
* Added unit test for read-only Number- and String-Items to not return a Selection Element
* Improved usage of 'lastIndexOf'

Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-25 12:11:17 +01:00
Christoph Weitkamp
8744bc10fe
[cache] Added 'ByteArrayFileCache' (#1723)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-25 12:06:30 +01:00
Yannick Schaus
8b52cab5ef
[REST Auth] API tokens & openhab:users console command (#1735)
This adds API tokens as a new credential type. Their format is:
`oh.<name>.<random chars>`

The "oh." prefix is used to tell them apart from a JWT access token,
because they're both used as a Bearer authorization scheme, but there
is no semantic value attached to any of the other parts.

They are stored hashed in the user's profile, and can be listed, added
or removed managed with the new `openhab:users` console command.

Currently the scopes are still not checked, but ultimately they could
be, for instance a scope of e.g. `user admin.items` would mean that the
API token can be used to perform user operations like retrieving info
or sending a command, _and_ managing the items, but nothing else -
even if the user has more permissions because of their role (which
will of course still be checked).

Tokens are normally passed in the Authorization header with the Bearer
scheme, or the X-OPENHAB-TOKEN header, like access tokens.
As a special exception, API tokens can also be used with the Basic
authorization scheme, **even if the allowBasicAuth** option is not
enabled in the "API Security" service, because there's no additional
security risk in allowing that. In that case, the token should be
passed as the username and the password MUST be empty.

In short, this means that all these curl commands will work:
- `curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox`
- `curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox`
- `curl -u '<token>[:]' http://localhost:8080/rest/inbox`
- `curl http://<token>@localhost:8080/rest/inbox`

2 REST API operations were adding to the AuthResource, to allow
authenticated users to list their tokens or remove (revoke) one.
Self-service for creating a token or changing the password is more
sensitive so these should be handled with a servlet and pages devoid
of any JavaScript instead of REST API calls, therefore for now they'll
have to be done with the console.

This also fixes regressions introduced with #1713 - the operations
annotated with @RolesAllowed({ Role.USER }) only were not authorized
for administrators anymore.

* Generate a unique salt for each token

Reusing the password salt is bad practice, and changing the
password changes the salt as well which makes all tokens
invalid.

Put the salt in the same field as the hash (concatenated
with a separator) to avoid modifying the JSON DB schema.

* Fix API token authentication, make scope available to security context

The X-OPENHAB-TOKEN header now has priority over the Authorization
header to credentials, if both are set.

* Add self-service pages to change password & create new API token

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-10-25 12:04:40 +01:00
Christoph Weitkamp
dd92288e97
Added nullness annotations, ctor injection (#1747)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-24 10:08:38 +02:00
Christoph Weitkamp
5d75bce553
Sort audio sinks (#1744)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-21 23:56:44 +02:00
Wouter Born
584c85a07f
[automation] Improve rule debugging (#1742)
* Add rule UID to error message
* Add exception with stacktrace when debug level is enabled

Related to #1734

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-20 15:50:25 +02:00
Yannick Schaus
d262b6f5bc
Add missing roles checks (#1739)
(I included these fixes in #1735 but extracted them in a stanalone
PR because it's easier to review and a little more urgent.)

As a result of the refactoring in #1713, the operations annotated with
`@RolesAllowed` containing `Role.USER` are not anymore automatically
considered accessible to all users, regardless of their actual roles.

4 operations are therefore now denied to admins if they only have the
`Role.ADMIN` role, as the first admininistrator is created only with
that role the UI encounters unexpected access denied errors and breaks.
(See https://github.com/openhab/openhab-webui/issues/422).

Closes https://github.com/openhab/openhab-webui/issues/422.

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-10-20 08:20:39 +02:00
Wouter Born
0ac14b9f8f
Fix IAE when enabling debug logging on PersistenceManagerImpl (#1737)
Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-19 22:47:28 +02:00
Christoph Weitkamp
7d70a97b77
Fixed IndexOutOfBoundsException in ScriptModuleTypeProvider (#1730)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-19 13:41:58 +02:00
Wouter Born
b2c045d0fe
Fix build by wrapping lines (#1729)
Caused by #1713

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-19 11:42:26 +02:00
Yannick Schaus
e26c49b9bf
Allow basic authentication to authorize API access (#1713)
* Allow basic authentication to authorize API access

Closes #1699.

Note, this opens a minor security issue that allows an attacker
to brute force passwords by making calls to the API - contrary to
the authorization page, the credentials parsing for the REST API
is stateless & doesn't have a lock mechanism to lock user accounts
after too many failed login attempts.

Signed-off-by: Yannick Schaus <github@schaus.net>
2020-10-18 20:59:51 +02:00
Wouter Born
4c31c0b3ff
Fix issues with configuration PIDs (#1727)
* Fixes warnings about "using different service PIDs"
* Fixes missing default values

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-18 18:02:13 +02:00
Wouter Born
3d88e91952
Open ProviderTracker asynchronously when activating AbstractRegistry (#1719)
* Open ProviderTracker asynchronously when activating AbstractRegistry

Fixes #890

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-18 00:31:13 +02:00
Christoph Weitkamp
4ba70778d1
Added validation for relation between ThingUID and BridgeUID (#1704)
Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>
2020-10-17 17:59:34 +02:00
Wouter Born
605c1c238c
Add Automation extension type (#1722)
Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-17 15:08:53 +02:00
Wouter Born
a70dd39a6b
Fix JSR223 JavaScript files not loading (#1725)
This adds a missing feature required for being able to load JSR223 JavaScript rules out of the box.

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-17 15:03:36 +02:00
Kai Kreuzer
8a3d438c4f
upgraded JmDNS to version 3.5.6 (#1721)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-16 12:52:25 +02:00
Kai Kreuzer
5d830d64f0
Fixed missing item resolution of DSL scripts created through the UI (#1720)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-15 23:04:30 +02:00
Kai Kreuzer
70fed5a9c2
Fixed initialization of group items with aggregation functions (#1718)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-15 23:03:22 +02:00
Kai Kreuzer
e9ffff9f01
Fixed name of measurement systems (#1717)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-14 22:46:55 +02:00
Wouter Born
0d1a15ef34
Update ActionService and ThingActions classes in Xtext cache (#1714)
Xtext uses a cache for looking up classes when rules are run.
It also adds a null class value to this cache when a class is not found.

Once a value has entered the cache it will not be updated.
This causes the cache to return the wrong class (or the null value) when
calling static methods on ActionService and ThingActions classes that
were added/updated.

With the changes in this PR Xtext will be configured to use a custom cache
that updates the ActionService and ThingActions class references.

The PR also has a fix for the AnnotatedThingActionModuleTypeProvider not
properly sending ModuleType removed events when all ThingActions
registrations have been removed.

Fixes #1265
Fixes #1694

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-13 23:17:57 +02:00
Wouter Born
7d8126e89f
Fix ScriptEngine parameter option removal (#1716)
When one of the engines is unset the ScriptModuleTypeProvider clears all parameter options instead of only those that apply to that engine.
This fixes the Nashorn engine missing from the parameter options on the first openHAB startup.

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-13 23:13:30 +02:00
Connor Petty
a29490a545
Fix and cleanup logging in ExecUtil (#1705)
* Fix and cleanup logging in ExecUtil

Signed-off-by: Connor Petty <mistercpp2000+gitsignoff@gmail.com>
2020-10-11 22:19:42 +02:00
Wouter Born
ab1fa65aa1
Improve JwtHelper exception handling (#1712)
Catch specific exceptions and don't log errors but instead add an appropriate message and preserve the stacktrace.

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-11 10:03:39 +02:00
Wouter Born
23e8f18e7f
Use openhab-addons-deps Maven repository for all Xtext Orbit bundle dependencies (#1711)
Fixes #960

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-11 09:58:51 +02:00
Kai Kreuzer
351fcb1852
Include measurement system in REST root resource (#1710)
Signed-off-by: Kai Kreuzer <kai@openhab.org>
2020-10-10 20:04:25 +02:00
Wouter Born
76f51026aa
Simplify core features to prevent unnecessary bundle refreshes (#1709)
It seems that when multiple features install the same bundle it may cause Karaf to refresh bundles when (un)installing features.
When the (redundant) openhab-core-automation feature is removed and the serial dependencies are merged into the openhab-transport-serial feature these restarts due these bundle refreshes no longer occur.

Fixes #1322, #1354

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-10 18:24:13 +02:00
Wouter Born
159aefffa5
Remove unused DBus Transport (#1708)
Related to #960

Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-10 08:08:22 +02:00