Better handling of SSE security.

Moved out password credentials out of core package (they are not mandatory kind of creds any more). Added session cookie authentication. Signed-off-by: Łukasz Dywicki <luke@code-house.org>
opensmarthouse · Feb 12, 2021 · acadc15 · acadc15
1 parent 4a5d662
commit acadc15
Show file tree

Hide file tree

Showing 27 changed files with 392 additions and 22 deletions.
diff --git a/bom/opensmarthouse/pom.xml b/bom/opensmarthouse/pom.xml
@@ -227,6 +227,16 @@
         <artifactId>org.opensmarthouse.core.auth.apitoken</artifactId>
         <version>${project.version}</version>
       </dependency>
+      <dependency>
+        <groupId>org.opensmarthouse.core.bundles</groupId>
+        <artifactId>org.opensmarthouse.core.auth.apitoken.provider</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.opensmarthouse.core.bundles</groupId>
+        <artifactId>org.opensmarthouse.core.auth.cookie</artifactId>
+        <version>${project.version}</version>
+      </dependency>
       <dependency>
         <groupId>org.opensmarthouse.core.bundles</groupId>
         <artifactId>org.opensmarthouse.core.auth.core</artifactId>
@@ -267,6 +277,11 @@
         <artifactId>org.opensmarthouse.core.auth.oauth2client.core</artifactId>
         <version>${project.version}</version>
       </dependency>
+      <dependency>
+        <groupId>org.opensmarthouse.core.bundles</groupId>
+        <artifactId>org.opensmarthouse.core.auth.password</artifactId>
+        <version>${project.version}</version>
+      </dependency>
       <dependency>
         <groupId>org.opensmarthouse.core.bundles</groupId>
         <artifactId>org.opensmarthouse.core.io.net</artifactId>

diff --git a/bundles/org.opensmarthouse.core.auth.cookie/pom.xml b/bundles/org.opensmarthouse.core.auth.cookie/pom.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.opensmarthouse.core.bundles</groupId>
+    <artifactId>org.opensmarthouse.core.reactor.bundles</artifactId>
+    <version>0.9.2-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>org.opensmarthouse.core.auth.cookie</artifactId>
+
+  <name>OpenSmartHouse Core | Bundles | Cookie Credentials</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.auth</artifactId>
+    </dependency>
+  </dependencies>
+
+</project>
diff --git a/...thouse.core.auth.cookie/src/main/java/org/openhab/core/auth/cookie/CookieCredentials.java b/...thouse.core.auth.cookie/src/main/java/org/openhab/core/auth/cookie/CookieCredentials.java
@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) 2019-2020 Contributors to the OpenSmartHouse project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.auth.cookie;
+
+import org.openhab.core.auth.Credentials;
+
+/**
+ * Credentials which represent key/value pair coming from HTTP cookie.
+ *
+ * @author Łukasz Dywicki - Initial contribution.
+ */
+public class CookieCredentials implements Credentials {
+
+  private final String name;
+  private final String value;
+
+  public CookieCredentials(String name, String value) {
+    this.name = name;
+    this.value = value;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public String getValue() {
+    return value;
+  }
+
+  @Override
+  public String getScheme() {
+    return "cookie";
+  }
+
+}
diff --git a/bundles/org.opensmarthouse.core.auth.jaas/pom.xml b/bundles/org.opensmarthouse.core.auth.jaas/pom.xml
@@ -18,6 +18,10 @@
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.auth</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.auth.password</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.auth.local</artifactId>

diff --git a/...th.jaas/src/main/java/org/openhab/core/auth/jaas/internal/JaasAuthenticationProvider.java b/...th.jaas/src/main/java/org/openhab/core/auth/jaas/internal/JaasAuthenticationProvider.java
@@ -35,7 +35,7 @@
 import org.openhab.core.auth.AuthenticationResult;
 import org.openhab.core.auth.Credentials;
 import org.openhab.core.auth.local.GenericUser;
-import org.openhab.core.auth.UsernamePasswordCredentials;
+import org.openhab.core.auth.password.UsernamePasswordCredentials;
 import org.openhab.core.config.core.ConfigurableService;
 import org.osgi.framework.Constants;
 import org.osgi.service.component.annotations.Activate;

diff --git a/bundles/org.opensmarthouse.core.auth.local.provider/pom.xml b/bundles/org.opensmarthouse.core.auth.local.provider/pom.xml
@@ -18,6 +18,10 @@
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.auth.local</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.auth.password</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.auth.apitoken</artifactId>

diff --git a/...al.provider/src/main/java/org/openhab/core/auth/local/core/internal/UserRegistryImpl.java b/...al.provider/src/main/java/org/openhab/core/auth/local/core/internal/UserRegistryImpl.java
@@ -34,11 +34,11 @@
 import org.openhab.core.auth.local.GenericUser;
 import org.openhab.core.auth.local.ManagedUser;
 import org.openhab.core.auth.local.User;
-import org.openhab.core.auth.UsernamePasswordCredentials;
 import org.openhab.core.auth.local.UserApiToken;
 import org.openhab.core.auth.local.UserProvider;
 import org.openhab.core.auth.local.UserRegistry;
 import org.openhab.core.auth.local.UserSession;
+import org.openhab.core.auth.password.UsernamePasswordCredentials;
 import org.openhab.core.common.registry.AbstractRegistry;
 import org.osgi.framework.BundleContext;
 import org.osgi.service.component.annotations.Activate;

diff --git a/...rovider/src/test/java/org/openhab/core/auth/local/core/internal/UserRegistryImplTest.java b/...rovider/src/test/java/org/openhab/core/auth/local/core/internal/UserRegistryImplTest.java
@@ -28,7 +28,7 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.openhab.core.auth.local.ManagedUser;
 import org.openhab.core.auth.local.User;
-import org.openhab.core.auth.UsernamePasswordCredentials;
+import org.openhab.core.auth.password.UsernamePasswordCredentials;
 import org.openhab.core.auth.local.UserSession;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.ServiceEvent;

diff --git a/...ore/auth/UsernamePasswordCredentials.java → ...password/UsernamePasswordCredentials.java b/...ore/auth/UsernamePasswordCredentials.java → ...password/UsernamePasswordCredentials.java
@@ -10,7 +10,9 @@
  *
  * SPDX-License-Identifier: EPL-2.0
  */
-package org.openhab.core.auth;
+package org.openhab.core.auth.password;
+
+import org.openhab.core.auth.Credentials;
 
 /**
  * Credentials which represent user name and password.

diff --git a/bundles/org.opensmarthouse.core.auth/src/main/java/org/openhab/core/auth/Authentication.java b/bundles/org.opensmarthouse.core.auth/src/main/java/org/openhab/core/auth/Authentication.java
@@ -71,10 +71,22 @@ public Authentication(String username, String[] roles, String scope) {
      * @param permissions permissions associated with authentication
      */
     public Authentication(String username, String[] roles, String scope, String[] permissions) {
+        this(username, Set.of(roles), scope, Set.of(permissions));
+    }
+
+    /**
+     * Creates a new instance with a specific scope
+     *
+     * @param username name of the user associated to this authentication instance
+     * @param roles a variable list of roles that the user possesses.
+     * @param scope a scope this authentication is valid for
+     * @param permissions permissions associated with authentication
+     */
+    public Authentication(String username, Set<String> roles, String scope, Set<String> permissions) {
         this.username = username;
-        this.roles = Set.of(roles);
+        this.roles = roles;
         this.scope = scope;
-        this.permissions = Set.of(permissions);
+        this.permissions = permissions;
     }
 
     /**

diff --git a/bundles/org.opensmarthouse.core.io.http.auth.basic/pom.xml b/bundles/org.opensmarthouse.core.io.http.auth.basic/pom.xml
@@ -14,6 +14,10 @@
   <name>OpenSmartHouse Core | Bundles | HTTP Authentication Basic</name>
 
   <dependencies>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.auth.password</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.io.auth</artifactId>

diff --git a/...src/main/java/org/openhab/core/io/http/auth/basic/internal/BasicCredentialsExtractor.java b/...src/main/java/org/openhab/core/io/http/auth/basic/internal/BasicCredentialsExtractor.java
@@ -18,7 +18,7 @@
 import javax.servlet.http.HttpServletRequest;
 
 import org.openhab.core.auth.Credentials;
-import org.openhab.core.auth.UsernamePasswordCredentials;
+import org.openhab.core.auth.password.UsernamePasswordCredentials;
 import org.openhab.core.io.auth.CredentialsExtractor;
 import org.openhab.core.io.http.facade.HttpRequestDelegate;
 import org.osgi.service.component.annotations.Component;

diff --git a/bundles/org.opensmarthouse.core.io.http.auth.cookie/pom.xml b/bundles/org.opensmarthouse.core.io.http.auth.cookie/pom.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.opensmarthouse.core.bundles</groupId>
+    <artifactId>org.opensmarthouse.core.reactor.bundles</artifactId>
+    <version>0.9.2-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>org.opensmarthouse.core.io.http.auth.cookie</artifactId>
+
+  <name>OpenSmartHouse Core | Bundles | HTTP Cookie Authentication</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.auth.cookie</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.io.auth</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.io.http.facade</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.io.http.auth</artifactId>
+    </dependency>
+  </dependencies>
+
+</project>
diff --git a/...c/main/java/org/openhab/core/io/http/auth/cookie/internal/CookieCredentialsExtractor.java b/...c/main/java/org/openhab/core/io/http/auth/cookie/internal/CookieCredentialsExtractor.java
@@ -0,0 +1,42 @@
+/**
+ * Copyright (c) 2010-2020 Contributors to the openHAB project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.http.auth.cookie.internal;
+
+import java.util.Optional;
+
+import org.openhab.core.auth.Credentials;
+import org.openhab.core.auth.cookie.CookieCredentials;
+import org.openhab.core.io.auth.CredentialsExtractor;
+import org.openhab.core.io.http.facade.Cookie;
+import org.openhab.core.io.http.facade.HttpRequestDelegate;
+import org.osgi.service.component.annotations.Component;
+
+/**
+ * Extract session information from cookie inincoming request.
+ *
+ * @author Łukasz Dywicki - Initial contribution.
+ */
+@Component(property = { "context=org.openhab.core.io.http.facade.HttpRequestDelegate" })
+public class CookieCredentialsExtractor implements CredentialsExtractor<HttpRequestDelegate> {
+
+    public static final String SESSIONID_COOKIE_NAME = "X-OPENHAB-SESSIONID";
+
+    @Override
+    public Optional<Credentials> retrieveCredentials(HttpRequestDelegate request) {
+        return request.getCookie(SESSIONID_COOKIE_NAME).map(this::process);
+    }
+
+    private CookieCredentials process(Cookie cookie) {
+        return new CookieCredentials(cookie.getName(), cookie.getValue());
+    }
+}
diff --git a/bundles/org.opensmarthouse.core.io.http.auth/pom.xml b/bundles/org.opensmarthouse.core.io.http.auth/pom.xml
@@ -18,6 +18,10 @@
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.auth</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.auth.password</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.io.auth</artifactId>

diff --git a/...tp.auth/src/main/java/org/openhab/core/io/http/auth/internal/AbstractAuthPageServlet.java b/...tp.auth/src/main/java/org/openhab/core/io/http/auth/internal/AbstractAuthPageServlet.java
@@ -33,11 +33,10 @@
 import org.eclipse.jdt.annotation.Nullable;
 import org.openhab.core.auth.AuthenticationException;
 import org.openhab.core.auth.AuthenticationManager;
-import org.openhab.core.auth.AuthenticationProvider;
 import org.openhab.core.auth.AuthenticationResult;
 import org.openhab.core.auth.local.User;
 import org.openhab.core.auth.local.UserRegistry;
-import org.openhab.core.auth.UsernamePasswordCredentials;
+import org.openhab.core.auth.password.UsernamePasswordCredentials;
 import org.openhab.core.i18n.LocaleProvider;
 import org.osgi.framework.BundleContext;
 import org.osgi.service.component.annotations.Reference;

diff --git a/...ttp.auth/src/main/java/org/openhab/core/io/http/auth/internal/ServletRequestDelegate.java b/...ttp.auth/src/main/java/org/openhab/core/io/http/auth/internal/ServletRequestDelegate.java
@@ -12,8 +12,10 @@
  */
 package org.openhab.core.io.http.auth.internal;
 
+import java.util.Arrays;
 import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
+import org.openhab.core.io.http.facade.Cookie;
 import org.openhab.core.io.http.facade.HttpRequestDelegate;
 
 /**
@@ -34,4 +36,10 @@ public Optional<String> getHeader(String headerName) {
     return Optional.ofNullable(request.getHeader(headerName));
   }
 
+  @Override
+  public Optional<Cookie> getCookie(String cookieName) {
+    return Arrays.stream(request.getCookies()).filter(cookie -> cookieName.equals(cookie.getName()))
+        .map(cookie -> new Cookie(cookie.getName(), cookie.getValue()))
+        .findFirst();
+  }
 }
diff --git a/...nsmarthouse.core.io.http.facade/src/main/java/org/openhab/core/io/http/facade/Cookie.java b/...nsmarthouse.core.io.http.facade/src/main/java/org/openhab/core/io/http/facade/Cookie.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (c) 2019-2020 Contributors to the OpenSmartHouse project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.http.facade;
+
+/**
+ * An unified (facade) version of http cookie.
+ *
+ * @author Łukasz Dywicki - Initial contribution.
+ */
+public class Cookie {
+
+  private final String name;
+  private final String value;
+
+  public Cookie(String name, String value) {
+    this.name = name;
+    this.value = value;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public String getValue() {
+    return value;
+  }
+
+}
diff --git a/...ore.io.http.facade/src/main/java/org/openhab/core/io/http/facade/HttpRequestDelegate.java b/...ore.io.http.facade/src/main/java/org/openhab/core/io/http/facade/HttpRequestDelegate.java
@@ -26,4 +26,6 @@ public interface HttpRequestDelegate {
   default Optional<String> getAuthorizationHeader() {
     return getHeader("Authorization");
   }
+
+  Optional<Cookie> getCookie(String cookieName);
 }
diff --git a/bundles/org.opensmarthouse.core.io.rest.auth.local/pom.xml b/bundles/org.opensmarthouse.core.io.rest.auth.local/pom.xml
@@ -18,6 +18,10 @@
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.config</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.opensmarthouse.core.bundles</groupId>
+      <artifactId>org.opensmarthouse.core.auth.cookie</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.opensmarthouse.core.bundles</groupId>
       <artifactId>org.opensmarthouse.core.auth.jwt</artifactId>