Allow basic authentication to authorize API access #1713
Merged
Merged
Changes from 6 commits
46b5c2b
Allow basic authentication to authorize API access
ghys df00d2b
Add configurable service/config description
ghys c862a8a
Rename config option, case insensitive scheme matching
ghys 18818fe
Update bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-IN…
ghys 58f8910
Rename option to "implicitUserRole", enabled by default
ghys 348677d
Fix implicitUserRole value setting logic
ghys 0c9d044
Update bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-IN…
kaikreuzer
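--- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AnonymousUserSecurityContext.java
+++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AnonymousUserSecurityContext.java
@@ -0,0 +1,50 @@
+/**
+* Copyright (c) 2010-2020 Contributors to the openHAB project
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Eclipse Public License 2.0 which is available at
+* http://www.eclipse.org/legal/epl-2.0
+*
+* SPDX-License-Identifier: EPL-2.0
+*/
+package org.openhab.core.io.rest.auth.internal;
+
+import java.security.Principal;
+
+import javax.ws.rs.core.SecurityContext;
+
+import org.eclipse.jdt.annotation.NonNullByDefault;
+import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.Role;
+
+/**
+* This {@link SecurityContext} can be used to give anonymous users (i.e. unauthenticated requests) the "user" role.
+*
+* @author Yannick Schaus - initial contribution
+*/
+@NonNullByDefault
+public class AnonymousUserSecurityContext implements SecurityContext {
+
+@Override
+public @Nullable Principal getUserPrincipal() {
+return null;
+}
+
+@Override
+public boolean isUserInRole(@Nullable String role) {
+return role == null || Role.USER.equals(role);
+}
+
+@Override
+public boolean isSecure() {
+return false;
+}
+
+@Override
+public @Nullable String getAuthenticationScheme() {
+return null;
+}
+}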
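Review bot: `isUserInRole` answers true when `role` is null, so for an anonymous request a role check made without a role name passes, whereas `UserSecurityContext.isUserInRole` in the same change hands a null role to `user.getRoles().contains(role)`; the two contexts should agree on that case. Unless a caller depends on the null branch (the filter that installs this context is not part of this view), `return Role.USER.equals(role);` is the narrower answer. The class Javadoc should also state that this context is meant to be installed only while the `implicitUserRole` option is enabled, because it gives every unauthenticated request the "user" role.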
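--- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java
+++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java
@@ -0,0 +1,65 @@
+/**
+* Copyright (c) 2010-2020 Contributors to the openHAB project
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Eclipse Public License 2.0 which is available at
+* http://www.eclipse.org/legal/epl-2.0
+*
+* SPDX-License-Identifier: EPL-2.0
+*/
+package org.openhab.core.io.rest.auth.internal;
+
+import java.security.Principal;
+
+import javax.ws.rs.core.SecurityContext;
+
+import org.eclipse.jdt.annotation.NonNullByDefault;
+import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.User;
+
+/**
+* This {@link SecurityContext} contains information about a user, roles and authorizations granted to a client
+* from a {@link User} instance.
+*
+* @author Yannick Schaus - initial contribution
+*/
+@NonNullByDefault
+public class UserSecurityContext implements SecurityContext {
+
+private User user;
+private String authenticationScheme;
+
+/**
+* Constructs a security context from an instance of {@link User}
+*
+* @param user the user
+* @param authenticationScheme the scheme that was used to authenticate the user, e.g. "Basic"
+*/
+public UserSecurityContext(User user, String authenticationScheme) {
+this.user = user;
+this.authenticationScheme = authenticationScheme;
+}
+
+@Override
+public Principal getUserPrincipal() {
+return user;
+}
+
+@Override
+public boolean isUserInRole(@Nullable String role) {
+return user.getRoles().contains(role);
+}
+
+@Override
+public boolean isSecure() {
+return true;
+}
+
+@Override
+public String getAuthenticationScheme() {
+return authenticationScheme;
+}
+}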
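Review bot: `isSecure()` returns `true` unconditionally, but `SecurityContext.isSecure()` is defined as "the request was made over a secure channel such as HTTPS", not "the caller authenticated". As written, a Basic-authenticated request that arrived over plain HTTP is reported as secure, which hides the one case where the credentials travelled unencrypted. Consider taking the channel state as a constructor argument (for example the `isSecure()` of the context being replaced; the filter that builds this object is outside this view) and returning that. Separately, `user` and `authenticationScheme` are never reassigned and can be `private final`, and a null `role` may throw if `getRoles()` returns a null-hostile collection, which `return role != null && user.getRoles().contains(role);` avoids.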
25 changes: 25 additions & 0 deletions
25
bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<config-description:config-descriptions | ||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xmlns:config-description="https://openhab.org/schemas/config-description/v1.0.0" | ||
xsi:schemaLocation="https://openhab.org/schemas/config-description/v1.0.0 https://openhab.org/schemas/config-description-1.0.0.xsd"> | ||
|
||
<config-description uri="system:restauth"> | ||
<parameter name="allowBasicAuth" type="boolean" required="false"> | ||
<label>Allow Basic Authentication</label> | ||
<default>false</default> | ||
<description>Allow the use of Basic authentication to access protected API resources, in addition to access tokens | ||
and API tokens.</description> | ||
</parameter> | ||
<parameter name="implicitUserRole" type="boolean" required="false"> | ||
<advanced>true</advanced> | ||
Maybe add default=true here, just to make it clear what is used when not being set? |
||
<label>Implicit user role for unauthenticated requests</label> | ||
<default>true</default> | ||
<description>By default, operations requiring the "user" role are available when unauthenticated. Disabling this | ||
option will enforce authorization for these operations. Warning: this will cause clients which don't | ||
support | ||
authorization to break.</description> | ||
kaikreuzer marked this conversation as resolved.
|
||
</parameter> | ||
</config-description> | ||
|
||
</config-description:config-descriptions> |
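Review bot: The `allowBasicAuth` description does not tell the administrator that Basic authentication sends the username and password with every request, so the option is only reasonable when the API is reached over HTTPS. I would append a sentence to that description, e.g. `Credentials are sent with each request, so enable this only when the API is accessed over HTTPS.` The `implicitUserRole` description could likewise state outright that, with the default `true`, operations requiring the "user" role need no credentials at all.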
Maybe add default=false here, just to make it clear what is used when not being set?