Allow basic authentication to authorize API access

bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java

@@ -13,6 +13,7 @@
 package org.openhab.core.io.rest.auth.internal;
 
 import java.io.IOException;
+import java.util.Base64;
 
 import javax.annotation.Priority;
 import javax.security.sasl.AuthenticationException;
@@ -26,6 +27,9 @@
 import javax.ws.rs.ext.Provider;
 
 import org.openhab.core.auth.Authentication;
+import org.openhab.core.auth.User;
+import org.openhab.core.auth.UserRegistry;
+import org.openhab.core.auth.UsernamePasswordCredentials;
 import org.openhab.core.io.rest.JSONResponse;
 import org.openhab.core.io.rest.RESTConstants;
 import org.osgi.service.component.annotations.Component;
@@ -35,10 +39,11 @@
 import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsExtension;
 
 /**
- * This filter is responsible for parsing a token provided with a request, and hydrating a {@link SecurityContext} from
- * the claims contained in the token.
+ * This filter is responsible for parsing credentials provided with a request, and hydrating a {@link SecurityContext}
+ * from these credentials if they are valid.
  *
  * @author Yannick Schaus - initial contribution
+ * @author Yannick Schaus - Allow basic authentication
  */
 @PreMatching
 @Component
@@ -52,6 +57,9 @@ public class AuthFilter implements ContainerRequestFilter {
     @Reference
     private JwtHelper jwtHelper;
 
+    @Reference
+    private UserRegistry userRegistry;
+
     @Override
     public void filter(ContainerRequestContext requestContext) throws IOException {
         try {
@@ -63,6 +71,25 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
                         Authentication auth = jwtHelper.verifyAndParseJwtAccessToken(authParts[1]);
                         requestContext.setSecurityContext(new JwtSecurityContext(auth));
                         return;
+                    } else if ("Basic".equals(authParts[0])) {
+                        try {
+                            String[] decodedCredentials = new String(Base64.getDecoder().decode(authParts[1]), "UTF-8")
+                                    .split(":");
+                            if (decodedCredentials.length != 2) {
+                                throw new AuthenticationException("Invalid Basic authentication credential format");
+                            }
+                            UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(
+                                    decodedCredentials[0], decodedCredentials[1]);
+                            Authentication auth = userRegistry.authenticate(credentials);
+                            User user = userRegistry.get(auth.getUsername());
+                            if (user == null) {
+                                throw new org.openhab.core.auth.AuthenticationException("User not found in registry");
+                            }
+                            requestContext.setSecurityContext(new UserSecurityContext(user, "Basic"));
+                            return;
+                        } catch (org.openhab.core.auth.AuthenticationException e) {
+                            throw new AuthenticationException("Invalid user name or password");
+                        }
                     }
                 }
             }
@@ -74,7 +101,7 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
                 return;
             }
         } catch (AuthenticationException e) {
-            requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid token"));
+            requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid credentials"));
         }
     }
 }

bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java

@@ -0,0 +1,65 @@
+/**
+ * Copyright (c) 2010-2020 Contributors to the openHAB project
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.openhab.core.io.rest.auth.internal;
+
+import java.security.Principal;
+
+import javax.ws.rs.core.SecurityContext;
+
+import org.eclipse.jdt.annotation.NonNullByDefault;
+import org.eclipse.jdt.annotation.Nullable;
+import org.openhab.core.auth.User;
+
+/**
+ * This {@link SecurityContext} contains information about a user, roles and authorizations granted to a client
+ * from a {@link User} instance.
+ *
+ * @author Yannick Schaus - initial contribution
+ */
+@NonNullByDefault
+public class UserSecurityContext implements SecurityContext {
+
+    private User user;
+    private String authenticationScheme;
+
+    /**
+     * Constructs a security context from an instance of {@link User}
+     *
+     * @param user the user
+     * @param authenticationScheme the scheme that was used to authenticate the user, e.g. "Basic"
+     */
+    public UserSecurityContext(User user, String authenticationScheme) {
+        this.user = user;
+        this.authenticationScheme = authenticationScheme;
+    }
+
+    @Override
+    public Principal getUserPrincipal() {
+        return user;
+    }
+
+    @Override
+    public boolean isUserInRole(@Nullable String role) {
+        return user.getRoles().contains(role);
+    }
+
+    @Override
+    public boolean isSecure() {
+        return true;
+    }
+
+    @Override
+    public String getAuthenticationScheme() {
+        return authenticationScheme;
+    }
+}