[REST Auth] API tokens & openhab:users console command

[ghys]

This adds API tokens as a new credential type. Their format is:
oh.<name>.<random chars>

They are stored hashed in the user's profile, and can be listed, added
or removed managed with the new openhab:users console command.

Currently the scopes are still not checked, but ultimately they could
be, for instance a scope of e.g. user admin.items would mean that the
API token can be used to perform user operations like retrieving info
or sending a command, and managing the items, but nothing else -
even if the user has more permissions because of their role (which
will of course still be checked).

Tokens are normally passed in the Authorization header with the Bearer
scheme, or the X-OPENHAB-TOKEN header, like access tokens.
As a special exception, API tokens can also be used with the Basic
authorization scheme, even if the allowBasicAuth option is not
enabled in the "API Security" service, because there's no additional
security risk in allowing that. In that case, the token should be
passed as the username and the password MUST be empty.

In short, this means that all these curl commands will work:

• curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox
• curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox
• curl -u '<token>' http://localhost:8080/rest/inbox (will prompt for a password, just hit Return);
• curl -u '<token>:' http://localhost:8080/rest/inbox (will not prompt for a password)
• curl http://<token>@localhost:8080/rest/inbox

2 REST API operations were adding to the AuthResource, to allow
authenticated users to list their tokens or remove (revoke) one.

Self-service for creating a token or changing the password is more
sensitive so these are handled with a servlet and pages devoid
of any JavaScript instead of REST API calls.

Closes openhab/openhab-webui#332

Signed-off-by: Yannick Schaus github@schaus.net

[ghys]

Examples:

openhab> openhab:users
Usage: openhab:users list - lists all users
Usage: openhab:users add <userId> <password> <role> - adds a new user with the specified role
Usage: openhab:users remove <userId> - removes the given user
Usage: openhab:users changePassword <userId> <newPassword> - changes the password of a user
Usage: openhab:users listApiTokens - lists the API keys for all users
Usage: openhab:users addApiToken <userId> <tokenName> <scope> - adds a new API token on behalf of the specified user for the specified scope
Usage: openhab:users rmApiToken <userId> <tokenName> - removes (revokes) the specified API token
Usage: openhab:users clearSessions <userId> - clear the refresh tokens associated with the user (will sign the user out of all sessions)
openhab> openhab:users add ysc P@ssword1 administrator
ysc (administrator)
User created.
openhab> openhab:users list
ysc (administrator)
openhab> openhab:users changePassword ysc P@ssword2
Password changed.
openhab> openhab:users addApiToken ysc service1 admin
oh.service1.IR71uwmszu0KRBEHo6GUC1BIJh7dHhv9yobyPCqwPgiOHFCT7sRjEcE3R6XfT9y6LsnR9ntk9KDGY5kchy1uBw
openhab> openhab:users addApiToken ysc service2 admin
oh.service2.GXOeP2weDRpHLXWirACcZfaz9FHh7PJhodMwHnt8NHCJWYSaSqNidvCdztHguCSQtBG885DgrWV8F3aaQQwPg
openhab> openhab:users addApiToken ysc service3 admin
oh.service3.XCIhrBGOQiNBrVdiFt2VopNgoVmQk75q9jZeOjJl9PEJpiK9V8pT9XvyKfSpoGtfmUCja9FwilHdQUL5eWDMPw
openhab> openhab:users listApiTokens
user=ysc (administrator), name=service1, createdTime=Mon Oct 19 20:17:40 CEST 2020, scope=admin
user=ysc (administrator), name=service2, createdTime=Mon Oct 19 20:17:46 CEST 2020, scope=admin
user=ysc (administrator), name=service3, createdTime=Mon Oct 19 20:17:50 CEST 2020, scope=admin
openhab> openhab:users rmApiToken ysc service1
API token revoked.
openhab> openhab:users rmApiToken ysc service2
API token revoked.
openhab> openhab:users rmApiToken ysc service3
API token revoked.
openhab> openhab:users listApiTokens
openhab> 

Note that the tokens are only printed on the console after they've been created, and they should be copy-pasted immediately, because they won't be retrievable afterwards.

[wborn]

It's nice to have some commands for this. 👍
I quickly scrolled through the code and saw a few minor improvements.

[ghys]

FTR, I'm not too happy with passwords being provided in clear on the command line (they are stored in the command history).
In Karaf you can set censor/mask properties to command arguments to hide them from view (apache/karaf@5228a23), but the openHAB console wrapper doesn't seem to allow that.

[ghys]

Finally went ahead and implemented the self-service pages for changing passwords and creating API tokens, at /changePassword and /createApiToken respectfully.

[wborn]

Thanks a lot for your awesome work!
I've added a few more (minor) comments below.

[wborn]

It would be nice if another maintainer can also have a look since this deals with security.

[lolodomo]

Just for helping any user, would it be possible to mention in the help of the new commands what values can be used for the <scope> parameter ? I see in your examples that you use admin but are there other possible values ?

In the case of my Remote openHAB binding that uses the openHAB REST API, in case the remote OH3 server was setup to require authorization for normal REST API, I understand I will have to create a token using your new console command and then use this token in the binding by injecting it in the header of each REST API call. Is it correct ?

[ghys]

The scope model is not clear yet, but I'll suggest something like this:

• Missing/empty scope, or all => no scope restrictions, authorize everything the user's role(s) normally allow (not sure it's a good idea)
• user => operations to interact with the system as a user: SSE events, view items, sitemaps, pages, persisted data; send item updates & commands; audio & voice; and their own profile (sessions & tokens);
• admin => operations to change the system: full access on things, inbox & discovery, items & links & metadata, UI components, rules, services, system info, addons & binding configuration...
• Eventually we'll have more granular scopes like admin.things, admin.rules...

in case the remote OH3 server was setup to require authorization for normal REST API, I understand I will have to create a token using your new console command and then use this token in the binding by injecting it in the header of each REST API call. Is it correct ?

yes currently, the "user" operations are unsecured but in case they are (you can switch that on now), you'll have to provide a token to access even the most basic operations that expose data, if you don't need admin access to make changes to the configuration then a scope of user should be fine. Normally you'll be able to specify multiple scopes (space-separated).
You can generate a token with the console command or with the /createApiToken page, see above. There will be a list in the UI in the user's profile page for them to view their current tokens and allowing to create new ones.

[lolodomo]

Ok thank you, I am waiting for the merge of this PR to test with my Remote openHAB binding.

[wborn]

Many thanks for addressing all my comments @ghys.

I just did some testing on a local build and it seems that duplicate sessions end up in users.json, they also show up in the UI so the number of user sessions did not match what I expected, so I was triggered to investigate:

  "johndoe": {
    "class": "org.openhab.core.auth.ManagedUser",
    "value": {
      "name": "johndoe",
      "passwordHash": "SZXFDGrobzJMLiFNQFvQJyhkpQePuIfPDrFM2wncIxCnNszAPYBnpd/vU0GqTDHgMAB9erA3wfTXttaXyx4+HQ\u003d\u003d",
      "passwordSalt": "/L85mMFRatxrpLgsM+9JlawfhSPbez2GGTe7y1emvfzlVZOsJlnP9RVxtDA7w+X8YX8wJbMz2EJHTfaCm+WM9w\u003d\u003d",
      "roles": [
        "administrator"
      ],
      "sessions": [
        {
          "sessionId": "ef5822a1-91bb-47f5-82e1-c6390b9e9fb6",
          "refreshToken": "da8fe178ab344076bf80438fd5f5f14f",
          "createdTime": "Oct 23, 2020, 11:52:06 AM",
          "lastRefreshTime": "Oct 23, 2020, 11:52:06 AM",
          "clientId": "http://localhost:8080",
          "redirectUri": "http://localhost:8080",
          "scope": "admin",
          "sessionCookie": true
        },
        {
          "sessionId": "ef5822a1-91bb-47f5-82e1-c6390b9e9fb6",
          "refreshToken": "da8fe178ab344076bf80438fd5f5f14f",
          "createdTime": "Oct 23, 2020, 11:52:06 AM",
          "lastRefreshTime": "Oct 23, 2020, 11:52:06 AM",
          "clientId": "http://localhost:8080",
          "redirectUri": "http://localhost:8080",
          "scope": "admin",
          "sessionCookie": true
        },
        {
          "sessionId": "ddb26127-3942-43e8-a519-ec5b46cee9dc",
          "refreshToken": "0298b62ce5f444f296684627b880ed21",
          "createdTime": "Oct 23, 2020, 11:52:17 AM",
          "lastRefreshTime": "Oct 23, 2020, 11:53:18 AM",
          "clientId": "http://localhost:8080",
          "redirectUri": "http://localhost:8080",
          "scope": "admin",
          "sessionCookie": true
        }
      ],
      "apiTokens": []
    }
  },

But using multiple users does work nice as do the commands I've tested 👍

[ghys]

Strange, I've never noticed these session duplications before, maybe it's due to a change in this PR...?

[wborn]

It is reproducible when you sign out of your session using the UI.
Instead of removing the session from the file it is duplicated.

[wborn]

Shouldn't there also be a DELETE operation for a specific session in TokenResource? If you click the delete button on whatever session in the UI it always navigates to /logout and thus deletes the current session.

[ghys]

Shouldn't there also be a DELETE operation for a specific session in TokenResource? If you click the delete button on whatever session in the UI it always navigates to /logout and thus deletes the current session.

Are you sure? I initially thought of it as the counterpart to /auth/token so it accepts the application/x-www-form-urlencoded content type with an id parameter which is the first part of the session id.
But a DELETE operation could make sense as well...

[wborn]

I didn't notice there was an id parameter in the logout operation to make this work. So that way there is indeed no need for an operation for deleting sessions . I'll retest deleting other sessions and see if I can make some sense of what happens.

While looking at the code in TokenResource, I also noticed some null analysis warnings. It would be nice to see those fixed too. 🙂

[wborn]

I'll retest deleting other sessions and see if I can make some sense of what happens.

I see that it can properly delete other sessions but it looks like the frontend has some logic to also remove its own session data in the browser regardless of the session it deletes.

[openhab-bot]

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/openhab3-forgot-password/107069/2

[openhab-bot]

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/openhab3-forgot-password/107069/2

[ghys]

While looking at the code in TokenResource, I also noticed some null analysis warnings. It would be nice to see those fixed too. 🙂

Done.

Not sure what you mean by:

see that it can properly delete other sessions but it looks like the frontend has some logic to also remove its own session data in the browser regardless of the session it deletes.

It shouldn't be "regardless of the session it deletes", normally it only does that if you click "Sign out of this session".

[wborn]

It all seems to work well now. 👍 The deleting other sessions issue doesn't seem to be related to these changes so I'll create an issue for that.

[lolodomo]

@ghys: I just tried the new mode where the user REST API is fully secured.
The remote openHAB binding is working when you provide the expected token. Good.

In this mode, I tried to launch Basic UI and I was surprised to see that it works, even if it is without SSE subscriptions.
Is it expected ? That would mean that some RES API are still unsecured in this mode ?

[ghys]

In this mode, I tried to launch Basic UI and I was surprised to see that it works, even if it is without SSE subscriptions.
Is it expected ? That would mean that some RES API are still unsecured in this mode ?

Basic UI renders its pages using servlets, so it's not unexpected that it "works" (displays something) because the auth layer only applies to the REST API. You won't be able to send commands or get updates since those parts are handled with API calls.

[kaikreuzer]

@ghys How easy would it be to adapt our HttpContextFactoryServiceImpl (which is used by those servlets) to also consider the auth configuration?

[lolodomo]

I will try again but I believe BasicUI was displaying the current items values.

[ghys]

How easy would it be to adapt our HttpContextFactoryServiceImpl (which is used by those servlets) to also consider the auth configuration?

I think we can forego the need for a token for the servlets and simply rely on the session cookie - i.e. the user would need to open a session with the main UI first and then the cookie will identify the session which could be reused by Basic UI and others.
However Basic UI still needs to make API calls and for that it will need a token. Basic UI can reuse the refresh token that the main UI puts in the local storage to get an access token (that's what HABPanel does).