opensmarthouse
diff --git a/‎.gitattributes‎
Lines changed: 2 additions & 0 deletions b/‎.gitattributes‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎bom/opensmarthouse-dependencies/pom.xml‎
Lines changed: 1 addition & 1 deletion b/‎bom/opensmarthouse-dependencies/pom.xml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bom/opensmarthouse-test/pom.xml‎
Lines changed: 5 additions & 0 deletions b/‎bom/opensmarthouse-test/pom.xml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎bom/opensmarthouse/pom.xml‎
Lines changed: 5 additions & 0 deletions b/‎bom/opensmarthouse/pom.xml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎bundles/org.opensmarthouse.core.audio.core/src/main/java/org/openhab/core/audio/internal/AudioServlet.java‎
Lines changed: 11 additions & 6 deletions b/‎bundles/org.opensmarthouse.core.audio.core/src/main/java/org/openhab/core/audio/internal/AudioServlet.java‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎bundles/org.opensmarthouse.core.audio/.classpath‎
Lines changed: 2 additions & 0 deletions b/‎bundles/org.opensmarthouse.core.audio/.classpath‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎bundles/org.opensmarthouse.core.auth.core/pom.xml‎
Lines changed: 22 additions & 0 deletions b/‎bundles/org.opensmarthouse.core.auth.core/pom.xml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎bundles/org.opensmarthouse.core.auth.core/src/main/java/org/openhab/core/internal/auth/UserRegistryImpl.java‎
Lines changed: 129 additions & 15 deletions b/‎bundles/org.opensmarthouse.core.auth.core/src/main/java/org/openhab/core/internal/auth/UserRegistryImpl.java‎
Lines changed: 129 additions & 15 deletions
@@ -0,0 +1,2 @@
+.java text=auto
+.xml text=auto
@@ -46,3 +46,4 @@ Californium.properties
 
 generated/
 
+backport-patches/
@@ -251,7 +251,7 @@
       <dependency>
         <groupId>org.jmdns</groupId>
         <artifactId>jmdns</artifactId>
-        <version>3.5.5</version>
+        <version>3.5.6</version>
         <scope>compile</scope>
       </dependency>
 
 
@@ -21,26 +21,31 @@
       <groupId>org.hamcrest</groupId>
       <artifactId>hamcrest-library</artifactId>
       <version>2.2</version>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-api</artifactId>
       <version>5.6.2</version>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-params</artifactId>
       <version>5.6.2</version>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>biz.aQute.bnd</groupId>
       <artifactId>biz.aQute.tester.junit-platform</artifactId>
       <version>5.1.2</version>
+      <scope>test</scope>
      </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-junit-jupiter</artifactId>
       <version>3.4.6</version>
+      <scope>test</scope>
     </dependency>
 
       <dependency>
 
@@ -97,6 +97,11 @@
         <artifactId>org.opensmarthouse.core.audio.core</artifactId>
         <version>${project.version}</version>
       </dependency>
+      <dependency>
+        <groupId>org.opensmarthouse.core.bundles</groupId>
+        <artifactId>org.opensmarthouse.core.cache</artifactId>
+        <version>${project.version}</version>
+      </dependency>
       <dependency>
         <groupId>org.opensmarthouse.core.bundles</groupId>
         <artifactId>org.opensmarthouse.core.ephemeris</artifactId>
 
@@ -34,7 +34,7 @@
 import org.openhab.core.audio.AudioHTTPServer;
 import org.openhab.core.audio.AudioStream;
 import org.openhab.core.audio.FixedLengthAudioStream;
-import org.openhab.core.io.http.servlet.SmartHomeServlet;
+import org.openhab.core.io.http.servlet.OpenHABServlet;
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Deactivate;
@@ -49,7 +49,7 @@
  */
 @NonNullByDefault
 @Component
-public class AudioServlet extends SmartHomeServlet implements AudioHTTPServer {
+public class AudioServlet extends OpenHABServlet implements AudioHTTPServer {
 
     private static final long serialVersionUID = -3364664035854567854L;
 
@@ -132,15 +132,20 @@ private String substringBefore(String str, String separator) {
     }
 
     @Override
-    protected void doGet(@NonNullByDefault({}) HttpServletRequest req, @NonNullByDefault({}) HttpServletResponse resp)
-            throws ServletException, IOException {
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         removeTimedOutStreams();
 
-        final String streamId = substringBefore(substringAfterLast(req.getRequestURI(), "/"), ".");
+        String requestURI = req.getRequestURI();
+        if (requestURI == null) {
+            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "requestURI is null");
+            return;
+        }
+
+        final String streamId = substringBefore(substringAfterLast(requestURI, "/"), ".");
 
         try (final InputStream stream = prepareInputStream(streamId, resp)) {
             if (stream == null) {
-                logger.debug("Received request for invalid stream id at {}", req.getRequestURI());
+                logger.debug("Received request for invalid stream id at {}", requestURI);
                 resp.sendError(HttpServletResponse.SC_NOT_FOUND);
             } else {
                 stream.transferTo(resp.getOutputStream());
 
@@ -3,11 +3,13 @@
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-11">
 		<attributes>
 			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="annotationpath" value="target/dependency"/>
 		</attributes>
 	</classpathentry>
 	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
 		<attributes>
 			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="annotationpath" value="target/dependency"/>
 		</attributes>
 	</classpathentry>
 	<classpathentry excluding="**" kind="src" output="target/classes" path="src/main/resources">
 
@@ -26,6 +26,28 @@
       <groupId>org.osgi</groupId>
       <artifactId>osgi.cmpn</artifactId>
     </dependency>
+    
+    <dependency>
+      <groupId>org.osgi</groupId>
+      <artifactId>osgi.enroute.hamcrest.wrapper</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-params</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-junit-jupiter</artifactId>
+    </dependency>
+    
   </dependencies>
 
 </project>
@@ -31,8 +31,11 @@
 import org.openhab.core.auth.Credentials;
 import org.openhab.core.auth.ManagedUser;
 import org.openhab.core.auth.User;
+import org.openhab.core.auth.UserApiToken;
+import org.openhab.core.auth.UserApiTokenCredentials;
 import org.openhab.core.auth.UserProvider;
 import org.openhab.core.auth.UserRegistry;
+import org.openhab.core.auth.UserSession;
 import org.openhab.core.auth.UsernamePasswordCredentials;
 import org.openhab.core.common.registry.AbstractRegistry;
 import org.osgi.framework.BundleContext;
@@ -56,7 +59,9 @@ public class UserRegistryImpl extends AbstractRegistry<User, String, UserProvide
 
     private final Logger logger = LoggerFactory.getLogger(UserRegistryImpl.class);
 
-    private static final int ITERATIONS = 65536;
+    private static final int PASSWORD_ITERATIONS = 65536;
+    private static final int APITOKEN_ITERATIONS = 1024;
+    private static final String APITOKEN_PREFIX = "oh";
     private static final int KEY_LENGTH = 512;
     private static final String ALGORITHM = "PBKDF2WithHmacSHA512";
     private static final SecureRandom RAND = new SecureRandom();
@@ -87,7 +92,7 @@ protected void unsetManagedProvider(ManagedUserProvider managedProvider) {
     @Override
     public User register(String username, String password, Set<String> roles) {
         String passwordSalt = generateSalt(KEY_LENGTH / 8).get();
-        String passwordHash = hashPassword(password, passwordSalt).get();
+        String passwordHash = hash(password, passwordSalt, PASSWORD_ITERATIONS).get();
         ManagedUser user = new ManagedUser(username, passwordSalt, passwordHash);
         user.setRoles(new HashSet<>(roles));
         super.add(user);
@@ -106,11 +111,11 @@ private Optional<String> generateSalt(final int length) {
         return Optional.of(Base64.getEncoder().encodeToString(salt));
     }
 
-    private Optional<String> hashPassword(String password, String salt) {
+    private Optional<String> hash(String password, String salt, int iterations) {
         char[] chars = password.toCharArray();
         byte[] bytes = salt.getBytes();
 
-        PBEKeySpec spec = new PBEKeySpec(chars, bytes, ITERATIONS, KEY_LENGTH);
+        PBEKeySpec spec = new PBEKeySpec(chars, bytes, iterations, KEY_LENGTH);
 
         Arrays.fill(chars, Character.MIN_VALUE);
 
@@ -119,7 +124,7 @@ private Optional<String> hashPassword(String password, String salt) {
             byte[] securePassword = fac.generateSecret(spec).getEncoded();
             return Optional.of(Base64.getEncoder().encodeToString(securePassword));
         } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
-            logger.error("Exception encountered in hashPassword", e);
+            logger.error("Exception encountered while hashing", e);
             return Optional.empty();
         } finally {
             spec.clearPassword();
@@ -128,23 +133,132 @@ private Optional<String> hashPassword(String password, String salt) {
 
     @Override
     public Authentication authenticate(Credentials credentials) throws AuthenticationException {
-        UsernamePasswordCredentials usernamePasswordCreds = (UsernamePasswordCredentials) credentials;
-        User user = this.get(usernamePasswordCreds.getUsername());
-        if (user == null) {
-            throw new AuthenticationException("User not found: " + usernamePasswordCreds.getUsername());
+        if (credentials instanceof UsernamePasswordCredentials) {
+            UsernamePasswordCredentials usernamePasswordCreds = (UsernamePasswordCredentials) credentials;
+            User user = get(usernamePasswordCreds.getUsername());
+            if (user == null) {
+                throw new AuthenticationException("User not found: " + usernamePasswordCreds.getUsername());
+            }
+
+            ManagedUser managedUser = (ManagedUser) user;
+            String hashedPassword = hash(usernamePasswordCreds.getPassword(), managedUser.getPasswordSalt(),
+                    PASSWORD_ITERATIONS).get();
+            if (!hashedPassword.equals(managedUser.getPasswordHash())) {
+                throw new AuthenticationException("Wrong password for user " + usernamePasswordCreds.getUsername());
+            }
+
+            return new Authentication(managedUser.getName(), managedUser.getRoles().stream().toArray(String[]::new));
+        } else if (credentials instanceof UserApiTokenCredentials) {
+            UserApiTokenCredentials apiTokenCreds = (UserApiTokenCredentials) credentials;
+            String[] apiTokenParts = apiTokenCreds.getApiToken().split("\\.");
+            if (apiTokenParts.length != 3 || !APITOKEN_PREFIX.equals(apiTokenParts[0])) {
+                throw new AuthenticationException("Invalid API token format");
+            }
+            for (User user : getAll()) {
+                ManagedUser managedUser = (ManagedUser) user;
+                for (UserApiToken userApiToken : managedUser.getApiTokens()) {
+                    // only check if the name in the token matches
+                    if (!userApiToken.getName().equals(apiTokenParts[1])) {
+                        continue;
+                    }
+                    String[] existingTokenHashAndSalt = userApiToken.getApiToken().split(":");
+                    String incomingTokenHash = hash(apiTokenCreds.getApiToken(), existingTokenHashAndSalt[1],
+                            APITOKEN_ITERATIONS).get();
+
+                    if (incomingTokenHash.equals(existingTokenHashAndSalt[0])) {
+                        return new Authentication(managedUser.getName(),
+                                managedUser.getRoles().stream().toArray(String[]::new), userApiToken.getScope());
+                    }
+                }
+            }
+
+            throw new AuthenticationException("Unknown API token");
+        }
+
+        throw new IllegalArgumentException("Invalid credential type");
+    }
+
+    @Override
+    public void changePassword(User user, String newPassword) {
+        if (!(user instanceof ManagedUser)) {
+            throw new IllegalArgumentException("User is not managed: " + user.getName());
+        }
+
+        ManagedUser managedUser = (ManagedUser) user;
+        String passwordSalt = generateSalt(KEY_LENGTH / 8).get();
+        String passwordHash = hash(newPassword, passwordSalt, PASSWORD_ITERATIONS).get();
+        managedUser.setPasswordSalt(passwordSalt);
+        managedUser.setPasswordHash(passwordHash);
+        update(user);
+    }
+
+    @Override
+    public void addUserSession(User user, UserSession session) {
+        if (!(user instanceof ManagedUser)) {
+            throw new IllegalArgumentException("User is not managed: " + user.getName());
+        }
+
+        ManagedUser managedUser = (ManagedUser) user;
+        managedUser.getSessions().add(session);
+        update(user);
+    }
+
+    @Override
+    public void removeUserSession(User user, UserSession session) {
+        if (!(user instanceof ManagedUser)) {
+            throw new IllegalArgumentException("User is not managed: " + user.getName());
         }
+
+        ManagedUser managedUser = (ManagedUser) user;
+        managedUser.getSessions().remove(session);
+        update(user);
+    }
+
+    @Override
+    public void clearSessions(User user) {
         if (!(user instanceof ManagedUser)) {
-            throw new AuthenticationException("User is not managed: " + usernamePasswordCreds.getUsername());
+            throw new IllegalArgumentException("User is not managed: " + user.getName());
         }
 
         ManagedUser managedUser = (ManagedUser) user;
-        String hashedPassword = hashPassword(usernamePasswordCreds.getPassword(), managedUser.getPasswordSalt()).get();
-        if (!hashedPassword.equals(managedUser.getPasswordHash())) {
-            throw new AuthenticationException("Wrong password for user " + usernamePasswordCreds.getUsername());
+        managedUser.getSessions().clear();
+        update(user);
+    }
+
+    @Override
+    public String addUserApiToken(User user, String name, String scope) {
+        if (!(user instanceof ManagedUser)) {
+            throw new IllegalArgumentException("User is not managed: " + user.getName());
+        }
+        if (!name.matches("[a-zA-Z0-9]*")) {
+            throw new IllegalArgumentException("API token name format invalid, alphanumeric characters only");
         }
 
-        Authentication authentication = new Authentication(managedUser.getName());
-        return authentication;
+        ManagedUser managedUser = (ManagedUser) user;
+        String tokenSalt = generateSalt(KEY_LENGTH / 8).get();
+        byte[] rnd = new byte[64];
+        RAND.nextBytes(rnd);
+        String token = APITOKEN_PREFIX + "." + name + "."
+                + Base64.getEncoder().encodeToString(rnd).replaceAll("(\\+|/|=)", "");
+        String tokenHash = hash(token, tokenSalt, APITOKEN_ITERATIONS).get();
+
+        UserApiToken userApiToken = new UserApiToken(name, tokenHash + ":" + tokenSalt, scope);
+
+        managedUser.getApiTokens().add(userApiToken);
+        update(user);
+
+        return token;
+    }
+
+    @Override
+    public void removeUserApiToken(User user, UserApiToken userApiToken) {
+        if (!(user instanceof ManagedUser)) {
+            throw new IllegalArgumentException("User is not managed: " + user.getName());
+        }
+
+        ManagedUser managedUser = (ManagedUser) user;
+        managedUser.getApiTokens().remove(userApiToken);
+        update(user);
     }
 
     @Override
Original file line number	Diff line number	Diff line change
`@@ -46,3 +46,4 @@ Californium.properties`
`46`	`46`
`47`	`47`	`generated/`
`48`	`48`
	`49`	`+backport-patches/`