From 4e5f582978fc76bf2662e94ba0fb4a6d0d7cf38e Mon Sep 17 00:00:00 2001 From: Rune Harlyk Date: Tue, 9 Jul 2024 20:05:31 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=AA=84=20Formats=20SecuritySettingsServic?= =?UTF-8?q?e?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../SecuritySettingsService.cpp | 132 ++++++------------ .../ESP32-sveltekit/SecuritySettingsService.h | 36 ++--- 2 files changed, 58 insertions(+), 110 deletions(-) diff --git a/esp32/lib/ESP32-sveltekit/SecuritySettingsService.cpp b/esp32/lib/ESP32-sveltekit/SecuritySettingsService.cpp index 3d5f518..1f18296 100644 --- a/esp32/lib/ESP32-sveltekit/SecuritySettingsService.cpp +++ b/esp32/lib/ESP32-sveltekit/SecuritySettingsService.cpp @@ -16,20 +16,16 @@ #if FT_ENABLED(FT_SECURITY) -SecuritySettingsService::SecuritySettingsService(PsychicHttpServer *server, FS *fs) : _server(server), - _httpEndpoint(SecuritySettings::read, SecuritySettings::update, this, server, SECURITY_SETTINGS_PATH, this), - _fsPersistence(SecuritySettings::read, SecuritySettings::update, this, fs, SECURITY_SETTINGS_FILE), - _jwtHandler(FACTORY_JWT_SECRET) -{ - addUpdateHandler([&](const String &originId) - { configureJWTHandler(); }, - false); +SecuritySettingsService::SecuritySettingsService(PsychicHttpServer *server, FS *fs) + : _server(server), + _httpEndpoint(SecuritySettings::read, SecuritySettings::update, this, server, SECURITY_SETTINGS_PATH, this), + _fsPersistence(SecuritySettings::read, SecuritySettings::update, this, fs, SECURITY_SETTINGS_FILE), + _jwtHandler(FACTORY_JWT_SECRET) { + addUpdateHandler([&](const String &originId) { configureJWTHandler(); }, false); } -void SecuritySettingsService::begin() -{ - _server->on(GENERATE_TOKEN_PATH, - HTTP_GET, +void SecuritySettingsService::begin() { + _server->on(GENERATE_TOKEN_PATH, HTTP_GET, wrapRequest(std::bind(&SecuritySettingsService::generateToken, this, std::placeholders::_1), AuthenticationPredicates::IS_ADMIN)); @@ -40,21 +36,16 @@ void SecuritySettingsService::begin() configureJWTHandler(); } -Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *request) -{ +Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *request) { // Load the parameters from the request, as they are only loaded later with the regular handler - if (request->hasHeader(AUTHORIZATION_HEADER)) - { + if (request->hasHeader(AUTHORIZATION_HEADER)) { auto value = request->header(AUTHORIZATION_HEADER); // ESP_LOGV("SecuritySettingsService", "Authorization header: %s", value.c_str()); - if (value.startsWith(AUTHORIZATION_HEADER_PREFIX)) - { + if (value.startsWith(AUTHORIZATION_HEADER_PREFIX)) { value = value.substring(AUTHORIZATION_HEADER_PREFIX_LEN); return authenticateJWT(value); } - } - else if (request->hasParam(ACCESS_TOKEN_PARAMATER)) - { + } else if (request->hasParam(ACCESS_TOKEN_PARAMATER)) { String value = request->getParam(ACCESS_TOKEN_PARAMATER)->value(); // ESP_LOGV("SecuritySettingsService", "Access token parameter: %s", value.c_str()); return authenticateJWT(value); @@ -62,23 +53,16 @@ Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *requ return Authentication(); } -void SecuritySettingsService::configureJWTHandler() -{ - _jwtHandler.setSecret(_state.jwtSecret); -} +void SecuritySettingsService::configureJWTHandler() { _jwtHandler.setSecret(_state.jwtSecret); } -Authentication SecuritySettingsService::authenticateJWT(String &jwt) -{ +Authentication SecuritySettingsService::authenticateJWT(String &jwt) { JsonDocument payloadDocument; _jwtHandler.parseJWT(jwt, payloadDocument); - if (payloadDocument.is()) - { + if (payloadDocument.is()) { JsonObject parsedPayload = payloadDocument.as(); String username = parsedPayload["username"]; - for (User _user : _state.users) - { - if (_user.username == username && validatePayload(parsedPayload, &_user)) - { + for (User _user : _state.users) { + if (_user.username == username && validatePayload(parsedPayload, &_user)) { return Authentication(_user); } } @@ -86,44 +70,36 @@ Authentication SecuritySettingsService::authenticateJWT(String &jwt) return Authentication(); } -Authentication SecuritySettingsService::authenticate(const String &username, const String &password) -{ - for (User _user : _state.users) - { - if (_user.username == username && _user.password == password) - { +Authentication SecuritySettingsService::authenticate(const String &username, const String &password) { + for (User _user : _state.users) { + if (_user.username == username && _user.password == password) { return Authentication(_user); } } return Authentication(); } -inline void populateJWTPayload(JsonObject &payload, User *user) -{ +inline void populateJWTPayload(JsonObject &payload, User *user) { payload["username"] = user->username; payload["admin"] = user->admin; } -boolean SecuritySettingsService::validatePayload(JsonObject &parsedPayload, User *user) -{ +boolean SecuritySettingsService::validatePayload(JsonObject &parsedPayload, User *user) { JsonDocument jsonDocument; JsonObject payload = jsonDocument.to(); populateJWTPayload(payload, user); return payload == parsedPayload; } -String SecuritySettingsService::generateJWT(User *user) -{ +String SecuritySettingsService::generateJWT(User *user) { JsonDocument jsonDocument; JsonObject payload = jsonDocument.to(); populateJWTPayload(payload, user); return _jwtHandler.buildJWT(payload); } -PsychicRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) -{ - return [this, predicate](PsychicRequest *request) - { +PsychicRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) { + return [this, predicate](PsychicRequest *request) { // ESP_LOGV("SecuritySettingsService", "Authenticating filter request: %s", request->uri().c_str()); // ESP_LOGV("SecuritySettingsService", "Request Method: %s", request->methodStr().c_str()); @@ -131,12 +107,10 @@ PsychicRequestFilterFunction SecuritySettingsService::filterRequest(Authenticati // This is a temporary fix until the PsychicHttp websocket handler is fixed to not send a bogus filter request // Check if we have a bogus filter request and return true - if (request->uri().isEmpty() && request->method() == HTTP_DELETE) - { + if (request->uri().isEmpty() && request->method() == HTTP_DELETE) { // ESP_LOGV("SecuritySettingsService", "Bogus filter request - allowing"); return true; - } - else + } else request->loadParams(); Authentication authentication = authenticateRequest(request); @@ -146,39 +120,32 @@ PsychicRequestFilterFunction SecuritySettingsService::filterRequest(Authenticati }; } -PsychicHttpRequestCallback SecuritySettingsService::wrapRequest(PsychicHttpRequestCallback onRequest, AuthenticationPredicate predicate) -{ - return [this, onRequest, predicate](PsychicRequest *request) - { +PsychicHttpRequestCallback SecuritySettingsService::wrapRequest(PsychicHttpRequestCallback onRequest, + AuthenticationPredicate predicate) { + return [this, onRequest, predicate](PsychicRequest *request) { Authentication authentication = authenticateRequest(request); - if (!predicate(authentication)) - { + if (!predicate(authentication)) { return request->reply(401); } return onRequest(request); }; } -PsychicJsonRequestCallback SecuritySettingsService::wrapCallback(PsychicJsonRequestCallback onRequest, AuthenticationPredicate predicate) -{ - return [this, onRequest, predicate](PsychicRequest *request, JsonVariant &json) - { +PsychicJsonRequestCallback SecuritySettingsService::wrapCallback(PsychicJsonRequestCallback onRequest, + AuthenticationPredicate predicate) { + return [this, onRequest, predicate](PsychicRequest *request, JsonVariant &json) { Authentication authentication = authenticateRequest(request); - if (!predicate(authentication)) - { + if (!predicate(authentication)) { return request->reply(401); } return onRequest(request, json); }; } -esp_err_t SecuritySettingsService::generateToken(PsychicRequest *request) -{ +esp_err_t SecuritySettingsService::generateToken(PsychicRequest *request) { String usernameParam = request->getParam("username")->value(); - for (User _user : _state.users) - { - if (_user.username == usernameParam) - { + for (User _user : _state.users) { + if (_user.username == usernameParam) { PsychicJsonResponse response = PsychicJsonResponse(request, false); JsonObject root = response.getRoot(); root["token"] = generateJWT(&_user); @@ -192,38 +159,29 @@ esp_err_t SecuritySettingsService::generateToken(PsychicRequest *request) User ADMIN_USER = User(FACTORY_ADMIN_USERNAME, FACTORY_ADMIN_PASSWORD, true); -SecuritySettingsService::SecuritySettingsService(PsychicHttpServer *server, FS *fs) : SecurityManager() -{ -} -SecuritySettingsService::~SecuritySettingsService() -{ -} +SecuritySettingsService::SecuritySettingsService(PsychicHttpServer *server, FS *fs) : SecurityManager() {} +SecuritySettingsService::~SecuritySettingsService() {} -PsychicRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) -{ - return [this, predicate](PsychicRequest *request) - { +PsychicRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) { + return [this, predicate](PsychicRequest *request) { // ESP_LOGV("SecuritySettingsService", "Security disabled - all requests are allowed"); return true; }; } // Return the admin user on all request - disabling security features -Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *request) -{ +Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *request) { return Authentication(ADMIN_USER); } // Return the function unwrapped PsychicHttpRequestCallback SecuritySettingsService::wrapRequest(PsychicHttpRequestCallback onRequest, - AuthenticationPredicate predicate) -{ + AuthenticationPredicate predicate) { return onRequest; } PsychicJsonRequestCallback SecuritySettingsService::wrapCallback(PsychicJsonRequestCallback onRequest, - AuthenticationPredicate predicate) -{ + AuthenticationPredicate predicate) { return onRequest; } diff --git a/esp32/lib/ESP32-sveltekit/SecuritySettingsService.h b/esp32/lib/ESP32-sveltekit/SecuritySettingsService.h index 41bafcf..36571e9 100644 --- a/esp32/lib/ESP32-sveltekit/SecuritySettingsService.h +++ b/esp32/lib/ESP32-sveltekit/SecuritySettingsService.h @@ -48,21 +48,18 @@ #if FT_ENABLED(FT_SECURITY) -class SecuritySettings -{ -public: +class SecuritySettings { + public: String jwtSecret; std::list users; - static void read(SecuritySettings &settings, JsonObject &root) - { + static void read(SecuritySettings &settings, JsonObject &root) { // secret root["jwt_secret"] = settings.jwtSecret; // users JsonArray users = root.to(); - for (User user : settings.users) - { + for (User user : settings.users) { JsonObject userRoot = users.add(); userRoot["username"] = user.username; userRoot["password"] = user.password; @@ -70,22 +67,17 @@ public: } } - static StateUpdateResult update(JsonObject &root, SecuritySettings &settings) - { + static StateUpdateResult update(JsonObject &root, SecuritySettings &settings) { // secret settings.jwtSecret = root["jwt_secret"] | SettingValue::format(FACTORY_JWT_SECRET); // users settings.users.clear(); - if (root["users"].is()) - { - for (JsonVariant user : root["users"].as()) - { + if (root["users"].is()) { + for (JsonVariant user : root["users"].as()) { settings.users.push_back(User(user["username"], user["password"], user["admin"])); } - } - else - { + } else { settings.users.push_back(User(FACTORY_ADMIN_USERNAME, FACTORY_ADMIN_PASSWORD, true)); settings.users.push_back(User(FACTORY_GUEST_USERNAME, FACTORY_GUEST_PASSWORD, false)); } @@ -93,9 +85,8 @@ public: } }; -class SecuritySettingsService : public StatefulService, public SecurityManager -{ -public: +class SecuritySettingsService : public StatefulService, public SecurityManager { + public: SecuritySettingsService(PsychicHttpServer *server, FS *fs); void begin(); @@ -109,7 +100,7 @@ public: PsychicHttpRequestCallback wrapRequest(PsychicHttpRequestCallback onRequest, AuthenticationPredicate predicate); PsychicJsonRequestCallback wrapCallback(PsychicJsonRequestCallback onRequest, AuthenticationPredicate predicate); -private: + private: PsychicHttpServer *_server; HttpEndpoint _httpEndpoint; @@ -133,9 +124,8 @@ private: #else -class SecuritySettingsService : public SecurityManager -{ -public: +class SecuritySettingsService : public SecurityManager { + public: SecuritySettingsService(PsychicHttpServer *server, FS *fs); ~SecuritySettingsService();