Darkages/SpotMicroESP32-Leika
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🪄 Formats SecuritySettingsService

Browse Source
This commit is contained in:
Rune Harlyk
2024-07-09 20:05:31 +02:00
committed by Rune Harlyk
parent 7d586eec90
commit 4e5f582978
2 changed files with 58 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files
esp32/lib/ESP32-sveltekit/SecuritySettingsService.cpp
+45 -87
View File
@@ -16,20 +16,16 @@
#if FT_ENABLED(FT_SECURITY) #if FT_ENABLED(FT_SECURITY)
SecuritySettingsService::SecuritySettingsService(PsychicHttpServer *server, FS *fs) : _server(server), SecuritySettingsService::SecuritySettingsService(PsychicHttpServer *server, FS *fs)
_httpEndpoint(SecuritySettings::read, SecuritySettings::update, this, server, SECURITY_SETTINGS_PATH, this), : _server(server),
_fsPersistence(SecuritySettings::read, SecuritySettings::update, this, fs, SECURITY_SETTINGS_FILE), _httpEndpoint(SecuritySettings::read, SecuritySettings::update, this, server, SECURITY_SETTINGS_PATH, this),
_jwtHandler(FACTORY_JWT_SECRET) _fsPersistence(SecuritySettings::read, SecuritySettings::update, this, fs, SECURITY_SETTINGS_FILE),
{ _jwtHandler(FACTORY_JWT_SECRET) {
addUpdateHandler([&](const String &originId) addUpdateHandler([&](const String &originId) { configureJWTHandler(); }, false);
{ configureJWTHandler(); },
false);
} }
void SecuritySettingsService::begin() void SecuritySettingsService::begin() {
{ _server->on(GENERATE_TOKEN_PATH, HTTP_GET,
_server->on(GENERATE_TOKEN_PATH,
HTTP_GET,
wrapRequest(std::bind(&SecuritySettingsService::generateToken, this, std::placeholders::_1), wrapRequest(std::bind(&SecuritySettingsService::generateToken, this, std::placeholders::_1),
AuthenticationPredicates::IS_ADMIN)); AuthenticationPredicates::IS_ADMIN));
@@ -40,21 +36,16 @@ void SecuritySettingsService::begin()
configureJWTHandler(); configureJWTHandler();
} }
Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *request) Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *request) {
{
// Load the parameters from the request, as they are only loaded later with the regular handler // Load the parameters from the request, as they are only loaded later with the regular handler
if (request->hasHeader(AUTHORIZATION_HEADER)) if (request->hasHeader(AUTHORIZATION_HEADER)) {
{
auto value = request->header(AUTHORIZATION_HEADER); auto value = request->header(AUTHORIZATION_HEADER);
// ESP_LOGV("SecuritySettingsService", "Authorization header: %s", value.c_str()); // ESP_LOGV("SecuritySettingsService", "Authorization header: %s", value.c_str());
if (value.startsWith(AUTHORIZATION_HEADER_PREFIX)) if (value.startsWith(AUTHORIZATION_HEADER_PREFIX)) {
{
value = value.substring(AUTHORIZATION_HEADER_PREFIX_LEN); value = value.substring(AUTHORIZATION_HEADER_PREFIX_LEN);
return authenticateJWT(value); return authenticateJWT(value);
} }
} } else if (request->hasParam(ACCESS_TOKEN_PARAMATER)) {
else if (request->hasParam(ACCESS_TOKEN_PARAMATER))
{
String value = request->getParam(ACCESS_TOKEN_PARAMATER)->value(); String value = request->getParam(ACCESS_TOKEN_PARAMATER)->value();
// ESP_LOGV("SecuritySettingsService", "Access token parameter: %s", value.c_str()); // ESP_LOGV("SecuritySettingsService", "Access token parameter: %s", value.c_str());
return authenticateJWT(value); return authenticateJWT(value);
@@ -62,23 +53,16 @@ Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *requ
return Authentication(); return Authentication();
} }
void SecuritySettingsService::configureJWTHandler() void SecuritySettingsService::configureJWTHandler() { _jwtHandler.setSecret(_state.jwtSecret); }
{
_jwtHandler.setSecret(_state.jwtSecret);
}
Authentication SecuritySettingsService::authenticateJWT(String &jwt) Authentication SecuritySettingsService::authenticateJWT(String &jwt) {
{
JsonDocument payloadDocument; JsonDocument payloadDocument;
_jwtHandler.parseJWT(jwt, payloadDocument); _jwtHandler.parseJWT(jwt, payloadDocument);
if (payloadDocument.is<JsonObject>()) if (payloadDocument.is<JsonObject>()) {
{
JsonObject parsedPayload = payloadDocument.as<JsonObject>(); JsonObject parsedPayload = payloadDocument.as<JsonObject>();
String username = parsedPayload["username"]; String username = parsedPayload["username"];
for (User _user : _state.users) for (User _user : _state.users) {
{ if (_user.username == username && validatePayload(parsedPayload, &_user)) {
if (_user.username == username && validatePayload(parsedPayload, &_user))
{
return Authentication(_user); return Authentication(_user);
} }
} }
@@ -86,44 +70,36 @@ Authentication SecuritySettingsService::authenticateJWT(String &jwt)
return Authentication(); return Authentication();
} }
Authentication SecuritySettingsService::authenticate(const String &username, const String &password) Authentication SecuritySettingsService::authenticate(const String &username, const String &password) {
{ for (User _user : _state.users) {
for (User _user : _state.users) if (_user.username == username && _user.password == password) {
{
if (_user.username == username && _user.password == password)
{
return Authentication(_user); return Authentication(_user);
} }
} }
return Authentication(); return Authentication();
} }
inline void populateJWTPayload(JsonObject &payload, User *user) inline void populateJWTPayload(JsonObject &payload, User *user) {
{
payload["username"] = user->username; payload["username"] = user->username;
payload["admin"] = user->admin; payload["admin"] = user->admin;
} }
boolean SecuritySettingsService::validatePayload(JsonObject &parsedPayload, User *user) boolean SecuritySettingsService::validatePayload(JsonObject &parsedPayload, User *user) {
{
JsonDocument jsonDocument; JsonDocument jsonDocument;
JsonObject payload = jsonDocument.to<JsonObject>(); JsonObject payload = jsonDocument.to<JsonObject>();
populateJWTPayload(payload, user); populateJWTPayload(payload, user);
return payload == parsedPayload; return payload == parsedPayload;
} }
String SecuritySettingsService::generateJWT(User *user) String SecuritySettingsService::generateJWT(User *user) {
{
JsonDocument jsonDocument; JsonDocument jsonDocument;
JsonObject payload = jsonDocument.to<JsonObject>(); JsonObject payload = jsonDocument.to<JsonObject>();
populateJWTPayload(payload, user); populateJWTPayload(payload, user);
return _jwtHandler.buildJWT(payload); return _jwtHandler.buildJWT(payload);
} }
PsychicRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) PsychicRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) {
{ return [this, predicate](PsychicRequest *request) {
return [this, predicate](PsychicRequest *request)
{
// ESP_LOGV("SecuritySettingsService", "Authenticating filter request: %s", request->uri().c_str()); // ESP_LOGV("SecuritySettingsService", "Authenticating filter request: %s", request->uri().c_str());
// ESP_LOGV("SecuritySettingsService", "Request Method: %s", request->methodStr().c_str()); // ESP_LOGV("SecuritySettingsService", "Request Method: %s", request->methodStr().c_str());
@@ -131,12 +107,10 @@ PsychicRequestFilterFunction SecuritySettingsService::filterRequest(Authenticati
// This is a temporary fix until the PsychicHttp websocket handler is fixed to not send a bogus filter request // This is a temporary fix until the PsychicHttp websocket handler is fixed to not send a bogus filter request
// Check if we have a bogus filter request and return true // Check if we have a bogus filter request and return true
if (request->uri().isEmpty() && request->method() == HTTP_DELETE) if (request->uri().isEmpty() && request->method() == HTTP_DELETE) {
{
// ESP_LOGV("SecuritySettingsService", "Bogus filter request - allowing"); // ESP_LOGV("SecuritySettingsService", "Bogus filter request - allowing");
return true; return true;
} } else
else
request->loadParams(); request->loadParams();
Authentication authentication = authenticateRequest(request); Authentication authentication = authenticateRequest(request);
@@ -146,39 +120,32 @@ PsychicRequestFilterFunction SecuritySettingsService::filterRequest(Authenticati
}; };
} }
PsychicHttpRequestCallback SecuritySettingsService::wrapRequest(PsychicHttpRequestCallback onRequest, AuthenticationPredicate predicate) PsychicHttpRequestCallback SecuritySettingsService::wrapRequest(PsychicHttpRequestCallback onRequest,
{ AuthenticationPredicate predicate) {
return [this, onRequest, predicate](PsychicRequest *request) return [this, onRequest, predicate](PsychicRequest *request) {
{
Authentication authentication = authenticateRequest(request); Authentication authentication = authenticateRequest(request);
if (!predicate(authentication)) if (!predicate(authentication)) {
{
return request->reply(401); return request->reply(401);
} }
return onRequest(request); return onRequest(request);
}; };
} }
PsychicJsonRequestCallback SecuritySettingsService::wrapCallback(PsychicJsonRequestCallback onRequest, AuthenticationPredicate predicate) PsychicJsonRequestCallback SecuritySettingsService::wrapCallback(PsychicJsonRequestCallback onRequest,
{ AuthenticationPredicate predicate) {
return [this, onRequest, predicate](PsychicRequest *request, JsonVariant &json) return [this, onRequest, predicate](PsychicRequest *request, JsonVariant &json) {
{
Authentication authentication = authenticateRequest(request); Authentication authentication = authenticateRequest(request);
if (!predicate(authentication)) if (!predicate(authentication)) {
{
return request->reply(401); return request->reply(401);
} }
return onRequest(request, json); return onRequest(request, json);
}; };
} }
esp_err_t SecuritySettingsService::generateToken(PsychicRequest *request) esp_err_t SecuritySettingsService::generateToken(PsychicRequest *request) {
{
String usernameParam = request->getParam("username")->value(); String usernameParam = request->getParam("username")->value();
for (User _user : _state.users) for (User _user : _state.users) {
{ if (_user.username == usernameParam) {
if (_user.username == usernameParam)
{
PsychicJsonResponse response = PsychicJsonResponse(request, false); PsychicJsonResponse response = PsychicJsonResponse(request, false);
JsonObject root = response.getRoot(); JsonObject root = response.getRoot();
root["token"] = generateJWT(&_user); root["token"] = generateJWT(&_user);
@@ -192,38 +159,29 @@ esp_err_t SecuritySettingsService::generateToken(PsychicRequest *request)
User ADMIN_USER = User(FACTORY_ADMIN_USERNAME, FACTORY_ADMIN_PASSWORD, true); User ADMIN_USER = User(FACTORY_ADMIN_USERNAME, FACTORY_ADMIN_PASSWORD, true);
SecuritySettingsService::SecuritySettingsService(PsychicHttpServer *server, FS *fs) : SecurityManager() SecuritySettingsService::SecuritySettingsService(PsychicHttpServer *server, FS *fs) : SecurityManager() {}
{ SecuritySettingsService::~SecuritySettingsService() {}
}
SecuritySettingsService::~SecuritySettingsService()
{
}
PsychicRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) PsychicRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) {
{ return [this, predicate](PsychicRequest *request) {
return [this, predicate](PsychicRequest *request)
{
// ESP_LOGV("SecuritySettingsService", "Security disabled - all requests are allowed"); // ESP_LOGV("SecuritySettingsService", "Security disabled - all requests are allowed");
return true; return true;
}; };
} }
// Return the admin user on all request - disabling security features // Return the admin user on all request - disabling security features
Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *request) Authentication SecuritySettingsService::authenticateRequest(PsychicRequest *request) {
{
return Authentication(ADMIN_USER); return Authentication(ADMIN_USER);
} }
// Return the function unwrapped // Return the function unwrapped
PsychicHttpRequestCallback SecuritySettingsService::wrapRequest(PsychicHttpRequestCallback onRequest, PsychicHttpRequestCallback SecuritySettingsService::wrapRequest(PsychicHttpRequestCallback onRequest,
AuthenticationPredicate predicate) AuthenticationPredicate predicate) {
{
return onRequest; return onRequest;
} }
PsychicJsonRequestCallback SecuritySettingsService::wrapCallback(PsychicJsonRequestCallback onRequest, PsychicJsonRequestCallback SecuritySettingsService::wrapCallback(PsychicJsonRequestCallback onRequest,
AuthenticationPredicate predicate) AuthenticationPredicate predicate) {
{
return onRequest; return onRequest;
} }
esp32/lib/ESP32-sveltekit/SecuritySettingsService.h
+13 -23
View File
@@ -48,21 +48,18 @@
#if FT_ENABLED(FT_SECURITY) #if FT_ENABLED(FT_SECURITY)
class SecuritySettings class SecuritySettings {
{ public:
public:
String jwtSecret; String jwtSecret;
std::list<User> users; std::list<User> users;
static void read(SecuritySettings &settings, JsonObject &root) static void read(SecuritySettings &settings, JsonObject &root) {
{
// secret // secret
root["jwt_secret"] = settings.jwtSecret; root["jwt_secret"] = settings.jwtSecret;
// users // users
JsonArray users = root.to<JsonArray>(); JsonArray users = root.to<JsonArray>();
for (User user : settings.users) for (User user : settings.users) {
{
JsonObject userRoot = users.add<JsonObject>(); JsonObject userRoot = users.add<JsonObject>();
userRoot["username"] = user.username; userRoot["username"] = user.username;
userRoot["password"] = user.password; userRoot["password"] = user.password;
@@ -70,22 +67,17 @@ public:
} }
} }
static StateUpdateResult update(JsonObject &root, SecuritySettings &settings) static StateUpdateResult update(JsonObject &root, SecuritySettings &settings) {
{
// secret // secret
settings.jwtSecret = root["jwt_secret"] | SettingValue::format(FACTORY_JWT_SECRET); settings.jwtSecret = root["jwt_secret"] | SettingValue::format(FACTORY_JWT_SECRET);
// users // users
settings.users.clear(); settings.users.clear();
if (root["users"].is<JsonArray>()) if (root["users"].is<JsonArray>()) {
{ for (JsonVariant user : root["users"].as<JsonArray>()) {
for (JsonVariant user : root["users"].as<JsonArray>())
{
settings.users.push_back(User(user["username"], user["password"], user["admin"])); settings.users.push_back(User(user["username"], user["password"], user["admin"]));
} }
} } else {
else
{
settings.users.push_back(User(FACTORY_ADMIN_USERNAME, FACTORY_ADMIN_PASSWORD, true)); settings.users.push_back(User(FACTORY_ADMIN_USERNAME, FACTORY_ADMIN_PASSWORD, true));
settings.users.push_back(User(FACTORY_GUEST_USERNAME, FACTORY_GUEST_PASSWORD, false)); settings.users.push_back(User(FACTORY_GUEST_USERNAME, FACTORY_GUEST_PASSWORD, false));
} }
@@ -93,9 +85,8 @@ public:
} }
}; };
class SecuritySettingsService : public StatefulService<SecuritySettings>, public SecurityManager class SecuritySettingsService : public StatefulService<SecuritySettings>, public SecurityManager {
{ public:
public:
SecuritySettingsService(PsychicHttpServer *server, FS *fs); SecuritySettingsService(PsychicHttpServer *server, FS *fs);
void begin(); void begin();
@@ -109,7 +100,7 @@ public:
PsychicHttpRequestCallback wrapRequest(PsychicHttpRequestCallback onRequest, AuthenticationPredicate predicate); PsychicHttpRequestCallback wrapRequest(PsychicHttpRequestCallback onRequest, AuthenticationPredicate predicate);
PsychicJsonRequestCallback wrapCallback(PsychicJsonRequestCallback onRequest, AuthenticationPredicate predicate); PsychicJsonRequestCallback wrapCallback(PsychicJsonRequestCallback onRequest, AuthenticationPredicate predicate);
private: private:
PsychicHttpServer *_server; PsychicHttpServer *_server;
HttpEndpoint<SecuritySettings> _httpEndpoint; HttpEndpoint<SecuritySettings> _httpEndpoint;
@@ -133,9 +124,8 @@ private:
#else #else
class SecuritySettingsService : public SecurityManager class SecuritySettingsService : public SecurityManager {
{ public:
public:
SecuritySettingsService(PsychicHttpServer *server, FS *fs); SecuritySettingsService(PsychicHttpServer *server, FS *fs);
~SecuritySettingsService(); ~SecuritySettingsService();