Closed bwssytems closed 7 years ago
Works for me using EXEC and Harmony devices, not able to test HUE Api security.
Do you use cookies or sessions? How long do they persist?
I would suggest adding the Login/Logout link as a main item in the navbar, rather than under Help.
It is session based, so only for as long as the session is active
Is it v5.4.0alpha or should it be v4.50alpha? I noticed an error on my Synology in Docker that it was trying to pull from https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-5.4.0alpha.jar
Dyslexia... The jar is 5.4.0alpha, but it will be 4.5.0 when released.
I love the new security feature. Question: if we are to send a push, pull, get, how would the credentials be added? I see they are required (at least for the first call). Would we simply add @username:password to the end of the URL?
This link https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-5.4.0alpha.jar fails to download anything
but the following one works.. https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-4.5.0alpha.jar
Should that be the case?
Sorry if these aren't great questions, I'm a bit new to GitHub.
This is what I am seeing on the Synology Docker log.
Latest version on bwssystems github repo is 5.4.0alpha
Installing version '5.4.0alpha'
--2017-03-31 21:27:20-- https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-5.4.0alpha.jar
Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112
Connecting to github.com (github.com)|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-03-31 21:27:21 ERROR 404: Not Found.
Setting correct permissions
Parameters used:
Server IP : 192.168.9.199
Server Port : 8999
Starting Home Automation Bridge
Error: Unable to access jarfile ha-bridge-5.4.0alpha.jar
I ended up just copying the files over that I downloaded from https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-4.5.0alpha.jar
and renamed the file ha-bridge-4.5.0alpha.jar to ha-bridge-5.4.0alpha.jar and the Docker container started up OK :)
Fixed the link
@tuicemen The security is session based. You will need to save your HTTP session credentials.
Understood. However, if I add a user & password but don't log in, then go to Postman and attempt to make a GET call to http://localhost/api/devices and use basic authorization, I get a {"message":"User not authenticated"}
Well, looks like I will need to change this to basic auth control, that will make it easier
I tested with adding a couple of users and the UI works fine for both custom http sends and scripts saved to the Secure Folder for scripts/executables. It also works for devices with direct path calls to a program. I also am not able to test HUE Api security. Removal of users works and reverts the bridge back to non-secure.
Thanks for fixing the link. I deleted the file I manually copied and now the package starts up fine and downloads the latest version.
Suggestion: In the (bridge control tab), if you click on Save, once the bridge reloads you're presented with several 401 errors (12 in total on that page), all ending with "User not authenticated with status: Unauthorized - 401". Perhaps this could be reduced to just one stating re-login is needed, as that's what is required. Or just display the login screen.
Issue: After clicking save in bridge control and a re-login, scripts in the script folder no longer work, nor do direct exec calls. Custom http calls still work.
So, I will be implementing Basic Auth method that can be used. As far as the re-init goes, the re-initialization is removing the authenticated users and I will need to keep that from re-init to re-init.
Ok, implemented changes: https://github.com/bwssytems/ha-bridge/releases/download/v4.5.0alpha-2/ha-bridge-4.5.0alpha-2.jar
Excellent! Is it possible to add/remove a user with a PUT?
Saving bridge data still results in exec calls failing, all worked prior to doing a save. Wondering if it may be my scripts folder not being same as default.
Hmmm, maybe the way I'm interpreting the execGarden when it is not set.
And yes, you can add/remove users with a put. The structure is a base64 encoded JSON string that is {"username":"theuser","password":"thepassword"} And of course you don't need the password when removing a user.
The calls are /system/adduser and /system/deluser
Ok, I think I figured it out doing some logging. I set my scripts folder to just scripts and all worked fine prior to doing a save. After the save I looked in the log and now all exec calls start with "scripts/". So for a c:/program files..... call it now is scripts/c:/program files.... For scripts located in the scripts folder, the calls now look like this: scripts/scripts/"the script"
Interesting, so the execGarden is the directory and you do not put a path on the actual exec calls as it will only try to execute the item in that directory only
I updated security settings for the Secure Folder for scripts/executables to nothing.
This got my calls to C:\program files..... working; however, my script folder calls in the log look like this: /scripts/"the script"
Not sure why the initial forward slash is still there for those and not the others.
I attempted to re-save after changing the Secure Folder, hoping that would revert some things, but get this:
04-03-2017 19:36:56.930 ERROR Error file is not writable: data\habridge.config com.bwssystems.HABridge.BridgeSettings
04-03-2017 19:36:56.937 ERROR Error writing the file: data\habridge.config message: data\habridge.config com.bwssystems.HABridge.BridgeSettings
04-03-2017 19:36:56.938 ERROR Error writing the file: data\habridge.config message: data\habridge.config.old com.bwssystems.HABridge.BridgeSettings
I will test this as well as it is the portion that I did very little
With the bridge not secure I attempted to add a user using Postman and get a 500 error. Does the bridge require it to already be in secure mode with some user already configured to do this?
Only when there are no users does it allow you to add a user without security. After that you need to be authenticated.
Also, I found the issues for the execGarden.
I also get a 500 error if I attempt to remove a user or add a new user when bridge is in the secure mode. I must be missing something.
So if successful adding a user should place the bridge in secure mode? I'll remove all users and attempt again.
OK, so I must be doing something wrong. Using Postman with http://localhost/system/adduser and a body of {"username":Alex10,"password":123@Password} I get a 500 Internal Error returned.
That is because it needs to be base 64 encoded, the whole json string
And also strings in json need to be quoted, even the values
Ok, not sure how to do this in Postman (base 64 encoded). The JSON value would be like this then: {"username":"Alex10","password":"123@Password"} ?
Use an online converter and cut and paste
OK, now I'm getting somewhere; however, it seems the password needs to be added twice, as I get back { "message": "The two passwords do not match" }
Ahh, yes, it validates the two entries.....
So how do I add the second entry? {"username":"Alex10","password":"123@Password" &"123@Password"} doesn't work
Add another field called password2
Updated security issues for exec garden
https://github.com/bwssytems/ha-bridge/releases/download/v4.5.0alpha-3/ha-bridge-4.5.0alpha-3.jar
LOL just tried that prior to you posting
and it seems to work throws the bridge to login at least.
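The request body described in the replies above, built and decoded in Python as an added example (not code from the ha-bridge project). The field names, the two `/system/` paths and `http://localhost` come from the thread; the helper names and the use of a Basic `Authorization` header on these calls are assumptions.

```python
import base64
import json
import urllib.request

def encode_body(fields):
    """Serialize to JSON (all strings quoted), then base64 the whole string."""
    return base64.b64encode(json.dumps(fields).encode("utf-8")).decode("ascii")

def adduser_body(username, password):
    # The bridge compares "password" and "password2" and rejects a mismatch.
    return encode_body({"username": username, "password": password,
                        "password2": password})

def deluser_body(username):
    # No password is needed when removing a user.
    return encode_body({"username": username})

def build_put(base_url, path, body, auth=None):
    """Build (but do not send) the PUT request.

    auth is an optional (user, password) tuple sent as HTTP Basic; whether
    the bridge accepts Basic auth on these paths is an assumption here.
    """
    req = urllib.request.Request(base_url + path, data=body.encode("ascii"),
                                 method="PUT")
    if auth is not None:
        token = base64.b64encode(":".join(auth).encode("utf-8")).decode("ascii")
        req.add_header("Authorization", "Basic " + token)
    return req

def decode_body(body):
    # Base64 is an encoding, not encryption: anyone who can read the
    # request can recover the password, so these calls need TLS or a
    # trusted network segment.
    return json.loads(base64.b64decode(body))

if __name__ == "__main__":
    body = adduser_body("Alex10", "123@Password")  # sample values from the thread
    req = build_put("http://localhost", "/system/adduser", body)
    print(req.get_method(), req.full_url)
    print(body)
    print(decode_body(body))
```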
new link https://github.com/bwssytems/ha-bridge/releases/download/v4.5.0alpha-4/ha-bridge-4.5.0alpha-4.jar
Added something for another user not related to security
New build, and add/remove user works.
Exec commands work as long as I don't specify a Secure folder; if I do, I get this:
04-04-2017 14:02:25.894 WARN Could not execute request: scripts/\C:/Alex10/Alex10.exe SENDPLC_B15_On with message: Cannot run program "scripts/\C:/Alex10/Alex10.exe": CreateProcess error=2, The system cannot find the file specified com.bwssystems.HABridge.plugins.exec.CommandHome
What is the reason for specifying a scripts folder? I can't access that folder anyways unless there is a call I don't know about. I already specify the script folder in my calls that use a script stored in that folder. Specifying a secure scripts folder means I must reconfigure all my script calls, and direct calls won't work.
The reason for the execGarden (not just a scripts folder) is to secure your system to only execute the items you put in that directory (i.e. a walled garden). If there was an enterprising individual that accessed your system without some security, they could execute items that would wreak havoc on your system.
Purely cosmetic:
So basically a login should work like this:
Cheers, Alex
@akurz42 Yep, that is something to implement, Thanks!
Ok, I understand the walled garden, but if someone were to access my system, what prevents them from just removing the wall as I did and typing in a script they wish to call? Since you're still able to add/edit devices in secure mode, a walled garden isn't any good if the gate is open.
If I wish to use this walled garden for scripts, what would the device call be? It certainly isn't the path + script name, nor just the script name; both of these fail. Since this isn't a folder, how do I add scripts to this execGarden?
I should probably put the execGarden in as a command line property like the hash key and not a security setting as that would fix the issues you just mentioned. As far as the call goes, you would not need a path any more as the execGarden is prepended to your call with the / or \ depending on the OS. So if you put a path in it will still append the execGarden.
OK, setting the execGarden via a command-line call would be better.
Since I'm using Windows 10 the ExecGarden is adding a backslash (\) instead of a forward slash (/)
I removed the path from the call and get this:
04-04-2017 16:10:10.871 WARN Could not execute request: /scripts\OfficeLightOn.bat with message: Cannot run program "/scripts\OfficeLightOn.bat": CreateProcess error=2, The system cannot find the file specified com.bwssystems.HABridge.plugins.exec.CommandHome
Windows really uses backslashes and unix/linux/macOS use forward slashes. Also, it is best to set the directory specifically from the root, i.e.: C:\Users\John\Documents\Applications
Alright, I will be closing this and opening a release candidate 1 thread. Thanks for all the help.
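An added example (not the ha-bridge implementation) of the walled-garden check discussed in this thread: instead of only prepending the garden directory, it normalizes the joined path and rejects anything that resolves outside the garden. The function names and the `/opt/ha-bridge/scripts` path are constructed for illustration; the Windows path is the one quoted above.

```python
import ntpath
import posixpath

class GardenError(ValueError):
    """The requested program would resolve outside the exec garden."""

def naive_prepend(garden, command, sep):
    # Plain string prepending, as in the failing log lines: the result is
    # never checked, so "..", drive letters and mixed slashes pass through.
    return garden + sep + command

def resolve_in_garden(garden, program, flavour=posixpath):
    """Return the normalized path of `program` inside `garden`, else raise.

    `flavour` is ntpath (Windows rules) or posixpath (unix/linux/macOS), so
    both can be exercised on any host. This is a string-level check only;
    a real launcher should also resolve symlinks before comparing.
    """
    if not flavour.isabs(garden):
        raise GardenError("garden must be an absolute path: %r" % garden)
    root = flavour.normpath(garden)
    candidate = flavour.normpath(flavour.join(root, program))
    try:
        common = flavour.commonpath([root, candidate])
    except ValueError:  # e.g. a different drive letter on Windows
        raise GardenError("outside garden: %r" % program) from None
    inside = flavour.normcase(common) == flavour.normcase(root)
    if not inside or flavour.normcase(candidate) == flavour.normcase(root):
        raise GardenError("outside garden: %r" % program)
    return candidate

def is_allowed(garden, program, flavour=posixpath):
    try:
        resolve_in_garden(garden, program, flavour)
        return True
    except GardenError:
        return False

if __name__ == "__main__":
    win = r"C:\Users\John\Documents\Applications"   # garden set from the root
    print(resolve_in_garden(win, "OfficeLightOn.bat", ntpath))
    print(is_allowed(win, "C:/Alex10/Alex10.exe", ntpath))       # False
    print(is_allowed("/opt/ha-bridge/scripts", "../other.sh"))   # False
    print(naive_prepend("/scripts", "OfficeLightOn.bat", "\\"))  # mixed slashes
```

Comparing whole path components with `commonpath` rather than a string prefix is what keeps a sibling directory such as `scripts2` from passing as part of `scripts`.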
If you are interested in testing the new alpha release for security, grab it here https://github.com/bwssytems/ha-bridge/releases/download/v4.5.0alpha/ha-bridge-4.5.0alpha.jar
Bridge Control Tab has the 'Update Security Button' - hopefully self explanatory