bwssytems / ha-bridge

Home automation bridge that emulates a Philips Hue light system and can control other systems such as a Vera, Harmony Hub, Nest, MiLight bulbs or any other system that has an http/https/tcp/udp interface. This is a compact implementation to run on small format computers. This implementation started from this project: https://github.com/armzilla/amazon-echo-ha-bridge.
Apache License 2.0

Alpha Security Release #578

Closed bwssytems closed 7 years ago

bwssytems commented 7 years ago

If you are interested in testing the new alpha release for security, grab it here https://github.com/bwssytems/ha-bridge/releases/download/v4.5.0alpha/ha-bridge-4.5.0alpha.jar

Bridge Control Tab has the 'Update Security Button' - hopefully self explanatory

audiofreak9 commented 7 years ago

Works for me using EXEC and Harmony devices, not able to test HUE Api security.

Do you use cookies or sessions? How long do they persist?

I would suggest adding the Login/Logout link as a main item in the navbar, rather than under Help.

bwssytems commented 7 years ago

It is session based, so only for as long as the session is active

jc259 commented 7 years ago

Is it v5.4.0alpha, or should it be v4.50alpha? I noticed an error on my Synology in Docker: it was trying to pull from https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-5.4.0alpha.jar

bwssytems commented 7 years ago

Dyslexia... The jar is 5.4.0alpha, but it will be 4.5.0 when released.

tuicemen commented 7 years ago

I love the new security feature. Question: if we are to send a push, pull or get, how would the credentials be added? I see they are required (at least for the first call). Would we simply add @username:password to the end of the URL?

jc259 commented 7 years ago

This link https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-5.4.0alpha.jar fails to download anything

but the following one works: https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-4.5.0alpha.jar

Should that be the case?

Sorry if these aren't great questions, I'm a bit new to github.

This is what I am seeing in the Synology Docker log:

Latest version on bwssystems github repo is 5.4.0alpha
Installing version '5.4.0alpha' --2017-03-31 21:27:20-- https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-5.4.0alpha.jar
Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112 Connecting to github.com (github.com)|192.30.253.113|:443... connected. HTTP request sent, awaiting response... 404 Not Found
2017-03-31 21:27:21 ERROR 404: Not Found.

Setting correct permissions Parameters used:
Server IP : 192.168.9.199
Server Port : 8999
Starting Home Automation Bridge Error: Unable to access jarfile ha-bridge-5.4.0alpha.jar

jc259 commented 7 years ago

I ended up just copying the files over that I downloaded from https://github.com/bwssytems/ha-bridge/releases/download/v5.4.0alpha/ha-bridge-4.5.0alpha.jar

and renamed the file ha-bridge-4.5.0alpha.jar to ha-bridge-5.4.0alpha.jar, and the Docker container started up ok :)

bwssytems commented 7 years ago

Fixed the link

@tuicemen The security is session based. You will need to save your HTTP session credentials.

tuicemen commented 7 years ago

Understood. However, if I add a user and password but don't log in, then go to Postman and attempt to make a GET call to http://localhost/api/devices using basic authorization, I get a {"message":"User not authenticated"}

bwssytems commented 7 years ago

Well, looks like I will need to change this to basic auth control; that will make it easier.

tuicemen commented 7 years ago

I tested with adding a couple of users and the UI works fine for both custom HTTP sends and scripts saved to the Secure Folder for scripts/executables. It also works for devices with direct path calls to a program. I also am not able to test Hue API security. Removal of users works and reverts the bridge back to non-secure.

jc259 commented 7 years ago

Thanks for fixing the link. I deleted the file I manually copied and now the package starts up fine and downloads the latest version.

tuicemen commented 7 years ago

Suggestion: In the Bridge Control tab, if you click on Save, once the bridge reloads you're presented with several 401 errors (12 in total on that page), all ending with "User not authenticated with status: Unauthorized - 401". Perhaps this could be reduced to just one stating re-login is needed, as that's what is required. Or just display the login screen.

tuicemen commented 7 years ago

Issue: After clicking Save in Bridge Control and re-logging in, scripts in the script folder no longer work, nor do direct exec calls. Custom HTTP calls still work.

bwssytems commented 7 years ago

So, I will be implementing a Basic Auth method that can be used. As far as the re-init goes, the re-initialization is removing the authenticated users, and I will need to keep that from re-init to re-init.

bwssytems commented 7 years ago

Ok, implemented changes: https://github.com/bwssytems/ha-bridge/releases/download/v4.5.0alpha-2/ha-bridge-4.5.0alpha-2.jar

tuicemen commented 7 years ago

Excellent! Is it possible to add/remove a user with a PUT?

tuicemen commented 7 years ago

Saving bridge data still results in exec calls failing; all worked prior to doing a save. Wondering if it may be my scripts folder not being the same as the default.

bwssytems commented 7 years ago

Hmmm, maybe the way I'm interpreting the execGarden when it is not set.

bwssytems commented 7 years ago

And yes, you can add/remove users with a PUT. The structure is a base64 encoded JSON string that is {"username":"theuser","password":"thepassword"}. And of course you don't need the password when removing a user.

The calls are /system/adduser and /system/deluser

tuicemen commented 7 years ago

Ok, I think I figured it out by doing some logging. I set my scripts folder to just scripts and all worked fine prior to doing a save. After the save I looked in the log, and now all exec calls start with scripts/. So for a c:/program files..... call it is now scripts/c:/program files.... For scripts located in the scripts folder the calls now look like this: scripts/scripts/"the script"

bwssytems commented 7 years ago

Interesting, so the execGarden is the directory and you do not put a path on the actual exec calls, as it will only try to execute the item in that directory.

tuicemen commented 7 years ago

I updated the security settings for the Secure Folder for scripts/executables to nothing. This got my calls to C:\program files..... working; however, my script folder calls in the log look like this: /scripts/"the script"
Not sure why the initial forward slash is still there for those and not the others.

tuicemen commented 7 years ago

I attempted to re-save after changing the Secure Folder, hoping that would revert some things, but get this:

04-03-2017 19:36:56.930 ERROR   Error file is not writable: data\habridge.config    com.bwssystems.HABridge.BridgeSettings
04-03-2017 19:36:56.937 ERROR   Error writing the file: data\habridge.config message: data\habridge.config  com.bwssystems.HABridge.BridgeSettings
04-03-2017 19:36:56.938 ERROR   Error writing the file: data\habridge.config message: data\habridge.config.old  com.bwssystems.HABridge.BridgeSettings

bwssytems commented 7 years ago

I will test this as well, as it is the portion that I did very little on.

tuicemen commented 7 years ago

With the bridge not secure I attempted to add a user using Postman and get a 500 error. Does the bridge require it to already be in secure mode with some user already configured to do this?

bwssytems commented 7 years ago

Only when there are no users does it allow you to add a user without security. After that you need to be authenticated.

Also, I found the issues for the execGarden.

tuicemen commented 7 years ago

I also get a 500 error if I attempt to remove a user or add a new user when the bridge is in secure mode. I must be missing something.

tuicemen commented 7 years ago

So if successful, adding a user should place the bridge in secure mode? I'll remove all users and attempt again.

tuicemen commented 7 years ago

OK, so I must be doing something wrong. Using Postman with http://localhost/system/adduser and a body of {"username":Alex10,"password":123@Password} I get a 500 Internal Error returned.

bwssytems commented 7 years ago

That is because it needs to be base64 encoded, the whole JSON string.

bwssytems commented 7 years ago

And also strings in JSON need to be quoted, even the values.

tuicemen commented 7 years ago

Ok, not sure how to do this in Postman (base64 encoded). The JSON value would be like this then: {"username":"Alex10","password":"123@Password"} ?

bwssytems commented 7 years ago

Use an online converter and cut and paste.

tuicemen commented 7 years ago

OK, now I'm getting somewhere; however, it seems the password needs to be added twice, as I get back { "message": "The two passwords do not match" }

bwssytems commented 7 years ago

Ahh, yes, it validates the two entries.....

tuicemen commented 7 years ago

So how do I add the second entry? {"username":"Alex10","password":"123@Password" &"123@Password"} doesn't work.

bwssytems commented 7 years ago

Add another field called password2.
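The /system/adduser and /system/deluser PUT calls described above, with the password2 field, as an added example that is not part of this thread or the ha-bridge code. It assumes the bridge is at http://localhost:8999, that the base64 string is sent as the raw request body, and that once users exist the call is authenticated with Basic Auth (as the maintainer said he was switching to); adjust those if your bridge differs.

```python
import base64
import json
import urllib.request
from typing import Optional, Tuple

# Assumed bridge address; the port matches the Docker log above, but change it
# to your own bridge's host and port.
BRIDGE = "http://localhost:8999"


def encode_user_body(username: str, password: Optional[str] = None) -> bytes:
    """Base64-encode the JSON the bridge expects.

    adduser needs the password twice (password and password2) or the bridge
    answers 'The two passwords do not match'; deluser needs only the username.
    """
    doc = {"username": username}
    if password is not None:
        doc["password"] = password
        doc["password2"] = password
    return base64.b64encode(json.dumps(doc).encode("utf-8"))


def decode_user_body(body: bytes) -> dict:
    """Reverse of encode_user_body, useful for checking what was sent."""
    return json.loads(base64.b64decode(body))


def build_put(path: str, body: bytes, auth: Optional[Tuple[str, str]] = None) -> urllib.request.Request:
    """Build the PUT request; adds a Basic Auth header once the bridge is secured."""
    req = urllib.request.Request(BRIDGE + path, data=body, method="PUT")
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode("utf-8")).decode("ascii")
        req.add_header("Authorization", "Basic " + token)
    return req


if __name__ == "__main__":
    # The first user can be added while the bridge is still unsecured; after
    # that every call must be authenticated (here with the user just created).
    add = build_put("/system/adduser", encode_user_body("Alex10", "123@Password"))
    with urllib.request.urlopen(add) as resp:
        print(resp.status, resp.read().decode())
    remove = build_put("/system/deluser", encode_user_body("Alex10"),
                       auth=("Alex10", "123@Password"))
    with urllib.request.urlopen(remove) as resp:
        print(resp.status, resp.read().decode())
```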

bwssytems commented 7 years ago

Updated security issues for the exec garden:

https://github.com/bwssytems/ha-bridge/releases/download/v4.5.0alpha-3/ha-bridge-4.5.0alpha-3.jar

tuicemen commented 7 years ago

LOL, just tried that prior to you posting,
and it seems to work; it throws the bridge to login at least.

bwssytems commented 7 years ago

New link: https://github.com/bwssytems/ha-bridge/releases/download/v4.5.0alpha-4/ha-bridge-4.5.0alpha-4.jar

Added something for another user not related to security.

tuicemen commented 7 years ago

New build: add/remove user works. Exec commands work as long as I don't specify a Secure folder; if I do I get this: 04-04-2017 14:02:25.894 WARN Could not execute request: scripts/\C:/Alex10/Alex10.exe SENDPLC_B15_On with message: Cannot run program "scripts/\C:/Alex10/Alex10.exe": CreateProcess error=2, The system cannot find the file specified com.bwssystems.HABridge.plugins.exec.CommandHome

What is the reason for specifying a scripts folder? I can't access that folder anyways unless there is a call I don't know about. I already specify the script folder in my calls that use a script stored in that folder. Specifying a secure scripts folder means I must reconfigure all my script calls, and direct calls won't work.

bwssytems commented 7 years ago

The reason for the execGarden (not just a scripts folder) is to secure your system to only execute the items you put in that directory (i.e. a walled garden). If there was an enterprising individual that accessed your system without some security, they could execute items that would wreak havoc on your system.

akurz42 commented 7 years ago

Purely cosmetic:

So basically a login should work like this:

Cheers, Alex

bwssytems commented 7 years ago

@akurz42 Yep, that is something to implement, Thanks!

tuicemen commented 7 years ago

Ok, I understand the walled garden, but if someone were to access my system, what prevents them from just removing the wall as I did and typing in a script they wish to call? Since you're still able to add/edit devices in secure mode, a walled garden isn't any good if the gate is open.

If I wish to use this walled garden for scripts, what would the device call be? It certainly isn't the path + script name, nor just the script name; both of these fail. Since this isn't a folder, how do I add scripts to this execGarden?

bwssytems commented 7 years ago

I should probably put the execGarden in as a command line property like the hash key and not a security setting, as that would fix the issues you just mentioned. As far as the call goes, you would not need a path any more, as the execGarden is prepended to your call with the / or \ depending on the OS. So if you put a path in, it will still prepend the execGarden.
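One way to enforce the walled-garden idea described above (the garden is prepended to every exec call, so a path in the call must not be able to escape it), as an added example that is not ha-bridge's own code. It is a resolver only: it returns the path to run, or rejects it, and a caller would then run that path as a subprocess argument list rather than through a shell. The garden directory and script name are constructed for the demo.

```python
import tempfile
from pathlib import Path


class GardenError(ValueError):
    """Raised when a requested command does not resolve inside the garden."""


def resolve_in_garden(garden: str, command: str) -> Path:
    """Return the absolute path of `command` inside `garden`, or raise GardenError.

    The garden is always prepended, as the thread describes, then the result is
    resolved (symlinks and '..' collapsed) and checked for containment, so
    '../x', absolute paths and drive-letter paths cannot reach outside the
    garden. The file must also actually exist there.
    """
    garden_path = Path(garden).resolve()
    candidate = (garden_path / command).resolve()
    try:
        candidate.relative_to(garden_path)
    except ValueError:
        raise GardenError(f"{command!r} resolves outside the exec garden")
    if not candidate.is_file():
        raise GardenError(f"{command!r} not found inside the exec garden")
    return candidate


def demo() -> dict:
    """Build a throwaway garden with one script and exercise the resolver."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        garden = Path(tmp) / "scripts"
        garden.mkdir()
        (garden / "OfficeLightOn.bat").write_text("@echo off\n")  # constructed
        results["plain"] = resolve_in_garden(str(garden), "OfficeLightOn.bat").name
        # Calls with a path, as in the thread, are rejected: they either leave
        # the garden or name a file that does not exist inside it.
        for bad in ("../OfficeLightOn.bat", "/etc/hosts", "C:/Alex10/Alex10.exe"):
            try:
                resolve_in_garden(str(garden), bad)
                results[bad] = "allowed"
            except GardenError:
                results[bad] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```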

tuicemen commented 7 years ago

OK, setting the execGarden via a command line call would be better. Since I'm using Windows 10, the execGarden is adding a backslash (\) instead of a forward slash (/). I removed the path from the call and get this: 04-04-2017 16:10:10.871 WARN Could not execute request: /scripts\OfficeLightOn.bat with message: Cannot run program "/scripts\OfficeLightOn.bat": CreateProcess error=2, The system cannot find the file specified com.bwssystems.HABridge.plugins.exec.CommandHome

bwssytems commented 7 years ago

Windows really uses backslashes, and Unix/Linux/macOS use forward slashes. Also, it is best to set the directory specifically from the root, i.e.: C:\Users\John\Documents\Applications

bwssytems commented 7 years ago

Alright, I will be closing this and opening a release candidate 1 thread. Thanks for all the help.