playing with some ideas for security management

5 years ago · eca14cf81c
4 changed files with 75 additions and 27 deletions
--- a/data/config/securitySettings.json
+++ b/data/config/securitySettings.json
@ -1,5 +1,6 @@
 {
    "jwt_secret":"esp8266-react",
+    "roles": ["admin", "guest"],
    "users": [
        {
            "username": "admin",
--- a/src/SecurityManager.cpp
+++ b/src/SecurityManager.cpp
@ -1,51 +1,84 @@
 #include <SecurityManager.h>

 SecurityManager::SecurityManager(AsyncWebServer* server, FS* fs) : SettingsPersistence(fs, SECURITY_SETTINGS_FILE) {
+  server->on(USERS_PATH, HTTP_GET, std::bind(&SecurityManager::fetchUsers, this, std::placeholders::_1));
 }

 SecurityManager::~SecurityManager() {}

 void SecurityManager::readFromJsonObject(JsonObject& root) {
+  // secret  
  _jwtSecret = root["jwt_secret"] | DEFAULT_JWT_SECRET;

-  while (_numUsers > 0){
-    delete _users[--_numUsers];
+  // roles
+  _roles.clear();
+  if (root["roles"].is<JsonArray>()) {
+    JsonArray roles = root["roles"];
+    for (JsonVariant role : roles) {
+      _roles.push_back(role.as<String>());
+    }
  }

+  // users
+  _users.clear();
  if (root["users"].is<JsonArray>()) {
    JsonArray users = root["users"];
-    _numUsers = 0;
-    // TODO - complete defence against bad data
-    for (int i =0; i < min(SECURITY_MANAGER_MAX_USERS, (int) users.size()); i++){
-      JsonObject user = users[i];
-      String username =  user["username"];;
+    for (JsonVariant user : users) {
+      String username =  user["username"];
      String password = user["password"];
      String role = user["role"];
-      _users[_numUsers++] = new User(username, password, role);
+      _users.push_back(User(username, password, role));
    }
  }
 }

 void SecurityManager::writeToJsonObject(JsonObject& root) {
-  // TODO
+  // secret
+  root["jwt_secret"] = _jwtSecret;
+
+  // roles
+  JsonArray roles = root.createNestedArray("roles");
+  for (String _role : _roles) {
+    roles.add(_role);
+  }
+
+  // users
+  JsonArray users = root.createNestedArray("users");
+  for (User _user : _users) {
+    JsonObject user = users.createNestedObject();
+    user["username"] = _user.getUsername();
+    user["password"] = _user.getPassword();
+    user["role"] = _user.getRole();
+  }
+}
+
+void SecurityManager::fetchUsers(AsyncWebServerRequest *request) {
+  AsyncJsonResponse * response = new AsyncJsonResponse(MAX_USERS_SIZE);
+  JsonObject jsonObject = response->getRoot();  
+  writeToJsonObject(jsonObject);
+  response->setLength();
+  request->send(response);
 }

 void SecurityManager::begin() {
-  // TODO
+  readFromFS();
 }

 User SecurityManager::verifyUser(String jwt) {
  // TODO
  return NOT_AUTHENTICATED;
 }
-User authenticate(String username, String password) {
-  // TODO
+
+User SecurityManager::authenticate(String username, String password) {
+  for (User _user : _users) {
+    if (_user.getUsername() == username && _user.getPassword() == password){
+      return _user;
+    }
+  }
  return NOT_AUTHENTICATED;
 }

-String generateJWT(User user) {
+String SecurityManager::generateJWT(User user) {
  // TODO
  return "";
 }
-
-
--- a/src/SecurityManager.h
+++ b/src/SecurityManager.h
@ -1,5 +1,8 @@
-#ifndef APSettingsConfig_h
-#define APSettingsConfig_h
+#ifndef SecurityManager_h
+#define SecurityManager_h
+
+#include <list>
+#include <ArduinoJWT.h>

 #include <SettingsService.h>
 #include <DNSServer.h>
@ -8,16 +11,17 @@
 #define DEFAULT_JWT_SECRET "esp8266-react"

 #define SECURITY_SETTINGS_FILE "/config/securitySettings.json"
+
+#define USERS_PATH "/rest/users"
 #define AUTHENTICATE_PATH "/rest/authenticate"

 #define SECURITY_MANAGER_MAX_USERS 5

-#define UNAUTHENTICATED_USERNAME ""
+#define UNAUTHENTICATED_USERNAME "_anonymous"
 #define UNAUTHENTICATED_PASSWORD ""
 #define UNAUTHENTICATED_ROLE ""

-#define ROLE_ADMIN "admin"
-#define ROLE_GUEST "guest"
+#define MAX_USERS_SIZE 1024

 class User {
  private:
@ -38,9 +42,6 @@ class User {
    bool isAuthenticated() {
      return _username != UNAUTHENTICATED_USERNAME;
    }
-    bool isAdmin() {
-      return isAuthenticated() && _username == ROLE_ADMIN;
-    }
 };

 const User NOT_AUTHENTICATED = User(UNAUTHENTICATED_USERNAME, UNAUTHENTICATED_PASSWORD, UNAUTHENTICATED_ROLE);
@ -55,7 +56,7 @@ class SecurityManager :  public SettingsPersistence {
    void begin();

    User verifyUser(String jwt);
-    User authenticate();
+    User authenticate(String username, String password);
    String generateJWT(User user);

  protected:
@ -65,10 +66,17 @@ class SecurityManager :  public SettingsPersistence {

  private:

+    // server instance
+    AsyncWebServer* _server;
+
    // access point settings
    String _jwtSecret;
-    User *_users[SECURITY_MANAGER_MAX_USERS];
-    int _numUsers;
+    std::list<String> _roles;
+    std::list<User> _users;
+
+    // endpoint functions
+    void fetchUsers(AsyncWebServerRequest *request);
+
 };

-#endif // end APSettingsConfig_h
+#endif // end SecurityManager_h
--- a/src/main.cpp
+++ b/src/main.cpp
@ -18,11 +18,14 @@
 #include <NTPStatus.h>
 #include <OTASettingsService.h>
 #include <APStatus.h>
+#include <SecurityManager.h>

 #define SERIAL_BAUD_RATE 115200

 AsyncWebServer server(80);

+SecurityManager securityManager = SecurityManager(&server, &SPIFFS);
+
 WiFiSettingsService wifiSettingsService = WiFiSettingsService(&server, &SPIFFS);
 APSettingsService apSettingsService = APSettingsService(&server, &SPIFFS);
 NTPSettingsService ntpSettingsService = NTPSettingsService(&server, &SPIFFS);
@ -40,6 +43,9 @@ void setup() {
    Serial.begin(SERIAL_BAUD_RATE);
    SPIFFS.begin();

+    // start security manager
+    securityManager.begin();
+
    // start services
    ntpSettingsService.begin();
    otaSettingsService.begin();