
Commit 70a8d91

Feature user management (openWB#3119)
* restrict access to mosquitto and apache
* move mosquitto setup to own file
* implement dis-/enabling unencrypted access
* migrate simpleAPI
* adopt lxde session
* implement switching between acl and dynsec
* fix mosquitto setup
* fix apache setup
* fix dynsec setup
* migrate simpleAPI to localhost 1884
* add official mosquitto apt repository
* configuration changes on boot only
* fix disabling user management
* add resetUserManagement command
* upgrade npm packages
* fix mosquitto.acl permissions
* mosquitto: add ws listener on localhost
* Koala: adopt mqtt options
* upgrade theme and display wrappers to mqtt 5.14.1
* roles for theme and display wrapper
* koala: login handling
* koala: improve handling of invalid credentials
* restructure security topics
* koala: fix charge point display
* classic: migrate mqtt package
* Update command.py
* Update default-dynamic-security.json
* restructure dynsec methods
* check acl roles at start
* updated default and template acls
* add acl roles for components and io
* access controlled commands (#4)
* access controlled commands
* classic theme: fix publishing
* koala: change command topics
* koala: reset values on publish error
* allow changing admin password
* fix handling missing topics in shell scripts
* clean mosquitto.conf after restore to allow downgrading
* include user management specific files in backup/restore process
* fix reload in theme and display wrapper
* remove dynsec settings on factory reset
* detect dynsec plugin path
* resubscribe on reconnect
* fix deleting mosquitto configuration on restore
* fix battery card display for missing permissions
* adjust role acls
* koala: fix manual soc update for charge points
* fix charge point sum ACL
* ACL migration
* add more topics to basic system role
* fix counter role ACL
* add roles for status, charge log, chart and general settings access
* catch login error
* koala: reload on failed login
* koala: make grid and home optional in flow chart
* koala: only display datasets with configured ACLs in history chart
* koala: refactor daily totals chart for individual components
* enable apache http on localhost:81
* replace router.go(0) with location.reload()
* koala: warn if default credentials are used
* refactor security topic structure
* theme/display wrapper: fix missed publish function upgrade
* standard-legacy theme: fix missed smart home upgrade to mqtt 5.14.1
* restructure permission topics
* complete settings roles
* fix default security roles
* add default user group
* prepare cards theme for mqtt auth
* add version to default dynamic security roles
* rename some roles for easier parsing
* update acls (openWB#3106)
* update acls
* clean mosquitto conf.d on update
* reset password
* fix updating ACLs on startup
* fix token request
* minor fixes for password reset
* fix removing outdated ACL roles
* improve login and password reset dialogues
* koala: require data protection acknowledge for password reset
* koala: layout enhancements
* cards: login handling (temporary)
* cards: adopt logic for missing topics
* Cards: add parameter "hide_login"
* display wrapper: check for stored credentials
* cards display: layout fixes
* cleanup
* cards display: improve logout
* add stored credentials to backup
* fix local display startup
* add "userManagementSupported" flag for themes
* cards: updated dependencies
* koala: remove warning about anonymous connection
* add mqtt chargepoint role
* add io-device write rule
* add mqtt soc write rule (partial)
* integrate mqtt component write rules
* integrate "others/#" data
* fix adding roles on startup
* add display clients
* fix local display without internal charge point (standalone)
* fix factory and user management reset
* koala: modify mqtt connect message
* koala: updated packages
* cards: updated packages
* update default ACLs
* fix initializing user management
* display hostname
* HTTP-API: support basic auth for user management
* update default role for active bat control
* fix surplus charge configuration role
* modify acls for io configuration
* modify login/-out modals
* optimize password reset dialog
* fix init_user_management file check
* reload display after user management initialization
* fix initialization of roles and clients
1 parent 0d243cd commit 70a8d91

733 files changed

Lines changed: 82235 additions & 10175 deletions


.htaccess

Lines changed: 1 addition & 0 deletions
@@ -7,4 +7,5 @@
77
RedirectMatch 404 \.conf$
88
RedirectMatch 404 \.ini$
99
RedirectMatch 404 \.py$
10+
RedirectMatch 404 \.sh$
1011
ErrorDocument 404 /openWB/web/error.html
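Review bot: the new `RedirectMatch 404 \.sh$` extends a deny-list of file extensions, and a deny-list only blocks the names it lists; any other file type that ends up under the document root (a `.sh.bak`, a `.log`, a `.json`) is still served. Consider pairing the extension rules with a directory-level `Require all denied` for paths that must never be reachable from the web, as this same commit does in `data/clients/.htaccess`, so that the protection does not depend on the list being complete.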

data/clients/.gitignore

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
*.json
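Review bot: ignoring `*.json` in `data/clients/` keeps the per-client credential files out of version control, but on its own a `.gitignore` protects nothing at runtime; it pairs with the `Require all denied` in `data/clients/.htaccess` and should stay in sync with it. A one-line README (or comment) in this directory saying what these JSON files hold and why they must never be committed would help the next contributor who wants to add a template here.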

data/clients/.htaccess

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
<Files "*.json">
2+
Require all denied
3+
</Files>
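Review bot: the `<Files "*.json">` / `Require all denied` block only takes effect where `AllowOverride` permits `AuthConfig` directives; this commit's `localhost.conf` sets `AllowOverride All` for `/var/www/`, but the deny is lost silently if any vhost later tightens that. Since these files hold client credentials, the more robust fix is to keep them outside the DocumentRoot (or put the `Require all denied` into the main vhost configuration), and to add a check to the setup/test scripts that a request for a `.json` under `data/clients/` returns 403.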

data/config/apache/000-default.conf

Lines changed: 4 additions & 4 deletions
@@ -1,4 +1,4 @@
1-
# openwb-version:5
1+
# openwb-version:6
22
<VirtualHost *:80>
33
# The ServerName directive sets the request scheme, hostname and port that
44
# the server uses to identify itself. This is used when creating
@@ -37,9 +37,9 @@
3737
# after it has been globally disabled with "a2disconf".
3838
#Include conf-available/serve-cgi-bin.conf
3939

40-
ProxyPass "/ws" "ws://localhost:9001"
41-
# ToDo: remove the next line when main page is using vue.js
42-
ProxyPass "/mqtt" "ws://localhost:9001"
40+
# Proxy WebSocket and MQTT connections to Mosquitto
41+
# ToDo: remove /mqtt target once all clients use /ws
42+
ProxyPassMatch "^/(ws|mqtt)(/|$)" "ws://127.0.0.1:9003/"
4343
</VirtualHost>
4444

4545
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
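Review bot: the `ProxyPassMatch` target `ws://127.0.0.1:9003/` discards both capture groups, so `/ws`, `/ws/`, `/mqtt` and any `/ws/<suffix>` all reach the same broker path; that is fine for a WebSocket endpoint but worth stating in the comment. More importantly, the backend moved from port 9001 to 9003 without a note on what distinguishes the two listeners (the commit message adds a new loopback ws listener in Mosquitto), so document here which Mosquitto listener 9003 is and what it requires of the client. A `ws://` target also needs `mod_proxy_wstunnel`; make sure the apache setup enables it, otherwise this line turns every `/ws` request into a 500.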

data/config/apache/apache-openwb-ssl.conf

Lines changed: 5 additions & 4 deletions
@@ -1,4 +1,4 @@
1-
# openwb-version:6
1+
# openwb-version:8
22
<IfModule mod_ssl.c>
33
<VirtualHost _default_:443>
44
ServerAdmin webmaster@localhost
@@ -139,9 +139,10 @@
139139
# nokeepalive ssl-unclean-shutdown \
140140
# downgrade-1.0 force-response-1.0
141141

142-
ProxyPass "/ws" "ws://localhost:9001"
143-
# ToDo: remove the next line when main page is using vue.js
144-
ProxyPass "/mqtt" "ws://localhost:9001"
142+
# Proxy WebSocket and MQTT connections to Mosquitto
143+
# ToDo: remove /mqtt target once all clients use /ws
144+
ProxyPassMatch "^/(ws|mqtt)(/|$)" "ws://127.0.0.1:9003/"
145+
145146
</VirtualHost>
146147
</IfModule>
147148

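Review bot: this is the third copy of the same two comment lines plus `ProxyPassMatch` (the others are in `000-default.conf` and `localhost.conf`), so a port change like 9001 to 9003 has to be repeated in three places and is easy to miss in one. Move the stanza into a single snippet (e.g. under `conf-available/`) and `Include` it from each vhost. The blank line added at 145+ is stray whitespace.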
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
# openwb-version:1
2+
<VirtualHost *:80>
3+
# The ServerName directive sets the request scheme, hostname and port that
4+
# the server uses to identify itself. This is used when creating
5+
# redirection URLs. In the context of virtual hosts, the ServerName
6+
# specifies what hostname must appear in the request's Host: header to
7+
# match this virtual host. For the default virtual host (this file) this
8+
# value is not decisive as it is used as a last resort host regardless.
9+
# However, you must set it for any further virtual host explicitly.
10+
#ServerName www.example.com
11+
12+
ServerAdmin webmaster@localhost
13+
DocumentRoot /var/www/html
14+
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
15+
# error, crit, alert, emerg.
16+
# It is also possible to configure the loglevel for particular
17+
# modules, e.g.
18+
#LogLevel info ssl:warn
19+
20+
ErrorLog ${APACHE_LOG_DIR}/error.log
21+
#CustomLog ${APACHE_LOG_DIR}/access.log combined
22+
23+
# redirect all HTTP traffic to HTTPS
24+
RewriteEngine On
25+
RewriteCond %{HTTPS} off
26+
RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
27+
</VirtualHost>
28+
29+
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
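Review bot: this file declares a second `<VirtualHost *:80>` next to the one in `000-default.conf`, so the two must never be enabled at the same time or Apache will serve whichever loads first; add a header comment stating that the setup swaps them when unencrypted access is disabled (the commit message describes that switch). The redirect uses `[R=301,L]`, which browsers cache permanently: once a client has seen it, re-enabling plain HTTP later will not take effect for that client until its cache is cleared, so a 302 (or 307) is the safer choice for a toggleable setting. `RewriteCond %{HTTPS} off` is redundant inside a port-80-only vhost but harmless, and `RewriteEngine On` requires `mod_rewrite` to be enabled.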

data/config/apache/localhost.conf

Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
# openwb-version:2
2+
Listen 127.0.0.1:81
3+
4+
<VirtualHost *:81>
5+
# The ServerName directive sets the request scheme, hostname and port that
6+
# the server uses to identify itself. This is used when creating
7+
# redirection URLs. In the context of virtual hosts, the ServerName
8+
# specifies what hostname must appear in the request's Host: header to
9+
# match this virtual host. For the default virtual host (this file) this
10+
# value is not decisive as it is used as a last resort host regardless.
11+
# However, you must set it for any further virtual host explicitly.
12+
#ServerName www.example.com
13+
14+
ServerAdmin webmaster@localhost
15+
DocumentRoot /var/www/html
16+
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
17+
# error, crit, alert, emerg.
18+
# It is also possible to configure the loglevel for particular
19+
# modules, e.g.
20+
#LogLevel info ssl:warn
21+
22+
ErrorLog ${APACHE_LOG_DIR}/error.log
23+
#CustomLog ${APACHE_LOG_DIR}/access.log combined
24+
<Directory /var/www/>
25+
AllowOverride All
26+
Require all granted
27+
Options -Indexes
28+
</Directory>
29+
<Directory /var/www/html/openWB/ramdisk>
30+
Options +Indexes
31+
</Directory>
32+
<Directory /var/www/html/openWB/data/backup>
33+
Options +Indexes
34+
</Directory>
35+
# For most configuration files from conf-available/, which are
36+
# enabled or disabled at a global level, it is possible to
37+
# include a line for only one particular virtual host. For example the
38+
# following line enables the CGI configuration for this host only
39+
# after it has been globally disabled with "a2disconf".
40+
#Include conf-available/serve-cgi-bin.conf
41+
42+
# Proxy WebSocket and MQTT connections to Mosquitto
43+
# ToDo: remove /mqtt target once all clients use /ws
44+
ProxyPassMatch "^/(ws|mqtt)(/|$)" "ws://127.0.0.1:9003/"
45+
</VirtualHost>
46+
47+
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
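Review bot: `Listen 127.0.0.1:81` makes this vhost an unauthenticated side door for everything running on the box (the display and local scripts, but equally any other local process), so it should expose as little as possible. `Options +Indexes` on `/var/www/html/openWB/data/backup` publishes a listing of backup archives, which per the commit message now include stored credentials; drop the index on this vhost or restrict it to the path the display actually needs. Note also that `AllowOverride All` on `/var/www/` is what the `data/clients/.htaccess` deny depends on, so it must not be tightened without moving that rule here. The `ServerName` comment block copied from `000-default.conf` is noise in a loopback-only vhost; a short comment explaining why port 81 exists would serve readers better.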

data/config/display/lxdeautostart

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
1-
# openwb-version:1
1+
# openwb-version:4
22
# enable screen blanking / power management
33
xset s 15
44
# Start Chromium in kiosk mode
55
sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' ~/.config/chromium/'Local State'
66
sed -i 's/"exited_cleanly":false/"exited_cleanly":true/; s/"exit_type":"[^"]\+"/"exit_type":"Normal"/' ~/.config/chromium/Default/Preferences
7-
chromium --start-fullscreen --kiosk --incognito --noerrdialogs --disable-translate --no-first-run --fast --fast-start --disable-infobars --disable-features=TranslateUI --disk-cache-dir=/dev/null --password-store=basic --disable-pinch --overscroll-history-navigation=disabled --disable-features=TouchpadOverscrollHistoryNavigation http://localhost/openWB/web/display/
7+
chromium --start-fullscreen --kiosk --incognito --noerrdialogs --disable-translate --no-first-run --fast --fast-start --disable-infobars --disable-features=TranslateUI --disk-cache-dir=/dev/null --password-store=basic --disable-pinch --overscroll-history-navigation=disabled --disable-features=TouchpadOverscrollHistoryNavigation --ignore-certificate-errors --allow-insecure-localhost http://127.0.0.1:81/openWB/web/display/
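Review bot: `--ignore-certificate-errors` disables TLS certificate validation for every origin the kiosk browser loads, not just the display page; since the new URL is plain `http://127.0.0.1:81/...` and `--allow-insecure-localhost` already covers loopback origins, the global flag looks unnecessary, so either drop it or add a comment naming the HTTPS origin the display still hits. Separately, `--disable-features` is passed twice (`TranslateUI` and `TouchpadOverscrollHistoryNavigation`); Chromium keeps one value per switch, so merge them into a single comma-separated list.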

data/config/mosquitto/mosquitto_local.conf renamed to data/config/mosquitto/local/mosquitto_local.conf

Lines changed: 0 additions & 2 deletions
@@ -5,8 +5,6 @@ persistence_location /var/lib/mosquitto_local/
55
log_type error
66
log_type warning
77
log_dest file /var/log/mosquitto/mosquitto_local.log
8-
# timestamp format currently not supported in stretch or buster with mosquitto 1.5
9-
# only enable on bullseye and newer
108
log_timestamp_format %Y-%m-%dT%H:%M:%S
119

1210
include_dir /etc/mosquitto/conf_local.d
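Review bot: deleting the stretch/buster note removes the only record of why `log_timestamp_format` was once considered unsafe here; the commit message adds the official Mosquitto apt repository, which is presumably what lifts the restriction, so replace the two removed lines with a one-line comment naming the minimum Mosquitto version this file now assumes. That matters because downgrading is an explicitly supported path in this commit ("clean mosquitto.conf after restore to allow downgrading"), and a broker that rejects this option would fail to start.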
File renamed without changes.

0 commit comments
