refactoring (usage of constant names for attributes of authentication
check)
Orbiter committed Jan 5, 2014
1 parent b9d36e4 commit 7d6fc79
Showing 12 changed files with 55 additions and 51 deletions.
3 changes: 2 additions & 1 deletion htroot/Collage.java
@@ -29,6 +29,7 @@
import net.yacy.cora.protocol.RequestHeader;
import net.yacy.crawler.data.ResultImages;
import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;
import net.yacy.server.serverObjects;
import net.yacy.server.serverSwitch;

@@ -95,7 +96,7 @@ public static serverObjects respond(final RequestHeader header, final serverObje
// check if this loads a page from localhost, which must be prevented to protect the server
// against attacks to the administration interface when localhost access is granted
if ((Domains.isLocal(baseURL.getHost(), null) || Domains.isLocal(imageURL.getHost(), null)) &&
sb.getConfigBool("adminAccountForLocalhost", false)) continue;
sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)) continue;

final long z = imgZIndex[i];
prop.put("imgurl_list_" + c + "_url",
16 changes: 8 additions & 8 deletions htroot/ConfigAccounts_p.java
@@ -55,7 +55,7 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
UserDB.Entry entry = null;

// admin password
boolean localhostAccess = sb.getConfigBool("adminAccountForLocalhost", false);
boolean localhostAccess = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);
if (post != null && post.containsKey("setAdmin")) {
localhostAccess = Domains.isLocalhost(post.get("access", ""));
final String user = (post == null) ? "" : post.get("adminuser", "");
@@ -66,37 +66,37 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
if (user.length() > 0 && pw1.length() > 3 && pw1.equals(pw2)) {
// check passed. set account:
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, Digest.encodeMD5Hex(Base64Order.standardCoder.encodeString(user + ":" + pw1)));
env.setConfig("adminAccount", "");
env.setConfig("adminAccountUserName",user);
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT, "");
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME,user);
}

if (localhostAccess) {

sb.setConfig("adminAccountForLocalhost", true);
sb.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, true);
// if an localhost access is configured, check if a local password is given
// if not, set a random password
if (env.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").isEmpty()) {
// make a 'random' password
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "0000" + sb.genRandomPassword());
env.setConfig("adminAccount", "");
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT, "");
}
} else {
sb.setConfig("adminAccountForLocalhost", false);
sb.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);
if (env.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) {
// make shure that the user can still use the interface after a random password was set
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
}
}
}

if (env.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").isEmpty() && !env.getConfigBool("adminAccountForLocalhost", false)) {
if (env.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").isEmpty() && !env.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)) {
prop.put("passwordNotSetWarning", 1);
}

prop.put("localhost.checked", (localhostAccess) ? 1 : 0);
prop.put("account.checked", (localhostAccess) ? 0 : 1);
prop.put("statusPassword", localhostAccess ? "0" : "1");
prop.put("defaultUser", env.getConfig("adminAccountUserName", "admin"));
prop.put("defaultUser", env.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin"));

//default values
prop.put("current_user", "newuser");
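Review bot: The `"0000"` prefix that marks an auto-generated admin password is still a bare literal in `"0000" + sb.genRandomPassword()` and `startsWith("0000")`, and the same literal recurs in the `startsWith("0000")` and `"0000" + this.genRandomPassword()` hunks of Switchboard.java in this commit. Since the commit moves the config keys into SwitchboardConstants, the sentinel belongs there too, e.g. a constant such as `ADMIN_ACCOUNT_RANDOM_PREFIX = "0000"` (the name is only a suggestion), with a comment that a stored value starting with it is a random placeholder rather than the hash of a user-chosen password. In the same hunk, `(post == null) ? "" : post.get("adminuser", "")` sits inside `if (post != null && ...)`, so the null test is dead and can be dropped. `respond` starts and ends outside the visible hunks.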
2 changes: 1 addition & 1 deletion htroot/ConfigBasic.java
@@ -234,7 +234,7 @@ public static serverObjects respond(final RequestHeader header, final serverObje
prop.put("setUseCase_repositoryPath", sb.getConfig("repositoryPath", "/DATA/HTROOT/repository"));

// check if values are proper
final boolean properPassword = (sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").length() > 0) || sb.getConfigBool("adminAccountForLocalhost", false);
final boolean properPassword = (sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").length() > 0) || sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);
final boolean properName = (sb.peers.mySeed().getName().length() >= 3) && (!(Seed.isDefaultPeerName(sb.peers.mySeed().getName())));
final boolean properPort = (sb.peers.mySeed().isSenior()) || (sb.peers.mySeed().isPrincipal());

4 changes: 2 additions & 2 deletions htroot/SettingsAck_p.java
@@ -93,8 +93,8 @@ public static serverObjects respond(final RequestHeader header, final serverObje
}
// check passed. set account:
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, Digest.encodeMD5Hex(Base64Order.standardCoder.encodeString(user + ":" + pw1)));
env.setConfig("adminAccount", "");
env.setConfig("adminAccountUserName", user);
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT, "");
env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, user);
prop.put("info", "5");//admin account changed
prop.putHTML("info_user", user);
return prop;
4 changes: 2 additions & 2 deletions htroot/Status.java
@@ -131,14 +131,14 @@ public static serverObjects respond(

// password protection
if ( (sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").isEmpty())
&& (!sb.getConfigBool("adminAccountForLocalhost", false)) ) {
&& (!sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)) ) {
prop.put("protection", "0"); // not protected
prop.put("urgentSetPassword", "1");
} else {
prop.put("protection", "1"); // protected
}

if ( sb.getConfigBool("adminAccountForLocalhost", false) ) {
if ( sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false) ) {
prop.put("unrestrictedLocalAccess", 1);
}

3 changes: 2 additions & 1 deletion source/net/yacy/http/Jetty8YaCySecurityHandler.java
@@ -33,6 +33,7 @@
import net.yacy.cora.protocol.Domains;
import net.yacy.data.UserDB.AccessRight;
import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;

import org.eclipse.jetty.http.HttpSchemes;
import org.eclipse.jetty.security.RoleInfo;
@@ -168,7 +169,7 @@ protected boolean isAuthMandatory(Request baseRequest, Response base_response, O
@Override
protected RoleInfo prepareConstraintInfo(String pathInContext, Request request) {
final Switchboard sb = Switchboard.getSwitchboard();
final boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false);
final boolean adminAccountForLocalhost = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);
//final String adminAccountBase64MD5 = sb.getConfig(YaCyLegacyCredential.ADMIN_ACCOUNT_B64MD5, "");

String refererHost;
21 changes: 10 additions & 11 deletions source/net/yacy/http/YaCyLegacyCredential.java
@@ -26,6 +26,7 @@

import net.yacy.cora.order.Base64Order;
import net.yacy.cora.order.Digest;

import org.eclipse.jetty.util.security.Credential;


@@ -39,7 +40,7 @@ public class YaCyLegacyCredential extends Credential {
private String hash;
private String foruser; // remember the user as YaCy credential is username:pwd (not just pwd)
private boolean isBase64enc; // remember hash encoding false = encodeMD5Hex(usr:pwd) ; true = encodeMD5Hex(Base64Order.standardCoder.encodeString(usr:pw))

/**
* internal hash function
*
@@ -54,11 +55,9 @@ private static String calcHash(String pw) {
public boolean check(Object credentials) {
if (credentials instanceof String) {
final String pw = (String) credentials;
if (isBase64enc) { // for adminuser
return calcHash(foruser + ":" + pw).equals(this.hash);
} else { // for user
return Digest.encodeMD5Hex(foruser + ":" + pw).equals(this.hash);
}
if (isBase64enc) return calcHash(foruser + ":" + pw).equals(this.hash); // for admin user
// normal users
return Digest.encodeMD5Hex(foruser + ":" + pw).equals(this.hash);
}
throw new UnsupportedOperationException();
}
@@ -70,8 +69,8 @@ public boolean check(Object credentials) {
*/
public static Credential getCredentialsFromConfig(String username, String configHash) {
YaCyLegacyCredential c = new YaCyLegacyCredential();
c.foruser=username;
c.isBase64enc=true;
c.foruser = username;
c.isBase64enc = true;
c.hash = configHash;
return c;
}
@@ -84,9 +83,9 @@ public static Credential getCredentialsFromConfig(String username, String config
*/
public static Credential getCredentials(String username, String configHash) {
YaCyLegacyCredential c = new YaCyLegacyCredential();
c.foruser=username;
c.isBase64enc = false;
c.hash = configHash;
c.foruser = username;
c.isBase64enc = false;
c.hash = configHash;
//c.hash = calcHash(user + ":" + password);
return c;
}
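Review bot: Both returns in `check` compare the computed digest with the stored one using `String.equals`, which stops at the first differing character; a credential check is better served by a constant-time comparison. Compute the digest into a local chosen by `isBase64enc` and finish with `return MessageDigest.isEqual(computed.getBytes(StandardCharsets.UTF_8), this.hash.getBytes(StandardCharsets.UTF_8));` (this needs the `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imports). The brace-less `if (isBase64enc) return ...;` with a trailing comment is easy to misread next to the fall-through return, so keeping braces on the admin branch would be clearer. Both branches use an unsalted MD5 of `user:pw`; the class would benefit from a comment stating that this format is kept only for compatibility with existing stored hashes, if that is indeed the intent.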
31 changes: 15 additions & 16 deletions source/net/yacy/http/YaCyLoginService.java
@@ -49,7 +49,7 @@ protected UserIdentity loadUser(String username) {

// TODO: implement legacy credentials
final Switchboard sb = Switchboard.getSwitchboard();
String adminuser = sb.getConfig("adminAccountUserName", "admin");
String adminuser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
if (username.equals(adminuser)) {
final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
// in YaCy the credential hash is composed of username:pwd so the username is needed to create valid credential
@@ -66,23 +66,22 @@ protected UserIdentity loadUser(String username) {
subject.setReadOnly();
IdentityService is = getIdentityService();
return is.newUserIdentity(subject, userPrincipal, new String[]{AccessRight.ADMIN_RIGHT.toString()});
} else { // get user data from UserDB
Entry user = sb.userDB.getEntry(username);
if (user != null) {
if (user.hasRight(AccessRight.ADMIN_RIGHT)) {
String[] role = new String[]{AccessRight.ADMIN_RIGHT.toString()};
}
Entry user = sb.userDB.getEntry(username);
if (user != null) {
if (user.hasRight(AccessRight.ADMIN_RIGHT)) {
String[] role = new String[]{AccessRight.ADMIN_RIGHT.toString()};

Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
subject.getPrivateCredentials().add(credential);
subject.setReadOnly();
IdentityService is = getIdentityService();
Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
subject.getPrivateCredentials().add(credential);
subject.setReadOnly();
IdentityService is = getIdentityService();

return is.newUserIdentity(subject, userPrincipal, role);
}
}
return is.newUserIdentity(subject, userPrincipal, role);
}
}
return null;
}
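Review bot: A UserDB entry that lacks `ADMIN_RIGHT` falls through to `return null` without any comment, so it is handled exactly like an unknown user; if that is intended, the code should say so, e.g. `// only UserDB entries with ADMIN_RIGHT get an identity; everyone else is rejected`. With the `else` gone, the two nested `if`s can become a single guard, `if (user == null || !user.hasRight(AccessRight.ADMIN_RIGHT)) return null;`, which leaves the identity construction unindented. The `// TODO: implement legacy credentials` line in the first hunk looks stale, since `YaCyLegacyCredential` is used a few lines below. `loadUser` starts before the first hunk and the admin branch is only partly visible.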
4 changes: 2 additions & 2 deletions source/net/yacy/migration.java
@@ -234,9 +234,9 @@ public static void migrateWorkFiles(final Switchboard sb){
public static void presetPasswords(final Switchboard sb) {
// set preset accounts/passwords
String acc;
if ((acc = sb.getConfig("adminAccount", "")).length() > 0) {
if ((acc = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT, "")).length() > 0) {
sb.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, Digest.encodeMD5Hex(Base64Order.standardCoder.encodeString(acc)));
sb.setConfig("adminAccount", "");
sb.setConfig(SwitchboardConstants.ADMIN_ACCOUNT, "");
}

// fix unsafe old passwords
9 changes: 5 additions & 4 deletions source/net/yacy/search/Switchboard.java
@@ -208,6 +208,7 @@
import net.yacy.utils.crypt;

import com.google.common.io.Files;

import net.yacy.http.YaCyHttpServer;


@@ -886,7 +887,7 @@ public void run() {
// that an automatic authorization of localhost is done, because in this case crawls from local
// addresses are blocked to prevent attack szenarios where remote pages contain links to localhost
// addresses that can steer a YaCy peer
if ( !getConfigBool("adminAccountForLocalhost", false) ) {
if ( !getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false) ) {
if ( getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000") ) {
// the password was set automatically with a random value.
// We must remove that here to prevent that a user cannot log in any more
@@ -2056,11 +2057,11 @@ public boolean cleanupJob() {
}

// set a random password if no password is configured
if ( getConfigBool("adminAccountForLocalhost", false)
if ( getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)
&& getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").isEmpty() ) {
// make a 'random' password
setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "0000" + this.genRandomPassword());
setConfig("adminAccount", "");
setConfig(SwitchboardConstants.ADMIN_ACCOUNT, "");
}

// stop greedylearning if limit is reached
@@ -3242,7 +3243,7 @@ public int adminAuthenticated(final RequestHeader requestHeader) {

// authorization for localhost, only if flag is set to grant localhost access as admin
final boolean accessFromLocalhost = requestHeader.accessFromLocalhost();
if ( getConfigBool("adminAccountForLocalhost", false) && accessFromLocalhost ) {
if ( getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false) && accessFromLocalhost ) {
adminAuthenticationLastAccess = System.currentTimeMillis();
return 3; // soft-authenticated for localhost
}
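Review bot: In the `adminAuthenticated` hunk, the localhost branch returns 3 on the strength of `requestHeader.accessFromLocalhost()` alone, and how that flag is derived is not visible here. If it reflects the socket peer address, a peer published through a reverse proxy or tunnel on the same machine would treat every forwarded request as local, so the branch deserves a comment stating the assumption, for example `// relies on the connection's peer address; do not enable ADMIN_ACCOUNT_FOR_LOCALHOST behind a local reverse proxy`. The bare `return 3` would also read better as a named constant. The method continues outside the hunk.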
7 changes: 5 additions & 2 deletions source/net/yacy/search/SwitchboardConstants.java
@@ -41,8 +41,11 @@ public final class SwitchboardConstants {
* <p>Name of the setting holding the authentication hash for the static <code>admin</code>-account. It is calculated
* by first encoding <code>username:password</code> as Base64 and hashing it using {@link MapTools#encodeMD5Hex(String)}.</p>
*/
public static final String ADMIN_ACCOUNT_B64MD5 = "adminAccountBase64MD5";

public static final String ADMIN_ACCOUNT = "adminAccount";
public static final String ADMIN_ACCOUNT_B64MD5 = "adminAccountBase64MD5";
public static final String ADMIN_ACCOUNT_USER_NAME = "adminAccountUserName"; // by default 'admin'
public static final String ADMIN_ACCOUNT_FOR_LOCALHOST = "adminAccountForLocalhost";

public static final int CRAWLJOB_SYNC = 0;
public static final int CRAWLJOB_STATUS = 1;
// 20_dhtdistribution
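Review bot: The Javadoc block describing the authentication hash now sits directly above `ADMIN_ACCOUNT`, so documentation tools will attach it to the wrong constant; either move `ADMIN_ACCOUNT` below `ADMIN_ACCOUNT_B64MD5` or put the block back immediately above `ADMIN_ACCOUNT_B64MD5`. The three new constants have no Javadoc of their own, and as security settings each deserves a line, e.g. `/** If true, requests from localhost are treated as admin without a password. */` on `ADMIN_ACCOUNT_FOR_LOCALHOST`. For `ADMIN_ACCOUNT`, a note that it appears to be the legacy clear-text account value, which `presetPasswords` in migration.java hashes into `ADMIN_ACCOUNT_B64MD5` and then clears, would help readers. The existing block also links `MapTools#encodeMD5Hex` while the callers in this commit use `Digest.encodeMD5Hex`, so the link may be outdated. The Javadoc opens above the hunk.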
2 changes: 1 addition & 1 deletion source/net/yacy/yacy.java
@@ -355,7 +355,7 @@ public void run() {
final boolean browserPopUpTrigger = sb.getConfig(SwitchboardConstants.BROWSER_POP_UP_TRIGGER, "true").equals("true");
if (browserPopUpTrigger) try {
final String browserPopUpPage = sb.getConfig(SwitchboardConstants.BROWSER_POP_UP_PAGE, "ConfigBasic.html");
//boolean properPW = (sb.getConfig("adminAccount", "").isEmpty()) && (sb.getConfig(httpd.ADMIN_ACCOUNT_B64MD5, "").length() > 0);
//boolean properPW = (sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT, "").isEmpty()) && (sb.getConfig(httpd.ADMIN_ACCOUNT_B64MD5, "").length() > 0);
//if (!properPW) browserPopUpPage = "ConfigBasic.html";
Browser.openBrowser(("http://localhost:"+port) + "/" + browserPopUpPage);
// Browser.openBrowser((server.withSSL()?"https":"http") + "://localhost:" + serverCore.getPortNr(port) + "/" + browserPopUpPage);
