boxtec
/
yacy_search_server
mirror of https://github.com/yacy/yacy_search_server
4
1
Fork 0
Code Issues Projects Releases Wiki Activity

removed concept of empty passwords as "no passwords used",

Browse Source 
because we now start YaCy with a default password (yacy).
This has impact of all function that check the current state of
password-protection that included the empty password situation,
including the warnings to set a password in case that none is set (which
cannot be the case any more).
pull/603/head
Michael Peter Christen 1 year ago
parent 2c60ff14bb
commit 4308aa5415
7 changed files with 49 additions and 79 deletions
Show Stats Download Patch File Download Diff File

13
htroot/ConfigAccounts_p.html
Unescape View File

@ -26,7 +26,12 @@
::
<p class="error">Username already used (not allowed).</p>
#(/error)#
#(passwordNotSetWarning)#::<div class="error">No password is set for the administration account. Please define a password for the admin account.</div>#(/passwordNotSetWarning)#
#(changedfltpw)#::
<div class="alert alert-danger" role="alert">
<b>WARNING</b> This YaCy instance can be administered with the account "admin" and the default password "yacy".
Change the password as soon as possible!
</div>
#(/changedfltpw)#
<fieldset><legend>Admin Account</legend>
<form action="ConfigAccounts_p.html" method="post" accept-charset="UTF-8">
@ -118,11 +123,9 @@
<dt><label for="address">Address</label>:</dt>
<dd><input type="text" id="address" name="address" value="#[address]#" /></dd>
<dt>Rights:</dt>
<dd>
#{rights}#
<dd>#{rights}#
<input type="checkbox" id="#[name]#" name="#[name]#"#(set)#:: checked="checked"#(/set)# /><label for="#[name]#">#[friendlyName]# right</label><br />
#{/rights}#
</dd>
#{/rights}#</dd>
<dt><label for="tlimit">Timelimit</label>:</dt>
<dd><input type="text" id="tlimit" name="timelimit" value="#[timelimit]#" /></dd>
<dt><label for="tused">Time used</label>:</dt>

9
htroot/Status_p.inc
Unescape View File

@ -18,16 +18,11 @@
</dd>
<dt>Protection</dt>
<dd>#(protection)#
<strong>Password is missing.</strong>
<strong>Default password is not changed</strong>
<a href="ConfigAccounts_p.html">[Configure]</a>
::
password-protected
#(/protection)#
#(unrestrictedLocalAccess)#
::
<br />Unrestricted access from localhost.
#(/unrestrictedLocalAccess)#
<a href="ConfigAccounts_p.html">[Configure]</a>
</dd>
<dt>Address</dt>

8
source/net/yacy/data/TransactionManager.java
Unescape View File

@ -63,18 +63,14 @@ public class TransactionManager {
*/
private static String getUserName(final RequestHeader header) {
String userName = header.getRemoteUser();
if (userName == null) userName = "admin"; // set a default to be able to create a transaction token
Switchboard sb = Switchboard.getSwitchboard();
if (sb != null) {
final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
final String adminAccountUserName = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
if (adminAccountBase64MD5.equals(sb.emptyPasswordAdminAccount)) {
// admin users with empty passwords do not need to authentify, thus do not have
// this header present. We just consider the name is "admin"
userName = adminAccountUserName;
}
if (userName == null && header.accessFromLocalhost()) {
if (header.accessFromLocalhost()) {
if (sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)) {
/* Unauthenticated local access as administrator can be enabled */

7
source/net/yacy/htroot/ConfigAccounts_p.java
Unescape View File

@ -112,9 +112,10 @@ public class ConfigAccounts_p {
}
}
if (env.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").isEmpty() && !env.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)) {
prop.put("passwordNotSetWarning", 1);
}
// set a warning in case that the default password was not changed
String currpw = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
String dfltpw = SwitchboardConstants.ADMIN_ACCOUNT_B64MD5_DEFAULT;
prop.put("changedfltpw", currpw.equals(dfltpw) ? "1" : "0");
prop.put(SwitchboardConstants.ADMIN_ACCOUNT_All_PAGES + ".checked", sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_All_PAGES, false) ? 1 : 0);
prop.put("localhost.checked", (localhostAccess) ? 1 : 0);

12
source/net/yacy/htroot/Status.java
Unescape View File

@ -131,14 +131,10 @@ public class Status
prop.put("privateStatusTable", "");
}
// password protection
if ( (sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").isEmpty())
&& (!sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)) ) {
prop.put("protection", "0"); // not protected
prop.put("urgentSetPassword", "1");
} else {
prop.put("protection", "1"); // protected
}
// password protection: set a warning in case that the default password was not changed
String currpw = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
String dfltpw = SwitchboardConstants.ADMIN_ACCOUNT_B64MD5_DEFAULT;
prop.put("protection", currpw.equals(dfltpw) ? "0" : "1");
if ( sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false) ) {
prop.put("unrestrictedLocalAccess", 1);

5
source/net/yacy/http/YaCySecurityHandler.java
Unescape View File

@ -84,10 +84,6 @@ public class YaCySecurityHandler extends ConstraintSecurityHandler {
// Pages suffixed with "_p" are by the way always considered protected
protectedPage = protectedPage || (pathInContext.indexOf("_p.") > 0);
// ..except that the password for the admin account is empty
final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
protectedPage = protectedPage && !adminAccountBase64MD5.equals(sb.emptyPasswordAdminAccount);
// check "/gsa" and "/solr" if not publicSearchpage
if (!protectedPage && !sb.getConfigBool(SwitchboardConstants.PUBLIC_SEARCHPAGE, true)) {
protectedPage = pathInContext.startsWith("/solr/") || pathInContext.startsWith("/gsa/");
@ -98,6 +94,7 @@ public class YaCySecurityHandler extends ConstraintSecurityHandler {
return null;
} else if (accessFromLocalhost) {
// last chance to authorize using the admin from localhost
final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
final String credentials = request.getHeader(RequestHeader.AUTHORIZATION);
if (credentials != null && credentials.length() < 120 && credentials.startsWith("Basic ")) { // Basic credentials are short "Basic " + b64(user:pwd)
final String foruser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");

26
source/net/yacy/search/Switchboard.java
Unescape View File

@ -316,7 +316,6 @@ public final class Switchboard extends serverSwitch {
private boolean startupAction = true; // this is set to false after the first event
private static Switchboard sb;
public HashMap<String, Object[]> crawlJobsStatus = new HashMap<>();
public String emptyPasswordAdminAccount;
public Switchboard(final File dataPath, final File appPath, final String initPath, final String configPath) {
super(dataPath, appPath, initPath, configPath);
@ -449,9 +448,6 @@ public final class Switchboard extends serverSwitch {
}
}.start();
// define the "non-password password"
this.emptyPasswordAdminAccount = this.encodeDigestAuth(this.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME,"admin"), "");
// init the language detector
this.log.config("Loading language profiles");
try {
@ -3907,13 +3903,10 @@ public final class Switchboard extends serverSwitch {
/**
* check authentication status for request access shall be granted if return value >= 2; these are the
* cases where an access is granted to protected pages:
* - a password is not configured: auth-level 2
* - access from localhost is granted and access comes from localhost: auth-level 3
* - a password is configured and access comes from localhost and the realm-value
* - access comes from localhost and the realm-value
* of a http-authentify String is equal to the stored base64MD5: auth-level 3
* - an empty password is configured an access comes from anywhere: auth-level 3
* This may be used in cluster installations where the cluster has an outside protection but inside is none needed.
* - a password is configured and access comes with matching http-authentify: auth-level 4
* - access comes with matching http-authentify: auth-level 4
*
* @param requestHeader
* - requestHeader.AUTHORIZATION = B64encode("adminname:password") or = B64encode("adminname:valueOf_Base64MD5cft")
@ -3931,19 +3924,6 @@ public final class Switchboard extends serverSwitch {
return 4; // hard-authenticated, quick return
}
// authorization in case that there is no account stored
final String adminAccountUserName = this.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
final String adminAccountBase64MD5 = this.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
if ( adminAccountBase64MD5.isEmpty() ) {
this.adminAuthenticationLastAccess = System.currentTimeMillis();
return 2; // no password stored; this should not happen for older peers
}
// authorization in case that administrators have stored an empty password; this authorizes all users as admin regardless of the give auth
if (adminAccountBase64MD5.equals(this.emptyPasswordAdminAccount)) {
return 3; // everyone is admin from everywhere
}
// authorization for localhost, only if flag is set to grant localhost access as admin
final boolean accessFromLocalhost = requestHeader.accessFromLocalhost();
if (accessFromLocalhost && this.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)) {
@ -3980,6 +3960,8 @@ public final class Switchboard extends serverSwitch {
}
// authorization by encoded password, only for localhost access
final String adminAccountUserName = this.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
final String adminAccountBase64MD5 = this.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
final String pass = Base64Order.standardCoder.encodeString(adminAccountUserName + ":" + adminAccountBase64MD5);
if ( accessFromLocalhost && (pass.equals(realmValue)) ) { // assume realmValue as is in cfg
this.adminAuthenticationLastAccess = System.currentTimeMillis();

Write Preview
Loading…
Cancel
Save