tweak Jetty credentials to work with YaCy UserDB

- user entry in UserDB with admin right can login to access protected pages
- dto. admin user, choosen username is stored in conf (adminAccountUserName=)

defaults/yacy.init

@@ -384,6 +384,7 @@ use_proxyAccounts=true
 #adminAccount=admin:mysecretpassword
 adminAccount=
 adminAccountBase64MD5=
+adminAccountUserName=admin
 
 # special access handling for users from localhost:
 # access from localhost may be granted with administration authority

htroot/ConfigAccounts_p.java

@@ -67,6 +67,7 @@ public class ConfigAccounts_p {
                 // check passed. set account:
                 env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, Digest.encodeMD5Hex(Base64Order.standardCoder.encodeString(user + ":" + pw1)));
                 env.setConfig("adminAccount", "");
+                env.setConfig("adminAccountUserName",user);
             }
 
             if (localhostAccess) {

htroot/SettingsAck_p.java

@@ -94,6 +94,7 @@ public class SettingsAck_p {
             // check passed. set account:
             env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, Digest.encodeMD5Hex(Base64Order.standardCoder.encodeString(user + ":" + pw1)));
             env.setConfig("adminAccount", "");
+            env.setConfig("adminAccountUserName", user);
             prop.put("info", "5");//admin account changed
             prop.putHTML("info_user", user);
             return prop;

source/net/yacy/http/Jetty8YaCySecurityHandler.java

@@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import net.yacy.cora.document.id.MultiProtocolURL;
 import net.yacy.cora.protocol.Domains;
+import net.yacy.data.UserDB.AccessRight;
 import net.yacy.search.Switchboard;
 
 import org.eclipse.jetty.http.HttpSchemes;
@@ -189,13 +190,12 @@ public class Jetty8YaCySecurityHandler extends SecurityHandler {
             protectedPage = pathInContext.startsWith("/solr/") || pathInContext.startsWith("/gsa/");                        
         }
         //final boolean accountEmpty = adminAccountBase64MD5.length() == 0;
-        //final boolean yacyBot = request.getHeader("User-Agent").startsWith("yacybot");
      
         if (protectedPage) { // TODO: none public site
             if (!grantedForLocalhost) {
                 RoleInfo roleinfo = new RoleInfo();
                 roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
-                roleinfo.addRole("admin"); //YaCyLoginService assigns "admin" role to admin user
+                roleinfo.addRole(AccessRight.ADMIN_RIGHT.toString()); // use AccessRights as role
                 return roleinfo;
             } // can omit else, as if grantedForLocalhost==true no constraint applies
               // TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?

source/net/yacy/http/YaCyLegacyCredential.java

@@ -38,9 +38,11 @@ public class YaCyLegacyCredential extends Credential {
     private static final long serialVersionUID = -3527894085562480001L;
     private String hash;
     private String foruser; // remember the user as YaCy credential is username:pwd (not just pwd)
+    private boolean isBase64enc; // remember hash encoding  false = encodeMD5Hex(usr:pwd) ; true = encodeMD5Hex(Base64Order.standardCoder.encodeString(usr:pw))
 
     /**
      * internal hash function
+     *
      * @param clear password
      * @return hash string
      */
@@ -52,32 +54,40 @@ public class YaCyLegacyCredential extends Credential {
     public boolean check(Object credentials) {
         if (credentials instanceof String) {
             final String pw = (String) credentials;
+            if (isBase64enc) { // for adminuser
                 return calcHash(foruser + ":" + pw).equals(this.hash);                
+            } else { // for user
+                return Digest.encodeMD5Hex(foruser + ":" + pw).equals(this.hash);
+            }
         }
         throw new UnsupportedOperationException();
     }
 	
 	/**
 	 * create Credential object from config file hash
-	 * @param configHash hash as in config file
+	 * @param configHash hash as in config file hash(adminuser:pwd)
 	 * @return
 	 */
-	public static Credential getCredentialsFromConfig(String user, String configHash) {
+	public static Credential getCredentialsFromConfig(String username, String configHash) {
 		YaCyLegacyCredential c = new YaCyLegacyCredential();
-                c.foruser=user;
+                c.foruser=username;
+                c.isBase64enc=true;
 		c.hash = configHash;
 		return c;
 	}
 	
 	/**
 	 * create Credential object from password
-	 * @param password
+         * @param username
+	 * @param configHash encodeMD5Hex("user:pwd") as stored in UserDB
 	 * @return
 	 */
-	public static Credential getCredentials(String user, String password) {
+	public static Credential getCredentials(String username, String configHash) {
 		YaCyLegacyCredential c = new YaCyLegacyCredential();
-                c.foruser=user;
-		c.hash = calcHash(user + ":" + password);
+                c.foruser=username;
+                c.isBase64enc = false;
+                c.hash = configHash;
+		//c.hash = calcHash(user + ":" + password);
 		return c;
 	}
 

source/net/yacy/http/YaCyLoginService.java

@@ -28,6 +28,8 @@ import java.io.IOException;
 import java.security.Principal;
 
 import javax.security.auth.Subject;
+import net.yacy.data.UserDB.AccessRight;
+import net.yacy.data.UserDB.Entry;
 
 import net.yacy.search.Switchboard;
 import net.yacy.search.SwitchboardConstants;
@@ -44,9 +46,11 @@ public class YaCyLoginService extends MappedLoginService {
 
     @Override
     protected UserIdentity loadUser(String username) {
-		/*if(username.equals("admin"))*/ {
+
         // TODO: implement legacy credentials
         final Switchboard sb = Switchboard.getSwitchboard();
+        String adminuser = sb.getConfig("adminAccount", "admin");
+        if (username.equals(adminuser)) {
             final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
             // in YaCy the credential hash is composed of username:pwd so the username is needed to create valid credential 
             // not just the password (as usually in Jetty). As the accountname for the std. adminuser is not stored a useridentity 
@@ -61,9 +65,27 @@ public class YaCyLoginService extends MappedLoginService {
             subject.getPrivateCredentials().add(credential);
             subject.setReadOnly();
             IdentityService is = getIdentityService();
-			return is.newUserIdentity(subject, userPrincipal, new String[]{"admin"});
+            return is.newUserIdentity(subject, userPrincipal, new String[]{AccessRight.ADMIN_RIGHT.toString()});
+        } else { // get user data from UserDB            
+            Entry user = sb.userDB.getEntry(username);
+            if (user != null) {
+                String[] role;
+                if (user.hasRight(AccessRight.ADMIN_RIGHT)) {
+                    role = new String[]{AccessRight.ADMIN_RIGHT.toString()};
+
+                    Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
+                    Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
+                    Subject subject = new Subject();
+                    subject.getPrincipals().add(userPrincipal);
+                    subject.getPrivateCredentials().add(credential);
+                    subject.setReadOnly();
+                    IdentityService is = getIdentityService();
+
+                    return is.newUserIdentity(subject, userPrincipal, role);
+                } 
+            }
         }
-	//	return null;
+        return null;
     }
 	
 	@Override