modified log-in detail to enable admin-login from localhost with stored

hash even if localhost access is disabled. This is urgently needed for the apicall.sh script since that is used for high-availability set-up (checkalive and indexdump for index mirroring)
11 years ago · c951945666
parent 9bd71fdbb4
commit c951945666
2 changed files with 15 additions and 3 deletions
--- a/bin/apicall.sh
+++ b/bin/apicall.sh
@ -4,9 +4,10 @@ port=$(grep ^port= ../DATA/SETTINGS/yacy.conf |cut -d= -f2)
 pw=$(grep ^adminAccountBase64MD5= ../DATA/SETTINGS/yacy.conf |cut -d= -f2)

 if which curl &>/dev/null; then
-  curl -s --header "Authorization: realm=$pw" "http://127.0.0.1:$port/$1"
+  curl -s -u admin:$pw "http://127.0.0.1:$port/$1"
 elif which wget &>/dev/null; then
-  wget -q -t 1 --timeout=120 --header "Authorization: realm=$pw" "http://127.0.0.1:$port/$1" -O -
+  wget -q -t 1 --timeout=120 --http-user admin --http-password pw "http://127.0.0.1:$port/$1" -O -
 else
  exit 1
 fi
+
--- a/source/net/yacy/http/YaCyLegacyCredential.java
+++ b/source/net/yacy/http/YaCyLegacyCredential.java
@ -26,6 +26,7 @@ package net.yacy.http;

 import net.yacy.cora.order.Base64Order;
 import net.yacy.cora.order.Digest;
+import net.yacy.server.serverAccessTracker;

 import org.eclipse.jetty.util.security.Credential;

@ -55,7 +56,17 @@ public class YaCyLegacyCredential extends Credential {
    public boolean check(Object credentials) {
        if (credentials instanceof String) {
            final String pw = (String) credentials;
-            if (isBase64enc) return calcHash(foruser + ":" + pw).equals(this.hash); // for admin user
+            if (isBase64enc) {
+                if (serverAccessTracker.timeSinceAccessFromLocalhost() < 100) {
+                    // we allow localhost accesses also to submit the hash as password
+                    // this is very important since that method is used by the scripts in bin/ which are based on bin/apicall.sh
+                    // the cleartext password is not stored anywhere, but we must find a way to allow scripts to steer a peer.
+                    // this is the exception that makes that possible.
+                    // TODO: it should be better to check the actual access IP here, but that is not handed over to Credential classes :(
+                    if (pw.equals(this.hash)) return true;
+                }
+                return calcHash(foruser + ":" + pw).equals(this.hash); // for admin user
+            }
            // normal users
            return Digest.encodeMD5Hex(foruser + ":" + pw).equals(this.hash);
        }