- ensure use of HTTP POST method : HTTP GET should only be used for information retrieval and not to perform server side effect operations (see HTTP standard https://tools.ietf.org/html/rfc7231#section-4.2.1) - a transaction token is now required for these administrative form submissions to ensure the request can not be included in an external site and performed silently/by mistake by the user browserpull/122/head
luccioman
8 years ago
parent
df5970df6d
commit
cde237b687
@ -1,3 +1,3 @@
|
||||
#!/usr/bin/env sh
|
||||
cd "`dirname $0`"
|
||||
./apicall.sh "/IndexControlURLs_p.html?deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=on" > /dev/null
|
||||
./protectedPostApiCall.sh "IndexControlURLs_p.html" "deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=on"
|
||||
@ -1,3 +1,3 @@
|
||||
#!/usr/bin/env sh
|
||||
cd "`dirname $0`"
|
||||
./apicall.sh "/IndexControlURLs_p.html?deleteIndex=off&deleteSolr=off&deleteCache=on&deleteCrawlQueues=off&deleteRobots=on&deleteSearchFl=on&deletecomplete=" > /dev/null
|
||||
./protectedPostApiCall.sh "IndexControlURLs_p.html" "deleteIndex=off&deleteSolr=off&deleteCache=on&deleteCrawlQueues=off&deleteRobots=on&deleteSearchFl=on&deletecomplete="
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
#!/usr/bin/env sh
|
||||
cd "`dirname $0`"
|
||||
./apicall.sh "/IndexControlURLs_p.html?deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=off" > /dev/null
|
||||
./protectedPostApiCall.sh "IndexControlURLs_p.html" "deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=off"
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
#!/usr/bin/env sh
|
||||
cd "`dirname $0`"
|
||||
./apicall.sh "/IndexControlURLs_p.html?urlhashdeleteall=&urlstring=$1" > /dev/null
|
||||
./protectedPostApiCall.sh "IndexControlURLs_p.html" "urlhashdeleteall=&urlstring=$1"
|
||||
|
||||
@ -0,0 +1,77 @@
|
||||
#!/usr/bin/env sh
|
||||
# Call a YaCy HTTP POST API URL protected by HTTP authentication and transaction token validation
|
||||
# $1 : API path
|
||||
# $2 : POST parameters (example : "param1=value1¶m2=value2")
|
||||
#
|
||||
# Authentication options :
|
||||
# - enable unauthenticated local access as administrator : set adminAccountForLocalhost=true in the DATA/SETTINGS/yacy.conf file
|
||||
# - OR use the legacy Basic HTTP authentication mode (unsecured for remote access): set the "auth-method" to BASIC in the defaults/web.xml file
|
||||
# - OR use the Digest HTTP authentication mode : set the "auth-method" to DIGEST in the defaults/web.xml file.
|
||||
# With that last option, the script will run in interactive mode as default, prompting for the administrator password.
|
||||
# To run in batch mode, you must first export an environment variable filled with the clear-text administrator password before using this script :
|
||||
# For example with > export YACY_ADMIN_PASSWORD=your_admin_password
|
||||
#
|
||||
|
||||
cd "`dirname $0`"
|
||||
port=$(grep ^port= ../DATA/SETTINGS/yacy.conf |cut -d= -f2)
|
||||
admin=$(grep ^adminAccountUserName= ../DATA/SETTINGS/yacy.conf |cut -d= -f2)
|
||||
adminAccountForLocalhost=$(grep ^adminAccountForLocalhost= ../DATA/SETTINGS/yacy.conf | cut -d= -f2)
|
||||
|
||||
if grep "<auth-method>BASIC</auth-method>" ../defaults/web.xml > /dev/null; then
|
||||
# When authentication method is in basic mode, use directly the password hash from the configuration file
|
||||
YACY_ADMIN_PASSWORD=$(grep ^adminAccountBase64MD5= ../DATA/SETTINGS/yacy.conf |cut -d= -f2)
|
||||
fi
|
||||
|
||||
if which curl > /dev/null; then
|
||||
if [ "$adminAccountForLocalhost" = "true" ]; then
|
||||
# localhost access as administrator without authentication is enabled
|
||||
|
||||
# retrieve the transaction token from the HTTP GET flavor of the URL
|
||||
transactionToken=$(curl -sSfI "http://127.0.0.1:$port/$1" | grep X-YaCy-Transaction-Token: | awk {'printf $2'} | tr -d '[:space:]')
|
||||
# send POST data including the transaction token
|
||||
curl -sSf -d "$2&transactionToken=$transactionToken" "http://127.0.0.1:$port/$1" > /dev/null
|
||||
|
||||
else
|
||||
if [ -z "$YACY_ADMIN_PASSWORD" ]; then
|
||||
# no password environment variable : we ask interactively for it only once (not using read -s to be POSIX compliant)
|
||||
stty -echo
|
||||
read -p "Enter host password for user '$admin':" YACY_ADMIN_PASSWORD
|
||||
stty echo
|
||||
printf "\n"
|
||||
fi
|
||||
|
||||
# retrieve the transaction token from the HTTP GET flavor of the URL
|
||||
transactionToken=$(curl -sSfI --anyauth -u "$admin:$YACY_ADMIN_PASSWORD" "http://127.0.0.1:$port/$1" | grep X-YaCy-Transaction-Token: | awk {'printf $2'} | tr -d '[:space:]')
|
||||
# send POST data including the transaction token
|
||||
curl -sSf --anyauth -u "$admin:$YACY_ADMIN_PASSWORD" -d "$2&transactionToken=$transactionToken" "http://127.0.0.1:$port/$1" > /dev/null
|
||||
|
||||
fi
|
||||
elif which wget > /dev/null; then
|
||||
|
||||
if [ "$adminAccountForLocalhost" = "true" ]; then
|
||||
# localhost access as administrator without authentication is enabled
|
||||
|
||||
# retrieve the transaction token from the HTTP GET flavor of the URL
|
||||
transactionToken=$(wget -q -t 1 -O - --save-headers --timeout=120 "http://127.0.0.1:$port/$1" | grep X-YaCy-Transaction-Token: | awk {'printf $2'} | tr -d '[:space:]')
|
||||
# send POST data including the transaction token
|
||||
wget -nv -t 1 -O /dev/null --timeout=120 --post-data "$2&transactionToken=$transactionToken" "http://127.0.0.1:$port/$1"
|
||||
|
||||
else
|
||||
if [ -z "$YACY_ADMIN_PASSWORD" ]; then
|
||||
# no password environment variable : we ask interactively for it only once (not using read -s to be POSIX compliant)
|
||||
stty -echo
|
||||
read -p "Enter host password for user '$admin':" YACY_ADMIN_PASSWORD
|
||||
stty echo
|
||||
printf "\n"
|
||||
fi
|
||||
|
||||
# retrieve the transaction token from the HTTP GET flavor of the URL
|
||||
transactionToken=$(wget -q -t 1 -O - --http-user "$admin" --http-password "$YACY_ADMIN_PASSWORD" --save-headers --timeout=120 "http://127.0.0.1:$port/$1" | grep X-YaCy-Transaction-Token: | awk {'printf $2'} | tr -d '[:space:]')
|
||||
# send POST data including the transaction token
|
||||
wget -nv -t 1 -O /dev/null --timeout=120 --http-user "$admin" --http-password "$YACY_ADMIN_PASSWORD" --post-data "$2&transactionToken=$transactionToken" "http://127.0.0.1:$port/$1"
|
||||
|
||||
fi
|
||||
else
|
||||
printf "Please install curl or wget\n" > /dev/stderr
|
||||
exit 1
|
||||
fi
|
||||
@ -0,0 +1,47 @@
|
||||
// BadTransactionException.java
|
||||
// Copyright 2017 by luccioman; https://github.com/luccioman
|
||||
//
|
||||
// This is a part of YaCy, a peer-to-peer based web search engine
|
||||
//
|
||||
// LICENSE
|
||||
//
|
||||
// This program is free software; you can redistribute it and/or modify
|
||||
// it under the terms of the GNU General Public License as published by
|
||||
// the Free Software Foundation; either version 2 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with this program; if not, write to the Free Software
|
||||
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
package net.yacy.data;
|
||||
|
||||
/**
|
||||
* Exception indicating a transaction is not valid.
|
||||
*
|
||||
*/
|
||||
public class BadTransactionException extends RuntimeException {
|
||||
|
||||
/** Generated serialization id */
|
||||
private static final long serialVersionUID = -8128202785152200358L;
|
||||
|
||||
/**
|
||||
* Default constructor : use generic message
|
||||
*/
|
||||
public BadTransactionException() {
|
||||
super("Transaction is not valid");
|
||||
}
|
||||
|
||||
/**
|
||||
* @param message detail message
|
||||
*/
|
||||
public BadTransactionException(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
}
|
||||
@ -0,0 +1,180 @@
|
||||
// TransactionManager.java
|
||||
// Copyright 2017 by luccioman; https://github.com/luccioman
|
||||
//
|
||||
// This is a part of YaCy, a peer-to-peer based web search engine
|
||||
//
|
||||
// LICENSE
|
||||
//
|
||||
// This program is free software; you can redistribute it and/or modify
|
||||
// it under the terms of the GNU General Public License as published by
|
||||
// the Free Software Foundation; either version 2 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with this program; if not, write to the Free Software
|
||||
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
package net.yacy.data;
|
||||
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.security.MessageDigest;
|
||||
import java.util.UUID;
|
||||
|
||||
import org.apache.commons.codec.digest.HmacUtils;
|
||||
|
||||
import net.yacy.cora.order.Base64Order;
|
||||
import net.yacy.cora.protocol.HeaderFramework;
|
||||
import net.yacy.cora.protocol.RequestHeader;
|
||||
import net.yacy.http.servlets.DisallowedMethodException;
|
||||
import net.yacy.http.servlets.TemplateMissingParameterException;
|
||||
import net.yacy.search.Switchboard;
|
||||
import net.yacy.search.SwitchboardConstants;
|
||||
import net.yacy.server.serverObjects;
|
||||
|
||||
/**
|
||||
* This class provides transaction tokens generation and checking for protected operations.
|
||||
* These tokens should be designed to be hard to forge by an unauthenticated user.
|
||||
*/
|
||||
public class TransactionManager {
|
||||
|
||||
/** Parameter name of the transaction token */
|
||||
public static final String TRANSACTION_TOKEN_PARAM = "transactionToken";
|
||||
|
||||
/** Secret signing key valid until next server restart */
|
||||
private static final String SIGNING_KEY = UUID.randomUUID().toString();
|
||||
|
||||
/** Random token seed valid until next server restart */
|
||||
private static final String TOKEN_SEED = UUID.randomUUID().toString();
|
||||
|
||||
/**
|
||||
* @param header
|
||||
* current request header. Must not be null.
|
||||
* @return the name of the currently authenticated user (administrator user
|
||||
* name when the request comes from local host and unauthenticated local
|
||||
* access as administrator is enabled), or null when no authenticated.
|
||||
* @throws NullPointerException
|
||||
* when header parameter is null.
|
||||
*/
|
||||
private static String getCurrentUserName(final RequestHeader header) {
|
||||
String userName = header.getRemoteUser();
|
||||
|
||||
if (userName == null && header.accessFromLocalhost() && Switchboard.getSwitchboard() != null) {
|
||||
final String adminAccountUserName = Switchboard.getSwitchboard().getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
|
||||
final String adminAccountBase64MD5 = Switchboard.getSwitchboard().getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
|
||||
|
||||
if(Switchboard.getSwitchboard()
|
||||
.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false)) {
|
||||
/* Unauthenticated local access as administrator can be enabled */
|
||||
userName = adminAccountUserName;
|
||||
} else {
|
||||
/* authorization by encoded password, only for localhost access (used by bash scripts)*/
|
||||
String pass = Base64Order.standardCoder.encodeString(adminAccountUserName + ":" + adminAccountBase64MD5);
|
||||
|
||||
/* get the authorization string from the header */
|
||||
final String realmProp = (header.get(RequestHeader.AUTHORIZATION, "")).trim();
|
||||
final String realmValue = realmProp.isEmpty() ? null : realmProp.substring(6); // take out "BASIC "
|
||||
|
||||
if (pass.equals(realmValue)) { // assume realmValue as is in cfg
|
||||
userName = adminAccountUserName;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return userName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a transaction token to be used later on a protected HTTP post method
|
||||
* call on the same path with the currently authenticated user.
|
||||
*
|
||||
* @param header
|
||||
* current request header
|
||||
* @return a transaction token
|
||||
* @throws IllegalArgumentException
|
||||
* when header parameter is null or when the user is not authenticated.
|
||||
*/
|
||||
public static String getTransactionToken(final RequestHeader header) {
|
||||
if (header == null) {
|
||||
throw new IllegalArgumentException("Missing required header parameter");
|
||||
}
|
||||
|
||||
return getTransactionToken(header, header.getPathInfo());
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a transaction token to be used later on a protected HTTP post method
|
||||
* call on the specified path with the currently authenticated user.
|
||||
*
|
||||
* @param header
|
||||
* current request header
|
||||
* @param path the relative path for which the token will be valid
|
||||
* @return a transaction token for the specified path
|
||||
* @throws IllegalArgumentException
|
||||
* when a parameter is null or when the user is not authenticated.
|
||||
*/
|
||||
public static String getTransactionToken(final RequestHeader header, final String path) {
|
||||
if (header == null) {
|
||||
throw new IllegalArgumentException("Missing required header parameter");
|
||||
}
|
||||
|
||||
/* Check this comes from an authenticated user */
|
||||
final String userName = getCurrentUserName(header);
|
||||
if (userName == null) {
|
||||
throw new IllegalArgumentException("User is not authenticated");
|
||||
}
|
||||
|
||||
/* Produce a token by signing a message with the server secret key :
|
||||
* The token is not unique per request and thus keeps the service stateless
|
||||
* (no need to store tokens until they are consumed).
|
||||
* On the other hand, it is supposed to remain hard enough to forge because the secret key and token seed
|
||||
* are initialized with a random value at each server startup */
|
||||
final String token = HmacUtils.hmacSha1Hex(SIGNING_KEY, TOKEN_SEED + userName + path);
|
||||
|
||||
|
||||
return token;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check the current request is a valid HTTP POST transaction : the current user is authenticated,
|
||||
* and the request post parameters contain a valid transaction token.
|
||||
* @param header current request header
|
||||
* @param post request parameters
|
||||
* @throws IllegalArgumentException when a parameter is null.
|
||||
* @throws DisallowedMethodException when the HTTP method is something else than post
|
||||
* @throws TemplateMissingParameterException when the transaction token is missing
|
||||
* @throws BadTransactionException when a condition for valid transaction is not met.
|
||||
*/
|
||||
public static void checkPostTransaction(final RequestHeader header, final serverObjects post) {
|
||||
if (header == null || post == null) {
|
||||
throw new IllegalArgumentException("Missing required parameters.");
|
||||
}
|
||||
|
||||
if(!HeaderFramework.METHOD_POST.equals(header.getMethod())) {
|
||||
throw new DisallowedMethodException("HTTP POST method is the only one authorized.");
|
||||
}
|
||||
|
||||
String userName = getCurrentUserName(header);
|
||||
if (userName == null) {
|
||||
throw new BadTransactionException("User is not authenticated.");
|
||||
}
|
||||
|
||||
final String transactionToken = post.get(TRANSACTION_TOKEN_PARAM);
|
||||
if(transactionToken == null) {
|
||||
throw new TemplateMissingParameterException("Missing transaction token.");
|
||||
}
|
||||
|
||||
final String token = HmacUtils.hmacSha1Hex(SIGNING_KEY, TOKEN_SEED + userName + header.getPathInfo());
|
||||
|
||||
/* Compare the server generated token with the one received in the post parameters,
|
||||
* using a time constant function */
|
||||
if(!MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), transactionToken.getBytes(StandardCharsets.UTF_8))) {
|
||||
throw new BadTransactionException("Invalid transaction token.");
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
@ -0,0 +1,47 @@
|
||||
// DisallowedMethodException.java
|
||||
// Copyright 2017 by luccioman; https://github.com/luccioman
|
||||
//
|
||||
// This is a part of YaCy, a peer-to-peer based web search engine
|
||||
//
|
||||
// LICENSE
|
||||
//
|
||||
// This program is free software; you can redistribute it and/or modify
|
||||
// it under the terms of the GNU General Public License as published by
|
||||
// the Free Software Foundation; either version 2 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with this program; if not, write to the Free Software
|
||||
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
package net.yacy.http.servlets;
|
||||
|
||||
/**
|
||||
* Exception indicating a request HTTP method is not allowed.
|
||||
*
|
||||
*/
|
||||
public class DisallowedMethodException extends RuntimeException {
|
||||
|
||||
/** Generated serialization id */
|
||||
private static final long serialVersionUID = -8128202785152200358L;
|
||||
|
||||
/**
|
||||
* Default constructor : use generic message
|
||||
*/
|
||||
public DisallowedMethodException() {
|
||||
super("HTTP method is not allowed");
|
||||
}
|
||||
|
||||
/**
|
||||
* @param message detail message
|
||||
*/
|
||||
public DisallowedMethodException(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
}
|
||||
Loading…
Reference in new issue