From f7e9f9be5fae062f830f6306447ccfe71228bb89 Mon Sep 17 00:00:00 2001
From: reger
Date: Tue, 29 Nov 2016 03:20:33 +0100
Subject: [PATCH] move Digest auth checks from DefaultServlet to adminAuthenticated, eliminating the need to modify http header on Servlet container handled Digest authentication, to simulate Basic auth for YaCy servlets.

---
 .../http/servlets/YaCyDefaultServlet.java | 27 -------------------
 source/net/yacy/search/Switchboard.java | 22 ++++++++++++---
 2 files changed, 19 insertions(+), 30 deletions(-)

diff --git a/source/net/yacy/http/servlets/YaCyDefaultServlet.java b/source/net/yacy/http/servlets/YaCyDefaultServlet.java
index 2f20d741f..38f80f7df 100644
--- a/source/net/yacy/http/servlets/YaCyDefaultServlet.java
+++ b/source/net/yacy/http/servlets/YaCyDefaultServlet.java
@@ -69,8 +69,6 @@ import net.yacy.cora.protocol.RequestHeader;
 import net.yacy.cora.util.ByteBuffer;
 import net.yacy.cora.util.ConcurrentLog;
 import net.yacy.data.InvalidURLLicenceException;
-import net.yacy.data.UserDB.AccessRight;
-import net.yacy.data.UserDB.Entry;
 import net.yacy.kelondro.util.FileUtils;
 import net.yacy.kelondro.util.MemoryControl;
 import net.yacy.kelondro.util.NamePrefixThreadFactory;
@@ -738,31 +736,6 @@ public class YaCyDefaultServlet extends HttpServlet {
 legacyRequestHeader.put(HeaderFramework.CONNECTION_PROP_PATH, target); // target may contain a server side include (SSI)
 legacyRequestHeader.put(HeaderFramework.CONNECTION_PROP_EXT, targetExt);
- Switchboard sb = Switchboard.getSwitchboard();
- if (legacyRequestHeader.containsKey(RequestHeader.AUTHORIZATION)) {
- if (HttpServletRequest.BASIC_AUTH.equalsIgnoreCase(request.getAuthType())) {
- } else {
- // handle DIGEST auth for legacyHeader (create username:md5pwdhash
- if (request.getUserPrincipal() != null) {
- String userpassEncoded = request.getHeader(RequestHeader.AUTHORIZATION); // e.g. "Basic AdminMD5hash"
- if (userpassEncoded != null) {
- if (request.isUserInRole(AccessRight.ADMIN_RIGHT.toString()) && !sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5,"").isEmpty()) {
- // fake admin authentication for legacyRequestHeader (as e.g. DIGEST is not supported by legacyRequestHeader)
- legacyRequestHeader.put(RequestHeader.AUTHORIZATION, HttpServletRequest.BASIC_AUTH + " "
- + sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, ""));
- } else {
- // fake Basic auth header for Digest auth (Basic username:md5pwdhash)
- String username = request.getRemoteUser();
- Entry user = sb.userDB.getEntry(username);
- if (user != null) {
- legacyRequestHeader.put(RequestHeader.AUTHORIZATION, HttpServletRequest.BASIC_AUTH + " "
- + username + ":" + user.getMD5EncodedUserPwd());
- }
- }
- }
- }
- }
- }
 return legacyRequestHeader;
 }
diff --git a/source/net/yacy/search/Switchboard.java b/source/net/yacy/search/Switchboard.java
index 444713709..274f2a6fd 100644
--- a/source/net/yacy/search/Switchboard.java
+++ b/source/net/yacy/search/Switchboard.java
@@ -82,6 +82,7 @@ import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.solr.common.SolrDocument;
 import org.apache.solr.common.SolrInputDocument;
@@ -143,6 +144,7 @@ import net.yacy.data.BookmarksDB;
 import net.yacy.data.ListManager;
 import net.yacy.data.MessageBoard;
 import net.yacy.data.UserDB;
+import net.yacy.data.UserDB.AccessRight;
 import net.yacy.data.WorkTables;
 import net.yacy.data.wiki.WikiBoard;
 import net.yacy.data.wiki.WikiCode;
@@ -3530,9 +3532,23 @@ public final class Switchboard extends serverSwitch {
 return 1;
 }
- // security check against too long authorization strings
- if ( realmValue.length() > 256 ) {
- return 0;
+ if (HttpServletRequest.BASIC_AUTH.equalsIgnoreCase(requestHeader.getAuthType())) {
+ // security check against too long authorization strings (for BASIC auth)
+ if (realmValue.length() > 256) {
+ return 0;
+ }
+ } else {
+ // handle DIGEST auth by servlet container
+ if (requestHeader.getUserPrincipal() != null) { // user is authenticated (by Servlet container)
+ if (requestHeader.isUserInRole(AccessRight.ADMIN_RIGHT.toString())) {
+ // we could double check admin right (but we trust embedded container)
+ // String username = requestHeader.getUserPrincipal().getName();
+ // if ((username.equalsIgnoreCase(sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin")))
+ // || (sb.userDB.getEntry(username).hasRight(AccessRight.ADMIN_RIGHT)))
+ adminAuthenticationLastAccess = System.currentTimeMillis();
+ return 4; // has admin right
+ }
+ }
 }
 // authorization by encoded password, only for localhost access
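Review bot: The 256-character bound on `realmValue` now runs only when the container reports BASIC auth, so for any other `getAuthType()` value — including `null`, for which `equalsIgnoreCase` is simply false — an oversize Authorization header is no longer rejected before it reaches the encoded-password checks that follow the hunk. Hoisting the guard above the branch keeps the previous behaviour on every path: put `if (realmValue.length() > 256) { return 0; }` before `if (HttpServletRequest.BASIC_AUTH.equalsIgnoreCase(requestHeader.getAuthType()))`. In the `else` branch a container-authenticated principal without the admin role falls through to those same checks with a non-Basic credential in `realmValue`; if they parse it as a Basic token (not visible from this hunk), an explicit `return 0;` for that case would be safer than letting a Digest header be interpreted as one. The three commented-out double-check lines should be either enabled or deleted, keeping only the one-line comment that the container's role mapping is trusted. The enclosing method starts before and ends after this hunk.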