// // YaCyLegacyCredentials // Copyright 2011 by Florian Richter // First released 16.04.2011 at http://yacy.net // // $LastChangedDate$ // $LastChangedRevision$ // $LastChangedBy$ // // This library is free software; you can redistribute it and/or // modify it under the terms of the GNU Lesser General Public // License as published by the Free Software Foundation; either // version 2.1 of the License, or (at your option) any later version. // // This library is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU // Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public License // along with this program in the file lgpl21.txt // If not, see . // package net.yacy.http; import net.yacy.cora.order.Base64Order; import net.yacy.cora.order.Digest; import net.yacy.search.Switchboard; import net.yacy.search.SwitchboardConstants; import net.yacy.server.serverAccessTracker; import org.eclipse.jetty.util.security.Credential; /** * implementation of YaCy's old admin password as jetty Credential * supporting BASIC and DIGEST authentication * and using MD5 encryptet passwords/credentials. Following RFC recommendation (to use the realm in MD5 hash) * expecting a MD5 hash in format MD5( username:realm:password ), realm configured in yacy.init adminRealm * (exception: old style credential MD5( username:password ) still accepted with BASIC auth) * */ public class YaCyLegacyCredential extends Credential { private static final long serialVersionUID = -3527894085562480001L; private String hash; // remember password hash (for new style with prefix of used encryption supported "MD5:" ) private String foruser; // remember the user as YaCy credential is username:pwd (not just pwd) private boolean isBase64enc; // remember hash encoding false = encodeMD5Hex(usr:pwd) ; true = encodeMD5Hex(Base64Order.standardCoder.encodeString(usr:pw)) private Credential c; /** * internal hash function for admin account * * @param pw clear password * @return hash string */ public static String calcHash(String pw) { // old style hash return Digest.encodeMD5Hex(Base64Order.standardCoder.encodeString(pw)); } @Override public boolean check(Object credentials) { if (credentials instanceof Credential) { // for DIGEST auth if (this.c == null) { /* credential may be null after switching from BASIC to DIGEST authentication without re-encoding the password */ return false; } Credential credential = (Credential) credentials; return credential.check(this.c); } if (credentials instanceof String) { // for BASIC auth final String pw = (String) credentials; if (isBase64enc) { // for old B64MD5 admin hashes if (serverAccessTracker.timeSinceAccessFromLocalhost() < 100) { // we allow localhost accesses also to submit the hash as password // this is very important since that method is used by the scripts in bin/ which are based on bin/apicall.sh // the cleartext password is not stored anywhere, but we must find a way to allow scripts to steer a peer. // this is the exception that makes that possible. // TODO: it should be better to check the actual access IP here, but that is not handed over to Credential classes :( if ((pw).equals(this.hash)) return true; } // exception for admin use old style MD5hash (user:password) return calcHash(foruser + ":" + pw).equals(this.hash); // for admin user } // normal users (and new admin pwd) for BASIC auth if (hash.startsWith("MD5:") && hash != null) { String realm = Switchboard.getSwitchboard().getConfig(SwitchboardConstants.ADMIN_REALM, ""); boolean success = Digest.encodeMD5Hex(foruser + ":" + realm + ":" + pw).equals(hash.substring(4)); // exception: allow the hash as pwd (used in bin/apicall.sh) if (!success && foruser.equals(Switchboard.getSwitchboard().getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin"))) { if (pw.equals(hash)) { if (serverAccessTracker.timeSinceAccessFromLocalhost() < 100) { return true; } } } return success; } return Digest.encodeMD5Hex(foruser + ":" + pw).equals(hash); // for old userdb hashes } throw new UnsupportedOperationException(); } /** * create Credential object from config file hash * * @param configHash hash as in config file hash(adminuser:pwd) * @return */ public static Credential getCredentialForAdmin(String username, String configHash) { YaCyLegacyCredential yc = new YaCyLegacyCredential(); if (configHash.startsWith("MD5:")) { yc.isBase64enc = false; yc.c = Credential.getCredential(configHash); } else { yc.isBase64enc = true; } yc.foruser = username; yc.hash = configHash; return yc; } /** * create Credential object from password * * @param username * @param configHash encodeMD5Hex("user:realm:pwd") as stored in UserDB * @return */ public static Credential getCredentialForUserDB(String username, String configHash) { YaCyLegacyCredential yc = new YaCyLegacyCredential(); yc.c = Credential.getCredential(configHash); // creates a MD5 hash credential yc.foruser = username; yc.isBase64enc = false; yc.hash = configHash; return yc; } }