
Validate admin against authlist, adding utility for generating authlist entries, minor refactoring of metrics.

Matt Clark 1 year ago
parent
commit
c86bb23830

+ 6 - 0
README.md

@@ -82,6 +82,12 @@ Some users will want to generate a large number of barcodes with one request - a
 https://barcodeapi.org/multi.html?Barcode1&Barcode2&dm/A%20Data%20Matrix&qr/And%20QR/Automatic
 ```
 
+### Add Admin
+
+```
+java -cp server.jar org.barcodeapi.core.utils.AuthUtils username pa@ssw0rd >> config/authlist.conf
+```
+
 ## Third-Party
 
 BarcodeAPI.org is only made possible with the use of third-party software.

+ 1 - 1
config/authlist.conf

@@ -1 +1 @@
-admin:password
+admin:5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
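Review bot: The new entry stores an unsalted, single-round SHA-256 of the password, which is a fast digest rather than a password hash; the same scheme is produced by AuthUtils.main and checked by RestHandler.validateAdmin in this commit. For an admin credential a salted, iterated KDF would be the norm — PBKDF2 is available in the JDK with no new dependency via `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")`, with the salt and iteration count stored alongside the digest in the entry. The new value is presumably the digest of the previous plaintext default (`admin:password`) produced with the new tool, so the shipped default credential is unchanged; a header comment such as `# replace this entry before deploying; generate entries with AuthUtils (see README)` would make that explicit, provided Authlist's parser (not shown here) tolerates comment lines.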

+ 0 - 1
src/main/java/org/barcodeapi/core/ServerRuntime.java

@@ -32,7 +32,6 @@ public class ServerRuntime {
 			_RUNTIME_HOST = InetAddress.getLocalHost().getCanonicalHostName();
 			StatsCollector.getInstance()//
 					.setValue(_RUNTIME_HOST, "system", "host");
-
 		} catch (UnknownHostException e) {
 			throw new RuntimeException(e);
 		}

+ 12 - 0
src/main/java/org/barcodeapi/core/utils/AuthUtils.java

@@ -0,0 +1,12 @@
+package org.barcodeapi.core.utils;
+
+public class AuthUtils {
+
+	public static void main(String[] args) {
+
+		String passHash = StringUtils.sumSHA256(args[1].getBytes());
+		String userAuth = String.format("%s:%s", args[0], passHash);
+
+		System.out.println(userAuth);
+	}
+}
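Review bot: `args[1].getBytes()` hashes the password in the platform default charset, and `args[0]`/`args[1]` are read without an arity check, so a missing argument ends in an ArrayIndexOutOfBoundsException and a non-ASCII password can hash differently from the same string decoded by the server. Use `StandardCharsets.UTF_8` explicitly (with `import java.nio.charset.StandardCharsets;`; the verifying side in RestHandler.validateAdmin needs the same) and print a usage line to stderr when `args.length != 2`, so the `>> config/authlist.conf` redirect documented in the README never appends a broken entry. The README invocation also passes the password as a command-line argument, which lands in shell history and is visible to other local users through process listings; prompting with `System.console().readPassword()` when the second argument is absent would avoid that. The digest itself is unsalted single-round SHA-256, which is not a password-hashing construction.
```java
	public static void main(String[] args) {
		if (args.length != 2) {
			System.err.println("usage: AuthUtils <username> <password>");
			System.exit(2);
		}

		// hash the UTF-8 bytes so the result matches what the server computes
		String passHash = StringUtils.sumSHA256(args[1].getBytes(StandardCharsets.UTF_8));
		String userAuth = String.format("%s:%s", args[0], passHash);

		System.out.println(userAuth);
	}
```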

+ 1 - 1
src/main/java/org/barcodeapi/core/utils/StringUtils.java

@@ -54,7 +54,7 @@ public class StringUtils {
 		return options;
 	}
 
-	public static String generateChecksum(byte[] in) {
+	public static String sumSHA256(byte[] in) {
 
 		try {
 

+ 21 - 9
src/main/java/org/barcodeapi/server/core/RestHandler.java

@@ -2,12 +2,14 @@ package org.barcodeapi.server.core;
 
 import java.io.IOException;
 import java.net.InetAddress;
+import java.util.Base64;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.barcodeapi.core.utils.StringUtils;
 import org.barcodeapi.server.core.Log.LOG;
 import org.barcodeapi.server.session.CachedSession;
 import org.barcodeapi.server.session.SessionCache;
@@ -57,6 +59,10 @@ public abstract class RestHandler extends AbstractHandler {
 			throws IOException, ServletException {
 
 		long timeStart = System.currentTimeMillis();
+		getStats().hitCounter("request", "count");
+		getStats().hitCounter("request", "method", request.getMethod());
+		getStats().hitCounter("request", "target", _NAME, "count");
+		getStats().hitCounter("request", "target", _NAME, "method", request.getMethod());
 
 		// skip if already handled
 		if (!baseRequest.isHandled()) {
@@ -113,7 +119,7 @@ public abstract class RestHandler extends AbstractHandler {
 
 			getStats().hitCounter("request", "authfail", request.getMethod());
 			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-			response.setHeader("WWW-Authenticate", "Basic realm=Welcome");
+			response.setHeader("WWW-Authenticate", "Basic realm=BarcodeAPI.org Admin API");
 			return;
 		}
 
@@ -127,15 +133,10 @@ public abstract class RestHandler extends AbstractHandler {
 			e.printStackTrace();
 		}
 
-		long targetTime = System.currentTimeMillis() - timeStart;
-
 		// hit the counters
-		getStats().hitCounter("request", "count");
+		long targetTime = System.currentTimeMillis() - timeStart;
 		getStats().hitCounter(targetTime, "request", "time");
-		getStats().hitCounter("request", "method", request.getMethod());
-		getStats().hitCounter("request", "target", _NAME, "count");
 		getStats().hitCounter(targetTime, "request", "target", _NAME, "time");
-		getStats().hitCounter("request", "target", _NAME, "method", request.getMethod());
 	}
 
 	protected abstract void onRequest(HttpServletRequest request, HttpServletResponse response) throws Exception;
@@ -157,9 +158,20 @@ public abstract class RestHandler extends AbstractHandler {
 
 	protected boolean validateAdmin(HttpServletRequest request) {
 
+		// false if no authentication
 		String auth = request.getHeader("Authorization");
-		System.out.println("Got: " + auth);
-		return false;
+		if (auth == null || !auth.startsWith("Basic")) {
+			return false;
+		}
+
+		String authString = auth.substring(6);
+		String decode = new String(Base64.getDecoder().decode(authString));
+		String[] unpw = decode.split(":");
+
+		String passHash = StringUtils.sumSHA256(unpw[1].getBytes());
+		String userAuth = String.format("%s:%s", unpw[0], passHash);
+
+		return Authlist.getAuthlist().contains(userAuth);
 	}
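Review bot: validateAdmin parses attacker-controlled header text but lets malformed input throw: `auth.substring(6)` fails with StringIndexOutOfBoundsException when the header is exactly `Basic`, `Base64.getDecoder().decode` throws IllegalArgumentException on non-Base64 text, and `unpw[1]` throws when the decoded string has no `:`. Unless a caller outside this hunk catches them, each is an unhandled exception from an unauthenticated request where a plain `false` is wanted. `decode.split(":")` also splits on every colon, so a password containing `:` is truncated to its first segment, and `new String(...)`/`getBytes()` use the platform charset, so a non-ASCII password verifies only when the server and AuthUtils ran under the same default. The rewrite below returns false on each malformed shape, matches the scheme token case-insensitively as RFC 7617 allows, splits on the first colon only, and pins UTF-8 (needs `import java.nio.charset.StandardCharsets;`); the charset change applies equally to AuthUtils.main in this commit.
```java
	protected boolean validateAdmin(HttpServletRequest request) {

		// false if no authentication
		String auth = request.getHeader("Authorization");
		if (auth == null || !auth.regionMatches(true, 0, "Basic ", 0, 6)) {
			return false;
		}

		// reject malformed credentials instead of surfacing an exception
		String decode;
		try {
			byte[] raw = Base64.getDecoder().decode(auth.substring(6).trim());
			decode = new String(raw, StandardCharsets.UTF_8);
		} catch (IllegalArgumentException e) {
			return false;
		}

		// split on the first ':' only; the password may itself contain ':'
		int sep = decode.indexOf(':');
		if (sep < 0) {
			return false;
		}

		String passHash = StringUtils.sumSHA256(decode.substring(sep + 1).getBytes(StandardCharsets.UTF_8));
		String userAuth = String.format("%s:%s", decode.substring(0, sep), passHash);

		return Authlist.getAuthlist().contains(userAuth);
	}
```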
 
 	protected CachedSession getSession(HttpServletRequest request) {