handle basic authentication for domain-server admin

2025-04-14 23:28:27 +02:00 · 2014-08-04 15:25:14 -07:00 · 2014-08-04 15:25:14 -07:00 · 10c94023f1
commit 10c94023f1
parent 2c1277ef37
1 changed files with 62 additions and 2 deletions
--- a/domain-server/src/DomainServer.cpp
+++ b/domain-server/src/DomainServer.cpp
@ -1280,6 +1280,9 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
    const QByteArray HTTP_COOKIE_HEADER_KEY = "Cookie";
    const QString ADMIN_USERS_CONFIG_KEY = "admin-users";
    const QString ADMIN_ROLES_CONFIG_KEY = "admin-roles";
+    const QString BASIC_AUTH_CONFIG_KEY = "basic-auth";
+    
+    const QByteArray UNAUTHENTICATED_BODY = "You do not have permission to access this domain-server.";
    
    if (!_oauthProviderURL.isEmpty()
        && (_argumentVariantMap.contains(ADMIN_USERS_CONFIG_KEY) || _argumentVariantMap.contains(ADMIN_ROLES_CONFIG_KEY))) {
@ -1293,6 +1296,11 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
            cookieUUID = cookieUUIDRegex.cap(1);
        }
        
+        if (_argumentVariantMap.contains(BASIC_AUTH_CONFIG_KEY)) {
+            qDebug() << "Config file contains web admin settings for OAuth and basic HTTP authentication."
+                << "These cannot be combined - using OAuth for authentication.";
+        }
+        
        if (!cookieUUID.isNull() && _cookieSessionHash.contains(cookieUUID)) {
            // pull the QJSONObject for the user with this cookie UUID
            DomainServerWebSessionData sessionData = _cookieSessionHash.value(cookieUUID);
@ -1315,8 +1323,7 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
                }
            }
            
-            QString unauthenticatedRequest = "You do not have permission to access this domain-server.";
-            connection->respond(HTTPConnection::StatusCode401, unauthenticatedRequest.toUtf8());
+            connection->respond(HTTPConnection::StatusCode401, UNAUTHENTICATED_BODY);
            
            // the user does not have allowed username or role, return 401
            return false;
@ -1340,6 +1347,59 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
            // we don't know about this user yet, so they are not yet authenticated
            return false;
        }
+    } else if (_argumentVariantMap.contains(BASIC_AUTH_CONFIG_KEY)) {
+        // config file contains username and password combinations for basic auth
+        const QByteArray BASIC_AUTH_HEADER_KEY = "Authorization";
+        
+        // check if a username and password have been provided with the request
+        QString basicAuthString = connection->requestHeaders().value(BASIC_AUTH_HEADER_KEY);
+        
+        if (!basicAuthString.isEmpty()) {
+            QStringList splitAuthString = basicAuthString.split(' ');
+            QString base64String = splitAuthString.size() == 2 ? splitAuthString[1] : "";
+            QString credentialString = QByteArray::fromBase64(base64String.toLocal8Bit());
+            
+            if (!credentialString.isEmpty()) {
+                QStringList credentialList = credentialString.split(':');
+                if (credentialList.size() == 2) {
+                    QString username = credentialList[0];
+                    QString password = credentialList[1];
+                    
+                    // we've pulled a username and password - now check if there is a match in our basic auth hash
+                    QJsonObject basicAuthObject = _argumentVariantMap.value(BASIC_AUTH_CONFIG_KEY).toJsonValue().toObject();
+                    
+                    if (basicAuthObject.contains(username)) {
+                        const QString BASIC_AUTH_USER_PASSWORD_KEY = "password";
+                        QJsonObject userObject = basicAuthObject.value(username).toObject();
+                        
+                        if (userObject.contains(BASIC_AUTH_USER_PASSWORD_KEY)
+                            && userObject.value(BASIC_AUTH_USER_PASSWORD_KEY).toString() == password) {
+                            // this is username / password match - let this user in
+                            return true;
+                        }
+                    }
+                }
+            }
+        }
+        
+        // basic HTTP auth being used but no username and password are present
+        // or the username and password are not correct
+        // send back a 401 and ask for basic auth
+        
+        const QByteArray HTTP_AUTH_REQUEST_HEADER_KEY = "WWW-Authenticate";
+        static QString HTTP_AUTH_REALM_STRING = QString("Basic realm='%1 %2'")
+            .arg(_hostname.isEmpty() ? "localhost" : _hostname)
+            .arg("domain-server");
+        
+        Headers basicAuthHeader;
+        basicAuthHeader.insert(HTTP_AUTH_REQUEST_HEADER_KEY, HTTP_AUTH_REALM_STRING.toUtf8());
+        
+        connection->respond(HTTPConnection::StatusCode401, UNAUTHENTICATED_BODY,
+                            HTTPConnection::DefaultContentType, basicAuthHeader);
+        
+        // not authenticated, bubble up false
+        return false;
+        
    } else {
        // we don't have an OAuth URL + admin roles/usernames, so all users are authenticated
        return true;