From 21809cc9df29ddea76d20ee5f0157ad10f79d47f Mon Sep 17 00:00:00 2001
From: Stephen Birarda
Date: Fri, 26 Sep 2014 12:09:29 -0700
Subject: [PATCH] fix http username with no password
---
 domain-server/src/DomainServer.cpp | 28 ++++++++-----------
 .../src/DomainServerSettingsManager.h | 2 +-
 libraries/shared/src/HifiConfigVariantMap.cpp | 20 ++++++++++++-
 libraries/shared/src/HifiConfigVariantMap.h | 2 ++
 4 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/domain-server/src/DomainServer.cpp b/domain-server/src/DomainServer.cpp
index 338d3a4fa3..c4d3b5f977 100644
--- a/domain-server/src/DomainServer.cpp
+++ b/domain-server/src/DomainServer.cpp
@@ -1402,11 +1402,12 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
 const QByteArray HTTP_COOKIE_HEADER_KEY = "Cookie";
 const QString ADMIN_USERS_CONFIG_KEY = "admin-users";
 const QString ADMIN_ROLES_CONFIG_KEY = "admin-roles";
- const QString BASIC_AUTH_CONFIG_KEY = "basic-auth";
+ const QString BASIC_AUTH_USERNAME_KEY_PATH = "security.http-username";
+ const QString BASIC_AUTH_PASSWORD_KEY_PATH = "security.http-password";
 const QByteArray UNAUTHENTICATED_BODY = "You do not have permission to access this domain-server.";
- const QVariantMap& settingsMap = _settingsManager.getSettingsMap();
+ QVariantMap& settingsMap = _settingsManager.getSettingsMap();
 if (!_oauthProviderURL.isEmpty() && (settingsMap.contains(ADMIN_USERS_CONFIG_KEY) || settingsMap.contains(ADMIN_ROLES_CONFIG_KEY))) {
@@ -1420,7 +1421,7 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
 cookieUUID = cookieUUIDRegex.cap(1);
 }
- if (settingsMap.contains(BASIC_AUTH_CONFIG_KEY)) {
+ if (valueForKeyPath(settingsMap, BASIC_AUTH_USERNAME_KEY_PATH)) {
 qDebug() << "Config file contains web admin settings for OAuth and basic HTTP authentication." << "These cannot be combined - using OAuth for authentication.";
 }
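Review bot: `QVariantMap& settingsMap = _settingsManager.getSettingsMap();` in the first DomainServer.cpp hunk gives the authentication check a mutable reference to the live settings map, although nothing visible in these hunks writes through it. The const was dropped here, and on `getSettingsMap()` in DomainServerSettingsManager.h, apparently only because `valueForKeyPath` takes a non-const `QVariantMap&`. Declaring the helper as `const QVariant* valueForKeyPath(const QVariantMap& variantMap, const QString& keyPath);` and reading with `constFind()` and `constData()` would let both places keep `const QVariantMap&`, so code that only reads credentials cannot alter the settings by accident. isAuthenticatedRequest starts and ends outside these hunks.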
@@ -1471,7 +1472,7 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
 // we don't know about this user yet, so they are not yet authenticated
 return false;
 }
- } else if (settingsMap.contains(BASIC_AUTH_CONFIG_KEY)) {
+ } else if (valueForKeyPath(settingsMap, BASIC_AUTH_USERNAME_KEY_PATH)) {
 // config file contains username and password combinations for basic auth
 const QByteArray BASIC_AUTH_HEADER_KEY = "Authorization";
@@ -1486,21 +1487,16 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
 if (!credentialString.isEmpty()) {
 QStringList credentialList = credentialString.split(':');
 if (credentialList.size() == 2) {
- QString username = credentialList[0];
- QString password = credentialList[1];
+ QString headerUsername = credentialList[0];
+ QString headerPassword = credentialList[1];
 // we've pulled a username and password - now check if there is a match in our basic auth hash
- QJsonObject basicAuthObject = settingsMap.value(BASIC_AUTH_CONFIG_KEY).toJsonValue().toObject();
+ QString settingsUsername = valueForKeyPath(settingsMap, BASIC_AUTH_USERNAME_KEY_PATH)->toString();
+ const QVariant* settingsPasswordVariant = valueForKeyPath(settingsMap, BASIC_AUTH_PASSWORD_KEY_PATH);
+ QString settingsPassword = settingsPasswordVariant ? settingsPasswordVariant->toString() : "";
- if (basicAuthObject.contains(username)) {
- const QString BASIC_AUTH_USER_PASSWORD_KEY = "password";
- QJsonObject userObject = basicAuthObject.value(username).toObject();
-
- if (userObject.contains(BASIC_AUTH_USER_PASSWORD_KEY)
- && userObject.value(BASIC_AUTH_USER_PASSWORD_KEY).toString() == password) {
- // this is username / password match - let this user in
- return true;
- }
+ if (settingsUsername == headerUsername && headerPassword == settingsPassword) {
+ return true;
 }
 }
 }
diff --git a/domain-server/src/DomainServerSettingsManager.h b/domain-server/src/DomainServerSettingsManager.h
index 0b97a821ef..996a27b96b 100644
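Review bot: The basic-auth branch in isAuthenticatedRequest is entered whenever the `security.http-username` key exists, and the new comparison then treats a missing password as `""`, so a username that is present but empty would match a request whose username and password are both empty. Whether the settings can actually hold an empty username is not visible here, but the check should fail closed: `if (!settingsUsername.isEmpty() && settingsUsername == headerUsername && headerPassword == settingsPassword) {`. A username with no password is what this commit sets out to allow, yet it leaves the admin interface protected by the username alone, so logging that configuration when settings are loaded would help operators notice it. The same presence-only test feeds the OAuth-branch message in the `-1420,7` hunk. The function body continues outside both hunks.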
--- a/domain-server/src/DomainServerSettingsManager.h
+++ b/domain-server/src/DomainServerSettingsManager.h
@@ -27,7 +27,7 @@ public:
 void loadSettingsMap(const QStringList& argumentList);
 QByteArray getJSONSettingsMap() const;
- const QVariantMap& getSettingsMap() const { return _settingsMap; }
+ QVariantMap& getSettingsMap() { return _settingsMap; }
 private:
 void recurseJSONObjectAndOverwriteSettings(const QJsonObject& postedObject, QVariantMap& settingsVariant, QJsonArray descriptionArray);
diff --git a/libraries/shared/src/HifiConfigVariantMap.cpp b/libraries/shared/src/HifiConfigVariantMap.cpp
index 7f8921752d..e0f89174fc 100644
--- a/libraries/shared/src/HifiConfigVariantMap.cpp
+++ b/libraries/shared/src/HifiConfigVariantMap.cpp
@@ -150,10 +150,28 @@ void HifiConfigVariantMap::addMissingValuesToExistingMap(QVariantMap& existingMa
 if (newMap[key].canConvert(QMetaType::QVariantMap) && existingMap[key].canConvert(QMetaType::QVariantMap)) {
 // there's a variant map below and the existing map has one too, so we need to keep recursing
- addMissingValuesToExistingMap(*reinterpret_cast(existingMap[key].data()), newMap[key].toMap());
+ addMissingValuesToExistingMap(*static_cast(existingMap[key].data()), newMap[key].toMap());
 }
 } else {
 existingMap[key] = newMap[key];
 }
 }
 }
+
+const QVariant* valueForKeyPath(QVariantMap& variantMap, const QString& keyPath) {
+ int dotIndex = keyPath.indexOf('.');
+
+ QString firstKey = (dotIndex == -1) ? keyPath : keyPath.mid(0, dotIndex);
+
+ qDebug() << "Checking for" << firstKey;
+
+ if (variantMap.contains(firstKey)) {
+ if (dotIndex == -1) {
+ return &variantMap[firstKey];
+ } else if (variantMap[firstKey].canConvert(QMetaType::QVariantMap)) {
+ return valueForKeyPath(*static_cast(variantMap[firstKey].data()), keyPath.mid(dotIndex + 1));
+ }
+ }
+
+ return NULL;
+}
diff --git a/libraries/shared/src/HifiConfigVariantMap.h b/libraries/shared/src/HifiConfigVariantMap.h
index eae5de26d5..b1b6b55aa2 100644
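Review bot: `canConvert(QMetaType::QVariantMap)` in the new `valueForKeyPath` only says the variant could be converted to a map, not that it stores one, yet the next line casts `variantMap[firstKey].data()` straight to a map pointer and recurses into it. For a variant holding some other convertible type (a QVariantHash, as far as I know) the cast would read the wrong object, so the guard should test the stored type: `} else if (variantMap[firstKey].userType() == QMetaType::QVariantMap) {`. The recursive call in `addMissingValuesToExistingMap` in the same hunk relies on the same test; that function starts outside the hunk. Separately, `qDebug() << "Checking for" << firstKey;` runs for every path segment each time the authentication check looks up a setting and looks like leftover debugging.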
--- a/libraries/shared/src/HifiConfigVariantMap.h
+++ b/libraries/shared/src/HifiConfigVariantMap.h
@@ -24,4 +24,6 @@ private:
 static void addMissingValuesToExistingMap(QVariantMap& existingMap, const QVariantMap& newMap);
 };
+const QVariant* valueForKeyPath(QVariantMap& variantMap, const QString& keyPath);
+
 #endif // hifi_HifiConfigVariantMap_h
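Review bot: The new declaration of `valueForKeyPath` has no comment, and its contract is not obvious from the signature. Going by the implementation added in HifiConfigVariantMap.cpp, it walks a dot-separated path, returns NULL when a segment is missing, and otherwise returns a pointer into `variantMap` itself. I would add above it `// Returns the value at the dot-separated keyPath, or NULL if a segment is missing.` and `// The pointer refers to storage inside variantMap; do not keep it across changes to the map.` Callers such as the `->toString()` in isAuthenticatedRequest dereference the result directly, so the NULL case should be stated where they will read it.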