//# 1 errors, 109 messages
//#
/*
    //#BasicAuthenticator.java:1:1: class: org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator
    //#BasicAuthenticator.java:1:1: method: org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator.org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init
 * Copyright 2005 David M Johnson (For RSS and Atom In Action)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.roller.weblogger.webservices.adminprotocol;

import java.nio.charset.StandardCharsets;
import java.util.StringTokenizer;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;

/**
 * This class implements HTTP basic authentication for roller.
 *
 * @author jtb
 */
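class BasicAuthenticator extends Authenticator {
    /** Scheme token that must lead the {@code Authorization} header value. */
    private static final String BASIC_SCHEME = "Basic";

    /**
     * Creates a new instance of HttpBasicAuthenticator.
     *
     * @param req the request whose {@code Authorization} header will be examined
     */
    public BasicAuthenticator(HttpServletRequest req) {
        super(req);
    }

    /**
     * Authenticates the request from its HTTP Basic credentials.
     *
     * <p>The stored user name is cleared first, so any failure leaves it {@code null}.
     * The {@code Authorization} header must be present, start with the {@code Basic}
     * scheme and carry a Base64 token that decodes to {@code user:password}. The pair is
     * handed to {@code verifyUser}, which is expected to throw when the credentials are
     * rejected; only after it returns is the user name recorded. A final null check
     * rejects every path that did not reach that point.
     *
     * @throws UnauthorizedException if the header is absent, not a usable Basic credential,
     *         or no user name could be established
     * @throws HandlerException whatever {@code verifyUser} raises for rejected credentials
     */
    public void authenticate() throws HandlerException {
        setUserName(null);

        String authHeader = getRequest().getHeader("Authorization");
        if (authHeader == null) {
            throw new UnauthorizedException("ERROR: Authorization header was not set");
        }

        StringTokenizer st = new StringTokenizer(authHeader);
        // A header consisting only of "Basic" (no credential token) previously escaped as
        // NoSuchElementException; the extra hasMoreTokens() turns it into a plain rejection.
        if (st.hasMoreTokens()
                && BASIC_SCHEME.equalsIgnoreCase(st.nextToken())
                && st.hasMoreTokens()) {
            String credentials = st.nextToken();
            // Explicit charset on both conversions: the platform default is host-dependent.
            byte[] decoded = Base64.decodeBase64(credentials.getBytes(StandardCharsets.UTF_8));
            String userPass = new String(decoded, StandardCharsets.UTF_8);
            // Split on the FIRST colon: the user-id may not contain one, the password may.
            int p = userPass.indexOf(':');
            if (p != -1) {
                String userName = userPass.substring(0, p);
                String password = userPass.substring(p + 1);
                verifyUser(userName, password);

                // success
                setUserName(userName);
            }
        }

        // Safety net (originally contributed as a fix by Nick Lothian): reject anything
        // that did not get as far as setUserName(userName) above.
        if (getUserName() == null) {
            throw new UnauthorizedException("ERROR: Could not authorize user");
        }
    }
}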
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Descendant_Table[org/apache/roller/weblogger/webservices/adminprotocol/BasicAuthenticator]
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.authenticate()V
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.getRequest()Ljavax/servlet/http/HttpServletRequest;
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.getRoller()Lorg/apache/roller/weblogger/business/Weblogger;
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.getUserData(Ljava/lang/String;)Lorg/apache/roller/weblogger/pojos/User;
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.getUserName()Ljava/lang/String;
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.setRequest(Ljavax/servlet/http/HttpServletRequest;)V
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.setRoller(Lorg/apache/roller/weblogger/business/Weblogger;)V
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.setUserName(Ljava/lang/String;)V
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.verifyUser(Ljava/lang/String;Ljava/lang/String;)V
    //#output(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.__Descendant_Table[org/apache/roller/weblogger/webservices/adminprotocol/BasicAuthenticator]
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Descendant_Table[org/apache/roller/weblogger/webservices/adminprotocol/BasicAuthenticator] == &__Dispatch_Table
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.__Descendant_Table[org/apache/roller/weblogger/webservices/adminprotocol/BasicAuthenticator] == &__Dispatch_Table
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.authenticate()V == &authenticate
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.getRequest()Ljavax/servlet/http/HttpServletRequest; == &org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.getRequest
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.getRoller()Lorg/apache/roller/weblogger/business/Weblogger; == &org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.getRoller
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.getUserData(Ljava/lang/String;)Lorg/apache/roller/weblogger/pojos/User; == &org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.getUserData
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.getUserName()Ljava/lang/String; == &org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.getUserName
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.setRequest(Ljavax/servlet/http/HttpServletRequest;)V == &org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.setRequest
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.setRoller(Lorg/apache/roller/weblogger/business/Weblogger;)V == &org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.setRoller
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.setUserName(Ljava/lang/String;)V == &org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.setUserName
    //#post(org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init): __Dispatch_Table.verifyUser(Ljava/lang/String;Ljava/lang/String;)V == &org/apache/roller/weblogger/webservices/adminprotocol/Authenticator.verifyUser
    //#BasicAuthenticator.java:: end of method: org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator.org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init
    //#BasicAuthenticator.java:: end of class: org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator
