From 1fe7284f7cfe502289bf33a44f4657fc743d9802 Mon Sep 17 00:00:00 2001
From: high <pooop828@hotmail.com>
Date: Mon, 5 Sep 2011 02:44:46 -0400
Subject: [PATCH] Added SecureRest which implements token requirement for
 commands. Still must implement a Verify function and probably change
 SecureRest around a bit.

---
 TShockAPI/Rest.cs          | 74 +++++++++++++++++++++++++++++---------
 TShockAPI/SecureRest.cs    | 57 +++++++++++++++++++++++++++++
 TShockAPI/TShock.cs        |  2 +-
 TShockAPI/TShockAPI.csproj |  3 +-
 TShockAPI/Tools.cs         | 24 +++++++++----
 5 files changed, 134 insertions(+), 26 deletions(-)
 create mode 100644 TShockAPI/SecureRest.cs

diff --git a/TShockAPI/Rest.cs b/TShockAPI/Rest.cs
index 21b21924..7aa6b8a1 100644
--- a/TShockAPI/Rest.cs
+++ b/TShockAPI/Rest.cs
@@ -15,9 +15,9 @@ namespace TShockAPI
     /// Rest command delegate
     /// </summary>
     /// <param name="parameters">Parameters in the url</param>
-    /// <param name="request">Http request</param>
+    /// <param name="verbs">{x} in urltemplate</param>
     /// <returns>Response object or null to not handle request</returns>
-    public delegate object RestCommandD(RestVerbs verbs, IParameterCollection parameters, RequestEventArgs request);
+    public delegate object RestCommandD(RestVerbs verbs, IParameterCollection parameters);
     public class Rest : IDisposable
     {
         readonly List<RestCommand> commands = new List<RestCommand>();
@@ -62,7 +62,7 @@ namespace TShockAPI
 
         protected virtual void OnRequest(object sender, RequestEventArgs e)
         {
-            var obj = Process(sender, e);
+            var obj = ProcessRequest(sender, e);
             if (obj == null)
                 throw new NullReferenceException("obj");
             var str = JsonConvert.SerializeObject(obj, Formatting.Indented);
@@ -72,25 +72,40 @@ namespace TShockAPI
             return;
         }
 
-        protected virtual object Process(object sender, RequestEventArgs e)
+        protected virtual object ProcessRequest(object sender, RequestEventArgs e)
         {
             foreach (var com in commands)
             {
-                var matches = Regex.Matches(e.Request.Uri.AbsolutePath, com.UriMatch);
-                if (matches.Count == com.UriNames.Length)
+                var verbs = new RestVerbs();
+                if (com.HasVerbs)
                 {
-                    var verbs = new RestVerbs();
-                    for (int i = 0; i < matches.Count; i++)
-                        verbs.Add(com.UriNames[i], matches[i].Groups[1].Value);
+                    var match = Regex.Match(e.Request.Uri.AbsolutePath, com.UriVerbMatch);
+                    if (!match.Success)
+                        continue;
+                    if ((match.Groups.Count - 1) != com.UriVerbs.Length)
+                        continue;
 
-                    var obj = com.Callback(verbs, e.Request.Parameters, e);
-                    if (obj != null)
-                        return obj;
+                    for (int i = 0; i < com.UriVerbs.Length; i++)
+                        verbs.Add(com.UriVerbs[i], match.Groups[i + 1].Value);
                 }
+                else if (com.UriTemplate.ToLower() != e.Request.Uri.AbsolutePath.ToLower())
+                {
+                    continue;
+                }
+
+                var obj = ExecuteCommand(com, verbs, e.Request.Parameters);
+                if (obj != null)
+                    return obj;
+
             }
             return new Dictionary<string, string> { { "Error", "Invalid request" } };
         }
 
+        protected virtual object ExecuteCommand(RestCommand cmd, RestVerbs verbs, IParameterCollection parms)
+        {
+            return cmd.Callback(verbs, parms);
+        }
+
         #region Dispose
         public void Dispose()
         {
@@ -123,18 +138,43 @@ namespace TShockAPI
 
     public class RestCommand
     {
+        public string Name { get; protected set; }
         public string UriTemplate { get; protected set; }
-        public string UriMatch { get; protected set; }
-        public string[] UriNames { get; protected set; }
+        public string UriVerbMatch { get; protected set; }
+        public string[] UriVerbs { get; protected set; }
         public RestCommandD Callback { get; protected set; }
+        public bool RequiesToken { get; set; }
 
-        public RestCommand(string uritemplate, RestCommandD callback)
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="name">Used for identification</param>
+        /// <param name="uritemplate">Url template</param>
+        /// <param name="callback">Rest Command callback</param>
+        public RestCommand(string name, string uritemplate, RestCommandD callback)
         {
+            Name = name;
             UriTemplate = uritemplate;
-            UriMatch = string.Join("([^/]*)", Regex.Split(uritemplate, "\\{[^\\{\\}]*\\}"));
+            UriVerbMatch = string.Join("([^/]*)", Regex.Split(uritemplate, "\\{[^\\{\\}]*\\}"));
             var matches = Regex.Matches(uritemplate, "\\{([^\\{\\}]*)\\}");
-            UriNames = (from Match match in matches select match.Groups[1].Value).ToArray();
+            UriVerbs = (from Match match in matches select match.Groups[1].Value).ToArray();
             Callback = callback;
+            RequiesToken = true;
+        }
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="uritemplate">Url template</param>
+        /// <param name="callback">Rest Command callback</param>
+        public RestCommand(string uritemplate, RestCommandD callback)
+            : this(string.Empty, uritemplate, callback)
+        {
+
+        }
+
+        public bool HasVerbs
+        {
+            get { return UriVerbs.Length > 0; }
         }
     }
 }
diff --git a/TShockAPI/SecureRest.cs b/TShockAPI/SecureRest.cs
new file mode 100644
index 00000000..85c36ff2
--- /dev/null
+++ b/TShockAPI/SecureRest.cs
@@ -0,0 +1,57 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Text;
+using HttpServer;
+
+namespace TShockAPI
+{
+    public delegate bool VerifyD(string username, string password);
+    public class SecureRest : Rest
+    {
+        public Dictionary<string, object> Tokens { get; protected set; }
+        public event VerifyD Verify;
+        public SecureRest(IPAddress ip, int port)
+            : base(ip, port)
+        {
+            Tokens = new Dictionary<string, object>();
+            Register(new RestCommand("/token/new/{username}/{password}", newtoken) { RequiesToken = false });
+        }
+        object newtoken(RestVerbs verbs, IParameterCollection parameters)
+        {
+            var user = verbs["username"];
+            var pass = verbs["password"];
+
+            if (Verify != null && !Verify(user, pass))
+                return new Dictionary<string, string> { { "Error", "Failed to verify username/password" } };
+
+            string hash = string.Empty;
+            var rand = new Random();
+            var randbytes = new byte[20];
+            do
+            {
+                rand.NextBytes(randbytes);
+                hash = Tools.HashPassword(randbytes);
+            } while (Tokens.ContainsKey(hash));
+
+            Tokens.Add(hash, new Object());
+
+            return new Dictionary<string, string> { { "Token", hash } }; ;
+        }
+        protected override object ExecuteCommand(RestCommand cmd, RestVerbs verbs, IParameterCollection parms)
+        {
+            if (cmd.RequiesToken)
+            {
+                var strtoken = parms["token"];
+                if (strtoken == null)
+                    return new Dictionary<string, string> { { "Error", "Token Missing" } };
+
+                object token;
+                if (!Tokens.TryGetValue(strtoken, out token))
+                    return new Dictionary<string, string> { { "Error", "Token Invalid" } };
+            }
+            return base.ExecuteCommand(cmd, verbs, parms);
+        }
+    }
+}
diff --git a/TShockAPI/TShock.cs b/TShockAPI/TShock.cs
index a4b0bb0b..555f17b6 100644
--- a/TShockAPI/TShock.cs
+++ b/TShockAPI/TShock.cs
@@ -176,7 +176,7 @@ namespace TShockAPI
                 Regions = new RegionManager(DB);
                 Itembans = new ItemManager(DB);
                 RememberedPos = new RemeberedPosManager(DB);
-                RestApi = new Rest(IPAddress.Any, 8080);
+                RestApi = new SecureRest(IPAddress.Any, 8080);
                 RestManager = new RestManager(RestApi);
                 RestManager.RegisterRestfulCommands();
                 if (Config.EnableGeoIP)
diff --git a/TShockAPI/TShockAPI.csproj b/TShockAPI/TShockAPI.csproj
index adadb917..2fac0775 100644
--- a/TShockAPI/TShockAPI.csproj
+++ b/TShockAPI/TShockAPI.csproj
@@ -126,6 +126,7 @@
     </Compile>
     <Compile Include="Rest.cs" />
     <Compile Include="RestManager.cs" />
+    <Compile Include="SecureRest.cs" />
     <Compile Include="Tools.cs" />
     <Compile Include="TShock.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
@@ -182,7 +183,7 @@
   </PropertyGroup>
   <ProjectExtensions>
     <VisualStudio>
-      <UserProperties BuildVersion_IncrementBeforeBuild="False" BuildVersion_StartDate="2011/6/17" BuildVersion_BuildVersioningStyle="None.None.None.MonthAndDayStamp" BuildVersion_BuildAction="Both" BuildVersion_UpdateFileVersion="True" BuildVersion_UpdateAssemblyVersion="True" />
+      <UserProperties BuildVersion_UpdateAssemblyVersion="True" BuildVersion_UpdateFileVersion="True" BuildVersion_BuildAction="Both" BuildVersion_BuildVersioningStyle="None.None.None.MonthAndDayStamp" BuildVersion_StartDate="2011/6/17" BuildVersion_IncrementBeforeBuild="False" />
     </VisualStudio>
   </ProjectExtensions>
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
diff --git a/TShockAPI/Tools.cs b/TShockAPI/Tools.cs
index 94c98f1b..fc133b7b 100755
--- a/TShockAPI/Tools.cs
+++ b/TShockAPI/Tools.cs
@@ -535,23 +535,33 @@ namespace TShockAPI
         /// <summary>
         /// Returns a Sha256 string for a given string
         /// </summary>
-        /// <param name="password">string password</param>
+        /// <param name="bytes">bytes to hash</param>
         /// <returns>string sha256</returns>
-        public static string HashPassword(string password)
+        public static string HashPassword(byte[] bytes)
         {
-            if (string.IsNullOrEmpty(password) || password == "non-existant password")
-                return "non-existant password";
-
+            if (bytes == null)
+                throw new NullReferenceException("bytes");
             Func<HashAlgorithm> func;
             if (!HashTypes.TryGetValue(HashAlgo.ToLower(), out func))
                 throw new NotSupportedException("Hashing algorithm {0} is not supported".SFormat(HashAlgo.ToLower()));
 
             using (var hash = func())
             {
-                var bytes = hash.ComputeHash(Encoding.ASCII.GetBytes(password));
-                return bytes.Aggregate("", (s, b) => s + b.ToString("X2"));
+                var ret = hash.ComputeHash(bytes);
+                return ret.Aggregate("", (s, b) => s + b.ToString("X2"));
             }
         }
+        /// <summary>
+        /// Returns a Sha256 string for a given string
+        /// </summary>
+        /// <param name="bytes">bytes to hash</param>
+        /// <returns>string sha256</returns>
+        public static string HashPassword(string password)
+        {
+            if (string.IsNullOrEmpty(password) || password == "non-existant password")
+                return "non-existant password";
+            return HashPassword(Encoding.UTF8.GetBytes(password));
+        }
 
         /// <summary>
         /// Checks if the string contains any unprintable characters