OpenSim-Test/OpenSim/ApplicationPlugins/Rest/Inventory/RequestData.cs

/*
 * Copyright (c) Contributors, http://opensimulator.org/
 * See CONTRIBUTORS.TXT for a full list of copyright holders.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *     * Redistributions in binary form must reproduce the above copyright
 *       notice, this list of conditions and the following disclaimer in the
 *       documentation and/or other materials provided with the distribution.
 *     * Neither the name of the OpenSim Project nor the
 *       names of its contributors may be used to endorse or promote products
 *       derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 * 
 */

using System;
using System.IO;
using System.Reflection;
using System.Text;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Collections.Generic;
using System.Collections.Specialized;
using OpenSim.Framework.Servers;
using libsecondlife;
using System.Xml;

namespace OpenSim.ApplicationPlugins.Rest.Inventory
{

    /// <summary>
    /// This class represents the current REST request. It
    /// encapsulates the request/response state and takes care 
    /// of response generation without exposing the REST handler
    /// to the actual mechanisms involved.
    ///
    /// This structure is created on entry to the Handler
    /// method and is disposed of upon return. It is part of
    /// the plug-in infrastructure, rather than the functionally
    /// specifici REST handler, and fundamental changes to 
    /// this should be reflected in the Rest HandlerVersion. The
    /// object is instantiated, and may be extended by, any
    /// given handler. See the inventory handler for an example
    /// of this.
    ///
    /// If possible, the underlying request/response state is not
    /// changed until the handler explicitly issues a Respond call.
    /// This ensures that the request/response pair can be safely
    /// processed by subsequent, unrelated, handlers even id the
    /// agent handler had completed much of its processing. Think
    /// of it as a transactional req/resp capability.
    /// </summary>

    internal class RequestData
    {

        // HTTP Server interface data

        internal OSHttpRequest        request = null;
        internal OSHttpResponse       response = null;

        // Request lifetime values

        internal NameValueCollection  headers = null;
        internal List<string>         removed_headers = null;
        internal byte[]               buffer = null;
        internal string               body = null;
        internal string               html = null;
        internal string               entity = null;
        internal string               path = null;
        internal string               method = null;
        internal string               statusDescription = null;
        internal string               redirectLocation = null;
        internal string[]             pathNodes = null;
        internal string[]             parameters = null;
        internal int                  statusCode = 0;
        internal bool                 handled = false;
        internal LLUUID               uuid = LLUUID.Zero;
        internal Encoding             encoding = Rest.Encoding;
        internal Uri                  uri = null;
        internal string               query = null;
        internal bool                 fail = false;
        internal string               hostname = "localhost";
        internal int                  port = 80;
        internal string               prefix = Rest.UrlPathSeparator;

        // Authentication related state
 
        internal bool                 authenticated = false;
        internal string               scheme = Rest.AS_DIGEST;
        internal string               realm = Rest.Realm;
        internal string               domain = null;
        internal string               nonce = null;
        internal string               cnonce = null;
        internal string               qop = Rest.Qop_Auth;
        internal string               opaque = null;
        internal string               stale = null;
        internal string               algorithm = Rest.Digest_MD5;
        internal string               authParms  = null;
        internal string               authPrefix = null;
        internal string               userName  = String.Empty;
        internal string               userPass  = String.Empty;
        internal LLUUID               client = LLUUID.Zero;

        // XML related state

        internal XmlWriter            writer = null;
        internal XmlReader            reader = null;

        // Internal working state

        private StringBuilder         sbuilder = new StringBuilder(1024);
        private MemoryStream          xmldata = null;

        private static readonly string[] EmptyPath = { String.Empty };

        // Session related tables. These are only needed if QOP is set to "auth-sess"
        // and for now at least, it is not. Session related authentication is of 
        // questionable merit in the context of REST anyway, but it is, arguably, more
        // secure.

        private static Dictionary<string,string>  cntable   = new Dictionary<string,string>();
        private static Dictionary<string,string>  sktable   = new Dictionary<string,string>();

        // This dictionary is used to keep track fo all of the parameters discovered
        // when the authorisation header is anaylsed.

        private        Dictionary<string,string>  authparms = new Dictionary<string,string>();

        // These regular expressions are used to decipher the various header entries.

        private static Regex schema      = new Regex("^\\s*(?<scheme>\\w+)\\s*.*",
                                                     RegexOptions.Compiled | RegexOptions.IgnoreCase);
        
        private static Regex basicParms  = new Regex("^\\s*(?:\\w+)\\s+(?<pval>\\S+)\\s*",
                                                     RegexOptions.Compiled | RegexOptions.IgnoreCase);
        
        private static Regex digestParm1 = new Regex("\\s*(?<parm>\\w+)\\s*=\\s*\"(?<pval>\\S+)\"",
                                                     RegexOptions.Compiled | RegexOptions.IgnoreCase);
        
        private static Regex digestParm2 = new Regex("\\s*(?<parm>\\w+)\\s*=\\s*(?<pval>[^\\p{P}\\s]+)",
                                                     RegexOptions.Compiled | RegexOptions.IgnoreCase);
        
        private static Regex reuserPass  = new Regex("\\s*(?<user>\\w+)\\s*:\\s*(?<pass>\\S*)",
                                                     RegexOptions.Compiled | RegexOptions.IgnoreCase);
        
        // For efficiency, we create static instances of these objects

        private static MD5   md5hash     = MD5.Create();
        
        private static StringComparer sc = StringComparer.OrdinalIgnoreCase;

        // Constructor
        
        internal RequestData(OSHttpRequest p_request, OSHttpResponse p_response, string qprefix)
        {

            request  = p_request;
            response = p_response;

            sbuilder.Length = 0;

            encoding = request.ContentEncoding;
            if (encoding == null)
            {
                encoding = Rest.Encoding;
            }

            method = request.HttpMethod.ToLower();
            initUrl();

            initParameters(qprefix.Length);

        }

        // Just for convenience...

        internal string MsgId
        {
            get { return Rest.MsgId; }
        }

        // Defer authentication check until requested

        internal bool IsAuthenticated
        {
            get
            { 
                if (Rest.Authenticate)
                {
                    if (!authenticated)
                    {
                        authenticate();
                    }

                    return authenticated;
                }
                else return true;
            }
        }

        /// <summary>
        /// The REST handler has requested authentication. Authentication
        /// is considered to be with respect to the current values for
        /// Realm, domain, etc.
        ///
        /// This method checks to see if the current request is already
        /// authenticated for this domain. If it is, then it returns 
        /// true. If it is not, then it issues a challenge to the client
        /// and responds negatively to the request.
        /// </summary>

        private void authenticate()
        {

            string authdata  = request.Headers.Get("Authorization");
            string reqscheme = String.Empty;

            // If we don't have an authorization header, then this
            // user is certainly not authorized. This is the typical
            // pivot for the 1st request by a client.

            if (authdata == null)
            {
                Rest.Log.DebugFormat("{0} Challenge reason: No authorization data", MsgId);
                DoChallenge();
            }
            
            // So, we have authentication data, now we have to check to
            // see what we got and whether or not it is valid for the
            // current domain. To do this we need to interpret the data
            // provided in the Authorization header. First we need to
            // identify the scheme being used and route accordingly.

            MatchCollection matches = schema.Matches(authdata);

            foreach (Match m in matches)
            {
                Rest.Log.DebugFormat("{0} Scheme matched : {1}", MsgId, m.Groups["scheme"].Value);
                reqscheme = m.Groups["scheme"].Value.ToLower();
            }

            // If we want a specific authentication mechanism, make sure
            // we get it.

            if (scheme != null && scheme.ToLower() != reqscheme)
            {
                Rest.Log.DebugFormat("{0} Challenge reason: Required scheme not accepted", MsgId);
                DoChallenge();
            }

            // In the future, these could be made into plug-ins...
            // But for now at least we have no reason to use anything other
            // then MD5. TLS/SSL are taken care of elsewhere.

            switch (reqscheme)
            {
            case "digest" :
                Rest.Log.DebugFormat("{0} Digest authentication offered", MsgId);
                DoDigest(authdata);
                break;

            case "basic" :
                Rest.Log.DebugFormat("{0} Basic authentication offered", MsgId);
                DoBasic(authdata);
                break;
            }

            // If the current header is invalid, then a challenge is still needed.

            if (!authenticated)
            {
                Rest.Log.DebugFormat("{0} Challenge reason: Authentication failed", MsgId);
                DoChallenge();
            }

        }

        /// <summary>
        /// Construct the necessary WWW-Authenticate headers and fail the request
        /// with a NOT AUTHORIZED response. The parameters are the union of values
        /// required by the supported schemes.
        /// </summary>

        private void DoChallenge()
        {
            Flush();
            nonce = Rest.NonceGenerator(); // should be unique per 401 (and it is)
            Challenge(scheme, realm, domain, nonce, opaque, stale, algorithm, qop, authParms);
            Fail(Rest.HttpStatusCodeNotAuthorized, Rest.HttpStatusDescNotAuthorized);
        }

        /// <summary>
        /// Interpret a BASIC authorization claim
        /// This is here for completeness, it is not used.
        /// </summary>

        private void DoBasic(string authdata)
        {

            string response = null;

            MatchCollection matches = basicParms.Matches(authdata);

            // In the case of basic authentication there is
            // only expected to be a single argument.

            foreach (Match m in matches)
            {
                authparms.Add("response",m.Groups["pval"].Value);
                Rest.Log.DebugFormat("{0} Parameter matched : {1} = {2}", 
                                     MsgId, "response", m.Groups["pval"].Value);
            }

            // Did we get a valid response?

            if (authparms.TryGetValue("response", out response))
            {
                // Decode
                response = Rest.Base64ToString(response);
                Rest.Log.DebugFormat("{0} Auth response is: <{1}>", MsgId, response);

                // Extract user & password
                Match m = reuserPass.Match(response);
                userName = m.Groups["user"].Value;
                userPass = m.Groups["pass"].Value;

                // Validate against user database
                authenticated = Validate(userName,userPass);
            }

        }

        /// <summary>
        /// This is an RFC2617 compliant HTTP MD5 Digest authentication
        /// implementation. It has been tested with Firefox, Java HTTP client,
        /// and Miscrosoft's Internet Explorer V7.
        /// </summary>

        private void DoDigest(string authdata)
        {

            string response = null;

            MatchCollection matches = digestParm1.Matches(authdata);

            // Collect all of the supplied parameters and store them
            // in a dictionary (for ease of access)

            foreach (Match m in matches)
            {
                authparms.Add(m.Groups["parm"].Value,m.Groups["pval"].Value);
                Rest.Log.DebugFormat("{0} String Parameter matched : {1} = {2}", 
                                     MsgId, m.Groups["parm"].Value,m.Groups["pval"].Value);
            }

            // And pick up any tokens too

            matches = digestParm2.Matches(authdata);

            foreach (Match m in matches)
            {
                authparms.Add(m.Groups["parm"].Value,m.Groups["pval"].Value);
                Rest.Log.DebugFormat("{0} Tokenized Parameter matched : {1} = {2}", 
                                     MsgId, m.Groups["parm"].Value,m.Groups["pval"].Value);
            }

            // A response string MUST be returned, otherwise we are
            // NOT authenticated.

            Rest.Log.DebugFormat("{0} Validating authorization parameters", MsgId);

            if (authparms.TryGetValue("response", out response))
            {

                string temp   = null;

                do
                {

                    string nck = null;
                    string ncl = null;

                    // The userid is sent in clear text. Needed for the
                    // verification.

                    authparms.TryGetValue("username", out userName);

                    // All URI's of which this is a prefix are
                    // optimistically considered to be authenticated by the
                    // client. This is also needed to verify the response.

                    authparms.TryGetValue("uri", out authPrefix);

                    // There MUST be a nonce string present. We're not preserving any server
                    // side state and we can;t validate the MD5 unless the lcient returns it
                    // to us, as it should.

                    if (!authparms.TryGetValue("nonce", out nonce))
                    {
                        Rest.Log.WarnFormat("{0} Authentication failed: nonce missing", MsgId); 
                        break;
                    }

                    // If there is an opaque string present, it had better
                    // match what we sent.

                    if (authparms.TryGetValue("opaque", out temp))
                    {
                        if (temp != opaque)
                        {
                            Rest.Log.WarnFormat("{0} Authentication failed: bad opaque value", MsgId); 
                            break;
                        }
                    }

                    // If an algorithm string is present, it had better
                    // match what we sent.

                    if (authparms.TryGetValue("algorithm", out temp))
                    {
                        if (temp != algorithm)
                        {
                            Rest.Log.WarnFormat("{0} Authentication failed: bad algorithm value", MsgId); 
                            break;
                        }
                    }

                    // Quality of protection considerations...

                    if (authparms.TryGetValue("qop", out temp))
                    {

                        qop = temp.ToLower(); // replace with actual value used

                        // if QOP was specified then
                        // these MUST be present.

                        if (!authparms.ContainsKey("cnonce"))
                        {
                            Rest.Log.WarnFormat("{0} Authentication failed: cnonce missing", MsgId); 
                            break;
                        }

                        cnonce = authparms["cnonce"];

                        if (!authparms.ContainsKey("nc"))
                        {
                            Rest.Log.WarnFormat("{0} Authentication failed: cnonce counter missing", MsgId); 
                            break;
                        }

                        nck = authparms["nc"];

                        if (cntable.TryGetValue(cnonce, out ncl))
                        {
                            if (Rest.Hex2Int(ncl) <= Rest.Hex2Int(nck))
                            {
                                Rest.Log.WarnFormat("{0} Authentication failed: bad cnonce counter", MsgId); 
                                break;
                            }
                            cntable[cnonce] = nck;
                        }
                        else
                        {
                            lock (cntable) cntable.Add(cnonce, nck);
                        }

                    }
                    else
                    {

                        qop = String.Empty;

                        // if QOP was not specified then
                        // these MUST NOT be present.
                        if (authparms.ContainsKey("cnonce"))
                        {
                            Rest.Log.WarnFormat("{0} Authentication failed: invalid cnonce", MsgId); 
                            break;
                        }
                        if (authparms.ContainsKey("nc"))
                        {
                            Rest.Log.WarnFormat("{0} Authentication failed: invalid cnonce counter[2]", MsgId); 
                            break;
                        }
                    }

                    // Validate the supplied userid/password info

                    authenticated = ValidateDigest(userName, nonce, cnonce, nck, authPrefix, response);

                } 
                while (false);

            }

        }

        // Indicate that authentication is required

        internal void Challenge(string scheme, string realm, string domain, string nonce,
                                string opaque, string stale, string alg,
                                string qop, string auth)
        {

            sbuilder.Length = 0;

            if (scheme == null || scheme == Rest.AS_DIGEST)
            {

                sbuilder.Append(Rest.AS_DIGEST);
                sbuilder.Append(" ");

                if (realm != null)
                {
                    sbuilder.Append("realm=");
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(realm);
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(Rest.CS_COMMA);
                }

                if (nonce != null)
                {
                    sbuilder.Append("nonce=");
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(nonce);
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(Rest.CS_COMMA);
                }

                if (opaque != null)
                {
                    sbuilder.Append("opaque=");
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(opaque);
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(Rest.CS_COMMA);
                }

                if (stale != null)
                {
                    sbuilder.Append("stale=");
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(stale);
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(Rest.CS_COMMA);
                }

                if (alg != null)
                {
                    sbuilder.Append("algorithm=");
                    sbuilder.Append(alg);
                    sbuilder.Append(Rest.CS_COMMA);
                }

                if (qop != String.Empty)
                {
                    sbuilder.Append("qop=");
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(qop);
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(Rest.CS_COMMA);
                }

                if (auth != null)
                {
                    sbuilder.Append(auth);
                    sbuilder.Append(Rest.CS_COMMA);
                }

                if (Rest.Domains.Count != 0)
                {
                    sbuilder.Append("domain=");
                    sbuilder.Append(Rest.CS_DQUOTE);
                    foreach (string dom in Rest.Domains.Values)
                    {
                        sbuilder.Append(dom);
                        sbuilder.Append(Rest.CS_SPACE);
                    }
                    if (sbuilder[sbuilder.Length-1] == Rest.C_SPACE)
                    {
                        sbuilder.Length = sbuilder.Length-1;
                    }
                    sbuilder.Append(Rest.CS_DQUOTE);
                    sbuilder.Append(Rest.CS_COMMA);
                }

                if (sbuilder[sbuilder.Length-1] == Rest.C_COMMA)
                {
                    sbuilder.Length = sbuilder.Length-1;
                }

                AddHeader(Rest.HttpHeaderWWWAuthenticate,sbuilder.ToString());

            }

            if (scheme == null || scheme == Rest.AS_BASIC)
            {

                sbuilder.Append(Rest.AS_BASIC);

                if (realm != null)
                {
                    sbuilder.Append(" realm=\"");
                    sbuilder.Append(realm);
                    sbuilder.Append("\"");
                }
                AddHeader(Rest.HttpHeaderWWWAuthenticate,sbuilder.ToString());
            }

        }

        private bool Validate(string user, string pass)
        {
            Rest.Log.DebugFormat("{0} Validating {1}:{2}", MsgId, user, pass);
            return user == "awebb" && pass == getPassword(user);
        }

        private string getPassword(string user)
        {
            return Rest.GodKey;
        }

        // Validate the request-digest
        private bool ValidateDigest(string user, string nonce, string cnonce, string nck, string uri, string response)
        {

            string patt = null;
            string payl = String.Empty;
            string KDS  = null;
            string HA1  = null;
            string HA2  = null;
            string pass = getPassword(user);

            // Generate H(A1)

            if (algorithm == Rest.Digest_MD5Sess)
            {
                if (!sktable.ContainsKey(cnonce))
                {
                    patt = String.Format("{0}:{1}:{2}:{3}:{4}", user, realm, pass, nonce, cnonce);
                    HA1  = HashToString(patt);
                    sktable.Add(cnonce, HA1);
                }
                else
                {
                    HA1  = sktable[cnonce];
                }
            }
            else
            {
                patt = String.Format("{0}:{1}:{2}", user, realm, pass);
                HA1  = HashToString(patt);
            }

            // Generate H(A2)

            if (qop == "auth-int")
            {
                patt = String.Format("{0}:{1}:{2}", request.HttpMethod, uri, HashToString(payl));
            }
            else
            {
                patt = String.Format("{0}:{1}", request.HttpMethod, uri);
            }

            HA2  = HashToString(patt);

            // Generate Digest
              
            if (qop != String.Empty)
            {
                patt = String.Format("{0}:{1}:{2}:{3}:{4}:{5}", HA1, nonce, nck, cnonce, qop, HA2);
            }
            else
            {
                patt = String.Format("{0}:{1}:{2}", HA1, nonce, HA2);
            }

            KDS = HashToString(patt);

            // Compare the generated sequence with the original

            return (0 == sc.Compare(KDS, response));

        }

        private string HashToString(string pattern)
        {

            Rest.Log.DebugFormat("{0} Generate <{1}>", MsgId, pattern);

            byte[] hash = md5hash.ComputeHash(encoding.GetBytes(pattern));

            sbuilder.Length = 0;

            for (int i = 0; i < hash.Length; i++)
            {
                sbuilder.Append(hash[i].ToString("x2"));
            }

            Rest.Log.DebugFormat("{0} Hash = <{1}>", MsgId, sbuilder.ToString());

            return sbuilder.ToString();

        }

        internal void Complete()
        {
            statusCode = Rest.HttpStatusCodeOK;
            statusDescription = Rest.HttpStatusDescOK;
        }

        internal void Redirect(string Url, bool temp)
        {

            redirectLocation = Url;

            if (temp)
            {
                statusCode = Rest.HttpStatusCodeTemporaryRedirect;
                statusDescription = Rest.HttpStatusDescTemporaryRedirect;
            }
            else
            {
                statusCode = Rest.HttpStatusCodePermanentRedirect;
                statusDescription = Rest.HttpStatusDescPermanentRedirect;
            }

            Fail(statusCode, statusDescription, true);

        }

        // Fail for an arbitrary reason. Just a failure with
        // headers.

        internal void Fail(int code, string message)
        {
            Fail(code, message, true);
        }

        // More adventurous. This failure also includes a 
        // specified entity.

        internal void Fail(int code, string message, string data)
        {
            buffer = null;
            body   = data;
            Fail(code, message, false);
        }

        internal void Fail(int code, string message, bool reset)
        {

            statusCode        = code;
            statusDescription = message;

            if (reset)
            {
                buffer            = null;
                body              = null;
            }

            if (Rest.DEBUG)
            {
                Rest.Log.DebugFormat("{0}     Scheme = {1}", MsgId, scheme);
                Rest.Log.DebugFormat("{0}      Realm = {1}", MsgId, realm);
                Rest.Log.DebugFormat("{0}     Domain = {1}", MsgId, domain);
                Rest.Log.DebugFormat("{0}      Nonce = {1}", MsgId, nonce);
                Rest.Log.DebugFormat("{0}     CNonce = {1}", MsgId, cnonce);
                Rest.Log.DebugFormat("{0}     Opaque = {1}", MsgId, opaque);
                Rest.Log.DebugFormat("{0}      Stale = {1}", MsgId, stale);
                Rest.Log.DebugFormat("{0}  Algorithm = {1}", MsgId, algorithm);
                Rest.Log.DebugFormat("{0}        QOP = {1}", MsgId, qop);
                Rest.Log.DebugFormat("{0} AuthPrefix = {1}", MsgId, authPrefix);
                Rest.Log.DebugFormat("{0}   UserName = {1}", MsgId, userName);
                Rest.Log.DebugFormat("{0}   UserPass = {1}", MsgId, userPass);
            }

            fail = true;

            Respond("Failure response");
           
            RestException re = new RestException(message+" <"+code+">");

            re.statusCode = code;
            re.statusDesc = message;
            re.httpmethod = method;
            re.httppath   = path;

            throw re;

        }

        // Reject this request

        internal void Reject()
        {
            Fail(Rest.HttpStatusCodeNotImplemented, Rest.HttpStatusDescNotImplemented);
        }

        // This MUST be called by an agent handler before it returns 
        // control to Handle, otherwise the request will be ignored.
        // This is called implciitly for the REST stream handlers and
        // is harmless if it is called twice.

        internal virtual bool Respond(string reason)
        {

            Rest.Log.DebugFormat("{0} Respond ENTRY, handled = {1}, reason = {2}", MsgId, handled, reason);

            if (!handled)
            {

                Rest.Log.DebugFormat("{0} Generating Response", MsgId);

                // Process any arbitrary headers collected

                BuildHeaders();

                // A Head request can NOT have a body!
                if (method != Rest.HEAD)
                {

                    Rest.Log.DebugFormat("{0} Response is not abbreviated", MsgId);

                    if (writer != null)
                    {
                        Rest.Log.DebugFormat("{0} XML Response handler extension ENTRY", MsgId);
                        Rest.Log.DebugFormat("{0} XML Response exists", MsgId);
                        writer.Flush();
                        writer.Close();
                        if (!fail)
                        {
                            buffer = xmldata.ToArray();
                            AddHeader("Content-Type","application/xml");
                        }
                        xmldata.Close();
                        Rest.Log.DebugFormat("{0} XML Response encoded", MsgId);
                        Rest.Log.DebugFormat("{0} XML Response handler extension EXIT", MsgId);
                    }

                    // If buffer != null, then we assume that 
                    // this has already been done some other
                    // way. For example, transfer encoding might
                    // have been done.

                    if (buffer == null)
                    {
                        if (body != null && body.Length > 0)
                        {
                            Rest.Log.DebugFormat("{0} String-based entity", MsgId);
                            buffer = encoding.GetBytes(body);
                        }
                    }

                    if (buffer != null)
                    {
                        Rest.Log.DebugFormat("{0} Buffer-based entity", MsgId);
                        if (response.Headers.Get("Content-Encoding") == null)
                            response.ContentEncoding = encoding;
                        response.ContentLength64 = buffer.Length;
                        response.SendChunked     = false;
                        response.KeepAlive       = false;
                    }

                }

                // Set the status code & description. If nothing
                // has been stored, we consider that a success

                if (statusCode == 0)
                {
                    Complete();
                }

                response.StatusCode = statusCode;

                if (response.StatusCode == (int)OSHttpStatusCode.RedirectMovedTemporarily || 
                    response.StatusCode == (int)OSHttpStatusCode.RedirectMovedPermanently)
                {
                    response.RedirectLocation = redirectLocation;
                }

                if (statusDescription != null)
                {
                    response.StatusDescription = statusDescription;
                }

                // Finally we send back our response, consuming
                // any exceptions that doing so might produce.

                // We've left the setting of handled' until the
                // last minute because the header settings included
                // above are pretty harmless. But everything from
                // here on down probably leaves the response 
                // element unusable by anyone else.

                handled = true;

                if (buffer != null && buffer.Length != 0)
                {
                    Rest.Log.DebugFormat("{0} Entity buffer, length = {1} : <{2}>", 
                                         MsgId, buffer.Length, encoding.GetString(buffer));
                    response.OutputStream.Write(buffer, 0, buffer.Length);
                }

                response.OutputStream.Close();

                if (request.InputStream != null)
                {
                    request.InputStream.Close();
                }

            }

            Rest.Log.DebugFormat("{0} Respond EXIT, handled = {1}, reason = {2}", MsgId, handled, reason);

            return handled;

        }

        // Add a header to the table. If the header 
        // already exists, it is replaced.

        internal void AddHeader(string hdr, string data)
        {

            if (headers == null)
            {
                headers = new NameValueCollection();
            }

            headers[hdr] = data;

        }

        // Keep explicit track of any headers which
        // are to be removed.

        internal void RemoveHeader(string hdr)
        {

            if (removed_headers == null)
            {
                removed_headers = new List<string>();
            }

            removed_headers.Add(hdr);

            if (headers != null)
            {
                headers.Remove(hdr);
            }

        }

        // Should it prove necessary, we could always
        // restore the header collection from a cloned
        // copy, but for now we'll assume that that is
        // not necessary.

        private void BuildHeaders()
        {
            if (removed_headers != null)
            {
                foreach (string h in removed_headers)
                {
                    Rest.Log.DebugFormat("{0} Removing header: <{1}>", MsgId, h);
                    response.Headers.Remove(h);
                }
            }
            if (headers!= null)
            {
                for (int i = 0; i < headers.Count; i++)
                {
                    Rest.Log.DebugFormat("{0}   Adding header: <{1}: {2}>", 
                                         MsgId, headers.GetKey(i), headers.Get(i));
                    response.Headers.Add(headers.GetKey(i), headers.Get(i));
                }
            }
        }

        /// <summary>
        /// Helper methods for deconstructing and reconstructing
        /// URI path data.
        /// </summary>

        private void initUrl()
        {

            uri = request.Url;

            if (query == null)
            {
                query = uri.Query;
            }

            // If the path has not been previously initialized,
            // do so now.

            if (path == null)
            {
                path = uri.AbsolutePath;
                if (path.EndsWith(Rest.UrlPathSeparator))
                    path = path.Substring(0,path.Length-1);
                path = Uri.UnescapeDataString(path);
            }

            // If we succeeded in getting a path, perform any
            // additional pre-processing required.

            if (path != null) 
            {
                if (Rest.ExtendedEscape)
                {
                    // Handle "+". Not a standard substitution, but
                    // common enough...
                    path      = path.Replace(Rest.C_PLUS,Rest.C_SPACE);
                }
                pathNodes = path.Split(Rest.CA_PATHSEP);
            }
            else
            {
                pathNodes = EmptyPath;
            }

            // Request server context info

            hostname = uri.Host;
            port     = uri.Port;

        }

        internal int initParameters(int prfxlen)
        {

            if (prfxlen < path.Length-1)
            {
                parameters = path.Substring(prfxlen+1).Split(Rest.CA_PATHSEP);
            }
            else
            {
                parameters = new string[0];
            }
 
            // Generate a debug list of the decoded parameters

            if (Rest.DEBUG && prfxlen < path.Length-1)
            {
                Rest.Log.DebugFormat("{0} URI: Parameters: {1}", MsgId, path.Substring(prfxlen));
                for (int i = 0; i < parameters.Length; i++)
                { 
                    Rest.Log.DebugFormat("{0} Parameter[{1}]: {2}", MsgId, i, parameters[i]);
                }
            }

            return parameters.Length;

        }
                
        internal string[] PathNodes
        {
            get
            { 
                if (pathNodes == null)
                {
                    initUrl();
                }
                return pathNodes;
            }
        }
        
        internal string BuildUrl(int first, int last)
        {
           
            if (pathNodes == null)
            {
                initUrl();
            }

            if (first < 0)
            {
                first = first + pathNodes.Length;
            }

            if (last < 0)
            {
                last = last + pathNodes.Length;
                if (last < 0)
                {
                    return Rest.UrlPathSeparator;
                }
            }

            sbuilder.Length = 0;
            sbuilder.Append(Rest.UrlPathSeparator);

            if (first <= last)
            {
                for (int i = first; i <= last; i++)
                {
                    sbuilder.Append(pathNodes[i]);
                    sbuilder.Append(Rest.UrlPathSeparator);
                }
            }
            else
            {
                for (int i = last; i >= first; i--)
                {
                    sbuilder.Append(pathNodes[i]);
                    sbuilder.Append(Rest.UrlPathSeparator);
                }
            }

            return sbuilder.ToString();

        }

        // Setup the XML writer for output

        internal void initXmlWriter()
        {
            XmlWriterSettings settings = new XmlWriterSettings();
            xmldata = new MemoryStream();
            settings.Indent = true;
            settings.IndentChars = "    ";
            settings.Encoding = encoding;
            settings.CloseOutput = false;
            settings.OmitXmlDeclaration = true;
            settings.ConformanceLevel = ConformanceLevel.Fragment;
            writer = XmlWriter.Create(xmldata, settings);
        }

        internal void initXmlReader()
        {
            XmlReaderSettings        settings = new XmlReaderSettings();
            settings.ConformanceLevel             = ConformanceLevel.Fragment;
            settings.IgnoreComments               = true;
            settings.IgnoreWhitespace             = true;
            settings.IgnoreProcessingInstructions = true;
            settings.ValidationType               = ValidationType.None;
            // reader = XmlReader.Create(new StringReader(entity),settings);
            reader = XmlReader.Create(request.InputStream,settings);
        }

        private void Flush()
        {
            byte[] dbuffer = new byte[8192];
            while (request.InputStream.Read(dbuffer,0,dbuffer.Length) != 0);
            return;
        }

        // This allows us to make errors a bit more apparent in REST

        internal void SendHtml(string text)
        {
            SendHtml("OpenSim REST Interface 1.0", text);
        }

        internal void SendHtml(string title, string text)
        {

            AddHeader(Rest.HttpHeaderContentType, "text/html");
            sbuilder.Length = 0;

            sbuilder.Append("<html>");
            sbuilder.Append("<head>");
            sbuilder.Append("<title>");
            sbuilder.Append(title);
            sbuilder.Append("</title>");
            sbuilder.Append("</head>");

            sbuilder.Append("<body>");
            sbuilder.Append("<br />");
            sbuilder.Append("<p>");
            sbuilder.Append(text);
            sbuilder.Append("</p>");
            sbuilder.Append("</body>");
            sbuilder.Append("</html>");

            html = sbuilder.ToString();

        }
    }
}