X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;ds=sidebyside;f=src%2Fclub%2Fwpia%2Fgigi%2Fpages%2FLoginPage.java;h=fccfea1d2e8db8f0d793af85d7ca930dd9618f33;hb=3889444cb95132e342e4b7156245dd032ed3b16b;hp=854fa31b419cc38d10ab7be45065389382cc5658;hpb=d71624703243c182beb0f946ebc582e0366a4686;p=gigi.git diff --git a/src/club/wpia/gigi/pages/LoginPage.java b/src/club/wpia/gigi/pages/LoginPage.java index 854fa31b..fccfea1d 100644 --- a/src/club/wpia/gigi/pages/LoginPage.java +++ b/src/club/wpia/gigi/pages/LoginPage.java @@ -4,7 +4,9 @@ import static club.wpia.gigi.Gigi.*; import java.io.IOException; import java.io.PrintWriter; +import java.math.BigInteger; import java.security.cert.X509Certificate; +import java.util.Date; import java.util.Map; import javax.servlet.http.HttpServletRequest; @@ -14,6 +16,7 @@ import javax.servlet.http.HttpSession; import club.wpia.gigi.GigiApiException; import club.wpia.gigi.database.GigiPreparedStatement; import club.wpia.gigi.database.GigiResultSet; +import club.wpia.gigi.dbObjects.Certificate; import club.wpia.gigi.dbObjects.CertificateOwner; import club.wpia.gigi.dbObjects.Group; import club.wpia.gigi.dbObjects.User; @@ -26,6 +29,7 @@ import club.wpia.gigi.util.PasswordHash; import club.wpia.gigi.util.RateLimit; import club.wpia.gigi.util.RateLimit.RateLimitException; import club.wpia.gigi.util.ServerConstants; +import club.wpia.gigi.util.ServerConstants.Host; public class LoginPage extends Page { @@ -61,7 +65,7 @@ public class LoginPage extends Page { @Override public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { - if (req.getHeader("Host").equals(ServerConstants.getSecureHostNamePortSecure())) { + if (req.getHeader("Host").equals(ServerConstants.getHostNamePortSecure(Host.SECURE))) { resp.getWriter().println(getLanguage(req).getTranslation("Authentication with certificate failed. Try another certificate or use a password.")); } else { new LoginForm(req).output(resp.getWriter(), getLanguage(req), getDefaultVars(req)); @@ -118,24 +122,31 @@ public class LoginPage extends Page { try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'")) { ps.setString(1, un); GigiResultSet rs = ps.executeQuery(); - if (rs.next()) { - String dbHash = rs.getString(1); - String hash = PasswordHash.verifyHash(pw, dbHash); - if (hash != null) { - if ( !hash.equals(dbHash)) { - try (GigiPreparedStatement gps = new GigiPreparedStatement("UPDATE `users` SET `password`=? WHERE `email`=?")) { - gps.setString(1, hash); - gps.setString(2, un); - gps.executeUpdate(); - } + if ( !rs.next()) { + throw new GigiApiException("Username and password didn't match."); + } + + User user = User.getById(rs.getInt(2)); + if (user == null) { + throw new GigiApiException("Username and password didn't match."); + } + + String dbHash = rs.getString(1); + String hash = PasswordHash.verifyHash(pw, dbHash); + if (hash != null) { + if ( !hash.equals(dbHash)) { + try (GigiPreparedStatement gps = new GigiPreparedStatement("UPDATE `users` SET `password`=? WHERE `email`=?")) { + gps.setString(1, hash); + gps.setString(2, un); + gps.executeUpdate(); } - loginSession(req, User.getById(rs.getInt(2))); - req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Password")); - return; } + + loginSession(req, user, false); + req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Password")); + return; } } - throw new GigiApiException("Username and password didn't match."); } public static User getUser(HttpServletRequest req) { @@ -151,26 +162,26 @@ public class LoginPage extends Page { } private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) { - String serial = extractSerialFormCert(x509Certificate); + BigInteger serial = extractSerialFormCert(x509Certificate); + Certificate c = Certificate.getBySerial(serial); User user = fetchUserBySerial(serial); if (user == null) { return; } - loginSession(req, user); + if (c.getExpiryDate().before(new Date()) || c.getRevocationDate() != null || c.isLoginEnabled() == false) { + return; + } + loginSession(req, user, true); req.getSession().setAttribute(CERT_SERIAL, serial); req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN()); req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Certificate")); } - public static String extractSerialFormCert(X509Certificate x509Certificate) { - return x509Certificate.getSerialNumber().toString(16).toLowerCase(); + public static BigInteger extractSerialFormCert(X509Certificate x509Certificate) { + return x509Certificate.getSerialNumber(); } - public static User fetchUserBySerial(String serial) { - if ( !serial.matches("[a-f0-9]+")) { - throw new Error("serial malformed."); - } - + public static User fetchUserBySerial(BigInteger serial) { CertificateOwner o = CertificateOwner.getByEnabledSerial(serial); if (o == null || !(o instanceof User)) { return null; @@ -187,9 +198,9 @@ public class LoginPage extends Page { return uc; } - private static final Group LOGIN_BLOCKED = Group.BLOCKEDLOGIN; + private static final Group LOGIN_BLOCKED = Group.BLOCKED_LOGIN; - private void loginSession(HttpServletRequest req, User user) { + private void loginSession(HttpServletRequest req, User user, boolean isStronglyAuthenticated) { if (user.isInGroup(LOGIN_BLOCKED)) { return; } @@ -198,7 +209,7 @@ public class LoginPage extends Page { HttpSession hs = req.getSession(); hs.setAttribute(LOGGEDIN, true); hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale()); - hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user)); + hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user, isStronglyAuthenticated)); } @Override