X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2FGigi.java;h=38a2f0ab35abf5633806205b34a0c22c81990c08;hb=02bd4aa9865e7a57c805ea11802729016d08ad49;hp=78c3373e16a9c12d0f43abdf5ac5f0ba827c83eb;hpb=5587d66ad8b14e851e07eb4ff214e2dc49c7c57e;p=gigi.git

diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index 78c3373e..38a2f0ab 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -1,7 +1,6 @@
 package org.cacert.gigi;
 
 import java.io.IOException;
-import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.Calendar;
 import java.util.HashMap;
@@ -16,17 +15,22 @@ import javax.servlet.http.HttpSession;
 
 import org.cacert.gigi.database.DatabaseConnection;
 import org.cacert.gigi.email.EmailProvider;
+import org.cacert.gigi.output.Menu;
+import org.cacert.gigi.output.MenuItem;
 import org.cacert.gigi.output.Outputable;
 import org.cacert.gigi.output.Template;
+import org.cacert.gigi.output.Form.CSRFError;
 import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.MainPage;
 import org.cacert.gigi.pages.Page;
 import org.cacert.gigi.pages.TestSecure;
 import org.cacert.gigi.pages.Verify;
-import org.cacert.gigi.pages.account.MailAdd;
+import org.cacert.gigi.pages.account.ChangePasswordPage;
+import org.cacert.gigi.pages.account.MailCertificateAdd;
 import org.cacert.gigi.pages.account.MailCertificates;
 import org.cacert.gigi.pages.account.MailOverview;
 import org.cacert.gigi.pages.account.MyDetails;
+import org.cacert.gigi.pages.error.PageNotFound;
 import org.cacert.gigi.pages.main.RegisterPage;
 import org.cacert.gigi.pages.wot.AssurePage;
 import org.cacert.gigi.util.ServerConstants;
@@ -37,38 +41,42 @@ public class Gigi extends HttpServlet {
 	private static final long serialVersionUID = -6386785421902852904L;
 	private Template baseTemplate;
 	private HashMap<String, Page> pages = new HashMap<String, Page>();
+	Menu m;
 
 	public Gigi(Properties conf) {
 		EmailProvider.init(conf);
 		DatabaseConnection.init(conf);
 	}
+
 	@Override
 	public void init() throws ServletException {
+		pages.put("/error", new PageNotFound());
 		pages.put("/login", new LoginPage("CACert - Login"));
 		pages.put("/", new MainPage("CACert - Home"));
 		pages.put("/secure", new TestSecure());
 		pages.put(Verify.PATH, new Verify());
 		pages.put(AssurePage.PATH + "/*", new AssurePage());
-		pages.put(MailCertificates.PATH, new MailCertificates());
+		pages.put(MailCertificates.PATH + "/*", new MailCertificates());
 		pages.put(MyDetails.PATH, new MyDetails());
+		pages.put(ChangePasswordPage.PATH, new ChangePasswordPage());
 		pages.put(RegisterPage.PATH, new RegisterPage());
-		pages.put(MailOverview.DEFAULT_PATH, new MailOverview(
-				"My email addresses"));
-		pages.put(MailAdd.DEFAULT_PATH, new MailAdd("Add new email"));
-		baseTemplate = new Template(new InputStreamReader(
-				Gigi.class.getResourceAsStream("Gigi.templ")));
+		pages.put(MailCertificateAdd.PATH, new MailCertificateAdd());
+		pages.put(MailOverview.DEFAULT_PATH, new MailOverview("My email addresses"));
+		baseTemplate = new Template(Gigi.class.getResource("Gigi.templ"));
+		m = new Menu("Certificates", "cert", new MenuItem(MailOverview.DEFAULT_PATH, "Emails"), new MenuItem("",
+			"Client Certificates"), new MenuItem("", "Domains"), new MenuItem("", "Server Certificates"));
 		super.init();
 
 	}
+
 	@Override
-	protected void service(final HttpServletRequest req,
-			final HttpServletResponse resp) throws ServletException,
-			IOException {
+	protected void service(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException,
+		IOException {
 		addXSSHeaders(resp);
-		if (req.getHeader("Origin") != null) {
-			resp.getWriter().println("No cross domain access allowed.");
-			return;
-		}
+		// if (req.getHeader("Origin") != null) {
+		// resp.getWriter().println("No cross domain access allowed.");
+		// return;
+		// }
 		HttpSession hs = req.getSession();
 		if (req.getPathInfo() != null && req.getPathInfo().equals("/logout")) {
 			if (hs != null) {
@@ -98,8 +106,7 @@ public class Gigi extends HttpServlet {
 			Outputable content = new Outputable() {
 
 				@Override
-				public void output(PrintWriter out, Language l,
-						Map<String, Object> vars) {
+				public void output(PrintWriter out, Language l, Map<String, Object> vars) {
 					try {
 						if (req.getMethod().equals("POST")) {
 							p.doPost(req, resp);
@@ -108,10 +115,17 @@ public class Gigi extends HttpServlet {
 						}
 					} catch (IOException e) {
 						e.printStackTrace();
+					} catch (CSRFError err) {
+						try {
+							resp.sendError(500, "CSRF invalid");
+						} catch (IOException e) {
+							e.printStackTrace();
+						}
 					}
 
 				}
 			};
+			vars.put("menu", m);
 			vars.put("title", p.getTitle());
 			vars.put("static", ServerConstants.getStaticHostNamePort());
 			vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
@@ -122,6 +136,7 @@ public class Gigi extends HttpServlet {
 		}
 
 	}
+
 	private Page getPage(String pathInfo) {
 		if (pathInfo.endsWith("/") && !pathInfo.equals("/")) {
 			pathInfo = pathInfo.substring(0, pathInfo.length() - 1);
@@ -146,32 +161,28 @@ public class Gigi extends HttpServlet {
 	}
 
 	public static void addXSSHeaders(HttpServletResponse hsr) {
-		hsr.addHeader("Access-Control-Allow-Origin", "https://"
-				+ ServerConstants.getWwwHostNamePort() + " https://"
-				+ ServerConstants.getSecureHostNamePort());
+		hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getWwwHostNamePort() + " https://"
+			+ ServerConstants.getSecureHostNamePort());
 		hsr.addHeader("Access-Control-Max-Age", "60");
 
 		hsr.addHeader("Content-Security-Policy", getDefaultCSP());
 		hsr.addHeader("Strict-Transport-Security", "max-age=31536000");
 
 	}
+
 	private static String defaultCSP = null;
+
 	private static String getDefaultCSP() {
 		if (defaultCSP == null) {
 			StringBuffer csp = new StringBuffer();
 			csp.append("default-src 'none';");
-			csp.append("font-src https://"
-					+ ServerConstants.getStaticHostNamePort());
-			csp.append(";img-src https://"
-					+ ServerConstants.getStaticHostNamePort());
+			csp.append("font-src https://" + ServerConstants.getStaticHostNamePort());
+			csp.append(";img-src https://" + ServerConstants.getStaticHostNamePort());
 			csp.append(";media-src 'none'; object-src 'none';");
-			csp.append("script-src https://"
-					+ ServerConstants.getStaticHostNamePort());
-			csp.append(";style-src https://"
-					+ ServerConstants.getStaticHostNamePort());
-			csp.append(";form-action https://"
-					+ ServerConstants.getSecureHostNamePort() + " https://"
-					+ ServerConstants.getWwwHostNamePort());
+			csp.append("script-src https://" + ServerConstants.getStaticHostNamePort());
+			csp.append(";style-src https://" + ServerConstants.getStaticHostNamePort());
+			csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://"
+				+ ServerConstants.getWwwHostNamePort());
 			csp.append("report-url https://api.cacert.org/security/csp/report");
 			defaultCSP = csp.toString();
 		}