import club.wpia.gigi.GigiApiException;
import club.wpia.gigi.dbObjects.Certificate;
+import club.wpia.gigi.dbObjects.Certificate.CertificateStatus;
import club.wpia.gigi.dbObjects.CertificateProfile;
import club.wpia.gigi.dbObjects.Job;
import club.wpia.gigi.dbObjects.Organisation;
import club.wpia.gigi.dbObjects.User;
-import club.wpia.gigi.dbObjects.Certificate.CertificateStatus;
import club.wpia.gigi.pages.account.certs.CertificateRequest;
import club.wpia.gigi.util.AuthorizationContext;
import club.wpia.gigi.util.CertExporter;
return;
}
}
- AuthorizationContext ctx = new AuthorizationContext(u, u);
+ AuthorizationContext ctx = new AuthorizationContext(u, u, true);
String asOrg = req.getParameter("asOrg");
if (asOrg != null) {
try {
resp.sendError(500, "Error, Organisation with id " + i + " not found.");
return;
} else {
- ctx = new AuthorizationContext(o0, u);
+ ctx = new AuthorizationContext(o0, u, true);
}
} catch (NumberFormatException e) {
resp.sendError(500, "Error, as Org is not an integer");
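Review bot: Both replacement contexts in this hunk hard-code the new flag to `true` (`new AuthorizationContext(u, u, true)` and `new AuthorizationContext(o0, u, true)`), so whoever reaches this servlet is treated as strongly authenticated regardless of how the session was actually established. The other hunks in this commit derive the value from the existing session context instead, e.g. `sessionAc.isStronglyAuthenticated()`; if this page is reachable outside a test deployment it should do the same, and if it is test-only a comment saying so would make the choice auditable. The enclosing method starts before the hunk.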
import java.io.PrintWriter;
import java.math.BigInteger;
import java.security.cert.X509Certificate;
+import java.util.Date;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import club.wpia.gigi.GigiApiException;
import club.wpia.gigi.database.GigiPreparedStatement;
import club.wpia.gigi.database.GigiResultSet;
+import club.wpia.gigi.dbObjects.Certificate;
import club.wpia.gigi.dbObjects.CertificateOwner;
import club.wpia.gigi.dbObjects.Group;
import club.wpia.gigi.dbObjects.User;
}
}
- loginSession(req, user);
+ loginSession(req, user, false);
req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Password"));
return;
}
private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
BigInteger serial = extractSerialFormCert(x509Certificate);
+ Certificate c = Certificate.getBySerial(serial);
User user = fetchUserBySerial(serial);
if (user == null) {
return;
}
- loginSession(req, user);
+ if (c.getExpiryDate().before(new Date()) || c.getRevocationDate() != null || c.isLoginEnabled() == false) {
+ return;
+ }
+ loginSession(req, user, true);
req.getSession().setAttribute(CERT_SERIAL, serial);
req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Certificate"));
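Review bot: `c` from `Certificate.getBySerial(serial)` is dereferenced on the added validity check without a null guard, while `user` from the separate `fetchUserBySerial(serial)` lookup is guarded; if the two lookups can ever disagree this becomes an NPE rather than a clean refusal. Folding the null case into the same condition keeps the fail-closed shape, and `!c.isLoginEnabled()` reads better than `== false`: `if (c == null || c.getExpiryDate().before(new Date()) || c.getRevocationDate() != null || !c.isLoginEnabled()) {`. A one-line comment above the check stating that revoked, expired or login-disabled certificates must not establish a session would also help the next reader, since the TLS layer alone does not know about database-side revocation. tryAuthWithCertificate continues past the end of the hunk.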
private static final Group LOGIN_BLOCKED = Group.BLOCKED_LOGIN;
- private void loginSession(HttpServletRequest req, User user) {
+ private void loginSession(HttpServletRequest req, User user, boolean isStronglyAuthenticated) {
if (user.isInGroup(LOGIN_BLOCKED)) {
return;
}
HttpSession hs = req.getSession();
hs.setAttribute(LOGGEDIN, true);
hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
- hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
+ hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user, isStronglyAuthenticated));
}
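Review bot: The new `isStronglyAuthenticated` parameter on `loginSession` has no Javadoc, and its meaning is only recoverable by reading the two call sites. A short doc comment above the signature would do, along the lines of `@param isStronglyAuthenticated true when the session was established by client-certificate login rather than by password; stored on the session's AuthorizationContext`, with the existing silent return for `LOGIN_BLOCKED` members mentioned as well.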
@Override
throw new GigiApiException("Ticket format malformed");
} else if (req.getParameter("deleteTicket") != null) {
AuthorizationContext ac = LoginPage.getAuthorizationContext(req);
- req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(ac.getActor(), ac.getActor()));
+ req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(ac.getActor(), ac.getActor(), ac.isStronglyAuthenticated()));
return new RedirectResult(SupportEnterTicketPage.PATH);
}
throw new GigiApiException("No valid action given.");
if (toMod == Group.SUPPORTER) {
user.revoke(toMod);
AuthorizationContext ac = LoginPage.getAuthorizationContext(req);
- req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(ac.getActor(), ac.getActor()));
+ req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(ac.getActor(), ac.getActor(), ac.isStronglyAuthenticated()));
return new RedirectResult(MyDetails.PATH);
}
}
@Override
public SubmissionResult submit(HttpServletRequest req) throws GigiApiException {
+ AuthorizationContext sessionAc = (AuthorizationContext) req.getSession().getAttribute(Gigi.AUTH_CONTEXT);
if (req.getParameter("org-leave") != null) {
- req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(target.getActor(), target.getActor()));
+ req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(target.getActor(), target.getActor(), sessionAc.isStronglyAuthenticated()));
return new RedirectResult(SwitchOrganisation.PATH);
}
Enumeration<String> i = req.getParameterNames();
for (Organisation org : target.getActor().getOrganisations()) {
if (org.getId() == orgId) {
- req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(org, target.getActor()));
+ req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(org, target.getActor(), sessionAc.isStronglyAuthenticated()));
return new RedirectResult(SwitchOrganisation.PATH);
}
}
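Review bot: `sessionAc` is obtained by a raw cast of `req.getSession().getAttribute(Gigi.AUTH_CONTEXT)` and dereferenced on both `org-leave` and the organisation-switch path without a null check, whereas the other hunks in this commit use `LoginPage.getAuthorizationContext(req)` for the same lookup. Using the same helper here (and in the `doPost` hunk that introduces a second `sessionAc` the same way) keeps one place responsible for the cast and for whatever the helper does when the attribute is missing: `AuthorizationContext sessionAc = LoginPage.getAuthorizationContext(req);`. The submit method continues past the end of the hunk.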
private final String supporterTicketId;
- public AuthorizationContext(CertificateOwner target, User actor) {
+ private final boolean isStronglyAuthenticated;
+
+ public AuthorizationContext(CertificateOwner target, User actor, boolean isStronglyAuthenticated) {
if (actor == null) {
throw new Error("Internal Error: The actor of an AuthorizationContext must not be null!");
}
this.target = target;
this.actor = actor;
this.supporterTicketId = null;
+ this.isStronglyAuthenticated = isStronglyAuthenticated;
}
public AuthorizationContext(User actor, String supporterTicket) throws GigiApiException {
throw new GigiApiException("requires a supporter");
}
this.supporterTicketId = supporterTicket;
+ this.isStronglyAuthenticated = true;
}
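Review bot: The new `isStronglyAuthenticated` field has no documentation, yet it now decides what a session may do, so its contract deserves a Javadoc on the field rather than being inferred from call sites. From the visible callers, `true` corresponds to certificate login and `false` to password login; a comment such as `/** True when the actor established this session with a client certificate (or a supporter ticket), false for password login. */` would capture that, with the ticket case marked as the deliberate exception. The getter added in the next hunk should carry a matching one-line Javadoc.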
public CertificateOwner getTarget() {
public boolean canVerify() {
return target instanceof User && ((User) target).canVerify();
}
+
+ public boolean isStronglyAuthenticated() {
+ return isStronglyAuthenticated;
+ }
}
import club.wpia.gigi.dbObjects.Group;
import club.wpia.gigi.pages.account.certs.CertificateRequest;
import club.wpia.gigi.testUtils.ClientTest;
-import club.wpia.gigi.testUtils.TestEmailReceiver.TestMail;
import club.wpia.gigi.util.AuthorizationContext;
import club.wpia.gigi.util.TimeConditions;
AuthorizationContext ac;
public TestCertificateRequest() throws GeneralSecurityException, IOException, GigiApiException {
- ac = new AuthorizationContext(u, u);
+ ac = new AuthorizationContext(u, u, false);
makeAgent(u.getId());
}
KeyPair kp = generateKeypair();
String csr = generatePEMCSR(kp, "CN=test");
- CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), csr);
+ CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u, false), csr);
cr.update(CertificateRequest.DEFAULT_CN, Digest.SHA512.toString(), "client", null, null, "email:" + email + "\n");
cert = cr.draft();
Job j = cert.issue(null, "2y", u);
KeyPair kp = generateKeypair();
priv = kp.getPrivate();
String csr = generatePEMCSR(kp, "CN=test");
- CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), csr);
+ CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u, false), csr);
cr.update(CertificateRequest.DEFAULT_CN, Digest.SHA512.toString(), "client", null, null, "email:" + email + "\n");
cert = cr.draft();
Job j = cert.issue(null, "2y", u);
KeyPair kp = generateKeypair();
priv = kp.getPrivate();
String csr = generatePEMCSR(kp, "CN=test");
- CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), csr);
+ CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u, false), csr);
cr.update(CertificateRequest.DEFAULT_CN, Digest.SHA512.toString(), "client", null, null, "email:" + email + "\n");
cert = cr.draft();
Job j = cert.issue(null, "2y", u);
--- /dev/null
+package club.wpia.gigi.util;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+import club.wpia.gigi.testUtils.ClientBusinessTest;
+
+public class TestAuthorizationContext extends ClientBusinessTest {
+
+ @Test
+ public void testStronglyAuthenticated() {
+ AuthorizationContext ac = new AuthorizationContext(u, u, true);
+ assertTrue(ac.isStronglyAuthenticated());
+ }
+
+ @Test
+ public void testNotStronglyAuthenticated() {
+ AuthorizationContext ac = new AuthorizationContext(u, u, false);
+ assertFalse(ac.isStronglyAuthenticated());
+ }
+
+}
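Review bot: The new tests only pin the three-argument constructor; the supporter-ticket constructor also sets the flag (to `true`) and is the path through which the value later propagates on deleteTicket, so a third case built through that constructor would lock in whichever behaviour is intended there. Constructing it presumably needs a supporter user and a valid ticket from the test utilities, which is why it is not proposed inline here.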
Domain d = new Domain(u, u, PublicSuffixes.getInstance().getRegistrablePart(domain));
verify(d);
String csr = generatePEMCSR(generateKeypair(), "CN=test");
- CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), csr);
+ CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u, false), csr);
try {
cr.update("", Digest.SHA512.toString(), "server", null, null, "dns:" + domain + "\n");
} catch (GigiApiException e) {
}
sess.setAttribute(LOGGEDIN, true);
sess.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
- sess.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
+ // ac.isStronglyAuthenticated() set to true to bypass
+ // certificate login for testing
+ sess.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user, true));
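Review bot: This path creates a fully logged-in session with the strong-authentication flag set from a ticket rather than a certificate, and the added comment only says it is "for testing"; the comment should state the precondition that makes that acceptable, since anyone reading it later needs to know whether the class is excluded from production builds. Something like `// Test-only login: marks the session strongly authenticated so certificate-gated pages can be exercised without client-cert TLS; this servlet must not be deployed outside the test setup.` makes the assumption explicit, and the class-level Javadoc (outside the hunk) should say the same.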
req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Ticket"));
resp.getWriter().println("ticket consumed");
ticketUsed = true;
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ AuthorizationContext sessionAc = (AuthorizationContext) req.getSession().getAttribute(Gigi.AUTH_CONTEXT);
if (req.getParameter("create") != null) {
String prefix = req.getParameter("prefix");
String domain = req.getParameter("suffix");
byte[] res = s.getEncoded(sign);
- CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), Base64.getEncoder().encodeToString(res), "challenge");
+ CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u, sessionAc.isStronglyAuthenticated()), Base64.getEncoder().encodeToString(res), "challenge");
cr.update(CertificateRequest.DEFAULT_CN, Digest.SHA512.toString(), "client", null, "", "email:" + u.getEmail());
Certificate draft = cr.draft();
draft.issue(null, "2y", u).waitFor(10000);