fix: correct authorization checking for support accessing certificates
[gigi.git] / src / club / wpia / gigi / pages / account / certs / Certificates.java
1 package club.wpia.gigi.pages.account.certs;
2
3 import java.io.IOException;
4 import java.io.PrintWriter;
5 import java.net.URLEncoder;
6 import java.security.GeneralSecurityException;
7 import java.security.cert.X509Certificate;
8 import java.util.HashMap;
9 import java.util.List;
10 import java.util.Map;
11
12 import javax.servlet.ServletOutputStream;
13 import javax.servlet.http.HttpServletRequest;
14 import javax.servlet.http.HttpServletResponse;
15
16 import club.wpia.gigi.dbObjects.Certificate;
17 import club.wpia.gigi.dbObjects.Certificate.CertificateStatus;
18 import club.wpia.gigi.dbObjects.Certificate.SubjectAlternateName;
19 import club.wpia.gigi.dbObjects.CertificateOwner;
20 import club.wpia.gigi.dbObjects.Organisation;
21 import club.wpia.gigi.dbObjects.SupportedUser;
22 import club.wpia.gigi.dbObjects.User;
23 import club.wpia.gigi.localisation.Language;
24 import club.wpia.gigi.output.TrustchainIterable;
25 import club.wpia.gigi.output.template.Form;
26 import club.wpia.gigi.output.template.IterableDataset;
27 import club.wpia.gigi.output.template.Template;
28 import club.wpia.gigi.pages.HandlesMixedRequest;
29 import club.wpia.gigi.pages.LoginPage;
30 import club.wpia.gigi.pages.Page;
31 import club.wpia.gigi.util.AuthorizationContext;
32 import club.wpia.gigi.util.CertExporter;
33 import club.wpia.gigi.util.PEM;
34
35 public class Certificates extends Page implements HandlesMixedRequest {
36
37     private static final Template certDisplay = new Template(Certificates.class.getResource("CertificateDisplay.templ"));
38
39     public static final String PATH = "/account/certs";
40
41     public static final String SUPPORT_PATH = "/support/certs";
42
43     private final boolean support;
44
45     public Certificates(boolean support) {
46         super(support ? "Support Certificates" : "Certificates");
47         this.support = support;
48     }
49
50     @Override
51     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
52         if ("POST".equals(req.getMethod())) {
53             return beforePost(req, resp);
54         }
55
56         String pi = req.getPathInfo().substring(PATH.length());
57         if (pi.length() == 0) {
58             return false;
59         }
60         pi = pi.substring(1);
61         boolean crt = false;
62         boolean cer = false;
63         resp.setContentType("application/pkix-cert");
64         if (req.getParameter("install") != null) {
65             resp.setContentType("application/x-x509-user-cert");
66         }
67         if (pi.endsWith(".crt")) {
68             crt = true;
69             pi = pi.substring(0, pi.length() - 4);
70         } else if (pi.endsWith(".cer")) {
71             cer = true;
72             pi = pi.substring(0, pi.length() - 4);
73         }
74         String serial = pi;
75         try {
76             Certificate c = Certificate.getBySerial(serial);
77             if (c == null || ( !support && LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId())) {
78                 resp.sendError(404);
79                 return true;
80             }
81             if ( !crt && !cer) {
82                 return false;
83             }
84             ServletOutputStream out = resp.getOutputStream();
85             boolean doChain = req.getParameter("chain") != null;
86             boolean includeAnchor = req.getParameter("noAnchor") == null;
87             boolean includeLeaf = req.getParameter("noLeaf") == null;
88             if (crt) {
89                 CertExporter.writeCertCrt(c, out, doChain, includeAnchor, includeLeaf);
90             } else if (cer) {
91                 CertExporter.writeCertCer(c, out, doChain, includeAnchor);
92             }
93         } catch (IllegalArgumentException e) {
94             resp.sendError(404);
95             return true;
96         } catch (GeneralSecurityException e) {
97             resp.sendError(404);
98             return true;
99         }
100
101         return true;
102     }
103
104     @Override
105     public boolean beforePost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
106         if (support && "revoke".equals(req.getParameter("action"))) {
107             return Form.getForm(req, RevokeSingleCertForm.class).submitExceptionProtected(req, resp);
108         }
109         if ( !req.getPathInfo().equals(PATH)) {
110             resp.sendError(500);
111             return true;
112         }
113         return Form.getForm(req, CertificateModificationForm.class).submitExceptionProtected(req, resp);
114     }
115
116     @Override
117     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
118         if (req.getQueryString() != null && !req.getQueryString().equals("") && !req.getQueryString().equals("withRevoked")) {
119             return;// Block actions by get parameters.
120         }
121
122         if (support && "revoke".equals(req.getParameter("action"))) {
123             if (Form.printFormErrors(req, resp.getWriter())) {
124                 Form.getForm(req, RevokeSingleCertForm.class).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
125             }
126             return;
127         }
128         if ( !req.getPathInfo().equals(PATH)) {
129             resp.sendError(500);
130             return;
131         }
132         Form.getForm(req, CertificateModificationForm.class).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
133     }
134
135     @Override
136     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
137         PrintWriter out = resp.getWriter();
138         String pi = req.getPathInfo().substring(PATH.length());
139         if (pi.length() != 0) {
140             pi = pi.substring(1);
141
142             String serial = pi;
143             Certificate c = Certificate.getBySerial(serial);
144             Language l = LoginPage.getLanguage(req);
145
146             if (c == null || ( !support && LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId())) {
147                 resp.sendError(404);
148                 return;
149             }
150             Map<String, Object> vars = getDefaultVars(req);
151             vars.put("serial", URLEncoder.encode(serial, "UTF-8"));
152
153             CertificateStatus st = c.getStatus();
154
155             if (support) {
156                 vars.put("support", "support");
157                 CertificateOwner user = c.getOwner();
158                 if (st == CertificateStatus.ISSUED) {
159                     if (user instanceof User) {
160                         vars.put("revokeForm", new RevokeSingleCertForm(req, c, new SupportedUser((User) user, getUser(req), LoginPage.getAuthorizationContext(req).getSupporterTicketId())));
161                     }
162                 }
163             }
164
165             CertificateOwner co = c.getOwner();
166             int ownerId = co.getId();
167             vars.put("certid", c.getStatus());
168             if (co instanceof Organisation) {
169                 vars.put("type", l.getTranslation("Organisation Acount"));
170                 vars.put("name", Organisation.getById(ownerId).getName());
171                 vars.put("link", ""); // TODO
172             } else {
173                 vars.put("type", l.getTranslation("Personal Account"));
174                 vars.put("name", User.getById(ownerId).getPreferredName());
175                 vars.put("link", "/support/user/" + ownerId + "/");
176             }
177             vars.put("status", c.getStatus());
178             vars.put("DN", c.getDistinguishedName());
179             vars.put("digest", c.getMessageDigest());
180             vars.put("profile", c.getProfile().getVisibleName());
181             vars.put("fingerprint", "TBD"); // TODO function needs to be
182                                             // implemented in Certificate.java
183             try {
184
185                 if (st == CertificateStatus.ISSUED || st == CertificateStatus.REVOKED) {
186                     X509Certificate certx = c.cert();
187                     vars.put("issued", certx.getNotBefore());
188                     vars.put("expire", certx.getNotAfter());
189                     vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
190                 } else {
191                     vars.put("issued", l.getTranslation("N/A"));
192                     vars.put("expire", l.getTranslation("N/A"));
193                     vars.put("cert", l.getTranslation("N/A"));
194                 }
195                 if (st == CertificateStatus.REVOKED) {
196                     vars.put("revoked", c.getRevocationDate());
197                 } else {
198                     vars.put("revoked", l.getTranslation("N/A"));
199                 }
200                 if (st == CertificateStatus.ISSUED || st == CertificateStatus.REVOKED) {
201                     vars.put("trustchain", new TrustchainIterable(c.getParent()));
202                     try {
203                         vars.put("cert", PEM.encode("CERTIFICATE", c.cert().getEncoded()));
204                     } catch (GeneralSecurityException e) {
205                         e.printStackTrace();
206                     }
207                 } else {
208                     vars.put("trustchain", l.getTranslation("N/A"));
209                     vars.put("cert", l.getTranslation("N/A"));
210                 }
211                 final List<SubjectAlternateName> san = c.getSANs();
212                 vars.put("san", new IterableDataset() {
213
214                     int j = 0;
215
216                     @Override
217                     public boolean next(Language l, Map<String, Object> vars) {
218                         if (j == san.size()) {
219                             return false;
220                         }
221                         vars.put("entry", san.get(j).getName() + (j < san.size() - 1 ? ", " : ""));
222                         j++;
223                         return true;
224                     }
225                 });
226                 vars.put("login", c.isLoginEnabled());
227             } catch (GeneralSecurityException e) {
228                 e.printStackTrace();
229             }
230             certDisplay.output(out, getLanguage(req), vars);
231
232             return;
233         }
234
235         HashMap<String, Object> vars = new HashMap<String, Object>();
236         new CertificateModificationForm(req, req.getParameter("withRevoked") != null).output(out, getLanguage(req), vars);
237     }
238
239     @Override
240     public boolean isPermitted(AuthorizationContext ac) {
241         if (ac == null) {
242             return false;
243         }
244         if (support) {
245             return ac.canSupport();
246         } else {
247             return true;
248         }
249     }
250 }