src/org/cacert/gigi/Gigi.java

   1 package org.cacert.gigi;
   2
   3 import java.io.BufferedReader;
   4 import java.io.File;
   5 import java.io.FileInputStream;
   6 import java.io.IOException;
   7 import java.io.InputStreamReader;
   8 import java.security.cert.X509Certificate;
   9 import java.sql.PreparedStatement;
  10 import java.sql.ResultSet;
  11 import java.sql.SQLException;
  12 import java.util.Calendar;
  13 import java.util.HashMap;
  14
  15 import javax.servlet.ServletException;
  16 import javax.servlet.http.HttpServlet;
  17 import javax.servlet.http.HttpServletRequest;
  18 import javax.servlet.http.HttpServletResponse;
  19 import javax.servlet.http.HttpSession;
  20
  21 import org.cacert.gigi.database.DatabaseConnection;
  22 import org.cacert.gigi.pages.LoginPage;
  23 import org.cacert.gigi.pages.MainPage;
  24 import org.cacert.gigi.pages.Page;
  25 import org.cacert.gigi.pages.main.RegisterPage;
  26 import org.cacert.gigi.util.PasswordHash;
  27 import org.eclipse.jetty.util.log.Log;
  28
  29 public class Gigi extends HttpServlet {
  30         public static final String LOGGEDIN = "loggedin";
  31         public static final String USER = "user";
  32         private static final long serialVersionUID = -6386785421902852904L;
  33         private String[] baseTemplate;
  34         private HashMap<String, Page> pages = new HashMap<String, Page>();
  35
  36         @Override
  37         public void init() throws ServletException {
  38                 pages.put("/login", new LoginPage("CACert - Login"));
  39                 pages.put("/", new MainPage("CACert - Home"));
  40                 pages.put(RegisterPage.PATH, new RegisterPage());
  41                 String templ = "";
  42                 try {
  43                         BufferedReader reader = new BufferedReader(new InputStreamReader(
  44                                         new FileInputStream(new File("templates/base.html"))));
  45                         String tmp;
  46                         while ((tmp = reader.readLine()) != null) {
  47                                 templ += tmp;
  48                         }
  49                         baseTemplate = templ.split("\\$content\\$");
  50                 } catch (Exception e) {
  51                         Log.getLogger(Gigi.class).warn("Error loading template!", e);
  52                 }
  53                 super.init();
  54
  55         }
  56
  57         @Override
  58         protected void service(HttpServletRequest req, HttpServletResponse resp)
  59                         throws ServletException, IOException {
  60                 X509Certificate[] cert = (X509Certificate[]) req
  61                                 .getAttribute("javax.servlet.request.X509Certificate");
  62                 HttpSession hs = req.getSession();
  63                 if (hs.getAttribute(LOGGEDIN) == null) {
  64                         if (cert != null) {
  65                                 tryAuthWithCertificate(req, cert[0]);
  66                                 hs = req.getSession();
  67                         }
  68                 }
  69                 if (((Boolean) hs.getAttribute("loggedin"))
  70                                 && req.getPathInfo().equals("/login")) {
  71                         resp.sendRedirect("/");
  72                         return;
  73                 }
  74                 if (req.getMethod().equals("POST") && req.getPathInfo() != null
  75                                 && req.getPathInfo().equals("/login")) {
  76                         authWithUnpw(req);
  77                         resp.sendRedirect("/");
  78                         return;
  79                 }
  80                 if (req.getPathInfo() != null && req.getPathInfo().equals("/logout")) {
  81                         if (hs != null) {
  82                                 hs.setAttribute(LOGGEDIN, null);
  83                                 hs.invalidate();
  84                         }
  85                         resp.sendRedirect("/");
  86                         return;
  87                 }
  88
  89                 if ((hs == null || !((Boolean) hs.getAttribute("loggedin")))
  90                                 && !"/login".equals(req.getPathInfo())) {
  91                         System.out.println(req.getPathInfo());
  92                         resp.sendRedirect("/login");
  93                         return;
  94                 }
  95                 if (pages.containsKey(req.getPathInfo())) {
  96                         String b0 = baseTemplate[0];
  97                         Page p = pages.get(req.getPathInfo());
  98                         b0 = makeDynTempl(b0, p);
  99                         resp.setContentType("text/html; charset=utf-8");
 100                         resp.getWriter().print(b0);
 101                         if (hs != null && hs.getAttribute(LOGGEDIN) != null) {
 102                                 resp.getWriter().println(
 103                                                 "Hi " + ((User) hs.getAttribute(USER)).getFname());
 104                         }
 105                         if (req.getMethod().equals("POST")) {
 106                                 p.doPost(req, resp);
 107                         } else {
 108                                 p.doGet(req, resp);
 109                         }
 110                         String b1 = baseTemplate[1];
 111                         b1 = makeDynTempl(b1, p);
 112                         resp.getWriter().print(b1);
 113                 } else {
 114                         resp.sendError(404, "Page not found.");
 115                 }
 116
 117         }
 118         private String makeDynTempl(String in, Page p) {
 119                 int year = Calendar.getInstance().get(Calendar.YEAR);
 120                 in = in.replaceAll("\\$title\\$", p.getTitle());
 121                 in = in.replaceAll("\\$year\\$", year + "");
 122                 return in;
 123         }
 124         private void authWithUnpw(HttpServletRequest req) {
 125                 String un = req.getParameter("username");
 126                 String pw = req.getParameter("password");
 127                 try {
 128                         PreparedStatement ps = DatabaseConnection.getInstance().prepare(
 129                                         "SELECT `password`, `id` FROM `users` WHERE `email`=?");
 130                         ps.setString(1, un);
 131                         ResultSet rs = ps.executeQuery();
 132                         if (rs.next()) {
 133                                 if (PasswordHash.verifyHash(pw, rs.getString(1))) {
 134                                         HttpSession hs = req.getSession();
 135                                         hs.setAttribute(LOGGEDIN, true);
 136                                         hs.setAttribute(USER, new User(rs.getInt(2)));
 137                                 }
 138                         }
 139                         rs.close();
 140                 } catch (SQLException e) {
 141                         e.printStackTrace();
 142                 }
 143         }
 144         private void tryAuthWithCertificate(HttpServletRequest req,
 145                         X509Certificate x509Certificate) {
 146                 String serial = x509Certificate.getSerialNumber().toString(16)
 147                                 .toUpperCase();
 148                 try {
 149                         PreparedStatement ps = DatabaseConnection
 150                                         .getInstance()
 151                                         .prepare(
 152                                                         "SELECT `memid` FROM `emailcerts` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = "
 153                                                                         + "'0000-00-00 00:00:00'");
 154                         ps.setString(1, serial);
 155                         ResultSet rs = ps.executeQuery();
 156                         if (rs.next()) {
 157                                 HttpSession hs = req.getSession();
 158                                 hs.setAttribute(LOGGEDIN, true);
 159                                 hs.setAttribute(USER, new User(rs.getInt(1)));
 160                         }
 161                         rs.close();
 162                 } catch (SQLException e) {
 163                         e.printStackTrace();
 164                 }
 165         }
 166 }