src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.*;
   4
   5 import java.io.IOException;
   6 import java.io.PrintWriter;
   7 import java.security.cert.X509Certificate;
   8 import java.util.HashMap;
   9 import java.util.Map;
  10
  11 import javax.servlet.http.HttpServletRequest;
  12 import javax.servlet.http.HttpServletResponse;
  13 import javax.servlet.http.HttpSession;
  14
  15 import org.cacert.gigi.GigiApiException;
  16 import org.cacert.gigi.database.DatabaseConnection;
  17 import org.cacert.gigi.database.GigiPreparedStatement;
  18 import org.cacert.gigi.database.GigiResultSet;
  19 import org.cacert.gigi.dbObjects.Group;
  20 import org.cacert.gigi.dbObjects.User;
  21 import org.cacert.gigi.localisation.Language;
  22 import org.cacert.gigi.output.template.Form;
  23 import org.cacert.gigi.util.PasswordHash;
  24
  25 public class LoginPage extends Page {
  26
  27     public class LoginForm extends Form {
  28
  29         public LoginForm(HttpServletRequest hsr) {
  30             super(hsr);
  31         }
  32
  33         @Override
  34         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
  35             tryAuthWithUnpw(req);
  36             return false;
  37         }
  38
  39         @Override
  40         protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
  41             getDefaultTemplate().output(out, l, vars);
  42         }
  43
  44     }
  45
  46     public static final String LOGIN_RETURNPATH = "login-returnpath";
  47
  48     public LoginPage(String title) {
  49         super(title);
  50     }
  51
  52     @Override
  53     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  54         new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
  55     }
  56
  57     @Override
  58     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  59         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  60         if (req.getSession().getAttribute("loggedin") == null) {
  61             X509Certificate cert = getCertificateFromRequest(req);
  62             if (cert != null) {
  63                 tryAuthWithCertificate(req, cert);
  64             }
  65             if (req.getMethod().equals("POST")) {
  66                 try {
  67                     Form.getForm(req, LoginForm.class).submit(resp.getWriter(), req);
  68                 } catch (GigiApiException e) {
  69                 }
  70             }
  71         }
  72
  73         if (req.getSession().getAttribute("loggedin") != null) {
  74             String s = redir;
  75             if (s != null) {
  76                 if ( !s.startsWith("/")) {
  77                     s = "/" + s;
  78                 }
  79                 resp.sendRedirect(s);
  80             } else {
  81                 resp.sendRedirect("/");
  82             }
  83             return true;
  84         }
  85         return false;
  86     }
  87
  88     @Override
  89     public boolean needsLogin() {
  90         return false;
  91     }
  92
  93     private void tryAuthWithUnpw(HttpServletRequest req) {
  94         String un = req.getParameter("username");
  95         String pw = req.getParameter("password");
  96         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'");
  97         ps.setString(1, un);
  98         GigiResultSet rs = ps.executeQuery();
  99         if (rs.next()) {
 100             String dbHash = rs.getString(1);
 101             String hash = PasswordHash.verifyHash(pw, dbHash);
 102             if (hash != null) {
 103                 if ( !hash.equals(dbHash)) {
 104                     GigiPreparedStatement gps = DatabaseConnection.getInstance().prepare("UPDATE `users` SET `password`=? WHERE `email`=?");
 105                     gps.setString(1, hash);
 106                     gps.setString(2, un);
 107                     gps.executeUpdate();
 108                 }
 109                 loginSession(req, User.getById(rs.getInt(2)));
 110                 req.getSession().setAttribute(LOGIN_METHOD, "Password");
 111             }
 112         }
 113         rs.close();
 114     }
 115
 116     public static User getUser(HttpServletRequest req) {
 117         return (User) req.getSession().getAttribute(USER);
 118     }
 119
 120     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
 121         String serial = extractSerialFormCert(x509Certificate);
 122         User user = fetchUserBySerial(serial);
 123         if (user == null) {
 124             return;
 125         }
 126         loginSession(req, user);
 127         req.getSession().setAttribute(CERT_SERIAL, serial);
 128         req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
 129         req.getSession().setAttribute(LOGIN_METHOD, "Certificate");
 130     }
 131
 132     public static String extractSerialFormCert(X509Certificate x509Certificate) {
 133         return x509Certificate.getSerialNumber().toString(16).toUpperCase();
 134     }
 135
 136     public static User fetchUserBySerial(String serial) {
 137         if ( !serial.matches("[A-Fa-f0-9]+")) {
 138             throw new Error("serial malformed.");
 139         }
 140         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL");
 141         ps.setString(1, serial.toLowerCase());
 142         GigiResultSet rs = ps.executeQuery();
 143         User user = null;
 144         if (rs.next()) {
 145             user = User.getById(rs.getInt(1));
 146         } else {
 147             System.out.println("User with serial " + serial + " not found.");
 148         }
 149         rs.close();
 150         return user;
 151     }
 152
 153     public static X509Certificate getCertificateFromRequest(HttpServletRequest req) {
 154         X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
 155         X509Certificate uc = null;
 156         if (cert != null && cert[0] != null) {
 157             uc = cert[0];
 158         }
 159         return uc;
 160     }
 161
 162     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
 163
 164     private void loginSession(HttpServletRequest req, User user) {
 165         if (user.isInGroup(LOGIN_BLOCKED)) {
 166             return;
 167         }
 168         req.getSession().invalidate();
 169         HttpSession hs = req.getSession();
 170         hs.setAttribute(LOGGEDIN, true);
 171         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
 172         hs.setAttribute(USER, user);
 173     }
 174
 175     @Override
 176     public boolean isPermitted(User u) {
 177         return u == null;
 178     }
 179 }