src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.*;
   4
   5 import java.io.IOException;
   6 import java.io.PrintWriter;
   7 import java.security.cert.X509Certificate;
   8 import java.util.HashMap;
   9 import java.util.Map;
  10
  11 import javax.servlet.http.HttpServletRequest;
  12 import javax.servlet.http.HttpServletResponse;
  13 import javax.servlet.http.HttpSession;
  14
  15 import org.cacert.gigi.GigiApiException;
  16 import org.cacert.gigi.database.GigiPreparedStatement;
  17 import org.cacert.gigi.database.GigiResultSet;
  18 import org.cacert.gigi.dbObjects.CertificateOwner;
  19 import org.cacert.gigi.dbObjects.Group;
  20 import org.cacert.gigi.dbObjects.User;
  21 import org.cacert.gigi.localisation.Language;
  22 import org.cacert.gigi.output.template.Form;
  23 import org.cacert.gigi.output.template.TranslateCommand;
  24 import org.cacert.gigi.pages.main.RegisterPage;
  25 import org.cacert.gigi.util.AuthorizationContext;
  26 import org.cacert.gigi.util.PasswordHash;
  27 import org.cacert.gigi.util.RateLimit;
  28 import org.cacert.gigi.util.ServerConstants;
  29
  30 public class LoginPage extends Page {
  31
  32     public static final RateLimit RATE_LIMIT = new RateLimit(10, 5 * 60 * 1000);
  33
  34     public class LoginForm extends Form {
  35
  36         public LoginForm(HttpServletRequest hsr) {
  37             super(hsr);
  38         }
  39
  40         @Override
  41         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
  42             if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
  43                 outputError(out, req, "Rate Limit Exceeded");
  44                 return false;
  45             }
  46             tryAuthWithUnpw(req);
  47             return false;
  48         }
  49
  50         @Override
  51         protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
  52             getDefaultTemplate().output(out, l, vars);
  53         }
  54
  55     }
  56
  57     public static final String LOGIN_RETURNPATH = "login-returnpath";
  58
  59     public LoginPage() {
  60         super("Password Login");
  61     }
  62
  63     @Override
  64     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  65         if (req.getHeader("Host").equals(ServerConstants.getSecureHostNamePort())) {
  66             resp.getWriter().println(getLanguage(req).getTranslation("Authentication with certificate failed. Try another certificate or use a password."));
  67         } else {
  68             new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
  69         }
  70     }
  71
  72     @Override
  73     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  74         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  75         if (req.getSession().getAttribute("loggedin") == null) {
  76             X509Certificate cert = getCertificateFromRequest(req);
  77             if (cert != null) {
  78                 tryAuthWithCertificate(req, cert);
  79             }
  80             if (req.getMethod().equals("POST")) {
  81                 try {
  82                     Form.getForm(req, LoginForm.class).submit(resp.getWriter(), req);
  83                 } catch (GigiApiException e) {
  84                 }
  85             }
  86         }
  87
  88         if (req.getSession().getAttribute("loggedin") != null) {
  89             String s = redir;
  90             if (s != null) {
  91                 if ( !s.startsWith("/")) {
  92                     s = "/" + s;
  93                 }
  94                 resp.sendRedirect(s);
  95             } else {
  96                 resp.sendRedirect("/");
  97             }
  98             return true;
  99         }
 100         return false;
 101     }
 102
 103     @Override
 104     public boolean needsLogin() {
 105         return false;
 106     }
 107
 108     private void tryAuthWithUnpw(HttpServletRequest req) {
 109         String un = req.getParameter("username");
 110         String pw = req.getParameter("password");
 111         try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'")) {
 112             ps.setString(1, un);
 113             GigiResultSet rs = ps.executeQuery();
 114             if (rs.next()) {
 115                 String dbHash = rs.getString(1);
 116                 String hash = PasswordHash.verifyHash(pw, dbHash);
 117                 if (hash != null) {
 118                     if ( !hash.equals(dbHash)) {
 119                         try (GigiPreparedStatement gps = new GigiPreparedStatement("UPDATE `users` SET `password`=? WHERE `email`=?")) {
 120                             gps.setString(1, hash);
 121                             gps.setString(2, un);
 122                             gps.executeUpdate();
 123                         }
 124                     }
 125                     loginSession(req, User.getById(rs.getInt(2)));
 126                     req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Password"));
 127                 }
 128             }
 129         }
 130     }
 131
 132     public static User getUser(HttpServletRequest req) {
 133         AuthorizationContext ac = getAuthorizationContext(req);
 134         if (ac == null) {
 135             return null;
 136         }
 137         return ac.getActor();
 138     }
 139
 140     public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) {
 141         return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT));
 142     }
 143
 144     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
 145         String serial = extractSerialFormCert(x509Certificate);
 146         User user = fetchUserBySerial(serial);
 147         if (user == null) {
 148             return;
 149         }
 150         loginSession(req, user);
 151         req.getSession().setAttribute(CERT_SERIAL, serial);
 152         req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
 153         req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Certificate"));
 154     }
 155
 156     public static String extractSerialFormCert(X509Certificate x509Certificate) {
 157         return x509Certificate.getSerialNumber().toString(16).toUpperCase();
 158     }
 159
 160     public static User fetchUserBySerial(String serial) {
 161         if ( !serial.matches("[A-Fa-f0-9]+")) {
 162             throw new Error("serial malformed.");
 163         }
 164
 165         CertificateOwner o = CertificateOwner.getByEnabledSerial(serial);
 166         if (o == null || !(o instanceof User)) {
 167             return null;
 168         }
 169         return (User) o;
 170     }
 171
 172     public static X509Certificate getCertificateFromRequest(HttpServletRequest req) {
 173         X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
 174         X509Certificate uc = null;
 175         if (cert != null && cert[0] != null) {
 176             uc = cert[0];
 177         }
 178         return uc;
 179     }
 180
 181     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
 182
 183     private void loginSession(HttpServletRequest req, User user) {
 184         if (user.isInGroup(LOGIN_BLOCKED)) {
 185             return;
 186         }
 187         req.getSession().invalidate();
 188         HttpSession hs = req.getSession();
 189         hs.setAttribute(LOGGEDIN, true);
 190         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
 191         hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
 192     }
 193
 194     @Override
 195     public boolean isPermitted(AuthorizationContext ac) {
 196         return ac == null;
 197     }
 198 }