UPD: copy the login page from old software
[gigi.git] / src / org / cacert / gigi / pages / LoginPage.java
1 package org.cacert.gigi.pages;
2
3 import static org.cacert.gigi.Gigi.*;
4
5 import java.io.IOException;
6 import java.io.PrintWriter;
7 import java.security.cert.X509Certificate;
8 import java.util.HashMap;
9 import java.util.Map;
10
11 import javax.servlet.http.HttpServletRequest;
12 import javax.servlet.http.HttpServletResponse;
13 import javax.servlet.http.HttpSession;
14
15 import org.cacert.gigi.GigiApiException;
16 import org.cacert.gigi.database.DatabaseConnection;
17 import org.cacert.gigi.database.GigiPreparedStatement;
18 import org.cacert.gigi.database.GigiResultSet;
19 import org.cacert.gigi.dbObjects.Group;
20 import org.cacert.gigi.dbObjects.User;
21 import org.cacert.gigi.localisation.Language;
22 import org.cacert.gigi.output.Form;
23 import org.cacert.gigi.util.PasswordHash;
24
25 public class LoginPage extends Page {
26
27     public class LoginForm extends Form {
28
29         public LoginForm(HttpServletRequest hsr) {
30             super(hsr);
31         }
32
33         @Override
34         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
35             tryAuthWithUnpw(req);
36             return false;
37         }
38
39         @Override
40         protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
41             getDefaultTemplate().output(out, l, vars);
42         }
43
44     }
45
46     public static final String LOGIN_RETURNPATH = "login-returnpath";
47
48     public LoginPage(String title) {
49         super(title);
50     }
51
52     @Override
53     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
54         new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
55     }
56
57     @Override
58     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
59         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
60         if (req.getSession().getAttribute("loggedin") == null) {
61             X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
62             if (cert != null && cert[0] != null) {
63                 tryAuthWithCertificate(req, cert[0]);
64             }
65             if (req.getMethod().equals("POST")) {
66                 try {
67                     Form.getForm(req, LoginForm.class).submit(resp.getWriter(), req);
68                 } catch (GigiApiException e) {
69                 }
70             }
71         }
72
73         if (req.getSession().getAttribute("loggedin") != null) {
74             String s = redir;
75             if (s != null) {
76                 if ( !s.startsWith("/")) {
77                     s = "/" + s;
78                 }
79                 resp.sendRedirect(s);
80             } else {
81                 resp.sendRedirect("/");
82             }
83             return true;
84         }
85         return false;
86     }
87
88     @Override
89     public boolean needsLogin() {
90         return false;
91     }
92
93     private void tryAuthWithUnpw(HttpServletRequest req) {
94         String un = req.getParameter("username");
95         String pw = req.getParameter("password");
96         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'");
97         ps.setString(1, un);
98         GigiResultSet rs = ps.executeQuery();
99         if (rs.next()) {
100             if (PasswordHash.verifyHash(pw, rs.getString(1))) {
101                 loginSession(req, User.getById(rs.getInt(2)));
102             }
103         }
104         rs.close();
105     }
106
107     public static User getUser(HttpServletRequest req) {
108         return (User) req.getSession().getAttribute(USER);
109     }
110
111     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
112         String serial = x509Certificate.getSerialNumber().toString(16).toUpperCase();
113         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL");
114         ps.setString(1, serial);
115         GigiResultSet rs = ps.executeQuery();
116         if (rs.next()) {
117             loginSession(req, User.getById(rs.getInt(1)));
118         }
119         rs.close();
120     }
121
122     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
123
124     private void loginSession(HttpServletRequest req, User user) {
125         if (user.isInGroup(LOGIN_BLOCKED)) {
126             return;
127         }
128         req.getSession().invalidate();
129         HttpSession hs = req.getSession();
130         hs.setAttribute(LOGGEDIN, true);
131         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
132         hs.setAttribute(USER, user);
133     }
134
135     @Override
136     public boolean isPermitted(User u) {
137         return u == null;
138     }
139 }