src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.*;
   4
   5 import java.io.IOException;
   6 import java.io.PrintWriter;
   7 import java.security.cert.X509Certificate;
   8 import java.util.HashMap;
   9 import java.util.Map;
  10
  11 import javax.servlet.http.HttpServletRequest;
  12 import javax.servlet.http.HttpServletResponse;
  13 import javax.servlet.http.HttpSession;
  14
  15 import org.cacert.gigi.GigiApiException;
  16 import org.cacert.gigi.database.DatabaseConnection;
  17 import org.cacert.gigi.database.GigiPreparedStatement;
  18 import org.cacert.gigi.database.GigiResultSet;
  19 import org.cacert.gigi.dbObjects.Group;
  20 import org.cacert.gigi.dbObjects.User;
  21 import org.cacert.gigi.localisation.Language;
  22 import org.cacert.gigi.output.template.Form;
  23 import org.cacert.gigi.util.AuthorizationContext;
  24 import org.cacert.gigi.util.PasswordHash;
  25
  26 public class LoginPage extends Page {
  27
  28     public class LoginForm extends Form {
  29
  30         public LoginForm(HttpServletRequest hsr) {
  31             super(hsr);
  32         }
  33
  34         @Override
  35         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
  36             tryAuthWithUnpw(req);
  37             return false;
  38         }
  39
  40         @Override
  41         protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
  42             getDefaultTemplate().output(out, l, vars);
  43         }
  44
  45     }
  46
  47     public static final String LOGIN_RETURNPATH = "login-returnpath";
  48
  49     public LoginPage(String title) {
  50         super(title);
  51     }
  52
  53     @Override
  54     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  55         new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
  56     }
  57
  58     @Override
  59     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  60         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  61         if (req.getSession().getAttribute("loggedin") == null) {
  62             X509Certificate cert = getCertificateFromRequest(req);
  63             if (cert != null) {
  64                 tryAuthWithCertificate(req, cert);
  65             }
  66             if (req.getMethod().equals("POST")) {
  67                 try {
  68                     Form.getForm(req, LoginForm.class).submit(resp.getWriter(), req);
  69                 } catch (GigiApiException e) {
  70                 }
  71             }
  72         }
  73
  74         if (req.getSession().getAttribute("loggedin") != null) {
  75             String s = redir;
  76             if (s != null) {
  77                 if ( !s.startsWith("/")) {
  78                     s = "/" + s;
  79                 }
  80                 resp.sendRedirect(s);
  81             } else {
  82                 resp.sendRedirect("/");
  83             }
  84             return true;
  85         }
  86         return false;
  87     }
  88
  89     @Override
  90     public boolean needsLogin() {
  91         return false;
  92     }
  93
  94     private void tryAuthWithUnpw(HttpServletRequest req) {
  95         String un = req.getParameter("username");
  96         String pw = req.getParameter("password");
  97         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'");
  98         ps.setString(1, un);
  99         GigiResultSet rs = ps.executeQuery();
 100         if (rs.next()) {
 101             String dbHash = rs.getString(1);
 102             String hash = PasswordHash.verifyHash(pw, dbHash);
 103             if (hash != null) {
 104                 if ( !hash.equals(dbHash)) {
 105                     GigiPreparedStatement gps = DatabaseConnection.getInstance().prepare("UPDATE `users` SET `password`=? WHERE `email`=?");
 106                     gps.setString(1, hash);
 107                     gps.setString(2, un);
 108                     gps.executeUpdate();
 109                 }
 110                 loginSession(req, User.getById(rs.getInt(2)));
 111                 req.getSession().setAttribute(LOGIN_METHOD, "Password");
 112             }
 113         }
 114         rs.close();
 115     }
 116
 117     public static User getUser(HttpServletRequest req) {
 118         AuthorizationContext ac = getAuthorizationContext(req);
 119         if (ac == null) {
 120             return null;
 121         }
 122         return ac.getActor();
 123     }
 124
 125     public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) {
 126         return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT));
 127     }
 128
 129     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
 130         String serial = extractSerialFormCert(x509Certificate);
 131         User user = fetchUserBySerial(serial);
 132         if (user == null) {
 133             return;
 134         }
 135         loginSession(req, user);
 136         req.getSession().setAttribute(CERT_SERIAL, serial);
 137         req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
 138         req.getSession().setAttribute(LOGIN_METHOD, "Certificate");
 139     }
 140
 141     public static String extractSerialFormCert(X509Certificate x509Certificate) {
 142         return x509Certificate.getSerialNumber().toString(16).toUpperCase();
 143     }
 144
 145     public static User fetchUserBySerial(String serial) {
 146         if ( !serial.matches("[A-Fa-f0-9]+")) {
 147             throw new Error("serial malformed.");
 148         }
 149         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL");
 150         ps.setString(1, serial.toLowerCase());
 151         GigiResultSet rs = ps.executeQuery();
 152         User user = null;
 153         if (rs.next()) {
 154             user = User.getById(rs.getInt(1));
 155         } else {
 156             System.out.println("User with serial " + serial + " not found.");
 157         }
 158         rs.close();
 159         return user;
 160     }
 161
 162     public static X509Certificate getCertificateFromRequest(HttpServletRequest req) {
 163         X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
 164         X509Certificate uc = null;
 165         if (cert != null && cert[0] != null) {
 166             uc = cert[0];
 167         }
 168         return uc;
 169     }
 170
 171     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
 172
 173     private void loginSession(HttpServletRequest req, User user) {
 174         if (user.isInGroup(LOGIN_BLOCKED)) {
 175             return;
 176         }
 177         req.getSession().invalidate();
 178         HttpSession hs = req.getSession();
 179         hs.setAttribute(LOGGEDIN, true);
 180         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
 181         hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
 182     }
 183
 184     @Override
 185     public boolean isPermitted(User u) {
 186         return u == null;
 187     }
 188 }