src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.*;
   4
   5 import java.io.IOException;
   6 import java.io.PrintWriter;
   7 import java.security.cert.X509Certificate;
   8 import java.util.HashMap;
   9 import java.util.Map;
  10
  11 import javax.servlet.http.HttpServletRequest;
  12 import javax.servlet.http.HttpServletResponse;
  13 import javax.servlet.http.HttpSession;
  14
  15 import org.cacert.gigi.GigiApiException;
  16 import org.cacert.gigi.database.GigiPreparedStatement;
  17 import org.cacert.gigi.database.GigiResultSet;
  18 import org.cacert.gigi.dbObjects.CertificateOwner;
  19 import org.cacert.gigi.dbObjects.Group;
  20 import org.cacert.gigi.dbObjects.User;
  21 import org.cacert.gigi.localisation.Language;
  22 import org.cacert.gigi.output.template.Form;
  23 import org.cacert.gigi.output.template.TranslateCommand;
  24 import org.cacert.gigi.util.AuthorizationContext;
  25 import org.cacert.gigi.util.PasswordHash;
  26 import org.cacert.gigi.util.ServerConstants;
  27
  28 public class LoginPage extends Page {
  29
  30     public class LoginForm extends Form {
  31
  32         public LoginForm(HttpServletRequest hsr) {
  33             super(hsr);
  34         }
  35
  36         @Override
  37         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
  38             tryAuthWithUnpw(req);
  39             return false;
  40         }
  41
  42         @Override
  43         protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
  44             getDefaultTemplate().output(out, l, vars);
  45         }
  46
  47     }
  48
  49     public static final String LOGIN_RETURNPATH = "login-returnpath";
  50
  51     public LoginPage() {
  52         super("Password Login");
  53     }
  54
  55     @Override
  56     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  57         if (req.getHeader("Host").equals(ServerConstants.getSecureHostNamePort())) {
  58             resp.getWriter().println(getLanguage(req).getTranslation("Authentication with certificate failed. Try another certificate or use a password."));
  59         } else {
  60             new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
  61         }
  62     }
  63
  64     @Override
  65     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  66         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  67         if (req.getSession().getAttribute("loggedin") == null) {
  68             X509Certificate cert = getCertificateFromRequest(req);
  69             if (cert != null) {
  70                 tryAuthWithCertificate(req, cert);
  71             }
  72             if (req.getMethod().equals("POST")) {
  73                 try {
  74                     Form.getForm(req, LoginForm.class).submit(resp.getWriter(), req);
  75                 } catch (GigiApiException e) {
  76                 }
  77             }
  78         }
  79
  80         if (req.getSession().getAttribute("loggedin") != null) {
  81             String s = redir;
  82             if (s != null) {
  83                 if ( !s.startsWith("/")) {
  84                     s = "/" + s;
  85                 }
  86                 resp.sendRedirect(s);
  87             } else {
  88                 resp.sendRedirect("/");
  89             }
  90             return true;
  91         }
  92         return false;
  93     }
  94
  95     @Override
  96     public boolean needsLogin() {
  97         return false;
  98     }
  99
 100     private void tryAuthWithUnpw(HttpServletRequest req) {
 101         String un = req.getParameter("username");
 102         String pw = req.getParameter("password");
 103         try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'")) {
 104             ps.setString(1, un);
 105             GigiResultSet rs = ps.executeQuery();
 106             if (rs.next()) {
 107                 String dbHash = rs.getString(1);
 108                 String hash = PasswordHash.verifyHash(pw, dbHash);
 109                 if (hash != null) {
 110                     if ( !hash.equals(dbHash)) {
 111                         try (GigiPreparedStatement gps = new GigiPreparedStatement("UPDATE `users` SET `password`=? WHERE `email`=?")) {
 112                             gps.setString(1, hash);
 113                             gps.setString(2, un);
 114                             gps.executeUpdate();
 115                         }
 116                     }
 117                     loginSession(req, User.getById(rs.getInt(2)));
 118                     req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Password"));
 119                 }
 120             }
 121         }
 122     }
 123
 124     public static User getUser(HttpServletRequest req) {
 125         AuthorizationContext ac = getAuthorizationContext(req);
 126         if (ac == null) {
 127             return null;
 128         }
 129         return ac.getActor();
 130     }
 131
 132     public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) {
 133         return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT));
 134     }
 135
 136     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
 137         String serial = extractSerialFormCert(x509Certificate);
 138         User user = fetchUserBySerial(serial);
 139         if (user == null) {
 140             return;
 141         }
 142         loginSession(req, user);
 143         req.getSession().setAttribute(CERT_SERIAL, serial);
 144         req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
 145         req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Certificate"));
 146     }
 147
 148     public static String extractSerialFormCert(X509Certificate x509Certificate) {
 149         return x509Certificate.getSerialNumber().toString(16).toUpperCase();
 150     }
 151
 152     public static User fetchUserBySerial(String serial) {
 153         if ( !serial.matches("[A-Fa-f0-9]+")) {
 154             throw new Error("serial malformed.");
 155         }
 156
 157         CertificateOwner o = CertificateOwner.getByEnabledSerial(serial);
 158         if (o == null || !(o instanceof User)) {
 159             return null;
 160         }
 161         return (User) o;
 162     }
 163
 164     public static X509Certificate getCertificateFromRequest(HttpServletRequest req) {
 165         X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
 166         X509Certificate uc = null;
 167         if (cert != null && cert[0] != null) {
 168             uc = cert[0];
 169         }
 170         return uc;
 171     }
 172
 173     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
 174
 175     private void loginSession(HttpServletRequest req, User user) {
 176         if (user.isInGroup(LOGIN_BLOCKED)) {
 177             return;
 178         }
 179         req.getSession().invalidate();
 180         HttpSession hs = req.getSession();
 181         hs.setAttribute(LOGGEDIN, true);
 182         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
 183         hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
 184     }
 185
 186     @Override
 187     public boolean isPermitted(AuthorizationContext ac) {
 188         return ac == null;
 189     }
 190 }