src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.*;
   4
   5 import java.io.IOException;
   6 import java.io.PrintWriter;
   7 import java.security.cert.X509Certificate;
   8 import java.util.HashMap;
   9 import java.util.Map;
  10
  11 import javax.servlet.http.HttpServletRequest;
  12 import javax.servlet.http.HttpServletResponse;
  13 import javax.servlet.http.HttpSession;
  14
  15 import org.cacert.gigi.GigiApiException;
  16 import org.cacert.gigi.database.DatabaseConnection;
  17 import org.cacert.gigi.database.GigiPreparedStatement;
  18 import org.cacert.gigi.database.GigiResultSet;
  19 import org.cacert.gigi.dbObjects.Group;
  20 import org.cacert.gigi.dbObjects.User;
  21 import org.cacert.gigi.localisation.Language;
  22 import org.cacert.gigi.output.template.Form;
  23 import org.cacert.gigi.util.AuthorizationContext;
  24 import org.cacert.gigi.util.PasswordHash;
  25 import org.cacert.gigi.util.ServerConstants;
  26
  27 public class LoginPage extends Page {
  28
  29     public class LoginForm extends Form {
  30
  31         public LoginForm(HttpServletRequest hsr) {
  32             super(hsr);
  33         }
  34
  35         @Override
  36         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
  37             tryAuthWithUnpw(req);
  38             return false;
  39         }
  40
  41         @Override
  42         protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
  43             getDefaultTemplate().output(out, l, vars);
  44         }
  45
  46     }
  47
  48     public static final String LOGIN_RETURNPATH = "login-returnpath";
  49
  50     public LoginPage(String title) {
  51         super(title);
  52     }
  53
  54     @Override
  55     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  56         if (req.getHeader("Host").equals(ServerConstants.getSecureHostNamePort())) {
  57             resp.getWriter().println(getLanguage(req).getTranslation("Authentication with certificate failed. Try another certificate or use a password."));
  58         } else {
  59             new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
  60         }
  61     }
  62
  63     @Override
  64     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  65         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  66         if (req.getSession().getAttribute("loggedin") == null) {
  67             X509Certificate cert = getCertificateFromRequest(req);
  68             if (cert != null) {
  69                 tryAuthWithCertificate(req, cert);
  70             }
  71             if (req.getMethod().equals("POST")) {
  72                 try {
  73                     Form.getForm(req, LoginForm.class).submit(resp.getWriter(), req);
  74                 } catch (GigiApiException e) {
  75                 }
  76             }
  77         }
  78
  79         if (req.getSession().getAttribute("loggedin") != null) {
  80             String s = redir;
  81             if (s != null) {
  82                 if ( !s.startsWith("/")) {
  83                     s = "/" + s;
  84                 }
  85                 resp.sendRedirect(s);
  86             } else {
  87                 resp.sendRedirect("/");
  88             }
  89             return true;
  90         }
  91         return false;
  92     }
  93
  94     @Override
  95     public boolean needsLogin() {
  96         return false;
  97     }
  98
  99     private void tryAuthWithUnpw(HttpServletRequest req) {
 100         String un = req.getParameter("username");
 101         String pw = req.getParameter("password");
 102         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'");
 103         ps.setString(1, un);
 104         GigiResultSet rs = ps.executeQuery();
 105         if (rs.next()) {
 106             String dbHash = rs.getString(1);
 107             String hash = PasswordHash.verifyHash(pw, dbHash);
 108             if (hash != null) {
 109                 if ( !hash.equals(dbHash)) {
 110                     GigiPreparedStatement gps = DatabaseConnection.getInstance().prepare("UPDATE `users` SET `password`=? WHERE `email`=?");
 111                     gps.setString(1, hash);
 112                     gps.setString(2, un);
 113                     gps.executeUpdate();
 114                 }
 115                 loginSession(req, User.getById(rs.getInt(2)));
 116                 req.getSession().setAttribute(LOGIN_METHOD, "Password");
 117             }
 118         }
 119         rs.close();
 120     }
 121
 122     public static User getUser(HttpServletRequest req) {
 123         AuthorizationContext ac = getAuthorizationContext(req);
 124         if (ac == null) {
 125             return null;
 126         }
 127         return ac.getActor();
 128     }
 129
 130     public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) {
 131         return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT));
 132     }
 133
 134     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
 135         String serial = extractSerialFormCert(x509Certificate);
 136         User user = fetchUserBySerial(serial);
 137         if (user == null) {
 138             return;
 139         }
 140         loginSession(req, user);
 141         req.getSession().setAttribute(CERT_SERIAL, serial);
 142         req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
 143         req.getSession().setAttribute(LOGIN_METHOD, "Certificate");
 144     }
 145
 146     public static String extractSerialFormCert(X509Certificate x509Certificate) {
 147         return x509Certificate.getSerialNumber().toString(16).toUpperCase();
 148     }
 149
 150     public static User fetchUserBySerial(String serial) {
 151         if ( !serial.matches("[A-Fa-f0-9]+")) {
 152             throw new Error("serial malformed.");
 153         }
 154         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL");
 155         ps.setString(1, serial.toLowerCase());
 156         GigiResultSet rs = ps.executeQuery();
 157         User user = null;
 158         if (rs.next()) {
 159             user = User.getById(rs.getInt(1));
 160         } else {
 161             System.out.println("User with serial " + serial + " not found.");
 162         }
 163         rs.close();
 164         return user;
 165     }
 166
 167     public static X509Certificate getCertificateFromRequest(HttpServletRequest req) {
 168         X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
 169         X509Certificate uc = null;
 170         if (cert != null && cert[0] != null) {
 171             uc = cert[0];
 172         }
 173         return uc;
 174     }
 175
 176     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
 177
 178     private void loginSession(HttpServletRequest req, User user) {
 179         if (user.isInGroup(LOGIN_BLOCKED)) {
 180             return;
 181         }
 182         req.getSession().invalidate();
 183         HttpSession hs = req.getSession();
 184         hs.setAttribute(LOGGEDIN, true);
 185         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
 186         hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
 187     }
 188
 189     @Override
 190     public boolean isPermitted(AuthorizationContext ac) {
 191         return ac == null;
 192     }
 193 }