import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
+import java.nio.channels.FileChannel;
+import java.nio.file.FileSystems;
+import java.nio.file.NoSuchFileException;
import java.security.KeyStore;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Collections;
import club.wpia.gigi.pages.OneFormPage;
import club.wpia.gigi.pages.Page;
import club.wpia.gigi.pages.PasswordResetPage;
+import club.wpia.gigi.pages.PolicyPage;
import club.wpia.gigi.pages.RootCertPage;
import club.wpia.gigi.pages.StaticPage;
import club.wpia.gigi.pages.Verify;
import club.wpia.gigi.pages.account.ChangePasswordPage;
import club.wpia.gigi.pages.account.FindAgentAccess;
import club.wpia.gigi.pages.account.History;
+import club.wpia.gigi.pages.account.MyContracts;
import club.wpia.gigi.pages.account.MyDetails;
import club.wpia.gigi.pages.account.UserTrainings;
import club.wpia.gigi.pages.account.certs.CertificateAdd;
import club.wpia.gigi.pages.wot.Points;
import club.wpia.gigi.pages.wot.RequestTTPPage;
import club.wpia.gigi.pages.wot.VerifyPage;
+import club.wpia.gigi.passwords.DelegatingPasswordChecker;
+import club.wpia.gigi.passwords.PasswordChecker;
+import club.wpia.gigi.passwords.PasswordHashChecker;
+import club.wpia.gigi.passwords.PasswordStrengthChecker;
import club.wpia.gigi.ping.PingerDaemon;
import club.wpia.gigi.util.AuthorizationContext;
import club.wpia.gigi.util.DomainAssessment;
putPage("/roots", new RootCertPage(truststore), mainMenu);
putPage(StatisticsRoles.PATH, new StatisticsRoles(), mainMenu);
putPage("/about", new AboutPage(), mainMenu);
+ putPage("/policy", new PolicyPage(), mainMenu);
putPage(RegisterPage.PATH, new RegisterPage(), mainMenu);
putPage(CertStatusRequestPage.PATH, new CertStatusRequestPage(), mainMenu);
putPage(KeyCompromisePage.PATH, new KeyCompromisePage(), mainMenu);
putPage(SupportOrgDomainPage.PATH + "*", new SupportOrgDomainPage(), null);
putPage(ChangePasswordPage.PATH, new ChangePasswordPage(), account);
putPage(History.PATH, new History(false), account);
- putPage(FindAgentAccess.PATH, new OneFormPage("Access to Find Agent", FindAgentAccess.class), account);
+
+ putPage(FindAgentAccess.PATH, new OneFormPage("Access to Find Agent", FindAgentAccess.class) {
+
+ @Override
+ public boolean isPermitted(AuthorizationContext ac) {
+ return super.isPermitted(ac) && !ServerConstants.isCommunityCA();
+ }
+ }, account);
+
putPage(History.SUPPORT_PATH, new History(true), null);
putPage(UserTrainings.PATH, new UserTrainings(false), account);
putPage(MyDetails.PATH, new MyDetails(), account);
putPage(UserTrainings.SUPPORT_PATH, new UserTrainings(true), null);
putPage(Points.SUPPORT_PATH, new Points(true), null);
putPage(Certificates.SUPPORT_PATH + "/*", new Certificates(true), null);
+ putPage(MyContracts.PATH, new MyContracts(), null);
putPage(PasswordResetPage.PATH, new PasswordResetPage(), null);
putPage(LogoutPage.PATH, new LogoutPage(), null);
}
try {
- putPage("/wot/rules", new StaticPage("Verification Rules", VerifyPage.class.getResourceAsStream("Rules.templ")), wot);
+ putPage("/wot/rules", new StaticPage("Verification Rules", VerifyPage.class.getResourceAsStream("Rules.templ")) {
+
+ @Override
+ public boolean isPermitted(AuthorizationContext ac) {
+ return super.isPermitted(ac) && !ServerConstants.isCommunityCA();
+ }
+ }, wot);
} catch (UnsupportedEncodingException e) {
throw new ServletException(e);
}
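Review bot: The `isPermitted` override that hides a page when `ServerConstants.isCommunityCA()` is true is duplicated verbatim in two anonymous subclasses in this hunk, once for the FindAgentAccess registration and once for the /wot/rules StaticPage, and nothing on the page records why these two pages are unavailable to a community CA. Rather than a third copy the next time a page gets this rule, consider a single named predicate, e.g. `private static boolean permittedOutsideCommunityCA(AuthorizationContext ac) { return !ServerConstants.isCommunityCA(); }` called from both overrides, or at least a one-line comment at each override such as `// not offered by a community CA; see ServerConstants.isCommunityCA()`. The method that registers these pages starts before this hunk.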
private static Gigi instance;
+ private static PasswordChecker passwordChecker;
+
private static final Template baseTemplate = new Template(Gigi.class.getResource("Gigi.templ"));
private PingerDaemon pinger;
this.truststore = truststore;
pinger = new PingerDaemon(truststore);
pinger.start();
+ Gigi.passwordChecker = getPasswordChecker(conf);
+ }
+ }
+
+ private PasswordChecker getPasswordChecker(Properties conf) {
+ final String knownPasswordHashesPath;
+ final boolean knownPasswordHashesRequired;
+ String knownPasswordHashesConfig = conf.getProperty("knownPasswordHashes");
+ if (knownPasswordHashesConfig != null) {
+ knownPasswordHashesPath = knownPasswordHashesConfig;
+ knownPasswordHashesRequired = true;
+ } else {
+ knownPasswordHashesPath = "/usr/share/pwned-passwords/pwned-passwords.bin";
+ knownPasswordHashesRequired = false;
+ }
+
+ final MessageDigest sha1;
+ try {
+ sha1 = MessageDigest.getInstance("SHA-1");
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
+ }
+
+ try {
+ final FileChannel knownPasswordHashesFile = FileChannel.open(FileSystems.getDefault().getPath(knownPasswordHashesPath));
+ return new DelegatingPasswordChecker(new PasswordChecker[] {
+ new PasswordStrengthChecker(), new PasswordHashChecker(knownPasswordHashesFile, sha1)
+ });
+ } catch (IOException e) {
+ if (knownPasswordHashesRequired) {
+ throw new RuntimeException("Error while opening password hash database, refusing startup", e);
+ } else {
+ System.err.println("Warning: A problem was encountered while opening the password hash database, passwords will be checked only by strength.");
+ if ( !(e instanceof NoSuchFileException)) {
+ e.printStackTrace();
+ }
+ return new PasswordStrengthChecker();
+ }
}
}
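Review bot: The single `MessageDigest` created at `sha1 = MessageDigest.getInstance("SHA-1")` is handed to `PasswordHashChecker` and, if that class calls it directly, is shared by every request thread that checks a password; `MessageDigest` is not thread-safe, so concurrent checks could produce wrong hashes and either miss a known-compromised password or reject a sound one. Unless `PasswordHashChecker` synchronizes on the digest or clones it per call (not visible here), it should obtain its own instance inside the check, or this method should document that the checker has exclusive use of it. The `FileChannel` from `FileChannel.open(...)` is likewise passed on and never closed here; a comment such as `// the checker owns the channel and keeps it open for the life of the process` would make that intent explicit. The `else` branch degrades silently to strength-only checking with a message on stderr when `knownPasswordHashes` is not configured and the default file is absent, which is easy to miss in production; consider reporting the degraded mode through the application's normal logging. The enclosing constructor starts before this hunk.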
instance.pinger.interrupt();
}
+ public static PasswordChecker getPasswordChecker() {
+ if (passwordChecker == null) {
+ throw new IllegalStateException("Not yet initialized!");
+ }
+ return passwordChecker;
+ }
+
+ public static void setPasswordChecker(PasswordChecker passwordChecker) {
+ Gigi.passwordChecker = passwordChecker;
+ }
+
}
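Review bot: `setPasswordChecker` accepts `null`, after which `getPasswordChecker()` reports "Not yet initialized!", which misdescribes the state; guard it with `Gigi.passwordChecker = Objects.requireNonNull(passwordChecker, "passwordChecker");` (from `java.util.Objects`). A short Javadoc on the setter would also help, since a public static setter lets any caller replace the policy that decides whether a password is accepted; if it exists for tests, say so. The backing static field is written from the constructor and read from request threads without `volatile` or synchronization; a servlet container's init-before-service ordering normally covers this, but declaring it `volatile` would make the publication explicit.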