merged mailadd and mail overviwer to one page

[gigi.git] / src / org / cacert / gigi / Gigi.java

diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index b6aa90ebd5386b26f3742d41e7090a10829a297b..2741b7329ca6eb491f72cd524891ae1b820fde70 100644 (file)
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -16,6 +16,8 @@ import javax.servlet.http.HttpSession;
 
 import org.cacert.gigi.database.DatabaseConnection;
 import org.cacert.gigi.email.EmailProvider;
+import org.cacert.gigi.output.Menu;
+import org.cacert.gigi.output.MenuItem;
 import org.cacert.gigi.output.Outputable;
 import org.cacert.gigi.output.Template;
 import org.cacert.gigi.pages.LoginPage;
@@ -23,7 +25,8 @@ import org.cacert.gigi.pages.MainPage;
 import org.cacert.gigi.pages.Page;
 import org.cacert.gigi.pages.TestSecure;
 import org.cacert.gigi.pages.Verify;
-import org.cacert.gigi.pages.account.MailAdd;
+import org.cacert.gigi.pages.account.ChangePasswordPage;
+import org.cacert.gigi.pages.account.MailCertificateAdd;
 import org.cacert.gigi.pages.account.MailCertificates;
 import org.cacert.gigi.pages.account.MailOverview;
 import org.cacert.gigi.pages.account.MyDetails;
@@ -37,11 +40,13 @@ public class Gigi extends HttpServlet {
        private static final long serialVersionUID = -6386785421902852904L;
        private Template baseTemplate;
        private HashMap<String, Page> pages = new HashMap<String, Page>();
+       Menu m;
 
        public Gigi(Properties conf) {
                EmailProvider.init(conf);
                DatabaseConnection.init(conf);
        }
+
        @Override
        public void init() throws ServletException {
                pages.put("/login", new LoginPage("CACert - Login"));
@@ -49,26 +54,27 @@ public class Gigi extends HttpServlet {
                pages.put("/secure", new TestSecure());
                pages.put(Verify.PATH, new Verify());
                pages.put(AssurePage.PATH + "/*", new AssurePage());
-               pages.put(MailCertificates.PATH, new MailCertificates());
+               pages.put(MailCertificates.PATH + "/*", new MailCertificates());
                pages.put(MyDetails.PATH, new MyDetails());
+               pages.put(ChangePasswordPage.PATH, new ChangePasswordPage());
                pages.put(RegisterPage.PATH, new RegisterPage());
-               pages.put(MailOverview.DEFAULT_PATH, new MailOverview(
-                               "My email addresses"));
-               pages.put(MailAdd.DEFAULT_PATH, new MailAdd("Add new email"));
-               baseTemplate = new Template(new InputStreamReader(
-                               Gigi.class.getResourceAsStream("Gigi.templ")));
+               pages.put(MailCertificateAdd.PATH, new MailCertificateAdd());
+               pages.put(MailOverview.DEFAULT_PATH, new MailOverview("My email addresses"));
+               baseTemplate = new Template(new InputStreamReader(Gigi.class.getResourceAsStream("Gigi.templ")));
+               m = new Menu("Certificates", "cert", new MenuItem(MailOverview.DEFAULT_PATH, "Emails"), new MenuItem("",
+                               "Client Certificates"), new MenuItem("", "Domains"), new MenuItem("", "Server Certificates"));
                super.init();
 
        }
+
        @Override
-       protected void service(final HttpServletRequest req,
-                       final HttpServletResponse resp) throws ServletException,
+       protected void service(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException,
                        IOException {
                addXSSHeaders(resp);
-               if (req.getHeader("Origin") != null) {
-                       resp.getWriter().println("No cross domain access allowed.");
-                       return;
-               }
+               // if (req.getHeader("Origin") != null) {
+               // resp.getWriter().println("No cross domain access allowed.");
+               // return;
+               // }
                HttpSession hs = req.getSession();
                if (req.getPathInfo() != null && req.getPathInfo().equals("/logout")) {
                        if (hs != null) {
@@ -98,8 +104,7 @@ public class Gigi extends HttpServlet {
                        Outputable content = new Outputable() {
 
                                @Override
-                               public void output(PrintWriter out, Language l,
-                                               Map<String, Object> vars) {
+                               public void output(PrintWriter out, Language l, Map<String, Object> vars) {
                                        try {
                                                if (req.getMethod().equals("POST")) {
                                                        p.doPost(req, resp);
@@ -112,6 +117,7 @@ public class Gigi extends HttpServlet {
 
                                }
                        };
+                       vars.put("menu", m);
                        vars.put("title", p.getTitle());
                        vars.put("static", ServerConstants.getStaticHostNamePort());
                        vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
@@ -122,6 +128,7 @@ public class Gigi extends HttpServlet {
                }
 
        }
+
        private Page getPage(String pathInfo) {
                if (pathInfo.endsWith("/") && !pathInfo.equals("/")) {
                        pathInfo = pathInfo.substring(0, pathInfo.length() - 1);
@@ -146,13 +153,31 @@ public class Gigi extends HttpServlet {
        }
 
        public static void addXSSHeaders(HttpServletResponse hsr) {
-               hsr.addHeader("Access-Control-Allow-Origin",
-                               "http://cacert.org https://localhost");
+               hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getWwwHostNamePort() + " https://"
+                               + ServerConstants.getSecureHostNamePort());
                hsr.addHeader("Access-Control-Max-Age", "60");
-               hsr.addHeader("Content-Security-Policy", "default-src 'self' https://"
-                               + ServerConstants.getStaticHostNamePort()
-                               + ";frame-ancestors 'none'");
-               // ;report-uri https://felix.dogcraft.de/report.php
 
+               hsr.addHeader("Content-Security-Policy", getDefaultCSP());
+               hsr.addHeader("Strict-Transport-Security", "max-age=31536000");
+
+       }
+
+       private static String defaultCSP = null;
+
+       private static String getDefaultCSP() {
+               if (defaultCSP == null) {
+                       StringBuffer csp = new StringBuffer();
+                       csp.append("default-src 'none';");
+                       csp.append("font-src https://" + ServerConstants.getStaticHostNamePort());
+                       csp.append(";img-src https://" + ServerConstants.getStaticHostNamePort());
+                       csp.append(";media-src 'none'; object-src 'none';");
+                       csp.append("script-src https://" + ServerConstants.getStaticHostNamePort());
+                       csp.append(";style-src https://" + ServerConstants.getStaticHostNamePort());
+                       csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://"
+                                       + ServerConstants.getWwwHostNamePort());
+                       csp.append("report-url https://api.cacert.org/security/csp/report");
+                       defaultCSP = csp.toString();
+               }
+               return defaultCSP;
        }
 }