--- /dev/null
+package org.cacert.gigi.api;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.Certificate.SANType;
+import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
+import org.cacert.gigi.dbObjects.CertificateOwner;
+import org.cacert.gigi.dbObjects.Organisation;
+import org.cacert.gigi.util.ServerConstants;
+
+public abstract class CATSRestrictedApi extends APIPoint {
+
+ @Override
+ public final void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u, Certificate clientCert) throws IOException {
+ if ( !(u instanceof Organisation)) {
+ resp.sendError(500, "Error, invalid cert");
+ return;
+ }
+ if ( !((Organisation) u).isSelfOrganisation()) {
+ resp.sendError(500, "Error, invalid cert");
+ return;
+ }
+ if ( !hasMail(clientCert, ServerConstants.getQuizMailAddress())) {
+ resp.sendError(500, "Error, invalid cert");
+ return;
+ }
+ processAuthenticated(req, resp);
+ }
+
+ public abstract void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException;
+
+ public boolean hasMail(Certificate clientCert, String mail) {
+ for (SubjectAlternateName a : clientCert.getSANs()) {
+ if (a.getType() == SANType.EMAIL && a.getName().equals(mail)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
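Review bot: `hasMail` at the end of the class is `public` and non-final, yet the `final` method `process` relies on it for the last of its three authorization checks, so a subclass can override `hasMail` to always return true and weaken the gate that making `process` final is meant to protect. Declaring it `public final boolean hasMail(Certificate clientCert, String mail)` (or `private static` if no subclass calls it) closes that gap. Separately, all three rejections answer with status 500, which makes a refused client certificate indistinguishable from a server fault in logs and monitoring; `resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Error, invalid cert");` fits an authorization failure better. A short Javadoc on `process` would also help implementers of `processAuthenticated`: it should state that the owner must be the self-organisation and that the certificate must carry the quiz mail address as an e-mail SAN.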