X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Fclub%2Fwpia%2Fgigi%2FGigi.java;h=d33d546d9558cf02882f21365ce030c4e80eb31b;hp=863122c7f117b45169f6262c42adff7e7afee486;hb=46eea3386b6003bd243061cb215196f0f9240c90;hpb=d78ce634f5b5a4cc8ee00332b1c942cdae61adf7

diff --git a/src/club/wpia/gigi/Gigi.java b/src/club/wpia/gigi/Gigi.java
index 863122c7..d33d546d 100644
--- a/src/club/wpia/gigi/Gigi.java
+++ b/src/club/wpia/gigi/Gigi.java
@@ -3,7 +3,13 @@ package club.wpia.gigi;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.UnsupportedEncodingException;
+import java.math.BigInteger;
+import java.nio.channels.FileChannel;
+import java.nio.file.FileSystems;
+import java.nio.file.NoSuchFileException;
 import java.security.KeyStore;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 import java.util.Calendar;
 import java.util.Collections;
@@ -34,6 +40,7 @@ import club.wpia.gigi.output.SimpleMenuItem;
 import club.wpia.gigi.output.SimpleUntranslatedMenuItem;
 import club.wpia.gigi.output.template.Form.CSRFException;
 import club.wpia.gigi.output.template.Outputable;
+import club.wpia.gigi.output.template.PlainOutputable;
 import club.wpia.gigi.output.template.Template;
 import club.wpia.gigi.output.template.TranslateCommand;
 import club.wpia.gigi.pages.AboutPage;
@@ -46,11 +53,11 @@ import club.wpia.gigi.pages.Page;
 import club.wpia.gigi.pages.PasswordResetPage;
 import club.wpia.gigi.pages.RootCertPage;
 import club.wpia.gigi.pages.StaticPage;
-import club.wpia.gigi.pages.TestSecure;
 import club.wpia.gigi.pages.Verify;
 import club.wpia.gigi.pages.account.ChangePasswordPage;
 import club.wpia.gigi.pages.account.FindAgentAccess;
 import club.wpia.gigi.pages.account.History;
+import club.wpia.gigi.pages.account.MyContracts;
 import club.wpia.gigi.pages.account.MyDetails;
 import club.wpia.gigi.pages.account.UserTrainings;
 import club.wpia.gigi.pages.account.certs.CertificateAdd;
@@ -63,16 +70,24 @@ import club.wpia.gigi.pages.admin.support.FindCertPage;
 import club.wpia.gigi.pages.admin.support.FindUserByDomainPage;
 import club.wpia.gigi.pages.admin.support.FindUserByEmailPage;
 import club.wpia.gigi.pages.admin.support.SupportEnterTicketPage;
+import club.wpia.gigi.pages.admin.support.SupportOrgDomainPage;
 import club.wpia.gigi.pages.admin.support.SupportUserDetailsPage;
 import club.wpia.gigi.pages.error.AccessDenied;
 import club.wpia.gigi.pages.error.PageNotFound;
+import club.wpia.gigi.pages.main.CertStatusRequestPage;
+import club.wpia.gigi.pages.main.KeyCompromisePage;
 import club.wpia.gigi.pages.main.RegisterPage;
 import club.wpia.gigi.pages.orga.CreateOrgPage;
+import club.wpia.gigi.pages.orga.SwitchOrganisation;
 import club.wpia.gigi.pages.orga.ViewOrgPage;
 import club.wpia.gigi.pages.statistics.StatisticsRoles;
 import club.wpia.gigi.pages.wot.Points;
 import club.wpia.gigi.pages.wot.RequestTTPPage;
 import club.wpia.gigi.pages.wot.VerifyPage;
+import club.wpia.gigi.passwords.DelegatingPasswordChecker;
+import club.wpia.gigi.passwords.PasswordChecker;
+import club.wpia.gigi.passwords.PasswordHashChecker;
+import club.wpia.gigi.passwords.PasswordStrengthChecker;
 import club.wpia.gigi.ping.PingerDaemon;
 import club.wpia.gigi.util.AuthorizationContext;
 import club.wpia.gigi.util.DomainAssessment;
@@ -110,11 +125,17 @@ public final class Gigi extends HttpServlet {
             return m;
         }
 
+        private Menu createMenu(Outputable name) {
+            Menu m = new Menu(name);
+            categories.add(m);
+            return m;
+        }
+
         public MenuCollector generateMenu() throws ServletException {
             putPage("/denied", new AccessDenied(), null);
             putPage("/error", new PageNotFound(), null);
             putPage("/login", new LoginPage(), null);
-            Menu mainMenu = createMenu("SomeCA.org");
+            Menu mainMenu = createMenu(new PlainOutputable(ServerConstants.getAppName()));
             mainMenu.addItem(new SimpleMenuItem("https://" + ServerConstants.getHostNamePort(Host.WWW) + "/login", "Password Login") {
 
                 @Override
@@ -134,17 +155,18 @@ public final class Gigi extends HttpServlet {
             putPage(StatisticsRoles.PATH, new StatisticsRoles(), mainMenu);
             putPage("/about", new AboutPage(), mainMenu);
             putPage(RegisterPage.PATH, new RegisterPage(), mainMenu);
+            putPage(CertStatusRequestPage.PATH, new CertStatusRequestPage(), mainMenu);
+            putPage(KeyCompromisePage.PATH, new KeyCompromisePage(), mainMenu);
 
-            putPage("/secure", new TestSecure(), null);
             putPage(Verify.PATH, new Verify(), null);
             Menu certificates = createMenu("Certificates");
             putPage(Certificates.PATH + "/*", new Certificates(false), certificates);
             putPage(CertificateAdd.PATH, new CertificateAdd(), certificates);
-            putPage(MailOverview.DEFAULT_PATH, new MailOverview(), certificates);
-            putPage(DomainOverview.PATH, new DomainOverview(), certificates);
-            putPage(EditDomain.PATH + "*", new EditDomain(), null);
 
             Menu wot = createMenu("Verification");
+            putPage(MailOverview.DEFAULT_PATH, new MailOverview(), wot);
+            putPage(DomainOverview.PATH, new DomainOverview(), wot);
+            putPage(EditDomain.PATH + "*", new EditDomain(), null);
             putPage(VerifyPage.PATH + "/*", new VerifyPage(), wot);
             putPage(Points.PATH, new Points(false), wot);
             putPage(RequestTTPPage.PATH, new RequestTTPPage(), wot);
@@ -154,6 +176,7 @@ public final class Gigi extends HttpServlet {
             putPage(TTPAdminPage.PATH + "/*", new TTPAdminPage(), admMenu);
             putPage(CreateOrgPage.DEFAULT_PATH, new CreateOrgPage(), orgAdm);
             putPage(ViewOrgPage.DEFAULT_PATH + "/*", new ViewOrgPage(), orgAdm);
+            putPage(SwitchOrganisation.PATH, new SwitchOrganisation(), orgAdm);
 
             Menu support = createMenu("Support Console");
             putPage(SupportEnterTicketPage.PATH, new SupportEnterTicketPage(), support);
@@ -163,6 +186,7 @@ public final class Gigi extends HttpServlet {
 
             Menu account = createMenu("My Account");
             putPage(SupportUserDetailsPage.PATH + "*", new SupportUserDetailsPage(), null);
+            putPage(SupportOrgDomainPage.PATH + "*", new SupportOrgDomainPage(), null);
             putPage(ChangePasswordPage.PATH, new ChangePasswordPage(), account);
             putPage(History.PATH, new History(false), account);
             putPage(FindAgentAccess.PATH, new OneFormPage("Access to Find Agent", FindAgentAccess.class), account);
@@ -172,6 +196,7 @@ public final class Gigi extends HttpServlet {
             putPage(UserTrainings.SUPPORT_PATH, new UserTrainings(true), null);
             putPage(Points.SUPPORT_PATH, new Points(true), null);
             putPage(Certificates.SUPPORT_PATH + "/*", new Certificates(true), null);
+            putPage(MyContracts.PATH, new MyContracts(), null);
 
             putPage(PasswordResetPage.PATH, new PasswordResetPage(), null);
             putPage(LogoutPage.PATH, new LogoutPage(), null);
@@ -231,6 +256,8 @@ public final class Gigi extends HttpServlet {
 
     private static Gigi instance;
 
+    private static PasswordChecker passwordChecker;
+
     private static final Template baseTemplate = new Template(Gigi.class.getResource("Gigi.templ"));
 
     private PingerDaemon pinger;
@@ -259,6 +286,46 @@ public final class Gigi extends HttpServlet {
             this.truststore = truststore;
             pinger = new PingerDaemon(truststore);
             pinger.start();
+            Gigi.passwordChecker = getPasswordChecker(conf);
+        }
+    }
+
+    private PasswordChecker getPasswordChecker(Properties conf) {
+        final String knownPasswordHashesPath;
+        final boolean knownPasswordHashesRequired;
+        String knownPasswordHashesConfig = conf.getProperty("knownPasswordHashes");
+        if (knownPasswordHashesConfig != null) {
+            knownPasswordHashesPath = knownPasswordHashesConfig;
+            knownPasswordHashesRequired = true;
+        } else {
+            knownPasswordHashesPath = "/usr/share/pwned-passwords/pwned-passwords.bin";
+            knownPasswordHashesRequired = false;
+        }
+
+        final MessageDigest sha1;
+        try {
+            sha1 = MessageDigest.getInstance("SHA-1");
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+
+        try {
+            final FileChannel knownPasswordHashesFile = FileChannel.open(
+                FileSystems.getDefault().getPath(knownPasswordHashesPath));
+            return new DelegatingPasswordChecker(new PasswordChecker[] {
+                    new PasswordStrengthChecker(),
+                    new PasswordHashChecker(knownPasswordHashesFile, sha1)
+                });
+        } catch (IOException e) {
+            if (knownPasswordHashesRequired) {
+                throw new RuntimeException("Error while opening password hash database, refusing startup", e);
+            } else {
+                System.err.println("Warning: A problem was encountered while opening the password hash database, passwords will be checked only by strength.");
+                if ( !(e instanceof NoSuchFileException)) {
+                    e.printStackTrace();
+                }
+                return new PasswordStrengthChecker();
+            }
         }
     }
 
@@ -350,11 +417,11 @@ public final class Gigi extends HttpServlet {
             return;
         }
         HttpSession hs = req.getSession();
-        String clientSerial = (String) hs.getAttribute(CERT_SERIAL);
+        BigInteger clientSerial = (BigInteger) hs.getAttribute(CERT_SERIAL);
         if (clientSerial != null) {
             X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
             if (cert == null || cert[0] == null//
-                    || !cert[0].getSerialNumber().toString(16).toLowerCase().equals(clientSerial) //
+                    || !cert[0].getSerialNumber().equals(clientSerial) //
                     || !cert[0].getIssuerDN().equals(hs.getAttribute(CERT_ISSUER))) {
                 hs.invalidate();
                 resp.sendError(403, "Certificate mismatch.");
@@ -386,7 +453,12 @@ public final class Gigi extends HttpServlet {
                 resp.sendError(403);
                 return;
             }
-            if (p.beforeTemplate(req, resp)) {
+            try {
+                if (p.beforeTemplate(req, resp)) {
+                    return;
+                }
+            } catch (CSRFException e) {
+                resp.sendError(500, "CSRF invalid");
                 return;
             }
             HashMap<String, Object> vars = new HashMap<String, Object>();
@@ -430,12 +502,14 @@ public final class Gigi extends HttpServlet {
             } else {
                 req.setAttribute(LINK_HOST, ServerConstants.getHostNamePort(Host.LINK));
             }
+            vars.put(Gigi.LINK_HOST, req.getAttribute(Gigi.LINK_HOST));
             if (currentAuthContext != null) {
                 // TODO maybe move this information into the AuthContext object
                 vars.put("loginMethod", req.getSession().getAttribute(LOGIN_METHOD));
                 vars.put("authContext", currentAuthContext);
 
             }
+            vars.put("appName", ServerConstants.getAppName());
             resp.setContentType("text/html; charset=utf-8");
             baseTemplate.output(resp.getWriter(), lang, vars);
         } else {
@@ -500,4 +574,15 @@ public final class Gigi extends HttpServlet {
         instance.pinger.interrupt();
     }
 
+    public static PasswordChecker getPasswordChecker() {
+        if (passwordChecker == null) {
+            throw new IllegalStateException("Not yet initialized!");
+        }
+        return passwordChecker;
+    }
+
+    public static void setPasswordChecker(PasswordChecker passwordChecker) {
+        Gigi.passwordChecker = passwordChecker;
+    }
+
 }