X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2FLoginPage.java;h=58adcda2dacb1a3ab1aa3be2592f847554f58fde;hp=ed01ceb6ccc90e9817cbe1fc64546f136ecaa08e;hb=50b8341607e23812216349ef37711e5a85d957c3;hpb=f1f20db659050299bb4bab64d083b4e193ae3f61

diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index ed01ceb6..58adcda2 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -16,11 +16,14 @@ import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.database.DatabaseConnection;
 import org.cacert.gigi.database.GigiPreparedStatement;
 import org.cacert.gigi.database.GigiResultSet;
+import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.util.AuthorizationContext;
 import org.cacert.gigi.util.PasswordHash;
+import org.cacert.gigi.util.ServerConstants;
 
 public class LoginPage extends Page {
 
@@ -51,16 +54,20 @@ public class LoginPage extends Page {
 
     @Override
     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-        new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
+        if (req.getHeader("Host").equals(ServerConstants.getSecureHostNamePort())) {
+            resp.getWriter().println(getLanguage(req).getTranslation("Authentication with certificate failed. Try another certificate or use a password."));
+        } else {
+            new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
+        }
     }
 
     @Override
     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
         if (req.getSession().getAttribute("loggedin") == null) {
-            X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
-            if (cert != null && cert[0] != null) {
-                tryAuthWithCertificate(req, cert[0]);
+            X509Certificate cert = getCertificateFromRequest(req);
+            if (cert != null) {
+                tryAuthWithCertificate(req, cert);
             }
             if (req.getMethod().equals("POST")) {
                 try {
@@ -114,21 +121,52 @@ public class LoginPage extends Page {
     }
 
     public static User getUser(HttpServletRequest req) {
-        return (User) req.getSession().getAttribute(USER);
+        AuthorizationContext ac = getAuthorizationContext(req);
+        if (ac == null) {
+            return null;
+        }
+        return ac.getActor();
+    }
+
+    public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) {
+        return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT));
     }
 
     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
-        String serial = x509Certificate.getSerialNumber().toString(16).toUpperCase();
-        GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL");
-        ps.setString(1, serial);
-        GigiResultSet rs = ps.executeQuery();
-        if (rs.next()) {
-            loginSession(req, User.getById(rs.getInt(1)));
-            req.getSession().setAttribute(CERT_SERIAL, serial);
-            req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
-            req.getSession().setAttribute(LOGIN_METHOD, "Certificate");
+        String serial = extractSerialFormCert(x509Certificate);
+        User user = fetchUserBySerial(serial);
+        if (user == null) {
+            return;
         }
-        rs.close();
+        loginSession(req, user);
+        req.getSession().setAttribute(CERT_SERIAL, serial);
+        req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
+        req.getSession().setAttribute(LOGIN_METHOD, "Certificate");
+    }
+
+    public static String extractSerialFormCert(X509Certificate x509Certificate) {
+        return x509Certificate.getSerialNumber().toString(16).toUpperCase();
+    }
+
+    public static User fetchUserBySerial(String serial) {
+        if ( !serial.matches("[A-Fa-f0-9]+")) {
+            throw new Error("serial malformed.");
+        }
+
+        CertificateOwner o = CertificateOwner.getByEnabledSerial(serial);
+        if (o == null || !(o instanceof User)) {
+            return null;
+        }
+        return (User) o;
+    }
+
+    public static X509Certificate getCertificateFromRequest(HttpServletRequest req) {
+        X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
+        X509Certificate uc = null;
+        if (cert != null && cert[0] != null) {
+            uc = cert[0];
+        }
+        return uc;
     }
 
     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
@@ -141,11 +179,11 @@ public class LoginPage extends Page {
         HttpSession hs = req.getSession();
         hs.setAttribute(LOGGEDIN, true);
         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
-        hs.setAttribute(USER, user);
+        hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
     }
 
     @Override
-    public boolean isPermitted(User u) {
-        return u == null;
+    public boolean isPermitted(AuthorizationContext ac) {
+        return ac == null;
     }
 }