X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2FLoginPage.java;h=d25eacfb43bc0036aa4a8ae7c6fe9070a980b55f;hp=ed01ceb6ccc90e9817cbe1fc64546f136ecaa08e;hb=dc10b875c132eb7840a6b9827ec93916076d34f7;hpb=a1a980dd0cc65f33a6189eb81a164fe79abb647c diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java index ed01ceb6..d25eacfb 100644 --- a/src/org/cacert/gigi/pages/LoginPage.java +++ b/src/org/cacert/gigi/pages/LoginPage.java @@ -20,6 +20,7 @@ import org.cacert.gigi.dbObjects.Group; import org.cacert.gigi.dbObjects.User; import org.cacert.gigi.localisation.Language; import org.cacert.gigi.output.template.Form; +import org.cacert.gigi.util.AuthorizationContext; import org.cacert.gigi.util.PasswordHash; public class LoginPage extends Page { @@ -58,9 +59,9 @@ public class LoginPage extends Page { public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException { String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH); if (req.getSession().getAttribute("loggedin") == null) { - X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate"); - if (cert != null && cert[0] != null) { - tryAuthWithCertificate(req, cert[0]); + X509Certificate cert = getCertificateFromRequest(req); + if (cert != null) { + tryAuthWithCertificate(req, cert); } if (req.getMethod().equals("POST")) { try { @@ -114,21 +115,57 @@ public class LoginPage extends Page { } public static User getUser(HttpServletRequest req) { - return (User) req.getSession().getAttribute(USER); + AuthorizationContext ac = getAuthorizationContext(req); + if (ac == null) { + return null; + } + return ac.getActor(); + } + + public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) { + return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT)); } private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) { - String serial = x509Certificate.getSerialNumber().toString(16).toUpperCase(); + String serial = extractSerialFormCert(x509Certificate); + User user = fetchUserBySerial(serial); + if (user == null) { + return; + } + loginSession(req, user); + req.getSession().setAttribute(CERT_SERIAL, serial); + req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN()); + req.getSession().setAttribute(LOGIN_METHOD, "Certificate"); + } + + public static String extractSerialFormCert(X509Certificate x509Certificate) { + return x509Certificate.getSerialNumber().toString(16).toUpperCase(); + } + + public static User fetchUserBySerial(String serial) { + if ( !serial.matches("[A-Fa-f0-9]+")) { + throw new Error("serial malformed."); + } GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL"); - ps.setString(1, serial); + ps.setString(1, serial.toLowerCase()); GigiResultSet rs = ps.executeQuery(); + User user = null; if (rs.next()) { - loginSession(req, User.getById(rs.getInt(1))); - req.getSession().setAttribute(CERT_SERIAL, serial); - req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN()); - req.getSession().setAttribute(LOGIN_METHOD, "Certificate"); + user = User.getById(rs.getInt(1)); + } else { + System.out.println("User with serial " + serial + " not found."); } rs.close(); + return user; + } + + public static X509Certificate getCertificateFromRequest(HttpServletRequest req) { + X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate"); + X509Certificate uc = null; + if (cert != null && cert[0] != null) { + uc = cert[0]; + } + return uc; } private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin"); @@ -141,7 +178,7 @@ public class LoginPage extends Page { HttpSession hs = req.getSession(); hs.setAttribute(LOGGEDIN, true); hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale()); - hs.setAttribute(USER, user); + hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user)); } @Override