add: configuration of CommunityCA
authorINOPIAE <m.maengel@inopiae.de>
Thu, 4 Jun 2020 12:26:27 +0000 (14:26 +0200)
committerLucas Werkmeister <mail@lucaswerkmeister.de>
Sat, 4 Jul 2020 17:13:05 +0000 (19:13 +0200)
Change-Id: Ic83a157173ca51f14e22ed9ceeb993e989b09625

config/gigi.properties.template
src/club/wpia/gigi/Gigi.java
src/club/wpia/gigi/pages/MainPage.java
src/club/wpia/gigi/pages/MainPageNotLoginCommunity.templ [new file with mode: 0644]
src/club/wpia/gigi/pages/account/MyDetailsForm.java
src/club/wpia/gigi/pages/wot/RequestTTPPage.java
src/club/wpia/gigi/util/ServerConstants.java
tests/club/wpia/gigi/TestCommunityCAOff.java [new file with mode: 0644]
tests/club/wpia/gigi/TestCommunityCAOn.java [new file with mode: 0644]
tests/club/wpia/gigi/testUtils/ManagedTest.java

index 85f2afd..252b2be 100644 (file)
@@ -23,6 +23,9 @@ time.verificationMaxAgeMonths=24
 appName=SomeCA
 appIdentifier=someca
 
+#to use Gigi without public RA Agent functionality remove # from next line
+#communityCA=true
+
 #mail.support=support@wpia.local
 #mail.board=board@wpia.local
 #mail.quiz=quiz@wpia.local
index d33d546..aa892a5 100644 (file)
@@ -189,7 +189,15 @@ public final class Gigi extends HttpServlet {
             putPage(SupportOrgDomainPage.PATH + "*", new SupportOrgDomainPage(), null);
             putPage(ChangePasswordPage.PATH, new ChangePasswordPage(), account);
             putPage(History.PATH, new History(false), account);
-            putPage(FindAgentAccess.PATH, new OneFormPage("Access to Find Agent", FindAgentAccess.class), account);
+
+            putPage(FindAgentAccess.PATH, new OneFormPage("Access to Find Agent", FindAgentAccess.class) {
+
+                @Override
+                public boolean isPermitted(AuthorizationContext ac) {
+                    return super.isPermitted(ac) && !ServerConstants.isCommunityCA();
+                }
+            }, account);
+
             putPage(History.SUPPORT_PATH, new History(true), null);
             putPage(UserTrainings.PATH, new UserTrainings(false), account);
             putPage(MyDetails.PATH, new MyDetails(), account);
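Review bot: The anonymous `isPermitted` override added for the FindAgentAccess page is repeated verbatim for the `/wot/rules` StaticPage in the next hunk and inlined a third time in RequestTTPPage's own `isPermitted`, so the community-CA gating now lives in three places that must be kept in sync. A single helper, for example `private static boolean hiddenInCommunityCA(Page p, AuthorizationContext ac) { return p.isPermitted(ac) && !ServerConstants.isCommunityCA(); }` or one reusable wrapping subclass, would make future additions follow one pattern. The enclosing method starts and ends outside this hunk.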
@@ -214,7 +222,13 @@ public final class Gigi extends HttpServlet {
             }
 
             try {
-                putPage("/wot/rules", new StaticPage("Verification Rules", VerifyPage.class.getResourceAsStream("Rules.templ")), wot);
+                putPage("/wot/rules", new StaticPage("Verification Rules", VerifyPage.class.getResourceAsStream("Rules.templ")) {
+
+                    @Override
+                    public boolean isPermitted(AuthorizationContext ac) {
+                        return super.isPermitted(ac) && !ServerConstants.isCommunityCA();
+                    }
+                }, wot);
             } catch (UnsupportedEncodingException e) {
                 throw new ServletException(e);
             }
@@ -310,12 +324,10 @@ public final class Gigi extends HttpServlet {
         }
 
         try {
-            final FileChannel knownPasswordHashesFile = FileChannel.open(
-                FileSystems.getDefault().getPath(knownPasswordHashesPath));
+            final FileChannel knownPasswordHashesFile = FileChannel.open(FileSystems.getDefault().getPath(knownPasswordHashesPath));
             return new DelegatingPasswordChecker(new PasswordChecker[] {
-                    new PasswordStrengthChecker(),
-                    new PasswordHashChecker(knownPasswordHashesFile, sha1)
-                });
+                    new PasswordStrengthChecker(), new PasswordHashChecker(knownPasswordHashesFile, sha1)
+            });
         } catch (IOException e) {
             if (knownPasswordHashesRequired) {
                 throw new RuntimeException("Error while opening password hash database, refusing startup", e);
index 02232f2..20e9179 100644 (file)
@@ -19,11 +19,14 @@ import club.wpia.gigi.localisation.Language;
 import club.wpia.gigi.output.GroupList;
 import club.wpia.gigi.output.template.IterableDataset;
 import club.wpia.gigi.output.template.Template;
+import club.wpia.gigi.util.ServerConstants;
 
 public class MainPage extends Page {
 
     private static final Template notLog = new Template(MainPage.class.getResource("MainPageNotLogin.templ"));
 
+    private static final Template notLogCommunity = new Template(MainPage.class.getResource("MainPageNotLoginCommunity.templ"));
+
     public MainPage() {
         super("Home");
     }
@@ -41,7 +44,6 @@ public class MainPage extends Page {
             vars.put("vp", u.getVerificationPoints());
             vars.put("xp", u.getExperiencePoints());
 
-
             vars.put("catsinfo", false);
             if (u.canVerify() && !u.hasValidRAChallenge()) {
                 vars.put("catsinfo", true);
@@ -136,7 +138,11 @@ public class MainPage extends Page {
             getDefaultTemplate().output(resp.getWriter(), getLanguage(req), vars);
 
         } else {
-            notLog.output(resp.getWriter(), getLanguage(req), vars);
+            if (ServerConstants.isCommunityCA()) {
+                notLogCommunity.output(resp.getWriter(), getLanguage(req), vars);
+            } else {
+                notLog.output(resp.getWriter(), getLanguage(req), vars);
+            }
         }
     }
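Review bot: The two branches of the new `if` differ only in which template is written, so the duplicated `output(...)` call can be collapsed to `Template notLoggedIn = ServerConstants.isCommunityCA() ? notLogCommunity : notLog;` followed by `notLoggedIn.output(resp.getWriter(), getLanguage(req), vars);`. That keeps the three arguments in one place if they ever change. The enclosing method starts outside this hunk.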
 
diff --git a/src/club/wpia/gigi/pages/MainPageNotLoginCommunity.templ b/src/club/wpia/gigi/pages/MainPageNotLoginCommunity.templ
new file mode 100644 (file)
index 0000000..aee37d7
--- /dev/null
@@ -0,0 +1,18 @@
+<h3><?=_What is ${appName}??></h3>
+
+<p><?=_${appName} is a public Certificate Authority (CA) that issues affordable certificates. The service is provided by !'<a href="//wpia.club" target="_blank">'WPIA (World Privacy and Identity Association)!'</a>'.?></p>
+
+<p><?=_One goal of WPIA is to promote awareness and education on computer security through the use of encryption technologies, in particular by providing cryptographic certificates.?></p>
+<p><?=_Client certificates can be used to digitally sign and encrypt both emails and documents. Furthermore client certificates can authenticate and authorize users connecting to websites and applications without the need of a password.
+On the other hand, server certificates can be used to establish secure internet connections with the Transport Layer Security protocol (TLS).?></p>
+
+<p><?=_${appName} provides a community based service, which only verifies the email or the domain but NOT the identity of the person behind it. The duration of a certificate is therefore 6 months only.?></p>
+
+<p><?=_WPIA is working on a solution to provide a service to verify your digital identity to assure that data signed with your certificate is related to your person. As soon as this service is available ${appName} will replaced with a new CA.?></p>
+
+<p><?=_If you are interested - !'<a href="/register">'join ${appName}!'</a>' as fellow for free and get your own certificates.?></p>
+
+<hr/>
+
+<p><?=_For general documentation and help, please visit the ${appName} !(/kb/gigi)FAQ!'</a>'.?>
+<?=_For specific policies, see the ${appName} !(/policy)Policies page!'</a>'.?></p>
\ No newline at end of file
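Review bot: The sentence "As soon as this service is available ${appName} will replaced with a new CA." is missing a verb and should read "will be replaced". Note that the phrase "therefore 6 months only." in this template is the exact string `TestCommunityCAOff.testMenuLoggedOut` searches for, so any rewording here must be mirrored in that test's reference string. The file also lacks a trailing newline.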
index bf7cbcf..0f775b9 100644 (file)
@@ -20,6 +20,7 @@ import club.wpia.gigi.output.GroupSelector;
 import club.wpia.gigi.output.NameInput;
 import club.wpia.gigi.output.template.Form;
 import club.wpia.gigi.output.template.Template;
+import club.wpia.gigi.util.ServerConstants;
 
 public class MyDetailsForm extends Form {
 
@@ -176,10 +177,12 @@ public class MyDetailsForm extends Form {
         vars.put("groupSelector", selectedGroup);
         roles.output(out, l, vars);
 
-        boolean hasSignedContract = Contract.hasSignedContract(target, Contract.ContractType.RA_AGENT_CONTRACT);
-        vars.put("contractsign", hasSignedContract ? "disabled" : "");
-        vars.put("contractrevoke", hasSignedContract ? "" : "disabled");
-        contracts.output(out, l, vars);
+        if ( !ServerConstants.isCommunityCA()) {
+            boolean hasSignedContract = Contract.hasSignedContract(target, Contract.ContractType.RA_AGENT_CONTRACT);
+            vars.put("contractsign", hasSignedContract ? "disabled" : "");
+            vars.put("contractrevoke", hasSignedContract ? "" : "disabled");
+            contracts.output(out, l, vars);
+        }
     }
 
 }
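Review bot: The new guard only suppresses rendering of the RA Agent Contract controls in community-CA mode; the form's submit handling lives outside this hunk, and if it still accepts the contract sign/revoke actions, the restriction is presentational only and a hand-crafted POST would bypass it. The same `!ServerConstants.isCommunityCA()` check should be applied where the contract action is processed, rejecting it there. If that handler already rejects the action for other reasons, a short comment on this `if` pointing to it would document the intent.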
index 7d13023..de77751 100644 (file)
@@ -12,6 +12,7 @@ import club.wpia.gigi.output.template.Form;
 import club.wpia.gigi.pages.LoginPage;
 import club.wpia.gigi.pages.Page;
 import club.wpia.gigi.util.AuthorizationContext;
+import club.wpia.gigi.util.ServerConstants;
 
 public class RequestTTPPage extends Page {
 
@@ -63,7 +64,7 @@ public class RequestTTPPage extends Page {
 
     @Override
     public boolean isPermitted(AuthorizationContext ac) {
-        return ac != null && ac.getTarget() instanceof User;
+        return ac != null && ac.getTarget() instanceof User && !ServerConstants.isCommunityCA();
     }
 
 }
index e2d459b..db14184 100644 (file)
@@ -76,6 +76,8 @@ public class ServerConstants {
 
     private static String mailQuizAdmin;
 
+    private static boolean communityCA;
+
     public static void init(Properties conf) {
         securePort = port = "";
         if ( !conf.getProperty("https.port").equals("443")) {
@@ -105,6 +107,7 @@ public class ServerConstants {
         mailBoard = conf.getProperty("mail.board", "board@" + suffix);
         mailQuiz = conf.getProperty("mail.quiz", "quiz@" + suffix);
         mailQuizAdmin = conf.getProperty("mail.quizAdmin", "quiz-admin@" + suffix);
+        communityCA = conf.getProperty("communityCA", "false").equalsIgnoreCase("true");
     }
 
     public static String getHostName(Host h) {
@@ -181,4 +184,8 @@ public class ServerConstants {
         return appIdentifier;
     }
 
+    public static boolean isCommunityCA() {
+        return communityCA;
+    }
+
 }
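Review bot: The new public `isCommunityCA()` has no Javadoc, yet it now drives access decisions in several pages; suggest `/** True when the {@code communityCA} property is set to {@code true}: RA-agent related pages (TTP request, verification rules, find-agent access, RA agent contract) are then hidden. */`. The property is parsed in the earlier hunk with `equalsIgnoreCase("true")`, so any other spelling such as `yes` or `1` silently leaves community mode off; the template comment or the Javadoc should say the value must be exactly `true`.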
diff --git a/tests/club/wpia/gigi/TestCommunityCAOff.java b/tests/club/wpia/gigi/TestCommunityCAOff.java
new file mode 100644 (file)
index 0000000..461d225
--- /dev/null
@@ -0,0 +1,64 @@
+package club.wpia.gigi;
+
+import static org.hamcrest.CoreMatchers.*;
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import org.junit.Test;
+
+import club.wpia.gigi.testUtils.ClientTest;
+import club.wpia.gigi.testUtils.IOUtils;
+
+public class TestCommunityCAOff extends ClientTest {
+
+    protected static boolean isCommunityCATest = false;
+
+    @Test
+    public void testMenuLoggedIn() throws GeneralSecurityException, IOException, GigiApiException, InterruptedException {
+        String content = IOUtils.readURL(get("/"));
+
+        // Menu SomCA
+        // add RA Agent Status in later software version
+
+        // Menu Verification
+        testContent(content, "href=\"/wot/ttp\">Request TTP", !isCommunityCATest);
+        testContent(content, "href=\"/wot/rules\">Verification Rules", !isCommunityCATest);
+
+        // Menu My Details
+        testContent(content, "href=\"/account/find-agent\">Access to Find Agent", !isCommunityCATest);
+
+        assertThat(content, (containsString("Logged in")));
+
+    }
+
+    @Test
+    public void testMenuLoggedOut() throws GeneralSecurityException, IOException, GigiApiException, InterruptedException {
+        String content = IOUtils.readURL(get("/logout"));
+        content = IOUtils.readURL(get("/"));
+
+        // Menu SomCA
+        // add RA Agent Status in later software version
+
+        assertThat(content, not((containsString("Logged in"))));
+
+        // text on not login page
+        testContent(content, "therefore 6 months only.", isCommunityCATest);
+    }
+
+    @Test
+    public void testMyDetails() throws GeneralSecurityException, IOException, GigiApiException, InterruptedException {
+        String content = IOUtils.readURL(get("/account/details"));
+        testContent(content, "RA Agent Contract", !isCommunityCATest);
+    }
+
+    private void testContent(String content, String reference, boolean visible) {
+        if (visible) {
+            assertThat(content, containsString(reference));
+        } else {
+            assertThat(content, not(containsString(reference)));
+        }
+
+    }
+}
diff --git a/tests/club/wpia/gigi/TestCommunityCAOn.java b/tests/club/wpia/gigi/TestCommunityCAOn.java
new file mode 100644 (file)
index 0000000..b829e21
--- /dev/null
@@ -0,0 +1,19 @@
+package club.wpia.gigi;
+
+import java.util.Properties;
+
+import org.junit.BeforeClass;
+
+import club.wpia.gigi.testUtils.ManagedTest;
+
+public class TestCommunityCAOn extends TestCommunityCAOff {
+
+    @BeforeClass
+    public static void initEnvironmentHook() {
+        Properties additionalConfig = new Properties();
+        additionalConfig.setProperty("communityCA", "true");
+        isCommunityCATest = true;
+        ManagedTest.initEnvironment(additionalConfig);
+    }
+
+}
index 4a8324b..a6d51be 100644 (file)
@@ -26,6 +26,7 @@ import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.sql.SQLException;
 import java.util.Locale;
+import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -104,8 +105,17 @@ public class ManagedTest extends ConfiguredTest {
     private static boolean inited = false;
 
     public static Properties initEnvironment() {
+        return initEnvironment(new Properties());
+    }
+
+    public static Properties initEnvironment(Properties additionalConfig) {
         try {
             Properties mainProps = ConfiguredTest.initEnvironment();
+            for (Entry<Object, Object> i : additionalConfig.entrySet()) {
+                if (i.getKey() instanceof String && i.getValue() instanceof String) {
+                    mainProps.setProperty((String) i.getKey(), (String) i.getValue());
+                }
+            }
             if (inited) {
                 return mainProps;
             }
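Review bot: The `additionalConfig` entries are merged into `mainProps` before the `inited` check, so when another test class has already initialised the environment in this JVM the method returns the merged properties but, as far as this hunk shows, the already-running server keeps its original configuration; `TestCommunityCAOn` would then silently test a non-community server. Unless the test runner forks a JVM per class, the overload should fail loudly in that case, e.g. `if (inited && !additionalConfig.isEmpty()) { throw new IllegalStateException("environment already initialised; additional config ignored"); }`. The method continues past the end of this hunk.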