import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.cacert.gigi.dbObjects.Certificate;
import org.cacert.gigi.dbObjects.CertificateOwner;
import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.pages.LoginPage;
return;
}
String serial = LoginPage.extractSerialFormCert(cert);
+ Certificate clientCert = Certificate.getBySerial(serial);
CertificateOwner u = CertificateOwner.getByEnabledSerial(serial);
- if (u == null) {
+ if (u == null || clientCert == null) {
resp.sendError(403, "Error, cert authing required. Serial not found: " + serial);
return;
}
resp.sendError(500, "Error, no query String allowed.");
return;
}
+ process(req, resp, u, clientCert);
+ }
+
+ protected void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u, Certificate clientCert) throws IOException {
process(req, resp, u);
}
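Review bot: The new four-argument overload at line 23 falls back to the three-argument `process(req, resp, u)`, so whether a subclass must still implement that method depends on its declaration in APIPoint, which is outside the hunk: if it is abstract, CATSImport and CATSResolve (which now only override `processAuthenticated`) will not compile, and if it has a body it becomes dead code for CATSRestrictedApi subclasses. A Javadoc on the overload stating which of the two methods a subclass is expected to implement, e.g. `/** Entry point for authenticated requests; subclasses override either this or the three-argument form, never both. */`, would settle that. Separately, `Certificate.getBySerial(serial)` at line 10 and `CertificateOwner.getByEnabledSerial(serial)` at line 11 are independent lookups and nothing visible ties `clientCert` to `u`; if Certificate exposes its owner, an owner-equality check (accessor name to be confirmed against Certificate) next to the null test on line 13 would keep the pair consistent. The enclosing method starts before the hunk.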
import org.cacert.gigi.dbObjects.CATS;
import org.cacert.gigi.dbObjects.CertificateOwner;
-import org.cacert.gigi.dbObjects.Organisation;
import org.cacert.gigi.dbObjects.User;
-public class CATSImport extends APIPoint {
+public class CATSImport extends CATSRestrictedApi {
public static final String PATH = "/cats/import";
@Override
- public void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u) throws IOException {
- if ( !(u instanceof Organisation)) {
- resp.sendError(500, "Error, invalid cert");
- return;
- }
- if ( !((Organisation) u).isSelfOrganisation()) {
- resp.sendError(500, "Error, invalid cert");
- return;
-
- }
+ public void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String target = req.getParameter("mid");
String testType = req.getParameter("variant");
String date = req.getParameter("date");
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.cacert.gigi.dbObjects.Certificate;
import org.cacert.gigi.dbObjects.CertificateOwner;
-import org.cacert.gigi.dbObjects.Organisation;
import org.cacert.gigi.dbObjects.User;
-public class CATSResolve extends APIPoint {
+public class CATSResolve extends CATSRestrictedApi {
public static final String PATH = "/cats/resolve";
@Override
- public void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u) throws IOException {
- if ( !(u instanceof Organisation)) {
- resp.sendError(500, "Error, invalid cert");
- return;
- }
- if ( !((Organisation) u).isSelfOrganisation()) {
- resp.sendError(500, "Error, invalid cert");
- return;
- }
+ public void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String target = req.getParameter("serial");
if (target == null) {
resp.sendError(500, "Error, requires a serial parameter");
return;
}
-
- CertificateOwner o = CertificateOwner.getByEnabledSerial(target.toLowerCase());
+ target = target.toLowerCase();
+ Certificate clientCert = Certificate.getBySerial(target);
+ if (clientCert == null) {
+ resp.sendError(500, "Error, requires valid serial");
+ return;
+ }
+ CertificateOwner o = CertificateOwner.getByEnabledSerial(target);
if ( !(o instanceof User)) {
resp.sendError(500, "Error, requires valid serial");
return;
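Review bot: `clientCert` assigned at line 76 is not referenced anywhere in the rest of the hunk; the method continues past line 84, so if it is unused there too the lookup is only an existence check and `if (Certificate.getBySerial(target) == null) {` would say so without the dangling local. `target.toLowerCase()` at line 75 uses the JVM default locale; `target.toLowerCase(Locale.ROOT)` (with `java.util.Locale` imported) keeps serial normalisation independent of the host locale. Both rejections at lines 78 and 83 answer 500 with identical text, so a caller cannot tell "no such certificate" from "owner is not a user"; the status is also a client-side condition rather than a server fault.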
--- /dev/null
+package org.cacert.gigi.api;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.Certificate.SANType;
+import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
+import org.cacert.gigi.dbObjects.CertificateOwner;
+import org.cacert.gigi.dbObjects.Organisation;
+import org.cacert.gigi.util.ServerConstants;
+
+public abstract class CATSRestrictedApi extends APIPoint {
+
+ @Override
+ public final void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u, Certificate clientCert) throws IOException {
+ if ( !(u instanceof Organisation)) {
+ resp.sendError(500, "Error, invalid cert");
+ return;
+ }
+ if ( !((Organisation) u).isSelfOrganisation()) {
+ resp.sendError(500, "Error, invalid cert");
+ return;
+ }
+ if ( !hasMail(clientCert, ServerConstants.getQuizMailAddress())) {
+ resp.sendError(500, "Error, invalid cert");
+ return;
+ }
+ processAuthenticated(req, resp);
+ }
+
+ public abstract void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException;
+
+ public boolean hasMail(Certificate clientCert, String mail) {
+ for (SubjectAlternateName a : clientCert.getSANs()) {
+ if (a.getType() == SANType.EMAIL && a.getName().equals(mail)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
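Review bot: `hasMail` at line 121 is public and overridable, yet it is the check that gates `processAuthenticated` on line 116; a subclass could override it and silently widen access. `protected static boolean hasMail(Certificate clientCert, String mail)` (or `private static`) keeps the authorization decision inside this class, and `clientCert` is already guaranteed non-null by the caller in APIPoint. The three rejections in `process` all answer 500 with "Error, invalid cert"; they are authorization failures, so 403 matches the status APIPoint already uses for an unknown serial, and a distinct message on line 113 such as `"Error, cert does not carry the quiz address"` eases diagnosis since the client already knows its own certificate's SANs. A class Javadoc, `/** Base class for CATS endpoints: only the self-organisation's client certificate carrying the quiz mail address as EMAIL SAN is accepted. */`, would record the contract the whole hierarchy now relies on.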
return "board@" + ServerConstants.getWwwHostName().replaceFirst("^www\\.", "");
}
+ public static String getQuizMailAddress() {
+ return "quiz@" + ServerConstants.getWwwHostName().replaceFirst("^www\\.", "");
+ }
+
}
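Review bot: `getQuizMailAddress` at line 132 copies the `"…@" + getWwwHostName().replaceFirst("^www\\.", "")` expression from the method ending at line 131; a private helper, `private static String mailAddressFor(String localPart) { return localPart + "@" + getWwwHostName().replaceFirst("^www\\.", ""); }`, lets both methods call it with `"board"` and `"quiz"` and keeps the host derivation in one place. A one-line Javadoc, `/** Address the CATS API client certificate must carry as an EMAIL SAN; derived from the www host name. */`, would explain why this value exists. The method containing line 130 starts outside the hunk.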
import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.dbObjects.Organisation;
import org.cacert.gigi.dbObjects.User;
+import org.cacert.gigi.util.ServerConstants;
import org.junit.BeforeClass;
public class RestrictedApiTest extends ClientTest {
protected static X509Certificate ce;
+ protected static Organisation selfOrg;
+
public RestrictedApiTest() {
makeAssurer(id);
}
grant(u, Group.ORGASSURER);
clearCaches();
u = User.getById(u.getId());
- Organisation o = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u);
- assertTrue(o.isSelfOrganisation());
+ selfOrg = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u);
+ assertTrue(selfOrg.isSelfOrganisation());
KeyPair kp = generateKeypair();
- String key1 = generatePEMCSR(kp, "EMAIL=cats@cacert.org");
- Certificate c = new Certificate(o, u, Certificate.buildDN("EMAIL", "cats@cacert.org"), Digest.SHA256, key1, CSRType.CSR, CertificateProfile.getByName("client-orga"), new Certificate.SubjectAlternateName(SANType.EMAIL, "cats@cacert.org"));
+ String key1 = generatePEMCSR(kp, "EMAIL=" + ServerConstants.getQuizMailAddress());
+ Certificate apiCert = new Certificate(selfOrg, u, Certificate.buildDN("EMAIL", ServerConstants.getQuizMailAddress()), Digest.SHA256, key1, CSRType.CSR, CertificateProfile.getByName("client-orga"), new Certificate.SubjectAlternateName(SANType.EMAIL, ServerConstants.getQuizMailAddress()));
pk = kp.getPrivate();
- await(c.issue(null, "2y", u));
- ce = c.cert();
- c.setLoginEnabled(true);
+ await(apiCert.issue(null, "2y", u));
+ ce = apiCert.cert();
+ apiCert.setLoginEnabled(true);
} catch (IOException e) {
throw new Error(e);
} catch (GigiApiException e) {
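Review bot: The fixture now issues the API certificate with the quiz address as its only EMAIL SAN (lines 159–160), but nothing in the hunk exercises the rejection path that CATSRestrictedApi introduces, i.e. a self-organisation certificate whose SAN is some other address; if no such case exists elsewhere in the file, the previous `cats@cacert.org` certificate would be the natural negative fixture, asserting the request is refused. `ServerConstants.getQuizMailAddress()` is evaluated three times on lines 159–160; a local `String quizMail = ServerConstants.getQuizMailAddress();` before line 159 reads more clearly. The setup method starts and ends outside the hunk.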