fix: restrict access to CATS-API even more
authorFelix Dörre <felix@dogcraft.de>
Fri, 30 Dec 2016 12:01:43 +0000 (13:01 +0100)
committerFelix Dörre <felix@dogcraft.de>
Wed, 4 Jan 2017 11:22:50 +0000 (12:22 +0100)
Change-Id: Idb32bf7e12e0f2704541108afb9a5fcc3e0762a7

src/org/cacert/gigi/api/APIPoint.java
src/org/cacert/gigi/api/CATSImport.java
src/org/cacert/gigi/api/CATSResolve.java
src/org/cacert/gigi/api/CATSRestrictedApi.java [new file with mode: 0644]
src/org/cacert/gigi/util/ServerConstants.java
tests/org/cacert/gigi/testUtils/RestrictedApiTest.java

index 8987afdb4bf5f628e61c49c4448cdbfaebb7d32c..72a555b1539a5a89ba51f2bb564c9d1453877f68 100644 (file)
@@ -6,6 +6,7 @@ import java.security.cert.X509Certificate;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.cacert.gigi.dbObjects.Certificate;
 import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.pages.LoginPage;
@@ -19,8 +20,9 @@ public abstract class APIPoint {
             return;
         }
         String serial = LoginPage.extractSerialFormCert(cert);
             return;
         }
         String serial = LoginPage.extractSerialFormCert(cert);
+        Certificate clientCert = Certificate.getBySerial(serial);
         CertificateOwner u = CertificateOwner.getByEnabledSerial(serial);
         CertificateOwner u = CertificateOwner.getByEnabledSerial(serial);
-        if (u == null) {
+        if (u == null || clientCert == null) {
             resp.sendError(403, "Error, cert authing required. Serial not found: " + serial);
             return;
         }
             resp.sendError(403, "Error, cert authing required. Serial not found: " + serial);
             return;
         }
@@ -42,6 +44,10 @@ public abstract class APIPoint {
             resp.sendError(500, "Error, no query String allowed.");
             return;
         }
             resp.sendError(500, "Error, no query String allowed.");
             return;
         }
+        process(req, resp, u, clientCert);
+    }
+
+    protected void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u, Certificate clientCert) throws IOException {
         process(req, resp, u);
     }
 
         process(req, resp, u);
     }
 
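Review bot: The new 4-argument `process` hook receives `clientCert` and `u` from two independent lookups (`Certificate.getBySerial` and `CertificateOwner.getByEnabledSerial` in the earlier hunk of this file) and hands both to subclasses without asserting that the certificate actually belongs to that owner; if `Certificate` exposes its owner, compare it against `u` in the same `u == null || clientCert == null` guard so a subclass can rely on the pair being consistent. The new overload also has no documentation; add `/** Called once certificate authentication succeeded: {@code clientCert} is the presented client certificate and {@code u} its login-enabled owner. Subclasses needing the certificate override this; the default delegates to the 3-argument {@code process}. */`. The enclosing `process` method starts outside this hunk.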
index 49960cd45387c2caf9cdced6d090cda761c35835..afa0f2a6fdbc6fd73896e06e0ca22b667e51ba49 100644 (file)
@@ -8,24 +8,14 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.cacert.gigi.dbObjects.CATS;
 import org.cacert.gigi.dbObjects.CertificateOwner;
 
 import org.cacert.gigi.dbObjects.CATS;
 import org.cacert.gigi.dbObjects.CertificateOwner;
-import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.User;
 
 import org.cacert.gigi.dbObjects.User;
 
-public class CATSImport extends APIPoint {
+public class CATSImport extends CATSRestrictedApi {
 
     public static final String PATH = "/cats/import";
 
     @Override
 
     public static final String PATH = "/cats/import";
 
     @Override
-    public void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u) throws IOException {
-        if ( !(u instanceof Organisation)) {
-            resp.sendError(500, "Error, invalid cert");
-            return;
-        }
-        if ( !((Organisation) u).isSelfOrganisation()) {
-            resp.sendError(500, "Error, invalid cert");
-            return;
-
-        }
+    public void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         String target = req.getParameter("mid");
         String testType = req.getParameter("variant");
         String date = req.getParameter("date");
         String target = req.getParameter("mid");
         String testType = req.getParameter("variant");
         String date = req.getParameter("date");
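Review bot: `processAuthenticated` now silently depends on `CATSRestrictedApi.process` having already rejected callers that are not the self-organisation or lack the quiz mail SAN, but nothing on the override says so; add `/** Handles a request whose client certificate was already verified by {@link CATSRestrictedApi#process}; no further authorization is performed here. */` above it. The same note applies to the `processAuthenticated` override in CATSResolve.java. The method body continues past the end of this hunk.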
index 0e9f2a01e08bfc71f8a7760e0485d256936d02ba..332885a97f08411df3d50cb3f48843b27767be04 100644 (file)
@@ -5,31 +5,28 @@ import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.cacert.gigi.dbObjects.Certificate;
 import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.CertificateOwner;
-import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.User;
 
 import org.cacert.gigi.dbObjects.User;
 
-public class CATSResolve extends APIPoint {
+public class CATSResolve extends CATSRestrictedApi {
 
     public static final String PATH = "/cats/resolve";
 
     @Override
 
     public static final String PATH = "/cats/resolve";
 
     @Override
-    public void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u) throws IOException {
-        if ( !(u instanceof Organisation)) {
-            resp.sendError(500, "Error, invalid cert");
-            return;
-        }
-        if ( !((Organisation) u).isSelfOrganisation()) {
-            resp.sendError(500, "Error, invalid cert");
-            return;
-        }
+    public void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         String target = req.getParameter("serial");
         if (target == null) {
             resp.sendError(500, "Error, requires a serial parameter");
             return;
         }
         String target = req.getParameter("serial");
         if (target == null) {
             resp.sendError(500, "Error, requires a serial parameter");
             return;
         }
-
-        CertificateOwner o = CertificateOwner.getByEnabledSerial(target.toLowerCase());
+        target = target.toLowerCase();
+        Certificate clientCert = Certificate.getBySerial(target);
+        if (clientCert == null) {
+            resp.sendError(500, "Error, requires valid serial");
+            return;
+        }
+        CertificateOwner o = CertificateOwner.getByEnabledSerial(target);
         if ( !(o instanceof User)) {
             resp.sendError(500, "Error, requires valid serial");
             return;
         if ( !(o instanceof User)) {
             resp.sendError(500, "Error, requires valid serial");
             return;
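Review bot: The local named `clientCert` in `processAuthenticated` holds the certificate selected by the request's `serial` parameter, not the caller's client certificate, which is what `clientCert` denotes in `CATSRestrictedApi.process`; rename it, e.g. `Certificate requested = Certificate.getBySerial(target);`, so the two meanings are not confused. Within this hunk the lookup result is only null-checked; if the rest of the method (outside the hunk) does not use it, the existing `getByEnabledSerial` check already rejects unknown serials and the extra lookup adds nothing but a second query. The added rejection reports 500 for a client-supplied value, like the surrounding code; a 4xx status would describe the failure more accurately, though keeping a single "Error, requires valid serial" message for both branches is reasonable.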
diff --git a/src/org/cacert/gigi/api/CATSRestrictedApi.java b/src/org/cacert/gigi/api/CATSRestrictedApi.java
new file mode 100644 (file)
index 0000000..b7ff83a
--- /dev/null
@@ -0,0 +1,44 @@
+package org.cacert.gigi.api;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.Certificate.SANType;
+import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
+import org.cacert.gigi.dbObjects.CertificateOwner;
+import org.cacert.gigi.dbObjects.Organisation;
+import org.cacert.gigi.util.ServerConstants;
+
+public abstract class CATSRestrictedApi extends APIPoint {
+
+    @Override
+    public final void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u, Certificate clientCert) throws IOException {
+        if ( !(u instanceof Organisation)) {
+            resp.sendError(500, "Error, invalid cert");
+            return;
+        }
+        if ( !((Organisation) u).isSelfOrganisation()) {
+            resp.sendError(500, "Error, invalid cert");
+            return;
+        }
+        if ( !hasMail(clientCert, ServerConstants.getQuizMailAddress())) {
+            resp.sendError(500, "Error, invalid cert");
+            return;
+        }
+        processAuthenticated(req, resp);
+    }
+
+    public abstract void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException;
+
+    public boolean hasMail(Certificate clientCert, String mail) {
+        for (SubjectAlternateName a : clientCert.getSANs()) {
+            if (a.getType() == SANType.EMAIL && a.getName().equals(mail)) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
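Review bot: `processAuthenticated` and `hasMail` are `public`, so the authorization gate in the `final` `process` can be bypassed by any code that invokes `processAuthenticated` directly on a subclass; declare them `protected abstract void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException;` and `protected static boolean hasMail(Certificate clientCert, String mail)` (narrowing the overrides in CATSImport/CATSResolve as well) so the checked `process` is the only public entry point. The three rejections answer 500 while `APIPoint` answers 403 for the equivalent certificate-authentication failure; `resp.sendError(403, "Error, invalid cert")` would be the consistent status, and keeping one identical message for all three branches is sensible since it does not reveal which check failed. A class-level Javadoc should record the contract: requests are accepted only from a login-enabled certificate owned by the self-organisation that carries `ServerConstants.getQuizMailAddress()` as an EMAIL subject alternative name.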
index cab50b4efef10177205e89632b37902f030901b9..0a6b5ae4ce13fa740f5ea8d201bd73d2b8aac25e 100644 (file)
@@ -114,4 +114,8 @@ public class ServerConstants {
         return "board@" + ServerConstants.getWwwHostName().replaceFirst("^www\\.", "");
     }
 
         return "board@" + ServerConstants.getWwwHostName().replaceFirst("^www\\.", "");
     }
 
+    public static String getQuizMailAddress() {
+        return "quiz@" + ServerConstants.getWwwHostName().replaceFirst("^www\\.", "");
+    }
+
 }
 }
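Review bot: `getQuizMailAddress` copies the `replaceFirst("^www\\.", "")` host-stripping expression from the `board@` method just above it, so the two can drift apart; extract `private static String getMailDomain() { return getWwwHostName().replaceFirst("^www\\.", ""); }` and write `return "quiz@" + getMailDomain();`. The new method also lacks documentation; add `/** Mail address a CATS API client certificate must carry as an EMAIL SAN; see CATSRestrictedApi. */`.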
index e4ec22b98ddf381b0f31847b753b105114b24901..4fbfc4f009fd05a7c7c29165479869132e00866c 100644 (file)
@@ -22,6 +22,7 @@ import org.cacert.gigi.dbObjects.Digest;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.User;
+import org.cacert.gigi.util.ServerConstants;
 import org.junit.BeforeClass;
 
 public class RestrictedApiTest extends ClientTest {
 import org.junit.BeforeClass;
 
 public class RestrictedApiTest extends ClientTest {
@@ -30,6 +31,8 @@ public class RestrictedApiTest extends ClientTest {
 
     protected static X509Certificate ce;
 
 
     protected static X509Certificate ce;
 
+    protected static Organisation selfOrg;
+
     public RestrictedApiTest() {
         makeAssurer(id);
     }
     public RestrictedApiTest() {
         makeAssurer(id);
     }
@@ -42,15 +45,15 @@ public class RestrictedApiTest extends ClientTest {
             grant(u, Group.ORGASSURER);
             clearCaches();
             u = User.getById(u.getId());
             grant(u, Group.ORGASSURER);
             clearCaches();
             u = User.getById(u.getId());
-            Organisation o = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u);
-            assertTrue(o.isSelfOrganisation());
+            selfOrg = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u);
+            assertTrue(selfOrg.isSelfOrganisation());
             KeyPair kp = generateKeypair();
             KeyPair kp = generateKeypair();
-            String key1 = generatePEMCSR(kp, "EMAIL=cats@cacert.org");
-            Certificate c = new Certificate(o, u, Certificate.buildDN("EMAIL", "cats@cacert.org"), Digest.SHA256, key1, CSRType.CSR, CertificateProfile.getByName("client-orga"), new Certificate.SubjectAlternateName(SANType.EMAIL, "cats@cacert.org"));
+            String key1 = generatePEMCSR(kp, "EMAIL=" + ServerConstants.getQuizMailAddress());
+            Certificate apiCert = new Certificate(selfOrg, u, Certificate.buildDN("EMAIL", ServerConstants.getQuizMailAddress()), Digest.SHA256, key1, CSRType.CSR, CertificateProfile.getByName("client-orga"), new Certificate.SubjectAlternateName(SANType.EMAIL, ServerConstants.getQuizMailAddress()));
             pk = kp.getPrivate();
             pk = kp.getPrivate();
-            await(c.issue(null, "2y", u));
-            ce = c.cert();
-            c.setLoginEnabled(true);
+            await(apiCert.issue(null, "2y", u));
+            ce = apiCert.cert();
+            apiCert.setLoginEnabled(true);
         } catch (IOException e) {
             throw new Error(e);
         } catch (GigiApiException e) {
         } catch (IOException e) {
             throw new Error(e);
         } catch (GigiApiException e) {
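Review bot: The fixture now builds only the accepting case, a self-organisation certificate whose SAN is `ServerConstants.getQuizMailAddress()`, so nothing in this hunk exercises the rejection this commit introduces for a self-organisation certificate with a different mail SAN (the previous `cats@cacert.org` setup), unless a test outside this hunk covers it. Consider issuing a second certificate with the old SAN alongside `apiCert` and asserting the CATS endpoints answer it with an error. `selfOrg` is assigned in a static block that starts outside the hunk, so it is shared by every test in the class; that is fine as long as no test mutates it.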