add: ensure that for Support actions there is a valid Support Challenge
authorINOPIAE <m.maengel@inopiae.de>
Tue, 16 Jul 2019 20:04:28 +0000 (22:04 +0200)
committerINOPIAE <m.maengel@inopiae.de>
Sun, 8 Sep 2019 19:27:23 +0000 (21:27 +0200)
related to issue #150

Change-Id: Ibdec5fc46cde59a0f19cefa50f5d3c3508849717

src/club/wpia/gigi/pages/MainPage.java
src/club/wpia/gigi/pages/MainPage.templ
src/club/wpia/gigi/pages/admin/support/SupportEnterTicketPage.java
src/club/wpia/gigi/util/AuthorizationContext.java
tests/club/wpia/gigi/pages/TestMain.java
tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java
tests/club/wpia/gigi/testUtils/SEClientTest.java

index a486618..9b7e079 100644 (file)
@@ -47,6 +47,10 @@ public class MainPage extends Page {
                 vars.put("catsinfo", true);
                 vars.put("catsra", true);
             }
+            if (u.isInGroup(Group.SUPPORTER) && !u.hasValidSupportChallenge()) {
+                vars.put("catsinfo", true);
+                vars.put("catssupport", true);
+            }
             Certificate[] c = u.getCertificates(false);
             vars.put("c-no", c.length);
 
index 8f9f873..52b805b 100644 (file)
@@ -17,6 +17,9 @@
   <? if($catsra) { ?>
     <p><?=_To add a verification you need to pass the RA Agent Challenge.?></p>
   <? } ?>
+  <? if($catssupport) { ?>
+    <p><?=_To act as supporter you need to pass the Support Challenge.?></p>
+  <? } ?>
   </div>
 <? } ?>
 <div class="card card-body bg-light">
index 14b1faa..3db0881 100644 (file)
@@ -47,7 +47,7 @@ public class SupportEnterTicketPage extends Page {
 
     @Override
     public boolean isPermitted(AuthorizationContext ac) {
-        return ac != null && ac.isInGroup(Group.SUPPORTER) && ac.isStronglyAuthenticated();
+        return ac != null && ac.isInGroup(Group.SUPPORTER) && ac.isStronglyAuthenticated() && ac.getActor().hasValidSupportChallenge();
     }
 
 }
index 66c6545..0cc653c 100644 (file)
@@ -79,7 +79,7 @@ public class AuthorizationContext implements Outputable, Serializable {
     }
 
     public boolean canSupport() {
-        return getSupporterTicketId() != null && isInGroup(Group.SUPPORTER) && isStronglyAuthenticated();
+        return getSupporterTicketId() != null && isInGroup(Group.SUPPORTER) && isStronglyAuthenticated() && ((User) target).hasValidSupportChallenge();
     }
 
     private static final SprintfCommand sp = new SprintfCommand("Logged in as {0} via {1}.", Arrays.asList("${username", "${loginMethod"));
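Review bot: The new `((User) target).hasValidSupportChallenge()` in `canSupport()` checks a different principal than the companion change in `SupportEnterTicketPage.isPermitted`, which uses `ac.getActor().hasValidSupportChallenge()`; the supporter whose challenge must be current is the acting user, so `canSupport()` should read `getActor().hasValidSupportChallenge()` as well. The unchecked cast is also fragile: if `target` can ever be something other than a `User` (an organisation the supporter acts on, for example) this authorization gate throws `ClassCastException` instead of returning false, which presumably surfaces as a server error rather than a 403. Using the actor removes both the inconsistency and the cast. The surrounding class continues outside the hunk, so I cannot confirm how `target` is populated; worth verifying against the constructor.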
index e6dce45..47c4c15 100644 (file)
@@ -117,5 +117,30 @@ public class TestMain extends ClientTest {
         authenticate((HttpURLConnection) uc);
         content = IOUtils.readURL(uc);
         assertThat(content, not(containsString("you need to pass the RA Agent Challenge")));
+
+        // test Support challenge
+        uc = new URL("https://" + getSecureServerName()).openConnection();
+        authenticate((HttpURLConnection) uc);
+        content = IOUtils.readURL(uc);
+        assertThat(content, not(containsString("you need to pass the Support Challenge")));
+
+        grant(u, Group.SUPPORTER);
+        cookie = login(loginPrivateKey, loginCertificate.cert());
+        uc = new URL("https://" + getSecureServerName()).openConnection();
+        authenticate((HttpURLConnection) uc);
+        content = IOUtils.readURL(uc);
+        assertThat(content, containsString("you need to pass the Support Challenge"));
+
+        addChallengeInPast(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
+        uc = new URL("https://" + getSecureServerName()).openConnection();
+        authenticate((HttpURLConnection) uc);
+        content = IOUtils.readURL(uc);
+        assertThat(content, containsString("you need to pass the Support Challenge"));
+
+        addChallenge(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
+        uc = new URL("https://" + getSecureServerName()).openConnection();
+        authenticate((HttpURLConnection) uc);
+        content = IOUtils.readURL(uc);
+        assertThat(content, not(containsString("you need to pass the Support Challenge")));
     }
 }
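Review bot: The same four-line open/authenticate/read sequence is repeated four times in the added block (and once above it for the RA case); a small helper such as `private String fetchMainPage() throws IOException` returning the content would make each assertion a two-line step and keep the challenge-state transitions readable. The `addChallengeInPast` step is a good addition, since it pins that an expired challenge does not count as valid. Note that the SUPPORTER grant is followed by a fresh `login(...)` while the two `addChallenge*` calls are not, so the test implicitly asserts that challenge status is not cached in the session; a one-line comment, `// challenge state must be re-read per request, no re-login here`, would record that this is intentional.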
index ac4c23b..7562ed0 100644 (file)
@@ -12,7 +12,9 @@ import java.util.Random;
 import org.junit.Test;
 
 import club.wpia.gigi.GigiApiException;
+import club.wpia.gigi.dbObjects.CATS.CATSType;
 import club.wpia.gigi.dbObjects.Group;
+import club.wpia.gigi.dbObjects.User;
 import club.wpia.gigi.pages.admin.support.FindCertPage;
 import club.wpia.gigi.pages.admin.support.FindUserByDomainPage;
 import club.wpia.gigi.pages.admin.support.FindUserByEmailPage;
@@ -25,6 +27,7 @@ public class TestSEAdminTicketSetting extends ClientTest {
 
     public TestSEAdminTicketSetting() throws IOException, GigiApiException {
         grant(u, Group.SUPPORTER);
+        addChallenge(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
         cookie = cookieWithCertificateLogin(u);
     }
 
@@ -111,4 +114,17 @@ public class TestSEAdminTicketSetting extends ClientTest {
         assertEquals(403, get(cookiePW, FindCertPage.PATH).getResponseCode());
     }
 
+    @Test
+    public void testNoSupportChallenge() throws MalformedURLException, UnsupportedEncodingException, IOException, GigiApiException {
+        User supporter1 = User.getById(createVerificationUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+        grant(supporter1, Group.SUPPORTER);
+        loginCertificate = null;
+        cookie = cookieWithCertificateLogin(supporter1);
+
+        assertEquals(403, get(SupportEnterTicketPage.PATH).getResponseCode());
+        assertEquals(403, get(FindUserByEmailPage.PATH).getResponseCode());
+        assertEquals(403, get(FindUserByDomainPage.PATH).getResponseCode());
+        assertEquals(403, get(FindCertPage.PATH).getResponseCode());
+    }
+
 }
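Review bot: `testNoSupportChallenge` covers only a supporter who never passed the challenge; the expired case that TestMain exercises via `addChallengeInPast` is not checked here, although an expired challenge must also yield 403 on these support pages. Adding `addChallengeInPast(supporter1.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);` after the login and repeating the four 403 assertions would close that gap. Assigning `loginCertificate = null;` on line 120 appears to reset inherited fixture state so that `cookieWithCertificateLogin` issues a certificate for `supporter1` rather than reusing `u`'s; a short comment saying so would spare the next reader a trip into ClientTest.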
index a779672..32cb1d8 100644 (file)
@@ -5,6 +5,7 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 
 import club.wpia.gigi.GigiApiException;
+import club.wpia.gigi.dbObjects.CATS.CATSType;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.pages.admin.support.SupportEnterTicketPage;
 
@@ -16,6 +17,7 @@ public abstract class SEClientTest extends ClientTest {
 
     public SEClientTest() throws IOException, GigiApiException {
         grant(u, Group.SUPPORTER);
+        addChallenge(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
         cookie = cookieWithCertificateLogin(u);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
     }