add: user client certificate must have a verification within <=24 months

author INOPIAE <m.maengel@inopiae.de>

Sun, 29 Sep 2019 18:36:55 +0000 (20:36 +0200)

committer INOPIAE <m.maengel@inopiae.de>

Sun, 26 Jan 2020 15:08:16 +0000 (16:08 +0100)
author INOPIAE <m.maengel@inopiae.de>
Sun, 29 Sep 2019 18:36:55 +0000 (20:36 +0200)
committer INOPIAE <m.maengel@inopiae.de>
Sun, 26 Jan 2020 15:08:16 +0000 (16:08 +0100)
diff --git a/src/club/wpia/gigi/dbObjects/Name.java b/src/club/wpia/gigi/dbObjects/Name.java

index fbcf10eed4c94fc76c8c975102e339e31c83f7a8..ce8e7e2a1ca465eceecc4a6e84117f43fa4a18eb 100644 (file)
--- a/src/club/wpia/gigi/dbObjects/Name.java
+++ b/src/club/wpia/gigi/dbObjects/Name.java
@@ -1,6 +1,9 @@
  package club.wpia.gigi.dbObjects;
  
  import java.io.PrintWriter;
+import java.text.SimpleDateFormat;
+import java.util.Calendar;
+import java.util.Date;
  import java.util.Map;
  
  import club.wpia.gigi.GigiApiException;
@@ -11,6 +14,7 @@ import club.wpia.gigi.dbObjects.NamePart.NamePartType;
  import club.wpia.gigi.localisation.Language;
  import club.wpia.gigi.output.template.Outputable;
  import club.wpia.gigi.util.HTMLEncoder;
+import club.wpia.gigi.util.TimeConditions;
  
  public class Name implements Outputable, IdCachable {
  
@@ -512,4 +516,26 @@ public class Name implements Outputable, IdCachable {
          }
          return initals.toString();
      }
+
+    public boolean isValidVerification() {
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
+        Calendar c = Calendar.getInstance();
+        c.setTimeInMillis(System.currentTimeMillis());
+        c.add(Calendar.MONTH, -TimeConditions.getInstance().getVerificationMonths());
+        String date = sdf.format(new Date(c.getTimeInMillis()));
+        try (GigiPreparedStatement query = new GigiPreparedStatement("SELECT COUNT(id) FROM `notary` WHERE `to` = ? AND `deleted` IS NULL AND (`expire` IS NULL OR `expire` > CURRENT_TIMESTAMP) AND `date` > ?")) {
+            query.setInt(1, getId());
+            query.setString(2, date);
+            GigiResultSet rs = query.executeQuery();
+
+            if (rs.next()) {
+                if (rs.getInt(1) > 0) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+    }
+
  }
diff --git a/src/club/wpia/gigi/dbObjects/User.java b/src/club/wpia/gigi/dbObjects/User.java

index 714bfc3a9122b95bcb1fad5bbd51a2f0ebb0678b..3d88aa6a49ec242b33f3c5b3092b779b4f3a370d 100644 (file)
--- a/src/club/wpia/gigi/dbObjects/User.java
+++ b/src/club/wpia/gigi/dbObjects/User.java
@@ -338,6 +338,15 @@ public class User extends CertificateOwner {
          return false;
      }
  
+    public boolean isValidNameVerification(String name) {
+        for (Name n : getNames()) {
+            if (n.matches(name) && n.isValidVerification()) {
+                return true;
+            }
+        }
+        return false;
+    }
+
      public void updateDefaultEmail(EmailAddress newMail) throws GigiApiException {
          for (EmailAddress email : getEmails()) {
              if (email.getAddress().equals(newMail.getAddress())) {
diff --git a/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java b/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java

index d9d090caa3e36aee24eb1296b50c41edc14b002e..28a5b098b75f73254884217743a7f3e4f4e2fddd 100644 (file)
--- a/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/club/wpia/gigi/pages/account/certs/CertificateRequest.java
@@ -443,7 +443,7 @@ public class CertificateRequest {
                  subject.put("OU", ou);
              }
          }
-        System.out.println(subject);
+
          if ( !error.isEmpty()) {
              throw error;
          }
@@ -493,7 +493,11 @@ public class CertificateRequest {
              User u = (User) ctx.getTarget();
              if (name != null && u.isValidName(name)) {
                  if (realIsOK) {
-                    verifiedCN = name;
+                    if (u.isValidNameVerification(name)) {
+                        verifiedCN = name;
+                    } else {
+                        error.mergeInto(new GigiApiException(SprintfCommand.createSimple("The entered name needs a valid verification within the last {0} months.", TimeConditions.getInstance().getVerificationMonths())));
+                    }
                  } else {
                      error.mergeInto(new GigiApiException("Your real name is not allowed in this certificate."));
                      if (defaultIsOK) {
diff --git a/tests/club/wpia/gigi/dbObjects/TestUser.java b/tests/club/wpia/gigi/dbObjects/TestUser.java

index e7aa70cff60c09cf2660f03222424b0c527c8542..7d7b6dba93692942e61596b6651aa7fb9cefbbd5 100644 (file)
--- a/tests/club/wpia/gigi/dbObjects/TestUser.java
+++ b/tests/club/wpia/gigi/dbObjects/TestUser.java
@@ -134,4 +134,19 @@ public class TestUser extends ClientBusinessTest {
          assertThat(result, ArrayContains.contains(CoreMatchers.equalTo(type)));
      }
  
+    @Test
+    public void testValidVerification() throws GigiApiException {
+        User u0 = User.getById(createVerifiedUser("f", "l", createUniqueName() + "@email.com", TEST_PASSWORD));
+        assertFalse(u0.isValidNameVerification(u0.getPreferredName().toString()));
+
+        add100Points(u0.getId());
+        assertTrue(u0.isValidNameVerification(u0.getPreferredName().toString()));
+
+        setVerificationDateToPast(u0.getPreferredName());
+        assertFalse(u0.isValidNameVerification(u0.getPreferredName().toString()));
+
+        add100Points(u0.getId());
+        assertTrue(u0.isValidNameVerification(u0.getPreferredName().toString()));
+    }
+
  }
diff --git a/tests/club/wpia/gigi/dbObjects/TestVerifyName.java b/tests/club/wpia/gigi/dbObjects/TestVerifyName.java

index 7f3af269d484acbc4d1baaa252b8b2eebd664b2e..7ad2c7f4532919a35d8e241726519d6908478815 100644 (file)
--- a/tests/club/wpia/gigi/dbObjects/TestVerifyName.java
+++ b/tests/club/wpia/gigi/dbObjects/TestVerifyName.java
@@ -5,13 +5,9 @@ import static org.junit.Assert.*;
  import org.junit.Test;
  
  import club.wpia.gigi.GigiApiException;
-import club.wpia.gigi.dbObjects.Country;
-import club.wpia.gigi.dbObjects.Name;
-import club.wpia.gigi.dbObjects.NamePart;
-import club.wpia.gigi.dbObjects.User;
-import club.wpia.gigi.dbObjects.Verification.VerificationType;
  import club.wpia.gigi.dbObjects.Country.CountryCodeType;
  import club.wpia.gigi.dbObjects.NamePart.NamePartType;
+import club.wpia.gigi.dbObjects.Verification.VerificationType;
  import club.wpia.gigi.testUtils.ClientBusinessTest;
  import club.wpia.gigi.util.Notary;
  
@@ -35,4 +31,20 @@ public class TestVerifyName extends ClientBusinessTest {
          assertEquals(10, n4.getVerificationPoints());
          assertEquals(10, u.getMaxVerifyPoints());
      }
+
+    @Test
+    public void testValidVerification() throws GigiApiException {
+        User u0 = User.getById(createVerifiedUser("f", "l", createUniqueName() + "@email.com", TEST_PASSWORD));
+        assertFalse(u0.getPreferredName().isValidVerification());
+
+        add100Points(u0.getId());
+        assertTrue(u0.getPreferredName().isValidVerification());
+
+        setVerificationDateToPast(u0.getPreferredName());
+        assertFalse(u0.getPreferredName().isValidVerification());
+
+        add100Points(u0.getId());
+        assertTrue(u0.getPreferredName().isValidVerification());
+    }
+
  }
diff --git a/tests/club/wpia/gigi/pages/account/TestCertificateRequest.java b/tests/club/wpia/gigi/pages/account/TestCertificateRequest.java

index bb6c575d7ed81d4457c0ac21951a8c3010ae2c3c..372f2bfaba86144d4023d921a38e5d115ac71d3a 100644 (file)
--- a/tests/club/wpia/gigi/pages/account/TestCertificateRequest.java
+++ b/tests/club/wpia/gigi/pages/account/TestCertificateRequest.java
@@ -15,6 +15,7 @@ import club.wpia.gigi.database.GigiPreparedStatement;
  import club.wpia.gigi.dbObjects.EmailAddress;
  import club.wpia.gigi.dbObjects.Group;
  import club.wpia.gigi.pages.account.certs.CertificateRequest;
+import club.wpia.gigi.testUtils.ClientBusinessTest;
  import club.wpia.gigi.testUtils.ClientTest;
  import club.wpia.gigi.util.AuthorizationContext;
  import club.wpia.gigi.util.TimeConditions;
@@ -135,4 +136,19 @@ public class TestCertificateRequest extends ClientTest {
          }
  
      }
+
+    @Test
+    public void testVerificationInPast() throws IOException, GeneralSecurityException, GigiApiException {
+
+        ClientBusinessTest.setVerificationDateToPast(u.getPreferredName());
+        try {
+            CertificateRequest cr = new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab"));
+            cr.update(u.getPreferredName().toString(), "SHA512", "client-a", null, null, "email:" + email);
+            cr.draft();
+            fail();
+        } catch (GigiApiException e) {
+            assertThat(e.getMessage(), containsString("The entered name needs a valid verification within the last"));
+        }
+
+    }
  }
diff --git a/tests/club/wpia/gigi/testUtils/ClientBusinessTest.java b/tests/club/wpia/gigi/testUtils/ClientBusinessTest.java

index 023d55ed4b3ab43da9567346d26d03db72502409..3a6156946a2b72e77baa9a4fc5f5dab801566a50 100644 (file)
--- a/tests/club/wpia/gigi/testUtils/ClientBusinessTest.java
+++ b/tests/club/wpia/gigi/testUtils/ClientBusinessTest.java
@@ -1,8 +1,14 @@
  package club.wpia.gigi.testUtils;
  
+import java.text.SimpleDateFormat;
+import java.util.Calendar;
+import java.util.Date;
+
  import club.wpia.gigi.GigiApiException;
+import club.wpia.gigi.database.GigiPreparedStatement;
  import club.wpia.gigi.dbObjects.Name;
  import club.wpia.gigi.dbObjects.User;
+import club.wpia.gigi.util.TimeConditions;
  
  public class ClientBusinessTest extends BusinessTest {
  
@@ -21,4 +27,18 @@ public class ClientBusinessTest extends BusinessTest {
              throw new Error(e);
          }
      }
+
+    public static void setVerificationDateToPast(Name name) {
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
+        Calendar c = Calendar.getInstance();
+        c.setTimeInMillis(System.currentTimeMillis());
+        c.add(Calendar.MONTH, -TimeConditions.getInstance().getVerificationMonths());
+        String date = sdf.format(new Date(c.getTimeInMillis()));
+        GigiPreparedStatement ps = new GigiPreparedStatement("UPDATE `notary` SET `date`=? WHERE `to`=? AND `date`>?");
+        ps.setString(1, date);
+        ps.setInt(2, name.getId());
+        ps.setString(3, date);
+        ps.execute();
+        ps.close();
+    }
  }
diff --git a/tests/club/wpia/gigi/testUtils/ConfiguredTest.java b/tests/club/wpia/gigi/testUtils/ConfiguredTest.java

index 322af0bc55e6d15e2b744316b8431b0c2c4d17c4..43be01db7d2b64443c484d6ce751274fde334aa3 100644 (file)
--- a/tests/club/wpia/gigi/testUtils/ConfiguredTest.java
+++ b/tests/club/wpia/gigi/testUtils/ConfiguredTest.java
@@ -360,9 +360,11 @@ public abstract class ConfiguredTest {
      }
  
      public static void add100Points(int uid) {
-        try (GigiPreparedStatement ps2 = new GigiPreparedStatement("INSERT INTO `notary` SET `from`=?, `to`=?, points='100'")) {
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
+        try (GigiPreparedStatement ps2 = new GigiPreparedStatement("INSERT INTO `notary` SET `from`=?, `to`=?, points='100', `date`=?")) {
              ps2.setInt(1, uid);
              ps2.setInt(2, User.getById(uid).getPreferredName().getId());
+            ps2.setString(3, sdf.format(new Date(System.currentTimeMillis())));
              ps2.execute();
          }
      }
diff --git a/util-testing/club/wpia/gigi/pages/Manager.java b/util-testing/club/wpia/gigi/pages/Manager.java

index f68d307bcb8a14789722c11d07d10a9ef7e07541..0ca611994798cedbadfd8868aad45791ff0e2b24 100644 (file)
--- a/util-testing/club/wpia/gigi/pages/Manager.java
+++ b/util-testing/club/wpia/gigi/pages/Manager.java
@@ -48,6 +48,7 @@ import club.wpia.gigi.dbObjects.DomainPingExecution;
  import club.wpia.gigi.dbObjects.DomainPingType;
  import club.wpia.gigi.dbObjects.EmailAddress;
  import club.wpia.gigi.dbObjects.Group;
+import club.wpia.gigi.dbObjects.Name;
  import club.wpia.gigi.dbObjects.NamePart;
  import club.wpia.gigi.dbObjects.NamePart.NamePartType;
  import club.wpia.gigi.dbObjects.User;
@@ -447,6 +448,17 @@ public class Manager extends Page {
  
              resp.getWriter().println("User has been verified " + verifications + " times." + info);
  
+        } else if (req.getParameter("verifyexpire") != null) {
+            String mail = req.getParameter("verifyEmail");
+            User byEmail = User.getByEmail(mail);
+            if (byEmail == null) {
+                resp.getWriter().println("User not found.");
+                return;
+            } else {
+                setVerificationDateToPast(byEmail.getPreferredName());
+            }
+
+            resp.getWriter().println("Verification set to time past the limit.");
          } else if (req.getParameter("letverify") != null) {
              String mail = req.getParameter("letverifyEmail");
              User byEmail = User.getByEmail(mail);
@@ -628,4 +640,18 @@ public class Manager extends Page {
  
          form.output(resp.getWriter(), getLanguage(req), vars);
      }
+
+    private static void setVerificationDateToPast(Name name) {
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
+        Calendar c = Calendar.getInstance();
+        c.setTimeInMillis(System.currentTimeMillis());
+        c.add(Calendar.MONTH, -TimeConditions.getInstance().getVerificationMonths());
+        String date = sdf.format(new Date(c.getTimeInMillis()));
+        GigiPreparedStatement ps = new GigiPreparedStatement("UPDATE `notary` SET `date`=? WHERE `to`=? AND `date`>?");
+        ps.setString(1, date);
+        ps.setInt(2, name.getId());
+        ps.setString(3, date);
+        ps.execute();
+        ps.close();
+    }
  }
diff --git a/util-testing/club/wpia/gigi/pages/Manager.templ b/util-testing/club/wpia/gigi/pages/Manager.templ

index 89627aeea5fb50dfdfdda21378252e2d9e1ef5a1..f6e1519ab89c27d9084a85b07402a0efd21ff7b0 100644 (file)
--- a/util-testing/club/wpia/gigi/pages/Manager.templ
+++ b/util-testing/club/wpia/gigi/pages/Manager.templ
@@ -70,6 +70,7 @@ Email: <input type="text" name="verifyEmail"/>
  </td><td>
  Verification Points to issue to preferred name: </br>
  <input type="text" name="verificationPoints" value="100"/> <input type="submit" value="Add Points" name="verify"/>
+<input type="submit" value="Set Verification date past limit" name="verifyexpire"/>
  </td></tr>
  
  <tr><td>
author	INOPIAE <m.maengel@inopiae.de>
	Sun, 29 Sep 2019 18:36:55 +0000 (20:36 +0200)
committer	INOPIAE <m.maengel@inopiae.de>
	Sun, 26 Jan 2020 15:08:16 +0000 (16:08 +0100)
src/club/wpia/gigi/dbObjects/Name.java		patch \| blob \| history
src/club/wpia/gigi/dbObjects/User.java		patch \| blob \| history
src/club/wpia/gigi/pages/account/certs/CertificateRequest.java		patch \| blob \| history
tests/club/wpia/gigi/dbObjects/TestUser.java		patch \| blob \| history
tests/club/wpia/gigi/dbObjects/TestVerifyName.java		patch \| blob \| history
tests/club/wpia/gigi/pages/account/TestCertificateRequest.java		patch \| blob \| history
tests/club/wpia/gigi/testUtils/ClientBusinessTest.java		patch \| blob \| history
tests/club/wpia/gigi/testUtils/ConfiguredTest.java		patch \| blob \| history
util-testing/club/wpia/gigi/pages/Manager.java		patch \| blob \| history
util-testing/club/wpia/gigi/pages/Manager.templ		patch \| blob \| history