add: ensure that for RA Agent actions certificate login is used
authorINOPIAE <m.maengel@inopiae.de>
Wed, 10 Jul 2019 07:35:09 +0000 (09:35 +0200)
committerINOPIAE <m.maengel@inopiae.de>
Sun, 8 Sep 2019 19:18:47 +0000 (21:18 +0200)
related to issue #150

Change-Id: Ia6e474a9c3d7fb716c736aeb9b21dfe1f765de6c

src/club/wpia/gigi/util/AuthorizationContext.java
tests/club/wpia/gigi/pages/account/TestPasswordResetExternal.java
tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java
tests/club/wpia/gigi/pages/wot/TestVerification.java
tests/club/wpia/gigi/testUtils/ManagedTest.java
tests/club/wpia/gigi/testUtils/SEClientTest.java

index 9888309..566436a 100644 (file)
@@ -113,7 +113,7 @@ public class AuthorizationContext implements Outputable, Serializable {
     }
 
     public boolean canVerify() {
-        return target instanceof User && ((User) target).canVerify();
+        return target instanceof User && ((User) target).canVerify() && isStronglyAuthenticated();
     }
 
     public boolean isStronglyAuthenticated() {
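Review bot: canVerify() now folds in a second, undocumented precondition; add a Javadoc above the method on line 21 saying that besides the per-user permission the current session must be strongly authenticated, e.g. `/** True if the target user may enter verifications AND this session is strongly (client-certificate) authenticated; password-only sessions are refused for RA agent actions (issue #150). */`. Whether isStronglyAuthenticated() means certificate login only cannot be confirmed from here, because its body begins on the hunk's last line and runs outside it. Any other code path that accepts a verification without consulting this method would bypass the new requirement, so it is worth confirming that both the form display and the form submission route through canVerify().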
index 1efc5f7..31510ab 100644 (file)
@@ -6,14 +6,15 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
-import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLEncoder;
+import java.security.GeneralSecurityException;
 
 import org.junit.Test;
 
+import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.dbObjects.User;
 import club.wpia.gigi.pages.PasswordResetPage;
 import club.wpia.gigi.pages.wot.TestVerification;
@@ -25,9 +26,9 @@ import club.wpia.gigi.util.RandomToken;
 public class TestPasswordResetExternal extends ClientTest {
 
     @Test
-    public void testByVerification() throws IOException {
+    public void testByVerification() throws IOException, GeneralSecurityException, GigiApiException, InterruptedException {
         User u = User.getById(createVerificationUser("fn", "ln", createUniqueName() + "@example.com", TEST_PASSWORD));
-        String cookie2 = login(u.getEmail(), TEST_PASSWORD);
+        String cookie2 = cookieWithCertificateLogin(u);
         URLConnection uc = TestVerification.buildupVerifyFormConnection(cookie2, email, true);
         String avalue = RandomToken.generateToken(32);
         uc.getOutputStream().write(("verifiedName=" + this.u.getPreferredName().getId() + "&date=" + TestVerification.validVerificationDateString() + "&location=testcase&countryCode=DE&certify=1&rules=1&assertion=1&points=10&passwordReset=1&passwordResetValue=" + URLEncoder.encode(avalue, "UTF-8")).getBytes("UTF-8"));
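Review bot: The new throws clause on testByVerification declares GeneralSecurityException and InterruptedException, but cookieWithCertificateLogin wraps both into GigiApiException and nothing else visible in this hunk throws them; `public void testByVerification() throws IOException, GigiApiException {` keeps the signature honest and makes the java.security.GeneralSecurityException import added on line 37 unnecessary. The method body continues past this hunk, so confirm no later statement needs them. Note also that cookieWithCertificateLogin leaves loginCertificate and loginPrivateKey set on the fixture, so every later request in this test, including the password-reset link follow-up for the applicant, will presumably be sent with the agent's client certificate; if the reset flow is meant to be exercised as an unauthenticated browser would, reset both fields before the first toPasswordReset call.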
@@ -40,7 +41,6 @@ public class TestPasswordResetExternal extends ClientTest {
         mail = getMailReceiver().receive(this.u.getEmail());
         String link = mail.extractLink();
         String npw = TEST_PASSWORD + "'";
-        System.out.println(link);
         assertNotNull(toPasswordReset(avalue, link, npw, npw + "'"));
         assertNotNull(toPasswordReset(avalue + "'", link, npw, npw));
         assertNotNull(toPasswordReset(avalue, link, "a", "a"));
@@ -59,7 +59,6 @@ public class TestPasswordResetExternal extends ClientTest {
         uc2.setDoOutput(true);
         OutputStream o = uc2.getOutputStream();
         o.write(("csrf=" + csrf + "&pword1=" + URLEncoder.encode(npw, "UTF-8") + "&pword2=" + URLEncoder.encode(npw2, "UTF-8") + "&private_token=" + URLEncoder.encode(avalue, "UTF-8")).getBytes("UTF-8"));
-        System.out.println(((HttpURLConnection) uc2).getResponseCode());
         String readURL = IOUtils.readURL(uc2);
         return fetchStartErrorMessage(readURL);
     }
index e85b03e..ac4c23b 100644 (file)
@@ -7,18 +7,11 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
 import java.util.Random;
 
 import org.junit.Test;
 
 import club.wpia.gigi.GigiApiException;
-import club.wpia.gigi.dbObjects.Certificate;
-import club.wpia.gigi.dbObjects.Certificate.CSRType;
-import club.wpia.gigi.dbObjects.Digest;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.pages.admin.support.FindCertPage;
 import club.wpia.gigi.pages.admin.support.FindUserByDomainPage;
@@ -32,22 +25,7 @@ public class TestSEAdminTicketSetting extends ClientTest {
 
     public TestSEAdminTicketSetting() throws IOException, GigiApiException {
         grant(u, Group.SUPPORTER);
-        try {
-            KeyPair kp = generateKeypair();
-            String csr = generatePEMCSR(kp, "CN=" + u.getPreferredName().toString());
-            Certificate c = new Certificate(u, u, Certificate.buildDN("CN", u.getPreferredName().toString()), Digest.SHA256, csr, CSRType.CSR, getClientProfile());
-            final PrivateKey pk = kp.getPrivate();
-            await(c.issue(null, "2y", u));
-            final X509Certificate ce = c.cert();
-            c.setLoginEnabled(true);
-            cookie = login(pk, ce);
-            loginCertificate = c;
-            loginPrivateKey = pk;
-        } catch (InterruptedException e) {
-            throw new GigiApiException(e.toString());
-        } catch (GeneralSecurityException e) {
-            throw new GigiApiException(e.toString());
-        }
+        cookie = cookieWithCertificateLogin(u);
     }
 
     @Test
index 5b61f23..a25a2bc 100644 (file)
@@ -9,6 +9,7 @@ import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URLConnection;
 import java.net.URLEncoder;
+import java.security.GeneralSecurityException;
 import java.sql.SQLException;
 import java.sql.Timestamp;
 import java.text.SimpleDateFormat;
@@ -43,7 +44,7 @@ public class TestVerification extends ManagedTest {
     private String cookie;
 
     @Before
-    public void setup() throws IOException {
+    public void setup() throws IOException, GeneralSecurityException, GigiApiException, InterruptedException {
         clearCaches();
         agentM = createUniqueName() + "@example.org";
         applicantM = createUniqueName() + "@example.org";
@@ -52,7 +53,8 @@ public class TestVerification extends ManagedTest {
         int applicantId = createVerifiedUser("a", "c", applicantM, TEST_PASSWORD);
         applicantName = User.getById(applicantId).getPreferredName().getId();
 
-        cookie = login(agentM, TEST_PASSWORD);
+        User users[] = User.findByEmail(agentM);
+        cookie = cookieWithCertificateLogin(users[0]);
     }
 
     private Matcher<String> isVerificationForm() {
@@ -158,7 +160,7 @@ public class TestVerification extends ManagedTest {
 
         String applicantCookie = login(applicantM, TEST_PASSWORD);
         String newDob = "day=1&month=1&year=" + ( !succeed ? 1911 : 1910);
-
+        loginCertificate = null;
         assertNull(executeBasicWebInteraction(applicantCookie, MyDetails.PATH, newDob + "&action=updateDoB", 0));
 
         uc.getOutputStream().write(("verifiedName=" + applicantName + "&date=" + validVerificationDateString() + "&location=testcase&countryCode=DE&certify=1&rules=1&assertion=1&points=10").getBytes("UTF-8"));
@@ -245,6 +247,7 @@ public class TestVerification extends ManagedTest {
         getMailReceiver().receive(applicantM);
 
         String cookie = login(applicantM, TEST_PASSWORD);
+        loginCertificate = null;
         URLConnection url = get(cookie, Points.PATH);
         String resp = IOUtils.readURL(url);
         resp = resp.split(Pattern.quote("</table>"))[1];
@@ -259,6 +262,7 @@ public class TestVerification extends ManagedTest {
         getMailReceiver().receive(applicantM);
 
         String cookie = login(agentM, TEST_PASSWORD);
+        loginCertificate = null;
         URLConnection url = get(cookie, Points.PATH);
         String resp = IOUtils.readURL(url);
         resp = resp.split(Pattern.quote("</table>"))[2];
@@ -303,8 +307,7 @@ public class TestVerification extends ManagedTest {
     }
 
     @Test
-    public void testMultipleVerification() throws IOException {
-
+    public void testMultipleVerification() throws IOException, GeneralSecurityException, GigiApiException, InterruptedException {
         User users[] = User.findByEmail(agentM);
         int agentID = users[0].getId();
 
@@ -341,7 +344,7 @@ public class TestVerification extends ManagedTest {
     }
 
     @Test
-    public void testRANotificationSet() throws IOException, GigiApiException {
+    public void testRANotificationSet() throws IOException, GigiApiException, GeneralSecurityException, InterruptedException {
         getMailReceiver().assertEmpty();
 
         User users[] = User.findByEmail(agentM);
@@ -350,15 +353,14 @@ public class TestVerification extends ManagedTest {
         User u = users[0];
         u.grantGroup(u, Group.VERIFY_NOTIFICATION);
         clearCaches();
-        cookie = login(agentM, TEST_PASSWORD);
-
-        String targetMail = u.getEmail();
+        cookie = cookieWithCertificateLogin(users[0]);
 
         // enter verification
         String uniqueLoc = createUniqueName();
         executeSuccess("date=" + validVerificationDateString() + "&location=" + uniqueLoc + "&countryCode=DE&certify=1&rules=1&assertion=1&points=10");
         getMailReceiver().receive(applicantM);
-        TestMail tm = getMailReceiver().receive(targetMail);
+
+        TestMail tm = getMailReceiver().receive(agentM);
         assertThat(tm.getMessage(), containsString("You entered a verification for the account with email address " + applicantM));
 
     }
@@ -373,16 +375,20 @@ public class TestVerification extends ManagedTest {
         User u = users[0];
         u.revokeGroup(u, Group.VERIFY_NOTIFICATION);
         clearCaches();
-        cookie = login(agentM, TEST_PASSWORD);
 
         // enter verification
         String uniqueLoc = createUniqueName();
         executeSuccess("date=" + validVerificationDateString() + "&location=" + uniqueLoc + "&countryCode=DE&certify=1&rules=1&assertion=1&points=10");
 
-        TestMail tm;
-
-        tm = getMailReceiver().receive(applicantM);
+        TestMail tm = getMailReceiver().receive(applicantM);
         assertThat(tm.getMessage(), not(containsString("You entered a verification for the account with email address " + applicantM)));
 
     }
+
+    @Test
+    public void testVerifyWithoutCertLogin() throws IOException {
+        cookie = login(agentM, TEST_PASSWORD);
+        loginCertificate = null;
+        assertEquals(403, get(cookie, VerifyPage.PATH).getResponseCode());
+    }
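Review bot: testVerifyWithoutCertLogin asserts 403 only for a GET of VerifyPage, while the check that was tightened (canVerify) presumably also guards the verification submission; add a POST of a filled form with the password-only cookie, e.g. `assertEquals(403, post(cookie, VerifyPage.PATH, "date=" + validVerificationDateString() + "&location=testcase&countryCode=DE&certify=1&rules=1&assertion=1&points=10", 0).getResponseCode());`, using post(cookie, path, data, 0) as SEClientTest already does. The `loginCertificate = null;` resets on lines 150, 158, 166 and 229 clear only one of the two fields cookieWithCertificateLogin populates; loginPrivateKey stays set, which is harmless only if the HTTP helpers key on loginCertificate alone. Clear both together, or better have login(String, String) reset them so a test cannot forget and silently send the agent's certificate with an applicant cookie. The body of testRANotificationNotSet begins above this hunk.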
 }
index 25df272..4a8324b 100644 (file)
@@ -19,6 +19,7 @@ import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
+import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.PrivateKey;
@@ -44,6 +45,8 @@ import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.database.GigiPreparedStatement;
 import club.wpia.gigi.database.GigiResultSet;
 import club.wpia.gigi.dbObjects.Certificate;
+import club.wpia.gigi.dbObjects.Certificate.CSRType;
+import club.wpia.gigi.dbObjects.Digest;
 import club.wpia.gigi.dbObjects.EmailAddress;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.dbObjects.Job;
@@ -550,4 +553,29 @@ public class ManagedTest extends ConfiguredTest {
             }
         }
     }
+
+    protected String cookieWithCertificateLogin(User u) throws IOException, GigiApiException {
+
+        try {
+            KeyPair kp;
+            kp = generateKeypair();
+
+            String csr;
+            csr = generatePEMCSR(kp, "CN=" + u.getPreferredName().toString());
+
+            Certificate c = new Certificate(u, u, Certificate.buildDN("CN", u.getPreferredName().toString()), Digest.SHA256, csr, CSRType.CSR, getClientProfile());
+            final PrivateKey pk = kp.getPrivate();
+            await(c.issue(null, "2y", u));
+            final X509Certificate ce = c.cert();
+            c.setLoginEnabled(true);
+            loginCertificate = c;
+            loginPrivateKey = pk;
+            return login(pk, ce);
+        } catch (InterruptedException e) {
+            throw new GigiApiException(e.toString());
+        } catch (GeneralSecurityException e) {
+            throw new GigiApiException(e.toString());
+        }
+
+    }
 }
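Review bot: Both catch blocks in cookieWithCertificateLogin discard the original exception (`throw new GigiApiException(e.toString())`), so a failed key generation, CSR or issuance loses its stack trace, and the InterruptedException branch does not restore the interrupt flag; add `Thread.currentThread().interrupt();` before that rethrow and, if GigiApiException has a cause-taking constructor (not visible here), pass `e` as the cause. The helper also assigns loginCertificate and loginPrivateKey before login(pk, ce) has succeeded, so a failed login leaves a half-configured fixture; move the two assignments after the login call returns. A Javadoc on the method should state that it issues and login-enables a fresh client certificate for u, returns the session cookie, and leaves both fixture fields set so that subsequent HTTP helpers presumably present this certificate, which a test switching back to password login must undo.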
index 358a8c1..a779672 100644 (file)
@@ -3,15 +3,8 @@ package club.wpia.gigi.testUtils;
 import static org.junit.Assert.*;
 
 import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
 
 import club.wpia.gigi.GigiApiException;
-import club.wpia.gigi.dbObjects.Certificate;
-import club.wpia.gigi.dbObjects.Certificate.CSRType;
-import club.wpia.gigi.dbObjects.Digest;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.pages.admin.support.SupportEnterTicketPage;
 
@@ -23,22 +16,7 @@ public abstract class SEClientTest extends ClientTest {
 
     public SEClientTest() throws IOException, GigiApiException {
         grant(u, Group.SUPPORTER);
-        try {
-            KeyPair kp = generateKeypair();
-            String csr = generatePEMCSR(kp, "CN=" + u.getPreferredName().toString());
-            Certificate c = new Certificate(u, u, Certificate.buildDN("CN", u.getPreferredName().toString()), Digest.SHA256, csr, CSRType.CSR, getClientProfile());
-            final PrivateKey pk = kp.getPrivate();
-            await(c.issue(null, "2y", u));
-            final X509Certificate ce = c.cert();
-            c.setLoginEnabled(true);
-            loginCertificate = c;
-            loginPrivateKey = pk;
-            cookie = login(pk, ce);
-        } catch (InterruptedException e) {
-            throw new GigiApiException(e.toString());
-        } catch (GeneralSecurityException e) {
-            throw new GigiApiException(e.toString());
-        }
+        cookie = cookieWithCertificateLogin(u);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
     }