import org.cacert.gigi.output.template.TranslateCommand;
public enum Group {
- SUPPORTER("supporter", "supporter", true, true), //
- ARBITRATOR("arbitrator", "arbitrator", true, true), //
- BLOCKEDASSURER("blockedassurer", "may not verify", true, false), //
- BLOCKEDASSUREE("blockedassuree", "may not be verified", true, false), //
- BLOCKEDLOGIN("blockedlogin", "may not login", true, false), //
- BLOCKEDCERT("blockedcert", "may not issue certificates", true, false), //
- TTP_ASSURER("ttp-assurer", "may verify via TTP", true, true), //
- TTP_APPLICANT("ttp-applicant", "requests to be verified via ttp", true, false), //
- CODESIGNING("codesigning", "may issue codesigning certificates", true, false), //
- ORGASSURER("orgassurer", "may verify organisations", true, true), //
- NUCLEUS_ASSURER("nucleus-assurer", "may enter nucleus verifications", true, true), //
- LOCATE_AGENT("locate-agent", "wants access to the locate agent system", false, false);
+ SUPPORTER("supporter", "supporter", true, false, true), //
+ ARBITRATOR("arbitrator", "arbitrator", true, false, true), //
+ BLOCKEDASSURER("blockedassurer", "may not verify", true, false, false), //
+ BLOCKEDASSUREE("blockedassuree", "may not be verified", true, false, false), //
+ BLOCKEDLOGIN("blockedlogin", "may not login", true, false, false), //
+ BLOCKEDCERT("blockedcert", "may not issue certificates", true, false, false), //
+ TTP_ASSURER("ttp-assurer", "may verify via TTP", true, false, true), //
+ TTP_APPLICANT("ttp-applicant", "requests to be verified via ttp", false, true, false), //
+ CODESIGNING("codesigning", "may issue codesigning certificates", true, false, false), //
+ ORGASSURER("orgassurer", "may verify organisations", true, false, true), //
+ NUCLEUS_ASSURER("nucleus-assurer", "may enter nucleus verifications", true, false, true), //
+ LOCATE_AGENT("locate-agent", "wants access to the locate agent system", false, true, false);
private final String dbName;
private final boolean managedBySupport;
+ private final boolean managedByUser;
+
private final boolean isSelfViewable;
/**
* @param isSelfViewable
* true iff user should be able to see others in the same group
*/
- private Group(String name, String display, boolean managedBySupport, boolean isSelfViewable) {
+ private Group(String name, String display, boolean managedBySupport, boolean managedByUser, boolean isSelfViewable) {
dbName = name;
tc = new TranslateCommand(display);
+ if (managedByUser && managedBySupport) {
+ throw new IllegalArgumentException("We do not allow groups to be user and support managable.");
+ }
+ if (managedByUser && isSelfViewable) {
+ throw new IllegalArgumentException("We do not allow groups to be self-viewable and managable by user.");
+ }
+ this.managedByUser = managedByUser;
this.managedBySupport = managedBySupport;
this.isSelfViewable = isSelfViewable;
}
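Review bot: The constructor Javadoc at L32–L35 still documents only `isSelfViewable`; the new `managedByUser` flag, the existing `managedBySupport` flag and the two invariants enforced at L40–L45 are undocumented, and nothing tells a reader that a constant with both flags false would be grantable by nobody. I would add `@param managedBySupport true iff only members of SUPPORTER may grant or revoke this group` and `@param managedByUser true iff the group is enabled by the user for themselves (as TTP_APPLICANT and LOCATE_AGENT now are); mutually exclusive with managedBySupport and with isSelfViewable`, plus a one-line note that these IllegalArgumentExceptions fire during enum class initialisation and therefore surface as an ExceptionInInitializerError. Both messages also misspell "managable": `"We do not allow groups to be user and support manageable."` and `"We do not allow groups to be self-viewable and manageable by user."`.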
return managedBySupport;
}
+ public boolean isManagedByUser() {
+ return managedByUser;
+ }
+
public boolean isSelfViewable() {
return isSelfViewable;
}
return target;
}
- public void grant(Group toMod) {
+ public void grant(Group toMod) throws GigiApiException {
target.grantGroup(supporter, toMod);
}
private Locale locale;
- private final Set<Group> groups = new HashSet<>();
+ private Set<Group> groups = new HashSet<>();
public static final int MINIMUM_AGE = 16;
locale = Language.getLocaleFromString(localeStr);
}
+ refreshGroups();
+ }
+
+ public synchronized void refreshGroups() {
+ HashSet<Group> hs = new HashSet<>();
try (GigiPreparedStatement psg = new GigiPreparedStatement("SELECT `permission` FROM `user_groups` WHERE `user`=? AND `deleted` is NULL")) {
- psg.setInt(1, rs.getInt("id"));
+ psg.setInt(1, getId());
try (GigiResultSet rs2 = psg.executeQuery()) {
while (rs2.next()) {
- groups.add(Group.getByString(rs2.getString(1)));
+ hs.add(Group.getByString(rs2.getString(1)));
}
}
}
+ groups = hs;
}
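Review bot: `groups` lost its `final` (L67) so that `refreshGroups()` can swap in a fresh set at L86, but only the writer is `synchronized`; `getGroups()`, `isInGroup()` and the `groups.add(toGrant)` in `grantGroup` read and mutate the field with no synchronization, so another thread may keep seeing the old set or add a membership to a set that is about to be discarded. The minimal fix is `private volatile Set<Group> groups = new HashSet<>();` together with having `grantGroup` call `refreshGroups()` after its INSERT instead of mutating the live set. `Collections.unmodifiableSet(groups)` (L89) is also a live view of whichever set happens to be current, so callers iterating it can hit a ConcurrentModificationException; a short Javadoc on `refreshGroups` stating that it replaces the set rather than clearing it would make the intent explicit. The constructor that the `refreshGroups()` call at L71 belongs to starts before L65.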
public User(String email, String password, DayDate dob, Locale locale, Country residenceCountry, NamePart... preferred) throws GigiApiException {
return Collections.unmodifiableSet(groups);
}
- public void grantGroup(User granter, Group toGrant) {
+ public void grantGroup(User granter, Group toGrant) throws GigiApiException {
+ if (toGrant.isManagedBySupport() && !granter.isInGroup(Group.SUPPORTER)) {
+ throw new GigiApiException("Group may only be managed by supporter");
+ }
groups.add(toGrant);
try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
ps.setInt(1, getId());
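Review bot: The new check at L93–L95 guards only support-managed groups; for the user-managed ones (TTP_APPLICANT, LOCATE_AGENT) nothing verifies that `granter` is the target user or a supporter, so unless every caller enforces it, any authenticated user could switch those groups on for another user. I would add `if (toGrant.isManagedByUser() && granter.getId() != getId() && !granter.isInGroup(Group.SUPPORTER)) { throw new GigiApiException("Group may only be enabled by the user or a supporter"); }`. `revokeGroup` is not in this diff; if it does not receive the symmetric supporter check, a user could strip BLOCKEDLOGIN, BLOCKEDCERT or BLOCKEDASSURER from themselves, which defeats the purpose of making those groups support-managed. Note too that `groups.add(toGrant)` at L96 runs before the INSERT, so a failed statement leaves the in-memory object claiming a membership the database never recorded; the method body continues past L98.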
private Group value = null;
- private final boolean supportFlag;
+ private final boolean bySupporter;
- public GroupSelector(String name, boolean supportFlag) {
+ public GroupSelector(String name, boolean bySupporter) {
this.name = HTMLEncoder.encodeHTML(name);
- this.supportFlag = supportFlag;
+ this.bySupporter = bySupporter;
}
public void update(HttpServletRequest r) throws GigiApiException {
String vS = r.getParameter(name);
value = null;
for (Group g : Group.values()) {
- if (g.getDatabaseName().equals(vS) && g.isManagedBySupport() == supportFlag) {
+ if (g.getDatabaseName().equals(vS) && mayManage(g)) {
value = g;
}
}
public void output(PrintWriter out, Language l, Map<String, Object> vars) {
out.println("<select name='" + name + "'>");
for (Group g : Group.values()) {
- if (supportFlag == g.isManagedBySupport()) {
+ if (mayManage(g)) {
out.print("<option value='" + g.getDatabaseName());
if (g.equals(value)) {
out.print(" selected");
out.println("</select>");
}
+ private boolean mayManage(Group g) {
+ return (bySupporter && g.isManagedBySupport()) || ( !bySupporter && g.isManagedByUser());
+ }
+
public Group getGroup() {
return value;
}
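Review bot: `mayManage` at L127–L129 reads more directly as `return bySupporter ? g.isManagedBySupport() : g.isManagedByUser();`, and it deserves a comment making clear that it only filters what the form offers and accepts — the authoritative check is in `User.grantGroup`, so a forged `name` parameter naming a support-managed group is rejected there, not here. The renamed constructor parameter should be documented: `@param bySupporter true when the selector is rendered for a support engineer, false for a user's own settings page`. `update` silently leaves `value` null when the submitted group is not manageable by this selector, so if the caller treats null as "nothing selected" a rejected selection is indistinguishable from an empty one; either document that or throw the GigiApiException the signature already declares.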
@Test
public void testAddRm() throws GigiApiException, IOException {
User u1 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- u1.grantGroup(u1, Group.ORGASSURER);
+ u1.grantGroup(getSupporter(), Group.ORGASSURER);
User u2 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- u2.grantGroup(u1, Group.ORGASSURER);
+ u2.grantGroup(getSupporter(), Group.ORGASSURER);
User u3 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- u3.grantGroup(u1, Group.ORGASSURER);
+ u3.grantGroup(getSupporter(), Group.ORGASSURER);
User u4 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
- u4.grantGroup(u1, Group.ORGASSURER);
+ u4.grantGroup(getSupporter(), Group.ORGASSURER);
Organisation o1 = new Organisation("name", Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "prov", "city", "email", "optional name", "postal address", u1);
assertEquals(0, o1.getAllAdmins().size());
o1.addAdmin(u2, u1, false);
import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.*;
+import java.io.IOException;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Collections;
private final Group supporter = Group.getByString("supporter");
@Test
- public void testAddObject() throws GigiApiException, SQLException {
+ public void testAddObject() throws GigiApiException, SQLException, IOException {
User u = User.getById(createVerifiedUser("fname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
- User granter = User.getById(createVerifiedUser("grFname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
+ User granter = getSupporter();
assertBehavesEmpty(u);
u.grantGroup(granter, ttpGroup);
}
@Test
- public void testRemoveObject() throws GigiApiException, SQLException {
+ public void testRemoveObject() throws GigiApiException, SQLException, IOException {
User u = User.getById(createVerifiedUser("fname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
- User granter = User.getById(createVerifiedUser("grFname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
+ User granter = getSupporter();
assertBehavesEmpty(u);
u.grantGroup(granter, ttpGroup);
}
@Test
- public void testListGroup() throws GigiApiException {
- Group g = Group.getByString("supporter");
+ public void testListGroup() throws GigiApiException, IOException {
+ Group g = Group.SUPPORTER;
int start = g.getMembers(0, 10).length;
User ux = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.org", TEST_PASSWORD));
User ux2 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.org", TEST_PASSWORD));
assertEquals(0, g.getMembers(0, 10).length + start);
- ux.grantGroup(ux, g);
- assertEquals(1, g.getMembers(0, 10).length + start);
- ux2.grantGroup(ux, g);
+ ux.grantGroup(getSupporter(), g); // creates a supporter
assertEquals(2, g.getMembers(0, 10).length + start);
+ ux2.grantGroup(ux, g);
+ assertEquals(3, g.getMembers(0, 10).length + start);
ux2.revokeGroup(ux, g);
- assertEquals(1, g.getMembers(0, 10).length + start);
+ assertEquals(2, g.getMembers(0, 10).length + start);
ux.revokeGroup(ux, g);
- assertEquals(0, g.getMembers(0, 10).length + start);
+ assertEquals(1, g.getMembers(0, 10).length + start);
}
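Review bot: The rewritten expectations at L189, L191, L194 and L197 still use `g.getMembers(0, 10).length + start`, which can only hold when `start` is 0 — `start` is the member count before the test, so the delta is `length - start`, and with `+` the assertions encode the hidden assumption that no supporter exists when the test begins. Since `getSupporter()` (L188, "creates a supporter") is a lazily cached helper, whichever test first calls it adds a member, and any later test in the same database sees `start >= 1` and fails at L184; creating the helper's supporter before the baseline is taken and subtracting `start` makes the test independent of pre-existing supporters. `getMembers(0, 10)` also caps the page at ten rows, so the arithmetic silently breaks once more than ten supporters exist.
```java
    public void testListGroup() throws GigiApiException, IOException {
        Group g = Group.SUPPORTER;
        getSupporter(); // create the helper's supporter before taking the baseline
        int start = g.getMembers(0, 10).length;
        // … unchanged: creation of ux and ux2 …
        assertEquals(0, g.getMembers(0, 10).length - start);
        ux.grantGroup(getSupporter(), g);
        assertEquals(1, g.getMembers(0, 10).length - start);
        ux2.grantGroup(ux, g);
        assertEquals(2, g.getMembers(0, 10).length - start);
        ux2.revokeGroup(ux, g);
        assertEquals(1, g.getMembers(0, 10).length - start);
        ux.revokeGroup(ux, g);
        assertEquals(0, g.getMembers(0, 10).length - start);
    }
```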
import org.cacert.gigi.dbObjects.Certificate;
import org.cacert.gigi.dbObjects.Certificate.CSRType;
import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
-import org.cacert.gigi.dbObjects.Country.CountryCodeType;
import org.cacert.gigi.dbObjects.CertificateProfile;
import org.cacert.gigi.dbObjects.Country;
+import org.cacert.gigi.dbObjects.Country.CountryCodeType;
import org.cacert.gigi.dbObjects.Digest;
import org.cacert.gigi.dbObjects.Domain;
import org.cacert.gigi.dbObjects.Group;
@Test
public void testIssueOrgCert() throws Exception {
makeAssurer(id);
- u.grantGroup(u, Group.ORGASSURER);
+ u.grantGroup(getSupporter(), Group.ORGASSURER);
Organisation o1 = new Organisation("name", Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "pr", "st", "test@mail", "", "", u);
o1.addAdmin(u, u, false);
assertEquals(501, v.getResponseCode());
assertThat(IOUtils.readURL(new InputStreamReader(v.getErrorStream(), "UTF-8")), containsString(FindAgentAccess.PATH));
- grant(u.getEmail(), Group.LOCATE_AGENT);
+ grant(u, Group.LOCATE_AGENT);
v = doApi(FindAgent.PATH_RESOLVE, "serial=" + target2.getSerial().toLowerCase());
assertEquals(u.getId(), Integer.parseInt(IOUtils.readURL(v)));
}
assertThat(v.getResponseMessage(), containsString("needs to enable access"));
// even if sender enables service
- grant((userUFirst ? u : us2).getEmail(), Group.LOCATE_AGENT);
+ grant((userUFirst ? u : us2), Group.LOCATE_AGENT);
v = doApi(FindAgent.PATH_MAIL, "from=" + id + "&to=" + u2 + "&subject=the-subject&body=body");
assertEquals(v.getResponseMessage(), 501, v.getResponseCode());
assertThat(v.getResponseMessage(), containsString("needs to enable access"));
// receiver needs to enable access as well
- grant((userUFirst ? us2 : u).getEmail(), Group.LOCATE_AGENT);
+ grant((userUFirst ? us2 : u), Group.LOCATE_AGENT);
v = doApi(FindAgent.PATH_MAIL, "from=" + id + "&to=" + u2 + "&subject=the-subject&body=body");
assertEquals(v.getResponseMessage(), 200, v.getResponseCode());
TestMail mail = getMailReceiver().receive();
String res = IOUtils.readURL(doApi(FindAgent.PATH_INFO, "id=" + id + "&id=" + u2)).replace("\r", "");
assertEquals(res, "");
- grant(email, Group.LOCATE_AGENT);
- grant(User.getById(u2).getEmail(), Group.LOCATE_AGENT);
+ grant(u, Group.LOCATE_AGENT);
+ grant(User.getById(u2), Group.LOCATE_AGENT);
res = IOUtils.readURL(doApi(FindAgent.PATH_INFO, "id=" + id + "&id=" + u2)).replace("\r", "");
assertEquals(id + ",true," + u.getPreferredName().toAbbreviatedString() + "\n" + u2 + ",false," + User.getById(u2).getPreferredName().toAbbreviatedString() + "\n", res);
}
AuthorizationContext ac;
- public TestCertificateRequest() throws GeneralSecurityException, IOException {
+ public TestCertificateRequest() throws GeneralSecurityException, IOException, GigiApiException {
ac = new AuthorizationContext(u, u);
makeAssurer(u.getId());
- grant(email, Group.CODESIGNING);
-
}
@Test
@Test
public void testCodesignModifiedName() throws Exception {
try {
- u.grantGroup(u, Group.CODESIGNING);
+ u.grantGroup(getSupporter(), Group.CODESIGNING);
CertificateRequest cr = new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab"));
cr.update("name", "SHA512", "code-a", null, null, "email:" + email);
cr.draft();
import java.io.IOException;
import java.net.MalformedURLException;
+import org.cacert.gigi.GigiApiException;
import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.pages.admin.support.SupportEnterTicketPage;
import org.cacert.gigi.pages.admin.support.SupportUserDetailsPage;
private int targetID;
- public TestSEAdminNotificationMail() throws IOException {
- grant(email, Group.SUPPORTER);
+ public TestSEAdminNotificationMail() throws IOException, GigiApiException {
+ grant(u, Group.SUPPORTER);
+ cookie = login(email, TEST_PASSWORD);
assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
String email = createUniqueName() + "@example.com";
public class TestSEAdminPageDetails extends ClientTest {
- public TestSEAdminPageDetails() throws IOException {
- grant(email, Group.SUPPORTER);
+ public TestSEAdminPageDetails() throws IOException, GigiApiException {
+ grant(u, Group.SUPPORTER);
+ cookie = login(email, TEST_PASSWORD);
assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
}
private int tid;
public TestSEAdminPageUserDomainSearch() throws IOException, GigiApiException {
- grant(email, Group.SUPPORTER);
+ grant(u, Group.SUPPORTER);
+ cookie = login(email, TEST_PASSWORD);
assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
String mail = createUniqueName() + "@example.com";
public class TestSEAdminPageUserMailSearch extends ClientTest {
- public TestSEAdminPageUserMailSearch() throws IOException {
- grant(email, Group.SUPPORTER);
+ public TestSEAdminPageUserMailSearch() throws IOException, GigiApiException {
+ grant(u, Group.SUPPORTER);
+ cookie = login(email, TEST_PASSWORD);
assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
}
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
+import org.cacert.gigi.GigiApiException;
import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.pages.admin.support.FindUserByDomainPage;
import org.cacert.gigi.pages.admin.support.FindUserByEmailPage;
public class TestSEAdminTicketSetting extends ClientTest {
- public TestSEAdminTicketSetting() throws IOException {
- grant(email, Group.SUPPORTER);
+ public TestSEAdminTicketSetting() throws IOException, GigiApiException {
+ grant(u, Group.SUPPORTER);
+ cookie = login(email, TEST_PASSWORD);
}
@Test
public class TestOrgDomain extends OrgTest {
- public TestOrgDomain() throws IOException {
+ public TestOrgDomain() throws IOException, GigiApiException {
}
public class TestOrgManagement extends OrgTest {
- public TestOrgManagement() throws IOException {
+ public TestOrgManagement() throws IOException, GigiApiException {
}
public void testTTPApply() throws IOException {
String ttp = IOUtils.readURL(get(RequestTTPPage.PATH));
assertThat(ttp, containsString("<form"));
- executeBasicWebInteraction(cookie, RequestTTPPage.PATH, "country=0");
+ assertNull(executeBasicWebInteraction(cookie, RequestTTPPage.PATH, "country=0"));
ttp = IOUtils.readURL(get(RequestTTPPage.PATH));
assertThat(ttp, not(containsString("<form")));
import java.io.IOException;
import java.net.MalformedURLException;
+import org.cacert.gigi.GigiApiException;
import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.dbObjects.User;
import org.cacert.gigi.pages.admin.TTPAdminPage;
}
@Test
- public void testHasRight() throws IOException {
+ public void testHasRight() throws IOException, GigiApiException {
testTTPAdmin(true);
}
@Test
- public void testHasNoRight() throws IOException {
+ public void testHasNoRight() throws IOException, GigiApiException {
testTTPAdmin(false);
}
- public void testTTPAdmin(boolean hasRight) throws IOException {
+ public void testTTPAdmin(boolean hasRight) throws IOException, GigiApiException {
if (hasRight) {
- grant(email, Group.getByString("ttp-assurer"));
+ grant(u, Group.getByString("ttp-assurer"));
}
- grant(u.getEmail(), TTPAdminPage.TTP_APPLICANT);
+ grant(u, TTPAdminPage.TTP_APPLICANT);
cookie = login(u.getEmail(), TEST_PASSWORD);
assertEquals( !hasRight ? 403 : 200, fetchStatusCode(TTPAdminPage.PATH));
import java.util.regex.Pattern;
import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.database.GigiPreparedStatement;
import org.cacert.gigi.dbObjects.Domain;
import org.cacert.gigi.dbObjects.EmailAddress;
+import org.cacert.gigi.dbObjects.Group;
import org.cacert.gigi.dbObjects.NamePart;
import org.cacert.gigi.dbObjects.NamePart.NamePartType;
import org.cacert.gigi.dbObjects.User;
public MailReceiver getMailReceiver() {
return InVMEmail.getInstance();
}
+
+ private User supporter;
+
+ public User getSupporter() throws GigiApiException, IOException {
+ if (supporter != null) {
+ return supporter;
+ }
+ supporter = createVerifiedUser();
+ try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+ ps.setInt(1, supporter.getId());
+ ps.setString(2, Group.SUPPORTER.getDatabaseName());
+ ps.setInt(3, supporter.getId());
+ ps.execute();
+ }
+ supporter.refreshGroups();
+ return supporter;
+ }
}
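Review bot: The direct INSERT into `user_groups` at L375–L380 deliberately bypasses the supporter check that this commit adds to `User.grantGroup`, and that is the only way to create the first supporter — but nothing says so, and the next reader may "fix" it to call `grantGroup`. I would add `// Bootstrap: grantGroup requires a supporter as granter, so the first supporter must be inserted directly.` above the try. The `grantedby` column is set to the user's own id (L378), i.e. the supporter appears self-granted in the audit trail; a comment noting that this is a test artefact would avoid confusion when the table is inspected.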
import org.cacert.gigi.dbObjects.Job;
import org.cacert.gigi.dbObjects.ObjectCache;
import org.cacert.gigi.dbObjects.User;
-import org.cacert.gigi.pages.Manager;
import org.cacert.gigi.pages.account.MyDetails;
import org.cacert.gigi.pages.main.RegisterPage;
import org.cacert.gigi.testUtils.TestEmailReceiver.TestMail;
}
}
- public static void grant(String email, Group g) throws IOException {
- HttpURLConnection huc = (HttpURLConnection) new URL("https://" + getServerName() + Manager.PATH).openConnection();
- huc.setDoOutput(true);
- huc.getOutputStream().write(("addpriv=y&priv=" + URLEncoder.encode(g.getDatabaseName(), "UTF-8") + "&email=" + URLEncoder.encode(email, "UTF-8")).getBytes("UTF-8"));
- assertEquals(200, huc.getResponseCode());
+ public static void grant(User u, Group g) throws IOException, GigiApiException {
+ u.grantGroup(getSupporter(), g);
+ clearCaches();
}
/**
return openConnection;
}
+ private static User supporter;
+
+ public static User getSupporter() throws GigiApiException, IOException {
+ if (supporter != null) {
+ return supporter;
+ }
+ int i = createVerifiedUser("fn", "ln", createUniqueName() + "@email.com", TEST_PASSWORD);
+ try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+ ps.setInt(1, i);
+ ps.setString(2, Group.SUPPORTER.getDatabaseName());
+ ps.setInt(3, i);
+ ps.execute();
+ }
+ clearCaches();
+ supporter = User.getById(i);
+ return supporter;
+ }
}
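Review bot: This `getSupporter` is the third near-identical copy in the diff (L370–L383 and L443–L463 do the same INSERT), and each carries the same unexplained bypass of `grantGroup`'s supporter check; extracting one shared helper with a `// Bootstrap: the first supporter cannot be granted through grantGroup` comment would keep them from drifting. Unlike the instance field at L368, the cache here is `static` (L406), so it outlives the test class; if the test database is reset between classes, later callers receive a `User` whose row no longer exists and the supporter check in `grantGroup` fails for an unrelated reason. Either clear `supporter` alongside `clearCaches()`, or document that the database is expected to persist for the whole JVM run.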
public class OrgTest extends ClientTest {
- public OrgTest() throws IOException {
+ public OrgTest() throws IOException, GigiApiException {
makeAssurer(u.getId());
- u.grantGroup(u, Group.ORGASSURER);
+ u.grantGroup(getSupporter(), Group.ORGASSURER);
clearCaches();
cookie = login(email, TEST_PASSWORD);
}
initEnvironment();
try {
User u = User.getById(createAssuranceUser("f", "l", createUniqueName() + "@email.com", TEST_PASSWORD));
- grant(u.getEmail(), Group.ORGASSURER);
+ grant(u, Group.ORGASSURER);
clearCaches();
u = User.getById(u.getId());
Organisation o = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u);
}
}
+ public User getSupporter() {
+ if (supporter != null) {
+ return supporter;
+ }
+ try {
+ User u = createAssurer( -1);
+ if ( !u.isInGroup(Group.SUPPORTER)) {
+ try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+ ps.setInt(1, u.getId());
+ ps.setString(2, Group.SUPPORTER.getDatabaseName());
+ ps.setInt(3, u.getId());
+ ps.execute();
+ }
+ u.refreshGroups();
+ }
+ supporter = u;
+ } catch (ReflectiveOperationException | GigiApiException e) {
+ e.printStackTrace();
+ }
+ return supporter;
+ }
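Review bot: The catch at L459–L461 prints the stack trace and lets the method return a null `supporter`, so a failure to create the bootstrap supporter shows up later as a NullPointerException inside `grantGroup` (L479) instead of at its cause; the sibling code at L480–L482 already escalates with `throw new Error(e)`, so this should too: `} catch (ReflectiveOperationException | GigiApiException e) { throw new Error(e); }`. The `isInGroup` check at L449 implies `createAssurer(-1)` may hand back an existing user; a one-line comment explaining the `-1` and that the direct INSERT intentionally bypasses `grantGroup`'s supporter requirement would help. The lazy init is also unsynchronized while this class presumably serves concurrent servlet requests, so two requests could each create a supporter — harmless for a test tool, but worth saying.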
+
public User getAssurer(int i) {
if (assurers[i] != null) {
return assurers[i];
User[] assurers = new User[25];
+ User supporter;
+
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
if (req.getParameter("create") != null) {
return;
}
if (req.getParameter("addpriv") != null) {
- u.grantGroup(u, Group.getByString(req.getParameter("priv")));
+ try {
+ u.grantGroup(getSupporter(), Group.getByString(req.getParameter("priv")));
+ } catch (GigiApiException e) {
+ throw new Error(e);
+ }
resp.getWriter().println("Privilege granted");
} else {
u.revokeGroup(u, Group.getByString(req.getParameter("priv")));
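Review bot: The revoke branch at L485 still passes `u` as the granter while the grant branch now goes through `getSupporter()`; if `revokeGroup` receives the same supporter-only check that `grantGroup` gained in this commit (it should, otherwise BLOCKED* restrictions remain self-removable), this line will start throwing for every support-managed group. Make it symmetric: `u.revokeGroup(getSupporter(), Group.getByString(req.getParameter("priv")));` inside the same try with `throw new Error(e)`. Since `Manager` now hands any group — including SUPPORTER — to any user on request, a class-level comment that it must only be mounted in test deployments is warranted; the method continues beyond L485.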