upd: split certificate issuance as organisation into seperate

author Felix Dörre <felix@dogcraft.de>

Mon, 2 Nov 2015 01:40:08 +0000 (02:40 +0100)

committer Felix Dörre <felix@dogcraft.de>

Mon, 2 Nov 2015 01:40:48 +0000 (02:40 +0100)
author Felix Dörre <felix@dogcraft.de>
Mon, 2 Nov 2015 01:40:08 +0000 (02:40 +0100)
committer Felix Dörre <felix@dogcraft.de>
Mon, 2 Nov 2015 01:40:48 +0000 (02:40 +0100)
diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java

index 99b136b8fa089d410b4c3695e4aac7afe01d95ac..63ce7fe8d21a99de14fbdd300e24ef1491da8e2c 100644 (file)
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -22,8 +22,10 @@ import javax.servlet.http.HttpSession;
  
  import org.cacert.gigi.database.DatabaseConnection;
  import org.cacert.gigi.dbObjects.CACertificate;
  
  import org.cacert.gigi.database.DatabaseConnection;
  import org.cacert.gigi.dbObjects.CACertificate;
+import org.cacert.gigi.dbObjects.CertificateOwner;
  import org.cacert.gigi.dbObjects.CertificateProfile;
  import org.cacert.gigi.dbObjects.DomainPingConfiguration;
  import org.cacert.gigi.dbObjects.CertificateProfile;
  import org.cacert.gigi.dbObjects.DomainPingConfiguration;
+import org.cacert.gigi.dbObjects.Organisation;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.Menu;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.Menu;
@@ -61,6 +63,7 @@ import org.cacert.gigi.pages.wot.AssurePage;
  import org.cacert.gigi.pages.wot.MyPoints;
  import org.cacert.gigi.pages.wot.RequestTTPPage;
  import org.cacert.gigi.ping.PingerDaemon;
  import org.cacert.gigi.pages.wot.MyPoints;
  import org.cacert.gigi.pages.wot.RequestTTPPage;
  import org.cacert.gigi.ping.PingerDaemon;
+import org.cacert.gigi.util.AuthorizationContext;
  import org.cacert.gigi.util.ServerConstants;
  
  public class Gigi extends HttpServlet {
  import org.cacert.gigi.util.ServerConstants;
  
  public class Gigi extends HttpServlet {
@@ -129,8 +132,8 @@ public class Gigi extends HttpServlet {
              putPage(TTPAdminPage.PATH + "/*", new TTPAdminPage(), "Admin");
              putPage(CreateOrgPage.DEFAULT_PATH, new CreateOrgPage(), "Organisation Admin");
              putPage(ViewOrgPage.DEFAULT_PATH + "/*", new ViewOrgPage(), "Organisation Admin");
              putPage(TTPAdminPage.PATH + "/*", new TTPAdminPage(), "Admin");
              putPage(CreateOrgPage.DEFAULT_PATH, new CreateOrgPage(), "Organisation Admin");
              putPage(ViewOrgPage.DEFAULT_PATH + "/*", new ViewOrgPage(), "Organisation Admin");
-            putPage(FindDomainPage.PATH, new FindDomainPage("Find Domain"), "System Admin");
              putPage(FindUserPage.PATH, new FindUserPage("Find User"), "System Admin");
              putPage(FindUserPage.PATH, new FindUserPage("Find User"), "System Admin");
+            putPage(FindDomainPage.PATH, new FindDomainPage("Find Domain"), "System Admin");
              putPage(SupportUserDetailsPage.PATH + "*", new SupportUserDetailsPage("Support: User Details"), null);
              if (testing) {
                  try {
              putPage(SupportUserDetailsPage.PATH + "*", new SupportUserDetailsPage("Support: User Details"), null);
              if (testing) {
                  try {
@@ -187,7 +190,7 @@ public class Gigi extends HttpServlet {
  
      public static final String CERT_ISSUER = "org.cacert.gigi.issuer";
  
  
      public static final String CERT_ISSUER = "org.cacert.gigi.issuer";
  
-    public static final String USER = "user";
+    public static final String AUTH_CONTEXT = "auth";
  
      public static final String LOGIN_METHOD = "org.cacert.gigi.loginMethod";
  
  
      public static final String LOGIN_METHOD = "org.cacert.gigi.loginMethod";
  
@@ -322,6 +325,7 @@ public class Gigi extends HttpServlet {
                  resp.sendRedirect("https://" + ServerConstants.getWwwHostNamePortSecure() + req.getPathInfo());
                  return;
              }
                  resp.sendRedirect("https://" + ServerConstants.getWwwHostNamePortSecure() + req.getPathInfo());
                  return;
              }
+            AuthorizationContext currentAuthContext = LoginPage.getAuthorizationContext(req);
              User currentPageUser = LoginPage.getUser(req);
              if ( !p.isPermitted(currentPageUser)) {
                  if (hs.getAttribute("loggedin") == null) {
              User currentPageUser = LoginPage.getUser(req);
              if ( !p.isPermitted(currentPageUser)) {
                  if (hs.getAttribute("loggedin") == null) {
@@ -372,7 +376,12 @@ public class Gigi extends HttpServlet {
              vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
              vars.put("content", content);
              if (currentPageUser != null) {
              vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
              vars.put("content", content);
              if (currentPageUser != null) {
-                vars.put("loggedInAs", currentPageUser.getName().toString());
+                CertificateOwner target = currentAuthContext.getTarget();
+                if (target != currentPageUser) {
+                    vars.put("loggedInAs", ((Organisation) target).getName() + " (" + currentPageUser.getName().toString() + ")");
+                } else {
+                    vars.put("loggedInAs", currentPageUser.getName().toString());
+                }
                  vars.put("loginMethod", lang.getTranslation((String) req.getSession().getAttribute(LOGIN_METHOD)));
              }
              resp.setContentType("text/html; charset=utf-8");
                  vars.put("loginMethod", lang.getTranslation((String) req.getSession().getAttribute(LOGIN_METHOD)));
              }
              resp.setContentType("text/html; charset=utf-8");
diff --git a/src/org/cacert/gigi/api/GigiAPI.java b/src/org/cacert/gigi/api/GigiAPI.java

index 3af4714c2fdd7affbeee73c2039f56d555dce2db..a5acbe5605012fc08e3ef0b5cffc3b8228201b30 100644 (file)
--- a/src/org/cacert/gigi/api/GigiAPI.java
+++ b/src/org/cacert/gigi/api/GigiAPI.java
@@ -13,11 +13,12 @@ import javax.servlet.http.HttpServletResponse;
  
  import org.cacert.gigi.GigiApiException;
  import org.cacert.gigi.dbObjects.Certificate;
  
  import org.cacert.gigi.GigiApiException;
  import org.cacert.gigi.dbObjects.Certificate;
-import org.cacert.gigi.dbObjects.Job;
  import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
  import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
+import org.cacert.gigi.dbObjects.Job;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.pages.LoginPage;
  import org.cacert.gigi.pages.account.certs.CertificateRequest;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.pages.LoginPage;
  import org.cacert.gigi.pages.account.certs.CertificateRequest;
+import org.cacert.gigi.util.AuthorizationContext;
  import org.cacert.gigi.util.PEM;
  
  public class GigiAPI extends HttpServlet {
  import org.cacert.gigi.util.PEM;
  
  public class GigiAPI extends HttpServlet {
@@ -66,9 +67,9 @@ public class GigiAPI extends HttpServlet {
                  return;
              }
              try {
                  return;
              }
              try {
-                CertificateRequest cr = new CertificateRequest(u, csr);
+                CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), csr);
                  Certificate result = cr.draft();
                  Certificate result = cr.draft();
-                Job job = result.issue(null, "2y");
+                Job job = result.issue(null, "2y", u);
                  job.waitFor(60000);
                  if (result.getStatus() != CertificateStatus.ISSUED) {
                      resp.sendError(510, "Error, issuing timed out");
                  job.waitFor(60000);
                  if (result.getStatus() != CertificateStatus.ISSUED) {
                      resp.sendError(510, "Error, issuing timed out");
diff --git a/src/org/cacert/gigi/dbObjects/Certificate.java b/src/org/cacert/gigi/dbObjects/Certificate.java

index 4300ac9abaa19fcb88b9120f92c6faed59ca00ac..7318ad802ece837cae337919fc638d360fd9bbdc 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/Certificate.java
+++ b/src/org/cacert/gigi/dbObjects/Certificate.java
@@ -109,7 +109,7 @@ public class Certificate implements IdCachable {
  
      private int id;
  
  
      private int id;
  
-    private User owner;
+    private CertificateOwner owner;
  
      private String serial;
  
  
      private String serial;
  
@@ -133,8 +133,8 @@ public class Certificate implements IdCachable {
  
      private CACertificate ca;
  
  
      private CACertificate ca;
  
-    public Certificate(User owner, HashMap<String, String> dn, String md, String csr, CSRType csrType, CertificateProfile profile, SubjectAlternateName... sans) throws GigiApiException, IOException {
-        if ( !profile.canBeIssuedBy(owner)) {
+    public Certificate(CertificateOwner owner, User actor, HashMap<String, String> dn, String md, String csr, CSRType csrType, CertificateProfile profile, SubjectAlternateName... sans) throws GigiApiException, IOException {
+        if ( !profile.canBeIssuedBy(owner, actor)) {
              throw new GigiApiException("You are not allowed to issue these certificates.");
          }
          this.owner = owner;
              throw new GigiApiException("You are not allowed to issue these certificates.");
          }
          this.owner = owner;
@@ -189,16 +189,12 @@ public class Certificate implements IdCachable {
      }
  
      private Certificate(GigiResultSet rs) {
      }
  
      private Certificate(GigiResultSet rs) {
-        //
-        if ( !rs.next()) {
-            throw new IllegalArgumentException("Invalid mid " + serial);
-        }
          this.id = rs.getInt("id");
          dnString = rs.getString("subject");
          md = rs.getString("md");
          csrName = rs.getString("csr_name");
          crtName = rs.getString("crt_name");
          this.id = rs.getInt("id");
          dnString = rs.getString("subject");
          md = rs.getString("md");
          csrName = rs.getString("csr_name");
          crtName = rs.getString("crt_name");
-        owner = User.getById(rs.getInt("memid"));
+        owner = CertificateOwner.getById(rs.getInt("memid"));
          profile = CertificateProfile.getById(rs.getInt("profile"));
          this.serial = rs.getString("serial");
  
          profile = CertificateProfile.getById(rs.getInt("profile"));
          this.serial = rs.getString("serial");
  
@@ -278,11 +274,11 @@ public class Certificate implements IdCachable {
       * @throws GigiApiException
       *             if the period is bogus
       */
       * @throws GigiApiException
       *             if the period is bogus
       */
-    public Job issue(Date start, String period) throws IOException, GigiApiException {
+    public Job issue(Date start, String period, User actor) throws IOException, GigiApiException {
          if (getStatus() != CertificateStatus.DRAFT) {
              throw new IllegalStateException();
          }
          if (getStatus() != CertificateStatus.DRAFT) {
              throw new IllegalStateException();
          }
-        Notary.writeUserAgreement(owner, "CCA", "issue certificate", "", true, 0);
+        Notary.writeUserAgreement(actor, "CCA", "issue certificate", "", true, 0);
  
          return Job.sign(this, start, period);
  
  
          return Job.sign(this, start, period);
  
@@ -345,7 +341,7 @@ public class Certificate implements IdCachable {
          return md;
      }
  
          return md;
      }
  
-    public User getOwner() {
+    public CertificateOwner getOwner() {
          return owner;
      }
  
          return owner;
      }
  
@@ -366,6 +362,9 @@ public class Certificate implements IdCachable {
              GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT certs.id, " + concat + " as `subject`, `md`, `csr_name`, `crt_name`,`memid`, `profile`, `certs`.`serial` FROM `certs` LEFT JOIN `certAvas` ON `certAvas`.`certId`=`certs`.`id` WHERE `serial`=? GROUP BY `certs`.`id`");
              ps.setString(1, serial);
              GigiResultSet rs = ps.executeQuery();
              GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT certs.id, " + concat + " as `subject`, `md`, `csr_name`, `crt_name`,`memid`, `profile`, `certs`.`serial` FROM `certs` LEFT JOIN `certAvas` ON `certAvas`.`certId`=`certs`.`id` WHERE `serial`=? GROUP BY `certs`.`id`");
              ps.setString(1, serial);
              GigiResultSet rs = ps.executeQuery();
+            if ( !rs.next()) {
+                return null;
+            }
              int id = rs.getInt(1);
              Certificate c1 = cache.get(id);
              if (c1 != null) {
              int id = rs.getInt(1);
              Certificate c1 = cache.get(id);
              if (c1 != null) {
@@ -393,6 +392,9 @@ public class Certificate implements IdCachable {
              GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT certs.id, " + concat + " as subject, md, csr_name, crt_name,memid, profile, certs.serial FROM `certs` LEFT JOIN `certAvas` ON `certAvas`.`certId`=certs.id WHERE certs.id=? GROUP BY certs.id");
              ps.setInt(1, id);
              GigiResultSet rs = ps.executeQuery();
              GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT certs.id, " + concat + " as subject, md, csr_name, crt_name,memid, profile, certs.serial FROM `certs` LEFT JOIN `certAvas` ON `certAvas`.`certId`=certs.id WHERE certs.id=? GROUP BY certs.id");
              ps.setInt(1, id);
              GigiResultSet rs = ps.executeQuery();
+            if ( !rs.next()) {
+                return null;
+            }
  
              Certificate c = new Certificate(rs);
              cache.put(c);
  
              Certificate c = new Certificate(rs);
              cache.put(c);
diff --git a/src/org/cacert/gigi/dbObjects/CertificateProfile.java b/src/org/cacert/gigi/dbObjects/CertificateProfile.java

index 3a04090310f889f4c85a325f4d4b4217c5b6996c..0e6f29bac09b0dec6f641910a6414e2d4c0e8c00 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/CertificateProfile.java
+++ b/src/org/cacert/gigi/dbObjects/CertificateProfile.java
@@ -237,18 +237,27 @@ public class CertificateProfile implements IdCachable {
          return byId.values().toArray(new CertificateProfile[byId.size()]);
      }
  
          return byId.values().toArray(new CertificateProfile[byId.size()]);
      }
  
-    public boolean canBeIssuedBy(User u) {
+    public boolean canBeIssuedBy(CertificateOwner owner, User actor) {
+        if (pt.containsKey("orga")) {
+            if ( !(owner instanceof Organisation)) {
+                return false;
+            }
+        } else {
+            if (owner instanceof Organisation) {
+                return false;
+            }
+        }
          for (String s : req) {
              if (s.equals("points>=50")) {
          for (String s : req) {
              if (s.equals("points>=50")) {
-                if (u.getAssurancePoints() < 50) {
+                if (actor.getAssurancePoints() < 50) {
                      return false;
                  }
              } else if (s.equals("points>=100")) {
                      return false;
                  }
              } else if (s.equals("points>=100")) {
-                if (u.getAssurancePoints() < 100) {
+                if (actor.getAssurancePoints() < 100) {
                      return false;
                  }
              } else if (s.equals("codesign")) {
                      return false;
                  }
              } else if (s.equals("codesign")) {
-                if (u.isInGroup(Group.CODESIGNING)) {
+                if (actor.isInGroup(Group.CODESIGNING)) {
                      return false;
                  }
              } else {
                      return false;
                  }
              } else {
diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java

index 06006cf264d7ac9507077a709c49c69874b4c304..d25eacfb43bc0036aa4a8ae7c6fe9070a980b55f 100644 (file)
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -20,6 +20,7 @@ import org.cacert.gigi.dbObjects.Group;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.template.Form;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.util.AuthorizationContext;
  import org.cacert.gigi.util.PasswordHash;
  
  public class LoginPage extends Page {
  import org.cacert.gigi.util.PasswordHash;
  
  public class LoginPage extends Page {
@@ -114,7 +115,15 @@ public class LoginPage extends Page {
      }
  
      public static User getUser(HttpServletRequest req) {
      }
  
      public static User getUser(HttpServletRequest req) {
-        return (User) req.getSession().getAttribute(USER);
+        AuthorizationContext ac = getAuthorizationContext(req);
+        if (ac == null) {
+            return null;
+        }
+        return ac.getActor();
+    }
+
+    public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) {
+        return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT));
      }
  
      private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
      }
  
      private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
@@ -169,7 +178,7 @@ public class LoginPage extends Page {
          HttpSession hs = req.getSession();
          hs.setAttribute(LOGGEDIN, true);
          hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
          HttpSession hs = req.getSession();
          hs.setAttribute(LOGGEDIN, true);
          hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
-        hs.setAttribute(USER, user);
+        hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
      }
  
      @Override
      }
  
      @Override
diff --git a/src/org/cacert/gigi/pages/account/MyDetails.java b/src/org/cacert/gigi/pages/account/MyDetails.java

index 9de78a2e439d05f1d79f87fadcc9bb62055f70df..a6118c67cd97925768063063fcba015d0e0454ff 100644 (file)
--- a/src/org/cacert/gigi/pages/account/MyDetails.java
+++ b/src/org/cacert/gigi/pages/account/MyDetails.java
@@ -8,6 +8,7 @@ import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  
  import org.cacert.gigi.output.template.Form;
  import javax.servlet.http.HttpServletResponse;
  
  import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.pages.LoginPage;
  import org.cacert.gigi.pages.Page;
  
  public class MyDetails extends Page {
  import org.cacert.gigi.pages.Page;
  
  public class MyDetails extends Page {
@@ -26,18 +27,27 @@ public class MyDetails extends Page {
          MyListingForm listingForm = new MyListingForm(req, getUser(req));
          map.put("detailsForm", form);
          map.put("contactMeForm", listingForm);
          MyListingForm listingForm = new MyListingForm(req, getUser(req));
          map.put("detailsForm", form);
          map.put("contactMeForm", listingForm);
+        if (LoginPage.getUser(req).getOrganisations().size() != 0) {
+            map.put("orgaForm", new MyOrganisationsForm(req));
+        }
          getDefaultTemplate().output(out, getLanguage(req), map);
      }
  
      @Override
          getDefaultTemplate().output(out, getLanguage(req), map);
      }
  
      @Override
-    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-        if(req.getParameter("processDetails") != null) {
+    public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        if (req.getParameter("orgaForm") != null) {
+            Form.getForm(req, MyOrganisationsForm.class).submit(resp.getWriter(), req);
+        } else if (req.getParameter("processDetails") != null) {
              MyDetailsForm form = Form.getForm(req, MyDetailsForm.class);
              form.submit(resp.getWriter(), req);
          } else if (req.getParameter("processContact") != null) {
              MyListingForm form = Form.getForm(req, MyListingForm.class);
              form.submit(resp.getWriter(), req);
              MyDetailsForm form = Form.getForm(req, MyDetailsForm.class);
              form.submit(resp.getWriter(), req);
          } else if (req.getParameter("processContact") != null) {
              MyListingForm form = Form.getForm(req, MyListingForm.class);
              form.submit(resp.getWriter(), req);
+        } else {
+            return false;
          }
          }
-        super.doPost(req, resp);
+        resp.sendRedirect(PATH);
+        return true;
      }
      }
+
  }
  }
diff --git a/src/org/cacert/gigi/pages/account/MyDetails.templ b/src/org/cacert/gigi/pages/account/MyDetails.templ

index eb86e511f5042077f227cc15b084124026c67b48..a4940ceb05196cf9993c3526e79a501c395df3ee 100644 (file)
--- a/src/org/cacert/gigi/pages/account/MyDetails.templ
+++ b/src/org/cacert/gigi/pages/account/MyDetails.templ
@@ -1,3 +1,6 @@
  <?=$detailsForm?>
  <h2><?=_My Listing?></h2>
  <?=$detailsForm?>
  <h2><?=_My Listing?></h2>
-<?=$contactMeForm?>
-\ No newline at end of file
+<?=$contactMeForm?>
+<? if($orgaForm) { ?>
+<?=$orgaForm?>
+<? } ?>
diff --git a/src/org/cacert/gigi/pages/account/MyOrganisationsForm.java b/src/org/cacert/gigi/pages/account/MyOrganisationsForm.java

new file mode 100644 (file)

index 0000000..ead00a4
--- /dev/null
+++ b/src/org/cacert/gigi/pages/account/MyOrganisationsForm.java
@@ -0,0 +1,91 @@
+package org.cacert.gigi.pages.account;
+
+import java.io.PrintWriter;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.cacert.gigi.Gigi;
+import org.cacert.gigi.dbObjects.Organisation;
+import org.cacert.gigi.localisation.Language;
+import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.output.template.IterableDataset;
+import org.cacert.gigi.output.template.Template;
+import org.cacert.gigi.pages.LoginPage;
+import org.cacert.gigi.util.AuthorizationContext;
+
+public class MyOrganisationsForm extends Form {
+
+    private AuthorizationContext target;
+
+    public MyOrganisationsForm(HttpServletRequest hsr) {
+        super(hsr);
+        target = LoginPage.getAuthorizationContext(hsr);
+    }
+
+    private static Template template;
+
+    static {
+        template = new Template(MyListingForm.class.getResource("MyOrganisationsForm.templ"));
+    }
+
+    @Override
+    public boolean submit(PrintWriter out, HttpServletRequest req) {
+        if (req.getParameter("org-leave") != null) {
+            req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(target.getActor(), target.getActor()));
+            return true;
+        }
+        Enumeration<String> i = req.getParameterNames();
+        int orgId = -1;
+        while (i.hasMoreElements()) {
+            String s = i.nextElement();
+            if (s.startsWith("org:")) {
+                int id = Integer.parseInt(s.substring(4));
+                if (orgId == -1) {
+                    orgId = id;
+                } else {
+                    out.println(LoginPage.getLanguage(req).getTranslation("Error: invalid parameter."));
+                    return false;
+                }
+            }
+        }
+        for (Organisation org : target.getActor().getOrganisations()) {
+            if (org.getId() == orgId) {
+
+                req.getSession().setAttribute(Gigi.AUTH_CONTEXT, new AuthorizationContext(org, target.getActor()));
+                return true;
+            }
+        }
+        System.out.println("Switch fialed");
+        return false;
+    }
+
+    @Override
+    protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
+        final List<Organisation> o = target.getActor().getOrganisations();
+        if (target.getTarget() != target.getActor()) {
+            vars.put("personal", target.getTarget() != target.getActor());
+        }
+        vars.put("orgas", new IterableDataset() {
+
+            Iterator<Organisation> it = o.iterator();
+
+            @Override
+            public boolean next(Language l, Map<String, Object> vars) {
+                if ( !it.hasNext()) {
+                    return false;
+                }
+                Organisation o = it.next();
+                vars.put("orgName", o.getName());
+                vars.put("orgID", o.getId());
+                return true;
+            }
+        });
+        template.output(out, l, vars);
+
+    }
+
+}
diff --git a/src/org/cacert/gigi/pages/account/MyOrganisationsForm.templ b/src/org/cacert/gigi/pages/account/MyOrganisationsForm.templ

new file mode 100644 (file)

index 0000000..babc09d
--- /dev/null
+++ b/src/org/cacert/gigi/pages/account/MyOrganisationsForm.templ
@@ -0,0 +1,10 @@
+<input type='hidden' name='orgaForm' value='orga'/>
+<h2><?=_My Organisations?></h2>
+<table class="wrapper dataTable" width="400">
+<? foreach($orgas) { ?>
+<tr><td><?=$orgName?></td><td><?=$orgID?></td><td><input type='submit' value='<?=_switch to this organisation?>' name='org:<?=$orgID?>'/></td></tr>
+<? } ?>
+</table>
+<? if($personal) { ?>
+<input type='submit' value='<?=_switch back to personal use?>' name='org-leave'/>
+<? } ?>
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java

index 5ac13fda21fb00188b36e3dbe823fc1455aaa97f..5712190bcd8f84e66329637fd9644e1e78806abe 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
@@ -4,8 +4,6 @@ import java.io.IOException;
  import java.io.PrintWriter;
  import java.security.GeneralSecurityException;
  import java.util.HashMap;
  import java.io.PrintWriter;
  import java.security.GeneralSecurityException;
  import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
  import java.util.Map;
  
  import javax.servlet.http.HttpServletRequest;
  import java.util.Map;
  
  import javax.servlet.http.HttpServletRequest;
@@ -15,14 +13,15 @@ import org.cacert.gigi.dbObjects.Certificate;
  import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
  import org.cacert.gigi.dbObjects.CertificateProfile;
  import org.cacert.gigi.dbObjects.Organisation;
  import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
  import org.cacert.gigi.dbObjects.CertificateProfile;
  import org.cacert.gigi.dbObjects.Organisation;
-import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.CertificateValiditySelector;
  import org.cacert.gigi.output.HashAlgorithms;
  import org.cacert.gigi.output.template.Form;
  import org.cacert.gigi.output.template.IterableDataset;
  import org.cacert.gigi.output.template.Template;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.CertificateValiditySelector;
  import org.cacert.gigi.output.HashAlgorithms;
  import org.cacert.gigi.output.template.Form;
  import org.cacert.gigi.output.template.IterableDataset;
  import org.cacert.gigi.output.template.Template;
+import org.cacert.gigi.pages.LoginPage;
  import org.cacert.gigi.pages.Page;
  import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.util.AuthorizationContext;
  import org.cacert.gigi.util.RandomToken;
  
  /**
  import org.cacert.gigi.util.RandomToken;
  
  /**
@@ -35,7 +34,7 @@ public class CertificateIssueForm extends Form {
  
      private final static Template tIni = new Template(CertificateAdd.class.getResource("RequestCertificate.templ"));
  
  
      private final static Template tIni = new Template(CertificateAdd.class.getResource("RequestCertificate.templ"));
  
-    private User u;
+    private AuthorizationContext c;
  
      private String spkacChallenge;
  
  
      private String spkacChallenge;
  
@@ -43,7 +42,7 @@ public class CertificateIssueForm extends Form {
  
      public CertificateIssueForm(HttpServletRequest hsr) {
          super(hsr);
  
      public CertificateIssueForm(HttpServletRequest hsr) {
          super(hsr);
-        u = Page.getUser(hsr);
+        c = LoginPage.getAuthorizationContext(hsr);
          spkacChallenge = RandomToken.generateToken(16);
      }
  
          spkacChallenge = RandomToken.generateToken(16);
      }
  
@@ -64,10 +63,10 @@ public class CertificateIssueForm extends Form {
          try {
              try {
                  if (csr != null) {
          try {
              try {
                  if (csr != null) {
-                    cr = new CertificateRequest(u, csr);
+                    cr = new CertificateRequest(c, csr);
                      cr.checkKeyStrength(out);
                  } else if (spkac != null) {
                      cr.checkKeyStrength(out);
                  } else if (spkac != null) {
-                    cr = new CertificateRequest(u, spkac, spkacChallenge);
+                    cr = new CertificateRequest(c, spkac, spkacChallenge);
                      cr.checkKeyStrength(out);
                  } else if (cr != null) {
                      login = "1".equals(req.getParameter("login"));
                      cr.checkKeyStrength(out);
                  } else if (cr != null) {
                      login = "1".equals(req.getParameter("login"));
@@ -93,7 +92,7 @@ public class CertificateIssueForm extends Form {
                          error.format(out, Page.getLanguage(req));
                          return false;
                      }
                          error.format(out, Page.getLanguage(req));
                          return false;
                      }
-                    result.issue(issueDate.getFrom(), issueDate.getTo()).waitFor(60000);
+                    result.issue(issueDate.getFrom(), issueDate.getTo(), c.getActor()).waitFor(60000);
                      this.result = result;
                      return true;
                  } else {
                      this.result = result;
                      return true;
                  } else {
@@ -144,7 +143,10 @@ public class CertificateIssueForm extends Form {
          }
  
          vars2.put("CN", cr.getName());
          }
  
          vars2.put("CN", cr.getName());
-        vars2.put("department", cr.getOu());
+        if (c.getTarget() instanceof Organisation) {
+            vars2.put("orga", "true");
+            vars2.put("department", cr.getOu());
+        }
          vars2.put("validity", issueDate);
          vars2.put("emails", content.toString());
          vars2.put("hashs", new HashAlgorithms(cr.getSelectedDigest()));
          vars2.put("validity", issueDate);
          vars2.put("emails", content.toString());
          vars2.put("hashs", new HashAlgorithms(cr.getSelectedDigest()));
@@ -160,7 +162,7 @@ public class CertificateIssueForm extends Form {
                      if (cp == null) {
                          return false;
                      }
                      if (cp == null) {
                          return false;
                      }
-                } while ( !cp.canBeIssuedBy(u));
+                } while ( !cp.canBeIssuedBy(c.getTarget(), c.getActor()));
  
                  if (cp.getId() == cr.getProfile().getId()) {
                      vars.put("selected", " selected");
  
                  if (cp.getId() == cr.getProfile().getId()) {
                      vars.put("selected", " selected");
@@ -172,27 +174,6 @@ public class CertificateIssueForm extends Form {
                  return true;
              }
          });
                  return true;
              }
          });
-        final List<Organisation> orgs = u.getOrganisations();
-        vars2.put("orga", orgs.size() == 0 ? null : new IterableDataset() {
-
-            Iterator<Organisation> iter = orgs.iterator();
-
-            @Override
-            public boolean next(Language l, Map<String, Object> vars) {
-                if ( !iter.hasNext()) {
-                    return false;
-                }
-                Organisation orga = iter.next();
-                vars.put("key", orga.getId());
-                vars.put("name", orga.getName());
-                if (orga == cr.getOrg()) {
-                    vars.put("selected", " selected");
-                } else {
-                    vars.put("selected", "");
-                }
-                return true;
-            }
-        });
  
          t.output(out, l, vars2);
      }
  
          t.output(out, l, vars2);
      }
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.templ b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.templ

index dda8ce4fb9094785dfc46638eeb2d1b97c0de97f..7b00f194988bdab62f01b4ffb0c56ceab54295e0 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.templ
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.templ
@@ -24,19 +24,6 @@
      </select>
      </td>
    </tr>
      </select>
      </td>
    </tr>
-  <? if($orga) { ?>
-  <tr> 
-    <td>
-      <label for='org'><?=_Organisation?></label>
-    </td>  
-    <td><select name="org" id='org'>
-      <option value="-1"><?=_(none)?></option>
-    <? foreach($orga) { ?>
-      <option value="<?=$key?>"<?=$!selected?>><?=$name?></option>
-    <? } ?>
-    </select></td>
-  </tr>
-  <? } ?>
    <tr>
      <td>
      <label for='CN'><?=_Your name?></label>
    <tr>
      <td>
      <label for='CN'><?=_Your name?></label>
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateModificationForm.java b/src/org/cacert/gigi/pages/account/certs/CertificateModificationForm.java

index 8449c20f019e961b5c49dea34fab52b846f7a6f3..6553a77323fc805e6af8c8ac92e5eb31be01f3cd 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/CertificateModificationForm.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateModificationForm.java
@@ -7,8 +7,8 @@ import java.util.Map;
  import javax.servlet.http.HttpServletRequest;
  
  import org.cacert.gigi.dbObjects.Certificate;
  import javax.servlet.http.HttpServletRequest;
  
  import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.CertificateOwner;
  import org.cacert.gigi.dbObjects.Job;
  import org.cacert.gigi.dbObjects.Job;
-import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.CertificateIterable;
  import org.cacert.gigi.output.template.Form;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.CertificateIterable;
  import org.cacert.gigi.output.template.Form;
@@ -17,14 +17,14 @@ import org.cacert.gigi.pages.LoginPage;
  
  public class CertificateModificationForm extends Form {
  
  
  public class CertificateModificationForm extends Form {
  
-    User target;
+    CertificateOwner target;
  
      final boolean withRevoked;
  
      public CertificateModificationForm(HttpServletRequest hsr, boolean withRevoked) {
          super(hsr);
          this.withRevoked = withRevoked;
  
      final boolean withRevoked;
  
      public CertificateModificationForm(HttpServletRequest hsr, boolean withRevoked) {
          super(hsr);
          this.withRevoked = withRevoked;
-        target = LoginPage.getUser(hsr);
+        target = LoginPage.getAuthorizationContext(hsr).getTarget();
      }
  
      private static final Template certTable = new Template(CertificateIterable.class.getResource("CertificateTable.templ"));
      }
  
      private static final Template certTable = new Template(CertificateIterable.class.getResource("CertificateTable.templ"));
diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java

index eb547cd3a22c915e94bbfeb86bd2a52eb344cde3..dae44fa0f8081f0b81c72df2b09bf37917e3af50 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateRequest.java
@@ -31,6 +31,7 @@ import org.cacert.gigi.dbObjects.Organisation;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.output.template.Scope;
  import org.cacert.gigi.output.template.SprintfCommand;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.output.template.Scope;
  import org.cacert.gigi.output.template.SprintfCommand;
+import org.cacert.gigi.util.AuthorizationContext;
  import org.cacert.gigi.util.PEM;
  
  import sun.security.pkcs.PKCS9Attribute;
  import org.cacert.gigi.util.PEM;
  
  import sun.security.pkcs.PKCS9Attribute;
@@ -99,21 +100,19 @@ public class CertificateRequest {
  
      private String ou = "";
  
  
      private String ou = "";
  
-    private Organisation org = null;
-
-    private User u;
+    private AuthorizationContext ctx;
  
      private String pDNS, pMail;
  
  
      private String pDNS, pMail;
  
-    public CertificateRequest(User issuer, String csr) throws IOException, GeneralSecurityException, GigiApiException {
-        this(issuer, csr, (CertificateProfile) null);
+    public CertificateRequest(AuthorizationContext c, String csr) throws IOException, GeneralSecurityException, GigiApiException {
+        this(c, csr, (CertificateProfile) null);
      }
  
      }
  
-    public CertificateRequest(User issuer, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
-        u = issuer;
+    public CertificateRequest(AuthorizationContext ctx, String csr, CertificateProfile cp) throws GeneralSecurityException, IOException, IOException {
+        this.ctx = ctx;
          if (cp != null) {
              profile = cp;
          if (cp != null) {
              profile = cp;
-        } else if (u.getAssurancePoints() > 50) {
+        } else if (ctx.getActor().getAssurancePoints() > 50) {
              profile = CertificateProfile.getByName("client-a");
          }
          byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
              profile = CertificateProfile.getByName("client-a");
          }
          byte[] data = PEM.decode("(NEW )?CERTIFICATE REQUEST", csr);
@@ -162,7 +161,7 @@ public class CertificateRequest {
                  } else if (c instanceof ExtendedKeyUsageExtension) {
                      ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
                      String appendix = "";
                  } else if (c instanceof ExtendedKeyUsageExtension) {
                      ExtendedKeyUsageExtension ekue = (ExtendedKeyUsageExtension) c;
                      String appendix = "";
-                    if (u.getAssurancePoints() >= 50) {
+                    if (ctx.getActor().getAssurancePoints() >= 50) {
                          appendix = "-a";
                      }
                      for (String s : ekue.getExtendedKeyUsage()) {
                          appendix = "-a";
                      }
                      for (String s : ekue.getExtendedKeyUsage()) {
@@ -198,8 +197,8 @@ public class CertificateRequest {
          this.csrType = CSRType.CSR;
      }
  
          this.csrType = CSRType.CSR;
      }
  
-    public CertificateRequest(User issuer, String spkac, String spkacChallenge) throws IOException, GigiApiException, GeneralSecurityException {
-        u = issuer;
+    public CertificateRequest(AuthorizationContext ctx, String spkac, String spkacChallenge) throws IOException, GigiApiException, GeneralSecurityException {
+        this.ctx = ctx;
          String cleanedSPKAC = spkac.replaceAll("[\r\n]", "");
          byte[] data = Base64.getDecoder().decode(cleanedSPKAC);
          SPKAC parsed = new SPKAC(data);
          String cleanedSPKAC = spkac.replaceAll("[\r\n]", "");
          byte[] data = Base64.getDecoder().decode(cleanedSPKAC);
          SPKAC parsed = new SPKAC(data);
@@ -284,12 +283,11 @@ public class CertificateRequest {
          return name;
      }
  
          return name;
      }
  
-    public Organisation getOrg() {
-        return org;
-    }
-
      public String getOu() {
      public String getOu() {
-        return ou;
+        if (ctx.getTarget() instanceof Organisation) {
+            return ou;
+        }
+        throw new IllegalStateException();
      }
  
      public Digest getSelectedDigest() {
      }
  
      public Digest getSelectedDigest() {
@@ -307,32 +305,17 @@ public class CertificateRequest {
              selectedDigest = Digest.valueOf(hashAlg);
          }
          this.profile = CertificateProfile.getByName(profileStr);
              selectedDigest = Digest.valueOf(hashAlg);
          }
          this.profile = CertificateProfile.getByName(profileStr);
-        if (newOrgStr != null) {
-            Organisation neworg = Organisation.getById(Integer.parseInt(newOrgStr));
-            if (neworg == null || u.getOrganisations().contains(neworg)) {
-                PropertyTemplate orga = profile.getTemplates().get("orga");
-                if (orga != null) {
-                    org = neworg;
-                } else {
-                    org = null;
-                    error.mergeInto(new GigiApiException("No organisations for this certificate profile."));
-                }
-            } else {
-                error.mergeInto(new GigiApiException("Selected organisation is not part of your account."));
-            }
+        if (ctx.getTarget() instanceof Organisation) {
+            this.ou = ou;
          }
  
          }
  
-        this.ou = ou;
-
-        if ( !this.profile.canBeIssuedBy(u)) {
+        if ( !this.profile.canBeIssuedBy(ctx.getTarget(), ctx.getActor())) {
              this.profile = CertificateProfile.getById(1);
              error.mergeInto(new GigiApiException("Certificate Profile is invalid."));
              throw error;
          }
  
              this.profile = CertificateProfile.getById(1);
              error.mergeInto(new GigiApiException("Certificate Profile is invalid."));
              throw error;
          }
  
-        CertificateOwner owner = org != null ? org : u;
-
-        verifySANs(error, profile, parseSANBox(SANsStr), owner);
+        verifySANs(error, profile, parseSANBox(SANsStr), ctx.getTarget());
  
          if ( !error.isEmpty()) {
              throw error;
  
          if ( !error.isEmpty()) {
              throw error;
@@ -390,7 +373,7 @@ public class CertificateRequest {
          PropertyTemplate emailTemp = profile.getTemplates().get("email");
          PropertyTemplate nameTemp = profile.getTemplates().get("name");
          PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
          PropertyTemplate emailTemp = profile.getTemplates().get("email");
          PropertyTemplate nameTemp = profile.getTemplates().get("name");
          PropertyTemplate wotUserTemp = profile.getTemplates().get("name=WoTUser");
-        verifySANs(error, profile, SANs, org != null ? org : u);
+        verifySANs(error, profile, SANs, ctx.getTarget());
  
          // Ok, let's determine the CN
          // the CN is
  
          // Ok, let's determine the CN
          // the CN is
@@ -401,12 +384,12 @@ public class CertificateRequest {
          // primary domain. (domainTemp != null)
  
          String verifiedCN = null;
          // primary domain. (domainTemp != null)
  
          String verifiedCN = null;
-        if (org == null) {
-            verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
-        } else {
+        if (ctx.getTarget() instanceof Organisation) {
              if ( !name.equals("")) {
                  verifiedCN = name;
              }
              if ( !name.equals("")) {
                  verifiedCN = name;
              }
+        } else {
+            verifiedCN = verifyName(error, nameTemp, wotUserTemp, verifiedCN);
          }
          if (pDNS == null && domainTemp != null && domainTemp.isRequired()) {
              error.mergeInto(new GigiApiException("Server Certificates require a DNS name."));
          }
          if (pDNS == null && domainTemp != null && domainTemp.isRequired()) {
              error.mergeInto(new GigiApiException("Server Certificates require a DNS name."));
@@ -432,7 +415,8 @@ public class CertificateRequest {
              }
          }
  
              }
          }
  
-        if (org != null) {
+        if (ctx.getTarget() instanceof Organisation) {
+            Organisation org = (Organisation) ctx.getTarget();
              subject.put("O", org.getName());
              subject.put("C", org.getState());
              subject.put("ST", org.getProvince());
              subject.put("O", org.getName());
              subject.put("C", org.getState());
              subject.put("ST", org.getProvince());
@@ -446,7 +430,7 @@ public class CertificateRequest {
              throw error;
          }
          try {
              throw error;
          }
          try {
-            return new Certificate(u, subject, selectedDigest.toString(), //
+            return new Certificate(ctx.getTarget(), ctx.getActor(), subject, selectedDigest.toString(), //
                      this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
          } catch (IOException e) {
              e.printStackTrace();
                      this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()]));
          } catch (IOException e) {
              e.printStackTrace();
@@ -481,84 +465,96 @@ public class CertificateRequest {
          } else {
              error.mergeInto(new GigiApiException("Internal configuration error detected."));
          }
          } else {
              error.mergeInto(new GigiApiException("Internal configuration error detected."));
          }
-        if (name != null && u.isValidName(name)) {
-            if (realIsOK) {
-                verifiedCN = name;
-            } else {
-                error.mergeInto(new GigiApiException("Your real name is not allowed in this certificate."));
+        if (ctx.getTarget() instanceof User) {
+            User u = (User) ctx.getTarget();
+            if (name != null && u.isValidName(name)) {
+                if (realIsOK) {
+                    verifiedCN = name;
+                } else {
+                    error.mergeInto(new GigiApiException("Your real name is not allowed in this certificate."));
+                    if (defaultIsOK) {
+                        name = DEFAULT_CN;
+                    } else if (nullIsOK) {
+                        name = "";
+                    }
+                }
+            } else if (name != null && name.equals(DEFAULT_CN)) {
                  if (defaultIsOK) {
                  if (defaultIsOK) {
-                    name = DEFAULT_CN;
-                } else if (nullIsOK) {
-                    name = "";
+                    verifiedCN = name;
+                } else {
+                    error.mergeInto(new GigiApiException("The default name is not allowed in this certificate."));
+                    if (nullIsOK) {
+                        name = "";
+                    } else if (realIsOK) {
+                        name = u.getName().toString();
+                    }
                  }
                  }
-            }
-        } else if (name != null && name.equals(DEFAULT_CN)) {
-            if (defaultIsOK) {
-                verifiedCN = name;
-            } else {
-                error.mergeInto(new GigiApiException("The default name is not allowed in this certificate."));
+            } else if (name == null || name.equals("")) {
                  if (nullIsOK) {
                  if (nullIsOK) {
-                    name = "";
-                } else if (realIsOK) {
-                    name = u.getName().toString();
+                    verifiedCN = "";
+                } else {
+                    error.mergeInto(new GigiApiException("A name is required in this certificate."));
+                    if (defaultIsOK) {
+                        name = DEFAULT_CN;
+                    } else if (realIsOK) {
+                        name = u.getName().toString();
+                    }
                  }
                  }
-            }
-        } else if (name == null || name.equals("")) {
-            if (nullIsOK) {
-                verifiedCN = "";
              } else {
              } else {
-                error.mergeInto(new GigiApiException("A name is required in this certificate."));
-                if (defaultIsOK) {
+                error.mergeInto(new GigiApiException("The name you entered was invalid."));
+
+            }
+            if (wotUserTemp != null) {
+                if ( !wotUserTemp.isRequired() || wotUserTemp.isMultiple()) {
+                    error.mergeInto(new GigiApiException("Internal configuration error detected."));
+                }
+                if ( !name.equals(DEFAULT_CN)) {
                      name = DEFAULT_CN;
                      name = DEFAULT_CN;
-                } else if (realIsOK) {
-                    name = u.getName().toString();
+                    error.mergeInto(new GigiApiException("You may not change the name for this certificate type."));
+                } else {
+                    verifiedCN = DEFAULT_CN;
                  }
                  }
-            }
-        } else {
-            error.mergeInto(new GigiApiException("The name you entered was invalid."));
  
  
-        }
-        if (wotUserTemp != null) {
-            if ( !wotUserTemp.isRequired() || wotUserTemp.isMultiple()) {
-                error.mergeInto(new GigiApiException("Internal configuration error detected."));
-            }
-            if ( !name.equals(DEFAULT_CN)) {
-                name = DEFAULT_CN;
-                error.mergeInto(new GigiApiException("You may not change the name for this certificate type."));
              } else {
              } else {
-                verifiedCN = DEFAULT_CN;
-            }
+                if (nameTemp != null) {
+                    if (name.equals("")) {
+                        if (nameTemp.isRequired()) {
+                            // nothing, but required
+                            name = DEFAULT_CN;
+                            error.mergeInto(new GigiApiException("No name entered, but one was required."));
+                        } else {
+                            // nothing and not required
  
  
-        } else {
-            if (nameTemp != null) {
-                if (name.equals("")) {
-                    if (nameTemp.isRequired()) {
-                        // nothing, but required
-                        name = DEFAULT_CN;
-                        error.mergeInto(new GigiApiException("No name entered, but one was required."));
+                        }
+                    } else if (u.isValidName(name)) {
+                        verifiedCN = name;
                      } else {
                      } else {
-                        // nothing and not required
-
+                        if (nameTemp.isRequired()) {
+                            error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account, because a name is required for this certificate type."));
+                        } else if (name.equals(DEFAULT_CN)) {
+                            verifiedCN = DEFAULT_CN;
+                        } else {
+                            name = DEFAULT_CN;
+                            error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account or keep the default name."));
+                        }
                      }
                      }
-                } else if (u.isValidName(name)) {
-                    verifiedCN = name;
                  } else {
                  } else {
-                    if (nameTemp.isRequired()) {
-                        error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account, because a name is required for this certificate type."));
-                    } else if (name.equals(DEFAULT_CN)) {
-                        verifiedCN = DEFAULT_CN;
-                    } else {
-                        name = DEFAULT_CN;
-                        error.mergeInto(new GigiApiException("The name entered, does not match the details in your account. You cannot issue certificates with this name. Enter a name that matches the one that has been assured in your account or keep the default name."));
+                    if ( !name.equals("")) {
+                        name = "";
+                        error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored."));
                      }
                  }
                      }
                  }
+            }
+        } else {
+            if (realIsOK) {
+                verifiedCN = name;
              } else {
              } else {
-                if ( !name.equals("")) {
-                    name = "";
-                    error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored."));
-                }
+                verifiedCN = "";
+                name = "";
+                error.mergeInto(new GigiApiException("No real name is included in this certificate. The real name, you entered will be ignored."));
              }
          }
              }
          }
+
          return verifiedCN;
      }
  }
          return verifiedCN;
      }
  }
diff --git a/src/org/cacert/gigi/pages/account/certs/Certificates.java b/src/org/cacert/gigi/pages/account/certs/Certificates.java

index 799927fdb1ca21e6c390f06074c74231e7ad3bc3..766d21ea0ab7e6b5ba50f678721084d76b6cd35f 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/Certificates.java
+++ b/src/org/cacert/gigi/pages/account/certs/Certificates.java
@@ -85,7 +85,7 @@ public class Certificates extends Page implements HandlesMixedRequest {
          String serial = pi;
          try {
              Certificate c = Certificate.getBySerial(serial);
          String serial = pi;
          try {
              Certificate c = Certificate.getBySerial(serial);
-            if (c == null || getUser(req).getId() != c.getOwner().getId()) {
+            if (c == null || LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId()) {
                  resp.sendError(404);
                  return true;
              }
                  resp.sendError(404);
                  return true;
              }
@@ -142,7 +142,7 @@ public class Certificates extends Page implements HandlesMixedRequest {
  
              String serial = pi;
              Certificate c = Certificate.getBySerial(serial);
  
              String serial = pi;
              Certificate c = Certificate.getBySerial(serial);
-            if (c == null || LoginPage.getUser(req).getId() != c.getOwner().getId()) {
+            if (c == null || LoginPage.getAuthorizationContext(req).getTarget().getId() != c.getOwner().getId()) {
                  resp.sendError(404);
                  return;
              }
                  resp.sendError(404);
                  return;
              }
diff --git a/src/org/cacert/gigi/pages/account/domain/DomainManagementForm.java b/src/org/cacert/gigi/pages/account/domain/DomainManagementForm.java

index 617d3d6540e1bd2f3aa35f4910af29ed3ca99767..98e3cab3129be8ab9bc9da428ee3151efb8776be 100644 (file)
--- a/src/org/cacert/gigi/pages/account/domain/DomainManagementForm.java
+++ b/src/org/cacert/gigi/pages/account/domain/DomainManagementForm.java
@@ -6,8 +6,8 @@ import java.util.Map;
  import javax.servlet.http.HttpServletRequest;
  
  import org.cacert.gigi.GigiApiException;
  import javax.servlet.http.HttpServletRequest;
  
  import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.CertificateOwner;
  import org.cacert.gigi.dbObjects.Domain;
  import org.cacert.gigi.dbObjects.Domain;
-import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.template.Form;
  import org.cacert.gigi.output.template.IterableDataset;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.template.Form;
  import org.cacert.gigi.output.template.IterableDataset;
@@ -19,9 +19,9 @@ public class DomainManagementForm extends Form {
  
      private static final Template t = new Template(DomainManagementForm.class.getResource("DomainManagementForm.templ"));
  
  
      private static final Template t = new Template(DomainManagementForm.class.getResource("DomainManagementForm.templ"));
  
-    private User target;
+    private CertificateOwner target;
  
  
-    public DomainManagementForm(HttpServletRequest hsr, User target) {
+    public DomainManagementForm(HttpServletRequest hsr, CertificateOwner target) {
          super(hsr);
          this.target = target;
      }
          super(hsr);
          this.target = target;
      }
diff --git a/src/org/cacert/gigi/pages/account/domain/DomainOverview.java b/src/org/cacert/gigi/pages/account/domain/DomainOverview.java

index 7a851c36ef106b15d34102efa58221cffae47614..ed707612cc227d3f6b9d96e93e3ef5bde2a0fc29 100644 (file)
--- a/src/org/cacert/gigi/pages/account/domain/DomainOverview.java
+++ b/src/org/cacert/gigi/pages/account/domain/DomainOverview.java
@@ -7,9 +7,11 @@ import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  
  import org.cacert.gigi.GigiApiException;
  import javax.servlet.http.HttpServletResponse;
  
  import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.CertificateOwner;
  import org.cacert.gigi.dbObjects.Domain;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.output.template.Form;
  import org.cacert.gigi.dbObjects.Domain;
  import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.pages.LoginPage;
  import org.cacert.gigi.pages.Page;
  
  public class DomainOverview extends Page {
  import org.cacert.gigi.pages.Page;
  
  public class DomainOverview extends Page {
@@ -22,7 +24,7 @@ public class DomainOverview extends Page {
  
      @Override
      public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  
      @Override
      public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-        User u = getUser(req);
+        CertificateOwner u = LoginPage.getAuthorizationContext(req).getTarget();
          String pi = req.getPathInfo();
          if (pi.length() - PATH.length() > 0) {
              int i = Integer.parseInt(pi.substring(PATH.length()));
          String pi = req.getPathInfo();
          if (pi.length() - PATH.length() > 0) {
              int i = Integer.parseInt(pi.substring(PATH.length()));
@@ -48,11 +50,13 @@ public class DomainOverview extends Page {
          }
          try {
              DomainManagementForm domMan = new DomainManagementForm(req, u);
          }
          try {
              DomainManagementForm domMan = new DomainManagementForm(req, u);
-            DomainAddForm domAdd = new DomainAddForm(req, u);
              HashMap<String, Object> vars = new HashMap<>();
              vars.put("doms", u.getDomains());
              vars.put("domainman", domMan);
              HashMap<String, Object> vars = new HashMap<>();
              vars.put("doms", u.getDomains());
              vars.put("domainman", domMan);
-            vars.put("domainadd", domAdd);
+            if (u instanceof User) {
+                DomainAddForm domAdd = new DomainAddForm(req, (User) u);
+                vars.put("domainadd", domAdd);
+            }
              getDefaultTemplate().output(resp.getWriter(), getLanguage(req), vars);
          } catch (GigiApiException e) {
              e.format(resp.getWriter(), getLanguage(req));
              getDefaultTemplate().output(resp.getWriter(), getLanguage(req), vars);
          } catch (GigiApiException e) {
              e.format(resp.getWriter(), getLanguage(req));
diff --git a/src/org/cacert/gigi/pages/account/domain/DomainOverview.templ b/src/org/cacert/gigi/pages/account/domain/DomainOverview.templ

index 11364a53c38e02891987218238c4fe0c35209ec3..bcbe426728aa75ba53f96f6b9307443c8a09844e 100644 (file)
--- a/src/org/cacert/gigi/pages/account/domain/DomainOverview.templ
+++ b/src/org/cacert/gigi/pages/account/domain/DomainOverview.templ
@@ -1,5 +1,6 @@
  <?=$domainman?>
  <h2><?=_Add Domain?></h2>
  <?=$domainman?>
  <h2><?=_Add Domain?></h2>
+<? if($domainadd) { ?>
  <p>
  <?=_Please Note: You only need to enter the main part of your domain, eg. mydomain.com rather then www.mydomain.com. Once you have verified your domain you are able to enter any sub-domain, such as www.mydomain.com or www.this.is.mydomain.com as the system checks from right to left, rather then specific hostnames when you upload a CSR to the system.?>
  </p>
  <p>
  <?=_Please Note: You only need to enter the main part of your domain, eg. mydomain.com rather then www.mydomain.com. Once you have verified your domain you are able to enter any sub-domain, such as www.mydomain.com or www.this.is.mydomain.com as the system checks from right to left, rather then specific hostnames when you upload a CSR to the system.?>
  </p>
@@ -7,3 +8,6 @@
  <p>
  <?=_Currently we only issue certificates for Punycode domains if the person requesting them has code signing attributes attached to their account, as these have potentially slightly higher security risk.?>
  </p>
  <p>
  <?=_Currently we only issue certificates for Punycode domains if the person requesting them has code signing attributes attached to their account, as these have potentially slightly higher security risk.?>
  </p>
+<? } else { ?>
+Please contact your Organisation Assurer to add a domain.
+<? } ?>
diff --git a/src/org/cacert/gigi/pages/account/mail/MailOverview.java b/src/org/cacert/gigi/pages/account/mail/MailOverview.java

index 593307da32fa7e7c8a0039b8129a733fd4f8c894..092b6a57a94ec00178149d5e6f08a5658a3cbd84 100644 (file)
--- a/src/org/cacert/gigi/pages/account/mail/MailOverview.java
+++ b/src/org/cacert/gigi/pages/account/mail/MailOverview.java
@@ -46,5 +46,4 @@ public class MailOverview extends Page {
          }
          super.doPost(req, resp);
      }
          }
          super.doPost(req, resp);
      }
-
  }
  }
diff --git a/src/org/cacert/gigi/pages/orga/AffiliationForm.java b/src/org/cacert/gigi/pages/orga/AffiliationForm.java

index ad988895b351d5c26e375813257ba881cbf5639c..c8dd3e5224a27a199581a2fdf8ed5be996d9f319 100644 (file)
--- a/src/org/cacert/gigi/pages/orga/AffiliationForm.java
+++ b/src/org/cacert/gigi/pages/orga/AffiliationForm.java
@@ -42,6 +42,8 @@ public class AffiliationForm extends Form {
              if (byEmail != null && byEmail.canAssure()) {
                  o.addAdmin(byEmail, LoginPage.getUser(req), req.getParameter("master") != null);
                  return true;
              if (byEmail != null && byEmail.canAssure()) {
                  o.addAdmin(byEmail, LoginPage.getUser(req), req.getParameter("master") != null);
                  return true;
+            } else {
+                out.println(Page.getLanguage(req).getTranslation("Requested user is not an assurer. We need an assurer here."));
              }
          }
          out.println(Page.getLanguage(req).getTranslation("No action could have been carried out."));
              }
          }
          out.println(Page.getLanguage(req).getTranslation("No action could have been carried out."));
diff --git a/src/org/cacert/gigi/util/AuthorizationContext.java b/src/org/cacert/gigi/util/AuthorizationContext.java

new file mode 100644 (file)

index 0000000..4a329a9
--- /dev/null
+++ b/src/org/cacert/gigi/util/AuthorizationContext.java
@@ -0,0 +1,29 @@
+package org.cacert.gigi.util;
+
+import org.cacert.gigi.dbObjects.CertificateOwner;
+import org.cacert.gigi.dbObjects.Group;
+import org.cacert.gigi.dbObjects.User;
+
+public class AuthorizationContext {
+
+    CertificateOwner target;
+
+    User actor;
+
+    public AuthorizationContext(CertificateOwner target, User actor) {
+        this.target = target;
+        this.actor = actor;
+    }
+
+    public CertificateOwner getTarget() {
+        return target;
+    }
+
+    public User getActor() {
+        return actor;
+    }
+
+    public boolean hasRight(Group g) {
+        return actor.isInGroup(g);
+    }
+}
diff --git a/tests/org/cacert/gigi/TestCertificate.java b/tests/org/cacert/gigi/TestCertificate.java

index d8553e1f6c17340da38c2bbbe35602615ec1bad8..9a8955e03439b89b1dd9f9d46ce8b329717020d3 100644 (file)
--- a/tests/org/cacert/gigi/TestCertificate.java
+++ b/tests/org/cacert/gigi/TestCertificate.java
@@ -31,9 +31,9 @@ public class TestCertificate extends ManagedTest {
      public void testClientCertLoginStates() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
          KeyPair kp = generateKeypair();
          String key1 = generatePEMCSR(kp, "CN=testmail@example.com");
      public void testClientCertLoginStates() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
          KeyPair kp = generateKeypair();
          String key1 = generatePEMCSR(kp, "CN=testmail@example.com");
-        Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
+        Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
          final PrivateKey pk = kp.getPrivate();
          final PrivateKey pk = kp.getPrivate();
-        c.issue(null, "2y").waitFor(60000);
+        c.issue(null, "2y", u).waitFor(60000);
          final X509Certificate ce = c.cert();
          assertNotNull(login(pk, ce));
      }
          final X509Certificate ce = c.cert();
          assertNotNull(login(pk, ce));
      }
@@ -42,11 +42,11 @@ public class TestCertificate extends ManagedTest {
      public void testSANs() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
          KeyPair kp = generateKeypair();
          String key = generatePEMCSR(kp, "CN=testmail@example.com");
      public void testSANs() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
          KeyPair kp = generateKeypair();
          String key = generatePEMCSR(kp, "CN=testmail@example.com");
-        Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1),//
+        Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1),//
                  new SubjectAlternateName(SANType.EMAIL, "testmail@example.com"), new SubjectAlternateName(SANType.DNS, "testmail.example.com"));
  
          testFails(CertificateStatus.DRAFT, c);
                  new SubjectAlternateName(SANType.EMAIL, "testmail@example.com"), new SubjectAlternateName(SANType.DNS, "testmail.example.com"));
  
          testFails(CertificateStatus.DRAFT, c);
-        c.issue(null, "2y").waitFor(60000);
+        c.issue(null, "2y", u).waitFor(60000);
          X509Certificate cert = c.cert();
          Collection<List<?>> sans = cert.getSubjectAlternativeNames();
          assertEquals(2, sans.size());
          X509Certificate cert = c.cert();
          Collection<List<?>> sans = cert.getSubjectAlternativeNames();
          assertEquals(2, sans.size());
@@ -93,11 +93,11 @@ public class TestCertificate extends ManagedTest {
      public void testCertLifeCycle() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
          KeyPair kp = generateKeypair();
          String key = generatePEMCSR(kp, "CN=testmail@example.com");
      public void testCertLifeCycle() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
          KeyPair kp = generateKeypair();
          String key = generatePEMCSR(kp, "CN=testmail@example.com");
-        Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
+        Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
          final PrivateKey pk = kp.getPrivate();
  
          testFails(CertificateStatus.DRAFT, c);
          final PrivateKey pk = kp.getPrivate();
  
          testFails(CertificateStatus.DRAFT, c);
-        c.issue(null, "2y").waitFor(60000);
+        c.issue(null, "2y", u).waitFor(60000);
  
          testFails(CertificateStatus.ISSUED, c);
          X509Certificate cert = c.cert();
  
          testFails(CertificateStatus.ISSUED, c);
          X509Certificate cert = c.cert();
@@ -121,7 +121,7 @@ public class TestCertificate extends ManagedTest {
          }
          if (status != CertificateStatus.DRAFT) {
              try {
          }
          if (status != CertificateStatus.DRAFT) {
              try {
-                c.issue(null, "2y");
+                c.issue(null, "2y", u);
                  fail(status + " is in invalid state");
              } catch (IllegalStateException ise) {
  
                  fail(status + " is in invalid state");
              } catch (IllegalStateException ise) {
  
diff --git a/tests/org/cacert/gigi/TestCrossDomainAccess.java b/tests/org/cacert/gigi/TestCrossDomainAccess.java

index 7e0a4f4e498f515152e5a63211bacdcd26421157..7bc9c317e91908bb083aa0b19222acd6b21c71c9 100644 (file)
--- a/tests/org/cacert/gigi/TestCrossDomainAccess.java
+++ b/tests/org/cacert/gigi/TestCrossDomainAccess.java
@@ -48,9 +48,9 @@ public class TestCrossDomainAccess extends ManagedTest {
          User u = User.getById(createVerifiedUser("fn", "ln", "testmail@example.com", TEST_PASSWORD));
          KeyPair kp = generateKeypair();
          String key = generatePEMCSR(kp, "CN=testmail@example.com");
          User u = User.getById(createVerifiedUser("fn", "ln", "testmail@example.com", TEST_PASSWORD));
          KeyPair kp = generateKeypair();
          String key = generatePEMCSR(kp, "CN=testmail@example.com");
-        Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
+        Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
          final PrivateKey pk = kp.getPrivate();
          final PrivateKey pk = kp.getPrivate();
-        c.issue(null, "2y").waitFor(60000);
+        c.issue(null, "2y", u).waitFor(60000);
  
          URLConnection con = new URL("https://" + ServerConstants.getSecureHostNamePort()).openConnection();
          authenticateClientCert(pk, c.cert(), (HttpURLConnection) con);
  
          URLConnection con = new URL("https://" + ServerConstants.getSecureHostNamePort()).openConnection();
          authenticateClientCert(pk, c.cert(), (HttpURLConnection) con);
diff --git a/tests/org/cacert/gigi/TestSeparateSessionScope.java b/tests/org/cacert/gigi/TestSeparateSessionScope.java

index c82f8e07d51a5c18b14484fa4c2e50bf6159fdad..f80c216c4877eec95cece080551d376b8254eb25 100644 (file)
--- a/tests/org/cacert/gigi/TestSeparateSessionScope.java
+++ b/tests/org/cacert/gigi/TestSeparateSessionScope.java
@@ -30,9 +30,10 @@ public class TestSeparateSessionScope extends ManagedTest {
          String cookie = login(mail, TEST_PASSWORD);
          KeyPair kp = generateKeypair();
          String csr = generatePEMCSR(kp, "CN=hans");
          String cookie = login(mail, TEST_PASSWORD);
          KeyPair kp = generateKeypair();
          String csr = generatePEMCSR(kp, "CN=hans");
-        Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+        User u = User.getById(user);
+        Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
          final PrivateKey pk = kp.getPrivate();
          final PrivateKey pk = kp.getPrivate();
-        c.issue(null, "2y").waitFor(60000);
+        c.issue(null, "2y", u).waitFor(60000);
          final X509Certificate ce = c.cert();
          String scookie = login(pk, ce);
  
          final X509Certificate ce = c.cert();
          String scookie = login(pk, ce);
  
@@ -49,11 +50,12 @@ public class TestSeparateSessionScope extends ManagedTest {
          int user = createAssuranceUser("test", "tugo", mail, TEST_PASSWORD);
          KeyPair kp = generateKeypair();
          String csr = generatePEMCSR(kp, "CN=hans");
          int user = createAssuranceUser("test", "tugo", mail, TEST_PASSWORD);
          KeyPair kp = generateKeypair();
          String csr = generatePEMCSR(kp, "CN=hans");
-        Certificate c = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
-        Certificate c2 = new Certificate(User.getById(user), Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+        User u = User.getById(user);
+        Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
+        Certificate c2 = new Certificate(u, u, Certificate.buildDN("CN", "hans"), "sha256", csr, CSRType.CSR, CertificateProfile.getById(1));
          final PrivateKey pk = kp.getPrivate();
          final PrivateKey pk = kp.getPrivate();
-        Job j1 = c.issue(null, "2y");
-        c2.issue(null, "2y").waitFor(60000);
+        Job j1 = c.issue(null, "2y", u);
+        c2.issue(null, "2y", u).waitFor(60000);
          j1.waitFor(60000);
          final X509Certificate ce = c.cert();
          String scookie = login(pk, ce);
          j1.waitFor(60000);
          final X509Certificate ce = c.cert();
          String scookie = login(pk, ce);
diff --git a/tests/org/cacert/gigi/api/IssueCert.java b/tests/org/cacert/gigi/api/IssueCert.java

index 74240b26d3a804ac547267ea69e074122b915c68..b49435910655b6572303dacdf812a429c670d29f 100644 (file)
--- a/tests/org/cacert/gigi/api/IssueCert.java
+++ b/tests/org/cacert/gigi/api/IssueCert.java
@@ -28,9 +28,9 @@ public class IssueCert extends ClientTest {
      public void testIssueCert() throws Exception {
          KeyPair kp = generateKeypair();
          String key1 = generatePEMCSR(kp, "EMAIL=testmail@example.com");
      public void testIssueCert() throws Exception {
          KeyPair kp = generateKeypair();
          String key1 = generatePEMCSR(kp, "EMAIL=testmail@example.com");
-        Certificate c = new Certificate(u, Certificate.buildDN("EMAIL", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
+        Certificate c = new Certificate(u, u, Certificate.buildDN("EMAIL", "testmail@example.com"), "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
          final PrivateKey pk = kp.getPrivate();
          final PrivateKey pk = kp.getPrivate();
-        c.issue(null, "2y").waitFor(60000);
+        c.issue(null, "2y", u).waitFor(60000);
          final X509Certificate ce = c.cert();
          HttpURLConnection connection = (HttpURLConnection) new URL("https://" + getServerName().replaceFirst("^www.", "api.") + "/account/certs/new").openConnection();
          authenticateClientCert(pk, ce, connection);
          final X509Certificate ce = c.cert();
          HttpURLConnection connection = (HttpURLConnection) new URL("https://" + getServerName().replaceFirst("^www.", "api.") + "/account/certs/new").openConnection();
          authenticateClientCert(pk, ce, connection);
diff --git a/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java b/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java

index 4d668b74caba6b6740d0086613876ec6355078dc..4430605442d398b9aac7cdea847f04fb4c506b1a 100644 (file)
--- a/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
+++ b/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
@@ -11,13 +11,17 @@ import org.cacert.gigi.GigiApiException;
  import org.cacert.gigi.dbObjects.Group;
  import org.cacert.gigi.pages.account.certs.CertificateRequest;
  import org.cacert.gigi.testUtils.ClientTest;
  import org.cacert.gigi.dbObjects.Group;
  import org.cacert.gigi.pages.account.certs.CertificateRequest;
  import org.cacert.gigi.testUtils.ClientTest;
+import org.cacert.gigi.util.AuthorizationContext;
  import org.junit.Test;
  
  public class TestCertificateRequest extends ClientTest {
  
      KeyPair kp = generateKeypair();
  
  import org.junit.Test;
  
  public class TestCertificateRequest extends ClientTest {
  
      KeyPair kp = generateKeypair();
  
+    AuthorizationContext ac;
+
      public TestCertificateRequest() throws GeneralSecurityException, IOException {
      public TestCertificateRequest() throws GeneralSecurityException, IOException {
+        ac = new AuthorizationContext(u, u);
          makeAssurer(u.getId());
          grant(email, Group.CODESIGNING);
  
          makeAssurer(u.getId());
          grant(email, Group.CODESIGNING);
  
@@ -26,7 +30,7 @@ public class TestCertificateRequest extends ClientTest {
      @Test
      public void testIssuingOtherName() throws Exception {
          try {
      @Test
      public void testIssuingOtherName() throws Exception {
          try {
-            new CertificateRequest(u, generatePEMCSR(kp, "CN=hansi")).draft();
+            new CertificateRequest(ac, generatePEMCSR(kp, "CN=hansi")).draft();
              fail();
          } catch (GigiApiException e) {
              assertThat(e.getMessage(), containsString("name you entered was invalid"));
              fail();
          } catch (GigiApiException e) {
              assertThat(e.getMessage(), containsString("name you entered was invalid"));
@@ -35,18 +39,18 @@ public class TestCertificateRequest extends ClientTest {
  
      @Test
      public void testIssuingDefault() throws Exception {
  
      @Test
      public void testIssuingDefault() throws Exception {
-        new CertificateRequest(u, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN + ",EMAIL=" + email)).draft();
+        new CertificateRequest(ac, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN + ",EMAIL=" + email)).draft();
      }
  
      @Test
      public void testIssuingRealName() throws Exception {
      }
  
      @Test
      public void testIssuingRealName() throws Exception {
-        new CertificateRequest(u, generatePEMCSR(kp, "CN=a b,EMAIL=" + email)).draft();
+        new CertificateRequest(ac, generatePEMCSR(kp, "CN=a b,EMAIL=" + email)).draft();
      }
  
      @Test
      public void testIssuingModifiedName() throws Exception {
          try {
      }
  
      @Test
      public void testIssuingModifiedName() throws Exception {
          try {
-            new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab")).draft();
+            new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab")).draft();
              fail();
          } catch (GigiApiException e) {
              assertThat(e.getMessage(), containsString("name you entered was invalid"));
              fail();
          } catch (GigiApiException e) {
              assertThat(e.getMessage(), containsString("name you entered was invalid"));
@@ -58,7 +62,7 @@ public class TestCertificateRequest extends ClientTest {
      @Test
      public void testCodesignModifiedName() throws Exception {
          try {
      @Test
      public void testCodesignModifiedName() throws Exception {
          try {
-            CertificateRequest cr = new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab"));
+            CertificateRequest cr = new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab"));
              cr.update("name", "SHA512", "code-a", null, null, "email:" + email, null, null);
          } catch (GigiApiException e) {
              assertThat(e.getMessage(), containsString("does not match the details"));
              cr.update("name", "SHA512", "code-a", null, null, "email:" + email, null, null);
          } catch (GigiApiException e) {
              assertThat(e.getMessage(), containsString("does not match the details"));
diff --git a/tests/org/cacert/gigi/ping/TestSSL.java b/tests/org/cacert/gigi/ping/TestSSL.java

index 19aafe258b3bff4986dd4aa4aebc06ae5e9422c9..01386c5344f9b84bd54f5c847dcb78529f774329 100644 (file)
--- a/tests/org/cacert/gigi/ping/TestSSL.java
+++ b/tests/org/cacert/gigi/ping/TestSSL.java
@@ -185,8 +185,9 @@ public class TestSSL extends PingTest {
      private void createCertificate(String test, CertificateProfile profile) throws GeneralSecurityException, IOException, SQLException, InterruptedException, GigiApiException {
          kp = generateKeypair();
          String csr = generatePEMCSR(kp, "CN=" + test);
      private void createCertificate(String test, CertificateProfile profile) throws GeneralSecurityException, IOException, SQLException, InterruptedException, GigiApiException {
          kp = generateKeypair();
          String csr = generatePEMCSR(kp, "CN=" + test);
-        c = new Certificate(User.getById(id), Certificate.buildDN("CN", test), "sha256", csr, CSRType.CSR, profile);
-        c.issue(null, "2y").waitFor(60000);
+        User u = User.getById(id);
+        c = new Certificate(u, u, Certificate.buildDN("CN", test), "sha256", csr, CSRType.CSR, profile);
+        c.issue(null, "2y", u).waitFor(60000);
      }
  
      private boolean acceptSSLServer(SSLServerSocket sss) throws IOException {
      }
  
      private boolean acceptSSLServer(SSLServerSocket sss) throws IOException {
diff --git a/util-testing/org/cacert/gigi/DevelLauncher.java b/util-testing/org/cacert/gigi/DevelLauncher.java

index 9fab71c9cfc784d8cf80a5e2b2a5c8a8745478a7..df5a790d24297fd728316c9e0978da3ae8924eb7 100644 (file)
--- a/util-testing/org/cacert/gigi/DevelLauncher.java
+++ b/util-testing/org/cacert/gigi/DevelLauncher.java
@@ -31,6 +31,7 @@ import org.cacert.gigi.dbObjects.User;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.template.Template;
  import org.cacert.gigi.pages.Page;
  import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.template.Template;
  import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.util.AuthorizationContext;
  import org.cacert.gigi.util.ServerConstants;
  import org.kamranzafar.jtar.TarEntry;
  import org.kamranzafar.jtar.TarHeader;
  import org.cacert.gigi.util.ServerConstants;
  import org.kamranzafar.jtar.TarEntry;
  import org.kamranzafar.jtar.TarHeader;
@@ -195,7 +196,7 @@ public class DevelLauncher {
                      }
                      sess.setAttribute(LOGGEDIN, true);
                      sess.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
                      }
                      sess.setAttribute(LOGGEDIN, true);
                      sess.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
-                    sess.setAttribute(USER, user);
+                    sess.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
                      req.getSession().setAttribute(LOGIN_METHOD, "Ticket");
                      resp.getWriter().println("ticket consumed");
                      ticketUsed = true;
                      req.getSession().setAttribute(LOGIN_METHOD, "Ticket");
                      resp.getWriter().println("ticket consumed");
                      ticketUsed = true;
diff --git a/util-testing/org/cacert/gigi/pages/Manager.java b/util-testing/org/cacert/gigi/pages/Manager.java

index 8b81820b2a1228fd26374f20cdfb99cbddf9d0ef..3701fb980c63cd8eb4ebdaf97d21532183d4b640 100644 (file)
--- a/util-testing/org/cacert/gigi/pages/Manager.java
+++ b/util-testing/org/cacert/gigi/pages/Manager.java
@@ -37,6 +37,7 @@ import org.cacert.gigi.localisation.Language;
  import org.cacert.gigi.output.template.IterableDataset;
  import org.cacert.gigi.output.template.Template;
  import org.cacert.gigi.pages.account.certs.CertificateRequest;
  import org.cacert.gigi.output.template.IterableDataset;
  import org.cacert.gigi.output.template.Template;
  import org.cacert.gigi.pages.account.certs.CertificateRequest;
+import org.cacert.gigi.util.AuthorizationContext;
  import org.cacert.gigi.util.Notary;
  
  import sun.security.x509.X509Key;
  import org.cacert.gigi.util.Notary;
  
  import sun.security.x509.X509Key;
@@ -243,10 +244,10 @@ public class Manager extends Page {
  
                  byte[] res = s.getEncoded(sign);
  
  
                  byte[] res = s.getEncoded(sign);
  
-                CertificateRequest cr = new CertificateRequest(u, Base64.getEncoder().encodeToString(res), "challange");
+                CertificateRequest cr = new CertificateRequest(new AuthorizationContext(u, u), Base64.getEncoder().encodeToString(res), "challange");
                  cr.update(CertificateRequest.DEFAULT_CN, Digest.SHA512.toString(), "client", null, "", "email:" + u.getEmail(), resp.getWriter(), req);
                  Certificate draft = cr.draft();
                  cr.update(CertificateRequest.DEFAULT_CN, Digest.SHA512.toString(), "client", null, "", "email:" + u.getEmail(), resp.getWriter(), req);
                  Certificate draft = cr.draft();
-                draft.issue(null, "2y").waitFor(10000);
+                draft.issue(null, "2y", u).waitFor(10000);
                  if (draft.getStatus() == CertificateStatus.ISSUED) {
                      resp.getWriter().println("added certificate");
                  } else {
                  if (draft.getStatus() == CertificateStatus.ISSUED) {
                      resp.getWriter().println("added certificate");
                  } else {
diff --git a/util-testing/org/cacert/gigi/util/SimpleSigner.java b/util-testing/org/cacert/gigi/util/SimpleSigner.java

index b61f851e16e7a2a63ec22b2ca1eece703e545bca..843867b6e5120e2ee0cb575507200d6a17c9b8ac 100644 (file)
--- a/util-testing/org/cacert/gigi/util/SimpleSigner.java
+++ b/util-testing/org/cacert/gigi/util/SimpleSigner.java
@@ -568,6 +568,21 @@ public class SimpleSigner {
                      2, 5, 4, 11
              };
              break;
                      2, 5, 4, 11
              };
              break;
+        case "ST":
+            oid = new int[] {
+                    2, 5, 4, 8
+            };
+            break;
+        case "L":
+            oid = new int[] {
+                    2, 5, 4, 7
+            };
+            break;
+        case "C":
+            oid = new int[] {
+                    2, 5, 4, 6
+            };
+            break;
          default:
              throw new Error("unknown RDN-type: " + key);
          }
          default:
              throw new Error("unknown RDN-type: " + key);
          }
author	Felix Dörre <felix@dogcraft.de>
	Mon, 2 Nov 2015 01:40:08 +0000 (02:40 +0100)
committer	Felix Dörre <felix@dogcraft.de>
	Mon, 2 Nov 2015 01:40:48 +0000 (02:40 +0100)
src/org/cacert/gigi/Gigi.java		patch \| blob \| history
src/org/cacert/gigi/api/GigiAPI.java		patch \| blob \| history
src/org/cacert/gigi/dbObjects/Certificate.java		patch \| blob \| history
src/org/cacert/gigi/dbObjects/CertificateProfile.java		patch \| blob \| history
src/org/cacert/gigi/pages/LoginPage.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/MyDetails.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/MyDetails.templ		patch \| blob \| history
src/org/cacert/gigi/pages/account/MyOrganisationsForm.java	[new file with mode: 0644]	patch \| blob
src/org/cacert/gigi/pages/account/MyOrganisationsForm.templ	[new file with mode: 0644]	patch \| blob
src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.templ		patch \| blob \| history
src/org/cacert/gigi/pages/account/certs/CertificateModificationForm.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/certs/CertificateRequest.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/certs/Certificates.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/domain/DomainManagementForm.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/domain/DomainOverview.java		patch \| blob \| history
src/org/cacert/gigi/pages/account/domain/DomainOverview.templ		patch \| blob \| history
src/org/cacert/gigi/pages/account/mail/MailOverview.java		patch \| blob \| history
src/org/cacert/gigi/pages/orga/AffiliationForm.java		patch \| blob \| history
src/org/cacert/gigi/util/AuthorizationContext.java	[new file with mode: 0644]	patch \| blob
tests/org/cacert/gigi/TestCertificate.java		patch \| blob \| history
tests/org/cacert/gigi/TestCrossDomainAccess.java		patch \| blob \| history
tests/org/cacert/gigi/TestSeparateSessionScope.java		patch \| blob \| history
tests/org/cacert/gigi/api/IssueCert.java		patch \| blob \| history
tests/org/cacert/gigi/pages/account/TestCertificateRequest.java		patch \| blob \| history
tests/org/cacert/gigi/ping/TestSSL.java		patch \| blob \| history
util-testing/org/cacert/gigi/DevelLauncher.java		patch \| blob \| history
util-testing/org/cacert/gigi/pages/Manager.java		patch \| blob \| history
util-testing/org/cacert/gigi/util/SimpleSigner.java		patch \| blob \| history