From: Felix Dörre Date: Fri, 30 Dec 2016 12:01:43 +0000 (+0100) Subject: fix: restrict access to CATS-API even more X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=635da69a876542e30ed5cc5cbdc1ef4a9793ddfe fix: restrict access to CATS-API even more Change-Id: Idb32bf7e12e0f2704541108afb9a5fcc3e0762a7 --- diff --git a/src/org/cacert/gigi/api/APIPoint.java b/src/org/cacert/gigi/api/APIPoint.java index 8987afdb..72a555b1 100644 --- a/src/org/cacert/gigi/api/APIPoint.java +++ b/src/org/cacert/gigi/api/APIPoint.java @@ -6,6 +6,7 @@ import java.security.cert.X509Certificate; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.cacert.gigi.dbObjects.Certificate; import org.cacert.gigi.dbObjects.CertificateOwner; import org.cacert.gigi.dbObjects.User; import org.cacert.gigi.pages.LoginPage; @@ -19,8 +20,9 @@ public abstract class APIPoint { return; } String serial = LoginPage.extractSerialFormCert(cert); + Certificate clientCert = Certificate.getBySerial(serial); CertificateOwner u = CertificateOwner.getByEnabledSerial(serial); - if (u == null) { + if (u == null || clientCert == null) { resp.sendError(403, "Error, cert authing required. Serial not found: " + serial); return; } @@ -42,6 +44,10 @@ public abstract class APIPoint { resp.sendError(500, "Error, no query String allowed."); return; } + process(req, resp, u, clientCert); + } + + protected void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u, Certificate clientCert) throws IOException { process(req, resp, u); } diff --git a/src/org/cacert/gigi/api/CATSImport.java b/src/org/cacert/gigi/api/CATSImport.java index 49960cd4..afa0f2a6 100644 --- a/src/org/cacert/gigi/api/CATSImport.java +++ b/src/org/cacert/gigi/api/CATSImport.java 
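Review bot: The new guard `if (u == null || clientCert == null)` resolves the same serial through two independent lookups, `Certificate.getBySerial` and `CertificateOwner.getByEnabledSerial`, and nothing in the hunk ties the two results together, so the `clientCert` handed to the callers is assumed rather than checked to be the enabled certificate that produced `u`. If the two lookups can ever disagree (for example if `getBySerial` applies no enabled/revocation filter, which is not visible here), the owner test in `CATSRestrictedApi` would run against one record and the SAN test against another. Either a comment stating why both are guaranteed to denote the same certificate, or an explicit check that `clientCert` belongs to `u`, would make the invariant visible. The enclosing method starts before the hunk.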
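Review bot: The new `protected void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u, Certificate clientCert)` overload has no Javadoc, and its relationship to the three-argument `process` is exactly what a subclass author needs: the default body is the only caller of the three-argument form, so overriding the four-argument form (as `CATSRestrictedApi` now does) silently disconnects the other. I would add `/** Called once the client certificate is verified; by default delegates to {@link #process(HttpServletRequest, HttpServletResponse, CertificateOwner)}. Subclasses override exactly one of the two forms. */`. The three-argument `process` is declared outside the hunk; if it is still abstract, `CATSImport` and `CATSResolve` no longer implement it after this commit, which is worth confirming at compile time.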
@@ -8,24 +8,14 @@ import javax.servlet.http.HttpServletResponse; import org.cacert.gigi.dbObjects.CATS; import org.cacert.gigi.dbObjects.CertificateOwner; -import org.cacert.gigi.dbObjects.Organisation; import org.cacert.gigi.dbObjects.User; -public class CATSImport extends APIPoint { +public class CATSImport extends CATSRestrictedApi { public static final String PATH = "/cats/import"; @Override - public void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u) throws IOException { - if ( !(u instanceof Organisation)) { - resp.sendError(500, "Error, invalid cert"); - return; - } - if ( !((Organisation) u).isSelfOrganisation()) { - resp.sendError(500, "Error, invalid cert"); - return; - - } + public void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException { String target = req.getParameter("mid"); String testType = req.getParameter("variant"); String date = req.getParameter("date"); diff --git a/src/org/cacert/gigi/api/CATSResolve.java b/src/org/cacert/gigi/api/CATSResolve.java index 0e9f2a01..332885a9 100644 --- a/src/org/cacert/gigi/api/CATSResolve.java +++ b/src/org/cacert/gigi/api/CATSResolve.java 
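Review bot: After the signature change to `processAuthenticated(HttpServletRequest req, HttpServletResponse resp)` the only visible use of `CertificateOwner` in this file is gone, yet `import org.cacert.gigi.dbObjects.CertificateOwner;` is kept while the `Organisation` import is dropped; unless the rest of the file (outside the hunk) still references it, the import is now unused and should go the same way. The method body continues past the end of the hunk.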
@@ -5,31 +5,28 @@ import java.io.IOException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.cacert.gigi.dbObjects.Certificate; import org.cacert.gigi.dbObjects.CertificateOwner; -import org.cacert.gigi.dbObjects.Organisation; import org.cacert.gigi.dbObjects.User; -public class CATSResolve extends APIPoint { +public class CATSResolve extends CATSRestrictedApi { public static final String PATH = "/cats/resolve"; @Override - public void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u) throws IOException { - if ( !(u instanceof Organisation)) { - resp.sendError(500, "Error, invalid cert"); - return; - } - if ( !((Organisation) u).isSelfOrganisation()) { - resp.sendError(500, "Error, invalid cert"); - return; - } + public void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException { String target = req.getParameter("serial"); if (target == null) { resp.sendError(500, "Error, requires a serial parameter"); return; } - - CertificateOwner o = CertificateOwner.getByEnabledSerial(target.toLowerCase()); + target = target.toLowerCase(); + Certificate clientCert = Certificate.getBySerial(target); + if (clientCert == null) { + resp.sendError(500, "Error, requires valid serial"); + return; + } + CertificateOwner o = CertificateOwner.getByEnabledSerial(target); if ( !(o instanceof User)) { resp.sendError(500, "Error, requires valid serial"); return; diff --git a/src/org/cacert/gigi/api/CATSRestrictedApi.java b/src/org/cacert/gigi/api/CATSRestrictedApi.java new file mode 100644 index 00000000..b7ff83a9 --- /dev/null +++ b/src/org/cacert/gigi/api/CATSRestrictedApi.java 
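Review bot: The local introduced at `Certificate clientCert = Certificate.getBySerial(target);` holds the certificate named by the `serial` request parameter — the object being resolved — whereas in `APIPoint` and `CATSRestrictedApi` the same name `clientCert` means the caller's own authenticating certificate, so a reader skimming the three files will conflate the two roles; `Certificate subjectCert = Certificate.getBySerial(target);` would keep them apart. The added branches also continue the pattern of answering a missing or unknown parameter with `sendError(500, ...)`, which logs and monitors as a server fault; 400 for the missing parameter and 404 for an unknown serial would distinguish client mistakes from real failures. If the certificate is not used after the hunk (the method body continues beyond it), a short comment saying the lookup is only an existence check would avoid the question.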
@@ -0,0 +1,44 @@ +package org.cacert.gigi.api; + +import java.io.IOException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.cacert.gigi.dbObjects.Certificate; +import org.cacert.gigi.dbObjects.Certificate.SANType; +import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName; +import org.cacert.gigi.dbObjects.CertificateOwner; +import org.cacert.gigi.dbObjects.Organisation; +import org.cacert.gigi.util.ServerConstants; + +public abstract class CATSRestrictedApi extends APIPoint { + + @Override + public final void process(HttpServletRequest req, HttpServletResponse resp, CertificateOwner u, Certificate clientCert) throws IOException { + if ( !(u instanceof Organisation)) { + resp.sendError(500, "Error, invalid cert"); + return; + } + if ( !((Organisation) u).isSelfOrganisation()) { + resp.sendError(500, "Error, invalid cert"); + return; + } + if ( !hasMail(clientCert, ServerConstants.getQuizMailAddress())) { + resp.sendError(500, "Error, invalid cert"); + return; + } + processAuthenticated(req, resp); + } + + public abstract void processAuthenticated(HttpServletRequest req, HttpServletResponse resp) throws IOException; + + public boolean hasMail(Certificate clientCert, String mail) { + for (SubjectAlternateName a : clientCert.getSANs()) { + if (a.getType() == SANType.EMAIL && a.getName().equals(mail)) { + return true; + } + } + return false; + } +} diff --git a/src/org/cacert/gigi/util/ServerConstants.java b/src/org/cacert/gigi/util/ServerConstants.java index cab50b4e..0a6b5ae4 100644 --- a/src/org/cacert/gigi/util/ServerConstants.java +++ b/src/org/cacert/gigi/util/ServerConstants.java @@ -114,4 +114,8 @@ public class ServerConstants { return "board@" + ServerConstants.getWwwHostName().replaceFirst("^www\\.", ""); } + public static String getQuizMailAddress() { + return "quiz@" + ServerConstants.getWwwHostName().replaceFirst("^www\\.", ""); + } + } 
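Review bot: `hasMail` is declared `public` and overridable although it is the decisive step of the authorization that `process` was made `final` to lock down: a subclass of `CATSRestrictedApi` can override it to return `true` and the `ServerConstants.getQuizMailAddress()` SAN requirement disappears without touching the final method. Declaring it `private static boolean hasMail(Certificate clientCert, String mail)` (or `protected final` if subclasses legitimately need it) closes that gap. `processAuthenticated` also deserves a Javadoc stating the guarantee callers rely on, along the lines of `/** Invoked only for a login-enabled certificate of the self organisation whose SANs contain the quiz mail address. */`. Finally, the three rejections use status 500 with "Error, invalid cert" while `APIPoint` answers a missing or unknown client certificate with 403; using 403 here too would keep the authentication failures distinguishable from server faults in the access logs.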
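Review bot: `getQuizMailAddress` repeats the domain derivation of the board address one line above it, `ServerConstants.getWwwHostName().replaceFirst("^www\\.", "")`, so the two addresses can drift apart the next time the host-name rule changes. A private helper such as `private static String getMailDomain() { return ServerConstants.getWwwHostName().replaceFirst("^www\\.", ""); }` used by both methods keeps the rule in one place; the board-address method begins outside the hunk.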
diff --git a/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java b/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java index e4ec22b9..4fbfc4f0 100644 --- a/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java +++ b/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java @@ -22,6 +22,7 @@ import org.cacert.gigi.dbObjects.Digest; import org.cacert.gigi.dbObjects.Group; import org.cacert.gigi.dbObjects.Organisation; import org.cacert.gigi.dbObjects.User; +import org.cacert.gigi.util.ServerConstants; import org.junit.BeforeClass; public class RestrictedApiTest extends ClientTest { @@ -30,6 +31,8 @@ public class RestrictedApiTest extends ClientTest { protected static X509Certificate ce; + protected static Organisation selfOrg; + public RestrictedApiTest() { makeAssurer(id); } 
@@ -42,15 +45,15 @@ public class RestrictedApiTest extends ClientTest { grant(u, Group.ORGASSURER); clearCaches(); u = User.getById(u.getId()); - Organisation o = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u); - assertTrue(o.isSelfOrganisation()); + selfOrg = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u); + assertTrue(selfOrg.isSelfOrganisation()); KeyPair kp = generateKeypair(); - String key1 = generatePEMCSR(kp, "EMAIL=cats@cacert.org"); - Certificate c = new Certificate(o, u, Certificate.buildDN("EMAIL", "cats@cacert.org"), Digest.SHA256, key1, CSRType.CSR, CertificateProfile.getByName("client-orga"), new Certificate.SubjectAlternateName(SANType.EMAIL, "cats@cacert.org")); + String key1 = generatePEMCSR(kp, "EMAIL=" + ServerConstants.getQuizMailAddress()); + Certificate apiCert = new Certificate(selfOrg, u, Certificate.buildDN("EMAIL", ServerConstants.getQuizMailAddress()), Digest.SHA256, key1, CSRType.CSR, CertificateProfile.getByName("client-orga"), new Certificate.SubjectAlternateName(SANType.EMAIL, ServerConstants.getQuizMailAddress())); pk = kp.getPrivate(); - await(c.issue(null, "2y", u)); - ce = c.cert(); - c.setLoginEnabled(true); + await(apiCert.issue(null, "2y", u)); + ce = apiCert.cert(); + apiCert.setLoginEnabled(true); } catch (IOException e) { throw new Error(e); } catch (GigiApiException e) {
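Review bot: The rewritten setup provisions only the one certificate that now satisfies `CATSRestrictedApi` — issued to `selfOrg` with a `SANType.EMAIL` entry equal to `ServerConstants.getQuizMailAddress()` — so the restriction this commit adds, rejecting a self-organisation client certificate whose SANs lack the quiz address, has no test exercising the failing branch as far as this hunk shows. A second certificate built like `apiCert` but with a different SAN (the previous `cats@cacert.org` value would do), presented to one of the CATS endpoints and asserted to receive the error response, would pin the new behaviour. The enclosing setup method starts before the hunk.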