From: INOPIAE Date: Thu, 18 Jul 2019 05:43:48 +0000 (+0200) Subject: add: ensure that for OrgAdmin action there is a valid OrgAdmin Challenge X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=ae1472c79b919cde36c2666ea243b005d33bfd68 add: ensure that for OrgAdmin action there is a valid OrgAdmin Challenge last patch of series. Fixes issue #150 Change-Id: I17bf8fd5ea9af89792d6ac4fe8f39261e8aa0192 --- diff --git a/src/club/wpia/gigi/pages/MainPage.java b/src/club/wpia/gigi/pages/MainPage.java index 9ebd30fa..02232f2e 100644 --- a/src/club/wpia/gigi/pages/MainPage.java +++ b/src/club/wpia/gigi/pages/MainPage.java @@ -128,6 +128,11 @@ public class MainPage extends Page { vars.put("certlogininfo", false); } + if ( !o.isEmpty() && !u.hasValidOrgAdminChallenge()) { + vars.put("catsinfo", true); + vars.put("catsorgadmin", true); + } + getDefaultTemplate().output(resp.getWriter(), getLanguage(req), vars); } else { diff --git a/src/club/wpia/gigi/pages/MainPage.templ b/src/club/wpia/gigi/pages/MainPage.templ index 9b7ea86e..963208e8 100644 --- a/src/club/wpia/gigi/pages/MainPage.templ +++ b/src/club/wpia/gigi/pages/MainPage.templ @@ -23,9 +23,12 @@
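Review bot: The new banner condition in MainPage restates the rule that SwitchOrganisation.isPermitted enforces in this same series (organisation membership plus a current Org Admin challenge) without saying so, and `o` is computed outside the hunk, so the link is easy to lose on the next edit; a one-line comment would help: `// Org admins also need a current Org Admin challenge before SwitchOrganisation lets them act for an organisation; remind them here (cf. SwitchOrganisation.isPermitted).` The if/else branch this sits in starts outside the hunk. The reminder is shown whether or not the session is certificate-authenticated, which is presumably fine since it is informational only and the real gate is in the page permission checks.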

- -

- + +

+ + +

+
diff --git a/src/club/wpia/gigi/pages/orga/MyOrganisationsForm.java b/src/club/wpia/gigi/pages/orga/MyOrganisationsForm.java
index a083b7cd..d5a67108 100644
--- a/src/club/wpia/gigi/pages/orga/MyOrganisationsForm.java
+++ b/src/club/wpia/gigi/pages/orga/MyOrganisationsForm.java
@@ -62,7 +62,7 @@ public class MyOrganisationsForm extends Form {
 @Override
 protected void outputContent(PrintWriter out, Language l, Map vars) {
 final List o = target.getActor().getOrganisations();
- vars.put("certlogin", target.isStronglyAuthenticated());
+ vars.put("certlogin", target.isStronglyAuthenticated() && target.getActor().hasValidOrgAdminChallenge());
 if (target.getTarget() != target.getActor()) {
 vars.put("personal", target.getTarget() != target.getActor());
 }
diff --git a/src/club/wpia/gigi/pages/orga/SwitchOrganisation.java b/src/club/wpia/gigi/pages/orga/SwitchOrganisation.java
index 1d680ca0..16ccbf43 100644
--- a/src/club/wpia/gigi/pages/orga/SwitchOrganisation.java
+++ b/src/club/wpia/gigi/pages/orga/SwitchOrganisation.java
@@ -19,7 +19,7 @@ public class SwitchOrganisation extends ManagedFormPage {
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
- return ac != null && ac.getActor().getOrganisations().size() != 0 && ac.isStronglyAuthenticated();
+ return ac != null && ac.getActor().getOrganisations().size() != 0 && ac.isStronglyAuthenticated() && ac.getActor().hasValidOrgAdminChallenge();
 }
 @Override
diff --git a/src/club/wpia/gigi/pages/orga/ViewOrgPage.java b/src/club/wpia/gigi/pages/orga/ViewOrgPage.java
index 03274215..de4e9d04 100644
--- a/src/club/wpia/gigi/pages/orga/ViewOrgPage.java
+++ b/src/club/wpia/gigi/pages/orga/ViewOrgPage.java
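Review bot: After this change the template variable `certlogin` no longer means "logged in with a client certificate": it is false for a certificate-authenticated admin whose Org Admin challenge is missing or expired, so MyOrganisationsForm.templ (not in this diff) will presumably show its certificate-login hint for a cause the user cannot fix by re-logging in. Prefer a second flag so the template can name the actual missing requirement, keeping `vars.put("certlogin", target.isStronglyAuthenticated());` and adding `vars.put("orgadminchallenge", target.getActor().hasValidOrgAdminChallenge());`, or at least put a comment on the changed line stating that the flag now gates the whole switch action. The challenge is evaluated on the actor rather than the target, which is consistent with SwitchOrganisation.isPermitted.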
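Review bot: The predicate "has organisations, strongly authenticated, valid Org Admin challenge" is now written out separately in SwitchOrganisation.isPermitted, ViewOrgPage.isPermitted, MyOrganisationsForm and MainPage within this series, and the copies already disagree (ViewOrgPage calls `getOrganisations(true)`, this line `getOrganisations()`), so the next change to the challenge rule is likely to miss one. A single helper on the actor, e.g. `public boolean canActAsOrgAdmin() { return !getOrganisations().isEmpty() && hasValidOrgAdminChallenge(); }`, called from each `isPermitted`, would keep them aligned. Separately, this check only guards entering the switch page: if the admin switched into an organisation earlier in the session and the challenge expires afterwards, nothing visible in this diff re-validates the existing organisation context, which is worth confirming in AuthorizationContext or the session code outside this patch.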
@@ -36,7 +36,7 @@ public class ViewOrgPage extends ManagedMultiFormPage {
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
- return ac != null && ((ac.isInGroup(CreateOrgPage.ORG_AGENT) && ac.getActor().hasValidOrgAgentChallenge()) || ac.getActor().getOrganisations(true).size() != 0) && ac.isStronglyAuthenticated();
+ return ac != null && ((ac.isInGroup(CreateOrgPage.ORG_AGENT) && ac.getActor().hasValidOrgAgentChallenge()) || (ac.getActor().getOrganisations(true).size() != 0) && ac.getActor().hasValidOrgAdminChallenge()) && ac.isStronglyAuthenticated();
 }
 @Override
diff --git a/tests/club/wpia/gigi/pages/TestMain.java b/tests/club/wpia/gigi/pages/TestMain.java
index dfc6579e..be642f03 100644
--- a/tests/club/wpia/gigi/pages/TestMain.java
+++ b/tests/club/wpia/gigi/pages/TestMain.java
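Review bot: The new condition has the shape `A || (B) && C`, which Java parses as `A || (B && C)`; that is the intended meaning (the Org Admin challenge applies only to the organisation-admin path, the agent path has its own challenge check), but the parentheses around `B` alone suggest the challenge was meant to apply to both branches, and a reader must recall operator precedence to see otherwise. Make the grouping explicit: `return ac != null && ac.isStronglyAuthenticated() && ((ac.isInGroup(CreateOrgPage.ORG_AGENT) && ac.getActor().hasValidOrgAgentChallenge()) || (ac.getActor().getOrganisations(true).size() != 0 && ac.getActor().hasValidOrgAdminChallenge()));`. This page uses `getOrganisations(true)` while SwitchOrganisation.isPermitted uses `getOrganisations()`; if the boolean narrows the list, the two pages disagree on who counts as an org admin, which may be deliberate but deserves a comment.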
@@ -147,9 +147,26 @@ public class TestMain extends ClientTest { addChallenge(u.getId(), CATSType.TTP_AGENT_CHALLENGE); testChallengeText("you need to pass the TTP RA Agent Challenge", false); + + // test Org Admin Challenge + Organisation o = new Organisation(createUniqueName(), Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "pr", "city", "test@example.com", "", "", u); + User admin = User.getById(createVerificationUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD)); + + loginCertificate = null; + cookie = cookieWithCertificateLogin(admin); + testChallengeText("you need to pass the Organisation Administrator Challenge", false); + + o.addAdmin(admin, u, true); + testChallengeText("you need to pass the Organisation Administrator Challenge", true); + + addChallengeInPast(admin.getId(), CATSType.ORG_ADMIN_DP_CHALLENGE_NAME); + testChallengeText("you need to pass the Organisation Administrator Challenge", true); + + addChallenge(admin.getId(), CATSType.ORG_ADMIN_DP_CHALLENGE_NAME); + testChallengeText("you need to pass the Organisation Administrator Challenge", false); } - private void testChallengeText(String contentText, boolean contains) throws IOException, MalformedURLException { + private void testChallengeText(String contentText, boolean contains) throws IOException, MalformedURLException, GigiApiException { URLConnection uc = new URL("https://" + getSecureServerName()).openConnection(); authenticate((HttpURLConnection) uc); String content = IOUtils.readURL(uc); diff --git a/tests/club/wpia/gigi/pages/orga/TestOrgDomain.java b/tests/club/wpia/gigi/pages/orga/TestOrgDomain.java index f04f66ae..97b8fbe7 100644 --- a/tests/club/wpia/gigi/pages/orga/TestOrgDomain.java +++ b/tests/club/wpia/gigi/pages/orga/TestOrgDomain.java 
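Review bot: The final `addChallenge(admin.getId(), CATSType.ORG_ADMIN_DP_CHALLENGE_NAME)` is followed directly by `testChallengeText(..., false)` with no `clearCaches()`, whereas TestOrgSwitch.testSwitchOrgLoginChallenge in this same series needs `clearCaches()` after `addChallenge` before the new state is observed; if the challenge lookup is cached per User object, the last assertion here may pass only because the preceding addChallengeInPast happened to refresh it, making the sequence order-dependent. Add `clearCaches();` after each `addChallenge`/`addChallengeInPast` call in this block to match the other test. The `loginCertificate = null;` before `cookieWithCertificateLogin(admin)` also deserves a short why-comment, presumably along the lines of `// drop u's certificate so a fresh one is issued for admin`.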
@@ -10,6 +10,7 @@ import java.net.URLEncoder; import org.junit.Test; import club.wpia.gigi.GigiApiException; +import club.wpia.gigi.dbObjects.CATS.CATSType; import club.wpia.gigi.dbObjects.Domain; import club.wpia.gigi.dbObjects.Organisation; import club.wpia.gigi.dbObjects.User; @@ -99,6 +100,7 @@ public class TestOrgDomain extends OrgTest { Domain d = new Domain(u, o, dom); assertEquals(1, o.getDomains().length); User admin = createOrgAdmin(o); + addChallenge(admin.getId(), CATSType.ORG_ADMIN_DP_CHALLENGE_NAME); String adminCookie = cookieWithCertificateLogin(admin); assertNull(executeBasicWebInteraction(adminCookie, SwitchOrganisation.PATH, "org:" + o.getId() + "=y", 0)); diff --git a/tests/club/wpia/gigi/pages/orga/TestOrgSwitch.java b/tests/club/wpia/gigi/pages/orga/TestOrgSwitch.java index 90362a9a..c19f387c 100644 --- a/tests/club/wpia/gigi/pages/orga/TestOrgSwitch.java +++ b/tests/club/wpia/gigi/pages/orga/TestOrgSwitch.java @@ -8,12 +8,18 @@ import java.io.IOException; import java.net.HttpURLConnection; import java.net.URLConnection; import java.net.URLEncoder; +import java.security.GeneralSecurityException; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; import java.sql.SQLException; import org.junit.After; import org.junit.Test; import club.wpia.gigi.GigiApiException; +import club.wpia.gigi.dbObjects.CATS.CATSType; +import club.wpia.gigi.dbObjects.Certificate; import club.wpia.gigi.dbObjects.Organisation; import club.wpia.gigi.dbObjects.User; import club.wpia.gigi.testUtils.IOUtils; @@ -27,6 +33,10 @@ public class TestOrgSwitch extends OrgTest { private Organisation org2 = createUniqueOrg(); + private Certificate cagent; + + private PrivateKey pkagent; + public TestOrgSwitch() throws IOException, GigiApiException { assertEquals(403, get(SwitchOrganisation.PATH).getResponseCode()); 
@@ -35,6 +45,9 @@ public class TestOrgSwitch extends OrgTest {
 u2 = User.getById(createVerificationUser("testworker", "testname", email, TEST_PASSWORD));
 assertNull(executeBasicWebInteraction(cookie, ViewOrgPage.DEFAULT_PATH + "/" + org1.getId(), "email=" + URLEncoder.encode(u2.getEmail(), "UTF-8") + "&do_affiliate=y&master=y", 1));
 assertNull(executeBasicWebInteraction(cookie, ViewOrgPage.DEFAULT_PATH + "/" + org2.getId(), "email=" + URLEncoder.encode(u2.getEmail(), "UTF-8") + "&do_affiliate=y&master=y", 1));
+ addChallenge(u2.getId(), CATSType.ORG_ADMIN_DP_CHALLENGE_NAME);
+ cagent = loginCertificate;
+ pkagent = loginPrivateKey;
 // login with new user u2
 cookie = cookieWithCertificateLogin(u2);
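Review bot: `cagent = loginCertificate; pkagent = loginPrivateKey;` snapshot whatever credentials the harness is using at that moment, and only the later `login(pkagent, cagent.cert())` followed by affiliate calls on ViewOrgPage reveals that these are the organisation agent's; a comment at the assignment saves the reader that detour: `// keep the org agent's login credentials so a test can re-authenticate as the agent after the cookie is switched to u2`. The constructor's new `addChallenge(u2.getId(), ...)` means every existing test in this class now runs with a valid challenge, which is needed for them to keep reaching SwitchOrganisation, but it also means only the new test covers the missing-challenge 403 path.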
@@ -127,4 +140,24 @@ public class TestOrgSwitch extends OrgTest {
 URLConnection uc = get(cookie, SwitchOrganisation.PATH);
 assertEquals(403, ((HttpURLConnection) uc).getResponseCode());
 }
+
+ @Test
+ public void testSwitchOrgLoginChallenge() throws IOException, GigiApiException, KeyManagementException, NoSuchAlgorithmException, GeneralSecurityException {
+ loginCertificate = cagent;
+ loginPrivateKey = pkagent;
+ cookie = login(pkagent, cagent.cert());
+ String email = createUniqueName() + "@testdom.com";
+ User u3 = User.getById(createVerificationUser("testworker", "testname", email, TEST_PASSWORD));
+ assertNull(executeBasicWebInteraction(cookie, ViewOrgPage.DEFAULT_PATH + "/" + org1.getId(), "email=" + URLEncoder.encode(u3.getEmail(), "UTF-8") + "&do_affiliate=y&master=y", 1));
+ assertNull(executeBasicWebInteraction(cookie, ViewOrgPage.DEFAULT_PATH + "/" + org2.getId(), "email=" + URLEncoder.encode(u3.getEmail(), "UTF-8") + "&do_affiliate=y&master=y", 1));
+
+ cookie = cookieWithCertificateLogin(u3);
+ URLConnection uc = get(cookie, SwitchOrganisation.PATH);
+ assertEquals(403, ((HttpURLConnection) uc).getResponseCode());
+
+ addChallenge(u3.getId(), CATSType.ORG_ADMIN_DP_CHALLENGE_NAME);
+ clearCaches();
+ uc = get(cookie, SwitchOrganisation.PATH);
+ assertEquals(200, ((HttpURLConnection) uc).getResponseCode());
+ }
 }
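Review bot: testSwitchOrgLoginChallenge checks "no challenge → 403" and "fresh challenge → 200" but not an expired challenge, which is the case hasValidOrgAdminChallenge exists to reject and which TestMain in this series exercises via addChallengeInPast for the banner only; add before the `addChallenge` call: `addChallengeInPast(u3.getId(), CATSType.ORG_ADMIN_DP_CHALLENGE_NAME);`, `clearCaches();`, `assertEquals(403, ((HttpURLConnection) get(cookie, SwitchOrganisation.PATH)).getResponseCode());`. The throws clause lists `KeyManagementException` and `NoSuchAlgorithmException` next to `GeneralSecurityException`, which already covers both, so the two narrower types and their imports added in the earlier hunk can be dropped.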