From: INOPIAE
Date: Wed, 10 Jul 2019 07:35:09 +0000 (+0200)
Subject: add: ensure that for RA Agent actions certificate login is used
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=c23bd923858a6c589bddecebd65fdf0739c62e6a;ds=sidebyside

add: ensure that for RA Agent actions certificate login is used
related to issue #150
Change-Id: Ia6e474a9c3d7fb716c736aeb9b21dfe1f765de6c
---
diff --git a/src/club/wpia/gigi/util/AuthorizationContext.java b/src/club/wpia/gigi/util/AuthorizationContext.java
index 9888309a..566436ac 100644
--- a/src/club/wpia/gigi/util/AuthorizationContext.java
+++ b/src/club/wpia/gigi/util/AuthorizationContext.java
@@ -113,7 +113,7 @@ public class AuthorizationContext implements Outputable, Serializable {
 }
 public boolean canVerify() {
- return target instanceof User && ((User) target).canVerify();
+ return target instanceof User && ((User) target).canVerify() && isStronglyAuthenticated();
 }
 public boolean isStronglyAuthenticated() {
diff --git a/tests/club/wpia/gigi/pages/account/TestPasswordResetExternal.java b/tests/club/wpia/gigi/pages/account/TestPasswordResetExternal.java
index 1efc5f73..31510abe 100644
--- a/tests/club/wpia/gigi/pages/account/TestPasswordResetExternal.java
+++ b/tests/club/wpia/gigi/pages/account/TestPasswordResetExternal.java
@@ -6,14 +6,15 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
-import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLEncoder;
+import java.security.GeneralSecurityException;
 import org.junit.Test;
+import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.dbObjects.User;
 import club.wpia.gigi.pages.PasswordResetPage;
 import club.wpia.gigi.pages.wot.TestVerification;
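Review bot: `canVerify()` now refuses sessions that are not strongly authenticated, which is the security property this commit exists for, yet the method carries no Javadoc saying so and the requirement is otherwise only spelled out in a test elsewhere in this change. Add `/** A User may verify only from a session for which {@link #isStronglyAuthenticated()} holds (client-certificate login); password-only RA agent sessions are refused. */` above the method. `isStronglyAuthenticated()` is declared on the last line of the hunk but its body lies outside it, so whether it evaluates the login method of `target` or of a distinct actor (if the context distinguishes one) cannot be confirmed here and deserves a sentence in that Javadoc as well.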
@@ -25,9 +26,9 @@ import club.wpia.gigi.util.RandomToken;
 public class TestPasswordResetExternal extends ClientTest {
 @Test
- public void testByVerification() throws IOException {
+ public void testByVerification() throws IOException, GeneralSecurityException, GigiApiException, InterruptedException {
 User u = User.getById(createVerificationUser("fn", "ln", createUniqueName() + "@example.com", TEST_PASSWORD));
- String cookie2 = login(u.getEmail(), TEST_PASSWORD);
+ String cookie2 = cookieWithCertificateLogin(u);
 URLConnection uc = TestVerification.buildupVerifyFormConnection(cookie2, email, true);
 String avalue = RandomToken.generateToken(32);
 uc.getOutputStream().write(("verifiedName=" + this.u.getPreferredName().getId() + "&date=" + TestVerification.validVerificationDateString() + "&location=testcase&countryCode=DE&certify=1&rules=1&assertion=1&points=10&passwordReset=1&passwordResetValue=" + URLEncoder.encode(avalue, "UTF-8")).getBytes("UTF-8"));
@@ -40,7 +41,6 @@ public class TestPasswordResetExternal extends ClientTest {
 mail = getMailReceiver().receive(this.u.getEmail());
 String link = mail.extractLink();
 String npw = TEST_PASSWORD + "'";
- System.out.println(link);
 assertNotNull(toPasswordReset(avalue, link, npw, npw + "'"));
 assertNotNull(toPasswordReset(avalue + "'", link, npw, npw));
 assertNotNull(toPasswordReset(avalue, link, "a", "a"));
@@ -59,7 +59,6 @@ public class TestPasswordResetExternal extends ClientTest {
 uc2.setDoOutput(true);
 OutputStream o = uc2.getOutputStream();
 o.write(("csrf=" + csrf + "&pword1=" + URLEncoder.encode(npw, "UTF-8") + "&pword2=" + URLEncoder.encode(npw2, "UTF-8") + "&private_token=" + URLEncoder.encode(avalue, "UTF-8")).getBytes("UTF-8"));
- System.out.println(((HttpURLConnection) uc2).getResponseCode());
 String readURL = IOUtils.readURL(uc2);
 return fetchStartErrorMessage(readURL);
 }
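Review bot: `String cookie2 = cookieWithCertificateLogin(u);` leaves `loginCertificate` and `loginPrivateKey` set on the test instance for the remainder of `testByVerification`, while the later `toPasswordReset` requests in this file are meant to exercise the external, unauthenticated reset flow. If the base class presents the client certificate on every connection while `loginCertificate` is non-null — which the `loginCertificate = null;` resets added in TestVerification suggest — those reset requests are made with the agent's certificate attached and the test no longer proves what its name says. Consider `loginCertificate = null;` and `loginPrivateKey = null;` immediately after the verification form has been submitted, before the reset link is followed. The body of `testByVerification` continues past the first hunk, so the exact placement is not visible here.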
diff --git a/tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java b/tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java
index e85b03e9..ac4c23bf 100644
--- a/tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java
+++ b/tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java
@@ -7,18 +7,11 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
 import java.util.Random;
 import org.junit.Test;
 import club.wpia.gigi.GigiApiException;
-import club.wpia.gigi.dbObjects.Certificate;
-import club.wpia.gigi.dbObjects.Certificate.CSRType;
-import club.wpia.gigi.dbObjects.Digest;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.pages.admin.support.FindCertPage;
 import club.wpia.gigi.pages.admin.support.FindUserByDomainPage;
@@ -32,22 +25,7 @@ public class TestSEAdminTicketSetting extends ClientTest {
 public TestSEAdminTicketSetting() throws IOException, GigiApiException {
 grant(u, Group.SUPPORTER);
- try {
- KeyPair kp = generateKeypair();
- String csr = generatePEMCSR(kp, "CN=" + u.getPreferredName().toString());
- Certificate c = new Certificate(u, u, Certificate.buildDN("CN", u.getPreferredName().toString()), Digest.SHA256, csr, CSRType.CSR, getClientProfile());
- final PrivateKey pk = kp.getPrivate();
- await(c.issue(null, "2y", u));
- final X509Certificate ce = c.cert();
- c.setLoginEnabled(true);
- cookie = login(pk, ce);
- loginCertificate = c;
- loginPrivateKey = pk;
- } catch (InterruptedException e) {
- throw new GigiApiException(e.toString());
- } catch (GeneralSecurityException e) {
- throw new GigiApiException(e.toString());
- }
+ cookie = cookieWithCertificateLogin(u);
 }
 @Test
diff --git a/tests/club/wpia/gigi/pages/wot/TestVerification.java b/tests/club/wpia/gigi/pages/wot/TestVerification.java
index 5b61f231..a25a2bc4 100644
--- a/tests/club/wpia/gigi/pages/wot/TestVerification.java
+++ b/tests/club/wpia/gigi/pages/wot/TestVerification.java
@@ -9,6 +9,7 @@ import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URLConnection;
 import java.net.URLEncoder;
+import java.security.GeneralSecurityException;
 import java.sql.SQLException;
 import java.sql.Timestamp;
 import java.text.SimpleDateFormat;
@@ -43,7 +44,7 @@ public class TestVerification extends ManagedTest {
 private String cookie;
 @Before
- public void setup() throws IOException {
+ public void setup() throws IOException, GeneralSecurityException, GigiApiException, InterruptedException {
 clearCaches();
 agentM = createUniqueName() + "@example.org";
 applicantM = createUniqueName() + "@example.org";
@@ -52,7 +53,8 @@ public class TestVerification extends ManagedTest {
 int applicantId = createVerifiedUser("a", "c", applicantM, TEST_PASSWORD);
 applicantName = User.getById(applicantId).getPreferredName().getId();
- cookie = login(agentM, TEST_PASSWORD);
+ User users[] = User.findByEmail(agentM);
+ cookie = cookieWithCertificateLogin(users[0]);
 }
 private Matcher isVerificationForm() {
@@ -158,7 +160,7 @@ public class TestVerification extends ManagedTest {
 String applicantCookie = login(applicantM, TEST_PASSWORD);
 String newDob = "day=1&month=1&year=" + ( !succeed ? 1911 : 1910);
-
+ loginCertificate = null;
 assertNull(executeBasicWebInteraction(applicantCookie, MyDetails.PATH, newDob + "&action=updateDoB", 0));
 uc.getOutputStream().write(("verifiedName=" + applicantName + "&date=" + validVerificationDateString() + "&location=testcase&countryCode=DE&certify=1&rules=1&assertion=1&points=10").getBytes("UTF-8"));
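Review bot: `cookie = cookieWithCertificateLogin(users[0]);` in `setup()` indexes the result of `User.findByEmail(agentM)` without checking it, so a missing agent surfaces as an `ArrayIndexOutOfBoundsException` rather than a readable failure; `assertEquals(1, users.length);` before the call states the expectation. The `loginCertificate = null;` added after `login(applicantM, TEST_PASSWORD)` in the `@@ -158` hunk, and again in the `@@ -245` and `@@ -259` hunks on the following line, is the same reset repeated at every password login; doing it once inside the password `login(String, String)` overload in ManagedTest (not part of this diff) would remove the chance that a forgotten reset silently presents the agent's certificate on a request intended to be password-only. `User users[]` is C-style array syntax; `User[] users` is the conventional form.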
@@ -245,6 +247,7 @@ public class TestVerification extends ManagedTest {
 getMailReceiver().receive(applicantM);
 String cookie = login(applicantM, TEST_PASSWORD);
+ loginCertificate = null;
 URLConnection url = get(cookie, Points.PATH);
 String resp = IOUtils.readURL(url);
 resp = resp.split(Pattern.quote(""))[1];
@@ -259,6 +262,7 @@ public class TestVerification extends ManagedTest {
 getMailReceiver().receive(applicantM);
 String cookie = login(agentM, TEST_PASSWORD);
+ loginCertificate = null;
 URLConnection url = get(cookie, Points.PATH);
 String resp = IOUtils.readURL(url);
 resp = resp.split(Pattern.quote(""))[2];
@@ -303,8 +307,7 @@ public class TestVerification extends ManagedTest {
 }
 @Test
- public void testMultipleVerification() throws IOException {
-
+ public void testMultipleVerification() throws IOException, GeneralSecurityException, GigiApiException, InterruptedException {
 User users[] = User.findByEmail(agentM);
 int agentID = users[0].getId();
@@ -341,7 +344,7 @@ public class TestVerification extends ManagedTest {
 }
 @Test
- public void testRANotificationSet() throws IOException, GigiApiException {
+ public void testRANotificationSet() throws IOException, GigiApiException, GeneralSecurityException, InterruptedException {
 getMailReceiver().assertEmpty();
 User users[] = User.findByEmail(agentM);
@@ -350,15 +353,14 @@ public class TestVerification extends ManagedTest {
 User u = users[0];
 u.grantGroup(u, Group.VERIFY_NOTIFICATION);
 clearCaches();
- cookie = login(agentM, TEST_PASSWORD);
-
- String targetMail = u.getEmail();
+ cookie = cookieWithCertificateLogin(users[0]);
 // enter verification
 String uniqueLoc = createUniqueName();
 executeSuccess("date=" + validVerificationDateString() + "&location=" + uniqueLoc + "&countryCode=DE&certify=1&rules=1&assertion=1&points=10");
 getMailReceiver().receive(applicantM);
- TestMail tm = getMailReceiver().receive(targetMail);
+
+ TestMail tm = getMailReceiver().receive(agentM);
 assertThat(tm.getMessage(), containsString("You entered a verification for the account with email address " + applicantM));
 }
@@ -373,16 +375,20 @@ public class TestVerification extends ManagedTest {
 User u = users[0];
 u.revokeGroup(u, Group.VERIFY_NOTIFICATION);
 clearCaches();
- cookie = login(agentM, TEST_PASSWORD);
 // enter verification
 String uniqueLoc = createUniqueName();
 executeSuccess("date=" + validVerificationDateString() + "&location=" + uniqueLoc + "&countryCode=DE&certify=1&rules=1&assertion=1&points=10");
- TestMail tm;
-
- tm = getMailReceiver().receive(applicantM);
+ TestMail tm = getMailReceiver().receive(applicantM);
 assertThat(tm.getMessage(), not(containsString("You entered a verification for the account with email address " + applicantM)));
 }
+
+ @Test
+ public void testVerifyWithoutCertLogin() throws IOException {
+ cookie = login(agentM, TEST_PASSWORD);
+ loginCertificate = null;
+ assertEquals(403, get(cookie, VerifyPage.PATH).getResponseCode());
+ }
 }
diff --git a/tests/club/wpia/gigi/testUtils/ManagedTest.java b/tests/club/wpia/gigi/testUtils/ManagedTest.java
index 25df2725..4a8324bd 100644
--- a/tests/club/wpia/gigi/testUtils/ManagedTest.java
+++ b/tests/club/wpia/gigi/testUtils/ManagedTest.java
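Review bot: `testVerifyWithoutCertLogin` only GETs `VerifyPage.PATH`; the enforcing check is `AuthorizationContext.canVerify()`, and it is the POST of the verification form that records a verification, so a regression where the form renders 403 but the submission path is still reachable would pass this test. Add a second assertion that posts the verification form body used by `executeSuccess` in this file with the password-only cookie and expects 403 as well, e.g. `assertEquals(403, post(cookie, VerifyPage.PATH, "date=" + validVerificationDateString() + "&location=testcase&countryCode=DE&certify=1&rules=1&assertion=1&points=10", 0).getResponseCode());` — whether `post` exists on this test's base class as it does in SEClientTest is inferred, not visible here. In the `@@ -350` hunk, `cookie = cookieWithCertificateLogin(users[0]);` can use the already-bound `u` from `User u = users[0];` three lines above.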
@@ -19,6 +19,7 @@ import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
+import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.PrivateKey;
@@ -44,6 +45,8 @@ import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.database.GigiPreparedStatement;
 import club.wpia.gigi.database.GigiResultSet;
 import club.wpia.gigi.dbObjects.Certificate;
+import club.wpia.gigi.dbObjects.Certificate.CSRType;
+import club.wpia.gigi.dbObjects.Digest;
 import club.wpia.gigi.dbObjects.EmailAddress;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.dbObjects.Job;
@@ -550,4 +553,29 @@ public class ManagedTest extends ConfiguredTest {
 }
 }
 }
+
+ protected String cookieWithCertificateLogin(User u) throws IOException, GigiApiException {
+
+ try {
+ KeyPair kp;
+ kp = generateKeypair();
+
+ String csr;
+ csr = generatePEMCSR(kp, "CN=" + u.getPreferredName().toString());
+
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", u.getPreferredName().toString()), Digest.SHA256, csr, CSRType.CSR, getClientProfile());
+ final PrivateKey pk = kp.getPrivate();
+ await(c.issue(null, "2y", u));
+ final X509Certificate ce = c.cert();
+ c.setLoginEnabled(true);
+ loginCertificate = c;
+ loginPrivateKey = pk;
+ return login(pk, ce);
+ } catch (InterruptedException e) {
+ throw new GigiApiException(e.toString());
+ } catch (GeneralSecurityException e) {
+ throw new GigiApiException(e.toString());
+ }
+
+ }
 }
diff --git a/tests/club/wpia/gigi/testUtils/SEClientTest.java b/tests/club/wpia/gigi/testUtils/SEClientTest.java
index 358a8c1e..a7796729 100644
--- a/tests/club/wpia/gigi/testUtils/SEClientTest.java
+++ b/tests/club/wpia/gigi/testUtils/SEClientTest.java
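Review bot: Both `catch` blocks in `cookieWithCertificateLogin` rethrow as `new GigiApiException(e.toString())`, which discards the stack trace of the underlying key-generation or issuance failure and, for `InterruptedException`, also drops the interrupt flag; add `Thread.currentThread().interrupt();` before that `throw`, and pass `e` through as the cause if `GigiApiException` offers a cause-taking constructor (not visible here). The helper has an undocumented side effect — it assigns `loginCertificate` and `loginPrivateKey`, which several tests in this change must later null out — so give it a Javadoc such as `/** Issues a login-enabled client certificate for {@code u}, stores it in {@link #loginCertificate} and {@link #loginPrivateKey} for subsequent requests, and returns the session cookie of a certificate login. */`. The split declarations `KeyPair kp; kp = generateKeypair();` and `String csr; csr = ...;` read better as `KeyPair kp = generateKeypair();` and `String csr = generatePEMCSR(kp, "CN=" + u.getPreferredName().toString());`.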
@@ -3,15 +3,8 @@ package club.wpia.gigi.testUtils;
 import static org.junit.Assert.*;
 import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
 import club.wpia.gigi.GigiApiException;
-import club.wpia.gigi.dbObjects.Certificate;
-import club.wpia.gigi.dbObjects.Certificate.CSRType;
-import club.wpia.gigi.dbObjects.Digest;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.pages.admin.support.SupportEnterTicketPage;
@@ -23,22 +16,7 @@ public abstract class SEClientTest extends ClientTest {
 public SEClientTest() throws IOException, GigiApiException {
 grant(u, Group.SUPPORTER);
- try {
- KeyPair kp = generateKeypair();
- String csr = generatePEMCSR(kp, "CN=" + u.getPreferredName().toString());
- Certificate c = new Certificate(u, u, Certificate.buildDN("CN", u.getPreferredName().toString()), Digest.SHA256, csr, CSRType.CSR, getClientProfile());
- final PrivateKey pk = kp.getPrivate();
- await(c.issue(null, "2y", u));
- final X509Certificate ce = c.cert();
- c.setLoginEnabled(true);
- loginCertificate = c;
- loginPrivateKey = pk;
- cookie = login(pk, ce);
- } catch (InterruptedException e) {
- throw new GigiApiException(e.toString());
- } catch (GeneralSecurityException e) {
- throw new GigiApiException(e.toString());
- }
+ cookie = cookieWithCertificateLogin(u);
 assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
 }