From 62b9a6519d6304820fdfa739ef9281e1cdaccb7d Mon Sep 17 00:00:00 2001
From: INOPIAE
Date: Thu, 4 Jun 2020 14:26:27 +0200
Subject: [PATCH] add: configuration of CommunityCA
Change-Id: Ic83a157173ca51f14e22ed9ceeb993e989b09625
---
 config/gigi.properties.template | 3 +
 src/club/wpia/gigi/Gigi.java | 26 ++++++--
 src/club/wpia/gigi/pages/MainPage.java | 10 ++-
 .../pages/MainPageNotLoginCommunity.templ | 18 ++++++
 .../gigi/pages/account/MyDetailsForm.java | 11 ++--
 .../wpia/gigi/pages/wot/RequestTTPPage.java | 3 +-
 src/club/wpia/gigi/util/ServerConstants.java | 7 ++
 tests/club/wpia/gigi/TestCommunityCAOff.java | 64 +++++++++++++++++++
 tests/club/wpia/gigi/TestCommunityCAOn.java | 19 ++++++
 .../club/wpia/gigi/testUtils/ManagedTest.java | 10 +++
 10 files changed, 157 insertions(+), 14 deletions(-)
 create mode 100644 src/club/wpia/gigi/pages/MainPageNotLoginCommunity.templ
 create mode 100644 tests/club/wpia/gigi/TestCommunityCAOff.java
 create mode 100644 tests/club/wpia/gigi/TestCommunityCAOn.java
diff --git a/config/gigi.properties.template b/config/gigi.properties.template
index 85f2afde..252b2be5 100644
--- a/config/gigi.properties.template
+++ b/config/gigi.properties.template
@@ -23,6 +23,9 @@ time.verificationMaxAgeMonths=24
 appName=SomeCA
 appIdentifier=someca
+#to use Gigi without public RA Agent functionality remove # from next line
+#communityCA=true
+
 #mail.support=support@wpia.local
 #mail.board=board@wpia.local
 #mail.quiz=quiz@wpia.local
diff --git a/src/club/wpia/gigi/Gigi.java b/src/club/wpia/gigi/Gigi.java
index d33d546d..aa892a5d 100644
--- a/src/club/wpia/gigi/Gigi.java
+++ b/src/club/wpia/gigi/Gigi.java
@@ -189,7 +189,15 @@ public final class Gigi extends HttpServlet {
 putPage(SupportOrgDomainPage.PATH + "*", new SupportOrgDomainPage(), null);
 putPage(ChangePasswordPage.PATH, new ChangePasswordPage(), account);
 putPage(History.PATH, new History(false), account);
- putPage(FindAgentAccess.PATH, new OneFormPage("Access to Find Agent", FindAgentAccess.class), account);
+
+ putPage(FindAgentAccess.PATH, new OneFormPage("Access to Find Agent", FindAgentAccess.class) {
+
+ @Override
+ public boolean isPermitted(AuthorizationContext ac) {
+ return super.isPermitted(ac) && !ServerConstants.isCommunityCA();
+ }
+ }, account);
+
 putPage(History.SUPPORT_PATH, new History(true), null);
 putPage(UserTrainings.PATH, new UserTrainings(false), account);
 putPage(MyDetails.PATH, new MyDetails(), account);
@@ -214,7 +222,13 @@ public final class Gigi extends HttpServlet {
 }
 try {
- putPage("/wot/rules", new StaticPage("Verification Rules", VerifyPage.class.getResourceAsStream("Rules.templ")), wot);
+ putPage("/wot/rules", new StaticPage("Verification Rules", VerifyPage.class.getResourceAsStream("Rules.templ")) {
+
+ @Override
+ public boolean isPermitted(AuthorizationContext ac) {
+ return super.isPermitted(ac) && !ServerConstants.isCommunityCA();
+ }
+ }, wot);
 } catch (UnsupportedEncodingException e) {
 throw new ServletException(e);
 }
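Review bot: The anonymous subclasses added around `putPage(FindAgentAccess.PATH, …)` and `putPage("/wot/rules", …)` carry the same `isPermitted` override twice, and `RequestTTPPage.isPermitted` repeats the condition a third time, so the community-CA gate is spread over copies that have to be kept in sync by hand. Neither site says why the page is switched off; a one-line comment above each override, such as `// community CA: no public RA Agent functionality, so this page is not permitted`, would record the intent. Whether `isPermitted` is also what refuses a direct request to these paths, rather than only hiding the menu entry, is decided outside these hunks and is worth confirming, because that is the property the flag is meant to provide.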
@@ -310,12 +324,10 @@ public final class Gigi extends HttpServlet {
 }
 try {
- final FileChannel knownPasswordHashesFile = FileChannel.open(
- FileSystems.getDefault().getPath(knownPasswordHashesPath));
+ final FileChannel knownPasswordHashesFile = FileChannel.open(FileSystems.getDefault().getPath(knownPasswordHashesPath));
 return new DelegatingPasswordChecker(new PasswordChecker[] {
- new PasswordStrengthChecker(),
- new PasswordHashChecker(knownPasswordHashesFile, sha1)
- });
+ new PasswordStrengthChecker(), new PasswordHashChecker(knownPasswordHashesFile, sha1)
+ });
 } catch (IOException e) {
 if (knownPasswordHashesRequired) {
 throw new RuntimeException("Error while opening password hash database, refusing startup", e);
diff --git a/src/club/wpia/gigi/pages/MainPage.java b/src/club/wpia/gigi/pages/MainPage.java
index 02232f2e..20e91791 100644
--- a/src/club/wpia/gigi/pages/MainPage.java
+++ b/src/club/wpia/gigi/pages/MainPage.java
@@ -19,11 +19,14 @@ import club.wpia.gigi.localisation.Language;
 import club.wpia.gigi.output.GroupList;
 import club.wpia.gigi.output.template.IterableDataset;
 import club.wpia.gigi.output.template.Template;
+import club.wpia.gigi.util.ServerConstants;
 public class MainPage extends Page {
 private static final Template notLog = new Template(MainPage.class.getResource("MainPageNotLogin.templ"));
+ private static final Template notLogCommunity = new Template(MainPage.class.getResource("MainPageNotLoginCommunity.templ"));
+
 public MainPage() {
 super("Home");
 }
@@ -41,7 +44,6 @@ public class MainPage extends Page {
 vars.put("vp", u.getVerificationPoints());
 vars.put("xp", u.getExperiencePoints());
- vars.put("catsinfo", false);
 if (u.canVerify() && !u.hasValidRAChallenge()) {
 vars.put("catsinfo", true);
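Review bot: In the MainPage hunk at old line 41, `vars.put("catsinfo", false);` appears behind a `-` marker, a change unrelated to the CommunityCA switch this commit introduces. If the default really is dropped, `catsinfo` is only set inside the `u.canVerify() && !u.hasValidRAChallenge()` branch and the template receives no value instead of `false` for every other user. Either keep the line or confirm that the template treats a missing variable as false. The indentation on this page is collapsed, so the marker may instead belong to a removed blank line, in which case nothing needs to change.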
@@ -136,7 +138,11 @@ public class MainPage extends Page {
 getDefaultTemplate().output(resp.getWriter(), getLanguage(req), vars);
 } else {
- notLog.output(resp.getWriter(), getLanguage(req), vars);
+ if (ServerConstants.isCommunityCA()) {
+ notLogCommunity.output(resp.getWriter(), getLanguage(req), vars);
+ } else {
+ notLog.output(resp.getWriter(), getLanguage(req), vars);
+ }
 }
 }
diff --git a/src/club/wpia/gigi/pages/MainPageNotLoginCommunity.templ b/src/club/wpia/gigi/pages/MainPageNotLoginCommunity.templ
new file mode 100644
index 00000000..aee37d76
--- /dev/null
+++ b/src/club/wpia/gigi/pages/MainPageNotLoginCommunity.templ
@@ -0,0 +1,18 @@
+

+ +

'WPIA (World Privacy and Identity Association)!''.?>

+ +

+

+ +

+ +

+ +

'join ${appName}!'' as fellow for free and get your own certificates.?>

+ +
+ +

'.?> +'.?>

\ No newline at end of file
diff --git a/src/club/wpia/gigi/pages/account/MyDetailsForm.java b/src/club/wpia/gigi/pages/account/MyDetailsForm.java
index bf7cbcfd..0f775b9d 100644
--- a/src/club/wpia/gigi/pages/account/MyDetailsForm.java
+++ b/src/club/wpia/gigi/pages/account/MyDetailsForm.java
@@ -20,6 +20,7 @@ import club.wpia.gigi.output.GroupSelector;
 import club.wpia.gigi.output.NameInput;
 import club.wpia.gigi.output.template.Form;
 import club.wpia.gigi.output.template.Template;
+import club.wpia.gigi.util.ServerConstants;
 public class MyDetailsForm extends Form {
@@ -176,10 +177,12 @@ public class MyDetailsForm extends Form {
 vars.put("groupSelector", selectedGroup);
 roles.output(out, l, vars);
- boolean hasSignedContract = Contract.hasSignedContract(target, Contract.ContractType.RA_AGENT_CONTRACT);
- vars.put("contractsign", hasSignedContract ? "disabled" : "");
- vars.put("contractrevoke", hasSignedContract ? "" : "disabled");
- contracts.output(out, l, vars);
+ if ( !ServerConstants.isCommunityCA()) {
+ boolean hasSignedContract = Contract.hasSignedContract(target, Contract.ContractType.RA_AGENT_CONTRACT);
+ vars.put("contractsign", hasSignedContract ? "disabled" : "");
+ vars.put("contractrevoke", hasSignedContract ? "" : "disabled");
+ contracts.output(out, l, vars);
+ }
 }
 }
diff --git a/src/club/wpia/gigi/pages/wot/RequestTTPPage.java b/src/club/wpia/gigi/pages/wot/RequestTTPPage.java
index 7d130234..de77751a 100644
--- a/src/club/wpia/gigi/pages/wot/RequestTTPPage.java
+++ b/src/club/wpia/gigi/pages/wot/RequestTTPPage.java
@@ -12,6 +12,7 @@ import club.wpia.gigi.output.template.Form;
 import club.wpia.gigi.pages.LoginPage;
 import club.wpia.gigi.pages.Page;
 import club.wpia.gigi.util.AuthorizationContext;
+import club.wpia.gigi.util.ServerConstants;
 public class RequestTTPPage extends Page {
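Review bot: The `if ( !ServerConstants.isCommunityCA())` guard in the second MyDetailsForm hunk only stops the RA Agent contract controls from being rendered. The form's submit handling lies outside the hunk, and nothing visible here keeps a posted sign or revoke action from being processed in community mode. If the submit path handles those actions, it should check the same flag and reject them, so the restriction also holds for a request that does not come from the rendered form. The enclosing output method starts before the hunk.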
@@ -63,7 +64,7 @@ public class RequestTTPPage extends Page {
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
- return ac != null && ac.getTarget() instanceof User;
+ return ac != null && ac.getTarget() instanceof User && !ServerConstants.isCommunityCA();
 }
 }
diff --git a/src/club/wpia/gigi/util/ServerConstants.java b/src/club/wpia/gigi/util/ServerConstants.java
index e2d459ba..db141847 100644
--- a/src/club/wpia/gigi/util/ServerConstants.java
+++ b/src/club/wpia/gigi/util/ServerConstants.java
@@ -76,6 +76,8 @@ public class ServerConstants {
 private static String mailQuizAdmin;
+ private static boolean communityCA;
+
 public static void init(Properties conf) {
 securePort = port = "";
 if ( !conf.getProperty("https.port").equals("443")) {
@@ -105,6 +107,7 @@ public class ServerConstants {
 mailBoard = conf.getProperty("mail.board", "board@" + suffix);
 mailQuiz = conf.getProperty("mail.quiz", "quiz@" + suffix);
 mailQuizAdmin = conf.getProperty("mail.quizAdmin", "quiz-admin@" + suffix);
+ communityCA = conf.getProperty("communityCA", "false").equalsIgnoreCase("true");
 }
 public static String getHostName(Host h) {
@@ -181,4 +184,8 @@ public class ServerConstants {
 return appIdentifier;
 }
+ public static boolean isCommunityCA() {
+ return communityCA;
+ }
+
 }
diff --git a/tests/club/wpia/gigi/TestCommunityCAOff.java b/tests/club/wpia/gigi/TestCommunityCAOff.java
new file mode 100644
index 00000000..461d2252
--- /dev/null
+++ b/tests/club/wpia/gigi/TestCommunityCAOff.java
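Review bot: In the `init` hunk of ServerConstants, `conf.getProperty("communityCA", "false").equalsIgnoreCase("true")` turns every value other than that exact word into `false`. A line such as `communityCA=true ` with a trailing blank (which `Properties` keeps) or `communityCA=yes` therefore silently leaves the public RA Agent functionality switched on. A flag that restricts functionality should not fail silently: trim the value, `communityCA = Boolean.parseBoolean(conf.getProperty("communityCA", "false").trim());`, and refuse to start, or at least log the effective mode, when the value is neither `true` nor `false`. `init` starts and ends outside the hunk.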
@@ -0,0 +1,64 @@
+package club.wpia.gigi;
+
+import static org.hamcrest.CoreMatchers.*;
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import org.junit.Test;
+
+import club.wpia.gigi.testUtils.ClientTest;
+import club.wpia.gigi.testUtils.IOUtils;
+
+public class TestCommunityCAOff extends ClientTest {
+
+ protected static boolean isCommunityCATest = false;
+
+ @Test
+ public void testMenuLoggedIn() throws GeneralSecurityException, IOException, GigiApiException, InterruptedException {
+ String content = IOUtils.readURL(get("/"));
+
+ // Menu SomCA
+ // add RA Agent Status in later software version
+
+ // Menu Verification
+ testContent(content, "href=\"/wot/ttp\">Request TTP", !isCommunityCATest);
+ testContent(content, "href=\"/wot/rules\">Verification Rules", !isCommunityCATest);
+
+ // Menu My Details
+ testContent(content, "href=\"/account/find-agent\">Access to Find Agent", !isCommunityCATest);
+
+ assertThat(content, (containsString("Logged in")));
+
+ }
+
+ @Test
+ public void testMenuLoggedOut() throws GeneralSecurityException, IOException, GigiApiException, InterruptedException {
+ String content = IOUtils.readURL(get("/logout"));
+ content = IOUtils.readURL(get("/"));
+
+ // Menu SomCA
+ // add RA Agent Status in later software version
+
+ assertThat(content, not((containsString("Logged in"))));
+
+ // text on not login page
+ testContent(content, "therefore 6 months only.", isCommunityCATest);
+ }
+
+ @Test
+ public void testMyDetails() throws GeneralSecurityException, IOException, GigiApiException, InterruptedException {
+ String content = IOUtils.readURL(get("/account/details"));
+ testContent(content, "RA Agent Contract", !isCommunityCATest);
+ }
+
+ private void testContent(String content, String reference, boolean visible) {
+ if (visible) {
+ assertThat(content, containsString(reference));
+ } else {
+ assertThat(content, not(containsString(reference)));
+ }
+
+ }
+}
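Review bot: All three tests in TestCommunityCAOff only search the rendered page for link or label text (`href=\"/wot/ttp\">Request TTP`, `RA Agent Contract`, and so on), so they show that the entries disappear in community mode but not that the pages themselves are refused. A regression that hid the links while leaving `/wot/ttp`, `/wot/rules` or `/account/find-agent` reachable would still pass. Add a case that requests each of those paths directly and asserts that the response is a refusal when `isCommunityCATest` is true and a normal page otherwise.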
diff --git a/tests/club/wpia/gigi/TestCommunityCAOn.java b/tests/club/wpia/gigi/TestCommunityCAOn.java
new file mode 100644
index 00000000..b829e21f
--- /dev/null
+++ b/tests/club/wpia/gigi/TestCommunityCAOn.java
@@ -0,0 +1,19 @@
+package club.wpia.gigi;
+
+import java.util.Properties;
+
+import org.junit.BeforeClass;
+
+import club.wpia.gigi.testUtils.ManagedTest;
+
+public class TestCommunityCAOn extends TestCommunityCAOff {
+
+ @BeforeClass
+ public static void initEnvironmentHook() {
+ Properties additionalConfig = new Properties();
+ additionalConfig.setProperty("communityCA", "true");
+ isCommunityCATest = true;
+ ManagedTest.initEnvironment(additionalConfig);
+ }
+
+}
diff --git a/tests/club/wpia/gigi/testUtils/ManagedTest.java b/tests/club/wpia/gigi/testUtils/ManagedTest.java
index 4a8324bd..a6d51bec 100644
--- a/tests/club/wpia/gigi/testUtils/ManagedTest.java
+++ b/tests/club/wpia/gigi/testUtils/ManagedTest.java
@@ -26,6 +26,7 @@ import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.sql.SQLException;
 import java.util.Locale;
+import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -104,8 +105,17 @@ public class ManagedTest extends ConfiguredTest {
 private static boolean inited = false;
 public static Properties initEnvironment() {
+ return initEnvironment(new Properties());
+ }
+
+ public static Properties initEnvironment(Properties additionalConfig) {
 try {
 Properties mainProps = ConfiguredTest.initEnvironment();
+ for (Entry i : additionalConfig.entrySet()) {
+ if (i.getKey() instanceof String && i.getValue() instanceof String) {
+ mainProps.setProperty((String) i.getKey(), (String) i.getValue());
+ }
+ }
 if (inited) {
 return mainProps;
 }
--
2.39.2
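Review bot: `isCommunityCATest = true;` in `TestCommunityCAOn.initEnvironmentHook` writes a static field declared on TestCommunityCAOff, and nothing sets it back. Once this class has run, a later run of TestCommunityCAOff in the same JVM would check the inverted expectations. Making the expectation an overridable instance method, `protected boolean isCommunityCATest() { return false; }` in the base class with an override returning `true` here, removes the shared state.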
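Review bot: In the new `ManagedTest.initEnvironment(Properties additionalConfig)`, the extra entries are merged into `mainProps` before the `if (inited) { return mainProps; }` early return. When an earlier test class has already initialised the environment, the caller gets properties that say `communityCA=true` while, as far as this hunk shows, nothing is restarted with them, so TestCommunityCAOn would run against a server in the other mode. Consider failing loudly in that case, for example `if (inited && !additionalConfig.isEmpty()) throw new IllegalStateException("environment already initialised with different config");`. The rest of the method is outside the hunk, so a restart may happen there.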