From 7a95cc4fd6e899a95343e03d586d6c387439b403 Mon Sep 17 00:00:00 2001
From: INOPIAE
Date: Wed, 17 Jul 2019 10:50:09 +0200
Subject: [PATCH] add: ensure that for TTPAgent action there is a valid TTPAgent Challenge related to issue #150
Change-Id: Ia3658d5ccb5b41ec8954259160f2db2005109691
---
 src/club/wpia/gigi/pages/MainPage.java | 4 +
 src/club/wpia/gigi/pages/MainPage.templ | 3 +
 .../wpia/gigi/pages/admin/TTPAdminPage.java | 2 +-
 .../wpia/gigi/pages/wot/VerificationForm.java | 3 +
 .../gigi/pages/wot/VerificationForm.templ | 4 +-
 src/club/wpia/gigi/util/Notary.java | 4 +-
 tests/club/wpia/gigi/pages/TestMain.java | 79 ++++++++-----------
 .../wpia/gigi/pages/wot/TestTTPAdmin.java | 10 +++
 .../wpia/gigi/pages/wot/TestVerification.java | 17 ++++
 9 files changed, 78 insertions(+), 48 deletions(-)

diff --git a/src/club/wpia/gigi/pages/MainPage.java b/src/club/wpia/gigi/pages/MainPage.java
index e0170185..9ebd30fa 100644
--- a/src/club/wpia/gigi/pages/MainPage.java
+++ b/src/club/wpia/gigi/pages/MainPage.java
@@ -55,6 +55,10 @@ public class MainPage extends Page {
 vars.put("catsinfo", true);
 vars.put("catsorgagent", true);
 }
+ if (u.isInGroup(Group.TTP_AGENT) && !u.hasValidTTPAgentChallenge()) {
+ vars.put("catsinfo", true);
+ vars.put("catsttpagent", true);
+ }
 Certificate[] c = u.getCertificates(false);
 vars.put("c-no", c.length);
diff --git a/src/club/wpia/gigi/pages/MainPage.templ b/src/club/wpia/gigi/pages/MainPage.templ
index e8ecee42..9b7ea86e 100644
--- a/src/club/wpia/gigi/pages/MainPage.templ
+++ b/src/club/wpia/gigi/pages/MainPage.templ
@@ -23,6 +23,9 @@

+ +

+
diff --git a/src/club/wpia/gigi/pages/admin/TTPAdminPage.java b/src/club/wpia/gigi/pages/admin/TTPAdminPage.java
index 90d58b24..fd1c90cd 100644
--- a/src/club/wpia/gigi/pages/admin/TTPAdminPage.java
+++ b/src/club/wpia/gigi/pages/admin/TTPAdminPage.java
@@ -90,6 +90,6 @@ public class TTPAdminPage extends Page {
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
- return ac != null && ac.isInGroup(Group.TTP_AGENT) && ac.isStronglyAuthenticated();
+ return ac != null && ac.isInGroup(Group.TTP_AGENT) && ac.isStronglyAuthenticated() && ac.getActor().hasValidTTPAgentChallenge();
 }
 }
diff --git a/src/club/wpia/gigi/pages/wot/VerificationForm.java b/src/club/wpia/gigi/pages/wot/VerificationForm.java
index 77f2be09..327b6eb5 100644
--- a/src/club/wpia/gigi/pages/wot/VerificationForm.java
+++ b/src/club/wpia/gigi/pages/wot/VerificationForm.java
@@ -12,6 +12,7 @@ import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import club.wpia.gigi.GigiApiException;
+import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.dbObjects.Name;
 import club.wpia.gigi.dbObjects.User;
 import club.wpia.gigi.dbObjects.Verification.VerificationType;
@@ -152,6 +153,8 @@ public class VerificationForm extends Form {
 return true;
 }
 });
+ res.put("ttpinfo", agent.isInGroup(Group.TTP_AGENT) && !agent.hasValidTTPAgentChallenge() && applicant.isInGroup(Group.TTP_APPLICANT));
+
 templ.output(out, l, res);
 }
diff --git a/src/club/wpia/gigi/pages/wot/VerificationForm.templ b/src/club/wpia/gigi/pages/wot/VerificationForm.templ
index 277dd8c6..9f192653 100644
--- a/src/club/wpia/gigi/pages/wot/VerificationForm.templ
+++ b/src/club/wpia/gigi/pages/wot/VerificationForm.templ
@@ -55,7 +55,9 @@ - + +
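Review bot: The new `isPermitted` condition evaluates its predicates against two different subjects: group membership and strong authentication are tested on `ac`, while the challenge is tested on `ac.getActor()`. If `AuthorizationContext` can represent one user acting on behalf of another (the existence of a separate `getActor()` accessor suggests it may), those two views can disagree and the gate would be checked against different users; confirm that `ac.isInGroup` resolves to the same user as `getActor()`, or test both on the actor. The added call is also not guarded against `getActor()` returning null, which should be confirmed to be impossible once `ac != null`. A one-line comment such as `// the acting agent must hold a current TTP challenge, group membership alone is not enough` would make the intended policy explicit.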
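Review bot: The added `ttpinfo` entry is a display-only flag for the template and must not be read as an authorization decision; the enforcing check for TTP-assisted verifications is the one in `Notary` changed in this same patch. A short comment on the new line would stop a future reader from treating it as a gate: `// display-only hint; Notary rejects TTP-assisted verifications without a valid agent challenge`. The enclosing method begins outside the hunk.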
+ checked>
diff --git a/src/club/wpia/gigi/util/Notary.java b/src/club/wpia/gigi/util/Notary.java
index c349a0f9..a345f57e 100644
--- a/src/club/wpia/gigi/util/Notary.java
+++ b/src/club/wpia/gigi/util/Notary.java
@@ -209,8 +209,8 @@ public class Notary {
 }
 return;
 } else if (t == VerificationType.TTP_ASSISTED) {
- if ( !agent.isInGroup(Group.TTP_AGENT)) {
- throw new GigiApiException("RA Agent needs to be TTP RA Agent.");
+ if ( !agent.isInGroup(Group.TTP_AGENT) || !agent.hasValidTTPAgentChallenge()) {
+ throw new GigiApiException("RA Agent needs to be TTP RA Agent and have a valid TTP RA Agent Challenge.");
 }
 if ( !applicant.isInGroup(Group.TTP_APPLICANT)) {
 throw new GigiApiException("Applicant needs to be TTP Applicant.");
diff --git a/tests/club/wpia/gigi/pages/TestMain.java b/tests/club/wpia/gigi/pages/TestMain.java
index 70a71a5d..dfc6579e 100644
--- a/tests/club/wpia/gigi/pages/TestMain.java
+++ b/tests/club/wpia/gigi/pages/TestMain.java
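Review bot: Folding the group test and the challenge test into one condition produces a single error for two distinct causes, so an agent who is in `Group.TTP_AGENT` but whose challenge has lapsed is told they "need to be TTP RA Agent", which is misleading when they already are. Keeping two checks with their own messages mirrors the neighbouring `TTP_APPLICANT` check directly below and keeps the server-side rejection message accurate without weakening the gate. The enclosing method starts and ends outside the hunk.
```java
} else if (t == VerificationType.TTP_ASSISTED) {
    if ( !agent.isInGroup(Group.TTP_AGENT)) {
        throw new GigiApiException("RA Agent needs to be TTP RA Agent.");
    }
    if ( !agent.hasValidTTPAgentChallenge()) {
        throw new GigiApiException("RA Agent needs to have a valid TTP RA Agent Challenge.");
    }
    // … unchanged: TTP_APPLICANT check …
```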
@@ -97,75 +97,66 @@ public class TestMain extends ClientTest {
 @Test
 public void testValidChallenges() throws GeneralSecurityException, IOException, GigiApiException, InterruptedException {
- cookie = cookieWithCertificateLogin(u);
 // test RA Agent challenge
- URLConnection uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- String content = IOUtils.readURL(uc);
- assertThat(content, not(containsString("you need to pass the RA Agent Challenge")));
+ cookie = cookieWithCertificateLogin(u);
+ testChallengeText("you need to pass the RA Agent Challenge", false);
 add100Points(u.getId());
 addChallengeInPast(u.getId(), CATSType.AGENT_CHALLENGE);
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, containsString("you need to pass the RA Agent Challenge"));
+ testChallengeText("you need to pass the RA Agent Challenge", true);
 addChallenge(u.getId(), CATSType.AGENT_CHALLENGE);
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, not(containsString("you need to pass the RA Agent Challenge")));
+ testChallengeText("you need to pass the RA Agent Challenge", false);
 // test Support challenge
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, not(containsString("you need to pass the Support Challenge")));
+ testChallengeText("you need to pass the Support Challenge", false);
 grant(u, Group.SUPPORTER);
 cookie = login(loginPrivateKey, loginCertificate.cert());
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, containsString("you need to pass the Support Challenge"));
+ 
testChallengeText("you need to pass the Support Challenge", true);
 addChallengeInPast(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, containsString("you need to pass the Support Challenge"));
+ testChallengeText("you need to pass the Support Challenge", true);
 addChallenge(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, not(containsString("you need to pass the Support Challenge")));
+ testChallengeText("you need to pass the Support Challenge", false);
 // test Org Agent challenge
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, not(containsString("you need to pass the Organisation Agent Challenge")));
+ testChallengeText("you need to pass the Organisation Agent Challenge", false);
 grant(u, Group.ORG_AGENT);
 cookie = login(loginPrivateKey, loginCertificate.cert());
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, containsString("you need to pass the Organisation Agent Challenge"));
+ testChallengeText("you need to pass the Organisation Agent Challenge", true);
 addChallengeInPast(u.getId(), CATSType.ORG_AGENT_CHALLENGE);
- uc = new URL("https://" + getSecureServerName()).openConnection();
- authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, containsString("you need to pass the Organisation Agent Challenge"));
+ testChallengeText("you need to pass the Organisation Agent Challenge", true);
 addChallenge(u.getId(), CATSType.ORG_AGENT_CHALLENGE);
- uc = new URL("https://" + 
getSecureServerName()).openConnection();
+ testChallengeText("you need to pass the Organisation Agent Challenge", false);
+
+ // test TTP Agent challenge
+ testChallengeText("you need to pass the TTP RA Agent Challenge", false);
+
+ grant(u, Group.TTP_AGENT);
+ cookie = login(loginPrivateKey, loginCertificate.cert());
+ testChallengeText("you need to pass the TTP RA Agent Challenge", true);
+
+ addChallengeInPast(u.getId(), CATSType.TTP_AGENT_CHALLENGE);
+ testChallengeText("you need to pass the TTP RA Agent Challenge", true);
+
+ addChallenge(u.getId(), CATSType.TTP_AGENT_CHALLENGE);
+ testChallengeText("you need to pass the TTP RA Agent Challenge", false);
+ }
+
+ private void testChallengeText(String contentText, boolean contains) throws IOException, MalformedURLException {
+ URLConnection uc = new URL("https://" + getSecureServerName()).openConnection();
 authenticate((HttpURLConnection) uc);
- content = IOUtils.readURL(uc);
- assertThat(content, not(containsString("you need to pass the Organisation Agent Challenge")));
+ String content = IOUtils.readURL(uc);
+ if (contains) {
+ assertThat(content, containsString(contentText));
+ } else {
+ assertThat(content, not(containsString(contentText)));
+ }
 }
 }
diff --git a/tests/club/wpia/gigi/pages/wot/TestTTPAdmin.java b/tests/club/wpia/gigi/pages/wot/TestTTPAdmin.java
index 0e11f6df..ec423d68 100644
--- a/tests/club/wpia/gigi/pages/wot/TestTTPAdmin.java
+++ b/tests/club/wpia/gigi/pages/wot/TestTTPAdmin.java
@@ -9,6 +9,7 @@ import java.security.GeneralSecurityException;
 import org.junit.Test;
 import club.wpia.gigi.GigiApiException;
+import club.wpia.gigi.dbObjects.CATS.CATSType;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.dbObjects.User;
 import club.wpia.gigi.pages.admin.TTPAdminPage;
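Review bot: The new helper `testChallengeText` is named like a JUnit test case although it is a private assertion helper, and its `throws IOException, MalformedURLException` clause is redundant because `MalformedURLException` is a subclass of `IOException`. Renaming it and trimming the clause, `private void assertChallengeText(String contentText, boolean contains) throws IOException {`, makes its role obvious and avoids test-style naming for non-tests. The strings it asserts, including the new "you need to pass the TTP RA Agent Challenge", must agree with the wording in MainPage.templ, whose changed lines are not legible in this patch, so that should be verified against the template.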
@@ -35,6 +36,7 @@ public class TestTTPAdmin extends ClientTest {
 public void testTTPAdmin(boolean hasRight) throws IOException, GigiApiException, GeneralSecurityException, InterruptedException {
 if (hasRight) {
 grant(u, Group.TTP_AGENT);
+ addChallenge(u.getId(), CATSType.TTP_AGENT_CHALLENGE);
 }
 grant(u, TTPAdminPage.TTP_APPLICANT);
 cookie = cookieWithCertificateLogin(u);
@@ -56,4 +58,12 @@ public class TestTTPAdmin extends ClientTest {
 loginCertificate = null;
 assertEquals(403, get(cookie, TTPAdminPage.PATH).getResponseCode());
 }
+
+ @Test
+ public void testAccessTTPPageWithoutValidChallenge() throws IOException, GigiApiException {
+ grant(u, Group.TTP_AGENT);
+ loginCertificate = null;
+ cookie = cookieWithCertificateLogin(u);
+ assertEquals(403, get(cookie, TTPAdminPage.PATH).getResponseCode());
+ }
 }
diff --git a/tests/club/wpia/gigi/pages/wot/TestVerification.java b/tests/club/wpia/gigi/pages/wot/TestVerification.java
index 9ad541a3..81ec4df5 100644
--- a/tests/club/wpia/gigi/pages/wot/TestVerification.java
+++ b/tests/club/wpia/gigi/pages/wot/TestVerification.java
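Review bot: `testAccessTTPPageWithoutValidChallenge` covers only the no-challenge case; the expired-challenge case that TestMain exercises with `addChallengeInPast` is not checked against `TTPAdminPage.isPermitted`, even though that gate relies on the same `hasValidTTPAgentChallenge()`. Adding `addChallengeInPast(u.getId(), CATSType.TTP_AGENT_CHALLENGE);` between the `grant` and the login, or as a second test, would pin that a lapsed challenge is also answered with 403. The new test also omits the `TTPAdminPage.TTP_APPLICANT` grant that `testTTPAdmin` performs, which looks intentional since the 403 should come from the agent gate alone; a one-line comment saying so would save the next reader the comparison.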
@@ -404,4 +404,21 @@ public class TestVerification extends ManagedTest {
 addChallenge(applicantId, CATSType.AGENT_CHALLENGE);
 assertEquals(200, get(cookie, VerifyPage.PATH).getResponseCode());
 }
+
+ @Test
+ public void testVerifyValidTTPChallenge() throws IOException, GigiApiException {
+ grant(User.getByEmail(agentM), Group.TTP_AGENT);
+ grant(User.getById(applicantId), Group.TTP_APPLICANT);
+ cookie = cookieWithCertificateLogin(User.getById(applicantId));
+ cookie = cookieWithCertificateLogin(User.getByEmail(agentM));
+
+ // test without valid challenge
+ String content = search("email=" + URLEncoder.encode(applicantM, "UTF-8") + "&day=1&month=1&year=1910");
+ assertThat(content, containsString("you need to pass the TTP RA Agent Challenge"));
+
+ // test with valid challenge
+ addChallenge(User.getByEmail(agentM).getId(), CATSType.TTP_AGENT_CHALLENGE);
+ content = search("email=" + URLEncoder.encode(applicantM, "UTF-8") + "&day=1&month=1&year=1910");
+ assertThat(content, not(containsString("you need to pass the TTP RA Agent Challenge")));
+ }
 }
-- 
2.39.2
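Review bot: The first assignment `cookie = cookieWithCertificateLogin(User.getById(applicantId));` is overwritten by the very next line before it is used, so either the applicant login is kept only for a side effect (presumably giving the applicant a login certificate or session, which should be confirmed) and deserves a comment saying so, or it can be dropped. The test covers "no challenge" and "valid challenge" but not an expired one; a third step using `addChallengeInPast` on the agent would complete the set in line with TestMain. The asserted text "you need to pass the TTP RA Agent Challenge" has to match the wording in VerificationForm.templ, whose changed lines are not legible in this patch.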