From 86c54e084577b712268320f990facc8e9a09aec6 Mon Sep 17 00:00:00 2001
From: INOPIAE
Date: Tue, 16 Jul 2019 22:04:28 +0200
Subject: [PATCH] add: ensure that for Support actions there is a valid Support Challenge related to issue #150
Change-Id: Ibdec5fc46cde59a0f19cefa50f5d3c3508849717
---
src/club/wpia/gigi/pages/MainPage.java | 4 +++
src/club/wpia/gigi/pages/MainPage.templ | 3 +++
.../admin/support/SupportEnterTicketPage.java | 2 +-
.../wpia/gigi/util/AuthorizationContext.java | 2 +-
tests/club/wpia/gigi/pages/TestMain.java | 25 +++++++++++++++++++
.../pages/admin/TestSEAdminTicketSetting.java | 16 ++++++++++++
.../wpia/gigi/testUtils/SEClientTest.java | 2 ++
7 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/src/club/wpia/gigi/pages/MainPage.java b/src/club/wpia/gigi/pages/MainPage.java
index a486618f..9b7e079c 100644
--- a/src/club/wpia/gigi/pages/MainPage.java
+++ b/src/club/wpia/gigi/pages/MainPage.java
@@ -47,6 +47,10 @@ public class MainPage extends Page {
 vars.put("catsinfo", true);
 vars.put("catsra", true);
 }
+ if (u.isInGroup(Group.SUPPORTER) && !u.hasValidSupportChallenge()) {
+ vars.put("catsinfo", true);
+ vars.put("catssupport", true);
+ }
 Certificate[] c = u.getCertificates(false);
 vars.put("c-no", c.length);
diff --git a/src/club/wpia/gigi/pages/MainPage.templ b/src/club/wpia/gigi/pages/MainPage.templ
index 8f9f8731..52b805b5 100644
--- a/src/club/wpia/gigi/pages/MainPage.templ
+++ b/src/club/wpia/gigi/pages/MainPage.templ
@@ -17,6 +17,9 @@
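Review bot: The new `catssupport` branch in MainPage.java carries no comment explaining why the banner is keyed on `hasValidSupportChallenge()` rather than on group membership alone, or that this block only drives a reminder while the hard gate lives in AuthorizationContext.canSupport() and SupportEnterTicketPage.isPermitted(); a reader has to cross-reference both to learn that. I would add above the new `if`: `// Supporters must hold a current Support Challenge; this only shows the reminder banner — the enforcing check is AuthorizationContext.canSupport()`. Note that both this branch and the RA branch directly above set `catsinfo`, so presumably the template's info box is shared by both cases — worth stating in the same comment. The enclosing method of MainPage starts and ends outside the hunk.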

+ +

+
diff --git a/src/club/wpia/gigi/pages/admin/support/SupportEnterTicketPage.java b/src/club/wpia/gigi/pages/admin/support/SupportEnterTicketPage.java
index 14b1faaf..3db0881b 100644
--- a/src/club/wpia/gigi/pages/admin/support/SupportEnterTicketPage.java
+++ b/src/club/wpia/gigi/pages/admin/support/SupportEnterTicketPage.java
@@ -47,7 +47,7 @@ public class SupportEnterTicketPage extends Page {
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
- return ac != null && ac.isInGroup(Group.SUPPORTER) && ac.isStronglyAuthenticated();
+ return ac != null && ac.isInGroup(Group.SUPPORTER) && ac.isStronglyAuthenticated() && ac.getActor().hasValidSupportChallenge();
 }
 }
diff --git a/src/club/wpia/gigi/util/AuthorizationContext.java b/src/club/wpia/gigi/util/AuthorizationContext.java
index 66c65450..0cc653c1 100644
--- a/src/club/wpia/gigi/util/AuthorizationContext.java
+++ b/src/club/wpia/gigi/util/AuthorizationContext.java
@@ -79,7 +79,7 @@ public class AuthorizationContext implements Outputable, Serializable {
 }
 public boolean canSupport() {
- return getSupporterTicketId() != null && isInGroup(Group.SUPPORTER) && isStronglyAuthenticated();
+ return getSupporterTicketId() != null && isInGroup(Group.SUPPORTER) && isStronglyAuthenticated() && ((User) target).hasValidSupportChallenge();
 }
 private static final SprintfCommand sp = new SprintfCommand("Logged in as {0} via {1}.", Arrays.asList("${username", "${loginMethod"));
diff --git a/tests/club/wpia/gigi/pages/TestMain.java b/tests/club/wpia/gigi/pages/TestMain.java
index e6dce456..47c4c151 100644
--- a/tests/club/wpia/gigi/pages/TestMain.java
+++ b/tests/club/wpia/gigi/pages/TestMain.java
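Review bot: The new check in canSupport() reads the challenge from `((User) target)`, while the same commit gates SupportEnterTicketPage.isPermitted() on `ac.getActor()`; the two predicates guard the same support actions and should name the same principal. The cast suggests `target` is not declared as a User, so if a supporter's context can ever carry a non-User target (an organisation, say — I cannot see the field's type here) this line would throw ClassCastException instead of returning false, and in any case the Support Challenge is a property of the person doing the support work, i.e. the actor. I would change the added line to `return getSupporterTicketId() != null && isInGroup(Group.SUPPORTER) && isStronglyAuthenticated() && getActor().hasValidSupportChallenge();`, using the same accessor the page check uses so the two cannot drift apart. canSupport() is fully inside the hunk; the class continues outside it.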
@@ -117,5 +117,30 @@ public class TestMain extends ClientTest {
 authenticate((HttpURLConnection) uc);
 content = IOUtils.readURL(uc);
 assertThat(content, not(containsString("you need to pass the RA Agent Challenge")));
+
+ // test Support challenge
+ uc = new URL("https://" + getSecureServerName()).openConnection();
+ authenticate((HttpURLConnection) uc);
+ content = IOUtils.readURL(uc);
+ assertThat(content, not(containsString("you need to pass the Support Challenge")));
+
+ grant(u, Group.SUPPORTER);
+ cookie = login(loginPrivateKey, loginCertificate.cert());
+ uc = new URL("https://" + getSecureServerName()).openConnection();
+ authenticate((HttpURLConnection) uc);
+ content = IOUtils.readURL(uc);
+ assertThat(content, containsString("you need to pass the Support Challenge"));
+
+ addChallengeInPast(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
+ uc = new URL("https://" + getSecureServerName()).openConnection();
+ authenticate((HttpURLConnection) uc);
+ content = IOUtils.readURL(uc);
+ assertThat(content, containsString("you need to pass the Support Challenge"));
+
+ addChallenge(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
+ uc = new URL("https://" + getSecureServerName()).openConnection();
+ authenticate((HttpURLConnection) uc);
+ content = IOUtils.readURL(uc);
+ assertThat(content, not(containsString("you need to pass the Support Challenge")));
 }
 }
diff --git a/tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java b/tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java
index ac4c23bf..7562ed00 100644
--- a/tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java
+++ b/tests/club/wpia/gigi/pages/admin/TestSEAdminTicketSetting.java
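Review bot: The three-line fetch sequence `uc = new URL("https://" + getSecureServerName()).openConnection(); authenticate((HttpURLConnection) uc); content = IOUtils.readURL(uc);` is now repeated four times inside the hunk and already appears above it for the RA case; a private helper such as `private String fetchMainPage() throws IOException` returning the page body would reduce each step to a single assertThat and keep the authentication plumbing in one place. Separately, the test re-logs in after `grant(u, Group.SUPPORTER)` but not after `addChallengeInPast`/`addChallenge`, which is only valid if `hasValidSupportChallenge()` is evaluated from the database on every request rather than cached in the session — I would state that assumption in a one-line comment next to the first `addChallengeInPast` call so a future caching change is caught. The test method begins before the hunk.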
@@ -12,7 +12,9 @@ import java.util.Random;
 import org.junit.Test;
 import club.wpia.gigi.GigiApiException;
+import club.wpia.gigi.dbObjects.CATS.CATSType;
 import club.wpia.gigi.dbObjects.Group;
+import club.wpia.gigi.dbObjects.User;
 import club.wpia.gigi.pages.admin.support.FindCertPage;
 import club.wpia.gigi.pages.admin.support.FindUserByDomainPage;
 import club.wpia.gigi.pages.admin.support.FindUserByEmailPage;
@@ -25,6 +27,7 @@ public class TestSEAdminTicketSetting extends ClientTest {
 public TestSEAdminTicketSetting() throws IOException, GigiApiException {
 grant(u, Group.SUPPORTER);
+ addChallenge(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
 cookie = cookieWithCertificateLogin(u);
 }
@@ -111,4 +114,17 @@ public class TestSEAdminTicketSetting extends ClientTest {
 assertEquals(403, get(cookiePW, FindCertPage.PATH).getResponseCode());
 }
+ @Test
+ public void testNoSupportChallenge() throws MalformedURLException, UnsupportedEncodingException, IOException, GigiApiException {
+ User supporter1 = User.getById(createVerificationUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+ grant(supporter1, Group.SUPPORTER);
+ loginCertificate = null;
+ cookie = cookieWithCertificateLogin(supporter1);
+
+ assertEquals(403, get(SupportEnterTicketPage.PATH).getResponseCode());
+ assertEquals(403, get(FindUserByEmailPage.PATH).getResponseCode());
+ assertEquals(403, get(FindUserByDomainPage.PATH).getResponseCode());
+ assertEquals(403, get(FindCertPage.PATH).getResponseCode());
+ }
+
 }
diff --git a/tests/club/wpia/gigi/testUtils/SEClientTest.java b/tests/club/wpia/gigi/testUtils/SEClientTest.java
index a7796729..32cb1d84 100644
--- a/tests/club/wpia/gigi/testUtils/SEClientTest.java
+++ b/tests/club/wpia/gigi/testUtils/SEClientTest.java
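Review bot: testNoSupportChallenge() only covers a supporter who has never passed the challenge; the expired-challenge case is asserted solely on the main-page banner in TestMain, so a regression in the expiry half of `hasValidSupportChallenge()` would leave the support pages open without any test here failing. I would extend this test (or add a sibling) that calls `addChallengeInPast(supporter1.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME)` and repeats the four 403 assertions, since that is where the authorization decision is actually enforced. It would also be worth asserting that the ticket-setting POST used by SEClientTest's constructor (`post(cookie, SupportEnterTicketPage.PATH, "ticketno=…&setTicket=action", 0)`) is refused for this user, as it is the entry point to every support action. The enclosing class continues outside the hunk.
```java
    // … unchanged: supporter1 setup and the four 403 assertions for the never-passed case …

    // An expired challenge must be treated exactly like a missing one.
    addChallengeInPast(supporter1.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
    assertEquals(403, get(SupportEnterTicketPage.PATH).getResponseCode());
    assertEquals(403, get(FindUserByEmailPage.PATH).getResponseCode());
    assertEquals(403, get(FindUserByDomainPage.PATH).getResponseCode());
    assertEquals(403, get(FindCertPage.PATH).getResponseCode());
```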
@@ -5,6 +5,7 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 import club.wpia.gigi.GigiApiException;
+import club.wpia.gigi.dbObjects.CATS.CATSType;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.pages.admin.support.SupportEnterTicketPage;
@@ -16,6 +17,7 @@ public abstract class SEClientTest extends ClientTest {
 public SEClientTest() throws IOException, GigiApiException {
 grant(u, Group.SUPPORTER);
+ addChallenge(u.getId(), CATSType.SUPPORT_DP_CHALLENGE_NAME);
 cookie = cookieWithCertificateLogin(u);
 assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
 }
--
2.39.2