From d0470c5987aaecbc444c7100319df69b6f740680 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?= <felix@dogcraft.de>
Date: Mon, 22 Aug 2016 11:23:02 +0200
Subject: [PATCH] add: defense-in-depth mechanism to prevent unauthorized
 adding of groups

enforce that users must not add anyone to support-managed groups

Change-Id: I284842efba231ed7733837226626d80877e10cd7
---
 src/org/cacert/gigi/dbObjects/Group.java      | 39 ++++++++++++-------
 .../cacert/gigi/dbObjects/SupportedUser.java  |  2 +-
 src/org/cacert/gigi/dbObjects/User.java       | 17 ++++++--
 src/org/cacert/gigi/output/GroupSelector.java | 14 ++++---
 tests/org/cacert/gigi/TestOrga.java           |  8 ++--
 .../cacert/gigi/TestUserGroupMembership.java  | 23 +++++------
 tests/org/cacert/gigi/api/IssueCert.java      |  4 +-
 tests/org/cacert/gigi/api/TestFindAgent.java  | 10 ++---
 .../pages/account/TestCertificateRequest.java |  6 +--
 .../admin/TestSEAdminNotificationMail.java    |  6 ++-
 .../pages/admin/TestSEAdminPageDetails.java   |  5 ++-
 .../TestSEAdminPageUserDomainSearch.java      |  3 +-
 .../admin/TestSEAdminPageUserMailSearch.java  |  5 ++-
 .../pages/admin/TestSEAdminTicketSetting.java |  6 ++-
 .../cacert/gigi/pages/orga/TestOrgDomain.java |  2 +-
 .../gigi/pages/orga/TestOrgManagement.java    |  2 +-
 tests/org/cacert/gigi/pages/wot/TestTTP.java  |  2 +-
 .../cacert/gigi/pages/wot/TestTTPAdmin.java   | 11 +++---
 .../cacert/gigi/testUtils/BusinessTest.java   | 19 +++++++++
 .../cacert/gigi/testUtils/ManagedTest.java    | 26 ++++++++++---
 tests/org/cacert/gigi/testUtils/OrgTest.java  |  4 +-
 .../gigi/testUtils/RestrictedApiTest.java     |  2 +-
 .../org/cacert/gigi/pages/Manager.java        | 30 +++++++++++++-
 23 files changed, 170 insertions(+), 76 deletions(-)

diff --git a/src/org/cacert/gigi/dbObjects/Group.java b/src/org/cacert/gigi/dbObjects/Group.java
index 13080efb..287187a2 100644
--- a/src/org/cacert/gigi/dbObjects/Group.java
+++ b/src/org/cacert/gigi/dbObjects/Group.java
@@ -6,18 +6,18 @@ import org.cacert.gigi.output.template.Outputable;
 import org.cacert.gigi.output.template.TranslateCommand;
 
 public enum Group {
-    SUPPORTER("supporter", "supporter", true, true), //
-    ARBITRATOR("arbitrator", "arbitrator", true, true), //
-    BLOCKEDASSURER("blockedassurer", "may not verify", true, false), //
-    BLOCKEDASSUREE("blockedassuree", "may not be verified", true, false), //
-    BLOCKEDLOGIN("blockedlogin", "may not login", true, false), //
-    BLOCKEDCERT("blockedcert", "may not issue certificates", true, false), //
-    TTP_ASSURER("ttp-assurer", "may verify via TTP", true, true), //
-    TTP_APPLICANT("ttp-applicant", "requests to be verified via ttp", true, false), //
-    CODESIGNING("codesigning", "may issue codesigning certificates", true, false), //
-    ORGASSURER("orgassurer", "may verify organisations", true, true), //
-    NUCLEUS_ASSURER("nucleus-assurer", "may enter nucleus verifications", true, true), //
-    LOCATE_AGENT("locate-agent", "wants access to the locate agent system", false, false);
+    SUPPORTER("supporter", "supporter", true, false, true), //
+    ARBITRATOR("arbitrator", "arbitrator", true, false, true), //
+    BLOCKEDASSURER("blockedassurer", "may not verify", true, false, false), //
+    BLOCKEDASSUREE("blockedassuree", "may not be verified", true, false, false), //
+    BLOCKEDLOGIN("blockedlogin", "may not login", true, false, false), //
+    BLOCKEDCERT("blockedcert", "may not issue certificates", true, false, false), //
+    TTP_ASSURER("ttp-assurer", "may verify via TTP", true, false, true), //
+    TTP_APPLICANT("ttp-applicant", "requests to be verified via ttp", false, true, false), //
+    CODESIGNING("codesigning", "may issue codesigning certificates", true, false, false), //
+    ORGASSURER("orgassurer", "may verify organisations", true, false, true), //
+    NUCLEUS_ASSURER("nucleus-assurer", "may enter nucleus verifications", true, false, true), //
+    LOCATE_AGENT("locate-agent", "wants access to the locate agent system", false, true, false);
 
     private final String dbName;
 
@@ -25,6 +25,8 @@ public enum Group {
 
     private final boolean managedBySupport;
 
+    private final boolean managedByUser;
+
     private final boolean isSelfViewable;
 
     /**
@@ -40,9 +42,16 @@ public enum Group {
      * @param isSelfViewable
      *            true iff user should be able to see others in the same group
      */
-    private Group(String name, String display, boolean managedBySupport, boolean isSelfViewable) {
+    private Group(String name, String display, boolean managedBySupport, boolean managedByUser, boolean isSelfViewable) {
         dbName = name;
         tc = new TranslateCommand(display);
+        if (managedByUser && managedBySupport) {
+            throw new IllegalArgumentException("We do not allow groups to be user and support managable.");
+        }
+        if (managedByUser && isSelfViewable) {
+            throw new IllegalArgumentException("We do not allow groups to be self-viewable and managable by user.");
+        }
+        this.managedByUser = managedByUser;
         this.managedBySupport = managedBySupport;
         this.isSelfViewable = isSelfViewable;
     }
@@ -55,6 +64,10 @@ public enum Group {
         return managedBySupport;
     }
 
+    public boolean isManagedByUser() {
+        return managedByUser;
+    }
+
     public boolean isSelfViewable() {
         return isSelfViewable;
     }
diff --git a/src/org/cacert/gigi/dbObjects/SupportedUser.java b/src/org/cacert/gigi/dbObjects/SupportedUser.java
index a663215a..a4a3ba12 100644
--- a/src/org/cacert/gigi/dbObjects/SupportedUser.java
+++ b/src/org/cacert/gigi/dbObjects/SupportedUser.java
@@ -85,7 +85,7 @@ public class SupportedUser {
         return target;
     }
 
-    public void grant(Group toMod) {
+    public void grant(Group toMod) throws GigiApiException {
         target.grantGroup(supporter, toMod);
     }
 
diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java
index 3c9b972d..69b76ad2 100644
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -45,7 +45,7 @@ public class User extends CertificateOwner {
 
     private Locale locale;
 
-    private final Set<Group> groups = new HashSet<>();
+    private Set<Group> groups = new HashSet<>();
 
     public static final int MINIMUM_AGE = 16;
 
@@ -93,15 +93,21 @@ public class User extends CertificateOwner {
             locale = Language.getLocaleFromString(localeStr);
         }
 
+        refreshGroups();
+    }
+
+    public synchronized void refreshGroups() {
+        HashSet<Group> hs = new HashSet<>();
         try (GigiPreparedStatement psg = new GigiPreparedStatement("SELECT `permission` FROM `user_groups` WHERE `user`=? AND `deleted` is NULL")) {
-            psg.setInt(1, rs.getInt("id"));
+            psg.setInt(1, getId());
 
             try (GigiResultSet rs2 = psg.executeQuery()) {
                 while (rs2.next()) {
-                    groups.add(Group.getByString(rs2.getString(1)));
+                    hs.add(Group.getByString(rs2.getString(1)));
                 }
             }
         }
+        groups = hs;
     }
 
     public User(String email, String password, DayDate dob, Locale locale, Country residenceCountry, NamePart... preferred) throws GigiApiException {
@@ -438,7 +444,10 @@ public class User extends CertificateOwner {
         return Collections.unmodifiableSet(groups);
     }
 
-    public void grantGroup(User granter, Group toGrant) {
+    public void grantGroup(User granter, Group toGrant) throws GigiApiException {
+        if (toGrant.isManagedBySupport() && !granter.isInGroup(Group.SUPPORTER)) {
+            throw new GigiApiException("Group may only be managed by supporter");
+        }
         groups.add(toGrant);
         try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
             ps.setInt(1, getId());
diff --git a/src/org/cacert/gigi/output/GroupSelector.java b/src/org/cacert/gigi/output/GroupSelector.java
index a12a5cd4..850e1d5a 100644
--- a/src/org/cacert/gigi/output/GroupSelector.java
+++ b/src/org/cacert/gigi/output/GroupSelector.java
@@ -17,18 +17,18 @@ public class GroupSelector implements Outputable {
 
     private Group value = null;
 
-    private final boolean supportFlag;
+    private final boolean bySupporter;
 
-    public GroupSelector(String name, boolean supportFlag) {
+    public GroupSelector(String name, boolean bySupporter) {
         this.name = HTMLEncoder.encodeHTML(name);
-        this.supportFlag = supportFlag;
+        this.bySupporter = bySupporter;
     }
 
     public void update(HttpServletRequest r) throws GigiApiException {
         String vS = r.getParameter(name);
         value = null;
         for (Group g : Group.values()) {
-            if (g.getDatabaseName().equals(vS) && g.isManagedBySupport() == supportFlag) {
+            if (g.getDatabaseName().equals(vS) && mayManage(g)) {
                 value = g;
             }
         }
@@ -38,7 +38,7 @@ public class GroupSelector implements Outputable {
     public void output(PrintWriter out, Language l, Map<String, Object> vars) {
         out.println("<select name='" + name + "'>");
         for (Group g : Group.values()) {
-            if (supportFlag == g.isManagedBySupport()) {
+            if (mayManage(g)) {
                 out.print("<option value='" + g.getDatabaseName());
                 if (g.equals(value)) {
                     out.print(" selected");
@@ -51,6 +51,10 @@ public class GroupSelector implements Outputable {
         out.println("</select>");
     }
 
+    private boolean mayManage(Group g) {
+        return (bySupporter && g.isManagedBySupport()) || ( !bySupporter && g.isManagedByUser());
+    }
+
     public Group getGroup() {
         return value;
     }
diff --git a/tests/org/cacert/gigi/TestOrga.java b/tests/org/cacert/gigi/TestOrga.java
index 1a0a0aaf..ff3a56cc 100644
--- a/tests/org/cacert/gigi/TestOrga.java
+++ b/tests/org/cacert/gigi/TestOrga.java
@@ -17,13 +17,13 @@ public class TestOrga extends BusinessTest {
     @Test
     public void testAddRm() throws GigiApiException, IOException {
         User u1 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
-        u1.grantGroup(u1, Group.ORGASSURER);
+        u1.grantGroup(getSupporter(), Group.ORGASSURER);
         User u2 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
-        u2.grantGroup(u1, Group.ORGASSURER);
+        u2.grantGroup(getSupporter(), Group.ORGASSURER);
         User u3 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
-        u3.grantGroup(u1, Group.ORGASSURER);
+        u3.grantGroup(getSupporter(), Group.ORGASSURER);
         User u4 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
-        u4.grantGroup(u1, Group.ORGASSURER);
+        u4.grantGroup(getSupporter(), Group.ORGASSURER);
         Organisation o1 = new Organisation("name", Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "prov", "city", "email", "optional name", "postal address", u1);
         assertEquals(0, o1.getAllAdmins().size());
         o1.addAdmin(u2, u1, false);
diff --git a/tests/org/cacert/gigi/TestUserGroupMembership.java b/tests/org/cacert/gigi/TestUserGroupMembership.java
index 32bb1a99..ea92218b 100644
--- a/tests/org/cacert/gigi/TestUserGroupMembership.java
+++ b/tests/org/cacert/gigi/TestUserGroupMembership.java
@@ -3,6 +3,7 @@ package org.cacert.gigi;
 import static org.hamcrest.CoreMatchers.*;
 import static org.junit.Assert.*;
 
+import java.io.IOException;
 import java.sql.SQLException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -23,10 +24,10 @@ public class TestUserGroupMembership extends BusinessTest {
     private final Group supporter = Group.getByString("supporter");
 
     @Test
-    public void testAddObject() throws GigiApiException, SQLException {
+    public void testAddObject() throws GigiApiException, SQLException, IOException {
         User u = User.getById(createVerifiedUser("fname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
 
-        User granter = User.getById(createVerifiedUser("grFname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
+        User granter = getSupporter();
         assertBehavesEmpty(u);
 
         u.grantGroup(granter, ttpGroup);
@@ -55,10 +56,10 @@ public class TestUserGroupMembership extends BusinessTest {
     }
 
     @Test
-    public void testRemoveObject() throws GigiApiException, SQLException {
+    public void testRemoveObject() throws GigiApiException, SQLException, IOException {
         User u = User.getById(createVerifiedUser("fname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
 
-        User granter = User.getById(createVerifiedUser("grFname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
+        User granter = getSupporter();
 
         assertBehavesEmpty(u);
         u.grantGroup(granter, ttpGroup);
@@ -99,20 +100,20 @@ public class TestUserGroupMembership extends BusinessTest {
     }
 
     @Test
-    public void testListGroup() throws GigiApiException {
-        Group g = Group.getByString("supporter");
+    public void testListGroup() throws GigiApiException, IOException {
+        Group g = Group.SUPPORTER;
         int start = g.getMembers(0, 10).length;
         User ux = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.org", TEST_PASSWORD));
         User ux2 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.org", TEST_PASSWORD));
         assertEquals(0, g.getMembers(0, 10).length + start);
-        ux.grantGroup(ux, g);
-        assertEquals(1, g.getMembers(0, 10).length + start);
-        ux2.grantGroup(ux, g);
+        ux.grantGroup(getSupporter(), g); // creates a supporter
         assertEquals(2, g.getMembers(0, 10).length + start);
+        ux2.grantGroup(ux, g);
+        assertEquals(3, g.getMembers(0, 10).length + start);
         ux2.revokeGroup(ux, g);
-        assertEquals(1, g.getMembers(0, 10).length + start);
+        assertEquals(2, g.getMembers(0, 10).length + start);
         ux.revokeGroup(ux, g);
-        assertEquals(0, g.getMembers(0, 10).length + start);
+        assertEquals(1, g.getMembers(0, 10).length + start);
 
     }
 
diff --git a/tests/org/cacert/gigi/api/IssueCert.java b/tests/org/cacert/gigi/api/IssueCert.java
index 03ab3f3e..fc1e9d1c 100644
--- a/tests/org/cacert/gigi/api/IssueCert.java
+++ b/tests/org/cacert/gigi/api/IssueCert.java
@@ -18,9 +18,9 @@ import java.security.cert.X509Certificate;
 import org.cacert.gigi.dbObjects.Certificate;
 import org.cacert.gigi.dbObjects.Certificate.CSRType;
 import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
-import org.cacert.gigi.dbObjects.Country.CountryCodeType;
 import org.cacert.gigi.dbObjects.CertificateProfile;
 import org.cacert.gigi.dbObjects.Country;
+import org.cacert.gigi.dbObjects.Country.CountryCodeType;
 import org.cacert.gigi.dbObjects.Digest;
 import org.cacert.gigi.dbObjects.Domain;
 import org.cacert.gigi.dbObjects.Group;
@@ -87,7 +87,7 @@ public class IssueCert extends ClientTest {
     @Test
     public void testIssueOrgCert() throws Exception {
         makeAssurer(id);
-        u.grantGroup(u, Group.ORGASSURER);
+        u.grantGroup(getSupporter(), Group.ORGASSURER);
 
         Organisation o1 = new Organisation("name", Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "pr", "st", "test@mail", "", "", u);
         o1.addAdmin(u, u, false);
diff --git a/tests/org/cacert/gigi/api/TestFindAgent.java b/tests/org/cacert/gigi/api/TestFindAgent.java
index 3b8b9927..d7213961 100644
--- a/tests/org/cacert/gigi/api/TestFindAgent.java
+++ b/tests/org/cacert/gigi/api/TestFindAgent.java
@@ -33,7 +33,7 @@ public class TestFindAgent extends RestrictedApiTest {
         assertEquals(501, v.getResponseCode());
         assertThat(IOUtils.readURL(new InputStreamReader(v.getErrorStream(), "UTF-8")), containsString(FindAgentAccess.PATH));
 
-        grant(u.getEmail(), Group.LOCATE_AGENT);
+        grant(u, Group.LOCATE_AGENT);
         v = doApi(FindAgent.PATH_RESOLVE, "serial=" + target2.getSerial().toLowerCase());
         assertEquals(u.getId(), Integer.parseInt(IOUtils.readURL(v)));
     }
@@ -58,13 +58,13 @@ public class TestFindAgent extends RestrictedApiTest {
         assertThat(v.getResponseMessage(), containsString("needs to enable access"));
 
         // even if sender enables service
-        grant((userUFirst ? u : us2).getEmail(), Group.LOCATE_AGENT);
+        grant((userUFirst ? u : us2), Group.LOCATE_AGENT);
         v = doApi(FindAgent.PATH_MAIL, "from=" + id + "&to=" + u2 + "&subject=the-subject&body=body");
         assertEquals(v.getResponseMessage(), 501, v.getResponseCode());
         assertThat(v.getResponseMessage(), containsString("needs to enable access"));
 
         // receiver needs to enable access as well
-        grant((userUFirst ? us2 : u).getEmail(), Group.LOCATE_AGENT);
+        grant((userUFirst ? us2 : u), Group.LOCATE_AGENT);
         v = doApi(FindAgent.PATH_MAIL, "from=" + id + "&to=" + u2 + "&subject=the-subject&body=body");
         assertEquals(v.getResponseMessage(), 200, v.getResponseCode());
         TestMail mail = getMailReceiver().receive();
@@ -79,8 +79,8 @@ public class TestFindAgent extends RestrictedApiTest {
 
         String res = IOUtils.readURL(doApi(FindAgent.PATH_INFO, "id=" + id + "&id=" + u2)).replace("\r", "");
         assertEquals(res, "");
-        grant(email, Group.LOCATE_AGENT);
-        grant(User.getById(u2).getEmail(), Group.LOCATE_AGENT);
+        grant(u, Group.LOCATE_AGENT);
+        grant(User.getById(u2), Group.LOCATE_AGENT);
         res = IOUtils.readURL(doApi(FindAgent.PATH_INFO, "id=" + id + "&id=" + u2)).replace("\r", "");
         assertEquals(id + ",true," + u.getPreferredName().toAbbreviatedString() + "\n" + u2 + ",false," + User.getById(u2).getPreferredName().toAbbreviatedString() + "\n", res);
     }
diff --git a/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java b/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
index 98f105f0..0beaef87 100644
--- a/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
+++ b/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
@@ -20,11 +20,9 @@ public class TestCertificateRequest extends ClientTest {
 
     AuthorizationContext ac;
 
-    public TestCertificateRequest() throws GeneralSecurityException, IOException {
+    public TestCertificateRequest() throws GeneralSecurityException, IOException, GigiApiException {
         ac = new AuthorizationContext(u, u);
         makeAssurer(u.getId());
-        grant(email, Group.CODESIGNING);
-
     }
 
     @Test
@@ -62,7 +60,7 @@ public class TestCertificateRequest extends ClientTest {
     @Test
     public void testCodesignModifiedName() throws Exception {
         try {
-            u.grantGroup(u, Group.CODESIGNING);
+            u.grantGroup(getSupporter(), Group.CODESIGNING);
             CertificateRequest cr = new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab"));
             cr.update("name", "SHA512", "code-a", null, null, "email:" + email);
             cr.draft();
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminNotificationMail.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminNotificationMail.java
index 689fb513..c51e5cc4 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminNotificationMail.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminNotificationMail.java
@@ -6,6 +6,7 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 import java.net.MalformedURLException;
 
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.pages.admin.support.SupportEnterTicketPage;
 import org.cacert.gigi.pages.admin.support.SupportUserDetailsPage;
@@ -18,8 +19,9 @@ public class TestSEAdminNotificationMail extends ClientTest {
 
     private int targetID;
 
-    public TestSEAdminNotificationMail() throws IOException {
-        grant(email, Group.SUPPORTER);
+    public TestSEAdminNotificationMail() throws IOException, GigiApiException {
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
 
         String email = createUniqueName() + "@example.com";
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageDetails.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageDetails.java
index 08541dec..e9b31abb 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageDetails.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageDetails.java
@@ -27,8 +27,9 @@ import org.junit.Test;
 
 public class TestSEAdminPageDetails extends ClientTest {
 
-    public TestSEAdminPageDetails() throws IOException {
-        grant(email, Group.SUPPORTER);
+    public TestSEAdminPageDetails() throws IOException, GigiApiException {
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
     }
 
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
index d1916c10..57c5c15c 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
@@ -32,7 +32,8 @@ public class TestSEAdminPageUserDomainSearch extends ClientTest {
     private int tid;
 
     public TestSEAdminPageUserDomainSearch() throws IOException, GigiApiException {
-        grant(email, Group.SUPPORTER);
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
 
         String mail = createUniqueName() + "@example.com";
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
index 71dfeaee..29918b5a 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
@@ -22,8 +22,9 @@ import org.junit.Test;
 
 public class TestSEAdminPageUserMailSearch extends ClientTest {
 
-    public TestSEAdminPageUserMailSearch() throws IOException {
-        grant(email, Group.SUPPORTER);
+    public TestSEAdminPageUserMailSearch() throws IOException, GigiApiException {
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
     }
 
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminTicketSetting.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminTicketSetting.java
index 62d89de2..01e17b3c 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminTicketSetting.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminTicketSetting.java
@@ -6,6 +6,7 @@ import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
 
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.pages.admin.support.FindUserByDomainPage;
 import org.cacert.gigi.pages.admin.support.FindUserByEmailPage;
@@ -15,8 +16,9 @@ import org.junit.Test;
 
 public class TestSEAdminTicketSetting extends ClientTest {
 
-    public TestSEAdminTicketSetting() throws IOException {
-        grant(email, Group.SUPPORTER);
+    public TestSEAdminTicketSetting() throws IOException, GigiApiException {
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
     }
 
     @Test
diff --git a/tests/org/cacert/gigi/pages/orga/TestOrgDomain.java b/tests/org/cacert/gigi/pages/orga/TestOrgDomain.java
index d1b930db..b24bb83e 100644
--- a/tests/org/cacert/gigi/pages/orga/TestOrgDomain.java
+++ b/tests/org/cacert/gigi/pages/orga/TestOrgDomain.java
@@ -13,7 +13,7 @@ import org.junit.Test;
 
 public class TestOrgDomain extends OrgTest {
 
-    public TestOrgDomain() throws IOException {
+    public TestOrgDomain() throws IOException, GigiApiException {
 
     }
 
diff --git a/tests/org/cacert/gigi/pages/orga/TestOrgManagement.java b/tests/org/cacert/gigi/pages/orga/TestOrgManagement.java
index 760ca198..65951dc8 100644
--- a/tests/org/cacert/gigi/pages/orga/TestOrgManagement.java
+++ b/tests/org/cacert/gigi/pages/orga/TestOrgManagement.java
@@ -26,7 +26,7 @@ import org.junit.Test;
 
 public class TestOrgManagement extends OrgTest {
 
-    public TestOrgManagement() throws IOException {
+    public TestOrgManagement() throws IOException, GigiApiException {
 
     }
 
diff --git a/tests/org/cacert/gigi/pages/wot/TestTTP.java b/tests/org/cacert/gigi/pages/wot/TestTTP.java
index 34b0ca6d..0d376386 100644
--- a/tests/org/cacert/gigi/pages/wot/TestTTP.java
+++ b/tests/org/cacert/gigi/pages/wot/TestTTP.java
@@ -21,7 +21,7 @@ public class TestTTP extends ClientTest {
     public void testTTPApply() throws IOException {
         String ttp = IOUtils.readURL(get(RequestTTPPage.PATH));
         assertThat(ttp, containsString("<form"));
-        executeBasicWebInteraction(cookie, RequestTTPPage.PATH, "country=0");
+        assertNull(executeBasicWebInteraction(cookie, RequestTTPPage.PATH, "country=0"));
 
         ttp = IOUtils.readURL(get(RequestTTPPage.PATH));
         assertThat(ttp, not(containsString("<form")));
diff --git a/tests/org/cacert/gigi/pages/wot/TestTTPAdmin.java b/tests/org/cacert/gigi/pages/wot/TestTTPAdmin.java
index 31b0e51b..d04b0b66 100644
--- a/tests/org/cacert/gigi/pages/wot/TestTTPAdmin.java
+++ b/tests/org/cacert/gigi/pages/wot/TestTTPAdmin.java
@@ -5,6 +5,7 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 import java.net.MalformedURLException;
 
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.pages.admin.TTPAdminPage;
@@ -20,20 +21,20 @@ public class TestTTPAdmin extends ClientTest {
     }
 
     @Test
-    public void testHasRight() throws IOException {
+    public void testHasRight() throws IOException, GigiApiException {
         testTTPAdmin(true);
     }
 
     @Test
-    public void testHasNoRight() throws IOException {
+    public void testHasNoRight() throws IOException, GigiApiException {
         testTTPAdmin(false);
     }
 
-    public void testTTPAdmin(boolean hasRight) throws IOException {
+    public void testTTPAdmin(boolean hasRight) throws IOException, GigiApiException {
         if (hasRight) {
-            grant(email, Group.getByString("ttp-assurer"));
+            grant(u, Group.getByString("ttp-assurer"));
         }
-        grant(u.getEmail(), TTPAdminPage.TTP_APPLICANT);
+        grant(u, TTPAdminPage.TTP_APPLICANT);
         cookie = login(u.getEmail(), TEST_PASSWORD);
 
         assertEquals( !hasRight ? 403 : 200, fetchStatusCode(TTPAdminPage.PATH));
diff --git a/tests/org/cacert/gigi/testUtils/BusinessTest.java b/tests/org/cacert/gigi/testUtils/BusinessTest.java
index cc095e30..db888c03 100644
--- a/tests/org/cacert/gigi/testUtils/BusinessTest.java
+++ b/tests/org/cacert/gigi/testUtils/BusinessTest.java
@@ -15,8 +15,10 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.database.GigiPreparedStatement;
 import org.cacert.gigi.dbObjects.Domain;
 import org.cacert.gigi.dbObjects.EmailAddress;
+import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.NamePart;
 import org.cacert.gigi.dbObjects.NamePart.NamePartType;
 import org.cacert.gigi.dbObjects.User;
@@ -155,4 +157,21 @@ public abstract class BusinessTest extends ConfiguredTest {
     public MailReceiver getMailReceiver() {
         return InVMEmail.getInstance();
     }
+
+    private User supporter;
+
+    public User getSupporter() throws GigiApiException, IOException {
+        if (supporter != null) {
+            return supporter;
+        }
+        supporter = createVerifiedUser();
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+            ps.setInt(1, supporter.getId());
+            ps.setString(2, Group.SUPPORTER.getDatabaseName());
+            ps.setInt(3, supporter.getId());
+            ps.execute();
+        }
+        supporter.refreshGroups();
+        return supporter;
+    }
 }
diff --git a/tests/org/cacert/gigi/testUtils/ManagedTest.java b/tests/org/cacert/gigi/testUtils/ManagedTest.java
index a0228f16..22da1eab 100644
--- a/tests/org/cacert/gigi/testUtils/ManagedTest.java
+++ b/tests/org/cacert/gigi/testUtils/ManagedTest.java
@@ -42,7 +42,6 @@ import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Job;
 import org.cacert.gigi.dbObjects.ObjectCache;
 import org.cacert.gigi.dbObjects.User;
-import org.cacert.gigi.pages.Manager;
 import org.cacert.gigi.pages.account.MyDetails;
 import org.cacert.gigi.pages.main.RegisterPage;
 import org.cacert.gigi.testUtils.TestEmailReceiver.TestMail;
@@ -289,11 +288,9 @@ public class ManagedTest extends ConfiguredTest {
         }
     }
 
-    public static void grant(String email, Group g) throws IOException {
-        HttpURLConnection huc = (HttpURLConnection) new URL("https://" + getServerName() + Manager.PATH).openConnection();
-        huc.setDoOutput(true);
-        huc.getOutputStream().write(("addpriv=y&priv=" + URLEncoder.encode(g.getDatabaseName(), "UTF-8") + "&email=" + URLEncoder.encode(email, "UTF-8")).getBytes("UTF-8"));
-        assertEquals(200, huc.getResponseCode());
+    public static void grant(User u, Group g) throws IOException, GigiApiException {
+        u.grantGroup(getSupporter(), g);
+        clearCaches();
     }
 
     /**
@@ -486,4 +483,21 @@ public class ManagedTest extends ConfiguredTest {
         return openConnection;
     }
 
+    private static User supporter;
+
+    public static User getSupporter() throws GigiApiException, IOException {
+        if (supporter != null) {
+            return supporter;
+        }
+        int i = createVerifiedUser("fn", "ln", createUniqueName() + "@email.com", TEST_PASSWORD);
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+            ps.setInt(1, i);
+            ps.setString(2, Group.SUPPORTER.getDatabaseName());
+            ps.setInt(3, i);
+            ps.execute();
+        }
+        clearCaches();
+        supporter = User.getById(i);
+        return supporter;
+    }
 }
diff --git a/tests/org/cacert/gigi/testUtils/OrgTest.java b/tests/org/cacert/gigi/testUtils/OrgTest.java
index 2a9f5da7..5a42a4a6 100644
--- a/tests/org/cacert/gigi/testUtils/OrgTest.java
+++ b/tests/org/cacert/gigi/testUtils/OrgTest.java
@@ -10,9 +10,9 @@ import org.cacert.gigi.dbObjects.Organisation;
 
 public class OrgTest extends ClientTest {
 
-    public OrgTest() throws IOException {
+    public OrgTest() throws IOException, GigiApiException {
         makeAssurer(u.getId());
-        u.grantGroup(u, Group.ORGASSURER);
+        u.grantGroup(getSupporter(), Group.ORGASSURER);
         clearCaches();
         cookie = login(email, TEST_PASSWORD);
     }
diff --git a/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java b/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java
index 2301b0ae..e4ec22b9 100644
--- a/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java
+++ b/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java
@@ -39,7 +39,7 @@ public class RestrictedApiTest extends ClientTest {
         initEnvironment();
         try {
             User u = User.getById(createAssuranceUser("f", "l", createUniqueName() + "@email.com", TEST_PASSWORD));
-            grant(u.getEmail(), Group.ORGASSURER);
+            grant(u, Group.ORGASSURER);
             clearCaches();
             u = User.getById(u.getId());
             Organisation o = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u);
diff --git a/util-testing/org/cacert/gigi/pages/Manager.java b/util-testing/org/cacert/gigi/pages/Manager.java
index a2435c95..2fd78ba7 100644
--- a/util-testing/org/cacert/gigi/pages/Manager.java
+++ b/util-testing/org/cacert/gigi/pages/Manager.java
@@ -96,6 +96,28 @@ public class Manager extends Page {
         }
     }
 
+    public User getSupporter() {
+        if (supporter != null) {
+            return supporter;
+        }
+        try {
+            User u = createAssurer( -1);
+            if ( !u.isInGroup(Group.SUPPORTER)) {
+                try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+                    ps.setInt(1, u.getId());
+                    ps.setString(2, Group.SUPPORTER.getDatabaseName());
+                    ps.setInt(3, u.getId());
+                    ps.execute();
+                }
+                u.refreshGroups();
+            }
+            supporter = u;
+        } catch (ReflectiveOperationException | GigiApiException e) {
+            e.printStackTrace();
+        }
+        return supporter;
+    }
+
     public User getAssurer(int i) {
         if (assurers[i] != null) {
             return assurers[i];
@@ -261,6 +283,8 @@ public class Manager extends Page {
 
     User[] assurers = new User[25];
 
+    User supporter;
+
     @Override
     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         if (req.getParameter("create") != null) {
@@ -273,7 +297,11 @@ public class Manager extends Page {
                 return;
             }
             if (req.getParameter("addpriv") != null) {
-                u.grantGroup(u, Group.getByString(req.getParameter("priv")));
+                try {
+                    u.grantGroup(getSupporter(), Group.getByString(req.getParameter("priv")));
+                } catch (GigiApiException e) {
+                    throw new Error(e);
+                }
                 resp.getWriter().println("Privilege granted");
             } else {
                 u.revokeGroup(u, Group.getByString(req.getParameter("priv")));
-- 
2.39.2