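 /**
  * Run the request lifecycle for the current content page.
  *
  * Steps, in the order performed below: send the anti-framing and HSTS
  * headers, bind the template engine to the content page, authenticate,
  * reject CSRF attempts (renders site.tpl and exits), issue a fresh
  * anti-CSRF token, run pre_process(), apply the ?mode= switch, run
  * process() unless an earlier step set $this->renderError (NREN admins
  * are exempt), render site.tpl, and finally post_process() when no error
  * was recorded.
  *
  * Exceptions from authenticate() are only guarded for the three Confusa
  * types caught below; anything else propagates. pre_process() and
  * process() are guarded by a trailing catch (Exception), so everything
  * derived from Exception is turned into error output instead.
  *
  * @return void
  */
 public function start()
 {
     /* From OWASP (prevent clickjacking):
      *
      * The X-FRAME-OPTIONS header is used to mark responses that shouldn't
      * be framed. There are two options with X-FRAME-OPTIONS. The first is
      * DENY, which prevents everyone from framing the content.
      *
      * This can also be done by apache itself:
      * a2enmod headers
      * Add to the Virtualhost, directory that hosts confusa:
      * Header set X-Frame-Options "DENY"
      */
     header('X-Frame-Options: DENY');
     /*
      * Strict-Transport-Security (RFC 6797)
      * Once the page has been accessed over HTTPS and this header was present,
      * conformant browsers will force subsequent requests over HTTPS as well.
      * Only max-age (one year) is set; includeSubDomains is deliberately not
      * asserted here since it would bind every subdomain of the host.
      */
     header('Strict-Transport-Security: max-age=31536000');
     /* Set tpl object to content page */
     $this->contentPage->setTpl($this->tpl);
     /* check the authentication-thing, catch the login-hook
      * This is done via confusa_auth
      */
     try {
         $this->authenticate();
     } catch (CGE_CriticalAttributeException $cae) {
         $msg = "<b>" . $this->contentPage->translateMessageTag('fw_error_critical_attribute1') . "</b><br /><br />";
         $msg .= htmlentities($cae->getMessage()) . "<br /><br />";
         $msg .= $this->contentPage->translateMessageTag('fw_error_critical_attribute2');
         Framework::error_output($msg);
         $this->renderError = true;
     } catch (MapNotFoundException $mnfe) {
         $msg = $this->contentPage->translateMessageTag('fw_error_map_notfound');
         /* if user is admin, offer a link to the attribute map editor */
         if ($this->person->isNRENAdmin()) {
             $msg .= "<br /><br />";
             /* '&' must be '&amp;' inside an HTML attribute. The anti-CSRF
              * token travels in the query string here, so it is exposed to
              * anything that sees the URL (Referer, logs); the token is a
              * per-request value obtained from getAntiCSRF() — confirm its
              * lifetime if that exposure matters. */
             $msg .= "<a href=\"attributes.php?mode=admin&amp;anticsrf=" . Framework::getAntiCSRF() . "\">";
             $msg .= $this->contentPage->translateMessageTag('fw_error_map_updatemap');
             /* was "</>", which is not a closing tag */
             $msg .= "</a>\n";
         }
         Framework::error_output($msg);
         $this->renderError = true;
     } catch (ConfusaGenException $cge) {
         Framework::error_output($this->contentPage->translateMessageTag('fw_error_auth') . htmlentities($cge->getMessage()));
         $this->renderError = true;
     }
     /* A detected CSRF attempt renders the error page and stops the request
      * here; nothing below (pre_process, mode switch, process) runs. */
     if ($this->isCSRFAttempt()) {
         Framework::error_output($this->contentPage->translateMessageTag('fw_anticsrf_msg'));
         $this->tpl->assign('instance', Config::get_config('system_name'));
         $this->tpl->assign('errors', self::$errors);
         $this->tpl->display('site.tpl');
         exit(0);
     }
     /* Create a new anti CSRF token and export to the template engine:
      * 'ganticsrf' for GET links, 'panticsrf' as a hidden form field. */
     $this->current_anticsrf = self::getAntiCSRF();
     $this->tpl->assign('ganticsrf', 'anticsrf=' . $this->current_anticsrf);
     $this->tpl->assign('panticsrf', '<input type="hidden" name="anticsrf" value="' . $this->current_anticsrf . '" />');
     /*
      * Try to run the pre-processing
      */
     try {
         $res = $this->contentPage->pre_process($this->person);
         if ($res) {
             /* NOTE(review): assign() is called with no value, so 'extraHeader'
              * is set to null regardless of $res — presumably $res itself was
              * meant to be assigned; confirm against the templates. */
             $this->tpl->assign('extraHeader');
         }
     } catch (CGE_RemoteCredentialException $rce) {
         $msg = $this->contentPage->translateMessageTag('fw_error_remote_credential1');
         $msg .= "<i>" . htmlentities($rce->getMessage()) . "</i><br /><br />";
         if ($this->person->isNRENAdmin()) {
             $msg .= "<div style=\"text-align: center\">";
             /* NOTE(review): every other lookup goes through
              * $this->contentPage->translateMessageTag(); this one uses
              * self:: — verify a static variant exists on Framework. */
             $msg .= self::translateMessageTag('fw_error_remote_credential2') . "</div>";
         } else {
             /* NOTE(review): the return value of error_output() is appended to
              * $msg; if error_output() returns nothing this appends an empty
              * string and the ".=" is a no-op — confirm intent. */
             $msg .= Framework::error_output($this->contentPage->translateMessageTag('fw_error_remote_credential3'));
             $this->renderError = true;
         }
         Framework::warning_output($msg);
     } catch (KeyNotFoundException $knfe) {
         $this->renderError = true;
         /* $errorTag correlates the user-visible message with the log line */
         $errorTag = PW::create(8);
         $msg = "[{$errorTag}] " . $this->contentPage->translateMessageTag('fw_keynotfound1');
         Logger::logEvent(LOG_NOTICE, "Framework", "start()", "Config-file not properly configured: " . $knfe->getMessage(), __LINE__, $errorTag);
         $msg .= htmlentities($knfe->getMessage());
         $msg .= "<br />" . $this->contentPage->translateMessageTag('fw_keynotfound2');
         Framework::error_output($msg);
     } catch (Exception $e) {
         Framework::error_output($this->contentPage->translateMessageTag('fw_unhandledexp1') . "<br />" . htmlentities($e->getMessage()));
         $this->renderError = true;
     }
     /* ----------------------------------------------------------------
      * Admin messages, trigger on missing elements
      */
     if ($this->person->isNRENAdmin()) {
         $this->triggerAdminIssues();
     }
     /* Mode-hook, to catch mode-change regardless of target-page (not only
      * index). Only the literal value 'admin' selects ADMIN_MODE; any other
      * value resets to NORMAL_MODE. The is_string() guard keeps an array
      * parameter (?mode[]=x) from raising a TypeError in the comparison. */
     if (isset($_GET['mode'])) {
         $new_mode = NORMAL_MODE;
         if (is_string($_GET['mode']) && $_GET['mode'] === 'admin') {
             $new_mode = ADMIN_MODE;
         }
         $this->person->setMode($new_mode);
     }
     $this->tpl->assign('title_logo', $this->contentPage->translateMessageTag('l10n_title_logo'));
     $this->tpl->assign('person', $this->person);
     $this->tpl->assign('subscriber', $this->person->getSubscriber());
     $this->tpl->assign('nren', $this->person->getNREN());
     $this->tpl->assign('is_online', Config::get_config('ca_mode') === CA_COMODO);
     /* If we have a renderError, do not allow the user-page to
      * render, otherwise, run it, and catch all unhandled exception
      *
      * The general idea, is that the process() should be
      * self-contained wrt to exceptions.
      *
      * A NREN admin is supposed to be able to "fix stuff" such as for instance
      * CGE_CriticalAttributeExceptions and should hence see the pages also if
      * renderError is set.
      */
     if (!$this->renderError || $this->person->isNRENAdmin()) {
         try {
             $this->applyNRENBranding();
             $this->contentPage->process($this->person);
         } catch (KeyNotFoundException $knfe) {
             $errorTag = PW::create(8);
             $msg = "[{$errorTag}] " . $this->contentPage->translateMessageTag('fw_keynotfound1');
             Logger::logEvent(LOG_NOTICE, "Framework", "start()", "Config-file not properly configured: " . $knfe->getMessage(), __LINE__, $errorTag);
             $msg .= htmlentities($knfe->getMessage());
             $msg .= "<br />" . $this->contentPage->translateMessageTag('fw_keynotfound2');
             Framework::error_output($msg);
         } catch (Exception $e) {
             Logger::logEvent(LOG_INFO, "Framework", "start()", "Unhandleded exception when running contentPage->process()", __LINE__);
             Framework::error_output($this->contentPage->translateMessageTag('fw_unhandledexp1') . "<br />\n" . htmlentities($e->getMessage()));
         }
     } else {
         $nren = $this->person->getNREN();
         if (isset($nren)) {
             /* if all else fails, at least give the user some recovery information */
             Framework::message_output($this->contentPage->translateMessageTag('fw_unrecoverable_nren') . htmlentities($this->person->getEPPN()));
         } else {
             /* NOTE(review): the other error tags in this method use
              * PW::create(8); this call relies on the default length. */
             $errorTag = PW::create();
             Framework::error_output("[{$errorTag}] " . $this->contentPage->translateMessageTag('fw_unrecoverable_nonren'));
             /* REMOTE_ADDR is the peer address; behind a reverse proxy it
              * identifies the proxy, not the client. */
             Logger::logEvent(LOG_WARNING, "Framework", "start()", "User contacting us from " . $_SERVER['REMOTE_ADDR'] . " tried to login from IdP that appears to have no NREN-mapping!", __LINE__, $errorTag);
         }
     }
     $this->tpl->assign('logoutUrl', 'logout.php');
     // see render_menu($this->person)
     $this->tpl->assign('menu', $this->tpl->fetch('menu.tpl'));
     /* Export the message queues collected by error_output() & friends */
     $this->tpl->assign('errors', self::$errors);
     $this->tpl->assign('messages', self::$messages);
     $this->tpl->assign('successes', self::$successes);
     $this->tpl->assign('warnings', self::$warnings);
     if (Config::get_config('debug')) {
         $db_debug_res = "";
         $db_debug_res .= "<address>\n";
         $db_debug_res .= "During this session, we had ";
         $db_debug_res .= MDB2Wrapper::getConnCounter() . " individual DB-connections.<br />\n";
         $db_debug_res .= "</address>\n";
         $this->tpl->assign('db_debug', $db_debug_res);
     }
     $this->tpl->display('site.tpl');
     /* post_process() is skipped whenever any step above recorded an error,
      * even for NREN admins who were still allowed to run process(). */
     if (!$this->renderError) {
         $this->contentPage->post_process($this->person);
     }
 }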