public function start() { /* From OWASP (prevent clickjacking): * * This new (nonstandard) X-FRAME-OPTIONS header is used to mark * responses that shouldn't be framed. There are two options with * X-FRAME-OPTIONS. The first is DENY, which prevents everyone from * framing the content. * * This can also be done by apache itself: * a2enmod headers * Add to the Virtualhost, directory that hosts confusa: * Header set X-Frame-Options "DENY" */ header('X-Frame-Options: DENY'); /* * Strict-Transport-Security (RFC 6797) * Once page has been accessed over HTTPS and this header was present, * confirmant browsers will force subsequent requests over HTTPS aswell. */ header('Strict-Transport-Security: max-age=31536000'); /* Set tpl object to content page */ $this->contentPage->setTpl($this->tpl); /* check the authentication-thing, catch the login-hook * This is done via confusa_auth */ try { $this->authenticate(); } catch (CGE_CriticalAttributeException $cae) { $msg = "<b>" . $this->contentPage->translateMessageTag('fw_error_critical_attribute1') . "</b><br /><br />"; $msg .= htmlentities($cae->getMessage()) . "<br /><br />"; $msg .= $this->contentPage->translateMessageTag('fw_error_critical_attribute2'); Framework::error_output($msg); $this->renderError = true; } catch (MapNotFoundException $mnfe) { $msg = $this->contentPage->translateMessageTag('fw_error_map_notfound'); /* if user is admin */ if ($this->person->isNRENAdmin()) { $msg .= "<br /><br />"; $msg .= "<a href=\"attributes.php?mode=admin&anticsrf=" . Framework::getAntiCSRF() . "\">"; $msg .= $this->contentPage->translateMessageTag('fw_error_map_updatemap'); $msg .= "</>\n"; } Framework::error_output($msg); $this->renderError = true; } catch (ConfusaGenException $cge) { Framework::error_output($this->contentPage->translateMessageTag('fw_error_auth') . htmlentities($cge->getMessage())); $this->renderError = true; } if ($this->isCSRFAttempt()) { Framework::error_output($this->contentPage->translateMessageTag('fw_anticsrf_msg')); $this->tpl->assign('instance', Config::get_config('system_name')); $this->tpl->assign('errors', self::$errors); $this->tpl->display('site.tpl'); exit(0); } /* Create a new anti CSRF token and export to the template engine */ $this->current_anticsrf = self::getAntiCSRF(); $this->tpl->assign('ganticsrf', 'anticsrf=' . $this->current_anticsrf); $this->tpl->assign('panticsrf', '<input type="hidden" name="anticsrf" value="' . $this->current_anticsrf . '" />'); /* * Try to run the pre-processing */ try { $res = $this->contentPage->pre_process($this->person); if ($res) { $this->tpl->assign('extraHeader'); } } catch (CGE_RemoteCredentialException $rce) { $msg = $this->contentPage->translateMessageTag('fw_error_remote_credential1'); $msg .= "<i>" . htmlentities($rce->getMessage()) . "</i><br /><br />"; if ($this->person->isNRENAdmin()) { $msg .= "<div style=\"text-align: center\">"; $msg .= self::translateMessageTag('fw_error_remote_credential2') . "</div>"; } else { $msg .= Framework::error_output($this->contentPage->translateMessageTag('fw_error_remote_credential3')); $this->renderError = true; } Framework::warning_output($msg); } catch (KeyNotFoundException $knfe) { $this->renderError = true; $errorTag = PW::create(8); $msg = "[{$errorTag}] " . $this->contentPage->translateMessageTag('fw_keynotfound1'); Logger::logEvent(LOG_NOTICE, "Framework", "start()", "Config-file not properly configured: " . $knfe->getMessage(), __LINE__, $errorTag); $msg .= htmlentities($knfe->getMessage()); $msg .= "<br />" . $this->contentPage->translateMessageTag('fw_keynotfound2'); Framework::error_output($msg); } catch (Exception $e) { Framework::error_output($this->contentPage->translateMessageTag('fw_unhandledexp1') . "<br />" . htmlentities($e->getMessage())); $this->renderError = true; } /* ---------------------------------------------------------------- * Admin messages, trigger on missing elements */ if ($this->person->isNRENAdmin()) { $this->triggerAdminIssues(); } /* Mode-hook, to catch mode-change regardless of target-page (not only * index) */ if (isset($_GET['mode'])) { $new_mode = NORMAL_MODE; if (htmlentities($_GET['mode']) == 'admin') { $new_mode = ADMIN_MODE; } $this->person->setMode($new_mode); } $this->tpl->assign('title_logo', $this->contentPage->translateMessageTag('l10n_title_logo')); $this->tpl->assign('person', $this->person); $this->tpl->assign('subscriber', $this->person->getSubscriber()); $this->tpl->assign('nren', $this->person->getNREN()); $this->tpl->assign('is_online', Config::get_config('ca_mode') === CA_COMODO); /* If we have a renderError, do not allow the user-page to * render, otherwise, run it, and catch all unhandled exception * * The general idea, is that the process() should be * self-contained wrt to exceptions. * * A NREN admin is supposed to be able to "fix stuff" such as for instance * CGE_CriticalAttributeExceptions and should hence see the pages also if * renderError is set. */ if (!$this->renderError || $this->person->isNRENAdmin()) { try { $this->applyNRENBranding(); $this->contentPage->process($this->person); } catch (KeyNotFoundException $knfe) { $errorTag = PW::create(8); $msg = "[{$errorTag}] " . $this->contentPage->translateMessageTag('fw_keynotfound1'); Logger::logEvent(LOG_NOTICE, "Framework", "start()", "Config-file not properly configured: " . $knfe->getMessage(), __LINE__, $errorTag); $msg .= htmlentities($knfe->getMessage()); $msg .= "<br />" . $this->contentPage->translateMessageTag('fw_keynotfound2'); Framework::error_output($msg); } catch (Exception $e) { Logger::logEvent(LOG_INFO, "Framework", "start()", "Unhandleded exception when running contentPage->process()", __LINE__); Framework::error_output($this->contentPage->translateMessageTag('fw_unhandledexp1') . "<br />\n" . htmlentities($e->getMessage())); } } else { $nren = $this->person->getNREN(); if (isset($nren)) { /* if all else fails, at least give the user some recovery information */ Framework::message_output($this->contentPage->translateMessageTag('fw_unrecoverable_nren') . htmlentities($this->person->getEPPN())); } else { $errorTag = PW::create(); Framework::error_output("[{$errorTag}] " . $this->contentPage->translateMessageTag('fw_unrecoverable_nonren')); Logger::logEvent(LOG_WARNING, "Framework", "start()", "User contacting us from " . $_SERVER['REMOTE_ADDR'] . " tried to login from IdP that appears to have no NREN-mapping!", __LINE__, $errorTag); } } $this->tpl->assign('logoutUrl', 'logout.php'); // see render_menu($this->person) $this->tpl->assign('menu', $this->tpl->fetch('menu.tpl')); $this->tpl->assign('errors', self::$errors); $this->tpl->assign('messages', self::$messages); $this->tpl->assign('successes', self::$successes); $this->tpl->assign('warnings', self::$warnings); if (Config::get_config('debug')) { $db_debug_res = ""; $db_debug_res .= "<address>\n"; $db_debug_res .= "During this session, we had "; $db_debug_res .= MDB2Wrapper::getConnCounter() . " individual DB-connections.<br />\n"; $db_debug_res .= "</address>\n"; $this->tpl->assign('db_debug', $db_debug_res); } $this->tpl->display('site.tpl'); if (!$this->renderError) { $this->contentPage->post_process($this->person); } }