From 4e63a9a6793583c7f7f4959724be2653ddc85f49 Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Wed, 4 May 2011 17:08:25 +0200 Subject: [PATCH] part of request #3163623: add support to login via ssl client certificate. web interface to register certificates is still missing --- data/schema/6.sql | 10 ++++++ data/tables.sql | 10 ++++++ data/templates/toolbar.inc.php | 2 +- src/SemanticScuttle/Service/User.php | 50 ++++++++++++++++++++++++++++ 4 files changed, 71 insertions(+), 1 deletion(-) diff --git a/data/schema/6.sql b/data/schema/6.sql index 4ae7cb9..bc85ffd 100644 --- a/data/schema/6.sql +++ b/data/schema/6.sql @@ -2,3 +2,13 @@ CREATE TABLE `sc_version` ( `schema_version` int(11) NOT NULL ) DEFAULT CHARSET=utf8; INSERT INTO `sc_version` (`schema_version`) VALUES ('6'); + +CREATE TABLE `sc_users_sslclientcerts` ( + `id` INT NOT NULL AUTO_INCREMENT , + `uId` INT NOT NULL , + `sslSerial` VARCHAR( 32 ) NOT NULL , + `sslName` VARCHAR( 64 ) NOT NULL , + `sslEmail` VARCHAR( 64 ) NOT NULL , + PRIMARY KEY ( `id` ) , + UNIQUE (`id`) +) CHARACTER SET utf8 COLLATE utf8_general_ci; diff --git a/data/tables.sql b/data/tables.sql index 7a9c5bd..af0c81b 100644 --- a/data/tables.sql +++ b/data/tables.sql @@ -77,6 +77,16 @@ CREATE TABLE `sc_users` ( -- -------------------------------------------------------- +CREATE TABLE `sc_users_sslclientcerts` ( + `id` INT NOT NULL AUTO_INCREMENT , + `uId` INT NOT NULL , + `sslSerial` VARCHAR( 32 ) NOT NULL , + `sslName` VARCHAR( 64 ) NOT NULL , + `sslEmail` VARCHAR( 64 ) NOT NULL , + PRIMARY KEY ( `id` ) , + UNIQUE (`id`) +) CHARACTER SET utf8 COLLATE utf8_general_ci; + -- -- Table structure for table `sc_watched` -- diff --git a/data/templates/toolbar.inc.php b/data/templates/toolbar.inc.php index 0d9bf49..fb6638d 100644 --- a/data/templates/toolbar.inc.php +++ b/data/templates/toolbar.inc.php 
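Review bot: `sslSerial` is the only column the certificate login can key on, yet the new `sc_users_sslclientcerts` table in 6.sql neither makes it UNIQUE nor records which CA issued the certificate, so two rows with the same serial are allowed (for two users, or for certificates from different issuers, since a serial is only unique per issuing CA) and whichever row the database returns first wins. Store the issuer as well (mod_ssl exposes it as `SSL_CLIENT_I_DN`) and constrain the pair, e.g. `sslIssuer VARCHAR(255) NOT NULL,` plus `UNIQUE KEY (sslIssuer, sslSerial)`. `UNIQUE (id)` duplicates the primary key and can be dropped.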
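Review bot: `sslSerial VARCHAR(32)` in the tables.sql copy of `sc_users_sslclientcerts` is too short for the value it will hold: an X.509 serial may be up to 20 octets (RFC 5280), which mod_ssl renders as up to 40 hex characters in `SSL_CLIENT_M_SERIAL`, so a long serial would be truncated on insert (silently, unless strict SQL mode is enabled) and then never match at login. Widen it, e.g. `sslSerial VARCHAR(40) NOT NULL,`, and keep this definition identical to the one in data/schema/6.sql, since fresh installs and upgrades must end up with the same table. The redundant `UNIQUE (id)` can go here as well.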
@@ -1,5 +1,5 @@ isLoggedOn()) { +if ($userservice->isLoggedOn() && is_object($currentUser)) { $cUserId = $userservice->getCurrentUserId(); $cUsername = $currentUser->getUsername(); ?> diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php index 9ef8430..0071f9b 100644 --- a/src/SemanticScuttle/Service/User.php +++ b/src/SemanticScuttle/Service/User.php @@ -390,6 +390,14 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService $this->db->sql_freeresult($dbresult); return (int)$_SESSION[$this->getSessionKey()]; } + } else if (isset($_SERVER['SSL_CLIENT_M_SERIAL']) + && isset($_SERVER['SSL_CLIENT_V_END']) + ) { + $id = $this->getUserIdFromSslClientCert(); + if ($id !== false) { + $this->setCurrentUserId($id); + return (int)$_SESSION[$this->getSessionKey()]; + } } return false; } 
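Review bot: The added `is_object($currentUser)` guard makes the toolbar render the logged-out view whenever isLoggedOn() is true but `$currentUser` is not an object, and nothing in the hunk says when that combination occurs; presumably it is the new certificate-login path in the user service, where the session user id is set without the user object having been loaded, but that should be confirmed. A one-line comment would save the next reader the search, e.g. `// $currentUser may be unset when the session was established from an SSL client certificate`. The removed line is only partially visible here, so the exact original condition cannot be checked from this hunk.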
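Review bot: The new `else if` branch treats the mere presence of `SSL_CLIENT_M_SERIAL` and `SSL_CLIENT_V_END` as proof that the client presented a certificate the server trusts, but mod_ssl exports those variables for any certificate it received, including ones that failed chain validation when Apache is configured with `SSLVerifyClient optional_no_ca`; whether verification succeeded is reported separately in `SSL_CLIENT_VERIFY`. Gate the branch on that result before touching the database: `} else if (isset($_SERVER['SSL_CLIENT_VERIFY']) && $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS' && isset($_SERVER['SSL_CLIENT_M_SERIAL'])) {`. A successful verification also implies the certificate is within its validity period, so this is the reliable check rather than looking at `SSL_CLIENT_V_END` or `SSL_CLIENT_V_REMAIN`. The enclosing method starts before this hunk.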
@@ -420,6 +428,48 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService + /** + * Tries to detect the user ID from the SSL client certificate passed + * to the web server. + * + * @return mixed Integer user ID if the certificate is valid and + * assigned to a user, boolean false otherwise + */ + protected function getUserIdFromSslClientCert() + { + if (!isset($_SERVER['SSL_CLIENT_M_SERIAL']) + || !isset($_SERVER['SSL_CLIENT_V_END']) + ) { + return false; + } + //TODO: verify this var is always there + if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) { + return false; + } + + $serial = $_SERVER['SSL_CLIENT_M_SERIAL']; + $query = 'SELECT uId' + . ' FROM ' . $this->getTableName() . '_sslclientcerts' + . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\''; + if (!($dbresult = $this->db->sql_query($query))) { + message_die( + GENERAL_ERROR, 'Could not load user for client certificate', + '', __LINE__, __FILE__, $query, $this->db + ); + return false; + } + + $row = $this->db->sql_fetchrow($dbresult); + $this->db->sql_freeresult($dbresult); + + if (!$row) { + return false; + } + return (int)$row['uId']; + } + + + /** * Try to authenticate and login a user with * username and password.