part of request #3163623: add support to login via ssl client certificate. web interface to register certificates is still missing

2011-05-04 17:08:25 +02:00 · 2011-05-04 17:08:25 +02:00 · 4e63a9a679
commit 4e63a9a679
parent dda05f5cc7
4 changed files with 71 additions and 1 deletions
--- a/data/schema/6.sql
+++ b/data/schema/6.sql
@ -2,3 +2,13 @@ CREATE TABLE `sc_version` (
  `schema_version` int(11) NOT NULL
 ) DEFAULT CHARSET=utf8;
 INSERT INTO `sc_version` (`schema_version`) VALUES ('6');
+
+CREATE TABLE `sc_users_sslclientcerts` (
+  `id` INT NOT NULL AUTO_INCREMENT ,
+  `uId` INT NOT NULL ,
+  `sslSerial` VARCHAR( 32 ) NOT NULL ,
+  `sslName` VARCHAR( 64 ) NOT NULL ,
+  `sslEmail` VARCHAR( 64 ) NOT NULL ,
+  PRIMARY KEY ( `id` ) ,
+  UNIQUE (`id`)
+) CHARACTER SET utf8 COLLATE utf8_general_ci;
--- a/data/tables.sql
+++ b/data/tables.sql
@ -77,6 +77,16 @@ CREATE TABLE `sc_users` (

 -- --------------------------------------------------------

+CREATE TABLE `sc_users_sslclientcerts` (
+  `id` INT NOT NULL AUTO_INCREMENT ,
+  `uId` INT NOT NULL ,
+  `sslSerial` VARCHAR( 32 ) NOT NULL ,
+  `sslName` VARCHAR( 64 ) NOT NULL ,
+  `sslEmail` VARCHAR( 64 ) NOT NULL ,
+  PRIMARY KEY ( `id` ) ,
+  UNIQUE (`id`)
+) CHARACTER SET utf8 COLLATE utf8_general_ci;
+
 -- 
 -- Table structure for table `sc_watched`
 -- 
--- a/data/templates/toolbar.inc.php
+++ b/data/templates/toolbar.inc.php
@ -1,5 +1,5 @@
 <?php
-if ($userservice->isLoggedOn()) {
+if ($userservice->isLoggedOn() && is_object($currentUser)) {
    $cUserId = $userservice->getCurrentUserId();
    $cUsername = $currentUser->getUsername();
 ?>
--- a/src/SemanticScuttle/Service/User.php
+++ b/src/SemanticScuttle/Service/User.php
@ -390,6 +390,14 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
                $this->db->sql_freeresult($dbresult);
                return (int)$_SESSION[$this->getSessionKey()];
            }
+        } else if (isset($_SERVER['SSL_CLIENT_M_SERIAL'])
+            && isset($_SERVER['SSL_CLIENT_V_END'])
+        ) {
+            $id = $this->getUserIdFromSslClientCert();
+            if ($id !== false) {
+                $this->setCurrentUserId($id);
+                return (int)$_SESSION[$this->getSessionKey()];
+            }
        }
        return false;
    }
@ -420,6 +428,48 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService



+    /**
+     * Tries to detect the user ID from the SSL client certificate passed
+     * to the web server.
+     *
+     * @return mixed Integer user ID if the certificate is valid and
+     *               assigned to a user, boolean false otherwise
+     */
+    protected function getUserIdFromSslClientCert()
+    {
+        if (!isset($_SERVER['SSL_CLIENT_M_SERIAL'])
+            || !isset($_SERVER['SSL_CLIENT_V_END'])
+        ) {
+            return false;
+        }
+        //TODO: verify this var is always there
+        if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
+            return false;
+        }
+
+        $serial = $_SERVER['SSL_CLIENT_M_SERIAL'];
+        $query = 'SELECT uId'
+            . ' FROM ' . $this->getTableName() . '_sslclientcerts'
+            . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\'';
+        if (!($dbresult = $this->db->sql_query($query))) {
+            message_die(
+                GENERAL_ERROR, 'Could not load user for client certificate',
+                '', __LINE__, __FILE__, $query, $this->db
+            );
+            return false;
+        }
+
+        $row = $this->db->sql_fetchrow($dbresult);
+        $this->db->sql_freeresult($dbresult);
+
+        if (!$row) {
+            return false;
+        }
+        return (int)$row['uId'];
+    }
+
+
+
    /**
     * Try to authenticate and login a user with
     * username and password.