centralise authentication + more certificate checking

git-svn-id: http://svn.cacert.cl/Software/Voting/vote@44 d4452222-2f33-11de-9270-010000000000
15 years ago · e122d4337b
parent 8094fd2df4
commit e122d4337b
4 changed files with 47 additions and 12 deletions
--- a/database.php
+++ b/database.php
@ -89,5 +89,49 @@ BODY;
 			mail($this->board,$subject,$body,"From: Voting System <returns@cacert.org>");
 			//mail("testsympa@lists.cacert.org",$subject,$body,"From: Voting System <returns@cacert.org>");
 		}
+		function auth()
+		{
+		        $stmt = $this->getStatement("get voter");
+		        $stmt->execute(array($_SERVER['REMOTE_USER']));
+		        $user = $stmt->fetch();
+			if ($user) return $user;
+			if ($_SERVER['SSL_CLIENT_S_DN_EMAIL']) {
+			        $stmt->execute(array($_SERVER['SSL_CLIENT_S_DN_EMAIL']));
+			        $user = $stmt->fetch();
+				if ($user) return $user;
+			}
+			$d=0;
+			while ($email=$_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"]) {
+			        $stmt->execute(array($email));
+			        $user = $stmt->fetch();
+				if ($user) return $user;
+				++$d;
+			}
+			if (preg_match_all('/\/emailAddress=([^\/]*)/',$dn,$reg,PREG_SET_ORDER)) {
+			        foreach ($reg as $emailarr) { 
+			        	$stmt->execute(array($emailarr[1]));
+			        	$user = $stmt->fetch();
+					if ($user) return $user;
+				}
+			}
+			if ($_SERVER['SSL_CLIENT_CERT']) {
+				# subjectAltName unpresented by Apache http://httpd.apache.org/docs/trunk/mod/mod_ssl.html
+				# subjectAltName http://tools.ietf.org/html/rfc5280#section-4.2.1.6
+				# WARNING WARNING openssl_x509_parse is an unstable PHP API
+				$x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
+				$subjectAltName = $x509['extensions']['subjectAltName']; // going off https://foaf.me/testSSL.php
+				#print_r(split("[, ]",$subjectAltName));
+				#print_r($x509);
+				#echo $subjectAltName;
+				if (preg_match_all('/email:([^, ]*)/',$subjectAltName,$reg,PREG_SET_ORDER)) {
+					foreach ($reg as $emailarr) { 
+			        		$stmt->execute(array($emailarr[1]));
+			        		$user = $stmt->fetch();
+						if ($user) return $user;
+					}
+				}
+			}
+			return FALSE;
+		}
 	}
 ?>
--- a/motion.php
+++ b/motion.php
@ -4,12 +4,9 @@
 		header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
 		exit();
 	}
-	$user = $_SERVER['REMOTE_USER'];
 	require_once("database.php");
 	$db = new DB();
-	$stmt = $db->getStatement("get voter");
-	$stmt->execute(array($user));
-	if (!($user = $stmt->fetch())) {
+	if (!($user = $db->auth())) {
 		header("HTTP/1.0 302 Redirect");
 		header("Location: denied.php");
 		exit();
--- a/proxy.php
+++ b/proxy.php
@ -4,12 +4,9 @@
 		header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
 		exit();
 	}
-	$user = $_SERVER['REMOTE_USER'];
 	require_once("database.php");
 	$db = new DB();
-	$stmt = $db->getStatement("get voter");
-	$stmt->execute(array($user));
-	if (!($user = $stmt->fetch())) {
+	if (!($user = $db->auth())) {
 		header("HTTP/1.0 302 Redirect");
 		header("Location: denied.php");
 		exit();
--- a/vote.php
+++ b/vote.php
@ -4,12 +4,9 @@
 		header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
 		exit();
 	}
-	$user = $_SERVER['REMOTE_USER'];
 	require_once("database.php");
 	$db = new DB();
-	$stmt = $db->getStatement("get voter");
-	$stmt->execute(array($user));
-	if (!($user = $stmt->fetch())) {
+	if (!($user = $db->auth())) {
 		header("HTTP/1.0 302 Redirect");
 		header("Location: denied.php");
 		exit();