From e122d4337bb02ac572b3abe82d590aeeda5691f5 Mon Sep 17 00:00:00 2001
From: "community.cacert.org"
Date: Fri, 29 May 2009 03:43:21 +0000
Subject: [PATCH] centralise authentication + more certificate checking
git-svn-id: http://svn.cacert.cl/Software/Voting/vote@44 d4452222-2f33-11de-9270-010000000000
---
 database.php | 44 ++++++++++++++++++++++++++++++++++++++++++++
 motion.php | 5 +----
 proxy.php | 5 +----
 vote.php | 5 +----
 4 files changed, 47 insertions(+), 12 deletions(-)
diff --git a/database.php b/database.php
index 3bba8c3..e51d64a 100644
--- a/database.php
+++ b/database.php
@@ -89,5 +89,49 @@ BODY;
 mail($this->board,$subject,$body,"From: Voting System ");
 //mail("testsympa@lists.cacert.org",$subject,$body,"From: Voting System ");
 }
+ function auth()
+ {
+ $stmt = $this->getStatement("get voter");
+ $stmt->execute(array($_SERVER['REMOTE_USER']));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ if ($_SERVER['SSL_CLIENT_S_DN_EMAIL']) {
+ $stmt->execute(array($_SERVER['SSL_CLIENT_S_DN_EMAIL']));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ }
+ $d=0;
+ while ($email=$_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"]) {
+ $stmt->execute(array($email));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ ++$d;
+ }
+ if (preg_match_all('/\/emailAddress=([^\/]*)/',$dn,$reg,PREG_SET_ORDER)) {
+ foreach ($reg as $emailarr) {
+ $stmt->execute(array($emailarr[1]));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ }
+ }
+ if ($_SERVER['SSL_CLIENT_CERT']) {
+ # subjectAltName unpresented by Apache http://httpd.apache.org/docs/trunk/mod/mod_ssl.html
+ # subjectAltName http://tools.ietf.org/html/rfc5280#section-4.2.1.6
+ # WARNING WARNING openssl_x509_parse is an unstable PHP API
+ $x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
+ $subjectAltName = $x509['extensions']['subjectAltName']; // going off https://foaf.me/testSSL.php
+ #print_r(split("[, ]",$subjectAltName));
+ #print_r($x509);
+ #echo $subjectAltName;
+ if (preg_match_all('/email:([^, ]*)/',$subjectAltName,$reg,PREG_SET_ORDER)) {
+ foreach ($reg as $emailarr) {
+ $stmt->execute(array($emailarr[1]));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ }
+ }
+ }
+ return FALSE;
+ }
 }
 ?>
diff --git a/motion.php b/motion.php
index 71fe4b7..de94bfd 100644
--- a/motion.php
+++ b/motion.php
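Review bot: `$dn` is never assigned inside auth(), so the `/emailAddress=` scan in the middle of the hunk runs on an undefined variable and can never match; `$_SERVER['SSL_CLIENT_S_DN']` looks like the intended source. More importantly for an authentication routine, every branch after the REMOTE_USER lookup derives the caller's identity from client-certificate fields (`SSL_CLIENT_S_DN_EMAIL*`, `SSL_CLIENT_CERT`) without first checking `$_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS'`; depending on the vhost's SSLVerifyClient setting those variables can be populated for a certificate that did not verify against the trusted CA, so that gate belongs before the first cert-derived lookup. The same fields are read without isset(), so the `while ($email=$_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"])` loop always ends on an undefined-index notice, and `openssl_x509_parse()` can return false, which the `$x509['extensions']['subjectAltName']` line does not handle. A sketch of the guarded version follows; the per-source lookup loops are unchanged.
```php
function auth()
{
    $stmt = $this->getStatement("get voter");
    $stmt->execute(array($_SERVER['REMOTE_USER']));
    $user = $stmt->fetch();
    if ($user) return $user;
    // Everything below trusts identity fields taken from the client certificate,
    // so only proceed when mod_ssl reports that the certificate chain verified.
    if (!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') return FALSE;
    if (!empty($_SERVER['SSL_CLIENT_S_DN_EMAIL'])) {
        // … unchanged: lookup by SSL_CLIENT_S_DN_EMAIL …
    }
    for ($d = 0; !empty($_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"]); ++$d) {
        $email = $_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"];
        // … unchanged: lookup by $email …
    }
    $dn = isset($_SERVER['SSL_CLIENT_S_DN']) ? $_SERVER['SSL_CLIENT_S_DN'] : '';
    // … unchanged: /emailAddress= scan of $dn …
    if (!empty($_SERVER['SSL_CLIENT_CERT'])) {
        $x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
        if ($x509 === false || !isset($x509['extensions']['subjectAltName'])) return FALSE;
        $subjectAltName = $x509['extensions']['subjectAltName'];
        // … unchanged: email: scan of $subjectAltName …
    }
    return FALSE;
}
```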
@@ -4,12 +4,9 @@
 header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
 exit();
 }
- $user = $_SERVER['REMOTE_USER'];
 require_once("database.php");
 $db = new DB();
- $stmt = $db->getStatement("get voter");
- $stmt->execute(array($user));
- if (!($user = $stmt->fetch())) {
+ if (!($user = $db->auth())) {
 header("HTTP/1.0 302 Redirect");
 header("Location: denied.php");
 exit();
diff --git a/proxy.php b/proxy.php
index 69e086a..ff725cd 100644
--- a/proxy.php
+++ b/proxy.php
@@ -4,12 +4,9 @@
 header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
 exit();
 }
- $user = $_SERVER['REMOTE_USER'];
 require_once("database.php");
 $db = new DB();
- $stmt = $db->getStatement("get voter");
- $stmt->execute(array($user));
- if (!($user = $stmt->fetch())) {
+ if (!($user = $db->auth())) {
 header("HTTP/1.0 302 Redirect");
 header("Location: denied.php");
 exit();
diff --git a/vote.php b/vote.php
index 7908413..126bf4b 100644
--- a/vote.php
+++ b/vote.php
@@ -4,12 +4,9 @@
 header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
 exit();
 }
- $user = $_SERVER['REMOTE_USER'];
 require_once("database.php");
 $db = new DB();
- $stmt = $db->getStatement("get voter");
- $stmt->execute(array($user));
- if (!($user = $stmt->fetch())) {
+ if (!($user = $db->auth())) {
 header("HTTP/1.0 302 Redirect");
 header("Location: denied.php");
 exit();
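Review bot: The authentication preamble in motion.php — `require_once("database.php"); $db = new DB(); if (!($user = $db->auth())) { ... }` plus the HTTPS redirect above it — is repeated byte-for-byte in the proxy.php and vote.php hunks, so any later change to the denial path (or to auth()'s return contract) has to be made three times. Since the commit is already centralising authentication, moving this preamble into one shared include that each page requires would finish the job and leave a single gate to audit. This note covers the proxy.php and vote.php hunks on the same line as well.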