part of request #3163623: add support to login via ssl client certificate. web interface to register certificates is still missing

4 files changed, 71 insertions, 1 deletions

diff --git a/data/schema/6.sql b/data/schema/6.sql
index 4ae7cb9..bc85ffd 100644
--- a/data/schema/6.sql
+++ b/data/schema/6.sql
@@ -2,3 +2,13 @@ CREATE TABLE `sc_version` (
   `schema_version` int(11) NOT NULL
 ) DEFAULT CHARSET=utf8;
 INSERT INTO `sc_version` (`schema_version`) VALUES ('6');
+
+CREATE TABLE `sc_users_sslclientcerts` (
+  `id` INT NOT NULL AUTO_INCREMENT ,
+  `uId` INT NOT NULL ,
+  `sslSerial` VARCHAR( 32 ) NOT NULL ,
+  `sslName` VARCHAR( 64 ) NOT NULL ,
+  `sslEmail` VARCHAR( 64 ) NOT NULL ,
+  PRIMARY KEY ( `id` ) ,
+  UNIQUE (`id`)
+) CHARACTER SET utf8 COLLATE utf8_general_ci;
diff --git a/data/tables.sql b/data/tables.sql
index 7a9c5bd..af0c81b 100644
--- a/data/tables.sql
+++ b/data/tables.sql
@@ -77,6 +77,16 @@ CREATE TABLE `sc_users` (
 
 -- --------------------------------------------------------
 
+CREATE TABLE `sc_users_sslclientcerts` (
+  `id` INT NOT NULL AUTO_INCREMENT ,
+  `uId` INT NOT NULL ,
+  `sslSerial` VARCHAR( 32 ) NOT NULL ,
+  `sslName` VARCHAR( 64 ) NOT NULL ,
+  `sslEmail` VARCHAR( 64 ) NOT NULL ,
+  PRIMARY KEY ( `id` ) ,
+  UNIQUE (`id`)
+) CHARACTER SET utf8 COLLATE utf8_general_ci;
+
 -- 
 -- Table structure for table `sc_watched`
 -- 
diff --git a/data/templates/toolbar.inc.php b/data/templates/toolbar.inc.php
index 0d9bf49..fb6638d 100644
--- a/data/templates/toolbar.inc.php
+++ b/data/templates/toolbar.inc.php
@@ -1,5 +1,5 @@
 <?php
-if ($userservice->isLoggedOn()) {
+if ($userservice->isLoggedOn() && is_object($currentUser)) {
     $cUserId = $userservice->getCurrentUserId();
     $cUsername = $currentUser->getUsername();
 ?>
diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php
index 9ef8430..0071f9b 100644
--- a/src/SemanticScuttle/Service/User.php
+++ b/src/SemanticScuttle/Service/User.php
@@ -390,6 +390,14 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
                 $this->db->sql_freeresult($dbresult);
                 return (int)$_SESSION[$this->getSessionKey()];
             }
+        } else if (isset($_SERVER['SSL_CLIENT_M_SERIAL'])
+            && isset($_SERVER['SSL_CLIENT_V_END'])
+        ) {
+            $id = $this->getUserIdFromSslClientCert();
+            if ($id !== false) {
+                $this->setCurrentUserId($id);
+                return (int)$_SESSION[$this->getSessionKey()];
+            }
         }
         return false;
     }
@@ -421,6 +429,48 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 
 
     /**
+     * Tries to detect the user ID from the SSL client certificate passed
+     * to the web server.
+     *
+     * @return mixed Integer user ID if the certificate is valid and
+     *               assigned to a user, boolean false otherwise
+     */
+    protected function getUserIdFromSslClientCert()
+    {
+        if (!isset($_SERVER['SSL_CLIENT_M_SERIAL'])
+            || !isset($_SERVER['SSL_CLIENT_V_END'])
+        ) {
+            return false;
+        }
+        //TODO: verify this var is always there
+        if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
+            return false;
+        }
+
+        $serial = $_SERVER['SSL_CLIENT_M_SERIAL'];
+        $query = 'SELECT uId'
+            . ' FROM ' . $this->getTableName() . '_sslclientcerts'
+            . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\'';
+        if (!($dbresult = $this->db->sql_query($query))) {
+            message_die(
+                GENERAL_ERROR, 'Could not load user for client certificate',
+                '', __LINE__, __FILE__, $query, $this->db
+            );
+            return false;
+        }
+
+        $row = $this->db->sql_fetchrow($dbresult);
+        $this->db->sql_freeresult($dbresult);
+
+        if (!$row) {
+            return false;
+        }
+        return (int)$row['uId'];
+    }
+
+
+
+    /**
      * Try to authenticate and login a user with
      * username and password.
      *