From 4e63a9a6793583c7f7f4959724be2653ddc85f49 Mon Sep 17 00:00:00 2001
From: Christian Weiske <cweiske@cweiske.de>
Date: Wed, 4 May 2011 17:08:25 +0200
Subject: part of request #3163623: add support to login via ssl client
 certificate. web interface to register certificates is still missing

---
 src/SemanticScuttle/Service/User.php | 50 ++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

(limited to 'src/SemanticScuttle/Service')

diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php
index 9ef8430..0071f9b 100644
--- a/src/SemanticScuttle/Service/User.php
+++ b/src/SemanticScuttle/Service/User.php
@@ -390,6 +390,14 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
                 $this->db->sql_freeresult($dbresult);
                 return (int)$_SESSION[$this->getSessionKey()];
             }
+        } else if (isset($_SERVER['SSL_CLIENT_M_SERIAL'])
+            && isset($_SERVER['SSL_CLIENT_V_END'])
+        ) {
+            $id = $this->getUserIdFromSslClientCert();
+            if ($id !== false) {
+                $this->setCurrentUserId($id);
+                return (int)$_SESSION[$this->getSessionKey()];
+            }
         }
         return false;
     }
@@ -420,6 +428,48 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 
 
 
+    /**
+     * Tries to detect the user ID from the SSL client certificate passed
+     * to the web server.
+     *
+     * @return mixed Integer user ID if the certificate is valid and
+     *               assigned to a user, boolean false otherwise
+     */
+    protected function getUserIdFromSslClientCert()
+    {
+        if (!isset($_SERVER['SSL_CLIENT_M_SERIAL'])
+            || !isset($_SERVER['SSL_CLIENT_V_END'])
+        ) {
+            return false;
+        }
+        //TODO: verify this var is always there
+        if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
+            return false;
+        }
+
+        $serial = $_SERVER['SSL_CLIENT_M_SERIAL'];
+        $query = 'SELECT uId'
+            . ' FROM ' . $this->getTableName() . '_sslclientcerts'
+            . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\'';
+        if (!($dbresult = $this->db->sql_query($query))) {
+            message_die(
+                GENERAL_ERROR, 'Could not load user for client certificate',
+                '', __LINE__, __FILE__, $query, $this->db
+            );
+            return false;
+        }
+
+        $row = $this->db->sql_fetchrow($dbresult);
+        $this->db->sql_freeresult($dbresult);
+
+        if (!$row) {
+            return false;
+        }
+        return (int)$row['uId'];
+    }
+
+
+
     /**
      * Try to authenticate and login a user with
      * username and password.
-- 
cgit v1.2.3