authorcommunity.cacert.org <community.cacert.org@d4452222-2f33-11de-9270-010000000000>2009-05-29 03:43:21 +0000
committercommunity.cacert.org <community.cacert.org@d4452222-2f33-11de-9270-010000000000>2009-05-29 03:43:21 +0000
commite122d4337bb02ac572b3abe82d590aeeda5691f5 (patch)
tree898db159e1582a3ae2859c7f19985a9c7434b838
parent8094fd2df48244899e0e76fc4cce4c586aa1ce67 (diff)
centralise authentication + more certificate checking
git-svn-id: http://svn.cacert.cl/Software/Voting/vote@44 d4452222-2f33-11de-9270-010000000000
-rw-r--r--database.php44
-rw-r--r--motion.php5
-rw-r--r--proxy.php5
-rw-r--r--vote.php5
4 files changed, 47 insertions, 12 deletions
diff --git a/database.php b/database.php
index 3bba8c3..e51d64a 100644
--- a/database.php
+++ b/database.php
@@ -89,5 +89,49 @@ BODY;
mail($this->board,$subject,$body,"From: Voting System <returns@cacert.org>");
//mail("testsympa@lists.cacert.org",$subject,$body,"From: Voting System <returns@cacert.org>");
}
+ function auth()
+ {
+ $stmt = $this->getStatement("get voter");
+ $stmt->execute(array($_SERVER['REMOTE_USER']));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ if ($_SERVER['SSL_CLIENT_S_DN_EMAIL']) {
+ $stmt->execute(array($_SERVER['SSL_CLIENT_S_DN_EMAIL']));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ }
+ $d=0;
+ while ($email=$_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"]) {
+ $stmt->execute(array($email));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ ++$d;
+ }
+ if (preg_match_all('/\/emailAddress=([^\/]*)/',$dn,$reg,PREG_SET_ORDER)) {
+ foreach ($reg as $emailarr) {
+ $stmt->execute(array($emailarr[1]));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ }
+ }
+ if ($_SERVER['SSL_CLIENT_CERT']) {
+ # subjectAltName unpresented by Apache http://httpd.apache.org/docs/trunk/mod/mod_ssl.html
+ # subjectAltName http://tools.ietf.org/html/rfc5280#section-4.2.1.6
+ # WARNING WARNING openssl_x509_parse is an unstable PHP API
+ $x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
+ $subjectAltName = $x509['extensions']['subjectAltName']; // going off https://foaf.me/testSSL.php
+ #print_r(split("[, ]",$subjectAltName));
+ #print_r($x509);
+ #echo $subjectAltName;
+ if (preg_match_all('/email:([^, ]*)/',$subjectAltName,$reg,PREG_SET_ORDER)) {
+ foreach ($reg as $emailarr) {
+ $stmt->execute(array($emailarr[1]));
+ $user = $stmt->fetch();
+ if ($user) return $user;
+ }
+ }
+ }
+ return FALSE;
+ }
}
?>
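Review bot: `$dn` on the `preg_match_all('/\/emailAddress=([^\/]*)/',$dn,...)` line is never assigned anywhere in `auth()`, so that branch always fails (with an undefined-variable notice) and the DN fallback is dead code; it presumably meant the client subject DN, e.g. `$dn = isset($_SERVER['SSL_CLIENT_S_DN']) ? $_SERVER['SSL_CLIENT_S_DN'] : '';` placed just before it. More importantly, every certificate-derived lookup (`SSL_CLIENT_S_DN_EMAIL`, the `SSL_CLIENT_S_DN_EMAIL_$d` loop, the DN parse and the `subjectAltName` parse of `SSL_CLIENT_CERT`) selects a voter row without confirming that the certificate chain was actually verified; unless Apache is configured with `SSLVerifyClient require`, which this commit does not show, a guard such as `if (isset($_SERVER['SSL_CLIENT_VERIFY']) && $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS')` should wrap those branches so an unverified or self-signed certificate cannot authenticate. The direct `$_SERVER['SSL_CLIENT_S_DN_EMAIL']` read and the `while ($email=$_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"])` condition raise notices whenever the key is absent and should go through `isset()`. Re-executing the same `$stmt` after a `fetch()` without `closeCursor()` may also fail on drivers that keep the previous result set open, which is worth checking against the driver in use.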
diff --git a/motion.php b/motion.php
index 71fe4b7..de94bfd 100644
--- a/motion.php
+++ b/motion.php
@@ -4,12 +4,9 @@
header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
- $user = $_SERVER['REMOTE_USER'];
require_once("database.php");
$db = new DB();
- $stmt = $db->getStatement("get voter");
- $stmt->execute(array($user));
- if (!($user = $stmt->fetch())) {
+ if (!($user = $db->auth())) {
header("HTTP/1.0 302 Redirect");
header("Location: denied.php");
exit();
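Review bot: The same guard (`require_once("database.php")`, `new DB()`, the `$db->auth()` check, the two `header()` calls and `exit()`) now appears identically in motion.php, proxy.php and vote.php; with authentication centralised in `DB::auth()`, the denial redirect could follow it into one shared helper so the three pages cannot drift apart. Because `auth()` reports failure by returning `FALSE`, a page that forgets the `if (!($user = $db->auth()))` check would continue with `$user === false`; a helper that performs the redirect and exits itself removes that possibility. The enclosing `if` that issues the https redirect begins above this hunk.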
diff --git a/proxy.php b/proxy.php
index 69e086a..ff725cd 100644
--- a/proxy.php
+++ b/proxy.php
@@ -4,12 +4,9 @@
header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
- $user = $_SERVER['REMOTE_USER'];
require_once("database.php");
$db = new DB();
- $stmt = $db->getStatement("get voter");
- $stmt->execute(array($user));
- if (!($user = $stmt->fetch())) {
+ if (!($user = $db->auth())) {
header("HTTP/1.0 302 Redirect");
header("Location: denied.php");
exit();
diff --git a/vote.php b/vote.php
index 7908413..126bf4b 100644
--- a/vote.php
+++ b/vote.php
@@ -4,12 +4,9 @@
header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
- $user = $_SERVER['REMOTE_USER'];
require_once("database.php");
$db = new DB();
- $stmt = $db->getStatement("get voter");
- $stmt->execute(array($user));
- if (!($user = $stmt->fetch())) {
+ if (!($user = $db->auth())) {
header("HTTP/1.0 302 Redirect");
header("Location: denied.php");
exit();