centralise authentication + more certificate checking
authorcommunity.cacert.org <community.cacert.org@d4452222-2f33-11de-9270-010000000000>
Fri, 29 May 2009 03:43:21 +0000 (03:43 +0000)
committercommunity.cacert.org <community.cacert.org@d4452222-2f33-11de-9270-010000000000>
Fri, 29 May 2009 03:43:21 +0000 (03:43 +0000)
git-svn-id: http://svn.cacert.cl/Software/Voting/vote@44 d4452222-2f33-11de-9270-010000000000

database.php
motion.php
proxy.php
vote.php

index 3bba8c3..e51d64a 100644 (file)
@@ -89,5 +89,49 @@ BODY;
                        mail($this->board,$subject,$body,"From: Voting System <returns@cacert.org>");
                        //mail("testsympa@lists.cacert.org",$subject,$body,"From: Voting System <returns@cacert.org>");
                }
+               function auth()
+               {
+                       $stmt = $this->getStatement("get voter");
+                       $stmt->execute(array($_SERVER['REMOTE_USER']));
+                       $user = $stmt->fetch();
+                       if ($user) return $user;
+                       if ($_SERVER['SSL_CLIENT_S_DN_EMAIL']) {
+                               $stmt->execute(array($_SERVER['SSL_CLIENT_S_DN_EMAIL']));
+                               $user = $stmt->fetch();
+                               if ($user) return $user;
+                       }
+                       $d=0;
+                       while ($email=$_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"]) {
+                               $stmt->execute(array($email));
+                               $user = $stmt->fetch();
+                               if ($user) return $user;
+                               ++$d;
+                       }
+                       if (preg_match_all('/\/emailAddress=([^\/]*)/',$dn,$reg,PREG_SET_ORDER)) {
+                               foreach ($reg as $emailarr) { 
+                                       $stmt->execute(array($emailarr[1]));
+                                       $user = $stmt->fetch();
+                                       if ($user) return $user;
+                               }
+                       }
+                       if ($_SERVER['SSL_CLIENT_CERT']) {
+                               # subjectAltName unpresented by Apache http://httpd.apache.org/docs/trunk/mod/mod_ssl.html
+                               # subjectAltName http://tools.ietf.org/html/rfc5280#section-4.2.1.6
+                               # WARNING WARNING openssl_x509_parse is an unstable PHP API
+                               $x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
+                               $subjectAltName = $x509['extensions']['subjectAltName']; // going off https://foaf.me/testSSL.php
+                               #print_r(split("[, ]",$subjectAltName));
+                               #print_r($x509);
+                               #echo $subjectAltName;
+                               if (preg_match_all('/email:([^, ]*)/',$subjectAltName,$reg,PREG_SET_ORDER)) {
+                                       foreach ($reg as $emailarr) { 
+                                               $stmt->execute(array($emailarr[1]));
+                                               $user = $stmt->fetch();
+                                               if ($user) return $user;
+                                       }
+                               }
+                       }
+                       return FALSE;
+               }
        }
 ?>
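Review bot: `$dn` on the `preg_match_all('/\/emailAddress=([^\/]*)/', $dn, ...)` line is never assigned anywhere in auth(), so that branch always matches against an empty value; it presumably should read the subject DN, e.g. `if (isset($_SERVER['SSL_CLIENT_S_DN']) && preg_match_all('/\/emailAddress=([^\/]*)/', $_SERVER['SSL_CLIENT_S_DN'], $reg, PREG_SET_ORDER)) {`. Nothing in auth() checks that mod_ssl actually verified the client certificate before its DN and subjectAltName e-mail addresses are accepted as the voter identity, and depending on the SSLVerifyClient setting (e.g. optional_no_ca) an unverified certificate can still populate these variables, so the function should begin with `if (!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') return FALSE;` unless the deployment is documented as requiring `SSLVerifyClient require`. The bare reads of `$_SERVER['REMOTE_USER']`, `$_SERVER['SSL_CLIENT_S_DN_EMAIL']`, `$_SERVER["SSL_CLIENT_S_DN_EMAIL_$d"]` and `$_SERVER['SSL_CLIENT_CERT']` raise undefined-index notices whenever the variable is absent, which is the normal exit condition of the while loop; wrap each in isset(). The `WARNING WARNING openssl_x509_parse` comment would help more if it said what is unstable, e.g. `# openssl_x509_parse()'s array layout is undocumented and may change between PHP versions; only ['extensions']['subjectAltName'] is read here`.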
index 71fe4b7..de94bfd 100644 (file)
@@ -4,12 +4,9 @@
                header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
                exit();
        }
-       $user = $_SERVER['REMOTE_USER'];
        require_once("database.php");
        $db = new DB();
-       $stmt = $db->getStatement("get voter");
-       $stmt->execute(array($user));
-       if (!($user = $stmt->fetch())) {
+       if (!($user = $db->auth())) {
                header("HTTP/1.0 302 Redirect");
                header("Location: denied.php");
                exit();
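Review bot: The guard around `$db->auth()` (the HTTPS redirect, `require_once("database.php")`, `new DB()` and the denied.php redirect) is still copied verbatim into motion.php, proxy.php and vote.php; now that the lookup lives in DB::auth(), the whole preamble could move into one included file so the three pages cannot drift apart. The enclosing `if` for the HTTPS check starts before this hunk, so only its tail is visible here. The same point applies to the proxy.php and vote.php hunks below.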
index 69e086a..ff725cd 100644 (file)
--- a/proxy.php
+++ b/proxy.php
@@ -4,12 +4,9 @@
                header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
                exit();
        }
-       $user = $_SERVER['REMOTE_USER'];
        require_once("database.php");
        $db = new DB();
-       $stmt = $db->getStatement("get voter");
-       $stmt->execute(array($user));
-       if (!($user = $stmt->fetch())) {
+       if (!($user = $db->auth())) {
                header("HTTP/1.0 302 Redirect");
                header("Location: denied.php");
                exit();
index 7908413..126bf4b 100644 (file)
--- a/vote.php
+++ b/vote.php
@@ -4,12 +4,9 @@
                header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
                exit();
        }
-       $user = $_SERVER['REMOTE_USER'];
        require_once("database.php");
        $db = new DB();
-       $stmt = $db->getStatement("get voter");
-       $stmt->execute(array($user));
-       if (!($user = $stmt->fetch())) {
+       if (!($user = $db->auth())) {
                header("HTTP/1.0 302 Redirect");
                header("Location: denied.php");
                exit();