Merge branch 'bug-1394' into testserver-stable
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 // Comment (to be removed): better to disable short open tags in php.ini
20
21 /*
22 cats_import.php
23
24 API for CATS to import passed tests into main CAcert database.
25 */
26
27 require_once('../../includes/lib/account.php');
28
29 function sanitize_string($buffer) {
30 return htmlentities(utf8_decode($buffer), (int)ENQ_QUOTES);
31 }
32
33 define ('UNDEFINED', 'nd');
34 // Specific for testserver: Accept Test-CATS-Server
35 define ('ALLOWED_IP', '192.109.159.27');
36 //define ('ALLOWED_IP', '213.154.225.243');
37 define ('ALLOWED_IP2', '192.109.159.28');
38 define ('CONFIG_FILEPATH', '/www/');
39
40 $remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
41 $server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
42 $https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
43 $ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED;
44
45 $access = FALSE;
46
47 // Access only from CATS.cacert.org with a client certificate for cats@cacert.org
48 if (
49 ($remote_addr == ALLOWED_IP || $remote_addr == ALLOWED_IP2) &&
50 $https == 'on' &&
51 // Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
52 // Ted: Is this specified? I don't think so, therefore I'd keep stristr
53 strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
54 ) $access = TRUE;
55
56 if ($access !== TRUE) {
57 echo 'UNAUTHORIZED ACCESS<br>'."\r\n";
58 echo 'IP: '.sanitize_string($remote_addr).'<br>'."\r\n";
59 echo 'Server: '.sanitize_string($server_name).'<br>'."\r\n";
60 echo 'HTTPS: '.sanitize_string($https).'<br>'."\r\n";
61 echo 'Client cert: '.sanitize_string($ssl_client_s_dn).'<br>'."\r\n";
62 trigger_error('Unauthorized access: ip('.$remote_addr.') server('.$server_name.') https('.$https.') cert('.$ssl_client_s_dn.')', E_USER_ERROR);
63 exit();
64 }
65
66 // Comment (to be romeved): do you we session autostart in php.ini??
67 // Ted: Sessions are quite meaningless for me since the upload protocol is stateless. Should session_start be called nevertheless?
68 session_start();
69
70 require_once(CONFIG_FILEPATH.'includes/mysql.php');
71
72 // Comment (to be romeved): dunno the difference between stripslashes and stripcslashes
73 // manual is iunclear too, please make sure there are no decoding issues
74 // Ted: I just used it here because I saw it elsewhere and it seems to work. Would you prefer stripslashes?
75 if (get_magic_quotes_gpc()) {
76 $serial = stripcslashes($_POST['serial']);
77 $root = stripcslashes($_POST['root']);
78 $type = stripcslashes($_POST['type']);
79 $variant = stripcslashes($_POST['variant']);
80 $date = stripcslashes($_POST['date']);
81 } else {
82 $serial = $_POST['serial'];
83 $root = $_POST['root'];
84 $type = $_POST['type'];
85 $variant = $_POST['variant'];
86 $date = $_POST['date'];
87 }
88
89 // Explicitly select all those IDs so I can insert new rows if needed.
90 $query = mysql_query('SELECT `id` FROM `cats_type` WHERE `type_text` = \''.mysql_real_escape_string($type).'\';');
91 if (!$query) {
92 echo 'Invalid query'."\r\n";
93 trigger_error('Invalid query', E_USER_ERROR);
94 exit();
95 }
96
97 if (mysql_num_rows($query) > 0) {
98 $result = mysql_fetch_array($query);
99 $typeID = $result['0'];
100 } else {
101 $query = mysql_query('INSERT INTO `cats_type` (`type_text`) VALUES (\''.mysql_real_escape_string($type).'\');');
102 if (!$query) {
103 echo 'Invalid query'."\r\n";
104 trigger_error('Invalid query', E_USER_ERROR);
105 exit();
106 }
107
108 $typeID = mysql_insert_id();
109 }
110
111 $query = mysql_query('SELECT `id` FROM `cats_variant` WHERE `type_id` = \''.(int)intval($typeID).'\' AND `test_text` = \''.mysql_real_escape_string($variant).'\';');
112 if (!$query) {
113 echo 'Invalid query'."\r\n";
114 trigger_error('Invalid query', E_USER_ERROR);
115 exit();
116 }
117
118 if (mysql_num_rows($query) > 0) {
119 $result = mysql_fetch_array($query);
120 $variantID = $result['0'];
121 } else {
122 $query = mysql_query('INSERT INTO `cats_variant` (`type_id`, `test_text`) VALUES (\''.(int)intval($typeID).'\', \''.mysql_real_escape_string($variant).'\');');
123 if (!$query) {
124 echo 'Invalid query'."\r\n";
125 trigger_error('Invalid query', E_USER_ERROR);
126 exit();
127 }
128
129 $variantID = mysql_insert_id();
130 }
131
132 // Now find the userid from cert serial
133 $query = mysql_query('SELECT `ec`.`memid` FROM `emailcerts` AS `ec`, `root_certs` AS `rc` WHERE `ec`.`rootcert` = `rc`.`id` AND `ec`.`serial` = \''.mysql_real_escape_string($serial).'\' AND `rc`.`cert_text` = \''.mysql_real_escape_string($root).'\';');
134 if (!$query) {
135 echo 'Invalid query'."\r\n";
136 trigger_error('Invalid query', E_USER_ERROR);
137 exit();
138 }
139
140 if (mysql_num_rows($query) > 0) {
141 $result = mysql_fetch_array($query);
142 $userID = $result['0'];
143 } else {
144 echo 'Cannot find cert '.sanitize_string($serial).' / '.sanitize_string($root)."\r\n";
145 // Let's treat this as an error, since it should not happen.
146 trigger_error('Cannot find cert '.$serial.' / '.$root.'!'.mysql_error(), E_USER_ERROR);
147 exit();
148 }
149
150 // The unique constraint on cats_passed assures that records are not stored multiply
151 $query = mysql_query('INSERT INTO `cats_passed` (`user_id`, `variant_id`, `pass_date`) VALUES (\''.(int)intval($userID).'\', \''.(int)intval($variantID).'\', \''.mysql_real_escape_string($date).'\');');
152 if (!$query) {
153 if (mysql_errno() != 1062) { // Duplicate Entry is considered success
154 echo 'Invalid query'."\r\n";
155 trigger_error('Invalid query', E_USER_ERROR);
156 exit();
157 }
158 }
159
160 // Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
161 if (!fix_assurer_flag($userID)) {
162 echo 'Invalid query'."\r\n";
163 trigger_error('Invalid query', E_USER_ERROR);
164 exit();
165 }
166
167 echo 'OK'."\r\n";
168
169 ?>