Ermögliche Client-Cert-Login auch für VMail-Accounts
bernd

bernd commited on 2012-03-05 06:19:25
Zeige 5 geänderte Dateien mit 51 Einfügungen und 18 Löschungen.


git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@2217 87cf0b9e-d624-0410-a070-f6ee81989793
@@ -63,8 +63,10 @@ elseif (isset($_REQUEST['type']) && isset($_REQUEST['username'])) {
63 63
     system_failure('Ihr Browser hat kein Client-Zertifikat gesendet');
64 64
 
65 65
   $ret = get_logins_by_cert($_SERVER['REDIRECT_SSL_CLIENT_CERT']);
66
+  DEBUG($ret);
66 67
   foreach ($ret as $account) {
67
-    if (($account['type'] == $_REQUEST['type']) && ($account['username'] == $_REQUEST['username'])) {
68
+    DEBUG('/'.$account['type'].'/'.$_REQUEST['type'].'/    /'.$account['username'].'/'.$_REQUEST['username'].'/    =>');
69
+    if (($account['type'] == urldecode($_REQUEST['type'])) && ($account['username'] == urldecode($_REQUEST['username']))) {
68 70
       $uid = $account['username'];
69 71
       $role = find_role($uid, '', True);
70 72
       setup_session($role, $uid);
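Review bot: The added `urldecode()` calls on the new `if` line decode `$_REQUEST['type']` and `$_REQUEST['username']` a second time, since PHP already percent-decodes request parameters; unless internal_link() double-encodes (not visible here), a username containing a literal `+` or `%` will no longer match its own account. The two new `DEBUG(...)` lines also emit the raw request values and the whole cert-to-account list, which looks like leftover debugging rather than intended logging. I would drop the urldecode() wrappers and the DEBUG lines, and compare with `===` so that numeric-looking strings are not compared as numbers: `if (($account['type'] === $_REQUEST['type']) && ($account['username'] === $_REQUEST['username'])) {`. The enclosing elseif branch starts and ends outside the hunk.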
@@ -114,7 +116,7 @@ else
114 116
         $type = 'Kundenaccount';
115 117
       }
116 118
       $destination = 'go/index/index';
117
-      if (check_path($account['startpage']))
119
+      if ($account['startpage'] && check_path($account['startpage']))
118 120
         $destination = $account['startpage'];
119 121
       output('<li>'.internal_link('', $type.': <strong>'.$account['username'].'</strong>', 'type='.$account['type'].'&username='.urlencode($account['username']).'&destination='.urlencode($destination)).'</li>');
120 122
     }
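Review bot: The new guard `if ($account['startpage'] && check_path($account['startpage']))` tests truthiness, so a startpage of `'0'` is treated as absent; since the column is written through maybe_null() (NULL when empty) the intent is clearly "set and non-empty", which is better spelled out as `if (isset($account['startpage']) && $account['startpage'] !== '' && check_path($account['startpage']))`. The surrounding loop starts outside the hunk.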
@@ -3,7 +3,7 @@
3 3
 require_once('inc/base.php');
4 4
 require_once('x509.php');
5 5
 
6
-require_role(ROLE_SYSTEMUSER);
6
+require_role(array(ROLE_SYSTEMUSER, ROLE_SUBUSER, ROLE_VMAIL_ACCOUNT));
7 7
 
8 8
 title('Anmeldung über Client-Zertifikat');
9 9
 output('<p>Sie können Sie an diesem Webinterface wahlweise auch über ein SSL-Client-Zertifikat anmelden. Dazu muss das gewünschte Zertifikat <em>vorher</em> in Ihrem Browser installiert werden und kann dann hier hinzugefügt werden.</p>
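Review bot: `require_role(...)` now admits ROLE_SUBUSER here and in the matching certsave.php hunk, but the role dispatch that follows in both files only tests `$_SESSION['role'] == ROLE_SYSTEMUSER` and `== ROLE_VMAIL_ACCOUNT`; if ROLE_SUBUSER is a distinct role value (the menu hunk treats roles as bit flags, which suggests it may be) such a session passes the gate and then gets no username at all. Either restrict the list to the two roles the dispatch understands, or add a ROLE_SUBUSER branch to it. A one-line comment on the require_role line stating which session fields each admitted role is expected to carry (`userinfo`/`subuser` vs `mailaccount`) would make the coupling explicit.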
@@ -19,6 +19,15 @@ if (isset($_GET['clear']))
19 19
   unset($_SESSION['clientcert_issuer']);
20 20
 }
21 21
 
22
+$username = NULL;
23
+if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
24
+  $username = $_SESSION['userinfo']['username'];
25
+  if (isset($_SESSION['subuser']))
26
+    $username = $_SESSION['subuser'];
27
+} elseif ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) {
28
+  $username = $_SESSION['mailaccount'];
29
+}
30
+
22 31
 if (isset($_SESSION['clientcert_cert']))
23 32
 {
24 33
   // FIXME: Es gibt keine Duplikaterkennung.
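Review bot: When `$_SESSION['role']` matches neither branch, `$username` stays NULL and the page continues; further down (next hunk) it reaches `get_certs_by_username($username)` and the confirmation dialog with an empty name, whereas x509.php fails closed in the same situation. Add the same guard right after the `elseif` block: `if ($username === NULL) system_failure('cannot get username of login');`. The equality tests `$_SESSION['role'] == ROLE_SYSTEMUSER` will also not match a combined bit-flag value if roles are OR-ed together as the menu code does — worth confirming against how setup_session() stores the role.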
@@ -27,15 +36,12 @@ if (isset($_SESSION['clientcert_cert']))
27 36
   output('<p>Es wurde folgendes Client-Zertifikat von Ihrem Browser gesendet:</p>
28 37
 <div style="margin-left: 2em;"><strong>DN:</strong> '.filter_input_general($_SESSION['clientcert_dn']).'<br />
29 38
 <strong>Aussteller-DN:</strong> '.filter_input_general($_SESSION['clientcert_issuer']).'</div>
30
-<p>Soll dieses Zertifikat für den Zugang zum Benutzerkonto <strong>'.$_SESSION['userinfo']['username'].'</strong> verwendet werden?</p>');
39
+<p>Soll dieses Zertifikat für den Zugang für <strong>'.$username.'</strong> verwendet werden?</p>');
31 40
   output(html_form('clientcert_add', 'certsave.php', 'action=new', '<p><input type="submit" name="submit" value="Ja, dieses Zertifikat einrichten" /> &#160; '.internal_link('cert', 'Nein', 'clear').'</p>'));
32 41
   output('</div>');
33 42
 }
34 43
 
35 44
 
36
-$username = $_SESSION['userinfo']['username'];
37
-if (isset($_SESSION['subuser']))
38
-  $username = $_SESSION['subuser'];
39 45
 $certs = get_certs_by_username($username);
40 46
 if ($certs != NULL) {
41 47
   output('<p>Sie haben bereits Zertifikate für den Zugang eingerichtet.</p>
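Review bot: The new output line interpolates `$username` straight into HTML, while the DN and issuer on the two lines above it go through filter_input_general(); for ROLE_VMAIL_ACCOUNT the value now comes from `$_SESSION['mailaccount']`, so it should be escaped the same way: `<p>Soll dieses Zertifikat für den Zugang für <strong>'.filter_input_general($username).'</strong> verwendet werden?</p>');`. The previous version had the same gap for the system username, so this is an existing inconsistency that the commit extends rather than introduces.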
@@ -2,7 +2,7 @@
2 2
 require_once('session/start.php');
3 3
 require_once('x509.php');
4 4
 
5
-require_role(ROLE_SYSTEMUSER);
5
+require_role(array(ROLE_SYSTEMUSER, ROLE_SUBUSER, ROLE_VMAIL_ACCOUNT));
6 6
 
7 7
 
8 8
 if ($_GET['action'] == 'new')
@@ -24,8 +24,15 @@ elseif ($_GET['action'] == 'delete')
24 24
   $cert = get_cert_by_id($_GET['id']);
25 25
   if (! $cert)
26 26
     system_failure('no ID');
27
-  if (!((!isset($_SESSION['subuser']) && $cert['username'] == $_SESSION['userinfo']['username']) ||
28
-        (isset($_SESSION['subuser']) && $cert['username'] == $_SESSION['subuser'])))
27
+  $username = NULL;
28
+  if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
29
+    $username = $_SESSION['userinfo']['username'];
30
+    if (isset($_SESSION['subuser']))
31
+      $username = $_SESSION['subuser'];
32
+  } elseif ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) {
33
+    $username = $_SESSION['mailaccount'];
34
+  }
35
+  if (! ($cert['username'] == $username))
29 36
     system_failure('Das Zertifikat ist nicht für Ihren Zugang eingerichtet');
30 37
   $sure = user_is_sure();
31 38
   if ($sure === NULL)
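Review bot: The ownership check `if (! ($cert['username'] == $username))` compares the username only, although certificates are now stored per (type, username) and delete_clientcert() keys its DELETE on both; a system user and a mail account with the same username string would pass each other's check here. It also does not fail closed when no branch set `$username`. I would derive `$type` alongside `$username` in the same block and change the check to `if ($username === NULL || $cert['username'] !== $username || $cert['type'] !== $type)` — assuming get_cert_by_id() returns the `type` column, which is not visible in this hunk. The enclosing elseif branch starts and ends outside the hunk.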
@@ -51,9 +51,21 @@ function get_certs_by_username($username)
51 51
 
52 52
 function add_clientcert($certdata, $dn, $issuer, $startpage='')
53 53
 {
54
+  $type = NULL;
55
+  $username = NULL;
56
+  if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
54 57
     $type = 'user';
58
+    $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
55 59
     if (isset($_SESSION['subuser']))
60
+      $username = mysql_real_escape_string($_SESSION['subuser']);
56 61
       $type = 'subuser';
62
+  } elseif ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) {
63
+    $type = 'email';
64
+    $username = mysql_real_escape_string($_SESSION['mailaccount']);
65
+  }
66
+  if (! $type || ! $username) {
67
+    system_failure('cannot get type or username of login');
68
+  }
57 69
   $certdata = mysql_real_escape_string($certdata);
58 70
   $dn = maybe_null(mysql_real_escape_string($dn));
59 71
   $issuer = maybe_null(mysql_real_escape_string($issuer));
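Review bot: Inserting `$username = mysql_real_escape_string($_SESSION['subuser']);` directly after the brace-less `if (isset($_SESSION['subuser']))` makes that new line the sole body of the if, so the old line `$type = 'subuser';` now runs unconditionally and every ROLE_SYSTEMUSER login stores its certificate with type 'subuser'. The delete_clientcert() hunk further down has the same shape (`$type = 'subuser';` added after a brace-less if whose body is the username assignment), so there the DELETE is likewise always scoped to type 'subuser' and rows written as 'user' can no longer be removed by their owner. In both places the two statements belong in braces: `if (isset($_SESSION['subuser'])) {` / `$username = mysql_real_escape_string($_SESSION['subuser']); $type = 'subuser';` / `}`. A short docblock on add_clientcert() stating that type and username are taken from the session, not from the arguments, would also help the next reader.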
@@ -61,12 +73,6 @@ function add_clientcert($certdata, $dn, $issuer, $startpage='')
61 73
     system_failure('Startseite kaputt');
62 74
   $startpage = maybe_null(mysql_real_escape_string($startpage));
63 75
 
64
-  $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
65
-  if ($type == 'subuser')
66
-    $username = $_SESSION['subuser'];
67
-  if ($username == '')
68
-    system_failure('Kein Username');
69
-
70 76
   if ($certdata == '')
71 77
     system_failure('Kein Zertifikat');
72 78
   DEBUG($certdata);
@@ -82,9 +88,21 @@ VALUES ({$dn}, {$issuer}, '{$certdata}', '{$type}', '{$username}', {$startpage})
82 88
 function delete_clientcert($id)
83 89
 {
84 90
   $id = (int) $id;
91
+  $type = NULL;
92
+  $username = NULL;
93
+  if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
94
+    $type = 'user';
85 95
     $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
86 96
     if (isset($_SESSION['subuser']))
87 97
       $username = mysql_real_escape_string($_SESSION['subuser']);
88
-  db_query("DELETE FROM system.clientcert WHERE id={$id} AND username='{$username}' LIMIT 1");
98
+      $type = 'subuser';
99
+  } elseif ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) {
100
+    $type = 'email';
101
+    $username = mysql_real_escape_string($_SESSION['mailaccount']);
102
+  }
103
+  if (! $type || ! $username) {
104
+    system_failure('cannot get type or username of login');
105
+  }
106
+  db_query("DELETE FROM system.clientcert WHERE id={$id} AND type='{$type}' AND username='{$username}' LIMIT 1");
89 107
 }
90 108
 
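Review bot: This role-to-(type, username) block is now the fourth copy of the same logic in the commit (cert.php, certsave.php, add_clientcert() and here), and the copies already differ in whether they escape and whether they fail on NULL. Extracting one helper in x509.php, e.g. `function clientcert_login_identity()` returning `array($type, $username)` (unescaped; escape at the SQL call sites) and calling `system_failure()` itself when nothing matches, would keep the authorization check in certsave.php and the DELETE scope here from drifting apart. Note that the DELETE is now keyed on `type`, so any row whose stored type does not match the type derived at deletion time silently survives the `LIMIT 1` query.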
@@ -6,7 +6,7 @@ if ($role == ROLE_ANONYMOUS) {
6 6
   $menu["index_login"] = array("label" => "Login", "file" => "index", "weight" => 0);
7 7
   $menu["certlogin"] = array("label" => "Client-Zertifikat", "file" => "certinfo", "weight" => 10);
8 8
 } else {
9
-  if ($role & (ROLE_SYSTEMUSER | ROLE_SUBUSER))
9
+  if ($role & (ROLE_SYSTEMUSER | ROLE_SUBUSER | ROLE_VMAIL_ACCOUNT))
10 10
     $menu["index_cert"] = array("label" => "Client-Zertifikat", "file" => "cert", "weight" => 10, "submenu" => "index_index");
11 11
   if ($role & (ROLE_SYSTEMUSER | ROLE_CUSTOMER)) {
12 12
     $menu["index_chpass"] = array("label" => "Passwort ändern", "file" => "chpass", "weight" => 98);
13 13