Browse code

Ermögliche Client-Cert-Login auch für VMail-Accounts

git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@2217 87cf0b9e-d624-0410-a070-f6ee81989793

bernd authored on05/03/2012 06:19:25
Showing5 changed files
... ...
@@ -63,8 +63,10 @@ elseif (isset($_REQUEST['type']) && isset($_REQUEST['username'])) {
63 63
     system_failure('Ihr Browser hat kein Client-Zertifikat gesendet');
64 64
 
65 65
   $ret = get_logins_by_cert($_SERVER['REDIRECT_SSL_CLIENT_CERT']);
66
+  DEBUG($ret);
66 67
   foreach ($ret as $account) {
67
-    if (($account['type'] == $_REQUEST['type']) && ($account['username'] == $_REQUEST['username'])) {
68
+    DEBUG('/'.$account['type'].'/'.$_REQUEST['type'].'/    /'.$account['username'].'/'.$_REQUEST['username'].'/    =>');
69
+    if (($account['type'] == urldecode($_REQUEST['type'])) && ($account['username'] == urldecode($_REQUEST['username']))) {
68 70
       $uid = $account['username'];
69 71
       $role = find_role($uid, '', True);
70 72
       setup_session($role, $uid);
... ...
@@ -114,7 +116,7 @@ else
114 116
         $type = 'Kundenaccount';
115 117
       }
116 118
       $destination = 'go/index/index';
117
-      if (check_path($account['startpage']))
119
+      if ($account['startpage'] && check_path($account['startpage']))
118 120
         $destination = $account['startpage'];
119 121
       output('<li>'.internal_link('', $type.': <strong>'.$account['username'].'</strong>', 'type='.$account['type'].'&username='.urlencode($account['username']).'&destination='.urlencode($destination)).'</li>');
120 122
     }
... ...
@@ -3,7 +3,7 @@
3 3
 require_once('inc/base.php');
4 4
 require_once('x509.php');
5 5
 
6
-require_role(ROLE_SYSTEMUSER);
6
+require_role(array(ROLE_SYSTEMUSER, ROLE_SUBUSER, ROLE_VMAIL_ACCOUNT));
7 7
 
8 8
 title('Anmeldung über Client-Zertifikat');
9 9
 output('<p>Sie können Sie an diesem Webinterface wahlweise auch über ein SSL-Client-Zertifikat anmelden. Dazu muss das gewünschte Zertifikat <em>vorher</em> in Ihrem Browser installiert werden und kann dann hier hinzugefügt werden.</p>
... ...
@@ -19,6 +19,15 @@ if (isset($_GET['clear']))
19 19
   unset($_SESSION['clientcert_issuer']);
20 20
 }
21 21
 
22
+$username = NULL;
23
+if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
24
+  $username = $_SESSION['userinfo']['username'];
25
+  if (isset($_SESSION['subuser']))
26
+    $username = $_SESSION['subuser'];
27
+} elseif ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) {
28
+  $username = $_SESSION['mailaccount'];
29
+}
30
+
22 31
 if (isset($_SESSION['clientcert_cert']))
23 32
 {
24 33
   // FIXME: Es gibt keine Duplikaterkennung.
... ...
@@ -27,15 +36,12 @@ if (isset($_SESSION['clientcert_cert']))
27 36
   output('<p>Es wurde folgendes Client-Zertifikat von Ihrem Browser gesendet:</p>
28 37
 <div style="margin-left: 2em;"><strong>DN:</strong> '.filter_input_general($_SESSION['clientcert_dn']).'<br />
29 38
 <strong>Aussteller-DN:</strong> '.filter_input_general($_SESSION['clientcert_issuer']).'</div>
30
-<p>Soll dieses Zertifikat für den Zugang zum Benutzerkonto <strong>'.$_SESSION['userinfo']['username'].'</strong> verwendet werden?</p>');
39
+<p>Soll dieses Zertifikat für den Zugang für <strong>'.$username.'</strong> verwendet werden?</p>');
31 40
   output(html_form('clientcert_add', 'certsave.php', 'action=new', '<p><input type="submit" name="submit" value="Ja, dieses Zertifikat einrichten" /> &#160; '.internal_link('cert', 'Nein', 'clear').'</p>'));
32 41
   output('</div>');
33 42
 }
34 43
 
35 44
 
36
-$username = $_SESSION['userinfo']['username'];
37
-if (isset($_SESSION['subuser']))
38
-  $username = $_SESSION['subuser'];
39 45
 $certs = get_certs_by_username($username);
40 46
 if ($certs != NULL) {
41 47
   output('<p>Sie haben bereits Zertifikate für den Zugang eingerichtet.</p>
... ...
@@ -2,7 +2,7 @@
2 2
 require_once('session/start.php');
3 3
 require_once('x509.php');
4 4
 
5
-require_role(ROLE_SYSTEMUSER);
5
+require_role(array(ROLE_SYSTEMUSER, ROLE_SUBUSER, ROLE_VMAIL_ACCOUNT));
6 6
 
7 7
 
8 8
 if ($_GET['action'] == 'new')
... ...
@@ -24,8 +24,15 @@ elseif ($_GET['action'] == 'delete')
24 24
   $cert = get_cert_by_id($_GET['id']);
25 25
   if (! $cert)
26 26
     system_failure('no ID');
27
-  if (!((!isset($_SESSION['subuser']) && $cert['username'] == $_SESSION['userinfo']['username']) ||
28
-        (isset($_SESSION['subuser']) && $cert['username'] == $_SESSION['subuser'])))
27
+  $username = NULL;
28
+  if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
29
+    $username = $_SESSION['userinfo']['username'];
30
+    if (isset($_SESSION['subuser']))
31
+      $username = $_SESSION['subuser'];
32
+  } elseif ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) {
33
+    $username = $_SESSION['mailaccount'];
34
+  }
35
+  if (! ($cert['username'] == $username))
29 36
     system_failure('Das Zertifikat ist nicht für Ihren Zugang eingerichtet');
30 37
   $sure = user_is_sure();
31 38
   if ($sure === NULL)
... ...
@@ -51,9 +51,21 @@ function get_certs_by_username($username)
51 51
 
52 52
 function add_clientcert($certdata, $dn, $issuer, $startpage='')
53 53
 {
54
-  $type = 'user';
55
-  if (isset($_SESSION['subuser']))
56
-    $type = 'subuser';
54
+  $type = NULL;
55
+  $username = NULL;
56
+  if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
57
+    $type = 'user';
58
+    $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
59
+    if (isset($_SESSION['subuser']))
60
+      $username = mysql_real_escape_string($_SESSION['subuser']);
61
+      $type = 'subuser';
62
+  } elseif ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) {
63
+    $type = 'email';
64
+    $username = mysql_real_escape_string($_SESSION['mailaccount']);
65
+  }
66
+  if (! $type || ! $username) {
67
+    system_failure('cannot get type or username of login');
68
+  }
57 69
   $certdata = mysql_real_escape_string($certdata);
58 70
   $dn = maybe_null(mysql_real_escape_string($dn));
59 71
   $issuer = maybe_null(mysql_real_escape_string($issuer));
... ...
@@ -61,12 +73,6 @@ function add_clientcert($certdata, $dn, $issuer, $startpage='')
61 73
     system_failure('Startseite kaputt');
62 74
   $startpage = maybe_null(mysql_real_escape_string($startpage));
63 75
 
64
-  $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
65
-  if ($type == 'subuser')
66
-    $username = $_SESSION['subuser'];
67
-  if ($username == '')
68
-    system_failure('Kein Username');
69
-
70 76
   if ($certdata == '')
71 77
     system_failure('Kein Zertifikat');
72 78
   DEBUG($certdata);
... ...
@@ -82,9 +88,21 @@ VALUES ({$dn}, {$issuer}, '{$certdata}', '{$type}', '{$username}', {$startpage})
82 88
 function delete_clientcert($id)
83 89
 {
84 90
   $id = (int) $id;
85
-  $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
86
-  if (isset($_SESSION['subuser']))
87
-    $username = mysql_real_escape_string($_SESSION['subuser']);
88
-  db_query("DELETE FROM system.clientcert WHERE id={$id} AND username='{$username}' LIMIT 1");
91
+  $type = NULL;
92
+  $username = NULL;
93
+  if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
94
+    $type = 'user';
95
+    $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
96
+    if (isset($_SESSION['subuser']))
97
+      $username = mysql_real_escape_string($_SESSION['subuser']);
98
+      $type = 'subuser';
99
+  } elseif ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) {
100
+    $type = 'email';
101
+    $username = mysql_real_escape_string($_SESSION['mailaccount']);
102
+  }
103
+  if (! $type || ! $username) {
104
+    system_failure('cannot get type or username of login');
105
+  }
106
+  db_query("DELETE FROM system.clientcert WHERE id={$id} AND type='{$type}' AND username='{$username}' LIMIT 1");
89 107
 }
90 108
 
... ...
@@ -6,7 +6,7 @@ if ($role == ROLE_ANONYMOUS) {
6 6
   $menu["index_login"] = array("label" => "Login", "file" => "index", "weight" => 0);
7 7
   $menu["certlogin"] = array("label" => "Client-Zertifikat", "file" => "certinfo", "weight" => 10);
8 8
 } else {
9
-  if ($role & (ROLE_SYSTEMUSER | ROLE_SUBUSER))
9
+  if ($role & (ROLE_SYSTEMUSER | ROLE_SUBUSER | ROLE_VMAIL_ACCOUNT))
10 10
     $menu["index_cert"] = array("label" => "Client-Zertifikat", "file" => "cert", "weight" => 10, "submenu" => "index_index");
11 11
   if ($role & (ROLE_SYSTEMUSER | ROLE_CUSTOMER)) {
12 12
     $menu["index_chpass"] = array("label" => "Passwort ändern", "file" => "chpass", "weight" => 98);