Browse code

Cert-Login geht jetztauch mit sub-usern

git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@1823 87cf0b9e-d624-0410-a070-f6ee81989793

bernd authored on01/10/2010 10:45:35
Showing5 changed files
... ...
@@ -45,7 +45,7 @@ DEBUG($_SERVER);
45 45
 if ($_SESSION['role'] != ROLE_ANONYMOUS && isset($_REQUEST['record']) && isset($_REQUEST['backto']) && check_path($_REQUEST['backto']))
46 46
 {
47 47
   DEBUG('recording client-cert');
48
-  if (isset($_SERVER['REDIRECT_SSL_CLIENT_CERT']) && $_SERVER['REDIRECT_SSL_CLIENT_S_DN'] != '' && $_SERVER['REDIRECT_SSL_CLIENT_I_DN'] != '')
48
+  if (isset($_SERVER['REDIRECT_SSL_CLIENT_CERT']) && isset($_SERVER['REDIRECT_SSL_CLIENT_S_DN']) && isset($_SERVER['REDIRECT_SSL_CLIENT_I_DN']))
49 49
   {
50 50
     $_SESSION['clientcert_cert'] = prepare_cert($_SERVER['REDIRECT_SSL_CLIENT_CERT']);
51 51
     $_SESSION['clientcert_dn'] = $_SERVER['REDIRECT_SSL_CLIENT_S_DN'];
... ...
@@ -105,6 +105,9 @@ else
105 105
       if ($account['type'] == 'email') {
106 106
         $type = 'E-Mail-Konto';
107 107
       }
108
+      elseif ($account['type'] == 'subuser') {
109
+        $type = 'Unter-Nutzer';
110
+      }
108 111
       elseif ($account['type'] == 'customer') {
109 112
         $type = 'Kundenaccount';
110 113
       }
... ...
@@ -33,7 +33,10 @@ if (isset($_SESSION['clientcert_cert']))
33 33
 }
34 34
 
35 35
 
36
-$certs = get_certs_by_username($_SESSION['userinfo']['username']);
36
+$username = $_SESSION['userinfo']['username'];
37
+if (isset($_SESSION['subuser']))
38
+  $username = $_SESSION['subuser'];
39
+$certs = get_certs_by_username($username);
37 40
 if ($certs != NULL) {
38 41
   output('<p>Sie haben bereits Zertifikate für den Zugang eingerichtet.</p>
39 42
   <ul>');
... ...
@@ -51,14 +51,19 @@ function get_certs_by_username($username)
51 51
 
52 52
 function add_clientcert($certdata, $dn, $issuer, $startpage='')
53 53
 {
54
+  $type = 'user';
55
+  if (isset($_SESSION['subuser']))
56
+    $type = 'subuser';
54 57
   $certdata = mysql_real_escape_string($certdata);
55 58
   $dn = maybe_null(mysql_real_escape_string($dn));
56 59
   $issuer = maybe_null(mysql_real_escape_string($issuer));
57 60
   if ($startpage &&  ! check_path($startpage))
58 61
     system_failure('Startseite kaputt');
59 62
   $startpage = maybe_null(mysql_real_escape_string($startpage));
60
-  
63
+
61 64
   $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
65
+  if ($type == 'subuser')
66
+    $username = $_SESSION['subuser'];
62 67
   if ($username == '')
63 68
     system_failure('Kein Username');
64 69
 
... ...
@@ -69,7 +74,7 @@ function add_clientcert($certdata, $dn, $issuer, $startpage='')
69 74
   DEBUG($issuer);
70 75
 
71 76
   db_query("INSERT INTO system.clientcert (`dn`, `issuer`, `cert`, `type`, `username`, `startpage`) 
72
-VALUES ({$dn}, {$issuer}, '{$certdata}', 'user', '{$username}', {$startpage})");
77
+VALUES ({$dn}, {$issuer}, '{$certdata}', '{$type}', '{$username}', {$startpage})");
73 78
 
74 79
 }
75 80
 
... ...
@@ -6,7 +6,7 @@ if ($role == ROLE_ANONYMOUS) {
6 6
   $menu["index_login"] = array("label" => "Login", "file" => "index", "weight" => 0);
7 7
   $menu["certlogin"] = array("label" => "Client-Zertifikat", "file" => "certinfo", "weight" => 10);
8 8
 } else {
9
-  if ($role & ROLE_SYSTEMUSER && ! ($role & ROLE_SUBUSER))
9
+  if ($role & (ROLE_SYSTEMUSER | ROLE_SUBUSER))
10 10
     $menu["index_cert"] = array("label" => "Client-Zertifikat", "file" => "cert", "weight" => 10, "submenu" => "index_index");
11 11
   if ($role & (ROLE_SYSTEMUSER | ROLE_CUSTOMER) && ! $role & ROLE_SUBUSER) {
12 12
     $menu["index_chpass"] = array("label" => "Passwort ändern", "file" => "chpass", "weight" => 98);
... ...
@@ -95,11 +95,18 @@ function find_role($login, $password, $i_am_admin = False)
95 95
 
96 96
   // Sub-User
97 97
 
98
-  $result = db_query("SELECT uid FROM system.subusers WHERE username='{$login}' AND password=SHA1('{$password}')");
98
+  $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
99 99
   if (@mysql_num_rows($result) > 0)
100 100
   {
101
-    // FIXME: Admin-Su-Anmeldung geht damit nicht
102
-    return ROLE_SUBUSER;
101
+    $entry = mysql_fetch_object($result);
102
+    $db_password = $entry->password;
103
+    $hash = sha1($password);
104
+    if ($hash == $db_password || $i_am_admin)
105
+    {
106
+      logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
107
+      return ROLE_SUBUSER;
108
+    }
109
+    logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
103 110
   }
104 111
 
105 112