Cert-Login geht jetztauch mit sub-usern
bernd

bernd commited on 2010-10-01 10:45:35
Zeige 5 geänderte Dateien mit 24 Einfügungen und 6 Löschungen.


git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@1823 87cf0b9e-d624-0410-a070-f6ee81989793
@@ -45,7 +45,7 @@ DEBUG($_SERVER);
45 45
 if ($_SESSION['role'] != ROLE_ANONYMOUS && isset($_REQUEST['record']) && isset($_REQUEST['backto']) && check_path($_REQUEST['backto']))
46 46
 {
47 47
   DEBUG('recording client-cert');
48
-  if (isset($_SERVER['REDIRECT_SSL_CLIENT_CERT']) && $_SERVER['REDIRECT_SSL_CLIENT_S_DN'] != '' && $_SERVER['REDIRECT_SSL_CLIENT_I_DN'] != '')
48
+  if (isset($_SERVER['REDIRECT_SSL_CLIENT_CERT']) && isset($_SERVER['REDIRECT_SSL_CLIENT_S_DN']) && isset($_SERVER['REDIRECT_SSL_CLIENT_I_DN']))
49 49
   {
50 50
     $_SESSION['clientcert_cert'] = prepare_cert($_SERVER['REDIRECT_SSL_CLIENT_CERT']);
51 51
     $_SESSION['clientcert_dn'] = $_SERVER['REDIRECT_SSL_CLIENT_S_DN'];
@@ -105,6 +105,9 @@ else
105 105
       if ($account['type'] == 'email') {
106 106
         $type = 'E-Mail-Konto';
107 107
       }
108
+      elseif ($account['type'] == 'subuser') {
109
+        $type = 'Unter-Nutzer';
110
+      }
108 111
       elseif ($account['type'] == 'customer') {
109 112
         $type = 'Kundenaccount';
110 113
       }
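Review bot: In the first hunk of this file (@@ -45), swapping `$_SERVER['REDIRECT_SSL_CLIENT_S_DN'] != ''` for `isset(...)` weakens the gate: a subject or issuer DN that is present but empty now passes, and the empty string is stored as `$_SESSION['clientcert_dn']` two lines later. The old test rejected both unset and empty values (an unset index compares loosely equal to ''), so the new condition should keep the emptiness test as well: `isset($_SERVER['REDIRECT_SSL_CLIENT_S_DN']) && $_SERVER['REDIRECT_SSL_CLIENT_S_DN'] !== '' && isset($_SERVER['REDIRECT_SSL_CLIENT_I_DN']) && $_SERVER['REDIRECT_SSL_CLIENT_I_DN'] !== ''`. Whether mod_ssl ever exports an empty DN for a presented certificate I cannot tell from here, but a certificate-login path should not record an empty identity. The `if` block opened at `{` continues outside the hunk.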
@@ -33,7 +33,10 @@ if (isset($_SESSION['clientcert_cert']))
33 33
 }
34 34
 
35 35
 
36
-$certs = get_certs_by_username($_SESSION['userinfo']['username']);
36
+$username = $_SESSION['userinfo']['username'];
37
+if (isset($_SESSION['subuser']))
38
+  $username = $_SESSION['subuser'];
39
+$certs = get_certs_by_username($username);
37 40
 if ($certs != NULL) {
38 41
   output('<p>Sie haben bereits Zertifikate für den Zugang eingerichtet.</p>
39 42
   <ul>');
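Review bot: `$certs = get_certs_by_username($username);` looks a subuser up by name alone, while `add_clientcert` in this same commit now stores certificates with a `type` column of 'user' or 'subuser'; if a subuser name can coincide with a system user's name, this page would list the other account's certificates. I cannot see `get_certs_by_username` here, so it may already filter on type; if not, pass the type along, and state the invariant at the call site with a comment such as `// subuser names must not collide with system usernames — TODO confirm`. The braceless one-line `if (isset($_SESSION['subuser']))` body is also easy to mis-extend; `if (isset($_SESSION['subuser'])) { $username = $_SESSION['subuser']; }` keeps it safe.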
@@ -51,6 +51,9 @@ function get_certs_by_username($username)
51 51
 
52 52
 function add_clientcert($certdata, $dn, $issuer, $startpage='')
53 53
 {
54
+  $type = 'user';
55
+  if (isset($_SESSION['subuser']))
56
+    $type = 'subuser';
54 57
   $certdata = mysql_real_escape_string($certdata);
55 58
   $dn = maybe_null(mysql_real_escape_string($dn));
56 59
   $issuer = maybe_null(mysql_real_escape_string($issuer));
@@ -59,6 +62,8 @@ function add_clientcert($certdata, $dn, $issuer, $startpage='')
59 62
   $startpage = maybe_null(mysql_real_escape_string($startpage));
60 63
 
61 64
   $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
65
+  if ($type == 'subuser')
66
+    $username = $_SESSION['subuser'];
62 67
   if ($username == '')
63 68
     system_failure('Kein Username');
64 69
 
@@ -69,7 +74,7 @@ function add_clientcert($certdata, $dn, $issuer, $startpage='')
69 74
   DEBUG($issuer);
70 75
 
71 76
   db_query("INSERT INTO system.clientcert (`dn`, `issuer`, `cert`, `type`, `username`, `startpage`) 
72
-VALUES ({$dn}, {$issuer}, '{$certdata}', 'user', '{$username}', {$startpage})");
77
+VALUES ({$dn}, {$issuer}, '{$certdata}', '{$type}', '{$username}', {$startpage})");
73 78
 
74 79
 }
75 80
 
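Review bot: In the second hunk of `add_clientcert` (@@ -59), `$username = $_SESSION['subuser'];` overwrites a value that the line above had passed through `mysql_real_escape_string`, and the raw value is then interpolated into the INSERT in the next hunk as `'{$username}'`. The session value is server-side, but it originated from a login name, and escaping one branch while leaving the other raw is exactly the inconsistency that later becomes an injection; `$username = mysql_real_escape_string($_SESSION['subuser']);` keeps both branches equivalent. The `$type` switch in the first hunk is fine as written, though a short comment such as `// certs created in a subuser session are owned under type 'subuser'` would explain why the INSERT no longer hard-codes 'user'. The body of add_clientcert between the hunks is outside this view.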
@@ -6,7 +6,7 @@ if ($role == ROLE_ANONYMOUS) {
6 6
   $menu["index_login"] = array("label" => "Login", "file" => "index", "weight" => 0);
7 7
   $menu["certlogin"] = array("label" => "Client-Zertifikat", "file" => "certinfo", "weight" => 10);
8 8
 } else {
9
-  if ($role & ROLE_SYSTEMUSER && ! ($role & ROLE_SUBUSER))
9
+  if ($role & (ROLE_SYSTEMUSER | ROLE_SUBUSER))
10 10
     $menu["index_cert"] = array("label" => "Client-Zertifikat", "file" => "cert", "weight" => 10, "submenu" => "index_index");
11 11
   if ($role & (ROLE_SYSTEMUSER | ROLE_CUSTOMER) && ! $role & ROLE_SUBUSER) {
12 12
     $menu["index_chpass"] = array("label" => "Passwort ändern", "file" => "chpass", "weight" => 98);
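Review bot: The new `if ($role & (ROLE_SYSTEMUSER | ROLE_SUBUSER))` admits subusers to the certificate menu as the commit title intends, but its single-statement body is braceless while the sibling `if` two lines below is braced; wrapping it as `if ($role & (ROLE_SYSTEMUSER | ROLE_SUBUSER)) {` ... `}` keeps the two consistent. While in this spot: the sibling's `! $role & ROLE_SUBUSER` is not new code, but in PHP `!` binds tighter than `&`, so it appears to parse as `(!$role) & ROLE_SUBUSER`, which is 0 for any non-zero role and would keep the password-change entry from ever showing; the line this commit replaced had the intended form, `!($role & ROLE_SUBUSER)`. The surrounding else block continues outside the hunk.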
@@ -95,12 +95,19 @@ function find_role($login, $password, $i_am_admin = False)
95 95
 
96 96
   // Sub-User
97 97
 
98
-  $result = db_query("SELECT uid FROM system.subusers WHERE username='{$login}' AND password=SHA1('{$password}')");
98
+  $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
99 99
   if (@mysql_num_rows($result) > 0)
100 100
   {
101
-    // FIXME: Admin-Su-Anmeldung geht damit nicht
101
+    $entry = mysql_fetch_object($result);
102
+    $db_password = $entry->password;
103
+    $hash = sha1($password);
104
+    if ($hash == $db_password || $i_am_admin)
105
+    {
106
+      logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
102 107
       return ROLE_SUBUSER;
103 108
     }
109
+    logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing subuser »{$login}«.");
110
+  }
104 111
 
105 112
 
106 113
   // Nothing?
107 114
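Review bot: `if ($hash == $db_password || $i_am_admin)` compares the two SHA-1 hex strings with PHP's loose `==`, which treats numeric-looking strings as numbers, so distinct digests can compare equal; the comparison should be strict, `if ($hash === $db_password || $i_am_admin)`. The wrong-password warning added below is a good addition; the admin-override branch, however, logs the same "logged in virtual subuser" message as a real login, and a distinct log line for that path would make the audit trail honest. The SELECT still interpolates `$login` directly into the query; whether it was escaped before reaching find_role is outside this hunk and should be confirmed. The rest of find_role lies outside the hunk.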