use SSL serial to bind certificate to user; implement autologin using SSL certificate...
index 0dd7ca47bd13cd54ceee4ed5fdb446f3ed29382e..51731fa6e7e0a7028b56a915ca404a59d5648e04 100644 (file)
                return true;
        }
 
+       function get_login_by_ssl_certificate($link) {
+
+               $cert_serial = db_escape_string($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]);
+
+               if ($cert_serial) {
+                       $result = db_query($link, "SELECT login FROM ttrss_user_prefs, ttrss_users
+                               WHERE pref_name = 'SSL_CERT_SERIAL' AND value = '$cert_serial' AND
+                               owner_uid = ttrss_users.id");
+
+                       if (db_num_rows($result) != 0) {
+                               return db_escape_string(db_fetch_result($result, 0, "login"));
+                       }
+               }
+
+               return "";
+       }
+
+       function get_remote_user() {
+               $remote_user = "";
+
+               if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH) {
+                       $remote_user = $_SERVER["REMOTE_USER"];
+               }
+
+               return db_escape_string($remote_user);
+       }
+
+       function get_remote_fakepass() {
+               if (get_remote_user())
+                       return "******";
+               else
+                       return "";
+       }
+
        function authenticate_user($link, $login, $password, $force_auth = false) {
 
                if (!SINGLE_USER_MODE) {
                        $pwd_hash2 = encrypt_password($password, $login);
                        $login = db_escape_string($login);
 
-                       if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
-                                       && $_SERVER["REMOTE_USER"] && $login != "admin") {
+                       $remote_user = get_remote_user();
+
+                       if (!$remote_user)
+                               $remote_user = get_login_by_ssl_certificate($link);
+
+                       if ($remote_user && $login != "admin") {
 
-                               $login = db_escape_string($_SERVER["REMOTE_USER"]);
+                               $login = $remote_user;
 
                                $query = "SELECT id,login,access_level,pwd_hash
                    FROM ttrss_users WHERE
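Review bot: get_login_by_ssl_certificate trusts the serial in `$_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]` without checking that mod_ssl actually verified the client certificate, so with a permissive `SSLVerifyClient` setting a presented-but-unverified certificate would still map to a user and, via the `$remote_user` branch below and the autologin call in the second hunk, log that user in with no password. Gate the lookup on the verify status that mod_ssl exports alongside the serial (assuming the same `REDIRECT_` prefixing applies in this deployment) and avoid the undefined-index notice when no certificate is present: `$verified = isset($_SERVER["REDIRECT_SSL_CLIENT_VERIFY"]) && $_SERVER["REDIRECT_SSL_CLIENT_VERIFY"] == "SUCCESS";` followed by `$cert_serial = ($verified && isset($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"])) ? db_escape_string($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]) : "";`. A certificate serial is only unique per issuing CA, so if the server trusts more than one CA the `SSL_CERT_SERIAL` preference should presumably be bound to the issuer as well; worth confirming against the intended deployment. Note also that the certificate path in the second hunk auto-logs in regardless of `AUTO_LOGIN`, unlike the REMOTE_USER path next to it; if that asymmetry is deliberate a comment saying so would help.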
                        }
 
                        if (!$_SESSION["uid"] || !validate_session($link)) {
-                               if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
-                                       && $_SERVER["REMOTE_USER"] && defined('AUTO_LOGIN') && AUTO_LOGIN) {
-                                   authenticate_user($link,$_SERVER['REMOTE_USER'],null);
+                               $cert_login = get_login_by_ssl_certificate($link);
+
+                               if ($cert_login) {
+                                   authenticate_user($link, $cert_login, null);
+                                   $_SESSION["ref_schema_version"] = get_schema_version($link, true);
+                               } else if (get_remote_user() && AUTO_LOGIN) {
+                                   authenticate_user($link, get_remote_user(), null);
                                    $_SESSION["ref_schema_version"] = get_schema_version($link, true);
                                } else {
                                    render_login_form($link, $mobile);