From 3d72afa19a7e8e7f7691086dedba7c5f9631f42f Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 28 Mar 2011 08:30:00 +0400 Subject: [PATCH] use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324) --- config.php-dist | 10 ++-- functions.php | 44 ++++++++++++++---- modules/pref-prefs.php | 86 ++++++++++++++++++++--------------- prefs.js | 8 ++++ sanity_check.php | 2 +- schema/ttrss_schema_mysql.sql | 4 +- schema/ttrss_schema_pgsql.sql | 4 +- schema/versions/mysql/82.sql | 7 +++ schema/versions/pgsql/82.sql | 7 +++ sessions.php | 59 +++++++++++++----------- 10 files changed, 149 insertions(+), 82 deletions(-) create mode 100644 schema/versions/mysql/82.sql create mode 100644 schema/versions/pgsql/82.sql diff --git a/config.php-dist b/config.php-dist index c12e3ebe..26e8a02f 100644 --- a/config.php-dist +++ b/config.php-dist @@ -128,13 +128,9 @@ // Limits the amount of feeds daemon (or a cronjob) updates on one run define('ALLOW_REMOTE_USER_AUTH', false); - // Set to 'true' if you trust your web server's REMOTE_USER or - // REDIRECT_SSL_CLIENT_S_DN_CN environment variables to validate - // that the user is logged in. This option can be used to integrate - // tt-rss with Apache's external authentication modules or SSL - // client certificate authentication. - // Please note that REMOTE_USER takes precedence over SSL certificate - // information. + // Set to 'true' if you trust your web server's REMOTE_USER + // environment variable that the user is logged in. This option can be + // used to integrate tt-rss with Apache's external authentication modules. define('AUTO_LOGIN', false); // Set this to true if you use ALLOW_REMOTE_USER_AUTH and you want diff --git a/functions.php b/functions.php index ed443836..51731fa6 100644 --- a/functions.php +++ b/functions.php @@ -1757,11 +1757,29 @@ return true; } - function get_remote_user() { - $remote_user = $_SERVER["REMOTE_USER"]; + function get_login_by_ssl_certificate($link) { - if (!$remote_user) - $remote_user = $_SERVER["REDIRECT_SSL_CLIENT_S_DN_CN"]; + $cert_serial = db_escape_string($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]); + + if ($cert_serial) { + $result = db_query($link, "SELECT login FROM ttrss_user_prefs, ttrss_users + WHERE pref_name = 'SSL_CERT_SERIAL' AND value = '$cert_serial' AND + owner_uid = ttrss_users.id"); + + if (db_num_rows($result) != 0) { + return db_escape_string(db_fetch_result($result, 0, "login")); + } + } + + return ""; + } + + function get_remote_user() { + $remote_user = ""; + + if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH) { + $remote_user = $_SERVER["REMOTE_USER"]; + } return db_escape_string($remote_user); } @@ -1781,10 +1799,14 @@ $pwd_hash2 = encrypt_password($password, $login); $login = db_escape_string($login); - if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH - && get_remote_user() && $login != "admin") { + $remote_user = get_remote_user(); - $login = db_escape_string(get_remote_user()); + if (!$remote_user) + $remote_user = get_login_by_ssl_certificate($link); + + if ($remote_user && $login != "admin") { + + $login = $remote_user; $query = "SELECT id,login,access_level,pwd_hash FROM ttrss_users WHERE @@ -1974,8 +1996,12 @@ } if (!$_SESSION["uid"] || !validate_session($link)) { - if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH - && get_remote_user() && defined('AUTO_LOGIN') && AUTO_LOGIN) { + $cert_login = get_login_by_ssl_certificate($link); + + if ($cert_login) { + authenticate_user($link, $cert_login, null); + $_SESSION["ref_schema_version"] = get_schema_version($link, true); + } else if (get_remote_user() && AUTO_LOGIN) { authenticate_user($link, get_remote_user(), null); $_SESSION["ref_schema_version"] = get_schema_version($link, true); } else { diff --git a/modules/pref-prefs.php b/modules/pref-prefs.php index 806d295d..1a2b2cd7 100644 --- a/modules/pref-prefs.php +++ b/modules/pref-prefs.php @@ -6,12 +6,12 @@ $subop = $_REQUEST["subop"]; $prefs_blacklist = array("HIDE_FEEDLIST", "SYNC_COUNTERS", "ENABLE_LABELS", - "ENABLE_SEARCH_TOOLBAR", "HIDE_READ_FEEDS", "ENABLE_FEED_ICONS", + "ENABLE_SEARCH_TOOLBAR", "HIDE_READ_FEEDS", "ENABLE_FEED_ICONS", "ENABLE_OFFLINE_READING", "EXTENDED_FEEDLIST", "FEEDS_SORT_BY_UNREAD", "OPEN_LINKS_IN_NEW_WINDOW", "USER_STYLESHEET_URL", "ENABLE_FLASH_PLAYER"); - $profile_blacklist = array("ALLOW_DUPLICATE_POSTS", "PURGE_OLD_DAYS", - "PURGE_UNREAD_ARTICLES", "DIGEST_ENABLE", "DIGEST_CATCHUP", + $profile_blacklist = array("ALLOW_DUPLICATE_POSTS", "PURGE_OLD_DAYS", + "PURGE_UNREAD_ARTICLES", "DIGEST_ENABLE", "DIGEST_CATCHUP", "BLACKLISTED_TAGS", "ENABLE_FEED_ICONS", "ENABLE_API_ACCESS", "UPDATE_POST_ON_CHECKSUM_CHANGE", "DEFAULT_UPDATE_INTERVAL", "MARK_UNREAD_ON_UPDATE", "USER_TIMEZONE", "SORT_HEADLINES_BY_FEED_DATE"); @@ -47,18 +47,18 @@ $new_pw_hash = encrypt_password($new_pw, $_SESSION["name"]); $active_uid = $_SESSION["uid"]; - + if ($old_pw && $new_pw) { $login = db_escape_string($_SERVER['PHP_AUTH_USER']); - $result = db_query($link, "SELECT id FROM ttrss_users WHERE - id = '$active_uid' AND (pwd_hash = '$old_pw_hash1' OR + $result = db_query($link, "SELECT id FROM ttrss_users WHERE + id = '$active_uid' AND (pwd_hash = '$old_pw_hash1' OR pwd_hash = '$old_pw_hash2')"); if (db_num_rows($result) == 1) { - db_query($link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash' - WHERE id = '$active_uid'"); + db_query($link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash' + WHERE id = '$active_uid'"); $_SESSION["pwd_hash"] = $new_pw_hash; @@ -81,7 +81,7 @@ $orig_theme = get_pref($link, "_THEME_ID"); foreach (array_keys($_POST) as $pref_name) { - + $pref_name = db_escape_string($pref_name); $value = db_escape_string($_POST[$pref_name]); @@ -119,10 +119,10 @@ $active_uid = $_SESSION["uid"]; db_query($link, "UPDATE ttrss_users SET email = '$email', - full_name = '$full_name' WHERE id = '$active_uid'"); - + full_name = '$full_name' WHERE id = '$active_uid'"); + print __("Your personal data has been saved."); - + return; } else if ($subop == "reset-config") { @@ -135,7 +135,7 @@ $profile_qpart = "profile IS NULL"; } - db_query($link, "DELETE FROM ttrss_user_prefs + db_query($link, "DELETE FROM ttrss_user_prefs WHERE $profile_qpart AND owner_uid = ".$_SESSION["uid"]); initialize_user_prefs($link, $_SESSION["uid"], $_SESSION["profile"]); @@ -164,8 +164,8 @@ new Ajax.Request('backend.php', { parameters: dojo.objectToQuery(this.getValues()), - onComplete: function(transport) { - notify_callback2(transport); + onComplete: function(transport) { + notify_callback2(transport); } }); } @@ -176,7 +176,7 @@ $result = db_query($link, "SELECT email,full_name, access_level FROM ttrss_users WHERE id = ".$_SESSION["uid"]); - + $email = htmlspecialchars(db_fetch_result($result, 0, "email")); $full_name = htmlspecialchars(db_fetch_result($result, 0, "full_name")); @@ -192,9 +192,9 @@ print "".__('Access level').""; print "" . $access_level_names[$access_level] . ""; } - + print ""; - + print ""; print ""; @@ -207,7 +207,7 @@ print "
"; $result = db_query($link, "SELECT id FROM ttrss_users - WHERE id = ".$_SESSION["uid"]." AND pwd_hash + WHERE id = ".$_SESSION["uid"]." AND pwd_hash = 'SHA1:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'"); if (db_num_rows($result) != 0) { @@ -223,7 +223,7 @@ new Ajax.Request('backend.php', { parameters: dojo.objectToQuery(this.getValues()), - onComplete: function(transport) { + onComplete: function(transport) { notify(''); if (transport.responseText.indexOf('ERROR: ') == 0) { notify_error(transport.responseText.replace('ERROR: ', '')); @@ -238,12 +238,12 @@ "; print ""; - + print ""; print ""; - + print ""; - + print ""; @@ -252,7 +252,7 @@ print ""; print "
".__("Old password")."
".__("New password")."
"; - + print ""; print ""; @@ -278,11 +278,11 @@ $profile_qpart = "profile IS NULL"; } - $result = db_query($link, "SELECT + $result = db_query($link, "SELECT ttrss_user_prefs.pref_name,short_desc,help_text,value,type_name, section_name,def_value,section_id FROM ttrss_prefs,ttrss_prefs_types,ttrss_prefs_sections,ttrss_user_prefs - WHERE type_id = ttrss_prefs_types.id AND + WHERE type_id = ttrss_prefs_types.id AND $profile_qpart AND section_id = ttrss_prefs_sections.id AND ttrss_user_prefs.pref_name = ttrss_prefs.pref_name AND @@ -299,7 +299,7 @@ new Ajax.Request('backend.php', { parameters: dojo.objectToQuery(this.getValues()), - onComplete: function(transport) { + onComplete: function(transport) { var msg = transport.responseText; if (msg.match('PREFS_THEME_CHANGED')) { window.location.reload(); @@ -313,14 +313,14 @@ $lnum = 0; $active_section = ""; - + while ($line = db_fetch_assoc($result)) { if (in_array($line["pref_name"], $prefs_blacklist)) { continue; } - if ($_SESSION["profile"] && in_array($line["pref_name"], + if ($_SESSION["profile"] && in_array($line["pref_name"], $profile_blacklist)) { continue; } @@ -333,8 +333,8 @@ print ""; - $active_section = $line["section_name"]; - + $active_section = $line["section_name"]; + print ""; if ($line["section_id"] == 2) { @@ -345,7 +345,7 @@ print ""; } @@ -383,7 +383,7 @@ print ""; print "

".__($active_section)."

" . __($line["short_desc"]); if ($help_text) print "
".__($help_text)."
"; - + print "
"; @@ -402,14 +402,14 @@ $limits = array(15, 30, 45, 60); - print_select($pref_name, $value, $limits, + print_select($pref_name, $value, $limits, 'dojoType="dijit.form.Select"'); } else if ($pref_name == "DEFAULT_UPDATE_INTERVAL") { global $update_intervals_nodefault; - print_select_hash($pref_name, $value, $update_intervals_nodefault, + print_select_hash($pref_name, $value, $update_intervals_nodefault, 'dojoType="dijit.form.Select"'); } else if ($type_name == "bool") { @@ -432,6 +432,20 @@ required=\"1\" $regexp name=\"$pref_name\" value=\"$value\">"; + } else if ($pref_name == "SSL_CERT_SERIAL") { + + print ""; + + $cert_serial = htmlspecialchars($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]); + + if ($cert_serial) { + print " "; + } + } else { $regexp = ($type_name == 'integer') ? 'regexp="^\d*$"' : ''; diff --git a/prefs.js b/prefs.js index 02d65bc4..ae2c9f78 100644 --- a/prefs.js +++ b/prefs.js @@ -1693,3 +1693,11 @@ function customizeCSS() { exception_error("customizeCSS", e); } } + +function insertSSLserial(value) { + try { + dijit.byId("SSL_CERT_SERIAL").attr('value', value); + } catch (e) { + exception_error("insertSSLcerial", e); + } +} diff --git a/sanity_check.php b/sanity_check.php index c9d0fe92..96f4e839 100644 --- a/sanity_check.php +++ b/sanity_check.php @@ -2,7 +2,7 @@ require_once "functions.php"; define('EXPECTED_CONFIG_VERSION', 21); - define('SCHEMA_VERSION', 81); + define('SCHEMA_VERSION', 82); if (!file_exists("config.php")) { print "Fatal Error: You forgot to copy diff --git a/schema/ttrss_schema_mysql.sql b/schema/ttrss_schema_mysql.sql index a7c555cb..a4acf1e4 100644 --- a/schema/ttrss_schema_mysql.sql +++ b/schema/ttrss_schema_mysql.sql @@ -258,7 +258,7 @@ create table ttrss_tags (id integer primary key auto_increment, create table ttrss_version (schema_version int not null) TYPE=InnoDB DEFAULT CHARSET=UTF8; -insert into ttrss_version values (81); +insert into ttrss_version values (82); create table ttrss_enclosures (id integer primary key auto_increment, content_url text not null, @@ -391,6 +391,8 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1); +insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.'); + create table ttrss_user_prefs ( owner_uid integer not null, pref_name varchar(250), diff --git a/schema/ttrss_schema_pgsql.sql b/schema/ttrss_schema_pgsql.sql index d7320641..fbb693ce 100644 --- a/schema/ttrss_schema_pgsql.sql +++ b/schema/ttrss_schema_pgsql.sql @@ -229,7 +229,7 @@ create index ttrss_tags_post_int_id_idx on ttrss_tags(post_int_id); create table ttrss_version (schema_version int not null); -insert into ttrss_version values (81); +insert into ttrss_version values (82); create table ttrss_enclosures (id serial not null primary key, content_url text not null, @@ -355,6 +355,8 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1); +insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.'); + create table ttrss_user_prefs ( owner_uid integer not null references ttrss_users(id) ON DELETE CASCADE, pref_name varchar(250) not null references ttrss_prefs(pref_name) ON DELETE CASCADE, diff --git a/schema/versions/mysql/82.sql b/schema/versions/mysql/82.sql new file mode 100644 index 00000000..79fe5f49 --- /dev/null +++ b/schema/versions/mysql/82.sql @@ -0,0 +1,7 @@ +begin; + +insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.'); + +update ttrss_version set schema_version = 82; + +commit; diff --git a/schema/versions/pgsql/82.sql b/schema/versions/pgsql/82.sql new file mode 100644 index 00000000..79fe5f49 --- /dev/null +++ b/schema/versions/pgsql/82.sql @@ -0,0 +1,7 @@ +begin; + +insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.'); + +update ttrss_version set schema_version = 82; + +commit; diff --git a/sessions.php b/sessions.php index 2ad5a57f..8588f580 100644 --- a/sessions.php +++ b/sessions.php @@ -7,28 +7,33 @@ $session_expire = SESSION_EXPIRE_TIME; //seconds $session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME; + if ($_SERVER['HTTPS'] == "on") { + $session_name .= "_ssl"; + ini_set("session.cookie_secure", true); + } + ini_set("session.gc_probability", 50); ini_set("session.name", $session_name); ini_set("session.use_only_cookies", true); ini_set("session.gc_maxlifetime", SESSION_EXPIRE_TIME); function ttrss_open ($s, $n) { - + global $session_connection; - + $session_connection = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); - + return true; } function ttrss_read ($id){ - - global $session_connection,$session_read; + + global $session_connection,$session_read; $query = "SELECT data FROM ttrss_sessions WHERE id='$id'"; $res = db_query($session_connection, $query); - + if (db_num_rows($res) != 1) { return ""; } else { @@ -39,61 +44,61 @@ } function ttrss_write ($id, $data) { - - if (! $data) { - return false; + + if (! $data) { + return false; } - + global $session_connection, $session_read, $session_expire; - + $expire = time() + $session_expire; - + $data = db_escape_string(base64_encode($data), $session_connection); - + if ($session_read) { - $query = "UPDATE ttrss_sessions SET data='$data', - expire='$expire' WHERE id='$id'"; + $query = "UPDATE ttrss_sessions SET data='$data', + expire='$expire' WHERE id='$id'"; } else { $query = "INSERT INTO ttrss_sessions (id, data, expire) VALUES ('$id', '$data', '$expire')"; } - + db_query($session_connection, $query); return true; } function ttrss_close () { - + global $session_connection; - + db_close($session_connection); - + return true; } function ttrss_destroy ($id) { - + global $session_connection; $query = "DELETE FROM ttrss_sessions WHERE id = '$id'"; - + db_query($session_connection, $query); - + return true; } function ttrss_gc ($expire) { - + global $session_connection; - + $query = "DELETE FROM ttrss_sessions WHERE expire < " . time(); - + db_query($session_connection, $query); } if (DATABASE_BACKED_SESSIONS) { - session_set_save_handler("ttrss_open", - "ttrss_close", "ttrss_read", "ttrss_write", + session_set_save_handler("ttrss_open", + "ttrss_close", "ttrss_read", "ttrss_write", "ttrss_destroy", "ttrss_gc"); }