valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324)

This commit is contained in:
Andrew Dolgov 2011-03-28 08:30:00 +04:00
parent f98252f27c
commit 3d72afa19a
10 changed files with 149 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
config.php-dist
View File

@ -128,13 +128,9 @@
// Limits the amount of feeds daemon (or a cronjob) updates on one run
define('ALLOW_REMOTE_USER_AUTH', false);
// Set to 'true' if you trust your web server's REMOTE_USER or
// REDIRECT_SSL_CLIENT_S_DN_CN environment variables to validate
// that the user is logged in. This option can be used to integrate
// tt-rss with Apache's external authentication modules or SSL
// client certificate authentication.
// Please note that REMOTE_USER takes precedence over SSL certificate
// information.
// Set to 'true' if you trust your web server's REMOTE_USER
// environment variable that the user is logged in. This option can be
// used to integrate tt-rss with Apache's external authentication modules.
define('AUTO_LOGIN', false);
// Set this to true if you use ALLOW_REMOTE_USER_AUTH and you want

44
functions.php
View File

@ -1757,11 +1757,29 @@
return true;
}
function get_remote_user() {
$remote_user = $_SERVER["REMOTE_USER"];
function get_login_by_ssl_certificate($link) {
if (!$remote_user)
$remote_user = $_SERVER["REDIRECT_SSL_CLIENT_S_DN_CN"];
$cert_serial = db_escape_string($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]);
if ($cert_serial) {
$result = db_query($link, "SELECT login FROM ttrss_user_prefs, ttrss_users
WHERE pref_name = 'SSL_CERT_SERIAL' AND value = '$cert_serial' AND
owner_uid = ttrss_users.id");
if (db_num_rows($result) != 0) {
return db_escape_string(db_fetch_result($result, 0, "login"));
}
}
return "";
}
function get_remote_user() {
$remote_user = "";
if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH) {
$remote_user = $_SERVER["REMOTE_USER"];
}
return db_escape_string($remote_user);
}
@ -1781,10 +1799,14 @@
$pwd_hash2 = encrypt_password($password, $login);
$login = db_escape_string($login);
if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
&& get_remote_user() && $login != "admin") {
$remote_user = get_remote_user();
$login = db_escape_string(get_remote_user());
if (!$remote_user)
$remote_user = get_login_by_ssl_certificate($link);
if ($remote_user && $login != "admin") {
$login = $remote_user;
$query = "SELECT id,login,access_level,pwd_hash
FROM ttrss_users WHERE
@ -1974,8 +1996,12 @@
}
if (!$_SESSION["uid"] || !validate_session($link)) {
if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
&& get_remote_user() && defined('AUTO_LOGIN') && AUTO_LOGIN) {
$cert_login = get_login_by_ssl_certificate($link);
if ($cert_login) {
authenticate_user($link, $cert_login, null);
$_SESSION["ref_schema_version"] = get_schema_version($link, true);
} else if (get_remote_user() && AUTO_LOGIN) {
authenticate_user($link, get_remote_user(), null);
$_SESSION["ref_schema_version"] = get_schema_version($link, true);
} else {

86
modules/pref-prefs.php
View File

@ -6,12 +6,12 @@
$subop = $_REQUEST["subop"];
$prefs_blacklist = array("HIDE_FEEDLIST", "SYNC_COUNTERS", "ENABLE_LABELS",
"ENABLE_SEARCH_TOOLBAR", "HIDE_READ_FEEDS", "ENABLE_FEED_ICONS",
"ENABLE_SEARCH_TOOLBAR", "HIDE_READ_FEEDS", "ENABLE_FEED_ICONS",
"ENABLE_OFFLINE_READING", "EXTENDED_FEEDLIST", "FEEDS_SORT_BY_UNREAD",
"OPEN_LINKS_IN_NEW_WINDOW", "USER_STYLESHEET_URL", "ENABLE_FLASH_PLAYER");
$profile_blacklist = array("ALLOW_DUPLICATE_POSTS", "PURGE_OLD_DAYS",
"PURGE_UNREAD_ARTICLES", "DIGEST_ENABLE", "DIGEST_CATCHUP",
$profile_blacklist = array("ALLOW_DUPLICATE_POSTS", "PURGE_OLD_DAYS",
"PURGE_UNREAD_ARTICLES", "DIGEST_ENABLE", "DIGEST_CATCHUP",
"BLACKLISTED_TAGS", "ENABLE_FEED_ICONS", "ENABLE_API_ACCESS",
"UPDATE_POST_ON_CHECKSUM_CHANGE", "DEFAULT_UPDATE_INTERVAL",
"MARK_UNREAD_ON_UPDATE", "USER_TIMEZONE", "SORT_HEADLINES_BY_FEED_DATE");
@ -47,18 +47,18 @@
$new_pw_hash = encrypt_password($new_pw, $_SESSION["name"]);
$active_uid = $_SESSION["uid"];
if ($old_pw && $new_pw) {
$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
$result = db_query($link, "SELECT id FROM ttrss_users WHERE
id = '$active_uid' AND (pwd_hash = '$old_pw_hash1' OR
$result = db_query($link, "SELECT id FROM ttrss_users WHERE
id = '$active_uid' AND (pwd_hash = '$old_pw_hash1' OR
pwd_hash = '$old_pw_hash2')");
if (db_num_rows($result) == 1) {
db_query($link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash'
WHERE id = '$active_uid'");
db_query($link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash'
WHERE id = '$active_uid'");
$_SESSION["pwd_hash"] = $new_pw_hash;
@ -81,7 +81,7 @@
$orig_theme = get_pref($link, "_THEME_ID");
foreach (array_keys($_POST) as $pref_name) {
$pref_name = db_escape_string($pref_name);
$value = db_escape_string($_POST[$pref_name]);
@ -119,10 +119,10 @@
$active_uid = $_SESSION["uid"];
db_query($link, "UPDATE ttrss_users SET email = '$email',
full_name = '$full_name' WHERE id = '$active_uid'");
full_name = '$full_name' WHERE id = '$active_uid'");
print __("Your personal data has been saved.");
return;
} else if ($subop == "reset-config") {
@ -135,7 +135,7 @@
$profile_qpart = "profile IS NULL";
}
db_query($link, "DELETE FROM ttrss_user_prefs
db_query($link, "DELETE FROM ttrss_user_prefs
WHERE $profile_qpart AND owner_uid = ".$_SESSION["uid"]);
initialize_user_prefs($link, $_SESSION["uid"], $_SESSION["profile"]);
@ -164,8 +164,8 @@
new Ajax.Request('backend.php', {
parameters: dojo.objectToQuery(this.getValues()),
onComplete: function(transport) {
notify_callback2(transport);
onComplete: function(transport) {
notify_callback2(transport);
} });
}
@ -176,7 +176,7 @@
$result = db_query($link, "SELECT email,full_name,
access_level FROM ttrss_users
WHERE id = ".$_SESSION["uid"]);
$email = htmlspecialchars(db_fetch_result($result, 0, "email"));
$full_name = htmlspecialchars(db_fetch_result($result, 0, "full_name"));
@ -192,9 +192,9 @@
print "<tr><td width=\"40%\">".__('Access level')."</td>";
print "<td>" . $access_level_names[$access_level] . "</td></tr>";
}
print "</table>";
print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"pref-prefs\">";
print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"subop\" value=\"change-email\">";
@ -207,7 +207,7 @@
print "<div dojoType=\"dijit.layout.AccordionPane\" title=\"".__('Authentication')."\">";
$result = db_query($link, "SELECT id FROM ttrss_users
WHERE id = ".$_SESSION["uid"]." AND pwd_hash
WHERE id = ".$_SESSION["uid"]." AND pwd_hash
= 'SHA1:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'");
if (db_num_rows($result) != 0) {
@ -223,7 +223,7 @@
new Ajax.Request('backend.php', {
parameters: dojo.objectToQuery(this.getValues()),
onComplete: function(transport) {
onComplete: function(transport) {
notify('');
if (transport.responseText.indexOf('ERROR: ') == 0) {
notify_error(transport.responseText.replace('ERROR: ', ''));
@ -238,12 +238,12 @@
</script>";
print "<table width=\"100%\" class=\"prefPrefsList\">";
print "<tr><td width=\"40%\">".__("Old password")."</td>";
print "<td class=\"prefValue\"><input dojoType=\"dijit.form.ValidationTextBox\" type=\"password\" required=\"1\" name=\"old_password\"></td></tr>";
print "<tr><td width=\"40%\">".__("New password")."</td>";
print "<td class=\"prefValue\"><input dojoType=\"dijit.form.ValidationTextBox\" type=\"password\" required=\"1\"
name=\"new_password\"></td></tr>";
@ -252,7 +252,7 @@
print "<td class=\"prefValue\"><input dojoType=\"dijit.form.ValidationTextBox\" type=\"password\" required=\"1\" name=\"confirm_password\"></td></tr>";
print "</table>";
print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"pref-prefs\">";
print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"subop\" value=\"change-password\">";
@ -278,11 +278,11 @@
$profile_qpart = "profile IS NULL";
}
$result = db_query($link, "SELECT
$result = db_query($link, "SELECT
ttrss_user_prefs.pref_name,short_desc,help_text,value,type_name,
section_name,def_value,section_id
FROM ttrss_prefs,ttrss_prefs_types,ttrss_prefs_sections,ttrss_user_prefs
WHERE type_id = ttrss_prefs_types.id AND
WHERE type_id = ttrss_prefs_types.id AND
$profile_qpart AND
section_id = ttrss_prefs_sections.id AND
ttrss_user_prefs.pref_name = ttrss_prefs.pref_name AND
@ -299,7 +299,7 @@
new Ajax.Request('backend.php', {
parameters: dojo.objectToQuery(this.getValues()),
onComplete: function(transport) {
onComplete: function(transport) {
var msg = transport.responseText;
if (msg.match('PREFS_THEME_CHANGED')) {
window.location.reload();
@ -313,14 +313,14 @@
$lnum = 0;
$active_section = "";
while ($line = db_fetch_assoc($result)) {
if (in_array($line["pref_name"], $prefs_blacklist)) {
continue;
}
if ($_SESSION["profile"] && in_array($line["pref_name"],
if ($_SESSION["profile"] && in_array($line["pref_name"],
$profile_blacklist)) {
continue;
}
@ -333,8 +333,8 @@
print "<table width=\"100%\" class=\"prefPrefsList\">";
$active_section = $line["section_name"];
$active_section = $line["section_name"];
print "<tr><td colspan=\"3\"><h3>".__($active_section)."</h3></td></tr>";
if ($line["section_id"] == 2) {
@ -345,7 +345,7 @@
print "<td><select name=\"_THEME_ID\" dojoType=\"dijit.form.Select\">";
print "<option value='Default'>".__('Default')."</option>";
print "<option value='----------------' disabled=\"1\">--------</option>";
print "<option value='----------------' disabled=\"1\">--------</option>";
foreach ($themes as $t) {
$base = $t['base'];
@ -360,7 +360,7 @@
print "<option $selected value='$base'>$name</option>";
}
print "</select></td></tr>";
}
@ -383,7 +383,7 @@
print "<td width=\"40%\" class=\"prefName\" id=\"$pref_name\">" . __($line["short_desc"]);
if ($help_text) print "<div class=\"prefHelp\">".__($help_text)."</div>";
print "</td>";
print "<td class=\"prefValue\">";
@ -402,14 +402,14 @@
$limits = array(15, 30, 45, 60);
print_select($pref_name, $value, $limits,
print_select($pref_name, $value, $limits,
'dojoType="dijit.form.Select"');
} else if ($pref_name == "DEFAULT_UPDATE_INTERVAL") {
global $update_intervals_nodefault;
print_select_hash($pref_name, $value, $update_intervals_nodefault,
print_select_hash($pref_name, $value, $update_intervals_nodefault,
'dojoType="dijit.form.Select"');
} else if ($type_name == "bool") {
@ -432,6 +432,20 @@
required=\"1\" $regexp
name=\"$pref_name\" value=\"$value\">";
} else if ($pref_name == "SSL_CERT_SERIAL") {
print "<input dojoType=\"dijit.form.ValidationTextBox\"
id=\"SSL_CERT_SERIAL\"
name=\"$pref_name\" value=\"$value\">";
$cert_serial = htmlspecialchars($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]);
if ($cert_serial) {
print " <button dojoType=\"dijit.form.Button\"
onclick=\"insertSSLserial('$cert_serial')\">" .
__('Fill automatically') . "</button>";
}
} else {
$regexp = ($type_name == 'integer') ? 'regexp="^\d*$"' : '';

8
prefs.js
View File

@ -1693,3 +1693,11 @@ function customizeCSS() {
exception_error("customizeCSS", e);
}
}
function insertSSLserial(value) {
try {
dijit.byId("SSL_CERT_SERIAL").attr('value', value);
} catch (e) {
exception_error("insertSSLcerial", e);
}
}

2
sanity_check.php
View File

@ -2,7 +2,7 @@
require_once "functions.php";
define('EXPECTED_CONFIG_VERSION', 21);
define('SCHEMA_VERSION', 81);
define('SCHEMA_VERSION', 82);
if (!file_exists("config.php")) {
print "<b>Fatal Error</b>: You forgot to copy

4
schema/ttrss_schema_mysql.sql
View File

@ -258,7 +258,7 @@ create table ttrss_tags (id integer primary key auto_increment,
create table ttrss_version (schema_version int not null) TYPE=InnoDB DEFAULT CHARSET=UTF8;
insert into ttrss_version values (81);
insert into ttrss_version values (82);
create table ttrss_enclosures (id integer primary key auto_increment,
content_url text not null,
@ -391,6 +391,8 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1);
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
create table ttrss_user_prefs (
owner_uid integer not null,
pref_name varchar(250),

4
schema/ttrss_schema_pgsql.sql
View File

@ -229,7 +229,7 @@ create index ttrss_tags_post_int_id_idx on ttrss_tags(post_int_id);
create table ttrss_version (schema_version int not null);
insert into ttrss_version values (81);
insert into ttrss_version values (82);
create table ttrss_enclosures (id serial not null primary key,
content_url text not null,
@ -355,6 +355,8 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1);
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
create table ttrss_user_prefs (
owner_uid integer not null references ttrss_users(id) ON DELETE CASCADE,
pref_name varchar(250) not null references ttrss_prefs(pref_name) ON DELETE CASCADE,

7
schema/versions/mysql/82.sql Normal file
View File

@ -0,0 +1,7 @@
begin;
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
update ttrss_version set schema_version = 82;
commit;

7
schema/versions/pgsql/82.sql Normal file
View File

@ -0,0 +1,7 @@
begin;
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
update ttrss_version set schema_version = 82;
commit;

59
sessions.php
View File

@ -7,28 +7,33 @@
$session_expire = SESSION_EXPIRE_TIME; //seconds
$session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
if ($_SERVER['HTTPS'] == "on") {
$session_name .= "_ssl";
ini_set("session.cookie_secure", true);
}
ini_set("session.gc_probability", 50);
ini_set("session.name", $session_name);
ini_set("session.use_only_cookies", true);
ini_set("session.gc_maxlifetime", SESSION_EXPIRE_TIME);
function ttrss_open ($s, $n) {
global $session_connection;
$session_connection = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
return true;
}
function ttrss_read ($id){
global $session_connection,$session_read;
global $session_connection,$session_read;
$query = "SELECT data FROM ttrss_sessions WHERE id='$id'";
$res = db_query($session_connection, $query);
if (db_num_rows($res) != 1) {
return "";
} else {
@ -39,61 +44,61 @@
}
function ttrss_write ($id, $data) {
if (! $data) {
return false;
if (! $data) {
return false;
}
global $session_connection, $session_read, $session_expire;
$expire = time() + $session_expire;
$data = db_escape_string(base64_encode($data), $session_connection);
if ($session_read) {
$query = "UPDATE ttrss_sessions SET data='$data',
expire='$expire' WHERE id='$id'";
$query = "UPDATE ttrss_sessions SET data='$data',
expire='$expire' WHERE id='$id'";
} else {
$query = "INSERT INTO ttrss_sessions (id, data, expire)
VALUES ('$id', '$data', '$expire')";
}
db_query($session_connection, $query);
return true;
}
function ttrss_close () {
global $session_connection;
db_close($session_connection);
return true;
}
function ttrss_destroy ($id) {
global $session_connection;
$query = "DELETE FROM ttrss_sessions WHERE id = '$id'";
db_query($session_connection, $query);
return true;
}
function ttrss_gc ($expire) {
global $session_connection;
$query = "DELETE FROM ttrss_sessions WHERE expire < " . time();
db_query($session_connection, $query);
}
if (DATABASE_BACKED_SESSIONS) {
session_set_save_handler("ttrss_open",
"ttrss_close", "ttrss_read", "ttrss_write",
session_set_save_handler("ttrss_open",
"ttrss_close", "ttrss_read", "ttrss_write",
"ttrss_destroy", "ttrss_gc");
}