use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324)
This commit is contained in:
parent
f98252f27c
commit
3d72afa19a
|
@ -128,13 +128,9 @@
|
|||
// Limits the amount of feeds daemon (or a cronjob) updates on one run
|
||||
|
||||
define('ALLOW_REMOTE_USER_AUTH', false);
|
||||
// Set to 'true' if you trust your web server's REMOTE_USER or
|
||||
// REDIRECT_SSL_CLIENT_S_DN_CN environment variables to validate
|
||||
// that the user is logged in. This option can be used to integrate
|
||||
// tt-rss with Apache's external authentication modules or SSL
|
||||
// client certificate authentication.
|
||||
// Please note that REMOTE_USER takes precedence over SSL certificate
|
||||
// information.
|
||||
// Set to 'true' if you trust your web server's REMOTE_USER
|
||||
// environment variable that the user is logged in. This option can be
|
||||
// used to integrate tt-rss with Apache's external authentication modules.
|
||||
|
||||
define('AUTO_LOGIN', false);
|
||||
// Set this to true if you use ALLOW_REMOTE_USER_AUTH and you want
|
||||
|
|
|
@ -1757,11 +1757,29 @@
|
|||
return true;
|
||||
}
|
||||
|
||||
function get_remote_user() {
|
||||
$remote_user = $_SERVER["REMOTE_USER"];
|
||||
function get_login_by_ssl_certificate($link) {
|
||||
|
||||
if (!$remote_user)
|
||||
$remote_user = $_SERVER["REDIRECT_SSL_CLIENT_S_DN_CN"];
|
||||
$cert_serial = db_escape_string($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]);
|
||||
|
||||
if ($cert_serial) {
|
||||
$result = db_query($link, "SELECT login FROM ttrss_user_prefs, ttrss_users
|
||||
WHERE pref_name = 'SSL_CERT_SERIAL' AND value = '$cert_serial' AND
|
||||
owner_uid = ttrss_users.id");
|
||||
|
||||
if (db_num_rows($result) != 0) {
|
||||
return db_escape_string(db_fetch_result($result, 0, "login"));
|
||||
}
|
||||
}
|
||||
|
||||
return "";
|
||||
}
|
||||
|
||||
function get_remote_user() {
|
||||
$remote_user = "";
|
||||
|
||||
if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH) {
|
||||
$remote_user = $_SERVER["REMOTE_USER"];
|
||||
}
|
||||
|
||||
return db_escape_string($remote_user);
|
||||
}
|
||||
|
@ -1781,10 +1799,14 @@
|
|||
$pwd_hash2 = encrypt_password($password, $login);
|
||||
$login = db_escape_string($login);
|
||||
|
||||
if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
|
||||
&& get_remote_user() && $login != "admin") {
|
||||
$remote_user = get_remote_user();
|
||||
|
||||
$login = db_escape_string(get_remote_user());
|
||||
if (!$remote_user)
|
||||
$remote_user = get_login_by_ssl_certificate($link);
|
||||
|
||||
if ($remote_user && $login != "admin") {
|
||||
|
||||
$login = $remote_user;
|
||||
|
||||
$query = "SELECT id,login,access_level,pwd_hash
|
||||
FROM ttrss_users WHERE
|
||||
|
@ -1974,8 +1996,12 @@
|
|||
}
|
||||
|
||||
if (!$_SESSION["uid"] || !validate_session($link)) {
|
||||
if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
|
||||
&& get_remote_user() && defined('AUTO_LOGIN') && AUTO_LOGIN) {
|
||||
$cert_login = get_login_by_ssl_certificate($link);
|
||||
|
||||
if ($cert_login) {
|
||||
authenticate_user($link, $cert_login, null);
|
||||
$_SESSION["ref_schema_version"] = get_schema_version($link, true);
|
||||
} else if (get_remote_user() && AUTO_LOGIN) {
|
||||
authenticate_user($link, get_remote_user(), null);
|
||||
$_SESSION["ref_schema_version"] = get_schema_version($link, true);
|
||||
} else {
|
||||
|
|
|
@ -432,6 +432,20 @@
|
|||
required=\"1\" $regexp
|
||||
name=\"$pref_name\" value=\"$value\">";
|
||||
|
||||
} else if ($pref_name == "SSL_CERT_SERIAL") {
|
||||
|
||||
print "<input dojoType=\"dijit.form.ValidationTextBox\"
|
||||
id=\"SSL_CERT_SERIAL\"
|
||||
name=\"$pref_name\" value=\"$value\">";
|
||||
|
||||
$cert_serial = htmlspecialchars($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]);
|
||||
|
||||
if ($cert_serial) {
|
||||
print " <button dojoType=\"dijit.form.Button\"
|
||||
onclick=\"insertSSLserial('$cert_serial')\">" .
|
||||
__('Fill automatically') . "</button>";
|
||||
}
|
||||
|
||||
} else {
|
||||
$regexp = ($type_name == 'integer') ? 'regexp="^\d*$"' : '';
|
||||
|
||||
|
|
8
prefs.js
8
prefs.js
|
@ -1693,3 +1693,11 @@ function customizeCSS() {
|
|||
exception_error("customizeCSS", e);
|
||||
}
|
||||
}
|
||||
|
||||
function insertSSLserial(value) {
|
||||
try {
|
||||
dijit.byId("SSL_CERT_SERIAL").attr('value', value);
|
||||
} catch (e) {
|
||||
exception_error("insertSSLcerial", e);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
require_once "functions.php";
|
||||
|
||||
define('EXPECTED_CONFIG_VERSION', 21);
|
||||
define('SCHEMA_VERSION', 81);
|
||||
define('SCHEMA_VERSION', 82);
|
||||
|
||||
if (!file_exists("config.php")) {
|
||||
print "<b>Fatal Error</b>: You forgot to copy
|
||||
|
|
|
@ -258,7 +258,7 @@ create table ttrss_tags (id integer primary key auto_increment,
|
|||
|
||||
create table ttrss_version (schema_version int not null) TYPE=InnoDB DEFAULT CHARSET=UTF8;
|
||||
|
||||
insert into ttrss_version values (81);
|
||||
insert into ttrss_version values (82);
|
||||
|
||||
create table ttrss_enclosures (id integer primary key auto_increment,
|
||||
content_url text not null,
|
||||
|
@ -391,6 +391,8 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_
|
|||
|
||||
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1);
|
||||
|
||||
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
|
||||
|
||||
create table ttrss_user_prefs (
|
||||
owner_uid integer not null,
|
||||
pref_name varchar(250),
|
||||
|
|
|
@ -229,7 +229,7 @@ create index ttrss_tags_post_int_id_idx on ttrss_tags(post_int_id);
|
|||
|
||||
create table ttrss_version (schema_version int not null);
|
||||
|
||||
insert into ttrss_version values (81);
|
||||
insert into ttrss_version values (82);
|
||||
|
||||
create table ttrss_enclosures (id serial not null primary key,
|
||||
content_url text not null,
|
||||
|
@ -355,6 +355,8 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_
|
|||
|
||||
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1);
|
||||
|
||||
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
|
||||
|
||||
create table ttrss_user_prefs (
|
||||
owner_uid integer not null references ttrss_users(id) ON DELETE CASCADE,
|
||||
pref_name varchar(250) not null references ttrss_prefs(pref_name) ON DELETE CASCADE,
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
begin;
|
||||
|
||||
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
|
||||
|
||||
update ttrss_version set schema_version = 82;
|
||||
|
||||
commit;
|
|
@ -0,0 +1,7 @@
|
|||
begin;
|
||||
|
||||
insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
|
||||
|
||||
update ttrss_version set schema_version = 82;
|
||||
|
||||
commit;
|
|
@ -7,6 +7,11 @@
|
|||
$session_expire = SESSION_EXPIRE_TIME; //seconds
|
||||
$session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
|
||||
|
||||
if ($_SERVER['HTTPS'] == "on") {
|
||||
$session_name .= "_ssl";
|
||||
ini_set("session.cookie_secure", true);
|
||||
}
|
||||
|
||||
ini_set("session.gc_probability", 50);
|
||||
ini_set("session.name", $session_name);
|
||||
ini_set("session.use_only_cookies", true);
|
||||
|
|
Loading…
Reference in New Issue