allow authentication using SSL client certificates (closes #324)

config.php-dist

@@ -128,10 +128,13 @@
 	// Limits the amount of feeds daemon (or a cronjob) updates on one run
 
 	define('ALLOW_REMOTE_USER_AUTH', false);
-   // Set to 'true' if you trust your web server's REMOTE_USER
+	// Set to 'true' if you trust your web server's REMOTE_USER or 
-	// environment variable to validate that the user is logged in. This
+	// REDIRECT_SSL_CLIENT_S_DN_CN environment variables to validate 
-	// option can be used to integrate tt-rss with Apache's external
+	// that the user is logged in. This option can be used to integrate 
-	// authentication modules.
+	// tt-rss with Apache's external authentication modules or SSL
+	// client certificate authentication.
+	// Please note that REMOTE_USER takes precedence over SSL certificate
+	// information.
 
 	define('AUTO_LOGIN', false);
 	// Set this to true if you use ALLOW_REMOTE_USER_AUTH and you want

functions.php

@@ -1757,6 +1757,22 @@
 		return true;
 	}
 
+	function get_remote_user() {
+		$remote_user = $_SERVER["REMOTE_USER"];
+
+		if (!$remote_user)
+			$remote_user = $_SERVER["REDIRECT_SSL_CLIENT_S_DN_CN"];
+
+		return db_escape_string($remote_user);
+	}
+
+	function get_remote_fakepass() {
+		if (get_remote_user())
+			return "******";
+		else
+			return "";
+	}
+
 	function authenticate_user($link, $login, $password, $force_auth = false) {
 
 		if (!SINGLE_USER_MODE) {
@@ -1766,9 +1782,9 @@
 			$login = db_escape_string($login);
 
 			if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
-					&& $_SERVER["REMOTE_USER"] && $login != "admin") {
+					&& get_remote_user() && $login != "admin") {
 
-				$login = db_escape_string($_SERVER["REMOTE_USER"]);
+				$login = db_escape_string(get_remote_user());
 
 				$query = "SELECT id,login,access_level,pwd_hash
 	            FROM ttrss_users WHERE
@@ -1959,8 +1975,8 @@
 
 			if (!$_SESSION["uid"] || !validate_session($link)) {
 				if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
-					&& $_SERVER["REMOTE_USER"] && defined('AUTO_LOGIN') && AUTO_LOGIN) {
+					&& get_remote_user() && defined('AUTO_LOGIN') && AUTO_LOGIN) {
-				    authenticate_user($link,$_SERVER['REMOTE_USER'],null);
+				    authenticate_user($link, get_remote_user(), null);
 				    $_SESSION["ref_schema_version"] = get_schema_version($link, true);
 				} else {
 				    render_login_form($link, $mobile);

login_form.php

@@ -131,11 +131,11 @@ function validateLoginForm(f) {
 			<tr><td align="right"><?php echo __("Login:") ?></td>
 			<td align="right"><input name="login"
 				onchange="fetchProfiles()" onfocus="fetchProfiles()"
-				value="<?php echo $_SERVER["REMOTE_USER"] ?>"></td></tr>
+				value="<?php echo get_remote_user() ?>"></td></tr>
 			<tr><td align="right"><?php echo __("Password:") ?></td>
 			<td align="right"><input type="password" name="password"
 				onchange="fetchProfiles()" onfocus="fetchProfiles()"
-				value="<?php echo $_SERVER["REMOTE_USER"] ?>"></td></tr>
+				value="<?php echo get_remote_fakepass() ?>"></td></tr>
 			<tr><td align="right"><?php echo __("Language:") ?></td>
 			<td align="right">
 			<?php