Permit certificate-based login.

4 files changed, 49 insertions, 28 deletions

diff --git a/resources/config.sexp.sample b/resources/config.sexp.sample
index bebb7d0..0e0d98a 100644
--- a/resources/config.sexp.sample
+++ b/resources/config.sexp.sample
@@ -6,7 +6,8 @@
                   :user "benki"
                   :password ""}
  :websocket-base "ws://localhost:3001"
- :base-uri       "http://localhost:3001"
+ :base-uri       "https://localhost:4333"
+ :cert-req-base  "https://localhost:4334"
  :tag-base       "example.com"
  :web-port       3001
  :mode           :production   ;or :dev
diff --git a/schema.sql b/schema.sql
index ab9abb8..96b53a3 100644
--- a/schema.sql
+++ b/schema.sql
@@ -22,15 +22,15 @@ CREATE TABLE openids(
 );
 
 CREATE TABLE rsa_keys(
-  modulus  VARCHAR   NOT NULL,
-  exponent VARCHAR   NOT NULL,
+  modulus  NUMERIC   NOT NULL,
+  exponent NUMERIC   NOT NULL,
   PRIMARY KEY(modulus, exponent)
 );
 
 CREATE TABLE user_rsa_keys(
   "user"   INTEGER   NOT NULL,
-  modulus  VARCHAR   NOT NULL,
-  exponent VARCHAR   NOT NULL,
+  modulus  NUMERIC   NOT NULL,
+  exponent NUMERIC   NOT NULL,
   PRIMARY KEY("user", modulus, exponent),
   FOREIGN KEY("user") REFERENCES users,
   FOREIGN KEY(modulus, exponent) REFERENCES rsa_keys
diff --git a/src/mulk/benki/auth.clj b/src/mulk/benki/auth.clj
index 815fad0..9cbe405 100644
--- a/src/mulk/benki/auth.clj
+++ b/src/mulk/benki/auth.clj
@@ -19,6 +19,12 @@
 (defonce manager (ConsumerManager.))
 
 
+
+(defn find-user [user-id]
+  (first (if user-id
+           (query "SELECT * FROM users WHERE id = ?" user-id)
+           nil)))
+
 (defn return-from-openid-provider []
   (let [parlist      (ParameterList. (:query-params (request/ring-request)))
         discovered   (session/get :discovered)
@@ -37,9 +43,7 @@
               user-id (if openid
                         (:user openid)
                         nil)
-              user    (first (if user-id
-                               (query "SELECT * FROM users WHERE id = ?" user-id)
-                               nil))]
+              user    (find-user user-id)]
           (if user-id
             (do (session/put! :user user-id)
                 (if-let [return-uri (session/flash-get)]
@@ -101,22 +105,38 @@
     )})
 
 (defpage "/login" []
-  (session/flash-put! (or (session/flash-get)
-                          (get-in (request/ring-request) [:headers "referer"])))
-  (layout login-page-layout "Benki Login"
-    [:div#browserid-box
-     [:h2 "BrowserID login"]
-     [:a#browserid {:href "#"}
-      [:img {:src (resolve-uri "/3rdparty/browserid/sign_in_orange.png")
-             :alt "Sign in using BrowserID"}]]]
-    [:div#openid-login-panel
-     [:h2 "OpenID login"]
-     [:form {:action (resolve-uri "/login/authenticate"),
-             :method "GET"
-             :id     "openid_form"}
-      [:div {:id "openid_choice"}
-       [:p "Please select your OpenID provider:"]
-       [:div {:id "openid_btns"}]]
-      [:div {:id "openid_input_area"}
-       [:input {:type "text", :name "openid_identifier", :id "openid_identifier"}]
-       [:input {:type "submit"}]]]]))
+  (let [return-uri (or (session/flash-get)
+                       (get-in (request/ring-request) [:headers "referer"]))]
+    (with-dbt
+      (if-let [cert-user-id (and *client-cert*
+                                 (:user
+                                  (query1 "SELECT \"user\" FROM user_rsa_keys
+                                            WHERE modulus = (?::NUMERIC)
+                                                  AND exponent = (?::NUMERIC)"
+                                          (str (:modulus *client-cert*))
+                                          (str (:exponent *client-cert*)))))]
+        (let [cert-user (find-user cert-user-id)]
+          (session/put! :user cert-user-id)
+          (if return-uri
+            (redirect return-uri)
+            (layout {} "Authenticated!" [:p "Welcome back, " (:first_name cert-user) "!"])))
+        (do
+          (session/flash-put! return-uri)
+          (layout login-page-layout "Benki Login"
+            [:div#browserid-box
+             [:h2 "BrowserID login"]
+             [:a#browserid {:href "#"}
+              [:img {:src (resolve-uri "/3rdparty/browserid/sign_in_orange.png")
+                     :alt "Sign in using BrowserID"}]]]
+            [:div#openid-login-panel
+             [:h2 "OpenID login"]
+             [:form {:action (resolve-uri "/login/authenticate"),
+                     :method "GET"
+                     :id     "openid_form"}
+              [:div {:id "openid_choice"}
+               [:p "Please select your OpenID provider:"]
+               [:div {:id "openid_btns"}]]
+              [:div {:id "openid_input_area"}
+               [:input {:type "text", :name "openid_identifier", :id "openid_identifier"}]
+               [:input {:type "submit"}]]]]))))))
+  
\ No newline at end of file
diff --git a/src/mulk/benki/util.clj b/src/mulk/benki/util.clj
index d3df4af..0bfe5e9 100644
--- a/src/mulk/benki/util.clj
+++ b/src/mulk/benki/util.clj
@@ -59,7 +59,7 @@
 
 (defn linkrel [& args]
   (match [(vec args)]
-    [[:login]]           (fmt nil "/login")
+    [[:login]]           (str (:cert-req-base @benki-config) "/login")
     [[:home]]            (fmt nil "/")
     [[:marx]]            (fmt nil "/marx")
     [[:marx :submit]]    (fmt nil "/marx/submit")