1 | <?php |
2 | /*************************************************************************** | |
3 | * Copyright (C) 2003-2008 Polytechnique.org * | |
4 | * http://opensource.polytechnique.org/ * | |
5 | * * | |
6 | * This program is free software; you can redistribute it and/or modify * | |
7 | * it under the terms of the GNU General Public License as published by * | |
8 | * the Free Software Foundation; either version 2 of the License, or * | |
9 | * (at your option) any later version. * | |
10 | * * | |
11 | * This program is distributed in the hope that it will be useful, * | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * | |
14 | * GNU General Public License for more details. * | |
15 | * * | |
16 | * You should have received a copy of the GNU General Public License * | |
17 | * along with this program; if not, write to the Free Software * | |
18 | * Foundation, Inc., * | |
19 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * | |
20 | ***************************************************************************/ | |
21 | ||
22 | |
23 | /* Definitions for the OpenId Specification | |
24 | * http://openid.net/specs/openid-authentication-2_0.html | |
25 | * | |
26 | * OP Endpoint URL: https://www.polytechnique.org/openid | |
27 | * OP Identifier: https://www.polytechnique.org/openid | |
28 | * User-Supplied Identifier: https://www.polytechnique.org/openid/{$hruid} | |
29 |  * Identity selection (choosing among several identifiers) is not supported: | |
30 | * OP-Local Identifier: {$hruid} | |
31 | */ | |
32 | ||
33 | /* Testing suite is here: |
34 | * http://openidenabled.com/resources/openid-test/ | |
35 | */ | |
36 | ||
37 | /* **checkid_immediate is not supported (yet)**, which means that we will | |
38 | * always ask for confirmation before redirecting to a third-party. | |
39 | * A sensible way to implement it would be to add a "Always trust this site" | |
40 | * checkbox to the form, and to store trusted websites per user. This still | |
41 | * raises the question of removing websites from that list. | |
42 | * Another possibility is to maintain a global whitelist. | |
43 | */ | |
44 | ||
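class OpenidModule extends PLModule
{
    /**
     * Registers the URL hooks served by this module.
     *
     * 'openid' and 'openid/user_xrds' are public because Relying Parties
     * perform discovery and association without a session; 'openid/trust'
     * requires a logged-in user (AUTH_COOKIE) because it is where the user
     * confirms the release of his identity to a third party.
     */
    function handlers()
    {
        return array(
            'openid'           => $this->make_hook('openid', AUTH_PUBLIC),
            'openid/trust'     => $this->make_hook('trust', AUTH_COOKIE),
            'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC),
            'openid/melix'     => $this->make_hook('melix', AUTH_PUBLIC),
        );
    }

    /**
     * OP endpoint: serves the discovery page when no OpenID message is
     * present, otherwise decodes and answers the OpenID request.
     *
     * @param $page  the page being rendered (by reference)
     * @param $x     optional hruid taken from the URL (openid/{$hruid})
     */
    function handler_openid(&$page, $x = null)
    {
        $this->load('openid.inc.php');
        $user = get_user($x);

        // Spec §4.1.2: if "openid.mode" is absent, we SHOULD assume that the
        // request is not an OpenID message, so we serve the discovery page.
        if (!array_key_exists('openid_mode', $_REQUEST)) {
            return $this->render_discovery_page($page, $user);
        }

        // Create a server and decode the request.
        $server  = init_openid_server();
        $request = $server->decodeRequest();
        // NOTE(review): a decoding failure is not checked before
        // $request->mode is read below — confirm what decodeRequest()
        // returns on a malformed message and add a guard if needed.

        $interactive_modes = array('checkid_immediate', 'checkid_setup');
        if (in_array($request->mode, $interactive_modes, true)) {
            // checkid_* requests need user interaction.

            // Each user has a single identity, so an identifier_select
            // request is resolved automatically to that identity.
            if ($request->idSelect()) {
                $request->identity = get_user_openid_url($user);
            }

            // Without an identifier (claimed or desired) there is nothing
            // to assert.
            if (!$request->identity) {
                $this->render_no_identifier_page($page, $request);
                return;
            }

            if ($request->immediate) {
                // checkid_immediate is not supported: we always require an
                // explicit confirmation, so an immediate request is refused.
                $response = $request->answer(false);
            } else {
                // Park the request in the session and send the user to the
                // confirmation page. The session is server-side storage, so
                // the serialized object is not handed to the user agent.
                S::set('openid_request', serialize($request));
                pl_redirect('openid/trust');
                return;
            }
        } else {
            // Every other mode (associate, check_authentication, ...) is
            // handled by the library without user interaction.
            $response = $server->handleRequest($request);
        }

        $webresponse = $server->encodeResponse($response);
        $this->render_openid_response($webresponse);
    }

    /**
     * Confirmation page: shows the Relying Party and the data about to be
     * released (GET), then answers the parked request according to the
     * user's choice (POST).
     *
     * @param $page  the page being rendered (by reference)
     * @param $x     unused
     */
    function handler_trust(&$page, $x = null)
    {
        $this->load('openid.inc.php');

        // Recover the request parked in the session by handler_openid().
        $serialized = S::v('openid_request');
        if (is_null($serialized)) {
            // No pending authentication request: nothing to confirm.
            pl_redirect('/');
            return;
        }
        // The request class must be loaded before unserialize() so that the
        // object is rebuilt with its methods. The payload comes from the
        // server-side session and is written by handler_openid() only, so
        // this is not unserialize() of user-controlled input.
        require_once 'Auth/OpenID/Server.php';
        $request = unserialize($serialized);

        $server = init_openid_server();
        $user   = S::user();

        // The identity being asserted must be the one of the logged-in user;
        // otherwise refuse (e.g. the session user changed since the request).
        if ($request->identity !== get_user_openid_url($user)) {
            $response    = $request->answer(false);
            $webresponse = $server->encodeResponse($response);
            $this->render_openid_response($webresponse);
            return;
        }

        // Prepare Simple Registration response fields.
        require_once 'Auth/OpenID/SReg.php';
        $sreg_request  = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
        $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, get_sreg_data($user));

        // GET: show the confirmation form (trust root and data to be released).
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
            $page->changeTpl('openid/trust.tpl');
            $page->assign('relying_party', $request->trust_root);
            $page->assign_by_ref('sreg_data', $sreg_response->data);
            return;
        }

        // POST: answer according to the user's choice. The pending request is
        // removed from the session either way, so a later POST finds nothing
        // to confirm.
        // NOTE(review): no anti-CSRF token is verified here; unless the
        // framework checks one on every POST, a cross-site form submission
        // could confirm the release of the identity to a Relying Party the
        // attacker controls — confirm and add a check.
        S::kill('openid_request');
        if (isset($_POST['trust'])) {
            $response = $request->answer(true, null, $request->identity);
            // Add the Simple Registration values to the positive assertion.
            $sreg_response->toMessage($response->fields);
        } else {
            $response = $request->answer(false);
        }

        $webresponse = $server->encodeResponse($response);
        $this->render_openid_response($webresponse);
    }

    /**
     * Serves the XRDS document used for Yadis discovery of a user.
     *
     * @param $page  the page being rendered (by reference)
     * @param $x     unused
     */
    function handler_user_xrds(&$page, $x = null)
    {
        // Load constants (Auth_OpenID_TYPE_*).
        $this->load('openid.inc.php');

        header('Content-type: application/xrds+xml');
        $page->changeTpl('openid/user_xrds.tpl', NO_SKIN);

        $page->assign('type1', Auth_OpenID_TYPE_2_0);
        $page->assign('type2', Auth_OpenID_TYPE_1_1);
        $page->assign('uri', get_openid_url());
    }

    /**
     * Discovery entry point reached through a user alias.
     *
     * @param $page  the page being rendered (by reference)
     * @param $x     the alias taken from the URL
     */
    function handler_melix(&$page, $x = null)
    {
        $this->load('openid.inc.php');
        $user = get_user_by_alias($x);

        // render_discovery_page() redirects to the canonical URL, which by
        // construction was not the one used to reach this hook.
        // $page is declared by reference in render_discovery_page(); the
        // former call-time "&" is a fatal error on PHP >= 5.4.
        return $this->render_discovery_page($page, $user);
    }

    //--------------------------------------------------------------------//

    /**
     * Renders the OpenID page of a user, with the Yadis and HTML-based
     * discovery hints pointing at this OP.
     *
     * @param $page  the page being rendered (by reference)
     * @param $user  the user, or null when the URL does not name one
     */
    function render_discovery_page(&$page, $user)
    {
        // Not the OpenID page of a user: show the documentation instead.
        // Returning right after the redirect avoids dereferencing a null
        // $user below should the redirect helper not terminate the script.
        if (is_null($user)) {
            pl_redirect('Xorg/OpenId');
            return;
        }

        // Redirect to the canonical URL when an alias was used.
        // Some servers set "HTTPS" to the non-empty string "off" on plain
        // HTTP; the former empty() test then produced an https URL that never
        // matched the canonical one, looping on the redirect.
        $https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
        // NOTE(review): SERVER_NAME may follow the client's Host header on
        // some configurations; a mismatch only results in a redirect to the
        // canonical URL, but confirm the server uses a canonical name.
        $current_url = 'http' . ($https ? 's' : '') . '://'
                     . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
        $canonic_url = get_user_openid_url($user);
        if ($current_url !== $canonic_url) {
            http_redirect($canonic_url);
            return;
        }

        // X-XRDS-Location response header for Yadis discovery.
        header('X-XRDS-Location: ' . get_user_xrds_url($user));

        $page->changeTpl('openid/openid.tpl');
        $page->setTitle($user->fullName());

        // <link> tags for HTML-based discovery: the OP endpoint and the
        // OP-Local Identifier (the hruid).
        $page->addLink('openid.server openid2.provider', get_openid_url());
        $page->addLink('openid.delegate openid2.local_id', $user->hruid);

        // Expose the user to the template.
        $page->assign_by_ref('user', $user);

        return;
    }

    /**
     * Renders the error page shown when a checkid_* request carries no
     * identifier and none could be selected.
     *
     * @param $page     the page being rendered
     * @param $request  the OpenID request (unused by the template selection)
     */
    function render_no_identifier_page($page, $request)
    {
        $page->changeTpl('openid/no_identifier.tpl');
    }

    /**
     * Sends an encoded OpenID web response (status, headers, body) and
     * terminates the script.
     *
     * @param $webresponse  the response produced by the server's encoder
     */
    function render_openid_response($webresponse)
    {
        // Non-OK status codes are sent explicitly.
        if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
            header(sprintf("HTTP/1.1 %d ", $webresponse->code),
                   true, $webresponse->code);
        }

        // Library-provided headers. Their values originate from the protocol
        // message; header() refuses a value containing a newline, so a
        // crafted value cannot inject additional headers.
        foreach ($webresponse->headers as $name => $value) {
            header("$name: $value");
        }
        header('Connection: close');

        print $webresponse->body;
        exit;
    }
}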
260 | ||
261 | // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8: | |
2d8779e2 | 262 | ?> |