[platal.git] / modules / openid.php

<?php
/***************************************************************************
 *  Copyright (C) 2003-2008 Polytechnique.org                              *
 *  http://opensource.polytechnique.org/                                   *
 *                                                                         *
 *  This program is free software; you can redistribute it and/or modify   *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation; either version 2 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  This program is distributed in the hope that it will be useful,        *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with this program; if not, write to the Free Software            *
 *  Foundation, Inc.,                                                      *
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
 ***************************************************************************/


/* Definitions for the OpenId Specification
 * http://openid.net/specs/openid-authentication-2_0.html
 * 
 * OP Endpoint URL:             https://www.polytechnique.org/openid
 * OP Identifier:               https://www.polytechnique.org/openid
 * User-Supplied Identifier:    https://www.polytechnique.org/openid/{$hruid}
 *    Identity selection is not supported by this implementation
 * OP-Local Identifier:         {$hruid}
 */

/* Testing suite is here:
 * http://openidenabled.com/resources/openid-test/
 */

/* **checkid_immediate is not supported (yet)**, which means that we will
 * always ask for confirmation before redirecting to a third-party.
 * A sensible way to implement it would be to add a "Always trust this site"
 * checkbox to the form, and to store trusted websites per user. This still
 * raises the question of removing websites from that list.
 * Another possibility is to maintain a global whitelist.
 */

class OpenidModule extends PLModule
{
    function handlers()
    {
        return array(
            'openid'            => $this->make_hook('openid', AUTH_PUBLIC),
            'openid/trust'      => $this->make_hook('trust', AUTH_COOKIE),
            'openid/idp_xrds'   => $this->make_hook('idp_xrds', AUTH_PUBLIC),
            'openid/user_xrds'  => $this->make_hook('user_xrds', AUTH_PUBLIC),
        );
    }

    function handler_openid(&$page, $x = null)
    {
        $this->load('openid.inc.php');
        $user = get_user($x);

        // Spec §4.1.2: if "openid.mode" is absent, whe SHOULD assume that
        // the request is not an OpenId message
        // Thus, we try to render the discovery page
        if (!array_key_exists('openid_mode', $_REQUEST)) {
            return $this->render_discovery_page($page, $user);
        }

        // Create a server and decode the request
        $server = init_openid_server();
        $request = $server->decodeRequest();

        // This request requires user interaction
        if (in_array($request->mode,
                     array('checkid_immediate', 'checkid_setup'))) {

            // Each user has only one identity to choose from
            // So we can make automatically the identity selection
            if ($request->idSelect()) {
                $request->identity = get_user_openid_url($user);
            }

            // If we still don't have an identifier (used or desired), give up
            if (!$request->identity) {
                $this->render_no_identifier_page($page, $request);
                return;
            }

            // We always require confirmation before sending information
            // to third-party websites
            if ($request->immediate) {
                $response =& $request->answer(false);
            } else {
                // Save request in session and jump to confirmation page
                S::set('request', serialize($request));
                pl_redirect('openid/trust');
                return;
            }

        // Other requests can be automatically handled by the server
        } else {
            $response =& $server->handleRequest($request);
        }

        // Render response
        $webresponse =& $server->encodeResponse($response);
        $this->render_openid_response($webresponse);
    }

    function handler_trust(&$page, $x = null)
    {
        $this->load('openid.inc.php');

        // Recover request in session
        $request = S::v('request');
        if (is_null($request)) {
            // There is no authentication information, something went wrong
            pl_redirect('/');
            return;
        } else {
            // Unserialize the request
            require_once 'Auth/OpenID/Server.php';
            $request = unserialize($request);
        }

        $server = init_openid_server();
        $user = S::user();

        // Check that the identity matches the user currently logged in
        if ($request->identity != get_user_openid_url($user)) {
            $response =& $request->answer(false);
            $webresponse =& $server->encodeResponse($response);
            $this->render_openid_response($webresponse);
            return;
        }

        // Prepare Simple Registration response fields
        require_once 'Auth/OpenID/SReg.php';
        $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
        $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, get_sreg_data($user));


        // Ask the user for confirmation
        if ($_SERVER['REQUEST_METHOD'] != 'POST') {
            $page->changeTpl('openid/trust.tpl');
            $page->assign('relying_party', $request->trust_root);
            $page->assign_by_ref('sreg_data', $sreg_response->data);
            return;
        }

        // At this point $_SERVER['REQUEST_METHOD'] == 'POST'
        // Answer to the Relying Party based on the user's choice
        if (isset($_POST['trust'])) {
            unset($_SESSION['request']);
            $response =& $request->answer(true, null, $request->identity);

            // Add the simple registration response values to the OpenID
            // response message.
            $sreg_response->toMessage($response->fields);

        } else { // !isset($_POST['trust'])
            unset($_SESSION['request']);
            $response =& $request->answer(false);
        }

        // Generate a response to send to the user agent.
        $webresponse =& $server->encodeResponse($response);
        $this->render_openid_response($webresponse);
    }

    function handler_idp_xrds(&$page)
    {
        // Load constants
        $this->load('openid.inc.php');

        // Set XRDS content-type and template
        header('Content-type: application/xrds+xml');
        $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);

        // Set variables
        $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
        $page->assign('type', Auth_OpenID_TYPE_2_0_IDP);
        $page->assign('uri', get_openid_url());
    }

    function handler_user_xrds(&$page, $x = null)
    {
        // Load constants
        $this->load('openid.inc.php');

        // Set XRDS content-type and template
        header('Content-type: application/xrds+xml');
        $page->changeTpl('openid/user_xrds.tpl', NO_SKIN);

        // Set variables
        $page->assign('type1', Auth_OpenID_TYPE_2_0);
        $page->assign('type2', Auth_OpenID_TYPE_1_1);
        $page->assign('uri', get_openid_url());
    }

    //--------------------------------------------------------------------//

    function render_discovery_page(&$page, $user)
    {

        // Show the documentation if this is not the OpenId page of an user
        if (is_null($user)) {
            pl_redirect('Xorg/OpenId');
        }

        // Include X-XRDS-Location response-header for Yadis discovery
        header('X-XRDS-Location: ' . get_user_xrds_url($user));

        // Select template
        $page->changeTpl('openid/openid.tpl');

        // Sets the title of the html page.
        $page->setTitle($user->fullName());

        // Sets the <link> tags for HTML-Based Discovery
        $page->addLink('openid.server openid2.provider', get_openid_url());
        $page->addLink('openid.delegate openid2.local_id', $user->hruid);

        // Adds the global user property array to the display.
        $page->assign_by_ref('user', $user);

        return;
    }

    function render_no_identifier_page($page, $request)
    {
        // Select template
        $page->changeTpl('openid/no_identifier.tpl');
    }

    function render_openid_response($webresponse)
    {
        // Send HTTP response code
        if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
            header(sprintf("HTTP/1.1 %d ", $webresponse->code),
                   true, $webresponse->code);
        }

        // Send headers
        foreach ($webresponse->headers as $k => $v) {
            header("$k: $v");
        }
        header('Connection: close');

        // Send body
        print $webresponse->body;
        exit;
    }
}

// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
?>
Commit	Line	Data
24cfa984 AA	1	<?php
	2	/***************************************************************************
	3	* Copyright (C) 2003-2008 Polytechnique.org *
	4	* http://opensource.polytechnique.org/ *
	5	* *
	6	* This program is free software; you can redistribute it and/or modify *
	7	* it under the terms of the GNU General Public License as published by *
	8	* the Free Software Foundation; either version 2 of the License, or *
	9	* (at your option) any later version. *
	10	* *
	11	* This program is distributed in the hope that it will be useful, *
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
	14	* GNU General Public License for more details. *
	15	* *
	16	* You should have received a copy of the GNU General Public License *
	17	* along with this program; if not, write to the Free Software *
	18	* Foundation, Inc., *
	19	* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
	20	***************************************************************************/
	21
a1af4a99 AA	22
	23	/* Definitions for the OpenId Specification
	24	* http://openid.net/specs/openid-authentication-2_0.html
	25	*
	26	* OP Endpoint URL: https://www.polytechnique.org/openid
	27	* OP Identifier: https://www.polytechnique.org/openid
	28	* User-Supplied Identifier: https://www.polytechnique.org/openid/{$hruid}
	29	* Identity selection is not supported by this implementation
	30	* OP-Local Identifier: {$hruid}
	31	*/
	32
33536353 AA	33	/* Testing suite is here:
	34	* http://openidenabled.com/resources/openid-test/
	35	*/
	36
	37	/* checkid_immediate is not supported (yet), which means that we will
	38	* always ask for confirmation before redirecting to a third-party.
	39	* A sensible way to implement it would be to add a "Always trust this site"
	40	* checkbox to the form, and to store trusted websites per user. This still
	41	* raises the question of removing websites from that list.
	42	* Another possibility is to maintain a global whitelist.
	43	*/
	44
24cfa984 AA	45	class OpenidModule extends PLModule
	46	{
	47	function handlers()
	48	{
	49	return array(
a1af4a99 AA	50	'openid' => $this->make_hook('openid', AUTH_PUBLIC),
a1af4a99 AA	51	'openid/trust' => $this->make_hook('trust', AUTH_COOKIE),
b69727b4 AA	52	'openid/idp_xrds' => $this->make_hook('idp_xrds', AUTH_PUBLIC),
b69727b4 AA	53	'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC),
24cfa984 AA	54	);
	55	}
	56
	57	function handler_openid(&$page, $x = null)
	58	{
a1af4a99 AA	59	$this->load('openid.inc.php');
a1af4a99 AA	60	$user = get_user($x);
b69727b4	61
33536353 AA	62	// Spec §4.1.2: if "openid.mode" is absent, whe SHOULD assume that
	63	// the request is not an OpenId message
	64	// Thus, we try to render the discovery page
	65	if (!array_key_exists('openid_mode', $_REQUEST)) {
a1af4a99	66	return $this->render_discovery_page($page, $user);
24cfa984 AA	67	}
24cfa984 AA	68
a1af4a99 AA	69	// Create a server and decode the request
	70	$server = init_openid_server();
	71	$request = $server->decodeRequest();
	72
33536353	73	// This request requires user interaction
a1af4a99 AA	74	if (in_array($request->mode,
	75	array('checkid_immediate', 'checkid_setup'))) {
	76
	77	// Each user has only one identity to choose from
	78	// So we can make automatically the identity selection
	79	if ($request->idSelect()) {
	80	$request->identity = get_user_openid_url($user);
	81	}
	82
	83	// If we still don't have an identifier (used or desired), give up
	84	if (!$request->identity) {
	85	$this->render_no_identifier_page($page, $request);
	86	return;
	87	}
	88
	89	// We always require confirmation before sending information
	90	// to third-party websites
	91	if ($request->immediate) {
33536353	92	$response =& $request->answer(false);
a1af4a99 AA	93	} else {
	94	// Save request in session and jump to confirmation page
	95	S::set('request', serialize($request));
	96	pl_redirect('openid/trust');
	97	return;
	98	}
	99
33536353 AA	100	// Other requests can be automatically handled by the server
33536353 AA	101	} else {
a1af4a99	102	$response =& $server->handleRequest($request);
24cfa984 AA	103	}
24cfa984 AA	104
a1af4a99 AA	105	// Render response
a1af4a99 AA	106	$webresponse =& $server->encodeResponse($response);
33536353	107	$this->render_openid_response($webresponse);
a1af4a99	108	}
b69727b4	109
a1af4a99 AA	110	function handler_trust(&$page, $x = null)
	111	{
	112	$this->load('openid.inc.php');
24cfa984	113
a1af4a99 AA	114	// Recover request in session
	115	$request = S::v('request');
	116	if (is_null($request)) {
	117	// There is no authentication information, something went wrong
	118	pl_redirect('/');
	119	return;
	120	} else {
	121	// Unserialize the request
33536353	122	require_once 'Auth/OpenID/Server.php';
a1af4a99 AA	123	$request = unserialize($request);
a1af4a99 AA	124	}
24cfa984	125
a1af4a99 AA	126	$server = init_openid_server();
a1af4a99 AA	127	$user = S::user();
24cfa984	128
a1af4a99 AA	129	// Check that the identity matches the user currently logged in
	130	if ($request->identity != get_user_openid_url($user)) {
	131	$response =& $request->answer(false);
	132	$webresponse =& $server->encodeResponse($response);
	133	$this->render_openid_response($webresponse);
	134	return;
	135	}
	136
12d4424c AA	137	// Prepare Simple Registration response fields
	138	require_once 'Auth/OpenID/SReg.php';
	139	$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
	140	$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, get_sreg_data($user));
	141
	142
33536353	143	// Ask the user for confirmation
a1af4a99 AA	144	if ($_SERVER['REQUEST_METHOD'] != 'POST') {
	145	$page->changeTpl('openid/trust.tpl');
	146	$page->assign('relying_party', $request->trust_root);
12d4424c	147	$page->assign_by_ref('sreg_data', $sreg_response->data);
a1af4a99 AA	148	return;
	149	}
	150
33536353 AA	151	// At this point $_SERVER['REQUEST_METHOD'] == 'POST'
	152	// Answer to the Relying Party based on the user's choice
	153	if (isset($_POST['trust'])) {
a1af4a99 AA	154	unset($_SESSION['request']);
	155	$response =& $request->answer(true, null, $request->identity);
	156
a1af4a99 AA	157	// Add the simple registration response values to the OpenID
a1af4a99 AA	158	// response message.
a1af4a99 AA	159	$sreg_response->toMessage($response->fields);
a1af4a99 AA	160
33536353 AA	161	} else { // !isset($_POST['trust'])
	162	unset($_SESSION['request']);
	163	$response =& $request->answer(false);
a1af4a99	164	}
33536353 AA	165
	166	// Generate a response to send to the user agent.
	167	$webresponse =& $server->encodeResponse($response);
	168	$this->render_openid_response($webresponse);
b69727b4 AA	169	}
	170
	171	function handler_idp_xrds(&$page)
	172	{
b69727b4	173	// Load constants
a1af4a99	174	$this->load('openid.inc.php');
b69727b4 AA	175
	176	// Set XRDS content-type and template
	177	header('Content-type: application/xrds+xml');
	178	$page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
	179
	180	// Set variables
	181	$page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
	182	$page->assign('type', Auth_OpenID_TYPE_2_0_IDP);
a1af4a99	183	$page->assign('uri', get_openid_url());
b69727b4 AA	184	}
	185
	186	function handler_user_xrds(&$page, $x = null)
	187	{
b69727b4	188	// Load constants
a1af4a99	189	$this->load('openid.inc.php');
24cfa984	190
b69727b4 AA	191	// Set XRDS content-type and template
	192	header('Content-type: application/xrds+xml');
	193	$page->changeTpl('openid/user_xrds.tpl', NO_SKIN);
24cfa984	194
b69727b4 AA	195	// Set variables
	196	$page->assign('type1', Auth_OpenID_TYPE_2_0);
	197	$page->assign('type2', Auth_OpenID_TYPE_1_1);
a1af4a99	198	$page->assign('uri', get_openid_url());
24cfa984 AA	199	}
24cfa984 AA	200
a1af4a99 AA	201	//--------------------------------------------------------------------//
	202
	203	function render_discovery_page(&$page, $user)
	204	{
	205
33536353	206	// Show the documentation if this is not the OpenId page of an user
a1af4a99	207	if (is_null($user)) {
33536353	208	pl_redirect('Xorg/OpenId');
a1af4a99 AA	209	}
	210
	211	// Include X-XRDS-Location response-header for Yadis discovery
	212	header('X-XRDS-Location: ' . get_user_xrds_url($user));
	213
	214	// Select template
	215	$page->changeTpl('openid/openid.tpl');
	216
	217	// Sets the title of the html page.
	218	$page->setTitle($user->fullName());
	219
	220	// Sets the <link> tags for HTML-Based Discovery
	221	$page->addLink('openid.server openid2.provider', get_openid_url());
	222	$page->addLink('openid.delegate openid2.local_id', $user->hruid);
	223
	224	// Adds the global user property array to the display.
	225	$page->assign_by_ref('user', $user);
	226
	227	return;
	228	}
	229
	230	function render_no_identifier_page($page, $request)
	231	{
33536353	232	// Select template
a1af4a99 AA	233	$page->changeTpl('openid/no_identifier.tpl');
	234	}
	235
33536353	236	function render_openid_response($webresponse)
a1af4a99	237	{
33536353	238	// Send HTTP response code
a1af4a99 AA	239	if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
	240	header(sprintf("HTTP/1.1 %d ", $webresponse->code),
	241	true, $webresponse->code);
	242	}
	243
33536353	244	// Send headers
a1af4a99 AA	245	foreach ($webresponse->headers as $k => $v) {
	246	header("$k: $v");
	247	}
33536353	248	header('Connection: close');
a1af4a99	249
33536353	250	// Send body
a1af4a99 AA	251	print $webresponse->body;
	252	exit;
	253	}
24cfa984 AA	254	}
	255
	256	// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
	257	?>