[platal.git] / modules / openid.php

<?php
/***************************************************************************
 *  Copyright (C) 2003-2008 Polytechnique.org                              *
 *  http://opensource.polytechnique.org/                                   *
 *                                                                         *
 *  This program is free software; you can redistribute it and/or modify   *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation; either version 2 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  This program is distributed in the hope that it will be useful,        *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with this program; if not, write to the Free Software            *
 *  Foundation, Inc.,                                                      *
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
 ***************************************************************************/


/* Definitions for the OpenId Specification
 * http://openid.net/specs/openid-authentication-2_0.html
 * 
 * OP Endpoint URL:             https://www.polytechnique.org/openid
 * OP Identifier:               https://www.polytechnique.org/openid
 * User-Supplied Identifier:    https://www.polytechnique.org/openid/{$hruid}
 *    Identity selection is not supported by this implementation
 * OP-Local Identifier:         {$hruid}
 */

/* Testing suite is here:
 * http://openidenabled.com/resources/openid-test/
 */

/* **checkid_immediate is not supported (yet)**, which means that we will
 * always ask for confirmation before redirecting to a third-party.
 * A sensible way to implement it would be to add a "Always trust this site"
 * checkbox to the form, and to store trusted websites per user. This still
 * raises the question of removing websites from that list.
 * Another possibility is to maintain a global whitelist.
 */

class OpenidModule extends PLModule
{
    function handlers()
    {
        return array(
            'openid'            => $this->make_hook('openid', AUTH_PUBLIC),
            'openid/trust'      => $this->make_hook('trust', AUTH_COOKIE),
            'openid/idp_xrds'   => $this->make_hook('idp_xrds', AUTH_PUBLIC),
            'openid/user_xrds'  => $this->make_hook('user_xrds', AUTH_PUBLIC),
        );
    }

    function handler_openid(&$page, $x = null)
    {
        $this->load('openid.inc.php');
        $user = get_user($x);

        // Spec §4.1.2: if "openid.mode" is absent, whe SHOULD assume that
        // the request is not an OpenId message
        // Thus, we try to render the discovery page
        if (!array_key_exists('openid_mode', $_REQUEST)) {
            return $this->render_discovery_page($page, $user);
        }

        // Create a server and decode the request
        $server = init_openid_server();
        $request = $server->decodeRequest();

        // This request requires user interaction
        if (in_array($request->mode,
                     array('checkid_immediate', 'checkid_setup'))) {

            // Each user has only one identity to choose from
            // So we can make automatically the identity selection
            if ($request->idSelect()) {
                $request->identity = get_user_openid_url($user);
            }

            // If we still don't have an identifier (used or desired), give up
            if (!$request->identity) {
                $this->render_no_identifier_page($page, $request);
                return;
            }

            // We always require confirmation before sending information
            // to third-party websites
            if ($request->immediate) {
                $response =& $request->answer(false);
            } else {
                // Save request in session and jump to confirmation page
                S::set('request', serialize($request));
                pl_redirect('openid/trust');
                return;
            }

        // Other requests can be automatically handled by the server
        } else {
            $response =& $server->handleRequest($request);
        }

        // Render response
        $webresponse =& $server->encodeResponse($response);
        $this->render_openid_response($webresponse);
    }

    function handler_trust(&$page, $x = null)
    {
        $this->load('openid.inc.php');

        // Recover request in session
        $request = S::v('request');
        if (is_null($request)) {
            // There is no authentication information, something went wrong
            pl_redirect('/');
            return;
        } else {
            // Unserialize the request
            require_once 'Auth/OpenID/Server.php';
            $request = unserialize($request);
        }

        $server = init_openid_server();
        $user = S::user();

        // Check that the identity matches the user currently logged in
        if ($request->identity != get_user_openid_url($user)) {
            $response =& $request->answer(false);
            $webresponse =& $server->encodeResponse($response);
            $this->render_openid_response($webresponse);
            return;
        }

        // Ask the user for confirmation
        if ($_SERVER['REQUEST_METHOD'] != 'POST') {
            $page->changeTpl('openid/trust.tpl');
            $page->assign('relying_party', $request->trust_root);
            return;
        }

        // At this point $_SERVER['REQUEST_METHOD'] == 'POST'
        // Answer to the Relying Party based on the user's choice
        if (isset($_POST['trust'])) {
            unset($_SESSION['request']);
            $response =& $request->answer(true, null, $request->identity);

            // Answer with some sample Simple Registration data.
            // TODO USE REAL USER DATA FROM $user
            $sreg_data = array(
                               'fullname' => 'Example User',
                               'nickname' => 'example',
                               'dob' => '1970-01-01',
                               'email' => 'invalid@example.com',
                               'gender' => 'F',
                               'postcode' => '12345',
                               'country' => 'ES',
                               'language' => 'eu',
                               'timezone' => 'America/New_York');

            // Add the simple registration response values to the OpenID
            // response message.
            require_once 'Auth/OpenID/SReg.php';
            $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
            $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
            $sreg_response->toMessage($response->fields);

        } else { // !isset($_POST['trust'])
            unset($_SESSION['request']);
            $response =& $request->answer(false);
        }

        // Generate a response to send to the user agent.
        $webresponse =& $server->encodeResponse($response);
        $this->render_openid_response($webresponse);
    }

    function handler_idp_xrds(&$page)
    {
        // Load constants
        $this->load('openid.inc.php');

        // Set XRDS content-type and template
        header('Content-type: application/xrds+xml');
        $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);

        // Set variables
        $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
        $page->assign('type', Auth_OpenID_TYPE_2_0_IDP);
        $page->assign('uri', get_openid_url());
    }

    function handler_user_xrds(&$page, $x = null)
    {
        // Load constants
        $this->load('openid.inc.php');

        // Set XRDS content-type and template
        header('Content-type: application/xrds+xml');
        $page->changeTpl('openid/user_xrds.tpl', NO_SKIN);

        // Set variables
        $page->assign('type1', Auth_OpenID_TYPE_2_0);
        $page->assign('type2', Auth_OpenID_TYPE_1_1);
        $page->assign('uri', get_openid_url());
    }

    //--------------------------------------------------------------------//

    function render_discovery_page(&$page, $user)
    {

        // Show the documentation if this is not the OpenId page of an user
        if (is_null($user)) {
            pl_redirect('Xorg/OpenId');
        }

        // Include X-XRDS-Location response-header for Yadis discovery
        header('X-XRDS-Location: ' . get_user_xrds_url($user));

        // Select template
        $page->changeTpl('openid/openid.tpl');

        // Sets the title of the html page.
        $page->setTitle($user->fullName());

        // Sets the <link> tags for HTML-Based Discovery
        $page->addLink('openid.server openid2.provider', get_openid_url());
        $page->addLink('openid.delegate openid2.local_id', $user->hruid);

        // Adds the global user property array to the display.
        $page->assign_by_ref('user', $user);

        return;
    }

    function render_no_identifier_page($page, $request)
    {
        // Select template
        $page->changeTpl('openid/no_identifier.tpl');
    }

    function render_openid_response($webresponse)
    {
        // Send HTTP response code
        if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
            header(sprintf("HTTP/1.1 %d ", $webresponse->code),
                   true, $webresponse->code);
        }

        // Send headers
        foreach ($webresponse->headers as $k => $v) {
            header("$k: $v");
        }
        header('Connection: close');

        // Send body
        print $webresponse->body;
        exit;
    }
}

// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
?>
Commit	Line	Data
24cfa984 AA	1	<?php
	2	/***************************************************************************
	3	* Copyright (C) 2003-2008 Polytechnique.org *
	4	* http://opensource.polytechnique.org/ *
	5	* *
	6	* This program is free software; you can redistribute it and/or modify *
	7	* it under the terms of the GNU General Public License as published by *
	8	* the Free Software Foundation; either version 2 of the License, or *
	9	* (at your option) any later version. *
	10	* *
	11	* This program is distributed in the hope that it will be useful, *
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
	14	* GNU General Public License for more details. *
	15	* *
	16	* You should have received a copy of the GNU General Public License *
	17	* along with this program; if not, write to the Free Software *
	18	* Foundation, Inc., *
	19	* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
	20	***************************************************************************/
	21
a1af4a99 AA	22
	23	/* Definitions for the OpenId Specification
	24	* http://openid.net/specs/openid-authentication-2_0.html
	25	*
	26	* OP Endpoint URL: https://www.polytechnique.org/openid
	27	* OP Identifier: https://www.polytechnique.org/openid
	28	* User-Supplied Identifier: https://www.polytechnique.org/openid/{$hruid}
	29	* Identity selection is not supported by this implementation
	30	* OP-Local Identifier: {$hruid}
	31	*/
	32
33536353 AA	33	/* Testing suite is here:
	34	* http://openidenabled.com/resources/openid-test/
	35	*/
	36
	37	/* checkid_immediate is not supported (yet), which means that we will
	38	* always ask for confirmation before redirecting to a third-party.
	39	* A sensible way to implement it would be to add a "Always trust this site"
	40	* checkbox to the form, and to store trusted websites per user. This still
	41	* raises the question of removing websites from that list.
	42	* Another possibility is to maintain a global whitelist.
	43	*/
	44
24cfa984 AA	45	class OpenidModule extends PLModule
	46	{
	47	function handlers()
	48	{
	49	return array(
a1af4a99 AA	50	'openid' => $this->make_hook('openid', AUTH_PUBLIC),
a1af4a99 AA	51	'openid/trust' => $this->make_hook('trust', AUTH_COOKIE),
b69727b4 AA	52	'openid/idp_xrds' => $this->make_hook('idp_xrds', AUTH_PUBLIC),
b69727b4 AA	53	'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC),
24cfa984 AA	54	);
	55	}
	56
	57	function handler_openid(&$page, $x = null)
	58	{
a1af4a99 AA	59	$this->load('openid.inc.php');
a1af4a99 AA	60	$user = get_user($x);
b69727b4	61
33536353 AA	62	// Spec §4.1.2: if "openid.mode" is absent, whe SHOULD assume that
	63	// the request is not an OpenId message
	64	// Thus, we try to render the discovery page
	65	if (!array_key_exists('openid_mode', $_REQUEST)) {
a1af4a99	66	return $this->render_discovery_page($page, $user);
24cfa984 AA	67	}
24cfa984 AA	68
a1af4a99 AA	69	// Create a server and decode the request
	70	$server = init_openid_server();
	71	$request = $server->decodeRequest();
	72
33536353	73	// This request requires user interaction
a1af4a99 AA	74	if (in_array($request->mode,
	75	array('checkid_immediate', 'checkid_setup'))) {
	76
	77	// Each user has only one identity to choose from
	78	// So we can make automatically the identity selection
	79	if ($request->idSelect()) {
	80	$request->identity = get_user_openid_url($user);
	81	}
	82
	83	// If we still don't have an identifier (used or desired), give up
	84	if (!$request->identity) {
	85	$this->render_no_identifier_page($page, $request);
	86	return;
	87	}
	88
	89	// We always require confirmation before sending information
	90	// to third-party websites
	91	if ($request->immediate) {
33536353	92	$response =& $request->answer(false);
a1af4a99 AA	93	} else {
	94	// Save request in session and jump to confirmation page
	95	S::set('request', serialize($request));
	96	pl_redirect('openid/trust');
	97	return;
	98	}
	99
33536353 AA	100	// Other requests can be automatically handled by the server
33536353 AA	101	} else {
a1af4a99	102	$response =& $server->handleRequest($request);
24cfa984 AA	103	}
24cfa984 AA	104
a1af4a99 AA	105	// Render response
a1af4a99 AA	106	$webresponse =& $server->encodeResponse($response);
33536353	107	$this->render_openid_response($webresponse);
a1af4a99	108	}
b69727b4	109
a1af4a99 AA	110	function handler_trust(&$page, $x = null)
	111	{
	112	$this->load('openid.inc.php');
24cfa984	113
a1af4a99 AA	114	// Recover request in session
	115	$request = S::v('request');
	116	if (is_null($request)) {
	117	// There is no authentication information, something went wrong
	118	pl_redirect('/');
	119	return;
	120	} else {
	121	// Unserialize the request
33536353	122	require_once 'Auth/OpenID/Server.php';
a1af4a99 AA	123	$request = unserialize($request);
a1af4a99 AA	124	}
24cfa984	125
a1af4a99 AA	126	$server = init_openid_server();
a1af4a99 AA	127	$user = S::user();
24cfa984	128
a1af4a99 AA	129	// Check that the identity matches the user currently logged in
	130	if ($request->identity != get_user_openid_url($user)) {
	131	$response =& $request->answer(false);
	132	$webresponse =& $server->encodeResponse($response);
	133	$this->render_openid_response($webresponse);
	134	return;
	135	}
	136
33536353	137	// Ask the user for confirmation
a1af4a99 AA	138	if ($_SERVER['REQUEST_METHOD'] != 'POST') {
	139	$page->changeTpl('openid/trust.tpl');
	140	$page->assign('relying_party', $request->trust_root);
	141	return;
	142	}
	143
33536353 AA	144	// At this point $_SERVER['REQUEST_METHOD'] == 'POST'
	145	// Answer to the Relying Party based on the user's choice
	146	if (isset($_POST['trust'])) {
a1af4a99 AA	147	unset($_SESSION['request']);
	148	$response =& $request->answer(true, null, $request->identity);
	149
	150	// Answer with some sample Simple Registration data.
33536353	151	// TODO USE REAL USER DATA FROM $user
a1af4a99 AA	152	$sreg_data = array(
	153	'fullname' => 'Example User',
	154	'nickname' => 'example',
	155	'dob' => '1970-01-01',
	156	'email' => 'invalid@example.com',
	157	'gender' => 'F',
	158	'postcode' => '12345',
	159	'country' => 'ES',
	160	'language' => 'eu',
	161	'timezone' => 'America/New_York');
	162
	163	// Add the simple registration response values to the OpenID
	164	// response message.
	165	require_once 'Auth/OpenID/SReg.php';
	166	$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
	167	$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
	168	$sreg_response->toMessage($response->fields);
	169
33536353 AA	170	} else { // !isset($_POST['trust'])
	171	unset($_SESSION['request']);
	172	$response =& $request->answer(false);
a1af4a99	173	}
33536353 AA	174
	175	// Generate a response to send to the user agent.
	176	$webresponse =& $server->encodeResponse($response);
	177	$this->render_openid_response($webresponse);
b69727b4 AA	178	}
	179
	180	function handler_idp_xrds(&$page)
	181	{
b69727b4	182	// Load constants
a1af4a99	183	$this->load('openid.inc.php');
b69727b4 AA	184
	185	// Set XRDS content-type and template
	186	header('Content-type: application/xrds+xml');
	187	$page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
	188
	189	// Set variables
	190	$page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
	191	$page->assign('type', Auth_OpenID_TYPE_2_0_IDP);
a1af4a99	192	$page->assign('uri', get_openid_url());
b69727b4 AA	193	}
	194
	195	function handler_user_xrds(&$page, $x = null)
	196	{
b69727b4	197	// Load constants
a1af4a99	198	$this->load('openid.inc.php');
24cfa984	199
b69727b4 AA	200	// Set XRDS content-type and template
	201	header('Content-type: application/xrds+xml');
	202	$page->changeTpl('openid/user_xrds.tpl', NO_SKIN);
24cfa984	203
b69727b4 AA	204	// Set variables
	205	$page->assign('type1', Auth_OpenID_TYPE_2_0);
	206	$page->assign('type2', Auth_OpenID_TYPE_1_1);
a1af4a99	207	$page->assign('uri', get_openid_url());
24cfa984 AA	208	}
24cfa984 AA	209
a1af4a99 AA	210	//--------------------------------------------------------------------//
	211
	212	function render_discovery_page(&$page, $user)
	213	{
	214
33536353	215	// Show the documentation if this is not the OpenId page of an user
a1af4a99	216	if (is_null($user)) {
33536353	217	pl_redirect('Xorg/OpenId');
a1af4a99 AA	218	}
	219
	220	// Include X-XRDS-Location response-header for Yadis discovery
	221	header('X-XRDS-Location: ' . get_user_xrds_url($user));
	222
	223	// Select template
	224	$page->changeTpl('openid/openid.tpl');
	225
	226	// Sets the title of the html page.
	227	$page->setTitle($user->fullName());
	228
	229	// Sets the <link> tags for HTML-Based Discovery
	230	$page->addLink('openid.server openid2.provider', get_openid_url());
	231	$page->addLink('openid.delegate openid2.local_id', $user->hruid);
	232
	233	// Adds the global user property array to the display.
	234	$page->assign_by_ref('user', $user);
	235
	236	return;
	237	}
	238
	239	function render_no_identifier_page($page, $request)
	240	{
33536353	241	// Select template
a1af4a99 AA	242	$page->changeTpl('openid/no_identifier.tpl');
	243	}
	244
33536353	245	function render_openid_response($webresponse)
a1af4a99	246	{
33536353	247	// Send HTTP response code
a1af4a99 AA	248	if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
	249	header(sprintf("HTTP/1.1 %d ", $webresponse->code),
	250	true, $webresponse->code);
	251	}
	252
33536353	253	// Send headers
a1af4a99 AA	254	foreach ($webresponse->headers as $k => $v) {
	255	header("$k: $v");
	256	}
33536353	257	header('Connection: close');
a1af4a99	258
33536353	259	// Send body
a1af4a99 AA	260	print $webresponse->body;
	261	exit;
	262	}
24cfa984 AA	263	}
	264
	265	// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
	266	?>