<?php
/***************************************************************************
 *  Copyright (C) 2003-2008 Polytechnique.org                              *
 *  http://opensource.polytechnique.org/                                   *
 *                                                                         *
 *  This program is free software; you can redistribute it and/or modify   *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation; either version 2 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  This program is distributed in the hope that it will be useful,        *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with this program; if not, write to the Free Software            *
 *  Foundation, Inc.,                                                      *
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
 ***************************************************************************/


/* Definitions for the OpenId Specification
 * http://openid.net/specs/openid-authentication-2_0.html
 *
 * OP Endpoint URL: https://www.polytechnique.org/openid
 * OP Identifier: https://www.polytechnique.org/openid
 * User-Supplied Identifier: https://www.polytechnique.org/openid/{$hruid}
 * Identity selection is not supported by this implementation
 * OP-Local Identifier: {$hruid}
 */

/* Testing suite is here:
 * http://openidenabled.com/resources/openid-test/
 */

/* **checkid_immediate is not supported (yet)**, which means that we will
 * always ask for confirmation before redirecting to a third-party.
 * A sensible way to implement it would be to add an "Always trust this site"
 * checkbox to the form, and to store trusted websites per user. This still
 * raises the question of removing websites from that list.
 * Another possibility is to maintain a global whitelist.
 */

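class OpenidModule extends PLModule
{
    /**
     * Maps URL paths to handler methods and the authentication level each
     * requires.  Only 'openid/trust' requires a logged-in user; the
     * discovery and XRDS endpoints are public by design.
     */
    public function handlers()
    {
        return array(
            'openid'           => $this->make_hook('openid', AUTH_PUBLIC),
            'openid/trust'     => $this->make_hook('trust', AUTH_COOKIE),
            'openid/idp_xrds'  => $this->make_hook('idp_xrds', AUTH_PUBLIC),
            'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC),
        );
    }

    /**
     * OP endpoint.  Renders the discovery page when the request is not an
     * OpenID message, otherwise decodes the message and either answers it
     * directly or defers to the confirmation page ('openid/trust').
     *
     * @param PlatalPage $page  page object (by reference)
     * @param string|null $x    optional user identifier taken from the URL
     */
    public function handler_openid(&$page, $x = null)
    {
        $this->load('openid.inc.php');
        $user = get_user($x);

        // Spec §4.1.2: if "openid.mode" is absent, we SHOULD assume that
        // the request is not an OpenId message.
        // Thus, we try to render the discovery page.
        if (!array_key_exists('openid_mode', $_REQUEST)) {
            return $this->render_discovery_page($page, $user);
        }

        // Create a server and decode the request
        $server = init_openid_server();
        $request = $server->decodeRequest();
        // NOTE(review): for a malformed message the library may hand back an
        // error object rather than a request; how the branches below cope
        // with that is not verified here -- confirm against the library.

        // This request requires user interaction
        if (in_array($request->mode,
                     array('checkid_immediate', 'checkid_setup'), true)) {

            // Each user has only one identity to choose from,
            // so we can automatically make the identity selection.
            // NOTE(review): $user may be null when no identifier was given
            // in the URL; what get_user_openid_url() returns then is not
            // visible here -- confirm.
            if ($request->idSelect()) {
                $request->identity = get_user_openid_url($user);
            }

            // If we still don't have an identifier (used or desired), give up
            if (!$request->identity) {
                $this->render_no_identifier_page($page, $request);
                return;
            }

            // We always require confirmation before sending information
            // to third-party websites, so an immediate request is refused.
            if ($request->immediate) {
                $response =& $request->answer(false);
            } else {
                // Save request in session and jump to confirmation page.
                // The serialized value is only ever read back by
                // handler_trust(), which re-checks the identity.
                S::set('request', serialize($request));
                pl_redirect('openid/trust');
                return;
            }

        // Other requests (associate, check_authentication, ...) can be
        // handled by the server without user interaction
        } else {
            $response =& $server->handleRequest($request);
        }

        // Render response
        $webresponse =& $server->encodeResponse($response);
        $this->render_openid_response($webresponse);
    }

    /**
     * Confirmation page for checkid_setup requests saved in session by
     * handler_openid().  GET displays the form; POST answers the Relying
     * Party positively only if the 'trust' field was submitted.
     *
     * @param PlatalPage $page  page object (by reference)
     * @param string|null $x    unused
     */
    public function handler_trust(&$page, $x = null)
    {
        $this->load('openid.inc.php');

        // Recover the request saved in session by handler_openid()
        $saved = S::v('request');
        if (is_null($saved)) {
            // There is no pending authentication request, something went wrong
            pl_redirect('/');
            return;
        }

        // The request class must be loaded before unserialize() can rebuild
        // the object.  The value is server-side session data written by this
        // module, not client-supplied input.
        require_once 'Auth/OpenID/Server.php';
        $request = unserialize($saved);

        $server = init_openid_server();
        $user = S::user();

        // Authorization check: the pending request must concern the identity
        // of the user currently logged in, otherwise it is refused.
        if ($request->identity !== get_user_openid_url($user)) {
            $response =& $request->answer(false);
            $webresponse =& $server->encodeResponse($response);
            $this->render_openid_response($webresponse);
            return;
        }

        // Ask the user for confirmation
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
            $page->changeTpl('openid/trust.tpl');
            $page->assign('relying_party', $request->trust_root);
            return;
        }

        // At this point the request is a POST: answer the Relying Party
        // based on the user's choice.  The pending request is consumed in
        // either case so it cannot be replayed.
        // NOTE(review): no anti-CSRF token check is visible in this handler;
        // confirm the framework enforces one for POST requests on AUTH_COOKIE
        // hooks, otherwise a third-party page could submit this confirmation
        // form on the user's behalf.
        unset($_SESSION['request']);
        if (isset($_POST['trust'])) {
            $response =& $request->answer(true, null, $request->identity);

            // Answer with some sample Simple Registration data.
            // TODO: use real user data from $user; until then these
            // placeholder values are what the Relying Party receives.
            $sreg_data = array(
                'fullname' => 'Example User',
                'nickname' => 'example',
                'dob' => '1970-01-01',
                'email' => 'invalid@example.com',
                'gender' => 'F',
                'postcode' => '12345',
                'country' => 'ES',
                'language' => 'eu',
                'timezone' => 'America/New_York');

            // Add the simple registration response values to the OpenID
            // response message.
            require_once 'Auth/OpenID/SReg.php';
            $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
            $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
            $sreg_response->toMessage($response->fields);
        } else {
            // The user declined
            $response =& $request->answer(false);
        }

        // Generate a response to send to the user agent.
        $webresponse =& $server->encodeResponse($response);
        $this->render_openid_response($webresponse);
    }

    /**
     * XRDS document describing this OP (Yadis discovery of the provider).
     *
     * @param PlatalPage $page  page object (by reference)
     */
    public function handler_idp_xrds(&$page)
    {
        // Load constants
        $this->load('openid.inc.php');

        // Set XRDS content-type and template
        header('Content-type: application/xrds+xml');
        $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);

        // Set variables
        $page->assign('type', Auth_OpenID_TYPE_2_0_IDP);
        $page->assign('uri', get_openid_url());
    }

    /**
     * XRDS document for a user identifier (Yadis discovery of a claimed id).
     *
     * @param PlatalPage $page  page object (by reference)
     * @param string|null $x    user identifier taken from the URL (unused here)
     */
    public function handler_user_xrds(&$page, $x = null)
    {
        // Load constants
        $this->load('openid.inc.php');

        // Set XRDS content-type and template
        header('Content-type: application/xrds+xml');
        $page->changeTpl('openid/user_xrds.tpl', NO_SKIN);

        // Set variables
        $page->assign('type1', Auth_OpenID_TYPE_2_0);
        $page->assign('type2', Auth_OpenID_TYPE_1_1);
        $page->assign('uri', get_openid_url());
    }

    //--------------------------------------------------------------------//

    /**
     * Renders the HTML discovery page of a user (with <link> tags and the
     * X-XRDS-Location header), or redirects to the documentation when no
     * user was given.
     *
     * @param PlatalPage $page  page object (by reference)
     * @param mixed $user       user object, or null
     */
    public function render_discovery_page(&$page, $user)
    {
        // Show the documentation if this is not the OpenId page of a user.
        // Return explicitly (as the other handlers do after pl_redirect())
        // so that a null $user is never dereferenced below.
        if (is_null($user)) {
            pl_redirect('Xorg/OpenId');
            return;
        }

        // Include X-XRDS-Location response-header for Yadis discovery
        header('X-XRDS-Location: ' . get_user_xrds_url($user));

        // Select template
        $page->changeTpl('openid/openid.tpl');

        // Sets the title of the html page.
        $page->setTitle($user->fullName());

        // Sets the <link> tags for HTML-Based Discovery
        $page->addLink('openid.server openid2.provider', get_openid_url());
        $page->addLink('openid.delegate openid2.local_id', $user->hruid);

        // Adds the global user property array to the display.
        $page->assign_by_ref('user', $user);
    }

    /**
     * Renders the page shown when a checkid request carries no identifier.
     *
     * @param PlatalPage $page  page object
     * @param mixed $request    the decoded OpenID request (currently unused)
     */
    public function render_no_identifier_page($page, $request)
    {
        // Select template
        $page->changeTpl('openid/no_identifier.tpl');
    }

    /**
     * Sends an OpenID web response (status code, headers built by the
     * library, body) to the user agent and terminates the script.
     *
     * @param mixed $webresponse  response object with code, headers and body
     */
    public function render_openid_response($webresponse)
    {
        // Send HTTP response code
        if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
            header(sprintf("HTTP/1.1 %d ", $webresponse->code),
                   true, $webresponse->code);
        }

        // Send headers (e.g. the Location of a redirect back to the RP)
        foreach ($webresponse->headers as $k => $v) {
            header("$k: $v");
        }
        header('Connection: close');

        // Send body
        print $webresponse->body;
        exit;
    }
}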

// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
?>