projects / platal.git / blob
? search:


d535d7920e1095ce025bc341716ae814e856c178
[platal.git] / modules / openid.php
1 <?php
2 /***************************************************************************
3 * Copyright (C) 2003-2008 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
5 * *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
10 * *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
15 * *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
18 * Foundation, Inc., *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
21
22
23 /* Definitions for the OpenId Specification
24 * http://openid.net/specs/openid-authentication-2_0.html
25 *
26 * OP Endpoint URL: https://www.polytechnique.org/openid
27 * OP Identifier: https://www.polytechnique.org/openid
28 * User Identifier: https://www.polytechnique.org/openid/{hruid}
29 * OP-Local Identifier: {hruid}
30 */
31
32 /* This implementation supports two modes:
33 * - entering the OP Identifier, which can simply be 'polytechnique.org'
34 * - entering the User Identifier, or some URL that resolves there
35 * In both cases, Yadis discovery is made possible through the X-XRDS-Location
36 * header.
37 *
38 * In the former case, Yadis discovery is performed on /, or where it redirects;
39 * see platal.php. It resolves to the XRDS for this OP, and User Identifier
40 * selection is performed after forcing the user to log in. This only works for
41 * version 2.0 of the OpenId protocol.
42 *
43 * In the latter cas, Yadis discovery is performed on /openid/{hruid}. It
44 * resolves ta a user-specific XRDS. This page also features HTML-based
45 * discovery. This works with any version of the protocol.
46 */
47
48 /* Testing suite is here:
49 * http://openidenabled.com/resources/openid-test/
50 * It only supports User Indentifiers.
51 *
52 * To test OP Identifiers, download the JanRain PHP library and use the
53 * consumer provided as an example (although it appears that a failure is
54 * mistakenly reported: 'Server denied check_authentication').
55 * Reading the source of the server can also help understanding the code below.
56 */
57
58 /* **checkid_immediate is not supported (yet)**, which means that we will
59 * always ask for confirmation before redirecting to a third-party.
60 * A sensible way to implement it would be to add a "Always trust this site"
61 * checkbox to the form, and to store trusted websites per user. This still
62 * raises the question of removing websites from that list.
63 * Another possibility is to maintain a global whitelist.
64 */
65
66 class OpenidModule extends PLModule
67 {
68 function handlers()
69 {
70 return array(
71 'openid' => $this->make_hook('openid', AUTH_PUBLIC),
72 'openid/trust' => $this->make_hook('trust', AUTH_COOKIE),
73 'openid/idp_xrds' => $this->make_hook('idp_xrds', AUTH_PUBLIC),
74 'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC),
75 'openid/melix' => $this->make_hook('melix', AUTH_PUBLIC),
76 );
77 }
78
79 function handler_openid(&$page, $x = null)
80 {
81 $this->load('openid.inc.php');
82
83 // Spec ยง4.1.2: if "openid.mode" is absent, whe SHOULD assume that
84 // the request is not an OpenId message
85 // Thus, we try to render the discovery page
86 if (!array_key_exists('openid_mode', $_REQUEST)) {
87 return $this->render_discovery_page($page, get_user($x));
88 }
89
90 // Create a server and decode the request
91 $server = init_openid_server();
92 $request = $server->decodeRequest();
93
94 // This request needs some logic and can not be automatically
95 // answered by the server
96 if (in_array($request->mode,
97 array('checkid_immediate', 'checkid_setup'))) {
98
99 // If the user identifier is not known by the RP yet
100 if ($request->idSelect()) {
101 if ($request->mode == 'checkid_immediate') {
102 // Deny authentication if we can't interact with the user
103 $response =& $request->answer(false);
104 } else {
105 // Otherwise save request in session and redirect
106 // to a page that requires authentication
107 S::set('openid_request', serialize($request));
108 pl_redirect('openid/trust');
109 return;
110 }
111
112 // If we still don't have an identifier (used or desired), give up
113 } else if (!$request->identity) {
114 $this->render_no_identifier_page($page, $request);
115 return;
116
117 // From now on we have an identifier
118 // We always require confirmation before sending information
119 // to third-party websites
120 // So for now we deny immediate requests
121 } else if ($request->immediate) {
122 $response =& $request->answer(false);
123
124 // The user may confirm the use of his OpenId
125 } else {
126 // Save request in session and jump to confirmation page
127 S::set('openid_request', serialize($request));
128 pl_redirect('openid/trust');
129 return;
130 }
131
132 // Other requests can be automatically handled by the server
133 } else {
134 $response =& $server->handleRequest($request);
135 }
136
137 // Render response
138 $webresponse =& $server->encodeResponse($response);
139 $this->render_openid_response($webresponse);
140 }
141
142 function handler_trust(&$page, $x = null)
143 {
144 $this->load('openid.inc.php');
145
146 // Recover request in session
147 $request = S::v('openid_request');
148 if (is_null($request)) {
149 // There is no authentication information, something went wrong
150 pl_redirect('/');
151 return;
152 }
153
154 // Unserialize the request
155 require_once 'Auth/OpenID/Server.php';
156 $request = unserialize($request);
157
158 $server = init_openid_server();
159 $user = S::user();
160 $identity = null;
161 $claimed_id = null;
162
163 // Set the identity to the user currently logged in
164 // if an OP Identifier was initially used
165 if ($request->identity == Auth_OpenID_IDENTIFIER_SELECT) {
166 $identity = $user->hruid;
167 $claimed_id = get_user_openid_url($user);
168 // Check that the identity matches the user currently logged in
169 // if an User Identifier was initially used
170 } else if ($request->identity != $user->hruid) {
171 $response =& $request->answer(false);
172 $webresponse =& $server->encodeResponse($response);
173 $this->render_openid_response($webresponse);
174 return;
175 }
176
177 // Prepare Simple Registration response fields
178 require_once 'Auth/OpenID/SReg.php';
179 $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
180 $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, get_sreg_data($user));
181
182
183 // Ask the user for confirmation
184 if ($_SERVER['REQUEST_METHOD'] != 'POST') {
185 $page->changeTpl('openid/trust.tpl');
186 $page->assign('relying_party', $request->trust_root);
187 $page->assign_by_ref('sreg_data', $sreg_response->data);
188 return;
189 }
190
191 // At this point $_SERVER['REQUEST_METHOD'] == 'POST'
192 // Answer to the Relying Party
193 if (isset($_POST['trust'])) {
194 S::kill('openid_request');
195 $response =& $request->answer(true, null, $identity, $claimed_id);
196
197 // Add the simple registration response values to the OpenID
198 // response message.
199 $sreg_response->toMessage($response->fields);
200
201 } else { // !isset($_POST['trust'])
202 S::kill('openid_request');
203 $response =& $request->answer(false);
204 }
205
206 // Generate a response to send to the user agent.
207 $webresponse =& $server->encodeResponse($response);
208 $this->render_openid_response($webresponse);
209 }
210
211 function handler_idp_xrds(&$page)
212 {
213 $this->load('openid.inc.php');
214
215 // Set XRDS content-type and template
216 header('Content-type: application/xrds+xml');
217 $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
218
219 // Set variables
220 $page->assign('type2', Auth_OpenID_TYPE_2_0_IDP);
221 $page->assign('sreg', Auth_OpenID_SREG_URI);
222 $page->assign('provider', get_openid_url());
223 }
224
225 function handler_user_xrds(&$page, $x = null)
226 {
227 $this->load('openid.inc.php');
228
229 // Make sure the user exists
230 $user = get_user($x);
231 if (is_null($user)) {
232 return PL_NOT_FOUND;
233 }
234
235 // Set XRDS content-type and template
236 header('Content-type: application/xrds+xml');
237 $page->changeTpl('openid/user_xrds.tpl', NO_SKIN);
238
239 // Set variables
240 $page->assign('type2', Auth_OpenID_TYPE_2_0);
241 $page->assign('type1', Auth_OpenID_TYPE_1_1);
242 $page->assign('sreg', Auth_OpenID_SREG_URI);
243 $page->assign('provider', get_openid_url());
244 $page->assign('local_id', $user->hruid);
245 }
246
247 function handler_melix(&$page, $x = null)
248 {
249 $this->load('openid.inc.php');
250 $user = get_user_by_alias($x);
251
252 // This will redirect to the canonic URL, which was not used
253 // if this hook was triggered
254 return $this->render_discovery_page(&$page, $user);
255 }
256
257 //--------------------------------------------------------------------//
258
259 function render_discovery_page(&$page, $user)
260 {
261
262 // Show the documentation if this is not the OpenId page of an user
263 if (is_null($user)) {
264 pl_redirect('Xorg/OpenId');
265 }
266
267 // Redirect to the canonic URL if we are using an alias
268 // There might be a risk of redirection loop here
269 // if $_SERVER was not exactly what we expect
270 $current_url = 'http' . (empty($_SERVER['HTTPS']) ? '' : 's') . '://'
271 . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
272 $canonic_url = get_user_openid_url($user);
273 if ($current_url != $canonic_url) {
274 http_redirect($canonic_url);
275 }
276
277 // Include X-XRDS-Location response-header for Yadis discovery
278 header('X-XRDS-Location: ' . get_user_xrds_url($user));
279
280 // Select template
281 $page->changeTpl('openid/openid.tpl');
282
283 // Sets the title of the html page.
284 $page->setTitle($user->fullName());
285
286 // Sets the <link> tags for HTML-Based Discovery
287 $page->addLink('openid.server openid2.provider', get_openid_url());
288 $page->addLink('openid.delegate openid2.local_id', $user->hruid);
289
290 // Adds the global user property array to the display.
291 $page->assign_by_ref('user', $user);
292
293 return;
294 }
295
296 function render_no_identifier_page($page, $request)
297 {
298 // Select template
299 $page->changeTpl('openid/no_identifier.tpl');
300 }
301
302 function render_openid_response($webresponse)
303 {
304 // Send HTTP response code
305 if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
306 header(sprintf("HTTP/1.1 %d ", $webresponse->code),
307 true, $webresponse->code);
308 }
309
310 // Send headers
311 foreach ($webresponse->headers as $k => $v) {
312 header("$k: $v");
313 }
314 header('Connection: close');
315
316 // Send body
317 print $webresponse->body;
318 exit;
319 }
320 }
321
322 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
323 ?>
plat/al