modules/openid.php

   1 <?php
   2 /***************************************************************************
   3  *  Copyright (C) 2003-2008 Polytechnique.org                              *
   4  *  http://opensource.polytechnique.org/                                   *
   5  *                                                                         *
   6  *  This program is free software; you can redistribute it and/or modify   *
   7  *  it under the terms of the GNU General Public License as published by   *
   8  *  the Free Software Foundation; either version 2 of the License, or      *
   9  *  (at your option) any later version.                                    *
  10  *                                                                         *
  11  *  This program is distributed in the hope that it will be useful,        *
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
  14  *  GNU General Public License for more details.                           *
  15  *                                                                         *
  16  *  You should have received a copy of the GNU General Public License      *
  17  *  along with this program; if not, write to the Free Software            *
  18  *  Foundation, Inc.,                                                      *
  19  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
  20  ***************************************************************************/
  21
  22
  23 /* Definitions for the OpenId Specification
  24  * http://openid.net/specs/openid-authentication-2_0.html
  25  *
  26  * OP Endpoint URL:             https://www.polytechnique.org/openid
  27  * OP Identifier:               https://www.polytechnique.org/openid
  28  * User-Supplied Identifier:    https://www.polytechnique.org/openid/{$hruid}
  29  *    Identity selection is not supported by this implementation
  30  * OP-Local Identifier:         {$hruid}
  31  */
  32
  33 /* Testing suite is here:
  34  * http://openidenabled.com/resources/openid-test/
  35  */
  36
  37 /* **checkid_immediate is not supported (yet)**, which means that we will
  38  * always ask for confirmation before redirecting to a third-party.
  39  * A sensible way to implement it would be to add a "Always trust this site"
  40  * checkbox to the form, and to store trusted websites per user. This still
  41  * raises the question of removing websites from that list.
  42  * Another possibility is to maintain a global whitelist.
  43  */
  44
  45 class OpenidModule extends PLModule
  46 {
  47     function handlers()
  48     {
  49         return array(
  50             'openid'            => $this->make_hook('openid', AUTH_PUBLIC),
  51             'openid/trust'      => $this->make_hook('trust', AUTH_COOKIE),
  52             'openid/idp_xrds'   => $this->make_hook('idp_xrds', AUTH_PUBLIC),
  53             'openid/user_xrds'  => $this->make_hook('user_xrds', AUTH_PUBLIC),
  54 //            'openid/melix'      => $this->make_hook('melix', AUTH_PUBLIC),
  55         );
  56     }
  57
  58     function handler_openid(&$page, $x = null)
  59     {
  60         $this->load('openid.inc.php');
  61         $user = get_user($x);
  62
  63         // Spec §4.1.2: if "openid.mode" is absent, whe SHOULD assume that
  64         // the request is not an OpenId message
  65         // Thus, we try to render the discovery page
  66         if (!array_key_exists('openid_mode', $_REQUEST)) {
  67             return $this->render_discovery_page($page, $user);
  68         }
  69
  70         // Create a server and decode the request
  71         $server = init_openid_server();
  72         $request = $server->decodeRequest();
  73
  74         // This request requires user interaction
  75         if (in_array($request->mode,
  76                      array('checkid_immediate', 'checkid_setup'))) {
  77
  78             // Each user has only one identity to choose from
  79             // So we can make automatically the identity selection
  80             if ($request->idSelect()) {
  81                 $request->identity = get_user_openid_url($user);
  82             }
  83
  84             // If we still don't have an identifier (used or desired), give up
  85             if (!$request->identity) {
  86                 $this->render_no_identifier_page($page, $request);
  87                 return;
  88             }
  89
  90             // We always require confirmation before sending information
  91             // to third-party websites
  92             if ($request->immediate) {
  93                 $response =& $request->answer(false);
  94             } else {
  95                 // Save request in session and jump to confirmation page
  96                 S::set('openid_request', serialize($request));
  97                 pl_redirect('openid/trust');
  98                 return;
  99             }
 100
 101         // Other requests can be automatically handled by the server
 102         } else {
 103             $response =& $server->handleRequest($request);
 104         }
 105
 106         // Render response
 107         $webresponse =& $server->encodeResponse($response);
 108         $this->render_openid_response($webresponse);
 109     }
 110
 111     function handler_trust(&$page, $x = null)
 112     {
 113         $this->load('openid.inc.php');
 114
 115         // Recover request in session
 116         $request = S::v('openid_request');
 117         if (is_null($request)) {
 118             // There is no authentication information, something went wrong
 119             pl_redirect('/');
 120             return;
 121         } else {
 122             // Unserialize the request
 123             require_once 'Auth/OpenID/Server.php';
 124             $request = unserialize($request);
 125         }
 126
 127         $server = init_openid_server();
 128         $user = S::user();
 129
 130         // Check that the identity matches the user currently logged in
 131         if ($request->identity != get_user_openid_url($user)) {
 132             $response =& $request->answer(false);
 133             $webresponse =& $server->encodeResponse($response);
 134             $this->render_openid_response($webresponse);
 135             return;
 136         }
 137
 138         // Prepare Simple Registration response fields
 139         require_once 'Auth/OpenID/SReg.php';
 140         $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
 141         $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, get_sreg_data($user));
 142
 143
 144         // Ask the user for confirmation
 145         if ($_SERVER['REQUEST_METHOD'] != 'POST') {
 146             $page->changeTpl('openid/trust.tpl');
 147             $page->assign('relying_party', $request->trust_root);
 148             $page->assign_by_ref('sreg_data', $sreg_response->data);
 149             return;
 150         }
 151
 152         // At this point $_SERVER['REQUEST_METHOD'] == 'POST'
 153         // Answer to the Relying Party based on the user's choice
 154         if (isset($_POST['trust'])) {
 155             S::kill('openid_request');
 156             $response =& $request->answer(true, null, $request->identity);
 157
 158             // Add the simple registration response values to the OpenID
 159             // response message.
 160             $sreg_response->toMessage($response->fields);
 161
 162         } else { // !isset($_POST['trust'])
 163             S::kill('openid_request');
 164             $response =& $request->answer(false);
 165         }
 166
 167         // Generate a response to send to the user agent.
 168         $webresponse =& $server->encodeResponse($response);
 169         $this->render_openid_response($webresponse);
 170     }
 171
 172     function handler_idp_xrds(&$page)
 173     {
 174         // Load constants
 175         $this->load('openid.inc.php');
 176
 177         // Set XRDS content-type and template
 178         header('Content-type: application/xrds+xml');
 179         $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
 180
 181         // Set variables
 182         $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
 183         $page->assign('type', Auth_OpenID_TYPE_2_0_IDP);
 184         $page->assign('uri', get_openid_url());
 185     }
 186
 187     function handler_user_xrds(&$page, $x = null)
 188     {
 189         // Load constants
 190         $this->load('openid.inc.php');
 191
 192         // Set XRDS content-type and template
 193         header('Content-type: application/xrds+xml');
 194         $page->changeTpl('openid/user_xrds.tpl', NO_SKIN);
 195
 196         // Set variables
 197         $page->assign('type1', Auth_OpenID_TYPE_2_0);
 198         $page->assign('type2', Auth_OpenID_TYPE_1_1);
 199         $page->assign('uri', get_openid_url());
 200     }
 201
 202     function handler_melix(&$page, $x = null)
 203     {
 204         $this->load('openid.inc.php');
 205         $user = get_user_by_alias($x);
 206
 207         // This will redirect to the canonic URL, which was not used
 208         // if this hook was triggered
 209         return render_discovery_page(&$page, $user);
 210     }
 211
 212     //--------------------------------------------------------------------//
 213
 214     function render_discovery_page(&$page, $user)
 215     {
 216
 217         // Show the documentation if this is not the OpenId page of an user
 218         if (is_null($user)) {
 219             pl_redirect('Xorg/OpenId');
 220         }
 221
 222         // Redirect to the canonic URL if we are using an alias
 223         // There might be a risk of redirection loop here
 224         // if $_SERVER was not exactly what we expect
 225         $current_url = 'http' . (empty($_SERVER['HTTPS']) ? '' : 's') . '://'
 226                        . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
 227         $canonic_url = get_user_openid_url($user);
 228         if ($current_url != $canonic_url) {
 229             http_redirect($canonic_url);
 230         }
 231
 232         // Include X-XRDS-Location response-header for Yadis discovery
 233         header('X-XRDS-Location: ' . get_user_xrds_url($user));
 234
 235         // Select template
 236         $page->changeTpl('openid/openid.tpl');
 237
 238         // Sets the title of the html page.
 239         $page->setTitle($user->fullName());
 240
 241         // Sets the <link> tags for HTML-Based Discovery
 242         $page->addLink('openid.server openid2.provider', get_openid_url());
 243         $page->addLink('openid.delegate openid2.local_id', $user->hruid);
 244
 245         // Adds the global user property array to the display.
 246         $page->assign_by_ref('user', $user);
 247
 248         return;
 249     }
 250
 251     function render_no_identifier_page($page, $request)
 252     {
 253         // Select template
 254         $page->changeTpl('openid/no_identifier.tpl');
 255     }
 256
 257     function render_openid_response($webresponse)
 258     {
 259         // Send HTTP response code
 260         if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
 261             header(sprintf("HTTP/1.1 %d ", $webresponse->code),
 262                    true, $webresponse->code);
 263         }
 264
 265         // Send headers
 266         foreach ($webresponse->headers as $k => $v) {
 267             header("$k: $v");
 268         }
 269         header('Connection: close');
 270
 271         // Send body
 272         print $webresponse->body;
 273         exit;
 274     }
 275 }
 276
 277 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
 278 ?>