Always redirect to the canonic URL before discovery can occur
[platal.git] / modules / openid.php
1 <?php
2 /***************************************************************************
3 * Copyright (C) 2003-2008 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
5 * *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
10 * *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
15 * *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
18 * Foundation, Inc., *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
21
22
23 /* Definitions for the OpenId Specification
24 * http://openid.net/specs/openid-authentication-2_0.html
25 *
26 * OP Endpoint URL: https://www.polytechnique.org/openid
27 * OP Identifier: https://www.polytechnique.org/openid
28 * User-Supplied Identifier: https://www.polytechnique.org/openid/{$hruid}
29 * Identity selection is not supported by this implementation
30 * OP-Local Identifier: {$hruid}
31 */
32
33 /* Testing suite is here:
34 * http://openidenabled.com/resources/openid-test/
35 */
36
37 /* **checkid_immediate is not supported (yet)**, which means that we will
38 * always ask for confirmation before redirecting to a third-party.
39 * A sensible way to implement it would be to add a "Always trust this site"
40 * checkbox to the form, and to store trusted websites per user. This still
41 * raises the question of removing websites from that list.
42 * Another possibility is to maintain a global whitelist.
43 */
44
45 class OpenidModule extends PLModule
46 {
47 function handlers()
48 {
49 return array(
50 'openid' => $this->make_hook('openid', AUTH_PUBLIC),
51 'openid/trust' => $this->make_hook('trust', AUTH_COOKIE),
52 'openid/idp_xrds' => $this->make_hook('idp_xrds', AUTH_PUBLIC),
53 'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC),
54 // 'openid/melix' => $this->make_hook('melix', AUTH_PUBLIC),
55 );
56 }
57
58 function handler_openid(&$page, $x = null)
59 {
60 $this->load('openid.inc.php');
61 $user = get_user($x);
62
63 // Spec ยง4.1.2: if "openid.mode" is absent, whe SHOULD assume that
64 // the request is not an OpenId message
65 // Thus, we try to render the discovery page
66 if (!array_key_exists('openid_mode', $_REQUEST)) {
67 return $this->render_discovery_page($page, $user);
68 }
69
70 // Create a server and decode the request
71 $server = init_openid_server();
72 $request = $server->decodeRequest();
73
74 // This request requires user interaction
75 if (in_array($request->mode,
76 array('checkid_immediate', 'checkid_setup'))) {
77
78 // Each user has only one identity to choose from
79 // So we can make automatically the identity selection
80 if ($request->idSelect()) {
81 $request->identity = get_user_openid_url($user);
82 }
83
84 // If we still don't have an identifier (used or desired), give up
85 if (!$request->identity) {
86 $this->render_no_identifier_page($page, $request);
87 return;
88 }
89
90 // We always require confirmation before sending information
91 // to third-party websites
92 if ($request->immediate) {
93 $response =& $request->answer(false);
94 } else {
95 // Save request in session and jump to confirmation page
96 S::set('openid_request', serialize($request));
97 pl_redirect('openid/trust');
98 return;
99 }
100
101 // Other requests can be automatically handled by the server
102 } else {
103 $response =& $server->handleRequest($request);
104 }
105
106 // Render response
107 $webresponse =& $server->encodeResponse($response);
108 $this->render_openid_response($webresponse);
109 }
110
111 function handler_trust(&$page, $x = null)
112 {
113 $this->load('openid.inc.php');
114
115 // Recover request in session
116 $request = S::v('openid_request');
117 if (is_null($request)) {
118 // There is no authentication information, something went wrong
119 pl_redirect('/');
120 return;
121 } else {
122 // Unserialize the request
123 require_once 'Auth/OpenID/Server.php';
124 $request = unserialize($request);
125 }
126
127 $server = init_openid_server();
128 $user = S::user();
129
130 // Check that the identity matches the user currently logged in
131 if ($request->identity != get_user_openid_url($user)) {
132 $response =& $request->answer(false);
133 $webresponse =& $server->encodeResponse($response);
134 $this->render_openid_response($webresponse);
135 return;
136 }
137
138 // Prepare Simple Registration response fields
139 require_once 'Auth/OpenID/SReg.php';
140 $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
141 $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, get_sreg_data($user));
142
143
144 // Ask the user for confirmation
145 if ($_SERVER['REQUEST_METHOD'] != 'POST') {
146 $page->changeTpl('openid/trust.tpl');
147 $page->assign('relying_party', $request->trust_root);
148 $page->assign_by_ref('sreg_data', $sreg_response->data);
149 return;
150 }
151
152 // At this point $_SERVER['REQUEST_METHOD'] == 'POST'
153 // Answer to the Relying Party based on the user's choice
154 if (isset($_POST['trust'])) {
155 S::kill('openid_request');
156 $response =& $request->answer(true, null, $request->identity);
157
158 // Add the simple registration response values to the OpenID
159 // response message.
160 $sreg_response->toMessage($response->fields);
161
162 } else { // !isset($_POST['trust'])
163 S::kill('openid_request');
164 $response =& $request->answer(false);
165 }
166
167 // Generate a response to send to the user agent.
168 $webresponse =& $server->encodeResponse($response);
169 $this->render_openid_response($webresponse);
170 }
171
172 function handler_idp_xrds(&$page)
173 {
174 // Load constants
175 $this->load('openid.inc.php');
176
177 // Set XRDS content-type and template
178 header('Content-type: application/xrds+xml');
179 $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
180
181 // Set variables
182 $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
183 $page->assign('type', Auth_OpenID_TYPE_2_0_IDP);
184 $page->assign('uri', get_openid_url());
185 }
186
187 function handler_user_xrds(&$page, $x = null)
188 {
189 // Load constants
190 $this->load('openid.inc.php');
191
192 // Set XRDS content-type and template
193 header('Content-type: application/xrds+xml');
194 $page->changeTpl('openid/user_xrds.tpl', NO_SKIN);
195
196 // Set variables
197 $page->assign('type1', Auth_OpenID_TYPE_2_0);
198 $page->assign('type2', Auth_OpenID_TYPE_1_1);
199 $page->assign('uri', get_openid_url());
200 }
201
202 function handler_melix(&$page, $x = null)
203 {
204 $this->load('openid.inc.php');
205 $user = get_user_by_alias($x);
206
207 // This will redirect to the canonic URL, which was not used
208 // if this hook was triggered
209 return render_discovery_page(&$page, $user);
210 }
211
212 //--------------------------------------------------------------------//
213
214 function render_discovery_page(&$page, $user)
215 {
216
217 // Show the documentation if this is not the OpenId page of an user
218 if (is_null($user)) {
219 pl_redirect('Xorg/OpenId');
220 }
221
222 // Redirect to the canonic URL if we are using an alias
223 // There might be a risk of redirection loop here
224 // if $_SERVER was not exactly what we expect
225 $current_url = 'http' . (empty($_SERVER['HTTPS']) ? '' : 's') . '://'
226 . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
227 $canonic_url = get_user_openid_url($user);
228 if ($current_url != $canonic_url) {
229 http_redirect($canonic_url);
230 }
231
232 // Include X-XRDS-Location response-header for Yadis discovery
233 header('X-XRDS-Location: ' . get_user_xrds_url($user));
234
235 // Select template
236 $page->changeTpl('openid/openid.tpl');
237
238 // Sets the title of the html page.
239 $page->setTitle($user->fullName());
240
241 // Sets the <link> tags for HTML-Based Discovery
242 $page->addLink('openid.server openid2.provider', get_openid_url());
243 $page->addLink('openid.delegate openid2.local_id', $user->hruid);
244
245 // Adds the global user property array to the display.
246 $page->assign_by_ref('user', $user);
247
248 return;
249 }
250
251 function render_no_identifier_page($page, $request)
252 {
253 // Select template
254 $page->changeTpl('openid/no_identifier.tpl');
255 }
256
257 function render_openid_response($webresponse)
258 {
259 // Send HTTP response code
260 if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
261 header(sprintf("HTTP/1.1 %d ", $webresponse->code),
262 true, $webresponse->code);
263 }
264
265 // Send headers
266 foreach ($webresponse->headers as $k => $v) {
267 header("$k: $v");
268 }
269 header('Connection: close');
270
271 // Send body
272 print $webresponse->body;
273 exit;
274 }
275 }
276
277 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
278 ?>