modules/openid.php

   1 <?php
   2 /***************************************************************************
   3  *  Copyright (C) 2003-2008 Polytechnique.org                              *
   4  *  http://opensource.polytechnique.org/                                   *
   5  *                                                                         *
   6  *  This program is free software; you can redistribute it and/or modify   *
   7  *  it under the terms of the GNU General Public License as published by   *
   8  *  the Free Software Foundation; either version 2 of the License, or      *
   9  *  (at your option) any later version.                                    *
  10  *                                                                         *
  11  *  This program is distributed in the hope that it will be useful,        *
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
  14  *  GNU General Public License for more details.                           *
  15  *                                                                         *
  16  *  You should have received a copy of the GNU General Public License      *
  17  *  along with this program; if not, write to the Free Software            *
  18  *  Foundation, Inc.,                                                      *
  19  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
  20  ***************************************************************************/
  21
  22
  23 /* Definitions for the OpenId Specification
  24  * http://openid.net/specs/openid-authentication-2_0.html
  25  *
  26  * OP Endpoint URL:             https://www.polytechnique.org/openid
  27  * OP Identifier:               https://www.polytechnique.org/openid
  28  * User-Supplied Identifier:    https://www.polytechnique.org/openid/{$hruid}
  29  *    Identity selection is not supported by this implementation
  30  * OP-Local Identifier:         {$hruid}
  31  */
  32
  33 /* Testing suite is here:
  34  * http://openidenabled.com/resources/openid-test/
  35  */
  36
  37 /* **checkid_immediate is not supported (yet)**, which means that we will
  38  * always ask for confirmation before redirecting to a third-party.
  39  * A sensible way to implement it would be to add a "Always trust this site"
  40  * checkbox to the form, and to store trusted websites per user. This still
  41  * raises the question of removing websites from that list.
  42  * Another possibility is to maintain a global whitelist.
  43  */
  44
  45 class OpenidModule extends PLModule
  46 {
  47     function handlers()
  48     {
  49         return array(
  50             'openid'            => $this->make_hook('openid', AUTH_PUBLIC),
  51             'openid/trust'      => $this->make_hook('trust', AUTH_COOKIE),
  52             'openid/user_xrds'  => $this->make_hook('user_xrds', AUTH_PUBLIC),
  53             'openid/melix'      => $this->make_hook('melix', AUTH_PUBLIC),
  54         );
  55     }
  56
  57     function handler_openid(&$page, $x = null)
  58     {
  59         $this->load('openid.inc.php');
  60         $user = get_user($x);
  61
  62         // Spec §4.1.2: if "openid.mode" is absent, whe SHOULD assume that
  63         // the request is not an OpenId message
  64         // Thus, we try to render the discovery page
  65         if (!array_key_exists('openid_mode', $_REQUEST)) {
  66             return $this->render_discovery_page($page, $user);
  67         }
  68
  69         // Create a server and decode the request
  70         $server = init_openid_server();
  71         $request = $server->decodeRequest();
  72
  73         // This request requires user interaction
  74         if (in_array($request->mode,
  75                      array('checkid_immediate', 'checkid_setup'))) {
  76
  77             // Each user has only one identity to choose from
  78             // So we can make automatically the identity selection
  79             if ($request->idSelect()) {
  80                 $request->identity = $user->hruid();
  81             }
  82
  83             // If we still don't have an identifier (used or desired), give up
  84             if (!$request->identity) {
  85                 $this->render_no_identifier_page($page, $request);
  86                 return;
  87             }
  88
  89             // We always require confirmation before sending information
  90             // to third-party websites
  91             if ($request->immediate) {
  92                 $response =& $request->answer(false);
  93             } else {
  94                 // Save request in session and jump to confirmation page
  95                 S::set('openid_request', serialize($request));
  96                 pl_redirect('openid/trust');
  97                 return;
  98             }
  99
 100         // Other requests can be automatically handled by the server
 101         } else {
 102             $response =& $server->handleRequest($request);
 103         }
 104
 105         // Render response
 106         $webresponse =& $server->encodeResponse($response);
 107         $this->render_openid_response($webresponse);
 108     }
 109
 110     function handler_trust(&$page, $x = null)
 111     {
 112         $this->load('openid.inc.php');
 113
 114         // Recover request in session
 115         $request = S::v('openid_request');
 116         if (is_null($request)) {
 117             // There is no authentication information, something went wrong
 118             pl_redirect('/');
 119             return;
 120         } else {
 121             // Unserialize the request
 122             require_once 'Auth/OpenID/Server.php';
 123             $request = unserialize($request);
 124         }
 125
 126         $server = init_openid_server();
 127         $user = S::user();
 128
 129         // Check that the identity matches the user currently logged in
 130         if ($request->identity != $user->hruid) {
 131             $response =& $request->answer(false);
 132             $webresponse =& $server->encodeResponse($response);
 133             $this->render_openid_response($webresponse);
 134             return;
 135         }
 136
 137         // Prepare Simple Registration response fields
 138         require_once 'Auth/OpenID/SReg.php';
 139         $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
 140         $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, get_sreg_data($user));
 141
 142
 143         // Ask the user for confirmation
 144         if ($_SERVER['REQUEST_METHOD'] != 'POST') {
 145             $page->changeTpl('openid/trust.tpl');
 146             $page->assign('relying_party', $request->trust_root);
 147             $page->assign_by_ref('sreg_data', $sreg_response->data);
 148             return;
 149         }
 150
 151         // At this point $_SERVER['REQUEST_METHOD'] == 'POST'
 152         // Answer to the Relying Party based on the user's choice
 153         if (isset($_POST['trust'])) {
 154             S::kill('openid_request');
 155             $response =& $request->answer(true, null, $request->identity);
 156
 157             // Add the simple registration response values to the OpenID
 158             // response message.
 159             $sreg_response->toMessage($response->fields);
 160
 161         } else { // !isset($_POST['trust'])
 162             S::kill('openid_request');
 163             $response =& $request->answer(false);
 164         }
 165
 166         // Generate a response to send to the user agent.
 167         $webresponse =& $server->encodeResponse($response);
 168         $this->render_openid_response($webresponse);
 169     }
 170
 171     function handler_user_xrds(&$page, $x = null)
 172     {
 173         // Load constants
 174         $this->load('openid.inc.php');
 175
 176         // Make sure the user exists
 177         $user = get_user($x);
 178         if (is_null($user)) {
 179             return PL_NOT_FOUND;
 180         }
 181
 182         // Set XRDS content-type and template
 183         header('Content-type: application/xrds+xml');
 184         $page->changeTpl('openid/user_xrds.tpl', NO_SKIN);
 185
 186         // Set variables
 187         $page->assign('type2', Auth_OpenID_TYPE_2_0);
 188         $page->assign('type1', Auth_OpenID_TYPE_1_1);
 189         $page->assign('provider', get_openid_url());
 190         $page->assign('local_id', $user->hruid);
 191     }
 192
 193     function handler_melix(&$page, $x = null)
 194     {
 195         $this->load('openid.inc.php');
 196         $user = get_user_by_alias($x);
 197
 198         // This will redirect to the canonic URL, which was not used
 199         // if this hook was triggered
 200         return $this->render_discovery_page(&$page, $user);
 201     }
 202
 203     //--------------------------------------------------------------------//
 204
 205     function render_discovery_page(&$page, $user)
 206     {
 207
 208         // Show the documentation if this is not the OpenId page of an user
 209         if (is_null($user)) {
 210             pl_redirect('Xorg/OpenId');
 211         }
 212
 213         // Redirect to the canonic URL if we are using an alias
 214         // There might be a risk of redirection loop here
 215         // if $_SERVER was not exactly what we expect
 216         $current_url = 'http' . (empty($_SERVER['HTTPS']) ? '' : 's') . '://'
 217                        . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
 218         $canonic_url = get_user_openid_url($user);
 219         if ($current_url != $canonic_url) {
 220             http_redirect($canonic_url);
 221         }
 222
 223         // Include X-XRDS-Location response-header for Yadis discovery
 224         header('X-XRDS-Location: ' . get_user_xrds_url($user));
 225
 226         // Select template
 227         $page->changeTpl('openid/openid.tpl');
 228
 229         // Sets the title of the html page.
 230         $page->setTitle($user->fullName());
 231
 232         // Sets the <link> tags for HTML-Based Discovery
 233         $page->addLink('openid.server openid2.provider', get_openid_url());
 234         $page->addLink('openid.delegate openid2.local_id', $user->hruid);
 235
 236         // Adds the global user property array to the display.
 237         $page->assign_by_ref('user', $user);
 238
 239         return;
 240     }
 241
 242     function render_no_identifier_page($page, $request)
 243     {
 244         // Select template
 245         $page->changeTpl('openid/no_identifier.tpl');
 246     }
 247
 248     function render_openid_response($webresponse)
 249     {
 250         // Send HTTP response code
 251         if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
 252             header(sprintf("HTTP/1.1 %d ", $webresponse->code),
 253                    true, $webresponse->code);
 254         }
 255
 256         // Send headers
 257         foreach ($webresponse->headers as $k => $v) {
 258             header("$k: $v");
 259         }
 260         header('Connection: close');
 261
 262         // Send body
 263         print $webresponse->body;
 264         exit;
 265     }
 266 }
 267
 268 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
 269 ?>