X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=modules%2Fopenid.php;h=843effc59e9e4d1d0950e359df5a1a1be1313679;hb=cf81c359b80ad4280a0b3719e0a32c8adba2549d;hp=66ad7e211bb2e293efe890a9040878d4a7f9156b;hpb=ab2a43ac930df97405eeff6d4ad5c7ed9f86f68b;p=platal.git
diff --git a/modules/openid.php b/modules/openid.php
index 66ad7e2..843effc 100644
--- a/modules/openid.php
+++ b/modules/openid.php
@@ -22,25 +22,39 @@
/* Definitions for the OpenId Specification
* http://openid.net/specs/openid-authentication-2_0.html
- *
+ *
* OP Endpoint URL: https://www.polytechnique.org/openid
* OP Identifier: https://www.polytechnique.org/openid
- * User-Supplied Identifier: https://www.polytechnique.org/openid/{$hruid}
- * Identity selection is not supported by this implementation
- * OP-Local Identifier: {$hruid}
+ * User Identifier: https://www.polytechnique.org/openid/{hruid}
+ * OP-Local Identifier: {hruid}
+ */
+
+/* This implementation supports two modes:
+ * - entering the OP Identifier, which can simply be 'polytechnique.org'
+ * - entering the User Identifier, or some URL that resolves there
+ * In both cases, Yadis discovery is made possible through the X-XRDS-Location
+ * header.
+ *
+ * In the former case, Yadis discovery is performed on /, or where it redirects;
+ * see platal.php. It resolves to the XRDS for this OP, and User Identifier
+ * selection is performed after forcing the user to log in. This only works for
+ * version 2.0 of the OpenId protocol.
+ *
+ * In the latter cas, Yadis discovery is performed on /openid/{hruid}. It
+ * resolves ta a user-specific XRDS. This page also features HTML-based
+ * discovery. This works with any version of the protocol.
*/
/* Testing suite is here:
* http://openidenabled.com/resources/openid-test/
+ * It only supports User Indentifiers.
+ *
+ * To test OP Identifiers, download the JanRain PHP library and use the
+ * consumer provided as an example (although it appears that a failure is
+ * mistakenly reported: 'Server denied check_authentication').
+ * Reading the source of the server can also help understanding the code below.
*/
-/* **checkid_immediate is not supported (yet)**, which means that we will
- * always ask for confirmation before redirecting to a third-party.
- * A sensible way to implement it would be to add a "Always trust this site"
- * checkbox to the form, and to store trusted websites per user. This still
- * raises the question of removing websites from that list.
- * Another possibility is to maintain a global whitelist.
- */
class OpenidModule extends PLModule
{
@@ -49,6 +63,9 @@ class OpenidModule extends PLModule
return array(
'openid' => $this->make_hook('openid', AUTH_PUBLIC),
'openid/trust' => $this->make_hook('trust', AUTH_COOKIE),
+ 'openid/trusted' => $this->make_hook('trusted', AUTH_MDP),
+ 'admin/openid/trusted' => $this->make_hook('admin_trusted', AUTH_MDP),
+ 'openid/idp_xrds' => $this->make_hook('idp_xrds', AUTH_PUBLIC),
'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC),
'openid/melix' => $this->make_hook('melix', AUTH_PUBLIC),
);
@@ -57,52 +74,49 @@ class OpenidModule extends PLModule
function handler_openid(&$page, $x = null)
{
$this->load('openid.inc.php');
- $user = get_user($x);
- // Spec §4.1.2: if "openid.mode" is absent, whe SHOULD assume that
+ // Spec §4.1.2: if "openid.mode" is absent, we SHOULD assume that
// the request is not an OpenId message
- // Thus, we try to render the discovery page
if (!array_key_exists('openid_mode', $_REQUEST)) {
- return $this->render_discovery_page($page, $user);
+ return $this->render_discovery_page($page, get_user($x));
}
- // Create a server and decode the request
+ // Now, deal with the OpenId message
$server = init_openid_server();
$request = $server->decodeRequest();
- // This request requires user interaction
- if (in_array($request->mode,
- array('checkid_immediate', 'checkid_setup'))) {
-
- // Each user has only one identity to choose from
- // So we can make automatically the identity selection
- if ($request->idSelect()) {
- $request->identity = $user->hruid();
- }
-
- // If we still don't have an identifier (used or desired), give up
- if (!$request->identity) {
- $this->render_no_identifier_page($page, $request);
- return;
- }
-
- // We always require confirmation before sending information
- // to third-party websites
- if ($request->immediate) {
- $response =& $request->answer(false);
- } else {
- // Save request in session and jump to confirmation page
- S::set('openid_request', serialize($request));
- pl_redirect('openid/trust');
- return;
- }
+ // In modes 'checkid_immediate' and 'checkid_setup', the request
+ // needs some logic and can not be automatically answered by the server
+
+ // Immediate mode
+ if ($request->mode == 'checkid_immediate') {
+
+ // We deny immediate requests, unless:
+ // - the user identifier is known by the RP
+ // - the user is logged in
+ // - the user identifier matches the user logged in
+ // - the user has whitelisted the site
+ $answer = !$request->idSelect()
+ && S::logged()
+ && $request->identity == S::user()->login()
+ && is_trusted_site(S::user(), $request->trust_root);
+ $response =& $request->answer($answer);
+
+ // Setup mode
+ } else if ($request->mode == 'checkid_setup') {
+
+ // We redirect to a page where the user will authenticate
+ // and confirm the use of his/her OpenId
+ // The request is saved in session before redirecting
+ S::set('openid_request', serialize($request));
+ pl_redirect('openid/trust');
+ return;
// Other requests can be automatically handled by the server
} else {
$response =& $server->handleRequest($request);
}
- // Render response
$webresponse =& $server->encodeResponse($response);
$this->render_openid_response($webresponse);
}
@@ -117,17 +131,24 @@ class OpenidModule extends PLModule
// There is no authentication information, something went wrong
pl_redirect('/');
return;
- } else {
- // Unserialize the request
- require_once 'Auth/OpenID/Server.php';
- $request = unserialize($request);
}
+ require_once 'Auth/OpenID/Server.php';
+ $request = unserialize($request);
+
$server = init_openid_server();
$user = S::user();
-
+ $identity = null;
+ $claimed_id = null;
+
+ // Set the identity to the user currently logged in
+ // if an OP Identifier was initially used
+ if ($request->identity == Auth_OpenID_IDENTIFIER_SELECT) {
+ $identity = $user->hruid;
+ $claimed_id = get_user_openid_url($user);
// Check that the identity matches the user currently logged in
- if ($request->identity != $user->hruid) {
+ // if an User Identifier was initially used
+ } else if ($request->identity != $user->hruid) {
$response =& $request->answer(false);
$webresponse =& $server->encodeResponse($response);
$this->render_openid_response($webresponse);
@@ -139,9 +160,10 @@ class OpenidModule extends PLModule
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, get_sreg_data($user));
+ $whitelisted = is_trusted_site($user, $request->trust_root);
// Ask the user for confirmation
- if ($_SERVER['REQUEST_METHOD'] != 'POST') {
+ if (!$whitelisted && $_SERVER['REQUEST_METHOD'] != 'POST') {
$page->changeTpl('openid/trust.tpl');
$page->assign('relying_party', $request->trust_root);
$page->assign_by_ref('sreg_data', $sreg_response->data);
@@ -149,41 +171,75 @@ class OpenidModule extends PLModule
}
// At this point $_SERVER['REQUEST_METHOD'] == 'POST'
- // Answer to the Relying Party based on the user's choice
- if (isset($_POST['trust'])) {
+
+ // Add 'always trusted' sites to whitelist
+ if (isset($_POST['trust']) && @$_POST['always']) {
+ add_trusted_site($user, $request->trust_root);
+ }
+
+ // Answer to the Relying Party
+ if ($whitelisted || isset($_POST['trust'])) {
S::kill('openid_request');
- $response =& $request->answer(true, null, $request->identity);
+ $response =& $request->answer(true, null, $identity, $claimed_id);
// Add the simple registration response values to the OpenID
// response message.
$sreg_response->toMessage($response->fields);
- } else { // !isset($_POST['trust'])
+ } else { // !$whitelisted && !isset($_POST['trust'])
S::kill('openid_request');
$response =& $request->answer(false);
}
- // Generate a response to send to the user agent.
$webresponse =& $server->encodeResponse($response);
$this->render_openid_response($webresponse);
}
+ function handler_trusted(&$page, $action = 'list', $id = null)
+ {
+ $page->setTitle('Sites tiers de confiance');
+ $page->assign('title', 'Mes sites tiers de confiance pour OpenId');
+ $table_editor = new PLTableEditor('openid/trusted', 'openid_trusted', 'id');
+ $table_editor->set_where_clause('user_id = ' . XDB::escape(S::user()->id()));
+ $table_editor->vars['user_id']['display'] = false;
+ $table_editor->describe('url', 'site tiers', true);
+ $page->assign('deleteonly', true);
+ $table_editor->apply($page, $action, $id);
+ }
+
+ function handler_admin_trusted(&$page, $action = 'list', $id = null)
+ {
+ $page->setTitle('Sites tiers de confiance');
+ $page->assign('title', 'Sites tiers de confiance globaux pour OpenId');
+ $table_editor = new PLTableEditor('admin/openid/trusted', 'openid_trusted', 'id');
+ $table_editor->set_where_clause('user_id IS NULL');
+ $table_editor->vars['user_id']['display'] = false;
+ $table_editor->describe('url', 'site tiers', true);
+ $page->assign('readonly', true);
+ $table_editor->apply($page, $action, $id);
+ }
+
+ function handler_idp_xrds(&$page)
+ {
+ $this->load('openid.inc.php');
+ header('Content-type: application/xrds+xml');
+ $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN);
+ $page->assign('type2', Auth_OpenID_TYPE_2_0_IDP);
+ $page->assign('sreg', Auth_OpenID_SREG_URI);
+ $page->assign('provider', get_openid_url());
+ }
+
function handler_user_xrds(&$page, $x = null)
{
- // Load constants
$this->load('openid.inc.php');
- // Make sure the user exists
$user = get_user($x);
if (is_null($user)) {
return PL_NOT_FOUND;
}
- // Set XRDS content-type and template
header('Content-type: application/xrds+xml');
$page->changeTpl('openid/user_xrds.tpl', NO_SKIN);
-
- // Set variables
$page->assign('type2', Auth_OpenID_TYPE_2_0);
$page->assign('type1', Auth_OpenID_TYPE_1_1);
$page->assign('sreg', Auth_OpenID_SREG_URI);
@@ -224,43 +280,26 @@ class OpenidModule extends PLModule
// Include X-XRDS-Location response-header for Yadis discovery
header('X-XRDS-Location: ' . get_user_xrds_url($user));
- // Select template
$page->changeTpl('openid/openid.tpl');
-
- // Sets the title of the html page.
$page->setTitle($user->fullName());
-
- // Sets the tags for HTML-Based Discovery
+ // Set the tags for HTML-Based Discovery
$page->addLink('openid.server openid2.provider', get_openid_url());
$page->addLink('openid.delegate openid2.local_id', $user->hruid);
-
- // Adds the global user property array to the display.
$page->assign_by_ref('user', $user);
return;
}
- function render_no_identifier_page($page, $request)
- {
- // Select template
- $page->changeTpl('openid/no_identifier.tpl');
- }
-
function render_openid_response($webresponse)
{
- // Send HTTP response code
if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
header(sprintf("HTTP/1.1 %d ", $webresponse->code),
true, $webresponse->code);
}
-
- // Send headers
foreach ($webresponse->headers as $k => $v) {
header("$k: $v");
}
header('Connection: close');
-
- // Send body
print $webresponse->body;
exit;
}