aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorPablo Martin <caedes@sindominio.net>2012-10-17 02:38:11 +0000
committerPablo Martin <caedes@sindominio.net>2012-10-17 02:38:11 +0000
commit0b8b67d74a51586c5a45012e9e0f7bbe54f7e954 (patch)
treec091196f6359bc7d6aa0c39b3ec061e0c2c7c983 /lib
downloadelgg-0b8b67d74a51586c5a45012e9e0f7bbe54f7e954.tar.gz
elgg-0b8b67d74a51586c5a45012e9e0f7bbe54f7e954.tar.bz2
Elgg OpenID server adapted for Elgg 1.8.
Diffstat (limited to 'lib')
-rwxr-xr-xlib/actions.php178
-rwxr-xr-xlib/common.php164
-rwxr-xr-xlib/session.php142
3 files changed, 484 insertions, 0 deletions
diff --git a/lib/actions.php b/lib/actions.php
new file mode 100755
index 000000000..40b1f7736
--- /dev/null
+++ b/lib/actions.php
@@ -0,0 +1,178 @@
+<?php
+
+require_once "common.php";
+require_once "session.php";
+
+require_once "Auth/OpenID.php";
+
+/**
+ * Handle a standard OpenID server request
+ */
+function action_default()
+{
+ global $store;
+
+ $server =& getServer();
+ $method = $_SERVER['REQUEST_METHOD'];
+ /*$request = null;
+ if ($method == 'GET') {
+ $request = $_GET;
+ } else {
+ $request = $_POST;
+ } */
+
+ $request = $server->decodeRequest();
+
+ error_log("in action_default, request = ".print_r($request,true));
+
+ if (!$request) {
+ return ""; //about_render();
+ }
+
+ setRequestInfo($request);
+
+ if (in_array($request->mode,
+ array('checkid_immediate', 'checkid_setup'))) {
+
+ error_log("in action_default, about to run isTrusted");
+
+ if (isTrusted($request->identity, $request->trust_root, $request->return_to)) {
+ error_log("in action_default, yes, is trusted");
+ $response =& $request->answer(true);
+ } else if ($request->immediate) {
+ error_log("in action_default, yes, immediate");
+ $response =& $request->answer(false, getServerURL());
+ } else {
+ if (!getLoggedInUser()) {
+ error_log("in action_default, calling login render");
+ #return login_render();
+ system_message(elgg_echo('openid_server:not_logged_in'));
+ return gatekeeper();
+ #return action_login();
+ }
+ error_log("in action_default, calling trust render");
+ return trust_render($request);
+ }
+ error_log("in action_default, about to add sreg fields");
+ addSregFields(&$response);
+
+ } else {
+ $response =& $server->handleRequest($request);
+ }
+
+ $webresponse =& $server->encodeResponse($response);
+
+ foreach ($webresponse->headers as $k => $v) {
+ header("$k: $v");
+ }
+
+ header(header_connection_close);
+ print $webresponse->body;
+ exit(0);
+}
+
+/**
+ * Log out the currently logged in user
+ */
+function action_logout()
+{
+ setLoggedInUser(null);
+ setRequestInfo(null);
+ return authCancel(null);
+}
+
+/**
+ * Check the input values for a login request
+ */
+function login_checkInput($input)
+{
+ $openid_url = false;
+ $errors = array();
+
+ if (!isset($input['openid_url'])) {
+ $errors[] = gettext('Enter an OpenID URL to continue');
+ }
+ if (!isset($input['password'])) {
+ $errors[] = gettext('Enter a password to continue');
+ }
+ if (count($errors) == 0) {
+ $openid_url = $input['openid_url'];
+ // don't normalise yet
+ // $openid_url = Auth_OpenID::normalizeUrl($openid_url);
+ $password = $input['password'];
+ if (!checkLogin($openid_url, $password)) {
+ $errors[] = 'The entered password does not match the ' .
+ 'entered identity URL.';
+ }
+ }
+ return array($errors, $openid_url);
+}
+
+/**
+ * Log in a user and potentially continue the requested identity approval
+ */
+function action_login()
+{
+ $method = $_SERVER['REQUEST_METHOD'];
+ switch ($method) {
+ case 'GET':
+ return login_render();
+ case 'POST':
+ $info = getRequestInfo();
+ $fields = $_POST;
+ if (isset($fields['cancel'])) {
+ return authCancel($info);
+ }
+
+ list ($errors, $openid_url) = login_checkInput($fields);
+ if (count($errors) || !$openid_url) {
+ $needed = $info ? $info->identity : false;
+ //KJ - use $openid_url instead
+ // return login_render($errors, @$fields['openid_url'], $needed);
+ return login_render($errors, $openid_url, $needed);
+ } else {
+ setLoggedInUser(normaliseUsername($openid_url));
+ return doAuth($info);
+ }
+ default:
+ return login_render(array('Unsupported HTTP method: $method'));
+ }
+}
+
+/**
+ * Ask the user whether he wants to trust this site
+ */
+function action_trust()
+{
+ global $store;
+
+ $info = getRequestInfo();
+ $trusted = isset($_POST['trust']);
+ if ($info && isset($_POST['remember'])) {
+ error_log("setTrustedSite0");
+ $store->setTrustedSite($info->trust_root);
+ }
+ return doAuth($info, $trusted, true);
+}
+
+function action_sites()
+{
+ global $store;
+
+ $sites = $store->getTrustedSites();
+
+ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ if (isset($_POST['forget'])) {
+ $store->removeAllTrustedSites();
+ } elseif (isset($_POST['remove'])) {
+ foreach ($_POST as $k => $v) {
+ if (preg_match('/^site[0-9]+$/', $k)) {
+ $store->removeTrustedSite($v);
+ }
+ }
+ }
+ }
+ return sites_render($store->getTrustedSites());
+}
+
+?>
diff --git a/lib/common.php b/lib/common.php
new file mode 100755
index 000000000..b50a990bd
--- /dev/null
+++ b/lib/common.php
@@ -0,0 +1,164 @@
+<?php
+
+require_once "session.php";
+
+require_once "Auth/OpenID/Server.php";
+require_once "Auth/OpenID/SReg.php";
+try {
+ include_once "Auth/OpenID/HMACSHA1.php";
+} catch(Exception $e) {
+ // new way :P
+ require_once "Auth/OpenID/HMAC.php";
+}
+
+function getUsernameFromUrl($url)
+{
+ $un = trim($url);
+ $lun = strlen($un);
+ $last_stroke_pos = strrpos($un,"/");
+ if ($last_stroke_pos === false) {
+ // no slash, so assume that this is already a username
+ $username = $url;
+ } else {
+ if ($last_stroke_pos == ($lun - 1)) {
+ // this url ends in a slash - ignore it
+ $un = substr($un, 0,-1);
+ }
+ $last_stroke_pos = strrpos($un,"/");
+ $username = substr($un,$last_stroke_pos+1);
+ }
+
+ return $username;
+}
+
+function normaliseUsername($username)
+// check to see if the current username contains a slash
+// if so, assume that this is an OpenID URL
+// if not, munge it until it is
+// normalise OpenID URLs to include a closing slash
+{
+ global $CONFIG;
+
+ $stroke_pos = strpos($username,"/");
+ if ($stroke_pos === false) {
+ return $CONFIG->wwwroot."profile/".$username;
+ } else {
+ if (substr($username,-1,1) == "/") {
+ return substr($username, 0, strlen($username-1));
+ } else {
+ return $username;
+ }
+ }
+}
+
+function addSregFields(&$response,$info, $req_url)
+{
+ $username = getUsernameFromUrl($req_url);
+ $user = get_user_by_username($username);
+ if ($user) {
+ $email = $user->email;
+ $fullname = $user->name;
+
+ $sreg_data = array(
+ 'fullname' => $fullname,
+ 'email' => $email
+ );
+
+ // Add the simple registration response values to the OpenID
+ // response message.
+ $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
+
+ $sreg_response = Auth_OpenID_SRegResponse::extractResponse(
+ $sreg_request, $sreg_data);
+ error_log('DEBUG:' . (string)($response->fields));
+ $sreg_response->toMessage($response->fields);
+ }
+
+}
+
+// KJ - this code is now used in trust.php
+
+/*function authCancel($info)
+{
+ if ($info) {
+ setRequestInfo();
+ $url = $info->getCancelURL();
+ } else {
+ $url = getServerURL();
+ }
+ return redirect_render($url);
+}
+
+function doAuth($info, $trusted=null, $fail_cancels=false,$idpSelect=null)
+{
+ if (!$info) {
+ // There is no authentication information, so bail
+ return authCancel(null);
+ }
+
+ if ($info->idSelect()) {
+ if ($idpSelect) {
+ $req_url = idURL($idpSelect);
+ } else {
+ $trusted = false;
+ }
+ } else {
+ $req_url = normaliseUsername($info->identity);
+ }
+
+ $user = getLoggedInUser();
+ setRequestInfo($info);
+
+ if ($req_url != $user) {
+ return login_render(array(), $req_url, $req_url);
+ }
+
+ $trust_root = $info->trust_root;
+ // $fail_cancels = $fail_cancels || isset($sites[$trust_root]);
+ $trusted = isset($trusted) ? $trusted : isTrusted($req_url,$trust_root);
+ if ($trusted) {
+ setRequestInfo();
+ $server =& getServer();
+ $response =& $info->answer(true, null, $req_url);
+
+ addSregFields($response, $info, $req_url);
+
+ $webresponse =& $server->encodeResponse($response);
+
+ $new_headers = array();
+
+ foreach ($webresponse->headers as $k => $v) {
+ $new_headers[] = $k.": ".$v;
+ }
+
+ return array($new_headers, $webresponse->body);
+ } elseif ($fail_cancels) {
+ return authCancel($info);
+ } else {
+ return trust_render($info);
+ }
+}*/
+
+
+function trust_render($info) {
+
+ $vars = array('openid_url' =>getLoggedInUser(), 'openid_trust_root' =>htmlspecialchars($info->trust_root));
+ $title = elgg_echo('openid_server:trust_title');
+ return array(
+ array(),
+ elgg_view_page(
+ $title,
+ elgg_view_layout('content', array(
+ 'title' => $title,
+ 'content' => elgg_view_form("openid_server/trust", array(), $vars),
+ 'filter' => false,
+ ))
+ ));
+}
+
+function login_render($errors=null, $input=null, $needed=null) {
+ system_message(elgg_echo('openid_server:not_logged_in'));
+ forward(current_page_url());
+}
+
+?>
diff --git a/lib/session.php b/lib/session.php
new file mode 100755
index 000000000..25940b3bb
--- /dev/null
+++ b/lib/session.php
@@ -0,0 +1,142 @@
+<?php
+
+//require_once(dirname(dirname(__FILE__)).'/config.php');
+//require_once "render.php";
+
+require_once "Auth/OpenID/Server.php";
+
+// require_once('elgg/includes.php');
+
+/**
+ * Set up the session
+ */
+// get information from Elgg if logged in
+// KJ - this should not be necessary as it can always be generated from the user name
+function init()
+{
+ global $CFG;
+
+ if (isloggedin()) {
+ setLoggedInUser(normaliseUsername($_SESSION['user']->username));
+ } else {
+ setLoggedInUser(null);
+ }
+}
+
+
+/**
+ * Get the URL of the current script
+ */
+function getServerURL()
+{
+ global $CONFIG;
+
+ return $CONFIG->wwwroot.'mod/openid_server/server.php';
+}
+
+/**
+ * Build a URL to a server action
+ */
+function buildURL($action=null, $escaped=true)
+{
+ $url = getServerURL();
+ if ($action) {
+ $url .= '/' . $action;
+ }
+ return $escaped ? htmlspecialchars($url, ENT_QUOTES) : $url;
+}
+
+/**
+ * Extract the current action from the request
+ * KJ - this should be replaced by Elgg 1 action system
+ */
+function getAction()
+{
+ $path_info = @$_SERVER['PATH_INFO'];
+ $action = ($path_info) ? substr($path_info, 1) : '';
+ $function_name = 'action_' . $action;
+ return $function_name;
+}
+
+/**
+ * Write the response to the request
+ */
+function writeResponse($resp)
+{
+ list ($headers, $body) = $resp;
+ array_walk($headers, 'header');
+ header(header_connection_close);
+ print $body;
+}
+
+/**
+ * Instantiate a new OpenID server object
+ */
+function getServer()
+{
+ global $CONFIG;
+ static $server;
+ $op_endpoint = getServerURL();
+ error_log("In getServer()");
+ if (!isset($server)) {
+ $server =& new Auth_OpenID_Server(getOpenIDServerStore(),$op_endpoint);
+ }
+ return $server;
+}
+
+/**
+ * Return whether the trust root is currently trusted
+ *
+ */
+function isTrusted($identity_url, $trust_root, $return_to)
+{
+ global $store;
+
+ if ($identity_url != getLoggedInUser()) {
+ return false;
+ }
+
+ $sites = $store->getTrustedSites($identity_url);
+
+ if (empty($sites)) {
+ return false;
+ } else {
+ return in_array($trust_root, $sites) && fnmatch($trust_root.'*',$return_to);
+ }
+}
+
+
+/**
+ * Get the openid_url out of the cookie
+ *
+ * @return mixed $openid_url The URL that was stored in the cookie or
+ * false if there is none present or if the cookie is bad.
+ */
+function getLoggedInUser()
+{
+ global $CONFIG;
+ if (isloggedin()) {
+ return $CONFIG->wwwroot.'profile/'.$_SESSION['user']->username;
+ } else {
+ return '';
+ }
+}
+
+function getRequestInfo()
+{
+ return isset($_SESSION['openid_server_request'])
+ ? unserialize($_SESSION['openid_server_request'])
+ : false;
+}
+
+function setRequestInfo($info=null)
+{
+ error_log("in setRequestInfo");
+ if (!isset($info)) {
+ unset($_SESSION['openid_server_request']);
+ } else {
+ $_SESSION['openid_server_request'] = serialize($info);
+ }
+}
+
+?>