From 0b8b67d74a51586c5a45012e9e0f7bbe54f7e954 Mon Sep 17 00:00:00 2001
From: Pablo Martin
Date: Wed, 17 Oct 2012 02:38:11 +0000
Subject: Elgg OpenID server adapted for Elgg 1.8.
---
lib/actions.php | 178 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lib/common.php | 164 +++++++++++++++++++++++++++++++++++++++++++++++++++
lib/session.php | 142 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 484 insertions(+)
create mode 100755 lib/actions.php
create mode 100755 lib/common.php
create mode 100755 lib/session.php
(limited to 'lib')
diff --git a/lib/actions.php b/lib/actions.php
new file mode 100755
index 000000000..40b1f7736
--- /dev/null
+++ b/lib/actions.php
@@ -0,0 +1,178 @@
+decodeRequest();
+
+ error_log("in action_default, request = ".print_r($request,true));
+
+ if (!$request) {
+ return ""; //about_render();
+ }
+
+ setRequestInfo($request);
+
+ if (in_array($request->mode,
+ array('checkid_immediate', 'checkid_setup'))) {
+
+ error_log("in action_default, about to run isTrusted");
+
+ if (isTrusted($request->identity, $request->trust_root, $request->return_to)) {
+ error_log("in action_default, yes, is trusted");
+ $response =& $request->answer(true);
+ } else if ($request->immediate) {
+ error_log("in action_default, yes, immediate");
+ $response =& $request->answer(false, getServerURL());
+ } else {
+ if (!getLoggedInUser()) {
+ error_log("in action_default, calling login render");
+ #return login_render();
+ system_message(elgg_echo('openid_server:not_logged_in'));
+ return gatekeeper();
+ #return action_login();
+ }
+ error_log("in action_default, calling trust render");
+ return trust_render($request);
+ }
+ error_log("in action_default, about to add sreg fields");
+ addSregFields(&$response);
+
+ } else {
+ $response =& $server->handleRequest($request);
+ }
+
+ $webresponse =& $server->encodeResponse($response);
+
+ foreach ($webresponse->headers as $k => $v) {
+ header("$k: $v");
+ }
+
+ header(header_connection_close);
+ print $webresponse->body;
+ exit(0);
+}
+
+/**
+ * Log out the currently logged in user
+ */
+function action_logout()
+{
+ setLoggedInUser(null);
+ setRequestInfo(null);
+ return authCancel(null);
+}
+
+/**
+ * Check the input values for a login request
+ */
+function login_checkInput($input)
+{
+ $openid_url = false;
+ $errors = array();
+
+ if (!isset($input['openid_url'])) {
+ $errors[] = gettext('Enter an OpenID URL to continue');
+ }
+ if (!isset($input['password'])) {
+ $errors[] = gettext('Enter a password to continue');
+ }
+ if (count($errors) == 0) {
+ $openid_url = $input['openid_url'];
+ // don't normalise yet
+ // $openid_url = Auth_OpenID::normalizeUrl($openid_url);
+ $password = $input['password'];
+ if (!checkLogin($openid_url, $password)) {
+ $errors[] = 'The entered password does not match the ' .
+ 'entered identity URL.';
+ }
+ }
+ return array($errors, $openid_url);
+}
+
+/**
+ * Log in a user and potentially continue the requested identity approval
+ */
+function action_login()
+{
+ $method = $_SERVER['REQUEST_METHOD'];
+ switch ($method) {
+ case 'GET':
+ return login_render();
+ case 'POST':
+ $info = getRequestInfo();
+ $fields = $_POST;
+ if (isset($fields['cancel'])) {
+ return authCancel($info);
+ }
+
+ list ($errors, $openid_url) = login_checkInput($fields);
+ if (count($errors) || !$openid_url) {
+ $needed = $info ? $info->identity : false;
+ //KJ - use $openid_url instead
+ // return login_render($errors, @$fields['openid_url'], $needed);
+ return login_render($errors, $openid_url, $needed);
+ } else {
+ setLoggedInUser(normaliseUsername($openid_url));
+ return doAuth($info);
+ }
+ default:
+ return login_render(array('Unsupported HTTP method: $method'));
+ }
+}
+
+/**
+ * Ask the user whether he wants to trust this site
+ */
+function action_trust()
+{
+ global $store;
+
+ $info = getRequestInfo();
+ $trusted = isset($_POST['trust']);
+ if ($info && isset($_POST['remember'])) {
+ error_log("setTrustedSite0");
+ $store->setTrustedSite($info->trust_root);
+ }
+ return doAuth($info, $trusted, true);
+}
+
+function action_sites()
+{
+ global $store;
+
+ $sites = $store->getTrustedSites();
+
+ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ if (isset($_POST['forget'])) {
+ $store->removeAllTrustedSites();
+ } elseif (isset($_POST['remove'])) {
+ foreach ($_POST as $k => $v) {
+ if (preg_match('/^site[0-9]+$/', $k)) {
+ $store->removeTrustedSite($v);
+ }
+ }
+ }
+ }
+ return sites_render($store->getTrustedSites());
+}
+
+?>
diff --git a/lib/common.php b/lib/common.php
new file mode 100755
index 000000000..b50a990bd
--- /dev/null
+++ b/lib/common.php
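Review bot: action_trust() and action_sites() change the stored trust decisions on nothing more than a bare `$_POST['trust']`, `$_POST['remember']`, `$_POST['forget']` or `$_POST['siteN']` value, and nothing in the hunk validates an Elgg action token, so a forged cross-site POST to these handlers could add or drop a trusted relying party for the logged-in user. Unless the dispatcher that invokes these action_* functions already performs that check, each of them should begin with `action_gatekeeper();` so Elgg 1.8's `__elgg_token`/`__elgg_ts` pair (which `elgg_view_form` already emits for the trust form) is verified before the store is touched. Separately, `addSregFields(&$response);` in action_default uses a call-time reference, which PHP 5.4 rejects at parse time, and omits the `$info` and `$req_url` arguments that common.php's `addSregFields(&$response, $info, $req_url)` expects, so the username lookup inside it runs on null; it should read `addSregFields($response, $request, $request->identity);` (or the normalised form the old doAuth passed). action_default's signature and its first statements lie outside the hunk.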
@@ -0,0 +1,164 @@
+wwwroot."profile/".$username;
+ } else {
+ if (substr($username,-1,1) == "/") {
+ return substr($username, 0, strlen($username-1));
+ } else {
+ return $username;
+ }
+ }
+}
+
+function addSregFields(&$response,$info, $req_url)
+{
+ $username = getUsernameFromUrl($req_url);
+ $user = get_user_by_username($username);
+ if ($user) {
+ $email = $user->email;
+ $fullname = $user->name;
+
+ $sreg_data = array(
+ 'fullname' => $fullname,
+ 'email' => $email
+ );
+
+ // Add the simple registration response values to the OpenID
+ // response message.
+ $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
+
+ $sreg_response = Auth_OpenID_SRegResponse::extractResponse(
+ $sreg_request, $sreg_data);
+ error_log('DEBUG:' . (string)($response->fields));
+ $sreg_response->toMessage($response->fields);
+ }
+
+}
+
+// KJ - this code is now used in trust.php
+
+/*function authCancel($info)
+{
+ if ($info) {
+ setRequestInfo();
+ $url = $info->getCancelURL();
+ } else {
+ $url = getServerURL();
+ }
+ return redirect_render($url);
+}
+
+function doAuth($info, $trusted=null, $fail_cancels=false,$idpSelect=null)
+{
+ if (!$info) {
+ // There is no authentication information, so bail
+ return authCancel(null);
+ }
+
+ if ($info->idSelect()) {
+ if ($idpSelect) {
+ $req_url = idURL($idpSelect);
+ } else {
+ $trusted = false;
+ }
+ } else {
+ $req_url = normaliseUsername($info->identity);
+ }
+
+ $user = getLoggedInUser();
+ setRequestInfo($info);
+
+ if ($req_url != $user) {
+ return login_render(array(), $req_url, $req_url);
+ }
+
+ $trust_root = $info->trust_root;
+ // $fail_cancels = $fail_cancels || isset($sites[$trust_root]);
+ $trusted = isset($trusted) ? $trusted : isTrusted($req_url,$trust_root);
+ if ($trusted) {
+ setRequestInfo();
+ $server =& getServer();
+ $response =& $info->answer(true, null, $req_url);
+
+ addSregFields($response, $info, $req_url);
+
+ $webresponse =& $server->encodeResponse($response);
+
+ $new_headers = array();
+
+ foreach ($webresponse->headers as $k => $v) {
+ $new_headers[] = $k.": ".$v;
+ }
+
+ return array($new_headers, $webresponse->body);
+ } elseif ($fail_cancels) {
+ return authCancel($info);
+ } else {
+ return trust_render($info);
+ }
+}*/
+
+
+function trust_render($info) {
+
+ $vars = array('openid_url' =>getLoggedInUser(), 'openid_trust_root' =>htmlspecialchars($info->trust_root));
+ $title = elgg_echo('openid_server:trust_title');
+ return array(
+ array(),
+ elgg_view_page(
+ $title,
+ elgg_view_layout('content', array(
+ 'title' => $title,
+ 'content' => elgg_view_form("openid_server/trust", array(), $vars),
+ 'filter' => false,
+ ))
+ ));
+}
+
+function login_render($errors=null, $input=null, $needed=null) {
+ system_message(elgg_echo('openid_server:not_logged_in'));
+ forward(current_page_url());
+}
+
+?>
diff --git a/lib/session.php b/lib/session.php
new file mode 100755
index 000000000..25940b3bb
--- /dev/null
+++ b/lib/session.php
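Review bot: In the trailing-slash branch at the top of the hunk, `strlen($username-1)` applies the subtraction to the URL string, so `strlen()` is evaluated on the resulting integer and the branch returns only the first one or two characters of the identity rather than the identity without its slash; it should be `return substr($username, 0, -1);`. The enclosing function begins outside the hunk. In addSregFields, `error_log('DEBUG:' . (string)($response->fields));` casts what looks like an Auth_OpenID_Message object to string, which I would expect to fail unless that class defines `__toString`, and if it did succeed it would write the user's name and e-mail into the error log; the line should be dropped. The commented-out authCancel/doAuth block that the KJ note says now lives in trust.php is dead code and should be deleted rather than shipped in the new file.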
@@ -0,0 +1,142 @@
+username));
+ } else {
+ setLoggedInUser(null);
+ }
+}
+
+
+/**
+ * Get the URL of the current script
+ */
+function getServerURL()
+{
+ global $CONFIG;
+
+ return $CONFIG->wwwroot.'mod/openid_server/server.php';
+}
+
+/**
+ * Build a URL to a server action
+ */
+function buildURL($action=null, $escaped=true)
+{
+ $url = getServerURL();
+ if ($action) {
+ $url .= '/' . $action;
+ }
+ return $escaped ? htmlspecialchars($url, ENT_QUOTES) : $url;
+}
+
+/**
+ * Extract the current action from the request
+ * KJ - this should be replaced by Elgg 1 action system
+ */
+function getAction()
+{
+ $path_info = @$_SERVER['PATH_INFO'];
+ $action = ($path_info) ? substr($path_info, 1) : '';
+ $function_name = 'action_' . $action;
+ return $function_name;
+}
+
+/**
+ * Write the response to the request
+ */
+function writeResponse($resp)
+{
+ list ($headers, $body) = $resp;
+ array_walk($headers, 'header');
+ header(header_connection_close);
+ print $body;
+}
+
+/**
+ * Instantiate a new OpenID server object
+ */
+function getServer()
+{
+ global $CONFIG;
+ static $server;
+ $op_endpoint = getServerURL();
+ error_log("In getServer()");
+ if (!isset($server)) {
+ $server =& new Auth_OpenID_Server(getOpenIDServerStore(),$op_endpoint);
+ }
+ return $server;
+}
+
+/**
+ * Return whether the trust root is currently trusted
+ *
+ */
+function isTrusted($identity_url, $trust_root, $return_to)
+{
+ global $store;
+
+ if ($identity_url != getLoggedInUser()) {
+ return false;
+ }
+
+ $sites = $store->getTrustedSites($identity_url);
+
+ if (empty($sites)) {
+ return false;
+ } else {
+ return in_array($trust_root, $sites) && fnmatch($trust_root.'*',$return_to);
+ }
+}
+
+
+/**
+ * Get the openid_url out of the cookie
+ *
+ * @return mixed $openid_url The URL that was stored in the cookie or
+ * false if there is none present or if the cookie is bad.
+ */
+function getLoggedInUser()
+{
+ global $CONFIG;
+ if (isloggedin()) {
+ return $CONFIG->wwwroot.'profile/'.$_SESSION['user']->username;
+ } else {
+ return '';
+ }
+}
+
+function getRequestInfo()
+{
+ return isset($_SESSION['openid_server_request'])
+ ? unserialize($_SESSION['openid_server_request'])
+ : false;
+}
+
+function setRequestInfo($info=null)
+{
+ error_log("in setRequestInfo");
+ if (!isset($info)) {
+ unset($_SESSION['openid_server_request']);
+ } else {
+ $_SESSION['openid_server_request'] = serialize($info);
+ }
+}
+
+?>
-- cgit v1.2.3
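Review bot: isTrusted() validates return_to with `fnmatch($trust_root.'*', $return_to)`, which is only a prefix glob: it accepts a return_to whose host merely begins with the trust_root's characters, and any `*`, `?` or `[` in the relying-party-supplied trust_root is interpreted as a wildcard rather than literally. The php-openid library already implements the realm/return_to rules, so the check should become `return in_array($trust_root, $sites, true) && Auth_OpenID_TrustRoot::checkURL($trust_root, $return_to);`, which also makes the stored-site membership test strict. The docblock on getLoggedInUser() still describes reading a cookie and returning false, but the body reads `isloggedin()` and `$_SESSION['user']` and returns `''`; it should say `Return the OpenID identity URL of the logged-in Elgg user, or '' when nobody is logged in`. setLoggedInUser's signature lies outside the hunk.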