archive
/
poidsy
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
PHP OpenID consumer
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
63 Commits
3 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
poidsy/processor.php

processor.php 12KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393 
  1. <?PHP

  2. 

  3. /* Poidsy 0.6 - http://chris.smith.name/projects/poidsy

  4.  * Copyright (c) 2008-2010 Chris Smith

  5.  *

  6.  * Permission is hereby granted, free of charge, to any person obtaining a copy

  7.  * of this software and associated documentation files (the "Software"), to deal

  8.  * in the Software without restriction, including without limitation the rights

  9.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

  10.  * copies of the Software, and to permit persons to whom the Software is

  11.  * furnished to do so, subject to the following conditions:

  12.  *

  13.  * The above copyright notice and this permission notice shall be included in

  14.  * all copies or substantial portions of the Software.

  15.  *

  16.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

  17.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

  18.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

  19.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

  20.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

  21.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

  22.  * SOFTWARE.

  23.  */

  24. 

  25.  require_once(dirname(__FILE__) . '/logging.inc.php');

  26.  require_once(dirname(__FILE__) . '/discoverer.inc.php');

  27.  require_once(dirname(__FILE__) . '/poster.inc.php');

  28.  require_once(dirname(__FILE__) . '/urlbuilder.inc.php');

  29.  require_once(dirname(__FILE__) . '/keymanager.inc.php');

  30. 

  31.  if (session_id() == '') {

  32.   // No session - testing maybe?

  33.   session_start();

  34.  }

  35. 

  36.  // Process any openid_url form fields (compatability with 0.1)

  37.  if (!defined('OPENID_URL') && isset($_POST['openid_url'])) {

  38.   define('OPENID_URL', $_POST['openid_url']);

  39.  } else if (!defined('OPENID_URL') && isset($_POST['openid_identifier'])) {

  40.   define('OPENID_URL', $_POST['openid_identifier']);

  41.  }

  42. 

  43.  // Maximum number of requests to allow without a OPENID_THROTTLE_GAP second

  44.  // gap between two of them

  45.  if (!defined('OPENID_THROTTLE_NUM')) {

  46.   define('OPENID_THROTTLE_NUM', 3);

  47.  }

  48. 

  49.  // Time to require between requests before the request counter is reset

  50.  if (!defined('OPENID_THROTTLE_GAP')) {

  51.   define('OPENID_THROTTLE_GAP', 30);

  52.  }

  53. 

  54.  // Whether or not to use the key manager

  55.  define('KEYMANAGER', !defined('OPENID_NOKEYMANAGER') && KeyManager::isSupported());

  56. 

  57.  /**

  58.   * Processes the current request.

  59.   */

  60.  function process() {

  61.   if (defined('OPENID_URL')) {

  62.    // Initial authentication attempt (they just entered their identifier)

  63.    Logger::log('Processing authentication attempt for %s', OPENID_URL);

  64. 

  65.    $reqs = checkRequests();

  66.    $disc = tryDiscovery(OPENID_URL);

  67. 

  68.    $_SESSION['openid'] = array(

  69. 	'identity' => $disc->getClaimedId(),

  70. 	'claimedId' => $disc->getClaimedId(),

  71. 	'endpointUrl' => $disc->getEndpointUrl(),

  72. 	'opLocalId' => $disc->getOpLocalId(),

  73. 	'userSuppliedId' => $disc->getUserSuppliedId(),

  74. 	'version' => $disc->getVersion(),

  75. 	'validated' => false,

  76. 	'nonce' => uniqid(microtime(true), true),

  77. 	'requests' => $reqs,

  78.    );

  79. 

  80.    $handle = getHandle($disc->getEndpointUrl());

  81. 

  82.    $url = URLBuilder::buildRequest(defined('OPENID_IMMEDIATE') ? 'immediate' : 'setup',

  83.               $disc->getEndpointUrl(), $disc->getOpLocalId(),

  84.               $disc->getClaimedId(), URLBuilder::getCurrentURL(), $handle, $disc->getVersion());

  85. 

  86.    URLBuilder::doRedirect($url);

  87.   } else if (isset($_REQUEST['openid_mode'])) {

  88.    checkNonce();

  89. 

  90.    $func = 'process' . str_replace(' ', '', ucwords(str_replace('_', ' ',

  91. 			strtolower($_REQUEST['openid_mode']))));

  92.    if (function_exists($func)) {

  93.     call_user_func($func, checkHandleRevocation());

  94.    }

  95.   }

  96.  }

  97. 

  98.  /**

  99.   * Retrieves or creates the 'requests' session array, which tracks the number

  100.   * of authentication attempts the user has made recently.

  101.   *

  102.   * @return An array (by reference) containing details about recent requests

  103.   */

  104.  function &getRequests() {

  105.   if (!isset($_SESSION['openid']['requests'])) {

  106.    $_SESSION['openid']['requests'] = array('lasttime' => 0, 'count' => 0);

  107.   }

  108. 

  109.   return $_SESSION['openid']['requests'];

  110.  }

  111. 

  112.  /**

  113.   * Checks that the user isn't making requests too frequently, and redirects

  114.   * them with an appropriate error if they are.

  115.   *

  116.   * @return An array containing details about the requests that have been made

  117.   */

  118.  function &checkRequests() {

  119.   $requests = getRequests();

  120. 

  121.   if ($requests['lasttime'] < time() - OPENID_THROTTLE_GAP) {

  122. 

  123.    // Last request was a while ago, reset the timer

  124.    resetRequests(); 

  125. 

  126.   } else if ($requests['count'] > OPENID_THROTTLE_NUM) {

  127. 

  128.    Logger::log('Client throttled: %s requests made', $requests['count']);

  129. 

  130.    // More than the legal number of requests

  131.    error('throttled', 'You are trying to authenticate too often');

  132. 

  133.   }

  134. 

  135.   $requests['count']++;

  136.   $requests['lasttime'] = time();

  137. 

  138.   return $requests;

  139.  }

  140. 

  141.  /**

  142.   * Resets the recent requests counter (for example, after the required time

  143.   * has ellapsed, or after the user has successfully logged in).

  144.   *

  145.   * @param $decrement If true, the count will be decremented instead of cleared

  146.   * @return A copy of the requests array

  147.   */

  148.  function &resetRequests($decrement = false) {

  149.   $requests = getRequests();

  150. 

  151.   if ($decrement) {

  152.    $requests['count'] = max($requests['count'] - 1, 0);

  153.   } else {

  154.    $requests['count'] = 0;

  155.   }

  156. 

  157.   return $requests;

  158.  }

  159. 

  160.  /**

  161.   * Attempts to perform discovery on the specified URL, redirecting the user

  162.   * with an appropriate error if discovery fails.

  163.   *

  164.   * @param String $url The URL to perform discovery on

  165.   * @return An appropriate Discoverer object

  166.   */

  167.  function tryDiscovery($url) {

  168.   try {

  169.    $disc = new Discoverer($url);

  170. 

  171.    if ($disc->getEndpointUrl() == null) {

  172.     Logger::log('Couldn\'t perform discovery on %s', $url);

  173.     error('notvalid', 'Claimed identity is not a valid identifier');

  174.    }

  175. 

  176.    Logger::log('Finished discovery on %s', $url);

  177. 

  178.    return $disc;

  179.   } catch (Exception $e) {

  180.    Logger::log('Error during discovery on %s: %s', $url, $e->getMessage());

  181.    error('discovery', $e->getMessage());

  182.   }

  183.   

  184.   return null;

  185.  }

  186. 

  187.  /**

  188.   * Retrieves an association handle for the specified server. If we don't

  189.   * currently have one, attempts to associate with the server.

  190.   *

  191.   * @param String $server The server whose handle we're retrieving

  192.   * @return The association handle of the server or null on failure

  193.   */

  194.  function getHandle($server) {

  195.   Logger::log('Attempting to find a handle for %s', $server);

  196. 

  197.   if (KEYMANAGER) {

  198.    Logger::log('Using the key manager...');

  199.    if (!KeyManager::hasHandle($server)) {

  200.     Logger::log('Key manager has no handle, trying to associate with %s', $server);

  201.     KeyManager::associate($server);

  202.    }

  203. 

  204.    return KeyManager::getHandle($server);

  205.   } else {

  206.    Logger::log('Not using key manager...');

  207.    return null;

  208.   }

  209.  }

  210. 

  211.  /**

  212.   * Checks that the nonce specified in the current request equals the one

  213.   * stored in the user's session, and redirects them if it doesn't.

  214.   */

  215.  function checkNonce() {

  216.   if ($_REQUEST['openid_nonce'] != $_SESSION['openid']['nonce']) {

  217.    error('nonce', 'Nonce doesn\'t match - possible replay attack');

  218.   } else {

  219.    $_SESSION['openid']['nonce'] = uniqid(microtime(true), true);

  220.   }

  221.  }

  222. 

  223.  /**

  224.   * Checks to see if the request contains an instruction to invalidate the

  225.   * handle we used. If it does, the request is authenticated and the handle

  226.   * removed (or the user is redirected with an error if the IdP doesn't

  227.   * authenticate the message).

  228.   *

  229.   * @return True if the message has been authenticated, false otherwise

  230.   */

  231.  function checkHandleRevocation() {

  232.   $valid = false;

  233. 

  234.   if (KEYMANAGER && isset($_REQUEST['openid_invalidate_handle'])) {

  235.    Logger::log('Request to invalidate handle received');

  236.    $valid = KeyManager::dumbAuthenticate();

  237. 

  238.    if ($valid) {

  239.     KeyManager::revokeHandle($_SESSION['openid']['endpointUrl'], $_REQUEST['openid_invalidate_handle']);

  240.    } else {

  241.     error('noauth', 'Provider didn\'t authenticate message');

  242.    }

  243.   }

  244. 

  245.   return $valid;

  246.  }

  247. 

  248.  /**

  249.   * Processes id_res requests.

  250.   *

  251.   * @param Boolean $valid True if the request has already been authenticated

  252.   */

  253.  function processIdRes($valid) {

  254.   if (isset($_REQUEST['openid_identity'])) {

  255.    processPositiveResponse($valid);

  256.   } else if (isset($_REQUEST['openid_user_setup_url'])) {

  257.    processSetupRequest();

  258.   }

  259.  }

  260.  

  261.  /**

  262.   * Processes a response where the provider is requesting to interact with the

  263.   * user in order to confirm their identity.

  264.   */

  265.  function processSetupRequest() {

  266.   if (defined('OPENID_IMMEDIATE') && OPENID_IMMEDIATE) {

  267.    error('noimmediate', 'Couldn\'t perform immediate auth');

  268.   }

  269. 

  270.   $handle = getHandle($_SESSION['openid']['endpointUrl']);

  271. 

  272.   $url = URLBuilder::buildRequest('setup', $_REQUEST['openid_user_setup_url'],

  273.                                 $_SESSION['openid']['opLocalId'],

  274.                                 $_SESSION['openid']['claimedId'],

  275.                                 URLBuilder::getCurrentURL(), $handle);

  276. 

  277.   URLBuilder::doRedirect($url); 	

  278.  }

  279.  

  280.  /**

  281.   * Processes a positive authentication response.

  282.   *

  283.   * @param Boolean $valid True if the request has already been authenticated

  284.   */

  285.  function processPositiveResponse($valid) {

  286.   Logger::log('Positive response: identity = %s, expected = %s', $_REQUEST['openid_identity'], $_SESSION['openid']['claimedId']);

  287. 

  288.   if (!URLBuilder::isValidReturnToURL($_REQUEST['openid_return_to'])) {

  289.    Logger::log('Return_to check failed: %s, URL: %s', $_REQUEST['openid_return_to'], URLBuilder::getCurrentURL(true));

  290.    error('diffreturnto', 'The identity provider stated return URL was '

  291.                          . $_REQUEST['openid_return_to'] . ' but it actually seems to be '

  292.                          . URLBuilder::getCurrentURL());

  293.   }

  294. 

  295.   $id = $_REQUEST[isset($_REQUEST['openid_claimed_id']) ? 'openid_claimed_id' : 'openid_identity'];

  296. 

  297.   if (!URLBuilder::isSameURL($id, $_SESSION['openid']['claimedId']) && !URLBuilder::isSameURL($id, $_SESSION['openid']['opLocalId'])) {

  298.    if ($_SESSION['openid']['claimedId'] == 'http://specs.openid.net/auth/2.0/identifier_select') {

  299.     $disc = new Discoverer($_REQUEST['openid_claimed_id'], false);

  300. 

  301.     if ($disc->hasServer($_SESSION['openid']['endpointUrl'])) {

  302.      $_SESSION['openid']['identity'] = $_REQUEST['openid_identity']; 

  303.      $_SESSION['openid']['opLocalId'] = $_REQUEST['openid_claimed_id'];

  304.     } else {

  305.      error('diffid', 'The OP at ' . $_SESSION['openid']['endpointUrl'] . ' is attmpting to claim ' . $_REQUEST['openid_claimed_id'] . ' but ' . ($disc->getEndpointUrl() == null ? 'that isn\'t a valid identifier' : 'that identifier only authorises ' . $disc->getEndpointUrl()));

  306.     }

  307.    } else {

  308.      error('diffid', 'Identity provider validated wrong identity. Expected it to '

  309. 	             . 'validate ' . $_SESSION['openid']['claimedId'] . ' but it '

  310.   	             . 'validated ' . $id);

  311.    }

  312.   }

  313. 

  314.   resetRequests(true);

  315. 

  316.   if (!$valid) {

  317.    $dumbauth = true;

  318. 

  319.    if (KEYMANAGER) {

  320.     try {

  321.      Logger::log('Attempting to authenticate using association...');

  322.      $valid = KeyManager::authenticate($_SESSION['openid']['endpointUrl'], $_REQUEST);

  323.      $dumbauth = false;

  324.     } catch (Exception $ex) {

  325.      // Ignore it - try dumb auth

  326.     }

  327.    }

  328. 

  329.    if ($dumbauth) {

  330.     Logger::log('Attempting to authenticate using dumb auth...');

  331.     $valid = KeyManager::dumbAuthenticate();

  332.    }

  333.   }

  334. 

  335.   $_SESSION['openid']['validated'] = $valid;

  336. 

  337.   if (!$valid) {

  338.    Logger::log('Validation failed!');

  339.    error('noauth', 'Provider didn\'t authenticate response');

  340.   }

  341. 

  342.   Processor::callHandlers();

  343.   URLBuilder::redirect(); 

  344.  }

  345. 

  346.  /**

  347.   * Processes cancel modes.

  348.   *

  349.   * @param Boolean $valid True if the request has already been authenticated

  350.   */

  351.  function processCancel($valid) {

  352.   error('cancelled', 'Provider cancelled the authentication attempt');

  353.  }

  354. 

  355.  /**

  356.   * Processes error modes.

  357.   *

  358.   * @param Boolean $valid True if the request has already been authenticated

  359.   */

  360.  function processError($valid) {

  361.   error('perror', 'Provider error: ' . $_REQUEST['openid_error']);

  362.  }

  363. 

  364.  /**

  365.   * Populates the session array with the details of the specified error and

  366.   * redirects the user appropriately.

  367.   *

  368.   * @param String $code The error code that occured

  369.   * @param String $message A description of the error

  370.   */

  371.  function error($code, $message) {

  372.   $_SESSION['openid']['error'] = $message;

  373.   $_SESSION['openid']['errorcode'] = $code;

  374.   URLBuilder::redirect();

  375.  }

  376. 

  377.  class Processor {

  378. 

  379.   public static function callHandlers() {

  380.    global $_POIDSY;

  381. 

  382.    if (empty($_POIDSY['handlers'])) { return; }

  383. 

  384.    foreach ($_POIDSY['handlers'] as $handler) {

  385.     $handler->parseResponse();

  386.    }

  387.   }

  388. 

  389.  }

  390. 

  391.  // Here we go!

  392.  process();

  393. ?>