123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393 |
- <?PHP
-
- /* Poidsy 0.6 - http://chris.smith.name/projects/poidsy
- * Copyright (c) 2008-2010 Chris Smith
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
- require_once(dirname(__FILE__) . '/logging.inc.php');
- require_once(dirname(__FILE__) . '/discoverer.inc.php');
- require_once(dirname(__FILE__) . '/poster.inc.php');
- require_once(dirname(__FILE__) . '/urlbuilder.inc.php');
- require_once(dirname(__FILE__) . '/keymanager.inc.php');
-
- if (session_id() == '') {
- // No session - testing maybe?
- session_start();
- }
-
- // Process any openid_url form fields (compatability with 0.1)
- if (!defined('OPENID_URL') && isset($_POST['openid_url'])) {
- define('OPENID_URL', $_POST['openid_url']);
- } else if (!defined('OPENID_URL') && isset($_POST['openid_identifier'])) {
- define('OPENID_URL', $_POST['openid_identifier']);
- }
-
- // Maximum number of requests to allow without a OPENID_THROTTLE_GAP second
- // gap between two of them
- if (!defined('OPENID_THROTTLE_NUM')) {
- define('OPENID_THROTTLE_NUM', 3);
- }
-
- // Time to require between requests before the request counter is reset
- if (!defined('OPENID_THROTTLE_GAP')) {
- define('OPENID_THROTTLE_GAP', 30);
- }
-
- // Whether or not to use the key manager
- define('KEYMANAGER', !defined('OPENID_NOKEYMANAGER') && KeyManager::isSupported());
-
- /**
- * Processes the current request.
- */
- function process() {
- if (defined('OPENID_URL')) {
- // Initial authentication attempt (they just entered their identifier)
- Logger::log('Processing authentication attempt for %s', OPENID_URL);
-
- $reqs = checkRequests();
- $disc = tryDiscovery(OPENID_URL);
-
- $_SESSION['openid'] = array(
- 'identity' => $disc->getClaimedId(),
- 'claimedId' => $disc->getClaimedId(),
- 'endpointUrl' => $disc->getEndpointUrl(),
- 'opLocalId' => $disc->getOpLocalId(),
- 'userSuppliedId' => $disc->getUserSuppliedId(),
- 'version' => $disc->getVersion(),
- 'validated' => false,
- 'nonce' => uniqid(microtime(true), true),
- 'requests' => $reqs,
- );
-
- $handle = getHandle($disc->getEndpointUrl());
-
- $url = URLBuilder::buildRequest(defined('OPENID_IMMEDIATE') ? 'immediate' : 'setup',
- $disc->getEndpointUrl(), $disc->getOpLocalId(),
- $disc->getClaimedId(), URLBuilder::getCurrentURL(), $handle, $disc->getVersion());
-
- URLBuilder::doRedirect($url);
- } else if (isset($_REQUEST['openid_mode'])) {
- checkNonce();
-
- $func = 'process' . str_replace(' ', '', ucwords(str_replace('_', ' ',
- strtolower($_REQUEST['openid_mode']))));
- if (function_exists($func)) {
- call_user_func($func, checkHandleRevocation());
- }
- }
- }
-
- /**
- * Retrieves or creates the 'requests' session array, which tracks the number
- * of authentication attempts the user has made recently.
- *
- * @return An array (by reference) containing details about recent requests
- */
- function &getRequests() {
- if (!isset($_SESSION['openid']['requests'])) {
- $_SESSION['openid']['requests'] = array('lasttime' => 0, 'count' => 0);
- }
-
- return $_SESSION['openid']['requests'];
- }
-
- /**
- * Checks that the user isn't making requests too frequently, and redirects
- * them with an appropriate error if they are.
- *
- * @return An array containing details about the requests that have been made
- */
- function &checkRequests() {
- $requests = getRequests();
-
- if ($requests['lasttime'] < time() - OPENID_THROTTLE_GAP) {
-
- // Last request was a while ago, reset the timer
- resetRequests();
-
- } else if ($requests['count'] > OPENID_THROTTLE_NUM) {
-
- Logger::log('Client throttled: %s requests made', $requests['count']);
-
- // More than the legal number of requests
- error('throttled', 'You are trying to authenticate too often');
-
- }
-
- $requests['count']++;
- $requests['lasttime'] = time();
-
- return $requests;
- }
-
- /**
- * Resets the recent requests counter (for example, after the required time
- * has ellapsed, or after the user has successfully logged in).
- *
- * @param $decrement If true, the count will be decremented instead of cleared
- * @return A copy of the requests array
- */
- function &resetRequests($decrement = false) {
- $requests = getRequests();
-
- if ($decrement) {
- $requests['count'] = max($requests['count'] - 1, 0);
- } else {
- $requests['count'] = 0;
- }
-
- return $requests;
- }
-
- /**
- * Attempts to perform discovery on the specified URL, redirecting the user
- * with an appropriate error if discovery fails.
- *
- * @param String $url The URL to perform discovery on
- * @return An appropriate Discoverer object
- */
- function tryDiscovery($url) {
- try {
- $disc = new Discoverer($url);
-
- if ($disc->getEndpointUrl() == null) {
- Logger::log('Couldn\'t perform discovery on %s', $url);
- error('notvalid', 'Claimed identity is not a valid identifier');
- }
-
- Logger::log('Finished discovery on %s', $url);
-
- return $disc;
- } catch (Exception $e) {
- Logger::log('Error during discovery on %s: %s', $url, $e->getMessage());
- error('discovery', $e->getMessage());
- }
-
- return null;
- }
-
- /**
- * Retrieves an association handle for the specified server. If we don't
- * currently have one, attempts to associate with the server.
- *
- * @param String $server The server whose handle we're retrieving
- * @return The association handle of the server or null on failure
- */
- function getHandle($server) {
- Logger::log('Attempting to find a handle for %s', $server);
-
- if (KEYMANAGER) {
- Logger::log('Using the key manager...');
- if (!KeyManager::hasHandle($server)) {
- Logger::log('Key manager has no handle, trying to associate with %s', $server);
- KeyManager::associate($server);
- }
-
- return KeyManager::getHandle($server);
- } else {
- Logger::log('Not using key manager...');
- return null;
- }
- }
-
- /**
- * Checks that the nonce specified in the current request equals the one
- * stored in the user's session, and redirects them if it doesn't.
- */
- function checkNonce() {
- if ($_REQUEST['openid_nonce'] != $_SESSION['openid']['nonce']) {
- error('nonce', 'Nonce doesn\'t match - possible replay attack');
- } else {
- $_SESSION['openid']['nonce'] = uniqid(microtime(true), true);
- }
- }
-
- /**
- * Checks to see if the request contains an instruction to invalidate the
- * handle we used. If it does, the request is authenticated and the handle
- * removed (or the user is redirected with an error if the IdP doesn't
- * authenticate the message).
- *
- * @return True if the message has been authenticated, false otherwise
- */
- function checkHandleRevocation() {
- $valid = false;
-
- if (KEYMANAGER && isset($_REQUEST['openid_invalidate_handle'])) {
- Logger::log('Request to invalidate handle received');
- $valid = KeyManager::dumbAuthenticate();
-
- if ($valid) {
- KeyManager::revokeHandle($_SESSION['openid']['endpointUrl'], $_REQUEST['openid_invalidate_handle']);
- } else {
- error('noauth', 'Provider didn\'t authenticate message');
- }
- }
-
- return $valid;
- }
-
- /**
- * Processes id_res requests.
- *
- * @param Boolean $valid True if the request has already been authenticated
- */
- function processIdRes($valid) {
- if (isset($_REQUEST['openid_identity'])) {
- processPositiveResponse($valid);
- } else if (isset($_REQUEST['openid_user_setup_url'])) {
- processSetupRequest();
- }
- }
-
- /**
- * Processes a response where the provider is requesting to interact with the
- * user in order to confirm their identity.
- */
- function processSetupRequest() {
- if (defined('OPENID_IMMEDIATE') && OPENID_IMMEDIATE) {
- error('noimmediate', 'Couldn\'t perform immediate auth');
- }
-
- $handle = getHandle($_SESSION['openid']['endpointUrl']);
-
- $url = URLBuilder::buildRequest('setup', $_REQUEST['openid_user_setup_url'],
- $_SESSION['openid']['opLocalId'],
- $_SESSION['openid']['claimedId'],
- URLBuilder::getCurrentURL(), $handle);
-
- URLBuilder::doRedirect($url);
- }
-
- /**
- * Processes a positive authentication response.
- *
- * @param Boolean $valid True if the request has already been authenticated
- */
- function processPositiveResponse($valid) {
- Logger::log('Positive response: identity = %s, expected = %s', $_REQUEST['openid_identity'], $_SESSION['openid']['claimedId']);
-
- if (!URLBuilder::isValidReturnToURL($_REQUEST['openid_return_to'])) {
- Logger::log('Return_to check failed: %s, URL: %s', $_REQUEST['openid_return_to'], URLBuilder::getCurrentURL(true));
- error('diffreturnto', 'The identity provider stated return URL was '
- . $_REQUEST['openid_return_to'] . ' but it actually seems to be '
- . URLBuilder::getCurrentURL());
- }
-
- $id = $_REQUEST[isset($_REQUEST['openid_claimed_id']) ? 'openid_claimed_id' : 'openid_identity'];
-
- if (!URLBuilder::isSameURL($id, $_SESSION['openid']['claimedId']) && !URLBuilder::isSameURL($id, $_SESSION['openid']['opLocalId'])) {
- if ($_SESSION['openid']['claimedId'] == 'http://specs.openid.net/auth/2.0/identifier_select') {
- $disc = new Discoverer($_REQUEST['openid_claimed_id'], false);
-
- if ($disc->hasServer($_SESSION['openid']['endpointUrl'])) {
- $_SESSION['openid']['identity'] = $_REQUEST['openid_identity'];
- $_SESSION['openid']['opLocalId'] = $_REQUEST['openid_claimed_id'];
- } else {
- error('diffid', 'The OP at ' . $_SESSION['openid']['endpointUrl'] . ' is attmpting to claim ' . $_REQUEST['openid_claimed_id'] . ' but ' . ($disc->getEndpointUrl() == null ? 'that isn\'t a valid identifier' : 'that identifier only authorises ' . $disc->getEndpointUrl()));
- }
- } else {
- error('diffid', 'Identity provider validated wrong identity. Expected it to '
- . 'validate ' . $_SESSION['openid']['claimedId'] . ' but it '
- . 'validated ' . $id);
- }
- }
-
- resetRequests(true);
-
- if (!$valid) {
- $dumbauth = true;
-
- if (KEYMANAGER) {
- try {
- Logger::log('Attempting to authenticate using association...');
- $valid = KeyManager::authenticate($_SESSION['openid']['endpointUrl'], $_REQUEST);
- $dumbauth = false;
- } catch (Exception $ex) {
- // Ignore it - try dumb auth
- }
- }
-
- if ($dumbauth) {
- Logger::log('Attempting to authenticate using dumb auth...');
- $valid = KeyManager::dumbAuthenticate();
- }
- }
-
- $_SESSION['openid']['validated'] = $valid;
-
- if (!$valid) {
- Logger::log('Validation failed!');
- error('noauth', 'Provider didn\'t authenticate response');
- }
-
- Processor::callHandlers();
- URLBuilder::redirect();
- }
-
- /**
- * Processes cancel modes.
- *
- * @param Boolean $valid True if the request has already been authenticated
- */
- function processCancel($valid) {
- error('cancelled', 'Provider cancelled the authentication attempt');
- }
-
- /**
- * Processes error modes.
- *
- * @param Boolean $valid True if the request has already been authenticated
- */
- function processError($valid) {
- error('perror', 'Provider error: ' . $_REQUEST['openid_error']);
- }
-
- /**
- * Populates the session array with the details of the specified error and
- * redirects the user appropriately.
- *
- * @param String $code The error code that occured
- * @param String $message A description of the error
- */
- function error($code, $message) {
- $_SESSION['openid']['error'] = $message;
- $_SESSION['openid']['errorcode'] = $code;
- URLBuilder::redirect();
- }
-
- class Processor {
-
- public static function callHandlers() {
- global $_POIDSY;
-
- if (empty($_POIDSY['handlers'])) { return; }
-
- foreach ($_POIDSY['handlers'] as $handler) {
- $handler->parseResponse();
- }
- }
-
- }
-
- // Here we go!
- process();
- ?>
|