archive
/
poidsy
ウォッチ 1
スター 0
フォーク 0
コード 課題 0 プルリクエスト 0 リリース 2 Wiki アクティビティ
PHP OpenID consumer
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
37 コミット
3 ブランチ
ツリー: 6e9424187c
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'6e9424187c' から
${ noResults }
poidsy/processor.php

processor.php 11KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357 
  1. <?PHP

  2. 

  3. /* Poidsy 0.5 - http://chris.smith.name/projects/poidsy

  4.  * Copyright (c) 2008-2010 Chris Smith

  5.  *

  6.  * Permission is hereby granted, free of charge, to any person obtaining a copy

  7.  * of this software and associated documentation files (the "Software"), to deal

  8.  * in the Software without restriction, including without limitation the rights

  9.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

  10.  * copies of the Software, and to permit persons to whom the Software is

  11.  * furnished to do so, subject to the following conditions:

  12.  *

  13.  * The above copyright notice and this permission notice shall be included in

  14.  * all copies or substantial portions of the Software.

  15.  *

  16.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

  17.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

  18.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

  19.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

  20.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

  21.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

  22.  * SOFTWARE.

  23.  */

  24. 

  25.  require_once(dirname(__FILE__) . '/logging.inc.php');

  26.  require_once(dirname(__FILE__) . '/discoverer.inc.php');

  27.  require_once(dirname(__FILE__) . '/poster.inc.php');

  28.  require_once(dirname(__FILE__) . '/sreg.inc.php');

  29.  require_once(dirname(__FILE__) . '/urlbuilder.inc.php');

  30.  require_once(dirname(__FILE__) . '/keymanager.inc.php');

  31. 

  32.  if (session_id() == '') {

  33.   // No session - testing maybe?

  34.   session_start();

  35.  }

  36. 

  37.  // Process any openid_url form fields (compatability with 0.1)

  38.  if (!defined('OPENID_URL') && isset($_POST['openid_url'])) {

  39.   define('OPENID_URL', $_POST['openid_url']);

  40.  } else if (!defined('OPENID_URL') && isset($_POST['openid_identifier'])) {

  41.   define('OPENID_URL', $_POST['openid_identifier']);

  42.  }

  43. 

  44.  // Maximum number of requests to allow without a OPENID_THROTTLE_GAP second

  45.  // gap between two of them

  46.  if (!defined('OPENID_THROTTLE_NUM')) {

  47.   define('OPENID_THROTTLE_NUM', 3);

  48.  }

  49. 

  50.  // Time to require between requests before the request counter is reset

  51.  if (!defined('OPENID_THROTTLE_GAP')) {

  52.   define('OPENID_THROTTLE_GAP', 30);

  53.  }

  54. 

  55.  // Whether or not to use the key manager

  56.  define('KEYMANAGER', !defined('OPENID_NOKEYMANAGER') && KeyManager::isSupported());

  57. 

  58.  /**

  59.   * Processes the current request.

  60.   */

  61.  function process() {

  62.   if (defined('OPENID_URL')) {

  63.    // Initial authentication attempt (they just entered their identifier)

  64.    Logger::log('Processing authentication attempt for %s', OPENID_URL);

  65. 

  66.    $reqs = checkRequests();

  67.    $disc = tryDiscovery(OPENID_URL);

  68. 

  69.    $_SESSION['openid'] = array(

  70.  	'identity' => $disc->getIdentity(),

  71. 	'delegate' => $disc->getDelegate(),

  72. 	'version' => $disc->getVersion(),

  73. 	'validated' => false,

  74. 	'server' => $disc->getServer(),

  75. 	'nonce' => uniqid(microtime(true), true),

  76. 	'requests' => $reqs,

  77.    );

  78. 

  79.    $handle = getHandle($disc->getServer());

  80. 

  81.    $url = URLBuilder::buildRequest(defined('OPENID_IMMEDIATE') ? 'immediate' : 'setup',

  82.               $disc->getServer(), $disc->getDelegate(),

  83.               $disc->getIdentity(), URLBuilder::getCurrentURL(), $handle, $disc->getVersion());

  84. 

  85.    URLBuilder::doRedirect($url);

  86.   } else if (isset($_REQUEST['openid_mode'])) {

  87.    checkNonce();

  88. 

  89.    $func = 'process' . str_replace(' ', '', ucwords(str_replace('_', ' ',

  90. 			strtolower($_REQUEST['openid_mode']))));

  91.    if (function_exists($func)) {

  92.     call_user_func($func, checkHandleRevocation());

  93.    }

  94.   }

  95.  }

  96. 

  97.  /**

  98.   * Retrieves or creates the 'requests' session array, which tracks the number

  99.   * of authentication attempts the user has made recently.

  100.   *

  101.   * @return An array (by reference) containing details about recent requests

  102.   */

  103.  function &getRequests() {

  104.   if (!isset($_SESSION['openid']['requests'])) {

  105.    $_SESSION['openid']['requests'] = array('lasttime' => 0, 'count' => 0);

  106.   }

  107. 

  108.   return $_SESSION['openid']['requests'];

  109.  }

  110. 

  111.  /**

  112.   * Checks that the user isn't making requests too frequently, and redirects

  113.   * them with an appropriate error if they are.

  114.   *

  115.   * @return An array containing details about the requests that have been made

  116.   */

  117.  function &checkRequests() {

  118.   $requests = getRequests();

  119. 

  120.   if ($requests['lasttime'] < time() - OPENID_THROTTLE_GAP) {

  121. 

  122.    // Last request was a while ago, reset the timer

  123.    resetRequests(); 

  124. 

  125.   } else if ($requests['count'] > OPENID_THROTTLE_NUM) {

  126. 

  127.    Logger::log('Client throttled: %s requests made', $requests['count']);

  128. 

  129.    // More than the legal number of requests

  130.    error('throttled', 'You are trying to authenticate too often');

  131. 

  132.   }

  133. 

  134.   $requests['count']++;

  135.   $requests['lasttime'] = time();

  136. 

  137.   return $requests;

  138.  }

  139. 

  140.  /**

  141.   * Resets the recent requests counter (for example, after the required time

  142.   * has ellapsed, or after the user has successfully logged in).

  143.   *

  144.   * @param $decrement If true, the count will be decremented instead of cleared

  145.   * @return A copy of the requests array

  146.   */

  147.  function &resetRequests($decrement = false) {

  148.   $requests = getRequests();

  149. 

  150.   if ($decrement) {

  151.    $requests['count'] = max($requests['count'] - 1, 0);

  152.   } else {

  153.    $requests['count'] = 0;

  154.   }

  155. 

  156.   return $requests;

  157.  }

  158. 

  159.  /**

  160.   * Attempts to perform discovery on the specified URL, redirecting the user

  161.   * with an appropriate error if discovery fails.

  162.   *

  163.   * @param String $url The URL to perform discovery on

  164.   * @return An appropriate Discoverer object

  165.   */

  166.  function tryDiscovery($url) {

  167.   try {

  168.    $disc = new Discoverer($url);

  169. 

  170.    if ($disc->getServer() == null) {

  171.     Logger::log('Couldn\'t perform discovery on %s', $url);

  172.     error('notvalid', 'Claimed identity is not a valid identifier');

  173.    }

  174. 

  175.    return $disc;

  176.   } catch (Exception $e) {

  177.    Logger::log('Error during discovery on %s: %s', $url, $e->getMessage());

  178.    error('discovery', $e->getMessage());

  179.   }

  180.   

  181.   return null;

  182.  }

  183. 

  184.  /**

  185.   * Retrieves an association handle for the specified server. If we don't

  186.   * currently have one, attempts to associate with the server.

  187.   *

  188.   * @param String $server The server whose handle we're retrieving

  189.   * @return The association handle of the server or null on failure

  190.   */

  191.  function getHandle($server) {

  192.   if (KEYMANAGER) {

  193.    if (!KeyManager::hasHandle($server)) {

  194.     KeyManager::associate($server);

  195.    }

  196. 

  197.    return KeyManager::getHandle($server);

  198.   } else {

  199.    return null;

  200.   }

  201.  }

  202. 

  203.  /**

  204.   * Checks that the nonce specified in the current request equals the one

  205.   * stored in the user's session, and redirects them if it doesn't.

  206.   */

  207.  function checkNonce() {

  208.   if ($_REQUEST['openid_nonce'] != $_SESSION['openid']['nonce']) {

  209.    error('nonce', 'Nonce doesn\'t match - possible replay attack');

  210.   } else {

  211.    $_SESSION['openid']['nonce'] = uniqid(microtime(true), true);

  212.   }

  213.  }

  214. 

  215.  /**

  216.   * Checks to see if the request contains an instruction to invalidate the

  217.   * handle we used. If it does, the request is authenticated and the handle

  218.   * removed (or the user is redirected with an error if the IdP doesn't

  219.   * authenticate the message).

  220.   *

  221.   * @return True if the message has been authenticated, false otherwise

  222.   */

  223.  function checkHandleRevocation() {

  224.   $valid = false;

  225. 

  226.   if (KEYMANAGER && isset($_REQUEST['openid_invalidate_handle'])) {

  227.    $valid = KeyManager::dumbAuth();

  228. 

  229.    if ($valid) {

  230.     KeyManager::removeKey($_SESSION['openid']['server'], $_REQUEST['openid_invalidate_handle']);

  231.    } else {

  232.     error('noauth', 'Provider didn\'t authenticate message');

  233.    }

  234.   }

  235. 

  236.   return $valid;

  237.  }

  238. 

  239.  /**

  240.   * Processes id_res requests.

  241.   *

  242.   * @param Boolean $valid True if the request has already been authenticated

  243.   */

  244.  function processIdRes($valid) {

  245.   if (isset($_REQUEST['openid_identity'])) {

  246.    processPositiveResponse($valid);

  247.   } else if (isset($_REQUEST['openid_user_setup_url'])) {

  248.    processSetupRequest();

  249.   }

  250.  }

  251.  

  252.  /**

  253.   * Processes a response where the provider is requesting to interact with the

  254.   * user in order to confirm their identity.

  255.   */

  256.  function processSetupRequest() {

  257.   if (defined('OPENID_IMMEDIATE') && OPENID_IMMEDIATE) {

  258.    error('noimmediate', 'Couldn\'t perform immediate auth');

  259.   }

  260. 

  261.   $handle = getHandle($_SESSION['openid']['server']);

  262. 

  263.   $url = URLBuilder::buildRequest('setup', $_REQUEST['openid_user_setup_url'],

  264.                                 $_SESSION['openid']['delegate'],

  265.                                 $_SESSION['openid']['identity'],

  266.                                 URLBuilder::getCurrentURL(), $handle);

  267. 

  268.   URLBuilder::doRedirect($url); 	

  269.  }

  270.  

  271.  /**

  272.   * Processes a positive authentication response.

  273.   *

  274.   * @param Boolean $valid True if the request has already been authenticated

  275.   */

  276.  function processPositiveResponse($valid) {

  277.   Logger::log('Positive response: identity = %s, expected = %s', $_REQUEST['openid_identity'], $_SESSION['openid']['identity']);

  278. 

  279.   if ($_REQUEST['openid_identity'] != $_SESSION['openid']['identity']) {

  280.    if ($_SESSION['openid']['identity'] == 'http://specs.openid.net/auth/2.0/identifier_select') {

  281.     $disc = new Discoverer($_REQUEST['openid_claimed_id'], false);

  282.  

  283.     if ($disc->hasServer($_SESSION['openid']['server'])) {

  284.      $_SESSION['openid']['identity'] = $_REQUEST['openid_identity']; 

  285.      $_SESSION['openid']['delegate'] = $_REQUEST['openid_claimed_id'];

  286.      resetRequests(true);

  287.     } else {

  288.      error('diffid', 'The OP at ' . $_SESSION['openid']['server'] . ' is attmpting to claim ' . $_REQUEST['openid_claimed_id'] . ' but ' . ($disc->getServer() == null ? 'that isn\'t a valid identifier' : 'that identifier only authorises ' . $disc->getServer()));

  289.     }

  290.    } else {

  291.      error('diffid', 'Identity provider validated wrong identity. Expected it to '

  292.   	             . 'validate ' . $_SESSION['openid']['delegate'] . ' but it '

  293.   	             . 'validated ' . $_REQUEST['openid_identity']);

  294.    }

  295.   }

  296. 

  297.   if (!$valid) {

  298.    $dumbauth = true;

  299. 

  300.    if (KEYMANAGER) {

  301.     try {

  302.      $valid = KeyManager::authenticate($_SESSION['openid']['server'], $_REQUEST);

  303.      $dumbauth = false;

  304.     } catch (Exception $ex) {

  305.      // Ignore it - try dumb auth

  306.     }

  307.    }

  308. 

  309.    if ($dumbauth) {

  310.     $valid = KeyManager::dumbAuthenticate();

  311.    }

  312.   }

  313. 

  314.   $_SESSION['openid']['validated'] = $valid;

  315. 

  316.   if (!$valid) {

  317.   	error('noauth', 'Provider didn\'t authenticate response');

  318.   }

  319. 

  320.   parseSRegResponse();

  321.   URLBuilder::redirect(); 

  322.  }

  323. 

  324.  /**

  325.   * Processes cancel modes.

  326.   *

  327.   * @param Boolean $valid True if the request has already been authenticated

  328.   */

  329.  function processCancel($valid) {

  330.   error('cancelled', 'Provider cancelled the authentication attempt');

  331.  }

  332. 

  333.  /**

  334.   * Processes error modes.

  335.   *

  336.   * @param Boolean $valid True if the request has already been authenticated

  337.   */

  338.  function processError($valid) {

  339.   error('perror', 'Provider error: ' . $_REQUEST['openid_error']);

  340.  }

  341. 

  342.  /**

  343.   * Populates the session array with the details of the specified error and

  344.   * redirects the user appropriately.

  345.   *

  346.   * @param String $code The error code that occured

  347.   * @param String $message A description of the error

  348.   */

  349.  function error($code, $message) {

  350.   $_SESSION['openid']['error'] = $message;

  351.   $_SESSION['openid']['errorcode'] = $code;

  352.   URLBuilder::redirect();

  353.  }

  354. 

  355.  // Here we go!

  356.  process();

  357. ?>