archive
/
poidsy
Segui 1
Vota 0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 2 Wiki Attività
PHP OpenID consumer
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30 Commit
3 Rami (Branch)
Albero (Tree): bcb4edbc8a
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da 'bcb4edbc8a'
${ noResults }
poidsy/processor.php

processor.php 10KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327 
  1. <?PHP

  2. 

  3. /* Poidsy 0.5 - http://chris.smith.name/projects/poidsy

  4.  * Copyright (c) 2008-2009 Chris Smith

  5.  *

  6.  * Permission is hereby granted, free of charge, to any person obtaining a copy

  7.  * of this software and associated documentation files (the "Software"), to deal

  8.  * in the Software without restriction, including without limitation the rights

  9.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

  10.  * copies of the Software, and to permit persons to whom the Software is

  11.  * furnished to do so, subject to the following conditions:

  12.  *

  13.  * The above copyright notice and this permission notice shall be included in

  14.  * all copies or substantial portions of the Software.

  15.  *

  16.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

  17.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

  18.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

  19.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

  20.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

  21.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

  22.  * SOFTWARE.

  23.  */

  24. 

  25.  require_once(dirname(__FILE__) . '/logging.inc.php');

  26.  require_once(dirname(__FILE__) . '/discoverer.inc.php');

  27.  require_once(dirname(__FILE__) . '/poster.inc.php');

  28.  require_once(dirname(__FILE__) . '/sreg.inc.php');

  29.  require_once(dirname(__FILE__) . '/urlbuilder.inc.php');

  30.  require_once(dirname(__FILE__) . '/keymanager.inc.php');

  31. 

  32.  if (session_id() == '') {

  33.   // No session - testing maybe?

  34.   session_start();

  35.  }

  36. 

  37.  // Process any openid_url form fields (compatability with 0.1)

  38.  if (!defined('OPENID_URL') && isset($_POST['openid_url'])) {

  39.   define('OPENID_URL', $_POST['openid_url']);

  40.  } else if (!defined('OPENID_URL') && isset($_POST['openid_identifier'])) {

  41.   define('OPENID_URL', $_POST['openid_identifier']);

  42.  }

  43. 

  44.  // Maximum number of requests to allow without a OPENID_THROTTLE_GAP second

  45.  // gap between two of them

  46.  if (!defined('OPENID_THROTTLE_NUM')) {

  47.   define('OPENID_THROTTLE_NUM', 3);

  48.  }

  49. 

  50.  // Time to require between requests before the request counter is reset

  51.  if (!defined('OPENID_THROTTLE_GAP')) {

  52.   define('OPENID_THROTTLE_GAP', 30);

  53.  }

  54. 

  55.  // Whether or not to use the key manager

  56.  define('KEYMANAGER', !defined('OPENID_NOKEYMANAGER') && KeyManager::isSupported());

  57. 

  58.  /**

  59.   * Processes the current request.

  60.   */

  61.  function process() {

  62.   if (defined('OPENID_URL')) {

  63.    // Initial authentication attempt (they just entered their identifier)

  64.    Logger::log('Processing authentication attempt for %s', OPENID_URL);

  65. 

  66.    $reqs = checkRequests();

  67.    $disc = tryDiscovery(OPENID_URL);

  68. 

  69.    $_SESSION['openid'] = array(

  70.  	'identity' => $disc->getIdentity(),

  71. 	'delegate' => $disc->getDelegate(),

  72. 	'version' => $disc->getVersion(),

  73. 	'validated' => false,

  74. 	'server' => $disc->getServer(),

  75. 	'nonce' => uniqid(microtime(true), true),

  76. 	'requests' => $reqs,

  77.    );

  78. 

  79.    $handle = getHandle($disc->getServer());

  80. 

  81.    $url = URLBuilder::buildRequest(defined('OPENID_IMMEDIATE') ? 'immediate' : 'setup',

  82.               $disc->getServer(), $disc->getDelegate(),

  83.               $disc->getIdentity(), URLBuilder::getCurrentURL(), $handle, $disc->getVersion());

  84. 

  85.    URLBuilder::doRedirect($url);

  86.   } else if (isset($_REQUEST['openid_mode'])) {

  87.    checkNonce();

  88. 

  89.    $func = 'process' . str_replace(' ', '', ucwords(str_replace('_', ' ',

  90. 			strtolower($_REQUEST['openid_mode']))));

  91.    if (function_exists($func)) {

  92.     call_user_func($func, checkHandleRevocation());

  93.    }

  94.   }

  95.  }

  96. 

  97.  /**

  98.   * Checks that the user isn't making requests too frequently, and redirects

  99.   * them with an appropriate error if they are.

  100.   *

  101.   * @return An array containing details about the requests that have been made

  102.   */

  103.  function checkRequests() {

  104.   if (isset($_SESSION['openid']['requests'])) {

  105.    $requests = $_SESSION['openid']['requests'];

  106.   } else {

  107.    $requests = array('lasttime' => 0, 'count' => 0);

  108.   }

  109. 

  110.   if ($requests['lasttime'] < time() - OPENID_THROTTLE_GAP) {

  111. 

  112.    // Last request was a while ago, reset the timer

  113.    $requests['count'] = 0;

  114. 

  115.   } else if ($requests['count'] > OPENID_THROTTLE_NUM) {

  116. 

  117.    Logger::log('Client throttled: %s requests made', $requests['count']);

  118. 

  119.    // More than the legal number of requests

  120.    error('throttled', 'You are trying to authenticate too often');

  121. 

  122.   }

  123. 

  124.   $requests['count']++;

  125.   $requests['lasttime'] = time();

  126. 

  127.   return $requests;

  128.  }

  129. 

  130.  /**

  131.   * Attempts to perform discovery on the specified URL, redirecting the user

  132.   * with an appropriate error if discovery fails.

  133.   *

  134.   * @param String $url The URL to perform discovery on

  135.   * @return An appropriate Discoverer object

  136.   */

  137.  function tryDiscovery($url) {

  138.   try {

  139.    $disc = new Discoverer($url);

  140. 

  141.    if ($disc->getServer() == null) {

  142.     Logger::log('Couldn\'t perform discovery on %s', $url);

  143.     error('notvalid', 'Claimed identity is not a valid identifier');

  144.    }

  145. 

  146.    return $disc;

  147.   } catch (Exception $e) {

  148.    Logger::log('Error during discovery on %s: %s', $url, $e->getMessage());

  149.    error('discovery', $e->getMessage());

  150.   }

  151.   

  152.   return null;

  153.  }

  154. 

  155.  /**

  156.   * Retrieves an association handle for the specified server. If we don't

  157.   * currently have one, attempts to associate with the server.

  158.   *

  159.   * @param String $server The server whose handle we're retrieving

  160.   * @return The association handle of the server or null on failure

  161.   */

  162.  function getHandle($server) {

  163.   if (KEYMANAGER) {

  164.    if (!KeyManager::hasHandle($server)) {

  165.     KeyManager::associate($server);

  166.    }

  167. 

  168.    return KeyManager::getHandle($server);

  169.   } else {

  170.    return null;

  171.   }

  172.  }

  173. 

  174.  /**

  175.   * Checks that the nonce specified in the current request equals the one

  176.   * stored in the user's session, and redirects them if it doesn't.

  177.   */

  178.  function checkNonce() {

  179.   if ($_REQUEST['openid_nonce'] != $_SESSION['openid']['nonce']) {

  180.    error('nonce', 'Nonce doesn\'t match - possible replay attack');

  181.   } else {

  182.    $_SESSION['openid']['nonce'] = uniqid(microtime(true), true);

  183.   }

  184.  }

  185. 

  186.  /**

  187.   * Checks to see if the request contains an instruction to invalidate the

  188.   * handle we used. If it does, the request is authenticated and the handle

  189.   * removed (or the user is redirected with an error if the IdP doesn't

  190.   * authenticate the message).

  191.   *

  192.   * @return True if the message has been authenticated, false otherwise

  193.   */

  194.  function checkHandleRevocation() {

  195.   $valid = false;

  196. 

  197.   if (KEYMANAGER && isset($_REQUEST['openid_invalidate_handle'])) {

  198.    $valid = KeyManager::dumbAuth();

  199. 

  200.    if ($valid) {

  201.     KeyManager::removeKey($_SESSION['openid']['server'], $_REQUEST['openid_invalidate_handle']);

  202.    } else {

  203.     error('noauth', 'Provider didn\'t authenticate message');

  204.    }

  205.   }

  206. 

  207.   return $valid;

  208.  }

  209. 

  210.  /**

  211.   * Processes id_res requests.

  212.   *

  213.   * @param Boolean $valid True if the request has already been authenticated

  214.   */

  215.  function processIdRes($valid) {

  216.   if (isset($_REQUEST['openid_identity'])) {

  217.    processPositiveResponse($valid);

  218.   } else if (isset($_REQUEST['openid_user_setup_url'])) {

  219.    processSetupRequest();

  220.   }

  221.  }

  222.  

  223.  /**

  224.   * Processes a response where the provider is requesting to interact with the

  225.   * user in order to confirm their identity.

  226.   */

  227.  function processSetupRequest() {

  228.   if (defined('OPENID_IMMEDIATE') && OPENID_IMMEDIATE) {

  229.    error('noimmediate', 'Couldn\'t perform immediate auth');

  230.   }

  231. 

  232.   $handle = getHandle($_SESSION['openid']['server']);

  233. 

  234.   $url = URLBuilder::buildRequest('setup', $_REQUEST['openid_user_setup_url'],

  235.                                 $_SESSION['openid']['delegate'],

  236.                                 $_SESSION['openid']['identity'],

  237.                                 URLBuilder::getCurrentURL(), $handle);

  238. 

  239.   URLBuilder::doRedirect($url); 	

  240.  }

  241.  

  242.  /**

  243.   * Processes a positive authentication response.

  244.   *

  245.   * @param Boolean $valid True if the request has already been authenticated

  246.   */

  247.  function processPositiveResponse($valid) {

  248.   Logger::log('Positive response: identity = %s, expected = %s', $_REQUEST['openid_identity'], $_SESSION['openid']['identity']);

  249. 

  250.   if ($_REQUEST['openid_identity'] != $_SESSION['openid']['identity']) {

  251.    if ($_SESSION['openid']['identity'] == 'http://specs.openid.net/auth/2.0/identifier_select') {

  252.     $disc = new Discoverer($_REQUEST['openid_claimed_id'], false);

  253.  

  254.     if ($disc->hasServer($_SESSION['openid']['server'])) {

  255.      $_SESSION['openid']['identity'] = $_REQUEST['openid_identity']; 

  256.      $_SESSION['openid']['delegate'] = $_REQUEST['openid_claimed_id'];

  257.     } else {

  258.      error('diffid', 'The OP at ' . $_SESSION['openid']['server'] . ' is attmpting to claim ' . $_REQUEST['openid_claimed_id'] . ' but ' . ($disc->getServer() == null ? 'that isn\'t a valid identifier' : 'that identifier only authorises ' . $disc->getServer()));

  259.     }

  260.    } else {

  261.      error('diffid', 'Identity provider validated wrong identity. Expected it to '

  262.   	             . 'validate ' . $_SESSION['openid']['delegate'] . ' but it '

  263.   	             . 'validated ' . $_REQUEST['openid_identity']);

  264.    }

  265.   }

  266. 

  267.   if (!$valid) {

  268.    $dumbauth = true;

  269. 

  270.    if (KEYMANAGER) {

  271.     try {

  272.      $valid = KeyManager::authenticate($_SESSION['openid']['server'], $_REQUEST);

  273.      $dumbauth = false;

  274.     } catch (Exception $ex) {

  275.      // Ignore it - try dumb auth

  276.     }

  277.    }

  278. 

  279.    if ($dumbauth) {

  280.     $valid = KeyManager::dumbAuthenticate();

  281.    }

  282.   }

  283. 

  284.   $_SESSION['openid']['validated'] = $valid;

  285. 

  286.   if (!$valid) {

  287.   	error('noauth', 'Provider didn\'t authenticate response');

  288.   }

  289. 

  290.   parseSRegResponse();

  291.   URLBuilder::redirect(); 	

  292.  }

  293. 

  294.  /**

  295.   * Processes cancel modes.

  296.   *

  297.   * @param Boolean $valid True if the request has already been authenticated

  298.   */

  299.  function processCancel($valid) {

  300.   error('cancelled', 'Provider cancelled the authentication attempt');

  301.  }

  302. 

  303.  /**

  304.   * Processes error modes.

  305.   *

  306.   * @param Boolean $valid True if the request has already been authenticated

  307.   */

  308.  function processError($valid) {

  309.   error('perror', 'Provider error: ' . $_REQUEST['openid_error']);

  310.  }

  311. 

  312.  /**

  313.   * Populates the session array with the details of the specified error and

  314.   * redirects the user appropriately.

  315.   *

  316.   * @param String $code The error code that occured

  317.   * @param String $message A description of the error

  318.   */

  319.  function error($code, $message) {

  320.   $_SESSION['openid']['error'] = $message;

  321.   $_SESSION['openid']['errorcode'] = $code;

  322.   URLBuilder::redirect();

  323.  }

  324. 

  325.  // Here we go!

  326.  process();

  327. ?>