public function executeTrust(sfWebRequest $request)
{
opApplicationConfiguration::registerJanRainOpenID();
require_once 'Auth/OpenID/Server.php';
require_once 'Auth/OpenID/FileStore.php';
require_once 'Auth/OpenID/SReg.php';
require_once 'Auth/OpenID/AX.php';
$info = unserialize($_SESSION['request']);
$this->forward404Unless($info);
$trusted = $request->hasParameter('trust') || $request->hasParameter('permanent');
if (!$trusted) {
unset($_SESSION['request']);
$url = $info->getCancelURL();
$this->redirect($url);
}
$reqUrl = $this->getController()->genUrl('OpenID/member?id=' . $this->getUser()->getMemberId(), true);
if (!$info->idSelect()) {
$this->forward404Unless($reqUrl === $info->identity, 'request:' . $reqUrl . '/identity:' . $info->identity);
}
unset($_SESSION['request']);
$server = new Auth_OpenID_Server(new Auth_OpenID_FileStore(sfConfig::get('sf_cache_dir')), $info->identity);
$response = $info->answer(true, null, $reqUrl);
$sregRequest = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$axRequest = Auth_OpenID_AX_FetchRequest::fromOpenIDRequest($info);
$allowedProfiles = $request->getParameter('profiles', array());
$requiredProfiles = $this->createListOfRequestedProfiles($sregRequest, $axRequest);
$rejectedProfiles = array_diff_key($requiredProfiles, array_flip($allowedProfiles));
if (in_array(true, $rejectedProfiles)) {
$url = $info->getCancelURL();
$this->redirect($url);
}
if ($sregRequest) {
$sregExchange = new opOpenIDProfileExchange('sreg', $this->getUser()->getMember());
$sregResp = Auth_OpenID_SRegResponse::extractResponse($sregRequest, $sregExchange->getData($allowedProfiles));
$response->addExtension($sregResp);
}
if ($axRequest && !$axRequest instanceof Auth_OpenID_AX_Error) {
$axResp = new Auth_OpenID_AX_FetchResponse();
$axExchange = new opOpenIDProfileExchange('ax', $this->getUser()->getMember());
$userData = $axExchange->getData($allowedProfiles);
foreach ($axRequest->requested_attributes as $k => $v) {
if (!empty($userData[$k])) {
$axResp->addValue($k, $userData[$k]);
}
}
$response->addExtension($axResp);
}
$log = Doctrine::getTable('OpenIDTrustLog')->log($info->trust_root, $this->getUser()->getMemberId());
if ($request->hasParameter('permanent')) {
$log->is_permanent = true;
$log->save();
}
$response = $server->encodeResponse($response);
return $this->writeResponse($response);
}
/**
* Process a request.
*
* This function never returns.
*
* @param Auth_OpenID_Request $request The request we are processing.
*/
public function processRequest(array $state)
{
assert('isset($state["request"])');
$request = $state['request'];
$sreg_req = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
$ax_req = Auth_OpenId_AX_FetchRequest::fromOpenIDRequest($request);
/* In resume.php there should be a way to display data requested through sreg or ax. */
if (!$this->authSource->isAuthenticated()) {
if ($request->immediate) {
/* Not logged in, and we cannot show a login form. */
$this->sendResponse($request->answer(FALSE));
}
$resumeURL = $this->getStateURL('resume.php', $state);
$this->authSource->requireAuth(array('ReturnTo' => $resumeURL));
}
$identity = $this->getIdentity();
assert('$identity !== FALSE');
/* Should always be logged in here. */
if (!$request->idSelect() && $identity !== $request->identity) {
/* The identity in the request doesn't match the one of the logged in user. */
throw new SimpleSAML_Error_Exception('Logged in as different user than the one requested.');
}
if ($this->isTrusted($identity, $request->trust_root)) {
$trusted = TRUE;
} elseif (isset($state['TrustResponse'])) {
$trusted = (bool) $state['TrustResponse'];
} else {
if ($request->immediate) {
/* Not trusted, and we cannot show a trust-form. */
$this->sendResponse($request->answer(FALSE));
}
$trustURL = $this->getStateURL('trust.php', $state);
SimpleSAML_Utilities::redirectTrustedURL($trustURL);
}
if (!$trusted) {
/* The user doesn't trust this site. */
$this->sendResponse($request->answer(FALSE));
}
$response = $request->answer(TRUE, NULL, $identity);
//Process attributes
$attributes = $this->authSource->getAttributes();
foreach ($attributes as $key => $attr) {
if (is_array($attr) && count($attr) === 1) {
$attributes[$key] = $attr[0];
}
}
$pc = new SimpleSAML_Auth_ProcessingChain($this->authProc, array(), 'idp');
$state = array('Attributes' => $attributes, 'isPassive' => TRUE);
$pc->processStatePassive(&$state);
$attributes = $state['Attributes'];
//Process SREG requests
$sreg_resp = Auth_OpenID_SRegResponse::extractResponse($sreg_req, $attributes);
$sreg_resp->toMessage($response->fields);
//Process AX requests
$ax_resp = new Auth_OpenID_AX_FetchResponse();
foreach ($ax_req->iterTypes() as $type_uri) {
if (isset($attributes[$type_uri])) {
$ax_resp->addValue($type_uri, $attributes[$type_uri]);
}
}
$ax_resp->toMessage($response->fields);
/* The user is authenticated, and trusts this site. */
$this->sendResponse($response);
}
function send_geni_user($server, $info)
{
$geni_user = geni_loadUser();
$req_url = idURL($geni_user->username);
$response =& $info->answer(true, null, $req_url);
// Answer with some sample Simple Registration data.
global $portal_cert_file;
global $portal_private_key_file;
$sreg_data = array();
if ($geni_user) {
$sreg_data['nickname'] = $geni_user->username;
$sreg_data['email'] = $geni_user->email();
}
if (empty($sreg_data)) {
error_log("OpenID: Unable to access user information.");
}
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
$sreg_response->toMessage($response->fields);
/*
* Attribute Exchange (AX) is an OpenID extension to pass additional
* attributes. This code was derived by looking at some client
* examples and the AX code. No server-side examples of PHP OpenID
* AX were found.
*
* AX seems to be fragile. Small changes to the code below can
* result in authentication failures.
*
* The user URN has '+' characters but these consistently caused
* authentication failures in testing. Replacing the '+' with '|'
* worked, so that is a necessary transformation below.
*/
$ax_request = Auth_OpenID_AX_FetchRequest::fromOpenIDRequest($info);
if ($ax_request and !Auth_OpenID_AX::isError($ax_request)) {
/* error_log("received AX request: " . print_r($ax_request, true)); */
$ax_response = new Auth_OpenID_AX_FetchResponse();
add_project_slice_info($geni_user, $projects, $slices);
foreach ($ax_request->iterTypes() as $ax_req_type) {
switch ($ax_req_type) {
case 'http://geni.net/projects':
$ax_response->setValues($ax_req_type, $projects);
break;
case 'http://geni.net/slices':
$ax_response->setValues($ax_req_type, $slices);
break;
case 'http://geni.net/user/urn':
$urn = $geni_user->urn();
$urn = str_replace('+', '|', $urn);
$ax_response->addValue('http://geni.net/user/urn', $urn);
break;
case 'http://geni.net/user/prettyname':
$ax_response->addValue($ax_req_type, $geni_user->prettyName());
break;
case 'http://geni.net/wimax/username':
case 'http://geni.net/wimax/wimax_username':
$wimax_name = null;
if (isset($geni_user->ma_member->wimax_username)) {
$wimax_name = $geni_user->ma_member->wimax_username;
}
/* Only send wimax name if it exists. */
if ($wimax_name) {
$ax_response->addValue($ax_req_type, $wimax_name);
}
break;
case 'http://geni.net/irods/username':
/* Get the iRODS username. Do we need to respect the
* 'irods_enabled' flag?
*/
$irods_username = null;
if (isset($geni_user->ma_member->irods_username)) {
$irods_username = $geni_user->ma_member->irods_username;
}
/* Only send it if it exists. */
if ($irods_username) {
error_log("Returning iRODS username {$irods_username} for user " . $geni_user->urn());
$ax_response->addValue($ax_req_type, $irods_username);
} else {
error_log("No iRODS username in OpenID for user " . $geni_user->urn());
}
break;
case 'http://geni.net/irods/zone':
/* Get the IRods zone for this user. */
$irods_zone = irods_default_zone();
/* Only send it if it exists. */
if ($irods_zone) {
error_log("Returning iRODS zone {$irods_zone} for user " . $geni_user->urn());
$ax_response->addValue($ax_req_type, $irods_zone);
} else {
error_log("No iRODS zone in OpenID for user " . $geni_user->urn());
}
break;
}
}
$ax_response->toMessage($response->fields);
}
// Generate a response to send to the user agent.
$webresponse =& $server->encodeResponse($response);
$new_headers = array();
foreach ($webresponse->headers as $k => $v) {
$new_headers[] = $k . ": " . $v;
}
return array($new_headers, $webresponse->body);
}
