public function GetSRegDataForRequest(User $user)
{
require_once 'Auth/OpenID/SReg.php';
// Other common SReg fields we could fill are:
// dob, country, language, timezone.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($this->request);
return Auth_OpenID_SRegResponse::extractResponse($sreg_request, array('fullname' => $user->fullName(), 'nickname' => $user->displayName(), 'email' => $user->bestEmail(), 'gender' => $user->isFemale() ? 'F' : 'M'));
}
function check()
{
$this->config->load('openid');
$request_to = site_url($this->config->item('openid_request_to'));
$this->openid->set_request_to($request_to);
$response = $this->openid->getResponse();
switch ($response->status) {
case Auth_OpenID_CANCEL:
$data['msg'] = $this->lang->line('openid_cancel');
break;
case Auth_OpenID_FAILURE:
$data['error'] = $this->_set_message('openid_failure', $response->message);
break;
case Auth_OpenID_SUCCESS:
$openid = $response->getDisplayIdentifier();
$esc_identity = htmlspecialchars($openid, ENT_QUOTES);
$data['success'] = $this->_set_message('openid_success', array($esc_identity, $esc_identity), array('%s', '%t'));
if ($response->endpoint->canonicalID) {
$data['success'] .= $this->_set_message('openid_canonical', $response->endpoint->canonicalID);
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
foreach ($sreg as $key => $value) {
$data['success'] .= $this->_set_message('openid_content', array($key, $value), array('%s', '%t'));
}
$pape_resp = Auth_OpenID_PAPE_Response::fromSuccessResponse($response);
if ($pape_resp) {
if ($pape_resp->auth_policies) {
$data['success'] .= $this->lang->line('openid_pape_policies_affected');
foreach ($pape_resp->auth_policies as $uri) {
$data['success'] .= "<li><tt>{$uri}</tt></li>";
}
$data['success'] .= "</ul>";
} else {
$data['success'] .= $this->lang->line('openid_pape_not_affected');
}
if (isset($pape_resp->auth_age) && $pape_resp->auth_age) {
$data['success'] .= $this->_set_message('openid_auth_age', $pape_resp->auth_age);
}
if ($pape_resp->nist_auth_level) {
$data['success'] .= $this->_set_message('openid_nist_level', $pape_resp->nist_auth_level);
}
} else {
$data['success'] .= $this->lang->line('openid_pape_noresponse');
}
break;
}
$data['pape_policy_uris'] = array(PAPE_AUTH_MULTI_FACTOR_PHYSICAL, PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT);
// echo "nickname: $nickname";
// echo "esc_identity: $esc_identity";
$this->load->view('view_openid', $data);
}
/**
* login_finish action implementation.
*
* @access public
* @return string forward name.
*/
public function perform()
{
// if login do?
$identity = $this->af->get('openid_identity');
if ($this->af->get('janrain_nonce')) {
require_once 'Auth/OpenID.php';
require_once "Auth/OpenID/Consumer.php";
require_once "Auth/OpenID/FileStore.php";
require_once "Auth/OpenID/SReg.php";
require_once "Auth/OpenID/PAPE.php";
$store_path = $this->backend->getController()->getDirectory('tmp') . "/openid_filestore";
$consumer = new Auth_OpenID_Consumer(new Auth_OpenID_FileStore($store_path));
$response = $consumer->complete($this->config->get('url') . "login_finish");
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
$this->ae->add(null, "認証がキャンセルされました.Pastitを利用するには認証してください.");
return 'login';
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
$this->ae->add(null, "認証に失敗しました.(" . $response->message . ")");
return 'login';
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
$openid_success_url = $response->getDisplayIdentifier();
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
$nickname = isset($sreg['nickname']) ? $sreg['nickname'] : "";
$this->session->set("identity", $identity);
$this->session->set("openid_success_url", $openid_success_url);
}
}
}
}
$um = $this->backend->getManager('user');
if ($user = $um->getUserByIdentity($identity)) {
$this->session->set('user', $user);
return array('redirect', '/');
} else {
if (!Ethna::isError($id = $um->create($identity, $nickname))) {
$user = $um->getUser($id);
$this->session->set('user', $user);
return array('redirect', 'setting');
} else {
$this->ae->addObject('name', $id);
return 'error500';
}
}
return 'login';
}
function openid_check($ci, $callback_url, &$data)
{
if (!isset($data)) {
$data = array();
}
$ci->lang->load('openid');
$ci->config->load('openid');
$ci->openid->set_request_to($callback_url);
$response = $ci->openid->getResponse();
switch ($response->status) {
case Auth_OpenID_CANCEL:
push_message($ci->lang->line('openid_cancel'), 'error', $ci);
break;
case Auth_OpenID_FAILURE:
push_message(set_message('openid_failure', $response->message), 'error', $ci);
break;
case Auth_OpenID_SUCCESS:
$openid = $response->getDisplayIdentifier();
$esc_identity = htmlspecialchars($openid, ENT_QUOTES);
$data['openid_identifier'] = $openid;
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
$ax_resp = new Auth_OpenID_AX_FetchResponse();
$ax = $ax_resp->fromSuccessResponse($response);
if (isset($sreg['email'])) {
$data['email'] = $sreg['email'];
}
if ($ax) {
if (isset($ax->data['http://axschema.org/contact/email'])) {
$data['email'] = $ax->getSingle('http://axschema.org/contact/email');
}
if (isset($ax->data['http://axschema.org/namePerson/first'])) {
$first_name = $ax->getSingle('http://axschema.org/namePerson/first');
} else {
$first_name = "Sample";
}
if (isset($ax->data['http://axschema.org/namePerson/last'])) {
$last_name = $ax->getSingle('http://axschema.org/namePerson/last');
} else {
$last_name = "Avatar";
}
if ($first_name != null && $last_name != null) {
$data['username'] = "******";
}
}
return true;
}
return false;
}
function addSregFields(&$response, $info, $req_url)
{
$username = getUsernameFromUrl($req_url);
$user = get_user_by_username($username);
if ($user) {
$email = $user->email;
$fullname = $user->name;
$sreg_data = array('fullname' => $fullname, 'email' => $email);
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
//error_log('DEBUG:' . (string)($response->fields));
$sreg_response->toMessage($response->fields);
}
}
function doAuth($info, $trusted = null, $fail_cancels = false, $idpSelect = null)
{
if (!$info) {
// There is no authentication information, so bail
return authCancel(null);
}
if ($info->idSelect()) {
if ($idpSelect) {
$req_url = idURL($idpSelect);
} else {
$trusted = false;
}
} else {
$req_url = $info->identity;
}
$user = getLoggedInUser();
setRequestInfo($info);
if (!$info->idSelect() && $req_url != idURL($user)) {
return login_render(array(), $req_url, $req_url);
}
$trust_root = $info->trust_root;
if ($trusted) {
setRequestInfo();
$server =& getServer();
$response =& $info->answer(true, null, $req_url);
// Answer with some sample Simple Registration data.
$sreg_data = array('fullname' => 'Example User', 'nickname' => 'example', 'dob' => '1970-01-01', 'email' => '*****@*****.**', 'gender' => 'F', 'postcode' => '12345', 'country' => 'ES', 'language' => 'eu', 'timezone' => 'America/New_York');
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
$sreg_response->toMessage($response->fields);
// Generate a response to send to the user agent.
$webresponse =& $server->encodeResponse($response);
$new_headers = array();
foreach ($webresponse->headers as $k => $v) {
$new_headers[] = $k . ": " . $v;
}
return array($new_headers, $webresponse->body);
} elseif ($fail_cancels) {
return authCancel($info);
} else {
return trust_render($info);
}
}
function run()
{
$consumer = getConsumer();
// Complete the authentication process using the server's
// response.
$return_to = getReturnTo();
$response = $consumer->complete($return_to);
// Check the response status.
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
$msg = '验证被取消。';
//showmessage('cancel_openid_auth');
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
$msg = "OpenID 认证失败: " . $response->message;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
// 将openid记录到session里,在session超时时间内,由以后的逻辑绑定到已注册的uid上。
$_SESSION['openid_identifier'] = $response->getDisplayIdentifier();
$_SESSION['openid_binding'] = time();
//标记可以绑定了,但在发现是可直接登录用户时在要unset
if ($response->endpoint->canonicalID) {
$_SESSION['xri_canonicalid'] = $response->endpoint->canonicalID;
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$_SESSION['openid_sreg'] = $sreg_resp->contents();
//NOTE:记录SREG到会话
// echo var_dump($_SESSION['openid_identifier'])."--_SESSION['openid_identifier']<br>";
// echo var_dump($_SESSION['openid_binding'])."--_SESSION['openid_binding']<br>";
_OpenID_Action();
//添加动作
}
}
}
displayError($msg);
}
/**
*
* @return bool
* @param string $a_username
* @param string $a_password
* @param bool $isChallengeResponse[optional]
*/
public function fetchData($a_username, $a_password, $isChallengeResponse = false)
{
global $ilLog;
$ilLog->write(__METHOD__ . ': Fetch Data called');
$response = $this->settings->getConsumer()->complete($this->settings->getReturnLocation());
switch ($response->status) {
case Auth_OpenID_CANCEL:
die("Auth cancelled");
case Auth_OpenID_FAILURE:
die("Auth failed with message: " . $response->message);
case Auth_OpenID_SUCCESS:
$openid = $response->getDisplayIdentifier();
$esc_identity = htmlentities($openid);
$ilLog->write(__METHOD__ . ': Auth success with identity ' . $esc_identity);
if ($response->endpoint->canonicalID) {
$escaped_canonicalID = htmlentities($response->endpoint->canonicalID);
$ilLog->write(__METHOD__ . ': Auth success with canonical id: ' . $esc_identity);
}
include_once 'Auth/OpenID/SReg.php';
// Check if simple registration is supported
if (Auth_OpenID_supportsSReg($response->endpoint)) {
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response, true);
$this->response_data = $sreg_resp->contents();
$ilLog->write(__METHOD__ . ' auth data: ' . print_r($this->response_data, true));
return true;
} else {
// Try to fetch response values
foreach ($response->message->args->keys as $key => $mapping) {
if ($mapping[1] == 'sreg.nickname') {
$this->response_data['nickname'] = $response->message->args->values[$key];
}
if ($mapping[1] == 'sreg.email') {
$this->response_data['email'] = $response->message->args->values[$key];
}
}
}
return true;
}
return false;
}
/**
* Create a C{L{SRegResponse}} object from a successful OpenID
* library response
* (C{L{openid.consumer.consumer.SuccessResponse}}) response
* message
*
* success_response: A SuccessResponse from consumer.complete()
*
* signed_only: Whether to process only data that was
* signed in the id_res message from the server.
*
* Returns a simple registration response containing the data that
* was supplied with the C{id_res} response.
*/
function fromSuccessResponse(&$success_response, $signed_only = true)
{
global $Auth_OpenID_sreg_data_fields;
$obj = new Auth_OpenID_SRegResponse();
$obj->ns_uri = $obj->_getSRegNS($success_response->message);
if ($signed_only) {
$args = $success_response->getSignedNS($obj->ns_uri);
} else {
$args = $success_response->message->getArgs($obj->ns_uri);
}
if ($args === null || Auth_OpenID::isFailure($args)) {
return null;
}
foreach ($Auth_OpenID_sreg_data_fields as $field_name => $desc) {
if (in_array($field_name, array_keys($args))) {
$obj->data[$field_name] = $args[$field_name];
}
}
return $obj;
}
/**
* Attach SReg response to authentication response.
*/
function openid_server_sreg_auth_response($response)
{
$user = wp_get_current_user();
// should we include SREG in the response?
$include_sreg = false;
if (isset($GLOBALS['openid_server_sreg_trust'])) {
$include_sreg = $GLOBALS['openid_server_sreg_trust'];
} else {
$trusted_sites = get_usermeta($user->ID, 'openid_trusted_sites');
$request = $response->request;
$site_hash = md5($request->trust_root);
if (is_array($trusted_sites) && array_key_exists($site_hash, $trusted_sites)) {
$include_sreg = $trusted_sites[$site_hash]['release_attributes'];
}
}
if ($include_sreg) {
$sreg_data = array();
foreach ($GLOBALS['Auth_OpenID_sreg_data_fields'] as $field => $name) {
$sreg_data[$field] = openid_server_sreg_from_profile($field);
}
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($GLOBALS['openid_server_sreg_request'], $sreg_data);
$response->addExtension($sreg_response);
}
return $response;
}
/**
* Try to log in using OpenID
*
* Check the OpenID for validity; potentially store it.
*
* @return void
*/
function tryLogin()
{
$consumer = oid_consumer();
$response = $consumer->complete(common_local_url('finishaddopenid'));
if ($response->status == Auth_OpenID_CANCEL) {
$this->message(_m('OpenID authentication cancelled.'));
return;
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
$this->message(sprintf(_m('OpenID authentication failed: %s'), $response->message));
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
$display = $response->getDisplayIdentifier();
$canonical = $response->endpoint && $response->endpoint->canonicalID ? $response->endpoint->canonicalID : $display;
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
if ($sreg_resp) {
$sreg = $sreg_resp->contents();
}
$cur = common_current_user();
$other = oid_get_user($canonical);
if ($other) {
if ($other->id == $cur->id) {
$this->message(_m('You already have this OpenID!'));
} else {
$this->message(_m('Someone else already has this OpenID.'));
}
return;
}
// start a transaction
$cur->query('BEGIN');
$result = oid_link_user($cur->id, $canonical, $display);
if (!$result) {
$this->message(_m('Error connecting user.'));
return;
}
if ($sreg) {
if (!oid_update_user($cur, $sreg)) {
$this->message(_m('Error updating profile'));
return;
}
}
// success!
$cur->query('COMMIT');
oid_set_last($display);
common_redirect(common_local_url('openidsettings'), 303);
}
}
}
}
/**
* Process an authentication response.
*
* @param array &$state The state array.
*/
public function postAuth(array &$state)
{
$consumer = $this->getConsumer($state);
$return_to = SimpleSAML_Utilities::selfURL();
// Complete the authentication process using the server's
// response.
$response = $consumer->complete($return_to);
// Check the response status.
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
throw new SimpleSAML_Error_UserAborted();
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
throw new SimpleSAML_Error_AuthSource($this->authId, 'Authentication failed: ' . var_export($response->message, TRUE));
} else {
if ($response->status != Auth_OpenID_SUCCESS) {
throw new SimpleSAML_Error_AuthSource($this->authId, 'General error. Try again.');
}
}
}
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
$openid = $response->identity_url;
$attributes = array('openid' => array($openid));
$attributes['openid.server_url'] = array($response->endpoint->server_url);
if ($response->endpoint->canonicalID) {
$attributes['openid.canonicalID'] = array($response->endpoint->canonicalID);
}
if ($response->endpoint->local_id) {
$attributes['openid.local_id'] = array($response->endpoint->local_id);
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response, $this->validateSReg);
$sregresponse = $sreg_resp->contents();
if (is_array($sregresponse) && count($sregresponse) > 0) {
$attributes['openid.sregkeys'] = array_keys($sregresponse);
foreach ($sregresponse as $sregkey => $sregvalue) {
$attributes['openid.sreg.' . $sregkey] = array($sregvalue);
}
}
// Get AX response information
$ax = new Auth_OpenID_AX_FetchResponse();
$ax_resp = $ax->fromSuccessResponse($response);
if ($ax_resp instanceof Auth_OpenID_AX_FetchResponse && !empty($ax_resp->data)) {
$axresponse = $ax_resp->data;
$attributes['openid.axkeys'] = array_keys($axresponse);
foreach ($axresponse as $axkey => $axvalue) {
if (preg_match("/^\\w+:/", $axkey)) {
$attributes[$axkey] = is_array($axvalue) ? $axvalue : array($axvalue);
} else {
SimpleSAML_Logger::warning('Invalid attribute name in AX response: ' . var_export($axkey, TRUE));
}
}
}
SimpleSAML_Logger::debug('OpenID Returned Attributes: ' . implode(", ", array_keys($attributes)));
$state['Attributes'] = $attributes;
SimpleSAML_Auth_Source::completeAuth($state);
}
/**
* Retrieve user data from OpenID Simple Registration.
*
* @param string $identity_url OpenID to get user data about
* @param reference $data reference to user data array
* @see get_user_data
*/
function openid_get_user_data_sreg($data, $identity_url)
{
require_once dirname(__FILE__) . '/Auth/OpenID/SReg.php';
$response = openid_response();
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
if (!$sreg) {
return $data;
}
if (array_key_exists('email', $sreg) && $sreg['email']) {
$data['user_email'] = $sreg['email'];
}
if (array_key_exists('nickname', $sreg) && $sreg['nickname']) {
$data['nickname'] = $sreg['nickname'];
$data['user_nicename'] = $sreg['nickname'];
$data['display_name'] = $sreg['nickname'];
}
if (array_key_exists('fullname', $sreg) && $sreg['fullname']) {
$namechunks = explode(' ', $sreg['fullname'], 2);
if (isset($namechunks[0])) {
$data['first_name'] = $namechunks[0];
}
if (isset($namechunks[1])) {
$data['last_name'] = $namechunks[1];
}
$data['display_name'] = $sreg['fullname'];
}
return $data;
}
function finishAuth($tid)
{
// Complete the authentication process using the server's response.
$tr = Transaction::taste($tid);
ob_start();
$response = $this->consumer->complete($tr['finishURL']);
ob_end_clean();
$msg = '';
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
$msg = _text("인증이 취소되었습니다.");
} else {
if ($response->status == Auth_OpenID_FAILURE) {
$msg = _text("오픈아이디 인증이 실패하였습니다: ") . $response->message;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
$this->openid = $response->identity_url;
$this->delegatedid = $response->endpoint->local_id;
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$this->sreg = $sreg_resp->contents();
if (!isset($this->sreg['nickname'])) {
$this->sreg['nickname'] = "";
}
$msg = '';
if (empty($tr['authenticate_only'])) {
$this->setAcl($this->openid);
$this->update($this->openid, $this->delegatedid, $this->sreg['nickname']);
if (!empty($tr['need_writers'])) {
if (!Acl::check('group.writers')) {
$msg = _text("관리자 권한이 없는 오픈아이디 입니다") . " : " . $this->openid;
}
}
fireEvent("AfterOpenIDLogin", $this->openid);
} else {
Acl::authorize('openid_temp', $this->openid);
}
}
}
}
return $msg ? $this->_redirectWithError($msg, $tid) : $this->_redirectWithSucess($tid);
}
/**
* This method should handle any authentication and report back to the subject
*
* @access public
* @param array $credentials Array holding the user credentials
* @param array $options Array of extra options (return, entry_url)
* @param object $response Authentication response object
* @return boolean
* @since 1.5
*/
function onAuthenticate($credentials, $options, &$response)
{
$mainframe =& JFactory::getApplication();
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
define('Auth_OpenID_RAND_SOURCE', null);
} else {
$f = @fopen('/dev/urandom', 'r');
if ($f !== false) {
define('Auth_OpenID_RAND_SOURCE', '/dev/urandom');
fclose($f);
} else {
$f = @fopen('/dev/random', 'r');
if ($f !== false) {
define('Auth_OpenID_RAND_SOURCE', '/dev/urandom');
fclose($f);
} else {
define('Auth_OpenID_RAND_SOURCE', null);
}
}
}
jimport('openid.consumer');
jimport('joomla.filesystem.folder');
// Access the session data
$session =& JFactory::getSession();
// Create and/or start using the data store
$store_path = JPATH_ROOT . '/tmp/_joomla_openid_store';
if (!JFolder::exists($store_path) && !JFolder::create($store_path)) {
$response->type = JAUTHENTICATE_STATUS_FAILURE;
$response->error_message = "Could not create the FileStore directory '{$store_path}'. " . " Please check the effective permissions.";
return false;
}
// Create store object
$store = new Auth_OpenID_FileStore($store_path);
// Create a consumer object
$consumer = new Auth_OpenID_Consumer($store);
if (!isset($_SESSION['_openid_consumer_last_token'])) {
// Begin the OpenID authentication process.
if (!($auth_request = $consumer->begin($credentials['username']))) {
$response->type = JAUTHENTICATE_STATUS_FAILURE;
$response->error_message = 'Authentication error : could not connect to the openid server';
return false;
}
$sreg_request = Auth_OpenID_SRegRequest::build(array('email'), array('fullname', 'language', 'timezone'));
if ($sreg_request) {
$auth_request->addExtension($sreg_request);
}
$policy_uris = array();
if ($this->params->get('phishing-resistant', 0)) {
$policy_uris[] = 'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant';
}
if ($this->params->get('multi-factor', 0)) {
$policy_uris[] = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor';
}
if ($this->params->get('multi-factor-physical', 0)) {
$policy_uris[] = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical';
}
$pape_request = new Auth_OpenID_PAPE_Request($policy_uris);
if ($pape_request) {
$auth_request->addExtension($pape_request);
}
//Create the entry url
$entry_url = isset($options['entry_url']) ? $options['entry_url'] : JURI::base();
$entry_url = JURI::getInstance($entry_url);
unset($options['entry_url']);
//We don't need this anymore
//Create the url query information
$options['return'] = isset($options['return']) ? base64_encode($options['return']) : base64_encode(JURI::base());
$options[JUtility::getToken()] = 1;
$process_url = sprintf($entry_url->toString() . "?option=com_user&task=login&username=%s", $credentials['username']);
$process_url .= '&' . JURI::buildQuery($options);
$session->set('return_url', $process_url);
$trust_url = $entry_url->toString(array('path', 'host', 'port', 'scheme'));
$session->set('trust_url', $trust_url);
// For OpenID 1, send a redirect. For OpenID 2, use a Javascript
// form to send a POST request to the server.
if ($auth_request->shouldSendRedirect()) {
$redirect_url = $auth_request->redirectURL($trust_url, $process_url);
// If the redirect URL can't be built, display an error
// message.
if (Auth_OpenID::isFailure($redirect_url)) {
displayError("Could not redirect to server: " . $redirect_url->message);
} else {
// Send redirect.
$mainframe->redirect($redirect_url);
return false;
}
} else {
// Generate form markup and render it.
$form_id = 'openid_message';
$form_html = $auth_request->htmlMarkup($trust_url, $process_url, false, array('id' => $form_id));
// Display an error if the form markup couldn't be generated;
// otherwise, render the HTML.
if (Auth_OpenID::isFailure($form_html)) {
//displayError("Could not redirect to server: " . $form_html->message);
} else {
JResponse::setBody($form_html);
echo JResponse::toString($mainframe->getCfg('gzip'));
$mainframe->close();
return false;
}
}
}
$result = $consumer->complete($session->get('return_url'));
switch ($result->status) {
case Auth_OpenID_SUCCESS:
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($result);
$sreg = $sreg_resp->contents();
$usermode = $this->params->get('usermode', 2);
/* in the following code, we deal with the transition from the old openid version to the new openid version
In the old version, the username was always taken straight from the login form. In the new version, we get a
username back from the openid provider. This is necessary for a number of reasons. First, providers such as
yahoo.com allow you to enter only the provider name in the username field (i.e. yahoo.com or flickr.com). Taking
this as the username would obviously cause problems because everybody who had an id from yahoo.com would have username
yahoo.com. Second, it is necessary because with the old way, we rely on the user entering the id the same every time.
This is bad because if the user enters the http:// one time and not the second time, they end up as two different users.
There are two possible settings here - the first setting, is to always use the new way, which is to get the username from
the provider after authentication. The second setting is to check if the username exists that we got from the provider. If it
doesn't, then we check if the entered username exists. If it does, then we update the database with the username from the provider
and continue happily along with the new username.
We had talked about a third option, which would be to always used the old way, but that seems insecure in the case of somebody using
a yahoo.com ID.
*/
if ($usermode && $usermode == 1) {
$response->username = $result->getDisplayIdentifier();
} else {
// first, check if the provider provided username exists in the database
$db =& JFactory::getDBO();
$query = 'SELECT username FROM #__users' . ' WHERE username='******' AND password=\'\'';
$db->setQuery($query);
$dbresult = $db->loadObject();
if ($dbresult) {
// if so, we set our username value to the provided value
$response->username = $result->getDisplayIdentifier();
} else {
// if it doesn't, we check if the username from the from exists in the database
$query = 'SELECT username FROM #__users' . ' WHERE username='******'username']) . ' AND password=\'\'';
$db->setQuery($query);
$dbresult = $db->loadObject();
if ($dbresult) {
// if it does, we update the database
$query = 'UPDATE #__users SET username='******' WHERE username='******'username']);
$db->setQuery($query);
$db->query();
if (!$db->query()) {
$response->status = JAUTHENTICATE_STATUS_FAILURE;
$response->error_message = $db->getErrorMsg();
//break out of the switch if we hit an error with our query
break;
}
}
$response->username = $result->getDisplayIdentifier();
// we return the username provided by the openid provider
}
}
$response->status = JAUTHENTICATE_STATUS_SUCCESS;
$response->error_message = '';
if (!isset($sreg['email'])) {
$response->email = str_replace(array('http://', 'https://'), '', $response->username);
$response->email = str_replace('/', '-', $response->email);
$response->email .= '@openid.';
} else {
$response->email = $sreg['email'];
}
$response->fullname = isset($sreg['fullname']) ? $sreg['fullname'] : $response->username;
$response->language = isset($sreg['language']) ? $sreg['language'] : '';
$response->timezone = isset($sreg['timezone']) ? $sreg['timezone'] : '';
break;
case Auth_OpenID_CANCEL:
$response->status = JAUTHENTICATE_STATUS_CANCEL;
$response->error_message = 'Authentication cancelled';
break;
case Auth_OpenID_FAILURE:
$response->status = JAUTHENTICATE_STATUS_FAILURE;
$response->error_message = 'Authentication failed';
break;
}
}
private function getUserProfileInfo($response)
{
if (Auth_OpenID_supportsSReg($response->endpoint)) {
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
$email = @$sreg['email'];
$full_name = @$sreg['fullname'];
} else {
//AX
// Get registration informations
$ax = new Auth_OpenID_AX_FetchResponse();
$obj = $ax->fromSuccessResponse($response);
$email = $obj->data["http://axschema.org/contact/email"][0];
if (isset($obj->data["http://axschema.org/namePerson/first"])) {
$full_name = $obj->data["http://axschema.org/namePerson/first"][0] . ' ' . $obj->data["http://axschema.org/namePerson/last"][0];
} else {
$full_name = $obj->data["http://axschema.org/namePerson"][0];
}
}
return array($email, $full_name);
}
/**
* Finish up authentication.
*
* @access public
* @return string
*/
public function finish_auth()
{
$msg = $error = $success = '';
$consumer = $this->_get_consumer();
// Complete the authentication process using the server's response.
$response = $consumer->complete($this->_get_self());
// Check the response status.
if ($response->status == Auth_OpenID_CANCEL) {
$data = $this->_throw_error(OPENID_RETURN_CANCEL);
} else {
if ($response->status == Auth_OpenID_FAILURE) {
$data = $this->_throw_error(OPENID_RETURN_FAILURE, $response->message);
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// if AX
$ax_resp = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response);
if ($response->endpoint->used_yadis && $ax_resp) {
$data = $ax_resp->data;
$new_data = array();
foreach ($data as $i => $item) {
if (array_key_exists($i, $this->ax_aliases)) {
$new_data[$this->ax_aliases[$i]] = $item;
} else {
$new_data[$i] = $item;
}
}
$data = $new_data;
} else {
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$data = $sreg_resp->contents();
}
}
}
}
// if handling a popup request
if ($this->ci->session->userdata('_openid_popup')) {
$this->ci->session->unset_userdata('_openid_popup');
// store the data in a session
$this->ci->session->set_userdata('_openid_data', $data);
// close the popup
include OPENID_DIRECTORY . 'EasyOpenID_close.php';
die;
} else {
return $data;
}
}
function doAuth($info, $trusted = null, $fail_cancels = false, $idpSelect = null)
{
if (!$info) {
// There is no authentication information, so bail
return authCancel(null);
}
$auth = getAuth();
$cert_webid_23 = str_replace('#', '%23', $auth['agent']['webid']);
$cert_webid = str_replace('http://', '', $cert_webid_23);
// $cert_webid = urlencode($auth['agent']['webid']);
if ($_SERVER['HTTPS']) {
$host = "https://openid4.me/";
} else {
$host = "http://openid4.me/";
}
$normalized_webid = $host . $cert_webid;
if ($info->idSelect()) {
// if ($idpSelect) {
// $req_url = idURL($idpSelect);
if ($auth[isAuthenticated]) {
$req_url = $normalized_webid;
} else {
$trusted = false;
}
// } else {
// $trusted = false;
// }
} else {
$req_url = $info->identity;
if ($req_url != $normalized_webid) {
//Get link header
$link_webid = fetch_foaf_profile($req_url);
if ($cert_webid == $link_webid) {
$trusted = true;
} else {
$agent = get_agent(urldecode($link_webid));
/*
print "<pre>";
print_r($agent);
print "</pre>";
*/
$link_webid = isset($agent['agent']['webid']) ? str_replace('#', '%23', $agent['agent']['webid']) : '';
if ($cert_webid_23 == $link_webid) {
$trusted = true;
} else {
$trusted = false;
}
}
} else {
$trusted = true;
}
}
$user = getLoggedInUser();
setRequestInfo($info);
/*
if ((!$info->idSelect()) && ($req_url != idURL($user))) {
return login_render(array(), $req_url, $req_url);
}
*/
$trust_root = $info->trust_root;
if ($trusted) {
setRequestInfo();
$server =& getServer();
$response =& $info->answer(true, null, $req_url);
// Answer with some sample Simple Registration data.
$agent = get_agent($auth['agent']['webid']);
$sreg_data = array();
if ($fullname = $agent['agent']['name']) {
$sreg_data = array_merge($sreg_data, array('fullname' => $fullname));
}
if ($nickname = $agent['agent']['nick'][0]) {
$sreg_data = array_merge($sreg_data, array('nickname' => $nickname));
}
if ($mbox = $agent['agent']['mbox'][0]) {
$mbox = str_replace('mailto:', '', $mbox);
$sreg_data = array_merge($sreg_data, array('email' => $mbox));
}
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
$sreg_response->toMessage($response->fields);
// Generate a response to send to the user agent.
$webresponse =& $server->encodeResponse($response);
$new_headers = array();
foreach ($webresponse->headers as $k => $v) {
$new_headers[] = $k . ": " . $v;
}
return array($new_headers, $webresponse->body);
} elseif ($fail_cancels) {
return authCancel($info);
} else {
return trust_render($info);
}
}
function tryLogin()
{
$consumer = oid_consumer();
$response = $consumer->complete(common_local_url('finishopenidlogin'));
if ($response->status == Auth_OpenID_CANCEL) {
// TRANS: Status message in case the response from the OpenID provider is that the logon attempt was cancelled.
$this->message(_m('OpenID authentication cancelled.'));
return;
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// TRANS: OpenID authentication failed; display the error message. %s is the error message.
$this->message(sprintf(_m('OpenID authentication failed: %s'), $response->message));
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
$display = $response->getDisplayIdentifier();
$canonical = $response->endpoint->canonicalID ? $response->endpoint->canonicalID : $response->getDisplayIdentifier();
oid_assert_allowed($display);
oid_assert_allowed($canonical);
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
if ($sreg_resp) {
$sreg = $sreg_resp->contents();
}
// Launchpad teams extension
if (!oid_check_teams($response)) {
$this->message(_m('OpenID authentication aborted: you are not allowed to login to this site.'));
return;
}
$user = oid_get_user($canonical);
if ($user) {
oid_set_last($display);
# XXX: commented out at @edd's request until better
# control over how data flows from OpenID provider.
# oid_update_user($user, $sreg);
common_set_user($user);
common_real_login(true);
if (isset($_SESSION['openid_rememberme']) && $_SESSION['openid_rememberme']) {
common_rememberme($user);
}
unset($_SESSION['openid_rememberme']);
$this->goHome($user->nickname);
} else {
$this->saveValues($display, $canonical, $sreg);
$this->showForm(null, $this->bestNewNickname($display, $sreg));
}
}
}
}
}
/**
* Function to process the response of the OpenID server
*/
function processopenidresponse()
{
$consumer = new Auth_OpenID_Consumer(new OpenIDStorage(), new SessionWrapper());
$trust_root = Director::absoluteBaseURL();
$return_to_url = $trust_root . $this->Link('ProcessOpenIDResponse');
// Complete the authentication process using the server's response.
$response = $consumer->complete($return_to_url);
if ($response->status == Auth_OpenID_SUCCESS) {
Session::clear("FormInfo.Form_RegistrationWithOpenIDForm.data");
$openid = $response->identity_url;
if ($response->endpoint->canonicalID) {
$openid = $response->endpoint->canonicalID;
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
// Convert the simple registration data to the needed format
// try to split fullname to get firstname and surname
$data = array('IdentityURL' => $openid);
if (isset($sreg['nickname'])) {
$data['Nickname'] = $sreg['nickname'];
}
if (isset($sreg['fullname'])) {
$fullname = explode(' ', $sreg['fullname'], 2);
if (count($fullname) == 2) {
$data['FirstName'] = $fullname[0];
$data['Surname'] = $fullname[1];
} else {
$data['Surname'] = $fullname[0];
}
}
if (isset($sreg['country'])) {
$data['Country'] = $sreg['country'];
}
if (isset($sreg['email'])) {
$data['Email'] = $sreg['email'];
}
Session::set("FormInfo.Form_RegistrationForm.data", $data);
Director::redirect($this->Link('register'));
return;
}
// The server returned an error message, handle it!
if ($response->status == Auth_OpenID_CANCEL) {
$error_message = _t('ForumMemberProfile.CANCELLEDVERIFICATION', 'The verification was cancelled. Please try again.');
} else {
if ($response->status == Auth_OpenID_FAILURE) {
$error_message = _t('ForumMemberProfile.AUTHENTICATIONFAILED', 'The OpenID/i-name authentication failed.');
} else {
$error_message = _t('ForumMemberProfile.UNEXPECTEDERROR', 'An unexpected error occured. Please try again or register without OpenID');
}
}
$this->RegistrationWithOpenIDForm()->addErrorMessage("Blurb", $error_message, 'bad');
Director::redirect($this->Link('registerwithopenid'));
}
/**
* Retrieve user data from OpenID Simple Registration.
*
* @see get_user_data
*/
function get_user_data_sreg($identity_url, &$data)
{
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($this->response);
$sreg = $sreg_resp->contents();
$this->core->log->debug(var_export($sreg, true));
if (!$sreg) {
return false;
}
if (array_key_exists('email', $sreg) && $sreg['email']) {
$data['user_email'] = $sreg['email'];
}
if (array_key_exists('nickname', $sreg) && $sreg['nickname']) {
$data['nickname'] = $sreg['nickname'];
$data['user_nicename'] = $sreg['nickname'];
$data['display_name'] = $sreg['nickname'];
}
if (array_key_exists('fullname', $sreg) && $sreg['fullname']) {
$namechunks = explode(' ', $sreg['fullname'], 2);
if (isset($namechunks[0])) {
$data['first_name'] = $namechunks[0];
}
if (isset($namechunks[1])) {
$data['last_name'] = $namechunks[1];
}
$data['display_name'] = $sreg['fullname'];
}
return true;
}
/**
* openid_auth_2
* Authenticate user with OpenID, step 2
*/
private static function openid_auth_2()
{
$results = array();
$results['type'] = 'openid';
$consumer = Openid::get_consumer();
if ($consumer) {
$response = $consumer->complete(Openid::get_return_url());
if ($response->status == Auth_OpenID_CANCEL) {
$results['success'] = false;
$results['error'] = 'OpenID verification cancelled.';
} else {
if ($response->status == Auth_OpenID_FAILURE) {
$results['success'] = false;
$results['error'] = 'OpenID authentication failed: ' . $response->message;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// Extract the identity URL and Simple Registration data (if it was returned).
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
$results['website'] = $response->getDisplayIdentifier();
if (@$sreg['email']) {
$results['email'] = $sreg['email'];
}
if (@$sreg['nickname']) {
$results['username'] = $sreg['nickname'];
}
if (@$sreg['fullname']) {
$results['name'] = $sreg['fullname'];
}
$users = User::get_from_website($results['website']);
if (count($users) > 0) {
if (count($users) == 1) {
$user = new User($users[0]);
$results['success'] = true;
$results['username'] = $user->username;
} else {
// Several users for the same website/openid? Allowed but stupid, try to get a match on username.
// Should we make website field unique?
foreach ($users as $id) {
$user = new User($id);
if ($user->username == $results['username']) {
$results['success'] = true;
$results['username'] = $user->username;
}
}
}
} else {
// Don't return success if an user already exists for this username but don't have this openid identity as website
$user = User::get_from_username($results['username']);
if ($user->id) {
$results['success'] = false;
$results['error'] = 'No user associated to this OpenID and username already taken.';
} else {
$results['success'] = true;
$results['error'] = 'No user associated to this OpenID.';
}
}
}
}
}
}
return $results;
}
// identity URL and Simple Registration data (if it was
// returned).
$openid = $response->getDisplayIdentifier();
$esc_identity = htmlspecialchars($openid);
$people = $POD->getPeople(array('openid' => $esc_identity));
if (!$POD->isAuthenticated()) {
if ($people->count() == 1) {
// successful login
$POD->changeActor(array('id' => $people->getNext()->get('id')));
$days = 15;
setcookie('pp_auth', $POD->currentUser()->get('authSecret'), time() + 86400 * $days, "/");
header("Location: " . $POD->siteRoot(false));
exit;
} else {
if ($people->count() == 0) {
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
$open_id_info['openid'] = $openid;
$open_id_info['email'] = @$sreg['email'];
$open_id_info['fullname'] = @$sreg['fullname'];
$open_id_info['nickname'] = @$sreg['nickname'];
$open_id_info['zip'] = @$sreg['postcode'];
}
}
} else {
if ($people->count() == 0) {
// a valid id was passed in by a user who was already authenticated, and there is nobody else with this id, so that means we
// were adding it to an account
$POD->currentUser()->addMeta('openid', $esc_identity);
$POD->addMessage('Your OpenID was added!');
} else {
static function authenticate_openid($getData, $store_path, $returnData = false)
{
global $serendipity;
$trust_root = $serendipity['baseURL'] . 'serendipity_admin.php';
$path_extra = dirname(__FILE__) . DIRECTORY_SEPARATOR . 'PHP-openid';
$path = ini_get('include_path');
$path = $path_extra . PATH_SEPARATOR . $path;
ini_set('include_path', $path);
require_once "Auth/OpenID/Consumer.php";
require_once "Auth/OpenID/FileStore.php";
require_once "Auth/OpenID/SReg.php";
require_once "Auth/OpenID/PAPE.php";
$store = new Auth_OpenID_FileStore($store_path);
$consumer = new Auth_OpenID_Consumer($store);
$response = $consumer->complete($trust_root);
//, $getData);
if ($response->status == Auth_OpenID_CANCEL) {
$success = 'Verification cancelled.';
} else {
if ($response->status == Auth_OpenID_FAILURE) {
$success = "OpenID authentication failed: " . $response->message;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
$openid = $response->getDisplayIdentifier();
$esc_identity = escape($openid);
$success = sprintf('You have successfully verified ' . '<a href="%s">%s</a> as your identity.', $esc_identity, $esc_identity);
if ($response->endpoint->canonicalID) {
$escaped_canonicalID = escape($response->endpoint->canonicalID);
$success .= ' (XRI CanonicalID: ' . $escaped_canonicalID . ') ';
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
if (@$sreg['email']) {
escape($sreg['email']);
$success .= " You also returned '" . escape($sreg['email']) . "' as your email.";
}
if (@$sreg['nickname']) {
$success .= " Your nickname is '" . escape($sreg['nickname']) . "'.";
}
if (@$sreg['fullname']) {
$success .= " Your fullname is '" . escape($sreg['fullname']) . "'.";
}
}
}
}
if (!empty($openid)) {
if ($returnData) {
return array('realname' => $realname, 'email' => $email, 'openID' => $openid);
}
$password = md5($openid);
$query = "SELECT DISTINCT a.email, a.authorid, a.userlevel, a.right_publish, a.realname\r\n FROM\r\n {$serendipity['dbPrefix']}authors AS a, {$serendipity['dbPrefix']}openid_authors AS oa\r\n WHERE\r\n oa.openid_url = '" . serendipity_db_escape_string($openid) . "' and \r\n oa.authorid = a.authorid";
$row = serendipity_db_query($query, true, 'assoc');
if (is_array($row)) {
serendipity_setCookie('old_session', session_id());
serendipity_setAuthorToken();
$_SESSION['serendipityUser'] = $serendipity['serendipityUser'] = $row['realname'];
$_SESSION['serendipityPassword'] = $serendipity['serendipityPassword'] = $password;
$_SESSION['serendipityEmail'] = $serendipity['serendipityEmail'] = $email;
$_SESSION['serendipityAuthorid'] = $serendipity['authorid'] = $row['authorid'];
$_SESSION['serendipityUserlevel'] = $serendipity['serendipityUserlevel'] = $row['userlevel'];
$_SESSION['serendipityAuthedUser'] = $serendipity['serendipityAuthedUser'] = true;
$_SESSION['serendipityRightPublish'] = $serendipity['serendipityRightPublish'] = $row['right_publish'];
$_SESSION['serendipityRealname'] = $serendipity['serendipityRealname'] = $row['realname'];
$_SESSION['serendipityOpenID'] = true;
serendipity_load_configuration($serendipity['authorid']);
return true;
} else {
$_SESSION['serendipityAuthedUser'] = false;
@session_destroy();
}
}
return false;
}
/**
* Iff user was authenticated (at URL returned by getLoginUrl),
* returns associative array that WILL contain user's Harvard email
* address (mail) and that MAY contain user's name (displayName).
*
* @param return_to URL to which CS50 ID returned user
*
* @return user as associative array
*/
public static function getUser($return_to)
{
// ignore Janrain's use of deprecated functions
$error_reporting = error_reporting();
error_reporting($error_reporting & ~E_DEPRECATED);
// load Janrain's libary
set_include_path(get_include_path() . PATH_SEPARATOR . dirname(__FILE__) . DIRECTORY_SEPARATOR . "share" . DIRECTORY_SEPARATOR . "php-openid-2.3.0");
require_once "Auth/OpenID/AX.php";
require_once "Auth/OpenID/Consumer.php";
require_once "Auth/OpenID/FileStore.php";
require_once "Auth/OpenID/SReg.php";
// ensure $_SESSION exists for Yadis
@session_start();
// prepare filesystem-based store
$path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . md5($return_to);
@mkdir($path, 0700);
if (!is_dir($path)) {
trigger_error("Could not create {$path}", E_USER_ERROR);
}
if (!is_readable($path)) {
trigger_error("Could not read from {$path}", E_USER_ERROR);
}
if (!is_writable($path)) {
trigger_error("Could not write to {$path}", E_USER_ERROR);
}
$store = new Auth_OpenID_FileStore($path);
// get response
$consumer = new Auth_OpenID_Consumer($store);
$response = $consumer->complete($return_to);
if ($response->status == Auth_OpenID_SUCCESS) {
// get user's identity
$user = ["identity" => $response->identity_url];
// get Simple Registration fields, if any
if ($sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response)) {
$user = array_merge($user, $sreg_resp->contents());
}
// get Attribute Exchange attributes, if any
if ($ax_resp = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response)) {
$user = array_merge($user, $ax_resp->data);
}
}
// restore error_reporting
error_reporting($error_reporting);
// return user unless error
return isset($user) ? $user : false;
}
function run()
{
$consumer = getConsumer();
// Complete the authentication process using the server's
// response.
$return_to = getReturnTo();
$response = $consumer->complete($return_to);
// Check the response status.
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
$msg = 'Verification cancelled.';
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
$msg = "OpenID authentication failed: " . $response->message;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
$openid = $response->getDisplayIdentifier();
$esc_identity = escape($openid);
$google = strpos($openid, "google.com");
$success = sprintf('You have successfully verified ' . '<a href="%s">%s</a> as your identity.', $esc_identity, $esc_identity);
if ($response->endpoint->canonicalID) {
$escaped_canonicalID = escape($response->endpoint->canonicalID);
$success .= ' (XRI CanonicalID: ' . $escaped_canonicalID . ') ';
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
if (@$sreg['email']) {
$success .= " You also returned '" . escape($sreg['email']) . "' as your email.";
}
if (@$sreg['nickname']) {
$success .= " Your nickname is '" . escape($sreg['nickname']) . "'.";
}
if (@$sreg['fullname']) {
$success .= " Your fullname is '" . escape($sreg['fullname']) . "'.";
}
$pape_resp = Auth_OpenID_PAPE_Response::fromSuccessResponse($response);
if ($pape_resp) {
if ($pape_resp->auth_policies) {
$success .= "<p>The following PAPE policies affected the authentication:</p><ul>";
foreach ($pape_resp->auth_policies as $uri) {
$escaped_uri = escape($uri);
$success .= "<li><tt>{$escaped_uri}</tt></li>";
}
$success .= "</ul>";
} else {
$success .= "<p>No PAPE policies affected the authentication.</p>";
}
if ($pape_resp->auth_age) {
$age = escape($pape_resp->auth_age);
$success .= "<p>The authentication age returned by the " . "server is: <tt>" . $age . "</tt></p>";
}
if ($pape_resp->nist_auth_level) {
$auth_level = escape($pape_resp->nist_auth_level);
$success .= "<p>The NIST auth level returned by the " . "server is: <tt>" . $auth_level . "</tt></p>";
}
} else {
$success .= "<p>No PAPE response was sent by the provider.</p>";
}
}
}
}
include 'index.php';
}
function escape($thing)
{
return htmlentities($thing);
}
$return_to = getReturnTo();
$response = $consumer->complete($return_to);
// Check the response status.
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
$msg = 'Verification cancelled.';
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
$msg = "OpenID authentication failed: " . $response->message;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
$openid = $response->getDisplayIdentifier();
$esc_identity = escape($openid);
$msg = sprintf('You have successfully verified ' . '<a href="%s">%s</a> as your identity.', $esc_identity, $esc_identity);
$sreg = Auth_OpenID_SRegResponse::fromSuccessResponse($response)->contents();
$_SESSION['openid'] = $openid;
$_SESSION['username'] = @$sreg['username'];
$_SESSION['faction'] = @$sreg['faction'];
}
}
}
$_SESSION['msg'] = $msg;
header("Location: index.php");
/**
* Get attributes from OpenID response and populate 'user'-like structure
* If matching user exists then return matching user
*
* @param string $resp - the OpenID response
* @return user object - false on multiple matches, or the matching user object
* _or_ new user object with members:
* username, email, firstname, lastname, country
*/
function openid_resp_to_user(&$resp)
{
$tmp_users = array();
$user = new stdClass();
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($resp);
$sreg = $sreg_resp->contents();
if (defined('ADD_AX_SUPPORT')) {
$ax_resp = new Auth_OpenID_AX_FetchResponse();
$ax = $ax_resp->fromSuccessResponse($resp);
}
// We'll attempt to use the user's nickname to set their username
if (isset($sreg['nickname']) && !empty($sreg['nickname']) && !($tmp_users['username'] = get_records('user', 'username', addslashes($sreg['nickname']))) || defined('USE_EMAIL_FOR_USERNAME') && isset($sreg['email']) && !empty($sreg['email']) && !($tmp_users['username_email'] = get_records('user', 'username', $sreg['email']))) {
$user->username = addslashes(isset($sreg['nickname']) && !empty($sreg['nickname']) ? $sreg['nickname'] : $sreg['email']);
} else {
if (defined('ADD_AX_SUPPORT') && (($nickname = get_ax_data(AX_SCHEMA_NICKNAME, $ax)) && !($tmp_users['username'] = get_records('user', 'username', addslashes($nickname))) || defined('USE_EMAIL_FOR_USERNAME') && ($useremail = get_ax_data(AX_SCHEMA_EMAIL, $ax)) && !($tmp_users['username_email'] = get_records('user', 'username', $useremail)))) {
// better to fall-back to email? may show-up in various display blocks
$user->username = addslashes($nickname ? $nickname : $useremail);
} else {
$user->username = openid_normalize_url_as_username($resp->identity_url);
}
}
// SREG fullname
if (isset($sreg['fullname']) && !empty($sreg['fullname'])) {
$name = openid_parse_full_name($sreg['fullname']);
$user->firstname = addslashes($name['first']);
$user->lastname = addslashes($name['last']);
} else {
if (defined('ADD_AX_SUPPORT') && (get_ax_data(AX_SCHEMA_FULLNAME, $ax) || get_ax_data(AX_SCHEMA_LASTNAME, $ax))) {
if (get_ax_data(AX_SCHEMA_LASTNAME, $ax)) {
$user->firstname = addslashes(get_ax_data(AX_SCHEMA_FIRSTNAME, $ax));
$user->lastname = addslashes(get_ax_data(AX_SCHEMA_LASTNAME, $ax));
} else {
// fullname
$name = openid_parse_full_name(get_ax_data(AX_SCHEMA_FULLNAME, $ax));
$user->firstname = addslashes($name['first']);
$user->lastname = addslashes($name['last']);
}
}
}
if (!empty($user->lastname)) {
$tmp_users['fullname'] = get_records_select('user', "firstname = '" . $user->firstname . "' AND lastname = '" . $user->lastname . "'");
}
// SREG email
if (!empty($sreg['email']) && !($tmp_users['email'] = get_records('user', 'email', $sreg['email']))) {
$user->email = addslashes($sreg['email']);
} else {
if (defined('ADD_AX_SUPPORT') && ($useremail = get_ax_data(AX_SCHEMA_EMAIL, $ax)) && !($tmp_users['email'] = get_records('user', 'email', $useremail))) {
$user->email = addslashes($useremail);
}
}
// SREG country
$country = '';
if (isset($sreg['country']) && !empty($sreg['country'])) {
$country = $sreg['country'];
} else {
if (defined('ADD_AX_SUPPORT') && get_ax_data(AX_SCHEMA_COUNTRY, $ax)) {
$country = get_ax_data(AX_SCHEMA_COUNTRY, $ax);
}
}
if (!empty($country)) {
$country_code = strtoupper($country);
$countries = get_list_of_countries();
if (strlen($country) != 2 || !isset($countries[$country_code])) {
$countries_keys = array_keys($countries);
$countries_vals = array_values($countries);
$country_code = array_search($country, $countries_vals);
if ($country_code > 0) {
$country_code = $countries_keys[$country_code];
} else {
$country_code = '';
}
}
if (!empty($country_code)) {
$user->country = $country_code;
}
}
/* We're currently not attempting to get language and timezone values
// SREG language
if (isset($sreg['language']) && !empty($sreg['language'])) {
}
// SREG timezone
if (isset($sreg['timezone']) && !empty($sreg['timezone'])) {
}
*/
$config = get_config('auth/openid');
//error_log("/auth/openid/locallib.php::auth/openid::config=...");
//err_dump($config);
//error_log("/auth/openid/locallib.php::openid_resp_to_user() - check for user matching ...");
//err_dump($user);
// Map OpenID fields to whether field MUST be unique
// TBD: make unique fields configurable im OpenID: auth_config_users.html
// Keys must match keys in tmp_users[] array - set above.
$openid_fields = array('email' => 1, 'fullname' => 0, 'username' => 0, 'username_email' => 1);
foreach ($openid_fields as $openid_field => $field_unique) {
$match_array = str_word_count($config->auth_openid_match_fields, 1, '_');
$num = !empty($match_array) ? 1 : 0;
if ($field_unique && !empty($tmp_users[$openid_field]) && count($tmp_users[$openid_field]) > $num) {
//error_log("/auth/openid/locallib.php::openid_resp_to_user() - multiple matches on count(tmp_users[{$openid_field}])=".count($tmp_users[$openid_field])." ...");
//err_dump($tmp_users[$openid_field]);
//error_log("> match_array=...");
//err_dump($match_array);
return false;
}
}
$matching_user = null;
// check tmp_users[] matches for valid existing user,
// return false if conflicts between matching fields
if (!empty($config->auth_openid_match_fields)) {
$openid_match_fields = explode(',', $config->auth_openid_match_fields);
foreach ($openid_match_fields as $match_field) {
$match_field = trim($match_field);
if (!empty($tmp_users[$match_field]) && count($tmp_users[$match_field]) == 1) {
if (!$matching_user) {
$matching_user = reset($tmp_users[$match_field]);
} else {
if ($openid_fields[$match_field] && $matching_user->id != reset($tmp_users[$match_field])->id) {
// unique field matches different user!
return false;
}
}
}
}
}
if (!empty($matching_user)) {
merge_user_fields($matching_user, $user);
//error_log( "openid_resp_to_user() - merged matching user: ");
//err_dump($matching_user);
return $matching_user;
}
return $user;
}
/**
* Verify login and extract member data information
*
* @access private
* @return boolean
*/
private function _checkFirstPass()
{
//-----------------------------------------
// Retrieve stored data
//-----------------------------------------
$id = IPSText::md5Clean($this->request['myopenid']);
if (!$id) {
$this->auth_errors[] = 'no_myopenid';
$this->return_code = 'NO_USER';
return false;
}
$this->data_store = $this->DB->buildAndFetch(array('select' => '*', 'from' => 'openid_temp', 'where' => "id='{$id}'"));
if (!$this->DB->getTotalRows()) {
$this->auth_errors[] = 'no_myopenid';
$this->return_code = 'NO_USER';
return false;
}
$this->DB->delete('openid_temp', "id='{$id}'");
$consumer = $this->_getConsumer();
if ($this->is_admin_auth) {
$return_to = $this->settings['base_url'] . 'app=core&module=login&do=login-complete&myopenid=' . $id;
} else {
$return_to = $this->settings['base_url'] . 'app=core&module=global§ion=login&do=process&myopenid=' . $id;
}
$response = $consumer->complete($return_to);
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
$this->auth_errors[] = 'no_openid';
$this->return_code = 'WRONG_OPENID';
return false;
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
$this->auth_errors[] = 'no_openid';
$this->return_code = 'WRONG_OPENID';
return false;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
$openid = $response->getDisplayIdentifier();
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
if (is_array($sreg) and count($sreg)) {
$this->data_store = array_merge($this->data_store, $sreg);
}
}
}
}
session_unset();
return true;
}
/**
* Try to log in using OpenID
*
* Check the OpenID for validity; potentially store it.
*
* @return void
*/
function tryLogin()
{
$consumer = oid_consumer();
$response = $consumer->complete(common_local_url('finishaddopenid'));
if ($response->status == Auth_OpenID_CANCEL) {
// TRANS: Status message in case the response from the OpenID provider is that the logon attempt was cancelled.
$this->message(_m('OpenID authentication cancelled.'));
return;
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// TRANS: OpenID authentication failed; display the error message.
// TRANS: %s is the error message.
$this->message(sprintf(_m('OpenID authentication failed: %s.'), $response->message));
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
$display = $response->getDisplayIdentifier();
$canonical = $response->endpoint && $response->endpoint->canonicalID ? $response->endpoint->canonicalID : $display;
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
if ($sreg_resp) {
$sreg = $sreg_resp->contents();
}
// Launchpad teams extension
if (!oid_check_teams($response)) {
// TRANS: OpenID authentication error.
$this->message(_m('OpenID authentication aborted: You are not allowed to login to this site.'));
return;
}
$cur = common_current_user();
$other = oid_get_user($canonical);
if ($other) {
if ($other->id == $cur->id) {
// TRANS: Message in case a user tries to add an OpenID that is already connected to them.
$this->message(_m('You already have this OpenID!'));
} else {
// TRANS: Message in case a user tries to add an OpenID that is already used by another user.
$this->message(_m('Someone else already has this OpenID.'));
}
return;
}
// start a transaction
$cur->query('BEGIN');
$result = oid_link_user($cur->id, $canonical, $display);
if (!$result) {
// TRANS: Message in case the OpenID object cannot be connected to the user.
$this->message(_m('Error connecting user.'));
return;
}
if (Event::handle('StartOpenIDUpdateUser', array($cur, $canonical, &$sreg))) {
if ($sreg) {
if (!oid_update_user($cur, $sreg)) {
// TRANS: Message in case the user or the user profile cannot be saved in StatusNet.
$this->message(_m('Error updating profile.'));
return;
}
}
}
Event::handle('EndOpenIDUpdateUser', array($cur, $canonical, $sreg));
// success!
$cur->query('COMMIT');
oid_set_last($display);
common_redirect(common_local_url('openidsettings'), 303);
}
}
}
}
