$request: The OpenID authentication request from which to
extract an sreg request.
$cls: name of class to use when creating sreg request object.
Used for testing.
Returns the newly created simple registration request
| static public fromOpenIDRequest ( $request, $cls = 'Auth_OpenID_SRegRequest' ) |
public function GetSRegDataForRequest(User $user)
{
require_once 'Auth/OpenID/SReg.php';
// Other common SReg fields we could fill are:
// dob, country, language, timezone.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($this->request);
return Auth_OpenID_SRegResponse::extractResponse($sreg_request, array('fullname' => $user->fullName(), 'nickname' => $user->displayName(), 'email' => $user->bestEmail(), 'gender' => $user->isFemale() ? 'F' : 'M'));
}
/**
* See if the OpenID authentication request includes SReg and add additional hooks if so.
*/
function openid_server_sreg_post_auth($request)
{
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
if ($sreg_request) {
$GLOBALS['openid_server_sreg_request'] = $sreg_request;
add_action('openid_server_trust_form', 'openid_server_sreg_trust_form');
add_action('openid_server_trust_submit', 'openid_server_sreg_trust_submit', 10, 2);
add_filter('openid_server_store_trusted_site', 'openid_server_sreg_store_trusted_site');
add_action('openid_server_auth_response', 'openid_server_sreg_auth_response');
}
}
function addSregFields(&$response, $info, $req_url)
{
$username = getUsernameFromUrl($req_url);
$user = get_user_by_username($username);
if ($user) {
$email = $user->email;
$fullname = $user->name;
$sreg_data = array('fullname' => $fullname, 'email' => $email);
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
//error_log('DEBUG:' . (string)($response->fields));
$sreg_response->toMessage($response->fields);
}
}
function doAuth($info, $trusted = null, $fail_cancels = false, $idpSelect = null)
{
if (!$info) {
// There is no authentication information, so bail
return authCancel(null);
}
if ($info->idSelect()) {
if ($idpSelect) {
$req_url = idURL($idpSelect);
} else {
$trusted = false;
}
} else {
$req_url = $info->identity;
}
$user = getLoggedInUser();
setRequestInfo($info);
if (!$info->idSelect() && $req_url != idURL($user)) {
return login_render(array(), $req_url, $req_url);
}
$trust_root = $info->trust_root;
if ($trusted) {
setRequestInfo();
$server =& getServer();
$response =& $info->answer(true, null, $req_url);
// Answer with some sample Simple Registration data.
$sreg_data = array('fullname' => 'Example User', 'nickname' => 'example', 'dob' => '1970-01-01', 'email' => '*****@*****.**', 'gender' => 'F', 'postcode' => '12345', 'country' => 'ES', 'language' => 'eu', 'timezone' => 'America/New_York');
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
$sreg_response->toMessage($response->fields);
// Generate a response to send to the user agent.
$webresponse =& $server->encodeResponse($response);
$new_headers = array();
foreach ($webresponse->headers as $k => $v) {
$new_headers[] = $k . ": " . $v;
}
return array($new_headers, $webresponse->body);
} elseif ($fail_cancels) {
return authCancel($info);
} else {
return trust_render($info);
}
}
function doAuth($info, $trusted = null, $fail_cancels = false, $idpSelect = null)
{
if (!$info) {
// There is no authentication information, so bail
return authCancel(null);
}
$auth = getAuth();
$cert_webid_23 = str_replace('#', '%23', $auth['agent']['webid']);
$cert_webid = str_replace('http://', '', $cert_webid_23);
// $cert_webid = urlencode($auth['agent']['webid']);
if ($_SERVER['HTTPS']) {
$host = "https://openid4.me/";
} else {
$host = "http://openid4.me/";
}
$normalized_webid = $host . $cert_webid;
if ($info->idSelect()) {
// if ($idpSelect) {
// $req_url = idURL($idpSelect);
if ($auth[isAuthenticated]) {
$req_url = $normalized_webid;
} else {
$trusted = false;
}
// } else {
// $trusted = false;
// }
} else {
$req_url = $info->identity;
if ($req_url != $normalized_webid) {
//Get link header
$link_webid = fetch_foaf_profile($req_url);
if ($cert_webid == $link_webid) {
$trusted = true;
} else {
$agent = get_agent(urldecode($link_webid));
/*
print "<pre>";
print_r($agent);
print "</pre>";
*/
$link_webid = isset($agent['agent']['webid']) ? str_replace('#', '%23', $agent['agent']['webid']) : '';
if ($cert_webid_23 == $link_webid) {
$trusted = true;
} else {
$trusted = false;
}
}
} else {
$trusted = true;
}
}
$user = getLoggedInUser();
setRequestInfo($info);
/*
if ((!$info->idSelect()) && ($req_url != idURL($user))) {
return login_render(array(), $req_url, $req_url);
}
*/
$trust_root = $info->trust_root;
if ($trusted) {
setRequestInfo();
$server =& getServer();
$response =& $info->answer(true, null, $req_url);
// Answer with some sample Simple Registration data.
$agent = get_agent($auth['agent']['webid']);
$sreg_data = array();
if ($fullname = $agent['agent']['name']) {
$sreg_data = array_merge($sreg_data, array('fullname' => $fullname));
}
if ($nickname = $agent['agent']['nick'][0]) {
$sreg_data = array_merge($sreg_data, array('nickname' => $nickname));
}
if ($mbox = $agent['agent']['mbox'][0]) {
$mbox = str_replace('mailto:', '', $mbox);
$sreg_data = array_merge($sreg_data, array('email' => $mbox));
}
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
$sreg_response->toMessage($response->fields);
// Generate a response to send to the user agent.
$webresponse =& $server->encodeResponse($response);
$new_headers = array();
foreach ($webresponse->headers as $k => $v) {
$new_headers[] = $k . ": " . $v;
}
return array($new_headers, $webresponse->body);
} elseif ($fail_cancels) {
return authCancel($info);
} else {
return trust_render($info);
}
}
/**
* Process a request.
*
* This function never returns.
*
* @param Auth_OpenID_Request $request The request we are processing.
*/
public function processRequest(array $state)
{
assert('isset($state["request"])');
$request = $state['request'];
$sreg_req = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
$ax_req = Auth_OpenId_AX_FetchRequest::fromOpenIDRequest($request);
/* In resume.php there should be a way to display data requested through sreg or ax. */
if (!$this->authSource->isAuthenticated()) {
if ($request->immediate) {
/* Not logged in, and we cannot show a login form. */
$this->sendResponse($request->answer(FALSE));
}
$resumeURL = $this->getStateURL('resume.php', $state);
$this->authSource->requireAuth(array('ReturnTo' => $resumeURL));
}
$identity = $this->getIdentity();
assert('$identity !== FALSE');
/* Should always be logged in here. */
if (!$request->idSelect() && $identity !== $request->identity) {
/* The identity in the request doesn't match the one of the logged in user. */
throw new SimpleSAML_Error_Exception('Logged in as different user than the one requested.');
}
if ($this->isTrusted($identity, $request->trust_root)) {
$trusted = TRUE;
} elseif (isset($state['TrustResponse'])) {
$trusted = (bool) $state['TrustResponse'];
} else {
if ($request->immediate) {
/* Not trusted, and we cannot show a trust-form. */
$this->sendResponse($request->answer(FALSE));
}
$trustURL = $this->getStateURL('trust.php', $state);
SimpleSAML_Utilities::redirectTrustedURL($trustURL);
}
if (!$trusted) {
/* The user doesn't trust this site. */
$this->sendResponse($request->answer(FALSE));
}
$response = $request->answer(TRUE, NULL, $identity);
//Process attributes
$attributes = $this->authSource->getAttributes();
foreach ($attributes as $key => $attr) {
if (is_array($attr) && count($attr) === 1) {
$attributes[$key] = $attr[0];
}
}
$pc = new SimpleSAML_Auth_ProcessingChain($this->authProc, array(), 'idp');
$state = array('Attributes' => $attributes, 'isPassive' => TRUE);
$pc->processStatePassive(&$state);
$attributes = $state['Attributes'];
//Process SREG requests
$sreg_resp = Auth_OpenID_SRegResponse::extractResponse($sreg_req, $attributes);
$sreg_resp->toMessage($response->fields);
//Process AX requests
$ax_resp = new Auth_OpenID_AX_FetchResponse();
foreach ($ax_req->iterTypes() as $type_uri) {
if (isset($attributes[$type_uri])) {
$ax_resp->addValue($type_uri, $attributes[$type_uri]);
}
}
$ax_resp->toMessage($response->fields);
/* The user is authenticated, and trusts this site. */
$this->sendResponse($response);
}
function generateAllowResponse($request, $user)
{
$response = $request->answer(true, null, common_profile_url($user->nickname));
$profile = $user->getProfile();
$sreg_data = array('fullname' => $profile->fullname, 'nickname' => $user->nickname, 'email' => $user->email, 'language' => $user->language, 'timezone' => $user->timezone);
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
$sreg_response->toMessage($response->fields);
return $response;
}
public function executeTrust(sfWebRequest $request)
{
opApplicationConfiguration::registerJanRainOpenID();
require_once 'Auth/OpenID/Server.php';
require_once 'Auth/OpenID/FileStore.php';
require_once 'Auth/OpenID/SReg.php';
require_once 'Auth/OpenID/AX.php';
$info = unserialize($_SESSION['request']);
$this->forward404Unless($info);
$trusted = $request->hasParameter('trust') || $request->hasParameter('permanent');
if (!$trusted) {
unset($_SESSION['request']);
$url = $info->getCancelURL();
$this->redirect($url);
}
$reqUrl = $this->getController()->genUrl('OpenID/member?id=' . $this->getUser()->getMemberId(), true);
if (!$info->idSelect()) {
$this->forward404Unless($reqUrl === $info->identity, 'request:' . $reqUrl . '/identity:' . $info->identity);
}
unset($_SESSION['request']);
$server = new Auth_OpenID_Server(new Auth_OpenID_FileStore(sfConfig::get('sf_cache_dir')), $info->identity);
$response = $info->answer(true, null, $reqUrl);
$sregRequest = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$axRequest = Auth_OpenID_AX_FetchRequest::fromOpenIDRequest($info);
$allowedProfiles = $request->getParameter('profiles', array());
$requiredProfiles = $this->createListOfRequestedProfiles($sregRequest, $axRequest);
$rejectedProfiles = array_diff_key($requiredProfiles, array_flip($allowedProfiles));
if (in_array(true, $rejectedProfiles)) {
$url = $info->getCancelURL();
$this->redirect($url);
}
if ($sregRequest) {
$sregExchange = new opOpenIDProfileExchange('sreg', $this->getUser()->getMember());
$sregResp = Auth_OpenID_SRegResponse::extractResponse($sregRequest, $sregExchange->getData($allowedProfiles));
$response->addExtension($sregResp);
}
if ($axRequest && !$axRequest instanceof Auth_OpenID_AX_Error) {
$axResp = new Auth_OpenID_AX_FetchResponse();
$axExchange = new opOpenIDProfileExchange('ax', $this->getUser()->getMember());
$userData = $axExchange->getData($allowedProfiles);
foreach ($axRequest->requested_attributes as $k => $v) {
if (!empty($userData[$k])) {
$axResp->addValue($k, $userData[$k]);
}
}
$response->addExtension($axResp);
}
$log = Doctrine::getTable('OpenIDTrustLog')->log($info->trust_root, $this->getUser()->getMemberId());
if ($request->hasParameter('permanent')) {
$log->is_permanent = true;
$log->save();
}
$response = $server->encodeResponse($response);
return $this->writeResponse($response);
}
function fromOpenIDRequest(&$thing, &$test_case)
{
__setTestCase($test_case);
$obj = parent::fromOpenIDRequest($thing, 'TestingReq');
return $obj;
}
/**
* Authenticate the currently logged in user. This sends the
* result, and is thus no-return.
*/
public function authenticate()
{
global $serverUri;
$id = $this->session->getUser();
if (!$id) {
$this->cancel();
}
$req = $this->session->getRequestInfo();
if (!$req) {
$this->cancel();
}
assert($id && $req);
$fullid = "{$serverUri}?name=" . urlencode($id);
$resp = $req->answer(true, NULL, $fullid);
$this->checkError($resp);
/* Get more data to send. */
$data = $this->nc->getIdValue($id);
$sregData = array();
$sregKeys = array("name" => "fullname", "email" => "email", "website" => "website", "nick" => "nickname");
if ($data) {
foreach ($sregKeys as $key => $val) {
if (isset($data->{$key})) {
$sregData[$val] = $data->{$key};
}
}
}
/* Add simple registration data to response. */
$sregReq = Auth_OpenID_SRegRequest::fromOpenIDRequest($req);
$sregResp = Auth_OpenID_SRegResponse::extractResponse($sregReq, $sregData);
$sregResp->toMessage($resp->fields);
/* Send response and clean out request info. */
$this->session->setRequestInfo(NULL);
$this->sendResponse($resp);
}
/**
* Convenience function for copying all the sreg data that was
* requested from a supplied set of sreg data into the response
* message. If no data were requested, no data will be sent.
*
* openid_request: The OpenID (checkid_*) request that may be
* requesting sreg data.
*
* data: The simple registration data to send. All requested fields
* that are present in this dictionary will be added to the response
* message.
*
* openid_response: The OpenID C{id_res} response to which the simple
* registration data should be added
*
* Does not return a value; updates the openid_response instead.
*/
function Auth_OpenID_sendSRegFields(&$openid_request, $data, &$openid_response)
{
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($openid_request->message);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $data);
$sreg_response->toMessage($openid_response->fields);
}
private function doAuth($info, $trusted = null, $fail_cancels = false, $idpSelect = null, $accepted_scopes = null)
{
if (!$info) {
// There is no authentication information, so bail
return $this->openid->authCancel(null);
}
if ($info->idSelect()) {
if ($idpSelect) {
$req_url = $this->openid->idURL($idpSelect);
} else {
$trusted = false;
}
} else {
$req_url = $info->identity;
}
$id_url = $this->openid->idUrl($_SESSION['id']);
$this->openid->setRequestInfo($info);
if (!$info->idSelect() && $req_url != $id_url) {
return $this->openid->authCancel($info);
}
if ($trusted) {
// prepare the OpenID response object
$this->openid->setRequestInfo();
$server =& $this->openid->getOpenIdServer();
$response =& $info->answer(true, null, $req_url);
// Simple Registration Extension
$people = $this->model('people');
$person = $people->get_person($_SESSION['id'], true);
$date_of_birth_month = date('n', $person['date_of_birth']);
$date_of_birth_day = date('j', $person['date_of_birth']);
$date_of_birth_year = date('y', $person['date_of_birth']);
// Answer with Simple Registration data.
$sreg_data = array('fullname' => $person['first_name'] . ' ' . $person['last_name'], 'nickname' => $person['first_name'], 'dob' => $date_of_birth_year . '-' . $date_of_birth_month . '-' . $date_of_birth_day, 'email' => $person['email'], 'gender' => $person['gender'], 'country' => 'US', 'language' => 'en');
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
$sreg_response->toMessage($response->fields);
// Hybrid OAuth Extension
$oauth_request = HybridOAuthRequest::fromOpenIDRequest($info);
// handle accepted scopes (generates OAuth token)
if ($oauth_request !== null) {
$oauthDataStore = new PartuzaOAuthDataStore();
$consumer = $oauthDataStore->lookup_consumer($oauth_request->consumer);
$token = $oauthDataStore->new_request_token($consumer, '');
$oauthDataStore->authorize_request_token($token->key);
$oauth_response = HybridOAuthResponse::buildResponse($oauth_request, $token->key, $accepted_scopes);
$oauth_response->toMessage($response->fields);
}
// Generate a response to send to the user agent.
$webresponse =& $server->encodeResponse($response);
header('Location: ' . $webresponse->headers['location']);
header('Connection: close');
echo $webresponse->body;
} elseif ($fail_cancels) {
return $this->openid->authCancel($info);
} else {
return $this->trust_render($info);
}
}
public static function getForm(Auth_OpenID_Request $request, Users_Model_Profile $profile)
{
// The class Auth_OpenID_SRegRequest is included in the following file
require_once 'libs/Auth/OpenID/SReg.php';
$sregRequest = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
$props = $sregRequest->allRequestedFields();
$args = $sregRequest->getExtensionArgs();
if (isset($args['required'])) {
$required = explode(',', $args['required']);
} else {
$required = false;
}
$sregProps = array();
foreach ($props as $field) {
$sregProps[$field] = $required && in_array($field, $required);
}
$personalInfoForm = new Users_Form_PersonalInfo(null, $profile, $sregRequest, $sregProps);
return $personalInfoForm;
}
function send_geni_user($server, $info)
{
$geni_user = geni_loadUser();
$req_url = idURL($geni_user->username);
$response =& $info->answer(true, null, $req_url);
// Answer with some sample Simple Registration data.
global $portal_cert_file;
global $portal_private_key_file;
$sreg_data = array();
if ($geni_user) {
$sreg_data['nickname'] = $geni_user->username;
$sreg_data['email'] = $geni_user->email();
}
if (empty($sreg_data)) {
error_log("OpenID: Unable to access user information.");
}
// Add the simple registration response values to the OpenID
// response message.
$sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info);
$sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data);
$sreg_response->toMessage($response->fields);
/*
* Attribute Exchange (AX) is an OpenID extension to pass additional
* attributes. This code was derived by looking at some client
* examples and the AX code. No server-side examples of PHP OpenID
* AX were found.
*
* AX seems to be fragile. Small changes to the code below can
* result in authentication failures.
*
* The user URN has '+' characters but these consistently caused
* authentication failures in testing. Replacing the '+' with '|'
* worked, so that is a necessary transformation below.
*/
$ax_request = Auth_OpenID_AX_FetchRequest::fromOpenIDRequest($info);
if ($ax_request and !Auth_OpenID_AX::isError($ax_request)) {
/* error_log("received AX request: " . print_r($ax_request, true)); */
$ax_response = new Auth_OpenID_AX_FetchResponse();
add_project_slice_info($geni_user, $projects, $slices);
foreach ($ax_request->iterTypes() as $ax_req_type) {
switch ($ax_req_type) {
case 'http://geni.net/projects':
$ax_response->setValues($ax_req_type, $projects);
break;
case 'http://geni.net/slices':
$ax_response->setValues($ax_req_type, $slices);
break;
case 'http://geni.net/user/urn':
$urn = $geni_user->urn();
$urn = str_replace('+', '|', $urn);
$ax_response->addValue('http://geni.net/user/urn', $urn);
break;
case 'http://geni.net/user/prettyname':
$ax_response->addValue($ax_req_type, $geni_user->prettyName());
break;
case 'http://geni.net/wimax/username':
case 'http://geni.net/wimax/wimax_username':
$wimax_name = null;
if (isset($geni_user->ma_member->wimax_username)) {
$wimax_name = $geni_user->ma_member->wimax_username;
}
/* Only send wimax name if it exists. */
if ($wimax_name) {
$ax_response->addValue($ax_req_type, $wimax_name);
}
break;
case 'http://geni.net/irods/username':
/* Get the iRODS username. Do we need to respect the
* 'irods_enabled' flag?
*/
$irods_username = null;
if (isset($geni_user->ma_member->irods_username)) {
$irods_username = $geni_user->ma_member->irods_username;
}
/* Only send it if it exists. */
if ($irods_username) {
error_log("Returning iRODS username {$irods_username} for user " . $geni_user->urn());
$ax_response->addValue($ax_req_type, $irods_username);
} else {
error_log("No iRODS username in OpenID for user " . $geni_user->urn());
}
break;
case 'http://geni.net/irods/zone':
/* Get the IRods zone for this user. */
$irods_zone = irods_default_zone();
/* Only send it if it exists. */
if ($irods_zone) {
error_log("Returning iRODS zone {$irods_zone} for user " . $geni_user->urn());
$ax_response->addValue($ax_req_type, $irods_zone);
} else {
error_log("No iRODS zone in OpenID for user " . $geni_user->urn());
}
break;
}
}
$ax_response->toMessage($response->fields);
}
// Generate a response to send to the user agent.
$webresponse =& $server->encodeResponse($response);
$new_headers = array();
foreach ($webresponse->headers as $k => $v) {
$new_headers[] = $k . ": " . $v;
}
return array($new_headers, $webresponse->body);
}
private function _hasSreg(Auth_OpenID_Request $request)
{
// The class Auth_OpenID_SRegRequest is included in the following file
require_once 'libs/Auth/OpenID/SReg.php';
$sregRequest = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
$props = $sregRequest->allRequestedFields();
return is_array($props) && count($props) > 0;
}
public function trustAction(Request $request)
{
if (!$this->securityContext->isGranted('IS_AUTHENTICATED_FULLY')) {
$request->getSession()->set('_security.target_path', $request->headers->get('referer'));
throw new AccessDeniedException();
}
require_once 'Auth/OpenID/SReg.php';
$server = $this->getServer();
$params = $request->server->get('QUERY_STRING');
$params = $this->decodeQuery($params);
$openidRequest = $server->decodeRequest($params);
if (!$openidRequest) {
throw new HttpException(400);
}
if (!$openidRequest instanceof \Auth_OpenID_Request) {
return $this->handleServerError($openidRequest);
}
if ('checkid_setup' !== $openidRequest->mode) {
throw new HttpException(400);
}
$sRegRequest = \Auth_OpenID_SRegRequest::fromOpenIDRequest($openidRequest);
$user = $this->securityContext->getToken()->getUser();
$fields = $this->getFieldsData($user, $sRegRequest);
$form = $this->createTrustForm($user, $sRegRequest);
if ('POST' === $request->getMethod()) {
$form->bindRequest($request);
$trust = $request->request->get('trust');
if ($form->isValid() && !empty($trust)) {
$unique = $this->adapter->getUserUnique($user);
$identifier = $this->getIdentifierUri($unique);
$openidResponse = $openidRequest->answer(true, null, $identifier);
$sRegResponse = \Auth_OpenID_SRegResponse::extractResponse($sRegRequest, $fields);
$sRegResponse->toMessage($openidResponse->fields);
$webResponse = $server->encodeResponse($openidResponse);
return $this->convertResponse($webResponse);
}
}
$template = 'AlbOpenIDServerBundle:OpenIDServer:trust.html.twig';
return $this->render($template, array('form' => $form->createView(), 'form_action' => $this->getTrustUri($params), 'requested_fields' => $fields));
}
