* @version 2.2.0-ul-2 */ /** * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * The license for this software can likely be found here: * http://www.gnu.org/licenses/gpl-2.0.html */ /** * This program also use the PHP OpenID library by JanRain, Inc. * which is licensed under the Apache license 2.0: * http://www.apache.org/licenses/LICENSE-2.0 */ // must be run within Dokuwiki if(!defined('DOKU_INC')) die(); if(!defined('DOKU_PLUGIN')) define('DOKU_PLUGIN',DOKU_INC.'lib/plugins/'); require_once(DOKU_PLUGIN.'action.php'); class action_plugin_openid extends DokuWiki_Action_Plugin { /** * Return some info */ function getInfo() { return array( 'author' => 'h6e.net / 7usr7local / tzzee', 'email' => 'pjw-git-2018@usr-local.org', 'date' => '2023-02-18', 'name' => 'OpenID plugin', 'desc' => 'Authenticate on a DokuWiki with OpenID (Vers. 2.2.0-ul-2)', 'url' => 'https://github.com/usr-local/dokuwiki-openid', ); } /** * Register the eventhandlers */ function register(Doku_Event_Handler $controller) { $controller->register_hook('FORM_LOGIN_OUTPUT', 'BEFORE', $this, 'handle_login_form', array()); $controller->register_hook('FORM_UPDATEPROFILE_OUTPUT', 'AFTER', $this, 'handle_profile_form', array()); $controller->register_hook('ACTION_ACT_PREPROCESS', 'BEFORE', $this, 'handle_act_preprocess', array()); $controller->register_hook('TPL_ACT_UNKNOWN', 'BEFORE', $this, 'handle_act_unknown', array()); } /** * Returns the Consumer URL */ function _self($do) { global $ID; return wl($ID, 'do=' . $do, true, '&'); } /** * Redirect the user */ function _redirect($url) { header('Location: ' . $url); exit; } /** * Return an OpenID Consumer */ function getConsumer() { global $conf; if (isset($this->consumer)) { return $this->consumer; } define('Auth_OpenID_RAND_SOURCE', null); set_include_path( get_include_path() . PATH_SEPARATOR . dirname(__FILE__) ); require_once "Auth/OpenID/Consumer.php"; require_once "Auth/OpenID/FileStore.php"; // start session (needed for YADIS) session_start(); // create file storage area for OpenID data $store = new Auth_OpenID_FileStore($conf['tmpdir'] . '/openid'); // create OpenID consumer $this->consumer = new Auth_OpenID_Consumer($store); return $this->consumer; } /** * Handles the openid action */ function handle_act_preprocess(&$event, $param) { global $ID, $conf, $auth; $disabled = explode(',', $conf['disableactions']); if ($this->getConf('openid_disable_registration')) { $disabled[] = 'register'; } if ($this->getConf('openid_disable_update_profile')) { $disabled[] = 'resendpwd'; $disabled[] = 'profile'; } $conf['disableactions'] = implode(',', $disabled); $user = $_SERVER['REMOTE_USER']; // Do not ask the user a password he didn't set if ($event->data == 'profile') { $conf['profileconfirm'] = 0; if (preg_match('!^https?://!', $user)) { $this->_redirect( $this->_self('openid') ); } } if ($event->data != 'openid' && $event->data != 'logout') { // Warn the user to register an account if he's using a not registered OpenID // and if registration is possible if (preg_match('!^https?://!', $user)) { if ($auth && $auth->canDo('addUser') && actionOK('register')) { $message = sprintf($this->getLang('complete_registration_notice'), $this->_self('openid')); msg($message, 2); } } } if ($event->data == 'openid') { // not sure this if it's useful there $event->stopPropagation(); $event->preventDefault(); if (isset($_POST['mode']) && ($_POST['mode'] == 'login' || $_POST['mode'] == 'add')) { // we try to login with the OpenID submited $consumer = $this->getConsumer(); $auth = $consumer->begin($_POST['openid_identifier']); if (!$auth) { msg($this->getLang('enter_valid_openid_error'), -1); return; } // add an attribute query extension if we've never seen this OpenID before. $associations = $this->get_associations(); if (!isset($associations[$openid])) { require_once('Auth/OpenID/SReg.php'); $e = Auth_OpenID_SRegRequest::build(array(),array('nickname','email','fullname')); $auth->addExtension($e); } // redirect to OpenID provider for authentication // this fix an issue with mod_rewrite with JainRain library // when a parameter seems to be non existing in the query $return_to = $this->_self('openid') . '&id=' . $ID; $url = $auth->redirectURL(DOKU_URL, $return_to); $this->_redirect($url); } else if (isset($_POST['mode']) && $_POST['mode'] == 'extra') { // we register the user on the wiki and associate the account with his OpenID $this->register_user(); } else if (isset($_POST['mode']) && $_POST['mode'] == 'delete') { foreach ($_POST['delete'] as $identity => $state) { $this->remove_openid_association($user, $identity); } } else if ($_GET['openid_mode'] == 'id_res') { $consumer = $this->getConsumer(); $response = $consumer->complete($this->_self('openid')); // set session variable depending on authentication result if ($response->status == Auth_OpenID_SUCCESS) { $openid = isset($_GET['openid1_claimed_id']) ? $_GET['openid1_claimed_id'] : $_GET['openid_claimed_id']; if (empty($openid)) { msg("Can't find OpenID claimed ID.", -1); return false; } if (isset($user) && !preg_match('!^https?://!', $user)) { $result = $this->register_openid_association($user, $openid); if ($result) { msg($this->getLang('openid_identity_added'), 1); } } else { $authenticate = $this->login_user($openid); if ($authenticate) { $log = array('message' => 'logged in temporarily', 'user' => $user); trigger_event('PLUGIN_LOGLOG_LOG', $log); // redirect to the page itself (without do=openid) $this->_redirect(wl($ID)); } } } else { msg($this->getLang('openid_authentication_failed') . ': ' . $response->message, -1); $log = array('message' => 'failed login attempt', 'user' => $user); trigger_event('PLUGIN_LOGLOG_LOG', $log); return; } } else if ($_GET['openid_mode'] == 'cancel') { // User cancelled the authentication msg($this->getLang('openid_authentication_canceled'), 0); return; // fall through to what ever action was called } } if ($this->getConf('openid_disable_registration') && $event->data == 'register') { $event->stopPropagation(); $event->preventDefault(); msg($this->getLang('openid_registration_denied'), -1); return; } if ($this->getConf('openid_disable_update_profile') && ($event->data == 'profile'||$event->data == 'resendpwd')) { $event->stopPropagation(); $event->preventDefault(); msg($this->getLang('openid_update_profile_denied'), -1); return; } return; // fall through to what ever action was called } /** * Create the OpenID login/complete forms */ function handle_act_unknown(&$event, $param) { global $auth, $ID; if ($event->data != 'openid') { return; } $event->stopPropagation(); $event->preventDefault(); $user = $_SERVER['REMOTE_USER']; if (empty($user)) { print $this->locale_xhtml('intro'); print '
', $this->getLang('openid_complete_text'), '
', NL; print '', sprintf($this->getLang('openid_complete_disabled_text'), wl($ID)), '
', NL; } } else if (!$this->getConf('openid_disable_update_profile')) { echo '' . $this->getLang('none') . '
'; } echo '$msg
", $this->_self('openid')); $pos = $event->data->findPositionByAttribute('type', 'submit'); $event->data->addHTML($msg, $pos+2); } function handle_profile_form(&$event, $param) { echo '', sprintf($this->getLang('manage_link'), $this->_self('openid')), '
'; } /** * Gets called when a OpenID login was succesful * * We store available userinfo in Session and Cookie */ function login_user($openid) { global $USERINFO, $auth, $conf; // look for associations passed from an auth backend in user infos $users = $auth->retrieveUsers(); foreach ($users as $id => $user) { if (isset($user['openids'])) { foreach ($user['openids'] as $identity) { if ($identity == $openid) { return $this->update_session($id); } } } } $associations = $this->get_associations(); // this openid is associated with a real wiki user account if (isset($associations[$openid])) { $user = $associations[$openid]; return $this->update_session($user); } // no real wiki user account associated // note that the generated cookie is invalid and will be invalided // when the 'auth_security_timeout' expire $this->update_session($openid); $redirect_url = $this->_self('openid'); $sregs = array('email', 'nickname', 'fullname'); foreach ($sregs as $sreg) { if (!empty($_GET["openid_sreg_$sreg"])) { $redirect_url .= "&$sreg=" . urlencode($_GET["openid_sreg_$sreg"]); } } // we will advice the user to register a real user account $this->_redirect($redirect_url); } /** * Register the user in DokuWiki user conf, * write the OpenID association in the OpenID conf */ function register_user() { global $ID, $lang, $conf, $auth, $openid_associations; if(!$auth->canDo('addUser')) return false; $_POST['login'] = $_POST['nickname']; // clean username $_POST['login'] = preg_replace('/.*:/','',$_POST['login']); $_POST['login'] = cleanID($_POST['login']); // clean fullname and email $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['fullname'])); $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['email'])); if (empty($_POST['login']) || empty($_POST['fullname']) || empty($_POST['email'])) { msg($lang['regmissing'], -1); return false; } else if (!mail_isvalid($_POST['email'])) { msg($lang['regbadmail'], -1); return false; } // okay try to create the user if (!$auth->createUser($_POST['login'], auth_pwgen(), $_POST['fullname'], $_POST['email'])) { msg($lang['reguexists'], -1); return false; } $user = $_POST['login']; $openid = $_SERVER['REMOTE_USER']; // we update the OpenID associations array $this->register_openid_association($user, $openid); $this->update_session($user); $log = array('message' => 'logged in permanently', 'user' => $user); trigger_event('PLUGIN_LOGLOG_LOG', $log); // account created, everything OK $this->_redirect(wl($ID)); } /** * Update user sessions * * Note that this doesn't play well with DokuWiki 'auth_security_timeout' configuration. * * So, you better set it to an high value, like '60*60*24', the user being disconnected * in that case one day after authentication */ function update_session($user) { session_start(); global $USERINFO, $INFO, $conf, $auth; $_SERVER['REMOTE_USER'] = $user; $USERINFO = $auth->getUserData($user); if (empty($USERINFO)) { $USERINFO['pass'] = 'invalid'; $USERINFO['name'] = 'OpenID'; $USERINFO['grps'] = array($conf['defaultgroup'], 'openid'); } $pass = auth_encrypt($USERINFO['pass'], auth_cookiesalt()); auth_setCookie($user, $pass, false); // auth data has changed, reinit the $INFO array $INFO = pageinfo(); return true; } function register_openid_association($user, $openid) { $associations = $this->get_associations(); if (isset($associations[$openid])) { msg($this->getLang('openid_already_user_error'), -1); return false; } $associations[$openid] = $user; $this->write_openid_associations($associations); return true; } function remove_openid_association($user, $openid) { $associations = $this->get_associations(); if (isset($associations[$openid]) && $associations[$openid] == $user) { unset($associations[$openid]); $this->write_openid_associations($associations); return true; } return false; } function write_openid_associations($associations) { $cfg = ' $login) { $cfg .= '$openid_associations["' . addslashes($id) . '"] = "' . addslashes($login) . '"' . ";\n"; } file_put_contents(DOKU_CONF.'openid.php', $cfg); $this->openid_associations = $associations; } function get_associations($username = null) { if (isset($this->openid_associations)) { $openid_associations = $this->openid_associations; } else if (file_exists(DOKU_CONF.'openid.php')) { // load OpenID associations array $openid_associations = array(); include(DOKU_CONF.'openid.php'); $this->openid_associations = $openid_associations; } else { $this->openid_associations = $openid_associations = $openid_associations = array(); } // Maybe is there a better way to filter the array if (!empty($username)) { $user_openid_associations = array(); foreach ((array)$openid_associations as $openid => $login) { if ($username == $login) { $user_openid_associations[$openid] = $login; } } return $user_openid_associations; } return $openid_associations; } }