From acaf07f6e8c873e0069e84dac74bac3c7da98a97 Mon Sep 17 00:00:00 2001 From: Craig Andrews Date: Fri, 30 Oct 2009 13:21:11 -0400 Subject: [PATCH] Added an "Verify Your Identity" page to the OpenID provider --- classes/statusnet.ini | 10 ++ plugins/OpenID/OpenIDPlugin.php | 9 ++ plugins/OpenID/User_openid_trustroot.php | 29 +++++ plugins/OpenID/openidserver.php | 24 +++- plugins/OpenID/openidtrust.php | 142 +++++++++++++++++++++++ 5 files changed, 212 insertions(+), 2 deletions(-) create mode 100644 plugins/OpenID/User_openid_trustroot.php create mode 100644 plugins/OpenID/openidtrust.php diff --git a/classes/statusnet.ini b/classes/statusnet.ini index 7931c7bcdf..623790b100 100644 --- a/classes/statusnet.ini +++ b/classes/statusnet.ini @@ -537,6 +537,16 @@ modified = 384 canonical = K display = U +[user_openid_trustroot] +trustroot = 130 +user_id = 129 +created = 142 +modified = 384 + +[user_openid__keys] +trustroot = K +user_id = K + [user_role] user_id = 129 role = 130 diff --git a/plugins/OpenID/OpenIDPlugin.php b/plugins/OpenID/OpenIDPlugin.php index 5ebee2cbe4..02fc79b040 100644 --- a/plugins/OpenID/OpenIDPlugin.php +++ b/plugins/OpenID/OpenIDPlugin.php @@ -150,6 +150,7 @@ class OpenIDPlugin extends Plugin case 'PublicxrdsAction': case 'OpenidsettingsAction': case 'OpenidserverAction': + case 'OpenidtrustAction': require_once(INSTALLDIR.'/plugins/OpenID/' . strtolower(mb_substr($cls, 0, -6)) . '.php'); return false; case 'User_openid': @@ -286,6 +287,14 @@ class OpenIDPlugin extends Plugin new ColumnDef('created', 'datetime', null, false), new ColumnDef('modified', 'timestamp'))); + $schema->ensureTable('user_openid_trustroot', + array(new ColumnDef('trustroot', 'varchar', + '255', false, 'PRI'), + new ColumnDef('user_id', 'integer', + null, false, 'PRI'), + new ColumnDef('created', 'datetime', + null, false), + new ColumnDef('modified', 'timestamp'))); return true; } } diff --git a/plugins/OpenID/User_openid_trustroot.php b/plugins/OpenID/User_openid_trustroot.php new file mode 100644 index 0000000000..4654b72df7 --- /dev/null +++ b/plugins/OpenID/User_openid_trustroot.php @@ -0,0 +1,29 @@ +mode, array('checkid_immediate', 'checkid_setup'))) { $cur = common_current_user(); - error_log("Request identity: " . $request->identity); if(!$cur){ /* Go log in, and then come back. */ common_set_returnto($_SERVER['REQUEST_URI']); common_redirect(common_local_url('login')); return; }else if(common_profile_url($cur->nickname) == $request->identity || $request->idSelect()){ - $response = &$request->answer(true, null, common_profile_url($cur->nickname)); + $user_openid_trustroot = User_openid_trustroot::pkeyGet( + array('user_id'=>$cur->id, 'trustroot'=>$request->trustroot)); + if(empty($user_openid_trustroot)){ + if($request->immediate){ + //cannot prompt the user to trust this trust root in immediate mode, so answer false + $response = &$request->answer(false); + }else{ + //ask the user to trust this trust root + $_SESSION['openid_trust_root'] = $request->trust_root; + $allowResponse = $request->answer(true, null, common_profile_url($cur->nickname)); + $denyResponse = $request->answer(false); + common_ensure_session(); + $_SESSION['openid_allow_url'] = $allowResponse->encodeToUrl(); + $_SESSION['openid_deny_url'] = $denyResponse->encodeToUrl(); + common_redirect(common_local_url('openidtrust')); + return; + } + }else{ + //user has previously authorized this trust root + $response = &$request->answer(true, null, common_profile_url($cur->nickname)); + } } else if ($request->immediate) { $response = &$request->answer(false); } else { diff --git a/plugins/OpenID/openidtrust.php b/plugins/OpenID/openidtrust.php new file mode 100644 index 0000000000..29c7bdc23c --- /dev/null +++ b/plugins/OpenID/openidtrust.php @@ -0,0 +1,142 @@ +. + */ + +if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); } + +require_once INSTALLDIR.'/plugins/OpenID/openid.php'; +require_once(INSTALLDIR.'/plugins/OpenID/User_openid_trustroot.php'); + +class OpenidtrustAction extends Action +{ + var $trust_root; + var $allowUrl; + var $denyUrl; + var $user; + + /** + * Is this a read-only action? + * + * @return boolean false + */ + + function isReadOnly($args) + { + return false; + } + + /** + * Title of the page + * + * @return string title of the page + */ + + function title() + { + return _('OpenID Identity Verification'); + } + + function prepare($args) + { + parent::prepare($args); + common_ensure_session(); + $this->user = common_current_user(); + if(empty($this->user)){ + /* Go log in, and then come back. */ + common_set_returnto($_SERVER['REQUEST_URI']); + common_redirect(common_local_url('login')); + return; + } + $this->trust_root = $_SESSION['openid_trust_root']; + $this->allowUrl = $_SESSION['openid_allow_url']; + $this->denyUrl = $_SESSION['openid_deny_url']; + if(empty($this->trust_root) || empty($this->allowUrl) || empty($this->denyUrl)){ + $this->clientError(_('This page should only be reached during OpenID processing, not directly.')); + return; + } + return true; + } + + function handle($args) + { + parent::handle($args); + if($_SERVER['REQUEST_METHOD'] == 'POST'){ + $this->handleSubmit(); + }else{ + $this->showPage(); + } + } + + function handleSubmit() + { + unset($_SESSION['openid_trust_root']); + unset($_SESSION['openid_allow_url']); + unset($_SESSION['openid_deny_url']); + if($this->arg('allow')) + { + //save to database + $user_openid_trustroot = new User_openid_trustroot(); + $user_openid_trustroot->user_id = $this->user->id; + $user_openid_trustroot->trustroot = $this->trust_root; + $user_openid_trustroot->created = DB_DataObject_Cast::dateTime(); + if (!$user_openid_trustroot->insert()) { + $err = PEAR::getStaticProperty('DB_DataObject','lastError'); + common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__); + } + common_redirect($this->allowUrl, $code=302); + }else{ + common_redirect($this->denyUrl, $code=302); + } + } + + /** + * Show page notice + * + * Display a notice for how to use the page, or the + * error if it exists. + * + * @return void + */ + + function showPageNotice() + { + $this->element('p',null,sprintf(_('%s has asked to verify your identity. Click Continue to verify your identity and login without creating a new password.'),$this->trust_root)); + } + + /** + * Core of the display code + * + * Shows the login form. + * + * @return void + */ + + function showContent() + { + $this->elementStart('form', array('method' => 'post', + 'id' => 'form_openidtrust', + 'class' => 'form_settings', + 'action' => common_local_url('openidtrust'))); + $this->elementStart('fieldset'); + $this->submit('allow', _('Continue')); + $this->submit('deny', _('Cancel')); + + $this->elementEnd('fieldset'); + $this->elementEnd('form'); + } +}