[Fusionforge-commits] r12887 - in trunk/src/plugins/authopenid: . 3rd-party include www

Olivier Berger olberger at fusionforge.org
Tue Mar 22 16:18:02 CET 2011


Author: olberger
Date: 2011-03-22 16:18:01 +0100 (Tue, 22 Mar 2011)
New Revision: 12887

Added:
   trunk/src/plugins/authopenid/3rd-party/README
Modified:
   trunk/src/plugins/authopenid/README
   trunk/src/plugins/authopenid/include/AuthOpenIDPlugin.class.php
   trunk/src/plugins/authopenid/www/index.php
   trunk/src/plugins/authopenid/www/post-login.php
Log:
Finished work on OpenID for now

Added: trunk/src/plugins/authopenid/3rd-party/README
===================================================================
--- trunk/src/plugins/authopenid/3rd-party/README	                        (rev 0)
+++ trunk/src/plugins/authopenid/3rd-party/README	2011-03-22 15:18:01 UTC (rev 12887)
@@ -0,0 +1,3 @@
+This copy of the lightopenid library was downloaded in March 2011.
+ 
+http://code.google.com/p/lightopenid/
\ No newline at end of file

Modified: trunk/src/plugins/authopenid/README
===================================================================
--- trunk/src/plugins/authopenid/README	2011-03-22 07:45:51 UTC (rev 12886)
+++ trunk/src/plugins/authopenid/README	2011-03-22 15:18:01 UTC (rev 12887)
@@ -3,6 +3,26 @@
 
 This is meant to be the external OpenID authentication plugin for FusionForge.
 
+If the plugin is activated by a user in its account management page, then 
+he/she may login to FusionForge using OpenID (provided that the plugin is 
+activated on the whole site/forge, of course).
+
+Any number of OpenID identities (URLs) can be used by a forg user to authenticate.
+
+Only one user may use an OpenID identity simultaneously.
+
+OpenID identities must have been added through the account management's OpenID tab, 
+and are associated to the user, provided he/she owns them (i.e. can successfully 
+log-in to these URLs).
+
+The logged-in session is granted full privileges of the user, for now. 
+This should be improved in a later version, as OpenID may not be trusted for critical 
+operations on the forge.
+
+The code depends on the lightopenid library (http://code.google.com/p/lightopenid/)
+
+USE IT AT YOUR OWN RISKS : THIS IS JUST A VERY EARLY PLUGIN, AND NO SECURITY AUDIT WAS CONDUCTED !
+ 
 -- Olivier Berger
 
 Local Variables:

Modified: trunk/src/plugins/authopenid/include/AuthOpenIDPlugin.class.php
===================================================================
--- trunk/src/plugins/authopenid/include/AuthOpenIDPlugin.class.php	2011-03-22 07:45:51 UTC (rev 12886)
+++ trunk/src/plugins/authopenid/include/AuthOpenIDPlugin.class.php	2011-03-22 15:18:01 UTC (rev 12887)
@@ -151,25 +151,7 @@
 		}
 		return $user_name;
 	}
-	/**
-	 * What GFUser is logged in?
-	 * @param unknown_type $params
-	 */
-	/*
 
-	function closeAuthSession($params) {
-		$this->initCAS();
-
-		if ($this->isSufficient() || $this->isRequired()) {
-			$this->unsetSessionCookie();
-			// logs user out from CAS
-			// TODO : make it optional to not mess with other apps' SSO sessions with CAS
-			phpCAS::logoutWithRedirectService(util_make_url('/'));
-		} else {
-			return true;
-		}
-	}
-*/
 	/**
 	 * Terminate an authentication session
 	 * @param unknown_type $params
@@ -188,6 +170,10 @@
 	
 	}
 	
+	/**
+	 * Displays link to OpenID identities management tab in user's page ('usermenu' hook)
+	 * @param unknown_type $params
+	 */
 	public function usermenu($params) {
 		global $G_SESSION, $HTML;
 		$text = $this->text; // this is what shows in the tab
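Review bot: The new docblock carries `@param unknown_type $params`, an IDE placeholder rather than a type, so it documents nothing about the hook argument. The method body continues past the hunk and I cannot see how `$params` is used; if it is the usual hook parameter array, `@param array $params parameters passed by the 'usermenu' hook` would be accurate — confirm against the hook dispatcher before changing it. A `@return` line is also missing; add `@return void` if the method returns nothing.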

Modified: trunk/src/plugins/authopenid/www/index.php
===================================================================
--- trunk/src/plugins/authopenid/www/index.php	2011-03-22 07:45:51 UTC (rev 12886)
+++ trunk/src/plugins/authopenid/www/index.php	2011-03-22 15:18:01 UTC (rev 12887)
@@ -1,9 +1,36 @@
 <?php
 
+/** External authentication via OpenID for FusionForge
+ * Copyright 2011, Roland Mas
+ * Copyright 2011, Olivier Berger & Institut Telecom
+ *
+ * This program was developped in the frame of the COCLICO project
+ * (http://www.coclico-project.org/) with financial support of the Paris
+ * Region council.
+ *
+ * This file is part of FusionForge
+ *
+ * This plugin, like FusionForge, is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * FusionForge is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with FusionForge; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  US
+ * 
+ */
 
 require_once ('../../../www/env.inc.php');
 require_once $gfcommon.'include/pre.php';
 
+// from lightopenid (http://code.google.com/p/lightopenid/)
+require_once 'openid.php';
 
 session_require_login();
 
@@ -17,9 +44,40 @@
 
 $openid_identity = htmlspecialchars(trim(getStringFromRequest('openid_identity', 'http://')));
 
-print_r($_GET);
-print_r($_POST);
+try {
+	
+	// initialize the OpenID lib handler which will read the posted args
+	$plugin->openid = new LightOpenID;
+	// check the 'openid_mode' that may be set on returning from OpenID provider
+	if($plugin->openid->mode) {
+		
+    	// or we are called back by the OpenID provider
+    	if($plugin->openid->mode == 'cancel') {
+        	$warning_msg .= _('User has canceled authentication. Identity not added.');
+    	} else {
+    	
+	    	// Authentication should have been attempted by OpenID provider
+    		if ($plugin->openid->validate()) {
+    			// If user successfully logged in to OpenID provider
+    			$res = db_query_params('INSERT INTO plugin_authopenid_user_identities (user_id, openid_identity) VALUES ($1,$2)',
+					array ($u->getID(),
+					$plugin->openid->identity)) ;
+				if (!$res || db_affected_rows($res) < 1) {
+					$error_msg = sprintf(_('Cannot insert new identity: %s'),
+						     db_error());
+				} else {
+					$feedback = _('Identity successfully added');
+					$openid_identity = 'http://';
+				}
+    		}
+    	}
+	}        
+} catch(ErrorException $e) {
+    $error_msg = 'OpenID error: '. $e->getMessage();
+    //exit(0);
+}
 
+// called to add a new identity
 if (getStringFromRequest('addidentity') != '') {
 	if ($openid_identity == '' || $openid_identity == 'http://') {
 		$error_msg = _('ERROR: Missing URL for the new identity');
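Review bot: The INSERT after `$plugin->openid->validate()` stores the identity the provider asserted (`$plugin->openid->identity`) without repeating the "identity already used by a forge user" check, which the next hunk runs only on the URL the user typed before the redirect; the asserted identity can differ from the typed one (normalisation, provider-chosen claimed id), and two users can pass the pre-redirect check concurrently, so the one-identity-one-user rule stated in the README is not enforced where the row is actually written. Re-run the lookup on the asserted identity immediately before the INSERT, or add a UNIQUE constraint on `openid_identity` and report the constraint violation as the error. The branch where `validate()` returns false also sets no message, so a failed or forged assertion leaves the user with a silent page; an `else` with an error message closes that gap. The commented-out `//exit(0);` in the catch block should be removed rather than left as dead code.
```php
// … unchanged: mode / cancel handling …
if ($plugin->openid->validate()) {
	$identity = $plugin->openid->identity;
	// Re-check uniqueness on the identity the provider actually asserted,
	// which need not equal the URL the user typed before the redirect.
	$res = db_query_params('SELECT user_id FROM plugin_authopenid_user_identities WHERE openid_identity = $1',
			       array($identity));
	if ($res && db_numrows($res) > 0) {
		$error_msg = _('ERROR: identity already used by a forge user.');
	} else {
		// … unchanged: INSERT of ($u->getID(), $identity) and feedback …
	}
} else {
	$error_msg = _('OpenID authentication failed. Identity not added.');
}
```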
@@ -31,15 +89,20 @@
 		if ($res && db_numrows($res) > 0) {
 			$error_msg = _('ERROR: identity already used by a forge user.');
 		} else {
-			$res = db_query_params('INSERT INTO plugin_authopenid_user_identities (user_id, openid_identity) VALUES ($1,$2)',
-					       array ($u->getID(),
-						      htmlspecialchars_decode($openid_identity))) ;
-			if (!$res || db_affected_rows($res) < 1) {
-				$error_msg = sprintf(_('Cannot insert new identity: %s'),
-						     db_error());
-			} else {
-				$feedback = _('Identity successfully added');
-				$openid_identity = 'http://';
+			
+			// TODO : redirect and check that the identity is authorized for the user
+			try {
+	
+				// initialize the OpenID lib handler which will read the posted args
+				$plugin->openid = new LightOpenID;
+				// check the 'openid_mode' that may be set on returning from OpenID provider
+				
+            	$plugin->openid->identity = htmlspecialchars_decode($openid_identity);
+            	session_redirect_external($plugin->openid->authUrl());
+            	
+        	} catch(ErrorException $e) {
+    			$error_msg = 'OpenID error: '. $e->getMessage();
+    			//exit(0);
 			}
 		}
 	}
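Review bot: The comment `// check the 'openid_mode' that may be set on returning from OpenID provider` inside the new try block is copied from the callback branch and describes nothing here — the block only assigns `identity` and redirects, and the callback is handled earlier in the file. Replace it with `// redirect to the provider; the identity is stored only once the callback has been validated`, and drop the commented-out `//exit(0);` in the catch. The `TODO` above the block is then already addressed by the callback handler and can be reworded or removed.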
@@ -107,7 +170,6 @@
 
 echo $HTML->boxBottom();
 
-
 site_user_footer(array());
 
 // Local Variables:

Modified: trunk/src/plugins/authopenid/www/post-login.php
===================================================================
--- trunk/src/plugins/authopenid/www/post-login.php	2011-03-22 07:45:51 UTC (rev 12886)
+++ trunk/src/plugins/authopenid/www/post-login.php	2011-03-22 15:18:01 UTC (rev 12887)
@@ -1,22 +1,19 @@
 <?php
-/**
- * FusionForge AuthCas login page
+/** External authentication via OpenID for FusionForge
+ * Copyright 2011, Roland Mas
+ * Copyright 2011, Olivier Berger & Institut Telecom
  *
- * This is main login page. It takes care of different account states
- * (by disallowing logging in with non-active account, with appropriate
- * notice).
+ * This program was developped in the frame of the COCLICO project
+ * (http://www.coclico-project.org/) with financial support of the Paris
+ * Region council.
  *
- * Copyright 1999-2001 (c) VA Linux Systems
- * Copyright 2011, Roland Mas
- * Copyright 2011 Olivier Berger & Institut Telecom
+ * This file is part of FusionForge
  *
- * This file is part of FusionForge.
+ * This plugin, like FusionForge, is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
  *
- * FusionForge is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
  * FusionForge is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
@@ -24,7 +21,8 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with FusionForge; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  US
+ * 
  */
 
 // FIXME : WTF ?!?!?!?
@@ -65,8 +63,14 @@
 		
 		// We're just called by the login form : redirect to the OpenID provider
         if(isset($_POST['openid_identifier'])) {
-            $plugin->openid->identity = $_POST['openid_identifier'];
-            session_redirect_external($plugin->openid->authUrl());
+        	$openid_identifier = $_POST['openid_identifier'];
+        	if($plugin->getUserNameFromOpenIDIdentity($openid_identifier)) {
+            	$plugin->openid->identity = $openid_identifier;
+            	session_redirect_external($plugin->openid->authUrl());
+        	}
+        	else {
+        		$warning_msg = _('No such OpenID identity registered yet');
+        	}
         }
         
     // or we are called back by the OpenID provider
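Review bot: The new lookup `getUserNameFromOpenIDIdentity($openid_identifier)` runs on the raw POSTed identifier before any authentication, so an anonymous request to the login form learns whether a given OpenID URL is registered to a forge account; the same check is repeated after the provider callback (next hunk), so the early one adds only a friendlier message. Either drop the pre-redirect check and rely on the post-callback branch, or keep it but return a message that does not distinguish registered from unregistered identities. The comparison also uses the identifier as typed, while the stored value is what the provider asserted at registration time, so a trailing slash or scheme difference could reject a legitimate user before the redirect — worth confirming against how identities are stored. Whether `$warning_msg` set here reaches `display_login_page()` is outside the hunk.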
@@ -84,7 +88,13 @@
 	    		
 	    		$username = $plugin->getUserNameFromOpenIDIdentity($plugin->openid->identity);
 				if ($username) {
-					$user = $plugin->startSession($username);
+					$user_tmp = user_get_object_by_name($username);
+					if($user_tmp->usesPlugin($plugin->name)) {
+						$user = $plugin->startSession($username);
+					}
+					else {
+						$warning_msg = _('OpenID plugin not activated for the user account');
+					}
 				}
 			
 				if($user) {
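Review bot: When the account has not activated the plugin, `$user` is never assigned (the removed line always set it), so the `if($user) ... else` that starts on the last line of this hunk and continues in the next one falls into its else branch and the `$warning_msg = sprintf(_("Unknown user with identity '%s'") ...)` assignment there overwrites the 'OpenID plugin not activated' message set just above. Initialise `$user = false;` before the identity lookup and make the fallback conditional, `} elseif (!$username) {`, so each message survives. `user_get_object_by_name()` may also return a non-object for a stale identity row (I cannot see its contract from here); guarding with `if (is_object($user_tmp) && $user_tmp->usesPlugin($plugin->name)) {` avoids a fatal error on `->usesPlugin`. The same fix covers the `.=`-to-`=` change in the following hunk.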
@@ -98,7 +108,7 @@
 					}
 				}
 				else {
-					$warning_msg .= sprintf (_("Unknown user with identity '%s'"),$plugin->openid->identity);
+					$warning_msg = sprintf (_("Unknown user with identity '%s'"),$plugin->openid->identity);
 				}
 	    	}
 		}
@@ -108,7 +118,7 @@
 	display_login_page($return_to, $triggered);
         
 } catch(ErrorException $e) {
-    echo $e->getMessage();
+    echo 'OpenID error'. $e->getMessage();
 }
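Review bot: `echo 'OpenID error'. $e->getMessage();` writes the exception text into the page unescaped, and the message of a LightOpenID `ErrorException` can include content received from the provider or the discovered URL, so it should be escaped for HTML output; it also lacks a separator after 'error'. Use `echo 'OpenID error: ' . htmlspecialchars($e->getMessage());`. The corresponding catch in index.php assigns the message to `$error_msg` instead, so its escaping depends on how the layout renders that variable — worth confirming.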
 // Local Variables:
 // mode: php



