Fixed bug #12706: OpenID redirects to wrong page and does not create a BE session...
[Packages/TYPO3.CMS.git] / typo3 / sysext / openid / sv1 / class.tx_openid_sv1.php
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 2008-2009 Dmitry Dulepov <dmitry@typo3.org>
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 *
17 * This script is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * This copyright notice MUST APPEAR in all copies of the script!
23 ***************************************************************/
24 /**
25 * [CLASS/FUNCTION INDEX of SCRIPT]
26 *
27 *
28 *
29 * 57: class tx_openid_sv1 extends t3lib_svbase
30 * 92: public function init()
31 * 119: public function initAuth($subType, array $loginData, array $authenticationInformation, t3lib_userAuth &$parentObject)
32 * 139: public function getUser()
33 * 176: public function authUser(array $userRecord)
34 * 221: protected function includePHPOpenIDLibrary()
35 * 250: protected function getUserRecord($openIDIdentifier)
36 * 273: protected function getOpenIDConsumer()
37 * 300: protected function sendOpenIDRequest()
38 * 368: protected function getReturnURL()
39 * 414: protected function writeLog($message)
40 *
41 * TOTAL FUNCTIONS: 10
42 * (This index is automatically created/updated by the extension "extdeveval")
43 *
44 */
45
46 require_once(PATH_t3lib . 'class.t3lib_svbase.php');
47
48 /**
49 * Service "OpenID Authentication" for the "openid" extension.
50 *
51 * $Id$
52 *
53 * @author Dmitry Dulepov <dmitry@typo3.org>
54 * @package TYPO3
55 * @subpackage tx_openid
56 */
57 class tx_openid_sv1 extends t3lib_svbase {
58 /** Class name */
59 public $prefixId = 'tx_openid_sv1'; // Same as class name
60
61 /** Path to this script relative to the extension directory */
62 public $scriptRelPath = 'sv1/class.tx_openid_sv1.php';
63
64 /** The extension key */
65 public $extKey = 'openid';
66
67 /** Login data as passed to initAuth() */
68 protected $loginData = array();
69
70 /**
71 * Additional authentication information provided by t3lib_userAuth. We use
72 * it to decide what database table contains user records.
73 */
74 protected $authenticationInformation = array();
75
76 /**
77 * OpenID response object. It is initialized when OpenID provider returns
78 * with success/failure response to us.
79 *
80 * @var Auth_OpenID_ConsumerResponse
81 */
82 protected $openIDResponse = null;
83
84 /**
85 * A reference to the calling object
86 *
87 * @var t3lib_userAuth
88 */
89 protected $parentObject;
90
91 /**
92 * If set to true, than libraries are already included.
93 */
94 protected static $openIDLibrariesIncluded = false;
95
96 /**
97 * Contructs the OpenID authentication service.
98 */
99 public function __construct() {
100 // Auth_Yadis_Yadis::getHTTPFetcher() will use a cURL fetcher if the functionality
101 // is available in PHP, however the TYPO3 setting is not considered here:
102 if (!defined('Auth_Yadis_CURL_OVERRIDE')) {
103 if (!$GLOBALS['TYPO3_CONF_VARS']['SYS']['curlUse']) {
104 define('Auth_Yadis_CURL_OVERRIDE', true);
105 }
106 }
107 }
108
109 /**
110 * Checks if service is available,. In case of this service we check that
111 * prerequesties for "PHP OpenID" libraries are fulfilled:
112 * - GMP or BCMATH PHP extensions are installed and functional
113 * - set_include_path() PHP function is available
114 *
115 * @return boolean true if service is available
116 */
117 public function init() {
118 $available = false;
119 if (extension_loaded('gmp')) {
120 $available = is_callable('gmp_init');
121 } elseif (extension_loaded('bcmath')) {
122 $available = is_callable('bcadd');
123 } else {
124 $this->writeLog('Neither bcmath, nor gmp PHP extension found. OpenID authentication will not be available.');
125 }
126 // We also need set_include_path() PHP function
127 if (!is_callable('set_include_path')) {
128 $available = false;
129 $this->writeDevLog('set_include_path() PHP function is not available. OpenID authentication is disabled.');
130 }
131 return $available ? parent::init() : false;
132 }
133
134 /**
135 * Initializes authentication for this service.
136 *
137 * @param string $subType: Subtype for authentication (either "getUserFE" or "getUserBE")
138 * @param array $loginData: Login data submitted by user and preprocessed by t3lib/class.t3lib_userauth.php
139 * @param array $authenticationInformation: Additional TYPO3 information for authentication services (unused here)
140 * @param t3lib_userAuth $parentObject: Calling object
141 * @return void
142 */
143 public function initAuth($subType, array $loginData, array $authenticationInformation, t3lib_userAuth &$parentObject) {
144 // Store login and authetication data
145 $this->loginData = $loginData;
146 $this->authenticationInformation = $authenticationInformation;
147 // If we are here after authentication by the OpenID server, get its response.
148 if (t3lib_div::_GP('tx_openid_mode') == 'finish' && $this->openIDResponse == null) {
149 $this->includePHPOpenIDLibrary();
150 $openIDConsumer = $this->getOpenIDConsumer();
151 $this->openIDResponse = $openIDConsumer->complete($this->getReturnURL());
152 }
153 $this->parentObject = $parentObject;
154 }
155
156 /**
157 * This function returns the user record back to the t3lib_userAuth. it does not
158 * mean that user is authenticated, it means only that user is found. This
159 * function makes sure that user cannot be authenticated by any other service
160 * if user tries to use OpenID to authenticate.
161 *
162 * @return mixed User record (content of fe_users/be_users as appropriate for the current mode)
163 */
164 public function getUser() {
165 $userRecord = null;
166 if ($this->loginData['status'] == 'login') {
167 if ($this->openIDResponse instanceof Auth_OpenID_ConsumerResponse) {
168 // We are running inside the OpenID return script
169 // Note: we cannot use $this->openIDResponse->getDisplayIdentifier()
170 // because it may return a different identifier. For example,
171 // LiveJournal server converts all underscore characters in the
172 // original identfier to dashes.
173 if ($this->openIDResponse->status == Auth_OpenID_SUCCESS) {
174 $claimedOpenIDIdentifier = t3lib_div::_GP('tx_openid_claimed');
175 if ($claimedOpenIDIdentifier) {
176 $userRecord = $this->getUserRecord($claimedOpenIDIdentifier);
177 $this->writeLog('User \'%s\' logged in with OpenID \'%s\'',
178 $userRecord[$this->parentObject->formfield_uname], $claimedOpenIDIdentifier);
179 }
180 }
181 } else {
182 // Here if user just started authentication
183 $userRecord = $this->getUserRecord($this->loginData['uname']);
184 }
185 // The above function will return user record from the OpenID. It means that
186 // user actually tried to authenticate using his OpenID. In this case
187 // we must change the password in the record to a long random string so
188 // that this user cannot be authenticated with other service.
189 if (is_array($userRecord)) {
190 $userRecord[$this->authenticationInformation['db_user']['userident_column']] = uniqid($this->prefixId . chr(10), true);
191 }
192 }
193 return $userRecord;
194 }
195
196 /**
197 * Authenticates user using OpenID.
198 *
199 * @param array $userRecord User record
200 * @return int Code that shows if user is really authenticated.
201 * @see t3lib_userAuth::checkAuthentication()
202 */
203 public function authUser(array $userRecord) {
204 $result = 0; // 0 means authentication failure
205
206 if ($userRecord['tx_openid_openid'] == '') {
207 // If user does not have OpenID, let other services to try (code 100)
208 $result = 100;
209 } else {
210 // Check if user is identified by the OpenID
211 if ($this->openIDResponse instanceof Auth_OpenID_ConsumerResponse) {
212 // If we have a response, it means OpenID server tried to authenticate
213 // the user. Now we just look what is the status and provide
214 // corresponding response to the caller
215 if ($this->openIDResponse->status == Auth_OpenID_SUCCESS) {
216 // Success (code 200)
217 $result = 200;
218 } else {
219 $this->writeDevLog('OpenID authentication failed with code \'%s\'.',
220 $this->openIDResponse->status);
221 }
222 } else {
223 // We may need to send a request to the OpenID server.
224 // Check if the user identifier looks like OpenID user identifier first.
225 // Prevent PHP warning in case if identifiers is not an OpenID identifier
226 // (not an URL).
227 $urlParts = @parse_url($this->loginData['uname']);
228 if (is_array($urlParts) && $urlParts['scheme'] != '' && $urlParts['host']) {
229 // Yes, this looks like a good OpenID. Ask OpenID server (should not return)
230 $this->sendOpenIDRequest();
231 // If we are here, it means we have a valid OpenID but failed to
232 // contact the server. We stop authentication process.
233 // Alternatively it may mean that OpenID format is not correct.
234 // In both cases we return code 0 (complete failure)
235 } else {
236 $result = 100;
237 }
238 }
239 }
240
241 return $result;
242 }
243
244 /**
245 * Includes necessary files for the PHP OpenID library
246 *
247 * @return void
248 */
249 protected function includePHPOpenIDLibrary() {
250 if (!self::$openIDLibrariesIncluded) {
251
252 // Prevent further calls
253 self::$openIDLibrariesIncluded = true;
254
255 // PHP OpenID libraries requires adjustments of path settings
256 $oldIncludePath = get_include_path();
257 $phpOpenIDLibPath = t3lib_extMgm::extPath('openid') . 'lib/php-openid';
258 @set_include_path($phpOpenIDLibPath . PATH_SEPARATOR .
259 $phpOpenIDLibPath . PATH_SEPARATOR . 'Auth' .
260 PATH_SEPARATOR . $oldIncludePath);
261
262 // Make sure that random generator is properly set up. Constant could be
263 // defined by the previous inclusion of the file
264 if (!defined('Auth_OpenID_RAND_SOURCE')) {
265 if (TYPO3_OS == 'WIN') {
266 // No random generator on Windows!
267 define('Auth_OpenID_RAND_SOURCE', null);
268 } elseif (!is_readable('/dev/urandom')) {
269 if (is_readable('/dev/random')) {
270 define('Auth_OpenID_RAND_SOURCE', '/dev/random');
271 } else {
272 define('Auth_OpenID_RAND_SOURCE', null);
273 }
274 }
275 }
276
277 // Include files
278 require_once($phpOpenIDLibPath . '/Auth/OpenID/Consumer.php');
279 require_once($phpOpenIDLibPath . '/Auth/OpenID/FileStore.php');
280
281 // Restore path
282 @set_include_path($oldIncludePath);
283
284 if (!is_array($_SESSION)) {
285 // Yadis requires session but session is not initialized when
286 // processing Backend authentication
287 @session_start();
288 $this->writeLog('Session is initialized');
289 }
290 }
291 }
292
293 /**
294 * Gets user record for the user with the OpenID provided by the user
295 *
296 * @param string $openIDIdentifier OpenID identifier to search for
297 * @return array Database fields from the table that corresponds to the current login mode (FE/BE)
298 */
299 protected function getUserRecord($openIDIdentifier) {
300 $record = null;
301 if ($openIDIdentifier) {
302 list($record) = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('*',
303 $this->authenticationInformation['db_user']['table'],
304 'tx_openid_openid=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($openIDIdentifier, $this->authenticationInformation['db_user']['table']) .
305 $this->authenticationInformation['db_user']['check_pid_clause'] .
306 $this->authenticationInformation['db_user']['enable_clause']);
307 } else {
308 // This should never happen and generally means hack attempt.
309 // We just log it and do not return any records.
310 $this->writeLog('getUserRecord is called with the empty OpenID');
311 }
312 return $record;
313 }
314
315 /**
316 * Creates OpenID Consumer object with a TYPO3-specific store. This function
317 * is almost identical to the example from the PHP OpenID library.
318 * @todo use DB (or the caching framework) instead of the filesystem to store OpenID data
319 * @return Auth_OpenID_Consumer Consumer instance
320 */
321 protected function getOpenIDConsumer() {
322 // TODO Change this to a TYPO3-specific database-based store in future.
323 // File-based store is ineffective and insecure. After changing
324 // get rid of the FileStore include in includePHPOpenIDLibrary()
325 $openIDStorePath = PATH_site . 'typo3temp' . DIRECTORY_SEPARATOR . 'tx_openid';
326
327 // For now we just prevent any web access to these files
328 if (!file_exists($openIDStorePath . '/.htaccess')) {
329 file_put_contents($openIDStorePath . '/.htaccess', 'deny from all');
330 }
331 $openIDStore = new Auth_OpenID_FileStore($openIDStorePath);
332 return new Auth_OpenID_Consumer($openIDStore);
333 }
334
335 /**
336 * Sends request to the OpenID server to authenticate the user with the
337 * given ID. This function is almost identical to the example from the PHP
338 * OpenID library. Due to the OpenID specification we cannot do a slient login.
339 * Sometimes we have to redirect to the OpenID provider web site so that
340 * user can enter his password there. In this case we will redirect and provide
341 * a return adress to the special script inside this directory, which will
342 * handle the result appropriately.
343 *
344 * This function does not return on success. If it returns, it means something
345 * went totally wrong with OpenID.
346 *
347 * @return void
348 */
349 protected function sendOpenIDRequest() {
350 $this->includePHPOpenIDLibrary();
351
352 $openIDIdentifier = $this->loginData['uname'];
353
354 // Initialize OpenID client system, get the consumer
355 $openIDConsumer = $this->getOpenIDConsumer();
356
357 // Begin the OpenID authentication process
358 $authenticationRequest = $openIDConsumer->begin($openIDIdentifier);
359 if (!$authenticationRequest) {
360 // Not a valid OpenID. Since it can be some other ID, we just return
361 // and let other service handle it.
362 $this->writeLog('Could not create authentication request for OpenID identifier \'%s\'', $openIDIdentifier);
363 return;
364 }
365
366 // Redirect the user to the OpenID server for authentication.
367 // Store the token for this authentication so we can verify the
368 // response.
369
370 // For OpenID version 1, we *should* send a redirect. For OpenID version 2,
371 // we should use a Javascript form to send a POST request to the server.
372 $returnURL = $this->getReturnURL();
373 $trustedRoot = t3lib_div::getIndpEnv('TYPO3_SITE_URL');
374
375 if ($authenticationRequest->shouldSendRedirect()) {
376 $redirectURL = $authenticationRequest->redirectURL($trustedRoot, $returnURL);
377
378 // If the redirect URL can't be built, return. We can only return.
379 if (Auth_OpenID::isFailure($redirectURL)) {
380 $this->writeLog('Authentication request could not create redirect URL for OpenID identifier \'%s\'', $openIDIdentifier);
381 return;
382 }
383
384 // Send redirect. We use 303 code because it allows to redirect POST
385 // requests without resending the form. This is exactly what we need here.
386 // See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.4
387 @ob_end_clean();
388 t3lib_utility_Http::redirect($redirectURL, t3lib_utility_Http::HTTP_STATUS_303);
389 } else {
390 $formHtml = $authenticationRequest->htmlMarkup($trustedRoot,
391 $returnURL, false, array('id' => 'openid_message'));
392
393 // Display an error if the form markup couldn't be generated;
394 // otherwise, render the HTML.
395 if (Auth_OpenID::isFailure($formHtml)) {
396 // Form markup cannot be generated
397 $this->writeLog('Could not create form markup for OpenID identifier \'%s\'', $openIDIdentifier);
398 return;
399 } else {
400 @ob_end_clean();
401 echo $formHtml;
402 }
403 }
404 // If we reached this point, we must not return!
405 exit;
406 }
407
408 /**
409 * Creates return URL for the OpenID server. When a user is authenticated by
410 * the OpenID server, the user will be sent to this URL to complete
411 * authentication process with the current site. We send it to our script.
412 *
413 * @return string Return URL
414 */
415 protected function getReturnURL() {
416 if ($this->authenticationInformation['loginType'] == 'FE') {
417 // We will use eID to send user back, create session data and
418 // return to the calling page.
419 // Notice: 'pid' and 'logintype' parameter names cannot be changed!
420 // They are essential for FE user authentication.
421 $returnURL = 'index.php?eID=tx_openid&' .
422 'pid=' . $this->authenticationInformation['db_user']['checkPidList'] . '&' .
423 'logintype=login&';
424 } else {
425 // In the Backend we will use dedicated script to create session.
426 // It is much easier for the Backend to manage users.
427 // Notice: 'login_status' parameter name cannot be changed!
428 // It is essential for BE user authentication.
429 $absoluteSiteURL = substr(t3lib_div::getIndpEnv('TYPO3_SITE_URL'), strlen(t3lib_div::getIndpEnv('TYPO3_REQUEST_HOST')));
430 $returnURL = $absoluteSiteURL . TYPO3_mainDir . 'sysext/' . $this->extKey . '/class.tx_openid_return.php?login_status=login&';
431 }
432 if (t3lib_div::_GP('tx_openid_mode') == 'finish') {
433 $requestURL = t3lib_div::_GP('tx_openid_location');
434 $claimedIdentifier = t3lib_div::_GP('tx_openid_claimed');
435 } else {
436 $requestURL = t3lib_div::getIndpEnv('TYPO3_REQUEST_URL');
437 $claimedIdentifier = $this->loginData['uname'];
438 }
439 $returnURL .= 'tx_openid_location=' . rawurlencode($requestURL) . '&' .
440 'tx_openid_mode=finish&' .
441 'tx_openid_claimed=' . rawurlencode($claimedIdentifier);
442 return t3lib_div::locationHeaderUrl($returnURL);
443 }
444
445 /**
446 * Writes log message. Destination log depends on the current system mode.
447 * For FE the function writes to the admin panel log. For BE messages are
448 * sent to the system log. If developer log is enabled, messages are also
449 * sent there.
450 *
451 * This function accepts variable number of arguments and can format
452 * parameters. The syntax is the same as for sprintf()
453 *
454 * @param string $message Message to output
455 * @return void
456 * @see sprintf()
457 * @see t3lib::divLog()
458 * @see t3lib_div::sysLog()
459 * @see t3lib_timeTrack::setTSlogMessage()
460 */
461 protected function writeLog($message) {
462 if (func_num_args() > 1) {
463 $params = func_get_args();
464 array_shift($params);
465 $message = vsprintf($message, $params);
466 }
467 if (TYPO3_MODE == 'BE') {
468 t3lib_div::sysLog($message, $this->extKey, 1);
469 } else {
470 $GLOBALS['TT']->setTSlogMessage($message);
471 }
472 if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['enable_DLOG']) {
473 t3lib_div::devLog($message, $this->extKey, 1);
474 }
475 }
476 }
477
478 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/openid/sv1/class.tx_openid_sv1.php']) {
479 include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/openid/sv1/class.tx_openid_sv1.php']);
480 }
481
482 ?>