X-Git-Url: https://code.citadel.org/?a=blobdiff_plain;f=citadel%2Fmodules%2Fopenid%2Fserv_openid_rp.c;h=93d2ca0ed05ea5fe8dcadeb72835815f39fa5f62;hb=2f2a94fdbc2c109240ff62de5cbe4eb1671020b5;hp=f757765ccf8f709d8fa2f3ccadb50563f7691cdc;hpb=12054cbcdac65ec73b0df57e2989c05632dc0ea5;p=citadel.git diff --git a/citadel/modules/openid/serv_openid_rp.c b/citadel/modules/openid/serv_openid_rp.c index f757765cc..93d2ca0ed 100644 --- a/citadel/modules/openid/serv_openid_rp.c +++ b/citadel/modules/openid/serv_openid_rp.c @@ -66,7 +66,6 @@ enum { }; - void Free_ctdl_openid(ctdl_openid **FreeMe) { if (*FreeMe == NULL) { @@ -352,12 +351,7 @@ void populate_vcard_from_sreg(HashList *sreg_keys) { void cmd_oidc(char *argbuf) { ctdl_openid *oiddata = (ctdl_openid *) CC->openid_data; - if (!oiddata) { - cprintf("%d You have not verified an OpenID yet.\n", ERROR); - return; - } - - if (!oiddata->verified) { + if ( (!oiddata) || (!oiddata->verified) ) { cprintf("%d You have not verified an OpenID yet.\n", ERROR); return; } @@ -415,7 +409,6 @@ void cmd_oidd(char *argbuf) { } - /* * Attempt to auto-create a new Citadel account using the nickname from Simple Registration Extension */ @@ -688,7 +681,7 @@ int parse_xrds_document(StrBuf *ReplyBuf) { struct xrds xrds; int return_value = 0; - // syslog(LOG_DEBUG, "\033[32m --- XRDS DOCUMENT --- \n%s\033[0m", ChrPtr(ReplyBuf)); + syslog(LOG_DEBUG, "\033[32m --- XRDS DOCUMENT --- \n%s\033[0m", ChrPtr(ReplyBuf)); memset(&xrds, 0, sizeof (struct xrds)); xrds.selected_service_priority = INT_MAX; @@ -855,8 +848,6 @@ void cmd_oids(char *argbuf) { StrBuf *ArgBuf = NULL; StrBuf *ReplyBuf = NULL; StrBuf *return_to = NULL; - StrBuf *trust_root = NULL; - StrBuf *openid_delegate = NULL; StrBuf *RedirectUrl = NULL; ctdl_openid *oiddata; int discovery_succeeded = 0; @@ -876,16 +867,13 @@ void cmd_oids(char *argbuf) { oiddata->verified = 0; oiddata->claimed_id = NewStrBufPlain(NULL, StrLength(ArgBuf)); - trust_root = NewStrBufPlain(NULL, StrLength(ArgBuf)); return_to = NewStrBufPlain(NULL, StrLength(ArgBuf)); StrBufExtract_NextToken(oiddata->claimed_id, ArgBuf, &Pos, '|'); StrBufExtract_NextToken(return_to, ArgBuf, &Pos, '|'); - StrBufExtract_NextToken(trust_root, ArgBuf, &Pos, '|'); syslog(LOG_DEBUG, "User-Supplied Identifier is: %s", ChrPtr(oiddata->claimed_id)); - /********** OpenID 2.0 section 7.3 - Discovery **********/ /* Section 7.3.1 says we have to attempt XRI based discovery. @@ -906,46 +894,54 @@ void cmd_oids(char *argbuf) { * If we get to this point we are in possession of a valid OpenID Provider URL. */ syslog(LOG_DEBUG, "OP URI '%s' discovered using method %d", - ChrPtr(oiddata->claimed_id), + ChrPtr(oiddata->op_url), discovery_succeeded ); - /* Empty delegate is legal; we just use the openid_url instead */ - if (StrLength(openid_delegate) == 0) { - StrBufPlain(openid_delegate, SKEY(oiddata->claimed_id)); + /* We have to "normalize" our Claimed ID otherwise it will cause some OP's to barf */ + if (cbmstrcasestr(ChrPtr(oiddata->claimed_id), "://") == NULL) { + StrBuf *cid = oiddata->claimed_id; + oiddata->claimed_id = NewStrBufPlain(HKEY("http://")); + StrBufAppendBuf(oiddata->claimed_id, cid, 0); + FreeStrBuf(&cid); } - /* Assemble a URL to which the user-agent will be redirected. */ + /* + * OpenID 2.0 section 9: request authentication + * Assemble a URL to which the user-agent will be redirected. + */ RedirectUrl = NewStrBufDup(oiddata->op_url); - - StrBufAppendBufPlain(RedirectUrl, HKEY("?openid.mode=checkid_setup&openid.identity="), 0); - StrBufUrlescAppend(RedirectUrl, openid_delegate, NULL); - + + StrBufAppendBufPlain(RedirectUrl, HKEY("?openid.ns=http:%2F%2Fspecs.openid.net%2Fauth%2F2.0"), 0); + + StrBufAppendBufPlain(RedirectUrl, HKEY("&openid.mode=checkid_setup"), 0); + + StrBufAppendBufPlain(RedirectUrl, HKEY("&openid.claimed_id="), 0); + StrBufUrlescAppend(RedirectUrl, oiddata->claimed_id, NULL); + + StrBufAppendBufPlain(RedirectUrl, HKEY("&openid.identity="), 0); + StrBufUrlescAppend(RedirectUrl, oiddata->claimed_id, NULL); + StrBufAppendBufPlain(RedirectUrl, HKEY("&openid.return_to="), 0); StrBufUrlescAppend(RedirectUrl, return_to, NULL); - - StrBufAppendBufPlain(RedirectUrl, HKEY("&openid.trust_root="), 0); - StrBufUrlescAppend(RedirectUrl, trust_root, NULL); - + +/* StrBufAppendBufPlain(RedirectUrl, HKEY("&openid.sreg.optional="), 0); StrBufUrlescAppend(RedirectUrl, NULL, "nickname,email,fullname,postcode,country,dob,gender"); +*/ + syslog(LOG_DEBUG, "\033[36m%s\033[0m", ChrPtr(RedirectUrl)); cprintf("%d %s\n", CIT_OK, ChrPtr(RedirectUrl)); } FreeStrBuf(&ArgBuf); FreeStrBuf(&ReplyBuf); FreeStrBuf(&return_to); - FreeStrBuf(&trust_root); - FreeStrBuf(&openid_delegate); FreeStrBuf(&RedirectUrl); } - - - /* * Finalize an OpenID authentication */ @@ -962,7 +958,7 @@ void cmd_oidf(char *argbuf) { return; } if (StrLength(oiddata->op_url) == 0){ - cprintf("%d need a remote server to authenticate against\n", ERROR + ILLEGAL_VALUE); + cprintf("%d No OpenID Endpoint URL has been obtained.\n", ERROR + ILLEGAL_VALUE); return; } keys = NewHash(1, NULL); @@ -974,16 +970,44 @@ void cmd_oidf(char *argbuf) { while (client_getln(buf, sizeof buf), strcmp(buf, "000")) { len = extract_token(thiskey, buf, 0, '|', sizeof thiskey); - if (len < 0) + if (len < 0) { len = sizeof(thiskey) - 1; + } extract_token(thisdata, buf, 1, '|', sizeof thisdata); syslog(LOG_DEBUG, "%s: ["SIZE_T_FMT"] %s", thiskey, strlen(thisdata), thisdata); Put(keys, thiskey, len, strdup(thisdata), NULL); } + /* Check to see if this is a correct response */ + + /* oooh, really bad juju here. we're just accepting the assertion without validating it. */ + oiddata->verified = 1; + + char *openid_ns = NULL; + if ( (!GetHash(keys, "ns", 2, (void *) &openid_ns)) + || (strcasecmp(openid_ns, "http://specs.openid.net/auth/2.0")) + ) { + syslog(LOG_DEBUG, "This is not an an OpenID assertion"); + oiddata->verified = 0; + } + + char *openid_mode = NULL; + if ( (!GetHash(keys, "mode", 4, (void *) &openid_mode)) + || (strcasecmp(openid_mode, "id_res")) + ) { + oiddata->verified = 0; + } + + char *openid_claimed_id = NULL; + if (GetHash(keys, "claimed_id", 10, (void *) &openid_claimed_id)) { + FreeStrBuf(&oiddata->claimed_id); + oiddata->claimed_id = NewStrBufPlain(openid_claimed_id, -1); + syslog(LOG_DEBUG, "Provider is asserting the Claimed ID '%s'", ChrPtr(oiddata->claimed_id)); + } +#if 0 /* Now that we have all of the parameters, we have to validate the signature against the server */ - syslog(LOG_DEBUG, "About to validate the signature..."); + syslog(LOG_DEBUG, "Validating signature..."); CURL *curl; CURLcode res; @@ -1064,12 +1088,17 @@ void cmd_oidf(char *argbuf) { curl_easy_cleanup(curl); curl_formfree(formpost); + + // syslog(LOG_DEBUG, "\033[36m --- VALIDATION REPLY ---\n%s\033[0m", ChrPtr(ReplyBuf)); + + if (cbmstrcasestr(ChrPtr(ReplyBuf), "is_valid:true")) { oiddata->verified = 1; } FreeStrBuf(&ReplyBuf); syslog(LOG_DEBUG, "Authentication %s.", (oiddata->verified ? "succeeded" : "failed") ); +#endif /* Respond to the client */