X-Git-Url: https://code.citadel.org/?a=blobdiff_plain;f=citadel%2Fmodules%2Fopenid%2Fserv_openid_rp.c;h=2e65c1acc2bdb76136603fe1cfed967e24529c7b;hb=8c47559cb5ae97ec0fa35660ee16fd61a9451c72;hp=d9111246d957a3bae1b0d9b4cdb64e5f650a475e;hpb=67be936581ba15d10bb9f644fad2550d9d83395f;p=citadel.git diff --git a/citadel/modules/openid/serv_openid_rp.c b/citadel/modules/openid/serv_openid_rp.c index d9111246d..2e65c1acc 100644 --- a/citadel/modules/openid/serv_openid_rp.c +++ b/citadel/modules/openid/serv_openid_rp.c @@ -1,8 +1,23 @@ /* * $Id$ * - * OpenID 1.1 "relying party" implementation + * This is an implementation of OpenID 1.1 Relying Party support, in stateless mode. * + * Copyright (c) 2007-2009 by the citadel.org team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "sysdep.h" @@ -31,18 +46,420 @@ #include #include #include "ctdl_module.h" +#include "config.h" +#include "citserver.h" +#include "user_ops.h" + +struct ctdl_openid { + char claimed_id[1024]; + char server[1024]; + int verified; + HashList *sreg_keys; +}; -struct associate_handle { - char claimed_id[256]; - char assoc_type[32]; - time_t expires_in; - char assoc_handle[128]; - char mac_key[128]; -}; +/**************************************************************************/ +/* */ +/* Functions in this section handle Citadel internal OpenID mapping stuff */ +/* */ +/**************************************************************************/ + + +/* + * The structure of an openid record *key* is: + * + * |--------------claimed_id-------------| + * (actual length of claimed id) + * + * + * The structure of an openid record *value* is: + * + * |-----user_number----|------------claimed_id---------------| + * (sizeof long) (actual length of claimed id) + * + */ + + + +/* + * Attach an OpenID to a Citadel account + */ +int attach_openid(struct ctdluser *who, char *claimed_id) +{ + struct cdbdata *cdboi; + long fetched_usernum; + char *data; + int data_len; + char buf[2048]; + + if (!who) return(1); + if (!claimed_id) return(1); + if (IsEmptyStr(claimed_id)) return(1); + + /* Check to see if this OpenID is already in the database */ + + cdboi = cdb_fetch(CDB_OPENID, claimed_id, strlen(claimed_id)); + if (cdboi != NULL) { + memcpy(&fetched_usernum, cdboi->ptr, sizeof(long)); + cdb_free(cdboi); + + if (fetched_usernum == who->usernum) { + CtdlLogPrintf(CTDL_INFO, "%s already associated; no action is taken\n", claimed_id); + return(0); + } + else { + CtdlLogPrintf(CTDL_INFO, "%s already belongs to another user\n", claimed_id); + return(3); + } + } + + /* Not already in the database, so attach it now */ + + data_len = sizeof(long) + strlen(claimed_id) + 1; + data = malloc(data_len); + + memcpy(data, &who->usernum, sizeof(long)); + memcpy(&data[sizeof(long)], claimed_id, strlen(claimed_id) + 1); + + cdb_store(CDB_OPENID, claimed_id, strlen(claimed_id), data, data_len); + free(data); + + snprintf(buf, sizeof buf, "User <%s> (#%ld) has claimed the OpenID URL %s\n", + who->fullname, who->usernum, claimed_id); + aide_message(buf, "OpenID claim"); + CtdlLogPrintf(CTDL_INFO, "%s", buf); + return(0); +} + + + +/* + * When a user is being deleted, we have to delete any OpenID associations + */ +void openid_purge(struct ctdluser *usbuf) { + struct cdbdata *cdboi; + HashList *keys = NULL; + HashPos *HashPos; + char *deleteme = NULL; + long len; + void *Value; + const char *Key; + long usernum = 0L; + + keys = NewHash(1, NULL); + if (!keys) return; + + + cdb_rewind(CDB_OPENID); + while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) { + if (cdboi->len > sizeof(long)) { + memcpy(&usernum, cdboi->ptr, sizeof(long)); + if (usernum == usbuf->usernum) { + deleteme = strdup(cdboi->ptr + sizeof(long)), + Put(keys, deleteme, strlen(deleteme), deleteme, generic_free_handler); + } + } + cdb_free(cdboi); + } + + /* Go through the hash list, deleting keys we stored in it */ + + HashPos = GetNewHashPos(keys, 0); + while (GetNextHashPos(keys, HashPos, &len, &Key, &Value)!=0) + { + CtdlLogPrintf(CTDL_DEBUG, "Deleting associated OpenID <%s>\n", Value); + cdb_delete(CDB_OPENID, Value, strlen(Value)); + /* note: don't free(Value) -- deleting the hash list will handle this for us */ + } + DeleteHashPos(&HashPos); + DeleteHash(&keys); +} + + + +/* + * List the OpenIDs associated with the currently logged in account + */ +void cmd_oidl(char *argbuf) { + struct cdbdata *cdboi; + long usernum = 0L; + + if (CtdlAccessCheck(ac_logged_in)) return; + cdb_rewind(CDB_OPENID); + cprintf("%d Associated OpenIDs:\n", LISTING_FOLLOWS); + + while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) { + if (cdboi->len > sizeof(long)) { + memcpy(&usernum, cdboi->ptr, sizeof(long)); + if (usernum == CC->user.usernum) { + cprintf("%s\n", cdboi->ptr + sizeof(long)); + } + } + cdb_free(cdboi); + } + cprintf("000\n"); +} + + +/* + * List ALL OpenIDs in the database + */ +void cmd_oida(char *argbuf) { + struct cdbdata *cdboi; + long usernum; + struct ctdluser usbuf; + + if (CtdlAccessCheck(ac_aide)) return; + cdb_rewind(CDB_OPENID); + cprintf("%d List of all OpenIDs in the database:\n", LISTING_FOLLOWS); + + while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) { + if (cdboi->len > sizeof(long)) { + memcpy(&usernum, cdboi->ptr, sizeof(long)); + if (getuserbynumber(&usbuf, usernum) != 0) { + usbuf.fullname[0] = 0; + } + cprintf("%s|%ld|%s\n", + cdboi->ptr + sizeof(long), + usernum, + usbuf.fullname + ); + } + cdb_free(cdboi); + } + cprintf("000\n"); +} + + +/* + * Attempt to register (populate the vCard) the currently-logged-in user + * using the data from Simple Registration Extension, if present. + */ +void populate_vcard_from_sreg(HashList *sreg_keys) { + + struct vCard *v; + int pop = 0; /* number of fields populated */ + char *data = NULL; + char *postcode = NULL; + char *country = NULL; + + if (!sreg_keys) return; + v = vcard_new(); + if (!v) return; + + if (GetHash(sreg_keys, "identity", 8, (void *) &data)) { + vcard_add_prop(v, "url;type=openid", data); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.email", 10, (void *) &data)) { + vcard_add_prop(v, "email;internet", data); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.nickname", 13, (void *) &data)) { + vcard_add_prop(v, "nickname", data); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.fullname", 13, (void *) &data)) { + char n[256]; + vcard_add_prop(v, "fn", data); + vcard_fn_to_n(n, data, sizeof n); + vcard_add_prop(v, "n", n); + ++pop; + } + + if (!GetHash(sreg_keys, "sreg.postcode", 13, (void *) &postcode)) { + postcode = NULL; + } + + if (!GetHash(sreg_keys, "sreg.country", 12, (void *) &country)) { + country = NULL; + } + + if (postcode || country) { + char adr[256]; + snprintf(adr, sizeof adr, ";;;;;%s;%s", + (postcode ? postcode : ""), + (country ? country : "") + ); + vcard_add_prop(v, "adr", adr); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.dob", 8, (void *) &data)) { + vcard_add_prop(v, "bday", data); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.gender", 11, (void *) &data)) { + vcard_add_prop(v, "x-funambol-gender", data); + ++pop; + } + + /* Only save the vCard if there is some useful data in it */ + if (pop > 0) { + char *ser; + ser = vcard_serialize(v); + if (ser) { + CtdlWriteObject(USERCONFIGROOM, "text/x-vcard", + ser, strlen(ser)+1, &CC->user, 0, 0, 0 + ); + free(ser); + } + } + vcard_free(v); +} + + +/* + * Create a new user account, manually specifying the name, after successfully + * verifying an OpenID (which will of course be attached to the account) + */ +void cmd_oidc(char *argbuf) { + struct ctdl_openid *oiddata = (struct ctdl_openid *) CC->openid_data; + + if (!oiddata) { + cprintf("%d You have not verified an OpenID yet.\n", ERROR); + return; + } + + if (!oiddata->verified) { + cprintf("%d You have not verified an OpenID yet.\n", ERROR); + return; + } + + /* We can make the semantics of OIDC exactly the same as NEWU, simply + * by _calling_ cmd_newu() and letting it run. Very clever! + */ + cmd_newu(argbuf); + + /* Now, if this logged us in, we have to attach the OpenID */ + if (CC->logged_in) { + attach_openid(&CC->user, oiddata->claimed_id); + if (oiddata->sreg_keys != NULL) { + populate_vcard_from_sreg(oiddata->sreg_keys); + } + } + +} + + + + +/* + * Detach an OpenID from the currently logged in account + */ +void cmd_oidd(char *argbuf) { + struct cdbdata *cdboi; + char id_to_detach[1024]; + int this_is_mine = 0; + long usernum = 0L; + + if (CtdlAccessCheck(ac_logged_in)) return; + extract_token(id_to_detach, argbuf, 0, '|', sizeof id_to_detach); + if (IsEmptyStr(id_to_detach)) { + cprintf("%d An empty OpenID URL is not allowed.\n", ERROR + ILLEGAL_VALUE); + } + + cdb_rewind(CDB_OPENID); + while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) { + if (cdboi->len > sizeof(long)) { + memcpy(&usernum, cdboi->ptr, sizeof(long)); + if (usernum == CC->user.usernum) { + this_is_mine = 1; + } + } + cdb_free(cdboi); + } + + if (!this_is_mine) { + cprintf("%d That OpenID was not found or not associated with your account.\n", + ERROR + ILLEGAL_VALUE); + return; + } + + cdb_delete(CDB_OPENID, id_to_detach, strlen(id_to_detach)); + cprintf("%d %s detached from your account.\n", CIT_OK, id_to_detach); +} + + + +/* + * Attempt to auto-create a new Citadel account using the nickname from Simple Registration Extension + */ +int openid_create_user_via_sreg(char *claimed_id, HashList *sreg_keys) +{ + char *desired_name = NULL; + char new_password[32]; + + if (config.c_auth_mode != AUTHMODE_NATIVE) return(1); + if (config.c_disable_newu) return(2); + if (CC->logged_in) return(3); + if (!GetHash(sreg_keys, "sreg.nickname", 13, (void *) &desired_name)) return(4); + + CtdlLogPrintf(CTDL_DEBUG, "The desired account name is <%s>\n", desired_name); + + if (!getuser(&CC->user, desired_name)) { + CtdlLogPrintf(CTDL_DEBUG, "<%s> is already taken by another user.\n", desired_name); + memset(&CC->user, 0, sizeof(struct ctdluser)); + return(5); + } + + /* The desired account name is available. Create the account and log it in! */ + if (create_user(desired_name, 1)) return(6); + + snprintf(new_password, sizeof new_password, "%08lx%08lx", random(), random()); + CtdlSetPassword(new_password); + attach_openid(&CC->user, claimed_id); + populate_vcard_from_sreg(sreg_keys); + return(0); +} + + +/* + * If a user account exists which is associated with the Claimed ID, log it in and return zero. + * Otherwise it returns nonzero. + */ +int login_via_openid(char *claimed_id) +{ + struct cdbdata *cdboi; + long usernum = 0; + + cdboi = cdb_fetch(CDB_OPENID, claimed_id, strlen(claimed_id)); + if (cdboi == NULL) { + return(-1); + } + + memcpy(&usernum, cdboi->ptr, sizeof(long)); + cdb_free(cdboi); + + if (!getuserbynumber(&CC->user, usernum)) { + /* Now become the user we just created */ + safestrncpy(CC->curr_user, CC->user.fullname, sizeof CC->curr_user); + do_login(); + return(0); + } + else { + memset(&CC->user, 0, sizeof(struct ctdluser)); + return(-1); + } +} + + + + +/**************************************************************************/ +/* */ +/* Functions in this section handle OpenID protocol */ +/* */ +/**************************************************************************/ + + /* * Locate a tag and, given its 'rel=' parameter, return its 'href' parameter */ @@ -58,12 +475,12 @@ void extract_link(char *target_buf, int target_size, char *rel, char *source_buf while (ptr = bmstrcasestr(ptr, "'); @@ -139,17 +556,18 @@ size_t fh_callback(void *ptr, size_t size, size_t nmemb, void *stream) fh->total_bytes_received += got_bytes; } - return got_bytes; + return (size * nmemb); /* always succeed; libcurl doesn't need to know if we truncated it */ } /* - * Begin an HTTP fetch (returns number of bytes actually fetched, or -1 for error) - * We first try 'curl' or 'wget' because they have more robust HTTP handling, and also - * support HTTPS. If neither one works, we fall back to a built in mini HTTP client. + * Begin an HTTP fetch (returns number of bytes actually fetched, or -1 for error) using libcurl. + * + * If 'normalize_len' is nonzero, the caller is specifying the buffer size of 'url', and is + * requesting that the effective (normalized) URL be copied back to it. */ -int fetch_http(char *url, char *target_buf, int maxbytes) +int fetch_http(char *url, char *target_buf, int maxbytes, int normalize_len) { CURL *curl; CURLcode res; @@ -159,6 +577,7 @@ int fetch_http(char *url, char *target_buf, int maxbytes) 0, maxbytes }; + char *effective_url = NULL; if (!url) return(-1); if (!target_buf) return(-1); @@ -177,157 +596,84 @@ int fetch_http(char *url, char *target_buf, int maxbytes) curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fh_callback); curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errmsg); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1); - +#ifdef CURLOPT_HTTP_CONTENT_DECODING + curl_easy_setopt(curl, CURLOPT_HTTP_CONTENT_DECODING, 1); + curl_easy_setopt(curl, CURLOPT_ENCODING, ""); +#endif + curl_easy_setopt(curl, CURLOPT_USERAGENT, CITADEL); + curl_easy_setopt(curl, CURLOPT_TIMEOUT, 180); /* die after 180 seconds */ + if (!IsEmptyStr(config.c_ip_addr)) { + curl_easy_setopt(curl, CURLOPT_INTERFACE, config.c_ip_addr); + } res = curl_easy_perform(curl); if (res) { - CtdlLogPrintf(CTDL_ALERT, "libcurl error %d: %s\n", res, errmsg); + CtdlLogPrintf(CTDL_DEBUG, "fetch_http() libcurl error %d: %s\n", res, errmsg); + } + if (normalize_len > 0) { + curl_easy_getinfo(curl, CURLINFO_EFFECTIVE_URL, &effective_url); + safestrncpy(url, effective_url, normalize_len); } - curl_easy_cleanup(curl); return fh.total_bytes_received; } -#define ASSOCIATE_RESPONSE_SIZE 4096 - -/* - * libcurl callback function for prepare_openid_associate_request() - */ -size_t associate_callback(void *ptr, size_t size, size_t nmemb, void *stream) -{ - char *response = (char *) stream; - int got_bytes = (size * nmemb); - int len = strlen(response); - - if ((len + got_bytes + 1) < ASSOCIATE_RESPONSE_SIZE) { - memcpy(&response[len], ptr, got_bytes); - response[len+got_bytes] = 0; - } - - return got_bytes; -} - - -/* - * Process the response from an "associate" request - */ -struct associate_handle *process_associate_response(char *claimed_id, char *associate_response) -{ - struct associate_handle *h = NULL; - - h = (struct associate_handle *) malloc(sizeof(struct associate_handle)); - safestrncpy(h->claimed_id, claimed_id, sizeof h->claimed_id); - - - - - // FIXME finish this - - - return h; -} - - - -/* - * Establish a shared secret with an OpenID Identity Provider by sending - * an "associate" request. - */ -struct associate_handle *prepare_openid_associate_request( - char *claimed_id, char *openid_server, char *openid_delegate) -{ - CURL *curl; - CURLcode res; - struct curl_httppost *formpost=NULL; - struct curl_httppost *lastptr=NULL; - char associate_response[ASSOCIATE_RESPONSE_SIZE]; - struct associate_handle *h = NULL; - - memset(associate_response, 0, ASSOCIATE_RESPONSE_SIZE); - - curl_formadd(&formpost, - &lastptr, - CURLFORM_COPYNAME, "openid.mode", - CURLFORM_COPYCONTENTS, "associate", - CURLFORM_END - ); - - curl_formadd(&formpost, - &lastptr, - CURLFORM_COPYNAME, "openid.session_type", - CURLFORM_COPYCONTENTS, "", - CURLFORM_END - ); - - curl = curl_easy_init(); - if (curl) { - curl_easy_setopt(curl, CURLOPT_URL, openid_server); - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); - curl_easy_setopt(curl, CURLOPT_WRITEDATA, associate_response); - curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, associate_callback); - curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1); - - curl_easy_setopt(curl, CURLOPT_HTTPPOST, formpost); - res = curl_easy_perform(curl); - h = process_associate_response(claimed_id, associate_response); - curl_easy_cleanup(curl); - } - curl_formfree(formpost); - - return h; -} - - - - - /* - * Begin the first portion of an OpenID checkid_setup operation. + * Setup an OpenID authentication */ -void cmd_oid1(char *argbuf) { - char openid_url[1024]; +void cmd_oids(char *argbuf) { char return_to[1024]; char trust_root[1024]; int i; char buf[SIZ]; - struct associate_handle *h = NULL; + struct CitContext *CCC = CC; /* CachedCitContext - performance boost */ + struct ctdl_openid *oiddata; - if (CC->logged_in) { - cprintf("%d Already logged in.\n", ERROR + ALREADY_LOGGED_IN); + oiddata = (struct ctdl_openid *) CCC->openid_data; + + if (oiddata != NULL) { + if (oiddata->sreg_keys != NULL) { + DeleteHash(&oiddata->sreg_keys); + oiddata->sreg_keys = NULL; + } + free(CCC->openid_data); + } + oiddata = malloc(sizeof(struct ctdl_openid)); + if (oiddata == NULL) { + cprintf("%d malloc failed\n", ERROR + INTERNAL_ERROR); return; } + memset(oiddata, 0, sizeof(struct ctdl_openid)); + CCC->openid_data = (void *) oiddata; - extract_token(openid_url, argbuf, 0, '|', sizeof openid_url); + extract_token(oiddata->claimed_id, argbuf, 0, '|', sizeof oiddata->claimed_id); extract_token(return_to, argbuf, 1, '|', sizeof return_to); extract_token(trust_root, argbuf, 2, '|', sizeof trust_root); + oiddata->verified = 0; - i = fetch_http(openid_url, buf, sizeof buf - 1); + i = fetch_http(oiddata->claimed_id, buf, sizeof buf - 1, sizeof oiddata->claimed_id); + CtdlLogPrintf(CTDL_DEBUG, "Normalized URL and Claimed ID is: %s\n", oiddata->claimed_id); buf[sizeof buf - 1] = 0; if (i > 0) { - char openid_server[1024]; char openid_delegate[1024]; - extract_link(openid_server, sizeof openid_server, "openid.server", buf); + extract_link(oiddata->server, sizeof oiddata->server, "openid.server", buf); extract_link(openid_delegate, sizeof openid_delegate, "openid.delegate", buf); - if (IsEmptyStr(openid_server)) { + if (IsEmptyStr(oiddata->server)) { cprintf("%d There is no OpenID identity provider at this URL.\n", ERROR); return; } /* Empty delegate is legal; we just use the openid_url instead */ if (IsEmptyStr(openid_delegate)) { - safestrncpy(openid_delegate, openid_url, sizeof openid_delegate); + safestrncpy(openid_delegate, oiddata->claimed_id, sizeof openid_delegate); } - /* Prepare an "associate" request */ - h = prepare_openid_associate_request(openid_url, openid_server, openid_delegate); - - /* Now we know where to redirect to. */ + /* Assemble a URL to which the user-agent will be redirected. */ char redirect_string[4096]; - char escaped_identity[1024]; - char escaped_return_to[1024]; + char escaped_identity[512]; + char escaped_return_to[2048]; char escaped_trust_root[1024]; char escaped_sreg_optional[256]; @@ -335,18 +681,21 @@ void cmd_oid1(char *argbuf) { urlesc(escaped_return_to, sizeof escaped_return_to, return_to); urlesc(escaped_trust_root, sizeof escaped_trust_root, trust_root); urlesc(escaped_sreg_optional, sizeof escaped_sreg_optional, - "nickname,email,fullname,postcode,country"); + "nickname,email,fullname,postcode,country,dob,gender"); snprintf(redirect_string, sizeof redirect_string, "%s" "?openid.mode=checkid_setup" - "&openid_identity=%s" + "&openid.identity=%s" "&openid.return_to=%s" "&openid.trust_root=%s" "&openid.sreg.optional=%s" , - openid_server, escaped_identity, escaped_return_to, - escaped_trust_root, escaped_sreg_optional + oiddata->server, + escaped_identity, + escaped_return_to, + escaped_trust_root, + escaped_sreg_optional ); cprintf("%d %s\n", CIT_OK, redirect_string); return; @@ -359,15 +708,263 @@ void cmd_oid1(char *argbuf) { -/* To insert this module into the server activate the next block by changing the #if 0 to #if 1 */ +/* + * Finalize an OpenID authentication + */ +void cmd_oidf(char *argbuf) { + char buf[2048]; + char thiskey[1024]; + char thisdata[1024]; + HashList *keys = NULL; + struct ctdl_openid *oiddata = (struct ctdl_openid *) CC->openid_data; + + keys = NewHash(1, NULL); + if (!keys) { + cprintf("%d NewHash() failed\n", ERROR + INTERNAL_ERROR); + return; + } + + cprintf("%d Transmit OpenID data now\n", START_CHAT_MODE); + + while (client_getln(buf, sizeof buf), strcmp(buf, "000")) { + extract_token(thiskey, buf, 0, '|', sizeof thiskey); + extract_token(thisdata, buf, 1, '|', sizeof thisdata); + CtdlLogPrintf(CTDL_DEBUG, "%s: [%d] %s\n", thiskey, strlen(thisdata), thisdata); + Put(keys, thiskey, strlen(thiskey), strdup(thisdata), generic_free_handler); + } + + + /* Now that we have all of the parameters, we have to validate the signature against the server */ + CtdlLogPrintf(CTDL_DEBUG, "About to validate the signature...\n"); + + CURL *curl; + CURLcode res; + struct curl_httppost *formpost = NULL; + struct curl_httppost *lastptr = NULL; + char errmsg[1024] = ""; + char *o_assoc_handle = NULL; + char *o_sig = NULL; + char *o_signed = NULL; + int num_signed_values; + int i; + char k_keyname[128]; + char k_o_keyname[128]; + char *k_value = NULL; + char valbuf[1024]; + + struct fh_data fh = { + valbuf, + 0, + sizeof valbuf + }; + + curl_formadd(&formpost, &lastptr, + CURLFORM_COPYNAME, "openid.mode", + CURLFORM_COPYCONTENTS, "check_authentication", + CURLFORM_END); + CtdlLogPrintf(CTDL_DEBUG, "%25s : %s\n", "openid.mode", "check_authentication"); + + if (GetHash(keys, "assoc_handle", 12, (void *) &o_assoc_handle)) { + curl_formadd(&formpost, &lastptr, + CURLFORM_COPYNAME, "openid.assoc_handle", + CURLFORM_COPYCONTENTS, o_assoc_handle, + CURLFORM_END); + CtdlLogPrintf(CTDL_DEBUG, "%25s : %s\n", "openid.assoc_handle", o_assoc_handle); + } + + if (GetHash(keys, "sig", 3, (void *) &o_sig)) { + curl_formadd(&formpost, &lastptr, + CURLFORM_COPYNAME, "openid.sig", + CURLFORM_COPYCONTENTS, o_sig, + CURLFORM_END); + CtdlLogPrintf(CTDL_DEBUG, "%25s : %s\n", "openid.sig", o_sig); + } + + if (GetHash(keys, "signed", 6, (void *) &o_signed)) { + curl_formadd(&formpost, &lastptr, + CURLFORM_COPYNAME, "openid.signed", + CURLFORM_COPYCONTENTS, o_signed, + CURLFORM_END); + CtdlLogPrintf(CTDL_DEBUG, "%25s : %s\n", "openid.signed", o_signed); + + num_signed_values = num_tokens(o_signed, ','); + for (i=0; iserver); + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, &fh); + curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fh_callback); + curl_easy_setopt(curl, CURLOPT_HTTPPOST, formpost); + curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errmsg); + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1); +#ifdef CURLOPT_HTTP_CONTENT_DECODING + curl_easy_setopt(curl, CURLOPT_HTTP_CONTENT_DECODING, 1); + curl_easy_setopt(curl, CURLOPT_ENCODING, ""); +#endif + curl_easy_setopt(curl, CURLOPT_USERAGENT, CITADEL); + curl_easy_setopt(curl, CURLOPT_TIMEOUT, 180); /* die after 180 seconds */ + if (!IsEmptyStr(config.c_ip_addr)) { + curl_easy_setopt(curl, CURLOPT_INTERFACE, config.c_ip_addr); + } + + res = curl_easy_perform(curl); + if (res) { + CtdlLogPrintf(CTDL_DEBUG, "cmd_oidf() libcurl error %d: %s\n", res, errmsg); + } + curl_easy_cleanup(curl); + curl_formfree(formpost); + + valbuf[fh.total_bytes_received] = 0; + + if (bmstrcasestr(valbuf, "is_valid:true")) { + oiddata->verified = 1; + } + + CtdlLogPrintf(CTDL_DEBUG, "Authentication %s.\n", (oiddata->verified ? "succeeded" : "failed") ); + + /* Respond to the client */ + + if (oiddata->verified) { + + /* If we were already logged in, attach the OpenID to the user's account */ + if (CC->logged_in) { + if (attach_openid(&CC->user, oiddata->claimed_id) == 0) { + cprintf("attach\n"); + CtdlLogPrintf(CTDL_DEBUG, "OpenID attach succeeded\n"); + } + else { + cprintf("fail\n"); + CtdlLogPrintf(CTDL_DEBUG, "OpenID attach failed\n"); + } + } + + /* Otherwise, a user is attempting to log in using the verified OpenID */ + else { + /* + * Existing user who has claimed this OpenID? + * + * Note: if you think that sending the password back over the wire is insecure, + * check your assumptions. If someone has successfully asserted an OpenID that + * is associated with the account, they already have password equivalency and can + * login, so they could just as easily change the password, etc. + */ + if (login_via_openid(oiddata->claimed_id) == 0) { + cprintf("authenticate\n%s\n%s\n", CC->user.fullname, CC->user.password); + logged_in_response(); + CtdlLogPrintf(CTDL_DEBUG, "Logged in using previously claimed OpenID\n"); + } + + /* + * If this system does not allow self-service new user registration, the + * remaining modes do not apply, so fail here and now. + */ + else if (config.c_disable_newu) { + cprintf("fail\n"); + CtdlLogPrintf(CTDL_DEBUG, "Creating user failed due to local policy\n"); + } + + /* + * New user whose OpenID is verified and Simple Registration Extension is in use? + */ + else if (openid_create_user_via_sreg(oiddata->claimed_id, keys) == 0) { + cprintf("authenticate\n%s\n%s\n", CC->user.fullname, CC->user.password); + logged_in_response(); + CtdlLogPrintf(CTDL_DEBUG, "Successfully auto-created new user\n"); + } + + /* + * OpenID is verified, but the desired username either was not specified or + * conflicts with an existing user. Manual account creation is required. + */ + else { + char *desired_name = NULL; + cprintf("verify_only\n"); + cprintf("%s\n", oiddata->claimed_id); + if (GetHash(keys, "sreg.nickname", 13, (void *) &desired_name)) { + cprintf("%s\n", desired_name); + } + else { + cprintf("\n"); + } + CtdlLogPrintf(CTDL_DEBUG, "The desired Simple Registration name is already taken.\n"); + } + } + } + else { + cprintf("fail\n"); + } + cprintf("000\n"); + + if (oiddata->sreg_keys != NULL) { + DeleteHash(&oiddata->sreg_keys); + oiddata->sreg_keys = NULL; + } + oiddata->sreg_keys = keys; +} + + + +/**************************************************************************/ +/* */ +/* Functions in this section handle module initialization and shutdown */ +/* */ +/**************************************************************************/ + + +/* + * This cleanup function blows away the temporary memory used by this module. + */ +void openid_cleanup_function(void) { + struct ctdl_openid *oiddata = (struct ctdl_openid *) CC->openid_data; + + if (oiddata != NULL) { + CtdlLogPrintf(CTDL_DEBUG, "Clearing OpenID session state\n"); + if (oiddata->sreg_keys != NULL) { + DeleteHash(&oiddata->sreg_keys); + oiddata->sreg_keys = NULL; + } + free(oiddata); + } +} + + CTDL_MODULE_INIT(openid_rp) { - if (!threading) - { + if (!threading) { curl_global_init(CURL_GLOBAL_ALL); - CtdlRegisterProtoHook(cmd_oid1, "OID1", "Begin OpenID checkid_setup operation"); + + /* Only enable the OpenID command set when native mode authentication is in use. */ + if (config.c_auth_mode == AUTHMODE_NATIVE) { + CtdlRegisterProtoHook(cmd_oids, "OIDS", "Setup OpenID authentication"); + CtdlRegisterProtoHook(cmd_oidf, "OIDF", "Finalize OpenID authentication"); + CtdlRegisterProtoHook(cmd_oidl, "OIDL", "List OpenIDs associated with an account"); + CtdlRegisterProtoHook(cmd_oidd, "OIDD", "Detach an OpenID from an account"); + CtdlRegisterProtoHook(cmd_oidc, "OIDC", "Create new user after validating OpenID"); + CtdlRegisterProtoHook(cmd_oida, "OIDA", "List all OpenIDs in the database"); + } + CtdlRegisterSessionHook(openid_cleanup_function, EVT_LOGOUT); + CtdlRegisterUserHook(openid_purge, EVT_PURGEUSER); } - /* return our Subversion id for the Log */ - return "$Id$"; + /* return our Subversion id for the Log */ + return "$Id$"; }