X-Git-Url: https://code.citadel.org/?a=blobdiff_plain;f=citadel%2Fmodules%2Fopenid%2Fserv_openid_rp.c;h=2e65c1acc2bdb76136603fe1cfed967e24529c7b;hb=8c47559cb5ae97ec0fa35660ee16fd61a9451c72;hp=f2b7e3d166500f053ae9dd0f35671e23ea11d417;hpb=ae57a3b5d4cb73eb840548c57677a1337dbf2892;p=citadel.git diff --git a/citadel/modules/openid/serv_openid_rp.c b/citadel/modules/openid/serv_openid_rp.c index f2b7e3d16..2e65c1acc 100644 --- a/citadel/modules/openid/serv_openid_rp.c +++ b/citadel/modules/openid/serv_openid_rp.c @@ -3,6 +3,21 @@ * * This is an implementation of OpenID 1.1 Relying Party support, in stateless mode. * + * Copyright (c) 2007-2009 by the citadel.org team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "sysdep.h" @@ -33,11 +48,13 @@ #include "ctdl_module.h" #include "config.h" #include "citserver.h" +#include "user_ops.h" struct ctdl_openid { char claimed_id[1024]; char server[1024]; - int validated; + int verified; + HashList *sreg_keys; }; @@ -55,7 +72,7 @@ struct ctdl_openid { * The structure of an openid record *key* is: * * |--------------claimed_id-------------| - * (auctual length of claimed id) + * (actual length of claimed id) * * * The structure of an openid record *value* is: @@ -66,6 +83,7 @@ struct ctdl_openid { */ + /* * Attach an OpenID to a Citadel account */ @@ -75,6 +93,7 @@ int attach_openid(struct ctdluser *who, char *claimed_id) long fetched_usernum; char *data; int data_len; + char buf[2048]; if (!who) return(1); if (!claimed_id) return(1); @@ -108,17 +127,55 @@ int attach_openid(struct ctdluser *who, char *claimed_id) cdb_store(CDB_OPENID, claimed_id, strlen(claimed_id), data, data_len); free(data); - CtdlLogPrintf(CTDL_INFO, "%s has been associated with %s (%ld)\n", - claimed_id, who->fullname, who->usernum); + snprintf(buf, sizeof buf, "User <%s> (#%ld) has claimed the OpenID URL %s\n", + who->fullname, who->usernum, claimed_id); + aide_message(buf, "OpenID claim"); + CtdlLogPrintf(CTDL_INFO, "%s", buf); return(0); } + /* * When a user is being deleted, we have to delete any OpenID associations */ void openid_purge(struct ctdluser *usbuf) { - /* FIXME finish this */ + struct cdbdata *cdboi; + HashList *keys = NULL; + HashPos *HashPos; + char *deleteme = NULL; + long len; + void *Value; + const char *Key; + long usernum = 0L; + + keys = NewHash(1, NULL); + if (!keys) return; + + + cdb_rewind(CDB_OPENID); + while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) { + if (cdboi->len > sizeof(long)) { + memcpy(&usernum, cdboi->ptr, sizeof(long)); + if (usernum == usbuf->usernum) { + deleteme = strdup(cdboi->ptr + sizeof(long)), + Put(keys, deleteme, strlen(deleteme), deleteme, generic_free_handler); + } + } + cdb_free(cdboi); + } + + /* Go through the hash list, deleting keys we stored in it */ + + HashPos = GetNewHashPos(keys, 0); + while (GetNextHashPos(keys, HashPos, &len, &Key, &Value)!=0) + { + CtdlLogPrintf(CTDL_DEBUG, "Deleting associated OpenID <%s>\n", Value); + cdb_delete(CDB_OPENID, Value, strlen(Value)); + /* note: don't free(Value) -- deleting the hash list will handle this for us */ + } + DeleteHashPos(&HashPos); + DeleteHash(&keys); } @@ -128,6 +185,7 @@ void openid_purge(struct ctdluser *usbuf) { */ void cmd_oidl(char *argbuf) { struct cdbdata *cdboi; + long usernum = 0L; if (CtdlAccessCheck(ac_logged_in)) return; cdb_rewind(CDB_OPENID); @@ -135,13 +193,264 @@ void cmd_oidl(char *argbuf) { while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) { if (cdboi->len > sizeof(long)) { - cprintf("%s\n", cdboi->ptr + sizeof(long)); + memcpy(&usernum, cdboi->ptr, sizeof(long)); + if (usernum == CC->user.usernum) { + cprintf("%s\n", cdboi->ptr + sizeof(long)); + } } + cdb_free(cdboi); } cprintf("000\n"); } +/* + * List ALL OpenIDs in the database + */ +void cmd_oida(char *argbuf) { + struct cdbdata *cdboi; + long usernum; + struct ctdluser usbuf; + + if (CtdlAccessCheck(ac_aide)) return; + cdb_rewind(CDB_OPENID); + cprintf("%d List of all OpenIDs in the database:\n", LISTING_FOLLOWS); + + while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) { + if (cdboi->len > sizeof(long)) { + memcpy(&usernum, cdboi->ptr, sizeof(long)); + if (getuserbynumber(&usbuf, usernum) != 0) { + usbuf.fullname[0] = 0; + } + cprintf("%s|%ld|%s\n", + cdboi->ptr + sizeof(long), + usernum, + usbuf.fullname + ); + } + cdb_free(cdboi); + } + cprintf("000\n"); +} + + +/* + * Attempt to register (populate the vCard) the currently-logged-in user + * using the data from Simple Registration Extension, if present. + */ +void populate_vcard_from_sreg(HashList *sreg_keys) { + + struct vCard *v; + int pop = 0; /* number of fields populated */ + char *data = NULL; + char *postcode = NULL; + char *country = NULL; + + if (!sreg_keys) return; + v = vcard_new(); + if (!v) return; + + if (GetHash(sreg_keys, "identity", 8, (void *) &data)) { + vcard_add_prop(v, "url;type=openid", data); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.email", 10, (void *) &data)) { + vcard_add_prop(v, "email;internet", data); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.nickname", 13, (void *) &data)) { + vcard_add_prop(v, "nickname", data); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.fullname", 13, (void *) &data)) { + char n[256]; + vcard_add_prop(v, "fn", data); + vcard_fn_to_n(n, data, sizeof n); + vcard_add_prop(v, "n", n); + ++pop; + } + + if (!GetHash(sreg_keys, "sreg.postcode", 13, (void *) &postcode)) { + postcode = NULL; + } + + if (!GetHash(sreg_keys, "sreg.country", 12, (void *) &country)) { + country = NULL; + } + + if (postcode || country) { + char adr[256]; + snprintf(adr, sizeof adr, ";;;;;%s;%s", + (postcode ? postcode : ""), + (country ? country : "") + ); + vcard_add_prop(v, "adr", adr); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.dob", 8, (void *) &data)) { + vcard_add_prop(v, "bday", data); + ++pop; + } + + if (GetHash(sreg_keys, "sreg.gender", 11, (void *) &data)) { + vcard_add_prop(v, "x-funambol-gender", data); + ++pop; + } + + /* Only save the vCard if there is some useful data in it */ + if (pop > 0) { + char *ser; + ser = vcard_serialize(v); + if (ser) { + CtdlWriteObject(USERCONFIGROOM, "text/x-vcard", + ser, strlen(ser)+1, &CC->user, 0, 0, 0 + ); + free(ser); + } + } + vcard_free(v); +} + + +/* + * Create a new user account, manually specifying the name, after successfully + * verifying an OpenID (which will of course be attached to the account) + */ +void cmd_oidc(char *argbuf) { + struct ctdl_openid *oiddata = (struct ctdl_openid *) CC->openid_data; + + if (!oiddata) { + cprintf("%d You have not verified an OpenID yet.\n", ERROR); + return; + } + + if (!oiddata->verified) { + cprintf("%d You have not verified an OpenID yet.\n", ERROR); + return; + } + + /* We can make the semantics of OIDC exactly the same as NEWU, simply + * by _calling_ cmd_newu() and letting it run. Very clever! + */ + cmd_newu(argbuf); + + /* Now, if this logged us in, we have to attach the OpenID */ + if (CC->logged_in) { + attach_openid(&CC->user, oiddata->claimed_id); + if (oiddata->sreg_keys != NULL) { + populate_vcard_from_sreg(oiddata->sreg_keys); + } + } + +} + + + + +/* + * Detach an OpenID from the currently logged in account + */ +void cmd_oidd(char *argbuf) { + struct cdbdata *cdboi; + char id_to_detach[1024]; + int this_is_mine = 0; + long usernum = 0L; + + if (CtdlAccessCheck(ac_logged_in)) return; + extract_token(id_to_detach, argbuf, 0, '|', sizeof id_to_detach); + if (IsEmptyStr(id_to_detach)) { + cprintf("%d An empty OpenID URL is not allowed.\n", ERROR + ILLEGAL_VALUE); + } + + cdb_rewind(CDB_OPENID); + while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) { + if (cdboi->len > sizeof(long)) { + memcpy(&usernum, cdboi->ptr, sizeof(long)); + if (usernum == CC->user.usernum) { + this_is_mine = 1; + } + } + cdb_free(cdboi); + } + + if (!this_is_mine) { + cprintf("%d That OpenID was not found or not associated with your account.\n", + ERROR + ILLEGAL_VALUE); + return; + } + + cdb_delete(CDB_OPENID, id_to_detach, strlen(id_to_detach)); + cprintf("%d %s detached from your account.\n", CIT_OK, id_to_detach); +} + + + +/* + * Attempt to auto-create a new Citadel account using the nickname from Simple Registration Extension + */ +int openid_create_user_via_sreg(char *claimed_id, HashList *sreg_keys) +{ + char *desired_name = NULL; + char new_password[32]; + + if (config.c_auth_mode != AUTHMODE_NATIVE) return(1); + if (config.c_disable_newu) return(2); + if (CC->logged_in) return(3); + if (!GetHash(sreg_keys, "sreg.nickname", 13, (void *) &desired_name)) return(4); + + CtdlLogPrintf(CTDL_DEBUG, "The desired account name is <%s>\n", desired_name); + + if (!getuser(&CC->user, desired_name)) { + CtdlLogPrintf(CTDL_DEBUG, "<%s> is already taken by another user.\n", desired_name); + memset(&CC->user, 0, sizeof(struct ctdluser)); + return(5); + } + + /* The desired account name is available. Create the account and log it in! */ + if (create_user(desired_name, 1)) return(6); + + snprintf(new_password, sizeof new_password, "%08lx%08lx", random(), random()); + CtdlSetPassword(new_password); + attach_openid(&CC->user, claimed_id); + populate_vcard_from_sreg(sreg_keys); + return(0); +} + + +/* + * If a user account exists which is associated with the Claimed ID, log it in and return zero. + * Otherwise it returns nonzero. + */ +int login_via_openid(char *claimed_id) +{ + struct cdbdata *cdboi; + long usernum = 0; + + cdboi = cdb_fetch(CDB_OPENID, claimed_id, strlen(claimed_id)); + if (cdboi == NULL) { + return(-1); + } + + memcpy(&usernum, cdboi->ptr, sizeof(long)); + cdb_free(cdboi); + + if (!getuserbynumber(&CC->user, usernum)) { + /* Now become the user we just created */ + safestrncpy(CC->curr_user, CC->user.fullname, sizeof CC->curr_user); + do_login(); + return(0); + } + else { + memset(&CC->user, 0, sizeof(struct ctdluser)); + return(-1); + } +} + + /**************************************************************************/ @@ -287,7 +596,12 @@ int fetch_http(char *url, char *target_buf, int maxbytes, int normalize_len) curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fh_callback); curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errmsg); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1); +#ifdef CURLOPT_HTTP_CONTENT_DECODING + curl_easy_setopt(curl, CURLOPT_HTTP_CONTENT_DECODING, 1); + curl_easy_setopt(curl, CURLOPT_ENCODING, ""); +#endif curl_easy_setopt(curl, CURLOPT_USERAGENT, CITADEL); + curl_easy_setopt(curl, CURLOPT_TIMEOUT, 180); /* die after 180 seconds */ if (!IsEmptyStr(config.c_ip_addr)) { curl_easy_setopt(curl, CURLOPT_INTERFACE, config.c_ip_addr); } @@ -315,16 +629,13 @@ void cmd_oids(char *argbuf) { struct CitContext *CCC = CC; /* CachedCitContext - performance boost */ struct ctdl_openid *oiddata; - /* commented out because we may be attempting to attach an OpenID to - * an existing account that is logged in - * - if (CCC->logged_in) { - cprintf("%d Already logged in.\n", ERROR + ALREADY_LOGGED_IN); - return; - } - */ + oiddata = (struct ctdl_openid *) CCC->openid_data; - if (CCC->openid_data != NULL) { + if (oiddata != NULL) { + if (oiddata->sreg_keys != NULL) { + DeleteHash(&oiddata->sreg_keys); + oiddata->sreg_keys = NULL; + } free(CCC->openid_data); } oiddata = malloc(sizeof(struct ctdl_openid)); @@ -338,7 +649,7 @@ void cmd_oids(char *argbuf) { extract_token(oiddata->claimed_id, argbuf, 0, '|', sizeof oiddata->claimed_id); extract_token(return_to, argbuf, 1, '|', sizeof return_to); extract_token(trust_root, argbuf, 2, '|', sizeof trust_root); - oiddata->validated = 0; + oiddata->verified = 0; i = fetch_http(oiddata->claimed_id, buf, sizeof buf - 1, sizeof oiddata->claimed_id); CtdlLogPrintf(CTDL_DEBUG, "Normalized URL and Claimed ID is: %s\n", oiddata->claimed_id); @@ -370,7 +681,7 @@ void cmd_oids(char *argbuf) { urlesc(escaped_return_to, sizeof escaped_return_to, return_to); urlesc(escaped_trust_root, sizeof escaped_trust_root, trust_root); urlesc(escaped_sreg_optional, sizeof escaped_sreg_optional, - "nickname,email,fullname,postcode,country"); + "nickname,email,fullname,postcode,country,dob,gender"); snprintf(redirect_string, sizeof redirect_string, "%s" @@ -395,12 +706,6 @@ void cmd_oids(char *argbuf) { -/* - * Callback function to free a pointer (used below in the hash list) - */ -void free_oid_key(void *ptr) { - free(ptr); -} /* @@ -411,7 +716,6 @@ void cmd_oidf(char *argbuf) { char thiskey[1024]; char thisdata[1024]; HashList *keys = NULL; - HashPos *HashPos; struct ctdl_openid *oiddata = (struct ctdl_openid *) CC->openid_data; keys = NewHash(1, NULL); @@ -426,7 +730,7 @@ void cmd_oidf(char *argbuf) { extract_token(thiskey, buf, 0, '|', sizeof thiskey); extract_token(thisdata, buf, 1, '|', sizeof thisdata); CtdlLogPrintf(CTDL_DEBUG, "%s: [%d] %s\n", thiskey, strlen(thisdata), thisdata); - Put(keys, thiskey, strlen(thiskey), strdup(thisdata), free_oid_key); + Put(keys, thiskey, strlen(thiskey), strdup(thisdata), generic_free_handler); } @@ -512,7 +816,12 @@ void cmd_oidf(char *argbuf) { curl_easy_setopt(curl, CURLOPT_HTTPPOST, formpost); curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errmsg); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1); +#ifdef CURLOPT_HTTP_CONTENT_DECODING + curl_easy_setopt(curl, CURLOPT_HTTP_CONTENT_DECODING, 1); + curl_easy_setopt(curl, CURLOPT_ENCODING, ""); +#endif curl_easy_setopt(curl, CURLOPT_USERAGENT, CITADEL); + curl_easy_setopt(curl, CURLOPT_TIMEOUT, 180); /* die after 180 seconds */ if (!IsEmptyStr(config.c_ip_addr)) { curl_easy_setopt(curl, CURLOPT_INTERFACE, config.c_ip_addr); } @@ -527,64 +836,92 @@ void cmd_oidf(char *argbuf) { valbuf[fh.total_bytes_received] = 0; if (bmstrcasestr(valbuf, "is_valid:true")) { - oiddata->validated = 1; + oiddata->verified = 1; } - CtdlLogPrintf(CTDL_DEBUG, "Authentication %s.\n", (oiddata->validated ? "succeeded" : "failed") ); + CtdlLogPrintf(CTDL_DEBUG, "Authentication %s.\n", (oiddata->verified ? "succeeded" : "failed") ); /* Respond to the client */ - if (oiddata->validated) { + if (oiddata->verified) { /* If we were already logged in, attach the OpenID to the user's account */ if (CC->logged_in) { if (attach_openid(&CC->user, oiddata->claimed_id) == 0) { cprintf("attach\n"); + CtdlLogPrintf(CTDL_DEBUG, "OpenID attach succeeded\n"); } else { cprintf("fail\n"); + CtdlLogPrintf(CTDL_DEBUG, "OpenID attach failed\n"); } } - /* Otherwise, a user is attempting to log in using the validated OpenID */ + /* Otherwise, a user is attempting to log in using the verified OpenID */ else { - cprintf("fail\n"); // FIXME do the login here!! - } + /* + * Existing user who has claimed this OpenID? + * + * Note: if you think that sending the password back over the wire is insecure, + * check your assumptions. If someone has successfully asserted an OpenID that + * is associated with the account, they already have password equivalency and can + * login, so they could just as easily change the password, etc. + */ + if (login_via_openid(oiddata->claimed_id) == 0) { + cprintf("authenticate\n%s\n%s\n", CC->user.fullname, CC->user.password); + logged_in_response(); + CtdlLogPrintf(CTDL_DEBUG, "Logged in using previously claimed OpenID\n"); + } + + /* + * If this system does not allow self-service new user registration, the + * remaining modes do not apply, so fail here and now. + */ + else if (config.c_disable_newu) { + cprintf("fail\n"); + CtdlLogPrintf(CTDL_DEBUG, "Creating user failed due to local policy\n"); + } + + /* + * New user whose OpenID is verified and Simple Registration Extension is in use? + */ + else if (openid_create_user_via_sreg(oiddata->claimed_id, keys) == 0) { + cprintf("authenticate\n%s\n%s\n", CC->user.fullname, CC->user.password); + logged_in_response(); + CtdlLogPrintf(CTDL_DEBUG, "Successfully auto-created new user\n"); + } + /* + * OpenID is verified, but the desired username either was not specified or + * conflicts with an existing user. Manual account creation is required. + */ + else { + char *desired_name = NULL; + cprintf("verify_only\n"); + cprintf("%s\n", oiddata->claimed_id); + if (GetHash(keys, "sreg.nickname", 13, (void *) &desired_name)) { + cprintf("%s\n", desired_name); + } + else { + cprintf("\n"); + } + CtdlLogPrintf(CTDL_DEBUG, "The desired Simple Registration name is already taken.\n"); + } + } } else { cprintf("fail\n"); } cprintf("000\n"); - /* Free the hash list */ - long len; - void *Value; - char *Key; - - HashPos = GetNewHashPos(); - while (GetNextHashPos(keys, HashPos, &len, &Key, &Value)!=0) - { - free(Value); + if (oiddata->sreg_keys != NULL) { + DeleteHash(&oiddata->sreg_keys); + oiddata->sreg_keys = NULL; } - DeleteHashPos(&HashPos); + oiddata->sreg_keys = keys; } -// mode = [6] id_res -// identity = [50] http://uncensored.citadel.org/~ajc/MyID.config.php -// assoc_handle = [26] 6ekac3ju181tgepk7v4h9r7ui7 -// return_to = [42] http://jemcaterers.net/finish_openid_login -// sreg.nickname = [17] IGnatius T Foobar -// sreg.email = [26] ajc@uncensored.citadel.org -// sreg.fullname = [10] Art Cancro -// sreg.postcode = [5] 10549 -// sreg.country = [2] US -// signed = [102] mode,identity,assoc_handle,return_to,sreg.nickname,sreg.email,sreg.fullname,sreg.postcode,sreg.country -// sig = [28] vixxxU4MAqWfxxxxCfrHv3TxxxhEw= - - - /**************************************************************************/ /* */ @@ -597,29 +934,37 @@ void cmd_oidf(char *argbuf) { * This cleanup function blows away the temporary memory used by this module. */ void openid_cleanup_function(void) { + struct ctdl_openid *oiddata = (struct ctdl_openid *) CC->openid_data; - if (CC->openid_data != NULL) { - free(CC->openid_data); + if (oiddata != NULL) { + CtdlLogPrintf(CTDL_DEBUG, "Clearing OpenID session state\n"); + if (oiddata->sreg_keys != NULL) { + DeleteHash(&oiddata->sreg_keys); + oiddata->sreg_keys = NULL; + } + free(oiddata); } } CTDL_MODULE_INIT(openid_rp) { - if (!threading) - { + if (!threading) { curl_global_init(CURL_GLOBAL_ALL); - CtdlRegisterProtoHook(cmd_oids, "OIDS", "Setup OpenID authentication"); - CtdlRegisterProtoHook(cmd_oidf, "OIDF", "Finalize OpenID authentication"); - CtdlRegisterProtoHook(cmd_oidl, "OIDL", "List OpenIDs associated with an account"); - CtdlRegisterSessionHook(openid_cleanup_function, EVT_STOP); + + /* Only enable the OpenID command set when native mode authentication is in use. */ + if (config.c_auth_mode == AUTHMODE_NATIVE) { + CtdlRegisterProtoHook(cmd_oids, "OIDS", "Setup OpenID authentication"); + CtdlRegisterProtoHook(cmd_oidf, "OIDF", "Finalize OpenID authentication"); + CtdlRegisterProtoHook(cmd_oidl, "OIDL", "List OpenIDs associated with an account"); + CtdlRegisterProtoHook(cmd_oidd, "OIDD", "Detach an OpenID from an account"); + CtdlRegisterProtoHook(cmd_oidc, "OIDC", "Create new user after validating OpenID"); + CtdlRegisterProtoHook(cmd_oida, "OIDA", "List all OpenIDs in the database"); + } + CtdlRegisterSessionHook(openid_cleanup_function, EVT_LOGOUT); CtdlRegisterUserHook(openid_purge, EVT_PURGEUSER); } /* return our Subversion id for the Log */ return "$Id$"; } - - -/* FIXME ... we have to add the new openid database to serv_vandelay.c */ -