/*
* This is an implementation of OpenID 2.0 relying party support in stateless mode.
*
- * Copyright (c) 2007-2015 by the citadel.org team
+ * Copyright (c) 2007-2020 by the citadel.org team
*
* This program is open source software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
struct CitContext *CCC = CC; /* CachedCitContext - performance boost */
if (CCC->openid_data != NULL) {
- syslog(LOG_DEBUG, "Clearing OpenID session state");
+ syslog(LOG_DEBUG, "openid: Clearing OpenID session state");
Free_ctdl_openid((ctdl_openid **) &CCC->openid_data);
}
}
/*
- * Attach an OpenID to a Citadel account
+ * Attach an external authenticator (such as an OpenID) to a Citadel account
*/
-int attach_openid(struct ctdluser *who, StrBuf *claimed_id)
+int attach_extauth(struct ctdluser *who, StrBuf *claimed_id)
{
struct cdbdata *cdboi;
long fetched_usernum;
if (!who) return(1);
if (StrLength(claimed_id)==0) return(1);
- /* Check to see if this OpenID is already in the database */
+ /* Check to see if this authenticator is already in the database */
- cdboi = cdb_fetch(CDB_OPENID, ChrPtr(claimed_id), StrLength(claimed_id));
+ cdboi = cdb_fetch(CDB_EXTAUTH, ChrPtr(claimed_id), StrLength(claimed_id));
if (cdboi != NULL) {
memcpy(&fetched_usernum, cdboi->ptr, sizeof(long));
cdb_free(cdboi);
if (fetched_usernum == who->usernum) {
- syslog(LOG_INFO, "%s already associated; no action is taken", ChrPtr(claimed_id));
+ syslog(LOG_INFO, "openid: %s already associated; no action is taken", ChrPtr(claimed_id));
return(0);
}
else {
- syslog(LOG_INFO, "%s already belongs to another user", ChrPtr(claimed_id));
+ syslog(LOG_INFO, "openid: %s already belongs to another user", ChrPtr(claimed_id));
return(3);
}
}
memcpy(data, &who->usernum, sizeof(long));
memcpy(&data[sizeof(long)], ChrPtr(claimed_id), StrLength(claimed_id) + 1);
- cdb_store(CDB_OPENID, ChrPtr(claimed_id), StrLength(claimed_id), data, data_len);
+ cdb_store(CDB_EXTAUTH, ChrPtr(claimed_id), StrLength(claimed_id), data, data_len);
free(data);
- snprintf(buf, sizeof buf, "User <%s> (#%ld) has claimed the OpenID URL %s\n",
- who->fullname, who->usernum, ChrPtr(claimed_id));
- CtdlAideMessage(buf, "OpenID claim");
- syslog(LOG_INFO, "%s", buf);
+ snprintf(buf, sizeof buf, "User <%s> (#%ld) is now associated with %s\n", who->fullname, who->usernum, ChrPtr(claimed_id));
+ CtdlAideMessage(buf, "External authenticator claim");
+ syslog(LOG_INFO, "openid: %s", buf);
return(0);
}
-
/*
* When a user is being deleted, we have to delete any OpenID associations
*/
-void openid_purge(struct ctdluser *usbuf) {
+void extauth_purge(struct ctdluser *usbuf) {
struct cdbdata *cdboi;
HashList *keys = NULL;
HashPos *HashPos;
keys = NewHash(1, NULL);
if (!keys) return;
- cdb_rewind(CDB_OPENID);
- while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) {
+ cdb_rewind(CDB_EXTAUTH);
+ while (cdboi = cdb_next_item(CDB_EXTAUTH), cdboi != NULL) {
if (cdboi->len > sizeof(long)) {
memcpy(&usernum, cdboi->ptr, sizeof(long));
if (usernum == usbuf->usernum) {
HashPos = GetNewHashPos(keys, 0);
while (GetNextHashPos(keys, HashPos, &len, &Key, &Value)!=0)
{
- syslog(LOG_DEBUG, "Deleting associated OpenID <%s>", (char*)Value);
- cdb_delete(CDB_OPENID, Value, strlen(Value));
+ syslog(LOG_DEBUG, "openid: deleting associated external authenticator <%s>", (char*)Value);
+ cdb_delete(CDB_EXTAUTH, Value, strlen(Value));
/* note: don't free(Value) -- deleting the hash list will handle this for us */
}
DeleteHashPos(&HashPos);
if (CtdlGetConfigInt("c_disable_newu"))
{
- cprintf("%d this system does not support openid.\n",
- ERROR + CMD_NOT_SUPPORTED);
+ cprintf("%d this system does not support openid.\n", ERROR + CMD_NOT_SUPPORTED);
return;
}
if (CtdlAccessCheck(ac_logged_in)) return;
- cdb_rewind(CDB_OPENID);
- cprintf("%d Associated OpenIDs:\n", LISTING_FOLLOWS);
+ cdb_rewind(CDB_EXTAUTH);
+ cprintf("%d Associated external authenticators:\n", LISTING_FOLLOWS);
- while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) {
+ while (cdboi = cdb_next_item(CDB_EXTAUTH), cdboi != NULL) {
if (cdboi->len > sizeof(long)) {
memcpy(&usernum, cdboi->ptr, sizeof(long));
if (usernum == CC->user.usernum) {
return;
}
if (CtdlAccessCheck(ac_aide)) return;
- cdb_rewind(CDB_OPENID);
+ cdb_rewind(CDB_EXTAUTH);
cprintf("%d List of all OpenIDs in the database:\n", LISTING_FOLLOWS);
- while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) {
+ while (cdboi = cdb_next_item(CDB_EXTAUTH), cdboi != NULL) {
if (cdboi->len > sizeof(long)) {
memcpy(&usernum, cdboi->ptr, sizeof(long));
if (CtdlGetUserByNumber(&usbuf, usernum) != 0) {
/* Now, if this logged us in, we have to attach the OpenID */
if (CC->logged_in) {
- attach_openid(&CC->user, oiddata->claimed_id);
+ attach_extauth(&CC->user, oiddata->claimed_id);
}
}
cprintf("%d An empty OpenID URL is not allowed.\n", ERROR + ILLEGAL_VALUE);
}
- cdb_rewind(CDB_OPENID);
- while (cdboi = cdb_next_item(CDB_OPENID), cdboi != NULL) {
+ cdb_rewind(CDB_EXTAUTH);
+ while (cdboi = cdb_next_item(CDB_EXTAUTH), cdboi != NULL) {
if (cdboi->len > sizeof(long)) {
memcpy(&usernum, cdboi->ptr, sizeof(long));
if (usernum == CC->user.usernum) {
return;
}
- cdb_delete(CDB_OPENID, id_to_detach, strlen(id_to_detach));
+ cdb_delete(CDB_EXTAUTH, id_to_detach, strlen(id_to_detach));
cprintf("%d %s detached from your account.\n", CIT_OK, id_to_detach);
}
HashPos *HashPos = GetNewHashPos(sreg_keys, 0);
while (GetNextHashPos(sreg_keys, HashPos, &len, &Key, &Value) != 0) {
- syslog(LOG_DEBUG, "%s = %s", Key, (char *)Value);
+ syslog(LOG_DEBUG, "openid: %s = %s", Key, (char *)Value);
if (cbmstrcasestr(Key, "value.nickname") != NULL) {
nickname = (char *)Value;
if (nickname == NULL) {
return(4);
}
- syslog(LOG_DEBUG, "The desired account name is <%s>", nickname);
+ syslog(LOG_DEBUG, "openid: the desired account name is <%s>", nickname);
- len = cutuserkey(nickname);
if (!CtdlGetUser(&CC->user, nickname)) {
- syslog(LOG_DEBUG, "<%s> is already taken by another user.", nickname);
+ syslog(LOG_DEBUG, "openid: <%s> is already taken by another user.", nickname);
memset(&CC->user, 0, sizeof(struct ctdluser));
return(5);
}
/* The desired account name is available. Create the account and log it in! */
- if (create_user(nickname, len, 1)) return(6);
+ if (create_user(nickname, CREATE_USER_BECOME_USER, NATIVE_AUTH_UID)) return(6);
/* Generate a random password.
* The user doesn't care what the password is since he is using OpenID.
CtdlSetPassword(new_password);
/* Now attach the verified OpenID to this account. */
- attach_openid(&CC->user, claimed_id);
+ attach_extauth(&CC->user, claimed_id);
return(0);
}
* If a user account exists which is associated with the Claimed ID, log it in and return zero.
* Otherwise it returns nonzero.
*/
-int login_via_openid(StrBuf *claimed_id)
+int login_via_extauth(StrBuf *claimed_id)
{
struct cdbdata *cdboi;
long usernum = 0;
- cdboi = cdb_fetch(CDB_OPENID, ChrPtr(claimed_id), StrLength(claimed_id));
+ cdboi = cdb_fetch(CDB_EXTAUTH, ChrPtr(claimed_id), StrLength(claimed_id));
if (cdboi == NULL) {
return(-1);
}
XML_ParserFree(xp);
}
else {
- syslog(LOG_ALERT, "Cannot create XML parser");
+ syslog(LOG_ERR, "openid: cannot create XML parser");
}
if (xrds.selected_service_priority < INT_MAX) {
StrBuf *x_xrds_location = NULL;
if (!SuppliedURL) return(0);
- syslog(LOG_DEBUG, "perform_openid2_discovery(%s)", ChrPtr(SuppliedURL));
+ syslog(LOG_DEBUG, "openid: perform_openid2_discovery(%s)", ChrPtr(SuppliedURL));
if (StrLength(SuppliedURL) == 0) return(0);
ReplyBuf = NewStrBuf();
result = curl_easy_perform(curl);
if (result) {
- syslog(LOG_DEBUG, "libcurl error %d: %s", result, errmsg);
+ syslog(LOG_DEBUG, "openid: libcurl error %d: %s", result, errmsg);
}
curl_slist_free_all(my_headers);
curl_easy_cleanup(curl);
if ( (x_xrds_location)
&& (strcmp(ChrPtr(x_xrds_location), ChrPtr(SuppliedURL)))
) {
- syslog(LOG_DEBUG, "X-XRDS-Location: %s ... recursing!", ChrPtr(x_xrds_location));
+ syslog(LOG_DEBUG, "openid: X-XRDS-Location: %s ... recursing!", ChrPtr(x_xrds_location));
return_value = perform_openid2_discovery(x_xrds_location);
FreeStrBuf(&x_xrds_location);
}
CCC->openid_data = oiddata = malloc(sizeof(ctdl_openid));
if (oiddata == NULL) {
- syslog(LOG_ALERT, "malloc() failed: %s", strerror(errno));
+ syslog(LOG_ERR, "openid: malloc() failed: %m");
cprintf("%d malloc failed\n", ERROR + INTERNAL_ERROR);
return;
}
StrBufExtract_NextToken(oiddata->claimed_id, ArgBuf, &Pos, '|');
StrBufExtract_NextToken(return_to, ArgBuf, &Pos, '|');
- syslog(LOG_DEBUG, "User-Supplied Identifier is: %s", ChrPtr(oiddata->claimed_id));
+ syslog(LOG_DEBUG, "openid: user-Supplied Identifier is: %s", ChrPtr(oiddata->claimed_id));
/********** OpenID 2.0 section 7.3 - Discovery **********/
/*
* If we get to this point we are in possession of a valid OpenID Provider URL.
*/
- syslog(LOG_DEBUG, "OP URI '%s' discovered using method %d",
+ syslog(LOG_DEBUG, "openid: OP URI '%s' discovered using method %d",
ChrPtr(oiddata->op_url),
discovery_succeeded
);
StrBufAppendBufPlain(RedirectUrl, HKEY("&openid.ax.type.nickname="), 0);
StrBufUrlescAppend(RedirectUrl, NULL, "http://axschema.org/namePerson/nickname");
- syslog(LOG_DEBUG, "OpenID: redirecting client to %s", ChrPtr(RedirectUrl));
+ syslog(LOG_DEBUG, "openid: redirecting client to %s", ChrPtr(RedirectUrl));
cprintf("%d %s\n", CIT_OK, ChrPtr(RedirectUrl));
}
if ( (!GetHash(keys, "ns", 2, (void *) &openid_ns))
|| (strcasecmp(openid_ns, "http://specs.openid.net/auth/2.0"))
) {
- syslog(LOG_DEBUG, "This is not an an OpenID assertion");
+ syslog(LOG_DEBUG, "openid: this is not an an OpenID assertion");
oiddata->verified = 0;
}
if (GetHash(keys, "claimed_id", 10, (void *) &openid_claimed_id)) {
FreeStrBuf(&oiddata->claimed_id);
oiddata->claimed_id = NewStrBufPlain(openid_claimed_id, -1);
- syslog(LOG_DEBUG, "Provider is asserting the Claimed ID '%s'", ChrPtr(oiddata->claimed_id));
+ syslog(LOG_DEBUG, "openid: provider is asserting the Claimed ID '%s'", ChrPtr(oiddata->claimed_id));
}
/* Validate the assertion against the server */
- syslog(LOG_DEBUG, "Validating...");
+ syslog(LOG_DEBUG, "openid: validating...");
CURL *curl;
CURLcode res;
res = curl_easy_perform(curl);
if (res) {
- syslog(LOG_DEBUG, "cmd_oidf() libcurl error %d: %s", res, errmsg);
+ syslog(LOG_DEBUG, "openid: cmd_oidf() libcurl error %d: %s", res, errmsg);
oiddata->verified = 0;
}
curl_easy_cleanup(curl);
curl_formfree(formpost);
- /* syslog(LOG_DEBUG, "Validation reply: \n%s", ChrPtr(ReplyBuf)); */
if (cbmstrcasestr(ChrPtr(ReplyBuf), "is_valid:true") == NULL) {
oiddata->verified = 0;
}
FreeStrBuf(&ReplyBuf);
- syslog(LOG_DEBUG, "OpenID authentication %s", (oiddata->verified ? "succeeded" : "failed") );
+ syslog(LOG_DEBUG, "openid: authentication %s", (oiddata->verified ? "succeeded" : "failed") );
/* Respond to the client */
/* If we were already logged in, attach the OpenID to the user's account */
if (CC->logged_in) {
- if (attach_openid(&CC->user, oiddata->claimed_id) == 0) {
+ if (attach_extauth(&CC->user, oiddata->claimed_id) == 0) {
cprintf("attach\n");
- syslog(LOG_DEBUG, "OpenID attach succeeded");
+ syslog(LOG_DEBUG, "openid: attach succeeded");
}
else {
cprintf("fail\n");
- syslog(LOG_DEBUG, "OpenID attach failed");
+ syslog(LOG_DEBUG, "openid: attach failed");
}
}
* is associated with the account, they already have password equivalency and can
* login, so they could just as easily change the password, etc.
*/
- if (login_via_openid(oiddata->claimed_id) == 0) {
+ if (login_via_extauth(oiddata->claimed_id) == 0) {
cprintf("authenticate\n%s\n%s\n", CC->user.fullname, CC->user.password);
logged_in_response();
- syslog(LOG_DEBUG, "Logged in using previously claimed OpenID");
+ syslog(LOG_DEBUG, "openid: logged in using previously claimed OpenID");
}
/*
*/
else if (CtdlGetConfigInt("c_disable_newu")) {
cprintf("fail\n");
- syslog(LOG_DEBUG, "Creating user failed due to local policy");
+ syslog(LOG_DEBUG, "openid: creating user failed due to local policy");
}
/*
else if (openid_create_user_via_ax(oiddata->claimed_id, keys) == 0) {
cprintf("authenticate\n%s\n%s\n", CC->user.fullname, CC->user.password);
logged_in_response();
- syslog(LOG_DEBUG, "Successfully auto-created new user");
+ syslog(LOG_DEBUG, "openid: successfully auto-created new user");
}
/*
else {
cprintf("\n");
}
- syslog(LOG_DEBUG, "The desired display name is already taken.");
+ syslog(LOG_DEBUG, "openid: the desired display name is already taken.");
}
}
}
CTDL_MODULE_INIT(openid_rp)
{
if (!threading) {
-// evcurl call this for us. curl_global_init(CURL_GLOBAL_ALL);
/* Only enable the OpenID command set when native mode authentication is in use. */
if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_NATIVE) {
CtdlRegisterProtoHook(cmd_oida, "OIDA", "List all OpenIDs in the database");
}
CtdlRegisterSessionHook(openid_cleanup_function, EVT_LOGOUT, PRIO_LOGOUT + 10);
- CtdlRegisterUserHook(openid_purge, EVT_PURGEUSER);
+ CtdlRegisterUserHook(extauth_purge, EVT_PURGEUSER);
openid_level_supported = 1; /* This module supports OpenID 1.0 only */
}