whitespace- switching to sweet-sweet tabs

Jonathan Daggerhart 10 years ago
parent 782e674def
commit 0ddb501a55

@ -18,7 +18,7 @@ class OpenID_Connect_Generic_Settings {
/** /**
* @param $settings * @param $settings
*/ */
function __construct( $settings ){ function __construct( $settings ) {
$this->settings = $settings; $this->settings = $settings;
$this->settings_field_group = OPENID_CONNECT_GENERIC_SETTINGS_NAME . '-group'; $this->settings_field_group = OPENID_CONNECT_GENERIC_SETTINGS_NAME . '-group';
@ -39,90 +39,90 @@ class OpenID_Connect_Generic_Settings {
*/ */
$fields = array( $fields = array(
'login_type' => array( 'login_type' => array(
'title' => __('Login Type'), 'title' => __( 'Login Type' ),
'description' => __('Select how the client (login form) should provide login options.'), 'description' => __( 'Select how the client (login form) should provide login options.' ),
'type' => 'select', 'type' => 'select',
'options' => array( 'options' => array(
'button' => __('OpenID Connect button on login form'), 'button' => __( 'OpenID Connect button on login form' ),
'auto' => __('Auto Login - SSO'), 'auto' => __( 'Auto Login - SSO' ),
), ),
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'ep_login' => array( 'ep_login' => array(
'title' => __('Login Endpoint URL'), 'title' => __( 'Login Endpoint URL' ),
'description' => __('Identify provider authorization endpoint.'), 'description' => __( 'Identify provider authorization endpoint.' ),
'example' => 'https://example.com/oauth2/authorize', 'example' => 'https://example.com/oauth2/authorize',
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'ep_token' => array( 'ep_token' => array(
'title' => __('Token Validation Endpoint URL'), 'title' => __( 'Token Validation Endpoint URL' ),
'description' => __('Identify provider token endpoint.'), 'description' => __( 'Identify provider token endpoint.' ),
'example' => 'https://example.com/oauth2/token', 'example' => 'https://example.com/oauth2/token',
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'ep_userinfo' => array( 'ep_userinfo' => array(
'title' => __('Userinfo Endpoint URL'), 'title' => __( 'Userinfo Endpoint URL' ),
'description' => __('Identify provider User information endpoint.'), 'description' => __( 'Identify provider User information endpoint.' ),
'example' => 'https://example.com/oauth2/UserInfo', 'example' => 'https://example.com/oauth2/UserInfo',
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'no_sslverify' => array( 'no_sslverify' => array(
'title' => __('Disable SSL Verify'), 'title' => __( 'Disable SSL Verify' ),
'description' => __('Do not require SSL verification during authorization. The OAuth extension uses curl to make the request. By default CURL will generally verify the SSL certificate to see if its valid an issued by an accepted CA. This setting disabled that verification.'), 'description' => __( 'Do not require SSL verification during authorization. The OAuth extension uses curl to make the request. By default CURL will generally verify the SSL certificate to see if its valid an issued by an accepted CA. This setting disabled that verification.' ),
'type' => 'checkbox', 'type' => 'checkbox',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'client_id' => array( 'client_id' => array(
'title' => __('Client ID'), 'title' => __( 'Client ID' ),
'description' => __('The ID this client will be recognized as when connecting the to Identity provider server.'), 'description' => __( 'The ID this client will be recognized as when connecting the to Identity provider server.' ),
'example' => 'my-wordpress-client-id', 'example' => 'my-wordpress-client-id',
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'client_secret' => array( 'client_secret' => array(
'title' => __('Client Secret Key'), 'title' => __( 'Client Secret Key' ),
'description' => __('Arbitrary secret key the server expects from this client. Can be anything, but should be very unique.'), 'description' => __( 'Arbitrary secret key the server expects from this client. Can be anything, but should be very unique.' ),
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'scope' => array( 'scope' => array(
'title' => __('OpenID Scope'), 'title' => __( 'OpenID Scope' ),
'description' => __('Space separated list of scopes this client should access.'), 'description' => __( 'Space separated list of scopes this client should access.' ),
'example' => 'email profile openid', 'example' => 'email profile openid',
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'identity_key' => array( 'identity_key' => array(
'title' => __('Identity Key'), 'title' => __( 'Identity Key' ),
'description' => __('Where in the response array to find the identification data. When in doubt, use "sub".'), 'description' => __( 'Where in the response array to find the identification data. When in doubt, use "sub".' ),
'example' => 'sub', 'example' => 'sub',
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'allowed_regex' => array( 'allowed_regex' => array(
'title' => __('Authorization Regex'), 'title' => __( 'Authorization Regex' ),
'description' => __('Provide a regular expression that enforces your expectations concerning the identity value returned from the IDP.'), 'description' => __( 'Provide a regular expression that enforces your expectations concerning the identity value returned from the IDP.' ),
'type' => 'text', 'type' => 'text',
'section' => 'authorization_settings', 'section' => 'authorization_settings',
), ),
'enforce_privacy' => array( 'enforce_privacy' => array(
'title' => __('Enforce Privacy'), 'title' => __( 'Enforce Privacy' ),
'description' => __('Require users be logged in to see the site.'), 'description' => __( 'Require users be logged in to see the site.' ),
'type' => 'checkbox', 'type' => 'checkbox',
'section' => 'authorization_settings', 'section' => 'authorization_settings',
), ),
'enable_logging' => array( 'enable_logging' => array(
'title' => __('Enable Logging'), 'title' => __( 'Enable Logging' ),
'description' => __('Very simple log messages for debugging purposes.'), 'description' => __( 'Very simple log messages for debugging purposes.' ),
'type' => 'checkbox', 'type' => 'checkbox',
'section' => 'log_settings', 'section' => 'log_settings',
), ),
'log_limit' => array( 'log_limit' => array(
'title' => __('Log Limit'), 'title' => __( 'Log Limit' ),
'description' => __('Number of items to keep in the log. These logs are stored as an option in the database, so space is limited.'), 'description' => __( 'Number of items to keep in the log. These logs are stored as an option in the database, so space is limited.' ),
'type' => 'number', 'type' => 'number',
'section' => 'log_settings', 'section' => 'log_settings',
), ),
@ -146,33 +146,36 @@ class OpenID_Connect_Generic_Settings {
*/ */
public function admin_menu() { public function admin_menu() {
add_options_page( add_options_page(
__('OpenID Connect - Generic Client'), __( 'OpenID Connect - Generic Client' ),
__('OpenID Connect Client'), __( 'OpenID Connect Client' ),
'manage_options', 'manage_options',
$this->options_page_name, $this->options_page_name,
array( $this, 'settings_page') ); array( $this, 'settings_page' ) );
} }
/** /**
* Implements hook admin_init to register our settings * Implements hook admin_init to register our settings
*/ */
public function admin_init() { public function admin_init() {
register_setting( $this->settings_field_group, OPENID_CONNECT_GENERIC_SETTINGS_NAME, array( $this, 'sanitize_settings' ) ); register_setting( $this->settings_field_group, OPENID_CONNECT_GENERIC_SETTINGS_NAME, array(
$this,
'sanitize_settings'
) );
add_settings_section( 'client_settings', add_settings_section( 'client_settings',
__('Client Settings'), __( 'Client Settings' ),
array( $this, 'client_settings_description' ), array( $this, 'client_settings_description' ),
$this->options_page_name $this->options_page_name
); );
add_settings_section( 'authorization_settings', add_settings_section( 'authorization_settings',
__('Authorization Settings'), __( 'Authorization Settings' ),
array( $this, 'authorization_settings_description' ), array( $this, 'authorization_settings_description' ),
$this->options_page_name $this->options_page_name
); );
add_settings_section( 'log_settings', add_settings_section( 'log_settings',
__('Log Settings'), __( 'Log Settings' ),
array( $this, 'log_settings_description' ), array( $this, 'log_settings_description' ),
$this->options_page_name $this->options_page_name
); );
@ -180,8 +183,8 @@ class OpenID_Connect_Generic_Settings {
// preprocess fields and add them to the page // preprocess fields and add them to the page
foreach ( $this->settings_fields as $key => $field ) { foreach ( $this->settings_fields as $key => $field ) {
// make sure each key exists in the settings array // make sure each key exists in the settings array
if ( ! isset( $this->settings[ $key ] ) ){ if ( ! isset( $this->settings[ $key ] ) ) {
$this->settings[ $key ] = null; $this->settings[ $key ] = NULL;
} }
// determine appropriate output callback // determine appropriate output callback
@ -214,6 +217,7 @@ class OpenID_Connect_Generic_Settings {
* Sanitization callback for settings/option page * Sanitization callback for settings/option page
* *
* @param $input - submitted settings values * @param $input - submitted settings values
*
* @return array * @return array
*/ */
public function sanitize_settings( $input ) { public function sanitize_settings( $input ) {
@ -221,7 +225,7 @@ class OpenID_Connect_Generic_Settings {
// loop through settings fields to control what we're saving // loop through settings fields to control what we're saving
foreach ( $this->settings_fields as $key => $field ) { foreach ( $this->settings_fields as $key => $field ) {
if ( isset( $input[ $key ] ) ){ if ( isset( $input[ $key ] ) ) {
$options[ $key ] = sanitize_text_field( trim( $input[ $key ] ) ); $options[ $key ] = sanitize_text_field( trim( $input[ $key ] ) );
} }
else { else {
@ -239,6 +243,7 @@ class OpenID_Connect_Generic_Settings {
?> ?>
<div class="wrap"> <div class="wrap">
<h2><?php print esc_html( get_admin_page_title() ); ?></h2> <h2><?php print esc_html( get_admin_page_title() ); ?></h2>
<form method="post" action="options.php"> <form method="post" action="options.php">
<?php <?php
settings_fields( $this->settings_field_group ); settings_fields( $this->settings_field_group );
@ -247,17 +252,19 @@ class OpenID_Connect_Generic_Settings {
?> ?>
</form> </form>
<h4><?php _e('Notes'); ?></h4> <h4><?php _e( 'Notes' ); ?></h4>
<p class="description"> <p class="description">
<strong><?php _e('Redirect URI'); ?></strong> <code><?php print admin_url( 'admin-ajax.php?action=openid-connect-authorize' ); ?></code> <strong><?php _e( 'Redirect URI' ); ?></strong>
<code><?php print admin_url( 'admin-ajax.php?action=openid-connect-authorize' ); ?></code>
</p> </p>
<?php <?php
$logs = get_option( 'openid_connect_generic_logs', array() ); $logs = get_option( 'openid_connect_generic_logs', array() );
if ( !empty( $logs ) ) { if ( ! empty( $logs ) ) {
?> ?>
<h4><?php _e('Logs'); ?></h4> <h4><?php _e( 'Logs' ); ?></h4>
<table class="wp-list-table widefat fixed striped posts"> <table class="wp-list-table widefat fixed striped posts">
<thead> <thead>
<th>Type</th> <th>Type</th>
@ -266,7 +273,7 @@ class OpenID_Connect_Generic_Settings {
<th style="width: 65%;">Data</th> <th style="width: 65%;">Data</th>
</thead> </thead>
<tbody> <tbody>
<?php foreach( $logs as $log ){ ?> <?php foreach ( $logs as $log ) { ?>
<tr> <tr>
<td><?php print $log['type']; ?></td> <td><?php print $log['type']; ?></td>
<td><?php print date( 'Y-m-d H:i:s', $log['time'] ); ?></td> <td><?php print date( 'Y-m-d H:i:s', $log['time'] ); ?></td>
@ -312,7 +319,7 @@ class OpenID_Connect_Generic_Settings {
id="<?php print esc_attr( $field['key'] ); ?>" id="<?php print esc_attr( $field['key'] ); ?>"
name="<?php print esc_attr( $field['name'] ); ?>" name="<?php print esc_attr( $field['name'] ); ?>"
value="1" value="1"
<?php checked( $this->settings[ $field['key'] ] , 1 ); ?>> <?php checked( $this->settings[ $field['key'] ], 1 ); ?>>
<?php <?php
$this->do_field_description( $field ); $this->do_field_description( $field );
} }
@ -321,7 +328,7 @@ class OpenID_Connect_Generic_Settings {
* @param $field * @param $field
*/ */
function do_select( $field ) { function do_select( $field ) {
$current_value = ( $this->settings[ $field['key'] ] ? $this->settings[ $field['key'] ] : ''); $current_value = ( $this->settings[ $field['key'] ] ? $this->settings[ $field['key'] ] : '' );
?> ?>
<select name="<?php print esc_attr( $field['name'] ); ?>"> <select name="<?php print esc_attr( $field['name'] ); ?>">
<?php foreach ( $field['options'] as $value => $text ): ?> <?php foreach ( $field['options'] as $value => $text ): ?>
@ -337,27 +344,28 @@ class OpenID_Connect_Generic_Settings {
* *
* @param $field * @param $field
*/ */
public function do_field_description( $field ){ public function do_field_description( $field ) {
?> ?>
<p class="description"> <p class="description">
<?php print $field['description']; ?> <?php print $field['description']; ?>
<?php if ( isset( $field['example'] ) ) : ?> <?php if ( isset( $field['example'] ) ) : ?>
<br /><strong><?php _e( 'Example' ); ?>: </strong><code><?php print $field['example']; ?></code> <br/><strong><?php _e( 'Example' ); ?>: </strong>
<code><?php print $field['example']; ?></code>
<?php endif; ?> <?php endif; ?>
</p> </p>
<?php <?php
} }
public function client_settings_description() { public function client_settings_description() {
_e('Enter your OpenID Connect identity provider settings'); _e( 'Enter your OpenID Connect identity provider settings' );
} }
public function authorization_settings_description() { public function authorization_settings_description() {
_e('Control the authorization mechanics of the site'); _e( 'Control the authorization mechanics of the site' );
} }
public function log_settings_description() { public function log_settings_description() {
_e('Log information about login attempts through OpenID Connect Generic'); _e( 'Log information about login attempts through OpenID Connect Generic' );
} }
} }

@ -62,28 +62,28 @@ class OpenID_Connect_Generic {
private $redirect_uri; private $redirect_uri;
private $logs = null; private $logs = NULL;
/** /**
* Initialize the plugin * Initialize the plugin
*/ */
function __construct(){ function __construct() {
add_action( 'init', array( $this, 'init' ) ); add_action( 'init', array( $this, 'init' ) );
$this->redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' ); $this->redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
// translatable errors // translatable errors
$this->errors = array( $this->errors = array(
1 => __('Cannot get authentication response'), 1 => __( 'Cannot get authentication response' ),
2 => __('Cannot get token response'), 2 => __( 'Cannot get token response' ),
3 => __('Cannot get user claims'), 3 => __( 'Cannot get user claims' ),
4 => __('Cannot get valid token'), 4 => __( 'Cannot get valid token' ),
5 => __('Cannot get user key'), 5 => __( 'Cannot get user key' ),
6 => __('Cannot create authorized user'), 6 => __( 'Cannot create authorized user' ),
7 => __('User not found'), 7 => __( 'User not found' ),
8 => __('You do not have access to this site'), 8 => __( 'You do not have access to this site' ),
9 => __('Cannot get authorization to join this site'), 9 => __( 'Cannot get authorization to join this site' ),
99 => __('Unknown error') 99 => __( 'Unknown error' )
); );
} }
@ -94,18 +94,19 @@ class OpenID_Connect_Generic {
* @return array * @return array
*/ */
public function get_settings() { public function get_settings() {
if ( ! empty( $this->settings ) ){ if ( ! empty( $this->settings ) ) {
return $this->settings; return $this->settings;
} }
$this->settings = wp_parse_args( get_option( OPENID_CONNECT_GENERIC_SETTINGS_NAME, array() ), $this->default_settings ); $this->settings = wp_parse_args( get_option( OPENID_CONNECT_GENERIC_SETTINGS_NAME, array() ), $this->default_settings );
return $this->settings; return $this->settings;
} }
/** /**
* Retrieve all log messages * Retrieve all log messages
*/ */
public function get_logs(){ public function get_logs() {
if ( is_null( $this->logs ) ) { if ( is_null( $this->logs ) ) {
$this->logs = get_option( 'openid_connect_generic_logs', array() ); $this->logs = get_option( 'openid_connect_generic_logs', array() );
} }
@ -116,7 +117,7 @@ class OpenID_Connect_Generic {
/** /**
* *
*/ */
public function log( $data, $type = 'error' ){ public function log( $data, $type = 'error' ) {
if ( (bool) $this->settings['enable_logging'] ) { if ( (bool) $this->settings['enable_logging'] ) {
$this->add_log_message( $data, $type ); $this->add_log_message( $data, $type );
} }
@ -128,7 +129,7 @@ class OpenID_Connect_Generic {
* @param $data array - extra data about the message * @param $data array - extra data about the message
* @param $type string - simple message type string, defaults to error * @param $type string - simple message type string, defaults to error
*/ */
public function add_log_message( $data = array(), $type = 'error' ){ public function add_log_message( $data = array(), $type = 'error' ) {
// construct our message // construct our message
$message = array( $message = array(
'type' => $type, 'type' => $type,
@ -146,19 +147,19 @@ class OpenID_Connect_Generic {
while ( $items_to_remove > 0 ) { while ( $items_to_remove > 0 ) {
array_shift( $logs ); array_shift( $logs );
$items_to_remove--; $items_to_remove --;
} }
// save our logs // save our logs
$this->logs = $logs; $this->logs = $logs;
update_option( 'openid_connect_generic_logs', $logs, false ); update_option( 'openid_connect_generic_logs', $logs, FALSE );
} }
/** /**
* Implements hook init * Implements hook init
* - hook plugin into WP as needed * - hook plugin into WP as needed
*/ */
public function init(){ public function init() {
// check the user's status based on plugin settings // check the user's status based on plugin settings
$this->check_user_status(); $this->check_user_status();
@ -172,14 +173,23 @@ class OpenID_Connect_Generic {
add_filter( 'login_message', array( $this, 'login_message' ), 99 ); add_filter( 'login_message', array( $this, 'login_message' ), 99 );
// alter the requests according to settings // alter the requests according to settings
add_filter( 'openid-connect-generic-alter-request', array( $this, 'alter_request' ), 10, 3 ); add_filter( 'openid-connect-generic-alter-request', array(
$this,
'alter_request'
), 10, 3 );
// administration yo! // administration yo!
if ( is_admin() ) { if ( is_admin() ) {
// use the ajax url to handle processing authorization without any html output // use the ajax url to handle processing authorization without any html output
// this callback will occur when then IDP returns with an authenticated value // this callback will occur when then IDP returns with an authenticated value
add_action( 'wp_ajax_openid-connect-authorize', array( $this, 'auth_callback' ) ); add_action( 'wp_ajax_openid-connect-authorize', array(
add_action( 'wp_ajax_nopriv_openid-connect-authorize', array( $this, 'auth_callback' ) ); $this,
'auth_callback'
) );
add_action( 'wp_ajax_nopriv_openid-connect-authorize', array(
$this,
'auth_callback'
) );
// initialize the settings page // initialize the settings page
require_once OPENID_CONNECT_GENERIC_DIR . '/admin/openid-connect-generic-settings.php'; require_once OPENID_CONNECT_GENERIC_DIR . '/admin/openid-connect-generic-settings.php';
@ -190,17 +200,16 @@ class OpenID_Connect_Generic {
/** /**
* Validate the user's status based on plugin settings * Validate the user's status based on plugin settings
*/ */
function check_user_status(){ function check_user_status() {
$settings = $this->get_settings(); $settings = $this->get_settings();
// check if privacy enforcement is enabled // check if privacy enforcement is enabled
if ( $settings['enforce_privacy'] && if ( $settings['enforce_privacy'] &&
! is_user_logged_in() && ! is_user_logged_in() &&
// avoid redirects on cron or ajax // avoid redirects on cron or ajax
( ! defined( 'DOING_AJAX') || ! DOING_AJAX ) && ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) &&
( ! defined( 'DOING_CRON' ) || ! DOING_CRON ) ( ! defined( 'DOING_CRON' ) || ! DOING_CRON )
) ) {
{
global $pagenow; global $pagenow;
// avoid redirect loop // avoid redirect loop
@ -219,8 +228,8 @@ class OpenID_Connect_Generic {
/** /**
* Check the user's cookie * Check the user's cookie
*/ */
function check_user_token(){ function check_user_token() {
$is_openid_connect_user = get_user_meta( wp_get_current_user()->ID, 'openid-connect-generic-user', true ); $is_openid_connect_user = get_user_meta( wp_get_current_user()->ID, 'openid-connect-generic-user', TRUE );
if ( is_user_logged_in() && ! empty( $is_openid_connect_user ) && ! isset( $_COOKIE[ $this->cookie_id_key ] ) ) { if ( is_user_logged_in() && ! empty( $is_openid_connect_user ) && ! isset( $_COOKIE[ $this->cookie_id_key ] ) ) {
wp_logout(); wp_logout();
@ -233,7 +242,7 @@ class OpenID_Connect_Generic {
* Control the authentication and subsequent authorization of the user when * Control the authentication and subsequent authorization of the user when
* returning from the IDP. * returning from the IDP.
*/ */
function auth_callback(){ function auth_callback() {
$settings = $this->get_settings(); $settings = $this->get_settings();
// look for an existing error of some kind // look for an existing error of some kind
@ -242,7 +251,7 @@ class OpenID_Connect_Generic {
} }
// make sure we have a legitimate authentication code and valid state // make sure we have a legitimate authentication code and valid state
if ( !isset( $_GET['code'] ) || !isset( $_GET['state'] ) || !$this->check_state( $_GET['state'] ) ) { if ( ! isset( $_GET['code'] ) || ! isset( $_GET['state'] ) || ! $this->check_state( $_GET['state'] ) ) {
$this->error( 1 ); $this->error( 1 );
} }
@ -251,18 +260,18 @@ class OpenID_Connect_Generic {
$token_result = $this->request_authentication_token( $_GET['code'] ); $token_result = $this->request_authentication_token( $_GET['code'] );
// ensure the token is not an error generated by wp // ensure the token is not an error generated by wp
if ( is_wp_error( $token_result ) ){ if ( is_wp_error( $token_result ) ) {
$this->error( 2, $token_result ); $this->error( 2, $token_result );
} }
// extract token response from token // extract token response from token
$token_response = json_decode( $token_result['body'], true ); $token_response = json_decode( $token_result['body'], TRUE );
// we need to ensure 3 specific items exist with the token response in order // we need to ensure 3 specific items exist with the token response in order
// to proceed with confidence: id_token, access_token, and token_type == 'Bearer' // to proceed with confidence: id_token, access_token, and token_type == 'Bearer'
if ( ! isset( $token_response['id_token'] ) || ! isset( $token_response['access_token'] ) || if ( ! isset( $token_response['id_token'] ) || ! isset( $token_response['access_token'] ) ||
! isset( $token_response['token_type'] ) || $token_response['token_type'] !== 'Bearer' ) ! isset( $token_response['token_type'] ) || $token_response['token_type'] !== 'Bearer'
{ ) {
$this->error( 4 ); $this->error( 4 );
} }
@ -274,10 +283,10 @@ class OpenID_Connect_Generic {
// e.g. for the userinfo endpoint // e.g. for the userinfo endpoint
// break apart the id_token int eh response for decoding // break apart the id_token int eh response for decoding
$tmp = explode('.', $token_response['id_token'] ); $tmp = explode( '.', $token_response['id_token'] );
// Extract the id_token's claims from the token // Extract the id_token's claims from the token
$id_token_claim = json_decode( base64_decode( $tmp[1] ), true ); $id_token_claim = json_decode( base64_decode( $tmp[1] ), TRUE );
// make sure we can find our identification data and that it has a value // make sure we can find our identification data and that it has a value
if ( ! isset( $id_token_claim[ $settings['identity_key'] ] ) || empty( $id_token_claim[ $settings['identity_key'] ] ) ) { if ( ! isset( $id_token_claim[ $settings['identity_key'] ] ) || empty( $id_token_claim[ $settings['identity_key'] ] ) ) {
@ -286,9 +295,9 @@ class OpenID_Connect_Generic {
// if desired, admins can use regex to determine if the identity value is valid // if desired, admins can use regex to determine if the identity value is valid
// according to their own standards expectations // according to their own standards expectations
if ( isset( $settings['allowed_regex'] ) && !empty( $settings['allowed_regex'] ) && if ( isset( $settings['allowed_regex'] ) && ! empty( $settings['allowed_regex'] ) &&
preg_match( $settings['allowed_regex'], $id_token_claim[ $settings['identity_key'] ] ) !== 1) preg_match( $settings['allowed_regex'], $id_token_claim[ $settings['identity_key'] ] ) !== 1
{ ) {
$this->error( 5 ); $this->error( 5 );
} }
@ -300,7 +309,7 @@ class OpenID_Connect_Generic {
$this->error( 3, $user_claim_result ); $this->error( 3, $user_claim_result );
} }
$user_claim = json_decode( $user_claim_result['body'], true ); $user_claim = json_decode( $user_claim_result['body'], TRUE );
// make sure the id_token sub === user_claim sub, according to spec // make sure the id_token sub === user_claim sub, according to spec
if ( $id_token_claim[ $settings['identity_key'] ] !== $user_claim['sub'] ) { if ( $id_token_claim[ $settings['identity_key'] ] !== $user_claim['sub'] ) {
@ -315,9 +324,9 @@ class OpenID_Connect_Generic {
// allow plugins / themes to halt the login process early // allow plugins / themes to halt the login process early
// based on the user_claim // based on the user_claim
$login_user = apply_filters( 'openid-connect-generic-user-login-test', true, $user_claim ); $login_user = apply_filters( 'openid-connect-generic-user-login-test', TRUE, $user_claim );
if ( ! $login_user ){ if ( ! $login_user ) {
$this->error( 8 ); $this->error( 8 );
} }
@ -329,14 +338,13 @@ class OpenID_Connect_Generic {
'value' => $user_identity, 'value' => $user_identity,
) )
) )
)); ) );
// if we found an existing users, grab the first one returned // if we found an existing users, grab the first one returned
if ( $user_query->get_total() > 0 ) { if ( $user_query->get_total() > 0 ) {
$users = $user_query->get_results(); $users = $user_query->get_results();
$user = $users[0]; $user = $users[0];
} } // otherwise, user does not exist and we'll need to create it
// otherwise, user does not exist and we'll need to create it
else { else {
// default username & email to the user identity, since that is the only // default username & email to the user identity, since that is the only
// thing we can be sure to have // thing we can be sure to have
@ -347,8 +355,7 @@ class OpenID_Connect_Generic {
if ( isset( $user_claim['email'] ) ) { if ( isset( $user_claim['email'] ) ) {
$email = $user_claim['email']; $email = $user_claim['email'];
$username = $this->get_username_from_claim( $user_claim ); $username = $this->get_username_from_claim( $user_claim );
} } // if no name exists, attempt another request for userinfo
// if no name exists, attempt another request for userinfo
else if ( isset( $token_response['access_token'] ) ) { else if ( isset( $token_response['access_token'] ) ) {
$user_claim_result = $this->request_userinfo( $token_response['access_token'] ); $user_claim_result = $this->request_userinfo( $token_response['access_token'] );
@ -357,7 +364,7 @@ class OpenID_Connect_Generic {
$this->error( 3, $user_claim_result ); $this->error( 3, $user_claim_result );
} }
$user_claim = json_decode( $user_claim_result['body'], true ); $user_claim = json_decode( $user_claim_result['body'], TRUE );
if ( isset( $user_claim['email'] ) ) { if ( isset( $user_claim['email'] ) ) {
$email = $user_claim['email']; $email = $user_claim['email'];
@ -367,29 +374,29 @@ class OpenID_Connect_Generic {
// allow other plugins / themes to determine authorization // allow other plugins / themes to determine authorization
// of new accounts based on the returned user claim // of new accounts based on the returned user claim
$create_user = apply_filters( 'openid-connect-generic-user-creation-test', true, $user_claim ); $create_user = apply_filters( 'openid-connect-generic-user-creation-test', TRUE, $user_claim );
if ( ! $create_user ) { if ( ! $create_user ) {
$this->error( 9 ); $this->error( 9 );
} }
// create the new user // create the new user
$uid = wp_create_user( $username, wp_generate_password( 32, true, true ), $email ); $uid = wp_create_user( $username, wp_generate_password( 32, TRUE, TRUE ), $email );
// make sure we didn't fail in creating the user // make sure we didn't fail in creating the user
if ( is_wp_error( $uid ) ) { if ( is_wp_error( $uid ) ) {
$this->error( 6, $uid ); $this->error( 6, $uid );
} }
$this->log(array( $this->log( array(
'message' => 'New user created: '. $uid 'message' => 'New user created: ' . $uid
), 'success' ); ), 'success' );
$user = get_user_by( 'id', $uid ); $user = get_user_by( 'id', $uid );
// save some meta data about this new user for the future // save some meta data about this new user for the future
add_user_meta( $user->ID, 'openid-connect-generic-user', true, true ); add_user_meta( $user->ID, 'openid-connect-generic-user', TRUE, TRUE );
add_user_meta( $user->ID, 'openid-connect-generic-user-identity', (string) $user_identity, true ); add_user_meta( $user->ID, 'openid-connect-generic-user-identity', (string) $user_identity, TRUE );
// allow plugins / themes to take action on new user creation // allow plugins / themes to take action on new user creation
do_action( 'openid-connect-generic-user-create', $user, $user_claim ); do_action( 'openid-connect-generic-user-create', $user, $user_claim );
@ -407,13 +414,13 @@ class OpenID_Connect_Generic {
update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim ); update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
// save our authorization cookie for the response expiration // save our authorization cookie for the response expiration
$oauth_expiry = $token_response['expires_in'] + current_time( 'timestamp', true ); $oauth_expiry = $token_response['expires_in'] + current_time( 'timestamp', TRUE );
setcookie( $this->cookie_id_key, $user_identity, $oauth_expiry, COOKIEPATH, COOKIE_DOMAIN, true ); setcookie( $this->cookie_id_key, $user_identity, $oauth_expiry, COOKIEPATH, COOKIE_DOMAIN, TRUE );
// get a cookie and go home! // get a cookie and go home!
wp_set_auth_cookie( $user->ID, false ); wp_set_auth_cookie( $user->ID, FALSE );
$this->log(array( $this->log( array(
'message' => "Successful login for: {$user->user_login} ({$user->ID})" 'message' => "Successful login for: {$user->user_login} ({$user->ID})"
), 'success' ); ), 'success' );
@ -425,9 +432,10 @@ class OpenID_Connect_Generic {
* Using the authorization_code, request an authentication token from the idp * Using the authorization_code, request an authentication token from the idp
* *
* @param $code - authorization_code * @param $code - authorization_code
*
* @return array|\WP_Error * @return array|\WP_Error
*/ */
function request_authentication_token( $code ){ function request_authentication_token( $code ) {
$settings = $this->get_settings(); $settings = $this->get_settings();
$request = array( $request = array(
@ -454,16 +462,17 @@ class OpenID_Connect_Generic {
* Using an access_token, request the userinfo from the idp * Using an access_token, request the userinfo from the idp
* *
* @param $access_token * @param $access_token
*
* @return array|\WP_Error * @return array|\WP_Error
*/ */
function request_userinfo( $access_token ){ function request_userinfo( $access_token ) {
$settings = $this->get_settings(); $settings = $this->get_settings();
// allow modifications to the request // allow modifications to the request
$request = apply_filters( 'openid-connect-generic-alter-request', array(), $settings, 'get-userinfo' ); $request = apply_filters( 'openid-connect-generic-alter-request', array(), $settings, 'get-userinfo' );
// attempt the request // attempt the request
$response = wp_remote_get( $settings['ep_userinfo'].'?access_token='.$access_token, $request ); $response = wp_remote_get( $settings['ep_userinfo'] . '?access_token=' . $access_token, $request );
return $response; return $response;
} }
@ -474,11 +483,12 @@ class OpenID_Connect_Generic {
* @param $request * @param $request
* @param $settings * @param $settings
* @param $op * @param $op
*
* @return mixed * @return mixed
*/ */
function alter_request( $request, $settings, $op ){ function alter_request( $request, $settings, $op ) {
if ( isset( $settings['no_sslverify'] ) && $settings['no_sslverify'] ) { if ( isset( $settings['no_sslverify'] ) && $settings['no_sslverify'] ) {
$request['sslverify'] = false; $request['sslverify'] = FALSE;
} }
return $request; return $request;
@ -510,7 +520,7 @@ class OpenID_Connect_Generic {
* *
* @return string * @return string
*/ */
function new_state(){ function new_state() {
$states = get_option( 'openid-connect-generic-valid-states', array() ); $states = get_option( 'openid-connect-generic-valid-states', array() );
// new state w/ timestamp // new state w/ timestamp
@ -527,25 +537,26 @@ class OpenID_Connect_Generic {
* Check the validity of a given state * Check the validity of a given state
* *
* @param $state * @param $state
*
* @return bool * @return bool
*/ */
function check_state( $state ){ function check_state( $state ) {
$states = get_option( 'openid-connect-generic-valid-states', array() ); $states = get_option( 'openid-connect-generic-valid-states', array() );
$valid = false; $valid = FALSE;
// remove any expired states // remove any expired states
foreach ( $states as $code => $timestamp ){ foreach ( $states as $code => $timestamp ) {
if ( ( $timestamp + $this->state_time_limit ) < time() ) { if ( ( $timestamp + $this->state_time_limit ) < time() ) {
unset( $states[ $code ] ); unset( $states[ $code ] );
} }
} }
// see if the current state is still within the list of valid states // see if the current state is still within the list of valid states
if ( isset( $states[ $state ] ) ){ if ( isset( $states[ $state ] ) ) {
// state is valid, remove it // state is valid, remove it
unset( $states[ $state ] ); unset( $states[ $state ] );
$valid = true; $valid = TRUE;
} }
// save our altered states // save our altered states
@ -558,9 +569,10 @@ class OpenID_Connect_Generic {
* Implements filter login_message * Implements filter login_message
* *
* @param $message * @param $message
*
* @return string * @return string
*/ */
function login_message( $message ){ function login_message( $message ) {
$settings = $this->get_settings(); $settings = $this->get_settings();
// errors and auto login can't happen at the same time // errors and auto login can't happen at the same time
@ -574,7 +586,7 @@ class OpenID_Connect_Generic {
// login button is appended to existing messages in case of error // login button is appended to existing messages in case of error
if ( $settings['login_type'] == 'button' ) { if ( $settings['login_type'] == 'button' ) {
$message.= $this->login_button(); $message .= $this->login_button();
} }
return $message; return $message;
@ -588,7 +600,7 @@ class OpenID_Connect_Generic {
*/ */
function error( $error_number ) { function error( $error_number ) {
$args = func_get_args(); $args = func_get_args();
$error_number = array_shift($args); $error_number = array_shift( $args );
$url = wp_login_url() . '?login-error=' . $error_number; $url = wp_login_url() . '?login-error=' . $error_number;
$error = array( $error = array(
@ -597,7 +609,7 @@ class OpenID_Connect_Generic {
); );
// allow for additional error details // allow for additional error details
if ( !empty( $args ) ){ if ( ! empty( $args ) ) {
$error['details'] = $args; $error['details'] = $args;
} }
@ -613,9 +625,10 @@ class OpenID_Connect_Generic {
* Display an error message to the user * Display an error message to the user
* *
* @param $error_number * @param $error_number
*
* @return string * @return string
*/ */
function get_error_message( $error_number ){ function get_error_message( $error_number ) {
// fallback to unknown error // fallback to unknown error
if ( ! isset( $this->errors[ $error_number ] ) ) { if ( ! isset( $this->errors[ $error_number ] ) ) {
$error_number = 99; $error_number = 99;
@ -634,8 +647,8 @@ class OpenID_Connect_Generic {
* @return string * @return string
*/ */
function login_button() { function login_button() {
$text = apply_filters( 'openid-connect-generic-login-button-text', __('Login with OpenID Connect') ); $text = apply_filters( 'openid-connect-generic-login-button-text', __( 'Login with OpenID Connect' ) );
$href =$this->make_authentication_url(); $href = $this->make_authentication_url();
ob_start(); ob_start();
?> ?>
@ -651,30 +664,31 @@ class OpenID_Connect_Generic {
* *
* Remove cookies * Remove cookies
*/ */
function wp_logout(){ function wp_logout() {
setcookie( $this->cookie_id_key , '1', 0, COOKIEPATH, COOKIE_DOMAIN, true ); setcookie( $this->cookie_id_key, '1', 0, COOKIEPATH, COOKIE_DOMAIN, TRUE );
} }
/** /**
* Avoid user_login collisions by incrementing * Avoid user_login collisions by incrementing
* *
* @param $user_claim array * @param $user_claim array
*
* @return string * @return string
*/ */
function get_username_from_claim( $user_claim ){ function get_username_from_claim( $user_claim ) {
if ( isset( $user_claim['preferred_username'] ) && !empty( $user_claim['preferred_username'] ) ) { if ( isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) {
$desired_username = $user_claim['preferred_username']; $desired_username = $user_claim['preferred_username'];
} }
else if ( isset( $user_claim['name'] ) && !empty( $user_claim['name'] ) ) { else if ( isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) {
$desired_username = $user_claim['name']; $desired_username = $user_claim['name'];
} }
else if ( isset( $user_claim['email'] ) && !empty( $user_claim['email'] ) ) { else if ( isset( $user_claim['email'] ) && ! empty( $user_claim['email'] ) ) {
$tmp = explode( '@', $user_claim['email'] ); $tmp = explode( '@', $user_claim['email'] );
$desired_username = $tmp[0]; $desired_username = $tmp[0];
} }
else { else {
// nothing to build a name from // nothing to build a name from
return false; return FALSE;
} }
// normalize the data a bit // normalize the data a bit
@ -688,7 +702,7 @@ class OpenID_Connect_Generic {
// etc // etc
$count = 1; $count = 1;
while ( username_exists( $username ) ) { while ( username_exists( $username ) ) {
$count++; $count ++;
$username = $desired_name . $count; $username = $desired_name . $count;
} }
