Isekai-Project
/
isekai-openid-connect-generic
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

refactoring some internal settings for clarity

Browse Source
isekai
Jonathan Daggerhart 10 years ago
parent 2e3167fa20
commit c646078421
6 changed files with 168 additions and 156 deletions
Show Stats Download Patch File Download Diff File

151
includes/openid-connect-generic-client-wrapper.php
Unescape Escape View File

@ -55,21 +55,12 @@ class OpenID_Connect_Generic_Client_Wrapper {
add_action( 'wp_ajax_nopriv_openid-connect-authorize', array( $client_wrapper, 'authentication_request_callback' ) ); add_action( 'wp_ajax_nopriv_openid-connect-authorize', array( $client_wrapper, 'authentication_request_callback' ) );
} }
$client_wrapper->startup();
return $client_wrapper;
}
/**
* Handle the initial validation that should occur on each page load
*/
function startup(){
$this->handle_privacy();
// verify token for any logged in user // verify token for any logged in user
if ( is_user_logged_in() ) { if ( is_user_logged_in() ) {
$this->check_user_token(); $client_wrapper->check_user_token();
} }
return $client_wrapper;
} }
/** /**
@ -81,26 +72,6 @@ class OpenID_Connect_Generic_Client_Wrapper {
return $this->client->make_authentication_url(); return $this->client->make_authentication_url();
} }
/**
* Handle the privacy settings
*/
function handle_privacy() {
// check if privacy enforcement is enabled
if ( $this->settings->enforce_privacy &&
! is_user_logged_in() &&
// avoid redirects on cron or ajax
( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) &&
( ! defined( 'DOING_CRON' ) || ! DOING_CRON )
) {
global $pagenow;
// avoid redirect loop
if ( $pagenow != 'wp-login.php' && ! isset( $_GET['loggedout'] ) && ! isset( $_GET['login-error'] ) ) {
$this->error_redirect( new WP_Error( 'privacy', __( 'This site requires login.' ), $_GET ) );
}
}
}
/** /**
* Check the user's cookie * Check the user's cookie
*/ */
@ -146,7 +117,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
* Remove cookies * Remove cookies
*/ */
function wp_logout() { function wp_logout() {
setcookie( $this->cookie_id_key, '1', 0, COOKIEPATH, COOKIE_DOMAIN, TRUE ); setcookie( $this->cookie_id_key, false, 0, COOKIEPATH, COOKIE_DOMAIN, TRUE );
} }
/** /**
@ -173,7 +144,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
$settings = $this->settings; $settings = $this->settings;
$client = $this->client; $client = $this->client;
// // start the authentication flow
$authentication_request = $client->validate_authentication_request( $_GET ); $authentication_request = $client->validate_authentication_request( $_GET );
if ( is_wp_error( $authentication_request ) ){ if ( is_wp_error( $authentication_request ) ){
@ -208,78 +179,68 @@ class OpenID_Connect_Generic_Client_Wrapper {
$this->error_redirect( $valid ); $this->error_redirect( $valid );
} }
// - end authentication /**
* End authentication
// - start authorization * -
* Start Authorization
*/
// The id_token is used to identify the authenticated user, e.g. for SSO. // The id_token is used to identify the authenticated user, e.g. for SSO.
// The access_token must be used to prove access rights to protected resources // The access_token must be used to prove access rights to protected resources
// e.g. for the userinfo endpoint // e.g. for the userinfo endpoint
//
$id_token_claim = $client->get_id_token_claim( $token_response ); $id_token_claim = $client->get_id_token_claim( $token_response );
if ( is_wp_error( $id_token_claim ) ){ if ( is_wp_error( $id_token_claim ) ){
$this->error_redirect( $id_token_claim ); $this->error_redirect( $id_token_claim );
} }
// // validate our id_token has required values
$valid = $client->validate_id_token_claim( $id_token_claim ); $valid = $client->validate_id_token_claim( $id_token_claim );
if ( is_wp_error( $valid ) ){ if ( is_wp_error( $valid ) ){
$this->error_redirect( $valid ); $this->error_redirect( $valid );
} }
// exchange the token_response for a user_claim
//
// // if desired, admins can use regex to determine if the identity value is valid
// // according to their own standards expectations
// if ( ! empty( $settings->allowed_regex ) &&
// preg_match( $settings->allowed_regex, $id_token_claim[ $settings->identity_key ] ) !== 1
// ) {
// return new WP_Error( 'no-subject-identity', __( 'No subject identity' ), $id_token_claim );
// }
//
$user_claim = $client->get_user_claim( $token_response ); $user_claim = $client->get_user_claim( $token_response );
if ( is_wp_error( $user_claim ) ){ if ( is_wp_error( $user_claim ) ){
$this->error_redirect( $user_claim ); $this->error_redirect( $user_claim );
} }
// // validate our user_claim has required values
$valid = $client->validate_user_claim( $user_claim, $id_token_claim ); $valid = $client->validate_user_claim( $user_claim, $id_token_claim );
if ( is_wp_error( $valid ) ){ if ( is_wp_error( $valid ) ){
$this->error_redirect( $valid ); $this->error_redirect( $valid );
} }
// - end authorization /**
* End authorization
* -
* Request is authenticated and authorized - start user handling
// request is authenticated and authorized */
// - start user handling $subject_identity = $client->get_subject_identity( $id_token_claim );
$user_identity = $client->get_user_identity( $id_token_claim ); $user = $this->get_user_by_identity( $subject_identity );
$user = $this->get_user_by_identity( $user_identity );
// if we didn't find an existing user, we'll need to create it // if we didn't find an existing user, we'll need to create it
if ( ! $user ) { if ( ! $user ) {
$user = $this->create_new_user( $user_identity, $user_claim ); $user = $this->create_new_user( $subject_identity, $user_claim );
} }
// // validate the found / created user
$valid = $this->validate_user( $user ); $valid = $this->validate_user( $user );
if ( is_wp_error( $valid ) ){ if ( is_wp_error( $valid ) ){
$this->error_redirect( $valid ); $this->error_redirect( $valid );
} }
$this->login_user( $user, $token_response, $id_token_claim, $user_claim, $user_identity ); // login the found / created user
$this->login_user( $user, $token_response, $id_token_claim, $user_claim, $subject_identity );
// log our success
$this->logger->log( "Successful login for: {$user->user_login} ({$user->ID})", 'login-success' ); $this->logger->log( "Successful login for: {$user->user_login} ({$user->ID})", 'login-success' );
// go home!
wp_redirect( home_url() ); wp_redirect( home_url() );
} }
@ -300,11 +261,11 @@ class OpenID_Connect_Generic_Client_Wrapper {
} }
/** /**
* * Record user meta data, and provide an authorization cookie
* *
* @param $user * @param $user
*/ */
function login_user( $user, $token_response, $id_token_claim, $user_claim, $user_identity ){ function login_user( $user, $token_response, $id_token_claim, $user_claim, $subject_identity ){
// hey, we made it! // hey, we made it!
// let's remember the tokens for future reference // let's remember the tokens for future reference
update_user_meta( $user->ID, 'openid-connect-generic-last-token-response', $token_response ); update_user_meta( $user->ID, 'openid-connect-generic-last-token-response', $token_response );
@ -313,26 +274,26 @@ class OpenID_Connect_Generic_Client_Wrapper {
// save our authorization cookie for the response expiration // save our authorization cookie for the response expiration
$oauth_expiry = $token_response['expires_in'] + current_time( 'timestamp', TRUE ); $oauth_expiry = $token_response['expires_in'] + current_time( 'timestamp', TRUE );
setcookie( $this->cookie_id_key, $user_identity, $oauth_expiry, COOKIEPATH, COOKIE_DOMAIN, TRUE ); setcookie( $this->cookie_id_key, $subject_identity, $oauth_expiry, COOKIEPATH, COOKIE_DOMAIN, TRUE );
// get a cookie and go home! // you did great, have a cookie!
wp_set_auth_cookie( $user->ID, FALSE ); wp_set_auth_cookie( $user->ID, FALSE );
} }
/** /**
* Get the user that has meta data matching a
* *
* * @param $subject_identity
* @param $user_identity
* *
* @return false|\WP_User * @return false|\WP_User
*/ */
function get_user_by_identity( $user_identity ){ function get_user_by_identity( $subject_identity ){
// look for user by their openid-connect-generic-user-identity value // look for user by their openid-connect-generic-subject-identity value
$user_query = new WP_User_Query( array( $user_query = new WP_User_Query( array(
'meta_query' => array( 'meta_query' => array(
array( array(
'key' => 'openid-connect-generic-user-identity', 'key' => 'openid-connect-generic-subject-identity',
'value' => $user_identity, 'value' => $subject_identity,
) )
) )
) ); ) );
@ -354,7 +315,11 @@ class OpenID_Connect_Generic_Client_Wrapper {
* @return string * @return string
*/ */
private function get_username_from_claim( $user_claim ) { private function get_username_from_claim( $user_claim ) {
if ( isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) { // allow settings to take first stab at username
if ( !empty( $this->settings->identity_key ) && isset( $user_claim[ $this->settings->identity_key ] ) ) {
$desired_username = $user_claim[ $this->settings->identity_key ];
}
else if ( isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) {
$desired_username = $user_claim['preferred_username']; $desired_username = $user_claim['preferred_username'];
} }
else if ( isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) { else if ( isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) {
@ -388,25 +353,28 @@ class OpenID_Connect_Generic_Client_Wrapper {
} }
/** /**
* Create a new user from details in a user_claim
* *
* * @param $subject_identity
* @param $user_identity
* @param $user_claim * @param $user_claim
* *
* @return \WP_Error | \WP_User * @return \WP_Error | \WP_User
*/ */
function create_new_user( $user_identity, $user_claim){ function create_new_user( $subject_identity, $user_claim){
// default username & email to the user identity, since that is the only // default username & email to the subject identity
// thing we can be sure to have $username = $subject_identity;
$username = $user_identity; $email = $subject_identity;
$email = $user_identity;
// allow claim details to determine username // allow claim details to determine username
if ( isset( $user_claim['email'] ) ) { if ( isset( $user_claim['email'] ) ) {
$email = $user_claim['email']; $email = $user_claim['email'];
$username = $this->get_username_from_claim( $user_claim ); $username = $this->get_username_from_claim( $user_claim );
if ( is_wp_error( $username ) ){
return $username;
} }
// if no name exists, attempt another request for userinfo }
// if no email exists, attempt another request for userinfo
else if ( isset( $token_response['access_token'] ) ) { else if ( isset( $token_response['access_token'] ) ) {
$user_claim_result = $this->client->request_userinfo( $token_response['access_token'] ); $user_claim_result = $this->client->request_userinfo( $token_response['access_token'] );
@ -417,11 +385,14 @@ class OpenID_Connect_Generic_Client_Wrapper {
$user_claim = json_decode( $user_claim_result['body'], TRUE ); $user_claim = json_decode( $user_claim_result['body'], TRUE );
if ( isset( $user_claim['email'] ) ) { // check for email in claim
if ( ! isset( $user_claim['email'] ) ) {
return new WP_Error( 'incomplete-user-claim', __( 'User claim incomplete' ), $user_claim );
}
$email = $user_claim['email']; $email = $user_claim['email'];
$username = $this->get_username_from_claim( $user_claim ); $username = $this->get_username_from_claim( $user_claim );
} }
}
// allow other plugins / themes to determine authorization // allow other plugins / themes to determine authorization
// of new accounts based on the returned user claim // of new accounts based on the returned user claim
@ -439,13 +410,15 @@ class OpenID_Connect_Generic_Client_Wrapper {
return new WP_Error( 'failed-user-creation', __( 'Failed user creation.' ), $uid ); return new WP_Error( 'failed-user-creation', __( 'Failed user creation.' ), $uid );
} }
// retrieve our new user
$user = get_user_by( 'id', $uid ); $user = get_user_by( 'id', $uid );
$this->log( "New user created: {$user->user_login} ($uid)", 'success' );
// save some meta data about this new user for the future // save some meta data about this new user for the future
add_user_meta( $user->ID, 'openid-connect-generic-user', TRUE, TRUE ); add_user_meta( $user->ID, 'openid-connect-generic-user', TRUE, TRUE );
add_user_meta( $user->ID, 'openid-connect-generic-user-identity', (string) $user_identity, TRUE ); add_user_meta( $user->ID, 'openid-connect-generic-subject-identity', (string) $subject_identity, TRUE );
// log the results
$this->logger->log( "New user created: {$user->user_login} ($uid)", 'success' );
// allow plugins / themes to take action on new user creation // allow plugins / themes to take action on new user creation
do_action( 'openid-connect-generic-user-create', $user, $user_claim ); do_action( 'openid-connect-generic-user-create', $user, $user_claim );

2
includes/openid-connect-generic-client.php
Unescape Escape View File

@ -317,7 +317,7 @@ class OpenID_Connect_Generic_Client {
* *
* @return mixed * @return mixed
*/ */
function get_user_identity( $id_token_claim ){ function get_subject_identity( $id_token_claim ){
return $id_token_claim['sub']; return $id_token_claim['sub'];
} }
} }

71
includes/openid-connect-generic-settings-page.php
Unescape Escape View File

@ -44,33 +44,6 @@ class OpenID_Connect_Generic_Settings_Page {
), ),
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'ep_login' => array(
'title' => __( 'Login Endpoint URL' ),
'description' => __( 'Identify provider authorization endpoint.' ),
'example' => 'https://example.com/oauth2/authorize',
'type' => 'text',
'section' => 'client_settings',
),
'ep_token' => array(
'title' => __( 'Token Validation Endpoint URL' ),
'description' => __( 'Identify provider token endpoint.' ),
'example' => 'https://example.com/oauth2/token',
'type' => 'text',
'section' => 'client_settings',
),
'ep_userinfo' => array(
'title' => __( 'Userinfo Endpoint URL' ),
'description' => __( 'Identify provider User information endpoint.' ),
'example' => 'https://example.com/oauth2/UserInfo',
'type' => 'text',
'section' => 'client_settings',
),
'no_sslverify' => array(
'title' => __( 'Disable SSL Verify' ),
'description' => __( 'Do not require SSL verification during authorization. The OAuth extension uses curl to make the request. By default CURL will generally verify the SSL certificate to see if its valid an issued by an accepted CA. This setting disabled that verification.' ),
'type' => 'checkbox',
'section' => 'client_settings',
),
'client_id' => array( 'client_id' => array(
'title' => __( 'Client ID' ), 'title' => __( 'Client ID' ),
'description' => __( 'The ID this client will be recognized as when connecting the to Identity provider server.' ), 'description' => __( 'The ID this client will be recognized as when connecting the to Identity provider server.' ),
@ -91,18 +64,39 @@ class OpenID_Connect_Generic_Settings_Page {
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'identity_key' => array( 'endpoint_login' => array(
'title' => __( 'Identity Key' ), 'title' => __( 'Login Endpoint URL' ),
'description' => __( 'Where in the response array to find the identification data. When in doubt, use "sub".' ), 'description' => __( 'Identify provider authorization endpoint.' ),
'example' => 'sub', 'example' => 'https://example.com/oauth2/authorize',
'type' => 'text', 'type' => 'text',
'section' => 'client_settings', 'section' => 'client_settings',
), ),
'allowed_regex' => array( 'endpoint_userinfo' => array(
'title' => __( 'Authorization Regex' ), 'title' => __( 'Userinfo Endpoint URL' ),
'description' => __( 'Provide a regular expression that enforces your expectations concerning the identity value returned from the IDP.' ), 'description' => __( 'Identify provider User information endpoint.' ),
'example' => 'https://example.com/oauth2/UserInfo',
'type' => 'text', 'type' => 'text',
'section' => 'authorization_settings', 'section' => 'client_settings',
),
'endpoint_token' => array(
'title' => __( 'Token Validation Endpoint URL' ),
'description' => __( 'Identify provider token endpoint.' ),
'example' => 'https://example.com/oauth2/token',
'type' => 'text',
'section' => 'client_settings',
),
'no_sslverify' => array(
'title' => __( 'Disable SSL Verify' ),
'description' => __( 'Do not require SSL verification during authorization. The OAuth extension uses curl to make the request. By default CURL will generally verify the SSL certificate to see if its valid an issued by an accepted CA. This setting disabled that verification.' ),
'type' => 'checkbox',
'section' => 'client_settings',
),
'identity_key' => array(
'title' => __( 'Identity Key' ),
'description' => __( 'Where in the user claim array to find the user\'s identification data. Possible standard values: preferred_username, name, or sub. If you\'re having trouble, use "sub".' ),
'example' => 'preferred_username',
'type' => 'text',
'section' => 'client_settings',
), ),
'enforce_privacy' => array( 'enforce_privacy' => array(
'title' => __( 'Enforce Privacy' ), 'title' => __( 'Enforce Privacy' ),
@ -273,9 +267,10 @@ class OpenID_Connect_Generic_Settings_Page {
<code><?php print admin_url( 'admin-ajax.php?action=openid-connect-authorize' ); ?></code> <code><?php print admin_url( 'admin-ajax.php?action=openid-connect-authorize' ); ?></code>
</p> </p>
<?php <?php if ( $this->settings->enable_logging ) { ?>
//$this->show_logs(); <h2><?php _e( 'Logs' ); ?> </h2>
?> <div><?php print $this->logger->get_logs_table(); ?></div>
<?php } ?>
</div> </div>
<?php <?php
} }

20
includes/wp-option-logger.php
Unescape Escape View File

@ -180,17 +180,24 @@ class WP_Option_Logger {
$logs = $this->get_logs(); $logs = $this->get_logs();
} }
ini_set( 'xdebug.var_display_max_depth', -1 );
ob_start(); ob_start();
?> ?>
<table class="wp-list-table widefat fixed striped posts"> <style type="text/css">
#logger-table .col-data { width: 85% }
#logger-table .col-details div { padding: 4px 0; border-bottom: 1px solid #bbb; }
#logger-table .col-details label { font-weight: bold; }
</style>
<table id="logger-table" class="wp-list-table widefat fixed striped posts">
<thead> <thead>
<th>Details</th> <th class="col-details">Details</th>
<th style="width: 85%;">Data</th> <th class="col-data">Data</th>
</thead> </thead>
<tbody> <tbody>
<?php foreach ( $logs as $log ) { ?> <?php foreach ( $logs as $log ) { ?>
<tr> <tr>
<td> <td class="col-details">
<div> <div>
<label><?php _e( 'Type' ); ?>: </label> <label><?php _e( 'Type' ); ?>: </label>
<?php print $log['type']; ?> <?php print $log['type']; ?>
@ -204,11 +211,12 @@ class WP_Option_Logger {
<?php print ( $log['user_ID'] ) ? get_userdata( $log['user_ID'] )->user_login : '0'; ?> <?php print ( $log['user_ID'] ) ? get_userdata( $log['user_ID'] )->user_login : '0'; ?>
</div> </div>
<div> <div>
<label><?php _e( 'URI: ' ); ?>: </label> <label><?php _e( 'URI ' ); ?>: </label>
<?php print $log['uri']; ?> <?php print $log['uri']; ?>
</div> </div>
</td> </td>
<td><?php var_dump( $log['data'] ); ?></td>
<td class="col-data"><?php var_dump( $log['data'] ); ?></td>
</tr> </tr>
<?php } ?> <?php } ?>
</tbody> </tbody>

6
includes/wp-option-settings.php
Unescape Escape View File

@ -8,11 +8,15 @@ class WP_Option_Settings {
private $option_name; private $option_name;
// stored option values array // stored option values array
private $values = array(); private $values;
// default plugin settings values // default plugin settings values
private $default_settings; private $default_settings;
/**
* @param $option_name
* @param array $default_settings
*/
function __construct( $option_name, $default_settings = array() ){ function __construct( $option_name, $default_settings = array() ){
$this->option_name = $option_name; $this->option_name = $option_name;
$this->default_settings = $default_settings; $this->default_settings = $default_settings;

50
openid-connect-generic.php
Unescape Escape View File

@ -73,9 +73,9 @@ class OpenID_Connect_Generic {
$this->settings->client_id, $this->settings->client_id,
$this->settings->client_secret, $this->settings->client_secret,
$this->settings->scope, $this->settings->scope,
$this->settings->ep_login, $this->settings->endpoint_login,
$this->settings->ep_userinfo, $this->settings->endpoint_userinfo,
$this->settings->ep_token, $this->settings->endpoint_token,
// redirect uri // redirect uri
admin_url( 'admin-ajax.php?action=openid-connect-authorize' ) admin_url( 'admin-ajax.php?action=openid-connect-authorize' )
); );
@ -88,6 +88,33 @@ class OpenID_Connect_Generic {
} }
} }
/**
* Check if privacy enforcement is enabled, and redirect users that aren't
* logged in.
*/
function enforce_privacy_redirect() {
if ( $this->settings->enforce_privacy && ! is_user_logged_in() ) {
// our client endpoint relies on the wp admind ajax endpoint
if ( ! defined( 'DOING_AJAX') || ! DOING_AJAX || ! isset( $_GET['action'] ) || $_GET['action'] != 'openid-connect-authorize' ) {
auth_redirect();
}
}
}
/**
* Enforce privacy settings for rss feeds
*
* @param $content
*
* @return mixed
*/
function enforce_privacy_feeds( $content ){
if ( $this->settings->enforce_privacy && ! is_user_logged_in() ) {
$content = 'Private site';
}
return $content;
}
/** /**
* Autoloader * Autoloader
* *
@ -112,20 +139,19 @@ class OpenID_Connect_Generic {
// default settings values // default settings values
array( array(
// oauth client settings // oauth client settings
'login_type' => 'button',
'client_id' => '', 'client_id' => '',
'client_secret' => '', 'client_secret' => '',
'scope' => '', 'scope' => '',
'ep_login' => '', 'endpoint_login' => '',
'ep_userinfo' => '', 'endpoint_userinfo' => '',
'ep_token' => '', 'endpoint_token' => '',
// non-standard settings // non-standard settings
'no_sslverify' => 0, 'no_sslverify' => 0,
'identity_key' => 'sub', 'identity_key' => 'preferred_username',
'allowed_regex' => '',
// plugin settings // plugin settings
'login_type' => 'button',
'enforce_privacy' => 0, 'enforce_privacy' => 0,
'enable_logging' => 0, 'enable_logging' => 0,
'log_limit' => 1000, 'log_limit' => 1000,
@ -137,6 +163,12 @@ class OpenID_Connect_Generic {
$plugin = new self( $settings, $logger ); $plugin = new self( $settings, $logger );
add_action( 'init', array( $plugin, 'init' ) ); add_action( 'init', array( $plugin, 'init' ) );
// privacy hooks
add_action( 'template_redireect', array( $plugin, 'enforce_privacy_redirect' ), 0 );
add_filter( 'the_content_feed', array( $plugin, 'enforce_privacy_feeds' ), 999 );
add_filter( 'the_excerpt_rss', array( $plugin, 'enforce_privacy_feeds' ), 999 );
add_filter( 'comment_text_rss', array( $plugin, 'enforce_privacy_feeds' ), 999 );
} }
} }

Write Preview
Loading…
Cancel
Save