-
Notifications
You must be signed in to change notification settings - Fork 8
/
main.inc.php
314 lines (273 loc) · 8 KB
/
main.inc.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
<?php
/*
Plugin Name: OpenId Connect
Version: 1.0.4
Description: This plugin provides OpenID Connect integration.
Plugin URI: http://piwigo.org/ext/extension_view.php?eid=918
Author: Jasper Weyne
Author URI: http://github.com/jasperweyne
Has Settings: true
*/
/*
Copyright 2020-2021 Jasper Weyne
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
defined('PHPWG_ROOT_PATH') or die('Hacking attempt!');
/// Define plugin constants
global $prefixeTable;
define('OIDC_ID', basename(dirname(__FILE__)));
define('OIDC_PATH' , PHPWG_PLUGINS_PATH . OIDC_ID . '/');
define('OIDC_ADMIN', get_root_url() . 'admin.php?page=plugin-' . OIDC_ID);
define('OIDC_SESSION', OIDC_ID);
define('OIDC_TABLE', $prefixeTable . "oidc");
require(OIDC_PATH . 'oidc.php');
/// Link event handlers
// The menubar is cached in the block manager before applying the full template
add_event_handler('plugins_loaded', 'oidc_init'); // earliest init possible
add_event_handler('load_profile_in_template', 'oidc_profile');
add_event_handler('blockmanager_apply', 'override_login_link');
add_event_handler('loc_begin_password', 'oidc_redirect');
add_event_handler('loc_begin_register', 'oidc_redirect');
add_event_handler('try_log_user', 'password_login');
add_event_handler('loc_end_identification', 'oidc_identification');
add_event_handler('user_init', 'refresh_login');
add_event_handler('get_admin_plugin_menu_links', 'oidc_admin_link');
add_event_handler('delete_user', 'oidc_delete_user');
add_event_handler('ws_add_methods', 'oidc_api');
/// Utility methods
/**
* Generate a random password
* based on: https://stackoverflow.com/questions/4356289/php-random-string-generator/31107425#31107425
*/
function random_pass($length = 16, $keyspace = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_-=+;:,.?")
{
$pieces = [];
$max = mb_strlen($keyspace, '8bit') - 1;
for ($i = 0; $i < $length; ++$i) {
$pieces []= $keyspace[random_int(0, $max)];
}
return implode('', $pieces);
}
/**
* Check whether an access token or OpenID token isn't expired.
*/
function is_token_unexpired($access_token, $oidc): bool
{
if (isset($access_token->expires)) {
return $access_token->expires >= time();
} else {
// If user info retrieval is successful, token is still valid
try {
$oidc->setAccessToken($access_token->access_token);
$oidc->requestUserInfo();
return true;
} catch (\Exception $e) {
return false;
}
}
}
/// Event handlers
/**
* Deserialize the database-stored contents of plugin settings
* Override them with contents of conf.php
*/
function oidc_init()
{
global $conf;
$conf['OIDC'] = safe_unserialize($conf['OIDC']);
if (file_exists(OIDC_PATH . 'conf.php')) {
$overrideConfig = (include OIDC_PATH . 'conf.php');
$conf['OIDC'] = array_merge($conf['OIDC'], $overrideConfig);
}
}
/**
* Removes the Profile/Registration block.
*/
function oidc_profile()
{
global $template;
if (isset($_SESSION[OIDC_SESSION])) {
$template->assign('SPECIAL_USER', true);
}
}
/**
* Rewrite the login link in menu to link to the authorization code flow
*/
function override_login_link()
{
global $template;
// If U_LOGIN is present and authorization grant is enabled, replace U_LOGIN link
if ($template->get_template_vars('U_LOGIN') !== null && can_authorization_grant())
$template->assign('U_LOGIN', OIDC_PATH . 'auth.php');
// If resource owner credentials grant is enabled, set U_REGISTER to registration url
if (can_resource_owner_credentials_grant()) {
if (!empty($conf['OIDC']['registration_url']))
$template->assign('U_REGISTER', $conf['OIDC']['registration_url']);
else
$template->clear_assign('U_REGISTER');
}
}
/**
* Rewrite the contents of the identification.php where applicable
*/
function oidc_identification()
{
global $template;
global $conf;
redirect_auth();
if (can_resource_owner_credentials_grant()) {
if ($template->get_template_vars('U_LOST_PASSWORD') !== null) {
// Password lost URL
if (!empty($conf['OIDC']['password_reset_url']))
$template->assign('U_LOST_PASSWORD', $conf['OIDC']['password_reset_url']);
else
$template->clear_assign('U_LOST_PASSWORD');
}
if ($template->get_template_vars('U_REGISTER') !== null) {
// Registration URL
if (!empty($conf['OIDC']['registration_url']))
$template->assign('U_REGISTER', $conf['OIDC']['registration_url']);
else
$template->clear_assign('U_REGISTER');
}
}
}
/**
* Redirect for password.php and register.php if applicable
*/
function oidc_redirect()
{
redirect_auth();
if (can_resource_owner_credentials_grant()) {
redirect(get_root_url() . 'identification.php');
}
}
/**
* Refresh the user, log out if expired
*/
function refresh_login($user)
{
global $conf;
// If disabled, don't attempt to refresh
if (!can_authorization_grant() && !can_resource_owner_credentials_grant()) {
return;
}
// If user is not logged in, don't attempt to refresh
if ($user['id'] == $conf['guest_id']) {
return;
}
// Retrieve access token for current session
$json = $_SESSION[OIDC_SESSION];
// If no access token was found, reject the refresh
if (!$json) {
oidc_logout();
}
$accessToken = json_decode($json);
// If the token is not expired, refreshing isn't necessary
$oidc = get_oidc_client();
if (is_token_unexpired($accessToken, $oidc)) {
return;
}
// Try to obtain refreshed access token
try {
$response = $oidc->refreshToken($accessToken->refresh_token);
if (isset($response->refresh_token)) {
$accessToken->refresh_token = $response->refresh_token;
}
if (isset($response->access_token)) {
$accessToken->access_token = $response->access_token;
}
if (isset($response->expires_in)) {
$accessToken->expires = time() + $response->expires_in;
}
$_SESSION[OIDC_SESSION] = json_encode($accessToken);
} catch (\Exception $e) {
// Log out if an unknown problem arises
$page['errors'][] = $e->getMessage();
oidc_logout();
}
}
/**
* Use the given input to begin the resource owner credentials flow
*/
function password_login($success, $username, $password, $remember_me)
{
// If user is logged in through another hook, skip
if ($success === true) {
return true;
}
// If resource owner credentials flow is disable, don't attempt
if (!can_resource_owner_credentials_grant()) {
return false;
}
// Begin login attempt
$success = false;
// Try to request token with auth params
$oidc = get_oidc_client();
$oidc->addAuthParam([
'username' => $username,
'password' => $password,
]);
try {
$response = $oidc->requestResourceOwnerToken(true);
if (isset($response->access_token)) {
$oidc->setAccessToken($response->access_token);
$success = oidc_login($oidc, $response, $remember_me);
}
} catch (\Exception $e) {
// silently fail
}
// If login unsuccessful, trigger login_failure accordingly
if (!$success) {
trigger_notify('login_failure', stripslashes($username));
}
return $success;
}
/**
* Add OpenID Connect menu entry to plugins
*/
function oidc_admin_link($menu)
{
$menu[] = [
'NAME' => 'OpenID Connect',
'URL' => OIDC_ADMIN,
];
return $menu;
}
/**
* Delete users from the OIDC user table if applicable
*/
function oidc_delete_user($user_id)
{
$query = '
DELETE FROM '.OIDC_TABLE.'
WHERE `user_id` = '.$user_id.'
;';
pwg_query($query);
}
/**
* Register WS API methods
*/
function oidc_api($params)
{
$service = &$params[0];
$service->addMethod(
'pwg.session.login_oidc',
'api_login',
array(
'access_token' => array(),
),
'Tries to login the user using an OIDC token.',
OIDC_PATH . 'api.php',
array('post_only' => true)
);
}
?>