search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
clear sandbox/test commit
[ikiwiki.git] / IkiWiki / Plugin / openid.pm
blobbd2cfdc440f1ff68db5e5ddec7c874d3504edf49
1 #!/usr/bin/perl
2 # OpenID support.
3 package IkiWiki::Plugin::openid;
4
5 use warnings;
6 use strict;
7 use IkiWiki 3.00;
8
9 sub import {
10 add_underlay("openid-selector");
11 hook(type => "checkconfig", id => "openid", call => \&checkconfig);
12 hook(type => "getsetup", id => "openid", call => \&getsetup);
13 hook(type => "auth", id => "openid", call => \&auth);
14 hook(type => "formbuilder_setup", id => "openid",
15 call => \&formbuilder_setup, last => 1);
16 }
17
18 sub checkconfig () {
19 if ($config{cgi}) {
20 # Intercept normal signin form, so the openid selector
21 # can be displayed.
22 #
23 # When other auth hooks are registered, give the selector
24 # a reference to the normal signin form.
25 require IkiWiki::CGI;
26 my $real_cgi_signin;
27 if (keys %{$IkiWiki::hooks{auth}} > 1) {
28 $real_cgi_signin=\&IkiWiki::cgi_signin;
29 }
30 inject(name => "IkiWiki::cgi_signin", call => sub ($$) {
31 openid_selector($real_cgi_signin, @_);
32 });
33 }
34 }
35
36 sub getsetup () {
37 return
38 plugin => {
39 safe => 1,
40 rebuild => 0,
41 section => "auth",
42 },
43 openid_realm => {
44 type => "string",
45 description => "url pattern of openid realm (default is cgiurl)",
46 safe => 0,
47 rebuild => 0,
48 },
49 openid_cgiurl => {
50 type => "string",
51 description => "url to ikiwiki cgi to use for openid authentication (default is cgiurl)",
52 safe => 0,
53 rebuild => 0,
54 },
55 }
56
57 sub openid_selector {
58 my $real_cgi_signin=shift;
59 my $q=shift;
60 my $session=shift;
61
62 my $openid_url=$q->param('openid_identifier');
63 my $openid_error;
64
65 if (! load_openid_module()) {
66 if ($real_cgi_signin) {
67 $real_cgi_signin->($q, $session);
68 exit;
69 }
70 error(sprintf(gettext("failed to load openid module: "), @_));
71 }
72 elsif (defined $q->param("action") && $q->param("action") eq "verify") {
73 validate($q, $session, $openid_url, sub {
74 $openid_error=shift;
75 });
76 }
77
78 my $template=IkiWiki::template("openid-selector.tmpl");
79 $template->param(
80 cgiurl => IkiWiki::cgiurl(),
81 (defined $openid_error ? (openid_error => $openid_error) : ()),
82 (defined $openid_url ? (openid_url => $openid_url) : ()),
83 ($real_cgi_signin ? (nonopenidform => $real_cgi_signin->($q, $session, 1)) : ()),
84 );
85
86 IkiWiki::printheader($session);
87 print IkiWiki::cgitemplate($q, "signin", $template->output);
88 exit;
89 }
90
91 sub formbuilder_setup (@) {
92 my %params=@_;
93
94 my $form=$params{form};
95 my $session=$params{session};
96 my $cgi=$params{cgi};
97
98 if ($form->title eq "preferences" &&
99 IkiWiki::openiduser($session->param("name"))) {
100 $form->field(name => "openid_identifier", disabled => 1,
101 label => htmllink("", "", "ikiwiki/OpenID", noimageinline => 1),
102 value => $session->param("name"),
103 size => length($session->param("name")), force => 1,
104 fieldset => "login");
105 $form->field(name => "email", type => "hidden");
106 }
107 }
108
109 sub validate ($$$;$) {
110 my $q=shift;
111 my $session=shift;
112 my $openid_url=shift;
113 my $errhandler=shift;
114
115 my $csr=getobj($q, $session);
116
117 my $claimed_identity = $csr->claimed_identity($openid_url);
118 if (! $claimed_identity) {
119 if ($errhandler) {
120 $errhandler->($csr->err);
121 return 0;
122 }
123 else {
124 error($csr->err);
125 }
126 }
127
128 # Ask for client to provide a name and email, if possible.
129 # Try sreg and ax
130 if ($claimed_identity->can("set_extension_args")) {
131 $claimed_identity->set_extension_args(
132 'http://openid.net/extensions/sreg/1.1',
133 {
134 optional => 'email,fullname,nickname',
135 },
136 );
137 $claimed_identity->set_extension_args(
138 'http://openid.net/srv/ax/1.0',
139 {
140 mode => 'fetch_request',
141 'required' => 'email,fullname,nickname,firstname',
142 'type.email' => "http://schema.openid.net/contact/email",
143 'type.fullname' => "http://axschema.org/namePerson",
144 'type.nickname' => "http://axschema.org/namePerson/friendly",
145 'type.firstname' => "http://axschema.org/namePerson/first",
146 },
147 );
148 }
149
150 my $cgiurl=$config{openid_cgiurl};
151 $cgiurl=$q->url if ! defined $cgiurl;
152
153 my $trust_root=$config{openid_realm};
154 $trust_root=$cgiurl if ! defined $trust_root;
155
156 my $check_url = $claimed_identity->check_url(
157 return_to => "$cgiurl?do=postsignin",
158 trust_root => $trust_root,
159 delayed_return => 1,
160 );
161 # Redirect the user to the OpenID server, which will
162 # eventually bounce them back to auth()
163 IkiWiki::redirect($q, $check_url);
164 exit 0;
165 }
166
167 sub auth ($$) {
168 my $q=shift;
169 my $session=shift;
170
171 if (defined $q->param('openid.mode')) {
172 my $csr=getobj($q, $session);
173
174 if (my $setup_url = $csr->user_setup_url) {
175 IkiWiki::redirect($q, $setup_url);
176 }
177 elsif ($csr->user_cancel) {
178 IkiWiki::redirect($q, IkiWiki::baseurl(undef));
179 }
180 elsif (my $vident = $csr->verified_identity) {
181 $session->param(name => $vident->url);
182
183 my @extensions;
184 if ($vident->can("signed_extension_fields")) {
185 @extensions=grep { defined } (
186 $vident->signed_extension_fields('http://openid.net/extensions/sreg/1.1'),
187 $vident->signed_extension_fields('http://openid.net/srv/ax/1.0'),
188 );
189 }
190 my $nickname;
191 foreach my $ext (@extensions) {
192 foreach my $field (qw{value.email email}) {
193 if (exists $ext->{$field} &&
194 defined $ext->{$field} &&
195 length $ext->{$field}) {
196 $session->param(email => $ext->{$field});
197 if (! defined $nickname &&
198 $ext->{$field}=~/(.+)@.+/) {
199 $nickname = $1;
200 }
201 last;
202 }
203 }
204 foreach my $field (qw{value.nickname nickname value.fullname fullname value.firstname}) {
205 if (exists $ext->{$field} &&
206 defined $ext->{$field} &&
207 length $ext->{$field}) {
208 $nickname=$ext->{$field};
209 last;
210 }
211 }
212 }
213 if (defined $nickname) {
214 $session->param(nickname =>
215 Encode::decode_utf8($nickname));
216 }
217 }
218 else {
219 error("OpenID failure: ".$csr->err);
220 }
221 }
222 elsif (defined $q->param('openid_identifier')) {
223 # myopenid.com affiliate support
224 validate($q, $session, $q->param('openid_identifier'));
225 }
226 }
227
228 sub getobj ($$) {
229 my $q=shift;
230 my $session=shift;
231
232 eval q{use Net::INET6Glue::INET_is_INET6}; # may not be available
233 eval q{use Net::OpenID::Consumer};
234 error($@) if $@;
235
236 my $ua;
237 eval q{use LWPx::ParanoidAgent};
238 if (! $@) {
239 $ua=LWPx::ParanoidAgent->new;
240 }
241 else {
242 $ua=LWP::UserAgent->new;
243 }
244
245 # Store the secret in the session.
246 my $secret=$session->param("openid_secret");
247 if (! defined $secret) {
248 $secret=rand;
249 $session->param(openid_secret => $secret);
250 }
251
252 my $cgiurl=$config{openid_cgiurl};
253 $cgiurl=$q->url if ! defined $cgiurl;
254
255 return Net::OpenID::Consumer->new(
256 ua => $ua,
257 args => $q,
258 consumer_secret => sub { return shift()+$secret },
259 required_root => $cgiurl,
260 );
261 }
262
263 sub load_openid_module {
264 # Give up if module is unavailable to avoid needing to depend on it.
265 eval q{use Net::OpenID::Consumer};
266 if ($@) {
267 debug("unable to load Net::OpenID::Consumer, not enabling OpenID login ($@)");
268 return;
269 }
270 return 1;
271 }
272
273 1
A wiki which has a git backend