From 7455811ad7546fb0de628876cccf671532ae67ce Mon Sep 17 00:00:00 2001 From: kotnik Date: Thu, 15 Mar 2012 16:48:23 +0100 Subject: [PATCH] Issue #314781 by neizod, kotnik: Access rules for realms. --- openid_provider.inc | 20 +++++++++++++++---- openid_provider.module | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 4 deletions(-) diff --git a/openid_provider.inc b/openid_provider.inc index de1f962..463ab05 100644 --- a/openid_provider.inc +++ b/openid_provider.inc @@ -153,6 +153,20 @@ function _openid_provider_association_load($assoc_handle) { function openid_provider_authentication_response($request) { global $user; + // Determine the realm (openid.trust_root in 1.x) + $realm = (empty($request['openid.realm'])) ? $request['openid.trust_root'] : $request['openid.realm']; + + $whitelist = variable_get('openid_provider_whitelist', array()); + $blacklist = variable_get('openid_provider_blacklist', array()); + + // If realm on blacklist, or whitelist_only, cancel the login request. + if (in_array($realm, $blacklist) || (variable_get('openid_provider_whitelist_only', FALSE) && !in_array($realm, $whitelist))) { + if (!empty($_POST)) + unset($_POST); + $response = openid_provider_authentication_error($request); + return openid_redirect_http($request['openid.return_to'], $response); + } + // If the user is not yet logged in, redirect to the login page before continuing. if (!$user->uid) { if ($request['openid.mode'] == 'checkid_immediate') { 
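Review bot: The blacklist/whitelist gate at the top of openid_provider_authentication_response() compares the RP-supplied realm with `in_array()` as a loose, exact string, so a blacklisted RP evades it by sending `http://www.example.com` (no slash), `http://WWW.example.com/`, `http://www.example.com:80/` or a `http://*.example.com/` wildcard realm, and an `''` entry in the list (the validate hunk keeps blank textarea lines) matches a request that carries neither `openid.realm` nor `openid.trust_root`, because `$realm` is then NULL and `NULL == ''` — under `whitelist_only` that passes the gate. Compare normalized scheme, host, port and path prefix instead of the raw string, honour the OpenID `*.` wildcard in list entries (an RP-side wildcard realm then only matches an entry that is itself a wildcard, which is the safe direction for the whitelist; administrators who want to block `*.example.com` realms add that form to the blacklist), and default a missing realm to `openid.return_to` as OpenID 2.0 specifies rather than reading an undefined index. The helper below replaces both `in_array($realm, ...)` calls in this hunk; note that `parse_url()` accepting a `*` in the host is something to confirm on the target PHP version. As far as this hunk shows, the cancel path redirects to `openid.return_to` without confirming that return_to lies within the realm; if that check does not happen elsewhere the lists are only advisory, since the RP can claim any realm. The function body continues past the end of the hunk.
```php
  // Determine the realm (openid.trust_root in 1.x). OpenID 2.0 defaults a
  // missing realm to return_to; an empty realm then matches no list entry.
  $realm = !empty($request['openid.realm']) ? $request['openid.realm']
    : (!empty($request['openid.trust_root']) ? $request['openid.trust_root']
    : (isset($request['openid.return_to']) ? $request['openid.return_to'] : ''));
  // … unchanged: whitelist/blacklist variable_get() …
  if (_openid_provider_realm_in_list($realm, $blacklist)
      || (variable_get('openid_provider_whitelist_only', FALSE) && !_openid_provider_realm_in_list($realm, $whitelist))) {
  // … unchanged: cancel and redirect …

/**
 * TRUE when $realm matches an entry of $list.
 *
 * Realm and entries are compared on normalized scheme, host and port, with the
 * entry's path as a prefix of the realm's path, so "http://example.com/" covers
 * the whole site. A "*.example.com" host in a list entry matches example.com
 * and every subdomain; a wildcard in the realm only matches a wildcard entry.
 */
function _openid_provider_realm_in_list($realm, $list) {
  $r = _openid_provider_realm_parts($realm);
  if (!$r) {
    return FALSE;
  }
  foreach ((array) $list as $entry) {
    $e = _openid_provider_realm_parts($entry);
    if ($e && $e['scheme'] == $r['scheme'] && $e['port'] == $r['port']
        && _openid_provider_host_match($e['host'], $r['host'])
        && strpos($r['path'], $e['path']) === 0) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Normalized scheme/host/port/path of a realm URL, or FALSE if it has no host.
 */
function _openid_provider_realm_parts($url) {
  $p = @parse_url(trim((string) $url));
  if (empty($p['host'])) {
    return FALSE;
  }
  $scheme = isset($p['scheme']) ? strtolower($p['scheme']) : 'http';
  return array(
    'scheme' => $scheme,
    'host' => strtolower($p['host']),
    'port' => isset($p['port']) ? (int) $p['port'] : ($scheme == 'https' ? 443 : 80),
    'path' => (isset($p['path']) && $p['path'] !== '') ? $p['path'] : '/',
  );
}

/**
 * Host comparison where $pattern (a list entry) may be "*.example.com".
 */
function _openid_provider_host_match($pattern, $host) {
  if (substr($pattern, 0, 2) == '*.') {
    $suffix = substr($pattern, 1); // ".example.com"
    return $host == substr($suffix, 1) || substr($host, -strlen($suffix)) == $suffix;
  }
  return $pattern == $host;
}
```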
@@ -163,9 +177,6 @@ function openid_provider_authentication_response($request) { drupal_goto('user/login', array('query' => array('destination' => 'openid/provider/continue'))); } - // Determine the realm (openid.trust_root in 1.x) - $realm = (empty($request['openid.realm'])) ? $request['openid.trust_root'] : $request['openid.realm']; - // Check for a directed identity request. if ($request['openid.identity'] == 'http://specs.openid.net/auth/2.0/identifier_select') { $identity = openid_provider_url(openid_provider_user_path($user->uid)); @@ -217,7 +228,8 @@ function openid_provider_authentication_response($request) { $response = array_merge($response, module_invoke_all('openid_provider', 'response', $response, $request)); $rp = _openid_provider_rp_load($user->uid, $realm); - if (!empty($rp->auto_release)) { + $sites_auto_release = variable_get('openid_provider_sites_auto_release', 'none'); + if (!empty($rp->auto_release) || ($sites_auto_release == 'all') || (($sites_auto_release == 'whitelist') && in_array($realm, $whitelist))) { $response = _openid_provider_sign($response); _openid_provider_rp_save($user->uid, $realm, TRUE); _openid_provider_debug('automatic response authentication success using redirect to %url (request dump:
%request
, response dump:
%response
)', array('%url' => $request['openid.return_to'], '%response' => var_export($response, TRUE), '%request' => var_export($request, TRUE))); diff --git a/openid_provider.module b/openid_provider.module index 95dbdca..92b8425 100644 --- a/openid_provider.module +++ b/openid_provider.module 
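Review bot: With the widened condition in this hunk, the unchanged `_openid_provider_rp_save($user->uid, $realm, TRUE);` two lines below it now also runs when the release was granted by the site-wide `openid_provider_sites_auto_release` setting, so every RP a user signs into while the setting is `all` (or every whitelisted RP under `whitelist`) is stored with its per-RP auto_release flag set and keeps skipping the confirmation page after an administrator switches the setting back to `none`, because `!empty($rp->auto_release)` still short-circuits. Persist only what the existing record already granted, `_openid_provider_rp_save($user->uid, $realm, !empty($rp->auto_release));` — this assumes the third argument is the auto_release flag and that the call otherwise just refreshes the record, which the hunk does not show. The `in_array($realm, $whitelist)` added here is a loose, exact-string comparison against an RP-chosen value: at minimum pass `TRUE` as its third argument, and preferably use the same normalizing realm comparison as the access check so the RP cannot spell a whitelisted site differently to hit or miss the list. openid_provider_authentication_response() continues beyond both ends of this hunk.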
@@ -305,10 +305,62 @@ function openid_provider_admin_settings($form, &$form_state) { '#description' => t('This will enable debugging of this module to the watchdog.'), '#default_value' => variable_get('openid_provider_debugging', false), ); + $form['sitelist'] = array( + '#type' => 'fieldset', + '#title' => t('Sites management'), + '#collapsible' => TRUE, + '#collapsed' => FALSE, + ); + $form['sitelist']['openid_provider_sites_auto_release'] = array( + '#type' => 'radios', + '#title' => t('Automatically login without confirmation page'), + '#options' => array( + 'all' => 'Anonymous sites (unrecommended)', + 'whitelist' => 'Whitelist only', + 'none' => 'Always ask', + ), + '#default_value' => variable_get('openid_provider_sites_auto_release', 'none'), + '#description' => t('Select "Whitelist only" to allow trusted partner sites logged in automatically. Select "Anonymous sites" is unrecommended due to its violating the standard for user to be asked before logged in into unregistered sites.'), + ); + $form['sitelist']['openid_provider_whitelist_only'] = array( + '#type' => 'checkbox', + '#title' => t('Disable anonymous sites'), + '#default_value' => variable_get('openid_provider_whitelist_only', FALSE), + '#description' => t('Only allow sites on the whitelist to login using the OpenID provider.'), + ); + $form['sitelist']['openid_provider_whitelist'] = array( + '#type' => 'textarea', + '#title' => t('Whitelist'), + '#default_value' => @implode(PHP_EOL, variable_get('openid_provider_whitelist', array())), + '#description' => t('Sites on this list can be logged in through the OpenID provider. Enter one site per line with the full URL e.g. 
http://www.example.com/.'), + ); + $form['sitelist']['openid_provider_blacklist'] = array( + '#type' => 'textarea', + '#title' => t('Blacklist'), + '#default_value' => @implode(PHP_EOL, variable_get('openid_provider_blacklist', array())), + '#description' => t('Sites on this list will be completely forbidden to login through the OpenID provider. Enter one site per line with the full URL e.g. http://www.example.com/. The blacklist has precendence over the whitelist, that is: sites also on the whitelist will be considered blacklisted.'), + ); return system_settings_form($form); } /** + * Split the newline separated list of whitelisted and blacklisted sites into an array. + */ +function openid_provider_admin_settings_validate($form, &$form_state) { + $sites = array(); + if (!empty($form_state['values']['openid_provider_whitelist'])) { + $sites = preg_split( '/\r\n|\r|\n/', $form_state['values']['openid_provider_whitelist']); + } + $form_state['values']['openid_provider_whitelist'] = $sites; + + $sites = array(); + if (!empty($form_state['values']['openid_provider_blacklist'])) { + $sites = preg_split( '/\r\n|\r|\n/', $form_state['values']['openid_provider_blacklist']); + } + $form_state['values']['openid_provider_blacklist'] = $sites; +} + +/** * Implements of hook_xrds(). * * Return a XRDS for this server to discover it based on the root url -- 1.7.9.4
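Review bot: openid_provider_admin_settings_validate() splits the textareas on line breaks but neither trims the pieces nor discards empty ones, so the trailing newline browsers send for a textarea stores an `''` entry in `openid_provider_whitelist`/`openid_provider_blacklist`, and a line with stray whitespace is stored verbatim and never equals a realm in the provider's `in_array()` checks. Build each list as `array_values(array_filter(array_map('trim', $lines), 'strlen'))` (the `'strlen'` callback keeps a literal `0` line, unlike a bare `array_filter()`), and fold the duplicated block into one loop over both keys as below; the `!empty()` guards become unnecessary because `preg_split()` on an empty string yields a single `''` that the filter removes. Separately, the `#options` labels of `openid_provider_sites_auto_release` are the only user-facing strings in the new fieldset not wrapped in `t()`, and the blacklist description misspells "precedence".
```php
function openid_provider_admin_settings_validate($form, &$form_state) {
  foreach (array('openid_provider_whitelist', 'openid_provider_blacklist') as $key) {
    $lines = preg_split('/\r\n|\r|\n/', (string) $form_state['values'][$key]);
    // Drop surrounding whitespace and blank lines; keep the admin's order.
    $form_state['values'][$key] = array_values(array_filter(array_map('trim', $lines), 'strlen'));
  }
}
```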