diff --git a/openid_provider.inc b/openid_provider.inc
index 3ce282f..0aac7e0 100644
--- a/openid_provider.inc
+++ b/openid_provider.inc
@@ -153,6 +153,19 @@ function _openid_provider_association_load($assoc_handle) {
 function openid_provider_authentication_response($request) {
 global $user;
+ // Determine the realm (openid.trust_root in 1.x)
+ $realm = (empty($request['openid.realm'])) ? $request['openid.trust_root'] : $request['openid.realm'];
+
+ $whitelist = variable_get('openid_provider_whitelist', array());
+ $blacklist = variable_get('openid_provider_blacklist', array());
+
+ // If realm on blacklist, or whitelist_only, cancel the login request.
+ if (in_array($realm, $blacklist) || (variable_get('openid_provider_whitelist_only', FALSE) && !in_array($realm, $whitelist))) {
+ if (!empty($_POST))
+ unset($_POST);
+ drupal_goto($request['openid.return_to']);
+ }
+
 // If the user is not yet logged in, redirect to the login page before continuing.
 if (!$user->uid) {
 if ($request['openid.mode'] == 'checkid_immediate') {
@@ -163,9 +176,6 @@ function openid_provider_authentication_response($request) {
 drupal_goto('user/login', array('query' => array('destination' => 'openid/provider/continue')));
 }
- // Determine the realm (openid.trust_root in 1.x)
- $realm = (empty($request['openid.realm'])) ? $request['openid.trust_root'] : $request['openid.realm'];
-
 // Check for a directed identity request.
 if ($request['openid.identity'] == 'http://specs.openid.net/auth/2.0/identifier_select') {
 $identity = openid_provider_url(openid_provider_user_path($user->uid));
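Review bot: The cancel branch added at the top of openid_provider_authentication_response() sends the RP back to `openid.return_to` with no response fields, so the RP gets a bare redirect instead of an OpenID negative assertion (`openid.mode=cancel`, or `setup_needed` for a checkid_immediate request, plus `openid.ns` for 2.0); if the module already builds that response for the user's own "deny" choice, the policy denial should reuse it. The realm comparison is an exact, loosely-typed `in_array($realm, $blacklist)`, so a listed realm that differs only by trailing slash, case or an explicit port is not matched, and a request carrying neither `openid.realm` nor `openid.trust_root` leaves `$realm` undefined; at minimum pass `TRUE` as the third argument to both `in_array` calls and refuse an empty realm, e.g. `if (empty($realm) || in_array($realm, $blacklist, TRUE) || (variable_get('openid_provider_whitelist_only', FALSE) && !in_array($realm, $whitelist, TRUE))) {`. Wildcard realms such as `http://*.example.com/`, which the spec permits, will never equal a literal list entry either, which the admin description should state. `unset($_POST)` on a superglobal inside a function is unusual and `$_POST = array();` is the conventional form, though `drupal_goto()` ends the request so the clearing may be unnecessary. The function body continues outside the hunk.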
@@ -217,7 +227,8 @@ function openid_provider_authentication_response($request) {
 $response = array_merge($response, module_invoke_all('openid_provider', 'response', $response, $request));
 $rp = _openid_provider_rp_load($user->uid, $realm);
- if (!empty($rp->auto_release)) {
+ $sites_auto_release = variable_get('openid_provider_sites_auto_release', 'none');
+ if (!empty($rp->auto_release) || ($sites_auto_release == 'all') || (($sites_auto_release == 'whitelist') && in_array($realm, $whitelist))) {
 $response = _openid_provider_sign($response);
 _openid_provider_rp_save($user->uid, $realm, TRUE);
 _openid_provider_debug('automatic response authentication success using redirect to %url (request dump:
%request, response dump:
%response)', array('%url' => $request['openid.return_to'], '%response' => var_export($response, TRUE), '%request' => var_export($request, TRUE)));
diff --git a/openid_provider.module b/openid_provider.module
index c3c112d..6c50710 100644
--- a/openid_provider.module
+++ b/openid_provider.module
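Review bot: When the release is granted by site policy (`$sites_auto_release == 'all'` or a whitelisted realm) the branch still runs `_openid_provider_rp_save($user->uid, $realm, TRUE)`, so if that third argument is the stored auto_release flag (the `$rp->auto_release` test two lines up suggests so, but confirm), a temporary 'all' setting permanently marks every RP seen in the meantime as user-approved and switching back to 'none' does not revoke it. Persist the flag only from the user's own decision, e.g. `_openid_provider_rp_save($user->uid, $realm, !empty($rp->auto_release));`, or skip the save entirely when the release came from policy. The new `in_array($realm, $whitelist)` and the two `==` comparisons should be strict (`in_array($realm, $whitelist, TRUE)`, `===`), matching the exact-string semantics the whitelist relies on. `$whitelist` is assigned at the top of the function in the previous hunk; the function body continues outside this hunk.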
@@ -304,10 +304,62 @@ function openid_provider_admin_settings($form, &$form_state) {
 '#description' => t('This will enable debugging of this module to the watchdog.'),
 '#default_value' => variable_get('openid_provider_debugging', false),
 );
+ $form['sitelist'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Sites management'),
+ '#collapsible' => TRUE,
+ '#collapsed' => FALSE,
+ );
+ $form['sitelist']['openid_provider_sites_auto_release'] = array(
+ '#type' => 'radios',
+ '#title' => t('Automatically login without confirmation page'),
+ '#options' => array(
+ 'all' => 'Anonymous sites (unrecommended)',
+ 'whitelist' => 'Whitelist only',
+ 'none' => 'Always ask',
+ ),
+ '#default_value' => variable_get('openid_provider_sites_auto_release', 'none'),
+ '#description' => t('Select "Whitelist only" to allow trusted partner sites logged in automatically. Select "Anonymous sites" is unrecommended due to its violating the standard for user to be asked before logged in into unregistered sites.'),
+ );
+ $form['sitelist']['openid_provider_whitelist_only'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('Disable anonymous sites'),
+ '#default_value' => variable_get('openid_provider_whitelist_only', FALSE),
+ '#description' => t('Only allow sites on the whitelist to login using the OpenID provider.'),
+ );
+ $form['sitelist']['openid_provider_whitelist'] = array(
+ '#type' => 'textarea',
+ '#title' => t('Whitelist'),
+ '#default_value' => @implode(PHP_EOL, variable_get('openid_provider_whitelist', array())),
+ '#description' => t('Sites on this list can be logged in through the OpenID provider. Enter one site per line with the full URL e.g. 
http://www.example.com/.'),
+ );
+ $form['sitelist']['openid_provider_blacklist'] = array(
+ '#type' => 'textarea',
+ '#title' => t('Blacklist'),
+ '#default_value' => @implode(PHP_EOL, variable_get('openid_provider_blacklist', array())),
+ '#description' => t('Sites on this list will be completely forbidden to login through the OpenID provider. Enter one site per line with the full URL e.g. http://www.example.com/. The blacklist has precendence over the whitelist, that is: sites also on the whitelist will be considered blacklisted.'),
+ );
 return system_settings_form($form);
 }
 /**
+ * Split the newline separated list of whitelisted and blacklisted sites into an array.
+ */
+function openid_provider_admin_settings_validate($form, &$form_state) {
+ $sites = array();
+ if (!empty($form_state['values']['openid_provider_whitelist'])) {
+ $sites = preg_split( '/\r\n|\r|\n/', $form_state['values']['openid_provider_whitelist']);
+ }
+ $form_state['values']['openid_provider_whitelist'] = $sites;
+
+ $sites = array();
+ if (!empty($form_state['values']['openid_provider_blacklist'])) {
+ $sites = preg_split( '/\r\n|\r|\n/', $form_state['values']['openid_provider_blacklist']);
+ }
+ $form_state['values']['openid_provider_blacklist'] = $sites;
+}
+
+/**
 * Implements of hook_xrds().
 *
 * Return a XRDS for this server to discover it based on the root url
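Review bot: openid_provider_admin_settings_validate() stores the raw `preg_split` output, so a trailing newline or surrounding whitespace yields empty or padded entries; the authentication code compares the realm to these entries as exact strings, so a padded entry never matches and an empty entry compares loosely equal to a missing realm under the non-strict `in_array`. Trim each line and drop blanks before saving, and fold the duplicated whitelist/blacklist handling into one helper as sketched below. The `@implode(PHP_EOL, variable_get(...))` defaults suppress the warning raised when a previously stored value is a string rather than an array; `implode(PHP_EOL, (array) variable_get('openid_provider_whitelist', array()))` covers that without `@`. The three `#options` labels are the only user-visible strings in this hunk not wrapped in `t()`, the blacklist description misspells "precedence", and both descriptions should say that entries are matched literally against the RP's realm, trailing slash included.
```php
/**
 * Split a newline separated textarea value into a list of trimmed, non-empty sites.
 */
function _openid_provider_split_sites($text) {
  $sites = preg_split('/\r\n|\r|\n/', (string) $text);
  // Drop surrounding whitespace and blank lines so entries compare exactly to a realm.
  return array_values(array_filter(array_map('trim', $sites), 'strlen'));
}

/**
 * Split the newline separated lists of whitelisted and blacklisted sites into arrays.
 */
function openid_provider_admin_settings_validate($form, &$form_state) {
  foreach (array('openid_provider_whitelist', 'openid_provider_blacklist') as $key) {
    $form_state['values'][$key] = _openid_provider_split_sites($form_state['values'][$key]);
  }
}
```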