]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blob - IkiWiki/Plugin/openid.pm
websetup: Only display Setup button on admins' preferences page.
[git.ikiwiki.info.git] / IkiWiki / Plugin / openid.pm
1 #!/usr/bin/perl
2 # OpenID support.
3 package IkiWiki::Plugin::openid;
5 use warnings;
6 use strict;
7 use IkiWiki 3.00;
9 sub import {
10         hook(type => "getopt", id => "openid", call => \&getopt);
11         hook(type => "getsetup", id => "openid", call => \&getsetup);
12         hook(type => "auth", id => "openid", call => \&auth);
13         hook(type => "formbuilder_setup", id => "openid",
14                 call => \&formbuilder_setup, last => 1);
15 }
17 sub getopt () {
18         eval q{use Getopt::Long};
19         error($@) if $@;
20         Getopt::Long::Configure('pass_through');
21         GetOptions("openidsignup=s" => \$config{openidsignup});
22 }
24 sub getsetup () {
25         return
26                 plugin => {
27                         safe => 1,
28                         rebuild => 0,
29                         section => "auth",
30                 },
31                 openidsignup => {
32                         type => "string",
33                         example => "http://myopenid.com/",
34                         description => "an url where users can signup for an OpenID",
35                         safe => 1,
36                         rebuild => 0,
37                 },
38 }
40 sub formbuilder_setup (@) {
41         my %params=@_;
43         my $form=$params{form};
44         my $session=$params{session};
45         my $cgi=$params{cgi};
46         
47         if ($form->title eq "signin") {
48                 # Give up if module is unavailable to avoid
49                 # needing to depend on it.
50                 eval q{use Net::OpenID::Consumer};
51                 if ($@) {
52                         debug("unable to load Net::OpenID::Consumer, not enabling OpenID login ($@)");
53                         return;
54                 }
56                 # This avoids it displaying a redundant label for the
57                 # OpenID fieldset.
58                 $form->fieldsets("OpenID");
60                 $form->field(
61                         name => "openid_url",
62                         label => gettext("Log in with")." ".htmllink("", "", "ikiwiki/OpenID", noimageinline => 1),
63                         fieldset => "OpenID",
64                         size => 30,
65                         comment => ($config{openidsignup} ? " | <a href=\"$config{openidsignup}\">".gettext("Get an OpenID")."</a>" : "")
66                 );
68                 # Handle submission of an OpenID as validation.
69                 if ($form->submitted && $form->submitted eq "Login" &&
70                     defined $form->field("openid_url") && 
71                     length $form->field("openid_url")) {
72                         $form->field(
73                                 name => "openid_url",
74                                 validate => sub {
75                                         validate($cgi, $session, shift, $form);
76                                 },
77                         );
78                         # Skip all other required fields in this case.
79                         foreach my $field ($form->field) {
80                                 next if $field eq "openid_url";
81                                 $form->field(name => $field, required => 0,
82                                         validate => '/.*/');
83                         }
84                 }
85         }
86         elsif ($form->title eq "preferences" &&
87                IkiWiki::openiduser($session->param("name"))) {
88                 $form->field(name => "openid_url", disabled => 1,
89                         label => htmllink("", "", "ikiwiki/OpenID", noimageinline => 1),
90                         value => $session->param("name"), 
91                         size => 50, force => 1,
92                         fieldset => "login");
93                 $form->field(name => "email", type => "hidden");
94         }
95 }
97 sub validate ($$$;$) {
98         my $q=shift;
99         my $session=shift;
100         my $openid_url=shift;
101         my $form=shift;
103         my $csr=getobj($q, $session);
105         my $claimed_identity = $csr->claimed_identity($openid_url);
106         if (! $claimed_identity) {
107                 if ($form) {
108                         # Put the error in the form and fail validation.
109                         $form->field(name => "openid_url", comment => $csr->err);
110                         return 0;
111                 }
112                 else {
113                         error($csr->err);
114                 }
115         }
117         # Ask for client to provide a name and email, if possible.
118         # Try sreg and ax
119         if ($claimed_identity->can("set_extension_args")) {
120                 $claimed_identity->set_extension_args(
121                         'http://openid.net/extensions/sreg/1.1',
122                         {
123                                 optional => 'email,fullname,nickname',
124                         },
125                 );
126                 $claimed_identity->set_extension_args(
127                         'http://openid.net/srv/ax/1.0',
128                         {
129                                 mode => 'fetch_request',
130                                 'required' => 'email,fullname,nickname,firstname',
131                                 'type.email' => "http://schema.openid.net/contact/email",
132                                 'type.fullname' => "http://axschema.org/namePerson",
133                                 'type.nickname' => "http://axschema.org/namePerson/friendly",
134                                 'type.firstname' => "http://axschema.org/namePerson/first",
135                         },
136                 );
137         }
139         my $check_url = $claimed_identity->check_url(
140                 return_to => IkiWiki::cgiurl(do => "postsignin"),
141                 trust_root => $config{cgiurl},
142                 delayed_return => 1,
143         );
144         # Redirect the user to the OpenID server, which will
145         # eventually bounce them back to auth()
146         IkiWiki::redirect($q, $check_url);
147         exit 0;
150 sub auth ($$) {
151         my $q=shift;
152         my $session=shift;
154         if (defined $q->param('openid.mode')) {
155                 my $csr=getobj($q, $session);
157                 if (my $setup_url = $csr->user_setup_url) {
158                         IkiWiki::redirect($q, $setup_url);
159                 }
160                 elsif ($csr->user_cancel) {
161                         IkiWiki::redirect($q, $config{url});
162                 }
163                 elsif (my $vident = $csr->verified_identity) {
164                         $session->param(name => $vident->url);
166                         my @extensions;
167                         if ($vident->can("signed_extension_fields")) {
168                                 @extensions=grep { defined } (
169                                         $vident->signed_extension_fields('http://openid.net/extensions/sreg/1.1'),
170                                         $vident->signed_extension_fields('http://openid.net/srv/ax/1.0'),
171                                 );
172                         }
173                         foreach my $ext (@extensions) {
174                                 foreach my $field (qw{value.email email}) {
175                                         if (exists $ext->{$field} &&
176                                             defined $ext->{$field} &&
177                                             length $ext->{$field}) {
178                                                 $session->param(email => $ext->{$field});
179                                                 last;
180                                         }
181                                 }
182                                 foreach my $field (qw{value.nickname nickname value.fullname fullname value.firstname}) {
183                                         if (exists $ext->{$field} &&
184                                             defined $ext->{$field} &&
185                                             length $ext->{$field}) {
186                                                 $session->param(username => $ext->{$field});
187                                                 last;
188                                         }
189                                 }
190                         }
191                 }
192                 else {
193                         error("OpenID failure: ".$csr->err);
194                 }
195         }
196         elsif (defined $q->param('openid_identifier')) {
197                 # myopenid.com affiliate support
198                 validate($q, $session, $q->param('openid_identifier'));
199         }
202 sub getobj ($$) {
203         my $q=shift;
204         my $session=shift;
206         eval q{use Net::OpenID::Consumer};
207         error($@) if $@;
209         my $ua;
210         eval q{use LWPx::ParanoidAgent};
211         if (! $@) {
212                 $ua=LWPx::ParanoidAgent->new;
213         }
214         else {
215                 $ua=LWP::UserAgent->new;
216         }
218         # Store the secret in the session.
219         my $secret=$session->param("openid_secret");
220         if (! defined $secret) {
221                 $secret=rand;
222                 $session->param(openid_secret => $secret);
223         }
225         return Net::OpenID::Consumer->new(
226                 ua => $ua,
227                 args => $q,
228                 consumer_secret => sub { return shift()+$secret },
229                 required_root => $config{cgiurl},
230         );