src/plugins/authopenid/www/index.php -text
src/plugins/authopenid/www/post-login.php -text
src/plugins/authwebid/3rd-party/README -text
+src/plugins/authwebid/3rd-party/WebIDDelegatedAuth/LICENSE -text
+src/plugins/authwebid/3rd-party/WebIDDelegatedAuth/README.markdown -text
+src/plugins/authwebid/3rd-party/WebIDDelegatedAuth/lib/Authentication.php -text
+src/plugins/authwebid/3rd-party/WebIDDelegatedAuth/lib/Authentication_Delegated.php -text
+src/plugins/authwebid/3rd-party/WebIDDelegatedAuth/lib/Authentication_Session.php -text
+src/plugins/authwebid/3rd-party/WebIDDelegatedAuth/lib/Authentication_URL.php -text
+src/plugins/authwebid/3rd-party/WebIDDelegatedAuth/lib/Authentication_X509CertRepo.php -text
src/plugins/authwebid/NAME -text
src/plugins/authwebid/README -text
src/plugins/authwebid/bin/db-delete.pl -text
--- /dev/null
+Copyright (C) 2012 Melvin Carvalho, Akbar Hossain, László Török
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- /dev/null
+1. Introduction
+===============
+
+_WebIDDelegatedAuth_ is a scaled down version of _libAuthentication_
+(<https://github.com/melvincarvalho/libAuthentication>).
+Whereas libAuthentication is a more general purpose PHP support library for the WebID protocol,
+_WebIDDelegatedAuth_ can only be used to allow Web applications to support WebID authentication by delegating
+WebID authentication to their prefered third part WebID identification provider.
+All credit belongs to the initial authors of _libAuthentication_.
+
+Further details of the WebID protocol can be obtained at <http://webid.info>
+
+If you would like to learn how to get going quickly without diving to much into
+technical details, then read section 2. and 3.
+
+The core classes of _WebIDDelegatedAuth_ are tackled in section 3. and 4.
+
+--------------------------------------------------------------------------------
+
+2. How to set up "delegated" WebID authentication in a few lines of code
+================================================================================
+
+There are a few flavours of WebID authentication. The following very simple
+example shows how to setup a WebID authentication relying on a third party identity
+provider such as foafssl.org or auth.my-profile.eu.
+
+Prerequisites:
+
+ * Publicly available internet site
+ * Apache 2.2 and PHP 5.2.x or higher
+
+Checkout and create a script that will be the entry point for your application:
+
+ git clone https://github.com/WebIDauth/WebIDDelegatedAuth.git
+
+ cat > index.php
+ <?php
+
+ require_once('WebIDDelegatedAuth/lib/Authentication.php');
+ $auth = new Authentication_Delegated();
+
+ if (!$auth->isAuthenticated())
+ {
+ echo $auth->authnDiagnostic;
+ echo '<a href="https://foafssl.org/srv/idp?authreqissuer=http://localhost/index.php">Click here to Login</a>';
+ }
+ else
+ {
+ echo 'Your have succesfully logged in.<pre>';
+ print_r($auth);
+ }
+
+Make sure the _"authreqissuer"_ points to YOUR site (to reinvoke the same index.php) and...
+... YOU ARE DONE!
+
+You just set up you first WebID powered site. Behind the scenes,
+_WebIDDelegatedAuth_ has an embedded copy of foafssl.org's certificate (in its code) which is used
+in the authentication process.
+
+
+Note that if you wish to use another delegated identity verification
+service (for instance 'auth.my-profile.eu'), you may need to change line 4 as :
+
+ $auth = new Authentication_Delegate(TRUE, NULL, Authentication_URL::parse('https://auth.my-profile.eu'));
+
+Then you'd change the login link to :
+
+ echo '<a href="https://auth.my-profile.eu/auth/?authreqissuer=http://localhost/index.php">Click here to Login</a>';
+
+This will ensure that you wish to verify the server's response
+signature according to the proper certificate, which is also already present in Authentication_X509CertRepo.php
+
+Should you want to host your own WebID identity provider (like foafssl.org or auth.my-profile.net), you may check a PHP implementation at https://github.com/WebIDauth/WebIDauth (which is the software used to operate auth.my-profile.net).
+
+--------------------------------------------------------------------------------
+
+3. Brief overview of _WebIDDelegatedAuth_'s core classes
+================================================================================
+
+_WebIDDelegatedAuth_ provides the following core classes:
+
+* Authentication
+ Authenticate user by trying the supported authentication methods in a fixed
+ and reasonable sequence
+
+* Authentication_Delegated
+ Authenticate via the delegated WebID method using a 3rd party WebID
+ identity provider (foafssl.org and auth.my-profile.eu supported by default)
+
+* Authentication_Session
+ Create a session cookie after successful authentication to speed up
+ subsequent authentication attempts
+
+A detailed description of the core classes an their usage follows.
+
+--------------------------------------------------------------------------------
+
+4. Detailed description of _WebIDDelegatedAuth_'s core classes
+================================================================================
+
+class Authentication
+--------------------------------------------------------------------------------
+This class provides easy access to all supported authentication mechanisms.
+On instantiation, it performs the following operations:
+
+1. Checks if an authentication session cookie is present
+2. If 1. fails, it tries to authenticate via delegated WebID (see _Authentication\_Delegate_)
+3. If authentication is successful, it loads the corresponding WebID URI
+
+ $auth = new Authentication($config) // $config is optional
+
+On Success:
+
+- `$auth->isAuthenticated()` returns true
+- `$auth->webid` contains the authenticated webid
+
+On Error:
+
+If an error occurs, an explanation can be retrieved by inspecting
+`$auth->$authnDiagnostic`.
+If you want to terminate the authenticated session, it is a good idea to call
+`$auth->logout`.
+
+class Authentication_Session
+--------------------------------------------------------------------------------
+
+This class usually won't be instantiated directly. If a given authentication
+method succeeds, it can optionally persist that information by instantiating
+_Authentication\_Session_. It stores the authenticated webid and the parsed foaf
+file in `$_SESSION`. This results in a significant speed up in successive
+authentication attempts. If you want to create it manually, you can do that as follows:
+
+ $authSession = new Authentication_Session(1, $webid)
+
+where 1 indicates the fact of successful authentication and `$webid` is a URI string.
+
+class Authentication_Delegated
+--------------------------------------------------------------------------------
+
+Using the delegated WebID method is probably the easiest way to get you start
+quickly leveraging this powerful authentication method. It is also the easiest
+to set up. Refer to Section 2. for an example and make sure you set up the example
+using a public domain name or a public IP address. I you want find out more details
+how the identity provider works, see <https://foafssl.org/srv/idp>.
+
+You need to instantiate _Authentication\_Delegated_ at a common entry point
+to your site (e.g. index.php):
+
+ $auth = new Authentication_Delegated();
+
+Most of the input is automatically retrieved from the global php context variables
+(`$_REQUEST`, `$_SERVER` etc.), so using the default constructor parameters is fine.
+
+On Success:
+
+- `$auth->isAuthenticated()` returns true
+- `$auth->webid` contains the authenticated webid
+
+If not explicitly disabled, on successful authentication an instance of
+_Authentication\_Session_ will also be created, to speed up further authentication
+attempts. If that something you don't want to happend, you need to call the constructor
+as follows:
+
+ $auth = new Authentication_Delegated( false );
+
+On Error:
+
+If an error occurs, an explanation can be retrieved by inspecting `$auth->$authnDiagnostic`.
+If you want to terminate the authenticated session, it is a good idea to call `$auth->logout`.
+
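Review bot: the README's own examples do not match the library's API and fail as written. The line `$auth = new Authentication_Delegate(TRUE, NULL, Authentication_URL::parse('https://auth.my-profile.eu'));` names a class `Authentication_Delegate` that does not exist (the class is `Authentication_Delegated`); `$auth->$authnDiagnostic` (used twice) is a variable-variable and should read `$auth->authnDiagnostic`; and `$auth->logout` should be the call `$auth->logout()`. Section 4 says `$config` is optional in `$auth = new Authentication($config)`, but Authentication.php declares `__construct($ARCConfig, $sig = NULL)` with no default, so either add a default there or drop "optional" here. The quick-start link also uses `authreqissuer=http://localhost/index.php`, which contradicts the "Publicly available internet site" prerequisite: the IdP redirects the browser back to that URL, so the text should tell readers to substitute their public hostname.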
--- /dev/null
+<?php
+
+/*-------------------------------------------------------------------------------------
+ *
+ * Filename : Authentication.php
+ * Date : 11th July 2012
+ *
+ * Copyright (C) 2012 Melvin Carvalho, Akbar Hossain, László Török
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is furnished
+ * to do so, subject to the following conditions:
+
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Everything should be made as simple as possible, but no simpler."
+ * -- Albert Einstein
+ */
+//-------------------------------------------------------------------------------------
+
+require_once(dirname(__FILE__)."/Authentication_Delegated.php");
+
+/**
+ * Top-level authentication class that integrates multiple authentication
+ * procedures. (session or delegated WebID)
+ *
+ * @modified Andrei Sambra
+ */
+class Authentication {
+ /**
+ * After succesful authentication contains the webid
+ * @var string
+ */
+ public $webid = NULL;
+ public $isAuthenticated = 0;
+ public $authnDiagnostic = NULL;
+ private $session = NULL;
+
+ const STATUS_AUTH_VIA_SESSION = "Authenticated via a session";
+
+ public function __construct($ARCConfig, $sig = NULL)
+ {
+ // Authenticate via session and return
+ $this->session = new Authentication_Session();
+ if ($this->session->isAuthenticated) {
+ $this->webid = $this->session->webid;
+ $this->isAuthenticated = $this->session->isAuthenticated;
+ $this->authnDiagnostic = self::STATUS_AUTH_VIA_SESSION;
+ return;
+ }
+
+ // Authenticate via delegated login
+ $sig = isset($sig)?$sig:$_GET["sig"];
+ if (isset($sig))
+ {
+ $authDelegate = new Authentication_Delegated(FALSE);
+
+ $this->webid = $authDelegate->webid;
+ $this->isAuthenticated = $authDelegate->isAuthenticated;
+ $this->authnDiagnostic = $authDelegate->authnDiagnostic;
+ }
+
+ if ($this->isAuthenticated)
+ {
+ $this->session->setAuthenticatedWebid($this->webid);
+ }
+ else
+ {
+ $this->session->unsetAuthenticatedWebid();
+ $this->webid = NULL;
+ }
+ }
+
+ /**
+ * Is the current user authenticated?
+ * @return bool
+ */
+ public function isAuthenticated()
+ {
+ return $this->isAuthenticated;
+ }
+
+ /**
+ * Leave the authenticated session
+ */
+ public function logout()
+ {
+ $this->isAuthenticated = 0;
+ $this->session->unsetAuthenticatedWebid();
+ }
+}
+
+?>
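Review bot: `$sig = isset($sig)?$sig:$_GET["sig"];` reads `$_GET["sig"]` without an isset guard, so every request without a `sig` parameter (the normal first visit) raises an undefined-index notice; use `isset($_GET["sig"]) ? $_GET["sig"] : NULL`. The `$ARCConfig` constructor parameter is never used and has no default, so `new Authentication()` emits a missing-argument warning; give it `= NULL` or remove it. The class also uses `Authentication_Session` but only includes Authentication_Delegated.php, relying on that file's transitive `require_once`; adding an explicit `require_once(dirname(__FILE__)."/Authentication_Session.php");` makes the dependency visible. Style: drop the trailing `?>` in a pure-PHP file so stray whitespace after it cannot break header or session-cookie output.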
--- /dev/null
+<?php
+
+/*-------------------------------------------------------------------------------------
+ *
+ * Filename : Authentication_Delegated.php
+ * Date : 11th July 2012
+ *
+ * Copyright (C) 2012 Melvin Carvalho, Akbar Hossain, László Török
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is furnished
+ * to do so, subject to the following conditions:
+
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Everything should be made as simple as possible, but no simpler."
+ * -- Albert Einstein
+ */
+//-------------------------------------------------------------------------------------
+require_once(dirname(__FILE__)."/Authentication_URL.php");
+require_once(dirname(__FILE__)."/Authentication_X509CertRepo.php");
+require_once(dirname(__FILE__)."/Authentication_Session.php");
+/**
+ * Implements WebID Delegated Authentication using an Identity Provider
+ *
+ * @author Akbar Hossain
+ * @modified Andrei Sambra
+ */
+class Authentication_Delegated {
+ /**
+ * After succesful authentication contains the webid
+ * (e.g. http://foaf.me/tl73#me)
+ * @var string
+ */
+ public $webid = NULL;
+ public $isAuthenticated = 0;
+ /**
+ * Always contains the diagnostic message for the last authentication attempt
+ * @var string
+ */
+ public $authnDiagnostic = NULL;
+ /** @var Authentication_SignedURL */
+ private $requestURI = NULL;
+ /** @var Authentication_URL */
+ private $referer = NULL;
+ private $ts = NULL;
+ private $allowedTimeWindow = 0;
+ private $elapsedTime = 0;
+
+ const STATUS_AUTH_VIA_SESSION =
+ "Authenticated via a session";
+
+ const STATUS_DELEGATED_LOGIN_OK =
+ "Delegated WebID Login response has been authenticated";
+
+ const STATUS_SIGNATURE_VERIFICATION_ERR =
+ "Signature on response could not be verified";
+
+ const STATUS_UNSUPPORTED_SIGNATURE_ALG_ERR =
+ "Unsupported signature algorithm";
+
+ const STATUS_IDP_RESPONSE_TIMEOUT_ERR =
+ "Response from delegate IdP was outside of the allowed time window";
+
+ const STATUS_OPENSSL_VERIFICATION_ERR =
+ "Openssl verification error";
+
+ const STATUS_IDP_CERTIFICATE_MISSING =
+ "Signing IdP's certificate not found";
+
+ const SIG_ALG_RSA_SHA1 = 'rsa-sha1';
+ /**
+ * Perform delegated WebID authentication relying on an Identity Provider
+ * @param Authentication_SignedURL $request (if not specified infered from _GET)
+ * @param Authentication_X509CertRepo $certRepository (if not default is used)
+ * @param bool $createSession
+ * @param string $sigAlg
+ * @param int $allowedTimeWindow
+ */
+ public function __construct($createSession = TRUE,
+ Authentication_SignedURL $request = NULL,
+ Authentication_URL $referer = NULL,
+ Authentication_X509CertRepo $certRepository = NULL,
+ $sigAlg = self::SIG_ALG_RSA_SHA1,
+ $allowedTimeWindow = 300)
+ {
+ if ($createSession)
+ {
+ $session = new Authentication_Session();
+ if ($session->isAuthenticated)
+ {
+ $this->webid = $session->webid;
+ $this->isAuthenticated = $session->isAuthenticated;
+ $this->authnDiagnostic = self::STATUS_AUTH_VIA_SESSION;
+ return;
+ }
+ }
+
+ if ( ! $certRepository)
+ $certRepository = new Authentication_X509CertRepo();
+
+ if ( ! $request) {
+ $request = Authentication_SignedURL::parse(
+ ((isset($_SERVER["HTTPS"]) && ($_SERVER["HTTPS"] == "on")) ? "https" : "http")
+ . "://".$_SERVER["SERVER_NAME"]
+ . ($_SERVER["SERVER_PORT"] != ((isset($_SERVER["HTTPS"])
+ && ($_SERVER["HTTPS"] == "on")) ? 443 : 80) ? ":"
+ .$_SERVER["SERVER_PORT"] : "")
+ . $_SERVER["REQUEST_URI"]
+ );
+ }
+
+ $error = null;
+ $sig = null;
+ $ts = null;
+
+ isset($_GET["error"]) and $error = $_GET["error"];
+
+ isset($_GET["sig"]) and $sig = $_GET["sig"];
+
+ isset($_GET["ts"]) and $ts = $_GET["ts"];
+
+ $error = $request->getQueryParameter('error', $error);
+ $sig = $request->getQueryParameter('sig', $sig);
+ $ts = $request->getQueryParameter('ts', $ts);
+
+ $this->requestURI = $request;
+ if (NULL != $referer)
+ {
+ $this->referer = $referer;
+ }
+ else if (isset($_GET["referer"]))
+ {
+ $this->referer = Authentication_URL::parse($_GET["referer"]);
+ }
+ else
+ {
+ $this->referer = new Authentication_URL();
+ }
+ $this->ts = $ts;
+
+ $webid = null;
+ isset($_GET["webid"]) and $webid = $_GET["webid"];
+
+ $this->webid = $request->getQueryParameter('webid', $webid);
+ $this->allowedTimeWindow = $allowedTimeWindow;
+ $this->elapsedTime = time() - strtotime($ts);
+
+ /*
+ * Loads the trusted certificate of the IdP: its public key is used to
+ * verify the integrity of the signed assertion.
+ */
+ $idpCertificate = $certRepository->getIdpCertificate($this->referer->host);
+ if ( ! $idpCertificate)
+ {
+ $this->isAuthenticated = 0;
+ $this->authnDiagnostic = self::STATUS_IDP_CERTIFICATE_MISSING;
+
+ }
+ else if (($this->elapsedTime < $this->allowedTimeWindow) && ( ! isset($error)))
+ {
+
+ $signedInfo = $this->requestURI->urlWithoutSignature();
+ // Extracts the signature
+ $signature = $this->requestURI->digitalSignature();
+ // TODO this may be removed in the future
+ if ( ! $signature)
+ $signature = $sig;
+
+ // Only rsa-sha1 is supported at the moment.
+ if ($sigAlg == self::SIG_ALG_RSA_SHA1)
+ {
+ $pubKeyId = openssl_get_publickey($idpCertificate);
+
+ // Verifies the signature
+ $verified = openssl_verify($signedInfo, $signature, $pubKeyId);
+ if ($verified == 1)
+ {
+ // The verification was successful.
+ $this->isAuthenticated = 1;
+ $this->authnDiagnostic = self::STATUS_DELEGATED_LOGIN_OK;
+ }
+ else if ($verified == 0)
+ {
+ // The signature didn't match.
+ $this->isAuthenticated = 0;
+ $this->authnDiagnostic = self::STATUS_SIGNATURE_VERIFICATION_ERR;
+ }
+ else
+ {
+ // Error during the verification.
+ $this->isAuthenticated = 0;
+ $this->authnDiagnostic = self::STATUS_OPENSSL_VERIFICATION_ERR;
+ }
+
+ openssl_free_key($pubKeyId);
+
+ }
+ else
+ {
+ // Unsupported signature algorithm.
+ $this->isAuthenticated = 0;
+ $this->authnDiagnostic = self::STATUS_UNSUPPORTED_SIGNATURE_ALG_ERR;
+ }
+ }
+ else
+ {
+ $this->isAuthenticated = 0;
+ if (isset($error))
+ $this->authnDiagnostic = $error;
+ else
+ $this->authnDiagnostic = self::STATUS_IDP_RESPONSE_TIMEOUT_ERR;
+ }
+
+ if ($createSession)
+ {
+ if ($this->isAuthenticated)
+ $session->setAuthenticatedWebid($this->webid);
+ else
+ $session->unsetAuthenticatedWebid();
+ }
+ }
+
+ /**
+ * Is the current user authenticated?
+ * @return bool
+ */
+ public function isAuthenticated()
+ {
+ return $this->isAuthenticated;
+ }
+ /**
+ * Leave the authenticated session
+ */
+ public function logout()
+ {
+ $this->isAuthenticated = 0;
+ $this->session->unsetAuthenticatedWebid();
+ }
+
+}
+?>
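Review bot: `logout()` uses `$this->session`, but no such property is declared on this class; the session object is only the local `$session` in the constructor, so calling `logout()` fatals with a method call on null. Store it in a private `$session` property (and guard the call, since it is only created when `$createSession` is true). Second, the freshness check `($this->elapsedTime < $this->allowedTimeWindow)` has no lower bound, and nothing binds the IdP response to the login request that triggered it (no one-time state value in `authreqissuer`), so a signed response the relying party has already accepted stays acceptable for the whole 300 s window; add `$this->elapsedTime >= 0` and, preferably, a per-login nonce echoed back inside the signed URL and compared on return. Third, `$this->webid` is populated from the query before the signature is checked and is not cleared in the failure branches (Authentication.php does null it), so a caller that reads `$auth->webid` without also calling `isAuthenticated()` receives an unverified value; set it to NULL wherever `isAuthenticated` is set to 0. Minor: the fallback `if ( ! $signature) $signature = $sig;` passes the raw base64url text to `openssl_verify`, which can never match, and `strtotime($ts)` returns false for a missing `ts`, which rejects the request only by accident (elapsed time becomes huge) and deserves an explicit check.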
--- /dev/null
+<?php
+
+/*-------------------------------------------------------------------------------------
+ *
+ * Filename : Authentication_Session.php
+ * Date : 11th July 2012
+ *
+ * Copyright (C) 2012 Melvin Carvalho, Akbar Hossain, László Török
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is furnished
+ * to do so, subject to the following conditions:
+
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Everything should be made as simple as possible, but no simpler."
+ * -- Albert Einstein
+ */
+//-------------------------------------------------------------------------------------
+/**
+ * Persist authentication information in the session storage
+ *
+ * @author Akbar Hossain
+ * @modified Andrei Sambra
+ */
+class Authentication_Session
+{
+
+ public $webid = NULL;
+ public $isAuthenticated = 0;
+
+ private $authnSession = NULL;
+
+ const IS_AUTHENTICATED = 'Authentication_isAuthenticated';
+ const WEBID = 'Authentication_webid';
+
+ /**
+ * Created authenticated session
+ * @param int $isAuthenticated
+ * @param string $webid
+ */
+ public function __construct($isAuthenticated = 0, $webid = NULL)
+ {
+ $this->authnSession = session_name();
+
+ if (isset($this->authnSession))
+ {
+ $this->isAuthenticated = isset($_SESSION[self::IS_AUTHENTICATED]) ?
+ $_SESSION[self::IS_AUTHENTICATED]:$isAuthenticated;
+
+ $this->webid = isset($_SESSION[self::WEBID]) ?
+ $_SESSION[self::WEBID]:$webid;
+ }
+ }
+
+ /**
+ * Set an authenticated webid
+ * @param mixed $webid
+ */
+ public function setAuthenticatedWebid($webid)
+ {
+ if ( ! is_null($webid))
+ {
+ $_SESSION[self::IS_AUTHENTICATED] = 1;
+ $_SESSION[self::WEBID] = $webid;
+
+ $this->isAuthenticated = 1;
+ $this->webid = $webid;
+ }
+ }
+
+ /**
+ * Unset authenticated webid for current session
+ */
+ public function unsetAuthenticatedWebid()
+ {
+ $_SESSION[self::IS_AUTHENTICATED] = 0;
+ $_SESSION[self::WEBID] = NULL;
+
+ $this->isAuthenticated = 0;
+ $this->webid = NULL;
+ }
+}
+
+?>
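Review bot: nothing here or in the callers calls `session_start()`, so `$_SESSION` is only populated when the host application started a session first; `session_name()` always returns a name (default `PHPSESSID`), so the `isset($this->authnSession)` guard is always true and does not detect that case. Either start the session in the constructor (`if (session_id() === '') session_start();`) or state the requirement in the README. Consider calling `session_regenerate_id(true)` inside `setAuthenticatedWebid()` so a session id chosen before login does not survive the change to an authenticated state (session fixation). The constructor docblock "Created authenticated session" should instead say that the object loads existing state from `$_SESSION` and only falls back to the `$isAuthenticated`/`$webid` arguments.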
--- /dev/null
+<?php
+/*-------------------------------------------------------------------------------------
+ *
+ * Filename : Authentication_URL.php
+ * Date : 11th July 2012
+ *
+ * Copyright (C) 2012 Melvin Carvalho, Akbar Hossain, László Török
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is furnished
+ * to do so, subject to the following conditions:
+
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Everything should be made as simple as possible, but no simpler."
+ * -- Albert Einstein
+ */
+//-------------------------------------------------------------------------------------
+
+/**
+ * Represents a valid Uniform Resource Locator
+ *
+ * @author László Török
+ * @modified Andrei Sambra
+ */
+class Authentication_URL
+{
+ public $scheme;
+ public $host;
+ public $port;
+ public $path;
+ public $parsedURL;
+ private $query = array();
+
+ /**
+ *
+ * @param string $URL_string String to parse
+ * @return Authentication_URL A valid Authentication_URL instance
+ * (or NULL on error)
+ */
+ public static function parse($URL_string)
+ {
+ $URL = new Authentication_URL();
+ $isOk = $URL->parseInternal($URL_string);
+ return $isOk ? $URL : NULL;
+ }
+ /**
+ * Returns query string parameter value by key
+ * @param string $key
+ * @param mixed $default
+ * @return mixed The required "value" (or $default if not found)
+ */
+ public function getQueryParameter($key,$default = NULL)
+ {
+ return isset($this->query[$key]) ? $this->query[$key] : $default;
+ }
+ /**
+ * Normalized URL serialization scheme://domain:port/path
+ * @return <type> Returns the parsed URL in a normalized form
+ */
+ public function __toString()
+ {
+ return $this->scheme.'://'.$this->host.':'.$this->port.$this->path;
+ }
+
+ protected function parseInternal($URL_string)
+ {
+ $URL_map = @parse_URL($URL_string);
+
+ if ( ! $URL_map
+ || ! $URL_map['host']
+ // some minimalistic sanitization
+ || ! preg_match('/[a-zA-Z0-9._-]*[a-zA-Z0-9]$/', $URL_map['host']))
+ {
+ return false;
+ }
+ $URL_map = array_map('trim', $URL_map);
+
+ $this->parsedURL = $URL_string;
+ $this->scheme = isset($URL_map['scheme']) ? $URL_map['scheme'] : 'http';
+ $this->host = $URL_map['host'];
+ $this->port = isset($URL_map['port']) ?
+ (int)$URL_map['port'] : ($this->scheme == 'https') ? 443 : 80;
+ $this->path = isset($URL_map['path']) ? $URL_map['path'] : '';
+ if (isset($URL_map['query']))
+ {
+ parse_str($URL_map['query'], $this->query);
+ }
+ if (!$this->query)
+ {
+ $this->query = array();
+ }
+
+ if ($this->path == '')
+ {
+ $this->path = '/';
+ }
+
+ $this->path .= isset($URL_map['query']) ? "?$URL_map[query]" : '';
+
+ isset($URL_map['fragment']) and $this->path .= '#'.$URL_map['fragment'];
+
+ return true;
+ }
+}
+
+/**
+ * Represents a special "signed" URL used in authentication scenarios
+ */
+class Authentication_SignedURL extends Authentication_URL
+{
+ /**
+ * Returns the digital signature string extracted from the signed URL
+ * @return string
+ */
+ public function digitalSignature()
+ {
+ $data = $this->getQueryParameter('sig');
+ return base64_decode(str_pad(strtr($data, '-_', '+/'),
+ strlen($data) % 4, '=', STR_PAD_RIGHT));
+ }
+ /**
+ * Returns the original parsed URL without the digital signature
+ * @return string
+ */
+ public function URLWithoutSignature()
+ {
+ $sig = $this->getQueryParameter('sig');
+
+ $encodedsig=urlencode(isset($sig) ? $sig : NULL);
+ $encodedsig='&sig='.$encodedsig;
+ $startofsig=strpos($this->parsedURL, $encodedsig);
+ $start=substr($this->parsedURL, 0, $startofsig);
+ return $start;
+ }
+ /**
+ * Parses the given URL string into a Authentication_SignedURL
+ * @param string $URL_string
+ * @return Authentication_SignedURL
+ */
+ public static function parse($URL_string)
+ {
+ $URL = new Authentication_SignedURL();
+ $isOk = $URL->parseInternal($URL_string);
+ return $isOk ? $URL : NULL;
+ }
+}
+
+?>
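Review bot: the port expression `isset($URL_map['port']) ? (int)$URL_map['port'] : ($this->scheme == 'https') ? 443 : 80;` is wrong in PHP, where unparenthesized nested ternaries associate left to right: it evaluates as `(isset(...) ? (int)port : (scheme == 'https')) ? 443 : 80`, so any explicit non-zero port (for example `:8080`) yields 443. Parenthesize the else branch: `: (($this->scheme == 'https') ? 443 : 80)`. In `digitalSignature()`, `str_pad`'s second argument is the target length, not the number of pad characters, so `strlen($data) % 4` never adds padding; it only works because non-strict `base64_decode` tolerates missing `=`. Use `strlen($data) + (4 - strlen($data) % 4) % 4`, and guard a missing `sig` (`strtr(NULL, ...)` raises a notice). In `parseInternal()`, `$URL_map['host']` is read before it is known to exist (notice on host-less input), and the sanitization regex `/[a-zA-Z0-9._-]*[a-zA-Z0-9]$/` is not anchored at the start, so it only constrains the final character; anchor it with `^`. `URLWithoutSignature()` assumes `&sig=` is present and is the last parameter: when `strpos` returns false, `substr(..., 0, false)` yields an empty string, which then fails verification without a clear diagnostic. (`@parse_URL` works because PHP function names are case-insensitive, but `parse_url` is the conventional spelling.)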
--- /dev/null
+<?php
+/*-------------------------------------------------------------------------------------
+ *
+ * Filename : Authentication_X509CertRepo.php
+ * Date : 11th July 2012
+ *
+ * Copyright (C) 2012 Melvin Carvalho, Akbar Hossain, László Török
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is furnished
+ * to do so, subject to the following conditions:
+
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Everything should be made as simple as possible, but no simpler."
+ * -- Albert Einstein
+ */
+//-------------------------------------------------------------------------------------
+
+
+/**
+ * An X509Certificate repository
+ *
+ */
+class Authentication_X509CertRepo
+{
+ const DEFAULT_IDP = 'foafssl.org';
+
+ private $IDPCertificates = array ( self::DEFAULT_IDP =>
+"-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhFboiwS5HzsQAAerGOj8
+Zk6qvEf2QVarlm+c1fxd6f3OoQ9ezib1LjXitw+z2xcLG8lzaTmKOU0jw7KZp6WL
+W6gqhAWj2BQ1Lkl9R7aAUpA3ypk52gik8u/5JiWpTt1EV99DP5XNzzQ/QVjkvBlj
+rY+1ZeM+XtKzGfbK7eWh583xn3AE6maprXfLAo3BjUWJOQe0VHGYgrBVOcRQrSQ6
+34/f+jk22tmYZRzdTT/ZCadeLd7NryIeJbEu0W105JYvKodawSM3/zjt4fXFIPyB
+z8vHHmHRd2syDWqUy46YVQfqCfUBdXkHbvVQBtAfvRGUhYbFQm926an6z9uRE5LC
+aQIDAQAB
+-----END PUBLIC KEY-----
+",
+ 'auth.my-profile.eu' =>
+"-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+"
+);
+ public function __construct(array $IDPCertificates = array())
+ {
+ $this->IDPCertificates =
+ array_merge($this->IDPCertificates, $IDPCertificates);
+ }
+
+ /**
+ * Get the Identity Provider's certificate
+ * @param string $IPDDomainName Identity Provider's domain name
+ * (e.g. foafssl.org)
+ * @return object requiested x509 certificate content
+ * (or the default IDP's certificate, if the requested is not found)
+ */
+ public function getIdpCertificate($IDPDomainName)
+ {
+ return isset($this->IDPCertificates[$IDPDomainName]) ?
+ $this->IDPCertificates[$IDPDomainName]
+ : $this->IDPCertificates[self::DEFAULT_IDP];
+ }
+}
+?>
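Review bot: `getIdpCertificate()` returns the default (foafssl.org) key for any unknown domain, so the `STATUS_IDP_CERTIFICATE_MISSING` branch in Authentication_Delegated.php is unreachable, and a response whose `referer` names an unconfigured host is verified against foafssl.org's key instead of being rejected. Returning NULL for unknown hosts fails closed and lets that diagnostic do its job; the docblock "(or the default IDP's certificate, if the requested is not found)" should change with it. The docblock parameter `$IPDDomainName` does not match `$IDPDomainName`, and "requiested" is a typo. Because the repository pins the IdPs' key material (the auth.my-profile.eu entry is a full certificate with an expiry, while the foafssl.org entry is a bare public key), the README should note that a rotated IdP certificate requires updating this file or passing a replacement through the constructor's `$IDPCertificates` array.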