Initial commit

697165fe · Julian · 697165fe · 697165fe · 697165fe · 697165fe
Commit 697165fe authored Feb 19, 2022 by Julian
--- a/action.php
+++ b/action.php
+<?php
+if(!defined('DOKU_INC')) die();
+class action_plugin_authuffd extends DokuWiki_Action_Plugin
+{
+	function register(Doku_Event_Handler $controller)
+	{
+		global $conf;
+		if($conf['authtype'] != 'authuffd')
+			return;
+		$conf['profileconfirm'] = false; /* password confirmation doesn't work with SSO users */
+		$controller->register_hook('HTML_LOGINFORM_OUTPUT', 'BEFORE', $this, 'handle_loginform');
+	}
+	function handle_loginform(Doku_Event &$event, $param)
+	{
+		$event->data->_content = array(
+			form_openfieldset(array('_legend' => 'Login with:', 'class' => 'plugin_authuffd')),
+			form_hidden(array('name' => 'oauth2_login', 'value' => '1')),
+			form_button(array('type' => 'submit', 'value' => htmlspecialchars($this->getConf('name')))),
+			form_closefieldset()
+		);
+	}
+	function handle_dologin(Doku_Event &$event, $param)
+	{
+		msg('handle_dologin');
+	}
+}
--- a/auth.php
+++ b/auth.php
+<?php
+use dokuwiki\HTTP\DokuHTTPClient;
+if(!defined('DOKU_INC')) die();
+class auth_plugin_authuffd extends DokuWiki_Auth_Plugin
+{
+	function __construct()
+	{
+		parent::__construct();
+		$this->cando['external'] = true;
+	}
+	private function getOAuth2RedirectURI()
+	{
+		if ($this->getConf('oauth2_redirect_uri') !== '')
+			return $this->getConf('oauth2_redirect_uri');
+		else
+			return DOKU_URL . DOKU_SCRIPT;
+	}
+	private function requestOAuth2AccessToken()
+	{
+		global $INPUT;
+		if (!isset($_SESSION[DOKU_COOKIE]['uffd-auth-state']))
+			return false;
+		if (!$INPUT->get->has('code'))
+			return false;
+		if ($INPUT->get->str('state', null) != $_SESSION[DOKU_COOKIE]['uffd-auth-state'])
+			return false;
+		unset($_SESSION[DOKU_COOKIE]['uffd-auth-state']);
+		$http = new DokuHTTPClient;
+		$http->keep_alive = false;
+		$http->user = $this->getConf('oauth2_client_id');
+		$http->pass = $this->getConf('oauth2_client_secret');
+		$params = array(
+			'grant_type' => 'authorization_code',
+			'code' => $INPUT->get->str('code'),
+			'redirect_uri' => $this->getOAuth2RedirectURI()
+		);
+		$ok = $http->get($this->getConf('baseurl') . '/oauth2/token?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986));
+		if (!$ok || $http->status != 200)
+			return false;
+		return json_decode($http->resp_body)->access_token;
+	}
+	/* This is essentially a copy of auth_logoff but without the final call to $auth->logOff so logOff is only called for user-initiated logouts. */
+	private function clearSession($keepbc = false)
+	{
+		global $conf;
+		global $USERINFO;
+		global $auth;
+		global $INPUT;
+		// make sure the session is writable (it usually is)
+		@session_start();
+		if(isset($_SESSION[DOKU_COOKIE]['auth']))
+			unset($_SESSION[DOKU_COOKIE]['auth']);
+		if (isset($_SESSION[DOKU_COOKIE]['uffd-auth-state']))
+			unset($_SESSION[DOKU_COOKIE]['uffd-auth-state']);
+		if (isset($_SESSION[DOKU_COOKIE]['uffd-auth-redirect']))
+			unset($_SESSION[DOKU_COOKIE]['uffd-auth-redirect']);
+		if (isset($_SESSION[DOKU_COOKIE]['auth']))
+			unset($_SESSION[DOKU_COOKIE]['auth']);
+		if(!$keepbc && isset($_SESSION[DOKU_COOKIE]['bc']))
+			unset($_SESSION[DOKU_COOKIE]['bc']);
+		$INPUT->server->remove('REMOTE_USER');
+		$USERINFO = null;
+		$cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
+		setcookie(DOKU_COOKIE, '', time() - 600000, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
+	}
+	function trustExternal($user, $pass, $sticky = false)
+	{
+		global $USERINFO, $INPUT, $conf;
+		if (!empty($_SESSION[DOKU_COOKIE]['auth']) && $_SESSION[DOKU_COOKIE]['auth']['time'] < time() - $conf['auth_security_timeout'])
+			$this->clearSession();
+		if (!empty($_SESSION[DOKU_COOKIE]['auth']))
+		{
+			$USERINFO['name'] = $_SESSION[DOKU_COOKIE]['auth']['info']['name'];
+			$USERINFO['mail'] = $_SESSION[DOKU_COOKIE]['auth']['info']['mail'];
+			$USERINFO['grps'] = $_SESSION[DOKU_COOKIE]['auth']['info']['grps'];
+			$_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user'];
+			return true;
+		}
+		$access_token = $this->requestOAuth2AccessToken();
+		if ($access_token)
+		{
+			$http = new DokuHTTPClient;
+			$http->keep_alive = false;
+			$http->headers['Authorization'] = 'Bearer ' . $access_token;
+			$ok = $http->get($this->getConf('baseurl') . '/oauth2/userinfo');
+			if (!$ok || $http->status != 200)
+			{
+				msg('OAuth2 login failed');
+				$this->clearSession();
+				return false;
+			}
+			$data = json_decode($http->resp_body);
+			$USERINFO['name'] = $_SESSION[DOKU_COOKIE]['auth']['info']['name'] = $data->name;
+			$USERINFO['mail'] = $_SESSION[DOKU_COOKIE]['auth']['info']['mail'] = $data->email;
+			$USERINFO['grps'] = $_SESSION[DOKU_COOKIE]['auth']['info']['grps'] = $data->groups;
+			$_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user'] = $data->nickname;
+			$_SESSION[DOKU_COOKIE]['auth']['time'] = time();
+			$uri = $_SESSION[DOKU_COOKIE]['uffd-auth-redirect'];
+			unset($_SESSION[DOKU_COOKIE]['uffd-auth-redirect']);
+			send_redirect($uri);
+			return true; /* never reached */
+		}
+		if ($INPUT->has('oauth2_login'))
+		{
+			$state = bin2hex(random_bytes(8));
+			$_SESSION[DOKU_COOKIE]['uffd-auth-state'] = $state;
+			$_SESSION[DOKU_COOKIE]['uffd-auth-redirect'] = $_SERVER['REQUEST_URI'];
+			$params = array(
+				'response_type' => 'code',
+				'client_id' => $this->getConf('oauth2_client_id'),
+				'redirect_uri' => $this->getOAuth2RedirectURI(),
+				'scope' => 'profile',
+				'state' => $state
+			);
+			send_redirect($this->getConf('baseurl') . '/oauth2/authorize?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986));
+			return false; /* never reached */
+		}
+		$this->clearSession();
+		return false;
+	}
+	function logOff()
+	{
+		$this->clearSession();
+		send_redirect($this->getConf('baseurl') . '/logout');
+	}
+	function getUserData($user, $requireGroups = true)
+	{
+		if ($_SESSION[DOKU_COOKIE]['auth']['user'] == $user)
+			return $_SESSION[DOKU_COOKIE]['auth']['info'];
+		$http = new DokuHTTPClient;
+		$http->keep_alive = false;
+		$http->user = $this->getConf('api_username');
+		$http->pass = $this->getConf('api_password');
+		$params = array(
+			'loginname' => $user
+		);
+		$ok = $http->get($this->getConf('baseurl') . '/api/v1/getusers?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986));
+		if (!$ok || $http->status != 200)
+			return false;
+		$results = json_decode($http->resp_body);
+		if (!$results)
+			return false;
+		return array(
+			'name' => $results[0]->displayname,
+			'mail' => $results[0]->email,
+			'grps' => $results[0]->groups,
+		);
+	}
+}
--- a/conf/default.php
+++ b/conf/default.php
+<?php
+$conf['name'] = 'uffd';
+$conf['baseurl'] = '';
+$conf['oauth2_client_id'] = '';
+$conf['oauth2_client_secret'] = '';
+$conf['oauth2_redirect_uri'] = '';
+$conf['api_username'] = '';
+$conf['api_password'] = '';
--- a/conf/metadata.php
+++ b/conf/metadata.php
+<?php
+$meta['name'] = array('string');
+$meta['baseurl'] = array('string','_caution' => 'danger');
+$meta['oauth2_client_id'] = array('string','_caution' => 'danger');
+$meta['oauth2_client_secret'] = array('password','_caution' => 'danger');
+$meta['oauth2_redirect_uri'] = array('string','_caution' => 'danger');
+$meta['api_username'] = array('string','_caution' => 'danger');
+$meta['api_password'] = array('password','_caution' => 'danger');
--- a/plugin.info.txt
+++ b/plugin.info.txt
+base   authuffd
+author Julian Rother
+email  julian@cccv.de
+date   2022-02-19
+name   Authentication with Uffd
+desc   Auth plugin for login via uffd
+url    https://git.cccv.de/uffd/dokuwiki-plugin-authuffd