papi-icgpoa
changeset 0:532bf969e2f9 tip
First commit
| author | kan |
|---|---|
| date | Sun Jul 18 18:55:34 2010 +0200 (22 months ago) |
| parents | |
| children | |
| files | build.sh dist/icgpoa-form.tar.gz dist/icgpoa-simple.tar.gz www/backend.php www/config.php www/html/error.php www/html/login.php www/html/wayf.css www/icgpoa.php www/index-login.php www/index-simple.php www/util.php |
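--- /dev/null
+++ b/build.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+mkdir temp
+cd temp
+mkdir icgpoa-simple
+mkdir icgpoa-form
+cd icgpoa-simple
+cp -r ../../www/* .
+rm index-login.php
+rm -rf html
+mv index-simple.php index.php
+cd ..
+tar -czvf ../dist/icgpoa-simple.tar.gz icgpoa-simple
+cd icgpoa-form
+cp -r ../../www/* .
+rm index-simple.php
+mv index-login.php index.php
+cd ..
+tar -czvf ../dist/icgpoa-form.tar.gz icgpoa-form
+cd ..
+rm -rf temp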
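Review bot: The script runs without `set -e`, so a failed `mkdir temp` or `cd temp` does not stop it and the following `cp`, `rm` and `tar` steps run in whatever directory the shell is left in; adding `set -eu` directly under `#!/bin/sh` makes it abort at the first failure. Note also that `cp -r ../../www/* .` packs www/config.php, which holds the RSA private key, into both dist tarballs; if that key is meant to be a per-deployment secret, the build should ship a template config instead.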
2.1 Binary file dist/icgpoa-form.tar.gz has changed
3.1 Binary file dist/icgpoa-simple.tar.gz has changed
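--- /dev/null
+++ b/www/backend.php
@@ -0,0 +1,44 @@
+<?php
+// Copyright (c) 2010, PRiSE. All Rights Reserved.
+// Based on the icGPoA developed by RedIRIS.
+//
+// You may distribute under the terms of the GNU General Public License,
+// as specified in the LICENSE file that was shipped with this distribution
+
+function papi_icgpoa_auth_user($username, $password) {
+ return false;
+}
+
+function papi_icgpoa_username() {
+ return $_REQUEST["username"];
+}
+
+function papi_icgpoa_attrlist($userid, $papiopoa = '') {
+ if (preg_match("/http(s)?:\/\/www\.rediris\.es\/SIRGPoA\/(.*)/", $papiopoa)) {
+ // Atributos requeridos por el SIR
+ $res = array(
+ 'ePTI' => array(
+ sha1($userid."SIR"),
+ ),
+ 'sHO' => array(
+ "example.org",
+ ),
+ 'ePE' => array(
+ "a:b",
+ "b:c",
+ ),
+ );
+ }
+ else {
+ // Atributos por defecto a enviar si no sabemos que papiopoa era
+ $res = array(
+ 'ePTI' => array(
+ sha1($userid."SIR"),
+ ),
+ );
+ }
+
+ return $res;
+}
+
+?>
\ No newline at end of file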
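Review bot: The `preg_match` in papi_icgpoa_attrlist is unanchored, so any `$papiopoa` that merely contains `http://www.rediris.es/SIRGPoA/` somewhere (for instance as a query parameter of another host's URL) selects the SIR attribute set, and `$papiopoa` is taken from `$_REQUEST["PAPIOPOA"]` in icgpoa.php, so it is caller-chosen. Anchoring the pattern, `"/^https?:\/\/www\.rediris\.es\/SIRGPoA\//"`, limits it to URLs that actually start with that prefix. Separately, papi_icgpoa_username returns `$_REQUEST["username"]` without checking the key exists; `return isset($_REQUEST["username"]) ? $_REQUEST["username"] : "";` avoids the undefined-index notice, though returning a request-supplied identity from a backend stub is something the deployment notes should explain.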
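--- /dev/null
+++ b/www/config.php
@@ -0,0 +1,45 @@
+<?php
+//
+// Clave privada
+$ICGPOA_PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDAe/nHUsgM+kH7MQjv8J5X6P+HokVM0wBl4i0nx6cevP2KCGvL
+OnjcaG58g02aMkshSdi2ro+A59KKB1O+fAxylFbN72Ozuia8DnFbdStrd1UafLGI
+uXnD6/5dfrLFj5IbBUKup/VdgV5B7rW8uUDFskFW8hypnYGjD+NY8DTznwIDAQAB
+AoGAWpV9lPo2PzU++/G1nQWF3yU9rB0HtAHQvCHW0lO5KFQUlXMlF30rB7710A8S
+5DAq/z17iW1ZB3cRs/eCx7AlQqy7khHpersKNV0uPahw8LQee3gpemFFB1i8UceY
+5ZowNyPxTmqBLEp3jOPc+Or26MS/hN7NlTNyFtcKuWcm/FECQQD3Mr05fyBHOnuT
+4+uezjVz4tPP9Qkwwoo/GIKur+rNkpUi12C8BIolSz/l1yHg6IlGRLNlZt1G6gcs
+/3WDZJwFAkEAx1aCHU14gGlVyFSKBxUSPyY/g7VBeWotGA70Mh2r3kmNHv3WDJ1I
+utlkYd4EcWNpGOXVJmViWcCTwlb6RMlGUwJBAIrNO8EQJ9C2/vLQtNnL0enLQMHx
+RgLSCYxaN+7cqoxZtVIF+7Q3HFbKhQuKm+RMzd/d7ZmPg8ow2Gyk2Jg5ov0CQEcr
+rOMXcOmwMi+Hd4yVymD/n/e/dHQMI7OOS0PFckK4Ugl5qb3xPjFwQrXqlf2B99kq
+3hKKajYPWvItKcf7cP8CQQDndl8yPPMRsYzH9kpq9uYNEWPAhxiX9cd3em8OxKKj
+YOqq2O2QoZfIw+cXwxU9ek6Bvzd2D439BKsYR+fsAiW1
+-----END RSA PRIVATE KEY-----";
+//
+// Clave pública (como referencia)
+$ICGPOA_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAe/nHUsgM+kH7MQjv8J5X6P+H
+okVM0wBl4i0nx6cevP2KCGvLOnjcaG58g02aMkshSdi2ro+A59KKB1O+fAxylFbN
+72Ozuia8DnFbdStrd1UafLGIuXnD6/5dfrLFj5IbBUKup/VdgV5B7rW8uUDFskFW
+8hypnYGjD+NY8DTznwIDAQAB
+-----END PUBLIC KEY-----";
+//
+// Identificador PAPI en las aserciones
+$ICGPOA_AS_ID = "orgIdAS";
+//
+// PoAs admitidos de los mensajes recibidos (regex)
+$ICGPOA_ACCEPTED_POAS = array(
+ "(.*?)rediris.es",
+ "(.*?)prise.es",
+);
+//
+// Tiempo de vida en milisegundos de la aserción
+$ICGPOA_TTL = 3600;
+//
+// Fichero de log (Sin especificar envía al log de error del servidor web)
+$ICGPOA_LOG = "";
+//
+// Tamaño de la clave privada en bits (0 para autodetectar si PHP >= 5.2.0)
+$ICGPOA_KEY_SIZE = 0;
+?>
\ No newline at end of file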
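Review bot: The `$ICGPOA_ACCEPTED_POAS` patterns are matched unanchored against the whole request URL in icgpoa.php and their dots are unescaped, so `(.*?)rediris.es` also accepts `http://rediris.es.example.net/` and `http://example.net/?x=rediris-es`; an anchored, escaped form that keeps the `/` delimiter used by the matcher, e.g. `"^https?:\\/\\/([a-z0-9-]+\\.)*rediris\\.es(\\/|:|$)"`, restricts it to the intended host. The comment on `$ICGPOA_TTL` says milliseconds, but icgpoa.php adds the value to `time()`, which is seconds, so it should read `// Tiempo de vida en segundos de la aserción`. Shipping a private key inside the config file that build.sh packs into the distributed tarballs is also worth revisiting: this key should be regarded as public and regenerated per deployment, and the modulus appears to be 1024-bit, which is below current recommendations.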
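--- /dev/null
+++ b/www/html/error.php
@@ -0,0 +1,28 @@
+<?php
+// Copyright (c) 2010, PRiSE. All Rights Reserved.
+// Based on the icGPoA developed by RedIRIS.
+//
+// You may distribute under the terms of the GNU General Public License,
+// as specified in the LICENSE file that was shipped with this distribution
+
+function papi_icgpoa_error_page($msg) {
+ ?>
+<html>
+ <head>
+ <title>PAPI - icGPoA - Login</title>
+ <link rel="stylesheet" type="text/css" href="html/wayf.css" />
+ </head>
+ <body>
+ <div id="content">
+ <div id="title">Error</div>
+ <div id="text">
+ <p> </p>
+ <p><?php echo $msg; ?></p>
+ <p> </p>
+ </div>
+ </div>
+ </body>
+</html>
+<?php
+}
+?>
\ No newline at end of file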
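Review bot: `<?php echo $msg; ?>` writes the message into the page with no HTML escaping; the only caller in this changeset (index-login.php) passes a constant string, but this is a general-purpose error page and the first caller that forwards a request value into it produces a reflected XSS. Use `<p><?php echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'); ?></p>`. Minor: the `<title>` still reads "Login" on the error page.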
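--- /dev/null
+++ b/www/html/login.php
@@ -0,0 +1,48 @@
+<?php
+// Copyright (c) 2010, PRiSE. All Rights Reserved.
+// Based on the icGPoA developed by RedIRIS.
+//
+// You may distribute under the terms of the GNU General Public License,
+// as specified in the LICENSE file that was shipped with this distribution
+
+function papi_icgpoa_login_page() {
+ ?>
+<html>
+ <head>
+ <title>PAPI - icGPoA - Login</title>
+ <link rel="stylesheet" type="text/css" href="html/wayf.css" />
+ </head>
+ <body>
+ <div id="content">
+ <div id="title">Login</div>
+ <div id="text">Please, write your username and password.</div>
+ <form action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="post" >
+ <?php
+ foreach ($_REQUEST as $name => $value) {
+ ?>
+ <input type="hidden" name="<?php echo $name; ?>" value="<?php echo $value; ?>" />
+ <?php
+ }
+ ?>
+ <div class="row">
+ <div class="rowtitle">Username:</div>
+ <div class="rowvalue">
+ <input class="formatted" type="text" name="username" />
+ </div>
+ </div>
+ <div class="row">
+ <div class="rowtitle">Password:</div>
+ <div class="rowvalue">
+ <input class="formatted" type="password" name="password" />
+ </div>
+ </div>
+ <div class="centerrow">
+ <input type="submit" name="submit" value="Accept" />
+ </div>
+ </form>
+ </div>
+ </body>
+</html>
+<?php
+}
+?>
\ No newline at end of file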
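Review bot: The hidden-field loop echoes every `$_REQUEST` key and value raw into attribute context (`name="<?php echo $name; ?>" value="<?php echo $value; ?>"`), so a link such as `?URL="><script>...` reflects into the login page: a reflected XSS on the authentication form itself. Escape both sides: `<input type="hidden" name="<?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?>" value="<?php echo htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); ?>" />`. Array-valued parameters (`foo[]=...`) would print as `Array` in this loop and should be skipped or flattened, and `$_SERVER['SCRIPT_NAME']` in the form action deserves the same escaping.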
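--- /dev/null
+++ b/www/html/wayf.css
@@ -0,0 +1,55 @@
+html, body {
+ font-family:verdana, arial, helvetica, sans-serif;
+ font:12px/16px verdana, arial, helvetica, sans-serif;
+ margin: 0;
+ padding: 0;
+ height:100%;
+ color: #111;
+ background-color: #fff;
+}
+
+body {
+ text-align: center;
+}
+
+div#content {
+ border: 1px solid black;
+ padding: 1em;
+ width: 500px;
+ background: #eee;
+ margin:10em auto 0 auto;
+ text-align: left;
+}
+
+div#title {
+ font-size: 120%;
+ border-bottom: 1px solid black;
+ font-weight: bold;
+}
+
+div#text {
+ margin-top: 1em;
+}
+
+div.row {
+ position: relative;
+ padding: 1em;
+}
+
+div.centerrow {
+ margin-top: 1em;
+ text-align: center;
+}
+
+div.rowtitle {
+ position: absolute;
+}
+
+div.rowvalue {
+ margin-left: 12em;
+}
+
+input.formatted {
+ border: 1px solid #000;
+ width: 20em;
+}
\ No newline at end of file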
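--- /dev/null
+++ b/www/icgpoa.php
@@ -0,0 +1,85 @@
+<?php
+// Copyright (c) 2010, PRiSE. All Rights Reserved.
+// Based on the icGPoA developed by RedIRIS.
+//
+// You may distribute under the terms of the GNU General Public License,
+// as specified in the LICENSE file that was shipped with this distribution
+
+require_once("config.php");
+require_once("util.php");
+require_once("backend.php");
+
+function papi_icgpoa_core() {
+ global $ICGPOA_KEY_SIZE, $ICGPOA_TTL, $ICGPOA_ACCEPTED_POAS, $ICGPOA_AS_ID, $ICGPOA_PRIVATE_KEY;
+ //
+ // Comprobaciones sobre la peticion PAPIv1
+ //
+ if (!isset($_REQUEST["ACTION"]) && !isset($_REQUEST["ATTREQ"])) {
+ error("Unknown request. Use the PAPI 1.0 protocol");
+ }
+ if (isset($_REQUEST["ACTION"]) && ($_REQUEST["ACTION"] != "CHECK" || !isset($_REQUEST["DATA"]) || !isset($_REQUEST["URL"]))) {
+ error("Unknown request. Use the PAPI 1.0 protocol");
+ }
+ if (isset($_REQUEST["ATTREQ"]) && (!isset($_REQUEST["PAPIPOAREF"]) || !isset($_REQUEST["PAPIPOAURL"]))) {
+ error("Unknown request. Use the PAPI 1.0 protocol");
+ }
+ if (isset($_REQUEST["ACTION"])) {
+ $theURL = $_REQUEST["URL"];
+ $theRef = $_REQUEST["DATA"];
+ }
+ else {
+ $theURL = $_REQUEST["PAPIPOAURL"];
+ $theRef = $_REQUEST["PAPIPOAREF"];
+ }
+ //
+ // Comprobaciones sobre los dominios permitidos a enviarle una peticion PAPIv1
+ //
+ $valid = false;
+ foreach ($ICGPOA_ACCEPTED_POAS as $poa) {
+ $valid |= preg_match("/".$poa."/", $theURL);
+ }
+ if ($valid == false) {
+ error("No matching PoA found");
+ }
+ //
+ // Obtiene la URL del PoA que inició la cadena de mensajes PAPI
+ //
+ $papiopoa = $theURL;
+ if (isset($_REQUEST["PAPIOPOA"])) {
+ $papiopoa = $_REQUEST["PAPIOPOA"];
+ }
+ //
+ // Genera la aserción del usuario y la encripta con la clave privada
+ //
+ $userid = papi_icgpoa_username();
+ $list_attrs = papi_icgpoa_attrlist($userid, $papiopoa);
+ $attrs = array();
+ foreach ($list_attrs as $nameattr => $values) {
+ $parsedvalues = implode("|", $values);
+ $attrs[] = $nameattr."=".$parsedvalues;
+ }
+ $attributes = implode(",",$attrs);
+ $assertion = $attributes."@".$ICGPOA_AS_ID;
+ $now = time();
+ $ext = $now + $ICGPOA_TTL;
+ $reply = $assertion . ":" . $ext . ":" . $now . ":" . $theRef;
+ $safe = encrypt_private_key($reply, $ICGPOA_PRIVATE_KEY, $ICGPOA_KEY_SIZE);
+ //
+ // Construye mensaje de respuesta conforme a protocolo PAPIv1
+ //
+ if (strpos($theURL, "?")) {
+ $redirectTo = $theURL . "&";
+ } else {
+ $redirectTo = $theURL . "?";
+ }
+ if (isset($_REQUEST["ACTION"])) {
+ $redirectTo .= "ACTION=CHECKED" . "&" . "DATA=" . urlencode($safe);
+ doLog("GPoA response to " . $theURL . ": " . $reply);
+ }
+ else {
+ $redirectTo .= "AS=" . $ICGPOA_AS_ID . "&ACTION=CHECKED" . "&" . "DATA=" . urlencode($safe);
+ doLog("AS response to " . $theURL . ": " . $reply);
+ }
+ header("Location: $redirectTo");
+}
+?>
\ No newline at end of file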
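Review bot: The accepted-PoA check runs each configured pattern unanchored over the whole `$theURL`, which comes straight from the request (`URL` or `PAPIPOAURL`), so `http://attacker.example/?rediris.es` passes the check and the `Location:` redirect then hands the signed assertion to the attacker's host. Matching the patterns against the URL's host component, anchored at both ends, closes that hole; the configured patterns (`(.*?)rediris.es`) still need their dots escaped. `$_REQUEST["PAPIOPOA"]` is likewise forwarded unchecked to papi_icgpoa_attrlist, `strpos($theURL, "?")` is tested for truthiness rather than `!== false`, and the `header("Location: ...")` is not followed by `exit`, so the function depends on its caller ending the script.
```php
    // … unchanged: PAPIv1 request validation, $theURL / $theRef selection …
    $host = parse_url($theURL, PHP_URL_HOST);
    $valid = false;
    if (is_string($host) && $host !== "") {
        foreach ($ICGPOA_ACCEPTED_POAS as $poa) {
            if (preg_match("/^" . $poa . "$/i", $host)) {
                $valid = true;
                break;
            }
        }
    }
    if ($valid == false) {
        error("No matching PoA found");
    }
    // … unchanged: assertion construction and redirect …
```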
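--- /dev/null
+++ b/www/index-login.php
@@ -0,0 +1,25 @@
+<?php
+// Copyright (c) 2010, PRiSE. All Rights Reserved.
+// Based on the icGPoA developed by RedIRIS.
+//
+// You may distribute under the terms of the GNU General Public License,
+// as specified in the LICENSE file that was shipped with this distribution
+
+require_once("config.php");
+require_once("icgpoa.php");
+require_once("html/login.php");
+require_once("html/error.php");
+
+if (!array_key_exists("username", $_REQUEST)||!array_key_exists("password", $_REQUEST)) {
+ papi_icgpoa_login_page();
+}
+else {
+ $res = papi_icgpoa_auth_user($_REQUEST["username"], $_REQUEST["password"]);
+ if ($res == true) {
+ papi_icgpoa_core();
+ }
+ else {
+ papi_icgpoa_error_page("Username and/or password are invalid.");
+ }
+}
+?>
\ No newline at end of file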
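Review bot: The credentials are read from `$_REQUEST`, so a username and password supplied in the query string of a GET are accepted and land in web-server, proxy and browser-history logs; the form in html/login.php posts, so `$_POST` is sufficient: `if (!isset($_POST["username"], $_POST["password"])) {` and `$res = papi_icgpoa_auth_user($_POST["username"], $_POST["password"]);`. `if ($res == true)` should be `=== true` so that a truthy non-boolean return from a future backend (a user-record array, the string "0") is not misread. As shipped, papi_icgpoa_auth_user in backend.php returns `false` unconditionally, so this variant cannot authenticate anyone until that stub is implemented; a comment here saying so would spare the next reader some confusion.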
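--- /dev/null
+++ b/www/index-simple.php
@@ -0,0 +1,12 @@
+<?php
+// Copyright (c) 2010, PRiSE. All Rights Reserved.
+// Based on the icGPoA developed by RedIRIS.
+//
+// You may distribute under the terms of the GNU General Public License,
+// as specified in the LICENSE file that was shipped with this distribution
+
+require_once("config.php");
+require_once("icgpoa.php");
+
+papi_icgpoa_core();
+?>
\ No newline at end of file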
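Review bot: This entry point calls papi_icgpoa_core() with no authentication step, and papi_icgpoa_username() in backend.php returns `$_REQUEST["username"]`, so as shipped anyone who can reach the script obtains a signed assertion for an arbitrary username and has it redirected to a PoA. If the intent is that the web server authenticates first (Basic auth, a Shibboleth SP, or similar populating `REMOTE_USER`), that precondition should be enforced here, e.g. `if (empty($_SERVER['REMOTE_USER'])) { error("Not authenticated"); }` before the core call, and the backend should take the identity from `$_SERVER` rather than from the request. Either way a header comment stating the deployment assumption is needed.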
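--- /dev/null
+++ b/www/util.php
@@ -0,0 +1,69 @@
+<?php
+// Copyright (c) 2010, PRiSE. All Rights Reserved.
+// Based on the icGPoA developed by RedIRIS.
+//
+// You may distribute under the terms of the GNU General Public License,
+// as specified in the LICENSE file that was shipped with this distribution
+
+// Constant for encrypt and decrypt data with openssl
+define('PADDINGSIZE', 11);
+
+function encrypt_private_key($in, $key, $key_bits = 0) {
+// Get the byte size of data string
+ $inputSize = strlen($in);
+
+ // Get details of the key
+ $res = openssl_get_privatekey($key);
+ if ($key_bits==0) {
+ $key_details = openssl_pkey_get_details($res);
+ }
+ else {
+ $key_details=array('bits' => $key_bits);
+ }
+
+ // Get the output block maximun size in Bytes
+ $outputBlockSize = $key_details['bits']/8;
+
+ // Total number of blocks
+ $inputBlockSize = $outputBlockSize - PADDINGSIZE;
+ $numBlocks = ceil($inputSize/$inputBlockSize);
+
+ // Start to encrypt.
+ $blockCount = 0;
+ $cryptBuffer = array();
+
+ while ($blockCount < $numBlocks) {
+ $index = $blockCount * $inputBlockSize;
+ $block = substr($in, $index, $inputBlockSize);
+ openssl_private_encrypt($block, $crypttext, $key);
+ $cryptBuffer[$blockCount] = $crypttext;
+ $blockCount++;
+ }
+ // Now joint the array with the blocks string encripted
+ $cryptData = join("", $cryptBuffer);
+
+ $base64CryptData = base64_encode($cryptData);
+
+ // Return the encrypted, joined and base64 encode data string.
+ return $base64CryptData;
+}
+
+function error($msg) {
+ doLog($msg);
+ header("HTTP/1.0 500 Server error: $msg");
+ exit();
+}
+
+function doLog($msg) {
+ global $ICGPOA_LOG, $ICGPOA_AS_ID;
+
+ $emsg = @date("d-M-Y H:i:s") . ", " . $asId . ": " . $msg . "\n";
+ if ($ICGPOA_LOG == "") {
+ error_log($emsg);
+ }
+ else if ($ICGPOA_LOG != "/dev/null") {
+ error_log($emsg, 3, $ICGPOA_LOG);
+ }
+}
+
+?>
\ No newline at end of file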
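Review bot: `doLog` builds its line from `$asId`, a variable that is never assigned, although the function declares `global $ICGPOA_AS_ID`; every log entry therefore carries an empty AS identifier (plus a notice under E_NOTICE), and the line should be `$emsg = @date("d-M-Y H:i:s") . ", " . $ICGPOA_AS_ID . ": " . $msg . "\n";`. In encrypt_private_key the results of `openssl_get_privatekey` and `openssl_private_encrypt` are ignored, so an unparsable key or a failing block leaves `$crypttext` unset or stale and a truncated, unverifiable assertion is still sent to the PoA; `if (!openssl_private_encrypt($block, $crypttext, $key)) { error("Assertion signing failed"); }` fails closed, and `openssl_pkey_get_details` returning `false` should be treated the same way rather than yielding a zero block size. `error()` also interpolates the caller-supplied `$msg` into the HTTP status line; a fixed reason phrase with the detail kept in the log is the safer shape.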
