Changeset 1012287
- Timestamp:
- 10/22/2014 06:00:33 PM (11 years ago)
- Location:
- openam-authentication/trunk
- Files:
-
- 3 edited
-
README.md (modified) (3 diffs)
-
README.txt (modified) (3 diffs)
-
openam-rest.php (modified) (21 diffs)
openam-authentication/trunk/README.md
r986438 r1012287 9 9 <tr><td>Requires at least:</td><td> 3.9</td></tr> 10 10 <tr><td>Tested up to:</td><td> 3.9.2</td></tr> 11 <tr><td>Stable tag:</td><td>1. 0.1</td></tr>11 <tr><td>Stable tag:</td><td>1.1</td></tr> 12 12 <tr><td>License:</td><td> CDDLv1.0</td></tr> 13 13 <tr><td>License URL</td><td>http://forgerock.org/projects/cddlv1-0/</td></tr> … … 39 39 <dd> 40 40 <ol> 41 <li>An OpenAM server up and running. It can be installed anywhere, as long as Wordpress can reach it. The OpenAM requires certain APIs, hence OpenAM 11.0 and above is required. 42 <li>Your wordpress installation up and running. This plug-in was written and tested for Wordpress 3.9.2, but it might work with previous versions. 41 <li>An OpenAM server up and running. It can be installed anywhere, as long as Wordpress can reach it. The OpenAM requires certain APIs, hence OpenAM 10.X and above is required. 42 <li> For versions of OpenAM 11.0 and older, the Legacy API mode will need to be enabled in the plugin 43 <li>Your wordpress installation up and running. This plug-in was written and tested for Wordpress 3.9.2 and 4.0.0 but it might work with previous versions. 43 44 </ol> 44 45 <dt> … … 83 84 <dt> 84 85 1.0 86 <dd>First release in Wordpress plugins 87 <dt>1.0.1 85 88 <dd> 86 First release in Wordpress plugins repository 89 Updated user access to use roles and not levels 87 90 <dt> 88 1.0.1 89 <dd>Updated user access to use roles and not levels 91 1.1 92 <dd>Introduced the Legacy REST API mode to support OpenAM versions older than 11.0 93 <dd>An option to enable debugging and specify the name of the debug file was introduced 90 94 </dl> -
openam-authentication/trunk/README.txt
r986438 r1012287 5 5 Requires at least: 3.9 6 6 Tested up to: 3.9.2 7 Stable tag: 1. 0.17 Stable tag: 1.1 8 8 License: CDDLv1.0 9 9 License URI: http://forgerock.org/projects/cddlv1-0/ … … 18 18 == Contributing == 19 19 The easiest way to contribute to this plugin is to submit a GitHub pull request. Here's the repo: 20 https://github.com/forgerock1/openam- wordpress-plugin20 https://github.com/forgerock1/openam-authentication 21 21 22 22 … … 68 68 = 1.0 = 69 69 First release in Wordpress plugins 70 70 71 = 1.0.1 = 71 72 Updated user access to use roles and not levels 72 73 = 1.1 = 74 Introduced the Legacy REST API mode to support OpenAM versions older than 11.0 75 An option to enable debugging and specify the name of the debug file was introduced -
openam-authentication/trunk/openam-rest.php
r986438 r1012287 34 34 // OpenAM General configuration parameters 35 35 add_option( 'openam_rest_enabled', 0 ); 36 add_option( 'openam_legacy_apis_enabled', 0 ); 36 37 add_option( 'openam_cookie_name', 'iPlanetDirectoryPro' ); 37 38 add_option( 'openam_base_url', 'https://openam.example.com:443/openam' ); … … 41 42 add_option( 'openam_logout_too', 0); 42 43 add_option( 'openam_wordpress_attributes', 'uid,mail' ); 43 add_option( 'openam_do_redirect', 0); 44 add_option( 'openam_do_redirect', 0); 45 add_option( 'openam_debug_enabled', 0); 46 add_option( 'openam_debug_file', '/Users/victor/logFile'); 44 47 45 48 // Constants 46 49 // OpenAM General Configuration parameters 47 50 define( 'OPENAM_REST_ENABLED', get_option( 'openam_rest_enabled' ) ); 51 define( 'OPENAM_LEGACY_APIS_ENABLED', get_option( 'openam_legacy_apis_enabled' ) ); 48 52 define( 'OPENAM_COOKIE_NAME', get_option( 'openam_cookie_name' ) ); 49 53 define( 'OPENAM_BASE_URL', get_option( 'openam_base_url' ) ); … … 54 58 define( 'OPENAM_LOGOUT_TOO', get_option( 'openam_logout_too' ) ); 55 59 define( 'OPENAM_DO_REDIRECT', get_option( 'openam_do_redirect' ) ); 60 define( 'OPENAM_DEBUG_ENABLED', get_option( 'openam_debug_enabled' ) ); 61 define( 'OPENAM_DEBUG_FILE', get_option( 'openam_debug_file' ) ); 56 62 57 63 // OpenAM API endpoints … … 59 65 define( 'OPENAM_ATTRIBUTES_URI', '/json/users/' ); 60 66 define( 'OPENAM_SESSION_URI', '/json/sessions/' ); 67 68 // Legacy 69 define( 'OPENAM_LEGACY_AUTHN_URI', '/identity/json/authenticate' ); 70 define( 'OPENAM_LEGACY_ATTRIBUTES_URI', '/identity/json/attributes' ); 71 define( 'OPENAM_LEGACY_SESSION_VALIDATION', '/identity/json/isTokenValid' ); 72 define( 'OPENAM_LEGACY_SESSION_LOGOUT', '/identity/logout' ); 61 73 62 74 // Other constants … … 75 87 $tokenId = $_COOKIE[OPENAM_COOKIE_NAME]; 76 88 if (!empty($tokenId) AND ! is_user_logged_in()) { 89 openam_debug("openam_auth: TOKENID:" . 
$tokenId); 77 90 if (($_GET['action'] != 'logout') OR ( $_GET['loggedout'] != 'yes')) { 78 91 $am_response = isSessionValid($tokenId); 79 if ($am_response['valid'] or $am_response['valid' == 'true']) { // Session was valid 92 if ($am_response['valid'] or $am_response['valid' == 'true'] or 93 $am_response['boolean'] == '1') { // Session was valid 94 openam_debug("openam_auth: Authentication was succesful"); 80 95 $amAttributes = getAttributesFromOpenAM($tokenId, $am_response['uid'], OPENAM_WORDPRESS_ATTRIBUTES); 96 openam_debug("openam_auth: UID: " . print_r($amAttributes['uid'][0], TRUE)); 97 openam_debug("openam_auth: MAIL: " . print_r($amAttributes['mail'][0], TRUE)); 81 98 $user = loadUser($amAttributes['uid'][0], $amAttributes['mail'][0]); 82 99 remove_action('authenticate', 'wp_authenticate_username_password', 20); … … 88 105 // If no username nor password, then we are starting here 89 106 if ($username != '' and $password != '') { 90 91 107 $tokenId = authenticateWithOpenAM($username, $password); 92 108 if (!$tokenId) { … … 110 126 /* Verifies that the OpenAM session is valid */ 111 127 function isSessionValid($tokenId) { 112 $sessions_url=OPENAM_BASE_URL . OPENAM_SESSION_URI; 113 $headers = array( 'Content-Type' => 'application/json' ); 114 $response = wp_remote_post( $sessions_url . $tokenId . "?_action=validate", 115 array( 'headers' => $headers , 116 'sslverify' => false , 117 ) ); 118 $amResponse = json_decode( $response['body'], true ); 119 return $amResponse; 120 } 128 if (!OPENAM_LEGACY_APIS_ENABLED) { 129 openam_debug("isSessionValid: Legacy Mode Disabled"); 130 $sessions_url = OPENAM_BASE_URL . OPENAM_SESSION_URI; 131 $headers = array('Content-Type' => 'application/json'); 132 $response = wp_remote_post($sessions_url . $tokenId . 
"?_action=validate", array('headers' => $headers, 133 'sslverify' => false, 134 )); 135 $amResponse = json_decode($response['body'], true); 136 return $amResponse; 137 } else { 138 openam_debug("isSessionValid: Legacy Mode Enabled"); 139 $sessions_url = OPENAM_BASE_URL . OPENAM_LEGACY_SESSION_VALIDATION; 140 $response = wp_remote_post($sessions_url . "?tokenid=" . $tokenId, array( 141 'sslverify' => false, 142 )); 143 openam_debug("isSessionValid: isValid Response: " . print_r($response, TRUE)); 144 $amResponse = json_decode($response['body'], true); 145 return $amResponse; 146 147 } 148 } 149 121 150 122 151 /* Loads a user if found, if not it creates it in the local database using the … … 126 155 $userobj = new WP_User(); 127 156 $user = $userobj->get_data_by( 'login', $login ); 157 openam_debug("loadUser: user object: " . print_r($user, TRUE)); 128 158 $user = new WP_User($user->ID); // Attempt to load up the user with that ID 129 159 … … 136 166 $user = new WP_User ($new_user_id); 137 167 } 168 openam_debug("loadUser: WP_User loaded: " . print_r($user, TRUE)); 138 169 return $user; 139 170 } … … 141 172 /* Authenticates a user in OpenAM using the credentials passed */ 142 173 function authenticateWithOpenAM($username, $password) { 143 144 // $authentication_url = OPENAM_BASE_URL . OPENAM_AUTHN_URI; 174 if (!OPENAM_LEGACY_APIS_ENABLED) { 175 return authenticateWithModernOpenAM($username, $password); 176 } else { 177 return authenticateWithLegacyOpenAM($username, $password); 178 } 179 } 180 181 /* Authenticates a user in a modern OpenAM using the credentials passed */ 182 function authenticateWithModernOpenAM($username, $password) { 145 183 $authentication_url = createAuthenticationURL(); 184 openam_debug("authenticateWithModernOpenAM: AUTHN URL: " . 
$authentication_url); 146 185 $headers = array('X-OpenAM-Username' => $username, 147 186 'X-OpenAM-Password' => $password, … … 149 188 $response = wp_remote_post($authentication_url, array('headers' => $headers, 150 189 'body' => '{}', 151 'sslverify' => false ,190 'sslverify' => false 152 191 )); 192 openam_debug("authenticateWithModernOpenAM: RAW AUTHN RESPONSE: " . print_r($response, TRUE)); 153 193 if (empty($response->errors['http_request_failed'])) { 154 194 if ($response['response']['code'] == 200) { … … 158 198 setrawcookie(OPENAM_COOKIE_NAME, $amResponse['tokenId'], $expiration_date, '/', DOMAIN); 159 199 return $amResponse['tokenId']; 200 openam_debug("authenticateWithModernOpenAM:: AUTHN Response: " . print_r($amResponse,TRUE)); 160 201 } 161 202 return 0; … … 164 205 return 2; 165 206 } 207 208 /* Authenticates a user with a legacy OpenAM using the credentials passed */ 209 function authenticateWithLegacyOpenAM($username, $password) { 210 $authentication_url = OPENAM_BASE_URL . OPENAM_LEGACY_AUTHN_URI; 211 openam_debug("authenticateWithLegacyOpenAM: AUTHN URL: " . $authentication_url); 212 $uri_param = createLegacyAuthenticationURIParams(); 213 $uri = "?username=" . $username . "&password=" . $password . 214 $uri_param; 215 $response = wp_remote_post($authentication_url . $uri, array('headers' => $headers, 216 'sslverify' => false, 217 )); 218 openam_debug("authenticateWithLegacyOpenAM: RAW AUTHN RESPONSE: " . print_r($response, TRUE)); 219 if (empty($response->errors['http_request_failed'])) { 220 if ($response['response']['code'] == 200) { 221 $amResponse = json_decode($response['body'], true); 222 $number_of_hours = 2; 223 $expiration_date = time() + 60 * 60 * $number_of_hours; 224 setrawcookie(OPENAM_COOKIE_NAME, $amResponse['tokenId'], $expiration_date, '/', DOMAIN); 225 openam_debug("authenticateWithLegacyOpenAM: AUTHN RESPONSE: " . 
print_r($amResponse, TRUE)); 226 return $amResponse['tokenId']; 227 } 228 return 0; 229 } 230 else 231 return 2; 232 } 233 166 234 167 235 /* Creates the proper OpenAM authentication URL using the parameters configured */ … … 194 262 } 195 263 264 /* Creates the proper OpenAM authentication URL using the parameters configured */ 265 function createLegacyAuthenticationURIParams() { 266 267 $authentication_url = OPENAM_BASE_URL . OPENAM_LEGACY_AUTHN_URI; 268 $uri = ''; 269 if (OPENAM_REALM != '') { 270 $uri = REALM_PARAM . "=" . OPENAM_REALM; 271 } 272 if (OPENAM_AUTHN_MODULE != '') { 273 if ($uri != '') { 274 $uri .= "&" . MODULE_PARAM . "=" . OPENAM_AUTHN_MODULE; 275 } else { 276 $uri = MODULE_PARAM . "=" . OPENAM_AUTHN_MODULE; 277 } 278 } else { 279 if (OPENAM_SERVICE_CHAIN != '') { 280 if ($uri != '') { 281 $uri .= "&" . SERVICE_PARAM . "=" . OPENAM_SERVICE_CHAIN; 282 } else { 283 $uri = SERVICE_PARAM . "=" . OPENAM_SERVICE_CHAIN; 284 } 285 } 286 } 287 $uri_param = ''; 288 if ($uri != '') { 289 $uri_param = "&uri=" . urlencode($uri); 290 } 291 return $uri_param; 292 } 293 294 196 295 /* Pulls attributes from OpenAM using the existing session and username */ 197 296 function getAttributesFromOpenAM($tokenId, $username, $attributes) { 297 if (!OPENAM_LEGACY_APIS_ENABLED) { 298 openam_debug("getAttributesFromOpenAM: LEGACY NOT ENABLED"); 299 return getAttributesFromModernOpenAM($tokenId, $username, $attributes); 300 } else { 301 openam_debug("getAttributesFromOpenAM: LEGACY ENABLED"); 302 return getAttributesFromLegacyOpenAM($tokenId, $attributes); 303 } 304 } 305 306 307 /* Pulls attributes from OpenAM using the existing session and username */ 308 function getAttributesFromModernOpenAM($tokenId, $username, $attributes) { 198 309 $attributes_url=createAttributesURL(); 310 openam_debug("getAttributesFromModernOpenAM: ATTRIBUTE URL: " . 
$attributes_url); 199 311 $headers = array( OPENAM_COOKIE_NAME => $tokenId , 200 312 'Content-Type' => 'application/json' ); 201 313 $url = $attributes_url . $username . "?_fields=" . $attributes; 314 openam_debug("getAttributesFromModernOpenAM: full url: " . $url); 202 315 $response = wp_remote_get( $url, 203 316 array( 'headers' => $headers , 204 'sslverify' => false ,317 'sslverify' => false 205 318 ) ); 319 openam_debug("getAttributesFromModernOpenAM: RAW ATTR RESPONSE: " . 320 print_r($response, TRUE)); 206 321 $amResponse = json_decode( $response['body'], true ); 207 if ($response['response']['code'] == 200 ) 322 openam_debug("getAttributesFromModernOpenAM: ATTRIBUTE RESP: " . 323 print_r($amResponse, TRUE)); 324 if ($response['response']['code'] == 200 ) 208 325 return $amResponse; 209 326 else return 0; … … 221 338 } 222 339 340 /* Pulls attributes from OpenAM using the existing session and username */ 341 function getAttributesFromLegacyOpenAM($tokenId, $attributes) { 342 $attributes_url=createAttributesLegacyURL($tokenId); 343 openam_debug("getAttributesFromLegacyOpenAM: Attributes URL: " . $attributes_url); 344 $response = wp_remote_get( $attributes_url, 345 array( 'sslverify' => false 346 ) ); 347 openam_debug("getAttributesFromLegacyOpenAM: RAW ATTRS RESPONSE: " . 348 print_r($response, TRUE)); 349 $amResponse = json_decode( $response['body'], true ); 350 openam_debug("getAttributesFromLegacyOpenAM: ATTRIBUTES RESPONSE: " . 351 print_r($amResponse, TRUE)); 352 if ($response['response']['code'] == 200 ) { 353 $attr1 = $amResponse['attributes']; 354 foreach ($attr1 as $json_attr){ 355 $attr_name = $json_attr['name']; 356 $attr_value = $json_attr['values']; 357 $amResponse2[$attr_name] = $attr_value; 358 } 359 openam_debug("getAttributesFromLegacyOpenAM: Attributes: " . 
360 print_r($amResponse2, TRUE)); 361 return $amResponse2; 362 } else return 0; 363 364 } 365 366 /* Creates the proper OpenAM Attributes URL using the configured parameters */ 367 function createAttributesLegacyURL($tokenId) { 368 369 $attributes_url = OPENAM_BASE_URL . OPENAM_LEGACY_ATTRIBUTES_URI . 370 "?subjectid=" . $tokenId; 371 if (OPENAM_WORDPRESS_ATTRIBUTES != '') { 372 $attributes = explode(',', OPENAM_WORDPRESS_ATTRIBUTES); 373 foreach ($attributes as $attributename) { 374 $attribute_uri .= "&attributenames=" . $attributename; 375 } 376 $attributes_url .= $attribute_uri; 377 } 378 return $attributes_url; 379 } 223 380 224 381 … … 248 405 'sslverify' => false, 249 406 )); 407 openam_debug("wp_logout: RAW RESPONSE LOGOUT: " . 408 print_r($response, TRUE)); 250 409 $expiration_date = time() - 60 ; 251 410 setcookie(OPENAM_COOKIE_NAME, '', $expiration_date, '/', DOMAIN); … … 283 442 284 443 function openam_login_url($login_url, $redirect = null) { 285 if (OPENAM_DO_REDIRECT) { 444 if (OPENAM_DO_REDIRECT) { 286 445 $new_url = createOpenAMLoginURL(); 287 446 if (!stripos($new_url, '?')) { … … 295 454 } 296 455 } 456 457 /* Writes to the debug file if debugging has been enabled 458 * 459 */ 460 function openam_debug($message) { 461 if (OPENAM_DEBUG_ENABLED) { 462 error_log($message . 
"\n", 3, OPENAM_DEBUG_FILE); 463 } 464 } 465 297 466 298 467 // Functions from here and down are used for the administration of the plugin … … 325 494 <input name="openam_rest_enabled" type="checkbox" id="openam_rest_enabled" value="1" <?php checked('1', get_option('openam_rest_enabled')); ?> /> 326 495 <?php _e('This checkbox enables or disables this plugin') ?></label> 327 </fieldset></td> 496 </fieldset></td></tr> 497 498 <tr valign="top"> 499 <th scope="row"><?php _e('OpenAM-Legacy enabled') ?></th> 500 <td> <fieldset><legend class="screen-reader-text"><span><?php _e('OpenAM Legacy enabled') ?></span></legend><label for="openam_legacy_apis_enabled"> 501 <input name="openam_legacy_apis_enabled" type="checkbox" id="openam_legacy_apis_enabled" value="1" <?php checked('1', get_option('openam_legacy_apis_enabled')); ?> /> 502 <?php _e('This checkbox enables or disables the use of legacy REST APIs (For OpenAM 11.0 and older)') ?></label> 503 </fieldset></td></tr> 328 504 329 505 <tr valign="top"> … … 340 516 <td><input type="text" name="openam_base_url" value="<?php echo get_option('openam_base_url'); ?>" class="regular-text code" /> 341 517 <span class="description"> 342 <?php _e('The OpenAM deployment URL. Example: <code>http://openam.example.com:80/openam /</code>') ?>518 <?php _e('The OpenAM deployment URL. 
Example: <code>http://openam.example.com:80/openam</code>') ?> 343 519 </span> 344 520 </td> … … 402 578 <?php _e('Redirect to OpenAM for Login') ?> 403 579 </span></legend><label for="openam_do_redirect"> 404 <input name="openam_do_redirect" type="checkbox" id="openam_ logout_too" value="1" <?php checked('1', get_option('openam_do_redirect')); ?> />580 <input name="openam_do_redirect" type="checkbox" id="openam_do_redirect" value="1" <?php checked('1', get_option('openam_do_redirect')); ?> /> 405 581 <?php _e('For authentication chains and modules with a more complex workflow than user/password, redirect to OpenAM') ?></label> 582 </fieldset></td></tr> 583 584 <tr valign="top"> 585 <th scope="row"><?php _e('Enable debug') ?></th> 586 <td> 587 <fieldset><legend class="screen-reader-text"><span> 588 <?php _e('Enable debug') ?> 589 </span></legend><label for="openam_debug_enabled"> 590 <input name="openam_debug_enabled" type="checkbox" id="openam_debug_enabled" value="1" <?php checked('1', get_option('openam_debug_enabled')); ?> /> 591 <?php _e('Enables debug in the module. If enabled, the debug file must be specified. 
Remember to turn-off in production environment') ?></label> 406 592 </fieldset></td> 593 </tr> 594 595 <tr valign="top"> 596 <th scope="row"><label for="openam_debug_file"><?php _e('Name of the debug file') ?></label></th> 597 <td><input type="text" name="openam_debug_file" value="<?php echo get_option('openam_debug_file'); ?>" class="regular-text code" /> 598 <span class="description"> 599 <?php _e('Name of the debug file') ?> 600 </span> 601 </td> 602 </tr> 407 603 408 604 </table> 409 605 410 606 <input type="hidden" name="action" value="update" /> 411 <input type="hidden" name="page_options" value="openam_rest_enabled,openam_cookie_name,openam_base_url, 412 openam_realm,openam_authn_module,openam_service_chain,openam_logout_too,openam_do_redirect,openam_wordpress_attributes" /> 607 <input type="hidden" name="page_options" value="openam_rest_enabled,openam_legacy_apis_enabled,openam_cookie_name,openam_base_url, 608 openam_realm,openam_authn_module,openam_service_chain,openam_logout_too,openam_do_redirect,openam_wordpress_attributes, 609 openam_debug_enabled, openam_debug_file" /> 413 610 414 611 <p class="submit">
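Review bot: authenticateWithLegacyOpenAM builds the request as `"?username=" . $username . "&password=" . $password . $uri_param` and posts to that URL, so the user's password travels in the query string, unencoded, where proxy and web-server access logs capture it and any `&`, `#` or `%` in a password breaks the request; the same call also passes `$headers`, which is never assigned in that function. The legacy identity endpoints accept these as form parameters as far as I can tell, so the credentials belong in the POST body with only the non-secret realm/module/service fragment left in the URL (rewrite below). In the same section the new openam_debug calls dump `print_r($response, TRUE)` and `print_r($amResponse, TRUE)` of the authentication and session responses, which contain `tokenId`, into the file named by `openam_debug_file`, whose default `'/Users/victor/logFile'` is a developer path; the default should be `''`, `openam_debug` should return early when the file name is empty, and the session token should be masked before the dump. Also, `openam_debug("authenticateWithModernOpenAM:: AUTHN Response: ...")` sits after `return $amResponse['tokenId'];` and is unreachable.
```php
function authenticateWithLegacyOpenAM($username, $password) {
    $authentication_url = OPENAM_BASE_URL . OPENAM_LEGACY_AUTHN_URI;
    openam_debug("authenticateWithLegacyOpenAM: AUTHN URL: " . $authentication_url);
    // Realm/module/service selection is not secret and may stay in the query string;
    // the credentials go in the form body so they never appear in URLs or access logs.
    $uri_param = createLegacyAuthenticationURIParams(); // '' or '&uri=...'
    $query = ($uri_param !== '') ? '?' . substr($uri_param, 1) : '';
    $response = wp_remote_post($authentication_url . $query, array(
        'body' => array('username' => $username, 'password' => $password),
        'sslverify' => false,
    ));
    // … unchanged: response code check, cookie, tokenId return …
```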