318 lines
11 KiB
PHP
318 lines
11 KiB
PHP
|
<?php
|
||
|
|
|
||
|
|
echo file_get_contents("html/header.html");
|
||
|
|
|
||
|
|
$ini_arr = parse_ini_file( "cacert.ini", true );
|
||
|
|
|
||
|
|
$wellKnownURL = $ini_arr[ 'URLs' ][ 'WellKnownURL' ];
|
||
|
|
$dbUser = $ini_arr['DB']['User'];
|
||
|
|
$dbPass = $ini_arr['DB']['Password'];
|
||
|
|
|
||
|
|
if (count($_POST) > 0) {
|
||
|
|
|
||
|
|
|
||
|
|
$db = new PDO("pgsql:host=localhost;port=5432;dbname=oidc_db;user=$dbUser;password=$dbPass");
|
||
|
|
|
||
|
|
$siteName = $_POST['siteName'];
|
||
|
|
$redirectURL = $_POST['redirectURL'];
|
||
|
|
$authMethod = $_POST['endpointAuth'];
|
||
|
|
$notes = $_POST['notes'];
|
||
|
|
|
||
|
|
$clientDN = $_SERVER['SSL_CLIENT_S_DN'];
|
||
|
|
$cn_pos = strpos( $clientDN, ',CN=' );
|
||
|
|
$clientName = substr( $clientDN, $cn_pos + 4 );
|
||
|
|
|
||
|
|
$stmt = $db->query("select created_at from clients where site_name = '$siteName' and owner_id like '%$clientName%' and deleted_at is null");
|
||
|
|
$res = $stmt->fetch(PDO::FETCH_ASSOC);
|
||
|
|
|
||
|
|
echo "<div class='scrollDiv' style='padding: 1em;' >";
|
||
|
|
|
||
|
|
if ($res) {
|
||
|
|
echo "<div style='background-color: darkred; color: white; padding: 1em;' >";
|
||
|
|
echo "<br>";
|
||
|
|
echo "Error: Found an existing record for that site: '$siteName'";
|
||
|
|
echo "<br>";
|
||
|
|
echo "</div>";
|
||
|
|
} else {
|
||
|
|
|
||
|
|
for ($emailIndex = 0; $emailIndex < 20; $emailIndex++) {
|
||
|
|
$emailSAN = 'SSL_CLIENT_SAN_Email_' . $emailIndex;
|
||
|
|
if (array_key_exists($emailSAN, $_SERVER)) {
|
||
|
|
$clientEMail[] = $_SERVER[$emailSAN];
|
||
|
|
} else {
|
||
|
|
break;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
switch( $authMethod ) {
|
||
|
|
case 'basic':
|
||
|
|
$endpointAuthMethod = 'client_secret_basic' ;
|
||
|
|
break;
|
||
|
|
|
||
|
|
case 'post':
|
||
|
|
$endpointAuthMethod = 'client_secret_post' ;
|
||
|
|
break;
|
||
|
|
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
$hydra_command = "/srv/hydra/bin/hydra create oauth2-client --endpoint " . $ini_arr[ 'URLs' ][ 'InternalHydraEndpointURL' ] . " --name '$siteName' --owner '$clientDN' --redirect-uri '$redirectURL' --token-endpoint-auth-method '$endpointAuthMethod' --scope openid,offline,offline_access,profile,email";
|
||
|
|
$retcode = exec($hydra_command, $hydraArray);
|
||
|
|
|
||
|
|
|
||
|
|
$outArray = [];
|
||
|
|
|
||
|
|
foreach ($hydraArray as $hydra) {
|
||
|
|
|
||
|
|
$keyIDX = strpos($hydra, "\t");
|
||
|
|
|
||
|
|
if ($keyIDX === false) {
|
||
|
|
$outArray[$hydra] = "";
|
||
|
|
} else {
|
||
|
|
$valIDX = strrpos($hydra, "\t", -1);
|
||
|
|
|
||
|
|
$key = substr($hydra, 0, $keyIDX);
|
||
|
|
|
||
|
|
$val = substr($hydra, $valIDX + 1);
|
||
|
|
|
||
|
|
$outArray[$key] = $val;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
if (array_key_exists('CLIENT ID', $outArray)) {
|
||
|
|
|
||
|
|
echo "<h3>Here are your Client ID and Client Secret</h3>";
|
||
|
|
echo "<h5>";
|
||
|
|
echo "Make <b>sure</b> that you copy these two values somewhere safe, because the Client Secret can ";
|
||
|
|
echo "not be retrieved again.";
|
||
|
|
echo "</h5>";
|
||
|
|
|
||
|
|
echo "<br>";
|
||
|
|
echo "<br>";
|
||
|
|
|
||
|
|
echo "<table>";
|
||
|
|
echo "<tr>";
|
||
|
|
echo "<td>";
|
||
|
|
echo "Client ID";
|
||
|
|
echo "</td>";
|
||
|
|
echo "<td> ";
|
||
|
|
echo "</td>";
|
||
|
|
echo "<td>";
|
||
|
|
echo $outArray['CLIENT ID'];
|
||
|
|
echo "</td>";
|
||
|
|
echo "</tr>";
|
||
|
|
echo "<tr>";
|
||
|
|
echo "<td>";
|
||
|
|
echo "Client Secret";
|
||
|
|
echo "</td>";
|
||
|
|
echo "<td> ";
|
||
|
|
echo "</td>";
|
||
|
|
echo "<td>";
|
||
|
|
echo $outArray['CLIENT SECRET'];
|
||
|
|
echo "</td>";
|
||
|
|
echo "</tr>";
|
||
|
|
echo "</table>";
|
||
|
|
echo "<br>";
|
||
|
|
echo "<br>";
|
||
|
|
echo "<p>";
|
||
|
|
echo "You will also need the following URLs for your site plugin.";
|
||
|
|
echo "</p>";
|
||
|
|
echo "<br>";
|
||
|
|
echo "<table>";
|
||
|
|
echo "<tr>";
|
||
|
|
echo "<td>";
|
||
|
|
echo "Authorize";
|
||
|
|
echo "</td>";
|
||
|
|
echo "<td> </td>";
|
||
|
|
echo "<td>";
|
||
|
|
echo $ini_arr[ 'AuthURL' ];
|
||
|
|
echo "</td>";
|
||
|
|
echo "</tr>";
|
||
|
|
echo "<tr>";
|
||
|
|
echo "<td>";
|
||
|
|
echo "Token";
|
||
|
|
echo "</td>";
|
||
|
|
echo "<td> </td>";
|
||
|
|
echo "<td>";
|
||
|
|
echo $ini_arr[ 'TokenURL' ];
|
||
|
|
echo "</td>";
|
||
|
|
echo "</tr>";
|
||
|
|
echo "<tr>";
|
||
|
|
echo "<td>";
|
||
|
|
echo "User Info";
|
||
|
|
echo "</td>";
|
||
|
|
echo "<td> </td>";
|
||
|
|
echo "<td>";
|
||
|
|
echo $ini_arr[ 'UserInfoURL' ];
|
||
|
|
echo "</td>";
|
||
|
|
echo "</tr>";
|
||
|
|
echo "</table>";
|
||
|
|
|
||
|
|
|
||
|
|
echo "<br>";
|
||
|
|
?>
|
||
|
|
<p>
|
||
|
|
Download a list of relevant URLs
|
||
|
|
<a href="<?php echo $wellKnownURL ?>"
|
||
|
|
title="OpenID Config"
|
||
|
|
target="_blank" download="openid_configuration.json">here</a>
|
||
|
|
</p>
|
||
|
|
|
||
|
|
<?php
|
||
|
|
echo "<br>";
|
||
|
|
|
||
|
|
|
||
|
|
$stmt = $db->prepare("insert into clients
|
||
|
|
( site_name, site_owner, client_id, owner_id, redirect_url )
|
||
|
|
values ( ?, ?, ?, ?, ? ) ");
|
||
|
|
|
||
|
|
$clientID = $outArray['CLIENT ID'];
|
||
|
|
$retcode = $stmt->execute([$siteName, $clientName, $clientID, $clientDN, $redirectURL]);
|
||
|
|
|
||
|
|
|
||
|
|
$dbClientID = $db->lastInsertID();
|
||
|
|
|
||
|
|
$stmt = $db->prepare("insert into owner_email ( client_id, e_mail ) values ( ?, ? )");
|
||
|
|
|
||
|
|
foreach ($clientEMail as $mail) {
|
||
|
|
$retcode = $stmt->execute([$dbClientID, $mail]);
|
||
|
|
}
|
||
|
|
|
||
|
|
} else {
|
||
|
|
echo "<p style='padding: 1em' >";
|
||
|
|
echo "Unable to register new client.";
|
||
|
|
echo "</p>";
|
||
|
|
|
||
|
|
}
|
||
|
|
|
||
|
|
}
|
||
|
|
|
||
|
|
} else {
|
||
|
|
?>
|
||
|
|
|
||
|
|
<div class="scrollDiv" >
|
||
|
|
<div class="myDiv">
|
||
|
|
<table style="float: left; position: relative; padding-left: 1em; padding-right: 1em; border: none ;">
|
||
|
|
<tr style="border: none">
|
||
|
|
<td style="border: none">
|
||
|
|
<h2 style="display: table-row; color: black; ">
|
||
|
|
How to Register a New Site
|
||
|
|
</h2>
|
||
|
|
</td>
|
||
|
|
</tr>
|
||
|
|
|
||
|
|
<tr>
|
||
|
|
<td>
|
||
|
|
<div>
|
||
|
|
<div style="text-align: left">
|
||
|
|
To make use of this system and register a site,
|
||
|
|
you need the following things:
|
||
|
|
</div>
|
||
|
|
<ol style="line-height: 125%; text-align: left">
|
||
|
|
<li>
|
||
|
|
A unique name to identify your site registration
|
||
|
|
</li>
|
||
|
|
<br>
|
||
|
|
<li>
|
||
|
|
The "Redirect URL" that the OpenID plugin
|
||
|
|
for the site that you are registering requires.
|
||
|
|
</li>
|
||
|
|
<br>
|
||
|
|
<li>
|
||
|
|
Does your plugin use Post or Basic authentication?
|
||
|
|
The default is POST. If you have requirements other than those two, please contact
|
||
|
|
the CAcert OpenID development team at bmccullough@cacert.org
|
||
|
|
</li>
|
||
|
|
<br>
|
||
|
|
<li>
|
||
|
|
Optional notes for yourself.
|
||
|
|
</li>
|
||
|
|
</ol>
|
||
|
|
<p>
|
||
|
|
You may download the various URLs provided by the OpenID component
|
||
|
|
<a href="<?php echo $wellKnownURL ?>"
|
||
|
|
title="OpenID Config"
|
||
|
|
target="_blank" download="openid_configuration.json">here</a>
|
||
|
|
</p>
|
||
|
|
</div>
|
||
|
|
</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td>
|
||
|
|
<div style="display: block; padding: 15px; width: 80%">
|
||
|
|
<br>
|
||
|
|
<form action="register.php" method="post">
|
||
|
|
<div>
|
||
|
|
<table>
|
||
|
|
<tr>
|
||
|
|
<td>
|
||
|
|
<label for="siteName">Site Name </label>
|
||
|
|
</td>
|
||
|
|
<td>
|
||
|
|
<input type="text" id="siteName" name="siteName" size="50" value=""/>
|
||
|
|
</td>
|
||
|
|
</tr>
|
||
|
|
|
||
|
|
<tr>
|
||
|
|
<td>
|
||
|
|
<label for="redirectURL">Redirect URL </label>
|
||
|
|
</td>
|
||
|
|
<td>
|
||
|
|
<input type="text" id="redirectURL" name="redirectURL" size="50"
|
||
|
|
value=""/>
|
||
|
|
</td>
|
||
|
|
</tr>
|
||
|
|
|
||
|
|
<tr>
|
||
|
|
<td>
|
||
|
|
<label for="endpointAuth">Auth Method </label>
|
||
|
|
</td>
|
||
|
|
<td>
|
||
|
|
<input type="radio" id="post_auth" name="endpointAuth" value="post"
|
||
|
|
checked/>
|
||
|
|
<label for="post_auth">Post</label>
|
||
|
|
<br>
|
||
|
|
<input type="radio" id="basic_auth" name="endpointAuth" value="basic"/>
|
||
|
|
<label for="basic_auth">Basic</label>
|
||
|
|
</td>
|
||
|
|
</tr>
|
||
|
|
|
||
|
|
<tr>
|
||
|
|
<td>
|
||
|
|
<label for="notes">Notes </label>
|
||
|
|
</td>
|
||
|
|
<td>
|
||
|
|
<input type="text" id="notes" name="notes" size="50" value=""/>
|
||
|
|
</td>
|
||
|
|
</tr>
|
||
|
|
</table>
|
||
|
|
</div>
|
||
|
|
<br>
|
||
|
|
<input type="submit" value="Register Site">
|
||
|
|
|
||
|
|
</form>
|
||
|
|
</div>
|
||
|
|
</td>
|
||
|
|
</tr>
|
||
|
|
</table>
|
||
|
|
|
||
|
|
<br>
|
||
|
|
<br>
|
||
|
|
<br>
|
||
|
|
|
||
|
|
<?php
|
||
|
|
}
|
||
|
|
|
||
|
|
echo "<div class='pageFooter'>";
|
||
|
|
|
||
|
|
echo file_get_contents("html/footer.html");
|
||
|
|
|
||
|
|
echo "<br>";
|
||
|
|
echo '<p>Copyright © CAcert, Inc ';
|
||
|
|
echo date("Y");
|
||
|
|
echo "</p>";
|
||
|
|
|
||
|
|
echo "</div>";
|
||
|
|
|
||
|
|
echo "</div>";
|