Changeset 2184906

Timestamp:

11/02/2019 11:52:37 AM (6 years ago)

Author:

shfarr

Message:

moving to version 2.0

Location:

identity-plus/trunk

Files:

• lib/comments.php (modified) (6 diffs)
• lib/identity_plus/Identity_Plus_API.php (modified) (9 diffs)
• lib/identity_plus/api/Communication.php (modified) (3 diffs)
• lib/img/idp.svg (modified) (1 diff)
• lib/initialize.php (modified) (11 diffs)
• lib/settings_panel.php (modified) (15 diffs)
• readme.txt (modified) (2 diffs)

identity-plus/trunk/lib/comments.php

@@ -64 +64 @@
 function identity_plus_send_trust($cert_id, $amount, $intrusion_reference = NULL){
         $options = get_option( 'identity_plus_settings' );
-        if(!empty($options) && isset($options['cert-file']) && isset($options['cert-password'])){
-                $identity_plus_api = new Identity_Plus_API(file_get_contents($options['cert-file']), $options['cert-password']);
+        if(!empty($options) && isset($options['cert-data']) && isset($options['cert-password'])){
+                $identity_plus_api = new Identity_Plus_API(base64_decode($options['cert-data']), $options['cert-password']);
 
                 if(isset($identity_plus_api) && $identity_plus_api != NULL){
@@ -86 +86 @@
 function identity_plus_revoke_intrusion($reference){
         $options = get_option( 'identity_plus_settings' );
-        if(!empty($options) && isset($options['cert-file']) && isset($options['cert-password'])){
-                $identity_plus_api = new Identity_Plus_API(file_get_contents($options['cert-file']), $options['cert-password']);
+        if(!empty($options) && isset($options['cert-data']) && isset($options['cert-password'])){
+                $identity_plus_api = new Identity_Plus_API(base64_decode($options['cert-data']), $options['cert-password']);
                 
                 if(isset($identity_plus_api) && $identity_plus_api != NULL){
@@ -107 +107 @@
 function identity_plus_send_intrusion($cert_id){
         $options = get_option( 'identity_plus_settings' );
-        if(!empty($options) && isset($options['cert-file']) && isset($options['cert-password'])){
-                $identity_plus_api = new Identity_Plus_API(file_get_contents($options['cert-file']), $options['cert-password']);
+        if(!empty($options) && isset($options['cert-data']) && isset($options['cert-password'])){
+                $identity_plus_api = new Identity_Plus_API(base64_decode($options['cert-data']), $options['cert-password']);
                 
                 if(isset($identity_plus_api) && $identity_plus_api != NULL){
@@ -117 +117 @@
                                 Identity_Plus_Utils::here().Identity_Plus_Utils::query());
 
-                        // careful, the comment is not commeing from the user that approves it
+                        // careful, the comment is not comming from the user that approves it
                         add_option("identity-plus/".$cert_id, "expire");
                         return $reference;
@@ -133 +133 @@
 function identity_plus_hide_comments(){
         $options = get_option( 'identity_plus_settings' );
-        if(!empty($options) && isset($options['cert-file']) && isset($options['cert-password']) && isset($options['comments']) && $options['comments']){
+        if(!empty($options) && isset($options['cert-data']) && isset($options['cert-password']) && isset($options['comments']) && $options['comments']){
                 if(!isset($_SESSION['identity-plus-anonymous-id']) || $_SESSION['identity-plus-anonymous-id'] == 'N/A'){
                         ?><style>#commentform{display:none;}</style><?php
@@ -149 +149 @@
     
     if(isset($options['comments']) && $options['comments']){
-                $identity_plus_api = new Identity_Plus_API(file_get_contents($options['cert-file']), $options['cert-password']);
+                $identity_plus_api = new Identity_Plus_API(base64_decode($options['cert-data']), $options['cert-password']);
         
                 $message = isset($_SESSION['identity-plus-anonymous-id']) && $_SESSION['identity-plus-anonymous-id'] != 'N/A' ?

identity-plus/trunk/lib/identity_plus/Identity_Plus_API.php

@@ -20 +20 @@
 use identity_plus\api\communication\Intent;
 use identity_plus\api\communication\Intent_Reference;
+use identity_plus\api\communication\Service_Agent_Identity_Request;
+use identity_plus\api\communication\Service_Agent_Identity;
 
 /*
@@ -62 +64 @@
  */
 class Identity_Plus_API {
-    const api_endpoint = "https://api.identity.plus/v1";
-    const validation_endpoint = "https://signon.identity.plus";
-    // const api_endpoint = "https://dev-api.identity.plus:8443/v1";
-    // const validation_endpoint = "https://my.dev.identity.plus:8443";
+    const HOME = "identity.plus";
+    // const HOME = "local.stefanfarr.identityplus.app";
+    const api_endpoint = "https://api." . self::HOME . "/v1";
+    const validation_endpoint = "https://signon." . self::HOME;
     
     public $cert_details;
@@ -87 +89 @@
             $this->cert_details = openssl_x509_parse($this->cert);
         }
-        else return NULL;
+        else{
+            error_log("Unable to load key material from pkcs12 store.");
+            return NULL;
+        } 
     }
     
@@ -122 +127 @@
      */
     public function certificate_validation_endpoint($return_url = NULL){
-            if($return_url == NULL){
+        if($return_url == NULL){
             session_start();
             $_SESSION['identity-plus-return-query'] =  Identity_Plus_Utils::here().Identity_Plus_Utils::query();
@@ -131 +136 @@
         return self::validation_endpoint.'/' . $intent->value;
     }
-    
+
+    /**
+     * Renew Identity Plus Service Agent ID
+     * 
+     * @param unknown $service_domain the service to which the agent belongs. The service the current agent represents must be administrator 
+     * over the target service. By default it is the service the agent belongs (self renew)
+     * @param unknown $agent_name the name of the agent, if not provided it will be taken from the certificate (self renew)
+     * @return if all goes well an updated Service_Agent_Identity otherwise a Simple_Response containing an error code
+     */
+    public function issue_service_agent_identity($service_domain, $agent_name){
+        $request = new Service_Agent_Identity_Request($service_domain, $agent_name);
+        return $this->issue_call($request, "PUT");
+    }
+    
+    public function register_service($register_intent, $agent_name){
+        $args = array(
+            "authorization" => $register_intent, 
+            "agent-name" => $agent_name
+        );
+
+        $request = array(
+            "operation" => "issue-service-agent-certificate", 
+            "args" => $args
+        );
+        
+        $call = curl_init(self::validation_endpoint . "/api/v1");
+        
+        // curl_setopt($call, CURLOPT_VERBOSE, true);
+        curl_setopt($call, CURLOPT_URL, self::validation_endpoint . "/api/v1");
+        curl_setopt($call, CURLOPT_CUSTOMREQUEST, "POST");
+        curl_setopt($call, CURLOPT_POSTFIELDS, json_encode($request)); 
+        curl_setopt($call, CURLOPT_RETURNTRANSFER, true);
+        
+        curl_setopt($call, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($call, CURLOPT_SSL_VERIFYHOST, false);
+        
+        $result = curl_exec($call);
+                
+        curl_close ($call);
+        
+        return self::decode(json_decode($result));
+    }
+   
     /**
      * Initiates an binding API Call which will bind the local user to the identity + account with the given anonymoys id.
@@ -278 +325 @@
         curl_setopt($call, CURLOPT_POSTFIELDS, $request->to_json()); 
         curl_setopt($call, CURLOPT_RETURNTRANSFER, true);
-        
+        
+        curl_setopt($call, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($call, CURLOPT_SSL_VERIFYHOST, false);
+
         $result = curl_exec($call);
         
@@ -305 +355 @@
         return $encrypted;
     }
-    
-    /**
-     * An decryption function wrapper using the API certificate's private key
-     * 
-     * @param unknown $data: data to be decrypted. It is expected to be encrypted with the certificate's public key
-     * @return decrypted data
-     */
-    public function decrypt($data){
-        openssl_private_decrypt($data, $decrypted, $this->private_key);
-        return $decrypted;
-    }
+
 
     /**
@@ -322 +362 @@
      */
     public static function decode($data){
+        error_log('------------------\n'.json_encode($data).'------------------\n');
+        
         if(property_exists($data, 'Identity-Profile')) return new Identity_Profile($data->{'Identity-Profile'});
         else if(property_exists($data, 'Reference-Number')) return new Reference_Number($data->{'Reference-Number'});
         else if(property_exists($data, 'Anonymous-ID')) return new Anonymous_ID($data->{'Anonymous-ID'});
         else if(property_exists($data, 'Intent-Reference')) return new Intent_Reference($data->{'Intent-Reference'});
+        else if(property_exists($data, 'Service-Agent-Identity')) return new Service_Agent_Identity($data->{'Service-Agent-Identity'});
         else return new Simple_Response($data->{'Simple-Response'});
     }
@@ -348 +391 @@
     }
     
-    
-    
-    /**
-     * Extract the identity + anonymous id from a returning url.
-     * This happens upon a redirect-back from Identity +
-     *
-     * @param unknown &$http_session, the session variable, so that we don't hard code around session
-     */
-    function legacy_http_extract_anonymous_id(&$http_session){
-        $payload =  Identity_Plus_Utils::base64url_decode($_GET['idp-api-response']);
-        $response = $this->decrypt($payload);
-
-        $serial_number = Identity_Plus_API::decode(json_decode($response));
-        if($serial_number instanceof Anonymous_ID){
-            $http_session['identity-plus-anonymous-id'] = $serial_number->serial_number;
-        }
-        else $http_session['identity-plus-anonymous-id'] = 'N/A';
-    
-        // clear the identity + id extraction url to eliminate confusion
-        // and complications
-        if(!isset($http_session['identity-plus-return-query'])){
-            $q = Identity_Plus_Utils::query();
-            $q = substr($q, 0, strpos($q, "idp-api-response=") -1);
-            $http_session['identity-plus-return-query'] = Identity_Plus_Utils::here().$q;
-        }
-    }
 }

identity-plus/trunk/lib/identity_plus/api/Communication.php

@@ -129 +129 @@
         $this->salt = Identity_Plus_Utils::random_text(16);
     }
-
-    /**
-     * Empty initializer, it is necessary to initialize to null the public fields.
-     * The deserializer will override the final modifier and re-initialize the fields
-     * with the proper values
-     */
-    public function construct($json){
-        // restore_object(object);
-    }
+}
+
+/**
+ * The Agent Certificate Renewal request is used to issue certificates for Service Agents (Clients). 
+ * This can happen in two ways,:
+ * either the request is made for a valid previous certificate, in which a renewal procedure is executed,
+ * or it needs to be performed with an initial secret and then an issuing is performed.
+ * A service agent can rewnew its own certificate this way, but care must be taken as the previous certificate will be 
+ * revoked uppon issuing the new one.
+ * 
+ * @author Stefan Harsan Farr
+ */
+class Service_Agent_Identity_Request extends API_Request{
+
+    /**
+     * Name of the agent to issue certificate for.
+     * If the name exists, it will renew, otherwise it will create a new agent
+     */
+    public $agent_name;
+    
+    /**
+     * Domain Name of the service where the agent should be issued.
+     * 
+     * By default (if the domain is not specified), the agent will be created/renewed within the service
+     * to which the calling agent (the one whose certificate is used to make this call) belongs to.
+     * 
+     * If the target service is specified, then the calling service (the service to which the calling agent belongs to)
+     * must have administrative rights in target service. Otherwise this operation will fail 
+     */
+    public $service_domain;
+    
+    public function __construct($service_domain, $agent_name){
+            $this->service_domain = $service_domain;
+            $this->agent_name = $agent_name;
+    }
+}
+
+/**
+ * The core response for most request containing a reference number
+ * It comes in response to a call that requires a reference number such as an intrusion report
+ * 
+ * @author Stefan Harsan Farr
+ */
+class Service_Agent_Identity extends API_Response{
+   
+    /**
+     * p12 certificate format
+     */
+    public $p12;
+
+    /**
+     * Password for the p12 format
+     */
+    public $password;
+
+    /**
+     * PEM encoded certificate
+     */
+    public $certificate;
+    
+    /**
+     * PEM encoded private key
+     */
+    public $private_key;
+    
+    
+    public function __construct($data){
+        parent::__construct($data);
+        $this->p12 = $data->{'p12'};
+        $this->password = $data->{'password'};
+        $this->certificate = $data->{'certificate'};
+        $this->private_key = $data->{'private-key'};
+    }
 }
 
@@ -279 +343 @@
     public $local_intrusions;
     
+    /**
+     * In case this was an out of band authorization, the id of the certificate that made the authorization
+     */
+    public $authorizing_certificate;
+
     /**
      * Empty initializer, it is necessary to initialize to null the public fields.
@@ -296 +365 @@
         $this->local_trust = $data->{'local-trust'};
         $this->local_intrusions = $data->{'local-intrusions'};
+        if(isset($data->{'authorizing-certificate'})) $this->authorizing_certificate = $data->{'authorizing-certificate'};
     }
 }

identity-plus/trunk/lib/img/idp.svg

@@ -3 +3 @@
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-     width="128px" height="128px" viewBox="0 0 128 128" style="enable-background:new 0 0 128 128;" xml:space="preserve">
+     width="415px" height="640px" viewBox="0 0 415 640" enable-background="new 0 0 415 640" xml:space="preserve">
 <g>
-    <rect style="fill:#444444;" width="128" height="128"/>
     <g>
-        <g>
-            <g>
-                <path style="fill:#FFFFFF;" d="M22.386,44.303V38.49h4.291v5.813H22.386z M22.386,89.979V52.054h4.325v37.924H22.386z"/>
-                <path style="fill:#FFFFFF;" d="M53.432,90.774c-5.052,0-8.991-1.753-11.817-5.26c-2.826-3.506-4.239-8.351-4.239-14.533
-                    c0-5.813,1.458-10.536,4.377-14.169c2.918-3.633,6.765-5.45,11.54-5.45c2.353,0,4.706,0.508,7.059,1.522
-                    c2.353,1.016,4.141,2.595,5.363,4.741v-1.142V37.348l4.152-0.381v53.011h-3.563l-0.622-5.709
-                    c-1.315,2.145-3.098,3.766-5.347,4.861C58.085,90.227,55.785,90.774,53.432,90.774z M53.328,87.384
-                    c2.146,0,4.025-0.393,5.64-1.177s2.907-1.892,3.875-3.322c0.969-1.43,1.69-3.073,2.163-4.931
-                    c0.473-1.856,0.709-3.915,0.709-6.177c0-11.28-4.152-16.92-12.456-16.92c-1.961,0-3.691,0.467-5.19,1.401
-                    c-1.5,0.934-2.682,2.192-3.547,3.771c-0.865,1.581-1.505,3.299-1.92,5.156c-0.416,1.857-0.623,3.813-0.623,5.865
-                    c0,1.777,0.126,3.443,0.381,5c0.253,1.558,0.668,3.04,1.246,4.446c0.576,1.407,1.292,2.613,2.146,3.616
-                    c0.853,1.004,1.926,1.8,3.218,2.388C50.259,87.089,51.713,87.384,53.328,87.384z"/>
-            </g>
-        </g>
-        <g>
-            <g>
-                <line style="fill:none;stroke:#4292D3;stroke-width:4.252;stroke-miterlimit:10;" x1="96.4" y1="45.25" x2="96.4" y2="82.75"/>
-                <line style="fill:none;stroke:#4292D3;stroke-width:4.252;stroke-miterlimit:10;" x1="115.15" y1="64" x2="77.65" y2="64"/>
-            </g>
-        </g>
+        <path fill="#4596CE" d="M101.563,638.821H3.5L316.177,3.42h97.661L101.563,638.821z"/>
     </g>
 </g>
-<g>
-</g>
-<g>
-</g>
-<g>
-</g>
-<g>
-</g>
-<g>
-</g>
 </svg>

identity-plus/trunk/lib/initialize.php

@@ -23 +23 @@
 add_action('manage_users_custom_column',  'idp_show_user_id_column_content', 10, 3);
 
+function idp_problems($options){
+    // if(True) return "Manually disabled ...";
+
+    if(empty($options) || !isset($options['cert-data']) || !isset($options['cert-password'])){
+        return "API Certificate is missing! Please follow the steps below to prove ownership of this domain and activate the Identity Plus services.";
+    }
+
+    $cert_store = array();
+
+    if(openssl_pkcs12_read (base64_decode($options['cert-data']) , $cert_store , $options['cert-password'])){
+        $cert_details = openssl_x509_parse($cert_store['cert']);
+        $now = time();
+        $days = floor(abs($cert_details['validTo_time_t'] - $now) / 86400);
+        $all_days = floor(abs($cert_details['validTo_time_t'] - $cert_details['validFrom_time_t']) / 86400);
+
+        if(floor($days - $all_days/3) <= 0) return "renew";
+
+        // disable Identity Plus if agent certificate expired
+        // user must go through re-initialziation process
+        if($cert_details['validTo_time_t'] - $now < 0) return "Certificate expired!" . strval($cert_details['validTo_time_t'] - $now);
+        // $idp_on = $days > 500;
+    }
+    else return "Certificate password might be wrong!";
+}
+
+// check for potential problems
+if(idp_problems(get_option( 'identity_plus_settings' )) == "renew"){
+    $options = get_option( 'identity_plus_settings' );
+    // if the problem is renew perform a renew and then re-initialize options
+    idenity_plus_renew_service_agent_certificate();
+}
+
+/**
+ * Lazy create identity + API object
+ * 
+ * @param unknown $options
+ */
+function identity_plus_create_api($options){
+    return new Identity_Plus_API(base64_decode($options['cert-data']), $options['cert-password']);
+}
+
 function idp_add_user_id_column($columns) {
     $columns['user_id'] = 'Id +';
@@ -28 +69 @@
 }
  
+
 function idp_show_user_id_column_content($value, $column_name, $user_id) {
     $user = get_userdata( $user_id );
@@ -38 +80 @@
 }
 
+
+
 function identity_plus_initialize(){
         if(!function_exists("curl_init")){
+            error_log("Curl extension is not installed on the server! Identity + needs php5-curl extension to work. <br>(for Ubuntu type: sudo apt-get install php5-curl)");
             return;
-            add_settings_error('identity_plus_settings', 'identity-plus-curl-error', "Curl extension is not installed on the server! Identity + needs php5-curl extension to work. <br>(for Ubuntu type: sudo apt-get install php5-curl)", "error");
-        }
+        }
+
+        // attempt to start session
+        session_start();
     
         // make sure we have everything that is needed to
         // run Identity + (certificate, password)
         $options = get_option( 'identity_plus_settings' );
-        $idp_on = !empty($options) && isset($options['cert-file']) && file_exists($options['cert-file']) && isset($options['cert-password']);
-
-        if($idp_on){
-            $cert_store = array();
-            $idp_on = openssl_pkcs12_read (file_get_contents($options['cert-file']) , $cert_store , $options['cert-password']);
-        }
+
+        if($_GET['identity-plus-register-intent']){
+            idenity_plus_issue_service_agent_certificate();
+        }
 
         // if we have Identity + then we can start using it
-        if($idp_on){
-            // attempt to start session
-            session_start();
+        if(!idp_problems($options)){
             $identity_plus_api = null;
 
             // if returning from Identity + with information payload
             // extract the payload set the session variable
-            if($_GET['resp']){
+            if($_GET['identity-plus-intent']){
                     // the response gives us a reference  (a one time anonymous id corresponding to the user)
                     // will use that as anonymous id, the server does the rest
-                    $_SESSION['identity-plus-anonymous-id'] = $_GET['resp'];
-            }
-
-            // if returning from Identity + with information payload
-            // extract the payload set the session variable
-            else if($_GET['idp-api-response']){
-                    // create the API in a lazy way, only if it is necessary
-                    if($identity_plus_api == null) $identity_plus_api = identity_plus_create_api($options);
-                    $identity_plus_api->legacy_http_extract_anonymous_id($_SESSION);
+                    $_SESSION['identity-plus-anonymous-id'] = $_GET['identity-plus-intent'];
             }
     
@@ -111 +146 @@
             $is_resource_protected = false;
             $page = $_SERVER['REQUEST_URI'];
-            $filter = isset($options['page-filter']) && strlen($options['page-filter']) > 0 ? $options['page-filter'] : "/wp-admin\n/wp-login.php";
+            $filter = isset($options['page-filter']) && strlen($options['page-filter']) > 0 ? $options['page-filter'] : "/wp-admin\n/wp-login.php\n/?rest_route=/\n/wp-json/";
     
             // iterate through the filter and see if the resource is protected
@@ -147 +182 @@
 
 /**
- * Lazy create identity + API object
- * 
- * @param unknown $options
- */
-function identity_plus_create_api($options){
-        return new Identity_Plus_API(file_get_contents($options['cert-file']), $options['cert-password']);
-}
-
-
-/**
  * Issue an API call to Identity + and obtain the Certificate status and the 
  * Identity + Profile associated with the certificate. 
@@ -184 +209 @@
             exit();
         }
-        else $_SESSION['identity-plus-user-profile'] = $profile;
-        
+        else{
+            $_SESSION['identity-plus-user-profile'] = $profile;
+            $_SESSION['identity-plus-anonymous-id'] = $profile->authorizing_certificate;
+        }
+
         return $identity_plus_api;
 }
 
+/**
+ * Facilitate auto binding of the current user
+ */
+function auto_bind_current_user(){
+    // get the options again and create the api
+    $options = get_option( 'identity_plus_settings' );
+    if($identity_plus_api == null) $identity_plus_api = identity_plus_create_api($options);
+    
+    $now = time();
+    $your_date = strtotime(wp_get_current_user()->user_registered);
+    $days = ceil(abs($now - $your_date) / 86400);
+    $profile = $identity_plus_api->bind_local_user($_SESSION['identity-plus-anonymous-id'], wp_get_current_user()->ID, $days);
+    
+    // make sure we are have a local user id bound
+    if($profile->local_user_name != null){
+        add_user_meta($user_id, 'identity-plus-bound', $profile->local_user_name);
+    }
+
+    // update session data with fresh information after binding
+    $_SESSION['identity-plus-user-profile'] = $profile;
+    $_SESSION['identity-plus-anonymous-id'] = $profile->authorizing_certificate;
+}
 
 /**
@@ -204 +254 @@
             
         // If user is logged in and the Identity + profile is not bound
+        // we are disabling this to allow for manual connect / disconnect
         if(is_user_logged_in() && !isset($profile->local_user_name) && false){
-            if($identity_plus_api == null) $identity_plus_api = identity_plus_create_api($options);
-    
-            $now = time();
-            $your_date = strtotime(wp_get_current_user()->user_registered);
-            $days = ceil(abs($now - $your_date) / 86400);
-            $profile = $identity_plus_api->bind_local_user($_SESSION['identity-plus-anonymous-id'], wp_get_current_user()->ID, $days);
-            $_SESSION['identity-plus-user-profile'] = $profile;
+            auto_bind_current_user();
         }
             
@@ -228 +273 @@
             }
         }
-            
+
+        // Enforce is on and No Identity + Profile
+        // we should block the access
+        if(!is_user_logged_in() && !isset($profile->local_user_name) && isset($options['enforce']) && $options['enforce']){
+            include 'protected.php';
+            exit();
+        }
+        
         // make sure we remember how this user is bound locally as well
         // this is not entirely necessary, Identity + will communicate this info back,
@@ -302 +354 @@
         if(isset($_SESSION['identity-plus-anonymous-id']) && $_SESSION['identity-plus-anonymous-id'] != 'N/A'){
                 $options = get_option( 'identity_plus_settings' );
-                if(!empty($options) && isset($options['cert-file']) && isset($options['cert-password'])){
+                if(!empty($options) && isset($options['cert-data']) && isset($options['cert-password'])){
                         $identity_plus_api = identity_plus_create_api($options);
                 }
@@ -337 +389 @@
                 .identity-plus-cf{border:0px; width:100%; height:110px; overflow-x:hidden; overflow-y:hidden; border-top:1px solid #000000;}
                 @media screen and (max-width: 700px){ .identity-plus-cf{height:210px; overflow-x:hidden; overflow-y:hidden; }}
-                #wpfooter{bottom:120px;
+                #wpfooter{bottom:120px;}
+                #wpcontent{background:#FFFFFF;}
         </style>
-        <?php 
+        <?php
+}
+
+function idenity_plus_renew_service_agent_certificate(){
+    $options = get_option( 'identity_plus_settings' );
+    if($identity_plus_api == null) $identity_plus_api = identity_plus_create_api($options);
+    $new_identity = $identity_plus_api->issue_service_agent_identity(null, "Default");
+
+    if(isset($new_identity->p12) && isset($new_identity->password)){
+        $options['cert-data'] = $new_identity->p12;
+        $options['cert-password'] = $new_identity->password;
+    }
+
+    update_option( 'identity_plus_settings', $options);
+}
+
+function idenity_plus_issue_service_agent_certificate(){
+    $options = get_option( 'identity_plus_settings' );
+
+    // we remember this reference because we will fetch the user profile with it
+    // instead of the certificate id, if we do not already have one
+    if(!isset($_SESSION['identity-plus-anonymous-id'])) $_SESSION['identity-plus-anonymous-id'] = $_GET['identity-plus-register-intent'];
+
+    if($identity_plus_api == null) $identity_plus_api = identity_plus_create_api($options);
+    $new_identity = $identity_plus_api->register_service($_GET['identity-plus-register-intent'], "Default");
+
+    if(isset($new_identity->p12) && isset($new_identity->password)){
+        $options['cert-data'] = $new_identity->p12;
+        $options['cert-password'] = $new_identity->password;
+    }
+
+    update_option( 'identity_plus_settings', $options);
+
+    $identity_plus_api == null;
+    unset($_SESSION['identity-plus-user-profile']);
+
+    auto_bind_current_user();
 }
 
@@ -361 +450 @@
         // unbind users on Identity +
         $options = get_option( 'identity_plus_settings' );
-        if(!empty($options) && isset($options['cert-file']) && isset($options['cert-password'])){
-                $identity_plus_api = new Identity_Plus_API(file_get_contents($options['cert-file']), $options['cert-password']);
+        if(!empty($options) && isset($options['cert-data']) && isset($options['cert-password'])){
+                $identity_plus_api = new Identity_Plus_API(base64_decode($options['cert-data']), $options['cert-password']);
     
                 $users = get_users(array('meta_key' => 'identity-plus-bound'));

identity-plus/trunk/lib/settings_panel.php

@@ -7 +7 @@
 
 use identity_plus\api\communication\Intent_Type;
+use identity_plus\api\Identity_Plus_API;
 
 
@@ -16 +17 @@
 
 function identity_plus_add_admin_menu(  ) {
-        add_options_page( 'IdentityPlus Settings', 'Identity +', 'manage_options', 'identity_plus_network_of_trust', 'identity_plus_options_page' );
+        add_options_page( 'IdentityPlus Settings', 'Identity Plus', 'manage_options', 'identity_plus_network_of_trust', 'identity_plus_options_page' );
 }
 
@@ -22 +23 @@
 
 function identity_plus_settings_init(  ) {
-        if(!function_exists("curl_init")) add_settings_error('identity_plus_settings', 'identity-plus-curl-error', "Curl extension is not installed on the server! Identity + needs php5-curl extension to work. <br>(for Ubuntu type: sudo apt-get install php5-curl)", "error");
-        
-        $options = get_option( 'identity_plus_settings' );
-    
-        if(!empty($options) && isset($options['cert-file'])){
-                $cs = array();
-                if(!openssl_pkcs12_read (file_get_contents($options['cert-file']), $cs , isset($options['cert-password']) ? $options['cert-password'] : '')){
-                        add_settings_error('identity_plus_settings', 'identity-plus-api-certificate-error', "Certificate password might be wrong!", "error");
-                }
+        if(!function_exists("curl_init")){
+            add_settings_error('identity_plus_settings', 'identity-plus-curl-error', "Curl extension is not installed on the server! Identity + needs php-curl extension to work. <br>(for Ubuntu type: sudo apt-get install php-curl)", "error");
         }
-        else add_settings_error('identity_plus_settings', 'identity-plus-api-certificate-error', "API Certificate is missing!", "error");
-    
-        register_setting( 'identity_plus_cert_section', 'identity_plus_settings' , 'identity_plus_handle_file_upload');
-    
-        add_settings_section('identity_plus_identity_plus_cert_section_section', __( 'API Certificate', 'identity_plus' ), 'identity_plus_api_section_callback', 'identity_plus_cert_section');
-        add_settings_field('cert-file', __( 'Certificate File', 'identity_plus' ),  'identity_plus_cert_file_render', 'identity_plus_cert_section', 'identity_plus_identity_plus_cert_section_section');
-        add_settings_field('cert-password', __( 'Certificate Password', 'identity_plus' ), 'identity_plus_cert_password_render', 'identity_plus_cert_section',  'identity_plus_identity_plus_cert_section_section' );
-            
-        add_settings_section('identity_plus_access_section',    __( 'Resource Access', 'identity_plus' ), 'identity_plus_settings_section_callback', 'identity_plus_cert_section');
-        add_settings_field('enforce', __( 'Filtered Page Access', 'identity_plus' ), 'identity_plus_enforce_render', 'identity_plus_cert_section', 'identity_plus_access_section');
-#       add_settings_field('lock-down', __( 'Lock Down Filtered Pages', 'identity_plus' ), 'identity_plus_lock_down_render', 'identity_plus_cert_section', 'identity_plus_access_section');
-        add_settings_field('page-filter', __( 'Page Filter', 'identity_plus' ), 'identity_plus_page_filter_render', 'identity_plus_cert_section',   'identity_plus_access_section');
-    
-        add_settings_section('identity_plus_network_of_trust_section', __( 'Network Of Trust', 'identity_plus' ), 'identity_plus_not_section_callback', 'identity_plus_cert_section');
-        add_settings_field('comments', __( 'Comments', 'identity_plus' ),   'identity_plus_comments_render', 'identity_plus_cert_section', 'identity_plus_network_of_trust_section');
+
+        $problems = idp_problems(get_option( 'identity_plus_settings' ));
+        if($problems) add_settings_error('identity_plus_settings', 'identity-plus-api-certificate-error', $problems, "error");
 }
 
@@ -52 +34 @@
 
 function identity_plus_cert_file_render( ) {
-        $options = get_option( 'identity_plus_settings' );?>
-        <input type="file" name="identity-plus-api-cert-file" /><?php
-}
-
+        ?><input type="file" style="margin-top:5px;" name="identity-plus-api-cert-file" /><?php
+}
 
 
 function identity_plus_cert_password_render(  ) { 
         $options = get_option( 'identity_plus_settings' ); ?>
-        <input type='text' name='identity_plus_settings[cert-password]' style="width:350px;" value='<?php echo isset($options['cert-password']) ? $options['cert-password'] : ""; ?>'><?php
-}
-
+        <input type='text' name='identity_plus_settings[cert-password]' style="width:350px; margin-bottom:10px; margin-top:5px;" placeholder="Type/Paste Certificate Password" value='<?php echo isset($options['cert-password']) ? $options['cert-password'] : ""; ?>'><?php
+}
 
 
@@ -78 +57 @@
 function identity_plus_enforce_render(  ) {
         $options = get_option( 'identity_plus_settings' );?>
-        <input type='checkbox' id='identity_plus_settings[enforce]' name='identity_plus_settings[enforce]' <?php isset($options['enforce']) ? checked( $options['enforce'], 1 ) : ""; ?> value='1'><label for='identity_plus_settings[enforce]'>Enforce Identity + Device Certificate</label>
-        <p class="identity-plus-hint" style="max-width:640px; font-size:90%; color:rgba(0, 0, 0, 0.6);">When Identity + certificate is enforced, resources starting with any of the enumerated filters will only 
-        be accessible from devices (desktop / laptop /mobile ) bearing a valid Identity + SSL Client Certificate. Local user roles apply</p><?php
+        <input type='checkbox' id='identity_plus_settings[enforce]' name='identity_plus_settings[enforce]' <?php isset($options['enforce']) ? checked( $options['enforce'], 1 ) : ""; ?> value='1'><label for='identity_plus_settings[enforce]'>Enforce Device Identity</label>
+        <p class="identity-plus-hint" style="margin-bottom:10px;">When Identity Plus device id is enforced, resources starting with any of the enumerated filters will only 
+        be accessible from devices (desktop / laptop /mobile ) bearing a valid Identity + SSL Client Certificate. </p><?php
 }
 
@@ -95 +74 @@
 function identity_plus_page_filter_render(  ) { 
         $options = get_option( 'identity_plus_settings' );?>
-        <label for='identity_plus_settings[page-filter]'>One filter per line.</label>
-        <textarea cols='40' rows='5' name='identity_plus_settings[page-filter]'><?php echo isset($options['page-filter']) && strlen($options['page-filter']) > 0 ? $options['page-filter'] : "/wp-admin\n/wp-login.php"; ?></textarea>
+        <textarea cols='40' rows='5' name='identity_plus_settings[page-filter]'><?php echo isset($options['page-filter']) && strlen($options['page-filter']) > 0 ? $options['page-filter'] : "/wp-admin\n/wp-login.php\n/?rest_route=/\n/wp-json/"; ?></textarea>
         <?php
 }
@@ -110 +88 @@
 
 
-
-function identity_plus_api_section_callback(  ) {
-        ?><p class="identity-plus-separator" style="padding-top:5px;"></p><p class="identity-plus-hint">With Identity + all communication is encrypted, even redirects. We don't use tokens, we use public key criptography for authentication.</p>
-        <div class="cert"><h4>Certificate Details</h4><?php 
-        $options = get_option( 'identity_plus_settings' );
-        if(!empty($options) && isset($options['cert-file'])){
-                $cs = array();
-                if(openssl_pkcs12_read (file_get_contents($options['cert-file']), $cs , isset($options['cert-password']) ? $options['cert-password'] : '')){
-                        $cert_details = openssl_x509_parse($cs['cert']);
-                        $now = time();
-                        $your_date = strtotime(wp_get_current_user()->user_registered);
-                        $days = floor(abs($cert_details['validTo_time_t'] - $now) / 86400);
-                        ?>
-                        <p><span>Serial No: </span><?php echo strtoupper(dechex($cert_details['serialNumber'])) ?></p>
-                        <p><span>Subject: </span><?php echo substr(str_replace("/", ", ", $cert_details['name']), 2) ?></p>
-                        <p><span>Valid Until: </span><?php echo date(DATE_RFC2822, $cert_details['validTo_time_t']) ?></p> 
-                        <p><span>Expires In: </span><?php echo  $days?> days</p>
-                        <?php 
-                }
-                else{
-                        ?><p>API certificate cannot be read.</p><?php 
-                }
-        }
-        ?><p style="margin:10px 0 0 0; float:left; clear:both; font-size:80%; max-width:550px; color:#808080;">file: <?php echo !isset($options['cert-file']) ? "API Certificate Not Loaded" : $options['cert-file']; ?> <a target="_blank" href="https://my.identity.plus"><?php echo !isset($options['cert-file']) ? "Get A Certificate" : "Renew Certificate"; ?></a></p></div><?php
-}
-
-
-
 function identity_plus_settings_section_callback(  ) { 
         ?><p class="identity-plus-separator" style="padding-top:5px;"></p><p class="identity-plus-hint">You can restrict access to critical sections of your site to authorized devices only</p><?php 
@@ -147 +97 @@
         ?>
         <style>
-                .identity-plus-main-fm {margin:0; background:url('<?php echo plugins_url( 'img/idp.svg', __FILE__ ) ?>') no-repeat top left; background-size:64px;}
+                .identity-plus-main-fm{ float:left; overflow:hidden; clear:left;}
+                .identity-plus-main-fm-header {margin:0; background:url('<?php echo plugins_url( 'img/idp.svg', __FILE__ ) ?>') no-repeat top left; background-size:42px; margin-bottom:30px;}
+                .identity-plus-main-fm-header h1{padding-left:50px; padding-top:20px; margin-bottom:0; font-size:30px;font-weight:normal; }
+                .identity-plus-main-fm-header h5{padding-left:50px; font-size:14px; font-weight:300; padding-bottom:0px; padding-top:0; margin:10px 0px 0px 0px;}
+                h5.identity-plus-title {font-weight:300; font-size:16px; line-height:130%; margin:0; max-width:640px; color:#909090;}
+                .identity-plus-main-fm p{margin:0;}
                 .identity-plus-main-fm th{padding-bottom:15px; padding-top:15px; color:#136a92;}
                 .identity-plus-main-fm td{padding-bottom:10px; padding-top:10px; }
-                .identity-plus-main-fm h1{padding-left:80px; padding-top:10px; margin-bottom:0; font-size:36px;font-weight:normal; }
-                .identity-plus-main-fm h5{padding-left:80px; font-size:20px; font-weight:300; padding-bottom:5px; padding-top:0; margin-top:15px;}
-                .identity-plus-main-fm h2, .identity-plus-main-fm h3{border-bottom:0; background:#303030; float:left; clear:left; padding:5px 20px; margin-bottom:0px; color:#62B2F3; font-weight:normal; border-top-left-radius:5px; border-top-right-radius:5px; margin-left:10px;}
-                .identity-plus-main-fm h4{border-bottom:1px solid #E0E0E0; color:#707070; padding-bottom:3px; padding-top:10px; margin-bottom:5px; font-weight:normal; font-size:16px;padding-top:0; margin-top:0; }
+                .identity-plus-main-fm h2, .identity-plus-main-fm h3{border:1px solid #72777c; border-bottom:0; background:#72777c; float:left; clear:left; padding:8px 20px; margin-bottom:0px; color:#FFFFFF; font-weight:normal; border-top-left-radius:1px; border-top-right-radius:1px; margin-left:0px; margin-top:50px;}
+                .identity-plus-main-fm h4{border-bottom:1px solid #E0E0E0; color:#707070; padding-bottom:3px; padding-top:15px; margin-bottom:5px; font-weight:normal; font-size:16px;padding-top:0; margin-top:0; }
                 .identity-plus-main-fm .cert {max-width:600px; border-radius:3px; float:left; clear:both;}
                 .identity-plus-main-fm .cert p span{font-weight:bold;}
                 .identity-plus-main-fm .cert p{margin:0px; float:left; clear:left;}
                 .identity-plus-main-fm .cert {padding:10px; background:rgba(255, 255, 255, 0.6); border:1px solid rgba(0, 0, 0, 0.3);}
-                .identity-plus-separator{border-top:1px solid #303030; margin-top:0px; float:left; width:90%; clear:both; height:5px; margin-bottom:0px;}
-                .identity-plus-hint{float:left; clear:both; max-width:600px; color:#606060; font-size:14px; margin-top:0px; margin-bottom:10px;}
-                .identity-plus-brand span{color:#4292D3;}
+                .identity-plus-separator{border-top:1px solid #72777c; margin-top:0px; float:left; width:100%; clear:both; height:5px; margin-bottom:0px;}
+                .identity-plus-hint{float:left; clear:both; max-width:600px; color:#909090; font-size:12px; margin-top:0px; margin-bottom:10px;}
+                .identity-plus-brand span{color:#4292D3; margin-left:0.1em;}
                 .identity-plus-main-fm input, .identity-plus-main-fm textarea{ float:left; clear:left;}
                 .identity-plus-main-fm input[type="checkbox"]{ margin-top:0; margin-right:5px;}
@@ -167 +120 @@
                 .identity-plus-main-fm table{max-width:600px; float:left; clear:left;}
                 .identity-plus-main-fm table th img{border-radius:60px; border:3px solid #D0D0D0;}
+                .identity-plus-main-fm a.toggle-off {font-size:16px; color:#202020; padding:5px 0px 5px 0px; margin-right:30px; cursor:pointer;}
+                .identity-plus-main-fm a.toggle-on {font-size:16px; color:#202020;  padding:5px 0px 5px 0px; margin-right:30px; cursor:pointer; border-bottom:1px solid #606060; display:inline-block;}
+                .circular_progress {transform: rotate(90deg);display: inline;}
+                div.holder-more {overflow: hidden;width: 128px;height: 128px;margin-top: 1px;margin-right: 30px;text-align: center; padding-left: 0; display: inline-block; float:left; clear:left; margin-right:30px;}
+                div.holder-more p.overlay {position: relative;width: 100%;line-height: 120%;top: -93px;font-weight: 400; font-size:120%;}
+                div.holder-more p.overlay span {font-weight: 300;font-size: 90%;color: #606060;}
+                #wpfooter{position:static;}
+                .nodisp{display:none;}
+                .identity-plus-main-fm input[type=checkbox], .identity-plus-main-fm input[type=radio]{margin:0px 10px 5px 0px; float;left; clear:left; box-shadow:none;}
+                .identity-plus-main-fm input[type=text]{padding:5px; box-shadow:none;}
+                .identity-plus-main-fm textarea{margin:0px 10px 5px 0px; float:left; clear:left; margin-bottom:20px; border-radius:1px; border:1px solid #72777c; box-shadow:none; padding:5px 10px; background:rgba(0,0,0,0.05); font-family:monospace;}
+                .identity-plus-main-fm textarea:focus{box-shadow:none;}
+                .identity-plus-main-fm .submit{float:left; clear:left; margin-top:0px; padding:0px; height:32px;}
+                .identity-plus-main-fm .submit input[type="submit"]{text-decoration:none; background:#4292D3; color:#FFFFFF; display:inline-block; border-radius:1px; border:1px solid rgba(0,0,0,0.1); cursor:pointer; box-shadow:none; text-shadow:none; font-size:14px; padding:3px 18px; height:auto;}
+                .identity-plus-main-fm a.submit{text-decoration:none; background:#4292D3; color:#FFFFFF; display:inline-block; border-radius:1px; border:1px solid rgba(0,0,0,0.1); cursor:pointer; box-shadow:none; text-shadow:none; font-size:14px; padding:8px 18px 6px 18px; height:auto;}
+                .wp-core-ui .notice.is-dismissible{margin-left:0;}
         </style>
         <?php 
 }
 
+function settings_header(){ ?>
+    <table><tr>
+            <td><h5 class="identity-plus-title">
+                Authenticate with your device and prevent unknown and malicious devices from accessing your Wordpress account. Great security at great convenience.
+            </h5></td>
+    </tr></table>
+<?php }
+
+function identity_plus_api_section_callback(  ) {
+    $problems = idp_problems(get_option( 'identity_plus_settings' ));
+
+    settings_header();
+
+    ?>
+    
+    <div class="identity-plus-main-fm" >
+        <h2>Service Identity</h2>
+        <p class="identity-plus-separator" style="padding-top:5px;"></p>
+        <p class="identity-plus-hint">Your Worpress uses PKI credentials to authenticate into Indentity Plus. This is necessary to make sure nobody impersonates your service.</p>
+    </div>
+    <div class="identity-plus-main-fm" >
+    <table class=""><tr>
+
+    <?php
+    
+    if(!$problems){
+        // display dial for certificate lifetime
+        // and expiry
+        ?>
+        <td valign="top"><div class="holder-more"><?php
+            $perimeter = 2*3.14*60;
+            $options = get_option( 'identity_plus_settings' );
+            $dash = 0;
+            $days = 0;
+            if(!empty($options) && isset($options['cert-data'])){
+                    $cs = array();
+                    if(openssl_pkcs12_read (base64_decode($options['cert-data']), $cs , isset($options['cert-password']) ? $options['cert-password'] : '')){
+                            $cert_details = openssl_x509_parse($cs['cert']);
+                            $now = time();
+                            $days = floor(abs($cert_details['validTo_time_t'] - $now) / 86400);
+                            $all_days = floor(abs($cert_details['validTo_time_t'] - $cert_details['validFrom_time_t']) / 86400);
+                            $dash = $perimeter*($days*1.0/$all_days*1.0);
+                    }
+            }
+            ?><div class="holder-more">
+            <svg width="124.0" height="124.0" viewBox="0 0 124.0 124.0" class="circular_progress">
+                <circle cx="62.0" cy="62.0" r="60.0" fill="none" stroke="#E7E7E7" stroke-width="1.5"></circle>
+                <circle cx="62.0" cy="62.0" r="60.0" fill="none" stroke="#007aD0" stroke-width="1.5" stroke-dasharray="<?php echo $perimeter; ?>" stroke-dashoffset="<?php echo ($perimeter - $dash);?>"></circle>
+            </svg>
+            <p class="overlay"><span><?php echo $days == 0 ? "" : "Expires"; ?><br><?php echo $days == 0 ? "N/A" : date("yy, M, d", $cert_details['validTo_time_t']) ?></span><br><?php echo $days == 0 ? "" : $days . "d"?><span></span></p>
+        </div><?php
+        ?></div>
+        </td>
+    <?php } ?>
+
+    <td valign="top"><div class="identity-plus-main-fm">
+        <script>
+            function toggle_renewal(mode){
+                document.getElementById('renew-fm').className = mode == 0 ? 'identity-plus-hint' : 'nodisp'; 
+                document.getElementById('upload-fm').className = mode == 0 ? 'nodisp' : 'identity-plus-hint';
+                document.getElementById('integrated').className = mode == 0 ? 'toggle-on' : 'toggle-off'; 
+                document.getElementById('manual').className = mode == 0 ? 'toggle-off' : 'toggle-on';
+            }
+        </script>
+        <a id="integrated" class="toggle-on" onclick="toggle_renewal(0)">Automated</a>
+        <a id="manual" class="toggle-off" onclick="toggle_renewal(1);">Manual</a>
+    </div>
+
+    <?php if(empty($options) || !isset($options['cert-data'])){ ?>
+        <form id="renew-fm" class="identity-plus-main-fm" action="admin-post.php" method='post' enctype="multipart/form-data">
+                <div>
+                    <p class="identity-plus-hint" style="font-size:13px; margin-bottom:5px;">Click the button below to add certify your ownership of this Wordpress instance.</p>
+                    <a class="submit" href="<?php echo("https://register." . Identity_Plus_API::HOME . "/?service=" . get_bloginfo('name') . "&url=" . urlencode((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));?>" target="_blank">Certify Ownership</a>
+                </div>
+        </form>
+    <?php } else { ?>
+        <form id="renew-fm" class="identity-plus-main-fm" action="admin-post.php" method='post' enctype="multipart/form-data">
+                <input type="hidden" name="action" value="renew_certificate">
+                <div>
+                    <p class="identity-plus-hint" style="font-size:13px; margin-bottom:5px;">To avoid outage, your service identity (certificate) will be renewed automatically in <?php echo floor($days - $all_days/3); ?> days.</p>
+                    <?php submit_button("Auto-Renew Now"); ?>
+                </div>
+        </form>
+    <?php } ?>
+
+    <form id="upload-fm" class="nodisp" action="admin-post.php" method='post' enctype="multipart/form-data">
+            <input type="hidden" name="action" value="upload_certificate">
+            <div>
+                <p class="identity-plus-hint" style="font-size:13px;">Create the service in your <a href="https://my.identity.plus" target="_blank">identityp.plus dashboard</a>, issue the Service Agent Identity and upload it manually.</p>
+                <?php identity_plus_cert_file_render(); ?>
+                <?php identity_plus_cert_password_render(); ?>
+                <?php submit_button("Upload Manually"); ?>
+            </div>
+    </form>
+    </td></tr></table>
+
+    <?php if(!$problems){ 
+        // add the access restriction configuration section
+        // and also the network of trust enrollment
+        ?>
+        <div class="identity-plus-main-fm" >
+            <h2>Access Restrictions</h2>
+            <p class="identity-plus-separator" style="padding-top:5px;"></p><p class="identity-plus-hint">You can restrict access to critical sections of your site to authorized devices only. Add one resource pattern per line.</p>
+        </div>
+        <form id="upload-fm" class="identity-plus-main-fm" action="admin-post.php" method='post' enctype="multipart/form-data">
+                <input type="hidden" name="action" value="save_access">
+                <div>
+                    <?php identity_plus_page_filter_render(); ?>
+                    <?php identity_plus_enforce_render(); ?>
+                    <?php submit_button("Save"); ?>
+                </div>
+        </form>
+
+        <div class="identity-plus-main-fm" >
+            <h2>Network of Trust</h2>
+            <p class="identity-plus-separator" style="padding-top:5px;"></p><p class="identity-plus-hint">Collaborate with the Identity Plus community to better identify legitimate users using anonymized hooks (no personal information is shared). This will help eliminate SPAM and fake accounts.</p>
+        </div>
+        <form id="upload-fm" class="identity-plus-main-fm" action="admin-post.php" method='post' enctype="multipart/form-data">
+                <input type="hidden" name="action" value="not_enroll">
+                <div>
+                    <?php submit_button(isset($options['not_enroll']) && $options['not_enroll'] == 1 ? "Disable" : "Enroll"); ?>
+                </div>
+        </form>
+    <?php
+    }
+}
+
+add_action( 'admin_post_not_enroll', 'identity_plus_admin_not_enroll');
+function identity_plus_admin_not_enroll(){
+    $options = get_option( 'identity_plus_settings');
+
+    if(isset($options['not_enroll']) && $options['not_enroll'] == 1) $options['not_enroll'] = 0;
+    else  $options['not_enroll'] = 1;
+
+    update_option( 'identity_plus_settings', $options);
+
+    wp_redirect( $_SERVER["HTTP_REFERER"], 302, 'WordPress' );
+    exit;
+    status_header(200);
+    die("Certificate uploaded.");
+}
+
+add_action( 'admin_post_save_access', 'identity_plus_admin_save_access');
+function identity_plus_admin_save_access(){
+    $options = get_option( 'identity_plus_settings');
+
+    $options['page-filter'] = $_POST["identity_plus_settings"]["page-filter"];
+    $options['enforce'] = $_POST["identity_plus_settings"]["enforce"];
+
+    update_option( 'identity_plus_settings', $options);
+
+    wp_redirect( $_SERVER["HTTP_REFERER"], 302, 'WordPress' );
+    exit;
+    status_header(200);
+    die("Certificate uploaded.");
+}
 
 
 function identity_plus_options_page(  ) { 
         ?>
-        <form class="identity-plus-main-fm" action='options.php' method='post' enctype="multipart/form-data">
-                <h1 class="identity-plus-brand">Identity<span>plus</span></h1>
-                <h5>man &amp; machine</h5>
-                <?php
-                        settings_fields( 'identity_plus_cert_section' );
-                        do_settings_sections( 'identity_plus_cert_section' );
-                        submit_button();
-                ?>
-        </form>
-        <?php
-}
-
-
-
-function identity_plus_handle_file_upload($option){
-        if(!empty($_FILES["identity-plus-api-cert-file"]["tmp_name"])){
-                $urls = wp_handle_upload($_FILES["identity-plus-api-cert-file"], array('test_form' => FALSE));
-                if(!empty($urls["error"])){
-                    add_settings_error('identity_plus_settings', 'identity-plus-upload-error', $urls["error"], "error");
-                }
-                if(!empty($urls["file"])) $option['cert-file'] = $urls["file"];
-        }
+        <div class="identity-plus-main-fm-header">
+            <h1 class="identity-plus-brand">identity<span>plus</span></h1>
+            <h5>authenticate everything</h5>
+        </div>
         
-        $old_options = get_option( 'identity_plus_settings' );
-        if(!isset($option['cert-file']) && isset($old_options['cert-file'])) $option['cert-file'] = $old_options['cert-file'];
-    
-        return $option;
+        <?php 
+        
+        identity_plus_api_section_callback();
 }
 
@@ -212 +318 @@
 }
 
+add_action( 'admin_post_upload_certificate', 'identity_plus_admin_upload_certificate');
+function identity_plus_admin_upload_certificate(){
+    $options = get_option( 'identity_plus_settings');
+
+    if(!empty($_FILES["identity-plus-api-cert-file"]["tmp_name"])){
+        $options['cert-data'] = base64_encode(file_get_contents($_FILES["identity-plus-api-cert-file"]["tmp_name"]));
+        $options['cert-password'] = $_POST["identity_plus_settings"]["cert-password"];
+    }
+
+    update_option( 'identity_plus_settings', $options);
+
+    wp_redirect( $_SERVER["HTTP_REFERER"], 302, 'WordPress' );
+    exit;
+    status_header(200);
+    die("Certificate uploaded.");
+}
+
+add_action( 'admin_post_renew_certificate', 'identity_plus_admin_renew_certificate');
+function identity_plus_admin_renew_certificate(){
+    idenity_plus_renew_service_agent_certificate();
+
+    wp_redirect( $_SERVER["HTTP_REFERER"], 302, 'WordPress' );
+    exit;
+    status_header(200);
+    die("Certificate renewed.");
+}
 
 
@@ -222 +354 @@
         if($identity_plus_api == null) $identity_plus_api = identity_plus_create_api($options);
 
-        if(isset($_SESSION['identity-plus-user-profile'])){
-            $profile = $identity_plus_api->bind_local_user($_SESSION['identity-plus-anonymous-id'], $user_id, $days);
-
-            $_SESSION['identity-plus-user-profile'] = $profile;
-            add_user_meta($user_id, 'identity-plus-bound', $user_id);
-            $error = "I: Your wordpress account and your identity plus account have been connected!";
-            set_transient("identity_plus_acc_{$user_id}", $error, 45);      
-
-            wp_redirect( $_SERVER['HTTP_REFERER'] );
-        }
-        else{
-            $user_info = get_userdata($user_id);
-            $intent = $identity_plus_api->create_intent(Intent_Type::bind, $user_id, $user_info->user_firstname . ' ' . $user_info->user_lastname, $user_info->user_email, '', $_SERVER['HTTP_REFERER'] . '&bind=true');
-            wp_redirect('https://get.identity.plus?intent=' . $intent->value);
-        }
+        $user_info = get_userdata($user_id);
+        $intent = $identity_plus_api->create_intent(Intent_Type::bind, $user_id, $user_info->user_firstname . ' ' . $user_info->user_lastname, $user_info->user_email, '', $_SERVER['HTTP_REFERER'] . '&bind=true');
+        unset($_SESSION['identity-plus-user-profile']);
+        unset($_SESSION['identity-plus-anonymous-id']);
+        wp_redirect(Identity_Plus_API::validation_endpoint.'/' . $intent->value);
 
         exit();
@@ -271 +393 @@
 function identity_plus_add_idp_page(  ) {
         $options = get_option( 'identity_plus_settings' );
-        if(!empty($options) && isset($options['cert-file'])){
+        if(!empty($options) && isset($options['cert-data'])){
             add_menu_page( 
                     'My IdentityPlus',
-                    'Device Identity', 
+                    'Device Login', 
                     'exist', 
                     'identity_plus_authentication', 
                     'identity_plus_authentication_page',
-                    'data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+PHN2ZyAgIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgICB4bWxuczpjYz0iaHR0cDovL2NyZWF0aXZlY29tbW9ucy5vcmcvbnMjIiAgIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4LW5zIyIgICB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiAgIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgICB4bWxuczpzb2RpcG9kaT0iaHR0cDovL3NvZGlwb2RpLnNvdXJjZWZvcmdlLm5ldC9EVEQvc29kaXBvZGktMC5kdGQiICAgeG1sbnM6aW5rc2NhcGU9Imh0dHA6Ly93d3cuaW5rc2NhcGUub3JnL25hbWVzcGFjZXMvaW5rc2NhcGUiICAgdmVyc2lvbj0iMS4xIiAgIGlkPSJMYXllcl8xIiAgIHg9IjBweCIgICB5PSIwcHgiICAgd2lkdGg9IjEyOHB4IiAgIGhlaWdodD0iMTI4cHgiICAgdmlld0JveD0iMCAwIDEyOCAxMjgiICAgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMTI4IDEyODsiICAgeG1sOnNwYWNlPSJwcmVzZXJ2ZSIgICBpbmtzY2FwZTp2ZXJzaW9uPSIwLjkxIHIxMzcyNSIgICBzb2RpcG9kaTpkb2NuYW1lPSJkYXJrLXBsdXMtc2ltcGxlLnN2ZyI+PG1ldGFkYXRhICAgICBpZD0ibWV0YWRhdGEzOSI+PHJkZjpSREY+PGNjOldvcmsgICAgICAgICByZGY6YWJvdXQ9IiI+PGRjOmZvcm1hdD5pbWFnZS9zdmcreG1sPC9kYzpmb3JtYXQ+PGRjOnR5cGUgICAgICAgICAgIHJkZjpyZXNvdXJjZT0iaHR0cDovL3B1cmwub3JnL2RjL2RjbWl0eXBlL1N0aWxsSW1hZ2UiIC8+PC9jYzpXb3JrPjwvcmRmOlJERj48L21ldGFkYXRhPjxkZWZzICAgICBpZD0iZGVmczM3IiAvPjxzb2RpcG9kaTpuYW1lZHZpZXcgICAgIHBhZ2Vjb2xvcj0iI2ZmZmZmZiIgICAgIGJvcmRlcmNvbG9yPSIjNjY2NjY2IiAgICAgYm9yZGVyb3BhY2l0eT0iMSIgICAgIG9iamVjdHRvbGVyYW5jZT0iMTAiICAgICBncmlkdG9sZXJhbmNlPSIxMCIgICAgIGd1aWRldG9sZXJhbmNlPSIxMCIgICAgIGlua3NjYXBlOnBhZ2VvcGFjaXR5PSIwIiAgICAgaW5rc2NhcGU6cGFnZXNoYWRvdz0iMiIgICAgIGlua3NjYXBlOndpbmRvdy13aWR0aD0iOTQ4IiAgICAgaW5rc2NhcGU6d2luZG93LWhlaWdodD0iNDgwIiAgICAgaWQ9Im5hbWVkdmlldzM1IiAgICAgc2hvd2dyaWQ9ImZhbHNlIiAgICAgaW5rc2NhcGU6em9vbT0iMS40ODk3NjUxIiAgICAgaW5rc2NhcGU6Y3g9IjEwNi45NzU5IiAgICAgaW5rc2NhcGU6Y3k9IjY0IiAgICAgaW5rc2NhcGU6d2luZG93LXg9IjEzMSIgICAgIGlua3NjYXBlOndpbmRvdy15PSI0NDAiICAgICBpbmtzY2FwZTp3aW5kb3ctbWF4aW1pemVkPSIwIiAgICAgaW5rc2NhcGU6Y3VycmVudC1sYXllcj0iZzMiIC8+PGcgICAgIGlkPSJnMyIgICAgIHN0eWxlPSJmaWxsOiNjY2NjY2MiPjxwYXRoICAgICAgIHN0eWxlPSJmaWxsOiNjY2NjY2MiICAgICAgIGQ9Im0gMCwwIDAsMTI4IDEyOCwwIDAsLTEyOCB6IG0gMTIuNjQwNjI1LDQwLjAxNzU3OCAxMS43MzYzMjgsMCAwLDkuNTcyMjY2IC0xMS43MzYzMjgsMCB6IG0gNDQuMDY0NDUzLC02IDExLjgwMjczNCwwIDAsNTcuMDE1NjI1IGMgLTguMDAxNzcsLTAuMzY2MTE5IC0xMi41Nzk4MTgsMC4zMjQzMTMgLTIzLjkwMDM5LDAuOTQ5MjE5IC00LjUyNDU0NSwwIC04LjI0MTM2MywtMS43OTIyOSAtMTEuMTQ4NDM4LC01LjM3Njk1MyAtMi45MDcwNzQsLTMuNjA2NTIyIC00LjM1OTM3NSwtOC4yMzkyNDYgLTQuMzU5Mzc1LC0xMy45MDAzOTEgMCwtNS42NjExNDUgMS40NTIzMDEsLTEwLjI4NDQ3OCA0LjM1OTM3NSwtMTMuODY5MTQgMi45MDcwNzUsLTMuNjA2NTIyIDYuNjIzODkzLC01LjQxMDE1NyAxMS4xNDg0MzgsLTUuNDEwMTU3IDE3LjE0MDM1NywxLjA2OTY5IDExLjA2MDU2NCw0LjM5NDExNCAxMi4wOTc2NTYsLTE5LjQwODIwMyB6IG0gMzUuNzM2MzI4LDE0LjkxNzk2OSA3LjgwNDY4NCwwIDAsMTcuMTc5Njg3IDE3LjExMzI5LDAgMCw3LjczNjMyOCAtMTcuMTEzMjksMCAwLDE3LjE4MTY0MSAtNy44MDQ2ODQsMCAwLC0xNy4xODE2NDEgLTE3LjExMzI4MSwwIDAsLTcuNzM2MzI4IDE3LjExMzI4MSwwIHogbSAtNzkuODAwNzgxLDUuMzc2OTUzIDExLjczNjMyOCwwIDAsMzYuNzIwNzAzIC0xMS43MzYzMjgsMCB6IG0gMzYuMzI2MTcyLDcuNjM4NjcyIGMgLTIuNDkxNzc4LDAgLTQuNDAzMDA4LDAuOTE3ODU5IC01LjczNjMyOCwyLjc1MzkwNiAtMS4zMTE0NjIsMS44MzYwNDcgLTEuOTY4NzUsNC41MDI3NjcgLTEuOTY4NzUsOCAwLDMuNDk3MjMzIDAuNjU3Mjg4LDYuMTYzOTUzIDEuOTY4NzUsOCAxLjMzMzMyLDEuODM2MDQ3IDMuMjQ0NTUsMi43NTM5MDYgNS43MzYzMjgsMi43NTM5MDYgMi41MTM2MzYsMCA0LjQyNjgxOSwtMC45MTc4NTkgNS43MzgyODEsLTIuNzUzOTA2IDEuMzMzMzIsLTEuODM2MDQ3IDIsLTQuNTAyNzY3IDIsLTggMCwtMy40OTcyMzMgLTAuNjY2NjgsLTYuMTYzOTUzIC0yLC04IC0xLjMxMTQ2MiwtMS44MzYwNDcgLTMuMjI0NjQ1LC0yLjc1MzkwNiAtNS43MzgyODEsLTIuNzUzOTA2IHoiICAgICAgIGlkPSJyZWN0NSIgICAgICAgaW5rc2NhcGU6Y29ubmVjdG9yLWN1cnZhdHVyZT0iMCIgICAgICAgc29kaXBvZGk6bm9kZXR5cGVzPSJjY2NjY2NjY2NjY2NjY2NzY2NjY2NjY2NjY2NjY2NjY2NjY2Njc2NzY3Njc2NzIiAvPjwvZz48ZyAgICAgaWQ9ImcyNSIgLz48ZyAgICAgaWQ9ImcyNyIgLz48ZyAgICAgaWQ9ImcyOSIgLz48ZyAgICAgaWQ9ImczMSIgLz48ZyAgICAgaWQ9ImczMyIgLz48L3N2Zz4='
+                    'data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCFET0NUWVBFIHN2ZyBQVUJMSUMgIi0vL1czQy8vRFREIFNWRyAxLjEvL0VOIiAiaHR0cDovL3d3dy53My5vcmcvR3JhcGhpY3MvU1ZHLzEuMS9EVEQvc3ZnMTEuZHRkIj4KPHN2ZyB2ZXJzaW9uPSIxLjEiIGlkPSJMYXllcl8xIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB4PSIwcHgiIHk9IjBweCIKCSB3aWR0aD0iNjQwcHgiIGhlaWdodD0iNjQwcHgiIHZpZXdCb3g9IjAgMCA2NDAgNjQwIiBlbmFibGUtYmFja2dyb3VuZD0ibmV3IDAgMCA2NDAgNjQwIiB4bWw6c3BhY2U9InByZXNlcnZlIj4KPGc+PHBhdGggZmlsbD0iIzQ1OTZDRSIgZD0iTTI0NC44NTcsNTg4LjAyN0gxMDcuODMxTDM5NS41MTMsMy40MmgxMzYuNjU2TDI0NC44NTcsNTg4LjAyN3oiLz48L2c+Cjwvc3ZnPgo='
             );
         }
 }
+
+function connect_header(){ ?>
+    <table><tr>
+            <th><img width="64" height="64" src="<?php echo plugins_url( 'img/unknown.jpg', __FILE__ ) ?>"></th>
+            <td><p class="identity-plus-hint">
+                Your Wordpress uses <a target="_blank" title="My Identity Plus Application" href="https://my.identity.plus"class="identity-plus-brand">identity<span>plus</span></a> to protect your account and your credentials.
+                You can now enjoy secure, passwordless authentication experience. Only devices owned and registered by you can access your Wordpress account.
+            </p></td>
+    </tr></table>
+<?php }
 
 function identity_plus_idp_page(  ) {
@@ -295 +427 @@
 
         ?>
-                <?php if(get_user_meta($user_id, 'identity-plus-bound', true)){ ?>
-                    <table><tr>
-                            <th><img width="64" height="64" src="https://get.identity.plus/widgets/profile-picture"></th>
-                            <td><p class="identity-plus-hint">
-                                Your Wordpress uses <a target="_blank" title="My Identity Plus Application" href="https://my.identity.plus"><span>identity</span></a> to protect your account and your credentials.
-                                You can now enjoy secure password-less experience. Only devices owned and registered by you can access your Wordpress account.
-                            </p></td>
-                    </tr></table>
+                <?php if(get_user_meta($user_id, 'identity-plus-bound', true)){ 
+                    connect_header(); 
+
+                    ?>
 
                     <h2>Disconnect</h2><p class="identity-plus-separator" style="padding-top:5px;"></p>
-                    <?php if(isset($options['enforce']) && checked( $options['enforce'], 1 )){ ?>
+                    <?php if(isset($options['enforce']) && $options['enforce'] == 1 ){ ?>
                         <p class="identity-plus-hint" >Your <a href="<?php echo admin_url('options-general.php?page=identity_plus_network_of_trust'); ?>">identityplus settings</a> only allow admin access from certified devices. Disconnect is disabled as you would lock yourself out from admin section.</p>
                     <?php } else { ?>
                         <p class="identity-plus-hint" >By disconnecting your identityplus account from the local account, you will lose the ability to sign in via device id. Are you sure?</p>
                         <input type="hidden" name="action" value="identity_plus_disconnect">
-                        <div><input type="checkbox" id="idp-i-am-sure" name="idp-i-am-sure" onchange="document.getElementById('identity_plus_disconnect').style.display = document.getElementById('idp-i-am-sure').checked ? 'block' : 'none';"><label for="idp-i-am-sure">Yes, I am sure I want to disconnect.</label></div>
-                        <input type="submit" id="identity_plus_disconnect" style="display:none; background:#900000; color:#FFFFFF; padding:7px 15px 5px 15px; border-radius:2px; border:1px solid #500000" value="DISCONNECT">
+                        <div style="margin-top:10px;"><input type="checkbox" id="idp-i-am-sure" name="idp-i-am-sure" onchange="document.getElementById('identity_plus_disconnect').style.display = document.getElementById('idp-i-am-sure').checked ? 'block' : 'none';"><label for="idp-i-am-sure">Yes, I am sure I want to disconnect.</label></div>
+                        <input type="submit" id="identity_plus_disconnect" style="display:none; background:#900000; color:#FFFFFF; padding:8px 18px 6px 18px; border-radius:3px; border:1px solid rgba(0,0,0,0.1);" value="Disconnect">
                     <?php } ?>
 
-                <?php } else if(isset($_SESSION['identity-plus-user-profile'])){ ?>
-                    <table><tr>
-                            <th><img width="64" height="64" src="https://get.identity.plus/widgets/profile-picture"></th>
-                            <td>
-                                <p class="identity-plus-hint">
-                                    Your Wordpress uses <a target="_blank" title="My Identity Plus Application" href="https://identity.plus"><span>identity</span></a> to protect your account and your credentials by
-                                    only allowing devices owned and registered by you to access your Wordpress account.
-                                </p>
-                            </td>
-                    </tr></table>
+                <?php } else if(isset($_SESSION['identity-plus-user-profile'])){ 
+                    connect_header();
+
+                    ?>
                     
                     <p class="identity-plus-hint" >Connect your identity<span class="identity-plus-brand">plus</span> account for secure, password-less login experience.</p>
                     <input type="hidden" name="action" value="identity_plus_connect">
-                    <input type="submit" id="identity_plus_disconnect" style="background:#303030; color:#62B2F3; padding:7px 15px 5px 15px; border-radius:2px; border:1px solid #000000" value="CONNECT">
-                <?php } else { ?>
-                    <table><tr>
-                            <td>
-                                <p class="identity-plus-hint">
-                                    Your Wordpress uses <a target="_blank" title="My Identity Plus Application" href="https://identity.plus"><span>identity</span></a> to protect your account and your credentials by
-                                    only allowing devices owned and registered by you to access your Wordpress account.
-                                </p>
-                            </td>
-                    </tr></table>
+                    <input type="submit" id="identity_plus_disconnect" style="background:#4292D3; color:#FFFFFF; padding:8px 18px 6px 18px; border-radius:3px; border:1px solid rgba(0,0,0,0.1); cursor:pointer; margin-top:10px;" value="Connect">
+                <?php } else { 
+                    connect_header();
+
+                    ?>
                     
-                    <p class="identity-plus-hint" >Get your free <span class="identity-plus-brand">plus</span> account for secure, password-less login experience.</p>
+                    <p class="identity-plus-hint" >Get your free identity<span class="identity-plus-brand">plus</span> account for secure, password-less login experience.</p>
                     <input type="hidden" name="action" value="identity_plus_connect">
                     <input type="submit" id="identity_plus_disconnect" style="background:#303030; color:#62B2F3; padding:7px 15px 5px 15px; border-radius:2px; border:1px solid #000000" value="Get Id+">
@@ -348 +465 @@
 function identity_plus_authentication_page(  ) {
         ?>
+        <div class="identity-plus-main-fm-header">
+            <h1 class="identity-plus-brand">identity<span>plus</span></h1>
+            <h5>authenticate everything</h5>
+        </div>
         <form class="identity-plus-main-fm" method="post" action="<?php echo admin_url( 'admin.php' ); ?>">
-                <h1 class="identity-plus-brand">Identity<span>plus</span></h1>
-                <h5>man &amp; machine</h5>
                 <?php wp_nonce_field('my_delete_action'); ?>
                 <?php identity_plus_idp_page(); ?>
@@ -359 +478 @@
 
 add_filter('upload_mimes', 'identity_plus_enable_extra_extensions');
-

identity-plus/trunk/readme.txt

@@ -3 +3 @@
 Tags: authentication, security, 2factor, comments, spam, VPN, tls authentication, SSL client certificate, device identity, identity in the browser, two factor, login, two step authentication, password, admin, mobile, multi-factor, android, iphone, sso, strong two-step verification
 Requires at least: 3.9
-Tested up to: 4.9.8
-Stable tag: 1.0
+Tested up to: 5.2.4
+Stable tag: 2.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -78 +78 @@
 1. If the certificate in your browser expires, or you manually revoke it you will not be able to access your blog. This conflict needs to be resolved on Identityplus. Simply issue a new certificate for your browser, install it and all will be back to normal.
 2. You lose your device and it's connected to your Identityplus. Take your other device, go to Identityplus and revoke the certificate of your lost device. This will revoke access to any Identityplus bound account, so you are safe.
-3. You locked your self out of your Wordpress. No problem. You need to go to your Worpress back-end, (access the files). In your wp-content/uploads/.../, you will find the certificate file you uploaded (a *.p12 keystore file). Delete the file. This will disable the plugin, and you can use your regular wordpress login to access your back-end.
+3. You locked your self out of your Wordpress. No problem.
+
+    a. You need to go to your Worpress back-end, (access the files). 
+    b. In your wp-content/plugins/identity-plus/lib folder, edit the initialize.php file. 
+    c. Uncomment this line: // if(True) return "Manually disabled ...";
+    d. Access your Wordpress using user name and password
+    e. Uninstall the plugin and perform a fresh install
 
 == Changelog == 
+
+== 2.0 ==
+This is a major update. We recommend deactivating the "Enforce Identity + Device Certificate" flag for safety during certificate update.
+
+Added automatic & one click API certificate renewal. This grately improves user experience for maitaining the Identity Plus plugin and prevents accidental certificate expiration, which may cause service outage.
+Integrated the new service installation proces via automated wizard. It is no longer needed for the user to log into identity plus account and issue certificate before installation. Using the mobile application, or registered device, you can now onboard the service, issue the certificate and activate identity plus in one short flow.
+We've also moved the certificate storage from file to the database for enhanced security.
 
 == 1.6.4 ==