PageRenderTime 60ms CodeModel.GetById 27ms RepoModel.GetById 0ms app.codeStats 1ms

/inc/lib/Auth/OpenID/Consumer.php

https://bitbucket.org/yoander/mtrack
PHP | 2230 lines | 1121 code | 278 blank | 831 comment | 192 complexity | 8b9446deaf7e84fdb814f02d7c7e4079 MD5 | raw file
Possible License(s): BSD-3-Clause, Apache-2.0

Large files files are truncated, but you can click here to view the full file

    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * This module documents the main interface with the OpenID consumer
    5. 

  5.  * library.  The only part of the library which has to be used and
    6. 

  6.  * isn't documented in full here is the store required to create an
    7. 

  7.  * Auth_OpenID_Consumer instance.  More on the abstract store type and
    8. 

  8.  * concrete implementations of it that are provided in the
    9. 

  9.  * documentation for the Auth_OpenID_Consumer constructor.
    10. 

  10.  *
    11. 

  11.  * OVERVIEW
    12. 

  12.  *
    13. 

  13.  * The OpenID identity verification process most commonly uses the
    14. 

  14.  * following steps, as visible to the user of this library:
    15. 

  15.  *
    16. 

  16.  *   1. The user enters their OpenID into a field on the consumer's
    17. 

  17.  *      site, and hits a login button.
    18. 

  18.  *   2. The consumer site discovers the user's OpenID server using the
    19. 

  19.  *      YADIS protocol.
    20. 

  20.  *   3. The consumer site sends the browser a redirect to the identity
    21. 

  21.  *      server.  This is the authentication request as described in
    22. 

  22.  *      the OpenID specification.
    23. 

  23.  *   4. The identity server's site sends the browser a redirect back
    24. 

  24.  *      to the consumer site.  This redirect contains the server's
    25. 

  25.  *      response to the authentication request.
    26. 

  26.  *
    27. 

  27.  * The most important part of the flow to note is the consumer's site
    28. 

  28.  * must handle two separate HTTP requests in order to perform the full
    29. 

  29.  * identity check.
    30. 

  30.  *
    31. 

  31.  * LIBRARY DESIGN
    32. 

  32.  * 
    33. 

  33.  * This consumer library is designed with that flow in mind.  The goal
    34. 

  34.  * is to make it as easy as possible to perform the above steps
    35. 

  35.  * securely.
    36. 

  36.  *
    37. 

  37.  * At a high level, there are two important parts in the consumer
    38. 

  38.  * library.  The first important part is this module, which contains
    39. 

  39.  * the interface to actually use this library.  The second is the
    40. 

  40.  * Auth_OpenID_Interface class, which describes the interface to use
    41. 

  41.  * if you need to create a custom method for storing the state this
    42. 

  42.  * library needs to maintain between requests.
    43. 

  43.  *
    44. 

  44.  * In general, the second part is less important for users of the
    45. 

  45.  * library to know about, as several implementations are provided
    46. 

  46.  * which cover a wide variety of situations in which consumers may use
    47. 

  47.  * the library.
    48. 

  48.  *
    49. 

  49.  * This module contains a class, Auth_OpenID_Consumer, with methods
    50. 

  50.  * corresponding to the actions necessary in each of steps 2, 3, and 4
    51. 

  51.  * described in the overview.  Use of this library should be as easy
    52. 

  52.  * as creating an Auth_OpenID_Consumer instance and calling the
    53. 

  53.  * methods appropriate for the action the site wants to take.
    54. 

  54.  *
    55. 

  55.  * STORES AND DUMB MODE
    56. 

  56.  *
    57. 

  57.  * OpenID is a protocol that works best when the consumer site is able
    58. 

  58.  * to store some state.  This is the normal mode of operation for the
    59. 

  59.  * protocol, and is sometimes referred to as smart mode.  There is
    60. 

  60.  * also a fallback mode, known as dumb mode, which is available when
    61. 

  61.  * the consumer site is not able to store state.  This mode should be
    62. 

  62.  * avoided when possible, as it leaves the implementation more
    63. 

  63.  * vulnerable to replay attacks.
    64. 

  64.  *
    65. 

  65.  * The mode the library works in for normal operation is determined by
    66. 

  66.  * the store that it is given.  The store is an abstraction that
    67. 

  67.  * handles the data that the consumer needs to manage between http
    68. 

  68.  * requests in order to operate efficiently and securely.
    69. 

  69.  *
    70. 

  70.  * Several store implementation are provided, and the interface is
    71. 

  71.  * fully documented so that custom stores can be used as well.  See
    72. 

  72.  * the documentation for the Auth_OpenID_Consumer class for more
    73. 

  73.  * information on the interface for stores.  The implementations that
    74. 

  74.  * are provided allow the consumer site to store the necessary data in
    75. 

  75.  * several different ways, including several SQL databases and normal
    76. 

  76.  * files on disk.
    77. 

  77.  *
    78. 

  78.  * There is an additional concrete store provided that puts the system
    79. 

  79.  * in dumb mode.  This is not recommended, as it removes the library's
    80. 

  80.  * ability to stop replay attacks reliably.  It still uses time-based
    81. 

  81.  * checking to make replay attacks only possible within a small
    82. 

  82.  * window, but they remain possible within that window.  This store
    83. 

  83.  * should only be used if the consumer site has no way to retain data
    84. 

  84.  * between requests at all.
    85. 

  85.  *
    86. 

  86.  * IMMEDIATE MODE
    87. 

  87.  *
    88. 

  88.  * In the flow described above, the user may need to confirm to the
    89. 

  89.  * lidentity server that it's ok to authorize his or her identity.
    90. 

  90.  * The server may draw pages asking for information from the user
    91. 

  91.  * before it redirects the browser back to the consumer's site.  This
    92. 

  92.  * is generally transparent to the consumer site, so it is typically
    93. 

  93.  * ignored as an implementation detail.
    94. 

  94.  *
    95. 

  95.  * There can be times, however, where the consumer site wants to get a
    96. 

  96.  * response immediately.  When this is the case, the consumer can put
    97. 

  97.  * the library in immediate mode.  In immediate mode, there is an
    98. 

  98.  * extra response possible from the server, which is essentially the
    99. 

  99.  * server reporting that it doesn't have enough information to answer
    100. 

  100.  * the question yet.
    101. 

  101.  *
    102. 

  102.  * USING THIS LIBRARY
    103. 

  103.  *
    104. 

  104.  * Integrating this library into an application is usually a
    105. 

  105.  * relatively straightforward process.  The process should basically
    106. 

  106.  * follow this plan:
    107. 

  107.  *
    108. 

  108.  * Add an OpenID login field somewhere on your site.  When an OpenID
    109. 

  109.  * is entered in that field and the form is submitted, it should make
    110. 

  110.  * a request to the your site which includes that OpenID URL.
    111. 

  111.  *
    112. 

  112.  * First, the application should instantiate the Auth_OpenID_Consumer
    113. 

  113.  * class using the store of choice (Auth_OpenID_FileStore or one of
    114. 

  114.  * the SQL-based stores).  If the application has a custom
    115. 

  115.  * session-management implementation, an object implementing the
    116. 

  116.  * {@link Auth_Yadis_PHPSession} interface should be passed as the
    117. 

  117.  * second parameter.  Otherwise, the default uses $_SESSION.
    118. 

  118.  *
    119. 

  119.  * Next, the application should call the Auth_OpenID_Consumer object's
    120. 

  120.  * 'begin' method.  This method takes the OpenID URL.  The 'begin'
    121. 

  121.  * method returns an Auth_OpenID_AuthRequest object.
    122. 

  122.  *
    123. 

  123.  * Next, the application should call the 'redirectURL' method of the
    124. 

  124.  * Auth_OpenID_AuthRequest object.  The 'return_to' URL parameter is
    125. 

  125.  * the URL that the OpenID server will send the user back to after
    126. 

  126.  * attempting to verify his or her identity.  The 'trust_root' is the
    127. 

  127.  * URL (or URL pattern) that identifies your web site to the user when
    128. 

  128.  * he or she is authorizing it.  Send a redirect to the resulting URL
    129. 

  129.  * to the user's browser.
    130. 

  130.  *
    131. 

  131.  * That's the first half of the authentication process.  The second
    132. 

  132.  * half of the process is done after the user's ID server sends the
    133. 

  133.  * user's browser a redirect back to your site to complete their
    134. 

  134.  * login.
    135. 

  135.  *
    136. 

  136.  * When that happens, the user will contact your site at the URL given
    137. 

  137.  * as the 'return_to' URL to the Auth_OpenID_AuthRequest::redirectURL
    138. 

  138.  * call made above.  The request will have several query parameters
    139. 

  139.  * added to the URL by the identity server as the information
    140. 

  140.  * necessary to finish the request.
    141. 

  141.  *
    142. 

  142.  * Lastly, instantiate an Auth_OpenID_Consumer instance as above and
    143. 

  143.  * call its 'complete' method, passing in all the received query
    144. 

  144.  * arguments.
    145. 

  145.  *
    146. 

  146.  * There are multiple possible return types possible from that
    147. 

  147.  * method. These indicate the whether or not the login was successful,
    148. 

  148.  * and include any additional information appropriate for their type.
    149. 

  149.  *
    150. 

  150.  * PHP versions 4 and 5
    151. 

  151.  *
    152. 

  152.  * LICENSE: See the COPYING file included in this distribution.
    153. 

  153.  *
    154. 

  154.  * @package OpenID
    155. 

  155.  * @author JanRain, Inc. <openid@janrain.com>
    156. 

  156.  * @copyright 2005-2008 Janrain, Inc.
    157. 

  157.  * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
    158. 

  158.  */
    159. 

  159. 

  160. /**
    161. 

  161.  * Require utility classes and functions for the consumer.
    162. 

  162.  */
    163. 

  163. require_once "Auth/OpenID.php";
    164. 

  164. require_once "Auth/OpenID/Message.php";
    165. 

  165. require_once "Auth/OpenID/HMAC.php";
    166. 

  166. require_once "Auth/OpenID/Association.php";
    167. 

  167. require_once "Auth/OpenID/CryptUtil.php";
    168. 

  168. require_once "Auth/OpenID/DiffieHellman.php";
    169. 

  169. require_once "Auth/OpenID/KVForm.php";
    170. 

  170. require_once "Auth/OpenID/Nonce.php";
    171. 

  171. require_once "Auth/OpenID/Discover.php";
    172. 

  172. require_once "Auth/OpenID/URINorm.php";
    173. 

  173. require_once "Auth/Yadis/Manager.php";
    174. 

  174. require_once "Auth/Yadis/XRI.php";
    175. 

  175. 

  176. /**
    177. 

  177.  * This is the status code returned when the complete method returns
    178. 

  178.  * successfully.
    179. 

  179.  */
    180. 

  180. define('Auth_OpenID_SUCCESS', 'success');
    181. 

  181. 

  182. /**
    183. 

  183.  * Status to indicate cancellation of OpenID authentication.
    184. 

  184.  */
    185. 

  185. define('Auth_OpenID_CANCEL', 'cancel');
    186. 

  186. 

  187. /**
    188. 

  188.  * This is the status code completeAuth returns when the value it
    189. 

  189.  * received indicated an invalid login.
    190. 

  190.  */
    191. 

  191. define('Auth_OpenID_FAILURE', 'failure');
    192. 

  192. 

  193. /**
    194. 

  194.  * This is the status code completeAuth returns when the
    195. 

  195.  * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the
    196. 

  196.  * identity server sends back a URL to send the user to to complete his
    197. 

  197.  * or her login.
    198. 

  198.  */
    199. 

  199. define('Auth_OpenID_SETUP_NEEDED', 'setup needed');
    200. 

  200. 

  201. /**
    202. 

  202.  * This is the status code beginAuth returns when the page fetched
    203. 

  203.  * from the entered OpenID URL doesn't contain the necessary link tags
    204. 

  204.  * to function as an identity page.
    205. 

  205.  */
    206. 

  206. define('Auth_OpenID_PARSE_ERROR', 'parse error');
    207. 

  207. 

  208. /**
    209. 

  209.  * An OpenID consumer implementation that performs discovery and does
    210. 

  210.  * session management.  See the Consumer.php file documentation for
    211. 

  211.  * more information.
    212. 

  212.  *
    213. 

  213.  * @package OpenID
    214. 

  214.  */
    215. 

  215. class Auth_OpenID_Consumer {
    216. 

  216. 

  217.     /**
    218. 

  218.      * @access private
    219. 

  219.      */
    220. 

  220.     var $discoverMethod = 'Auth_OpenID_discover';
    221. 

  221. 

  222.     /**
    223. 

  223.      * @access private
    224. 

  224.      */
    225. 

  225.     var $session_key_prefix = "_openid_consumer_";
    226. 

  226. 

  227.     /**
    228. 

  228.      * @access private
    229. 

  229.      */
    230. 

  230.     var $_token_suffix = "last_token";
    231. 

  231. 

  232.     /**
    233. 

  233.      * Initialize a Consumer instance.
    234. 

  234.      *
    235. 

  235.      * You should create a new instance of the Consumer object with
    236. 

  236.      * every HTTP request that handles OpenID transactions.
    237. 

  237.      *
    238. 

  238.      * @param Auth_OpenID_OpenIDStore $store This must be an object
    239. 

  239.      * that implements the interface in {@link
    240. 

  240.      * Auth_OpenID_OpenIDStore}.  Several concrete implementations are
    241. 

  241.      * provided, to cover most common use cases.  For stores backed by
    242. 

  242.      * MySQL, PostgreSQL, or SQLite, see the {@link
    243. 

  243.      * Auth_OpenID_SQLStore} class and its sublcasses.  For a
    244. 

  244.      * filesystem-backed store, see the {@link Auth_OpenID_FileStore}
    245. 

  245.      * module.  As a last resort, if it isn't possible for the server
    246. 

  246.      * to store state at all, an instance of {@link
    247. 

  247.      * Auth_OpenID_DumbStore} can be used.
    248. 

  248.      *
    249. 

  249.      * @param mixed $session An object which implements the interface
    250. 

  250.      * of the {@link Auth_Yadis_PHPSession} class.  Particularly, this
    251. 

  251.      * object is expected to have these methods: get($key), set($key),
    252. 

  252.      * $value), and del($key).  This defaults to a session object
    253. 

  253.      * which wraps PHP's native session machinery.  You should only
    254. 

  254.      * need to pass something here if you have your own sessioning
    255. 

  255.      * implementation.
    256. 

  256.      *
    257. 

  257.      * @param str $consumer_cls The name of the class to instantiate
    258. 

  258.      * when creating the internal consumer object.  This is used for
    259. 

  259.      * testing.
    260. 

  260.      */
    261. 

  261.     function Auth_OpenID_Consumer(&$store, $session = null,
    262. 

  262.                                   $consumer_cls = null)
    263. 

  263.     {
    264. 

  264.         if ($session === null) {
    265. 

  265.             $session = new Auth_Yadis_PHPSession();
    266. 

  266.         }
    267. 

  267. 

  268.         $this->session =& $session;
    269. 

  269. 

  270.         if ($consumer_cls !== null) {
    271. 

  271.             $this->consumer = new $consumer_cls($store);
    272. 

  272.         } else {
    273. 

  273.             $this->consumer = new Auth_OpenID_GenericConsumer($store);
    274. 

  274.         }
    275. 

  275. 

  276.         $this->_token_key = $this->session_key_prefix . $this->_token_suffix;
    277. 

  277.     }
    278. 

  278. 

  279.     /**
    280. 

  280.      * Used in testing to define the discovery mechanism.
    281. 

  281.      *
    282. 

  282.      * @access private
    283. 

  283.      */
    284. 

  284.     function getDiscoveryObject(&$session, $openid_url,
    285. 

  285.                                 $session_key_prefix)
    286. 

  286.     {
    287. 

  287.         return new Auth_Yadis_Discovery($session, $openid_url,
    288. 

  288.                                         $session_key_prefix);
    289. 

  289.     }
    290. 

  290. 

  291.     /**
    292. 

  292.      * Start the OpenID authentication process. See steps 1-2 in the
    293. 

  293.      * overview at the top of this file.
    294. 

  294.      *
    295. 

  295.      * @param string $user_url Identity URL given by the user. This
    296. 

  296.      * method performs a textual transformation of the URL to try and
    297. 

  297.      * make sure it is normalized. For example, a user_url of
    298. 

  298.      * example.com will be normalized to http://example.com/
    299. 

  299.      * normalizing and resolving any redirects the server might issue.
    300. 

  300.      *
    301. 

  301.      * @param bool $anonymous True if the OpenID request is to be sent
    302. 

  302.      * to the server without any identifier information.  Use this
    303. 

  303.      * when you want to transport data but don't want to do OpenID
    304. 

  304.      * authentication with identifiers.
    305. 

  305.      *
    306. 

  306.      * @return Auth_OpenID_AuthRequest $auth_request An object
    307. 

  307.      * containing the discovered information will be returned, with a
    308. 

  308.      * method for building a redirect URL to the server, as described
    309. 

  309.      * in step 3 of the overview. This object may also be used to add
    310. 

  310.      * extension arguments to the request, using its 'addExtensionArg'
    311. 

  311.      * method.
    312. 

  312.      */
    313. 

  313.     function begin($user_url, $anonymous=false)
    314. 

  314.     {
    315. 

  315.         $openid_url = $user_url;
    316. 

  316. 

  317.         $disco = $this->getDiscoveryObject($this->session,
    318. 

  318.                                            $openid_url,
    319. 

  319.                                            $this->session_key_prefix);
    320. 

  320. 

  321.         // Set the 'stale' attribute of the manager.  If discovery
    322. 

  322.         // fails in a fatal way, the stale flag will cause the manager
    323. 

  323.         // to be cleaned up next time discovery is attempted.
    324. 

  324. 

  325.         $m = $disco->getManager();
    326. 

  326.         $loader = new Auth_Yadis_ManagerLoader();
    327. 

  327. 

  328.         if ($m) {
    329. 

  329.             if ($m->stale) {
    330. 

  330.                 $disco->destroyManager();
    331. 

  331.             } else {
    332. 

  332.                 $m->stale = true;
    333. 

  333.                 $disco->session->set($disco->session_key,
    334. 

  334.                                      serialize($loader->toSession($m)));
    335. 

  335.             }
    336. 

  336.         }
    337. 

  337. 

  338.         $endpoint = $disco->getNextService($this->discoverMethod,
    339. 

  339.                                            $this->consumer->fetcher);
    340. 

  340. 

  341.         // Reset the 'stale' attribute of the manager.
    342. 

  342.         $m =& $disco->getManager();
    343. 

  343.         if ($m) {
    344. 

  344.             $m->stale = false;
    345. 

  345.             $disco->session->set($disco->session_key,
    346. 

  346.                                  serialize($loader->toSession($m)));
    347. 

  347.         }
    348. 

  348. 

  349.         if ($endpoint === null) {
    350. 

  350.             return null;
    351. 

  351.         } else {
    352. 

  352.             return $this->beginWithoutDiscovery($endpoint,
    353. 

  353.                                                 $anonymous);
    354. 

  354.         }
    355. 

  355.     }
    356. 

  356. 

  357.     /**
    358. 

  358.      * Start OpenID verification without doing OpenID server
    359. 

  359.      * discovery. This method is used internally by Consumer.begin
    360. 

  360.      * after discovery is performed, and exists to provide an
    361. 

  361.      * interface for library users needing to perform their own
    362. 

  362.      * discovery.
    363. 

  363.      *
    364. 

  364.      * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service
    365. 

  365.      * endpoint descriptor.
    366. 

  366.      *
    367. 

  367.      * @param bool anonymous Set to true if you want to perform OpenID
    368. 

  368.      * without identifiers.
    369. 

  369.      *
    370. 

  370.      * @return Auth_OpenID_AuthRequest $auth_request An OpenID
    371. 

  371.      * authentication request object.
    372. 

  372.      */
    373. 

  373.     function &beginWithoutDiscovery($endpoint, $anonymous=false)
    374. 

  374.     {
    375. 

  375.         $loader = new Auth_OpenID_ServiceEndpointLoader();
    376. 

  376.         $auth_req = $this->consumer->begin($endpoint);
    377. 

  377.         $this->session->set($this->_token_key,
    378. 

  378.               $loader->toSession($auth_req->endpoint));
    379. 

  379.         if (!$auth_req->setAnonymous($anonymous)) {
    380. 

  380.             return new Auth_OpenID_FailureResponse(null,
    381. 

  381.               "OpenID 1 requests MUST include the identifier " .
    382. 

  382.               "in the request.");
    383. 

  383.         }
    384. 

  384.         return $auth_req;
    385. 

  385.     }
    386. 

  386. 

  387.     /**
    388. 

  388.      * Called to interpret the server's response to an OpenID
    389. 

  389.      * request. It is called in step 4 of the flow described in the
    390. 

  390.      * consumer overview.
    391. 

  391.      *
    392. 

  392.      * @param string $current_url The URL used to invoke the application.
    393. 

  393.      * Extract the URL from your application's web
    394. 

  394.      * request framework and specify it here to have it checked
    395. 

  395.      * against the openid.current_url value in the response.  If
    396. 

  396.      * the current_url URL check fails, the status of the
    397. 

  397.      * completion will be FAILURE.
    398. 

  398.      *
    399. 

  399.      * @param array $query An array of the query parameters (key =>
    400. 

  400.      * value pairs) for this HTTP request.  Defaults to null.  If
    401. 

  401.      * null, the GET or POST data are automatically gotten from the
    402. 

  402.      * PHP environment.  It is only useful to override $query for
    403. 

  403.      * testing.
    404. 

  404.      *
    405. 

  405.      * @return Auth_OpenID_ConsumerResponse $response A instance of an
    406. 

  406.      * Auth_OpenID_ConsumerResponse subclass. The type of response is
    407. 

  407.      * indicated by the status attribute, which will be one of
    408. 

  408.      * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
    409. 

  409.      */
    410. 

  410.     function complete($current_url, $query=null)
    411. 

  411.     {
    412. 

  412.         if ($current_url && !is_string($current_url)) {
    413. 

  413.             // This is ugly, but we need to complain loudly when
    414. 

  414.             // someone uses the API incorrectly.
    415. 

  415.             trigger_error("current_url must be a string; see NEWS file " .
    416. 

  416.                           "for upgrading notes.",
    417. 

  417.                           E_USER_ERROR);
    418. 

  418.         }
    419. 

  419. 

  420.         if ($query === null) {
    421. 

  421.             $query = Auth_OpenID::getQuery();
    422. 

  422.         }
    423. 

  423. 

  424.         $loader = new Auth_OpenID_ServiceEndpointLoader();
    425. 

  425.         $endpoint_data = $this->session->get($this->_token_key);
    426. 

  426.         $endpoint =
    427. 

  427.             $loader->fromSession($endpoint_data);
    428. 

  428. 

  429.         $message = Auth_OpenID_Message::fromPostArgs($query);
    430. 

  430.         $response = $this->consumer->complete($message, $endpoint, 
    431. 

  431.                                               $current_url);
    432. 

  432.         $this->session->del($this->_token_key);
    433. 

  433. 

  434.         if (in_array($response->status, array(Auth_OpenID_SUCCESS,
    435. 

  435.                                               Auth_OpenID_CANCEL))) {
    436. 

  436.             if ($response->identity_url !== null) {
    437. 

  437.                 $disco = $this->getDiscoveryObject($this->session,
    438. 

  438.                                                    $response->identity_url,
    439. 

  439.                                                    $this->session_key_prefix);
    440. 

  440.                 $disco->cleanup(true);
    441. 

  441.             }
    442. 

  442.         }
    443. 

  443. 

  444.         return $response;
    445. 

  445.     }
    446. 

  446. }
    447. 

  447. 

  448. /**
    449. 

  449.  * A class implementing HMAC/DH-SHA1 consumer sessions.
    450. 

  450.  *
    451. 

  451.  * @package OpenID
    452. 

  452.  */
    453. 

  453. class Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
    454. 

  454.     var $session_type = 'DH-SHA1';
    455. 

  455.     var $hash_func = 'Auth_OpenID_SHA1';
    456. 

  456.     var $secret_size = 20;
    457. 

  457.     var $allowed_assoc_types = array('HMAC-SHA1');
    458. 

  458. 

  459.     function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null)
    460. 

  460.     {
    461. 

  461.         if ($dh === null) {
    462. 

  462.             $dh = new Auth_OpenID_DiffieHellman();
    463. 

  463.         }
    464. 

  464. 

  465.         $this->dh = $dh;
    466. 

  466.     }
    467. 

  467. 

  468.     function getRequest()
    469. 

  469.     {
    470. 

  470.         $math =& Auth_OpenID_getMathLib();
    471. 

  471. 

  472.         $cpub = $math->longToBase64($this->dh->public);
    473. 

  473. 

  474.         $args = array('dh_consumer_public' => $cpub);
    475. 

  475. 

  476.         if (!$this->dh->usingDefaultValues()) {
    477. 

  477.             $args = array_merge($args, array(
    478. 

  478.                 'dh_modulus' =>
    479. 

  479.                      $math->longToBase64($this->dh->mod),
    480. 

  480.                 'dh_gen' =>
    481. 

  481.                      $math->longToBase64($this->dh->gen)));
    482. 

  482.         }
    483. 

  483. 

  484.         return $args;
    485. 

  485.     }
    486. 

  486. 

  487.     function extractSecret($response)
    488. 

  488.     {
    489. 

  489.         if (!$response->hasKey(Auth_OpenID_OPENID_NS,
    490. 

  490.                                'dh_server_public')) {
    491. 

  491.             return null;
    492. 

  492.         }
    493. 

  493. 

  494.         if (!$response->hasKey(Auth_OpenID_OPENID_NS,
    495. 

  495.                                'enc_mac_key')) {
    496. 

  496.             return null;
    497. 

  497.         }
    498. 

  498. 

  499.         $math =& Auth_OpenID_getMathLib();
    500. 

  500. 

  501.         $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS,
    502. 

  502.                                                       'dh_server_public'));
    503. 

  503.         $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
    504. 

  504.                                                        'enc_mac_key'));
    505. 

  505. 

  506.         return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func);
    507. 

  507.     }
    508. 

  508. }
    509. 

  509. 

  510. /**
    511. 

  511.  * A class implementing HMAC/DH-SHA256 consumer sessions.
    512. 

  512.  *
    513. 

  513.  * @package OpenID
    514. 

  514.  */
    515. 

  515. class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends
    516. 

  516.       Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
    517. 

  517.     var $session_type = 'DH-SHA256';
    518. 

  518.     var $hash_func = 'Auth_OpenID_SHA256';
    519. 

  519.     var $secret_size = 32;
    520. 

  520.     var $allowed_assoc_types = array('HMAC-SHA256');
    521. 

  521. }
    522. 

  522. 

  523. /**
    524. 

  524.  * A class implementing plaintext consumer sessions.
    525. 

  525.  *
    526. 

  526.  * @package OpenID
    527. 

  527.  */
    528. 

  528. class Auth_OpenID_PlainTextConsumerSession {
    529. 

  529.     var $session_type = 'no-encryption';
    530. 

  530.     var $allowed_assoc_types =  array('HMAC-SHA1', 'HMAC-SHA256');
    531. 

  531. 

  532.     function getRequest()
    533. 

  533.     {
    534. 

  534.         return array();
    535. 

  535.     }
    536. 

  536. 

  537.     function extractSecret($response)
    538. 

  538.     {
    539. 

  539.         if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) {
    540. 

  540.             return null;
    541. 

  541.         }
    542. 

  542. 

  543.         return base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
    544. 

  544.                                                'mac_key'));
    545. 

  545.     }
    546. 

  546. }
    547. 

  547. 

  548. /**
    549. 

  549.  * Returns available session types.
    550. 

  550.  */
    551. 

  551. function Auth_OpenID_getAvailableSessionTypes()
    552. 

  552. {
    553. 

  553.     $types = array(
    554. 

  554.       'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession',
    555. 

  555.       'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession',
    556. 

  556.       'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession');
    557. 

  557. 

  558.     return $types;
    559. 

  559. }
    560. 

  560. 

  561. /**
    562. 

  562.  * This class is the interface to the OpenID consumer logic.
    563. 

  563.  * Instances of it maintain no per-request state, so they can be
    564. 

  564.  * reused (or even used by multiple threads concurrently) as needed.
    565. 

  565.  *
    566. 

  566.  * @package OpenID
    567. 

  567.  */
    568. 

  568. class Auth_OpenID_GenericConsumer {
    569. 

  569.     /**
    570. 

  570.      * @access private
    571. 

  571.      */
    572. 

  572.     var $discoverMethod = 'Auth_OpenID_discover';
    573. 

  573. 

  574.     /**
    575. 

  575.      * This consumer's store object.
    576. 

  576.      */
    577. 

  577.     var $store;
    578. 

  578. 

  579.     /**
    580. 

  580.      * @access private
    581. 

  581.      */
    582. 

  582.     var $_use_assocs;
    583. 

  583. 

  584.     /**
    585. 

  585.      * @access private
    586. 

  586.      */
    587. 

  587.     var $openid1_nonce_query_arg_name = 'janrain_nonce';
    588. 

  588. 

  589.     /**
    590. 

  590.      * Another query parameter that gets added to the return_to for
    591. 

  591.      * OpenID 1; if the user's session state is lost, use this claimed
    592. 

  592.      * identifier to do discovery when verifying the response.
    593. 

  593.      */
    594. 

  594.     var $openid1_return_to_identifier_name = 'openid1_claimed_id';
    595. 

  595. 

  596.     /**
    597. 

  597.      * This method initializes a new {@link Auth_OpenID_Consumer}
    598. 

  598.      * instance to access the library.
    599. 

  599.      *
    600. 

  600.      * @param Auth_OpenID_OpenIDStore $store This must be an object
    601. 

  601.      * that implements the interface in {@link Auth_OpenID_OpenIDStore}.
    602. 

  602.      * Several concrete implementations are provided, to cover most common use
    603. 

  603.      * cases.  For stores backed by MySQL, PostgreSQL, or SQLite, see
    604. 

  604.      * the {@link Auth_OpenID_SQLStore} class and its sublcasses.  For a
    605. 

  605.      * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module.
    606. 

  606.      * As a last resort, if it isn't possible for the server to store
    607. 

  607.      * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used.
    608. 

  608.      *
    609. 

  609.      * @param bool $immediate This is an optional boolean value.  It
    610. 

  610.      * controls whether the library uses immediate mode, as explained
    611. 

  611.      * in the module description.  The default value is False, which
    612. 

  612.      * disables immediate mode.
    613. 

  613.      */
    614. 

  614.     function Auth_OpenID_GenericConsumer(&$store)
    615. 

  615.     {
    616. 

  616.         $this->store =& $store;
    617. 

  617.         $this->negotiator =& Auth_OpenID_getDefaultNegotiator();
    618. 

  618.         $this->_use_assocs = ($this->store ? true : false);
    619. 

  619. 

  620.         $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
    621. 

  621. 

  622.         $this->session_types = Auth_OpenID_getAvailableSessionTypes();
    623. 

  623.     }
    624. 

  624. 

  625.     /**
    626. 

  626.      * Called to begin OpenID authentication using the specified
    627. 

  627.      * {@link Auth_OpenID_ServiceEndpoint}.
    628. 

  628.      *
    629. 

  629.      * @access private
    630. 

  630.      */
    631. 

  631.     function begin($service_endpoint)
    632. 

  632.     {
    633. 

  633.         $assoc = $this->_getAssociation($service_endpoint);
    634. 

  634.         $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
    635. 

  635.         $r->return_to_args[$this->openid1_nonce_query_arg_name] =
    636. 

  636.             Auth_OpenID_mkNonce();
    637. 

  637. 

  638.         if ($r->message->isOpenID1()) {
    639. 

  639.             $r->return_to_args[$this->openid1_return_to_identifier_name] =
    640. 

  640.                 $r->endpoint->claimed_id;
    641. 

  641.         }
    642. 

  642. 

  643.         return $r;
    644. 

  644.     }
    645. 

  645. 

  646.     /**
    647. 

  647.      * Given an {@link Auth_OpenID_Message}, {@link
    648. 

  648.      * Auth_OpenID_ServiceEndpoint} and optional return_to URL,
    649. 

  649.      * complete OpenID authentication.
    650. 

  650.      *
    651. 

  651.      * @access private
    652. 

  652.      */
    653. 

  653.     function complete($message, $endpoint, $return_to)
    654. 

  654.     {
    655. 

  655.         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
    656. 

  656.                                  '<no mode set>');
    657. 

  657. 

  658.         $mode_methods = array(
    659. 

  659.                               'cancel' => '_complete_cancel',
    660. 

  660.                               'error' => '_complete_error',
    661. 

  661.                               'setup_needed' => '_complete_setup_needed',
    662. 

  662.                               'id_res' => '_complete_id_res',
    663. 

  663.                               );
    664. 

  664. 

  665.         $method = Auth_OpenID::arrayGet($mode_methods, $mode,
    666. 

  666.                                         '_completeInvalid');
    667. 

  667. 

  668.         return call_user_func_array(array(&$this, $method),
    669. 

  669.                                     array($message, &$endpoint, $return_to));
    670. 

  670.     }
    671. 

  671. 

  672.     /**
    673. 

  673.      * @access private
    674. 

  674.      */
    675. 

  675.     function _completeInvalid($message, &$endpoint, $unused)
    676. 

  676.     {
    677. 

  677.         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
    678. 

  678.                                  '<No mode set>');
    679. 

  679. 

  680.         return new Auth_OpenID_FailureResponse($endpoint,
    681. 

  681.                     sprintf("Invalid openid.mode '%s'", $mode));
    682. 

  682.     }
    683. 

  683. 

  684.     /**
    685. 

  685.      * @access private
    686. 

  686.      */
    687. 

  687.     function _complete_cancel($message, &$endpoint, $unused)
    688. 

  688.     {
    689. 

  689.         return new Auth_OpenID_CancelResponse($endpoint);
    690. 

  690.     }
    691. 

  691. 

  692.     /**
    693. 

  693.      * @access private
    694. 

  694.      */
    695. 

  695.     function _complete_error($message, &$endpoint, $unused)
    696. 

  696.     {
    697. 

  697.         $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
    698. 

  698.         $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
    699. 

  699.         $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');
    700. 

  700. 

  701.         return new Auth_OpenID_FailureResponse($endpoint, $error,
    702. 

  702.                                                $contact, $reference);
    703. 

  703.     }
    704. 

  704. 

  705.     /**
    706. 

  706.      * @access private
    707. 

  707.      */
    708. 

  708.     function _complete_setup_needed($message, &$endpoint, $unused)
    709. 

  709.     {
    710. 

  710.         if (!$message->isOpenID2()) {
    711. 

  711.             return $this->_completeInvalid($message, $endpoint);
    712. 

  712.         }
    713. 

  713. 

  714.         $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
    715. 

  715.                                            'user_setup_url');
    716. 

  716.         return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url);
    717. 

  717.     }
    718. 

  718. 

  719.     /**
    720. 

  720.      * @access private
    721. 

  721.      */
    722. 

  722.     function _complete_id_res($message, &$endpoint, $return_to)
    723. 

  723.     {
    724. 

  724.         $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
    725. 

  725.                                            'user_setup_url');
    726. 

  726. 

  727.         if ($this->_checkSetupNeeded($message)) {
    728. 

  728.             return new Auth_OpenID_SetupNeededResponse(
    729. 

  729.                 $endpoint, $user_setup_url);
    730. 

  730.         } else {
    731. 

  731.             return $this->_doIdRes($message, $endpoint, $return_to);
    732. 

  732.         }
    733. 

  733.     }
    734. 

  734. 

  735.     /**
    736. 

  736.      * @access private
    737. 

  737.      */
    738. 

  738.     function _checkSetupNeeded($message)
    739. 

  739.     {
    740. 

  740.         // In OpenID 1, we check to see if this is a cancel from
    741. 

  741.         // immediate mode by the presence of the user_setup_url
    742. 

  742.         // parameter.
    743. 

  743.         if ($message->isOpenID1()) {
    744. 

  744.             $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
    745. 

  745.                                                'user_setup_url');
    746. 

  746.             if ($user_setup_url !== null) {
    747. 

  747.                 return true;
    748. 

  748.             }
    749. 

  749.         }
    750. 

  750. 

  751.         return false;
    752. 

  752.     }
    753. 

  753. 

  754.     /**
    755. 

  755.      * @access private
    756. 

  756.      */
    757. 

  757.     function _doIdRes($message, $endpoint, $return_to)
    758. 

  758.     {
    759. 

  759.         // Checks for presence of appropriate fields (and checks
    760. 

  760.         // signed list fields)
    761. 

  761.         $result = $this->_idResCheckForFields($message);
    762. 

  762. 

  763.         if (Auth_OpenID::isFailure($result)) {
    764. 

  764.             return $result;
    765. 

  765.         }
    766. 

  766. 

  767.         if (!$this->_checkReturnTo($message, $return_to)) {
    768. 

  768.             return new Auth_OpenID_FailureResponse(null,
    769. 

  769.             sprintf("return_to does not match return URL. Expected %s, got %s",
    770. 

  770.                     $return_to,
    771. 

  771.                     $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
    772. 

  772.         }
    773. 

  773. 

  774.         // Verify discovery information:
    775. 

  775.         $result = $this->_verifyDiscoveryResults($message, $endpoint);
    776. 

  776. 

  777.         if (Auth_OpenID::isFailure($result)) {
    778. 

  778.             return $result;
    779. 

  779.         }
    780. 

  780. 

  781.         $endpoint = $result;
    782. 

  782. 

  783.         $result = $this->_idResCheckSignature($message,
    784. 

  784.                                               $endpoint->server_url);
    785. 

  785. 

  786.         if (Auth_OpenID::isFailure($result)) {
    787. 

  787.             return $result;
    788. 

  788.         }
    789. 

  789. 

  790.         $result = $this->_idResCheckNonce($message, $endpoint);
    791. 

  791. 

  792.         if (Auth_OpenID::isFailure($result)) {
    793. 

  793.             return $result;
    794. 

  794.         }
    795. 

  795. 

  796.         $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed',
    797. 

  797.                                             Auth_OpenID_NO_DEFAULT);
    798. 

  798.         if (Auth_OpenID::isFailure($signed_list_str)) {
    799. 

  799.             return $signed_list_str;
    800. 

  800.         }
    801. 

  801.         $signed_list = explode(',', $signed_list_str);
    802. 

  802. 

  803.         $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
    804. 

  804. 

  805.         return new Auth_OpenID_SuccessResponse($endpoint, $message,
    806. 

  806.                                                $signed_fields);
    807. 

  807. 

  808.     }
    809. 

  809. 

  810.     /**
    811. 

  811.      * @access private
    812. 

  812.      */
    813. 

  813.     function _checkReturnTo($message, $return_to)
    814. 

  814.     {
    815. 

  815.         // Check an OpenID message and its openid.return_to value
    816. 

  816.         // against a return_to URL from an application.  Return True
    817. 

  817.         // on success, False on failure.
    818. 

  818. 

  819.         // Check the openid.return_to args against args in the
    820. 

  820.         // original message.
    821. 

  821.         $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs(
    822. 

  822.                                            $message->toPostArgs());
    823. 

  823.         if (Auth_OpenID::isFailure($result)) {
    824. 

  824.             return false;
    825. 

  825.         }
    826. 

  826. 

  827.         // Check the return_to base URL against the one in the
    828. 

  828.         // message.
    829. 

  829.         $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
    830. 

  830.                                           'return_to');
    831. 

  831.         if (Auth_OpenID::isFailure($return_to)) {
    832. 

  832.             // XXX log me
    833. 

  833.             return false;
    834. 

  834.         }
    835. 

  835. 

  836.         $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
    837. 

  837.         $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));
    838. 

  838. 

  839.         // If port is absent from both, add it so it's equal in the
    840. 

  840.         // check below.
    841. 

  841.         if ((!array_key_exists('port', $return_to_parts)) &&
    842. 

  842.             (!array_key_exists('port', $msg_return_to_parts))) {
    843. 

  843.             $return_to_parts['port'] = null;
    844. 

  844.             $msg_return_to_parts['port'] = null;
    845. 

  845.         }
    846. 

  846. 

  847.         // If path is absent from both, add it so it's equal in the
    848. 

  848.         // check below.
    849. 

  849.         if ((!array_key_exists('path', $return_to_parts)) &&
    850. 

  850.             (!array_key_exists('path', $msg_return_to_parts))) {
    851. 

  851.             $return_to_parts['path'] = null;
    852. 

  852.             $msg_return_to_parts['path'] = null;
    853. 

  853.         }
    854. 

  854. 

  855.         // The URL scheme, authority, and path MUST be the same
    856. 

  856.         // between the two URLs.
    857. 

  857.         foreach (array('scheme', 'host', 'port', 'path') as $component) {
    858. 

  858.             // If the url component is absent in either URL, fail.
    859. 

  859.             // There should always be a scheme, host, port, and path.
    860. 

  860.             if (!array_key_exists($component, $return_to_parts)) {
    861. 

  861.                 return false;
    862. 

  862.             }
    863. 

  863. 

  864.             if (!array_key_exists($component, $msg_return_to_parts)) {
    865. 

  865.                 return false;
    866. 

  866.             }
    867. 

  867. 

  868.             if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
    869. 

  869.                 Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
    870. 

  870.                 return false;
    871. 

  871.             }
    872. 

  872.         }
    873. 

  873. 

  874.         return true;
    875. 

  875.     }
    876. 

  876. 

  877.     /**
    878. 

  878.      * @access private
    879. 

  879.      */
    880. 

  880.     function _verifyReturnToArgs($query)
    881. 

  881.     {
    882. 

  882.         // Verify that the arguments in the return_to URL are present in this
    883. 

  883.         // response.
    884. 

  884. 

  885.         $message = Auth_OpenID_Message::fromPostArgs($query);
    886. 

  886.         $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
    887. 

  887. 

  888.         if (Auth_OpenID::isFailure($return_to)) {
    889. 

  889.             return $return_to;
    890. 

  890.         }
    891. 

  891.         // XXX: this should be checked by _idResCheckForFields
    892. 

  892.         if (!$return_to) {
    893. 

  893.             return new Auth_OpenID_FailureResponse(null,
    894. 

  894.                            "Response has no return_to");
    895. 

  895.         }
    896. 

  896. 

  897.         $parsed_url = parse_url($return_to);
    898. 

  898. 

  899.         $q = array();
    900. 

  900.         if (array_key_exists('query', $parsed_url)) {
    901. 

  901.             $rt_query = $parsed_url['query'];
    902. 

  902.             $q = Auth_OpenID::parse_str($rt_query);
    903. 

  903.         }
    904. 

  904. 

  905.         foreach ($q as $rt_key => $rt_value) {
    906. 

  906.             if (!array_key_exists($rt_key, $query)) {
    907. 

  907.                 return new Auth_OpenID_FailureResponse(null,
    908. 

  908.                   sprintf("return_to parameter %s absent from query", $rt_key));
    909. 

  909.             } else {
    910. 

  910.                 $value = $query[$rt_key];
    911. 

  911.                 if ($rt_value != $value) {
    912. 

  912.                     return new Auth_OpenID_FailureResponse(null,
    913. 

  913.                       sprintf("parameter %s value %s does not match " .
    914. 

  914.                               "return_to value %s", $rt_key,
    915. 

  915.                               $value, $rt_value));
    916. 

  916.                 }
    917. 

  917.             }
    918. 

  918.         }
    919. 

  919. 

  920.         // Make sure all non-OpenID arguments in the response are also
    921. 

  921.         // in the signed return_to.
    922. 

  922.         $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
    923. 

  923.         foreach ($bare_args as $key => $value) {
    924. 

  924.             if (Auth_OpenID::arrayGet($q, $key) != $value) {
    925. 

  925.                 return new Auth_OpenID_FailureResponse(null,
    926. 

  926.                   sprintf("Parameter %s = %s not in return_to URL",
    927. 

  927.                           $key, $value));
    928. 

  928.             }
    929. 

  929.         }
    930. 

  930. 

  931.         return true;
    932. 

  932.     }
    933. 

  933. 

  934.     /**
    935. 

  935.      * @access private
    936. 

  936.      */
    937. 

  937.     function _idResCheckSignature($message, $server_url)
    938. 

  938.     {
    939. 

  939.         $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
    940. 

  940.                                          'assoc_handle');
    941. 

  941.         if (Auth_OpenID::isFailure($assoc_handle)) {
    942. 

  942.             return $assoc_handle;
    943. 

  943.         }
    944. 

  944. 

  945.         $assoc = $this->store->getAssociation($server_url, $assoc_handle);
    946. 

  946. 

  947.         if ($assoc) {
    948. 

  948.             if ($assoc->getExpiresIn() <= 0) {
    949. 

  949.                 // XXX: It might be a good idea sometimes to re-start
    950. 

  950.                 // the authentication with a new association. Doing it
    951. 

  951.                 // automatically opens the possibility for
    952. 

  952.                 // denial-of-service by a server that just returns
    953. 

  953.                 // expired associations (or really short-lived
    954. 

  954.                 // associations)
    955. 

  955.                 return new Auth_OpenID_FailureResponse(null,
    956. 

  956.                              'Association with ' . $server_url . ' expired');
    957. 

  957.             }
    958. 

  958. 

  959.             if (!$assoc->checkMessageSignature($message)) {
    960. 

  960.                 return new Auth_OpenID_FailureResponse(null,
    961. 

  961.                                                        "Bad signature");
    962. 

  962.             }
    963. 

  963.         } else {
    964. 

  964.             // It's not an association we know about.  Stateless mode
    965. 

  965.             // is our only possible path for recovery.  XXX - async
    966. 

  966.             // framework will not want to block on this call to
    967. 

  967.             // _checkAuth.
    968. 

  968.             if (!$this->_checkAuth($message, $server_url)) {
    969. 

  969.                 return new Auth_OpenID_FailureResponse(null,
    970. 

  970.                              "Server denied check_authentication");
    971. 

  971.             }
    972. 

  972.         }
    973. 

  973. 

  974.         return null;
    975. 

  975.     }
    976. 

  976. 

  977.     /**
    978. 

  978.      * @access private
    979. 

  979.      */
    980. 

  980.     function _verifyDiscoveryResults($message, $endpoint=null)
    981. 

  981.     {
    982. 

  982.         if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) {
    983. 

  983.             return $this->_verifyDiscoveryResultsOpenID2($message,
    984. 

  984.                                                          $endpoint);
    985. 

  985.         } else {
    986. 

  986.             return $this->_verifyDiscoveryResultsOpenID1($message,
    987. 

  987.                                                          $endpoint);
    988. 

  988.         }
    989. 

  989.     }
    990. 

  990. 

  991.     /**
    992. 

  992.      * @access private
    993. 

  993.      */
    994. 

  994.     function _verifyDiscoveryResultsOpenID1($message, $endpoint)
    995. 

  995.     {
    996. 

  996.         $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
    997. 

  997.                                 $this->openid1_return_to_identifier_name);
    998. 

  998. 

  999.         if (($endpoint === null) && ($claimed_id === null)) {
    1000. 

  1000.             return new Auth_OpenID_FailureResponse($endpoint,
    1001. 

  1001.               'When using OpenID 1, the claimed ID must be supplied, ' .
    1002. 

  1002.               'either by passing it through as a return_to parameter ' .
    1003. 

  1003.               'or by using a session, and supplied to the GenericConsumer ' .
    1004. 

  1004.               'as the argument to complete()');
    1005. 

  1005.         } else if (($endpoint !== null) && ($claimed_id === null)) {
    1006. 

  1006.             $claimed_id = $endpoint->claimed_id;
    1007. 

  1007.         }
    1008. 

  1008. 

  1009.         $to_match = new Auth_OpenID_ServiceEndpoint();
    1010. 

  1010.         $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
    1011. 

  1011.         $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
    1012. 

  1012.                                                'identity');
    1013. 

  1013. 

  1014.         // Restore delegate information from the initiation phase
    1015. 

  1015.         $to_match->claimed_id = $claimed_id;
    1016. 

  1016. 

  1017.         if ($to_match->local_id === null) {
    1018. 

  1018.             return new Auth_OpenID_FailureResponse($endpoint,
    1019. 

  1019.                          "Missing required field openid.identity");
    1020. 

  1020.         }
    1021. 

  1021. 

  1022.         $to_match_1_0 = $to_match->copy();
    1023. 

  1023.         $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);
    1024. 

  1024. 

  1025.         if ($endpoint !== null) {
    1026. 

  1026.             $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
    1027. 

  1027. 

  1028.             if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) {
    1029. 

  1029.                 $result = $this->_verifyDiscoverySingle($endpoint,
    1030. 

  1030.                                                         $to_match_1_0);
    1031. 

  1031.             }
    1032. 

  1032. 

  1033.             if (Auth_OpenID::isFailure($result)) {
    1034. 

  1034.                 // oidutil.log("Error attempting to use stored
    1035. 

  1035.                 //             discovery information: " + str(e))
    1036. 

  1036.                 //             oidutil.log("Attempting discovery to
    1037. 

  1037.                 //             verify endpoint")
    1038. 

  1038.             } else {
    1039. 

  1039.                 return $endpoint;
    1040. 

  1040.             }
    1041. 

  1041.         }
    1042. 

  1042. 

  1043.         // Endpoint is either bad (failed verification) or None
    1044. 

  1044.         return $this->_discoverAndVerify($to_match->claimed_id,
    1045. 

  1045.                                          array($to_match, $to_match_1_0));
    1046. 

  1046.     }
    1047. 

  1047. 

  1048.     /**
    1049. 

  1049.      * @access private
    1050. 

  1050.      */
    1051. 

  1051.     function _verifyDiscoverySingle($endpoint, $to_match)
    1052. 

  1052.     {
    1053. 

  1053.         // Every type URI that's in the to_match endpoint has to be
    1054. 

  1054.         // present in the discovered endpoint.
    1055. 

  1055.         foreach ($to_match->type_uris as $type_uri) {
    1056. 

  1056.             if (!$endpoint->usesExtension($type_uri)) {
    1057. 

  1057.                 return new Auth_OpenID_TypeURIMismatch($endpoint,
    1058. 

  1058.                              "Required type ".$type_uri." not present");
    1059. 

  1059.             }
    1060. 

  1060.         }
    1061. 

  1061. 

  1062.         // Fragments do not influence discovery, so we can't compare a
    1063. 

  1063.         // claimed identifier with a fragment to discovered
    1064. 

  1064.         // information.
    1065. 

  1065.         list($defragged_claimed_id, $_) =
    1066. 

  1066.             Auth_OpenID::urldefrag($to_match->claimed_id);
    1067. 

  1067. 

  1068.         if ($defragged_claimed_id != $endpoint->claimed_id) {
    1069. 

  1069.             return new Auth_OpenID_FailureResponse($endpoint,
    1070. 

  1070.               sprintf('Claimed ID does not match (different subjects!), ' .
    1071. 

  1071.                       'Expected %s, got %s', $defragged_claimed_id,
    1072. 

  1072.                       $endpoint->claimed_id));
    1073. 

  1073.         }
    1074. 

  1074. 

  1075.         if ($to_match->getLocalID() != $endpoint->getLocalID()) {
    1076. 

  1076.             return new Auth_OpenID_FailureResponse($endpoint,
    1077. 

  1077.               sprintf('local_id mismatch. Expected %s, got %s',
    1078. 

  1078.                       $to_match->getLocalID(), $endpoint->getLocalID()));
    1079. 

  1079.         }
    1080. 

  1080. 

  1081.         // If the server URL is None, this must be an OpenID 1
    1082. 

  1082.         // response, because op_endpoint is a required parameter in
    1083. 

  1083.         // OpenID 2. In that case, we don't actually care what the
    1084. 

  1084.         // discovered server_url is, because signature checking or
    1085. 

  1085.         // check_auth should take care of that check for us.
    1086. 

  1086.         if ($to_match->server_url === null) {
    1087. 

  1087.             if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) {
    1088. 

  1088.                 return new Auth_OpenID_FailureResponse($endpoint,
    1089. 

  1089.                              "Preferred namespace mismatch (bug)");
    1090. 

  1090.             }
    1091. 

  1091.         } else if ($to_match->server_url != $endpoint->server_url) {
    1092. 

  1092.             return new Auth_OpenID_FailureResponse($endpoint,
    1093. 

  1093.               sprintf('OP Endpoint mismatch. Expected %s, got %s',
    1094. 

  1094.                       $to_match->server_url, $endpoint->server_url));
    1095. 

  1095.         }
    1096. 

  1096. 

  1097.         return null;
    1098. 

  1098.     }
    1099. 

  1099. 

  1100.     /**
    1101. 

  1101.      * @access private
    1102. 

  1102.      */
    1103. 

  1103.     function _verifyDiscoveryResultsOpenID2($message, $endpoint)
    1104. 

  1104.     {
    1105. 

  1105.         $to_match = new Auth_OpenID_ServiceEndpoint();
    1106. 

  1106.         $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
    1107. 

  1107.         $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
    1108. 

  1108.                                                  'claimed_id');
    1109. 

  1109. 

  1110.         $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
    1111. 

  1111.                                                 'identity');
    1112. 

  1112. 

  1113.         $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
    1114. 

  1114.                                                  'op_endpoint');
    1115. 

  1115. 

  1116.         if ($to_match->server_url === null) {
    1117. 

  1117.             return new Auth_OpenID_FailureResponse($endpoint,
    1118. 

  1118.                          "OP Endpoint URL missing");
    1119. 

  1119.         }
    1120. 

  1120. 

  1121.         // claimed_id and identifier must both be present or both be
    1122. 

  1122.         // absent
    1123. 

  1123.         if (($to_match->claimed_id === null) &&
    1124. 

  1124.             ($to_match->local_id !== null)) {
    1125. 

  1125.             return new Auth_OpenID_FailureResponse($endpoint,
    1126. 

  1126.               'openid.identity is present without openid.claimed_id');
    1127. 

  1127.         }
    1128. 

  1128. 

  1129.         if (($to_match->claimed_id !== null) &&
    1130. 

  1130.             ($to_match->local_id === null)) {
    1131. 

  1131.             return new Auth_OpenID_FailureResponse($endpoint,
    1132. 

  1132.               'openid.claimed_id is present without openid.identity');
    1133. 

  1133.         }
    1134. 

  1134. 

  1135.         if ($to_match->claimed_id === null) {
    1136. 

  1136.             // This is a response without identifiers, so there's
    1137. 

  1137.             // really no checking that we can do, so return an
    1138. 

  1138.             // endpoint that's for the specified `openid.op_endpoint'
    1139. 

  1139.             return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL(
    1140. 

  1140.                                                 $to_match->server_url);
    1141. 

  1141.         }
    1142. 

  1142. 

  1143.         if (!$endpoint) {
    1144. 

  1144.             // The claimed ID doesn't match, so we have to do
    1145. 

  1145.             // discovery again. This covers not using sessions, OP
    1146. 

  1146.             // identifier endpoints and responses that didn't match
    1147. 

  1147.             // the original request.
    1148. 

  1148.             // oidutil.log('No pre-discovered information supplied.')
    1149. 

  1149.             return $this->_discoverAndVerify($to_match->claimed_id,
    1150. 

  1150.                                              array($to_match));
    1151. 

  1151.         } else {
    1152. 

  1152. 

  1153.             // The claimed ID matches, so we use the endpoint that we
    1154. 

  1154.             // discovered in initiation. This should be the most
    1155. 

  1155.             // common case.
    1156. 

  1156.             $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
    1157. 

  1157. 

  1158.             if (Auth_OpenID::isFailure($result)) {
    1159. 

  1159.                 $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
    1160. 

  1160.                                                       array($to_match));
    1161. 

  1161.                 if (Auth_OpenID::isFailure($endpoint)) {
    1162. 

  1162.                     return $endpoint;
    1163. 

  1163.                 }
    1164. 

  1164.             }
    1165. 

  1165.         }
    1166. 

  1166. 

  1167.         // The endpoint we return should have the claimed ID from the
    1168. 

  1168.         // message we just verified, fragment and all.
    1169. 

  1169.         if ($endpoint->claimed_id != $to_match->claimed_id) {
    1170. 

  1170.             $endpoint->claimed_id = $to_match->claimed_id;
    1171. 

  1171.         }
    1172. 

  1172. 

  1173.         return $endpoint;
    1174. 

  1174.     }
    1175. 

  1175. 

  1176.     /**
    1177. 

  1177.      * @access private
    1178. 

  1178.      */
    1179. 

  1179.     function _discoverAndVerify($claimed_id, $to_match_endpoints)
    1180. 

  1180.     {
    1181. 

  1181.         // oidutil.log('Performing discovery on %s' % (claimed_id,))
    1182. 

  1182.         list($unused, $services) = call_user_func($this->discoverMethod,
    1183. 

  1183.                                                   $claimed_id,
    1184. 

  1184.                                                   &$this->fetcher);
    1185. 

  1185. 

  1186.         if (!$services) {
    1187. 

  1187.             return new Auth_OpenID_FailureResponse(null,
    1188. 

  1188.               sprintf("No OpenID information found at %s",
    1189. 

  1189.                       $claimed_id));
    1190. 

  1190.         }
    1191. 

  1191. 

  1192.         return $this->_verifyDiscoveryServices($claimed_id, $services,
    1193. 

  1193.                                                $to_match_endpoints);
    1194. 

  1194.     }
    1195. 

  1195. 

  1196.     /**
    1197. 

  1197.      * @access private
    1198. 

  1198.      */
    1199. 

  1199.     function _verifyDiscoveryServices($claimed_id, 
    1200. 

  1200.                                       &$services, &$to_match_endpoints)
    1201. 

  1201.     {
    1202. 

  1202.         // Search the services resulting from discovery to find one
    1203. 

  1203.         // that matches the information from the assertion
    1204. 

  1204. 

  1205.         foreach ($services as $endpoint) {
    1206. 

  1206.             foreach ($to_match_endpoints as $to_match_endpoint) {
    1207. 

  1207.                 $result = $this->_verifyDiscoverySingle($endpoint, 
    1208. 

  1208.                                                         $to_match_endpoint);
    1209. 

  1209. 

  1210.                 if (!Auth_OpenID::isFailure($result)) {
    1211. 

  1211.                     // It matches, so discover verification has
    1212. 

  1212.                     // succeeded. Return this endpoint.
    1213. 

  1213.                     return $endpoint;
    1214. 

  1214.                 }
    1215. 

  1215.             }
    1216. 

  1216.         }
    1217. 

  1217. 

  1218.         return new Auth_OpenID_FailureResponse(null,
    1219. 

  1219.           sprintf('No matching endpoint found after discovering %s',
    1220. 

  1220.                   $claimed_id));
    1221. 

  1221.     }
    1222. 

  1222. 

  1223.     /**
    1224. 

  1224.      * Extract the nonce from an OpenID 1 response.  Return the nonce
    1225. 

  1225.      * from the BARE_NS since we independently check the return_to
    1226. 

  1226.      * arguments are the same as those in the response message.
    1227. 

  1227.      *
    1228. 

  1228.      * See the openid1_nonce_query_arg_name class variable
    1229. 

  1229.      *
    1230. 

  1230.      * @returns $nonce The nonce as a string or null
    1231. 

  1231.      *
    1232. 

  1232.      * @access private
    1233. 

  1233.      */
    1234. 

  1234.     function _idResGetNonceOpenID1($message, $endpoint)
    1235. 

  1235.     {
    1236. 

  1236.         return $message->getArg(Auth_OpenID_BARE_NS,
    1237. 

  1237.                                 $this->openid1_nonce_query_arg_name);
    1238. 

  1238.     }
    1239. 

  1239. 

  1240.     /**
    1241. 

  1241.      * @access private
    1242. 

  1242.      */
    1243. 

  1243.     function _idResCheckNonce($message, $endpoint)
    1244. 

  1244.     {
    1245. 

  1245.         if ($message->isOpenID1()) {
    1246. 

  1246.             // This indicates that the nonce was generated by the consumer
    1247. 

  1247.             $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
    1248. 

  1248.             $server_url = '';
    1249. 

  1249.         } else {
    1250. 

  1250.             $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
    1251. 

  1251.                                       'response_nonce');
    1252. 

  1252. 

  1253.             $server_url = $endpoint->server_url;
    1254. 

  1254.         }
    1255. 

  1255. 

  1256.         if ($nonce === null) {
    1257. 

  1257.             return new Auth_OpenID_FailureResponse($endpoint,
    1258. 

  1258.                                      "Nonce missing from response");
    1259. 

  1259.         }
    1260. 

  1260. 

  1261.         $parts = Auth_OpenID_splitNonce($nonce);
    1262. 

  1262. 

  1263.         if ($parts === null) {
    1264. 

  1264.             return new Auth_OpenID_FailureResponse($endpoint,
    1265. 

  1265.                                      "Malformed nonce in response");
    1266. 

  1266.         }
    1267. 

  1267. 

  1268.         list($timestamp, $salt) = $parts;
    1269. 

  1269. 

  1270.         if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
    1271. 

  1271.             return new Auth_OpenID_FailureResponse($endpoint,
    1272. 

  1272.                          "Nonce already used or out of range");
    1273. 

  1273.         }
    1274. 

  1274. 

  1275.         return null;
    1276. 

  1276.     }
    1277. 

  1277. 

  1278.     /**
    1279. 

  1279.      * @access private
    1280. 

  1280.      */
    1281. 

  1281.     function _idResCheckForFields($message)
    1282. 

  1282.     {
    1283. 

  1283.         $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
    1284. 

  1284.         $basic_sig_fields = array('return_to', 'identity');
    1285. 

  1285. 

  1286.         $require_fields = array(
    1287. 

  1287.             Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
    1288. 

  1288.                                                   array('op_endpoint')),
    1289. 

  1289. 

  1290.             Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
    1291. 

  1291.                                                   array('identity'))
    1292. 

  1292.             );
    1293. 

  1293. 

  1294.         $require_sigs = array(
    1295. 

  1295.             Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
    1296. 

  1296.                                                   array('response_nonce',
    1297. 

  1297.                                                         'claimed_id',
    1298. 

  1298.                                                         'assoc_handle',
    1299. 

  1299.                                                         'op_endpoint')),
    1300. 

  1300.             Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
    1301. 

  1301.                                                   array('nonce'))
    1302. 

  1302.             );
    1303. 

  1303. 

  1304.         foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
    1305. 

  1305.             if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
    1306. 

  1306.                 return new Auth_OpenID_FailureResponse(null,
    1307. 

  1307.                              "Missing required field '".$field."'");
    1308. 

  1308.             }
    1309. 

  1309.         }
    1310. 

  1310. 

  1311.         $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
    1312. 

  1312.                                             'signed',
    1313. 

  1313.                                             Auth_OpenID_NO_DEFAULT);
    1314. 

  1314.         if (Auth_OpenID::isFailure($signed_list_str)) {
    1315. 

  1315.             return $signed_list_str;
    1316. 

  1316.         }
    1317. 

  1317.         $signed_list = explode(',', $signed_list_str);
    1318. 

  1318. 

  1319.         foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
    1320. 

  1320.             // Field is present and not in signed list
    1321. 

  1321.             if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
    1322. 

  1322.                 (!in_array($field, $signed_list))) {
    1323. 

  1323.                 return new Auth_OpenID_FailureResponse(null,
    1324. 

  1324.                              "'".$field."' not signed");
    1325. 

  1325.             }
    1326. 

  1326.         }
    1327. 

  1327. 

  1328.         return null;
    1329. 

  1329.     }
    1330. 

  1330. 

  1331.     /**
    1332. 

  1332.      * @access private
    1333. 

  1333.      */
    1334. 

  1334.     function _checkAuth($message, $server_url)
    1335. 

  1335.     {
    1336. 

  1336.         $request = $this->_createCheckAuthRequest($message);
    1337. 

  1337.         if ($request === null) {
    1338. 

  1338.             return false;
    1339. 

  1339.         }
    1340. 

  1340. 

  1341.         $resp_message = $this->_makeKVPost($request, $server_url);
    1342. 

  1342.         if (($resp_message === null) ||
    1343. 

  1343.             (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
    1344. 

  1344.             return false;
    1345. 

  1345.         }
    1346. 

  1346. 

  1347.         return $this->_processCheckAuthResponse($resp_message, $server_url);
    1348. 

  1348.     }
    1349. 

  1349. 

  1350.     /**
    1351. 

  1351.      * @access private
    1352. 

  1352.      */
    1353. 

  1353.     function _createCheckAuthRequest($message)
    1354. 

  1354.     {
    1355. 

  1355.         $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
    1356. 

  1356.         if ($signed) {
    1357. 

  1357.             foreach (explode(',', $signed) as $k) {
    1358. 

  1358.                 $value = $message->getAliasedArg($k);
    1359. 

  1359.                 if ($value === null) {
    1360. 

  1360.                     return null;
    1361. 

  1361.                 }
    1362. 

  1362.             }
    1363. 

  1363.         }
    1364. 

  1364.         $ca_message = $message->copy();
    1365. 

  1365.         $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', 
    1366. 

  1366.                             'check_authentication');
    1367. 

  1367.         return $ca_message;
    1368. 

  1368.     }
    1369. 

  1369. 

  1370.     /**
    1371. 

  1371.      * @access private
    1372. 

  1372.      */
    1373. 

  1373.     function _processCheckAuthResponse($response, 
    1374.

Large files files are truncated, but you can click here to view the full file