/inc/lib/Auth/OpenID/Consumer.php
PHP | 2230 lines | 1121 code | 278 blank | 831 comment | 192 complexity | 8b9446deaf7e84fdb814f02d7c7e4079 MD5 | raw file
Possible License(s): BSD-3-Clause, Apache-2.0
- <?php
- /**
- * This module documents the main interface with the OpenID consumer
- * library. The only part of the library which has to be used and
- * isn't documented in full here is the store required to create an
- * Auth_OpenID_Consumer instance. More on the abstract store type and
- * concrete implementations of it that are provided in the
- * documentation for the Auth_OpenID_Consumer constructor.
- *
- * OVERVIEW
- *
- * The OpenID identity verification process most commonly uses the
- * following steps, as visible to the user of this library:
- *
- * 1. The user enters their OpenID into a field on the consumer's
- * site, and hits a login button.
- * 2. The consumer site discovers the user's OpenID server using the
- * YADIS protocol.
- * 3. The consumer site sends the browser a redirect to the identity
- * server. This is the authentication request as described in
- * the OpenID specification.
- * 4. The identity server's site sends the browser a redirect back
- * to the consumer site. This redirect contains the server's
- * response to the authentication request.
- *
- * The most important part of the flow to note is the consumer's site
- * must handle two separate HTTP requests in order to perform the full
- * identity check.
- *
- * LIBRARY DESIGN
- *
- * This consumer library is designed with that flow in mind. The goal
- * is to make it as easy as possible to perform the above steps
- * securely.
- *
- * At a high level, there are two important parts in the consumer
- * library. The first important part is this module, which contains
- * the interface to actually use this library. The second is the
- * Auth_OpenID_Interface class, which describes the interface to use
- * if you need to create a custom method for storing the state this
- * library needs to maintain between requests.
- *
- * In general, the second part is less important for users of the
- * library to know about, as several implementations are provided
- * which cover a wide variety of situations in which consumers may use
- * the library.
- *
- * This module contains a class, Auth_OpenID_Consumer, with methods
- * corresponding to the actions necessary in each of steps 2, 3, and 4
- * described in the overview. Use of this library should be as easy
- * as creating an Auth_OpenID_Consumer instance and calling the
- * methods appropriate for the action the site wants to take.
- *
- * STORES AND DUMB MODE
- *
- * OpenID is a protocol that works best when the consumer site is able
- * to store some state. This is the normal mode of operation for the
- * protocol, and is sometimes referred to as smart mode. There is
- * also a fallback mode, known as dumb mode, which is available when
- * the consumer site is not able to store state. This mode should be
- * avoided when possible, as it leaves the implementation more
- * vulnerable to replay attacks.
- *
- * The mode the library works in for normal operation is determined by
- * the store that it is given. The store is an abstraction that
- * handles the data that the consumer needs to manage between http
- * requests in order to operate efficiently and securely.
- *
- * Several store implementation are provided, and the interface is
- * fully documented so that custom stores can be used as well. See
- * the documentation for the Auth_OpenID_Consumer class for more
- * information on the interface for stores. The implementations that
- * are provided allow the consumer site to store the necessary data in
- * several different ways, including several SQL databases and normal
- * files on disk.
- *
- * There is an additional concrete store provided that puts the system
- * in dumb mode. This is not recommended, as it removes the library's
- * ability to stop replay attacks reliably. It still uses time-based
- * checking to make replay attacks only possible within a small
- * window, but they remain possible within that window. This store
- * should only be used if the consumer site has no way to retain data
- * between requests at all.
- *
- * IMMEDIATE MODE
- *
- * In the flow described above, the user may need to confirm to the
- * lidentity server that it's ok to authorize his or her identity.
- * The server may draw pages asking for information from the user
- * before it redirects the browser back to the consumer's site. This
- * is generally transparent to the consumer site, so it is typically
- * ignored as an implementation detail.
- *
- * There can be times, however, where the consumer site wants to get a
- * response immediately. When this is the case, the consumer can put
- * the library in immediate mode. In immediate mode, there is an
- * extra response possible from the server, which is essentially the
- * server reporting that it doesn't have enough information to answer
- * the question yet.
- *
- * USING THIS LIBRARY
- *
- * Integrating this library into an application is usually a
- * relatively straightforward process. The process should basically
- * follow this plan:
- *
- * Add an OpenID login field somewhere on your site. When an OpenID
- * is entered in that field and the form is submitted, it should make
- * a request to the your site which includes that OpenID URL.
- *
- * First, the application should instantiate the Auth_OpenID_Consumer
- * class using the store of choice (Auth_OpenID_FileStore or one of
- * the SQL-based stores). If the application has a custom
- * session-management implementation, an object implementing the
- * {@link Auth_Yadis_PHPSession} interface should be passed as the
- * second parameter. Otherwise, the default uses $_SESSION.
- *
- * Next, the application should call the Auth_OpenID_Consumer object's
- * 'begin' method. This method takes the OpenID URL. The 'begin'
- * method returns an Auth_OpenID_AuthRequest object.
- *
- * Next, the application should call the 'redirectURL' method of the
- * Auth_OpenID_AuthRequest object. The 'return_to' URL parameter is
- * the URL that the OpenID server will send the user back to after
- * attempting to verify his or her identity. The 'trust_root' is the
- * URL (or URL pattern) that identifies your web site to the user when
- * he or she is authorizing it. Send a redirect to the resulting URL
- * to the user's browser.
- *
- * That's the first half of the authentication process. The second
- * half of the process is done after the user's ID server sends the
- * user's browser a redirect back to your site to complete their
- * login.
- *
- * When that happens, the user will contact your site at the URL given
- * as the 'return_to' URL to the Auth_OpenID_AuthRequest::redirectURL
- * call made above. The request will have several query parameters
- * added to the URL by the identity server as the information
- * necessary to finish the request.
- *
- * Lastly, instantiate an Auth_OpenID_Consumer instance as above and
- * call its 'complete' method, passing in all the received query
- * arguments.
- *
- * There are multiple possible return types possible from that
- * method. These indicate the whether or not the login was successful,
- * and include any additional information appropriate for their type.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
- /**
- * Require utility classes and functions for the consumer.
- */
- require_once "Auth/OpenID.php";
- require_once "Auth/OpenID/Message.php";
- require_once "Auth/OpenID/HMAC.php";
- require_once "Auth/OpenID/Association.php";
- require_once "Auth/OpenID/CryptUtil.php";
- require_once "Auth/OpenID/DiffieHellman.php";
- require_once "Auth/OpenID/KVForm.php";
- require_once "Auth/OpenID/Nonce.php";
- require_once "Auth/OpenID/Discover.php";
- require_once "Auth/OpenID/URINorm.php";
- require_once "Auth/Yadis/Manager.php";
- require_once "Auth/Yadis/XRI.php";
- /**
- * This is the status code returned when the complete method returns
- * successfully.
- */
- define('Auth_OpenID_SUCCESS', 'success');
- /**
- * Status to indicate cancellation of OpenID authentication.
- */
- define('Auth_OpenID_CANCEL', 'cancel');
- /**
- * This is the status code completeAuth returns when the value it
- * received indicated an invalid login.
- */
- define('Auth_OpenID_FAILURE', 'failure');
- /**
- * This is the status code completeAuth returns when the
- * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the
- * identity server sends back a URL to send the user to to complete his
- * or her login.
- */
- define('Auth_OpenID_SETUP_NEEDED', 'setup needed');
- /**
- * This is the status code beginAuth returns when the page fetched
- * from the entered OpenID URL doesn't contain the necessary link tags
- * to function as an identity page.
- */
- define('Auth_OpenID_PARSE_ERROR', 'parse error');
- /**
- * An OpenID consumer implementation that performs discovery and does
- * session management. See the Consumer.php file documentation for
- * more information.
- *
- * @package OpenID
- */
- class Auth_OpenID_Consumer {
- /**
- * @access private
- */
- var $discoverMethod = 'Auth_OpenID_discover';
- /**
- * @access private
- */
- var $session_key_prefix = "_openid_consumer_";
- /**
- * @access private
- */
- var $_token_suffix = "last_token";
- /**
- * Initialize a Consumer instance.
- *
- * You should create a new instance of the Consumer object with
- * every HTTP request that handles OpenID transactions.
- *
- * @param Auth_OpenID_OpenIDStore $store This must be an object
- * that implements the interface in {@link
- * Auth_OpenID_OpenIDStore}. Several concrete implementations are
- * provided, to cover most common use cases. For stores backed by
- * MySQL, PostgreSQL, or SQLite, see the {@link
- * Auth_OpenID_SQLStore} class and its sublcasses. For a
- * filesystem-backed store, see the {@link Auth_OpenID_FileStore}
- * module. As a last resort, if it isn't possible for the server
- * to store state at all, an instance of {@link
- * Auth_OpenID_DumbStore} can be used.
- *
- * @param mixed $session An object which implements the interface
- * of the {@link Auth_Yadis_PHPSession} class. Particularly, this
- * object is expected to have these methods: get($key), set($key),
- * $value), and del($key). This defaults to a session object
- * which wraps PHP's native session machinery. You should only
- * need to pass something here if you have your own sessioning
- * implementation.
- *
- * @param str $consumer_cls The name of the class to instantiate
- * when creating the internal consumer object. This is used for
- * testing.
- */
- function Auth_OpenID_Consumer(&$store, $session = null,
- $consumer_cls = null)
- {
- if ($session === null) {
- $session = new Auth_Yadis_PHPSession();
- }
- $this->session =& $session;
- if ($consumer_cls !== null) {
- $this->consumer = new $consumer_cls($store);
- } else {
- $this->consumer = new Auth_OpenID_GenericConsumer($store);
- }
- $this->_token_key = $this->session_key_prefix . $this->_token_suffix;
- }
- /**
- * Used in testing to define the discovery mechanism.
- *
- * @access private
- */
- function getDiscoveryObject(&$session, $openid_url,
- $session_key_prefix)
- {
- return new Auth_Yadis_Discovery($session, $openid_url,
- $session_key_prefix);
- }
- /**
- * Start the OpenID authentication process. See steps 1-2 in the
- * overview at the top of this file.
- *
- * @param string $user_url Identity URL given by the user. This
- * method performs a textual transformation of the URL to try and
- * make sure it is normalized. For example, a user_url of
- * example.com will be normalized to http://example.com/
- * normalizing and resolving any redirects the server might issue.
- *
- * @param bool $anonymous True if the OpenID request is to be sent
- * to the server without any identifier information. Use this
- * when you want to transport data but don't want to do OpenID
- * authentication with identifiers.
- *
- * @return Auth_OpenID_AuthRequest $auth_request An object
- * containing the discovered information will be returned, with a
- * method for building a redirect URL to the server, as described
- * in step 3 of the overview. This object may also be used to add
- * extension arguments to the request, using its 'addExtensionArg'
- * method.
- */
- function begin($user_url, $anonymous=false)
- {
- $openid_url = $user_url;
- $disco = $this->getDiscoveryObject($this->session,
- $openid_url,
- $this->session_key_prefix);
- // Set the 'stale' attribute of the manager. If discovery
- // fails in a fatal way, the stale flag will cause the manager
- // to be cleaned up next time discovery is attempted.
- $m = $disco->getManager();
- $loader = new Auth_Yadis_ManagerLoader();
- if ($m) {
- if ($m->stale) {
- $disco->destroyManager();
- } else {
- $m->stale = true;
- $disco->session->set($disco->session_key,
- serialize($loader->toSession($m)));
- }
- }
- $endpoint = $disco->getNextService($this->discoverMethod,
- $this->consumer->fetcher);
- // Reset the 'stale' attribute of the manager.
- $m =& $disco->getManager();
- if ($m) {
- $m->stale = false;
- $disco->session->set($disco->session_key,
- serialize($loader->toSession($m)));
- }
- if ($endpoint === null) {
- return null;
- } else {
- return $this->beginWithoutDiscovery($endpoint,
- $anonymous);
- }
- }
- /**
- * Start OpenID verification without doing OpenID server
- * discovery. This method is used internally by Consumer.begin
- * after discovery is performed, and exists to provide an
- * interface for library users needing to perform their own
- * discovery.
- *
- * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service
- * endpoint descriptor.
- *
- * @param bool anonymous Set to true if you want to perform OpenID
- * without identifiers.
- *
- * @return Auth_OpenID_AuthRequest $auth_request An OpenID
- * authentication request object.
- */
- function &beginWithoutDiscovery($endpoint, $anonymous=false)
- {
- $loader = new Auth_OpenID_ServiceEndpointLoader();
- $auth_req = $this->consumer->begin($endpoint);
- $this->session->set($this->_token_key,
- $loader->toSession($auth_req->endpoint));
- if (!$auth_req->setAnonymous($anonymous)) {
- return new Auth_OpenID_FailureResponse(null,
- "OpenID 1 requests MUST include the identifier " .
- "in the request.");
- }
- return $auth_req;
- }
- /**
- * Called to interpret the server's response to an OpenID
- * request. It is called in step 4 of the flow described in the
- * consumer overview.
- *
- * @param string $current_url The URL used to invoke the application.
- * Extract the URL from your application's web
- * request framework and specify it here to have it checked
- * against the openid.current_url value in the response. If
- * the current_url URL check fails, the status of the
- * completion will be FAILURE.
- *
- * @param array $query An array of the query parameters (key =>
- * value pairs) for this HTTP request. Defaults to null. If
- * null, the GET or POST data are automatically gotten from the
- * PHP environment. It is only useful to override $query for
- * testing.
- *
- * @return Auth_OpenID_ConsumerResponse $response A instance of an
- * Auth_OpenID_ConsumerResponse subclass. The type of response is
- * indicated by the status attribute, which will be one of
- * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
- */
- function complete($current_url, $query=null)
- {
- if ($current_url && !is_string($current_url)) {
- // This is ugly, but we need to complain loudly when
- // someone uses the API incorrectly.
- trigger_error("current_url must be a string; see NEWS file " .
- "for upgrading notes.",
- E_USER_ERROR);
- }
- if ($query === null) {
- $query = Auth_OpenID::getQuery();
- }
- $loader = new Auth_OpenID_ServiceEndpointLoader();
- $endpoint_data = $this->session->get($this->_token_key);
- $endpoint =
- $loader->fromSession($endpoint_data);
- $message = Auth_OpenID_Message::fromPostArgs($query);
- $response = $this->consumer->complete($message, $endpoint,
- $current_url);
- $this->session->del($this->_token_key);
- if (in_array($response->status, array(Auth_OpenID_SUCCESS,
- Auth_OpenID_CANCEL))) {
- if ($response->identity_url !== null) {
- $disco = $this->getDiscoveryObject($this->session,
- $response->identity_url,
- $this->session_key_prefix);
- $disco->cleanup(true);
- }
- }
- return $response;
- }
- }
- /**
- * A class implementing HMAC/DH-SHA1 consumer sessions.
- *
- * @package OpenID
- */
- class Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
- var $session_type = 'DH-SHA1';
- var $hash_func = 'Auth_OpenID_SHA1';
- var $secret_size = 20;
- var $allowed_assoc_types = array('HMAC-SHA1');
- function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null)
- {
- if ($dh === null) {
- $dh = new Auth_OpenID_DiffieHellman();
- }
- $this->dh = $dh;
- }
- function getRequest()
- {
- $math =& Auth_OpenID_getMathLib();
- $cpub = $math->longToBase64($this->dh->public);
- $args = array('dh_consumer_public' => $cpub);
- if (!$this->dh->usingDefaultValues()) {
- $args = array_merge($args, array(
- 'dh_modulus' =>
- $math->longToBase64($this->dh->mod),
- 'dh_gen' =>
- $math->longToBase64($this->dh->gen)));
- }
- return $args;
- }
- function extractSecret($response)
- {
- if (!$response->hasKey(Auth_OpenID_OPENID_NS,
- 'dh_server_public')) {
- return null;
- }
- if (!$response->hasKey(Auth_OpenID_OPENID_NS,
- 'enc_mac_key')) {
- return null;
- }
- $math =& Auth_OpenID_getMathLib();
- $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS,
- 'dh_server_public'));
- $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
- 'enc_mac_key'));
- return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func);
- }
- }
- /**
- * A class implementing HMAC/DH-SHA256 consumer sessions.
- *
- * @package OpenID
- */
- class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends
- Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
- var $session_type = 'DH-SHA256';
- var $hash_func = 'Auth_OpenID_SHA256';
- var $secret_size = 32;
- var $allowed_assoc_types = array('HMAC-SHA256');
- }
- /**
- * A class implementing plaintext consumer sessions.
- *
- * @package OpenID
- */
- class Auth_OpenID_PlainTextConsumerSession {
- var $session_type = 'no-encryption';
- var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256');
- function getRequest()
- {
- return array();
- }
- function extractSecret($response)
- {
- if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) {
- return null;
- }
- return base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
- 'mac_key'));
- }
- }
- /**
- * Returns available session types.
- */
- function Auth_OpenID_getAvailableSessionTypes()
- {
- $types = array(
- 'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession',
- 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession',
- 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession');
- return $types;
- }
- /**
- * This class is the interface to the OpenID consumer logic.
- * Instances of it maintain no per-request state, so they can be
- * reused (or even used by multiple threads concurrently) as needed.
- *
- * @package OpenID
- */
- class Auth_OpenID_GenericConsumer {
- /**
- * @access private
- */
- var $discoverMethod = 'Auth_OpenID_discover';
- /**
- * This consumer's store object.
- */
- var $store;
- /**
- * @access private
- */
- var $_use_assocs;
- /**
- * @access private
- */
- var $openid1_nonce_query_arg_name = 'janrain_nonce';
- /**
- * Another query parameter that gets added to the return_to for
- * OpenID 1; if the user's session state is lost, use this claimed
- * identifier to do discovery when verifying the response.
- */
- var $openid1_return_to_identifier_name = 'openid1_claimed_id';
- /**
- * This method initializes a new {@link Auth_OpenID_Consumer}
- * instance to access the library.
- *
- * @param Auth_OpenID_OpenIDStore $store This must be an object
- * that implements the interface in {@link Auth_OpenID_OpenIDStore}.
- * Several concrete implementations are provided, to cover most common use
- * cases. For stores backed by MySQL, PostgreSQL, or SQLite, see
- * the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a
- * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module.
- * As a last resort, if it isn't possible for the server to store
- * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used.
- *
- * @param bool $immediate This is an optional boolean value. It
- * controls whether the library uses immediate mode, as explained
- * in the module description. The default value is False, which
- * disables immediate mode.
- */
- function Auth_OpenID_GenericConsumer(&$store)
- {
- $this->store =& $store;
- $this->negotiator =& Auth_OpenID_getDefaultNegotiator();
- $this->_use_assocs = ($this->store ? true : false);
- $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
- $this->session_types = Auth_OpenID_getAvailableSessionTypes();
- }
- /**
- * Called to begin OpenID authentication using the specified
- * {@link Auth_OpenID_ServiceEndpoint}.
- *
- * @access private
- */
- function begin($service_endpoint)
- {
- $assoc = $this->_getAssociation($service_endpoint);
- $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
- $r->return_to_args[$this->openid1_nonce_query_arg_name] =
- Auth_OpenID_mkNonce();
- if ($r->message->isOpenID1()) {
- $r->return_to_args[$this->openid1_return_to_identifier_name] =
- $r->endpoint->claimed_id;
- }
- return $r;
- }
- /**
- * Given an {@link Auth_OpenID_Message}, {@link
- * Auth_OpenID_ServiceEndpoint} and optional return_to URL,
- * complete OpenID authentication.
- *
- * @access private
- */
- function complete($message, $endpoint, $return_to)
- {
- $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
- '<no mode set>');
- $mode_methods = array(
- 'cancel' => '_complete_cancel',
- 'error' => '_complete_error',
- 'setup_needed' => '_complete_setup_needed',
- 'id_res' => '_complete_id_res',
- );
- $method = Auth_OpenID::arrayGet($mode_methods, $mode,
- '_completeInvalid');
- return call_user_func_array(array(&$this, $method),
- array($message, &$endpoint, $return_to));
- }
- /**
- * @access private
- */
- function _completeInvalid($message, &$endpoint, $unused)
- {
- $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
- '<No mode set>');
- return new Auth_OpenID_FailureResponse($endpoint,
- sprintf("Invalid openid.mode '%s'", $mode));
- }
- /**
- * @access private
- */
- function _complete_cancel($message, &$endpoint, $unused)
- {
- return new Auth_OpenID_CancelResponse($endpoint);
- }
- /**
- * @access private
- */
- function _complete_error($message, &$endpoint, $unused)
- {
- $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
- $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
- $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');
- return new Auth_OpenID_FailureResponse($endpoint, $error,
- $contact, $reference);
- }
- /**
- * @access private
- */
- function _complete_setup_needed($message, &$endpoint, $unused)
- {
- if (!$message->isOpenID2()) {
- return $this->_completeInvalid($message, $endpoint);
- }
- $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'user_setup_url');
- return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url);
- }
- /**
- * @access private
- */
- function _complete_id_res($message, &$endpoint, $return_to)
- {
- $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
- 'user_setup_url');
- if ($this->_checkSetupNeeded($message)) {
- return new Auth_OpenID_SetupNeededResponse(
- $endpoint, $user_setup_url);
- } else {
- return $this->_doIdRes($message, $endpoint, $return_to);
- }
- }
- /**
- * @access private
- */
- function _checkSetupNeeded($message)
- {
- // In OpenID 1, we check to see if this is a cancel from
- // immediate mode by the presence of the user_setup_url
- // parameter.
- if ($message->isOpenID1()) {
- $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
- 'user_setup_url');
- if ($user_setup_url !== null) {
- return true;
- }
- }
- return false;
- }
- /**
- * @access private
- */
- function _doIdRes($message, $endpoint, $return_to)
- {
- // Checks for presence of appropriate fields (and checks
- // signed list fields)
- $result = $this->_idResCheckForFields($message);
- if (Auth_OpenID::isFailure($result)) {
- return $result;
- }
- if (!$this->_checkReturnTo($message, $return_to)) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("return_to does not match return URL. Expected %s, got %s",
- $return_to,
- $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
- }
- // Verify discovery information:
- $result = $this->_verifyDiscoveryResults($message, $endpoint);
- if (Auth_OpenID::isFailure($result)) {
- return $result;
- }
- $endpoint = $result;
- $result = $this->_idResCheckSignature($message,
- $endpoint->server_url);
- if (Auth_OpenID::isFailure($result)) {
- return $result;
- }
- $result = $this->_idResCheckNonce($message, $endpoint);
- if (Auth_OpenID::isFailure($result)) {
- return $result;
- }
- $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed',
- Auth_OpenID_NO_DEFAULT);
- if (Auth_OpenID::isFailure($signed_list_str)) {
- return $signed_list_str;
- }
- $signed_list = explode(',', $signed_list_str);
- $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
- return new Auth_OpenID_SuccessResponse($endpoint, $message,
- $signed_fields);
- }
- /**
- * @access private
- */
- function _checkReturnTo($message, $return_to)
- {
- // Check an OpenID message and its openid.return_to value
- // against a return_to URL from an application. Return True
- // on success, False on failure.
- // Check the openid.return_to args against args in the
- // original message.
- $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs(
- $message->toPostArgs());
- if (Auth_OpenID::isFailure($result)) {
- return false;
- }
- // Check the return_to base URL against the one in the
- // message.
- $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
- 'return_to');
- if (Auth_OpenID::isFailure($return_to)) {
- // XXX log me
- return false;
- }
- $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
- $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));
- // If port is absent from both, add it so it's equal in the
- // check below.
- if ((!array_key_exists('port', $return_to_parts)) &&
- (!array_key_exists('port', $msg_return_to_parts))) {
- $return_to_parts['port'] = null;
- $msg_return_to_parts['port'] = null;
- }
- // If path is absent from both, add it so it's equal in the
- // check below.
- if ((!array_key_exists('path', $return_to_parts)) &&
- (!array_key_exists('path', $msg_return_to_parts))) {
- $return_to_parts['path'] = null;
- $msg_return_to_parts['path'] = null;
- }
- // The URL scheme, authority, and path MUST be the same
- // between the two URLs.
- foreach (array('scheme', 'host', 'port', 'path') as $component) {
- // If the url component is absent in either URL, fail.
- // There should always be a scheme, host, port, and path.
- if (!array_key_exists($component, $return_to_parts)) {
- return false;
- }
- if (!array_key_exists($component, $msg_return_to_parts)) {
- return false;
- }
- if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
- Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
- return false;
- }
- }
- return true;
- }
- /**
- * @access private
- */
- function _verifyReturnToArgs($query)
- {
- // Verify that the arguments in the return_to URL are present in this
- // response.
- $message = Auth_OpenID_Message::fromPostArgs($query);
- $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
- if (Auth_OpenID::isFailure($return_to)) {
- return $return_to;
- }
- // XXX: this should be checked by _idResCheckForFields
- if (!$return_to) {
- return new Auth_OpenID_FailureResponse(null,
- "Response has no return_to");
- }
- $parsed_url = parse_url($return_to);
- $q = array();
- if (array_key_exists('query', $parsed_url)) {
- $rt_query = $parsed_url['query'];
- $q = Auth_OpenID::parse_str($rt_query);
- }
- foreach ($q as $rt_key => $rt_value) {
- if (!array_key_exists($rt_key, $query)) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("return_to parameter %s absent from query", $rt_key));
- } else {
- $value = $query[$rt_key];
- if ($rt_value != $value) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("parameter %s value %s does not match " .
- "return_to value %s", $rt_key,
- $value, $rt_value));
- }
- }
- }
- // Make sure all non-OpenID arguments in the response are also
- // in the signed return_to.
- $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
- foreach ($bare_args as $key => $value) {
- if (Auth_OpenID::arrayGet($q, $key) != $value) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("Parameter %s = %s not in return_to URL",
- $key, $value));
- }
- }
- return true;
- }
- /**
- * @access private
- */
- function _idResCheckSignature($message, $server_url)
- {
- $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
- 'assoc_handle');
- if (Auth_OpenID::isFailure($assoc_handle)) {
- return $assoc_handle;
- }
- $assoc = $this->store->getAssociation($server_url, $assoc_handle);
- if ($assoc) {
- if ($assoc->getExpiresIn() <= 0) {
- // XXX: It might be a good idea sometimes to re-start
- // the authentication with a new association. Doing it
- // automatically opens the possibility for
- // denial-of-service by a server that just returns
- // expired associations (or really short-lived
- // associations)
- return new Auth_OpenID_FailureResponse(null,
- 'Association with ' . $server_url . ' expired');
- }
- if (!$assoc->checkMessageSignature($message)) {
- return new Auth_OpenID_FailureResponse(null,
- "Bad signature");
- }
- } else {
- // It's not an association we know about. Stateless mode
- // is our only possible path for recovery. XXX - async
- // framework will not want to block on this call to
- // _checkAuth.
- if (!$this->_checkAuth($message, $server_url)) {
- return new Auth_OpenID_FailureResponse(null,
- "Server denied check_authentication");
- }
- }
- return null;
- }
- /**
- * @access private
- */
- function _verifyDiscoveryResults($message, $endpoint=null)
- {
- if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) {
- return $this->_verifyDiscoveryResultsOpenID2($message,
- $endpoint);
- } else {
- return $this->_verifyDiscoveryResultsOpenID1($message,
- $endpoint);
- }
- }
- /**
- * @access private
- */
- function _verifyDiscoveryResultsOpenID1($message, $endpoint)
- {
- $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
- $this->openid1_return_to_identifier_name);
- if (($endpoint === null) && ($claimed_id === null)) {
- return new Auth_OpenID_FailureResponse($endpoint,
- 'When using OpenID 1, the claimed ID must be supplied, ' .
- 'either by passing it through as a return_to parameter ' .
- 'or by using a session, and supplied to the GenericConsumer ' .
- 'as the argument to complete()');
- } else if (($endpoint !== null) && ($claimed_id === null)) {
- $claimed_id = $endpoint->claimed_id;
- }
- $to_match = new Auth_OpenID_ServiceEndpoint();
- $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
- $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
- 'identity');
- // Restore delegate information from the initiation phase
- $to_match->claimed_id = $claimed_id;
- if ($to_match->local_id === null) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Missing required field openid.identity");
- }
- $to_match_1_0 = $to_match->copy();
- $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);
- if ($endpoint !== null) {
- $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
- if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) {
- $result = $this->_verifyDiscoverySingle($endpoint,
- $to_match_1_0);
- }
- if (Auth_OpenID::isFailure($result)) {
- // oidutil.log("Error attempting to use stored
- // discovery information: " + str(e))
- // oidutil.log("Attempting discovery to
- // verify endpoint")
- } else {
- return $endpoint;
- }
- }
- // Endpoint is either bad (failed verification) or None
- return $this->_discoverAndVerify($to_match->claimed_id,
- array($to_match, $to_match_1_0));
- }
- /**
- * @access private
- */
- function _verifyDiscoverySingle($endpoint, $to_match)
- {
- // Every type URI that's in the to_match endpoint has to be
- // present in the discovered endpoint.
- foreach ($to_match->type_uris as $type_uri) {
- if (!$endpoint->usesExtension($type_uri)) {
- return new Auth_OpenID_TypeURIMismatch($endpoint,
- "Required type ".$type_uri." not present");
- }
- }
- // Fragments do not influence discovery, so we can't compare a
- // claimed identifier with a fragment to discovered
- // information.
- list($defragged_claimed_id, $_) =
- Auth_OpenID::urldefrag($to_match->claimed_id);
- if ($defragged_claimed_id != $endpoint->claimed_id) {
- return new Auth_OpenID_FailureResponse($endpoint,
- sprintf('Claimed ID does not match (different subjects!), ' .
- 'Expected %s, got %s', $defragged_claimed_id,
- $endpoint->claimed_id));
- }
- if ($to_match->getLocalID() != $endpoint->getLocalID()) {
- return new Auth_OpenID_FailureResponse($endpoint,
- sprintf('local_id mismatch. Expected %s, got %s',
- $to_match->getLocalID(), $endpoint->getLocalID()));
- }
- // If the server URL is None, this must be an OpenID 1
- // response, because op_endpoint is a required parameter in
- // OpenID 2. In that case, we don't actually care what the
- // discovered server_url is, because signature checking or
- // check_auth should take care of that check for us.
- if ($to_match->server_url === null) {
- if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Preferred namespace mismatch (bug)");
- }
- } else if ($to_match->server_url != $endpoint->server_url) {
- return new Auth_OpenID_FailureResponse($endpoint,
- sprintf('OP Endpoint mismatch. Expected %s, got %s',
- $to_match->server_url, $endpoint->server_url));
- }
- return null;
- }
- /**
- * @access private
- */
- function _verifyDiscoveryResultsOpenID2($message, $endpoint)
- {
- $to_match = new Auth_OpenID_ServiceEndpoint();
- $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
- $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'claimed_id');
- $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'identity');
- $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'op_endpoint');
- if ($to_match->server_url === null) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "OP Endpoint URL missing");
- }
- // claimed_id and identifier must both be present or both be
- // absent
- if (($to_match->claimed_id === null) &&
- ($to_match->local_id !== null)) {
- return new Auth_OpenID_FailureResponse($endpoint,
- 'openid.identity is present without openid.claimed_id');
- }
- if (($to_match->claimed_id !== null) &&
- ($to_match->local_id === null)) {
- return new Auth_OpenID_FailureResponse($endpoint,
- 'openid.claimed_id is present without openid.identity');
- }
- if ($to_match->claimed_id === null) {
- // This is a response without identifiers, so there's
- // really no checking that we can do, so return an
- // endpoint that's for the specified `openid.op_endpoint'
- return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL(
- $to_match->server_url);
- }
- if (!$endpoint) {
- // The claimed ID doesn't match, so we have to do
- // discovery again. This covers not using sessions, OP
- // identifier endpoints and responses that didn't match
- // the original request.
- // oidutil.log('No pre-discovered information supplied.')
- return $this->_discoverAndVerify($to_match->claimed_id,
- array($to_match));
- } else {
- // The claimed ID matches, so we use the endpoint that we
- // discovered in initiation. This should be the most
- // common case.
- $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
- if (Auth_OpenID::isFailure($result)) {
- $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
- array($to_match));
- if (Auth_OpenID::isFailure($endpoint)) {
- return $endpoint;
- }
- }
- }
- // The endpoint we return should have the claimed ID from the
- // message we just verified, fragment and all.
- if ($endpoint->claimed_id != $to_match->claimed_id) {
- $endpoint->claimed_id = $to_match->claimed_id;
- }
- return $endpoint;
- }
- /**
- * @access private
- */
- function _discoverAndVerify($claimed_id, $to_match_endpoints)
- {
- // oidutil.log('Performing discovery on %s' % (claimed_id,))
- list($unused, $services) = call_user_func($this->discoverMethod,
- $claimed_id,
- &$this->fetcher);
- if (!$services) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("No OpenID information found at %s",
- $claimed_id));
- }
- return $this->_verifyDiscoveryServices($claimed_id, $services,
- $to_match_endpoints);
- }
- /**
- * @access private
- */
- function _verifyDiscoveryServices($claimed_id,
- &$services, &$to_match_endpoints)
- {
- // Search the services resulting from discovery to find one
- // that matches the information from the assertion
- foreach ($services as $endpoint) {
- foreach ($to_match_endpoints as $to_match_endpoint) {
- $result = $this->_verifyDiscoverySingle($endpoint,
- $to_match_endpoint);
- if (!Auth_OpenID::isFailure($result)) {
- // It matches, so discover verification has
- // succeeded. Return this endpoint.
- return $endpoint;
- }
- }
- }
- return new Auth_OpenID_FailureResponse(null,
- sprintf('No matching endpoint found after discovering %s',
- $claimed_id));
- }
- /**
- * Extract the nonce from an OpenID 1 response. Return the nonce
- * from the BARE_NS since we independently check the return_to
- * arguments are the same as those in the response message.
- *
- * See the openid1_nonce_query_arg_name class variable
- *
- * @returns $nonce The nonce as a string or null
- *
- * @access private
- */
- function _idResGetNonceOpenID1($message, $endpoint)
- {
- return $message->getArg(Auth_OpenID_BARE_NS,
- $this->openid1_nonce_query_arg_name);
- }
- /**
- * @access private
- */
- function _idResCheckNonce($message, $endpoint)
- {
- if ($message->isOpenID1()) {
- // This indicates that the nonce was generated by the consumer
- $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
- $server_url = '';
- } else {
- $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'response_nonce');
- $server_url = $endpoint->server_url;
- }
- if ($nonce === null) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Nonce missing from response");
- }
- $parts = Auth_OpenID_splitNonce($nonce);
- if ($parts === null) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Malformed nonce in response");
- }
- list($timestamp, $salt) = $parts;
- if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Nonce already used or out of range");
- }
- return null;
- }
- /**
- * @access private
- */
- function _idResCheckForFields($message)
- {
- $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
- $basic_sig_fields = array('return_to', 'identity');
- $require_fields = array(
- Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
- array('op_endpoint')),
- Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
- array('identity'))
- );
- $require_sigs = array(
- Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
- array('response_nonce',
- 'claimed_id',
- 'assoc_handle',
- 'op_endpoint')),
- Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
- array('nonce'))
- );
- foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
- if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
- return new Auth_OpenID_FailureResponse(null,
- "Missing required field '".$field."'");
- }
- }
- $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
- 'signed',
- Auth_OpenID_NO_DEFAULT);
- if (Auth_OpenID::isFailure($signed_list_str)) {
- return $signed_list_str;
- }
- $signed_list = explode(',', $signed_list_str);
- foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
- // Field is present and not in signed list
- if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
- (!in_array($field, $signed_list))) {
- return new Auth_OpenID_FailureResponse(null,
- "'".$field."' not signed");
- }
- }
- return null;
- }
- /**
- * @access private
- */
- function _checkAuth($message, $server_url)
- {
- $request = $this->_createCheckAuthRequest($message);
- if ($request === null) {
- return false;
- }
- $resp_message = $this->_makeKVPost($request, $server_url);
- if (($resp_message === null) ||
- (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
- return false;
- }
- return $this->_processCheckAuthResponse($resp_message, $server_url);
- }
- /**
- * @access private
- */
- function _createCheckAuthRequest($message)
- {
- $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
- if ($signed) {
- foreach (explode(',', $signed) as $k) {
- $value = $message->getAliasedArg($k);
- if ($value === null) {
- return null;
- }
- }
- }
- $ca_message = $message->copy();
- $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode',
- 'check_authentication');
- return $ca_message;
- }
- /**
- * @access private
- */
- function _processCheckAuthResponse($response, $server_url)
- {
- $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid',
- 'false');
- $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
- 'invalidate_handle');
- if ($invalidate_handle !== null) {
- $this->store->removeAssociation($server_url,
- $invalidate_handle);
- }
- if ($is_valid == 'true') {
- return true;
- }
- return false;
- }
- /**
- * Adapt a POST response to a Message.
- *
- * @param $response Result of a POST to an OpenID endpoint.
- *
- * @access private
- */
- function _httpResponseToMessage($response, $server_url)
- {
- // Should this function be named Message.fromHTTPResponse instead?
- $response_message = Auth_OpenID_Message::fromKVForm($response->body);
- if ($response->status == 400) {
- return Auth_OpenID_ServerErrorContainer::fromMessage(
- $response_message);
- } else if ($response->status != 200 and $response->status != 206) {
- return null;
- }
- return $response_message;
- }
- /**
- * @access private
- */
- function _makeKVPost($message, $server_url)
- {
- $body = $message->toURLEncoded();
- $resp = $this->fetcher->post($server_url, $body);
- if ($resp === null) {
- return null;
- }
- return $this->_httpResponseToMessage($resp, $server_url);
- }
- /**
- * @access private
- */
- function _getAssociation($endpoint)
- {
- if (!$this->_use_assocs) {
- return null;
- }
- $assoc = $this->store->getAssociation($endpoint->server_url);
- if (($assoc === null) ||
- ($assoc->getExpiresIn() <= 0)) {
- $assoc = $this->_negotiateAssociation($endpoint);
- if ($assoc !== null) {
- $this->store->storeAssociation($endpoint->server_url,
- $assoc);
- }
- }
- return $assoc;
- }
- /**
- * Handle ServerErrors resulting from association requests.
- *
- * @return $result If server replied with an C{unsupported-type}
- * error, return a tuple of supported C{association_type},
- * C{session_type}. Otherwise logs the error and returns null.
- *
- * @access private
- */
- function _extractSupportedAssociationType(&$server_error, &$endpoint,
- $assoc_type)
- {
- // Any error message whose code is not 'unsupported-type'
- // should be considered a total failure.
- if (($server_error->error_code != 'unsupported-type') ||
- ($server_error->message->isOpenID1())) {
- return null;
- }
- // The server didn't like the association/session type that we
- // sent, and it sent us back a message that might tell us how
- // to handle it.
- // Extract the session_type and assoc_type from the error
- // message
- $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
- 'assoc_type');
- $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
- 'session_type');
- if (($assoc_type === null) || ($session_type === null)) {
- return null;
- } else if (!$this->negotiator->isAllowed($assoc_type,
- $session_type)) {
- return null;
- } else {
- return array($assoc_type, $session_type);
- }
- }
- /**
- * @access private
- */
- function _negotiateAssociation($endpoint)
- {
- // Get our preferred session/association type from the negotiatior.
- list($assoc_type, $session_type) = $this->negotiator->getAllowedType();
- $assoc = $this->_requestAssociation(
- $endpoint, $assoc_type, $session_type);
- if (Auth_OpenID::isFailure($assoc)) {
- return null;
- }
- if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
- $why = $assoc;
- $supportedTypes = $this->_extractSupportedAssociationType(
- $why, $endpoint, $assoc_type);
- if ($supportedTypes !== null) {
- list($assoc_type, $session_type) = $supportedTypes;
- // Attempt to create an association from the assoc_type
- // and session_type that the server told us it
- // supported.
- $assoc = $this->_requestAssociation(
- $endpoint, $assoc_type, $session_type);
- if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
- // Do not keep trying, since it rejected the
- // association type that it told us to use.
- // oidutil.log('Server %s refused its suggested association
- // 'type: session_type=%s, assoc_type=%s'
- // % (endpoint.server_url, session_type,
- // assoc_type))
- return null;
- } else {
- return $assoc;
- }
- } else {
- return null;
- }
- } else {
- return $assoc;
- }
- }
- /**
- * @access private
- */
- function _requestAssociation($endpoint, $assoc_type, $session_type)
- {
- list($assoc_session, $args) = $this->_createAssociateRequest(
- $endpoint, $assoc_type, $session_type);
- $response_message = $this->_makeKVPost($args, $endpoint->server_url);
- if ($response_message === null) {
- // oidutil.log('openid.associate request failed: %s' % (why[0],))
- return null;
- } else if (is_a($response_message,
- 'Auth_OpenID_ServerErrorContainer')) {
- return $response_message;
- }
- return $this->_extractAssociation($response_message, $assoc_session);
- }
- /**
- * @access private
- */
- function _extractAssociation(&$assoc_response, &$assoc_session)
- {
- // Extract the common fields from the response, raising an
- // exception if they are not found
- $assoc_type = $assoc_response->getArg(
- Auth_OpenID_OPENID_NS, 'assoc_type',
- Auth_OpenID_NO_DEFAULT);
- if (Auth_OpenID::isFailure($assoc_type)) {
- return $assoc_type;
- }
- $assoc_handle = $assoc_response->getArg(
- Auth_OpenID_OPENID_NS, 'assoc_handle',
- Auth_OpenID_NO_DEFAULT);
- if (Auth_OpenID::isFailure($assoc_handle)) {
- return $assoc_handle;
- }
- // expires_in is a base-10 string. The Python parsing will
- // accept literals that have whitespace around them and will
- // accept negative values. Neither of these are really in-spec,
- // but we think it's OK to accept them.
- $expires_in_str = $assoc_response->getArg(
- Auth_OpenID_OPENID_NS, 'expires_in',
- Auth_OpenID_NO_DEFAULT);
- if (Auth_OpenID::isFailure($expires_in_str)) {
- return $expires_in_str;
- }
- $expires_in = Auth_OpenID::intval($expires_in_str);
- if ($expires_in === false) {
-
- $err = sprintf("Could not parse expires_in from association ".
- "response %s", print_r($assoc_response, true));
- return new Auth_OpenID_FailureResponse(null, $err);
- }
- // OpenID 1 has funny association session behaviour.
- if ($assoc_response->isOpenID1()) {
- $session_type = $this->_getOpenID1SessionType($assoc_response);
- } else {
- $session_type = $assoc_response->getArg(
- Auth_OpenID_OPENID2_NS, 'session_type',
- Auth_OpenID_NO_DEFAULT);
- if (Auth_OpenID::isFailure($session_type)) {
- return $session_type;
- }
- }
- // Session type mismatch
- if ($assoc_session->session_type != $session_type) {
- if ($assoc_response->isOpenID1() &&
- ($session_type == 'no-encryption')) {
- // In OpenID 1, any association request can result in
- // a 'no-encryption' association response. Setting
- // assoc_session to a new no-encryption session should
- // make the rest of this function work properly for
- // that case.
- $assoc_session = new Auth_OpenID_PlainTextConsumerSession();
- } else {
- // Any other mismatch, regardless of protocol version
- // results in the failure of the association session
- // altogether.
- return null;
- }
- }
- // Make sure assoc_type is valid for session_type
- if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
- return null;
- }
- // Delegate to the association session to extract the secret
- // from the response, however is appropriate for that session
- // type.
- $secret = $assoc_session->extractSecret($assoc_response);
- if ($secret === null) {
- return null;
- }
- return Auth_OpenID_Association::fromExpiresIn(
- $expires_in, $assoc_handle, $secret, $assoc_type);
- }
- /**
- * @access private
- */
- function _createAssociateRequest($endpoint, $assoc_type, $session_type)
- {
- if (array_key_exists($session_type, $this->session_types)) {
- $session_type_class = $this->session_types[$session_type];
- if (is_callable($session_type_class)) {
- $assoc_session = $session_type_class();
- } else {
- $assoc_session = new $session_type_class();
- }
- } else {
- return null;
- }
- $args = array(
- 'mode' => 'associate',
- 'assoc_type' => $assoc_type);
- if (!$endpoint->compatibilityMode()) {
- $args['ns'] = Auth_OpenID_OPENID2_NS;
- }
- // Leave out the session type if we're in compatibility mode
- // *and* it's no-encryption.
- if ((!$endpoint->compatibilityMode()) ||
- ($assoc_session->session_type != 'no-encryption')) {
- $args['session_type'] = $assoc_session->session_type;
- }
- $args = array_merge($args, $assoc_session->getRequest());
- $message = Auth_OpenID_Message::fromOpenIDArgs($args);
- return array($assoc_session, $message);
- }
- /**
- * Given an association response message, extract the OpenID 1.X
- * session type.
- *
- * This function mostly takes care of the 'no-encryption' default
- * behavior in OpenID 1.
- *
- * If the association type is plain-text, this function will
- * return 'no-encryption'
- *
- * @access private
- * @return $typ The association type for this message
- */
- function _getOpenID1SessionType($assoc_response)
- {
- // If it's an OpenID 1 message, allow session_type to default
- // to None (which signifies "no-encryption")
- $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS,
- 'session_type');
- // Handle the differences between no-encryption association
- // respones in OpenID 1 and 2:
- // no-encryption is not really a valid session type for OpenID
- // 1, but we'll accept it anyway, while issuing a warning.
- if ($session_type == 'no-encryption') {
- // oidutil.log('WARNING: OpenID server sent "no-encryption"'
- // 'for OpenID 1.X')
- } else if (($session_type == '') || ($session_type === null)) {
- // Missing or empty session type is the way to flag a
- // 'no-encryption' response. Change the session type to
- // 'no-encryption' so that it can be handled in the same
- // way as OpenID 2 'no-encryption' respones.
- $session_type = 'no-encryption';
- }
- return $session_type;
- }
- }
- /**
- * This class represents an authentication request from a consumer to
- * an OpenID server.
- *
- * @package OpenID
- */
- class Auth_OpenID_AuthRequest {
- /**
- * Initialize an authentication request with the specified token,
- * association, and endpoint.
- *
- * Users of this library should not create instances of this
- * class. Instances of this class are created by the library when
- * needed.
- */
- function Auth_OpenID_AuthRequest(&$endpoint, $assoc)
- {
- $this->assoc = $assoc;
- $this->endpoint =& $endpoint;
- $this->return_to_args = array();
- $this->message = new Auth_OpenID_Message(
- $endpoint->preferredNamespace());
- $this->_anonymous = false;
- }
- /**
- * Add an extension to this checkid request.
- *
- * $extension_request: An object that implements the extension
- * request interface for adding arguments to an OpenID message.
- */
- function addExtension(&$extension_request)
- {
- $extension_request->toMessage($this->message);
- }
- /**
- * Add an extension argument to this OpenID authentication
- * request.
- *
- * Use caution when adding arguments, because they will be
- * URL-escaped and appended to the redirect URL, which can easily
- * get quite long.
- *
- * @param string $namespace The namespace for the extension. For
- * example, the simple registration extension uses the namespace
- * 'sreg'.
- *
- * @param string $key The key within the extension namespace. For
- * example, the nickname field in the simple registration
- * extension's key is 'nickname'.
- *
- * @param string $value The value to provide to the server for
- * this argument.
- */
- function addExtensionArg($namespace, $key, $value)
- {
- return $this->message->setArg($namespace, $key, $value);
- }
- /**
- * Set whether this request should be made anonymously. If a
- * request is anonymous, the identifier will not be sent in the
- * request. This is only useful if you are making another kind of
- * request with an extension in this request.
- *
- * Anonymous requests are not allowed when the request is made
- * with OpenID 1.
- */
- function setAnonymous($is_anonymous)
- {
- if ($is_anonymous && $this->message->isOpenID1()) {
- return false;
- } else {
- $this->_anonymous = $is_anonymous;
- return true;
- }
- }
- /**
- * Produce a {@link Auth_OpenID_Message} representing this
- * request.
- *
- * @param string $realm The URL (or URL pattern) that identifies
- * your web site to the user when she is authorizing it.
- *
- * @param string $return_to The URL that the OpenID provider will
- * send the user back to after attempting to verify her identity.
- *
- * Not specifying a return_to URL means that the user will not be
- * returned to the site issuing the request upon its completion.
- *
- * @param bool $immediate If true, the OpenID provider is to send
- * back a response immediately, useful for behind-the-scenes
- * authentication attempts. Otherwise the OpenID provider may
- * engage the user before providing a response. This is the
- * default case, as the user may need to provide credentials or
- * approve the request before a positive response can be sent.
- */
- function getMessage($realm, $return_to=null, $immediate=false)
- {
- if ($return_to) {
- $return_to = Auth_OpenID::appendArgs($return_to,
- $this->return_to_args);
- } else if ($immediate) {
- // raise ValueError(
- // '"return_to" is mandatory when
- //using "checkid_immediate"')
- return new Auth_OpenID_FailureResponse(null,
- "'return_to' is mandatory when using checkid_immediate");
- } else if ($this->message->isOpenID1()) {
- // raise ValueError('"return_to" is
- // mandatory for OpenID 1 requests')
- return new Auth_OpenID_FailureResponse(null,
- "'return_to' is mandatory for OpenID 1 requests");
- } else if ($this->return_to_args) {
- // raise ValueError('extra "return_to" arguments
- // were specified, but no return_to was specified')
- return new Auth_OpenID_FailureResponse(null,
- "extra 'return_to' arguments where specified, " .
- "but no return_to was specified");
- }
- if ($immediate) {
- $mode = 'checkid_immediate';
- } else {
- $mode = 'checkid_setup';
- }
- $message = $this->message->copy();
- if ($message->isOpenID1()) {
- $realm_key = 'trust_root';
- } else {
- $realm_key = 'realm';
- }
- $message->updateArgs(Auth_OpenID_OPENID_NS,
- array(
- $realm_key => $realm,
- 'mode' => $mode,
- 'return_to' => $return_to));
- if (!$this->_anonymous) {
- if ($this->endpoint->isOPIdentifier()) {
- // This will never happen when we're in compatibility
- // mode, as long as isOPIdentifier() returns False
- // whenever preferredNamespace() returns OPENID1_NS.
- $claimed_id = $request_identity =
- Auth_OpenID_IDENTIFIER_SELECT;
- } else {
- $request_identity = $this->endpoint->getLocalID();
- $claimed_id = $this->endpoint->claimed_id;
- }
- // This is true for both OpenID 1 and 2
- $message->setArg(Auth_OpenID_OPENID_NS, 'identity',
- $request_identity);
- if ($message->isOpenID2()) {
- $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id',
- $claimed_id);
- }
- }
- if ($this->assoc) {
- $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle',
- $this->assoc->handle);
- }
- return $message;
- }
- function redirectURL($realm, $return_to = null,
- $immediate = false)
- {
- $message = $this->getMessage($realm, $return_to, $immediate);
- if (Auth_OpenID::isFailure($message)) {
- return $message;
- }
- return $message->toURL($this->endpoint->server_url);
- }
- /**
- * Get html for a form to submit this request to the IDP.
- *
- * form_tag_attrs: An array of attributes to be added to the form
- * tag. 'accept-charset' and 'enctype' have defaults that can be
- * overridden. If a value is supplied for 'action' or 'method', it
- * will be replaced.
- */
- function formMarkup($realm, $return_to=null, $immediate=false,
- $form_tag_attrs=null)
- {
- $message = $this->getMessage($realm, $return_to, $immediate);
- if (Auth_OpenID::isFailure($message)) {
- return $message;
- }
- return $message->toFormMarkup($this->endpoint->server_url,
- $form_tag_attrs);
- }
- /**
- * Get a complete html document that will autosubmit the request
- * to the IDP.
- *
- * Wraps formMarkup. See the documentation for that function.
- */
- function htmlMarkup($realm, $return_to=null, $immediate=false,
- $form_tag_attrs=null)
- {
- $form = $this->formMarkup($realm, $return_to, $immediate,
- $form_tag_attrs);
- if (Auth_OpenID::isFailure($form)) {
- return $form;
- }
- return Auth_OpenID::autoSubmitHTML($form);
- }
- function shouldSendRedirect()
- {
- return $this->endpoint->compatibilityMode();
- }
- }
- /**
- * The base class for responses from the Auth_OpenID_Consumer.
- *
- * @package OpenID
- */
- class Auth_OpenID_ConsumerResponse {
- var $status = null;
- function setEndpoint($endpoint)
- {
- $this->endpoint = $endpoint;
- if ($endpoint === null) {
- $this->identity_url = null;
- } else {
- $this->identity_url = $endpoint->claimed_id;
- }
- }
- /**
- * Return the display identifier for this response.
- *
- * The display identifier is related to the Claimed Identifier, but the
- * two are not always identical. The display identifier is something the
- * user should recognize as what they entered, whereas the response's
- * claimed identifier (in the identity_url attribute) may have extra
- * information for better persistence.
- *
- * URLs will be stripped of their fragments for display. XRIs will
- * display the human-readable identifier (i-name) instead of the
- * persistent identifier (i-number).
- *
- * Use the display identifier in your user interface. Use
- * identity_url for querying your database or authorization server.
- *
- */
- function getDisplayIdentifier()
- {
- if ($this->endpoint !== null) {
- return $this->endpoint->getDisplayIdentifier();
- }
- return null;
- }
- }
- /**
- * A response with a status of Auth_OpenID_SUCCESS. Indicates that
- * this request is a successful acknowledgement from the OpenID server
- * that the supplied URL is, indeed controlled by the requesting
- * agent. This has three relevant attributes:
- *
- * claimed_id - The identity URL that has been authenticated
- *
- * signed_args - The arguments in the server's response that were
- * signed and verified.
- *
- * status - Auth_OpenID_SUCCESS.
- *
- * @package OpenID
- */
- class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse {
- var $status = Auth_OpenID_SUCCESS;
- /**
- * @access private
- */
- function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null)
- {
- $this->endpoint = $endpoint;
- $this->identity_url = $endpoint->claimed_id;
- $this->signed_args = $signed_args;
- $this->message = $message;
- if ($this->signed_args === null) {
- $this->signed_args = array();
- }
- }
- /**
- * Extract signed extension data from the server's response.
- *
- * @param string $prefix The extension namespace from which to
- * extract the extension data.
- */
- function extensionResponse($namespace_uri, $require_signed)
- {
- if ($require_signed) {
- return $this->getSignedNS($namespace_uri);
- } else {
- return $this->message->getArgs($namespace_uri);
- }
- }
- function isOpenID1()
- {
- return $this->message->isOpenID1();
- }
- function isSigned($ns_uri, $ns_key)
- {
- // Return whether a particular key is signed, regardless of
- // its namespace alias
- return in_array($this->message->getKey($ns_uri, $ns_key),
- $this->signed_args);
- }
- function getSigned($ns_uri, $ns_key, $default = null)
- {
- // Return the specified signed field if available, otherwise
- // return default
- if ($this->isSigned($ns_uri, $ns_key)) {
- return $this->message->getArg($ns_uri, $ns_key, $default);
- } else {
- return $default;
- }
- }
- function getSignedNS($ns_uri)
- {
- $args = array();
- $msg_args = $this->message->getArgs($ns_uri);
- if (Auth_OpenID::isFailure($msg_args)) {
- return null;
- }
- foreach ($msg_args as $key => $value) {
- if (!$this->isSigned($ns_uri, $key)) {
- return null;
- }
- }
- return $msg_args;
- }
- /**
- * Get the openid.return_to argument from this response.
- *
- * This is useful for verifying that this request was initiated by
- * this consumer.
- *
- * @return string $return_to The return_to URL supplied to the
- * server on the initial request, or null if the response did not
- * contain an 'openid.return_to' argument.
- */
- function getReturnTo()
- {
- return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to');
- }
- }
- /**
- * A response with a status of Auth_OpenID_FAILURE. Indicates that the
- * OpenID protocol has failed. This could be locally or remotely
- * triggered. This has three relevant attributes:
- *
- * claimed_id - The identity URL for which authentication was
- * attempted, if it can be determined. Otherwise, null.
- *
- * message - A message indicating why the request failed, if one is
- * supplied. Otherwise, null.
- *
- * status - Auth_OpenID_FAILURE.
- *
- * @package OpenID
- */
- class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse {
- var $status = Auth_OpenID_FAILURE;
- function Auth_OpenID_FailureResponse($endpoint, $message = null,
- $contact = null, $reference = null)
- {
- $this->setEndpoint($endpoint);
- $this->message = $message;
- $this->contact = $contact;
- $this->reference = $reference;
- }
- }
- /**
- * A specific, internal failure used to detect type URI mismatch.
- *
- * @package OpenID
- */
- class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse {
- }
- /**
- * Exception that is raised when the server returns a 400 response
- * code to a direct request.
- *
- * @package OpenID
- */
- class Auth_OpenID_ServerErrorContainer {
- function Auth_OpenID_ServerErrorContainer($error_text,
- $error_code,
- $message)
- {
- $this->error_text = $error_text;
- $this->error_code = $error_code;
- $this->message = $message;
- }
- /**
- * @access private
- */
- function fromMessage($message)
- {
- $error_text = $message->getArg(
- Auth_OpenID_OPENID_NS, 'error', '<no error message supplied>');
- $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code');
- return new Auth_OpenID_ServerErrorContainer($error_text,
- $error_code,
- $message);
- }
- }
- /**
- * A response with a status of Auth_OpenID_CANCEL. Indicates that the
- * user cancelled the OpenID authentication request. This has two
- * relevant attributes:
- *
- * claimed_id - The identity URL for which authentication was
- * attempted, if it can be determined. Otherwise, null.
- *
- * status - Auth_OpenID_SUCCESS.
- *
- * @package OpenID
- */
- class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse {
- var $status = Auth_OpenID_CANCEL;
- function Auth_OpenID_CancelResponse($endpoint)
- {
- $this->setEndpoint($endpoint);
- }
- }
- /**
- * A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates
- * that the request was in immediate mode, and the server is unable to
- * authenticate the user without further interaction.
- *
- * claimed_id - The identity URL for which authentication was
- * attempted.
- *
- * setup_url - A URL that can be used to send the user to the server
- * to set up for authentication. The user should be redirected in to
- * the setup_url, either in the current window or in a new browser
- * window. Null in OpenID 2.
- *
- * status - Auth_OpenID_SETUP_NEEDED.
- *
- * @package OpenID
- */
- class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse {
- var $status = Auth_OpenID_SETUP_NEEDED;
- function Auth_OpenID_SetupNeededResponse($endpoint,
- $setup_url = null)
- {
- $this->setEndpoint($endpoint);
- $this->setup_url = $setup_url;
- }
- }
- ?>