TYPO3 CMS  TYPO3_6-2
Consumer.php
Go to the documentation of this file.
1 <?php
2 
163 require_once "Auth/OpenID.php";
164 require_once "Auth/OpenID/Message.php";
165 require_once "Auth/OpenID/HMAC.php";
166 require_once "Auth/OpenID/Association.php";
167 require_once "Auth/OpenID/CryptUtil.php";
168 require_once "Auth/OpenID/DiffieHellman.php";
169 require_once "Auth/OpenID/KVForm.php";
170 require_once "Auth/OpenID/Nonce.php";
171 require_once "Auth/OpenID/Discover.php";
172 require_once "Auth/OpenID/URINorm.php";
173 require_once "Auth/Yadis/Manager.php";
174 require_once "Auth/Yadis/XRI.php";
175 
180 define('Auth_OpenID_SUCCESS', 'success');
181 
185 define('Auth_OpenID_CANCEL', 'cancel');
186 
191 define('Auth_OpenID_FAILURE', 'failure');
192 
199 define('Auth_OpenID_SETUP_NEEDED', 'setup needed');
200 
206 define('Auth_OpenID_PARSE_ERROR', 'parse error');
207 
215 class Auth_OpenID_Consumer {
216 
220  var $discoverMethod = 'Auth_OpenID_discover';
221 
225  var $session_key_prefix = "_openid_consumer_";
226 
230  var $_token_suffix = "last_token";
231 
261  function Auth_OpenID_Consumer($store, $session = null,
262  $consumer_cls = null)
263  {
264  if ($session === null) {
265  $session = new Auth_Yadis_PHPSession();
266  }
267 
268  $this->session = $session;
269 
270  if ($consumer_cls !== null) {
271  $this->consumer = new $consumer_cls($store);
272  } else {
273  $this->consumer = new Auth_OpenID_GenericConsumer($store);
274  }
275 
276  $this->_token_key = $this->session_key_prefix . $this->_token_suffix;
277  }
278 
284  function getDiscoveryObject($session, $openid_url,
285  $session_key_prefix)
286  {
287  return new Auth_Yadis_Discovery($session, $openid_url,
288  $session_key_prefix);
289  }
290 
313  function begin($user_url, $anonymous=false)
314  {
315  $openid_url = $user_url;
316 
317  $disco = $this->getDiscoveryObject($this->session,
318  $openid_url,
319  $this->session_key_prefix);
320 
321  // Set the 'stale' attribute of the manager. If discovery
322  // fails in a fatal way, the stale flag will cause the manager
323  // to be cleaned up next time discovery is attempted.
324 
325  $m = $disco->getManager();
326  $loader = new Auth_Yadis_ManagerLoader();
327 
328  if ($m) {
329  if ($m->stale) {
330  $disco->destroyManager();
331  } else {
332  $m->stale = true;
333  $disco->session->set($disco->session_key,
334  serialize($loader->toSession($m)));
335  }
336  }
337 
338  $endpoint = $disco->getNextService($this->discoverMethod,
339  $this->consumer->fetcher);
340 
341  // Reset the 'stale' attribute of the manager.
342  $m = $disco->getManager();
343  if ($m) {
344  $m->stale = false;
345  $disco->session->set($disco->session_key,
346  serialize($loader->toSession($m)));
347  }
348 
349  if ($endpoint === null) {
350  return null;
351  } else {
352  return $this->beginWithoutDiscovery($endpoint,
353  $anonymous);
354  }
355  }
356 
373  function beginWithoutDiscovery($endpoint, $anonymous=false)
374  {
375  $loader = new Auth_OpenID_ServiceEndpointLoader();
376  $auth_req = $this->consumer->begin($endpoint);
377  $this->session->set($this->_token_key,
378  $loader->toSession($auth_req->endpoint));
379  if (!$auth_req->setAnonymous($anonymous)) {
380  return new Auth_OpenID_FailureResponse(null,
381  "OpenID 1 requests MUST include the identifier " .
382  "in the request.");
383  }
384  return $auth_req;
385  }
386 
410  function complete($current_url, $query=null)
411  {
412  if ($current_url && !is_string($current_url)) {
413  // This is ugly, but we need to complain loudly when
414  // someone uses the API incorrectly.
415  trigger_error("current_url must be a string; see NEWS file " .
416  "for upgrading notes.",
417  E_USER_ERROR);
418  }
419 
420  if ($query === null) {
421  $query = Auth_OpenID::getQuery();
422  }
423 
424  $loader = new Auth_OpenID_ServiceEndpointLoader();
425  $endpoint_data = $this->session->get($this->_token_key);
426  $endpoint =
427  $loader->fromSession($endpoint_data);
428 
429  $message = Auth_OpenID_Message::fromPostArgs($query);
430  $response = $this->consumer->complete($message, $endpoint,
431  $current_url);
432  $this->session->del($this->_token_key);
433 
434  if (in_array($response->status, array(Auth_OpenID_SUCCESS,
435  Auth_OpenID_CANCEL))) {
436  if ($response->identity_url !== null) {
437  $disco = $this->getDiscoveryObject($this->session,
438  $response->identity_url,
439  $this->session_key_prefix);
440  $disco->cleanup(true);
441  }
442  }
443 
444  return $response;
445  }
446 }
447 
453 class Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
454  var $session_type = 'DH-SHA1';
455  var $hash_func = 'Auth_OpenID_SHA1';
456  var $secret_size = 20;
457  var $allowed_assoc_types = array('HMAC-SHA1');
458 
459  function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null)
460  {
461  if ($dh === null) {
462  $dh = new Auth_OpenID_DiffieHellman();
463  }
464 
465  $this->dh = $dh;
466  }
467 
468  function getRequest()
469  {
470  $math = Auth_OpenID_getMathLib();
471 
472  $cpub = $math->longToBase64($this->dh->public);
473 
474  $args = array('dh_consumer_public' => $cpub);
475 
476  if (!$this->dh->usingDefaultValues()) {
477  $args = array_merge($args, array(
478  'dh_modulus' =>
479  $math->longToBase64($this->dh->mod),
480  'dh_gen' =>
481  $math->longToBase64($this->dh->gen)));
482  }
483 
484  return $args;
485  }
486 
487  function extractSecret($response)
488  {
489  if (!$response->hasKey(Auth_OpenID_OPENID_NS,
490  'dh_server_public')) {
491  return null;
492  }
493 
494  if (!$response->hasKey(Auth_OpenID_OPENID_NS,
495  'enc_mac_key')) {
496  return null;
497  }
498 
499  $math = Auth_OpenID_getMathLib();
500 
501  $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS,
502  'dh_server_public'));
503  $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
504  'enc_mac_key'));
505 
506  return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func);
507  }
508 }
509 
515 class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends
516  Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
517  var $session_type = 'DH-SHA256';
518  var $hash_func = 'Auth_OpenID_SHA256';
519  var $secret_size = 32;
520  var $allowed_assoc_types = array('HMAC-SHA256');
521 }
522 
528 class Auth_OpenID_PlainTextConsumerSession {
529  var $session_type = 'no-encryption';
530  var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256');
531 
532  function getRequest()
533  {
534  return array();
535  }
536 
537  function extractSecret($response)
538  {
539  if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) {
540  return null;
541  }
542 
543  return base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
544  'mac_key'));
545  }
546 }
547 
551 function Auth_OpenID_getAvailableSessionTypes()
552 {
553  $types = array(
554  'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession',
555  'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession',
556  'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession');
557 
558  return $types;
559 }
560 
568 class Auth_OpenID_GenericConsumer {
572  var $discoverMethod = 'Auth_OpenID_discover';
573 
577  var $store;
578 
582  var $_use_assocs;
583 
587  var $openid1_nonce_query_arg_name = 'janrain_nonce';
588 
594  var $openid1_return_to_identifier_name = 'openid1_claimed_id';
595 
614  function Auth_OpenID_GenericConsumer($store)
615  {
616  $this->store = $store;
617  $this->negotiator = Auth_OpenID_getDefaultNegotiator();
618  $this->_use_assocs = (is_null($this->store) ? false : true);
619  if (get_class($this->store) == "Auth_OpenID_DumbStore") {
620  $this->_use_assocs = false;
621  }
622 
623  $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
624 
625  $this->session_types = Auth_OpenID_getAvailableSessionTypes();
626  }
627 
634  function begin($service_endpoint)
635  {
636  $assoc = $this->_getAssociation($service_endpoint);
637  $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
638  $r->return_to_args[$this->openid1_nonce_query_arg_name] =
639  Auth_OpenID_mkNonce();
640 
641  if ($r->message->isOpenID1()) {
642  $r->return_to_args[$this->openid1_return_to_identifier_name] =
643  $r->endpoint->claimed_id;
644  }
645 
646  return $r;
647  }
648 
656  function complete($message, $endpoint, $return_to)
657  {
658  $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
659  '<no mode set>');
660 
661  $mode_methods = array(
662  'cancel' => '_complete_cancel',
663  'error' => '_complete_error',
664  'setup_needed' => '_complete_setup_needed',
665  'id_res' => '_complete_id_res',
666  );
667 
668  $method = Auth_OpenID::arrayGet($mode_methods, $mode,
669  '_completeInvalid');
670 
671  return call_user_func_array(array($this, $method),
672  array($message, $endpoint, $return_to));
673  }
674 
678  function _completeInvalid($message, $endpoint, $unused)
679  {
680  $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
681  '<No mode set>');
682 
683  return new Auth_OpenID_FailureResponse($endpoint,
684  sprintf("Invalid openid.mode '%s'", $mode));
685  }
686 
690  function _complete_cancel($message, $endpoint, $unused)
691  {
692  return new Auth_OpenID_CancelResponse($endpoint);
693  }
694 
698  function _complete_error($message, $endpoint, $unused)
699  {
700  $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
701  $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
702  $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');
703 
704  return new Auth_OpenID_FailureResponse($endpoint, $error,
705  $contact, $reference);
706  }
707 
711  function _complete_setup_needed($message, $endpoint, $unused)
712  {
713  if (!$message->isOpenID2()) {
714  return $this->_completeInvalid($message, $endpoint);
715  }
716 
717  $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
718  'user_setup_url');
719  return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url);
720  }
721 
725  function _complete_id_res($message, $endpoint, $return_to)
726  {
727  $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
728  'user_setup_url');
729 
730  if ($this->_checkSetupNeeded($message)) {
731  return new Auth_OpenID_SetupNeededResponse(
732  $endpoint, $user_setup_url);
733  } else {
734  return $this->_doIdRes($message, $endpoint, $return_to);
735  }
736  }
737 
741  function _checkSetupNeeded($message)
742  {
743  // In OpenID 1, we check to see if this is a cancel from
744  // immediate mode by the presence of the user_setup_url
745  // parameter.
746  if ($message->isOpenID1()) {
747  $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
748  'user_setup_url');
749  if ($user_setup_url !== null) {
750  return true;
751  }
752  }
753 
754  return false;
755  }
756 
760  function _doIdRes($message, $endpoint, $return_to)
761  {
762  // Checks for presence of appropriate fields (and checks
763  // signed list fields)
764  $result = $this->_idResCheckForFields($message);
765 
766  if (Auth_OpenID::isFailure($result)) {
767  return $result;
768  }
769 
770  if (!$this->_checkReturnTo($message, $return_to)) {
771  return new Auth_OpenID_FailureResponse(null,
772  sprintf("return_to does not match return URL. Expected %s, got %s",
773  $return_to,
774  $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
775  }
776 
777  // Verify discovery information:
778  $result = $this->_verifyDiscoveryResults($message, $endpoint);
779 
780  if (Auth_OpenID::isFailure($result)) {
781  return $result;
782  }
783 
784  $endpoint = $result;
785 
786  $result = $this->_idResCheckSignature($message,
787  $endpoint->server_url);
788 
789  if (Auth_OpenID::isFailure($result)) {
790  return $result;
791  }
792 
793  $result = $this->_idResCheckNonce($message, $endpoint);
794 
795  if (Auth_OpenID::isFailure($result)) {
796  return $result;
797  }
798 
799  $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed',
800  Auth_OpenID_NO_DEFAULT);
801  if (Auth_OpenID::isFailure($signed_list_str)) {
802  return $signed_list_str;
803  }
804  $signed_list = explode(',', $signed_list_str);
805 
806  $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
807 
808  return new Auth_OpenID_SuccessResponse($endpoint, $message,
809  $signed_fields);
810 
811  }
812 
816  function _checkReturnTo($message, $return_to)
817  {
818  // Check an OpenID message and its openid.return_to value
819  // against a return_to URL from an application. Return True
820  // on success, False on failure.
821 
822  // Check the openid.return_to args against args in the
823  // original message.
824  $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs(
825  $message->toPostArgs());
826  if (Auth_OpenID::isFailure($result)) {
827  return false;
828  }
829 
830  // Check the return_to base URL against the one in the
831  // message.
832  $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
833  'return_to');
834  if (Auth_OpenID::isFailure($return_to)) {
835  // XXX log me
836  return false;
837  }
838 
839  $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
840  $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));
841 
842  // If port is absent from both, add it so it's equal in the
843  // check below.
844  if ((!array_key_exists('port', $return_to_parts)) &&
845  (!array_key_exists('port', $msg_return_to_parts))) {
846  $return_to_parts['port'] = null;
847  $msg_return_to_parts['port'] = null;
848  }
849 
850  // If path is absent from both, add it so it's equal in the
851  // check below.
852  if ((!array_key_exists('path', $return_to_parts)) &&
853  (!array_key_exists('path', $msg_return_to_parts))) {
854  $return_to_parts['path'] = null;
855  $msg_return_to_parts['path'] = null;
856  }
857 
858  // The URL scheme, authority, and path MUST be the same
859  // between the two URLs.
860  foreach (array('scheme', 'host', 'port', 'path') as $component) {
861  // If the url component is absent in either URL, fail.
862  // There should always be a scheme, host, port, and path.
863  if (!array_key_exists($component, $return_to_parts)) {
864  return false;
865  }
866 
867  if (!array_key_exists($component, $msg_return_to_parts)) {
868  return false;
869  }
870 
871  if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
872  Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
873  return false;
874  }
875  }
876 
877  return true;
878  }
879 
883  function _verifyReturnToArgs($query)
884  {
885  // Verify that the arguments in the return_to URL are present in this
886  // response.
887 
888  $message = Auth_OpenID_Message::fromPostArgs($query);
889  $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
890 
891  if (Auth_OpenID::isFailure($return_to)) {
892  return $return_to;
893  }
894  // XXX: this should be checked by _idResCheckForFields
895  if (!$return_to) {
896  return new Auth_OpenID_FailureResponse(null,
897  "Response has no return_to");
898  }
899 
900  $parsed_url = parse_url($return_to);
901 
902  $q = array();
903  if (array_key_exists('query', $parsed_url)) {
904  $rt_query = $parsed_url['query'];
905  $q = Auth_OpenID::parse_str($rt_query);
906  }
907 
908  foreach ($q as $rt_key => $rt_value) {
909  if (!array_key_exists($rt_key, $query)) {
910  return new Auth_OpenID_FailureResponse(null,
911  sprintf("return_to parameter %s absent from query", $rt_key));
912  } else {
913  $value = $query[$rt_key];
914  if ($rt_value != $value) {
915  return new Auth_OpenID_FailureResponse(null,
916  sprintf("parameter %s value %s does not match " .
917  "return_to value %s", $rt_key,
918  $value, $rt_value));
919  }
920  }
921  }
922 
923  // Make sure all non-OpenID arguments in the response are also
924  // in the signed return_to.
925  $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
926  foreach ($bare_args as $key => $value) {
927  if (Auth_OpenID::arrayGet($q, $key) != $value) {
928  return new Auth_OpenID_FailureResponse(null,
929  sprintf("Parameter %s = %s not in return_to URL",
930  $key, $value));
931  }
932  }
933 
934  return true;
935  }
936 
940  function _idResCheckSignature($message, $server_url)
941  {
942  $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
943  'assoc_handle');
944  if (Auth_OpenID::isFailure($assoc_handle)) {
945  return $assoc_handle;
946  }
947 
948  $assoc = $this->store->getAssociation($server_url, $assoc_handle);
949 
950  if ($assoc) {
951  if ($assoc->getExpiresIn() <= 0) {
952  // XXX: It might be a good idea sometimes to re-start
953  // the authentication with a new association. Doing it
954  // automatically opens the possibility for
955  // denial-of-service by a server that just returns
956  // expired associations (or really short-lived
957  // associations)
958  return new Auth_OpenID_FailureResponse(null,
959  'Association with ' . $server_url . ' expired');
960  }
961 
962  if (!$assoc->checkMessageSignature($message)) {
963  // If we get a "bad signature" here, it means that the association
964  // is unrecoverabley corrupted in some way. Any futher attempts
965  // to login with this association is likely to fail. Drop it.
966  $this->store->removeAssociation($server_url, $assoc_handle);
967  return new Auth_OpenID_FailureResponse(null,
968  "Bad signature");
969  }
970  } else {
971  // It's not an association we know about. Stateless mode
972  // is our only possible path for recovery. XXX - async
973  // framework will not want to block on this call to
974  // _checkAuth.
975  if (!$this->_checkAuth($message, $server_url)) {
976  return new Auth_OpenID_FailureResponse(null,
977  "Server denied check_authentication");
978  }
979  }
980 
981  return null;
982  }
983 
987  function _verifyDiscoveryResults($message, $endpoint=null)
988  {
989  if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) {
990  return $this->_verifyDiscoveryResultsOpenID2($message,
991  $endpoint);
992  } else {
993  return $this->_verifyDiscoveryResultsOpenID1($message,
994  $endpoint);
995  }
996  }
997 
1001  function _verifyDiscoveryResultsOpenID1($message, $endpoint)
1002  {
1003  $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
1004  $this->openid1_return_to_identifier_name);
1005 
1006  if (($endpoint === null) && ($claimed_id === null)) {
1007  return new Auth_OpenID_FailureResponse($endpoint,
1008  'When using OpenID 1, the claimed ID must be supplied, ' .
1009  'either by passing it through as a return_to parameter ' .
1010  'or by using a session, and supplied to the GenericConsumer ' .
1011  'as the argument to complete()');
1012  } else if (($endpoint !== null) && ($claimed_id === null)) {
1013  $claimed_id = $endpoint->claimed_id;
1014  }
1015 
1016  $to_match = new Auth_OpenID_ServiceEndpoint();
1017  $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
1018  $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
1019  'identity');
1020 
1021  // Restore delegate information from the initiation phase
1022  $to_match->claimed_id = $claimed_id;
1023 
1024  if ($to_match->local_id === null) {
1025  return new Auth_OpenID_FailureResponse($endpoint,
1026  "Missing required field openid.identity");
1027  }
1028 
1029  $to_match_1_0 = $to_match->copy();
1030  $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);
1031 
1032  if ($endpoint !== null) {
1033  $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
1034 
1035  if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) {
1036  $result = $this->_verifyDiscoverySingle($endpoint,
1037  $to_match_1_0);
1038  }
1039 
1040  if (Auth_OpenID::isFailure($result)) {
1041  // oidutil.log("Error attempting to use stored
1042  // discovery information: " + str(e))
1043  // oidutil.log("Attempting discovery to
1044  // verify endpoint")
1045  } else {
1046  return $endpoint;
1047  }
1048  }
1049 
1050  // Endpoint is either bad (failed verification) or None
1051  return $this->_discoverAndVerify($to_match->claimed_id,
1052  array($to_match, $to_match_1_0));
1053  }
1054 
1058  function _verifyDiscoverySingle($endpoint, $to_match)
1059  {
1060  // Every type URI that's in the to_match endpoint has to be
1061  // present in the discovered endpoint.
1062  foreach ($to_match->type_uris as $type_uri) {
1063  if (!$endpoint->usesExtension($type_uri)) {
1064  return new Auth_OpenID_TypeURIMismatch($endpoint,
1065  "Required type ".$type_uri." not present");
1066  }
1067  }
1068 
1069  // Fragments do not influence discovery, so we can't compare a
1070  // claimed identifier with a fragment to discovered
1071  // information.
1072  list($defragged_claimed_id, $_) =
1073  Auth_OpenID::urldefrag($to_match->claimed_id);
1074 
1075  if ($defragged_claimed_id != $endpoint->claimed_id) {
1076  return new Auth_OpenID_FailureResponse($endpoint,
1077  sprintf('Claimed ID does not match (different subjects!), ' .
1078  'Expected %s, got %s', $defragged_claimed_id,
1079  $endpoint->claimed_id));
1080  }
1081 
1082  if ($to_match->getLocalID() != $endpoint->getLocalID()) {
1083  return new Auth_OpenID_FailureResponse($endpoint,
1084  sprintf('local_id mismatch. Expected %s, got %s',
1085  $to_match->getLocalID(), $endpoint->getLocalID()));
1086  }
1087 
1088  // If the server URL is None, this must be an OpenID 1
1089  // response, because op_endpoint is a required parameter in
1090  // OpenID 2. In that case, we don't actually care what the
1091  // discovered server_url is, because signature checking or
1092  // check_auth should take care of that check for us.
1093  if ($to_match->server_url === null) {
1094  if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) {
1095  return new Auth_OpenID_FailureResponse($endpoint,
1096  "Preferred namespace mismatch (bug)");
1097  }
1098  } else if ($to_match->server_url != $endpoint->server_url) {
1099  return new Auth_OpenID_FailureResponse($endpoint,
1100  sprintf('OP Endpoint mismatch. Expected %s, got %s',
1101  $to_match->server_url, $endpoint->server_url));
1102  }
1103 
1104  return null;
1105  }
1106 
1110  function _verifyDiscoveryResultsOpenID2($message, $endpoint)
1111  {
1112  $to_match = new Auth_OpenID_ServiceEndpoint();
1113  $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
1114  $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
1115  'claimed_id');
1116 
1117  $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
1118  'identity');
1119 
1120  $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
1121  'op_endpoint');
1122 
1123  if ($to_match->server_url === null) {
1124  return new Auth_OpenID_FailureResponse($endpoint,
1125  "OP Endpoint URL missing");
1126  }
1127 
1128  // claimed_id and identifier must both be present or both be
1129  // absent
1130  if (($to_match->claimed_id === null) &&
1131  ($to_match->local_id !== null)) {
1132  return new Auth_OpenID_FailureResponse($endpoint,
1133  'openid.identity is present without openid.claimed_id');
1134  }
1135 
1136  if (($to_match->claimed_id !== null) &&
1137  ($to_match->local_id === null)) {
1138  return new Auth_OpenID_FailureResponse($endpoint,
1139  'openid.claimed_id is present without openid.identity');
1140  }
1141 
1142  if ($to_match->claimed_id === null) {
1143  // This is a response without identifiers, so there's
1144  // really no checking that we can do, so return an
1145  // endpoint that's for the specified `openid.op_endpoint'
1146  return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL(
1147  $to_match->server_url);
1148  }
1149 
1150  if (!$endpoint) {
1151  // The claimed ID doesn't match, so we have to do
1152  // discovery again. This covers not using sessions, OP
1153  // identifier endpoints and responses that didn't match
1154  // the original request.
1155  // oidutil.log('No pre-discovered information supplied.')
1156  return $this->_discoverAndVerify($to_match->claimed_id,
1157  array($to_match));
1158  } else {
1159 
1160  // The claimed ID matches, so we use the endpoint that we
1161  // discovered in initiation. This should be the most
1162  // common case.
1163  $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
1164 
1165  if (Auth_OpenID::isFailure($result)) {
1166  $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
1167  array($to_match));
1168  if (Auth_OpenID::isFailure($endpoint)) {
1169  return $endpoint;
1170  }
1171  }
1172  }
1173 
1174  // The endpoint we return should have the claimed ID from the
1175  // message we just verified, fragment and all.
1176  if ($endpoint->claimed_id != $to_match->claimed_id) {
1177  $endpoint->claimed_id = $to_match->claimed_id;
1178  }
1179 
1180  return $endpoint;
1181  }
1182 
1186  function _discoverAndVerify($claimed_id, $to_match_endpoints)
1187  {
1188  // oidutil.log('Performing discovery on %s' % (claimed_id,))
1189  list($unused, $services) = call_user_func_array($this->discoverMethod,
1190  array(
1191  $claimed_id,
1192  $this->fetcher,
1193  ));
1194 
1195  if (!$services) {
1196  return new Auth_OpenID_FailureResponse(null,
1197  sprintf("No OpenID information found at %s",
1198  $claimed_id));
1199  }
1200 
1201  return $this->_verifyDiscoveryServices($claimed_id, $services,
1202  $to_match_endpoints);
1203  }
1204 
1208  function _verifyDiscoveryServices($claimed_id,
1209  $services, $to_match_endpoints)
1210  {
1211  // Search the services resulting from discovery to find one
1212  // that matches the information from the assertion
1213 
1214  foreach ($services as $endpoint) {
1215  foreach ($to_match_endpoints as $to_match_endpoint) {
1216  $result = $this->_verifyDiscoverySingle($endpoint,
1217  $to_match_endpoint);
1218 
1219  if (!Auth_OpenID::isFailure($result)) {
1220  // It matches, so discover verification has
1221  // succeeded. Return this endpoint.
1222  return $endpoint;
1223  }
1224  }
1225  }
1226 
1227  return new Auth_OpenID_FailureResponse(null,
1228  sprintf('No matching endpoint found after discovering %s: %s',
1229  $claimed_id, $result->message));
1230  }
1231 
1243  function _idResGetNonceOpenID1($message, $endpoint)
1244  {
1245  return $message->getArg(Auth_OpenID_BARE_NS,
1246  $this->openid1_nonce_query_arg_name);
1247  }
1248 
1252  function _idResCheckNonce($message, $endpoint)
1253  {
1254  if ($message->isOpenID1()) {
1255  // This indicates that the nonce was generated by the consumer
1256  $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
1257  $server_url = '';
1258  } else {
1259  $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
1260  'response_nonce');
1261 
1262  $server_url = $endpoint->server_url;
1263  }
1264 
1265  if ($nonce === null) {
1266  return new Auth_OpenID_FailureResponse($endpoint,
1267  "Nonce missing from response");
1268  }
1269 
1270  $parts = Auth_OpenID_splitNonce($nonce);
1271 
1272  if ($parts === null) {
1273  return new Auth_OpenID_FailureResponse($endpoint,
1274  "Malformed nonce in response");
1275  }
1276 
1277  list($timestamp, $salt) = $parts;
1278 
1279  if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
1280  return new Auth_OpenID_FailureResponse($endpoint,
1281  "Nonce already used or out of range");
1282  }
1283 
1284  return null;
1285  }
1286 
1290  function _idResCheckForFields($message)
1291  {
1292  $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
1293  $basic_sig_fields = array('return_to', 'identity');
1294 
1295  $require_fields = array(
1296  Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
1297  array('op_endpoint')),
1298 
1299  Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
1300  array('identity'))
1301  );
1302 
1303  $require_sigs = array(
1304  Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
1305  array('response_nonce',
1306  'claimed_id',
1307  'assoc_handle',
1308  'op_endpoint')),
1309  Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
1310  array('nonce'))
1311  );
1312 
1313  foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
1314  if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
1315  return new Auth_OpenID_FailureResponse(null,
1316  "Missing required field '".$field."'");
1317  }
1318  }
1319 
1320  $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
1321  'signed',
1322  Auth_OpenID_NO_DEFAULT);
1323  if (Auth_OpenID::isFailure($signed_list_str)) {
1324  return $signed_list_str;
1325  }
1326  $signed_list = explode(',', $signed_list_str);
1327 
1328  foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
1329  // Field is present and not in signed list
1330  if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
1331  (!in_array($field, $signed_list))) {
1332  return new Auth_OpenID_FailureResponse(null,
1333  "'".$field."' not signed");
1334  }
1335  }
1336 
1337  return null;
1338  }
1339 
1343  function _checkAuth($message, $server_url)
1344  {
1345  $request = $this->_createCheckAuthRequest($message);
1346  if ($request === null) {
1347  return false;
1348  }
1349 
1350  $resp_message = $this->_makeKVPost($request, $server_url);
1351  if (($resp_message === null) ||
1352  (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
1353  return false;
1354  }
1355 
1356  return $this->_processCheckAuthResponse($resp_message, $server_url);
1357  }
1358 
1362  function _createCheckAuthRequest($message)
1363  {
1364  $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
1365  if ($signed) {
1366  foreach (explode(',', $signed) as $k) {
1367  $value = $message->getAliasedArg($k);
1368  if ($value === null) {
1369  return null;
1370  }
1371  }
1372  }
1373  $ca_message = $message->copy();
1374  $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode',
1375  'check_authentication');
1376  return $ca_message;
1377  }
1378 
1382  function _processCheckAuthResponse($response, $server_url)
1383  {
1384  $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid',
1385  'false');
1386 
1387  $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
1388  'invalidate_handle');
1389 
1390  if ($invalidate_handle !== null) {
1391  $this->store->removeAssociation($server_url,
1392  $invalidate_handle);
1393  }
1394 
1395  if ($is_valid == 'true') {
1396  return true;
1397  }
1398 
1399  return false;
1400  }
1401 
1409  static function _httpResponseToMessage($response, $server_url)
1410  {
1411  // Should this function be named Message.fromHTTPResponse instead?
1412  $response_message = Auth_OpenID_Message::fromKVForm($response->body);
1413 
1414  if ($response->status == 400) {
1415  return Auth_OpenID_ServerErrorContainer::fromMessage(
1416  $response_message);
1417  } else if ($response->status != 200 and $response->status != 206) {
1418  return null;
1419  }
1420 
1421  return $response_message;
1422  }
1423 
1427  function _makeKVPost($message, $server_url)
1428  {
1429  $body = $message->toURLEncoded();
1430  $resp = $this->fetcher->post($server_url, $body);
1431 
1432  if ($resp === null) {
1433  return null;
1434  }
1435 
1436  return $this->_httpResponseToMessage($resp, $server_url);
1437  }
1438 
1442  function _getAssociation($endpoint)
1443  {
1444  if (!$this->_use_assocs) {
1445  return null;
1446  }
1447 
1448  $assoc = $this->store->getAssociation($endpoint->server_url);
1449 
1450  if (($assoc === null) ||
1451  ($assoc->getExpiresIn() <= 0)) {
1452 
1453  $assoc = $this->_negotiateAssociation($endpoint);
1454 
1455  if ($assoc !== null) {
1456  $this->store->storeAssociation($endpoint->server_url,
1457  $assoc);
1458  }
1459  }
1460 
1461  return $assoc;
1462  }
1463 
1473  function _extractSupportedAssociationType($server_error, $endpoint,
1474  $assoc_type)
1475  {
1476  // Any error message whose code is not 'unsupported-type'
1477  // should be considered a total failure.
1478  if (($server_error->error_code != 'unsupported-type') ||
1479  ($server_error->message->isOpenID1())) {
1480  return null;
1481  }
1482 
1483  // The server didn't like the association/session type that we
1484  // sent, and it sent us back a message that might tell us how
1485  // to handle it.
1486 
1487  // Extract the session_type and assoc_type from the error
1488  // message
1489  $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
1490  'assoc_type');
1491 
1492  $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
1493  'session_type');
1494 
1495  if (($assoc_type === null) || ($session_type === null)) {
1496  return null;
1497  } else if (!$this->negotiator->isAllowed($assoc_type,
1498  $session_type)) {
1499  return null;
1500  } else {
1501  return array($assoc_type, $session_type);
1502  }
1503  }
1504 
1508  function _negotiateAssociation($endpoint)
1509  {
1510  // Get our preferred session/association type from the negotiatior.
1511  list($assoc_type, $session_type) = $this->negotiator->getAllowedType();
1512 
1513  $assoc = $this->_requestAssociation(
1514  $endpoint, $assoc_type, $session_type);
1515 
1516  if (Auth_OpenID::isFailure($assoc)) {
1517  return null;
1518  }
1519 
1520  if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
1521  $why = $assoc;
1522 
1523  $supportedTypes = $this->_extractSupportedAssociationType(
1524  $why, $endpoint, $assoc_type);
1525 
1526  if ($supportedTypes !== null) {
1527  list($assoc_type, $session_type) = $supportedTypes;
1528 
1529  // Attempt to create an association from the assoc_type
1530  // and session_type that the server told us it
1531  // supported.
1532  $assoc = $this->_requestAssociation(
1533  $endpoint, $assoc_type, $session_type);
1534 
1535  if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
1536  // Do not keep trying, since it rejected the
1537  // association type that it told us to use.
1538  // oidutil.log('Server %s refused its suggested association
1539  // 'type: session_type=%s, assoc_type=%s'
1540  // % (endpoint.server_url, session_type,
1541  // assoc_type))
1542  return null;
1543  } else {
1544  return $assoc;
1545  }
1546  } else {
1547  return null;
1548  }
1549  } else {
1550  return $assoc;
1551  }
1552  }
1553 
1557  function _requestAssociation($endpoint, $assoc_type, $session_type)
1558  {
1559  list($assoc_session, $args) = $this->_createAssociateRequest(
1560  $endpoint, $assoc_type, $session_type);
1561 
1562  $response_message = $this->_makeKVPost($args, $endpoint->server_url);
1563 
1564  if ($response_message === null) {
1565  // oidutil.log('openid.associate request failed: %s' % (why[0],))
1566  return null;
1567  } else if (is_a($response_message,
1568  'Auth_OpenID_ServerErrorContainer')) {
1569  return $response_message;
1570  }
1571 
1572  return $this->_extractAssociation($response_message, $assoc_session);
1573  }
1574 
1578  function _extractAssociation($assoc_response, $assoc_session)
1579  {
1580  // Extract the common fields from the response, raising an
1581  // exception if they are not found
1582  $assoc_type = $assoc_response->getArg(
1583  Auth_OpenID_OPENID_NS, 'assoc_type',
1584  Auth_OpenID_NO_DEFAULT);
1585 
1586  if (Auth_OpenID::isFailure($assoc_type)) {
1587  return $assoc_type;
1588  }
1589 
1590  $assoc_handle = $assoc_response->getArg(
1591  Auth_OpenID_OPENID_NS, 'assoc_handle',
1592  Auth_OpenID_NO_DEFAULT);
1593 
1594  if (Auth_OpenID::isFailure($assoc_handle)) {
1595  return $assoc_handle;
1596  }
1597 
1598  // expires_in is a base-10 string. The Python parsing will
1599  // accept literals that have whitespace around them and will
1600  // accept negative values. Neither of these are really in-spec,
1601  // but we think it's OK to accept them.
1602  $expires_in_str = $assoc_response->getArg(
1603  Auth_OpenID_OPENID_NS, 'expires_in',
1604  Auth_OpenID_NO_DEFAULT);
1605 
1606  if (Auth_OpenID::isFailure($expires_in_str)) {
1607  return $expires_in_str;
1608  }
1609 
1610  $expires_in = Auth_OpenID::intval($expires_in_str);
1611  if ($expires_in === false) {
1612 
1613  $err = sprintf("Could not parse expires_in from association ".
1614  "response %s", print_r($assoc_response, true));
1615  return new Auth_OpenID_FailureResponse(null, $err);
1616  }
1617 
1618  // OpenID 1 has funny association session behaviour.
1619  if ($assoc_response->isOpenID1()) {
1620  $session_type = $this->_getOpenID1SessionType($assoc_response);
1621  } else {
1622  $session_type = $assoc_response->getArg(
1623  Auth_OpenID_OPENID2_NS, 'session_type',
1624  Auth_OpenID_NO_DEFAULT);
1625 
1626  if (Auth_OpenID::isFailure($session_type)) {
1627  return $session_type;
1628  }
1629  }
1630 
1631  // Session type mismatch
1632  if ($assoc_session->session_type != $session_type) {
1633  if ($assoc_response->isOpenID1() &&
1634  ($session_type == 'no-encryption')) {
1635  // In OpenID 1, any association request can result in
1636  // a 'no-encryption' association response. Setting
1637  // assoc_session to a new no-encryption session should
1638  // make the rest of this function work properly for
1639  // that case.
1640  $assoc_session = new Auth_OpenID_PlainTextConsumerSession();
1641  } else {
1642  // Any other mismatch, regardless of protocol version
1643  // results in the failure of the association session
1644  // altogether.
1645  return null;
1646  }
1647  }
1648 
1649  // Make sure assoc_type is valid for session_type
1650  if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
1651  return null;
1652  }
1653 
1654  // Delegate to the association session to extract the secret
1655  // from the response, however is appropriate for that session
1656  // type.
1657  $secret = $assoc_session->extractSecret($assoc_response);
1658 
1659  if ($secret === null) {
1660  return null;
1661  }
1662 
1663  return Auth_OpenID_Association::fromExpiresIn(
1664  $expires_in, $assoc_handle, $secret, $assoc_type);
1665  }
1666 
1670  function _createAssociateRequest($endpoint, $assoc_type, $session_type)
1671  {
1672  if (array_key_exists($session_type, $this->session_types)) {
1673  $session_type_class = $this->session_types[$session_type];
1674 
1675  if (is_callable($session_type_class)) {
1676  $assoc_session = $session_type_class();
1677  } else {
1678  $assoc_session = new $session_type_class();
1679  }
1680  } else {
1681  return null;
1682  }
1683 
1684  $args = array(
1685  'mode' => 'associate',
1686  'assoc_type' => $assoc_type);
1687 
1688  if (!$endpoint->compatibilityMode()) {
1689  $args['ns'] = Auth_OpenID_OPENID2_NS;
1690  }
1691 
1692  // Leave out the session type if we're in compatibility mode
1693  // *and* it's no-encryption.
1694  if ((!$endpoint->compatibilityMode()) ||
1695  ($assoc_session->session_type != 'no-encryption')) {
1696  $args['session_type'] = $assoc_session->session_type;
1697  }
1698 
1699  $args = array_merge($args, $assoc_session->getRequest());
1700  $message = Auth_OpenID_Message::fromOpenIDArgs($args);
1701  return array($assoc_session, $message);
1702  }
1703 
1717  function _getOpenID1SessionType($assoc_response)
1718  {
1719  // If it's an OpenID 1 message, allow session_type to default
1720  // to None (which signifies "no-encryption")
1721  $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS,
1722  'session_type');
1723 
1724  // Handle the differences between no-encryption association
1725  // respones in OpenID 1 and 2:
1726 
1727  // no-encryption is not really a valid session type for OpenID
1728  // 1, but we'll accept it anyway, while issuing a warning.
1729  if ($session_type == 'no-encryption') {
1730  // oidutil.log('WARNING: OpenID server sent "no-encryption"'
1731  // 'for OpenID 1.X')
1732  } else if (($session_type == '') || ($session_type === null)) {
1733  // Missing or empty session type is the way to flag a
1734  // 'no-encryption' response. Change the session type to
1735  // 'no-encryption' so that it can be handled in the same
1736  // way as OpenID 2 'no-encryption' respones.
1737  $session_type = 'no-encryption';
1738  }
1739 
1740  return $session_type;
1741  }
1742 }
1743 
1750 class Auth_OpenID_AuthRequest {
1751 
1760  function Auth_OpenID_AuthRequest($endpoint, $assoc)
1761  {
1762  $this->assoc = $assoc;
1763  $this->endpoint = $endpoint;
1764  $this->return_to_args = array();
1765  $this->message = new Auth_OpenID_Message(
1766  $endpoint->preferredNamespace());
1767  $this->_anonymous = false;
1768  }
1769 
1776  function addExtension($extension_request)
1777  {
1778  $extension_request->toMessage($this->message);
1779  }
1780 
1800  function addExtensionArg($namespace, $key, $value)
1801  {
1802  return $this->message->setArg($namespace, $key, $value);
1803  }
1804 
1814  function setAnonymous($is_anonymous)
1815  {
1816  if ($is_anonymous && $this->message->isOpenID1()) {
1817  return false;
1818  } else {
1819  $this->_anonymous = $is_anonymous;
1820  return true;
1821  }
1822  }
1823 
1844  function getMessage($realm, $return_to=null, $immediate=false)
1845  {
1846  if ($return_to) {
1847  $return_to = Auth_OpenID::appendArgs($return_to,
1848  $this->return_to_args);
1849  } else if ($immediate) {
1850  // raise ValueError(
1851  // '"return_to" is mandatory when
1852  //using "checkid_immediate"')
1853  return new Auth_OpenID_FailureResponse(null,
1854  "'return_to' is mandatory when using checkid_immediate");
1855  } else if ($this->message->isOpenID1()) {
1856  // raise ValueError('"return_to" is
1857  // mandatory for OpenID 1 requests')
1858  return new Auth_OpenID_FailureResponse(null,
1859  "'return_to' is mandatory for OpenID 1 requests");
1860  } else if ($this->return_to_args) {
1861  // raise ValueError('extra "return_to" arguments
1862  // were specified, but no return_to was specified')
1863  return new Auth_OpenID_FailureResponse(null,
1864  "extra 'return_to' arguments where specified, " .
1865  "but no return_to was specified");
1866  }
1867 
1868  if ($immediate) {
1869  $mode = 'checkid_immediate';
1870  } else {
1871  $mode = 'checkid_setup';
1872  }
1873 
1874  $message = $this->message->copy();
1875  if ($message->isOpenID1()) {
1876  $realm_key = 'trust_root';
1877  } else {
1878  $realm_key = 'realm';
1879  }
1880 
1881  $message->updateArgs(Auth_OpenID_OPENID_NS,
1882  array(
1883  $realm_key => $realm,
1884  'mode' => $mode,
1885  'return_to' => $return_to));
1886 
1887  if (!$this->_anonymous) {
1888  if ($this->endpoint->isOPIdentifier()) {
1889  // This will never happen when we're in compatibility
1890  // mode, as long as isOPIdentifier() returns False
1891  // whenever preferredNamespace() returns OPENID1_NS.
1892  $claimed_id = $request_identity =
1893  Auth_OpenID_IDENTIFIER_SELECT;
1894  } else {
1895  $request_identity = $this->endpoint->getLocalID();
1896  $claimed_id = $this->endpoint->claimed_id;
1897  }
1898 
1899  // This is true for both OpenID 1 and 2
1900  $message->setArg(Auth_OpenID_OPENID_NS, 'identity',
1901  $request_identity);
1902 
1903  if ($message->isOpenID2()) {
1904  $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id',
1905  $claimed_id);
1906  }
1907  }
1908 
1909  if ($this->assoc) {
1910  $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle',
1911  $this->assoc->handle);
1912  }
1913 
1914  return $message;
1915  }
1916 
1917  function redirectURL($realm, $return_to = null,
1918  $immediate = false)
1919  {
1920  $message = $this->getMessage($realm, $return_to, $immediate);
1921 
1922  if (Auth_OpenID::isFailure($message)) {
1923  return $message;
1924  }
1925 
1926  return $message->toURL($this->endpoint->server_url);
1927  }
1928 
1937  function formMarkup($realm, $return_to=null, $immediate=false,
1938  $form_tag_attrs=null)
1939  {
1940  $message = $this->getMessage($realm, $return_to, $immediate);
1941 
1942  if (Auth_OpenID::isFailure($message)) {
1943  return $message;
1944  }
1945 
1946  return $message->toFormMarkup($this->endpoint->server_url,
1947  $form_tag_attrs);
1948  }
1949 
1956  function htmlMarkup($realm, $return_to=null, $immediate=false,
1957  $form_tag_attrs=null)
1958  {
1959  $form = $this->formMarkup($realm, $return_to, $immediate,
1960  $form_tag_attrs);
1961 
1962  if (Auth_OpenID::isFailure($form)) {
1963  return $form;
1964  }
1965  return Auth_OpenID::autoSubmitHTML($form);
1966  }
1967 
1968  function shouldSendRedirect()
1969  {
1970  return $this->endpoint->compatibilityMode();
1971  }
1972 }
1973 
1979 class Auth_OpenID_ConsumerResponse {
1980  var $status = null;
1981 
1982  function setEndpoint($endpoint)
1983  {
1984  $this->endpoint = $endpoint;
1985  if ($endpoint === null) {
1986  $this->identity_url = null;
1987  } else {
1988  $this->identity_url = $endpoint->claimed_id;
1989  }
1990  }
1991 
2009  function getDisplayIdentifier()
2010  {
2011  if ($this->endpoint !== null) {
2012  return $this->endpoint->getDisplayIdentifier();
2013  }
2014  return null;
2015  }
2016 }
2017 
2033 class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse {
2034  var $status = Auth_OpenID_SUCCESS;
2035 
2039  function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null)
2040  {
2041  $this->endpoint = $endpoint;
2042  $this->identity_url = $endpoint->claimed_id;
2043  $this->signed_args = $signed_args;
2044  $this->message = $message;
2045 
2046  if ($this->signed_args === null) {
2047  $this->signed_args = array();
2048  }
2049  }
2050 
2057  function extensionResponse($namespace_uri, $require_signed)
2058  {
2059  if ($require_signed) {
2060  return $this->getSignedNS($namespace_uri);
2061  } else {
2062  return $this->message->getArgs($namespace_uri);
2063  }
2064  }
2065 
2066  function isOpenID1()
2067  {
2068  return $this->message->isOpenID1();
2069  }
2070 
2071  function isSigned($ns_uri, $ns_key)
2072  {
2073  // Return whether a particular key is signed, regardless of
2074  // its namespace alias
2075  return in_array($this->message->getKey($ns_uri, $ns_key),
2076  $this->signed_args);
2077  }
2078 
2079  function getSigned($ns_uri, $ns_key, $default = null)
2080  {
2081  // Return the specified signed field if available, otherwise
2082  // return default
2083  if ($this->isSigned($ns_uri, $ns_key)) {
2084  return $this->message->getArg($ns_uri, $ns_key, $default);
2085  } else {
2086  return $default;
2087  }
2088  }
2089 
2090  function getSignedNS($ns_uri)
2091  {
2092  $args = array();
2093 
2094  $msg_args = $this->message->getArgs($ns_uri);
2095  if (Auth_OpenID::isFailure($msg_args)) {
2096  return null;
2097  }
2098 
2099  foreach ($msg_args as $key => $value) {
2100  if (!$this->isSigned($ns_uri, $key)) {
2101  unset($msg_args[$key]);
2102  }
2103  }
2104 
2105  return $msg_args;
2106  }
2107 
2118  function getReturnTo()
2119  {
2120  return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to');
2121  }
2122 }
2123 
2139 class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse {
2140  var $status = Auth_OpenID_FAILURE;
2141 
2142  function Auth_OpenID_FailureResponse($endpoint, $message = null,
2143  $contact = null, $reference = null)
2144  {
2145  $this->setEndpoint($endpoint);
2146  $this->message = $message;
2147  $this->contact = $contact;
2148  $this->reference = $reference;
2149  }
2150 }
2151 
2157 class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse {
2158 }
2159 
2166 class Auth_OpenID_ServerErrorContainer {
2167  function Auth_OpenID_ServerErrorContainer($error_text,
2168  $error_code,
2169  $message)
2170  {
2171  $this->error_text = $error_text;
2172  $this->error_code = $error_code;
2173  $this->message = $message;
2174  }
2175 
2179  static function fromMessage($message)
2180  {
2181  $error_text = $message->getArg(
2182  Auth_OpenID_OPENID_NS, 'error', '<no error message supplied>');
2183  $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code');
2184  return new Auth_OpenID_ServerErrorContainer($error_text,
2185  $error_code,
2186  $message);
2187  }
2188 }
2189 
2202 class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse {
2203  var $status = Auth_OpenID_CANCEL;
2204 
2205  function Auth_OpenID_CancelResponse($endpoint)
2206  {
2207  $this->setEndpoint($endpoint);
2208  }
2209 }
2210 
2228 class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse {
2229  var $status = Auth_OpenID_SETUP_NEEDED;
2230 
2231  function Auth_OpenID_SetupNeededResponse($endpoint,
2232  $setup_url = null)
2233  {
2234  $this->setEndpoint($endpoint);
2235  $this->setup_url = $setup_url;
2236  }
2237 }
2238 
2239 
Auth_OpenID_Consumer\$discoverMethod
$discoverMethod
Definition: Consumer.php:220
Auth_OpenID_FAILURE
const Auth_OpenID_FAILURE
Definition: Consumer.php:191
Auth_Yadis_Yadis\getHTTPFetcher
static getHTTPFetcher($timeout=20)
Definition: Yadis.php:253
Auth_OpenID_GenericConsumer\_checkReturnTo
_checkReturnTo($message, $return_to)
Definition: Consumer.php:816
Auth_OpenID_TYPE_1_1
const Auth_OpenID_TYPE_1_1
Definition: Discover.php:18
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\getRequest
getRequest()
Definition: Consumer.php:468
Auth_OpenID_Consumer
Definition: Consumer.php:215
Auth_Yadis_PHPSession
Definition: Manager.php:17
Auth_OpenID_ConsumerResponse\getDisplayIdentifier
getDisplayIdentifier()
Definition: Consumer.php:2009
Auth_OpenID_ServiceEndpoint
Definition: Discover.php:63
Auth_OpenID_ServerErrorContainer
Definition: Consumer.php:2166
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\Auth_OpenID_DiffieHellmanSHA1ConsumerSession
Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh=null)
Definition: Consumer.php:459
Auth_OpenID_GenericConsumer\_complete_setup_needed
_complete_setup_needed($message, $endpoint, $unused)
Definition: Consumer.php:711
Auth_OpenID_SUCCESS
const Auth_OpenID_SUCCESS
Definition: Consumer.php:180
Auth_OpenID_Consumer\$_token_suffix
$_token_suffix
Definition: Consumer.php:230
Auth_OpenID_TYPE_1_0
const Auth_OpenID_TYPE_1_0
Definition: Discover.php:19
Auth_OpenID_SuccessResponse\isSigned
isSigned($ns_uri, $ns_key)
Definition: Consumer.php:2071
Auth_OpenID_SuccessResponse\extensionResponse
extensionResponse($namespace_uri, $require_signed)
Definition: Consumer.php:2057
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\extractSecret
extractSecret($response)
Definition: Consumer.php:487
Auth_OpenID_GenericConsumer\_httpResponseToMessage
static _httpResponseToMessage($response, $server_url)
Definition: Consumer.php:1409
Auth_OpenID_GenericConsumer\_idResGetNonceOpenID1
_idResGetNonceOpenID1($message, $endpoint)
Definition: Consumer.php:1243
Auth_OpenID_SuccessResponse\isOpenID1
isOpenID1()
Definition: Consumer.php:2066
Auth_OpenID_PlainTextConsumerSession\extractSecret
extractSecret($response)
Definition: Consumer.php:537
Auth_OpenID_getDefaultNegotiator
Auth_OpenID_getDefaultNegotiator()
Definition: Association.php:472
Auth_OpenID_GenericConsumer\_getOpenID1SessionType
_getOpenID1SessionType($assoc_response)
Definition: Consumer.php:1717
E_USER_ERROR
if(!defined('ADODB_ERROR_HANDLER_TYPE')) define('ADODB_ERROR_HANDLER_TYPE' E_USER_ERROR
Definition: adodb-errorhandler.inc.php:16
Auth_OpenID_splitNonce
Auth_OpenID_splitNonce($nonce_string)
Definition: Nonce.php:30
Auth_OpenID_AuthRequest\htmlMarkup
htmlMarkup($realm, $return_to=null, $immediate=false, $form_tag_attrs=null)
Definition: Consumer.php:1956
Auth_OpenID_getMathLib
Auth_OpenID_getMathLib()
Definition: BigMath.php:399
Auth_OpenID_AuthRequest\addExtensionArg
addExtensionArg($namespace, $key, $value)
Definition: Consumer.php:1800
Auth_Yadis_Discovery
Definition: Manager.php:369
Auth_OpenID_CancelResponse\Auth_OpenID_CancelResponse
Auth_OpenID_CancelResponse($endpoint)
Definition: Consumer.php:2205
Auth_OpenID_GenericConsumer\_checkSetupNeeded
_checkSetupNeeded($message)
Definition: Consumer.php:741
Auth_Yadis_ManagerLoader
Definition: Manager.php:223
Auth_OpenID_TypeURIMismatch
Definition: Consumer.php:2157
Auth_OpenID_CancelResponse
Definition: Consumer.php:2202
Auth_OpenID_GenericConsumer\_negotiateAssociation
_negotiateAssociation($endpoint)
Definition: Consumer.php:1508
Auth_OpenID_SuccessResponse\getReturnTo
getReturnTo()
Definition: Consumer.php:2118
Auth_OpenID_GenericConsumer\_verifyDiscoveryResults
_verifyDiscoveryResults($message, $endpoint=null)
Definition: Consumer.php:987
Auth_OpenID_TYPE_2_0
const Auth_OpenID_TYPE_2_0
Definition: Discover.php:21
Auth_OpenID_DiffieHellmanSHA1ConsumerSession
Definition: Consumer.php:453
Auth_OpenID_GenericConsumer\$_use_assocs
$_use_assocs
Definition: Consumer.php:582
Auth_OpenID_CANCEL
const Auth_OpenID_CANCEL
Definition: Consumer.php:185
Auth_OpenID_FailureResponse
Definition: Consumer.php:2139
Auth_OpenID\arrayGet
static arrayGet($arr, $key, $fallback=null)
Definition: OpenID.php:242
Auth_OpenID_AuthRequest\formMarkup
formMarkup($realm, $return_to=null, $immediate=false, $form_tag_attrs=null)
Definition: Consumer.php:1937
Auth_OpenID_PlainTextConsumerSession
Definition: Consumer.php:528
Auth_OpenID_GenericConsumer\_processCheckAuthResponse
_processCheckAuthResponse($response, $server_url)
Definition: Consumer.php:1382
Auth_OpenID_urinorm
Auth_OpenID_urinorm($uri)
Definition: URINorm.php:142
Auth_OpenID_Message\fromKVForm
static fromKVForm($kvform_string)
Definition: Message.php:596
Auth_OpenID_Consumer\complete
complete($current_url, $query=null)
Definition: Consumer.php:410
Auth_OpenID_GenericConsumer\_idResCheckSignature
_idResCheckSignature($message, $server_url)
Definition: Consumer.php:940
Auth_OpenID_GenericConsumer\Auth_OpenID_GenericConsumer
Auth_OpenID_GenericConsumer($store)
Definition: Consumer.php:614
Auth_OpenID_SuccessResponse\getSignedNS
getSignedNS($ns_uri)
Definition: Consumer.php:2090
Auth_OpenID_Consumer\beginWithoutDiscovery
beginWithoutDiscovery($endpoint, $anonymous=false)
Definition: Consumer.php:373
Auth_OpenID_AuthRequest\getMessage
getMessage($realm, $return_to=null, $immediate=false)
Definition: Consumer.php:1844
Auth_OpenID_GenericConsumer\_verifyDiscoveryResultsOpenID1
_verifyDiscoveryResultsOpenID1($message, $endpoint)
Definition: Consumer.php:1001
Auth_OpenID_PlainTextConsumerSession\getRequest
getRequest()
Definition: Consumer.php:532
Auth_OpenID_AuthRequest\redirectURL
redirectURL($realm, $return_to=null, $immediate=false)
Definition: Consumer.php:1917
Auth_OpenID_ServerErrorContainer\Auth_OpenID_ServerErrorContainer
Auth_OpenID_ServerErrorContainer($error_text, $error_code, $message)
Definition: Consumer.php:2167
Auth_OpenID_GenericConsumer\_completeInvalid
_completeInvalid($message, $endpoint, $unused)
Definition: Consumer.php:678
Auth_OpenID_GenericConsumer\_extractAssociation
_extractAssociation($assoc_response, $assoc_session)
Definition: Consumer.php:1578
Auth_OpenID_GenericConsumer\_verifyDiscoveryResultsOpenID2
_verifyDiscoveryResultsOpenID2($message, $endpoint)
Definition: Consumer.php:1110
Auth_OpenID\intval
static intval($value)
Definition: OpenID.php:444
Auth_OpenID_SuccessResponse\getSigned
getSigned($ns_uri, $ns_key, $default=null)
Definition: Consumer.php:2079
Auth_OpenID_Consumer\begin
begin($user_url, $anonymous=false)
Definition: Consumer.php:313
Auth_OpenID_Consumer\Auth_OpenID_Consumer
Auth_OpenID_Consumer($store, $session=null, $consumer_cls=null)
Definition: Consumer.php:261
Auth_OpenID_GenericConsumer\_verifyDiscoveryServices
_verifyDiscoveryServices($claimed_id, $services, $to_match_endpoints)
Definition: Consumer.php:1208
Auth_OpenID_GenericConsumer\_getAssociation
_getAssociation($endpoint)
Definition: Consumer.php:1442
Auth_OpenID_SetupNeededResponse\Auth_OpenID_SetupNeededResponse
Auth_OpenID_SetupNeededResponse($endpoint, $setup_url=null)
Definition: Consumer.php:2231
Auth_OpenID_AuthRequest\Auth_OpenID_AuthRequest
Auth_OpenID_AuthRequest($endpoint, $assoc)
Definition: Consumer.php:1760
Auth_OpenID_GenericConsumer\_verifyDiscoverySingle
_verifyDiscoverySingle($endpoint, $to_match)
Definition: Consumer.php:1058
Auth_OpenID_GenericConsumer\_complete_id_res
_complete_id_res($message, $endpoint, $return_to)
Definition: Consumer.php:725
Auth_OpenID_AuthRequest
Definition: Consumer.php:1750
Auth_OpenID_NO_DEFAULT
const Auth_OpenID_NO_DEFAULT
Definition: Message.php:50
$result
if($list_of_literals) if(!empty($literals)) if(!empty($literals)) $result
Analyse literals to prepend the N char to them if their contents aren&#39;t numeric.
Definition: adodb-mssql_n.inc.php:148
Auth_OpenID_AuthRequest\addExtension
addExtension($extension_request)
Definition: Consumer.php:1776
Auth_OpenID_ServiceEndpointLoader
Definition: Manager.php:196
Auth_OpenID_IDENTIFIER_SELECT
const Auth_OpenID_IDENTIFIER_SELECT
Definition: Message.php:18
Auth_OpenID\appendArgs
static appendArgs($url, $args)
Definition: OpenID.php:324
Auth_OpenID_ServiceEndpoint\fromOPEndpointURL
static fromOPEndpointURL($op_endpoint_url)
Definition: Discover.php:152
Auth_OpenID_DiffieHellmanSHA256ConsumerSession
Definition: Consumer.php:515
Auth_OpenID_BARE_NS
const Auth_OpenID_BARE_NS
Definition: Message.php:46
Auth_OpenID_SetupNeededResponse
Definition: Consumer.php:2228
Auth_OpenID_GenericConsumer\_createAssociateRequest
_createAssociateRequest($endpoint, $assoc_type, $session_type)
Definition: Consumer.php:1670
Auth_OpenID_GenericConsumer\_makeKVPost
_makeKVPost($message, $server_url)
Definition: Consumer.php:1427
Auth_OpenID\addPrefix
static addPrefix($values, $prefix)
Definition: OpenID.php:226
Auth_OpenID_AuthRequest\setAnonymous
setAnonymous($is_anonymous)
Definition: Consumer.php:1814
Auth_OpenID_SuccessResponse
Definition: Consumer.php:2033
Auth_OpenID_ConsumerResponse
Definition: Consumer.php:1979
Auth_OpenID_Consumer\$session_key_prefix
$session_key_prefix
Definition: Consumer.php:225
Auth_OpenID_GenericConsumer
Definition: Consumer.php:568
Auth_OpenID_GenericConsumer\_complete_error
_complete_error($message, $endpoint, $unused)
Definition: Consumer.php:698
Auth_OpenID\parse_str
static parse_str($query)
Definition: OpenID.php:262
Auth_OpenID_DiffieHellman
Definition: DiffieHellman.php:43
Auth_OpenID_Message\fromOpenIDArgs
static fromOpenIDArgs($openid_args)
Definition: Message.php:479
Auth_OpenID_OPENID1_NS
const Auth_OpenID_OPENID1_NS
Definition: Message.php:25
Auth_OpenID_FailureResponse\Auth_OpenID_FailureResponse
Auth_OpenID_FailureResponse($endpoint, $message=null, $contact=null, $reference=null)
Definition: Consumer.php:2142
Auth_OpenID_GenericConsumer\$store
$store
Definition: Consumer.php:577
Auth_OpenID_OPENID_NS
const Auth_OpenID_OPENID_NS
Definition: Message.php:42
Auth_OpenID_Message
Definition: Message.php:414
Auth_OpenID_Consumer\getDiscoveryObject
getDiscoveryObject($session, $openid_url, $session_key_prefix)
Definition: Consumer.php:284
Auth_OpenID_OPENID2_NS
const Auth_OpenID_OPENID2_NS
Definition: Message.php:35
Auth_OpenID_GenericConsumer\_idResCheckForFields
_idResCheckForFields($message)
Definition: Consumer.php:1290
Auth_OpenID_SETUP_NEEDED
const Auth_OpenID_SETUP_NEEDED
Definition: Consumer.php:199
Auth_OpenID_ConsumerResponse\setEndpoint
setEndpoint($endpoint)
Definition: Consumer.php:1982
Auth_OpenID_Association\fromExpiresIn
static fromExpiresIn($expires_in, $handle, $secret, $assoc_type)
Definition: Association.php:97
Auth_OpenID_Message\fromPostArgs
static fromPostArgs($args)
Definition: Message.php:444
Auth_OpenID_GenericConsumer\_complete_cancel
_complete_cancel($message, $endpoint, $unused)
Definition: Consumer.php:690
Auth_OpenID_GenericConsumer\_idResCheckNonce
_idResCheckNonce($message, $endpoint)
Definition: Consumer.php:1252
Auth_OpenID_GenericConsumer\_checkAuth
_checkAuth($message, $server_url)
Definition: Consumer.php:1343
Auth_OpenID_GenericConsumer\_requestAssociation
_requestAssociation($endpoint, $assoc_type, $session_type)
Definition: Consumer.php:1557
Auth_OpenID_mkNonce
Auth_OpenID_mkNonce($when=null)
Definition: Nonce.php:91
Auth_OpenID\autoSubmitHTML
static autoSubmitHTML($form, $title="OpenId transaction in progress")
Definition: OpenID.php:532
Auth_OpenID_GenericConsumer\begin
begin($service_endpoint)
Definition: Consumer.php:634
Auth_OpenID\isFailure
static isFailure($thing)
Definition: OpenID.php:118
Auth_OpenID_GenericConsumer\_createCheckAuthRequest
_createCheckAuthRequest($message)
Definition: Consumer.php:1362
Auth_OpenID_getAvailableSessionTypes
Auth_OpenID_getAvailableSessionTypes()
Definition: Consumer.php:551
Auth_OpenID_ServerErrorContainer\fromMessage
static fromMessage($message)
Definition: Consumer.php:2179
Auth_OpenID_GenericConsumer\_doIdRes
_doIdRes($message, $endpoint, $return_to)
Definition: Consumer.php:760
Auth_OpenID_GenericConsumer\complete
complete($message, $endpoint, $return_to)
Definition: Consumer.php:656
Auth_OpenID\urldefrag
static urldefrag($url)
Definition: OpenID.php:487
Auth_OpenID_AuthRequest\shouldSendRedirect
shouldSendRedirect()
Definition: Consumer.php:1968
Auth_OpenID\getQuery
static getQuery($query_str=null)
Definition: OpenID.php:142
Auth_OpenID_GenericConsumer\_discoverAndVerify
_discoverAndVerify($claimed_id, $to_match_endpoints)
Definition: Consumer.php:1186
Auth_OpenID_GenericConsumer\_extractSupportedAssociationType
_extractSupportedAssociationType($server_error, $endpoint, $assoc_type)
Definition: Consumer.php:1473
Auth_OpenID_GenericConsumer\_verifyReturnToArgs
_verifyReturnToArgs($query)
Definition: Consumer.php:883
Auth_OpenID_SuccessResponse\Auth_OpenID_SuccessResponse
Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null)
Definition: Consumer.php:2039