diff options
Diffstat (limited to 'models/Auth/OpenID/Server.php')
-rw-r--r-- | models/Auth/OpenID/Server.php | 1765 |
1 files changed, 0 insertions, 1765 deletions
diff --git a/models/Auth/OpenID/Server.php b/models/Auth/OpenID/Server.php deleted file mode 100644 index cc8ba961c..000000000 --- a/models/Auth/OpenID/Server.php +++ /dev/null @@ -1,1765 +0,0 @@ -<?php - -/** - * OpenID server protocol and logic. - * - * Overview - * - * An OpenID server must perform three tasks: - * - * 1. Examine the incoming request to determine its nature and validity. - * 2. Make a decision about how to respond to this request. - * 3. Format the response according to the protocol. - * - * The first and last of these tasks may performed by the {@link - * Auth_OpenID_Server::decodeRequest()} and {@link - * Auth_OpenID_Server::encodeResponse} methods. Who gets to do the - * intermediate task -- deciding how to respond to the request -- will - * depend on what type of request it is. - * - * If it's a request to authenticate a user (a 'checkid_setup' or - * 'checkid_immediate' request), you need to decide if you will assert - * that this user may claim the identity in question. Exactly how you - * do that is a matter of application policy, but it generally - * involves making sure the user has an account with your system and - * is logged in, checking to see if that identity is hers to claim, - * and verifying with the user that she does consent to releasing that - * information to the party making the request. - * - * Examine the properties of the {@link Auth_OpenID_CheckIDRequest} - * object, and if and when you've come to a decision, form a response - * by calling {@link Auth_OpenID_CheckIDRequest::answer()}. - * - * Other types of requests relate to establishing associations between - * client and server and verifing the authenticity of previous - * communications. {@link Auth_OpenID_Server} contains all the logic - * and data necessary to respond to such requests; just pass it to - * {@link Auth_OpenID_Server::handleRequest()}. - * - * OpenID Extensions - * - * Do you want to provide other information for your users in addition - * to authentication? Version 1.2 of the OpenID protocol allows - * consumers to add extensions to their requests. For example, with - * sites using the Simple Registration - * Extension - * (http://openid.net/specs/openid-simple-registration-extension-1_0.html), - * a user can agree to have their nickname and e-mail address sent to - * a site when they sign up. - * - * Since extensions do not change the way OpenID authentication works, - * code to handle extension requests may be completely separate from - * the {@link Auth_OpenID_Request} class here. But you'll likely want - * data sent back by your extension to be signed. {@link - * Auth_OpenID_ServerResponse} provides methods with which you can add - * data to it which can be signed with the other data in the OpenID - * signature. - * - * For example: - * - * <pre> // when request is a checkid_* request - * $response = $request->answer(true); - * // this will a signed 'openid.sreg.timezone' parameter to the response - * response.addField('sreg', 'timezone', 'America/Los_Angeles')</pre> - * - * Stores - * - * The OpenID server needs to maintain state between requests in order - * to function. Its mechanism for doing this is called a store. The - * store interface is defined in Interface.php. Additionally, several - * concrete store implementations are provided, so that most sites - * won't need to implement a custom store. For a store backed by flat - * files on disk, see {@link Auth_OpenID_FileStore}. For stores based - * on MySQL, SQLite, or PostgreSQL, see the {@link - * Auth_OpenID_SQLStore} subclasses. - * - * Upgrading - * - * The keys by which a server looks up associations in its store have - * changed in version 1.2 of this library. If your store has entries - * created from version 1.0 code, you should empty it. - * - * PHP versions 4 and 5 - * - * LICENSE: See the COPYING file included in this distribution. - * - * @package OpenID - * @author JanRain, Inc. <openid@janrain.com> - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * Required imports - */ -require_once "Auth/OpenID.php"; -require_once "Auth/OpenID/Association.php"; -require_once "Auth/OpenID/CryptUtil.php"; -require_once "Auth/OpenID/BigMath.php"; -require_once "Auth/OpenID/DiffieHellman.php"; -require_once "Auth/OpenID/KVForm.php"; -require_once "Auth/OpenID/TrustRoot.php"; -require_once "Auth/OpenID/ServerRequest.php"; -require_once "Auth/OpenID/Message.php"; -require_once "Auth/OpenID/Nonce.php"; - -define('AUTH_OPENID_HTTP_OK', 200); -define('AUTH_OPENID_HTTP_REDIRECT', 302); -define('AUTH_OPENID_HTTP_ERROR', 400); - -/** - * @access private - */ -global $_Auth_OpenID_Request_Modes; -$_Auth_OpenID_Request_Modes = array('checkid_setup', - 'checkid_immediate'); - -/** - * @access private - */ -define('Auth_OpenID_ENCODE_KVFORM', 'kfvorm'); - -/** - * @access private - */ -define('Auth_OpenID_ENCODE_URL', 'URL/redirect'); - -/** - * @access private - */ -define('Auth_OpenID_ENCODE_HTML_FORM', 'HTML form'); - -/** - * @access private - */ -function Auth_OpenID_isError($obj, $cls = 'Auth_OpenID_ServerError') -{ - return is_a($obj, $cls); -} - -/** - * An error class which gets instantiated and returned whenever an - * OpenID protocol error occurs. Be prepared to use this in place of - * an ordinary server response. - * - * @package OpenID - */ -class Auth_OpenID_ServerError { - /** - * @access private - */ - function Auth_OpenID_ServerError($message = null, $text = null, - $reference = null, $contact = null) - { - $this->message = $message; - $this->text = $text; - $this->contact = $contact; - $this->reference = $reference; - } - - function getReturnTo() - { - if ($this->message && - $this->message->hasKey(Auth_OpenID_OPENID_NS, 'return_to')) { - return $this->message->getArg(Auth_OpenID_OPENID_NS, - 'return_to'); - } else { - return null; - } - } - - /** - * Returns the return_to URL for the request which caused this - * error. - */ - function hasReturnTo() - { - return $this->getReturnTo() !== null; - } - - /** - * Encodes this error's response as a URL suitable for - * redirection. If the response has no return_to, another - * Auth_OpenID_ServerError is returned. - */ - function encodeToURL() - { - if (!$this->message) { - return null; - } - - $msg = $this->toMessage(); - return $msg->toURL($this->getReturnTo()); - } - - /** - * Encodes the response to key-value form. This is a - * machine-readable format used to respond to messages which came - * directly from the consumer and not through the user-agent. See - * the OpenID specification. - */ - function encodeToKVForm() - { - return Auth_OpenID_KVForm::fromArray( - array('mode' => 'error', - 'error' => $this->toString())); - } - - function toFormMarkup($form_tag_attrs=null) - { - $msg = $this->toMessage(); - return $msg->toFormMarkup($this->getReturnTo(), $form_tag_attrs); - } - - function toHTML($form_tag_attrs=null) - { - return Auth_OpenID::autoSubmitHTML( - $this->toFormMarkup($form_tag_attrs)); - } - - function toMessage() - { - // Generate a Message object for sending to the relying party, - // after encoding. - $namespace = $this->message->getOpenIDNamespace(); - $reply = new Auth_OpenID_Message($namespace); - $reply->setArg(Auth_OpenID_OPENID_NS, 'mode', 'error'); - $reply->setArg(Auth_OpenID_OPENID_NS, 'error', $this->toString()); - - if ($this->contact !== null) { - $reply->setArg(Auth_OpenID_OPENID_NS, 'contact', $this->contact); - } - - if ($this->reference !== null) { - $reply->setArg(Auth_OpenID_OPENID_NS, 'reference', - $this->reference); - } - - return $reply; - } - - /** - * Returns one of Auth_OpenID_ENCODE_URL, - * Auth_OpenID_ENCODE_KVFORM, or null, depending on the type of - * encoding expected for this error's payload. - */ - function whichEncoding() - { - global $_Auth_OpenID_Request_Modes; - - if ($this->hasReturnTo()) { - if ($this->message->isOpenID2() && - (strlen($this->encodeToURL()) > - Auth_OpenID_OPENID1_URL_LIMIT)) { - return Auth_OpenID_ENCODE_HTML_FORM; - } else { - return Auth_OpenID_ENCODE_URL; - } - } - - if (!$this->message) { - return null; - } - - $mode = $this->message->getArg(Auth_OpenID_OPENID_NS, - 'mode'); - - if ($mode) { - if (!in_array($mode, $_Auth_OpenID_Request_Modes)) { - return Auth_OpenID_ENCODE_KVFORM; - } - } - return null; - } - - /** - * Returns this error message. - */ - function toString() - { - if ($this->text) { - return $this->text; - } else { - return get_class($this) . " error"; - } - } -} - -/** - * Error returned by the server code when a return_to is absent from a - * request. - * - * @package OpenID - */ -class Auth_OpenID_NoReturnToError extends Auth_OpenID_ServerError { - function Auth_OpenID_NoReturnToError($message = null, - $text = "No return_to URL available") - { - parent::Auth_OpenID_ServerError($message, $text); - } - - function toString() - { - return "No return_to available"; - } -} - -/** - * An error indicating that the return_to URL is malformed. - * - * @package OpenID - */ -class Auth_OpenID_MalformedReturnURL extends Auth_OpenID_ServerError { - function Auth_OpenID_MalformedReturnURL($message, $return_to) - { - $this->return_to = $return_to; - parent::Auth_OpenID_ServerError($message, "malformed return_to URL"); - } -} - -/** - * This error is returned when the trust_root value is malformed. - * - * @package OpenID - */ -class Auth_OpenID_MalformedTrustRoot extends Auth_OpenID_ServerError { - function Auth_OpenID_MalformedTrustRoot($message = null, - $text = "Malformed trust root") - { - parent::Auth_OpenID_ServerError($message, $text); - } - - function toString() - { - return "Malformed trust root"; - } -} - -/** - * The base class for all server request classes. - * - * @package OpenID - */ -class Auth_OpenID_Request { - var $mode = null; -} - -/** - * A request to verify the validity of a previous response. - * - * @package OpenID - */ -class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request { - var $mode = "check_authentication"; - var $invalidate_handle = null; - - function Auth_OpenID_CheckAuthRequest($assoc_handle, $signed, - $invalidate_handle = null) - { - $this->assoc_handle = $assoc_handle; - $this->signed = $signed; - if ($invalidate_handle !== null) { - $this->invalidate_handle = $invalidate_handle; - } - $this->namespace = Auth_OpenID_OPENID2_NS; - $this->message = null; - } - - static function fromMessage($message, $server=null) - { - $required_keys = array('assoc_handle', 'sig', 'signed'); - - foreach ($required_keys as $k) { - if (!$message->getArg(Auth_OpenID_OPENID_NS, $k)) { - return new Auth_OpenID_ServerError($message, - sprintf("%s request missing required parameter %s from \ - query", "check_authentication", $k)); - } - } - - $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle'); - $sig = $message->getArg(Auth_OpenID_OPENID_NS, 'sig'); - - $signed_list = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); - $signed_list = explode(",", $signed_list); - - $signed = $message; - if ($signed->hasKey(Auth_OpenID_OPENID_NS, 'mode')) { - $signed->setArg(Auth_OpenID_OPENID_NS, 'mode', 'id_res'); - } - - $result = new Auth_OpenID_CheckAuthRequest($assoc_handle, $signed); - $result->message = $message; - $result->sig = $sig; - $result->invalidate_handle = $message->getArg(Auth_OpenID_OPENID_NS, - 'invalidate_handle'); - return $result; - } - - function answer($signatory) - { - $is_valid = $signatory->verify($this->assoc_handle, $this->signed); - - // Now invalidate that assoc_handle so it this checkAuth - // message cannot be replayed. - $signatory->invalidate($this->assoc_handle, true); - $response = new Auth_OpenID_ServerResponse($this); - - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'is_valid', - ($is_valid ? "true" : "false")); - - if ($this->invalidate_handle) { - $assoc = $signatory->getAssociation($this->invalidate_handle, - false); - if (!$assoc) { - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'invalidate_handle', - $this->invalidate_handle); - } - } - return $response; - } -} - -/** - * A class implementing plaintext server sessions. - * - * @package OpenID - */ -class Auth_OpenID_PlainTextServerSession { - /** - * An object that knows how to handle association requests with no - * session type. - */ - var $session_type = 'no-encryption'; - var $needs_math = false; - var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); - - static function fromMessage($unused_request) - { - return new Auth_OpenID_PlainTextServerSession(); - } - - function answer($secret) - { - return array('mac_key' => base64_encode($secret)); - } -} - -/** - * A class implementing DH-SHA1 server sessions. - * - * @package OpenID - */ -class Auth_OpenID_DiffieHellmanSHA1ServerSession { - /** - * An object that knows how to handle association requests with - * the Diffie-Hellman session type. - */ - - var $session_type = 'DH-SHA1'; - var $needs_math = true; - var $allowed_assoc_types = array('HMAC-SHA1'); - var $hash_func = 'Auth_OpenID_SHA1'; - - function Auth_OpenID_DiffieHellmanSHA1ServerSession($dh, $consumer_pubkey) - { - $this->dh = $dh; - $this->consumer_pubkey = $consumer_pubkey; - } - - static function getDH($message) - { - $dh_modulus = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_modulus'); - $dh_gen = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_gen'); - - if ((($dh_modulus === null) && ($dh_gen !== null)) || - (($dh_gen === null) && ($dh_modulus !== null))) { - - if ($dh_modulus === null) { - $missing = 'modulus'; - } else { - $missing = 'generator'; - } - - return new Auth_OpenID_ServerError($message, - 'If non-default modulus or generator is '. - 'supplied, both must be supplied. Missing '. - $missing); - } - - $lib = Auth_OpenID_getMathLib(); - - if ($dh_modulus || $dh_gen) { - $dh_modulus = $lib->base64ToLong($dh_modulus); - $dh_gen = $lib->base64ToLong($dh_gen); - if ($lib->cmp($dh_modulus, 0) == 0 || - $lib->cmp($dh_gen, 0) == 0) { - return new Auth_OpenID_ServerError( - $message, "Failed to parse dh_mod or dh_gen"); - } - $dh = new Auth_OpenID_DiffieHellman($dh_modulus, $dh_gen); - } else { - $dh = new Auth_OpenID_DiffieHellman(); - } - - $consumer_pubkey = $message->getArg(Auth_OpenID_OPENID_NS, - 'dh_consumer_public'); - if ($consumer_pubkey === null) { - return new Auth_OpenID_ServerError($message, - 'Public key for DH-SHA1 session '. - 'not found in query'); - } - - $consumer_pubkey = - $lib->base64ToLong($consumer_pubkey); - - if ($consumer_pubkey === false) { - return new Auth_OpenID_ServerError($message, - "dh_consumer_public is not base64"); - } - - return array($dh, $consumer_pubkey); - } - - static function fromMessage($message) - { - $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message); - - if (is_a($result, 'Auth_OpenID_ServerError')) { - return $result; - } else { - list($dh, $consumer_pubkey) = $result; - return new Auth_OpenID_DiffieHellmanSHA1ServerSession($dh, - $consumer_pubkey); - } - } - - function answer($secret) - { - $lib = Auth_OpenID_getMathLib(); - $mac_key = $this->dh->xorSecret($this->consumer_pubkey, $secret, - $this->hash_func); - return array( - 'dh_server_public' => - $lib->longToBase64($this->dh->public), - 'enc_mac_key' => base64_encode($mac_key)); - } -} - -/** - * A class implementing DH-SHA256 server sessions. - * - * @package OpenID - */ -class Auth_OpenID_DiffieHellmanSHA256ServerSession - extends Auth_OpenID_DiffieHellmanSHA1ServerSession { - - var $session_type = 'DH-SHA256'; - var $hash_func = 'Auth_OpenID_SHA256'; - var $allowed_assoc_types = array('HMAC-SHA256'); - - static function fromMessage($message) - { - $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message); - - if (is_a($result, 'Auth_OpenID_ServerError')) { - return $result; - } else { - list($dh, $consumer_pubkey) = $result; - return new Auth_OpenID_DiffieHellmanSHA256ServerSession($dh, - $consumer_pubkey); - } - } -} - -/** - * A request to associate with the server. - * - * @package OpenID - */ -class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { - var $mode = "associate"; - - static function getSessionClasses() - { - return array( - 'no-encryption' => 'Auth_OpenID_PlainTextServerSession', - 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ServerSession', - 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ServerSession'); - } - - function Auth_OpenID_AssociateRequest($session, $assoc_type) - { - $this->session = $session; - $this->namespace = Auth_OpenID_OPENID2_NS; - $this->assoc_type = $assoc_type; - } - - static function fromMessage($message, $server=null) - { - if ($message->isOpenID1()) { - $session_type = $message->getArg(Auth_OpenID_OPENID_NS, - 'session_type'); - - if ($session_type == 'no-encryption') { - // oidutil.log('Received OpenID 1 request with a no-encryption ' - // 'assocaition session type. Continuing anyway.') - } else if (!$session_type) { - $session_type = 'no-encryption'; - } - } else { - $session_type = $message->getArg(Auth_OpenID_OPENID_NS, - 'session_type'); - if ($session_type === null) { - return new Auth_OpenID_ServerError($message, - "session_type missing from request"); - } - } - - $session_class = Auth_OpenID::arrayGet( - Auth_OpenID_AssociateRequest::getSessionClasses(), - $session_type); - - if ($session_class === null) { - return new Auth_OpenID_ServerError($message, - "Unknown session type " . - $session_type); - } - - $session = call_user_func(array($session_class, 'fromMessage'), - $message); - if (is_a($session, 'Auth_OpenID_ServerError')) { - return $session; - } - - $assoc_type = $message->getArg(Auth_OpenID_OPENID_NS, - 'assoc_type', 'HMAC-SHA1'); - - if (!in_array($assoc_type, $session->allowed_assoc_types)) { - $fmt = "Session type %s does not support association type %s"; - return new Auth_OpenID_ServerError($message, - sprintf($fmt, $session_type, $assoc_type)); - } - - $obj = new Auth_OpenID_AssociateRequest($session, $assoc_type); - $obj->message = $message; - $obj->namespace = $message->getOpenIDNamespace(); - return $obj; - } - - function answer($assoc) - { - $response = new Auth_OpenID_ServerResponse($this); - $response->fields->updateArgs(Auth_OpenID_OPENID_NS, - array( - 'expires_in' => sprintf('%d', $assoc->getExpiresIn()), - 'assoc_type' => $this->assoc_type, - 'assoc_handle' => $assoc->handle)); - - $response->fields->updateArgs(Auth_OpenID_OPENID_NS, - $this->session->answer($assoc->secret)); - - if (! ($this->session->session_type == 'no-encryption' - && $this->message->isOpenID1())) { - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'session_type', - $this->session->session_type); - } - - return $response; - } - - function answerUnsupported($text_message, - $preferred_association_type=null, - $preferred_session_type=null) - { - if ($this->message->isOpenID1()) { - return new Auth_OpenID_ServerError($this->message); - } - - $response = new Auth_OpenID_ServerResponse($this); - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'error_code', 'unsupported-type'); - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'error', $text_message); - - if ($preferred_association_type) { - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'assoc_type', - $preferred_association_type); - } - - if ($preferred_session_type) { - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'session_type', - $preferred_session_type); - } - $response->code = AUTH_OPENID_HTTP_ERROR; - return $response; - } -} - -/** - * A request to confirm the identity of a user. - * - * @package OpenID - */ -class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { - /** - * Return-to verification callback. Default is - * Auth_OpenID_verifyReturnTo from TrustRoot.php. - */ - var $verifyReturnTo = 'Auth_OpenID_verifyReturnTo'; - - /** - * The mode of this request. - */ - var $mode = "checkid_setup"; // or "checkid_immediate" - - /** - * Whether this request is for immediate mode. - */ - var $immediate = false; - - /** - * The trust_root value for this request. - */ - var $trust_root = null; - - /** - * The OpenID namespace for this request. - * deprecated since version 2.0.2 - */ - var $namespace; - - static function make($message, $identity, $return_to, $trust_root = null, - $immediate = false, $assoc_handle = null, $server = null) - { - if ($server === null) { - return new Auth_OpenID_ServerError($message, - "server must not be null"); - } - - if ($return_to && - !Auth_OpenID_TrustRoot::_parse($return_to)) { - return new Auth_OpenID_MalformedReturnURL($message, $return_to); - } - - $r = new Auth_OpenID_CheckIDRequest($identity, $return_to, - $trust_root, $immediate, - $assoc_handle, $server); - - $r->namespace = $message->getOpenIDNamespace(); - $r->message = $message; - - if (!$r->trustRootValid()) { - return new Auth_OpenID_UntrustedReturnURL($message, - $return_to, - $trust_root); - } else { - return $r; - } - } - - function Auth_OpenID_CheckIDRequest($identity, $return_to, - $trust_root = null, $immediate = false, - $assoc_handle = null, $server = null, - $claimed_id = null) - { - $this->namespace = Auth_OpenID_OPENID2_NS; - $this->assoc_handle = $assoc_handle; - $this->identity = $identity; - if ($claimed_id === null) { - $this->claimed_id = $identity; - } else { - $this->claimed_id = $claimed_id; - } - $this->return_to = $return_to; - $this->trust_root = $trust_root; - $this->server = $server; - - if ($immediate) { - $this->immediate = true; - $this->mode = "checkid_immediate"; - } else { - $this->immediate = false; - $this->mode = "checkid_setup"; - } - } - - function equals($other) - { - return ( - (is_a($other, 'Auth_OpenID_CheckIDRequest')) && - ($this->namespace == $other->namespace) && - ($this->assoc_handle == $other->assoc_handle) && - ($this->identity == $other->identity) && - ($this->claimed_id == $other->claimed_id) && - ($this->return_to == $other->return_to) && - ($this->trust_root == $other->trust_root)); - } - - /* - * Does the relying party publish the return_to URL for this - * response under the realm? It is up to the provider to set a - * policy for what kinds of realms should be allowed. This - * return_to URL verification reduces vulnerability to data-theft - * attacks based on open proxies, corss-site-scripting, or open - * redirectors. - * - * This check should only be performed after making sure that the - * return_to URL matches the realm. - * - * @return true if the realm publishes a document with the - * return_to URL listed, false if not or if discovery fails - */ - function returnToVerified() - { - $fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); - return call_user_func_array($this->verifyReturnTo, - array($this->trust_root, $this->return_to, $fetcher)); - } - - static function fromMessage($message, $server) - { - $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); - $immediate = null; - - if ($mode == "checkid_immediate") { - $immediate = true; - $mode = "checkid_immediate"; - } else { - $immediate = false; - $mode = "checkid_setup"; - } - - $return_to = $message->getArg(Auth_OpenID_OPENID_NS, - 'return_to'); - - if (($message->isOpenID1()) && - (!$return_to)) { - $fmt = "Missing required field 'return_to' from checkid request"; - return new Auth_OpenID_ServerError($message, $fmt); - } - - $identity = $message->getArg(Auth_OpenID_OPENID_NS, - 'identity'); - $claimed_id = $message->getArg(Auth_OpenID_OPENID_NS, 'claimed_id'); - if ($message->isOpenID1()) { - if ($identity === null) { - $s = "OpenID 1 message did not contain openid.identity"; - return new Auth_OpenID_ServerError($message, $s); - } - } else { - if ($identity && !$claimed_id) { - $s = "OpenID 2.0 message contained openid.identity but not " . - "claimed_id"; - return new Auth_OpenID_ServerError($message, $s); - } else if ($claimed_id && !$identity) { - $s = "OpenID 2.0 message contained openid.claimed_id " . - "but not identity"; - return new Auth_OpenID_ServerError($message, $s); - } - } - - // There's a case for making self.trust_root be a TrustRoot - // here. But if TrustRoot isn't currently part of the - // "public" API, I'm not sure it's worth doing. - if ($message->isOpenID1()) { - $trust_root_param = 'trust_root'; - } else { - $trust_root_param = 'realm'; - } - $trust_root = $message->getArg(Auth_OpenID_OPENID_NS, - $trust_root_param); - if (! $trust_root) { - $trust_root = $return_to; - } - - if (! $message->isOpenID1() && - ($return_to === null) && - ($trust_root === null)) { - return new Auth_OpenID_ServerError($message, - "openid.realm required when openid.return_to absent"); - } - - $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, - 'assoc_handle'); - - $obj = Auth_OpenID_CheckIDRequest::make($message, - $identity, - $return_to, - $trust_root, - $immediate, - $assoc_handle, - $server); - - if (is_a($obj, 'Auth_OpenID_ServerError')) { - return $obj; - } - - $obj->claimed_id = $claimed_id; - - return $obj; - } - - function idSelect() - { - // Is the identifier to be selected by the IDP? - // So IDPs don't have to import the constant - return $this->identity == Auth_OpenID_IDENTIFIER_SELECT; - } - - function trustRootValid() - { - if (!$this->trust_root) { - return true; - } - - $tr = Auth_OpenID_TrustRoot::_parse($this->trust_root); - if ($tr === false) { - return new Auth_OpenID_MalformedTrustRoot($this->message, - $this->trust_root); - } - - if ($this->return_to !== null) { - return Auth_OpenID_TrustRoot::match($this->trust_root, - $this->return_to); - } else { - return true; - } - } - - /** - * Respond to this request. Return either an - * {@link Auth_OpenID_ServerResponse} or - * {@link Auth_OpenID_ServerError}. - * - * @param bool $allow Allow this user to claim this identity, and - * allow the consumer to have this information? - * - * @param string $server_url DEPRECATED. Passing $op_endpoint to - * the {@link Auth_OpenID_Server} constructor makes this optional. - * - * When an OpenID 1.x immediate mode request does not succeed, it - * gets back a URL where the request may be carried out in a - * not-so-immediate fashion. Pass my URL in here (the fully - * qualified address of this server's endpoint, i.e. - * http://example.com/server), and I will use it as a base for the - * URL for a new request. - * - * Optional for requests where {@link $immediate} is false or - * $allow is true. - * - * @param string $identity The OP-local identifier to answer with. - * Only for use when the relying party requested identifier - * selection. - * - * @param string $claimed_id The claimed identifier to answer - * with, for use with identifier selection in the case where the - * claimed identifier and the OP-local identifier differ, - * i.e. when the claimed_id uses delegation. - * - * If $identity is provided but this is not, $claimed_id will - * default to the value of $identity. When answering requests - * that did not ask for identifier selection, the response - * $claimed_id will default to that of the request. - * - * This parameter is new in OpenID 2.0. - * - * @return mixed - */ - function answer($allow, $server_url = null, $identity = null, - $claimed_id = null) - { - if (!$this->return_to) { - return new Auth_OpenID_NoReturnToError(); - } - - if (!$server_url) { - if ((!$this->message->isOpenID1()) && - (!$this->server->op_endpoint)) { - return new Auth_OpenID_ServerError(null, - "server should be constructed with op_endpoint to " . - "respond to OpenID 2.0 messages."); - } - - $server_url = $this->server->op_endpoint; - } - - if ($allow) { - $mode = 'id_res'; - } else if ($this->message->isOpenID1()) { - if ($this->immediate) { - $mode = 'id_res'; - } else { - $mode = 'cancel'; - } - } else { - if ($this->immediate) { - $mode = 'setup_needed'; - } else { - $mode = 'cancel'; - } - } - - if (!$this->trustRootValid()) { - return new Auth_OpenID_UntrustedReturnURL(null, - $this->return_to, - $this->trust_root); - } - - $response = new Auth_OpenID_ServerResponse($this); - - if ($claimed_id && - ($this->message->isOpenID1())) { - return new Auth_OpenID_ServerError(null, - "claimed_id is new in OpenID 2.0 and not " . - "available for ".$this->namespace); - } - - if ($identity && !$claimed_id) { - $claimed_id = $identity; - } - - if ($allow) { - - if ($this->identity == Auth_OpenID_IDENTIFIER_SELECT) { - if (!$identity) { - return new Auth_OpenID_ServerError(null, - "This request uses IdP-driven identifier selection. " . - "You must supply an identifier in the response."); - } - - $response_identity = $identity; - $response_claimed_id = $claimed_id; - - } else if ($this->identity) { - if ($identity && - ($this->identity != $identity)) { - $fmt = "Request was for %s, cannot reply with identity %s"; - return new Auth_OpenID_ServerError(null, - sprintf($fmt, $this->identity, $identity)); - } - - $response_identity = $this->identity; - $response_claimed_id = $this->claimed_id; - } else { - if ($identity) { - return new Auth_OpenID_ServerError(null, - "This request specified no identity and " . - "you supplied ".$identity); - } - - $response_identity = null; - } - - if (($this->message->isOpenID1()) && - ($response_identity === null)) { - return new Auth_OpenID_ServerError(null, - "Request was an OpenID 1 request, so response must " . - "include an identifier."); - } - - $response->fields->updateArgs(Auth_OpenID_OPENID_NS, - array('mode' => $mode, - 'return_to' => $this->return_to, - 'response_nonce' => Auth_OpenID_mkNonce())); - - if (!$this->message->isOpenID1()) { - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'op_endpoint', $server_url); - } - - if ($response_identity !== null) { - $response->fields->setArg( - Auth_OpenID_OPENID_NS, - 'identity', - $response_identity); - if ($this->message->isOpenID2()) { - $response->fields->setArg( - Auth_OpenID_OPENID_NS, - 'claimed_id', - $response_claimed_id); - } - } - - } else { - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'mode', $mode); - - if ($this->immediate) { - if (($this->message->isOpenID1()) && - (!$server_url)) { - return new Auth_OpenID_ServerError(null, - 'setup_url is required for $allow=false \ - in OpenID 1.x immediate mode.'); - } - - $setup_request = new Auth_OpenID_CheckIDRequest( - $this->identity, - $this->return_to, - $this->trust_root, - false, - $this->assoc_handle, - $this->server, - $this->claimed_id); - $setup_request->message = $this->message; - - $setup_url = $setup_request->encodeToURL($server_url); - - if ($setup_url === null) { - return new Auth_OpenID_NoReturnToError(); - } - - $response->fields->setArg(Auth_OpenID_OPENID_NS, - 'user_setup_url', - $setup_url); - } - } - - return $response; - } - - function encodeToURL($server_url) - { - if (!$this->return_to) { - return new Auth_OpenID_NoReturnToError(); - } - - // Imported from the alternate reality where these classes are - // used in both the client and server code, so Requests are - // Encodable too. That's right, code imported from alternate - // realities all for the love of you, id_res/user_setup_url. - - $q = array('mode' => $this->mode, - 'identity' => $this->identity, - 'claimed_id' => $this->claimed_id, - 'return_to' => $this->return_to); - - if ($this->trust_root) { - if ($this->message->isOpenID1()) { - $q['trust_root'] = $this->trust_root; - } else { - $q['realm'] = $this->trust_root; - } - } - - if ($this->assoc_handle) { - $q['assoc_handle'] = $this->assoc_handle; - } - - $response = new Auth_OpenID_Message( - $this->message->getOpenIDNamespace()); - $response->updateArgs(Auth_OpenID_OPENID_NS, $q); - return $response->toURL($server_url); - } - - function getCancelURL() - { - if (!$this->return_to) { - return new Auth_OpenID_NoReturnToError(); - } - - if ($this->immediate) { - return new Auth_OpenID_ServerError(null, - "Cancel is not an appropriate \ - response to immediate mode \ - requests."); - } - - $response = new Auth_OpenID_Message( - $this->message->getOpenIDNamespace()); - $response->setArg(Auth_OpenID_OPENID_NS, 'mode', 'cancel'); - return $response->toURL($this->return_to); - } -} - -/** - * This class encapsulates the response to an OpenID server request. - * - * @package OpenID - */ -class Auth_OpenID_ServerResponse { - - function Auth_OpenID_ServerResponse($request) - { - $this->request = $request; - $this->fields = new Auth_OpenID_Message($this->request->namespace); - } - - function whichEncoding() - { - global $_Auth_OpenID_Request_Modes; - - if (in_array($this->request->mode, $_Auth_OpenID_Request_Modes)) { - if ($this->fields->isOpenID2() && - (strlen($this->encodeToURL()) > - Auth_OpenID_OPENID1_URL_LIMIT)) { - return Auth_OpenID_ENCODE_HTML_FORM; - } else { - return Auth_OpenID_ENCODE_URL; - } - } else { - return Auth_OpenID_ENCODE_KVFORM; - } - } - - /* - * Returns the form markup for this response. - * - * @return str - */ - function toFormMarkup($form_tag_attrs=null) - { - return $this->fields->toFormMarkup($this->request->return_to, - $form_tag_attrs); - } - - /* - * Returns an HTML document containing the form markup for this - * response that autosubmits with javascript. - */ - function toHTML() - { - return Auth_OpenID::autoSubmitHTML($this->toFormMarkup()); - } - - /* - * Returns True if this response's encoding is ENCODE_HTML_FORM. - * Convenience method for server authors. - * - * @return bool - */ - function renderAsForm() - { - return $this->whichEncoding() == Auth_OpenID_ENCODE_HTML_FORM; - } - - - function encodeToURL() - { - return $this->fields->toURL($this->request->return_to); - } - - function addExtension($extension_response) - { - $extension_response->toMessage($this->fields); - } - - function needsSigning() - { - return $this->fields->getArg(Auth_OpenID_OPENID_NS, - 'mode') == 'id_res'; - } - - function encodeToKVForm() - { - return $this->fields->toKVForm(); - } -} - -/** - * A web-capable response object which you can use to generate a - * user-agent response. - * - * @package OpenID - */ -class Auth_OpenID_WebResponse { - var $code = AUTH_OPENID_HTTP_OK; - var $body = ""; - - function Auth_OpenID_WebResponse($code = null, $headers = null, - $body = null) - { - if ($code) { - $this->code = $code; - } - - if ($headers !== null) { - $this->headers = $headers; - } else { - $this->headers = array(); - } - - if ($body !== null) { - $this->body = $body; - } - } -} - -/** - * Responsible for the signature of query data and the verification of - * OpenID signature values. - * - * @package OpenID - */ -class Auth_OpenID_Signatory { - - // = 14 * 24 * 60 * 60; # 14 days, in seconds - var $SECRET_LIFETIME = 1209600; - - // keys have a bogus server URL in them because the filestore - // really does expect that key to be a URL. This seems a little - // silly for the server store, since I expect there to be only one - // server URL. - var $normal_key = 'http://localhost/|normal'; - var $dumb_key = 'http://localhost/|dumb'; - - /** - * Create a new signatory using a given store. - */ - function Auth_OpenID_Signatory($store) - { - // assert store is not None - $this->store = $store; - } - - /** - * Verify, using a given association handle, a signature with - * signed key-value pairs from an HTTP request. - */ - function verify($assoc_handle, $message) - { - $assoc = $this->getAssociation($assoc_handle, true); - if (!$assoc) { - // oidutil.log("failed to get assoc with handle %r to verify sig %r" - // % (assoc_handle, sig)) - return false; - } - - return $assoc->checkMessageSignature($message); - } - - /** - * Given a response, sign the fields in the response's 'signed' - * list, and insert the signature into the response. - */ - function sign($response) - { - $signed_response = $response; - $assoc_handle = $response->request->assoc_handle; - - if ($assoc_handle) { - // normal mode - $assoc = $this->getAssociation($assoc_handle, false, false); - if (!$assoc || ($assoc->getExpiresIn() <= 0)) { - // fall back to dumb mode - $signed_response->fields->setArg(Auth_OpenID_OPENID_NS, - 'invalidate_handle', $assoc_handle); - $assoc_type = ($assoc ? $assoc->assoc_type : 'HMAC-SHA1'); - - if ($assoc && ($assoc->getExpiresIn() <= 0)) { - $this->invalidate($assoc_handle, false); - } - - $assoc = $this->createAssociation(true, $assoc_type); - } - } else { - // dumb mode. - $assoc = $this->createAssociation(true); - } - - $signed_response->fields = $assoc->signMessage( - $signed_response->fields); - return $signed_response; - } - - /** - * Make a new association. - */ - function createAssociation($dumb = true, $assoc_type = 'HMAC-SHA1') - { - $secret = Auth_OpenID_CryptUtil::getBytes( - Auth_OpenID_getSecretSize($assoc_type)); - - $uniq = base64_encode(Auth_OpenID_CryptUtil::getBytes(4)); - $handle = sprintf('{%s}{%x}{%s}', $assoc_type, intval(time()), $uniq); - - $assoc = Auth_OpenID_Association::fromExpiresIn( - $this->SECRET_LIFETIME, $handle, $secret, $assoc_type); - - if ($dumb) { - $key = $this->dumb_key; - } else { - $key = $this->normal_key; - } - - $this->store->storeAssociation($key, $assoc); - return $assoc; - } - - /** - * Given an association handle, get the association from the - * store, or return a ServerError or null if something goes wrong. - */ - function getAssociation($assoc_handle, $dumb, $check_expiration=true) - { - if ($assoc_handle === null) { - return new Auth_OpenID_ServerError(null, - "assoc_handle must not be null"); - } - - if ($dumb) { - $key = $this->dumb_key; - } else { - $key = $this->normal_key; - } - - $assoc = $this->store->getAssociation($key, $assoc_handle); - - if (($assoc !== null) && ($assoc->getExpiresIn() <= 0)) { - if ($check_expiration) { - $this->store->removeAssociation($key, $assoc_handle); - $assoc = null; - } - } - - return $assoc; - } - - /** - * Invalidate a given association handle. - */ - function invalidate($assoc_handle, $dumb) - { - if ($dumb) { - $key = $this->dumb_key; - } else { - $key = $this->normal_key; - } - $this->store->removeAssociation($key, $assoc_handle); - } -} - -/** - * Encode an {@link Auth_OpenID_ServerResponse} to an - * {@link Auth_OpenID_WebResponse}. - * - * @package OpenID - */ -class Auth_OpenID_Encoder { - - var $responseFactory = 'Auth_OpenID_WebResponse'; - - /** - * Encode an {@link Auth_OpenID_ServerResponse} and return an - * {@link Auth_OpenID_WebResponse}. - */ - function encode($response) - { - $cls = $this->responseFactory; - - $encode_as = $response->whichEncoding(); - if ($encode_as == Auth_OpenID_ENCODE_KVFORM) { - $wr = new $cls(null, null, $response->encodeToKVForm()); - if (is_a($response, 'Auth_OpenID_ServerError')) { - $wr->code = AUTH_OPENID_HTTP_ERROR; - } - } else if ($encode_as == Auth_OpenID_ENCODE_URL) { - $location = $response->encodeToURL(); - $wr = new $cls(AUTH_OPENID_HTTP_REDIRECT, - array('location' => $location)); - } else if ($encode_as == Auth_OpenID_ENCODE_HTML_FORM) { - $wr = new $cls(AUTH_OPENID_HTTP_OK, array(), - $response->toHTML()); - } else { - return new Auth_OpenID_EncodingError($response); - } - /* Allow the response to carry a custom error code (ex: for Association errors) */ - if(isset($response->code)) { - $wr->code = $response->code; - } - return $wr; - } -} - -/** - * An encoder which also takes care of signing fields when required. - * - * @package OpenID - */ -class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder { - - function Auth_OpenID_SigningEncoder($signatory) - { - $this->signatory = $signatory; - } - - /** - * Sign an {@link Auth_OpenID_ServerResponse} and return an - * {@link Auth_OpenID_WebResponse}. - */ - function encode($response) - { - // the isinstance is a bit of a kludge... it means there isn't - // really an adapter to make the interfaces quite match. - if (!is_a($response, 'Auth_OpenID_ServerError') && - $response->needsSigning()) { - - if (!$this->signatory) { - return new Auth_OpenID_ServerError(null, - "Must have a store to sign request"); - } - - if ($response->fields->hasKey(Auth_OpenID_OPENID_NS, 'sig')) { - return new Auth_OpenID_AlreadySigned($response); - } - $response = $this->signatory->sign($response); - } - - return parent::encode($response); - } -} - -/** - * Decode an incoming query into an Auth_OpenID_Request. - * - * @package OpenID - */ -class Auth_OpenID_Decoder { - - function Auth_OpenID_Decoder($server) - { - $this->server = $server; - - $this->handlers = array( - 'checkid_setup' => 'Auth_OpenID_CheckIDRequest', - 'checkid_immediate' => 'Auth_OpenID_CheckIDRequest', - 'check_authentication' => 'Auth_OpenID_CheckAuthRequest', - 'associate' => 'Auth_OpenID_AssociateRequest' - ); - } - - /** - * Given an HTTP query in an array (key-value pairs), decode it - * into an Auth_OpenID_Request object. - */ - function decode($query) - { - if (!$query) { - return null; - } - - $message = Auth_OpenID_Message::fromPostArgs($query); - - if ($message === null) { - /* - * It's useful to have a Message attached to a - * ProtocolError, so we override the bad ns value to build - * a Message out of it. Kinda kludgy, since it's made of - * lies, but the parts that aren't lies are more useful - * than a 'None'. - */ - $old_ns = $query['openid.ns']; - - $query['openid.ns'] = Auth_OpenID_OPENID2_NS; - $message = Auth_OpenID_Message::fromPostArgs($query); - return new Auth_OpenID_ServerError( - $message, - sprintf("Invalid OpenID namespace URI: %s", $old_ns)); - } - - $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); - if (!$mode) { - return new Auth_OpenID_ServerError($message, - "No mode value in message"); - } - - if (Auth_OpenID::isFailure($mode)) { - return new Auth_OpenID_ServerError($message, - $mode->message); - } - - $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, - $this->defaultDecoder($message)); - - if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) { - return call_user_func_array(array($handlerCls, 'fromMessage'), - array($message, $this->server)); - } else { - return $handlerCls; - } - } - - function defaultDecoder($message) - { - $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); - - if (Auth_OpenID::isFailure($mode)) { - return new Auth_OpenID_ServerError($message, - $mode->message); - } - - return new Auth_OpenID_ServerError($message, - sprintf("Unrecognized OpenID mode %s", $mode)); - } -} - -/** - * An error that indicates an encoding problem occurred. - * - * @package OpenID - */ -class Auth_OpenID_EncodingError { - function Auth_OpenID_EncodingError($response) - { - $this->response = $response; - } -} - -/** - * An error that indicates that a response was already signed. - * - * @package OpenID - */ -class Auth_OpenID_AlreadySigned extends Auth_OpenID_EncodingError { - // This response is already signed. -} - -/** - * An error that indicates that the given return_to is not under the - * given trust_root. - * - * @package OpenID - */ -class Auth_OpenID_UntrustedReturnURL extends Auth_OpenID_ServerError { - function Auth_OpenID_UntrustedReturnURL($message, $return_to, - $trust_root) - { - parent::Auth_OpenID_ServerError($message, "Untrusted return_to URL"); - $this->return_to = $return_to; - $this->trust_root = $trust_root; - } - - function toString() - { - return sprintf("return_to %s not under trust_root %s", - $this->return_to, $this->trust_root); - } -} - -/** - * I handle requests for an OpenID server. - * - * Some types of requests (those which are not checkid requests) may - * be handed to my {@link handleRequest} method, and I will take care - * of it and return a response. - * - * For your convenience, I also provide an interface to {@link - * Auth_OpenID_Decoder::decode()} and {@link - * Auth_OpenID_SigningEncoder::encode()} through my methods {@link - * decodeRequest} and {@link encodeResponse}. - * - * All my state is encapsulated in an {@link Auth_OpenID_OpenIDStore}. - * - * Example: - * - * <pre> $oserver = new Auth_OpenID_Server(Auth_OpenID_FileStore($data_path), - * "http://example.com/op"); - * $request = $oserver->decodeRequest(); - * if (in_array($request->mode, array('checkid_immediate', - * 'checkid_setup'))) { - * if ($app->isAuthorized($request->identity, $request->trust_root)) { - * $response = $request->answer(true); - * } else if ($request->immediate) { - * $response = $request->answer(false); - * } else { - * $app->showDecidePage($request); - * return; - * } - * } else { - * $response = $oserver->handleRequest($request); - * } - * - * $webresponse = $oserver->encode($response);</pre> - * - * @package OpenID - */ -class Auth_OpenID_Server { - function Auth_OpenID_Server($store, $op_endpoint=null) - { - $this->store = $store; - $this->signatory = new Auth_OpenID_Signatory($this->store); - $this->encoder = new Auth_OpenID_SigningEncoder($this->signatory); - $this->decoder = new Auth_OpenID_Decoder($this); - $this->op_endpoint = $op_endpoint; - $this->negotiator = Auth_OpenID_getDefaultNegotiator(); - } - - /** - * Handle a request. Given an {@link Auth_OpenID_Request} object, - * call the appropriate {@link Auth_OpenID_Server} method to - * process the request and generate a response. - * - * @param Auth_OpenID_Request $request An {@link Auth_OpenID_Request} - * returned by {@link Auth_OpenID_Server::decodeRequest()}. - * - * @return Auth_OpenID_ServerResponse $response A response object - * capable of generating a user-agent reply. - */ - function handleRequest($request) - { - if (method_exists($this, "openid_" . $request->mode)) { - $handler = array($this, "openid_" . $request->mode); - return call_user_func($handler, &$request); - } - return null; - } - - /** - * The callback for 'check_authentication' messages. - */ - function openid_check_authentication($request) - { - return $request->answer($this->signatory); - } - - /** - * The callback for 'associate' messages. - */ - function openid_associate($request) - { - $assoc_type = $request->assoc_type; - $session_type = $request->session->session_type; - if ($this->negotiator->isAllowed($assoc_type, $session_type)) { - $assoc = $this->signatory->createAssociation(false, - $assoc_type); - return $request->answer($assoc); - } else { - $message = sprintf('Association type %s is not supported with '. - 'session type %s', $assoc_type, $session_type); - list($preferred_assoc_type, $preferred_session_type) = - $this->negotiator->getAllowedType(); - return $request->answerUnsupported($message, - $preferred_assoc_type, - $preferred_session_type); - } - } - - /** - * Encodes as response in the appropriate format suitable for - * sending to the user agent. - */ - function encodeResponse($response) - { - return $this->encoder->encode($response); - } - - /** - * Decodes a query args array into the appropriate - * {@link Auth_OpenID_Request} object. - */ - function decodeRequest($query=null) - { - if ($query === null) { - $query = Auth_OpenID::getQuery(); - } - - return $this->decoder->decode($query); - } -} - - |