diff options
Diffstat (limited to 'models/openid-php-openid-782224d/contrib')
4 files changed, 570 insertions, 0 deletions
diff --git a/models/openid-php-openid-782224d/contrib/google/php-openid-apps-discover-1.0.1.tar.gz b/models/openid-php-openid-782224d/contrib/google/php-openid-apps-discover-1.0.1.tar.gz Binary files differnew file mode 100644 index 000000000..e86fdbf1d --- /dev/null +++ b/models/openid-php-openid-782224d/contrib/google/php-openid-apps-discover-1.0.1.tar.gz diff --git a/models/openid-php-openid-782224d/contrib/signed_assertions/AP.php b/models/openid-php-openid-782224d/contrib/signed_assertions/AP.php new file mode 100644 index 000000000..a24265018 --- /dev/null +++ b/models/openid-php-openid-782224d/contrib/signed_assertions/AP.php @@ -0,0 +1,180 @@ +<?php + +/** + * Introduces the notion of an Attribute Provider that attests and signs + * attributes + * Uses OpenID Signed Assertions(Sxip draft) for attesting attributes + * PHP versions 4 and 5 + * + * LICENSE: See the COPYING file included in this distribution. + * + * @package OpenID + * @author Santosh Subramanian <subrasan@cs.sunysb.edu> + * @author Shishir Randive <srandive@cs.sunysb.edu> + * Stony Brook University. + * + */ +require_once 'Auth/OpenID/SAML.php'; +/** + * The Attribute_Provider class which signs the attribute,value pair + * for a given openid. + */ +class Attribute_Provider +{ + private $public_key_certificate=null; + private $private_key=null; + private $authenticatedUser=null; + private $notBefore=null; + private $notOnOrAfter=null; + private $rsadsa=null; + private $acsURI=null; + private $attribute=null; + private $value=null; + private $assertionTemplate=null; + /** + * Creates an Attribute_Provider object initialized with startup values. + * @param string $public_key_certificate - The public key certificate + of the signer. + * @param string $private_key - The private key of the signer. + * @param string $notBefore - Certificate validity time + * @param string $notOnOrAfter - Certificate validity time + * @param string $rsadsa - Choice of the algorithm (RSA/DSA) + * @param string $acsURI - URI of the signer. + * @param string $assertionTemplate - SAML template used for assertion + */ + function Attribute_Provider($public_key_certificate,$private_key,$notBefore,$notOnOrAfter,$rsadsa,$acsURI, + $assertionTemplate) + { + $this->public_key_certificate=$public_key_certificate; + $this->private_key=$private_key; + $this->notBefore=$notBefore; + $this->notOnOrAfter=$notOnOrAfter; + $this->rsadsa=$rsadsa; + $this->acsURI=$acsURI; + $this->assertionTemplate=$assertionTemplate; + } + /** + * Create the signed assertion. + * @param string $openid - Openid of the entity being asserted. + * @param string $attribute - The attribute name being asserted. + * @param string $value - The attribute value being asserted. + */ + function sign($openid,$attribute,$value) + { + $samlObj = new SAML(); + $responseXmlString = $samlObj->createSamlAssertion($openid, + $this->notBefore, + $this->notOnOrAfter, + $this->rsadsa, + $this->acsURI, + $attribute, + sha1($value), + $this->assertionTemplate); + $signedAssertion=$samlObj->signAssertion($responseXmlString, + $this->private_key, + $this->public_key_certificate); + return $signedAssertion; + } +} +/** + * The Attribute_Verifier class which verifies the signed assertion at the Relying party. + */ +class Attribute_Verifier +{ + /** + * The certificate the Relying party trusts. + */ + private $rootcert; + /** + * This function loads the public key certificate that the relying party trusts. + * @param string $cert - Trusted public key certificate. + */ + function load_trusted_root_cert($cert) + { + $this->rootcert=$cert; + } + /** + * Verifies the certificate given the SAML document. + * @param string - signed SAML assertion + * return @boolean - true if verification is successful, false if unsuccessful. + */ + function verify($responseXmlString) + { + $samlObj = new SAML(); + $ret = $samlObj->verifyAssertion($responseXmlString,$this->rootcert); + return $ret; + } +} + +/** + * This is a Store Request creating class at the Attribute Provider. + */ +class AP_OP_StoreRequest +{ + /** + * Creates store request and adds it as an extension to AuthRequest object + passed to it. + * @param &Auth_OpenID_AuthRequest &$auth_request - A reference to + the AuthRequest object. + * @param &Attribute_Provider &$attributeProvider - A reference to the + Attribute Provider object. + * @param string $attribute - The attribute name being asserted. + * @param string $value - The attribute value being asserted. + * @param string $openid - Openid of the entity being asserted. + * @return &Auth_OpenID_AuthRequest - Auth_OpenID_AuthRequest object + returned with StoreRequest extension. + */ + static function createStoreRequest(&$auth_request,&$attributeProvider, + $attribute,$value,$openid) + { + if(!$auth_request){ + return null; + } + $signedAssertion=$attributeProvider->sign($openid,$attribute,$value); + $store_request=new Auth_OpenID_AX_StoreRequest; + $store_request->addValue($attribute,base64_encode($value)); + $store_request->addValue($attribute.'/signature', + base64_encode($signedAssertion)); + if($store_request) { + $auth_request->addExtension($store_request); + return $auth_request; + } + } +} + +/* + *This is implemented at the RP Takes care of getting the attribute from the + *AX_Fetch_Response object and verifying it. + */ +class RP_OP_Verify +{ + /** + * Verifies a given signed assertion. + * @param &Attribute_Verifier &$attributeVerifier - An instance of the class + passed for the verification. + * @param Auth_OpenID_Response - Response object for extraction. + * @return boolean - true if successful, false if verification fails. + */ + function verifyAssertion(&$attributeVerifier,$response) + { + $ax_resp=Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response); + if($ax_resp instanceof Auth_OpenID_AX_FetchResponse){ + $ax_args=$ax_resp->getExtensionArgs(); + if($ax_args) { + $value=base64_decode($ax_args['value.ext1.1']); + if($attributeVerifier->verify($value)){ + return base64_decode($ax_args['value.ext0.1']); + } else { + return null; + } + } else { + return null; + } + } else { + return null; + } + } +} + + +?> diff --git a/models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php b/models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php new file mode 100644 index 000000000..fa6df51f6 --- /dev/null +++ b/models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php @@ -0,0 +1,220 @@ +<?php +/** + ** PHP versions 4 and 5 + ** + ** LICENSE: See the COPYING file included in this distribution. + ** + ** @package OpenID + ** @author Santosh Subramanian <subrasan@cs.sunysb.edu> + ** @author Shishir Randive <srandive@cs.sunysb.edu> + ** Stony Brook University. + ** largely derived from + ** + * Copyright (C) 2007 Google Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + **/ + +class SAML{ + private $assertionTemplate=null; + /** + * Returns a SAML response with various elements filled in. + * @param string $authenticatedUser The OpenId of the user + * @param string $notBefore The ISO 8601 formatted date before which the + response is invalid + * @param string $notOnOrAfter The ISO 8601 formatted data after which the + response is invalid + * @param string $rsadsa 'rsa' if the response will be signed with RSA keys, + 'dsa' for DSA keys + * @param string $requestID The ID of the request we're responding to + * @param string $destination The ACS URL that the response is submitted to + * @return string XML SAML response. + */ + function createSamlAssertion($authenticatedUser, $notBefore, $notOnOrAfter, $rsadsa, $acsURI,$attribute,$value,$assertionTemplate) + { + $samlResponse = $assertionTemplate; + $samlResponse = str_replace('USERNAME_STRING', $authenticatedUser, $samlResponse); + $samlResponse = str_replace('RESPONSE_ID', $this->samlCreateId(), $samlResponse); + $samlResponse = str_replace('ISSUE_INSTANT', $this->samlGetDateTime(time()), $samlResponse); + $samlResponse = str_replace('NOT_BEFORE', $this->samlGetDateTime(strtotime($notBefore)), $samlResponse); + $samlResponse = str_replace('NOT_ON_OR_AFTER', $this->samlGetDateTime(strtotime($notOnOrAfter)),$samlResponse); + $samlResponse = str_replace('ASSERTION_ID',$this->samlCreateId(), $samlResponse); + $samlResponse = str_replace('RSADSA', strtolower($rsadsa), $samlResponse); + $samlResponse = str_replace('ISSUER_DOMAIN', $acsURI, $samlResponse); + $samlResponse = str_replace('ATTRIBUTE_NAME', $attribute, $samlResponse); + $samlResponse = str_replace('ATTRIBUTE_VALUE', $value, $samlResponse); + return $samlResponse; + } + + /** + * Signs a SAML response with the given private key, and embeds the public key. + * @param string $responseXmlString The unsigned Assertion which will be signed + * @param string $priKey Private key to sign the certificate + * @param string $cert Public key certificate of signee + * @return string Signed Assertion + */ + function signAssertion($responseXmlString,$privKey,$cert) + { + if (file_exists("/tmp/xml")) { + $tempFileDir="/tmp/xml/"; + + } else { + mkdir("/tmp/xml",0777); + $tempFileDir="/tmp/xml/"; + } + $tempName = 'saml-response-' . $this->samlCreateId() . '.xml'; + $tempFileName=$tempFileDir.$tempName; + while (file_exists($tempFileName)) + $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml'; + + if (!$handle = fopen($tempFileName, 'w')) { + return null; + } + if (fwrite($handle, $responseXmlString) === false) { + return null; + } + fclose($handle); + $cmd = 'xmlsec1 --sign --privkey-pem ' . $privKey . + ',' . $cert . ' --output ' . $tempFileName . + '.out ' . $tempFileName; + exec($cmd, $resp); + unlink($tempFileName); + + $xmlResult = @file_get_contents($tempFileName . '.out'); + if (!$xmlResult) { + return null; + } else { + unlink($tempFileName . '.out'); + return $xmlResult; + } + } + + + /** + * Verify a saml response with the given public key. + * @param string $responseXmlString Response to sign + * @param string $rootcert trusted public key certificate + * @return string Signed SAML response + */ + function verifyAssertion($responseXmlString,$rootcert) + { + date_default_timezone_set("UTC"); + if (file_exists("/tmp/xml")) { + $tempFileDir="/tmp/xml/"; + + } else { + mkdir("/tmp/xml",0777); + $tempFileDir="/tmp/xml/"; + } + + $tempName = 'saml-response-' . $this->samlCreateId() . '.xml'; + $tempFileName=$tempFileDir.$tempName; + while (file_exists($tempFileName)) + $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml'; + + if (!$handle = fopen($tempFileName, 'w')) { + return false; + } + + if (fwrite($handle, $responseXmlString) === false) { + return false; + } + + $p=xml_parser_create(); + $result=xml_parse_into_struct($p,$responseXmlString,$vals,$index); + xml_parser_free($p); + $cert_info=$index["X509CERTIFICATE"]; + $conditions=$index["CONDITIONS"]; + foreach($cert_info as $key=>$value){ + file_put_contents($tempFileName.'.cert',$vals[$value]['value']); + } + $cert=$tempFileName.'.cert'; + $before=0; + $after=0; + foreach($conditions as $key=>$value){ + $before=$vals[$value]['attributes']['NOTBEFORE']; + $after=$vals[$value]['attributes']['NOTONORAFTER']; + } + $before=$this->validSamlDateFormat($before); + $after=$this->validSamlDateFormat($after); + if(strtotime("now") < $before || strtotime("now") >= $after){ + unlink($tempFileName); + unlink($cert); + return false; + } + fclose($handle); + $cmd = 'xmlsec1 --verify --pubkey-cert ' . $cert .'--trusted '.$rootcert. ' '.$tempFileName.'* 2>&1 1>/dev/null'; + exec($cmd,$resp); + if(strcmp($resp[0],"FAIL") == 0){ + $value = false; + }elseif(strcmp($resp[0],"ERROR") == 0){ + $value = false; + }elseif(strcmp($resp[0],"OK") == 0){ + $value = TRUE; + } + unlink($tempFileName); + unlink($cert); + return $value; + } + + /** + * Creates a 40-character string containing 160-bits of pseudorandomness. + * @return string Containing pseudorandomness of 160 bits + */ + + function samlCreateId() + { + $rndChars = 'abcdefghijklmnop'; + $rndId = ''; + for ($i = 0; $i < 40; $i++ ) { + $rndId .= $rndChars[rand(0,strlen($rndChars)-1)]; + } + return $rndId; + } + + /** + * Returns a unix timestamp in xsd:dateTime format. + * @param timestamp int UNIX Timestamp to convert to xsd:dateTime + * ISO 8601 format. + * @return string + */ + function samlGetDateTime($timestamp) + { + return gmdate('Y-m-d\TH:i:s\Z', $timestamp); + } + /** + * Attempts to check whether a SAML date is valid. Returns true or false. + * @param string $samlDate + * @return bool + */ + + function validSamlDateFormat($samlDate) + { + if ($samlDate == "") return false; + $indexT = strpos($samlDate, 'T'); + $indexZ = strpos($samlDate, 'Z'); + if (($indexT != 10) || ($indexZ != 19)) { + return false; + } + $dateString = substr($samlDate, 0, 10); + $timeString = substr($samlDate, $indexT + 1, 8); + list($year, $month, $day) = explode('-', $dateString); + list($hour, $minute, $second) = explode(':', $timeString); + $parsedDate = gmmktime($hour, $minute, $second, $month, $day, $year); + if (($parsedDate === false) || ($parsedDate == -1)) return false; + if (!checkdate($month, $day, $year)) return false; + return $parsedDate; + } + +} +?> diff --git a/models/openid-php-openid-782224d/contrib/upgrade-store-1.1-to-2.0 b/models/openid-php-openid-782224d/contrib/upgrade-store-1.1-to-2.0 new file mode 100644 index 000000000..1f587c357 --- /dev/null +++ b/models/openid-php-openid-782224d/contrib/upgrade-store-1.1-to-2.0 @@ -0,0 +1,170 @@ +#!/usr/bin/env python +# SQL Store Upgrade Script +# for version 1.x to 2.0 of the OpenID library. +# Doesn't depend on the openid library, so you can run this python +# script to update databases for ruby or PHP as well. +# +# Testers note: +# +# A SQLite3 db with the 1.2 schema exists in +# openid/test/data/openid-1.2-consumer-sqlitestore.db if you want something +# to try upgrading. +# +# TODO: +# * test data for mysql and postgresql. +# * automated tests. + +import os +import getpass +import sys +from optparse import OptionParser + + +def askForPassword(): + return getpass.getpass("DB Password: ") + +def askForConfirmation(dbname,tablename): + print """The table %s from the database %s will be dropped, and + an empty table with the new nonce table schema will replace it."""%( + tablename, dbname) + return raw_input("Continue? ").lower().strip().startswith('y') + +def doSQLiteUpgrade(db_conn, nonce_table_name='oid_nonces'): + cur = db_conn.cursor() + cur.execute('DROP TABLE %s'%nonce_table_name) + sql = """ + CREATE TABLE %s ( + server_url VARCHAR, + timestamp INTEGER, + salt CHAR(40), + UNIQUE(server_url, timestamp, salt) + ); + """%nonce_table_name + cur.execute(sql) + cur.close() + +def doMySQLUpgrade(db_conn, nonce_table_name='oid_nonces'): + cur = db_conn.cursor() + cur.execute('DROP TABLE %s'%nonce_table_name) + sql = """ + CREATE TABLE %s ( + server_url BLOB, + timestamp INTEGER, + salt CHAR(40), + PRIMARY KEY (server_url(255), timestamp, salt) + ) + TYPE=InnoDB; + """%nonce_table_name + cur.execute(sql) + cur.close() + +def doPostgreSQLUpgrade(db_conn, nonce_table_name='oid_nonces'): + cur = db_conn.cursor() + cur.execute('DROP TABLE %s'%nonce_table_name) + sql = """ + CREATE TABLE %s ( + server_url VARCHAR(2047), + timestamp INTEGER, + salt CHAR(40), + PRIMARY KEY (server_url, timestamp, salt) + ); + """%nonce_table_name + cur.execute(sql) + cur.close() + db_conn.commit() + +def main(argv=None): + parser = OptionParser() + parser.add_option("-u", "--user", dest="username", + default=os.environ.get('USER'), + help="User name to use to connect to the DB. " + "Defaults to USER environment variable.") + parser.add_option('-t', '--table', dest='tablename', default='oid_nonces', + help='The name of the nonce table to drop and recreate. ' + ' Defaults to "oid_nonces", the default table name for ' + 'the openid stores.') + parser.add_option('--mysql', dest='mysql_db_name', + help='Upgrade a table from this MySQL database. ' + 'Requires username for database.') + parser.add_option('--pg', '--postgresql', dest='postgres_db_name', + help='Upgrade a table from this PostgreSQL database. ' + 'Requires username for database.') + parser.add_option('--sqlite', dest='sqlite_db_name', + help='Upgrade a table from this SQLite database file.') + parser.add_option('--host', dest='db_host', + default='localhost', + help='Host on which to find MySQL or PostgreSQL DB.') + (options, args) = parser.parse_args(argv) + + db_conn = None + + if options.sqlite_db_name: + try: + from pysqlite2 import dbapi2 as sqlite + except ImportError: + print "You must have pysqlite2 installed in your PYTHONPATH." + return 1 + try: + db_conn = sqlite.connect(options.sqlite_db_name) + except Exception, e: + print "Could not connect to SQLite database:", str(e) + return 1 + + if askForConfirmation(options.sqlite_db_name, options.tablename): + doSQLiteUpgrade(db_conn, nonce_table_name=options.tablename) + + if options.postgres_db_name: + if not options.username: + print "A username is required to open a PostgreSQL Database." + return 1 + password = askForPassword() + try: + import psycopg + except ImportError: + print "You need psycopg installed to update a postgres DB." + return 1 + + try: + db_conn = psycopg.connect(database = options.postgres_db_name, + user = options.username, + host = options.db_host, + password = password) + except Exception, e: + print "Could not connect to PostgreSQL database:", str(e) + return 1 + + if askForConfirmation(options.postgres_db_name, options.tablename): + doPostgreSQLUpgrade(db_conn, nonce_table_name=options.tablename) + + if options.mysql_db_name: + if not options.username: + print "A username is required to open a MySQL Database." + return 1 + password = askForPassword() + try: + import MySQLdb + except ImportError: + print "You must have MySQLdb installed to update a MySQL DB." + return 1 + + try: + db_conn = MySQLdb.connect(options.db_host, options.username, + password, options.mysql_db_name) + except Exception, e: + print "Could not connect to MySQL database:", str(e) + return 1 + + if askForConfirmation(options.mysql_db_name, options.tablename): + doMySQLUpgrade(db_conn, nonce_table_name=options.tablename) + + if db_conn: + db_conn.close() + else: + parser.print_help() + + return 0 + + +if __name__ == '__main__': + retval = main() + sys.exit(retval) |