From d9bf22a0e29c2a70049443a0ae8521a2c0492c8b Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sun, 11 Dec 2011 06:38:23 -0500 Subject: initial commit for git repository --- CHANGES.txt | 3 + README.txt | 46 + actions/admin.php | 34 + actions/login.php | 4 + actions/missing.php | 54 + actions/sync.php | 57 + graphics/login-bg.gif | Bin 0 -> 237 bytes graphics/openid.jpg | Bin 0 -> 1117 bytes languages/en.php | 119 + manifest.xml | 9 + models/Auth.old/OpenID.php | 576 +++++ models/Auth.old/OpenID/AX.php | 1013 ++++++++ models/Auth.old/OpenID/Association.php | 613 +++++ models/Auth.old/OpenID/BigMath.php | 471 ++++ models/Auth.old/OpenID/Consumer.php | 2189 +++++++++++++++++ models/Auth.old/OpenID/CryptUtil.php | 113 + models/Auth.old/OpenID/DatabaseConnection.php | 131 + models/Auth.old/OpenID/DiffieHellman.php | 112 + models/Auth.old/OpenID/Discover.php | 547 +++++ models/Auth.old/OpenID/DumbStore.php | 100 + models/Auth.old/OpenID/Extension.php | 58 + models/Auth.old/OpenID/FileStore.php | 618 +++++ models/Auth.old/OpenID/HMACSHA1.php | 99 + models/Auth.old/OpenID/Interface.php | 197 ++ models/Auth.old/OpenID/KVForm.php | 112 + models/Auth.old/OpenID/MemcachedStore.php | 207 ++ models/Auth.old/OpenID/Message.php | 895 +++++++ models/Auth.old/OpenID/MySQLStore.php | 77 + models/Auth.old/OpenID/Nonce.php | 109 + models/Auth.old/OpenID/PAPE.php | 311 +++ models/Auth.old/OpenID/Parse.php | 352 +++ models/Auth.old/OpenID/PostgreSQLStore.php | 107 + models/Auth.old/OpenID/SQLStore.php | 569 +++++ models/Auth.old/OpenID/SQLiteStore.php | 71 + models/Auth.old/OpenID/SReg.php | 521 ++++ models/Auth.old/OpenID/Server.php | 1698 +++++++++++++ models/Auth.old/OpenID/ServerRequest.php | 37 + models/Auth.old/OpenID/TrustRoot.php | 410 ++++ models/Auth.old/OpenID/URINorm.php | 231 ++ models/Auth.old/Yadis/HTTPFetcher.php | 114 + models/Auth.old/Yadis/Manager.php | 529 ++++ models/Auth.old/Yadis/Misc.php | 59 + models/Auth.old/Yadis/ParanoidHTTPFetcher.php | 203 ++ models/Auth.old/Yadis/ParseHTML.php | 259 ++ models/Auth.old/Yadis/PlainHTTPFetcher.php | 250 ++ models/Auth.old/Yadis/XML.php | 374 +++ models/Auth.old/Yadis/XRDS.php | 478 ++++ models/Auth.old/Yadis/XRI.php | 234 ++ models/Auth.old/Yadis/XRIRes.php | 72 + models/Auth.old/Yadis/Yadis.php | 337 +++ models/Auth/OpenID.php | 563 +++++ models/Auth/OpenID/AX.php | 1022 ++++++++ models/Auth/OpenID/Association.php | 610 +++++ models/Auth/OpenID/BigMath.php | 452 ++++ models/Auth/OpenID/Consumer.php | 2230 +++++++++++++++++ models/Auth/OpenID/CryptUtil.php | 108 + models/Auth/OpenID/DatabaseConnection.php | 130 + models/Auth/OpenID/DiffieHellman.php | 113 + models/Auth/OpenID/Discover.php | 606 +++++ models/Auth/OpenID/DumbStore.php | 99 + models/Auth/OpenID/Extension.php | 61 + models/Auth/OpenID/FileStore.php | 618 +++++ models/Auth/OpenID/HMAC.php | 98 + models/Auth/OpenID/Interface.php | 196 ++ models/Auth/OpenID/KVForm.php | 111 + models/Auth/OpenID/MDB2Store.php | 413 ++++ models/Auth/OpenID/MemcachedStore.php | 207 ++ models/Auth/OpenID/Message.php | 920 +++++++ models/Auth/OpenID/MySQLStore.php | 77 + models/Auth/OpenID/Nonce.php | 108 + models/Auth/OpenID/PAPE.php | 300 +++ models/Auth/OpenID/Parse.php | 377 +++ models/Auth/OpenID/PostgreSQLStore.php | 112 + models/Auth/OpenID/SQLStore.php | 557 +++++ models/Auth/OpenID/SQLiteStore.php | 70 + models/Auth/OpenID/SReg.php | 521 ++++ models/Auth/OpenID/Server.php | 1765 ++++++++++++++ models/Auth/OpenID/ServerRequest.php | 36 + models/Auth/OpenID/TrustRoot.php | 461 ++++ models/Auth/OpenID/URINorm.php | 249 ++ models/Auth/Yadis/HTTPFetcher.php | 174 ++ models/Auth/Yadis/Manager.php | 521 ++++ models/Auth/Yadis/Misc.php | 58 + models/Auth/Yadis/ParanoidHTTPFetcher.php | 245 ++ models/Auth/Yadis/ParseHTML.php | 258 ++ models/Auth/Yadis/PlainHTTPFetcher.php | 248 ++ models/Auth/Yadis/XML.php | 352 +++ models/Auth/Yadis/XRDS.php | 478 ++++ models/Auth/Yadis/XRI.php | 234 ++ models/Auth/Yadis/XRIRes.php | 72 + models/Auth/Yadis/Yadis.php | 382 +++ models/model.php | 701 ++++++ models/openid-php-openid-782224d/CHANGES-2.1.0 | 51 + models/openid-php-openid-782224d/COPYING | 202 ++ models/openid-php-openid-782224d/NEWS | 85 + models/openid-php-openid-782224d/README | 136 ++ models/openid-php-openid-782224d/README.Debian | 8 + models/openid-php-openid-782224d/README.git | 7 + .../Tests/Auth/OpenID/AX.php | 792 ++++++ .../Tests/Auth/OpenID/Association.php | 54 + .../Tests/Auth/OpenID/AssociationResponse.php | 377 +++ .../Tests/Auth/OpenID/AuthRequest.php | 299 +++ .../Tests/Auth/OpenID/BigMath.php | 234 ++ .../Tests/Auth/OpenID/Consumer.php | 2553 ++++++++++++++++++++ .../Tests/Auth/OpenID/CryptUtil.php | 54 + .../Tests/Auth/OpenID/DiffieHellman.php | 159 ++ .../Tests/Auth/OpenID/Discover_OpenID.php | 781 ++++++ .../Tests/Auth/OpenID/Extension.php | 44 + .../Tests/Auth/OpenID/HMAC.php | 165 ++ .../Tests/Auth/OpenID/KVForm.php | 260 ++ .../Tests/Auth/OpenID/MemStore.php | 176 ++ .../Tests/Auth/OpenID/Message.php | 1251 ++++++++++ .../Tests/Auth/OpenID/Negotiation.php | 346 +++ .../Tests/Auth/OpenID/Nonce.php | 166 ++ .../Tests/Auth/OpenID/OpenID_Yadis.php | 228 ++ .../Tests/Auth/OpenID/PAPE.php | 244 ++ .../Tests/Auth/OpenID/Parse.php | 185 ++ .../Tests/Auth/OpenID/RPVerify.php | 293 +++ .../Tests/Auth/OpenID/SReg.php | 672 ++++++ .../Tests/Auth/OpenID/Server.php | 2463 +++++++++++++++++++ .../Tests/Auth/OpenID/StoreTest.php | 755 ++++++ .../Tests/Auth/OpenID/TestUtil.php | 60 + .../Tests/Auth/OpenID/TrustRoot.php | 172 ++ .../Tests/Auth/OpenID/URINorm.php | 66 + .../Tests/Auth/OpenID/Util.php | 319 +++ .../Tests/Auth/OpenID/VerifyDisco.php | 422 ++++ .../Tests/Auth/OpenID/data/dhexch | 25 + .../Tests/Auth/OpenID/data/dhpriv | 29 + .../Tests/Auth/OpenID/data/hmac-sha1.txt | 49 + .../Tests/Auth/OpenID/data/hmac-sha256.txt | 29 + .../Tests/Auth/OpenID/data/linkparse.txt | 594 +++++ .../Tests/Auth/OpenID/data/n2b64 | 650 +++++ .../Tests/Auth/OpenID/data/openid.html | 11 + .../Auth/OpenID/data/test_discover_openid.html | 11 + .../Auth/OpenID/data/test_discover_openid2.html | 11 + .../OpenID/data/test_discover_openid2_xrds.xml | 12 + .../test_discover_openid2_xrds_no_local_id.xml | 11 + .../OpenID/data/test_discover_openid_1_and_2.html | 11 + .../data/test_discover_openid_1_and_2_xrds.xml | 16 + ...t_discover_openid_1_and_2_xrds_bad_delegate.xml | 17 + .../data/test_discover_openid_and_yadis.html | 12 + .../data/test_discover_openid_no_delegate.html | 10 + .../Auth/OpenID/data/test_discover_openid_ssl.xml | 19 + .../OpenID/data/test_discover_yadis_0entries.xml | 12 + .../data/test_discover_yadis_2_bad_local_id.xml | 15 + .../data/test_discover_yadis_2entries_delegate.xml | 22 + .../data/test_discover_yadis_2entries_idp.xml | 21 + .../data/test_discover_yadis_another_delegate.xml | 14 + .../Auth/OpenID/data/test_discover_yadis_idp.xml | 12 + .../data/test_discover_yadis_idp_delegate.xml | 13 + .../data/test_discover_yadis_no_delegate.xml | 11 + .../Tests/Auth/OpenID/data/trustroot.txt | 149 ++ .../Tests/Auth/OpenID/data/urinorm.txt | 87 + .../Tests/Auth/Yadis/DiscoverData.php | 152 ++ .../Tests/Auth/Yadis/Discover_Yadis.php | 230 ++ .../Tests/Auth/Yadis/ParseHTML.php | 86 + .../Tests/Auth/Yadis/TestUtil.php | 30 + .../Tests/Auth/Yadis/XRDS.php | 247 ++ .../Tests/Auth/Yadis/XRI.php | 142 ++ .../Tests/Auth/Yadis/Yadis.php | 88 + .../Tests/Auth/Yadis/data/README | 12 + .../Tests/Auth/Yadis/data/accept.txt | 118 + .../Tests/Auth/Yadis/data/brian.multi.xrds | 38 + .../Tests/Auth/Yadis/data/brian.multi_uri.xrds | 16 + .../Tests/Auth/Yadis/data/brian.xrds | 16 + .../Tests/Auth/Yadis/data/brian_priority.xrds | 22 + .../Auth/Yadis/data/delegated-20060809-r1.xrds | 34 + .../Auth/Yadis/data/delegated-20060809-r2.xrds | 34 + .../Tests/Auth/Yadis/data/delegated-20060809.xrds | 34 + .../Tests/Auth/Yadis/data/example-xrds.xml | 14 + .../Tests/Auth/Yadis/data/no-xrd.xml | 7 + .../Tests/Auth/Yadis/data/not-xrds.xml | 2 + .../Tests/Auth/Yadis/data/pip.xrds | 22 + .../Tests/Auth/Yadis/data/prefixsometimes.xrds | 34 + .../Tests/Auth/Yadis/data/ref.xrds | 109 + .../Tests/Auth/Yadis/data/sometimesprefix.xrds | 34 + .../Tests/Auth/Yadis/data/spoof1.xrds | 25 + .../Tests/Auth/Yadis/data/spoof2.xrds | 25 + .../Tests/Auth/Yadis/data/spoof3.xrds | 37 + .../Tests/Auth/Yadis/data/subsegments.xrds | 58 + .../Tests/Auth/Yadis/data/test1-discover.txt | 137 ++ .../Tests/Auth/Yadis/data/test1-parsehtml.txt | 149 ++ .../Tests/Auth/Yadis/data/test1-xrd.xml | 39 + .../Tests/Auth/Yadis/data/uri_priority.xrds | 16 + .../openid-php-openid-782224d/Tests/TestDriver.php | 202 ++ .../openid-php-openid-782224d/admin/adminutil.php | 30 + .../openid-php-openid-782224d/admin/brace_style.pl | 81 + models/openid-php-openid-782224d/admin/checkimport | 4 + .../openid-php-openid-782224d/admin/checkimports | 2 + .../openid-php-openid-782224d/admin/darcs-ignore | 3 + models/openid-php-openid-782224d/admin/docblocks | 15 + .../openid-php-openid-782224d/admin/docblocks.pl | 26 + models/openid-php-openid-782224d/admin/findallphp | 8 + models/openid-php-openid-782224d/admin/findglobals | 5 + models/openid-php-openid-782224d/admin/findphp | 8 + models/openid-php-openid-782224d/admin/fixperms | 15 + models/openid-php-openid-782224d/admin/gettlds.py | 47 + .../openid-php-openid-782224d/admin/library-name | 1 + .../openid-php-openid-782224d/admin/longlines.pl | 46 + models/openid-php-openid-782224d/admin/makedoc.sh | 5 + models/openid-php-openid-782224d/admin/mathlib | 18 + models/openid-php-openid-782224d/admin/nobadbraces | 4 + models/openid-php-openid-782224d/admin/nobadcase | 14 + models/openid-php-openid-782224d/admin/nolonglines | 14 + models/openid-php-openid-782224d/admin/notabs | 16 + models/openid-php-openid-782224d/admin/open_tag | 17 + .../openid-php-openid-782224d/admin/otb_test.php | 20 + models/openid-php-openid-782224d/admin/package.xml | 24 + .../openid-php-openid-782224d/admin/package2.xml | 74 + .../openid-php-openid-782224d/admin/packagexml.py | 155 ++ .../openid-php-openid-782224d/admin/phpaliases.py | 119 + .../admin/prepare-release | 12 + models/openid-php-openid-782224d/admin/runtests | 71 + models/openid-php-openid-782224d/admin/syntaxcheck | 5 + .../openid-php-openid-782224d/admin/texttest.php | 197 ++ .../admin/tutorials/OpenID/OpenID.pkg | 78 + models/openid-php-openid-782224d/admin/webtest.php | 12 + .../openid-php-openid-782224d/admin/xmlconfig.py | 55 + .../google/php-openid-apps-discover-1.0.1.tar.gz | Bin 0 -> 87918 bytes .../contrib/signed_assertions/AP.php | 180 ++ .../contrib/signed_assertions/SAML.php | 220 ++ .../contrib/upgrade-store-1.1-to-2.0 | 170 ++ models/openid-php-openid-782224d/examples/README | 134 + .../examples/consumer/common.php | 97 + .../examples/consumer/finish_auth.php | 98 + .../examples/consumer/index.php | 73 + .../examples/consumer/try_auth.php | 83 + .../openid-php-openid-782224d/examples/detect.php | 536 ++++ .../examples/discover.php | 100 + .../examples/server/index.php | 5 + .../examples/server/lib/actions.php | 164 ++ .../examples/server/lib/common.php | 95 + .../examples/server/lib/render.php | 114 + .../examples/server/lib/render/about.php | 47 + .../examples/server/lib/render/idpXrds.php | 32 + .../examples/server/lib/render/idpage.php | 31 + .../examples/server/lib/render/login.php | 65 + .../examples/server/lib/render/trust.php | 56 + .../examples/server/lib/render/userXrds.php | 34 + .../examples/server/lib/session.php | 178 ++ .../examples/server/openid-server.css | 74 + .../examples/server/server.php | 48 + .../examples/server/setup.php | 558 +++++ pages/admin.php | 27 + pages/confirm.php | 46 + pages/reset.php | 12 + pages/sso.php | 52 + return.php | 210 ++ start.php | 88 + views/default/openid_client/css.php | 46 + views/default/openid_client/forms/admin.php | 99 + views/default/openid_client/forms/login.php | 57 + views/default/openid_client/forms/missing.php | 73 + views/default/openid_client/forms/sync.php | 86 + 254 files changed, 56042 insertions(+) create mode 100644 CHANGES.txt create mode 100644 README.txt create mode 100644 actions/admin.php create mode 100644 actions/login.php create mode 100644 actions/missing.php create mode 100644 actions/sync.php create mode 100644 graphics/login-bg.gif create mode 100644 graphics/openid.jpg create mode 100644 languages/en.php create mode 100644 manifest.xml create mode 100644 models/Auth.old/OpenID.php create mode 100644 models/Auth.old/OpenID/AX.php create mode 100644 models/Auth.old/OpenID/Association.php create mode 100644 models/Auth.old/OpenID/BigMath.php create mode 100644 models/Auth.old/OpenID/Consumer.php create mode 100644 models/Auth.old/OpenID/CryptUtil.php create mode 100644 models/Auth.old/OpenID/DatabaseConnection.php create mode 100644 models/Auth.old/OpenID/DiffieHellman.php create mode 100644 models/Auth.old/OpenID/Discover.php create mode 100644 models/Auth.old/OpenID/DumbStore.php create mode 100644 models/Auth.old/OpenID/Extension.php create mode 100644 models/Auth.old/OpenID/FileStore.php create mode 100644 models/Auth.old/OpenID/HMACSHA1.php create mode 100644 models/Auth.old/OpenID/Interface.php create mode 100644 models/Auth.old/OpenID/KVForm.php create mode 100644 models/Auth.old/OpenID/MemcachedStore.php create mode 100644 models/Auth.old/OpenID/Message.php create mode 100644 models/Auth.old/OpenID/MySQLStore.php create mode 100644 models/Auth.old/OpenID/Nonce.php create mode 100644 models/Auth.old/OpenID/PAPE.php create mode 100644 models/Auth.old/OpenID/Parse.php create mode 100644 models/Auth.old/OpenID/PostgreSQLStore.php create mode 100644 models/Auth.old/OpenID/SQLStore.php create mode 100644 models/Auth.old/OpenID/SQLiteStore.php create mode 100644 models/Auth.old/OpenID/SReg.php create mode 100644 models/Auth.old/OpenID/Server.php create mode 100644 models/Auth.old/OpenID/ServerRequest.php create mode 100644 models/Auth.old/OpenID/TrustRoot.php create mode 100644 models/Auth.old/OpenID/URINorm.php create mode 100644 models/Auth.old/Yadis/HTTPFetcher.php create mode 100644 models/Auth.old/Yadis/Manager.php create mode 100644 models/Auth.old/Yadis/Misc.php create mode 100644 models/Auth.old/Yadis/ParanoidHTTPFetcher.php create mode 100644 models/Auth.old/Yadis/ParseHTML.php create mode 100644 models/Auth.old/Yadis/PlainHTTPFetcher.php create mode 100644 models/Auth.old/Yadis/XML.php create mode 100644 models/Auth.old/Yadis/XRDS.php create mode 100644 models/Auth.old/Yadis/XRI.php create mode 100644 models/Auth.old/Yadis/XRIRes.php create mode 100644 models/Auth.old/Yadis/Yadis.php create mode 100644 models/Auth/OpenID.php create mode 100644 models/Auth/OpenID/AX.php create mode 100644 models/Auth/OpenID/Association.php create mode 100644 models/Auth/OpenID/BigMath.php create mode 100644 models/Auth/OpenID/Consumer.php create mode 100644 models/Auth/OpenID/CryptUtil.php create mode 100644 models/Auth/OpenID/DatabaseConnection.php create mode 100644 models/Auth/OpenID/DiffieHellman.php create mode 100644 models/Auth/OpenID/Discover.php create mode 100644 models/Auth/OpenID/DumbStore.php create mode 100644 models/Auth/OpenID/Extension.php create mode 100644 models/Auth/OpenID/FileStore.php create mode 100644 models/Auth/OpenID/HMAC.php create mode 100644 models/Auth/OpenID/Interface.php create mode 100644 models/Auth/OpenID/KVForm.php create mode 100644 models/Auth/OpenID/MDB2Store.php create mode 100644 models/Auth/OpenID/MemcachedStore.php create mode 100644 models/Auth/OpenID/Message.php create mode 100644 models/Auth/OpenID/MySQLStore.php create mode 100644 models/Auth/OpenID/Nonce.php create mode 100644 models/Auth/OpenID/PAPE.php create mode 100644 models/Auth/OpenID/Parse.php create mode 100644 models/Auth/OpenID/PostgreSQLStore.php create mode 100644 models/Auth/OpenID/SQLStore.php create mode 100644 models/Auth/OpenID/SQLiteStore.php create mode 100644 models/Auth/OpenID/SReg.php create mode 100644 models/Auth/OpenID/Server.php create mode 100644 models/Auth/OpenID/ServerRequest.php create mode 100644 models/Auth/OpenID/TrustRoot.php create mode 100644 models/Auth/OpenID/URINorm.php create mode 100644 models/Auth/Yadis/HTTPFetcher.php create mode 100644 models/Auth/Yadis/Manager.php create mode 100644 models/Auth/Yadis/Misc.php create mode 100644 models/Auth/Yadis/ParanoidHTTPFetcher.php create mode 100644 models/Auth/Yadis/ParseHTML.php create mode 100644 models/Auth/Yadis/PlainHTTPFetcher.php create mode 100644 models/Auth/Yadis/XML.php create mode 100644 models/Auth/Yadis/XRDS.php create mode 100644 models/Auth/Yadis/XRI.php create mode 100644 models/Auth/Yadis/XRIRes.php create mode 100644 models/Auth/Yadis/Yadis.php create mode 100644 models/model.php create mode 100644 models/openid-php-openid-782224d/CHANGES-2.1.0 create mode 100644 models/openid-php-openid-782224d/COPYING create mode 100644 models/openid-php-openid-782224d/NEWS create mode 100644 models/openid-php-openid-782224d/README create mode 100644 models/openid-php-openid-782224d/README.Debian create mode 100644 models/openid-php-openid-782224d/README.git create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/AX.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Association.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/AssociationResponse.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/AuthRequest.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/BigMath.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Consumer.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/CryptUtil.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/DiffieHellman.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Discover_OpenID.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Extension.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/HMAC.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/KVForm.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/MemStore.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Message.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Negotiation.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Nonce.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/OpenID_Yadis.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/PAPE.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Parse.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/RPVerify.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/SReg.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Server.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/StoreTest.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/TestUtil.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/TrustRoot.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/URINorm.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Util.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/VerifyDisco.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/dhexch create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/dhpriv create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/hmac-sha1.txt create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/hmac-sha256.txt create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/linkparse.txt create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/n2b64 create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/openid.html create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid.html create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2.html create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds_no_local_id.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2.html create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds_bad_delegate.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_and_yadis.html create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_no_delegate.html create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_ssl.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_0entries.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2_bad_local_id.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_delegate.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_idp.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_another_delegate.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp_delegate.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_no_delegate.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/trustroot.txt create mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/urinorm.txt create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/DiscoverData.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/Discover_Yadis.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/ParseHTML.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/TestUtil.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/XRDS.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/XRI.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/Yadis.php create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/README create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/accept.txt create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi_uri.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian_priority.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r1.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r2.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/example-xrds.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/no-xrd.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/not-xrds.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/pip.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/prefixsometimes.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/ref.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/sometimesprefix.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof1.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof2.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof3.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/subsegments.xrds create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-discover.txt create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-parsehtml.txt create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-xrd.xml create mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/uri_priority.xrds create mode 100644 models/openid-php-openid-782224d/Tests/TestDriver.php create mode 100644 models/openid-php-openid-782224d/admin/adminutil.php create mode 100644 models/openid-php-openid-782224d/admin/brace_style.pl create mode 100644 models/openid-php-openid-782224d/admin/checkimport create mode 100644 models/openid-php-openid-782224d/admin/checkimports create mode 100644 models/openid-php-openid-782224d/admin/darcs-ignore create mode 100644 models/openid-php-openid-782224d/admin/docblocks create mode 100644 models/openid-php-openid-782224d/admin/docblocks.pl create mode 100644 models/openid-php-openid-782224d/admin/findallphp create mode 100644 models/openid-php-openid-782224d/admin/findglobals create mode 100644 models/openid-php-openid-782224d/admin/findphp create mode 100644 models/openid-php-openid-782224d/admin/fixperms create mode 100644 models/openid-php-openid-782224d/admin/gettlds.py create mode 100644 models/openid-php-openid-782224d/admin/library-name create mode 100644 models/openid-php-openid-782224d/admin/longlines.pl create mode 100644 models/openid-php-openid-782224d/admin/makedoc.sh create mode 100644 models/openid-php-openid-782224d/admin/mathlib create mode 100644 models/openid-php-openid-782224d/admin/nobadbraces create mode 100644 models/openid-php-openid-782224d/admin/nobadcase create mode 100644 models/openid-php-openid-782224d/admin/nolonglines create mode 100644 models/openid-php-openid-782224d/admin/notabs create mode 100644 models/openid-php-openid-782224d/admin/open_tag create mode 100644 models/openid-php-openid-782224d/admin/otb_test.php create mode 100644 models/openid-php-openid-782224d/admin/package.xml create mode 100644 models/openid-php-openid-782224d/admin/package2.xml create mode 100644 models/openid-php-openid-782224d/admin/packagexml.py create mode 100644 models/openid-php-openid-782224d/admin/phpaliases.py create mode 100644 models/openid-php-openid-782224d/admin/prepare-release create mode 100644 models/openid-php-openid-782224d/admin/runtests create mode 100644 models/openid-php-openid-782224d/admin/syntaxcheck create mode 100644 models/openid-php-openid-782224d/admin/texttest.php create mode 100644 models/openid-php-openid-782224d/admin/tutorials/OpenID/OpenID.pkg create mode 100644 models/openid-php-openid-782224d/admin/webtest.php create mode 100644 models/openid-php-openid-782224d/admin/xmlconfig.py create mode 100644 models/openid-php-openid-782224d/contrib/google/php-openid-apps-discover-1.0.1.tar.gz create mode 100644 models/openid-php-openid-782224d/contrib/signed_assertions/AP.php create mode 100644 models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php create mode 100644 models/openid-php-openid-782224d/contrib/upgrade-store-1.1-to-2.0 create mode 100644 models/openid-php-openid-782224d/examples/README create mode 100644 models/openid-php-openid-782224d/examples/consumer/common.php create mode 100644 models/openid-php-openid-782224d/examples/consumer/finish_auth.php create mode 100644 models/openid-php-openid-782224d/examples/consumer/index.php create mode 100644 models/openid-php-openid-782224d/examples/consumer/try_auth.php create mode 100644 models/openid-php-openid-782224d/examples/detect.php create mode 100644 models/openid-php-openid-782224d/examples/discover.php create mode 100644 models/openid-php-openid-782224d/examples/server/index.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/actions.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/common.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/render.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/about.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/idpXrds.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/idpage.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/login.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/trust.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/userXrds.php create mode 100644 models/openid-php-openid-782224d/examples/server/lib/session.php create mode 100644 models/openid-php-openid-782224d/examples/server/openid-server.css create mode 100644 models/openid-php-openid-782224d/examples/server/server.php create mode 100644 models/openid-php-openid-782224d/examples/server/setup.php create mode 100644 pages/admin.php create mode 100644 pages/confirm.php create mode 100644 pages/reset.php create mode 100644 pages/sso.php create mode 100644 return.php create mode 100644 start.php create mode 100644 views/default/openid_client/css.php create mode 100644 views/default/openid_client/forms/admin.php create mode 100644 views/default/openid_client/forms/login.php create mode 100644 views/default/openid_client/forms/missing.php create mode 100644 views/default/openid_client/forms/sync.php diff --git a/CHANGES.txt b/CHANGES.txt new file mode 100644 index 000000000..b5d506dd5 --- /dev/null +++ b/CHANGES.txt @@ -0,0 +1,3 @@ +1.3 + +Added a reset page. See README.txt for more infomation. \ No newline at end of file diff --git a/README.txt b/README.txt new file mode 100644 index 000000000..f4103daf4 --- /dev/null +++ b/README.txt @@ -0,0 +1,46 @@ +/** + * Login using OpenID + * + * @package openid_client + * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 + * @author Kevin Jardine + * @copyright Curverider 2008-2009 + * @link http://radagast.biz/ + * + */ + + Just unzip into your Elgg mod directory and activate. + + There are several configuration options that you can use to add fancier + features. These are available through the "Configure OpenID client" link + in the admin sidebar. But they are not needed for basic operation. + + *Single Sign-On Link* + + You can optionally configure a single-sign-on link of the form: + + http://url-for-your-elgg/pg/openid_client/sso?username=XXX + + where XXX is an OpenID. + + This can be useful if you are integrating Elgg into another application. + Just put that link into your application navigation, and your user will be + automatically logged-in to Elgg using OpenID. + + This feature is turned off by default. You can activate it on the admin page. + + This link may be insecure because it routes around the XSS protection system + normally used by the plugin. You have been warned. + + *Reset page* + + When logged-in as a site admin, you can visit: + + http://url-for-your-elgg/pg/openid_client/reset + + to reset all your OpenID associations and nonces. This may help if your + association data with a particular OpenID server has become corrupted. + + These are just cached values and will temporarily slow down the next people + who login to your site using OpenID, but not by a large amount. Once the + cache is refreshed, things should be back to normal. \ No newline at end of file diff --git a/actions/admin.php b/actions/admin.php new file mode 100644 index 000000000..568c852a5 --- /dev/null +++ b/actions/admin.php @@ -0,0 +1,34 @@ +wwwroot . "pg/openid_client/admin"); + diff --git a/actions/login.php b/actions/login.php new file mode 100644 index 000000000..44b8233fd --- /dev/null +++ b/actions/login.php @@ -0,0 +1,4 @@ +email = $email; + $details->name = $name; + openid_client_send_activate_confirmation_message($details); + system_message(sprintf(elgg_echo("openid_client:activate_confirmation"),$email)); + } elseif ($code{0} == 'n') { + //activate and login + $user = get_user($details->owner); + $user->email = $email; + $user->name = $name; + $user->active = 'yes'; + $user->save(); + system_message(sprintf(elgg_echo("openid_client:created_openid_account"),$email, $name)); + login($user); + } + forward(); +} elseif ($details) { + // regenerate the form + $user = get_user($details->owner); + $openid_url = $user->alias; + $email_confirmation = openid_client_check_email_confirmation($openid_url); + $body = openid_client_generate_missing_data_form($openid_url,$email,$fullname,$email_confirmation,$code); + page_draw(elgg_echo('openid_client:information_title'),$body); +} else { + // bad code - not much to do but inform user + forward(); +} diff --git a/actions/sync.php b/actions/sync.php new file mode 100644 index 000000000..3f93df9df --- /dev/null +++ b/actions/sync.php @@ -0,0 +1,57 @@ +name = $name; + system_message(sprintf(elgg_echo("openid_client:name_updated"),$name)); + } + + if ($emailchange) { + $i_code = get_input('i_code'); + if (empty($i_code)) { + $new_email = get_input('new_email'); + // this is an email address change request from a yellow OpenID, so the + // email address change must be confirmed with an email message + if (get_user_by_email($email)) { + register_error(sprintf(elgg_echo("openid_client:email_in_use"),$email)); + } else { + $details = openid_client_create_invitation('c',$user->username,$userid,$new_email,$user->name); + openid_client_send_change_confirmation_message($details); + system_message(sprintf(elgg_echo("openid_client:change_confirmation"), $email)); + } + } elseif (!($details = openid_client_get_invitation($i_code))) { + register_error(elgg_echo("openid_client:invalid_code_error")); + } else { + // this is an email address change request from a green OpenID, so the + // email address change does not need to be confirmed + + $email = $details->email; + $ident = $details->owner; + if (get_user_by_email($email)) { + register_error(sprintf(elgg_echo("openid_client:email_in_use"),$email)); + } else { + $user->email; + system_message(sprintf(elgg_echo("openid_client:email_updated"),$email)); + } + } + } + + if ($nosync) { + $store = new OpenID_ElggStore(); + $store->addNoSyncStatus($user); + } +} + +forward(); diff --git a/graphics/login-bg.gif b/graphics/login-bg.gif new file mode 100644 index 000000000..cde836c89 Binary files /dev/null and b/graphics/login-bg.gif differ diff --git a/graphics/openid.jpg b/graphics/openid.jpg new file mode 100644 index 000000000..4e7b8f856 Binary files /dev/null and b/graphics/openid.jpg differ diff --git a/languages/en.php b/languages/en.php new file mode 100644 index 000000000..3357305e8 --- /dev/null +++ b/languages/en.php @@ -0,0 +1,119 @@ + "Log in using OpenID", + 'openid_client_login_service' => "Service", + 'openid_client_logon' => "Logon", + 'openid_client_go' => "Go", + 'openid_client_remember_login' => "Remember login", + 'openid_client:already_loggedin' => "You are already logged in.", + 'openid_client:login_success' => "You have been logged on.", + 'openid_client:login_failure' => "The username was not specified. The system could not log you in.", + 'openid_client:disallowed' => "This site does not allow the OpenID that you entered. " + ."Please try another OpenID or contact the site administrator for more information.", + 'openid_client:redirect_error' => "Could not redirect to server: %s", + 'openid_client:authentication_failure' => "OpenID authentication failed: %s is not a valid OpenID URL.", + 'openid_client:authentication_cancelled' => "OpenID authentication cancelled.", + 'openid_client:authentication_failed' => "OpenID authentication failed (status: %s, message: %s )", + 'openid_client:banned' => "You have been banned from the system!", + 'openid_client:email_in_use' => "Cannot change your email address to %s because it is already in use.", + 'openid_client:email_updated' => "Your email address has been updated to %s", + 'openid_client:information_title' => "OpenID information", + 'openid_client:activate_confirmation' => "A confirmation message has been sent to %s ." + ." Please click on the link in that message to activate your account." + ." You will then be able to login using the OpenID you have supplied.", + 'openid_client:change_confirmation' => "Your email address has changed. A confirmation message has been sent to" + ." your new address at %s . Please click on the link in that message to confirm this new email address. ", + 'openid_client:activate_confirmation_subject' => "%s account verification", + 'openid_client:activate_confirmation_body' => "Dear %s,\n\nThank you for registering with %s.\n\n" + ."To complete your registration, visit the following URL:\n\n\t%s\n\nwithin seven days.\n\nRegards,\n\nThe %s team.", + 'openid_client:change_confirmation_subject' => "%s email change", + 'openid_client:change_confirmation_body' => "Dear %s,\n\nWe have received a request to change your email address" + ." registered with %s.\n\nTo change your email address to {%s}, visit the following URL:\n\n\t%s\n\nwithin seven days." + ."\n\nRegards,\n\nThe %s team.", + 'openid_client:email_label' => "Email:", + 'openid_client:name_label' => "Name:", + 'openid_client:submit_label' => "Submit", + 'openid_client:cancel_label' => "Cancel", + 'openid_client:nosync_label' => "Do not notify me again if the data on this system is not the same" + ." as the data on my OpenID server.", + 'openid_client:sync_instructions' => "The information on your Open ID server is not the same as on this system." + ." Tick the check boxes next to the information you would like to update (if any) and press submit.", + 'openid_client:missing_title' => "Please provide missing information", + 'openid_client:sync_title' => "Synchronise your information", + 'openid_client:missing_email' => "a valid email address", + 'openid_client:missing_name' => "your full name", + 'openid_client:and' => "and", + 'openid_client:missing_info_instructions' => "In order to create an account on this site you need to supply %s." + ." Please enter this information below.", + 'openid_client:create_email_in_use' => "Cannot create an account with the email address %s because it is already in use.", + 'openid_client:missing_name_error' => "You must provide a name.", + 'openid_client:invalid_email_error' => "You must provide a valid email address.", + 'openid_client:invalid_code_error' => "Your form code appears to be invalid. Codes only last for seven days;" + ." it's possible that yours is older.", + 'openid_client:user_creation_failed' => "Unable to create OpenID account.", + 'openid_client:created_openid_account' => "Created OpenID account, transferred email %s and name %s from the OpenID server.", + 'openid_client:name_updated' => "Your name has been updated to %s.", + 'openid_client:missing_confirmation_code' => "Your confirmation code appears to be missing. Please check your link and try again.", + 'openid_client:at_least_13' => "You must indicate that you are at least 13 years old to join.", + 'openid_client:account_created' => "Your account was created! You can now log in using the OpenID (%s) you supplied.", + 'openid_client:email_changed' => "Your email address has been changed to {%s} . " + ."You can now login using your OpenID if you are not already logged in.", + 'openid_client:thankyou' => "Thank you for registering for an account with %s!" + ." Registration is completely free, but before you confirm your details," + ." please take a moment to read the following documents:", + 'openid_client:terms' => "terms and conditions", + 'openid_client:privacy' => "privacy policy", + 'openid_client:acceptance' => "Submitting the form below indicates acceptance of these terms. " + ."Please note that currently you must be at least 13 years of age to join the site.", + 'openid_client:correct_age' => "I am at least thirteen years of age.", + 'openid_client:join_button_label' => "Join", + 'openid_client:confirmation_title' => "OpenID confirmation", + 'openid_client:admin_title' => "Configure OpenID client", + 'openid_client:default_server_title' => "Default server", + 'openid_client:default_server_instructions1' => "You can simplify logging on using OpenID by specifying a default OpenID server." + ." Users who enter a simple account name (eg. \"susan\") during an OpenID login can have it expanded to a full OpenID" + ." if you provide a default server here. Put \"%s\" where you want the account name added. For example, enter" + ." \"http://openidserver.com/%s/\" if you want the OpenID to become \"http://openidserver.com/susan/\" or" + ." \"http://%s.openidserver.com/\" if you want the OpenID to become \"http://susan.openidserver.com/\"", + 'openid_client:default_server_instructions2' => "The presence of dots (\".\") is used to distinguish OpenID URLs from simple" + ." account names, so you can only use this feature for default servers that do not allow dots in their simple account names.", + 'openid_client:server_sync_title' => "Server synchronisation", + 'openid_client:server_sync_instructions' => "Check this box if you want to automatically update this client site if a" + ." user logs in and their email address or name is different from that on their OpenID server. Leave this box unchecked" + ." if you want to allow your users to have the ability to maintain a different name or email address on this system" + ." from the ones on their OpenID server.", + 'openid_client:server_sync_label' => "Automatically update from the OpenID server.", + + 'openid_client:sso_title' => "Single sign-on", + 'openid_client:sso_instructions' => "Check this box if you want to activate the single sign-on link." + ." This link simulates an Elgg OpenID login form submit and can be used to create a one-click single sign-on with Elgg." + ." Note that it is a bit insecure becomes it circumvents Elgg's XSS security" + ." and could in principle be used to log the user into Elgg without his/her knowledge.", + 'openid_client:sso_label' => "Enable single sign-on (SSO) link.", + + 'openid_client:lists_title' => "OpenID lists", + 'openid_client:lists_instruction1' => "You can set up a green, yellow or red list of OpenIDs that this client will accept.", + 'openid_client:lists_instruction2' => "The green list contains OpenIDs that will be accepted to provide identification" + ." and that can supply a trusted email address.", + 'openid_client:lists_instruction3' => "The yellow list contains OpenIDs that will be accepted for identification only." + ." If they provide an email address, a message will be sent to that address for confirmation before registration is allowed.", + 'openid_client:lists_instruction4' => "The red list contains OpenIDs that should be rejected.", + 'openid_client:lists_instruction5' => "If you do not provide a green, yellow or red list, by default all OpenIDs" + ." will be given a green status (they will be accepted for identification and email addresses that they provide will be" + ." accepted without confirmation).", + 'openid_client:lists_instruction6' => "Put one OpenID entry on each line. You can use \"*\" as a wildcard character" + ." to match a number of possible OpenIDs or OpenID servers. Each OpenID must begin with http:// or https:// and end with a" + ." slash (\"/\") - eg. http://*.myopenid.com/", + 'openid_client:green_list_title' => "Green list", + 'openid_client:yellow_list_title' => "Yellow list", + 'openid_client:red_list_title' => "Red list", + 'openid_client:ok_button_label' => "OK", + 'openid_client:admin_response' => "OpenID client configuration values saved." + + ); + + add_translation("en",$english); + +?> \ No newline at end of file diff --git a/manifest.xml b/manifest.xml new file mode 100644 index 000000000..fd0d0a2a7 --- /dev/null +++ b/manifest.xml @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/models/Auth.old/OpenID.php b/models/Auth.old/OpenID.php new file mode 100644 index 000000000..f4816e9e5 --- /dev/null +++ b/models/Auth.old/OpenID.php @@ -0,0 +1,576 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * Require the fetcher code. + */ +require_once "Auth/Yadis/PlainHTTPFetcher.php"; +require_once "Auth/Yadis/ParanoidHTTPFetcher.php"; +require_once "Auth/OpenID/BigMath.php"; +/** + * Status code returned by the server when the only option is to show + * an error page, since we do not have enough information to redirect + * back to the consumer. The associated value is an error message that + * should be displayed on an HTML error page. + * + * @see Auth_OpenID_Server + */ +define('Auth_OpenID_LOCAL_ERROR', 'local_error'); + +/** + * Status code returned when there is an error to return in key-value + * form to the consumer. The caller should return a 400 Bad Request + * response with content-type text/plain and the value as the body. + * + * @see Auth_OpenID_Server + */ +define('Auth_OpenID_REMOTE_ERROR', 'remote_error'); + +/** + * Status code returned when there is a key-value form OK response to + * the consumer. The value associated with this code is the + * response. The caller should return a 200 OK response with + * content-type text/plain and the value as the body. + * + * @see Auth_OpenID_Server + */ +define('Auth_OpenID_REMOTE_OK', 'remote_ok'); + +/** + * Status code returned when there is a redirect back to the + * consumer. The value is the URL to redirect back to. The caller + * should return a 302 Found redirect with a Location: header + * containing the URL. + * + * @see Auth_OpenID_Server + */ +define('Auth_OpenID_REDIRECT', 'redirect'); + +/** + * Status code returned when the caller needs to authenticate the + * user. The associated value is a {@link Auth_OpenID_ServerRequest} + * object that can be used to complete the authentication. If the user + * has taken some authentication action, use the retry() method of the + * {@link Auth_OpenID_ServerRequest} object to complete the request. + * + * @see Auth_OpenID_Server + */ +define('Auth_OpenID_DO_AUTH', 'do_auth'); + +/** + * Status code returned when there were no OpenID arguments + * passed. This code indicates that the caller should return a 200 OK + * response and display an HTML page that says that this is an OpenID + * server endpoint. + * + * @see Auth_OpenID_Server + */ +define('Auth_OpenID_DO_ABOUT', 'do_about'); + +/** + * Defines for regexes and format checking. + */ +define('Auth_OpenID_letters', + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"); + +define('Auth_OpenID_digits', + "0123456789"); + +define('Auth_OpenID_punct', + "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"); + +if (Auth_OpenID_getMathLib() === null) { + Auth_OpenID_setNoMathSupport(); +} + +/** + * The OpenID utility function class. + * + * @package OpenID + * @access private + */ +class Auth_OpenID { + + /** + * Return true if $thing is an Auth_OpenID_FailureResponse object; + * false if not. + * + * @access private + */ + function isFailure($thing) + { + return is_a($thing, 'Auth_OpenID_FailureResponse'); + } + + /** + * Gets the query data from the server environment based on the + * request method used. If GET was used, this looks at + * $_SERVER['QUERY_STRING'] directly. If POST was used, this + * fetches data from the special php://input file stream. + * + * Returns an associative array of the query arguments. + * + * Skips invalid key/value pairs (i.e. keys with no '=value' + * portion). + * + * Returns an empty array if neither GET nor POST was used, or if + * POST was used but php://input cannot be opened. + * + * @access private + */ + function getQuery($query_str=null) + { + $data = array(); + + if ($query_str !== null) { + $data = Auth_OpenID::params_from_string($query_str); + } else if (!array_key_exists('REQUEST_METHOD', $_SERVER)) { + // Do nothing. + } else { + // XXX HACK FIXME HORRIBLE. + // + // POSTing to a URL with query parameters is acceptable, but + // we don't have a clean way to distinguish those parameters + // when we need to do things like return_to verification + // which only want to look at one kind of parameter. We're + // going to emulate the behavior of some other environments + // by defaulting to GET and overwriting with POST if POST + // data is available. + $data = Auth_OpenID::params_from_string($_SERVER['QUERY_STRING']); + + if ($_SERVER['REQUEST_METHOD'] == 'POST') { + $str = file_get_contents('php://input'); + + if ($str === false) { + $post = array(); + } else { + $post = Auth_OpenID::params_from_string($str); + } + + $data = array_merge($data, $post); + } + } + + return $data; + } + + function params_from_string($str) + { + $chunks = explode("&", $str); + + $data = array(); + foreach ($chunks as $chunk) { + $parts = explode("=", $chunk, 2); + + if (count($parts) != 2) { + continue; + } + + list($k, $v) = $parts; + $data[$k] = urldecode($v); + } + + return $data; + } + + /** + * Create dir_name as a directory if it does not exist. If it + * exists, make sure that it is, in fact, a directory. Returns + * true if the operation succeeded; false if not. + * + * @access private + */ + function ensureDir($dir_name) + { + if (is_dir($dir_name) || @mkdir($dir_name)) { + return true; + } else { + if (Auth_OpenID::ensureDir(dirname($dir_name))) { + return is_dir($dir_name) || @mkdir($dir_name); + } else { + return false; + } + } + } + + /** + * Adds a string prefix to all values of an array. Returns a new + * array containing the prefixed values. + * + * @access private + */ + function addPrefix($values, $prefix) + { + $new_values = array(); + foreach ($values as $s) { + $new_values[] = $prefix . $s; + } + return $new_values; + } + + /** + * Convenience function for getting array values. Given an array + * $arr and a key $key, get the corresponding value from the array + * or return $default if the key is absent. + * + * @access private + */ + function arrayGet($arr, $key, $fallback = null) + { + if (is_array($arr)) { + if (array_key_exists($key, $arr)) { + return $arr[$key]; + } else { + return $fallback; + } + } else { + trigger_error("Auth_OpenID::arrayGet (key = ".$key.") expected " . + "array as first parameter, got " . + gettype($arr), E_USER_WARNING); + + return false; + } + } + + /** + * Replacement for PHP's broken parse_str. + */ + function parse_str($query) + { + if ($query === null) { + return null; + } + + $parts = explode('&', $query); + + $new_parts = array(); + for ($i = 0; $i < count($parts); $i++) { + $pair = explode('=', $parts[$i]); + + if (count($pair) != 2) { + continue; + } + + list($key, $value) = $pair; + $new_parts[$key] = urldecode($value); + } + + return $new_parts; + } + + /** + * Implements the PHP 5 'http_build_query' functionality. + * + * @access private + * @param array $data Either an array key/value pairs or an array + * of arrays, each of which holding two values: a key and a value, + * sequentially. + * @return string $result The result of url-encoding the key/value + * pairs from $data into a URL query string + * (e.g. "username=bob&id=56"). + */ + function httpBuildQuery($data) + { + $pairs = array(); + foreach ($data as $key => $value) { + if (is_array($value)) { + $pairs[] = urlencode($value[0])."=".urlencode($value[1]); + } else { + $pairs[] = urlencode($key)."=".urlencode($value); + } + } + return implode("&", $pairs); + } + + /** + * "Appends" query arguments onto a URL. The URL may or may not + * already have arguments (following a question mark). + * + * @access private + * @param string $url A URL, which may or may not already have + * arguments. + * @param array $args Either an array key/value pairs or an array of + * arrays, each of which holding two values: a key and a value, + * sequentially. If $args is an ordinary key/value array, the + * parameters will be added to the URL in sorted alphabetical order; + * if $args is an array of arrays, their order will be preserved. + * @return string $url The original URL with the new parameters added. + * + */ + function appendArgs($url, $args) + { + if (count($args) == 0) { + return $url; + } + + // Non-empty array; if it is an array of arrays, use + // multisort; otherwise use sort. + if (array_key_exists(0, $args) && + is_array($args[0])) { + // Do nothing here. + } else { + $keys = array_keys($args); + sort($keys); + $new_args = array(); + foreach ($keys as $key) { + $new_args[] = array($key, $args[$key]); + } + $args = $new_args; + } + + $sep = '?'; + if (strpos($url, '?') !== false) { + $sep = '&'; + } + + return $url . $sep . Auth_OpenID::httpBuildQuery($args); + } + + /** + * Turn a string into an ASCII string. + * + * Replace non-ascii characters with a %-encoded, UTF-8 + * encoding. This function will fail if the input is a string and + * there are non-7-bit-safe characters. It is assumed that the + * caller will have already translated the input into a Unicode + * character sequence, according to the encoding of the HTTP POST + * or GET. + * + * Do not escape anything that is already 7-bit safe, so we do the + * minimal transform on the identity URL + * + * @access private + */ + function quoteMinimal($s) + { + $res = array(); + for ($i = 0; $i < strlen($s); $i++) { + $c = $s[$i]; + if ($c >= "\x80") { + for ($j = 0; $j < count(utf8_encode($c)); $j++) { + array_push($res, sprintf("%02X", ord($c[$j]))); + } + } else { + array_push($res, $c); + } + } + + return implode('', $res); + } + + /** + * Implements python's urlunparse, which is not available in PHP. + * Given the specified components of a URL, this function rebuilds + * and returns the URL. + * + * @access private + * @param string $scheme The scheme (e.g. 'http'). Defaults to 'http'. + * @param string $host The host. Required. + * @param string $port The port. + * @param string $path The path. + * @param string $query The query. + * @param string $fragment The fragment. + * @return string $url The URL resulting from assembling the + * specified components. + */ + function urlunparse($scheme, $host, $port = null, $path = '/', + $query = '', $fragment = '') + { + + if (!$scheme) { + $scheme = 'http'; + } + + if (!$host) { + return false; + } + + if (!$path) { + $path = ''; + } + + $result = $scheme . "://" . $host; + + if ($port) { + $result .= ":" . $port; + } + + $result .= $path; + + if ($query) { + $result .= "?" . $query; + } + + if ($fragment) { + $result .= "#" . $fragment; + } + + return $result; + } + + /** + * Given a URL, this "normalizes" it by adding a trailing slash + * and / or a leading http:// scheme where necessary. Returns + * null if the original URL is malformed and cannot be normalized. + * + * @access private + * @param string $url The URL to be normalized. + * @return mixed $new_url The URL after normalization, or null if + * $url was malformed. + */ + function normalizeUrl($url) + { + if ($url === null) { + return null; + } + + assert(is_string($url)); + + $old_url = $url; + $url = trim($url); + + if (strpos($url, "://") === false) { + $url = "http://" . $url; + } + + $parsed = @parse_url($url); + + if ($parsed === false) { + return null; + } + + $defaults = array( + 'scheme' => '', + 'host' => '', + 'path' => '', + 'query' => '', + 'fragment' => '', + 'port' => '' + ); + + $parsed = array_merge($defaults, $parsed); + + if (($parsed['scheme'] == '') || + ($parsed['host'] == '')) { + if ($parsed['path'] == '' && + $parsed['query'] == '') { + return null; + } + + $url = 'http://' + $url; + $parsed = parse_url($url); + + $parsed = array_merge($defaults, $parsed); + } + + $tail = array_map(array('Auth_OpenID', 'quoteMinimal'), + array($parsed['path'], + $parsed['query'])); + if ($tail[0] == '') { + $tail[0] = '/'; + } + + $url = Auth_OpenID::urlunparse($parsed['scheme'], $parsed['host'], + $parsed['port'], $tail[0], $tail[1]); + + assert(is_string($url)); + + return $url; + } + + /** + * Replacement (wrapper) for PHP's intval() because it's broken. + * + * @access private + */ + function intval($value) + { + $re = "/^\\d+$/"; + + if (!preg_match($re, $value)) { + return false; + } + + return intval($value); + } + + /** + * Count the number of bytes in a string independently of + * multibyte support conditions. + * + * @param string $str The string of bytes to count. + * @return int The number of bytes in $str. + */ + function bytes($str) + { + return strlen(bin2hex($str)) / 2; + } + + /** + * Get the bytes in a string independently of multibyte support + * conditions. + */ + function toBytes($str) + { + $hex = bin2hex($str); + + if (!$hex) { + return array(); + } + + $b = array(); + for ($i = 0; $i < strlen($hex); $i += 2) { + $b[] = chr(base_convert(substr($hex, $i, 2), 16, 10)); + } + + return $b; + } + + function urldefrag($url) + { + $parts = explode("#", $url, 2); + + if (count($parts) == 1) { + return array($parts[0], ""); + } else { + return $parts; + } + } + + function filter($callback, &$sequence) + { + $result = array(); + + foreach ($sequence as $item) { + if (call_user_func_array($callback, array($item))) { + $result[] = $item; + } + } + + return $result; + } + + function update(&$dest, &$src) + { + foreach ($src as $k => $v) { + $dest[$k] = $v; + } + } +} +?> diff --git a/models/Auth.old/OpenID/AX.php b/models/Auth.old/OpenID/AX.php new file mode 100644 index 000000000..d183c44c2 --- /dev/null +++ b/models/Auth.old/OpenID/AX.php @@ -0,0 +1,1013 @@ +message = $message; + } +} + +/** + * Abstract class containing common code for attribute exchange + * messages. + * + * @package OpenID + */ +class Auth_OpenID_AX_Message extends Auth_OpenID_Extension { + /** + * ns_alias: The preferred namespace alias for attribute exchange + * messages + */ + var $ns_alias = 'ax'; + + /** + * mode: The type of this attribute exchange message. This must be + * overridden in subclasses. + */ + var $mode = null; + + var $ns_uri = Auth_OpenID_AX_NS_URI; + + /** + * Return Auth_OpenID_AX_Error if the mode in the attribute + * exchange arguments does not match what is expected for this + * class; true otherwise. + * + * @access private + */ + function _checkMode($ax_args) + { + $mode = Auth_OpenID::arrayGet($ax_args, 'mode'); + if ($mode != $this->mode) { + return new Auth_OpenID_AX_Error( + sprintf( + "Expected mode '%s'; got '%s'", + $this->mode, $mode)); + } + + return true; + } + + /** + * Return a set of attribute exchange arguments containing the + * basic information that must be in every attribute exchange + * message. + * + * @access private + */ + function _newArgs() + { + return array('mode' => $this->mode); + } +} + +/** + * Represents a single attribute in an attribute exchange + * request. This should be added to an AXRequest object in order to + * request the attribute. + * + * @package OpenID + */ +class Auth_OpenID_AX_AttrInfo { + /** + * Construct an attribute information object. Do not call this + * directly; call make(...) instead. + * + * @param string $type_uri The type URI for this attribute. + * + * @param int $count The number of values of this type to request. + * + * @param bool $required Whether the attribute will be marked as + * required in the request. + * + * @param string $alias The name that should be given to this + * attribute in the request. + */ + function Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, + $alias) + { + /** + * required: Whether the attribute will be marked as required + * when presented to the subject of the attribute exchange + * request. + */ + $this->required = $required; + + /** + * count: How many values of this type to request from the + * subject. Defaults to one. + */ + $this->count = $count; + + /** + * type_uri: The identifier that determines what the attribute + * represents and how it is serialized. For example, one type + * URI representing dates could represent a Unix timestamp in + * base 10 and another could represent a human-readable + * string. + */ + $this->type_uri = $type_uri; + + /** + * alias: The name that should be given to this attribute in + * the request. If it is not supplied, a generic name will be + * assigned. For example, if you want to call a Unix timestamp + * value 'tstamp', set its alias to that value. If two + * attributes in the same message request to use the same + * alias, the request will fail to be generated. + */ + $this->alias = $alias; + } + + /** + * Construct an attribute information object. For parameter + * details, see the constructor. + */ + function make($type_uri, $count=1, $required=false, + $alias=null) + { + if ($alias !== null) { + $result = Auth_OpenID_AX_checkAlias($alias); + + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + } + + return new Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, + $alias); + } + + /** + * When processing a request for this attribute, the OP should + * call this method to determine whether all available attribute + * values were requested. If self.count == UNLIMITED_VALUES, this + * returns True. Otherwise this returns False, in which case + * self.count is an integer. + */ + function wantsUnlimitedValues() + { + return $this->count === Auth_OpenID_AX_UNLIMITED_VALUES; + } +} + +/** + * Given a namespace mapping and a string containing a comma-separated + * list of namespace aliases, return a list of type URIs that + * correspond to those aliases. + * + * @param $namespace_map The mapping from namespace URI to alias + * @param $alias_list_s The string containing the comma-separated + * list of aliases. May also be None for convenience. + * + * @return $seq The list of namespace URIs that corresponds to the + * supplied list of aliases. If the string was zero-length or None, an + * empty list will be returned. + * + * return null If an alias is present in the list of aliases but + * is not present in the namespace map. + */ +function Auth_OpenID_AX_toTypeURIs(&$namespace_map, $alias_list_s) +{ + $uris = array(); + + if ($alias_list_s) { + foreach (explode(',', $alias_list_s) as $alias) { + $type_uri = $namespace_map->getNamespaceURI($alias); + if ($type_uri === null) { + // raise KeyError( + // 'No type is defined for attribute name %r' % (alias,)) + return new Auth_OpenID_AX_Error( + sprintf('No type is defined for attribute name %s', + $alias) + ); + } else { + $uris[] = $type_uri; + } + } + } + + return $uris; +} + +/** + * An attribute exchange 'fetch_request' message. This message is sent + * by a relying party when it wishes to obtain attributes about the + * subject of an OpenID authentication request. + * + * @package OpenID + */ +class Auth_OpenID_AX_FetchRequest extends Auth_OpenID_AX_Message { + + var $mode = 'fetch_request'; + + function Auth_OpenID_AX_FetchRequest($update_url=null) + { + /** + * requested_attributes: The attributes that have been + * requested thus far, indexed by the type URI. + */ + $this->requested_attributes = array(); + + /** + * update_url: A URL that will accept responses for this + * attribute exchange request, even in the absence of the user + * who made this request. + */ + $this->update_url = $update_url; + } + + /** + * Add an attribute to this attribute exchange request. + * + * @param attribute: The attribute that is being requested + * @return true on success, false when the requested attribute is + * already present in this fetch request. + */ + function add($attribute) + { + if ($this->contains($attribute->type_uri)) { + return new Auth_OpenID_AX_Error( + sprintf("The attribute %s has already been requested", + $attribute->type_uri)); + } + + $this->requested_attributes[$attribute->type_uri] = $attribute; + + return true; + } + + /** + * Get the serialized form of this attribute fetch request. + * + * @returns Auth_OpenID_AX_FetchRequest The fetch request message parameters + */ + function getExtensionArgs() + { + $aliases = new Auth_OpenID_NamespaceMap(); + + $required = array(); + $if_available = array(); + + $ax_args = $this->_newArgs(); + + foreach ($this->requested_attributes as $type_uri => $attribute) { + if ($attribute->alias === null) { + $alias = $aliases->add($type_uri); + } else { + $alias = $aliases->addAlias($type_uri, $attribute->alias); + + if ($alias === null) { + return new Auth_OpenID_AX_Error( + sprintf("Could not add alias %s for URI %s", + $attribute->alias, $type_uri + )); + } + } + + if ($attribute->required) { + $required[] = $alias; + } else { + $if_available[] = $alias; + } + + if ($attribute->count != 1) { + $ax_args['count.' . $alias] = strval($attribute->count); + } + + $ax_args['type.' . $alias] = $type_uri; + } + + if ($required) { + $ax_args['required'] = implode(',', $required); + } + + if ($if_available) { + $ax_args['if_available'] = implode(',', $if_available); + } + + return $ax_args; + } + + /** + * Get the type URIs for all attributes that have been marked as + * required. + * + * @return A list of the type URIs for attributes that have been + * marked as required. + */ + function getRequiredAttrs() + { + $required = array(); + foreach ($this->requested_attributes as $type_uri => $attribute) { + if ($attribute->required) { + $required[] = $type_uri; + } + } + + return $required; + } + + /** + * Extract a FetchRequest from an OpenID message + * + * @param message: The OpenID message containing the attribute + * fetch request + * + * @returns mixed An Auth_OpenID_AX_Error or the + * Auth_OpenID_AX_FetchRequest extracted from the message if + * successful + */ + function &fromOpenIDRequest($message) + { + $obj = new Auth_OpenID_AX_FetchRequest(); + $ax_args = $message->getArgs($obj->ns_uri); + + $result = $obj->parseExtensionArgs($ax_args); + + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + if ($obj->update_url) { + // Update URL must match the openid.realm of the + // underlying OpenID 2 message. + $realm = $message->getArg(Auth_OpenID_OPENID_NS, 'realm', + $message->getArg( + Auth_OpenID_OPENID_NS, + 'return_to')); + + if (!$realm) { + $obj = new Auth_OpenID_AX_Error( + sprintf("Cannot validate update_url %s " . + "against absent realm", $obj->update_url)); + } else if (!Auth_OpenID_TrustRoot::match($realm, + $obj->update_url)) { + $obj = new Auth_OpenID_AX_Error( + sprintf("Update URL %s failed validation against realm %s", + $obj->update_url, $realm)); + } + } + + return $obj; + } + + /** + * Given attribute exchange arguments, populate this FetchRequest. + * + * @return $result Auth_OpenID_AX_Error if the data to be parsed + * does not follow the attribute exchange specification. At least + * when 'if_available' or 'required' is not specified for a + * particular attribute type. Returns true otherwise. + */ + function parseExtensionArgs($ax_args) + { + $result = $this->_checkMode($ax_args); + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + $aliases = new Auth_OpenID_NamespaceMap(); + + foreach ($ax_args as $key => $value) { + if (strpos($key, 'type.') === 0) { + $alias = substr($key, 5); + $type_uri = $value; + + $alias = $aliases->addAlias($type_uri, $alias); + + if ($alias === null) { + return new Auth_OpenID_AX_Error( + sprintf("Could not add alias %s for URI %s", + $alias, $type_uri) + ); + } + + $count_s = Auth_OpenID::arrayGet($ax_args, 'count.' . $alias); + if ($count_s) { + $count = Auth_OpenID::intval($count_s); + if (($count === false) && + ($count_s === Auth_OpenID_AX_UNLIMITED_VALUES)) { + $count = $count_s; + } + } else { + $count = 1; + } + + if ($count === false) { + return new Auth_OpenID_AX_Error( + sprintf("Integer value expected for %s, got %s", + 'count.' . $alias, $count_s)); + } + + $attrinfo = Auth_OpenID_AX_AttrInfo::make($type_uri, $count, + false, $alias); + + if (Auth_OpenID_AX::isError($attrinfo)) { + return $attrinfo; + } + + $this->add($attrinfo); + } + } + + $required = Auth_OpenID_AX_toTypeURIs($aliases, + Auth_OpenID::arrayGet($ax_args, 'required')); + + foreach ($required as $type_uri) { + $attrib =& $this->requested_attributes[$type_uri]; + $attrib->required = true; + } + + $if_available = Auth_OpenID_AX_toTypeURIs($aliases, + Auth_OpenID::arrayGet($ax_args, 'if_available')); + + $all_type_uris = array_merge($required, $if_available); + + foreach ($aliases->iterNamespaceURIs() as $type_uri) { + if (!in_array($type_uri, $all_type_uris)) { + return new Auth_OpenID_AX_Error( + sprintf('Type URI %s was in the request but not ' . + 'present in "required" or "if_available"', + $type_uri)); + + } + } + + $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); + + return true; + } + + /** + * Iterate over the AttrInfo objects that are contained in this + * fetch_request. + */ + function iterAttrs() + { + return array_values($this->requested_attributes); + } + + function iterTypes() + { + return array_keys($this->requested_attributes); + } + + /** + * Is the given type URI present in this fetch_request? + */ + function contains($type_uri) + { + return in_array($type_uri, $this->iterTypes()); + } +} + +/** + * An abstract class that implements a message that has attribute keys + * and values. It contains the common code between fetch_response and + * store_request. + * + * @package OpenID + */ +class Auth_OpenID_AX_KeyValueMessage extends Auth_OpenID_AX_Message { + + function Auth_OpenID_AX_KeyValueMessage() + { + $this->data = array(); + } + + /** + * Add a single value for the given attribute type to the + * message. If there are already values specified for this type, + * this value will be sent in addition to the values already + * specified. + * + * @param type_uri: The URI for the attribute + * @param value: The value to add to the response to the relying + * party for this attribute + * @return null + */ + function addValue($type_uri, $value) + { + if (!array_key_exists($type_uri, $this->data)) { + $this->data[$type_uri] = array(); + } + + $values =& $this->data[$type_uri]; + $values[] = $value; + } + + /** + * Set the values for the given attribute type. This replaces any + * values that have already been set for this attribute. + * + * @param type_uri: The URI for the attribute + * @param values: A list of values to send for this attribute. + */ + function setValues($type_uri, &$values) + { + $this->data[$type_uri] =& $values; + } + + /** + * Get the extension arguments for the key/value pairs contained + * in this message. + * + * @param aliases: An alias mapping. Set to None if you don't care + * about the aliases for this request. + * + * @access private + */ + function _getExtensionKVArgs(&$aliases) + { + if ($aliases === null) { + $aliases = new Auth_OpenID_NamespaceMap(); + } + + $ax_args = array(); + + foreach ($this->data as $type_uri => $values) { + $alias = $aliases->add($type_uri); + + $ax_args['type.' . $alias] = $type_uri; + $ax_args['count.' . $alias] = strval(count($values)); + + foreach ($values as $i => $value) { + $key = sprintf('value.%s.%d', $alias, $i + 1); + $ax_args[$key] = $value; + } + } + + return $ax_args; + } + + /** + * Parse attribute exchange key/value arguments into this object. + * + * @param ax_args: The attribute exchange fetch_response + * arguments, with namespacing removed. + * + * @return Auth_OpenID_AX_Error or true + */ + function parseExtensionArgs($ax_args) + { + $result = $this->_checkMode($ax_args); + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + $aliases = new Auth_OpenID_NamespaceMap(); + + foreach ($ax_args as $key => $value) { + if (strpos($key, 'type.') === 0) { + $type_uri = $value; + $alias = substr($key, 5); + + $result = Auth_OpenID_AX_checkAlias($alias); + + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + $alias = $aliases->addAlias($type_uri, $alias); + + if ($alias === null) { + return new Auth_OpenID_AX_Error( + sprintf("Could not add alias %s for URI %s", + $alias, $type_uri) + ); + } + } + } + + foreach ($aliases->iteritems() as $pair) { + list($type_uri, $alias) = $pair; + + if (array_key_exists('count.' . $alias, $ax_args)) { + + $count_key = 'count.' . $alias; + $count_s = $ax_args[$count_key]; + + $count = Auth_OpenID::intval($count_s); + + if ($count === false) { + return new Auth_OpenID_AX_Error( + sprintf("Integer value expected for %s, got %s", + 'count. %s' . $alias, $count_s, + Auth_OpenID_AX_UNLIMITED_VALUES) + ); + } + + $values = array(); + for ($i = 1; $i < $count + 1; $i++) { + $value_key = sprintf('value.%s.%d', $alias, $i); + + if (!array_key_exists($value_key, $ax_args)) { + return new Auth_OpenID_AX_Error( + sprintf( + "No value found for key %s", + $value_key)); + } + + $value = $ax_args[$value_key]; + $values[] = $value; + } + } else { + $key = 'value.' . $alias; + + if (!array_key_exists($key, $ax_args)) { + return new Auth_OpenID_AX_Error( + sprintf( + "No value found for key %s", + $key)); + } + + $value = $ax_args['value.' . $alias]; + + if ($value == '') { + $values = array(); + } else { + $values = array($value); + } + } + + $this->data[$type_uri] = $values; + } + + return true; + } + + /** + * Get a single value for an attribute. If no value was sent for + * this attribute, use the supplied default. If there is more than + * one value for this attribute, this method will fail. + * + * @param type_uri: The URI for the attribute + * @param default: The value to return if the attribute was not + * sent in the fetch_response. + * + * @return $value Auth_OpenID_AX_Error on failure or the value of + * the attribute in the fetch_response message, or the default + * supplied + */ + function getSingle($type_uri, $default=null) + { + $values = Auth_OpenID::arrayGet($this->data, $type_uri); + if (!$values) { + return $default; + } else if (count($values) == 1) { + return $values[0]; + } else { + return new Auth_OpenID_AX_Error( + sprintf('More than one value present for %s', + $type_uri) + ); + } + } + + /** + * Get the list of values for this attribute in the + * fetch_response. + * + * XXX: what to do if the values are not present? default + * parameter? this is funny because it's always supposed to return + * a list, so the default may break that, though it's provided by + * the user's code, so it might be okay. If no default is + * supplied, should the return be None or []? + * + * @param type_uri: The URI of the attribute + * + * @return $values The list of values for this attribute in the + * response. May be an empty list. If the attribute was not sent + * in the response, returns Auth_OpenID_AX_Error. + */ + function get($type_uri) + { + if (array_key_exists($type_uri, $this->data)) { + return $this->data[$type_uri]; + } else { + return new Auth_OpenID_AX_Error( + sprintf("Type URI %s not found in response", + $type_uri) + ); + } + } + + /** + * Get the number of responses for a particular attribute in this + * fetch_response message. + * + * @param type_uri: The URI of the attribute + * + * @returns int The number of values sent for this attribute. If + * the attribute was not sent in the response, returns + * Auth_OpenID_AX_Error. + */ + function count($type_uri) + { + if (array_key_exists($type_uri, $this->data)) { + return count($this->get($type_uri)); + } else { + return new Auth_OpenID_AX_Error( + sprintf("Type URI %s not found in response", + $type_uri) + ); + } + } +} + +/** + * A fetch_response attribute exchange message. + * + * @package OpenID + */ +class Auth_OpenID_AX_FetchResponse extends Auth_OpenID_AX_KeyValueMessage { + var $mode = 'fetch_response'; + + function Auth_OpenID_AX_FetchResponse($update_url=null) + { + $this->Auth_OpenID_AX_KeyValueMessage(); + $this->update_url = $update_url; + } + + /** + * Serialize this object into arguments in the attribute exchange + * namespace + * + * @return $args The dictionary of unqualified attribute exchange + * arguments that represent this fetch_response, or + * Auth_OpenID_AX_Error on error. + */ + function getExtensionArgs($request=null) + { + $aliases = new Auth_OpenID_NamespaceMap(); + + $zero_value_types = array(); + + if ($request !== null) { + // Validate the data in the context of the request (the + // same attributes should be present in each, and the + // counts in the response must be no more than the counts + // in the request) + + foreach ($this->data as $type_uri => $unused) { + if (!$request->contains($type_uri)) { + return new Auth_OpenID_AX_Error( + sprintf("Response attribute not present in request: %s", + $type_uri) + ); + } + } + + foreach ($request->iterAttrs() as $attr_info) { + // Copy the aliases from the request so that reading + // the response in light of the request is easier + if ($attr_info->alias === null) { + $aliases->add($attr_info->type_uri); + } else { + $alias = $aliases->addAlias($attr_info->type_uri, + $attr_info->alias); + + if ($alias === null) { + return new Auth_OpenID_AX_Error( + sprintf("Could not add alias %s for URI %s", + $attr_info->alias, $attr_info->type_uri) + ); + } + } + + if (array_key_exists($attr_info->type_uri, $this->data)) { + $values = $this->data[$attr_info->type_uri]; + } else { + $values = array(); + $zero_value_types[] = $attr_info; + } + + if (($attr_info->count != Auth_OpenID_AX_UNLIMITED_VALUES) && + ($attr_info->count < count($values))) { + return new Auth_OpenID_AX_Error( + sprintf("More than the number of requested values " . + "were specified for %s", + $attr_info->type_uri) + ); + } + } + } + + $kv_args = $this->_getExtensionKVArgs($aliases); + + // Add the KV args into the response with the args that are + // unique to the fetch_response + $ax_args = $this->_newArgs(); + + // For each requested attribute, put its type/alias and count + // into the response even if no data were returned. + foreach ($zero_value_types as $attr_info) { + $alias = $aliases->getAlias($attr_info->type_uri); + $kv_args['type.' . $alias] = $attr_info->type_uri; + $kv_args['count.' . $alias] = '0'; + } + + $update_url = null; + if ($request) { + $update_url = $request->update_url; + } else { + $update_url = $this->update_url; + } + + if ($update_url) { + $ax_args['update_url'] = $update_url; + } + + Auth_OpenID::update(&$ax_args, $kv_args); + + return $ax_args; + } + + /** + * @return $result Auth_OpenID_AX_Error on failure or true on + * success. + */ + function parseExtensionArgs($ax_args) + { + $result = parent::parseExtensionArgs($ax_args); + + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); + + return true; + } + + /** + * Construct a FetchResponse object from an OpenID library + * SuccessResponse object. + * + * @param success_response: A successful id_res response object + * + * @param signed: Whether non-signed args should be processsed. If + * True (the default), only signed arguments will be processsed. + * + * @return $response A FetchResponse containing the data from the + * OpenID message + */ + function &fromSuccessResponse($success_response, $signed=true) + { + $obj = new Auth_OpenID_AX_FetchResponse(); + if ($signed) { + $ax_args = $success_response->getSignedNS($obj->ns_uri); + } else { + $ax_args = $success_response->message->getArgs($obj->ns_uri); + } + + return $obj->parseExtensionArgs($ax_args); + } +} + +/** + * A store request attribute exchange message representation. + * + * @package OpenID + */ +class Auth_OpenID_AX_StoreRequest extends Auth_OpenID_AX_KeyValueMessage { + var $mode = 'store_request'; + + /** + * @param array $aliases The namespace aliases to use when making + * this store response. Leave as None to use defaults. + */ + function getExtensionArgs($aliases=null) + { + $ax_args = $this->_newArgs(); + $kv_args = $this->_getExtensionKVArgs($aliases); + Auth_OpenID::update(&$ax_args, $kv_args); + return $ax_args; + } +} + +/** + * An indication that the store request was processed along with this + * OpenID transaction. Use make(), NOT the constructor, to create + * response objects. + * + * @package OpenID + */ +class Auth_OpenID_AX_StoreResponse extends Auth_OpenID_AX_Message { + var $SUCCESS_MODE = 'store_response_success'; + var $FAILURE_MODE = 'store_response_failure'; + + /** + * Returns Auth_OpenID_AX_Error on error or an + * Auth_OpenID_AX_StoreResponse object on success. + */ + function &make($succeeded=true, $error_message=null) + { + if (($succeeded) && ($error_message !== null)) { + return new Auth_OpenID_AX_Error('An error message may only be '. + 'included in a failing fetch response'); + } + + return new Auth_OpenID_AX_StoreResponse($succeeded, $error_message); + } + + function Auth_OpenID_AX_StoreResponse($succeeded=true, $error_message=null) + { + if ($succeeded) { + $this->mode = $this->SUCCESS_MODE; + } else { + $this->mode = $this->FAILURE_MODE; + } + + $this->error_message = $error_message; + } + + /** + * Was this response a success response? + */ + function succeeded() + { + return $this->mode == $this->SUCCESS_MODE; + } + + function getExtensionArgs() + { + $ax_args = $this->_newArgs(); + if ((!$this->succeeded()) && $this->error_message) { + $ax_args['error'] = $this->error_message; + } + + return $ax_args; + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Association.php b/models/Auth.old/OpenID/Association.php new file mode 100644 index 000000000..904655fb4 --- /dev/null +++ b/models/Auth.old/OpenID/Association.php @@ -0,0 +1,613 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * @access private + */ +require_once 'Auth/OpenID/CryptUtil.php'; + +/** + * @access private + */ +require_once 'Auth/OpenID/KVForm.php'; + +/** + * @access private + */ +require_once 'Auth/OpenID/HMACSHA1.php'; + +/** + * This class represents an association between a server and a + * consumer. In general, users of this library will never see + * instances of this object. The only exception is if you implement a + * custom {@link Auth_OpenID_OpenIDStore}. + * + * If you do implement such a store, it will need to store the values + * of the handle, secret, issued, lifetime, and assoc_type instance + * variables. + * + * @package OpenID + */ +class Auth_OpenID_Association { + + /** + * This is a HMAC-SHA1 specific value. + * + * @access private + */ + var $SIG_LENGTH = 20; + + /** + * The ordering and name of keys as stored by serialize. + * + * @access private + */ + var $assoc_keys = array( + 'version', + 'handle', + 'secret', + 'issued', + 'lifetime', + 'assoc_type' + ); + + var $_macs = array( + 'HMAC-SHA1' => 'Auth_OpenID_HMACSHA1', + 'HMAC-SHA256' => 'Auth_OpenID_HMACSHA256' + ); + + /** + * This is an alternate constructor (factory method) used by the + * OpenID consumer library to create associations. OpenID store + * implementations shouldn't use this constructor. + * + * @access private + * + * @param integer $expires_in This is the amount of time this + * association is good for, measured in seconds since the + * association was issued. + * + * @param string $handle This is the handle the server gave this + * association. + * + * @param string secret This is the shared secret the server + * generated for this association. + * + * @param assoc_type This is the type of association this + * instance represents. The only valid values of this field at + * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may + * be defined in the future. + * + * @return association An {@link Auth_OpenID_Association} + * instance. + */ + function fromExpiresIn($expires_in, $handle, $secret, $assoc_type) + { + $issued = time(); + $lifetime = $expires_in; + return new Auth_OpenID_Association($handle, $secret, + $issued, $lifetime, $assoc_type); + } + + /** + * This is the standard constructor for creating an association. + * The library should create all of the necessary associations, so + * this constructor is not part of the external API. + * + * @access private + * + * @param string $handle This is the handle the server gave this + * association. + * + * @param string $secret This is the shared secret the server + * generated for this association. + * + * @param integer $issued This is the time this association was + * issued, in seconds since 00:00 GMT, January 1, 1970. (ie, a + * unix timestamp) + * + * @param integer $lifetime This is the amount of time this + * association is good for, measured in seconds since the + * association was issued. + * + * @param string $assoc_type This is the type of association this + * instance represents. The only valid values of this field at + * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may + * be defined in the future. + */ + function Auth_OpenID_Association( + $handle, $secret, $issued, $lifetime, $assoc_type) + { + if (!in_array($assoc_type, + Auth_OpenID_getSupportedAssociationTypes())) { + $fmt = 'Unsupported association type (%s)'; + trigger_error(sprintf($fmt, $assoc_type), E_USER_ERROR); + } + + $this->handle = $handle; + $this->secret = $secret; + $this->issued = $issued; + $this->lifetime = $lifetime; + $this->assoc_type = $assoc_type; + } + + /** + * This returns the number of seconds this association is still + * valid for, or 0 if the association is no longer valid. + * + * @return integer $seconds The number of seconds this association + * is still valid for, or 0 if the association is no longer valid. + */ + function getExpiresIn($now = null) + { + if ($now == null) { + $now = time(); + } + + return max(0, $this->issued + $this->lifetime - $now); + } + + /** + * This checks to see if two {@link Auth_OpenID_Association} + * instances represent the same association. + * + * @return bool $result true if the two instances represent the + * same association, false otherwise. + */ + function equal($other) + { + return ((gettype($this) == gettype($other)) + && ($this->handle == $other->handle) + && ($this->secret == $other->secret) + && ($this->issued == $other->issued) + && ($this->lifetime == $other->lifetime) + && ($this->assoc_type == $other->assoc_type)); + } + + /** + * Convert an association to KV form. + * + * @return string $result String in KV form suitable for + * deserialization by deserialize. + */ + function serialize() + { + $data = array( + 'version' => '2', + 'handle' => $this->handle, + 'secret' => base64_encode($this->secret), + 'issued' => strval(intval($this->issued)), + 'lifetime' => strval(intval($this->lifetime)), + 'assoc_type' => $this->assoc_type + ); + + assert(array_keys($data) == $this->assoc_keys); + + return Auth_OpenID_KVForm::fromArray($data, $strict = true); + } + + /** + * Parse an association as stored by serialize(). This is the + * inverse of serialize. + * + * @param string $assoc_s Association as serialized by serialize() + * @return Auth_OpenID_Association $result instance of this class + */ + function deserialize($class_name, $assoc_s) + { + $pairs = Auth_OpenID_KVForm::toArray($assoc_s, $strict = true); + $keys = array(); + $values = array(); + foreach ($pairs as $key => $value) { + if (is_array($value)) { + list($key, $value) = $value; + } + $keys[] = $key; + $values[] = $value; + } + + $class_vars = get_class_vars($class_name); + $class_assoc_keys = $class_vars['assoc_keys']; + + sort($keys); + sort($class_assoc_keys); + + if ($keys != $class_assoc_keys) { + trigger_error('Unexpected key values: ' . var_export($keys, true), + E_USER_WARNING); + return null; + } + + $version = $pairs['version']; + $handle = $pairs['handle']; + $secret = $pairs['secret']; + $issued = $pairs['issued']; + $lifetime = $pairs['lifetime']; + $assoc_type = $pairs['assoc_type']; + + if ($version != '2') { + trigger_error('Unknown version: ' . $version, E_USER_WARNING); + return null; + } + + $issued = intval($issued); + $lifetime = intval($lifetime); + $secret = base64_decode($secret); + + return new $class_name( + $handle, $secret, $issued, $lifetime, $assoc_type); + } + + /** + * Generate a signature for a sequence of (key, value) pairs + * + * @access private + * @param array $pairs The pairs to sign, in order. This is an + * array of two-tuples. + * @return string $signature The binary signature of this sequence + * of pairs + */ + function sign($pairs) + { + $kv = Auth_OpenID_KVForm::fromArray($pairs); + + /* Invalid association types should be caught at constructor */ + $callback = $this->_macs[$this->assoc_type]; + + return call_user_func_array($callback, array($this->secret, $kv)); + } + + /** + * Generate a signature for some fields in a dictionary + * + * @access private + * @param array $fields The fields to sign, in order; this is an + * array of strings. + * @param array $data Dictionary of values to sign (an array of + * string => string pairs). + * @return string $signature The signature, base64 encoded + */ + function signMessage($message) + { + if ($message->hasKey(Auth_OpenID_OPENID_NS, 'sig') || + $message->hasKey(Auth_OpenID_OPENID_NS, 'signed')) { + // Already has a sig + return null; + } + + $extant_handle = $message->getArg(Auth_OpenID_OPENID_NS, + 'assoc_handle'); + + if ($extant_handle && ($extant_handle != $this->handle)) { + // raise ValueError("Message has a different association handle") + return null; + } + + $signed_message = $message; + $signed_message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', + $this->handle); + + $message_keys = array_keys($signed_message->toPostArgs()); + $signed_list = array(); + $signed_prefix = 'openid.'; + + foreach ($message_keys as $k) { + if (strpos($k, $signed_prefix) === 0) { + $signed_list[] = substr($k, strlen($signed_prefix)); + } + } + + $signed_list[] = 'signed'; + sort($signed_list); + + $signed_message->setArg(Auth_OpenID_OPENID_NS, 'signed', + implode(',', $signed_list)); + $sig = $this->getMessageSignature($signed_message); + $signed_message->setArg(Auth_OpenID_OPENID_NS, 'sig', $sig); + return $signed_message; + } + + /** + * Given a {@link Auth_OpenID_Message}, return the key/value pairs + * to be signed according to the signed list in the message. If + * the message lacks a signed list, return null. + * + * @access private + */ + function _makePairs(&$message) + { + $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); + if (!$signed) { + // raise ValueError('Message has no signed list: %s' % (message,)) + return null; + } + + $signed_list = explode(',', $signed); + $pairs = array(); + $data = $message->toPostArgs(); + foreach ($signed_list as $field) { + $pairs[] = array($field, Auth_OpenID::arrayGet($data, + 'openid.' . + $field, '')); + } + return $pairs; + } + + /** + * Given an {@link Auth_OpenID_Message}, return the signature for + * the signed list in the message. + * + * @access private + */ + function getMessageSignature(&$message) + { + $pairs = $this->_makePairs($message); + return base64_encode($this->sign($pairs)); + } + + /** + * Confirm that the signature of these fields matches the + * signature contained in the data. + * + * @access private + */ + function checkMessageSignature(&$message) + { + $sig = $message->getArg(Auth_OpenID_OPENID_NS, + 'sig'); + + if (!$sig) { + return false; + } + + $calculated_sig = $this->getMessageSignature($message); + return $calculated_sig == $sig; + } +} + +function Auth_OpenID_getSecretSize($assoc_type) +{ + if ($assoc_type == 'HMAC-SHA1') { + return 20; + } else if ($assoc_type == 'HMAC-SHA256') { + return 32; + } else { + return null; + } +} + +function Auth_OpenID_getAllAssociationTypes() +{ + return array('HMAC-SHA1', 'HMAC-SHA256'); +} + +function Auth_OpenID_getSupportedAssociationTypes() +{ + $a = array('HMAC-SHA1'); + + if (Auth_OpenID_HMACSHA256_SUPPORTED) { + $a[] = 'HMAC-SHA256'; + } + + return $a; +} + +function Auth_OpenID_getSessionTypes($assoc_type) +{ + $assoc_to_session = array( + 'HMAC-SHA1' => array('DH-SHA1', 'no-encryption')); + + if (Auth_OpenID_HMACSHA256_SUPPORTED) { + $assoc_to_session['HMAC-SHA256'] = + array('DH-SHA256', 'no-encryption'); + } + + return Auth_OpenID::arrayGet($assoc_to_session, $assoc_type, array()); +} + +function Auth_OpenID_checkSessionType($assoc_type, $session_type) +{ + if (!in_array($session_type, + Auth_OpenID_getSessionTypes($assoc_type))) { + return false; + } + + return true; +} + +function Auth_OpenID_getDefaultAssociationOrder() +{ + $order = array(); + + if (!Auth_OpenID_noMathSupport()) { + $order[] = array('HMAC-SHA1', 'DH-SHA1'); + + if (Auth_OpenID_HMACSHA256_SUPPORTED) { + $order[] = array('HMAC-SHA256', 'DH-SHA256'); + } + } + + $order[] = array('HMAC-SHA1', 'no-encryption'); + + if (Auth_OpenID_HMACSHA256_SUPPORTED) { + $order[] = array('HMAC-SHA256', 'no-encryption'); + } + + return $order; +} + +function Auth_OpenID_getOnlyEncryptedOrder() +{ + $result = array(); + + foreach (Auth_OpenID_getDefaultAssociationOrder() as $pair) { + list($assoc, $session) = $pair; + + if ($session != 'no-encryption') { + if (Auth_OpenID_HMACSHA256_SUPPORTED && + ($assoc == 'HMAC-SHA256')) { + $result[] = $pair; + } else if ($assoc != 'HMAC-SHA256') { + $result[] = $pair; + } + } + } + + return $result; +} + +function &Auth_OpenID_getDefaultNegotiator() +{ + $x = new Auth_OpenID_SessionNegotiator( + Auth_OpenID_getDefaultAssociationOrder()); + return $x; +} + +function &Auth_OpenID_getEncryptedNegotiator() +{ + $x = new Auth_OpenID_SessionNegotiator( + Auth_OpenID_getOnlyEncryptedOrder()); + return $x; +} + +/** + * A session negotiator controls the allowed and preferred association + * types and association session types. Both the {@link + * Auth_OpenID_Consumer} and {@link Auth_OpenID_Server} use + * negotiators when creating associations. + * + * You can create and use negotiators if you: + + * - Do not want to do Diffie-Hellman key exchange because you use + * transport-layer encryption (e.g. SSL) + * + * - Want to use only SHA-256 associations + * + * - Do not want to support plain-text associations over a non-secure + * channel + * + * It is up to you to set a policy for what kinds of associations to + * accept. By default, the library will make any kind of association + * that is allowed in the OpenID 2.0 specification. + * + * Use of negotiators in the library + * ================================= + * + * When a consumer makes an association request, it calls {@link + * getAllowedType} to get the preferred association type and + * association session type. + * + * The server gets a request for a particular association/session type + * and calls {@link isAllowed} to determine if it should create an + * association. If it is supported, negotiation is complete. If it is + * not, the server calls {@link getAllowedType} to get an allowed + * association type to return to the consumer. + * + * If the consumer gets an error response indicating that the + * requested association/session type is not supported by the server + * that contains an assocation/session type to try, it calls {@link + * isAllowed} to determine if it should try again with the given + * combination of association/session type. + * + * @package OpenID + */ +class Auth_OpenID_SessionNegotiator { + function Auth_OpenID_SessionNegotiator($allowed_types) + { + $this->allowed_types = array(); + $this->setAllowedTypes($allowed_types); + } + + /** + * Set the allowed association types, checking to make sure each + * combination is valid. + * + * @access private + */ + function setAllowedTypes($allowed_types) + { + foreach ($allowed_types as $pair) { + list($assoc_type, $session_type) = $pair; + if (!Auth_OpenID_checkSessionType($assoc_type, $session_type)) { + return false; + } + } + + $this->allowed_types = $allowed_types; + return true; + } + + /** + * Add an association type and session type to the allowed types + * list. The assocation/session pairs are tried in the order that + * they are added. + * + * @access private + */ + function addAllowedType($assoc_type, $session_type = null) + { + if ($this->allowed_types === null) { + $this->allowed_types = array(); + } + + if ($session_type === null) { + $available = Auth_OpenID_getSessionTypes($assoc_type); + + if (!$available) { + return false; + } + + foreach ($available as $session_type) { + $this->addAllowedType($assoc_type, $session_type); + } + } else { + if (Auth_OpenID_checkSessionType($assoc_type, $session_type)) { + $this->allowed_types[] = array($assoc_type, $session_type); + } else { + return false; + } + } + + return true; + } + + // Is this combination of association type and session type allowed? + function isAllowed($assoc_type, $session_type) + { + $assoc_good = in_array(array($assoc_type, $session_type), + $this->allowed_types); + + $matches = in_array($session_type, + Auth_OpenID_getSessionTypes($assoc_type)); + + return ($assoc_good && $matches); + } + + /** + * Get a pair of assocation type and session type that are + * supported. + */ + function getAllowedType() + { + if (!$this->allowed_types) { + return array(null, null); + } + + return $this->allowed_types[0]; + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/BigMath.php b/models/Auth.old/OpenID/BigMath.php new file mode 100644 index 000000000..d99414e02 --- /dev/null +++ b/models/Auth.old/OpenID/BigMath.php @@ -0,0 +1,471 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * Needed for random number generation + */ +require_once 'Auth/OpenID/CryptUtil.php'; + +/** + * Need Auth_OpenID::bytes(). + */ +require_once 'Auth/OpenID.php'; + +/** + * The superclass of all big-integer math implementations + * @access private + * @package OpenID + */ +class Auth_OpenID_MathLibrary { + /** + * Given a long integer, returns the number converted to a binary + * string. This function accepts long integer values of arbitrary + * magnitude and uses the local large-number math library when + * available. + * + * @param integer $long The long number (can be a normal PHP + * integer or a number created by one of the available long number + * libraries) + * @return string $binary The binary version of $long + */ + function longToBinary($long) + { + $cmp = $this->cmp($long, 0); + if ($cmp < 0) { + $msg = __FUNCTION__ . " takes only positive integers."; + trigger_error($msg, E_USER_ERROR); + return null; + } + + if ($cmp == 0) { + return "\x00"; + } + + $bytes = array(); + + while ($this->cmp($long, 0) > 0) { + array_unshift($bytes, $this->mod($long, 256)); + $long = $this->div($long, pow(2, 8)); + } + + if ($bytes && ($bytes[0] > 127)) { + array_unshift($bytes, 0); + } + + $string = ''; + foreach ($bytes as $byte) { + $string .= pack('C', $byte); + } + + return $string; + } + + /** + * Given a binary string, returns the binary string converted to a + * long number. + * + * @param string $binary The binary version of a long number, + * probably as a result of calling longToBinary + * @return integer $long The long number equivalent of the binary + * string $str + */ + function binaryToLong($str) + { + if ($str === null) { + return null; + } + + // Use array_merge to return a zero-indexed array instead of a + // one-indexed array. + $bytes = array_merge(unpack('C*', $str)); + + $n = $this->init(0); + + if ($bytes && ($bytes[0] > 127)) { + trigger_error("bytesToNum works only for positive integers.", + E_USER_WARNING); + return null; + } + + foreach ($bytes as $byte) { + $n = $this->mul($n, pow(2, 8)); + $n = $this->add($n, $byte); + } + + return $n; + } + + function base64ToLong($str) + { + $b64 = base64_decode($str); + + if ($b64 === false) { + return false; + } + + return $this->binaryToLong($b64); + } + + function longToBase64($str) + { + return base64_encode($this->longToBinary($str)); + } + + /** + * Returns a random number in the specified range. This function + * accepts $start, $stop, and $step values of arbitrary magnitude + * and will utilize the local large-number math library when + * available. + * + * @param integer $start The start of the range, or the minimum + * random number to return + * @param integer $stop The end of the range, or the maximum + * random number to return + * @param integer $step The step size, such that $result - ($step + * * N) = $start for some N + * @return integer $result The resulting randomly-generated number + */ + function rand($stop) + { + static $duplicate_cache = array(); + + // Used as the key for the duplicate cache + $rbytes = $this->longToBinary($stop); + + if (array_key_exists($rbytes, $duplicate_cache)) { + list($duplicate, $nbytes) = $duplicate_cache[$rbytes]; + } else { + if ($rbytes[0] == "\x00") { + $nbytes = Auth_OpenID::bytes($rbytes) - 1; + } else { + $nbytes = Auth_OpenID::bytes($rbytes); + } + + $mxrand = $this->pow(256, $nbytes); + + // If we get a number less than this, then it is in the + // duplicated range. + $duplicate = $this->mod($mxrand, $stop); + + if (count($duplicate_cache) > 10) { + $duplicate_cache = array(); + } + + $duplicate_cache[$rbytes] = array($duplicate, $nbytes); + } + + do { + $bytes = "\x00" . Auth_OpenID_CryptUtil::getBytes($nbytes); + $n = $this->binaryToLong($bytes); + // Keep looping if this value is in the low duplicated range + } while ($this->cmp($n, $duplicate) < 0); + + return $this->mod($n, $stop); + } +} + +/** + * Exposes BCmath math library functionality. + * + * {@link Auth_OpenID_BcMathWrapper} wraps the functionality provided + * by the BCMath extension. + * + * @access private + * @package OpenID + */ +class Auth_OpenID_BcMathWrapper extends Auth_OpenID_MathLibrary{ + var $type = 'bcmath'; + + function add($x, $y) + { + return bcadd($x, $y); + } + + function sub($x, $y) + { + return bcsub($x, $y); + } + + function pow($base, $exponent) + { + return bcpow($base, $exponent); + } + + function cmp($x, $y) + { + return bccomp($x, $y); + } + + function init($number, $base = 10) + { + return $number; + } + + function mod($base, $modulus) + { + return bcmod($base, $modulus); + } + + function mul($x, $y) + { + return bcmul($x, $y); + } + + function div($x, $y) + { + return bcdiv($x, $y); + } + + /** + * Same as bcpowmod when bcpowmod is missing + * + * @access private + */ + function _powmod($base, $exponent, $modulus) + { + $square = $this->mod($base, $modulus); + $result = 1; + while($this->cmp($exponent, 0) > 0) { + if ($this->mod($exponent, 2)) { + $result = $this->mod($this->mul($result, $square), $modulus); + } + $square = $this->mod($this->mul($square, $square), $modulus); + $exponent = $this->div($exponent, 2); + } + return $result; + } + + function powmod($base, $exponent, $modulus) + { + if (function_exists('bcpowmod')) { + return bcpowmod($base, $exponent, $modulus); + } else { + return $this->_powmod($base, $exponent, $modulus); + } + } + + function toString($num) + { + return $num; + } +} + +/** + * Exposes GMP math library functionality. + * + * {@link Auth_OpenID_GmpMathWrapper} wraps the functionality provided + * by the GMP extension. + * + * @access private + * @package OpenID + */ +class Auth_OpenID_GmpMathWrapper extends Auth_OpenID_MathLibrary{ + var $type = 'gmp'; + + function add($x, $y) + { + return gmp_add($x, $y); + } + + function sub($x, $y) + { + return gmp_sub($x, $y); + } + + function pow($base, $exponent) + { + return gmp_pow($base, $exponent); + } + + function cmp($x, $y) + { + return gmp_cmp($x, $y); + } + + function init($number, $base = 10) + { + return gmp_init($number, $base); + } + + function mod($base, $modulus) + { + return gmp_mod($base, $modulus); + } + + function mul($x, $y) + { + return gmp_mul($x, $y); + } + + function div($x, $y) + { + return gmp_div_q($x, $y); + } + + function powmod($base, $exponent, $modulus) + { + return gmp_powm($base, $exponent, $modulus); + } + + function toString($num) + { + return gmp_strval($num); + } +} + +/** + * Define the supported extensions. An extension array has keys + * 'modules', 'extension', and 'class'. 'modules' is an array of PHP + * module names which the loading code will attempt to load. These + * values will be suffixed with a library file extension (e.g. ".so"). + * 'extension' is the name of a PHP extension which will be tested + * before 'modules' are loaded. 'class' is the string name of a + * {@link Auth_OpenID_MathWrapper} subclass which should be + * instantiated if a given extension is present. + * + * You can define new math library implementations and add them to + * this array. + */ +function Auth_OpenID_math_extensions() +{ + $result = array(); + + if (!defined('Auth_OpenID_BUGGY_GMP')) { + $result[] = + array('modules' => array('gmp', 'php_gmp'), + 'extension' => 'gmp', + 'class' => 'Auth_OpenID_GmpMathWrapper'); + } + + $result[] = array( + 'modules' => array('bcmath', 'php_bcmath'), + 'extension' => 'bcmath', + 'class' => 'Auth_OpenID_BcMathWrapper'); + + return $result; +} + +/** + * Detect which (if any) math library is available + */ +function Auth_OpenID_detectMathLibrary($exts) +{ + $loaded = false; + + foreach ($exts as $extension) { + // See if the extension specified is already loaded. + if ($extension['extension'] && + extension_loaded($extension['extension'])) { + $loaded = true; + } + + // Try to load dynamic modules. + if (!$loaded) { + foreach ($extension['modules'] as $module) { + if (dl($module . "." . PHP_SHLIB_SUFFIX)) { + $loaded = true; + break; + } + } + } + + // If the load succeeded, supply an instance of + // Auth_OpenID_MathWrapper which wraps the specified + // module's functionality. + if ($loaded) { + return $extension; + } + } + + return false; +} + +/** + * {@link Auth_OpenID_getMathLib} checks for the presence of long + * number extension modules and returns an instance of + * {@link Auth_OpenID_MathWrapper} which exposes the module's + * functionality. + * + * Checks for the existence of an extension module described by the + * result of {@link Auth_OpenID_math_extensions()} and returns an + * instance of a wrapper for that extension module. If no extension + * module is found, an instance of {@link Auth_OpenID_MathWrapper} is + * returned, which wraps the native PHP integer implementation. The + * proper calling convention for this method is $lib =& + * Auth_OpenID_getMathLib(). + * + * This function checks for the existence of specific long number + * implementations in the following order: GMP followed by BCmath. + * + * @return Auth_OpenID_MathWrapper $instance An instance of + * {@link Auth_OpenID_MathWrapper} or one of its subclasses + * + * @package OpenID + */ +function &Auth_OpenID_getMathLib() +{ + // The instance of Auth_OpenID_MathWrapper that we choose to + // supply will be stored here, so that subseqent calls to this + // method will return a reference to the same object. + static $lib = null; + + if (isset($lib)) { + return $lib; + } + + if (Auth_OpenID_noMathSupport()) { + $null = null; + return $null; + } + + // If this method has not been called before, look at + // Auth_OpenID_math_extensions and try to find an extension that + // works. + $ext = Auth_OpenID_detectMathLibrary(Auth_OpenID_math_extensions()); + if ($ext === false) { + $tried = array(); + foreach (Auth_OpenID_math_extensions() as $extinfo) { + $tried[] = $extinfo['extension']; + } + $triedstr = implode(", ", $tried); + + Auth_OpenID_setNoMathSupport(); + + $result = null; + return $result; + } + + // Instantiate a new wrapper + $class = $ext['class']; + $lib = new $class(); + + return $lib; +} + +function Auth_OpenID_setNoMathSupport() +{ + if (!defined('Auth_OpenID_NO_MATH_SUPPORT')) { + define('Auth_OpenID_NO_MATH_SUPPORT', true); + } +} + +function Auth_OpenID_noMathSupport() +{ + return defined('Auth_OpenID_NO_MATH_SUPPORT'); +} + +?> diff --git a/models/Auth.old/OpenID/Consumer.php b/models/Auth.old/OpenID/Consumer.php new file mode 100644 index 000000000..47ee61e8f --- /dev/null +++ b/models/Auth.old/OpenID/Consumer.php @@ -0,0 +1,2189 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * Require utility classes and functions for the consumer. + */ +require_once "Auth/OpenID.php"; +require_once "Auth/OpenID/Message.php"; +require_once "Auth/OpenID/HMACSHA1.php"; +require_once "Auth/OpenID/Association.php"; +require_once "Auth/OpenID/CryptUtil.php"; +require_once "Auth/OpenID/DiffieHellman.php"; +require_once "Auth/OpenID/KVForm.php"; +require_once "Auth/OpenID/Nonce.php"; +require_once "Auth/OpenID/Discover.php"; +require_once "Auth/Yadis/Manager.php"; +require_once "Auth/Yadis/XRI.php"; + +/** + * This is the status code returned when the complete method returns + * successfully. + */ +define('Auth_OpenID_SUCCESS', 'success'); + +/** + * Status to indicate cancellation of OpenID authentication. + */ +define('Auth_OpenID_CANCEL', 'cancel'); + +/** + * This is the status code completeAuth returns when the value it + * received indicated an invalid login. + */ +define('Auth_OpenID_FAILURE', 'failure'); + +/** + * This is the status code completeAuth returns when the + * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the + * identity server sends back a URL to send the user to to complete his + * or her login. + */ +define('Auth_OpenID_SETUP_NEEDED', 'setup needed'); + +/** + * This is the status code beginAuth returns when the page fetched + * from the entered OpenID URL doesn't contain the necessary link tags + * to function as an identity page. + */ +define('Auth_OpenID_PARSE_ERROR', 'parse error'); + +/** + * An OpenID consumer implementation that performs discovery and does + * session management. See the Consumer.php file documentation for + * more information. + * + * @package OpenID + */ +class Auth_OpenID_Consumer { + + /** + * @access private + */ + var $discoverMethod = 'Auth_OpenID_discover'; + + /** + * @access private + */ + var $session_key_prefix = "_openid_consumer_"; + + /** + * @access private + */ + var $_token_suffix = "last_token"; + + /** + * Initialize a Consumer instance. + * + * You should create a new instance of the Consumer object with + * every HTTP request that handles OpenID transactions. + * + * @param Auth_OpenID_OpenIDStore $store This must be an object + * that implements the interface in {@link + * Auth_OpenID_OpenIDStore}. Several concrete implementations are + * provided, to cover most common use cases. For stores backed by + * MySQL, PostgreSQL, or SQLite, see the {@link + * Auth_OpenID_SQLStore} class and its sublcasses. For a + * filesystem-backed store, see the {@link Auth_OpenID_FileStore} + * module. As a last resort, if it isn't possible for the server + * to store state at all, an instance of {@link + * Auth_OpenID_DumbStore} can be used. + * + * @param mixed $session An object which implements the interface + * of the {@link Auth_Yadis_PHPSession} class. Particularly, this + * object is expected to have these methods: get($key), set($key), + * $value), and del($key). This defaults to a session object + * which wraps PHP's native session machinery. You should only + * need to pass something here if you have your own sessioning + * implementation. + * + * @param str $consumer_cls The name of the class to instantiate + * when creating the internal consumer object. This is used for + * testing. + */ + function Auth_OpenID_Consumer(&$store, $session = null, + $consumer_cls = null) + { + if ($session === null) { + $session = new Auth_Yadis_PHPSession(); + } + + $this->session =& $session; + + if ($consumer_cls !== null) { + $this->consumer =& new $consumer_cls($store); + } else { + $this->consumer =& new Auth_OpenID_GenericConsumer($store); + } + + $this->_token_key = $this->session_key_prefix . $this->_token_suffix; + } + + /** + * Used in testing to define the discovery mechanism. + * + * @access private + */ + function getDiscoveryObject(&$session, $openid_url, + $session_key_prefix) + { + return new Auth_Yadis_Discovery($session, $openid_url, + $session_key_prefix); + } + + /** + * Start the OpenID authentication process. See steps 1-2 in the + * overview at the top of this file. + * + * @param string $user_url Identity URL given by the user. This + * method performs a textual transformation of the URL to try and + * make sure it is normalized. For example, a user_url of + * example.com will be normalized to http://example.com/ + * normalizing and resolving any redirects the server might issue. + * + * @param bool $anonymous True if the OpenID request is to be sent + * to the server without any identifier information. Use this + * when you want to transport data but don't want to do OpenID + * authentication with identifiers. + * + * @return Auth_OpenID_AuthRequest $auth_request An object + * containing the discovered information will be returned, with a + * method for building a redirect URL to the server, as described + * in step 3 of the overview. This object may also be used to add + * extension arguments to the request, using its 'addExtensionArg' + * method. + */ + function begin($user_url, $anonymous=false) + { + $openid_url = $user_url; + + $disco = $this->getDiscoveryObject($this->session, + $openid_url, + $this->session_key_prefix); + + // Set the 'stale' attribute of the manager. If discovery + // fails in a fatal way, the stale flag will cause the manager + // to be cleaned up next time discovery is attempted. + + $m = $disco->getManager(); + $loader = new Auth_Yadis_ManagerLoader(); + + if ($m) { + if ($m->stale) { + $disco->destroyManager(); + } else { + $m->stale = true; + $disco->session->set($disco->session_key, + serialize($loader->toSession($m))); + } + } + + $endpoint = $disco->getNextService($this->discoverMethod, + $this->consumer->fetcher); + + // Reset the 'stale' attribute of the manager. + $m =& $disco->getManager(); + if ($m) { + $m->stale = false; + $disco->session->set($disco->session_key, + serialize($loader->toSession($m))); + } + + if ($endpoint === null) { + return null; + } else { + return $this->beginWithoutDiscovery($endpoint, + $anonymous); + } + } + + /** + * Start OpenID verification without doing OpenID server + * discovery. This method is used internally by Consumer.begin + * after discovery is performed, and exists to provide an + * interface for library users needing to perform their own + * discovery. + * + * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service + * endpoint descriptor. + * + * @param bool anonymous Set to true if you want to perform OpenID + * without identifiers. + * + * @return Auth_OpenID_AuthRequest $auth_request An OpenID + * authentication request object. + */ + function &beginWithoutDiscovery($endpoint, $anonymous=false) + { + $loader = new Auth_OpenID_ServiceEndpointLoader(); + $auth_req = $this->consumer->begin($endpoint); + $this->session->set($this->_token_key, + $loader->toSession($auth_req->endpoint)); + if (!$auth_req->setAnonymous($anonymous)) { + return new Auth_OpenID_FailureResponse(null, + "OpenID 1 requests MUST include the identifier " . + "in the request."); + } + return $auth_req; + } + + /** + * Called to interpret the server's response to an OpenID + * request. It is called in step 4 of the flow described in the + * consumer overview. + * + * @param array $query An array of the query parameters (key => + * value pairs) for this HTTP request. Defaults to null. If + * null, the GET or POST data are automatically gotten from the + * PHP environment. It is only useful to override $query for + * testing. + * + * @return Auth_OpenID_ConsumerResponse $response A instance of an + * Auth_OpenID_ConsumerResponse subclass. The type of response is + * indicated by the status attribute, which will be one of + * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED. + */ + function complete($return_to, $query=null) + { + if ($return_to && !is_string($return_to)) { + // This is ugly, but we need to complain loudly when + // someone uses the API incorrectly. + trigger_error("return_to must be a string; see NEWS file " . + "for upgrading notes.", + E_USER_ERROR); + } + + if ($query === null) { + $query = Auth_OpenID::getQuery(); + } + + $loader = new Auth_OpenID_ServiceEndpointLoader(); + $endpoint_data = $this->session->get($this->_token_key); + $endpoint = + $loader->fromSession($endpoint_data); + + $message = Auth_OpenID_Message::fromPostArgs($query); + $response = $this->consumer->complete($message, $endpoint, $return_to); + $this->session->del($this->_token_key); + + if (in_array($response->status, array(Auth_OpenID_SUCCESS, + Auth_OpenID_CANCEL))) { + if ($response->identity_url !== null) { + $disco = $this->getDiscoveryObject($this->session, + $response->identity_url, + $this->session_key_prefix); + $disco->cleanup(true); + } + } + + return $response; + } +} + +/** + * A class implementing HMAC/DH-SHA1 consumer sessions. + * + * @package OpenID + */ +class Auth_OpenID_DiffieHellmanSHA1ConsumerSession { + var $session_type = 'DH-SHA1'; + var $hash_func = 'Auth_OpenID_SHA1'; + var $secret_size = 20; + var $allowed_assoc_types = array('HMAC-SHA1'); + + function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null) + { + if ($dh === null) { + $dh = new Auth_OpenID_DiffieHellman(); + } + + $this->dh = $dh; + } + + function getRequest() + { + $math =& Auth_OpenID_getMathLib(); + + $cpub = $math->longToBase64($this->dh->public); + + $args = array('dh_consumer_public' => $cpub); + + if (!$this->dh->usingDefaultValues()) { + $args = array_merge($args, array( + 'dh_modulus' => + $math->longToBase64($this->dh->mod), + 'dh_gen' => + $math->longToBase64($this->dh->gen))); + } + + return $args; + } + + function extractSecret($response) + { + if (!$response->hasKey(Auth_OpenID_OPENID_NS, + 'dh_server_public')) { + return null; + } + + if (!$response->hasKey(Auth_OpenID_OPENID_NS, + 'enc_mac_key')) { + return null; + } + + $math =& Auth_OpenID_getMathLib(); + + $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS, + 'dh_server_public')); + $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS, + 'enc_mac_key')); + + return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func); + } +} + +/** + * A class implementing HMAC/DH-SHA256 consumer sessions. + * + * @package OpenID + */ +class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends + Auth_OpenID_DiffieHellmanSHA1ConsumerSession { + var $session_type = 'DH-SHA256'; + var $hash_func = 'Auth_OpenID_SHA256'; + var $secret_size = 32; + var $allowed_assoc_types = array('HMAC-SHA256'); +} + +/** + * A class implementing plaintext consumer sessions. + * + * @package OpenID + */ +class Auth_OpenID_PlainTextConsumerSession { + var $session_type = 'no-encryption'; + var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); + + function getRequest() + { + return array(); + } + + function extractSecret($response) + { + if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) { + return null; + } + + return base64_decode($response->getArg(Auth_OpenID_OPENID_NS, + 'mac_key')); + } +} + +/** + * Returns available session types. + */ +function Auth_OpenID_getAvailableSessionTypes() +{ + $types = array( + 'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession', + 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession', + 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession'); + + return $types; +} + +/** + * This class is the interface to the OpenID consumer logic. + * Instances of it maintain no per-request state, so they can be + * reused (or even used by multiple threads concurrently) as needed. + * + * @package OpenID + */ +class Auth_OpenID_GenericConsumer { + /** + * @access private + */ + var $discoverMethod = 'Auth_OpenID_discover'; + + /** + * This consumer's store object. + */ + var $store; + + /** + * @access private + */ + var $_use_assocs; + + /** + * @access private + */ + var $openid1_nonce_query_arg_name = 'janrain_nonce'; + + /** + * Another query parameter that gets added to the return_to for + * OpenID 1; if the user's session state is lost, use this claimed + * identifier to do discovery when verifying the response. + */ + var $openid1_return_to_identifier_name = 'openid1_claimed_id'; + + /** + * This method initializes a new {@link Auth_OpenID_Consumer} + * instance to access the library. + * + * @param Auth_OpenID_OpenIDStore $store This must be an object + * that implements the interface in {@link Auth_OpenID_OpenIDStore}. + * Several concrete implementations are provided, to cover most common use + * cases. For stores backed by MySQL, PostgreSQL, or SQLite, see + * the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a + * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module. + * As a last resort, if it isn't possible for the server to store + * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used. + * + * @param bool $immediate This is an optional boolean value. It + * controls whether the library uses immediate mode, as explained + * in the module description. The default value is False, which + * disables immediate mode. + */ + function Auth_OpenID_GenericConsumer(&$store) + { + $this->store =& $store; + $this->negotiator =& Auth_OpenID_getDefaultNegotiator(); + $this->_use_assocs = ($this->store ? true : false); + + $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); + + $this->session_types = Auth_OpenID_getAvailableSessionTypes(); + } + + /** + * Called to begin OpenID authentication using the specified + * {@link Auth_OpenID_ServiceEndpoint}. + * + * @access private + */ + function begin($service_endpoint) + { + $assoc = $this->_getAssociation($service_endpoint); + $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); + $r->return_to_args[$this->openid1_nonce_query_arg_name] = + Auth_OpenID_mkNonce(); + + if ($r->message->isOpenID1()) { + $r->return_to_args[$this->openid1_return_to_identifier_name] = + $r->endpoint->claimed_id; + } + + return $r; + } + + /** + * Given an {@link Auth_OpenID_Message}, {@link + * Auth_OpenID_ServiceEndpoint} and optional return_to URL, + * complete OpenID authentication. + * + * @access private + */ + function complete($message, $endpoint, $return_to) + { + $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', + ''); + + $mode_methods = array( + 'cancel' => '_complete_cancel', + 'error' => '_complete_error', + 'setup_needed' => '_complete_setup_needed', + 'id_res' => '_complete_id_res', + ); + + $method = Auth_OpenID::arrayGet($mode_methods, $mode, + '_completeInvalid'); + + return call_user_func_array(array(&$this, $method), + array($message, $endpoint, $return_to)); + } + + /** + * @access private + */ + function _completeInvalid($message, &$endpoint, $unused) + { + $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', + ''); + + return new Auth_OpenID_FailureResponse($endpoint, + sprintf("Invalid openid.mode '%s'", $mode)); + } + + /** + * @access private + */ + function _complete_cancel($message, &$endpoint, $unused) + { + return new Auth_OpenID_CancelResponse($endpoint); + } + + /** + * @access private + */ + function _complete_error($message, &$endpoint, $unused) + { + $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error'); + $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact'); + $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference'); + + return new Auth_OpenID_FailureResponse($endpoint, $error, + $contact, $reference); + } + + /** + * @access private + */ + function _complete_setup_needed($message, &$endpoint, $unused) + { + if (!$message->isOpenID2()) { + return $this->_completeInvalid($message, $endpoint); + } + + return new Auth_OpenID_SetupNeededResponse($endpoint); + } + + /** + * @access private + */ + function _complete_id_res($message, &$endpoint, $return_to) + { + $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, + 'user_setup_url'); + + if ($this->_checkSetupNeeded($message)) { + return SetupNeededResponse($endpoint, $user_setup_url); + } else { + return $this->_doIdRes($message, $endpoint, $return_to); + } + } + + /** + * @access private + */ + function _checkSetupNeeded($message) + { + // In OpenID 1, we check to see if this is a cancel from + // immediate mode by the presence of the user_setup_url + // parameter. + if ($message->isOpenID1()) { + $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, + 'user_setup_url'); + if ($user_setup_url !== null) { + return true; + } + } + + return false; + } + + /** + * @access private + */ + function _doIdRes($message, $endpoint, $return_to) + { + // Checks for presence of appropriate fields (and checks + // signed list fields) + $result = $this->_idResCheckForFields($message); + + if (Auth_OpenID::isFailure($result)) { + return $result; + } + + if (!$this->_checkReturnTo($message, $return_to)) { + return new Auth_OpenID_FailureResponse(null, + sprintf("return_to does not match return URL. Expected %s, got %s", + $return_to, + $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'))); + } + + // Verify discovery information: + $result = $this->_verifyDiscoveryResults($message, $endpoint); + + if (Auth_OpenID::isFailure($result)) { + return $result; + } + + $endpoint = $result; + + $result = $this->_idResCheckSignature($message, + $endpoint->server_url); + + if (Auth_OpenID::isFailure($result)) { + return $result; + } + + $result = $this->_idResCheckNonce($message, $endpoint); + + if (Auth_OpenID::isFailure($result)) { + return $result; + } + + $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', + Auth_OpenID_NO_DEFAULT); + $signed_list = explode(',', $signed_list_str); + + $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid."); + + return new Auth_OpenID_SuccessResponse($endpoint, $message, + $signed_fields); + + } + + /** + * @access private + */ + function _checkReturnTo($message, $return_to) + { + // Check an OpenID message and its openid.return_to value + // against a return_to URL from an application. Return True + // on success, False on failure. + + // Check the openid.return_to args against args in the + // original message. + $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs( + $message->toPostArgs()); + if (Auth_OpenID::isFailure($result)) { + return false; + } + + // Check the return_to base URL against the one in the + // message. + $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, + 'return_to'); + + $return_to_parts = parse_url($return_to); + $msg_return_to_parts = parse_url($msg_return_to); + + // If port is absent from both, add it so it's equal in the + // check below. + if ((!array_key_exists('port', $return_to_parts)) && + (!array_key_exists('port', $msg_return_to_parts))) { + $return_to_parts['port'] = null; + $msg_return_to_parts['port'] = null; + } + + // If path is absent from both, add it so it's equal in the + // check below. + if ((!array_key_exists('path', $return_to_parts)) && + (!array_key_exists('path', $msg_return_to_parts))) { + $return_to_parts['path'] = null; + $msg_return_to_parts['path'] = null; + } + + // The URL scheme, authority, and path MUST be the same + // between the two URLs. + foreach (array('scheme', 'host', 'port', 'path') as $component) { + // If the url component is absent in either URL, fail. + // There should always be a scheme, host, port, and path. + if (!array_key_exists($component, $return_to_parts)) { + return false; + } + + if (!array_key_exists($component, $msg_return_to_parts)) { + return false; + } + + if (Auth_OpenID::arrayGet($return_to_parts, $component) !== + Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { + return false; + } + } + + return true; + } + + /** + * @access private + */ + function _verifyReturnToArgs($query) + { + // Verify that the arguments in the return_to URL are present in this + // response. + + $message = Auth_OpenID_Message::fromPostArgs($query); + $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); + + // XXX: this should be checked by _idResCheckForFields + if (!$return_to) { + return new Auth_OpenID_FailureResponse(null, + "Response has no return_to"); + } + + $parsed_url = parse_url($return_to); + + $q = array(); + if (array_key_exists('query', $parsed_url)) { + $rt_query = $parsed_url['query']; + $q = Auth_OpenID::parse_str($rt_query); + } + + foreach ($q as $rt_key => $rt_value) { + if (!array_key_exists($rt_key, $query)) { + return new Auth_OpenID_FailureResponse(null, + sprintf("return_to parameter %s absent from query", $rt_key)); + } else { + $value = $query[$rt_key]; + if ($rt_value != $value) { + return new Auth_OpenID_FailureResponse(null, + sprintf("parameter %s value %s does not match " . + "return_to value %s", $rt_key, + $value, $rt_value)); + } + } + } + + // Make sure all non-OpenID arguments in the response are also + // in the signed return_to. + $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); + foreach ($bare_args as $key => $value) { + if (Auth_OpenID::arrayGet($q, $key) != $value) { + return new Auth_OpenID_FailureResponse(null, + sprintf("Parameter %s = %s not in return_to URL", + $key, $value)); + } + } + + return true; + } + + /** + * @access private + */ + function _idResCheckSignature($message, $server_url) + { + $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, + 'assoc_handle'); + + $assoc = $this->store->getAssociation($server_url, $assoc_handle); + + if ($assoc) { + if ($assoc->getExpiresIn() <= 0) { + // XXX: It might be a good idea sometimes to re-start + // the authentication with a new association. Doing it + // automatically opens the possibility for + // denial-of-service by a server that just returns + // expired associations (or really short-lived + // associations) + return new Auth_OpenID_FailureResponse(null, + 'Association with ' . $server_url . ' expired'); + } + + if (!$assoc->checkMessageSignature($message)) { + return new Auth_OpenID_FailureResponse(null, + "Bad signature"); + } + } else { + // It's not an association we know about. Stateless mode + // is our only possible path for recovery. XXX - async + // framework will not want to block on this call to + // _checkAuth. + if (!$this->_checkAuth($message, $server_url)) { + return new Auth_OpenID_FailureResponse(null, + "Server denied check_authentication"); + } + } + + return null; + } + + /** + * @access private + */ + function _verifyDiscoveryResults($message, $endpoint=null) + { + if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) { + return $this->_verifyDiscoveryResultsOpenID2($message, + $endpoint); + } else { + return $this->_verifyDiscoveryResultsOpenID1($message, + $endpoint); + } + } + + /** + * @access private + */ + function _verifyDiscoveryResultsOpenID1($message, $endpoint) + { + $claimed_id = $message->getArg(Auth_OpenID_BARE_NS, + $this->openid1_return_to_identifier_name); + + if (($endpoint === null) && ($claimed_id === null)) { + return new Auth_OpenID_FailureResponse($endpoint, + 'When using OpenID 1, the claimed ID must be supplied, ' . + 'either by passing it through as a return_to parameter ' . + 'or by using a session, and supplied to the GenericConsumer ' . + 'as the argument to complete()'); + } else if (($endpoint !== null) && ($claimed_id === null)) { + $claimed_id = $endpoint->claimed_id; + } + + $to_match = new Auth_OpenID_ServiceEndpoint(); + $to_match->type_uris = array(Auth_OpenID_TYPE_1_1); + $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS, + 'identity'); + + // Restore delegate information from the initiation phase + $to_match->claimed_id = $claimed_id; + + if ($to_match->local_id === null) { + return new Auth_OpenID_FailureResponse($endpoint, + "Missing required field openid.identity"); + } + + $to_match_1_0 = $to_match->copy(); + $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0); + + if ($endpoint !== null) { + $result = $this->_verifyDiscoverySingle($endpoint, $to_match); + + if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { + $result = $this->_verifyDiscoverySingle($endpoint, + $to_match_1_0); + } + + if (Auth_OpenID::isFailure($result)) { + // oidutil.log("Error attempting to use stored + // discovery information: " + str(e)) + // oidutil.log("Attempting discovery to + // verify endpoint") + } else { + return $endpoint; + } + } + + // Endpoint is either bad (failed verification) or None + $result = $this->_discoverAndVerify($to_match); + + if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { + return $this->_discoverAndVerify($to_match_1_0); + } else { + return $result; + } + } + + /** + * @access private + */ + function _verifyDiscoverySingle($endpoint, $to_match) + { + // Every type URI that's in the to_match endpoint has to be + // present in the discovered endpoint. + foreach ($to_match->type_uris as $type_uri) { + if (!$endpoint->usesExtension($type_uri)) { + return new Auth_OpenID_TypeURIMismatch($endpoint, + "Required type ".$type_uri." not present"); + } + } + + // Fragments do not influence discovery, so we can't compare a + // claimed identifier with a fragment to discovered + // information. + list($defragged_claimed_id, $_) = + Auth_OpenID::urldefrag($to_match->claimed_id); + + if ($defragged_claimed_id != $endpoint->claimed_id) { + return new Auth_OpenID_FailureResponse($endpoint, + sprintf('Claimed ID does not match (different subjects!), ' . + 'Expected %s, got %s', $defragged_claimed_id, + $endpoint->claimed_id)); + } + + if ($to_match->getLocalID() != $endpoint->getLocalID()) { + return new Auth_OpenID_FailureResponse($endpoint, + sprintf('local_id mismatch. Expected %s, got %s', + $to_match->getLocalID(), $endpoint->getLocalID())); + } + + // If the server URL is None, this must be an OpenID 1 + // response, because op_endpoint is a required parameter in + // OpenID 2. In that case, we don't actually care what the + // discovered server_url is, because signature checking or + // check_auth should take care of that check for us. + if ($to_match->server_url === null) { + if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) { + return new Auth_OpenID_FailureResponse($endpoint, + "Preferred namespace mismatch (bug)"); + } + } else if ($to_match->server_url != $endpoint->server_url) { + return new Auth_OpenID_FailureResponse($endpoint, + sprintf('OP Endpoint mismatch. Expected %s, got %s', + $to_match->server_url, $endpoint->server_url)); + } + + return null; + } + + /** + * @access private + */ + function _verifyDiscoveryResultsOpenID2($message, $endpoint) + { + $to_match = new Auth_OpenID_ServiceEndpoint(); + $to_match->type_uris = array(Auth_OpenID_TYPE_2_0); + $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, + 'claimed_id'); + + $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS, + 'identity'); + + $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS, + 'op_endpoint'); + + if ($to_match->server_url === null) { + return new Auth_OpenID_FailureResponse($endpoint, + "OP Endpoint URL missing"); + } + + // claimed_id and identifier must both be present or both be + // absent + if (($to_match->claimed_id === null) && + ($to_match->local_id !== null)) { + return new Auth_OpenID_FailureResponse($endpoint, + 'openid.identity is present without openid.claimed_id'); + } + + if (($to_match->claimed_id !== null) && + ($to_match->local_id === null)) { + return new Auth_OpenID_FailureResponse($endpoint, + 'openid.claimed_id is present without openid.identity'); + } + + if ($to_match->claimed_id === null) { + // This is a response without identifiers, so there's + // really no checking that we can do, so return an + // endpoint that's for the specified `openid.op_endpoint' + return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL( + $to_match->server_url); + } + + if (!$endpoint) { + // The claimed ID doesn't match, so we have to do + // discovery again. This covers not using sessions, OP + // identifier endpoints and responses that didn't match + // the original request. + // oidutil.log('No pre-discovered information supplied.') + return $this->_discoverAndVerify($to_match); + } else { + + // The claimed ID matches, so we use the endpoint that we + // discovered in initiation. This should be the most + // common case. + $result = $this->_verifyDiscoverySingle($endpoint, $to_match); + + if (Auth_OpenID::isFailure($result)) { + $endpoint = $this->_discoverAndVerify($to_match); + + if (Auth_OpenID::isFailure($endpoint)) { + return $endpoint; + } + } + } + + // The endpoint we return should have the claimed ID from the + // message we just verified, fragment and all. + if ($endpoint->claimed_id != $to_match->claimed_id) { + $endpoint->claimed_id = $to_match->claimed_id; + } + + return $endpoint; + } + + /** + * @access private + */ + function _discoverAndVerify($to_match) + { + // oidutil.log('Performing discovery on %s' % (to_match.claimed_id,)) + list($unused, $services) = call_user_func($this->discoverMethod, + $to_match->claimed_id, + $this->fetcher); + + if (!$services) { + return new Auth_OpenID_FailureResponse(null, + sprintf("No OpenID information found at %s", + $to_match->claimed_id)); + } + + return $this->_verifyDiscoveryServices($services, $to_match); + } + + /** + * @access private + */ + function _verifyDiscoveryServices(&$services, &$to_match) + { + // Search the services resulting from discovery to find one + // that matches the information from the assertion + + foreach ($services as $endpoint) { + $result = $this->_verifyDiscoverySingle($endpoint, $to_match); + + if (!Auth_OpenID::isFailure($result)) { + // It matches, so discover verification has + // succeeded. Return this endpoint. + return $endpoint; + } + } + + return new Auth_OpenID_FailureResponse(null, + sprintf('No matching endpoint found after discovering %s', + $to_match->claimed_id)); + } + + /** + * Extract the nonce from an OpenID 1 response. Return the nonce + * from the BARE_NS since we independently check the return_to + * arguments are the same as those in the response message. + * + * See the openid1_nonce_query_arg_name class variable + * + * @returns $nonce The nonce as a string or null + * + * @access private + */ + function _idResGetNonceOpenID1($message, $endpoint) + { + return $message->getArg(Auth_OpenID_BARE_NS, + $this->openid1_nonce_query_arg_name); + } + + /** + * @access private + */ + function _idResCheckNonce($message, $endpoint) + { + if ($message->isOpenID1()) { + // This indicates that the nonce was generated by the consumer + $nonce = $this->_idResGetNonceOpenID1($message, $endpoint); + $server_url = ''; + } else { + $nonce = $message->getArg(Auth_OpenID_OPENID2_NS, + 'response_nonce'); + + $server_url = $endpoint->server_url; + } + + if ($nonce === null) { + return new Auth_OpenID_FailureResponse($endpoint, + "Nonce missing from response"); + } + + $parts = Auth_OpenID_splitNonce($nonce); + + if ($parts === null) { + return new Auth_OpenID_FailureResponse($endpoint, + "Malformed nonce in response"); + } + + list($timestamp, $salt) = $parts; + + if (!$this->store->useNonce($server_url, $timestamp, $salt)) { + return new Auth_OpenID_FailureResponse($endpoint, + "Nonce already used or out of range"); + } + + return null; + } + + /** + * @access private + */ + function _idResCheckForFields($message) + { + $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed'); + $basic_sig_fields = array('return_to', 'identity'); + + $require_fields = array( + Auth_OpenID_OPENID2_NS => array_merge($basic_fields, + array('op_endpoint')), + + Auth_OpenID_OPENID1_NS => array_merge($basic_fields, + array('identity')) + ); + + $require_sigs = array( + Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields, + array('response_nonce', + 'claimed_id', + 'assoc_handle')), + Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields, + array('nonce')) + ); + + foreach ($require_fields[$message->getOpenIDNamespace()] as $field) { + if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) { + return new Auth_OpenID_FailureResponse(null, + "Missing required field '".$field."'"); + } + } + + $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, + 'signed', + Auth_OpenID_NO_DEFAULT); + $signed_list = explode(',', $signed_list_str); + + foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) { + // Field is present and not in signed list + if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) && + (!in_array($field, $signed_list))) { + return new Auth_OpenID_FailureResponse(null, + "'".$field."' not signed"); + } + } + + return null; + } + + /** + * @access private + */ + function _checkAuth($message, $server_url) + { + $request = $this->_createCheckAuthRequest($message); + if ($request === null) { + return false; + } + + $resp_message = $this->_makeKVPost($request, $server_url); + if (($resp_message === null) || + (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) { + return false; + } + + return $this->_processCheckAuthResponse($resp_message, $server_url); + } + + /** + * @access private + */ + function _createCheckAuthRequest($message) + { + $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); + if ($signed === null) { + return null; + } + + $whitelist = array('assoc_handle', 'sig', + 'signed', 'invalidate_handle'); + + $check_args = array(); + + foreach ($whitelist as $k) { + $val = $message->getArg(Auth_OpenID_OPENID_NS, $k); + if ($val !== null) { + $check_args[$k] = $val; + } + } + + $signed = $message->getArg(Auth_OpenID_OPENID_NS, + 'signed'); + + if ($signed) { + foreach (explode(',', $signed) as $k) { + if ($k == 'ns') { + $check_args['ns'] = $message->getOpenIDNamespace(); + continue; + } + + $value = $message->getAliasedArg($k); + if ($value === null) { + return null; + } + + $check_args[$k] = $value; + } + } + + $check_args['mode'] = 'check_authentication'; + return Auth_OpenID_Message::fromOpenIDArgs($check_args); + } + + /** + * @access private + */ + function _processCheckAuthResponse($response, $server_url) + { + $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid', + 'false'); + + $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS, + 'invalidate_handle'); + + if ($invalidate_handle !== null) { + $this->store->removeAssociation($server_url, + $invalidate_handle); + } + + if ($is_valid == 'true') { + return true; + } + + return false; + } + + /** + * Adapt a POST response to a Message. + * + * @param $response Result of a POST to an OpenID endpoint. + * + * @access private + */ + function _httpResponseToMessage($response, $server_url) + { + // Should this function be named Message.fromHTTPResponse instead? + $response_message = Auth_OpenID_Message::fromKVForm($response->body); + + if ($response->status == 400) { + return Auth_OpenID_ServerErrorContainer::fromMessage( + $response_message); + } else if ($response->status != 200) { + return null; + } + + return $response_message; + } + + /** + * @access private + */ + function _makeKVPost($message, $server_url) + { + $body = $message->toURLEncoded(); + $resp = $this->fetcher->post($server_url, $body); + + if ($resp === null) { + return null; + } + + return $this->_httpResponseToMessage($resp, $server_url); + } + + /** + * @access private + */ + function _getAssociation($endpoint) + { + if (!$this->_use_assocs) { + return null; + } + + $assoc = $this->store->getAssociation($endpoint->server_url); + + if (($assoc === null) || + ($assoc->getExpiresIn() <= 0)) { + + $assoc = $this->_negotiateAssociation($endpoint); + + if ($assoc !== null) { + $this->store->storeAssociation($endpoint->server_url, + $assoc); + } + } + + return $assoc; + } + + /** + * Handle ServerErrors resulting from association requests. + * + * @return $result If server replied with an C{unsupported-type} + * error, return a tuple of supported C{association_type}, + * C{session_type}. Otherwise logs the error and returns null. + * + * @access private + */ + function _extractSupportedAssociationType(&$server_error, &$endpoint, + $assoc_type) + { + // Any error message whose code is not 'unsupported-type' + // should be considered a total failure. + if (($server_error->error_code != 'unsupported-type') || + ($server_error->message->isOpenID1())) { + return null; + } + + // The server didn't like the association/session type that we + // sent, and it sent us back a message that might tell us how + // to handle it. + + // Extract the session_type and assoc_type from the error + // message + $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, + 'assoc_type'); + + $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, + 'session_type'); + + if (($assoc_type === null) || ($session_type === null)) { + return null; + } else if (!$this->negotiator->isAllowed($assoc_type, + $session_type)) { + return null; + } else { + return array($assoc_type, $session_type); + } + } + + /** + * @access private + */ + function _negotiateAssociation($endpoint) + { + // Get our preferred session/association type from the negotiatior. + list($assoc_type, $session_type) = $this->negotiator->getAllowedType(); + + $assoc = $this->_requestAssociation( + $endpoint, $assoc_type, $session_type); + + if (Auth_OpenID::isFailure($assoc)) { + return null; + } + + if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { + $why = $assoc; + + $supportedTypes = $this->_extractSupportedAssociationType( + $why, $endpoint, $assoc_type); + + if ($supportedTypes !== null) { + list($assoc_type, $session_type) = $supportedTypes; + + // Attempt to create an association from the assoc_type + // and session_type that the server told us it + // supported. + $assoc = $this->_requestAssociation( + $endpoint, $assoc_type, $session_type); + + if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { + // Do not keep trying, since it rejected the + // association type that it told us to use. + // oidutil.log('Server %s refused its suggested association + // 'type: session_type=%s, assoc_type=%s' + // % (endpoint.server_url, session_type, + // assoc_type)) + return null; + } else { + return $assoc; + } + } else { + return null; + } + } else { + return $assoc; + } + } + + /** + * @access private + */ + function _requestAssociation($endpoint, $assoc_type, $session_type) + { + list($assoc_session, $args) = $this->_createAssociateRequest( + $endpoint, $assoc_type, $session_type); + + $response_message = $this->_makeKVPost($args, $endpoint->server_url); + + if ($response_message === null) { + // oidutil.log('openid.associate request failed: %s' % (why[0],)) + return null; + } else if (is_a($response_message, + 'Auth_OpenID_ServerErrorContainer')) { + return $response_message; + } + + return $this->_extractAssociation($response_message, $assoc_session); + } + + /** + * @access private + */ + function _extractAssociation(&$assoc_response, &$assoc_session) + { + // Extract the common fields from the response, raising an + // exception if they are not found + $assoc_type = $assoc_response->getArg( + Auth_OpenID_OPENID_NS, 'assoc_type', + Auth_OpenID_NO_DEFAULT); + + if ($assoc_type === null) { + return new Auth_OpenID_FailureResponse(null, + 'assoc_type missing from association response'); + } + + $assoc_handle = $assoc_response->getArg( + Auth_OpenID_OPENID_NS, 'assoc_handle', + Auth_OpenID_NO_DEFAULT); + + if ($assoc_handle === null) { + return new Auth_OpenID_FailureResponse(null, + 'assoc_handle missing from association response'); + } + + // expires_in is a base-10 string. The Python parsing will + // accept literals that have whitespace around them and will + // accept negative values. Neither of these are really in-spec, + // but we think it's OK to accept them. + $expires_in_str = $assoc_response->getArg( + Auth_OpenID_OPENID_NS, 'expires_in', + Auth_OpenID_NO_DEFAULT); + + if ($expires_in_str === null) { + return new Auth_OpenID_FailureResponse(null, + 'expires_in missing from association response'); + } + + $expires_in = Auth_OpenID::intval($expires_in_str); + if ($expires_in === false) { + return null; + } + + // OpenID 1 has funny association session behaviour. + if ($assoc_response->isOpenID1()) { + $session_type = $this->_getOpenID1SessionType($assoc_response); + } else { + $session_type = $assoc_response->getArg( + Auth_OpenID_OPENID2_NS, 'session_type', + Auth_OpenID_NO_DEFAULT); + + if ($session_type === null) { + return new Auth_OpenID_FailureResponse(null, + 'session_type missing from association response'); + } + } + + // Session type mismatch + if ($assoc_session->session_type != $session_type) { + if ($assoc_response->isOpenID1() && + ($session_type == 'no-encryption')) { + // In OpenID 1, any association request can result in + // a 'no-encryption' association response. Setting + // assoc_session to a new no-encryption session should + // make the rest of this function work properly for + // that case. + $assoc_session = new Auth_OpenID_PlainTextConsumerSession(); + } else { + // Any other mismatch, regardless of protocol version + // results in the failure of the association session + // altogether. + return null; + } + } + + // Make sure assoc_type is valid for session_type + if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) { + return null; + } + + // Delegate to the association session to extract the secret + // from the response, however is appropriate for that session + // type. + $secret = $assoc_session->extractSecret($assoc_response); + + if ($secret === null) { + return null; + } + + return Auth_OpenID_Association::fromExpiresIn( + $expires_in, $assoc_handle, $secret, $assoc_type); + } + + /** + * @access private + */ + function _createAssociateRequest($endpoint, $assoc_type, $session_type) + { + if (array_key_exists($session_type, $this->session_types)) { + $session_type_class = $this->session_types[$session_type]; + + if (is_callable($session_type_class)) { + $assoc_session = $session_type_class(); + } else { + $assoc_session = new $session_type_class(); + } + } else { + return null; + } + + $args = array( + 'mode' => 'associate', + 'assoc_type' => $assoc_type); + + if (!$endpoint->compatibilityMode()) { + $args['ns'] = Auth_OpenID_OPENID2_NS; + } + + // Leave out the session type if we're in compatibility mode + // *and* it's no-encryption. + if ((!$endpoint->compatibilityMode()) || + ($assoc_session->session_type != 'no-encryption')) { + $args['session_type'] = $assoc_session->session_type; + } + + $args = array_merge($args, $assoc_session->getRequest()); + $message = Auth_OpenID_Message::fromOpenIDArgs($args); + return array($assoc_session, $message); + } + + /** + * Given an association response message, extract the OpenID 1.X + * session type. + * + * This function mostly takes care of the 'no-encryption' default + * behavior in OpenID 1. + * + * If the association type is plain-text, this function will + * return 'no-encryption' + * + * @access private + * @return $typ The association type for this message + */ + function _getOpenID1SessionType($assoc_response) + { + // If it's an OpenID 1 message, allow session_type to default + // to None (which signifies "no-encryption") + $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS, + 'session_type'); + + // Handle the differences between no-encryption association + // respones in OpenID 1 and 2: + + // no-encryption is not really a valid session type for OpenID + // 1, but we'll accept it anyway, while issuing a warning. + if ($session_type == 'no-encryption') { + // oidutil.log('WARNING: OpenID server sent "no-encryption"' + // 'for OpenID 1.X') + } else if (($session_type == '') || ($session_type === null)) { + // Missing or empty session type is the way to flag a + // 'no-encryption' response. Change the session type to + // 'no-encryption' so that it can be handled in the same + // way as OpenID 2 'no-encryption' respones. + $session_type = 'no-encryption'; + } + + return $session_type; + } +} + +/** + * This class represents an authentication request from a consumer to + * an OpenID server. + * + * @package OpenID + */ +class Auth_OpenID_AuthRequest { + + /** + * Initialize an authentication request with the specified token, + * association, and endpoint. + * + * Users of this library should not create instances of this + * class. Instances of this class are created by the library when + * needed. + */ + function Auth_OpenID_AuthRequest(&$endpoint, $assoc) + { + $this->assoc = $assoc; + $this->endpoint =& $endpoint; + $this->return_to_args = array(); + $this->message = new Auth_OpenID_Message(); + $this->message->setOpenIDNamespace( + $endpoint->preferredNamespace()); + $this->_anonymous = false; + } + + /** + * Add an extension to this checkid request. + * + * $extension_request: An object that implements the extension + * request interface for adding arguments to an OpenID message. + */ + function addExtension(&$extension_request) + { + $extension_request->toMessage($this->message); + } + + /** + * Add an extension argument to this OpenID authentication + * request. + * + * Use caution when adding arguments, because they will be + * URL-escaped and appended to the redirect URL, which can easily + * get quite long. + * + * @param string $namespace The namespace for the extension. For + * example, the simple registration extension uses the namespace + * 'sreg'. + * + * @param string $key The key within the extension namespace. For + * example, the nickname field in the simple registration + * extension's key is 'nickname'. + * + * @param string $value The value to provide to the server for + * this argument. + */ + function addExtensionArg($namespace, $key, $value) + { + $this->message->setArg($namespace, $key, $value); + } + + /** + * Set whether this request should be made anonymously. If a + * request is anonymous, the identifier will not be sent in the + * request. This is only useful if you are making another kind of + * request with an extension in this request. + * + * Anonymous requests are not allowed when the request is made + * with OpenID 1. + */ + function setAnonymous($is_anonymous) + { + if ($is_anonymous && $this->message->isOpenID1()) { + return false; + } else { + $this->_anonymous = $is_anonymous; + return true; + } + } + + /** + * Produce a {@link Auth_OpenID_Message} representing this + * request. + * + * @param string $realm The URL (or URL pattern) that identifies + * your web site to the user when she is authorizing it. + * + * @param string $return_to The URL that the OpenID provider will + * send the user back to after attempting to verify her identity. + * + * Not specifying a return_to URL means that the user will not be + * returned to the site issuing the request upon its completion. + * + * @param bool $immediate If true, the OpenID provider is to send + * back a response immediately, useful for behind-the-scenes + * authentication attempts. Otherwise the OpenID provider may + * engage the user before providing a response. This is the + * default case, as the user may need to provide credentials or + * approve the request before a positive response can be sent. + */ + function getMessage($realm, $return_to=null, $immediate=false) + { + if ($return_to) { + $return_to = Auth_OpenID::appendArgs($return_to, + $this->return_to_args); + } else if ($immediate) { + // raise ValueError( + // '"return_to" is mandatory when + //using "checkid_immediate"') + return new Auth_OpenID_FailureResponse(null, + "'return_to' is mandatory when using checkid_immediate"); + } else if ($this->message->isOpenID1()) { + // raise ValueError('"return_to" is + // mandatory for OpenID 1 requests') + return new Auth_OpenID_FailureResponse(null, + "'return_to' is mandatory for OpenID 1 requests"); + } else if ($this->return_to_args) { + // raise ValueError('extra "return_to" arguments + // were specified, but no return_to was specified') + return new Auth_OpenID_FailureResponse(null, + "extra 'return_to' arguments where specified, " . + "but no return_to was specified"); + } + + if ($immediate) { + $mode = 'checkid_immediate'; + } else { + $mode = 'checkid_setup'; + } + + $message = $this->message->copy(); + if ($message->isOpenID1()) { + $realm_key = 'trust_root'; + } else { + $realm_key = 'realm'; + } + + $message->updateArgs(Auth_OpenID_OPENID_NS, + array( + $realm_key => $realm, + 'mode' => $mode, + 'return_to' => $return_to)); + + if (!$this->_anonymous) { + if ($this->endpoint->isOPIdentifier()) { + // This will never happen when we're in compatibility + // mode, as long as isOPIdentifier() returns False + // whenever preferredNamespace() returns OPENID1_NS. + $claimed_id = $request_identity = + Auth_OpenID_IDENTIFIER_SELECT; + } else { + $request_identity = $this->endpoint->getLocalID(); + $claimed_id = $this->endpoint->claimed_id; + } + + // This is true for both OpenID 1 and 2 + $message->setArg(Auth_OpenID_OPENID_NS, 'identity', + $request_identity); + + if ($message->isOpenID2()) { + $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id', + $claimed_id); + } + } + + if ($this->assoc) { + $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', + $this->assoc->handle); + } + + return $message; + } + + function redirectURL($realm, $return_to = null, + $immediate = false) + { + $message = $this->getMessage($realm, $return_to, $immediate); + + if (Auth_OpenID::isFailure($message)) { + return $message; + } + + return $message->toURL($this->endpoint->server_url); + } + + /** + * Get html for a form to submit this request to the IDP. + * + * form_tag_attrs: An array of attributes to be added to the form + * tag. 'accept-charset' and 'enctype' have defaults that can be + * overridden. If a value is supplied for 'action' or 'method', it + * will be replaced. + */ + function formMarkup($realm, $return_to=null, $immediate=false, + $form_tag_attrs=null) + { + $message = $this->getMessage($realm, $return_to, $immediate); + + if (Auth_OpenID::isFailure($message)) { + return $message; + } + + return $message->toFormMarkup($this->endpoint->server_url, + $form_tag_attrs); + } + + function shouldSendRedirect() + { + return $this->endpoint->compatibilityMode(); + } +} + +/** + * The base class for responses from the Auth_OpenID_Consumer. + * + * @package OpenID + */ +class Auth_OpenID_ConsumerResponse { + var $status = null; + + function setEndpoint($endpoint) + { + $this->endpoint = $endpoint; + if ($endpoint === null) { + $this->identity_url = null; + } else { + $this->identity_url = $endpoint->claimed_id; + } + } + + function getDisplayIdentifier() + { + if ($this->endpoint !== null) { + return $this->endpoint->getDisplayIdentifier(); + } + return null; + } +} + +/** + * A response with a status of Auth_OpenID_SUCCESS. Indicates that + * this request is a successful acknowledgement from the OpenID server + * that the supplied URL is, indeed controlled by the requesting + * agent. This has three relevant attributes: + * + * claimed_id - The identity URL that has been authenticated + * + * signed_args - The arguments in the server's response that were + * signed and verified. + * + * status - Auth_OpenID_SUCCESS. + * + * @package OpenID + */ +class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse { + var $status = Auth_OpenID_SUCCESS; + + /** + * @access private + */ + function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null) + { + $this->endpoint = $endpoint; + $this->identity_url = $endpoint->claimed_id; + $this->signed_args = $signed_args; + $this->message = $message; + + if ($this->signed_args === null) { + $this->signed_args = array(); + } + } + + /** + * Extract signed extension data from the server's response. + * + * @param string $prefix The extension namespace from which to + * extract the extension data. + */ + function extensionResponse($namespace_uri, $require_signed) + { + if ($require_signed) { + return $this->getSignedNS($namespace_uri); + } else { + return $this->message->getArgs($namespace_uri); + } + } + + function isOpenID1() + { + return $this->message->isOpenID1(); + } + + function isSigned($ns_uri, $ns_key) + { + // Return whether a particular key is signed, regardless of + // its namespace alias + return in_array($this->message->getKey($ns_uri, $ns_key), + $this->signed_args); + } + + function getSigned($ns_uri, $ns_key, $default = null) + { + // Return the specified signed field if available, otherwise + // return default + if ($this->isSigned($ns_uri, $ns_key)) { + return $this->message->getArg($ns_uri, $ns_key, $default); + } else { + return $default; + } + } + + function getSignedNS($ns_uri) + { + $args = array(); + + $msg_args = $this->message->getArgs($ns_uri); + + foreach ($msg_args as $key => $value) { + if (!$this->isSigned($ns_uri, $key)) { + return null; + } + } + + return $msg_args; + } + + /** + * Get the openid.return_to argument from this response. + * + * This is useful for verifying that this request was initiated by + * this consumer. + * + * @return string $return_to The return_to URL supplied to the + * server on the initial request, or null if the response did not + * contain an 'openid.return_to' argument. + */ + function getReturnTo() + { + return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to'); + } +} + +/** + * A response with a status of Auth_OpenID_FAILURE. Indicates that the + * OpenID protocol has failed. This could be locally or remotely + * triggered. This has three relevant attributes: + * + * claimed_id - The identity URL for which authentication was + * attempted, if it can be determined. Otherwise, null. + * + * message - A message indicating why the request failed, if one is + * supplied. Otherwise, null. + * + * status - Auth_OpenID_FAILURE. + * + * @package OpenID + */ +class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse { + var $status = Auth_OpenID_FAILURE; + + function Auth_OpenID_FailureResponse($endpoint, $message = null, + $contact = null, $reference = null) + { + $this->setEndpoint($endpoint); + $this->message = $message; + $this->contact = $contact; + $this->reference = $reference; + } +} + +/** + * A specific, internal failure used to detect type URI mismatch. + * + * @package OpenID + */ +class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse { +} + +/** + * Exception that is raised when the server returns a 400 response + * code to a direct request. + * + * @package OpenID + */ +class Auth_OpenID_ServerErrorContainer { + function Auth_OpenID_ServerErrorContainer($error_text, + $error_code, + $message) + { + $this->error_text = $error_text; + $this->error_code = $error_code; + $this->message = $message; + } + + /** + * @access private + */ + function fromMessage($message) + { + $error_text = $message->getArg( + Auth_OpenID_OPENID_NS, 'error', ''); + $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code'); + return new Auth_OpenID_ServerErrorContainer($error_text, + $error_code, + $message); + } +} + +/** + * A response with a status of Auth_OpenID_CANCEL. Indicates that the + * user cancelled the OpenID authentication request. This has two + * relevant attributes: + * + * claimed_id - The identity URL for which authentication was + * attempted, if it can be determined. Otherwise, null. + * + * status - Auth_OpenID_SUCCESS. + * + * @package OpenID + */ +class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse { + var $status = Auth_OpenID_CANCEL; + + function Auth_OpenID_CancelResponse($endpoint) + { + $this->setEndpoint($endpoint); + } +} + +/** + * A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates + * that the request was in immediate mode, and the server is unable to + * authenticate the user without further interaction. + * + * claimed_id - The identity URL for which authentication was + * attempted. + * + * setup_url - A URL that can be used to send the user to the server + * to set up for authentication. The user should be redirected in to + * the setup_url, either in the current window or in a new browser + * window. Null in OpenID 2. + * + * status - Auth_OpenID_SETUP_NEEDED. + * + * @package OpenID + */ +class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse { + var $status = Auth_OpenID_SETUP_NEEDED; + + function Auth_OpenID_SetupNeededResponse($endpoint, + $setup_url = null) + { + $this->setEndpoint($endpoint); + $this->setup_url = $setup_url; + } +} + +?> diff --git a/models/Auth.old/OpenID/CryptUtil.php b/models/Auth.old/OpenID/CryptUtil.php new file mode 100644 index 000000000..70351dcee --- /dev/null +++ b/models/Auth.old/OpenID/CryptUtil.php @@ -0,0 +1,113 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +if (!defined('Auth_OpenID_RAND_SOURCE')) { + /** + * The filename for a source of random bytes. Define this yourself + * if you have a different source of randomness. + */ + + // good version + define('Auth_OpenID_RAND_SOURCE', '/dev/urandom'); + // use this one for broken systems (eg. Windows) + //define('Auth_OpenID_RAND_SOURCE', null); +} + +class Auth_OpenID_CryptUtil { + /** + * Get the specified number of random bytes. + * + * Attempts to use a cryptographically secure (not predictable) + * source of randomness if available. If there is no high-entropy + * randomness source available, it will fail. As a last resort, + * for non-critical systems, define + * Auth_OpenID_RAND_SOURCE as null, and + * the code will fall back on a pseudo-random number generator. + * + * @param int $num_bytes The length of the return value + * @return string $bytes random bytes + */ + function getBytes($num_bytes) + { + static $f = null; + $bytes = ''; + if ($f === null) { + if (Auth_OpenID_RAND_SOURCE === null) { + $f = false; + } else { + $f = @fopen(Auth_OpenID_RAND_SOURCE, "r"); + if ($f === false) { + $msg = 'Define Auth_OpenID_RAND_SOURCE as null to ' . + ' continue with an insecure random number generator.'; + trigger_error($msg, E_USER_ERROR); + } + } + } + if ($f === false) { + // pseudorandom used + $bytes = ''; + for ($i = 0; $i < $num_bytes; $i += 4) { + $bytes .= pack('L', mt_rand()); + } + $bytes = substr($bytes, 0, $num_bytes); + } else { + $bytes = fread($f, $num_bytes); + } + return $bytes; + } + + /** + * Produce a string of length random bytes, chosen from chrs. If + * $chrs is null, the resulting string may contain any characters. + * + * @param integer $length The length of the resulting + * randomly-generated string + * @param string $chrs A string of characters from which to choose + * to build the new string + * @return string $result A string of randomly-chosen characters + * from $chrs + */ + function randomString($length, $population = null) + { + if ($population === null) { + return Auth_OpenID_CryptUtil::getBytes($length); + } + + $popsize = strlen($population); + + if ($popsize > 256) { + $msg = 'More than 256 characters supplied to ' . __FUNCTION__; + trigger_error($msg, E_USER_ERROR); + } + + $duplicate = 256 % $popsize; + + $str = ""; + for ($i = 0; $i < $length; $i++) { + do { + $n = ord(Auth_OpenID_CryptUtil::getBytes(1)); + } while ($n < $duplicate); + + $n %= $popsize; + $str .= $population[$n]; + } + + return $str; + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/DatabaseConnection.php b/models/Auth.old/OpenID/DatabaseConnection.php new file mode 100644 index 000000000..3f4515fa5 --- /dev/null +++ b/models/Auth.old/OpenID/DatabaseConnection.php @@ -0,0 +1,131 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * An empty base class intended to emulate PEAR connection + * functionality in applications that supply their own database + * abstraction mechanisms. See {@link Auth_OpenID_SQLStore} for more + * information. You should subclass this class if you need to create + * an SQL store that needs to access its database using an + * application's database abstraction layer instead of a PEAR database + * connection. Any subclass of Auth_OpenID_DatabaseConnection MUST + * adhere to the interface specified here. + * + * @package OpenID + */ +class Auth_OpenID_DatabaseConnection { + /** + * Sets auto-commit mode on this database connection. + * + * @param bool $mode True if auto-commit is to be used; false if + * not. + */ + function autoCommit($mode) + { + } + + /** + * Run an SQL query with the specified parameters, if any. + * + * @param string $sql An SQL string with placeholders. The + * placeholders are assumed to be specific to the database engine + * for this connection. + * + * @param array $params An array of parameters to insert into the + * SQL string using this connection's escaping mechanism. + * + * @return mixed $result The result of calling this connection's + * internal query function. The type of result depends on the + * underlying database engine. This method is usually used when + * the result of a query is not important, like a DDL query. + */ + function query($sql, $params = array()) + { + } + + /** + * Starts a transaction on this connection, if supported. + */ + function begin() + { + } + + /** + * Commits a transaction on this connection, if supported. + */ + function commit() + { + } + + /** + * Performs a rollback on this connection, if supported. + */ + function rollback() + { + } + + /** + * Run an SQL query and return the first column of the first row + * of the result set, if any. + * + * @param string $sql An SQL string with placeholders. The + * placeholders are assumed to be specific to the database engine + * for this connection. + * + * @param array $params An array of parameters to insert into the + * SQL string using this connection's escaping mechanism. + * + * @return mixed $result The value of the first column of the + * first row of the result set. False if no such result was + * found. + */ + function getOne($sql, $params = array()) + { + } + + /** + * Run an SQL query and return the first row of the result set, if + * any. + * + * @param string $sql An SQL string with placeholders. The + * placeholders are assumed to be specific to the database engine + * for this connection. + * + * @param array $params An array of parameters to insert into the + * SQL string using this connection's escaping mechanism. + * + * @return array $result The first row of the result set, if any, + * keyed on column name. False if no such result was found. + */ + function getRow($sql, $params = array()) + { + } + + /** + * Run an SQL query with the specified parameters, if any. + * + * @param string $sql An SQL string with placeholders. The + * placeholders are assumed to be specific to the database engine + * for this connection. + * + * @param array $params An array of parameters to insert into the + * SQL string using this connection's escaping mechanism. + * + * @return array $result An array of arrays representing the + * result of the query; each array is keyed on column name. + */ + function getAll($sql, $params = array()) + { + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/DiffieHellman.php b/models/Auth.old/OpenID/DiffieHellman.php new file mode 100644 index 000000000..b9a8034bf --- /dev/null +++ b/models/Auth.old/OpenID/DiffieHellman.php @@ -0,0 +1,112 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +require_once 'Auth/OpenID.php'; +require_once 'Auth/OpenID/BigMath.php'; +require_once 'Auth/OpenID/HMACSHA1.php'; + +function Auth_OpenID_getDefaultMod() +{ + return '155172898181473697471232257763715539915724801'. + '966915404479707795314057629378541917580651227423'. + '698188993727816152646631438561595825688188889951'. + '272158842675419950341258706556549803580104870537'. + '681476726513255747040765857479291291572334510643'. + '245094715007229621094194349783925984760375594985'. + '848253359305585439638443'; +} + +function Auth_OpenID_getDefaultGen() +{ + return '2'; +} + +/** + * The Diffie-Hellman key exchange class. This class relies on + * {@link Auth_OpenID_MathLibrary} to perform large number operations. + * + * @access private + * @package OpenID + */ +class Auth_OpenID_DiffieHellman { + + var $mod; + var $gen; + var $private; + var $lib = null; + + function Auth_OpenID_DiffieHellman($mod = null, $gen = null, + $private = null, $lib = null) + { + if ($lib === null) { + $this->lib =& Auth_OpenID_getMathLib(); + } else { + $this->lib =& $lib; + } + + if ($mod === null) { + $this->mod = $this->lib->init(Auth_OpenID_getDefaultMod()); + } else { + $this->mod = $mod; + } + + if ($gen === null) { + $this->gen = $this->lib->init(Auth_OpenID_getDefaultGen()); + } else { + $this->gen = $gen; + } + + if ($private === null) { + $r = $this->lib->rand($this->mod); + $this->private = $this->lib->add($r, 1); + } else { + $this->private = $private; + } + + $this->public = $this->lib->powmod($this->gen, $this->private, + $this->mod); + } + + function getSharedSecret($composite) + { + return $this->lib->powmod($composite, $this->private, $this->mod); + } + + function getPublicKey() + { + return $this->public; + } + + function usingDefaultValues() + { + return ($this->mod == Auth_OpenID_getDefaultMod() && + $this->gen == Auth_OpenID_getDefaultGen()); + } + + function xorSecret($composite, $secret, $hash_func) + { + $dh_shared = $this->getSharedSecret($composite); + $dh_shared_str = $this->lib->longToBinary($dh_shared); + $hash_dh_shared = $hash_func($dh_shared_str); + + $xsecret = ""; + for ($i = 0; $i < Auth_OpenID::bytes($secret); $i++) { + $xsecret .= chr(ord($secret[$i]) ^ ord($hash_dh_shared[$i])); + } + + return $xsecret; + } +} diff --git a/models/Auth.old/OpenID/Discover.php b/models/Auth.old/OpenID/Discover.php new file mode 100644 index 000000000..b8f4d56ff --- /dev/null +++ b/models/Auth.old/OpenID/Discover.php @@ -0,0 +1,547 @@ +claimed_id = null; + $this->server_url = null; + $this->type_uris = array(); + $this->local_id = null; + $this->canonicalID = null; + $this->used_yadis = false; // whether this came from an XRDS + $this->display_identifier = null; + } + + function getDisplayIdentifier() + { + if ($this->display_identifier) { + return $this->display_identifier; + } + return $this->claimed_id; + } + + function usesExtension($extension_uri) + { + return in_array($extension_uri, $this->type_uris); + } + + function preferredNamespace() + { + if (in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris) || + in_array(Auth_OpenID_TYPE_2_0, $this->type_uris)) { + return Auth_OpenID_OPENID2_NS; + } else { + return Auth_OpenID_OPENID1_NS; + } + } + + /* + * Query this endpoint to see if it has any of the given type + * URIs. This is useful for implementing other endpoint classes + * that e.g. need to check for the presence of multiple versions + * of a single protocol. + * + * @param $type_uris The URIs that you wish to check + * + * @return all types that are in both in type_uris and + * $this->type_uris + */ + function matchTypes($type_uris) + { + $result = array(); + foreach ($type_uris as $test_uri) { + if ($this->supportsType($test_uri)) { + $result[] = $test_uri; + } + } + + return $result; + } + + function supportsType($type_uri) + { + // Does this endpoint support this type? + return ((in_array($type_uri, $this->type_uris)) || + (($type_uri == Auth_OpenID_TYPE_2_0) && + $this->isOPIdentifier())); + } + + function compatibilityMode() + { + return $this->preferredNamespace() != Auth_OpenID_OPENID2_NS; + } + + function isOPIdentifier() + { + return in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris); + } + + function fromOPEndpointURL($op_endpoint_url) + { + // Construct an OP-Identifier OpenIDServiceEndpoint object for + // a given OP Endpoint URL + $obj = new Auth_OpenID_ServiceEndpoint(); + $obj->server_url = $op_endpoint_url; + $obj->type_uris = array(Auth_OpenID_TYPE_2_0_IDP); + return $obj; + } + + function parseService($yadis_url, $uri, $type_uris, $service_element) + { + // Set the state of this object based on the contents of the + // service element. Return true if successful, false if not + // (if findOPLocalIdentifier returns false). + $this->type_uris = $type_uris; + $this->server_url = $uri; + $this->used_yadis = true; + + if (!$this->isOPIdentifier()) { + $this->claimed_id = $yadis_url; + $this->local_id = Auth_OpenID_findOPLocalIdentifier( + $service_element, + $this->type_uris); + if ($this->local_id === false) { + return false; + } + } + + return true; + } + + function getLocalID() + { + // Return the identifier that should be sent as the + // openid.identity_url parameter to the server. + if ($this->local_id === null && $this->canonicalID === null) { + return $this->claimed_id; + } else { + if ($this->local_id) { + return $this->local_id; + } else { + return $this->canonicalID; + } + } + } + + /* + * Parse the given document as XRDS looking for OpenID services. + * + * @return array of Auth_OpenID_ServiceEndpoint or null if the + * document cannot be parsed. + */ + function fromXRDS($uri, $xrds_text) + { + $xrds =& Auth_Yadis_XRDS::parseXRDS($xrds_text); + + if ($xrds) { + $yadis_services = + $xrds->services(array('filter_MatchesAnyOpenIDType')); + return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); + } + + return null; + } + + /* + * Create endpoints from a DiscoveryResult. + * + * @param discoveryResult Auth_Yadis_DiscoveryResult + * @return array of Auth_OpenID_ServiceEndpoint or null if + * endpoints cannot be created. + */ + function fromDiscoveryResult($discoveryResult) + { + if ($discoveryResult->isXRDS()) { + return Auth_OpenID_ServiceEndpoint::fromXRDS( + $discoveryResult->normalized_uri, + $discoveryResult->response_text); + } else { + return Auth_OpenID_ServiceEndpoint::fromHTML( + $discoveryResult->normalized_uri, + $discoveryResult->response_text); + } + } + + function fromHTML($uri, $html) + { + $discovery_types = array( + array(Auth_OpenID_TYPE_2_0, + 'openid2.provider', 'openid2.local_id'), + array(Auth_OpenID_TYPE_1_1, + 'openid.server', 'openid.delegate') + ); + + $services = array(); + + foreach ($discovery_types as $triple) { + list($type_uri, $server_rel, $delegate_rel) = $triple; + + $urls = Auth_OpenID_legacy_discover($html, $server_rel, + $delegate_rel); + + if ($urls === false) { + continue; + } + + list($delegate_url, $server_url) = $urls; + + $service = new Auth_OpenID_ServiceEndpoint(); + $service->claimed_id = $uri; + $service->local_id = $delegate_url; + $service->server_url = $server_url; + $service->type_uris = array($type_uri); + + $services[] = $service; + } + + return $services; + } + + function copy() + { + $x = new Auth_OpenID_ServiceEndpoint(); + + $x->claimed_id = $this->claimed_id; + $x->server_url = $this->server_url; + $x->type_uris = $this->type_uris; + $x->local_id = $this->local_id; + $x->canonicalID = $this->canonicalID; + $x->used_yadis = $this->used_yadis; + + return $x; + } +} + +function Auth_OpenID_findOPLocalIdentifier($service, $type_uris) +{ + // Extract a openid:Delegate value from a Yadis Service element. + // If no delegate is found, returns null. Returns false on + // discovery failure (when multiple delegate/localID tags have + // different values). + + $service->parser->registerNamespace('openid', + Auth_OpenID_XMLNS_1_0); + + $service->parser->registerNamespace('xrd', + Auth_Yadis_XMLNS_XRD_2_0); + + $parser =& $service->parser; + + $permitted_tags = array(); + + if (in_array(Auth_OpenID_TYPE_1_1, $type_uris) || + in_array(Auth_OpenID_TYPE_1_0, $type_uris)) { + $permitted_tags[] = 'openid:Delegate'; + } + + if (in_array(Auth_OpenID_TYPE_2_0, $type_uris)) { + $permitted_tags[] = 'xrd:LocalID'; + } + + $local_id = null; + + foreach ($permitted_tags as $tag_name) { + $tags = $service->getElements($tag_name); + + foreach ($tags as $tag) { + $content = $parser->content($tag); + + if ($local_id === null) { + $local_id = $content; + } else if ($local_id != $content) { + return false; + } + } + } + + return $local_id; +} + +function filter_MatchesAnyOpenIDType(&$service) +{ + $uris = $service->getTypes(); + + foreach ($uris as $uri) { + if (in_array($uri, Auth_OpenID_getOpenIDTypeURIs())) { + return true; + } + } + + return false; +} + +function Auth_OpenID_bestMatchingService($service, $preferred_types) +{ + // Return the index of the first matching type, or something + // higher if no type matches. + // + // This provides an ordering in which service elements that + // contain a type that comes earlier in the preferred types list + // come before service elements that come later. If a service + // element has more than one type, the most preferred one wins. + + foreach ($preferred_types as $index => $typ) { + if (in_array($typ, $service->type_uris)) { + return $index; + } + } + + return count($preferred_types); +} + +function Auth_OpenID_arrangeByType($service_list, $preferred_types) +{ + // Rearrange service_list in a new list so services are ordered by + // types listed in preferred_types. Return the new list. + + // Build a list with the service elements in tuples whose + // comparison will prefer the one with the best matching service + $prio_services = array(); + foreach ($service_list as $index => $service) { + $prio_services[] = array(Auth_OpenID_bestMatchingService($service, + $preferred_types), + $index, $service); + } + + sort($prio_services); + + // Now that the services are sorted by priority, remove the sort + // keys from the list. + foreach ($prio_services as $index => $s) { + $prio_services[$index] = $prio_services[$index][2]; + } + + return $prio_services; +} + +// Extract OP Identifier services. If none found, return the rest, +// sorted with most preferred first according to +// OpenIDServiceEndpoint.openid_type_uris. +// +// openid_services is a list of OpenIDServiceEndpoint objects. +// +// Returns a list of OpenIDServiceEndpoint objects.""" +function Auth_OpenID_getOPOrUserServices($openid_services) +{ + $op_services = Auth_OpenID_arrangeByType($openid_services, + array(Auth_OpenID_TYPE_2_0_IDP)); + + $openid_services = Auth_OpenID_arrangeByType($openid_services, + Auth_OpenID_getOpenIDTypeURIs()); + + if ($op_services) { + return $op_services; + } else { + return $openid_services; + } +} + +function Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services) +{ + $s = array(); + + if (!$yadis_services) { + return $s; + } + + foreach ($yadis_services as $service) { + $type_uris = $service->getTypes(); + $uris = $service->getURIs(); + + // If any Type URIs match and there is an endpoint URI + // specified, then this is an OpenID endpoint + if ($type_uris && + $uris) { + foreach ($uris as $service_uri) { + $openid_endpoint = new Auth_OpenID_ServiceEndpoint(); + if ($openid_endpoint->parseService($uri, + $service_uri, + $type_uris, + $service)) { + $s[] = $openid_endpoint; + } + } + } + } + + return $s; +} + +function Auth_OpenID_discoverWithYadis($uri, &$fetcher, + $endpoint_filter='Auth_OpenID_getOPOrUserServices', + $discover_function=null) +{ + // Discover OpenID services for a URI. Tries Yadis and falls back + // on old-style discovery if Yadis fails. + + // Might raise a yadis.discover.DiscoveryFailure if no document + // came back for that URI at all. I don't think falling back to + // OpenID 1.0 discovery on the same URL will help, so don't bother + // to catch it. + if ($discover_function === null) { + $discover_function = array('Auth_Yadis_Yadis', 'discover'); + } + + $openid_services = array(); + + $response = call_user_func_array($discover_function, + array($uri, &$fetcher)); + + $yadis_url = $response->normalized_uri; + $yadis_services = array(); + + if ($response->isFailure()) { + return array($uri, array()); + } + + $openid_services = Auth_OpenID_ServiceEndpoint::fromXRDS( + $yadis_url, + $response->response_text); + + if (!$openid_services) { + if ($response->isXRDS()) { + return Auth_OpenID_discoverWithoutYadis($uri, + $fetcher); + } + + // Try to parse the response as HTML to get OpenID 1.0/1.1 + // + $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( + $yadis_url, + $response->response_text); + } + + $openid_services = call_user_func_array($endpoint_filter, + array(&$openid_services)); + + return array($yadis_url, $openid_services); +} + +function Auth_OpenID_discoverURI($uri, &$fetcher) +{ + $parsed = parse_url($uri); + + if ($parsed && isset($parsed['scheme']) && + isset($parsed['host'])) { + if (!in_array($parsed['scheme'], array('http', 'https'))) { + // raise DiscoveryFailure('URI scheme is not HTTP or HTTPS', None) + return array($uri, array()); + } + } else { + $uri = 'http://' . $uri; + } + + $uri = Auth_OpenID::normalizeUrl($uri); + return Auth_OpenID_discoverWithYadis($uri, $fetcher); +} + +function Auth_OpenID_discoverWithoutYadis($uri, &$fetcher) +{ + $http_resp = @$fetcher->get($uri); + + if ($http_resp->status != 200) { + return array($uri, array()); + } + + $identity_url = $http_resp->final_url; + + // Try to parse the response as HTML to get OpenID 1.0/1.1 + $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( + $identity_url, + $http_resp->body); + + return array($identity_url, $openid_services); +} + +function Auth_OpenID_discoverXRI($iname, &$fetcher) +{ + $resolver = new Auth_Yadis_ProxyResolver($fetcher); + list($canonicalID, $yadis_services) = + $resolver->query($iname, + Auth_OpenID_getOpenIDTypeURIs(), + array('filter_MatchesAnyOpenIDType')); + + $openid_services = Auth_OpenID_makeOpenIDEndpoints($iname, + $yadis_services); + + $openid_services = Auth_OpenID_getOPOrUserServices($openid_services); + + for ($i = 0; $i < count($openid_services); $i++) { + $openid_services[$i]->canonicalID = $canonicalID; + $openid_services[$i]->claimed_id = $canonicalID; + $openid_services[$i]->display_identifier = $iname; + } + + // FIXME: returned xri should probably be in some normal form + return array($iname, $openid_services); +} + +function Auth_OpenID_discover($uri, &$fetcher) +{ + // If the fetcher (i.e., PHP) doesn't support SSL, we can't do + // discovery on an HTTPS URL. + if ($fetcher->isHTTPS($uri) && !$fetcher->supportsSSL()) { + return array($uri, array()); + } + + if (Auth_Yadis_identifierScheme($uri) == 'XRI') { + $result = Auth_OpenID_discoverXRI($uri, $fetcher); + } else { + $result = Auth_OpenID_discoverURI($uri, $fetcher); + } + + // If the fetcher doesn't support SSL, we can't interact with + // HTTPS server URLs; remove those endpoints from the list. + if (!$fetcher->supportsSSL()) { + $http_endpoints = array(); + list($new_uri, $endpoints) = $result; + + foreach ($endpoints as $e) { + if (!$fetcher->isHTTPS($e->server_url)) { + $http_endpoints[] = $e; + } + } + + $result = array($new_uri, $http_endpoints); + } + + return $result; +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/DumbStore.php b/models/Auth.old/OpenID/DumbStore.php new file mode 100644 index 000000000..ef1a37f82 --- /dev/null +++ b/models/Auth.old/OpenID/DumbStore.php @@ -0,0 +1,100 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * Import the interface for creating a new store class. + */ +require_once 'Auth/OpenID/Interface.php'; +require_once 'Auth/OpenID/HMACSHA1.php'; + +/** + * This is a store for use in the worst case, when you have no way of + * saving state on the consumer site. Using this store makes the + * consumer vulnerable to replay attacks, as it's unable to use + * nonces. Avoid using this store if it is at all possible. + * + * Most of the methods of this class are implementation details. + * Users of this class need to worry only about the constructor. + * + * @package OpenID + */ +class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore { + + /** + * Creates a new {@link Auth_OpenID_DumbStore} instance. For the security + * of the tokens generated by the library, this class attempts to + * at least have a secure implementation of getAuthKey. + * + * When you create an instance of this class, pass in a secret + * phrase. The phrase is hashed with sha1 to make it the correct + * length and form for an auth key. That allows you to use a long + * string as the secret phrase, which means you can make it very + * difficult to guess. + * + * Each {@link Auth_OpenID_DumbStore} instance that is created for use by + * your consumer site needs to use the same $secret_phrase. + * + * @param string secret_phrase The phrase used to create the auth + * key returned by getAuthKey + */ + function Auth_OpenID_DumbStore($secret_phrase) + { + $this->auth_key = Auth_OpenID_SHA1($secret_phrase); + } + + /** + * This implementation does nothing. + */ + function storeAssociation($server_url, $association) + { + } + + /** + * This implementation always returns null. + */ + function getAssociation($server_url, $handle = null) + { + return null; + } + + /** + * This implementation always returns false. + */ + function removeAssociation($server_url, $handle) + { + return false; + } + + /** + * In a system truly limited to dumb mode, nonces must all be + * accepted. This therefore always returns true, which makes + * replay attacks feasible. + */ + function useNonce($server_url, $timestamp, $salt) + { + return true; + } + + /** + * This method returns the auth key generated by the constructor. + */ + function getAuthKey() + { + return $this->auth_key; + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Extension.php b/models/Auth.old/OpenID/Extension.php new file mode 100644 index 000000000..73b5d502e --- /dev/null +++ b/models/Auth.old/OpenID/Extension.php @@ -0,0 +1,58 @@ +namespaces->addAlias($this->ns_uri, + $this->ns_alias) === null) { + if ($message->namespaces->getAlias($this->ns_uri) != + $this->ns_alias) { + return null; + } + } + + $message->updateArgs($this->ns_uri, + $this->getExtensionArgs()); + return $message; + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/FileStore.php b/models/Auth.old/OpenID/FileStore.php new file mode 100644 index 000000000..f6bf1702b --- /dev/null +++ b/models/Auth.old/OpenID/FileStore.php @@ -0,0 +1,618 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * Require base class for creating a new interface. + */ +require_once 'Auth/OpenID.php'; +require_once 'Auth/OpenID/Interface.php'; +require_once 'Auth/OpenID/HMACSHA1.php'; +require_once 'Auth/OpenID/Nonce.php'; + +/** + * This is a filesystem-based store for OpenID associations and + * nonces. This store should be safe for use in concurrent systems on + * both windows and unix (excluding NFS filesystems). There are a + * couple race conditions in the system, but those failure cases have + * been set up in such a way that the worst-case behavior is someone + * having to try to log in a second time. + * + * Most of the methods of this class are implementation details. + * People wishing to just use this store need only pay attention to + * the constructor. + * + * @package OpenID + */ +class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore { + + /** + * Initializes a new {@link Auth_OpenID_FileStore}. This + * initializes the nonce and association directories, which are + * subdirectories of the directory passed in. + * + * @param string $directory This is the directory to put the store + * directories in. + */ + function Auth_OpenID_FileStore($directory) + { + if (!Auth_OpenID::ensureDir($directory)) { + trigger_error('Not a directory and failed to create: ' + . $directory, E_USER_ERROR); + } + $directory = realpath($directory); + + $this->directory = $directory; + $this->active = true; + + $this->nonce_dir = $directory . DIRECTORY_SEPARATOR . 'nonces'; + + $this->association_dir = $directory . DIRECTORY_SEPARATOR . + 'associations'; + + // Temp dir must be on the same filesystem as the assciations + // $directory. + $this->temp_dir = $directory . DIRECTORY_SEPARATOR . 'temp'; + + $this->max_nonce_age = 6 * 60 * 60; // Six hours, in seconds + + if (!$this->_setup()) { + trigger_error('Failed to initialize OpenID file store in ' . + $directory, E_USER_ERROR); + } + } + + function destroy() + { + Auth_OpenID_FileStore::_rmtree($this->directory); + $this->active = false; + } + + /** + * Make sure that the directories in which we store our data + * exist. + * + * @access private + */ + function _setup() + { + return (Auth_OpenID::ensureDir($this->nonce_dir) && + Auth_OpenID::ensureDir($this->association_dir) && + Auth_OpenID::ensureDir($this->temp_dir)); + } + + /** + * Create a temporary file on the same filesystem as + * $this->association_dir. + * + * The temporary directory should not be cleaned if there are any + * processes using the store. If there is no active process using + * the store, it is safe to remove all of the files in the + * temporary directory. + * + * @return array ($fd, $filename) + * @access private + */ + function _mktemp() + { + $name = Auth_OpenID_FileStore::_mkstemp($dir = $this->temp_dir); + $file_obj = @fopen($name, 'wb'); + if ($file_obj !== false) { + return array($file_obj, $name); + } else { + Auth_OpenID_FileStore::_removeIfPresent($name); + } + } + + function cleanupNonces() + { + global $Auth_OpenID_SKEW; + + $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); + $now = time(); + + $removed = 0; + // Check all nonces for expiry + foreach ($nonces as $nonce_fname) { + $base = basename($nonce_fname); + $parts = explode('-', $base, 2); + $timestamp = $parts[0]; + $timestamp = intval($timestamp, 16); + if (abs($timestamp - $now) > $Auth_OpenID_SKEW) { + Auth_OpenID_FileStore::_removeIfPresent($nonce_fname); + $removed += 1; + } + } + return $removed; + } + + /** + * Create a unique filename for a given server url and + * handle. This implementation does not assume anything about the + * format of the handle. The filename that is returned will + * contain the domain name from the server URL for ease of human + * inspection of the data directory. + * + * @return string $filename + */ + function getAssociationFilename($server_url, $handle) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + if (strpos($server_url, '://') === false) { + trigger_error(sprintf("Bad server URL: %s", $server_url), + E_USER_WARNING); + return null; + } + + list($proto, $rest) = explode('://', $server_url, 2); + $parts = explode('/', $rest); + $domain = Auth_OpenID_FileStore::_filenameEscape($parts[0]); + $url_hash = Auth_OpenID_FileStore::_safe64($server_url); + if ($handle) { + $handle_hash = Auth_OpenID_FileStore::_safe64($handle); + } else { + $handle_hash = ''; + } + + $filename = sprintf('%s-%s-%s-%s', $proto, $domain, $url_hash, + $handle_hash); + + return $this->association_dir. DIRECTORY_SEPARATOR . $filename; + } + + /** + * Store an association in the association directory. + */ + function storeAssociation($server_url, $association) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return false; + } + + $association_s = $association->serialize(); + $filename = $this->getAssociationFilename($server_url, + $association->handle); + list($tmp_file, $tmp) = $this->_mktemp(); + + if (!$tmp_file) { + trigger_error("_mktemp didn't return a valid file descriptor", + E_USER_WARNING); + return false; + } + + fwrite($tmp_file, $association_s); + + fflush($tmp_file); + + fclose($tmp_file); + + if (@rename($tmp, $filename)) { + return true; + } else { + // In case we are running on Windows, try unlinking the + // file in case it exists. + @unlink($filename); + + // Now the target should not exist. Try renaming again, + // giving up if it fails. + if (@rename($tmp, $filename)) { + return true; + } + } + + // If there was an error, don't leave the temporary file + // around. + Auth_OpenID_FileStore::_removeIfPresent($tmp); + return false; + } + + /** + * Retrieve an association. If no handle is specified, return the + * association with the most recent issue time. + * + * @return mixed $association + */ + function getAssociation($server_url, $handle = null) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + if ($handle === null) { + $handle = ''; + } + + // The filename with the empty handle is a prefix of all other + // associations for the given server URL. + $filename = $this->getAssociationFilename($server_url, $handle); + + if ($handle) { + return $this->_getAssociation($filename); + } else { + $association_files = + Auth_OpenID_FileStore::_listdir($this->association_dir); + $matching_files = array(); + + // strip off the path to do the comparison + $name = basename($filename); + foreach ($association_files as $association_file) { + $base = basename($association_file); + if (strpos($base, $name) === 0) { + $matching_files[] = $association_file; + } + } + + $matching_associations = array(); + // read the matching files and sort by time issued + foreach ($matching_files as $full_name) { + $association = $this->_getAssociation($full_name); + if ($association !== null) { + $matching_associations[] = array($association->issued, + $association); + } + } + + $issued = array(); + $assocs = array(); + foreach ($matching_associations as $key => $assoc) { + $issued[$key] = $assoc[0]; + $assocs[$key] = $assoc[1]; + } + + array_multisort($issued, SORT_DESC, $assocs, SORT_DESC, + $matching_associations); + + // return the most recently issued one. + if ($matching_associations) { + list($issued, $assoc) = $matching_associations[0]; + return $assoc; + } else { + return null; + } + } + } + + /** + * @access private + */ + function _getAssociation($filename) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + $assoc_file = @fopen($filename, 'rb'); + + if ($assoc_file === false) { + return null; + } + + $assoc_s = fread($assoc_file, filesize($filename)); + fclose($assoc_file); + + if (!$assoc_s) { + return null; + } + + $association = + Auth_OpenID_Association::deserialize('Auth_OpenID_Association', + $assoc_s); + + if (!$association) { + Auth_OpenID_FileStore::_removeIfPresent($filename); + return null; + } + + if ($association->getExpiresIn() == 0) { + Auth_OpenID_FileStore::_removeIfPresent($filename); + return null; + } else { + return $association; + } + } + + /** + * Remove an association if it exists. Do nothing if it does not. + * + * @return bool $success + */ + function removeAssociation($server_url, $handle) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + $assoc = $this->getAssociation($server_url, $handle); + if ($assoc === null) { + return false; + } else { + $filename = $this->getAssociationFilename($server_url, $handle); + return Auth_OpenID_FileStore::_removeIfPresent($filename); + } + } + + /** + * Return whether this nonce is present. As a side effect, mark it + * as no longer present. + * + * @return bool $present + */ + function useNonce($server_url, $timestamp, $salt) + { + global $Auth_OpenID_SKEW; + + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) { + return False; + } + + if ($server_url) { + list($proto, $rest) = explode('://', $server_url, 2); + } else { + $proto = ''; + $rest = ''; + } + + $parts = explode('/', $rest, 2); + $domain = $this->_filenameEscape($parts[0]); + $url_hash = $this->_safe64($server_url); + $salt_hash = $this->_safe64($salt); + + $filename = sprintf('%08x-%s-%s-%s-%s', $timestamp, $proto, + $domain, $url_hash, $salt_hash); + $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $filename; + + $result = @fopen($filename, 'x'); + + if ($result === false) { + return false; + } else { + fclose($result); + return true; + } + } + + /** + * Remove expired entries from the database. This is potentially + * expensive, so only run when it is acceptable to take time. + * + * @access private + */ + function _allAssocs() + { + $all_associations = array(); + + $association_filenames = + Auth_OpenID_FileStore::_listdir($this->association_dir); + + foreach ($association_filenames as $association_filename) { + $association_file = fopen($association_filename, 'rb'); + + if ($association_file !== false) { + $assoc_s = fread($association_file, + filesize($association_filename)); + fclose($association_file); + + // Remove expired or corrupted associations + $association = + Auth_OpenID_Association::deserialize( + 'Auth_OpenID_Association', $assoc_s); + + if ($association === null) { + Auth_OpenID_FileStore::_removeIfPresent( + $association_filename); + } else { + if ($association->getExpiresIn() == 0) { + $all_associations[] = array($association_filename, + $association); + } + } + } + } + + return $all_associations; + } + + function clean() + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); + $now = time(); + + // Check all nonces for expiry + foreach ($nonces as $nonce) { + if (!Auth_OpenID_checkTimestamp($nonce, $now)) { + $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $nonce; + Auth_OpenID_FileStore::_removeIfPresent($filename); + } + } + + foreach ($this->_allAssocs() as $pair) { + list($assoc_filename, $assoc) = $pair; + if ($assoc->getExpiresIn() == 0) { + Auth_OpenID_FileStore::_removeIfPresent($assoc_filename); + } + } + } + + /** + * @access private + */ + function _rmtree($dir) + { + if ($dir[strlen($dir) - 1] != DIRECTORY_SEPARATOR) { + $dir .= DIRECTORY_SEPARATOR; + } + + if ($handle = opendir($dir)) { + while ($item = readdir($handle)) { + if (!in_array($item, array('.', '..'))) { + if (is_dir($dir . $item)) { + + if (!Auth_OpenID_FileStore::_rmtree($dir . $item)) { + return false; + } + } else if (is_file($dir . $item)) { + if (!unlink($dir . $item)) { + return false; + } + } + } + } + + closedir($handle); + + if (!@rmdir($dir)) { + return false; + } + + return true; + } else { + // Couldn't open directory. + return false; + } + } + + /** + * @access private + */ + function _mkstemp($dir) + { + foreach (range(0, 4) as $i) { + $name = tempnam($dir, "php_openid_filestore_"); + + if ($name !== false) { + return $name; + } + } + return false; + } + + /** + * @access private + */ + function _mkdtemp($dir) + { + foreach (range(0, 4) as $i) { + $name = $dir . strval(DIRECTORY_SEPARATOR) . strval(getmypid()) . + "-" . strval(rand(1, time())); + if (!mkdir($name, 0700)) { + return false; + } else { + return $name; + } + } + return false; + } + + /** + * @access private + */ + function _listdir($dir) + { + $handle = opendir($dir); + $files = array(); + while (false !== ($filename = readdir($handle))) { + if (!in_array($filename, array('.', '..'))) { + $files[] = $dir . DIRECTORY_SEPARATOR . $filename; + } + } + return $files; + } + + /** + * @access private + */ + function _isFilenameSafe($char) + { + $_Auth_OpenID_filename_allowed = Auth_OpenID_letters . + Auth_OpenID_digits . "."; + return (strpos($_Auth_OpenID_filename_allowed, $char) !== false); + } + + /** + * @access private + */ + function _safe64($str) + { + $h64 = base64_encode(Auth_OpenID_SHA1($str)); + $h64 = str_replace('+', '_', $h64); + $h64 = str_replace('/', '.', $h64); + $h64 = str_replace('=', '', $h64); + return $h64; + } + + /** + * @access private + */ + function _filenameEscape($str) + { + $filename = ""; + $b = Auth_OpenID::toBytes($str); + + for ($i = 0; $i < count($b); $i++) { + $c = $b[$i]; + if (Auth_OpenID_FileStore::_isFilenameSafe($c)) { + $filename .= $c; + } else { + $filename .= sprintf("_%02X", ord($c)); + } + } + return $filename; + } + + /** + * Attempt to remove a file, returning whether the file existed at + * the time of the call. + * + * @access private + * @return bool $result True if the file was present, false if not. + */ + function _removeIfPresent($filename) + { + return @unlink($filename); + } + + function cleanupAssociations() + { + $removed = 0; + foreach ($this->_allAssocs() as $pair) { + list($assoc_filename, $assoc) = $pair; + if ($assoc->getExpiresIn() == 0) { + $this->_removeIfPresent($assoc_filename); + $removed += 1; + } + } + return $removed; + } +} + +?> diff --git a/models/Auth.old/OpenID/HMACSHA1.php b/models/Auth.old/OpenID/HMACSHA1.php new file mode 100644 index 000000000..9fc293e7f --- /dev/null +++ b/models/Auth.old/OpenID/HMACSHA1.php @@ -0,0 +1,99 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +require_once 'Auth/OpenID.php'; + +/** + * SHA1_BLOCKSIZE is this module's SHA1 blocksize used by the fallback + * implementation. + */ +define('Auth_OpenID_SHA1_BLOCKSIZE', 64); + +function Auth_OpenID_SHA1($text) +{ + if (function_exists('hash') && + function_exists('hash_algos') && + (in_array('sha1', hash_algos()))) { + // PHP 5 case (sometimes): 'hash' available and 'sha1' algo + // supported. + return hash('sha1', $text, true); + } else if (function_exists('sha1')) { + // PHP 4 case: 'sha1' available. + $hex = sha1($text); + $raw = ''; + for ($i = 0; $i < 40; $i += 2) { + $hexcode = substr($hex, $i, 2); + $charcode = (int)base_convert($hexcode, 16, 10); + $raw .= chr($charcode); + } + return $raw; + } else { + // Explode. + trigger_error('No SHA1 function found', E_USER_ERROR); + } +} + +/** + * Compute an HMAC/SHA1 hash. + * + * @access private + * @param string $key The HMAC key + * @param string $text The message text to hash + * @return string $mac The MAC + */ +function Auth_OpenID_HMACSHA1($key, $text) +{ + if (Auth_OpenID::bytes($key) > Auth_OpenID_SHA1_BLOCKSIZE) { + $key = Auth_OpenID_SHA1($key, true); + } + + $key = str_pad($key, Auth_OpenID_SHA1_BLOCKSIZE, chr(0x00)); + $ipad = str_repeat(chr(0x36), Auth_OpenID_SHA1_BLOCKSIZE); + $opad = str_repeat(chr(0x5c), Auth_OpenID_SHA1_BLOCKSIZE); + $hash1 = Auth_OpenID_SHA1(($key ^ $ipad) . $text, true); + $hmac = Auth_OpenID_SHA1(($key ^ $opad) . $hash1, true); + return $hmac; +} + +if (function_exists('hash') && + function_exists('hash_algos') && + (in_array('sha256', hash_algos()))) { + function Auth_OpenID_SHA256($text) + { + // PHP 5 case: 'hash' available and 'sha256' algo supported. + return hash('sha256', $text, true); + } + define('Auth_OpenID_SHA256_SUPPORTED', true); +} else { + define('Auth_OpenID_SHA256_SUPPORTED', false); +} + +if (function_exists('hash_hmac') && + function_exists('hash_algos') && + (in_array('sha256', hash_algos()))) { + + function Auth_OpenID_HMACSHA256($key, $text) + { + // Return raw MAC (not hex string). + return hash_hmac('sha256', $key, $text, true); + } + + define('Auth_OpenID_HMACSHA256_SUPPORTED', true); +} else { + define('Auth_OpenID_HMACSHA256_SUPPORTED', false); +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Interface.php b/models/Auth.old/OpenID/Interface.php new file mode 100644 index 000000000..38fe36983 --- /dev/null +++ b/models/Auth.old/OpenID/Interface.php @@ -0,0 +1,197 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * This is the interface for the store objects the OpenID library + * uses. It is a single class that provides all of the persistence + * mechanisms that the OpenID library needs, for both servers and + * consumers. If you want to create an SQL-driven store, please see + * then {@link Auth_OpenID_SQLStore} class. + * + * Change: Version 2.0 removed the storeNonce, getAuthKey, and isDumb + * methods, and changed the behavior of the useNonce method to support + * one-way nonces. + * + * @package OpenID + * @author JanRain, Inc. + */ +class Auth_OpenID_OpenIDStore { + /** + * This method puts an Association object into storage, + * retrievable by server URL and handle. + * + * @param string $server_url The URL of the identity server that + * this association is with. Because of the way the server portion + * of the library uses this interface, don't assume there are any + * limitations on the character set of the input string. In + * particular, expect to see unescaped non-url-safe characters in + * the server_url field. + * + * @param Association $association The Association to store. + */ + function storeAssociation($server_url, $association) + { + trigger_error("Auth_OpenID_OpenIDStore::storeAssociation ". + "not implemented", E_USER_ERROR); + } + + /* + * Remove expired nonces from the store. + * + * Discards any nonce from storage that is old enough that its + * timestamp would not pass useNonce(). + * + * This method is not called in the normal operation of the + * library. It provides a way for store admins to keep their + * storage from filling up with expired data. + * + * @return the number of nonces expired + */ + function cleanupNonces() + { + trigger_error("Auth_OpenID_OpenIDStore::cleanupNonces ". + "not implemented", E_USER_ERROR); + } + + /* + * Remove expired associations from the store. + * + * This method is not called in the normal operation of the + * library. It provides a way for store admins to keep their + * storage from filling up with expired data. + * + * @return the number of associations expired. + */ + function cleanupAssociations() + { + trigger_error("Auth_OpenID_OpenIDStore::cleanupAssociations ". + "not implemented", E_USER_ERROR); + } + + /* + * Shortcut for cleanupNonces(), cleanupAssociations(). + * + * This method is not called in the normal operation of the + * library. It provides a way for store admins to keep their + * storage from filling up with expired data. + */ + function cleanup() + { + return array($this->cleanupNonces(), + $this->cleanupAssociations()); + } + + /** + * Report whether this storage supports cleanup + */ + function supportsCleanup() + { + return true; + } + + /** + * This method returns an Association object from storage that + * matches the server URL and, if specified, handle. It returns + * null if no such association is found or if the matching + * association is expired. + * + * If no handle is specified, the store may return any association + * which matches the server URL. If multiple associations are + * valid, the recommended return value for this method is the one + * most recently issued. + * + * This method is allowed (and encouraged) to garbage collect + * expired associations when found. This method must not return + * expired associations. + * + * @param string $server_url The URL of the identity server to get + * the association for. Because of the way the server portion of + * the library uses this interface, don't assume there are any + * limitations on the character set of the input string. In + * particular, expect to see unescaped non-url-safe characters in + * the server_url field. + * + * @param mixed $handle This optional parameter is the handle of + * the specific association to get. If no specific handle is + * provided, any valid association matching the server URL is + * returned. + * + * @return Association The Association for the given identity + * server. + */ + function getAssociation($server_url, $handle = null) + { + trigger_error("Auth_OpenID_OpenIDStore::getAssociation ". + "not implemented", E_USER_ERROR); + } + + /** + * This method removes the matching association if it's found, and + * returns whether the association was removed or not. + * + * @param string $server_url The URL of the identity server the + * association to remove belongs to. Because of the way the server + * portion of the library uses this interface, don't assume there + * are any limitations on the character set of the input + * string. In particular, expect to see unescaped non-url-safe + * characters in the server_url field. + * + * @param string $handle This is the handle of the association to + * remove. If there isn't an association found that matches both + * the given URL and handle, then there was no matching handle + * found. + * + * @return mixed Returns whether or not the given association existed. + */ + function removeAssociation($server_url, $handle) + { + trigger_error("Auth_OpenID_OpenIDStore::removeAssociation ". + "not implemented", E_USER_ERROR); + } + + /** + * Called when using a nonce. + * + * This method should return C{True} if the nonce has not been + * used before, and store it for a while to make sure nobody + * tries to use the same value again. If the nonce has already + * been used, return C{False}. + * + * Change: In earlier versions, round-trip nonces were used and a + * nonce was only valid if it had been previously stored with + * storeNonce. Version 2.0 uses one-way nonces, requiring a + * different implementation here that does not depend on a + * storeNonce call. (storeNonce is no longer part of the + * interface. + * + * @param string $nonce The nonce to use. + * + * @return bool Whether or not the nonce was valid. + */ + function useNonce($server_url, $timestamp, $salt) + { + trigger_error("Auth_OpenID_OpenIDStore::useNonce ". + "not implemented", E_USER_ERROR); + } + + /** + * Removes all entries from the store; implementation is optional. + */ + function reset() + { + } + +} +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/KVForm.php b/models/Auth.old/OpenID/KVForm.php new file mode 100644 index 000000000..6075c44f0 --- /dev/null +++ b/models/Auth.old/OpenID/KVForm.php @@ -0,0 +1,112 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * Container for key-value/comma-newline OpenID format and parsing + */ +class Auth_OpenID_KVForm { + /** + * Convert an OpenID colon/newline separated string into an + * associative array + * + * @static + * @access private + */ + function toArray($kvs, $strict=false) + { + $lines = explode("\n", $kvs); + + $last = array_pop($lines); + if ($last !== '') { + array_push($lines, $last); + if ($strict) { + return false; + } + } + + $values = array(); + + for ($lineno = 0; $lineno < count($lines); $lineno++) { + $line = $lines[$lineno]; + $kv = explode(':', $line, 2); + if (count($kv) != 2) { + if ($strict) { + return false; + } + continue; + } + + $key = $kv[0]; + $tkey = trim($key); + if ($tkey != $key) { + if ($strict) { + return false; + } + } + + $value = $kv[1]; + $tval = trim($value); + if ($tval != $value) { + if ($strict) { + return false; + } + } + + $values[$tkey] = $tval; + } + + return $values; + } + + /** + * Convert an array into an OpenID colon/newline separated string + * + * @static + * @access private + */ + function fromArray($values) + { + if ($values === null) { + return null; + } + + ksort($values); + + $serialized = ''; + foreach ($values as $key => $value) { + if (is_array($value)) { + list($key, $value) = array($value[0], $value[1]); + } + + if (strpos($key, ':') !== false) { + return null; + } + + if (strpos($key, "\n") !== false) { + return null; + } + + if (strpos($value, "\n") !== false) { + return null; + } + $serialized .= "$key:$value\n"; + } + return $serialized; + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/MemcachedStore.php b/models/Auth.old/OpenID/MemcachedStore.php new file mode 100644 index 000000000..7f9b180a4 --- /dev/null +++ b/models/Auth.old/OpenID/MemcachedStore.php @@ -0,0 +1,207 @@ + + * @copyright Open Web Technologies + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +/** + * Import the interface for creating a new store class. + */ +require_once 'Auth/OpenID/Interface.php'; + +/** + * This is a memcached-based store for OpenID associations and + * nonces. + * + * As memcache has limit of 250 chars for key length, + * server_url, handle and salt are hashed with sha1(). + * + * Most of the methods of this class are implementation details. + * People wishing to just use this store need only pay attention to + * the constructor. + * + * @package OpenID + */ +class Auth_OpenID_MemcachedStore extends Auth_OpenID_OpenIDStore { + + /** + * Initializes a new {@link Auth_OpenID_MemcachedStore} instance. + * Just saves memcached object as property. + * + * @param resource connection Memcache connection resourse + */ + function Auth_OpenID_MemcachedStore($connection, $compress = false) + { + $this->connection = $connection; + $this->compress = $compress ? MEMCACHE_COMPRESSED : 0; + } + + /** + * Store association until its expiration time in memcached. + * Overwrites any existing association with same server_url and + * handle. Handles list of associations for every server. + */ + function storeAssociation($server_url, $association) + { + // create memcached keys for association itself + // and list of associations for this server + $associationKey = $this->associationKey($server_url, + $association->handle); + $serverKey = $this->associationServerKey($server_url); + + // get list of associations + $serverAssociations = $this->connection->get($serverKey); + + // if no such list, initialize it with empty array + if (!$serverAssociations) { + $serverAssociations = array(); + } + // and store given association key in it + $serverAssociations[$association->issued] = $associationKey; + + // save associations' keys list + $this->connection->set( + $serverKey, + $serverAssociations, + $this->compress + ); + // save association itself + $this->connection->set( + $associationKey, + $association, + $this->compress, + $association->issued + $association->lifetime); + } + + /** + * Read association from memcached. If no handle given + * and multiple associations found, returns latest issued + */ + function getAssociation($server_url, $handle = null) + { + // simple case: handle given + if ($handle !== null) { + // get association, return null if failed + $association = $this->connection->get( + $this->associationKey($server_url, $handle)); + return $association ? $association : null; + } + + // no handle given, working with list + // create key for list of associations + $serverKey = $this->associationServerKey($server_url); + + // get list of associations + $serverAssociations = $this->connection->get($serverKey); + // return null if failed or got empty list + if (!$serverAssociations) { + return null; + } + + // get key of most recently issued association + $keys = array_keys($serverAssociations); + sort($keys); + $lastKey = $serverAssociations[array_pop($keys)]; + + // get association, return null if failed + $association = $this->connection->get($lastKey); + return $association ? $association : null; + } + + /** + * Immediately delete association from memcache. + */ + function removeAssociation($server_url, $handle) + { + // create memcached keys for association itself + // and list of associations for this server + $serverKey = $this->associationServerKey($server_url); + $associationKey = $this->associationKey($server_url, + $handle); + + // get list of associations + $serverAssociations = $this->connection->get($serverKey); + // return null if failed or got empty list + if (!$serverAssociations) { + return false; + } + + // ensure that given association key exists in list + $serverAssociations = array_flip($serverAssociations); + if (!array_key_exists($associationKey, $serverAssociations)) { + return false; + } + + // remove given association key from list + unset($serverAssociations[$associationKey]); + $serverAssociations = array_flip($serverAssociations); + + // save updated list + $this->connection->set( + $serverKey, + $serverAssociations, + $this->compress + ); + + // delete association + return $this->connection->delete($associationKey); + } + + /** + * Create nonce for server and salt, expiring after + * $Auth_OpenID_SKEW seconds. + */ + function useNonce($server_url, $timestamp, $salt) + { + global $Auth_OpenID_SKEW; + + // save one request to memcache when nonce obviously expired + if (abs($timestamp - time()) > $Auth_OpenID_SKEW) { + return false; + } + + // returns false when nonce already exists + // otherwise adds nonce + return $this->connection->add( + 'openid_nonce_' . sha1($server_url) . '_' . sha1($salt), + 1, // any value here + $this->compress, + $Auth_OpenID_SKEW); + } + + /** + * Memcache key is prefixed with 'openid_association_' string. + */ + function associationKey($server_url, $handle = null) + { + return 'openid_association_' . sha1($server_url) . '_' . sha1($handle); + } + + /** + * Memcache key is prefixed with 'openid_association_' string. + */ + function associationServerKey($server_url) + { + return 'openid_association_server_' . sha1($server_url); + } + + /** + * Report that this storage doesn't support cleanup + */ + function supportsCleanup() + { + return false; + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Message.php b/models/Auth.old/OpenID/Message.php new file mode 100644 index 000000000..8a02ab22c --- /dev/null +++ b/models/Auth.old/OpenID/Message.php @@ -0,0 +1,895 @@ +keys = array(); + $this->values = array(); + + if (is_array($classic_array)) { + foreach ($classic_array as $key => $value) { + $this->set($key, $value); + } + } + } + + /** + * Returns true if $thing is an Auth_OpenID_Mapping object; false + * if not. + */ + function isA($thing) + { + return (is_object($thing) && + strtolower(get_class($thing)) == 'auth_openid_mapping'); + } + + /** + * Returns an array of the keys in the mapping. + */ + function keys() + { + return $this->keys; + } + + /** + * Returns an array of values in the mapping. + */ + function values() + { + return $this->values; + } + + /** + * Returns an array of (key, value) pairs in the mapping. + */ + function items() + { + $temp = array(); + + for ($i = 0; $i < count($this->keys); $i++) { + $temp[] = array($this->keys[$i], + $this->values[$i]); + } + return $temp; + } + + /** + * Returns the "length" of the mapping, or the number of keys. + */ + function len() + { + return count($this->keys); + } + + /** + * Sets a key-value pair in the mapping. If the key already + * exists, its value is replaced with the new value. + */ + function set($key, $value) + { + $index = array_search($key, $this->keys); + + if ($index !== false) { + $this->values[$index] = $value; + } else { + $this->keys[] = $key; + $this->values[] = $value; + } + } + + /** + * Gets a specified value from the mapping, associated with the + * specified key. If the key does not exist in the mapping, + * $default is returned instead. + */ + function get($key, $default = null) + { + $index = array_search($key, $this->keys); + + if ($index !== false) { + return $this->values[$index]; + } else { + return $default; + } + } + + /** + * @access private + */ + function _reflow() + { + // PHP is broken yet again. Sort the arrays to remove the + // hole in the numeric indexes that make up the array. + $old_keys = $this->keys; + $old_values = $this->values; + + $this->keys = array(); + $this->values = array(); + + foreach ($old_keys as $k) { + $this->keys[] = $k; + } + + foreach ($old_values as $v) { + $this->values[] = $v; + } + } + + /** + * Deletes a key-value pair from the mapping with the specified + * key. + */ + function del($key) + { + $index = array_search($key, $this->keys); + + if ($index !== false) { + unset($this->keys[$index]); + unset($this->values[$index]); + $this->_reflow(); + return true; + } + return false; + } + + /** + * Returns true if the specified value has a key in the mapping; + * false if not. + */ + function contains($value) + { + return (array_search($value, $this->keys) !== false); + } +} + +/** + * Maintains a bijective map between namespace uris and aliases. + * + * @package OpenID + */ +class Auth_OpenID_NamespaceMap { + function Auth_OpenID_NamespaceMap() + { + $this->alias_to_namespace = new Auth_OpenID_Mapping(); + $this->namespace_to_alias = new Auth_OpenID_Mapping(); + } + + function getAlias($namespace_uri) + { + return $this->namespace_to_alias->get($namespace_uri); + } + + function getNamespaceURI($alias) + { + return $this->alias_to_namespace->get($alias); + } + + function iterNamespaceURIs() + { + // Return an iterator over the namespace URIs + return $this->namespace_to_alias->keys(); + } + + function iterAliases() + { + // Return an iterator over the aliases""" + return $this->alias_to_namespace->keys(); + } + + function iteritems() + { + return $this->namespace_to_alias->items(); + } + + function addAlias($namespace_uri, $desired_alias) + { + // Add an alias from this namespace URI to the desired alias + global $Auth_OpenID_OPENID_PROTOCOL_FIELDS; + + // Check that desired_alias is not an openid protocol field as + // per the spec. + if (in_array($desired_alias, $Auth_OpenID_OPENID_PROTOCOL_FIELDS)) { + // "%r is not an allowed namespace alias" % (desired_alias,); + return null; + } + + // Check that desired_alias does not contain a period as per + // the spec. + if (strpos($desired_alias, '.') !== false) { + // "%r must not contain a dot" % (desired_alias,) + return null; + } + + // Check that there is not a namespace already defined for the + // desired alias + $current_namespace_uri = + $this->alias_to_namespace->get($desired_alias); + + if (($current_namespace_uri !== null) && + ($current_namespace_uri != $namespace_uri)) { + // Cannot map because previous mapping exists + return null; + } + + // Check that there is not already a (different) alias for + // this namespace URI + $alias = $this->namespace_to_alias->get($namespace_uri); + + if (($alias !== null) && ($alias != $desired_alias)) { + // fmt = ('Cannot map %r to alias %r. ' + // 'It is already mapped to alias %r') + // raise KeyError(fmt % (namespace_uri, desired_alias, alias)) + return null; + } + + assert((Auth_OpenID_NULL_NAMESPACE === $desired_alias) || + is_string($desired_alias)); + + $this->alias_to_namespace->set($desired_alias, $namespace_uri); + $this->namespace_to_alias->set($namespace_uri, $desired_alias); + + return $desired_alias; + } + + function add($namespace_uri) + { + // Add this namespace URI to the mapping, without caring what + // alias it ends up with + + // See if this namespace is already mapped to an alias + $alias = $this->namespace_to_alias->get($namespace_uri); + + if ($alias !== null) { + return $alias; + } + + // Fall back to generating a numerical alias + $i = 0; + while (1) { + $alias = 'ext' . strval($i); + if ($this->addAlias($namespace_uri, $alias) === null) { + $i += 1; + } else { + return $alias; + } + } + + // Should NEVER be reached! + return null; + } + + function contains($namespace_uri) + { + return $this->isDefined($namespace_uri); + } + + function isDefined($namespace_uri) + { + return $this->namespace_to_alias->contains($namespace_uri); + } +} + +/** + * In the implementation of this object, null represents the global + * namespace as well as a namespace with no key. + * + * @package OpenID + */ +class Auth_OpenID_Message { + + function Auth_OpenID_Message($openid_namespace = null) + { + // Create an empty Message + $this->allowed_openid_namespaces = array( + Auth_OpenID_OPENID1_NS, + Auth_OpenID_OPENID2_NS); + + $this->args = new Auth_OpenID_Mapping(); + $this->namespaces = new Auth_OpenID_NamespaceMap(); + if ($openid_namespace === null) { + $this->_openid_ns_uri = null; + } else { + $this->setOpenIDNamespace($openid_namespace); + } + } + + function isOpenID1() + { + return $this->getOpenIDNamespace() == Auth_OpenID_OPENID1_NS; + } + + function isOpenID2() + { + return $this->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS; + } + + function fromPostArgs($args) + { + // Construct a Message containing a set of POST arguments + $obj = new Auth_OpenID_Message(); + + // Partition into "openid." args and bare args + $openid_args = array(); + foreach ($args as $key => $value) { + + if (is_array($value)) { + return null; + } + + $parts = explode('.', $key, 2); + + if (count($parts) == 2) { + list($prefix, $rest) = $parts; + } else { + $prefix = null; + } + + if ($prefix != 'openid') { + $obj->args->set(array(Auth_OpenID_BARE_NS, $key), $value); + } else { + $openid_args[$rest] = $value; + } + } + + if ($obj->_fromOpenIDArgs($openid_args)) { + return $obj; + } else { + return null; + } + } + + function fromOpenIDArgs($openid_args) + { + // Takes an array. + + // Construct a Message from a parsed KVForm message + $obj = new Auth_OpenID_Message(); + if ($obj->_fromOpenIDArgs($openid_args)) { + return $obj; + } else { + return null; + } + } + + /** + * @access private + */ + function _fromOpenIDArgs($openid_args) + { + global $Auth_OpenID_registered_aliases; + + // Takes an Auth_OpenID_Mapping instance OR an array. + + if (!Auth_OpenID_Mapping::isA($openid_args)) { + $openid_args = new Auth_OpenID_Mapping($openid_args); + } + + $ns_args = array(); + + // Resolve namespaces + foreach ($openid_args->items() as $pair) { + list($rest, $value) = $pair; + + $parts = explode('.', $rest, 2); + + if (count($parts) == 2) { + list($ns_alias, $ns_key) = $parts; + } else { + $ns_alias = Auth_OpenID_NULL_NAMESPACE; + $ns_key = $rest; + } + + if ($ns_alias == 'ns') { + if ($this->namespaces->addAlias($value, $ns_key) === null) { + return false; + } + } else if (($ns_alias == Auth_OpenID_NULL_NAMESPACE) && + ($ns_key == 'ns')) { + // null namespace + if ($this->namespaces->addAlias($value, + Auth_OpenID_NULL_NAMESPACE) === null) { + return false; + } + } else { + $ns_args[] = array($ns_alias, $ns_key, $value); + } + } + + // Ensure that there is an OpenID namespace definition + $openid_ns_uri = + $this->namespaces->getNamespaceURI(Auth_OpenID_NULL_NAMESPACE); + + if ($openid_ns_uri === null) { + $openid_ns_uri = Auth_OpenID_OPENID1_NS; + } + + $this->setOpenIDNamespace($openid_ns_uri); + + // Actually put the pairs into the appropriate namespaces + foreach ($ns_args as $triple) { + list($ns_alias, $ns_key, $value) = $triple; + $ns_uri = $this->namespaces->getNamespaceURI($ns_alias); + if ($ns_uri === null) { + // Only try to map an alias to a default if it's an + // OpenID 1.x message. + if ($openid_ns_uri == Auth_OpenID_OPENID1_NS) { + foreach ($Auth_OpenID_registered_aliases + as $alias => $uri) { + if ($alias == $ns_alias) { + $ns_uri = $uri; + break; + } + } + } + + if ($ns_uri === null) { + $ns_uri = $openid_ns_uri; + $ns_key = sprintf('%s.%s', $ns_alias, $ns_key); + } else { + $this->namespaces->addAlias($ns_uri, $ns_alias); + } + } + + $this->setArg($ns_uri, $ns_key, $value); + } + + return true; + } + + function setOpenIDNamespace($openid_ns_uri) + { + if (!in_array($openid_ns_uri, $this->allowed_openid_namespaces)) { + // raise ValueError('Invalid null namespace: %r' % (openid_ns_uri,)) + return false; + } + + $this->namespaces->addAlias($openid_ns_uri, + Auth_OpenID_NULL_NAMESPACE); + $this->_openid_ns_uri = $openid_ns_uri; + } + + function getOpenIDNamespace() + { + return $this->_openid_ns_uri; + } + + function fromKVForm($kvform_string) + { + // Create a Message from a KVForm string + return Auth_OpenID_Message::fromOpenIDArgs( + Auth_OpenID_KVForm::toArray($kvform_string)); + } + + function copy() + { + return $this; + } + + function toPostArgs() + { + // Return all arguments with openid. in front of namespaced + // arguments. + + $args = array(); + + // Add namespace definitions to the output + foreach ($this->namespaces->iteritems() as $pair) { + list($ns_uri, $alias) = $pair; + + if ($alias == Auth_OpenID_NULL_NAMESPACE) { + if ($ns_uri != Auth_OpenID_OPENID1_NS) { + $args['openid.ns'] = $ns_uri; + } else { + // drop the default null namespace + // definition. This potentially changes a message + // since we have no way of knowing whether it was + // explicitly specified at the time the message + // was parsed. The vast majority of the time, this + // will be the right thing to do. Possibly this + // could look in the signed list. + } + } else { + if ($this->getOpenIDNamespace() != Auth_OpenID_OPENID1_NS) { + $ns_key = 'openid.ns.' . $alias; + $args[$ns_key] = $ns_uri; + } + } + } + + foreach ($this->args->items() as $pair) { + list($ns_parts, $value) = $pair; + list($ns_uri, $ns_key) = $ns_parts; + $key = $this->getKey($ns_uri, $ns_key); + $args[$key] = $value; + } + + return $args; + } + + function toArgs() + { + // Return all namespaced arguments, failing if any + // non-namespaced arguments exist. + $post_args = $this->toPostArgs(); + $kvargs = array(); + foreach ($post_args as $k => $v) { + if (strpos($k, 'openid.') !== 0) { + // raise ValueError( + // 'This message can only be encoded as a POST, because it ' + // 'contains arguments that are not prefixed with "openid."') + return null; + } else { + $kvargs[substr($k, 7)] = $v; + } + } + + return $kvargs; + } + + function toFormMarkup($action_url, $form_tag_attrs = null, + $submit_text = "Continue") + { + $form = "
$attr) { + $form .= sprintf(" %s=\"%s\"", $name, $attr); + } + } + + $form .= ">\n"; + + foreach ($this->toPostArgs() as $name => $value) { + $form .= sprintf( + "\n", + $name, $value); + } + + $form .= sprintf("\n", + $submit_text); + + $form .= "
\n"; + + return $form; + } + + function toURL($base_url) + { + // Generate a GET URL with the parameters in this message + // attached as query parameters. + return Auth_OpenID::appendArgs($base_url, $this->toPostArgs()); + } + + function toKVForm() + { + // Generate a KVForm string that contains the parameters in + // this message. This will fail if the message contains + // arguments outside of the 'openid.' prefix. + return Auth_OpenID_KVForm::fromArray($this->toArgs()); + } + + function toURLEncoded() + { + // Generate an x-www-urlencoded string + $args = array(); + + foreach ($this->toPostArgs() as $k => $v) { + $args[] = array($k, $v); + } + + sort($args); + return Auth_OpenID::httpBuildQuery($args); + } + + /** + * @access private + */ + function _fixNS($namespace) + { + // Convert an input value into the internally used values of + // this object + + if ($namespace == Auth_OpenID_OPENID_NS) { + if ($this->_openid_ns_uri === null) { + // raise UndefinedOpenIDNamespace('OpenID namespace not set') + return null; + } else { + $namespace = $this->_openid_ns_uri; + } + } + + if (($namespace != Auth_OpenID_BARE_NS) && + (!is_string($namespace))) { + // raise TypeError( + // "Namespace must be BARE_NS, OPENID_NS or a string. got %r" + // % (namespace,)) + return null; + } + + if (($namespace != Auth_OpenID_BARE_NS) && + (strpos($namespace, ':') === false)) { + // fmt = 'OpenID 2.0 namespace identifiers SHOULD be URIs. Got %r' + // warnings.warn(fmt % (namespace,), DeprecationWarning) + + if ($namespace == 'sreg') { + // fmt = 'Using %r instead of "sreg" as namespace' + // warnings.warn(fmt % (SREG_URI,), DeprecationWarning,) + return Auth_OpenID_SREG_URI; + } + } + + return $namespace; + } + + function hasKey($namespace, $ns_key) + { + $namespace = $this->_fixNS($namespace); + if ($namespace !== null) { + return $this->args->contains(array($namespace, $ns_key)); + } else { + return false; + } + } + + function getKey($namespace, $ns_key) + { + // Get the key for a particular namespaced argument + $namespace = $this->_fixNS($namespace); + if ($namespace == Auth_OpenID_BARE_NS) { + return $ns_key; + } + + $ns_alias = $this->namespaces->getAlias($namespace); + + // No alias is defined, so no key can exist + if ($ns_alias === null) { + return null; + } + + if ($ns_alias == Auth_OpenID_NULL_NAMESPACE) { + $tail = $ns_key; + } else { + $tail = sprintf('%s.%s', $ns_alias, $ns_key); + } + + return 'openid.' . $tail; + } + + function getArg($namespace, $key, $default = null) + { + // Get a value for a namespaced key. + $namespace = $this->_fixNS($namespace); + + if ($namespace !== null) { + if ((!$this->args->contains(array($namespace, $key))) && + ($default == Auth_OpenID_NO_DEFAULT)) { + return null; + } else { + return $this->args->get(array($namespace, $key), $default); + } + } else { + return null; + } + } + + function getArgs($namespace) + { + // Get the arguments that are defined for this namespace URI + + $namespace = $this->_fixNS($namespace); + if ($namespace !== null) { + $stuff = array(); + foreach ($this->args->items() as $pair) { + list($key, $value) = $pair; + list($pair_ns, $ns_key) = $key; + if ($pair_ns == $namespace) { + $stuff[$ns_key] = $value; + } + } + + return $stuff; + } + + return array(); + } + + function updateArgs($namespace, $updates) + { + // Set multiple key/value pairs in one call + + $namespace = $this->_fixNS($namespace); + + if ($namespace !== null) { + foreach ($updates as $k => $v) { + $this->setArg($namespace, $k, $v); + } + return true; + } else { + return false; + } + } + + function setArg($namespace, $key, $value) + { + // Set a single argument in this namespace + $namespace = $this->_fixNS($namespace); + + if ($namespace !== null) { + $this->args->set(array($namespace, $key), $value); + if ($namespace !== Auth_OpenID_BARE_NS) { + $this->namespaces->add($namespace); + } + return true; + } else { + return false; + } + } + + function delArg($namespace, $key) + { + $namespace = $this->_fixNS($namespace); + + if ($namespace !== null) { + return $this->args->del(array($namespace, $key)); + } else { + return false; + } + } + + function getAliasedArg($aliased_key, $default = null) + { + $parts = explode('.', $aliased_key, 2); + + if (count($parts) != 2) { + $ns = null; + } else { + list($alias, $key) = $parts; + + if ($alias == 'ns') { + // Return the namespace URI for a namespace alias + // parameter. + return $this->namespaces->getNamespaceURI($key); + } else { + $ns = $this->namespaces->getNamespaceURI($alias); + } + } + + if ($ns === null) { + $key = $aliased_key; + $ns = $this->getOpenIDNamespace(); + } + + return $this->getArg($ns, $key, $default); + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/MySQLStore.php b/models/Auth.old/OpenID/MySQLStore.php new file mode 100644 index 000000000..f8dc9ae17 --- /dev/null +++ b/models/Auth.old/OpenID/MySQLStore.php @@ -0,0 +1,77 @@ +sql['nonce_table'] = + "CREATE TABLE %s (\n". + " server_url VARCHAR(2047),\n". + " timestamp INTEGER,\n". + " salt CHAR(40),\n". + " UNIQUE (server_url(255), timestamp, salt)\n". + ") TYPE=InnoDB"; + + $this->sql['assoc_table'] = + "CREATE TABLE %s (\n". + " server_url BLOB,\n". + " handle VARCHAR(255),\n". + " secret BLOB,\n". + " issued INTEGER,\n". + " lifetime INTEGER,\n". + " assoc_type VARCHAR(64),\n". + " PRIMARY KEY (server_url(255), handle)\n". + ") TYPE=InnoDB"; + + $this->sql['set_assoc'] = + "REPLACE INTO %s VALUES (?, ?, !, ?, ?, ?)"; + + $this->sql['get_assocs'] = + "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". + "WHERE server_url = ?"; + + $this->sql['get_assoc'] = + "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". + "WHERE server_url = ? AND handle = ?"; + + $this->sql['remove_assoc'] = + "DELETE FROM %s WHERE server_url = ? AND handle = ?"; + + $this->sql['add_nonce'] = + "INSERT INTO %s (server_url, timestamp, salt) VALUES (?, ?, ?)"; + + $this->sql['clean_nonce'] = + "DELETE FROM %s WHERE timestamp < ?"; + + $this->sql['clean_assoc'] = + "DELETE FROM %s WHERE issued + lifetime < ?"; + } + + /** + * @access private + */ + function blobEncode($blob) + { + return "0x" . bin2hex($blob); + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Nonce.php b/models/Auth.old/OpenID/Nonce.php new file mode 100644 index 000000000..effecac38 --- /dev/null +++ b/models/Auth.old/OpenID/Nonce.php @@ -0,0 +1,109 @@ + \ No newline at end of file diff --git a/models/Auth.old/OpenID/PAPE.php b/models/Auth.old/OpenID/PAPE.php new file mode 100644 index 000000000..ba9f9f64e --- /dev/null +++ b/models/Auth.old/OpenID/PAPE.php @@ -0,0 +1,311 @@ +preferred_auth_policies = $preferred_auth_policies; + $this->max_auth_age = $max_auth_age; + } + + /** + * Add an acceptable authentication policy URI to this request + * + * This method is intended to be used by the relying party to add + * acceptable authentication types to the request. + * + * policy_uri: The identifier for the preferred type of + * authentication. + */ + function addPolicyURI($policy_uri) + { + if (!in_array($policy_uri, $this->preferred_auth_policies)) { + $this->preferred_auth_policies[] = $policy_uri; + } + } + + function getExtensionArgs() + { + $ns_args = array( + 'preferred_auth_policies' => + implode(' ', $this->preferred_auth_policies) + ); + + if ($this->max_auth_age !== null) { + $ns_args['max_auth_age'] = strval($this->max_auth_age); + } + + return $ns_args; + } + + /** + * Instantiate a Request object from the arguments in a checkid_* + * OpenID message + */ + function fromOpenIDRequest($request) + { + $obj = new Auth_OpenID_PAPE_Request(); + $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI); + + if ($args === null || $args === array()) { + return null; + } + + $obj->parseExtensionArgs($args); + return $obj; + } + + /** + * Set the state of this request to be that expressed in these + * PAPE arguments + * + * @param args: The PAPE arguments without a namespace + */ + function parseExtensionArgs($args) + { + // preferred_auth_policies is a space-separated list of policy + // URIs + $this->preferred_auth_policies = array(); + + $policies_str = Auth_OpenID::arrayGet($args, 'preferred_auth_policies'); + if ($policies_str) { + foreach (explode(' ', $policies_str) as $uri) { + if (!in_array($uri, $this->preferred_auth_policies)) { + $this->preferred_auth_policies[] = $uri; + } + } + } + + // max_auth_age is base-10 integer number of seconds + $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age'); + if ($max_auth_age_str) { + $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str); + } else { + $this->max_auth_age = null; + } + } + + /** + * Given a list of authentication policy URIs that a provider + * supports, this method returns the subsequence of those types + * that are preferred by the relying party. + * + * @param supported_types: A sequence of authentication policy + * type URIs that are supported by a provider + * + * @return array The sub-sequence of the supported types that are + * preferred by the relying party. This list will be ordered in + * the order that the types appear in the supported_types + * sequence, and may be empty if the provider does not prefer any + * of the supported authentication types. + */ + function preferredTypes($supported_types) + { + $result = array(); + + foreach ($supported_types as $st) { + if (in_array($st, $this->preferred_auth_policies)) { + $result[] = $st; + } + } + return $result; + } +} + +/** + * A Provider Authentication Policy response, sent from a provider to + * a relying party + */ +class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { + + var $ns_alias = 'pape'; + var $ns_uri = Auth_OpenID_PAPE_NS_URI; + + function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_age=null, + $nist_auth_level=null) + { + if ($auth_policies) { + $this->auth_policies = $auth_policies; + } else { + $this->auth_policies = array(); + } + + $this->auth_age = $auth_age; + $this->nist_auth_level = $nist_auth_level; + } + + /** + * Add a authentication policy to this response + * + * This method is intended to be used by the provider to add a + * policy that the provider conformed to when authenticating the + * user. + * + * @param policy_uri: The identifier for the preferred type of + * authentication. + */ + function addPolicyURI($policy_uri) + { + if (!in_array($policy_uri, $this->auth_policies)) { + $this->auth_policies[] = $policy_uri; + } + } + + /** + * Create an Auth_OpenID_PAPE_Response object from a successful + * OpenID library response. + * + * @param success_response $success_response A SuccessResponse + * from Auth_OpenID_Consumer::complete() + * + * @returns: A provider authentication policy response from the + * data that was supplied with the id_res response. + */ + function fromSuccessResponse($success_response) + { + $obj = new Auth_OpenID_PAPE_Response(); + + // PAPE requires that the args be signed. + $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI); + + if ($args === null || $args === array()) { + return null; + } + + $result = $obj->parseExtensionArgs($args); + + if ($result === false) { + return null; + } else { + return $obj; + } + } + + /** + * Parse the provider authentication policy arguments into the + * internal state of this object + * + * @param args: unqualified provider authentication policy + * arguments + * + * @param strict: Whether to return false when bad data is + * encountered + * + * @return null The data is parsed into the internal fields of + * this object. + */ + function parseExtensionArgs($args, $strict=false) + { + $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies'); + if ($policies_str) { + $this->auth_policies = explode(" ", $policies_str); + } + + $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level'); + if ($nist_level_str !== null) { + $nist_level = Auth_OpenID::intval($nist_level_str); + + if ($nist_level === false) { + if ($strict) { + return false; + } else { + $nist_level = null; + } + } + + if (0 <= $nist_level && $nist_level < 5) { + $this->nist_auth_level = $nist_level; + } else if ($strict) { + return false; + } + } + + $auth_age_str = Auth_OpenID::arrayGet($args, 'auth_age'); + if ($auth_age_str !== null) { + $auth_age = Auth_OpenID::intval($auth_age_str); + if ($auth_age === false) { + if ($strict) { + return false; + } + } else { + if ($auth_age >= 0) { + $this->auth_age = $auth_age; + } else if ($strict) { + return false; + } + } + } + } + + function getExtensionArgs() + { + $ns_args = array( + 'auth_policies' => + implode(' ', $this->auth_policies) + ); + + if ($this->nist_auth_level !== null) { + if (!in_array($this->nist_auth_level, range(0, 4), true)) { + return false; + } + $ns_args['nist_auth_level'] = strval($this->nist_auth_level); + } + + if ($this->auth_age !== null) { + if ($this->auth_age < 0) { + return false; + } + + $result = Auth_OpenID::intval($this->auth_age); + + if ($result === false) { + return false; + } + + $ns_args['auth_age'] = + strval($result); + } + + return $ns_args; + } +} + +?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Parse.php b/models/Auth.old/OpenID/Parse.php new file mode 100644 index 000000000..d689f9ec9 --- /dev/null +++ b/models/Auth.old/OpenID/Parse.php @@ -0,0 +1,352 @@ + tags + * in the head of HTML or XHTML documents and parses out their + * attributes according to the OpenID spec. It is a liberal parser, + * but it requires these things from the data in order to work: + * + * - There must be an open tag + * + * - There must be an open tag inside of the tag + * + * - Only s that are found inside of the tag are parsed + * (this is by design) + * + * - The parser follows the OpenID specification in resolving the + * attributes of the link tags. This means that the attributes DO + * NOT get resolved as they would by an XML or HTML parser. In + * particular, only certain entities get replaced, and href + * attributes do not get resolved relative to a base URL. + * + * From http://openid.net/specs.bml: + * + * - The openid.server URL MUST be an absolute URL. OpenID consumers + * MUST NOT attempt to resolve relative URLs. + * + * - The openid.server URL MUST NOT include entities other than &, + * <, >, and ". + * + * The parser ignores SGML comments and . Both kinds + * of quoting are allowed for attributes. + * + * The parser deals with invalid markup in these ways: + * + * - Tag names are not case-sensitive + * + * - The tag is accepted even when it is not at the top level + * + * - The tag is accepted even when it is not a direct child of + * the tag, but a tag must be an ancestor of the + * tag + * + * - tags are accepted even when they are not direct children + * of the tag, but a tag must be an ancestor of the + * tag + * + * - If there is no closing tag for an open or tag, the + * remainder of the document is viewed as being inside of the + * tag. If there is no closing tag for a tag, the link tag is + * treated as a short tag. Exceptions to this rule are that + * closes and or closes + * + * - Attributes of the tag are not required to be quoted. + * + * - In the case of duplicated attribute names, the attribute coming + * last in the tag will be the value returned. + * + * - Any text that does not parse as an attribute within a link tag + * will be ignored. (e.g. will + * ignore pumpkin) + * + * - If there are more than one or tag, the parser only + * looks inside of the first one. + * + * - The contents of ". + "". + ""); + } +} + +/* + * Function to run when this file is included. + * Abstracted to a function to make life easier + * for some PHP optimizers. + */ +function Auth_OpenID_include_init() { + if (Auth_OpenID_getMathLib() === null) { + Auth_OpenID_setNoMathSupport(); + } +} diff --git a/models/Auth/OpenID/AX.php b/models/Auth/OpenID/AX.php new file mode 100644 index 000000000..7370715e3 --- /dev/null +++ b/models/Auth/OpenID/AX.php @@ -0,0 +1,1022 @@ +message = $message; + } +} + +/** + * Abstract class containing common code for attribute exchange + * messages. + * + * @package OpenID + */ +class Auth_OpenID_AX_Message extends Auth_OpenID_Extension { + /** + * ns_alias: The preferred namespace alias for attribute exchange + * messages + */ + var $ns_alias = 'ax'; + + /** + * mode: The type of this attribute exchange message. This must be + * overridden in subclasses. + */ + var $mode = null; + + var $ns_uri = Auth_OpenID_AX_NS_URI; + + /** + * Return Auth_OpenID_AX_Error if the mode in the attribute + * exchange arguments does not match what is expected for this + * class; true otherwise. + * + * @access private + */ + function _checkMode($ax_args) + { + $mode = Auth_OpenID::arrayGet($ax_args, 'mode'); + if ($mode != $this->mode) { + return new Auth_OpenID_AX_Error( + sprintf( + "Expected mode '%s'; got '%s'", + $this->mode, $mode)); + } + + return true; + } + + /** + * Return a set of attribute exchange arguments containing the + * basic information that must be in every attribute exchange + * message. + * + * @access private + */ + function _newArgs() + { + return array('mode' => $this->mode); + } +} + +/** + * Represents a single attribute in an attribute exchange + * request. This should be added to an AXRequest object in order to + * request the attribute. + * + * @package OpenID + */ +class Auth_OpenID_AX_AttrInfo { + /** + * Construct an attribute information object. Do not call this + * directly; call make(...) instead. + * + * @param string $type_uri The type URI for this attribute. + * + * @param int $count The number of values of this type to request. + * + * @param bool $required Whether the attribute will be marked as + * required in the request. + * + * @param string $alias The name that should be given to this + * attribute in the request. + */ + function Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, + $alias) + { + /** + * required: Whether the attribute will be marked as required + * when presented to the subject of the attribute exchange + * request. + */ + $this->required = $required; + + /** + * count: How many values of this type to request from the + * subject. Defaults to one. + */ + $this->count = $count; + + /** + * type_uri: The identifier that determines what the attribute + * represents and how it is serialized. For example, one type + * URI representing dates could represent a Unix timestamp in + * base 10 and another could represent a human-readable + * string. + */ + $this->type_uri = $type_uri; + + /** + * alias: The name that should be given to this attribute in + * the request. If it is not supplied, a generic name will be + * assigned. For example, if you want to call a Unix timestamp + * value 'tstamp', set its alias to that value. If two + * attributes in the same message request to use the same + * alias, the request will fail to be generated. + */ + $this->alias = $alias; + } + + /** + * Construct an attribute information object. For parameter + * details, see the constructor. + */ + static function make($type_uri, $count=1, $required=false, + $alias=null) + { + if ($alias !== null) { + $result = Auth_OpenID_AX_checkAlias($alias); + + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + } + + return new Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, + $alias); + } + + /** + * When processing a request for this attribute, the OP should + * call this method to determine whether all available attribute + * values were requested. If self.count == UNLIMITED_VALUES, this + * returns True. Otherwise this returns False, in which case + * self.count is an integer. + */ + function wantsUnlimitedValues() + { + return $this->count === Auth_OpenID_AX_UNLIMITED_VALUES; + } +} + +/** + * Given a namespace mapping and a string containing a comma-separated + * list of namespace aliases, return a list of type URIs that + * correspond to those aliases. + * + * @param $namespace_map The mapping from namespace URI to alias + * @param $alias_list_s The string containing the comma-separated + * list of aliases. May also be None for convenience. + * + * @return $seq The list of namespace URIs that corresponds to the + * supplied list of aliases. If the string was zero-length or None, an + * empty list will be returned. + * + * return null If an alias is present in the list of aliases but + * is not present in the namespace map. + */ +function Auth_OpenID_AX_toTypeURIs($namespace_map, $alias_list_s) +{ + $uris = array(); + + if ($alias_list_s) { + foreach (explode(',', $alias_list_s) as $alias) { + $type_uri = $namespace_map->getNamespaceURI($alias); + if ($type_uri === null) { + // raise KeyError( + // 'No type is defined for attribute name %r' % (alias,)) + return new Auth_OpenID_AX_Error( + sprintf('No type is defined for attribute name %s', + $alias) + ); + } else { + $uris[] = $type_uri; + } + } + } + + return $uris; +} + +/** + * An attribute exchange 'fetch_request' message. This message is sent + * by a relying party when it wishes to obtain attributes about the + * subject of an OpenID authentication request. + * + * @package OpenID + */ +class Auth_OpenID_AX_FetchRequest extends Auth_OpenID_AX_Message { + + var $mode = 'fetch_request'; + + function Auth_OpenID_AX_FetchRequest($update_url=null) + { + /** + * requested_attributes: The attributes that have been + * requested thus far, indexed by the type URI. + */ + $this->requested_attributes = array(); + + /** + * update_url: A URL that will accept responses for this + * attribute exchange request, even in the absence of the user + * who made this request. + */ + $this->update_url = $update_url; + } + + /** + * Add an attribute to this attribute exchange request. + * + * @param attribute: The attribute that is being requested + * @return true on success, false when the requested attribute is + * already present in this fetch request. + */ + function add($attribute) + { + if ($this->contains($attribute->type_uri)) { + return new Auth_OpenID_AX_Error( + sprintf("The attribute %s has already been requested", + $attribute->type_uri)); + } + + $this->requested_attributes[$attribute->type_uri] = $attribute; + + return true; + } + + /** + * Get the serialized form of this attribute fetch request. + * + * @returns Auth_OpenID_AX_FetchRequest The fetch request message parameters + */ + function getExtensionArgs() + { + $aliases = new Auth_OpenID_NamespaceMap(); + + $required = array(); + $if_available = array(); + + $ax_args = $this->_newArgs(); + + foreach ($this->requested_attributes as $type_uri => $attribute) { + if ($attribute->alias === null) { + $alias = $aliases->add($type_uri); + } else { + $alias = $aliases->addAlias($type_uri, $attribute->alias); + + if ($alias === null) { + return new Auth_OpenID_AX_Error( + sprintf("Could not add alias %s for URI %s", + $attribute->alias, $type_uri + )); + } + } + + if ($attribute->required) { + $required[] = $alias; + } else { + $if_available[] = $alias; + } + + if ($attribute->count != 1) { + $ax_args['count.' . $alias] = strval($attribute->count); + } + + $ax_args['type.' . $alias] = $type_uri; + } + + if ($required) { + $ax_args['required'] = implode(',', $required); + } + + if ($if_available) { + $ax_args['if_available'] = implode(',', $if_available); + } + + return $ax_args; + } + + /** + * Get the type URIs for all attributes that have been marked as + * required. + * + * @return A list of the type URIs for attributes that have been + * marked as required. + */ + function getRequiredAttrs() + { + $required = array(); + foreach ($this->requested_attributes as $type_uri => $attribute) { + if ($attribute->required) { + $required[] = $type_uri; + } + } + + return $required; + } + + /** + * Extract a FetchRequest from an OpenID message + * + * @param request: The OpenID request containing the attribute + * fetch request + * + * @returns mixed An Auth_OpenID_AX_Error or the + * Auth_OpenID_AX_FetchRequest extracted from the request message if + * successful + */ + static function fromOpenIDRequest($request) + { + $m = $request->message; + $obj = new Auth_OpenID_AX_FetchRequest(); + $ax_args = $m->getArgs($obj->ns_uri); + + $result = $obj->parseExtensionArgs($ax_args); + + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + if ($obj->update_url) { + // Update URL must match the openid.realm of the + // underlying OpenID 2 message. + $realm = $m->getArg(Auth_OpenID_OPENID_NS, 'realm', + $m->getArg( + Auth_OpenID_OPENID_NS, + 'return_to')); + + if (!$realm) { + $obj = new Auth_OpenID_AX_Error( + sprintf("Cannot validate update_url %s " . + "against absent realm", $obj->update_url)); + } else if (!Auth_OpenID_TrustRoot::match($realm, + $obj->update_url)) { + $obj = new Auth_OpenID_AX_Error( + sprintf("Update URL %s failed validation against realm %s", + $obj->update_url, $realm)); + } + } + + return $obj; + } + + /** + * Given attribute exchange arguments, populate this FetchRequest. + * + * @return $result Auth_OpenID_AX_Error if the data to be parsed + * does not follow the attribute exchange specification. At least + * when 'if_available' or 'required' is not specified for a + * particular attribute type. Returns true otherwise. + */ + function parseExtensionArgs($ax_args) + { + $result = $this->_checkMode($ax_args); + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + $aliases = new Auth_OpenID_NamespaceMap(); + + foreach ($ax_args as $key => $value) { + if (strpos($key, 'type.') === 0) { + $alias = substr($key, 5); + $type_uri = $value; + + $alias = $aliases->addAlias($type_uri, $alias); + + if ($alias === null) { + return new Auth_OpenID_AX_Error( + sprintf("Could not add alias %s for URI %s", + $alias, $type_uri) + ); + } + + $count_s = Auth_OpenID::arrayGet($ax_args, 'count.' . $alias); + if ($count_s) { + $count = Auth_OpenID::intval($count_s); + if (($count === false) && + ($count_s === Auth_OpenID_AX_UNLIMITED_VALUES)) { + $count = $count_s; + } + } else { + $count = 1; + } + + if ($count === false) { + return new Auth_OpenID_AX_Error( + sprintf("Integer value expected for %s, got %s", + 'count.' . $alias, $count_s)); + } + + $attrinfo = Auth_OpenID_AX_AttrInfo::make($type_uri, $count, + false, $alias); + + if (Auth_OpenID_AX::isError($attrinfo)) { + return $attrinfo; + } + + $this->add($attrinfo); + } + } + + $required = Auth_OpenID_AX_toTypeURIs($aliases, + Auth_OpenID::arrayGet($ax_args, 'required')); + + foreach ($required as $type_uri) { + $attrib = $this->requested_attributes[$type_uri]; + $attrib->required = true; + } + + $if_available = Auth_OpenID_AX_toTypeURIs($aliases, + Auth_OpenID::arrayGet($ax_args, 'if_available')); + + $all_type_uris = array_merge($required, $if_available); + + foreach ($aliases->iterNamespaceURIs() as $type_uri) { + if (!in_array($type_uri, $all_type_uris)) { + return new Auth_OpenID_AX_Error( + sprintf('Type URI %s was in the request but not ' . + 'present in "required" or "if_available"', + $type_uri)); + + } + } + + $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); + + return true; + } + + /** + * Iterate over the AttrInfo objects that are contained in this + * fetch_request. + */ + function iterAttrs() + { + return array_values($this->requested_attributes); + } + + function iterTypes() + { + return array_keys($this->requested_attributes); + } + + /** + * Is the given type URI present in this fetch_request? + */ + function contains($type_uri) + { + return in_array($type_uri, $this->iterTypes()); + } +} + +/** + * An abstract class that implements a message that has attribute keys + * and values. It contains the common code between fetch_response and + * store_request. + * + * @package OpenID + */ +class Auth_OpenID_AX_KeyValueMessage extends Auth_OpenID_AX_Message { + + function Auth_OpenID_AX_KeyValueMessage() + { + $this->data = array(); + } + + /** + * Add a single value for the given attribute type to the + * message. If there are already values specified for this type, + * this value will be sent in addition to the values already + * specified. + * + * @param type_uri: The URI for the attribute + * @param value: The value to add to the response to the relying + * party for this attribute + * @return null + */ + function addValue($type_uri, $value) + { + if (!array_key_exists($type_uri, $this->data)) { + $this->data[$type_uri] = array(); + } + + $values =& $this->data[$type_uri]; + $values[] = $value; + } + + /** + * Set the values for the given attribute type. This replaces any + * values that have already been set for this attribute. + * + * @param type_uri: The URI for the attribute + * @param values: A list of values to send for this attribute. + */ + function setValues($type_uri, &$values) + { + $this->data[$type_uri] =& $values; + } + + /** + * Get the extension arguments for the key/value pairs contained + * in this message. + * + * @param aliases: An alias mapping. Set to None if you don't care + * about the aliases for this request. + * + * @access private + */ + function _getExtensionKVArgs($aliases) + { + if ($aliases === null) { + $aliases = new Auth_OpenID_NamespaceMap(); + } + + $ax_args = array(); + + foreach ($this->data as $type_uri => $values) { + $alias = $aliases->add($type_uri); + + $ax_args['type.' . $alias] = $type_uri; + $ax_args['count.' . $alias] = strval(count($values)); + + foreach ($values as $i => $value) { + $key = sprintf('value.%s.%d', $alias, $i + 1); + $ax_args[$key] = $value; + } + } + + return $ax_args; + } + + /** + * Parse attribute exchange key/value arguments into this object. + * + * @param ax_args: The attribute exchange fetch_response + * arguments, with namespacing removed. + * + * @return Auth_OpenID_AX_Error or true + */ + function parseExtensionArgs($ax_args) + { + $result = $this->_checkMode($ax_args); + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + $aliases = new Auth_OpenID_NamespaceMap(); + + foreach ($ax_args as $key => $value) { + if (strpos($key, 'type.') === 0) { + $type_uri = $value; + $alias = substr($key, 5); + + $result = Auth_OpenID_AX_checkAlias($alias); + + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + $alias = $aliases->addAlias($type_uri, $alias); + + if ($alias === null) { + return new Auth_OpenID_AX_Error( + sprintf("Could not add alias %s for URI %s", + $alias, $type_uri) + ); + } + } + } + + foreach ($aliases->iteritems() as $pair) { + list($type_uri, $alias) = $pair; + + if (array_key_exists('count.' . $alias, $ax_args) && ($ax_args['count.' . $alias] !== Auth_OpenID_AX_UNLIMITED_VALUES)) { + + $count_key = 'count.' . $alias; + $count_s = $ax_args[$count_key]; + + $count = Auth_OpenID::intval($count_s); + + if ($count === false) { + return new Auth_OpenID_AX_Error( + sprintf("Integer value expected for %s, got %s", + 'count. %s' . $alias, $count_s, + Auth_OpenID_AX_UNLIMITED_VALUES) + ); + } + + $values = array(); + for ($i = 1; $i < $count + 1; $i++) { + $value_key = sprintf('value.%s.%d', $alias, $i); + + if (!array_key_exists($value_key, $ax_args)) { + return new Auth_OpenID_AX_Error( + sprintf( + "No value found for key %s", + $value_key)); + } + + $value = $ax_args[$value_key]; + $values[] = $value; + } + } else { + $key = 'value.' . $alias; + + if (!array_key_exists($key, $ax_args)) { + return new Auth_OpenID_AX_Error( + sprintf( + "No value found for key %s", + $key)); + } + + $value = $ax_args['value.' . $alias]; + + if ($value == '') { + $values = array(); + } else { + $values = array($value); + } + } + + $this->data[$type_uri] = $values; + } + + return true; + } + + /** + * Get a single value for an attribute. If no value was sent for + * this attribute, use the supplied default. If there is more than + * one value for this attribute, this method will fail. + * + * @param type_uri: The URI for the attribute + * @param default: The value to return if the attribute was not + * sent in the fetch_response. + * + * @return $value Auth_OpenID_AX_Error on failure or the value of + * the attribute in the fetch_response message, or the default + * supplied + */ + function getSingle($type_uri, $default=null) + { + $values = Auth_OpenID::arrayGet($this->data, $type_uri); + if (!$values) { + return $default; + } else if (count($values) == 1) { + return $values[0]; + } else { + return new Auth_OpenID_AX_Error( + sprintf('More than one value present for %s', + $type_uri) + ); + } + } + + /** + * Get the list of values for this attribute in the + * fetch_response. + * + * XXX: what to do if the values are not present? default + * parameter? this is funny because it's always supposed to return + * a list, so the default may break that, though it's provided by + * the user's code, so it might be okay. If no default is + * supplied, should the return be None or []? + * + * @param type_uri: The URI of the attribute + * + * @return $values The list of values for this attribute in the + * response. May be an empty list. If the attribute was not sent + * in the response, returns Auth_OpenID_AX_Error. + */ + function get($type_uri) + { + if (array_key_exists($type_uri, $this->data)) { + return $this->data[$type_uri]; + } else { + return new Auth_OpenID_AX_Error( + sprintf("Type URI %s not found in response", + $type_uri) + ); + } + } + + /** + * Get the number of responses for a particular attribute in this + * fetch_response message. + * + * @param type_uri: The URI of the attribute + * + * @returns int The number of values sent for this attribute. If + * the attribute was not sent in the response, returns + * Auth_OpenID_AX_Error. + */ + function count($type_uri) + { + if (array_key_exists($type_uri, $this->data)) { + return count($this->get($type_uri)); + } else { + return new Auth_OpenID_AX_Error( + sprintf("Type URI %s not found in response", + $type_uri) + ); + } + } +} + +/** + * A fetch_response attribute exchange message. + * + * @package OpenID + */ +class Auth_OpenID_AX_FetchResponse extends Auth_OpenID_AX_KeyValueMessage { + var $mode = 'fetch_response'; + + function Auth_OpenID_AX_FetchResponse($update_url=null) + { + $this->Auth_OpenID_AX_KeyValueMessage(); + $this->update_url = $update_url; + } + + /** + * Serialize this object into arguments in the attribute exchange + * namespace + * + * @return $args The dictionary of unqualified attribute exchange + * arguments that represent this fetch_response, or + * Auth_OpenID_AX_Error on error. + */ + function getExtensionArgs($request=null) + { + $aliases = new Auth_OpenID_NamespaceMap(); + + $zero_value_types = array(); + + if ($request !== null) { + // Validate the data in the context of the request (the + // same attributes should be present in each, and the + // counts in the response must be no more than the counts + // in the request) + + foreach ($this->data as $type_uri => $unused) { + if (!$request->contains($type_uri)) { + return new Auth_OpenID_AX_Error( + sprintf("Response attribute not present in request: %s", + $type_uri) + ); + } + } + + foreach ($request->iterAttrs() as $attr_info) { + // Copy the aliases from the request so that reading + // the response in light of the request is easier + if ($attr_info->alias === null) { + $aliases->add($attr_info->type_uri); + } else { + $alias = $aliases->addAlias($attr_info->type_uri, + $attr_info->alias); + + if ($alias === null) { + return new Auth_OpenID_AX_Error( + sprintf("Could not add alias %s for URI %s", + $attr_info->alias, $attr_info->type_uri) + ); + } + } + + if (array_key_exists($attr_info->type_uri, $this->data)) { + $values = $this->data[$attr_info->type_uri]; + } else { + $values = array(); + $zero_value_types[] = $attr_info; + } + + if (($attr_info->count != Auth_OpenID_AX_UNLIMITED_VALUES) && + ($attr_info->count < count($values))) { + return new Auth_OpenID_AX_Error( + sprintf("More than the number of requested values " . + "were specified for %s", + $attr_info->type_uri) + ); + } + } + } + + $kv_args = $this->_getExtensionKVArgs($aliases); + + // Add the KV args into the response with the args that are + // unique to the fetch_response + $ax_args = $this->_newArgs(); + + // For each requested attribute, put its type/alias and count + // into the response even if no data were returned. + foreach ($zero_value_types as $attr_info) { + $alias = $aliases->getAlias($attr_info->type_uri); + $kv_args['type.' . $alias] = $attr_info->type_uri; + $kv_args['count.' . $alias] = '0'; + } + + $update_url = null; + if ($request) { + $update_url = $request->update_url; + } else { + $update_url = $this->update_url; + } + + if ($update_url) { + $ax_args['update_url'] = $update_url; + } + + Auth_OpenID::update($ax_args, $kv_args); + + return $ax_args; + } + + /** + * @return $result Auth_OpenID_AX_Error on failure or true on + * success. + */ + function parseExtensionArgs($ax_args) + { + $result = parent::parseExtensionArgs($ax_args); + + if (Auth_OpenID_AX::isError($result)) { + return $result; + } + + $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); + + return true; + } + + /** + * Construct a FetchResponse object from an OpenID library + * SuccessResponse object. + * + * @param success_response: A successful id_res response object + * + * @param signed: Whether non-signed args should be processsed. If + * True (the default), only signed arguments will be processsed. + * + * @return $response A FetchResponse containing the data from the + * OpenID message + */ + static function fromSuccessResponse($success_response, $signed=true) + { + $obj = new Auth_OpenID_AX_FetchResponse(); + if ($signed) { + $ax_args = $success_response->getSignedNS($obj->ns_uri); + } else { + $ax_args = $success_response->message->getArgs($obj->ns_uri); + } + if ($ax_args === null || Auth_OpenID::isFailure($ax_args) || + sizeof($ax_args) == 0) { + return null; + } + + $result = $obj->parseExtensionArgs($ax_args); + if (Auth_OpenID_AX::isError($result)) { + #XXX log me + return null; + } + return $obj; + } +} + +/** + * A store request attribute exchange message representation. + * + * @package OpenID + */ +class Auth_OpenID_AX_StoreRequest extends Auth_OpenID_AX_KeyValueMessage { + var $mode = 'store_request'; + + /** + * @param array $aliases The namespace aliases to use when making + * this store response. Leave as None to use defaults. + */ + function getExtensionArgs($aliases=null) + { + $ax_args = $this->_newArgs(); + $kv_args = $this->_getExtensionKVArgs($aliases); + Auth_OpenID::update($ax_args, $kv_args); + return $ax_args; + } +} + +/** + * An indication that the store request was processed along with this + * OpenID transaction. Use make(), NOT the constructor, to create + * response objects. + * + * @package OpenID + */ +class Auth_OpenID_AX_StoreResponse extends Auth_OpenID_AX_Message { + var $SUCCESS_MODE = 'store_response_success'; + var $FAILURE_MODE = 'store_response_failure'; + + /** + * Returns Auth_OpenID_AX_Error on error or an + * Auth_OpenID_AX_StoreResponse object on success. + */ + function make($succeeded=true, $error_message=null) + { + if (($succeeded) && ($error_message !== null)) { + return new Auth_OpenID_AX_Error('An error message may only be '. + 'included in a failing fetch response'); + } + + return new Auth_OpenID_AX_StoreResponse($succeeded, $error_message); + } + + function Auth_OpenID_AX_StoreResponse($succeeded=true, $error_message=null) + { + if ($succeeded) { + $this->mode = $this->SUCCESS_MODE; + } else { + $this->mode = $this->FAILURE_MODE; + } + + $this->error_message = $error_message; + } + + /** + * Was this response a success response? + */ + function succeeded() + { + return $this->mode == $this->SUCCESS_MODE; + } + + function getExtensionArgs() + { + $ax_args = $this->_newArgs(); + if ((!$this->succeeded()) && $this->error_message) { + $ax_args['error'] = $this->error_message; + } + + return $ax_args; + } +} + diff --git a/models/Auth/OpenID/Association.php b/models/Auth/OpenID/Association.php new file mode 100644 index 000000000..d1ac1ed9b --- /dev/null +++ b/models/Auth/OpenID/Association.php @@ -0,0 +1,610 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +/** + * @access private + */ +require_once 'Auth/OpenID/CryptUtil.php'; + +/** + * @access private + */ +require_once 'Auth/OpenID/KVForm.php'; + +/** + * @access private + */ +require_once 'Auth/OpenID/HMAC.php'; + +/** + * This class represents an association between a server and a + * consumer. In general, users of this library will never see + * instances of this object. The only exception is if you implement a + * custom {@link Auth_OpenID_OpenIDStore}. + * + * If you do implement such a store, it will need to store the values + * of the handle, secret, issued, lifetime, and assoc_type instance + * variables. + * + * @package OpenID + */ +class Auth_OpenID_Association { + + /** + * This is a HMAC-SHA1 specific value. + * + * @access private + */ + var $SIG_LENGTH = 20; + + /** + * The ordering and name of keys as stored by serialize. + * + * @access private + */ + var $assoc_keys = array( + 'version', + 'handle', + 'secret', + 'issued', + 'lifetime', + 'assoc_type' + ); + + var $_macs = array( + 'HMAC-SHA1' => 'Auth_OpenID_HMACSHA1', + 'HMAC-SHA256' => 'Auth_OpenID_HMACSHA256' + ); + + /** + * This is an alternate constructor (factory method) used by the + * OpenID consumer library to create associations. OpenID store + * implementations shouldn't use this constructor. + * + * @access private + * + * @param integer $expires_in This is the amount of time this + * association is good for, measured in seconds since the + * association was issued. + * + * @param string $handle This is the handle the server gave this + * association. + * + * @param string secret This is the shared secret the server + * generated for this association. + * + * @param assoc_type This is the type of association this + * instance represents. The only valid values of this field at + * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may + * be defined in the future. + * + * @return association An {@link Auth_OpenID_Association} + * instance. + */ + static function fromExpiresIn($expires_in, $handle, $secret, $assoc_type) + { + $issued = time(); + $lifetime = $expires_in; + return new Auth_OpenID_Association($handle, $secret, + $issued, $lifetime, $assoc_type); + } + + /** + * This is the standard constructor for creating an association. + * The library should create all of the necessary associations, so + * this constructor is not part of the external API. + * + * @access private + * + * @param string $handle This is the handle the server gave this + * association. + * + * @param string $secret This is the shared secret the server + * generated for this association. + * + * @param integer $issued This is the time this association was + * issued, in seconds since 00:00 GMT, January 1, 1970. (ie, a + * unix timestamp) + * + * @param integer $lifetime This is the amount of time this + * association is good for, measured in seconds since the + * association was issued. + * + * @param string $assoc_type This is the type of association this + * instance represents. The only valid values of this field at + * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may + * be defined in the future. + */ + function Auth_OpenID_Association( + $handle, $secret, $issued, $lifetime, $assoc_type) + { + if (!in_array($assoc_type, + Auth_OpenID_getSupportedAssociationTypes(), true)) { + $fmt = 'Unsupported association type (%s)'; + trigger_error(sprintf($fmt, $assoc_type), E_USER_ERROR); + } + + $this->handle = $handle; + $this->secret = $secret; + $this->issued = $issued; + $this->lifetime = $lifetime; + $this->assoc_type = $assoc_type; + } + + /** + * This returns the number of seconds this association is still + * valid for, or 0 if the association is no longer valid. + * + * @return integer $seconds The number of seconds this association + * is still valid for, or 0 if the association is no longer valid. + */ + function getExpiresIn($now = null) + { + if ($now == null) { + $now = time(); + } + + return max(0, $this->issued + $this->lifetime - $now); + } + + /** + * This checks to see if two {@link Auth_OpenID_Association} + * instances represent the same association. + * + * @return bool $result true if the two instances represent the + * same association, false otherwise. + */ + function equal($other) + { + return ((gettype($this) == gettype($other)) + && ($this->handle == $other->handle) + && ($this->secret == $other->secret) + && ($this->issued == $other->issued) + && ($this->lifetime == $other->lifetime) + && ($this->assoc_type == $other->assoc_type)); + } + + /** + * Convert an association to KV form. + * + * @return string $result String in KV form suitable for + * deserialization by deserialize. + */ + function serialize() + { + $data = array( + 'version' => '2', + 'handle' => $this->handle, + 'secret' => base64_encode($this->secret), + 'issued' => strval(intval($this->issued)), + 'lifetime' => strval(intval($this->lifetime)), + 'assoc_type' => $this->assoc_type + ); + + assert(array_keys($data) == $this->assoc_keys); + + return Auth_OpenID_KVForm::fromArray($data, $strict = true); + } + + /** + * Parse an association as stored by serialize(). This is the + * inverse of serialize. + * + * @param string $assoc_s Association as serialized by serialize() + * @return Auth_OpenID_Association $result instance of this class + */ + static function deserialize($class_name, $assoc_s) + { + $pairs = Auth_OpenID_KVForm::toArray($assoc_s, $strict = true); + $keys = array(); + $values = array(); + foreach ($pairs as $key => $value) { + if (is_array($value)) { + list($key, $value) = $value; + } + $keys[] = $key; + $values[] = $value; + } + + $class_vars = get_class_vars($class_name); + $class_assoc_keys = $class_vars['assoc_keys']; + + sort($keys); + sort($class_assoc_keys); + + if ($keys != $class_assoc_keys) { + trigger_error('Unexpected key values: ' . var_export($keys, true), + E_USER_WARNING); + return null; + } + + $version = $pairs['version']; + $handle = $pairs['handle']; + $secret = $pairs['secret']; + $issued = $pairs['issued']; + $lifetime = $pairs['lifetime']; + $assoc_type = $pairs['assoc_type']; + + if ($version != '2') { + trigger_error('Unknown version: ' . $version, E_USER_WARNING); + return null; + } + + $issued = intval($issued); + $lifetime = intval($lifetime); + $secret = base64_decode($secret); + + return new $class_name( + $handle, $secret, $issued, $lifetime, $assoc_type); + } + + /** + * Generate a signature for a sequence of (key, value) pairs + * + * @access private + * @param array $pairs The pairs to sign, in order. This is an + * array of two-tuples. + * @return string $signature The binary signature of this sequence + * of pairs + */ + function sign($pairs) + { + $kv = Auth_OpenID_KVForm::fromArray($pairs); + + /* Invalid association types should be caught at constructor */ + $callback = $this->_macs[$this->assoc_type]; + + return call_user_func_array($callback, array($this->secret, $kv)); + } + + /** + * Generate a signature for some fields in a dictionary + * + * @access private + * @param array $fields The fields to sign, in order; this is an + * array of strings. + * @param array $data Dictionary of values to sign (an array of + * string => string pairs). + * @return string $signature The signature, base64 encoded + */ + function signMessage($message) + { + if ($message->hasKey(Auth_OpenID_OPENID_NS, 'sig') || + $message->hasKey(Auth_OpenID_OPENID_NS, 'signed')) { + // Already has a sig + return null; + } + + $extant_handle = $message->getArg(Auth_OpenID_OPENID_NS, + 'assoc_handle'); + + if ($extant_handle && ($extant_handle != $this->handle)) { + // raise ValueError("Message has a different association handle") + return null; + } + + $signed_message = $message; + $signed_message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', + $this->handle); + + $message_keys = array_keys($signed_message->toPostArgs()); + $signed_list = array(); + $signed_prefix = 'openid.'; + + foreach ($message_keys as $k) { + if (strpos($k, $signed_prefix) === 0) { + $signed_list[] = substr($k, strlen($signed_prefix)); + } + } + + $signed_list[] = 'signed'; + sort($signed_list); + + $signed_message->setArg(Auth_OpenID_OPENID_NS, 'signed', + implode(',', $signed_list)); + $sig = $this->getMessageSignature($signed_message); + $signed_message->setArg(Auth_OpenID_OPENID_NS, 'sig', $sig); + return $signed_message; + } + + /** + * Given a {@link Auth_OpenID_Message}, return the key/value pairs + * to be signed according to the signed list in the message. If + * the message lacks a signed list, return null. + * + * @access private + */ + function _makePairs($message) + { + $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); + if (!$signed || Auth_OpenID::isFailure($signed)) { + // raise ValueError('Message has no signed list: %s' % (message,)) + return null; + } + + $signed_list = explode(',', $signed); + $pairs = array(); + $data = $message->toPostArgs(); + foreach ($signed_list as $field) { + $pairs[] = array($field, Auth_OpenID::arrayGet($data, + 'openid.' . + $field, '')); + } + return $pairs; + } + + /** + * Given an {@link Auth_OpenID_Message}, return the signature for + * the signed list in the message. + * + * @access private + */ + function getMessageSignature($message) + { + $pairs = $this->_makePairs($message); + return base64_encode($this->sign($pairs)); + } + + /** + * Confirm that the signature of these fields matches the + * signature contained in the data. + * + * @access private + */ + function checkMessageSignature($message) + { + $sig = $message->getArg(Auth_OpenID_OPENID_NS, + 'sig'); + + if (!$sig || Auth_OpenID::isFailure($sig)) { + return false; + } + + $calculated_sig = $this->getMessageSignature($message); + return $calculated_sig == $sig; + } +} + +function Auth_OpenID_getSecretSize($assoc_type) +{ + if ($assoc_type == 'HMAC-SHA1') { + return 20; + } else if ($assoc_type == 'HMAC-SHA256') { + return 32; + } else { + return null; + } +} + +function Auth_OpenID_getAllAssociationTypes() +{ + return array('HMAC-SHA1', 'HMAC-SHA256'); +} + +function Auth_OpenID_getSupportedAssociationTypes() +{ + $a = array('HMAC-SHA1'); + + if (Auth_OpenID_HMACSHA256_SUPPORTED) { + $a[] = 'HMAC-SHA256'; + } + + return $a; +} + +function Auth_OpenID_getSessionTypes($assoc_type) +{ + $assoc_to_session = array( + 'HMAC-SHA1' => array('DH-SHA1', 'no-encryption')); + + if (Auth_OpenID_HMACSHA256_SUPPORTED) { + $assoc_to_session['HMAC-SHA256'] = + array('DH-SHA256', 'no-encryption'); + } + + return Auth_OpenID::arrayGet($assoc_to_session, $assoc_type, array()); +} + +function Auth_OpenID_checkSessionType($assoc_type, $session_type) +{ + if (!in_array($session_type, + Auth_OpenID_getSessionTypes($assoc_type))) { + return false; + } + + return true; +} + +function Auth_OpenID_getDefaultAssociationOrder() +{ + $order = array(); + + if (!Auth_OpenID_noMathSupport()) { + $order[] = array('HMAC-SHA1', 'DH-SHA1'); + + if (Auth_OpenID_HMACSHA256_SUPPORTED) { + $order[] = array('HMAC-SHA256', 'DH-SHA256'); + } + } + + $order[] = array('HMAC-SHA1', 'no-encryption'); + + if (Auth_OpenID_HMACSHA256_SUPPORTED) { + $order[] = array('HMAC-SHA256', 'no-encryption'); + } + + return $order; +} + +function Auth_OpenID_getOnlyEncryptedOrder() +{ + $result = array(); + + foreach (Auth_OpenID_getDefaultAssociationOrder() as $pair) { + list($assoc, $session) = $pair; + + if ($session != 'no-encryption') { + if (Auth_OpenID_HMACSHA256_SUPPORTED && + ($assoc == 'HMAC-SHA256')) { + $result[] = $pair; + } else if ($assoc != 'HMAC-SHA256') { + $result[] = $pair; + } + } + } + + return $result; +} + +function Auth_OpenID_getDefaultNegotiator() +{ + return new Auth_OpenID_SessionNegotiator( + Auth_OpenID_getDefaultAssociationOrder()); +} + +function Auth_OpenID_getEncryptedNegotiator() +{ + return new Auth_OpenID_SessionNegotiator( + Auth_OpenID_getOnlyEncryptedOrder()); +} + +/** + * A session negotiator controls the allowed and preferred association + * types and association session types. Both the {@link + * Auth_OpenID_Consumer} and {@link Auth_OpenID_Server} use + * negotiators when creating associations. + * + * You can create and use negotiators if you: + + * - Do not want to do Diffie-Hellman key exchange because you use + * transport-layer encryption (e.g. SSL) + * + * - Want to use only SHA-256 associations + * + * - Do not want to support plain-text associations over a non-secure + * channel + * + * It is up to you to set a policy for what kinds of associations to + * accept. By default, the library will make any kind of association + * that is allowed in the OpenID 2.0 specification. + * + * Use of negotiators in the library + * ================================= + * + * When a consumer makes an association request, it calls {@link + * getAllowedType} to get the preferred association type and + * association session type. + * + * The server gets a request for a particular association/session type + * and calls {@link isAllowed} to determine if it should create an + * association. If it is supported, negotiation is complete. If it is + * not, the server calls {@link getAllowedType} to get an allowed + * association type to return to the consumer. + * + * If the consumer gets an error response indicating that the + * requested association/session type is not supported by the server + * that contains an assocation/session type to try, it calls {@link + * isAllowed} to determine if it should try again with the given + * combination of association/session type. + * + * @package OpenID + */ +class Auth_OpenID_SessionNegotiator { + function Auth_OpenID_SessionNegotiator($allowed_types) + { + $this->allowed_types = array(); + $this->setAllowedTypes($allowed_types); + } + + /** + * Set the allowed association types, checking to make sure each + * combination is valid. + * + * @access private + */ + function setAllowedTypes($allowed_types) + { + foreach ($allowed_types as $pair) { + list($assoc_type, $session_type) = $pair; + if (!Auth_OpenID_checkSessionType($assoc_type, $session_type)) { + return false; + } + } + + $this->allowed_types = $allowed_types; + return true; + } + + /** + * Add an association type and session type to the allowed types + * list. The assocation/session pairs are tried in the order that + * they are added. + * + * @access private + */ + function addAllowedType($assoc_type, $session_type = null) + { + if ($this->allowed_types === null) { + $this->allowed_types = array(); + } + + if ($session_type === null) { + $available = Auth_OpenID_getSessionTypes($assoc_type); + + if (!$available) { + return false; + } + + foreach ($available as $session_type) { + $this->addAllowedType($assoc_type, $session_type); + } + } else { + if (Auth_OpenID_checkSessionType($assoc_type, $session_type)) { + $this->allowed_types[] = array($assoc_type, $session_type); + } else { + return false; + } + } + + return true; + } + + // Is this combination of association type and session type allowed? + function isAllowed($assoc_type, $session_type) + { + $assoc_good = in_array(array($assoc_type, $session_type), + $this->allowed_types); + + $matches = in_array($session_type, + Auth_OpenID_getSessionTypes($assoc_type)); + + return ($assoc_good && $matches); + } + + /** + * Get a pair of assocation type and session type that are + * supported. + */ + function getAllowedType() + { + if (!$this->allowed_types) { + return array(null, null); + } + + return $this->allowed_types[0]; + } +} + diff --git a/models/Auth/OpenID/BigMath.php b/models/Auth/OpenID/BigMath.php new file mode 100644 index 000000000..7fca2dc43 --- /dev/null +++ b/models/Auth/OpenID/BigMath.php @@ -0,0 +1,452 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +/** + * Needed for random number generation + */ +require_once 'Auth/OpenID/CryptUtil.php'; + +/** + * Need Auth_OpenID::bytes(). + */ +require_once 'Auth/OpenID.php'; + +/** + * The superclass of all big-integer math implementations + * @access private + * @package OpenID + */ +class Auth_OpenID_MathLibrary { + /** + * Given a long integer, returns the number converted to a binary + * string. This function accepts long integer values of arbitrary + * magnitude and uses the local large-number math library when + * available. + * + * @param integer $long The long number (can be a normal PHP + * integer or a number created by one of the available long number + * libraries) + * @return string $binary The binary version of $long + */ + function longToBinary($long) + { + $cmp = $this->cmp($long, 0); + if ($cmp < 0) { + $msg = __FUNCTION__ . " takes only positive integers."; + trigger_error($msg, E_USER_ERROR); + return null; + } + + if ($cmp == 0) { + return "\x00"; + } + + $bytes = array(); + + while ($this->cmp($long, 0) > 0) { + array_unshift($bytes, $this->mod($long, 256)); + $long = $this->div($long, pow(2, 8)); + } + + if ($bytes && ($bytes[0] > 127)) { + array_unshift($bytes, 0); + } + + $string = ''; + foreach ($bytes as $byte) { + $string .= pack('C', $byte); + } + + return $string; + } + + /** + * Given a binary string, returns the binary string converted to a + * long number. + * + * @param string $binary The binary version of a long number, + * probably as a result of calling longToBinary + * @return integer $long The long number equivalent of the binary + * string $str + */ + function binaryToLong($str) + { + if ($str === null) { + return null; + } + + // Use array_merge to return a zero-indexed array instead of a + // one-indexed array. + $bytes = array_merge(unpack('C*', $str)); + + $n = $this->init(0); + + if ($bytes && ($bytes[0] > 127)) { + trigger_error("bytesToNum works only for positive integers.", + E_USER_WARNING); + return null; + } + + foreach ($bytes as $byte) { + $n = $this->mul($n, pow(2, 8)); + $n = $this->add($n, $byte); + } + + return $n; + } + + function base64ToLong($str) + { + $b64 = base64_decode($str); + + if ($b64 === false) { + return false; + } + + return $this->binaryToLong($b64); + } + + function longToBase64($str) + { + return base64_encode($this->longToBinary($str)); + } + + /** + * Returns a random number in the specified range. This function + * accepts $start, $stop, and $step values of arbitrary magnitude + * and will utilize the local large-number math library when + * available. + * + * @param integer $start The start of the range, or the minimum + * random number to return + * @param integer $stop The end of the range, or the maximum + * random number to return + * @param integer $step The step size, such that $result - ($step + * * N) = $start for some N + * @return integer $result The resulting randomly-generated number + */ + function rand($stop) + { + static $duplicate_cache = array(); + + // Used as the key for the duplicate cache + $rbytes = $this->longToBinary($stop); + + if (array_key_exists($rbytes, $duplicate_cache)) { + list($duplicate, $nbytes) = $duplicate_cache[$rbytes]; + } else { + if ($rbytes[0] == "\x00") { + $nbytes = Auth_OpenID::bytes($rbytes) - 1; + } else { + $nbytes = Auth_OpenID::bytes($rbytes); + } + + $mxrand = $this->pow(256, $nbytes); + + // If we get a number less than this, then it is in the + // duplicated range. + $duplicate = $this->mod($mxrand, $stop); + + if (count($duplicate_cache) > 10) { + $duplicate_cache = array(); + } + + $duplicate_cache[$rbytes] = array($duplicate, $nbytes); + } + + do { + $bytes = "\x00" . Auth_OpenID_CryptUtil::getBytes($nbytes); + $n = $this->binaryToLong($bytes); + // Keep looping if this value is in the low duplicated range + } while ($this->cmp($n, $duplicate) < 0); + + return $this->mod($n, $stop); + } +} + +/** + * Exposes BCmath math library functionality. + * + * {@link Auth_OpenID_BcMathWrapper} wraps the functionality provided + * by the BCMath extension. + * + * @access private + * @package OpenID + */ +class Auth_OpenID_BcMathWrapper extends Auth_OpenID_MathLibrary{ + var $type = 'bcmath'; + + function add($x, $y) + { + return bcadd($x, $y); + } + + function sub($x, $y) + { + return bcsub($x, $y); + } + + function pow($base, $exponent) + { + return bcpow($base, $exponent); + } + + function cmp($x, $y) + { + return bccomp($x, $y); + } + + function init($number, $base = 10) + { + return $number; + } + + function mod($base, $modulus) + { + return bcmod($base, $modulus); + } + + function mul($x, $y) + { + return bcmul($x, $y); + } + + function div($x, $y) + { + return bcdiv($x, $y); + } + + /** + * Same as bcpowmod when bcpowmod is missing + * + * @access private + */ + function _powmod($base, $exponent, $modulus) + { + $square = $this->mod($base, $modulus); + $result = 1; + while($this->cmp($exponent, 0) > 0) { + if ($this->mod($exponent, 2)) { + $result = $this->mod($this->mul($result, $square), $modulus); + } + $square = $this->mod($this->mul($square, $square), $modulus); + $exponent = $this->div($exponent, 2); + } + return $result; + } + + function powmod($base, $exponent, $modulus) + { + if (function_exists('bcpowmod')) { + return bcpowmod($base, $exponent, $modulus); + } else { + return $this->_powmod($base, $exponent, $modulus); + } + } + + function toString($num) + { + return $num; + } +} + +/** + * Exposes GMP math library functionality. + * + * {@link Auth_OpenID_GmpMathWrapper} wraps the functionality provided + * by the GMP extension. + * + * @access private + * @package OpenID + */ +class Auth_OpenID_GmpMathWrapper extends Auth_OpenID_MathLibrary{ + var $type = 'gmp'; + + function add($x, $y) + { + return gmp_add($x, $y); + } + + function sub($x, $y) + { + return gmp_sub($x, $y); + } + + function pow($base, $exponent) + { + return gmp_pow($base, $exponent); + } + + function cmp($x, $y) + { + return gmp_cmp($x, $y); + } + + function init($number, $base = 10) + { + return gmp_init($number, $base); + } + + function mod($base, $modulus) + { + return gmp_mod($base, $modulus); + } + + function mul($x, $y) + { + return gmp_mul($x, $y); + } + + function div($x, $y) + { + return gmp_div_q($x, $y); + } + + function powmod($base, $exponent, $modulus) + { + return gmp_powm($base, $exponent, $modulus); + } + + function toString($num) + { + return gmp_strval($num); + } +} + +/** + * Define the supported extensions. An extension array has keys + * 'modules', 'extension', and 'class'. 'modules' is an array of PHP + * module names which the loading code will attempt to load. These + * values will be suffixed with a library file extension (e.g. ".so"). + * 'extension' is the name of a PHP extension which will be tested + * before 'modules' are loaded. 'class' is the string name of a + * {@link Auth_OpenID_MathWrapper} subclass which should be + * instantiated if a given extension is present. + * + * You can define new math library implementations and add them to + * this array. + */ +function Auth_OpenID_math_extensions() +{ + $result = array(); + + if (!defined('Auth_OpenID_BUGGY_GMP')) { + $result[] = + array('modules' => array('gmp', 'php_gmp'), + 'extension' => 'gmp', + 'class' => 'Auth_OpenID_GmpMathWrapper'); + } + + $result[] = array('modules' => array('bcmath', 'php_bcmath'), + 'extension' => 'bcmath', + 'class' => 'Auth_OpenID_BcMathWrapper'); + + return $result; +} + +/** + * Detect which (if any) math library is available + */ +function Auth_OpenID_detectMathLibrary($exts) +{ + $loaded = false; + + $hasDl = function_exists('dl'); + foreach ($exts as $extension) { + if (extension_loaded($extension['extension'])) { + return $extension; + } + } + + return false; +} + +/** + * {@link Auth_OpenID_getMathLib} checks for the presence of long + * number extension modules and returns an instance of + * {@link Auth_OpenID_MathWrapper} which exposes the module's + * functionality. + * + * Checks for the existence of an extension module described by the + * result of {@link Auth_OpenID_math_extensions()} and returns an + * instance of a wrapper for that extension module. If no extension + * module is found, an instance of {@link Auth_OpenID_MathWrapper} is + * returned, which wraps the native PHP integer implementation. The + * proper calling convention for this method is $lib = + * Auth_OpenID_getMathLib(). + * + * This function checks for the existence of specific long number + * implementations in the following order: GMP followed by BCmath. + * + * @return Auth_OpenID_MathWrapper $instance An instance of + * {@link Auth_OpenID_MathWrapper} or one of its subclasses + * + * @package OpenID + */ +function Auth_OpenID_getMathLib() +{ + // The instance of Auth_OpenID_MathWrapper that we choose to + // supply will be stored here, so that subseqent calls to this + // method will return a reference to the same object. + static $lib = null; + + if (isset($lib)) { + return $lib; + } + + if (Auth_OpenID_noMathSupport()) { + $null = null; + return $null; + } + + // If this method has not been called before, look at + // Auth_OpenID_math_extensions and try to find an extension that + // works. + $ext = Auth_OpenID_detectMathLibrary(Auth_OpenID_math_extensions()); + if ($ext === false) { + $tried = array(); + foreach (Auth_OpenID_math_extensions() as $extinfo) { + $tried[] = $extinfo['extension']; + } + $triedstr = implode(", ", $tried); + + Auth_OpenID_setNoMathSupport(); + + $result = null; + return $result; + } + + // Instantiate a new wrapper + $class = $ext['class']; + $lib = new $class(); + + return $lib; +} + +function Auth_OpenID_setNoMathSupport() +{ + if (!defined('Auth_OpenID_NO_MATH_SUPPORT')) { + define('Auth_OpenID_NO_MATH_SUPPORT', true); + } +} + +function Auth_OpenID_noMathSupport() +{ + return defined('Auth_OpenID_NO_MATH_SUPPORT'); +} + + diff --git a/models/Auth/OpenID/Consumer.php b/models/Auth/OpenID/Consumer.php new file mode 100644 index 000000000..021c03898 --- /dev/null +++ b/models/Auth/OpenID/Consumer.php @@ -0,0 +1,2230 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +/** + * Require utility classes and functions for the consumer. + */ +require_once "Auth/OpenID.php"; +require_once "Auth/OpenID/Message.php"; +require_once "Auth/OpenID/HMAC.php"; +require_once "Auth/OpenID/Association.php"; +require_once "Auth/OpenID/CryptUtil.php"; +require_once "Auth/OpenID/DiffieHellman.php"; +require_once "Auth/OpenID/KVForm.php"; +require_once "Auth/OpenID/Nonce.php"; +require_once "Auth/OpenID/Discover.php"; +require_once "Auth/OpenID/URINorm.php"; +require_once "Auth/Yadis/Manager.php"; +require_once "Auth/Yadis/XRI.php"; + +/** + * This is the status code returned when the complete method returns + * successfully. + */ +define('Auth_OpenID_SUCCESS', 'success'); + +/** + * Status to indicate cancellation of OpenID authentication. + */ +define('Auth_OpenID_CANCEL', 'cancel'); + +/** + * This is the status code completeAuth returns when the value it + * received indicated an invalid login. + */ +define('Auth_OpenID_FAILURE', 'failure'); + +/** + * This is the status code completeAuth returns when the + * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the + * identity server sends back a URL to send the user to to complete his + * or her login. + */ +define('Auth_OpenID_SETUP_NEEDED', 'setup needed'); + +/** + * This is the status code beginAuth returns when the page fetched + * from the entered OpenID URL doesn't contain the necessary link tags + * to function as an identity page. + */ +define('Auth_OpenID_PARSE_ERROR', 'parse error'); + +/** + * An OpenID consumer implementation that performs discovery and does + * session management. See the Consumer.php file documentation for + * more information. + * + * @package OpenID + */ +class Auth_OpenID_Consumer { + + /** + * @access private + */ + var $discoverMethod = 'Auth_OpenID_discover'; + + /** + * @access private + */ + var $session_key_prefix = "_openid_consumer_"; + + /** + * @access private + */ + var $_token_suffix = "last_token"; + + /** + * Initialize a Consumer instance. + * + * You should create a new instance of the Consumer object with + * every HTTP request that handles OpenID transactions. + * + * @param Auth_OpenID_OpenIDStore $store This must be an object + * that implements the interface in {@link + * Auth_OpenID_OpenIDStore}. Several concrete implementations are + * provided, to cover most common use cases. For stores backed by + * MySQL, PostgreSQL, or SQLite, see the {@link + * Auth_OpenID_SQLStore} class and its sublcasses. For a + * filesystem-backed store, see the {@link Auth_OpenID_FileStore} + * module. As a last resort, if it isn't possible for the server + * to store state at all, an instance of {@link + * Auth_OpenID_DumbStore} can be used. + * + * @param mixed $session An object which implements the interface + * of the {@link Auth_Yadis_PHPSession} class. Particularly, this + * object is expected to have these methods: get($key), set($key), + * $value), and del($key). This defaults to a session object + * which wraps PHP's native session machinery. You should only + * need to pass something here if you have your own sessioning + * implementation. + * + * @param str $consumer_cls The name of the class to instantiate + * when creating the internal consumer object. This is used for + * testing. + */ + function Auth_OpenID_Consumer($store, $session = null, + $consumer_cls = null) + { + if ($session === null) { + $session = new Auth_Yadis_PHPSession(); + } + + $this->session = $session; + + if ($consumer_cls !== null) { + $this->consumer = new $consumer_cls($store); + } else { + $this->consumer = new Auth_OpenID_GenericConsumer($store); + } + + $this->_token_key = $this->session_key_prefix . $this->_token_suffix; + } + + /** + * Used in testing to define the discovery mechanism. + * + * @access private + */ + function getDiscoveryObject($session, $openid_url, + $session_key_prefix) + { + return new Auth_Yadis_Discovery($session, $openid_url, + $session_key_prefix); + } + + /** + * Start the OpenID authentication process. See steps 1-2 in the + * overview at the top of this file. + * + * @param string $user_url Identity URL given by the user. This + * method performs a textual transformation of the URL to try and + * make sure it is normalized. For example, a user_url of + * example.com will be normalized to http://example.com/ + * normalizing and resolving any redirects the server might issue. + * + * @param bool $anonymous True if the OpenID request is to be sent + * to the server without any identifier information. Use this + * when you want to transport data but don't want to do OpenID + * authentication with identifiers. + * + * @return Auth_OpenID_AuthRequest $auth_request An object + * containing the discovered information will be returned, with a + * method for building a redirect URL to the server, as described + * in step 3 of the overview. This object may also be used to add + * extension arguments to the request, using its 'addExtensionArg' + * method. + */ + function begin($user_url, $anonymous=false) + { + $openid_url = $user_url; + + $disco = $this->getDiscoveryObject($this->session, + $openid_url, + $this->session_key_prefix); + + // Set the 'stale' attribute of the manager. If discovery + // fails in a fatal way, the stale flag will cause the manager + // to be cleaned up next time discovery is attempted. + + $m = $disco->getManager(); + $loader = new Auth_Yadis_ManagerLoader(); + + if ($m) { + if ($m->stale) { + $disco->destroyManager(); + } else { + $m->stale = true; + $disco->session->set($disco->session_key, + serialize($loader->toSession($m))); + } + } + + $endpoint = $disco->getNextService($this->discoverMethod, + $this->consumer->fetcher); + + // Reset the 'stale' attribute of the manager. + $m = $disco->getManager(); + if ($m) { + $m->stale = false; + $disco->session->set($disco->session_key, + serialize($loader->toSession($m))); + } + + if ($endpoint === null) { + return null; + } else { + return $this->beginWithoutDiscovery($endpoint, + $anonymous); + } + } + + /** + * Start OpenID verification without doing OpenID server + * discovery. This method is used internally by Consumer.begin + * after discovery is performed, and exists to provide an + * interface for library users needing to perform their own + * discovery. + * + * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service + * endpoint descriptor. + * + * @param bool anonymous Set to true if you want to perform OpenID + * without identifiers. + * + * @return Auth_OpenID_AuthRequest $auth_request An OpenID + * authentication request object. + */ + function beginWithoutDiscovery($endpoint, $anonymous=false) + { + $loader = new Auth_OpenID_ServiceEndpointLoader(); + $auth_req = $this->consumer->begin($endpoint); + $this->session->set($this->_token_key, + $loader->toSession($auth_req->endpoint)); + if (!$auth_req->setAnonymous($anonymous)) { + return new Auth_OpenID_FailureResponse(null, + "OpenID 1 requests MUST include the identifier " . + "in the request."); + } + return $auth_req; + } + + /** + * Called to interpret the server's response to an OpenID + * request. It is called in step 4 of the flow described in the + * consumer overview. + * + * @param string $current_url The URL used to invoke the application. + * Extract the URL from your application's web + * request framework and specify it here to have it checked + * against the openid.current_url value in the response. If + * the current_url URL check fails, the status of the + * completion will be FAILURE. + * + * @param array $query An array of the query parameters (key => + * value pairs) for this HTTP request. Defaults to null. If + * null, the GET or POST data are automatically gotten from the + * PHP environment. It is only useful to override $query for + * testing. + * + * @return Auth_OpenID_ConsumerResponse $response A instance of an + * Auth_OpenID_ConsumerResponse subclass. The type of response is + * indicated by the status attribute, which will be one of + * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED. + */ + function complete($current_url, $query=null) + { + if ($current_url && !is_string($current_url)) { + // This is ugly, but we need to complain loudly when + // someone uses the API incorrectly. + trigger_error("current_url must be a string; see NEWS file " . + "for upgrading notes.", + E_USER_ERROR); + } + + if ($query === null) { + $query = Auth_OpenID::getQuery(); + } + + $loader = new Auth_OpenID_ServiceEndpointLoader(); + $endpoint_data = $this->session->get($this->_token_key); + $endpoint = + $loader->fromSession($endpoint_data); + + $message = Auth_OpenID_Message::fromPostArgs($query); + $response = $this->consumer->complete($message, $endpoint, + $current_url); + $this->session->del($this->_token_key); + + if (in_array($response->status, array(Auth_OpenID_SUCCESS, + Auth_OpenID_CANCEL))) { + if ($response->identity_url !== null) { + $disco = $this->getDiscoveryObject($this->session, + $response->identity_url, + $this->session_key_prefix); + $disco->cleanup(true); + } + } + + return $response; + } +} + +/** + * A class implementing HMAC/DH-SHA1 consumer sessions. + * + * @package OpenID + */ +class Auth_OpenID_DiffieHellmanSHA1ConsumerSession { + var $session_type = 'DH-SHA1'; + var $hash_func = 'Auth_OpenID_SHA1'; + var $secret_size = 20; + var $allowed_assoc_types = array('HMAC-SHA1'); + + function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null) + { + if ($dh === null) { + $dh = new Auth_OpenID_DiffieHellman(); + } + + $this->dh = $dh; + } + + function getRequest() + { + $math = Auth_OpenID_getMathLib(); + + $cpub = $math->longToBase64($this->dh->public); + + $args = array('dh_consumer_public' => $cpub); + + if (!$this->dh->usingDefaultValues()) { + $args = array_merge($args, array( + 'dh_modulus' => + $math->longToBase64($this->dh->mod), + 'dh_gen' => + $math->longToBase64($this->dh->gen))); + } + + return $args; + } + + function extractSecret($response) + { + if (!$response->hasKey(Auth_OpenID_OPENID_NS, + 'dh_server_public')) { + return null; + } + + if (!$response->hasKey(Auth_OpenID_OPENID_NS, + 'enc_mac_key')) { + return null; + } + + $math = Auth_OpenID_getMathLib(); + + $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS, + 'dh_server_public')); + $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS, + 'enc_mac_key')); + + return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func); + } +} + +/** + * A class implementing HMAC/DH-SHA256 consumer sessions. + * + * @package OpenID + */ +class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends + Auth_OpenID_DiffieHellmanSHA1ConsumerSession { + var $session_type = 'DH-SHA256'; + var $hash_func = 'Auth_OpenID_SHA256'; + var $secret_size = 32; + var $allowed_assoc_types = array('HMAC-SHA256'); +} + +/** + * A class implementing plaintext consumer sessions. + * + * @package OpenID + */ +class Auth_OpenID_PlainTextConsumerSession { + var $session_type = 'no-encryption'; + var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); + + function getRequest() + { + return array(); + } + + function extractSecret($response) + { + if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) { + return null; + } + + return base64_decode($response->getArg(Auth_OpenID_OPENID_NS, + 'mac_key')); + } +} + +/** + * Returns available session types. + */ +function Auth_OpenID_getAvailableSessionTypes() +{ + $types = array( + 'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession', + 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession', + 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession'); + + return $types; +} + +/** + * This class is the interface to the OpenID consumer logic. + * Instances of it maintain no per-request state, so they can be + * reused (or even used by multiple threads concurrently) as needed. + * + * @package OpenID + */ +class Auth_OpenID_GenericConsumer { + /** + * @access private + */ + var $discoverMethod = 'Auth_OpenID_discover'; + + /** + * This consumer's store object. + */ + var $store; + + /** + * @access private + */ + var $_use_assocs; + + /** + * @access private + */ + var $openid1_nonce_query_arg_name = 'janrain_nonce'; + + /** + * Another query parameter that gets added to the return_to for + * OpenID 1; if the user's session state is lost, use this claimed + * identifier to do discovery when verifying the response. + */ + var $openid1_return_to_identifier_name = 'openid1_claimed_id'; + + /** + * This method initializes a new {@link Auth_OpenID_Consumer} + * instance to access the library. + * + * @param Auth_OpenID_OpenIDStore $store This must be an object + * that implements the interface in {@link Auth_OpenID_OpenIDStore}. + * Several concrete implementations are provided, to cover most common use + * cases. For stores backed by MySQL, PostgreSQL, or SQLite, see + * the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a + * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module. + * As a last resort, if it isn't possible for the server to store + * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used. + * + * @param bool $immediate This is an optional boolean value. It + * controls whether the library uses immediate mode, as explained + * in the module description. The default value is False, which + * disables immediate mode. + */ + function Auth_OpenID_GenericConsumer($store) + { + $this->store = $store; + $this->negotiator = Auth_OpenID_getDefaultNegotiator(); + $this->_use_assocs = (is_null($this->store) ? false : true); + + $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); + + $this->session_types = Auth_OpenID_getAvailableSessionTypes(); + } + + /** + * Called to begin OpenID authentication using the specified + * {@link Auth_OpenID_ServiceEndpoint}. + * + * @access private + */ + function begin($service_endpoint) + { + $assoc = $this->_getAssociation($service_endpoint); + $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); + $r->return_to_args[$this->openid1_nonce_query_arg_name] = + Auth_OpenID_mkNonce(); + + if ($r->message->isOpenID1()) { + $r->return_to_args[$this->openid1_return_to_identifier_name] = + $r->endpoint->claimed_id; + } + + return $r; + } + + /** + * Given an {@link Auth_OpenID_Message}, {@link + * Auth_OpenID_ServiceEndpoint} and optional return_to URL, + * complete OpenID authentication. + * + * @access private + */ + function complete($message, $endpoint, $return_to) + { + $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', + ''); + + $mode_methods = array( + 'cancel' => '_complete_cancel', + 'error' => '_complete_error', + 'setup_needed' => '_complete_setup_needed', + 'id_res' => '_complete_id_res', + ); + + $method = Auth_OpenID::arrayGet($mode_methods, $mode, + '_completeInvalid'); + + return call_user_func_array(array($this, $method), + array($message, &$endpoint, $return_to)); + } + + /** + * @access private + */ + function _completeInvalid($message, $endpoint, $unused) + { + $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', + ''); + + return new Auth_OpenID_FailureResponse($endpoint, + sprintf("Invalid openid.mode '%s'", $mode)); + } + + /** + * @access private + */ + function _complete_cancel($message, $endpoint, $unused) + { + return new Auth_OpenID_CancelResponse($endpoint); + } + + /** + * @access private + */ + function _complete_error($message, $endpoint, $unused) + { + $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error'); + $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact'); + $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference'); + + return new Auth_OpenID_FailureResponse($endpoint, $error, + $contact, $reference); + } + + /** + * @access private + */ + function _complete_setup_needed($message, $endpoint, $unused) + { + if (!$message->isOpenID2()) { + return $this->_completeInvalid($message, $endpoint); + } + + $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS, + 'user_setup_url'); + return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url); + } + + /** + * @access private + */ + function _complete_id_res($message, $endpoint, $return_to) + { + $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, + 'user_setup_url'); + + if ($this->_checkSetupNeeded($message)) { + return new Auth_OpenID_SetupNeededResponse( + $endpoint, $user_setup_url); + } else { + return $this->_doIdRes($message, $endpoint, $return_to); + } + } + + /** + * @access private + */ + function _checkSetupNeeded($message) + { + // In OpenID 1, we check to see if this is a cancel from + // immediate mode by the presence of the user_setup_url + // parameter. + if ($message->isOpenID1()) { + $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, + 'user_setup_url'); + if ($user_setup_url !== null) { + return true; + } + } + + return false; + } + + /** + * @access private + */ + function _doIdRes($message, $endpoint, $return_to) + { + // Checks for presence of appropriate fields (and checks + // signed list fields) + $result = $this->_idResCheckForFields($message); + + if (Auth_OpenID::isFailure($result)) { + return $result; + } + + if (!$this->_checkReturnTo($message, $return_to)) { + return new Auth_OpenID_FailureResponse(null, + sprintf("return_to does not match return URL. Expected %s, got %s", + $return_to, + $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'))); + } + + // Verify discovery information: + $result = $this->_verifyDiscoveryResults($message, $endpoint); + + if (Auth_OpenID::isFailure($result)) { + return $result; + } + + $endpoint = $result; + + $result = $this->_idResCheckSignature($message, + $endpoint->server_url); + + if (Auth_OpenID::isFailure($result)) { + return $result; + } + + $result = $this->_idResCheckNonce($message, $endpoint); + + if (Auth_OpenID::isFailure($result)) { + return $result; + } + + $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', + Auth_OpenID_NO_DEFAULT); + if (Auth_OpenID::isFailure($signed_list_str)) { + return $signed_list_str; + } + $signed_list = explode(',', $signed_list_str); + + $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid."); + + return new Auth_OpenID_SuccessResponse($endpoint, $message, + $signed_fields); + + } + + /** + * @access private + */ + function _checkReturnTo($message, $return_to) + { + // Check an OpenID message and its openid.return_to value + // against a return_to URL from an application. Return True + // on success, False on failure. + + // Check the openid.return_to args against args in the + // original message. + $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs( + $message->toPostArgs()); + if (Auth_OpenID::isFailure($result)) { + return false; + } + + // Check the return_to base URL against the one in the + // message. + $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, + 'return_to'); + if (Auth_OpenID::isFailure($return_to)) { + // XXX log me + return false; + } + + $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to)); + $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to)); + + // If port is absent from both, add it so it's equal in the + // check below. + if ((!array_key_exists('port', $return_to_parts)) && + (!array_key_exists('port', $msg_return_to_parts))) { + $return_to_parts['port'] = null; + $msg_return_to_parts['port'] = null; + } + + // If path is absent from both, add it so it's equal in the + // check below. + if ((!array_key_exists('path', $return_to_parts)) && + (!array_key_exists('path', $msg_return_to_parts))) { + $return_to_parts['path'] = null; + $msg_return_to_parts['path'] = null; + } + + // The URL scheme, authority, and path MUST be the same + // between the two URLs. + foreach (array('scheme', 'host', 'port', 'path') as $component) { + // If the url component is absent in either URL, fail. + // There should always be a scheme, host, port, and path. + if (!array_key_exists($component, $return_to_parts)) { + return false; + } + + if (!array_key_exists($component, $msg_return_to_parts)) { + return false; + } + + if (Auth_OpenID::arrayGet($return_to_parts, $component) !== + Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { + return false; + } + } + + return true; + } + + /** + * @access private + */ + function _verifyReturnToArgs($query) + { + // Verify that the arguments in the return_to URL are present in this + // response. + + $message = Auth_OpenID_Message::fromPostArgs($query); + $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); + + if (Auth_OpenID::isFailure($return_to)) { + return $return_to; + } + // XXX: this should be checked by _idResCheckForFields + if (!$return_to) { + return new Auth_OpenID_FailureResponse(null, + "Response has no return_to"); + } + + $parsed_url = parse_url($return_to); + + $q = array(); + if (array_key_exists('query', $parsed_url)) { + $rt_query = $parsed_url['query']; + $q = Auth_OpenID::parse_str($rt_query); + } + + foreach ($q as $rt_key => $rt_value) { + if (!array_key_exists($rt_key, $query)) { + return new Auth_OpenID_FailureResponse(null, + sprintf("return_to parameter %s absent from query", $rt_key)); + } else { + $value = $query[$rt_key]; + if ($rt_value != $value) { + return new Auth_OpenID_FailureResponse(null, + sprintf("parameter %s value %s does not match " . + "return_to value %s", $rt_key, + $value, $rt_value)); + } + } + } + + // Make sure all non-OpenID arguments in the response are also + // in the signed return_to. + $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); + foreach ($bare_args as $key => $value) { + if (Auth_OpenID::arrayGet($q, $key) != $value) { + return new Auth_OpenID_FailureResponse(null, + sprintf("Parameter %s = %s not in return_to URL", + $key, $value)); + } + } + + return true; + } + + /** + * @access private + */ + function _idResCheckSignature($message, $server_url) + { + $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, + 'assoc_handle'); + if (Auth_OpenID::isFailure($assoc_handle)) { + return $assoc_handle; + } + + $assoc = $this->store->getAssociation($server_url, $assoc_handle); + + if ($assoc) { + if ($assoc->getExpiresIn() <= 0) { + // XXX: It might be a good idea sometimes to re-start + // the authentication with a new association. Doing it + // automatically opens the possibility for + // denial-of-service by a server that just returns + // expired associations (or really short-lived + // associations) + return new Auth_OpenID_FailureResponse(null, + 'Association with ' . $server_url . ' expired'); + } + + if (!$assoc->checkMessageSignature($message)) { + return new Auth_OpenID_FailureResponse(null, + "Bad signature"); + } + } else { + // It's not an association we know about. Stateless mode + // is our only possible path for recovery. XXX - async + // framework will not want to block on this call to + // _checkAuth. + if (!$this->_checkAuth($message, $server_url)) { + return new Auth_OpenID_FailureResponse(null, + "Server denied check_authentication"); + } + } + + return null; + } + + /** + * @access private + */ + function _verifyDiscoveryResults($message, $endpoint=null) + { + if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) { + return $this->_verifyDiscoveryResultsOpenID2($message, + $endpoint); + } else { + return $this->_verifyDiscoveryResultsOpenID1($message, + $endpoint); + } + } + + /** + * @access private + */ + function _verifyDiscoveryResultsOpenID1($message, $endpoint) + { + $claimed_id = $message->getArg(Auth_OpenID_BARE_NS, + $this->openid1_return_to_identifier_name); + + if (($endpoint === null) && ($claimed_id === null)) { + return new Auth_OpenID_FailureResponse($endpoint, + 'When using OpenID 1, the claimed ID must be supplied, ' . + 'either by passing it through as a return_to parameter ' . + 'or by using a session, and supplied to the GenericConsumer ' . + 'as the argument to complete()'); + } else if (($endpoint !== null) && ($claimed_id === null)) { + $claimed_id = $endpoint->claimed_id; + } + + $to_match = new Auth_OpenID_ServiceEndpoint(); + $to_match->type_uris = array(Auth_OpenID_TYPE_1_1); + $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS, + 'identity'); + + // Restore delegate information from the initiation phase + $to_match->claimed_id = $claimed_id; + + if ($to_match->local_id === null) { + return new Auth_OpenID_FailureResponse($endpoint, + "Missing required field openid.identity"); + } + + $to_match_1_0 = $to_match->copy(); + $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0); + + if ($endpoint !== null) { + $result = $this->_verifyDiscoverySingle($endpoint, $to_match); + + if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { + $result = $this->_verifyDiscoverySingle($endpoint, + $to_match_1_0); + } + + if (Auth_OpenID::isFailure($result)) { + // oidutil.log("Error attempting to use stored + // discovery information: " + str(e)) + // oidutil.log("Attempting discovery to + // verify endpoint") + } else { + return $endpoint; + } + } + + // Endpoint is either bad (failed verification) or None + return $this->_discoverAndVerify($to_match->claimed_id, + array($to_match, $to_match_1_0)); + } + + /** + * @access private + */ + function _verifyDiscoverySingle($endpoint, $to_match) + { + // Every type URI that's in the to_match endpoint has to be + // present in the discovered endpoint. + foreach ($to_match->type_uris as $type_uri) { + if (!$endpoint->usesExtension($type_uri)) { + return new Auth_OpenID_TypeURIMismatch($endpoint, + "Required type ".$type_uri." not present"); + } + } + + // Fragments do not influence discovery, so we can't compare a + // claimed identifier with a fragment to discovered + // information. + list($defragged_claimed_id, $_) = + Auth_OpenID::urldefrag($to_match->claimed_id); + + if ($defragged_claimed_id != $endpoint->claimed_id) { + return new Auth_OpenID_FailureResponse($endpoint, + sprintf('Claimed ID does not match (different subjects!), ' . + 'Expected %s, got %s', $defragged_claimed_id, + $endpoint->claimed_id)); + } + + if ($to_match->getLocalID() != $endpoint->getLocalID()) { + return new Auth_OpenID_FailureResponse($endpoint, + sprintf('local_id mismatch. Expected %s, got %s', + $to_match->getLocalID(), $endpoint->getLocalID())); + } + + // If the server URL is None, this must be an OpenID 1 + // response, because op_endpoint is a required parameter in + // OpenID 2. In that case, we don't actually care what the + // discovered server_url is, because signature checking or + // check_auth should take care of that check for us. + if ($to_match->server_url === null) { + if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) { + return new Auth_OpenID_FailureResponse($endpoint, + "Preferred namespace mismatch (bug)"); + } + } else if ($to_match->server_url != $endpoint->server_url) { + return new Auth_OpenID_FailureResponse($endpoint, + sprintf('OP Endpoint mismatch. Expected %s, got %s', + $to_match->server_url, $endpoint->server_url)); + } + + return null; + } + + /** + * @access private + */ + function _verifyDiscoveryResultsOpenID2($message, $endpoint) + { + $to_match = new Auth_OpenID_ServiceEndpoint(); + $to_match->type_uris = array(Auth_OpenID_TYPE_2_0); + $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, + 'claimed_id'); + + $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS, + 'identity'); + + $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS, + 'op_endpoint'); + + if ($to_match->server_url === null) { + return new Auth_OpenID_FailureResponse($endpoint, + "OP Endpoint URL missing"); + } + + // claimed_id and identifier must both be present or both be + // absent + if (($to_match->claimed_id === null) && + ($to_match->local_id !== null)) { + return new Auth_OpenID_FailureResponse($endpoint, + 'openid.identity is present without openid.claimed_id'); + } + + if (($to_match->claimed_id !== null) && + ($to_match->local_id === null)) { + return new Auth_OpenID_FailureResponse($endpoint, + 'openid.claimed_id is present without openid.identity'); + } + + if ($to_match->claimed_id === null) { + // This is a response without identifiers, so there's + // really no checking that we can do, so return an + // endpoint that's for the specified `openid.op_endpoint' + return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL( + $to_match->server_url); + } + + if (!$endpoint) { + // The claimed ID doesn't match, so we have to do + // discovery again. This covers not using sessions, OP + // identifier endpoints and responses that didn't match + // the original request. + // oidutil.log('No pre-discovered information supplied.') + return $this->_discoverAndVerify($to_match->claimed_id, + array($to_match)); + } else { + + // The claimed ID matches, so we use the endpoint that we + // discovered in initiation. This should be the most + // common case. + $result = $this->_verifyDiscoverySingle($endpoint, $to_match); + + if (Auth_OpenID::isFailure($result)) { + $endpoint = $this->_discoverAndVerify($to_match->claimed_id, + array($to_match)); + if (Auth_OpenID::isFailure($endpoint)) { + return $endpoint; + } + } + } + + // The endpoint we return should have the claimed ID from the + // message we just verified, fragment and all. + if ($endpoint->claimed_id != $to_match->claimed_id) { + $endpoint->claimed_id = $to_match->claimed_id; + } + + return $endpoint; + } + + /** + * @access private + */ + function _discoverAndVerify($claimed_id, $to_match_endpoints) + { + // oidutil.log('Performing discovery on %s' % (claimed_id,)) + list($unused, $services) = call_user_func($this->discoverMethod, + $claimed_id, + &$this->fetcher); + + if (!$services) { + return new Auth_OpenID_FailureResponse(null, + sprintf("No OpenID information found at %s", + $claimed_id)); + } + + return $this->_verifyDiscoveryServices($claimed_id, $services, + $to_match_endpoints); + } + + /** + * @access private + */ + function _verifyDiscoveryServices($claimed_id, + $services, $to_match_endpoints) + { + // Search the services resulting from discovery to find one + // that matches the information from the assertion + + foreach ($services as $endpoint) { + foreach ($to_match_endpoints as $to_match_endpoint) { + $result = $this->_verifyDiscoverySingle($endpoint, + $to_match_endpoint); + + if (!Auth_OpenID::isFailure($result)) { + // It matches, so discover verification has + // succeeded. Return this endpoint. + return $endpoint; + } + } + } + + return new Auth_OpenID_FailureResponse(null, + sprintf('No matching endpoint found after discovering %s: %s', + $claimed_id, $result->message)); + } + + /** + * Extract the nonce from an OpenID 1 response. Return the nonce + * from the BARE_NS since we independently check the return_to + * arguments are the same as those in the response message. + * + * See the openid1_nonce_query_arg_name class variable + * + * @returns $nonce The nonce as a string or null + * + * @access private + */ + function _idResGetNonceOpenID1($message, $endpoint) + { + return $message->getArg(Auth_OpenID_BARE_NS, + $this->openid1_nonce_query_arg_name); + } + + /** + * @access private + */ + function _idResCheckNonce($message, $endpoint) + { + if ($message->isOpenID1()) { + // This indicates that the nonce was generated by the consumer + $nonce = $this->_idResGetNonceOpenID1($message, $endpoint); + $server_url = ''; + } else { + $nonce = $message->getArg(Auth_OpenID_OPENID2_NS, + 'response_nonce'); + + $server_url = $endpoint->server_url; + } + + if ($nonce === null) { + return new Auth_OpenID_FailureResponse($endpoint, + "Nonce missing from response"); + } + + $parts = Auth_OpenID_splitNonce($nonce); + + if ($parts === null) { + return new Auth_OpenID_FailureResponse($endpoint, + "Malformed nonce in response"); + } + + list($timestamp, $salt) = $parts; + + if (!$this->store->useNonce($server_url, $timestamp, $salt)) { + return new Auth_OpenID_FailureResponse($endpoint, + "Nonce already used or out of range"); + } + + return null; + } + + /** + * @access private + */ + function _idResCheckForFields($message) + { + $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed'); + $basic_sig_fields = array('return_to', 'identity'); + + $require_fields = array( + Auth_OpenID_OPENID2_NS => array_merge($basic_fields, + array('op_endpoint')), + + Auth_OpenID_OPENID1_NS => array_merge($basic_fields, + array('identity')) + ); + + $require_sigs = array( + Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields, + array('response_nonce', + 'claimed_id', + 'assoc_handle', + 'op_endpoint')), + Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields, + array('nonce')) + ); + + foreach ($require_fields[$message->getOpenIDNamespace()] as $field) { + if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) { + return new Auth_OpenID_FailureResponse(null, + "Missing required field '".$field."'"); + } + } + + $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, + 'signed', + Auth_OpenID_NO_DEFAULT); + if (Auth_OpenID::isFailure($signed_list_str)) { + return $signed_list_str; + } + $signed_list = explode(',', $signed_list_str); + + foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) { + // Field is present and not in signed list + if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) && + (!in_array($field, $signed_list))) { + return new Auth_OpenID_FailureResponse(null, + "'".$field."' not signed"); + } + } + + return null; + } + + /** + * @access private + */ + function _checkAuth($message, $server_url) + { + $request = $this->_createCheckAuthRequest($message); + if ($request === null) { + return false; + } + + $resp_message = $this->_makeKVPost($request, $server_url); + if (($resp_message === null) || + (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) { + return false; + } + + return $this->_processCheckAuthResponse($resp_message, $server_url); + } + + /** + * @access private + */ + function _createCheckAuthRequest($message) + { + $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); + if ($signed) { + foreach (explode(',', $signed) as $k) { + $value = $message->getAliasedArg($k); + if ($value === null) { + return null; + } + } + } + $ca_message = $message->copy(); + $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', + 'check_authentication'); + return $ca_message; + } + + /** + * @access private + */ + function _processCheckAuthResponse($response, $server_url) + { + $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid', + 'false'); + + $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS, + 'invalidate_handle'); + + if ($invalidate_handle !== null) { + $this->store->removeAssociation($server_url, + $invalidate_handle); + } + + if ($is_valid == 'true') { + return true; + } + + return false; + } + + /** + * Adapt a POST response to a Message. + * + * @param $response Result of a POST to an OpenID endpoint. + * + * @access private + */ + static function _httpResponseToMessage($response, $server_url) + { + // Should this function be named Message.fromHTTPResponse instead? + $response_message = Auth_OpenID_Message::fromKVForm($response->body); + + if ($response->status == 400) { + return Auth_OpenID_ServerErrorContainer::fromMessage( + $response_message); + } else if ($response->status != 200 and $response->status != 206) { + return null; + } + + return $response_message; + } + + /** + * @access private + */ + function _makeKVPost($message, $server_url) + { + $body = $message->toURLEncoded(); + $resp = $this->fetcher->post($server_url, $body); + + if ($resp === null) { + return null; + } + + return $this->_httpResponseToMessage($resp, $server_url); + } + + /** + * @access private + */ + function _getAssociation($endpoint) + { + if (!$this->_use_assocs) { + return null; + } + + $assoc = $this->store->getAssociation($endpoint->server_url); + + if (($assoc === null) || + ($assoc->getExpiresIn() <= 0)) { + + $assoc = $this->_negotiateAssociation($endpoint); + + if ($assoc !== null) { + $this->store->storeAssociation($endpoint->server_url, + $assoc); + } + } + + return $assoc; + } + + /** + * Handle ServerErrors resulting from association requests. + * + * @return $result If server replied with an C{unsupported-type} + * error, return a tuple of supported C{association_type}, + * C{session_type}. Otherwise logs the error and returns null. + * + * @access private + */ + function _extractSupportedAssociationType($server_error, $endpoint, + $assoc_type) + { + // Any error message whose code is not 'unsupported-type' + // should be considered a total failure. + if (($server_error->error_code != 'unsupported-type') || + ($server_error->message->isOpenID1())) { + return null; + } + + // The server didn't like the association/session type that we + // sent, and it sent us back a message that might tell us how + // to handle it. + + // Extract the session_type and assoc_type from the error + // message + $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, + 'assoc_type'); + + $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, + 'session_type'); + + if (($assoc_type === null) || ($session_type === null)) { + return null; + } else if (!$this->negotiator->isAllowed($assoc_type, + $session_type)) { + return null; + } else { + return array($assoc_type, $session_type); + } + } + + /** + * @access private + */ + function _negotiateAssociation($endpoint) + { + // Get our preferred session/association type from the negotiatior. + list($assoc_type, $session_type) = $this->negotiator->getAllowedType(); + + $assoc = $this->_requestAssociation( + $endpoint, $assoc_type, $session_type); + + if (Auth_OpenID::isFailure($assoc)) { + return null; + } + + if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { + $why = $assoc; + + $supportedTypes = $this->_extractSupportedAssociationType( + $why, $endpoint, $assoc_type); + + if ($supportedTypes !== null) { + list($assoc_type, $session_type) = $supportedTypes; + + // Attempt to create an association from the assoc_type + // and session_type that the server told us it + // supported. + $assoc = $this->_requestAssociation( + $endpoint, $assoc_type, $session_type); + + if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { + // Do not keep trying, since it rejected the + // association type that it told us to use. + // oidutil.log('Server %s refused its suggested association + // 'type: session_type=%s, assoc_type=%s' + // % (endpoint.server_url, session_type, + // assoc_type)) + return null; + } else { + return $assoc; + } + } else { + return null; + } + } else { + return $assoc; + } + } + + /** + * @access private + */ + function _requestAssociation($endpoint, $assoc_type, $session_type) + { + list($assoc_session, $args) = $this->_createAssociateRequest( + $endpoint, $assoc_type, $session_type); + + $response_message = $this->_makeKVPost($args, $endpoint->server_url); + + if ($response_message === null) { + // oidutil.log('openid.associate request failed: %s' % (why[0],)) + return null; + } else if (is_a($response_message, + 'Auth_OpenID_ServerErrorContainer')) { + return $response_message; + } + + return $this->_extractAssociation($response_message, $assoc_session); + } + + /** + * @access private + */ + function _extractAssociation($assoc_response, $assoc_session) + { + // Extract the common fields from the response, raising an + // exception if they are not found + $assoc_type = $assoc_response->getArg( + Auth_OpenID_OPENID_NS, 'assoc_type', + Auth_OpenID_NO_DEFAULT); + + if (Auth_OpenID::isFailure($assoc_type)) { + return $assoc_type; + } + + $assoc_handle = $assoc_response->getArg( + Auth_OpenID_OPENID_NS, 'assoc_handle', + Auth_OpenID_NO_DEFAULT); + + if (Auth_OpenID::isFailure($assoc_handle)) { + return $assoc_handle; + } + + // expires_in is a base-10 string. The Python parsing will + // accept literals that have whitespace around them and will + // accept negative values. Neither of these are really in-spec, + // but we think it's OK to accept them. + $expires_in_str = $assoc_response->getArg( + Auth_OpenID_OPENID_NS, 'expires_in', + Auth_OpenID_NO_DEFAULT); + + if (Auth_OpenID::isFailure($expires_in_str)) { + return $expires_in_str; + } + + $expires_in = Auth_OpenID::intval($expires_in_str); + if ($expires_in === false) { + + $err = sprintf("Could not parse expires_in from association ". + "response %s", print_r($assoc_response, true)); + return new Auth_OpenID_FailureResponse(null, $err); + } + + // OpenID 1 has funny association session behaviour. + if ($assoc_response->isOpenID1()) { + $session_type = $this->_getOpenID1SessionType($assoc_response); + } else { + $session_type = $assoc_response->getArg( + Auth_OpenID_OPENID2_NS, 'session_type', + Auth_OpenID_NO_DEFAULT); + + if (Auth_OpenID::isFailure($session_type)) { + return $session_type; + } + } + + // Session type mismatch + if ($assoc_session->session_type != $session_type) { + if ($assoc_response->isOpenID1() && + ($session_type == 'no-encryption')) { + // In OpenID 1, any association request can result in + // a 'no-encryption' association response. Setting + // assoc_session to a new no-encryption session should + // make the rest of this function work properly for + // that case. + $assoc_session = new Auth_OpenID_PlainTextConsumerSession(); + } else { + // Any other mismatch, regardless of protocol version + // results in the failure of the association session + // altogether. + return null; + } + } + + // Make sure assoc_type is valid for session_type + if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) { + return null; + } + + // Delegate to the association session to extract the secret + // from the response, however is appropriate for that session + // type. + $secret = $assoc_session->extractSecret($assoc_response); + + if ($secret === null) { + return null; + } + + return Auth_OpenID_Association::fromExpiresIn( + $expires_in, $assoc_handle, $secret, $assoc_type); + } + + /** + * @access private + */ + function _createAssociateRequest($endpoint, $assoc_type, $session_type) + { + if (array_key_exists($session_type, $this->session_types)) { + $session_type_class = $this->session_types[$session_type]; + + if (is_callable($session_type_class)) { + $assoc_session = $session_type_class(); + } else { + $assoc_session = new $session_type_class(); + } + } else { + return null; + } + + $args = array( + 'mode' => 'associate', + 'assoc_type' => $assoc_type); + + if (!$endpoint->compatibilityMode()) { + $args['ns'] = Auth_OpenID_OPENID2_NS; + } + + // Leave out the session type if we're in compatibility mode + // *and* it's no-encryption. + if ((!$endpoint->compatibilityMode()) || + ($assoc_session->session_type != 'no-encryption')) { + $args['session_type'] = $assoc_session->session_type; + } + + $args = array_merge($args, $assoc_session->getRequest()); + $message = Auth_OpenID_Message::fromOpenIDArgs($args); + return array($assoc_session, $message); + } + + /** + * Given an association response message, extract the OpenID 1.X + * session type. + * + * This function mostly takes care of the 'no-encryption' default + * behavior in OpenID 1. + * + * If the association type is plain-text, this function will + * return 'no-encryption' + * + * @access private + * @return $typ The association type for this message + */ + function _getOpenID1SessionType($assoc_response) + { + // If it's an OpenID 1 message, allow session_type to default + // to None (which signifies "no-encryption") + $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS, + 'session_type'); + + // Handle the differences between no-encryption association + // respones in OpenID 1 and 2: + + // no-encryption is not really a valid session type for OpenID + // 1, but we'll accept it anyway, while issuing a warning. + if ($session_type == 'no-encryption') { + // oidutil.log('WARNING: OpenID server sent "no-encryption"' + // 'for OpenID 1.X') + } else if (($session_type == '') || ($session_type === null)) { + // Missing or empty session type is the way to flag a + // 'no-encryption' response. Change the session type to + // 'no-encryption' so that it can be handled in the same + // way as OpenID 2 'no-encryption' respones. + $session_type = 'no-encryption'; + } + + return $session_type; + } +} + +/** + * This class represents an authentication request from a consumer to + * an OpenID server. + * + * @package OpenID + */ +class Auth_OpenID_AuthRequest { + + /** + * Initialize an authentication request with the specified token, + * association, and endpoint. + * + * Users of this library should not create instances of this + * class. Instances of this class are created by the library when + * needed. + */ + function Auth_OpenID_AuthRequest($endpoint, $assoc) + { + $this->assoc = $assoc; + $this->endpoint = $endpoint; + $this->return_to_args = array(); + $this->message = new Auth_OpenID_Message( + $endpoint->preferredNamespace()); + $this->_anonymous = false; + } + + /** + * Add an extension to this checkid request. + * + * $extension_request: An object that implements the extension + * request interface for adding arguments to an OpenID message. + */ + function addExtension($extension_request) + { + $extension_request->toMessage($this->message); + } + + /** + * Add an extension argument to this OpenID authentication + * request. + * + * Use caution when adding arguments, because they will be + * URL-escaped and appended to the redirect URL, which can easily + * get quite long. + * + * @param string $namespace The namespace for the extension. For + * example, the simple registration extension uses the namespace + * 'sreg'. + * + * @param string $key The key within the extension namespace. For + * example, the nickname field in the simple registration + * extension's key is 'nickname'. + * + * @param string $value The value to provide to the server for + * this argument. + */ + function addExtensionArg($namespace, $key, $value) + { + return $this->message->setArg($namespace, $key, $value); + } + + /** + * Set whether this request should be made anonymously. If a + * request is anonymous, the identifier will not be sent in the + * request. This is only useful if you are making another kind of + * request with an extension in this request. + * + * Anonymous requests are not allowed when the request is made + * with OpenID 1. + */ + function setAnonymous($is_anonymous) + { + if ($is_anonymous && $this->message->isOpenID1()) { + return false; + } else { + $this->_anonymous = $is_anonymous; + return true; + } + } + + /** + * Produce a {@link Auth_OpenID_Message} representing this + * request. + * + * @param string $realm The URL (or URL pattern) that identifies + * your web site to the user when she is authorizing it. + * + * @param string $return_to The URL that the OpenID provider will + * send the user back to after attempting to verify her identity. + * + * Not specifying a return_to URL means that the user will not be + * returned to the site issuing the request upon its completion. + * + * @param bool $immediate If true, the OpenID provider is to send + * back a response immediately, useful for behind-the-scenes + * authentication attempts. Otherwise the OpenID provider may + * engage the user before providing a response. This is the + * default case, as the user may need to provide credentials or + * approve the request before a positive response can be sent. + */ + function getMessage($realm, $return_to=null, $immediate=false) + { + if ($return_to) { + $return_to = Auth_OpenID::appendArgs($return_to, + $this->return_to_args); + } else if ($immediate) { + // raise ValueError( + // '"return_to" is mandatory when + //using "checkid_immediate"') + return new Auth_OpenID_FailureResponse(null, + "'return_to' is mandatory when using checkid_immediate"); + } else if ($this->message->isOpenID1()) { + // raise ValueError('"return_to" is + // mandatory for OpenID 1 requests') + return new Auth_OpenID_FailureResponse(null, + "'return_to' is mandatory for OpenID 1 requests"); + } else if ($this->return_to_args) { + // raise ValueError('extra "return_to" arguments + // were specified, but no return_to was specified') + return new Auth_OpenID_FailureResponse(null, + "extra 'return_to' arguments where specified, " . + "but no return_to was specified"); + } + + if ($immediate) { + $mode = 'checkid_immediate'; + } else { + $mode = 'checkid_setup'; + } + + $message = $this->message->copy(); + if ($message->isOpenID1()) { + $realm_key = 'trust_root'; + } else { + $realm_key = 'realm'; + } + + $message->updateArgs(Auth_OpenID_OPENID_NS, + array( + $realm_key => $realm, + 'mode' => $mode, + 'return_to' => $return_to)); + + if (!$this->_anonymous) { + if ($this->endpoint->isOPIdentifier()) { + // This will never happen when we're in compatibility + // mode, as long as isOPIdentifier() returns False + // whenever preferredNamespace() returns OPENID1_NS. + $claimed_id = $request_identity = + Auth_OpenID_IDENTIFIER_SELECT; + } else { + $request_identity = $this->endpoint->getLocalID(); + $claimed_id = $this->endpoint->claimed_id; + } + + // This is true for both OpenID 1 and 2 + $message->setArg(Auth_OpenID_OPENID_NS, 'identity', + $request_identity); + + if ($message->isOpenID2()) { + $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id', + $claimed_id); + } + } + + if ($this->assoc) { + $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', + $this->assoc->handle); + } + + return $message; + } + + function redirectURL($realm, $return_to = null, + $immediate = false) + { + $message = $this->getMessage($realm, $return_to, $immediate); + + if (Auth_OpenID::isFailure($message)) { + return $message; + } + + return $message->toURL($this->endpoint->server_url); + } + + /** + * Get html for a form to submit this request to the IDP. + * + * form_tag_attrs: An array of attributes to be added to the form + * tag. 'accept-charset' and 'enctype' have defaults that can be + * overridden. If a value is supplied for 'action' or 'method', it + * will be replaced. + */ + function formMarkup($realm, $return_to=null, $immediate=false, + $form_tag_attrs=null) + { + $message = $this->getMessage($realm, $return_to, $immediate); + + if (Auth_OpenID::isFailure($message)) { + return $message; + } + + return $message->toFormMarkup($this->endpoint->server_url, + $form_tag_attrs); + } + + /** + * Get a complete html document that will autosubmit the request + * to the IDP. + * + * Wraps formMarkup. See the documentation for that function. + */ + function htmlMarkup($realm, $return_to=null, $immediate=false, + $form_tag_attrs=null) + { + $form = $this->formMarkup($realm, $return_to, $immediate, + $form_tag_attrs); + + if (Auth_OpenID::isFailure($form)) { + return $form; + } + return Auth_OpenID::autoSubmitHTML($form); + } + + function shouldSendRedirect() + { + return $this->endpoint->compatibilityMode(); + } +} + +/** + * The base class for responses from the Auth_OpenID_Consumer. + * + * @package OpenID + */ +class Auth_OpenID_ConsumerResponse { + var $status = null; + + function setEndpoint($endpoint) + { + $this->endpoint = $endpoint; + if ($endpoint === null) { + $this->identity_url = null; + } else { + $this->identity_url = $endpoint->claimed_id; + } + } + + /** + * Return the display identifier for this response. + * + * The display identifier is related to the Claimed Identifier, but the + * two are not always identical. The display identifier is something the + * user should recognize as what they entered, whereas the response's + * claimed identifier (in the identity_url attribute) may have extra + * information for better persistence. + * + * URLs will be stripped of their fragments for display. XRIs will + * display the human-readable identifier (i-name) instead of the + * persistent identifier (i-number). + * + * Use the display identifier in your user interface. Use + * identity_url for querying your database or authorization server. + * + */ + function getDisplayIdentifier() + { + if ($this->endpoint !== null) { + return $this->endpoint->getDisplayIdentifier(); + } + return null; + } +} + +/** + * A response with a status of Auth_OpenID_SUCCESS. Indicates that + * this request is a successful acknowledgement from the OpenID server + * that the supplied URL is, indeed controlled by the requesting + * agent. This has three relevant attributes: + * + * claimed_id - The identity URL that has been authenticated + * + * signed_args - The arguments in the server's response that were + * signed and verified. + * + * status - Auth_OpenID_SUCCESS. + * + * @package OpenID + */ +class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse { + var $status = Auth_OpenID_SUCCESS; + + /** + * @access private + */ + function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null) + { + $this->endpoint = $endpoint; + $this->identity_url = $endpoint->claimed_id; + $this->signed_args = $signed_args; + $this->message = $message; + + if ($this->signed_args === null) { + $this->signed_args = array(); + } + } + + /** + * Extract signed extension data from the server's response. + * + * @param string $prefix The extension namespace from which to + * extract the extension data. + */ + function extensionResponse($namespace_uri, $require_signed) + { + if ($require_signed) { + return $this->getSignedNS($namespace_uri); + } else { + return $this->message->getArgs($namespace_uri); + } + } + + function isOpenID1() + { + return $this->message->isOpenID1(); + } + + function isSigned($ns_uri, $ns_key) + { + // Return whether a particular key is signed, regardless of + // its namespace alias + return in_array($this->message->getKey($ns_uri, $ns_key), + $this->signed_args); + } + + function getSigned($ns_uri, $ns_key, $default = null) + { + // Return the specified signed field if available, otherwise + // return default + if ($this->isSigned($ns_uri, $ns_key)) { + return $this->message->getArg($ns_uri, $ns_key, $default); + } else { + return $default; + } + } + + function getSignedNS($ns_uri) + { + $args = array(); + + $msg_args = $this->message->getArgs($ns_uri); + if (Auth_OpenID::isFailure($msg_args)) { + return null; + } + + foreach ($msg_args as $key => $value) { + if (!$this->isSigned($ns_uri, $key)) { + unset($msg_args[$key]); + } + } + + return $msg_args; + } + + /** + * Get the openid.return_to argument from this response. + * + * This is useful for verifying that this request was initiated by + * this consumer. + * + * @return string $return_to The return_to URL supplied to the + * server on the initial request, or null if the response did not + * contain an 'openid.return_to' argument. + */ + function getReturnTo() + { + return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to'); + } +} + +/** + * A response with a status of Auth_OpenID_FAILURE. Indicates that the + * OpenID protocol has failed. This could be locally or remotely + * triggered. This has three relevant attributes: + * + * claimed_id - The identity URL for which authentication was + * attempted, if it can be determined. Otherwise, null. + * + * message - A message indicating why the request failed, if one is + * supplied. Otherwise, null. + * + * status - Auth_OpenID_FAILURE. + * + * @package OpenID + */ +class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse { + var $status = Auth_OpenID_FAILURE; + + function Auth_OpenID_FailureResponse($endpoint, $message = null, + $contact = null, $reference = null) + { + $this->setEndpoint($endpoint); + $this->message = $message; + $this->contact = $contact; + $this->reference = $reference; + } +} + +/** + * A specific, internal failure used to detect type URI mismatch. + * + * @package OpenID + */ +class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse { +} + +/** + * Exception that is raised when the server returns a 400 response + * code to a direct request. + * + * @package OpenID + */ +class Auth_OpenID_ServerErrorContainer { + function Auth_OpenID_ServerErrorContainer($error_text, + $error_code, + $message) + { + $this->error_text = $error_text; + $this->error_code = $error_code; + $this->message = $message; + } + + /** + * @access private + */ + static function fromMessage($message) + { + $error_text = $message->getArg( + Auth_OpenID_OPENID_NS, 'error', ''); + $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code'); + return new Auth_OpenID_ServerErrorContainer($error_text, + $error_code, + $message); + } +} + +/** + * A response with a status of Auth_OpenID_CANCEL. Indicates that the + * user cancelled the OpenID authentication request. This has two + * relevant attributes: + * + * claimed_id - The identity URL for which authentication was + * attempted, if it can be determined. Otherwise, null. + * + * status - Auth_OpenID_SUCCESS. + * + * @package OpenID + */ +class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse { + var $status = Auth_OpenID_CANCEL; + + function Auth_OpenID_CancelResponse($endpoint) + { + $this->setEndpoint($endpoint); + } +} + +/** + * A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates + * that the request was in immediate mode, and the server is unable to + * authenticate the user without further interaction. + * + * claimed_id - The identity URL for which authentication was + * attempted. + * + * setup_url - A URL that can be used to send the user to the server + * to set up for authentication. The user should be redirected in to + * the setup_url, either in the current window or in a new browser + * window. Null in OpenID 2. + * + * status - Auth_OpenID_SETUP_NEEDED. + * + * @package OpenID + */ +class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse { + var $status = Auth_OpenID_SETUP_NEEDED; + + function Auth_OpenID_SetupNeededResponse($endpoint, + $setup_url = null) + { + $this->setEndpoint($endpoint); + $this->setup_url = $setup_url; + } +} + + diff --git a/models/Auth/OpenID/CryptUtil.php b/models/Auth/OpenID/CryptUtil.php new file mode 100644 index 000000000..a92626777 --- /dev/null +++ b/models/Auth/OpenID/CryptUtil.php @@ -0,0 +1,108 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +if (!defined('Auth_OpenID_RAND_SOURCE')) { + /** + * The filename for a source of random bytes. Define this yourself + * if you have a different source of randomness. + */ + define('Auth_OpenID_RAND_SOURCE', '/dev/urandom'); +} + +class Auth_OpenID_CryptUtil { + /** + * Get the specified number of random bytes. + * + * Attempts to use a cryptographically secure (not predictable) + * source of randomness if available. If there is no high-entropy + * randomness source available, it will fail. As a last resort, + * for non-critical systems, define + * Auth_OpenID_RAND_SOURCE as null, and + * the code will fall back on a pseudo-random number generator. + * + * @param int $num_bytes The length of the return value + * @return string $bytes random bytes + */ + static function getBytes($num_bytes) + { + static $f = null; + $bytes = ''; + if ($f === null) { + if (Auth_OpenID_RAND_SOURCE === null) { + $f = false; + } else { + $f = @fopen(Auth_OpenID_RAND_SOURCE, "r"); + if ($f === false) { + $msg = 'Define Auth_OpenID_RAND_SOURCE as null to ' . + ' continue with an insecure random number generator.'; + trigger_error($msg, E_USER_ERROR); + } + } + } + if ($f === false) { + // pseudorandom used + $bytes = ''; + for ($i = 0; $i < $num_bytes; $i += 4) { + $bytes .= pack('L', mt_rand()); + } + $bytes = substr($bytes, 0, $num_bytes); + } else { + $bytes = fread($f, $num_bytes); + } + return $bytes; + } + + /** + * Produce a string of length random bytes, chosen from chrs. If + * $chrs is null, the resulting string may contain any characters. + * + * @param integer $length The length of the resulting + * randomly-generated string + * @param string $chrs A string of characters from which to choose + * to build the new string + * @return string $result A string of randomly-chosen characters + * from $chrs + */ + static function randomString($length, $population = null) + { + if ($population === null) { + return Auth_OpenID_CryptUtil::getBytes($length); + } + + $popsize = strlen($population); + + if ($popsize > 256) { + $msg = 'More than 256 characters supplied to ' . __FUNCTION__; + trigger_error($msg, E_USER_ERROR); + } + + $duplicate = 256 % $popsize; + + $str = ""; + for ($i = 0; $i < $length; $i++) { + do { + $n = ord(Auth_OpenID_CryptUtil::getBytes(1)); + } while ($n < $duplicate); + + $n %= $popsize; + $str .= $population[$n]; + } + + return $str; + } +} + diff --git a/models/Auth/OpenID/DatabaseConnection.php b/models/Auth/OpenID/DatabaseConnection.php new file mode 100644 index 000000000..0c7d08f91 --- /dev/null +++ b/models/Auth/OpenID/DatabaseConnection.php @@ -0,0 +1,130 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +/** + * An empty base class intended to emulate PEAR connection + * functionality in applications that supply their own database + * abstraction mechanisms. See {@link Auth_OpenID_SQLStore} for more + * information. You should subclass this class if you need to create + * an SQL store that needs to access its database using an + * application's database abstraction layer instead of a PEAR database + * connection. Any subclass of Auth_OpenID_DatabaseConnection MUST + * adhere to the interface specified here. + * + * @package OpenID + */ +class Auth_OpenID_DatabaseConnection { + /** + * Sets auto-commit mode on this database connection. + * + * @param bool $mode True if auto-commit is to be used; false if + * not. + */ + function autoCommit($mode) + { + } + + /** + * Run an SQL query with the specified parameters, if any. + * + * @param string $sql An SQL string with placeholders. The + * placeholders are assumed to be specific to the database engine + * for this connection. + * + * @param array $params An array of parameters to insert into the + * SQL string using this connection's escaping mechanism. + * + * @return mixed $result The result of calling this connection's + * internal query function. The type of result depends on the + * underlying database engine. This method is usually used when + * the result of a query is not important, like a DDL query. + */ + function query($sql, $params = array()) + { + } + + /** + * Starts a transaction on this connection, if supported. + */ + function begin() + { + } + + /** + * Commits a transaction on this connection, if supported. + */ + function commit() + { + } + + /** + * Performs a rollback on this connection, if supported. + */ + function rollback() + { + } + + /** + * Run an SQL query and return the first column of the first row + * of the result set, if any. + * + * @param string $sql An SQL string with placeholders. The + * placeholders are assumed to be specific to the database engine + * for this connection. + * + * @param array $params An array of parameters to insert into the + * SQL string using this connection's escaping mechanism. + * + * @return mixed $result The value of the first column of the + * first row of the result set. False if no such result was + * found. + */ + function getOne($sql, $params = array()) + { + } + + /** + * Run an SQL query and return the first row of the result set, if + * any. + * + * @param string $sql An SQL string with placeholders. The + * placeholders are assumed to be specific to the database engine + * for this connection. + * + * @param array $params An array of parameters to insert into the + * SQL string using this connection's escaping mechanism. + * + * @return array $result The first row of the result set, if any, + * keyed on column name. False if no such result was found. + */ + function getRow($sql, $params = array()) + { + } + + /** + * Run an SQL query with the specified parameters, if any. + * + * @param string $sql An SQL string with placeholders. The + * placeholders are assumed to be specific to the database engine + * for this connection. + * + * @param array $params An array of parameters to insert into the + * SQL string using this connection's escaping mechanism. + * + * @return array $result An array of arrays representing the + * result of the query; each array is keyed on column name. + */ + function getAll($sql, $params = array()) + { + } +} + diff --git a/models/Auth/OpenID/DiffieHellman.php b/models/Auth/OpenID/DiffieHellman.php new file mode 100644 index 000000000..3e25b7dbb --- /dev/null +++ b/models/Auth/OpenID/DiffieHellman.php @@ -0,0 +1,113 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +require_once 'Auth/OpenID.php'; +require_once 'Auth/OpenID/BigMath.php'; + +function Auth_OpenID_getDefaultMod() +{ + return '155172898181473697471232257763715539915724801'. + '966915404479707795314057629378541917580651227423'. + '698188993727816152646631438561595825688188889951'. + '272158842675419950341258706556549803580104870537'. + '681476726513255747040765857479291291572334510643'. + '245094715007229621094194349783925984760375594985'. + '848253359305585439638443'; +} + +function Auth_OpenID_getDefaultGen() +{ + return '2'; +} + +/** + * The Diffie-Hellman key exchange class. This class relies on + * {@link Auth_OpenID_MathLibrary} to perform large number operations. + * + * @access private + * @package OpenID + */ +class Auth_OpenID_DiffieHellman { + + var $mod; + var $gen; + var $private; + var $lib = null; + + function Auth_OpenID_DiffieHellman($mod = null, $gen = null, + $private = null, $lib = null) + { + if ($lib === null) { + $this->lib = Auth_OpenID_getMathLib(); + } else { + $this->lib = $lib; + } + + if ($mod === null) { + $this->mod = $this->lib->init(Auth_OpenID_getDefaultMod()); + } else { + $this->mod = $mod; + } + + if ($gen === null) { + $this->gen = $this->lib->init(Auth_OpenID_getDefaultGen()); + } else { + $this->gen = $gen; + } + + if ($private === null) { + $r = $this->lib->rand($this->mod); + $this->private = $this->lib->add($r, 1); + } else { + $this->private = $private; + } + + $this->public = $this->lib->powmod($this->gen, $this->private, + $this->mod); + } + + function getSharedSecret($composite) + { + return $this->lib->powmod($composite, $this->private, $this->mod); + } + + function getPublicKey() + { + return $this->public; + } + + function usingDefaultValues() + { + return ($this->mod == Auth_OpenID_getDefaultMod() && + $this->gen == Auth_OpenID_getDefaultGen()); + } + + function xorSecret($composite, $secret, $hash_func) + { + $dh_shared = $this->getSharedSecret($composite); + $dh_shared_str = $this->lib->longToBinary($dh_shared); + $hash_dh_shared = $hash_func($dh_shared_str); + + $xsecret = ""; + for ($i = 0; $i < Auth_OpenID::bytes($secret); $i++) { + $xsecret .= chr(ord($secret[$i]) ^ ord($hash_dh_shared[$i])); + } + + return $xsecret; + } +} + + diff --git a/models/Auth/OpenID/Discover.php b/models/Auth/OpenID/Discover.php new file mode 100644 index 000000000..7b0c640c5 --- /dev/null +++ b/models/Auth/OpenID/Discover.php @@ -0,0 +1,606 @@ +claimed_id = null; + $this->server_url = null; + $this->type_uris = array(); + $this->local_id = null; + $this->canonicalID = null; + $this->used_yadis = false; // whether this came from an XRDS + $this->display_identifier = null; + } + + function getDisplayIdentifier() + { + if ($this->display_identifier) { + return $this->display_identifier; + } + if (! $this->claimed_id) { + return $this->claimed_id; + } + $parsed = parse_url($this->claimed_id); + $scheme = $parsed['scheme']; + $host = $parsed['host']; + $path = $parsed['path']; + if (array_key_exists('query', $parsed)) { + $query = $parsed['query']; + $no_frag = "$scheme://$host$path?$query"; + } else { + $no_frag = "$scheme://$host$path"; + } + return $no_frag; + } + + function usesExtension($extension_uri) + { + return in_array($extension_uri, $this->type_uris); + } + + function preferredNamespace() + { + if (in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris) || + in_array(Auth_OpenID_TYPE_2_0, $this->type_uris)) { + return Auth_OpenID_OPENID2_NS; + } else { + return Auth_OpenID_OPENID1_NS; + } + } + + /* + * Query this endpoint to see if it has any of the given type + * URIs. This is useful for implementing other endpoint classes + * that e.g. need to check for the presence of multiple versions + * of a single protocol. + * + * @param $type_uris The URIs that you wish to check + * + * @return all types that are in both in type_uris and + * $this->type_uris + */ + function matchTypes($type_uris) + { + $result = array(); + foreach ($type_uris as $test_uri) { + if ($this->supportsType($test_uri)) { + $result[] = $test_uri; + } + } + + return $result; + } + + function supportsType($type_uri) + { + // Does this endpoint support this type? + return ((in_array($type_uri, $this->type_uris)) || + (($type_uri == Auth_OpenID_TYPE_2_0) && + $this->isOPIdentifier())); + } + + function compatibilityMode() + { + return $this->preferredNamespace() != Auth_OpenID_OPENID2_NS; + } + + function isOPIdentifier() + { + return in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris); + } + + static function fromOPEndpointURL($op_endpoint_url) + { + // Construct an OP-Identifier OpenIDServiceEndpoint object for + // a given OP Endpoint URL + $obj = new Auth_OpenID_ServiceEndpoint(); + $obj->server_url = $op_endpoint_url; + $obj->type_uris = array(Auth_OpenID_TYPE_2_0_IDP); + return $obj; + } + + function parseService($yadis_url, $uri, $type_uris, $service_element) + { + // Set the state of this object based on the contents of the + // service element. Return true if successful, false if not + // (if findOPLocalIdentifier returns false). + $this->type_uris = $type_uris; + $this->server_url = $uri; + $this->used_yadis = true; + + if (!$this->isOPIdentifier()) { + $this->claimed_id = $yadis_url; + $this->local_id = Auth_OpenID_findOPLocalIdentifier( + $service_element, + $this->type_uris); + if ($this->local_id === false) { + return false; + } + } + + return true; + } + + function getLocalID() + { + // Return the identifier that should be sent as the + // openid.identity_url parameter to the server. + if ($this->local_id === null && $this->canonicalID === null) { + return $this->claimed_id; + } else { + if ($this->local_id) { + return $this->local_id; + } else { + return $this->canonicalID; + } + } + } + + /* + * Parse the given document as XRDS looking for OpenID consumer services. + * + * @return array of Auth_OpenID_ServiceEndpoint or null if the + * document cannot be parsed. + */ + function consumerFromXRDS($uri, $xrds_text) + { + $xrds =& Auth_Yadis_XRDS::parseXRDS($xrds_text); + + if ($xrds) { + $yadis_services = + $xrds->services(array('filter_MatchesAnyOpenIDConsumerType')); + return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); + } + + return null; + } + + /* + * Parse the given document as XRDS looking for OpenID services. + * + * @return array of Auth_OpenID_ServiceEndpoint or null if the + * document cannot be parsed. + */ + static function fromXRDS($uri, $xrds_text) + { + $xrds = Auth_Yadis_XRDS::parseXRDS($xrds_text); + + if ($xrds) { + $yadis_services = + $xrds->services(array('filter_MatchesAnyOpenIDType')); + return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); + } + + return null; + } + + /* + * Create endpoints from a DiscoveryResult. + * + * @param discoveryResult Auth_Yadis_DiscoveryResult + * @return array of Auth_OpenID_ServiceEndpoint or null if + * endpoints cannot be created. + */ + static function fromDiscoveryResult($discoveryResult) + { + if ($discoveryResult->isXRDS()) { + return Auth_OpenID_ServiceEndpoint::fromXRDS( + $discoveryResult->normalized_uri, + $discoveryResult->response_text); + } else { + return Auth_OpenID_ServiceEndpoint::fromHTML( + $discoveryResult->normalized_uri, + $discoveryResult->response_text); + } + } + + static function fromHTML($uri, $html) + { + $discovery_types = array( + array(Auth_OpenID_TYPE_2_0, + 'openid2.provider', 'openid2.local_id'), + array(Auth_OpenID_TYPE_1_1, + 'openid.server', 'openid.delegate') + ); + + $services = array(); + + foreach ($discovery_types as $triple) { + list($type_uri, $server_rel, $delegate_rel) = $triple; + + $urls = Auth_OpenID_legacy_discover($html, $server_rel, + $delegate_rel); + + if ($urls === false) { + continue; + } + + list($delegate_url, $server_url) = $urls; + + $service = new Auth_OpenID_ServiceEndpoint(); + $service->claimed_id = $uri; + $service->local_id = $delegate_url; + $service->server_url = $server_url; + $service->type_uris = array($type_uri); + + $services[] = $service; + } + + return $services; + } + + function copy() + { + $x = new Auth_OpenID_ServiceEndpoint(); + + $x->claimed_id = $this->claimed_id; + $x->server_url = $this->server_url; + $x->type_uris = $this->type_uris; + $x->local_id = $this->local_id; + $x->canonicalID = $this->canonicalID; + $x->used_yadis = $this->used_yadis; + + return $x; + } +} + +function Auth_OpenID_findOPLocalIdentifier($service, $type_uris) +{ + // Extract a openid:Delegate value from a Yadis Service element. + // If no delegate is found, returns null. Returns false on + // discovery failure (when multiple delegate/localID tags have + // different values). + + $service->parser->registerNamespace('openid', + Auth_OpenID_XMLNS_1_0); + + $service->parser->registerNamespace('xrd', + Auth_Yadis_XMLNS_XRD_2_0); + + $parser = $service->parser; + + $permitted_tags = array(); + + if (in_array(Auth_OpenID_TYPE_1_1, $type_uris) || + in_array(Auth_OpenID_TYPE_1_0, $type_uris)) { + $permitted_tags[] = 'openid:Delegate'; + } + + if (in_array(Auth_OpenID_TYPE_2_0, $type_uris)) { + $permitted_tags[] = 'xrd:LocalID'; + } + + $local_id = null; + + foreach ($permitted_tags as $tag_name) { + $tags = $service->getElements($tag_name); + + foreach ($tags as $tag) { + $content = $parser->content($tag); + + if ($local_id === null) { + $local_id = $content; + } else if ($local_id != $content) { + return false; + } + } + } + + return $local_id; +} + +function filter_MatchesAnyOpenIDType($service) +{ + $uris = $service->getTypes(); + + foreach ($uris as $uri) { + if (in_array($uri, Auth_OpenID_getOpenIDTypeURIs())) { + return true; + } + } + + return false; +} + +function filter_MatchesAnyOpenIDConsumerType(&$service) +{ + $uris = $service->getTypes(); + + foreach ($uris as $uri) { + if (in_array($uri, Auth_OpenID_getOpenIDConsumerTypeURIs())) { + return true; + } + } + + return false; +} + +function Auth_OpenID_bestMatchingService($service, $preferred_types) +{ + // Return the index of the first matching type, or something + // higher if no type matches. + // + // This provides an ordering in which service elements that + // contain a type that comes earlier in the preferred types list + // come before service elements that come later. If a service + // element has more than one type, the most preferred one wins. + + foreach ($preferred_types as $index => $typ) { + if (in_array($typ, $service->type_uris)) { + return $index; + } + } + + return count($preferred_types); +} + +function Auth_OpenID_arrangeByType($service_list, $preferred_types) +{ + // Rearrange service_list in a new list so services are ordered by + // types listed in preferred_types. Return the new list. + + // Build a list with the service elements in tuples whose + // comparison will prefer the one with the best matching service + $prio_services = array(); + foreach ($service_list as $index => $service) { + $prio_services[] = array(Auth_OpenID_bestMatchingService($service, + $preferred_types), + $index, $service); + } + + sort($prio_services); + + // Now that the services are sorted by priority, remove the sort + // keys from the list. + foreach ($prio_services as $index => $s) { + $prio_services[$index] = $prio_services[$index][2]; + } + + return $prio_services; +} + +// Extract OP Identifier services. If none found, return the rest, +// sorted with most preferred first according to +// OpenIDServiceEndpoint.openid_type_uris. +// +// openid_services is a list of OpenIDServiceEndpoint objects. +// +// Returns a list of OpenIDServiceEndpoint objects.""" +function Auth_OpenID_getOPOrUserServices($openid_services) +{ + $op_services = Auth_OpenID_arrangeByType($openid_services, + array(Auth_OpenID_TYPE_2_0_IDP)); + + $openid_services = Auth_OpenID_arrangeByType($openid_services, + Auth_OpenID_getOpenIDTypeURIs()); + + if ($op_services) { + return $op_services; + } else { + return $openid_services; + } +} + +function Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services) +{ + $s = array(); + + if (!$yadis_services) { + return $s; + } + + foreach ($yadis_services as $service) { + $type_uris = $service->getTypes(); + $uris = $service->getURIs(); + + // If any Type URIs match and there is an endpoint URI + // specified, then this is an OpenID endpoint + if ($type_uris && + $uris) { + foreach ($uris as $service_uri) { + $openid_endpoint = new Auth_OpenID_ServiceEndpoint(); + if ($openid_endpoint->parseService($uri, + $service_uri, + $type_uris, + $service)) { + $s[] = $openid_endpoint; + } + } + } + } + + return $s; +} + +function Auth_OpenID_discoverWithYadis($uri, $fetcher, + $endpoint_filter='Auth_OpenID_getOPOrUserServices', + $discover_function=null) +{ + // Discover OpenID services for a URI. Tries Yadis and falls back + // on old-style discovery if Yadis fails. + + // Might raise a yadis.discover.DiscoveryFailure if no document + // came back for that URI at all. I don't think falling back to + // OpenID 1.0 discovery on the same URL will help, so don't bother + // to catch it. + if ($discover_function === null) { + $discover_function = array('Auth_Yadis_Yadis', 'discover'); + } + + $openid_services = array(); + + $response = call_user_func_array($discover_function, + array($uri, $fetcher)); + + $yadis_url = $response->normalized_uri; + $yadis_services = array(); + + if ($response->isFailure() && !$response->isXRDS()) { + return array($uri, array()); + } + + $openid_services = Auth_OpenID_ServiceEndpoint::fromXRDS( + $yadis_url, + $response->response_text); + + if (!$openid_services) { + if ($response->isXRDS()) { + return Auth_OpenID_discoverWithoutYadis($uri, + $fetcher); + } + + // Try to parse the response as HTML to get OpenID 1.0/1.1 + // + $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( + $yadis_url, + $response->response_text); + } + + $openid_services = call_user_func_array($endpoint_filter, + array($openid_services)); + + return array($yadis_url, $openid_services); +} + +function Auth_OpenID_discoverURI($uri, $fetcher) +{ + $uri = Auth_OpenID::normalizeUrl($uri); + return Auth_OpenID_discoverWithYadis($uri, $fetcher); +} + +function Auth_OpenID_discoverWithoutYadis($uri, $fetcher) +{ + $http_resp = @$fetcher->get($uri); + + if ($http_resp->status != 200 and $http_resp->status != 206) { + return array($uri, array()); + } + + $identity_url = $http_resp->final_url; + + // Try to parse the response as HTML to get OpenID 1.0/1.1 + $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( + $identity_url, + $http_resp->body); + + return array($identity_url, $openid_services); +} + +function Auth_OpenID_discoverXRI($iname, $fetcher) +{ + $resolver = new Auth_Yadis_ProxyResolver($fetcher); + list($canonicalID, $yadis_services) = + $resolver->query($iname, + Auth_OpenID_getOpenIDTypeURIs(), + array('filter_MatchesAnyOpenIDType')); + + $openid_services = Auth_OpenID_makeOpenIDEndpoints($iname, + $yadis_services); + + $openid_services = Auth_OpenID_getOPOrUserServices($openid_services); + + for ($i = 0; $i < count($openid_services); $i++) { + $openid_services[$i]->canonicalID = $canonicalID; + $openid_services[$i]->claimed_id = $canonicalID; + $openid_services[$i]->display_identifier = $iname; + } + + // FIXME: returned xri should probably be in some normal form + return array($iname, $openid_services); +} + +function Auth_OpenID_discover($uri, $fetcher) +{ + // If the fetcher (i.e., PHP) doesn't support SSL, we can't do + // discovery on an HTTPS URL. + if ($fetcher->isHTTPS($uri) && !$fetcher->supportsSSL()) { + return array($uri, array()); + } + + if (Auth_Yadis_identifierScheme($uri) == 'XRI') { + $result = Auth_OpenID_discoverXRI($uri, $fetcher); + } else { + $result = Auth_OpenID_discoverURI($uri, $fetcher); + } + + // If the fetcher doesn't support SSL, we can't interact with + // HTTPS server URLs; remove those endpoints from the list. + if (!$fetcher->supportsSSL()) { + $http_endpoints = array(); + list($new_uri, $endpoints) = $result; + + foreach ($endpoints as $e) { + if (!$fetcher->isHTTPS($e->server_url)) { + $http_endpoints[] = $e; + } + } + + $result = array($new_uri, $http_endpoints); + } + + return $result; +} + + diff --git a/models/Auth/OpenID/DumbStore.php b/models/Auth/OpenID/DumbStore.php new file mode 100644 index 000000000..e8f29ace5 --- /dev/null +++ b/models/Auth/OpenID/DumbStore.php @@ -0,0 +1,99 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +/** + * Import the interface for creating a new store class. + */ +require_once 'Auth/OpenID/Interface.php'; +require_once 'Auth/OpenID/HMAC.php'; + +/** + * This is a store for use in the worst case, when you have no way of + * saving state on the consumer site. Using this store makes the + * consumer vulnerable to replay attacks, as it's unable to use + * nonces. Avoid using this store if it is at all possible. + * + * Most of the methods of this class are implementation details. + * Users of this class need to worry only about the constructor. + * + * @package OpenID + */ +class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore { + + /** + * Creates a new {@link Auth_OpenID_DumbStore} instance. For the security + * of the tokens generated by the library, this class attempts to + * at least have a secure implementation of getAuthKey. + * + * When you create an instance of this class, pass in a secret + * phrase. The phrase is hashed with sha1 to make it the correct + * length and form for an auth key. That allows you to use a long + * string as the secret phrase, which means you can make it very + * difficult to guess. + * + * Each {@link Auth_OpenID_DumbStore} instance that is created for use by + * your consumer site needs to use the same $secret_phrase. + * + * @param string secret_phrase The phrase used to create the auth + * key returned by getAuthKey + */ + function Auth_OpenID_DumbStore($secret_phrase) + { + $this->auth_key = Auth_OpenID_SHA1($secret_phrase); + } + + /** + * This implementation does nothing. + */ + function storeAssociation($server_url, $association) + { + } + + /** + * This implementation always returns null. + */ + function getAssociation($server_url, $handle = null) + { + return null; + } + + /** + * This implementation always returns false. + */ + function removeAssociation($server_url, $handle) + { + return false; + } + + /** + * In a system truly limited to dumb mode, nonces must all be + * accepted. This therefore always returns true, which makes + * replay attacks feasible. + */ + function useNonce($server_url, $timestamp, $salt) + { + return true; + } + + /** + * This method returns the auth key generated by the constructor. + */ + function getAuthKey() + { + return $this->auth_key; + } +} + diff --git a/models/Auth/OpenID/Extension.php b/models/Auth/OpenID/Extension.php new file mode 100644 index 000000000..c4e38c038 --- /dev/null +++ b/models/Auth/OpenID/Extension.php @@ -0,0 +1,61 @@ +isOpenID1(); + $added = $message->namespaces->addAlias($this->ns_uri, + $this->ns_alias, + $implicit); + + if ($added === null) { + if ($message->namespaces->getAlias($this->ns_uri) != + $this->ns_alias) { + return null; + } + } + + $message->updateArgs($this->ns_uri, + $this->getExtensionArgs()); + return $message; + } +} + diff --git a/models/Auth/OpenID/FileStore.php b/models/Auth/OpenID/FileStore.php new file mode 100644 index 000000000..074421a0b --- /dev/null +++ b/models/Auth/OpenID/FileStore.php @@ -0,0 +1,618 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +/** + * Require base class for creating a new interface. + */ +require_once 'Auth/OpenID.php'; +require_once 'Auth/OpenID/Interface.php'; +require_once 'Auth/OpenID/HMAC.php'; +require_once 'Auth/OpenID/Nonce.php'; + +/** + * This is a filesystem-based store for OpenID associations and + * nonces. This store should be safe for use in concurrent systems on + * both windows and unix (excluding NFS filesystems). There are a + * couple race conditions in the system, but those failure cases have + * been set up in such a way that the worst-case behavior is someone + * having to try to log in a second time. + * + * Most of the methods of this class are implementation details. + * People wishing to just use this store need only pay attention to + * the constructor. + * + * @package OpenID + */ +class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore { + + /** + * Initializes a new {@link Auth_OpenID_FileStore}. This + * initializes the nonce and association directories, which are + * subdirectories of the directory passed in. + * + * @param string $directory This is the directory to put the store + * directories in. + */ + function Auth_OpenID_FileStore($directory) + { + if (!Auth_OpenID::ensureDir($directory)) { + trigger_error('Not a directory and failed to create: ' + . $directory, E_USER_ERROR); + } + $directory = realpath($directory); + + $this->directory = $directory; + $this->active = true; + + $this->nonce_dir = $directory . DIRECTORY_SEPARATOR . 'nonces'; + + $this->association_dir = $directory . DIRECTORY_SEPARATOR . + 'associations'; + + // Temp dir must be on the same filesystem as the assciations + // $directory. + $this->temp_dir = $directory . DIRECTORY_SEPARATOR . 'temp'; + + $this->max_nonce_age = 6 * 60 * 60; // Six hours, in seconds + + if (!$this->_setup()) { + trigger_error('Failed to initialize OpenID file store in ' . + $directory, E_USER_ERROR); + } + } + + function destroy() + { + Auth_OpenID_FileStore::_rmtree($this->directory); + $this->active = false; + } + + /** + * Make sure that the directories in which we store our data + * exist. + * + * @access private + */ + function _setup() + { + return (Auth_OpenID::ensureDir($this->nonce_dir) && + Auth_OpenID::ensureDir($this->association_dir) && + Auth_OpenID::ensureDir($this->temp_dir)); + } + + /** + * Create a temporary file on the same filesystem as + * $this->association_dir. + * + * The temporary directory should not be cleaned if there are any + * processes using the store. If there is no active process using + * the store, it is safe to remove all of the files in the + * temporary directory. + * + * @return array ($fd, $filename) + * @access private + */ + function _mktemp() + { + $name = Auth_OpenID_FileStore::_mkstemp($dir = $this->temp_dir); + $file_obj = @fopen($name, 'wb'); + if ($file_obj !== false) { + return array($file_obj, $name); + } else { + Auth_OpenID_FileStore::_removeIfPresent($name); + } + } + + function cleanupNonces() + { + global $Auth_OpenID_SKEW; + + $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); + $now = time(); + + $removed = 0; + // Check all nonces for expiry + foreach ($nonces as $nonce_fname) { + $base = basename($nonce_fname); + $parts = explode('-', $base, 2); + $timestamp = $parts[0]; + $timestamp = intval($timestamp, 16); + if (abs($timestamp - $now) > $Auth_OpenID_SKEW) { + Auth_OpenID_FileStore::_removeIfPresent($nonce_fname); + $removed += 1; + } + } + return $removed; + } + + /** + * Create a unique filename for a given server url and + * handle. This implementation does not assume anything about the + * format of the handle. The filename that is returned will + * contain the domain name from the server URL for ease of human + * inspection of the data directory. + * + * @return string $filename + */ + function getAssociationFilename($server_url, $handle) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + if (strpos($server_url, '://') === false) { + trigger_error(sprintf("Bad server URL: %s", $server_url), + E_USER_WARNING); + return null; + } + + list($proto, $rest) = explode('://', $server_url, 2); + $parts = explode('/', $rest); + $domain = Auth_OpenID_FileStore::_filenameEscape($parts[0]); + $url_hash = Auth_OpenID_FileStore::_safe64($server_url); + if ($handle) { + $handle_hash = Auth_OpenID_FileStore::_safe64($handle); + } else { + $handle_hash = ''; + } + + $filename = sprintf('%s-%s-%s-%s', $proto, $domain, $url_hash, + $handle_hash); + + return $this->association_dir. DIRECTORY_SEPARATOR . $filename; + } + + /** + * Store an association in the association directory. + */ + function storeAssociation($server_url, $association) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return false; + } + + $association_s = $association->serialize(); + $filename = $this->getAssociationFilename($server_url, + $association->handle); + list($tmp_file, $tmp) = $this->_mktemp(); + + if (!$tmp_file) { + trigger_error("_mktemp didn't return a valid file descriptor", + E_USER_WARNING); + return false; + } + + fwrite($tmp_file, $association_s); + + fflush($tmp_file); + + fclose($tmp_file); + + if (@rename($tmp, $filename)) { + return true; + } else { + // In case we are running on Windows, try unlinking the + // file in case it exists. + @unlink($filename); + + // Now the target should not exist. Try renaming again, + // giving up if it fails. + if (@rename($tmp, $filename)) { + return true; + } + } + + // If there was an error, don't leave the temporary file + // around. + Auth_OpenID_FileStore::_removeIfPresent($tmp); + return false; + } + + /** + * Retrieve an association. If no handle is specified, return the + * association with the most recent issue time. + * + * @return mixed $association + */ + function getAssociation($server_url, $handle = null) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + if ($handle === null) { + $handle = ''; + } + + // The filename with the empty handle is a prefix of all other + // associations for the given server URL. + $filename = $this->getAssociationFilename($server_url, $handle); + + if ($handle) { + return $this->_getAssociation($filename); + } else { + $association_files = + Auth_OpenID_FileStore::_listdir($this->association_dir); + $matching_files = array(); + + // strip off the path to do the comparison + $name = basename($filename); + foreach ($association_files as $association_file) { + $base = basename($association_file); + if (strpos($base, $name) === 0) { + $matching_files[] = $association_file; + } + } + + $matching_associations = array(); + // read the matching files and sort by time issued + foreach ($matching_files as $full_name) { + $association = $this->_getAssociation($full_name); + if ($association !== null) { + $matching_associations[] = array($association->issued, + $association); + } + } + + $issued = array(); + $assocs = array(); + foreach ($matching_associations as $key => $assoc) { + $issued[$key] = $assoc[0]; + $assocs[$key] = $assoc[1]; + } + + array_multisort($issued, SORT_DESC, $assocs, SORT_DESC, + $matching_associations); + + // return the most recently issued one. + if ($matching_associations) { + list($issued, $assoc) = $matching_associations[0]; + return $assoc; + } else { + return null; + } + } + } + + /** + * @access private + */ + function _getAssociation($filename) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + $assoc_file = @fopen($filename, 'rb'); + + if ($assoc_file === false) { + return null; + } + + $assoc_s = fread($assoc_file, filesize($filename)); + fclose($assoc_file); + + if (!$assoc_s) { + return null; + } + + $association = + Auth_OpenID_Association::deserialize('Auth_OpenID_Association', + $assoc_s); + + if (!$association) { + Auth_OpenID_FileStore::_removeIfPresent($filename); + return null; + } + + if ($association->getExpiresIn() == 0) { + Auth_OpenID_FileStore::_removeIfPresent($filename); + return null; + } else { + return $association; + } + } + + /** + * Remove an association if it exists. Do nothing if it does not. + * + * @return bool $success + */ + function removeAssociation($server_url, $handle) + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + $assoc = $this->getAssociation($server_url, $handle); + if ($assoc === null) { + return false; + } else { + $filename = $this->getAssociationFilename($server_url, $handle); + return Auth_OpenID_FileStore::_removeIfPresent($filename); + } + } + + /** + * Return whether this nonce is present. As a side effect, mark it + * as no longer present. + * + * @return bool $present + */ + function useNonce($server_url, $timestamp, $salt) + { + global $Auth_OpenID_SKEW; + + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) { + return false; + } + + if ($server_url) { + list($proto, $rest) = explode('://', $server_url, 2); + } else { + $proto = ''; + $rest = ''; + } + + $parts = explode('/', $rest, 2); + $domain = $this->_filenameEscape($parts[0]); + $url_hash = $this->_safe64($server_url); + $salt_hash = $this->_safe64($salt); + + $filename = sprintf('%08x-%s-%s-%s-%s', $timestamp, $proto, + $domain, $url_hash, $salt_hash); + $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $filename; + + $result = @fopen($filename, 'x'); + + if ($result === false) { + return false; + } else { + fclose($result); + return true; + } + } + + /** + * Remove expired entries from the database. This is potentially + * expensive, so only run when it is acceptable to take time. + * + * @access private + */ + function _allAssocs() + { + $all_associations = array(); + + $association_filenames = + Auth_OpenID_FileStore::_listdir($this->association_dir); + + foreach ($association_filenames as $association_filename) { + $association_file = fopen($association_filename, 'rb'); + + if ($association_file !== false) { + $assoc_s = fread($association_file, + filesize($association_filename)); + fclose($association_file); + + // Remove expired or corrupted associations + $association = + Auth_OpenID_Association::deserialize( + 'Auth_OpenID_Association', $assoc_s); + + if ($association === null) { + Auth_OpenID_FileStore::_removeIfPresent( + $association_filename); + } else { + if ($association->getExpiresIn() == 0) { + $all_associations[] = array($association_filename, + $association); + } + } + } + } + + return $all_associations; + } + + function clean() + { + if (!$this->active) { + trigger_error("FileStore no longer active", E_USER_ERROR); + return null; + } + + $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); + $now = time(); + + // Check all nonces for expiry + foreach ($nonces as $nonce) { + if (!Auth_OpenID_checkTimestamp($nonce, $now)) { + $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $nonce; + Auth_OpenID_FileStore::_removeIfPresent($filename); + } + } + + foreach ($this->_allAssocs() as $pair) { + list($assoc_filename, $assoc) = $pair; + if ($assoc->getExpiresIn() == 0) { + Auth_OpenID_FileStore::_removeIfPresent($assoc_filename); + } + } + } + + /** + * @access private + */ + function _rmtree($dir) + { + if ($dir[strlen($dir) - 1] != DIRECTORY_SEPARATOR) { + $dir .= DIRECTORY_SEPARATOR; + } + + if ($handle = opendir($dir)) { + while ($item = readdir($handle)) { + if (!in_array($item, array('.', '..'))) { + if (is_dir($dir . $item)) { + + if (!Auth_OpenID_FileStore::_rmtree($dir . $item)) { + return false; + } + } else if (is_file($dir . $item)) { + if (!unlink($dir . $item)) { + return false; + } + } + } + } + + closedir($handle); + + if (!@rmdir($dir)) { + return false; + } + + return true; + } else { + // Couldn't open directory. + return false; + } + } + + /** + * @access private + */ + function _mkstemp($dir) + { + foreach (range(0, 4) as $i) { + $name = tempnam($dir, "php_openid_filestore_"); + + if ($name !== false) { + return $name; + } + } + return false; + } + + /** + * @access private + */ + static function _mkdtemp($dir) + { + foreach (range(0, 4) as $i) { + $name = $dir . strval(DIRECTORY_SEPARATOR) . strval(getmypid()) . + "-" . strval(rand(1, time())); + if (!mkdir($name, 0700)) { + return false; + } else { + return $name; + } + } + return false; + } + + /** + * @access private + */ + function _listdir($dir) + { + $handle = opendir($dir); + $files = array(); + while (false !== ($filename = readdir($handle))) { + if (!in_array($filename, array('.', '..'))) { + $files[] = $dir . DIRECTORY_SEPARATOR . $filename; + } + } + return $files; + } + + /** + * @access private + */ + function _isFilenameSafe($char) + { + $_Auth_OpenID_filename_allowed = Auth_OpenID_letters . + Auth_OpenID_digits . "."; + return (strpos($_Auth_OpenID_filename_allowed, $char) !== false); + } + + /** + * @access private + */ + function _safe64($str) + { + $h64 = base64_encode(Auth_OpenID_SHA1($str)); + $h64 = str_replace('+', '_', $h64); + $h64 = str_replace('/', '.', $h64); + $h64 = str_replace('=', '', $h64); + return $h64; + } + + /** + * @access private + */ + function _filenameEscape($str) + { + $filename = ""; + $b = Auth_OpenID::toBytes($str); + + for ($i = 0; $i < count($b); $i++) { + $c = $b[$i]; + if (Auth_OpenID_FileStore::_isFilenameSafe($c)) { + $filename .= $c; + } else { + $filename .= sprintf("_%02X", ord($c)); + } + } + return $filename; + } + + /** + * Attempt to remove a file, returning whether the file existed at + * the time of the call. + * + * @access private + * @return bool $result True if the file was present, false if not. + */ + function _removeIfPresent($filename) + { + return @unlink($filename); + } + + function cleanupAssociations() + { + $removed = 0; + foreach ($this->_allAssocs() as $pair) { + list($assoc_filename, $assoc) = $pair; + if ($assoc->getExpiresIn() == 0) { + $this->_removeIfPresent($assoc_filename); + $removed += 1; + } + } + return $removed; + } +} + + diff --git a/models/Auth/OpenID/HMAC.php b/models/Auth/OpenID/HMAC.php new file mode 100644 index 000000000..e9779bd4e --- /dev/null +++ b/models/Auth/OpenID/HMAC.php @@ -0,0 +1,98 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +require_once 'Auth/OpenID.php'; + +/** + * SHA1_BLOCKSIZE is this module's SHA1 blocksize used by the fallback + * implementation. + */ +define('Auth_OpenID_SHA1_BLOCKSIZE', 64); + +function Auth_OpenID_SHA1($text) +{ + if (function_exists('hash') && + function_exists('hash_algos') && + (in_array('sha1', hash_algos()))) { + // PHP 5 case (sometimes): 'hash' available and 'sha1' algo + // supported. + return hash('sha1', $text, true); + } else if (function_exists('sha1')) { + // PHP 4 case: 'sha1' available. + $hex = sha1($text); + $raw = ''; + for ($i = 0; $i < 40; $i += 2) { + $hexcode = substr($hex, $i, 2); + $charcode = (int)base_convert($hexcode, 16, 10); + $raw .= chr($charcode); + } + return $raw; + } else { + // Explode. + trigger_error('No SHA1 function found', E_USER_ERROR); + } +} + +/** + * Compute an HMAC/SHA1 hash. + * + * @access private + * @param string $key The HMAC key + * @param string $text The message text to hash + * @return string $mac The MAC + */ +function Auth_OpenID_HMACSHA1($key, $text) +{ + if (Auth_OpenID::bytes($key) > Auth_OpenID_SHA1_BLOCKSIZE) { + $key = Auth_OpenID_SHA1($key, true); + } + + $key = str_pad($key, Auth_OpenID_SHA1_BLOCKSIZE, chr(0x00)); + $ipad = str_repeat(chr(0x36), Auth_OpenID_SHA1_BLOCKSIZE); + $opad = str_repeat(chr(0x5c), Auth_OpenID_SHA1_BLOCKSIZE); + $hash1 = Auth_OpenID_SHA1(($key ^ $ipad) . $text, true); + $hmac = Auth_OpenID_SHA1(($key ^ $opad) . $hash1, true); + return $hmac; +} + +if (function_exists('hash') && + function_exists('hash_algos') && + (in_array('sha256', hash_algos()))) { + function Auth_OpenID_SHA256($text) + { + // PHP 5 case: 'hash' available and 'sha256' algo supported. + return hash('sha256', $text, true); + } + define('Auth_OpenID_SHA256_SUPPORTED', true); +} else { + define('Auth_OpenID_SHA256_SUPPORTED', false); +} + +if (function_exists('hash_hmac') && + function_exists('hash_algos') && + (in_array('sha256', hash_algos()))) { + + function Auth_OpenID_HMACSHA256($key, $text) + { + // Return raw MAC (not hex string). + return hash_hmac('sha256', $text, $key, true); + } + + define('Auth_OpenID_HMACSHA256_SUPPORTED', true); +} else { + define('Auth_OpenID_HMACSHA256_SUPPORTED', false); +} + diff --git a/models/Auth/OpenID/Interface.php b/models/Auth/OpenID/Interface.php new file mode 100644 index 000000000..eca6b9c50 --- /dev/null +++ b/models/Auth/OpenID/Interface.php @@ -0,0 +1,196 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +/** + * This is the interface for the store objects the OpenID library + * uses. It is a single class that provides all of the persistence + * mechanisms that the OpenID library needs, for both servers and + * consumers. If you want to create an SQL-driven store, please see + * then {@link Auth_OpenID_SQLStore} class. + * + * Change: Version 2.0 removed the storeNonce, getAuthKey, and isDumb + * methods, and changed the behavior of the useNonce method to support + * one-way nonces. + * + * @package OpenID + * @author JanRain, Inc. + */ +class Auth_OpenID_OpenIDStore { + /** + * This method puts an Association object into storage, + * retrievable by server URL and handle. + * + * @param string $server_url The URL of the identity server that + * this association is with. Because of the way the server portion + * of the library uses this interface, don't assume there are any + * limitations on the character set of the input string. In + * particular, expect to see unescaped non-url-safe characters in + * the server_url field. + * + * @param Association $association The Association to store. + */ + function storeAssociation($server_url, $association) + { + trigger_error("Auth_OpenID_OpenIDStore::storeAssociation ". + "not implemented", E_USER_ERROR); + } + + /* + * Remove expired nonces from the store. + * + * Discards any nonce from storage that is old enough that its + * timestamp would not pass useNonce(). + * + * This method is not called in the normal operation of the + * library. It provides a way for store admins to keep their + * storage from filling up with expired data. + * + * @return the number of nonces expired + */ + function cleanupNonces() + { + trigger_error("Auth_OpenID_OpenIDStore::cleanupNonces ". + "not implemented", E_USER_ERROR); + } + + /* + * Remove expired associations from the store. + * + * This method is not called in the normal operation of the + * library. It provides a way for store admins to keep their + * storage from filling up with expired data. + * + * @return the number of associations expired. + */ + function cleanupAssociations() + { + trigger_error("Auth_OpenID_OpenIDStore::cleanupAssociations ". + "not implemented", E_USER_ERROR); + } + + /* + * Shortcut for cleanupNonces(), cleanupAssociations(). + * + * This method is not called in the normal operation of the + * library. It provides a way for store admins to keep their + * storage from filling up with expired data. + */ + function cleanup() + { + return array($this->cleanupNonces(), + $this->cleanupAssociations()); + } + + /** + * Report whether this storage supports cleanup + */ + function supportsCleanup() + { + return true; + } + + /** + * This method returns an Association object from storage that + * matches the server URL and, if specified, handle. It returns + * null if no such association is found or if the matching + * association is expired. + * + * If no handle is specified, the store may return any association + * which matches the server URL. If multiple associations are + * valid, the recommended return value for this method is the one + * most recently issued. + * + * This method is allowed (and encouraged) to garbage collect + * expired associations when found. This method must not return + * expired associations. + * + * @param string $server_url The URL of the identity server to get + * the association for. Because of the way the server portion of + * the library uses this interface, don't assume there are any + * limitations on the character set of the input string. In + * particular, expect to see unescaped non-url-safe characters in + * the server_url field. + * + * @param mixed $handle This optional parameter is the handle of + * the specific association to get. If no specific handle is + * provided, any valid association matching the server URL is + * returned. + * + * @return Association The Association for the given identity + * server. + */ + function getAssociation($server_url, $handle = null) + { + trigger_error("Auth_OpenID_OpenIDStore::getAssociation ". + "not implemented", E_USER_ERROR); + } + + /** + * This method removes the matching association if it's found, and + * returns whether the association was removed or not. + * + * @param string $server_url The URL of the identity server the + * association to remove belongs to. Because of the way the server + * portion of the library uses this interface, don't assume there + * are any limitations on the character set of the input + * string. In particular, expect to see unescaped non-url-safe + * characters in the server_url field. + * + * @param string $handle This is the handle of the association to + * remove. If there isn't an association found that matches both + * the given URL and handle, then there was no matching handle + * found. + * + * @return mixed Returns whether or not the given association existed. + */ + function removeAssociation($server_url, $handle) + { + trigger_error("Auth_OpenID_OpenIDStore::removeAssociation ". + "not implemented", E_USER_ERROR); + } + + /** + * Called when using a nonce. + * + * This method should return C{True} if the nonce has not been + * used before, and store it for a while to make sure nobody + * tries to use the same value again. If the nonce has already + * been used, return C{False}. + * + * Change: In earlier versions, round-trip nonces were used and a + * nonce was only valid if it had been previously stored with + * storeNonce. Version 2.0 uses one-way nonces, requiring a + * different implementation here that does not depend on a + * storeNonce call. (storeNonce is no longer part of the + * interface. + * + * @param string $nonce The nonce to use. + * + * @return bool Whether or not the nonce was valid. + */ + function useNonce($server_url, $timestamp, $salt) + { + trigger_error("Auth_OpenID_OpenIDStore::useNonce ". + "not implemented", E_USER_ERROR); + } + + /** + * Removes all entries from the store; implementation is optional. + */ + function reset() + { + } + +} diff --git a/models/Auth/OpenID/KVForm.php b/models/Auth/OpenID/KVForm.php new file mode 100644 index 000000000..dd02661d8 --- /dev/null +++ b/models/Auth/OpenID/KVForm.php @@ -0,0 +1,111 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +/** + * Container for key-value/comma-newline OpenID format and parsing + */ +class Auth_OpenID_KVForm { + /** + * Convert an OpenID colon/newline separated string into an + * associative array + * + * @static + * @access private + */ + static function toArray($kvs, $strict=false) + { + $lines = explode("\n", $kvs); + + $last = array_pop($lines); + if ($last !== '') { + array_push($lines, $last); + if ($strict) { + return false; + } + } + + $values = array(); + + for ($lineno = 0; $lineno < count($lines); $lineno++) { + $line = $lines[$lineno]; + $kv = explode(':', $line, 2); + if (count($kv) != 2) { + if ($strict) { + return false; + } + continue; + } + + $key = $kv[0]; + $tkey = trim($key); + if ($tkey != $key) { + if ($strict) { + return false; + } + } + + $value = $kv[1]; + $tval = trim($value); + if ($tval != $value) { + if ($strict) { + return false; + } + } + + $values[$tkey] = $tval; + } + + return $values; + } + + /** + * Convert an array into an OpenID colon/newline separated string + * + * @static + * @access private + */ + static function fromArray($values) + { + if ($values === null) { + return null; + } + + ksort($values); + + $serialized = ''; + foreach ($values as $key => $value) { + if (is_array($value)) { + list($key, $value) = array($value[0], $value[1]); + } + + if (strpos($key, ':') !== false) { + return null; + } + + if (strpos($key, "\n") !== false) { + return null; + } + + if (strpos($value, "\n") !== false) { + return null; + } + $serialized .= "$key:$value\n"; + } + return $serialized; + } +} + diff --git a/models/Auth/OpenID/MDB2Store.php b/models/Auth/OpenID/MDB2Store.php new file mode 100644 index 000000000..80024bada --- /dev/null +++ b/models/Auth/OpenID/MDB2Store.php @@ -0,0 +1,413 @@ + + * @copyright 2005 Janrain, Inc. + * @license http://www.gnu.org/copyleft/lesser.html LGPL + */ + +require_once 'MDB2.php'; + +/** + * @access private + */ +require_once 'Auth/OpenID/Interface.php'; + +/** + * @access private + */ +require_once 'Auth/OpenID.php'; + +/** + * @access private + */ +require_once 'Auth/OpenID/Nonce.php'; + +/** + * This store uses a PEAR::MDB2 connection to store persistence + * information. + * + * The table names used are determined by the class variables + * associations_table_name and nonces_table_name. To change the name + * of the tables used, pass new table names into the constructor. + * + * To create the tables with the proper schema, see the createTables + * method. + * + * @package OpenID + */ +class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore { + /** + * This creates a new MDB2Store instance. It requires an + * established database connection be given to it, and it allows + * overriding the default table names. + * + * @param connection $connection This must be an established + * connection to a database of the correct type for the SQLStore + * subclass you're using. This must be a PEAR::MDB2 connection + * handle. + * + * @param associations_table: This is an optional parameter to + * specify the name of the table used for storing associations. + * The default value is 'oid_associations'. + * + * @param nonces_table: This is an optional parameter to specify + * the name of the table used for storing nonces. The default + * value is 'oid_nonces'. + */ + function Auth_OpenID_MDB2Store($connection, + $associations_table = null, + $nonces_table = null) + { + $this->associations_table_name = "oid_associations"; + $this->nonces_table_name = "oid_nonces"; + + // Check the connection object type to be sure it's a PEAR + // database connection. + if (!is_object($connection) || + !is_subclass_of($connection, 'mdb2_driver_common')) { + trigger_error("Auth_OpenID_MDB2Store expected PEAR connection " . + "object (got ".get_class($connection).")", + E_USER_ERROR); + return; + } + + $this->connection = $connection; + + // Be sure to set the fetch mode so the results are keyed on + // column name instead of column index. + $this->connection->setFetchMode(MDB2_FETCHMODE_ASSOC); + + if (PEAR::isError($this->connection->loadModule('Extended'))) { + trigger_error("Unable to load MDB2_Extended module", E_USER_ERROR); + return; + } + + if ($associations_table) { + $this->associations_table_name = $associations_table; + } + + if ($nonces_table) { + $this->nonces_table_name = $nonces_table; + } + + $this->max_nonce_age = 6 * 60 * 60; + } + + function tableExists($table_name) + { + return !PEAR::isError($this->connection->query( + sprintf("SELECT * FROM %s LIMIT 0", + $table_name))); + } + + function createTables() + { + $n = $this->create_nonce_table(); + $a = $this->create_assoc_table(); + + if (!$n || !$a) { + return false; + } + return true; + } + + function create_nonce_table() + { + if (!$this->tableExists($this->nonces_table_name)) { + switch ($this->connection->phptype) { + case "mysql": + case "mysqli": + // Custom SQL for MySQL to use InnoDB and variable- + // length keys + $r = $this->connection->exec( + sprintf("CREATE TABLE %s (\n". + " server_url VARCHAR(2047) NOT NULL DEFAULT '',\n". + " timestamp INTEGER NOT NULL,\n". + " salt CHAR(40) NOT NULL,\n". + " UNIQUE (server_url(255), timestamp, salt)\n". + ") TYPE=InnoDB", + $this->nonces_table_name)); + if (PEAR::isError($r)) { + return false; + } + break; + default: + if (PEAR::isError( + $this->connection->loadModule('Manager'))) { + return false; + } + $fields = array( + "server_url" => array( + "type" => "text", + "length" => 2047, + "notnull" => true + ), + "timestamp" => array( + "type" => "integer", + "notnull" => true + ), + "salt" => array( + "type" => "text", + "length" => 40, + "fixed" => true, + "notnull" => true + ) + ); + $constraint = array( + "unique" => 1, + "fields" => array( + "server_url" => true, + "timestamp" => true, + "salt" => true + ) + ); + + $r = $this->connection->createTable($this->nonces_table_name, + $fields); + if (PEAR::isError($r)) { + return false; + } + + $r = $this->connection->createConstraint( + $this->nonces_table_name, + $this->nonces_table_name . "_constraint", + $constraint); + if (PEAR::isError($r)) { + return false; + } + break; + } + } + return true; + } + + function create_assoc_table() + { + if (!$this->tableExists($this->associations_table_name)) { + switch ($this->connection->phptype) { + case "mysql": + case "mysqli": + // Custom SQL for MySQL to use InnoDB and variable- + // length keys + $r = $this->connection->exec( + sprintf("CREATE TABLE %s(\n". + " server_url VARCHAR(2047) NOT NULL DEFAULT '',\n". + " handle VARCHAR(255) NOT NULL,\n". + " secret BLOB NOT NULL,\n". + " issued INTEGER NOT NULL,\n". + " lifetime INTEGER NOT NULL,\n". + " assoc_type VARCHAR(64) NOT NULL,\n". + " PRIMARY KEY (server_url(255), handle)\n". + ") TYPE=InnoDB", + $this->associations_table_name)); + if (PEAR::isError($r)) { + return false; + } + break; + default: + if (PEAR::isError( + $this->connection->loadModule('Manager'))) { + return false; + } + $fields = array( + "server_url" => array( + "type" => "text", + "length" => 2047, + "notnull" => true + ), + "handle" => array( + "type" => "text", + "length" => 255, + "notnull" => true + ), + "secret" => array( + "type" => "blob", + "length" => "255", + "notnull" => true + ), + "issued" => array( + "type" => "integer", + "notnull" => true + ), + "lifetime" => array( + "type" => "integer", + "notnull" => true + ), + "assoc_type" => array( + "type" => "text", + "length" => 64, + "notnull" => true + ) + ); + $options = array( + "primary" => array( + "server_url" => true, + "handle" => true + ) + ); + + $r = $this->connection->createTable( + $this->associations_table_name, + $fields, + $options); + if (PEAR::isError($r)) { + return false; + } + break; + } + } + return true; + } + + function storeAssociation($server_url, $association) + { + $fields = array( + "server_url" => array( + "value" => $server_url, + "key" => true + ), + "handle" => array( + "value" => $association->handle, + "key" => true + ), + "secret" => array( + "value" => $association->secret, + "type" => "blob" + ), + "issued" => array( + "value" => $association->issued + ), + "lifetime" => array( + "value" => $association->lifetime + ), + "assoc_type" => array( + "value" => $association->assoc_type + ) + ); + + return !PEAR::isError($this->connection->replace( + $this->associations_table_name, + $fields)); + } + + function cleanupNonces() + { + global $Auth_OpenID_SKEW; + $v = time() - $Auth_OpenID_SKEW; + + return $this->connection->exec( + sprintf("DELETE FROM %s WHERE timestamp < %d", + $this->nonces_table_name, $v)); + } + + function cleanupAssociations() + { + return $this->connection->exec( + sprintf("DELETE FROM %s WHERE issued + lifetime < %d", + $this->associations_table_name, time())); + } + + function getAssociation($server_url, $handle = null) + { + $sql = ""; + $params = null; + $types = array( + "text", + "blob", + "integer", + "integer", + "text" + ); + if ($handle !== null) { + $sql = sprintf("SELECT handle, secret, issued, lifetime, assoc_type " . + "FROM %s WHERE server_url = ? AND handle = ?", + $this->associations_table_name); + $params = array($server_url, $handle); + } else { + $sql = sprintf("SELECT handle, secret, issued, lifetime, assoc_type " . + "FROM %s WHERE server_url = ? ORDER BY issued DESC", + $this->associations_table_name); + $params = array($server_url); + } + + $assoc = $this->connection->getRow($sql, $types, $params); + + if (!$assoc || PEAR::isError($assoc)) { + return null; + } else { + $association = new Auth_OpenID_Association($assoc['handle'], + stream_get_contents( + $assoc['secret']), + $assoc['issued'], + $assoc['lifetime'], + $assoc['assoc_type']); + fclose($assoc['secret']); + return $association; + } + } + + function removeAssociation($server_url, $handle) + { + $r = $this->connection->execParam( + sprintf("DELETE FROM %s WHERE server_url = ? AND handle = ?", + $this->associations_table_name), + array($server_url, $handle)); + + if (PEAR::isError($r) || $r == 0) { + return false; + } + return true; + } + + function useNonce($server_url, $timestamp, $salt) + { + global $Auth_OpenID_SKEW; + + if (abs($timestamp - time()) > $Auth_OpenID_SKEW ) { + return false; + } + + $fields = array( + "timestamp" => $timestamp, + "salt" => $salt + ); + + if (!empty($server_url)) { + $fields["server_url"] = $server_url; + } + + $r = $this->connection->autoExecute( + $this->nonces_table_name, + $fields, + MDB2_AUTOQUERY_INSERT); + + if (PEAR::isError($r)) { + return false; + } + return true; + } + + /** + * Resets the store by removing all records from the store's + * tables. + */ + function reset() + { + $this->connection->query(sprintf("DELETE FROM %s", + $this->associations_table_name)); + + $this->connection->query(sprintf("DELETE FROM %s", + $this->nonces_table_name)); + } + +} + +?> diff --git a/models/Auth/OpenID/MemcachedStore.php b/models/Auth/OpenID/MemcachedStore.php new file mode 100644 index 000000000..fc10800b1 --- /dev/null +++ b/models/Auth/OpenID/MemcachedStore.php @@ -0,0 +1,207 @@ + + * @copyright 2008 JanRain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + * Contributed by Open Web Technologies + */ + +/** + * Import the interface for creating a new store class. + */ +require_once 'Auth/OpenID/Interface.php'; + +/** + * This is a memcached-based store for OpenID associations and + * nonces. + * + * As memcache has limit of 250 chars for key length, + * server_url, handle and salt are hashed with sha1(). + * + * Most of the methods of this class are implementation details. + * People wishing to just use this store need only pay attention to + * the constructor. + * + * @package OpenID + */ +class Auth_OpenID_MemcachedStore extends Auth_OpenID_OpenIDStore { + + /** + * Initializes a new {@link Auth_OpenID_MemcachedStore} instance. + * Just saves memcached object as property. + * + * @param resource connection Memcache connection resourse + */ + function Auth_OpenID_MemcachedStore($connection, $compress = false) + { + $this->connection = $connection; + $this->compress = $compress ? MEMCACHE_COMPRESSED : 0; + } + + /** + * Store association until its expiration time in memcached. + * Overwrites any existing association with same server_url and + * handle. Handles list of associations for every server. + */ + function storeAssociation($server_url, $association) + { + // create memcached keys for association itself + // and list of associations for this server + $associationKey = $this->associationKey($server_url, + $association->handle); + $serverKey = $this->associationServerKey($server_url); + + // get list of associations + $serverAssociations = $this->connection->get($serverKey); + + // if no such list, initialize it with empty array + if (!$serverAssociations) { + $serverAssociations = array(); + } + // and store given association key in it + $serverAssociations[$association->issued] = $associationKey; + + // save associations' keys list + $this->connection->set( + $serverKey, + $serverAssociations, + $this->compress + ); + // save association itself + $this->connection->set( + $associationKey, + $association, + $this->compress, + $association->issued + $association->lifetime); + } + + /** + * Read association from memcached. If no handle given + * and multiple associations found, returns latest issued + */ + function getAssociation($server_url, $handle = null) + { + // simple case: handle given + if ($handle !== null) { + // get association, return null if failed + $association = $this->connection->get( + $this->associationKey($server_url, $handle)); + return $association ? $association : null; + } + + // no handle given, working with list + // create key for list of associations + $serverKey = $this->associationServerKey($server_url); + + // get list of associations + $serverAssociations = $this->connection->get($serverKey); + // return null if failed or got empty list + if (!$serverAssociations) { + return null; + } + + // get key of most recently issued association + $keys = array_keys($serverAssociations); + sort($keys); + $lastKey = $serverAssociations[array_pop($keys)]; + + // get association, return null if failed + $association = $this->connection->get($lastKey); + return $association ? $association : null; + } + + /** + * Immediately delete association from memcache. + */ + function removeAssociation($server_url, $handle) + { + // create memcached keys for association itself + // and list of associations for this server + $serverKey = $this->associationServerKey($server_url); + $associationKey = $this->associationKey($server_url, + $handle); + + // get list of associations + $serverAssociations = $this->connection->get($serverKey); + // return null if failed or got empty list + if (!$serverAssociations) { + return false; + } + + // ensure that given association key exists in list + $serverAssociations = array_flip($serverAssociations); + if (!array_key_exists($associationKey, $serverAssociations)) { + return false; + } + + // remove given association key from list + unset($serverAssociations[$associationKey]); + $serverAssociations = array_flip($serverAssociations); + + // save updated list + $this->connection->set( + $serverKey, + $serverAssociations, + $this->compress + ); + + // delete association + return $this->connection->delete($associationKey); + } + + /** + * Create nonce for server and salt, expiring after + * $Auth_OpenID_SKEW seconds. + */ + function useNonce($server_url, $timestamp, $salt) + { + global $Auth_OpenID_SKEW; + + // save one request to memcache when nonce obviously expired + if (abs($timestamp - time()) > $Auth_OpenID_SKEW) { + return false; + } + + // returns false when nonce already exists + // otherwise adds nonce + return $this->connection->add( + 'openid_nonce_' . sha1($server_url) . '_' . sha1($salt), + 1, // any value here + $this->compress, + $Auth_OpenID_SKEW); + } + + /** + * Memcache key is prefixed with 'openid_association_' string. + */ + function associationKey($server_url, $handle = null) + { + return 'openid_association_' . sha1($server_url) . '_' . sha1($handle); + } + + /** + * Memcache key is prefixed with 'openid_association_' string. + */ + function associationServerKey($server_url) + { + return 'openid_association_server_' . sha1($server_url); + } + + /** + * Report that this storage doesn't support cleanup + */ + function supportsCleanup() + { + return false; + } +} + diff --git a/models/Auth/OpenID/Message.php b/models/Auth/OpenID/Message.php new file mode 100644 index 000000000..9aa1fa468 --- /dev/null +++ b/models/Auth/OpenID/Message.php @@ -0,0 +1,920 @@ +keys = array(); + $this->values = array(); + + if (is_array($classic_array)) { + foreach ($classic_array as $key => $value) { + $this->set($key, $value); + } + } + } + + /** + * Returns true if $thing is an Auth_OpenID_Mapping object; false + * if not. + */ + static function isA($thing) + { + return (is_object($thing) && + strtolower(get_class($thing)) == 'auth_openid_mapping'); + } + + /** + * Returns an array of the keys in the mapping. + */ + function keys() + { + return $this->keys; + } + + /** + * Returns an array of values in the mapping. + */ + function values() + { + return $this->values; + } + + /** + * Returns an array of (key, value) pairs in the mapping. + */ + function items() + { + $temp = array(); + + for ($i = 0; $i < count($this->keys); $i++) { + $temp[] = array($this->keys[$i], + $this->values[$i]); + } + return $temp; + } + + /** + * Returns the "length" of the mapping, or the number of keys. + */ + function len() + { + return count($this->keys); + } + + /** + * Sets a key-value pair in the mapping. If the key already + * exists, its value is replaced with the new value. + */ + function set($key, $value) + { + $index = array_search($key, $this->keys); + + if ($index !== false) { + $this->values[$index] = $value; + } else { + $this->keys[] = $key; + $this->values[] = $value; + } + } + + /** + * Gets a specified value from the mapping, associated with the + * specified key. If the key does not exist in the mapping, + * $default is returned instead. + */ + function get($key, $default = null) + { + $index = array_search($key, $this->keys); + + if ($index !== false) { + return $this->values[$index]; + } else { + return $default; + } + } + + /** + * @access private + */ + function _reflow() + { + // PHP is broken yet again. Sort the arrays to remove the + // hole in the numeric indexes that make up the array. + $old_keys = $this->keys; + $old_values = $this->values; + + $this->keys = array(); + $this->values = array(); + + foreach ($old_keys as $k) { + $this->keys[] = $k; + } + + foreach ($old_values as $v) { + $this->values[] = $v; + } + } + + /** + * Deletes a key-value pair from the mapping with the specified + * key. + */ + function del($key) + { + $index = array_search($key, $this->keys); + + if ($index !== false) { + unset($this->keys[$index]); + unset($this->values[$index]); + $this->_reflow(); + return true; + } + return false; + } + + /** + * Returns true if the specified value has a key in the mapping; + * false if not. + */ + function contains($value) + { + return (array_search($value, $this->keys) !== false); + } +} + +/** + * Maintains a bijective map between namespace uris and aliases. + * + * @package OpenID + */ +class Auth_OpenID_NamespaceMap { + function Auth_OpenID_NamespaceMap() + { + $this->alias_to_namespace = new Auth_OpenID_Mapping(); + $this->namespace_to_alias = new Auth_OpenID_Mapping(); + $this->implicit_namespaces = array(); + } + + function getAlias($namespace_uri) + { + return $this->namespace_to_alias->get($namespace_uri); + } + + function getNamespaceURI($alias) + { + return $this->alias_to_namespace->get($alias); + } + + function iterNamespaceURIs() + { + // Return an iterator over the namespace URIs + return $this->namespace_to_alias->keys(); + } + + function iterAliases() + { + // Return an iterator over the aliases""" + return $this->alias_to_namespace->keys(); + } + + function iteritems() + { + return $this->namespace_to_alias->items(); + } + + function isImplicit($namespace_uri) + { + return in_array($namespace_uri, $this->implicit_namespaces); + } + + function addAlias($namespace_uri, $desired_alias, $implicit=false) + { + // Add an alias from this namespace URI to the desired alias + global $Auth_OpenID_OPENID_PROTOCOL_FIELDS; + + // Check that desired_alias is not an openid protocol field as + // per the spec. + if (in_array($desired_alias, $Auth_OpenID_OPENID_PROTOCOL_FIELDS)) { + Auth_OpenID::log("\"%s\" is not an allowed namespace alias", + $desired_alias); + return null; + } + + // Check that desired_alias does not contain a period as per + // the spec. + if (strpos($desired_alias, '.') !== false) { + Auth_OpenID::log('"%s" must not contain a dot', $desired_alias); + return null; + } + + // Check that there is not a namespace already defined for the + // desired alias + $current_namespace_uri = + $this->alias_to_namespace->get($desired_alias); + + if (($current_namespace_uri !== null) && + ($current_namespace_uri != $namespace_uri)) { + Auth_OpenID::log('Cannot map "%s" because previous mapping exists', + $namespace_uri); + return null; + } + + // Check that there is not already a (different) alias for + // this namespace URI + $alias = $this->namespace_to_alias->get($namespace_uri); + + if (($alias !== null) && ($alias != $desired_alias)) { + Auth_OpenID::log('Cannot map %s to alias %s. ' . + 'It is already mapped to alias %s', + $namespace_uri, $desired_alias, $alias); + return null; + } + + assert((Auth_OpenID_NULL_NAMESPACE === $desired_alias) || + is_string($desired_alias)); + + $this->alias_to_namespace->set($desired_alias, $namespace_uri); + $this->namespace_to_alias->set($namespace_uri, $desired_alias); + if ($implicit) { + array_push($this->implicit_namespaces, $namespace_uri); + } + + return $desired_alias; + } + + function add($namespace_uri) + { + // Add this namespace URI to the mapping, without caring what + // alias it ends up with + + // See if this namespace is already mapped to an alias + $alias = $this->namespace_to_alias->get($namespace_uri); + + if ($alias !== null) { + return $alias; + } + + // Fall back to generating a numerical alias + $i = 0; + while (1) { + $alias = 'ext' . strval($i); + if ($this->addAlias($namespace_uri, $alias) === null) { + $i += 1; + } else { + return $alias; + } + } + + // Should NEVER be reached! + return null; + } + + function contains($namespace_uri) + { + return $this->isDefined($namespace_uri); + } + + function isDefined($namespace_uri) + { + return $this->namespace_to_alias->contains($namespace_uri); + } +} + +/** + * In the implementation of this object, null represents the global + * namespace as well as a namespace with no key. + * + * @package OpenID + */ +class Auth_OpenID_Message { + + function Auth_OpenID_Message($openid_namespace = null) + { + // Create an empty Message + $this->allowed_openid_namespaces = array( + Auth_OpenID_OPENID1_NS, + Auth_OpenID_THE_OTHER_OPENID1_NS, + Auth_OpenID_OPENID2_NS); + + $this->args = new Auth_OpenID_Mapping(); + $this->namespaces = new Auth_OpenID_NamespaceMap(); + if ($openid_namespace === null) { + $this->_openid_ns_uri = null; + } else { + $implicit = Auth_OpenID_isOpenID1($openid_namespace); + $this->setOpenIDNamespace($openid_namespace, $implicit); + } + } + + function isOpenID1() + { + return Auth_OpenID_isOpenID1($this->getOpenIDNamespace()); + } + + function isOpenID2() + { + return $this->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS; + } + + static function fromPostArgs($args) + { + // Construct a Message containing a set of POST arguments + $obj = new Auth_OpenID_Message(); + + // Partition into "openid." args and bare args + $openid_args = array(); + foreach ($args as $key => $value) { + + if (is_array($value)) { + return null; + } + + $parts = explode('.', $key, 2); + + if (count($parts) == 2) { + list($prefix, $rest) = $parts; + } else { + $prefix = null; + } + + if ($prefix != 'openid') { + $obj->args->set(array(Auth_OpenID_BARE_NS, $key), $value); + } else { + $openid_args[$rest] = $value; + } + } + + if ($obj->_fromOpenIDArgs($openid_args)) { + return $obj; + } else { + return null; + } + } + + static function fromOpenIDArgs($openid_args) + { + // Takes an array. + + // Construct a Message from a parsed KVForm message + $obj = new Auth_OpenID_Message(); + if ($obj->_fromOpenIDArgs($openid_args)) { + return $obj; + } else { + return null; + } + } + + /** + * @access private + */ + function _fromOpenIDArgs($openid_args) + { + global $Auth_OpenID_registered_aliases; + + // Takes an Auth_OpenID_Mapping instance OR an array. + + if (!Auth_OpenID_Mapping::isA($openid_args)) { + $openid_args = new Auth_OpenID_Mapping($openid_args); + } + + $ns_args = array(); + + // Resolve namespaces + foreach ($openid_args->items() as $pair) { + list($rest, $value) = $pair; + + $parts = explode('.', $rest, 2); + + if (count($parts) == 2) { + list($ns_alias, $ns_key) = $parts; + } else { + $ns_alias = Auth_OpenID_NULL_NAMESPACE; + $ns_key = $rest; + } + + if ($ns_alias == 'ns') { + if ($this->namespaces->addAlias($value, $ns_key) === null) { + return false; + } + } else if (($ns_alias == Auth_OpenID_NULL_NAMESPACE) && + ($ns_key == 'ns')) { + // null namespace + if ($this->setOpenIDNamespace($value, false) === false) { + return false; + } + } else { + $ns_args[] = array($ns_alias, $ns_key, $value); + } + } + + if (!$this->getOpenIDNamespace()) { + if ($this->setOpenIDNamespace(Auth_OpenID_OPENID1_NS, true) === + false) { + return false; + } + } + + // Actually put the pairs into the appropriate namespaces + foreach ($ns_args as $triple) { + list($ns_alias, $ns_key, $value) = $triple; + $ns_uri = $this->namespaces->getNamespaceURI($ns_alias); + if ($ns_uri === null) { + $ns_uri = $this->_getDefaultNamespace($ns_alias); + if ($ns_uri === null) { + + $ns_uri = Auth_OpenID_OPENID_NS; + $ns_key = sprintf('%s.%s', $ns_alias, $ns_key); + } else { + $this->namespaces->addAlias($ns_uri, $ns_alias, true); + } + } + + $this->setArg($ns_uri, $ns_key, $value); + } + + return true; + } + + function _getDefaultNamespace($mystery_alias) + { + global $Auth_OpenID_registered_aliases; + if ($this->isOpenID1()) { + return @$Auth_OpenID_registered_aliases[$mystery_alias]; + } + return null; + } + + function setOpenIDNamespace($openid_ns_uri, $implicit) + { + if (!in_array($openid_ns_uri, $this->allowed_openid_namespaces)) { + Auth_OpenID::log('Invalid null namespace: "%s"', $openid_ns_uri); + return false; + } + + $succeeded = $this->namespaces->addAlias($openid_ns_uri, + Auth_OpenID_NULL_NAMESPACE, + $implicit); + if ($succeeded === false) { + return false; + } + + $this->_openid_ns_uri = $openid_ns_uri; + + return true; + } + + function getOpenIDNamespace() + { + return $this->_openid_ns_uri; + } + + static function fromKVForm($kvform_string) + { + // Create a Message from a KVForm string + return Auth_OpenID_Message::fromOpenIDArgs( + Auth_OpenID_KVForm::toArray($kvform_string)); + } + + function copy() + { + return $this; + } + + function toPostArgs() + { + // Return all arguments with openid. in front of namespaced + // arguments. + + $args = array(); + + // Add namespace definitions to the output + foreach ($this->namespaces->iteritems() as $pair) { + list($ns_uri, $alias) = $pair; + if ($this->namespaces->isImplicit($ns_uri)) { + continue; + } + if ($alias == Auth_OpenID_NULL_NAMESPACE) { + $ns_key = 'openid.ns'; + } else { + $ns_key = 'openid.ns.' . $alias; + } + $args[$ns_key] = $ns_uri; + } + + foreach ($this->args->items() as $pair) { + list($ns_parts, $value) = $pair; + list($ns_uri, $ns_key) = $ns_parts; + $key = $this->getKey($ns_uri, $ns_key); + $args[$key] = $value; + } + + return $args; + } + + function toArgs() + { + // Return all namespaced arguments, failing if any + // non-namespaced arguments exist. + $post_args = $this->toPostArgs(); + $kvargs = array(); + foreach ($post_args as $k => $v) { + if (strpos($k, 'openid.') !== 0) { + // raise ValueError( + // 'This message can only be encoded as a POST, because it ' + // 'contains arguments that are not prefixed with "openid."') + return null; + } else { + $kvargs[substr($k, 7)] = $v; + } + } + + return $kvargs; + } + + function toFormMarkup($action_url, $form_tag_attrs = null, + $submit_text = "Continue") + { + $form = "
$attr) { + $form .= sprintf(" %s=\"%s\"", $name, $attr); + } + } + + $form .= ">\n"; + + foreach ($this->toPostArgs() as $name => $value) { + $form .= sprintf( + "\n", + $name, $value); + } + + $form .= sprintf("\n", + $submit_text); + + $form .= "
\n"; + + return $form; + } + + function toURL($base_url) + { + // Generate a GET URL with the parameters in this message + // attached as query parameters. + return Auth_OpenID::appendArgs($base_url, $this->toPostArgs()); + } + + function toKVForm() + { + // Generate a KVForm string that contains the parameters in + // this message. This will fail if the message contains + // arguments outside of the 'openid.' prefix. + return Auth_OpenID_KVForm::fromArray($this->toArgs()); + } + + function toURLEncoded() + { + // Generate an x-www-urlencoded string + $args = array(); + + foreach ($this->toPostArgs() as $k => $v) { + $args[] = array($k, $v); + } + + sort($args); + return Auth_OpenID::httpBuildQuery($args); + } + + /** + * @access private + */ + function _fixNS($namespace) + { + // Convert an input value into the internally used values of + // this object + + if ($namespace == Auth_OpenID_OPENID_NS) { + if ($this->_openid_ns_uri === null) { + return new Auth_OpenID_FailureResponse(null, + 'OpenID namespace not set'); + } else { + $namespace = $this->_openid_ns_uri; + } + } + + if (($namespace != Auth_OpenID_BARE_NS) && + (!is_string($namespace))) { + //TypeError + $err_msg = sprintf("Namespace must be Auth_OpenID_BARE_NS, ". + "Auth_OpenID_OPENID_NS or a string. got %s", + print_r($namespace, true)); + return new Auth_OpenID_FailureResponse(null, $err_msg); + } + + if (($namespace != Auth_OpenID_BARE_NS) && + (strpos($namespace, ':') === false)) { + // fmt = 'OpenID 2.0 namespace identifiers SHOULD be URIs. Got %r' + // warnings.warn(fmt % (namespace,), DeprecationWarning) + + if ($namespace == 'sreg') { + // fmt = 'Using %r instead of "sreg" as namespace' + // warnings.warn(fmt % (SREG_URI,), DeprecationWarning,) + return Auth_OpenID_SREG_URI; + } + } + + return $namespace; + } + + function hasKey($namespace, $ns_key) + { + $namespace = $this->_fixNS($namespace); + if (Auth_OpenID::isFailure($namespace)) { + // XXX log me + return false; + } else { + return $this->args->contains(array($namespace, $ns_key)); + } + } + + function getKey($namespace, $ns_key) + { + // Get the key for a particular namespaced argument + $namespace = $this->_fixNS($namespace); + if (Auth_OpenID::isFailure($namespace)) { + return $namespace; + } + if ($namespace == Auth_OpenID_BARE_NS) { + return $ns_key; + } + + $ns_alias = $this->namespaces->getAlias($namespace); + + // No alias is defined, so no key can exist + if ($ns_alias === null) { + return null; + } + + if ($ns_alias == Auth_OpenID_NULL_NAMESPACE) { + $tail = $ns_key; + } else { + $tail = sprintf('%s.%s', $ns_alias, $ns_key); + } + + return 'openid.' . $tail; + } + + function getArg($namespace, $key, $default = null) + { + // Get a value for a namespaced key. + $namespace = $this->_fixNS($namespace); + + if (Auth_OpenID::isFailure($namespace)) { + return $namespace; + } else { + if ((!$this->args->contains(array($namespace, $key))) && + ($default == Auth_OpenID_NO_DEFAULT)) { + $err_msg = sprintf("Namespace %s missing required field %s", + $namespace, $key); + return new Auth_OpenID_FailureResponse(null, $err_msg); + } else { + return $this->args->get(array($namespace, $key), $default); + } + } + } + + function getArgs($namespace) + { + // Get the arguments that are defined for this namespace URI + + $namespace = $this->_fixNS($namespace); + if (Auth_OpenID::isFailure($namespace)) { + return $namespace; + } else { + $stuff = array(); + foreach ($this->args->items() as $pair) { + list($key, $value) = $pair; + list($pair_ns, $ns_key) = $key; + if ($pair_ns == $namespace) { + $stuff[$ns_key] = $value; + } + } + + return $stuff; + } + } + + function updateArgs($namespace, $updates) + { + // Set multiple key/value pairs in one call + + $namespace = $this->_fixNS($namespace); + + if (Auth_OpenID::isFailure($namespace)) { + return $namespace; + } else { + foreach ($updates as $k => $v) { + $this->setArg($namespace, $k, $v); + } + return true; + } + } + + function setArg($namespace, $key, $value) + { + // Set a single argument in this namespace + $namespace = $this->_fixNS($namespace); + + if (Auth_OpenID::isFailure($namespace)) { + return $namespace; + } else { + $this->args->set(array($namespace, $key), $value); + if ($namespace !== Auth_OpenID_BARE_NS) { + $this->namespaces->add($namespace); + } + return true; + } + } + + function delArg($namespace, $key) + { + $namespace = $this->_fixNS($namespace); + + if (Auth_OpenID::isFailure($namespace)) { + return $namespace; + } else { + return $this->args->del(array($namespace, $key)); + } + } + + function getAliasedArg($aliased_key, $default = null) + { + if ($aliased_key == 'ns') { + // Return the namespace URI for the OpenID namespace + return $this->getOpenIDNamespace(); + } + + $parts = explode('.', $aliased_key, 2); + + if (count($parts) != 2) { + $ns = null; + } else { + list($alias, $key) = $parts; + + if ($alias == 'ns') { + // Return the namespace URI for a namespace alias + // parameter. + return $this->namespaces->getNamespaceURI($key); + } else { + $ns = $this->namespaces->getNamespaceURI($alias); + } + } + + if ($ns === null) { + $key = $aliased_key; + $ns = $this->getOpenIDNamespace(); + } + + return $this->getArg($ns, $key, $default); + } +} + + diff --git a/models/Auth/OpenID/MySQLStore.php b/models/Auth/OpenID/MySQLStore.php new file mode 100644 index 000000000..810f059f1 --- /dev/null +++ b/models/Auth/OpenID/MySQLStore.php @@ -0,0 +1,77 @@ +sql['nonce_table'] = + "CREATE TABLE %s (\n". + " server_url VARCHAR(2047) NOT NULL,\n". + " timestamp INTEGER NOT NULL,\n". + " salt CHAR(40) NOT NULL,\n". + " UNIQUE (server_url(255), timestamp, salt)\n". + ") ENGINE=InnoDB"; + + $this->sql['assoc_table'] = + "CREATE TABLE %s (\n". + " server_url BLOB NOT NULL,\n". + " handle VARCHAR(255) NOT NULL,\n". + " secret BLOB NOT NULL,\n". + " issued INTEGER NOT NULL,\n". + " lifetime INTEGER NOT NULL,\n". + " assoc_type VARCHAR(64) NOT NULL,\n". + " PRIMARY KEY (server_url(255), handle)\n". + ") ENGINE=InnoDB"; + + $this->sql['set_assoc'] = + "REPLACE INTO %s (server_url, handle, secret, issued,\n". + " lifetime, assoc_type) VALUES (?, ?, !, ?, ?, ?)"; + + $this->sql['get_assocs'] = + "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". + "WHERE server_url = ?"; + + $this->sql['get_assoc'] = + "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". + "WHERE server_url = ? AND handle = ?"; + + $this->sql['remove_assoc'] = + "DELETE FROM %s WHERE server_url = ? AND handle = ?"; + + $this->sql['add_nonce'] = + "INSERT INTO %s (server_url, timestamp, salt) VALUES (?, ?, ?)"; + + $this->sql['clean_nonce'] = + "DELETE FROM %s WHERE timestamp < ?"; + + $this->sql['clean_assoc'] = + "DELETE FROM %s WHERE issued + lifetime < ?"; + } + + /** + * @access private + */ + function blobEncode($blob) + { + return "0x" . bin2hex($blob); + } +} + diff --git a/models/Auth/OpenID/Nonce.php b/models/Auth/OpenID/Nonce.php new file mode 100644 index 000000000..b83c5911f --- /dev/null +++ b/models/Auth/OpenID/Nonce.php @@ -0,0 +1,108 @@ +preferred_auth_policies = $preferred_auth_policies; + $this->max_auth_age = $max_auth_age; + } + + /** + * Add an acceptable authentication policy URI to this request + * + * This method is intended to be used by the relying party to add + * acceptable authentication types to the request. + * + * policy_uri: The identifier for the preferred type of + * authentication. + */ + function addPolicyURI($policy_uri) + { + if (!in_array($policy_uri, $this->preferred_auth_policies)) { + $this->preferred_auth_policies[] = $policy_uri; + } + } + + function getExtensionArgs() + { + $ns_args = array( + 'preferred_auth_policies' => + implode(' ', $this->preferred_auth_policies) + ); + + if ($this->max_auth_age !== null) { + $ns_args['max_auth_age'] = strval($this->max_auth_age); + } + + return $ns_args; + } + + /** + * Instantiate a Request object from the arguments in a checkid_* + * OpenID message + */ + static function fromOpenIDRequest($request) + { + $obj = new Auth_OpenID_PAPE_Request(); + $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI); + + if ($args === null || $args === array()) { + return null; + } + + $obj->parseExtensionArgs($args); + return $obj; + } + + /** + * Set the state of this request to be that expressed in these + * PAPE arguments + * + * @param args: The PAPE arguments without a namespace + */ + function parseExtensionArgs($args) + { + // preferred_auth_policies is a space-separated list of policy + // URIs + $this->preferred_auth_policies = array(); + + $policies_str = Auth_OpenID::arrayGet($args, 'preferred_auth_policies'); + if ($policies_str) { + foreach (explode(' ', $policies_str) as $uri) { + if (!in_array($uri, $this->preferred_auth_policies)) { + $this->preferred_auth_policies[] = $uri; + } + } + } + + // max_auth_age is base-10 integer number of seconds + $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age'); + if ($max_auth_age_str) { + $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str); + } else { + $this->max_auth_age = null; + } + } + + /** + * Given a list of authentication policy URIs that a provider + * supports, this method returns the subsequence of those types + * that are preferred by the relying party. + * + * @param supported_types: A sequence of authentication policy + * type URIs that are supported by a provider + * + * @return array The sub-sequence of the supported types that are + * preferred by the relying party. This list will be ordered in + * the order that the types appear in the supported_types + * sequence, and may be empty if the provider does not prefer any + * of the supported authentication types. + */ + function preferredTypes($supported_types) + { + $result = array(); + + foreach ($supported_types as $st) { + if (in_array($st, $this->preferred_auth_policies)) { + $result[] = $st; + } + } + return $result; + } +} + +/** + * A Provider Authentication Policy response, sent from a provider to + * a relying party + */ +class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { + + var $ns_alias = 'pape'; + var $ns_uri = Auth_OpenID_PAPE_NS_URI; + + function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_time=null, + $nist_auth_level=null) + { + if ($auth_policies) { + $this->auth_policies = $auth_policies; + } else { + $this->auth_policies = array(); + } + + $this->auth_time = $auth_time; + $this->nist_auth_level = $nist_auth_level; + } + + /** + * Add a authentication policy to this response + * + * This method is intended to be used by the provider to add a + * policy that the provider conformed to when authenticating the + * user. + * + * @param policy_uri: The identifier for the preferred type of + * authentication. + */ + function addPolicyURI($policy_uri) + { + if (!in_array($policy_uri, $this->auth_policies)) { + $this->auth_policies[] = $policy_uri; + } + } + + /** + * Create an Auth_OpenID_PAPE_Response object from a successful + * OpenID library response. + * + * @param success_response $success_response A SuccessResponse + * from Auth_OpenID_Consumer::complete() + * + * @returns: A provider authentication policy response from the + * data that was supplied with the id_res response. + */ + static function fromSuccessResponse($success_response) + { + $obj = new Auth_OpenID_PAPE_Response(); + + // PAPE requires that the args be signed. + $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI); + + if ($args === null || $args === array()) { + return null; + } + + $result = $obj->parseExtensionArgs($args); + + if ($result === false) { + return null; + } else { + return $obj; + } + } + + /** + * Parse the provider authentication policy arguments into the + * internal state of this object + * + * @param args: unqualified provider authentication policy + * arguments + * + * @param strict: Whether to return false when bad data is + * encountered + * + * @return null The data is parsed into the internal fields of + * this object. + */ + function parseExtensionArgs($args, $strict=false) + { + $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies'); + if ($policies_str && $policies_str != "none") { + $this->auth_policies = explode(" ", $policies_str); + } + + $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level'); + if ($nist_level_str !== null) { + $nist_level = Auth_OpenID::intval($nist_level_str); + + if ($nist_level === false) { + if ($strict) { + return false; + } else { + $nist_level = null; + } + } + + if (0 <= $nist_level && $nist_level < 5) { + $this->nist_auth_level = $nist_level; + } else if ($strict) { + return false; + } + } + + $auth_time = Auth_OpenID::arrayGet($args, 'auth_time'); + if ($auth_time !== null) { + if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) { + $this->auth_time = $auth_time; + } else if ($strict) { + return false; + } + } + } + + function getExtensionArgs() + { + $ns_args = array(); + if (count($this->auth_policies) > 0) { + $ns_args['auth_policies'] = implode(' ', $this->auth_policies); + } else { + $ns_args['auth_policies'] = 'none'; + } + + if ($this->nist_auth_level !== null) { + if (!in_array($this->nist_auth_level, range(0, 4), true)) { + return false; + } + $ns_args['nist_auth_level'] = strval($this->nist_auth_level); + } + + if ($this->auth_time !== null) { + if (!preg_match(PAPE_TIME_VALIDATOR, $this->auth_time)) { + return false; + } + + $ns_args['auth_time'] = $this->auth_time; + } + + return $ns_args; + } +} + diff --git a/models/Auth/OpenID/Parse.php b/models/Auth/OpenID/Parse.php new file mode 100644 index 000000000..6c2e72169 --- /dev/null +++ b/models/Auth/OpenID/Parse.php @@ -0,0 +1,377 @@ + tags + * in the head of HTML or XHTML documents and parses out their + * attributes according to the OpenID spec. It is a liberal parser, + * but it requires these things from the data in order to work: + * + * - There must be an open tag + * + * - There must be an open tag inside of the tag + * + * - Only s that are found inside of the tag are parsed + * (this is by design) + * + * - The parser follows the OpenID specification in resolving the + * attributes of the link tags. This means that the attributes DO + * NOT get resolved as they would by an XML or HTML parser. In + * particular, only certain entities get replaced, and href + * attributes do not get resolved relative to a base URL. + * + * From http://openid.net/specs.bml: + * + * - The openid.server URL MUST be an absolute URL. OpenID consumers + * MUST NOT attempt to resolve relative URLs. + * + * - The openid.server URL MUST NOT include entities other than &, + * <, >, and ". + * + * The parser ignores SGML comments and . Both kinds + * of quoting are allowed for attributes. + * + * The parser deals with invalid markup in these ways: + * + * - Tag names are not case-sensitive + * + * - The tag is accepted even when it is not at the top level + * + * - The tag is accepted even when it is not a direct child of + * the tag, but a tag must be an ancestor of the + * tag + * + * - tags are accepted even when they are not direct children + * of the tag, but a tag must be an ancestor of the + * tag + * + * - If there is no closing tag for an open or tag, the + * remainder of the document is viewed as being inside of the + * tag. If there is no closing tag for a tag, the link tag is + * treated as a short tag. Exceptions to this rule are that + * closes and or closes + * + * - Attributes of the tag are not required to be quoted. + * + * - In the case of duplicated attribute names, the attribute coming + * last in the tag will be the value returned. + * + * - Any text that does not parse as an attribute within a link tag + * will be ignored. (e.g. will + * ignore pumpkin) + * + * - If there are more than one or tag, the parser only + * looks inside of the first one. + * + * - The contents of + + +Name: Link inside comment inside head inside html + + + + + + +Name: Link inside of head after short head + + + + + + + +Name: Plain vanilla +Link: + + + + + + +Name: Ignore tags in the namespace +Link*: + + + + + + + + +Name: Short link tag +Link: + + + + + + +Name: Spaces in the HTML tag +Link: + + + + + + +Name: Spaces in the head tag +Link: + + + + + + +Name: Spaces in the link tag +Link: + + + + + + +Name: No whitespace +Link: + + + + +Name: Closed head tag +Link: + + + + + + + +Name: One good, one bad (after close head) +Link: + + + + + + + + +Name: One good, one bad (after open body) +Link: + + + + + + + + +Name: ill formed (missing close head) +Link: + + + + + + + +Name: Ill formed (no close head, link after ) +Link: + + + + + + + + +Name: Ignore random tags inside of html +Link: + + + + + +<link> + + +Name: case-folding +Link*: + +<HtMl> +<hEaD> +<LiNk> + + +Name: unexpected tags +Link: + +<butternut> +<html> +<summer> +<head> +<turban> +<link> + + +Name: un-closed script tags +Link*: + +<html> +<head> +<script> +<link> + + +Name: un-closed script tags (no whitespace) +Link*: + +<html><head><script><link> + + +Name: un-closed comment +Link*: + +<html> +<head> +<!-- +<link> + + +Name: un-closed CDATA +Link*: + +<html> +<head> +<![CDATA[ +<link> + + +Name: cdata-like +Link*: + +<html> +<head> +<![ACORN[ +<link> +]]> + + +Name: comment close only +Link: + +<html> +<head> +<link> +--> + + +Name: Vanilla, two links +Link: +Link: + +<html> +<head> +<link> +<link> + + +Name: extra tag, two links +Link: +Link: + +<html> +<gold nugget> +<head> +<link> +<link> + + +Name: case-fold, body ends, two links +Link: +Link*: + +<html> +<head> +<link> +<LiNk> +<body> +<link> + + +Name: simple, non-quoted rel +Link: rel=openid.server + +<html><head><link rel=openid.server> + + +Name: short tag has rel +Link: rel=openid.server + +<html><head><link rel=openid.server/> + + +Name: short tag w/space has rel +Link: rel=openid.server + +<html><head><link rel=openid.server /> + + +Name: extra non-attribute, has rel +Link: rel=openid.server + +<html><head><link hubbard rel=openid.server> + + +Name: non-attr, has rel, short +Link: rel=openid.server + +<html><head><link hubbard rel=openid.server/> + + +Name: non-attr, has rel, short, space +Link: rel=openid.server + +<html><head><link hubbard rel=openid.server /> + + +Name: misplaced slash has rel +Link: rel=openid.server + +<html><head><link / rel=openid.server> + + +Name: quoted rel +Link: rel=openid.server + +<html><head><link rel="openid.server"> + + +Name: single-quoted rel +Link: rel=openid.server + +<html><head><link rel='openid.server'> + + +Name: two links w/ rel +Link: x=y +Link: a=b + +<html><head><link x=y><link a=b> + + +Name: non-entity +Link: x=&y + +<html><head><link x=&y> + + +Name: quoted non-entity +Link: x=&y + +<html><head><link x="&y"> + + +Name: quoted entity +Link: x=& + +<html><head><link x="&"> + + +Name: entity not processed +Link: x= + +<html><head><link x=""> + + +Name: < +Link: x=< + +<html><head><link x="<"> + + +Name: > +Link: x=> + +<html><head><link x=">"> + + +Name: " +Link: x=" + +<html><head><link x="""> + + +Name: &" +Link: x=&" + +<html><head><link x="&""> + + +Name: mixed entity and non-entity +Link: x=&"…> + +<html><head><link x="&"…>"> + + +Name: mixed entity and non-entity (w/normal chars) +Link: x=x&"…>x + +<html><head><link x="x&"…>x"> + + +Name: broken tags +Link*: x=y + +<html><head><link x=y<> + + +Name: missing close pointy +Link: z=y + +<html><head><link x=y<link z=y /> + + +Name: missing attribute value +Link: x=y y*= +Link: x=y + +<html><head><link x=y y=><link x=y /> + + +Name: Missing close pointy (no following) +Link*: x=y + +<html><head><link x=y + + +Name: Should be quoted +Link: x*=< + +<html><head><link x="<"> + + +Name: Should be quoted (2) +Link: x*=> + +<html><head><link x=">"> + + +Name: Repeated attribute +Link: x=y + +<html><head><link x=z x=y> + + +Name: Repeated attribute (2) +Link: x=y + +<html><head><link x=y x=y> + + +Name: Two attributes +Link: x=y y=z + +<html><head><link x=y y=z> + + +Name: Well-formed link rel="openid.server" +Link: rel=openid.server href=http://www.myopenid.com/server + +<html> + <head> + <link rel="openid.server" + href="http://www.myopenid.com/server" /> + </head> +</html> + + +Name: Well-formed link rel="openid.server" and "openid.delegate" +Link: rel=openid.server href=http://www.myopenid.com/server +Link: rel=openid.delegate href=http://example.myopenid.com/ + +<html><head><link rel="openid.server" + href="http://www.myopenid.com/server" /> + <link rel="openid.delegate" href="http://example.myopenid.com/" /> +</head></html> + + +Name: from brian's livejournal page +Link: rel=stylesheet href=http://www.livejournal.com/~serotta/res/319998/stylesheet?1130478711 type=text/css +Link: rel=openid.server href=http://www.livejournal.com/openid/server.bml + +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <link rel="stylesheet" + href="http://www.livejournal.com/~serotta/res/319998/stylesheet?1130478711" + type="text/css" /> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta name="foaf:maker" + content="foaf:mbox_sha1sum '12f8abdacb5b1a806711e23249da592c0d316260'" /> + <meta name="robots" content="noindex, nofollow, noarchive" /> + <meta name="googlebot" content="nosnippet" /> + <link rel="openid.server" + href="http://www.livejournal.com/openid/server.bml" /> + <title>Brian + + + +Name: non-ascii (Latin-1 or UTF8) +Link: x=® + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/n2b64 b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/n2b64 new file mode 100644 index 000000000..b12a24604 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/n2b64 @@ -0,0 +1,650 @@ +AA== 0 +AQ== 1 +Ag== 2 +Aw== 3 +BA== 4 +BQ== 5 +Bg== 6 +Bw== 7 +CA== 8 +CQ== 9 +Cg== 10 +Cw== 11 +DA== 12 +DQ== 13 +Dg== 14 +Dw== 15 +EA== 16 +EQ== 17 +Eg== 18 +Ew== 19 +FA== 20 +FQ== 21 +Fg== 22 +Fw== 23 +GA== 24 +GQ== 25 +Gg== 26 +Gw== 27 +HA== 28 +HQ== 29 +Hg== 30 +Hw== 31 +IA== 32 +IQ== 33 +Ig== 34 +Iw== 35 +JA== 36 +JQ== 37 +Jg== 38 +Jw== 39 +KA== 40 +KQ== 41 +Kg== 42 +Kw== 43 +LA== 44 +LQ== 45 +Lg== 46 +Lw== 47 +MA== 48 +MQ== 49 +Mg== 50 +Mw== 51 +NA== 52 +NQ== 53 +Ng== 54 +Nw== 55 +OA== 56 +OQ== 57 +Og== 58 +Ow== 59 +PA== 60 +PQ== 61 +Pg== 62 +Pw== 63 +QA== 64 +QQ== 65 +Qg== 66 +Qw== 67 +RA== 68 +RQ== 69 +Rg== 70 +Rw== 71 +SA== 72 +SQ== 73 +Sg== 74 +Sw== 75 +TA== 76 +TQ== 77 +Tg== 78 +Tw== 79 +UA== 80 +UQ== 81 +Ug== 82 +Uw== 83 +VA== 84 +VQ== 85 +Vg== 86 +Vw== 87 +WA== 88 +WQ== 89 +Wg== 90 +Ww== 91 +XA== 92 +XQ== 93 +Xg== 94 +Xw== 95 +YA== 96 +YQ== 97 +Yg== 98 +Yw== 99 +ZA== 100 +ZQ== 101 +Zg== 102 +Zw== 103 +aA== 104 +aQ== 105 +ag== 106 +aw== 107 +bA== 108 +bQ== 109 +bg== 110 +bw== 111 +cA== 112 +cQ== 113 +cg== 114 +cw== 115 +dA== 116 +dQ== 117 +dg== 118 +dw== 119 +eA== 120 +eQ== 121 +eg== 122 +ew== 123 +fA== 124 +fQ== 125 +fg== 126 +fw== 127 +AIA= 128 +AIE= 129 +AII= 130 +AIM= 131 +AIQ= 132 +AIU= 133 +AIY= 134 +AIc= 135 +AIg= 136 +AIk= 137 +AIo= 138 +AIs= 139 +AIw= 140 +AI0= 141 +AI4= 142 +AI8= 143 +AJA= 144 +AJE= 145 +AJI= 146 +AJM= 147 +AJQ= 148 +AJU= 149 +AJY= 150 +AJc= 151 +AJg= 152 +AJk= 153 +AJo= 154 +AJs= 155 +AJw= 156 +AJ0= 157 +AJ4= 158 +AJ8= 159 +AKA= 160 +AKE= 161 +AKI= 162 +AKM= 163 +AKQ= 164 +AKU= 165 +AKY= 166 +AKc= 167 +AKg= 168 +AKk= 169 +AKo= 170 +AKs= 171 +AKw= 172 +AK0= 173 +AK4= 174 +AK8= 175 +ALA= 176 +ALE= 177 +ALI= 178 +ALM= 179 +ALQ= 180 +ALU= 181 +ALY= 182 +ALc= 183 +ALg= 184 +ALk= 185 +ALo= 186 +ALs= 187 +ALw= 188 +AL0= 189 +AL4= 190 +AL8= 191 +AMA= 192 +AME= 193 +AMI= 194 +AMM= 195 +AMQ= 196 +AMU= 197 +AMY= 198 +AMc= 199 +AMg= 200 +AMk= 201 +AMo= 202 +AMs= 203 +AMw= 204 +AM0= 205 +AM4= 206 +AM8= 207 +ANA= 208 +ANE= 209 +ANI= 210 +ANM= 211 +ANQ= 212 +ANU= 213 +ANY= 214 +ANc= 215 +ANg= 216 +ANk= 217 +ANo= 218 +ANs= 219 +ANw= 220 +AN0= 221 +AN4= 222 +AN8= 223 +AOA= 224 +AOE= 225 +AOI= 226 +AOM= 227 +AOQ= 228 +AOU= 229 +AOY= 230 +AOc= 231 +AOg= 232 +AOk= 233 +AOo= 234 +AOs= 235 +AOw= 236 +AO0= 237 +AO4= 238 +AO8= 239 +APA= 240 +APE= 241 +API= 242 +APM= 243 +APQ= 244 +APU= 245 +APY= 246 +APc= 247 +APg= 248 +APk= 249 +APo= 250 +APs= 251 +APw= 252 +AP0= 253 +AP4= 254 +AP8= 255 +AQA= 256 +AQE= 257 +AQI= 258 +AQM= 259 +AQQ= 260 +AQU= 261 +AQY= 262 +AQc= 263 +AQg= 264 +AQk= 265 +AQo= 266 +AQs= 267 +AQw= 268 +AQ0= 269 +AQ4= 270 +AQ8= 271 +ARA= 272 +ARE= 273 +ARI= 274 +ARM= 275 +ARQ= 276 +ARU= 277 +ARY= 278 +ARc= 279 +ARg= 280 +ARk= 281 +ARo= 282 +ARs= 283 +ARw= 284 +AR0= 285 +AR4= 286 +AR8= 287 +ASA= 288 +ASE= 289 +ASI= 290 +ASM= 291 +ASQ= 292 +ASU= 293 +ASY= 294 +ASc= 295 +ASg= 296 +ASk= 297 +ASo= 298 +ASs= 299 +ASw= 300 +AS0= 301 +AS4= 302 +AS8= 303 +ATA= 304 +ATE= 305 +ATI= 306 +ATM= 307 +ATQ= 308 +ATU= 309 +ATY= 310 +ATc= 311 +ATg= 312 +ATk= 313 +ATo= 314 +ATs= 315 +ATw= 316 +AT0= 317 +AT4= 318 +AT8= 319 +AUA= 320 +AUE= 321 +AUI= 322 +AUM= 323 +AUQ= 324 +AUU= 325 +AUY= 326 +AUc= 327 +AUg= 328 +AUk= 329 +AUo= 330 +AUs= 331 +AUw= 332 +AU0= 333 +AU4= 334 +AU8= 335 +AVA= 336 +AVE= 337 +AVI= 338 +AVM= 339 +AVQ= 340 +AVU= 341 +AVY= 342 +AVc= 343 +AVg= 344 +AVk= 345 +AVo= 346 +AVs= 347 +AVw= 348 +AV0= 349 +AV4= 350 +AV8= 351 +AWA= 352 +AWE= 353 +AWI= 354 +AWM= 355 +AWQ= 356 +AWU= 357 +AWY= 358 +AWc= 359 +AWg= 360 +AWk= 361 +AWo= 362 +AWs= 363 +AWw= 364 +AW0= 365 +AW4= 366 +AW8= 367 +AXA= 368 +AXE= 369 +AXI= 370 +AXM= 371 +AXQ= 372 +AXU= 373 +AXY= 374 +AXc= 375 +AXg= 376 +AXk= 377 +AXo= 378 +AXs= 379 +AXw= 380 +AX0= 381 +AX4= 382 +AX8= 383 +AYA= 384 +AYE= 385 +AYI= 386 +AYM= 387 +AYQ= 388 +AYU= 389 +AYY= 390 +AYc= 391 +AYg= 392 +AYk= 393 +AYo= 394 +AYs= 395 +AYw= 396 +AY0= 397 +AY4= 398 +AY8= 399 +AZA= 400 +AZE= 401 +AZI= 402 +AZM= 403 +AZQ= 404 +AZU= 405 +AZY= 406 +AZc= 407 +AZg= 408 +AZk= 409 +AZo= 410 +AZs= 411 +AZw= 412 +AZ0= 413 +AZ4= 414 +AZ8= 415 +AaA= 416 +AaE= 417 +AaI= 418 +AaM= 419 +AaQ= 420 +AaU= 421 +AaY= 422 +Aac= 423 +Aag= 424 +Aak= 425 +Aao= 426 +Aas= 427 +Aaw= 428 +Aa0= 429 +Aa4= 430 +Aa8= 431 +AbA= 432 +AbE= 433 +AbI= 434 +AbM= 435 +AbQ= 436 +AbU= 437 +AbY= 438 +Abc= 439 +Abg= 440 +Abk= 441 +Abo= 442 +Abs= 443 +Abw= 444 +Ab0= 445 +Ab4= 446 +Ab8= 447 +AcA= 448 +AcE= 449 +AcI= 450 +AcM= 451 +AcQ= 452 +AcU= 453 +AcY= 454 +Acc= 455 +Acg= 456 +Ack= 457 +Aco= 458 +Acs= 459 +Acw= 460 +Ac0= 461 +Ac4= 462 +Ac8= 463 +AdA= 464 +AdE= 465 +AdI= 466 +AdM= 467 +AdQ= 468 +AdU= 469 +AdY= 470 +Adc= 471 +Adg= 472 +Adk= 473 +Ado= 474 +Ads= 475 +Adw= 476 +Ad0= 477 +Ad4= 478 +Ad8= 479 +AeA= 480 +AeE= 481 +AeI= 482 +AeM= 483 +AeQ= 484 +AeU= 485 +AeY= 486 +Aec= 487 +Aeg= 488 +Aek= 489 +Aeo= 490 +Aes= 491 +Aew= 492 +Ae0= 493 +Ae4= 494 +Ae8= 495 +AfA= 496 +AfE= 497 +AfI= 498 +AfM= 499 +AfQ= 500 +AfU= 501 +AfY= 502 +Afc= 503 +Afg= 504 +Afk= 505 +Afo= 506 +Afs= 507 +Afw= 508 +Af0= 509 +Af4= 510 +Af8= 511 +AgA= 512 +ALDs7paJl5xPh6ORH61iDA6pONpV0rTjGiTkLEW2JsVsRKaRiS4AGn2PTR1UZXP0vXAmRXwdSegQgWPUp3Hm3RofRcDh1SykZBLif7ulau1hVO+rhwRyKc7F8F+7LcMf/v+s73eOXUDbbI2r52wfr7skZy/IELhsC8EK6HzhACI3 124241322153253947064453752054205174382289463089695815605736438952932114700118408072544073767229325045596832952652232288773280299665950768731398747700657715829631597019676014848183966683866396215048196276450953653433516126074463193382764063985175903718735372053536664711482497859539116009770850968340298474039 +AOzgU1s6Pd2IkrJlvGND8legXTe50nyDCocI5mwT9rW0YsisY5jaaEOcu51BAq9MmXBPeVX0k/jlXwH4Pn3mCpUAU1rEOsTdcmSJp35siKliDdhTZHHdZNMW+igfXGX5OCsA/BaBcGnE6NnrGWXKyTOoVUGQLEkL2T5yhNUaCT83 166340174936369324883416612727439279977041963320514134445183426741643586944819834936989524033374309932122967866930503619179389342537723598234062828695747850043368572301869699886931403612266216965783079972698791813140295203826980649434652168563255385527187360027803388963151668338040517316899628026707657178935 +AO8hrpw+lDiJ13JahLtCb1RenupQcNd0wlTSck9OLL8wB/x6gAoj0PTLV05eZIbz43N3GUSDmmckjlxdHXiBJ9rsoB0P95l1CWIV+4rXblCqxmOdmlm6VZ13bqbI0x7l0cjeMrkmk+yJ067WqUolqQBlUWMTuJVfkxALJYH5xr/C 167923899524385316022824282304301434707626789716026029252173742527362300338760906999615029022863637963070711762128687835779073122264515776657475985362344360699359591353388569856862973447791264902182048648600267737826849280828116753682917256540180401899752566540869918949003470368970029744573140084219550547906 +QxAn7yrdVs5tlHV+Glbqdaj67c6Ni8am3bBLOL8PV5HbdrLf2xIPmNugo6MfUwFSnT+ZPJ51+VTOsItaNwCFju0Eh1cqyP3JWyLRPE7emKuo6xRhf+5ik0pTg77LEF4JXW6ofDqirpR4alFi0G2d9yImQPphsYJwYGF/nNT8u0Q= 47093316905427544098193936500644355852669366083115552072584429220248776817916430034648347490325490701471113667554329499736495877969341478442613611948220957798780043076906836236556612316544460763366275536846463456405604189392790111985912854476264292503164100482712281088955640964034295834935468665872932715332 +AI9PVzrbJUvmCihwSFans1lBKwudGEZpWWu8pkSK2zVgzGhMvUoGgMp6TG2zsUd1tV8zv7KsVD2t6pXmjT1wPUynufq97GVHI06SGpflDTt30WboYRh3DgYxvso1sOjUXpnDezcaqc2Aiz4nV5MSShkBlyBjA8z2worHDE+uXqw0 100635651531872121827765663065728398779771663753008344681972226973080394359405041113312675686974926993279775427390065833081040771269307007695807025882757371805607979134114890454059957194316765342461291139168706134406917264848659448693866813989352429841300235734400772946895458374870482441457514575059390213172 +FiinVicXOqqRLpxcGTorQpSAGeQ/PfDOuzYK9ViFtmPv6D0cYPfhUH4qXEHOejvmX+0b4lfaX8MWPVZxlqpfXiU9BhG76HJxkLF4ysipukeOvhoHzvcxE5bnhSF1i//bOSifATBLBEZInwqSVg5tHHPuuCkwTL91NqhOulp7Lsk= 15560440884463435471963622630292643727112462888414585143143739400703889930416938984547754943252935620248108237258540176511252143752416771350868493435174026287082706690332705481726295797196444796135827460509780634261726494455068460028424141500629527968240913757449787164107068039175831847071025316475940056777 +aYrxyQN/hkBne2ayqo2/iDLF3DZGgk080SOMJfsj9h3Z1OfFZM7TJA+y+/O7niqatosvKrfHrAw+Qs7c6tCZ6NPwYJ4QJLOF9bqH2u2a3fkI954voNUctlUagYUJsZXV8hdhLM6NwUyIZ3ZFkPcpTZp7nKQQ84tr1a8VjDIT5/o= 74114640794666001532816944350975062126079079113921109750255283189037502412929005615388097912507598112836936032143435813588205939470002911374442844578739574773399427907766548612582213272643279263782396527705126350063372192910060171635870872236876399794128383338399728947176692692942605589343038282957050865658 +AMpCUeKUX/vtRslWiUUuXNl1KA9uDAWjMUkTrdsxxRDESI7iZIn3TR9lW+0kV5fzkLF18iYLAwSGBmX1PS/T0UVFmoBPJ9yS7yktNL0lpQ3noyGFn8HHZ6XB3FkH3jegIfGbvwwhnhhFzpHPrXlpO5iU5Y+rexzp2XHWt4yJGuIL 142031143422642739313498629438991149460874309300342349421794421544918823888598660275343727563280565210534243383322796489809683834300630555650331646026843796764549231159336347965502383849513994449309613369541991287590422095953275586374371960367000083487965487661436037637475372929033613295072397262739084075531 +AIMIQVz0JIEKEI+PREu94m3v9XoiU/Q0CpsSuqkwSSje+Wyul5ea9oU5qgtOpdkMUOW91BJo0DW/GMZ8v3C4qyyP29TtjCcAHObJi9hfLSlnTSuzXZnDStooYYKqzfToLToCaAJKCXiXAVW0vWtapLnyqafrf/KgyGZ5u4HfXKY0 92013973253053602863003242446596060337454881568126916916519869242232429836082762281129448384605359749247852792606718908482332975424967542242332487707042773885428473061056052851768940900752317020681189773407893371297668591494665352294885305475871917069040377145530889271334616499701769138948975263435137525300 +ANfP+zPBTR27afneyac1KJhOB5Pq3AXB+SoAXJvQI/GkSoNhw5KdfqoIkLcoJi8wClCm424Gm1AdrdGwDFOM/iKTSPkrvMag93+b2EbQGX66/n2X3YRFNkgq/Gtb+2M8oCcAL054Z/iiMD67aU5RWzjqS64ePHsn01bJ7dqLgpMO 151548639867177154896951257541227014781655576169318283047778755573323724856619156348444192550664853912434681577093459933599575436686424046466113215132845213008587152894642577278656978304699131916299275797578171518984206145555369576872231567191579337901913492071976578289189524123204040497290426960375042970382 +AK0kHtacLGu1NFWMADq2rG8hpzM4UEYyPOL+aMJbnwXcUYptRIxb0YFZg35RN/RiZs4lQsiq+kEJKzMMV71TsJq59vMkIZhZoB3t8g9ZqBZuq0JYcTICDwRpNSttJidVpJ6P9sR3s1xPMYKdlSwt6EEc9htOXfZU+yHKYgn98X60 121583812047864398969816595368193171848971298823388059338224714026742264861090347096116404814514279627148994345584790617974476594451626305761040465570524035369799925437276511604752129817947910677564301623631349399504187314174538914591944778074509068973226322566160587813128746039859381466427380402262866230964 +W3sZlWW1Aev3x/DiH9MzwCAZzBj++x9cknLfGAHwgFqkLH6vimEH/r8hi85hzlCOG5CjwhoZ0D/Hsfr26ZJ3X4chG84byrfDnek1V9mm1++v+clJvlYgcuVgn2Opsba2TILTm1MDB+Ujs9brJ2AAKrE9+ep5nvtQVeG9PUGtdlo= 64240043913835461386212515483198059541440539167395859777194837833769712010594411295323900074066077107346806786205590345517755715510695858065925747020336398305793661773798243627926904542715123849691490667964262778804487343218972081260210371192903128886030021862362141928329650003493687310970684093289133340250 +FTQRk9/BIj21gbLwI22fHJWYj+8Ghdcc613hOtJ+/hQmh73HwTXLpaGK9aCptxVbpjW0r/bxaRjmgxu9u1CCZh5yRd7Z46Wk/LIPXGd3ycQzqRMFB7TISFQGJIcFoxRp3Eb5wa2OyrUg7c/D+kb7oFJq9P7mEwIh8TpLzwmu4SU= 14889529068556301710329043521845510156960298822469914567758538023025100741826628180855835334285179977296740667353391766487166458692144569279381035582718738461626140662441222061900764829681913534146898551570916312642104487829660946024590782808750587095559047648957238487820069966851521487428624726655438348581 +APYXO6uGvs9qWiEAkcWsaCaCrGJJCP2Z1g++XlJ67oZIgEoWITn3T/R2/c4edAfwUUzNHAYZN1h2dSrRoqlrRXrbxFtGOuRCUrXcGLFFcEbTrtm+z5z8xGRfcorx7Cu3FIBPMK5XcGPcbRZdyP1gBkeDMvuBNAo0/To+LP/dhCNM 172810804474418448604443090732221483571611665465870520701624598983692130272337358406272727413570938793741430131635927237320173996217984860203754686741782921346604605228620148450611724714868551781003004492587584071978757421616871762681049508123223983431502852926521520561941051298696758046005573332373854233420 +AIDNxhnDEe1kTJ3XGfTS8zKXeXPRdw5yifm8j8Ibzj/quExy7hFPtKct8hRskPR2qwTlMiW9Ra8Npg2USsqHV0rBoIkX7E3psxq5LBfp/q00l3SEBuLL4K2FGR87bPgU+Duk3RVrNMnColiTcnAR5XkoeWhn/r9MfJMIN9Y0FEh8 90449107125498302548188660544012777357148118984122992664008792590422284061463729084479315745509706793674355738023180454297730948397413371686013210006834869294564190666543874617716180411178090109573192518129248278410216362657350215009192850017507998797754539132540293137589672869131300859207213449571846080636 +AIRWavxYRsGlH0Yr0DudwrpYtbrByf9ZsDawKom7ubiRfepqYzcBlwt4adMMnkYSaXeYtOsD4KBm2ZvLKN3++RkYNmxgkyarORBEg7ERyiThBj7Ksw57pNHCAoHtBEhH7Wp9mHhuZtPvPgCEptmwCu9rYhLt4zZp+Zq8a02dkXvM 92930601962515884925250459851491509622611227724602941760145671636277317511265759558869239180653492283311584982044597979173761619470326096725838197524704577188104121460089235709339932110663536557497112887112782062772810759971739760085128369628777812332518137107605855679096146402427144185104230596200130247628 +AMNJGLcAiJtL5fUfkesWKYJurdYSnvsOZeZcrg7bemkEVjF6S9CcojimUl+ncr/YY5/EXnU0mg84fObtDxWWdJ7z7l0CFcoALTyEatDYKshT0xvdKY3u+LUShxIAyk8EcGnf+KoEaa4Mx3tg2oTBnVegXClOakNTWw8bu2ItagoQ 137134165107366719462230252606689766470445826753581409513106273517221906418464863733870948759313279128624638614534848890858250894834883265387344539280755177217350585564186248554307335197387734431939154077778003706720017441895613190141376534460438929588407764609772857975000507660651583780079804513519571438096 +BmGPZt8XqqI1PuLN4K1/PZMi2rfOYtHEMrcwZdSjKRm5qTkd0Pbb/5zPV07TnM0uLRvIQYTLloEY+GYyn0K5gDTEZpEtQ8ee6Y87zYGDwcf20eqYNxkA7FVV71vqCP/Uw3Oi6B+hMvsWZbvv2vH6MkAeADCrezOtwqVS+irftyc= 4480956865245875120472829476982311611308898564405318773810939350829150182630548948231116574193987272498161864310429976564278532538229396846813874244969927890037756969704618336242255039858182439641759659872128285423988638335967412040624105824571426792562334458751137508116412821914961236269913776304372561703 +APqFgCIYbJWuRyEGuOStPvcprj2PILQ0JpgwQ2jLKn3DvkWSd83qh7PWGKozGavsjh803K+ZzI7P2wP+Nc0r0El3q4nzaHvKaCtVRyMwbXv9wYLFZICeM6J1l9ljUMts4tbDoPzkIy3ScU7pYxarBWqMkcBU8qL6NN1vEdkeu0fW 175922170410080716883576123079908758276229469783745771772401183721225804343343063277676406040455068452258961299511343441961963941297631097736305638850193978800615558067791016294285848963023036905095022181004058235239390870177623185946205281141386416867569004073524130001309977475780893497185890756991672600534 +APA/rCcGeH6A+6ZwaBBDM6mB6tTD8mjkrOWEo/pK3MCZ+rrErMBnFp2S19GhlLOfuY8BHS+D834Fdm8+3wKYkWnXZpGb+e3v8ofOQ34G1HvzULOYtrEiC4ISZRt2SSyz2hU+PBXjVnplsHWTRxZDmBxTJdgli4ItAqxGCxj/aJ9m 168708388929747822981923386197903561880341990893945097067702518857172133291360611402092714329372304718329568897960770488377524912057166920574319430820488930520807742026377043178502591886293565177404635365772829346030773275726024973460121300339258054215286249329967181244588558220467488638468686270735376228198 +AKmwrLP108dCGWOWxE/6woJVLRi/Kra/DvdsPkkrZQmWIlUT7IvwM4gU6bUr4f6wpT08cIQls2cGh7dbSEaO0xLa3mmtKhPiAlzSnz0wuifF3JT9U3uXgUfCZuFtE0z7Oi7WTOrpl3k3GA7JFvXnY0lwblIQALVf6oWyNETnajGl 119160465301384937485959146028591622947513292915838943629387700439301197965652871741710280647524383590817798553034250156068573474278225305190573334054718387045488098320076877626430189054572361967283632592181431701411266656256255758079114072932140551282607247364388070762970060420036793573956057551235306893733 +VTe3rCzAL1Sljo3QAXEkAdBy1ZARHZwtrj6ZNRa5ttqd6/l21g4z3iHCeGo4rnE2F8wYTy+NlugjXw86OS+XojW5y6UzTtx0HX5IJ4POqN64aXWmaklGzroBEYWeuFFKcgQN3NOxkuJoDQ6VElP7Epz69kj5CsKJUwL0SjbNrFY= 59841866347633473702601462509811342285929528424012250265905695635971518533504187799047710303717472950129869674786231155102509311322791323986824635569605105662070745033595366004805920086888891275288347907772640070278731650628917037915863439204501060041944275512863990729926528905725569467329169134226609384534 +AIZt1xGhC/HrvpPASsvVIVdsu//tn0noyJmVYh3FdQ6yIh1uce47iCsrV1yvYqx5ZTbC0vnfnbjFcWqH+HtLX/DelgvhEwzqJ8hwQrfE1ShLG4ZjAVo1Z4GCjrDcEUMlwKcunuSJssuxeQuXwTLS92+q6QeBSS7OmfxPX29CLb4B 94399298271083745508290936113986978382457275531684761701599029877008571741877683365769553170771833981099580359640421358853566501815723434822307977440496208486103754978934472597505865596938563438311337045817621762649604204720249750058676095769230214181772215323235427976398686727606000594646472236822594174465 +NIhTPpWXS82VTA0LTd6TfM+HgLgUcmvnMYtLqPpuqCKZwalAycwl0XFYNyVvaY21J94j92ts/lRYgVtHDhk7/9nLXq5js/lsUnG8rWPHJo11JTxvW+df88aX0pw8u+biOWt87vc1MW1dsMTTsJFJAeBx77qU/Cwto95IVqM7vSE= 36889590210230649939994518345793530042252563793069578097360569338647730438860274349862767107939590441616825589851005429465345268710487649366046960918184701290985280638488938340668212498212581853679035928093386035688597446809895381618260692378376844452061580510108168030682664507293277674052032318576713776417 +KXdi4A2Z7tSiiX9YGtDtxUXIfQvPhcc48rUH+Q2SnXL7fLNmr+F4Rf3RiFBRiHKocPfE94pothop5qQJ5X221/DbEKWK6s+ChfQ636jvRxojoLMab3dPtaAPpDJHrfZMxbT4ZaDJT0tpA2e+zZrzBuDs+UUgCpty9nxtdm1gS7A= 29118662951481660380477444121362422614202367719725087486810943918529894738076273660245405874301505615796632229852040910511025841576465052938308369421493312085081188509808322692130449282585522349552501983296872614029139293444558468751646868108213623606366977549477663987815308260383403466635254115908032940976 +AIOTBZQR2EJJRmoWdRNFLG4fceoS3KnRTHRpPdllhHODqdg+QxTOcOvqIzBqgdD0JgO12SuNAjLQOiz0jhd02qkXw9Y1adGuKvL97ARFtNEuJiNzFAj7KpDLy2zk2rPJp4Lp7cjQs0fe8BQYnTzTsNRGm+4ybln/gse1YWu9w8y5 92394618277596007469808288231093678404089765494062813665106014405059399079199990128824492247005602685377185496959522609467906358619318009231448503013528692450191782140091818984176967246749464502089280153086163239846744554575017530385347720563798041108608545014076448155956762636929707905789978331102411214009 +NzfbJRBF4pqEeborJrjoknJgpfK+DZh2k9cE5dcElMPZ2Zn9im7desWGiBSQnu3KbTO4L/t4+m6nFTNcbIJnqbVSMDHdsfG72rG/t89aOuECQw0HMVVgONNNa6i/mw0jZSWnRLD4fa1YgbUlMd8jeqO9XcBDB4mVtDTxyeGa3vU= 38775530011374537813502898274019389132620116890266344603221997943675706375698597061571989090674289834838060050848545748579361837989319487970580969082824601965845786771062335733318139530316825802589479118956745739691326447349403950997231306042638797277408335778415717988679050762936401945487285814799382535925 +Y4BVPZ6necuLSwaqYEPeZp0lt9tTGFl/WCJJbwg7XpyvuwYKtzagC1NLzY5ymBfwGFw1yRlQuyGsYd9mBfC99DuVCIeh0JNrhJN1bNfoSzy5UO5+dmTr+dm66VGSRS0tFcViDTfCIleTV+zxo/xuZT+Bjxq7kZue8zGkjp42Kmo= 69872189501616471647606976308259279995249122669120675885925763529037695584466011511740991152346215507625265226811128801733353566555339153627478941716586678793853828514394269931890370517258825006937741437480128878717892485074131232336852490940507703859793477547154689914725314529986438108117871674332626168426 +AKCP9Mto4q/a2xNqM4N7PekbKspwt48OGPre+iqVwPrSP/jWKxg3CvvLNZzN5P+/FiUGIklMMFJ8w76OaHIPqKuwckj1gvCLECJEE+UAZWrNKPmpzd/ootN9/kQhNMuloTFCyhXAUUOXJ7Z0WVLb2u6fn4zroszSMBoWQEKC6lcq 112750701794692134675959811050012620191158543234019977304167102486465198271340022889272244811582365901584420008564301920174477182946432553537794834985703732129975734658113610563794129371053853971031300761815004524681756388784922001759202643614966614186697992611399618828963452661554240362943588548146868410154 +APOTAFA2waoAODECaGNgCHa8dNN+cjMnD01M+IeQFytzo9RLMzzzg/gpTUFpyLtFMcfbCkDYQMLXwE4crTimdz5sVvjGQ+5fSFQjoDY6Bw7MO6NAcLzlV/sI/1WyNBKaLQbcl2720n16tdUcdckQNnV+cC2J48CVxYM1c7QQlxA0 171043636512232272455501595416608280460445723238023572475354665686544174728784633443479486247342724860289312593374524429736857970220153680852977711594899595712511352458264354251161579203922747468321999465061463474727943140910084880926005209538535217464825087114791420210981711903880998556269523363208766099508 +AMGpxRlB8WVnsGqyyiy3/mzrPymtJW1o1HcDErK11ZwQV5PwTF3c0THwlnxDmcziLWHSWgPQwfRddVDCXMGW9BffJn+XO6aTcWDPmDAh+1DbWJPE1aqApGbHvQ8HONy90dQMZf1ayuwceWCVTuU1wnHdo9F/sIsRbuu7ic2OJDzY 135994898408425255747055209966103741651849229328236418804928584233229830656742052333413774490626915784901255640138520158698845938184666683995579777154437927013722740366497459963753542029774185193376253885864514386760437194444013834088425088260658670140534670789371556026135595577395047002643901630053097946328 +AJAw4uDYdSYkOrjtwJVWLv3pi1+UxWge4RmkWKqVquTsAVcT2tRZ+MFdHM457Hl7fmFIyxvGZQy4c2v1AbHEfPR8ID2sCRQpdcfrxEUZPMDqxfnHHm0ziny6W4X6ggdBzMp/sBWaVNTBL0e61/pELBGYNRGFMzGws7HQkr/sro1D 101254336834199527040756567675327011562230719161388328289463594628690618298993695452746353237675715087353241661592074446889034411683413957950360025295995263477031608845241728493807755308798509893719674568267846671753070163272328014412744008880395248474446310603301447848026040555910147467745595720879397834051 +AM09TdtXgYL4FI5CGNiVjf0T/AN/pZ5zZsBOi1MAUKMURiXnc1x8VKYTqM9Xb86mqNBBqphynIQG6/3e/YbGJgHlsSdrmKbo+P9daMr02I/7Z76/7Osa8+7Ky6lhVCbU3F0tBH4WvopkCQmuJ267afgvDD5kB+9uNr28deMH00cY 144124056591600568767398029380314564902309327093641173350205276895603332085753288682409279238417493662029954512382520307259348748813767324609446500382301421328754981718014234615523158887865271179104711373675849713359713282937065993613915015084108700238420759344034475478243507306107546245540340758766909867800 +AKDhK+/BKGXbrbBh2vM61OP8LN81YwlJKe68KNwUu4tjXlQg7i49Jis7QKPI/YFPUpSNTu5N2iCgeMnCX4+r3NAfivOao9lw4N3nc9bi839SIWdlokhwBHBYmCIgjehUeBAdkU4jKqlE06pIrpRmSvBtn7O4aWTbT+C++ViYAcGF 112973480670453665543892521898882856059335781900313607790238402438320486344365203510769919022496690291280873287383392088872774202832124927485754495093552572232234532821756395965072330282810574669371524103814871172318519695921477775100282448247625395376072233777533359104085023946019406729587713120941266551173 +ALxDiSxHjfxvP8ETvpE+SyDPTS7q3o3zCK519WTepygC58KSRfvDnIVIyV3toQKzgqD50kF1Ni5D/wuaSs62y3zg3kELX1g+WuBCc8+x50+kDtbHXa1Me3et/OqVS/QeppkcjK1UZMU29fXze6P/w6aQfvKQkE7koeQtZBKkYc0p 132203344567902304830160099595561253300484092355345272411265169562971473393256361094745618829297250316196312398486598077249124198329075791740755862221465178128527292695331061023291345396067863215552021206609309872689233899464919108147533679134727064586730810633196817136739658243232643507412032417747255282985 +VF0YUTvy8Mfi5o6X06DEvLm87r72mAtTdyyLNr0/GXlk0Xj3L2Oi2bVUMtcXQNRXg/mkdGP88pgdaP/eMzqkUU++vJ7t3UgOC1i3SHegpiBhhZh+aZHH/wjFV8Mz2XZB5z8MpMgN+QwALK1TT2Pyt/feQTsOy0imVanB5+OvCeQ= 59242171319056188000481457618922567543461456096441095927600135114274111606802456239311634638536207588762066940095527920532936960549439269891703098017342732142860571277442598349453761561189719823290643146391349978698217357430495238876700400634593256155537598291759795109752990651995982467695091946768443574756 +ezpwBt0N6QhTusiPcKrBvSB6yuk/KShTLUFQHdf5J1u1fgDYrp+aOWuXOFVfOd0bweiG4UxBQNXB2IDFWfYON0fBoaDqNk/41YyqXBSkKbiNWLi1y3zPmwTAiwK0PzYp2EPfk/t/j0HsDbvebu0ygcxb2tPqj4EQ1TXEdD007kU= 86533835313999945727720083706940213467453975054116752898416709637030456504024135513972566184073843025739226187558143854850980654667596935003124034699919861200483994576288766702308068265526535622439762454501169018136389983894783905946543636163866717367545972667876983557989192393479830223914708619684891389509 +U8BT26zT46tTZnkmTNxGUAlXbJhk5cNi4AMSd8fSvZHm55siMFGJ8Jl7mtdzEFR1UFAyEztf2fUhxdtMLe8ei/OJgM0j7myQ9STucEwnsShT7QS/DjBmfvcC42sl1CRpXkb0ZLrEJCPf+crtLKGrG7ExS1oawIAgALBiMQIL6mE= 58812148564290791415180898639607206220554150794356494356250223429674091688305329629529905854147200457536549527135776329004085047145097927266797668252160196098870200925284256433894773392353678965699083286106628662506590268955650280670838340651598082083455821825076016227525614626726458235627297885815646710369 +HfYii3U1SIkBZl09RHaGGA7H3np+qxyNeeCNY07PDl8LwZAaaYk/bHPeBVboan0I2X4o78zCD/gFXFBJ4rxwwUsVjHEioyO2JcpV2/oDOelJBD//78WzBMMSWt7ZKbJV9uYr9ZUM0BUD3fsk1esFCEdnDJdr86U0UMmiig2R+ME= 21039655953870571289679214995029926285040274249531458675115179004718812090027267801012507748013357317597416722235988917212676802092082137617336199787762782958420742299451435320649616271885264333948336627286638368859041172783505464468640994920853000441536629081040963398001710173320125308624362209157720438977 +AICOlee3daFyqTrTdtWjVb5M2rclh9BpIo1CRvKo2bF7NYcjrU0/VvbOnTVXDwdeGMLupbi76f0BrfDxYtkzMXvIZlgoTit4g5ennnklDHFBC5cogaGlri8U28w4/h5oMunZ1O4ezdpRgVJe9nTP/sSEMYiNS5IA7Zshdvm/XccF 90275777798511290102824338787811725003177532250296755103300529948194832904403489332420505850668003332750291879153080212231952155092379375422537931240723308384652734942204313672973885652497290433943089371705605128843469306776615573873479312715317072986990219294942040272550822460408702072075001377245051602693 +L0QUSVIjxvE201b1ztRZyOOxy8vkUz6626TH4tbLwXjjc+AhmrvplaVlavnOgHqve+/L18XNuAYP4BqdxIcWTx+yxBKm4ZS92dRJdcAtccvZpEJtYjdJvI6qbL5Ph6HluaVZwp4dyFyXuZOJGTfYdTb7PUWM0jNT/xsqyjxSQ2U= 33191267986826803728285073844005357792766429917696698533494382218509532051029343127452480789088572904364699220151221680328978554239767633887572649589456766209242252549993823283929686430100804479376247660556781589549613316880150951333982646510273364068770923588389668733632648346075516618646974067295703417701 +APlD9ECKJuACUmQUsbd2GTOpb2PgQVT08C/5hyNEVdA5bWoICX7epmoCKCybdolk+cfEBP6fSz33j+Vn8MbeiHBLdmF6ETbmcyOjldJ902MDvU8dqAa8IgEZN5Uh5x/xzN+3dqk9o0ji7yi291u90rpfIh85PPpDat2B4l5zs9i5 175040148659257809883308984693597046378367187659749953472629929701758633206586720399909808941145946314755491399962797299295431089674294356220216615950668954164397362123668926410543898553191541662075745481299747832013627018846822876386760538344447600390187421938699064459451308870669878673306013635576901916857 +KB7N0tE+A5vFhyrd/m6Qe1wTihkjqmBn+rinfmMAzRlvtxIBSyDLzQsOQs7L4oTG64ABU+YwcWVijvoeZNamaxGl4hatAH1pRqmC/r8FMvC4vqiFTbFHzQhkjM7uoHD1aKnxyBVgjMj0E0KZjrRxydZjIR2p13FXjLP3UQSFtII= 28173452509830313810392326357601136401754938805266458365469366750775669869895498658593356375710132149836430968810246171974040975430205200958564616924399794768861923079158311829444850822144940112488994119845741191519421434257276977333662656888696213514226866147767570046232093727585815615828360199830275208322 +bxFgV7eXwnbQScl4VzS3RTdcMW+NY6pcGkT1UsqHIeDVyBb8DnH/2/Z+DX3zniR1iW6FPdvhJJeQyPIax1ohILa11R27C1TLxGvTrRBGUycxjEcBIxamHveBsXbECWusYLEakeSDg9x4BTWMz1rTQajkorBoeEjYuW+xBxQtXME= 77994515143740690952370766995249847650881300682406161400195705464876513409097078624084133111941171517535435606295232558665316819077765607639545069239931096306624817379462598756505457054433358548941076472902905065316335603665413114267741896000877284610377452471067725794013283338924419969559537339967562669249 +AOH6E2eBzD76QdTJ6QbR/7OeF7AagUif9pEYx7fMqrIsXCJKKpLV/RHIItCDYP2WO4URCaVueoAJe3M/Shj4o6efvH9pf5Q8MLM0rn5MTHWhThivqYQDwjCp1ZsPgq1VFS+gcnmwgHhj2W7XzJxiNPeRXlxI2vL+XTT/wPBYhqEP 158686346608862569574095184731081143351413141116869402750758091813874232272198082464382169470744476593016502816563462778075467588097653320101723165887488327616477297401486647183409348122990505635004320879840358339260797834264972100385692477324858942142372580281421734058008608134075577990829273447077276721423 +ANDDgNXOB/rXwmS4KEjiHj7RCDocVrMv5SU0aw6AJzNTBfseFngqidXx2AJKOEeG7RDDN2gzn4K4qJktF0AIPG2JbELlLUu0MFlpOLxamp586qyp67Cl9OuPq3UZTyQhIsSIE3VQkvxuQkGsaV1owDV3BKIWQbQEqMQI3yT4ELHm 146598844784260148346676185962272439320781765598895126402049215152385925250917998794921584290777625240122575975327405909800121511343265147922400813488099624745229653124857224399973509428158163452130086943873214460600035260925149630502192183407327427517292065083168010281295559088633086659209316582810260124134 +Vprr6oBnWuxIzyTZjuxlKSdZhBc0upeNBHVIlXpQEnN1Q+XURKzp4/6Vg/koITftr3SMSgGpE7LkrERMGFgYaqM5XZ1RXYFKT9dRJnz9VRDITVZtdkDrU04bqo2Ur+jvZhvg/oHBDTgQ4nPLJfHO3+GEmUtck+g/wOVozMMgufY= 60816213163057201559480662231646403262735082707152897397414589876256824040344252799972529759737904461369360580708093117244392116003622336721789703580184437841209963565058475060017600871779929808204093448248984201640754565635410002090180110910120481044515630478472999135146756643143415057403006410330361346550 +do4LGsm0afQLHl9alWF2RVyEKPxLIErsf4pTPgScRE7ZiTSVErbCDeyzd/KHzhBLQs/DhHHcw+OXj541cIRm6jaLVKiT8EwLW/dVG0AkVli83sFh2f56Kk+bCGSKvfGEQcGLY2k7nQ06zoMlYR/xbZCka6Q6kSq4YBDQgigQ1lU= 83252051731120517035090523892596419800592471447735288551342681962005778435125655090199060145942826521644585427683714084736143440310518046334877897672493531918539106001203807757254797471481884534543367685912500572052457610702790097953420236852480969038388056545966568595395722585797418296411673622376893961813 +OL2Qoj4xkqRrQmuuLwrABG3BMMBNGjfBtVBNTdBf7g027Ghkk/z3aK3jKT1EPpdiOdn8zXYBSO1mTRGyK3n7Jo8ICOcnlBOF6cZtDsb9bvSVE26MOD2wzl6irU7vzS+s3vGBkN3AazrxPD4czk3xezA9y13DJVnNzgAgIQHEols= 39844525812817530522650122383059885756573694015271773938493414420875846359054562126060762455794481186614035892021706051863945033061233991184379580556219478200155757966121832613842937722944431875100059046588723473670448006803481527981834627086055642349130254917244469014754132003347635357123155857820000494171 +Ljgn+3Hcg5DOf6usRumk7P+ZrdTBRmo968HdZU1mS7LwLW3Hii2KNkwMV7J77zA0P1pnvhMSEEeh1RbCUjLtSIbt3RIcOEoc+aO0eINF8r99l83xF57CBI3MDA3AAbtaYATy/NUXSC2h4W5kdsQuR88139MFi5y8E5njqxHu3UI= 32456338403763561215581247445990611953939298888251578685087656354454727113846722731945605696397627662593375001096230320486703167389461057538581895745078593206660798580358701927596287363374862536765135996838944212622199018632046955402325290145163082309469649329852148345837780541107029165352782710901375425858 +AMt5/u+ZUNm+Xsucr4RQPUu6ExAOq/Jbcjm/Kb2YIAaEQ1czIL82wsu6YmpHcfMaxLjY+EnaaF+eCWQPeGd1av919+QFbQPeh5DT7ZT9klK7BFyVsN0nEDJQ3AMMJqq6lm4sUeVxDVTmMypYnkzRl7jqzyCRY1MHA+o2LyMECdOg 142886089970163885609957244378225169093559131065687633458877059657380607541767850701139140472705242750285722732461954100519608059127637509286558848391554697942686619832870045594188204522385787253648018847569919409782188708374165437385572046835539379151066214153911415525465041951116179326632238059135825466272 +AMvXeHCaa+zk5VdB27KoS8XpjSUngaw7Gwlq6e2RrkEOxBhU2rGWGJ3fhq1HBNRxDf0quqfYTMd1speisaEr3cIyx9BhYwB6A+Nex/Sf9DSixezhcgEz6c5CfwUYP0QTTOiZDqzz+GcjKikjN7DKJTO0WSXMRG8qX8FBbH0rlc9l 143142496664357119491819741364830737485524654099662921673419335301323845847085335210884201567922636945282124120681371777665458057821603161276185071778040317947168899788341482064834489328957963447735297898161379277478278414388733161844053774747425459239004132791029364174047523473372650441001639174571312926565 +AMxoMXHfE2i4khsAkv/lPtLQhbWUjP3kxYmlJkpacpicBB6z/TmG5zjmTC/sqzBvBn3J4UvMzKYFyk9/l7Wnuc480500a3S4HRVtMtirPueV8v/SPktL67eN2zoj1VZA/Rex0aRGjW2CzEKGwEn3G2bZSgdT8hKv7AypF69ppjz6 143539479941314279463880342636704987025205547180882175105616955926182352311179043850344463145750154442573797875223178075233807385237935671604701513551125937539235111702655902037518920150424691586943553275517626347557879039695678271564616114192941679606063184290901862703975921261779714258077775731727612132602 +ODvOKg7l9RCn5CePG1FfMitkR5l9+7JK67eU+WeA5p1YXCcKS8GbYAKCtXPD2QfxmQcrNYfAc6Yb/kksaq29oW7MzZuTDzK0HXY5xBc/fJzEuvU51gaI0PR3cuU1qRlLqwmIlyt16gto+2E64BgPgIKJcAjx+TfH/EqNeJ77/W4= 39488587053253042573878502921384752550143716864908041972426777545317969264945056510991363961916339225192727727267483337259701961148978214005913510275048195308792987888118270387288989623193626554910652030960235845935461155296845475356011099372367616732243132816329531758943935324760665826550992788664237161838 +AKkznyQtB+PGvbVroM5nUIzhJUjiNj7q4fC9sSFbmDgvehnwPElVlie6PimH2FKonGV4GSaxZ+osil+9omfkb4rO3pq8fy5KcFSw/gs09X/U2eEEcUt/4oSbjs2NaMIxQftM2CauULiwfkWdkMFTBkHnh7Bbyocc8dtmrBDdoI8a 118817437232756222334188081193205110010964766506378146125932730686679941224328135190204402802650523704343176483564284220367074983943319572348376466341132480772885833789613392397284313483009178508647973749522358005819092779831781339778163122774381387989185969990310049504391258988402795259963134610905036263194 +AJfwWA7XnYbTjlJt+9hO/Q/OubHkUkyMYrN6Jd0cN5MG9Rg8W3i8U6oJxT18p4XozkiOgPlF1lE7hIAW9KRKJKGTue+iw0okLq5UNMu2Ha6l5/wzKi0QzRVTBnQm2zjPlQpgUorBBty5mcbt/B/Y3vOE4I3iVXklVtjQ7zIBHaNK 106695084438708194568048926154027115609888551145480521213711726807296356271397749432698558860759334362315257102647885062353922543502466463770991058956633500180245599467233361812610650830611712448187310827443315947425061886163301613989593906515923245020641415290300558869209909418659128196109640872398602216266 +aCXItk5XhuNrbrqJr1Qm04U4y4AzSKDMms11PgVcdf5fCGdizibh6/oZqx5OitM26nRz2vob8F+ZIP0CIyIJU0T1M50dVTbbpwuVNdv/XI6gHekQt0d2g34x1TQJIcsT1VWwGWTPNMtht1hezBAYxwv105AGKnqdLiz04YAdEk0= 73134927546833985031652237686088635686032103401394612286045377544136784429757461671691980910279873140130943470029643791712859175007885735170485461366406852784845528918253441791024065848540598601036357817496637108534035807393364939272891745520961269029038360205258229770737579266643408540634722493263322616397 +APNeoaWlyNa554OtHP8F7GAY5V9F7LMoF2ssg5wBmsgGFktrRH1C4FdyD0COrzIb0Vcko1/HiTnA9JXlfGKc3gTHEnO0gxBSDjK41L+EIgUfR0EhAD9iftTaCoBM7qZN3R1MYrSz3sevQZNMFOOnRrzwWEXnJaPKAZXvsqPzOIF9 170899982929163229592439208307232242235219591108657660041403142612622997092685093132858257827585941687488772925553142105567685213341947938835403410054637382864108739466539574004149772568683507025358331323655651148107044968424043673850583150424463706583215452211942132017052425497789362680979074312857823248765 +ALhwBfBYpOk1pfJcNut0C2fEAd4hhYU03/ZQBqVe/7MgpEDjro7oMvSdba5kjH/VBssmZVqpvuZ5lG+vI9lXLukhwRKJg7m67HG8lZXvjDmjU/PCjxBPNt5r8/DziETYmMa+fhaMTw4hedZcwDe37t1VPIflvM94sBKu6be9yJAn 129516480651398210587505113546142851617282590236388547627336279692965778911450075230961856270046942312918567973875005814982283590898552829322178788678196583244198944578081007477482775130405341039067711963061287597331433268366003672643052056973656674139309732186091974604170508497340243515339072325943686631463 +c9vpoiZvtnj71b8XguD67WayOF57QgOX4V4L++nG2u/RY9VT2+0tJ/C4NIawVa7ScQZAPVLuhV4J50HJX7FZgtY5n+lwMzNo0av7i0IqTS+1BBO8eNJy2wkCbWWBxNybuNnF6OK7eXdPb2Mmwm2OmhN2/j7HAr0cD7rK/Hnif7I= 81358980280155473712258342299472964374474635149963153129588784719499494479288254287754874893180126149146558961101860327826747785201363745989346818037655063262173536227595206355647880155693272153902647256175878517626925488264893732295267833614283963802283320574654949992393798458265266551024756663538388467634 +APArEXNLzDydcHrieLDReJryWxFzcsN1dxjpJIVGeJp6itsJOrUtnmXVnETtaZhWsmN3/Zh0R7TgJ253f7PZ/Z2xCEdqF0hs2MmnERSywdWZQ0a0McbDUUaDjBNYFht1wvS6djbI1b8RfayrnEZ0miYdzrrP1ntU+5cM1QBAvj6T 168651870043094856205824264282870999215855903395882323164614939540734011037112413507417141209480771157672307388419164831992909066097194364645695794831939514470650008210390333649278806163193463937050083854756730458780288720541495880958909249273048328511615821480782977316719631334570687241232556472064072892051 +RhGyx6xibf0OvY1XjnmX5na3G7emG8PWbvEa1kIjR6pK6K1MrMZnxFefXpHWInFS7ADESNI9LHjZB8VW5QrjRVPMksgdEAlkhY7MyQxaclUlShFl2AfKYBfIIro+vg7mUMzMctD+07BLk+jejRHtPVIxHmNnZrZYds80ve5z3Xw= 49204219353786910100605282012781696579642953908541693903348594981245301165936599174304121350092894937817100350990938057159324959104937469442065996667276651025661016077514839755853073999975805394464570132481314896694678249282338429544941873047382467276103868995474424700207571657816852575364781281563515280764 +AKbFfU3GL6NILVyONPVD/X0tffk5HS//7FBp7n6JKMXu3VXvWnfTl32R0WyVHk2yP0iIyi6SUusSicOH9ncO8KJHmaoMGN9Fn+Zq94FTFqZne5NxHmCtwRAbFNDVGg4FeemGXEe1S5Kk1VcvWqnp+QgY0uwa7RtT8C7/T+1pZlwq 117110890075563714812929271250884717870581483065920538069845585667296154465072587148155060755111295509684258790280104272121160614620669593483929827848744548171793187278583947500205314283462739235860439216105116687015890394925743036369717346234391524403038196640934551590543386844279091801685432977718405127210 +AJ0xZ9dfRc6P4W31bMHBymgOq+38ETEIMvMtr+wB5WTcsquZY1IUB4IVkrHaOo3W2SIr479IfJOOQhmvyRS4iB05yDI88Z/fJfXarkH53gDivECuo+5+JmV7e0S6gCvOuVamwoQjlK3G32bCV2946ry4EyIsVZ6Alk9xk7X5HfGU 110384671994603894282707302829898242894456931176497230904862171369974466400767175784681299142670706023468915238955836087425993929524341269289746060546848852729416925808186253355106621584826213979718185296723694190658548757311188764342751280681935289121682174507629679900374674992438818324999211250580434317716 +fjzmb1D+YBU5Wn1GlwhxjiJS07k+fXxjeNRbOv5SjktzxOXmautO8xZ5ACOlYrTt5G2gzW2PU6sYNfByQ0xoUSyutOuQlD2r+8MnDrxCo6RxT3P0dUSX7q0IVj+oLK4GPbscnKLfe6KqUcYLMgKnDYnc+ztFD+csL6BQnM9WMLk= 88647261832601702291191332432291274285041869480562430895152086741320122435409959711452438332192792226899741738806447713240934608106883094466050154088410020909933636902495700779087737304255058561688767369900548260278700135161077055869478387490726087630962098228537973426295306997128615315548440548541717688505 +YDg99aHkQSh9RjytWknbXzcgLD8MrWUEHF46yQLHYANKXaQYyf3yGM9TYPCDUqWbOapqQe+XfOCoACLyRg7vVDsnOPRDI9ZFUgCQBNG06ZOxzktEhnNJoRC99da8jyodFqqk2f9UD1lVa8tsQdatjUDocwgJaDAOpYEyGnUlbXo= 67567767932654827067250684965667741848878457020992905661955722020937161710030993261011062929936964216357930453809610708591260182295097124272956485574313839759737390934220465669626974544253750900911093325004172643146669082793591441922014060981070503803266774197958528843445580649512373693546027107823355522426 +ANdsfO+cNtWsbT/QJHGkYAL2WCHWVPrX6oEz78pO8lUwiigVEow5roLI5Tm7GP7XffjF95z5WDxzpoam+Bfp4za75D6ZEHQmuFnpWQAmNLUHdKUE6UcsWN1rbV1uY+x+Nr5Vni/M7PfQi1yRTTJTYav40tFPb9rY48FsUotivoxd 151275723772668372472508916060743043308364940375633847663054782759325087560768667906829087958412643723335046123025802453213225972572697773468957759328009026531148112732519692142632237595562259864125679649273054426879080697360204352423668940795473103047320116317252295126635024518179060076282921965794883439709 +D2Z8YA0G/vzEVVQ6itLPUC92r9n9FKRpf6lDPWIgpZOOfIkukPp7zzTlo9Ej5IsBrZBbtGz/eYmlHeZ8Y9pQj8HFW24HeKYqjmR0ujbNxI0QgoE+VUwPVg0HhoQsOGmq47zpXpkDwpOAZbMh/t1Bafq6r2zM0qmiwOacJ8KFUas= 10814483230552506566705634583020057064935800294861277580077052473134972003523900930560478187758928889017740705417070994563709463926267126567504805864719383185267204810142444719634360655595490833208838383875687102074846353850310954150927702228780599083427768247170427544730791038729428517279760042619935478187 +XoZpSMHqlOyPYJS7dWSRNDJHCkjbo6+DECzu0FpB9O8bftcxan/06Twbo5d1lEqPlLx3w0XeWtrmCSCaeVcXVtlY3QuPjdKPv8LBnnhslPOVcbGyflaTPXU+ITWE6rwnIF+yWQl3NIwCV4EBtCT+3U//Dt/Ebif9gzfKpKltD6U= 66377743237695515693282032069691369056215169443985727092982918806809030742478033317158686828712146024066618073633406428345129492010236994055590530566431286733776441810601990431112187030942086686719669823512292071202675269428014136307286941704297995292544712278047959299939833088742083527714893795660235870117 +QUbbkyJQ0Nru9c/nPbphM6VxHp5DWlai6407KIDbTGvUReVYI7de1gO/BFphL9GA7gDareYoMuej3/SVp8lEujXywtXzjiI+j2TzR3YYiMBAMhsJO1wU9pxy69Cj5xeFFlrOycjE9sPS9nrqnEEEFNPiK/GDDTHj0KuNbWSCLrI= 45838919357034925862751142472777409057791233610959872523563363744902783251621354580995921495295078179996083468819097423327554678806691589090814275138081407920379810144694354354954459732280968086760894209634364189264517251735804373673532012530665557440070501687207620525228416650281363557992436992284712644274 +F+uI7ARCeAlnPLO1YR7RJj8LyhtE/EJMcY45lsNMff0YeENe8KOITZVxNA55FcxDYpg9sKi1UV3/ASqkqpH8MOxWpBdT2UwSX3oBkp6ETfJKqiag0C4MS8cQVsfcKF39BJ6KUE7X6KUEj11j2YIIRREmLPyZ0LatG7dN7Rmv2iI= 16797235966984072293396362937533957334369977688369659112225970370748312376722010874726300554329794854683394163379447263409228872034356195791733533528404245739693397078461712458035888813157166614479153484688995068722288153129390850561042173295997770817893349738328312152341860704179681230323810266038959856162 +ALkEoXznA7BJlBIfA3Avl9kygQcxexEMApwduVRiXeYG0uEXMQU4rgMJBlPqs+ly8LTIcLFaLnJAG2KFQn2GXz2TNa7w4xkegkrslIJEtBWX/lc7VzRtcLbhaXEs0Ci1ValnW9Up7dYOj3Qw9eNo/9M9b1fD9TI+0QXFtp1ge728 129924120553920201168632484268654219915712271781591182777925696006023100660478316445751842982460082888615429513674356810187315558964251402722465707617058251479494744427428152566665405423424700027316505872162698141109433045594670140335040479559124757490095995568556894332243767736124299898808796118800328801724 +Ki3FNTEE870E9GaNtbT418CLSmf++s6Di3hzAy8NgiDOFo+uuicJa54V3JNRxOBc99sl/chfZuaBQt14BFOQ0i+9rm2KD82okNABd+SNfXOb0Ow2taZX8CpkVJYDyphFPyHbPIKmzwMShNx9X2z9w4++tJgzBzGcFTPv1nhAlxc= 29618953883711174042338818332957726953262658484143534778541769862244883781157097499904047532839425875312731531093860721544220959674634750905085721866390609141599426547378130082409488797303960018348798930232014390380383063108812922828160584483043190739354817699497573863286563890071313017508437166939160221463 +AJq8tcSnAq6M32ViO4hVGiHY7Tb08cLVyxpl/v0Y5adYblvjrbsFcCmsNDi5PnBOBl5awR7KZdQ1xgq6jIs+SQbccEMvJvGUZW5MgcHrXBj9XVd+8oB0z0eahqXpgYBqLDeHLU6238xR3dJYFf+Xrcrzjg8swx66OmQKkAQVJtdq 108660120968150664552423780971948386965268856900017812123107864829782135741514930439461240950044759098603910762272795612101834680870627850178371693837566833495418727543557712057554231215186486008080050486837716071537742708913279026303380104388546316647349432118287628353129105425052237438199445863950767806314 +AI3mfrgcRwtE3mA12gSoQV1xyIGy/YA4pCCvja4mTjvzQOAfiZL0efadxZH5awohCC1SpZDCFsE9yYp4LugHKu/A8zMcp4k5ena8sTPDkSod1yucjybgmVJ5h17Pru28AzHQ/YUmCnojQv55aV2+AUhxzIfojY+NT2PKRqr+vuf+ 99645829268436288676280252226747461064597487404802430565833102291706103139410465131373666856042539909746769688396958963177805479987372681967013633920910376342526433530508868114301205524789149997372160919406352823342811006288909548557622230243808373083272214426118230701324879006645047374853535922112549545982 +TmXQ+D8XFKSclXwnTIH8d+sb1IV0gfm7GagJahaFL6A9rvYaZ0NTizkG5DQ0RmXyo0wPmLork/296whsdNdUxVAwnGFlWWvMV0ftR1fOvN9KoT0WtVZ4Rmu6Fuc7q1PskAZzIp7MkOAxILO4iX5dNuVC+GLZYIbpTel3Ga8fXuU= 55052751096768041533898435453266875315629605001878362193939750978427494147944918632414581744895066623527980497732722163665712245580312596487741856071020477624754815927936394948233480228964159047139170955663289543349257377302556035170334384320502468579367401821986660515827461352578142560630318492817238744805 +EF6KIBWQiQoHOnBdJs1p+WIcAv9ILt0cnQVo+o/2niOtI0C+eFBSiNgeddhotkQFgHvGUjq8BPYgtLC8A5IFKGzXu4SYj5ziagka0hqfhVs9zVHKNx2NUoMhPDG5R7+giwEGGPOayGHVNbsBf1FBYG91+mwy8hnNbhcHSnvLGk4= 11494909948912248031301686864833544028186348338729984264372557659364976118965740281229664413031002362633393381744365783802034700038490736736266032000546393704814403638058993380993275865674190555703046732456017652317200288968188655019374159412919163798248766655991273308390043613040731449231289437754791500366 +AL7wCh8tkFe07qChFAzRkrnNehvda/Teroj65X1Bmcr14+/zeJlZDObYRYBOm8YYSYNgJekcL3o9lLFE34sCMbSJgm4dGwpEVexiLVi+zc8ndnqBDSAnRqtC+3jbInm/v8l6cUvuzrUNtzXIQ/H4FrmPMiVy0EMerkMtkfw5GBsd 134080980697158076909534078193319899756347955848461100874771253577754225619652121295523443912922220564492468474647193062555347746840044705102003079330399499915801536721237211615317000955332058281901995149084303143543150689010335818219129745452688372571010816270728441637278434982752674030696337642893239393053 +APunLhlblRi3bbRBwSV8dsw8h5SvT8ncAmXPnca+e1dLzrQZzL7P2OhFope0mW1MCDl2kJPiGTdK3SiYJVsAFeR3r/0z96g3oq+8uS66T6VaJym0QToMsqQF4/fUMaTo9HsukyPyOgjVIU+6TiFd3SxQKIu1/GpQWVQIP2pkHFKM 176716779397275986910036615967409090183531310366246043951791503601618945774743601662530806467045971394247287367421508126613573039423674729894091424105133906122821596079925540513892022311039293333114333317886304014722168786051080135090242879622144693440448171583324154550086458411590240882982297314605229953676 +MM6B5AgdJKe5OLlPzcXwi9WhqQjx5KsnBYxxa3kWdGNTdk/IN6TVd4Ptn8lWkLm78mw3DXP4Ol1sQbIfkHRoKFUN6TaWg5aDCJBDXyHSTZI2FDc1di0Te1SwziYn0sIOe+R+rfuLuHlcT1xaZBgL6+dDLAZaZza36UEjn5i/pTs= 34273208848307582992498656582721015257885595139328466874135636009184357438445251703533153492315835793684794951576799764181908090765379592683793969576893243386892292517067596035059342970830813419330530731370385186653239446376170533147020072285887964430731437765184844167400169982662183791828762458682426369339 +AJK1dx77ZA4F0sYCgRL1LKSTvjGTKBHd4QBeVnE6FKJxIow82puqtsVZ7TBxbECex+LkLQPrEbuQaVr3giUDjg0aJCE0D9ZVXCUS06qulqcCCdWgGFHXDOQzTWDn6TlJCGxtTEMbMxSlUq1q0iKZ19kwMHiT3GydBn8/G7tIYd23 103022457217861194294329435482792508957642944252832971366936865663608381648431732294396977429863681671686490913575377744795372643599438468695483808375208871881849232129651519218503507811863794426234594709451104684234156597418383183271923307418704786548452806494411689822939919114966188329657999811363991575991 +fPZNsqUYBbVGA2FAiglnByxGJOZkVSpj8Y4QNW5wq6o/1e/PRwp0TLYJXIoCJRs82pAj0QDpQbHl5lCZmNxEIQP8o8xI//HCPxPIdgBJmSfm3VGetrOpqEGU0KJJqK4IsjoVpAfPFMUMOpGNz9CSvCHGk1AKrtYvrTJEKmETuig= 87751387019308584846595931543798879607048239290774788042055795835726250309378365187899578817976976035304304847968410200168743967600896348021636654074952051821111673620467434295067182213181329543946368332581250062140819766061014427755090798550122401239987766844126425179573454145697756278292448630509686471208 +EmT6DUd0bxcdprYhAnycQaxm89kltJOlIOGFFRmEK90H3RhzBGr5PRVTJVqemFVpVliO1gy1nPHgqDGVNIE1GXhrhyFJU6m+HJeNcduippRe38xPCiuraRkXao79X7WAiVYUq6RIH+UIRnfTvHBgzTwjrOvKJ5853hYmGaanjh0= 12917015385266582065020051081997430892582163827812227349569911846746592973268746845211126663077128575098045461893559476227689488349263954564361736197688317585888118974603264677576027836032271531903881104937422976121352854003385726888601980526287956222142458858211589791399646989299770657341412683499692330525 +APtOYyWzdY1A/YU0SGrtjPdMZA5E50Y3hJVXppwuuSk04TjXzcbu2Sqp7sMnKYbToRW4nB5p2UnaLPhTRy0yszOd1auLngW+0ttCybD6nTcVoP65gYOwXGfSEQysqKLb1OfV8kYq5Ba92Efn+CcWWWuS0wEr97W5M/Hccx9bGu0r 176473215292413922394356058789571494026727424839036665031567966488209592078148711908841964690807374236235612412767651029865069639786447019874344449598703213025389428836803984245755885691094364960118900160737925054803955567361126391353868279642836569627177281508980029006921064654964339077608785831304875404587 +Vs6bjpYfFA1R/QTeCfhMuZLZ+Zxo6wxq1jFZpi5SBR1LaUwAtOAj38OJC8L7zmxSOj/RGEmJHkulI3E1MH7P7xlWbY468/azfot5fX9BgHrtptV6Q0dkBUg7H91+tcxdbm4/V0HGQGa2rZp+XK1rO+U/d0ki6iNbsCsCR+OeyvI= 60957991334776853645581868230398759578123373154273044785333939425321390401088800849629483265841435899835570419798325123273632247193463641611211088549152950252041797959644227170492417662363676228611376046334386877555777556575818860902071813120592757466883038430756577949025778080997296219236534786815367760626 +GiauT9A+wmwJsFbS2OPIM6ultIbU+kT2NgACn1jFAy+vNBahdfHMCH0jJdCs5TbmKTCeiEf3ITc5TV1OSvIejJ0GRkTf80nY47TAhiP1aehZvMAv59NQHHTDUE1U4TPVYKIyFpm1V1A+JBHKJzuGrB4lvqB2ed7k4m/ZD5lFLMM= 18363925023885496669420377869542744504974590667921570026763131637088916425434675950812384919000566852243714758512996458727914094904422651029609645299422563453163291342992902510788457007623888307499601267675322986672697397389663297565071582648674012080122614260400848960757021864980761735684874056409664531651 +AL/9KOZLtZu4+ZQYQsmOgbST8F4RV4N/Z+l8qsbCFlHdXHqTTkcN0chsccE/3KkVTZsAnAyJqogbAvB/RZqttaK5a8iKlOEoerUS92FVQw/42WhsVaFggR9cHVuvCD6QqclZjSBQKQzUMy0YWPWlycAZDIv96tooA+V+Fk0jbcFs 134819194171226950171930028888667967094069342154233489571728632904658607624703819928943642011918061760802468868660586005724399808048609316802502143143910585363214684061242274402109137825176291816945489430125510625857564490981683683589784133305376252294774711594646923226452625156299996630452243345104727556460 +AK5x2N/4+PKlsW/fNrw76CnE+nS76Rd7Ugo3IKhMTB/IuCc5xG4MQHo5MlWE0oVkZ+Gs4CxUpvD/WCCjHHFlSxKG4mC6ehz3NVLglBt+f1RWfPkF28JPd0UaIOG3um8kG4J3JDN48PXOPP86A0H8ZYbE5+ImmXsGAcwvScUQRInU 122499245103202714319465533564374494931278163571999934877854825659720649344163774228004853964635693562785966889622928722984134944784141208867445419597834322541679973956606275877526560988151196822256754309120410807075405427166696093800381410682490767468563176131997424692783482903880902119461752084196789357012 +ALZ12i0hqFhwRAikcoahYzH/BUolhgZ9Jz6adLvvTO4wk6LLOpNC/zCz+LjM7HazZomT1SqeYJ2X+WeGFLADHuWo+Gp/I3S0UEneYHKJxoU7OoOtE0mB0BCncLckHao/LmbpnQpS+Lx5bRsr0yE6oWNea6gbyRm/R0to74MI3/KK 128128022342420083856194424802390993133863171077961467523372211039771843125192435716337829530528063182315478279257832480290950255315151577221042903861075751839976362752440630888566422581799720709574650482021111126414843635330535518992034746102956214991673417580508389225948159518319625680855827280146399752842 +APXxvLifWgehdwdTRAJP5KrchRzgbUsyMWKcPGm2ZkwGDJjoTl2LIOOGVFiL4CyPBxahkEHf0nMxBN5oNGX/Y4W4PuOAC8gMgHzdLkPWkpnTcyoe5DD+fQsqNuKVw9nvyB15fx8k0d6b056nfFjnnRqgybby7MSllAWSKRYRdxVm 172707950911363219032118650562553641123743396229371815589867086054370029540557395298194067635069298952836929253340374819975848769009260895874615676938511747311585257140973518651959463416682165208985512233703837931718385346209362040743041262031997793519095342415901373534535662377972036003546589624834285049190 +O+9ohtZ9SzGLJoZM8IRQAjhc/GPt2X5G+M22ZidYjx9WgOTrZDXorSyxLuHxay6djsJSgjxYMj8MuanYSn/DzPWBB1Gn4cDmIsfeYuzO+vUJ4l6d0nIvBg9Iqs61/PGFd46YxhnDiVQ9HEznyTjzESnNqc0+/OkQVJcwNHAcZBg= 42087920806448980363073662127262313840530298932643042322138035915324224188032438119079107631420338701086802583985117830416851550991102672642532160807467909040086448764318690465254898516502941122327185894900817634110254371864896139724173087625913998657136384357741816102965779105122269429701537815263708996632 +VJOZmvqrqsIUTQSSJpZPhbQIYN2tsfBhAciWnfAYpwjK9/ts7OP4Qgdp6T/V2EsSRPnfZ0VKdLg1CnEWDhfcODo+/BZcUrJ0AviFAEtdeUhoMSWXtjel9Ln2guHY4s33z2cN70+e8gfjes65lCzrxUIXEF4nKxzKBnScoooQP5k= 59391682001673484862915842850714742391303140646889359425353339320546979084250010101273851580028171449840778038774656177449549941659895629203970455580974953864068394275066532699748911169800076515776388213090834432354601344176559839798153004796057709798368011673585434643656820656931921831615507416411999846297 +FRyJCOgPziO6RDHX1JgYGZRcSAuoQFIZM4niD/B0twK3l+TRpmVigKZAJnZZFtmX+0JQkDwQn3lcBGQIL6mgy+j0hD58U2/Wd6xebuHSzf4OHVGo1cYoqZLplszA+hVCoDVTHi2YAZ+GtfQEggumcNVxqfEZd6D9Nu//hm0t21M= 14824975573460749317081504809641216868382341402512168178334301409725840669112911061147252565570697788806398498723577368905065980113760265945344671897779830912242224090954834750057278285419880820811348943398148063418809729356397202526234113316098584002071850758705282845646489058224513019380757604894853946195 +dUk5LyS7mduFJlvh5o8R73kJIeeTh0Zli/y3XjtIXfCaNRf+wDlD/pX91JEwsQ5Mvj8yq/Uq13QyWhoNwsPpXVcJtJ+02wtIn5darsBDfzcD/LbWhl7zTRUeMjZ72gAWi1djx94SWjrZJS2oWZU92Og1yOyKRG+ua0AhHfYYh6g= 82361050315899968537319599868832189063658136463903643442673674137187842597528653416212822014359684261704550279153006971937114135373937934986951573613797195556144113400128502946618028800530164890707031379614952207482505803377774320259789692177752930767589642007257364960987343146063216186985472686575891023784 +AI6rejwEznR35rIPuIz0CP2aWyhRUR3unJ90YfxyuVYxrqOJQGSDTSf6SGDDw5MqpZXa9pWuwpyrb6smOq4ZtC3Er7lipJfXDjhy+0k1qcfMjmqbATUscwXGpgW+MO71cttccEz6vhbjndi8gvG5M/vfL2l1jA8nXuBd4e254dbz 100186164434910864539376019601151338080943067893748898987236087770762310617199833479771711726248130012472861788210345311298499515751355424063761182369333224929721733015910055321263016834247318907562652286587380604998130368845939290804442878127169587599285040969551065995197981341260363722618429042861484922611 +AJ5vLZX0fSs8dUSBqd5hki48T9cYuR0atxR+qv7cRu9nD1vP8uNVR8dLitg3XH0RARt3ZmOgi/AuggZt6tTxuIBg+9JhBY9WW+BLL5CnYWHC3AKMi7MQBWciLtmBpyF152bDaEcV1PXxtml2KxX0Ba0C+hGVDmJSdi8Kjd4AkfU6 111256341508463539324514225759801553679558662737345522765042612717818066374840372549356543720386819501973783940451033901079765311790026584654529398345993992144903839534037331533660672892487693477412528974248713261092693018326068480417183236210881306241164169849090833681510163753605662526243408192127670285626 +ZhXtSzn1GiFfHHnSKUYZiTcEWqlI8owyCKFjCQ+VEvkdk50m8uN7RCQ6ZhI545tN7Uy0WdLstJhgJETBYLHHIoWsJn07mgPxuyO0XsqNroICMQEOO/YWQFk1c0VqZifcohQAwJj7fONzM7hTcA22/7gVigJ3iLq178jZOJsEPQs= 71686982768953132894579286530164112027530221141251507987469672039995314435159469907420372652392376452531392493658576814100773556880394271726970628960571077839124343525055625420896355363707908511865700866168843075071778015504724409171911254647909938237551680861008772396291072284353858575645679153885560978699 +Vc8Cw5m5yI+bJ5sUJYm/F2wyZ5x3D4ydyL0uU/3eVF2ZJu55OOlC9pUyyv7WGExClHvWpR9mhMnsqCLyseLfM2Q/YXJ7cjGPKp2xd+fvwHa4hRi1FdOxs96rJnb+HUt9hTwQByXgzpnUfs7AqrqaNf4WSlBNMu0IOOqDdB4iVHU= 60256873326783629723455608618518793848697944184579877638436234491615392142659293975260290798403892159720925893207048153291000664050780029732557737984085196691225472664027706406879051455184548871511448456651238810812870905640934953489289909009741493031472382758586341375517766302753448531830002512912250459253 +QmeUn6cbpE8YrDfMETz/+KVFaK+d4NHHzcdj/MnjcmqQSLpP/XwCW/aeudlN3SfKd6rNo1XZefunZO/ek+PHEIy899WzjiJaajhf2X05fl9WuPEaMES3Yrr+ClogFNQ+9jL8+7L+J8lDuqQzvchT0U0RPay5HSNZw+ZouVCiQ18= 46630904037845609335515965570673490721137364238213103678233212262384415738654627185220187275286458759154841820256007930773120637898228224906635911124921895934056288121005350040349882413280772888907627838315559544636626856478316691755270725623680935763476199888127096014398699432042227882284223578563208692575 +ALUBYIShA4w5kRUa6iNF8S33DqaprdOWjVBnO+j9CCGtUh+NNwfpKR8AKf536MtuFFtwaQvRIlkLpaTYXuRxzyU/YG2+UfRQF3pEmXQhcMxJqFzqZ5nWCIWlJ/KtYS4lcC/B7hD2UGAktnIdjVUTSxX60VzA+zxeunV2iBZXQlEs 127106299687401374061881872616647348819431126560557369258073443762502337592227172639640997680536372567116568811258505773087926491911004324918919511363985868314578663758269650473780772688462266790559846182685481907703974916356209771821075179827563487466641669110315430790405454641953880582274165368514679034156 +ANyAdMnVCVjmUZGiVdyvGE5mUQpKoJOJINqMAfzVUGvvxXFmGdoAx+xsDRNAP4KoijpXk6E3yPBPBZEWyhiHnyjEkktK/gX6gnb745afS0QIlsjhKCk/W/BHXkzC862Llnc1ZGAIsERnGceEoZHdICfDUh/7nMFp5WuSMzPB7nEO 154841617115465511611746667401422322067517612306328612547616471923266281876818466022676728696273611923942543658633762267658490816264271663863494188027433799849037906883352478212451733963905925106470599843045599411842850386623187980045961158399934160107237440980574028985561404965317132715808604373199725949198 +AJ4nfhDe+HojR2YrprDHW9FVUxsZvoIekwlNL2iKFRFcTB9IcEdh6QnGcaRinev7yEYUsL6saSxUj39uWlqo8udJFdszuuQUmnloIi34L5uj0m1OpLy2dawpFQr8pqyA7go4ugMMj6XCtiVnISUcK8wjHgY3Jed/EKK8k5ce0Jxt 111059703393618496515021583605572584329116596402705082562306930876194742195701060137568030171429700588269665205795898835699633817098262654446852249498668467827435829513531633390969638488553144849154126899372953755511962841193763362947708260103832329116485114451074371844037650417731807385491783373627950406765 +AL+heSTflb2MkRYFTKghfzqlVQ1oE5vcx0eCIsy9NJ2NGFXCRRvoGDVoB8UEsUWIRnaA+MIpwDKGpbOS8kRQrvBvPe/xM/t3jrGkaS6pN064+bCBx8Y/Jq31ZXNG8oUol+y1Eo6fkUKNl4EOetmZWK8VmhVwol5YngDffj4Q8ned 134567692290185631768518572983694048149859804864902017394351513816079806629664302312927579302025923096596995134868068794900003728293470554490807959649153000914807604036531509869958441069678002226922395630284261949256022972967357884468325217602330254290548618134453007903724438628204981673400911693835033278365 +AI272d2sbYIi637kHZC+6lievgcDvT5VKaCnus3fHwm2vfao7oYu31P4st9DlqPWJ635X6QtLkU5HgvVSy66MDj2fcOfwVL09ffkZYnoGNdhMADVgOq62Ro5cCpOdw8Ko0cCyVpVIaSysPuqY7kiClf9GTdyZz/uYHDgwWeNrc4R 99528854246023003959943182132914587584844397870416002887630245681136432049666385367430032197518895755482367603560037194955739661569172773017279832774100155646116233705958563163070414171045438199561777058338188494271322834524386565519620661180246416329082614115142485663975718653564590519408413408765689056785 +AN9S8vPzo4SkyKsk07nfyD0um1riJzRqqWF9KCL+kWMHajurgPACikYzu61tL7l1mNEaIU16Ndz541o+y76DgsTLYszu4KXUOEt1Gu3eHy05Fq18zCDlNesSVjkZjPmuJr2ku+p0cP0TLLMn7/KuVOm4GlEVc6OvBNZuEzRriSYZ 156823459768092337875922818543729136404805918580285507923139232733465414368775678369646914249412830351437211620056021568154043505276475345347569200977945836210758870414054407438380975491139001471954448623922841964684437333066353208837709613982022690623722155151315252634380695513434502419141555410441456920089 +AMc5H8kywLgiT4zz5xgoI90jejsHorbqUGtBeX9wke7zyvEKyWxRKScZwzRbinjDZzN48eg/30qTZOV2Rw97JFg+EA63iZ0vqfF8jErIt3hODniKX8zayCuNmiSb5kiZL0UDU1SNh8ER4m6o5vshBKkmqs0PeozfCGQtR3bZXlx4 139899247405256530335276706333424670310599977544642091674186635734421385499036688803073040921114325725234673132788498809189814711681909865484671959982394306416477300458309408833281654917008031099378445580498219376391819745965887864647387211647794422908411100892195529730435423964537342228510107659017578765432 +AKv+3H/TruTX3wdMWnLzD05em8u/QMl6lCHT4VkK+uZwBXoLeji54Tcs/hZIhj0Bdj0URrRt+7JdGSTy4Sr986AtVFxBJZA3lT+JT4JSrq3oY1Tv+tX/yg8ZodQmbpQyyfaFg3BgeHNmsUoCrdqhj4IwBqEXoOBRIXnzaTuqqSEw 120779384043726135670909127168686589868907326577918074234323699599475436892003731971700278391108690400460261929381703781833059801757700386671579819341589048987186473249926590758009001670959004477454905417357202448886738669226760846888369186457452643053236389556969071303251275912453385963613554945645058007344 +ANXIB+HxOyJd3YYsscMpqZpi/eYjZi5q6A0MohU4BiWEJK/E4uIObLJDH5yd4ng+hn7UMhc+R/AxG88hIdOc5NyG/QyFs95ZLUC26F9rkRifu2CBkgqR5EQi2cgwC8jGxQOkC62YND6cAn/ILsKTYaH0iavtO9Tz04vQp9Ypc82H 150122383481070201614242107655752525590609186454390549085509458064289390813495886095936526832230958746095739308601699615024239939948911472291507190108935262129646691795733786714291498653838550751365834947465294261687773081563139416397262227609481906371677917295227469553787085145970923979142676551778927103367 +ZQLFoW+dJ7vrHdMlcLRGKY6T6PZKnE2L3NjXymS/55my2CDBLdDf3oXwLlRjVt9KnEiXyQzLhyY2PrFA4k3N/3P5lVDLHero5c36TMshbHgbIKRGN2CGWPEFeQ4j040IwVbQCPJeuF3jL5ikCxWZFXfeEnTL6TqumLfD9yLQfKA= 70932215714423143395949105745758445705072524008235214324766464113352968998429901322485575506330607802260244612268338586532462314021433435523464635419846126736185176246740838082062856583684393425704173881940108783636582561707441482446854068022535943408999200681879161519209676205165680598258447492092651404448 +LzzvPw0FdtM2G/RRiqoajJiIH+Lw3jpL4H+08yOpp1bNITR2Aq0beu2nP0H4o2Z1/FNr2hzuGakkAhVbmmRXc8keoOkeaAQAP/8OYxHpjrqou3WPWaKx+vUCTSqVYYf8gnVKpAAC2cD+3lW+/ZJ538o+c0ovbUKNu1u1j1OBtA0= 33171669664542509840621265032202455391098253465550501094201777336478104142847268103467889435377685359857979277521589539506627375165485879405453566052091202280471235979376217319335800766353336252760793484157724210008639813552207624049019149744883918494762511376489708611103181576211531366514802868659603747853 +APrGj1lIIlxA57DNh+bTEAFbJK2Y2P3MxLShb4fPx2aY6j88k3umoe07ISQLf9PzNPeml4/0I3w0KNd2x4s9KHbj7NsIT64lhO6eQSEteqZXZGXUYUyNzhrTbAjt+Q9LVKItQhsTkTW2HTQ5RQZfGrkL118b/I18J4P+T8CGZdDz 176100632478477421621142147788721746818712752858710594712903769452749028606541677227413333567013253138397373757811889654342173021761934591400685421771460440213093509170325205622261487145789848227404883040799927313402244625239515162996390018403365063394514244196976794479529075569412676472840544017222373593331 +Fvcl/LemWk29I5LCjU1QedTjGlkvFF/kZXNkRJv+vNZ7qgq6pX8WB9yVkk6AoclDYAhCRfKTKuEpR23iafVuHpprPfNXcqBH8n01kq3U27xqIy2hS+D6BRBK67PQaekq31EB0aOcEb/DuNaXakS9+mtTMx6BKt+WoEY+NkzHK6c= 16126868736093163702771491576570380743773057522016869811780571865928979861357811080042796140032050364543242385458140594532945509386155523162799601656485075247603490060565663264947465987286983338572455184901756399862440455644131755848583379822279676555143231305246033911608913609591095831135803702269767527335 +AKW8tvaB8YZ7J5W2lmquBniJzUhRfqFdPZPqvBoMzR4cRh1CMNdSFsYsnsaF3KolNzogdsxFpHAaEMG6zSvpNJAoi4nixCqb5SETXrSLASXvNjI9MvCoE2JCRq7kMbjPL7cem+mBPWZITGUI6KVlJPLxQngHYSFxukqlx7jznwJH 116384596458828069344020651216200368975621068920641012055593076864629080375946542748377736186556382088448816531408136815533164209947323588157210859294774679831647934533061547276394884474877353537242203645373945111105805934070657589374883764420038511061919092743520704686962593876316976299391579463759429567047 +D5N2P4FrqDf7/2Z2BJsqah4SjUtolic/yNqdNzvNEogDKZKAJyGq4zhnHvkYXkEm2ueU/FDPJRqisszG0oULdU6c7p8acirEwsGLVh4RamnFRgmQSK1vbiYB3bR+P+iFX/bZ+TWjN2Y3YMa5UB//I6Zb5kEIjmTpjY2LEPI1e6s= 10937855369372570149476727082965401421189236366492771695094788039313362971972373068736123833330006002198346944149230147444718818161877123407713821100752433128205189334393732633989950841577315682292180735057952587083688644195300641998709155269462601925653013312848413290208844194513502358901613104779186502571 +V/A1ktS0xrcwlI8xrYqvlLCFYrdVp8tEzZaZ9iNNpPH/pzVsA0WbnnUeHbdilkje+4OdoX9C4U2xaOuWOfvqLR0c7GeCkSffCqyf4ZsBmjy/BQL6rCpxMF0gIHXO5O8aJ1h17hy9LTuNzWm4zVh4pNFuHC9L6nAcf92udMiIQzk= 61752386563628388546439207444896778638632243226541303179646524864765343154194512297447627825411023405896612559648434895675553567405277169056807223959390559391191382555701580549902639604424290133917402316755076644943742815711432111554988540913643347167948778404861099845961151998728662878854088239266688156473 +APoPgEKA0/r1FYmt/Iso6ChYK6dDU62Y+vH5h/LVE00biBYG1f7aL3GdllUTN+XQSHpqlDw8CD+9xojwZIMfgpgjOwLbbe7Aso460zLrg3R8aHBpbVt8iZUgjACwPYr5UyKbFzIAWaXcnYYQ+tCO9aDIuOz+/7eIF62C81zXFJVZ 175598490446477604563905754135475294999639698464908622773037381109011373179895295130424828038708319325919451724985361900259676699137657615076219968061941008972496322083528922054390781811699677037439989404270415929836486610353098273115864435328533577114470407444852521009919911888840405368858409835197558461785 +cL54ymLJhRx3U20Y9aUTIsXy9Ags+XHy4qk3F7uJyO46eiXSL7VrrR9vTQXAbETbu1YiVWfslsPht810eUDUVaVir6yLnXkywn46Ci42FEvVoTEFjO22uYcCh8nqB8H589w/+lVSlNrcILugwfdfCvK1iZzVimOO6l3qzfXToOU= 79171550718114578361958369278761819285111811576818442980166457146638966315793211967882077899426611721874954146020093740153495693185472340728106727284441726113022873005252623222594060645383105757498856463065370975867121188445567981809371870213273555432308279508351518168027875538720367440153667708369625129189 +QdQN4qW2QZq8/fmSaqlRiPSoDbhmF0oYjaY29HcKYGHdlOH0AMJb+RUIq1aszvVtjh7AYay2TNhaZMWQ6Qi3c42SNk3A1MVknT6zqiRCGjNFfxf/matbRLbTFQF832MAId708vrFLF/o2HpekMkc5hcHB6bkUUhEI1NLcMXwGck= 46226230186280253581676626651942823886592433541360244612432763620730826574920825070086312767146345247802570752482654580909236388357139147786783758670999083804670979821212991224400629053427330483809790366665043598754931511997925850227997764381723288657884346974360232490075739442406431704368767588177525348809 +cxHvCK/dyVDvaqCCQyLeaiBGA36mV5el+1lc2eUTkHGUzX5gU0QQCEp+iSXNJhIOON8VFpKOFsziuV0Z+3cegWRw/VnxnjXcBh6IDKdupzOPB+Yl8MA1ti/GrQjLC6ikcNYNjQT0ZThL7KTqEvvZJH68WYmD0IuK26swjNGIGaI= 80804939616399473443737611589382762718815989847332356984276911837267997590368701684135326680567847542004499684038240485603420973682522792156533112356849436451918522884749244246467852622918805139990256619014116276456718693703261686778030658826952213058982142604346352178078750879100976710761147710018148637090 +AIQ3OIZevkYoRGBmsFaXJobSfLeInuKKReVYNjP5VEPoMq0mXTltY6l09/rQ3d1JjsMD1PfA7emhxex+H9t3leBIfCi6Ux34GQEjXWpQc4awuiy9tbR077HaJyecvb8Qy1FTnOHoH5C043QJzrKYT/sFXjgB60piI8Y0R/hwxO4r 92845026347218330987427785323244729176754623818531419911990153715676845614711324345879159989637824921793015074978358052562420379797956750450245721653716740651389924718711940869162230097839047895842495414221110468446944827052871968998907462191349838598297775847512250220907563815783358238473966349820476321323 +LoG6ib5lUh57rdmSkZSWzBoudytFohS4uoU/uly6OaQDOi34GeNVxu/yr6RszJyL9JWkGNgFaBIv/HirH5zA9VQAL/6kpL93a0/GQ/nuHkHy3GWZPF/2+yJ0PfazQ40fWhHZfRxBngWslbguFPjj1XaJ37YzpQAYb/+QcUai9ic= 32658152290878644668906121702816147999633088014476055330179597550087921141413344679134407016170035735846077181424615228657687216737432274043674411132745299610950657139041836412322040866250189120286839287690983293111362228893996267791120043532014262644480689231457941173330523718758287779526551822788227954215 +AKu2jgOQCCfYZ3CLkXEH44aO4TtwMPeK/eq4FtNj9HZ9FxT0LLNJh0ZXPOaPJjgznvIw5C7/hNm7rUs1JeV8I8dj3nbS3EVERQz1gc/ckYB3H1bViWREOD5+TScDusi86YO/z4ar3dauKkg5kT1kKDuU/OP5kNMWvtJjHc4Vd3L3 120581042599355202025471829872601846477331097842315143148145881424071317426176264583672725691485724160094190478865850305422057632110749683552966861219554215519032344086824849470294473808177223497912069335635933312949412445851201918768630656712413082629164792850095444166888072453190903931430551124946191872759 +ANLs7OsR7oBM5jSjVADrk+Mx9d0TeieTIkxwWiJ5STKNQmW2EzPOjgbfcLhbYEhzzDFJveXO2dzz6/c8V5oW2yqg7VMx88DzEbpQnQpk/rOQRw9jbI4fxXNJHkNZCeysEVvFfLJb4ecsGA0xJ3Aylny/jP10ahPv2z5K99edGZSU 148116916208650944522110872759145096907599612943009577897396622287067669897712748449324334650112672914917664881091633448764667172850435775162090891556266912697811031318228334453406561952979778127173704706529448647577013482442758465809198730066784986763500579667100246958959793527011919373534159474250508506260 +AL+Er3n1qj+SBsZVtOMJYg4m0CN+DE6gRnC1F7nPvd2XnBe+QE0+LKfcpUDHVNxoydW4BDzNVwnUNbyjXZ+iuddPtO9hchVEI36UiuL0ydeldFpOZ9mtHJaAF6abd0MlHw4vXRf8CbOvXb5N4s76ggijlZBjRtU563sSmBcyq6Zt 134488725667189507159811764480908602790838430340670328479145818969651133017546803581865897303917708192047926432630297993507146075655594931523561067937580218599890162311074002344315818494246433967228889645359283635389151927472221799543158424012020308449895562192866672439712148770104592027035768027605661099629 +AK/04XOBSjjPpuFXTDF82RNWnKqZz9mJQbS2B5bn0ehFnBa6j+B+MazX+AxXTL/d5+hPLT1uexcnSMl3DcGGwKipOXg7Dtuj3pfJXHTrCqXAUYrIXI+8vKVQO55yQPGfzIg9SVgetwW1sDk+a28ZhJ5a9OddqNoi5C+dLce7ZtNb 123560902006294001923570614486104726169564351074482936927091682096999779538353161007361361829586988452098646362280351148131540524964916445100589671458589346440250329883789099771417949746709217272531950438336245613419967556433467843237384555807236658182067742367748737224684334525934210197178231424396818830171 +PzOEGHlihiveoWFAALY+LOfkRJfm0NUF/uR6cSU/tbpGAq4onNpr+iZIzEP5o3JBLOtDC595/NBPI0fzaXl0vQvgJs6KG8iKANjsLKQjIpZBkoKhdbG9MzTVQuAeuDW0w3sn2iMZ/v2dgAzRwfqmQYXJr3I2BbcwWraIJuZXw5A= 44381416070253681813077725822442106641846565789204187691647505370231831464947935035197059366680327425453811558282831465960889061956588244308214943856009686127871667376028831540813257349779756631357122923723235595360268572998278795110672666089470210929411514949652537714634611421849780859192966935514197771152 +APnuduN01GS9dO2m2uCLs400AR2lX7elOnIPC5U6e17qbukxWYzNhilZlM4kdGXAIeYpzFdSIW/gxRMZe6TXq9krFWRaaPyT2QwRfGHYnazS9F1QNYmW1zXdt+qVp0JGxmh5PyDstbP8Z3x50/E8Mb0gLLPhNAvzY2Jnr9A8Q1Hy 175507868985304663005133968393406051624825489142498103948374797086106732382869120248515993626061853699363294022457032257026588816021007648668265488426495800459085474654859258116280251546902009156490112550154951965894022789029787886785376415437170872937201839249103828294508088966180386198213606090453461193202 +QHEhL4iVzNdUsfG0izTEepwTOvxka8t/9MwuF1Ey6kxsI+ry4g4sJPgR2xMnbtOmvQn2NitAkfvA8JPCiL7a8+gmf+DVRDjKDfpfrtgAVmo+3rH+uJYTrKhAp8R7ggU2xIrvbIrgeUj7ieThPI3Rtap+IdkPCL853JC/+oKtytM= 45252649968839515171157821292772647085425694172492111870169593872127007254353374581972876464918186509502070064028725519394859148593053614163356612260257013360168930649423732336969778875205250872728821432415158634190866775855521719727700464116412886964736859295086745723651735554245035077902615220578218265299 +APeaekK4mVhEShCfM0mkRebcg1Iq5CgrFIEGOoh1nHzgebr5A9Wrhm9yD1Vd3e+fFD9urDRB4y5MHPJHX1U2NFToC+H8nQkFXL8bfd/9Wl2c7y8m0Mxwi53pLIdzETLbbfeOOtJvuSYYT3n8+/PeMnJ46UD8OfqtnFuS0/bVpFLS 173873040145444066957050580959132871919216036714423404143335635770937773583761934638398867981658394368476005882852706046614562314432695052874974848076542261910660410561876043187368112065303981001507235893831108658530338308496461162623683138693880482650786841100027392293758260448606244283355655751440485602002 +FqC/wgZDPTUoObPFSH5w4QR79zj/O+ZiHGTEnsBMwNZD3Gl/ClRDIsFMDDupNLgwgXsqCQbpwSOHOtAvUuAFwRpzt5B7lwIgtP5ism/AZRno5p+9WVSmUAM3glHsNtvYydz2MkXtnXzSMIR1ZVoLrdwMnckE4pbMzggqz+JZqxw= 15889870005716350976759704672045310928616256175405784574141006779373730686049218680335525720670897894546334915362899913262232170795516176419192840427996647372619000239408311568577050460995518058850793096827271653902583271225799114408537346367483775593212272587811309978019791973449354003275559762102731778844 +AJXNbv2AMWadF5h99ZAUy5gLnVK/hMaakFo0ZedtPNRJobxPmwj+h52G+Czd0U48G0V0wpdeUJC9v/4BhjzhCvNhNsdAT1+vQXDuteYQ1aspsEKLQ6b+NknO88QSbRJw53+KeOY2xe7PKOa4V89XnFFBF7wljRnIYrM8vvcqVQDk 105194875227030598769888785590198577650278341586165110611689226597424766274486797264032300493674927704016605741286512271390703088626381669060095573361828932336327125438452066548897528158329044309005232090053420259033538936293519762277428283316506398965916381374819450858053512398634116052299066189424983605476 +AIDRnUpBHepjBqYAlU4MG/8JxzX1mPxVNHpWvnEVgvqTQx/bisFPpXrYs3jAKIR/lzevYwhH0K/8Vvw4NK9iTMFqgSnU44AZztKsoxUXsEsl1UU56UscY5C7ciKU6vjjWI7nm/uHNOXdE82TQXkk2WX8ferNqZU5DaLFCb+zxb7w 90459642084794142567976043425270153270545560059973413835786695756473295513758287577749768786155290305189883600338986370836806413936196854410098516254596146039255388020628703824195128439558127783534033672712705194483515442668075394018677699876614329419492391568463215822656901183478205197671375262145069825776 +AIdvVNzJqWPgAShvi3GhbhMQft+SLigKGrhoqas2Saz/bA9u9Td6fAxa2LjrAqshW6cnm2aalc3Yv6RW/Y8vg7Ho31NSaRjT4zMUenykcC0/Y88UNxREi85wdnHwGytms6Lq49H8/7EFGJIyL1PLRWPmZn6XFkegscI/HUq/hiKm 95105613103051650721863964216778532448106311156426028879315612217763044797186635476805213120469258258125661666950525364331551671653846368977016286153840829836509696804585927581668281228810410814602664419962214359687545209312836366693384158782798559255789953908588601637765910472073600954502095647132310971046 +DdchOPjXrI6lpV84IdKCisPmdqZan8AARXRLADEhixsfXCYuO+WhNatI/fM1vgv+/TxwwIQjIfG1vOZcB36JUfjHYdItYQ70vUXaVFdpqvoBGyfOTU50Ds/11iGPCF8mWiQwR30/XAXytqDZtaVJVWsgHD3RigBSnSHhnvZAWYg= 9719024770319024562623340689338530708271347986326272393419504304391837979619189392867902307307106771234732135400958362219711925045600118964223238147375808749507928768896918369395426933218443166133187066167663170936604731896932630589251946733237697936733924510107175304126061649311812536190882160340308613512 +I+Z6rdTOt26/v3dtUP1plITb15fjb6aMDvqFS3AD1+nxBqnnk7ISGE9j6dv762EIWQpMzcCG5NCCq35KOHEwRXP28zup6olOMt3CBFgYVcBE2pWOpGiO19G/iFweYZXZPY5HgIkex7HBbb7l6HhomPc2sLL/IRhh2oogyHx2JMM= 25210054612455888156900839678249806510561198051210010474517915819801056434402727631042894881559517808906460418029149538469607239850657781476308872923928122553395468026744382526167194202058040459679991391557937527079948356545086684521068912222036707113005006607012596093923970784177288565193670152033981048003 +ALbBoyelCs4UkfnPjMT3S67ujhBHBEE0uxLx6kSGZq2IOMU/QdWYPFElRgYC/y++334FSEycjS6NAJJo2ITpZCO5AjNJ93J3WYgbDLiwu1VzKHX6ItfFNEk45km+QTi07+pDKcKNd1k0mxqpLd/PuZd5hRpPDDoKBb6i+mrCb2yF 128335905497646745013379107761994003743181143126608677203818152878840562628631384684712779135591095534911406031545494164782375276574093777950840330452805743803067864740000758175436633463846967335728314347497013853264454015790847388463800323796888198433722196292529074568758149650782323407298620158495364705413 +ANwlxEkeqmqYTxw1ZwMi1v2wo4ntPaEYZYoTLTJQfa+kuIksnHW9va243HAiOixd+rviVdm1dEwzESBbX0wiJNtRBpP+bnRxy4xOBjNoOB0c/tfka5JVwu5eeskyHx4V3inLviUaj86Yck42n5NaJFMfBvhzVftZ/YF9WBITI8g6 154592850289860621115358362871905683265658659789986179554827712019629689749439795961607030363152337159590319622241556795951071651584979664762468782303706550885785493534656062553770262954861884613383561063525714923031691298088562054236178003658891902606245782350998076658704876516153027797371814038658244397114 diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/openid.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/openid.html new file mode 100644 index 000000000..1a57d44f2 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/openid.html @@ -0,0 +1,11 @@ + + + + Identity Page for Smoker + + + + +

foo

+ + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid.html new file mode 100644 index 000000000..1a57d44f2 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid.html @@ -0,0 +1,11 @@ + + + + Identity Page for Smoker + + + + +

foo

+ + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2.html new file mode 100644 index 000000000..a74c042e7 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2.html @@ -0,0 +1,11 @@ + + + + Identity Page for Smoker + + + + +

foo

+ + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds.xml new file mode 100644 index 000000000..8091ab94d --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds.xml @@ -0,0 +1,12 @@ + + + + + http://specs.openid.net/auth/2.0/signon + http://www.myopenid.com/server + http://smoker.myopenid.com/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds_no_local_id.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds_no_local_id.xml new file mode 100644 index 000000000..e6a0eb977 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds_no_local_id.xml @@ -0,0 +1,11 @@ + + + + + http://specs.openid.net/auth/2.0/signon + http://www.myopenid.com/server + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2.html new file mode 100644 index 000000000..5e581287b --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2.html @@ -0,0 +1,11 @@ + + + + Identity Page for Smoker + + + + +

foo

+ + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds.xml new file mode 100644 index 000000000..6d85d57e3 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds.xml @@ -0,0 +1,16 @@ + + + + + + http://specs.openid.net/auth/2.0/signon + http://openid.net/signon/1.1 + http://www.myopenid.com/server + http://smoker.myopenid.com/ + http://smoker.myopenid.com/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds_bad_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds_bad_delegate.xml new file mode 100644 index 000000000..db7282e2b --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds_bad_delegate.xml @@ -0,0 +1,17 @@ + + + + + + http://specs.openid.net/auth/2.0/signon + http://openid.net/signon/1.0 + http://openid.net/signon/1.1 + http://www.myopenid.com/server + http://smoker.myopenid.com/ + http://localid.mismatch.invalid/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_and_yadis.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_and_yadis.html new file mode 100644 index 000000000..3befa6fc3 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_and_yadis.html @@ -0,0 +1,12 @@ + + + + Identity Page for Smoker + + + + + +

foo

+ + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_no_delegate.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_no_delegate.html new file mode 100644 index 000000000..f5180b3dc --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_no_delegate.html @@ -0,0 +1,10 @@ + + + + Identity Page for Smoker + + + +

foo

+ + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_ssl.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_ssl.xml new file mode 100644 index 000000000..111945c85 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_ssl.xml @@ -0,0 +1,19 @@ + + + + + + http://openid.net/signon/1.0 + http://nossl.vroom.unittest/server + http://smoker.myopenid.com/ + + + http://openid.net/signon/1.0 + https://ssl.vroom.unittest/server + http://smoker.myopenid.com/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_0entries.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_0entries.xml new file mode 100644 index 000000000..f161a0b31 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_0entries.xml @@ -0,0 +1,12 @@ + + + + + http://is-not-openid.unittest/ + http://noffing.unittest./ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2_bad_local_id.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2_bad_local_id.xml new file mode 100644 index 000000000..68c2ce1fc --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2_bad_local_id.xml @@ -0,0 +1,15 @@ + + + + + + http://specs.openid.net/auth/2.0/signon + http://www.myopenid.com/server + http://smoker.myopenid.com/ + http://localid.mismatch.invalid/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_delegate.xml new file mode 100644 index 000000000..372955b02 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_delegate.xml @@ -0,0 +1,22 @@ + + + + =!1000 + + + http://openid.net/signon/1.0 + http://www.myopenid.com/server + http://smoker.myopenid.com/ + + + + http://openid.net/signon/1.0 + http://www.livejournal.com/openid/server.bml + http://frank.livejournal.com/ + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_idp.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_idp.xml new file mode 100644 index 000000000..9a07b3d40 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_idp.xml @@ -0,0 +1,21 @@ + + + + =!1000 + + + http://specs.openid.net/auth/2.0/signon + http://www.myopenid.com/server + http://smoker.myopenid.com/ + + + + http://specs.openid.net/auth/2.0/server + http://www.livejournal.com/openid/server.bml + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_another_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_another_delegate.xml new file mode 100644 index 000000000..2f3b9af37 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_another_delegate.xml @@ -0,0 +1,14 @@ + + + + + + http://openid.net/signon/1.0 + http://vroom.unittest/server + http://smoker.myopenid.com/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp.xml new file mode 100644 index 000000000..f570d0437 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp.xml @@ -0,0 +1,12 @@ + + + + + http://specs.openid.net/auth/2.0/server + http://www.myopenid.com/server + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp_delegate.xml new file mode 100644 index 000000000..541060053 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp_delegate.xml @@ -0,0 +1,13 @@ + + + + + http://specs.openid.net/auth/2.0/server + http://www.myopenid.com/server + http://smoker.myopenid.com/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_no_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_no_delegate.xml new file mode 100644 index 000000000..fbd673490 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_no_delegate.xml @@ -0,0 +1,11 @@ + + + + + http://openid.net/signon/1.0 + http://www.myopenid.com/server + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/trustroot.txt b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/trustroot.txt new file mode 100644 index 000000000..1b6cb4ca5 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/trustroot.txt @@ -0,0 +1,149 @@ +======================================== +Trust root parsing checking +======================================== + +---------------------------------------- +20: Does not parse +---------------------------------------- +baz.org +*.foo.com +http://*.schtuff.*/ +ftp://foo.com +ftp://*.foo.com +http://*.foo.com:80:90/ +foo.*.com +http://foo.*.com +http://www.* +http://*foo.com/ +http://foo.com\/ +http://localhost:1900foo/ +http://foo.com/invalid#fragment +http://π.pi.com/ +http://lambda.com/Λ + + + +5 +http:/// + +---------------------------------------- +15: Insane +---------------------------------------- +http://*/ +https://*/ +http://*.com +http://*.com/ +https://*.com/ +http://*.com.au/ +http://*.co.uk/ +http://*.foo.notatld/ +https://*.foo.notatld/ +http://*.museum/ +https://*.museum/ +http://www.schtuffcom/ +http://it/ +http://..it/ +http://.it/ + +---------------------------------------- +18: Sane +---------------------------------------- +http://*.schtuff.com./ +http://*.schtuff.com/ +http://*.foo.schtuff.com/ +http://*.schtuff.com +http://www.schtuff.com/ +http://www.schtuff.com./ +http://www.schutff.com +http://*.this.that.schtuff.com/ +http://*.foo.com/path +http://*.foo.com/path?action=foo2 +http://x.foo.com/path?action=foo2 +http://x.foo.com/path?action=%3D +http://localhost:8081/ +http://localhost:8082/?action=openid +https://foo.com/ +http://kink.fm/should/be/sane +http://beta.lingu.no/ +http://goathack.livejournal.org:8020/openid/login.bml + +======================================== +return_to matching +======================================== + +---------------------------------------- +45: matches +---------------------------------------- +http://foo.com/ HTTP://foo.com/ +http://*/ http://cnn.com/ +http://*/ http://livejournal.com/ +http://*/ http://met.museum/ +http://*:8081/ http://met.museum:8081/ +http://localhost:8081/x?action=openid http://localhost:8081/x?action=openid +http://*.foo.com http://b.foo.com +http://*.foo.com http://b.foo.com/ +http://*.foo.com/ http://b.foo.com +http://b.foo.com http://b.foo.com +http://b.foo.com http://b.foo.com/ +http://b.foo.com/ http://b.foo.com +http://*.b.foo.com http://b.foo.com +http://*.b.foo.com http://b.foo.com/ +http://*.b.foo.com/ http://b.foo.com +http://*.b.foo.com http://x.b.foo.com +http://*.b.foo.com http://w.x.b.foo.com +http://*.bar.co.uk http://www.bar.co.uk +http://*.uoregon.edu http://x.cs.uoregon.edu +http://x.com/abc http://x.com/abc +http://127.1/abc http://127.1/abc +http://10.0.0.1/abc http://10.0.0.1/abc +http://x.com/abc http://x.com/abc/def +http://*.x.com http://x.com/gallery +http://*.x.com http://foo.x.com/gallery +http://foo.x.com http://foo.x.com/gallery/xxx +http://*.x.com/gallery http://foo.x.com/gallery +http://localhost:8082/?action=openid http://localhost:8082/?action=openid +http://goathack.livejournal.org:8020/ http://goathack.livejournal.org:8020/openid/login.bml +https://foo.com https://foo.com +http://Foo.com http://foo.com +http://foo.com http://Foo.com +http://foo.com:80/ http://foo.com/ +http://foo.com/?x=y http://foo.com/?x=y&a=b +http://foo.com/x http://foo.com/x?y +http://mylid.net/j3h. http://mylid.net/j3h.?x=y +http://j3h.us http://j3h.us?ride=unicycle +https://www.filmclans.com:443/mattmartin/FilmClans https://www.filmclans.com/mattmartin/FilmClans/Logon.aspx?nonce=BVjqSOee +http://foo.com:80 http://foo.com +http://foo.com http://foo.com:80 +http://foo.com http://foo.com/ +http://foo.com/ http://foo.com +http://foo.com/ http://foo.com:80 +http://foo.com:80/ http://foo.com:80/stuff +http://foo.com:80/ http://foo.com/stuff + +---------------------------------------- +24: does not match +---------------------------------------- +http://*/ ftp://foo.com/ +http://*/ xxx +http://*.x.com/abc http://foo.x.com +http://*.x.com/abc http://*.x.com +http://*.com/ http://*.com/ +http://x.com/abc http://x.com/ +http://x.com/abc http://x.com/a +http://x.com/abc http://x.com/ab +http://x.com/abc http://x.com/abcd +http://*.cs.uoregon.edu http://x.uoregon.edu +http://*.foo.com http://bar.com +http://*.foo.com http://www.bar.com +http://*.bar.co.uk http://xxx.co.uk +https://foo.com http://foo.com +http://foo.com https://foo.com +http://foo.com:81 http://foo.com:80 +http://*:80 http://foo.com:81 +http://foo.com/?a=b http://foo.com/?x=y +http://foo.com/?a=b http://foo.com/?x=y&a=b +http://foo.com/?a=b http://foo.com/ +http://*.oo.com/ http://foo.com/ +http://foo.com/* http://foo.com/anything +http://foo.com http://foo.com:443 +https://foo.com https://foo.com:80 diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/urinorm.txt b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/urinorm.txt new file mode 100644 index 000000000..9e10135b6 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/urinorm.txt @@ -0,0 +1,87 @@ +Already normal form +http://example.com/ +http://example.com/ + +Add a trailing slash +http://example.com +http://example.com/ + +Remove an empty port segment +http://example.com:/ +http://example.com/ + +Remove a default port segment +http://example.com:80/ +http://example.com/ + +Capitalization in host names +http://wWw.exaMPLE.COm/ +http://www.example.com/ + +Capitalization in scheme names +htTP://example.com/ +http://example.com/ + +Capitalization in percent-escaped reserved characters +http://example.com/foo%2cbar +http://example.com/foo%2Cbar + +Unescape percent-encoded unreserved characters +http://example.com/foo%2Dbar%2dbaz +http://example.com/foo-bar-baz + +remove_dot_segments example 1 +http://example.com/a/b/c/./../../g +http://example.com/a/g + +remove_dot_segments example 2 +http://example.com/mid/content=5/../6 +http://example.com/mid/6 + +remove_dot_segments: single-dot +http://example.com/a/./b +http://example.com/a/b + +remove_dot_segments: double-dot +http://example.com/a/../b +http://example.com/b + +remove_dot_segments: leading double-dot +http://example.com/../b +http://example.com/b + +remove_dot_segments: trailing single-dot +http://example.com/a/. +http://example.com/a/ + +remove_dot_segments: trailing double-dot +http://example.com/a/.. +http://example.com/ + +remove_dot_segments: trailing single-dot-slash +http://example.com/a/./ +http://example.com/a/ + +remove_dot_segments: trailing double-dot-slash +http://example.com/a/../ +http://example.com/ + +Test of all kinds of syntax-based normalization +hTTPS://a/./b/../b/%63/%7bfoo%7d +https://a/b/c/%7Bfoo%7D + +Unsupported scheme +ftp://example.com/ +fail + +Non-absolute URI +http:/foo +fail + +Illegal character in URI +http://.com/ +fail + +Non-ascii character in URI +http://foo.com/ +fail \ No newline at end of file diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/DiscoverData.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/DiscoverData.php new file mode 100644 index 000000000..bf02d660d --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/DiscoverData.php @@ -0,0 +1,152 @@ +', $example_xrds), + array('YADIS_HEADER', 'X-XRDS-Location'), + array('NAME', $test_name)); + + foreach ($mapping as $pair) { + list($k, $v) = $pair; + $template = str_replace($k, $v, $template); + } + + return $template; +} + +function generateSample($test_name, $base_url, + $_example_xrds = null, $filename = null) +{ + global $example_xrds, $default_test_file; + + if ($_example_xrds === null) { + $_example_xrds = $example_xrds; + } + + if ($filename === null) { + $filename = $default_test_file; + } + + $template = getData($filename, $test_name); + + if ($template === null) { + return null; + } + + return fillTemplate($test_name, $template, $base_url, $_example_xrds); +} + +function generateResult($base_url, $input_name, $id_name, $result_name, $success) +{ + $input_url = $base_url . $input_name; // urlparse.urljoin(base_url, input_name) + + // If the name is null then we expect the protocol to fail, which + // we represent by null + if ($id_name === null) { + // assert result_name is null + return array($input_url, null); // DiscoveryFailure + } + + $result = generateSample($result_name, $base_url); + list($headers, $content) = explode("\n\n", $result, 2); + $header_lines = explode("\n", $headers); + $ctype = null; + foreach ($header_lines as $header_line) { + if (strpos($header_line, 'Content-Type:') === 0) { + list($temp, $ctype) = explode(":", $header_line, 2); + $ctype = trim($ctype); + break; + } + } + + $id_url = $base_url . $id_name; + + $result = new Auth_Yadis_Yadis(); + $result->uri = $id_url; + if ($success) { + $result->xrds_uri = $base_url . $result_name; + } else { + $result->xrds_uri = null; + } + $result->content_type = $ctype; + $result->body = $content; + return array($input_url, $result); +} + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/Discover_Yadis.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/Discover_Yadis.php new file mode 100644 index 000000000..0ca3b2eea --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/Discover_Yadis.php @@ -0,0 +1,230 @@ +base_url = $base_url; + } + + function get($url, $headers = null) + { + $current_url = $url; + while (true) { + $parsed = parse_url($current_url); + $path = substr($parsed['path'], 1); + $data = generateSample($path, $this->base_url); + + if ($data === null) { + return new Auth_Yadis_HTTPResponse($current_url, + 404, + array(), + ''); + } + + $response = mkResponse($data); + if (in_array($response->status, array(301, 302, 303, 307))) { + $current_url = $response->headers['location']; + } else { + $response->final_url = $current_url; + return $response; + } + } + } +} + +class BlankContentTypeFetcher { + function get($url, $headers=null) + { + return new Auth_Yadis_HTTPResponse( + $url, 200, array("Content-Type" => ""), ''); + } +} + +class NoContentTypeFetcher { + function get($url, $headers=null) + { + return new Auth_Yadis_HTTPResponse($url, 200, array(), ''); + } +} + +class MockFetcher { + function MockFetcher() { + $this->count = 0; + } + + function get($uri, $headers = null, $body = null) + { + $this->count++; + if ($this->count == 1) { + $headers = array(strtolower('X-XRDS-Location') . ': http://unittest/404'); + return new Auth_Yadis_HTTPResponse($uri, 200, $headers, ''); + } else { + return new Auth_Yadis_HTTPResponse($uri, 404); + } + } +} + +class TestSecondGet extends PHPUnit_Framework_TestCase { + function test_404() + { + $uri = "http://something.unittest/"; + $response = null; + $fetcher = new MockFetcher(); + $this->assertTrue( + Auth_Yadis_Yadis::discover($uri, $response, $fetcher) === null); + } +} + +class _TestCase extends PHPUnit_Framework_TestCase { + var $base_url = 'http://invalid.unittest/'; + + function _TestCase($input_name, $id_name, $result_name, $success) + { + parent::__construct(); + $this->input_name = $input_name; + $this->id_name = $id_name; + $this->result_name = $result_name; + $this->success = $success; + $this->fetcher = new TestFetcher($this->base_url); + } + + function setUp() + { + list($this->input_url, $this->expected) = generateResult($this->base_url, + $this->input_name, + $this->id_name, + $this->result_name, + $this->success); + } + + function runTest() + { + if ($this->expected === null) { + $result = Auth_Yadis_Yadis::discover($this->input_url, + $this->fetcher); + $this->assertTrue($result->isFailure()); + } else { + $result = Auth_Yadis_Yadis::discover($this->input_url, + $this->fetcher); + + if ($result === null) { + $this->fail("Discovery result was null"); + return; + } + + $this->assertEquals($this->input_url, $result->request_uri); + + $msg = 'Identity URL mismatch: actual = %s, expected = %s'; + $msg = sprintf($msg, $result->normalized_uri, $this->expected->uri); + $this->assertEquals($this->expected->uri, $result->normalized_uri, $msg); + + $msg = 'Content mismatch: actual = %s, expected = %s'; + $msg = sprintf($msg, $result->response_text, $this->expected->body); + $this->assertEquals($this->expected->body, $result->response_text, $msg); + + $this->assertEquals($this->expected->xrds_uri, $result->xrds_uri); + $this->assertEquals($this->expected->content_type, $result->content_type); + } + } + + function getName() + { + if ($this->input_url) { + return $this->input_url; + } else { + return $this->input_name; + } + } +} + +class Tests_Auth_Yadis_Discover_Yadis extends PHPUnit_Framework_TestSuite { + + function getName() + { + return "Tests_Auth_Yadis_Discover_Yadis"; + } + + function Tests_Auth_Yadis_Discover_Yadis() + { + global $testlist; + + foreach ($testlist as $test) { + list($success, $input_name, $id_name, $result_name) = $test; + $this->addTest(new _TestCase($input_name, $id_name, $result_name, $success)); + } + } +} + +class Tests_Auth_Yadis_Discover_Yadis_ContentTypes extends PHPUnit_Framework_TestCase { + function test_is_xrds_yadis_location() + { + $result = new Auth_Yadis_DiscoveryResult('http://request.uri/'); + $result->normalized_uri = "http://normalized/"; + $result->xrds_uri = "http://normalized/xrds"; + + $this->assertTrue($result->isXRDS()); + } + + function test_is_xrds_content_type() + { + $result = new Auth_Yadis_DiscoveryResult('http://request.uri/'); + $result->normalized_uri = $result->xrds_uri = "http://normalized/"; + $result->content_type = Auth_Yadis_CONTENT_TYPE; + + $this->assertTrue($result->isXRDS()); + } + + function test_is_xrds_neither() + { + $result = new Auth_Yadis_DiscoveryResult('http://request.uri/'); + $result->normalized_uri = $result->xrds_uri = "http://normalized/"; + $result->content_type = "another/content-type"; + + $this->assertTrue(!$result->isXRDS()); + } + + function test_no_content_type() + { + $fetcher = new NoContentTypeFetcher(); + $result = Auth_Yadis_Yadis::discover("http://bogus", $fetcher); + $this->assertEquals(null, $result->content_type); + } + + function test_blank_content_type() + { + $fetcher = new BlankContentTypeFetcher(); + $result = Auth_Yadis_Yadis::discover("http://bogus", $fetcher); + $this->assertEquals("", $result->content_type); + } +} + +global $Tests_Auth_Yadis_Discover_Yadis_other; +$Tests_Auth_Yadis_Discover_Yadis_other = array( + new Tests_Auth_Yadis_Discover_Yadis_ContentTypes() + ); + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/ParseHTML.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/ParseHTML.php new file mode 100644 index 000000000..e3977bc75 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/ParseHTML.php @@ -0,0 +1,86 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +require_once 'Tests/Auth/Yadis/TestUtil.php'; +require_once 'Auth/Yadis/ParseHTML.php'; + +class Tests_Auth_Yadis_ParseTest extends PHPUnit_Framework_TestCase { + function Tests_Auth_Yadis_ParseTest($case) + { + list($result, $comment, $html) = $case; + + $this->result = $result; + $this->comment = $comment; + $this->html_string = $html; + $this->parser = new Auth_Yadis_ParseHTML(); + } + + function getName() + { + return $this->comment; + } + + function runTest() + { + $value = $this->parser->getHTTPEquiv($this->html_string); + + if ($this->result == "EOF") { + $this->assertTrue($value === null); + } else if ($this->result == "None") { + $this->assertTrue($value === null); + } else { + $this->assertEquals($this->result, $value); + } + } +} + +class Tests_Auth_Yadis_ParseHTML extends PHPUnit_Framework_TestSuite { + + function getName() + { + return "Tests_Auth_Yadis_Parse"; + } + + function parseTests($s) + { + $tests = array(); + + $cases = preg_split("/\f\n/", $s); + + foreach ($cases as $case) { + // Split the case text on newline, and keep the first two + // lines and re-join the rest (those are the HTML). + $parts = explode("\n", $case); + $result = $parts[0]; + $html_comment = $parts[1]; + $html_string = implode("\n", array_slice($parts, 2)); + $tests[] = array($result, $html_comment, $html_string); + } + + return $tests; + } + + function Tests_Auth_Yadis_ParseHTML() + { + $test_data = Tests_Auth_Yadis_readdata('test1-parsehtml.txt'); + + $test_cases = $this->parseTests($test_data); + + foreach ($test_cases as $case) { + $this->addTest(new Tests_Auth_Yadis_ParseTest($case)); + } + } +} + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/TestUtil.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/TestUtil.php new file mode 100644 index 000000000..6c2581251 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/TestUtil.php @@ -0,0 +1,30 @@ + 1, + 'pip.xrds' => 2 + ); + + foreach ($files as $filename => $service_count) { + $xml = Tests_Auth_Yadis_readdata($filename); + $xrds = Auth_Yadis_XRDS::parseXRDS($xml); + + $this->assertTrue($xrds !== null); + + if ($xrds) { + $this->assertEquals(count($xrds->services()), $service_count); + } else { + $this->fail("Could not test XRDS service list because the ". + "XRDS object is null"); + } + } + } + + function test_good_multi() + { + $xml = Tests_Auth_Yadis_readdata("brian.multi.xrds"); + $xrds = Auth_Yadis_XRDS::parseXRDS($xml); + $this->assertTrue($xrds !== null); + $this->assertEquals(count($xrds->services()), 1); + $s = $xrds->services(); + $s = $s[0]; + + $types = $s->getTypes(); + + $this->assertTrue(count($types) == 1); + $this->assertEquals('http://openid.net/signon/1.0', + $types[0]); + } + + function test_good_uri_multi() + { + $xml = Tests_Auth_Yadis_readdata("brian.multi_uri.xrds"); + $xrds = Auth_Yadis_XRDS::parseXRDS($xml); + $this->assertTrue($xrds !== null); + $this->assertEquals(1, count($xrds->services())); + } + + function test_uri_sorting() + { + $xml = Tests_Auth_Yadis_readdata("uri_priority.xrds"); + $xrds = Auth_Yadis_XRDS::parseXRDS($xml); + $services = $xrds->services(); + $uris = $services[0]->getURIs(); + + $expected_uris = array( + "http://zero.priority/", + "http://one.priority/", + "http://no.priority/" + ); + + $this->assertEquals($uris, $expected_uris); + } + + function test_bad() + { + $this->assertTrue(Auth_Yadis_XRDS::parseXRDS(null) === null); + $this->assertTrue(Auth_Yadis_XRDS::parseXRDS(5) === null); + $this->assertTrue(Auth_Yadis_XRDS::parseXRDS('') === null); + $this->assertTrue(Auth_Yadis_XRDS::parseXRDS('') === + null); + $this->assertTrue(Auth_Yadis_XRDS::parseXRDS("\x00") === null); + } + + function test_getCanonicalID() + { + $canonicalIDtests = array( + array("@ootao*test1", "delegated-20060809.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), + array("@ootao*test1", "delegated-20060809-r1.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), + array("@ootao*test1", "delegated-20060809-r2.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), + array("@ootao*test1", "sometimesprefix.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), + array("@ootao*test1", "prefixsometimes.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), + array("=keturn*isDrummond", "spoof1.xrds", null), + array("=keturn*isDrummond", "spoof2.xrds", null), + array("@keturn*is*drummond", "spoof3.xrds", null), + // Don't let IRI authorities be canonical for the GCS. + array("phreak.example.com", "delegated-20060809-r2.xrds", null) + // TODO: Refs + // ("@ootao*test.ref", "ref.xrds", "@!BAE.A650.823B.2475") + ); + + foreach ($canonicalIDtests as $tupl) { + list($iname, $filename, $expectedID) = $tupl; + + $xml = Tests_Auth_Yadis_readdata($filename); + $xrds = Auth_Yadis_XRDS::parseXRDS($xml); + $this->_getCanonicalID($iname, $xrds, $expectedID); + } + } + + function _getCanonicalID($iname, $xrds, $expectedID) + { + if ($expectedID === null) { + $result = Auth_Yadis_getCanonicalID($iname, $xrds); + if ($result !== false) { + $this->fail($iname.' (got '.$result.')'); + } + } else { + $cid = Auth_Yadis_getCanonicalID($iname, $xrds); + $this->assertEquals(Auth_Yadis_XRI($expectedID), $cid); + } + } + + function test_services_filters() + { + // First, just be sure that service objects do the right + // thing. + $xml = Tests_Auth_Yadis_readdata("brian_priority.xrds"); + $xrds = Auth_Yadis_XRDS::parseXRDS($xml, + array('openid' => + 'http://openid.net/xmlns/1.0')); + $this->assertTrue($xrds !== null); + + // Get list of service objects. + $services = $xrds->services(); + $this->assertEquals(count($services), 2, "first service count"); + + // Query the two service objecs. + $s1 = $services[0]; + $this->assertEquals($s1->getPriority(), 1, "first priority check"); + $types = $s1->getTypes(); + $this->assertEquals(count($types), 1, "first type check"); + + $s2 = $services[1]; + $this->assertEquals($s2->getPriority(), 2, "second priority check"); + $types = $s2->getTypes(); + $this->assertEquals(count($types), 1, "second type check"); + + function _DelegateFilter($service) + { + if ($service->getElements('openid:Delegate')) { + return true; + } + return false; + } + + // Make sure that a filter which matches both DOES match both. + $this->assertEquals(count( + $xrds->services(array("_DelegateFilter"))), 2, + "_DelegateFilter check"); + + // This filter should match all services in the document. + function _HasTypeAndURI($service) + { + if ($service->getTypes() && + $service->getURIs()) { + return true; + } + return false; + } + + // This filter should only match one. + function _URIMatchesSchtuff($service) + { + $uris = $service->getURIs(); + + foreach ($uris as $uri) { + if (preg_match("|schtuff|", $uri)) { + return true; + } + } + return false; + } + + // This filter should only match one. + function _URIMatchesMyOpenID($service) + { + $uris = $service->getURIs(); + + foreach ($uris as $uri) { + if (preg_match("|myopenid|", $uri)) { + return true; + } + } + return false; + } + + // Make sure a pair of filters in ALL mode only match one service. + $this->assertEquals(count( + $xrds->services(array("_HasTypeAndURI", + "_URIMatchesSchtuff"), + SERVICES_YADIS_MATCH_ALL)), 1, + "_HasTypeAndURI / _URIMatchesSchtuff check"); + + // Make sure a pair of filters in ALL mode only match one service. + $this->assertEquals(count( + $xrds->services(array("_HasTypeAndURI", + "_URIMatchesMyOpenID"), + SERVICES_YADIS_MATCH_ALL)), 1, + "_HasTypeAndURI / _URIMatchesMyOpenID check"); + + // Make sure a pair of filters in ANY mode matches both services. + $this->assertEquals(count( + $xrds->services(array("_URIMatchesMyOpenID", + "_URIMatchesSchtuff"))), 2, + "_URIMatchesMyOpenID / _URIMatchesSchtuff check"); + + // Make sure the order of the services returned (when using + // filters) is correct. + $s = $xrds->services(array("_URIMatchesMyOpenID", + "_URIMatchesSchtuff")); + + $this->assertTrue($s[0]->getPriority() === 1, "s[0] priority check"); + $this->assertTrue($s[1]->getPriority() === 2, "s[1] priority check"); + + // Make sure a bad filter mode gets us a null service list. + $this->assertTrue($xrds->services(array("_URIMatchesMyOpenID", + "_URIMatchesSchtuff"), + "bogus") === null, + "bogus filter check"); + } + + function test_multisegment_xri() + { + $xml = Tests_Auth_Yadis_readdata('subsegments.xrds'); + $xmldoc = Auth_Yadis_XRDS::parseXRDS($xml); + $result = Auth_Yadis_getCanonicalId('xri://=nishitani*masaki', $xmldoc); + $this->assertEquals($result, "xri://=!E117.EF2F.454B.C707!0000.0000.3B9A.CA01"); + } +} + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/XRI.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/XRI.php new file mode 100644 index 000000000..403b1e32b --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/XRI.php @@ -0,0 +1,142 @@ + + * @copyright 2005-2008 Janrain, Inc. + * @license http://www.apache.org/licenses/LICENSE-2.0 Apache + */ + +require_once "Auth/Yadis/XRIRes.php"; +require_once "Auth/Yadis/XRI.php"; +require_once "Auth/Yadis/Yadis.php"; + +class Tests_Auth_Yadis_XriDiscoveryTestCase extends PHPUnit_Framework_TestCase { + function runTest() + { + $this->assertEquals( + Auth_Yadis_identifierScheme('=john.smith'), 'XRI'); + + $this->assertEquals( + Auth_Yadis_identifierScheme(''), 'URI'); + + $this->assertEquals( + Auth_Yadis_identifierScheme('@smiths/john'), 'XRI'); + + $this->assertEquals( + Auth_Yadis_identifierScheme('smoker.myopenid.com'), 'URI'); + + $this->assertEquals( + Auth_Yadis_identifierScheme('xri://=john'), 'XRI'); + } +} + +class Tests_Auth_Yadis_XriEscapingTestCase extends PHPUnit_Framework_TestCase { + function test_escaping_percents() + { + $this->assertEquals(Auth_Yadis_escapeForIRI('@example/abc%2Fd/ef'), + '@example/abc%252Fd/ef'); + } + + function runTest() + { + // no escapes + $this->assertEquals('@example/foo/(@bar)', + Auth_Yadis_escapeForIRI('@example/foo/(@bar)')); + + // escape slashes + $this->assertEquals('@example/foo/(@bar%2Fbaz)', + Auth_Yadis_escapeForIRI('@example/foo/(@bar/baz)')); + + $this->assertEquals('@example/foo/(@bar%2Fbaz)/(+a%2Fb)', + Auth_Yadis_escapeForIRI('@example/foo/(@bar/baz)/(+a/b)')); + + // escape query ? and fragment + $this->assertEquals('@example/foo/(@baz%3Fp=q%23r)?i=j#k', + Auth_Yadis_escapeForIRI('@example/foo/(@baz?p=q#r)?i=j#k')); + } +} + +class Tests_Auth_Yadis_ProxyQueryTestCase extends PHPUnit_Framework_TestCase { + function setUp() + { + $this->proxy_url = 'http://xri.example.com/'; + $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); + $this->proxy = new Auth_Yadis_ProxyResolver($this->fetcher, + $this->proxy_url); + $this->servicetype = 'xri://+i-service*(+forwarding)*($v*1.0)'; + $this->servicetype_enc = 'xri%3A%2F%2F%2Bi-service%2A%28%2Bforwarding%29%2A%28%24v%2A1.0%29'; + } + + function runTest() + { + $st = $this->servicetype; + $ste = $this->servicetype_enc; + $args_esc = "_xrd_r=application%2Fxrds%2Bxml&_xrd_t=" . $ste; + $h = $this->proxy_url; + $this->assertEquals($h . '=foo?' . $args_esc, + $this->proxy->queryURL('=foo', $st)); + $this->assertEquals($h . '=foo/bar?baz&' . $args_esc, + $this->proxy->queryURL('=foo/bar?baz', $st)); + $this->assertEquals($h . '=foo/bar?baz=quux&' . $args_esc, + $this->proxy->queryURL('=foo/bar?baz=quux', $st)); + $this->assertEquals($h . '=foo/bar?mi=fa&so=la&' . $args_esc, + $this->proxy->queryURL('=foo/bar?mi=fa&so=la', $st)); + + $args_esc = "_xrd_r=application%2Fxrds%2Bxml&_xrd_t=" . $ste; + $h = $this->proxy_url; + $this->assertEquals($h . '=foo/bar??' . $args_esc, + $this->proxy->queryURL('=foo/bar?', $st)); + $this->assertEquals($h . '=foo/bar????' . $args_esc, + $this->proxy->queryURL('=foo/bar???', $st)); + } +} + +class Tests_Auth_Yadis_TestGetRootAuthority extends PHPUnit_Framework_TestCase { + function runTest() + { + $xris = array( + array("@foo", "@"), + array("@foo*bar", "@"), + array("@*foo*bar", "@"), + array("@foo/bar", "@"), + array("!!990!991", "!"), + array("!1001!02", "!"), + array("=foo*bar", "="), + array("(example.com)/foo", "(example.com)"), + array("(example.com)*bar/foo", "(example.com)"), + array("baz.example.com/foo", "baz.example.com"), + array("baz.example.com:8080/foo", "baz.example.com:8080") + // Looking at the ABNF in XRI Syntax 2.0, I don't think you can + // have example.com*bar. You can do (example.com)*bar, but that + // would mean something else. + // ("example.com*bar/(=baz)", "example.com*bar"), + // ("baz.example.com!01/foo", "baz.example.com!01"), + ); + + foreach ($xris as $tupl) { + list($thexri, $expected_root) = $tupl; + $this->assertEquals(Auth_Yadis_XRI($expected_root), + Auth_Yadis_rootAuthority($thexri), + 'rootAuthority test ('.$thexri.')'); + } + } +} + +class Tests_Auth_Yadis_XRI extends PHPUnit_Framework_TestSuite { + function getName() + { + return "Tests_Auth_Yadis_XRI"; + } + + function Tests_Auth_Yadis_XRI() + { + $this->addTest(new Tests_Auth_Yadis_ProxyQueryTestCase()); + $this->addTest(new Tests_Auth_Yadis_XriEscapingTestCase()); + $this->addTest(new Tests_Auth_Yadis_XriDiscoveryTestCase()); + $this->addTest(new Tests_Auth_Yadis_TestGetRootAuthority()); + } +} + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/Yadis.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/Yadis.php new file mode 100644 index 000000000..5672a1565 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/Yadis.php @@ -0,0 +1,88 @@ +input_url = $input_url; + $this->redir_uri = $redir_uri; + $this->xrds_uri = $xrds_uri; + $this->num = $num; + } + + function getName() + { + return "Yadis discovery test ".$this->num; + } + + function runTest() + { + $fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); + $y = Auth_Yadis_Yadis::discover( + $this->input_url, $fetcher); + $this->assertTrue($y !== null); + + // Compare parts of returned Yadis object to expected URLs. + $this->assertEquals($this->redir_uri, $y->normalized_uri, "tried $this->input_url"); + + if ($this->xrds_uri) { + $this->assertEquals($this->xrds_uri, $y->xrds_uri); + // Compare contents of actual HTTP GET with that of Yadis + // response. + $f = Auth_Yadis_Yadis::getHTTPFetcher(); + $http_response = $f->get($this->xrds_uri); + + $this->assertEquals($http_response->body, $y->response_text); + } else { + $this->assertTrue($y->xrds_uri === null); + } + } +} + +class Tests_Auth_Yadis_Yadis extends PHPUnit_Framework_TestSuite { + + function getName() + { + return "Tests_Auth_Yadis_Yadis"; + } + + function parseTests($data) + { + $cases = explode("\n", $data); + $tests = array(); + + foreach ($cases as $line) { + if ($line && ($line[0] != "#")) { + $tests[] = explode("\t", $line, 3); + } + } + + return $tests; + } + + function Tests_Auth_Yadis_Yadis() + { + $test_data = file_get_contents('http://www.openidenabled.com/resources/yadis-test/discover/manifest.txt'); + + $test_cases = $this->parseTests($test_data); + + $i = 0; + foreach ($test_cases as $case) { + $i++; + list($input, $redir, $xrds) = $case; + $this->addTest(new Tests_Auth_Yadis_DiscoveryTest($input, + $redir, + $xrds, $i)); + } + } + +} + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/README b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/README new file mode 100644 index 000000000..3739cf1c7 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/README @@ -0,0 +1,12 @@ +delegated-20060809.xrds - results from proxy.xri.net, determined by + Drummond and Kevin to be incorrect. +delegated-20060809-r1.xrds - Drummond's 1st correction +delegated-20060809-r2.xrds - Drummond's 2nd correction + +spoofs: keturn's (=!E4)'s attempts to log in with Drummond's i-number (=!D2) +spoof1.xrds +spoof2.xrds +spoof3.xrds - attempt to steal @!C0!D2 by having "at least one" CanonicalID + match the $res service ProviderID. + +ref.xrds - resolving @ootao*test.ref, which refers to a neustar XRI. diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/accept.txt b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/accept.txt new file mode 100644 index 000000000..0853321a8 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/accept.txt @@ -0,0 +1,118 @@ +# Accept: [Accept: header value from RFC2616, +# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html] +# Available: [whitespace-separated content types] +# Expected: [Accept-header like list, containing the available content +# types with their q-values] + +Accept: */* +Available: text/plain +Expected: text/plain; q=1.0 + +Accept: */* +Available: text/plain, text/html +Expected: text/plain; q=1.0, text/html; q=1.0 + +# The order matters +Accept: */* +Available: text/html, text/plain +Expected: text/html; q=1.0, text/plain; q=1.0 + +Accept: text/*, */*; q=0.9 +Available: text/plain, image/jpeg +Expected: text/plain; q=1.0, image/jpeg; q=0.9 + +Accept: text/*, */*; q=0.9 +Available: image/jpeg, text/plain +Expected: text/plain; q=1.0, image/jpeg; q=0.9 + +# wildcard subtypes still reject differing main types +Accept: text/* +Available: image/jpeg, text/plain +Expected: text/plain; q=1.0 + +Accept: text/html +Available: text/html +Expected: text/html; q=1.0 + +Accept: text/html, text/* +Available: text/html +Expected: text/html; q=1.0 + +Accept: text/html, text/* +Available: text/plain, text/html +Expected: text/plain; q=1.0, text/html; q=1.0 + +Accept: text/html, text/*; q=0.9 +Available: text/plain, text/html +Expected: text/html; q=1.0, text/plain; q=0.9 + +# If a more specific type has a higher q-value, then the higher value wins +Accept: text/*; q=0.9, text/html +Available: text/plain, text/html +Expected: text/html; q=1.0, text/plain; q=0.9 + +Accept: */*, text/*; q=0.9, text/html; q=0.1 +Available: text/plain, text/html, image/monkeys +Expected: image/monkeys; q=1.0, text/plain; q=0.9, text/html; q=0.1 + +Accept: text/*, text/html; q=0 +Available: text/html +Expected: + +Accept: text/*, text/html; q=0 +Available: text/html, text/plain +Expected: text/plain; q=1.0 + +Accept: text/html +Available: text/plain +Expected: + +Accept: application/xrds+xml, text/html; q=0.9 +Available: application/xrds+xml, text/html +Expected: application/xrds+xml; q=1.0, text/html; q=0.9 + +Accept: application/xrds+xml, */*; q=0.9 +Available: application/xrds+xml, text/html +Expected: application/xrds+xml; q=1.0, text/html; q=0.9 + +Accept: application/xrds+xml, application/xhtml+xml; q=0.9, text/html; q=0.8, text/xml; q=0.7 +Available: application/xrds+xml, text/html +Expected: application/xrds+xml; q=1.0, text/html; q=0.8 + +# See http://www.rfc-editor.org/rfc/rfc3023.txt, section A.13 +Accept: application/xrds +Available: application/xrds+xml +Expected: + +Accept: application/xrds+xml +Available: application/xrds +Expected: + +Accept: application/xml +Available: application/xrds+xml +Expected: + +Available: application/xrds+xml +Accept: application/xml +Expected: + + + +################################################# +# The tests below this line are documentation of how this library +# works. If the implementation changes, it's acceptable to change the +# test to reflect that. These are specified so that we can make sure +# that the current implementation actually works the way that we +# expect it to given these inputs. + +Accept: text/html;level=1 +Available: text/html +Expected: text/html; q=1.0 + +Accept: text/html; level=1, text/html; level=9; q=0.1 +Available: text/html +Expected: text/html; q=1.0 + +Accept: text/html; level=9; q=0.1, text/html; level=1 +Available: text/html +Expected: text/html; q=1.0 diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi.xrds new file mode 100644 index 000000000..1bc95dea9 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi.xrds @@ -0,0 +1,38 @@ + + + + + + http://openid.net/signon/1.1 + http://www.myopenid.com/server + http://frank.myopenid.com/ + + + + + + + http://bar.com/ + http://bar.com/server + + + + http://foo.com + http://foo.com/server + + + + + + + http://openid.net/signon/1.0 + http://www.myopenid.com/server + http://brian.myopenid.com/ + + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi_uri.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi_uri.xrds new file mode 100644 index 000000000..fce5ef72f --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi_uri.xrds @@ -0,0 +1,16 @@ + + + + + + http://openid.net/signon/1.0 + http://www.myopenid.com/server + http://example.com/server + + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.xrds new file mode 100644 index 000000000..c7539fe1b --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.xrds @@ -0,0 +1,16 @@ + + + + + + http://openid.net/signon/1.0 + http://www.myopenid.com/server + http://brian.myopenid.com/ + + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian_priority.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian_priority.xrds new file mode 100644 index 000000000..273077dfa --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian_priority.xrds @@ -0,0 +1,22 @@ + + + + + + http://openid.net/signon/1.0 + http://www.schtuff.com/?action=openid_server + http://users.schtuff.com/brian + + + + http://openid.net/signon/1.0 + http://www.myopenid.com/server + http://brian.myopenid.com/ + + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r1.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r1.xrds new file mode 100644 index 000000000..f994b140e --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r1.xrds @@ -0,0 +1,34 @@ + + + + *ootao + + 2006-08-09T22:07:13.000Z + xri://@ + !5BAD.2AA.3C72.AF46 + @!5BAD.2AA.3C72.AF46 + + xri://$res*auth*($v*2.0) + xri://!!1003 + application/xrds+xml;trust=none + http://resolve.ezibroker.net/resolve/@ootao/ + + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + + *test1 + SUCCESS + xri://!!1003 + !0000.0000.3B9A.CA01 + @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r2.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r2.xrds new file mode 100644 index 000000000..68c08dc44 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r2.xrds @@ -0,0 +1,34 @@ + + + + *ootao + + 2006-08-09T22:07:13.000Z + xri://@ + !5BAD.2AA.3C72.AF46 + @!5BAD.2AA.3C72.AF46 + + xri://$res*auth*($v*2.0) + xri://@!5BAD.2AA.3C72.AF46 + application/xrds+xml;trust=none + http://resolve.ezibroker.net/resolve/@ootao/ + + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + + *test1 + SUCCESS + xri://@!5BAD.2AA.3C72.AF46 + !0000.0000.3B9A.CA01 + @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809.xrds new file mode 100644 index 000000000..073ee6889 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809.xrds @@ -0,0 +1,34 @@ + + + + *ootao + + 2006-08-09T22:07:13.000Z + xri://@ + !5BAD.2AA.3C72.AF46 + @!5BAD.2AA.3C72.AF46 + + xri://$res*auth*($v*2.0) + + application/xrds+xml;trust=none + http://resolve.ezibroker.net/resolve/@ootao/ + + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + + *test1 + SUCCESS + xri://!!1003 + !0000.0000.3B9A.CA01 + @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/example-xrds.xml b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/example-xrds.xml new file mode 100644 index 000000000..101ba3bd5 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/example-xrds.xml @@ -0,0 +1,14 @@ + + + + + + + http://example.com/ + http://www.openidenabled.com/ + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/no-xrd.xml b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/no-xrd.xml new file mode 100644 index 000000000..ca66f7359 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/no-xrd.xml @@ -0,0 +1,7 @@ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/not-xrds.xml b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/not-xrds.xml new file mode 100644 index 000000000..7f5bfd511 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/not-xrds.xml @@ -0,0 +1,2 @@ + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/pip.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/pip.xrds new file mode 100644 index 000000000..ca271ab19 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/pip.xrds @@ -0,0 +1,22 @@ + + + + + + http://openid.net/signon/1.1 + http://openid.net/sreg/1.0 + https://pip.verisignlabs.com/server + + + + http://openid.net/signon/1.0 + http://openid.net/sreg/1.0 + https://pip.verisignlabs.com/server + + + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/prefixsometimes.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/prefixsometimes.xrds new file mode 100644 index 000000000..5522a6e5e --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/prefixsometimes.xrds @@ -0,0 +1,34 @@ + + + + *ootao + + 2006-08-09T22:07:13.000Z + xri://@ + !5BAD.2AA.3C72.AF46 + @!5BAD.2AA.3C72.AF46 + + xri://$res*auth*($v*2.0) + xri://@!5BAD.2AA.3C72.AF46 + application/xrds+xml;trust=none + http://resolve.ezibroker.net/resolve/@ootao/ + + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + + *test1 + SUCCESS + xri://@!5BAD.2AA.3C72.AF46 + !0000.0000.3B9A.CA01 + xri://@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/ref.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/ref.xrds new file mode 100644 index 000000000..69cf683db --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/ref.xrds @@ -0,0 +1,109 @@ + + + + *ootao + + 2006-08-15T18:56:09.000Z + xri://@ + !5BAD.2AA.3C72.AF46 + @!5BAD.2AA.3C72.AF46 + + xri://$res*auth*($v*2.0) + + application/xrds+xml;trust=none + http://resolve.ezibroker.net/resolve/@ootao/ + + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + + *test.ref + SUCCESS + xri://!!1003 + !0000.0000.3B9A.CA03 + @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA03 + @!BAE.A650.823B.2475 + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + + + !BAE.A650.823B.2475 + + 2006-08-15T18:56:10.000Z + xri://@ + !BAE.A650.823B.2475 + @!BAE.A650.823B.2475 + + (+wdnc) + + (+wdnc) + http://www.tcpacompliance.us + + + xri://$res*auth*($v*2.0) + + application/xrds+xml;trust=none + http://dev.dready.org/cgi-bin/xri + + + (+i-name) + + (+i-name) + http://www.inames.net + + + xri://+i-service*(+contact)*($v*1.0) + + xri://!!1001 + (+contact) + + text/html + + http://www.neustar.biz + + + + + !BAE.A650.823B.2475 + + 2006-08-15T18:56:10.000Z + xri://@ + !BAE.A650.823B.2475 + @!BAE.A650.823B.2475 + + (+wdnc) + + (+wdnc) + http://www.tcpacompliance.us + + + xri://$res*auth*($v*2.0) + + application/xrds+xml;trust=none + http://dev.dready.org/cgi-bin/xri + + + (+i-name) + + (+i-name) + http://www.inames.net + + + xri://+i-service*(+contact)*($v*1.0) + + xri://!!1001 + (+contact) + + text/html + + http://www.neustar.biz + + + \ No newline at end of file diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/sometimesprefix.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/sometimesprefix.xrds new file mode 100644 index 000000000..eff755543 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/sometimesprefix.xrds @@ -0,0 +1,34 @@ + + + + *ootao + + 2006-08-09T22:07:13.000Z + xri://@ + !5BAD.2AA.3C72.AF46 + xri://@!5BAD.2AA.3C72.AF46 + + xri://$res*auth*($v*2.0) + xri://@!5BAD.2AA.3C72.AF46 + application/xrds+xml;trust=none + http://resolve.ezibroker.net/resolve/@ootao/ + + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + + *test1 + SUCCESS + xri://@!5BAD.2AA.3C72.AF46 + !0000.0000.3B9A.CA01 + @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 + + http://openid.net/signon/1.0 + + https://linksafe.ezibroker.net/server/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof1.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof1.xrds new file mode 100644 index 000000000..8e870c815 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof1.xrds @@ -0,0 +1,25 @@ + + + + *keturn + xri://= + !E4 + =!E4 + + + xri://$res*auth*($v*2.0) + http://keturn.example.com/resolve/ + =!E4 + + + + *isDrummond + =!E4 + !D2 + =!D2 + + http://openid.net/signon/1.0 + http://keturn.example.com/openid + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof2.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof2.xrds new file mode 100644 index 000000000..7547561e1 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof2.xrds @@ -0,0 +1,25 @@ + + + + *keturn + xri://= + !E4 + =!E4 + + + xri://$res*auth*($v*2.0) + http://keturn.example.com/resolve/ + xri://= + + + + *isDrummond + xri://= + !D2 + =!D2 + + http://openid.net/signon/1.0 + http://keturn.example.com/openid + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof3.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof3.xrds new file mode 100644 index 000000000..f4c43c9b4 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof3.xrds @@ -0,0 +1,37 @@ + + + + *keturn + xri://@ + @E4 + @!E4 + + + xri://$res*auth*($v*2.0) + http://keturn.example.com/resolve/ + @!E4 + + + + *is + @!E4 + !D2 + =!C0 + =!E4!01 + + xri://$res*auth*($v*2.0) + http://keturn.example.com/resolve/ + @!C0 + + + + *drummond + @!C0 + !D2 + @!C0!D2 + + http://openid.net/signon/1.0 + http://keturn.example.com/openid + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/subsegments.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/subsegments.xrds new file mode 100644 index 000000000..11d2e9122 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/subsegments.xrds @@ -0,0 +1,58 @@ + + + + *nishitani + + 2007-12-25T11:33:39.000Z + xri://= + !E117.EF2F.454B.C707 + =!E117.EF2F.454B.C707 + + http://openid.net/signon/1.0 + xri://!!1003!103 + https://linksafe.ezibroker.net/server/ + + + xri://$res*auth*($v*2.0) + xri://!!1003!103 + application/xrds+xml;trust=none + http://resolve.ezibroker.net/resolve/=nishitani/ + + + xri://+i-service*(+forwarding)*($v*1.0) + + xri://!!1003!103 + (+index) + + http://linksafe-forward.ezibroker.net/forwarding/ + + + + *masaki + SUCCESS + xri://!!1003 + !0000.0000.3B9A.CA01 + =!E117.EF2F.454B.C707!0000.0000.3B9A.CA01 + + http://openid.net/signon/1.0 + xri://!!1003!103 + https://linksafe.ezibroker.net/server/ + + + xri://+i-service*(+contact)*($v*1.0) + + xri://!!1003!103 + (+contact) + + http://linksafe-contact.ezibroker.net/contact/ + + + xri://+i-service*(+forwarding)*($v*1.0) + + xri://!!1003!103 + (+index) + + http://linksafe-forward.ezibroker.net/forwarding/ + + + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-discover.txt b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-discover.txt new file mode 100644 index 000000000..7ec9b8788 --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-discover.txt @@ -0,0 +1,137 @@ +equiv +Status: 200 OK +Content-Type: text/html + + + + +Joe Schmoe's Homepage + + +

Joe Schmoe's Homepage

+

Blah blah blah blah blah blah blah

+ + + +header +Status: 200 OK +Content-Type: text/html +YADIS_HEADER: URL_BASE/xrds + + + +Joe Schmoe's Homepage + + +

Joe Schmoe's Homepage

+

Blah blah blah blah blah blah blah

+ + +xrds +Status: 200 OK +Content-Type: application/xrds+xml + + + +xrds_ctparam +Status: 200 OK +Content-Type: application/xrds+xml; charset=UTF8 + + + +xrds_ctcase +Status: 200 OK +Content-Type: appliCATION/XRDS+xml + + + +xrds_html +Status: 200 OK +Content-Type: text/html + + + +redir_equiv +Status: 302 Found +Content-Type: text/plain +Location: URL_BASE/equiv + +You are presently being redirected. + +redir_header +Status: 302 Found +Content-Type: text/plain +Location: URL_BASE/header + +You are presently being redirected. + +redir_xrds +Status: 302 Found +Content-Type: application/xrds+xml +Location: URL_BASE/xrds + + + +redir_xrds_html +Status: 302 Found +Content-Type: text/plain +Location: URL_BASE/xrds_html + +You are presently being redirected. + +redir_redir_equiv +Status: 302 Found +Content-Type: text/plain +Location: URL_BASE/redir_equiv + +You are presently being redirected. + +lowercase_header +Status: 200 OK +Content-Type: text/html +x-xrds-location: URL_BASE/xrds + + + +Joe Schmoe's Homepage + + +

Joe Schmoe's Homepage

+

Blah blah blah blah blah blah blah

+ + +404_server_response +Status: 404 Not Found + +EEk! + +500_server_response +Status: 500 Server error + +EEk! + +201_server_response +Status: 201 Created + +EEk! + +404_with_header +Status: 404 Not Found +YADIS_HEADER: URL_BASE/xrds + +EEk! + +404_with_meta +Status: 404 Not Found +Content-Type: text/html + + + + +Joe Schmoe's Homepage + + +

Joe Schmoe's Homepage

+

Blah blah blah blah blah blah blah

+ + diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-parsehtml.txt b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-parsehtml.txt new file mode 100644 index 000000000..752ad091d --- /dev/null +++ b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-parsehtml.txt @@ -0,0 +1,149 @@ +found + + + +found + + + +found + + + +found + + + +found + + + +found + + + +found + + + +found + + + +EOF + + +
+OpenID + +
+
+
+ + + + + + + + +

+

+
+ +
+
+
+
+
+
+
+ +
diff --git a/views/default/openid_client/forms/missing.php b/views/default/openid_client/forms/missing.php new file mode 100644 index 000000000..7810f3c57 --- /dev/null +++ b/views/default/openid_client/forms/missing.php @@ -0,0 +1,73 @@ + + * @copyright Curverider Ltd 2008-2009 + * @link http://elgg.com/ + * + * @uses the following values in $vars: + * + * 'openid_url' the OpenID + * 'email' the user's email (if known) + * 'fullname' the user's full name (if known) + * 'email_confirmation' whether the email address needs to be confirmed + * 'code' a magic code that associates this data with a real user + */ + +$emailLabel = elgg_echo('openid_client:email_label'); +$nameLabel = elgg_echo('openid_client:name_label'); +$submitLabel = elgg_echo('openid_client:submit_label'); +$cancelLabel = elgg_echo('openid_client:cancel_label'); + +$missing_email = elgg_echo('openid_client:missing_email'); +$missing_name = elgg_echo('openid_client:missing_name'); +$and = elgg_echo('openid_client:and'); +$email_form = "
$emailLabel
'; +$name_form = "
$nameLabel
'; +$email_hidden = ''."\n"; +$name_hidden = ''."\n"; + +if (!$vars['email'] && !$$vars['fullname']) { + $missing_fields = $missing_email.' '.$and.' '.$missing_name; + $visible_fields = $email_form.'
'.$name_form; + $hidden_fields = ''; +} elseif (!$vars['email']) { + $missing_fields = $missing_email; + $visible_fields = $email_form; + $hidden_fields = $name_hidden; +} elseif (!$vars['fullname']) { + $missing_fields = $missing_name; + $visible_fields = $name_form; + $hidden_fields = $email_hidden; +} + +$hidden_fields .= ''."\n"; + +$instructions = sprintf(elgg_echo('openid_client:missing_info_instructions'),$missing_fields); + +$action = $CONFIG->wwwroot.'action/openid_client/missing'; +$security_token = elgg_view('input/securitytoken'); + +$body .= <<< END + $instructions +
+ $security_token +

+ $visible_fields +

+

+ $hidden_fields + + +

+
+ +END; + +echo elgg_view('page_elements/contentwrapper',array('body'=>$body)); + +?> \ No newline at end of file diff --git a/views/default/openid_client/forms/sync.php b/views/default/openid_client/forms/sync.php new file mode 100644 index 000000000..6d921b278 --- /dev/null +++ b/views/default/openid_client/forms/sync.php @@ -0,0 +1,86 @@ + + * @copyright Curverider Ltd 2008-2009 + * @link http://elgg.com/ + * + * @uses the following values in $vars: + * + * 'userid' the user's GUID + * 'new_email' the user's new email + * 'new_name' the user's new full name + * 'email_confirmation' whether the email address needs to be confirmed + */ + +$emailLabel = elgg_echo('openid_client:email_label'); +$nameLabel = elgg_echo('openid_client:name_label'); +$submitLabel = elgg_echo('openid_client:submit_label'); +$cancelLabel = elgg_echo('openid_client:cancel_label'); +$noSyncLabel = elgg_echo('openid_client:nosync_label'); +$instructions = elgg_echo('openid_client:sync_instructions'); + +$new_email = $vars['new_email']; +$new_name = $vars['new_name']; +$email_confirmation = $vars['email_confirmation']; + +$user = get_user($vars['userid']); + +$old_email = $user->email; +$old_name = $user->name; +$openid_url = $user->alias; + +if ($new_email && $new_email != $old_email) { + $change_fields .= '
$old_email => $new_email
\n"; + if (!$email_confirmation) { + // the email address is from a green server, so we can change the email without a confirmation message + // add an invitation code however to prevent this form from being forged + // the user ident and new email address can then securely be stored in the database invitation table + // rather than the form + $details = openid_client_create_invitation('c',$openid_url,$vars['userid'],$new_email,$new_name); + $form_stuff = ''; + } else { + // the email will be confirmed anyway so it is safe to put it in the form + $form_stuff .= <<< END + +END; + } + +} +if ($new_name && $new_name != $old_name) { + $change_fields .= '
$old_name => $new_name
\n"; +} + +$action = $CONFIG->wwwroot.'action/openid_client/sync'; +$security_token = elgg_view('input/securitytoken'); + +$body .= <<< END + $instructions +
+ $security_token +

+ $change_fields +

+

+ +

+ $form_stuff + + + +

+
+ +END; + +echo elgg_view('page_elements/contentwrapper',array('body'=>$body)); + +?> \ No newline at end of file -- cgit v1.2.3 From 580cd62f0a4fac5dba37a8a152afaecd99e8c767 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Thu, 15 Dec 2011 20:07:48 -0500 Subject: removed old libraries - depends on openid_api now --- models/Auth.old/OpenID.php | 576 ----- models/Auth.old/OpenID/AX.php | 1013 -------- models/Auth.old/OpenID/Association.php | 613 ----- models/Auth.old/OpenID/BigMath.php | 471 ---- models/Auth.old/OpenID/Consumer.php | 2189 ----------------- models/Auth.old/OpenID/CryptUtil.php | 113 - models/Auth.old/OpenID/DatabaseConnection.php | 131 - models/Auth.old/OpenID/DiffieHellman.php | 112 - models/Auth.old/OpenID/Discover.php | 547 ----- models/Auth.old/OpenID/DumbStore.php | 100 - models/Auth.old/OpenID/Extension.php | 58 - models/Auth.old/OpenID/FileStore.php | 618 ----- models/Auth.old/OpenID/HMACSHA1.php | 99 - models/Auth.old/OpenID/Interface.php | 197 -- models/Auth.old/OpenID/KVForm.php | 112 - models/Auth.old/OpenID/MemcachedStore.php | 207 -- models/Auth.old/OpenID/Message.php | 895 ------- models/Auth.old/OpenID/MySQLStore.php | 77 - models/Auth.old/OpenID/Nonce.php | 109 - models/Auth.old/OpenID/PAPE.php | 311 --- models/Auth.old/OpenID/Parse.php | 352 --- models/Auth.old/OpenID/PostgreSQLStore.php | 107 - models/Auth.old/OpenID/SQLStore.php | 569 ----- models/Auth.old/OpenID/SQLiteStore.php | 71 - models/Auth.old/OpenID/SReg.php | 521 ---- models/Auth.old/OpenID/Server.php | 1698 ------------- models/Auth.old/OpenID/ServerRequest.php | 37 - models/Auth.old/OpenID/TrustRoot.php | 410 ---- models/Auth.old/OpenID/URINorm.php | 231 -- models/Auth.old/Yadis/HTTPFetcher.php | 114 - models/Auth.old/Yadis/Manager.php | 529 ---- models/Auth.old/Yadis/Misc.php | 59 - models/Auth.old/Yadis/ParanoidHTTPFetcher.php | 203 -- models/Auth.old/Yadis/ParseHTML.php | 259 -- models/Auth.old/Yadis/PlainHTTPFetcher.php | 250 -- models/Auth.old/Yadis/XML.php | 374 --- models/Auth.old/Yadis/XRDS.php | 478 ---- models/Auth.old/Yadis/XRI.php | 234 -- models/Auth.old/Yadis/XRIRes.php | 72 - models/Auth.old/Yadis/Yadis.php | 337 --- models/Auth/OpenID.php | 563 ----- models/Auth/OpenID/AX.php | 1022 -------- models/Auth/OpenID/Association.php | 610 ----- models/Auth/OpenID/BigMath.php | 452 ---- models/Auth/OpenID/Consumer.php | 2230 ----------------- models/Auth/OpenID/CryptUtil.php | 108 - models/Auth/OpenID/DatabaseConnection.php | 130 - models/Auth/OpenID/DiffieHellman.php | 113 - models/Auth/OpenID/Discover.php | 606 ----- models/Auth/OpenID/DumbStore.php | 99 - models/Auth/OpenID/Extension.php | 61 - models/Auth/OpenID/FileStore.php | 618 ----- models/Auth/OpenID/HMAC.php | 98 - models/Auth/OpenID/Interface.php | 196 -- models/Auth/OpenID/KVForm.php | 111 - models/Auth/OpenID/MDB2Store.php | 413 ---- models/Auth/OpenID/MemcachedStore.php | 207 -- models/Auth/OpenID/Message.php | 920 ------- models/Auth/OpenID/MySQLStore.php | 77 - models/Auth/OpenID/Nonce.php | 108 - models/Auth/OpenID/PAPE.php | 300 --- models/Auth/OpenID/Parse.php | 377 --- models/Auth/OpenID/PostgreSQLStore.php | 112 - models/Auth/OpenID/SQLStore.php | 557 ----- models/Auth/OpenID/SQLiteStore.php | 70 - models/Auth/OpenID/SReg.php | 521 ---- models/Auth/OpenID/Server.php | 1765 -------------- models/Auth/OpenID/ServerRequest.php | 36 - models/Auth/OpenID/TrustRoot.php | 461 ---- models/Auth/OpenID/URINorm.php | 249 -- models/Auth/Yadis/HTTPFetcher.php | 174 -- models/Auth/Yadis/Manager.php | 521 ---- models/Auth/Yadis/Misc.php | 58 - models/Auth/Yadis/ParanoidHTTPFetcher.php | 245 -- models/Auth/Yadis/ParseHTML.php | 258 -- models/Auth/Yadis/PlainHTTPFetcher.php | 248 -- models/Auth/Yadis/XML.php | 352 --- models/Auth/Yadis/XRDS.php | 478 ---- models/Auth/Yadis/XRI.php | 234 -- models/Auth/Yadis/XRIRes.php | 72 - models/Auth/Yadis/Yadis.php | 382 --- models/openid-php-openid-782224d/CHANGES-2.1.0 | 51 - models/openid-php-openid-782224d/COPYING | 202 -- models/openid-php-openid-782224d/NEWS | 85 - models/openid-php-openid-782224d/README | 136 -- models/openid-php-openid-782224d/README.Debian | 8 - models/openid-php-openid-782224d/README.git | 7 - .../Tests/Auth/OpenID/AX.php | 792 ------ .../Tests/Auth/OpenID/Association.php | 54 - .../Tests/Auth/OpenID/AssociationResponse.php | 377 --- .../Tests/Auth/OpenID/AuthRequest.php | 299 --- .../Tests/Auth/OpenID/BigMath.php | 234 -- .../Tests/Auth/OpenID/Consumer.php | 2553 -------------------- .../Tests/Auth/OpenID/CryptUtil.php | 54 - .../Tests/Auth/OpenID/DiffieHellman.php | 159 -- .../Tests/Auth/OpenID/Discover_OpenID.php | 781 ------ .../Tests/Auth/OpenID/Extension.php | 44 - .../Tests/Auth/OpenID/HMAC.php | 165 -- .../Tests/Auth/OpenID/KVForm.php | 260 -- .../Tests/Auth/OpenID/MemStore.php | 176 -- .../Tests/Auth/OpenID/Message.php | 1251 ---------- .../Tests/Auth/OpenID/Negotiation.php | 346 --- .../Tests/Auth/OpenID/Nonce.php | 166 -- .../Tests/Auth/OpenID/OpenID_Yadis.php | 228 -- .../Tests/Auth/OpenID/PAPE.php | 244 -- .../Tests/Auth/OpenID/Parse.php | 185 -- .../Tests/Auth/OpenID/RPVerify.php | 293 --- .../Tests/Auth/OpenID/SReg.php | 672 ------ .../Tests/Auth/OpenID/Server.php | 2463 ------------------- .../Tests/Auth/OpenID/StoreTest.php | 755 ------ .../Tests/Auth/OpenID/TestUtil.php | 60 - .../Tests/Auth/OpenID/TrustRoot.php | 172 -- .../Tests/Auth/OpenID/URINorm.php | 66 - .../Tests/Auth/OpenID/Util.php | 319 --- .../Tests/Auth/OpenID/VerifyDisco.php | 422 ---- .../Tests/Auth/OpenID/data/dhexch | 25 - .../Tests/Auth/OpenID/data/dhpriv | 29 - .../Tests/Auth/OpenID/data/hmac-sha1.txt | 49 - .../Tests/Auth/OpenID/data/hmac-sha256.txt | 29 - .../Tests/Auth/OpenID/data/linkparse.txt | 594 ----- .../Tests/Auth/OpenID/data/n2b64 | 650 ----- .../Tests/Auth/OpenID/data/openid.html | 11 - .../Auth/OpenID/data/test_discover_openid.html | 11 - .../Auth/OpenID/data/test_discover_openid2.html | 11 - .../OpenID/data/test_discover_openid2_xrds.xml | 12 - .../test_discover_openid2_xrds_no_local_id.xml | 11 - .../OpenID/data/test_discover_openid_1_and_2.html | 11 - .../data/test_discover_openid_1_and_2_xrds.xml | 16 - ...t_discover_openid_1_and_2_xrds_bad_delegate.xml | 17 - .../data/test_discover_openid_and_yadis.html | 12 - .../data/test_discover_openid_no_delegate.html | 10 - .../Auth/OpenID/data/test_discover_openid_ssl.xml | 19 - .../OpenID/data/test_discover_yadis_0entries.xml | 12 - .../data/test_discover_yadis_2_bad_local_id.xml | 15 - .../data/test_discover_yadis_2entries_delegate.xml | 22 - .../data/test_discover_yadis_2entries_idp.xml | 21 - .../data/test_discover_yadis_another_delegate.xml | 14 - .../Auth/OpenID/data/test_discover_yadis_idp.xml | 12 - .../data/test_discover_yadis_idp_delegate.xml | 13 - .../data/test_discover_yadis_no_delegate.xml | 11 - .../Tests/Auth/OpenID/data/trustroot.txt | 149 -- .../Tests/Auth/OpenID/data/urinorm.txt | 87 - .../Tests/Auth/Yadis/DiscoverData.php | 152 -- .../Tests/Auth/Yadis/Discover_Yadis.php | 230 -- .../Tests/Auth/Yadis/ParseHTML.php | 86 - .../Tests/Auth/Yadis/TestUtil.php | 30 - .../Tests/Auth/Yadis/XRDS.php | 247 -- .../Tests/Auth/Yadis/XRI.php | 142 -- .../Tests/Auth/Yadis/Yadis.php | 88 - .../Tests/Auth/Yadis/data/README | 12 - .../Tests/Auth/Yadis/data/accept.txt | 118 - .../Tests/Auth/Yadis/data/brian.multi.xrds | 38 - .../Tests/Auth/Yadis/data/brian.multi_uri.xrds | 16 - .../Tests/Auth/Yadis/data/brian.xrds | 16 - .../Tests/Auth/Yadis/data/brian_priority.xrds | 22 - .../Auth/Yadis/data/delegated-20060809-r1.xrds | 34 - .../Auth/Yadis/data/delegated-20060809-r2.xrds | 34 - .../Tests/Auth/Yadis/data/delegated-20060809.xrds | 34 - .../Tests/Auth/Yadis/data/example-xrds.xml | 14 - .../Tests/Auth/Yadis/data/no-xrd.xml | 7 - .../Tests/Auth/Yadis/data/not-xrds.xml | 2 - .../Tests/Auth/Yadis/data/pip.xrds | 22 - .../Tests/Auth/Yadis/data/prefixsometimes.xrds | 34 - .../Tests/Auth/Yadis/data/ref.xrds | 109 - .../Tests/Auth/Yadis/data/sometimesprefix.xrds | 34 - .../Tests/Auth/Yadis/data/spoof1.xrds | 25 - .../Tests/Auth/Yadis/data/spoof2.xrds | 25 - .../Tests/Auth/Yadis/data/spoof3.xrds | 37 - .../Tests/Auth/Yadis/data/subsegments.xrds | 58 - .../Tests/Auth/Yadis/data/test1-discover.txt | 137 -- .../Tests/Auth/Yadis/data/test1-parsehtml.txt | 149 -- .../Tests/Auth/Yadis/data/test1-xrd.xml | 39 - .../Tests/Auth/Yadis/data/uri_priority.xrds | 16 - .../openid-php-openid-782224d/Tests/TestDriver.php | 202 -- .../openid-php-openid-782224d/admin/adminutil.php | 30 - .../openid-php-openid-782224d/admin/brace_style.pl | 81 - models/openid-php-openid-782224d/admin/checkimport | 4 - .../openid-php-openid-782224d/admin/checkimports | 2 - .../openid-php-openid-782224d/admin/darcs-ignore | 3 - models/openid-php-openid-782224d/admin/docblocks | 15 - .../openid-php-openid-782224d/admin/docblocks.pl | 26 - models/openid-php-openid-782224d/admin/findallphp | 8 - models/openid-php-openid-782224d/admin/findglobals | 5 - models/openid-php-openid-782224d/admin/findphp | 8 - models/openid-php-openid-782224d/admin/fixperms | 15 - models/openid-php-openid-782224d/admin/gettlds.py | 47 - .../openid-php-openid-782224d/admin/library-name | 1 - .../openid-php-openid-782224d/admin/longlines.pl | 46 - models/openid-php-openid-782224d/admin/makedoc.sh | 5 - models/openid-php-openid-782224d/admin/mathlib | 18 - models/openid-php-openid-782224d/admin/nobadbraces | 4 - models/openid-php-openid-782224d/admin/nobadcase | 14 - models/openid-php-openid-782224d/admin/nolonglines | 14 - models/openid-php-openid-782224d/admin/notabs | 16 - models/openid-php-openid-782224d/admin/open_tag | 17 - .../openid-php-openid-782224d/admin/otb_test.php | 20 - models/openid-php-openid-782224d/admin/package.xml | 24 - .../openid-php-openid-782224d/admin/package2.xml | 74 - .../openid-php-openid-782224d/admin/packagexml.py | 155 -- .../openid-php-openid-782224d/admin/phpaliases.py | 119 - .../admin/prepare-release | 12 - models/openid-php-openid-782224d/admin/runtests | 71 - models/openid-php-openid-782224d/admin/syntaxcheck | 5 - .../openid-php-openid-782224d/admin/texttest.php | 197 -- .../admin/tutorials/OpenID/OpenID.pkg | 78 - models/openid-php-openid-782224d/admin/webtest.php | 12 - .../openid-php-openid-782224d/admin/xmlconfig.py | 55 - .../google/php-openid-apps-discover-1.0.1.tar.gz | Bin 87918 -> 0 bytes .../contrib/signed_assertions/AP.php | 180 -- .../contrib/signed_assertions/SAML.php | 220 -- .../contrib/upgrade-store-1.1-to-2.0 | 170 -- models/openid-php-openid-782224d/examples/README | 134 - .../examples/consumer/common.php | 97 - .../examples/consumer/finish_auth.php | 98 - .../examples/consumer/index.php | 73 - .../examples/consumer/try_auth.php | 83 - .../openid-php-openid-782224d/examples/detect.php | 536 ---- .../examples/discover.php | 100 - .../examples/server/index.php | 5 - .../examples/server/lib/actions.php | 164 -- .../examples/server/lib/common.php | 95 - .../examples/server/lib/render.php | 114 - .../examples/server/lib/render/about.php | 47 - .../examples/server/lib/render/idpXrds.php | 32 - .../examples/server/lib/render/idpage.php | 31 - .../examples/server/lib/render/login.php | 65 - .../examples/server/lib/render/trust.php | 56 - .../examples/server/lib/render/userXrds.php | 34 - .../examples/server/lib/session.php | 178 -- .../examples/server/openid-server.css | 74 - .../examples/server/server.php | 48 - .../examples/server/setup.php | 558 ----- 232 files changed, 54219 deletions(-) delete mode 100644 models/Auth.old/OpenID.php delete mode 100644 models/Auth.old/OpenID/AX.php delete mode 100644 models/Auth.old/OpenID/Association.php delete mode 100644 models/Auth.old/OpenID/BigMath.php delete mode 100644 models/Auth.old/OpenID/Consumer.php delete mode 100644 models/Auth.old/OpenID/CryptUtil.php delete mode 100644 models/Auth.old/OpenID/DatabaseConnection.php delete mode 100644 models/Auth.old/OpenID/DiffieHellman.php delete mode 100644 models/Auth.old/OpenID/Discover.php delete mode 100644 models/Auth.old/OpenID/DumbStore.php delete mode 100644 models/Auth.old/OpenID/Extension.php delete mode 100644 models/Auth.old/OpenID/FileStore.php delete mode 100644 models/Auth.old/OpenID/HMACSHA1.php delete mode 100644 models/Auth.old/OpenID/Interface.php delete mode 100644 models/Auth.old/OpenID/KVForm.php delete mode 100644 models/Auth.old/OpenID/MemcachedStore.php delete mode 100644 models/Auth.old/OpenID/Message.php delete mode 100644 models/Auth.old/OpenID/MySQLStore.php delete mode 100644 models/Auth.old/OpenID/Nonce.php delete mode 100644 models/Auth.old/OpenID/PAPE.php delete mode 100644 models/Auth.old/OpenID/Parse.php delete mode 100644 models/Auth.old/OpenID/PostgreSQLStore.php delete mode 100644 models/Auth.old/OpenID/SQLStore.php delete mode 100644 models/Auth.old/OpenID/SQLiteStore.php delete mode 100644 models/Auth.old/OpenID/SReg.php delete mode 100644 models/Auth.old/OpenID/Server.php delete mode 100644 models/Auth.old/OpenID/ServerRequest.php delete mode 100644 models/Auth.old/OpenID/TrustRoot.php delete mode 100644 models/Auth.old/OpenID/URINorm.php delete mode 100644 models/Auth.old/Yadis/HTTPFetcher.php delete mode 100644 models/Auth.old/Yadis/Manager.php delete mode 100644 models/Auth.old/Yadis/Misc.php delete mode 100644 models/Auth.old/Yadis/ParanoidHTTPFetcher.php delete mode 100644 models/Auth.old/Yadis/ParseHTML.php delete mode 100644 models/Auth.old/Yadis/PlainHTTPFetcher.php delete mode 100644 models/Auth.old/Yadis/XML.php delete mode 100644 models/Auth.old/Yadis/XRDS.php delete mode 100644 models/Auth.old/Yadis/XRI.php delete mode 100644 models/Auth.old/Yadis/XRIRes.php delete mode 100644 models/Auth.old/Yadis/Yadis.php delete mode 100644 models/Auth/OpenID.php delete mode 100644 models/Auth/OpenID/AX.php delete mode 100644 models/Auth/OpenID/Association.php delete mode 100644 models/Auth/OpenID/BigMath.php delete mode 100644 models/Auth/OpenID/Consumer.php delete mode 100644 models/Auth/OpenID/CryptUtil.php delete mode 100644 models/Auth/OpenID/DatabaseConnection.php delete mode 100644 models/Auth/OpenID/DiffieHellman.php delete mode 100644 models/Auth/OpenID/Discover.php delete mode 100644 models/Auth/OpenID/DumbStore.php delete mode 100644 models/Auth/OpenID/Extension.php delete mode 100644 models/Auth/OpenID/FileStore.php delete mode 100644 models/Auth/OpenID/HMAC.php delete mode 100644 models/Auth/OpenID/Interface.php delete mode 100644 models/Auth/OpenID/KVForm.php delete mode 100644 models/Auth/OpenID/MDB2Store.php delete mode 100644 models/Auth/OpenID/MemcachedStore.php delete mode 100644 models/Auth/OpenID/Message.php delete mode 100644 models/Auth/OpenID/MySQLStore.php delete mode 100644 models/Auth/OpenID/Nonce.php delete mode 100644 models/Auth/OpenID/PAPE.php delete mode 100644 models/Auth/OpenID/Parse.php delete mode 100644 models/Auth/OpenID/PostgreSQLStore.php delete mode 100644 models/Auth/OpenID/SQLStore.php delete mode 100644 models/Auth/OpenID/SQLiteStore.php delete mode 100644 models/Auth/OpenID/SReg.php delete mode 100644 models/Auth/OpenID/Server.php delete mode 100644 models/Auth/OpenID/ServerRequest.php delete mode 100644 models/Auth/OpenID/TrustRoot.php delete mode 100644 models/Auth/OpenID/URINorm.php delete mode 100644 models/Auth/Yadis/HTTPFetcher.php delete mode 100644 models/Auth/Yadis/Manager.php delete mode 100644 models/Auth/Yadis/Misc.php delete mode 100644 models/Auth/Yadis/ParanoidHTTPFetcher.php delete mode 100644 models/Auth/Yadis/ParseHTML.php delete mode 100644 models/Auth/Yadis/PlainHTTPFetcher.php delete mode 100644 models/Auth/Yadis/XML.php delete mode 100644 models/Auth/Yadis/XRDS.php delete mode 100644 models/Auth/Yadis/XRI.php delete mode 100644 models/Auth/Yadis/XRIRes.php delete mode 100644 models/Auth/Yadis/Yadis.php delete mode 100644 models/openid-php-openid-782224d/CHANGES-2.1.0 delete mode 100644 models/openid-php-openid-782224d/COPYING delete mode 100644 models/openid-php-openid-782224d/NEWS delete mode 100644 models/openid-php-openid-782224d/README delete mode 100644 models/openid-php-openid-782224d/README.Debian delete mode 100644 models/openid-php-openid-782224d/README.git delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/AX.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Association.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/AssociationResponse.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/AuthRequest.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/BigMath.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Consumer.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/CryptUtil.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/DiffieHellman.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Discover_OpenID.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Extension.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/HMAC.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/KVForm.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/MemStore.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Message.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Negotiation.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Nonce.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/OpenID_Yadis.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/PAPE.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Parse.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/RPVerify.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/SReg.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Server.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/StoreTest.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/TestUtil.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/TrustRoot.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/URINorm.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/Util.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/VerifyDisco.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/dhexch delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/dhpriv delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/hmac-sha1.txt delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/hmac-sha256.txt delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/linkparse.txt delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/n2b64 delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/openid.html delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid.html delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2.html delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds_no_local_id.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2.html delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds_bad_delegate.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_and_yadis.html delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_no_delegate.html delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_ssl.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_0entries.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2_bad_local_id.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_delegate.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_idp.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_another_delegate.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp_delegate.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_no_delegate.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/trustroot.txt delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/OpenID/data/urinorm.txt delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/DiscoverData.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/Discover_Yadis.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/ParseHTML.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/TestUtil.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/XRDS.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/XRI.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/Yadis.php delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/README delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/accept.txt delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi_uri.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian_priority.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r1.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r2.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/example-xrds.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/no-xrd.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/not-xrds.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/pip.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/prefixsometimes.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/ref.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/sometimesprefix.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof1.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof2.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof3.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/subsegments.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-discover.txt delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-parsehtml.txt delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-xrd.xml delete mode 100644 models/openid-php-openid-782224d/Tests/Auth/Yadis/data/uri_priority.xrds delete mode 100644 models/openid-php-openid-782224d/Tests/TestDriver.php delete mode 100644 models/openid-php-openid-782224d/admin/adminutil.php delete mode 100644 models/openid-php-openid-782224d/admin/brace_style.pl delete mode 100644 models/openid-php-openid-782224d/admin/checkimport delete mode 100644 models/openid-php-openid-782224d/admin/checkimports delete mode 100644 models/openid-php-openid-782224d/admin/darcs-ignore delete mode 100644 models/openid-php-openid-782224d/admin/docblocks delete mode 100644 models/openid-php-openid-782224d/admin/docblocks.pl delete mode 100644 models/openid-php-openid-782224d/admin/findallphp delete mode 100644 models/openid-php-openid-782224d/admin/findglobals delete mode 100644 models/openid-php-openid-782224d/admin/findphp delete mode 100644 models/openid-php-openid-782224d/admin/fixperms delete mode 100644 models/openid-php-openid-782224d/admin/gettlds.py delete mode 100644 models/openid-php-openid-782224d/admin/library-name delete mode 100644 models/openid-php-openid-782224d/admin/longlines.pl delete mode 100644 models/openid-php-openid-782224d/admin/makedoc.sh delete mode 100644 models/openid-php-openid-782224d/admin/mathlib delete mode 100644 models/openid-php-openid-782224d/admin/nobadbraces delete mode 100644 models/openid-php-openid-782224d/admin/nobadcase delete mode 100644 models/openid-php-openid-782224d/admin/nolonglines delete mode 100644 models/openid-php-openid-782224d/admin/notabs delete mode 100644 models/openid-php-openid-782224d/admin/open_tag delete mode 100644 models/openid-php-openid-782224d/admin/otb_test.php delete mode 100644 models/openid-php-openid-782224d/admin/package.xml delete mode 100644 models/openid-php-openid-782224d/admin/package2.xml delete mode 100644 models/openid-php-openid-782224d/admin/packagexml.py delete mode 100644 models/openid-php-openid-782224d/admin/phpaliases.py delete mode 100644 models/openid-php-openid-782224d/admin/prepare-release delete mode 100644 models/openid-php-openid-782224d/admin/runtests delete mode 100644 models/openid-php-openid-782224d/admin/syntaxcheck delete mode 100644 models/openid-php-openid-782224d/admin/texttest.php delete mode 100644 models/openid-php-openid-782224d/admin/tutorials/OpenID/OpenID.pkg delete mode 100644 models/openid-php-openid-782224d/admin/webtest.php delete mode 100644 models/openid-php-openid-782224d/admin/xmlconfig.py delete mode 100644 models/openid-php-openid-782224d/contrib/google/php-openid-apps-discover-1.0.1.tar.gz delete mode 100644 models/openid-php-openid-782224d/contrib/signed_assertions/AP.php delete mode 100644 models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php delete mode 100644 models/openid-php-openid-782224d/contrib/upgrade-store-1.1-to-2.0 delete mode 100644 models/openid-php-openid-782224d/examples/README delete mode 100644 models/openid-php-openid-782224d/examples/consumer/common.php delete mode 100644 models/openid-php-openid-782224d/examples/consumer/finish_auth.php delete mode 100644 models/openid-php-openid-782224d/examples/consumer/index.php delete mode 100644 models/openid-php-openid-782224d/examples/consumer/try_auth.php delete mode 100644 models/openid-php-openid-782224d/examples/detect.php delete mode 100644 models/openid-php-openid-782224d/examples/discover.php delete mode 100644 models/openid-php-openid-782224d/examples/server/index.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/actions.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/common.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/render.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/about.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/idpXrds.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/idpage.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/login.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/trust.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/render/userXrds.php delete mode 100644 models/openid-php-openid-782224d/examples/server/lib/session.php delete mode 100644 models/openid-php-openid-782224d/examples/server/openid-server.css delete mode 100644 models/openid-php-openid-782224d/examples/server/server.php delete mode 100644 models/openid-php-openid-782224d/examples/server/setup.php diff --git a/models/Auth.old/OpenID.php b/models/Auth.old/OpenID.php deleted file mode 100644 index f4816e9e5..000000000 --- a/models/Auth.old/OpenID.php +++ /dev/null @@ -1,576 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * Require the fetcher code. - */ -require_once "Auth/Yadis/PlainHTTPFetcher.php"; -require_once "Auth/Yadis/ParanoidHTTPFetcher.php"; -require_once "Auth/OpenID/BigMath.php"; -/** - * Status code returned by the server when the only option is to show - * an error page, since we do not have enough information to redirect - * back to the consumer. The associated value is an error message that - * should be displayed on an HTML error page. - * - * @see Auth_OpenID_Server - */ -define('Auth_OpenID_LOCAL_ERROR', 'local_error'); - -/** - * Status code returned when there is an error to return in key-value - * form to the consumer. The caller should return a 400 Bad Request - * response with content-type text/plain and the value as the body. - * - * @see Auth_OpenID_Server - */ -define('Auth_OpenID_REMOTE_ERROR', 'remote_error'); - -/** - * Status code returned when there is a key-value form OK response to - * the consumer. The value associated with this code is the - * response. The caller should return a 200 OK response with - * content-type text/plain and the value as the body. - * - * @see Auth_OpenID_Server - */ -define('Auth_OpenID_REMOTE_OK', 'remote_ok'); - -/** - * Status code returned when there is a redirect back to the - * consumer. The value is the URL to redirect back to. The caller - * should return a 302 Found redirect with a Location: header - * containing the URL. - * - * @see Auth_OpenID_Server - */ -define('Auth_OpenID_REDIRECT', 'redirect'); - -/** - * Status code returned when the caller needs to authenticate the - * user. The associated value is a {@link Auth_OpenID_ServerRequest} - * object that can be used to complete the authentication. If the user - * has taken some authentication action, use the retry() method of the - * {@link Auth_OpenID_ServerRequest} object to complete the request. - * - * @see Auth_OpenID_Server - */ -define('Auth_OpenID_DO_AUTH', 'do_auth'); - -/** - * Status code returned when there were no OpenID arguments - * passed. This code indicates that the caller should return a 200 OK - * response and display an HTML page that says that this is an OpenID - * server endpoint. - * - * @see Auth_OpenID_Server - */ -define('Auth_OpenID_DO_ABOUT', 'do_about'); - -/** - * Defines for regexes and format checking. - */ -define('Auth_OpenID_letters', - "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"); - -define('Auth_OpenID_digits', - "0123456789"); - -define('Auth_OpenID_punct', - "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"); - -if (Auth_OpenID_getMathLib() === null) { - Auth_OpenID_setNoMathSupport(); -} - -/** - * The OpenID utility function class. - * - * @package OpenID - * @access private - */ -class Auth_OpenID { - - /** - * Return true if $thing is an Auth_OpenID_FailureResponse object; - * false if not. - * - * @access private - */ - function isFailure($thing) - { - return is_a($thing, 'Auth_OpenID_FailureResponse'); - } - - /** - * Gets the query data from the server environment based on the - * request method used. If GET was used, this looks at - * $_SERVER['QUERY_STRING'] directly. If POST was used, this - * fetches data from the special php://input file stream. - * - * Returns an associative array of the query arguments. - * - * Skips invalid key/value pairs (i.e. keys with no '=value' - * portion). - * - * Returns an empty array if neither GET nor POST was used, or if - * POST was used but php://input cannot be opened. - * - * @access private - */ - function getQuery($query_str=null) - { - $data = array(); - - if ($query_str !== null) { - $data = Auth_OpenID::params_from_string($query_str); - } else if (!array_key_exists('REQUEST_METHOD', $_SERVER)) { - // Do nothing. - } else { - // XXX HACK FIXME HORRIBLE. - // - // POSTing to a URL with query parameters is acceptable, but - // we don't have a clean way to distinguish those parameters - // when we need to do things like return_to verification - // which only want to look at one kind of parameter. We're - // going to emulate the behavior of some other environments - // by defaulting to GET and overwriting with POST if POST - // data is available. - $data = Auth_OpenID::params_from_string($_SERVER['QUERY_STRING']); - - if ($_SERVER['REQUEST_METHOD'] == 'POST') { - $str = file_get_contents('php://input'); - - if ($str === false) { - $post = array(); - } else { - $post = Auth_OpenID::params_from_string($str); - } - - $data = array_merge($data, $post); - } - } - - return $data; - } - - function params_from_string($str) - { - $chunks = explode("&", $str); - - $data = array(); - foreach ($chunks as $chunk) { - $parts = explode("=", $chunk, 2); - - if (count($parts) != 2) { - continue; - } - - list($k, $v) = $parts; - $data[$k] = urldecode($v); - } - - return $data; - } - - /** - * Create dir_name as a directory if it does not exist. If it - * exists, make sure that it is, in fact, a directory. Returns - * true if the operation succeeded; false if not. - * - * @access private - */ - function ensureDir($dir_name) - { - if (is_dir($dir_name) || @mkdir($dir_name)) { - return true; - } else { - if (Auth_OpenID::ensureDir(dirname($dir_name))) { - return is_dir($dir_name) || @mkdir($dir_name); - } else { - return false; - } - } - } - - /** - * Adds a string prefix to all values of an array. Returns a new - * array containing the prefixed values. - * - * @access private - */ - function addPrefix($values, $prefix) - { - $new_values = array(); - foreach ($values as $s) { - $new_values[] = $prefix . $s; - } - return $new_values; - } - - /** - * Convenience function for getting array values. Given an array - * $arr and a key $key, get the corresponding value from the array - * or return $default if the key is absent. - * - * @access private - */ - function arrayGet($arr, $key, $fallback = null) - { - if (is_array($arr)) { - if (array_key_exists($key, $arr)) { - return $arr[$key]; - } else { - return $fallback; - } - } else { - trigger_error("Auth_OpenID::arrayGet (key = ".$key.") expected " . - "array as first parameter, got " . - gettype($arr), E_USER_WARNING); - - return false; - } - } - - /** - * Replacement for PHP's broken parse_str. - */ - function parse_str($query) - { - if ($query === null) { - return null; - } - - $parts = explode('&', $query); - - $new_parts = array(); - for ($i = 0; $i < count($parts); $i++) { - $pair = explode('=', $parts[$i]); - - if (count($pair) != 2) { - continue; - } - - list($key, $value) = $pair; - $new_parts[$key] = urldecode($value); - } - - return $new_parts; - } - - /** - * Implements the PHP 5 'http_build_query' functionality. - * - * @access private - * @param array $data Either an array key/value pairs or an array - * of arrays, each of which holding two values: a key and a value, - * sequentially. - * @return string $result The result of url-encoding the key/value - * pairs from $data into a URL query string - * (e.g. "username=bob&id=56"). - */ - function httpBuildQuery($data) - { - $pairs = array(); - foreach ($data as $key => $value) { - if (is_array($value)) { - $pairs[] = urlencode($value[0])."=".urlencode($value[1]); - } else { - $pairs[] = urlencode($key)."=".urlencode($value); - } - } - return implode("&", $pairs); - } - - /** - * "Appends" query arguments onto a URL. The URL may or may not - * already have arguments (following a question mark). - * - * @access private - * @param string $url A URL, which may or may not already have - * arguments. - * @param array $args Either an array key/value pairs or an array of - * arrays, each of which holding two values: a key and a value, - * sequentially. If $args is an ordinary key/value array, the - * parameters will be added to the URL in sorted alphabetical order; - * if $args is an array of arrays, their order will be preserved. - * @return string $url The original URL with the new parameters added. - * - */ - function appendArgs($url, $args) - { - if (count($args) == 0) { - return $url; - } - - // Non-empty array; if it is an array of arrays, use - // multisort; otherwise use sort. - if (array_key_exists(0, $args) && - is_array($args[0])) { - // Do nothing here. - } else { - $keys = array_keys($args); - sort($keys); - $new_args = array(); - foreach ($keys as $key) { - $new_args[] = array($key, $args[$key]); - } - $args = $new_args; - } - - $sep = '?'; - if (strpos($url, '?') !== false) { - $sep = '&'; - } - - return $url . $sep . Auth_OpenID::httpBuildQuery($args); - } - - /** - * Turn a string into an ASCII string. - * - * Replace non-ascii characters with a %-encoded, UTF-8 - * encoding. This function will fail if the input is a string and - * there are non-7-bit-safe characters. It is assumed that the - * caller will have already translated the input into a Unicode - * character sequence, according to the encoding of the HTTP POST - * or GET. - * - * Do not escape anything that is already 7-bit safe, so we do the - * minimal transform on the identity URL - * - * @access private - */ - function quoteMinimal($s) - { - $res = array(); - for ($i = 0; $i < strlen($s); $i++) { - $c = $s[$i]; - if ($c >= "\x80") { - for ($j = 0; $j < count(utf8_encode($c)); $j++) { - array_push($res, sprintf("%02X", ord($c[$j]))); - } - } else { - array_push($res, $c); - } - } - - return implode('', $res); - } - - /** - * Implements python's urlunparse, which is not available in PHP. - * Given the specified components of a URL, this function rebuilds - * and returns the URL. - * - * @access private - * @param string $scheme The scheme (e.g. 'http'). Defaults to 'http'. - * @param string $host The host. Required. - * @param string $port The port. - * @param string $path The path. - * @param string $query The query. - * @param string $fragment The fragment. - * @return string $url The URL resulting from assembling the - * specified components. - */ - function urlunparse($scheme, $host, $port = null, $path = '/', - $query = '', $fragment = '') - { - - if (!$scheme) { - $scheme = 'http'; - } - - if (!$host) { - return false; - } - - if (!$path) { - $path = ''; - } - - $result = $scheme . "://" . $host; - - if ($port) { - $result .= ":" . $port; - } - - $result .= $path; - - if ($query) { - $result .= "?" . $query; - } - - if ($fragment) { - $result .= "#" . $fragment; - } - - return $result; - } - - /** - * Given a URL, this "normalizes" it by adding a trailing slash - * and / or a leading http:// scheme where necessary. Returns - * null if the original URL is malformed and cannot be normalized. - * - * @access private - * @param string $url The URL to be normalized. - * @return mixed $new_url The URL after normalization, or null if - * $url was malformed. - */ - function normalizeUrl($url) - { - if ($url === null) { - return null; - } - - assert(is_string($url)); - - $old_url = $url; - $url = trim($url); - - if (strpos($url, "://") === false) { - $url = "http://" . $url; - } - - $parsed = @parse_url($url); - - if ($parsed === false) { - return null; - } - - $defaults = array( - 'scheme' => '', - 'host' => '', - 'path' => '', - 'query' => '', - 'fragment' => '', - 'port' => '' - ); - - $parsed = array_merge($defaults, $parsed); - - if (($parsed['scheme'] == '') || - ($parsed['host'] == '')) { - if ($parsed['path'] == '' && - $parsed['query'] == '') { - return null; - } - - $url = 'http://' + $url; - $parsed = parse_url($url); - - $parsed = array_merge($defaults, $parsed); - } - - $tail = array_map(array('Auth_OpenID', 'quoteMinimal'), - array($parsed['path'], - $parsed['query'])); - if ($tail[0] == '') { - $tail[0] = '/'; - } - - $url = Auth_OpenID::urlunparse($parsed['scheme'], $parsed['host'], - $parsed['port'], $tail[0], $tail[1]); - - assert(is_string($url)); - - return $url; - } - - /** - * Replacement (wrapper) for PHP's intval() because it's broken. - * - * @access private - */ - function intval($value) - { - $re = "/^\\d+$/"; - - if (!preg_match($re, $value)) { - return false; - } - - return intval($value); - } - - /** - * Count the number of bytes in a string independently of - * multibyte support conditions. - * - * @param string $str The string of bytes to count. - * @return int The number of bytes in $str. - */ - function bytes($str) - { - return strlen(bin2hex($str)) / 2; - } - - /** - * Get the bytes in a string independently of multibyte support - * conditions. - */ - function toBytes($str) - { - $hex = bin2hex($str); - - if (!$hex) { - return array(); - } - - $b = array(); - for ($i = 0; $i < strlen($hex); $i += 2) { - $b[] = chr(base_convert(substr($hex, $i, 2), 16, 10)); - } - - return $b; - } - - function urldefrag($url) - { - $parts = explode("#", $url, 2); - - if (count($parts) == 1) { - return array($parts[0], ""); - } else { - return $parts; - } - } - - function filter($callback, &$sequence) - { - $result = array(); - - foreach ($sequence as $item) { - if (call_user_func_array($callback, array($item))) { - $result[] = $item; - } - } - - return $result; - } - - function update(&$dest, &$src) - { - foreach ($src as $k => $v) { - $dest[$k] = $v; - } - } -} -?> diff --git a/models/Auth.old/OpenID/AX.php b/models/Auth.old/OpenID/AX.php deleted file mode 100644 index d183c44c2..000000000 --- a/models/Auth.old/OpenID/AX.php +++ /dev/null @@ -1,1013 +0,0 @@ -message = $message; - } -} - -/** - * Abstract class containing common code for attribute exchange - * messages. - * - * @package OpenID - */ -class Auth_OpenID_AX_Message extends Auth_OpenID_Extension { - /** - * ns_alias: The preferred namespace alias for attribute exchange - * messages - */ - var $ns_alias = 'ax'; - - /** - * mode: The type of this attribute exchange message. This must be - * overridden in subclasses. - */ - var $mode = null; - - var $ns_uri = Auth_OpenID_AX_NS_URI; - - /** - * Return Auth_OpenID_AX_Error if the mode in the attribute - * exchange arguments does not match what is expected for this - * class; true otherwise. - * - * @access private - */ - function _checkMode($ax_args) - { - $mode = Auth_OpenID::arrayGet($ax_args, 'mode'); - if ($mode != $this->mode) { - return new Auth_OpenID_AX_Error( - sprintf( - "Expected mode '%s'; got '%s'", - $this->mode, $mode)); - } - - return true; - } - - /** - * Return a set of attribute exchange arguments containing the - * basic information that must be in every attribute exchange - * message. - * - * @access private - */ - function _newArgs() - { - return array('mode' => $this->mode); - } -} - -/** - * Represents a single attribute in an attribute exchange - * request. This should be added to an AXRequest object in order to - * request the attribute. - * - * @package OpenID - */ -class Auth_OpenID_AX_AttrInfo { - /** - * Construct an attribute information object. Do not call this - * directly; call make(...) instead. - * - * @param string $type_uri The type URI for this attribute. - * - * @param int $count The number of values of this type to request. - * - * @param bool $required Whether the attribute will be marked as - * required in the request. - * - * @param string $alias The name that should be given to this - * attribute in the request. - */ - function Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, - $alias) - { - /** - * required: Whether the attribute will be marked as required - * when presented to the subject of the attribute exchange - * request. - */ - $this->required = $required; - - /** - * count: How many values of this type to request from the - * subject. Defaults to one. - */ - $this->count = $count; - - /** - * type_uri: The identifier that determines what the attribute - * represents and how it is serialized. For example, one type - * URI representing dates could represent a Unix timestamp in - * base 10 and another could represent a human-readable - * string. - */ - $this->type_uri = $type_uri; - - /** - * alias: The name that should be given to this attribute in - * the request. If it is not supplied, a generic name will be - * assigned. For example, if you want to call a Unix timestamp - * value 'tstamp', set its alias to that value. If two - * attributes in the same message request to use the same - * alias, the request will fail to be generated. - */ - $this->alias = $alias; - } - - /** - * Construct an attribute information object. For parameter - * details, see the constructor. - */ - function make($type_uri, $count=1, $required=false, - $alias=null) - { - if ($alias !== null) { - $result = Auth_OpenID_AX_checkAlias($alias); - - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - } - - return new Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, - $alias); - } - - /** - * When processing a request for this attribute, the OP should - * call this method to determine whether all available attribute - * values were requested. If self.count == UNLIMITED_VALUES, this - * returns True. Otherwise this returns False, in which case - * self.count is an integer. - */ - function wantsUnlimitedValues() - { - return $this->count === Auth_OpenID_AX_UNLIMITED_VALUES; - } -} - -/** - * Given a namespace mapping and a string containing a comma-separated - * list of namespace aliases, return a list of type URIs that - * correspond to those aliases. - * - * @param $namespace_map The mapping from namespace URI to alias - * @param $alias_list_s The string containing the comma-separated - * list of aliases. May also be None for convenience. - * - * @return $seq The list of namespace URIs that corresponds to the - * supplied list of aliases. If the string was zero-length or None, an - * empty list will be returned. - * - * return null If an alias is present in the list of aliases but - * is not present in the namespace map. - */ -function Auth_OpenID_AX_toTypeURIs(&$namespace_map, $alias_list_s) -{ - $uris = array(); - - if ($alias_list_s) { - foreach (explode(',', $alias_list_s) as $alias) { - $type_uri = $namespace_map->getNamespaceURI($alias); - if ($type_uri === null) { - // raise KeyError( - // 'No type is defined for attribute name %r' % (alias,)) - return new Auth_OpenID_AX_Error( - sprintf('No type is defined for attribute name %s', - $alias) - ); - } else { - $uris[] = $type_uri; - } - } - } - - return $uris; -} - -/** - * An attribute exchange 'fetch_request' message. This message is sent - * by a relying party when it wishes to obtain attributes about the - * subject of an OpenID authentication request. - * - * @package OpenID - */ -class Auth_OpenID_AX_FetchRequest extends Auth_OpenID_AX_Message { - - var $mode = 'fetch_request'; - - function Auth_OpenID_AX_FetchRequest($update_url=null) - { - /** - * requested_attributes: The attributes that have been - * requested thus far, indexed by the type URI. - */ - $this->requested_attributes = array(); - - /** - * update_url: A URL that will accept responses for this - * attribute exchange request, even in the absence of the user - * who made this request. - */ - $this->update_url = $update_url; - } - - /** - * Add an attribute to this attribute exchange request. - * - * @param attribute: The attribute that is being requested - * @return true on success, false when the requested attribute is - * already present in this fetch request. - */ - function add($attribute) - { - if ($this->contains($attribute->type_uri)) { - return new Auth_OpenID_AX_Error( - sprintf("The attribute %s has already been requested", - $attribute->type_uri)); - } - - $this->requested_attributes[$attribute->type_uri] = $attribute; - - return true; - } - - /** - * Get the serialized form of this attribute fetch request. - * - * @returns Auth_OpenID_AX_FetchRequest The fetch request message parameters - */ - function getExtensionArgs() - { - $aliases = new Auth_OpenID_NamespaceMap(); - - $required = array(); - $if_available = array(); - - $ax_args = $this->_newArgs(); - - foreach ($this->requested_attributes as $type_uri => $attribute) { - if ($attribute->alias === null) { - $alias = $aliases->add($type_uri); - } else { - $alias = $aliases->addAlias($type_uri, $attribute->alias); - - if ($alias === null) { - return new Auth_OpenID_AX_Error( - sprintf("Could not add alias %s for URI %s", - $attribute->alias, $type_uri - )); - } - } - - if ($attribute->required) { - $required[] = $alias; - } else { - $if_available[] = $alias; - } - - if ($attribute->count != 1) { - $ax_args['count.' . $alias] = strval($attribute->count); - } - - $ax_args['type.' . $alias] = $type_uri; - } - - if ($required) { - $ax_args['required'] = implode(',', $required); - } - - if ($if_available) { - $ax_args['if_available'] = implode(',', $if_available); - } - - return $ax_args; - } - - /** - * Get the type URIs for all attributes that have been marked as - * required. - * - * @return A list of the type URIs for attributes that have been - * marked as required. - */ - function getRequiredAttrs() - { - $required = array(); - foreach ($this->requested_attributes as $type_uri => $attribute) { - if ($attribute->required) { - $required[] = $type_uri; - } - } - - return $required; - } - - /** - * Extract a FetchRequest from an OpenID message - * - * @param message: The OpenID message containing the attribute - * fetch request - * - * @returns mixed An Auth_OpenID_AX_Error or the - * Auth_OpenID_AX_FetchRequest extracted from the message if - * successful - */ - function &fromOpenIDRequest($message) - { - $obj = new Auth_OpenID_AX_FetchRequest(); - $ax_args = $message->getArgs($obj->ns_uri); - - $result = $obj->parseExtensionArgs($ax_args); - - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - if ($obj->update_url) { - // Update URL must match the openid.realm of the - // underlying OpenID 2 message. - $realm = $message->getArg(Auth_OpenID_OPENID_NS, 'realm', - $message->getArg( - Auth_OpenID_OPENID_NS, - 'return_to')); - - if (!$realm) { - $obj = new Auth_OpenID_AX_Error( - sprintf("Cannot validate update_url %s " . - "against absent realm", $obj->update_url)); - } else if (!Auth_OpenID_TrustRoot::match($realm, - $obj->update_url)) { - $obj = new Auth_OpenID_AX_Error( - sprintf("Update URL %s failed validation against realm %s", - $obj->update_url, $realm)); - } - } - - return $obj; - } - - /** - * Given attribute exchange arguments, populate this FetchRequest. - * - * @return $result Auth_OpenID_AX_Error if the data to be parsed - * does not follow the attribute exchange specification. At least - * when 'if_available' or 'required' is not specified for a - * particular attribute type. Returns true otherwise. - */ - function parseExtensionArgs($ax_args) - { - $result = $this->_checkMode($ax_args); - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - $aliases = new Auth_OpenID_NamespaceMap(); - - foreach ($ax_args as $key => $value) { - if (strpos($key, 'type.') === 0) { - $alias = substr($key, 5); - $type_uri = $value; - - $alias = $aliases->addAlias($type_uri, $alias); - - if ($alias === null) { - return new Auth_OpenID_AX_Error( - sprintf("Could not add alias %s for URI %s", - $alias, $type_uri) - ); - } - - $count_s = Auth_OpenID::arrayGet($ax_args, 'count.' . $alias); - if ($count_s) { - $count = Auth_OpenID::intval($count_s); - if (($count === false) && - ($count_s === Auth_OpenID_AX_UNLIMITED_VALUES)) { - $count = $count_s; - } - } else { - $count = 1; - } - - if ($count === false) { - return new Auth_OpenID_AX_Error( - sprintf("Integer value expected for %s, got %s", - 'count.' . $alias, $count_s)); - } - - $attrinfo = Auth_OpenID_AX_AttrInfo::make($type_uri, $count, - false, $alias); - - if (Auth_OpenID_AX::isError($attrinfo)) { - return $attrinfo; - } - - $this->add($attrinfo); - } - } - - $required = Auth_OpenID_AX_toTypeURIs($aliases, - Auth_OpenID::arrayGet($ax_args, 'required')); - - foreach ($required as $type_uri) { - $attrib =& $this->requested_attributes[$type_uri]; - $attrib->required = true; - } - - $if_available = Auth_OpenID_AX_toTypeURIs($aliases, - Auth_OpenID::arrayGet($ax_args, 'if_available')); - - $all_type_uris = array_merge($required, $if_available); - - foreach ($aliases->iterNamespaceURIs() as $type_uri) { - if (!in_array($type_uri, $all_type_uris)) { - return new Auth_OpenID_AX_Error( - sprintf('Type URI %s was in the request but not ' . - 'present in "required" or "if_available"', - $type_uri)); - - } - } - - $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); - - return true; - } - - /** - * Iterate over the AttrInfo objects that are contained in this - * fetch_request. - */ - function iterAttrs() - { - return array_values($this->requested_attributes); - } - - function iterTypes() - { - return array_keys($this->requested_attributes); - } - - /** - * Is the given type URI present in this fetch_request? - */ - function contains($type_uri) - { - return in_array($type_uri, $this->iterTypes()); - } -} - -/** - * An abstract class that implements a message that has attribute keys - * and values. It contains the common code between fetch_response and - * store_request. - * - * @package OpenID - */ -class Auth_OpenID_AX_KeyValueMessage extends Auth_OpenID_AX_Message { - - function Auth_OpenID_AX_KeyValueMessage() - { - $this->data = array(); - } - - /** - * Add a single value for the given attribute type to the - * message. If there are already values specified for this type, - * this value will be sent in addition to the values already - * specified. - * - * @param type_uri: The URI for the attribute - * @param value: The value to add to the response to the relying - * party for this attribute - * @return null - */ - function addValue($type_uri, $value) - { - if (!array_key_exists($type_uri, $this->data)) { - $this->data[$type_uri] = array(); - } - - $values =& $this->data[$type_uri]; - $values[] = $value; - } - - /** - * Set the values for the given attribute type. This replaces any - * values that have already been set for this attribute. - * - * @param type_uri: The URI for the attribute - * @param values: A list of values to send for this attribute. - */ - function setValues($type_uri, &$values) - { - $this->data[$type_uri] =& $values; - } - - /** - * Get the extension arguments for the key/value pairs contained - * in this message. - * - * @param aliases: An alias mapping. Set to None if you don't care - * about the aliases for this request. - * - * @access private - */ - function _getExtensionKVArgs(&$aliases) - { - if ($aliases === null) { - $aliases = new Auth_OpenID_NamespaceMap(); - } - - $ax_args = array(); - - foreach ($this->data as $type_uri => $values) { - $alias = $aliases->add($type_uri); - - $ax_args['type.' . $alias] = $type_uri; - $ax_args['count.' . $alias] = strval(count($values)); - - foreach ($values as $i => $value) { - $key = sprintf('value.%s.%d', $alias, $i + 1); - $ax_args[$key] = $value; - } - } - - return $ax_args; - } - - /** - * Parse attribute exchange key/value arguments into this object. - * - * @param ax_args: The attribute exchange fetch_response - * arguments, with namespacing removed. - * - * @return Auth_OpenID_AX_Error or true - */ - function parseExtensionArgs($ax_args) - { - $result = $this->_checkMode($ax_args); - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - $aliases = new Auth_OpenID_NamespaceMap(); - - foreach ($ax_args as $key => $value) { - if (strpos($key, 'type.') === 0) { - $type_uri = $value; - $alias = substr($key, 5); - - $result = Auth_OpenID_AX_checkAlias($alias); - - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - $alias = $aliases->addAlias($type_uri, $alias); - - if ($alias === null) { - return new Auth_OpenID_AX_Error( - sprintf("Could not add alias %s for URI %s", - $alias, $type_uri) - ); - } - } - } - - foreach ($aliases->iteritems() as $pair) { - list($type_uri, $alias) = $pair; - - if (array_key_exists('count.' . $alias, $ax_args)) { - - $count_key = 'count.' . $alias; - $count_s = $ax_args[$count_key]; - - $count = Auth_OpenID::intval($count_s); - - if ($count === false) { - return new Auth_OpenID_AX_Error( - sprintf("Integer value expected for %s, got %s", - 'count. %s' . $alias, $count_s, - Auth_OpenID_AX_UNLIMITED_VALUES) - ); - } - - $values = array(); - for ($i = 1; $i < $count + 1; $i++) { - $value_key = sprintf('value.%s.%d', $alias, $i); - - if (!array_key_exists($value_key, $ax_args)) { - return new Auth_OpenID_AX_Error( - sprintf( - "No value found for key %s", - $value_key)); - } - - $value = $ax_args[$value_key]; - $values[] = $value; - } - } else { - $key = 'value.' . $alias; - - if (!array_key_exists($key, $ax_args)) { - return new Auth_OpenID_AX_Error( - sprintf( - "No value found for key %s", - $key)); - } - - $value = $ax_args['value.' . $alias]; - - if ($value == '') { - $values = array(); - } else { - $values = array($value); - } - } - - $this->data[$type_uri] = $values; - } - - return true; - } - - /** - * Get a single value for an attribute. If no value was sent for - * this attribute, use the supplied default. If there is more than - * one value for this attribute, this method will fail. - * - * @param type_uri: The URI for the attribute - * @param default: The value to return if the attribute was not - * sent in the fetch_response. - * - * @return $value Auth_OpenID_AX_Error on failure or the value of - * the attribute in the fetch_response message, or the default - * supplied - */ - function getSingle($type_uri, $default=null) - { - $values = Auth_OpenID::arrayGet($this->data, $type_uri); - if (!$values) { - return $default; - } else if (count($values) == 1) { - return $values[0]; - } else { - return new Auth_OpenID_AX_Error( - sprintf('More than one value present for %s', - $type_uri) - ); - } - } - - /** - * Get the list of values for this attribute in the - * fetch_response. - * - * XXX: what to do if the values are not present? default - * parameter? this is funny because it's always supposed to return - * a list, so the default may break that, though it's provided by - * the user's code, so it might be okay. If no default is - * supplied, should the return be None or []? - * - * @param type_uri: The URI of the attribute - * - * @return $values The list of values for this attribute in the - * response. May be an empty list. If the attribute was not sent - * in the response, returns Auth_OpenID_AX_Error. - */ - function get($type_uri) - { - if (array_key_exists($type_uri, $this->data)) { - return $this->data[$type_uri]; - } else { - return new Auth_OpenID_AX_Error( - sprintf("Type URI %s not found in response", - $type_uri) - ); - } - } - - /** - * Get the number of responses for a particular attribute in this - * fetch_response message. - * - * @param type_uri: The URI of the attribute - * - * @returns int The number of values sent for this attribute. If - * the attribute was not sent in the response, returns - * Auth_OpenID_AX_Error. - */ - function count($type_uri) - { - if (array_key_exists($type_uri, $this->data)) { - return count($this->get($type_uri)); - } else { - return new Auth_OpenID_AX_Error( - sprintf("Type URI %s not found in response", - $type_uri) - ); - } - } -} - -/** - * A fetch_response attribute exchange message. - * - * @package OpenID - */ -class Auth_OpenID_AX_FetchResponse extends Auth_OpenID_AX_KeyValueMessage { - var $mode = 'fetch_response'; - - function Auth_OpenID_AX_FetchResponse($update_url=null) - { - $this->Auth_OpenID_AX_KeyValueMessage(); - $this->update_url = $update_url; - } - - /** - * Serialize this object into arguments in the attribute exchange - * namespace - * - * @return $args The dictionary of unqualified attribute exchange - * arguments that represent this fetch_response, or - * Auth_OpenID_AX_Error on error. - */ - function getExtensionArgs($request=null) - { - $aliases = new Auth_OpenID_NamespaceMap(); - - $zero_value_types = array(); - - if ($request !== null) { - // Validate the data in the context of the request (the - // same attributes should be present in each, and the - // counts in the response must be no more than the counts - // in the request) - - foreach ($this->data as $type_uri => $unused) { - if (!$request->contains($type_uri)) { - return new Auth_OpenID_AX_Error( - sprintf("Response attribute not present in request: %s", - $type_uri) - ); - } - } - - foreach ($request->iterAttrs() as $attr_info) { - // Copy the aliases from the request so that reading - // the response in light of the request is easier - if ($attr_info->alias === null) { - $aliases->add($attr_info->type_uri); - } else { - $alias = $aliases->addAlias($attr_info->type_uri, - $attr_info->alias); - - if ($alias === null) { - return new Auth_OpenID_AX_Error( - sprintf("Could not add alias %s for URI %s", - $attr_info->alias, $attr_info->type_uri) - ); - } - } - - if (array_key_exists($attr_info->type_uri, $this->data)) { - $values = $this->data[$attr_info->type_uri]; - } else { - $values = array(); - $zero_value_types[] = $attr_info; - } - - if (($attr_info->count != Auth_OpenID_AX_UNLIMITED_VALUES) && - ($attr_info->count < count($values))) { - return new Auth_OpenID_AX_Error( - sprintf("More than the number of requested values " . - "were specified for %s", - $attr_info->type_uri) - ); - } - } - } - - $kv_args = $this->_getExtensionKVArgs($aliases); - - // Add the KV args into the response with the args that are - // unique to the fetch_response - $ax_args = $this->_newArgs(); - - // For each requested attribute, put its type/alias and count - // into the response even if no data were returned. - foreach ($zero_value_types as $attr_info) { - $alias = $aliases->getAlias($attr_info->type_uri); - $kv_args['type.' . $alias] = $attr_info->type_uri; - $kv_args['count.' . $alias] = '0'; - } - - $update_url = null; - if ($request) { - $update_url = $request->update_url; - } else { - $update_url = $this->update_url; - } - - if ($update_url) { - $ax_args['update_url'] = $update_url; - } - - Auth_OpenID::update(&$ax_args, $kv_args); - - return $ax_args; - } - - /** - * @return $result Auth_OpenID_AX_Error on failure or true on - * success. - */ - function parseExtensionArgs($ax_args) - { - $result = parent::parseExtensionArgs($ax_args); - - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); - - return true; - } - - /** - * Construct a FetchResponse object from an OpenID library - * SuccessResponse object. - * - * @param success_response: A successful id_res response object - * - * @param signed: Whether non-signed args should be processsed. If - * True (the default), only signed arguments will be processsed. - * - * @return $response A FetchResponse containing the data from the - * OpenID message - */ - function &fromSuccessResponse($success_response, $signed=true) - { - $obj = new Auth_OpenID_AX_FetchResponse(); - if ($signed) { - $ax_args = $success_response->getSignedNS($obj->ns_uri); - } else { - $ax_args = $success_response->message->getArgs($obj->ns_uri); - } - - return $obj->parseExtensionArgs($ax_args); - } -} - -/** - * A store request attribute exchange message representation. - * - * @package OpenID - */ -class Auth_OpenID_AX_StoreRequest extends Auth_OpenID_AX_KeyValueMessage { - var $mode = 'store_request'; - - /** - * @param array $aliases The namespace aliases to use when making - * this store response. Leave as None to use defaults. - */ - function getExtensionArgs($aliases=null) - { - $ax_args = $this->_newArgs(); - $kv_args = $this->_getExtensionKVArgs($aliases); - Auth_OpenID::update(&$ax_args, $kv_args); - return $ax_args; - } -} - -/** - * An indication that the store request was processed along with this - * OpenID transaction. Use make(), NOT the constructor, to create - * response objects. - * - * @package OpenID - */ -class Auth_OpenID_AX_StoreResponse extends Auth_OpenID_AX_Message { - var $SUCCESS_MODE = 'store_response_success'; - var $FAILURE_MODE = 'store_response_failure'; - - /** - * Returns Auth_OpenID_AX_Error on error or an - * Auth_OpenID_AX_StoreResponse object on success. - */ - function &make($succeeded=true, $error_message=null) - { - if (($succeeded) && ($error_message !== null)) { - return new Auth_OpenID_AX_Error('An error message may only be '. - 'included in a failing fetch response'); - } - - return new Auth_OpenID_AX_StoreResponse($succeeded, $error_message); - } - - function Auth_OpenID_AX_StoreResponse($succeeded=true, $error_message=null) - { - if ($succeeded) { - $this->mode = $this->SUCCESS_MODE; - } else { - $this->mode = $this->FAILURE_MODE; - } - - $this->error_message = $error_message; - } - - /** - * Was this response a success response? - */ - function succeeded() - { - return $this->mode == $this->SUCCESS_MODE; - } - - function getExtensionArgs() - { - $ax_args = $this->_newArgs(); - if ((!$this->succeeded()) && $this->error_message) { - $ax_args['error'] = $this->error_message; - } - - return $ax_args; - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Association.php b/models/Auth.old/OpenID/Association.php deleted file mode 100644 index 904655fb4..000000000 --- a/models/Auth.old/OpenID/Association.php +++ /dev/null @@ -1,613 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * @access private - */ -require_once 'Auth/OpenID/CryptUtil.php'; - -/** - * @access private - */ -require_once 'Auth/OpenID/KVForm.php'; - -/** - * @access private - */ -require_once 'Auth/OpenID/HMACSHA1.php'; - -/** - * This class represents an association between a server and a - * consumer. In general, users of this library will never see - * instances of this object. The only exception is if you implement a - * custom {@link Auth_OpenID_OpenIDStore}. - * - * If you do implement such a store, it will need to store the values - * of the handle, secret, issued, lifetime, and assoc_type instance - * variables. - * - * @package OpenID - */ -class Auth_OpenID_Association { - - /** - * This is a HMAC-SHA1 specific value. - * - * @access private - */ - var $SIG_LENGTH = 20; - - /** - * The ordering and name of keys as stored by serialize. - * - * @access private - */ - var $assoc_keys = array( - 'version', - 'handle', - 'secret', - 'issued', - 'lifetime', - 'assoc_type' - ); - - var $_macs = array( - 'HMAC-SHA1' => 'Auth_OpenID_HMACSHA1', - 'HMAC-SHA256' => 'Auth_OpenID_HMACSHA256' - ); - - /** - * This is an alternate constructor (factory method) used by the - * OpenID consumer library to create associations. OpenID store - * implementations shouldn't use this constructor. - * - * @access private - * - * @param integer $expires_in This is the amount of time this - * association is good for, measured in seconds since the - * association was issued. - * - * @param string $handle This is the handle the server gave this - * association. - * - * @param string secret This is the shared secret the server - * generated for this association. - * - * @param assoc_type This is the type of association this - * instance represents. The only valid values of this field at - * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may - * be defined in the future. - * - * @return association An {@link Auth_OpenID_Association} - * instance. - */ - function fromExpiresIn($expires_in, $handle, $secret, $assoc_type) - { - $issued = time(); - $lifetime = $expires_in; - return new Auth_OpenID_Association($handle, $secret, - $issued, $lifetime, $assoc_type); - } - - /** - * This is the standard constructor for creating an association. - * The library should create all of the necessary associations, so - * this constructor is not part of the external API. - * - * @access private - * - * @param string $handle This is the handle the server gave this - * association. - * - * @param string $secret This is the shared secret the server - * generated for this association. - * - * @param integer $issued This is the time this association was - * issued, in seconds since 00:00 GMT, January 1, 1970. (ie, a - * unix timestamp) - * - * @param integer $lifetime This is the amount of time this - * association is good for, measured in seconds since the - * association was issued. - * - * @param string $assoc_type This is the type of association this - * instance represents. The only valid values of this field at - * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may - * be defined in the future. - */ - function Auth_OpenID_Association( - $handle, $secret, $issued, $lifetime, $assoc_type) - { - if (!in_array($assoc_type, - Auth_OpenID_getSupportedAssociationTypes())) { - $fmt = 'Unsupported association type (%s)'; - trigger_error(sprintf($fmt, $assoc_type), E_USER_ERROR); - } - - $this->handle = $handle; - $this->secret = $secret; - $this->issued = $issued; - $this->lifetime = $lifetime; - $this->assoc_type = $assoc_type; - } - - /** - * This returns the number of seconds this association is still - * valid for, or 0 if the association is no longer valid. - * - * @return integer $seconds The number of seconds this association - * is still valid for, or 0 if the association is no longer valid. - */ - function getExpiresIn($now = null) - { - if ($now == null) { - $now = time(); - } - - return max(0, $this->issued + $this->lifetime - $now); - } - - /** - * This checks to see if two {@link Auth_OpenID_Association} - * instances represent the same association. - * - * @return bool $result true if the two instances represent the - * same association, false otherwise. - */ - function equal($other) - { - return ((gettype($this) == gettype($other)) - && ($this->handle == $other->handle) - && ($this->secret == $other->secret) - && ($this->issued == $other->issued) - && ($this->lifetime == $other->lifetime) - && ($this->assoc_type == $other->assoc_type)); - } - - /** - * Convert an association to KV form. - * - * @return string $result String in KV form suitable for - * deserialization by deserialize. - */ - function serialize() - { - $data = array( - 'version' => '2', - 'handle' => $this->handle, - 'secret' => base64_encode($this->secret), - 'issued' => strval(intval($this->issued)), - 'lifetime' => strval(intval($this->lifetime)), - 'assoc_type' => $this->assoc_type - ); - - assert(array_keys($data) == $this->assoc_keys); - - return Auth_OpenID_KVForm::fromArray($data, $strict = true); - } - - /** - * Parse an association as stored by serialize(). This is the - * inverse of serialize. - * - * @param string $assoc_s Association as serialized by serialize() - * @return Auth_OpenID_Association $result instance of this class - */ - function deserialize($class_name, $assoc_s) - { - $pairs = Auth_OpenID_KVForm::toArray($assoc_s, $strict = true); - $keys = array(); - $values = array(); - foreach ($pairs as $key => $value) { - if (is_array($value)) { - list($key, $value) = $value; - } - $keys[] = $key; - $values[] = $value; - } - - $class_vars = get_class_vars($class_name); - $class_assoc_keys = $class_vars['assoc_keys']; - - sort($keys); - sort($class_assoc_keys); - - if ($keys != $class_assoc_keys) { - trigger_error('Unexpected key values: ' . var_export($keys, true), - E_USER_WARNING); - return null; - } - - $version = $pairs['version']; - $handle = $pairs['handle']; - $secret = $pairs['secret']; - $issued = $pairs['issued']; - $lifetime = $pairs['lifetime']; - $assoc_type = $pairs['assoc_type']; - - if ($version != '2') { - trigger_error('Unknown version: ' . $version, E_USER_WARNING); - return null; - } - - $issued = intval($issued); - $lifetime = intval($lifetime); - $secret = base64_decode($secret); - - return new $class_name( - $handle, $secret, $issued, $lifetime, $assoc_type); - } - - /** - * Generate a signature for a sequence of (key, value) pairs - * - * @access private - * @param array $pairs The pairs to sign, in order. This is an - * array of two-tuples. - * @return string $signature The binary signature of this sequence - * of pairs - */ - function sign($pairs) - { - $kv = Auth_OpenID_KVForm::fromArray($pairs); - - /* Invalid association types should be caught at constructor */ - $callback = $this->_macs[$this->assoc_type]; - - return call_user_func_array($callback, array($this->secret, $kv)); - } - - /** - * Generate a signature for some fields in a dictionary - * - * @access private - * @param array $fields The fields to sign, in order; this is an - * array of strings. - * @param array $data Dictionary of values to sign (an array of - * string => string pairs). - * @return string $signature The signature, base64 encoded - */ - function signMessage($message) - { - if ($message->hasKey(Auth_OpenID_OPENID_NS, 'sig') || - $message->hasKey(Auth_OpenID_OPENID_NS, 'signed')) { - // Already has a sig - return null; - } - - $extant_handle = $message->getArg(Auth_OpenID_OPENID_NS, - 'assoc_handle'); - - if ($extant_handle && ($extant_handle != $this->handle)) { - // raise ValueError("Message has a different association handle") - return null; - } - - $signed_message = $message; - $signed_message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', - $this->handle); - - $message_keys = array_keys($signed_message->toPostArgs()); - $signed_list = array(); - $signed_prefix = 'openid.'; - - foreach ($message_keys as $k) { - if (strpos($k, $signed_prefix) === 0) { - $signed_list[] = substr($k, strlen($signed_prefix)); - } - } - - $signed_list[] = 'signed'; - sort($signed_list); - - $signed_message->setArg(Auth_OpenID_OPENID_NS, 'signed', - implode(',', $signed_list)); - $sig = $this->getMessageSignature($signed_message); - $signed_message->setArg(Auth_OpenID_OPENID_NS, 'sig', $sig); - return $signed_message; - } - - /** - * Given a {@link Auth_OpenID_Message}, return the key/value pairs - * to be signed according to the signed list in the message. If - * the message lacks a signed list, return null. - * - * @access private - */ - function _makePairs(&$message) - { - $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); - if (!$signed) { - // raise ValueError('Message has no signed list: %s' % (message,)) - return null; - } - - $signed_list = explode(',', $signed); - $pairs = array(); - $data = $message->toPostArgs(); - foreach ($signed_list as $field) { - $pairs[] = array($field, Auth_OpenID::arrayGet($data, - 'openid.' . - $field, '')); - } - return $pairs; - } - - /** - * Given an {@link Auth_OpenID_Message}, return the signature for - * the signed list in the message. - * - * @access private - */ - function getMessageSignature(&$message) - { - $pairs = $this->_makePairs($message); - return base64_encode($this->sign($pairs)); - } - - /** - * Confirm that the signature of these fields matches the - * signature contained in the data. - * - * @access private - */ - function checkMessageSignature(&$message) - { - $sig = $message->getArg(Auth_OpenID_OPENID_NS, - 'sig'); - - if (!$sig) { - return false; - } - - $calculated_sig = $this->getMessageSignature($message); - return $calculated_sig == $sig; - } -} - -function Auth_OpenID_getSecretSize($assoc_type) -{ - if ($assoc_type == 'HMAC-SHA1') { - return 20; - } else if ($assoc_type == 'HMAC-SHA256') { - return 32; - } else { - return null; - } -} - -function Auth_OpenID_getAllAssociationTypes() -{ - return array('HMAC-SHA1', 'HMAC-SHA256'); -} - -function Auth_OpenID_getSupportedAssociationTypes() -{ - $a = array('HMAC-SHA1'); - - if (Auth_OpenID_HMACSHA256_SUPPORTED) { - $a[] = 'HMAC-SHA256'; - } - - return $a; -} - -function Auth_OpenID_getSessionTypes($assoc_type) -{ - $assoc_to_session = array( - 'HMAC-SHA1' => array('DH-SHA1', 'no-encryption')); - - if (Auth_OpenID_HMACSHA256_SUPPORTED) { - $assoc_to_session['HMAC-SHA256'] = - array('DH-SHA256', 'no-encryption'); - } - - return Auth_OpenID::arrayGet($assoc_to_session, $assoc_type, array()); -} - -function Auth_OpenID_checkSessionType($assoc_type, $session_type) -{ - if (!in_array($session_type, - Auth_OpenID_getSessionTypes($assoc_type))) { - return false; - } - - return true; -} - -function Auth_OpenID_getDefaultAssociationOrder() -{ - $order = array(); - - if (!Auth_OpenID_noMathSupport()) { - $order[] = array('HMAC-SHA1', 'DH-SHA1'); - - if (Auth_OpenID_HMACSHA256_SUPPORTED) { - $order[] = array('HMAC-SHA256', 'DH-SHA256'); - } - } - - $order[] = array('HMAC-SHA1', 'no-encryption'); - - if (Auth_OpenID_HMACSHA256_SUPPORTED) { - $order[] = array('HMAC-SHA256', 'no-encryption'); - } - - return $order; -} - -function Auth_OpenID_getOnlyEncryptedOrder() -{ - $result = array(); - - foreach (Auth_OpenID_getDefaultAssociationOrder() as $pair) { - list($assoc, $session) = $pair; - - if ($session != 'no-encryption') { - if (Auth_OpenID_HMACSHA256_SUPPORTED && - ($assoc == 'HMAC-SHA256')) { - $result[] = $pair; - } else if ($assoc != 'HMAC-SHA256') { - $result[] = $pair; - } - } - } - - return $result; -} - -function &Auth_OpenID_getDefaultNegotiator() -{ - $x = new Auth_OpenID_SessionNegotiator( - Auth_OpenID_getDefaultAssociationOrder()); - return $x; -} - -function &Auth_OpenID_getEncryptedNegotiator() -{ - $x = new Auth_OpenID_SessionNegotiator( - Auth_OpenID_getOnlyEncryptedOrder()); - return $x; -} - -/** - * A session negotiator controls the allowed and preferred association - * types and association session types. Both the {@link - * Auth_OpenID_Consumer} and {@link Auth_OpenID_Server} use - * negotiators when creating associations. - * - * You can create and use negotiators if you: - - * - Do not want to do Diffie-Hellman key exchange because you use - * transport-layer encryption (e.g. SSL) - * - * - Want to use only SHA-256 associations - * - * - Do not want to support plain-text associations over a non-secure - * channel - * - * It is up to you to set a policy for what kinds of associations to - * accept. By default, the library will make any kind of association - * that is allowed in the OpenID 2.0 specification. - * - * Use of negotiators in the library - * ================================= - * - * When a consumer makes an association request, it calls {@link - * getAllowedType} to get the preferred association type and - * association session type. - * - * The server gets a request for a particular association/session type - * and calls {@link isAllowed} to determine if it should create an - * association. If it is supported, negotiation is complete. If it is - * not, the server calls {@link getAllowedType} to get an allowed - * association type to return to the consumer. - * - * If the consumer gets an error response indicating that the - * requested association/session type is not supported by the server - * that contains an assocation/session type to try, it calls {@link - * isAllowed} to determine if it should try again with the given - * combination of association/session type. - * - * @package OpenID - */ -class Auth_OpenID_SessionNegotiator { - function Auth_OpenID_SessionNegotiator($allowed_types) - { - $this->allowed_types = array(); - $this->setAllowedTypes($allowed_types); - } - - /** - * Set the allowed association types, checking to make sure each - * combination is valid. - * - * @access private - */ - function setAllowedTypes($allowed_types) - { - foreach ($allowed_types as $pair) { - list($assoc_type, $session_type) = $pair; - if (!Auth_OpenID_checkSessionType($assoc_type, $session_type)) { - return false; - } - } - - $this->allowed_types = $allowed_types; - return true; - } - - /** - * Add an association type and session type to the allowed types - * list. The assocation/session pairs are tried in the order that - * they are added. - * - * @access private - */ - function addAllowedType($assoc_type, $session_type = null) - { - if ($this->allowed_types === null) { - $this->allowed_types = array(); - } - - if ($session_type === null) { - $available = Auth_OpenID_getSessionTypes($assoc_type); - - if (!$available) { - return false; - } - - foreach ($available as $session_type) { - $this->addAllowedType($assoc_type, $session_type); - } - } else { - if (Auth_OpenID_checkSessionType($assoc_type, $session_type)) { - $this->allowed_types[] = array($assoc_type, $session_type); - } else { - return false; - } - } - - return true; - } - - // Is this combination of association type and session type allowed? - function isAllowed($assoc_type, $session_type) - { - $assoc_good = in_array(array($assoc_type, $session_type), - $this->allowed_types); - - $matches = in_array($session_type, - Auth_OpenID_getSessionTypes($assoc_type)); - - return ($assoc_good && $matches); - } - - /** - * Get a pair of assocation type and session type that are - * supported. - */ - function getAllowedType() - { - if (!$this->allowed_types) { - return array(null, null); - } - - return $this->allowed_types[0]; - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/BigMath.php b/models/Auth.old/OpenID/BigMath.php deleted file mode 100644 index d99414e02..000000000 --- a/models/Auth.old/OpenID/BigMath.php +++ /dev/null @@ -1,471 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * Needed for random number generation - */ -require_once 'Auth/OpenID/CryptUtil.php'; - -/** - * Need Auth_OpenID::bytes(). - */ -require_once 'Auth/OpenID.php'; - -/** - * The superclass of all big-integer math implementations - * @access private - * @package OpenID - */ -class Auth_OpenID_MathLibrary { - /** - * Given a long integer, returns the number converted to a binary - * string. This function accepts long integer values of arbitrary - * magnitude and uses the local large-number math library when - * available. - * - * @param integer $long The long number (can be a normal PHP - * integer or a number created by one of the available long number - * libraries) - * @return string $binary The binary version of $long - */ - function longToBinary($long) - { - $cmp = $this->cmp($long, 0); - if ($cmp < 0) { - $msg = __FUNCTION__ . " takes only positive integers."; - trigger_error($msg, E_USER_ERROR); - return null; - } - - if ($cmp == 0) { - return "\x00"; - } - - $bytes = array(); - - while ($this->cmp($long, 0) > 0) { - array_unshift($bytes, $this->mod($long, 256)); - $long = $this->div($long, pow(2, 8)); - } - - if ($bytes && ($bytes[0] > 127)) { - array_unshift($bytes, 0); - } - - $string = ''; - foreach ($bytes as $byte) { - $string .= pack('C', $byte); - } - - return $string; - } - - /** - * Given a binary string, returns the binary string converted to a - * long number. - * - * @param string $binary The binary version of a long number, - * probably as a result of calling longToBinary - * @return integer $long The long number equivalent of the binary - * string $str - */ - function binaryToLong($str) - { - if ($str === null) { - return null; - } - - // Use array_merge to return a zero-indexed array instead of a - // one-indexed array. - $bytes = array_merge(unpack('C*', $str)); - - $n = $this->init(0); - - if ($bytes && ($bytes[0] > 127)) { - trigger_error("bytesToNum works only for positive integers.", - E_USER_WARNING); - return null; - } - - foreach ($bytes as $byte) { - $n = $this->mul($n, pow(2, 8)); - $n = $this->add($n, $byte); - } - - return $n; - } - - function base64ToLong($str) - { - $b64 = base64_decode($str); - - if ($b64 === false) { - return false; - } - - return $this->binaryToLong($b64); - } - - function longToBase64($str) - { - return base64_encode($this->longToBinary($str)); - } - - /** - * Returns a random number in the specified range. This function - * accepts $start, $stop, and $step values of arbitrary magnitude - * and will utilize the local large-number math library when - * available. - * - * @param integer $start The start of the range, or the minimum - * random number to return - * @param integer $stop The end of the range, or the maximum - * random number to return - * @param integer $step The step size, such that $result - ($step - * * N) = $start for some N - * @return integer $result The resulting randomly-generated number - */ - function rand($stop) - { - static $duplicate_cache = array(); - - // Used as the key for the duplicate cache - $rbytes = $this->longToBinary($stop); - - if (array_key_exists($rbytes, $duplicate_cache)) { - list($duplicate, $nbytes) = $duplicate_cache[$rbytes]; - } else { - if ($rbytes[0] == "\x00") { - $nbytes = Auth_OpenID::bytes($rbytes) - 1; - } else { - $nbytes = Auth_OpenID::bytes($rbytes); - } - - $mxrand = $this->pow(256, $nbytes); - - // If we get a number less than this, then it is in the - // duplicated range. - $duplicate = $this->mod($mxrand, $stop); - - if (count($duplicate_cache) > 10) { - $duplicate_cache = array(); - } - - $duplicate_cache[$rbytes] = array($duplicate, $nbytes); - } - - do { - $bytes = "\x00" . Auth_OpenID_CryptUtil::getBytes($nbytes); - $n = $this->binaryToLong($bytes); - // Keep looping if this value is in the low duplicated range - } while ($this->cmp($n, $duplicate) < 0); - - return $this->mod($n, $stop); - } -} - -/** - * Exposes BCmath math library functionality. - * - * {@link Auth_OpenID_BcMathWrapper} wraps the functionality provided - * by the BCMath extension. - * - * @access private - * @package OpenID - */ -class Auth_OpenID_BcMathWrapper extends Auth_OpenID_MathLibrary{ - var $type = 'bcmath'; - - function add($x, $y) - { - return bcadd($x, $y); - } - - function sub($x, $y) - { - return bcsub($x, $y); - } - - function pow($base, $exponent) - { - return bcpow($base, $exponent); - } - - function cmp($x, $y) - { - return bccomp($x, $y); - } - - function init($number, $base = 10) - { - return $number; - } - - function mod($base, $modulus) - { - return bcmod($base, $modulus); - } - - function mul($x, $y) - { - return bcmul($x, $y); - } - - function div($x, $y) - { - return bcdiv($x, $y); - } - - /** - * Same as bcpowmod when bcpowmod is missing - * - * @access private - */ - function _powmod($base, $exponent, $modulus) - { - $square = $this->mod($base, $modulus); - $result = 1; - while($this->cmp($exponent, 0) > 0) { - if ($this->mod($exponent, 2)) { - $result = $this->mod($this->mul($result, $square), $modulus); - } - $square = $this->mod($this->mul($square, $square), $modulus); - $exponent = $this->div($exponent, 2); - } - return $result; - } - - function powmod($base, $exponent, $modulus) - { - if (function_exists('bcpowmod')) { - return bcpowmod($base, $exponent, $modulus); - } else { - return $this->_powmod($base, $exponent, $modulus); - } - } - - function toString($num) - { - return $num; - } -} - -/** - * Exposes GMP math library functionality. - * - * {@link Auth_OpenID_GmpMathWrapper} wraps the functionality provided - * by the GMP extension. - * - * @access private - * @package OpenID - */ -class Auth_OpenID_GmpMathWrapper extends Auth_OpenID_MathLibrary{ - var $type = 'gmp'; - - function add($x, $y) - { - return gmp_add($x, $y); - } - - function sub($x, $y) - { - return gmp_sub($x, $y); - } - - function pow($base, $exponent) - { - return gmp_pow($base, $exponent); - } - - function cmp($x, $y) - { - return gmp_cmp($x, $y); - } - - function init($number, $base = 10) - { - return gmp_init($number, $base); - } - - function mod($base, $modulus) - { - return gmp_mod($base, $modulus); - } - - function mul($x, $y) - { - return gmp_mul($x, $y); - } - - function div($x, $y) - { - return gmp_div_q($x, $y); - } - - function powmod($base, $exponent, $modulus) - { - return gmp_powm($base, $exponent, $modulus); - } - - function toString($num) - { - return gmp_strval($num); - } -} - -/** - * Define the supported extensions. An extension array has keys - * 'modules', 'extension', and 'class'. 'modules' is an array of PHP - * module names which the loading code will attempt to load. These - * values will be suffixed with a library file extension (e.g. ".so"). - * 'extension' is the name of a PHP extension which will be tested - * before 'modules' are loaded. 'class' is the string name of a - * {@link Auth_OpenID_MathWrapper} subclass which should be - * instantiated if a given extension is present. - * - * You can define new math library implementations and add them to - * this array. - */ -function Auth_OpenID_math_extensions() -{ - $result = array(); - - if (!defined('Auth_OpenID_BUGGY_GMP')) { - $result[] = - array('modules' => array('gmp', 'php_gmp'), - 'extension' => 'gmp', - 'class' => 'Auth_OpenID_GmpMathWrapper'); - } - - $result[] = array( - 'modules' => array('bcmath', 'php_bcmath'), - 'extension' => 'bcmath', - 'class' => 'Auth_OpenID_BcMathWrapper'); - - return $result; -} - -/** - * Detect which (if any) math library is available - */ -function Auth_OpenID_detectMathLibrary($exts) -{ - $loaded = false; - - foreach ($exts as $extension) { - // See if the extension specified is already loaded. - if ($extension['extension'] && - extension_loaded($extension['extension'])) { - $loaded = true; - } - - // Try to load dynamic modules. - if (!$loaded) { - foreach ($extension['modules'] as $module) { - if (dl($module . "." . PHP_SHLIB_SUFFIX)) { - $loaded = true; - break; - } - } - } - - // If the load succeeded, supply an instance of - // Auth_OpenID_MathWrapper which wraps the specified - // module's functionality. - if ($loaded) { - return $extension; - } - } - - return false; -} - -/** - * {@link Auth_OpenID_getMathLib} checks for the presence of long - * number extension modules and returns an instance of - * {@link Auth_OpenID_MathWrapper} which exposes the module's - * functionality. - * - * Checks for the existence of an extension module described by the - * result of {@link Auth_OpenID_math_extensions()} and returns an - * instance of a wrapper for that extension module. If no extension - * module is found, an instance of {@link Auth_OpenID_MathWrapper} is - * returned, which wraps the native PHP integer implementation. The - * proper calling convention for this method is $lib =& - * Auth_OpenID_getMathLib(). - * - * This function checks for the existence of specific long number - * implementations in the following order: GMP followed by BCmath. - * - * @return Auth_OpenID_MathWrapper $instance An instance of - * {@link Auth_OpenID_MathWrapper} or one of its subclasses - * - * @package OpenID - */ -function &Auth_OpenID_getMathLib() -{ - // The instance of Auth_OpenID_MathWrapper that we choose to - // supply will be stored here, so that subseqent calls to this - // method will return a reference to the same object. - static $lib = null; - - if (isset($lib)) { - return $lib; - } - - if (Auth_OpenID_noMathSupport()) { - $null = null; - return $null; - } - - // If this method has not been called before, look at - // Auth_OpenID_math_extensions and try to find an extension that - // works. - $ext = Auth_OpenID_detectMathLibrary(Auth_OpenID_math_extensions()); - if ($ext === false) { - $tried = array(); - foreach (Auth_OpenID_math_extensions() as $extinfo) { - $tried[] = $extinfo['extension']; - } - $triedstr = implode(", ", $tried); - - Auth_OpenID_setNoMathSupport(); - - $result = null; - return $result; - } - - // Instantiate a new wrapper - $class = $ext['class']; - $lib = new $class(); - - return $lib; -} - -function Auth_OpenID_setNoMathSupport() -{ - if (!defined('Auth_OpenID_NO_MATH_SUPPORT')) { - define('Auth_OpenID_NO_MATH_SUPPORT', true); - } -} - -function Auth_OpenID_noMathSupport() -{ - return defined('Auth_OpenID_NO_MATH_SUPPORT'); -} - -?> diff --git a/models/Auth.old/OpenID/Consumer.php b/models/Auth.old/OpenID/Consumer.php deleted file mode 100644 index 47ee61e8f..000000000 --- a/models/Auth.old/OpenID/Consumer.php +++ /dev/null @@ -1,2189 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * Require utility classes and functions for the consumer. - */ -require_once "Auth/OpenID.php"; -require_once "Auth/OpenID/Message.php"; -require_once "Auth/OpenID/HMACSHA1.php"; -require_once "Auth/OpenID/Association.php"; -require_once "Auth/OpenID/CryptUtil.php"; -require_once "Auth/OpenID/DiffieHellman.php"; -require_once "Auth/OpenID/KVForm.php"; -require_once "Auth/OpenID/Nonce.php"; -require_once "Auth/OpenID/Discover.php"; -require_once "Auth/Yadis/Manager.php"; -require_once "Auth/Yadis/XRI.php"; - -/** - * This is the status code returned when the complete method returns - * successfully. - */ -define('Auth_OpenID_SUCCESS', 'success'); - -/** - * Status to indicate cancellation of OpenID authentication. - */ -define('Auth_OpenID_CANCEL', 'cancel'); - -/** - * This is the status code completeAuth returns when the value it - * received indicated an invalid login. - */ -define('Auth_OpenID_FAILURE', 'failure'); - -/** - * This is the status code completeAuth returns when the - * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the - * identity server sends back a URL to send the user to to complete his - * or her login. - */ -define('Auth_OpenID_SETUP_NEEDED', 'setup needed'); - -/** - * This is the status code beginAuth returns when the page fetched - * from the entered OpenID URL doesn't contain the necessary link tags - * to function as an identity page. - */ -define('Auth_OpenID_PARSE_ERROR', 'parse error'); - -/** - * An OpenID consumer implementation that performs discovery and does - * session management. See the Consumer.php file documentation for - * more information. - * - * @package OpenID - */ -class Auth_OpenID_Consumer { - - /** - * @access private - */ - var $discoverMethod = 'Auth_OpenID_discover'; - - /** - * @access private - */ - var $session_key_prefix = "_openid_consumer_"; - - /** - * @access private - */ - var $_token_suffix = "last_token"; - - /** - * Initialize a Consumer instance. - * - * You should create a new instance of the Consumer object with - * every HTTP request that handles OpenID transactions. - * - * @param Auth_OpenID_OpenIDStore $store This must be an object - * that implements the interface in {@link - * Auth_OpenID_OpenIDStore}. Several concrete implementations are - * provided, to cover most common use cases. For stores backed by - * MySQL, PostgreSQL, or SQLite, see the {@link - * Auth_OpenID_SQLStore} class and its sublcasses. For a - * filesystem-backed store, see the {@link Auth_OpenID_FileStore} - * module. As a last resort, if it isn't possible for the server - * to store state at all, an instance of {@link - * Auth_OpenID_DumbStore} can be used. - * - * @param mixed $session An object which implements the interface - * of the {@link Auth_Yadis_PHPSession} class. Particularly, this - * object is expected to have these methods: get($key), set($key), - * $value), and del($key). This defaults to a session object - * which wraps PHP's native session machinery. You should only - * need to pass something here if you have your own sessioning - * implementation. - * - * @param str $consumer_cls The name of the class to instantiate - * when creating the internal consumer object. This is used for - * testing. - */ - function Auth_OpenID_Consumer(&$store, $session = null, - $consumer_cls = null) - { - if ($session === null) { - $session = new Auth_Yadis_PHPSession(); - } - - $this->session =& $session; - - if ($consumer_cls !== null) { - $this->consumer =& new $consumer_cls($store); - } else { - $this->consumer =& new Auth_OpenID_GenericConsumer($store); - } - - $this->_token_key = $this->session_key_prefix . $this->_token_suffix; - } - - /** - * Used in testing to define the discovery mechanism. - * - * @access private - */ - function getDiscoveryObject(&$session, $openid_url, - $session_key_prefix) - { - return new Auth_Yadis_Discovery($session, $openid_url, - $session_key_prefix); - } - - /** - * Start the OpenID authentication process. See steps 1-2 in the - * overview at the top of this file. - * - * @param string $user_url Identity URL given by the user. This - * method performs a textual transformation of the URL to try and - * make sure it is normalized. For example, a user_url of - * example.com will be normalized to http://example.com/ - * normalizing and resolving any redirects the server might issue. - * - * @param bool $anonymous True if the OpenID request is to be sent - * to the server without any identifier information. Use this - * when you want to transport data but don't want to do OpenID - * authentication with identifiers. - * - * @return Auth_OpenID_AuthRequest $auth_request An object - * containing the discovered information will be returned, with a - * method for building a redirect URL to the server, as described - * in step 3 of the overview. This object may also be used to add - * extension arguments to the request, using its 'addExtensionArg' - * method. - */ - function begin($user_url, $anonymous=false) - { - $openid_url = $user_url; - - $disco = $this->getDiscoveryObject($this->session, - $openid_url, - $this->session_key_prefix); - - // Set the 'stale' attribute of the manager. If discovery - // fails in a fatal way, the stale flag will cause the manager - // to be cleaned up next time discovery is attempted. - - $m = $disco->getManager(); - $loader = new Auth_Yadis_ManagerLoader(); - - if ($m) { - if ($m->stale) { - $disco->destroyManager(); - } else { - $m->stale = true; - $disco->session->set($disco->session_key, - serialize($loader->toSession($m))); - } - } - - $endpoint = $disco->getNextService($this->discoverMethod, - $this->consumer->fetcher); - - // Reset the 'stale' attribute of the manager. - $m =& $disco->getManager(); - if ($m) { - $m->stale = false; - $disco->session->set($disco->session_key, - serialize($loader->toSession($m))); - } - - if ($endpoint === null) { - return null; - } else { - return $this->beginWithoutDiscovery($endpoint, - $anonymous); - } - } - - /** - * Start OpenID verification without doing OpenID server - * discovery. This method is used internally by Consumer.begin - * after discovery is performed, and exists to provide an - * interface for library users needing to perform their own - * discovery. - * - * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service - * endpoint descriptor. - * - * @param bool anonymous Set to true if you want to perform OpenID - * without identifiers. - * - * @return Auth_OpenID_AuthRequest $auth_request An OpenID - * authentication request object. - */ - function &beginWithoutDiscovery($endpoint, $anonymous=false) - { - $loader = new Auth_OpenID_ServiceEndpointLoader(); - $auth_req = $this->consumer->begin($endpoint); - $this->session->set($this->_token_key, - $loader->toSession($auth_req->endpoint)); - if (!$auth_req->setAnonymous($anonymous)) { - return new Auth_OpenID_FailureResponse(null, - "OpenID 1 requests MUST include the identifier " . - "in the request."); - } - return $auth_req; - } - - /** - * Called to interpret the server's response to an OpenID - * request. It is called in step 4 of the flow described in the - * consumer overview. - * - * @param array $query An array of the query parameters (key => - * value pairs) for this HTTP request. Defaults to null. If - * null, the GET or POST data are automatically gotten from the - * PHP environment. It is only useful to override $query for - * testing. - * - * @return Auth_OpenID_ConsumerResponse $response A instance of an - * Auth_OpenID_ConsumerResponse subclass. The type of response is - * indicated by the status attribute, which will be one of - * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED. - */ - function complete($return_to, $query=null) - { - if ($return_to && !is_string($return_to)) { - // This is ugly, but we need to complain loudly when - // someone uses the API incorrectly. - trigger_error("return_to must be a string; see NEWS file " . - "for upgrading notes.", - E_USER_ERROR); - } - - if ($query === null) { - $query = Auth_OpenID::getQuery(); - } - - $loader = new Auth_OpenID_ServiceEndpointLoader(); - $endpoint_data = $this->session->get($this->_token_key); - $endpoint = - $loader->fromSession($endpoint_data); - - $message = Auth_OpenID_Message::fromPostArgs($query); - $response = $this->consumer->complete($message, $endpoint, $return_to); - $this->session->del($this->_token_key); - - if (in_array($response->status, array(Auth_OpenID_SUCCESS, - Auth_OpenID_CANCEL))) { - if ($response->identity_url !== null) { - $disco = $this->getDiscoveryObject($this->session, - $response->identity_url, - $this->session_key_prefix); - $disco->cleanup(true); - } - } - - return $response; - } -} - -/** - * A class implementing HMAC/DH-SHA1 consumer sessions. - * - * @package OpenID - */ -class Auth_OpenID_DiffieHellmanSHA1ConsumerSession { - var $session_type = 'DH-SHA1'; - var $hash_func = 'Auth_OpenID_SHA1'; - var $secret_size = 20; - var $allowed_assoc_types = array('HMAC-SHA1'); - - function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null) - { - if ($dh === null) { - $dh = new Auth_OpenID_DiffieHellman(); - } - - $this->dh = $dh; - } - - function getRequest() - { - $math =& Auth_OpenID_getMathLib(); - - $cpub = $math->longToBase64($this->dh->public); - - $args = array('dh_consumer_public' => $cpub); - - if (!$this->dh->usingDefaultValues()) { - $args = array_merge($args, array( - 'dh_modulus' => - $math->longToBase64($this->dh->mod), - 'dh_gen' => - $math->longToBase64($this->dh->gen))); - } - - return $args; - } - - function extractSecret($response) - { - if (!$response->hasKey(Auth_OpenID_OPENID_NS, - 'dh_server_public')) { - return null; - } - - if (!$response->hasKey(Auth_OpenID_OPENID_NS, - 'enc_mac_key')) { - return null; - } - - $math =& Auth_OpenID_getMathLib(); - - $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS, - 'dh_server_public')); - $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS, - 'enc_mac_key')); - - return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func); - } -} - -/** - * A class implementing HMAC/DH-SHA256 consumer sessions. - * - * @package OpenID - */ -class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends - Auth_OpenID_DiffieHellmanSHA1ConsumerSession { - var $session_type = 'DH-SHA256'; - var $hash_func = 'Auth_OpenID_SHA256'; - var $secret_size = 32; - var $allowed_assoc_types = array('HMAC-SHA256'); -} - -/** - * A class implementing plaintext consumer sessions. - * - * @package OpenID - */ -class Auth_OpenID_PlainTextConsumerSession { - var $session_type = 'no-encryption'; - var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); - - function getRequest() - { - return array(); - } - - function extractSecret($response) - { - if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) { - return null; - } - - return base64_decode($response->getArg(Auth_OpenID_OPENID_NS, - 'mac_key')); - } -} - -/** - * Returns available session types. - */ -function Auth_OpenID_getAvailableSessionTypes() -{ - $types = array( - 'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession', - 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession', - 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession'); - - return $types; -} - -/** - * This class is the interface to the OpenID consumer logic. - * Instances of it maintain no per-request state, so they can be - * reused (or even used by multiple threads concurrently) as needed. - * - * @package OpenID - */ -class Auth_OpenID_GenericConsumer { - /** - * @access private - */ - var $discoverMethod = 'Auth_OpenID_discover'; - - /** - * This consumer's store object. - */ - var $store; - - /** - * @access private - */ - var $_use_assocs; - - /** - * @access private - */ - var $openid1_nonce_query_arg_name = 'janrain_nonce'; - - /** - * Another query parameter that gets added to the return_to for - * OpenID 1; if the user's session state is lost, use this claimed - * identifier to do discovery when verifying the response. - */ - var $openid1_return_to_identifier_name = 'openid1_claimed_id'; - - /** - * This method initializes a new {@link Auth_OpenID_Consumer} - * instance to access the library. - * - * @param Auth_OpenID_OpenIDStore $store This must be an object - * that implements the interface in {@link Auth_OpenID_OpenIDStore}. - * Several concrete implementations are provided, to cover most common use - * cases. For stores backed by MySQL, PostgreSQL, or SQLite, see - * the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a - * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module. - * As a last resort, if it isn't possible for the server to store - * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used. - * - * @param bool $immediate This is an optional boolean value. It - * controls whether the library uses immediate mode, as explained - * in the module description. The default value is False, which - * disables immediate mode. - */ - function Auth_OpenID_GenericConsumer(&$store) - { - $this->store =& $store; - $this->negotiator =& Auth_OpenID_getDefaultNegotiator(); - $this->_use_assocs = ($this->store ? true : false); - - $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); - - $this->session_types = Auth_OpenID_getAvailableSessionTypes(); - } - - /** - * Called to begin OpenID authentication using the specified - * {@link Auth_OpenID_ServiceEndpoint}. - * - * @access private - */ - function begin($service_endpoint) - { - $assoc = $this->_getAssociation($service_endpoint); - $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); - $r->return_to_args[$this->openid1_nonce_query_arg_name] = - Auth_OpenID_mkNonce(); - - if ($r->message->isOpenID1()) { - $r->return_to_args[$this->openid1_return_to_identifier_name] = - $r->endpoint->claimed_id; - } - - return $r; - } - - /** - * Given an {@link Auth_OpenID_Message}, {@link - * Auth_OpenID_ServiceEndpoint} and optional return_to URL, - * complete OpenID authentication. - * - * @access private - */ - function complete($message, $endpoint, $return_to) - { - $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', - ''); - - $mode_methods = array( - 'cancel' => '_complete_cancel', - 'error' => '_complete_error', - 'setup_needed' => '_complete_setup_needed', - 'id_res' => '_complete_id_res', - ); - - $method = Auth_OpenID::arrayGet($mode_methods, $mode, - '_completeInvalid'); - - return call_user_func_array(array(&$this, $method), - array($message, $endpoint, $return_to)); - } - - /** - * @access private - */ - function _completeInvalid($message, &$endpoint, $unused) - { - $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', - ''); - - return new Auth_OpenID_FailureResponse($endpoint, - sprintf("Invalid openid.mode '%s'", $mode)); - } - - /** - * @access private - */ - function _complete_cancel($message, &$endpoint, $unused) - { - return new Auth_OpenID_CancelResponse($endpoint); - } - - /** - * @access private - */ - function _complete_error($message, &$endpoint, $unused) - { - $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error'); - $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact'); - $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference'); - - return new Auth_OpenID_FailureResponse($endpoint, $error, - $contact, $reference); - } - - /** - * @access private - */ - function _complete_setup_needed($message, &$endpoint, $unused) - { - if (!$message->isOpenID2()) { - return $this->_completeInvalid($message, $endpoint); - } - - return new Auth_OpenID_SetupNeededResponse($endpoint); - } - - /** - * @access private - */ - function _complete_id_res($message, &$endpoint, $return_to) - { - $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, - 'user_setup_url'); - - if ($this->_checkSetupNeeded($message)) { - return SetupNeededResponse($endpoint, $user_setup_url); - } else { - return $this->_doIdRes($message, $endpoint, $return_to); - } - } - - /** - * @access private - */ - function _checkSetupNeeded($message) - { - // In OpenID 1, we check to see if this is a cancel from - // immediate mode by the presence of the user_setup_url - // parameter. - if ($message->isOpenID1()) { - $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, - 'user_setup_url'); - if ($user_setup_url !== null) { - return true; - } - } - - return false; - } - - /** - * @access private - */ - function _doIdRes($message, $endpoint, $return_to) - { - // Checks for presence of appropriate fields (and checks - // signed list fields) - $result = $this->_idResCheckForFields($message); - - if (Auth_OpenID::isFailure($result)) { - return $result; - } - - if (!$this->_checkReturnTo($message, $return_to)) { - return new Auth_OpenID_FailureResponse(null, - sprintf("return_to does not match return URL. Expected %s, got %s", - $return_to, - $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'))); - } - - // Verify discovery information: - $result = $this->_verifyDiscoveryResults($message, $endpoint); - - if (Auth_OpenID::isFailure($result)) { - return $result; - } - - $endpoint = $result; - - $result = $this->_idResCheckSignature($message, - $endpoint->server_url); - - if (Auth_OpenID::isFailure($result)) { - return $result; - } - - $result = $this->_idResCheckNonce($message, $endpoint); - - if (Auth_OpenID::isFailure($result)) { - return $result; - } - - $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', - Auth_OpenID_NO_DEFAULT); - $signed_list = explode(',', $signed_list_str); - - $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid."); - - return new Auth_OpenID_SuccessResponse($endpoint, $message, - $signed_fields); - - } - - /** - * @access private - */ - function _checkReturnTo($message, $return_to) - { - // Check an OpenID message and its openid.return_to value - // against a return_to URL from an application. Return True - // on success, False on failure. - - // Check the openid.return_to args against args in the - // original message. - $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs( - $message->toPostArgs()); - if (Auth_OpenID::isFailure($result)) { - return false; - } - - // Check the return_to base URL against the one in the - // message. - $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, - 'return_to'); - - $return_to_parts = parse_url($return_to); - $msg_return_to_parts = parse_url($msg_return_to); - - // If port is absent from both, add it so it's equal in the - // check below. - if ((!array_key_exists('port', $return_to_parts)) && - (!array_key_exists('port', $msg_return_to_parts))) { - $return_to_parts['port'] = null; - $msg_return_to_parts['port'] = null; - } - - // If path is absent from both, add it so it's equal in the - // check below. - if ((!array_key_exists('path', $return_to_parts)) && - (!array_key_exists('path', $msg_return_to_parts))) { - $return_to_parts['path'] = null; - $msg_return_to_parts['path'] = null; - } - - // The URL scheme, authority, and path MUST be the same - // between the two URLs. - foreach (array('scheme', 'host', 'port', 'path') as $component) { - // If the url component is absent in either URL, fail. - // There should always be a scheme, host, port, and path. - if (!array_key_exists($component, $return_to_parts)) { - return false; - } - - if (!array_key_exists($component, $msg_return_to_parts)) { - return false; - } - - if (Auth_OpenID::arrayGet($return_to_parts, $component) !== - Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { - return false; - } - } - - return true; - } - - /** - * @access private - */ - function _verifyReturnToArgs($query) - { - // Verify that the arguments in the return_to URL are present in this - // response. - - $message = Auth_OpenID_Message::fromPostArgs($query); - $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); - - // XXX: this should be checked by _idResCheckForFields - if (!$return_to) { - return new Auth_OpenID_FailureResponse(null, - "Response has no return_to"); - } - - $parsed_url = parse_url($return_to); - - $q = array(); - if (array_key_exists('query', $parsed_url)) { - $rt_query = $parsed_url['query']; - $q = Auth_OpenID::parse_str($rt_query); - } - - foreach ($q as $rt_key => $rt_value) { - if (!array_key_exists($rt_key, $query)) { - return new Auth_OpenID_FailureResponse(null, - sprintf("return_to parameter %s absent from query", $rt_key)); - } else { - $value = $query[$rt_key]; - if ($rt_value != $value) { - return new Auth_OpenID_FailureResponse(null, - sprintf("parameter %s value %s does not match " . - "return_to value %s", $rt_key, - $value, $rt_value)); - } - } - } - - // Make sure all non-OpenID arguments in the response are also - // in the signed return_to. - $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); - foreach ($bare_args as $key => $value) { - if (Auth_OpenID::arrayGet($q, $key) != $value) { - return new Auth_OpenID_FailureResponse(null, - sprintf("Parameter %s = %s not in return_to URL", - $key, $value)); - } - } - - return true; - } - - /** - * @access private - */ - function _idResCheckSignature($message, $server_url) - { - $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, - 'assoc_handle'); - - $assoc = $this->store->getAssociation($server_url, $assoc_handle); - - if ($assoc) { - if ($assoc->getExpiresIn() <= 0) { - // XXX: It might be a good idea sometimes to re-start - // the authentication with a new association. Doing it - // automatically opens the possibility for - // denial-of-service by a server that just returns - // expired associations (or really short-lived - // associations) - return new Auth_OpenID_FailureResponse(null, - 'Association with ' . $server_url . ' expired'); - } - - if (!$assoc->checkMessageSignature($message)) { - return new Auth_OpenID_FailureResponse(null, - "Bad signature"); - } - } else { - // It's not an association we know about. Stateless mode - // is our only possible path for recovery. XXX - async - // framework will not want to block on this call to - // _checkAuth. - if (!$this->_checkAuth($message, $server_url)) { - return new Auth_OpenID_FailureResponse(null, - "Server denied check_authentication"); - } - } - - return null; - } - - /** - * @access private - */ - function _verifyDiscoveryResults($message, $endpoint=null) - { - if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) { - return $this->_verifyDiscoveryResultsOpenID2($message, - $endpoint); - } else { - return $this->_verifyDiscoveryResultsOpenID1($message, - $endpoint); - } - } - - /** - * @access private - */ - function _verifyDiscoveryResultsOpenID1($message, $endpoint) - { - $claimed_id = $message->getArg(Auth_OpenID_BARE_NS, - $this->openid1_return_to_identifier_name); - - if (($endpoint === null) && ($claimed_id === null)) { - return new Auth_OpenID_FailureResponse($endpoint, - 'When using OpenID 1, the claimed ID must be supplied, ' . - 'either by passing it through as a return_to parameter ' . - 'or by using a session, and supplied to the GenericConsumer ' . - 'as the argument to complete()'); - } else if (($endpoint !== null) && ($claimed_id === null)) { - $claimed_id = $endpoint->claimed_id; - } - - $to_match = new Auth_OpenID_ServiceEndpoint(); - $to_match->type_uris = array(Auth_OpenID_TYPE_1_1); - $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS, - 'identity'); - - // Restore delegate information from the initiation phase - $to_match->claimed_id = $claimed_id; - - if ($to_match->local_id === null) { - return new Auth_OpenID_FailureResponse($endpoint, - "Missing required field openid.identity"); - } - - $to_match_1_0 = $to_match->copy(); - $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0); - - if ($endpoint !== null) { - $result = $this->_verifyDiscoverySingle($endpoint, $to_match); - - if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { - $result = $this->_verifyDiscoverySingle($endpoint, - $to_match_1_0); - } - - if (Auth_OpenID::isFailure($result)) { - // oidutil.log("Error attempting to use stored - // discovery information: " + str(e)) - // oidutil.log("Attempting discovery to - // verify endpoint") - } else { - return $endpoint; - } - } - - // Endpoint is either bad (failed verification) or None - $result = $this->_discoverAndVerify($to_match); - - if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { - return $this->_discoverAndVerify($to_match_1_0); - } else { - return $result; - } - } - - /** - * @access private - */ - function _verifyDiscoverySingle($endpoint, $to_match) - { - // Every type URI that's in the to_match endpoint has to be - // present in the discovered endpoint. - foreach ($to_match->type_uris as $type_uri) { - if (!$endpoint->usesExtension($type_uri)) { - return new Auth_OpenID_TypeURIMismatch($endpoint, - "Required type ".$type_uri." not present"); - } - } - - // Fragments do not influence discovery, so we can't compare a - // claimed identifier with a fragment to discovered - // information. - list($defragged_claimed_id, $_) = - Auth_OpenID::urldefrag($to_match->claimed_id); - - if ($defragged_claimed_id != $endpoint->claimed_id) { - return new Auth_OpenID_FailureResponse($endpoint, - sprintf('Claimed ID does not match (different subjects!), ' . - 'Expected %s, got %s', $defragged_claimed_id, - $endpoint->claimed_id)); - } - - if ($to_match->getLocalID() != $endpoint->getLocalID()) { - return new Auth_OpenID_FailureResponse($endpoint, - sprintf('local_id mismatch. Expected %s, got %s', - $to_match->getLocalID(), $endpoint->getLocalID())); - } - - // If the server URL is None, this must be an OpenID 1 - // response, because op_endpoint is a required parameter in - // OpenID 2. In that case, we don't actually care what the - // discovered server_url is, because signature checking or - // check_auth should take care of that check for us. - if ($to_match->server_url === null) { - if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) { - return new Auth_OpenID_FailureResponse($endpoint, - "Preferred namespace mismatch (bug)"); - } - } else if ($to_match->server_url != $endpoint->server_url) { - return new Auth_OpenID_FailureResponse($endpoint, - sprintf('OP Endpoint mismatch. Expected %s, got %s', - $to_match->server_url, $endpoint->server_url)); - } - - return null; - } - - /** - * @access private - */ - function _verifyDiscoveryResultsOpenID2($message, $endpoint) - { - $to_match = new Auth_OpenID_ServiceEndpoint(); - $to_match->type_uris = array(Auth_OpenID_TYPE_2_0); - $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, - 'claimed_id'); - - $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS, - 'identity'); - - $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS, - 'op_endpoint'); - - if ($to_match->server_url === null) { - return new Auth_OpenID_FailureResponse($endpoint, - "OP Endpoint URL missing"); - } - - // claimed_id and identifier must both be present or both be - // absent - if (($to_match->claimed_id === null) && - ($to_match->local_id !== null)) { - return new Auth_OpenID_FailureResponse($endpoint, - 'openid.identity is present without openid.claimed_id'); - } - - if (($to_match->claimed_id !== null) && - ($to_match->local_id === null)) { - return new Auth_OpenID_FailureResponse($endpoint, - 'openid.claimed_id is present without openid.identity'); - } - - if ($to_match->claimed_id === null) { - // This is a response without identifiers, so there's - // really no checking that we can do, so return an - // endpoint that's for the specified `openid.op_endpoint' - return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL( - $to_match->server_url); - } - - if (!$endpoint) { - // The claimed ID doesn't match, so we have to do - // discovery again. This covers not using sessions, OP - // identifier endpoints and responses that didn't match - // the original request. - // oidutil.log('No pre-discovered information supplied.') - return $this->_discoverAndVerify($to_match); - } else { - - // The claimed ID matches, so we use the endpoint that we - // discovered in initiation. This should be the most - // common case. - $result = $this->_verifyDiscoverySingle($endpoint, $to_match); - - if (Auth_OpenID::isFailure($result)) { - $endpoint = $this->_discoverAndVerify($to_match); - - if (Auth_OpenID::isFailure($endpoint)) { - return $endpoint; - } - } - } - - // The endpoint we return should have the claimed ID from the - // message we just verified, fragment and all. - if ($endpoint->claimed_id != $to_match->claimed_id) { - $endpoint->claimed_id = $to_match->claimed_id; - } - - return $endpoint; - } - - /** - * @access private - */ - function _discoverAndVerify($to_match) - { - // oidutil.log('Performing discovery on %s' % (to_match.claimed_id,)) - list($unused, $services) = call_user_func($this->discoverMethod, - $to_match->claimed_id, - $this->fetcher); - - if (!$services) { - return new Auth_OpenID_FailureResponse(null, - sprintf("No OpenID information found at %s", - $to_match->claimed_id)); - } - - return $this->_verifyDiscoveryServices($services, $to_match); - } - - /** - * @access private - */ - function _verifyDiscoveryServices(&$services, &$to_match) - { - // Search the services resulting from discovery to find one - // that matches the information from the assertion - - foreach ($services as $endpoint) { - $result = $this->_verifyDiscoverySingle($endpoint, $to_match); - - if (!Auth_OpenID::isFailure($result)) { - // It matches, so discover verification has - // succeeded. Return this endpoint. - return $endpoint; - } - } - - return new Auth_OpenID_FailureResponse(null, - sprintf('No matching endpoint found after discovering %s', - $to_match->claimed_id)); - } - - /** - * Extract the nonce from an OpenID 1 response. Return the nonce - * from the BARE_NS since we independently check the return_to - * arguments are the same as those in the response message. - * - * See the openid1_nonce_query_arg_name class variable - * - * @returns $nonce The nonce as a string or null - * - * @access private - */ - function _idResGetNonceOpenID1($message, $endpoint) - { - return $message->getArg(Auth_OpenID_BARE_NS, - $this->openid1_nonce_query_arg_name); - } - - /** - * @access private - */ - function _idResCheckNonce($message, $endpoint) - { - if ($message->isOpenID1()) { - // This indicates that the nonce was generated by the consumer - $nonce = $this->_idResGetNonceOpenID1($message, $endpoint); - $server_url = ''; - } else { - $nonce = $message->getArg(Auth_OpenID_OPENID2_NS, - 'response_nonce'); - - $server_url = $endpoint->server_url; - } - - if ($nonce === null) { - return new Auth_OpenID_FailureResponse($endpoint, - "Nonce missing from response"); - } - - $parts = Auth_OpenID_splitNonce($nonce); - - if ($parts === null) { - return new Auth_OpenID_FailureResponse($endpoint, - "Malformed nonce in response"); - } - - list($timestamp, $salt) = $parts; - - if (!$this->store->useNonce($server_url, $timestamp, $salt)) { - return new Auth_OpenID_FailureResponse($endpoint, - "Nonce already used or out of range"); - } - - return null; - } - - /** - * @access private - */ - function _idResCheckForFields($message) - { - $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed'); - $basic_sig_fields = array('return_to', 'identity'); - - $require_fields = array( - Auth_OpenID_OPENID2_NS => array_merge($basic_fields, - array('op_endpoint')), - - Auth_OpenID_OPENID1_NS => array_merge($basic_fields, - array('identity')) - ); - - $require_sigs = array( - Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields, - array('response_nonce', - 'claimed_id', - 'assoc_handle')), - Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields, - array('nonce')) - ); - - foreach ($require_fields[$message->getOpenIDNamespace()] as $field) { - if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) { - return new Auth_OpenID_FailureResponse(null, - "Missing required field '".$field."'"); - } - } - - $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, - 'signed', - Auth_OpenID_NO_DEFAULT); - $signed_list = explode(',', $signed_list_str); - - foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) { - // Field is present and not in signed list - if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) && - (!in_array($field, $signed_list))) { - return new Auth_OpenID_FailureResponse(null, - "'".$field."' not signed"); - } - } - - return null; - } - - /** - * @access private - */ - function _checkAuth($message, $server_url) - { - $request = $this->_createCheckAuthRequest($message); - if ($request === null) { - return false; - } - - $resp_message = $this->_makeKVPost($request, $server_url); - if (($resp_message === null) || - (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) { - return false; - } - - return $this->_processCheckAuthResponse($resp_message, $server_url); - } - - /** - * @access private - */ - function _createCheckAuthRequest($message) - { - $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); - if ($signed === null) { - return null; - } - - $whitelist = array('assoc_handle', 'sig', - 'signed', 'invalidate_handle'); - - $check_args = array(); - - foreach ($whitelist as $k) { - $val = $message->getArg(Auth_OpenID_OPENID_NS, $k); - if ($val !== null) { - $check_args[$k] = $val; - } - } - - $signed = $message->getArg(Auth_OpenID_OPENID_NS, - 'signed'); - - if ($signed) { - foreach (explode(',', $signed) as $k) { - if ($k == 'ns') { - $check_args['ns'] = $message->getOpenIDNamespace(); - continue; - } - - $value = $message->getAliasedArg($k); - if ($value === null) { - return null; - } - - $check_args[$k] = $value; - } - } - - $check_args['mode'] = 'check_authentication'; - return Auth_OpenID_Message::fromOpenIDArgs($check_args); - } - - /** - * @access private - */ - function _processCheckAuthResponse($response, $server_url) - { - $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid', - 'false'); - - $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS, - 'invalidate_handle'); - - if ($invalidate_handle !== null) { - $this->store->removeAssociation($server_url, - $invalidate_handle); - } - - if ($is_valid == 'true') { - return true; - } - - return false; - } - - /** - * Adapt a POST response to a Message. - * - * @param $response Result of a POST to an OpenID endpoint. - * - * @access private - */ - function _httpResponseToMessage($response, $server_url) - { - // Should this function be named Message.fromHTTPResponse instead? - $response_message = Auth_OpenID_Message::fromKVForm($response->body); - - if ($response->status == 400) { - return Auth_OpenID_ServerErrorContainer::fromMessage( - $response_message); - } else if ($response->status != 200) { - return null; - } - - return $response_message; - } - - /** - * @access private - */ - function _makeKVPost($message, $server_url) - { - $body = $message->toURLEncoded(); - $resp = $this->fetcher->post($server_url, $body); - - if ($resp === null) { - return null; - } - - return $this->_httpResponseToMessage($resp, $server_url); - } - - /** - * @access private - */ - function _getAssociation($endpoint) - { - if (!$this->_use_assocs) { - return null; - } - - $assoc = $this->store->getAssociation($endpoint->server_url); - - if (($assoc === null) || - ($assoc->getExpiresIn() <= 0)) { - - $assoc = $this->_negotiateAssociation($endpoint); - - if ($assoc !== null) { - $this->store->storeAssociation($endpoint->server_url, - $assoc); - } - } - - return $assoc; - } - - /** - * Handle ServerErrors resulting from association requests. - * - * @return $result If server replied with an C{unsupported-type} - * error, return a tuple of supported C{association_type}, - * C{session_type}. Otherwise logs the error and returns null. - * - * @access private - */ - function _extractSupportedAssociationType(&$server_error, &$endpoint, - $assoc_type) - { - // Any error message whose code is not 'unsupported-type' - // should be considered a total failure. - if (($server_error->error_code != 'unsupported-type') || - ($server_error->message->isOpenID1())) { - return null; - } - - // The server didn't like the association/session type that we - // sent, and it sent us back a message that might tell us how - // to handle it. - - // Extract the session_type and assoc_type from the error - // message - $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, - 'assoc_type'); - - $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, - 'session_type'); - - if (($assoc_type === null) || ($session_type === null)) { - return null; - } else if (!$this->negotiator->isAllowed($assoc_type, - $session_type)) { - return null; - } else { - return array($assoc_type, $session_type); - } - } - - /** - * @access private - */ - function _negotiateAssociation($endpoint) - { - // Get our preferred session/association type from the negotiatior. - list($assoc_type, $session_type) = $this->negotiator->getAllowedType(); - - $assoc = $this->_requestAssociation( - $endpoint, $assoc_type, $session_type); - - if (Auth_OpenID::isFailure($assoc)) { - return null; - } - - if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { - $why = $assoc; - - $supportedTypes = $this->_extractSupportedAssociationType( - $why, $endpoint, $assoc_type); - - if ($supportedTypes !== null) { - list($assoc_type, $session_type) = $supportedTypes; - - // Attempt to create an association from the assoc_type - // and session_type that the server told us it - // supported. - $assoc = $this->_requestAssociation( - $endpoint, $assoc_type, $session_type); - - if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { - // Do not keep trying, since it rejected the - // association type that it told us to use. - // oidutil.log('Server %s refused its suggested association - // 'type: session_type=%s, assoc_type=%s' - // % (endpoint.server_url, session_type, - // assoc_type)) - return null; - } else { - return $assoc; - } - } else { - return null; - } - } else { - return $assoc; - } - } - - /** - * @access private - */ - function _requestAssociation($endpoint, $assoc_type, $session_type) - { - list($assoc_session, $args) = $this->_createAssociateRequest( - $endpoint, $assoc_type, $session_type); - - $response_message = $this->_makeKVPost($args, $endpoint->server_url); - - if ($response_message === null) { - // oidutil.log('openid.associate request failed: %s' % (why[0],)) - return null; - } else if (is_a($response_message, - 'Auth_OpenID_ServerErrorContainer')) { - return $response_message; - } - - return $this->_extractAssociation($response_message, $assoc_session); - } - - /** - * @access private - */ - function _extractAssociation(&$assoc_response, &$assoc_session) - { - // Extract the common fields from the response, raising an - // exception if they are not found - $assoc_type = $assoc_response->getArg( - Auth_OpenID_OPENID_NS, 'assoc_type', - Auth_OpenID_NO_DEFAULT); - - if ($assoc_type === null) { - return new Auth_OpenID_FailureResponse(null, - 'assoc_type missing from association response'); - } - - $assoc_handle = $assoc_response->getArg( - Auth_OpenID_OPENID_NS, 'assoc_handle', - Auth_OpenID_NO_DEFAULT); - - if ($assoc_handle === null) { - return new Auth_OpenID_FailureResponse(null, - 'assoc_handle missing from association response'); - } - - // expires_in is a base-10 string. The Python parsing will - // accept literals that have whitespace around them and will - // accept negative values. Neither of these are really in-spec, - // but we think it's OK to accept them. - $expires_in_str = $assoc_response->getArg( - Auth_OpenID_OPENID_NS, 'expires_in', - Auth_OpenID_NO_DEFAULT); - - if ($expires_in_str === null) { - return new Auth_OpenID_FailureResponse(null, - 'expires_in missing from association response'); - } - - $expires_in = Auth_OpenID::intval($expires_in_str); - if ($expires_in === false) { - return null; - } - - // OpenID 1 has funny association session behaviour. - if ($assoc_response->isOpenID1()) { - $session_type = $this->_getOpenID1SessionType($assoc_response); - } else { - $session_type = $assoc_response->getArg( - Auth_OpenID_OPENID2_NS, 'session_type', - Auth_OpenID_NO_DEFAULT); - - if ($session_type === null) { - return new Auth_OpenID_FailureResponse(null, - 'session_type missing from association response'); - } - } - - // Session type mismatch - if ($assoc_session->session_type != $session_type) { - if ($assoc_response->isOpenID1() && - ($session_type == 'no-encryption')) { - // In OpenID 1, any association request can result in - // a 'no-encryption' association response. Setting - // assoc_session to a new no-encryption session should - // make the rest of this function work properly for - // that case. - $assoc_session = new Auth_OpenID_PlainTextConsumerSession(); - } else { - // Any other mismatch, regardless of protocol version - // results in the failure of the association session - // altogether. - return null; - } - } - - // Make sure assoc_type is valid for session_type - if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) { - return null; - } - - // Delegate to the association session to extract the secret - // from the response, however is appropriate for that session - // type. - $secret = $assoc_session->extractSecret($assoc_response); - - if ($secret === null) { - return null; - } - - return Auth_OpenID_Association::fromExpiresIn( - $expires_in, $assoc_handle, $secret, $assoc_type); - } - - /** - * @access private - */ - function _createAssociateRequest($endpoint, $assoc_type, $session_type) - { - if (array_key_exists($session_type, $this->session_types)) { - $session_type_class = $this->session_types[$session_type]; - - if (is_callable($session_type_class)) { - $assoc_session = $session_type_class(); - } else { - $assoc_session = new $session_type_class(); - } - } else { - return null; - } - - $args = array( - 'mode' => 'associate', - 'assoc_type' => $assoc_type); - - if (!$endpoint->compatibilityMode()) { - $args['ns'] = Auth_OpenID_OPENID2_NS; - } - - // Leave out the session type if we're in compatibility mode - // *and* it's no-encryption. - if ((!$endpoint->compatibilityMode()) || - ($assoc_session->session_type != 'no-encryption')) { - $args['session_type'] = $assoc_session->session_type; - } - - $args = array_merge($args, $assoc_session->getRequest()); - $message = Auth_OpenID_Message::fromOpenIDArgs($args); - return array($assoc_session, $message); - } - - /** - * Given an association response message, extract the OpenID 1.X - * session type. - * - * This function mostly takes care of the 'no-encryption' default - * behavior in OpenID 1. - * - * If the association type is plain-text, this function will - * return 'no-encryption' - * - * @access private - * @return $typ The association type for this message - */ - function _getOpenID1SessionType($assoc_response) - { - // If it's an OpenID 1 message, allow session_type to default - // to None (which signifies "no-encryption") - $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS, - 'session_type'); - - // Handle the differences between no-encryption association - // respones in OpenID 1 and 2: - - // no-encryption is not really a valid session type for OpenID - // 1, but we'll accept it anyway, while issuing a warning. - if ($session_type == 'no-encryption') { - // oidutil.log('WARNING: OpenID server sent "no-encryption"' - // 'for OpenID 1.X') - } else if (($session_type == '') || ($session_type === null)) { - // Missing or empty session type is the way to flag a - // 'no-encryption' response. Change the session type to - // 'no-encryption' so that it can be handled in the same - // way as OpenID 2 'no-encryption' respones. - $session_type = 'no-encryption'; - } - - return $session_type; - } -} - -/** - * This class represents an authentication request from a consumer to - * an OpenID server. - * - * @package OpenID - */ -class Auth_OpenID_AuthRequest { - - /** - * Initialize an authentication request with the specified token, - * association, and endpoint. - * - * Users of this library should not create instances of this - * class. Instances of this class are created by the library when - * needed. - */ - function Auth_OpenID_AuthRequest(&$endpoint, $assoc) - { - $this->assoc = $assoc; - $this->endpoint =& $endpoint; - $this->return_to_args = array(); - $this->message = new Auth_OpenID_Message(); - $this->message->setOpenIDNamespace( - $endpoint->preferredNamespace()); - $this->_anonymous = false; - } - - /** - * Add an extension to this checkid request. - * - * $extension_request: An object that implements the extension - * request interface for adding arguments to an OpenID message. - */ - function addExtension(&$extension_request) - { - $extension_request->toMessage($this->message); - } - - /** - * Add an extension argument to this OpenID authentication - * request. - * - * Use caution when adding arguments, because they will be - * URL-escaped and appended to the redirect URL, which can easily - * get quite long. - * - * @param string $namespace The namespace for the extension. For - * example, the simple registration extension uses the namespace - * 'sreg'. - * - * @param string $key The key within the extension namespace. For - * example, the nickname field in the simple registration - * extension's key is 'nickname'. - * - * @param string $value The value to provide to the server for - * this argument. - */ - function addExtensionArg($namespace, $key, $value) - { - $this->message->setArg($namespace, $key, $value); - } - - /** - * Set whether this request should be made anonymously. If a - * request is anonymous, the identifier will not be sent in the - * request. This is only useful if you are making another kind of - * request with an extension in this request. - * - * Anonymous requests are not allowed when the request is made - * with OpenID 1. - */ - function setAnonymous($is_anonymous) - { - if ($is_anonymous && $this->message->isOpenID1()) { - return false; - } else { - $this->_anonymous = $is_anonymous; - return true; - } - } - - /** - * Produce a {@link Auth_OpenID_Message} representing this - * request. - * - * @param string $realm The URL (or URL pattern) that identifies - * your web site to the user when she is authorizing it. - * - * @param string $return_to The URL that the OpenID provider will - * send the user back to after attempting to verify her identity. - * - * Not specifying a return_to URL means that the user will not be - * returned to the site issuing the request upon its completion. - * - * @param bool $immediate If true, the OpenID provider is to send - * back a response immediately, useful for behind-the-scenes - * authentication attempts. Otherwise the OpenID provider may - * engage the user before providing a response. This is the - * default case, as the user may need to provide credentials or - * approve the request before a positive response can be sent. - */ - function getMessage($realm, $return_to=null, $immediate=false) - { - if ($return_to) { - $return_to = Auth_OpenID::appendArgs($return_to, - $this->return_to_args); - } else if ($immediate) { - // raise ValueError( - // '"return_to" is mandatory when - //using "checkid_immediate"') - return new Auth_OpenID_FailureResponse(null, - "'return_to' is mandatory when using checkid_immediate"); - } else if ($this->message->isOpenID1()) { - // raise ValueError('"return_to" is - // mandatory for OpenID 1 requests') - return new Auth_OpenID_FailureResponse(null, - "'return_to' is mandatory for OpenID 1 requests"); - } else if ($this->return_to_args) { - // raise ValueError('extra "return_to" arguments - // were specified, but no return_to was specified') - return new Auth_OpenID_FailureResponse(null, - "extra 'return_to' arguments where specified, " . - "but no return_to was specified"); - } - - if ($immediate) { - $mode = 'checkid_immediate'; - } else { - $mode = 'checkid_setup'; - } - - $message = $this->message->copy(); - if ($message->isOpenID1()) { - $realm_key = 'trust_root'; - } else { - $realm_key = 'realm'; - } - - $message->updateArgs(Auth_OpenID_OPENID_NS, - array( - $realm_key => $realm, - 'mode' => $mode, - 'return_to' => $return_to)); - - if (!$this->_anonymous) { - if ($this->endpoint->isOPIdentifier()) { - // This will never happen when we're in compatibility - // mode, as long as isOPIdentifier() returns False - // whenever preferredNamespace() returns OPENID1_NS. - $claimed_id = $request_identity = - Auth_OpenID_IDENTIFIER_SELECT; - } else { - $request_identity = $this->endpoint->getLocalID(); - $claimed_id = $this->endpoint->claimed_id; - } - - // This is true for both OpenID 1 and 2 - $message->setArg(Auth_OpenID_OPENID_NS, 'identity', - $request_identity); - - if ($message->isOpenID2()) { - $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id', - $claimed_id); - } - } - - if ($this->assoc) { - $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', - $this->assoc->handle); - } - - return $message; - } - - function redirectURL($realm, $return_to = null, - $immediate = false) - { - $message = $this->getMessage($realm, $return_to, $immediate); - - if (Auth_OpenID::isFailure($message)) { - return $message; - } - - return $message->toURL($this->endpoint->server_url); - } - - /** - * Get html for a form to submit this request to the IDP. - * - * form_tag_attrs: An array of attributes to be added to the form - * tag. 'accept-charset' and 'enctype' have defaults that can be - * overridden. If a value is supplied for 'action' or 'method', it - * will be replaced. - */ - function formMarkup($realm, $return_to=null, $immediate=false, - $form_tag_attrs=null) - { - $message = $this->getMessage($realm, $return_to, $immediate); - - if (Auth_OpenID::isFailure($message)) { - return $message; - } - - return $message->toFormMarkup($this->endpoint->server_url, - $form_tag_attrs); - } - - function shouldSendRedirect() - { - return $this->endpoint->compatibilityMode(); - } -} - -/** - * The base class for responses from the Auth_OpenID_Consumer. - * - * @package OpenID - */ -class Auth_OpenID_ConsumerResponse { - var $status = null; - - function setEndpoint($endpoint) - { - $this->endpoint = $endpoint; - if ($endpoint === null) { - $this->identity_url = null; - } else { - $this->identity_url = $endpoint->claimed_id; - } - } - - function getDisplayIdentifier() - { - if ($this->endpoint !== null) { - return $this->endpoint->getDisplayIdentifier(); - } - return null; - } -} - -/** - * A response with a status of Auth_OpenID_SUCCESS. Indicates that - * this request is a successful acknowledgement from the OpenID server - * that the supplied URL is, indeed controlled by the requesting - * agent. This has three relevant attributes: - * - * claimed_id - The identity URL that has been authenticated - * - * signed_args - The arguments in the server's response that were - * signed and verified. - * - * status - Auth_OpenID_SUCCESS. - * - * @package OpenID - */ -class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse { - var $status = Auth_OpenID_SUCCESS; - - /** - * @access private - */ - function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null) - { - $this->endpoint = $endpoint; - $this->identity_url = $endpoint->claimed_id; - $this->signed_args = $signed_args; - $this->message = $message; - - if ($this->signed_args === null) { - $this->signed_args = array(); - } - } - - /** - * Extract signed extension data from the server's response. - * - * @param string $prefix The extension namespace from which to - * extract the extension data. - */ - function extensionResponse($namespace_uri, $require_signed) - { - if ($require_signed) { - return $this->getSignedNS($namespace_uri); - } else { - return $this->message->getArgs($namespace_uri); - } - } - - function isOpenID1() - { - return $this->message->isOpenID1(); - } - - function isSigned($ns_uri, $ns_key) - { - // Return whether a particular key is signed, regardless of - // its namespace alias - return in_array($this->message->getKey($ns_uri, $ns_key), - $this->signed_args); - } - - function getSigned($ns_uri, $ns_key, $default = null) - { - // Return the specified signed field if available, otherwise - // return default - if ($this->isSigned($ns_uri, $ns_key)) { - return $this->message->getArg($ns_uri, $ns_key, $default); - } else { - return $default; - } - } - - function getSignedNS($ns_uri) - { - $args = array(); - - $msg_args = $this->message->getArgs($ns_uri); - - foreach ($msg_args as $key => $value) { - if (!$this->isSigned($ns_uri, $key)) { - return null; - } - } - - return $msg_args; - } - - /** - * Get the openid.return_to argument from this response. - * - * This is useful for verifying that this request was initiated by - * this consumer. - * - * @return string $return_to The return_to URL supplied to the - * server on the initial request, or null if the response did not - * contain an 'openid.return_to' argument. - */ - function getReturnTo() - { - return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to'); - } -} - -/** - * A response with a status of Auth_OpenID_FAILURE. Indicates that the - * OpenID protocol has failed. This could be locally or remotely - * triggered. This has three relevant attributes: - * - * claimed_id - The identity URL for which authentication was - * attempted, if it can be determined. Otherwise, null. - * - * message - A message indicating why the request failed, if one is - * supplied. Otherwise, null. - * - * status - Auth_OpenID_FAILURE. - * - * @package OpenID - */ -class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse { - var $status = Auth_OpenID_FAILURE; - - function Auth_OpenID_FailureResponse($endpoint, $message = null, - $contact = null, $reference = null) - { - $this->setEndpoint($endpoint); - $this->message = $message; - $this->contact = $contact; - $this->reference = $reference; - } -} - -/** - * A specific, internal failure used to detect type URI mismatch. - * - * @package OpenID - */ -class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse { -} - -/** - * Exception that is raised when the server returns a 400 response - * code to a direct request. - * - * @package OpenID - */ -class Auth_OpenID_ServerErrorContainer { - function Auth_OpenID_ServerErrorContainer($error_text, - $error_code, - $message) - { - $this->error_text = $error_text; - $this->error_code = $error_code; - $this->message = $message; - } - - /** - * @access private - */ - function fromMessage($message) - { - $error_text = $message->getArg( - Auth_OpenID_OPENID_NS, 'error', ''); - $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code'); - return new Auth_OpenID_ServerErrorContainer($error_text, - $error_code, - $message); - } -} - -/** - * A response with a status of Auth_OpenID_CANCEL. Indicates that the - * user cancelled the OpenID authentication request. This has two - * relevant attributes: - * - * claimed_id - The identity URL for which authentication was - * attempted, if it can be determined. Otherwise, null. - * - * status - Auth_OpenID_SUCCESS. - * - * @package OpenID - */ -class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse { - var $status = Auth_OpenID_CANCEL; - - function Auth_OpenID_CancelResponse($endpoint) - { - $this->setEndpoint($endpoint); - } -} - -/** - * A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates - * that the request was in immediate mode, and the server is unable to - * authenticate the user without further interaction. - * - * claimed_id - The identity URL for which authentication was - * attempted. - * - * setup_url - A URL that can be used to send the user to the server - * to set up for authentication. The user should be redirected in to - * the setup_url, either in the current window or in a new browser - * window. Null in OpenID 2. - * - * status - Auth_OpenID_SETUP_NEEDED. - * - * @package OpenID - */ -class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse { - var $status = Auth_OpenID_SETUP_NEEDED; - - function Auth_OpenID_SetupNeededResponse($endpoint, - $setup_url = null) - { - $this->setEndpoint($endpoint); - $this->setup_url = $setup_url; - } -} - -?> diff --git a/models/Auth.old/OpenID/CryptUtil.php b/models/Auth.old/OpenID/CryptUtil.php deleted file mode 100644 index 70351dcee..000000000 --- a/models/Auth.old/OpenID/CryptUtil.php +++ /dev/null @@ -1,113 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -if (!defined('Auth_OpenID_RAND_SOURCE')) { - /** - * The filename for a source of random bytes. Define this yourself - * if you have a different source of randomness. - */ - - // good version - define('Auth_OpenID_RAND_SOURCE', '/dev/urandom'); - // use this one for broken systems (eg. Windows) - //define('Auth_OpenID_RAND_SOURCE', null); -} - -class Auth_OpenID_CryptUtil { - /** - * Get the specified number of random bytes. - * - * Attempts to use a cryptographically secure (not predictable) - * source of randomness if available. If there is no high-entropy - * randomness source available, it will fail. As a last resort, - * for non-critical systems, define - * Auth_OpenID_RAND_SOURCE as null, and - * the code will fall back on a pseudo-random number generator. - * - * @param int $num_bytes The length of the return value - * @return string $bytes random bytes - */ - function getBytes($num_bytes) - { - static $f = null; - $bytes = ''; - if ($f === null) { - if (Auth_OpenID_RAND_SOURCE === null) { - $f = false; - } else { - $f = @fopen(Auth_OpenID_RAND_SOURCE, "r"); - if ($f === false) { - $msg = 'Define Auth_OpenID_RAND_SOURCE as null to ' . - ' continue with an insecure random number generator.'; - trigger_error($msg, E_USER_ERROR); - } - } - } - if ($f === false) { - // pseudorandom used - $bytes = ''; - for ($i = 0; $i < $num_bytes; $i += 4) { - $bytes .= pack('L', mt_rand()); - } - $bytes = substr($bytes, 0, $num_bytes); - } else { - $bytes = fread($f, $num_bytes); - } - return $bytes; - } - - /** - * Produce a string of length random bytes, chosen from chrs. If - * $chrs is null, the resulting string may contain any characters. - * - * @param integer $length The length of the resulting - * randomly-generated string - * @param string $chrs A string of characters from which to choose - * to build the new string - * @return string $result A string of randomly-chosen characters - * from $chrs - */ - function randomString($length, $population = null) - { - if ($population === null) { - return Auth_OpenID_CryptUtil::getBytes($length); - } - - $popsize = strlen($population); - - if ($popsize > 256) { - $msg = 'More than 256 characters supplied to ' . __FUNCTION__; - trigger_error($msg, E_USER_ERROR); - } - - $duplicate = 256 % $popsize; - - $str = ""; - for ($i = 0; $i < $length; $i++) { - do { - $n = ord(Auth_OpenID_CryptUtil::getBytes(1)); - } while ($n < $duplicate); - - $n %= $popsize; - $str .= $population[$n]; - } - - return $str; - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/DatabaseConnection.php b/models/Auth.old/OpenID/DatabaseConnection.php deleted file mode 100644 index 3f4515fa5..000000000 --- a/models/Auth.old/OpenID/DatabaseConnection.php +++ /dev/null @@ -1,131 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * An empty base class intended to emulate PEAR connection - * functionality in applications that supply their own database - * abstraction mechanisms. See {@link Auth_OpenID_SQLStore} for more - * information. You should subclass this class if you need to create - * an SQL store that needs to access its database using an - * application's database abstraction layer instead of a PEAR database - * connection. Any subclass of Auth_OpenID_DatabaseConnection MUST - * adhere to the interface specified here. - * - * @package OpenID - */ -class Auth_OpenID_DatabaseConnection { - /** - * Sets auto-commit mode on this database connection. - * - * @param bool $mode True if auto-commit is to be used; false if - * not. - */ - function autoCommit($mode) - { - } - - /** - * Run an SQL query with the specified parameters, if any. - * - * @param string $sql An SQL string with placeholders. The - * placeholders are assumed to be specific to the database engine - * for this connection. - * - * @param array $params An array of parameters to insert into the - * SQL string using this connection's escaping mechanism. - * - * @return mixed $result The result of calling this connection's - * internal query function. The type of result depends on the - * underlying database engine. This method is usually used when - * the result of a query is not important, like a DDL query. - */ - function query($sql, $params = array()) - { - } - - /** - * Starts a transaction on this connection, if supported. - */ - function begin() - { - } - - /** - * Commits a transaction on this connection, if supported. - */ - function commit() - { - } - - /** - * Performs a rollback on this connection, if supported. - */ - function rollback() - { - } - - /** - * Run an SQL query and return the first column of the first row - * of the result set, if any. - * - * @param string $sql An SQL string with placeholders. The - * placeholders are assumed to be specific to the database engine - * for this connection. - * - * @param array $params An array of parameters to insert into the - * SQL string using this connection's escaping mechanism. - * - * @return mixed $result The value of the first column of the - * first row of the result set. False if no such result was - * found. - */ - function getOne($sql, $params = array()) - { - } - - /** - * Run an SQL query and return the first row of the result set, if - * any. - * - * @param string $sql An SQL string with placeholders. The - * placeholders are assumed to be specific to the database engine - * for this connection. - * - * @param array $params An array of parameters to insert into the - * SQL string using this connection's escaping mechanism. - * - * @return array $result The first row of the result set, if any, - * keyed on column name. False if no such result was found. - */ - function getRow($sql, $params = array()) - { - } - - /** - * Run an SQL query with the specified parameters, if any. - * - * @param string $sql An SQL string with placeholders. The - * placeholders are assumed to be specific to the database engine - * for this connection. - * - * @param array $params An array of parameters to insert into the - * SQL string using this connection's escaping mechanism. - * - * @return array $result An array of arrays representing the - * result of the query; each array is keyed on column name. - */ - function getAll($sql, $params = array()) - { - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/DiffieHellman.php b/models/Auth.old/OpenID/DiffieHellman.php deleted file mode 100644 index b9a8034bf..000000000 --- a/models/Auth.old/OpenID/DiffieHellman.php +++ /dev/null @@ -1,112 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -require_once 'Auth/OpenID.php'; -require_once 'Auth/OpenID/BigMath.php'; -require_once 'Auth/OpenID/HMACSHA1.php'; - -function Auth_OpenID_getDefaultMod() -{ - return '155172898181473697471232257763715539915724801'. - '966915404479707795314057629378541917580651227423'. - '698188993727816152646631438561595825688188889951'. - '272158842675419950341258706556549803580104870537'. - '681476726513255747040765857479291291572334510643'. - '245094715007229621094194349783925984760375594985'. - '848253359305585439638443'; -} - -function Auth_OpenID_getDefaultGen() -{ - return '2'; -} - -/** - * The Diffie-Hellman key exchange class. This class relies on - * {@link Auth_OpenID_MathLibrary} to perform large number operations. - * - * @access private - * @package OpenID - */ -class Auth_OpenID_DiffieHellman { - - var $mod; - var $gen; - var $private; - var $lib = null; - - function Auth_OpenID_DiffieHellman($mod = null, $gen = null, - $private = null, $lib = null) - { - if ($lib === null) { - $this->lib =& Auth_OpenID_getMathLib(); - } else { - $this->lib =& $lib; - } - - if ($mod === null) { - $this->mod = $this->lib->init(Auth_OpenID_getDefaultMod()); - } else { - $this->mod = $mod; - } - - if ($gen === null) { - $this->gen = $this->lib->init(Auth_OpenID_getDefaultGen()); - } else { - $this->gen = $gen; - } - - if ($private === null) { - $r = $this->lib->rand($this->mod); - $this->private = $this->lib->add($r, 1); - } else { - $this->private = $private; - } - - $this->public = $this->lib->powmod($this->gen, $this->private, - $this->mod); - } - - function getSharedSecret($composite) - { - return $this->lib->powmod($composite, $this->private, $this->mod); - } - - function getPublicKey() - { - return $this->public; - } - - function usingDefaultValues() - { - return ($this->mod == Auth_OpenID_getDefaultMod() && - $this->gen == Auth_OpenID_getDefaultGen()); - } - - function xorSecret($composite, $secret, $hash_func) - { - $dh_shared = $this->getSharedSecret($composite); - $dh_shared_str = $this->lib->longToBinary($dh_shared); - $hash_dh_shared = $hash_func($dh_shared_str); - - $xsecret = ""; - for ($i = 0; $i < Auth_OpenID::bytes($secret); $i++) { - $xsecret .= chr(ord($secret[$i]) ^ ord($hash_dh_shared[$i])); - } - - return $xsecret; - } -} diff --git a/models/Auth.old/OpenID/Discover.php b/models/Auth.old/OpenID/Discover.php deleted file mode 100644 index b8f4d56ff..000000000 --- a/models/Auth.old/OpenID/Discover.php +++ /dev/null @@ -1,547 +0,0 @@ -claimed_id = null; - $this->server_url = null; - $this->type_uris = array(); - $this->local_id = null; - $this->canonicalID = null; - $this->used_yadis = false; // whether this came from an XRDS - $this->display_identifier = null; - } - - function getDisplayIdentifier() - { - if ($this->display_identifier) { - return $this->display_identifier; - } - return $this->claimed_id; - } - - function usesExtension($extension_uri) - { - return in_array($extension_uri, $this->type_uris); - } - - function preferredNamespace() - { - if (in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris) || - in_array(Auth_OpenID_TYPE_2_0, $this->type_uris)) { - return Auth_OpenID_OPENID2_NS; - } else { - return Auth_OpenID_OPENID1_NS; - } - } - - /* - * Query this endpoint to see if it has any of the given type - * URIs. This is useful for implementing other endpoint classes - * that e.g. need to check for the presence of multiple versions - * of a single protocol. - * - * @param $type_uris The URIs that you wish to check - * - * @return all types that are in both in type_uris and - * $this->type_uris - */ - function matchTypes($type_uris) - { - $result = array(); - foreach ($type_uris as $test_uri) { - if ($this->supportsType($test_uri)) { - $result[] = $test_uri; - } - } - - return $result; - } - - function supportsType($type_uri) - { - // Does this endpoint support this type? - return ((in_array($type_uri, $this->type_uris)) || - (($type_uri == Auth_OpenID_TYPE_2_0) && - $this->isOPIdentifier())); - } - - function compatibilityMode() - { - return $this->preferredNamespace() != Auth_OpenID_OPENID2_NS; - } - - function isOPIdentifier() - { - return in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris); - } - - function fromOPEndpointURL($op_endpoint_url) - { - // Construct an OP-Identifier OpenIDServiceEndpoint object for - // a given OP Endpoint URL - $obj = new Auth_OpenID_ServiceEndpoint(); - $obj->server_url = $op_endpoint_url; - $obj->type_uris = array(Auth_OpenID_TYPE_2_0_IDP); - return $obj; - } - - function parseService($yadis_url, $uri, $type_uris, $service_element) - { - // Set the state of this object based on the contents of the - // service element. Return true if successful, false if not - // (if findOPLocalIdentifier returns false). - $this->type_uris = $type_uris; - $this->server_url = $uri; - $this->used_yadis = true; - - if (!$this->isOPIdentifier()) { - $this->claimed_id = $yadis_url; - $this->local_id = Auth_OpenID_findOPLocalIdentifier( - $service_element, - $this->type_uris); - if ($this->local_id === false) { - return false; - } - } - - return true; - } - - function getLocalID() - { - // Return the identifier that should be sent as the - // openid.identity_url parameter to the server. - if ($this->local_id === null && $this->canonicalID === null) { - return $this->claimed_id; - } else { - if ($this->local_id) { - return $this->local_id; - } else { - return $this->canonicalID; - } - } - } - - /* - * Parse the given document as XRDS looking for OpenID services. - * - * @return array of Auth_OpenID_ServiceEndpoint or null if the - * document cannot be parsed. - */ - function fromXRDS($uri, $xrds_text) - { - $xrds =& Auth_Yadis_XRDS::parseXRDS($xrds_text); - - if ($xrds) { - $yadis_services = - $xrds->services(array('filter_MatchesAnyOpenIDType')); - return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); - } - - return null; - } - - /* - * Create endpoints from a DiscoveryResult. - * - * @param discoveryResult Auth_Yadis_DiscoveryResult - * @return array of Auth_OpenID_ServiceEndpoint or null if - * endpoints cannot be created. - */ - function fromDiscoveryResult($discoveryResult) - { - if ($discoveryResult->isXRDS()) { - return Auth_OpenID_ServiceEndpoint::fromXRDS( - $discoveryResult->normalized_uri, - $discoveryResult->response_text); - } else { - return Auth_OpenID_ServiceEndpoint::fromHTML( - $discoveryResult->normalized_uri, - $discoveryResult->response_text); - } - } - - function fromHTML($uri, $html) - { - $discovery_types = array( - array(Auth_OpenID_TYPE_2_0, - 'openid2.provider', 'openid2.local_id'), - array(Auth_OpenID_TYPE_1_1, - 'openid.server', 'openid.delegate') - ); - - $services = array(); - - foreach ($discovery_types as $triple) { - list($type_uri, $server_rel, $delegate_rel) = $triple; - - $urls = Auth_OpenID_legacy_discover($html, $server_rel, - $delegate_rel); - - if ($urls === false) { - continue; - } - - list($delegate_url, $server_url) = $urls; - - $service = new Auth_OpenID_ServiceEndpoint(); - $service->claimed_id = $uri; - $service->local_id = $delegate_url; - $service->server_url = $server_url; - $service->type_uris = array($type_uri); - - $services[] = $service; - } - - return $services; - } - - function copy() - { - $x = new Auth_OpenID_ServiceEndpoint(); - - $x->claimed_id = $this->claimed_id; - $x->server_url = $this->server_url; - $x->type_uris = $this->type_uris; - $x->local_id = $this->local_id; - $x->canonicalID = $this->canonicalID; - $x->used_yadis = $this->used_yadis; - - return $x; - } -} - -function Auth_OpenID_findOPLocalIdentifier($service, $type_uris) -{ - // Extract a openid:Delegate value from a Yadis Service element. - // If no delegate is found, returns null. Returns false on - // discovery failure (when multiple delegate/localID tags have - // different values). - - $service->parser->registerNamespace('openid', - Auth_OpenID_XMLNS_1_0); - - $service->parser->registerNamespace('xrd', - Auth_Yadis_XMLNS_XRD_2_0); - - $parser =& $service->parser; - - $permitted_tags = array(); - - if (in_array(Auth_OpenID_TYPE_1_1, $type_uris) || - in_array(Auth_OpenID_TYPE_1_0, $type_uris)) { - $permitted_tags[] = 'openid:Delegate'; - } - - if (in_array(Auth_OpenID_TYPE_2_0, $type_uris)) { - $permitted_tags[] = 'xrd:LocalID'; - } - - $local_id = null; - - foreach ($permitted_tags as $tag_name) { - $tags = $service->getElements($tag_name); - - foreach ($tags as $tag) { - $content = $parser->content($tag); - - if ($local_id === null) { - $local_id = $content; - } else if ($local_id != $content) { - return false; - } - } - } - - return $local_id; -} - -function filter_MatchesAnyOpenIDType(&$service) -{ - $uris = $service->getTypes(); - - foreach ($uris as $uri) { - if (in_array($uri, Auth_OpenID_getOpenIDTypeURIs())) { - return true; - } - } - - return false; -} - -function Auth_OpenID_bestMatchingService($service, $preferred_types) -{ - // Return the index of the first matching type, or something - // higher if no type matches. - // - // This provides an ordering in which service elements that - // contain a type that comes earlier in the preferred types list - // come before service elements that come later. If a service - // element has more than one type, the most preferred one wins. - - foreach ($preferred_types as $index => $typ) { - if (in_array($typ, $service->type_uris)) { - return $index; - } - } - - return count($preferred_types); -} - -function Auth_OpenID_arrangeByType($service_list, $preferred_types) -{ - // Rearrange service_list in a new list so services are ordered by - // types listed in preferred_types. Return the new list. - - // Build a list with the service elements in tuples whose - // comparison will prefer the one with the best matching service - $prio_services = array(); - foreach ($service_list as $index => $service) { - $prio_services[] = array(Auth_OpenID_bestMatchingService($service, - $preferred_types), - $index, $service); - } - - sort($prio_services); - - // Now that the services are sorted by priority, remove the sort - // keys from the list. - foreach ($prio_services as $index => $s) { - $prio_services[$index] = $prio_services[$index][2]; - } - - return $prio_services; -} - -// Extract OP Identifier services. If none found, return the rest, -// sorted with most preferred first according to -// OpenIDServiceEndpoint.openid_type_uris. -// -// openid_services is a list of OpenIDServiceEndpoint objects. -// -// Returns a list of OpenIDServiceEndpoint objects.""" -function Auth_OpenID_getOPOrUserServices($openid_services) -{ - $op_services = Auth_OpenID_arrangeByType($openid_services, - array(Auth_OpenID_TYPE_2_0_IDP)); - - $openid_services = Auth_OpenID_arrangeByType($openid_services, - Auth_OpenID_getOpenIDTypeURIs()); - - if ($op_services) { - return $op_services; - } else { - return $openid_services; - } -} - -function Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services) -{ - $s = array(); - - if (!$yadis_services) { - return $s; - } - - foreach ($yadis_services as $service) { - $type_uris = $service->getTypes(); - $uris = $service->getURIs(); - - // If any Type URIs match and there is an endpoint URI - // specified, then this is an OpenID endpoint - if ($type_uris && - $uris) { - foreach ($uris as $service_uri) { - $openid_endpoint = new Auth_OpenID_ServiceEndpoint(); - if ($openid_endpoint->parseService($uri, - $service_uri, - $type_uris, - $service)) { - $s[] = $openid_endpoint; - } - } - } - } - - return $s; -} - -function Auth_OpenID_discoverWithYadis($uri, &$fetcher, - $endpoint_filter='Auth_OpenID_getOPOrUserServices', - $discover_function=null) -{ - // Discover OpenID services for a URI. Tries Yadis and falls back - // on old-style discovery if Yadis fails. - - // Might raise a yadis.discover.DiscoveryFailure if no document - // came back for that URI at all. I don't think falling back to - // OpenID 1.0 discovery on the same URL will help, so don't bother - // to catch it. - if ($discover_function === null) { - $discover_function = array('Auth_Yadis_Yadis', 'discover'); - } - - $openid_services = array(); - - $response = call_user_func_array($discover_function, - array($uri, &$fetcher)); - - $yadis_url = $response->normalized_uri; - $yadis_services = array(); - - if ($response->isFailure()) { - return array($uri, array()); - } - - $openid_services = Auth_OpenID_ServiceEndpoint::fromXRDS( - $yadis_url, - $response->response_text); - - if (!$openid_services) { - if ($response->isXRDS()) { - return Auth_OpenID_discoverWithoutYadis($uri, - $fetcher); - } - - // Try to parse the response as HTML to get OpenID 1.0/1.1 - // - $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( - $yadis_url, - $response->response_text); - } - - $openid_services = call_user_func_array($endpoint_filter, - array(&$openid_services)); - - return array($yadis_url, $openid_services); -} - -function Auth_OpenID_discoverURI($uri, &$fetcher) -{ - $parsed = parse_url($uri); - - if ($parsed && isset($parsed['scheme']) && - isset($parsed['host'])) { - if (!in_array($parsed['scheme'], array('http', 'https'))) { - // raise DiscoveryFailure('URI scheme is not HTTP or HTTPS', None) - return array($uri, array()); - } - } else { - $uri = 'http://' . $uri; - } - - $uri = Auth_OpenID::normalizeUrl($uri); - return Auth_OpenID_discoverWithYadis($uri, $fetcher); -} - -function Auth_OpenID_discoverWithoutYadis($uri, &$fetcher) -{ - $http_resp = @$fetcher->get($uri); - - if ($http_resp->status != 200) { - return array($uri, array()); - } - - $identity_url = $http_resp->final_url; - - // Try to parse the response as HTML to get OpenID 1.0/1.1 - $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( - $identity_url, - $http_resp->body); - - return array($identity_url, $openid_services); -} - -function Auth_OpenID_discoverXRI($iname, &$fetcher) -{ - $resolver = new Auth_Yadis_ProxyResolver($fetcher); - list($canonicalID, $yadis_services) = - $resolver->query($iname, - Auth_OpenID_getOpenIDTypeURIs(), - array('filter_MatchesAnyOpenIDType')); - - $openid_services = Auth_OpenID_makeOpenIDEndpoints($iname, - $yadis_services); - - $openid_services = Auth_OpenID_getOPOrUserServices($openid_services); - - for ($i = 0; $i < count($openid_services); $i++) { - $openid_services[$i]->canonicalID = $canonicalID; - $openid_services[$i]->claimed_id = $canonicalID; - $openid_services[$i]->display_identifier = $iname; - } - - // FIXME: returned xri should probably be in some normal form - return array($iname, $openid_services); -} - -function Auth_OpenID_discover($uri, &$fetcher) -{ - // If the fetcher (i.e., PHP) doesn't support SSL, we can't do - // discovery on an HTTPS URL. - if ($fetcher->isHTTPS($uri) && !$fetcher->supportsSSL()) { - return array($uri, array()); - } - - if (Auth_Yadis_identifierScheme($uri) == 'XRI') { - $result = Auth_OpenID_discoverXRI($uri, $fetcher); - } else { - $result = Auth_OpenID_discoverURI($uri, $fetcher); - } - - // If the fetcher doesn't support SSL, we can't interact with - // HTTPS server URLs; remove those endpoints from the list. - if (!$fetcher->supportsSSL()) { - $http_endpoints = array(); - list($new_uri, $endpoints) = $result; - - foreach ($endpoints as $e) { - if (!$fetcher->isHTTPS($e->server_url)) { - $http_endpoints[] = $e; - } - } - - $result = array($new_uri, $http_endpoints); - } - - return $result; -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/DumbStore.php b/models/Auth.old/OpenID/DumbStore.php deleted file mode 100644 index ef1a37f82..000000000 --- a/models/Auth.old/OpenID/DumbStore.php +++ /dev/null @@ -1,100 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * Import the interface for creating a new store class. - */ -require_once 'Auth/OpenID/Interface.php'; -require_once 'Auth/OpenID/HMACSHA1.php'; - -/** - * This is a store for use in the worst case, when you have no way of - * saving state on the consumer site. Using this store makes the - * consumer vulnerable to replay attacks, as it's unable to use - * nonces. Avoid using this store if it is at all possible. - * - * Most of the methods of this class are implementation details. - * Users of this class need to worry only about the constructor. - * - * @package OpenID - */ -class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore { - - /** - * Creates a new {@link Auth_OpenID_DumbStore} instance. For the security - * of the tokens generated by the library, this class attempts to - * at least have a secure implementation of getAuthKey. - * - * When you create an instance of this class, pass in a secret - * phrase. The phrase is hashed with sha1 to make it the correct - * length and form for an auth key. That allows you to use a long - * string as the secret phrase, which means you can make it very - * difficult to guess. - * - * Each {@link Auth_OpenID_DumbStore} instance that is created for use by - * your consumer site needs to use the same $secret_phrase. - * - * @param string secret_phrase The phrase used to create the auth - * key returned by getAuthKey - */ - function Auth_OpenID_DumbStore($secret_phrase) - { - $this->auth_key = Auth_OpenID_SHA1($secret_phrase); - } - - /** - * This implementation does nothing. - */ - function storeAssociation($server_url, $association) - { - } - - /** - * This implementation always returns null. - */ - function getAssociation($server_url, $handle = null) - { - return null; - } - - /** - * This implementation always returns false. - */ - function removeAssociation($server_url, $handle) - { - return false; - } - - /** - * In a system truly limited to dumb mode, nonces must all be - * accepted. This therefore always returns true, which makes - * replay attacks feasible. - */ - function useNonce($server_url, $timestamp, $salt) - { - return true; - } - - /** - * This method returns the auth key generated by the constructor. - */ - function getAuthKey() - { - return $this->auth_key; - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Extension.php b/models/Auth.old/OpenID/Extension.php deleted file mode 100644 index 73b5d502e..000000000 --- a/models/Auth.old/OpenID/Extension.php +++ /dev/null @@ -1,58 +0,0 @@ -namespaces->addAlias($this->ns_uri, - $this->ns_alias) === null) { - if ($message->namespaces->getAlias($this->ns_uri) != - $this->ns_alias) { - return null; - } - } - - $message->updateArgs($this->ns_uri, - $this->getExtensionArgs()); - return $message; - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/FileStore.php b/models/Auth.old/OpenID/FileStore.php deleted file mode 100644 index f6bf1702b..000000000 --- a/models/Auth.old/OpenID/FileStore.php +++ /dev/null @@ -1,618 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * Require base class for creating a new interface. - */ -require_once 'Auth/OpenID.php'; -require_once 'Auth/OpenID/Interface.php'; -require_once 'Auth/OpenID/HMACSHA1.php'; -require_once 'Auth/OpenID/Nonce.php'; - -/** - * This is a filesystem-based store for OpenID associations and - * nonces. This store should be safe for use in concurrent systems on - * both windows and unix (excluding NFS filesystems). There are a - * couple race conditions in the system, but those failure cases have - * been set up in such a way that the worst-case behavior is someone - * having to try to log in a second time. - * - * Most of the methods of this class are implementation details. - * People wishing to just use this store need only pay attention to - * the constructor. - * - * @package OpenID - */ -class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore { - - /** - * Initializes a new {@link Auth_OpenID_FileStore}. This - * initializes the nonce and association directories, which are - * subdirectories of the directory passed in. - * - * @param string $directory This is the directory to put the store - * directories in. - */ - function Auth_OpenID_FileStore($directory) - { - if (!Auth_OpenID::ensureDir($directory)) { - trigger_error('Not a directory and failed to create: ' - . $directory, E_USER_ERROR); - } - $directory = realpath($directory); - - $this->directory = $directory; - $this->active = true; - - $this->nonce_dir = $directory . DIRECTORY_SEPARATOR . 'nonces'; - - $this->association_dir = $directory . DIRECTORY_SEPARATOR . - 'associations'; - - // Temp dir must be on the same filesystem as the assciations - // $directory. - $this->temp_dir = $directory . DIRECTORY_SEPARATOR . 'temp'; - - $this->max_nonce_age = 6 * 60 * 60; // Six hours, in seconds - - if (!$this->_setup()) { - trigger_error('Failed to initialize OpenID file store in ' . - $directory, E_USER_ERROR); - } - } - - function destroy() - { - Auth_OpenID_FileStore::_rmtree($this->directory); - $this->active = false; - } - - /** - * Make sure that the directories in which we store our data - * exist. - * - * @access private - */ - function _setup() - { - return (Auth_OpenID::ensureDir($this->nonce_dir) && - Auth_OpenID::ensureDir($this->association_dir) && - Auth_OpenID::ensureDir($this->temp_dir)); - } - - /** - * Create a temporary file on the same filesystem as - * $this->association_dir. - * - * The temporary directory should not be cleaned if there are any - * processes using the store. If there is no active process using - * the store, it is safe to remove all of the files in the - * temporary directory. - * - * @return array ($fd, $filename) - * @access private - */ - function _mktemp() - { - $name = Auth_OpenID_FileStore::_mkstemp($dir = $this->temp_dir); - $file_obj = @fopen($name, 'wb'); - if ($file_obj !== false) { - return array($file_obj, $name); - } else { - Auth_OpenID_FileStore::_removeIfPresent($name); - } - } - - function cleanupNonces() - { - global $Auth_OpenID_SKEW; - - $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); - $now = time(); - - $removed = 0; - // Check all nonces for expiry - foreach ($nonces as $nonce_fname) { - $base = basename($nonce_fname); - $parts = explode('-', $base, 2); - $timestamp = $parts[0]; - $timestamp = intval($timestamp, 16); - if (abs($timestamp - $now) > $Auth_OpenID_SKEW) { - Auth_OpenID_FileStore::_removeIfPresent($nonce_fname); - $removed += 1; - } - } - return $removed; - } - - /** - * Create a unique filename for a given server url and - * handle. This implementation does not assume anything about the - * format of the handle. The filename that is returned will - * contain the domain name from the server URL for ease of human - * inspection of the data directory. - * - * @return string $filename - */ - function getAssociationFilename($server_url, $handle) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - if (strpos($server_url, '://') === false) { - trigger_error(sprintf("Bad server URL: %s", $server_url), - E_USER_WARNING); - return null; - } - - list($proto, $rest) = explode('://', $server_url, 2); - $parts = explode('/', $rest); - $domain = Auth_OpenID_FileStore::_filenameEscape($parts[0]); - $url_hash = Auth_OpenID_FileStore::_safe64($server_url); - if ($handle) { - $handle_hash = Auth_OpenID_FileStore::_safe64($handle); - } else { - $handle_hash = ''; - } - - $filename = sprintf('%s-%s-%s-%s', $proto, $domain, $url_hash, - $handle_hash); - - return $this->association_dir. DIRECTORY_SEPARATOR . $filename; - } - - /** - * Store an association in the association directory. - */ - function storeAssociation($server_url, $association) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return false; - } - - $association_s = $association->serialize(); - $filename = $this->getAssociationFilename($server_url, - $association->handle); - list($tmp_file, $tmp) = $this->_mktemp(); - - if (!$tmp_file) { - trigger_error("_mktemp didn't return a valid file descriptor", - E_USER_WARNING); - return false; - } - - fwrite($tmp_file, $association_s); - - fflush($tmp_file); - - fclose($tmp_file); - - if (@rename($tmp, $filename)) { - return true; - } else { - // In case we are running on Windows, try unlinking the - // file in case it exists. - @unlink($filename); - - // Now the target should not exist. Try renaming again, - // giving up if it fails. - if (@rename($tmp, $filename)) { - return true; - } - } - - // If there was an error, don't leave the temporary file - // around. - Auth_OpenID_FileStore::_removeIfPresent($tmp); - return false; - } - - /** - * Retrieve an association. If no handle is specified, return the - * association with the most recent issue time. - * - * @return mixed $association - */ - function getAssociation($server_url, $handle = null) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - if ($handle === null) { - $handle = ''; - } - - // The filename with the empty handle is a prefix of all other - // associations for the given server URL. - $filename = $this->getAssociationFilename($server_url, $handle); - - if ($handle) { - return $this->_getAssociation($filename); - } else { - $association_files = - Auth_OpenID_FileStore::_listdir($this->association_dir); - $matching_files = array(); - - // strip off the path to do the comparison - $name = basename($filename); - foreach ($association_files as $association_file) { - $base = basename($association_file); - if (strpos($base, $name) === 0) { - $matching_files[] = $association_file; - } - } - - $matching_associations = array(); - // read the matching files and sort by time issued - foreach ($matching_files as $full_name) { - $association = $this->_getAssociation($full_name); - if ($association !== null) { - $matching_associations[] = array($association->issued, - $association); - } - } - - $issued = array(); - $assocs = array(); - foreach ($matching_associations as $key => $assoc) { - $issued[$key] = $assoc[0]; - $assocs[$key] = $assoc[1]; - } - - array_multisort($issued, SORT_DESC, $assocs, SORT_DESC, - $matching_associations); - - // return the most recently issued one. - if ($matching_associations) { - list($issued, $assoc) = $matching_associations[0]; - return $assoc; - } else { - return null; - } - } - } - - /** - * @access private - */ - function _getAssociation($filename) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - $assoc_file = @fopen($filename, 'rb'); - - if ($assoc_file === false) { - return null; - } - - $assoc_s = fread($assoc_file, filesize($filename)); - fclose($assoc_file); - - if (!$assoc_s) { - return null; - } - - $association = - Auth_OpenID_Association::deserialize('Auth_OpenID_Association', - $assoc_s); - - if (!$association) { - Auth_OpenID_FileStore::_removeIfPresent($filename); - return null; - } - - if ($association->getExpiresIn() == 0) { - Auth_OpenID_FileStore::_removeIfPresent($filename); - return null; - } else { - return $association; - } - } - - /** - * Remove an association if it exists. Do nothing if it does not. - * - * @return bool $success - */ - function removeAssociation($server_url, $handle) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - $assoc = $this->getAssociation($server_url, $handle); - if ($assoc === null) { - return false; - } else { - $filename = $this->getAssociationFilename($server_url, $handle); - return Auth_OpenID_FileStore::_removeIfPresent($filename); - } - } - - /** - * Return whether this nonce is present. As a side effect, mark it - * as no longer present. - * - * @return bool $present - */ - function useNonce($server_url, $timestamp, $salt) - { - global $Auth_OpenID_SKEW; - - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) { - return False; - } - - if ($server_url) { - list($proto, $rest) = explode('://', $server_url, 2); - } else { - $proto = ''; - $rest = ''; - } - - $parts = explode('/', $rest, 2); - $domain = $this->_filenameEscape($parts[0]); - $url_hash = $this->_safe64($server_url); - $salt_hash = $this->_safe64($salt); - - $filename = sprintf('%08x-%s-%s-%s-%s', $timestamp, $proto, - $domain, $url_hash, $salt_hash); - $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $filename; - - $result = @fopen($filename, 'x'); - - if ($result === false) { - return false; - } else { - fclose($result); - return true; - } - } - - /** - * Remove expired entries from the database. This is potentially - * expensive, so only run when it is acceptable to take time. - * - * @access private - */ - function _allAssocs() - { - $all_associations = array(); - - $association_filenames = - Auth_OpenID_FileStore::_listdir($this->association_dir); - - foreach ($association_filenames as $association_filename) { - $association_file = fopen($association_filename, 'rb'); - - if ($association_file !== false) { - $assoc_s = fread($association_file, - filesize($association_filename)); - fclose($association_file); - - // Remove expired or corrupted associations - $association = - Auth_OpenID_Association::deserialize( - 'Auth_OpenID_Association', $assoc_s); - - if ($association === null) { - Auth_OpenID_FileStore::_removeIfPresent( - $association_filename); - } else { - if ($association->getExpiresIn() == 0) { - $all_associations[] = array($association_filename, - $association); - } - } - } - } - - return $all_associations; - } - - function clean() - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); - $now = time(); - - // Check all nonces for expiry - foreach ($nonces as $nonce) { - if (!Auth_OpenID_checkTimestamp($nonce, $now)) { - $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $nonce; - Auth_OpenID_FileStore::_removeIfPresent($filename); - } - } - - foreach ($this->_allAssocs() as $pair) { - list($assoc_filename, $assoc) = $pair; - if ($assoc->getExpiresIn() == 0) { - Auth_OpenID_FileStore::_removeIfPresent($assoc_filename); - } - } - } - - /** - * @access private - */ - function _rmtree($dir) - { - if ($dir[strlen($dir) - 1] != DIRECTORY_SEPARATOR) { - $dir .= DIRECTORY_SEPARATOR; - } - - if ($handle = opendir($dir)) { - while ($item = readdir($handle)) { - if (!in_array($item, array('.', '..'))) { - if (is_dir($dir . $item)) { - - if (!Auth_OpenID_FileStore::_rmtree($dir . $item)) { - return false; - } - } else if (is_file($dir . $item)) { - if (!unlink($dir . $item)) { - return false; - } - } - } - } - - closedir($handle); - - if (!@rmdir($dir)) { - return false; - } - - return true; - } else { - // Couldn't open directory. - return false; - } - } - - /** - * @access private - */ - function _mkstemp($dir) - { - foreach (range(0, 4) as $i) { - $name = tempnam($dir, "php_openid_filestore_"); - - if ($name !== false) { - return $name; - } - } - return false; - } - - /** - * @access private - */ - function _mkdtemp($dir) - { - foreach (range(0, 4) as $i) { - $name = $dir . strval(DIRECTORY_SEPARATOR) . strval(getmypid()) . - "-" . strval(rand(1, time())); - if (!mkdir($name, 0700)) { - return false; - } else { - return $name; - } - } - return false; - } - - /** - * @access private - */ - function _listdir($dir) - { - $handle = opendir($dir); - $files = array(); - while (false !== ($filename = readdir($handle))) { - if (!in_array($filename, array('.', '..'))) { - $files[] = $dir . DIRECTORY_SEPARATOR . $filename; - } - } - return $files; - } - - /** - * @access private - */ - function _isFilenameSafe($char) - { - $_Auth_OpenID_filename_allowed = Auth_OpenID_letters . - Auth_OpenID_digits . "."; - return (strpos($_Auth_OpenID_filename_allowed, $char) !== false); - } - - /** - * @access private - */ - function _safe64($str) - { - $h64 = base64_encode(Auth_OpenID_SHA1($str)); - $h64 = str_replace('+', '_', $h64); - $h64 = str_replace('/', '.', $h64); - $h64 = str_replace('=', '', $h64); - return $h64; - } - - /** - * @access private - */ - function _filenameEscape($str) - { - $filename = ""; - $b = Auth_OpenID::toBytes($str); - - for ($i = 0; $i < count($b); $i++) { - $c = $b[$i]; - if (Auth_OpenID_FileStore::_isFilenameSafe($c)) { - $filename .= $c; - } else { - $filename .= sprintf("_%02X", ord($c)); - } - } - return $filename; - } - - /** - * Attempt to remove a file, returning whether the file existed at - * the time of the call. - * - * @access private - * @return bool $result True if the file was present, false if not. - */ - function _removeIfPresent($filename) - { - return @unlink($filename); - } - - function cleanupAssociations() - { - $removed = 0; - foreach ($this->_allAssocs() as $pair) { - list($assoc_filename, $assoc) = $pair; - if ($assoc->getExpiresIn() == 0) { - $this->_removeIfPresent($assoc_filename); - $removed += 1; - } - } - return $removed; - } -} - -?> diff --git a/models/Auth.old/OpenID/HMACSHA1.php b/models/Auth.old/OpenID/HMACSHA1.php deleted file mode 100644 index 9fc293e7f..000000000 --- a/models/Auth.old/OpenID/HMACSHA1.php +++ /dev/null @@ -1,99 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -require_once 'Auth/OpenID.php'; - -/** - * SHA1_BLOCKSIZE is this module's SHA1 blocksize used by the fallback - * implementation. - */ -define('Auth_OpenID_SHA1_BLOCKSIZE', 64); - -function Auth_OpenID_SHA1($text) -{ - if (function_exists('hash') && - function_exists('hash_algos') && - (in_array('sha1', hash_algos()))) { - // PHP 5 case (sometimes): 'hash' available and 'sha1' algo - // supported. - return hash('sha1', $text, true); - } else if (function_exists('sha1')) { - // PHP 4 case: 'sha1' available. - $hex = sha1($text); - $raw = ''; - for ($i = 0; $i < 40; $i += 2) { - $hexcode = substr($hex, $i, 2); - $charcode = (int)base_convert($hexcode, 16, 10); - $raw .= chr($charcode); - } - return $raw; - } else { - // Explode. - trigger_error('No SHA1 function found', E_USER_ERROR); - } -} - -/** - * Compute an HMAC/SHA1 hash. - * - * @access private - * @param string $key The HMAC key - * @param string $text The message text to hash - * @return string $mac The MAC - */ -function Auth_OpenID_HMACSHA1($key, $text) -{ - if (Auth_OpenID::bytes($key) > Auth_OpenID_SHA1_BLOCKSIZE) { - $key = Auth_OpenID_SHA1($key, true); - } - - $key = str_pad($key, Auth_OpenID_SHA1_BLOCKSIZE, chr(0x00)); - $ipad = str_repeat(chr(0x36), Auth_OpenID_SHA1_BLOCKSIZE); - $opad = str_repeat(chr(0x5c), Auth_OpenID_SHA1_BLOCKSIZE); - $hash1 = Auth_OpenID_SHA1(($key ^ $ipad) . $text, true); - $hmac = Auth_OpenID_SHA1(($key ^ $opad) . $hash1, true); - return $hmac; -} - -if (function_exists('hash') && - function_exists('hash_algos') && - (in_array('sha256', hash_algos()))) { - function Auth_OpenID_SHA256($text) - { - // PHP 5 case: 'hash' available and 'sha256' algo supported. - return hash('sha256', $text, true); - } - define('Auth_OpenID_SHA256_SUPPORTED', true); -} else { - define('Auth_OpenID_SHA256_SUPPORTED', false); -} - -if (function_exists('hash_hmac') && - function_exists('hash_algos') && - (in_array('sha256', hash_algos()))) { - - function Auth_OpenID_HMACSHA256($key, $text) - { - // Return raw MAC (not hex string). - return hash_hmac('sha256', $key, $text, true); - } - - define('Auth_OpenID_HMACSHA256_SUPPORTED', true); -} else { - define('Auth_OpenID_HMACSHA256_SUPPORTED', false); -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Interface.php b/models/Auth.old/OpenID/Interface.php deleted file mode 100644 index 38fe36983..000000000 --- a/models/Auth.old/OpenID/Interface.php +++ /dev/null @@ -1,197 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * This is the interface for the store objects the OpenID library - * uses. It is a single class that provides all of the persistence - * mechanisms that the OpenID library needs, for both servers and - * consumers. If you want to create an SQL-driven store, please see - * then {@link Auth_OpenID_SQLStore} class. - * - * Change: Version 2.0 removed the storeNonce, getAuthKey, and isDumb - * methods, and changed the behavior of the useNonce method to support - * one-way nonces. - * - * @package OpenID - * @author JanRain, Inc. - */ -class Auth_OpenID_OpenIDStore { - /** - * This method puts an Association object into storage, - * retrievable by server URL and handle. - * - * @param string $server_url The URL of the identity server that - * this association is with. Because of the way the server portion - * of the library uses this interface, don't assume there are any - * limitations on the character set of the input string. In - * particular, expect to see unescaped non-url-safe characters in - * the server_url field. - * - * @param Association $association The Association to store. - */ - function storeAssociation($server_url, $association) - { - trigger_error("Auth_OpenID_OpenIDStore::storeAssociation ". - "not implemented", E_USER_ERROR); - } - - /* - * Remove expired nonces from the store. - * - * Discards any nonce from storage that is old enough that its - * timestamp would not pass useNonce(). - * - * This method is not called in the normal operation of the - * library. It provides a way for store admins to keep their - * storage from filling up with expired data. - * - * @return the number of nonces expired - */ - function cleanupNonces() - { - trigger_error("Auth_OpenID_OpenIDStore::cleanupNonces ". - "not implemented", E_USER_ERROR); - } - - /* - * Remove expired associations from the store. - * - * This method is not called in the normal operation of the - * library. It provides a way for store admins to keep their - * storage from filling up with expired data. - * - * @return the number of associations expired. - */ - function cleanupAssociations() - { - trigger_error("Auth_OpenID_OpenIDStore::cleanupAssociations ". - "not implemented", E_USER_ERROR); - } - - /* - * Shortcut for cleanupNonces(), cleanupAssociations(). - * - * This method is not called in the normal operation of the - * library. It provides a way for store admins to keep their - * storage from filling up with expired data. - */ - function cleanup() - { - return array($this->cleanupNonces(), - $this->cleanupAssociations()); - } - - /** - * Report whether this storage supports cleanup - */ - function supportsCleanup() - { - return true; - } - - /** - * This method returns an Association object from storage that - * matches the server URL and, if specified, handle. It returns - * null if no such association is found or if the matching - * association is expired. - * - * If no handle is specified, the store may return any association - * which matches the server URL. If multiple associations are - * valid, the recommended return value for this method is the one - * most recently issued. - * - * This method is allowed (and encouraged) to garbage collect - * expired associations when found. This method must not return - * expired associations. - * - * @param string $server_url The URL of the identity server to get - * the association for. Because of the way the server portion of - * the library uses this interface, don't assume there are any - * limitations on the character set of the input string. In - * particular, expect to see unescaped non-url-safe characters in - * the server_url field. - * - * @param mixed $handle This optional parameter is the handle of - * the specific association to get. If no specific handle is - * provided, any valid association matching the server URL is - * returned. - * - * @return Association The Association for the given identity - * server. - */ - function getAssociation($server_url, $handle = null) - { - trigger_error("Auth_OpenID_OpenIDStore::getAssociation ". - "not implemented", E_USER_ERROR); - } - - /** - * This method removes the matching association if it's found, and - * returns whether the association was removed or not. - * - * @param string $server_url The URL of the identity server the - * association to remove belongs to. Because of the way the server - * portion of the library uses this interface, don't assume there - * are any limitations on the character set of the input - * string. In particular, expect to see unescaped non-url-safe - * characters in the server_url field. - * - * @param string $handle This is the handle of the association to - * remove. If there isn't an association found that matches both - * the given URL and handle, then there was no matching handle - * found. - * - * @return mixed Returns whether or not the given association existed. - */ - function removeAssociation($server_url, $handle) - { - trigger_error("Auth_OpenID_OpenIDStore::removeAssociation ". - "not implemented", E_USER_ERROR); - } - - /** - * Called when using a nonce. - * - * This method should return C{True} if the nonce has not been - * used before, and store it for a while to make sure nobody - * tries to use the same value again. If the nonce has already - * been used, return C{False}. - * - * Change: In earlier versions, round-trip nonces were used and a - * nonce was only valid if it had been previously stored with - * storeNonce. Version 2.0 uses one-way nonces, requiring a - * different implementation here that does not depend on a - * storeNonce call. (storeNonce is no longer part of the - * interface. - * - * @param string $nonce The nonce to use. - * - * @return bool Whether or not the nonce was valid. - */ - function useNonce($server_url, $timestamp, $salt) - { - trigger_error("Auth_OpenID_OpenIDStore::useNonce ". - "not implemented", E_USER_ERROR); - } - - /** - * Removes all entries from the store; implementation is optional. - */ - function reset() - { - } - -} -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/KVForm.php b/models/Auth.old/OpenID/KVForm.php deleted file mode 100644 index 6075c44f0..000000000 --- a/models/Auth.old/OpenID/KVForm.php +++ /dev/null @@ -1,112 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * Container for key-value/comma-newline OpenID format and parsing - */ -class Auth_OpenID_KVForm { - /** - * Convert an OpenID colon/newline separated string into an - * associative array - * - * @static - * @access private - */ - function toArray($kvs, $strict=false) - { - $lines = explode("\n", $kvs); - - $last = array_pop($lines); - if ($last !== '') { - array_push($lines, $last); - if ($strict) { - return false; - } - } - - $values = array(); - - for ($lineno = 0; $lineno < count($lines); $lineno++) { - $line = $lines[$lineno]; - $kv = explode(':', $line, 2); - if (count($kv) != 2) { - if ($strict) { - return false; - } - continue; - } - - $key = $kv[0]; - $tkey = trim($key); - if ($tkey != $key) { - if ($strict) { - return false; - } - } - - $value = $kv[1]; - $tval = trim($value); - if ($tval != $value) { - if ($strict) { - return false; - } - } - - $values[$tkey] = $tval; - } - - return $values; - } - - /** - * Convert an array into an OpenID colon/newline separated string - * - * @static - * @access private - */ - function fromArray($values) - { - if ($values === null) { - return null; - } - - ksort($values); - - $serialized = ''; - foreach ($values as $key => $value) { - if (is_array($value)) { - list($key, $value) = array($value[0], $value[1]); - } - - if (strpos($key, ':') !== false) { - return null; - } - - if (strpos($key, "\n") !== false) { - return null; - } - - if (strpos($value, "\n") !== false) { - return null; - } - $serialized .= "$key:$value\n"; - } - return $serialized; - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/MemcachedStore.php b/models/Auth.old/OpenID/MemcachedStore.php deleted file mode 100644 index 7f9b180a4..000000000 --- a/models/Auth.old/OpenID/MemcachedStore.php +++ /dev/null @@ -1,207 +0,0 @@ - - * @copyright Open Web Technologies - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -/** - * Import the interface for creating a new store class. - */ -require_once 'Auth/OpenID/Interface.php'; - -/** - * This is a memcached-based store for OpenID associations and - * nonces. - * - * As memcache has limit of 250 chars for key length, - * server_url, handle and salt are hashed with sha1(). - * - * Most of the methods of this class are implementation details. - * People wishing to just use this store need only pay attention to - * the constructor. - * - * @package OpenID - */ -class Auth_OpenID_MemcachedStore extends Auth_OpenID_OpenIDStore { - - /** - * Initializes a new {@link Auth_OpenID_MemcachedStore} instance. - * Just saves memcached object as property. - * - * @param resource connection Memcache connection resourse - */ - function Auth_OpenID_MemcachedStore($connection, $compress = false) - { - $this->connection = $connection; - $this->compress = $compress ? MEMCACHE_COMPRESSED : 0; - } - - /** - * Store association until its expiration time in memcached. - * Overwrites any existing association with same server_url and - * handle. Handles list of associations for every server. - */ - function storeAssociation($server_url, $association) - { - // create memcached keys for association itself - // and list of associations for this server - $associationKey = $this->associationKey($server_url, - $association->handle); - $serverKey = $this->associationServerKey($server_url); - - // get list of associations - $serverAssociations = $this->connection->get($serverKey); - - // if no such list, initialize it with empty array - if (!$serverAssociations) { - $serverAssociations = array(); - } - // and store given association key in it - $serverAssociations[$association->issued] = $associationKey; - - // save associations' keys list - $this->connection->set( - $serverKey, - $serverAssociations, - $this->compress - ); - // save association itself - $this->connection->set( - $associationKey, - $association, - $this->compress, - $association->issued + $association->lifetime); - } - - /** - * Read association from memcached. If no handle given - * and multiple associations found, returns latest issued - */ - function getAssociation($server_url, $handle = null) - { - // simple case: handle given - if ($handle !== null) { - // get association, return null if failed - $association = $this->connection->get( - $this->associationKey($server_url, $handle)); - return $association ? $association : null; - } - - // no handle given, working with list - // create key for list of associations - $serverKey = $this->associationServerKey($server_url); - - // get list of associations - $serverAssociations = $this->connection->get($serverKey); - // return null if failed or got empty list - if (!$serverAssociations) { - return null; - } - - // get key of most recently issued association - $keys = array_keys($serverAssociations); - sort($keys); - $lastKey = $serverAssociations[array_pop($keys)]; - - // get association, return null if failed - $association = $this->connection->get($lastKey); - return $association ? $association : null; - } - - /** - * Immediately delete association from memcache. - */ - function removeAssociation($server_url, $handle) - { - // create memcached keys for association itself - // and list of associations for this server - $serverKey = $this->associationServerKey($server_url); - $associationKey = $this->associationKey($server_url, - $handle); - - // get list of associations - $serverAssociations = $this->connection->get($serverKey); - // return null if failed or got empty list - if (!$serverAssociations) { - return false; - } - - // ensure that given association key exists in list - $serverAssociations = array_flip($serverAssociations); - if (!array_key_exists($associationKey, $serverAssociations)) { - return false; - } - - // remove given association key from list - unset($serverAssociations[$associationKey]); - $serverAssociations = array_flip($serverAssociations); - - // save updated list - $this->connection->set( - $serverKey, - $serverAssociations, - $this->compress - ); - - // delete association - return $this->connection->delete($associationKey); - } - - /** - * Create nonce for server and salt, expiring after - * $Auth_OpenID_SKEW seconds. - */ - function useNonce($server_url, $timestamp, $salt) - { - global $Auth_OpenID_SKEW; - - // save one request to memcache when nonce obviously expired - if (abs($timestamp - time()) > $Auth_OpenID_SKEW) { - return false; - } - - // returns false when nonce already exists - // otherwise adds nonce - return $this->connection->add( - 'openid_nonce_' . sha1($server_url) . '_' . sha1($salt), - 1, // any value here - $this->compress, - $Auth_OpenID_SKEW); - } - - /** - * Memcache key is prefixed with 'openid_association_' string. - */ - function associationKey($server_url, $handle = null) - { - return 'openid_association_' . sha1($server_url) . '_' . sha1($handle); - } - - /** - * Memcache key is prefixed with 'openid_association_' string. - */ - function associationServerKey($server_url) - { - return 'openid_association_server_' . sha1($server_url); - } - - /** - * Report that this storage doesn't support cleanup - */ - function supportsCleanup() - { - return false; - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Message.php b/models/Auth.old/OpenID/Message.php deleted file mode 100644 index 8a02ab22c..000000000 --- a/models/Auth.old/OpenID/Message.php +++ /dev/null @@ -1,895 +0,0 @@ -keys = array(); - $this->values = array(); - - if (is_array($classic_array)) { - foreach ($classic_array as $key => $value) { - $this->set($key, $value); - } - } - } - - /** - * Returns true if $thing is an Auth_OpenID_Mapping object; false - * if not. - */ - function isA($thing) - { - return (is_object($thing) && - strtolower(get_class($thing)) == 'auth_openid_mapping'); - } - - /** - * Returns an array of the keys in the mapping. - */ - function keys() - { - return $this->keys; - } - - /** - * Returns an array of values in the mapping. - */ - function values() - { - return $this->values; - } - - /** - * Returns an array of (key, value) pairs in the mapping. - */ - function items() - { - $temp = array(); - - for ($i = 0; $i < count($this->keys); $i++) { - $temp[] = array($this->keys[$i], - $this->values[$i]); - } - return $temp; - } - - /** - * Returns the "length" of the mapping, or the number of keys. - */ - function len() - { - return count($this->keys); - } - - /** - * Sets a key-value pair in the mapping. If the key already - * exists, its value is replaced with the new value. - */ - function set($key, $value) - { - $index = array_search($key, $this->keys); - - if ($index !== false) { - $this->values[$index] = $value; - } else { - $this->keys[] = $key; - $this->values[] = $value; - } - } - - /** - * Gets a specified value from the mapping, associated with the - * specified key. If the key does not exist in the mapping, - * $default is returned instead. - */ - function get($key, $default = null) - { - $index = array_search($key, $this->keys); - - if ($index !== false) { - return $this->values[$index]; - } else { - return $default; - } - } - - /** - * @access private - */ - function _reflow() - { - // PHP is broken yet again. Sort the arrays to remove the - // hole in the numeric indexes that make up the array. - $old_keys = $this->keys; - $old_values = $this->values; - - $this->keys = array(); - $this->values = array(); - - foreach ($old_keys as $k) { - $this->keys[] = $k; - } - - foreach ($old_values as $v) { - $this->values[] = $v; - } - } - - /** - * Deletes a key-value pair from the mapping with the specified - * key. - */ - function del($key) - { - $index = array_search($key, $this->keys); - - if ($index !== false) { - unset($this->keys[$index]); - unset($this->values[$index]); - $this->_reflow(); - return true; - } - return false; - } - - /** - * Returns true if the specified value has a key in the mapping; - * false if not. - */ - function contains($value) - { - return (array_search($value, $this->keys) !== false); - } -} - -/** - * Maintains a bijective map between namespace uris and aliases. - * - * @package OpenID - */ -class Auth_OpenID_NamespaceMap { - function Auth_OpenID_NamespaceMap() - { - $this->alias_to_namespace = new Auth_OpenID_Mapping(); - $this->namespace_to_alias = new Auth_OpenID_Mapping(); - } - - function getAlias($namespace_uri) - { - return $this->namespace_to_alias->get($namespace_uri); - } - - function getNamespaceURI($alias) - { - return $this->alias_to_namespace->get($alias); - } - - function iterNamespaceURIs() - { - // Return an iterator over the namespace URIs - return $this->namespace_to_alias->keys(); - } - - function iterAliases() - { - // Return an iterator over the aliases""" - return $this->alias_to_namespace->keys(); - } - - function iteritems() - { - return $this->namespace_to_alias->items(); - } - - function addAlias($namespace_uri, $desired_alias) - { - // Add an alias from this namespace URI to the desired alias - global $Auth_OpenID_OPENID_PROTOCOL_FIELDS; - - // Check that desired_alias is not an openid protocol field as - // per the spec. - if (in_array($desired_alias, $Auth_OpenID_OPENID_PROTOCOL_FIELDS)) { - // "%r is not an allowed namespace alias" % (desired_alias,); - return null; - } - - // Check that desired_alias does not contain a period as per - // the spec. - if (strpos($desired_alias, '.') !== false) { - // "%r must not contain a dot" % (desired_alias,) - return null; - } - - // Check that there is not a namespace already defined for the - // desired alias - $current_namespace_uri = - $this->alias_to_namespace->get($desired_alias); - - if (($current_namespace_uri !== null) && - ($current_namespace_uri != $namespace_uri)) { - // Cannot map because previous mapping exists - return null; - } - - // Check that there is not already a (different) alias for - // this namespace URI - $alias = $this->namespace_to_alias->get($namespace_uri); - - if (($alias !== null) && ($alias != $desired_alias)) { - // fmt = ('Cannot map %r to alias %r. ' - // 'It is already mapped to alias %r') - // raise KeyError(fmt % (namespace_uri, desired_alias, alias)) - return null; - } - - assert((Auth_OpenID_NULL_NAMESPACE === $desired_alias) || - is_string($desired_alias)); - - $this->alias_to_namespace->set($desired_alias, $namespace_uri); - $this->namespace_to_alias->set($namespace_uri, $desired_alias); - - return $desired_alias; - } - - function add($namespace_uri) - { - // Add this namespace URI to the mapping, without caring what - // alias it ends up with - - // See if this namespace is already mapped to an alias - $alias = $this->namespace_to_alias->get($namespace_uri); - - if ($alias !== null) { - return $alias; - } - - // Fall back to generating a numerical alias - $i = 0; - while (1) { - $alias = 'ext' . strval($i); - if ($this->addAlias($namespace_uri, $alias) === null) { - $i += 1; - } else { - return $alias; - } - } - - // Should NEVER be reached! - return null; - } - - function contains($namespace_uri) - { - return $this->isDefined($namespace_uri); - } - - function isDefined($namespace_uri) - { - return $this->namespace_to_alias->contains($namespace_uri); - } -} - -/** - * In the implementation of this object, null represents the global - * namespace as well as a namespace with no key. - * - * @package OpenID - */ -class Auth_OpenID_Message { - - function Auth_OpenID_Message($openid_namespace = null) - { - // Create an empty Message - $this->allowed_openid_namespaces = array( - Auth_OpenID_OPENID1_NS, - Auth_OpenID_OPENID2_NS); - - $this->args = new Auth_OpenID_Mapping(); - $this->namespaces = new Auth_OpenID_NamespaceMap(); - if ($openid_namespace === null) { - $this->_openid_ns_uri = null; - } else { - $this->setOpenIDNamespace($openid_namespace); - } - } - - function isOpenID1() - { - return $this->getOpenIDNamespace() == Auth_OpenID_OPENID1_NS; - } - - function isOpenID2() - { - return $this->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS; - } - - function fromPostArgs($args) - { - // Construct a Message containing a set of POST arguments - $obj = new Auth_OpenID_Message(); - - // Partition into "openid." args and bare args - $openid_args = array(); - foreach ($args as $key => $value) { - - if (is_array($value)) { - return null; - } - - $parts = explode('.', $key, 2); - - if (count($parts) == 2) { - list($prefix, $rest) = $parts; - } else { - $prefix = null; - } - - if ($prefix != 'openid') { - $obj->args->set(array(Auth_OpenID_BARE_NS, $key), $value); - } else { - $openid_args[$rest] = $value; - } - } - - if ($obj->_fromOpenIDArgs($openid_args)) { - return $obj; - } else { - return null; - } - } - - function fromOpenIDArgs($openid_args) - { - // Takes an array. - - // Construct a Message from a parsed KVForm message - $obj = new Auth_OpenID_Message(); - if ($obj->_fromOpenIDArgs($openid_args)) { - return $obj; - } else { - return null; - } - } - - /** - * @access private - */ - function _fromOpenIDArgs($openid_args) - { - global $Auth_OpenID_registered_aliases; - - // Takes an Auth_OpenID_Mapping instance OR an array. - - if (!Auth_OpenID_Mapping::isA($openid_args)) { - $openid_args = new Auth_OpenID_Mapping($openid_args); - } - - $ns_args = array(); - - // Resolve namespaces - foreach ($openid_args->items() as $pair) { - list($rest, $value) = $pair; - - $parts = explode('.', $rest, 2); - - if (count($parts) == 2) { - list($ns_alias, $ns_key) = $parts; - } else { - $ns_alias = Auth_OpenID_NULL_NAMESPACE; - $ns_key = $rest; - } - - if ($ns_alias == 'ns') { - if ($this->namespaces->addAlias($value, $ns_key) === null) { - return false; - } - } else if (($ns_alias == Auth_OpenID_NULL_NAMESPACE) && - ($ns_key == 'ns')) { - // null namespace - if ($this->namespaces->addAlias($value, - Auth_OpenID_NULL_NAMESPACE) === null) { - return false; - } - } else { - $ns_args[] = array($ns_alias, $ns_key, $value); - } - } - - // Ensure that there is an OpenID namespace definition - $openid_ns_uri = - $this->namespaces->getNamespaceURI(Auth_OpenID_NULL_NAMESPACE); - - if ($openid_ns_uri === null) { - $openid_ns_uri = Auth_OpenID_OPENID1_NS; - } - - $this->setOpenIDNamespace($openid_ns_uri); - - // Actually put the pairs into the appropriate namespaces - foreach ($ns_args as $triple) { - list($ns_alias, $ns_key, $value) = $triple; - $ns_uri = $this->namespaces->getNamespaceURI($ns_alias); - if ($ns_uri === null) { - // Only try to map an alias to a default if it's an - // OpenID 1.x message. - if ($openid_ns_uri == Auth_OpenID_OPENID1_NS) { - foreach ($Auth_OpenID_registered_aliases - as $alias => $uri) { - if ($alias == $ns_alias) { - $ns_uri = $uri; - break; - } - } - } - - if ($ns_uri === null) { - $ns_uri = $openid_ns_uri; - $ns_key = sprintf('%s.%s', $ns_alias, $ns_key); - } else { - $this->namespaces->addAlias($ns_uri, $ns_alias); - } - } - - $this->setArg($ns_uri, $ns_key, $value); - } - - return true; - } - - function setOpenIDNamespace($openid_ns_uri) - { - if (!in_array($openid_ns_uri, $this->allowed_openid_namespaces)) { - // raise ValueError('Invalid null namespace: %r' % (openid_ns_uri,)) - return false; - } - - $this->namespaces->addAlias($openid_ns_uri, - Auth_OpenID_NULL_NAMESPACE); - $this->_openid_ns_uri = $openid_ns_uri; - } - - function getOpenIDNamespace() - { - return $this->_openid_ns_uri; - } - - function fromKVForm($kvform_string) - { - // Create a Message from a KVForm string - return Auth_OpenID_Message::fromOpenIDArgs( - Auth_OpenID_KVForm::toArray($kvform_string)); - } - - function copy() - { - return $this; - } - - function toPostArgs() - { - // Return all arguments with openid. in front of namespaced - // arguments. - - $args = array(); - - // Add namespace definitions to the output - foreach ($this->namespaces->iteritems() as $pair) { - list($ns_uri, $alias) = $pair; - - if ($alias == Auth_OpenID_NULL_NAMESPACE) { - if ($ns_uri != Auth_OpenID_OPENID1_NS) { - $args['openid.ns'] = $ns_uri; - } else { - // drop the default null namespace - // definition. This potentially changes a message - // since we have no way of knowing whether it was - // explicitly specified at the time the message - // was parsed. The vast majority of the time, this - // will be the right thing to do. Possibly this - // could look in the signed list. - } - } else { - if ($this->getOpenIDNamespace() != Auth_OpenID_OPENID1_NS) { - $ns_key = 'openid.ns.' . $alias; - $args[$ns_key] = $ns_uri; - } - } - } - - foreach ($this->args->items() as $pair) { - list($ns_parts, $value) = $pair; - list($ns_uri, $ns_key) = $ns_parts; - $key = $this->getKey($ns_uri, $ns_key); - $args[$key] = $value; - } - - return $args; - } - - function toArgs() - { - // Return all namespaced arguments, failing if any - // non-namespaced arguments exist. - $post_args = $this->toPostArgs(); - $kvargs = array(); - foreach ($post_args as $k => $v) { - if (strpos($k, 'openid.') !== 0) { - // raise ValueError( - // 'This message can only be encoded as a POST, because it ' - // 'contains arguments that are not prefixed with "openid."') - return null; - } else { - $kvargs[substr($k, 7)] = $v; - } - } - - return $kvargs; - } - - function toFormMarkup($action_url, $form_tag_attrs = null, - $submit_text = "Continue") - { - $form = "
$attr) { - $form .= sprintf(" %s=\"%s\"", $name, $attr); - } - } - - $form .= ">\n"; - - foreach ($this->toPostArgs() as $name => $value) { - $form .= sprintf( - "\n", - $name, $value); - } - - $form .= sprintf("\n", - $submit_text); - - $form .= "
\n"; - - return $form; - } - - function toURL($base_url) - { - // Generate a GET URL with the parameters in this message - // attached as query parameters. - return Auth_OpenID::appendArgs($base_url, $this->toPostArgs()); - } - - function toKVForm() - { - // Generate a KVForm string that contains the parameters in - // this message. This will fail if the message contains - // arguments outside of the 'openid.' prefix. - return Auth_OpenID_KVForm::fromArray($this->toArgs()); - } - - function toURLEncoded() - { - // Generate an x-www-urlencoded string - $args = array(); - - foreach ($this->toPostArgs() as $k => $v) { - $args[] = array($k, $v); - } - - sort($args); - return Auth_OpenID::httpBuildQuery($args); - } - - /** - * @access private - */ - function _fixNS($namespace) - { - // Convert an input value into the internally used values of - // this object - - if ($namespace == Auth_OpenID_OPENID_NS) { - if ($this->_openid_ns_uri === null) { - // raise UndefinedOpenIDNamespace('OpenID namespace not set') - return null; - } else { - $namespace = $this->_openid_ns_uri; - } - } - - if (($namespace != Auth_OpenID_BARE_NS) && - (!is_string($namespace))) { - // raise TypeError( - // "Namespace must be BARE_NS, OPENID_NS or a string. got %r" - // % (namespace,)) - return null; - } - - if (($namespace != Auth_OpenID_BARE_NS) && - (strpos($namespace, ':') === false)) { - // fmt = 'OpenID 2.0 namespace identifiers SHOULD be URIs. Got %r' - // warnings.warn(fmt % (namespace,), DeprecationWarning) - - if ($namespace == 'sreg') { - // fmt = 'Using %r instead of "sreg" as namespace' - // warnings.warn(fmt % (SREG_URI,), DeprecationWarning,) - return Auth_OpenID_SREG_URI; - } - } - - return $namespace; - } - - function hasKey($namespace, $ns_key) - { - $namespace = $this->_fixNS($namespace); - if ($namespace !== null) { - return $this->args->contains(array($namespace, $ns_key)); - } else { - return false; - } - } - - function getKey($namespace, $ns_key) - { - // Get the key for a particular namespaced argument - $namespace = $this->_fixNS($namespace); - if ($namespace == Auth_OpenID_BARE_NS) { - return $ns_key; - } - - $ns_alias = $this->namespaces->getAlias($namespace); - - // No alias is defined, so no key can exist - if ($ns_alias === null) { - return null; - } - - if ($ns_alias == Auth_OpenID_NULL_NAMESPACE) { - $tail = $ns_key; - } else { - $tail = sprintf('%s.%s', $ns_alias, $ns_key); - } - - return 'openid.' . $tail; - } - - function getArg($namespace, $key, $default = null) - { - // Get a value for a namespaced key. - $namespace = $this->_fixNS($namespace); - - if ($namespace !== null) { - if ((!$this->args->contains(array($namespace, $key))) && - ($default == Auth_OpenID_NO_DEFAULT)) { - return null; - } else { - return $this->args->get(array($namespace, $key), $default); - } - } else { - return null; - } - } - - function getArgs($namespace) - { - // Get the arguments that are defined for this namespace URI - - $namespace = $this->_fixNS($namespace); - if ($namespace !== null) { - $stuff = array(); - foreach ($this->args->items() as $pair) { - list($key, $value) = $pair; - list($pair_ns, $ns_key) = $key; - if ($pair_ns == $namespace) { - $stuff[$ns_key] = $value; - } - } - - return $stuff; - } - - return array(); - } - - function updateArgs($namespace, $updates) - { - // Set multiple key/value pairs in one call - - $namespace = $this->_fixNS($namespace); - - if ($namespace !== null) { - foreach ($updates as $k => $v) { - $this->setArg($namespace, $k, $v); - } - return true; - } else { - return false; - } - } - - function setArg($namespace, $key, $value) - { - // Set a single argument in this namespace - $namespace = $this->_fixNS($namespace); - - if ($namespace !== null) { - $this->args->set(array($namespace, $key), $value); - if ($namespace !== Auth_OpenID_BARE_NS) { - $this->namespaces->add($namespace); - } - return true; - } else { - return false; - } - } - - function delArg($namespace, $key) - { - $namespace = $this->_fixNS($namespace); - - if ($namespace !== null) { - return $this->args->del(array($namespace, $key)); - } else { - return false; - } - } - - function getAliasedArg($aliased_key, $default = null) - { - $parts = explode('.', $aliased_key, 2); - - if (count($parts) != 2) { - $ns = null; - } else { - list($alias, $key) = $parts; - - if ($alias == 'ns') { - // Return the namespace URI for a namespace alias - // parameter. - return $this->namespaces->getNamespaceURI($key); - } else { - $ns = $this->namespaces->getNamespaceURI($alias); - } - } - - if ($ns === null) { - $key = $aliased_key; - $ns = $this->getOpenIDNamespace(); - } - - return $this->getArg($ns, $key, $default); - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/MySQLStore.php b/models/Auth.old/OpenID/MySQLStore.php deleted file mode 100644 index f8dc9ae17..000000000 --- a/models/Auth.old/OpenID/MySQLStore.php +++ /dev/null @@ -1,77 +0,0 @@ -sql['nonce_table'] = - "CREATE TABLE %s (\n". - " server_url VARCHAR(2047),\n". - " timestamp INTEGER,\n". - " salt CHAR(40),\n". - " UNIQUE (server_url(255), timestamp, salt)\n". - ") TYPE=InnoDB"; - - $this->sql['assoc_table'] = - "CREATE TABLE %s (\n". - " server_url BLOB,\n". - " handle VARCHAR(255),\n". - " secret BLOB,\n". - " issued INTEGER,\n". - " lifetime INTEGER,\n". - " assoc_type VARCHAR(64),\n". - " PRIMARY KEY (server_url(255), handle)\n". - ") TYPE=InnoDB"; - - $this->sql['set_assoc'] = - "REPLACE INTO %s VALUES (?, ?, !, ?, ?, ?)"; - - $this->sql['get_assocs'] = - "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". - "WHERE server_url = ?"; - - $this->sql['get_assoc'] = - "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". - "WHERE server_url = ? AND handle = ?"; - - $this->sql['remove_assoc'] = - "DELETE FROM %s WHERE server_url = ? AND handle = ?"; - - $this->sql['add_nonce'] = - "INSERT INTO %s (server_url, timestamp, salt) VALUES (?, ?, ?)"; - - $this->sql['clean_nonce'] = - "DELETE FROM %s WHERE timestamp < ?"; - - $this->sql['clean_assoc'] = - "DELETE FROM %s WHERE issued + lifetime < ?"; - } - - /** - * @access private - */ - function blobEncode($blob) - { - return "0x" . bin2hex($blob); - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Nonce.php b/models/Auth.old/OpenID/Nonce.php deleted file mode 100644 index effecac38..000000000 --- a/models/Auth.old/OpenID/Nonce.php +++ /dev/null @@ -1,109 +0,0 @@ - \ No newline at end of file diff --git a/models/Auth.old/OpenID/PAPE.php b/models/Auth.old/OpenID/PAPE.php deleted file mode 100644 index ba9f9f64e..000000000 --- a/models/Auth.old/OpenID/PAPE.php +++ /dev/null @@ -1,311 +0,0 @@ -preferred_auth_policies = $preferred_auth_policies; - $this->max_auth_age = $max_auth_age; - } - - /** - * Add an acceptable authentication policy URI to this request - * - * This method is intended to be used by the relying party to add - * acceptable authentication types to the request. - * - * policy_uri: The identifier for the preferred type of - * authentication. - */ - function addPolicyURI($policy_uri) - { - if (!in_array($policy_uri, $this->preferred_auth_policies)) { - $this->preferred_auth_policies[] = $policy_uri; - } - } - - function getExtensionArgs() - { - $ns_args = array( - 'preferred_auth_policies' => - implode(' ', $this->preferred_auth_policies) - ); - - if ($this->max_auth_age !== null) { - $ns_args['max_auth_age'] = strval($this->max_auth_age); - } - - return $ns_args; - } - - /** - * Instantiate a Request object from the arguments in a checkid_* - * OpenID message - */ - function fromOpenIDRequest($request) - { - $obj = new Auth_OpenID_PAPE_Request(); - $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI); - - if ($args === null || $args === array()) { - return null; - } - - $obj->parseExtensionArgs($args); - return $obj; - } - - /** - * Set the state of this request to be that expressed in these - * PAPE arguments - * - * @param args: The PAPE arguments without a namespace - */ - function parseExtensionArgs($args) - { - // preferred_auth_policies is a space-separated list of policy - // URIs - $this->preferred_auth_policies = array(); - - $policies_str = Auth_OpenID::arrayGet($args, 'preferred_auth_policies'); - if ($policies_str) { - foreach (explode(' ', $policies_str) as $uri) { - if (!in_array($uri, $this->preferred_auth_policies)) { - $this->preferred_auth_policies[] = $uri; - } - } - } - - // max_auth_age is base-10 integer number of seconds - $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age'); - if ($max_auth_age_str) { - $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str); - } else { - $this->max_auth_age = null; - } - } - - /** - * Given a list of authentication policy URIs that a provider - * supports, this method returns the subsequence of those types - * that are preferred by the relying party. - * - * @param supported_types: A sequence of authentication policy - * type URIs that are supported by a provider - * - * @return array The sub-sequence of the supported types that are - * preferred by the relying party. This list will be ordered in - * the order that the types appear in the supported_types - * sequence, and may be empty if the provider does not prefer any - * of the supported authentication types. - */ - function preferredTypes($supported_types) - { - $result = array(); - - foreach ($supported_types as $st) { - if (in_array($st, $this->preferred_auth_policies)) { - $result[] = $st; - } - } - return $result; - } -} - -/** - * A Provider Authentication Policy response, sent from a provider to - * a relying party - */ -class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { - - var $ns_alias = 'pape'; - var $ns_uri = Auth_OpenID_PAPE_NS_URI; - - function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_age=null, - $nist_auth_level=null) - { - if ($auth_policies) { - $this->auth_policies = $auth_policies; - } else { - $this->auth_policies = array(); - } - - $this->auth_age = $auth_age; - $this->nist_auth_level = $nist_auth_level; - } - - /** - * Add a authentication policy to this response - * - * This method is intended to be used by the provider to add a - * policy that the provider conformed to when authenticating the - * user. - * - * @param policy_uri: The identifier for the preferred type of - * authentication. - */ - function addPolicyURI($policy_uri) - { - if (!in_array($policy_uri, $this->auth_policies)) { - $this->auth_policies[] = $policy_uri; - } - } - - /** - * Create an Auth_OpenID_PAPE_Response object from a successful - * OpenID library response. - * - * @param success_response $success_response A SuccessResponse - * from Auth_OpenID_Consumer::complete() - * - * @returns: A provider authentication policy response from the - * data that was supplied with the id_res response. - */ - function fromSuccessResponse($success_response) - { - $obj = new Auth_OpenID_PAPE_Response(); - - // PAPE requires that the args be signed. - $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI); - - if ($args === null || $args === array()) { - return null; - } - - $result = $obj->parseExtensionArgs($args); - - if ($result === false) { - return null; - } else { - return $obj; - } - } - - /** - * Parse the provider authentication policy arguments into the - * internal state of this object - * - * @param args: unqualified provider authentication policy - * arguments - * - * @param strict: Whether to return false when bad data is - * encountered - * - * @return null The data is parsed into the internal fields of - * this object. - */ - function parseExtensionArgs($args, $strict=false) - { - $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies'); - if ($policies_str) { - $this->auth_policies = explode(" ", $policies_str); - } - - $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level'); - if ($nist_level_str !== null) { - $nist_level = Auth_OpenID::intval($nist_level_str); - - if ($nist_level === false) { - if ($strict) { - return false; - } else { - $nist_level = null; - } - } - - if (0 <= $nist_level && $nist_level < 5) { - $this->nist_auth_level = $nist_level; - } else if ($strict) { - return false; - } - } - - $auth_age_str = Auth_OpenID::arrayGet($args, 'auth_age'); - if ($auth_age_str !== null) { - $auth_age = Auth_OpenID::intval($auth_age_str); - if ($auth_age === false) { - if ($strict) { - return false; - } - } else { - if ($auth_age >= 0) { - $this->auth_age = $auth_age; - } else if ($strict) { - return false; - } - } - } - } - - function getExtensionArgs() - { - $ns_args = array( - 'auth_policies' => - implode(' ', $this->auth_policies) - ); - - if ($this->nist_auth_level !== null) { - if (!in_array($this->nist_auth_level, range(0, 4), true)) { - return false; - } - $ns_args['nist_auth_level'] = strval($this->nist_auth_level); - } - - if ($this->auth_age !== null) { - if ($this->auth_age < 0) { - return false; - } - - $result = Auth_OpenID::intval($this->auth_age); - - if ($result === false) { - return false; - } - - $ns_args['auth_age'] = - strval($result); - } - - return $ns_args; - } -} - -?> \ No newline at end of file diff --git a/models/Auth.old/OpenID/Parse.php b/models/Auth.old/OpenID/Parse.php deleted file mode 100644 index d689f9ec9..000000000 --- a/models/Auth.old/OpenID/Parse.php +++ /dev/null @@ -1,352 +0,0 @@ - tags - * in the head of HTML or XHTML documents and parses out their - * attributes according to the OpenID spec. It is a liberal parser, - * but it requires these things from the data in order to work: - * - * - There must be an open tag - * - * - There must be an open tag inside of the tag - * - * - Only s that are found inside of the tag are parsed - * (this is by design) - * - * - The parser follows the OpenID specification in resolving the - * attributes of the link tags. This means that the attributes DO - * NOT get resolved as they would by an XML or HTML parser. In - * particular, only certain entities get replaced, and href - * attributes do not get resolved relative to a base URL. - * - * From http://openid.net/specs.bml: - * - * - The openid.server URL MUST be an absolute URL. OpenID consumers - * MUST NOT attempt to resolve relative URLs. - * - * - The openid.server URL MUST NOT include entities other than &, - * <, >, and ". - * - * The parser ignores SGML comments and . Both kinds - * of quoting are allowed for attributes. - * - * The parser deals with invalid markup in these ways: - * - * - Tag names are not case-sensitive - * - * - The tag is accepted even when it is not at the top level - * - * - The tag is accepted even when it is not a direct child of - * the tag, but a tag must be an ancestor of the - * tag - * - * - tags are accepted even when they are not direct children - * of the tag, but a tag must be an ancestor of the - * tag - * - * - If there is no closing tag for an open or tag, the - * remainder of the document is viewed as being inside of the - * tag. If there is no closing tag for a tag, the link tag is - * treated as a short tag. Exceptions to this rule are that - * closes and or closes - * - * - Attributes of the tag are not required to be quoted. - * - * - In the case of duplicated attribute names, the attribute coming - * last in the tag will be the value returned. - * - * - Any text that does not parse as an attribute within a link tag - * will be ignored. (e.g. will - * ignore pumpkin) - * - * - If there are more than one or tag, the parser only - * looks inside of the first one. - * - * - The contents of ". - "". - ""); - } -} - -/* - * Function to run when this file is included. - * Abstracted to a function to make life easier - * for some PHP optimizers. - */ -function Auth_OpenID_include_init() { - if (Auth_OpenID_getMathLib() === null) { - Auth_OpenID_setNoMathSupport(); - } -} diff --git a/models/Auth/OpenID/AX.php b/models/Auth/OpenID/AX.php deleted file mode 100644 index 7370715e3..000000000 --- a/models/Auth/OpenID/AX.php +++ /dev/null @@ -1,1022 +0,0 @@ -message = $message; - } -} - -/** - * Abstract class containing common code for attribute exchange - * messages. - * - * @package OpenID - */ -class Auth_OpenID_AX_Message extends Auth_OpenID_Extension { - /** - * ns_alias: The preferred namespace alias for attribute exchange - * messages - */ - var $ns_alias = 'ax'; - - /** - * mode: The type of this attribute exchange message. This must be - * overridden in subclasses. - */ - var $mode = null; - - var $ns_uri = Auth_OpenID_AX_NS_URI; - - /** - * Return Auth_OpenID_AX_Error if the mode in the attribute - * exchange arguments does not match what is expected for this - * class; true otherwise. - * - * @access private - */ - function _checkMode($ax_args) - { - $mode = Auth_OpenID::arrayGet($ax_args, 'mode'); - if ($mode != $this->mode) { - return new Auth_OpenID_AX_Error( - sprintf( - "Expected mode '%s'; got '%s'", - $this->mode, $mode)); - } - - return true; - } - - /** - * Return a set of attribute exchange arguments containing the - * basic information that must be in every attribute exchange - * message. - * - * @access private - */ - function _newArgs() - { - return array('mode' => $this->mode); - } -} - -/** - * Represents a single attribute in an attribute exchange - * request. This should be added to an AXRequest object in order to - * request the attribute. - * - * @package OpenID - */ -class Auth_OpenID_AX_AttrInfo { - /** - * Construct an attribute information object. Do not call this - * directly; call make(...) instead. - * - * @param string $type_uri The type URI for this attribute. - * - * @param int $count The number of values of this type to request. - * - * @param bool $required Whether the attribute will be marked as - * required in the request. - * - * @param string $alias The name that should be given to this - * attribute in the request. - */ - function Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, - $alias) - { - /** - * required: Whether the attribute will be marked as required - * when presented to the subject of the attribute exchange - * request. - */ - $this->required = $required; - - /** - * count: How many values of this type to request from the - * subject. Defaults to one. - */ - $this->count = $count; - - /** - * type_uri: The identifier that determines what the attribute - * represents and how it is serialized. For example, one type - * URI representing dates could represent a Unix timestamp in - * base 10 and another could represent a human-readable - * string. - */ - $this->type_uri = $type_uri; - - /** - * alias: The name that should be given to this attribute in - * the request. If it is not supplied, a generic name will be - * assigned. For example, if you want to call a Unix timestamp - * value 'tstamp', set its alias to that value. If two - * attributes in the same message request to use the same - * alias, the request will fail to be generated. - */ - $this->alias = $alias; - } - - /** - * Construct an attribute information object. For parameter - * details, see the constructor. - */ - static function make($type_uri, $count=1, $required=false, - $alias=null) - { - if ($alias !== null) { - $result = Auth_OpenID_AX_checkAlias($alias); - - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - } - - return new Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, - $alias); - } - - /** - * When processing a request for this attribute, the OP should - * call this method to determine whether all available attribute - * values were requested. If self.count == UNLIMITED_VALUES, this - * returns True. Otherwise this returns False, in which case - * self.count is an integer. - */ - function wantsUnlimitedValues() - { - return $this->count === Auth_OpenID_AX_UNLIMITED_VALUES; - } -} - -/** - * Given a namespace mapping and a string containing a comma-separated - * list of namespace aliases, return a list of type URIs that - * correspond to those aliases. - * - * @param $namespace_map The mapping from namespace URI to alias - * @param $alias_list_s The string containing the comma-separated - * list of aliases. May also be None for convenience. - * - * @return $seq The list of namespace URIs that corresponds to the - * supplied list of aliases. If the string was zero-length or None, an - * empty list will be returned. - * - * return null If an alias is present in the list of aliases but - * is not present in the namespace map. - */ -function Auth_OpenID_AX_toTypeURIs($namespace_map, $alias_list_s) -{ - $uris = array(); - - if ($alias_list_s) { - foreach (explode(',', $alias_list_s) as $alias) { - $type_uri = $namespace_map->getNamespaceURI($alias); - if ($type_uri === null) { - // raise KeyError( - // 'No type is defined for attribute name %r' % (alias,)) - return new Auth_OpenID_AX_Error( - sprintf('No type is defined for attribute name %s', - $alias) - ); - } else { - $uris[] = $type_uri; - } - } - } - - return $uris; -} - -/** - * An attribute exchange 'fetch_request' message. This message is sent - * by a relying party when it wishes to obtain attributes about the - * subject of an OpenID authentication request. - * - * @package OpenID - */ -class Auth_OpenID_AX_FetchRequest extends Auth_OpenID_AX_Message { - - var $mode = 'fetch_request'; - - function Auth_OpenID_AX_FetchRequest($update_url=null) - { - /** - * requested_attributes: The attributes that have been - * requested thus far, indexed by the type URI. - */ - $this->requested_attributes = array(); - - /** - * update_url: A URL that will accept responses for this - * attribute exchange request, even in the absence of the user - * who made this request. - */ - $this->update_url = $update_url; - } - - /** - * Add an attribute to this attribute exchange request. - * - * @param attribute: The attribute that is being requested - * @return true on success, false when the requested attribute is - * already present in this fetch request. - */ - function add($attribute) - { - if ($this->contains($attribute->type_uri)) { - return new Auth_OpenID_AX_Error( - sprintf("The attribute %s has already been requested", - $attribute->type_uri)); - } - - $this->requested_attributes[$attribute->type_uri] = $attribute; - - return true; - } - - /** - * Get the serialized form of this attribute fetch request. - * - * @returns Auth_OpenID_AX_FetchRequest The fetch request message parameters - */ - function getExtensionArgs() - { - $aliases = new Auth_OpenID_NamespaceMap(); - - $required = array(); - $if_available = array(); - - $ax_args = $this->_newArgs(); - - foreach ($this->requested_attributes as $type_uri => $attribute) { - if ($attribute->alias === null) { - $alias = $aliases->add($type_uri); - } else { - $alias = $aliases->addAlias($type_uri, $attribute->alias); - - if ($alias === null) { - return new Auth_OpenID_AX_Error( - sprintf("Could not add alias %s for URI %s", - $attribute->alias, $type_uri - )); - } - } - - if ($attribute->required) { - $required[] = $alias; - } else { - $if_available[] = $alias; - } - - if ($attribute->count != 1) { - $ax_args['count.' . $alias] = strval($attribute->count); - } - - $ax_args['type.' . $alias] = $type_uri; - } - - if ($required) { - $ax_args['required'] = implode(',', $required); - } - - if ($if_available) { - $ax_args['if_available'] = implode(',', $if_available); - } - - return $ax_args; - } - - /** - * Get the type URIs for all attributes that have been marked as - * required. - * - * @return A list of the type URIs for attributes that have been - * marked as required. - */ - function getRequiredAttrs() - { - $required = array(); - foreach ($this->requested_attributes as $type_uri => $attribute) { - if ($attribute->required) { - $required[] = $type_uri; - } - } - - return $required; - } - - /** - * Extract a FetchRequest from an OpenID message - * - * @param request: The OpenID request containing the attribute - * fetch request - * - * @returns mixed An Auth_OpenID_AX_Error or the - * Auth_OpenID_AX_FetchRequest extracted from the request message if - * successful - */ - static function fromOpenIDRequest($request) - { - $m = $request->message; - $obj = new Auth_OpenID_AX_FetchRequest(); - $ax_args = $m->getArgs($obj->ns_uri); - - $result = $obj->parseExtensionArgs($ax_args); - - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - if ($obj->update_url) { - // Update URL must match the openid.realm of the - // underlying OpenID 2 message. - $realm = $m->getArg(Auth_OpenID_OPENID_NS, 'realm', - $m->getArg( - Auth_OpenID_OPENID_NS, - 'return_to')); - - if (!$realm) { - $obj = new Auth_OpenID_AX_Error( - sprintf("Cannot validate update_url %s " . - "against absent realm", $obj->update_url)); - } else if (!Auth_OpenID_TrustRoot::match($realm, - $obj->update_url)) { - $obj = new Auth_OpenID_AX_Error( - sprintf("Update URL %s failed validation against realm %s", - $obj->update_url, $realm)); - } - } - - return $obj; - } - - /** - * Given attribute exchange arguments, populate this FetchRequest. - * - * @return $result Auth_OpenID_AX_Error if the data to be parsed - * does not follow the attribute exchange specification. At least - * when 'if_available' or 'required' is not specified for a - * particular attribute type. Returns true otherwise. - */ - function parseExtensionArgs($ax_args) - { - $result = $this->_checkMode($ax_args); - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - $aliases = new Auth_OpenID_NamespaceMap(); - - foreach ($ax_args as $key => $value) { - if (strpos($key, 'type.') === 0) { - $alias = substr($key, 5); - $type_uri = $value; - - $alias = $aliases->addAlias($type_uri, $alias); - - if ($alias === null) { - return new Auth_OpenID_AX_Error( - sprintf("Could not add alias %s for URI %s", - $alias, $type_uri) - ); - } - - $count_s = Auth_OpenID::arrayGet($ax_args, 'count.' . $alias); - if ($count_s) { - $count = Auth_OpenID::intval($count_s); - if (($count === false) && - ($count_s === Auth_OpenID_AX_UNLIMITED_VALUES)) { - $count = $count_s; - } - } else { - $count = 1; - } - - if ($count === false) { - return new Auth_OpenID_AX_Error( - sprintf("Integer value expected for %s, got %s", - 'count.' . $alias, $count_s)); - } - - $attrinfo = Auth_OpenID_AX_AttrInfo::make($type_uri, $count, - false, $alias); - - if (Auth_OpenID_AX::isError($attrinfo)) { - return $attrinfo; - } - - $this->add($attrinfo); - } - } - - $required = Auth_OpenID_AX_toTypeURIs($aliases, - Auth_OpenID::arrayGet($ax_args, 'required')); - - foreach ($required as $type_uri) { - $attrib = $this->requested_attributes[$type_uri]; - $attrib->required = true; - } - - $if_available = Auth_OpenID_AX_toTypeURIs($aliases, - Auth_OpenID::arrayGet($ax_args, 'if_available')); - - $all_type_uris = array_merge($required, $if_available); - - foreach ($aliases->iterNamespaceURIs() as $type_uri) { - if (!in_array($type_uri, $all_type_uris)) { - return new Auth_OpenID_AX_Error( - sprintf('Type URI %s was in the request but not ' . - 'present in "required" or "if_available"', - $type_uri)); - - } - } - - $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); - - return true; - } - - /** - * Iterate over the AttrInfo objects that are contained in this - * fetch_request. - */ - function iterAttrs() - { - return array_values($this->requested_attributes); - } - - function iterTypes() - { - return array_keys($this->requested_attributes); - } - - /** - * Is the given type URI present in this fetch_request? - */ - function contains($type_uri) - { - return in_array($type_uri, $this->iterTypes()); - } -} - -/** - * An abstract class that implements a message that has attribute keys - * and values. It contains the common code between fetch_response and - * store_request. - * - * @package OpenID - */ -class Auth_OpenID_AX_KeyValueMessage extends Auth_OpenID_AX_Message { - - function Auth_OpenID_AX_KeyValueMessage() - { - $this->data = array(); - } - - /** - * Add a single value for the given attribute type to the - * message. If there are already values specified for this type, - * this value will be sent in addition to the values already - * specified. - * - * @param type_uri: The URI for the attribute - * @param value: The value to add to the response to the relying - * party for this attribute - * @return null - */ - function addValue($type_uri, $value) - { - if (!array_key_exists($type_uri, $this->data)) { - $this->data[$type_uri] = array(); - } - - $values =& $this->data[$type_uri]; - $values[] = $value; - } - - /** - * Set the values for the given attribute type. This replaces any - * values that have already been set for this attribute. - * - * @param type_uri: The URI for the attribute - * @param values: A list of values to send for this attribute. - */ - function setValues($type_uri, &$values) - { - $this->data[$type_uri] =& $values; - } - - /** - * Get the extension arguments for the key/value pairs contained - * in this message. - * - * @param aliases: An alias mapping. Set to None if you don't care - * about the aliases for this request. - * - * @access private - */ - function _getExtensionKVArgs($aliases) - { - if ($aliases === null) { - $aliases = new Auth_OpenID_NamespaceMap(); - } - - $ax_args = array(); - - foreach ($this->data as $type_uri => $values) { - $alias = $aliases->add($type_uri); - - $ax_args['type.' . $alias] = $type_uri; - $ax_args['count.' . $alias] = strval(count($values)); - - foreach ($values as $i => $value) { - $key = sprintf('value.%s.%d', $alias, $i + 1); - $ax_args[$key] = $value; - } - } - - return $ax_args; - } - - /** - * Parse attribute exchange key/value arguments into this object. - * - * @param ax_args: The attribute exchange fetch_response - * arguments, with namespacing removed. - * - * @return Auth_OpenID_AX_Error or true - */ - function parseExtensionArgs($ax_args) - { - $result = $this->_checkMode($ax_args); - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - $aliases = new Auth_OpenID_NamespaceMap(); - - foreach ($ax_args as $key => $value) { - if (strpos($key, 'type.') === 0) { - $type_uri = $value; - $alias = substr($key, 5); - - $result = Auth_OpenID_AX_checkAlias($alias); - - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - $alias = $aliases->addAlias($type_uri, $alias); - - if ($alias === null) { - return new Auth_OpenID_AX_Error( - sprintf("Could not add alias %s for URI %s", - $alias, $type_uri) - ); - } - } - } - - foreach ($aliases->iteritems() as $pair) { - list($type_uri, $alias) = $pair; - - if (array_key_exists('count.' . $alias, $ax_args) && ($ax_args['count.' . $alias] !== Auth_OpenID_AX_UNLIMITED_VALUES)) { - - $count_key = 'count.' . $alias; - $count_s = $ax_args[$count_key]; - - $count = Auth_OpenID::intval($count_s); - - if ($count === false) { - return new Auth_OpenID_AX_Error( - sprintf("Integer value expected for %s, got %s", - 'count. %s' . $alias, $count_s, - Auth_OpenID_AX_UNLIMITED_VALUES) - ); - } - - $values = array(); - for ($i = 1; $i < $count + 1; $i++) { - $value_key = sprintf('value.%s.%d', $alias, $i); - - if (!array_key_exists($value_key, $ax_args)) { - return new Auth_OpenID_AX_Error( - sprintf( - "No value found for key %s", - $value_key)); - } - - $value = $ax_args[$value_key]; - $values[] = $value; - } - } else { - $key = 'value.' . $alias; - - if (!array_key_exists($key, $ax_args)) { - return new Auth_OpenID_AX_Error( - sprintf( - "No value found for key %s", - $key)); - } - - $value = $ax_args['value.' . $alias]; - - if ($value == '') { - $values = array(); - } else { - $values = array($value); - } - } - - $this->data[$type_uri] = $values; - } - - return true; - } - - /** - * Get a single value for an attribute. If no value was sent for - * this attribute, use the supplied default. If there is more than - * one value for this attribute, this method will fail. - * - * @param type_uri: The URI for the attribute - * @param default: The value to return if the attribute was not - * sent in the fetch_response. - * - * @return $value Auth_OpenID_AX_Error on failure or the value of - * the attribute in the fetch_response message, or the default - * supplied - */ - function getSingle($type_uri, $default=null) - { - $values = Auth_OpenID::arrayGet($this->data, $type_uri); - if (!$values) { - return $default; - } else if (count($values) == 1) { - return $values[0]; - } else { - return new Auth_OpenID_AX_Error( - sprintf('More than one value present for %s', - $type_uri) - ); - } - } - - /** - * Get the list of values for this attribute in the - * fetch_response. - * - * XXX: what to do if the values are not present? default - * parameter? this is funny because it's always supposed to return - * a list, so the default may break that, though it's provided by - * the user's code, so it might be okay. If no default is - * supplied, should the return be None or []? - * - * @param type_uri: The URI of the attribute - * - * @return $values The list of values for this attribute in the - * response. May be an empty list. If the attribute was not sent - * in the response, returns Auth_OpenID_AX_Error. - */ - function get($type_uri) - { - if (array_key_exists($type_uri, $this->data)) { - return $this->data[$type_uri]; - } else { - return new Auth_OpenID_AX_Error( - sprintf("Type URI %s not found in response", - $type_uri) - ); - } - } - - /** - * Get the number of responses for a particular attribute in this - * fetch_response message. - * - * @param type_uri: The URI of the attribute - * - * @returns int The number of values sent for this attribute. If - * the attribute was not sent in the response, returns - * Auth_OpenID_AX_Error. - */ - function count($type_uri) - { - if (array_key_exists($type_uri, $this->data)) { - return count($this->get($type_uri)); - } else { - return new Auth_OpenID_AX_Error( - sprintf("Type URI %s not found in response", - $type_uri) - ); - } - } -} - -/** - * A fetch_response attribute exchange message. - * - * @package OpenID - */ -class Auth_OpenID_AX_FetchResponse extends Auth_OpenID_AX_KeyValueMessage { - var $mode = 'fetch_response'; - - function Auth_OpenID_AX_FetchResponse($update_url=null) - { - $this->Auth_OpenID_AX_KeyValueMessage(); - $this->update_url = $update_url; - } - - /** - * Serialize this object into arguments in the attribute exchange - * namespace - * - * @return $args The dictionary of unqualified attribute exchange - * arguments that represent this fetch_response, or - * Auth_OpenID_AX_Error on error. - */ - function getExtensionArgs($request=null) - { - $aliases = new Auth_OpenID_NamespaceMap(); - - $zero_value_types = array(); - - if ($request !== null) { - // Validate the data in the context of the request (the - // same attributes should be present in each, and the - // counts in the response must be no more than the counts - // in the request) - - foreach ($this->data as $type_uri => $unused) { - if (!$request->contains($type_uri)) { - return new Auth_OpenID_AX_Error( - sprintf("Response attribute not present in request: %s", - $type_uri) - ); - } - } - - foreach ($request->iterAttrs() as $attr_info) { - // Copy the aliases from the request so that reading - // the response in light of the request is easier - if ($attr_info->alias === null) { - $aliases->add($attr_info->type_uri); - } else { - $alias = $aliases->addAlias($attr_info->type_uri, - $attr_info->alias); - - if ($alias === null) { - return new Auth_OpenID_AX_Error( - sprintf("Could not add alias %s for URI %s", - $attr_info->alias, $attr_info->type_uri) - ); - } - } - - if (array_key_exists($attr_info->type_uri, $this->data)) { - $values = $this->data[$attr_info->type_uri]; - } else { - $values = array(); - $zero_value_types[] = $attr_info; - } - - if (($attr_info->count != Auth_OpenID_AX_UNLIMITED_VALUES) && - ($attr_info->count < count($values))) { - return new Auth_OpenID_AX_Error( - sprintf("More than the number of requested values " . - "were specified for %s", - $attr_info->type_uri) - ); - } - } - } - - $kv_args = $this->_getExtensionKVArgs($aliases); - - // Add the KV args into the response with the args that are - // unique to the fetch_response - $ax_args = $this->_newArgs(); - - // For each requested attribute, put its type/alias and count - // into the response even if no data were returned. - foreach ($zero_value_types as $attr_info) { - $alias = $aliases->getAlias($attr_info->type_uri); - $kv_args['type.' . $alias] = $attr_info->type_uri; - $kv_args['count.' . $alias] = '0'; - } - - $update_url = null; - if ($request) { - $update_url = $request->update_url; - } else { - $update_url = $this->update_url; - } - - if ($update_url) { - $ax_args['update_url'] = $update_url; - } - - Auth_OpenID::update($ax_args, $kv_args); - - return $ax_args; - } - - /** - * @return $result Auth_OpenID_AX_Error on failure or true on - * success. - */ - function parseExtensionArgs($ax_args) - { - $result = parent::parseExtensionArgs($ax_args); - - if (Auth_OpenID_AX::isError($result)) { - return $result; - } - - $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); - - return true; - } - - /** - * Construct a FetchResponse object from an OpenID library - * SuccessResponse object. - * - * @param success_response: A successful id_res response object - * - * @param signed: Whether non-signed args should be processsed. If - * True (the default), only signed arguments will be processsed. - * - * @return $response A FetchResponse containing the data from the - * OpenID message - */ - static function fromSuccessResponse($success_response, $signed=true) - { - $obj = new Auth_OpenID_AX_FetchResponse(); - if ($signed) { - $ax_args = $success_response->getSignedNS($obj->ns_uri); - } else { - $ax_args = $success_response->message->getArgs($obj->ns_uri); - } - if ($ax_args === null || Auth_OpenID::isFailure($ax_args) || - sizeof($ax_args) == 0) { - return null; - } - - $result = $obj->parseExtensionArgs($ax_args); - if (Auth_OpenID_AX::isError($result)) { - #XXX log me - return null; - } - return $obj; - } -} - -/** - * A store request attribute exchange message representation. - * - * @package OpenID - */ -class Auth_OpenID_AX_StoreRequest extends Auth_OpenID_AX_KeyValueMessage { - var $mode = 'store_request'; - - /** - * @param array $aliases The namespace aliases to use when making - * this store response. Leave as None to use defaults. - */ - function getExtensionArgs($aliases=null) - { - $ax_args = $this->_newArgs(); - $kv_args = $this->_getExtensionKVArgs($aliases); - Auth_OpenID::update($ax_args, $kv_args); - return $ax_args; - } -} - -/** - * An indication that the store request was processed along with this - * OpenID transaction. Use make(), NOT the constructor, to create - * response objects. - * - * @package OpenID - */ -class Auth_OpenID_AX_StoreResponse extends Auth_OpenID_AX_Message { - var $SUCCESS_MODE = 'store_response_success'; - var $FAILURE_MODE = 'store_response_failure'; - - /** - * Returns Auth_OpenID_AX_Error on error or an - * Auth_OpenID_AX_StoreResponse object on success. - */ - function make($succeeded=true, $error_message=null) - { - if (($succeeded) && ($error_message !== null)) { - return new Auth_OpenID_AX_Error('An error message may only be '. - 'included in a failing fetch response'); - } - - return new Auth_OpenID_AX_StoreResponse($succeeded, $error_message); - } - - function Auth_OpenID_AX_StoreResponse($succeeded=true, $error_message=null) - { - if ($succeeded) { - $this->mode = $this->SUCCESS_MODE; - } else { - $this->mode = $this->FAILURE_MODE; - } - - $this->error_message = $error_message; - } - - /** - * Was this response a success response? - */ - function succeeded() - { - return $this->mode == $this->SUCCESS_MODE; - } - - function getExtensionArgs() - { - $ax_args = $this->_newArgs(); - if ((!$this->succeeded()) && $this->error_message) { - $ax_args['error'] = $this->error_message; - } - - return $ax_args; - } -} - diff --git a/models/Auth/OpenID/Association.php b/models/Auth/OpenID/Association.php deleted file mode 100644 index d1ac1ed9b..000000000 --- a/models/Auth/OpenID/Association.php +++ /dev/null @@ -1,610 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * @access private - */ -require_once 'Auth/OpenID/CryptUtil.php'; - -/** - * @access private - */ -require_once 'Auth/OpenID/KVForm.php'; - -/** - * @access private - */ -require_once 'Auth/OpenID/HMAC.php'; - -/** - * This class represents an association between a server and a - * consumer. In general, users of this library will never see - * instances of this object. The only exception is if you implement a - * custom {@link Auth_OpenID_OpenIDStore}. - * - * If you do implement such a store, it will need to store the values - * of the handle, secret, issued, lifetime, and assoc_type instance - * variables. - * - * @package OpenID - */ -class Auth_OpenID_Association { - - /** - * This is a HMAC-SHA1 specific value. - * - * @access private - */ - var $SIG_LENGTH = 20; - - /** - * The ordering and name of keys as stored by serialize. - * - * @access private - */ - var $assoc_keys = array( - 'version', - 'handle', - 'secret', - 'issued', - 'lifetime', - 'assoc_type' - ); - - var $_macs = array( - 'HMAC-SHA1' => 'Auth_OpenID_HMACSHA1', - 'HMAC-SHA256' => 'Auth_OpenID_HMACSHA256' - ); - - /** - * This is an alternate constructor (factory method) used by the - * OpenID consumer library to create associations. OpenID store - * implementations shouldn't use this constructor. - * - * @access private - * - * @param integer $expires_in This is the amount of time this - * association is good for, measured in seconds since the - * association was issued. - * - * @param string $handle This is the handle the server gave this - * association. - * - * @param string secret This is the shared secret the server - * generated for this association. - * - * @param assoc_type This is the type of association this - * instance represents. The only valid values of this field at - * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may - * be defined in the future. - * - * @return association An {@link Auth_OpenID_Association} - * instance. - */ - static function fromExpiresIn($expires_in, $handle, $secret, $assoc_type) - { - $issued = time(); - $lifetime = $expires_in; - return new Auth_OpenID_Association($handle, $secret, - $issued, $lifetime, $assoc_type); - } - - /** - * This is the standard constructor for creating an association. - * The library should create all of the necessary associations, so - * this constructor is not part of the external API. - * - * @access private - * - * @param string $handle This is the handle the server gave this - * association. - * - * @param string $secret This is the shared secret the server - * generated for this association. - * - * @param integer $issued This is the time this association was - * issued, in seconds since 00:00 GMT, January 1, 1970. (ie, a - * unix timestamp) - * - * @param integer $lifetime This is the amount of time this - * association is good for, measured in seconds since the - * association was issued. - * - * @param string $assoc_type This is the type of association this - * instance represents. The only valid values of this field at - * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may - * be defined in the future. - */ - function Auth_OpenID_Association( - $handle, $secret, $issued, $lifetime, $assoc_type) - { - if (!in_array($assoc_type, - Auth_OpenID_getSupportedAssociationTypes(), true)) { - $fmt = 'Unsupported association type (%s)'; - trigger_error(sprintf($fmt, $assoc_type), E_USER_ERROR); - } - - $this->handle = $handle; - $this->secret = $secret; - $this->issued = $issued; - $this->lifetime = $lifetime; - $this->assoc_type = $assoc_type; - } - - /** - * This returns the number of seconds this association is still - * valid for, or 0 if the association is no longer valid. - * - * @return integer $seconds The number of seconds this association - * is still valid for, or 0 if the association is no longer valid. - */ - function getExpiresIn($now = null) - { - if ($now == null) { - $now = time(); - } - - return max(0, $this->issued + $this->lifetime - $now); - } - - /** - * This checks to see if two {@link Auth_OpenID_Association} - * instances represent the same association. - * - * @return bool $result true if the two instances represent the - * same association, false otherwise. - */ - function equal($other) - { - return ((gettype($this) == gettype($other)) - && ($this->handle == $other->handle) - && ($this->secret == $other->secret) - && ($this->issued == $other->issued) - && ($this->lifetime == $other->lifetime) - && ($this->assoc_type == $other->assoc_type)); - } - - /** - * Convert an association to KV form. - * - * @return string $result String in KV form suitable for - * deserialization by deserialize. - */ - function serialize() - { - $data = array( - 'version' => '2', - 'handle' => $this->handle, - 'secret' => base64_encode($this->secret), - 'issued' => strval(intval($this->issued)), - 'lifetime' => strval(intval($this->lifetime)), - 'assoc_type' => $this->assoc_type - ); - - assert(array_keys($data) == $this->assoc_keys); - - return Auth_OpenID_KVForm::fromArray($data, $strict = true); - } - - /** - * Parse an association as stored by serialize(). This is the - * inverse of serialize. - * - * @param string $assoc_s Association as serialized by serialize() - * @return Auth_OpenID_Association $result instance of this class - */ - static function deserialize($class_name, $assoc_s) - { - $pairs = Auth_OpenID_KVForm::toArray($assoc_s, $strict = true); - $keys = array(); - $values = array(); - foreach ($pairs as $key => $value) { - if (is_array($value)) { - list($key, $value) = $value; - } - $keys[] = $key; - $values[] = $value; - } - - $class_vars = get_class_vars($class_name); - $class_assoc_keys = $class_vars['assoc_keys']; - - sort($keys); - sort($class_assoc_keys); - - if ($keys != $class_assoc_keys) { - trigger_error('Unexpected key values: ' . var_export($keys, true), - E_USER_WARNING); - return null; - } - - $version = $pairs['version']; - $handle = $pairs['handle']; - $secret = $pairs['secret']; - $issued = $pairs['issued']; - $lifetime = $pairs['lifetime']; - $assoc_type = $pairs['assoc_type']; - - if ($version != '2') { - trigger_error('Unknown version: ' . $version, E_USER_WARNING); - return null; - } - - $issued = intval($issued); - $lifetime = intval($lifetime); - $secret = base64_decode($secret); - - return new $class_name( - $handle, $secret, $issued, $lifetime, $assoc_type); - } - - /** - * Generate a signature for a sequence of (key, value) pairs - * - * @access private - * @param array $pairs The pairs to sign, in order. This is an - * array of two-tuples. - * @return string $signature The binary signature of this sequence - * of pairs - */ - function sign($pairs) - { - $kv = Auth_OpenID_KVForm::fromArray($pairs); - - /* Invalid association types should be caught at constructor */ - $callback = $this->_macs[$this->assoc_type]; - - return call_user_func_array($callback, array($this->secret, $kv)); - } - - /** - * Generate a signature for some fields in a dictionary - * - * @access private - * @param array $fields The fields to sign, in order; this is an - * array of strings. - * @param array $data Dictionary of values to sign (an array of - * string => string pairs). - * @return string $signature The signature, base64 encoded - */ - function signMessage($message) - { - if ($message->hasKey(Auth_OpenID_OPENID_NS, 'sig') || - $message->hasKey(Auth_OpenID_OPENID_NS, 'signed')) { - // Already has a sig - return null; - } - - $extant_handle = $message->getArg(Auth_OpenID_OPENID_NS, - 'assoc_handle'); - - if ($extant_handle && ($extant_handle != $this->handle)) { - // raise ValueError("Message has a different association handle") - return null; - } - - $signed_message = $message; - $signed_message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', - $this->handle); - - $message_keys = array_keys($signed_message->toPostArgs()); - $signed_list = array(); - $signed_prefix = 'openid.'; - - foreach ($message_keys as $k) { - if (strpos($k, $signed_prefix) === 0) { - $signed_list[] = substr($k, strlen($signed_prefix)); - } - } - - $signed_list[] = 'signed'; - sort($signed_list); - - $signed_message->setArg(Auth_OpenID_OPENID_NS, 'signed', - implode(',', $signed_list)); - $sig = $this->getMessageSignature($signed_message); - $signed_message->setArg(Auth_OpenID_OPENID_NS, 'sig', $sig); - return $signed_message; - } - - /** - * Given a {@link Auth_OpenID_Message}, return the key/value pairs - * to be signed according to the signed list in the message. If - * the message lacks a signed list, return null. - * - * @access private - */ - function _makePairs($message) - { - $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); - if (!$signed || Auth_OpenID::isFailure($signed)) { - // raise ValueError('Message has no signed list: %s' % (message,)) - return null; - } - - $signed_list = explode(',', $signed); - $pairs = array(); - $data = $message->toPostArgs(); - foreach ($signed_list as $field) { - $pairs[] = array($field, Auth_OpenID::arrayGet($data, - 'openid.' . - $field, '')); - } - return $pairs; - } - - /** - * Given an {@link Auth_OpenID_Message}, return the signature for - * the signed list in the message. - * - * @access private - */ - function getMessageSignature($message) - { - $pairs = $this->_makePairs($message); - return base64_encode($this->sign($pairs)); - } - - /** - * Confirm that the signature of these fields matches the - * signature contained in the data. - * - * @access private - */ - function checkMessageSignature($message) - { - $sig = $message->getArg(Auth_OpenID_OPENID_NS, - 'sig'); - - if (!$sig || Auth_OpenID::isFailure($sig)) { - return false; - } - - $calculated_sig = $this->getMessageSignature($message); - return $calculated_sig == $sig; - } -} - -function Auth_OpenID_getSecretSize($assoc_type) -{ - if ($assoc_type == 'HMAC-SHA1') { - return 20; - } else if ($assoc_type == 'HMAC-SHA256') { - return 32; - } else { - return null; - } -} - -function Auth_OpenID_getAllAssociationTypes() -{ - return array('HMAC-SHA1', 'HMAC-SHA256'); -} - -function Auth_OpenID_getSupportedAssociationTypes() -{ - $a = array('HMAC-SHA1'); - - if (Auth_OpenID_HMACSHA256_SUPPORTED) { - $a[] = 'HMAC-SHA256'; - } - - return $a; -} - -function Auth_OpenID_getSessionTypes($assoc_type) -{ - $assoc_to_session = array( - 'HMAC-SHA1' => array('DH-SHA1', 'no-encryption')); - - if (Auth_OpenID_HMACSHA256_SUPPORTED) { - $assoc_to_session['HMAC-SHA256'] = - array('DH-SHA256', 'no-encryption'); - } - - return Auth_OpenID::arrayGet($assoc_to_session, $assoc_type, array()); -} - -function Auth_OpenID_checkSessionType($assoc_type, $session_type) -{ - if (!in_array($session_type, - Auth_OpenID_getSessionTypes($assoc_type))) { - return false; - } - - return true; -} - -function Auth_OpenID_getDefaultAssociationOrder() -{ - $order = array(); - - if (!Auth_OpenID_noMathSupport()) { - $order[] = array('HMAC-SHA1', 'DH-SHA1'); - - if (Auth_OpenID_HMACSHA256_SUPPORTED) { - $order[] = array('HMAC-SHA256', 'DH-SHA256'); - } - } - - $order[] = array('HMAC-SHA1', 'no-encryption'); - - if (Auth_OpenID_HMACSHA256_SUPPORTED) { - $order[] = array('HMAC-SHA256', 'no-encryption'); - } - - return $order; -} - -function Auth_OpenID_getOnlyEncryptedOrder() -{ - $result = array(); - - foreach (Auth_OpenID_getDefaultAssociationOrder() as $pair) { - list($assoc, $session) = $pair; - - if ($session != 'no-encryption') { - if (Auth_OpenID_HMACSHA256_SUPPORTED && - ($assoc == 'HMAC-SHA256')) { - $result[] = $pair; - } else if ($assoc != 'HMAC-SHA256') { - $result[] = $pair; - } - } - } - - return $result; -} - -function Auth_OpenID_getDefaultNegotiator() -{ - return new Auth_OpenID_SessionNegotiator( - Auth_OpenID_getDefaultAssociationOrder()); -} - -function Auth_OpenID_getEncryptedNegotiator() -{ - return new Auth_OpenID_SessionNegotiator( - Auth_OpenID_getOnlyEncryptedOrder()); -} - -/** - * A session negotiator controls the allowed and preferred association - * types and association session types. Both the {@link - * Auth_OpenID_Consumer} and {@link Auth_OpenID_Server} use - * negotiators when creating associations. - * - * You can create and use negotiators if you: - - * - Do not want to do Diffie-Hellman key exchange because you use - * transport-layer encryption (e.g. SSL) - * - * - Want to use only SHA-256 associations - * - * - Do not want to support plain-text associations over a non-secure - * channel - * - * It is up to you to set a policy for what kinds of associations to - * accept. By default, the library will make any kind of association - * that is allowed in the OpenID 2.0 specification. - * - * Use of negotiators in the library - * ================================= - * - * When a consumer makes an association request, it calls {@link - * getAllowedType} to get the preferred association type and - * association session type. - * - * The server gets a request for a particular association/session type - * and calls {@link isAllowed} to determine if it should create an - * association. If it is supported, negotiation is complete. If it is - * not, the server calls {@link getAllowedType} to get an allowed - * association type to return to the consumer. - * - * If the consumer gets an error response indicating that the - * requested association/session type is not supported by the server - * that contains an assocation/session type to try, it calls {@link - * isAllowed} to determine if it should try again with the given - * combination of association/session type. - * - * @package OpenID - */ -class Auth_OpenID_SessionNegotiator { - function Auth_OpenID_SessionNegotiator($allowed_types) - { - $this->allowed_types = array(); - $this->setAllowedTypes($allowed_types); - } - - /** - * Set the allowed association types, checking to make sure each - * combination is valid. - * - * @access private - */ - function setAllowedTypes($allowed_types) - { - foreach ($allowed_types as $pair) { - list($assoc_type, $session_type) = $pair; - if (!Auth_OpenID_checkSessionType($assoc_type, $session_type)) { - return false; - } - } - - $this->allowed_types = $allowed_types; - return true; - } - - /** - * Add an association type and session type to the allowed types - * list. The assocation/session pairs are tried in the order that - * they are added. - * - * @access private - */ - function addAllowedType($assoc_type, $session_type = null) - { - if ($this->allowed_types === null) { - $this->allowed_types = array(); - } - - if ($session_type === null) { - $available = Auth_OpenID_getSessionTypes($assoc_type); - - if (!$available) { - return false; - } - - foreach ($available as $session_type) { - $this->addAllowedType($assoc_type, $session_type); - } - } else { - if (Auth_OpenID_checkSessionType($assoc_type, $session_type)) { - $this->allowed_types[] = array($assoc_type, $session_type); - } else { - return false; - } - } - - return true; - } - - // Is this combination of association type and session type allowed? - function isAllowed($assoc_type, $session_type) - { - $assoc_good = in_array(array($assoc_type, $session_type), - $this->allowed_types); - - $matches = in_array($session_type, - Auth_OpenID_getSessionTypes($assoc_type)); - - return ($assoc_good && $matches); - } - - /** - * Get a pair of assocation type and session type that are - * supported. - */ - function getAllowedType() - { - if (!$this->allowed_types) { - return array(null, null); - } - - return $this->allowed_types[0]; - } -} - diff --git a/models/Auth/OpenID/BigMath.php b/models/Auth/OpenID/BigMath.php deleted file mode 100644 index 7fca2dc43..000000000 --- a/models/Auth/OpenID/BigMath.php +++ /dev/null @@ -1,452 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * Needed for random number generation - */ -require_once 'Auth/OpenID/CryptUtil.php'; - -/** - * Need Auth_OpenID::bytes(). - */ -require_once 'Auth/OpenID.php'; - -/** - * The superclass of all big-integer math implementations - * @access private - * @package OpenID - */ -class Auth_OpenID_MathLibrary { - /** - * Given a long integer, returns the number converted to a binary - * string. This function accepts long integer values of arbitrary - * magnitude and uses the local large-number math library when - * available. - * - * @param integer $long The long number (can be a normal PHP - * integer or a number created by one of the available long number - * libraries) - * @return string $binary The binary version of $long - */ - function longToBinary($long) - { - $cmp = $this->cmp($long, 0); - if ($cmp < 0) { - $msg = __FUNCTION__ . " takes only positive integers."; - trigger_error($msg, E_USER_ERROR); - return null; - } - - if ($cmp == 0) { - return "\x00"; - } - - $bytes = array(); - - while ($this->cmp($long, 0) > 0) { - array_unshift($bytes, $this->mod($long, 256)); - $long = $this->div($long, pow(2, 8)); - } - - if ($bytes && ($bytes[0] > 127)) { - array_unshift($bytes, 0); - } - - $string = ''; - foreach ($bytes as $byte) { - $string .= pack('C', $byte); - } - - return $string; - } - - /** - * Given a binary string, returns the binary string converted to a - * long number. - * - * @param string $binary The binary version of a long number, - * probably as a result of calling longToBinary - * @return integer $long The long number equivalent of the binary - * string $str - */ - function binaryToLong($str) - { - if ($str === null) { - return null; - } - - // Use array_merge to return a zero-indexed array instead of a - // one-indexed array. - $bytes = array_merge(unpack('C*', $str)); - - $n = $this->init(0); - - if ($bytes && ($bytes[0] > 127)) { - trigger_error("bytesToNum works only for positive integers.", - E_USER_WARNING); - return null; - } - - foreach ($bytes as $byte) { - $n = $this->mul($n, pow(2, 8)); - $n = $this->add($n, $byte); - } - - return $n; - } - - function base64ToLong($str) - { - $b64 = base64_decode($str); - - if ($b64 === false) { - return false; - } - - return $this->binaryToLong($b64); - } - - function longToBase64($str) - { - return base64_encode($this->longToBinary($str)); - } - - /** - * Returns a random number in the specified range. This function - * accepts $start, $stop, and $step values of arbitrary magnitude - * and will utilize the local large-number math library when - * available. - * - * @param integer $start The start of the range, or the minimum - * random number to return - * @param integer $stop The end of the range, or the maximum - * random number to return - * @param integer $step The step size, such that $result - ($step - * * N) = $start for some N - * @return integer $result The resulting randomly-generated number - */ - function rand($stop) - { - static $duplicate_cache = array(); - - // Used as the key for the duplicate cache - $rbytes = $this->longToBinary($stop); - - if (array_key_exists($rbytes, $duplicate_cache)) { - list($duplicate, $nbytes) = $duplicate_cache[$rbytes]; - } else { - if ($rbytes[0] == "\x00") { - $nbytes = Auth_OpenID::bytes($rbytes) - 1; - } else { - $nbytes = Auth_OpenID::bytes($rbytes); - } - - $mxrand = $this->pow(256, $nbytes); - - // If we get a number less than this, then it is in the - // duplicated range. - $duplicate = $this->mod($mxrand, $stop); - - if (count($duplicate_cache) > 10) { - $duplicate_cache = array(); - } - - $duplicate_cache[$rbytes] = array($duplicate, $nbytes); - } - - do { - $bytes = "\x00" . Auth_OpenID_CryptUtil::getBytes($nbytes); - $n = $this->binaryToLong($bytes); - // Keep looping if this value is in the low duplicated range - } while ($this->cmp($n, $duplicate) < 0); - - return $this->mod($n, $stop); - } -} - -/** - * Exposes BCmath math library functionality. - * - * {@link Auth_OpenID_BcMathWrapper} wraps the functionality provided - * by the BCMath extension. - * - * @access private - * @package OpenID - */ -class Auth_OpenID_BcMathWrapper extends Auth_OpenID_MathLibrary{ - var $type = 'bcmath'; - - function add($x, $y) - { - return bcadd($x, $y); - } - - function sub($x, $y) - { - return bcsub($x, $y); - } - - function pow($base, $exponent) - { - return bcpow($base, $exponent); - } - - function cmp($x, $y) - { - return bccomp($x, $y); - } - - function init($number, $base = 10) - { - return $number; - } - - function mod($base, $modulus) - { - return bcmod($base, $modulus); - } - - function mul($x, $y) - { - return bcmul($x, $y); - } - - function div($x, $y) - { - return bcdiv($x, $y); - } - - /** - * Same as bcpowmod when bcpowmod is missing - * - * @access private - */ - function _powmod($base, $exponent, $modulus) - { - $square = $this->mod($base, $modulus); - $result = 1; - while($this->cmp($exponent, 0) > 0) { - if ($this->mod($exponent, 2)) { - $result = $this->mod($this->mul($result, $square), $modulus); - } - $square = $this->mod($this->mul($square, $square), $modulus); - $exponent = $this->div($exponent, 2); - } - return $result; - } - - function powmod($base, $exponent, $modulus) - { - if (function_exists('bcpowmod')) { - return bcpowmod($base, $exponent, $modulus); - } else { - return $this->_powmod($base, $exponent, $modulus); - } - } - - function toString($num) - { - return $num; - } -} - -/** - * Exposes GMP math library functionality. - * - * {@link Auth_OpenID_GmpMathWrapper} wraps the functionality provided - * by the GMP extension. - * - * @access private - * @package OpenID - */ -class Auth_OpenID_GmpMathWrapper extends Auth_OpenID_MathLibrary{ - var $type = 'gmp'; - - function add($x, $y) - { - return gmp_add($x, $y); - } - - function sub($x, $y) - { - return gmp_sub($x, $y); - } - - function pow($base, $exponent) - { - return gmp_pow($base, $exponent); - } - - function cmp($x, $y) - { - return gmp_cmp($x, $y); - } - - function init($number, $base = 10) - { - return gmp_init($number, $base); - } - - function mod($base, $modulus) - { - return gmp_mod($base, $modulus); - } - - function mul($x, $y) - { - return gmp_mul($x, $y); - } - - function div($x, $y) - { - return gmp_div_q($x, $y); - } - - function powmod($base, $exponent, $modulus) - { - return gmp_powm($base, $exponent, $modulus); - } - - function toString($num) - { - return gmp_strval($num); - } -} - -/** - * Define the supported extensions. An extension array has keys - * 'modules', 'extension', and 'class'. 'modules' is an array of PHP - * module names which the loading code will attempt to load. These - * values will be suffixed with a library file extension (e.g. ".so"). - * 'extension' is the name of a PHP extension which will be tested - * before 'modules' are loaded. 'class' is the string name of a - * {@link Auth_OpenID_MathWrapper} subclass which should be - * instantiated if a given extension is present. - * - * You can define new math library implementations and add them to - * this array. - */ -function Auth_OpenID_math_extensions() -{ - $result = array(); - - if (!defined('Auth_OpenID_BUGGY_GMP')) { - $result[] = - array('modules' => array('gmp', 'php_gmp'), - 'extension' => 'gmp', - 'class' => 'Auth_OpenID_GmpMathWrapper'); - } - - $result[] = array('modules' => array('bcmath', 'php_bcmath'), - 'extension' => 'bcmath', - 'class' => 'Auth_OpenID_BcMathWrapper'); - - return $result; -} - -/** - * Detect which (if any) math library is available - */ -function Auth_OpenID_detectMathLibrary($exts) -{ - $loaded = false; - - $hasDl = function_exists('dl'); - foreach ($exts as $extension) { - if (extension_loaded($extension['extension'])) { - return $extension; - } - } - - return false; -} - -/** - * {@link Auth_OpenID_getMathLib} checks for the presence of long - * number extension modules and returns an instance of - * {@link Auth_OpenID_MathWrapper} which exposes the module's - * functionality. - * - * Checks for the existence of an extension module described by the - * result of {@link Auth_OpenID_math_extensions()} and returns an - * instance of a wrapper for that extension module. If no extension - * module is found, an instance of {@link Auth_OpenID_MathWrapper} is - * returned, which wraps the native PHP integer implementation. The - * proper calling convention for this method is $lib = - * Auth_OpenID_getMathLib(). - * - * This function checks for the existence of specific long number - * implementations in the following order: GMP followed by BCmath. - * - * @return Auth_OpenID_MathWrapper $instance An instance of - * {@link Auth_OpenID_MathWrapper} or one of its subclasses - * - * @package OpenID - */ -function Auth_OpenID_getMathLib() -{ - // The instance of Auth_OpenID_MathWrapper that we choose to - // supply will be stored here, so that subseqent calls to this - // method will return a reference to the same object. - static $lib = null; - - if (isset($lib)) { - return $lib; - } - - if (Auth_OpenID_noMathSupport()) { - $null = null; - return $null; - } - - // If this method has not been called before, look at - // Auth_OpenID_math_extensions and try to find an extension that - // works. - $ext = Auth_OpenID_detectMathLibrary(Auth_OpenID_math_extensions()); - if ($ext === false) { - $tried = array(); - foreach (Auth_OpenID_math_extensions() as $extinfo) { - $tried[] = $extinfo['extension']; - } - $triedstr = implode(", ", $tried); - - Auth_OpenID_setNoMathSupport(); - - $result = null; - return $result; - } - - // Instantiate a new wrapper - $class = $ext['class']; - $lib = new $class(); - - return $lib; -} - -function Auth_OpenID_setNoMathSupport() -{ - if (!defined('Auth_OpenID_NO_MATH_SUPPORT')) { - define('Auth_OpenID_NO_MATH_SUPPORT', true); - } -} - -function Auth_OpenID_noMathSupport() -{ - return defined('Auth_OpenID_NO_MATH_SUPPORT'); -} - - diff --git a/models/Auth/OpenID/Consumer.php b/models/Auth/OpenID/Consumer.php deleted file mode 100644 index 021c03898..000000000 --- a/models/Auth/OpenID/Consumer.php +++ /dev/null @@ -1,2230 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * Require utility classes and functions for the consumer. - */ -require_once "Auth/OpenID.php"; -require_once "Auth/OpenID/Message.php"; -require_once "Auth/OpenID/HMAC.php"; -require_once "Auth/OpenID/Association.php"; -require_once "Auth/OpenID/CryptUtil.php"; -require_once "Auth/OpenID/DiffieHellman.php"; -require_once "Auth/OpenID/KVForm.php"; -require_once "Auth/OpenID/Nonce.php"; -require_once "Auth/OpenID/Discover.php"; -require_once "Auth/OpenID/URINorm.php"; -require_once "Auth/Yadis/Manager.php"; -require_once "Auth/Yadis/XRI.php"; - -/** - * This is the status code returned when the complete method returns - * successfully. - */ -define('Auth_OpenID_SUCCESS', 'success'); - -/** - * Status to indicate cancellation of OpenID authentication. - */ -define('Auth_OpenID_CANCEL', 'cancel'); - -/** - * This is the status code completeAuth returns when the value it - * received indicated an invalid login. - */ -define('Auth_OpenID_FAILURE', 'failure'); - -/** - * This is the status code completeAuth returns when the - * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the - * identity server sends back a URL to send the user to to complete his - * or her login. - */ -define('Auth_OpenID_SETUP_NEEDED', 'setup needed'); - -/** - * This is the status code beginAuth returns when the page fetched - * from the entered OpenID URL doesn't contain the necessary link tags - * to function as an identity page. - */ -define('Auth_OpenID_PARSE_ERROR', 'parse error'); - -/** - * An OpenID consumer implementation that performs discovery and does - * session management. See the Consumer.php file documentation for - * more information. - * - * @package OpenID - */ -class Auth_OpenID_Consumer { - - /** - * @access private - */ - var $discoverMethod = 'Auth_OpenID_discover'; - - /** - * @access private - */ - var $session_key_prefix = "_openid_consumer_"; - - /** - * @access private - */ - var $_token_suffix = "last_token"; - - /** - * Initialize a Consumer instance. - * - * You should create a new instance of the Consumer object with - * every HTTP request that handles OpenID transactions. - * - * @param Auth_OpenID_OpenIDStore $store This must be an object - * that implements the interface in {@link - * Auth_OpenID_OpenIDStore}. Several concrete implementations are - * provided, to cover most common use cases. For stores backed by - * MySQL, PostgreSQL, or SQLite, see the {@link - * Auth_OpenID_SQLStore} class and its sublcasses. For a - * filesystem-backed store, see the {@link Auth_OpenID_FileStore} - * module. As a last resort, if it isn't possible for the server - * to store state at all, an instance of {@link - * Auth_OpenID_DumbStore} can be used. - * - * @param mixed $session An object which implements the interface - * of the {@link Auth_Yadis_PHPSession} class. Particularly, this - * object is expected to have these methods: get($key), set($key), - * $value), and del($key). This defaults to a session object - * which wraps PHP's native session machinery. You should only - * need to pass something here if you have your own sessioning - * implementation. - * - * @param str $consumer_cls The name of the class to instantiate - * when creating the internal consumer object. This is used for - * testing. - */ - function Auth_OpenID_Consumer($store, $session = null, - $consumer_cls = null) - { - if ($session === null) { - $session = new Auth_Yadis_PHPSession(); - } - - $this->session = $session; - - if ($consumer_cls !== null) { - $this->consumer = new $consumer_cls($store); - } else { - $this->consumer = new Auth_OpenID_GenericConsumer($store); - } - - $this->_token_key = $this->session_key_prefix . $this->_token_suffix; - } - - /** - * Used in testing to define the discovery mechanism. - * - * @access private - */ - function getDiscoveryObject($session, $openid_url, - $session_key_prefix) - { - return new Auth_Yadis_Discovery($session, $openid_url, - $session_key_prefix); - } - - /** - * Start the OpenID authentication process. See steps 1-2 in the - * overview at the top of this file. - * - * @param string $user_url Identity URL given by the user. This - * method performs a textual transformation of the URL to try and - * make sure it is normalized. For example, a user_url of - * example.com will be normalized to http://example.com/ - * normalizing and resolving any redirects the server might issue. - * - * @param bool $anonymous True if the OpenID request is to be sent - * to the server without any identifier information. Use this - * when you want to transport data but don't want to do OpenID - * authentication with identifiers. - * - * @return Auth_OpenID_AuthRequest $auth_request An object - * containing the discovered information will be returned, with a - * method for building a redirect URL to the server, as described - * in step 3 of the overview. This object may also be used to add - * extension arguments to the request, using its 'addExtensionArg' - * method. - */ - function begin($user_url, $anonymous=false) - { - $openid_url = $user_url; - - $disco = $this->getDiscoveryObject($this->session, - $openid_url, - $this->session_key_prefix); - - // Set the 'stale' attribute of the manager. If discovery - // fails in a fatal way, the stale flag will cause the manager - // to be cleaned up next time discovery is attempted. - - $m = $disco->getManager(); - $loader = new Auth_Yadis_ManagerLoader(); - - if ($m) { - if ($m->stale) { - $disco->destroyManager(); - } else { - $m->stale = true; - $disco->session->set($disco->session_key, - serialize($loader->toSession($m))); - } - } - - $endpoint = $disco->getNextService($this->discoverMethod, - $this->consumer->fetcher); - - // Reset the 'stale' attribute of the manager. - $m = $disco->getManager(); - if ($m) { - $m->stale = false; - $disco->session->set($disco->session_key, - serialize($loader->toSession($m))); - } - - if ($endpoint === null) { - return null; - } else { - return $this->beginWithoutDiscovery($endpoint, - $anonymous); - } - } - - /** - * Start OpenID verification without doing OpenID server - * discovery. This method is used internally by Consumer.begin - * after discovery is performed, and exists to provide an - * interface for library users needing to perform their own - * discovery. - * - * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service - * endpoint descriptor. - * - * @param bool anonymous Set to true if you want to perform OpenID - * without identifiers. - * - * @return Auth_OpenID_AuthRequest $auth_request An OpenID - * authentication request object. - */ - function beginWithoutDiscovery($endpoint, $anonymous=false) - { - $loader = new Auth_OpenID_ServiceEndpointLoader(); - $auth_req = $this->consumer->begin($endpoint); - $this->session->set($this->_token_key, - $loader->toSession($auth_req->endpoint)); - if (!$auth_req->setAnonymous($anonymous)) { - return new Auth_OpenID_FailureResponse(null, - "OpenID 1 requests MUST include the identifier " . - "in the request."); - } - return $auth_req; - } - - /** - * Called to interpret the server's response to an OpenID - * request. It is called in step 4 of the flow described in the - * consumer overview. - * - * @param string $current_url The URL used to invoke the application. - * Extract the URL from your application's web - * request framework and specify it here to have it checked - * against the openid.current_url value in the response. If - * the current_url URL check fails, the status of the - * completion will be FAILURE. - * - * @param array $query An array of the query parameters (key => - * value pairs) for this HTTP request. Defaults to null. If - * null, the GET or POST data are automatically gotten from the - * PHP environment. It is only useful to override $query for - * testing. - * - * @return Auth_OpenID_ConsumerResponse $response A instance of an - * Auth_OpenID_ConsumerResponse subclass. The type of response is - * indicated by the status attribute, which will be one of - * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED. - */ - function complete($current_url, $query=null) - { - if ($current_url && !is_string($current_url)) { - // This is ugly, but we need to complain loudly when - // someone uses the API incorrectly. - trigger_error("current_url must be a string; see NEWS file " . - "for upgrading notes.", - E_USER_ERROR); - } - - if ($query === null) { - $query = Auth_OpenID::getQuery(); - } - - $loader = new Auth_OpenID_ServiceEndpointLoader(); - $endpoint_data = $this->session->get($this->_token_key); - $endpoint = - $loader->fromSession($endpoint_data); - - $message = Auth_OpenID_Message::fromPostArgs($query); - $response = $this->consumer->complete($message, $endpoint, - $current_url); - $this->session->del($this->_token_key); - - if (in_array($response->status, array(Auth_OpenID_SUCCESS, - Auth_OpenID_CANCEL))) { - if ($response->identity_url !== null) { - $disco = $this->getDiscoveryObject($this->session, - $response->identity_url, - $this->session_key_prefix); - $disco->cleanup(true); - } - } - - return $response; - } -} - -/** - * A class implementing HMAC/DH-SHA1 consumer sessions. - * - * @package OpenID - */ -class Auth_OpenID_DiffieHellmanSHA1ConsumerSession { - var $session_type = 'DH-SHA1'; - var $hash_func = 'Auth_OpenID_SHA1'; - var $secret_size = 20; - var $allowed_assoc_types = array('HMAC-SHA1'); - - function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null) - { - if ($dh === null) { - $dh = new Auth_OpenID_DiffieHellman(); - } - - $this->dh = $dh; - } - - function getRequest() - { - $math = Auth_OpenID_getMathLib(); - - $cpub = $math->longToBase64($this->dh->public); - - $args = array('dh_consumer_public' => $cpub); - - if (!$this->dh->usingDefaultValues()) { - $args = array_merge($args, array( - 'dh_modulus' => - $math->longToBase64($this->dh->mod), - 'dh_gen' => - $math->longToBase64($this->dh->gen))); - } - - return $args; - } - - function extractSecret($response) - { - if (!$response->hasKey(Auth_OpenID_OPENID_NS, - 'dh_server_public')) { - return null; - } - - if (!$response->hasKey(Auth_OpenID_OPENID_NS, - 'enc_mac_key')) { - return null; - } - - $math = Auth_OpenID_getMathLib(); - - $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS, - 'dh_server_public')); - $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS, - 'enc_mac_key')); - - return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func); - } -} - -/** - * A class implementing HMAC/DH-SHA256 consumer sessions. - * - * @package OpenID - */ -class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends - Auth_OpenID_DiffieHellmanSHA1ConsumerSession { - var $session_type = 'DH-SHA256'; - var $hash_func = 'Auth_OpenID_SHA256'; - var $secret_size = 32; - var $allowed_assoc_types = array('HMAC-SHA256'); -} - -/** - * A class implementing plaintext consumer sessions. - * - * @package OpenID - */ -class Auth_OpenID_PlainTextConsumerSession { - var $session_type = 'no-encryption'; - var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); - - function getRequest() - { - return array(); - } - - function extractSecret($response) - { - if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) { - return null; - } - - return base64_decode($response->getArg(Auth_OpenID_OPENID_NS, - 'mac_key')); - } -} - -/** - * Returns available session types. - */ -function Auth_OpenID_getAvailableSessionTypes() -{ - $types = array( - 'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession', - 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession', - 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession'); - - return $types; -} - -/** - * This class is the interface to the OpenID consumer logic. - * Instances of it maintain no per-request state, so they can be - * reused (or even used by multiple threads concurrently) as needed. - * - * @package OpenID - */ -class Auth_OpenID_GenericConsumer { - /** - * @access private - */ - var $discoverMethod = 'Auth_OpenID_discover'; - - /** - * This consumer's store object. - */ - var $store; - - /** - * @access private - */ - var $_use_assocs; - - /** - * @access private - */ - var $openid1_nonce_query_arg_name = 'janrain_nonce'; - - /** - * Another query parameter that gets added to the return_to for - * OpenID 1; if the user's session state is lost, use this claimed - * identifier to do discovery when verifying the response. - */ - var $openid1_return_to_identifier_name = 'openid1_claimed_id'; - - /** - * This method initializes a new {@link Auth_OpenID_Consumer} - * instance to access the library. - * - * @param Auth_OpenID_OpenIDStore $store This must be an object - * that implements the interface in {@link Auth_OpenID_OpenIDStore}. - * Several concrete implementations are provided, to cover most common use - * cases. For stores backed by MySQL, PostgreSQL, or SQLite, see - * the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a - * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module. - * As a last resort, if it isn't possible for the server to store - * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used. - * - * @param bool $immediate This is an optional boolean value. It - * controls whether the library uses immediate mode, as explained - * in the module description. The default value is False, which - * disables immediate mode. - */ - function Auth_OpenID_GenericConsumer($store) - { - $this->store = $store; - $this->negotiator = Auth_OpenID_getDefaultNegotiator(); - $this->_use_assocs = (is_null($this->store) ? false : true); - - $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); - - $this->session_types = Auth_OpenID_getAvailableSessionTypes(); - } - - /** - * Called to begin OpenID authentication using the specified - * {@link Auth_OpenID_ServiceEndpoint}. - * - * @access private - */ - function begin($service_endpoint) - { - $assoc = $this->_getAssociation($service_endpoint); - $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); - $r->return_to_args[$this->openid1_nonce_query_arg_name] = - Auth_OpenID_mkNonce(); - - if ($r->message->isOpenID1()) { - $r->return_to_args[$this->openid1_return_to_identifier_name] = - $r->endpoint->claimed_id; - } - - return $r; - } - - /** - * Given an {@link Auth_OpenID_Message}, {@link - * Auth_OpenID_ServiceEndpoint} and optional return_to URL, - * complete OpenID authentication. - * - * @access private - */ - function complete($message, $endpoint, $return_to) - { - $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', - ''); - - $mode_methods = array( - 'cancel' => '_complete_cancel', - 'error' => '_complete_error', - 'setup_needed' => '_complete_setup_needed', - 'id_res' => '_complete_id_res', - ); - - $method = Auth_OpenID::arrayGet($mode_methods, $mode, - '_completeInvalid'); - - return call_user_func_array(array($this, $method), - array($message, &$endpoint, $return_to)); - } - - /** - * @access private - */ - function _completeInvalid($message, $endpoint, $unused) - { - $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', - ''); - - return new Auth_OpenID_FailureResponse($endpoint, - sprintf("Invalid openid.mode '%s'", $mode)); - } - - /** - * @access private - */ - function _complete_cancel($message, $endpoint, $unused) - { - return new Auth_OpenID_CancelResponse($endpoint); - } - - /** - * @access private - */ - function _complete_error($message, $endpoint, $unused) - { - $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error'); - $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact'); - $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference'); - - return new Auth_OpenID_FailureResponse($endpoint, $error, - $contact, $reference); - } - - /** - * @access private - */ - function _complete_setup_needed($message, $endpoint, $unused) - { - if (!$message->isOpenID2()) { - return $this->_completeInvalid($message, $endpoint); - } - - $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS, - 'user_setup_url'); - return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url); - } - - /** - * @access private - */ - function _complete_id_res($message, $endpoint, $return_to) - { - $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, - 'user_setup_url'); - - if ($this->_checkSetupNeeded($message)) { - return new Auth_OpenID_SetupNeededResponse( - $endpoint, $user_setup_url); - } else { - return $this->_doIdRes($message, $endpoint, $return_to); - } - } - - /** - * @access private - */ - function _checkSetupNeeded($message) - { - // In OpenID 1, we check to see if this is a cancel from - // immediate mode by the presence of the user_setup_url - // parameter. - if ($message->isOpenID1()) { - $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, - 'user_setup_url'); - if ($user_setup_url !== null) { - return true; - } - } - - return false; - } - - /** - * @access private - */ - function _doIdRes($message, $endpoint, $return_to) - { - // Checks for presence of appropriate fields (and checks - // signed list fields) - $result = $this->_idResCheckForFields($message); - - if (Auth_OpenID::isFailure($result)) { - return $result; - } - - if (!$this->_checkReturnTo($message, $return_to)) { - return new Auth_OpenID_FailureResponse(null, - sprintf("return_to does not match return URL. Expected %s, got %s", - $return_to, - $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'))); - } - - // Verify discovery information: - $result = $this->_verifyDiscoveryResults($message, $endpoint); - - if (Auth_OpenID::isFailure($result)) { - return $result; - } - - $endpoint = $result; - - $result = $this->_idResCheckSignature($message, - $endpoint->server_url); - - if (Auth_OpenID::isFailure($result)) { - return $result; - } - - $result = $this->_idResCheckNonce($message, $endpoint); - - if (Auth_OpenID::isFailure($result)) { - return $result; - } - - $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', - Auth_OpenID_NO_DEFAULT); - if (Auth_OpenID::isFailure($signed_list_str)) { - return $signed_list_str; - } - $signed_list = explode(',', $signed_list_str); - - $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid."); - - return new Auth_OpenID_SuccessResponse($endpoint, $message, - $signed_fields); - - } - - /** - * @access private - */ - function _checkReturnTo($message, $return_to) - { - // Check an OpenID message and its openid.return_to value - // against a return_to URL from an application. Return True - // on success, False on failure. - - // Check the openid.return_to args against args in the - // original message. - $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs( - $message->toPostArgs()); - if (Auth_OpenID::isFailure($result)) { - return false; - } - - // Check the return_to base URL against the one in the - // message. - $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, - 'return_to'); - if (Auth_OpenID::isFailure($return_to)) { - // XXX log me - return false; - } - - $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to)); - $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to)); - - // If port is absent from both, add it so it's equal in the - // check below. - if ((!array_key_exists('port', $return_to_parts)) && - (!array_key_exists('port', $msg_return_to_parts))) { - $return_to_parts['port'] = null; - $msg_return_to_parts['port'] = null; - } - - // If path is absent from both, add it so it's equal in the - // check below. - if ((!array_key_exists('path', $return_to_parts)) && - (!array_key_exists('path', $msg_return_to_parts))) { - $return_to_parts['path'] = null; - $msg_return_to_parts['path'] = null; - } - - // The URL scheme, authority, and path MUST be the same - // between the two URLs. - foreach (array('scheme', 'host', 'port', 'path') as $component) { - // If the url component is absent in either URL, fail. - // There should always be a scheme, host, port, and path. - if (!array_key_exists($component, $return_to_parts)) { - return false; - } - - if (!array_key_exists($component, $msg_return_to_parts)) { - return false; - } - - if (Auth_OpenID::arrayGet($return_to_parts, $component) !== - Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { - return false; - } - } - - return true; - } - - /** - * @access private - */ - function _verifyReturnToArgs($query) - { - // Verify that the arguments in the return_to URL are present in this - // response. - - $message = Auth_OpenID_Message::fromPostArgs($query); - $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); - - if (Auth_OpenID::isFailure($return_to)) { - return $return_to; - } - // XXX: this should be checked by _idResCheckForFields - if (!$return_to) { - return new Auth_OpenID_FailureResponse(null, - "Response has no return_to"); - } - - $parsed_url = parse_url($return_to); - - $q = array(); - if (array_key_exists('query', $parsed_url)) { - $rt_query = $parsed_url['query']; - $q = Auth_OpenID::parse_str($rt_query); - } - - foreach ($q as $rt_key => $rt_value) { - if (!array_key_exists($rt_key, $query)) { - return new Auth_OpenID_FailureResponse(null, - sprintf("return_to parameter %s absent from query", $rt_key)); - } else { - $value = $query[$rt_key]; - if ($rt_value != $value) { - return new Auth_OpenID_FailureResponse(null, - sprintf("parameter %s value %s does not match " . - "return_to value %s", $rt_key, - $value, $rt_value)); - } - } - } - - // Make sure all non-OpenID arguments in the response are also - // in the signed return_to. - $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); - foreach ($bare_args as $key => $value) { - if (Auth_OpenID::arrayGet($q, $key) != $value) { - return new Auth_OpenID_FailureResponse(null, - sprintf("Parameter %s = %s not in return_to URL", - $key, $value)); - } - } - - return true; - } - - /** - * @access private - */ - function _idResCheckSignature($message, $server_url) - { - $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, - 'assoc_handle'); - if (Auth_OpenID::isFailure($assoc_handle)) { - return $assoc_handle; - } - - $assoc = $this->store->getAssociation($server_url, $assoc_handle); - - if ($assoc) { - if ($assoc->getExpiresIn() <= 0) { - // XXX: It might be a good idea sometimes to re-start - // the authentication with a new association. Doing it - // automatically opens the possibility for - // denial-of-service by a server that just returns - // expired associations (or really short-lived - // associations) - return new Auth_OpenID_FailureResponse(null, - 'Association with ' . $server_url . ' expired'); - } - - if (!$assoc->checkMessageSignature($message)) { - return new Auth_OpenID_FailureResponse(null, - "Bad signature"); - } - } else { - // It's not an association we know about. Stateless mode - // is our only possible path for recovery. XXX - async - // framework will not want to block on this call to - // _checkAuth. - if (!$this->_checkAuth($message, $server_url)) { - return new Auth_OpenID_FailureResponse(null, - "Server denied check_authentication"); - } - } - - return null; - } - - /** - * @access private - */ - function _verifyDiscoveryResults($message, $endpoint=null) - { - if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) { - return $this->_verifyDiscoveryResultsOpenID2($message, - $endpoint); - } else { - return $this->_verifyDiscoveryResultsOpenID1($message, - $endpoint); - } - } - - /** - * @access private - */ - function _verifyDiscoveryResultsOpenID1($message, $endpoint) - { - $claimed_id = $message->getArg(Auth_OpenID_BARE_NS, - $this->openid1_return_to_identifier_name); - - if (($endpoint === null) && ($claimed_id === null)) { - return new Auth_OpenID_FailureResponse($endpoint, - 'When using OpenID 1, the claimed ID must be supplied, ' . - 'either by passing it through as a return_to parameter ' . - 'or by using a session, and supplied to the GenericConsumer ' . - 'as the argument to complete()'); - } else if (($endpoint !== null) && ($claimed_id === null)) { - $claimed_id = $endpoint->claimed_id; - } - - $to_match = new Auth_OpenID_ServiceEndpoint(); - $to_match->type_uris = array(Auth_OpenID_TYPE_1_1); - $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS, - 'identity'); - - // Restore delegate information from the initiation phase - $to_match->claimed_id = $claimed_id; - - if ($to_match->local_id === null) { - return new Auth_OpenID_FailureResponse($endpoint, - "Missing required field openid.identity"); - } - - $to_match_1_0 = $to_match->copy(); - $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0); - - if ($endpoint !== null) { - $result = $this->_verifyDiscoverySingle($endpoint, $to_match); - - if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { - $result = $this->_verifyDiscoverySingle($endpoint, - $to_match_1_0); - } - - if (Auth_OpenID::isFailure($result)) { - // oidutil.log("Error attempting to use stored - // discovery information: " + str(e)) - // oidutil.log("Attempting discovery to - // verify endpoint") - } else { - return $endpoint; - } - } - - // Endpoint is either bad (failed verification) or None - return $this->_discoverAndVerify($to_match->claimed_id, - array($to_match, $to_match_1_0)); - } - - /** - * @access private - */ - function _verifyDiscoverySingle($endpoint, $to_match) - { - // Every type URI that's in the to_match endpoint has to be - // present in the discovered endpoint. - foreach ($to_match->type_uris as $type_uri) { - if (!$endpoint->usesExtension($type_uri)) { - return new Auth_OpenID_TypeURIMismatch($endpoint, - "Required type ".$type_uri." not present"); - } - } - - // Fragments do not influence discovery, so we can't compare a - // claimed identifier with a fragment to discovered - // information. - list($defragged_claimed_id, $_) = - Auth_OpenID::urldefrag($to_match->claimed_id); - - if ($defragged_claimed_id != $endpoint->claimed_id) { - return new Auth_OpenID_FailureResponse($endpoint, - sprintf('Claimed ID does not match (different subjects!), ' . - 'Expected %s, got %s', $defragged_claimed_id, - $endpoint->claimed_id)); - } - - if ($to_match->getLocalID() != $endpoint->getLocalID()) { - return new Auth_OpenID_FailureResponse($endpoint, - sprintf('local_id mismatch. Expected %s, got %s', - $to_match->getLocalID(), $endpoint->getLocalID())); - } - - // If the server URL is None, this must be an OpenID 1 - // response, because op_endpoint is a required parameter in - // OpenID 2. In that case, we don't actually care what the - // discovered server_url is, because signature checking or - // check_auth should take care of that check for us. - if ($to_match->server_url === null) { - if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) { - return new Auth_OpenID_FailureResponse($endpoint, - "Preferred namespace mismatch (bug)"); - } - } else if ($to_match->server_url != $endpoint->server_url) { - return new Auth_OpenID_FailureResponse($endpoint, - sprintf('OP Endpoint mismatch. Expected %s, got %s', - $to_match->server_url, $endpoint->server_url)); - } - - return null; - } - - /** - * @access private - */ - function _verifyDiscoveryResultsOpenID2($message, $endpoint) - { - $to_match = new Auth_OpenID_ServiceEndpoint(); - $to_match->type_uris = array(Auth_OpenID_TYPE_2_0); - $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, - 'claimed_id'); - - $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS, - 'identity'); - - $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS, - 'op_endpoint'); - - if ($to_match->server_url === null) { - return new Auth_OpenID_FailureResponse($endpoint, - "OP Endpoint URL missing"); - } - - // claimed_id and identifier must both be present or both be - // absent - if (($to_match->claimed_id === null) && - ($to_match->local_id !== null)) { - return new Auth_OpenID_FailureResponse($endpoint, - 'openid.identity is present without openid.claimed_id'); - } - - if (($to_match->claimed_id !== null) && - ($to_match->local_id === null)) { - return new Auth_OpenID_FailureResponse($endpoint, - 'openid.claimed_id is present without openid.identity'); - } - - if ($to_match->claimed_id === null) { - // This is a response without identifiers, so there's - // really no checking that we can do, so return an - // endpoint that's for the specified `openid.op_endpoint' - return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL( - $to_match->server_url); - } - - if (!$endpoint) { - // The claimed ID doesn't match, so we have to do - // discovery again. This covers not using sessions, OP - // identifier endpoints and responses that didn't match - // the original request. - // oidutil.log('No pre-discovered information supplied.') - return $this->_discoverAndVerify($to_match->claimed_id, - array($to_match)); - } else { - - // The claimed ID matches, so we use the endpoint that we - // discovered in initiation. This should be the most - // common case. - $result = $this->_verifyDiscoverySingle($endpoint, $to_match); - - if (Auth_OpenID::isFailure($result)) { - $endpoint = $this->_discoverAndVerify($to_match->claimed_id, - array($to_match)); - if (Auth_OpenID::isFailure($endpoint)) { - return $endpoint; - } - } - } - - // The endpoint we return should have the claimed ID from the - // message we just verified, fragment and all. - if ($endpoint->claimed_id != $to_match->claimed_id) { - $endpoint->claimed_id = $to_match->claimed_id; - } - - return $endpoint; - } - - /** - * @access private - */ - function _discoverAndVerify($claimed_id, $to_match_endpoints) - { - // oidutil.log('Performing discovery on %s' % (claimed_id,)) - list($unused, $services) = call_user_func($this->discoverMethod, - $claimed_id, - &$this->fetcher); - - if (!$services) { - return new Auth_OpenID_FailureResponse(null, - sprintf("No OpenID information found at %s", - $claimed_id)); - } - - return $this->_verifyDiscoveryServices($claimed_id, $services, - $to_match_endpoints); - } - - /** - * @access private - */ - function _verifyDiscoveryServices($claimed_id, - $services, $to_match_endpoints) - { - // Search the services resulting from discovery to find one - // that matches the information from the assertion - - foreach ($services as $endpoint) { - foreach ($to_match_endpoints as $to_match_endpoint) { - $result = $this->_verifyDiscoverySingle($endpoint, - $to_match_endpoint); - - if (!Auth_OpenID::isFailure($result)) { - // It matches, so discover verification has - // succeeded. Return this endpoint. - return $endpoint; - } - } - } - - return new Auth_OpenID_FailureResponse(null, - sprintf('No matching endpoint found after discovering %s: %s', - $claimed_id, $result->message)); - } - - /** - * Extract the nonce from an OpenID 1 response. Return the nonce - * from the BARE_NS since we independently check the return_to - * arguments are the same as those in the response message. - * - * See the openid1_nonce_query_arg_name class variable - * - * @returns $nonce The nonce as a string or null - * - * @access private - */ - function _idResGetNonceOpenID1($message, $endpoint) - { - return $message->getArg(Auth_OpenID_BARE_NS, - $this->openid1_nonce_query_arg_name); - } - - /** - * @access private - */ - function _idResCheckNonce($message, $endpoint) - { - if ($message->isOpenID1()) { - // This indicates that the nonce was generated by the consumer - $nonce = $this->_idResGetNonceOpenID1($message, $endpoint); - $server_url = ''; - } else { - $nonce = $message->getArg(Auth_OpenID_OPENID2_NS, - 'response_nonce'); - - $server_url = $endpoint->server_url; - } - - if ($nonce === null) { - return new Auth_OpenID_FailureResponse($endpoint, - "Nonce missing from response"); - } - - $parts = Auth_OpenID_splitNonce($nonce); - - if ($parts === null) { - return new Auth_OpenID_FailureResponse($endpoint, - "Malformed nonce in response"); - } - - list($timestamp, $salt) = $parts; - - if (!$this->store->useNonce($server_url, $timestamp, $salt)) { - return new Auth_OpenID_FailureResponse($endpoint, - "Nonce already used or out of range"); - } - - return null; - } - - /** - * @access private - */ - function _idResCheckForFields($message) - { - $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed'); - $basic_sig_fields = array('return_to', 'identity'); - - $require_fields = array( - Auth_OpenID_OPENID2_NS => array_merge($basic_fields, - array('op_endpoint')), - - Auth_OpenID_OPENID1_NS => array_merge($basic_fields, - array('identity')) - ); - - $require_sigs = array( - Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields, - array('response_nonce', - 'claimed_id', - 'assoc_handle', - 'op_endpoint')), - Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields, - array('nonce')) - ); - - foreach ($require_fields[$message->getOpenIDNamespace()] as $field) { - if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) { - return new Auth_OpenID_FailureResponse(null, - "Missing required field '".$field."'"); - } - } - - $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, - 'signed', - Auth_OpenID_NO_DEFAULT); - if (Auth_OpenID::isFailure($signed_list_str)) { - return $signed_list_str; - } - $signed_list = explode(',', $signed_list_str); - - foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) { - // Field is present and not in signed list - if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) && - (!in_array($field, $signed_list))) { - return new Auth_OpenID_FailureResponse(null, - "'".$field."' not signed"); - } - } - - return null; - } - - /** - * @access private - */ - function _checkAuth($message, $server_url) - { - $request = $this->_createCheckAuthRequest($message); - if ($request === null) { - return false; - } - - $resp_message = $this->_makeKVPost($request, $server_url); - if (($resp_message === null) || - (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) { - return false; - } - - return $this->_processCheckAuthResponse($resp_message, $server_url); - } - - /** - * @access private - */ - function _createCheckAuthRequest($message) - { - $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); - if ($signed) { - foreach (explode(',', $signed) as $k) { - $value = $message->getAliasedArg($k); - if ($value === null) { - return null; - } - } - } - $ca_message = $message->copy(); - $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', - 'check_authentication'); - return $ca_message; - } - - /** - * @access private - */ - function _processCheckAuthResponse($response, $server_url) - { - $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid', - 'false'); - - $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS, - 'invalidate_handle'); - - if ($invalidate_handle !== null) { - $this->store->removeAssociation($server_url, - $invalidate_handle); - } - - if ($is_valid == 'true') { - return true; - } - - return false; - } - - /** - * Adapt a POST response to a Message. - * - * @param $response Result of a POST to an OpenID endpoint. - * - * @access private - */ - static function _httpResponseToMessage($response, $server_url) - { - // Should this function be named Message.fromHTTPResponse instead? - $response_message = Auth_OpenID_Message::fromKVForm($response->body); - - if ($response->status == 400) { - return Auth_OpenID_ServerErrorContainer::fromMessage( - $response_message); - } else if ($response->status != 200 and $response->status != 206) { - return null; - } - - return $response_message; - } - - /** - * @access private - */ - function _makeKVPost($message, $server_url) - { - $body = $message->toURLEncoded(); - $resp = $this->fetcher->post($server_url, $body); - - if ($resp === null) { - return null; - } - - return $this->_httpResponseToMessage($resp, $server_url); - } - - /** - * @access private - */ - function _getAssociation($endpoint) - { - if (!$this->_use_assocs) { - return null; - } - - $assoc = $this->store->getAssociation($endpoint->server_url); - - if (($assoc === null) || - ($assoc->getExpiresIn() <= 0)) { - - $assoc = $this->_negotiateAssociation($endpoint); - - if ($assoc !== null) { - $this->store->storeAssociation($endpoint->server_url, - $assoc); - } - } - - return $assoc; - } - - /** - * Handle ServerErrors resulting from association requests. - * - * @return $result If server replied with an C{unsupported-type} - * error, return a tuple of supported C{association_type}, - * C{session_type}. Otherwise logs the error and returns null. - * - * @access private - */ - function _extractSupportedAssociationType($server_error, $endpoint, - $assoc_type) - { - // Any error message whose code is not 'unsupported-type' - // should be considered a total failure. - if (($server_error->error_code != 'unsupported-type') || - ($server_error->message->isOpenID1())) { - return null; - } - - // The server didn't like the association/session type that we - // sent, and it sent us back a message that might tell us how - // to handle it. - - // Extract the session_type and assoc_type from the error - // message - $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, - 'assoc_type'); - - $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, - 'session_type'); - - if (($assoc_type === null) || ($session_type === null)) { - return null; - } else if (!$this->negotiator->isAllowed($assoc_type, - $session_type)) { - return null; - } else { - return array($assoc_type, $session_type); - } - } - - /** - * @access private - */ - function _negotiateAssociation($endpoint) - { - // Get our preferred session/association type from the negotiatior. - list($assoc_type, $session_type) = $this->negotiator->getAllowedType(); - - $assoc = $this->_requestAssociation( - $endpoint, $assoc_type, $session_type); - - if (Auth_OpenID::isFailure($assoc)) { - return null; - } - - if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { - $why = $assoc; - - $supportedTypes = $this->_extractSupportedAssociationType( - $why, $endpoint, $assoc_type); - - if ($supportedTypes !== null) { - list($assoc_type, $session_type) = $supportedTypes; - - // Attempt to create an association from the assoc_type - // and session_type that the server told us it - // supported. - $assoc = $this->_requestAssociation( - $endpoint, $assoc_type, $session_type); - - if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { - // Do not keep trying, since it rejected the - // association type that it told us to use. - // oidutil.log('Server %s refused its suggested association - // 'type: session_type=%s, assoc_type=%s' - // % (endpoint.server_url, session_type, - // assoc_type)) - return null; - } else { - return $assoc; - } - } else { - return null; - } - } else { - return $assoc; - } - } - - /** - * @access private - */ - function _requestAssociation($endpoint, $assoc_type, $session_type) - { - list($assoc_session, $args) = $this->_createAssociateRequest( - $endpoint, $assoc_type, $session_type); - - $response_message = $this->_makeKVPost($args, $endpoint->server_url); - - if ($response_message === null) { - // oidutil.log('openid.associate request failed: %s' % (why[0],)) - return null; - } else if (is_a($response_message, - 'Auth_OpenID_ServerErrorContainer')) { - return $response_message; - } - - return $this->_extractAssociation($response_message, $assoc_session); - } - - /** - * @access private - */ - function _extractAssociation($assoc_response, $assoc_session) - { - // Extract the common fields from the response, raising an - // exception if they are not found - $assoc_type = $assoc_response->getArg( - Auth_OpenID_OPENID_NS, 'assoc_type', - Auth_OpenID_NO_DEFAULT); - - if (Auth_OpenID::isFailure($assoc_type)) { - return $assoc_type; - } - - $assoc_handle = $assoc_response->getArg( - Auth_OpenID_OPENID_NS, 'assoc_handle', - Auth_OpenID_NO_DEFAULT); - - if (Auth_OpenID::isFailure($assoc_handle)) { - return $assoc_handle; - } - - // expires_in is a base-10 string. The Python parsing will - // accept literals that have whitespace around them and will - // accept negative values. Neither of these are really in-spec, - // but we think it's OK to accept them. - $expires_in_str = $assoc_response->getArg( - Auth_OpenID_OPENID_NS, 'expires_in', - Auth_OpenID_NO_DEFAULT); - - if (Auth_OpenID::isFailure($expires_in_str)) { - return $expires_in_str; - } - - $expires_in = Auth_OpenID::intval($expires_in_str); - if ($expires_in === false) { - - $err = sprintf("Could not parse expires_in from association ". - "response %s", print_r($assoc_response, true)); - return new Auth_OpenID_FailureResponse(null, $err); - } - - // OpenID 1 has funny association session behaviour. - if ($assoc_response->isOpenID1()) { - $session_type = $this->_getOpenID1SessionType($assoc_response); - } else { - $session_type = $assoc_response->getArg( - Auth_OpenID_OPENID2_NS, 'session_type', - Auth_OpenID_NO_DEFAULT); - - if (Auth_OpenID::isFailure($session_type)) { - return $session_type; - } - } - - // Session type mismatch - if ($assoc_session->session_type != $session_type) { - if ($assoc_response->isOpenID1() && - ($session_type == 'no-encryption')) { - // In OpenID 1, any association request can result in - // a 'no-encryption' association response. Setting - // assoc_session to a new no-encryption session should - // make the rest of this function work properly for - // that case. - $assoc_session = new Auth_OpenID_PlainTextConsumerSession(); - } else { - // Any other mismatch, regardless of protocol version - // results in the failure of the association session - // altogether. - return null; - } - } - - // Make sure assoc_type is valid for session_type - if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) { - return null; - } - - // Delegate to the association session to extract the secret - // from the response, however is appropriate for that session - // type. - $secret = $assoc_session->extractSecret($assoc_response); - - if ($secret === null) { - return null; - } - - return Auth_OpenID_Association::fromExpiresIn( - $expires_in, $assoc_handle, $secret, $assoc_type); - } - - /** - * @access private - */ - function _createAssociateRequest($endpoint, $assoc_type, $session_type) - { - if (array_key_exists($session_type, $this->session_types)) { - $session_type_class = $this->session_types[$session_type]; - - if (is_callable($session_type_class)) { - $assoc_session = $session_type_class(); - } else { - $assoc_session = new $session_type_class(); - } - } else { - return null; - } - - $args = array( - 'mode' => 'associate', - 'assoc_type' => $assoc_type); - - if (!$endpoint->compatibilityMode()) { - $args['ns'] = Auth_OpenID_OPENID2_NS; - } - - // Leave out the session type if we're in compatibility mode - // *and* it's no-encryption. - if ((!$endpoint->compatibilityMode()) || - ($assoc_session->session_type != 'no-encryption')) { - $args['session_type'] = $assoc_session->session_type; - } - - $args = array_merge($args, $assoc_session->getRequest()); - $message = Auth_OpenID_Message::fromOpenIDArgs($args); - return array($assoc_session, $message); - } - - /** - * Given an association response message, extract the OpenID 1.X - * session type. - * - * This function mostly takes care of the 'no-encryption' default - * behavior in OpenID 1. - * - * If the association type is plain-text, this function will - * return 'no-encryption' - * - * @access private - * @return $typ The association type for this message - */ - function _getOpenID1SessionType($assoc_response) - { - // If it's an OpenID 1 message, allow session_type to default - // to None (which signifies "no-encryption") - $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS, - 'session_type'); - - // Handle the differences between no-encryption association - // respones in OpenID 1 and 2: - - // no-encryption is not really a valid session type for OpenID - // 1, but we'll accept it anyway, while issuing a warning. - if ($session_type == 'no-encryption') { - // oidutil.log('WARNING: OpenID server sent "no-encryption"' - // 'for OpenID 1.X') - } else if (($session_type == '') || ($session_type === null)) { - // Missing or empty session type is the way to flag a - // 'no-encryption' response. Change the session type to - // 'no-encryption' so that it can be handled in the same - // way as OpenID 2 'no-encryption' respones. - $session_type = 'no-encryption'; - } - - return $session_type; - } -} - -/** - * This class represents an authentication request from a consumer to - * an OpenID server. - * - * @package OpenID - */ -class Auth_OpenID_AuthRequest { - - /** - * Initialize an authentication request with the specified token, - * association, and endpoint. - * - * Users of this library should not create instances of this - * class. Instances of this class are created by the library when - * needed. - */ - function Auth_OpenID_AuthRequest($endpoint, $assoc) - { - $this->assoc = $assoc; - $this->endpoint = $endpoint; - $this->return_to_args = array(); - $this->message = new Auth_OpenID_Message( - $endpoint->preferredNamespace()); - $this->_anonymous = false; - } - - /** - * Add an extension to this checkid request. - * - * $extension_request: An object that implements the extension - * request interface for adding arguments to an OpenID message. - */ - function addExtension($extension_request) - { - $extension_request->toMessage($this->message); - } - - /** - * Add an extension argument to this OpenID authentication - * request. - * - * Use caution when adding arguments, because they will be - * URL-escaped and appended to the redirect URL, which can easily - * get quite long. - * - * @param string $namespace The namespace for the extension. For - * example, the simple registration extension uses the namespace - * 'sreg'. - * - * @param string $key The key within the extension namespace. For - * example, the nickname field in the simple registration - * extension's key is 'nickname'. - * - * @param string $value The value to provide to the server for - * this argument. - */ - function addExtensionArg($namespace, $key, $value) - { - return $this->message->setArg($namespace, $key, $value); - } - - /** - * Set whether this request should be made anonymously. If a - * request is anonymous, the identifier will not be sent in the - * request. This is only useful if you are making another kind of - * request with an extension in this request. - * - * Anonymous requests are not allowed when the request is made - * with OpenID 1. - */ - function setAnonymous($is_anonymous) - { - if ($is_anonymous && $this->message->isOpenID1()) { - return false; - } else { - $this->_anonymous = $is_anonymous; - return true; - } - } - - /** - * Produce a {@link Auth_OpenID_Message} representing this - * request. - * - * @param string $realm The URL (or URL pattern) that identifies - * your web site to the user when she is authorizing it. - * - * @param string $return_to The URL that the OpenID provider will - * send the user back to after attempting to verify her identity. - * - * Not specifying a return_to URL means that the user will not be - * returned to the site issuing the request upon its completion. - * - * @param bool $immediate If true, the OpenID provider is to send - * back a response immediately, useful for behind-the-scenes - * authentication attempts. Otherwise the OpenID provider may - * engage the user before providing a response. This is the - * default case, as the user may need to provide credentials or - * approve the request before a positive response can be sent. - */ - function getMessage($realm, $return_to=null, $immediate=false) - { - if ($return_to) { - $return_to = Auth_OpenID::appendArgs($return_to, - $this->return_to_args); - } else if ($immediate) { - // raise ValueError( - // '"return_to" is mandatory when - //using "checkid_immediate"') - return new Auth_OpenID_FailureResponse(null, - "'return_to' is mandatory when using checkid_immediate"); - } else if ($this->message->isOpenID1()) { - // raise ValueError('"return_to" is - // mandatory for OpenID 1 requests') - return new Auth_OpenID_FailureResponse(null, - "'return_to' is mandatory for OpenID 1 requests"); - } else if ($this->return_to_args) { - // raise ValueError('extra "return_to" arguments - // were specified, but no return_to was specified') - return new Auth_OpenID_FailureResponse(null, - "extra 'return_to' arguments where specified, " . - "but no return_to was specified"); - } - - if ($immediate) { - $mode = 'checkid_immediate'; - } else { - $mode = 'checkid_setup'; - } - - $message = $this->message->copy(); - if ($message->isOpenID1()) { - $realm_key = 'trust_root'; - } else { - $realm_key = 'realm'; - } - - $message->updateArgs(Auth_OpenID_OPENID_NS, - array( - $realm_key => $realm, - 'mode' => $mode, - 'return_to' => $return_to)); - - if (!$this->_anonymous) { - if ($this->endpoint->isOPIdentifier()) { - // This will never happen when we're in compatibility - // mode, as long as isOPIdentifier() returns False - // whenever preferredNamespace() returns OPENID1_NS. - $claimed_id = $request_identity = - Auth_OpenID_IDENTIFIER_SELECT; - } else { - $request_identity = $this->endpoint->getLocalID(); - $claimed_id = $this->endpoint->claimed_id; - } - - // This is true for both OpenID 1 and 2 - $message->setArg(Auth_OpenID_OPENID_NS, 'identity', - $request_identity); - - if ($message->isOpenID2()) { - $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id', - $claimed_id); - } - } - - if ($this->assoc) { - $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', - $this->assoc->handle); - } - - return $message; - } - - function redirectURL($realm, $return_to = null, - $immediate = false) - { - $message = $this->getMessage($realm, $return_to, $immediate); - - if (Auth_OpenID::isFailure($message)) { - return $message; - } - - return $message->toURL($this->endpoint->server_url); - } - - /** - * Get html for a form to submit this request to the IDP. - * - * form_tag_attrs: An array of attributes to be added to the form - * tag. 'accept-charset' and 'enctype' have defaults that can be - * overridden. If a value is supplied for 'action' or 'method', it - * will be replaced. - */ - function formMarkup($realm, $return_to=null, $immediate=false, - $form_tag_attrs=null) - { - $message = $this->getMessage($realm, $return_to, $immediate); - - if (Auth_OpenID::isFailure($message)) { - return $message; - } - - return $message->toFormMarkup($this->endpoint->server_url, - $form_tag_attrs); - } - - /** - * Get a complete html document that will autosubmit the request - * to the IDP. - * - * Wraps formMarkup. See the documentation for that function. - */ - function htmlMarkup($realm, $return_to=null, $immediate=false, - $form_tag_attrs=null) - { - $form = $this->formMarkup($realm, $return_to, $immediate, - $form_tag_attrs); - - if (Auth_OpenID::isFailure($form)) { - return $form; - } - return Auth_OpenID::autoSubmitHTML($form); - } - - function shouldSendRedirect() - { - return $this->endpoint->compatibilityMode(); - } -} - -/** - * The base class for responses from the Auth_OpenID_Consumer. - * - * @package OpenID - */ -class Auth_OpenID_ConsumerResponse { - var $status = null; - - function setEndpoint($endpoint) - { - $this->endpoint = $endpoint; - if ($endpoint === null) { - $this->identity_url = null; - } else { - $this->identity_url = $endpoint->claimed_id; - } - } - - /** - * Return the display identifier for this response. - * - * The display identifier is related to the Claimed Identifier, but the - * two are not always identical. The display identifier is something the - * user should recognize as what they entered, whereas the response's - * claimed identifier (in the identity_url attribute) may have extra - * information for better persistence. - * - * URLs will be stripped of their fragments for display. XRIs will - * display the human-readable identifier (i-name) instead of the - * persistent identifier (i-number). - * - * Use the display identifier in your user interface. Use - * identity_url for querying your database or authorization server. - * - */ - function getDisplayIdentifier() - { - if ($this->endpoint !== null) { - return $this->endpoint->getDisplayIdentifier(); - } - return null; - } -} - -/** - * A response with a status of Auth_OpenID_SUCCESS. Indicates that - * this request is a successful acknowledgement from the OpenID server - * that the supplied URL is, indeed controlled by the requesting - * agent. This has three relevant attributes: - * - * claimed_id - The identity URL that has been authenticated - * - * signed_args - The arguments in the server's response that were - * signed and verified. - * - * status - Auth_OpenID_SUCCESS. - * - * @package OpenID - */ -class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse { - var $status = Auth_OpenID_SUCCESS; - - /** - * @access private - */ - function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null) - { - $this->endpoint = $endpoint; - $this->identity_url = $endpoint->claimed_id; - $this->signed_args = $signed_args; - $this->message = $message; - - if ($this->signed_args === null) { - $this->signed_args = array(); - } - } - - /** - * Extract signed extension data from the server's response. - * - * @param string $prefix The extension namespace from which to - * extract the extension data. - */ - function extensionResponse($namespace_uri, $require_signed) - { - if ($require_signed) { - return $this->getSignedNS($namespace_uri); - } else { - return $this->message->getArgs($namespace_uri); - } - } - - function isOpenID1() - { - return $this->message->isOpenID1(); - } - - function isSigned($ns_uri, $ns_key) - { - // Return whether a particular key is signed, regardless of - // its namespace alias - return in_array($this->message->getKey($ns_uri, $ns_key), - $this->signed_args); - } - - function getSigned($ns_uri, $ns_key, $default = null) - { - // Return the specified signed field if available, otherwise - // return default - if ($this->isSigned($ns_uri, $ns_key)) { - return $this->message->getArg($ns_uri, $ns_key, $default); - } else { - return $default; - } - } - - function getSignedNS($ns_uri) - { - $args = array(); - - $msg_args = $this->message->getArgs($ns_uri); - if (Auth_OpenID::isFailure($msg_args)) { - return null; - } - - foreach ($msg_args as $key => $value) { - if (!$this->isSigned($ns_uri, $key)) { - unset($msg_args[$key]); - } - } - - return $msg_args; - } - - /** - * Get the openid.return_to argument from this response. - * - * This is useful for verifying that this request was initiated by - * this consumer. - * - * @return string $return_to The return_to URL supplied to the - * server on the initial request, or null if the response did not - * contain an 'openid.return_to' argument. - */ - function getReturnTo() - { - return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to'); - } -} - -/** - * A response with a status of Auth_OpenID_FAILURE. Indicates that the - * OpenID protocol has failed. This could be locally or remotely - * triggered. This has three relevant attributes: - * - * claimed_id - The identity URL for which authentication was - * attempted, if it can be determined. Otherwise, null. - * - * message - A message indicating why the request failed, if one is - * supplied. Otherwise, null. - * - * status - Auth_OpenID_FAILURE. - * - * @package OpenID - */ -class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse { - var $status = Auth_OpenID_FAILURE; - - function Auth_OpenID_FailureResponse($endpoint, $message = null, - $contact = null, $reference = null) - { - $this->setEndpoint($endpoint); - $this->message = $message; - $this->contact = $contact; - $this->reference = $reference; - } -} - -/** - * A specific, internal failure used to detect type URI mismatch. - * - * @package OpenID - */ -class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse { -} - -/** - * Exception that is raised when the server returns a 400 response - * code to a direct request. - * - * @package OpenID - */ -class Auth_OpenID_ServerErrorContainer { - function Auth_OpenID_ServerErrorContainer($error_text, - $error_code, - $message) - { - $this->error_text = $error_text; - $this->error_code = $error_code; - $this->message = $message; - } - - /** - * @access private - */ - static function fromMessage($message) - { - $error_text = $message->getArg( - Auth_OpenID_OPENID_NS, 'error', ''); - $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code'); - return new Auth_OpenID_ServerErrorContainer($error_text, - $error_code, - $message); - } -} - -/** - * A response with a status of Auth_OpenID_CANCEL. Indicates that the - * user cancelled the OpenID authentication request. This has two - * relevant attributes: - * - * claimed_id - The identity URL for which authentication was - * attempted, if it can be determined. Otherwise, null. - * - * status - Auth_OpenID_SUCCESS. - * - * @package OpenID - */ -class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse { - var $status = Auth_OpenID_CANCEL; - - function Auth_OpenID_CancelResponse($endpoint) - { - $this->setEndpoint($endpoint); - } -} - -/** - * A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates - * that the request was in immediate mode, and the server is unable to - * authenticate the user without further interaction. - * - * claimed_id - The identity URL for which authentication was - * attempted. - * - * setup_url - A URL that can be used to send the user to the server - * to set up for authentication. The user should be redirected in to - * the setup_url, either in the current window or in a new browser - * window. Null in OpenID 2. - * - * status - Auth_OpenID_SETUP_NEEDED. - * - * @package OpenID - */ -class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse { - var $status = Auth_OpenID_SETUP_NEEDED; - - function Auth_OpenID_SetupNeededResponse($endpoint, - $setup_url = null) - { - $this->setEndpoint($endpoint); - $this->setup_url = $setup_url; - } -} - - diff --git a/models/Auth/OpenID/CryptUtil.php b/models/Auth/OpenID/CryptUtil.php deleted file mode 100644 index a92626777..000000000 --- a/models/Auth/OpenID/CryptUtil.php +++ /dev/null @@ -1,108 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -if (!defined('Auth_OpenID_RAND_SOURCE')) { - /** - * The filename for a source of random bytes. Define this yourself - * if you have a different source of randomness. - */ - define('Auth_OpenID_RAND_SOURCE', '/dev/urandom'); -} - -class Auth_OpenID_CryptUtil { - /** - * Get the specified number of random bytes. - * - * Attempts to use a cryptographically secure (not predictable) - * source of randomness if available. If there is no high-entropy - * randomness source available, it will fail. As a last resort, - * for non-critical systems, define - * Auth_OpenID_RAND_SOURCE as null, and - * the code will fall back on a pseudo-random number generator. - * - * @param int $num_bytes The length of the return value - * @return string $bytes random bytes - */ - static function getBytes($num_bytes) - { - static $f = null; - $bytes = ''; - if ($f === null) { - if (Auth_OpenID_RAND_SOURCE === null) { - $f = false; - } else { - $f = @fopen(Auth_OpenID_RAND_SOURCE, "r"); - if ($f === false) { - $msg = 'Define Auth_OpenID_RAND_SOURCE as null to ' . - ' continue with an insecure random number generator.'; - trigger_error($msg, E_USER_ERROR); - } - } - } - if ($f === false) { - // pseudorandom used - $bytes = ''; - for ($i = 0; $i < $num_bytes; $i += 4) { - $bytes .= pack('L', mt_rand()); - } - $bytes = substr($bytes, 0, $num_bytes); - } else { - $bytes = fread($f, $num_bytes); - } - return $bytes; - } - - /** - * Produce a string of length random bytes, chosen from chrs. If - * $chrs is null, the resulting string may contain any characters. - * - * @param integer $length The length of the resulting - * randomly-generated string - * @param string $chrs A string of characters from which to choose - * to build the new string - * @return string $result A string of randomly-chosen characters - * from $chrs - */ - static function randomString($length, $population = null) - { - if ($population === null) { - return Auth_OpenID_CryptUtil::getBytes($length); - } - - $popsize = strlen($population); - - if ($popsize > 256) { - $msg = 'More than 256 characters supplied to ' . __FUNCTION__; - trigger_error($msg, E_USER_ERROR); - } - - $duplicate = 256 % $popsize; - - $str = ""; - for ($i = 0; $i < $length; $i++) { - do { - $n = ord(Auth_OpenID_CryptUtil::getBytes(1)); - } while ($n < $duplicate); - - $n %= $popsize; - $str .= $population[$n]; - } - - return $str; - } -} - diff --git a/models/Auth/OpenID/DatabaseConnection.php b/models/Auth/OpenID/DatabaseConnection.php deleted file mode 100644 index 0c7d08f91..000000000 --- a/models/Auth/OpenID/DatabaseConnection.php +++ /dev/null @@ -1,130 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * An empty base class intended to emulate PEAR connection - * functionality in applications that supply their own database - * abstraction mechanisms. See {@link Auth_OpenID_SQLStore} for more - * information. You should subclass this class if you need to create - * an SQL store that needs to access its database using an - * application's database abstraction layer instead of a PEAR database - * connection. Any subclass of Auth_OpenID_DatabaseConnection MUST - * adhere to the interface specified here. - * - * @package OpenID - */ -class Auth_OpenID_DatabaseConnection { - /** - * Sets auto-commit mode on this database connection. - * - * @param bool $mode True if auto-commit is to be used; false if - * not. - */ - function autoCommit($mode) - { - } - - /** - * Run an SQL query with the specified parameters, if any. - * - * @param string $sql An SQL string with placeholders. The - * placeholders are assumed to be specific to the database engine - * for this connection. - * - * @param array $params An array of parameters to insert into the - * SQL string using this connection's escaping mechanism. - * - * @return mixed $result The result of calling this connection's - * internal query function. The type of result depends on the - * underlying database engine. This method is usually used when - * the result of a query is not important, like a DDL query. - */ - function query($sql, $params = array()) - { - } - - /** - * Starts a transaction on this connection, if supported. - */ - function begin() - { - } - - /** - * Commits a transaction on this connection, if supported. - */ - function commit() - { - } - - /** - * Performs a rollback on this connection, if supported. - */ - function rollback() - { - } - - /** - * Run an SQL query and return the first column of the first row - * of the result set, if any. - * - * @param string $sql An SQL string with placeholders. The - * placeholders are assumed to be specific to the database engine - * for this connection. - * - * @param array $params An array of parameters to insert into the - * SQL string using this connection's escaping mechanism. - * - * @return mixed $result The value of the first column of the - * first row of the result set. False if no such result was - * found. - */ - function getOne($sql, $params = array()) - { - } - - /** - * Run an SQL query and return the first row of the result set, if - * any. - * - * @param string $sql An SQL string with placeholders. The - * placeholders are assumed to be specific to the database engine - * for this connection. - * - * @param array $params An array of parameters to insert into the - * SQL string using this connection's escaping mechanism. - * - * @return array $result The first row of the result set, if any, - * keyed on column name. False if no such result was found. - */ - function getRow($sql, $params = array()) - { - } - - /** - * Run an SQL query with the specified parameters, if any. - * - * @param string $sql An SQL string with placeholders. The - * placeholders are assumed to be specific to the database engine - * for this connection. - * - * @param array $params An array of parameters to insert into the - * SQL string using this connection's escaping mechanism. - * - * @return array $result An array of arrays representing the - * result of the query; each array is keyed on column name. - */ - function getAll($sql, $params = array()) - { - } -} - diff --git a/models/Auth/OpenID/DiffieHellman.php b/models/Auth/OpenID/DiffieHellman.php deleted file mode 100644 index 3e25b7dbb..000000000 --- a/models/Auth/OpenID/DiffieHellman.php +++ /dev/null @@ -1,113 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -require_once 'Auth/OpenID.php'; -require_once 'Auth/OpenID/BigMath.php'; - -function Auth_OpenID_getDefaultMod() -{ - return '155172898181473697471232257763715539915724801'. - '966915404479707795314057629378541917580651227423'. - '698188993727816152646631438561595825688188889951'. - '272158842675419950341258706556549803580104870537'. - '681476726513255747040765857479291291572334510643'. - '245094715007229621094194349783925984760375594985'. - '848253359305585439638443'; -} - -function Auth_OpenID_getDefaultGen() -{ - return '2'; -} - -/** - * The Diffie-Hellman key exchange class. This class relies on - * {@link Auth_OpenID_MathLibrary} to perform large number operations. - * - * @access private - * @package OpenID - */ -class Auth_OpenID_DiffieHellman { - - var $mod; - var $gen; - var $private; - var $lib = null; - - function Auth_OpenID_DiffieHellman($mod = null, $gen = null, - $private = null, $lib = null) - { - if ($lib === null) { - $this->lib = Auth_OpenID_getMathLib(); - } else { - $this->lib = $lib; - } - - if ($mod === null) { - $this->mod = $this->lib->init(Auth_OpenID_getDefaultMod()); - } else { - $this->mod = $mod; - } - - if ($gen === null) { - $this->gen = $this->lib->init(Auth_OpenID_getDefaultGen()); - } else { - $this->gen = $gen; - } - - if ($private === null) { - $r = $this->lib->rand($this->mod); - $this->private = $this->lib->add($r, 1); - } else { - $this->private = $private; - } - - $this->public = $this->lib->powmod($this->gen, $this->private, - $this->mod); - } - - function getSharedSecret($composite) - { - return $this->lib->powmod($composite, $this->private, $this->mod); - } - - function getPublicKey() - { - return $this->public; - } - - function usingDefaultValues() - { - return ($this->mod == Auth_OpenID_getDefaultMod() && - $this->gen == Auth_OpenID_getDefaultGen()); - } - - function xorSecret($composite, $secret, $hash_func) - { - $dh_shared = $this->getSharedSecret($composite); - $dh_shared_str = $this->lib->longToBinary($dh_shared); - $hash_dh_shared = $hash_func($dh_shared_str); - - $xsecret = ""; - for ($i = 0; $i < Auth_OpenID::bytes($secret); $i++) { - $xsecret .= chr(ord($secret[$i]) ^ ord($hash_dh_shared[$i])); - } - - return $xsecret; - } -} - - diff --git a/models/Auth/OpenID/Discover.php b/models/Auth/OpenID/Discover.php deleted file mode 100644 index 7b0c640c5..000000000 --- a/models/Auth/OpenID/Discover.php +++ /dev/null @@ -1,606 +0,0 @@ -claimed_id = null; - $this->server_url = null; - $this->type_uris = array(); - $this->local_id = null; - $this->canonicalID = null; - $this->used_yadis = false; // whether this came from an XRDS - $this->display_identifier = null; - } - - function getDisplayIdentifier() - { - if ($this->display_identifier) { - return $this->display_identifier; - } - if (! $this->claimed_id) { - return $this->claimed_id; - } - $parsed = parse_url($this->claimed_id); - $scheme = $parsed['scheme']; - $host = $parsed['host']; - $path = $parsed['path']; - if (array_key_exists('query', $parsed)) { - $query = $parsed['query']; - $no_frag = "$scheme://$host$path?$query"; - } else { - $no_frag = "$scheme://$host$path"; - } - return $no_frag; - } - - function usesExtension($extension_uri) - { - return in_array($extension_uri, $this->type_uris); - } - - function preferredNamespace() - { - if (in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris) || - in_array(Auth_OpenID_TYPE_2_0, $this->type_uris)) { - return Auth_OpenID_OPENID2_NS; - } else { - return Auth_OpenID_OPENID1_NS; - } - } - - /* - * Query this endpoint to see if it has any of the given type - * URIs. This is useful for implementing other endpoint classes - * that e.g. need to check for the presence of multiple versions - * of a single protocol. - * - * @param $type_uris The URIs that you wish to check - * - * @return all types that are in both in type_uris and - * $this->type_uris - */ - function matchTypes($type_uris) - { - $result = array(); - foreach ($type_uris as $test_uri) { - if ($this->supportsType($test_uri)) { - $result[] = $test_uri; - } - } - - return $result; - } - - function supportsType($type_uri) - { - // Does this endpoint support this type? - return ((in_array($type_uri, $this->type_uris)) || - (($type_uri == Auth_OpenID_TYPE_2_0) && - $this->isOPIdentifier())); - } - - function compatibilityMode() - { - return $this->preferredNamespace() != Auth_OpenID_OPENID2_NS; - } - - function isOPIdentifier() - { - return in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris); - } - - static function fromOPEndpointURL($op_endpoint_url) - { - // Construct an OP-Identifier OpenIDServiceEndpoint object for - // a given OP Endpoint URL - $obj = new Auth_OpenID_ServiceEndpoint(); - $obj->server_url = $op_endpoint_url; - $obj->type_uris = array(Auth_OpenID_TYPE_2_0_IDP); - return $obj; - } - - function parseService($yadis_url, $uri, $type_uris, $service_element) - { - // Set the state of this object based on the contents of the - // service element. Return true if successful, false if not - // (if findOPLocalIdentifier returns false). - $this->type_uris = $type_uris; - $this->server_url = $uri; - $this->used_yadis = true; - - if (!$this->isOPIdentifier()) { - $this->claimed_id = $yadis_url; - $this->local_id = Auth_OpenID_findOPLocalIdentifier( - $service_element, - $this->type_uris); - if ($this->local_id === false) { - return false; - } - } - - return true; - } - - function getLocalID() - { - // Return the identifier that should be sent as the - // openid.identity_url parameter to the server. - if ($this->local_id === null && $this->canonicalID === null) { - return $this->claimed_id; - } else { - if ($this->local_id) { - return $this->local_id; - } else { - return $this->canonicalID; - } - } - } - - /* - * Parse the given document as XRDS looking for OpenID consumer services. - * - * @return array of Auth_OpenID_ServiceEndpoint or null if the - * document cannot be parsed. - */ - function consumerFromXRDS($uri, $xrds_text) - { - $xrds =& Auth_Yadis_XRDS::parseXRDS($xrds_text); - - if ($xrds) { - $yadis_services = - $xrds->services(array('filter_MatchesAnyOpenIDConsumerType')); - return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); - } - - return null; - } - - /* - * Parse the given document as XRDS looking for OpenID services. - * - * @return array of Auth_OpenID_ServiceEndpoint or null if the - * document cannot be parsed. - */ - static function fromXRDS($uri, $xrds_text) - { - $xrds = Auth_Yadis_XRDS::parseXRDS($xrds_text); - - if ($xrds) { - $yadis_services = - $xrds->services(array('filter_MatchesAnyOpenIDType')); - return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); - } - - return null; - } - - /* - * Create endpoints from a DiscoveryResult. - * - * @param discoveryResult Auth_Yadis_DiscoveryResult - * @return array of Auth_OpenID_ServiceEndpoint or null if - * endpoints cannot be created. - */ - static function fromDiscoveryResult($discoveryResult) - { - if ($discoveryResult->isXRDS()) { - return Auth_OpenID_ServiceEndpoint::fromXRDS( - $discoveryResult->normalized_uri, - $discoveryResult->response_text); - } else { - return Auth_OpenID_ServiceEndpoint::fromHTML( - $discoveryResult->normalized_uri, - $discoveryResult->response_text); - } - } - - static function fromHTML($uri, $html) - { - $discovery_types = array( - array(Auth_OpenID_TYPE_2_0, - 'openid2.provider', 'openid2.local_id'), - array(Auth_OpenID_TYPE_1_1, - 'openid.server', 'openid.delegate') - ); - - $services = array(); - - foreach ($discovery_types as $triple) { - list($type_uri, $server_rel, $delegate_rel) = $triple; - - $urls = Auth_OpenID_legacy_discover($html, $server_rel, - $delegate_rel); - - if ($urls === false) { - continue; - } - - list($delegate_url, $server_url) = $urls; - - $service = new Auth_OpenID_ServiceEndpoint(); - $service->claimed_id = $uri; - $service->local_id = $delegate_url; - $service->server_url = $server_url; - $service->type_uris = array($type_uri); - - $services[] = $service; - } - - return $services; - } - - function copy() - { - $x = new Auth_OpenID_ServiceEndpoint(); - - $x->claimed_id = $this->claimed_id; - $x->server_url = $this->server_url; - $x->type_uris = $this->type_uris; - $x->local_id = $this->local_id; - $x->canonicalID = $this->canonicalID; - $x->used_yadis = $this->used_yadis; - - return $x; - } -} - -function Auth_OpenID_findOPLocalIdentifier($service, $type_uris) -{ - // Extract a openid:Delegate value from a Yadis Service element. - // If no delegate is found, returns null. Returns false on - // discovery failure (when multiple delegate/localID tags have - // different values). - - $service->parser->registerNamespace('openid', - Auth_OpenID_XMLNS_1_0); - - $service->parser->registerNamespace('xrd', - Auth_Yadis_XMLNS_XRD_2_0); - - $parser = $service->parser; - - $permitted_tags = array(); - - if (in_array(Auth_OpenID_TYPE_1_1, $type_uris) || - in_array(Auth_OpenID_TYPE_1_0, $type_uris)) { - $permitted_tags[] = 'openid:Delegate'; - } - - if (in_array(Auth_OpenID_TYPE_2_0, $type_uris)) { - $permitted_tags[] = 'xrd:LocalID'; - } - - $local_id = null; - - foreach ($permitted_tags as $tag_name) { - $tags = $service->getElements($tag_name); - - foreach ($tags as $tag) { - $content = $parser->content($tag); - - if ($local_id === null) { - $local_id = $content; - } else if ($local_id != $content) { - return false; - } - } - } - - return $local_id; -} - -function filter_MatchesAnyOpenIDType($service) -{ - $uris = $service->getTypes(); - - foreach ($uris as $uri) { - if (in_array($uri, Auth_OpenID_getOpenIDTypeURIs())) { - return true; - } - } - - return false; -} - -function filter_MatchesAnyOpenIDConsumerType(&$service) -{ - $uris = $service->getTypes(); - - foreach ($uris as $uri) { - if (in_array($uri, Auth_OpenID_getOpenIDConsumerTypeURIs())) { - return true; - } - } - - return false; -} - -function Auth_OpenID_bestMatchingService($service, $preferred_types) -{ - // Return the index of the first matching type, or something - // higher if no type matches. - // - // This provides an ordering in which service elements that - // contain a type that comes earlier in the preferred types list - // come before service elements that come later. If a service - // element has more than one type, the most preferred one wins. - - foreach ($preferred_types as $index => $typ) { - if (in_array($typ, $service->type_uris)) { - return $index; - } - } - - return count($preferred_types); -} - -function Auth_OpenID_arrangeByType($service_list, $preferred_types) -{ - // Rearrange service_list in a new list so services are ordered by - // types listed in preferred_types. Return the new list. - - // Build a list with the service elements in tuples whose - // comparison will prefer the one with the best matching service - $prio_services = array(); - foreach ($service_list as $index => $service) { - $prio_services[] = array(Auth_OpenID_bestMatchingService($service, - $preferred_types), - $index, $service); - } - - sort($prio_services); - - // Now that the services are sorted by priority, remove the sort - // keys from the list. - foreach ($prio_services as $index => $s) { - $prio_services[$index] = $prio_services[$index][2]; - } - - return $prio_services; -} - -// Extract OP Identifier services. If none found, return the rest, -// sorted with most preferred first according to -// OpenIDServiceEndpoint.openid_type_uris. -// -// openid_services is a list of OpenIDServiceEndpoint objects. -// -// Returns a list of OpenIDServiceEndpoint objects.""" -function Auth_OpenID_getOPOrUserServices($openid_services) -{ - $op_services = Auth_OpenID_arrangeByType($openid_services, - array(Auth_OpenID_TYPE_2_0_IDP)); - - $openid_services = Auth_OpenID_arrangeByType($openid_services, - Auth_OpenID_getOpenIDTypeURIs()); - - if ($op_services) { - return $op_services; - } else { - return $openid_services; - } -} - -function Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services) -{ - $s = array(); - - if (!$yadis_services) { - return $s; - } - - foreach ($yadis_services as $service) { - $type_uris = $service->getTypes(); - $uris = $service->getURIs(); - - // If any Type URIs match and there is an endpoint URI - // specified, then this is an OpenID endpoint - if ($type_uris && - $uris) { - foreach ($uris as $service_uri) { - $openid_endpoint = new Auth_OpenID_ServiceEndpoint(); - if ($openid_endpoint->parseService($uri, - $service_uri, - $type_uris, - $service)) { - $s[] = $openid_endpoint; - } - } - } - } - - return $s; -} - -function Auth_OpenID_discoverWithYadis($uri, $fetcher, - $endpoint_filter='Auth_OpenID_getOPOrUserServices', - $discover_function=null) -{ - // Discover OpenID services for a URI. Tries Yadis and falls back - // on old-style discovery if Yadis fails. - - // Might raise a yadis.discover.DiscoveryFailure if no document - // came back for that URI at all. I don't think falling back to - // OpenID 1.0 discovery on the same URL will help, so don't bother - // to catch it. - if ($discover_function === null) { - $discover_function = array('Auth_Yadis_Yadis', 'discover'); - } - - $openid_services = array(); - - $response = call_user_func_array($discover_function, - array($uri, $fetcher)); - - $yadis_url = $response->normalized_uri; - $yadis_services = array(); - - if ($response->isFailure() && !$response->isXRDS()) { - return array($uri, array()); - } - - $openid_services = Auth_OpenID_ServiceEndpoint::fromXRDS( - $yadis_url, - $response->response_text); - - if (!$openid_services) { - if ($response->isXRDS()) { - return Auth_OpenID_discoverWithoutYadis($uri, - $fetcher); - } - - // Try to parse the response as HTML to get OpenID 1.0/1.1 - // - $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( - $yadis_url, - $response->response_text); - } - - $openid_services = call_user_func_array($endpoint_filter, - array($openid_services)); - - return array($yadis_url, $openid_services); -} - -function Auth_OpenID_discoverURI($uri, $fetcher) -{ - $uri = Auth_OpenID::normalizeUrl($uri); - return Auth_OpenID_discoverWithYadis($uri, $fetcher); -} - -function Auth_OpenID_discoverWithoutYadis($uri, $fetcher) -{ - $http_resp = @$fetcher->get($uri); - - if ($http_resp->status != 200 and $http_resp->status != 206) { - return array($uri, array()); - } - - $identity_url = $http_resp->final_url; - - // Try to parse the response as HTML to get OpenID 1.0/1.1 - $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( - $identity_url, - $http_resp->body); - - return array($identity_url, $openid_services); -} - -function Auth_OpenID_discoverXRI($iname, $fetcher) -{ - $resolver = new Auth_Yadis_ProxyResolver($fetcher); - list($canonicalID, $yadis_services) = - $resolver->query($iname, - Auth_OpenID_getOpenIDTypeURIs(), - array('filter_MatchesAnyOpenIDType')); - - $openid_services = Auth_OpenID_makeOpenIDEndpoints($iname, - $yadis_services); - - $openid_services = Auth_OpenID_getOPOrUserServices($openid_services); - - for ($i = 0; $i < count($openid_services); $i++) { - $openid_services[$i]->canonicalID = $canonicalID; - $openid_services[$i]->claimed_id = $canonicalID; - $openid_services[$i]->display_identifier = $iname; - } - - // FIXME: returned xri should probably be in some normal form - return array($iname, $openid_services); -} - -function Auth_OpenID_discover($uri, $fetcher) -{ - // If the fetcher (i.e., PHP) doesn't support SSL, we can't do - // discovery on an HTTPS URL. - if ($fetcher->isHTTPS($uri) && !$fetcher->supportsSSL()) { - return array($uri, array()); - } - - if (Auth_Yadis_identifierScheme($uri) == 'XRI') { - $result = Auth_OpenID_discoverXRI($uri, $fetcher); - } else { - $result = Auth_OpenID_discoverURI($uri, $fetcher); - } - - // If the fetcher doesn't support SSL, we can't interact with - // HTTPS server URLs; remove those endpoints from the list. - if (!$fetcher->supportsSSL()) { - $http_endpoints = array(); - list($new_uri, $endpoints) = $result; - - foreach ($endpoints as $e) { - if (!$fetcher->isHTTPS($e->server_url)) { - $http_endpoints[] = $e; - } - } - - $result = array($new_uri, $http_endpoints); - } - - return $result; -} - - diff --git a/models/Auth/OpenID/DumbStore.php b/models/Auth/OpenID/DumbStore.php deleted file mode 100644 index e8f29ace5..000000000 --- a/models/Auth/OpenID/DumbStore.php +++ /dev/null @@ -1,99 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * Import the interface for creating a new store class. - */ -require_once 'Auth/OpenID/Interface.php'; -require_once 'Auth/OpenID/HMAC.php'; - -/** - * This is a store for use in the worst case, when you have no way of - * saving state on the consumer site. Using this store makes the - * consumer vulnerable to replay attacks, as it's unable to use - * nonces. Avoid using this store if it is at all possible. - * - * Most of the methods of this class are implementation details. - * Users of this class need to worry only about the constructor. - * - * @package OpenID - */ -class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore { - - /** - * Creates a new {@link Auth_OpenID_DumbStore} instance. For the security - * of the tokens generated by the library, this class attempts to - * at least have a secure implementation of getAuthKey. - * - * When you create an instance of this class, pass in a secret - * phrase. The phrase is hashed with sha1 to make it the correct - * length and form for an auth key. That allows you to use a long - * string as the secret phrase, which means you can make it very - * difficult to guess. - * - * Each {@link Auth_OpenID_DumbStore} instance that is created for use by - * your consumer site needs to use the same $secret_phrase. - * - * @param string secret_phrase The phrase used to create the auth - * key returned by getAuthKey - */ - function Auth_OpenID_DumbStore($secret_phrase) - { - $this->auth_key = Auth_OpenID_SHA1($secret_phrase); - } - - /** - * This implementation does nothing. - */ - function storeAssociation($server_url, $association) - { - } - - /** - * This implementation always returns null. - */ - function getAssociation($server_url, $handle = null) - { - return null; - } - - /** - * This implementation always returns false. - */ - function removeAssociation($server_url, $handle) - { - return false; - } - - /** - * In a system truly limited to dumb mode, nonces must all be - * accepted. This therefore always returns true, which makes - * replay attacks feasible. - */ - function useNonce($server_url, $timestamp, $salt) - { - return true; - } - - /** - * This method returns the auth key generated by the constructor. - */ - function getAuthKey() - { - return $this->auth_key; - } -} - diff --git a/models/Auth/OpenID/Extension.php b/models/Auth/OpenID/Extension.php deleted file mode 100644 index c4e38c038..000000000 --- a/models/Auth/OpenID/Extension.php +++ /dev/null @@ -1,61 +0,0 @@ -isOpenID1(); - $added = $message->namespaces->addAlias($this->ns_uri, - $this->ns_alias, - $implicit); - - if ($added === null) { - if ($message->namespaces->getAlias($this->ns_uri) != - $this->ns_alias) { - return null; - } - } - - $message->updateArgs($this->ns_uri, - $this->getExtensionArgs()); - return $message; - } -} - diff --git a/models/Auth/OpenID/FileStore.php b/models/Auth/OpenID/FileStore.php deleted file mode 100644 index 074421a0b..000000000 --- a/models/Auth/OpenID/FileStore.php +++ /dev/null @@ -1,618 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * Require base class for creating a new interface. - */ -require_once 'Auth/OpenID.php'; -require_once 'Auth/OpenID/Interface.php'; -require_once 'Auth/OpenID/HMAC.php'; -require_once 'Auth/OpenID/Nonce.php'; - -/** - * This is a filesystem-based store for OpenID associations and - * nonces. This store should be safe for use in concurrent systems on - * both windows and unix (excluding NFS filesystems). There are a - * couple race conditions in the system, but those failure cases have - * been set up in such a way that the worst-case behavior is someone - * having to try to log in a second time. - * - * Most of the methods of this class are implementation details. - * People wishing to just use this store need only pay attention to - * the constructor. - * - * @package OpenID - */ -class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore { - - /** - * Initializes a new {@link Auth_OpenID_FileStore}. This - * initializes the nonce and association directories, which are - * subdirectories of the directory passed in. - * - * @param string $directory This is the directory to put the store - * directories in. - */ - function Auth_OpenID_FileStore($directory) - { - if (!Auth_OpenID::ensureDir($directory)) { - trigger_error('Not a directory and failed to create: ' - . $directory, E_USER_ERROR); - } - $directory = realpath($directory); - - $this->directory = $directory; - $this->active = true; - - $this->nonce_dir = $directory . DIRECTORY_SEPARATOR . 'nonces'; - - $this->association_dir = $directory . DIRECTORY_SEPARATOR . - 'associations'; - - // Temp dir must be on the same filesystem as the assciations - // $directory. - $this->temp_dir = $directory . DIRECTORY_SEPARATOR . 'temp'; - - $this->max_nonce_age = 6 * 60 * 60; // Six hours, in seconds - - if (!$this->_setup()) { - trigger_error('Failed to initialize OpenID file store in ' . - $directory, E_USER_ERROR); - } - } - - function destroy() - { - Auth_OpenID_FileStore::_rmtree($this->directory); - $this->active = false; - } - - /** - * Make sure that the directories in which we store our data - * exist. - * - * @access private - */ - function _setup() - { - return (Auth_OpenID::ensureDir($this->nonce_dir) && - Auth_OpenID::ensureDir($this->association_dir) && - Auth_OpenID::ensureDir($this->temp_dir)); - } - - /** - * Create a temporary file on the same filesystem as - * $this->association_dir. - * - * The temporary directory should not be cleaned if there are any - * processes using the store. If there is no active process using - * the store, it is safe to remove all of the files in the - * temporary directory. - * - * @return array ($fd, $filename) - * @access private - */ - function _mktemp() - { - $name = Auth_OpenID_FileStore::_mkstemp($dir = $this->temp_dir); - $file_obj = @fopen($name, 'wb'); - if ($file_obj !== false) { - return array($file_obj, $name); - } else { - Auth_OpenID_FileStore::_removeIfPresent($name); - } - } - - function cleanupNonces() - { - global $Auth_OpenID_SKEW; - - $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); - $now = time(); - - $removed = 0; - // Check all nonces for expiry - foreach ($nonces as $nonce_fname) { - $base = basename($nonce_fname); - $parts = explode('-', $base, 2); - $timestamp = $parts[0]; - $timestamp = intval($timestamp, 16); - if (abs($timestamp - $now) > $Auth_OpenID_SKEW) { - Auth_OpenID_FileStore::_removeIfPresent($nonce_fname); - $removed += 1; - } - } - return $removed; - } - - /** - * Create a unique filename for a given server url and - * handle. This implementation does not assume anything about the - * format of the handle. The filename that is returned will - * contain the domain name from the server URL for ease of human - * inspection of the data directory. - * - * @return string $filename - */ - function getAssociationFilename($server_url, $handle) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - if (strpos($server_url, '://') === false) { - trigger_error(sprintf("Bad server URL: %s", $server_url), - E_USER_WARNING); - return null; - } - - list($proto, $rest) = explode('://', $server_url, 2); - $parts = explode('/', $rest); - $domain = Auth_OpenID_FileStore::_filenameEscape($parts[0]); - $url_hash = Auth_OpenID_FileStore::_safe64($server_url); - if ($handle) { - $handle_hash = Auth_OpenID_FileStore::_safe64($handle); - } else { - $handle_hash = ''; - } - - $filename = sprintf('%s-%s-%s-%s', $proto, $domain, $url_hash, - $handle_hash); - - return $this->association_dir. DIRECTORY_SEPARATOR . $filename; - } - - /** - * Store an association in the association directory. - */ - function storeAssociation($server_url, $association) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return false; - } - - $association_s = $association->serialize(); - $filename = $this->getAssociationFilename($server_url, - $association->handle); - list($tmp_file, $tmp) = $this->_mktemp(); - - if (!$tmp_file) { - trigger_error("_mktemp didn't return a valid file descriptor", - E_USER_WARNING); - return false; - } - - fwrite($tmp_file, $association_s); - - fflush($tmp_file); - - fclose($tmp_file); - - if (@rename($tmp, $filename)) { - return true; - } else { - // In case we are running on Windows, try unlinking the - // file in case it exists. - @unlink($filename); - - // Now the target should not exist. Try renaming again, - // giving up if it fails. - if (@rename($tmp, $filename)) { - return true; - } - } - - // If there was an error, don't leave the temporary file - // around. - Auth_OpenID_FileStore::_removeIfPresent($tmp); - return false; - } - - /** - * Retrieve an association. If no handle is specified, return the - * association with the most recent issue time. - * - * @return mixed $association - */ - function getAssociation($server_url, $handle = null) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - if ($handle === null) { - $handle = ''; - } - - // The filename with the empty handle is a prefix of all other - // associations for the given server URL. - $filename = $this->getAssociationFilename($server_url, $handle); - - if ($handle) { - return $this->_getAssociation($filename); - } else { - $association_files = - Auth_OpenID_FileStore::_listdir($this->association_dir); - $matching_files = array(); - - // strip off the path to do the comparison - $name = basename($filename); - foreach ($association_files as $association_file) { - $base = basename($association_file); - if (strpos($base, $name) === 0) { - $matching_files[] = $association_file; - } - } - - $matching_associations = array(); - // read the matching files and sort by time issued - foreach ($matching_files as $full_name) { - $association = $this->_getAssociation($full_name); - if ($association !== null) { - $matching_associations[] = array($association->issued, - $association); - } - } - - $issued = array(); - $assocs = array(); - foreach ($matching_associations as $key => $assoc) { - $issued[$key] = $assoc[0]; - $assocs[$key] = $assoc[1]; - } - - array_multisort($issued, SORT_DESC, $assocs, SORT_DESC, - $matching_associations); - - // return the most recently issued one. - if ($matching_associations) { - list($issued, $assoc) = $matching_associations[0]; - return $assoc; - } else { - return null; - } - } - } - - /** - * @access private - */ - function _getAssociation($filename) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - $assoc_file = @fopen($filename, 'rb'); - - if ($assoc_file === false) { - return null; - } - - $assoc_s = fread($assoc_file, filesize($filename)); - fclose($assoc_file); - - if (!$assoc_s) { - return null; - } - - $association = - Auth_OpenID_Association::deserialize('Auth_OpenID_Association', - $assoc_s); - - if (!$association) { - Auth_OpenID_FileStore::_removeIfPresent($filename); - return null; - } - - if ($association->getExpiresIn() == 0) { - Auth_OpenID_FileStore::_removeIfPresent($filename); - return null; - } else { - return $association; - } - } - - /** - * Remove an association if it exists. Do nothing if it does not. - * - * @return bool $success - */ - function removeAssociation($server_url, $handle) - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - $assoc = $this->getAssociation($server_url, $handle); - if ($assoc === null) { - return false; - } else { - $filename = $this->getAssociationFilename($server_url, $handle); - return Auth_OpenID_FileStore::_removeIfPresent($filename); - } - } - - /** - * Return whether this nonce is present. As a side effect, mark it - * as no longer present. - * - * @return bool $present - */ - function useNonce($server_url, $timestamp, $salt) - { - global $Auth_OpenID_SKEW; - - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) { - return false; - } - - if ($server_url) { - list($proto, $rest) = explode('://', $server_url, 2); - } else { - $proto = ''; - $rest = ''; - } - - $parts = explode('/', $rest, 2); - $domain = $this->_filenameEscape($parts[0]); - $url_hash = $this->_safe64($server_url); - $salt_hash = $this->_safe64($salt); - - $filename = sprintf('%08x-%s-%s-%s-%s', $timestamp, $proto, - $domain, $url_hash, $salt_hash); - $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $filename; - - $result = @fopen($filename, 'x'); - - if ($result === false) { - return false; - } else { - fclose($result); - return true; - } - } - - /** - * Remove expired entries from the database. This is potentially - * expensive, so only run when it is acceptable to take time. - * - * @access private - */ - function _allAssocs() - { - $all_associations = array(); - - $association_filenames = - Auth_OpenID_FileStore::_listdir($this->association_dir); - - foreach ($association_filenames as $association_filename) { - $association_file = fopen($association_filename, 'rb'); - - if ($association_file !== false) { - $assoc_s = fread($association_file, - filesize($association_filename)); - fclose($association_file); - - // Remove expired or corrupted associations - $association = - Auth_OpenID_Association::deserialize( - 'Auth_OpenID_Association', $assoc_s); - - if ($association === null) { - Auth_OpenID_FileStore::_removeIfPresent( - $association_filename); - } else { - if ($association->getExpiresIn() == 0) { - $all_associations[] = array($association_filename, - $association); - } - } - } - } - - return $all_associations; - } - - function clean() - { - if (!$this->active) { - trigger_error("FileStore no longer active", E_USER_ERROR); - return null; - } - - $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); - $now = time(); - - // Check all nonces for expiry - foreach ($nonces as $nonce) { - if (!Auth_OpenID_checkTimestamp($nonce, $now)) { - $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $nonce; - Auth_OpenID_FileStore::_removeIfPresent($filename); - } - } - - foreach ($this->_allAssocs() as $pair) { - list($assoc_filename, $assoc) = $pair; - if ($assoc->getExpiresIn() == 0) { - Auth_OpenID_FileStore::_removeIfPresent($assoc_filename); - } - } - } - - /** - * @access private - */ - function _rmtree($dir) - { - if ($dir[strlen($dir) - 1] != DIRECTORY_SEPARATOR) { - $dir .= DIRECTORY_SEPARATOR; - } - - if ($handle = opendir($dir)) { - while ($item = readdir($handle)) { - if (!in_array($item, array('.', '..'))) { - if (is_dir($dir . $item)) { - - if (!Auth_OpenID_FileStore::_rmtree($dir . $item)) { - return false; - } - } else if (is_file($dir . $item)) { - if (!unlink($dir . $item)) { - return false; - } - } - } - } - - closedir($handle); - - if (!@rmdir($dir)) { - return false; - } - - return true; - } else { - // Couldn't open directory. - return false; - } - } - - /** - * @access private - */ - function _mkstemp($dir) - { - foreach (range(0, 4) as $i) { - $name = tempnam($dir, "php_openid_filestore_"); - - if ($name !== false) { - return $name; - } - } - return false; - } - - /** - * @access private - */ - static function _mkdtemp($dir) - { - foreach (range(0, 4) as $i) { - $name = $dir . strval(DIRECTORY_SEPARATOR) . strval(getmypid()) . - "-" . strval(rand(1, time())); - if (!mkdir($name, 0700)) { - return false; - } else { - return $name; - } - } - return false; - } - - /** - * @access private - */ - function _listdir($dir) - { - $handle = opendir($dir); - $files = array(); - while (false !== ($filename = readdir($handle))) { - if (!in_array($filename, array('.', '..'))) { - $files[] = $dir . DIRECTORY_SEPARATOR . $filename; - } - } - return $files; - } - - /** - * @access private - */ - function _isFilenameSafe($char) - { - $_Auth_OpenID_filename_allowed = Auth_OpenID_letters . - Auth_OpenID_digits . "."; - return (strpos($_Auth_OpenID_filename_allowed, $char) !== false); - } - - /** - * @access private - */ - function _safe64($str) - { - $h64 = base64_encode(Auth_OpenID_SHA1($str)); - $h64 = str_replace('+', '_', $h64); - $h64 = str_replace('/', '.', $h64); - $h64 = str_replace('=', '', $h64); - return $h64; - } - - /** - * @access private - */ - function _filenameEscape($str) - { - $filename = ""; - $b = Auth_OpenID::toBytes($str); - - for ($i = 0; $i < count($b); $i++) { - $c = $b[$i]; - if (Auth_OpenID_FileStore::_isFilenameSafe($c)) { - $filename .= $c; - } else { - $filename .= sprintf("_%02X", ord($c)); - } - } - return $filename; - } - - /** - * Attempt to remove a file, returning whether the file existed at - * the time of the call. - * - * @access private - * @return bool $result True if the file was present, false if not. - */ - function _removeIfPresent($filename) - { - return @unlink($filename); - } - - function cleanupAssociations() - { - $removed = 0; - foreach ($this->_allAssocs() as $pair) { - list($assoc_filename, $assoc) = $pair; - if ($assoc->getExpiresIn() == 0) { - $this->_removeIfPresent($assoc_filename); - $removed += 1; - } - } - return $removed; - } -} - - diff --git a/models/Auth/OpenID/HMAC.php b/models/Auth/OpenID/HMAC.php deleted file mode 100644 index e9779bd4e..000000000 --- a/models/Auth/OpenID/HMAC.php +++ /dev/null @@ -1,98 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -require_once 'Auth/OpenID.php'; - -/** - * SHA1_BLOCKSIZE is this module's SHA1 blocksize used by the fallback - * implementation. - */ -define('Auth_OpenID_SHA1_BLOCKSIZE', 64); - -function Auth_OpenID_SHA1($text) -{ - if (function_exists('hash') && - function_exists('hash_algos') && - (in_array('sha1', hash_algos()))) { - // PHP 5 case (sometimes): 'hash' available and 'sha1' algo - // supported. - return hash('sha1', $text, true); - } else if (function_exists('sha1')) { - // PHP 4 case: 'sha1' available. - $hex = sha1($text); - $raw = ''; - for ($i = 0; $i < 40; $i += 2) { - $hexcode = substr($hex, $i, 2); - $charcode = (int)base_convert($hexcode, 16, 10); - $raw .= chr($charcode); - } - return $raw; - } else { - // Explode. - trigger_error('No SHA1 function found', E_USER_ERROR); - } -} - -/** - * Compute an HMAC/SHA1 hash. - * - * @access private - * @param string $key The HMAC key - * @param string $text The message text to hash - * @return string $mac The MAC - */ -function Auth_OpenID_HMACSHA1($key, $text) -{ - if (Auth_OpenID::bytes($key) > Auth_OpenID_SHA1_BLOCKSIZE) { - $key = Auth_OpenID_SHA1($key, true); - } - - $key = str_pad($key, Auth_OpenID_SHA1_BLOCKSIZE, chr(0x00)); - $ipad = str_repeat(chr(0x36), Auth_OpenID_SHA1_BLOCKSIZE); - $opad = str_repeat(chr(0x5c), Auth_OpenID_SHA1_BLOCKSIZE); - $hash1 = Auth_OpenID_SHA1(($key ^ $ipad) . $text, true); - $hmac = Auth_OpenID_SHA1(($key ^ $opad) . $hash1, true); - return $hmac; -} - -if (function_exists('hash') && - function_exists('hash_algos') && - (in_array('sha256', hash_algos()))) { - function Auth_OpenID_SHA256($text) - { - // PHP 5 case: 'hash' available and 'sha256' algo supported. - return hash('sha256', $text, true); - } - define('Auth_OpenID_SHA256_SUPPORTED', true); -} else { - define('Auth_OpenID_SHA256_SUPPORTED', false); -} - -if (function_exists('hash_hmac') && - function_exists('hash_algos') && - (in_array('sha256', hash_algos()))) { - - function Auth_OpenID_HMACSHA256($key, $text) - { - // Return raw MAC (not hex string). - return hash_hmac('sha256', $text, $key, true); - } - - define('Auth_OpenID_HMACSHA256_SUPPORTED', true); -} else { - define('Auth_OpenID_HMACSHA256_SUPPORTED', false); -} - diff --git a/models/Auth/OpenID/Interface.php b/models/Auth/OpenID/Interface.php deleted file mode 100644 index eca6b9c50..000000000 --- a/models/Auth/OpenID/Interface.php +++ /dev/null @@ -1,196 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * This is the interface for the store objects the OpenID library - * uses. It is a single class that provides all of the persistence - * mechanisms that the OpenID library needs, for both servers and - * consumers. If you want to create an SQL-driven store, please see - * then {@link Auth_OpenID_SQLStore} class. - * - * Change: Version 2.0 removed the storeNonce, getAuthKey, and isDumb - * methods, and changed the behavior of the useNonce method to support - * one-way nonces. - * - * @package OpenID - * @author JanRain, Inc. - */ -class Auth_OpenID_OpenIDStore { - /** - * This method puts an Association object into storage, - * retrievable by server URL and handle. - * - * @param string $server_url The URL of the identity server that - * this association is with. Because of the way the server portion - * of the library uses this interface, don't assume there are any - * limitations on the character set of the input string. In - * particular, expect to see unescaped non-url-safe characters in - * the server_url field. - * - * @param Association $association The Association to store. - */ - function storeAssociation($server_url, $association) - { - trigger_error("Auth_OpenID_OpenIDStore::storeAssociation ". - "not implemented", E_USER_ERROR); - } - - /* - * Remove expired nonces from the store. - * - * Discards any nonce from storage that is old enough that its - * timestamp would not pass useNonce(). - * - * This method is not called in the normal operation of the - * library. It provides a way for store admins to keep their - * storage from filling up with expired data. - * - * @return the number of nonces expired - */ - function cleanupNonces() - { - trigger_error("Auth_OpenID_OpenIDStore::cleanupNonces ". - "not implemented", E_USER_ERROR); - } - - /* - * Remove expired associations from the store. - * - * This method is not called in the normal operation of the - * library. It provides a way for store admins to keep their - * storage from filling up with expired data. - * - * @return the number of associations expired. - */ - function cleanupAssociations() - { - trigger_error("Auth_OpenID_OpenIDStore::cleanupAssociations ". - "not implemented", E_USER_ERROR); - } - - /* - * Shortcut for cleanupNonces(), cleanupAssociations(). - * - * This method is not called in the normal operation of the - * library. It provides a way for store admins to keep their - * storage from filling up with expired data. - */ - function cleanup() - { - return array($this->cleanupNonces(), - $this->cleanupAssociations()); - } - - /** - * Report whether this storage supports cleanup - */ - function supportsCleanup() - { - return true; - } - - /** - * This method returns an Association object from storage that - * matches the server URL and, if specified, handle. It returns - * null if no such association is found or if the matching - * association is expired. - * - * If no handle is specified, the store may return any association - * which matches the server URL. If multiple associations are - * valid, the recommended return value for this method is the one - * most recently issued. - * - * This method is allowed (and encouraged) to garbage collect - * expired associations when found. This method must not return - * expired associations. - * - * @param string $server_url The URL of the identity server to get - * the association for. Because of the way the server portion of - * the library uses this interface, don't assume there are any - * limitations on the character set of the input string. In - * particular, expect to see unescaped non-url-safe characters in - * the server_url field. - * - * @param mixed $handle This optional parameter is the handle of - * the specific association to get. If no specific handle is - * provided, any valid association matching the server URL is - * returned. - * - * @return Association The Association for the given identity - * server. - */ - function getAssociation($server_url, $handle = null) - { - trigger_error("Auth_OpenID_OpenIDStore::getAssociation ". - "not implemented", E_USER_ERROR); - } - - /** - * This method removes the matching association if it's found, and - * returns whether the association was removed or not. - * - * @param string $server_url The URL of the identity server the - * association to remove belongs to. Because of the way the server - * portion of the library uses this interface, don't assume there - * are any limitations on the character set of the input - * string. In particular, expect to see unescaped non-url-safe - * characters in the server_url field. - * - * @param string $handle This is the handle of the association to - * remove. If there isn't an association found that matches both - * the given URL and handle, then there was no matching handle - * found. - * - * @return mixed Returns whether or not the given association existed. - */ - function removeAssociation($server_url, $handle) - { - trigger_error("Auth_OpenID_OpenIDStore::removeAssociation ". - "not implemented", E_USER_ERROR); - } - - /** - * Called when using a nonce. - * - * This method should return C{True} if the nonce has not been - * used before, and store it for a while to make sure nobody - * tries to use the same value again. If the nonce has already - * been used, return C{False}. - * - * Change: In earlier versions, round-trip nonces were used and a - * nonce was only valid if it had been previously stored with - * storeNonce. Version 2.0 uses one-way nonces, requiring a - * different implementation here that does not depend on a - * storeNonce call. (storeNonce is no longer part of the - * interface. - * - * @param string $nonce The nonce to use. - * - * @return bool Whether or not the nonce was valid. - */ - function useNonce($server_url, $timestamp, $salt) - { - trigger_error("Auth_OpenID_OpenIDStore::useNonce ". - "not implemented", E_USER_ERROR); - } - - /** - * Removes all entries from the store; implementation is optional. - */ - function reset() - { - } - -} diff --git a/models/Auth/OpenID/KVForm.php b/models/Auth/OpenID/KVForm.php deleted file mode 100644 index dd02661d8..000000000 --- a/models/Auth/OpenID/KVForm.php +++ /dev/null @@ -1,111 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -/** - * Container for key-value/comma-newline OpenID format and parsing - */ -class Auth_OpenID_KVForm { - /** - * Convert an OpenID colon/newline separated string into an - * associative array - * - * @static - * @access private - */ - static function toArray($kvs, $strict=false) - { - $lines = explode("\n", $kvs); - - $last = array_pop($lines); - if ($last !== '') { - array_push($lines, $last); - if ($strict) { - return false; - } - } - - $values = array(); - - for ($lineno = 0; $lineno < count($lines); $lineno++) { - $line = $lines[$lineno]; - $kv = explode(':', $line, 2); - if (count($kv) != 2) { - if ($strict) { - return false; - } - continue; - } - - $key = $kv[0]; - $tkey = trim($key); - if ($tkey != $key) { - if ($strict) { - return false; - } - } - - $value = $kv[1]; - $tval = trim($value); - if ($tval != $value) { - if ($strict) { - return false; - } - } - - $values[$tkey] = $tval; - } - - return $values; - } - - /** - * Convert an array into an OpenID colon/newline separated string - * - * @static - * @access private - */ - static function fromArray($values) - { - if ($values === null) { - return null; - } - - ksort($values); - - $serialized = ''; - foreach ($values as $key => $value) { - if (is_array($value)) { - list($key, $value) = array($value[0], $value[1]); - } - - if (strpos($key, ':') !== false) { - return null; - } - - if (strpos($key, "\n") !== false) { - return null; - } - - if (strpos($value, "\n") !== false) { - return null; - } - $serialized .= "$key:$value\n"; - } - return $serialized; - } -} - diff --git a/models/Auth/OpenID/MDB2Store.php b/models/Auth/OpenID/MDB2Store.php deleted file mode 100644 index 80024bada..000000000 --- a/models/Auth/OpenID/MDB2Store.php +++ /dev/null @@ -1,413 +0,0 @@ - - * @copyright 2005 Janrain, Inc. - * @license http://www.gnu.org/copyleft/lesser.html LGPL - */ - -require_once 'MDB2.php'; - -/** - * @access private - */ -require_once 'Auth/OpenID/Interface.php'; - -/** - * @access private - */ -require_once 'Auth/OpenID.php'; - -/** - * @access private - */ -require_once 'Auth/OpenID/Nonce.php'; - -/** - * This store uses a PEAR::MDB2 connection to store persistence - * information. - * - * The table names used are determined by the class variables - * associations_table_name and nonces_table_name. To change the name - * of the tables used, pass new table names into the constructor. - * - * To create the tables with the proper schema, see the createTables - * method. - * - * @package OpenID - */ -class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore { - /** - * This creates a new MDB2Store instance. It requires an - * established database connection be given to it, and it allows - * overriding the default table names. - * - * @param connection $connection This must be an established - * connection to a database of the correct type for the SQLStore - * subclass you're using. This must be a PEAR::MDB2 connection - * handle. - * - * @param associations_table: This is an optional parameter to - * specify the name of the table used for storing associations. - * The default value is 'oid_associations'. - * - * @param nonces_table: This is an optional parameter to specify - * the name of the table used for storing nonces. The default - * value is 'oid_nonces'. - */ - function Auth_OpenID_MDB2Store($connection, - $associations_table = null, - $nonces_table = null) - { - $this->associations_table_name = "oid_associations"; - $this->nonces_table_name = "oid_nonces"; - - // Check the connection object type to be sure it's a PEAR - // database connection. - if (!is_object($connection) || - !is_subclass_of($connection, 'mdb2_driver_common')) { - trigger_error("Auth_OpenID_MDB2Store expected PEAR connection " . - "object (got ".get_class($connection).")", - E_USER_ERROR); - return; - } - - $this->connection = $connection; - - // Be sure to set the fetch mode so the results are keyed on - // column name instead of column index. - $this->connection->setFetchMode(MDB2_FETCHMODE_ASSOC); - - if (PEAR::isError($this->connection->loadModule('Extended'))) { - trigger_error("Unable to load MDB2_Extended module", E_USER_ERROR); - return; - } - - if ($associations_table) { - $this->associations_table_name = $associations_table; - } - - if ($nonces_table) { - $this->nonces_table_name = $nonces_table; - } - - $this->max_nonce_age = 6 * 60 * 60; - } - - function tableExists($table_name) - { - return !PEAR::isError($this->connection->query( - sprintf("SELECT * FROM %s LIMIT 0", - $table_name))); - } - - function createTables() - { - $n = $this->create_nonce_table(); - $a = $this->create_assoc_table(); - - if (!$n || !$a) { - return false; - } - return true; - } - - function create_nonce_table() - { - if (!$this->tableExists($this->nonces_table_name)) { - switch ($this->connection->phptype) { - case "mysql": - case "mysqli": - // Custom SQL for MySQL to use InnoDB and variable- - // length keys - $r = $this->connection->exec( - sprintf("CREATE TABLE %s (\n". - " server_url VARCHAR(2047) NOT NULL DEFAULT '',\n". - " timestamp INTEGER NOT NULL,\n". - " salt CHAR(40) NOT NULL,\n". - " UNIQUE (server_url(255), timestamp, salt)\n". - ") TYPE=InnoDB", - $this->nonces_table_name)); - if (PEAR::isError($r)) { - return false; - } - break; - default: - if (PEAR::isError( - $this->connection->loadModule('Manager'))) { - return false; - } - $fields = array( - "server_url" => array( - "type" => "text", - "length" => 2047, - "notnull" => true - ), - "timestamp" => array( - "type" => "integer", - "notnull" => true - ), - "salt" => array( - "type" => "text", - "length" => 40, - "fixed" => true, - "notnull" => true - ) - ); - $constraint = array( - "unique" => 1, - "fields" => array( - "server_url" => true, - "timestamp" => true, - "salt" => true - ) - ); - - $r = $this->connection->createTable($this->nonces_table_name, - $fields); - if (PEAR::isError($r)) { - return false; - } - - $r = $this->connection->createConstraint( - $this->nonces_table_name, - $this->nonces_table_name . "_constraint", - $constraint); - if (PEAR::isError($r)) { - return false; - } - break; - } - } - return true; - } - - function create_assoc_table() - { - if (!$this->tableExists($this->associations_table_name)) { - switch ($this->connection->phptype) { - case "mysql": - case "mysqli": - // Custom SQL for MySQL to use InnoDB and variable- - // length keys - $r = $this->connection->exec( - sprintf("CREATE TABLE %s(\n". - " server_url VARCHAR(2047) NOT NULL DEFAULT '',\n". - " handle VARCHAR(255) NOT NULL,\n". - " secret BLOB NOT NULL,\n". - " issued INTEGER NOT NULL,\n". - " lifetime INTEGER NOT NULL,\n". - " assoc_type VARCHAR(64) NOT NULL,\n". - " PRIMARY KEY (server_url(255), handle)\n". - ") TYPE=InnoDB", - $this->associations_table_name)); - if (PEAR::isError($r)) { - return false; - } - break; - default: - if (PEAR::isError( - $this->connection->loadModule('Manager'))) { - return false; - } - $fields = array( - "server_url" => array( - "type" => "text", - "length" => 2047, - "notnull" => true - ), - "handle" => array( - "type" => "text", - "length" => 255, - "notnull" => true - ), - "secret" => array( - "type" => "blob", - "length" => "255", - "notnull" => true - ), - "issued" => array( - "type" => "integer", - "notnull" => true - ), - "lifetime" => array( - "type" => "integer", - "notnull" => true - ), - "assoc_type" => array( - "type" => "text", - "length" => 64, - "notnull" => true - ) - ); - $options = array( - "primary" => array( - "server_url" => true, - "handle" => true - ) - ); - - $r = $this->connection->createTable( - $this->associations_table_name, - $fields, - $options); - if (PEAR::isError($r)) { - return false; - } - break; - } - } - return true; - } - - function storeAssociation($server_url, $association) - { - $fields = array( - "server_url" => array( - "value" => $server_url, - "key" => true - ), - "handle" => array( - "value" => $association->handle, - "key" => true - ), - "secret" => array( - "value" => $association->secret, - "type" => "blob" - ), - "issued" => array( - "value" => $association->issued - ), - "lifetime" => array( - "value" => $association->lifetime - ), - "assoc_type" => array( - "value" => $association->assoc_type - ) - ); - - return !PEAR::isError($this->connection->replace( - $this->associations_table_name, - $fields)); - } - - function cleanupNonces() - { - global $Auth_OpenID_SKEW; - $v = time() - $Auth_OpenID_SKEW; - - return $this->connection->exec( - sprintf("DELETE FROM %s WHERE timestamp < %d", - $this->nonces_table_name, $v)); - } - - function cleanupAssociations() - { - return $this->connection->exec( - sprintf("DELETE FROM %s WHERE issued + lifetime < %d", - $this->associations_table_name, time())); - } - - function getAssociation($server_url, $handle = null) - { - $sql = ""; - $params = null; - $types = array( - "text", - "blob", - "integer", - "integer", - "text" - ); - if ($handle !== null) { - $sql = sprintf("SELECT handle, secret, issued, lifetime, assoc_type " . - "FROM %s WHERE server_url = ? AND handle = ?", - $this->associations_table_name); - $params = array($server_url, $handle); - } else { - $sql = sprintf("SELECT handle, secret, issued, lifetime, assoc_type " . - "FROM %s WHERE server_url = ? ORDER BY issued DESC", - $this->associations_table_name); - $params = array($server_url); - } - - $assoc = $this->connection->getRow($sql, $types, $params); - - if (!$assoc || PEAR::isError($assoc)) { - return null; - } else { - $association = new Auth_OpenID_Association($assoc['handle'], - stream_get_contents( - $assoc['secret']), - $assoc['issued'], - $assoc['lifetime'], - $assoc['assoc_type']); - fclose($assoc['secret']); - return $association; - } - } - - function removeAssociation($server_url, $handle) - { - $r = $this->connection->execParam( - sprintf("DELETE FROM %s WHERE server_url = ? AND handle = ?", - $this->associations_table_name), - array($server_url, $handle)); - - if (PEAR::isError($r) || $r == 0) { - return false; - } - return true; - } - - function useNonce($server_url, $timestamp, $salt) - { - global $Auth_OpenID_SKEW; - - if (abs($timestamp - time()) > $Auth_OpenID_SKEW ) { - return false; - } - - $fields = array( - "timestamp" => $timestamp, - "salt" => $salt - ); - - if (!empty($server_url)) { - $fields["server_url"] = $server_url; - } - - $r = $this->connection->autoExecute( - $this->nonces_table_name, - $fields, - MDB2_AUTOQUERY_INSERT); - - if (PEAR::isError($r)) { - return false; - } - return true; - } - - /** - * Resets the store by removing all records from the store's - * tables. - */ - function reset() - { - $this->connection->query(sprintf("DELETE FROM %s", - $this->associations_table_name)); - - $this->connection->query(sprintf("DELETE FROM %s", - $this->nonces_table_name)); - } - -} - -?> diff --git a/models/Auth/OpenID/MemcachedStore.php b/models/Auth/OpenID/MemcachedStore.php deleted file mode 100644 index fc10800b1..000000000 --- a/models/Auth/OpenID/MemcachedStore.php +++ /dev/null @@ -1,207 +0,0 @@ - - * @copyright 2008 JanRain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - * Contributed by Open Web Technologies - */ - -/** - * Import the interface for creating a new store class. - */ -require_once 'Auth/OpenID/Interface.php'; - -/** - * This is a memcached-based store for OpenID associations and - * nonces. - * - * As memcache has limit of 250 chars for key length, - * server_url, handle and salt are hashed with sha1(). - * - * Most of the methods of this class are implementation details. - * People wishing to just use this store need only pay attention to - * the constructor. - * - * @package OpenID - */ -class Auth_OpenID_MemcachedStore extends Auth_OpenID_OpenIDStore { - - /** - * Initializes a new {@link Auth_OpenID_MemcachedStore} instance. - * Just saves memcached object as property. - * - * @param resource connection Memcache connection resourse - */ - function Auth_OpenID_MemcachedStore($connection, $compress = false) - { - $this->connection = $connection; - $this->compress = $compress ? MEMCACHE_COMPRESSED : 0; - } - - /** - * Store association until its expiration time in memcached. - * Overwrites any existing association with same server_url and - * handle. Handles list of associations for every server. - */ - function storeAssociation($server_url, $association) - { - // create memcached keys for association itself - // and list of associations for this server - $associationKey = $this->associationKey($server_url, - $association->handle); - $serverKey = $this->associationServerKey($server_url); - - // get list of associations - $serverAssociations = $this->connection->get($serverKey); - - // if no such list, initialize it with empty array - if (!$serverAssociations) { - $serverAssociations = array(); - } - // and store given association key in it - $serverAssociations[$association->issued] = $associationKey; - - // save associations' keys list - $this->connection->set( - $serverKey, - $serverAssociations, - $this->compress - ); - // save association itself - $this->connection->set( - $associationKey, - $association, - $this->compress, - $association->issued + $association->lifetime); - } - - /** - * Read association from memcached. If no handle given - * and multiple associations found, returns latest issued - */ - function getAssociation($server_url, $handle = null) - { - // simple case: handle given - if ($handle !== null) { - // get association, return null if failed - $association = $this->connection->get( - $this->associationKey($server_url, $handle)); - return $association ? $association : null; - } - - // no handle given, working with list - // create key for list of associations - $serverKey = $this->associationServerKey($server_url); - - // get list of associations - $serverAssociations = $this->connection->get($serverKey); - // return null if failed or got empty list - if (!$serverAssociations) { - return null; - } - - // get key of most recently issued association - $keys = array_keys($serverAssociations); - sort($keys); - $lastKey = $serverAssociations[array_pop($keys)]; - - // get association, return null if failed - $association = $this->connection->get($lastKey); - return $association ? $association : null; - } - - /** - * Immediately delete association from memcache. - */ - function removeAssociation($server_url, $handle) - { - // create memcached keys for association itself - // and list of associations for this server - $serverKey = $this->associationServerKey($server_url); - $associationKey = $this->associationKey($server_url, - $handle); - - // get list of associations - $serverAssociations = $this->connection->get($serverKey); - // return null if failed or got empty list - if (!$serverAssociations) { - return false; - } - - // ensure that given association key exists in list - $serverAssociations = array_flip($serverAssociations); - if (!array_key_exists($associationKey, $serverAssociations)) { - return false; - } - - // remove given association key from list - unset($serverAssociations[$associationKey]); - $serverAssociations = array_flip($serverAssociations); - - // save updated list - $this->connection->set( - $serverKey, - $serverAssociations, - $this->compress - ); - - // delete association - return $this->connection->delete($associationKey); - } - - /** - * Create nonce for server and salt, expiring after - * $Auth_OpenID_SKEW seconds. - */ - function useNonce($server_url, $timestamp, $salt) - { - global $Auth_OpenID_SKEW; - - // save one request to memcache when nonce obviously expired - if (abs($timestamp - time()) > $Auth_OpenID_SKEW) { - return false; - } - - // returns false when nonce already exists - // otherwise adds nonce - return $this->connection->add( - 'openid_nonce_' . sha1($server_url) . '_' . sha1($salt), - 1, // any value here - $this->compress, - $Auth_OpenID_SKEW); - } - - /** - * Memcache key is prefixed with 'openid_association_' string. - */ - function associationKey($server_url, $handle = null) - { - return 'openid_association_' . sha1($server_url) . '_' . sha1($handle); - } - - /** - * Memcache key is prefixed with 'openid_association_' string. - */ - function associationServerKey($server_url) - { - return 'openid_association_server_' . sha1($server_url); - } - - /** - * Report that this storage doesn't support cleanup - */ - function supportsCleanup() - { - return false; - } -} - diff --git a/models/Auth/OpenID/Message.php b/models/Auth/OpenID/Message.php deleted file mode 100644 index 9aa1fa468..000000000 --- a/models/Auth/OpenID/Message.php +++ /dev/null @@ -1,920 +0,0 @@ -keys = array(); - $this->values = array(); - - if (is_array($classic_array)) { - foreach ($classic_array as $key => $value) { - $this->set($key, $value); - } - } - } - - /** - * Returns true if $thing is an Auth_OpenID_Mapping object; false - * if not. - */ - static function isA($thing) - { - return (is_object($thing) && - strtolower(get_class($thing)) == 'auth_openid_mapping'); - } - - /** - * Returns an array of the keys in the mapping. - */ - function keys() - { - return $this->keys; - } - - /** - * Returns an array of values in the mapping. - */ - function values() - { - return $this->values; - } - - /** - * Returns an array of (key, value) pairs in the mapping. - */ - function items() - { - $temp = array(); - - for ($i = 0; $i < count($this->keys); $i++) { - $temp[] = array($this->keys[$i], - $this->values[$i]); - } - return $temp; - } - - /** - * Returns the "length" of the mapping, or the number of keys. - */ - function len() - { - return count($this->keys); - } - - /** - * Sets a key-value pair in the mapping. If the key already - * exists, its value is replaced with the new value. - */ - function set($key, $value) - { - $index = array_search($key, $this->keys); - - if ($index !== false) { - $this->values[$index] = $value; - } else { - $this->keys[] = $key; - $this->values[] = $value; - } - } - - /** - * Gets a specified value from the mapping, associated with the - * specified key. If the key does not exist in the mapping, - * $default is returned instead. - */ - function get($key, $default = null) - { - $index = array_search($key, $this->keys); - - if ($index !== false) { - return $this->values[$index]; - } else { - return $default; - } - } - - /** - * @access private - */ - function _reflow() - { - // PHP is broken yet again. Sort the arrays to remove the - // hole in the numeric indexes that make up the array. - $old_keys = $this->keys; - $old_values = $this->values; - - $this->keys = array(); - $this->values = array(); - - foreach ($old_keys as $k) { - $this->keys[] = $k; - } - - foreach ($old_values as $v) { - $this->values[] = $v; - } - } - - /** - * Deletes a key-value pair from the mapping with the specified - * key. - */ - function del($key) - { - $index = array_search($key, $this->keys); - - if ($index !== false) { - unset($this->keys[$index]); - unset($this->values[$index]); - $this->_reflow(); - return true; - } - return false; - } - - /** - * Returns true if the specified value has a key in the mapping; - * false if not. - */ - function contains($value) - { - return (array_search($value, $this->keys) !== false); - } -} - -/** - * Maintains a bijective map between namespace uris and aliases. - * - * @package OpenID - */ -class Auth_OpenID_NamespaceMap { - function Auth_OpenID_NamespaceMap() - { - $this->alias_to_namespace = new Auth_OpenID_Mapping(); - $this->namespace_to_alias = new Auth_OpenID_Mapping(); - $this->implicit_namespaces = array(); - } - - function getAlias($namespace_uri) - { - return $this->namespace_to_alias->get($namespace_uri); - } - - function getNamespaceURI($alias) - { - return $this->alias_to_namespace->get($alias); - } - - function iterNamespaceURIs() - { - // Return an iterator over the namespace URIs - return $this->namespace_to_alias->keys(); - } - - function iterAliases() - { - // Return an iterator over the aliases""" - return $this->alias_to_namespace->keys(); - } - - function iteritems() - { - return $this->namespace_to_alias->items(); - } - - function isImplicit($namespace_uri) - { - return in_array($namespace_uri, $this->implicit_namespaces); - } - - function addAlias($namespace_uri, $desired_alias, $implicit=false) - { - // Add an alias from this namespace URI to the desired alias - global $Auth_OpenID_OPENID_PROTOCOL_FIELDS; - - // Check that desired_alias is not an openid protocol field as - // per the spec. - if (in_array($desired_alias, $Auth_OpenID_OPENID_PROTOCOL_FIELDS)) { - Auth_OpenID::log("\"%s\" is not an allowed namespace alias", - $desired_alias); - return null; - } - - // Check that desired_alias does not contain a period as per - // the spec. - if (strpos($desired_alias, '.') !== false) { - Auth_OpenID::log('"%s" must not contain a dot', $desired_alias); - return null; - } - - // Check that there is not a namespace already defined for the - // desired alias - $current_namespace_uri = - $this->alias_to_namespace->get($desired_alias); - - if (($current_namespace_uri !== null) && - ($current_namespace_uri != $namespace_uri)) { - Auth_OpenID::log('Cannot map "%s" because previous mapping exists', - $namespace_uri); - return null; - } - - // Check that there is not already a (different) alias for - // this namespace URI - $alias = $this->namespace_to_alias->get($namespace_uri); - - if (($alias !== null) && ($alias != $desired_alias)) { - Auth_OpenID::log('Cannot map %s to alias %s. ' . - 'It is already mapped to alias %s', - $namespace_uri, $desired_alias, $alias); - return null; - } - - assert((Auth_OpenID_NULL_NAMESPACE === $desired_alias) || - is_string($desired_alias)); - - $this->alias_to_namespace->set($desired_alias, $namespace_uri); - $this->namespace_to_alias->set($namespace_uri, $desired_alias); - if ($implicit) { - array_push($this->implicit_namespaces, $namespace_uri); - } - - return $desired_alias; - } - - function add($namespace_uri) - { - // Add this namespace URI to the mapping, without caring what - // alias it ends up with - - // See if this namespace is already mapped to an alias - $alias = $this->namespace_to_alias->get($namespace_uri); - - if ($alias !== null) { - return $alias; - } - - // Fall back to generating a numerical alias - $i = 0; - while (1) { - $alias = 'ext' . strval($i); - if ($this->addAlias($namespace_uri, $alias) === null) { - $i += 1; - } else { - return $alias; - } - } - - // Should NEVER be reached! - return null; - } - - function contains($namespace_uri) - { - return $this->isDefined($namespace_uri); - } - - function isDefined($namespace_uri) - { - return $this->namespace_to_alias->contains($namespace_uri); - } -} - -/** - * In the implementation of this object, null represents the global - * namespace as well as a namespace with no key. - * - * @package OpenID - */ -class Auth_OpenID_Message { - - function Auth_OpenID_Message($openid_namespace = null) - { - // Create an empty Message - $this->allowed_openid_namespaces = array( - Auth_OpenID_OPENID1_NS, - Auth_OpenID_THE_OTHER_OPENID1_NS, - Auth_OpenID_OPENID2_NS); - - $this->args = new Auth_OpenID_Mapping(); - $this->namespaces = new Auth_OpenID_NamespaceMap(); - if ($openid_namespace === null) { - $this->_openid_ns_uri = null; - } else { - $implicit = Auth_OpenID_isOpenID1($openid_namespace); - $this->setOpenIDNamespace($openid_namespace, $implicit); - } - } - - function isOpenID1() - { - return Auth_OpenID_isOpenID1($this->getOpenIDNamespace()); - } - - function isOpenID2() - { - return $this->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS; - } - - static function fromPostArgs($args) - { - // Construct a Message containing a set of POST arguments - $obj = new Auth_OpenID_Message(); - - // Partition into "openid." args and bare args - $openid_args = array(); - foreach ($args as $key => $value) { - - if (is_array($value)) { - return null; - } - - $parts = explode('.', $key, 2); - - if (count($parts) == 2) { - list($prefix, $rest) = $parts; - } else { - $prefix = null; - } - - if ($prefix != 'openid') { - $obj->args->set(array(Auth_OpenID_BARE_NS, $key), $value); - } else { - $openid_args[$rest] = $value; - } - } - - if ($obj->_fromOpenIDArgs($openid_args)) { - return $obj; - } else { - return null; - } - } - - static function fromOpenIDArgs($openid_args) - { - // Takes an array. - - // Construct a Message from a parsed KVForm message - $obj = new Auth_OpenID_Message(); - if ($obj->_fromOpenIDArgs($openid_args)) { - return $obj; - } else { - return null; - } - } - - /** - * @access private - */ - function _fromOpenIDArgs($openid_args) - { - global $Auth_OpenID_registered_aliases; - - // Takes an Auth_OpenID_Mapping instance OR an array. - - if (!Auth_OpenID_Mapping::isA($openid_args)) { - $openid_args = new Auth_OpenID_Mapping($openid_args); - } - - $ns_args = array(); - - // Resolve namespaces - foreach ($openid_args->items() as $pair) { - list($rest, $value) = $pair; - - $parts = explode('.', $rest, 2); - - if (count($parts) == 2) { - list($ns_alias, $ns_key) = $parts; - } else { - $ns_alias = Auth_OpenID_NULL_NAMESPACE; - $ns_key = $rest; - } - - if ($ns_alias == 'ns') { - if ($this->namespaces->addAlias($value, $ns_key) === null) { - return false; - } - } else if (($ns_alias == Auth_OpenID_NULL_NAMESPACE) && - ($ns_key == 'ns')) { - // null namespace - if ($this->setOpenIDNamespace($value, false) === false) { - return false; - } - } else { - $ns_args[] = array($ns_alias, $ns_key, $value); - } - } - - if (!$this->getOpenIDNamespace()) { - if ($this->setOpenIDNamespace(Auth_OpenID_OPENID1_NS, true) === - false) { - return false; - } - } - - // Actually put the pairs into the appropriate namespaces - foreach ($ns_args as $triple) { - list($ns_alias, $ns_key, $value) = $triple; - $ns_uri = $this->namespaces->getNamespaceURI($ns_alias); - if ($ns_uri === null) { - $ns_uri = $this->_getDefaultNamespace($ns_alias); - if ($ns_uri === null) { - - $ns_uri = Auth_OpenID_OPENID_NS; - $ns_key = sprintf('%s.%s', $ns_alias, $ns_key); - } else { - $this->namespaces->addAlias($ns_uri, $ns_alias, true); - } - } - - $this->setArg($ns_uri, $ns_key, $value); - } - - return true; - } - - function _getDefaultNamespace($mystery_alias) - { - global $Auth_OpenID_registered_aliases; - if ($this->isOpenID1()) { - return @$Auth_OpenID_registered_aliases[$mystery_alias]; - } - return null; - } - - function setOpenIDNamespace($openid_ns_uri, $implicit) - { - if (!in_array($openid_ns_uri, $this->allowed_openid_namespaces)) { - Auth_OpenID::log('Invalid null namespace: "%s"', $openid_ns_uri); - return false; - } - - $succeeded = $this->namespaces->addAlias($openid_ns_uri, - Auth_OpenID_NULL_NAMESPACE, - $implicit); - if ($succeeded === false) { - return false; - } - - $this->_openid_ns_uri = $openid_ns_uri; - - return true; - } - - function getOpenIDNamespace() - { - return $this->_openid_ns_uri; - } - - static function fromKVForm($kvform_string) - { - // Create a Message from a KVForm string - return Auth_OpenID_Message::fromOpenIDArgs( - Auth_OpenID_KVForm::toArray($kvform_string)); - } - - function copy() - { - return $this; - } - - function toPostArgs() - { - // Return all arguments with openid. in front of namespaced - // arguments. - - $args = array(); - - // Add namespace definitions to the output - foreach ($this->namespaces->iteritems() as $pair) { - list($ns_uri, $alias) = $pair; - if ($this->namespaces->isImplicit($ns_uri)) { - continue; - } - if ($alias == Auth_OpenID_NULL_NAMESPACE) { - $ns_key = 'openid.ns'; - } else { - $ns_key = 'openid.ns.' . $alias; - } - $args[$ns_key] = $ns_uri; - } - - foreach ($this->args->items() as $pair) { - list($ns_parts, $value) = $pair; - list($ns_uri, $ns_key) = $ns_parts; - $key = $this->getKey($ns_uri, $ns_key); - $args[$key] = $value; - } - - return $args; - } - - function toArgs() - { - // Return all namespaced arguments, failing if any - // non-namespaced arguments exist. - $post_args = $this->toPostArgs(); - $kvargs = array(); - foreach ($post_args as $k => $v) { - if (strpos($k, 'openid.') !== 0) { - // raise ValueError( - // 'This message can only be encoded as a POST, because it ' - // 'contains arguments that are not prefixed with "openid."') - return null; - } else { - $kvargs[substr($k, 7)] = $v; - } - } - - return $kvargs; - } - - function toFormMarkup($action_url, $form_tag_attrs = null, - $submit_text = "Continue") - { - $form = "
$attr) { - $form .= sprintf(" %s=\"%s\"", $name, $attr); - } - } - - $form .= ">\n"; - - foreach ($this->toPostArgs() as $name => $value) { - $form .= sprintf( - "\n", - $name, $value); - } - - $form .= sprintf("\n", - $submit_text); - - $form .= "
\n"; - - return $form; - } - - function toURL($base_url) - { - // Generate a GET URL with the parameters in this message - // attached as query parameters. - return Auth_OpenID::appendArgs($base_url, $this->toPostArgs()); - } - - function toKVForm() - { - // Generate a KVForm string that contains the parameters in - // this message. This will fail if the message contains - // arguments outside of the 'openid.' prefix. - return Auth_OpenID_KVForm::fromArray($this->toArgs()); - } - - function toURLEncoded() - { - // Generate an x-www-urlencoded string - $args = array(); - - foreach ($this->toPostArgs() as $k => $v) { - $args[] = array($k, $v); - } - - sort($args); - return Auth_OpenID::httpBuildQuery($args); - } - - /** - * @access private - */ - function _fixNS($namespace) - { - // Convert an input value into the internally used values of - // this object - - if ($namespace == Auth_OpenID_OPENID_NS) { - if ($this->_openid_ns_uri === null) { - return new Auth_OpenID_FailureResponse(null, - 'OpenID namespace not set'); - } else { - $namespace = $this->_openid_ns_uri; - } - } - - if (($namespace != Auth_OpenID_BARE_NS) && - (!is_string($namespace))) { - //TypeError - $err_msg = sprintf("Namespace must be Auth_OpenID_BARE_NS, ". - "Auth_OpenID_OPENID_NS or a string. got %s", - print_r($namespace, true)); - return new Auth_OpenID_FailureResponse(null, $err_msg); - } - - if (($namespace != Auth_OpenID_BARE_NS) && - (strpos($namespace, ':') === false)) { - // fmt = 'OpenID 2.0 namespace identifiers SHOULD be URIs. Got %r' - // warnings.warn(fmt % (namespace,), DeprecationWarning) - - if ($namespace == 'sreg') { - // fmt = 'Using %r instead of "sreg" as namespace' - // warnings.warn(fmt % (SREG_URI,), DeprecationWarning,) - return Auth_OpenID_SREG_URI; - } - } - - return $namespace; - } - - function hasKey($namespace, $ns_key) - { - $namespace = $this->_fixNS($namespace); - if (Auth_OpenID::isFailure($namespace)) { - // XXX log me - return false; - } else { - return $this->args->contains(array($namespace, $ns_key)); - } - } - - function getKey($namespace, $ns_key) - { - // Get the key for a particular namespaced argument - $namespace = $this->_fixNS($namespace); - if (Auth_OpenID::isFailure($namespace)) { - return $namespace; - } - if ($namespace == Auth_OpenID_BARE_NS) { - return $ns_key; - } - - $ns_alias = $this->namespaces->getAlias($namespace); - - // No alias is defined, so no key can exist - if ($ns_alias === null) { - return null; - } - - if ($ns_alias == Auth_OpenID_NULL_NAMESPACE) { - $tail = $ns_key; - } else { - $tail = sprintf('%s.%s', $ns_alias, $ns_key); - } - - return 'openid.' . $tail; - } - - function getArg($namespace, $key, $default = null) - { - // Get a value for a namespaced key. - $namespace = $this->_fixNS($namespace); - - if (Auth_OpenID::isFailure($namespace)) { - return $namespace; - } else { - if ((!$this->args->contains(array($namespace, $key))) && - ($default == Auth_OpenID_NO_DEFAULT)) { - $err_msg = sprintf("Namespace %s missing required field %s", - $namespace, $key); - return new Auth_OpenID_FailureResponse(null, $err_msg); - } else { - return $this->args->get(array($namespace, $key), $default); - } - } - } - - function getArgs($namespace) - { - // Get the arguments that are defined for this namespace URI - - $namespace = $this->_fixNS($namespace); - if (Auth_OpenID::isFailure($namespace)) { - return $namespace; - } else { - $stuff = array(); - foreach ($this->args->items() as $pair) { - list($key, $value) = $pair; - list($pair_ns, $ns_key) = $key; - if ($pair_ns == $namespace) { - $stuff[$ns_key] = $value; - } - } - - return $stuff; - } - } - - function updateArgs($namespace, $updates) - { - // Set multiple key/value pairs in one call - - $namespace = $this->_fixNS($namespace); - - if (Auth_OpenID::isFailure($namespace)) { - return $namespace; - } else { - foreach ($updates as $k => $v) { - $this->setArg($namespace, $k, $v); - } - return true; - } - } - - function setArg($namespace, $key, $value) - { - // Set a single argument in this namespace - $namespace = $this->_fixNS($namespace); - - if (Auth_OpenID::isFailure($namespace)) { - return $namespace; - } else { - $this->args->set(array($namespace, $key), $value); - if ($namespace !== Auth_OpenID_BARE_NS) { - $this->namespaces->add($namespace); - } - return true; - } - } - - function delArg($namespace, $key) - { - $namespace = $this->_fixNS($namespace); - - if (Auth_OpenID::isFailure($namespace)) { - return $namespace; - } else { - return $this->args->del(array($namespace, $key)); - } - } - - function getAliasedArg($aliased_key, $default = null) - { - if ($aliased_key == 'ns') { - // Return the namespace URI for the OpenID namespace - return $this->getOpenIDNamespace(); - } - - $parts = explode('.', $aliased_key, 2); - - if (count($parts) != 2) { - $ns = null; - } else { - list($alias, $key) = $parts; - - if ($alias == 'ns') { - // Return the namespace URI for a namespace alias - // parameter. - return $this->namespaces->getNamespaceURI($key); - } else { - $ns = $this->namespaces->getNamespaceURI($alias); - } - } - - if ($ns === null) { - $key = $aliased_key; - $ns = $this->getOpenIDNamespace(); - } - - return $this->getArg($ns, $key, $default); - } -} - - diff --git a/models/Auth/OpenID/MySQLStore.php b/models/Auth/OpenID/MySQLStore.php deleted file mode 100644 index 810f059f1..000000000 --- a/models/Auth/OpenID/MySQLStore.php +++ /dev/null @@ -1,77 +0,0 @@ -sql['nonce_table'] = - "CREATE TABLE %s (\n". - " server_url VARCHAR(2047) NOT NULL,\n". - " timestamp INTEGER NOT NULL,\n". - " salt CHAR(40) NOT NULL,\n". - " UNIQUE (server_url(255), timestamp, salt)\n". - ") ENGINE=InnoDB"; - - $this->sql['assoc_table'] = - "CREATE TABLE %s (\n". - " server_url BLOB NOT NULL,\n". - " handle VARCHAR(255) NOT NULL,\n". - " secret BLOB NOT NULL,\n". - " issued INTEGER NOT NULL,\n". - " lifetime INTEGER NOT NULL,\n". - " assoc_type VARCHAR(64) NOT NULL,\n". - " PRIMARY KEY (server_url(255), handle)\n". - ") ENGINE=InnoDB"; - - $this->sql['set_assoc'] = - "REPLACE INTO %s (server_url, handle, secret, issued,\n". - " lifetime, assoc_type) VALUES (?, ?, !, ?, ?, ?)"; - - $this->sql['get_assocs'] = - "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". - "WHERE server_url = ?"; - - $this->sql['get_assoc'] = - "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". - "WHERE server_url = ? AND handle = ?"; - - $this->sql['remove_assoc'] = - "DELETE FROM %s WHERE server_url = ? AND handle = ?"; - - $this->sql['add_nonce'] = - "INSERT INTO %s (server_url, timestamp, salt) VALUES (?, ?, ?)"; - - $this->sql['clean_nonce'] = - "DELETE FROM %s WHERE timestamp < ?"; - - $this->sql['clean_assoc'] = - "DELETE FROM %s WHERE issued + lifetime < ?"; - } - - /** - * @access private - */ - function blobEncode($blob) - { - return "0x" . bin2hex($blob); - } -} - diff --git a/models/Auth/OpenID/Nonce.php b/models/Auth/OpenID/Nonce.php deleted file mode 100644 index b83c5911f..000000000 --- a/models/Auth/OpenID/Nonce.php +++ /dev/null @@ -1,108 +0,0 @@ -preferred_auth_policies = $preferred_auth_policies; - $this->max_auth_age = $max_auth_age; - } - - /** - * Add an acceptable authentication policy URI to this request - * - * This method is intended to be used by the relying party to add - * acceptable authentication types to the request. - * - * policy_uri: The identifier for the preferred type of - * authentication. - */ - function addPolicyURI($policy_uri) - { - if (!in_array($policy_uri, $this->preferred_auth_policies)) { - $this->preferred_auth_policies[] = $policy_uri; - } - } - - function getExtensionArgs() - { - $ns_args = array( - 'preferred_auth_policies' => - implode(' ', $this->preferred_auth_policies) - ); - - if ($this->max_auth_age !== null) { - $ns_args['max_auth_age'] = strval($this->max_auth_age); - } - - return $ns_args; - } - - /** - * Instantiate a Request object from the arguments in a checkid_* - * OpenID message - */ - static function fromOpenIDRequest($request) - { - $obj = new Auth_OpenID_PAPE_Request(); - $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI); - - if ($args === null || $args === array()) { - return null; - } - - $obj->parseExtensionArgs($args); - return $obj; - } - - /** - * Set the state of this request to be that expressed in these - * PAPE arguments - * - * @param args: The PAPE arguments without a namespace - */ - function parseExtensionArgs($args) - { - // preferred_auth_policies is a space-separated list of policy - // URIs - $this->preferred_auth_policies = array(); - - $policies_str = Auth_OpenID::arrayGet($args, 'preferred_auth_policies'); - if ($policies_str) { - foreach (explode(' ', $policies_str) as $uri) { - if (!in_array($uri, $this->preferred_auth_policies)) { - $this->preferred_auth_policies[] = $uri; - } - } - } - - // max_auth_age is base-10 integer number of seconds - $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age'); - if ($max_auth_age_str) { - $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str); - } else { - $this->max_auth_age = null; - } - } - - /** - * Given a list of authentication policy URIs that a provider - * supports, this method returns the subsequence of those types - * that are preferred by the relying party. - * - * @param supported_types: A sequence of authentication policy - * type URIs that are supported by a provider - * - * @return array The sub-sequence of the supported types that are - * preferred by the relying party. This list will be ordered in - * the order that the types appear in the supported_types - * sequence, and may be empty if the provider does not prefer any - * of the supported authentication types. - */ - function preferredTypes($supported_types) - { - $result = array(); - - foreach ($supported_types as $st) { - if (in_array($st, $this->preferred_auth_policies)) { - $result[] = $st; - } - } - return $result; - } -} - -/** - * A Provider Authentication Policy response, sent from a provider to - * a relying party - */ -class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { - - var $ns_alias = 'pape'; - var $ns_uri = Auth_OpenID_PAPE_NS_URI; - - function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_time=null, - $nist_auth_level=null) - { - if ($auth_policies) { - $this->auth_policies = $auth_policies; - } else { - $this->auth_policies = array(); - } - - $this->auth_time = $auth_time; - $this->nist_auth_level = $nist_auth_level; - } - - /** - * Add a authentication policy to this response - * - * This method is intended to be used by the provider to add a - * policy that the provider conformed to when authenticating the - * user. - * - * @param policy_uri: The identifier for the preferred type of - * authentication. - */ - function addPolicyURI($policy_uri) - { - if (!in_array($policy_uri, $this->auth_policies)) { - $this->auth_policies[] = $policy_uri; - } - } - - /** - * Create an Auth_OpenID_PAPE_Response object from a successful - * OpenID library response. - * - * @param success_response $success_response A SuccessResponse - * from Auth_OpenID_Consumer::complete() - * - * @returns: A provider authentication policy response from the - * data that was supplied with the id_res response. - */ - static function fromSuccessResponse($success_response) - { - $obj = new Auth_OpenID_PAPE_Response(); - - // PAPE requires that the args be signed. - $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI); - - if ($args === null || $args === array()) { - return null; - } - - $result = $obj->parseExtensionArgs($args); - - if ($result === false) { - return null; - } else { - return $obj; - } - } - - /** - * Parse the provider authentication policy arguments into the - * internal state of this object - * - * @param args: unqualified provider authentication policy - * arguments - * - * @param strict: Whether to return false when bad data is - * encountered - * - * @return null The data is parsed into the internal fields of - * this object. - */ - function parseExtensionArgs($args, $strict=false) - { - $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies'); - if ($policies_str && $policies_str != "none") { - $this->auth_policies = explode(" ", $policies_str); - } - - $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level'); - if ($nist_level_str !== null) { - $nist_level = Auth_OpenID::intval($nist_level_str); - - if ($nist_level === false) { - if ($strict) { - return false; - } else { - $nist_level = null; - } - } - - if (0 <= $nist_level && $nist_level < 5) { - $this->nist_auth_level = $nist_level; - } else if ($strict) { - return false; - } - } - - $auth_time = Auth_OpenID::arrayGet($args, 'auth_time'); - if ($auth_time !== null) { - if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) { - $this->auth_time = $auth_time; - } else if ($strict) { - return false; - } - } - } - - function getExtensionArgs() - { - $ns_args = array(); - if (count($this->auth_policies) > 0) { - $ns_args['auth_policies'] = implode(' ', $this->auth_policies); - } else { - $ns_args['auth_policies'] = 'none'; - } - - if ($this->nist_auth_level !== null) { - if (!in_array($this->nist_auth_level, range(0, 4), true)) { - return false; - } - $ns_args['nist_auth_level'] = strval($this->nist_auth_level); - } - - if ($this->auth_time !== null) { - if (!preg_match(PAPE_TIME_VALIDATOR, $this->auth_time)) { - return false; - } - - $ns_args['auth_time'] = $this->auth_time; - } - - return $ns_args; - } -} - diff --git a/models/Auth/OpenID/Parse.php b/models/Auth/OpenID/Parse.php deleted file mode 100644 index 6c2e72169..000000000 --- a/models/Auth/OpenID/Parse.php +++ /dev/null @@ -1,377 +0,0 @@ - tags - * in the head of HTML or XHTML documents and parses out their - * attributes according to the OpenID spec. It is a liberal parser, - * but it requires these things from the data in order to work: - * - * - There must be an open tag - * - * - There must be an open tag inside of the tag - * - * - Only s that are found inside of the tag are parsed - * (this is by design) - * - * - The parser follows the OpenID specification in resolving the - * attributes of the link tags. This means that the attributes DO - * NOT get resolved as they would by an XML or HTML parser. In - * particular, only certain entities get replaced, and href - * attributes do not get resolved relative to a base URL. - * - * From http://openid.net/specs.bml: - * - * - The openid.server URL MUST be an absolute URL. OpenID consumers - * MUST NOT attempt to resolve relative URLs. - * - * - The openid.server URL MUST NOT include entities other than &, - * <, >, and ". - * - * The parser ignores SGML comments and . Both kinds - * of quoting are allowed for attributes. - * - * The parser deals with invalid markup in these ways: - * - * - Tag names are not case-sensitive - * - * - The tag is accepted even when it is not at the top level - * - * - The tag is accepted even when it is not a direct child of - * the tag, but a tag must be an ancestor of the - * tag - * - * - tags are accepted even when they are not direct children - * of the tag, but a tag must be an ancestor of the - * tag - * - * - If there is no closing tag for an open or tag, the - * remainder of the document is viewed as being inside of the - * tag. If there is no closing tag for a tag, the link tag is - * treated as a short tag. Exceptions to this rule are that - * closes and or closes - * - * - Attributes of the tag are not required to be quoted. - * - * - In the case of duplicated attribute names, the attribute coming - * last in the tag will be the value returned. - * - * - Any text that does not parse as an attribute within a link tag - * will be ignored. (e.g. will - * ignore pumpkin) - * - * - If there are more than one or tag, the parser only - * looks inside of the first one. - * - * - The contents of - - -Name: Link inside comment inside head inside html - - - - - - -Name: Link inside of head after short head - - - - - - - -Name: Plain vanilla -Link: - - - - - - -Name: Ignore tags in the namespace -Link*: - - - - - - - - -Name: Short link tag -Link: - - - - - - -Name: Spaces in the HTML tag -Link: - - - - - - -Name: Spaces in the head tag -Link: - - - - - - -Name: Spaces in the link tag -Link: - - - - - - -Name: No whitespace -Link: - - - - -Name: Closed head tag -Link: - - - - - - - -Name: One good, one bad (after close head) -Link: - - - - - - - - -Name: One good, one bad (after open body) -Link: - - - - - - - - -Name: ill formed (missing close head) -Link: - - - - - - - -Name: Ill formed (no close head, link after ) -Link: - - - - - - - - -Name: Ignore random tags inside of html -Link: - - - - - -<link> - - -Name: case-folding -Link*: - -<HtMl> -<hEaD> -<LiNk> - - -Name: unexpected tags -Link: - -<butternut> -<html> -<summer> -<head> -<turban> -<link> - - -Name: un-closed script tags -Link*: - -<html> -<head> -<script> -<link> - - -Name: un-closed script tags (no whitespace) -Link*: - -<html><head><script><link> - - -Name: un-closed comment -Link*: - -<html> -<head> -<!-- -<link> - - -Name: un-closed CDATA -Link*: - -<html> -<head> -<![CDATA[ -<link> - - -Name: cdata-like -Link*: - -<html> -<head> -<![ACORN[ -<link> -]]> - - -Name: comment close only -Link: - -<html> -<head> -<link> ---> - - -Name: Vanilla, two links -Link: -Link: - -<html> -<head> -<link> -<link> - - -Name: extra tag, two links -Link: -Link: - -<html> -<gold nugget> -<head> -<link> -<link> - - -Name: case-fold, body ends, two links -Link: -Link*: - -<html> -<head> -<link> -<LiNk> -<body> -<link> - - -Name: simple, non-quoted rel -Link: rel=openid.server - -<html><head><link rel=openid.server> - - -Name: short tag has rel -Link: rel=openid.server - -<html><head><link rel=openid.server/> - - -Name: short tag w/space has rel -Link: rel=openid.server - -<html><head><link rel=openid.server /> - - -Name: extra non-attribute, has rel -Link: rel=openid.server - -<html><head><link hubbard rel=openid.server> - - -Name: non-attr, has rel, short -Link: rel=openid.server - -<html><head><link hubbard rel=openid.server/> - - -Name: non-attr, has rel, short, space -Link: rel=openid.server - -<html><head><link hubbard rel=openid.server /> - - -Name: misplaced slash has rel -Link: rel=openid.server - -<html><head><link / rel=openid.server> - - -Name: quoted rel -Link: rel=openid.server - -<html><head><link rel="openid.server"> - - -Name: single-quoted rel -Link: rel=openid.server - -<html><head><link rel='openid.server'> - - -Name: two links w/ rel -Link: x=y -Link: a=b - -<html><head><link x=y><link a=b> - - -Name: non-entity -Link: x=&y - -<html><head><link x=&y> - - -Name: quoted non-entity -Link: x=&y - -<html><head><link x="&y"> - - -Name: quoted entity -Link: x=& - -<html><head><link x="&"> - - -Name: entity not processed -Link: x= - -<html><head><link x=""> - - -Name: < -Link: x=< - -<html><head><link x="<"> - - -Name: > -Link: x=> - -<html><head><link x=">"> - - -Name: " -Link: x=" - -<html><head><link x="""> - - -Name: &" -Link: x=&" - -<html><head><link x="&""> - - -Name: mixed entity and non-entity -Link: x=&"…> - -<html><head><link x="&"…>"> - - -Name: mixed entity and non-entity (w/normal chars) -Link: x=x&"…>x - -<html><head><link x="x&"…>x"> - - -Name: broken tags -Link*: x=y - -<html><head><link x=y<> - - -Name: missing close pointy -Link: z=y - -<html><head><link x=y<link z=y /> - - -Name: missing attribute value -Link: x=y y*= -Link: x=y - -<html><head><link x=y y=><link x=y /> - - -Name: Missing close pointy (no following) -Link*: x=y - -<html><head><link x=y - - -Name: Should be quoted -Link: x*=< - -<html><head><link x="<"> - - -Name: Should be quoted (2) -Link: x*=> - -<html><head><link x=">"> - - -Name: Repeated attribute -Link: x=y - -<html><head><link x=z x=y> - - -Name: Repeated attribute (2) -Link: x=y - -<html><head><link x=y x=y> - - -Name: Two attributes -Link: x=y y=z - -<html><head><link x=y y=z> - - -Name: Well-formed link rel="openid.server" -Link: rel=openid.server href=http://www.myopenid.com/server - -<html> - <head> - <link rel="openid.server" - href="http://www.myopenid.com/server" /> - </head> -</html> - - -Name: Well-formed link rel="openid.server" and "openid.delegate" -Link: rel=openid.server href=http://www.myopenid.com/server -Link: rel=openid.delegate href=http://example.myopenid.com/ - -<html><head><link rel="openid.server" - href="http://www.myopenid.com/server" /> - <link rel="openid.delegate" href="http://example.myopenid.com/" /> -</head></html> - - -Name: from brian's livejournal page -Link: rel=stylesheet href=http://www.livejournal.com/~serotta/res/319998/stylesheet?1130478711 type=text/css -Link: rel=openid.server href=http://www.livejournal.com/openid/server.bml - -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"> - <head> - <link rel="stylesheet" - href="http://www.livejournal.com/~serotta/res/319998/stylesheet?1130478711" - type="text/css" /> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - <meta name="foaf:maker" - content="foaf:mbox_sha1sum '12f8abdacb5b1a806711e23249da592c0d316260'" /> - <meta name="robots" content="noindex, nofollow, noarchive" /> - <meta name="googlebot" content="nosnippet" /> - <link rel="openid.server" - href="http://www.livejournal.com/openid/server.bml" /> - <title>Brian - - - -Name: non-ascii (Latin-1 or UTF8) -Link: x=® - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/n2b64 b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/n2b64 deleted file mode 100644 index b12a24604..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/n2b64 +++ /dev/null @@ -1,650 +0,0 @@ -AA== 0 -AQ== 1 -Ag== 2 -Aw== 3 -BA== 4 -BQ== 5 -Bg== 6 -Bw== 7 -CA== 8 -CQ== 9 -Cg== 10 -Cw== 11 -DA== 12 -DQ== 13 -Dg== 14 -Dw== 15 -EA== 16 -EQ== 17 -Eg== 18 -Ew== 19 -FA== 20 -FQ== 21 -Fg== 22 -Fw== 23 -GA== 24 -GQ== 25 -Gg== 26 -Gw== 27 -HA== 28 -HQ== 29 -Hg== 30 -Hw== 31 -IA== 32 -IQ== 33 -Ig== 34 -Iw== 35 -JA== 36 -JQ== 37 -Jg== 38 -Jw== 39 -KA== 40 -KQ== 41 -Kg== 42 -Kw== 43 -LA== 44 -LQ== 45 -Lg== 46 -Lw== 47 -MA== 48 -MQ== 49 -Mg== 50 -Mw== 51 -NA== 52 -NQ== 53 -Ng== 54 -Nw== 55 -OA== 56 -OQ== 57 -Og== 58 -Ow== 59 -PA== 60 -PQ== 61 -Pg== 62 -Pw== 63 -QA== 64 -QQ== 65 -Qg== 66 -Qw== 67 -RA== 68 -RQ== 69 -Rg== 70 -Rw== 71 -SA== 72 -SQ== 73 -Sg== 74 -Sw== 75 -TA== 76 -TQ== 77 -Tg== 78 -Tw== 79 -UA== 80 -UQ== 81 -Ug== 82 -Uw== 83 -VA== 84 -VQ== 85 -Vg== 86 -Vw== 87 -WA== 88 -WQ== 89 -Wg== 90 -Ww== 91 -XA== 92 -XQ== 93 -Xg== 94 -Xw== 95 -YA== 96 -YQ== 97 -Yg== 98 -Yw== 99 -ZA== 100 -ZQ== 101 -Zg== 102 -Zw== 103 -aA== 104 -aQ== 105 -ag== 106 -aw== 107 -bA== 108 -bQ== 109 -bg== 110 -bw== 111 -cA== 112 -cQ== 113 -cg== 114 -cw== 115 -dA== 116 -dQ== 117 -dg== 118 -dw== 119 -eA== 120 -eQ== 121 -eg== 122 -ew== 123 -fA== 124 -fQ== 125 -fg== 126 -fw== 127 -AIA= 128 -AIE= 129 -AII= 130 -AIM= 131 -AIQ= 132 -AIU= 133 -AIY= 134 -AIc= 135 -AIg= 136 -AIk= 137 -AIo= 138 -AIs= 139 -AIw= 140 -AI0= 141 -AI4= 142 -AI8= 143 -AJA= 144 -AJE= 145 -AJI= 146 -AJM= 147 -AJQ= 148 -AJU= 149 -AJY= 150 -AJc= 151 -AJg= 152 -AJk= 153 -AJo= 154 -AJs= 155 -AJw= 156 -AJ0= 157 -AJ4= 158 -AJ8= 159 -AKA= 160 -AKE= 161 -AKI= 162 -AKM= 163 -AKQ= 164 -AKU= 165 -AKY= 166 -AKc= 167 -AKg= 168 -AKk= 169 -AKo= 170 -AKs= 171 -AKw= 172 -AK0= 173 -AK4= 174 -AK8= 175 -ALA= 176 -ALE= 177 -ALI= 178 -ALM= 179 -ALQ= 180 -ALU= 181 -ALY= 182 -ALc= 183 -ALg= 184 -ALk= 185 -ALo= 186 -ALs= 187 -ALw= 188 -AL0= 189 -AL4= 190 -AL8= 191 -AMA= 192 -AME= 193 -AMI= 194 -AMM= 195 -AMQ= 196 -AMU= 197 -AMY= 198 -AMc= 199 -AMg= 200 -AMk= 201 -AMo= 202 -AMs= 203 -AMw= 204 -AM0= 205 -AM4= 206 -AM8= 207 -ANA= 208 -ANE= 209 -ANI= 210 -ANM= 211 -ANQ= 212 -ANU= 213 -ANY= 214 -ANc= 215 -ANg= 216 -ANk= 217 -ANo= 218 -ANs= 219 -ANw= 220 -AN0= 221 -AN4= 222 -AN8= 223 -AOA= 224 -AOE= 225 -AOI= 226 -AOM= 227 -AOQ= 228 -AOU= 229 -AOY= 230 -AOc= 231 -AOg= 232 -AOk= 233 -AOo= 234 -AOs= 235 -AOw= 236 -AO0= 237 -AO4= 238 -AO8= 239 -APA= 240 -APE= 241 -API= 242 -APM= 243 -APQ= 244 -APU= 245 -APY= 246 -APc= 247 -APg= 248 -APk= 249 -APo= 250 -APs= 251 -APw= 252 -AP0= 253 -AP4= 254 -AP8= 255 -AQA= 256 -AQE= 257 -AQI= 258 -AQM= 259 -AQQ= 260 -AQU= 261 -AQY= 262 -AQc= 263 -AQg= 264 -AQk= 265 -AQo= 266 -AQs= 267 -AQw= 268 -AQ0= 269 -AQ4= 270 -AQ8= 271 -ARA= 272 -ARE= 273 -ARI= 274 -ARM= 275 -ARQ= 276 -ARU= 277 -ARY= 278 -ARc= 279 -ARg= 280 -ARk= 281 -ARo= 282 -ARs= 283 -ARw= 284 -AR0= 285 -AR4= 286 -AR8= 287 -ASA= 288 -ASE= 289 -ASI= 290 -ASM= 291 -ASQ= 292 -ASU= 293 -ASY= 294 -ASc= 295 -ASg= 296 -ASk= 297 -ASo= 298 -ASs= 299 -ASw= 300 -AS0= 301 -AS4= 302 -AS8= 303 -ATA= 304 -ATE= 305 -ATI= 306 -ATM= 307 -ATQ= 308 -ATU= 309 -ATY= 310 -ATc= 311 -ATg= 312 -ATk= 313 -ATo= 314 -ATs= 315 -ATw= 316 -AT0= 317 -AT4= 318 -AT8= 319 -AUA= 320 -AUE= 321 -AUI= 322 -AUM= 323 -AUQ= 324 -AUU= 325 -AUY= 326 -AUc= 327 -AUg= 328 -AUk= 329 -AUo= 330 -AUs= 331 -AUw= 332 -AU0= 333 -AU4= 334 -AU8= 335 -AVA= 336 -AVE= 337 -AVI= 338 -AVM= 339 -AVQ= 340 -AVU= 341 -AVY= 342 -AVc= 343 -AVg= 344 -AVk= 345 -AVo= 346 -AVs= 347 -AVw= 348 -AV0= 349 -AV4= 350 -AV8= 351 -AWA= 352 -AWE= 353 -AWI= 354 -AWM= 355 -AWQ= 356 -AWU= 357 -AWY= 358 -AWc= 359 -AWg= 360 -AWk= 361 -AWo= 362 -AWs= 363 -AWw= 364 -AW0= 365 -AW4= 366 -AW8= 367 -AXA= 368 -AXE= 369 -AXI= 370 -AXM= 371 -AXQ= 372 -AXU= 373 -AXY= 374 -AXc= 375 -AXg= 376 -AXk= 377 -AXo= 378 -AXs= 379 -AXw= 380 -AX0= 381 -AX4= 382 -AX8= 383 -AYA= 384 -AYE= 385 -AYI= 386 -AYM= 387 -AYQ= 388 -AYU= 389 -AYY= 390 -AYc= 391 -AYg= 392 -AYk= 393 -AYo= 394 -AYs= 395 -AYw= 396 -AY0= 397 -AY4= 398 -AY8= 399 -AZA= 400 -AZE= 401 -AZI= 402 -AZM= 403 -AZQ= 404 -AZU= 405 -AZY= 406 -AZc= 407 -AZg= 408 -AZk= 409 -AZo= 410 -AZs= 411 -AZw= 412 -AZ0= 413 -AZ4= 414 -AZ8= 415 -AaA= 416 -AaE= 417 -AaI= 418 -AaM= 419 -AaQ= 420 -AaU= 421 -AaY= 422 -Aac= 423 -Aag= 424 -Aak= 425 -Aao= 426 -Aas= 427 -Aaw= 428 -Aa0= 429 -Aa4= 430 -Aa8= 431 -AbA= 432 -AbE= 433 -AbI= 434 -AbM= 435 -AbQ= 436 -AbU= 437 -AbY= 438 -Abc= 439 -Abg= 440 -Abk= 441 -Abo= 442 -Abs= 443 -Abw= 444 -Ab0= 445 -Ab4= 446 -Ab8= 447 -AcA= 448 -AcE= 449 -AcI= 450 -AcM= 451 -AcQ= 452 -AcU= 453 -AcY= 454 -Acc= 455 -Acg= 456 -Ack= 457 -Aco= 458 -Acs= 459 -Acw= 460 -Ac0= 461 -Ac4= 462 -Ac8= 463 -AdA= 464 -AdE= 465 -AdI= 466 -AdM= 467 -AdQ= 468 -AdU= 469 -AdY= 470 -Adc= 471 -Adg= 472 -Adk= 473 -Ado= 474 -Ads= 475 -Adw= 476 -Ad0= 477 -Ad4= 478 -Ad8= 479 -AeA= 480 -AeE= 481 -AeI= 482 -AeM= 483 -AeQ= 484 -AeU= 485 -AeY= 486 -Aec= 487 -Aeg= 488 -Aek= 489 -Aeo= 490 -Aes= 491 -Aew= 492 -Ae0= 493 -Ae4= 494 -Ae8= 495 -AfA= 496 -AfE= 497 -AfI= 498 -AfM= 499 -AfQ= 500 -AfU= 501 -AfY= 502 -Afc= 503 -Afg= 504 -Afk= 505 -Afo= 506 -Afs= 507 -Afw= 508 -Af0= 509 -Af4= 510 -Af8= 511 -AgA= 512 -ALDs7paJl5xPh6ORH61iDA6pONpV0rTjGiTkLEW2JsVsRKaRiS4AGn2PTR1UZXP0vXAmRXwdSegQgWPUp3Hm3RofRcDh1SykZBLif7ulau1hVO+rhwRyKc7F8F+7LcMf/v+s73eOXUDbbI2r52wfr7skZy/IELhsC8EK6HzhACI3 124241322153253947064453752054205174382289463089695815605736438952932114700118408072544073767229325045596832952652232288773280299665950768731398747700657715829631597019676014848183966683866396215048196276450953653433516126074463193382764063985175903718735372053536664711482497859539116009770850968340298474039 -AOzgU1s6Pd2IkrJlvGND8legXTe50nyDCocI5mwT9rW0YsisY5jaaEOcu51BAq9MmXBPeVX0k/jlXwH4Pn3mCpUAU1rEOsTdcmSJp35siKliDdhTZHHdZNMW+igfXGX5OCsA/BaBcGnE6NnrGWXKyTOoVUGQLEkL2T5yhNUaCT83 166340174936369324883416612727439279977041963320514134445183426741643586944819834936989524033374309932122967866930503619179389342537723598234062828695747850043368572301869699886931403612266216965783079972698791813140295203826980649434652168563255385527187360027803388963151668338040517316899628026707657178935 -AO8hrpw+lDiJ13JahLtCb1RenupQcNd0wlTSck9OLL8wB/x6gAoj0PTLV05eZIbz43N3GUSDmmckjlxdHXiBJ9rsoB0P95l1CWIV+4rXblCqxmOdmlm6VZ13bqbI0x7l0cjeMrkmk+yJ067WqUolqQBlUWMTuJVfkxALJYH5xr/C 167923899524385316022824282304301434707626789716026029252173742527362300338760906999615029022863637963070711762128687835779073122264515776657475985362344360699359591353388569856862973447791264902182048648600267737826849280828116753682917256540180401899752566540869918949003470368970029744573140084219550547906 -QxAn7yrdVs5tlHV+Glbqdaj67c6Ni8am3bBLOL8PV5HbdrLf2xIPmNugo6MfUwFSnT+ZPJ51+VTOsItaNwCFju0Eh1cqyP3JWyLRPE7emKuo6xRhf+5ik0pTg77LEF4JXW6ofDqirpR4alFi0G2d9yImQPphsYJwYGF/nNT8u0Q= 47093316905427544098193936500644355852669366083115552072584429220248776817916430034648347490325490701471113667554329499736495877969341478442613611948220957798780043076906836236556612316544460763366275536846463456405604189392790111985912854476264292503164100482712281088955640964034295834935468665872932715332 -AI9PVzrbJUvmCihwSFans1lBKwudGEZpWWu8pkSK2zVgzGhMvUoGgMp6TG2zsUd1tV8zv7KsVD2t6pXmjT1wPUynufq97GVHI06SGpflDTt30WboYRh3DgYxvso1sOjUXpnDezcaqc2Aiz4nV5MSShkBlyBjA8z2worHDE+uXqw0 100635651531872121827765663065728398779771663753008344681972226973080394359405041113312675686974926993279775427390065833081040771269307007695807025882757371805607979134114890454059957194316765342461291139168706134406917264848659448693866813989352429841300235734400772946895458374870482441457514575059390213172 -FiinVicXOqqRLpxcGTorQpSAGeQ/PfDOuzYK9ViFtmPv6D0cYPfhUH4qXEHOejvmX+0b4lfaX8MWPVZxlqpfXiU9BhG76HJxkLF4ysipukeOvhoHzvcxE5bnhSF1i//bOSifATBLBEZInwqSVg5tHHPuuCkwTL91NqhOulp7Lsk= 15560440884463435471963622630292643727112462888414585143143739400703889930416938984547754943252935620248108237258540176511252143752416771350868493435174026287082706690332705481726295797196444796135827460509780634261726494455068460028424141500629527968240913757449787164107068039175831847071025316475940056777 -aYrxyQN/hkBne2ayqo2/iDLF3DZGgk080SOMJfsj9h3Z1OfFZM7TJA+y+/O7niqatosvKrfHrAw+Qs7c6tCZ6NPwYJ4QJLOF9bqH2u2a3fkI954voNUctlUagYUJsZXV8hdhLM6NwUyIZ3ZFkPcpTZp7nKQQ84tr1a8VjDIT5/o= 74114640794666001532816944350975062126079079113921109750255283189037502412929005615388097912507598112836936032143435813588205939470002911374442844578739574773399427907766548612582213272643279263782396527705126350063372192910060171635870872236876399794128383338399728947176692692942605589343038282957050865658 -AMpCUeKUX/vtRslWiUUuXNl1KA9uDAWjMUkTrdsxxRDESI7iZIn3TR9lW+0kV5fzkLF18iYLAwSGBmX1PS/T0UVFmoBPJ9yS7yktNL0lpQ3noyGFn8HHZ6XB3FkH3jegIfGbvwwhnhhFzpHPrXlpO5iU5Y+rexzp2XHWt4yJGuIL 142031143422642739313498629438991149460874309300342349421794421544918823888598660275343727563280565210534243383322796489809683834300630555650331646026843796764549231159336347965502383849513994449309613369541991287590422095953275586374371960367000083487965487661436037637475372929033613295072397262739084075531 -AIMIQVz0JIEKEI+PREu94m3v9XoiU/Q0CpsSuqkwSSje+Wyul5ea9oU5qgtOpdkMUOW91BJo0DW/GMZ8v3C4qyyP29TtjCcAHObJi9hfLSlnTSuzXZnDStooYYKqzfToLToCaAJKCXiXAVW0vWtapLnyqafrf/KgyGZ5u4HfXKY0 92013973253053602863003242446596060337454881568126916916519869242232429836082762281129448384605359749247852792606718908482332975424967542242332487707042773885428473061056052851768940900752317020681189773407893371297668591494665352294885305475871917069040377145530889271334616499701769138948975263435137525300 -ANfP+zPBTR27afneyac1KJhOB5Pq3AXB+SoAXJvQI/GkSoNhw5KdfqoIkLcoJi8wClCm424Gm1AdrdGwDFOM/iKTSPkrvMag93+b2EbQGX66/n2X3YRFNkgq/Gtb+2M8oCcAL054Z/iiMD67aU5RWzjqS64ePHsn01bJ7dqLgpMO 151548639867177154896951257541227014781655576169318283047778755573323724856619156348444192550664853912434681577093459933599575436686424046466113215132845213008587152894642577278656978304699131916299275797578171518984206145555369576872231567191579337901913492071976578289189524123204040497290426960375042970382 -AK0kHtacLGu1NFWMADq2rG8hpzM4UEYyPOL+aMJbnwXcUYptRIxb0YFZg35RN/RiZs4lQsiq+kEJKzMMV71TsJq59vMkIZhZoB3t8g9ZqBZuq0JYcTICDwRpNSttJidVpJ6P9sR3s1xPMYKdlSwt6EEc9htOXfZU+yHKYgn98X60 121583812047864398969816595368193171848971298823388059338224714026742264861090347096116404814514279627148994345584790617974476594451626305761040465570524035369799925437276511604752129817947910677564301623631349399504187314174538914591944778074509068973226322566160587813128746039859381466427380402262866230964 -W3sZlWW1Aev3x/DiH9MzwCAZzBj++x9cknLfGAHwgFqkLH6vimEH/r8hi85hzlCOG5CjwhoZ0D/Hsfr26ZJ3X4chG84byrfDnek1V9mm1++v+clJvlYgcuVgn2Opsba2TILTm1MDB+Ujs9brJ2AAKrE9+ep5nvtQVeG9PUGtdlo= 64240043913835461386212515483198059541440539167395859777194837833769712010594411295323900074066077107346806786205590345517755715510695858065925747020336398305793661773798243627926904542715123849691490667964262778804487343218972081260210371192903128886030021862362141928329650003493687310970684093289133340250 -FTQRk9/BIj21gbLwI22fHJWYj+8Ghdcc613hOtJ+/hQmh73HwTXLpaGK9aCptxVbpjW0r/bxaRjmgxu9u1CCZh5yRd7Z46Wk/LIPXGd3ycQzqRMFB7TISFQGJIcFoxRp3Eb5wa2OyrUg7c/D+kb7oFJq9P7mEwIh8TpLzwmu4SU= 14889529068556301710329043521845510156960298822469914567758538023025100741826628180855835334285179977296740667353391766487166458692144569279381035582718738461626140662441222061900764829681913534146898551570916312642104487829660946024590782808750587095559047648957238487820069966851521487428624726655438348581 -APYXO6uGvs9qWiEAkcWsaCaCrGJJCP2Z1g++XlJ67oZIgEoWITn3T/R2/c4edAfwUUzNHAYZN1h2dSrRoqlrRXrbxFtGOuRCUrXcGLFFcEbTrtm+z5z8xGRfcorx7Cu3FIBPMK5XcGPcbRZdyP1gBkeDMvuBNAo0/To+LP/dhCNM 172810804474418448604443090732221483571611665465870520701624598983692130272337358406272727413570938793741430131635927237320173996217984860203754686741782921346604605228620148450611724714868551781003004492587584071978757421616871762681049508123223983431502852926521520561941051298696758046005573332373854233420 -AIDNxhnDEe1kTJ3XGfTS8zKXeXPRdw5yifm8j8Ibzj/quExy7hFPtKct8hRskPR2qwTlMiW9Ra8Npg2USsqHV0rBoIkX7E3psxq5LBfp/q00l3SEBuLL4K2FGR87bPgU+Duk3RVrNMnColiTcnAR5XkoeWhn/r9MfJMIN9Y0FEh8 90449107125498302548188660544012777357148118984122992664008792590422284061463729084479315745509706793674355738023180454297730948397413371686013210006834869294564190666543874617716180411178090109573192518129248278410216362657350215009192850017507998797754539132540293137589672869131300859207213449571846080636 -AIRWavxYRsGlH0Yr0DudwrpYtbrByf9ZsDawKom7ubiRfepqYzcBlwt4adMMnkYSaXeYtOsD4KBm2ZvLKN3++RkYNmxgkyarORBEg7ERyiThBj7Ksw57pNHCAoHtBEhH7Wp9mHhuZtPvPgCEptmwCu9rYhLt4zZp+Zq8a02dkXvM 92930601962515884925250459851491509622611227724602941760145671636277317511265759558869239180653492283311584982044597979173761619470326096725838197524704577188104121460089235709339932110663536557497112887112782062772810759971739760085128369628777812332518137107605855679096146402427144185104230596200130247628 -AMNJGLcAiJtL5fUfkesWKYJurdYSnvsOZeZcrg7bemkEVjF6S9CcojimUl+ncr/YY5/EXnU0mg84fObtDxWWdJ7z7l0CFcoALTyEatDYKshT0xvdKY3u+LUShxIAyk8EcGnf+KoEaa4Mx3tg2oTBnVegXClOakNTWw8bu2ItagoQ 137134165107366719462230252606689766470445826753581409513106273517221906418464863733870948759313279128624638614534848890858250894834883265387344539280755177217350585564186248554307335197387734431939154077778003706720017441895613190141376534460438929588407764609772857975000507660651583780079804513519571438096 -BmGPZt8XqqI1PuLN4K1/PZMi2rfOYtHEMrcwZdSjKRm5qTkd0Pbb/5zPV07TnM0uLRvIQYTLloEY+GYyn0K5gDTEZpEtQ8ee6Y87zYGDwcf20eqYNxkA7FVV71vqCP/Uw3Oi6B+hMvsWZbvv2vH6MkAeADCrezOtwqVS+irftyc= 4480956865245875120472829476982311611308898564405318773810939350829150182630548948231116574193987272498161864310429976564278532538229396846813874244969927890037756969704618336242255039858182439641759659872128285423988638335967412040624105824571426792562334458751137508116412821914961236269913776304372561703 -APqFgCIYbJWuRyEGuOStPvcprj2PILQ0JpgwQ2jLKn3DvkWSd83qh7PWGKozGavsjh803K+ZzI7P2wP+Nc0r0El3q4nzaHvKaCtVRyMwbXv9wYLFZICeM6J1l9ljUMts4tbDoPzkIy3ScU7pYxarBWqMkcBU8qL6NN1vEdkeu0fW 175922170410080716883576123079908758276229469783745771772401183721225804343343063277676406040455068452258961299511343441961963941297631097736305638850193978800615558067791016294285848963023036905095022181004058235239390870177623185946205281141386416867569004073524130001309977475780893497185890756991672600534 -APA/rCcGeH6A+6ZwaBBDM6mB6tTD8mjkrOWEo/pK3MCZ+rrErMBnFp2S19GhlLOfuY8BHS+D834Fdm8+3wKYkWnXZpGb+e3v8ofOQ34G1HvzULOYtrEiC4ISZRt2SSyz2hU+PBXjVnplsHWTRxZDmBxTJdgli4ItAqxGCxj/aJ9m 168708388929747822981923386197903561880341990893945097067702518857172133291360611402092714329372304718329568897960770488377524912057166920574319430820488930520807742026377043178502591886293565177404635365772829346030773275726024973460121300339258054215286249329967181244588558220467488638468686270735376228198 -AKmwrLP108dCGWOWxE/6woJVLRi/Kra/DvdsPkkrZQmWIlUT7IvwM4gU6bUr4f6wpT08cIQls2cGh7dbSEaO0xLa3mmtKhPiAlzSnz0wuifF3JT9U3uXgUfCZuFtE0z7Oi7WTOrpl3k3GA7JFvXnY0lwblIQALVf6oWyNETnajGl 119160465301384937485959146028591622947513292915838943629387700439301197965652871741710280647524383590817798553034250156068573474278225305190573334054718387045488098320076877626430189054572361967283632592181431701411266656256255758079114072932140551282607247364388070762970060420036793573956057551235306893733 -VTe3rCzAL1Sljo3QAXEkAdBy1ZARHZwtrj6ZNRa5ttqd6/l21g4z3iHCeGo4rnE2F8wYTy+NlugjXw86OS+XojW5y6UzTtx0HX5IJ4POqN64aXWmaklGzroBEYWeuFFKcgQN3NOxkuJoDQ6VElP7Epz69kj5CsKJUwL0SjbNrFY= 59841866347633473702601462509811342285929528424012250265905695635971518533504187799047710303717472950129869674786231155102509311322791323986824635569605105662070745033595366004805920086888891275288347907772640070278731650628917037915863439204501060041944275512863990729926528905725569467329169134226609384534 -AIZt1xGhC/HrvpPASsvVIVdsu//tn0noyJmVYh3FdQ6yIh1uce47iCsrV1yvYqx5ZTbC0vnfnbjFcWqH+HtLX/DelgvhEwzqJ8hwQrfE1ShLG4ZjAVo1Z4GCjrDcEUMlwKcunuSJssuxeQuXwTLS92+q6QeBSS7OmfxPX29CLb4B 94399298271083745508290936113986978382457275531684761701599029877008571741877683365769553170771833981099580359640421358853566501815723434822307977440496208486103754978934472597505865596938563438311337045817621762649604204720249750058676095769230214181772215323235427976398686727606000594646472236822594174465 -NIhTPpWXS82VTA0LTd6TfM+HgLgUcmvnMYtLqPpuqCKZwalAycwl0XFYNyVvaY21J94j92ts/lRYgVtHDhk7/9nLXq5js/lsUnG8rWPHJo11JTxvW+df88aX0pw8u+biOWt87vc1MW1dsMTTsJFJAeBx77qU/Cwto95IVqM7vSE= 36889590210230649939994518345793530042252563793069578097360569338647730438860274349862767107939590441616825589851005429465345268710487649366046960918184701290985280638488938340668212498212581853679035928093386035688597446809895381618260692378376844452061580510108168030682664507293277674052032318576713776417 -KXdi4A2Z7tSiiX9YGtDtxUXIfQvPhcc48rUH+Q2SnXL7fLNmr+F4Rf3RiFBRiHKocPfE94pothop5qQJ5X221/DbEKWK6s+ChfQ636jvRxojoLMab3dPtaAPpDJHrfZMxbT4ZaDJT0tpA2e+zZrzBuDs+UUgCpty9nxtdm1gS7A= 29118662951481660380477444121362422614202367719725087486810943918529894738076273660245405874301505615796632229852040910511025841576465052938308369421493312085081188509808322692130449282585522349552501983296872614029139293444558468751646868108213623606366977549477663987815308260383403466635254115908032940976 -AIOTBZQR2EJJRmoWdRNFLG4fceoS3KnRTHRpPdllhHODqdg+QxTOcOvqIzBqgdD0JgO12SuNAjLQOiz0jhd02qkXw9Y1adGuKvL97ARFtNEuJiNzFAj7KpDLy2zk2rPJp4Lp7cjQs0fe8BQYnTzTsNRGm+4ybln/gse1YWu9w8y5 92394618277596007469808288231093678404089765494062813665106014405059399079199990128824492247005602685377185496959522609467906358619318009231448503013528692450191782140091818984176967246749464502089280153086163239846744554575017530385347720563798041108608545014076448155956762636929707905789978331102411214009 -NzfbJRBF4pqEeborJrjoknJgpfK+DZh2k9cE5dcElMPZ2Zn9im7desWGiBSQnu3KbTO4L/t4+m6nFTNcbIJnqbVSMDHdsfG72rG/t89aOuECQw0HMVVgONNNa6i/mw0jZSWnRLD4fa1YgbUlMd8jeqO9XcBDB4mVtDTxyeGa3vU= 38775530011374537813502898274019389132620116890266344603221997943675706375698597061571989090674289834838060050848545748579361837989319487970580969082824601965845786771062335733318139530316825802589479118956745739691326447349403950997231306042638797277408335778415717988679050762936401945487285814799382535925 -Y4BVPZ6necuLSwaqYEPeZp0lt9tTGFl/WCJJbwg7XpyvuwYKtzagC1NLzY5ymBfwGFw1yRlQuyGsYd9mBfC99DuVCIeh0JNrhJN1bNfoSzy5UO5+dmTr+dm66VGSRS0tFcViDTfCIleTV+zxo/xuZT+Bjxq7kZue8zGkjp42Kmo= 69872189501616471647606976308259279995249122669120675885925763529037695584466011511740991152346215507625265226811128801733353566555339153627478941716586678793853828514394269931890370517258825006937741437480128878717892485074131232336852490940507703859793477547154689914725314529986438108117871674332626168426 -AKCP9Mto4q/a2xNqM4N7PekbKspwt48OGPre+iqVwPrSP/jWKxg3CvvLNZzN5P+/FiUGIklMMFJ8w76OaHIPqKuwckj1gvCLECJEE+UAZWrNKPmpzd/ootN9/kQhNMuloTFCyhXAUUOXJ7Z0WVLb2u6fn4zroszSMBoWQEKC6lcq 112750701794692134675959811050012620191158543234019977304167102486465198271340022889272244811582365901584420008564301920174477182946432553537794834985703732129975734658113610563794129371053853971031300761815004524681756388784922001759202643614966614186697992611399618828963452661554240362943588548146868410154 -APOTAFA2waoAODECaGNgCHa8dNN+cjMnD01M+IeQFytzo9RLMzzzg/gpTUFpyLtFMcfbCkDYQMLXwE4crTimdz5sVvjGQ+5fSFQjoDY6Bw7MO6NAcLzlV/sI/1WyNBKaLQbcl2720n16tdUcdckQNnV+cC2J48CVxYM1c7QQlxA0 171043636512232272455501595416608280460445723238023572475354665686544174728784633443479486247342724860289312593374524429736857970220153680852977711594899595712511352458264354251161579203922747468321999465061463474727943140910084880926005209538535217464825087114791420210981711903880998556269523363208766099508 -AMGpxRlB8WVnsGqyyiy3/mzrPymtJW1o1HcDErK11ZwQV5PwTF3c0THwlnxDmcziLWHSWgPQwfRddVDCXMGW9BffJn+XO6aTcWDPmDAh+1DbWJPE1aqApGbHvQ8HONy90dQMZf1ayuwceWCVTuU1wnHdo9F/sIsRbuu7ic2OJDzY 135994898408425255747055209966103741651849229328236418804928584233229830656742052333413774490626915784901255640138520158698845938184666683995579777154437927013722740366497459963753542029774185193376253885864514386760437194444013834088425088260658670140534670789371556026135595577395047002643901630053097946328 -AJAw4uDYdSYkOrjtwJVWLv3pi1+UxWge4RmkWKqVquTsAVcT2tRZ+MFdHM457Hl7fmFIyxvGZQy4c2v1AbHEfPR8ID2sCRQpdcfrxEUZPMDqxfnHHm0ziny6W4X6ggdBzMp/sBWaVNTBL0e61/pELBGYNRGFMzGws7HQkr/sro1D 101254336834199527040756567675327011562230719161388328289463594628690618298993695452746353237675715087353241661592074446889034411683413957950360025295995263477031608845241728493807755308798509893719674568267846671753070163272328014412744008880395248474446310603301447848026040555910147467745595720879397834051 -AM09TdtXgYL4FI5CGNiVjf0T/AN/pZ5zZsBOi1MAUKMURiXnc1x8VKYTqM9Xb86mqNBBqphynIQG6/3e/YbGJgHlsSdrmKbo+P9daMr02I/7Z76/7Osa8+7Ky6lhVCbU3F0tBH4WvopkCQmuJ267afgvDD5kB+9uNr28deMH00cY 144124056591600568767398029380314564902309327093641173350205276895603332085753288682409279238417493662029954512382520307259348748813767324609446500382301421328754981718014234615523158887865271179104711373675849713359713282937065993613915015084108700238420759344034475478243507306107546245540340758766909867800 -AKDhK+/BKGXbrbBh2vM61OP8LN81YwlJKe68KNwUu4tjXlQg7i49Jis7QKPI/YFPUpSNTu5N2iCgeMnCX4+r3NAfivOao9lw4N3nc9bi839SIWdlokhwBHBYmCIgjehUeBAdkU4jKqlE06pIrpRmSvBtn7O4aWTbT+C++ViYAcGF 112973480670453665543892521898882856059335781900313607790238402438320486344365203510769919022496690291280873287383392088872774202832124927485754495093552572232234532821756395965072330282810574669371524103814871172318519695921477775100282448247625395376072233777533359104085023946019406729587713120941266551173 -ALxDiSxHjfxvP8ETvpE+SyDPTS7q3o3zCK519WTepygC58KSRfvDnIVIyV3toQKzgqD50kF1Ni5D/wuaSs62y3zg3kELX1g+WuBCc8+x50+kDtbHXa1Me3et/OqVS/QeppkcjK1UZMU29fXze6P/w6aQfvKQkE7koeQtZBKkYc0p 132203344567902304830160099595561253300484092355345272411265169562971473393256361094745618829297250316196312398486598077249124198329075791740755862221465178128527292695331061023291345396067863215552021206609309872689233899464919108147533679134727064586730810633196817136739658243232643507412032417747255282985 -VF0YUTvy8Mfi5o6X06DEvLm87r72mAtTdyyLNr0/GXlk0Xj3L2Oi2bVUMtcXQNRXg/mkdGP88pgdaP/eMzqkUU++vJ7t3UgOC1i3SHegpiBhhZh+aZHH/wjFV8Mz2XZB5z8MpMgN+QwALK1TT2Pyt/feQTsOy0imVanB5+OvCeQ= 59242171319056188000481457618922567543461456096441095927600135114274111606802456239311634638536207588762066940095527920532936960549439269891703098017342732142860571277442598349453761561189719823290643146391349978698217357430495238876700400634593256155537598291759795109752990651995982467695091946768443574756 -ezpwBt0N6QhTusiPcKrBvSB6yuk/KShTLUFQHdf5J1u1fgDYrp+aOWuXOFVfOd0bweiG4UxBQNXB2IDFWfYON0fBoaDqNk/41YyqXBSkKbiNWLi1y3zPmwTAiwK0PzYp2EPfk/t/j0HsDbvebu0ygcxb2tPqj4EQ1TXEdD007kU= 86533835313999945727720083706940213467453975054116752898416709637030456504024135513972566184073843025739226187558143854850980654667596935003124034699919861200483994576288766702308068265526535622439762454501169018136389983894783905946543636163866717367545972667876983557989192393479830223914708619684891389509 -U8BT26zT46tTZnkmTNxGUAlXbJhk5cNi4AMSd8fSvZHm55siMFGJ8Jl7mtdzEFR1UFAyEztf2fUhxdtMLe8ei/OJgM0j7myQ9STucEwnsShT7QS/DjBmfvcC42sl1CRpXkb0ZLrEJCPf+crtLKGrG7ExS1oawIAgALBiMQIL6mE= 58812148564290791415180898639607206220554150794356494356250223429674091688305329629529905854147200457536549527135776329004085047145097927266797668252160196098870200925284256433894773392353678965699083286106628662506590268955650280670838340651598082083455821825076016227525614626726458235627297885815646710369 -HfYii3U1SIkBZl09RHaGGA7H3np+qxyNeeCNY07PDl8LwZAaaYk/bHPeBVboan0I2X4o78zCD/gFXFBJ4rxwwUsVjHEioyO2JcpV2/oDOelJBD//78WzBMMSWt7ZKbJV9uYr9ZUM0BUD3fsk1esFCEdnDJdr86U0UMmiig2R+ME= 21039655953870571289679214995029926285040274249531458675115179004718812090027267801012507748013357317597416722235988917212676802092082137617336199787762782958420742299451435320649616271885264333948336627286638368859041172783505464468640994920853000441536629081040963398001710173320125308624362209157720438977 -AICOlee3daFyqTrTdtWjVb5M2rclh9BpIo1CRvKo2bF7NYcjrU0/VvbOnTVXDwdeGMLupbi76f0BrfDxYtkzMXvIZlgoTit4g5ennnklDHFBC5cogaGlri8U28w4/h5oMunZ1O4ezdpRgVJe9nTP/sSEMYiNS5IA7Zshdvm/XccF 90275777798511290102824338787811725003177532250296755103300529948194832904403489332420505850668003332750291879153080212231952155092379375422537931240723308384652734942204313672973885652497290433943089371705605128843469306776615573873479312715317072986990219294942040272550822460408702072075001377245051602693 -L0QUSVIjxvE201b1ztRZyOOxy8vkUz6626TH4tbLwXjjc+AhmrvplaVlavnOgHqve+/L18XNuAYP4BqdxIcWTx+yxBKm4ZS92dRJdcAtccvZpEJtYjdJvI6qbL5Ph6HluaVZwp4dyFyXuZOJGTfYdTb7PUWM0jNT/xsqyjxSQ2U= 33191267986826803728285073844005357792766429917696698533494382218509532051029343127452480789088572904364699220151221680328978554239767633887572649589456766209242252549993823283929686430100804479376247660556781589549613316880150951333982646510273364068770923588389668733632648346075516618646974067295703417701 -APlD9ECKJuACUmQUsbd2GTOpb2PgQVT08C/5hyNEVdA5bWoICX7epmoCKCybdolk+cfEBP6fSz33j+Vn8MbeiHBLdmF6ETbmcyOjldJ902MDvU8dqAa8IgEZN5Uh5x/xzN+3dqk9o0ji7yi291u90rpfIh85PPpDat2B4l5zs9i5 175040148659257809883308984693597046378367187659749953472629929701758633206586720399909808941145946314755491399962797299295431089674294356220216615950668954164397362123668926410543898553191541662075745481299747832013627018846822876386760538344447600390187421938699064459451308870669878673306013635576901916857 -KB7N0tE+A5vFhyrd/m6Qe1wTihkjqmBn+rinfmMAzRlvtxIBSyDLzQsOQs7L4oTG64ABU+YwcWVijvoeZNamaxGl4hatAH1pRqmC/r8FMvC4vqiFTbFHzQhkjM7uoHD1aKnxyBVgjMj0E0KZjrRxydZjIR2p13FXjLP3UQSFtII= 28173452509830313810392326357601136401754938805266458365469366750775669869895498658593356375710132149836430968810246171974040975430205200958564616924399794768861923079158311829444850822144940112488994119845741191519421434257276977333662656888696213514226866147767570046232093727585815615828360199830275208322 -bxFgV7eXwnbQScl4VzS3RTdcMW+NY6pcGkT1UsqHIeDVyBb8DnH/2/Z+DX3zniR1iW6FPdvhJJeQyPIax1ohILa11R27C1TLxGvTrRBGUycxjEcBIxamHveBsXbECWusYLEakeSDg9x4BTWMz1rTQajkorBoeEjYuW+xBxQtXME= 77994515143740690952370766995249847650881300682406161400195705464876513409097078624084133111941171517535435606295232558665316819077765607639545069239931096306624817379462598756505457054433358548941076472902905065316335603665413114267741896000877284610377452471067725794013283338924419969559537339967562669249 -AOH6E2eBzD76QdTJ6QbR/7OeF7AagUif9pEYx7fMqrIsXCJKKpLV/RHIItCDYP2WO4URCaVueoAJe3M/Shj4o6efvH9pf5Q8MLM0rn5MTHWhThivqYQDwjCp1ZsPgq1VFS+gcnmwgHhj2W7XzJxiNPeRXlxI2vL+XTT/wPBYhqEP 158686346608862569574095184731081143351413141116869402750758091813874232272198082464382169470744476593016502816563462778075467588097653320101723165887488327616477297401486647183409348122990505635004320879840358339260797834264972100385692477324858942142372580281421734058008608134075577990829273447077276721423 -ANDDgNXOB/rXwmS4KEjiHj7RCDocVrMv5SU0aw6AJzNTBfseFngqidXx2AJKOEeG7RDDN2gzn4K4qJktF0AIPG2JbELlLUu0MFlpOLxamp586qyp67Cl9OuPq3UZTyQhIsSIE3VQkvxuQkGsaV1owDV3BKIWQbQEqMQI3yT4ELHm 146598844784260148346676185962272439320781765598895126402049215152385925250917998794921584290777625240122575975327405909800121511343265147922400813488099624745229653124857224399973509428158163452130086943873214460600035260925149630502192183407327427517292065083168010281295559088633086659209316582810260124134 -Vprr6oBnWuxIzyTZjuxlKSdZhBc0upeNBHVIlXpQEnN1Q+XURKzp4/6Vg/koITftr3SMSgGpE7LkrERMGFgYaqM5XZ1RXYFKT9dRJnz9VRDITVZtdkDrU04bqo2Ur+jvZhvg/oHBDTgQ4nPLJfHO3+GEmUtck+g/wOVozMMgufY= 60816213163057201559480662231646403262735082707152897397414589876256824040344252799972529759737904461369360580708093117244392116003622336721789703580184437841209963565058475060017600871779929808204093448248984201640754565635410002090180110910120481044515630478472999135146756643143415057403006410330361346550 -do4LGsm0afQLHl9alWF2RVyEKPxLIErsf4pTPgScRE7ZiTSVErbCDeyzd/KHzhBLQs/DhHHcw+OXj541cIRm6jaLVKiT8EwLW/dVG0AkVli83sFh2f56Kk+bCGSKvfGEQcGLY2k7nQ06zoMlYR/xbZCka6Q6kSq4YBDQgigQ1lU= 83252051731120517035090523892596419800592471447735288551342681962005778435125655090199060145942826521644585427683714084736143440310518046334877897672493531918539106001203807757254797471481884534543367685912500572052457610702790097953420236852480969038388056545966568595395722585797418296411673622376893961813 -OL2Qoj4xkqRrQmuuLwrABG3BMMBNGjfBtVBNTdBf7g027Ghkk/z3aK3jKT1EPpdiOdn8zXYBSO1mTRGyK3n7Jo8ICOcnlBOF6cZtDsb9bvSVE26MOD2wzl6irU7vzS+s3vGBkN3AazrxPD4czk3xezA9y13DJVnNzgAgIQHEols= 39844525812817530522650122383059885756573694015271773938493414420875846359054562126060762455794481186614035892021706051863945033061233991184379580556219478200155757966121832613842937722944431875100059046588723473670448006803481527981834627086055642349130254917244469014754132003347635357123155857820000494171 -Ljgn+3Hcg5DOf6usRumk7P+ZrdTBRmo968HdZU1mS7LwLW3Hii2KNkwMV7J77zA0P1pnvhMSEEeh1RbCUjLtSIbt3RIcOEoc+aO0eINF8r99l83xF57CBI3MDA3AAbtaYATy/NUXSC2h4W5kdsQuR88139MFi5y8E5njqxHu3UI= 32456338403763561215581247445990611953939298888251578685087656354454727113846722731945605696397627662593375001096230320486703167389461057538581895745078593206660798580358701927596287363374862536765135996838944212622199018632046955402325290145163082309469649329852148345837780541107029165352782710901375425858 -AMt5/u+ZUNm+Xsucr4RQPUu6ExAOq/Jbcjm/Kb2YIAaEQ1czIL82wsu6YmpHcfMaxLjY+EnaaF+eCWQPeGd1av919+QFbQPeh5DT7ZT9klK7BFyVsN0nEDJQ3AMMJqq6lm4sUeVxDVTmMypYnkzRl7jqzyCRY1MHA+o2LyMECdOg 142886089970163885609957244378225169093559131065687633458877059657380607541767850701139140472705242750285722732461954100519608059127637509286558848391554697942686619832870045594188204522385787253648018847569919409782188708374165437385572046835539379151066214153911415525465041951116179326632238059135825466272 -AMvXeHCaa+zk5VdB27KoS8XpjSUngaw7Gwlq6e2RrkEOxBhU2rGWGJ3fhq1HBNRxDf0quqfYTMd1speisaEr3cIyx9BhYwB6A+Nex/Sf9DSixezhcgEz6c5CfwUYP0QTTOiZDqzz+GcjKikjN7DKJTO0WSXMRG8qX8FBbH0rlc9l 143142496664357119491819741364830737485524654099662921673419335301323845847085335210884201567922636945282124120681371777665458057821603161276185071778040317947168899788341482064834489328957963447735297898161379277478278414388733161844053774747425459239004132791029364174047523473372650441001639174571312926565 -AMxoMXHfE2i4khsAkv/lPtLQhbWUjP3kxYmlJkpacpicBB6z/TmG5zjmTC/sqzBvBn3J4UvMzKYFyk9/l7Wnuc480500a3S4HRVtMtirPueV8v/SPktL67eN2zoj1VZA/Rex0aRGjW2CzEKGwEn3G2bZSgdT8hKv7AypF69ppjz6 143539479941314279463880342636704987025205547180882175105616955926182352311179043850344463145750154442573797875223178075233807385237935671604701513551125937539235111702655902037518920150424691586943553275517626347557879039695678271564616114192941679606063184290901862703975921261779714258077775731727612132602 -ODvOKg7l9RCn5CePG1FfMitkR5l9+7JK67eU+WeA5p1YXCcKS8GbYAKCtXPD2QfxmQcrNYfAc6Yb/kksaq29oW7MzZuTDzK0HXY5xBc/fJzEuvU51gaI0PR3cuU1qRlLqwmIlyt16gto+2E64BgPgIKJcAjx+TfH/EqNeJ77/W4= 39488587053253042573878502921384752550143716864908041972426777545317969264945056510991363961916339225192727727267483337259701961148978214005913510275048195308792987888118270387288989623193626554910652030960235845935461155296845475356011099372367616732243132816329531758943935324760665826550992788664237161838 -AKkznyQtB+PGvbVroM5nUIzhJUjiNj7q4fC9sSFbmDgvehnwPElVlie6PimH2FKonGV4GSaxZ+osil+9omfkb4rO3pq8fy5KcFSw/gs09X/U2eEEcUt/4oSbjs2NaMIxQftM2CauULiwfkWdkMFTBkHnh7Bbyocc8dtmrBDdoI8a 118817437232756222334188081193205110010964766506378146125932730686679941224328135190204402802650523704343176483564284220367074983943319572348376466341132480772885833789613392397284313483009178508647973749522358005819092779831781339778163122774381387989185969990310049504391258988402795259963134610905036263194 -AJfwWA7XnYbTjlJt+9hO/Q/OubHkUkyMYrN6Jd0cN5MG9Rg8W3i8U6oJxT18p4XozkiOgPlF1lE7hIAW9KRKJKGTue+iw0okLq5UNMu2Ha6l5/wzKi0QzRVTBnQm2zjPlQpgUorBBty5mcbt/B/Y3vOE4I3iVXklVtjQ7zIBHaNK 106695084438708194568048926154027115609888551145480521213711726807296356271397749432698558860759334362315257102647885062353922543502466463770991058956633500180245599467233361812610650830611712448187310827443315947425061886163301613989593906515923245020641415290300558869209909418659128196109640872398602216266 -aCXItk5XhuNrbrqJr1Qm04U4y4AzSKDMms11PgVcdf5fCGdizibh6/oZqx5OitM26nRz2vob8F+ZIP0CIyIJU0T1M50dVTbbpwuVNdv/XI6gHekQt0d2g34x1TQJIcsT1VWwGWTPNMtht1hezBAYxwv105AGKnqdLiz04YAdEk0= 73134927546833985031652237686088635686032103401394612286045377544136784429757461671691980910279873140130943470029643791712859175007885735170485461366406852784845528918253441791024065848540598601036357817496637108534035807393364939272891745520961269029038360205258229770737579266643408540634722493263322616397 -APNeoaWlyNa554OtHP8F7GAY5V9F7LMoF2ssg5wBmsgGFktrRH1C4FdyD0COrzIb0Vcko1/HiTnA9JXlfGKc3gTHEnO0gxBSDjK41L+EIgUfR0EhAD9iftTaCoBM7qZN3R1MYrSz3sevQZNMFOOnRrzwWEXnJaPKAZXvsqPzOIF9 170899982929163229592439208307232242235219591108657660041403142612622997092685093132858257827585941687488772925553142105567685213341947938835403410054637382864108739466539574004149772568683507025358331323655651148107044968424043673850583150424463706583215452211942132017052425497789362680979074312857823248765 -ALhwBfBYpOk1pfJcNut0C2fEAd4hhYU03/ZQBqVe/7MgpEDjro7oMvSdba5kjH/VBssmZVqpvuZ5lG+vI9lXLukhwRKJg7m67HG8lZXvjDmjU/PCjxBPNt5r8/DziETYmMa+fhaMTw4hedZcwDe37t1VPIflvM94sBKu6be9yJAn 129516480651398210587505113546142851617282590236388547627336279692965778911450075230961856270046942312918567973875005814982283590898552829322178788678196583244198944578081007477482775130405341039067711963061287597331433268366003672643052056973656674139309732186091974604170508497340243515339072325943686631463 -c9vpoiZvtnj71b8XguD67WayOF57QgOX4V4L++nG2u/RY9VT2+0tJ/C4NIawVa7ScQZAPVLuhV4J50HJX7FZgtY5n+lwMzNo0av7i0IqTS+1BBO8eNJy2wkCbWWBxNybuNnF6OK7eXdPb2Mmwm2OmhN2/j7HAr0cD7rK/Hnif7I= 81358980280155473712258342299472964374474635149963153129588784719499494479288254287754874893180126149146558961101860327826747785201363745989346818037655063262173536227595206355647880155693272153902647256175878517626925488264893732295267833614283963802283320574654949992393798458265266551024756663538388467634 -APArEXNLzDydcHrieLDReJryWxFzcsN1dxjpJIVGeJp6itsJOrUtnmXVnETtaZhWsmN3/Zh0R7TgJ253f7PZ/Z2xCEdqF0hs2MmnERSywdWZQ0a0McbDUUaDjBNYFht1wvS6djbI1b8RfayrnEZ0miYdzrrP1ntU+5cM1QBAvj6T 168651870043094856205824264282870999215855903395882323164614939540734011037112413507417141209480771157672307388419164831992909066097194364645695794831939514470650008210390333649278806163193463937050083854756730458780288720541495880958909249273048328511615821480782977316719631334570687241232556472064072892051 -RhGyx6xibf0OvY1XjnmX5na3G7emG8PWbvEa1kIjR6pK6K1MrMZnxFefXpHWInFS7ADESNI9LHjZB8VW5QrjRVPMksgdEAlkhY7MyQxaclUlShFl2AfKYBfIIro+vg7mUMzMctD+07BLk+jejRHtPVIxHmNnZrZYds80ve5z3Xw= 49204219353786910100605282012781696579642953908541693903348594981245301165936599174304121350092894937817100350990938057159324959104937469442065996667276651025661016077514839755853073999975805394464570132481314896694678249282338429544941873047382467276103868995474424700207571657816852575364781281563515280764 -AKbFfU3GL6NILVyONPVD/X0tffk5HS//7FBp7n6JKMXu3VXvWnfTl32R0WyVHk2yP0iIyi6SUusSicOH9ncO8KJHmaoMGN9Fn+Zq94FTFqZne5NxHmCtwRAbFNDVGg4FeemGXEe1S5Kk1VcvWqnp+QgY0uwa7RtT8C7/T+1pZlwq 117110890075563714812929271250884717870581483065920538069845585667296154465072587148155060755111295509684258790280104272121160614620669593483929827848744548171793187278583947500205314283462739235860439216105116687015890394925743036369717346234391524403038196640934551590543386844279091801685432977718405127210 -AJ0xZ9dfRc6P4W31bMHBymgOq+38ETEIMvMtr+wB5WTcsquZY1IUB4IVkrHaOo3W2SIr479IfJOOQhmvyRS4iB05yDI88Z/fJfXarkH53gDivECuo+5+JmV7e0S6gCvOuVamwoQjlK3G32bCV2946ry4EyIsVZ6Alk9xk7X5HfGU 110384671994603894282707302829898242894456931176497230904862171369974466400767175784681299142670706023468915238955836087425993929524341269289746060546848852729416925808186253355106621584826213979718185296723694190658548757311188764342751280681935289121682174507629679900374674992438818324999211250580434317716 -fjzmb1D+YBU5Wn1GlwhxjiJS07k+fXxjeNRbOv5SjktzxOXmautO8xZ5ACOlYrTt5G2gzW2PU6sYNfByQ0xoUSyutOuQlD2r+8MnDrxCo6RxT3P0dUSX7q0IVj+oLK4GPbscnKLfe6KqUcYLMgKnDYnc+ztFD+csL6BQnM9WMLk= 88647261832601702291191332432291274285041869480562430895152086741320122435409959711452438332192792226899741738806447713240934608106883094466050154088410020909933636902495700779087737304255058561688767369900548260278700135161077055869478387490726087630962098228537973426295306997128615315548440548541717688505 -YDg99aHkQSh9RjytWknbXzcgLD8MrWUEHF46yQLHYANKXaQYyf3yGM9TYPCDUqWbOapqQe+XfOCoACLyRg7vVDsnOPRDI9ZFUgCQBNG06ZOxzktEhnNJoRC99da8jyodFqqk2f9UD1lVa8tsQdatjUDocwgJaDAOpYEyGnUlbXo= 67567767932654827067250684965667741848878457020992905661955722020937161710030993261011062929936964216357930453809610708591260182295097124272956485574313839759737390934220465669626974544253750900911093325004172643146669082793591441922014060981070503803266774197958528843445580649512373693546027107823355522426 -ANdsfO+cNtWsbT/QJHGkYAL2WCHWVPrX6oEz78pO8lUwiigVEow5roLI5Tm7GP7XffjF95z5WDxzpoam+Bfp4za75D6ZEHQmuFnpWQAmNLUHdKUE6UcsWN1rbV1uY+x+Nr5Vni/M7PfQi1yRTTJTYav40tFPb9rY48FsUotivoxd 151275723772668372472508916060743043308364940375633847663054782759325087560768667906829087958412643723335046123025802453213225972572697773468957759328009026531148112732519692142632237595562259864125679649273054426879080697360204352423668940795473103047320116317252295126635024518179060076282921965794883439709 -D2Z8YA0G/vzEVVQ6itLPUC92r9n9FKRpf6lDPWIgpZOOfIkukPp7zzTlo9Ej5IsBrZBbtGz/eYmlHeZ8Y9pQj8HFW24HeKYqjmR0ujbNxI0QgoE+VUwPVg0HhoQsOGmq47zpXpkDwpOAZbMh/t1Bafq6r2zM0qmiwOacJ8KFUas= 10814483230552506566705634583020057064935800294861277580077052473134972003523900930560478187758928889017740705417070994563709463926267126567504805864719383185267204810142444719634360655595490833208838383875687102074846353850310954150927702228780599083427768247170427544730791038729428517279760042619935478187 -XoZpSMHqlOyPYJS7dWSRNDJHCkjbo6+DECzu0FpB9O8bftcxan/06Twbo5d1lEqPlLx3w0XeWtrmCSCaeVcXVtlY3QuPjdKPv8LBnnhslPOVcbGyflaTPXU+ITWE6rwnIF+yWQl3NIwCV4EBtCT+3U//Dt/Ebif9gzfKpKltD6U= 66377743237695515693282032069691369056215169443985727092982918806809030742478033317158686828712146024066618073633406428345129492010236994055590530566431286733776441810601990431112187030942086686719669823512292071202675269428014136307286941704297995292544712278047959299939833088742083527714893795660235870117 -QUbbkyJQ0Nru9c/nPbphM6VxHp5DWlai6407KIDbTGvUReVYI7de1gO/BFphL9GA7gDareYoMuej3/SVp8lEujXywtXzjiI+j2TzR3YYiMBAMhsJO1wU9pxy69Cj5xeFFlrOycjE9sPS9nrqnEEEFNPiK/GDDTHj0KuNbWSCLrI= 45838919357034925862751142472777409057791233610959872523563363744902783251621354580995921495295078179996083468819097423327554678806691589090814275138081407920379810144694354354954459732280968086760894209634364189264517251735804373673532012530665557440070501687207620525228416650281363557992436992284712644274 -F+uI7ARCeAlnPLO1YR7RJj8LyhtE/EJMcY45lsNMff0YeENe8KOITZVxNA55FcxDYpg9sKi1UV3/ASqkqpH8MOxWpBdT2UwSX3oBkp6ETfJKqiag0C4MS8cQVsfcKF39BJ6KUE7X6KUEj11j2YIIRREmLPyZ0LatG7dN7Rmv2iI= 16797235966984072293396362937533957334369977688369659112225970370748312376722010874726300554329794854683394163379447263409228872034356195791733533528404245739693397078461712458035888813157166614479153484688995068722288153129390850561042173295997770817893349738328312152341860704179681230323810266038959856162 -ALkEoXznA7BJlBIfA3Avl9kygQcxexEMApwduVRiXeYG0uEXMQU4rgMJBlPqs+ly8LTIcLFaLnJAG2KFQn2GXz2TNa7w4xkegkrslIJEtBWX/lc7VzRtcLbhaXEs0Ci1ValnW9Up7dYOj3Qw9eNo/9M9b1fD9TI+0QXFtp1ge728 129924120553920201168632484268654219915712271781591182777925696006023100660478316445751842982460082888615429513674356810187315558964251402722465707617058251479494744427428152566665405423424700027316505872162698141109433045594670140335040479559124757490095995568556894332243767736124299898808796118800328801724 -Ki3FNTEE870E9GaNtbT418CLSmf++s6Di3hzAy8NgiDOFo+uuicJa54V3JNRxOBc99sl/chfZuaBQt14BFOQ0i+9rm2KD82okNABd+SNfXOb0Ow2taZX8CpkVJYDyphFPyHbPIKmzwMShNx9X2z9w4++tJgzBzGcFTPv1nhAlxc= 29618953883711174042338818332957726953262658484143534778541769862244883781157097499904047532839425875312731531093860721544220959674634750905085721866390609141599426547378130082409488797303960018348798930232014390380383063108812922828160584483043190739354817699497573863286563890071313017508437166939160221463 -AJq8tcSnAq6M32ViO4hVGiHY7Tb08cLVyxpl/v0Y5adYblvjrbsFcCmsNDi5PnBOBl5awR7KZdQ1xgq6jIs+SQbccEMvJvGUZW5MgcHrXBj9XVd+8oB0z0eahqXpgYBqLDeHLU6238xR3dJYFf+Xrcrzjg8swx66OmQKkAQVJtdq 108660120968150664552423780971948386965268856900017812123107864829782135741514930439461240950044759098603910762272795612101834680870627850178371693837566833495418727543557712057554231215186486008080050486837716071537742708913279026303380104388546316647349432118287628353129105425052237438199445863950767806314 -AI3mfrgcRwtE3mA12gSoQV1xyIGy/YA4pCCvja4mTjvzQOAfiZL0efadxZH5awohCC1SpZDCFsE9yYp4LugHKu/A8zMcp4k5ena8sTPDkSod1yucjybgmVJ5h17Pru28AzHQ/YUmCnojQv55aV2+AUhxzIfojY+NT2PKRqr+vuf+ 99645829268436288676280252226747461064597487404802430565833102291706103139410465131373666856042539909746769688396958963177805479987372681967013633920910376342526433530508868114301205524789149997372160919406352823342811006288909548557622230243808373083272214426118230701324879006645047374853535922112549545982 -TmXQ+D8XFKSclXwnTIH8d+sb1IV0gfm7GagJahaFL6A9rvYaZ0NTizkG5DQ0RmXyo0wPmLork/296whsdNdUxVAwnGFlWWvMV0ftR1fOvN9KoT0WtVZ4Rmu6Fuc7q1PskAZzIp7MkOAxILO4iX5dNuVC+GLZYIbpTel3Ga8fXuU= 55052751096768041533898435453266875315629605001878362193939750978427494147944918632414581744895066623527980497732722163665712245580312596487741856071020477624754815927936394948233480228964159047139170955663289543349257377302556035170334384320502468579367401821986660515827461352578142560630318492817238744805 -EF6KIBWQiQoHOnBdJs1p+WIcAv9ILt0cnQVo+o/2niOtI0C+eFBSiNgeddhotkQFgHvGUjq8BPYgtLC8A5IFKGzXu4SYj5ziagka0hqfhVs9zVHKNx2NUoMhPDG5R7+giwEGGPOayGHVNbsBf1FBYG91+mwy8hnNbhcHSnvLGk4= 11494909948912248031301686864833544028186348338729984264372557659364976118965740281229664413031002362633393381744365783802034700038490736736266032000546393704814403638058993380993275865674190555703046732456017652317200288968188655019374159412919163798248766655991273308390043613040731449231289437754791500366 -AL7wCh8tkFe07qChFAzRkrnNehvda/Teroj65X1Bmcr14+/zeJlZDObYRYBOm8YYSYNgJekcL3o9lLFE34sCMbSJgm4dGwpEVexiLVi+zc8ndnqBDSAnRqtC+3jbInm/v8l6cUvuzrUNtzXIQ/H4FrmPMiVy0EMerkMtkfw5GBsd 134080980697158076909534078193319899756347955848461100874771253577754225619652121295523443912922220564492468474647193062555347746840044705102003079330399499915801536721237211615317000955332058281901995149084303143543150689010335818219129745452688372571010816270728441637278434982752674030696337642893239393053 -APunLhlblRi3bbRBwSV8dsw8h5SvT8ncAmXPnca+e1dLzrQZzL7P2OhFope0mW1MCDl2kJPiGTdK3SiYJVsAFeR3r/0z96g3oq+8uS66T6VaJym0QToMsqQF4/fUMaTo9HsukyPyOgjVIU+6TiFd3SxQKIu1/GpQWVQIP2pkHFKM 176716779397275986910036615967409090183531310366246043951791503601618945774743601662530806467045971394247287367421508126613573039423674729894091424105133906122821596079925540513892022311039293333114333317886304014722168786051080135090242879622144693440448171583324154550086458411590240882982297314605229953676 -MM6B5AgdJKe5OLlPzcXwi9WhqQjx5KsnBYxxa3kWdGNTdk/IN6TVd4Ptn8lWkLm78mw3DXP4Ol1sQbIfkHRoKFUN6TaWg5aDCJBDXyHSTZI2FDc1di0Te1SwziYn0sIOe+R+rfuLuHlcT1xaZBgL6+dDLAZaZza36UEjn5i/pTs= 34273208848307582992498656582721015257885595139328466874135636009184357438445251703533153492315835793684794951576799764181908090765379592683793969576893243386892292517067596035059342970830813419330530731370385186653239446376170533147020072285887964430731437765184844167400169982662183791828762458682426369339 -AJK1dx77ZA4F0sYCgRL1LKSTvjGTKBHd4QBeVnE6FKJxIow82puqtsVZ7TBxbECex+LkLQPrEbuQaVr3giUDjg0aJCE0D9ZVXCUS06qulqcCCdWgGFHXDOQzTWDn6TlJCGxtTEMbMxSlUq1q0iKZ19kwMHiT3GydBn8/G7tIYd23 103022457217861194294329435482792508957642944252832971366936865663608381648431732294396977429863681671686490913575377744795372643599438468695483808375208871881849232129651519218503507811863794426234594709451104684234156597418383183271923307418704786548452806494411689822939919114966188329657999811363991575991 -fPZNsqUYBbVGA2FAiglnByxGJOZkVSpj8Y4QNW5wq6o/1e/PRwp0TLYJXIoCJRs82pAj0QDpQbHl5lCZmNxEIQP8o8xI//HCPxPIdgBJmSfm3VGetrOpqEGU0KJJqK4IsjoVpAfPFMUMOpGNz9CSvCHGk1AKrtYvrTJEKmETuig= 87751387019308584846595931543798879607048239290774788042055795835726250309378365187899578817976976035304304847968410200168743967600896348021636654074952051821111673620467434295067182213181329543946368332581250062140819766061014427755090798550122401239987766844126425179573454145697756278292448630509686471208 -EmT6DUd0bxcdprYhAnycQaxm89kltJOlIOGFFRmEK90H3RhzBGr5PRVTJVqemFVpVliO1gy1nPHgqDGVNIE1GXhrhyFJU6m+HJeNcduippRe38xPCiuraRkXao79X7WAiVYUq6RIH+UIRnfTvHBgzTwjrOvKJ5853hYmGaanjh0= 12917015385266582065020051081997430892582163827812227349569911846746592973268746845211126663077128575098045461893559476227689488349263954564361736197688317585888118974603264677576027836032271531903881104937422976121352854003385726888601980526287956222142458858211589791399646989299770657341412683499692330525 -APtOYyWzdY1A/YU0SGrtjPdMZA5E50Y3hJVXppwuuSk04TjXzcbu2Sqp7sMnKYbToRW4nB5p2UnaLPhTRy0yszOd1auLngW+0ttCybD6nTcVoP65gYOwXGfSEQysqKLb1OfV8kYq5Ba92Efn+CcWWWuS0wEr97W5M/Hccx9bGu0r 176473215292413922394356058789571494026727424839036665031567966488209592078148711908841964690807374236235612412767651029865069639786447019874344449598703213025389428836803984245755885691094364960118900160737925054803955567361126391353868279642836569627177281508980029006921064654964339077608785831304875404587 -Vs6bjpYfFA1R/QTeCfhMuZLZ+Zxo6wxq1jFZpi5SBR1LaUwAtOAj38OJC8L7zmxSOj/RGEmJHkulI3E1MH7P7xlWbY468/azfot5fX9BgHrtptV6Q0dkBUg7H91+tcxdbm4/V0HGQGa2rZp+XK1rO+U/d0ki6iNbsCsCR+OeyvI= 60957991334776853645581868230398759578123373154273044785333939425321390401088800849629483265841435899835570419798325123273632247193463641611211088549152950252041797959644227170492417662363676228611376046334386877555777556575818860902071813120592757466883038430756577949025778080997296219236534786815367760626 -GiauT9A+wmwJsFbS2OPIM6ultIbU+kT2NgACn1jFAy+vNBahdfHMCH0jJdCs5TbmKTCeiEf3ITc5TV1OSvIejJ0GRkTf80nY47TAhiP1aehZvMAv59NQHHTDUE1U4TPVYKIyFpm1V1A+JBHKJzuGrB4lvqB2ed7k4m/ZD5lFLMM= 18363925023885496669420377869542744504974590667921570026763131637088916425434675950812384919000566852243714758512996458727914094904422651029609645299422563453163291342992902510788457007623888307499601267675322986672697397389663297565071582648674012080122614260400848960757021864980761735684874056409664531651 -AL/9KOZLtZu4+ZQYQsmOgbST8F4RV4N/Z+l8qsbCFlHdXHqTTkcN0chsccE/3KkVTZsAnAyJqogbAvB/RZqttaK5a8iKlOEoerUS92FVQw/42WhsVaFggR9cHVuvCD6QqclZjSBQKQzUMy0YWPWlycAZDIv96tooA+V+Fk0jbcFs 134819194171226950171930028888667967094069342154233489571728632904658607624703819928943642011918061760802468868660586005724399808048609316802502143143910585363214684061242274402109137825176291816945489430125510625857564490981683683589784133305376252294774711594646923226452625156299996630452243345104727556460 -AK5x2N/4+PKlsW/fNrw76CnE+nS76Rd7Ugo3IKhMTB/IuCc5xG4MQHo5MlWE0oVkZ+Gs4CxUpvD/WCCjHHFlSxKG4mC6ehz3NVLglBt+f1RWfPkF28JPd0UaIOG3um8kG4J3JDN48PXOPP86A0H8ZYbE5+ImmXsGAcwvScUQRInU 122499245103202714319465533564374494931278163571999934877854825659720649344163774228004853964635693562785966889622928722984134944784141208867445419597834322541679973956606275877526560988151196822256754309120410807075405427166696093800381410682490767468563176131997424692783482903880902119461752084196789357012 -ALZ12i0hqFhwRAikcoahYzH/BUolhgZ9Jz6adLvvTO4wk6LLOpNC/zCz+LjM7HazZomT1SqeYJ2X+WeGFLADHuWo+Gp/I3S0UEneYHKJxoU7OoOtE0mB0BCncLckHao/LmbpnQpS+Lx5bRsr0yE6oWNea6gbyRm/R0to74MI3/KK 128128022342420083856194424802390993133863171077961467523372211039771843125192435716337829530528063182315478279257832480290950255315151577221042903861075751839976362752440630888566422581799720709574650482021111126414843635330535518992034746102956214991673417580508389225948159518319625680855827280146399752842 -APXxvLifWgehdwdTRAJP5KrchRzgbUsyMWKcPGm2ZkwGDJjoTl2LIOOGVFiL4CyPBxahkEHf0nMxBN5oNGX/Y4W4PuOAC8gMgHzdLkPWkpnTcyoe5DD+fQsqNuKVw9nvyB15fx8k0d6b056nfFjnnRqgybby7MSllAWSKRYRdxVm 172707950911363219032118650562553641123743396229371815589867086054370029540557395298194067635069298952836929253340374819975848769009260895874615676938511747311585257140973518651959463416682165208985512233703837931718385346209362040743041262031997793519095342415901373534535662377972036003546589624834285049190 -O+9ohtZ9SzGLJoZM8IRQAjhc/GPt2X5G+M22ZidYjx9WgOTrZDXorSyxLuHxay6djsJSgjxYMj8MuanYSn/DzPWBB1Gn4cDmIsfeYuzO+vUJ4l6d0nIvBg9Iqs61/PGFd46YxhnDiVQ9HEznyTjzESnNqc0+/OkQVJcwNHAcZBg= 42087920806448980363073662127262313840530298932643042322138035915324224188032438119079107631420338701086802583985117830416851550991102672642532160807467909040086448764318690465254898516502941122327185894900817634110254371864896139724173087625913998657136384357741816102965779105122269429701537815263708996632 -VJOZmvqrqsIUTQSSJpZPhbQIYN2tsfBhAciWnfAYpwjK9/ts7OP4Qgdp6T/V2EsSRPnfZ0VKdLg1CnEWDhfcODo+/BZcUrJ0AviFAEtdeUhoMSWXtjel9Ln2guHY4s33z2cN70+e8gfjes65lCzrxUIXEF4nKxzKBnScoooQP5k= 59391682001673484862915842850714742391303140646889359425353339320546979084250010101273851580028171449840778038774656177449549941659895629203970455580974953864068394275066532699748911169800076515776388213090834432354601344176559839798153004796057709798368011673585434643656820656931921831615507416411999846297 -FRyJCOgPziO6RDHX1JgYGZRcSAuoQFIZM4niD/B0twK3l+TRpmVigKZAJnZZFtmX+0JQkDwQn3lcBGQIL6mgy+j0hD58U2/Wd6xebuHSzf4OHVGo1cYoqZLplszA+hVCoDVTHi2YAZ+GtfQEggumcNVxqfEZd6D9Nu//hm0t21M= 14824975573460749317081504809641216868382341402512168178334301409725840669112911061147252565570697788806398498723577368905065980113760265945344671897779830912242224090954834750057278285419880820811348943398148063418809729356397202526234113316098584002071850758705282845646489058224513019380757604894853946195 -dUk5LyS7mduFJlvh5o8R73kJIeeTh0Zli/y3XjtIXfCaNRf+wDlD/pX91JEwsQ5Mvj8yq/Uq13QyWhoNwsPpXVcJtJ+02wtIn5darsBDfzcD/LbWhl7zTRUeMjZ72gAWi1djx94SWjrZJS2oWZU92Og1yOyKRG+ua0AhHfYYh6g= 82361050315899968537319599868832189063658136463903643442673674137187842597528653416212822014359684261704550279153006971937114135373937934986951573613797195556144113400128502946618028800530164890707031379614952207482505803377774320259789692177752930767589642007257364960987343146063216186985472686575891023784 -AI6rejwEznR35rIPuIz0CP2aWyhRUR3unJ90YfxyuVYxrqOJQGSDTSf6SGDDw5MqpZXa9pWuwpyrb6smOq4ZtC3Er7lipJfXDjhy+0k1qcfMjmqbATUscwXGpgW+MO71cttccEz6vhbjndi8gvG5M/vfL2l1jA8nXuBd4e254dbz 100186164434910864539376019601151338080943067893748898987236087770762310617199833479771711726248130012472861788210345311298499515751355424063761182369333224929721733015910055321263016834247318907562652286587380604998130368845939290804442878127169587599285040969551065995197981341260363722618429042861484922611 -AJ5vLZX0fSs8dUSBqd5hki48T9cYuR0atxR+qv7cRu9nD1vP8uNVR8dLitg3XH0RARt3ZmOgi/AuggZt6tTxuIBg+9JhBY9WW+BLL5CnYWHC3AKMi7MQBWciLtmBpyF152bDaEcV1PXxtml2KxX0Ba0C+hGVDmJSdi8Kjd4AkfU6 111256341508463539324514225759801553679558662737345522765042612717818066374840372549356543720386819501973783940451033901079765311790026584654529398345993992144903839534037331533660672892487693477412528974248713261092693018326068480417183236210881306241164169849090833681510163753605662526243408192127670285626 -ZhXtSzn1GiFfHHnSKUYZiTcEWqlI8owyCKFjCQ+VEvkdk50m8uN7RCQ6ZhI545tN7Uy0WdLstJhgJETBYLHHIoWsJn07mgPxuyO0XsqNroICMQEOO/YWQFk1c0VqZifcohQAwJj7fONzM7hTcA22/7gVigJ3iLq178jZOJsEPQs= 71686982768953132894579286530164112027530221141251507987469672039995314435159469907420372652392376452531392493658576814100773556880394271726970628960571077839124343525055625420896355363707908511865700866168843075071778015504724409171911254647909938237551680861008772396291072284353858575645679153885560978699 -Vc8Cw5m5yI+bJ5sUJYm/F2wyZ5x3D4ydyL0uU/3eVF2ZJu55OOlC9pUyyv7WGExClHvWpR9mhMnsqCLyseLfM2Q/YXJ7cjGPKp2xd+fvwHa4hRi1FdOxs96rJnb+HUt9hTwQByXgzpnUfs7AqrqaNf4WSlBNMu0IOOqDdB4iVHU= 60256873326783629723455608618518793848697944184579877638436234491615392142659293975260290798403892159720925893207048153291000664050780029732557737984085196691225472664027706406879051455184548871511448456651238810812870905640934953489289909009741493031472382758586341375517766302753448531830002512912250459253 -QmeUn6cbpE8YrDfMETz/+KVFaK+d4NHHzcdj/MnjcmqQSLpP/XwCW/aeudlN3SfKd6rNo1XZefunZO/ek+PHEIy899WzjiJaajhf2X05fl9WuPEaMES3Yrr+ClogFNQ+9jL8+7L+J8lDuqQzvchT0U0RPay5HSNZw+ZouVCiQ18= 46630904037845609335515965570673490721137364238213103678233212262384415738654627185220187275286458759154841820256007930773120637898228224906635911124921895934056288121005350040349882413280772888907627838315559544636626856478316691755270725623680935763476199888127096014398699432042227882284223578563208692575 -ALUBYIShA4w5kRUa6iNF8S33DqaprdOWjVBnO+j9CCGtUh+NNwfpKR8AKf536MtuFFtwaQvRIlkLpaTYXuRxzyU/YG2+UfRQF3pEmXQhcMxJqFzqZ5nWCIWlJ/KtYS4lcC/B7hD2UGAktnIdjVUTSxX60VzA+zxeunV2iBZXQlEs 127106299687401374061881872616647348819431126560557369258073443762502337592227172639640997680536372567116568811258505773087926491911004324918919511363985868314578663758269650473780772688462266790559846182685481907703974916356209771821075179827563487466641669110315430790405454641953880582274165368514679034156 -ANyAdMnVCVjmUZGiVdyvGE5mUQpKoJOJINqMAfzVUGvvxXFmGdoAx+xsDRNAP4KoijpXk6E3yPBPBZEWyhiHnyjEkktK/gX6gnb745afS0QIlsjhKCk/W/BHXkzC862Llnc1ZGAIsERnGceEoZHdICfDUh/7nMFp5WuSMzPB7nEO 154841617115465511611746667401422322067517612306328612547616471923266281876818466022676728696273611923942543658633762267658490816264271663863494188027433799849037906883352478212451733963905925106470599843045599411842850386623187980045961158399934160107237440980574028985561404965317132715808604373199725949198 -AJ4nfhDe+HojR2YrprDHW9FVUxsZvoIekwlNL2iKFRFcTB9IcEdh6QnGcaRinev7yEYUsL6saSxUj39uWlqo8udJFdszuuQUmnloIi34L5uj0m1OpLy2dawpFQr8pqyA7go4ugMMj6XCtiVnISUcK8wjHgY3Jed/EKK8k5ce0Jxt 111059703393618496515021583605572584329116596402705082562306930876194742195701060137568030171429700588269665205795898835699633817098262654446852249498668467827435829513531633390969638488553144849154126899372953755511962841193763362947708260103832329116485114451074371844037650417731807385491783373627950406765 -AL+heSTflb2MkRYFTKghfzqlVQ1oE5vcx0eCIsy9NJ2NGFXCRRvoGDVoB8UEsUWIRnaA+MIpwDKGpbOS8kRQrvBvPe/xM/t3jrGkaS6pN064+bCBx8Y/Jq31ZXNG8oUol+y1Eo6fkUKNl4EOetmZWK8VmhVwol5YngDffj4Q8ned 134567692290185631768518572983694048149859804864902017394351513816079806629664302312927579302025923096596995134868068794900003728293470554490807959649153000914807604036531509869958441069678002226922395630284261949256022972967357884468325217602330254290548618134453007903724438628204981673400911693835033278365 -AI272d2sbYIi637kHZC+6lievgcDvT5VKaCnus3fHwm2vfao7oYu31P4st9DlqPWJ635X6QtLkU5HgvVSy66MDj2fcOfwVL09ffkZYnoGNdhMADVgOq62Ro5cCpOdw8Ko0cCyVpVIaSysPuqY7kiClf9GTdyZz/uYHDgwWeNrc4R 99528854246023003959943182132914587584844397870416002887630245681136432049666385367430032197518895755482367603560037194955739661569172773017279832774100155646116233705958563163070414171045438199561777058338188494271322834524386565519620661180246416329082614115142485663975718653564590519408413408765689056785 -AN9S8vPzo4SkyKsk07nfyD0um1riJzRqqWF9KCL+kWMHajurgPACikYzu61tL7l1mNEaIU16Ndz541o+y76DgsTLYszu4KXUOEt1Gu3eHy05Fq18zCDlNesSVjkZjPmuJr2ku+p0cP0TLLMn7/KuVOm4GlEVc6OvBNZuEzRriSYZ 156823459768092337875922818543729136404805918580285507923139232733465414368775678369646914249412830351437211620056021568154043505276475345347569200977945836210758870414054407438380975491139001471954448623922841964684437333066353208837709613982022690623722155151315252634380695513434502419141555410441456920089 -AMc5H8kywLgiT4zz5xgoI90jejsHorbqUGtBeX9wke7zyvEKyWxRKScZwzRbinjDZzN48eg/30qTZOV2Rw97JFg+EA63iZ0vqfF8jErIt3hODniKX8zayCuNmiSb5kiZL0UDU1SNh8ER4m6o5vshBKkmqs0PeozfCGQtR3bZXlx4 139899247405256530335276706333424670310599977544642091674186635734421385499036688803073040921114325725234673132788498809189814711681909865484671959982394306416477300458309408833281654917008031099378445580498219376391819745965887864647387211647794422908411100892195529730435423964537342228510107659017578765432 -AKv+3H/TruTX3wdMWnLzD05em8u/QMl6lCHT4VkK+uZwBXoLeji54Tcs/hZIhj0Bdj0URrRt+7JdGSTy4Sr986AtVFxBJZA3lT+JT4JSrq3oY1Tv+tX/yg8ZodQmbpQyyfaFg3BgeHNmsUoCrdqhj4IwBqEXoOBRIXnzaTuqqSEw 120779384043726135670909127168686589868907326577918074234323699599475436892003731971700278391108690400460261929381703781833059801757700386671579819341589048987186473249926590758009001670959004477454905417357202448886738669226760846888369186457452643053236389556969071303251275912453385963613554945645058007344 -ANXIB+HxOyJd3YYsscMpqZpi/eYjZi5q6A0MohU4BiWEJK/E4uIObLJDH5yd4ng+hn7UMhc+R/AxG88hIdOc5NyG/QyFs95ZLUC26F9rkRifu2CBkgqR5EQi2cgwC8jGxQOkC62YND6cAn/ILsKTYaH0iavtO9Tz04vQp9Ypc82H 150122383481070201614242107655752525590609186454390549085509458064289390813495886095936526832230958746095739308601699615024239939948911472291507190108935262129646691795733786714291498653838550751365834947465294261687773081563139416397262227609481906371677917295227469553787085145970923979142676551778927103367 -ZQLFoW+dJ7vrHdMlcLRGKY6T6PZKnE2L3NjXymS/55my2CDBLdDf3oXwLlRjVt9KnEiXyQzLhyY2PrFA4k3N/3P5lVDLHero5c36TMshbHgbIKRGN2CGWPEFeQ4j040IwVbQCPJeuF3jL5ikCxWZFXfeEnTL6TqumLfD9yLQfKA= 70932215714423143395949105745758445705072524008235214324766464113352968998429901322485575506330607802260244612268338586532462314021433435523464635419846126736185176246740838082062856583684393425704173881940108783636582561707441482446854068022535943408999200681879161519209676205165680598258447492092651404448 -LzzvPw0FdtM2G/RRiqoajJiIH+Lw3jpL4H+08yOpp1bNITR2Aq0beu2nP0H4o2Z1/FNr2hzuGakkAhVbmmRXc8keoOkeaAQAP/8OYxHpjrqou3WPWaKx+vUCTSqVYYf8gnVKpAAC2cD+3lW+/ZJ538o+c0ovbUKNu1u1j1OBtA0= 33171669664542509840621265032202455391098253465550501094201777336478104142847268103467889435377685359857979277521589539506627375165485879405453566052091202280471235979376217319335800766353336252760793484157724210008639813552207624049019149744883918494762511376489708611103181576211531366514802868659603747853 -APrGj1lIIlxA57DNh+bTEAFbJK2Y2P3MxLShb4fPx2aY6j88k3umoe07ISQLf9PzNPeml4/0I3w0KNd2x4s9KHbj7NsIT64lhO6eQSEteqZXZGXUYUyNzhrTbAjt+Q9LVKItQhsTkTW2HTQ5RQZfGrkL118b/I18J4P+T8CGZdDz 176100632478477421621142147788721746818712752858710594712903769452749028606541677227413333567013253138397373757811889654342173021761934591400685421771460440213093509170325205622261487145789848227404883040799927313402244625239515162996390018403365063394514244196976794479529075569412676472840544017222373593331 -Fvcl/LemWk29I5LCjU1QedTjGlkvFF/kZXNkRJv+vNZ7qgq6pX8WB9yVkk6AoclDYAhCRfKTKuEpR23iafVuHpprPfNXcqBH8n01kq3U27xqIy2hS+D6BRBK67PQaekq31EB0aOcEb/DuNaXakS9+mtTMx6BKt+WoEY+NkzHK6c= 16126868736093163702771491576570380743773057522016869811780571865928979861357811080042796140032050364543242385458140594532945509386155523162799601656485075247603490060565663264947465987286983338572455184901756399862440455644131755848583379822279676555143231305246033911608913609591095831135803702269767527335 -AKW8tvaB8YZ7J5W2lmquBniJzUhRfqFdPZPqvBoMzR4cRh1CMNdSFsYsnsaF3KolNzogdsxFpHAaEMG6zSvpNJAoi4nixCqb5SETXrSLASXvNjI9MvCoE2JCRq7kMbjPL7cem+mBPWZITGUI6KVlJPLxQngHYSFxukqlx7jznwJH 116384596458828069344020651216200368975621068920641012055593076864629080375946542748377736186556382088448816531408136815533164209947323588157210859294774679831647934533061547276394884474877353537242203645373945111105805934070657589374883764420038511061919092743520704686962593876316976299391579463759429567047 -D5N2P4FrqDf7/2Z2BJsqah4SjUtolic/yNqdNzvNEogDKZKAJyGq4zhnHvkYXkEm2ueU/FDPJRqisszG0oULdU6c7p8acirEwsGLVh4RamnFRgmQSK1vbiYB3bR+P+iFX/bZ+TWjN2Y3YMa5UB//I6Zb5kEIjmTpjY2LEPI1e6s= 10937855369372570149476727082965401421189236366492771695094788039313362971972373068736123833330006002198346944149230147444718818161877123407713821100752433128205189334393732633989950841577315682292180735057952587083688644195300641998709155269462601925653013312848413290208844194513502358901613104779186502571 -V/A1ktS0xrcwlI8xrYqvlLCFYrdVp8tEzZaZ9iNNpPH/pzVsA0WbnnUeHbdilkje+4OdoX9C4U2xaOuWOfvqLR0c7GeCkSffCqyf4ZsBmjy/BQL6rCpxMF0gIHXO5O8aJ1h17hy9LTuNzWm4zVh4pNFuHC9L6nAcf92udMiIQzk= 61752386563628388546439207444896778638632243226541303179646524864765343154194512297447627825411023405896612559648434895675553567405277169056807223959390559391191382555701580549902639604424290133917402316755076644943742815711432111554988540913643347167948778404861099845961151998728662878854088239266688156473 -APoPgEKA0/r1FYmt/Iso6ChYK6dDU62Y+vH5h/LVE00biBYG1f7aL3GdllUTN+XQSHpqlDw8CD+9xojwZIMfgpgjOwLbbe7Aso460zLrg3R8aHBpbVt8iZUgjACwPYr5UyKbFzIAWaXcnYYQ+tCO9aDIuOz+/7eIF62C81zXFJVZ 175598490446477604563905754135475294999639698464908622773037381109011373179895295130424828038708319325919451724985361900259676699137657615076219968061941008972496322083528922054390781811699677037439989404270415929836486610353098273115864435328533577114470407444852521009919911888840405368858409835197558461785 -cL54ymLJhRx3U20Y9aUTIsXy9Ags+XHy4qk3F7uJyO46eiXSL7VrrR9vTQXAbETbu1YiVWfslsPht810eUDUVaVir6yLnXkywn46Ci42FEvVoTEFjO22uYcCh8nqB8H589w/+lVSlNrcILugwfdfCvK1iZzVimOO6l3qzfXToOU= 79171550718114578361958369278761819285111811576818442980166457146638966315793211967882077899426611721874954146020093740153495693185472340728106727284441726113022873005252623222594060645383105757498856463065370975867121188445567981809371870213273555432308279508351518168027875538720367440153667708369625129189 -QdQN4qW2QZq8/fmSaqlRiPSoDbhmF0oYjaY29HcKYGHdlOH0AMJb+RUIq1aszvVtjh7AYay2TNhaZMWQ6Qi3c42SNk3A1MVknT6zqiRCGjNFfxf/matbRLbTFQF832MAId708vrFLF/o2HpekMkc5hcHB6bkUUhEI1NLcMXwGck= 46226230186280253581676626651942823886592433541360244612432763620730826574920825070086312767146345247802570752482654580909236388357139147786783758670999083804670979821212991224400629053427330483809790366665043598754931511997925850227997764381723288657884346974360232490075739442406431704368767588177525348809 -cxHvCK/dyVDvaqCCQyLeaiBGA36mV5el+1lc2eUTkHGUzX5gU0QQCEp+iSXNJhIOON8VFpKOFsziuV0Z+3cegWRw/VnxnjXcBh6IDKdupzOPB+Yl8MA1ti/GrQjLC6ikcNYNjQT0ZThL7KTqEvvZJH68WYmD0IuK26swjNGIGaI= 80804939616399473443737611589382762718815989847332356984276911837267997590368701684135326680567847542004499684038240485603420973682522792156533112356849436451918522884749244246467852622918805139990256619014116276456718693703261686778030658826952213058982142604346352178078750879100976710761147710018148637090 -AIQ3OIZevkYoRGBmsFaXJobSfLeInuKKReVYNjP5VEPoMq0mXTltY6l09/rQ3d1JjsMD1PfA7emhxex+H9t3leBIfCi6Ux34GQEjXWpQc4awuiy9tbR077HaJyecvb8Qy1FTnOHoH5C043QJzrKYT/sFXjgB60piI8Y0R/hwxO4r 92845026347218330987427785323244729176754623818531419911990153715676845614711324345879159989637824921793015074978358052562420379797956750450245721653716740651389924718711940869162230097839047895842495414221110468446944827052871968998907462191349838598297775847512250220907563815783358238473966349820476321323 -LoG6ib5lUh57rdmSkZSWzBoudytFohS4uoU/uly6OaQDOi34GeNVxu/yr6RszJyL9JWkGNgFaBIv/HirH5zA9VQAL/6kpL93a0/GQ/nuHkHy3GWZPF/2+yJ0PfazQ40fWhHZfRxBngWslbguFPjj1XaJ37YzpQAYb/+QcUai9ic= 32658152290878644668906121702816147999633088014476055330179597550087921141413344679134407016170035735846077181424615228657687216737432274043674411132745299610950657139041836412322040866250189120286839287690983293111362228893996267791120043532014262644480689231457941173330523718758287779526551822788227954215 -AKu2jgOQCCfYZ3CLkXEH44aO4TtwMPeK/eq4FtNj9HZ9FxT0LLNJh0ZXPOaPJjgznvIw5C7/hNm7rUs1JeV8I8dj3nbS3EVERQz1gc/ckYB3H1bViWREOD5+TScDusi86YO/z4ar3dauKkg5kT1kKDuU/OP5kNMWvtJjHc4Vd3L3 120581042599355202025471829872601846477331097842315143148145881424071317426176264583672725691485724160094190478865850305422057632110749683552966861219554215519032344086824849470294473808177223497912069335635933312949412445851201918768630656712413082629164792850095444166888072453190903931430551124946191872759 -ANLs7OsR7oBM5jSjVADrk+Mx9d0TeieTIkxwWiJ5STKNQmW2EzPOjgbfcLhbYEhzzDFJveXO2dzz6/c8V5oW2yqg7VMx88DzEbpQnQpk/rOQRw9jbI4fxXNJHkNZCeysEVvFfLJb4ecsGA0xJ3Aylny/jP10ahPv2z5K99edGZSU 148116916208650944522110872759145096907599612943009577897396622287067669897712748449324334650112672914917664881091633448764667172850435775162090891556266912697811031318228334453406561952979778127173704706529448647577013482442758465809198730066784986763500579667100246958959793527011919373534159474250508506260 -AL+Er3n1qj+SBsZVtOMJYg4m0CN+DE6gRnC1F7nPvd2XnBe+QE0+LKfcpUDHVNxoydW4BDzNVwnUNbyjXZ+iuddPtO9hchVEI36UiuL0ydeldFpOZ9mtHJaAF6abd0MlHw4vXRf8CbOvXb5N4s76ggijlZBjRtU563sSmBcyq6Zt 134488725667189507159811764480908602790838430340670328479145818969651133017546803581865897303917708192047926432630297993507146075655594931523561067937580218599890162311074002344315818494246433967228889645359283635389151927472221799543158424012020308449895562192866672439712148770104592027035768027605661099629 -AK/04XOBSjjPpuFXTDF82RNWnKqZz9mJQbS2B5bn0ehFnBa6j+B+MazX+AxXTL/d5+hPLT1uexcnSMl3DcGGwKipOXg7Dtuj3pfJXHTrCqXAUYrIXI+8vKVQO55yQPGfzIg9SVgetwW1sDk+a28ZhJ5a9OddqNoi5C+dLce7ZtNb 123560902006294001923570614486104726169564351074482936927091682096999779538353161007361361829586988452098646362280351148131540524964916445100589671458589346440250329883789099771417949746709217272531950438336245613419967556433467843237384555807236658182067742367748737224684334525934210197178231424396818830171 -PzOEGHlihiveoWFAALY+LOfkRJfm0NUF/uR6cSU/tbpGAq4onNpr+iZIzEP5o3JBLOtDC595/NBPI0fzaXl0vQvgJs6KG8iKANjsLKQjIpZBkoKhdbG9MzTVQuAeuDW0w3sn2iMZ/v2dgAzRwfqmQYXJr3I2BbcwWraIJuZXw5A= 44381416070253681813077725822442106641846565789204187691647505370231831464947935035197059366680327425453811558282831465960889061956588244308214943856009686127871667376028831540813257349779756631357122923723235595360268572998278795110672666089470210929411514949652537714634611421849780859192966935514197771152 -APnuduN01GS9dO2m2uCLs400AR2lX7elOnIPC5U6e17qbukxWYzNhilZlM4kdGXAIeYpzFdSIW/gxRMZe6TXq9krFWRaaPyT2QwRfGHYnazS9F1QNYmW1zXdt+qVp0JGxmh5PyDstbP8Z3x50/E8Mb0gLLPhNAvzY2Jnr9A8Q1Hy 175507868985304663005133968393406051624825489142498103948374797086106732382869120248515993626061853699363294022457032257026588816021007648668265488426495800459085474654859258116280251546902009156490112550154951965894022789029787886785376415437170872937201839249103828294508088966180386198213606090453461193202 -QHEhL4iVzNdUsfG0izTEepwTOvxka8t/9MwuF1Ey6kxsI+ry4g4sJPgR2xMnbtOmvQn2NitAkfvA8JPCiL7a8+gmf+DVRDjKDfpfrtgAVmo+3rH+uJYTrKhAp8R7ggU2xIrvbIrgeUj7ieThPI3Rtap+IdkPCL853JC/+oKtytM= 45252649968839515171157821292772647085425694172492111870169593872127007254353374581972876464918186509502070064028725519394859148593053614163356612260257013360168930649423732336969778875205250872728821432415158634190866775855521719727700464116412886964736859295086745723651735554245035077902615220578218265299 -APeaekK4mVhEShCfM0mkRebcg1Iq5CgrFIEGOoh1nHzgebr5A9Wrhm9yD1Vd3e+fFD9urDRB4y5MHPJHX1U2NFToC+H8nQkFXL8bfd/9Wl2c7y8m0Mxwi53pLIdzETLbbfeOOtJvuSYYT3n8+/PeMnJ46UD8OfqtnFuS0/bVpFLS 173873040145444066957050580959132871919216036714423404143335635770937773583761934638398867981658394368476005882852706046614562314432695052874974848076542261910660410561876043187368112065303981001507235893831108658530338308496461162623683138693880482650786841100027392293758260448606244283355655751440485602002 -FqC/wgZDPTUoObPFSH5w4QR79zj/O+ZiHGTEnsBMwNZD3Gl/ClRDIsFMDDupNLgwgXsqCQbpwSOHOtAvUuAFwRpzt5B7lwIgtP5ism/AZRno5p+9WVSmUAM3glHsNtvYydz2MkXtnXzSMIR1ZVoLrdwMnckE4pbMzggqz+JZqxw= 15889870005716350976759704672045310928616256175405784574141006779373730686049218680335525720670897894546334915362899913262232170795516176419192840427996647372619000239408311568577050460995518058850793096827271653902583271225799114408537346367483775593212272587811309978019791973449354003275559762102731778844 -AJXNbv2AMWadF5h99ZAUy5gLnVK/hMaakFo0ZedtPNRJobxPmwj+h52G+Czd0U48G0V0wpdeUJC9v/4BhjzhCvNhNsdAT1+vQXDuteYQ1aspsEKLQ6b+NknO88QSbRJw53+KeOY2xe7PKOa4V89XnFFBF7wljRnIYrM8vvcqVQDk 105194875227030598769888785590198577650278341586165110611689226597424766274486797264032300493674927704016605741286512271390703088626381669060095573361828932336327125438452066548897528158329044309005232090053420259033538936293519762277428283316506398965916381374819450858053512398634116052299066189424983605476 -AIDRnUpBHepjBqYAlU4MG/8JxzX1mPxVNHpWvnEVgvqTQx/bisFPpXrYs3jAKIR/lzevYwhH0K/8Vvw4NK9iTMFqgSnU44AZztKsoxUXsEsl1UU56UscY5C7ciKU6vjjWI7nm/uHNOXdE82TQXkk2WX8ferNqZU5DaLFCb+zxb7w 90459642084794142567976043425270153270545560059973413835786695756473295513758287577749768786155290305189883600338986370836806413936196854410098516254596146039255388020628703824195128439558127783534033672712705194483515442668075394018677699876614329419492391568463215822656901183478205197671375262145069825776 -AIdvVNzJqWPgAShvi3GhbhMQft+SLigKGrhoqas2Saz/bA9u9Td6fAxa2LjrAqshW6cnm2aalc3Yv6RW/Y8vg7Ho31NSaRjT4zMUenykcC0/Y88UNxREi85wdnHwGytms6Lq49H8/7EFGJIyL1PLRWPmZn6XFkegscI/HUq/hiKm 95105613103051650721863964216778532448106311156426028879315612217763044797186635476805213120469258258125661666950525364331551671653846368977016286153840829836509696804585927581668281228810410814602664419962214359687545209312836366693384158782798559255789953908588601637765910472073600954502095647132310971046 -DdchOPjXrI6lpV84IdKCisPmdqZan8AARXRLADEhixsfXCYuO+WhNatI/fM1vgv+/TxwwIQjIfG1vOZcB36JUfjHYdItYQ70vUXaVFdpqvoBGyfOTU50Ds/11iGPCF8mWiQwR30/XAXytqDZtaVJVWsgHD3RigBSnSHhnvZAWYg= 9719024770319024562623340689338530708271347986326272393419504304391837979619189392867902307307106771234732135400958362219711925045600118964223238147375808749507928768896918369395426933218443166133187066167663170936604731896932630589251946733237697936733924510107175304126061649311812536190882160340308613512 -I+Z6rdTOt26/v3dtUP1plITb15fjb6aMDvqFS3AD1+nxBqnnk7ISGE9j6dv762EIWQpMzcCG5NCCq35KOHEwRXP28zup6olOMt3CBFgYVcBE2pWOpGiO19G/iFweYZXZPY5HgIkex7HBbb7l6HhomPc2sLL/IRhh2oogyHx2JMM= 25210054612455888156900839678249806510561198051210010474517915819801056434402727631042894881559517808906460418029149538469607239850657781476308872923928122553395468026744382526167194202058040459679991391557937527079948356545086684521068912222036707113005006607012596093923970784177288565193670152033981048003 -ALbBoyelCs4UkfnPjMT3S67ujhBHBEE0uxLx6kSGZq2IOMU/QdWYPFElRgYC/y++334FSEycjS6NAJJo2ITpZCO5AjNJ93J3WYgbDLiwu1VzKHX6ItfFNEk45km+QTi07+pDKcKNd1k0mxqpLd/PuZd5hRpPDDoKBb6i+mrCb2yF 128335905497646745013379107761994003743181143126608677203818152878840562628631384684712779135591095534911406031545494164782375276574093777950840330452805743803067864740000758175436633463846967335728314347497013853264454015790847388463800323796888198433722196292529074568758149650782323407298620158495364705413 -ANwlxEkeqmqYTxw1ZwMi1v2wo4ntPaEYZYoTLTJQfa+kuIksnHW9va243HAiOixd+rviVdm1dEwzESBbX0wiJNtRBpP+bnRxy4xOBjNoOB0c/tfka5JVwu5eeskyHx4V3inLviUaj86Yck42n5NaJFMfBvhzVftZ/YF9WBITI8g6 154592850289860621115358362871905683265658659789986179554827712019629689749439795961607030363152337159590319622241556795951071651584979664762468782303706550885785493534656062553770262954861884613383561063525714923031691298088562054236178003658891902606245782350998076658704876516153027797371814038658244397114 diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/openid.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/openid.html deleted file mode 100644 index 1a57d44f2..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/openid.html +++ /dev/null @@ -1,11 +0,0 @@ - - - - Identity Page for Smoker - - - - -

foo

- - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid.html deleted file mode 100644 index 1a57d44f2..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid.html +++ /dev/null @@ -1,11 +0,0 @@ - - - - Identity Page for Smoker - - - - -

foo

- - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2.html deleted file mode 100644 index a74c042e7..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2.html +++ /dev/null @@ -1,11 +0,0 @@ - - - - Identity Page for Smoker - - - - -

foo

- - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds.xml deleted file mode 100644 index 8091ab94d..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds.xml +++ /dev/null @@ -1,12 +0,0 @@ - - - - - http://specs.openid.net/auth/2.0/signon - http://www.myopenid.com/server - http://smoker.myopenid.com/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds_no_local_id.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds_no_local_id.xml deleted file mode 100644 index e6a0eb977..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid2_xrds_no_local_id.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - http://specs.openid.net/auth/2.0/signon - http://www.myopenid.com/server - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2.html deleted file mode 100644 index 5e581287b..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2.html +++ /dev/null @@ -1,11 +0,0 @@ - - - - Identity Page for Smoker - - - - -

foo

- - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds.xml deleted file mode 100644 index 6d85d57e3..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds.xml +++ /dev/null @@ -1,16 +0,0 @@ - - - - - - http://specs.openid.net/auth/2.0/signon - http://openid.net/signon/1.1 - http://www.myopenid.com/server - http://smoker.myopenid.com/ - http://smoker.myopenid.com/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds_bad_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds_bad_delegate.xml deleted file mode 100644 index db7282e2b..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_1_and_2_xrds_bad_delegate.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - - http://specs.openid.net/auth/2.0/signon - http://openid.net/signon/1.0 - http://openid.net/signon/1.1 - http://www.myopenid.com/server - http://smoker.myopenid.com/ - http://localid.mismatch.invalid/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_and_yadis.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_and_yadis.html deleted file mode 100644 index 3befa6fc3..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_and_yadis.html +++ /dev/null @@ -1,12 +0,0 @@ - - - - Identity Page for Smoker - - - - - -

foo

- - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_no_delegate.html b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_no_delegate.html deleted file mode 100644 index f5180b3dc..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_no_delegate.html +++ /dev/null @@ -1,10 +0,0 @@ - - - - Identity Page for Smoker - - - -

foo

- - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_ssl.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_ssl.xml deleted file mode 100644 index 111945c85..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_openid_ssl.xml +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - http://openid.net/signon/1.0 - http://nossl.vroom.unittest/server - http://smoker.myopenid.com/ - - - http://openid.net/signon/1.0 - https://ssl.vroom.unittest/server - http://smoker.myopenid.com/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_0entries.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_0entries.xml deleted file mode 100644 index f161a0b31..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_0entries.xml +++ /dev/null @@ -1,12 +0,0 @@ - - - - - http://is-not-openid.unittest/ - http://noffing.unittest./ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2_bad_local_id.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2_bad_local_id.xml deleted file mode 100644 index 68c2ce1fc..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2_bad_local_id.xml +++ /dev/null @@ -1,15 +0,0 @@ - - - - - - http://specs.openid.net/auth/2.0/signon - http://www.myopenid.com/server - http://smoker.myopenid.com/ - http://localid.mismatch.invalid/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_delegate.xml deleted file mode 100644 index 372955b02..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_delegate.xml +++ /dev/null @@ -1,22 +0,0 @@ - - - - =!1000 - - - http://openid.net/signon/1.0 - http://www.myopenid.com/server - http://smoker.myopenid.com/ - - - - http://openid.net/signon/1.0 - http://www.livejournal.com/openid/server.bml - http://frank.livejournal.com/ - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_idp.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_idp.xml deleted file mode 100644 index 9a07b3d40..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_2entries_idp.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - =!1000 - - - http://specs.openid.net/auth/2.0/signon - http://www.myopenid.com/server - http://smoker.myopenid.com/ - - - - http://specs.openid.net/auth/2.0/server - http://www.livejournal.com/openid/server.bml - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_another_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_another_delegate.xml deleted file mode 100644 index 2f3b9af37..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_another_delegate.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - http://openid.net/signon/1.0 - http://vroom.unittest/server - http://smoker.myopenid.com/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp.xml deleted file mode 100644 index f570d0437..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp.xml +++ /dev/null @@ -1,12 +0,0 @@ - - - - - http://specs.openid.net/auth/2.0/server - http://www.myopenid.com/server - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp_delegate.xml deleted file mode 100644 index 541060053..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_idp_delegate.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - http://specs.openid.net/auth/2.0/server - http://www.myopenid.com/server - http://smoker.myopenid.com/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_no_delegate.xml b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_no_delegate.xml deleted file mode 100644 index fbd673490..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/test_discover_yadis_no_delegate.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - http://openid.net/signon/1.0 - http://www.myopenid.com/server - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/trustroot.txt b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/trustroot.txt deleted file mode 100644 index 1b6cb4ca5..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/trustroot.txt +++ /dev/null @@ -1,149 +0,0 @@ -======================================== -Trust root parsing checking -======================================== - ----------------------------------------- -20: Does not parse ----------------------------------------- -baz.org -*.foo.com -http://*.schtuff.*/ -ftp://foo.com -ftp://*.foo.com -http://*.foo.com:80:90/ -foo.*.com -http://foo.*.com -http://www.* -http://*foo.com/ -http://foo.com\/ -http://localhost:1900foo/ -http://foo.com/invalid#fragment -http://π.pi.com/ -http://lambda.com/Λ - - - -5 -http:/// - ----------------------------------------- -15: Insane ----------------------------------------- -http://*/ -https://*/ -http://*.com -http://*.com/ -https://*.com/ -http://*.com.au/ -http://*.co.uk/ -http://*.foo.notatld/ -https://*.foo.notatld/ -http://*.museum/ -https://*.museum/ -http://www.schtuffcom/ -http://it/ -http://..it/ -http://.it/ - ----------------------------------------- -18: Sane ----------------------------------------- -http://*.schtuff.com./ -http://*.schtuff.com/ -http://*.foo.schtuff.com/ -http://*.schtuff.com -http://www.schtuff.com/ -http://www.schtuff.com./ -http://www.schutff.com -http://*.this.that.schtuff.com/ -http://*.foo.com/path -http://*.foo.com/path?action=foo2 -http://x.foo.com/path?action=foo2 -http://x.foo.com/path?action=%3D -http://localhost:8081/ -http://localhost:8082/?action=openid -https://foo.com/ -http://kink.fm/should/be/sane -http://beta.lingu.no/ -http://goathack.livejournal.org:8020/openid/login.bml - -======================================== -return_to matching -======================================== - ----------------------------------------- -45: matches ----------------------------------------- -http://foo.com/ HTTP://foo.com/ -http://*/ http://cnn.com/ -http://*/ http://livejournal.com/ -http://*/ http://met.museum/ -http://*:8081/ http://met.museum:8081/ -http://localhost:8081/x?action=openid http://localhost:8081/x?action=openid -http://*.foo.com http://b.foo.com -http://*.foo.com http://b.foo.com/ -http://*.foo.com/ http://b.foo.com -http://b.foo.com http://b.foo.com -http://b.foo.com http://b.foo.com/ -http://b.foo.com/ http://b.foo.com -http://*.b.foo.com http://b.foo.com -http://*.b.foo.com http://b.foo.com/ -http://*.b.foo.com/ http://b.foo.com -http://*.b.foo.com http://x.b.foo.com -http://*.b.foo.com http://w.x.b.foo.com -http://*.bar.co.uk http://www.bar.co.uk -http://*.uoregon.edu http://x.cs.uoregon.edu -http://x.com/abc http://x.com/abc -http://127.1/abc http://127.1/abc -http://10.0.0.1/abc http://10.0.0.1/abc -http://x.com/abc http://x.com/abc/def -http://*.x.com http://x.com/gallery -http://*.x.com http://foo.x.com/gallery -http://foo.x.com http://foo.x.com/gallery/xxx -http://*.x.com/gallery http://foo.x.com/gallery -http://localhost:8082/?action=openid http://localhost:8082/?action=openid -http://goathack.livejournal.org:8020/ http://goathack.livejournal.org:8020/openid/login.bml -https://foo.com https://foo.com -http://Foo.com http://foo.com -http://foo.com http://Foo.com -http://foo.com:80/ http://foo.com/ -http://foo.com/?x=y http://foo.com/?x=y&a=b -http://foo.com/x http://foo.com/x?y -http://mylid.net/j3h. http://mylid.net/j3h.?x=y -http://j3h.us http://j3h.us?ride=unicycle -https://www.filmclans.com:443/mattmartin/FilmClans https://www.filmclans.com/mattmartin/FilmClans/Logon.aspx?nonce=BVjqSOee -http://foo.com:80 http://foo.com -http://foo.com http://foo.com:80 -http://foo.com http://foo.com/ -http://foo.com/ http://foo.com -http://foo.com/ http://foo.com:80 -http://foo.com:80/ http://foo.com:80/stuff -http://foo.com:80/ http://foo.com/stuff - ----------------------------------------- -24: does not match ----------------------------------------- -http://*/ ftp://foo.com/ -http://*/ xxx -http://*.x.com/abc http://foo.x.com -http://*.x.com/abc http://*.x.com -http://*.com/ http://*.com/ -http://x.com/abc http://x.com/ -http://x.com/abc http://x.com/a -http://x.com/abc http://x.com/ab -http://x.com/abc http://x.com/abcd -http://*.cs.uoregon.edu http://x.uoregon.edu -http://*.foo.com http://bar.com -http://*.foo.com http://www.bar.com -http://*.bar.co.uk http://xxx.co.uk -https://foo.com http://foo.com -http://foo.com https://foo.com -http://foo.com:81 http://foo.com:80 -http://*:80 http://foo.com:81 -http://foo.com/?a=b http://foo.com/?x=y -http://foo.com/?a=b http://foo.com/?x=y&a=b -http://foo.com/?a=b http://foo.com/ -http://*.oo.com/ http://foo.com/ -http://foo.com/* http://foo.com/anything -http://foo.com http://foo.com:443 -https://foo.com https://foo.com:80 diff --git a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/urinorm.txt b/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/urinorm.txt deleted file mode 100644 index 9e10135b6..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/OpenID/data/urinorm.txt +++ /dev/null @@ -1,87 +0,0 @@ -Already normal form -http://example.com/ -http://example.com/ - -Add a trailing slash -http://example.com -http://example.com/ - -Remove an empty port segment -http://example.com:/ -http://example.com/ - -Remove a default port segment -http://example.com:80/ -http://example.com/ - -Capitalization in host names -http://wWw.exaMPLE.COm/ -http://www.example.com/ - -Capitalization in scheme names -htTP://example.com/ -http://example.com/ - -Capitalization in percent-escaped reserved characters -http://example.com/foo%2cbar -http://example.com/foo%2Cbar - -Unescape percent-encoded unreserved characters -http://example.com/foo%2Dbar%2dbaz -http://example.com/foo-bar-baz - -remove_dot_segments example 1 -http://example.com/a/b/c/./../../g -http://example.com/a/g - -remove_dot_segments example 2 -http://example.com/mid/content=5/../6 -http://example.com/mid/6 - -remove_dot_segments: single-dot -http://example.com/a/./b -http://example.com/a/b - -remove_dot_segments: double-dot -http://example.com/a/../b -http://example.com/b - -remove_dot_segments: leading double-dot -http://example.com/../b -http://example.com/b - -remove_dot_segments: trailing single-dot -http://example.com/a/. -http://example.com/a/ - -remove_dot_segments: trailing double-dot -http://example.com/a/.. -http://example.com/ - -remove_dot_segments: trailing single-dot-slash -http://example.com/a/./ -http://example.com/a/ - -remove_dot_segments: trailing double-dot-slash -http://example.com/a/../ -http://example.com/ - -Test of all kinds of syntax-based normalization -hTTPS://a/./b/../b/%63/%7bfoo%7d -https://a/b/c/%7Bfoo%7D - -Unsupported scheme -ftp://example.com/ -fail - -Non-absolute URI -http:/foo -fail - -Illegal character in URI -http://.com/ -fail - -Non-ascii character in URI -http://foo.com/ -fail \ No newline at end of file diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/DiscoverData.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/DiscoverData.php deleted file mode 100644 index bf02d660d..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/DiscoverData.php +++ /dev/null @@ -1,152 +0,0 @@ -', $example_xrds), - array('YADIS_HEADER', 'X-XRDS-Location'), - array('NAME', $test_name)); - - foreach ($mapping as $pair) { - list($k, $v) = $pair; - $template = str_replace($k, $v, $template); - } - - return $template; -} - -function generateSample($test_name, $base_url, - $_example_xrds = null, $filename = null) -{ - global $example_xrds, $default_test_file; - - if ($_example_xrds === null) { - $_example_xrds = $example_xrds; - } - - if ($filename === null) { - $filename = $default_test_file; - } - - $template = getData($filename, $test_name); - - if ($template === null) { - return null; - } - - return fillTemplate($test_name, $template, $base_url, $_example_xrds); -} - -function generateResult($base_url, $input_name, $id_name, $result_name, $success) -{ - $input_url = $base_url . $input_name; // urlparse.urljoin(base_url, input_name) - - // If the name is null then we expect the protocol to fail, which - // we represent by null - if ($id_name === null) { - // assert result_name is null - return array($input_url, null); // DiscoveryFailure - } - - $result = generateSample($result_name, $base_url); - list($headers, $content) = explode("\n\n", $result, 2); - $header_lines = explode("\n", $headers); - $ctype = null; - foreach ($header_lines as $header_line) { - if (strpos($header_line, 'Content-Type:') === 0) { - list($temp, $ctype) = explode(":", $header_line, 2); - $ctype = trim($ctype); - break; - } - } - - $id_url = $base_url . $id_name; - - $result = new Auth_Yadis_Yadis(); - $result->uri = $id_url; - if ($success) { - $result->xrds_uri = $base_url . $result_name; - } else { - $result->xrds_uri = null; - } - $result->content_type = $ctype; - $result->body = $content; - return array($input_url, $result); -} - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/Discover_Yadis.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/Discover_Yadis.php deleted file mode 100644 index 0ca3b2eea..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/Discover_Yadis.php +++ /dev/null @@ -1,230 +0,0 @@ -base_url = $base_url; - } - - function get($url, $headers = null) - { - $current_url = $url; - while (true) { - $parsed = parse_url($current_url); - $path = substr($parsed['path'], 1); - $data = generateSample($path, $this->base_url); - - if ($data === null) { - return new Auth_Yadis_HTTPResponse($current_url, - 404, - array(), - ''); - } - - $response = mkResponse($data); - if (in_array($response->status, array(301, 302, 303, 307))) { - $current_url = $response->headers['location']; - } else { - $response->final_url = $current_url; - return $response; - } - } - } -} - -class BlankContentTypeFetcher { - function get($url, $headers=null) - { - return new Auth_Yadis_HTTPResponse( - $url, 200, array("Content-Type" => ""), ''); - } -} - -class NoContentTypeFetcher { - function get($url, $headers=null) - { - return new Auth_Yadis_HTTPResponse($url, 200, array(), ''); - } -} - -class MockFetcher { - function MockFetcher() { - $this->count = 0; - } - - function get($uri, $headers = null, $body = null) - { - $this->count++; - if ($this->count == 1) { - $headers = array(strtolower('X-XRDS-Location') . ': http://unittest/404'); - return new Auth_Yadis_HTTPResponse($uri, 200, $headers, ''); - } else { - return new Auth_Yadis_HTTPResponse($uri, 404); - } - } -} - -class TestSecondGet extends PHPUnit_Framework_TestCase { - function test_404() - { - $uri = "http://something.unittest/"; - $response = null; - $fetcher = new MockFetcher(); - $this->assertTrue( - Auth_Yadis_Yadis::discover($uri, $response, $fetcher) === null); - } -} - -class _TestCase extends PHPUnit_Framework_TestCase { - var $base_url = 'http://invalid.unittest/'; - - function _TestCase($input_name, $id_name, $result_name, $success) - { - parent::__construct(); - $this->input_name = $input_name; - $this->id_name = $id_name; - $this->result_name = $result_name; - $this->success = $success; - $this->fetcher = new TestFetcher($this->base_url); - } - - function setUp() - { - list($this->input_url, $this->expected) = generateResult($this->base_url, - $this->input_name, - $this->id_name, - $this->result_name, - $this->success); - } - - function runTest() - { - if ($this->expected === null) { - $result = Auth_Yadis_Yadis::discover($this->input_url, - $this->fetcher); - $this->assertTrue($result->isFailure()); - } else { - $result = Auth_Yadis_Yadis::discover($this->input_url, - $this->fetcher); - - if ($result === null) { - $this->fail("Discovery result was null"); - return; - } - - $this->assertEquals($this->input_url, $result->request_uri); - - $msg = 'Identity URL mismatch: actual = %s, expected = %s'; - $msg = sprintf($msg, $result->normalized_uri, $this->expected->uri); - $this->assertEquals($this->expected->uri, $result->normalized_uri, $msg); - - $msg = 'Content mismatch: actual = %s, expected = %s'; - $msg = sprintf($msg, $result->response_text, $this->expected->body); - $this->assertEquals($this->expected->body, $result->response_text, $msg); - - $this->assertEquals($this->expected->xrds_uri, $result->xrds_uri); - $this->assertEquals($this->expected->content_type, $result->content_type); - } - } - - function getName() - { - if ($this->input_url) { - return $this->input_url; - } else { - return $this->input_name; - } - } -} - -class Tests_Auth_Yadis_Discover_Yadis extends PHPUnit_Framework_TestSuite { - - function getName() - { - return "Tests_Auth_Yadis_Discover_Yadis"; - } - - function Tests_Auth_Yadis_Discover_Yadis() - { - global $testlist; - - foreach ($testlist as $test) { - list($success, $input_name, $id_name, $result_name) = $test; - $this->addTest(new _TestCase($input_name, $id_name, $result_name, $success)); - } - } -} - -class Tests_Auth_Yadis_Discover_Yadis_ContentTypes extends PHPUnit_Framework_TestCase { - function test_is_xrds_yadis_location() - { - $result = new Auth_Yadis_DiscoveryResult('http://request.uri/'); - $result->normalized_uri = "http://normalized/"; - $result->xrds_uri = "http://normalized/xrds"; - - $this->assertTrue($result->isXRDS()); - } - - function test_is_xrds_content_type() - { - $result = new Auth_Yadis_DiscoveryResult('http://request.uri/'); - $result->normalized_uri = $result->xrds_uri = "http://normalized/"; - $result->content_type = Auth_Yadis_CONTENT_TYPE; - - $this->assertTrue($result->isXRDS()); - } - - function test_is_xrds_neither() - { - $result = new Auth_Yadis_DiscoveryResult('http://request.uri/'); - $result->normalized_uri = $result->xrds_uri = "http://normalized/"; - $result->content_type = "another/content-type"; - - $this->assertTrue(!$result->isXRDS()); - } - - function test_no_content_type() - { - $fetcher = new NoContentTypeFetcher(); - $result = Auth_Yadis_Yadis::discover("http://bogus", $fetcher); - $this->assertEquals(null, $result->content_type); - } - - function test_blank_content_type() - { - $fetcher = new BlankContentTypeFetcher(); - $result = Auth_Yadis_Yadis::discover("http://bogus", $fetcher); - $this->assertEquals("", $result->content_type); - } -} - -global $Tests_Auth_Yadis_Discover_Yadis_other; -$Tests_Auth_Yadis_Discover_Yadis_other = array( - new Tests_Auth_Yadis_Discover_Yadis_ContentTypes() - ); - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/ParseHTML.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/ParseHTML.php deleted file mode 100644 index e3977bc75..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/ParseHTML.php +++ /dev/null @@ -1,86 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -require_once 'Tests/Auth/Yadis/TestUtil.php'; -require_once 'Auth/Yadis/ParseHTML.php'; - -class Tests_Auth_Yadis_ParseTest extends PHPUnit_Framework_TestCase { - function Tests_Auth_Yadis_ParseTest($case) - { - list($result, $comment, $html) = $case; - - $this->result = $result; - $this->comment = $comment; - $this->html_string = $html; - $this->parser = new Auth_Yadis_ParseHTML(); - } - - function getName() - { - return $this->comment; - } - - function runTest() - { - $value = $this->parser->getHTTPEquiv($this->html_string); - - if ($this->result == "EOF") { - $this->assertTrue($value === null); - } else if ($this->result == "None") { - $this->assertTrue($value === null); - } else { - $this->assertEquals($this->result, $value); - } - } -} - -class Tests_Auth_Yadis_ParseHTML extends PHPUnit_Framework_TestSuite { - - function getName() - { - return "Tests_Auth_Yadis_Parse"; - } - - function parseTests($s) - { - $tests = array(); - - $cases = preg_split("/\f\n/", $s); - - foreach ($cases as $case) { - // Split the case text on newline, and keep the first two - // lines and re-join the rest (those are the HTML). - $parts = explode("\n", $case); - $result = $parts[0]; - $html_comment = $parts[1]; - $html_string = implode("\n", array_slice($parts, 2)); - $tests[] = array($result, $html_comment, $html_string); - } - - return $tests; - } - - function Tests_Auth_Yadis_ParseHTML() - { - $test_data = Tests_Auth_Yadis_readdata('test1-parsehtml.txt'); - - $test_cases = $this->parseTests($test_data); - - foreach ($test_cases as $case) { - $this->addTest(new Tests_Auth_Yadis_ParseTest($case)); - } - } -} - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/TestUtil.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/TestUtil.php deleted file mode 100644 index 6c2581251..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/TestUtil.php +++ /dev/null @@ -1,30 +0,0 @@ - 1, - 'pip.xrds' => 2 - ); - - foreach ($files as $filename => $service_count) { - $xml = Tests_Auth_Yadis_readdata($filename); - $xrds = Auth_Yadis_XRDS::parseXRDS($xml); - - $this->assertTrue($xrds !== null); - - if ($xrds) { - $this->assertEquals(count($xrds->services()), $service_count); - } else { - $this->fail("Could not test XRDS service list because the ". - "XRDS object is null"); - } - } - } - - function test_good_multi() - { - $xml = Tests_Auth_Yadis_readdata("brian.multi.xrds"); - $xrds = Auth_Yadis_XRDS::parseXRDS($xml); - $this->assertTrue($xrds !== null); - $this->assertEquals(count($xrds->services()), 1); - $s = $xrds->services(); - $s = $s[0]; - - $types = $s->getTypes(); - - $this->assertTrue(count($types) == 1); - $this->assertEquals('http://openid.net/signon/1.0', - $types[0]); - } - - function test_good_uri_multi() - { - $xml = Tests_Auth_Yadis_readdata("brian.multi_uri.xrds"); - $xrds = Auth_Yadis_XRDS::parseXRDS($xml); - $this->assertTrue($xrds !== null); - $this->assertEquals(1, count($xrds->services())); - } - - function test_uri_sorting() - { - $xml = Tests_Auth_Yadis_readdata("uri_priority.xrds"); - $xrds = Auth_Yadis_XRDS::parseXRDS($xml); - $services = $xrds->services(); - $uris = $services[0]->getURIs(); - - $expected_uris = array( - "http://zero.priority/", - "http://one.priority/", - "http://no.priority/" - ); - - $this->assertEquals($uris, $expected_uris); - } - - function test_bad() - { - $this->assertTrue(Auth_Yadis_XRDS::parseXRDS(null) === null); - $this->assertTrue(Auth_Yadis_XRDS::parseXRDS(5) === null); - $this->assertTrue(Auth_Yadis_XRDS::parseXRDS('') === null); - $this->assertTrue(Auth_Yadis_XRDS::parseXRDS('') === - null); - $this->assertTrue(Auth_Yadis_XRDS::parseXRDS("\x00") === null); - } - - function test_getCanonicalID() - { - $canonicalIDtests = array( - array("@ootao*test1", "delegated-20060809.xrds", - "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), - array("@ootao*test1", "delegated-20060809-r1.xrds", - "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), - array("@ootao*test1", "delegated-20060809-r2.xrds", - "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), - array("@ootao*test1", "sometimesprefix.xrds", - "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), - array("@ootao*test1", "prefixsometimes.xrds", - "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01"), - array("=keturn*isDrummond", "spoof1.xrds", null), - array("=keturn*isDrummond", "spoof2.xrds", null), - array("@keturn*is*drummond", "spoof3.xrds", null), - // Don't let IRI authorities be canonical for the GCS. - array("phreak.example.com", "delegated-20060809-r2.xrds", null) - // TODO: Refs - // ("@ootao*test.ref", "ref.xrds", "@!BAE.A650.823B.2475") - ); - - foreach ($canonicalIDtests as $tupl) { - list($iname, $filename, $expectedID) = $tupl; - - $xml = Tests_Auth_Yadis_readdata($filename); - $xrds = Auth_Yadis_XRDS::parseXRDS($xml); - $this->_getCanonicalID($iname, $xrds, $expectedID); - } - } - - function _getCanonicalID($iname, $xrds, $expectedID) - { - if ($expectedID === null) { - $result = Auth_Yadis_getCanonicalID($iname, $xrds); - if ($result !== false) { - $this->fail($iname.' (got '.$result.')'); - } - } else { - $cid = Auth_Yadis_getCanonicalID($iname, $xrds); - $this->assertEquals(Auth_Yadis_XRI($expectedID), $cid); - } - } - - function test_services_filters() - { - // First, just be sure that service objects do the right - // thing. - $xml = Tests_Auth_Yadis_readdata("brian_priority.xrds"); - $xrds = Auth_Yadis_XRDS::parseXRDS($xml, - array('openid' => - 'http://openid.net/xmlns/1.0')); - $this->assertTrue($xrds !== null); - - // Get list of service objects. - $services = $xrds->services(); - $this->assertEquals(count($services), 2, "first service count"); - - // Query the two service objecs. - $s1 = $services[0]; - $this->assertEquals($s1->getPriority(), 1, "first priority check"); - $types = $s1->getTypes(); - $this->assertEquals(count($types), 1, "first type check"); - - $s2 = $services[1]; - $this->assertEquals($s2->getPriority(), 2, "second priority check"); - $types = $s2->getTypes(); - $this->assertEquals(count($types), 1, "second type check"); - - function _DelegateFilter($service) - { - if ($service->getElements('openid:Delegate')) { - return true; - } - return false; - } - - // Make sure that a filter which matches both DOES match both. - $this->assertEquals(count( - $xrds->services(array("_DelegateFilter"))), 2, - "_DelegateFilter check"); - - // This filter should match all services in the document. - function _HasTypeAndURI($service) - { - if ($service->getTypes() && - $service->getURIs()) { - return true; - } - return false; - } - - // This filter should only match one. - function _URIMatchesSchtuff($service) - { - $uris = $service->getURIs(); - - foreach ($uris as $uri) { - if (preg_match("|schtuff|", $uri)) { - return true; - } - } - return false; - } - - // This filter should only match one. - function _URIMatchesMyOpenID($service) - { - $uris = $service->getURIs(); - - foreach ($uris as $uri) { - if (preg_match("|myopenid|", $uri)) { - return true; - } - } - return false; - } - - // Make sure a pair of filters in ALL mode only match one service. - $this->assertEquals(count( - $xrds->services(array("_HasTypeAndURI", - "_URIMatchesSchtuff"), - SERVICES_YADIS_MATCH_ALL)), 1, - "_HasTypeAndURI / _URIMatchesSchtuff check"); - - // Make sure a pair of filters in ALL mode only match one service. - $this->assertEquals(count( - $xrds->services(array("_HasTypeAndURI", - "_URIMatchesMyOpenID"), - SERVICES_YADIS_MATCH_ALL)), 1, - "_HasTypeAndURI / _URIMatchesMyOpenID check"); - - // Make sure a pair of filters in ANY mode matches both services. - $this->assertEquals(count( - $xrds->services(array("_URIMatchesMyOpenID", - "_URIMatchesSchtuff"))), 2, - "_URIMatchesMyOpenID / _URIMatchesSchtuff check"); - - // Make sure the order of the services returned (when using - // filters) is correct. - $s = $xrds->services(array("_URIMatchesMyOpenID", - "_URIMatchesSchtuff")); - - $this->assertTrue($s[0]->getPriority() === 1, "s[0] priority check"); - $this->assertTrue($s[1]->getPriority() === 2, "s[1] priority check"); - - // Make sure a bad filter mode gets us a null service list. - $this->assertTrue($xrds->services(array("_URIMatchesMyOpenID", - "_URIMatchesSchtuff"), - "bogus") === null, - "bogus filter check"); - } - - function test_multisegment_xri() - { - $xml = Tests_Auth_Yadis_readdata('subsegments.xrds'); - $xmldoc = Auth_Yadis_XRDS::parseXRDS($xml); - $result = Auth_Yadis_getCanonicalId('xri://=nishitani*masaki', $xmldoc); - $this->assertEquals($result, "xri://=!E117.EF2F.454B.C707!0000.0000.3B9A.CA01"); - } -} - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/XRI.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/XRI.php deleted file mode 100644 index 403b1e32b..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/XRI.php +++ /dev/null @@ -1,142 +0,0 @@ - - * @copyright 2005-2008 Janrain, Inc. - * @license http://www.apache.org/licenses/LICENSE-2.0 Apache - */ - -require_once "Auth/Yadis/XRIRes.php"; -require_once "Auth/Yadis/XRI.php"; -require_once "Auth/Yadis/Yadis.php"; - -class Tests_Auth_Yadis_XriDiscoveryTestCase extends PHPUnit_Framework_TestCase { - function runTest() - { - $this->assertEquals( - Auth_Yadis_identifierScheme('=john.smith'), 'XRI'); - - $this->assertEquals( - Auth_Yadis_identifierScheme(''), 'URI'); - - $this->assertEquals( - Auth_Yadis_identifierScheme('@smiths/john'), 'XRI'); - - $this->assertEquals( - Auth_Yadis_identifierScheme('smoker.myopenid.com'), 'URI'); - - $this->assertEquals( - Auth_Yadis_identifierScheme('xri://=john'), 'XRI'); - } -} - -class Tests_Auth_Yadis_XriEscapingTestCase extends PHPUnit_Framework_TestCase { - function test_escaping_percents() - { - $this->assertEquals(Auth_Yadis_escapeForIRI('@example/abc%2Fd/ef'), - '@example/abc%252Fd/ef'); - } - - function runTest() - { - // no escapes - $this->assertEquals('@example/foo/(@bar)', - Auth_Yadis_escapeForIRI('@example/foo/(@bar)')); - - // escape slashes - $this->assertEquals('@example/foo/(@bar%2Fbaz)', - Auth_Yadis_escapeForIRI('@example/foo/(@bar/baz)')); - - $this->assertEquals('@example/foo/(@bar%2Fbaz)/(+a%2Fb)', - Auth_Yadis_escapeForIRI('@example/foo/(@bar/baz)/(+a/b)')); - - // escape query ? and fragment - $this->assertEquals('@example/foo/(@baz%3Fp=q%23r)?i=j#k', - Auth_Yadis_escapeForIRI('@example/foo/(@baz?p=q#r)?i=j#k')); - } -} - -class Tests_Auth_Yadis_ProxyQueryTestCase extends PHPUnit_Framework_TestCase { - function setUp() - { - $this->proxy_url = 'http://xri.example.com/'; - $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); - $this->proxy = new Auth_Yadis_ProxyResolver($this->fetcher, - $this->proxy_url); - $this->servicetype = 'xri://+i-service*(+forwarding)*($v*1.0)'; - $this->servicetype_enc = 'xri%3A%2F%2F%2Bi-service%2A%28%2Bforwarding%29%2A%28%24v%2A1.0%29'; - } - - function runTest() - { - $st = $this->servicetype; - $ste = $this->servicetype_enc; - $args_esc = "_xrd_r=application%2Fxrds%2Bxml&_xrd_t=" . $ste; - $h = $this->proxy_url; - $this->assertEquals($h . '=foo?' . $args_esc, - $this->proxy->queryURL('=foo', $st)); - $this->assertEquals($h . '=foo/bar?baz&' . $args_esc, - $this->proxy->queryURL('=foo/bar?baz', $st)); - $this->assertEquals($h . '=foo/bar?baz=quux&' . $args_esc, - $this->proxy->queryURL('=foo/bar?baz=quux', $st)); - $this->assertEquals($h . '=foo/bar?mi=fa&so=la&' . $args_esc, - $this->proxy->queryURL('=foo/bar?mi=fa&so=la', $st)); - - $args_esc = "_xrd_r=application%2Fxrds%2Bxml&_xrd_t=" . $ste; - $h = $this->proxy_url; - $this->assertEquals($h . '=foo/bar??' . $args_esc, - $this->proxy->queryURL('=foo/bar?', $st)); - $this->assertEquals($h . '=foo/bar????' . $args_esc, - $this->proxy->queryURL('=foo/bar???', $st)); - } -} - -class Tests_Auth_Yadis_TestGetRootAuthority extends PHPUnit_Framework_TestCase { - function runTest() - { - $xris = array( - array("@foo", "@"), - array("@foo*bar", "@"), - array("@*foo*bar", "@"), - array("@foo/bar", "@"), - array("!!990!991", "!"), - array("!1001!02", "!"), - array("=foo*bar", "="), - array("(example.com)/foo", "(example.com)"), - array("(example.com)*bar/foo", "(example.com)"), - array("baz.example.com/foo", "baz.example.com"), - array("baz.example.com:8080/foo", "baz.example.com:8080") - // Looking at the ABNF in XRI Syntax 2.0, I don't think you can - // have example.com*bar. You can do (example.com)*bar, but that - // would mean something else. - // ("example.com*bar/(=baz)", "example.com*bar"), - // ("baz.example.com!01/foo", "baz.example.com!01"), - ); - - foreach ($xris as $tupl) { - list($thexri, $expected_root) = $tupl; - $this->assertEquals(Auth_Yadis_XRI($expected_root), - Auth_Yadis_rootAuthority($thexri), - 'rootAuthority test ('.$thexri.')'); - } - } -} - -class Tests_Auth_Yadis_XRI extends PHPUnit_Framework_TestSuite { - function getName() - { - return "Tests_Auth_Yadis_XRI"; - } - - function Tests_Auth_Yadis_XRI() - { - $this->addTest(new Tests_Auth_Yadis_ProxyQueryTestCase()); - $this->addTest(new Tests_Auth_Yadis_XriEscapingTestCase()); - $this->addTest(new Tests_Auth_Yadis_XriDiscoveryTestCase()); - $this->addTest(new Tests_Auth_Yadis_TestGetRootAuthority()); - } -} - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/Yadis.php b/models/openid-php-openid-782224d/Tests/Auth/Yadis/Yadis.php deleted file mode 100644 index 5672a1565..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/Yadis.php +++ /dev/null @@ -1,88 +0,0 @@ -input_url = $input_url; - $this->redir_uri = $redir_uri; - $this->xrds_uri = $xrds_uri; - $this->num = $num; - } - - function getName() - { - return "Yadis discovery test ".$this->num; - } - - function runTest() - { - $fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); - $y = Auth_Yadis_Yadis::discover( - $this->input_url, $fetcher); - $this->assertTrue($y !== null); - - // Compare parts of returned Yadis object to expected URLs. - $this->assertEquals($this->redir_uri, $y->normalized_uri, "tried $this->input_url"); - - if ($this->xrds_uri) { - $this->assertEquals($this->xrds_uri, $y->xrds_uri); - // Compare contents of actual HTTP GET with that of Yadis - // response. - $f = Auth_Yadis_Yadis::getHTTPFetcher(); - $http_response = $f->get($this->xrds_uri); - - $this->assertEquals($http_response->body, $y->response_text); - } else { - $this->assertTrue($y->xrds_uri === null); - } - } -} - -class Tests_Auth_Yadis_Yadis extends PHPUnit_Framework_TestSuite { - - function getName() - { - return "Tests_Auth_Yadis_Yadis"; - } - - function parseTests($data) - { - $cases = explode("\n", $data); - $tests = array(); - - foreach ($cases as $line) { - if ($line && ($line[0] != "#")) { - $tests[] = explode("\t", $line, 3); - } - } - - return $tests; - } - - function Tests_Auth_Yadis_Yadis() - { - $test_data = file_get_contents('http://www.openidenabled.com/resources/yadis-test/discover/manifest.txt'); - - $test_cases = $this->parseTests($test_data); - - $i = 0; - foreach ($test_cases as $case) { - $i++; - list($input, $redir, $xrds) = $case; - $this->addTest(new Tests_Auth_Yadis_DiscoveryTest($input, - $redir, - $xrds, $i)); - } - } - -} - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/README b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/README deleted file mode 100644 index 3739cf1c7..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/README +++ /dev/null @@ -1,12 +0,0 @@ -delegated-20060809.xrds - results from proxy.xri.net, determined by - Drummond and Kevin to be incorrect. -delegated-20060809-r1.xrds - Drummond's 1st correction -delegated-20060809-r2.xrds - Drummond's 2nd correction - -spoofs: keturn's (=!E4)'s attempts to log in with Drummond's i-number (=!D2) -spoof1.xrds -spoof2.xrds -spoof3.xrds - attempt to steal @!C0!D2 by having "at least one" CanonicalID - match the $res service ProviderID. - -ref.xrds - resolving @ootao*test.ref, which refers to a neustar XRI. diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/accept.txt b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/accept.txt deleted file mode 100644 index 0853321a8..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/accept.txt +++ /dev/null @@ -1,118 +0,0 @@ -# Accept: [Accept: header value from RFC2616, -# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html] -# Available: [whitespace-separated content types] -# Expected: [Accept-header like list, containing the available content -# types with their q-values] - -Accept: */* -Available: text/plain -Expected: text/plain; q=1.0 - -Accept: */* -Available: text/plain, text/html -Expected: text/plain; q=1.0, text/html; q=1.0 - -# The order matters -Accept: */* -Available: text/html, text/plain -Expected: text/html; q=1.0, text/plain; q=1.0 - -Accept: text/*, */*; q=0.9 -Available: text/plain, image/jpeg -Expected: text/plain; q=1.0, image/jpeg; q=0.9 - -Accept: text/*, */*; q=0.9 -Available: image/jpeg, text/plain -Expected: text/plain; q=1.0, image/jpeg; q=0.9 - -# wildcard subtypes still reject differing main types -Accept: text/* -Available: image/jpeg, text/plain -Expected: text/plain; q=1.0 - -Accept: text/html -Available: text/html -Expected: text/html; q=1.0 - -Accept: text/html, text/* -Available: text/html -Expected: text/html; q=1.0 - -Accept: text/html, text/* -Available: text/plain, text/html -Expected: text/plain; q=1.0, text/html; q=1.0 - -Accept: text/html, text/*; q=0.9 -Available: text/plain, text/html -Expected: text/html; q=1.0, text/plain; q=0.9 - -# If a more specific type has a higher q-value, then the higher value wins -Accept: text/*; q=0.9, text/html -Available: text/plain, text/html -Expected: text/html; q=1.0, text/plain; q=0.9 - -Accept: */*, text/*; q=0.9, text/html; q=0.1 -Available: text/plain, text/html, image/monkeys -Expected: image/monkeys; q=1.0, text/plain; q=0.9, text/html; q=0.1 - -Accept: text/*, text/html; q=0 -Available: text/html -Expected: - -Accept: text/*, text/html; q=0 -Available: text/html, text/plain -Expected: text/plain; q=1.0 - -Accept: text/html -Available: text/plain -Expected: - -Accept: application/xrds+xml, text/html; q=0.9 -Available: application/xrds+xml, text/html -Expected: application/xrds+xml; q=1.0, text/html; q=0.9 - -Accept: application/xrds+xml, */*; q=0.9 -Available: application/xrds+xml, text/html -Expected: application/xrds+xml; q=1.0, text/html; q=0.9 - -Accept: application/xrds+xml, application/xhtml+xml; q=0.9, text/html; q=0.8, text/xml; q=0.7 -Available: application/xrds+xml, text/html -Expected: application/xrds+xml; q=1.0, text/html; q=0.8 - -# See http://www.rfc-editor.org/rfc/rfc3023.txt, section A.13 -Accept: application/xrds -Available: application/xrds+xml -Expected: - -Accept: application/xrds+xml -Available: application/xrds -Expected: - -Accept: application/xml -Available: application/xrds+xml -Expected: - -Available: application/xrds+xml -Accept: application/xml -Expected: - - - -################################################# -# The tests below this line are documentation of how this library -# works. If the implementation changes, it's acceptable to change the -# test to reflect that. These are specified so that we can make sure -# that the current implementation actually works the way that we -# expect it to given these inputs. - -Accept: text/html;level=1 -Available: text/html -Expected: text/html; q=1.0 - -Accept: text/html; level=1, text/html; level=9; q=0.1 -Available: text/html -Expected: text/html; q=1.0 - -Accept: text/html; level=9; q=0.1, text/html; level=1 -Available: text/html -Expected: text/html; q=1.0 diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi.xrds deleted file mode 100644 index 1bc95dea9..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi.xrds +++ /dev/null @@ -1,38 +0,0 @@ - - - - - - http://openid.net/signon/1.1 - http://www.myopenid.com/server - http://frank.myopenid.com/ - - - - - - - http://bar.com/ - http://bar.com/server - - - - http://foo.com - http://foo.com/server - - - - - - - http://openid.net/signon/1.0 - http://www.myopenid.com/server - http://brian.myopenid.com/ - - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi_uri.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi_uri.xrds deleted file mode 100644 index fce5ef72f..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.multi_uri.xrds +++ /dev/null @@ -1,16 +0,0 @@ - - - - - - http://openid.net/signon/1.0 - http://www.myopenid.com/server - http://example.com/server - - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.xrds deleted file mode 100644 index c7539fe1b..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian.xrds +++ /dev/null @@ -1,16 +0,0 @@ - - - - - - http://openid.net/signon/1.0 - http://www.myopenid.com/server - http://brian.myopenid.com/ - - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian_priority.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian_priority.xrds deleted file mode 100644 index 273077dfa..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/brian_priority.xrds +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - http://openid.net/signon/1.0 - http://www.schtuff.com/?action=openid_server - http://users.schtuff.com/brian - - - - http://openid.net/signon/1.0 - http://www.myopenid.com/server - http://brian.myopenid.com/ - - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r1.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r1.xrds deleted file mode 100644 index f994b140e..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r1.xrds +++ /dev/null @@ -1,34 +0,0 @@ - - - - *ootao - - 2006-08-09T22:07:13.000Z - xri://@ - !5BAD.2AA.3C72.AF46 - @!5BAD.2AA.3C72.AF46 - - xri://$res*auth*($v*2.0) - xri://!!1003 - application/xrds+xml;trust=none - http://resolve.ezibroker.net/resolve/@ootao/ - - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - - *test1 - SUCCESS - xri://!!1003 - !0000.0000.3B9A.CA01 - @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r2.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r2.xrds deleted file mode 100644 index 68c08dc44..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809-r2.xrds +++ /dev/null @@ -1,34 +0,0 @@ - - - - *ootao - - 2006-08-09T22:07:13.000Z - xri://@ - !5BAD.2AA.3C72.AF46 - @!5BAD.2AA.3C72.AF46 - - xri://$res*auth*($v*2.0) - xri://@!5BAD.2AA.3C72.AF46 - application/xrds+xml;trust=none - http://resolve.ezibroker.net/resolve/@ootao/ - - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - - *test1 - SUCCESS - xri://@!5BAD.2AA.3C72.AF46 - !0000.0000.3B9A.CA01 - @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809.xrds deleted file mode 100644 index 073ee6889..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/delegated-20060809.xrds +++ /dev/null @@ -1,34 +0,0 @@ - - - - *ootao - - 2006-08-09T22:07:13.000Z - xri://@ - !5BAD.2AA.3C72.AF46 - @!5BAD.2AA.3C72.AF46 - - xri://$res*auth*($v*2.0) - - application/xrds+xml;trust=none - http://resolve.ezibroker.net/resolve/@ootao/ - - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - - *test1 - SUCCESS - xri://!!1003 - !0000.0000.3B9A.CA01 - @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/example-xrds.xml b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/example-xrds.xml deleted file mode 100644 index 101ba3bd5..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/example-xrds.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - http://example.com/ - http://www.openidenabled.com/ - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/no-xrd.xml b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/no-xrd.xml deleted file mode 100644 index ca66f7359..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/no-xrd.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/not-xrds.xml b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/not-xrds.xml deleted file mode 100644 index 7f5bfd511..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/not-xrds.xml +++ /dev/null @@ -1,2 +0,0 @@ - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/pip.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/pip.xrds deleted file mode 100644 index ca271ab19..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/pip.xrds +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - http://openid.net/signon/1.1 - http://openid.net/sreg/1.0 - https://pip.verisignlabs.com/server - - - - http://openid.net/signon/1.0 - http://openid.net/sreg/1.0 - https://pip.verisignlabs.com/server - - - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/prefixsometimes.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/prefixsometimes.xrds deleted file mode 100644 index 5522a6e5e..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/prefixsometimes.xrds +++ /dev/null @@ -1,34 +0,0 @@ - - - - *ootao - - 2006-08-09T22:07:13.000Z - xri://@ - !5BAD.2AA.3C72.AF46 - @!5BAD.2AA.3C72.AF46 - - xri://$res*auth*($v*2.0) - xri://@!5BAD.2AA.3C72.AF46 - application/xrds+xml;trust=none - http://resolve.ezibroker.net/resolve/@ootao/ - - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - - *test1 - SUCCESS - xri://@!5BAD.2AA.3C72.AF46 - !0000.0000.3B9A.CA01 - xri://@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/ref.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/ref.xrds deleted file mode 100644 index 69cf683db..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/ref.xrds +++ /dev/null @@ -1,109 +0,0 @@ - - - - *ootao - - 2006-08-15T18:56:09.000Z - xri://@ - !5BAD.2AA.3C72.AF46 - @!5BAD.2AA.3C72.AF46 - - xri://$res*auth*($v*2.0) - - application/xrds+xml;trust=none - http://resolve.ezibroker.net/resolve/@ootao/ - - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - - *test.ref - SUCCESS - xri://!!1003 - !0000.0000.3B9A.CA03 - @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA03 - @!BAE.A650.823B.2475 - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - - - !BAE.A650.823B.2475 - - 2006-08-15T18:56:10.000Z - xri://@ - !BAE.A650.823B.2475 - @!BAE.A650.823B.2475 - - (+wdnc) - - (+wdnc) - http://www.tcpacompliance.us - - - xri://$res*auth*($v*2.0) - - application/xrds+xml;trust=none - http://dev.dready.org/cgi-bin/xri - - - (+i-name) - - (+i-name) - http://www.inames.net - - - xri://+i-service*(+contact)*($v*1.0) - - xri://!!1001 - (+contact) - - text/html - - http://www.neustar.biz - - - - - !BAE.A650.823B.2475 - - 2006-08-15T18:56:10.000Z - xri://@ - !BAE.A650.823B.2475 - @!BAE.A650.823B.2475 - - (+wdnc) - - (+wdnc) - http://www.tcpacompliance.us - - - xri://$res*auth*($v*2.0) - - application/xrds+xml;trust=none - http://dev.dready.org/cgi-bin/xri - - - (+i-name) - - (+i-name) - http://www.inames.net - - - xri://+i-service*(+contact)*($v*1.0) - - xri://!!1001 - (+contact) - - text/html - - http://www.neustar.biz - - - \ No newline at end of file diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/sometimesprefix.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/sometimesprefix.xrds deleted file mode 100644 index eff755543..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/sometimesprefix.xrds +++ /dev/null @@ -1,34 +0,0 @@ - - - - *ootao - - 2006-08-09T22:07:13.000Z - xri://@ - !5BAD.2AA.3C72.AF46 - xri://@!5BAD.2AA.3C72.AF46 - - xri://$res*auth*($v*2.0) - xri://@!5BAD.2AA.3C72.AF46 - application/xrds+xml;trust=none - http://resolve.ezibroker.net/resolve/@ootao/ - - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - - *test1 - SUCCESS - xri://@!5BAD.2AA.3C72.AF46 - !0000.0000.3B9A.CA01 - @!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01 - - http://openid.net/signon/1.0 - - https://linksafe.ezibroker.net/server/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof1.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof1.xrds deleted file mode 100644 index 8e870c815..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof1.xrds +++ /dev/null @@ -1,25 +0,0 @@ - - - - *keturn - xri://= - !E4 - =!E4 - - - xri://$res*auth*($v*2.0) - http://keturn.example.com/resolve/ - =!E4 - - - - *isDrummond - =!E4 - !D2 - =!D2 - - http://openid.net/signon/1.0 - http://keturn.example.com/openid - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof2.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof2.xrds deleted file mode 100644 index 7547561e1..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof2.xrds +++ /dev/null @@ -1,25 +0,0 @@ - - - - *keturn - xri://= - !E4 - =!E4 - - - xri://$res*auth*($v*2.0) - http://keturn.example.com/resolve/ - xri://= - - - - *isDrummond - xri://= - !D2 - =!D2 - - http://openid.net/signon/1.0 - http://keturn.example.com/openid - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof3.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof3.xrds deleted file mode 100644 index f4c43c9b4..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/spoof3.xrds +++ /dev/null @@ -1,37 +0,0 @@ - - - - *keturn - xri://@ - @E4 - @!E4 - - - xri://$res*auth*($v*2.0) - http://keturn.example.com/resolve/ - @!E4 - - - - *is - @!E4 - !D2 - =!C0 - =!E4!01 - - xri://$res*auth*($v*2.0) - http://keturn.example.com/resolve/ - @!C0 - - - - *drummond - @!C0 - !D2 - @!C0!D2 - - http://openid.net/signon/1.0 - http://keturn.example.com/openid - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/subsegments.xrds b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/subsegments.xrds deleted file mode 100644 index 11d2e9122..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/subsegments.xrds +++ /dev/null @@ -1,58 +0,0 @@ - - - - *nishitani - - 2007-12-25T11:33:39.000Z - xri://= - !E117.EF2F.454B.C707 - =!E117.EF2F.454B.C707 - - http://openid.net/signon/1.0 - xri://!!1003!103 - https://linksafe.ezibroker.net/server/ - - - xri://$res*auth*($v*2.0) - xri://!!1003!103 - application/xrds+xml;trust=none - http://resolve.ezibroker.net/resolve/=nishitani/ - - - xri://+i-service*(+forwarding)*($v*1.0) - - xri://!!1003!103 - (+index) - - http://linksafe-forward.ezibroker.net/forwarding/ - - - - *masaki - SUCCESS - xri://!!1003 - !0000.0000.3B9A.CA01 - =!E117.EF2F.454B.C707!0000.0000.3B9A.CA01 - - http://openid.net/signon/1.0 - xri://!!1003!103 - https://linksafe.ezibroker.net/server/ - - - xri://+i-service*(+contact)*($v*1.0) - - xri://!!1003!103 - (+contact) - - http://linksafe-contact.ezibroker.net/contact/ - - - xri://+i-service*(+forwarding)*($v*1.0) - - xri://!!1003!103 - (+index) - - http://linksafe-forward.ezibroker.net/forwarding/ - - - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-discover.txt b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-discover.txt deleted file mode 100644 index 7ec9b8788..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-discover.txt +++ /dev/null @@ -1,137 +0,0 @@ -equiv -Status: 200 OK -Content-Type: text/html - - - - -Joe Schmoe's Homepage - - -

Joe Schmoe's Homepage

-

Blah blah blah blah blah blah blah

- - - -header -Status: 200 OK -Content-Type: text/html -YADIS_HEADER: URL_BASE/xrds - - - -Joe Schmoe's Homepage - - -

Joe Schmoe's Homepage

-

Blah blah blah blah blah blah blah

- - -xrds -Status: 200 OK -Content-Type: application/xrds+xml - - - -xrds_ctparam -Status: 200 OK -Content-Type: application/xrds+xml; charset=UTF8 - - - -xrds_ctcase -Status: 200 OK -Content-Type: appliCATION/XRDS+xml - - - -xrds_html -Status: 200 OK -Content-Type: text/html - - - -redir_equiv -Status: 302 Found -Content-Type: text/plain -Location: URL_BASE/equiv - -You are presently being redirected. - -redir_header -Status: 302 Found -Content-Type: text/plain -Location: URL_BASE/header - -You are presently being redirected. - -redir_xrds -Status: 302 Found -Content-Type: application/xrds+xml -Location: URL_BASE/xrds - - - -redir_xrds_html -Status: 302 Found -Content-Type: text/plain -Location: URL_BASE/xrds_html - -You are presently being redirected. - -redir_redir_equiv -Status: 302 Found -Content-Type: text/plain -Location: URL_BASE/redir_equiv - -You are presently being redirected. - -lowercase_header -Status: 200 OK -Content-Type: text/html -x-xrds-location: URL_BASE/xrds - - - -Joe Schmoe's Homepage - - -

Joe Schmoe's Homepage

-

Blah blah blah blah blah blah blah

- - -404_server_response -Status: 404 Not Found - -EEk! - -500_server_response -Status: 500 Server error - -EEk! - -201_server_response -Status: 201 Created - -EEk! - -404_with_header -Status: 404 Not Found -YADIS_HEADER: URL_BASE/xrds - -EEk! - -404_with_meta -Status: 404 Not Found -Content-Type: text/html - - - - -Joe Schmoe's Homepage - - -

Joe Schmoe's Homepage

-

Blah blah blah blah blah blah blah

- - diff --git a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-parsehtml.txt b/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-parsehtml.txt deleted file mode 100644 index 752ad091d..000000000 --- a/models/openid-php-openid-782224d/Tests/Auth/Yadis/data/test1-parsehtml.txt +++ /dev/null @@ -1,149 +0,0 @@ -found - - - -found - - - -found - - - -found - - - -found - - - -found - - - -found - - - -found - - - -EOF - - -
-OpenID - -
-
-
- - - - - - - - -

-

-
- -
-
-
-
-
-
-
- -
diff --git a/views/default/openid_client/forms/missing.php b/views/default/openid_client/forms/missing.php deleted file mode 100644 index 7810f3c57..000000000 --- a/views/default/openid_client/forms/missing.php +++ /dev/null @@ -1,73 +0,0 @@ - - * @copyright Curverider Ltd 2008-2009 - * @link http://elgg.com/ - * - * @uses the following values in $vars: - * - * 'openid_url' the OpenID - * 'email' the user's email (if known) - * 'fullname' the user's full name (if known) - * 'email_confirmation' whether the email address needs to be confirmed - * 'code' a magic code that associates this data with a real user - */ - -$emailLabel = elgg_echo('openid_client:email_label'); -$nameLabel = elgg_echo('openid_client:name_label'); -$submitLabel = elgg_echo('openid_client:submit_label'); -$cancelLabel = elgg_echo('openid_client:cancel_label'); - -$missing_email = elgg_echo('openid_client:missing_email'); -$missing_name = elgg_echo('openid_client:missing_name'); -$and = elgg_echo('openid_client:and'); -$email_form = "
$emailLabel
'; -$name_form = "
$nameLabel
'; -$email_hidden = ''."\n"; -$name_hidden = ''."\n"; - -if (!$vars['email'] && !$$vars['fullname']) { - $missing_fields = $missing_email.' '.$and.' '.$missing_name; - $visible_fields = $email_form.'
'.$name_form; - $hidden_fields = ''; -} elseif (!$vars['email']) { - $missing_fields = $missing_email; - $visible_fields = $email_form; - $hidden_fields = $name_hidden; -} elseif (!$vars['fullname']) { - $missing_fields = $missing_name; - $visible_fields = $name_form; - $hidden_fields = $email_hidden; -} - -$hidden_fields .= ''."\n"; - -$instructions = sprintf(elgg_echo('openid_client:missing_info_instructions'),$missing_fields); - -$action = $CONFIG->wwwroot.'action/openid_client/missing'; -$security_token = elgg_view('input/securitytoken'); - -$body .= <<< END - $instructions -
- $security_token -

- $visible_fields -

-

- $hidden_fields - - -

-
- -END; - -echo elgg_view('page_elements/contentwrapper',array('body'=>$body)); - -?> \ No newline at end of file diff --git a/views/default/openid_client/forms/sync.php b/views/default/openid_client/forms/sync.php deleted file mode 100644 index 6d921b278..000000000 --- a/views/default/openid_client/forms/sync.php +++ /dev/null @@ -1,86 +0,0 @@ - - * @copyright Curverider Ltd 2008-2009 - * @link http://elgg.com/ - * - * @uses the following values in $vars: - * - * 'userid' the user's GUID - * 'new_email' the user's new email - * 'new_name' the user's new full name - * 'email_confirmation' whether the email address needs to be confirmed - */ - -$emailLabel = elgg_echo('openid_client:email_label'); -$nameLabel = elgg_echo('openid_client:name_label'); -$submitLabel = elgg_echo('openid_client:submit_label'); -$cancelLabel = elgg_echo('openid_client:cancel_label'); -$noSyncLabel = elgg_echo('openid_client:nosync_label'); -$instructions = elgg_echo('openid_client:sync_instructions'); - -$new_email = $vars['new_email']; -$new_name = $vars['new_name']; -$email_confirmation = $vars['email_confirmation']; - -$user = get_user($vars['userid']); - -$old_email = $user->email; -$old_name = $user->name; -$openid_url = $user->alias; - -if ($new_email && $new_email != $old_email) { - $change_fields .= '
$old_email => $new_email
\n"; - if (!$email_confirmation) { - // the email address is from a green server, so we can change the email without a confirmation message - // add an invitation code however to prevent this form from being forged - // the user ident and new email address can then securely be stored in the database invitation table - // rather than the form - $details = openid_client_create_invitation('c',$openid_url,$vars['userid'],$new_email,$new_name); - $form_stuff = ''; - } else { - // the email will be confirmed anyway so it is safe to put it in the form - $form_stuff .= <<< END - -END; - } - -} -if ($new_name && $new_name != $old_name) { - $change_fields .= '
$old_name => $new_name
\n"; -} - -$action = $CONFIG->wwwroot.'action/openid_client/sync'; -$security_token = elgg_view('input/securitytoken'); - -$body .= <<< END - $instructions -
- $security_token -

- $change_fields -

-

- -

- $form_stuff - - - -

-
- -END; - -echo elgg_view('page_elements/contentwrapper',array('body'=>$body)); - -?> \ No newline at end of file diff --git a/views/default/openid_client/login.php b/views/default/openid_client/login.php index f89b790c0..2b476ec8e 100644 --- a/views/default/openid_client/login.php +++ b/views/default/openid_client/login.php @@ -1,6 +1,6 @@ Date: Sat, 17 Dec 2011 15:02:00 -0500 Subject: added a possible UI for logging in --- graphics/openid_providers.png | Bin 0 -> 12400 bytes languages/en.php | 9 ++++++ start.php | 42 +++++++++++++++++++++++++++- views/default/openid_client/css.php | 50 +++++++++++++++++++++++++++++++++- views/default/openid_client/login.php | 10 ++++--- 5 files changed, 105 insertions(+), 6 deletions(-) create mode 100644 graphics/openid_providers.png diff --git a/graphics/openid_providers.png b/graphics/openid_providers.png new file mode 100644 index 000000000..179e6d191 Binary files /dev/null and b/graphics/openid_providers.png differ diff --git a/languages/en.php b/languages/en.php index a5a5589ad..df20c95f9 100644 --- a/languages/en.php +++ b/languages/en.php @@ -4,6 +4,15 @@ */ $english = array( + + 'openid_client:login:header' => 'Log in with', + 'openid_client:or:header' => 'or', + 'openid_client:login:instructs' => 'Login in with %s', + 'openid_client:server:google' => 'Google', + 'openid_client:server:yahoo' => 'Yahoo', + 'openid_client:server:blogger' => 'Blogger', + 'openid_client:server:wordpress' => 'Wordpress', + 'openid_client:success:register' => 'Your account has been created.', 'openid_client:error:bad_register' => 'Unable to create an account. Please contact a site administrator.', ); diff --git a/start.php b/start.php index 34f3e136f..bd80dde48 100644 --- a/start.php +++ b/start.php @@ -12,7 +12,10 @@ elgg_register_event_handler('init', 'system', 'openid_client_init'); * OpenID client initialization */ function openid_client_init() { + elgg_extend_view('css/elgg', 'openid_client/css'); + elgg_extend_view('core/account/login_box', 'openid_client/login'); + elgg_register_plugin_hook_handler('register', 'menu:openid_login', 'openid_client_setup_menu'); $base = elgg_get_plugins_path() . 'openid_client/actions/openid_client'; elgg_register_action('openid_client/login', "$base/login.php", 'public'); @@ -23,7 +26,7 @@ function openid_client_init() { elgg_register_event_handler('create', 'user', 'openid_client_set_subtype', 1); - elgg_register_page_handler('openid_client', 'openid_client_page_handler'); + //elgg_register_page_handler('openid_client', 'openid_client_page_handler'); } /** @@ -42,6 +45,43 @@ function openid_client_set_subtype($event, $type, $user) { update_data($query); } +/** + * Register login options + * + * @param string $hook + * @param string $type + * @param array $menu + * @param array $params + * @return array + */ +function openid_client_setup_menu($hook, $type, $menu, $params) { + + $items = array( + 'large' => array('google', 'yahoo'), + 'small' => array('blogger', 'wordpress'), + ); + $items = elgg_trigger_plugin_hook('register', 'openid_login', null, $items); + + $priority = 100; + foreach ($items as $type => $servers) { + foreach ($servers as $server) { + $server_name = elgg_echo("openid_client:server:$server"); + $menu[] = ElggMenuItem::factory(array( + 'name' => $server, + 'text' => '', + 'title' => elgg_echo('openid_client:login:instructs', array($server_name)), + 'href' => "action/openid_client/login?server=$server", + 'is_action' => true, + 'section' => $type, + 'priority' => $priority, + )); + $priority += 10; + } + } + + return $menu; +} + /** * OpenID client page handler * diff --git a/views/default/openid_client/css.php b/views/default/openid_client/css.php index ff81520da..900de7e6e 100644 --- a/views/default/openid_client/css.php +++ b/views/default/openid_client/css.php @@ -2,5 +2,53 @@ /** * OpenID client CSS */ - + +$site_url = elgg_get_site_url(); + ?> + +.openid-client-login-or { + margin-top: 5px; + text-align: center; + color: #333; +} + +.elgg-menu-openid-login { + text-align: center; +} + +.elgg-menu-openid-login > li { + margin: 3px; +} + +.elgg-menu-openid-login span { + display: block; + background: url("mod/openid_client/graphics/openid_providers.png") no-repeat left; + border: 1px solid #ccc; +} + +.elgg-menu-openid-login-large span { + height: 32px; + width: 92px; +} + +.elgg-menu-openid-login-small span { + height: 20px; + width: 20px; +} + +.elgg-menu-item-google span { + background-position: -5px -14px; +} + +.elgg-menu-openid-login-large > .elgg-menu-item-yahoo span { + background-position: -105px -14px; +} + +.elgg-menu-item-blogger span { + background-position: -170px -62px; +} + +.elgg-menu-item-wordpress span { + background-position: -146px -62px; +} diff --git a/views/default/openid_client/login.php b/views/default/openid_client/login.php index 2b476ec8e..7e71b8bab 100644 --- a/views/default/openid_client/login.php +++ b/views/default/openid_client/login.php @@ -3,8 +3,10 @@ * OpenID client login choices */ -echo elgg_view('output/url', array( - 'text' => 'login with Google', - 'href' => 'action/openid_client/login', - 'is_action' => true, +echo ''; +echo '

' . elgg_echo('openid_client:login:header') . '

'; + +echo elgg_view_menu('openid_login', array( + 'class' => 'elgg-menu-hz', + 'sort_by' => 'priority', )); -- cgit v1.2.3 From 6f51b4a2ce1b7945ca5b02c5a00a701eb985c3f0 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 17 Dec 2011 15:55:57 -0500 Subject: fixed issues preventing account creation --- actions/openid_client/login.php | 2 +- classes/ElggOpenIDConsumer.php | 48 ++++++++++++++++++++++++++++++++++++----- languages/en.php | 9 ++++---- lib/helpers.php | 2 +- return.php | 5 +++-- start.php | 12 +++++------ 6 files changed, 59 insertions(+), 19 deletions(-) diff --git a/actions/openid_client/login.php b/actions/openid_client/login.php index 305ea3110..762f37f06 100644 --- a/actions/openid_client/login.php +++ b/actions/openid_client/login.php @@ -8,7 +8,7 @@ elgg_load_library('openid_consumer'); $store = new Auth_OpenID_FileStore('/tmp'); $consumer = new ElggOpenIDConsumer($store); -$consumer->setProvider('google'); +$consumer->setProvider(get_input('provider')); $consumer->setReturnURL(elgg_get_site_url() . 'mod/openid_client/return.php'); $html = $consumer->requestAuthentication(); diff --git a/classes/ElggOpenIDConsumer.php b/classes/ElggOpenIDConsumer.php index 6e6828e1c..864e47d41 100644 --- a/classes/ElggOpenIDConsumer.php +++ b/classes/ElggOpenIDConsumer.php @@ -6,6 +6,7 @@ class ElggOpenIDConsumer { protected $provider; + protected $username; protected $returnURL; protected $store; @@ -35,6 +36,15 @@ class ElggOpenIDConsumer { $this->provider = $provider; } + /** + * Set the OpenID username + * + * @param string $username + */ + public function setUsername($username) { + $this->username = $username; + } + /** * Set the return URL * @@ -119,11 +129,39 @@ class ElggOpenIDConsumer { */ protected function getProviderURL() { $url = null; - switch ($this->provider) { + $provider = $this->provider; + $username = $this->username; + switch ($provider) { case 'google': $url = 'https://www.google.com/accounts/o8/id'; break; + case 'yahoo': + $url = 'https://me.yahoo.com/'; + break; + case 'blogger': + $url = "http://$username.blogspot.com/"; + break; + case 'wordpress': + $url = ""; + break; + case 'aol': + $url = "http://openid.aol.com/$username"; + break; + case 'verisign': + $url = "http://username.pip.verisignlabs.com/"; + break; + case 'myopenid': + $url = 'https://myopenid.com/'; + break; + case 'myspace': + $url = 'https://api.myspace.com/openid'; + break; default: + $params = array( + 'provider' => $provider, + 'username' => $username, + ); + $url = elgg_trigger_plugin_hook('set', 'openid_client:url', $params); break; } @@ -199,7 +237,7 @@ class ElggOpenIDConsumer { $data = $this->extractUserData($sreg, $ax); $data['openid_identifier'] = $response->getDisplayIdentifier(); - return data; + return $data; } /** @@ -217,7 +255,7 @@ class ElggOpenIDConsumer { $data['email'] = $sreg['email']; } if (isset($ax['http://axschema.org/contact/email'])) { - $data['email'] = $ax['http://axschema.org/contact/email']; + $data['email'] = $ax['http://axschema.org/contact/email'][0]; } // display name @@ -225,10 +263,10 @@ class ElggOpenIDConsumer { $data['name'] = $sreg['fullname']; } if (isset($ax['http://axschema.org/namePerson/first'])) { - $data['name'] = $ax['http://axschema.org/namePerson/first']; + $data['name'] = $ax['http://axschema.org/namePerson/first'][0]; } if (isset($ax['http://axschema.org/namePerson/last'])) { - $data['name'] .= ' ' . $ax['http://axschema.org/namePerson/last']; + $data['name'] .= ' ' . $ax['http://axschema.org/namePerson/last'][0]; $data['name'] = trim($data['name']); } diff --git a/languages/en.php b/languages/en.php index df20c95f9..d68517b01 100644 --- a/languages/en.php +++ b/languages/en.php @@ -8,13 +8,14 @@ $english = array( 'openid_client:login:header' => 'Log in with', 'openid_client:or:header' => 'or', 'openid_client:login:instructs' => 'Login in with %s', - 'openid_client:server:google' => 'Google', - 'openid_client:server:yahoo' => 'Yahoo', - 'openid_client:server:blogger' => 'Blogger', - 'openid_client:server:wordpress' => 'Wordpress', + 'openid_client:provider:google' => 'Google', + 'openid_client:provider:yahoo' => 'Yahoo', + 'openid_client:provider:blogger' => 'Blogger', + 'openid_client:provider:wordpress' => 'Wordpress', 'openid_client:success:register' => 'Your account has been created.', 'openid_client:error:bad_register' => 'Unable to create an account. Please contact a site administrator.', + 'openid_client:error:bad_response' => 'Bad response from the OpenID server', ); add_translation('en', $english); diff --git a/lib/helpers.php b/lib/helpers.php index c7158235a..765fc0a61 100644 --- a/lib/helpers.php +++ b/lib/helpers.php @@ -43,7 +43,7 @@ function openid_client_prepare_registration_vars(array $data) { if (isset($data['username'])) { $vars['username'] = $data['username']; } else if (isset($data['email'])) { - $vars['username'] = array_pop(explode('@', $data['email'])); + $vars['username'] = array_shift(explode('@', $data['email'])); } else { $vars['username'] = null; } diff --git a/return.php b/return.php index 2ae21e21f..e53d17d7e 100644 --- a/return.php +++ b/return.php @@ -21,7 +21,8 @@ $url = elgg_get_site_url() . 'mod/openid_client/return.php'; $consumer->setReturnURL($url); $data = $consumer->completeAuthentication(); if (!$data || !$data['openid_identifier']) { - // @todo handle error + register_error(elgg_echo('openid_client:error:bad_response')); + forward(); } // does this user exist @@ -48,7 +49,7 @@ if ($users) { // register the new user $result = openid_client_registration_page_handler($data); if (!$result) { - register_error('openid_client:error:bad_register'); + register_error(elgg_echo('openid_client:error:bad_register')); forward(); } } diff --git a/start.php b/start.php index bd80dde48..afe12ae92 100644 --- a/start.php +++ b/start.php @@ -63,14 +63,14 @@ function openid_client_setup_menu($hook, $type, $menu, $params) { $items = elgg_trigger_plugin_hook('register', 'openid_login', null, $items); $priority = 100; - foreach ($items as $type => $servers) { - foreach ($servers as $server) { - $server_name = elgg_echo("openid_client:server:$server"); + foreach ($items as $type => $providers) { + foreach ($providers as $provider) { + $provider_name = elgg_echo("openid_client:provider:$provider"); $menu[] = ElggMenuItem::factory(array( - 'name' => $server, + 'name' => $provider, 'text' => '', - 'title' => elgg_echo('openid_client:login:instructs', array($server_name)), - 'href' => "action/openid_client/login?server=$server", + 'title' => elgg_echo('openid_client:login:instructs', array($provider_name)), + 'href' => "action/openid_client/login?provider=$provider", 'is_action' => true, 'section' => $type, 'priority' => $priority, -- cgit v1.2.3 From 3778bd5b448277dba6a779259de7b302ec39eb33 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 17 Dec 2011 16:21:27 -0500 Subject: using elgg store for associations --- actions/openid_client/login.php | 2 -- return.php | 1 - 2 files changed, 3 deletions(-) diff --git a/actions/openid_client/login.php b/actions/openid_client/login.php index 762f37f06..74a8de8f6 100644 --- a/actions/openid_client/login.php +++ b/actions/openid_client/login.php @@ -5,8 +5,6 @@ elgg_load_library('openid_consumer'); -$store = new Auth_OpenID_FileStore('/tmp'); - $consumer = new ElggOpenIDConsumer($store); $consumer->setProvider(get_input('provider')); $consumer->setReturnURL(elgg_get_site_url() . 'mod/openid_client/return.php'); diff --git a/return.php b/return.php index e53d17d7e..dbc57d318 100644 --- a/return.php +++ b/return.php @@ -15,7 +15,6 @@ elgg_load_library('openid_consumer'); elgg_load_library('openid_client'); // get user data from the response -$store = new Auth_OpenID_FileStore('/tmp'); $consumer = new ElggOpenIDConsumer($store); $url = elgg_get_site_url() . 'mod/openid_client/return.php'; $consumer->setReturnURL($url); -- cgit v1.2.3 From de76ce685a8bb37a4fc7daa621b496a3bbae3878 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 17 Dec 2011 16:21:41 -0500 Subject: preventing an openid user from setting password --- start.php | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/start.php b/start.php index afe12ae92..a1defd280 100644 --- a/start.php +++ b/start.php @@ -26,7 +26,8 @@ function openid_client_init() { elgg_register_event_handler('create', 'user', 'openid_client_set_subtype', 1); - //elgg_register_page_handler('openid_client', 'openid_client_page_handler'); + // don't let OpenID users set their passwords + elgg_register_event_handler('pagesetup', 'system', 'openid_client_remove_email'); } /** @@ -83,21 +84,11 @@ function openid_client_setup_menu($hook, $type, $menu, $params) { } /** - * OpenID client page handler - * - * @param type $page Array of URL segments - * @return bool + * Remove the password view from the account settings form */ -function openid_client_page_handler($page) { - - // this is test code for right now - elgg_load_library('openid_client'); - openid_client_registration_page_handler(array( - 'username' => 'john', - 'email' => 'john@example.org', - 'name' => 'John Doe', - 'openid_identifier' => 'abcdefghijklmnopqrstuvwxyz', - )); - - return true; +function openid_client_remove_email() { + $page_owner = elgg_get_page_owner_entity(); + if ($page_owner && elgg_instanceof($page_owner, 'user', 'openid')) { + elgg_unextend_view('forms/account/settings', 'core/settings/account/password'); + } } -- cgit v1.2.3 From aa9ed6f3eb46fb9508692d1b5d92c717c3648527 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 17 Dec 2011 17:16:38 -0500 Subject: added warnings for email/usernames --- languages/en.php | 6 +++ lib/helpers.php | 54 ++++++++++++++++++++++++-- views/default/forms/openid_client/register.php | 20 +++++++++- views/default/openid_client/register.php | 4 ++ 4 files changed, 79 insertions(+), 5 deletions(-) diff --git a/languages/en.php b/languages/en.php index d68517b01..4efb59463 100644 --- a/languages/en.php +++ b/languages/en.php @@ -13,9 +13,15 @@ $english = array( 'openid_client:provider:blogger' => 'Blogger', 'openid_client:provider:wordpress' => 'Wordpress', + 'openid_client:create' => 'Create an account', + 'openid_client:create:instructs' => 'Your account has been approved. We just need you to confirm or set the below information.', + 'openid_client:success:register' => 'Your account has been created.', 'openid_client:error:bad_register' => 'Unable to create an account. Please contact a site administrator.', 'openid_client:error:bad_response' => 'Bad response from the OpenID server', + 'openid_client:warning:username_not_available' => 'The username %s is not available. Please pick another.', + 'openid_client:warning:username_valid' => 'The username %s is not valid as this site. Please pick another.', + 'openid_client:warning:email_not_available' => 'The email address %s is not available. Please pick another.', ); add_translation('en', $english); diff --git a/lib/helpers.php b/lib/helpers.php index 765fc0a61..3fc101c42 100644 --- a/lib/helpers.php +++ b/lib/helpers.php @@ -17,12 +17,16 @@ function openid_client_registration_page_handler(array $data) { return false; } - $title = 'register'; + $title = elgg_echo('openid_client:create'); $vars = openid_client_prepare_registration_vars($data); $content = elgg_view('openid_client/register', $vars); - $body = elgg_view_layout('one_column', array('content' => $content)); + $params = array( + 'title' => $title, + 'content' => $content, + ); + $body = elgg_view_layout('one_column', $params); echo elgg_view_page($title, $body); return true; @@ -49,7 +53,9 @@ function openid_client_prepare_registration_vars(array $data) { } // is the username available - $vars['is_username_available'] = true; + if ($vars['username']) { + $vars['is_username_available'] = openid_client_is_username_available($vars['username']); + } // is the username valid try { @@ -62,5 +68,47 @@ function openid_client_prepare_registration_vars(array $data) { $vars['email'] = elgg_extract('email', $data); $vars['name'] = elgg_extract('name', $data); + if ($vars['email']) { + $vars['is_email_available'] = openid_client_is_email_available($vars['email']); + } + return $vars; } + +/** + * Is this username available? + * + * @param string $username The username + * @return bool + */ +function openid_client_is_username_available($username) { + $db_prefix = elgg_get_config('dbprefix'); + $username = sanitize_string($username); + + $query = "SELECT count(*) AS total FROM {$db_prefix}users_entity WHERE username = '$username'"; + $result = get_data_row($query); + if ($result->total == 0) { + return true; + } else { + return false; + } +} + +/** + * Is this email address available? + * + * @param string $email Email address + * @return bool + */ +function openid_client_is_email_available($email) { + $db_prefix = elgg_get_config('dbprefix'); + $email = sanitize_string($email); + + $query = "SELECT count(*) AS total FROM {$db_prefix}users_entity WHERE email = '$email'"; + $result = get_data_row($query); + if ($result->total == 0) { + return true; + } else { + return false; + } +} diff --git a/views/default/forms/openid_client/register.php b/views/default/forms/openid_client/register.php index 63d5ba04e..279d298c4 100644 --- a/views/default/forms/openid_client/register.php +++ b/views/default/forms/openid_client/register.php @@ -7,10 +7,19 @@ * @uses $vars['is_username_available'] * @uses $vars['is_username_valid'] * @uses $vars['email'] + * @uses $vars['is_email_available'] * @uses $vars['name'] */ $username_label = elgg_echo('username'); +$username_warning = ''; +if (!elgg_extract('is_username_available', $vars, true)) { + $username_warning = elgg_echo('openid_client:warning:username_not_available', array($vars['username'])); + $username_warning = "($username_warning)"; +} else if (!elgg_extract('is_username_valid', $vars, true)) { + $username_warning = elgg_echo('openid_client:warning:username_valid', array($vars['username'])); + $username_warning = "($username_warning)"; +} $username_input = elgg_view('input/text', array( 'name' => 'username', 'value' => $vars['username'], @@ -23,9 +32,16 @@ $name_input = elgg_view('input/text', array( )); $email_label = elgg_echo('email'); +$email_available = elgg_extract('is_email_available', $vars, true); +$email_warning = ''; +if (!$email_available) { + $email_warning = elgg_echo('openid_client:warning:email_not_available', array($vars['email'])); + $email_warning = "($email_warning)"; +} $email_input = elgg_view('input/email', array( 'name' => 'email', 'value' => $vars['email'], + 'disabled' => !$email_available, )); $openid_input = elgg_view('input/hidden', array( @@ -36,7 +52,7 @@ $button = elgg_view('input/submit', array('value' => elgg_echo('save'))); echo << - + $username_warning $username_input
@@ -44,7 +60,7 @@ echo <<
- + $email_warning $email_input
diff --git a/views/default/openid_client/register.php b/views/default/openid_client/register.php index 0c3770ed2..be448ef54 100644 --- a/views/default/openid_client/register.php +++ b/views/default/openid_client/register.php @@ -4,4 +4,8 @@ * */ +echo '

'; +echo elgg_echo('openid_client:create:instructs'); +echo '

'; + echo elgg_view_form('openid_client/register', array(), $vars); -- cgit v1.2.3 From aae0fa0c6762d25e048c297156f8969c6242eb11 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 17 Dec 2011 21:52:20 -0500 Subject: added support for OpenID 1.x --- actions/openid_client/login.php | 10 ++++++++-- classes/ElggOpenIDConsumer.php | 20 ++++++++++++++++---- languages/en.php | 1 + start.php | 28 ++++++++++++++++++++++------ views/default/forms/openid_client/login.php | 13 +++++++++++++ views/default/openid_client/js.php | 18 ++++++++++++++++++ views/default/openid_client/login.php | 6 ++++++ 7 files changed, 84 insertions(+), 12 deletions(-) create mode 100644 views/default/forms/openid_client/login.php create mode 100644 views/default/openid_client/js.php diff --git a/actions/openid_client/login.php b/actions/openid_client/login.php index 74a8de8f6..cf991ea0f 100644 --- a/actions/openid_client/login.php +++ b/actions/openid_client/login.php @@ -5,8 +5,12 @@ elgg_load_library('openid_consumer'); +$provider = get_input('openid_provider'); +$username = get_input('openid_username'); + $consumer = new ElggOpenIDConsumer($store); -$consumer->setProvider(get_input('provider')); +$consumer->setProvider($provider); +$consumer->setUsername($username); $consumer->setReturnURL(elgg_get_site_url() . 'mod/openid_client/return.php'); $html = $consumer->requestAuthentication(); @@ -14,5 +18,7 @@ if ($html) { echo $html; exit; } else { - register_error('oops'); + $provider_name = elgg_echo("openid_client:provider:$provider"); + register_error(elgg_echo('openid_client:error:no_html', array($provider_name))); + forward(); } diff --git a/classes/ElggOpenIDConsumer.php b/classes/ElggOpenIDConsumer.php index 864e47d41..3918086ab 100644 --- a/classes/ElggOpenIDConsumer.php +++ b/classes/ElggOpenIDConsumer.php @@ -142,13 +142,17 @@ class ElggOpenIDConsumer { $url = "http://$username.blogspot.com/"; break; case 'wordpress': - $url = ""; + // username is actually the blog name + $url = "http://$username.wordpress.com/"; + break; + case 'livejournal': + $url = "http://$username.livejournal.com/"; break; case 'aol': - $url = "http://openid.aol.com/$username"; + $url = "https://openid.aol.com/"; break; case 'verisign': - $url = "http://username.pip.verisignlabs.com/"; + $url = "https://pip.verisignlabs.com/ "; break; case 'myopenid': $url = 'https://myopenid.com/'; @@ -204,6 +208,8 @@ class ElggOpenIDConsumer { * the provider. If JavaScript is not enabled, a plain html form with a * continue button is displayed. * + * This also supports OpenID 1.x but has not been tested as thoroughly. + * * @return mixed */ protected function getForm() { @@ -213,7 +219,13 @@ class ElggOpenIDConsumer { return $html; } else { // OpenID 1.x - return false; + $redirect_url = $this->request->redirectURL(elgg_get_site_url(), $this->returnURL); + + if (Auth_OpenID::isFailure($redirect_url)) { + return false; + } else { + forward($redirect_url); + } } } diff --git a/languages/en.php b/languages/en.php index 4efb59463..8c5beff1b 100644 --- a/languages/en.php +++ b/languages/en.php @@ -19,6 +19,7 @@ $english = array( 'openid_client:success:register' => 'Your account has been created.', 'openid_client:error:bad_register' => 'Unable to create an account. Please contact a site administrator.', 'openid_client:error:bad_response' => 'Bad response from the OpenID server', + 'openid_client:error:no_html' => 'An error occurred trying to contact %s', 'openid_client:warning:username_not_available' => 'The username %s is not available. Please pick another.', 'openid_client:warning:username_valid' => 'The username %s is not valid as this site. Please pick another.', 'openid_client:warning:email_not_available' => 'The email address %s is not available. Please pick another.', diff --git a/start.php b/start.php index a1defd280..b243d6674 100644 --- a/start.php +++ b/start.php @@ -13,6 +13,7 @@ elgg_register_event_handler('init', 'system', 'openid_client_init'); */ function openid_client_init() { elgg_extend_view('css/elgg', 'openid_client/css'); + elgg_extend_view('js/elgg', 'openid_client/js'); elgg_extend_view('core/account/login_box', 'openid_client/login'); elgg_register_plugin_hook_handler('register', 'menu:openid_login', 'openid_client_setup_menu'); @@ -58,24 +59,39 @@ function openid_client_set_subtype($event, $type, $user) { function openid_client_setup_menu($hook, $type, $menu, $params) { $items = array( - 'large' => array('google', 'yahoo'), - 'small' => array('blogger', 'wordpress'), + 'large' => array( + 'google' => '', + 'yahoo' => '', + ), + 'small' => array( + 'blogger' => 'toggle', + 'wordpress' => 'toggle', + ), ); $items = elgg_trigger_plugin_hook('register', 'openid_login', null, $items); $priority = 100; foreach ($items as $type => $providers) { - foreach ($providers as $provider) { + foreach ($providers as $provider => $toggle) { $provider_name = elgg_echo("openid_client:provider:$provider"); - $menu[] = ElggMenuItem::factory(array( + + $options = array( 'name' => $provider, 'text' => '', 'title' => elgg_echo('openid_client:login:instructs', array($provider_name)), - 'href' => "action/openid_client/login?provider=$provider", + 'href' => "action/openid_client/login?openid_provider=$provider", 'is_action' => true, 'section' => $type, 'priority' => $priority, - )); + ); + + if ($toggle) { + $options['link_class'] = 'openid-client-toggle'; + $options['rel'] = $provider; + } + + $menu[] = ElggMenuItem::factory($options); + $priority += 10; } } diff --git a/views/default/forms/openid_client/login.php b/views/default/forms/openid_client/login.php new file mode 100644 index 000000000..eba6dbe4b --- /dev/null +++ b/views/default/forms/openid_client/login.php @@ -0,0 +1,13 @@ +'; +echo elgg_echo('username'); +echo ''; +echo elgg_view('input/text', array('name' => 'openid_username', 'class' => 'mbs')); + +echo elgg_view('input/hidden', array('name' => 'openid_provider')); + +echo elgg_view('input/submit', array('value' => elgg_echo('submit'))); \ No newline at end of file diff --git a/views/default/openid_client/js.php b/views/default/openid_client/js.php new file mode 100644 index 000000000..175577719 --- /dev/null +++ b/views/default/openid_client/js.php @@ -0,0 +1,18 @@ + + +// OpenID toggle +elgg.register_hook_handler('init', 'system', function() { + $(".openid-client-toggle").click(function(event) { + $("#openid-client-login-form").slideDown(); + + var provider_input = $("#openid-client-login-form input[name=openid_provider]"); + provider_input.attr('value', $(this).attr('rel')); + + event.preventDefault(); + }); +}); diff --git a/views/default/openid_client/login.php b/views/default/openid_client/login.php index 7e71b8bab..30685fe51 100644 --- a/views/default/openid_client/login.php +++ b/views/default/openid_client/login.php @@ -10,3 +10,9 @@ echo elgg_view_menu('openid_login', array( 'class' => 'elgg-menu-hz', 'sort_by' => 'priority', )); + +$form_vars = array( + 'class' => 'hidden', + 'id' => 'openid-client-login-form', +); +echo elgg_view_form('openid_client/login', $form_vars); -- cgit v1.2.3 From 77b5489778ebe1c4abc4c78ef0ae326c180dfdf8 Mon Sep 17 00:00:00 2001 From: cash Date: Mon, 19 Dec 2011 21:41:08 -0500 Subject: added return_to page to public pages of walled garden --- start.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/start.php b/start.php index b243d6674..dbbb41785 100644 --- a/start.php +++ b/start.php @@ -29,6 +29,9 @@ function openid_client_init() { // don't let OpenID users set their passwords elgg_register_event_handler('pagesetup', 'system', 'openid_client_remove_email'); + + // the return to page needs to be public + elgg_register_plugin_hook_handler('public_pages', 'walled_garden', 'openid_client_public'); } /** @@ -108,3 +111,16 @@ function openid_client_remove_email() { elgg_unextend_view('forms/account/settings', 'core/settings/account/password'); } } + +/** + * Add the return_to page to the list of public pages for walled garden + * + * @param string $hook Hook name + * @param string $type Hook type + * @param array $pages Array of public pages + * @return array + */ +function openid_client_public($hook, $type, $pages) { + $pages[] = 'mod/openid_client/return.php'; + return $pages; +} -- cgit v1.2.3 From 4d7ddc5164046ccecd6a901e2e959d180669dd31 Mon Sep 17 00:00:00 2001 From: cash Date: Mon, 19 Dec 2011 21:47:04 -0500 Subject: needed to add actions as public pages also --- start.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/start.php b/start.php index dbbb41785..a8e6fd94e 100644 --- a/start.php +++ b/start.php @@ -113,7 +113,8 @@ function openid_client_remove_email() { } /** - * Add the return_to page to the list of public pages for walled garden + * Add pages to the list of public pages for walled garden needed for OpenID + * transaction * * @param string $hook Hook name * @param string $type Hook type @@ -121,6 +122,8 @@ function openid_client_remove_email() { * @return array */ function openid_client_public($hook, $type, $pages) { + $pages[] = 'action/openid_client/login'; $pages[] = 'mod/openid_client/return.php'; + $pages[] = 'action/openid_client/register'; return $pages; } -- cgit v1.2.3 From 80ed1e24b59d62c411cb2bed5535d9e6fd9fcc9a Mon Sep 17 00:00:00 2001 From: cash Date: Mon, 19 Dec 2011 21:57:06 -0500 Subject: fixed logic bug with disabling email field --- views/default/forms/openid_client/register.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/views/default/forms/openid_client/register.php b/views/default/forms/openid_client/register.php index 279d298c4..6cae2bb84 100644 --- a/views/default/forms/openid_client/register.php +++ b/views/default/forms/openid_client/register.php @@ -41,7 +41,7 @@ if (!$email_available) { $email_input = elgg_view('input/email', array( 'name' => 'email', 'value' => $vars['email'], - 'disabled' => !$email_available, + 'disabled' => $email_available, )); $openid_input = elgg_view('input/hidden', array( -- cgit v1.2.3 From 11a7ca1c5c23af990422783b14d021a7c177032b Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 28 Jan 2012 12:27:05 -0500 Subject: fixed bug where email wasn't being passed to register action - now using annotations instead of metadata to hold openid identifier --- actions/openid_client/register.php | 3 ++- return.php | 7 +++---- start.php | 19 ++++++++----------- views/default/forms/openid_client/register.php | 2 +- 4 files changed, 14 insertions(+), 17 deletions(-) diff --git a/actions/openid_client/register.php b/actions/openid_client/register.php index c4d3501ed..f0ad2a5fd 100644 --- a/actions/openid_client/register.php +++ b/actions/openid_client/register.php @@ -19,8 +19,9 @@ try { forward(REFERER); } $user = get_entity($guid); +openid_client_set_subtype($user); -$user->openid_identifier = $openid_identifier; +$user->annotate('openid_identifier', $openid_identifier, ACCESS_PUBLIC); elgg_set_user_validation_status($guid, true, 'openid'); if (!elgg_trigger_plugin_hook('register', 'user', array('user' => $user), true)) { diff --git a/return.php b/return.php index dbc57d318..87ce5b19f 100644 --- a/return.php +++ b/return.php @@ -25,11 +25,10 @@ if (!$data || !$data['openid_identifier']) { } // does this user exist -$users = elgg_get_entities_from_metadata(array( +$users = elgg_get_entities_from_annotations(array( 'type' => 'user', - 'subtype' => 'openid', - 'metadata_name' => 'openid_identifier', - 'metadata_value' => $data['openid_identifier'], + 'annotation_name' => 'openid_identifier', + 'annotation_value' => $data['openid_identifier'], )); if ($users) { // log in user and maybe update account (admin setting, user prompt?) diff --git a/start.php b/start.php index a8e6fd94e..82dcd5c11 100644 --- a/start.php +++ b/start.php @@ -25,10 +25,8 @@ function openid_client_init() { $base = elgg_get_plugins_path() . 'openid_client/lib'; elgg_register_library('openid_client', "$base/helpers.php"); - elgg_register_event_handler('create', 'user', 'openid_client_set_subtype', 1); - // don't let OpenID users set their passwords - elgg_register_event_handler('pagesetup', 'system', 'openid_client_remove_email'); + elgg_register_event_handler('pagesetup', 'system', 'openid_client_remove_password'); // the return to page needs to be public elgg_register_plugin_hook_handler('public_pages', 'walled_garden', 'openid_client_public'); @@ -37,11 +35,10 @@ function openid_client_init() { /** * Set the correct subtype for OpenID users * - * @param string $event Event name - * @param string $type Object type - * @param ElggUser $user New user + * @param ElggUser $user New user + * @return void */ -function openid_client_set_subtype($event, $type, $user) { +function openid_client_set_subtype($user) { $db_prefix = elgg_get_config('dbprefix'); $guid = (int)$user->getGUID(); $subtype_id = (int)add_subtype('user', 'openid'); @@ -71,7 +68,7 @@ function openid_client_setup_menu($hook, $type, $menu, $params) { 'wordpress' => 'toggle', ), ); - $items = elgg_trigger_plugin_hook('register', 'openid_login', null, $items); + $items = elgg_trigger_plugin_hook('register', 'openid_client:login', null, $items); $priority = 100; foreach ($items as $type => $providers) { @@ -105,7 +102,7 @@ function openid_client_setup_menu($hook, $type, $menu, $params) { /** * Remove the password view from the account settings form */ -function openid_client_remove_email() { +function openid_client_remove_password() { $page_owner = elgg_get_page_owner_entity(); if ($page_owner && elgg_instanceof($page_owner, 'user', 'openid')) { elgg_unextend_view('forms/account/settings', 'core/settings/account/password'); @@ -116,8 +113,8 @@ function openid_client_remove_email() { * Add pages to the list of public pages for walled garden needed for OpenID * transaction * - * @param string $hook Hook name - * @param string $type Hook type + * @param string $hook Hook name + * @param string $type Hook type * @param array $pages Array of public pages * @return array */ diff --git a/views/default/forms/openid_client/register.php b/views/default/forms/openid_client/register.php index 6cae2bb84..6044f0f0b 100644 --- a/views/default/forms/openid_client/register.php +++ b/views/default/forms/openid_client/register.php @@ -41,7 +41,7 @@ if (!$email_available) { $email_input = elgg_view('input/email', array( 'name' => 'email', 'value' => $vars['email'], - 'disabled' => $email_available, + 'readonly' => $email_available, )); $openid_input = elgg_view('input/hidden', array( -- cgit v1.2.3 From 20b29861d4ab48ad3f80925906ee70eb89ccddbc Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 28 Jan 2012 12:40:18 -0500 Subject: supporting associating an OpenID with an existing account --- return.php | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/return.php b/return.php index 87ce5b19f..ab0fc622a 100644 --- a/return.php +++ b/return.php @@ -24,16 +24,29 @@ if (!$data || !$data['openid_identifier']) { forward(); } -// does this user exist +// is there an account already associated with this openid +$user = null; $users = elgg_get_entities_from_annotations(array( 'type' => 'user', 'annotation_name' => 'openid_identifier', 'annotation_value' => $data['openid_identifier'], )); if ($users) { - // log in user and maybe update account (admin setting, user prompt?) + // there should only be one account $user = $users[0]; +} else { + $email = elgg_extract('email', $data); + if ($email) { + $users = get_user_by_email($email); + if (count($users) === 1) { + $user = $users[0]; + $user->annotate('openid_identifier', $data['openid_identifier'], ACCESS_PUBLIC); + } + } +} +if ($user) { + // log in user and maybe update account (admin setting, user prompt?) try { login($user); } catch (LoginException $e) { -- cgit v1.2.3 From 1c1fe3b50e5a3297115c57543932a210d585a539 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Wed, 1 Feb 2012 07:19:29 -0500 Subject: working around bug in Elgg for river strings --- languages/en.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/languages/en.php b/languages/en.php index 8c5beff1b..34afb3700 100644 --- a/languages/en.php +++ b/languages/en.php @@ -23,6 +23,8 @@ $english = array( 'openid_client:warning:username_not_available' => 'The username %s is not available. Please pick another.', 'openid_client:warning:username_valid' => 'The username %s is not valid as this site. Please pick another.', 'openid_client:warning:email_not_available' => 'The email address %s is not available. Please pick another.', + + 'river:friend:user:openid' => "%s is now a friend with %s", ); add_translation('en', $english); -- cgit v1.2.3 From e69825051c3d19f188e68801ba945c1cd8b8cfdd Mon Sep 17 00:00:00 2001 From: Sem Date: Sat, 22 Sep 2012 05:06:19 +0200 Subject: Removed comercial openid providers and refactored openid login form. --- actions/openid_client/login.php | 15 ++++-- classes/ElggOpenIDConsumer.php | 68 ++-------------------------- graphics/openid_providers.png | Bin 12400 -> 0 bytes languages/en.php | 10 ++-- start.php | 60 +++--------------------- views/default/forms/openid_client/login.php | 42 ++++++++++++++--- views/default/openid_client/css.php | 51 ++------------------- views/default/openid_client/js.php | 22 ++++++--- views/default/openid_client/login.php | 18 -------- 9 files changed, 82 insertions(+), 204 deletions(-) delete mode 100644 graphics/openid_providers.png delete mode 100644 views/default/openid_client/login.php diff --git a/actions/openid_client/login.php b/actions/openid_client/login.php index cf991ea0f..604374ced 100644 --- a/actions/openid_client/login.php +++ b/actions/openid_client/login.php @@ -6,11 +6,13 @@ elgg_load_library('openid_consumer'); $provider = get_input('openid_provider'); -$username = get_input('openid_username'); + +if ($provider == 'others') { + $provider = get_input('openid_url'); +} $consumer = new ElggOpenIDConsumer($store); -$consumer->setProvider($provider); -$consumer->setUsername($username); +$consumer->setURL($provider); $consumer->setReturnURL(elgg_get_site_url() . 'mod/openid_client/return.php'); $html = $consumer->requestAuthentication(); @@ -18,7 +20,12 @@ if ($html) { echo $html; exit; } else { - $provider_name = elgg_echo("openid_client:provider:$provider"); + $flipped_providers = array_flip(elgg_get_config('openid_providers')); + if (isset($flipped_providers[$provider])) { + $provider_name = $flipped_providers[$provider]; + } else { + $provider_name = $provider; + } register_error(elgg_echo('openid_client:error:no_html', array($provider_name))); forward(); } diff --git a/classes/ElggOpenIDConsumer.php b/classes/ElggOpenIDConsumer.php index 3918086ab..098201343 100644 --- a/classes/ElggOpenIDConsumer.php +++ b/classes/ElggOpenIDConsumer.php @@ -5,8 +5,7 @@ class ElggOpenIDConsumer { - protected $provider; - protected $username; + protected $openIdUrl; protected $returnURL; protected $store; @@ -27,22 +26,13 @@ class ElggOpenIDConsumer { } } - /** - * Set the name of the OpenID provider - * - * @param string $provider - */ - public function setProvider($provider) { - $this->provider = $provider; - } - /** * Set the OpenID username * * @param string $username */ - public function setUsername($username) { - $this->username = $username; + public function setURL($url) { + $this->openIdUrl = $url; } /** @@ -70,7 +60,7 @@ class ElggOpenIDConsumer { return false; } - $url = $this->getProviderURL(); + $url = $this->openIdUrl; if (!$url) { return false; } @@ -122,56 +112,6 @@ class ElggOpenIDConsumer { return $data; } - /** - * Get the OpenID provider URL based on name - * - * @return string - */ - protected function getProviderURL() { - $url = null; - $provider = $this->provider; - $username = $this->username; - switch ($provider) { - case 'google': - $url = 'https://www.google.com/accounts/o8/id'; - break; - case 'yahoo': - $url = 'https://me.yahoo.com/'; - break; - case 'blogger': - $url = "http://$username.blogspot.com/"; - break; - case 'wordpress': - // username is actually the blog name - $url = "http://$username.wordpress.com/"; - break; - case 'livejournal': - $url = "http://$username.livejournal.com/"; - break; - case 'aol': - $url = "https://openid.aol.com/"; - break; - case 'verisign': - $url = "https://pip.verisignlabs.com/ "; - break; - case 'myopenid': - $url = 'https://myopenid.com/'; - break; - case 'myspace': - $url = 'https://api.myspace.com/openid'; - break; - default: - $params = array( - 'provider' => $provider, - 'username' => $username, - ); - $url = elgg_trigger_plugin_hook('set', 'openid_client:url', $params); - break; - } - - return $url; - } - /** * Add attribute requests to the OpenID authentication request * diff --git a/graphics/openid_providers.png b/graphics/openid_providers.png deleted file mode 100644 index 179e6d191..000000000 Binary files a/graphics/openid_providers.png and /dev/null differ diff --git a/languages/en.php b/languages/en.php index 34afb3700..4af3bf06a 100644 --- a/languages/en.php +++ b/languages/en.php @@ -5,13 +5,11 @@ $english = array( + 'openid_client' => 'OpenID', 'openid_client:login:header' => 'Log in with', - 'openid_client:or:header' => 'or', - 'openid_client:login:instructs' => 'Login in with %s', - 'openid_client:provider:google' => 'Google', - 'openid_client:provider:yahoo' => 'Yahoo', - 'openid_client:provider:blogger' => 'Blogger', - 'openid_client:provider:wordpress' => 'Wordpress', + 'openid_client:login' => 'Login in with OpenID', + 'openid_client:others' => 'Others...', + 'openid_client:url' => 'OpenID URL', 'openid_client:create' => 'Create an account', 'openid_client:create:instructs' => 'Your account has been approved. We just need you to confirm or set the below information.', diff --git a/start.php b/start.php index 82dcd5c11..1bf85eb74 100644 --- a/start.php +++ b/start.php @@ -15,7 +15,6 @@ function openid_client_init() { elgg_extend_view('css/elgg', 'openid_client/css'); elgg_extend_view('js/elgg', 'openid_client/js'); - elgg_extend_view('core/account/login_box', 'openid_client/login'); elgg_register_plugin_hook_handler('register', 'menu:openid_login', 'openid_client_setup_menu'); $base = elgg_get_plugins_path() . 'openid_client/actions/openid_client'; @@ -24,6 +23,13 @@ function openid_client_init() { $base = elgg_get_plugins_path() . 'openid_client/lib'; elgg_register_library('openid_client', "$base/helpers.php"); + + elgg_set_config('openid_providers', array( + 'N-1' => 'https://n-1.cc/openid/', + 'Ecoxarxes' => 'https://cooperativa.ecoxarxes.cat/openid/', + 'Anillosur' => 'https://anillosur.cc/openid/', + // ... + )); // don't let OpenID users set their passwords elgg_register_event_handler('pagesetup', 'system', 'openid_client_remove_password'); @@ -47,58 +53,6 @@ function openid_client_set_subtype($user) { update_data($query); } -/** - * Register login options - * - * @param string $hook - * @param string $type - * @param array $menu - * @param array $params - * @return array - */ -function openid_client_setup_menu($hook, $type, $menu, $params) { - - $items = array( - 'large' => array( - 'google' => '', - 'yahoo' => '', - ), - 'small' => array( - 'blogger' => 'toggle', - 'wordpress' => 'toggle', - ), - ); - $items = elgg_trigger_plugin_hook('register', 'openid_client:login', null, $items); - - $priority = 100; - foreach ($items as $type => $providers) { - foreach ($providers as $provider => $toggle) { - $provider_name = elgg_echo("openid_client:provider:$provider"); - - $options = array( - 'name' => $provider, - 'text' => '', - 'title' => elgg_echo('openid_client:login:instructs', array($provider_name)), - 'href' => "action/openid_client/login?openid_provider=$provider", - 'is_action' => true, - 'section' => $type, - 'priority' => $priority, - ); - - if ($toggle) { - $options['link_class'] = 'openid-client-toggle'; - $options['rel'] = $provider; - } - - $menu[] = ElggMenuItem::factory($options); - - $priority += 10; - } - } - - return $menu; -} - /** * Remove the password view from the account settings form */ diff --git a/views/default/forms/openid_client/login.php b/views/default/forms/openid_client/login.php index eba6dbe4b..1f440dc49 100644 --- a/views/default/forms/openid_client/login.php +++ b/views/default/forms/openid_client/login.php @@ -3,11 +3,41 @@ * OpenID login if username or full url required */ -echo ''; -echo elgg_view('input/text', array('name' => 'openid_username', 'class' => 'mbs')); +$options_values = array_flip(elgg_get_config('openid_providers')); +$options_values['others'] = elgg_echo('openid_client:others'); -echo elgg_view('input/hidden', array('name' => 'openid_provider')); +?> +

+ +
+ 'openid_provider', + 'options_values' => $options_values, +)); +?> +
+ + -echo elgg_view('input/submit', array('value' => elgg_echo('submit'))); \ No newline at end of file +
+ + + elgg_echo('login'))); ?> + + 'returntoreferer', 'value' => 'true')); + } + ?> +
\ No newline at end of file diff --git a/views/default/openid_client/css.php b/views/default/openid_client/css.php index 900de7e6e..d01fc6b5a 100644 --- a/views/default/openid_client/css.php +++ b/views/default/openid_client/css.php @@ -2,53 +2,12 @@ /** * OpenID client CSS */ - -$site_url = elgg_get_site_url(); - ?> -.openid-client-login-or { - margin-top: 5px; - text-align: center; - color: #333; -} - -.elgg-menu-openid-login { - text-align: center; -} - -.elgg-menu-openid-login > li { - margin: 3px; -} - -.elgg-menu-openid-login span { - display: block; - background: url("mod/openid_client/graphics/openid_providers.png") no-repeat left; - border: 1px solid #ccc; -} - -.elgg-menu-openid-login-large span { - height: 32px; - width: 92px; +.elgg-icon-openid { + background-image: url(mod/openid_client/graphics/openid_icon.png); } -.elgg-menu-openid-login-small span { - height: 20px; - width: 20px; -} - -.elgg-menu-item-google span { - background-position: -5px -14px; -} - -.elgg-menu-openid-login-large > .elgg-menu-item-yahoo span { - background-position: -105px -14px; -} - -.elgg-menu-item-blogger span { - background-position: -170px -62px; -} - -.elgg-menu-item-wordpress span { - background-position: -146px -62px; -} +.elgg-form-login { + margin-bottom: 10px; +} \ No newline at end of file diff --git a/views/default/openid_client/js.php b/views/default/openid_client/js.php index 175577719..171215593 100644 --- a/views/default/openid_client/js.php +++ b/views/default/openid_client/js.php @@ -7,12 +7,20 @@ // OpenID toggle elgg.register_hook_handler('init', 'system', function() { - $(".openid-client-toggle").click(function(event) { - $("#openid-client-login-form").slideDown(); - - var provider_input = $("#openid-client-login-form input[name=openid_provider]"); - provider_input.attr('value', $(this).attr('rel')); - - event.preventDefault(); + $('.openid-login-icon').click(function(e) { + var openid_box = $(this).prev('.elgg-form-openid-client-login'); + var shown = openid_box.is(':visible') ? openid_box : openid_box.prev(); + var hidden = !openid_box.is(':visible') ? openid_box : openid_box.prev(); + shown.fadeOut(function() { + hidden.fadeIn(); + }); + e.preventDefault(); + }); + $(".elgg-form-openid-client-login [name='openid_provider']").change(function(event) { + if (this.value == 'others') { + $(".openid-client-url").slideDown().find('input').focus(); + } else { + $(".openid-client-url").slideUp(); + } }); }); diff --git a/views/default/openid_client/login.php b/views/default/openid_client/login.php deleted file mode 100644 index 30685fe51..000000000 --- a/views/default/openid_client/login.php +++ /dev/null @@ -1,18 +0,0 @@ -' . elgg_echo('openid_client:or:header') . ''; -echo '

' . elgg_echo('openid_client:login:header') . '

'; - -echo elgg_view_menu('openid_login', array( - 'class' => 'elgg-menu-hz', - 'sort_by' => 'priority', -)); - -$form_vars = array( - 'class' => 'hidden', - 'id' => 'openid-client-login-form', -); -echo elgg_view_form('openid_client/login', $form_vars); -- cgit v1.2.3 From e826cb586ba363babddad98164bf4c8999aec300 Mon Sep 17 00:00:00 2001 From: Sem Date: Mon, 24 Sep 2012 15:33:16 +0200 Subject: Added remaining files to last commit. --- graphics/openid_icon.png | Bin 0 -> 733 bytes views/default/core/account/login_box.php | 23 ++++++++++++++++++++ views/default/core/account/login_dropdown.php | 29 ++++++++++++++++++++++++++ views/default/openid_client/icon.php | 8 +++++++ 4 files changed, 60 insertions(+) create mode 100644 graphics/openid_icon.png create mode 100644 views/default/core/account/login_box.php create mode 100644 views/default/core/account/login_dropdown.php create mode 100644 views/default/openid_client/icon.php diff --git a/graphics/openid_icon.png b/graphics/openid_icon.png new file mode 100644 index 000000000..97d4714c5 Binary files /dev/null and b/graphics/openid_icon.png differ diff --git a/views/default/core/account/login_box.php b/views/default/core/account/login_box.php new file mode 100644 index 000000000..1fe452e69 --- /dev/null +++ b/views/default/core/account/login_box.php @@ -0,0 +1,23 @@ + "{$login_url}action/login")); +$body .= elgg_view_form('openid_client/login', array('class' => 'elgg-form-login hidden'), array()); +$body .= elgg_view('openid_client/icon'); + +echo elgg_view_module($module, $title, $body); diff --git a/views/default/core/account/login_dropdown.php b/views/default/core/account/login_dropdown.php new file mode 100644 index 000000000..7882fde02 --- /dev/null +++ b/views/default/core/account/login_dropdown.php @@ -0,0 +1,29 @@ + "{$login_url}action/login"), array('returntoreferer' => TRUE)); +$body .= elgg_view_form('openid_client/login', array('class' => 'elgg-form-login hidden'), array()); +$body .= elgg_view('openid_client/icon'); +?> +
+ 'login#login-dropdown-box', + 'rel' => 'popup', + 'class' => 'elgg-button elgg-button-dropdown', + 'text' => elgg_echo('login'), + )); + echo elgg_view_module('dropdown', '', $body, array('id' => 'login-dropdown-box')); + ?> +
diff --git a/views/default/openid_client/icon.php b/views/default/openid_client/icon.php new file mode 100644 index 000000000..3a9a9d981 --- /dev/null +++ b/views/default/openid_client/icon.php @@ -0,0 +1,8 @@ + elgg_view_icon('openid') . elgg_echo('openid_client:login'), + 'href' => '', + 'title' => elgg_echo('openid_client'), + 'class' => "openid-login-icon", +)); \ No newline at end of file -- cgit v1.2.3 From 0b21941bed977701ab2d7be6a91711901ac02992 Mon Sep 17 00:00:00 2001 From: Sem Date: Mon, 24 Sep 2012 18:16:43 +0200 Subject: Added "remember me" support for OpenID --- actions/openid_client/login.php | 3 ++- return.php | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/actions/openid_client/login.php b/actions/openid_client/login.php index 604374ced..2a6896a61 100644 --- a/actions/openid_client/login.php +++ b/actions/openid_client/login.php @@ -6,6 +6,7 @@ elgg_load_library('openid_consumer'); $provider = get_input('openid_provider'); +$persistent = get_input('persistent', false); if ($provider == 'others') { $provider = get_input('openid_url'); @@ -13,7 +14,7 @@ if ($provider == 'others') { $consumer = new ElggOpenIDConsumer($store); $consumer->setURL($provider); -$consumer->setReturnURL(elgg_get_site_url() . 'mod/openid_client/return.php'); +$consumer->setReturnURL(elgg_get_site_url() . "mod/openid_client/return.php?persistent=$persistent"); $html = $consumer->requestAuthentication(); if ($html) { diff --git a/return.php b/return.php index ab0fc622a..b37f25bd9 100644 --- a/return.php +++ b/return.php @@ -14,9 +14,11 @@ require_once dirname(dirname(dirname(__FILE__))).'/engine/start.php'; elgg_load_library('openid_consumer'); elgg_load_library('openid_client'); +$persistent = get_input('persistent', false); + // get user data from the response $consumer = new ElggOpenIDConsumer($store); -$url = elgg_get_site_url() . 'mod/openid_client/return.php'; +$url = elgg_get_site_url() . "mod/openid_client/return.php?persistent=$persistent"; $consumer->setReturnURL($url); $data = $consumer->completeAuthentication(); if (!$data || !$data['openid_identifier']) { @@ -48,7 +50,7 @@ if ($users) { if ($user) { // log in user and maybe update account (admin setting, user prompt?) try { - login($user); + login($user, $persistent); } catch (LoginException $e) { register_error($e->getMessage()); forward(); -- cgit v1.2.3 From 347414453e74e7e8cad25820d9a77449edb8355c Mon Sep 17 00:00:00 2001 From: Pablo Martin Date: Wed, 17 Oct 2012 04:03:12 +0000 Subject: protect from account take over by faking email from server. --- return.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/return.php b/return.php index b37f25bd9..e9a723c39 100644 --- a/return.php +++ b/return.php @@ -40,9 +40,10 @@ if ($users) { $email = elgg_extract('email', $data); if ($email) { $users = get_user_by_email($email); - if (count($users) === 1) { - $user = $users[0]; - $user->annotate('openid_identifier', $data['openid_identifier'], ACCESS_PUBLIC); + if (count($users)) { + register_error(elgg_echo('openid_client:email_register') + forward(); + } } } -- cgit v1.2.3 From c631c4c4ed4c403ad152b2bdfc1c03f3ace48465 Mon Sep 17 00:00:00 2001 From: Pablo Martin Date: Mon, 5 Nov 2012 08:23:21 +0000 Subject: add upgrade scripts. --- upgrade.php | 12 +++++++++++ upgrades/2012100501.php | 53 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 upgrade.php create mode 100644 upgrades/2012100501.php diff --git a/upgrade.php b/upgrade.php new file mode 100644 index 000000000..37248d484 --- /dev/null +++ b/upgrade.php @@ -0,0 +1,12 @@ +guid"); + } + + if ($user->alias) { + $alias = $user->alias; + if (strpos($alias, 'pg/profile') !== FALSE) { + $alias = str_replace('pg/profile', 'profile', $alias); + } + error_log($alias); + $user->annotate('openid_identifier', $alias, ACCESS_PUBLIC); + } + return true; +} + + + +/* + * Run upgrade. First users, then pads + */ +// users +$options = array('type' => 'user', 'limit' => 0); + +$MIGRATED = 0; + +$previous_access = elgg_set_ignore_access(true); +$batch = new ElggBatch('elgg_get_entities', $options, "openid_client_user_2012100501", 100); +elgg_set_ignore_access($previous_access); + +if ($batch->callbackResult) { + error_log("Elgg openid users upgrade (201210050) succeeded"); + elgg_set_plugin_setting('version', 2012022501, 'openid_client'); +} else { + error_log("Elgg openid users upgrade (201210050) failed"); +} + + -- cgit v1.2.3 From cc75bdf9ef06e0bd408b877b2f7dd14a04588ee0 Mon Sep 17 00:00:00 2001 From: Pablo Martin Date: Mon, 5 Nov 2012 08:23:38 +0000 Subject: add upgrade and change networks urls. --- start.php | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/start.php b/start.php index 1bf85eb74..d59bb2dd1 100644 --- a/start.php +++ b/start.php @@ -25,9 +25,9 @@ function openid_client_init() { elgg_register_library('openid_client', "$base/helpers.php"); elgg_set_config('openid_providers', array( - 'N-1' => 'https://n-1.cc/openid/', - 'Ecoxarxes' => 'https://cooperativa.ecoxarxes.cat/openid/', - 'Anillosur' => 'https://anillosur.cc/openid/', + 'N-1' => 'https://n-1.cc/mod/openid_server/server.php', + 'Ecoxarxes' => 'https://cooperativa.ecoxarxes.cat/mod/openid_server/server.php', + 'Anillosur' => 'https://anillosur.cc/mod/openid_server/server.php', // ... )); @@ -36,6 +36,15 @@ function openid_client_init() { // the return to page needs to be public elgg_register_plugin_hook_handler('public_pages', 'walled_garden', 'openid_client_public'); + elgg_register_event_handler('upgrade', 'system', 'openid_client_run_upgrades'); + +} + +function openid_client_run_upgrades() { + if (include_once(elgg_get_plugins_path() . 'upgrade-tools/lib/upgrade_tools.php')) { + upgrade_module_run('openid_client'); + } + } /** -- cgit v1.2.3 From 1d73be56d89e698a0561b40b9b163c3e461fb56a Mon Sep 17 00:00:00 2001 From: Sem Date: Sat, 1 Dec 2012 01:33:49 +0000 Subject: Fixed ). --- return.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/return.php b/return.php index e9a723c39..3aa728ea6 100644 --- a/return.php +++ b/return.php @@ -41,7 +41,7 @@ if ($users) { if ($email) { $users = get_user_by_email($email); if (count($users)) { - register_error(elgg_echo('openid_client:email_register') + register_error(elgg_echo('openid_client:email_register')); forward(); } -- cgit v1.2.3 From 10e8d4bc5631e1b9f0a2ce805a851e7e5f33bfc1 Mon Sep 17 00:00:00 2001 From: Sem Date: Sat, 6 Apr 2013 17:08:08 +0200 Subject: Allow openid users set their password. --- start.php | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/start.php b/start.php index d59bb2dd1..970a42ed3 100644 --- a/start.php +++ b/start.php @@ -31,9 +31,6 @@ function openid_client_init() { // ... )); - // don't let OpenID users set their passwords - elgg_register_event_handler('pagesetup', 'system', 'openid_client_remove_password'); - // the return to page needs to be public elgg_register_plugin_hook_handler('public_pages', 'walled_garden', 'openid_client_public'); elgg_register_event_handler('upgrade', 'system', 'openid_client_run_upgrades'); @@ -62,16 +59,6 @@ function openid_client_set_subtype($user) { update_data($query); } -/** - * Remove the password view from the account settings form - */ -function openid_client_remove_password() { - $page_owner = elgg_get_page_owner_entity(); - if ($page_owner && elgg_instanceof($page_owner, 'user', 'openid')) { - elgg_unextend_view('forms/account/settings', 'core/settings/account/password'); - } -} - /** * Add pages to the list of public pages for walled garden needed for OpenID * transaction -- cgit v1.2.3 From 97e15a3a473728422f596d3c9b1da18631f992e0 Mon Sep 17 00:00:00 2001 From: Sem Date: Thu, 22 Aug 2013 17:35:10 -0400 Subject: Added @override keyword at some actions and views --- views/default/core/account/login_box.php | 1 + views/default/core/account/login_dropdown.php | 2 ++ 2 files changed, 3 insertions(+) diff --git a/views/default/core/account/login_box.php b/views/default/core/account/login_box.php index 1fe452e69..51b13398b 100644 --- a/views/default/core/account/login_box.php +++ b/views/default/core/account/login_box.php @@ -6,6 +6,7 @@ * @subpackage Core * * @uses $vars['module'] The module name. Default: aside + * @override views/default/core/account/login_box.php */ $module = elgg_extract('module', $vars, 'aside'); diff --git a/views/default/core/account/login_dropdown.php b/views/default/core/account/login_dropdown.php index 7882fde02..c3add2924 100644 --- a/views/default/core/account/login_dropdown.php +++ b/views/default/core/account/login_dropdown.php @@ -1,6 +1,8 @@ Date: Tue, 10 Sep 2013 13:54:06 +0200 Subject: change url anillosur.cc for anillosur.net and add saravea.net & enekenbat.cc --- start.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/start.php b/start.php index 970a42ed3..03bae6ed5 100644 --- a/start.php +++ b/start.php @@ -27,7 +27,10 @@ function openid_client_init() { elgg_set_config('openid_providers', array( 'N-1' => 'https://n-1.cc/mod/openid_server/server.php', 'Ecoxarxes' => 'https://cooperativa.ecoxarxes.cat/mod/openid_server/server.php', - 'Anillosur' => 'https://anillosur.cc/mod/openid_server/server.php', + 'Anillosur' => 'https://anillosur.net/mod/openid_server/server.php', + 'Saravea' => 'https://saravea.net/mod/openid_server/server.php', + 'Enekenbat' => 'https://enekenbat.cc/mod/openid_server/server.php', + // ... )); -- cgit v1.2.3 From 7f318825787bf0648e4fab7b53c741db0f447d20 Mon Sep 17 00:00:00 2001 From: capo Date: Tue, 10 Sep 2013 14:12:03 +0200 Subject: change url anillosur.cc for anillosur.net and add saravea & enekenbat --- start.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/start.php b/start.php index 970a42ed3..a21832230 100644 --- a/start.php +++ b/start.php @@ -27,7 +27,9 @@ function openid_client_init() { elgg_set_config('openid_providers', array( 'N-1' => 'https://n-1.cc/mod/openid_server/server.php', 'Ecoxarxes' => 'https://cooperativa.ecoxarxes.cat/mod/openid_server/server.php', - 'Anillosur' => 'https://anillosur.cc/mod/openid_server/server.php', + 'Anillosur' => 'https://anillosur.net/mod/openid_server/server.php', + 'Saravea' => 'https://saravea.net/mod/openid_server/server.php', + 'Enekenbat' => 'https://enekenbat.cc/mod/openid_server/server.php', // ... )); -- cgit v1.2.3 From 187315829e3ad518ade4fb6c759f9471cab3e3f5 Mon Sep 17 00:00:00 2001 From: Sem Date: Fri, 8 Nov 2013 06:44:51 +0100 Subject: Bumped version 1.8.0 --- manifest.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.xml b/manifest.xml index 8003097e8..eba4674c7 100644 --- a/manifest.xml +++ b/manifest.xml @@ -2,7 +2,7 @@ OpenID Client Core developers - 1.8 + 1.8.0 OpenID consumer for Elgg. Enabled users log in using their credentials from sites like Google and Yahoo. user http://www.elgg.org/ -- cgit v1.2.3