/**
* @access private
*/
function _extractAssociation($assoc_response, $assoc_session)
{
// Extract the common fields from the response, raising an
// exception if they are not found
$assoc_type = $assoc_response->getArg(Auth_OpenID_OPENID_NS, 'assoc_type', Auth_OpenID_NO_DEFAULT);
if (Auth_OpenID::isFailure($assoc_type)) {
return $assoc_type;
}
$assoc_handle = $assoc_response->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle', Auth_OpenID_NO_DEFAULT);
if (Auth_OpenID::isFailure($assoc_handle)) {
return $assoc_handle;
}
// expires_in is a base-10 string. The Python parsing will
// accept literals that have whitespace around them and will
// accept negative values. Neither of these are really in-spec,
// but we think it's OK to accept them.
$expires_in_str = $assoc_response->getArg(Auth_OpenID_OPENID_NS, 'expires_in', Auth_OpenID_NO_DEFAULT);
if (Auth_OpenID::isFailure($expires_in_str)) {
return $expires_in_str;
}
$expires_in = Auth_OpenID::intval($expires_in_str);
if ($expires_in === false) {
$err = sprintf("Could not parse expires_in from association " . "response %s", print_r($assoc_response, true));
return new Auth_OpenID_FailureResponse(null, $err);
}
// OpenID 1 has funny association session behaviour.
if ($assoc_response->isOpenID1()) {
$session_type = $this->_getOpenID1SessionType($assoc_response);
} else {
$session_type = $assoc_response->getArg(Auth_OpenID_OPENID2_NS, 'session_type', Auth_OpenID_NO_DEFAULT);
if (Auth_OpenID::isFailure($session_type)) {
return $session_type;
}
}
// Session type mismatch
if ($assoc_session->session_type != $session_type) {
if ($assoc_response->isOpenID1() && $session_type == 'no-encryption') {
// In OpenID 1, any association request can result in
// a 'no-encryption' association response. Setting
// assoc_session to a new no-encryption session should
// make the rest of this function work properly for
// that case.
$assoc_session = new Auth_OpenID_PlainTextConsumerSession();
} else {
// Any other mismatch, regardless of protocol version
// results in the failure of the association session
// altogether.
return null;
}
}
// Make sure assoc_type is valid for session_type
if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
return null;
}
// Delegate to the association session to extract the secret
// from the response, however is appropriate for that session
// type.
$secret = $assoc_session->extractSecret($assoc_response);
if ($secret === null) {
return null;
}
return Auth_OpenID_Association::fromExpiresIn($expires_in, $assoc_handle, $secret, $assoc_type);
}
/**
* Parse the provider authentication policy arguments into the
* internal state of this object
*
* @param args: unqualified provider authentication policy
* arguments
*
* @param strict: Whether to return false when bad data is
* encountered
*
* @return null The data is parsed into the internal fields of
* this object.
*/
function parseExtensionArgs($args, $strict = false)
{
$policies_str = Auth_OpenID::arrayGet($args, 'auth_policies');
if ($policies_str && $policies_str != "none") {
$this->auth_policies = explode(" ", $policies_str);
}
$nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level');
if ($nist_level_str !== null) {
$nist_level = Auth_OpenID::intval($nist_level_str);
if ($nist_level === false) {
if ($strict) {
return false;
} else {
$nist_level = null;
}
}
if (0 <= $nist_level && $nist_level < 5) {
$this->nist_auth_level = $nist_level;
} else {
if ($strict) {
return false;
}
}
}
$auth_time = Auth_OpenID::arrayGet($args, 'auth_time');
if ($auth_time !== null) {
if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) {
$this->auth_time = $auth_time;
} else {
if ($strict) {
return false;
}
}
}
}
/**
* Parse attribute exchange key/value arguments into this object.
*
* @param ax_args: The attribute exchange fetch_response
* arguments, with namespacing removed.
*
* @return Auth_OpenID_AX_Error or true
*/
function parseExtensionArgs($ax_args)
{
$result = $this->_checkMode($ax_args);
if (Auth_OpenID_AX::isError($result)) {
return $result;
}
$aliases = new Auth_OpenID_NamespaceMap();
foreach ($ax_args as $key => $value) {
if (strpos($key, 'type.') === 0) {
$type_uri = $value;
$alias = substr($key, 5);
$result = Auth_OpenID_AX_checkAlias($alias);
if (Auth_OpenID_AX::isError($result)) {
return $result;
}
$alias = $aliases->addAlias($type_uri, $alias);
if ($alias === null) {
return new Auth_OpenID_AX_Error(sprintf("Could not add alias %s for URI %s", $alias, $type_uri));
}
}
}
foreach ($aliases->iteritems() as $pair) {
list($type_uri, $alias) = $pair;
if (array_key_exists('count.' . $alias, $ax_args)) {
$count_key = 'count.' . $alias;
$count_s = $ax_args[$count_key];
$count = Auth_OpenID::intval($count_s);
if ($count === false) {
return new Auth_OpenID_AX_Error(sprintf("Integer value expected for %s, got %s", 'count. %s' . $alias, $count_s, Auth_OpenID_AX_UNLIMITED_VALUES));
}
$values = array();
for ($i = 1; $i < $count + 1; $i++) {
$value_key = sprintf('value.%s.%d', $alias, $i);
if (!array_key_exists($value_key, $ax_args)) {
return new Auth_OpenID_AX_Error(sprintf("No value found for key %s", $value_key));
}
$value = $ax_args[$value_key];
$values[] = $value;
}
} else {
$key = 'value.' . $alias;
if (!array_key_exists($key, $ax_args)) {
return new Auth_OpenID_AX_Error(sprintf("No value found for key %s", $key));
}
$value = $ax_args['value.' . $alias];
if ($value == '') {
$values = array();
} else {
$values = array($value);
}
}
$this->data[$type_uri] = $values;
}
return true;
}
function getExtensionArgs()
{
$ns_args = array('auth_policies' => implode(' ', $this->auth_policies));
if ($this->nist_auth_level !== null) {
if (!in_array($this->nist_auth_level, range(0, 4), true)) {
return false;
}
$ns_args['nist_auth_level'] = strval($this->nist_auth_level);
}
if ($this->auth_age !== null) {
if ($this->auth_age < 0) {
return false;
}
$result = Auth_OpenID::intval($this->auth_age);
if ($result === false) {
return false;
}
$ns_args['auth_age'] = strval($result);
}
return $ns_args;
}