function test_mkSplit() { $t = 42; $nonce_str = Auth_OpenID_mkNonce($t); $this->assertTrue(preg_match(Tests_Auth_OpenID_nonce_re, $nonce_str)); list($et, $salt) = Auth_OpenID_splitNonce($nonce_str); $this->assertEquals(6, strlen($salt)); $this->assertEquals($et, $t); }
/** * Respond to this request. Return either an * {@link Auth_OpenID_ServerResponse} or * {@link Auth_OpenID_ServerError}. * * @param bool $allow Allow this user to claim this identity, and * allow the consumer to have this information? * * @param string $server_url DEPRECATED. Passing $op_endpoint to * the {@link Auth_OpenID_Server} constructor makes this optional. * * When an OpenID 1.x immediate mode request does not succeed, it * gets back a URL where the request may be carried out in a * not-so-immediate fashion. Pass my URL in here (the fully * qualified address of this server's endpoint, i.e. * https://example.com/server), and I will use it as a base for the * URL for a new request. * * Optional for requests where {@link $immediate} is false or * $allow is true. * * @param string $identity The OP-local identifier to answer with. * Only for use when the relying party requested identifier * selection. * * @param string $claimed_id The claimed identifier to answer * with, for use with identifier selection in the case where the * claimed identifier and the OP-local identifier differ, * i.e. when the claimed_id uses delegation. * * If $identity is provided but this is not, $claimed_id will * default to the value of $identity. When answering requests * that did not ask for identifier selection, the response * $claimed_id will default to that of the request. * * This parameter is new in OpenID 2.0. * * @return mixed */ function answer($allow, $server_url = null, $identity = null, $claimed_id = null) { if (!$this->return_to) { return new Auth_OpenID_NoReturnToError(); } if (!$server_url) { if ((!$this->message->isOpenID1()) && (!$this->server->op_endpoint)) { return new Auth_OpenID_ServerError(null, "server should be constructed with op_endpoint to " . "respond to OpenID 2.0 messages."); } $server_url = $this->server->op_endpoint; } if ($allow) { $mode = 'id_res'; } else if ($this->message->isOpenID1()) { if ($this->immediate) { $mode = 'id_res'; } else { $mode = 'cancel'; } } else { if ($this->immediate) { $mode = 'setup_needed'; } else { $mode = 'cancel'; } } if (!$this->trustRootValid()) { return new Auth_OpenID_UntrustedReturnURL(null, $this->return_to, $this->trust_root); } $response = new Auth_OpenID_ServerResponse($this); if ($claimed_id && ($this->message->isOpenID1())) { return new Auth_OpenID_ServerError(null, "claimed_id is new in OpenID 2.0 and not " . "available for ".$this->namespace); } if ($identity && !$claimed_id) { $claimed_id = $identity; } if ($allow) { if ($this->identity == Auth_OpenID_IDENTIFIER_SELECT) { if (!$identity) { return new Auth_OpenID_ServerError(null, "This request uses IdP-driven identifier selection. " . "You must supply an identifier in the response."); } $response_identity = $identity; $response_claimed_id = $claimed_id; } else if ($this->identity) { if ($identity && ($this->identity != $identity)) { $fmt = "Request was for %s, cannot reply with identity %s"; return new Auth_OpenID_ServerError(null, sprintf($fmt, $this->identity, $identity)); } $response_identity = $this->identity; $response_claimed_id = $this->claimed_id; } else { if ($identity) { return new Auth_OpenID_ServerError(null, "This request specified no identity and " . "you supplied ".$identity); } $response_identity = null; } if (($this->message->isOpenID1()) && ($response_identity === null)) { return new Auth_OpenID_ServerError(null, "Request was an OpenID 1 request, so response must " . "include an identifier."); } $response->fields->updateArgs(Auth_OpenID_OPENID_NS, array('mode' => $mode, 'return_to' => $this->return_to, 'response_nonce' => Auth_OpenID_mkNonce())); if (!$this->message->isOpenID1()) { $response->fields->setArg(Auth_OpenID_OPENID_NS, 'op_endpoint', $server_url); } if ($response_identity !== null) { $response->fields->setArg( Auth_OpenID_OPENID_NS, 'identity', $response_identity); if ($this->message->isOpenID2()) { $response->fields->setArg( Auth_OpenID_OPENID_NS, 'claimed_id', $response_claimed_id); } } } else { $response->fields->setArg(Auth_OpenID_OPENID_NS, 'mode', $mode); if ($this->immediate) { if (($this->message->isOpenID1()) && (!$server_url)) { return new Auth_OpenID_ServerError(null, 'setup_url is required for $allow=false \ in OpenID 1.x immediate mode.'); } $setup_request =& new Auth_OpenID_CheckIDRequest( $this->identity, $this->return_to, $this->trust_root, false, $this->assoc_handle, $this->server, $this->claimed_id); $setup_request->message = $this->message; $setup_url = $setup_request->encodeToURL($server_url); if ($setup_url === null) { return new Auth_OpenID_NoReturnToError(); } $response->fields->setArg(Auth_OpenID_OPENID_NS, 'user_setup_url', $setup_url); } } return $response; }
/** * Called to begin OpenID authentication using the specified * {@link Auth_OpenID_ServiceEndpoint}. * * @access private */ function begin($service_endpoint) { $assoc = $this->_getAssociation($service_endpoint); $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); $r->return_to_args[$this->openid1_nonce_query_arg_name] = Auth_OpenID_mkNonce(); if ($r->message->isOpenID1()) { $r->return_to_args[$this->openid1_return_to_identifier_name] = $r->endpoint->claimed_id; } return $r; }
function _testNonceCleanup(&$store) { if (!$store->supportsCleanup()) { return; } $server_url = 'http://www.myopenid.com/openid'; $now = time(); $old_nonce1 = Auth_OpenID_mkNonce($now - 20000); $old_nonce2 = Auth_OpenID_mkNonce($now - 10000); $recent_nonce = Auth_OpenID_mkNonce($now - 600); global $Auth_OpenID_SKEW; $orig_skew = $Auth_OpenID_SKEW; $Auth_OpenID_SKEW = 0; $store->cleanupNonces(); // Set SKEW high so stores will keep our nonces. $Auth_OpenID_SKEW = 100000; $params = Auth_OpenID_splitNonce($old_nonce1); array_unshift($params, $server_url); $this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params)); $params = Auth_OpenID_splitNonce($old_nonce2); array_unshift($params, $server_url); $this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params)); $params = Auth_OpenID_splitNonce($recent_nonce); array_unshift($params, $server_url); $this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params)); $Auth_OpenID_SKEW = 3600; $cleaned = $store->cleanupNonces(); $this->assertEquals(2, $cleaned); // , "Cleaned %r nonces." % (cleaned,) $Auth_OpenID_SKEW = 100000; // A roundabout method of checking that the old nonces were // cleaned is to see if we're allowed to add them again. $params = Auth_OpenID_splitNonce($old_nonce1); array_unshift($params, $server_url); $this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params)); $params = Auth_OpenID_splitNonce($old_nonce2); array_unshift($params, $server_url); $this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params)); // The recent nonce wasn't cleaned, so it should still fail. $params = Auth_OpenID_splitNonce($recent_nonce); array_unshift($params, $server_url); $this->assertFalse(call_user_func_array(array(&$store, 'useNonce'), $params)); $Auth_OpenID_SKEW = $orig_skew; }
function setUp() { global $GOODSIG; $this->store = new GoodAssocStore(); $this->consumer = new ConfigurableConsumer($this->store); $this->server_url = "http://idp.unittest/"; $claimed_id = 'bogus.claimed'; $this->message = Auth_OpenID_Message::fromOpenIDArgs(array('mode' => 'id_res', 'return_to' => 'return_to (just anything)', 'identity' => $claimed_id, 'assoc_handle' => 'does not matter', 'sig' => $GOODSIG, 'response_nonce' => Auth_OpenID_mkNonce(), 'signed' => 'identity,return_to,response_nonce,assoc_handle,claimed_id,op_endpoint', 'claimed_id' => $claimed_id, 'op_endpoint' => $this->server_url, 'ns' => Auth_OpenID_OPENID2_NS)); $this->endpoint = new Auth_OpenID_ServiceEndpoint(); $this->endpoint->server_url = $this->server_url; $this->endpoint->claimed_id = $claimed_id; $this->consumer->disableReturnToChecking(); }
/** * Called to begin OpenID authentication using the specified * {@link Auth_OpenID_ServiceEndpoint}. * * @access private */ function begin($service_endpoint) { $assoc = $this->_getAssociation($service_endpoint); $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); $r->return_to_args[$this->openid1_nonce_query_arg_name] = Auth_OpenID_mkNonce(); return $r; }