public function executeTrust(sfWebRequest $request) { opApplicationConfiguration::registerJanRainOpenID(); require_once 'Auth/OpenID/Server.php'; require_once 'Auth/OpenID/FileStore.php'; require_once 'Auth/OpenID/SReg.php'; require_once 'Auth/OpenID/AX.php'; $info = unserialize($_SESSION['request']); $this->forward404Unless($info); $trusted = $request->hasParameter('trust') || $request->hasParameter('permanent'); if (!$trusted) { unset($_SESSION['request']); $url = $info->getCancelURL(); $this->redirect($url); } $reqUrl = $this->getController()->genUrl('OpenID/member?id=' . $this->getUser()->getMemberId(), true); if (!$info->idSelect()) { $this->forward404Unless($reqUrl === $info->identity, 'request:' . $reqUrl . '/identity:' . $info->identity); } unset($_SESSION['request']); $server = new Auth_OpenID_Server(new Auth_OpenID_FileStore(sfConfig::get('sf_cache_dir')), $info->identity); $response = $info->answer(true, null, $reqUrl); $sregRequest = Auth_OpenID_SRegRequest::fromOpenIDRequest($info); $axRequest = Auth_OpenID_AX_FetchRequest::fromOpenIDRequest($info); $allowedProfiles = $request->getParameter('profiles', array()); $requiredProfiles = $this->createListOfRequestedProfiles($sregRequest, $axRequest); $rejectedProfiles = array_diff_key($requiredProfiles, array_flip($allowedProfiles)); if (in_array(true, $rejectedProfiles)) { $url = $info->getCancelURL(); $this->redirect($url); } if ($sregRequest) { $sregExchange = new opOpenIDProfileExchange('sreg', $this->getUser()->getMember()); $sregResp = Auth_OpenID_SRegResponse::extractResponse($sregRequest, $sregExchange->getData($allowedProfiles)); $response->addExtension($sregResp); } if ($axRequest && !$axRequest instanceof Auth_OpenID_AX_Error) { $axResp = new Auth_OpenID_AX_FetchResponse(); $axExchange = new opOpenIDProfileExchange('ax', $this->getUser()->getMember()); $userData = $axExchange->getData($allowedProfiles); foreach ($axRequest->requested_attributes as $k => $v) { if (!empty($userData[$k])) { $axResp->addValue($k, $userData[$k]); } } $response->addExtension($axResp); } $log = Doctrine::getTable('OpenIDTrustLog')->log($info->trust_root, $this->getUser()->getMemberId()); if ($request->hasParameter('permanent')) { $log->is_permanent = true; $log->save(); } $response = $server->encodeResponse($response); return $this->writeResponse($response); }
function test_openidUpdateURLVerificationSuccessReturnTo() { $openid_req_msg = Auth_OpenID_Message::fromOpenIDArgs(array('mode' => 'checkid_setup', 'ns' => Auth_OpenID_OPENID2_NS, 'return_to' => 'http://example.com/realm', 'ns.ax' => Auth_OpenID_AX_NS_URI, 'ax.update_url' => 'http://example.com/realm/update_path', 'ax.mode' => 'fetch_request')); $openid_req = new Auth_OpenID_Request(); $openid_req->message =& $openid_req_msg; $fr = Auth_OpenID_AX_FetchRequest::fromOpenIDRequest($openid_req); $this->assertFalse(Auth_OpenID_AX::isError($fr)); }
function send_geni_user($server, $info) { $geni_user = geni_loadUser(); $req_url = idURL($geni_user->username); $response =& $info->answer(true, null, $req_url); // Answer with some sample Simple Registration data. global $portal_cert_file; global $portal_private_key_file; $sreg_data = array(); if ($geni_user) { $sreg_data['nickname'] = $geni_user->username; $sreg_data['email'] = $geni_user->email(); } if (empty($sreg_data)) { error_log("OpenID: Unable to access user information."); } // Add the simple registration response values to the OpenID // response message. $sreg_request = Auth_OpenID_SRegRequest::fromOpenIDRequest($info); $sreg_response = Auth_OpenID_SRegResponse::extractResponse($sreg_request, $sreg_data); $sreg_response->toMessage($response->fields); /* * Attribute Exchange (AX) is an OpenID extension to pass additional * attributes. This code was derived by looking at some client * examples and the AX code. No server-side examples of PHP OpenID * AX were found. * * AX seems to be fragile. Small changes to the code below can * result in authentication failures. * * The user URN has '+' characters but these consistently caused * authentication failures in testing. Replacing the '+' with '|' * worked, so that is a necessary transformation below. */ $ax_request = Auth_OpenID_AX_FetchRequest::fromOpenIDRequest($info); if ($ax_request and !Auth_OpenID_AX::isError($ax_request)) { /* error_log("received AX request: " . print_r($ax_request, true)); */ $ax_response = new Auth_OpenID_AX_FetchResponse(); add_project_slice_info($geni_user, $projects, $slices); foreach ($ax_request->iterTypes() as $ax_req_type) { switch ($ax_req_type) { case 'http://geni.net/projects': $ax_response->setValues($ax_req_type, $projects); break; case 'http://geni.net/slices': $ax_response->setValues($ax_req_type, $slices); break; case 'http://geni.net/user/urn': $urn = $geni_user->urn(); $urn = str_replace('+', '|', $urn); $ax_response->addValue('http://geni.net/user/urn', $urn); break; case 'http://geni.net/user/prettyname': $ax_response->addValue($ax_req_type, $geni_user->prettyName()); break; case 'http://geni.net/wimax/username': case 'http://geni.net/wimax/wimax_username': $wimax_name = null; if (isset($geni_user->ma_member->wimax_username)) { $wimax_name = $geni_user->ma_member->wimax_username; } /* Only send wimax name if it exists. */ if ($wimax_name) { $ax_response->addValue($ax_req_type, $wimax_name); } break; case 'http://geni.net/irods/username': /* Get the iRODS username. Do we need to respect the * 'irods_enabled' flag? */ $irods_username = null; if (isset($geni_user->ma_member->irods_username)) { $irods_username = $geni_user->ma_member->irods_username; } /* Only send it if it exists. */ if ($irods_username) { error_log("Returning iRODS username {$irods_username} for user " . $geni_user->urn()); $ax_response->addValue($ax_req_type, $irods_username); } else { error_log("No iRODS username in OpenID for user " . $geni_user->urn()); } break; case 'http://geni.net/irods/zone': /* Get the IRods zone for this user. */ $irods_zone = irods_default_zone(); /* Only send it if it exists. */ if ($irods_zone) { error_log("Returning iRODS zone {$irods_zone} for user " . $geni_user->urn()); $ax_response->addValue($ax_req_type, $irods_zone); } else { error_log("No iRODS zone in OpenID for user " . $geni_user->urn()); } break; } } $ax_response->toMessage($response->fields); } // Generate a response to send to the user agent. $webresponse =& $server->encodeResponse($response); $new_headers = array(); foreach ($webresponse->headers as $k => $v) { $new_headers[] = $k . ": " . $v; } return array($new_headers, $webresponse->body); }