/** * Given an HTTP query in an array (key-value pairs), decode it * into an Auth_OpenID_Request object. */ function decode($query) { if (!$query) { return null; } $message = Auth_OpenID_Message::fromPostArgs($query); if ($message === null) { /* * It's useful to have a Message attached to a * ProtocolError, so we override the bad ns value to build * a Message out of it. Kinda kludgy, since it's made of * lies, but the parts that aren't lies are more useful * than a 'None'. */ $old_ns = $query['openid.ns']; $query['openid.ns'] = Auth_OpenID_OPENID2_NS; $message = Auth_OpenID_Message::fromPostArgs($query); return new Auth_OpenID_ServerError( $message, sprintf("Invalid OpenID namespace URI: %s", $old_ns)); } $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); if (!$mode) { return new Auth_OpenID_ServerError($message, "No mode value in message"); } if (Auth_OpenID::isFailure($mode)) { return new Auth_OpenID_ServerError($message, $mode->message); } $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($message)); if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) { return call_user_func_array(array($handlerCls, 'fromMessage'), array($message, $this->server)); } else { return $handlerCls; } }
/** * @access private */ function _verifyReturnToArgs($query) { // Verify that the arguments in the return_to URL are present in this // response. $message = Auth_OpenID_Message::fromPostArgs($query); $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); if (Auth_OpenID::isFailure($return_to)) { return $return_to; } // XXX: this should be checked by _idResCheckForFields if (!$return_to) { return new Auth_OpenID_FailureResponse(null, "Response has no return_to"); } $parsed_url = parse_url($return_to); $q = array(); if (array_key_exists('query', $parsed_url)) { $rt_query = $parsed_url['query']; $q = Auth_OpenID::parse_str($rt_query); } foreach ($q as $rt_key => $rt_value) { if (!array_key_exists($rt_key, $query)) { return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key)); } else { $value = $query[$rt_key]; if ($rt_value != $value) { return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value)); } } } // Make sure all non-OpenID arguments in the response are also // in the signed return_to. $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); foreach ($bare_args as $key => $value) { if (Auth_OpenID::arrayGet($q, $key) != $value) { return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value)); } } return true; }
function test_overrideRequired() { // Be sure that caller CANNOT change the form charset for // encoding type. $m = Auth_OpenID_Message::fromPostArgs($this->postargs); $tag_attrs = $this->form_tag_attrs; $tag_attrs['accept-charset'] = 'UCS4'; $tag_attrs['enctype'] = 'invalid/x-broken'; $html = $m->toFormMarkup($this->action_url, $tag_attrs, $this->submit_text); $this->_checkForm($html, $m, $this->action_url, $tag_attrs, $this->submit_text); }
function setUp() { $this->store = new GoodAssocStore(); $this->consumer = new Auth_OpenID_GenericConsumer($this->store); $this->consumer->discoverMethod = array($this, 'discoveryFunc'); $this->identifier = "http://idp.unittest/1337"; $this->server_url = "http://endpoint.unittest/"; $this->message = Auth_OpenID_Message::fromPostArgs(array('openid.ns' => Auth_OpenID_OPENID2_NS, 'openid.identity' => $this->identifier, 'openid.claimed_id' => $this->identifier, 'openid.op_endpoint' => $this->server_url)); $this->endpoint = new Auth_OpenID_ServiceEndpoint(); $this->endpoint->server_url = $this->server_url; }
function index() { try { $member = Member::currentUser(); if ($member) { // user is already logged in return $this->redirect(OpenStackIdCommon::getRedirectBackUrl()); } $consumer = Injector::inst()->get('MyOpenIDConsumer'); $query = Auth_OpenID::getQuery(); $message = Auth_OpenID_Message::fromPostArgs($query); $nonce = $message->getArg(Auth_OpenID_OPENID2_NS, 'response_nonce'); list($timestamp, $salt) = Auth_OpenID_splitNonce($nonce); $claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, 'claimed_id'); error_log(sprintf('OpenStackIdAuthenticator : id %s - salt %s - timestamp %s', $claimed_id, $salt, $timestamp)); // Complete the authentication process using the server's response. $response = $consumer->complete(OpenStackIdCommon::getReturnTo()); if ($response->status == Auth_OpenID_CANCEL) { error_log('OpenStackIdAuthenticator : Auth_OpenID_CANCEL'); SS_Log::log('OpenStackIdAuthenticator : Auth_OpenID_CANCEL', SS_Log::WARN); throw new Exception('The verification was cancelled. Please try again.'); } else { if ($response->status == Auth_OpenID_FAILURE) { error_log('OpenStackIdAuthenticator : Auth_OpenID_FAILURE'); SS_Log::log('OpenStackIdAuthenticator : Auth_OpenID_FAILURE', SS_Log::WARN); throw new Exception("The OpenID authentication failed."); } else { if ($response->status == Auth_OpenID_SUCCESS) { error_log('OpenStackIdAuthenticator : Auth_OpenID_SUCCESS'); $openid = $response->getDisplayIdentifier(); $openid = OpenStackIdCommon::escape($openid); if ($response->endpoint->canonicalID) { $openid = escape($response->endpoint->canonicalID); } //get user info from openid response $member = null; list($email, $full_name) = $this->getUserProfileInfo($response); if (!is_null($email)) { //try to get user by email $member = $this->member_repository->findByEmail($email); } if (!$member) { // or by openid $member = Member::get()->filter('IdentityURL', $openid)->first(); } if ($member) { $result = $member->canLogIn(); if ($result->valid()) { $member->setIdentityUrl($openid); $member->write(); $member->LogIn(true); return $this->redirect(OpenStackIdCommon::getRedirectBackUrl()); } throw new Exception("Inactive User!"); } throw new Exception("The OpenID authentication failed: can not find user " . $openid); } } } } catch (Exception $ex) { Session::set("Security.Message.message", $ex->getMessage()); Session::set("Security.Message.type", "bad"); SS_Log::log($ex, SS_Log::WARN); return $this->redirect("Security/badlogin"); } }
function test_fromPostArgs_ns11() { // An example of the stuff that some Drupal installations send us, // which includes openid.ns but is 1.1. $query = array('openid.assoc_handle' => '', 'openid.claimed_id' => 'http://foobar.invalid/', 'openid.identity' => 'http://foobar.myopenid.com', 'openid.mode' => 'checkid_setup', 'openid.ns' => 'http://openid.net/signon/1.1', 'openid.ns.sreg' => 'http://openid.net/extensions/sreg/1.1', 'openid.return_to' => 'http://drupal.invalid/return_to', 'openid.sreg.required' => 'nickname,email', 'openid.trust_root' => 'http://drupal.invalid'); $m = Auth_OpenID_Message::fromPostArgs($query); $this->assertTrue($m->isOpenID1()); }
function test_verifyAssocMismatch() { // Attempt to validate sign-all message with a signed-list // assoc. $assoc_handle = '{vroom}{zoom}'; $assoc = Auth_OpenID_Association::fromExpiresIn(60, $assoc_handle, 'sekrit', 'HMAC-SHA1'); $this->store->storeAssociation($this->dumb_key, $assoc); $signed = Auth_OpenID_Message::fromPostArgs(array('foo' => 'bar', 'apple' => 'orange', 'openid.sig' => "d71xlHtqnq98DonoSgoK/nD+QRM=")); $verified = $this->signatory->verify($assoc_handle, $signed); $this->assertFalse($verified); }
/** * Given an HTTP query in an array (key-value pairs), decode it * into an Auth_OpenID_Request object. */ function decode($query) { if (!$query) { return null; } $message = Auth_OpenID_Message::fromPostArgs($query); $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); if (!$mode) { return new Auth_OpenID_ServerError($message, "No mode value in message"); } $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($message)); if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) { return call_user_func_array(array($handlerCls, 'fromMessage'), array($message, $this->server)); } else { return $handlerCls; } }
/** * @access private */ function _verifyReturnToArgs($query) { // Verify that the arguments in the return_to URL are present in this // response. $message = Auth_OpenID_Message::fromPostArgs($query); $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); // XXX: this should be checked by _idResCheckForFields if (!$return_to) { return new Auth_OpenID_FailureResponse(null, "no openid.return_to in query"); } $parsed_url = parse_url($return_to); $q = array(); if (array_key_exists('query', $parsed_url)) { $rt_query = $parsed_url['query']; $q = Auth_OpenID::parse_str($rt_query); } foreach ($q as $rt_key => $rt_value) { if (!array_key_exists($rt_key, $query)) { return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key)); } else { $value = $query[$rt_key]; if ($rt_value != $value) { return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value)); } } } return true; }
/** * @access private */ function _verifyReturnToArgs($query) { // Verify that the arguments in the return_to URL are present in this // response. $message = Auth_OpenID_Message::fromPostArgs($query); $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); // modified by ben brown 2010-01-21 // for some reason the return url being specified is all jacked //$return_to = preg_replace("/(.*?)\?.*/","$1",$return_to); error_log("Looking at return to = {$return_to}"); if (Auth_OpenID::isFailure($return_to)) { error_log("failing 1"); return $return_to; } // XXX: this should be checked by _idResCheckForFields if (!$return_to) { error_log("failing 2"); return new Auth_OpenID_FailureResponse(null, "Response has no return_to"); } $parsed_url = parse_url($return_to); error_log("parsed url: {$parsed_url}"); $q = array(); if (array_key_exists('query', $parsed_url)) { $rt_query = $parsed_url['query']; $q = Auth_OpenID::parse_str($rt_query); } foreach ($q as $rt_key => $rt_value) { if (!array_key_exists($rt_key, $query)) { error_log("failing 3"); return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key)); } else { $value = $query[$rt_key]; if ($rt_value != $value) { error_log("failing 4"); return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value)); } } } // Make sure all non-OpenID arguments in the response are also // in the signed return_to. $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); foreach ($bare_args as $key => $value) { if (Auth_OpenID::arrayGet($q, $key) != $value) { error_log("failing 5"); return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value)); } } return true; }