function test_mkSplit()
{
$t = 42;
$nonce_str = Auth_OpenID_mkNonce($t);
$this->assertTrue(preg_match(Tests_Auth_OpenID_nonce_re, $nonce_str));
list($et, $salt) = Auth_OpenID_splitNonce($nonce_str);
$this->assertEquals(6, strlen($salt));
$this->assertEquals($et, $t);
}
/**
* Respond to this request. Return either an
* {@link Auth_OpenID_ServerResponse} or
* {@link Auth_OpenID_ServerError}.
*
* @param bool $allow Allow this user to claim this identity, and
* allow the consumer to have this information?
*
* @param string $server_url DEPRECATED. Passing $op_endpoint to
* the {@link Auth_OpenID_Server} constructor makes this optional.
*
* When an OpenID 1.x immediate mode request does not succeed, it
* gets back a URL where the request may be carried out in a
* not-so-immediate fashion. Pass my URL in here (the fully
* qualified address of this server's endpoint, i.e.
* https://example.com/server), and I will use it as a base for the
* URL for a new request.
*
* Optional for requests where {@link $immediate} is false or
* $allow is true.
*
* @param string $identity The OP-local identifier to answer with.
* Only for use when the relying party requested identifier
* selection.
*
* @param string $claimed_id The claimed identifier to answer
* with, for use with identifier selection in the case where the
* claimed identifier and the OP-local identifier differ,
* i.e. when the claimed_id uses delegation.
*
* If $identity is provided but this is not, $claimed_id will
* default to the value of $identity. When answering requests
* that did not ask for identifier selection, the response
* $claimed_id will default to that of the request.
*
* This parameter is new in OpenID 2.0.
*
* @return mixed
*/
function answer($allow, $server_url = null, $identity = null,
$claimed_id = null)
{
if (!$this->return_to) {
return new Auth_OpenID_NoReturnToError();
}
if (!$server_url) {
if ((!$this->message->isOpenID1()) &&
(!$this->server->op_endpoint)) {
return new Auth_OpenID_ServerError(null,
"server should be constructed with op_endpoint to " .
"respond to OpenID 2.0 messages.");
}
$server_url = $this->server->op_endpoint;
}
if ($allow) {
$mode = 'id_res';
} else if ($this->message->isOpenID1()) {
if ($this->immediate) {
$mode = 'id_res';
} else {
$mode = 'cancel';
}
} else {
if ($this->immediate) {
$mode = 'setup_needed';
} else {
$mode = 'cancel';
}
}
if (!$this->trustRootValid()) {
return new Auth_OpenID_UntrustedReturnURL(null,
$this->return_to,
$this->trust_root);
}
$response = new Auth_OpenID_ServerResponse($this);
if ($claimed_id &&
($this->message->isOpenID1())) {
return new Auth_OpenID_ServerError(null,
"claimed_id is new in OpenID 2.0 and not " .
"available for ".$this->namespace);
}
if ($identity && !$claimed_id) {
$claimed_id = $identity;
}
if ($allow) {
if ($this->identity == Auth_OpenID_IDENTIFIER_SELECT) {
if (!$identity) {
return new Auth_OpenID_ServerError(null,
"This request uses IdP-driven identifier selection. " .
"You must supply an identifier in the response.");
}
$response_identity = $identity;
$response_claimed_id = $claimed_id;
} else if ($this->identity) {
if ($identity &&
($this->identity != $identity)) {
$fmt = "Request was for %s, cannot reply with identity %s";
return new Auth_OpenID_ServerError(null,
sprintf($fmt, $this->identity, $identity));
}
$response_identity = $this->identity;
$response_claimed_id = $this->claimed_id;
} else {
if ($identity) {
return new Auth_OpenID_ServerError(null,
"This request specified no identity and " .
"you supplied ".$identity);
}
$response_identity = null;
}
if (($this->message->isOpenID1()) &&
($response_identity === null)) {
return new Auth_OpenID_ServerError(null,
"Request was an OpenID 1 request, so response must " .
"include an identifier.");
}
$response->fields->updateArgs(Auth_OpenID_OPENID_NS,
array('mode' => $mode,
'return_to' => $this->return_to,
'response_nonce' => Auth_OpenID_mkNonce()));
if (!$this->message->isOpenID1()) {
$response->fields->setArg(Auth_OpenID_OPENID_NS,
'op_endpoint', $server_url);
}
if ($response_identity !== null) {
$response->fields->setArg(
Auth_OpenID_OPENID_NS,
'identity',
$response_identity);
if ($this->message->isOpenID2()) {
$response->fields->setArg(
Auth_OpenID_OPENID_NS,
'claimed_id',
$response_claimed_id);
}
}
} else {
$response->fields->setArg(Auth_OpenID_OPENID_NS,
'mode', $mode);
if ($this->immediate) {
if (($this->message->isOpenID1()) &&
(!$server_url)) {
return new Auth_OpenID_ServerError(null,
'setup_url is required for $allow=false \
in OpenID 1.x immediate mode.');
}
$setup_request =& new Auth_OpenID_CheckIDRequest(
$this->identity,
$this->return_to,
$this->trust_root,
false,
$this->assoc_handle,
$this->server,
$this->claimed_id);
$setup_request->message = $this->message;
$setup_url = $setup_request->encodeToURL($server_url);
if ($setup_url === null) {
return new Auth_OpenID_NoReturnToError();
}
$response->fields->setArg(Auth_OpenID_OPENID_NS,
'user_setup_url',
$setup_url);
}
}
return $response;
}
/**
* Called to begin OpenID authentication using the specified
* {@link Auth_OpenID_ServiceEndpoint}.
*
* @access private
*/
function begin($service_endpoint)
{
$assoc = $this->_getAssociation($service_endpoint);
$r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
$r->return_to_args[$this->openid1_nonce_query_arg_name] = Auth_OpenID_mkNonce();
if ($r->message->isOpenID1()) {
$r->return_to_args[$this->openid1_return_to_identifier_name] = $r->endpoint->claimed_id;
}
return $r;
}
function _testNonceCleanup(&$store)
{
if (!$store->supportsCleanup()) {
return;
}
$server_url = 'http://www.myopenid.com/openid';
$now = time();
$old_nonce1 = Auth_OpenID_mkNonce($now - 20000);
$old_nonce2 = Auth_OpenID_mkNonce($now - 10000);
$recent_nonce = Auth_OpenID_mkNonce($now - 600);
global $Auth_OpenID_SKEW;
$orig_skew = $Auth_OpenID_SKEW;
$Auth_OpenID_SKEW = 0;
$store->cleanupNonces();
// Set SKEW high so stores will keep our nonces.
$Auth_OpenID_SKEW = 100000;
$params = Auth_OpenID_splitNonce($old_nonce1);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
$params = Auth_OpenID_splitNonce($old_nonce2);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
$params = Auth_OpenID_splitNonce($recent_nonce);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
$Auth_OpenID_SKEW = 3600;
$cleaned = $store->cleanupNonces();
$this->assertEquals(2, $cleaned);
// , "Cleaned %r nonces." % (cleaned,)
$Auth_OpenID_SKEW = 100000;
// A roundabout method of checking that the old nonces were
// cleaned is to see if we're allowed to add them again.
$params = Auth_OpenID_splitNonce($old_nonce1);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
$params = Auth_OpenID_splitNonce($old_nonce2);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
// The recent nonce wasn't cleaned, so it should still fail.
$params = Auth_OpenID_splitNonce($recent_nonce);
array_unshift($params, $server_url);
$this->assertFalse(call_user_func_array(array(&$store, 'useNonce'), $params));
$Auth_OpenID_SKEW = $orig_skew;
}
function setUp()
{
global $GOODSIG;
$this->store = new GoodAssocStore();
$this->consumer = new ConfigurableConsumer($this->store);
$this->server_url = "http://idp.unittest/";
$claimed_id = 'bogus.claimed';
$this->message = Auth_OpenID_Message::fromOpenIDArgs(array('mode' => 'id_res', 'return_to' => 'return_to (just anything)', 'identity' => $claimed_id, 'assoc_handle' => 'does not matter', 'sig' => $GOODSIG, 'response_nonce' => Auth_OpenID_mkNonce(), 'signed' => 'identity,return_to,response_nonce,assoc_handle,claimed_id,op_endpoint', 'claimed_id' => $claimed_id, 'op_endpoint' => $this->server_url, 'ns' => Auth_OpenID_OPENID2_NS));
$this->endpoint = new Auth_OpenID_ServiceEndpoint();
$this->endpoint->server_url = $this->server_url;
$this->endpoint->claimed_id = $claimed_id;
$this->consumer->disableReturnToChecking();
}
/**
* Called to begin OpenID authentication using the specified
* {@link Auth_OpenID_ServiceEndpoint}.
*
* @access private
*/
function begin($service_endpoint)
{
$assoc = $this->_getAssociation($service_endpoint);
$r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
$r->return_to_args[$this->openid1_nonce_query_arg_name] = Auth_OpenID_mkNonce();
return $r;
}
