/**
* Removes a (namespace_uri, alias) registration from the global
* namespace alias map. Returns true if the removal succeeded; false
* if not (if the mapping did not exist).
*/
function Auth_OpenID_removeNamespaceAlias($namespace_uri, $alias)
{
global $Auth_OpenID_registered_aliases;
if (Auth_OpenID::arrayGet($Auth_OpenID_registered_aliases, $alias) === $namespace_uri) {
unset($Auth_OpenID_registered_aliases[$alias]);
return true;
}
return false;
}
/**
* @access private
*/
function _verifyReturnToArgs($query)
{
// Verify that the arguments in the return_to URL are present in this
// response.
$message = Auth_OpenID_Message::fromPostArgs($query);
$return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
if (Auth_OpenID::isFailure($return_to)) {
return $return_to;
}
// XXX: this should be checked by _idResCheckForFields
if (!$return_to) {
return new Auth_OpenID_FailureResponse(null, "Response has no return_to");
}
$parsed_url = parse_url($return_to);
$q = array();
if (array_key_exists('query', $parsed_url)) {
$rt_query = $parsed_url['query'];
$q = Auth_OpenID::parse_str($rt_query);
}
foreach ($q as $rt_key => $rt_value) {
if (!array_key_exists($rt_key, $query)) {
return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key));
} else {
$value = $query[$rt_key];
if ($rt_value != $value) {
return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value));
}
}
}
// Make sure all non-OpenID arguments in the response are also
// in the signed return_to.
$bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
foreach ($bare_args as $key => $value) {
if (Auth_OpenID::arrayGet($q, $key) != $value) {
return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value));
}
}
return true;
}
/**
* @return $result Auth_OpenID_AX_Error on failure or true on
* success.
*/
function parseExtensionArgs($ax_args)
{
$result = parent::parseExtensionArgs($ax_args);
if (Auth_OpenID_AX::isError($result)) {
return $result;
}
$this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url');
return true;
}
/**
* Parse the provider authentication policy arguments into the
* internal state of this object
*
* @param args: unqualified provider authentication policy
* arguments
*
* @param strict: Whether to return false when bad data is
* encountered
*
* @return null The data is parsed into the internal fields of
* this object.
*/
function parseExtensionArgs($args, $strict = false)
{
$policies_str = Auth_OpenID::arrayGet($args, 'auth_policies');
if ($policies_str && $policies_str != "none") {
$this->auth_policies = explode(" ", $policies_str);
}
$nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level');
if ($nist_level_str !== null) {
$nist_level = Auth_OpenID::intval($nist_level_str);
if ($nist_level === false) {
if ($strict) {
return false;
} else {
$nist_level = null;
}
}
if (0 <= $nist_level && $nist_level < 5) {
$this->nist_auth_level = $nist_level;
} else {
if ($strict) {
return false;
}
}
}
$auth_time = Auth_OpenID::arrayGet($args, 'auth_time');
if ($auth_time !== null) {
if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) {
$this->auth_time = $auth_time;
} else {
if ($strict) {
return false;
}
}
}
}
/**
* @access private
*/
function _checkReturnTo($message, $return_to)
{
// Check an OpenID message and its openid.return_to value
// against a return_to URL from an application. Return True
// on success, False on failure.
// Check the openid.return_to args against args in the
// original message.
$result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs($message->toPostArgs());
if (Auth_OpenID::isFailure($result)) {
return false;
}
// Check the return_to base URL against the one in the
// message.
$msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
$return_to_parts = parse_url($return_to);
$msg_return_to_parts = parse_url($msg_return_to);
// If port is absent from both, add it so it's equal in the
// check below.
if (!array_key_exists('port', $return_to_parts) && !array_key_exists('port', $msg_return_to_parts)) {
$return_to_parts['port'] = null;
$msg_return_to_parts['port'] = null;
}
// If path is absent from both, add it so it's equal in the
// check below.
if (!array_key_exists('path', $return_to_parts) && !array_key_exists('path', $msg_return_to_parts)) {
$return_to_parts['path'] = null;
$msg_return_to_parts['path'] = null;
}
// The URL scheme, authority, and path MUST be the same
// between the two URLs.
foreach (array('scheme', 'host', 'port', 'path') as $component) {
// If the url component is absent in either URL, fail.
// There should always be a scheme, host, port, and path.
if (!array_key_exists($component, $return_to_parts)) {
return false;
}
if (!array_key_exists($component, $msg_return_to_parts)) {
return false;
}
if (Auth_OpenID::arrayGet($return_to_parts, $component) !== Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
return false;
}
}
return true;
}
function findFirstHref($link_attrs_list, $target_rel)
{
// Return the value of the href attribute for the first link
// tag in the list that has target_rel as a relationship.
// XXX: TESTME
$matches = $this->findLinksRel($link_attrs_list, $target_rel);
if (!$matches) {
return null;
}
$first = $matches[0];
return Auth_OpenID::arrayGet($first, 'href', null);
}
/**
* Get the openid.return_to argument from this response.
*
* This is useful for verifying that this request was initiated by
* this consumer.
*
* @return string $return_to The return_to URL supplied to the
* server on the initial request, or null if the response did not
* contain an 'openid.return_to' argument.
*/
function getReturnTo()
{
return Auth_OpenID::arrayGet($this->signed_args, 'openid.return_to');
}
function get($field_name, $default = null)
{
if (!Auth_OpenID_checkFieldName($field_name)) {
return null;
}
return Auth_OpenID::arrayGet($this->data, $field_name, $default);
}
function fetch($url, $body = null, $headers = null)
{
$this->fetchlog[] = array($url, $body, $headers);
$u = parse_url($url);
$proxy_host = $u['host'];
$xri = $u['path'];
$query = Auth_OpenID::arrayGet($u, 'query');
if (!$headers && !$query) {
trigger_error('Error in mock XRI fetcher: no headers or query');
}
if (Auth_Yadis_startswith($xri, '/')) {
$xri = substr($xri, 1);
}
if (array_key_exists($xri, $this->documents)) {
list($ctype, $body) = $this->documents[$xri];
$status = 200;
} else {
$status = 404;
$ctype = 'text/plain';
$body = '';
}
return new Auth_Yadis_HTTPResponse($url, $status, array('content-type' => $ctype), $body);
}
function get($handle)
{
return Auth_OpenID::arrayGet($this->assocs, $handle);
}
/**
* Parse the unqualified hybrid OAuth response parameters
* and add them to this object.
*
* This method is essentially the inverse of
* getExtensionArgs. This method restores the serialized hybrid
* OAuth response fields.
*
* If you are extracting arguments from a standard OpenID
* checkid_* response, you probably want to use fromSuccessResponse,
* which will extract the oauth namespace and arguments from the
* successful OpenID response. This method is intended for cases where the
* OpenID server needs more control over how the arguments are
* parsed than that method provides.
*
* $args = $message->getArgs($ns_uri);
* $response->parseExtensionArgs($args);
*
* $args: The unqualified hybrid OAuth arguments
*/
public function parseExtensionArgs($args)
{
$this->request_token = Auth_OpenID::arrayGet($args, 'request_token');
$this->scope = Auth_OpenID::arrayGet($args, 'scope');
return true;
}
/**
* Given an HTTP query in an array (key-value pairs), decode it
* into an Auth_OpenID_Request object.
*/
function decode($query)
{
if (!$query) {
return null;
}
$message = Auth_OpenID_Message::fromPostArgs($query);
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
if (!$mode) {
return new Auth_OpenID_ServerError($message, "No mode value in message");
}
$handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($message));
if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
return call_user_func_array(array($handlerCls, 'fromMessage'), array($message, $this->server));
} else {
return $handlerCls;
}
}
/**
* Parse the provider authentication policy arguments into the
* internal state of this object
*
* @param args: unqualified provider authentication policy
* arguments
*
* @param strict: Whether to return false when bad data is
* encountered
*
* @return null The data is parsed into the internal fields of
* this object.
*/
function parseExtensionArgs($args, $strict = false)
{
$policies_str = Auth_OpenID::arrayGet($args, 'auth_policies');
if ($policies_str) {
$this->auth_policies = explode(" ", $policies_str);
}
$nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level');
if ($nist_level_str !== null) {
$nist_level = Auth_OpenID::intval($nist_level_str);
if ($nist_level === false) {
if ($strict) {
return false;
} else {
$nist_level = null;
}
}
if (0 <= $nist_level && $nist_level < 5) {
$this->nist_auth_level = $nist_level;
} else {
if ($strict) {
return false;
}
}
}
$auth_age_str = Auth_OpenID::arrayGet($args, 'auth_age');
if ($auth_age_str !== null) {
$auth_age = Auth_OpenID::intval($auth_age_str);
if ($auth_age === false) {
if ($strict) {
return false;
}
} else {
if ($auth_age >= 0) {
$this->auth_age = $auth_age;
} else {
if ($strict) {
return false;
}
}
}
}
}
/**
* Given a {@link Auth_OpenID_Message}, return the key/value pairs
* to be signed according to the signed list in the message. If
* the message lacks a signed list, return null.
*
* @access private
*/
function _makePairs(&$message)
{
$signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
if (!$signed || Auth_OpenID::isFailure($signed)) {
// raise ValueError('Message has no signed list: %s' % (message,))
return null;
}
$signed_list = explode(',', $signed);
$pairs = array();
$data = $message->toPostArgs();
foreach ($signed_list as $field) {
$pairs[] = array($field, Auth_OpenID::arrayGet($data, 'openid.' . $field, ''));
}
return $pairs;
}
function test_signInvalidHandle()
{
$request = new Auth_OpenID_ServerRequest();
$assoc_handle = '{bogus-assoc}{notvalid}';
$request->assoc_handle = $assoc_handle;
$response = new Auth_OpenID_CheckIDResponse($request);
$response->fields = array('foo' => 'amsigned', 'bar' => 'notsigned', 'azu' => 'alsosigned');
$response->signed = array('foo', 'azu');
$sresponse = $this->signatory->sign($response);
$new_assoc_handle = Auth_OpenID::arrayGet($sresponse->fields, 'assoc_handle');
$this->assertTrue($new_assoc_handle);
$this->assertFalse($new_assoc_handle == $assoc_handle);
$this->assertEquals(Auth_OpenID::arrayGet($sresponse->fields, 'invalidate_handle'), $assoc_handle);
$this->assertEquals(Auth_OpenID::arrayGet($sresponse->fields, 'signed'), 'foo,azu');
$this->assertTrue(Auth_OpenID::arrayGet($sresponse->fields, 'sig'));
// make sure the new key is a dumb mode association
$this->assertTrue($this->store->getAssociation($this->dumb_key, $new_assoc_handle));
$this->assertFalse($this->store->getAssociation($this->normal_key, $new_assoc_handle));
}
/**
* Given an HTTP query in an array (key-value pairs), decode it
* into an Auth_OpenID_Request object.
*/
function decode($query)
{
if (!$query) {
return null;
}
$message = Auth_OpenID_Message::fromPostArgs($query);
if ($message === null) {
/*
* It's useful to have a Message attached to a
* ProtocolError, so we override the bad ns value to build
* a Message out of it. Kinda kludgy, since it's made of
* lies, but the parts that aren't lies are more useful
* than a 'None'.
*/
$old_ns = $query['openid.ns'];
$query['openid.ns'] = Auth_OpenID_OPENID2_NS;
$message = Auth_OpenID_Message::fromPostArgs($query);
return new Auth_OpenID_ServerError(
$message,
sprintf("Invalid OpenID namespace URI: %s", $old_ns));
}
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
if (!$mode) {
return new Auth_OpenID_ServerError($message,
"No mode value in message");
}
if (Auth_OpenID::isFailure($mode)) {
return new Auth_OpenID_ServerError($message,
$mode->message);
}
$handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode,
$this->defaultDecoder($message));
if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
return call_user_func_array(array($handlerCls, 'fromMessage'),
array($message, $this->server));
} else {
return $handlerCls;
}
}
/**
* Given an HTTP query in an array (key-value pairs), decode it
* into an Auth_OpenID_Request object.
*/
function decode($query)
{
if (!$query) {
return null;
}
$myquery = array();
foreach ($query as $k => $v) {
if (strpos($k, $this->prefix) === 0) {
$myquery[$k] = $v;
}
}
if (!$myquery) {
return null;
}
$mode = Auth_OpenID::arrayGet($myquery, $this->prefix . 'mode');
if (!$mode) {
return new Auth_OpenID_ServerError($query, sprintf("No %s mode found in query", $this->prefix));
}
$handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($query));
if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
return call_user_func_array(array($handlerCls, 'fromQuery'), array($query));
} else {
return $handlerCls;
}
}
function test_parseExtensionArgs()
{
$extension_args = array('mode' => 'fetch_request', 'type.' . $this->alias_a => $this->type_a, 'if_available' => $this->alias_a);
$this->msg->parseExtensionArgs($extension_args);
$this->assertEquals(array($this->type_a), $this->msg->iterTypes());
$attr_info = Auth_OpenID::arrayGet($this->msg->requested_attributes, $this->type_a);
$this->assertTrue($attr_info);
$this->assertFalse($attr_info->required);
$this->assertEquals($this->type_a, $attr_info->type_uri);
$this->assertEquals($this->alias_a, $attr_info->alias);
$this->assertEquals(array($attr_info), $this->msg->iterAttrs());
}
/**
* @access private
*/
function _verifyReturnToArgs($query)
{
// Verify that the arguments in the return_to URL are present in this
// response.
$message = Auth_OpenID_Message::fromPostArgs($query);
$return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
// modified by ben brown 2010-01-21
// for some reason the return url being specified is all jacked
//$return_to = preg_replace("/(.*?)\?.*/","$1",$return_to);
error_log("Looking at return to = {$return_to}");
if (Auth_OpenID::isFailure($return_to)) {
error_log("failing 1");
return $return_to;
}
// XXX: this should be checked by _idResCheckForFields
if (!$return_to) {
error_log("failing 2");
return new Auth_OpenID_FailureResponse(null, "Response has no return_to");
}
$parsed_url = parse_url($return_to);
error_log("parsed url: {$parsed_url}");
$q = array();
if (array_key_exists('query', $parsed_url)) {
$rt_query = $parsed_url['query'];
$q = Auth_OpenID::parse_str($rt_query);
}
foreach ($q as $rt_key => $rt_value) {
if (!array_key_exists($rt_key, $query)) {
error_log("failing 3");
return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key));
} else {
$value = $query[$rt_key];
if ($rt_value != $value) {
error_log("failing 4");
return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value));
}
}
}
// Make sure all non-OpenID arguments in the response are also
// in the signed return_to.
$bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
foreach ($bare_args as $key => $value) {
if (Auth_OpenID::arrayGet($q, $key) != $value) {
error_log("failing 5");
return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value));
}
}
return true;
}
