function Auth_OpenID_checkTimestamp($nonce_string,
$allowed_skew = null,
$now = null)
{
// Is the timestamp that is part of the specified nonce string
// within the allowed clock-skew of the current time?
global $Auth_OpenID_SKEW;
if ($allowed_skew === null) {
$allowed_skew = $Auth_OpenID_SKEW;
}
$parts = Auth_OpenID_splitNonce($nonce_string);
if ($parts == null) {
return false;
}
if ($now === null) {
$now = time();
}
$stamp = $parts[0];
// Time after which we should not use the nonce
$past = $now - $allowed_skew;
// Time that is too far in the future for us to allow
$future = $now + $allowed_skew;
// the stamp is not too far in the future and is not too far
// in the past
return (($past <= $stamp) && ($stamp <= $future));
}
function runTest()
{
$result = Auth_OpenID_splitNonce($this->nonce_str);
$this->assertNull($result);
}
/**
* @access private
*/
function _idResCheckNonce($message, $endpoint)
{
if ($message->isOpenID1()) {
// This indicates that the nonce was generated by the consumer
$nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
$server_url = '';
} else {
$nonce = $message->getArg(Auth_OpenID_OPENID2_NS, 'response_nonce');
$server_url = $endpoint->server_url;
}
if ($nonce === null) {
return new Auth_OpenID_FailureResponse($endpoint, "Nonce missing from response");
}
$parts = Auth_OpenID_splitNonce($nonce);
if ($parts === null) {
return new Auth_OpenID_FailureResponse($endpoint, "Malformed nonce in response");
}
list($timestamp, $salt) = $parts;
if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
return new Auth_OpenID_FailureResponse($endpoint, "Nonce already used or out of range");
}
return null;
}
function index()
{
try {
$member = Member::currentUser();
if ($member) {
// user is already logged in
return $this->redirect(OpenStackIdCommon::getRedirectBackUrl());
}
$consumer = Injector::inst()->get('MyOpenIDConsumer');
$query = Auth_OpenID::getQuery();
$message = Auth_OpenID_Message::fromPostArgs($query);
$nonce = $message->getArg(Auth_OpenID_OPENID2_NS, 'response_nonce');
list($timestamp, $salt) = Auth_OpenID_splitNonce($nonce);
$claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, 'claimed_id');
error_log(sprintf('OpenStackIdAuthenticator : id %s - salt %s - timestamp %s', $claimed_id, $salt, $timestamp));
// Complete the authentication process using the server's response.
$response = $consumer->complete(OpenStackIdCommon::getReturnTo());
if ($response->status == Auth_OpenID_CANCEL) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_CANCEL');
SS_Log::log('OpenStackIdAuthenticator : Auth_OpenID_CANCEL', SS_Log::WARN);
throw new Exception('The verification was cancelled. Please try again.');
} else {
if ($response->status == Auth_OpenID_FAILURE) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_FAILURE');
SS_Log::log('OpenStackIdAuthenticator : Auth_OpenID_FAILURE', SS_Log::WARN);
throw new Exception("The OpenID authentication failed.");
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_SUCCESS');
$openid = $response->getDisplayIdentifier();
$openid = OpenStackIdCommon::escape($openid);
if ($response->endpoint->canonicalID) {
$openid = escape($response->endpoint->canonicalID);
}
//get user info from openid response
$member = null;
list($email, $full_name) = $this->getUserProfileInfo($response);
if (!is_null($email)) {
//try to get user by email
$member = $this->member_repository->findByEmail($email);
}
if (!$member) {
// or by openid
$member = Member::get()->filter('IdentityURL', $openid)->first();
}
if ($member) {
$result = $member->canLogIn();
if ($result->valid()) {
$member->setIdentityUrl($openid);
$member->write();
$member->LogIn(true);
return $this->redirect(OpenStackIdCommon::getRedirectBackUrl());
}
throw new Exception("Inactive User!");
}
throw new Exception("The OpenID authentication failed: can not find user " . $openid);
}
}
}
} catch (Exception $ex) {
Session::set("Security.Message.message", $ex->getMessage());
Session::set("Security.Message.type", "bad");
SS_Log::log($ex, SS_Log::WARN);
return $this->redirect("Security/badlogin");
}
}
function _testNonceCleanup(&$store)
{
if (!$store->supportsCleanup()) {
return;
}
$server_url = 'http://www.myopenid.com/openid';
$now = time();
$old_nonce1 = Auth_OpenID_mkNonce($now - 20000);
$old_nonce2 = Auth_OpenID_mkNonce($now - 10000);
$recent_nonce = Auth_OpenID_mkNonce($now - 600);
global $Auth_OpenID_SKEW;
$orig_skew = $Auth_OpenID_SKEW;
$Auth_OpenID_SKEW = 0;
$store->cleanupNonces();
// Set SKEW high so stores will keep our nonces.
$Auth_OpenID_SKEW = 100000;
$params = Auth_OpenID_splitNonce($old_nonce1);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
$params = Auth_OpenID_splitNonce($old_nonce2);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
$params = Auth_OpenID_splitNonce($recent_nonce);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
$Auth_OpenID_SKEW = 3600;
$cleaned = $store->cleanupNonces();
$this->assertEquals(2, $cleaned);
// , "Cleaned %r nonces." % (cleaned,)
$Auth_OpenID_SKEW = 100000;
// A roundabout method of checking that the old nonces were
// cleaned is to see if we're allowed to add them again.
$params = Auth_OpenID_splitNonce($old_nonce1);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
$params = Auth_OpenID_splitNonce($old_nonce2);
array_unshift($params, $server_url);
$this->assertTrue(call_user_func_array(array(&$store, 'useNonce'), $params));
// The recent nonce wasn't cleaned, so it should still fail.
$params = Auth_OpenID_splitNonce($recent_nonce);
array_unshift($params, $server_url);
$this->assertFalse(call_user_func_array(array(&$store, 'useNonce'), $params));
$Auth_OpenID_SKEW = $orig_skew;
}
function test_badNonce()
{
// remove the nonce from the store
$nonce = Auth_OpenID_mkNonce();
list($timestamp, $salt) = Auth_OpenID_splitNonce($nonce);
$this->store->useNonce($this->server_url, $timestamp, $salt);
$response = Auth_OpenID_Message::fromOpenIDArgs(array('response_nonce' => $nonce, 'ns' => Auth_OpenID_OPENID2_NS));
$result = $this->consumer->_idResCheckNonce($response, $this->endpoint);
$this->assertTrue(Auth_OpenID::isFailure($result));
}
