/** * Removes a (namespace_uri, alias) registration from the global * namespace alias map. Returns true if the removal succeeded; false * if not (if the mapping did not exist). */ function Auth_OpenID_removeNamespaceAlias($namespace_uri, $alias) { global $Auth_OpenID_registered_aliases; if (Auth_OpenID::arrayGet($Auth_OpenID_registered_aliases, $alias) === $namespace_uri) { unset($Auth_OpenID_registered_aliases[$alias]); return true; } return false; }
/** * @access private */ function _verifyReturnToArgs($query) { // Verify that the arguments in the return_to URL are present in this // response. $message = Auth_OpenID_Message::fromPostArgs($query); $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); if (Auth_OpenID::isFailure($return_to)) { return $return_to; } // XXX: this should be checked by _idResCheckForFields if (!$return_to) { return new Auth_OpenID_FailureResponse(null, "Response has no return_to"); } $parsed_url = parse_url($return_to); $q = array(); if (array_key_exists('query', $parsed_url)) { $rt_query = $parsed_url['query']; $q = Auth_OpenID::parse_str($rt_query); } foreach ($q as $rt_key => $rt_value) { if (!array_key_exists($rt_key, $query)) { return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key)); } else { $value = $query[$rt_key]; if ($rt_value != $value) { return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value)); } } } // Make sure all non-OpenID arguments in the response are also // in the signed return_to. $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); foreach ($bare_args as $key => $value) { if (Auth_OpenID::arrayGet($q, $key) != $value) { return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value)); } } return true; }
/** * @return $result Auth_OpenID_AX_Error on failure or true on * success. */ function parseExtensionArgs($ax_args) { $result = parent::parseExtensionArgs($ax_args); if (Auth_OpenID_AX::isError($result)) { return $result; } $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); return true; }
/** * Parse the provider authentication policy arguments into the * internal state of this object * * @param args: unqualified provider authentication policy * arguments * * @param strict: Whether to return false when bad data is * encountered * * @return null The data is parsed into the internal fields of * this object. */ function parseExtensionArgs($args, $strict = false) { $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies'); if ($policies_str && $policies_str != "none") { $this->auth_policies = explode(" ", $policies_str); } $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level'); if ($nist_level_str !== null) { $nist_level = Auth_OpenID::intval($nist_level_str); if ($nist_level === false) { if ($strict) { return false; } else { $nist_level = null; } } if (0 <= $nist_level && $nist_level < 5) { $this->nist_auth_level = $nist_level; } else { if ($strict) { return false; } } } $auth_time = Auth_OpenID::arrayGet($args, 'auth_time'); if ($auth_time !== null) { if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) { $this->auth_time = $auth_time; } else { if ($strict) { return false; } } } }
/** * @access private */ function _checkReturnTo($message, $return_to) { // Check an OpenID message and its openid.return_to value // against a return_to URL from an application. Return True // on success, False on failure. // Check the openid.return_to args against args in the // original message. $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs($message->toPostArgs()); if (Auth_OpenID::isFailure($result)) { return false; } // Check the return_to base URL against the one in the // message. $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); $return_to_parts = parse_url($return_to); $msg_return_to_parts = parse_url($msg_return_to); // If port is absent from both, add it so it's equal in the // check below. if (!array_key_exists('port', $return_to_parts) && !array_key_exists('port', $msg_return_to_parts)) { $return_to_parts['port'] = null; $msg_return_to_parts['port'] = null; } // If path is absent from both, add it so it's equal in the // check below. if (!array_key_exists('path', $return_to_parts) && !array_key_exists('path', $msg_return_to_parts)) { $return_to_parts['path'] = null; $msg_return_to_parts['path'] = null; } // The URL scheme, authority, and path MUST be the same // between the two URLs. foreach (array('scheme', 'host', 'port', 'path') as $component) { // If the url component is absent in either URL, fail. // There should always be a scheme, host, port, and path. if (!array_key_exists($component, $return_to_parts)) { return false; } if (!array_key_exists($component, $msg_return_to_parts)) { return false; } if (Auth_OpenID::arrayGet($return_to_parts, $component) !== Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { return false; } } return true; }
function findFirstHref($link_attrs_list, $target_rel) { // Return the value of the href attribute for the first link // tag in the list that has target_rel as a relationship. // XXX: TESTME $matches = $this->findLinksRel($link_attrs_list, $target_rel); if (!$matches) { return null; } $first = $matches[0]; return Auth_OpenID::arrayGet($first, 'href', null); }
/** * Get the openid.return_to argument from this response. * * This is useful for verifying that this request was initiated by * this consumer. * * @return string $return_to The return_to URL supplied to the * server on the initial request, or null if the response did not * contain an 'openid.return_to' argument. */ function getReturnTo() { return Auth_OpenID::arrayGet($this->signed_args, 'openid.return_to'); }
function get($field_name, $default = null) { if (!Auth_OpenID_checkFieldName($field_name)) { return null; } return Auth_OpenID::arrayGet($this->data, $field_name, $default); }
function fetch($url, $body = null, $headers = null) { $this->fetchlog[] = array($url, $body, $headers); $u = parse_url($url); $proxy_host = $u['host']; $xri = $u['path']; $query = Auth_OpenID::arrayGet($u, 'query'); if (!$headers && !$query) { trigger_error('Error in mock XRI fetcher: no headers or query'); } if (Auth_Yadis_startswith($xri, '/')) { $xri = substr($xri, 1); } if (array_key_exists($xri, $this->documents)) { list($ctype, $body) = $this->documents[$xri]; $status = 200; } else { $status = 404; $ctype = 'text/plain'; $body = ''; } return new Auth_Yadis_HTTPResponse($url, $status, array('content-type' => $ctype), $body); }
function get($handle) { return Auth_OpenID::arrayGet($this->assocs, $handle); }
/** * Parse the unqualified hybrid OAuth response parameters * and add them to this object. * * This method is essentially the inverse of * getExtensionArgs. This method restores the serialized hybrid * OAuth response fields. * * If you are extracting arguments from a standard OpenID * checkid_* response, you probably want to use fromSuccessResponse, * which will extract the oauth namespace and arguments from the * successful OpenID response. This method is intended for cases where the * OpenID server needs more control over how the arguments are * parsed than that method provides. * * $args = $message->getArgs($ns_uri); * $response->parseExtensionArgs($args); * * $args: The unqualified hybrid OAuth arguments */ public function parseExtensionArgs($args) { $this->request_token = Auth_OpenID::arrayGet($args, 'request_token'); $this->scope = Auth_OpenID::arrayGet($args, 'scope'); return true; }
/** * Given an HTTP query in an array (key-value pairs), decode it * into an Auth_OpenID_Request object. */ function decode($query) { if (!$query) { return null; } $message = Auth_OpenID_Message::fromPostArgs($query); $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); if (!$mode) { return new Auth_OpenID_ServerError($message, "No mode value in message"); } $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($message)); if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) { return call_user_func_array(array($handlerCls, 'fromMessage'), array($message, $this->server)); } else { return $handlerCls; } }
/** * Parse the provider authentication policy arguments into the * internal state of this object * * @param args: unqualified provider authentication policy * arguments * * @param strict: Whether to return false when bad data is * encountered * * @return null The data is parsed into the internal fields of * this object. */ function parseExtensionArgs($args, $strict = false) { $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies'); if ($policies_str) { $this->auth_policies = explode(" ", $policies_str); } $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level'); if ($nist_level_str !== null) { $nist_level = Auth_OpenID::intval($nist_level_str); if ($nist_level === false) { if ($strict) { return false; } else { $nist_level = null; } } if (0 <= $nist_level && $nist_level < 5) { $this->nist_auth_level = $nist_level; } else { if ($strict) { return false; } } } $auth_age_str = Auth_OpenID::arrayGet($args, 'auth_age'); if ($auth_age_str !== null) { $auth_age = Auth_OpenID::intval($auth_age_str); if ($auth_age === false) { if ($strict) { return false; } } else { if ($auth_age >= 0) { $this->auth_age = $auth_age; } else { if ($strict) { return false; } } } } }
/** * Given a {@link Auth_OpenID_Message}, return the key/value pairs * to be signed according to the signed list in the message. If * the message lacks a signed list, return null. * * @access private */ function _makePairs(&$message) { $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); if (!$signed || Auth_OpenID::isFailure($signed)) { // raise ValueError('Message has no signed list: %s' % (message,)) return null; } $signed_list = explode(',', $signed); $pairs = array(); $data = $message->toPostArgs(); foreach ($signed_list as $field) { $pairs[] = array($field, Auth_OpenID::arrayGet($data, 'openid.' . $field, '')); } return $pairs; }
function test_signInvalidHandle() { $request = new Auth_OpenID_ServerRequest(); $assoc_handle = '{bogus-assoc}{notvalid}'; $request->assoc_handle = $assoc_handle; $response = new Auth_OpenID_CheckIDResponse($request); $response->fields = array('foo' => 'amsigned', 'bar' => 'notsigned', 'azu' => 'alsosigned'); $response->signed = array('foo', 'azu'); $sresponse = $this->signatory->sign($response); $new_assoc_handle = Auth_OpenID::arrayGet($sresponse->fields, 'assoc_handle'); $this->assertTrue($new_assoc_handle); $this->assertFalse($new_assoc_handle == $assoc_handle); $this->assertEquals(Auth_OpenID::arrayGet($sresponse->fields, 'invalidate_handle'), $assoc_handle); $this->assertEquals(Auth_OpenID::arrayGet($sresponse->fields, 'signed'), 'foo,azu'); $this->assertTrue(Auth_OpenID::arrayGet($sresponse->fields, 'sig')); // make sure the new key is a dumb mode association $this->assertTrue($this->store->getAssociation($this->dumb_key, $new_assoc_handle)); $this->assertFalse($this->store->getAssociation($this->normal_key, $new_assoc_handle)); }
/** * Given an HTTP query in an array (key-value pairs), decode it * into an Auth_OpenID_Request object. */ function decode($query) { if (!$query) { return null; } $message = Auth_OpenID_Message::fromPostArgs($query); if ($message === null) { /* * It's useful to have a Message attached to a * ProtocolError, so we override the bad ns value to build * a Message out of it. Kinda kludgy, since it's made of * lies, but the parts that aren't lies are more useful * than a 'None'. */ $old_ns = $query['openid.ns']; $query['openid.ns'] = Auth_OpenID_OPENID2_NS; $message = Auth_OpenID_Message::fromPostArgs($query); return new Auth_OpenID_ServerError( $message, sprintf("Invalid OpenID namespace URI: %s", $old_ns)); } $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); if (!$mode) { return new Auth_OpenID_ServerError($message, "No mode value in message"); } if (Auth_OpenID::isFailure($mode)) { return new Auth_OpenID_ServerError($message, $mode->message); } $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($message)); if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) { return call_user_func_array(array($handlerCls, 'fromMessage'), array($message, $this->server)); } else { return $handlerCls; } }
/** * Given an HTTP query in an array (key-value pairs), decode it * into an Auth_OpenID_Request object. */ function decode($query) { if (!$query) { return null; } $myquery = array(); foreach ($query as $k => $v) { if (strpos($k, $this->prefix) === 0) { $myquery[$k] = $v; } } if (!$myquery) { return null; } $mode = Auth_OpenID::arrayGet($myquery, $this->prefix . 'mode'); if (!$mode) { return new Auth_OpenID_ServerError($query, sprintf("No %s mode found in query", $this->prefix)); } $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($query)); if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) { return call_user_func_array(array($handlerCls, 'fromQuery'), array($query)); } else { return $handlerCls; } }
function test_parseExtensionArgs() { $extension_args = array('mode' => 'fetch_request', 'type.' . $this->alias_a => $this->type_a, 'if_available' => $this->alias_a); $this->msg->parseExtensionArgs($extension_args); $this->assertEquals(array($this->type_a), $this->msg->iterTypes()); $attr_info = Auth_OpenID::arrayGet($this->msg->requested_attributes, $this->type_a); $this->assertTrue($attr_info); $this->assertFalse($attr_info->required); $this->assertEquals($this->type_a, $attr_info->type_uri); $this->assertEquals($this->alias_a, $attr_info->alias); $this->assertEquals(array($attr_info), $this->msg->iterAttrs()); }
/** * @access private */ function _verifyReturnToArgs($query) { // Verify that the arguments in the return_to URL are present in this // response. $message = Auth_OpenID_Message::fromPostArgs($query); $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); // modified by ben brown 2010-01-21 // for some reason the return url being specified is all jacked //$return_to = preg_replace("/(.*?)\?.*/","$1",$return_to); error_log("Looking at return to = {$return_to}"); if (Auth_OpenID::isFailure($return_to)) { error_log("failing 1"); return $return_to; } // XXX: this should be checked by _idResCheckForFields if (!$return_to) { error_log("failing 2"); return new Auth_OpenID_FailureResponse(null, "Response has no return_to"); } $parsed_url = parse_url($return_to); error_log("parsed url: {$parsed_url}"); $q = array(); if (array_key_exists('query', $parsed_url)) { $rt_query = $parsed_url['query']; $q = Auth_OpenID::parse_str($rt_query); } foreach ($q as $rt_key => $rt_value) { if (!array_key_exists($rt_key, $query)) { error_log("failing 3"); return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key)); } else { $value = $query[$rt_key]; if ($rt_value != $value) { error_log("failing 4"); return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value)); } } } // Make sure all non-OpenID arguments in the response are also // in the signed return_to. $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); foreach ($bare_args as $key => $value) { if (Auth_OpenID::arrayGet($q, $key) != $value) { error_log("failing 5"); return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value)); } } return true; }