function test_fromSuccessResponse()
{
$name = "ziggy";
$value = "stardust";
$uri = "http://david.bowie.name/";
$args = array('mode' => 'id_res', 'ns' => Auth_OpenID_OPENID2_NS, 'ns.ax' => Auth_OpenID_AX_NS_URI, 'ax.mode' => 'fetch_response', 'ax.update_url' => 'http://example.com/realm/update_path', 'ax.type.' . $name => $uri, 'ax.count.' . $name => '1', 'ax.value.' . $name . '.1' => $value);
$sf = array();
foreach (array_keys($args) as $k) {
array_push($sf, $k);
}
$msg = Auth_OpenID_Message::fromOpenIDArgs($args);
$e = new FauxEndpoint();
$resp = new Auth_OpenID_SuccessResponse($e, $msg, $sf);
$ax_resp = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($resp, false);
$this->assertFalse($ax_resp === null);
$this->assertTrue(is_a($ax_resp, 'Auth_OpenID_AX_FetchResponse'));
$values = $ax_resp->get($uri);
$this->assertEquals(array($value), $values);
}
function test_overrideRequired()
{
// Be sure that caller CANNOT change the form charset for
// encoding type.
$m = Auth_OpenID_Message::fromPostArgs($this->postargs);
$tag_attrs = $this->form_tag_attrs;
$tag_attrs['accept-charset'] = 'UCS4';
$tag_attrs['enctype'] = 'invalid/x-broken';
$html = $m->toFormMarkup($this->action_url, $tag_attrs, $this->submit_text);
$this->_checkForm($html, $m, $this->action_url, $tag_attrs, $this->submit_text);
}
/**
* Given an HTTP query in an array (key-value pairs), decode it
* into an Auth_OpenID_Request object.
*/
function decode($query)
{
if (!$query) {
return null;
}
$message = Auth_OpenID_Message::fromPostArgs($query);
if ($message === null) {
/*
* It's useful to have a Message attached to a
* ProtocolError, so we override the bad ns value to build
* a Message out of it. Kinda kludgy, since it's made of
* lies, but the parts that aren't lies are more useful
* than a 'None'.
*/
$old_ns = $query['openid.ns'];
$query['openid.ns'] = Auth_OpenID_OPENID2_NS;
$message = Auth_OpenID_Message::fromPostArgs($query);
return new Auth_OpenID_ServerError(
$message,
sprintf("Invalid OpenID namespace URI: %s", $old_ns));
}
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
if (!$mode) {
return new Auth_OpenID_ServerError($message,
"No mode value in message");
}
if (Auth_OpenID::isFailure($mode)) {
return new Auth_OpenID_ServerError($message,
$mode->message);
}
$handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode,
$this->defaultDecoder($message));
if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
return call_user_func_array(array($handlerCls, 'fromMessage'),
array($message, $this->server));
} else {
return $handlerCls;
}
}
function fromKVForm($kvform_string)
{
// Create a Message from a KVForm string
return Auth_OpenID_Message::fromOpenIDArgs(Auth_OpenID_KVForm::toArray($kvform_string));
}
/**
* @access private
*/
function _createAssociateRequest($endpoint, $assoc_type, $session_type)
{
if (array_key_exists($session_type, $this->session_types)) {
$session_type_class = $this->session_types[$session_type];
if (is_callable($session_type_class)) {
$assoc_session = $session_type_class();
} else {
$assoc_session = new $session_type_class();
}
} else {
return null;
}
$args = array('mode' => 'associate', 'assoc_type' => $assoc_type);
if (!$endpoint->compatibilityMode()) {
$args['ns'] = Auth_OpenID_OPENID2_NS;
}
// Leave out the session type if we're in compatibility mode
// *and* it's no-encryption.
if (!$endpoint->compatibilityMode() || $assoc_session->session_type != 'no-encryption') {
$args['session_type'] = $assoc_session->session_type;
}
$args = array_merge($args, $assoc_session->getRequest());
$message = Auth_OpenID_Message::fromOpenIDArgs($args);
return array($assoc_session, $message);
}
function test_200()
{
$response = new Auth_Yadis_HTTPResponse();
$response->status = 200;
$response->body = "foo:bar\nbaz:quux\n";
$r = Auth_OpenID_GenericConsumer::_httpResponseToMessage($response, $this->server_url);
$expected_msg = Auth_OpenID_Message::fromOpenIDArgs(array('foo' => 'bar', 'baz' => 'quux'));
$this->assertEquals($expected_msg, $r);
}
function index()
{
try {
$member = Member::currentUser();
if ($member) {
// user is already logged in
return $this->redirect(OpenStackIdCommon::getRedirectBackUrl());
}
$consumer = Injector::inst()->get('MyOpenIDConsumer');
$query = Auth_OpenID::getQuery();
$message = Auth_OpenID_Message::fromPostArgs($query);
$nonce = $message->getArg(Auth_OpenID_OPENID2_NS, 'response_nonce');
list($timestamp, $salt) = Auth_OpenID_splitNonce($nonce);
$claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, 'claimed_id');
error_log(sprintf('OpenStackIdAuthenticator : id %s - salt %s - timestamp %s', $claimed_id, $salt, $timestamp));
// Complete the authentication process using the server's response.
$response = $consumer->complete(OpenStackIdCommon::getReturnTo());
if ($response->status == Auth_OpenID_CANCEL) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_CANCEL');
SS_Log::log('OpenStackIdAuthenticator : Auth_OpenID_CANCEL', SS_Log::WARN);
throw new Exception('The verification was cancelled. Please try again.');
} else {
if ($response->status == Auth_OpenID_FAILURE) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_FAILURE');
SS_Log::log('OpenStackIdAuthenticator : Auth_OpenID_FAILURE', SS_Log::WARN);
throw new Exception("The OpenID authentication failed.");
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_SUCCESS');
$openid = $response->getDisplayIdentifier();
$openid = OpenStackIdCommon::escape($openid);
if ($response->endpoint->canonicalID) {
$openid = escape($response->endpoint->canonicalID);
}
//get user info from openid response
$member = null;
list($email, $full_name) = $this->getUserProfileInfo($response);
if (!is_null($email)) {
//try to get user by email
$member = $this->member_repository->findByEmail($email);
}
if (!$member) {
// or by openid
$member = Member::get()->filter('IdentityURL', $openid)->first();
}
if ($member) {
$result = $member->canLogIn();
if ($result->valid()) {
$member->setIdentityUrl($openid);
$member->write();
$member->LogIn(true);
return $this->redirect(OpenStackIdCommon::getRedirectBackUrl());
}
throw new Exception("Inactive User!");
}
throw new Exception("The OpenID authentication failed: can not find user " . $openid);
}
}
}
} catch (Exception $ex) {
Session::set("Security.Message.message", $ex->getMessage());
Session::set("Security.Message.type", "bad");
SS_Log::log($ex, SS_Log::WARN);
return $this->redirect("Security/badlogin");
}
}
function _setUpDH()
{
list($sess, $message) = $this->consumer->_createAssociateRequest($this->endpoint, 'HMAC-SHA1', 'DH-SHA1');
// XXX: this is testing _createAssociateRequest
$this->assertEquals($this->endpoint->compatibilityMode(), $message->isOpenID1());
$server_sess = Auth_OpenID_DiffieHellmanSHA1ServerSession::fromMessage($message);
$server_resp = $server_sess->answer($this->secret);
$server_resp['assoc_type'] = 'HMAC-SHA1';
$server_resp['assoc_handle'] = 'handle';
$server_resp['expires_in'] = '1000';
$server_resp['session_type'] = 'DH-SHA1';
return array($sess, Auth_OpenID_Message::fromOpenIDArgs($server_resp));
}
function test_openID2MismatchedDoesDisco_failure()
{
$mismatched = new Auth_OpenID_ServiceEndpoint();
$mismatched->identity = 'nothing special, but different';
$mismatched->local_id = 'green cheese';
$op_endpoint = 'Phone Home';
$msg = Auth_OpenID_Message::fromOpenIDArgs(array('ns' => Auth_OpenID_OPENID2_NS, 'identity' => 'sour grapes', 'claimed_id' => 'monkeysoft', 'op_endpoint' => $op_endpoint));
$result = $this->consumer->_verifyDiscoveryResults($msg, $mismatched);
$this->assertTrue(Auth_OpenID::isFailure($result));
}
function test_fromPostArgs_ns11()
{
// An example of the stuff that some Drupal installations send us,
// which includes openid.ns but is 1.1.
$query = array('openid.assoc_handle' => '', 'openid.claimed_id' => 'http://foobar.invalid/', 'openid.identity' => 'http://foobar.myopenid.com', 'openid.mode' => 'checkid_setup', 'openid.ns' => 'http://openid.net/signon/1.1', 'openid.ns.sreg' => 'http://openid.net/extensions/sreg/1.1', 'openid.return_to' => 'http://drupal.invalid/return_to', 'openid.sreg.required' => 'nickname,email', 'openid.trust_root' => 'http://drupal.invalid');
$m = Auth_OpenID_Message::fromPostArgs($query);
$this->assertTrue($m->isOpenID1());
}
function test_fromSuccessResponse()
{
$openid_req_msg = Auth_OpenID_Message::fromOpenIDArgs(array('mode' => 'id_res', 'ns' => Auth_OpenID_OPENID2_NS, 'ns.pape' => Auth_OpenID_PAPE_NS_URI, 'auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)), 'auth_time' => '2008-03-02T12:34:56Z'));
$signed_stuff = array('auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)), 'auth_time' => '2008-03-02T12:34:56Z');
$oid_req = new PAPE_DummySuccessResponse($openid_req_msg, $signed_stuff);
$req = Auth_OpenID_PAPE_Response::fromSuccessResponse($oid_req);
$this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT), $req->auth_policies);
$this->assertEquals('2008-03-02T12:34:56Z', $req->auth_time);
}
function test_openidUpdateURLVerificationSuccessReturnTo()
{
$openid_req_msg = Auth_OpenID_Message::fromOpenIDArgs(array('mode' => 'checkid_setup', 'ns' => Auth_OpenID_OPENID2_NS, 'return_to' => 'http://example.com/realm', 'ns.ax' => Auth_OpenID_AX_NS_URI, 'ax.update_url' => 'http://example.com/realm/update_path', 'ax.mode' => 'fetch_request'));
$fr = Auth_OpenID_AX_FetchRequest::fromOpenIDRequest($openid_req_msg);
$this->assertFalse(Auth_OpenID_AX::isError($fr));
}
function testUnsupportedWithRetry()
{
$msg = new Auth_OpenID_Message($this->endpoint->preferredNamespace());
$msg->setArg(Auth_OpenID_OPENID_NS, 'error', 'Unsupported type');
$msg->setArg(Auth_OpenID_OPENID_NS, 'error_code', 'unsupported-type');
$msg->setArg(Auth_OpenID_OPENID_NS, 'assoc_type', 'HMAC-SHA1');
$msg->setArg(Auth_OpenID_OPENID_NS, 'session_type', 'DH-SHA1');
$assoc = new Auth_OpenID_Association('handle', 'secretxx', 'issued', 10000, 'HMAC-SHA1');
$this->consumer->return_messages = array($assoc, $msg);
$result = $this->consumer->_negotiateAssociation($this->endpoint);
$this->assertTrue($result === null);
// $this->failUnlessLogMatches('Server error when requesting an association')
}
function test_verifyAssocMismatch()
{
// Attempt to validate sign-all message with a signed-list
// assoc.
$assoc_handle = '{vroom}{zoom}';
$assoc = Auth_OpenID_Association::fromExpiresIn(60, $assoc_handle, 'sekrit', 'HMAC-SHA1');
$this->store->storeAssociation($this->dumb_key, $assoc);
$signed = Auth_OpenID_Message::fromPostArgs(array('foo' => 'bar', 'apple' => 'orange', 'openid.sig' => "d71xlHtqnq98DonoSgoK/nD+QRM="));
$verified = $this->signatory->verify($assoc_handle, $signed);
$this->assertFalse($verified);
}
function _test($uri)
{
// Create a request message with simple registration fields
$sreg_req = Auth_OpenID_SRegRequest::build(array('nickname', 'email'), array('fullname'));
$req_msg = new Auth_OpenID_Message($uri);
$req_msg->updateArgs(Auth_OpenID_SREG_NS_URI, $sreg_req->getExtensionArgs());
$req = new Auth_OpenID_Request();
$req->message =& $req_msg;
$req->namespace = $req_msg->getOpenIDNamespace();
// -> send checkid_* request
// Create an empty response message
$resp_msg = new Auth_OpenID_Message($uri);
$resp = new Auth_OpenID_ServerResponse($req);
$resp->fields = $resp_msg;
$data = array('nickname' => 'linusaur', 'postcode' => '12345', 'country' => 'US', 'gender' => 'M', 'fullname' => 'Leonhard Euler', 'email' => '*****@*****.**', 'dob' => '0000-00-00', 'language' => 'en-us');
// Put the requested data fields in the response message
$sreg_resp = Auth_OpenID_SRegResponse::extractResponse($sreg_req, $data);
$resp->addExtension($sreg_resp);
// <- send id_res response
// Extract the fields that were sent
$sreg_data_resp = $resp->fields->getArgs(Auth_OpenID_SREG_NS_URI);
$this->assertEquals(array('nickname' => 'linusaur', 'email' => '*****@*****.**', 'fullname' => 'Leonhard Euler'), $sreg_data_resp);
}
/**
* Given an HTTP query in an array (key-value pairs), decode it
* into an Auth_OpenID_Request object.
*/
function decode($query)
{
if (!$query) {
return null;
}
$message = Auth_OpenID_Message::fromPostArgs($query);
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
if (!$mode) {
return new Auth_OpenID_ServerError($message, "No mode value in message");
}
$handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($message));
if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
return call_user_func_array(array($handlerCls, 'fromMessage'), array($message, $this->server));
} else {
return $handlerCls;
}
}
