/**
  * Returns the trust decision a user has already recorded for a realm.
  *
  * The realm is validated first. Every trusted-site record of the user that
  * matches the realm or one of its sub-domains is then examined in the order
  * the repository returns them; the first record that either carries a
  * "deny forever" policy or whose stored data already covers each entry of
  * $data becomes the single element of the result. An empty array means no
  * earlier decision applies.
  *
  * @param IOpenIdUser $user  owner of the trusted-site records
  * @param string      $realm OpenID realm the relying party asked for
  * @param array       $data  entries requested by the relying party; compared by value only
  *                           (array_diff ignores keys), so presumably a list of attribute names — confirm with callers
  * @return array zero or one matching trusted-site record
  * @throws OpenIdInvalidRealmException when the realm is malformed
  * @throws \Exception anything raised underneath is logged and rethrown unchanged
  */
 public function getTrustedSites(IOpenIdUser $user, $realm, $data = array())
 {
     $matches = array();
     try {
         if (!OpenIdUriHelper::isValidRealm($realm)) {
             throw new OpenIdInvalidRealmException(sprintf('realm %s is invalid', $realm));
         }
         // the realm itself plus every sub-domain it covers
         $scope = $this->getSubDomains($realm);
         $candidates = $this->repository->getMatchingOnesByUserId($user->getId(), $scope, $data);
         foreach ($candidates as $candidate) {
             $denied = $candidate->getAuthorizationPolicy() == IAuthService::AuthorizationResponse_DenyForever;
             // a stored approval counts when nothing in $data is missing from it;
             // getData() is only consulted when the record is not a denial
             if ($denied || count(array_diff($data, $candidate->getData())) == 0) {
                 $matches[] = $candidate;
                 break;
             }
         }
     } catch (Exception $ex) {
         // NOTE(review): relies on Exception resolving to \Exception in this
         // namespace — confirm a `use Exception;` exists, otherwise nothing is caught here
         $this->log_service->error($ex);
         throw $ex;
     }
     return $matches;
 }
 /**
  * Builds an OpenID error response.
  *
  * Sets the HTTP status from self::HttpErrorResponse and the openid.error
  * parameter. The optional contact and reference parameters are added only
  * when supplied. When the originating request carries a non-empty return_to
  * accepted by OpenIdUriHelper::checkReturnTo(), it is copied into the
  * response so the error can be delivered back to the relying party.
  *
  * @param string             $error     error text reported to the relying party
  * @param string|null        $contact   optional contact address for the provider
  * @param string|null        $reference optional reference token for this error
  * @param OpenIdRequest|null $request   originating request, used to pick up return_to
  */
 public function __construct($error, $contact = null, $reference = null, OpenIdRequest $request = null)
 {
     parent::__construct();
     $this->setHttpCode(self::HttpErrorResponse);
     $this[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Error)] = $error;

     // optional parameters: only emitted when a value was given
     $optional = array(
         array(OpenIdProtocol::OpenIDProtocol_Contact, $contact),
         array(OpenIdProtocol::OpenIDProtocol_Reference, $reference),
     );
     foreach ($optional as $pair) {
         list($name, $value) = $pair;
         if ($value !== null) {
             $this[OpenIdProtocol::param($name)] = $value;
         }
     }

     if ($request === null) {
         return;
     }
     $return_to = $request->getParam(OpenIdProtocol::OpenIDProtocol_ReturnTo);
     // an unvalidated return_to is never echoed back into the response
     if (!empty($return_to) && OpenIdUriHelper::checkReturnTo($return_to)) {
         $this->setReturnTo($return_to);
     }
 }
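 /**
  * Checks that this check_authentication message carries every field the
  * signature verification step needs, and that each one is well formed.
  *
  * All of the following must hold, otherwise an InvalidOpenIdMessageException
  * naming the failed checks is thrown:
  *  - mode equals OpenIdProtocol::CheckAuthenticationMode
  *  - return_to is present and accepted by OpenIdUriHelper::checkReturnTo()
  *  - realm is present and consistent with return_to (OpenIdUriHelper::checkRealm())
  *  - assoc_handle, sig, signed and nonce are present
  *  - op_endpoint is present and identical to this server's op_endpoint_url
  *  - claimed_id is present and a valid URL (OpenIdUriHelper::isValidUrl())
  *
  * @return bool always true; an invalid message throws instead of returning false
  * @throws InvalidOpenIdMessageException listing every check that failed
  */
 public function isValid()
 {
     $mode                = $this->getMode();
     $claimed_assoc       = $this->getAssocHandle();
     $claimed_nonce       = $this->getNonce();
     $claimed_sig         = $this->getSig();
     $claimed_op_endpoint = $this->getOPEndpoint();
     $claimed_identity    = $this->getClaimedId();
     $claimed_realm       = $this->getRealm();
     $claimed_returnTo    = $this->getReturnTo();
     $signed              = $this->getSigned();
     // evaluated unconditionally, even for an empty realm, so that checkRealm() sees every message
     $valid_realm = OpenIdUriHelper::checkRealm($claimed_realm, $claimed_returnTo);

     // every entry must be truthy; the key is the diagnostic reported when it is not.
     // Identity (===) comparison is used for mode and op_endpoint so that only a
     // byte-identical string value passes.
     $checks = array(
         'mode is check_authentication'         => !empty($mode) && $mode === OpenIdProtocol::CheckAuthenticationMode,
         'return_to is present and well formed' => !empty($claimed_returnTo) && OpenIdUriHelper::checkReturnTo($claimed_returnTo),
         'realm is present'                     => !empty($claimed_realm),
         'realm matches return_to'              => $valid_realm,
         'assoc_handle is present'              => !empty($claimed_assoc),
         'sig is present'                       => !empty($claimed_sig),
         'signed is present'                    => !empty($signed),
         'nonce is present'                     => !empty($claimed_nonce),
         'op_endpoint matches this server'      => !empty($claimed_op_endpoint) && $claimed_op_endpoint === $this->op_endpoint_url,
         'claimed_id is a valid url'            => !empty($claimed_identity) && OpenIdUriHelper::isValidUrl($claimed_identity),
     );

     $failed = array_keys(array_filter($checks, function ($ok) {
         return !$ok;
     }));
     if (count($failed) > 0) {
         throw new InvalidOpenIdMessageException(
             sprintf('invalid check_authentication message, failed checks: %s.', implode('; ', $failed))
         );
     }
     return true;
 }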
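 /**
  * Normalizes an absolute http(s) URI into a canonical form for comparison.
  *
  * Steps, in order: reject a URI containing a character matched by
  * self::URLIllegalCharRE; lower-case the scheme and accept only "http" and
  * "https"; require an authority and split it with self::AuthorityPattern;
  * lower-case the host and decode percent-escapes in it (no IDNA processing);
  * drop an empty port or the scheme's default port (:80 / :443); normalise
  * percent-escapes in the path (unreserved characters are decoded, all other
  * escapes are upper-cased), remove dot segments and default an empty path to
  * "/"; query and fragment are kept as matched. Userinfo, when present, is
  * kept verbatim in the authority.
  *
  * @param string $uri URI to normalize
  * @return string|null normalized URI, or null when $uri is not an absolute http(s) URI
  */
 private static function urinorm($uri)
 {
     $uri_matches = array();
     preg_match(self::URIPattern, $uri, $uri_matches);
     // pad the match array so optional groups can be read without notices
     for ($i = count($uri_matches); $i <= 9; $i++) {
         $uri_matches[] = '';
     }

     $illegal_matches = array();
     preg_match(self::URLIllegalCharRE, $uri, $illegal_matches);
     if ($illegal_matches) {
         return null;
     }

     $scheme = strtolower($uri_matches[2]);
     if ($scheme === '') {
         // No scheme specified
         return null;
     }
     if (!in_array($scheme, array('http', 'https'), true)) {
         // Not an absolute HTTP or HTTPS URI
         return null;
     }

     $authority = $uri_matches[4];
     if ($authority === '') {
         // Not an absolute URI
         return null;
     }
     $authority_matches = array();
     preg_match(self::AuthorityPattern, $authority, $authority_matches);
     if (count($authority_matches) === 0) {
         // URI does not have a valid authority
         return null;
     }
     for ($i = count($authority_matches); $i <= 4; $i++) {
         $authority_matches[] = '';
     }
     list($_whole, $userinfo, $host, $port) = $authority_matches;
     if ($userinfo === null) {
         $userinfo = '';
     }

     $host = strtolower($host);
     // strpos() reports "not found" as false; only run the decoder when there is
     // something to decode. The result is a byte string, no IDNA processing is done.
     if (strpos($host, '%') !== false) {
         $host = preg_replace_callback(self::EncodedPattern, function ($mo) {
             return chr(intval($mo[1], 16));
         }, $host);
     }

     // $scheme is http or https at this point, so exactly one default port applies
     $default_port = ($scheme === 'http') ? ':80' : ':443';
     if (!$port || $port === ':' || $port === $default_port) {
         $port = '';
     }
     $authority = $userinfo . $host . $port;

     $path = preg_replace_callback(self::EncodedPattern, function ($mo) {
         // assumes getUnreserved() is indexed by byte value for every decoded escape — confirm
         $unreserved = OpenIdUriHelper::getUnreserved();
         $i = intval($mo[1], 16);
         // unreserved characters are decoded; every other escape keeps its encoding, upper-cased
         return $unreserved[$i] ? chr($i) : strtoupper($mo[0]);
     }, $uri_matches[5]);
     $path = self::remove_dot_segments($path);
     if (!$path) {
         $path = '/';
     }

     $query = isset($uri_matches[6]) ? $uri_matches[6] : '';
     $fragment = isset($uri_matches[8]) ? $uri_matches[8] : '';

     return $scheme . '://' . $authority . $path . $query . $fragment;
 }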
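 /**
  * Checks that the openid.claimed_id / openid.identity pair of a request
  * refers to an identifier served by this provider.
  *
  * The pair is accepted when either the relying party asks for identifier
  * selection (both values equal OpenIdProtocol::IdentifierSelectType), or
  * both values are valid URLs and at least one of them starts with this
  * provider's identity URL prefix (user_identity_endpoint up to its first "@").
  *
  * @param string|null $claimed_id openid.claimed_id parameter, null when absent
  * @param string|null $identity   openid.identity parameter, null when absent
  * @return bool true when the identifier pair is acceptable for this provider
  * @throws \openid\exceptions\InvalidOpenIdMessageException when user_identity_endpoint is not configured
  */
 private function isValidIdentifier($claimed_id, $identity)
 {
     if (empty($this->user_identity_endpoint)) {
         throw new InvalidOpenIdMessageException("user_identity_endpoint is not set.");
     }
     /*
      * "openid.claimed_id" and "openid.identity" SHALL be either both present or both absent.
      * If neither value is present, the assertion is not about an identifier, and will contain
      * other information in its payload, using extensions. A message carrying only one of
      * the two is malformed and is rejected as well.
      */
     if (is_null($claimed_id) || is_null($identity)) {
         return false;
     }
     // http://specs.openid.net/auth/2.0/identifier_select
     if ($claimed_id === $identity && $identity === OpenIdProtocol::IdentifierSelectType) {
         return true;
     }
     if (!OpenIdUriHelper::isValidUrl($claimed_id) || !OpenIdUriHelper::isValidUrl($identity)) {
         return false;
     }
     // everything before the first "@" of the endpoint template is the identity URL prefix
     $url_parts = explode("@", $this->user_identity_endpoint, 2);
     $base_identity_url = $url_parts[0];
     if ($base_identity_url === '') {
         // nothing to anchor the comparison to; do not accept arbitrary URLs
         return false;
     }
     // anchored prefix match: a URL that merely contains the prefix somewhere in
     // its path or query string is not one of ours and must not be accepted
     return strpos($identity, $base_identity_url) === 0
         || strpos($claimed_id, $base_identity_url) === 0;
 }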