Project

General

Profile

Paste
Download (14.2 KB) Statistics
| Branch: | Revision:

root / drupal7 / modules / openid / tests / openid_test.module @ 27e02aed

1
<?php
2

    
3
/**
4
 * @file
5
 * Dummy OpenID Provider used with SimpleTest.
6
 *
7
 * The provider simply responds positively to all authentication requests. In
8
 * addition to a Provider Endpoint (a URL used for Drupal to communicate with
9
 * the provider using the OpenID Authentication protocol) the module provides
10
 * URLs used by the various discovery mechanisms.
11
 *
12
 * When a user enters an OpenID identity, the Relying Party (in the testing
13
 * scenario, this is the OpenID module) looks up the URL of the Provider
14
 * Endpoint using one of several discovery mechanisms. The Relying Party then
15
 * redirects the user to Provider Endpoint. The provider verifies the user's
16
 * identity and redirects the user back to the Relying Party accompanied by a
17
 * signed message confirming the identity. Before redirecting to a provider for
18
 * the first time, the Relying Party fetches a secret MAC key from the provider
19
 * by doing a direct "associate" HTTP request to the Provider Endpoint. This
20
 * key is used for verifying the signed messages from the provider.
21
 */
22

    
23
/**
24
 * Implements hook_menu().
25
 */
26
function openid_test_menu() {
27
  $items['openid-test/yadis/xrds'] = array(
28
    'title' => 'XRDS service document',
29
    'page callback' => 'openid_test_yadis_xrds',
30
    'access callback' => TRUE,
31
    'type' => MENU_CALLBACK,
32
  );
33
  $items['openid-test/yadis/x-xrds-location'] = array(
34
    'title' => 'Yadis discovery using X-XRDS-Location header',
35
    'page callback' => 'openid_test_yadis_x_xrds_location',
36
    'access callback' => TRUE,
37
    'type' => MENU_CALLBACK,
38
  );
39
  $items['openid-test/yadis/http-equiv'] = array(
40
    'title' => 'Yadis discovery using <meta http-equiv="X-XRDS-Location" ...>',
41
    'page callback' => 'openid_test_yadis_http_equiv',
42
    'access callback' => TRUE,
43
    'type' => MENU_CALLBACK,
44
  );
45
  $items['openid-test/html/openid1'] = array(
46
    'title' => 'HTML-based discovery using <link rel="openid.server" ...>',
47
    'page callback' => 'openid_test_html_openid1',
48
    'access callback' => TRUE,
49
    'type' => MENU_CALLBACK,
50
  );
51
  $items['openid-test/html/openid2'] = array(
52
    'title' => 'HTML-based discovery using <link rel="openid2.provider" ...>',
53
    'page callback' => 'openid_test_html_openid2',
54
    'access callback' => TRUE,
55
    'type' => MENU_CALLBACK,
56
  );
57
  $items['openid-test/endpoint'] = array(
58
    'title' => 'OpenID Provider Endpoint',
59
    'page callback' => 'openid_test_endpoint',
60
    'access callback' => TRUE,
61
    'type' => MENU_CALLBACK,
62
  );
63
  $items['openid-test/redirect'] = array(
64
    'title' => 'OpenID Provider Redirection Point',
65
    'page callback' => 'openid_test_redirect',
66
    'access callback' => TRUE,
67
    'type' => MENU_CALLBACK,
68
  );
69
  $items['openid-test/redirected/%/%'] = array(
70
    'title' => 'OpenID Provider Final URL',
71
    'page callback' => 'openid_test_redirected_method',
72
    'page arguments' => array(2, 3),
73
    'access callback' => TRUE,
74
    'type' => MENU_CALLBACK,
75
  );
76
  return $items;
77
}
78

    
79
/**
80
 * Implements hook_menu_site_status_alter().
81
 */
82
function openid_test_menu_site_status_alter(&$menu_site_status, $path) {
83
  // Allow access to openid endpoint and identity even in offline mode.
84
  if ($menu_site_status == MENU_SITE_OFFLINE && user_is_anonymous() && in_array($path, array('openid-test/yadis/xrds', 'openid-test/endpoint'))) {
85
    $menu_site_status = MENU_SITE_ONLINE;
86
  }
87
}
88

    
89
/**
90
 * Menu callback; XRDS document that references the OP Endpoint URL.
91
 */
92
function openid_test_yadis_xrds() {
93
  if ($_SERVER['HTTP_ACCEPT'] == 'application/xrds+xml') {
94
    // Only respond to XRI requests for one specific XRI. The is used to verify
95
    // that the XRI has been properly encoded. The "+" sign in the _xrd_r query
96
    // parameter is decoded to a space by PHP.
97
    if (arg(3) == 'xri') {
98
      if (variable_get('clean_url', 0)) {
99
        if (arg(4) != '@example*résumé;%25' || $_GET['_xrd_r'] != 'application/xrds xml') {
100
          drupal_not_found();
101
        }
102
      }
103
      else {
104
        // Drupal cannot properly emulate an XRI proxy resolver using unclean
105
        // URLs, so the arguments gets messed up.
106
        if (arg(4) . '/' . arg(5) != '@example*résumé;%25?_xrd_r=application/xrds xml') {
107
          drupal_not_found();
108
        }
109
      }
110
    }
111
    drupal_add_http_header('Content-Type', 'application/xrds+xml');
112
    print '<?xml version="1.0" encoding="UTF-8"?>';
113
    if (!empty($_GET['doctype'])) {
114
      print "\n<!DOCTYPE dct [ <!ELEMENT blue (#PCDATA)> ]>\n";
115
    }
116
    print '
117
      <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
118
        <XRD>
119
          <Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
120
          <ProviderID>xri://@</ProviderID>
121
          <CanonicalID>http://example.com/user</CanonicalID>
122
          <Service>
123
            <Type>http://example.com/this-is-ignored</Type>
124
          </Service>
125
          <Service priority="5">
126
            <Type>http://openid.net/signon/1.0</Type>
127
            <URI>http://example.com/this-is-only-openid-1.0</URI>
128
          </Service>
129
          <Service priority="10">
130
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
131
            <Type>http://openid.net/srv/ax/1.0</Type>
132
            <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
133
            <LocalID>http://example.com/xrds</LocalID>
134
          </Service>
135
          <Service priority="15">
136
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
137
            <URI>http://example.com/this-has-too-low-priority</URI>
138
          </Service>
139
          <Service>
140
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
141
            <URI>http://example.com/this-has-too-low-priority</URI>
142
          </Service>
143
          ';
144
    if (arg(3) == 'server') {
145
      print '
146
          <Service>
147
            <Type>http://specs.openid.net/auth/2.0/server</Type>
148
            <URI>http://example.com/this-has-too-low-priority</URI>
149
          </Service>
150
          <Service priority="20">
151
            <Type>http://specs.openid.net/auth/2.0/server</Type>
152
            <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
153
            <LocalID>' . url('openid-test/yadis/xrds/server', array('absolute' => TRUE)) . '</LocalID>
154
          </Service>';
155
    }
156
    elseif (arg(3) == 'delegate') {
157
      print '
158
          <Service priority="0">
159
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
160
            <Type>http://openid.net/srv/ax/1.0</Type>
161
            <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
162
            <openid:Delegate>http://example.com/xrds-delegate</openid:Delegate>
163
          </Service>';
164
    }
165
    print '
166
        </XRD>
167
      </xrds:XRDS>';
168
  }
169
  else {
170
    return t('This is a regular HTML page. If the client sends an Accept: application/xrds+xml header when requesting this URL, an XRDS document is returned.');
171
  }
172
}
173

    
174
/**
175
 * Menu callback; regular HTML page with an X-XRDS-Location HTTP header.
176
 */
177
function openid_test_yadis_x_xrds_location() {
178
  drupal_add_http_header('X-XRDS-Location', url('openid-test/yadis/xrds', array('absolute' => TRUE)));
179
  return t('This page includes an X-RDS-Location HTTP header containing the URL of an XRDS document.');
180
}
181

    
182
/**
183
 * Menu callback; regular HTML page with <meta> element.
184
 */
185
function openid_test_yadis_http_equiv() {
186
  $element = array(
187
    '#tag' => 'meta',
188
    '#attributes' => array(
189
      'http-equiv' => 'X-XRDS-Location',
190
      'content' => url('openid-test/yadis/xrds', array('absolute' => TRUE)),
191
    ),
192
  );
193
  drupal_add_html_head($element, 'openid_test_yadis_http_equiv');
194
  return t('This page includes a &lt;meta equiv=...&gt; element containing the URL of an XRDS document.');
195
}
196

    
197
/**
198
 * Menu callback; regular HTML page with OpenID 1.0 <link> element.
199
 */
200
function openid_test_html_openid1() {
201
  drupal_add_html_head_link(array('rel' => 'openid.server', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
202
  drupal_add_html_head_link(array('rel' => 'openid.delegate', 'href' => 'http://example.com/html-openid1'));
203
  return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
204
}
205

    
206
/**
207
 * Menu callback; regular HTML page with OpenID 2.0 <link> element.
208
 */
209
function openid_test_html_openid2() {
210
  drupal_add_html_head_link(array('rel' => 'openid2.provider', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
211
  drupal_add_html_head_link(array('rel' => 'openid2.local_id', 'href' => 'http://example.com/html-openid2'));
212
  return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
213
}
214

    
215
/**
216
 * Menu callback; OpenID Provider Endpoint.
217
 *
218
 * It accepts "associate" requests directly from the Relying Party, and
219
 * "checkid_setup" requests made by the user's browser based on HTTP redirects
220
 * (in OpenID 1) or HTML forms (in OpenID 2) generated by the Relying Party.
221
 */
222
function openid_test_endpoint() {
223
  switch ($_REQUEST['openid_mode']) {
224
    case 'associate':
225
      _openid_test_endpoint_associate();
226
      break;
227
    case 'checkid_setup':
228
      _openid_test_endpoint_authenticate();
229
      break;
230
  }
231
}
232

    
233
/**
234
 * Menu callback; redirect during Normalization/Discovery.
235
 */
236
function openid_test_redirect($count = 0) {
237
  if ($count == 0) {
238
    $url = variable_get('openid_test_redirect_url', '');
239
  }
240
  else {
241
    $url = url('openid-test/redirect/' . --$count, array('absolute' => TRUE));
242
  }
243
  $http_response_code = variable_get('openid_test_redirect_http_reponse_code', 301);
244
  header('Location: ' . $url, TRUE, $http_response_code);
245
  exit();
246
}
247

    
248
/**
249
 * Menu callback; respond with appropriate callback.
250
 */
251
function openid_test_redirected_method($method1, $method2) {
252
  return call_user_func('openid_test_' . $method1 . '_' . $method2);
253
}
254

    
255
/**
256
 * OpenID endpoint; handle "associate" requests (see OpenID Authentication 2.0,
257
 * section 8).
258
 *
259
 * The purpose of association is to send the secret MAC key to the Relying Party
260
 * using Diffie-Hellman key exchange. The MAC key is used in subsequent
261
 * "authenticate" requests. The "associate" request is made by the Relying Party
262
 * (in the testing scenario, this is the OpenID module that communicates with
263
 * the endpoint using drupal_http_request()).
264
 */
265
function _openid_test_endpoint_associate() {
266
  module_load_include('inc', 'openid');
267

    
268
  // Use default parameters for Diffie-Helmann key exchange.
269
  $mod = OPENID_DH_DEFAULT_MOD;
270
  $gen = OPENID_DH_DEFAULT_GEN;
271

    
272
  // Generate private Diffie-Helmann key.
273
  $r = _openid_dh_rand($mod);
274
  $private = _openid_math_add($r, 1);
275

    
276
  // Calculate public Diffie-Helmann key.
277
  $public = _openid_math_powmod($gen, $private, $mod);
278

    
279
  // Calculate shared secret based on Relying Party's public key.
280
  $cpub = _openid_dh_base64_to_long($_REQUEST['openid_dh_consumer_public']);
281
  $shared = _openid_math_powmod($cpub, $private, $mod);
282

    
283
  // Encrypt the MAC key using the shared secret.
284
  $enc_mac_key = base64_encode(_openid_dh_xorsecret($shared, base64_decode(variable_get('mac_key'))));
285

    
286
  // Generate response including our public key and the MAC key. Using our
287
  // public key and its own private key, the Relying Party can calculate the
288
  // shared secret, and with this it can decrypt the encrypted MAC key.
289
  $response = array(
290
    'ns' => 'http://specs.openid.net/auth/2.0',
291
    'assoc_handle' => 'openid-test',
292
    'session_type' => $_REQUEST['openid_session_type'],
293
    'assoc_type' => $_REQUEST['openid_assoc_type'],
294
    'expires_in' => '3600',
295
    'dh_server_public' => _openid_dh_long_to_base64($public),
296
    'enc_mac_key' => $enc_mac_key,
297
  );
298

    
299
  // Respond to Relying Party in the special Key-Value Form Encoding (see OpenID
300
  // Authentication 1.0, section 4.1.1).
301
  drupal_add_http_header('Content-Type', 'text/plain');
302
  print _openid_create_message($response);
303
}
304

    
305
/**
306
 * OpenID endpoint; handle "authenticate" requests.
307
 *
308
 * All requests result in a successful response. The request is a GET or POST
309
 * made by the user's browser based on an HTML form or HTTP redirect generated
310
 * by the Relying Party. The user is redirected back to the Relying Party using
311
 * a URL containing a signed message in the query string confirming the user's
312
 * identity.
313
 */
314
function _openid_test_endpoint_authenticate() {
315
  module_load_include('inc', 'openid');
316

    
317
  $expected_identity = variable_get('openid_test_identity');
318
  if ($expected_identity && $_REQUEST['openid_identity'] != $expected_identity) {
319
    $response = variable_get('openid_test_response', array()) + array(
320
      'openid.ns' => OPENID_NS_2_0,
321
      'openid.mode' => 'error',
322
      'openid.error' => 'Unexpted identity',
323
    );
324
    drupal_add_http_header('Content-Type', 'text/plain');
325
    header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));
326
    return;
327
  }
328

    
329
  // Generate unique identifier for this authentication.
330
  $nonce = _openid_nonce();
331

    
332
  // Generate response containing the user's identity.
333
  $response = variable_get('openid_test_response', array()) + array(
334
    'openid.ns' => OPENID_NS_2_0,
335
    'openid.mode' => 'id_res',
336
    'openid.op_endpoint' => url('openid-test/endpoint', array('absolute' => TRUE)),
337
    'openid.claimed_id' => !empty($_REQUEST['openid_claimed_id']) ? $_REQUEST['openid_claimed_id'] : '',
338
    'openid.identity' => $_REQUEST['openid_identity'],
339
    'openid.return_to' => $_REQUEST['openid_return_to'],
340
    'openid.response_nonce' => $nonce,
341
    'openid.assoc_handle' => 'openid-test',
342
  );
343

    
344
  if (isset($response['openid.signed'])) {
345
    $keys_to_sign = explode(',', $response['openid.signed']);
346
  }
347
  else {
348
    // Unless openid.signed is explicitly defined, all keys are signed.
349
    $keys_to_sign = array();
350
    foreach ($response as $key => $value) {
351
      // Strip off the "openid." prefix.
352
      $keys_to_sign[] = substr($key, 7);
353
    }
354
    $response['openid.signed'] = implode(',', $keys_to_sign);
355
  }
356

    
357
  // Sign the message using the MAC key that was exchanged during association.
358
  $association = new stdClass();
359
  $association->mac_key = variable_get('mac_key');
360
  if (!isset($response['openid.sig'])) {
361
    $response['openid.sig'] = _openid_signature($association, $response, $keys_to_sign);
362
  }
363

    
364
  // Put the signed message into the query string of a URL supplied by the
365
  // Relying Party, and redirect the user.
366
  drupal_add_http_header('Content-Type', 'text/plain');
367
  header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));
368
}