1 |
85ad3d82
|
Assos Assos
|
<?php
|
2 |
|
|
|
3 |
|
|
/**
|
4 |
|
|
* @file
|
5 |
|
|
* Dummy OpenID Provider used with SimpleTest.
|
6 |
|
|
*
|
7 |
|
|
* The provider simply responds positively to all authentication requests. In
|
8 |
|
|
* addition to a Provider Endpoint (a URL used for Drupal to communicate with
|
9 |
|
|
* the provider using the OpenID Authentication protocol) the module provides
|
10 |
|
|
* URLs used by the various discovery mechanisms.
|
11 |
|
|
*
|
12 |
|
|
* When a user enters an OpenID identity, the Relying Party (in the testing
|
13 |
|
|
* scenario, this is the OpenID module) looks up the URL of the Provider
|
14 |
|
|
* Endpoint using one of several discovery mechanisms. The Relying Party then
|
15 |
|
|
* redirects the user to Provider Endpoint. The provider verifies the user's
|
16 |
|
|
* identity and redirects the user back to the Relying Party accompanied by a
|
17 |
|
|
* signed message confirming the identity. Before redirecting to a provider for
|
18 |
|
|
* the first time, the Relying Party fetches a secret MAC key from the provider
|
19 |
|
|
* by doing a direct "associate" HTTP request to the Provider Endpoint. This
|
20 |
|
|
* key is used for verifying the signed messages from the provider.
|
21 |
|
|
*/
|
22 |
|
|
|
23 |
|
|
/**
|
24 |
|
|
* Implements hook_menu().
|
25 |
|
|
*/
|
26 |
|
|
function openid_test_menu() {
|
27 |
|
|
$items['openid-test/yadis/xrds'] = array(
|
28 |
|
|
'title' => 'XRDS service document',
|
29 |
|
|
'page callback' => 'openid_test_yadis_xrds',
|
30 |
|
|
'access callback' => TRUE,
|
31 |
|
|
'type' => MENU_CALLBACK,
|
32 |
|
|
);
|
33 |
|
|
$items['openid-test/yadis/x-xrds-location'] = array(
|
34 |
|
|
'title' => 'Yadis discovery using X-XRDS-Location header',
|
35 |
|
|
'page callback' => 'openid_test_yadis_x_xrds_location',
|
36 |
|
|
'access callback' => TRUE,
|
37 |
|
|
'type' => MENU_CALLBACK,
|
38 |
|
|
);
|
39 |
|
|
$items['openid-test/yadis/http-equiv'] = array(
|
40 |
|
|
'title' => 'Yadis discovery using <meta http-equiv="X-XRDS-Location" ...>',
|
41 |
|
|
'page callback' => 'openid_test_yadis_http_equiv',
|
42 |
|
|
'access callback' => TRUE,
|
43 |
|
|
'type' => MENU_CALLBACK,
|
44 |
|
|
);
|
45 |
|
|
$items['openid-test/html/openid1'] = array(
|
46 |
|
|
'title' => 'HTML-based discovery using <link rel="openid.server" ...>',
|
47 |
|
|
'page callback' => 'openid_test_html_openid1',
|
48 |
|
|
'access callback' => TRUE,
|
49 |
|
|
'type' => MENU_CALLBACK,
|
50 |
|
|
);
|
51 |
|
|
$items['openid-test/html/openid2'] = array(
|
52 |
|
|
'title' => 'HTML-based discovery using <link rel="openid2.provider" ...>',
|
53 |
|
|
'page callback' => 'openid_test_html_openid2',
|
54 |
|
|
'access callback' => TRUE,
|
55 |
|
|
'type' => MENU_CALLBACK,
|
56 |
|
|
);
|
57 |
|
|
$items['openid-test/endpoint'] = array(
|
58 |
|
|
'title' => 'OpenID Provider Endpoint',
|
59 |
|
|
'page callback' => 'openid_test_endpoint',
|
60 |
|
|
'access callback' => TRUE,
|
61 |
|
|
'type' => MENU_CALLBACK,
|
62 |
|
|
);
|
63 |
|
|
$items['openid-test/redirect'] = array(
|
64 |
|
|
'title' => 'OpenID Provider Redirection Point',
|
65 |
|
|
'page callback' => 'openid_test_redirect',
|
66 |
|
|
'access callback' => TRUE,
|
67 |
|
|
'type' => MENU_CALLBACK,
|
68 |
|
|
);
|
69 |
|
|
$items['openid-test/redirected/%/%'] = array(
|
70 |
|
|
'title' => 'OpenID Provider Final URL',
|
71 |
|
|
'page callback' => 'openid_test_redirected_method',
|
72 |
|
|
'page arguments' => array(2, 3),
|
73 |
|
|
'access callback' => TRUE,
|
74 |
|
|
'type' => MENU_CALLBACK,
|
75 |
|
|
);
|
76 |
|
|
return $items;
|
77 |
|
|
}
|
78 |
|
|
|
79 |
|
|
/**
|
80 |
|
|
* Implements hook_menu_site_status_alter().
|
81 |
|
|
*/
|
82 |
|
|
function openid_test_menu_site_status_alter(&$menu_site_status, $path) {
|
83 |
|
|
// Allow access to openid endpoint and identity even in offline mode.
|
84 |
|
|
if ($menu_site_status == MENU_SITE_OFFLINE && user_is_anonymous() && in_array($path, array('openid-test/yadis/xrds', 'openid-test/endpoint'))) {
|
85 |
|
|
$menu_site_status = MENU_SITE_ONLINE;
|
86 |
|
|
}
|
87 |
|
|
}
|
88 |
|
|
|
89 |
|
|
/**
|
90 |
|
|
* Menu callback; XRDS document that references the OP Endpoint URL.
|
91 |
|
|
*/
|
92 |
|
|
function openid_test_yadis_xrds() {
|
93 |
|
|
if ($_SERVER['HTTP_ACCEPT'] == 'application/xrds+xml') {
|
94 |
|
|
// Only respond to XRI requests for one specific XRI. The is used to verify
|
95 |
|
|
// that the XRI has been properly encoded. The "+" sign in the _xrd_r query
|
96 |
|
|
// parameter is decoded to a space by PHP.
|
97 |
|
|
if (arg(3) == 'xri') {
|
98 |
|
|
if (variable_get('clean_url', 0)) {
|
99 |
|
|
if (arg(4) != '@example*résumé;%25' || $_GET['_xrd_r'] != 'application/xrds xml') {
|
100 |
|
|
drupal_not_found();
|
101 |
|
|
}
|
102 |
|
|
}
|
103 |
|
|
else {
|
104 |
|
|
// Drupal cannot properly emulate an XRI proxy resolver using unclean
|
105 |
|
|
// URLs, so the arguments gets messed up.
|
106 |
|
|
if (arg(4) . '/' . arg(5) != '@example*résumé;%25?_xrd_r=application/xrds xml') {
|
107 |
|
|
drupal_not_found();
|
108 |
|
|
}
|
109 |
|
|
}
|
110 |
|
|
}
|
111 |
|
|
drupal_add_http_header('Content-Type', 'application/xrds+xml');
|
112 |
|
|
print '<?xml version="1.0" encoding="UTF-8"?>';
|
113 |
|
|
if (!empty($_GET['doctype'])) {
|
114 |
|
|
print "\n<!DOCTYPE dct [ <!ELEMENT blue (#PCDATA)> ]>\n";
|
115 |
|
|
}
|
116 |
|
|
print '
|
117 |
|
|
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
|
118 |
|
|
<XRD>
|
119 |
|
|
<Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
|
120 |
|
|
<ProviderID>xri://@</ProviderID>
|
121 |
|
|
<CanonicalID>http://example.com/user</CanonicalID>
|
122 |
|
|
<Service>
|
123 |
|
|
<Type>http://example.com/this-is-ignored</Type>
|
124 |
|
|
</Service>
|
125 |
|
|
<Service priority="5">
|
126 |
|
|
<Type>http://openid.net/signon/1.0</Type>
|
127 |
|
|
<URI>http://example.com/this-is-only-openid-1.0</URI>
|
128 |
|
|
</Service>
|
129 |
|
|
<Service priority="10">
|
130 |
|
|
<Type>http://specs.openid.net/auth/2.0/signon</Type>
|
131 |
|
|
<Type>http://openid.net/srv/ax/1.0</Type>
|
132 |
|
|
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
|
133 |
|
|
<LocalID>http://example.com/xrds</LocalID>
|
134 |
|
|
</Service>
|
135 |
|
|
<Service priority="15">
|
136 |
|
|
<Type>http://specs.openid.net/auth/2.0/signon</Type>
|
137 |
|
|
<URI>http://example.com/this-has-too-low-priority</URI>
|
138 |
|
|
</Service>
|
139 |
|
|
<Service>
|
140 |
|
|
<Type>http://specs.openid.net/auth/2.0/signon</Type>
|
141 |
|
|
<URI>http://example.com/this-has-too-low-priority</URI>
|
142 |
|
|
</Service>
|
143 |
|
|
';
|
144 |
|
|
if (arg(3) == 'server') {
|
145 |
|
|
print '
|
146 |
|
|
<Service>
|
147 |
|
|
<Type>http://specs.openid.net/auth/2.0/server</Type>
|
148 |
|
|
<URI>http://example.com/this-has-too-low-priority</URI>
|
149 |
|
|
</Service>
|
150 |
|
|
<Service priority="20">
|
151 |
|
|
<Type>http://specs.openid.net/auth/2.0/server</Type>
|
152 |
|
|
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
|
153 |
1afa1695
|
Assos Assos
|
<LocalID>' . url('openid-test/yadis/xrds/server', array('absolute' => TRUE)) . '</LocalID>
|
154 |
85ad3d82
|
Assos Assos
|
</Service>';
|
155 |
|
|
}
|
156 |
|
|
elseif (arg(3) == 'delegate') {
|
157 |
|
|
print '
|
158 |
|
|
<Service priority="0">
|
159 |
|
|
<Type>http://specs.openid.net/auth/2.0/signon</Type>
|
160 |
|
|
<Type>http://openid.net/srv/ax/1.0</Type>
|
161 |
|
|
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
|
162 |
|
|
<openid:Delegate>http://example.com/xrds-delegate</openid:Delegate>
|
163 |
|
|
</Service>';
|
164 |
|
|
}
|
165 |
|
|
print '
|
166 |
|
|
</XRD>
|
167 |
|
|
</xrds:XRDS>';
|
168 |
|
|
}
|
169 |
|
|
else {
|
170 |
|
|
return t('This is a regular HTML page. If the client sends an Accept: application/xrds+xml header when requesting this URL, an XRDS document is returned.');
|
171 |
|
|
}
|
172 |
|
|
}
|
173 |
|
|
|
174 |
|
|
/**
|
175 |
|
|
* Menu callback; regular HTML page with an X-XRDS-Location HTTP header.
|
176 |
|
|
*/
|
177 |
|
|
function openid_test_yadis_x_xrds_location() {
|
178 |
|
|
drupal_add_http_header('X-XRDS-Location', url('openid-test/yadis/xrds', array('absolute' => TRUE)));
|
179 |
|
|
return t('This page includes an X-RDS-Location HTTP header containing the URL of an XRDS document.');
|
180 |
|
|
}
|
181 |
|
|
|
182 |
|
|
/**
|
183 |
|
|
* Menu callback; regular HTML page with <meta> element.
|
184 |
|
|
*/
|
185 |
|
|
function openid_test_yadis_http_equiv() {
|
186 |
|
|
$element = array(
|
187 |
|
|
'#tag' => 'meta',
|
188 |
|
|
'#attributes' => array(
|
189 |
|
|
'http-equiv' => 'X-XRDS-Location',
|
190 |
|
|
'content' => url('openid-test/yadis/xrds', array('absolute' => TRUE)),
|
191 |
|
|
),
|
192 |
|
|
);
|
193 |
|
|
drupal_add_html_head($element, 'openid_test_yadis_http_equiv');
|
194 |
|
|
return t('This page includes a <meta equiv=...> element containing the URL of an XRDS document.');
|
195 |
|
|
}
|
196 |
|
|
|
197 |
|
|
/**
|
198 |
|
|
* Menu callback; regular HTML page with OpenID 1.0 <link> element.
|
199 |
|
|
*/
|
200 |
|
|
function openid_test_html_openid1() {
|
201 |
|
|
drupal_add_html_head_link(array('rel' => 'openid.server', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
|
202 |
|
|
drupal_add_html_head_link(array('rel' => 'openid.delegate', 'href' => 'http://example.com/html-openid1'));
|
203 |
|
|
return t('This page includes a <link rel=...> element containing the URL of an OpenID Provider Endpoint.');
|
204 |
|
|
}
|
205 |
|
|
|
206 |
|
|
/**
|
207 |
|
|
* Menu callback; regular HTML page with OpenID 2.0 <link> element.
|
208 |
|
|
*/
|
209 |
|
|
function openid_test_html_openid2() {
|
210 |
|
|
drupal_add_html_head_link(array('rel' => 'openid2.provider', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
|
211 |
|
|
drupal_add_html_head_link(array('rel' => 'openid2.local_id', 'href' => 'http://example.com/html-openid2'));
|
212 |
|
|
return t('This page includes a <link rel=...> element containing the URL of an OpenID Provider Endpoint.');
|
213 |
|
|
}
|
214 |
|
|
|
215 |
|
|
/**
|
216 |
|
|
* Menu callback; OpenID Provider Endpoint.
|
217 |
|
|
*
|
218 |
|
|
* It accepts "associate" requests directly from the Relying Party, and
|
219 |
|
|
* "checkid_setup" requests made by the user's browser based on HTTP redirects
|
220 |
|
|
* (in OpenID 1) or HTML forms (in OpenID 2) generated by the Relying Party.
|
221 |
|
|
*/
|
222 |
|
|
function openid_test_endpoint() {
|
223 |
|
|
switch ($_REQUEST['openid_mode']) {
|
224 |
|
|
case 'associate':
|
225 |
|
|
_openid_test_endpoint_associate();
|
226 |
|
|
break;
|
227 |
|
|
case 'checkid_setup':
|
228 |
|
|
_openid_test_endpoint_authenticate();
|
229 |
|
|
break;
|
230 |
|
|
}
|
231 |
|
|
}
|
232 |
|
|
|
233 |
|
|
/**
|
234 |
|
|
* Menu callback; redirect during Normalization/Discovery.
|
235 |
|
|
*/
|
236 |
|
|
function openid_test_redirect($count = 0) {
|
237 |
|
|
if ($count == 0) {
|
238 |
|
|
$url = variable_get('openid_test_redirect_url', '');
|
239 |
|
|
}
|
240 |
|
|
else {
|
241 |
|
|
$url = url('openid-test/redirect/' . --$count, array('absolute' => TRUE));
|
242 |
|
|
}
|
243 |
|
|
$http_response_code = variable_get('openid_test_redirect_http_reponse_code', 301);
|
244 |
|
|
header('Location: ' . $url, TRUE, $http_response_code);
|
245 |
|
|
exit();
|
246 |
|
|
}
|
247 |
|
|
|
248 |
|
|
/**
|
249 |
|
|
* Menu callback; respond with appropriate callback.
|
250 |
|
|
*/
|
251 |
|
|
function openid_test_redirected_method($method1, $method2) {
|
252 |
|
|
return call_user_func('openid_test_' . $method1 . '_' . $method2);
|
253 |
|
|
}
|
254 |
|
|
|
255 |
|
|
/**
|
256 |
|
|
* OpenID endpoint; handle "associate" requests (see OpenID Authentication 2.0,
|
257 |
|
|
* section 8).
|
258 |
|
|
*
|
259 |
|
|
* The purpose of association is to send the secret MAC key to the Relying Party
|
260 |
|
|
* using Diffie-Hellman key exchange. The MAC key is used in subsequent
|
261 |
|
|
* "authenticate" requests. The "associate" request is made by the Relying Party
|
262 |
|
|
* (in the testing scenario, this is the OpenID module that communicates with
|
263 |
|
|
* the endpoint using drupal_http_request()).
|
264 |
|
|
*/
|
265 |
|
|
function _openid_test_endpoint_associate() {
|
266 |
|
|
module_load_include('inc', 'openid');
|
267 |
|
|
|
268 |
|
|
// Use default parameters for Diffie-Helmann key exchange.
|
269 |
|
|
$mod = OPENID_DH_DEFAULT_MOD;
|
270 |
|
|
$gen = OPENID_DH_DEFAULT_GEN;
|
271 |
|
|
|
272 |
|
|
// Generate private Diffie-Helmann key.
|
273 |
|
|
$r = _openid_dh_rand($mod);
|
274 |
|
|
$private = _openid_math_add($r, 1);
|
275 |
|
|
|
276 |
|
|
// Calculate public Diffie-Helmann key.
|
277 |
|
|
$public = _openid_math_powmod($gen, $private, $mod);
|
278 |
|
|
|
279 |
|
|
// Calculate shared secret based on Relying Party's public key.
|
280 |
|
|
$cpub = _openid_dh_base64_to_long($_REQUEST['openid_dh_consumer_public']);
|
281 |
|
|
$shared = _openid_math_powmod($cpub, $private, $mod);
|
282 |
|
|
|
283 |
|
|
// Encrypt the MAC key using the shared secret.
|
284 |
|
|
$enc_mac_key = base64_encode(_openid_dh_xorsecret($shared, base64_decode(variable_get('mac_key'))));
|
285 |
|
|
|
286 |
|
|
// Generate response including our public key and the MAC key. Using our
|
287 |
|
|
// public key and its own private key, the Relying Party can calculate the
|
288 |
|
|
// shared secret, and with this it can decrypt the encrypted MAC key.
|
289 |
|
|
$response = array(
|
290 |
|
|
'ns' => 'http://specs.openid.net/auth/2.0',
|
291 |
|
|
'assoc_handle' => 'openid-test',
|
292 |
|
|
'session_type' => $_REQUEST['openid_session_type'],
|
293 |
|
|
'assoc_type' => $_REQUEST['openid_assoc_type'],
|
294 |
|
|
'expires_in' => '3600',
|
295 |
|
|
'dh_server_public' => _openid_dh_long_to_base64($public),
|
296 |
|
|
'enc_mac_key' => $enc_mac_key,
|
297 |
|
|
);
|
298 |
|
|
|
299 |
|
|
// Respond to Relying Party in the special Key-Value Form Encoding (see OpenID
|
300 |
|
|
// Authentication 1.0, section 4.1.1).
|
301 |
|
|
drupal_add_http_header('Content-Type', 'text/plain');
|
302 |
|
|
print _openid_create_message($response);
|
303 |
|
|
}
|
304 |
|
|
|
305 |
|
|
/**
|
306 |
|
|
* OpenID endpoint; handle "authenticate" requests.
|
307 |
|
|
*
|
308 |
|
|
* All requests result in a successful response. The request is a GET or POST
|
309 |
|
|
* made by the user's browser based on an HTML form or HTTP redirect generated
|
310 |
|
|
* by the Relying Party. The user is redirected back to the Relying Party using
|
311 |
|
|
* a URL containing a signed message in the query string confirming the user's
|
312 |
|
|
* identity.
|
313 |
|
|
*/
|
314 |
|
|
function _openid_test_endpoint_authenticate() {
|
315 |
|
|
module_load_include('inc', 'openid');
|
316 |
|
|
|
317 |
|
|
$expected_identity = variable_get('openid_test_identity');
|
318 |
|
|
if ($expected_identity && $_REQUEST['openid_identity'] != $expected_identity) {
|
319 |
|
|
$response = variable_get('openid_test_response', array()) + array(
|
320 |
|
|
'openid.ns' => OPENID_NS_2_0,
|
321 |
|
|
'openid.mode' => 'error',
|
322 |
|
|
'openid.error' => 'Unexpted identity',
|
323 |
|
|
);
|
324 |
|
|
drupal_add_http_header('Content-Type', 'text/plain');
|
325 |
|
|
header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));
|
326 |
|
|
return;
|
327 |
|
|
}
|
328 |
|
|
|
329 |
|
|
// Generate unique identifier for this authentication.
|
330 |
|
|
$nonce = _openid_nonce();
|
331 |
|
|
|
332 |
|
|
// Generate response containing the user's identity.
|
333 |
|
|
$response = variable_get('openid_test_response', array()) + array(
|
334 |
|
|
'openid.ns' => OPENID_NS_2_0,
|
335 |
|
|
'openid.mode' => 'id_res',
|
336 |
|
|
'openid.op_endpoint' => url('openid-test/endpoint', array('absolute' => TRUE)),
|
337 |
|
|
'openid.claimed_id' => !empty($_REQUEST['openid_claimed_id']) ? $_REQUEST['openid_claimed_id'] : '',
|
338 |
|
|
'openid.identity' => $_REQUEST['openid_identity'],
|
339 |
|
|
'openid.return_to' => $_REQUEST['openid_return_to'],
|
340 |
|
|
'openid.response_nonce' => $nonce,
|
341 |
|
|
'openid.assoc_handle' => 'openid-test',
|
342 |
|
|
);
|
343 |
|
|
|
344 |
|
|
if (isset($response['openid.signed'])) {
|
345 |
|
|
$keys_to_sign = explode(',', $response['openid.signed']);
|
346 |
|
|
}
|
347 |
|
|
else {
|
348 |
|
|
// Unless openid.signed is explicitly defined, all keys are signed.
|
349 |
|
|
$keys_to_sign = array();
|
350 |
|
|
foreach ($response as $key => $value) {
|
351 |
|
|
// Strip off the "openid." prefix.
|
352 |
|
|
$keys_to_sign[] = substr($key, 7);
|
353 |
|
|
}
|
354 |
|
|
$response['openid.signed'] = implode(',', $keys_to_sign);
|
355 |
|
|
}
|
356 |
|
|
|
357 |
|
|
// Sign the message using the MAC key that was exchanged during association.
|
358 |
|
|
$association = new stdClass();
|
359 |
|
|
$association->mac_key = variable_get('mac_key');
|
360 |
|
|
if (!isset($response['openid.sig'])) {
|
361 |
|
|
$response['openid.sig'] = _openid_signature($association, $response, $keys_to_sign);
|
362 |
|
|
}
|
363 |
|
|
|
364 |
|
|
// Put the signed message into the query string of a URL supplied by the
|
365 |
|
|
// Relying Party, and redirect the user.
|
366 |
|
|
drupal_add_http_header('Content-Type', 'text/plain');
|
367 |
|
|
header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));
|
368 |
|
|
} |