diff options
Diffstat (limited to 'plugins/openid/lib/Auth/OpenID/Server.php')
| -rw-r--r-- | plugins/openid/lib/Auth/OpenID/Server.php | 344 |
1 files changed, 280 insertions, 64 deletions
diff --git a/plugins/openid/lib/Auth/OpenID/Server.php b/plugins/openid/lib/Auth/OpenID/Server.php index 5984c002..df8550a0 100644 --- a/plugins/openid/lib/Auth/OpenID/Server.php +++ b/plugins/openid/lib/Auth/OpenID/Server.php @@ -2,7 +2,7 @@ /** * OpenID server protocol and logic. - * + * * Overview * * An OpenID server must perform three tasks: @@ -10,7 +10,7 @@ * 1. Examine the incoming request to determine its nature and validity. * 2. Make a decision about how to respond to this request. * 3. Format the response according to the protocol. - * + * * The first and last of these tasks may performed by the {@link * Auth_OpenID_Server::decodeRequest()} and {@link * Auth_OpenID_Server::encodeResponse} methods. Who gets to do the @@ -37,7 +37,7 @@ * {@link Auth_OpenID_Server::handleRequest()}. * * OpenID Extensions - * + * * Do you want to provide other information for your users in addition * to authentication? Version 1.2 of the OpenID protocol allows * consumers to add extensions to their requests. For example, with @@ -131,6 +131,9 @@ define('Auth_OpenID_ENCODE_HTML_FORM', 'HTML form'); /** * @access private + * @param object|string $obj + * @param string $cls + * @return bool */ function Auth_OpenID_isError($obj, $cls = 'Auth_OpenID_ServerError') { @@ -145,8 +148,26 @@ function Auth_OpenID_isError($obj, $cls = 'Auth_OpenID_ServerError') * @package OpenID */ class Auth_OpenID_ServerError { + + /** @var Auth_OpenID_Message|null */ + private $message = null; + + /** @var null|string */ + private $text; + + /** @var null|string */ + private $contact; + + /** @var null|string */ + private $reference; + /** - * @access private + * Auth_OpenID_ServerError constructor. + * + * @param Auth_OpenID_Message $message + * @param string $text + * @param string $reference + * @param string $contact */ function __construct($message = null, $text = null, $reference = null, $contact = null) @@ -310,6 +331,9 @@ class Auth_OpenID_NoReturnToError extends Auth_OpenID_ServerError { * @package OpenID */ class Auth_OpenID_MalformedReturnURL extends Auth_OpenID_ServerError { + + private $return_to; + function __construct($message, $return_to) { $this->return_to = $return_to; @@ -341,7 +365,20 @@ class Auth_OpenID_MalformedTrustRoot extends Auth_OpenID_ServerError { * @package OpenID */ class Auth_OpenID_Request { - var $mode = null; + + public $mode = null; + + /** @var Auth_OpenID_Message|null */ + public $message = null; + + /** + * The OpenID namespace for this request. + * deprecated since version 2.0.2 + */ + public $namespace = ''; + + /** @var string */ + public $return_to = ''; } /** @@ -350,11 +387,15 @@ class Auth_OpenID_Request { * @package OpenID */ class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request { - var $mode = "check_authentication"; - var $invalidate_handle = null; + public $mode = "check_authentication"; + public $invalidate_handle = null; + + private $sig = ''; + private $assoc_handle = ''; + private $signed = ''; + - function __construct($assoc_handle, $signed, - $invalidate_handle = null) + function __construct($assoc_handle, $signed, $invalidate_handle = null) { $this->assoc_handle = $assoc_handle; $this->signed = $signed; @@ -362,27 +403,26 @@ class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request { $this->invalidate_handle = $invalidate_handle; } $this->namespace = Auth_OpenID_OPENID2_NS; - $this->message = null; } - static function fromMessage($message, $server=null) + /** + * @param Auth_OpenID_Message $message + * @return Auth_OpenID_CheckAuthRequest|Auth_OpenID_ServerError + */ + static function fromMessage($message) { $required_keys = array('assoc_handle', 'sig', 'signed'); foreach ($required_keys as $k) { if (!$message->getArg(Auth_OpenID_OPENID_NS, $k)) { return new Auth_OpenID_ServerError($message, - sprintf("%s request missing required parameter %s from \ - query", "check_authentication", $k)); + sprintf("%s request missing required parameter %s from query", "check_authentication", $k)); } } $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle'); $sig = $message->getArg(Auth_OpenID_OPENID_NS, 'sig'); - $signed_list = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); - $signed_list = explode(",", $signed_list); - $signed = $message; if ($signed->hasKey(Auth_OpenID_OPENID_NS, 'mode')) { $signed->setArg(Auth_OpenID_OPENID_NS, 'mode', 'id_res'); @@ -396,6 +436,10 @@ class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request { return $result; } + /** + * @param Auth_OpenID_Signatory $signatory + * @return Auth_OpenID_ServerResponse + */ function answer($signatory) { $is_valid = $signatory->verify($this->assoc_handle, $this->signed); @@ -432,11 +476,11 @@ class Auth_OpenID_PlainTextServerSession { * An object that knows how to handle association requests with no * session type. */ - var $session_type = 'no-encryption'; - var $needs_math = false; - var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); + public $session_type = 'no-encryption'; + public $needs_math = false; + public $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); - static function fromMessage($unused_request) + static function fromMessage() { return new Auth_OpenID_PlainTextServerSession(); } @@ -458,17 +502,32 @@ class Auth_OpenID_DiffieHellmanSHA1ServerSession { * the Diffie-Hellman session type. */ - var $session_type = 'DH-SHA1'; - var $needs_math = true; - var $allowed_assoc_types = array('HMAC-SHA1'); - var $hash_func = 'Auth_OpenID_SHA1'; + public $session_type = 'DH-SHA1'; + public $needs_math = true; + public $allowed_assoc_types = array('HMAC-SHA1'); + public $hash_func = 'Auth_OpenID_SHA1'; + /** @var Auth_OpenID_DiffieHellman */ + private $dh; + + private $consumer_pubkey = ''; + + /** + * Auth_OpenID_DiffieHellmanSHA1ServerSession constructor. + * + * @param Auth_OpenID_DiffieHellman $dh + * @param string $consumer_pubkey + */ function __construct($dh, $consumer_pubkey) { $this->dh = $dh; $this->consumer_pubkey = $consumer_pubkey; } + /** + * @param Auth_OpenID_Message $message + * @return array|Auth_OpenID_ServerError + */ static function getDH($message) { $dh_modulus = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_modulus'); @@ -556,9 +615,9 @@ class Auth_OpenID_DiffieHellmanSHA1ServerSession { class Auth_OpenID_DiffieHellmanSHA256ServerSession extends Auth_OpenID_DiffieHellmanSHA1ServerSession { - var $session_type = 'DH-SHA256'; - var $hash_func = 'Auth_OpenID_SHA256'; - var $allowed_assoc_types = array('HMAC-SHA256'); + public $session_type = 'DH-SHA256'; + public $hash_func = 'Auth_OpenID_SHA256'; + public $allowed_assoc_types = array('HMAC-SHA256'); static function fromMessage($message) { @@ -580,7 +639,12 @@ class Auth_OpenID_DiffieHellmanSHA256ServerSession * @package OpenID */ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { - var $mode = "associate"; + public $mode = "associate"; + + /** @var Auth_OpenID_PlainTextServerSession */ + public $session; + + public $assoc_type = ''; static function getSessionClasses() { @@ -590,6 +654,12 @@ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ServerSession'); } + /** + * Auth_OpenID_AssociateRequest constructor. + * + * @param Auth_OpenID_PlainTextServerSession $session + * @param string $assoc_type + */ function __construct($session, $assoc_type) { $this->session = $session; @@ -597,7 +667,11 @@ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { $this->assoc_type = $assoc_type; } - static function fromMessage($message, $server=null) + /** + * @param Auth_OpenID_Message $message + * @return Auth_OpenID_AssociateRequest|Auth_OpenID_ServerError|mixed + */ + static function fromMessage($message) { if ($message->isOpenID1()) { $session_type = $message->getArg(Auth_OpenID_OPENID_NS, @@ -649,6 +723,10 @@ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { return $obj; } + /** + * @param Auth_OpenID_Association $assoc + * @return Auth_OpenID_ServerResponse + */ function answer($assoc) { $response = new Auth_OpenID_ServerResponse($this); @@ -661,7 +739,7 @@ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { $response->fields->updateArgs(Auth_OpenID_OPENID_NS, $this->session->answer($assoc->secret)); - if (! ($this->session->session_type == 'no-encryption' + if (! ($this->session->session_type == 'no-encryption' && $this->message->isOpenID1())) { $response->fields->setArg(Auth_OpenID_OPENID_NS, 'session_type', @@ -711,29 +789,42 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { * Return-to verification callback. Default is * Auth_OpenID_verifyReturnTo from TrustRoot.php. */ - var $verifyReturnTo = 'Auth_OpenID_verifyReturnTo'; + public $verifyReturnTo = 'Auth_OpenID_verifyReturnTo'; /** * The mode of this request. */ - var $mode = "checkid_setup"; // or "checkid_immediate" + public $mode = "checkid_setup"; // or "checkid_immediate" /** * Whether this request is for immediate mode. */ - var $immediate = false; + public $immediate = false; /** * The trust_root value for this request. */ - var $trust_root = null; + public $trust_root = null; + + public $assoc_handle = ''; + + /** @var Auth_OpenID_Server */ + private $server; + + private $claimed_id = ''; + + private $identity = ''; /** - * The OpenID namespace for this request. - * deprecated since version 2.0.2 + * @param Auth_OpenID_Message $message + * @param string $identity + * @param string $return_to + * @param string $trust_root + * @param bool $immediate + * @param string $assoc_handle + * @param Auth_OpenID_Server $server + * @return Auth_OpenID_CheckIDRequest|Auth_OpenID_MalformedReturnURL|Auth_OpenID_ServerError|Auth_OpenID_UntrustedReturnURL */ - var $namespace; - static function make($message, $identity, $return_to, $trust_root = null, $immediate = false, $assoc_handle = null, $server = null) { @@ -763,6 +854,17 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { } } + /** + * Auth_OpenID_CheckIDRequest constructor. + * + * @param $identity + * @param $return_to + * @param string $trust_root + * @param bool $immediate + * @param string $assoc_handle + * @param Auth_OpenID_Server $server + * @param string $claimed_id + */ function __construct($identity, $return_to, $trust_root = null, $immediate = false, $assoc_handle = null, $server = null, @@ -789,6 +891,10 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { } } + /** + * @param Auth_OpenID_CheckIDRequest $other + * @return bool + */ function equals($other) { return ( @@ -822,17 +928,18 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { array($this->trust_root, $this->return_to, $fetcher)); } + /** + * @param Auth_OpenID_Message $message + * @param Auth_OpenID_Server $server + * @return Auth_OpenID_CheckIDRequest|Auth_OpenID_MalformedReturnURL|Auth_OpenID_ServerError|Auth_OpenID_UntrustedReturnURL + */ static function fromMessage($message, $server) { $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); - $immediate = null; - if ($mode == "checkid_immediate") { $immediate = true; - $mode = "checkid_immediate"; } else { $immediate = false; - $mode = "checkid_setup"; } $return_to = $message->getArg(Auth_OpenID_OPENID_NS, @@ -872,13 +979,13 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { } else { $trust_root_param = 'realm'; } - $trust_root = $message->getArg(Auth_OpenID_OPENID_NS, + $trust_root = $message->getArg(Auth_OpenID_OPENID_NS, $trust_root_param); if (! $trust_root) { $trust_root = $return_to; } - if (! $message->isOpenID1() && + if (! $message->isOpenID1() && ($return_to === null) && ($trust_root === null)) { return new Auth_OpenID_ServerError($message, @@ -1025,7 +1132,7 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { } if ($allow) { - + $response_claimed_id = ''; if ($this->identity == Auth_OpenID_IDENTIFIER_SELECT) { if (!$identity) { return new Auth_OpenID_ServerError(null, @@ -1165,9 +1272,7 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { if ($this->immediate) { return new Auth_OpenID_ServerError(null, - "Cancel is not an appropriate \ - response to immediate mode \ - requests."); + "Cancel is not an appropriate response to immediate mode requests."); } $response = new Auth_OpenID_Message( @@ -1184,6 +1289,16 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { */ class Auth_OpenID_ServerResponse { + public $code; + + /** @var Auth_OpenID_Request */ + public $request; + + /** + * Auth_OpenID_ServerResponse constructor. + * + * @param Auth_OpenID_Request $request + */ function __construct($request) { $this->request = $request; @@ -1244,6 +1359,9 @@ class Auth_OpenID_ServerResponse { return $this->fields->toURL($this->request->return_to); } + /** + * @param Auth_OpenID_Extension $extension_response + */ function addExtension($extension_response) { $extension_response->toMessage($this->fields); @@ -1268,8 +1386,8 @@ class Auth_OpenID_ServerResponse { * @package OpenID */ class Auth_OpenID_WebResponse { - var $code = AUTH_OPENID_HTTP_OK; - var $body = ""; + public $code = AUTH_OPENID_HTTP_OK; + public $body = ""; function __construct($code = null, $headers = null, $body = null) @@ -1299,17 +1417,22 @@ class Auth_OpenID_WebResponse { class Auth_OpenID_Signatory { // = 14 * 24 * 60 * 60; # 14 days, in seconds - var $SECRET_LIFETIME = 1209600; + public $SECRET_LIFETIME = 1209600; // keys have a bogus server URL in them because the filestore // really does expect that key to be a URL. This seems a little // silly for the server store, since I expect there to be only one // server URL. - var $normal_key = 'http://localhost/|normal'; - var $dumb_key = 'http://localhost/|dumb'; + public $normal_key = 'http://localhost/|normal'; + public $dumb_key = 'http://localhost/|dumb'; + + /** @var Auth_OpenID_OpenIDStore */ + private $store; /** * Create a new signatory using a given store. + * + * @param Auth_OpenID_OpenIDStore $store */ function __construct($store) { @@ -1320,6 +1443,10 @@ class Auth_OpenID_Signatory { /** * Verify, using a given association handle, a signature with * signed key-value pairs from an HTTP request. + * + * @param string $assoc_handle + * @param Auth_OpenID_Message $message + * @return bool */ function verify($assoc_handle, $message) { @@ -1336,11 +1463,16 @@ class Auth_OpenID_Signatory { /** * Given a response, sign the fields in the response's 'signed' * list, and insert the signature into the response. + * + * @param Auth_OpenID_ServerResponse $response + * @return mixed */ function sign($response) { $signed_response = $response; - $assoc_handle = $response->request->assoc_handle; + /** @var Auth_OpenID_CheckIDRequest $request */ + $request = $response->request; + $assoc_handle = $request->assoc_handle; if ($assoc_handle) { // normal mode @@ -1369,6 +1501,10 @@ class Auth_OpenID_Signatory { /** * Make a new association. + * + * @param bool $dumb + * @param string $assoc_type + * @return Auth_OpenID_Association */ function createAssociation($dumb = true, $assoc_type = 'HMAC-SHA1') { @@ -1394,6 +1530,11 @@ class Auth_OpenID_Signatory { /** * Given an association handle, get the association from the * store, or return a ServerError or null if something goes wrong. + * + * @param string $assoc_handle + * @param bool $dumb + * @param bool $check_expiration + * @return Auth_OpenID_Association|Auth_OpenID_ServerError|null */ function getAssociation($assoc_handle, $dumb, $check_expiration=true) { @@ -1422,6 +1563,9 @@ class Auth_OpenID_Signatory { /** * Invalidate a given association handle. + * + * @param string $assoc_handle + * @param bool $dumb */ function invalidate($assoc_handle, $dumb) { @@ -1442,11 +1586,14 @@ class Auth_OpenID_Signatory { */ class Auth_OpenID_Encoder { - var $responseFactory = 'Auth_OpenID_WebResponse'; + public $responseFactory = 'Auth_OpenID_WebResponse'; /** * Encode an {@link Auth_OpenID_ServerResponse} and return an * {@link Auth_OpenID_WebResponse}. + * + * @param Auth_OpenID_ServerResponse $response + * @return Auth_OpenID_EncodingError */ function encode($response) { @@ -1483,6 +1630,14 @@ class Auth_OpenID_Encoder { */ class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder { + /** @var Auth_OpenID_Signatory */ + private $signatory; + + /** + * Auth_OpenID_SigningEncoder constructor. + * + * @param Auth_OpenID_Signatory $signatory + */ function __construct($signatory) { $this->signatory = $signatory; @@ -1491,6 +1646,9 @@ class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder { /** * Sign an {@link Auth_OpenID_ServerResponse} and return an * {@link Auth_OpenID_WebResponse}. + * + * @param Auth_OpenID_ServerResponse $response + * @return Auth_OpenID_AlreadySigned|Auth_OpenID_EncodingError|Auth_OpenID_ServerError */ function encode($response) { @@ -1521,21 +1679,32 @@ class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder { */ class Auth_OpenID_Decoder { + /** @var Auth_OpenID_Server */ + private $server; + + private $handlers = array( + 'checkid_setup' => 'Auth_OpenID_CheckIDRequest', + 'checkid_immediate' => 'Auth_OpenID_CheckIDRequest', + 'check_authentication' => 'Auth_OpenID_CheckAuthRequest', + 'associate' => 'Auth_OpenID_AssociateRequest' + ); + + /** + * Auth_OpenID_Decoder constructor. + * + * @param Auth_OpenID_Server $server + */ function __construct($server) { $this->server = $server; - - $this->handlers = array( - 'checkid_setup' => 'Auth_OpenID_CheckIDRequest', - 'checkid_immediate' => 'Auth_OpenID_CheckIDRequest', - 'check_authentication' => 'Auth_OpenID_CheckAuthRequest', - 'associate' => 'Auth_OpenID_AssociateRequest' - ); } /** * Given an HTTP query in an array (key-value pairs), decode it * into an Auth_OpenID_Request object. + * + * @param array $query + * @return Auth_OpenID_ServerError|mixed */ function decode($query) { @@ -1584,6 +1753,10 @@ class Auth_OpenID_Decoder { } } + /** + * @param Auth_OpenID_Message $message + * @return Auth_OpenID_ServerError + */ function defaultDecoder($message) { $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); @@ -1628,8 +1801,18 @@ class Auth_OpenID_AlreadySigned extends Auth_OpenID_EncodingError { * @package OpenID */ class Auth_OpenID_UntrustedReturnURL extends Auth_OpenID_ServerError { - function __construct($message, $return_to, - $trust_root) + + private $return_to = ''; + private $trust_root = ''; + + /** + * Auth_OpenID_UntrustedReturnURL constructor. + * + * @param Auth_OpenID_Message|null $message + * @param null|string $return_to + * @param null|string $trust_root + */ + function __construct($message, $return_to, $trust_root) { parent::__construct($message, "Untrusted return_to URL"); $this->return_to = $return_to; @@ -1681,6 +1864,27 @@ class Auth_OpenID_UntrustedReturnURL extends Auth_OpenID_ServerError { * @package OpenID */ class Auth_OpenID_Server { + + /** @var Auth_OpenID_OpenIDStore */ + private $store; + /** @var Auth_OpenID_Signatory */ + private $signatory; + /** @var Auth_OpenID_SigningEncoder */ + private $encoder; + /** @var Auth_OpenID_Decoder */ + private $decoder; + /** @var Auth_OpenID_SessionNegotiator */ + private $negotiator; + + /** @var Auth_OpenID_ServiceEndpoint|null */ + public $op_endpoint; + + /** + * Auth_OpenID_Server constructor. + * + * @param Auth_OpenID_OpenIDStore $store + * @param Auth_OpenID_ServiceEndpoint|null $op_endpoint + */ function __construct($store, $op_endpoint=null) { $this->store = $store; @@ -1713,6 +1917,9 @@ class Auth_OpenID_Server { /** * The callback for 'check_authentication' messages. + * + * @param Auth_OpenID_CheckAuthRequest $request + * @return mixed */ function openid_check_authentication($request) { @@ -1721,6 +1928,9 @@ class Auth_OpenID_Server { /** * The callback for 'associate' messages. + * + * @param Auth_OpenID_AssociateRequest $request + * @return mixed */ function openid_associate($request) { @@ -1744,6 +1954,9 @@ class Auth_OpenID_Server { /** * Encodes as response in the appropriate format suitable for * sending to the user agent. + * + * @param Auth_OpenID_ServerResponse $response + * @return Auth_OpenID_AlreadySigned|Auth_OpenID_EncodingError|Auth_OpenID_ServerError */ function encodeResponse($response) { @@ -1753,6 +1966,9 @@ class Auth_OpenID_Server { /** * Decodes a query args array into the appropriate * {@link Auth_OpenID_Request} object. + * + * @param array|null $query + * @return Auth_OpenID_ServerError|mixed */ function decodeRequest($query=null) { |