Newer
Older
Dries Buytaert
committed
<?php
// $Id$
/**
* @file
* Dummy OpenID Provider used with SimpleTest.
*
* The provider simply responds positively to all authentication requests. In
* addition to a Provider Endpoint (a URL used for Drupal to communicate with
* the provider using the OpenID Authentication protocol) the module provides
* URLs used by the various discovery mechanisms.
*
* When a user enters an OpenID identity, the Relying Party (in the testing
* scenario, this is the OpenID module) looks up the URL of the Provider
* Endpoint using one of several discovery mechanisms. The Relying Party then
* redirects the user to Provider Endpoint. The provider verifies the user's
* identity and redirects the user back to the Relying Party accompanied by a
* signed message confirming the identity. Before redirecting to a provider for
* the first time, the Relying Party fetches a secret MAC key from the provider
* by doing a direct "associate" HTTP request to the Provider Endpoint. This
* key is used for verifying the signed messages from the provider.
*/
/**
Dries Buytaert
committed
* Implement hook_menu().
Dries Buytaert
committed
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
*/
function openid_test_menu() {
$items['openid-test/yadis/xrds'] = array(
'title' => 'XRDS service document',
'page callback' => 'openid_test_yadis_xrds',
'access callback' => TRUE,
'type' => MENU_CALLBACK,
);
$items['openid-test/yadis/x-xrds-location'] = array(
'title' => 'Yadis discovery using X-XRDS-Location header',
'page callback' => 'openid_test_yadis_x_xrds_location',
'access callback' => TRUE,
'type' => MENU_CALLBACK,
);
$items['openid-test/yadis/http-equiv'] = array(
'title' => 'Yadis discovery using <meta http-equiv="X-XRDS-Location" ...>',
'page callback' => 'openid_test_yadis_http_equiv',
'access callback' => TRUE,
'type' => MENU_CALLBACK,
);
$items['openid-test/html/openid1'] = array(
'title' => 'HTML-based discovery using <link rel="openid.server" ...>',
'page callback' => 'openid_test_html_openid1',
'access callback' => TRUE,
'type' => MENU_CALLBACK,
);
$items['openid-test/html/openid2'] = array(
'title' => 'HTML-based discovery using <link rel="openid2.provider" ...>',
'page callback' => 'openid_test_html_openid2',
'access callback' => TRUE,
'type' => MENU_CALLBACK,
);
$items['openid-test/endpoint'] = array(
'title' => 'OpenID Provider Endpoint',
'page callback' => 'openid_test_endpoint',
'access callback' => TRUE,
'type' => MENU_CALLBACK,
);
return $items;
}
/**
* Menu callback; XRDS document that references the OP Endpoint URL.
*/
function openid_test_yadis_xrds() {
if ($_SERVER['HTTP_ACCEPT'] == 'application/xrds+xml') {
drupal_set_header('Content-Type', 'application/xrds+xml');
print '<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service>
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
</Service>
<XRD>
</xrds:XRDS>';
}
else {
return t('This is a regular HTML page. If the client sends an Accept: application/xrds+xml header when requesting this URL, an XRDS document is returned.');
}
}
/**
* Menu callback; regular HTML page with an X-XRDS-Location HTTP header.
*/
function openid_test_yadis_x_xrds_location() {
drupal_set_header('X-XRDS-Location', url('openid-test/yadis/xrds', array('absolute' => TRUE)));
return t('This page includes an X-RDS-Location HTTP header containing the URL of an XRDS document.');
}
/**
* Menu callback; regular HTML page with <meta> element.
*/
function openid_test_yadis_http_equiv() {
drupal_add_html_head('<meta http-equiv="X-XRDS-Location" content="' . url('openid-test/yadis/xrds', array('absolute' => TRUE)) . '" />');
return t('This page includes a <meta equiv=...> element containing the URL of an XRDS document.');
}
/**
* Menu callback; regular HTML page with OpenID 1.0 <link> element.
*/
function openid_test_html_openid1() {
drupal_add_html_head('<link rel="openid.server" href="' . url('openid-test/endpoint', array('absolute' => TRUE)) . '" />');
return t('This page includes a <link rel=...> element containing the URL of an OpenID Provider Endpoint.');
}
/**
* Menu callback; regular HTML page with OpenID 2.0 <link> element.
*/
function openid_test_html_openid2() {
drupal_add_html_head('<link rel="openid2.provider" href="' . url('openid-test/endpoint', array('absolute' => TRUE)) . '" />');
return t('This page includes a <link rel=...> element containing the URL of an OpenID Provider Endpoint.');
}
/**
* Menu callback; OpenID Provider Endpoint.
*
* It accepts "associate" requests directly from the Relying Party, and
* "checkid_setup" requests made by the user's browser based on HTTP redirects
* (in OpenID 1) or HTML forms (in OpenID 2) generated by the Relying Party.
*/
function openid_test_endpoint() {
switch ($_REQUEST['openid_mode']) {
case 'associate';
_openid_test_endpoint_associate();
break;
case 'checkid_setup';
_openid_test_endpoint_authenticate();
break;
}
}
/**
* OpenID endpoint; handle "associate" requests (see OpenID Authentication 2.0,
* section 8).
*
* The purpose of association is to send the secret MAC key to the Relying Party
* using Diffie-Hellman key exchange. The MAC key is used in subsequent
* "authenticate" requests. The "associate" request is made by the Relying Party
* (in the testing scenario, this is the OpenID module that communicates with
* the endpoint using drupal_http_request()).
*/
function _openid_test_endpoint_associate() {
module_load_include('inc', 'openid');
// Use default parameters for Diffie-Helmann key exchange.
$mod = OPENID_DH_DEFAULT_MOD;
$gen = OPENID_DH_DEFAULT_GEN;
// Generate private Diffie-Helmann key.
$r = _openid_dh_rand($mod);
$private = bcadd($r, 1);
// Calculate public Diffie-Helmann key.
$public = bcpowmod($gen, $private, $mod);
// Calculate shared secret based on Relying Party's public key.
$cpub = _openid_dh_base64_to_long($_REQUEST['openid_dh_consumer_public']);
$shared = bcpowmod($cpub, $private, $mod);
// Encrypt the MAC key using the shared secret.
$enc_mac_key = base64_encode(_openid_dh_xorsecret($shared, base64_decode(variable_get('mac_key'))));
// Generate response including our public key and the MAC key. Using our
// public key and its own private key, the Relying Party can calculate the
// shared secret, and with this it can decrypt the encrypted MAC key.
$response = array(
'ns' => 'http://specs.openid.net/auth/2.0',
'assoc_handle' => 'openid-test',
'session_type' => $_REQUEST['openid_session_type'],
'assoc_type' => $_REQUEST['openid_assoc_type'],
'expires_in' => '3600',
'dh_server_public' => _openid_dh_long_to_base64($public),
'enc_mac_key' => $enc_mac_key,
);
// Respond to Relying Party in the special Key-Value Form Encoding (see OpenID
// Authentication 1.0, section 4.1.1).
drupal_set_header('Content-Type', 'text/plain');
print _openid_create_message($response);
}
/**
* OpenID endpoint; handle "authenticate" requests.
*
* All requests result in a successful response. The request is a GET or POST
* made by the user's browser based on an HTML form or HTTP redirect generated
* by the Relying Party. The user is redirected back to the Relying Party using
* a URL containing a signed message in the query string confirming the user's
* identity.
*/
function _openid_test_endpoint_authenticate() {
global $base_url;
module_load_include('inc', 'openid');
// Generate unique identifier for this authentication.
$nonce = _openid_nonce();
// Generate response containing the user's identity. The openid.sreg.xxx
// entries contain profile data stored by the OpenID Provider (see OpenID
// Simple Registration Extension 1.0).
$response = array(
'openid.ns' => OPENID_NS_2_0,
Dries Buytaert
committed
'openid.mode' => 'id_res',
'openid.op_endpoint' => $base_url . url('openid/provider'),
// openid.claimed_id is not sent by OpenID 1 clients.
'openid.claimed_id' => isset($_REQUEST['openid_claimed_id']) ? $_REQUEST['openid_claimed_id'] : '',
Dries Buytaert
committed
'openid.identity' => $_REQUEST['openid_identity'],
'openid.return_to' => $_REQUEST['openid_return_to'],
'openid.response_nonce' => $nonce,
'openid.assoc_handle' => 'openid-test',
'openid.sreg.email' => 'johndoe@example.com',
'openid.sreg.nickname' => 'johndoe',
'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle',
);
// Sign the message using the MAC key that was exchanged during association.
$association = new stdClass;
$association->mac_key = variable_get('mac_key');
$keys_to_sign = explode(',', $response['openid.signed']);
$response['openid.sig'] = _openid_signature($association, $response, $keys_to_sign);
// Put the signed message into the query string of a URL supplied by the
// Relying Party, and redirect the user.
drupal_set_header('Content-Type', 'text/plain');
Dries Buytaert
committed
header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));