openid_test.module

Dummy OpenID Provider used with SimpleTest.

The provider simply responds positively to all authentication requests. In addition to a Provider Endpoint (a URL used for Drupal to communicate with the provider using the OpenID Authentication protocol) the module provides URLs used by the various discovery mechanisms.

When a user enters an OpenID identity, the Relying Party (in the testing scenario, this is the OpenID module) looks up the URL of the Provider Endpoint using one of several discovery mechanisms. The Relying Party then redirects the user to Provider Endpoint. The provider verifies the user's identity and redirects the user back to the Relying Party accompanied by a signed message confirming the identity. Before redirecting to a provider for the first time, the Relying Party fetches a secret MAC key from the provider by doing a direct "associate" HTTP request to the Provider Endpoint. This key is used for verifying the signed messages from the provider.

File

drupal-7.x/modules/openid/tests/openid_test.module
View source
  1. <?php

  2. 

  3. /**

  4.  * @file

  5.  * Dummy OpenID Provider used with SimpleTest.

  6.  *

  7.  * The provider simply responds positively to all authentication requests. In

  8.  * addition to a Provider Endpoint (a URL used for Drupal to communicate with

  9.  * the provider using the OpenID Authentication protocol) the module provides

  10.  * URLs used by the various discovery mechanisms.

  11.  *

  12.  * When a user enters an OpenID identity, the Relying Party (in the testing

  13.  * scenario, this is the OpenID module) looks up the URL of the Provider

  14.  * Endpoint using one of several discovery mechanisms. The Relying Party then

  15.  * redirects the user to Provider Endpoint. The provider verifies the user's

  16.  * identity and redirects the user back to the Relying Party accompanied by a

  17.  * signed message confirming the identity. Before redirecting to a provider for

  18.  * the first time, the Relying Party fetches a secret MAC key from the provider

  19.  * by doing a direct "associate" HTTP request to the Provider Endpoint. This

  20.  * key is used for verifying the signed messages from the provider.

  21.  */

  22. 

  23. /**

  24.  * Implements hook_menu().

  25.  */

  26. function openid_test_menu() {

  27.   $items['openid-test/yadis/xrds'] = array(

  28.     'title' => 'XRDS service document',

  29.     'page callback' => 'openid_test_yadis_xrds',

  30.     'access callback' => TRUE,

  31.     'type' => MENU_CALLBACK,

  32.   );

  33.   $items['openid-test/yadis/x-xrds-location'] = array(

  34.     'title' => 'Yadis discovery using X-XRDS-Location header',

  35.     'page callback' => 'openid_test_yadis_x_xrds_location',

  36.     'access callback' => TRUE,

  37.     'type' => MENU_CALLBACK,

  38.   );

  39.   $items['openid-test/yadis/http-equiv'] = array(

  40.     'title' => 'Yadis discovery using <meta http-equiv="X-XRDS-Location" ...>',

  41.     'page callback' => 'openid_test_yadis_http_equiv',

  42.     'access callback' => TRUE,

  43.     'type' => MENU_CALLBACK,

  44.   );

  45.   $items['openid-test/html/openid1'] = array(

  46.     'title' => 'HTML-based discovery using <link rel="openid.server" ...>',

  47.     'page callback' => 'openid_test_html_openid1',

  48.     'access callback' => TRUE,

  49.     'type' => MENU_CALLBACK,

  50.   );

  51.   $items['openid-test/html/openid2'] = array(

  52.     'title' => 'HTML-based discovery using <link rel="openid2.provider" ...>',

  53.     'page callback' => 'openid_test_html_openid2',

  54.     'access callback' => TRUE,

  55.     'type' => MENU_CALLBACK,

  56.   );

  57.   $items['openid-test/endpoint'] = array(

  58.     'title' => 'OpenID Provider Endpoint',

  59.     'page callback' => 'openid_test_endpoint',

  60.     'access callback' => TRUE,

  61.     'type' => MENU_CALLBACK,

  62.   );

  63.   $items['openid-test/redirect'] = array(

  64.     'title' => 'OpenID Provider Redirection Point',

  65.     'page callback' => 'openid_test_redirect',

  66.     'access callback' => TRUE,

  67.     'type' => MENU_CALLBACK,

  68.   );

  69.   $items['openid-test/redirected/%/%'] = array(

  70.     'title' => 'OpenID Provider Final URL',

  71.     'page callback' => 'openid_test_redirected_method',

  72.     'page arguments' => array(2, 3),

  73.     'access callback' => TRUE,

  74.     'type' => MENU_CALLBACK,

  75.   );

  76.   return $items;

  77. }

  78. 

  79. /**

  80.  * Implements hook_menu_site_status_alter().

  81.  */

  82. function openid_test_menu_site_status_alter(&$menu_site_status, $path) {

  83.   // Allow access to openid endpoint and identity even in offline mode.

  84.   if ($menu_site_status == MENU_SITE_OFFLINE && user_is_anonymous() && in_array($path, array('openid-test/yadis/xrds', 'openid-test/endpoint'))) {

  85.     $menu_site_status = MENU_SITE_ONLINE;

  86.   }

  87. }

  88. 

  89. /**

  90.  * Menu callback; XRDS document that references the OP Endpoint URL.

  91.  */

  92. function openid_test_yadis_xrds() {

  93.   if ($_SERVER['HTTP_ACCEPT'] == 'application/xrds+xml') {

  94.     // Only respond to XRI requests for one specific XRI. The is used to verify

  95.     // that the XRI has been properly encoded. The "+" sign in the _xrd_r query

  96.     // parameter is decoded to a space by PHP.

  97.     if (arg(3) == 'xri') {

  98.       if (variable_get('clean_url', 0)) {

  99.         if (arg(4) != '@example*résumé;%25' || $_GET['_xrd_r'] != 'application/xrds xml') {

  100.           drupal_not_found();

  101.         }

  102.       }

  103.       else {

  104.         // Drupal cannot properly emulate an XRI proxy resolver using unclean

  105.         // URLs, so the arguments gets messed up.

  106.         if (arg(4) . '/' . arg(5) != '@example*résumé;%25?_xrd_r=application/xrds xml') {

  107.           drupal_not_found();

  108.         }

  109.       }

  110.     }

  111.     drupal_add_http_header('Content-Type', 'application/xrds+xml');

  112.     print '<?xml version="1.0" encoding="UTF-8"?>';

  113.     if (!empty($_GET['doctype'])) {

  114.       print "\n<!DOCTYPE dct [ <!ELEMENT blue (#PCDATA)> ]>\n";

  115.     }

  116.     print '

  117.       <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">

  118.         <XRD>

  119.           <Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>

  120.           <ProviderID>xri://@</ProviderID>

  121.           <CanonicalID>http://example.com/user</CanonicalID>

  122.           <Service>

  123.             <Type>http://example.com/this-is-ignored</Type>

  124.           </Service>

  125.           <Service priority="5">

  126.             <Type>http://openid.net/signon/1.0</Type>

  127.             <URI>http://example.com/this-is-only-openid-1.0</URI>

  128.           </Service>

  129.           <Service priority="10">

  130.             <Type>http://specs.openid.net/auth/2.0/signon</Type>

  131.             <Type>http://openid.net/srv/ax/1.0</Type>

  132.             <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>

  133.             <LocalID>http://example.com/xrds</LocalID>

  134.           </Service>

  135.           <Service priority="15">

  136.             <Type>http://specs.openid.net/auth/2.0/signon</Type>

  137.             <URI>http://example.com/this-has-too-low-priority</URI>

  138.           </Service>

  139.           <Service>

  140.             <Type>http://specs.openid.net/auth/2.0/signon</Type>

  141.             <URI>http://example.com/this-has-too-low-priority</URI>

  142.           </Service>

  143.           ';

  144.     if (arg(3) == 'server') {

  145.       print '

  146.           <Service>

  147.             <Type>http://specs.openid.net/auth/2.0/server</Type>

  148.             <URI>http://example.com/this-has-too-low-priority</URI>

  149.           </Service>

  150.           <Service priority="20">

  151.             <Type>http://specs.openid.net/auth/2.0/server</Type>

  152.             <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>

  153.           </Service>';

  154.     }

  155.     elseif (arg(3) == 'delegate') {

  156.       print '

  157.           <Service priority="0">

  158.             <Type>http://specs.openid.net/auth/2.0/signon</Type>

  159.             <Type>http://openid.net/srv/ax/1.0</Type>

  160.             <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>

  161.             <openid:Delegate>http://example.com/xrds-delegate</openid:Delegate>

  162.           </Service>';

  163.     }

  164.     print '

  165.         </XRD>

  166.       </xrds:XRDS>';

  167.   }

  168.   else {

  169.     return t('This is a regular HTML page. If the client sends an Accept: application/xrds+xml header when requesting this URL, an XRDS document is returned.');

  170.   }

  171. }

  172. 

  173. /**

  174.  * Menu callback; regular HTML page with an X-XRDS-Location HTTP header.

  175.  */

  176. function openid_test_yadis_x_xrds_location() {

  177.   drupal_add_http_header('X-XRDS-Location', url('openid-test/yadis/xrds', array('absolute' => TRUE)));

  178.   return t('This page includes an X-RDS-Location HTTP header containing the URL of an XRDS document.');

  179. }

  180. 

  181. /**

  182.  * Menu callback; regular HTML page with <meta> element.

  183.  */

  184. function openid_test_yadis_http_equiv() {

  185.   $element = array(

  186.     '#tag' => 'meta',

  187.     '#attributes' => array(

  188.       'http-equiv' => 'X-XRDS-Location',

  189.       'content' => url('openid-test/yadis/xrds', array('absolute' => TRUE)),

  190.     ),

  191.   );

  192.   drupal_add_html_head($element, 'openid_test_yadis_http_equiv');

  193.   return t('This page includes a &lt;meta equiv=...&gt; element containing the URL of an XRDS document.');

  194. }

  195. 

  196. /**

  197.  * Menu callback; regular HTML page with OpenID 1.0 <link> element.

  198.  */

  199. function openid_test_html_openid1() {

  200.   drupal_add_html_head_link(array('rel' => 'openid.server', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));

  201.   drupal_add_html_head_link(array('rel' => 'openid.delegate', 'href' => 'http://example.com/html-openid1'));

  202.   return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');

  203. }

  204. 

  205. /**

  206.  * Menu callback; regular HTML page with OpenID 2.0 <link> element.

  207.  */

  208. function openid_test_html_openid2() {

  209.   drupal_add_html_head_link(array('rel' => 'openid2.provider', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));

  210.   drupal_add_html_head_link(array('rel' => 'openid2.local_id', 'href' => 'http://example.com/html-openid2'));

  211.   return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');

  212. }

  213. 

  214. /**

  215.  * Menu callback; OpenID Provider Endpoint.

  216.  *

  217.  * It accepts "associate" requests directly from the Relying Party, and

  218.  * "checkid_setup" requests made by the user's browser based on HTTP redirects

  219.  * (in OpenID 1) or HTML forms (in OpenID 2) generated by the Relying Party.

  220.  */

  221. function openid_test_endpoint() {

  222.   switch ($_REQUEST['openid_mode']) {

  223.     case 'associate':

  224.       _openid_test_endpoint_associate();

  225.       break;

  226.     case 'checkid_setup':

  227.       _openid_test_endpoint_authenticate();

  228.       break;

  229.   }

  230. }

  231. 

  232. /**

  233.  * Menu callback; redirect during Normalization/Discovery.

  234.  */

  235. function openid_test_redirect($count = 0) {

  236.   if ($count == 0) {

  237.     $url = variable_get('openid_test_redirect_url', '');

  238.   }

  239.   else {

  240.     $url = url('openid-test/redirect/' . --$count, array('absolute' => TRUE));

  241.   }

  242.   $http_response_code = variable_get('openid_test_redirect_http_reponse_code', 301);

  243.   header('Location: ' . $url, TRUE, $http_response_code);

  244.   exit();

  245. }

  246. 

  247. /**

  248.  * Menu callback; respond with appropriate callback.

  249.  */

  250. function openid_test_redirected_method($method1, $method2) {

  251.   return call_user_func('openid_test_' . $method1 . '_' . $method2);

  252. }

  253. 

  254. /**

  255.  * OpenID endpoint; handle "associate" requests (see OpenID Authentication 2.0,

  256.  * section 8).

  257.  *

  258.  * The purpose of association is to send the secret MAC key to the Relying Party

  259.  * using Diffie-Hellman key exchange. The MAC key is used in subsequent

  260.  * "authenticate" requests. The "associate" request is made by the Relying Party

  261.  * (in the testing scenario, this is the OpenID module that communicates with

  262.  * the endpoint using drupal_http_request()).

  263.  */

  264. function _openid_test_endpoint_associate() {

  265.   module_load_include('inc', 'openid');

  266. 

  267.   // Use default parameters for Diffie-Helmann key exchange.

  268.   $mod = OPENID_DH_DEFAULT_MOD;

  269.   $gen = OPENID_DH_DEFAULT_GEN;

  270. 

  271.   // Generate private Diffie-Helmann key.

  272.   $r = _openid_dh_rand($mod);

  273.   $private = _openid_math_add($r, 1);

  274. 

  275.   // Calculate public Diffie-Helmann key.

  276.   $public = _openid_math_powmod($gen, $private, $mod);

  277. 

  278.   // Calculate shared secret based on Relying Party's public key.

  279.   $cpub = _openid_dh_base64_to_long($_REQUEST['openid_dh_consumer_public']);

  280.   $shared = _openid_math_powmod($cpub, $private, $mod);

  281. 

  282.   // Encrypt the MAC key using the shared secret.

  283.   $enc_mac_key = base64_encode(_openid_dh_xorsecret($shared, base64_decode(variable_get('mac_key'))));

  284. 

  285.   // Generate response including our public key and the MAC key. Using our

  286.   // public key and its own private key, the Relying Party can calculate the

  287.   // shared secret, and with this it can decrypt the encrypted MAC key.

  288.   $response = array(

  289.     'ns' => 'http://specs.openid.net/auth/2.0',

  290.     'assoc_handle' => 'openid-test',

  291.     'session_type' => $_REQUEST['openid_session_type'],

  292.     'assoc_type' => $_REQUEST['openid_assoc_type'],

  293.     'expires_in' => '3600',

  294.     'dh_server_public' => _openid_dh_long_to_base64($public),

  295.     'enc_mac_key' => $enc_mac_key,

  296.   );

  297. 

  298.   // Respond to Relying Party in the special Key-Value Form Encoding (see OpenID

  299.   // Authentication 1.0, section 4.1.1).

  300.   drupal_add_http_header('Content-Type', 'text/plain');

  301.   print _openid_create_message($response);

  302. }

  303. 

  304. /**

  305.  * OpenID endpoint; handle "authenticate" requests.

  306.  *

  307.  * All requests result in a successful response. The request is a GET or POST

  308.  * made by the user's browser based on an HTML form or HTTP redirect generated

  309.  * by the Relying Party. The user is redirected back to the Relying Party using

  310.  * a URL containing a signed message in the query string confirming the user's

  311.  * identity.

  312.  */

  313. function _openid_test_endpoint_authenticate() {

  314.   module_load_include('inc', 'openid');

  315. 

  316.   $expected_identity = variable_get('openid_test_identity');

  317.   if ($expected_identity && $_REQUEST['openid_identity'] != $expected_identity) {

  318.     $response = variable_get('openid_test_response', array()) + array(

  319.       'openid.ns' => OPENID_NS_2_0,

  320.       'openid.mode' => 'error',

  321.       'openid.error' => 'Unexpted identity',

  322.     );

  323.     drupal_add_http_header('Content-Type', 'text/plain');

  324.     header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));

  325.     return;

  326.   }

  327. 

  328.   // Generate unique identifier for this authentication.

  329.   $nonce = _openid_nonce();

  330. 

  331.   // Generate response containing the user's identity.

  332.   $response = variable_get('openid_test_response', array()) + array(

  333.     'openid.ns' => OPENID_NS_2_0,

  334.     'openid.mode' => 'id_res',

  335.     'openid.op_endpoint' => url('openid-test/endpoint', array('absolute' => TRUE)),

  336.     'openid.claimed_id' => !empty($_REQUEST['openid_claimed_id']) ? $_REQUEST['openid_claimed_id'] : '',

  337.     'openid.identity' => $_REQUEST['openid_identity'],

  338.     'openid.return_to' => $_REQUEST['openid_return_to'],

  339.     'openid.response_nonce' => $nonce,

  340.     'openid.assoc_handle' => 'openid-test',

  341.   );

  342. 

  343.   if (isset($response['openid.signed'])) {

  344.     $keys_to_sign = explode(',', $response['openid.signed']);

  345.   }

  346.   else {

  347.     // Unless openid.signed is explicitly defined, all keys are signed.

  348.     $keys_to_sign = array();

  349.     foreach ($response as $key => $value) {

  350.       // Strip off the "openid." prefix.

  351.       $keys_to_sign[] = substr($key, 7);

  352.     }

  353.     $response['openid.signed'] = implode(',', $keys_to_sign);

  354.   }

  355. 

  356.   // Sign the message using the MAC key that was exchanged during association.

  357.   $association = new stdClass();

  358.   $association->mac_key = variable_get('mac_key');

  359.   if (!isset($response['openid.sig'])) {

  360.     $response['openid.sig'] = _openid_signature($association, $response, $keys_to_sign);

  361.   }

  362. 

  363.   // Put the signed message into the query string of a URL supplied by the

  364.   // Relying Party, and redirect the user.

  365.   drupal_add_http_header('Content-Type', 'text/plain');

  366.   header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));

  367. }