1: <?php
   2: 
   3: /**
   4:  * OpenID server protocol and logic.
   5:  *
   6:  * Overview
   7:  *
   8:  * An OpenID server must perform three tasks:
   9:  *
  10:  *  1. Examine the incoming request to determine its nature and validity.
  11:  *  2. Make a decision about how to respond to this request.
  12:  *  3. Format the response according to the protocol.
  13:  *
  14:  * The first and last of these tasks may performed by the {@link
  15:  * Auth_OpenID_Server::decodeRequest()} and {@link
  16:  * Auth_OpenID_Server::encodeResponse} methods.  Who gets to do the
  17:  * intermediate task -- deciding how to respond to the request -- will
  18:  * depend on what type of request it is.
  19:  *
  20:  * If it's a request to authenticate a user (a 'checkid_setup' or
  21:  * 'checkid_immediate' request), you need to decide if you will assert
  22:  * that this user may claim the identity in question.  Exactly how you
  23:  * do that is a matter of application policy, but it generally
  24:  * involves making sure the user has an account with your system and
  25:  * is logged in, checking to see if that identity is hers to claim,
  26:  * and verifying with the user that she does consent to releasing that
  27:  * information to the party making the request.
  28:  *
  29:  * Examine the properties of the {@link Auth_OpenID_CheckIDRequest}
  30:  * object, and if and when you've come to a decision, form a response
  31:  * by calling {@link Auth_OpenID_CheckIDRequest::answer()}.
  32:  *
  33:  * Other types of requests relate to establishing associations between
  34:  * client and server and verifing the authenticity of previous
  35:  * communications.  {@link Auth_OpenID_Server} contains all the logic
  36:  * and data necessary to respond to such requests; just pass it to
  37:  * {@link Auth_OpenID_Server::handleRequest()}.
  38:  *
  39:  * OpenID Extensions
  40:  *
  41:  * Do you want to provide other information for your users in addition
  42:  * to authentication?  Version 1.2 of the OpenID protocol allows
  43:  * consumers to add extensions to their requests.  For example, with
  44:  * sites using the Simple Registration
  45:  * Extension
  46:  * (http://openid.net/specs/openid-simple-registration-extension-1_0.html),
  47:  * a user can agree to have their nickname and e-mail address sent to
  48:  * a site when they sign up.
  49:  *
  50:  * Since extensions do not change the way OpenID authentication works,
  51:  * code to handle extension requests may be completely separate from
  52:  * the {@link Auth_OpenID_Request} class here.  But you'll likely want
  53:  * data sent back by your extension to be signed.  {@link
  54:  * Auth_OpenID_ServerResponse} provides methods with which you can add
  55:  * data to it which can be signed with the other data in the OpenID
  56:  * signature.
  57:  *
  58:  * For example:
  59:  *
  60:  * <pre>  // when request is a checkid_* request
  61:  *  $response = $request->answer(true);
  62:  *  // this will a signed 'openid.sreg.timezone' parameter to the response
  63:  *  response.addField('sreg', 'timezone', 'America/Los_Angeles')</pre>
  64:  *
  65:  * Stores
  66:  *
  67:  * The OpenID server needs to maintain state between requests in order
  68:  * to function.  Its mechanism for doing this is called a store.  The
  69:  * store interface is defined in Interface.php.  Additionally, several
  70:  * concrete store implementations are provided, so that most sites
  71:  * won't need to implement a custom store.  For a store backed by flat
  72:  * files on disk, see {@link Auth_OpenID_FileStore}.  For stores based
  73:  * on MySQL, SQLite, or PostgreSQL, see the {@link
  74:  * Auth_OpenID_SQLStore} subclasses.
  75:  *
  76:  * Upgrading
  77:  *
  78:  * The keys by which a server looks up associations in its store have
  79:  * changed in version 1.2 of this library.  If your store has entries
  80:  * created from version 1.0 code, you should empty it.
  81:  *
  82:  * PHP versions 4 and 5
  83:  *
  84:  * LICENSE: See the COPYING file included in this distribution.
  85:  *
  86:  * @package OpenID
  87:  * @author JanRain, Inc. <openid@janrain.com>
  88:  * @copyright 2005-2008 Janrain, Inc.
  89:  * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
  90:  */
  91: 
  92: /**
  93:  * Required imports
  94:  */
  95: require_once "Auth/OpenID.php";
  96: require_once "Auth/OpenID/Association.php";
  97: require_once "Auth/OpenID/CryptUtil.php";
  98: require_once "Auth/OpenID/BigMath.php";
  99: require_once "Auth/OpenID/DiffieHellman.php";
 100: require_once "Auth/OpenID/KVForm.php";
 101: require_once "Auth/OpenID/TrustRoot.php";
 102: require_once "Auth/OpenID/ServerRequest.php";
 103: require_once "Auth/OpenID/Message.php";
 104: require_once "Auth/OpenID/Nonce.php";
 105: 
 106: define('AUTH_OPENID_HTTP_OK', 200);
 107: define('AUTH_OPENID_HTTP_REDIRECT', 302);
 108: define('AUTH_OPENID_HTTP_ERROR', 400);
 109: 
 110: /**
 111:  * @access private
 112:  */
 113: global $_Auth_OpenID_Request_Modes;
 114: $_Auth_OpenID_Request_Modes = array('checkid_setup',
 115:                                     'checkid_immediate');
 116: 
 117: /**
 118:  * @access private
 119:  */
 120: define('Auth_OpenID_ENCODE_KVFORM', 'kfvorm');
 121: 
 122: /**
 123:  * @access private
 124:  */
 125: define('Auth_OpenID_ENCODE_URL', 'URL/redirect');
 126: 
 127: /**
 128:  * @access private
 129:  */
 130: define('Auth_OpenID_ENCODE_HTML_FORM', 'HTML form');
 131: 
 132: /**
 133:  * @access private
 134:  */
 135: function Auth_OpenID_isError($obj, $cls = Auth_OpenID_ServerError)
 136: {
 137:     return ($obj instanceof $cls);
 138: }
 139: 
 140: /**
 141:  * An error class which gets instantiated and returned whenever an
 142:  * OpenID protocol error occurs.  Be prepared to use this in place of
 143:  * an ordinary server response.
 144:  *
 145:  * @package OpenID
 146:  */
 147: class Auth_OpenID_ServerError {
 148:     /**
 149:      * @access private
 150:      */
 151:     function Auth_OpenID_ServerError($message = null, $text = null,
 152:                                      $reference = null, $contact = null)
 153:     {
 154:         $this->message = $message;
 155:         $this->text = $text;
 156:         $this->contact = $contact;
 157:         $this->reference = $reference;
 158:     }
 159: 
 160:     function getReturnTo()
 161:     {
 162:         if ($this->message &&
 163:             $this->message->hasKey(Auth_OpenID_OPENID_NS, 'return_to')) {
 164:             return $this->message->getArg(Auth_OpenID_OPENID_NS,
 165:                                           'return_to');
 166:         } else {
 167:             return null;
 168:         }
 169:     }
 170: 
 171:     /**
 172:      * Returns the return_to URL for the request which caused this
 173:      * error.
 174:      */
 175:     function hasReturnTo()
 176:     {
 177:         return $this->getReturnTo() !== null;
 178:     }
 179: 
 180:     /**
 181:      * Encodes this error's response as a URL suitable for
 182:      * redirection.  If the response has no return_to, another
 183:      * Auth_OpenID_ServerError is returned.
 184:      */
 185:     function encodeToURL()
 186:     {
 187:         if (!$this->message) {
 188:             return null;
 189:         }
 190: 
 191:         $msg = $this->toMessage();
 192:         return $msg->toURL($this->getReturnTo());
 193:     }
 194: 
 195:     /**
 196:      * Encodes the response to key-value form.  This is a
 197:      * machine-readable format used to respond to messages which came
 198:      * directly from the consumer and not through the user-agent.  See
 199:      * the OpenID specification.
 200:      */
 201:     function encodeToKVForm()
 202:     {
 203:         return Auth_OpenID_KVForm::fromArray(
 204:                                       array('mode' => 'error',
 205:                                             'error' => $this->toString()));
 206:     }
 207: 
 208:     function toFormMarkup($form_tag_attrs=null)
 209:     {
 210:         $msg = $this->toMessage();
 211:         return $msg->toFormMarkup($this->getReturnTo(), $form_tag_attrs);
 212:     }
 213: 
 214:     function toHTML($form_tag_attrs=null)
 215:     {
 216:         return Auth_OpenID::autoSubmitHTML(
 217:                       $this->toFormMarkup($form_tag_attrs));
 218:     }
 219: 
 220:     function toMessage()
 221:     {
 222:         // Generate a Message object for sending to the relying party,
 223:         // after encoding.
 224:         $namespace = $this->message->getOpenIDNamespace();
 225:         $reply = new Auth_OpenID_Message($namespace);
 226:         $reply->setArg(Auth_OpenID_OPENID_NS, 'mode', 'error');
 227:         $reply->setArg(Auth_OpenID_OPENID_NS, 'error', $this->toString());
 228: 
 229:         if ($this->contact !== null) {
 230:             $reply->setArg(Auth_OpenID_OPENID_NS, 'contact', $this->contact);
 231:         }
 232: 
 233:         if ($this->reference !== null) {
 234:             $reply->setArg(Auth_OpenID_OPENID_NS, 'reference',
 235:                            $this->reference);
 236:         }
 237: 
 238:         return $reply;
 239:     }
 240: 
 241:     /**
 242:      * Returns one of Auth_OpenID_ENCODE_URL,
 243:      * Auth_OpenID_ENCODE_KVFORM, or null, depending on the type of
 244:      * encoding expected for this error's payload.
 245:      */
 246:     function whichEncoding()
 247:     {
 248:         global $_Auth_OpenID_Request_Modes;
 249: 
 250:         if ($this->hasReturnTo()) {
 251:             if ($this->message->isOpenID2() &&
 252:                 (strlen($this->encodeToURL()) >
 253:                    Auth_OpenID_OPENID1_URL_LIMIT)) {
 254:                 return Auth_OpenID_ENCODE_HTML_FORM;
 255:             } else {
 256:                 return Auth_OpenID_ENCODE_URL;
 257:             }
 258:         }
 259: 
 260:         if (!$this->message) {
 261:             return null;
 262:         }
 263: 
 264:         $mode = $this->message->getArg(Auth_OpenID_OPENID_NS,
 265:                                        'mode');
 266: 
 267:         if ($mode) {
 268:             if (!in_array($mode, $_Auth_OpenID_Request_Modes)) {
 269:                 return Auth_OpenID_ENCODE_KVFORM;
 270:             }
 271:         }
 272:         return null;
 273:     }
 274: 
 275:     /**
 276:      * Returns this error message.
 277:      */
 278:     function toString()
 279:     {
 280:         if ($this->text) {
 281:             return $this->text;
 282:         } else {
 283:             return get_class($this) . " error";
 284:         }
 285:     }
 286: }
 287: 
 288: /**
 289:  * Error returned by the server code when a return_to is absent from a
 290:  * request.
 291:  *
 292:  * @package OpenID
 293:  */
 294: class Auth_OpenID_NoReturnToError extends Auth_OpenID_ServerError {
 295:     function Auth_OpenID_NoReturnToError($message = null,
 296:                                          $text = "No return_to URL available")
 297:     {
 298:         parent::Auth_OpenID_ServerError($message, $text);
 299:     }
 300: 
 301:     function toString()
 302:     {
 303:         return "No return_to available";
 304:     }
 305: }
 306: 
 307: /**
 308:  * An error indicating that the return_to URL is malformed.
 309:  *
 310:  * @package OpenID
 311:  */
 312: class Auth_OpenID_MalformedReturnURL extends Auth_OpenID_ServerError {
 313:     function Auth_OpenID_MalformedReturnURL($message, $return_to)
 314:     {
 315:         $this->return_to = $return_to;
 316:         parent::Auth_OpenID_ServerError($message, "malformed return_to URL");
 317:     }
 318: }
 319: 
 320: /**
 321:  * This error is returned when the trust_root value is malformed.
 322:  *
 323:  * @package OpenID
 324:  */
 325: class Auth_OpenID_MalformedTrustRoot extends Auth_OpenID_ServerError {
 326:     function Auth_OpenID_MalformedTrustRoot($message = null,
 327:                                             $text = "Malformed trust root")
 328:     {
 329:         parent::Auth_OpenID_ServerError($message, $text);
 330:     }
 331: 
 332:     function toString()
 333:     {
 334:         return "Malformed trust root";
 335:     }
 336: }
 337: 
 338: /**
 339:  * The base class for all server request classes.
 340:  *
 341:  * @package OpenID
 342:  */
 343: class Auth_OpenID_Request {
 344:     var $mode = null;
 345: }
 346: 
 347: /**
 348:  * A request to verify the validity of a previous response.
 349:  *
 350:  * @package OpenID
 351:  */
 352: class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request {
 353:     var $mode = "check_authentication";
 354:     var $invalidate_handle = null;
 355: 
 356:     function Auth_OpenID_CheckAuthRequest($assoc_handle, $signed,
 357:                                           $invalidate_handle = null)
 358:     {
 359:         $this->assoc_handle = $assoc_handle;
 360:         $this->signed = $signed;
 361:         if ($invalidate_handle !== null) {
 362:             $this->invalidate_handle = $invalidate_handle;
 363:         }
 364:         $this->namespace = Auth_OpenID_OPENID2_NS;
 365:         $this->message = null;
 366:     }
 367: 
 368:     static function fromMessage($message, $server=null)
 369:     {
 370:         $required_keys = array('assoc_handle', 'sig', 'signed');
 371: 
 372:         foreach ($required_keys as $k) {
 373:             if (!$message->getArg(Auth_OpenID_OPENID_NS, $k)) {
 374:                 return new Auth_OpenID_ServerError($message,
 375:                     sprintf("%s request missing required parameter %s from \
 376:                             query", "check_authentication", $k));
 377:             }
 378:         }
 379: 
 380:         $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle');
 381:         $sig = $message->getArg(Auth_OpenID_OPENID_NS, 'sig');
 382: 
 383:         $signed_list = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
 384:         $signed_list = explode(",", $signed_list);
 385: 
 386:         $signed = $message;
 387:         if ($signed->hasKey(Auth_OpenID_OPENID_NS, 'mode')) {
 388:             $signed->setArg(Auth_OpenID_OPENID_NS, 'mode', 'id_res');
 389:         }
 390: 
 391:         $result = new Auth_OpenID_CheckAuthRequest($assoc_handle, $signed);
 392:         $result->message = $message;
 393:         $result->sig = $sig;
 394:         $result->invalidate_handle = $message->getArg(Auth_OpenID_OPENID_NS,
 395:                                                       'invalidate_handle');
 396:         return $result;
 397:     }
 398: 
 399:     function answer($signatory)
 400:     {
 401:         $is_valid = $signatory->verify($this->assoc_handle, $this->signed);
 402: 
 403:         // Now invalidate that assoc_handle so it this checkAuth
 404:         // message cannot be replayed.
 405:         $signatory->invalidate($this->assoc_handle, true);
 406:         $response = new Auth_OpenID_ServerResponse($this);
 407: 
 408:         $response->fields->setArg(Auth_OpenID_OPENID_NS,
 409:                                   'is_valid',
 410:                                   ($is_valid ? "true" : "false"));
 411: 
 412:         if ($this->invalidate_handle) {
 413:             $assoc = $signatory->getAssociation($this->invalidate_handle,
 414:                                                 false);
 415:             if (!$assoc) {
 416:                 $response->fields->setArg(Auth_OpenID_OPENID_NS,
 417:                                           'invalidate_handle',
 418:                                           $this->invalidate_handle);
 419:             }
 420:         }
 421:         return $response;
 422:     }
 423: }
 424: 
 425: /**
 426:  * A class implementing plaintext server sessions.
 427:  *
 428:  * @package OpenID
 429:  */
 430: class Auth_OpenID_PlainTextServerSession {
 431:     /**
 432:      * An object that knows how to handle association requests with no
 433:      * session type.
 434:      */
 435:     var $session_type = 'no-encryption';
 436:     var $needs_math = false;
 437:     var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256');
 438: 
 439:     static function fromMessage($unused_request)
 440:     {
 441:         return new Auth_OpenID_PlainTextServerSession();
 442:     }
 443: 
 444:     function answer($secret)
 445:     {
 446:         return array('mac_key' => base64_encode($secret));
 447:     }
 448: }
 449: 
 450: /**
 451:  * A class implementing DH-SHA1 server sessions.
 452:  *
 453:  * @package OpenID
 454:  */
 455: class Auth_OpenID_DiffieHellmanSHA1ServerSession {
 456:     /**
 457:      * An object that knows how to handle association requests with
 458:      * the Diffie-Hellman session type.
 459:      */
 460: 
 461:     var $session_type = 'DH-SHA1';
 462:     var $needs_math = true;
 463:     var $allowed_assoc_types = array('HMAC-SHA1');
 464:     var $hash_func = 'Auth_OpenID_SHA1';
 465: 
 466:     function Auth_OpenID_DiffieHellmanSHA1ServerSession($dh, $consumer_pubkey)
 467:     {
 468:         $this->dh = $dh;
 469:         $this->consumer_pubkey = $consumer_pubkey;
 470:     }
 471: 
 472:     static function getDH($message)
 473:     {
 474:         $dh_modulus = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_modulus');
 475:         $dh_gen = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_gen');
 476: 
 477:         if ((($dh_modulus === null) && ($dh_gen !== null)) ||
 478:             (($dh_gen === null) && ($dh_modulus !== null))) {
 479: 
 480:             if ($dh_modulus === null) {
 481:                 $missing = 'modulus';
 482:             } else {
 483:                 $missing = 'generator';
 484:             }
 485: 
 486:             return new Auth_OpenID_ServerError($message,
 487:                                 'If non-default modulus or generator is '.
 488:                                 'supplied, both must be supplied.  Missing '.
 489:                                 $missing);
 490:         }
 491: 
 492:         $lib = Auth_OpenID_getMathLib();
 493: 
 494:         if ($dh_modulus || $dh_gen) {
 495:             $dh_modulus = $lib->base64ToLong($dh_modulus);
 496:             $dh_gen = $lib->base64ToLong($dh_gen);
 497:             if ($lib->cmp($dh_modulus, 0) == 0 ||
 498:                 $lib->cmp($dh_gen, 0) == 0) {
 499:                 return new Auth_OpenID_ServerError(
 500:                   $message, "Failed to parse dh_mod or dh_gen");
 501:             }
 502:             $dh = new Auth_OpenID_DiffieHellman($dh_modulus, $dh_gen);
 503:         } else {
 504:             $dh = new Auth_OpenID_DiffieHellman();
 505:         }
 506: 
 507:         $consumer_pubkey = $message->getArg(Auth_OpenID_OPENID_NS,
 508:                                             'dh_consumer_public');
 509:         if ($consumer_pubkey === null) {
 510:             return new Auth_OpenID_ServerError($message,
 511:                                   'Public key for DH-SHA1 session '.
 512:                                   'not found in query');
 513:         }
 514: 
 515:         $consumer_pubkey =
 516:             $lib->base64ToLong($consumer_pubkey);
 517: 
 518:         if ($consumer_pubkey === false) {
 519:             return new Auth_OpenID_ServerError($message,
 520:                                        "dh_consumer_public is not base64");
 521:         }
 522: 
 523:         return array($dh, $consumer_pubkey);
 524:     }
 525: 
 526:     static function fromMessage($message)
 527:     {
 528:         $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
 529: 
 530:         if (($result instanceof  Auth_OpenID_ServerError)) {
 531:             return $result;
 532:         } else {
 533:             list($dh, $consumer_pubkey) = $result;
 534:             return new Auth_OpenID_DiffieHellmanSHA1ServerSession($dh,
 535:                                                     $consumer_pubkey);
 536:         }
 537:     }
 538: 
 539:     function answer($secret)
 540:     {
 541:         $lib = Auth_OpenID_getMathLib();
 542:         $mac_key = $this->dh->xorSecret($this->consumer_pubkey, $secret,
 543:                                         $this->hash_func);
 544:         return array(
 545:            'dh_server_public' =>
 546:                 $lib->longToBase64($this->dh->public),
 547:            'enc_mac_key' => base64_encode($mac_key));
 548:     }
 549: }
 550: 
 551: /**
 552:  * A class implementing DH-SHA256 server sessions.
 553:  *
 554:  * @package OpenID
 555:  */
 556: class Auth_OpenID_DiffieHellmanSHA256ServerSession
 557:       extends Auth_OpenID_DiffieHellmanSHA1ServerSession {
 558: 
 559:     var $session_type = 'DH-SHA256';
 560:     var $hash_func = 'Auth_OpenID_SHA256';
 561:     var $allowed_assoc_types = array('HMAC-SHA256');
 562: 
 563:     static function fromMessage($message)
 564:     {
 565:         $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
 566: 
 567:         if ($result instanceof Auth_OpenID_ServerError) {
 568:             return $result;
 569:         } else {
 570:             list($dh, $consumer_pubkey) = $result;
 571:             return new Auth_OpenID_DiffieHellmanSHA256ServerSession($dh,
 572:                                                       $consumer_pubkey);
 573:         }
 574:     }
 575: }
 576: 
 577: /**
 578:  * A request to associate with the server.
 579:  *
 580:  * @package OpenID
 581:  */
 582: class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request {
 583:     var $mode = "associate";
 584: 
 585:     static function getSessionClasses()
 586:     {
 587:         return array(
 588:           'no-encryption' => 'Auth_OpenID_PlainTextServerSession',
 589:           'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ServerSession',
 590:           'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ServerSession');
 591:     }
 592: 
 593:     function Auth_OpenID_AssociateRequest($session, $assoc_type)
 594:     {
 595:         $this->session = $session;
 596:         $this->namespace = Auth_OpenID_OPENID2_NS;
 597:         $this->assoc_type = $assoc_type;
 598:     }
 599: 
 600:     static function fromMessage($message, $server=null)
 601:     {
 602:         if ($message->isOpenID1()) {
 603:             $session_type = $message->getArg(Auth_OpenID_OPENID_NS,
 604:                                              'session_type');
 605: 
 606:             if ($session_type == 'no-encryption') {
 607:                 // oidutil.log('Received OpenID 1 request with a no-encryption '
 608:                 //             'assocaition session type. Continuing anyway.')
 609:             } else if (!$session_type) {
 610:                 $session_type = 'no-encryption';
 611:             }
 612:         } else {
 613:             $session_type = $message->getArg(Auth_OpenID_OPENID_NS,
 614:                                              'session_type');
 615:             if ($session_type === null) {
 616:                 return new Auth_OpenID_ServerError($message,
 617:                   "session_type missing from request");
 618:             }
 619:         }
 620: 
 621:         $session_class = Auth_OpenID::arrayGet(
 622:            Auth_OpenID_AssociateRequest::getSessionClasses(),
 623:            $session_type);
 624: 
 625:         if ($session_class === null) {
 626:             return new Auth_OpenID_ServerError($message,
 627:                                                "Unknown session type " .
 628:                                                $session_type);
 629:         }
 630: 
 631:         $session = call_user_func(array($session_class, 'fromMessage'),
 632:                                   $message);
 633:         if ($session instanceof Auth_OpenID_ServerError) {
 634:             return $session;
 635:         }
 636: 
 637:         $assoc_type = $message->getArg(Auth_OpenID_OPENID_NS,
 638:                                        'assoc_type', 'HMAC-SHA1');
 639: 
 640:         if (!in_array($assoc_type, $session->allowed_assoc_types)) {
 641:             $fmt = "Session type %s does not support association type %s";
 642:             return new Auth_OpenID_ServerError($message,
 643:               sprintf($fmt, $session_type, $assoc_type));
 644:         }
 645: 
 646:         $obj = new Auth_OpenID_AssociateRequest($session, $assoc_type);
 647:         $obj->message = $message;
 648:         $obj->namespace = $message->getOpenIDNamespace();
 649:         return $obj;
 650:     }
 651: 
 652:     function answer($assoc)
 653:     {
 654:         $response = new Auth_OpenID_ServerResponse($this);
 655:         $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
 656:            array(
 657:                  'expires_in' => sprintf('%d', $assoc->getExpiresIn()),
 658:                  'assoc_type' => $this->assoc_type,
 659:                  'assoc_handle' => $assoc->handle));
 660: 
 661:         $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
 662:            $this->session->answer($assoc->secret));
 663: 
 664:         if (! ($this->session->session_type == 'no-encryption'
 665:                && $this->message->isOpenID1())) {
 666:             $response->fields->setArg(Auth_OpenID_OPENID_NS,
 667:                                       'session_type',
 668:                                       $this->session->session_type);
 669:         }
 670: 
 671:         return $response;
 672:     }
 673: 
 674:     function answerUnsupported($text_message,
 675:                                $preferred_association_type=null,
 676:                                $preferred_session_type=null)
 677:     {
 678:         if ($this->message->isOpenID1()) {
 679:             return new Auth_OpenID_ServerError($this->message);
 680:         }
 681: 
 682:         $response = new Auth_OpenID_ServerResponse($this);
 683:         $response->fields->setArg(Auth_OpenID_OPENID_NS,
 684:                                   'error_code', 'unsupported-type');
 685:         $response->fields->setArg(Auth_OpenID_OPENID_NS,
 686:                                   'error', $text_message);
 687: 
 688:         if ($preferred_association_type) {
 689:             $response->fields->setArg(Auth_OpenID_OPENID_NS,
 690:                                       'assoc_type',
 691:                                       $preferred_association_type);
 692:         }
 693: 
 694:         if ($preferred_session_type) {
 695:             $response->fields->setArg(Auth_OpenID_OPENID_NS,
 696:                                       'session_type',
 697:                                       $preferred_session_type);
 698:         }
 699:         $response->code = AUTH_OPENID_HTTP_ERROR;
 700:         return $response;
 701:     }
 702: }
 703: 
 704: /**
 705:  * A request to confirm the identity of a user.
 706:  *
 707:  * @package OpenID
 708:  */
 709: class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request {
 710:     /**
 711:      * Return-to verification callback.  Default is
 712:      * Auth_OpenID_verifyReturnTo from TrustRoot.php.
 713:      */
 714:     var $verifyReturnTo = 'Auth_OpenID_verifyReturnTo';
 715: 
 716:     /**
 717:      * The mode of this request.
 718:      */
 719:     var $mode = "checkid_setup"; // or "checkid_immediate"
 720: 
 721:     /**
 722:      * Whether this request is for immediate mode.
 723:      */
 724:     var $immediate = false;
 725: 
 726:     /**
 727:      * The trust_root value for this request.
 728:      */
 729:     var $trust_root = null;
 730: 
 731:     /**
 732:      * The OpenID namespace for this request.
 733:      * deprecated since version 2.0.2
 734:      */
 735:     var $namespace;
 736: 
 737:     static function make($message, $identity, $return_to, $trust_root = null,
 738:                   $immediate = false, $assoc_handle = null, $server = null)
 739:     {
 740:         if ($server === null) {
 741:             return new Auth_OpenID_ServerError($message,
 742:                                                "server must not be null");
 743:         }
 744: 
 745:         if ($return_to &&
 746:             !Auth_OpenID_TrustRoot::_parse($return_to)) {
 747:             return new Auth_OpenID_MalformedReturnURL($message, $return_to);
 748:         }
 749: 
 750:         $r = new Auth_OpenID_CheckIDRequest($identity, $return_to,
 751:                                             $trust_root, $immediate,
 752:                                             $assoc_handle, $server);
 753: 
 754:         $r->namespace = $message->getOpenIDNamespace();
 755:         $r->message = $message;
 756: 
 757:         if (!$r->trustRootValid()) {
 758:             return new Auth_OpenID_UntrustedReturnURL($message,
 759:                                                       $return_to,
 760:                                                       $trust_root);
 761:         } else {
 762:             return $r;
 763:         }
 764:     }
 765: 
 766:     function Auth_OpenID_CheckIDRequest($identity, $return_to,
 767:                                         $trust_root = null, $immediate = false,
 768:                                         $assoc_handle = null, $server = null,
 769:                                         $claimed_id = null)
 770:     {
 771:         $this->namespace = Auth_OpenID_OPENID2_NS;
 772:         $this->assoc_handle = $assoc_handle;
 773:         $this->identity = $identity;
 774:         if ($claimed_id === null) {
 775:             $this->claimed_id = $identity;
 776:         } else {
 777:             $this->claimed_id = $claimed_id;
 778:         }
 779:         $this->return_to = $return_to;
 780:         $this->trust_root = $trust_root;
 781:         $this->server = $server;
 782: 
 783:         if ($immediate) {
 784:             $this->immediate = true;
 785:             $this->mode = "checkid_immediate";
 786:         } else {
 787:             $this->immediate = false;
 788:             $this->mode = "checkid_setup";
 789:         }
 790:     }
 791: 
 792:     function equals($other)
 793:     {
 794:         return (
 795:                 ($other instanceof Auth_OpenID_CheckIDRequest) &&
 796:                 ($this->namespace == $other->namespace) &&
 797:                 ($this->assoc_handle == $other->assoc_handle) &&
 798:                 ($this->identity == $other->identity) &&
 799:                 ($this->claimed_id == $other->claimed_id) &&
 800:                 ($this->return_to == $other->return_to) &&
 801:                 ($this->trust_root == $other->trust_root));
 802:     }
 803: 
 804:     /*
 805:      * Does the relying party publish the return_to URL for this
 806:      * response under the realm? It is up to the provider to set a
 807:      * policy for what kinds of realms should be allowed. This
 808:      * return_to URL verification reduces vulnerability to data-theft
 809:      * attacks based on open proxies, corss-site-scripting, or open
 810:      * redirectors.
 811:      *
 812:      * This check should only be performed after making sure that the
 813:      * return_to URL matches the realm.
 814:      *
 815:      * @return true if the realm publishes a document with the
 816:      * return_to URL listed, false if not or if discovery fails
 817:      */
 818:     function returnToVerified()
 819:     {
 820:         $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
 821:         return call_user_func_array($this->verifyReturnTo,
 822:                                     array($this->trust_root, $this->return_to, $fetcher));
 823:     }
 824: 
 825:     static function fromMessage($message, $server)
 826:     {
 827:         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
 828:         $immediate = null;
 829: 
 830:         if ($mode == "checkid_immediate") {
 831:             $immediate = true;
 832:             $mode = "checkid_immediate";
 833:         } else {
 834:             $immediate = false;
 835:             $mode = "checkid_setup";
 836:         }
 837: 
 838:         $return_to = $message->getArg(Auth_OpenID_OPENID_NS,
 839:                                       'return_to');
 840: 
 841:         if (($message->isOpenID1()) &&
 842:             (!$return_to)) {
 843:             $fmt = "Missing required field 'return_to' from checkid request";
 844:             return new Auth_OpenID_ServerError($message, $fmt);
 845:         }
 846: 
 847:         $identity = $message->getArg(Auth_OpenID_OPENID_NS,
 848:                                      'identity');
 849:         $claimed_id = $message->getArg(Auth_OpenID_OPENID_NS, 'claimed_id');
 850:         if ($message->isOpenID1()) {
 851:             if ($identity === null) {
 852:                 $s = "OpenID 1 message did not contain openid.identity";
 853:                 return new Auth_OpenID_ServerError($message, $s);
 854:             }
 855:         } else {
 856:             if ($identity && !$claimed_id) {
 857:                 $s = "OpenID 2.0 message contained openid.identity but not " .
 858:                   "claimed_id";
 859:                 return new Auth_OpenID_ServerError($message, $s);
 860:             } else if ($claimed_id && !$identity) {
 861:                 $s = "OpenID 2.0 message contained openid.claimed_id " .
 862:                   "but not identity";
 863:                 return new Auth_OpenID_ServerError($message, $s);
 864:             }
 865:         }
 866: 
 867:         // There's a case for making self.trust_root be a TrustRoot
 868:         // here.  But if TrustRoot isn't currently part of the
 869:         // "public" API, I'm not sure it's worth doing.
 870:         if ($message->isOpenID1()) {
 871:             $trust_root_param = 'trust_root';
 872:         } else {
 873:             $trust_root_param = 'realm';
 874:         }
 875:         $trust_root = $message->getArg(Auth_OpenID_OPENID_NS,
 876:                                        $trust_root_param);
 877:         if (! $trust_root) {
 878:             $trust_root = $return_to;
 879:         }
 880: 
 881:         if (! $message->isOpenID1() &&
 882:             ($return_to === null) &&
 883:             ($trust_root === null)) {
 884:             return new Auth_OpenID_ServerError($message,
 885:               "openid.realm required when openid.return_to absent");
 886:         }
 887: 
 888:         $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
 889:                                          'assoc_handle');
 890: 
 891:         $obj = Auth_OpenID_CheckIDRequest::make($message,
 892:                                                 $identity,
 893:                                                 $return_to,
 894:                                                 $trust_root,
 895:                                                 $immediate,
 896:                                                 $assoc_handle,
 897:                                                 $server);
 898: 
 899:         if ($obj instanceof Auth_OpenID_ServerError) {
 900:             return $obj;
 901:         }
 902: 
 903:         $obj->claimed_id = $claimed_id;
 904: 
 905:         return $obj;
 906:     }
 907: 
 908:     function idSelect()
 909:     {
 910:         // Is the identifier to be selected by the IDP?
 911:         // So IDPs don't have to import the constant
 912:         return $this->identity == Auth_OpenID_IDENTIFIER_SELECT;
 913:     }
 914: 
 915:     function trustRootValid()
 916:     {
 917:         if (!$this->trust_root) {
 918:             return true;
 919:         }
 920: 
 921:         $tr = Auth_OpenID_TrustRoot::_parse($this->trust_root);
 922:         if ($tr === false) {
 923:             return new Auth_OpenID_MalformedTrustRoot($this->message,
 924:                                                       $this->trust_root);
 925:         }
 926: 
 927:         if ($this->return_to !== null) {
 928:             return Auth_OpenID_TrustRoot::match($this->trust_root,
 929:                                                 $this->return_to);
 930:         } else {
 931:             return true;
 932:         }
 933:     }
 934: 
 935:     /**
 936:      * Respond to this request.  Return either an
 937:      * {@link Auth_OpenID_ServerResponse} or
 938:      * {@link Auth_OpenID_ServerError}.
 939:      *
 940:      * @param bool $allow Allow this user to claim this identity, and
 941:      * allow the consumer to have this information?
 942:      *
 943:      * @param string $server_url DEPRECATED.  Passing $op_endpoint to
 944:      * the {@link Auth_OpenID_Server} constructor makes this optional.
 945:      *
 946:      * When an OpenID 1.x immediate mode request does not succeed, it
 947:      * gets back a URL where the request may be carried out in a
 948:      * not-so-immediate fashion.  Pass my URL in here (the fully
 949:      * qualified address of this server's endpoint, i.e.
 950:      * http://example.com/server), and I will use it as a base for the
 951:      * URL for a new request.
 952:      *
 953:      * Optional for requests where {@link $immediate} is false or
 954:      * $allow is true.
 955:      *
 956:      * @param string $identity The OP-local identifier to answer with.
 957:      * Only for use when the relying party requested identifier
 958:      * selection.
 959:      *
 960:      * @param string $claimed_id The claimed identifier to answer
 961:      * with, for use with identifier selection in the case where the
 962:      * claimed identifier and the OP-local identifier differ,
 963:      * i.e. when the claimed_id uses delegation.
 964:      *
 965:      * If $identity is provided but this is not, $claimed_id will
 966:      * default to the value of $identity.  When answering requests
 967:      * that did not ask for identifier selection, the response
 968:      * $claimed_id will default to that of the request.
 969:      *
 970:      * This parameter is new in OpenID 2.0.
 971:      *
 972:      * @return mixed
 973:      */
 974:     function answer($allow, $server_url = null, $identity = null,
 975:                     $claimed_id = null)
 976:     {
 977:         if (!$this->return_to) {
 978:             return new Auth_OpenID_NoReturnToError();
 979:         }
 980: 
 981:         if (!$server_url) {
 982:             if ((!$this->message->isOpenID1()) &&
 983:                 (!$this->server->op_endpoint)) {
 984:                 return new Auth_OpenID_ServerError(null,
 985:                   "server should be constructed with op_endpoint to " .
 986:                   "respond to OpenID 2.0 messages.");
 987:             }
 988: 
 989:             $server_url = $this->server->op_endpoint;
 990:         }
 991: 
 992:         if ($allow) {
 993:             $mode = 'id_res';
 994:         } else if ($this->message->isOpenID1()) {
 995:             if ($this->immediate) {
 996:                 $mode = 'id_res';
 997:             } else {
 998:                 $mode = 'cancel';
 999:             }
1000:         } else {
1001:             if ($this->immediate) {
1002:                 $mode = 'setup_needed';
1003:             } else {
1004:                 $mode = 'cancel';
1005:             }
1006:         }
1007: 
1008:         if (!$this->trustRootValid()) {
1009:             return new Auth_OpenID_UntrustedReturnURL(null,
1010:                                                       $this->return_to,
1011:                                                       $this->trust_root);
1012:         }
1013: 
1014:         $response = new Auth_OpenID_ServerResponse($this);
1015: 
1016:         if ($claimed_id &&
1017:             ($this->message->isOpenID1())) {
1018:             return new Auth_OpenID_ServerError(null,
1019:               "claimed_id is new in OpenID 2.0 and not " .
1020:               "available for ".$this->namespace);
1021:         }
1022: 
1023:         if ($identity && !$claimed_id) {
1024:             $claimed_id = $identity;
1025:         }
1026: 
1027:         if ($allow) {
1028: 
1029:             if ($this->identity == Auth_OpenID_IDENTIFIER_SELECT) {
1030:                 if (!$identity) {
1031:                     return new Auth_OpenID_ServerError(null,
1032:                       "This request uses IdP-driven identifier selection.  " .
1033:                       "You must supply an identifier in the response.");
1034:                 }
1035: 
1036:                 $response_identity = $identity;
1037:                 $response_claimed_id = $claimed_id;
1038: 
1039:             } else if ($this->identity) {
1040:                 if ($identity &&
1041:                     ($this->identity != $identity)) {
1042:                     $fmt = "Request was for %s, cannot reply with identity %s";
1043:                     return new Auth_OpenID_ServerError(null,
1044:                       sprintf($fmt, $this->identity, $identity));
1045:                 }
1046: 
1047:                 $response_identity = $this->identity;
1048:                 $response_claimed_id = $this->claimed_id;
1049:             } else {
1050:                 if ($identity) {
1051:                     return new Auth_OpenID_ServerError(null,
1052:                       "This request specified no identity and " .
1053:                       "you supplied ".$identity);
1054:                 }
1055: 
1056:                 $response_identity = null;
1057:             }
1058: 
1059:             if (($this->message->isOpenID1()) &&
1060:                 ($response_identity === null)) {
1061:                 return new Auth_OpenID_ServerError(null,
1062:                   "Request was an OpenID 1 request, so response must " .
1063:                   "include an identifier.");
1064:             }
1065: 
1066:             $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
1067:                    array('mode' => $mode,
1068:                          'return_to' => $this->return_to,
1069:                          'response_nonce' => Auth_OpenID_mkNonce()));
1070: 
1071:             if (!$this->message->isOpenID1()) {
1072:                 $response->fields->setArg(Auth_OpenID_OPENID_NS,
1073:                                           'op_endpoint', $server_url);
1074:             }
1075: 
1076:             if ($response_identity !== null) {
1077:                 $response->fields->setArg(
1078:                                           Auth_OpenID_OPENID_NS,
1079:                                           'identity',
1080:                                           $response_identity);
1081:                 if ($this->message->isOpenID2()) {
1082:                     $response->fields->setArg(
1083:                                               Auth_OpenID_OPENID_NS,
1084:                                               'claimed_id',
1085:                                               $response_claimed_id);
1086:                 }
1087:             }
1088: 
1089:         } else {
1090:             $response->fields->setArg(Auth_OpenID_OPENID_NS,
1091:                                       'mode', $mode);
1092: 
1093:             if ($this->immediate) {
1094:                 if (($this->message->isOpenID1()) &&
1095:                     (!$server_url)) {
1096:                     return new Auth_OpenID_ServerError(null,
1097:                                  'setup_url is required for $allow=false \
1098:                                   in OpenID 1.x immediate mode.');
1099:                 }
1100: 
1101:                 $setup_request = new Auth_OpenID_CheckIDRequest(
1102:                                                 $this->identity,
1103:                                                 $this->return_to,
1104:                                                 $this->trust_root,
1105:                                                 false,
1106:                                                 $this->assoc_handle,
1107:                                                 $this->server,
1108:                                                 $this->claimed_id);
1109:                 $setup_request->message = $this->message;
1110: 
1111:                 $setup_url = $setup_request->encodeToURL($server_url);
1112: 
1113:                 if ($setup_url === null) {
1114:                     return new Auth_OpenID_NoReturnToError();
1115:                 }
1116: 
1117:                 $response->fields->setArg(Auth_OpenID_OPENID_NS,
1118:                                           'user_setup_url',
1119:                                           $setup_url);
1120:             }
1121:         }
1122: 
1123:         return $response;
1124:     }
1125: 
1126:     function encodeToURL($server_url)
1127:     {
1128:         if (!$this->return_to) {
1129:             return new Auth_OpenID_NoReturnToError();
1130:         }
1131: 
1132:         // Imported from the alternate reality where these classes are
1133:         // used in both the client and server code, so Requests are
1134:         // Encodable too.  That's right, code imported from alternate
1135:         // realities all for the love of you, id_res/user_setup_url.
1136: 
1137:         $q = array('mode' => $this->mode,
1138:                    'identity' => $this->identity,
1139:                    'claimed_id' => $this->claimed_id,
1140:                    'return_to' => $this->return_to);
1141: 
1142:         if ($this->trust_root) {
1143:             if ($this->message->isOpenID1()) {
1144:                 $q['trust_root'] = $this->trust_root;
1145:             } else {
1146:                 $q['realm'] = $this->trust_root;
1147:             }
1148:         }
1149: 
1150:         if ($this->assoc_handle) {
1151:             $q['assoc_handle'] = $this->assoc_handle;
1152:         }
1153: 
1154:         $response = new Auth_OpenID_Message(
1155:             $this->message->getOpenIDNamespace());
1156:         $response->updateArgs(Auth_OpenID_OPENID_NS, $q);
1157:         return $response->toURL($server_url);
1158:     }
1159: 
1160:     function getCancelURL()
1161:     {
1162:         if (!$this->return_to) {
1163:             return new Auth_OpenID_NoReturnToError();
1164:         }
1165: 
1166:         if ($this->immediate) {
1167:             return new Auth_OpenID_ServerError(null,
1168:                                                "Cancel is not an appropriate \
1169:                                                response to immediate mode \
1170:                                                requests.");
1171:         }
1172: 
1173:         $response = new Auth_OpenID_Message(
1174:             $this->message->getOpenIDNamespace());
1175:         $response->setArg(Auth_OpenID_OPENID_NS, 'mode', 'cancel');
1176:         return $response->toURL($this->return_to);
1177:     }
1178: }
1179: 
1180: /**
1181:  * This class encapsulates the response to an OpenID server request.
1182:  *
1183:  * @package OpenID
1184:  */
1185: class Auth_OpenID_ServerResponse {
1186: 
1187:     function Auth_OpenID_ServerResponse($request)
1188:     {
1189:         $this->request = $request;
1190:         $this->fields = new Auth_OpenID_Message($this->request->namespace);
1191:     }
1192: 
1193:     function whichEncoding()
1194:     {
1195:       global $_Auth_OpenID_Request_Modes;
1196: 
1197:         if (in_array($this->request->mode, $_Auth_OpenID_Request_Modes)) {
1198:             if ($this->fields->isOpenID2() &&
1199:                 (strlen($this->encodeToURL()) >
1200:                    Auth_OpenID_OPENID1_URL_LIMIT)) {
1201:                 return Auth_OpenID_ENCODE_HTML_FORM;
1202:             } else {
1203:                 return Auth_OpenID_ENCODE_URL;
1204:             }
1205:         } else {
1206:             return Auth_OpenID_ENCODE_KVFORM;
1207:         }
1208:     }
1209: 
1210:     /*
1211:      * Returns the form markup for this response.
1212:      *
1213:      * @return str
1214:      */
1215:     function toFormMarkup($form_tag_attrs=null)
1216:     {
1217:         return $this->fields->toFormMarkup($this->request->return_to,
1218:                                            $form_tag_attrs);
1219:     }
1220: 
1221:     /*
1222:      * Returns an HTML document containing the form markup for this
1223:      * response that autosubmits with javascript.
1224:      */
1225:     function toHTML()
1226:     {
1227:         return Auth_OpenID::autoSubmitHTML($this->toFormMarkup());
1228:     }
1229: 
1230:     /*
1231:      * Returns True if this response's encoding is ENCODE_HTML_FORM.
1232:      * Convenience method for server authors.
1233:      *
1234:      * @return bool
1235:      */
1236:     function renderAsForm()
1237:     {
1238:         return $this->whichEncoding() == Auth_OpenID_ENCODE_HTML_FORM;
1239:     }
1240: 
1241: 
1242:     function encodeToURL()
1243:     {
1244:         return $this->fields->toURL($this->request->return_to);
1245:     }
1246: 
1247:     function addExtension($extension_response)
1248:     {
1249:         $extension_response->toMessage($this->fields);
1250:     }
1251: 
1252:     function needsSigning()
1253:     {
1254:         return $this->fields->getArg(Auth_OpenID_OPENID_NS,
1255:                                      'mode') == 'id_res';
1256:     }
1257: 
1258:     function encodeToKVForm()
1259:     {
1260:         return $this->fields->toKVForm();
1261:     }
1262: }
1263: 
1264: /**
1265:  * A web-capable response object which you can use to generate a
1266:  * user-agent response.
1267:  *
1268:  * @package OpenID
1269:  */
1270: class Auth_OpenID_WebResponse {
1271:     var $code = AUTH_OPENID_HTTP_OK;
1272:     var $body = "";
1273: 
1274:     function Auth_OpenID_WebResponse($code = null, $headers = null,
1275:                                      $body = null)
1276:     {
1277:         if ($code) {
1278:             $this->code = $code;
1279:         }
1280: 
1281:         if ($headers !== null) {
1282:             $this->headers = $headers;
1283:         } else {
1284:             $this->headers = array();
1285:         }
1286: 
1287:         if ($body !== null) {
1288:             $this->body = $body;
1289:         }
1290:     }
1291: }
1292: 
1293: /**
1294:  * Responsible for the signature of query data and the verification of
1295:  * OpenID signature values.
1296:  *
1297:  * @package OpenID
1298:  */
1299: class Auth_OpenID_Signatory {
1300: 
1301:     // = 14 * 24 * 60 * 60; # 14 days, in seconds
1302:     var $SECRET_LIFETIME = 1209600;
1303: 
1304:     // keys have a bogus server URL in them because the filestore
1305:     // really does expect that key to be a URL.  This seems a little
1306:     // silly for the server store, since I expect there to be only one
1307:     // server URL.
1308:     var $normal_key = 'http://localhost/|normal';
1309:     var $dumb_key = 'http://localhost/|dumb';
1310: 
1311:     /**
1312:      * Create a new signatory using a given store.
1313:      */
1314:     function Auth_OpenID_Signatory($store)
1315:     {
1316:         // assert store is not None
1317:         $this->store = $store;
1318:     }
1319: 
1320:     /**
1321:      * Verify, using a given association handle, a signature with
1322:      * signed key-value pairs from an HTTP request.
1323:      */
1324:     function verify($assoc_handle, $message)
1325:     {
1326:         $assoc = $this->getAssociation($assoc_handle, true);
1327:         if (!$assoc) {
1328:             // oidutil.log("failed to get assoc with handle %r to verify sig %r"
1329:             //             % (assoc_handle, sig))
1330:             return false;
1331:         }
1332: 
1333:         return $assoc->checkMessageSignature($message);
1334:     }
1335: 
1336:     /**
1337:      * Given a response, sign the fields in the response's 'signed'
1338:      * list, and insert the signature into the response.
1339:      */
1340:     function sign($response)
1341:     {
1342:         $signed_response = $response;
1343:         $assoc_handle = $response->request->assoc_handle;
1344: 
1345:         if ($assoc_handle) {
1346:             // normal mode
1347:             $assoc = $this->getAssociation($assoc_handle, false, false);
1348:             if (!$assoc || ($assoc->getExpiresIn() <= 0)) {
1349:                 // fall back to dumb mode
1350:                 $signed_response->fields->setArg(Auth_OpenID_OPENID_NS,
1351:                              'invalidate_handle', $assoc_handle);
1352:                 $assoc_type = ($assoc ? $assoc->assoc_type : 'HMAC-SHA1');
1353: 
1354:                 if ($assoc && ($assoc->getExpiresIn() <= 0)) {
1355:                     $this->invalidate($assoc_handle, false);
1356:                 }
1357: 
1358:                 $assoc = $this->createAssociation(true, $assoc_type);
1359:             }
1360:         } else {
1361:             // dumb mode.
1362:             $assoc = $this->createAssociation(true);
1363:         }
1364: 
1365:         $signed_response->fields = $assoc->signMessage(
1366:                                       $signed_response->fields);
1367:         return $signed_response;
1368:     }
1369: 
1370:     /**
1371:      * Make a new association.
1372:      */
1373:     function createAssociation($dumb = true, $assoc_type = 'HMAC-SHA1')
1374:     {
1375:         $secret = Auth_OpenID_CryptUtil::getBytes(
1376:                     Auth_OpenID_getSecretSize($assoc_type));
1377: 
1378:         $uniq = base64_encode(Auth_OpenID_CryptUtil::getBytes(4));
1379:         $handle = sprintf('{%s}{%x}{%s}', $assoc_type, intval(time()), $uniq);
1380: 
1381:         $assoc = Auth_OpenID_Association::fromExpiresIn(
1382:                       $this->SECRET_LIFETIME, $handle, $secret, $assoc_type);
1383: 
1384:         if ($dumb) {
1385:             $key = $this->dumb_key;
1386:         } else {
1387:             $key = $this->normal_key;
1388:         }
1389: 
1390:         $this->store->storeAssociation($key, $assoc);
1391:         return $assoc;
1392:     }
1393: 
1394:     /**
1395:      * Given an association handle, get the association from the
1396:      * store, or return a ServerError or null if something goes wrong.
1397:      */
1398:     function getAssociation($assoc_handle, $dumb, $check_expiration=true)
1399:     {
1400:         if ($assoc_handle === null) {
1401:             return new Auth_OpenID_ServerError(null,
1402:                                      "assoc_handle must not be null");
1403:         }
1404: 
1405:         if ($dumb) {
1406:             $key = $this->dumb_key;
1407:         } else {
1408:             $key = $this->normal_key;
1409:         }
1410: 
1411:         $assoc = $this->store->getAssociation($key, $assoc_handle);
1412: 
1413:         if (($assoc !== null) && ($assoc->getExpiresIn() <= 0)) {
1414:             if ($check_expiration) {
1415:                 $this->store->removeAssociation($key, $assoc_handle);
1416:                 $assoc = null;
1417:             }
1418:         }
1419: 
1420:         return $assoc;
1421:     }
1422: 
1423:     /**
1424:      * Invalidate a given association handle.
1425:      */
1426:     function invalidate($assoc_handle, $dumb)
1427:     {
1428:         if ($dumb) {
1429:             $key = $this->dumb_key;
1430:         } else {
1431:             $key = $this->normal_key;
1432:         }
1433:         $this->store->removeAssociation($key, $assoc_handle);
1434:     }
1435: }
1436: 
1437: /**
1438:  * Encode an {@link Auth_OpenID_ServerResponse} to an
1439:  * {@link Auth_OpenID_WebResponse}.
1440:  *
1441:  * @package OpenID
1442:  */
1443: class Auth_OpenID_Encoder {
1444: 
1445:     var $responseFactory = 'Auth_OpenID_WebResponse';
1446: 
1447:     /**
1448:      * Encode an {@link Auth_OpenID_ServerResponse} and return an
1449:      * {@link Auth_OpenID_WebResponse}.
1450:      */
1451:     function encode($response)
1452:     {
1453:         $cls = $this->responseFactory;
1454: 
1455:         $encode_as = $response->whichEncoding();
1456:         if ($encode_as == Auth_OpenID_ENCODE_KVFORM) {
1457:             $wr = new $cls(null, null, $response->encodeToKVForm());
1458:             if ($response instanceof Auth_OpenID_ServerError) {
1459:                 $wr->code = AUTH_OPENID_HTTP_ERROR;
1460:             }
1461:         } else if ($encode_as == Auth_OpenID_ENCODE_URL) {
1462:             $location = $response->encodeToURL();
1463:             $wr = new $cls(AUTH_OPENID_HTTP_REDIRECT,
1464:                            array('location' => $location));
1465:         } else if ($encode_as == Auth_OpenID_ENCODE_HTML_FORM) {
1466:           $wr = new $cls(AUTH_OPENID_HTTP_OK, array(),
1467:                          $response->toHTML());
1468:         } else {
1469:             return new Auth_OpenID_EncodingError($response);
1470:         }
1471:         /* Allow the response to carry a custom error code (ex: for Association errors) */
1472:         if(isset($response->code)) {
1473:             $wr->code = $response->code;
1474:         }
1475:         return $wr;
1476:     }
1477: }
1478: 
1479: /**
1480:  * An encoder which also takes care of signing fields when required.
1481:  *
1482:  * @package OpenID
1483:  */
1484: class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder {
1485: 
1486:     function Auth_OpenID_SigningEncoder($signatory)
1487:     {
1488:         $this->signatory = $signatory;
1489:     }
1490: 
1491:     /**
1492:      * Sign an {@link Auth_OpenID_ServerResponse} and return an
1493:      * {@link Auth_OpenID_WebResponse}.
1494:      */
1495:     function encode($response)
1496:     {
1497:         // the isinstance is a bit of a kludge... it means there isn't
1498:         // really an adapter to make the interfaces quite match.
1499:         if (!$response instanceof Auth_OpenID_ServerError &&
1500:             $response->needsSigning()) {
1501: 
1502:             if (!$this->signatory) {
1503:                 return new Auth_OpenID_ServerError(null,
1504:                                        "Must have a store to sign request");
1505:             }
1506: 
1507:             if ($response->fields->hasKey(Auth_OpenID_OPENID_NS, 'sig')) {
1508:                 return new Auth_OpenID_AlreadySigned($response);
1509:             }
1510:             $response = $this->signatory->sign($response);
1511:         }
1512: 
1513:         return parent::encode($response);
1514:     }
1515: }
1516: 
1517: /**
1518:  * Decode an incoming query into an Auth_OpenID_Request.
1519:  *
1520:  * @package OpenID
1521:  */
1522: class Auth_OpenID_Decoder {
1523: 
1524:     function Auth_OpenID_Decoder($server)
1525:     {
1526:         $this->server = $server;
1527: 
1528:         $this->handlers = array(
1529:             'checkid_setup' => 'Auth_OpenID_CheckIDRequest',
1530:             'checkid_immediate' => 'Auth_OpenID_CheckIDRequest',
1531:             'check_authentication' => 'Auth_OpenID_CheckAuthRequest',
1532:             'associate' => 'Auth_OpenID_AssociateRequest'
1533:             );
1534:     }
1535: 
1536:     /**
1537:      * Given an HTTP query in an array (key-value pairs), decode it
1538:      * into an Auth_OpenID_Request object.
1539:      */
1540:     function decode($query)
1541:     {
1542:         if (!$query) {
1543:             return null;
1544:         }
1545: 
1546:         $message = Auth_OpenID_Message::fromPostArgs($query);
1547: 
1548:         if ($message === null) {
1549:             /*
1550:              * It's useful to have a Message attached to a
1551:              * ProtocolError, so we override the bad ns value to build
1552:              * a Message out of it.  Kinda kludgy, since it's made of
1553:              * lies, but the parts that aren't lies are more useful
1554:              * than a 'None'.
1555:              */
1556:             $old_ns = $query['openid.ns'];
1557: 
1558:             $query['openid.ns'] = Auth_OpenID_OPENID2_NS;
1559:             $message = Auth_OpenID_Message::fromPostArgs($query);
1560:             return new Auth_OpenID_ServerError(
1561:                   $message,
1562:                   sprintf("Invalid OpenID namespace URI: %s", $old_ns));
1563:         }
1564: 
1565:         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
1566:         if (!$mode) {
1567:             return new Auth_OpenID_ServerError($message,
1568:                                                "No mode value in message");
1569:         }
1570: 
1571:         if (Auth_OpenID::isFailure($mode)) {
1572:             return new Auth_OpenID_ServerError($message,
1573:                                                $mode->message);
1574:         }
1575: 
1576:         $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode,
1577:                                             $this->defaultDecoder($message));
1578: 
1579:         if (!($handlerCls instanceof Auth_OpenID_ServerError)) {
1580:             return call_user_func_array(array($handlerCls, 'fromMessage'),
1581:                                         array($message, $this->server));
1582:         } else {
1583:             return $handlerCls;
1584:         }
1585:     }
1586: 
1587:     function defaultDecoder($message)
1588:     {
1589:         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
1590: 
1591:         if (Auth_OpenID::isFailure($mode)) {
1592:             return new Auth_OpenID_ServerError($message,
1593:                                                $mode->message);
1594:         }
1595: 
1596:         return new Auth_OpenID_ServerError($message,
1597:                        sprintf("Unrecognized OpenID mode %s", $mode));
1598:     }
1599: }
1600: 
1601: /**
1602:  * An error that indicates an encoding problem occurred.
1603:  *
1604:  * @package OpenID
1605:  */
1606: class Auth_OpenID_EncodingError {
1607:     function Auth_OpenID_EncodingError($response)
1608:     {
1609:         $this->response = $response;
1610:     }
1611: }
1612: 
1613: /**
1614:  * An error that indicates that a response was already signed.
1615:  *
1616:  * @package OpenID
1617:  */
1618: class Auth_OpenID_AlreadySigned extends Auth_OpenID_EncodingError {
1619:     // This response is already signed.
1620: }
1621: 
1622: /**
1623:  * An error that indicates that the given return_to is not under the
1624:  * given trust_root.
1625:  *
1626:  * @package OpenID
1627:  */
1628: class Auth_OpenID_UntrustedReturnURL extends Auth_OpenID_ServerError {
1629:     function Auth_OpenID_UntrustedReturnURL($message, $return_to,
1630:                                             $trust_root)
1631:     {
1632:         parent::Auth_OpenID_ServerError($message, "Untrusted return_to URL");
1633:         $this->return_to = $return_to;
1634:         $this->trust_root = $trust_root;
1635:     }
1636: 
1637:     function toString()
1638:     {
1639:         return sprintf("return_to %s not under trust_root %s",
1640:                        $this->return_to, $this->trust_root);
1641:     }
1642: }
1643: 
1644: /**
1645:  * I handle requests for an OpenID server.
1646:  *
1647:  * Some types of requests (those which are not checkid requests) may
1648:  * be handed to my {@link handleRequest} method, and I will take care
1649:  * of it and return a response.
1650:  *
1651:  * For your convenience, I also provide an interface to {@link
1652:  * Auth_OpenID_Decoder::decode()} and {@link
1653:  * Auth_OpenID_SigningEncoder::encode()} through my methods {@link
1654:  * decodeRequest} and {@link encodeResponse}.
1655:  *
1656:  * All my state is encapsulated in an {@link Auth_OpenID_OpenIDStore}.
1657:  *
1658:  * Example:
1659:  *
1660:  * <pre> $oserver = new Auth_OpenID_Server(Auth_OpenID_FileStore($data_path),
1661:  *                                   "http://example.com/op");
1662:  * $request = $oserver->decodeRequest();
1663:  * if (in_array($request->mode, array('checkid_immediate',
1664:  *                                    'checkid_setup'))) {
1665:  *     if ($app->isAuthorized($request->identity, $request->trust_root)) {
1666:  *         $response = $request->answer(true);
1667:  *     } else if ($request->immediate) {
1668:  *         $response = $request->answer(false);
1669:  *     } else {
1670:  *         $app->showDecidePage($request);
1671:  *         return;
1672:  *     }
1673:  * } else {
1674:  *     $response = $oserver->handleRequest($request);
1675:  * }
1676:  *
1677:  * $webresponse = $oserver->encode($response);</pre>
1678:  *
1679:  * @package OpenID
1680:  */
1681: class Auth_OpenID_Server {
1682:     function Auth_OpenID_Server($store, $op_endpoint=null)
1683:     {
1684:         $this->store = $store;
1685:         $this->signatory = new Auth_OpenID_Signatory($this->store);
1686:         $this->encoder = new Auth_OpenID_SigningEncoder($this->signatory);
1687:         $this->decoder = new Auth_OpenID_Decoder($this);
1688:         $this->op_endpoint = $op_endpoint;
1689:         $this->negotiator = Auth_OpenID_getDefaultNegotiator();
1690:     }
1691: 
1692:     /**
1693:      * Handle a request.  Given an {@link Auth_OpenID_Request} object,
1694:      * call the appropriate {@link Auth_OpenID_Server} method to
1695:      * process the request and generate a response.
1696:      *
1697:      * @param Auth_OpenID_Request $request An {@link Auth_OpenID_Request}
1698:      * returned by {@link Auth_OpenID_Server::decodeRequest()}.
1699:      *
1700:      * @return Auth_OpenID_ServerResponse $response A response object
1701:      * capable of generating a user-agent reply.
1702:      */
1703:     function handleRequest($request)
1704:     {
1705:         if (method_exists($this, "openid_" . $request->mode)) {
1706:             $handler = array($this, "openid_" . $request->mode);
1707:             return call_user_func($handler, &$request);
1708:         }
1709:         return null;
1710:     }
1711: 
1712:     /**
1713:      * The callback for 'check_authentication' messages.
1714:      */
1715:     function openid_check_authentication($request)
1716:     {
1717:         return $request->answer($this->signatory);
1718:     }
1719: 
1720:     /**
1721:      * The callback for 'associate' messages.
1722:      */
1723:     function openid_associate($request)
1724:     {
1725:         $assoc_type = $request->assoc_type;
1726:         $session_type = $request->session->session_type;
1727:         if ($this->negotiator->isAllowed($assoc_type, $session_type)) {
1728:             $assoc = $this->signatory->createAssociation(false,
1729:                                                          $assoc_type);
1730:             return $request->answer($assoc);
1731:         } else {
1732:             $message = sprintf('Association type %s is not supported with '.
1733:                                'session type %s', $assoc_type, $session_type);
1734:             list($preferred_assoc_type, $preferred_session_type) =
1735:                 $this->negotiator->getAllowedType();
1736:             return $request->answerUnsupported($message,
1737:                                                $preferred_assoc_type,
1738:                                                $preferred_session_type);
1739:         }
1740:     }
1741: 
1742:     /**
1743:      * Encodes as response in the appropriate format suitable for
1744:      * sending to the user agent.
1745:      */
1746:     function encodeResponse($response)
1747:     {
1748:         return $this->encoder->encode($response);
1749:     }
1750: 
1751:     /**
1752:      * Decodes a query args array into the appropriate
1753:      * {@link Auth_OpenID_Request} object.
1754:      */
1755:     function decodeRequest($query=null)
1756:     {
1757:         if ($query === null) {
1758:             $query = Auth_OpenID::getQuery();
1759:         }
1760: 
1761:         return $this->decoder->decode($query);
1762:     }
1763: }
1764: 
1765: 
1766: