📄 consumer.php
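* authentication request object.
     */
    function &beginWithoutDiscovery($endpoint, $anonymous=false)
    {
        $loader = new Auth_OpenID_ServiceEndpointLoader();
        $auth_req = $this->consumer->begin($endpoint);
        $this->session->set($this->_token_key,
              $loader->toSession($auth_req->endpoint));
        if (!$auth_req->setAnonymous($anonymous)) {
            return new Auth_OpenID_FailureResponse(null,
              "OpenID 1 requests MUST include the identifier " .
              "in the request.");
        }
        return $auth_req;
    }

    /**
     * Called to interpret the server's response to an OpenID
     * request. It is called in step 4 of the flow described in the
     * consumer overview.
     *
     * The endpoint the response is checked against is the one stored
     * in the session when the request began, not a value taken from
     * the incoming query. The session token is deleted once the
     * response has been processed, so it is used for one completion
     * only.
     *
     * @param string $return_to The return_to URL for this request; it
     * is passed through to the generic consumer. A non-empty value
     * that is not a string triggers an E_USER_ERROR.
     *
     * @param array $query An array of the query parameters (key =>
     * value pairs) for this HTTP request.  Defaults to null.  If
     * null, the GET or POST data are automatically gotten from the
     * PHP environment.  It is only useful to override $query for
     * testing.
     *
     * @return Auth_OpenID_ConsumerResponse $response An instance of an
     * Auth_OpenID_ConsumerResponse subclass. The type of response is
     * indicated by the status attribute, which will be one of
     * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
     */
    function complete($return_to, $query=null)
    {
        if ($return_to && !is_string($return_to)) {
            // This is ugly, but we need to complain loudly when
            // someone uses the API incorrectly.
            trigger_error("return_to must be a string; see NEWS file " .
                          "for upgrading notes.",
                          E_USER_ERROR);
        }

        if ($query === null) {
            $query = Auth_OpenID::getQuery();
        }

        // The endpoint comes from server-side session state written
        // when the request began.
        $loader = new Auth_OpenID_ServiceEndpointLoader();
        $endpoint_data = $this->session->get($this->_token_key);
        $endpoint = $loader->fromSession($endpoint_data);

        // $query is request data and therefore untrusted; all
        // checking of it is delegated to the generic consumer.
        $message = Auth_OpenID_Message::fromPostArgs($query);
        $response = $this->consumer->complete($message, $endpoint,
                                              $return_to);

        // Drop the stored endpoint whatever the outcome was.
        $this->session->del($this->_token_key);

        if (in_array($response->status, array(Auth_OpenID_SUCCESS,
                                              Auth_OpenID_CANCEL))) {
            if ($response->identity_url !== null) {
                $disco = $this->getDiscoveryObject($this->session,
                                                   $response->identity_url,
                                                   $this->session_key_prefix);
                $disco->cleanup(true);
            }
        }

        return $response;
    }
}

/**
 * A class implementing HMAC/DH-SHA1 consumer sessions.
 *
 * The association secret is returned by the server XOR-ed with a
 * value derived from the Diffie-Hellman exchange (see
 * extractSecret()).
 *
 * @package OpenID
 */
class Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
    var $session_type = 'DH-SHA1';
    var $hash_func = 'Auth_OpenID_SHA1';
    var $secret_size = 20;
    var $allowed_assoc_types = array('HMAC-SHA1');

    /**
     * @param Auth_OpenID_DiffieHellman $dh Optional key-exchange
     * object; a new Auth_OpenID_DiffieHellman is created when null.
     */
    function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null)
    {
        if ($dh === null) {
            $dh = new Auth_OpenID_DiffieHellman();
        }

        $this->dh = $dh;
    }

    /**
     * Build the session arguments for an association request.
     *
     * @return array Always contains 'dh_consumer_public'; also
     * contains 'dh_modulus' and 'dh_gen' when the Diffie-Hellman
     * object is not using its default values.
     */
    function getRequest()
    {
        $math =& Auth_OpenID_getMathLib();

        $cpub = $math->longToBase64($this->dh->public);

        $args = array('dh_consumer_public' => $cpub);

        if (!$this->dh->usingDefaultValues()) {
            $args = array_merge($args, array(
                'dh_modulus' =>
                     $math->longToBase64($this->dh->mod),
                'dh_gen' =>
                     $math->longToBase64($this->dh->gen)));
        }

        return $args;
    }

    /**
     * Recover the association secret from an association response.
     *
     * @param Auth_OpenID_Message $response The server's response.
     *
     * @return mixed null when 'dh_server_public' or 'enc_mac_key' is
     * missing; otherwise whatever xorSecret() returns.
     */
    function extractSecret($response)
    {
        if (!$response->hasKey(Auth_OpenID_OPENID_NS,
                               'dh_server_public')) {
            return null;
        }

        if (!$response->hasKey(Auth_OpenID_OPENID_NS,
                               'enc_mac_key')) {
            return null;
        }

        $math =& Auth_OpenID_getMathLib();

        // NOTE(review): both values below come from the server's
        // response. No range check on the server public value and no
        // length check of the decoded key against $secret_size is
        // visible in this method -- confirm that xorSecret() or the
        // caller performs them.
        $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS,
                                                      'dh_server_public'));
        $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
                                                       'enc_mac_key'));

        return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func);
    }
}

/**
 * A class implementing HMAC/DH-SHA256 consumer sessions.
 *
 * Same behavior as the SHA1 session; only the session type, hash
 * function, secret size and allowed association types differ.
 *
 * @package OpenID
 */
class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends
      Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
    var $session_type = 'DH-SHA256';
    var $hash_func = 'Auth_OpenID_SHA256';
    var $secret_size = 32;
    var $allowed_assoc_types = array('HMAC-SHA256');
}

/**
 * A class implementing plaintext consumer sessions.
 *
 * With this session type the server returns the MAC key base64
 * encoded but not encrypted, so the association secret is only as
 * confidential as the channel that carried the response. It should
 * be negotiated only when the association request is made over
 * transport-layer encryption.
 *
 * @package OpenID
 */
class Auth_OpenID_PlainTextConsumerSession {
    var $session_type = 'no-encryption';
    var $allowed_assoc_types =  array('HMAC-SHA1');

    /**
     * @return array An empty array: this session type adds no
     * arguments to the association request.
     */
    function getRequest()
    {
        return array();
    }

    /**
     * @param Auth_OpenID_Message $response The server's response.
     *
     * @return mixed null when 'mac_key' is missing; otherwise the
     * base64-decoded key.
     */
    function extractSecret($response)
    {
        if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) {
            return null;
        }

        return base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
                                               'mac_key'));
    }
}

/**
 * Returns available session types.
 *
 * @return array Map of session type name => consumer session class
 * name. The unencrypted 'no-encryption' type is part of the map;
 * which type is actually used is decided elsewhere.
 */
function Auth_OpenID_getAvailableSessionTypes()
{
    $types = array(
      'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession',
      'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession',
      'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession');

    return $types;
}

/**
 * This class is the interface to the OpenID consumer logic.
 * Instances of it maintain no per-request state, so they can be
 * reused (or even used by multiple threads concurrently) as needed.
 *
 * @package OpenID
 */
class Auth_OpenID_GenericConsumer {
    /**
     * @access private
     */
    var $discoverMethod = 'Auth_OpenID_discover';

    /**
     * This consumer's store object.
     */
    var $store;

    /**
     * @access private
     */
    var $_use_assocs;

    /**
     * @access private
     */
    var $openid1_nonce_query_arg_name = 'janrain_nonce';

    /**
     * Another query parameter that gets added to the return_to for
     * OpenID 1; if the user's session state is lost, use this claimed
     * identifier to do discovery when verifying the response.
     */
    var $openid1_return_to_identifier_name = 'openid1_claimed_id';

    /**
     * This method initializes a new {@link Auth_OpenID_Consumer}
     * instance to access the library.
     *
     * @param Auth_OpenID_OpenIDStore $store This must be an object
     * that implements the interface in {@link Auth_OpenID_OpenIDStore}.
     * Several concrete implementations are provided, to cover most common use
     * cases.  For stores backed by MySQL, PostgreSQL, or SQLite, see
     * the {@link Auth_OpenID_SQLStore} class and its subclasses.  For a
     * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module.
     * As a last resort, if it isn't possible for the server to store
     * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used.
     *
     * Note: this constructor takes only $store; it has no $immediate
     * parameter.
     */
    function Auth_OpenID_GenericConsumer(&$store)
    {
        $this->store =& $store;
        $this->negotiator =& Auth_OpenID_getDefaultNegotiator();
        // Associations are used only when a store was supplied.
        $this->_use_assocs = ($this->store ? true : false);

        $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();

        $this->session_types = Auth_OpenID_getAvailableSessionTypes();
    }

    /**
     * Called to begin OpenID authentication using the specified
     * {@link Auth_OpenID_ServiceEndpoint}.
     *
     * A freshly generated nonce is added to the return_to arguments
     * of every request; for OpenID 1 messages the claimed identifier
     * is added as well.
     *
     * @access private
     */
    function begin($service_endpoint)
    {
        $assoc = $this->_getAssociation($service_endpoint);
        $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
        // NOTE(review): presumably checked when the response comes
        // back, to detect replayed responses -- the check is not
        // visible here.
        $r->return_to_args[$this->openid1_nonce_query_arg_name] =
            Auth_OpenID_mkNonce();

        if ($r->message->isOpenID1()) {
            $r->return_to_args[$this->openid1_return_to_identifier_name] =
                $r->endpoint->claimed_id;
        }

        return $r;
    }

    /**
     * Given an {@link Auth_OpenID_Message}, {@link
     * Auth_OpenID_ServiceEndpoint} and optional return_to URL,
     * complete OpenID authentication.
     *
     * The openid.mode value comes from the request. It is used only
     * as a key into a fixed table of handler names, and any mode not
     * in the table is routed to _completeInvalid(), so the request
     * cannot choose an arbitrary method to call.
     *
     * @access private
     */
    function complete($message, $endpoint, $return_to)
    {
        $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
                                 '<no mode set>');

        $mode_methods = array(
                              'cancel' => '_complete_cancel',
                              'error' => '_complete_error',
                              'setup_needed' => '_complete_setup_needed',
                              'id_res' => '_complete_id_res',
                              );

        $method = Auth_OpenID::arrayGet($mode_methods, $mode,
                                        '_completeInvalid');

        return call_user_func_array(array(&$this, $method),
                                    array($message, $endpoint, $return_to));
    }

    /**
     * Build the failure response for an unrecognized openid.mode.
     *
     * The mode string is taken from the request and placed in the
     * failure message as-is; escape the message before showing it in
     * HTML or writing it to a log viewer.
     *
     * @access private
     */
    function _completeInvalid($message, &$endpoint, $unused)
    {
        $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
                                 '<No mode set>');

        return new Auth_OpenID_FailureResponse($endpoint,
                    sprintf("Invalid openid.mode '%s'", $mode));
    }

    /**
     * @access private
     */
    function _complete_cancel($message, &$endpoint, $unused)
    {
        return new Auth_OpenID_CancelResponse($endpoint);
    }

    /**
     * Build the failure response for openid.mode=error.
     *
     * The error, contact and reference values are copied from the
     * request without modification, so they are untrusted text.
     *
     * @access private
     */
    function _complete_error($message, &$endpoint, $unused)
    {
        $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
        $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
        $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');

        return new Auth_OpenID_FailureResponse($endpoint, $error,
                                               $contact, $reference);
    }

    /**
     * Handle openid.mode=setup_needed, which is accepted only for
     * OpenID 2 messages; anything else is reported as an invalid
     * mode.
     *
     * @access private
     */
    function _complete_setup_needed($message, &$endpoint, $unused)
    {
        if (!$message->isOpenID2()) {
            // _completeInvalid() declares three parameters; pass the
            // unused third one explicitly so the call does not fail
            // with a missing-argument error.
            return $this->_completeInvalid($message, $endpoint, null);
        }

        return new Auth_OpenID_SetupNeededResponse($endpoint);
    }

    /**
     * Handle openid.mode=id_res: either report that setup is needed
     * or go on to verify the positive assertion.
     *
     * @access private
     */
    function _complete_id_res($message, &$endpoint, $return_to)
    {
        $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
                                           'user_setup_url');

        if ($this->_checkSetupNeeded($message)) {
            // Instantiate the response class. The previous code
            // called an undefined function SetupNeededResponse(),
            // which is a fatal error on this path.
            return new Auth_OpenID_SetupNeededResponse(
                $endpoint, $user_setup_url);
        } else {
            return $this->_doIdRes($message, $endpoint, $return_to);
        }
    }

    /**
     * @access private
     */
    function _checkSetupNeeded($message)
    {
        // In OpenID 1, we check to see if this is a cancel from
        // immediate mode by the presence of the user_setup_url
        // parameter.
        if ($message->isOpenID1()) {
            $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
                                               'user_setup_url');
            if ($user_setup_url !== null) {
                return true;
            }
        }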