consumer.php

简介：IceBB是一个强大

        if (($to_match->claimed_id !== null) &&
            ($to_match->local_id === null)) {
            return new Auth_OpenID_FailureResponse($endpoint,
              'openid.claimed_id is present without openid.identity');
        }

        if ($to_match->claimed_id === null) {
            // This is a response without identifiers, so there's
            // really no checking that we can do, so return an
            // endpoint that's for the specified `openid.op_endpoint'
            return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL(
                                                $to_match->server_url);
        }

        if (!$endpoint) {
            // The claimed ID doesn't match, so we have to do
            // discovery again. This covers not using sessions, OP
            // identifier endpoints and responses that didn't match
            // the original request.
            // oidutil.log('No pre-discovered information supplied.')
            return $this->_discoverAndVerify($to_match);
        } else {

            // The claimed ID matches, so we use the endpoint that we
            // discovered in initiation. This should be the most
            // common case.
            $result = $this->_verifyDiscoverySingle($endpoint, $to_match);

            if (Auth_OpenID::isFailure($result)) {
                $endpoint = $this->_discoverAndVerify($to_match);

                if (Auth_OpenID::isFailure($endpoint)) {
                    return $endpoint;
                }
            }
        }

        // The endpoint we return should have the claimed ID from the
        // message we just verified, fragment and all.
        if ($endpoint->claimed_id != $to_match->claimed_id) {
            $endpoint->claimed_id = $to_match->claimed_id;
        }

        return $endpoint;
    }

    /**
     * @access private
     */
    function _discoverAndVerify($to_match)
    {
        // oidutil.log('Performing discovery on %s' % (to_match.claimed_id,))
        list($unused, $services) = call_user_func($this->discoverMethod,
                                                  $to_match->claimed_id,
                                                  $this->fetcher);

        if (!$services) {
            return new Auth_OpenID_FailureResponse(null,
              sprintf("No OpenID information found at %s",
                      $to_match->claimed_id));
        }

        return $this->_verifyDiscoveryServices($services, $to_match);
    }

    /**
     * @access private
     */
    function _verifyDiscoveryServices(&$services, &$to_match)
    {
        // Search the services resulting from discovery to find one
        // that matches the information from the assertion

        foreach ($services as $endpoint) {
            $result = $this->_verifyDiscoverySingle($endpoint, $to_match);

            if (!Auth_OpenID::isFailure($result)) {
                // It matches, so discover verification has
                // succeeded. Return this endpoint.
                return $endpoint;
            }
        }

        return new Auth_OpenID_FailureResponse(null,
          sprintf('No matching endpoint found after discovering %s',
                  $to_match->claimed_id));
    }

    /**
     * Extract the nonce from an OpenID 1 response.  Return the nonce
     * from the BARE_NS since we independently check the return_to
     * arguments are the same as those in the response message.
     *
     * See the openid1_nonce_query_arg_name class variable
     *
     * @returns $nonce The nonce as a string or null
     *
     * @access private
     */
    function _idResGetNonceOpenID1($message, $endpoint)
    {
        return $message->getArg(Auth_OpenID_BARE_NS,
                                $this->openid1_nonce_query_arg_name);
    }

    /**
     * @access private
     */
    function _idResCheckNonce($message, $endpoint)
    {
        if ($message->isOpenID1()) {
            // This indicates that the nonce was generated by the consumer
            $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
            $server_url = '';
        } else {
            $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
                                      'response_nonce');

            $server_url = $endpoint->server_url;
        }

        if ($nonce === null) {
            return new Auth_OpenID_FailureResponse($endpoint,
                                     "Nonce missing from response");
        }

        $parts = Auth_OpenID_splitNonce($nonce);

        if ($parts === null) {
            return new Auth_OpenID_FailureResponse($endpoint,
                                     "Malformed nonce in response");
        }

        list($timestamp, $salt) = $parts;

        if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
            return new Auth_OpenID_FailureResponse($endpoint,
                         "Nonce already used or out of range");
        }

        return null;
    }

    /**
     * @access private
     */
    function _idResCheckForFields($message)
    {
        $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
        $basic_sig_fields = array('return_to', 'identity');

        $require_fields = array(
            Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
                                                  array('op_endpoint')),

            Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
                                                  array('identity'))
            );

        $require_sigs = array(
            Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
                                                  array('response_nonce',
                                                        'claimed_id',
                                                        'assoc_handle')),
            Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
                                                  array('nonce'))
            );

        foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
            if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
                return new Auth_OpenID_FailureResponse(null,
                             "Missing required field '".$field."'");
            }
        }

        $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
                                            'signed',
                                            Auth_OpenID_NO_DEFAULT);
        $signed_list = explode(',', $signed_list_str);

        foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
            // Field is present and not in signed list
            if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
                (!in_array($field, $signed_list))) {
                return new Auth_OpenID_FailureResponse(null,
                             "'".$field."' not signed");
            }
        }

        return null;
    }

    /**
     * @access private
     */
    function _checkAuth($message, $server_url)
    {
        $request = $this->_createCheckAuthRequest($message);
        if ($request === null) {
            return false;
        }

        $resp_message = $this->_makeKVPost($request, $server_url);
        if (($resp_message === null) ||
            (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
            return false;
        }

        return $this->_processCheckAuthResponse($resp_message, $server_url);
    }

    /**
     * @access private
     */
    function _createCheckAuthRequest($message)
    {
        $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
        if ($signed === null) {
            return null;
        }

        $whitelist = array('assoc_handle', 'sig',
                           'signed', 'invalidate_handle');

        $check_args = array();

        foreach ($whitelist as $k) {
            $val = $message->getArg(Auth_OpenID_OPENID_NS, $k);
            if ($val !== null) {
                $check_args[$k] = $val;
            }
        }

        $signed = $message->getArg(Auth_OpenID_OPENID_NS,
                                   'signed');

        if ($signed) {
            foreach (explode(',', $signed) as $k) {
                if ($k == 'ns') {
                    $check_args['ns'] = $message->getOpenIDNamespace();
                    continue;
                }

                $value = $message->getAliasedArg($k);
                if ($value === null) {
                    return null;
                }

                $check_args[$k] = $value;
            }
        }

        $check_args['mode'] = 'check_authentication';
        return Auth_OpenID_Message::fromOpenIDArgs($check_args);
    }

    /**
     * @access private
     */
    function _processCheckAuthResponse($response, $server_url)
    {
        $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid',
                                      'false');

        $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
                                               'invalidate_handle');

        if ($invalidate_handle !== null) {
            $this->store->removeAssociation($server_url,
                                            $invalidate_handle);
        }

        if ($is_valid == 'true') {
            return true;
        }

        return false;
    }

    /**
     * Adapt a POST response to a Message.
     *
     * @param $response Result of a POST to an OpenID endpoint.
     *
     * @access private
     */
    function _httpResponseToMessage($response, $server_url)
    {
        // Should this function be named Message.fromHTTPResponse instead?
        $response_message = Auth_OpenID_Message::fromKVForm($response->body);

        if ($response->status == 400) {
            return Auth_OpenID_ServerErrorContainer::fromMessage(
                        $response_message);
        } else if ($response->status != 200) {
            return null;
        }

        return $response_message;
    }

    /**
     * @access private
     */
    function _makeKVPost($message, $server_url)
    {
        $body = $message->toURLEncoded();
        $resp = $this->fetcher->post($server_url, $body);

        if ($resp === null) {
            return null;
        }

        return $this->_httpResponseToMessage($resp, $server_url);
    }

    /**
     * @access private
     */
    function _getAssociation($endpoint)
    {
        if (!$this->_use_assocs) {
            return null;
        }

        $assoc = $this->store->getAssociation($endpoint->server_url);

        if (($assoc === null) ||
            ($assoc->getExpiresIn() <= 0)) {

            $assoc = $this->_negotiateAssociation($endpoint);

            if ($assoc !== null) {
                $this->store->storeAssociation($endpoint->server_url,
                                               $assoc);
            }
        }

        return $assoc;
    }

    /**
     * Handle ServerErrors resulting from association requests.
     *
     * @return $result If server replied with an C{unsupported-type}
     * error, return a tuple of supported C{association_type},
     * C{session_type}.  Otherwise logs the error and returns null.
     *
     * @access private
     */
    function _extractSupportedAssociationType(&$server_error, &$endpoint,
                                              $assoc_type)
    {
        // Any error message whose code is not 'unsupported-type'
        // should be considered a total failure.
        if (($server_error->error_code != 'unsupported-type') ||
            ($server_error->message->isOpenID1())) {
            return null;
        }

        // The server didn't like the association/session type that we
        // sent, and it sent us back a message that might tell us how
        // to handle it.

        // Extract the session_type and assoc_type from the error
        // message
        $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
                                                     'assoc_type');