
Contents of /drupal/modules/openid/tests/openid_test.module



Revision 1.6 - (show annotations) (download) (as text)
Tue Nov 3 06:47:22 2009 UTC (3 weeks, 1 day ago) by webchick
Branch: MAIN
CVS Tags: DRUPAL-7-0-UNSTABLE-10
Changes since 1.5: +11 -4 lines
File MIME type: text/x-php
#552478 by pwolanin, samj, dropcube, and sun: Improve link/header API and support on node/comment pages rel=canonical and rel=shortlink standards.
1 <?php
2 // $Id: openid_test.module,v 1.5 2009/09/30 18:36:02 dries Exp $
3
4 /**
5 * @file
6 * Dummy OpenID Provider used with SimpleTest.
7 *
8 * The provider simply responds positively to all authentication requests. In
9 * addition to a Provider Endpoint (a URL used for Drupal to communicate with
10 * the provider using the OpenID Authentication protocol) the module provides
11 * URLs used by the various discovery mechanisms.
12 *
13 * When a user enters an OpenID identity, the Relying Party (in the testing
14 * scenario, this is the OpenID module) looks up the URL of the Provider
15 * Endpoint using one of several discovery mechanisms. The Relying Party then
16 * redirects the user to Provider Endpoint. The provider verifies the user's
17 * identity and redirects the user back to the Relying Party accompanied by a
18 * signed message confirming the identity. Before redirecting to a provider for
19 * the first time, the Relying Party fetches a secret MAC key from the provider
20 * by doing a direct "associate" HTTP request to the Provider Endpoint. This
21 * key is used for verifying the signed messages from the provider.
22 */
23
/**
 * Implement hook_menu().
 *
 * Registers the discovery pages and the Provider Endpoint of the dummy OpenID
 * provider. Every route is declared with 'access callback' => TRUE, i.e. no
 * permission check is applied; the module is described in its @file header as
 * a provider for SimpleTest and should not be enabled on a production site.
 *
 * @return
 *   Menu items keyed by path.
 */
function openid_test_menu() {
  // Path => array(title, page callback). The order matches the order in which
  // the items are returned.
  $routes = array(
    'openid-test/yadis/xrds' => array(
      'XRDS service document',
      'openid_test_yadis_xrds',
    ),
    'openid-test/yadis/x-xrds-location' => array(
      'Yadis discovery using X-XRDS-Location header',
      'openid_test_yadis_x_xrds_location',
    ),
    'openid-test/yadis/http-equiv' => array(
      'Yadis discovery using <meta http-equiv="X-XRDS-Location" ...>',
      'openid_test_yadis_http_equiv',
    ),
    'openid-test/html/openid1' => array(
      'HTML-based discovery using <link rel="openid.server" ...>',
      'openid_test_html_openid1',
    ),
    'openid-test/html/openid2' => array(
      'HTML-based discovery using <link rel="openid2.provider" ...>',
      'openid_test_html_openid2',
    ),
    'openid-test/endpoint' => array(
      'OpenID Provider Endpoint',
      'openid_test_endpoint',
    ),
  );

  $items = array();
  foreach ($routes as $path => $route) {
    list($title, $callback) = $route;
    $items[$path] = array(
      'title' => $title,
      'page callback' => $callback,
      'access callback' => TRUE,
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}
66
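/**
 * Menu callback; XRDS document that references the OP Endpoint URL.
 *
 * Prints the XRDS document when the request's Accept header is exactly
 * 'application/xrds+xml'; any other request (including one without an Accept
 * header) gets the text of a regular HTML page.
 *
 * @return
 *   The translated page text for non-XRDS requests; nothing once the XRDS
 *   document has been printed.
 */
function openid_test_yadis_xrds() {
  // The Accept header is optional, so do not read it as an undefined index.
  $accept = isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : '';

  if ($accept === 'application/xrds+xml') {
    drupal_add_http_header('Content-Type', 'application/xrds+xml');
    // The XRD element is closed with </XRD>; a second opening tag here would
    // make the document ill-formed XML.
    print '<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
    </Service>
  </XRD>
</xrds:XRDS>';
  }
  else {
    return t('This is a regular HTML page. If the client sends an Accept: application/xrds+xml header when requesting this URL, an XRDS document is returned.');
  }
}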
87
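/**
 * Menu callback; regular HTML page with an X-XRDS-Location HTTP header.
 *
 * The header value is the absolute URL of the XRDS document page.
 *
 * @return
 *   The translated page text.
 */
function openid_test_yadis_x_xrds_location() {
  drupal_add_http_header('X-XRDS-Location', url('openid-test/yadis/xrds', array('absolute' => TRUE)));
  // The text names the header that is actually sent (X-XRDS-Location).
  return t('This page includes an X-XRDS-Location HTTP header containing the URL of an XRDS document.');
}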
95
/**
 * Menu callback; regular HTML page with <meta> element.
 *
 * Adds a <meta http-equiv="X-XRDS-Location"> element to the HTML head whose
 * content is the absolute URL of the XRDS document page.
 *
 * @return
 *   The translated page text.
 */
function openid_test_yadis_http_equiv() {
  $xrds_url = url('openid-test/yadis/xrds', array('absolute' => TRUE));

  $meta = array();
  $meta['#tag'] = 'meta';
  $meta['#attributes'] = array(
    'http-equiv' => 'X-XRDS-Location',
    'content' => $xrds_url,
  );

  // The second argument is the key under which the element is registered.
  drupal_add_html_head($meta, 'openid_test_yadis_http_equiv');

  return t('This page includes a &lt;meta equiv=...&gt; element containing the URL of an XRDS document.');
}
110
/**
 * Menu callback; regular HTML page with OpenID 1.0 <link> element.
 *
 * Adds <link rel="openid.server"> pointing at the absolute URL of the test
 * Provider Endpoint.
 *
 * @return
 *   The translated page text.
 */
function openid_test_html_openid1() {
  $endpoint = url('openid-test/endpoint', array('absolute' => TRUE));
  $link = array(
    'rel' => 'openid.server',
    'href' => $endpoint,
  );
  drupal_add_html_head_link($link);

  return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
}
118
/**
 * Menu callback; regular HTML page with OpenID 2.0 <link> element.
 *
 * Adds <link rel="openid2.provider"> pointing at the absolute URL of the test
 * Provider Endpoint.
 *
 * @return
 *   The translated page text.
 */
function openid_test_html_openid2() {
  $endpoint = url('openid-test/endpoint', array('absolute' => TRUE));
  $link = array(
    'rel' => 'openid2.provider',
    'href' => $endpoint,
  );
  drupal_add_html_head_link($link);

  return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
}
126
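/**
 * Menu callback; OpenID Provider Endpoint.
 *
 * It accepts "associate" requests directly from the Relying Party, and
 * "checkid_setup" requests made by the user's browser based on HTTP redirects
 * (in OpenID 1) or HTML forms (in OpenID 2) generated by the Relying Party.
 *
 * Requests with a missing, non-string or unrecognized openid_mode are ignored.
 */
function openid_test_endpoint() {
  // openid_mode comes straight from the client: it may be absent, or an array
  // if the parameter was sent as openid_mode[]. Only a plain string can select
  // a handler.
  $mode = '';
  if (isset($_REQUEST['openid_mode']) && is_string($_REQUEST['openid_mode'])) {
    $mode = $_REQUEST['openid_mode'];
  }

  switch ($mode) {
    case 'associate':
      _openid_test_endpoint_associate();
      break;

    case 'checkid_setup':
      _openid_test_endpoint_authenticate();
      break;
  }
}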
144
/**
 * OpenID endpoint; handle "associate" requests (see OpenID Authentication 2.0,
 * section 8).
 *
 * Association hands the secret MAC key to the Relying Party over a
 * Diffie-Hellman key exchange; the key is then used to sign the later
 * "authenticate" responses. In the testing scenario the request comes from the
 * OpenID module via drupal_http_request().
 *
 * The response is printed in Key-Value Form Encoding with a text/plain content
 * type. The association handle is the fixed string 'openid-test'.
 *
 * NOTE(review): openid_dh_consumer_public, openid_session_type and
 * openid_assoc_type are read from $_REQUEST without an isset() check or any
 * validation visible in this function. That fits a provider that only ever
 * talks to the test runner; confirm before reusing this code anywhere else.
 */
function _openid_test_endpoint_associate() {
  module_load_include('inc', 'openid');

  // Default Diffie-Hellman modulus and generator.
  $modulus = OPENID_DH_DEFAULT_MOD;
  $generator = OPENID_DH_DEFAULT_GEN;

  // Private key: the random value from _openid_dh_rand() plus one.
  $private_key = bcadd(_openid_dh_rand($modulus), 1);

  // Public key: generator ^ private key (mod modulus).
  $public_key = bcpowmod($generator, $private_key, $modulus);

  // Shared secret derived from the Relying Party's public key.
  // NOTE(review): the client-supplied value is used as-is; no range check on
  // it is visible here - confirm whether the helper performs one.
  $consumer_public = _openid_dh_base64_to_long($_REQUEST['openid_dh_consumer_public']);
  $shared_secret = bcpowmod($consumer_public, $private_key, $modulus);

  // The stored 'mac_key' variable is base64-decoded, combined with the shared
  // secret by _openid_dh_xorsecret(), and base64-encoded again for transport.
  $mac_key = base64_decode(variable_get('mac_key'));
  $enc_mac_key = base64_encode(_openid_dh_xorsecret($shared_secret, $mac_key));

  // With our public key and its own private key the Relying Party can compute
  // the same shared secret and recover the MAC key from enc_mac_key.
  // NOTE(review): session_type and assoc_type are echoed back unchanged; if
  // _openid_create_message() does not filter line breaks, a value containing
  // one would add extra lines to the key-value response - confirm.
  $reply = array(
    'ns' => 'http://specs.openid.net/auth/2.0',
    'assoc_handle' => 'openid-test',
    'session_type' => $_REQUEST['openid_session_type'],
    'assoc_type' => $_REQUEST['openid_assoc_type'],
    'expires_in' => '3600',
    'dh_server_public' => _openid_dh_long_to_base64($public_key),
    'enc_mac_key' => $enc_mac_key,
  );

  // Key-Value Form Encoding (see OpenID Authentication 1.0, section 4.1.1).
  drupal_add_http_header('Content-Type', 'text/plain');
  print _openid_create_message($reply);
}
194
/**
 * OpenID endpoint; handle "authenticate" requests.
 *
 * Every request is answered with a positive assertion. The request is a GET or
 * POST made by the user's browser from an HTML form or HTTP redirect generated
 * by the Relying Party; the browser is sent back to the Relying Party with the
 * signed message in the query string.
 *
 * NOTE(review): the redirect target is the client-supplied openid_return_to,
 * and openid_identity is asserted exactly as received; neither is checked in
 * this function. That is the stated purpose of a dummy provider, and a reason
 * to keep this module off any site that is not a test environment.
 */
function _openid_test_endpoint_authenticate() {
  global $base_url;

  module_load_include('inc', 'openid');

  // Unique identifier for this authentication.
  $response_nonce = _openid_nonce();

  // openid.claimed_id is not sent by OpenID 1 clients.
  if (isset($_REQUEST['openid_claimed_id'])) {
    $claimed_id = $_REQUEST['openid_claimed_id'];
  }
  else {
    $claimed_id = '';
  }

  // Fields covered by the signature. The openid.sreg.* entries below are not
  // in this list, so they travel unsigned.
  $signed_fields = 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle';

  // Positive assertion. The openid.sreg.xxx entries carry profile data stored
  // by the OpenID Provider (see OpenID Simple Registration Extension 1.0).
  $message = array(
    'openid.ns' => OPENID_NS_2_0,
    'openid.mode' => 'id_res',
    // NOTE(review): this path is not one of the routes registered by this
    // module's hook_menu() - confirm it is the intended endpoint value.
    'openid.op_endpoint' => $base_url . url('openid/provider'),
    'openid.claimed_id' => $claimed_id,
    'openid.identity' => $_REQUEST['openid_identity'],
    'openid.return_to' => $_REQUEST['openid_return_to'],
    'openid.response_nonce' => $response_nonce,
    'openid.assoc_handle' => 'openid-test',
    'openid.sreg.email' => 'johndoe@example.com',
    'openid.sreg.nickname' => 'johndoe',
    'openid.signed' => $signed_fields,
  );

  // Sign with the MAC key that was handed out during association.
  $assoc = new stdClass();
  $assoc->mac_key = variable_get('mac_key');
  $signed_keys = explode(',', $message['openid.signed']);
  $message['openid.sig'] = _openid_signature($assoc, $message, $signed_keys);

  // Append the signed message to the Relying Party's return URL and redirect
  // the browser there.
  drupal_add_http_header('Content-Type', 'text/plain');
  $redirect = url($_REQUEST['openid_return_to'], array('query' => $message, 'external' => TRUE));
  header('Location: ' . $redirect);
}
