Skip to content

GitLab

Commit 38220bad authored by Dries's avatar Dries
Browse files
Options

- Patch #225535 by flobruit, c960657: OpenID login fails for delegated OpenIDs.

parent cd545702
Hide whitespace changes
Inline Side-by-side
Showing with 48 additions and 11 deletions
modules/openid/openid.inc
View file @ 38220bad
......@@ -50,6 +50,11 @@
*/
define('OPENID_NS_1_0', 'http://openid.net/signon/1.0');
/**
* OpenID namespace used in Yadis documents.
*/
define('OPENID_NS_OPENID', 'http://openid.net/xmlns/1.0');
/**
* OpenID Simple Registration extension.
*/
......@@ -148,12 +153,12 @@ function _openid_xrds_parse($raw_xml) {
foreach ($service_element->Type as $type) {
$service['types'][] = (string)$type;
}
if ($service_element->children(OPENID_NS_XRD)->Delegate) {
$service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->Delegate;
}
if ($service_element->children(OPENID_NS_XRD)->LocalID) {
$service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->LocalID;
}
elseif ($service_element->children(OPENID_NS_OPENID)->Delegate) {
$service['identity'] = (string)$service_element->children(OPENID_NS_OPENID)->Delegate;
}
else {
$service['identity'] = FALSE;
}
......
modules/openid/openid.test
View file @ 38220bad
......@@ -67,7 +67,10 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// The URL scheme is stripped in order to test that the supplied identifier
// is normalized in openid_begin().
$identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
$this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, $identity);
$this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, 'http://example.com/xrds', $identity);
$identity = url('openid-test/yadis/xrds/delegate', array('absolute' => TRUE));
$this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, 'http://example.com/xrds-delegate', $identity);
// Identifier is the URL of an XRDS document containing an OP Identifier
// Element. The Relying Party sends the special value
......@@ -78,7 +81,7 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// is stripped in order to test that the returned identifier is normalized in
// openid_complete().
variable_set('openid_test_response', array('openid.claimed_id' => preg_replace('@^https?://@', '', $identity)));
$this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, $identity);
$this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, 'http://specs.openid.net/auth/2.0/identifier_select', $identity);
variable_set('openid_test_response', array());
// Identifier is the URL of an HTML page that is sent with an HTTP header
......@@ -91,11 +94,11 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// Identifier is an XRI. Resolve using our own dummy proxy resolver.
variable_set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/');
$this->addIdentity('@example*résumé;%25', 2, 'http://example.com/user');
$this->addIdentity('@example*résumé;%25', 2, 'http://example.com/xrds', 'http://example.com/user');
// Make sure that unverified CanonicalID are not trusted.
variable_set('openid_test_canonical_id_status', 'bad value');
$this->addIdentity('@example*résumé;%25', 2, FALSE);
$this->addIdentity('@example*résumé;%25', 2, FALSE, FALSE);
// HTML-based discovery:
// If the User-supplied Identifier is a URL of an HTML page, the page may
......@@ -103,10 +106,10 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// Provider Endpoint. OpenID 1 and 2 describe slightly different formats.
// OpenID Authentication 1.1, section 3.1:
$this->addIdentity(url('openid-test/html/openid1', array('absolute' => TRUE)), 1);
$this->addIdentity(url('openid-test/html/openid1', array('absolute' => TRUE)), 1, 'http://example.com/html-openid1');
// OpenID Authentication 2.0, section 7.3.3:
$this->addIdentity(url('openid-test/html/openid2', array('absolute' => TRUE)), 2);
$this->addIdentity(url('openid-test/html/openid2', array('absolute' => TRUE)), 2, 'http://example.com/html-openid2');
}
/**
......@@ -197,11 +200,16 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
* The User-supplied Identifier.
* @param $version
* The protocol version used by the service.
* @param $local_id
* The expected OP-Local Identifier found during discovery.
* @param $claimed_id
* The expected Claimed Identifier returned by the OpenID Provider, or FALSE
* if the discovery is expected to fail.
*/
function addIdentity($identity, $version = 2, $claimed_id = NULL) {
function addIdentity($identity, $version = 2, $local_id = 'http://example.com/xrds', $claimed_id = NULL) {
// Tell openid_test.module to only accept this OP-Local Identifier.
variable_set('openid_test_identity', $local_id);
$edit = array('openid_identifier' => $identity);
$this->drupalPost('user/' . $this->web_user->uid . '/openid', $edit, t('Add an OpenID'));
......
modules/openid/tests/openid_test.module
View file @ 38220bad
......@@ -88,7 +88,7 @@ function openid_test_yadis_xrds() {
}
drupal_add_http_header('Content-Type', 'application/xrds+xml');
print '<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
<XRD>
<Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
<ProviderID>xri://@</ProviderID>
......@@ -100,6 +100,7 @@ function openid_test_yadis_xrds() {
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
<LocalID>http://example.com/xrds</LocalID>
</Service>
<Service priority="15">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
......@@ -121,6 +122,15 @@ function openid_test_yadis_xrds() {
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
</Service>';
}
elseif (arg(3) == 'delegate') {
print '
<Service priority="5">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
<openid:Delegate>http://example.com/xrds-delegate</openid:Delegate>
</Service>';
}
print '
</XRD>
</xrds:XRDS>';
......@@ -158,6 +168,7 @@ function openid_test_yadis_http_equiv() {
*/
function openid_test_html_openid1() {
drupal_add_html_head_link(array('rel' => 'openid.server', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
drupal_add_html_head_link(array('rel' => 'openid.delegate', 'href' => 'http://example.com/html-openid1'));
return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
}
......@@ -166,6 +177,7 @@ function openid_test_html_openid1() {
*/
function openid_test_html_openid2() {
drupal_add_html_head_link(array('rel' => 'openid2.provider', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
drupal_add_html_head_link(array('rel' => 'openid2.local_id', 'href' => 'http://example.com/html-openid2'));
return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
}
......@@ -249,6 +261,18 @@ function _openid_test_endpoint_associate() {
function _openid_test_endpoint_authenticate() {
module_load_include('inc', 'openid');
$expected_identity = variable_get('openid_test_identity');
if ($expected_identity && $_REQUEST['openid_identity'] != $expected_identity) {
$response = variable_get('openid_test_response', array()) + array(
'openid.ns' => OPENID_NS_2_0,
'openid.mode' => 'error',
'openid.error' => 'Unexpted identity',
);
drupal_add_http_header('Content-Type', 'text/plain');
header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));
return;
}
// Generate unique identifier for this authentication.
$nonce = _openid_nonce();
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment