Commit 38220bad authored by Dries

- Patch #225535 by flobruit, c960657: OpenID login fails for delegated OpenIDs.

parent cd545702
...@@ -50,6 +50,11 @@ ...@@ -50,6 +50,11 @@
*/ */
define('OPENID_NS_1_0', 'http://openid.net/signon/1.0'); define('OPENID_NS_1_0', 'http://openid.net/signon/1.0');
/**
* OpenID namespace used in Yadis documents.
*/
define('OPENID_NS_OPENID', 'http://openid.net/xmlns/1.0');
/** /**
* OpenID Simple Registration extension. * OpenID Simple Registration extension.
*/ */
...@@ -148,12 +153,12 @@ function _openid_xrds_parse($raw_xml) { ...@@ -148,12 +153,12 @@ function _openid_xrds_parse($raw_xml) {
foreach ($service_element->Type as $type) { foreach ($service_element->Type as $type) {
$service['types'][] = (string)$type; $service['types'][] = (string)$type;
} }
if ($service_element->children(OPENID_NS_XRD)->Delegate) {
$service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->Delegate;
}
if ($service_element->children(OPENID_NS_XRD)->LocalID) { if ($service_element->children(OPENID_NS_XRD)->LocalID) {
$service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->LocalID; $service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->LocalID;
} }
elseif ($service_element->children(OPENID_NS_OPENID)->Delegate) {
$service['identity'] = (string)$service_element->children(OPENID_NS_OPENID)->Delegate;
}
else { else {
$service['identity'] = FALSE; $service['identity'] = FALSE;
} }
......
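Review bot: The new `elseif` branch accepts `openid:Delegate` for any service regardless of its `<Type>` values, whereas OpenID 2.0 section 7.3.2.1 reserves `openid:Delegate` for OpenID 1.x service types and `<LocalID>` for 2.0 services; the lenient fallback is defensible, but the precedence should be stated so it is not reordered later: `// OP-Local Identifier: <LocalID> for OpenID 2.0, <openid:Delegate> for OpenID 1.x; LocalID wins when both are present.` Note that the value is copied verbatim from the remote XRDS document into `$service['identity']`, so the relying party must still check that the `openid.identity` returned by the provider equals this value; that check, if present, lives outside this hunk. `_openid_xrds_parse` starts and ends outside the hunk.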
...@@ -67,7 +67,10 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase { ...@@ -67,7 +67,10 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// The URL scheme is stripped in order to test that the supplied identifier // The URL scheme is stripped in order to test that the supplied identifier
// is normalized in openid_begin(). // is normalized in openid_begin().
$identity = url('openid-test/yadis/xrds', array('absolute' => TRUE)); $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
$this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, $identity); $this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, 'http://example.com/xrds', $identity);
$identity = url('openid-test/yadis/xrds/delegate', array('absolute' => TRUE));
$this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, 'http://example.com/xrds-delegate', $identity);
// Identifier is the URL of an XRDS document containing an OP Identifier // Identifier is the URL of an XRDS document containing an OP Identifier
// Element. The Relying Party sends the special value // Element. The Relying Party sends the special value
...@@ -78,7 +81,7 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase { ...@@ -78,7 +81,7 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// is stripped in order to test that the returned identifier is normalized in // is stripped in order to test that the returned identifier is normalized in
// openid_complete(). // openid_complete().
variable_set('openid_test_response', array('openid.claimed_id' => preg_replace('@^https?://@', '', $identity))); variable_set('openid_test_response', array('openid.claimed_id' => preg_replace('@^https?://@', '', $identity)));
$this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, $identity); $this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, 'http://specs.openid.net/auth/2.0/identifier_select', $identity);
variable_set('openid_test_response', array()); variable_set('openid_test_response', array());
// Identifier is the URL of an HTML page that is sent with an HTTP header // Identifier is the URL of an HTML page that is sent with an HTTP header
...@@ -91,11 +94,11 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase { ...@@ -91,11 +94,11 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// Identifier is an XRI. Resolve using our own dummy proxy resolver. // Identifier is an XRI. Resolve using our own dummy proxy resolver.
variable_set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/'); variable_set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/');
$this->addIdentity('@example*résumé;%25', 2, 'http://example.com/user'); $this->addIdentity('@example*résumé;%25', 2, 'http://example.com/xrds', 'http://example.com/user');
// Make sure that unverified CanonicalID are not trusted. // Make sure that unverified CanonicalID are not trusted.
variable_set('openid_test_canonical_id_status', 'bad value'); variable_set('openid_test_canonical_id_status', 'bad value');
$this->addIdentity('@example*résumé;%25', 2, FALSE); $this->addIdentity('@example*résumé;%25', 2, FALSE, FALSE);
// HTML-based discovery: // HTML-based discovery:
// If the User-supplied Identifier is a URL of an HTML page, the page may // If the User-supplied Identifier is a URL of an HTML page, the page may
...@@ -103,10 +106,10 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase { ...@@ -103,10 +106,10 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// Provider Endpoint. OpenID 1 and 2 describe slightly different formats. // Provider Endpoint. OpenID 1 and 2 describe slightly different formats.
// OpenID Authentication 1.1, section 3.1: // OpenID Authentication 1.1, section 3.1:
$this->addIdentity(url('openid-test/html/openid1', array('absolute' => TRUE)), 1); $this->addIdentity(url('openid-test/html/openid1', array('absolute' => TRUE)), 1, 'http://example.com/html-openid1');
// OpenID Authentication 2.0, section 7.3.3: // OpenID Authentication 2.0, section 7.3.3:
$this->addIdentity(url('openid-test/html/openid2', array('absolute' => TRUE)), 2); $this->addIdentity(url('openid-test/html/openid2', array('absolute' => TRUE)), 2, 'http://example.com/html-openid2');
} }
/** /**
...@@ -197,11 +200,16 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase { ...@@ -197,11 +200,16 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
* The User-supplied Identifier. * The User-supplied Identifier.
* @param $version * @param $version
* The protocol version used by the service. * The protocol version used by the service.
* @param $local_id
* The expected OP-Local Identifier found during discovery.
* @param $claimed_id * @param $claimed_id
* The expected Claimed Identifier returned by the OpenID Provider, or FALSE * The expected Claimed Identifier returned by the OpenID Provider, or FALSE
* if the discovery is expected to fail. * if the discovery is expected to fail.
*/ */
function addIdentity($identity, $version = 2, $claimed_id = NULL) { function addIdentity($identity, $version = 2, $local_id = 'http://example.com/xrds', $claimed_id = NULL) {
// Tell openid_test.module to only accept this OP-Local Identifier.
variable_set('openid_test_identity', $local_id);
$edit = array('openid_identifier' => $identity); $edit = array('openid_identifier' => $identity);
$this->drupalPost('user/' . $this->web_user->uid . '/openid', $edit, t('Add an OpenID')); $this->drupalPost('user/' . $this->web_user->uid . '/openid', $edit, t('Add an OpenID'));
......
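Review bot: The new `$local_id` parameter is inserted before `$claimed_id` in the `addIdentity()` signature, so any caller still passing the expected Claimed Identifier as the third positional argument now silently installs it as the OP-Local Identifier the test provider enforces; the visible call sites were updated, but appending the parameter last, or at least flagging the reorder in the docblock, would avoid that trap for other subclasses. The docblock line `* The expected OP-Local Identifier found during discovery.` also understates the parameter's role: it is written with `variable_set('openid_test_identity', $local_id)` and becomes the only `openid.identity` the test endpoint will authenticate, with `FALSE` disabling that check, which the `FALSE, FALSE` call for the unverified CanonicalID case relies on. The default `'http://example.com/xrds'` is duplicated as the `<LocalID>` literal in the openid_test.module fixture, so a shared constant would keep the two in sync. The body of `addIdentity()` continues past the hunk.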
...@@ -88,7 +88,7 @@ function openid_test_yadis_xrds() { ...@@ -88,7 +88,7 @@ function openid_test_yadis_xrds() {
} }
drupal_add_http_header('Content-Type', 'application/xrds+xml'); drupal_add_http_header('Content-Type', 'application/xrds+xml');
print '<?xml version="1.0" encoding="UTF-8"?> print '<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
<XRD> <XRD>
<Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/> <Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
<ProviderID>xri://@</ProviderID> <ProviderID>xri://@</ProviderID>
...@@ -100,6 +100,7 @@ function openid_test_yadis_xrds() { ...@@ -100,6 +100,7 @@ function openid_test_yadis_xrds() {
<Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/srv/ax/1.0</Type> <Type>http://openid.net/srv/ax/1.0</Type>
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI> <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
<LocalID>http://example.com/xrds</LocalID>
</Service> </Service>
<Service priority="15"> <Service priority="15">
<Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://specs.openid.net/auth/2.0/signon</Type>
...@@ -121,6 +122,15 @@ function openid_test_yadis_xrds() { ...@@ -121,6 +122,15 @@ function openid_test_yadis_xrds() {
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI> <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
</Service>'; </Service>';
} }
elseif (arg(3) == 'delegate') {
print '
<Service priority="5">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
<openid:Delegate>http://example.com/xrds-delegate</openid:Delegate>
</Service>';
}
print ' print '
</XRD> </XRD>
</xrds:XRDS>'; </xrds:XRDS>';
...@@ -158,6 +168,7 @@ function openid_test_yadis_http_equiv() { ...@@ -158,6 +168,7 @@ function openid_test_yadis_http_equiv() {
*/ */
function openid_test_html_openid1() { function openid_test_html_openid1() {
drupal_add_html_head_link(array('rel' => 'openid.server', 'href' => url('openid-test/endpoint', array('absolute' => TRUE)))); drupal_add_html_head_link(array('rel' => 'openid.server', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
drupal_add_html_head_link(array('rel' => 'openid.delegate', 'href' => 'http://example.com/html-openid1'));
return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.'); return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
} }
...@@ -166,6 +177,7 @@ function openid_test_html_openid1() { ...@@ -166,6 +177,7 @@ function openid_test_html_openid1() {
*/ */
function openid_test_html_openid2() { function openid_test_html_openid2() {
drupal_add_html_head_link(array('rel' => 'openid2.provider', 'href' => url('openid-test/endpoint', array('absolute' => TRUE)))); drupal_add_html_head_link(array('rel' => 'openid2.provider', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
drupal_add_html_head_link(array('rel' => 'openid2.local_id', 'href' => 'http://example.com/html-openid2'));
return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.'); return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
} }
...@@ -249,6 +261,18 @@ function _openid_test_endpoint_associate() { ...@@ -249,6 +261,18 @@ function _openid_test_endpoint_associate() {
function _openid_test_endpoint_authenticate() { function _openid_test_endpoint_authenticate() {
module_load_include('inc', 'openid'); module_load_include('inc', 'openid');
$expected_identity = variable_get('openid_test_identity');
if ($expected_identity && $_REQUEST['openid_identity'] != $expected_identity) {
$response = variable_get('openid_test_response', array()) + array(
'openid.ns' => OPENID_NS_2_0,
'openid.mode' => 'error',
'openid.error' => 'Unexpted identity',
);
drupal_add_http_header('Content-Type', 'text/plain');
header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));
return;
}
// Generate unique identifier for this authentication. // Generate unique identifier for this authentication.
$nonce = _openid_nonce(); $nonce = _openid_nonce();
......
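Review bot: The new identity check in `_openid_test_endpoint_authenticate()` reads `$_REQUEST['openid_identity']` without an `isset()` guard and uses loose `!=`, so a request that omits `openid.identity` raises an undefined-index notice instead of taking the error branch, and the error string on the following lines is misspelled; `if ($expected_identity && (!isset($_REQUEST['openid_identity']) || $_REQUEST['openid_identity'] !== $expected_identity)) {` and `'openid.error' => 'Unexpected identity',`. The redirect built from `$_REQUEST['openid_return_to']` is unchecked, which is tolerable only because this is the test provider, and that deserves saying in place: `// Test-only endpoint: return_to is trusted here; a real OP must verify it against openid.realm.` The rest of `_openid_test_endpoint_authenticate()` runs past the hunk.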