Commit b9123f23 authored by Dries's avatar Dries

- Patch #218097 by c960657: OpenID must use canonical ID when authenticating XRI i-names.

parent 58ea109d
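--- a/PATH-NOT-SHOWN-openid-module
+++ b/PATH-NOT-SHOWN-openid-module
@@ -372,11 +372,18 @@ function openid_openid_discovery_method_info() {
 function _openid_xri_discovery($claimed_id) {
 if (_openid_is_xri($claimed_id)) {
 // Resolve XRI using a proxy resolver (Extensible Resource Identifier (XRI)
-// Resolution Version 2.0, section 11.2).
+// Resolution Version 2.0, section 11.2 and 14.3).
 $xrds_url = variable_get('xri_proxy_resolver', 'http://xri.net/') . rawurlencode($claimed_id) . '?_xrd_r=application/xrds+xml';
 $services = _openid_xrds_discovery($xrds_url);
-foreach ($services as &$service) {
-$service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID);
+foreach ($services as $i => &$service) {
+$status = $service['xrd']->children(OPENID_NS_XRD)->Status;
+if ($status && $status->attributes()->cid == 'verified') {
+$service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID);
+}
+else {
+// Ignore service if CanonicalID could not be verified.
+unset($services[$i]);
+}
 }
 return $services;
 }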
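Review bot: The new verification test `$status->attributes()->cid == 'verified'` compares a SimpleXMLElement with loose `==`; writing it as `(string) $status->attributes()->cid === 'verified'` states the intent and does not depend on object-to-string coercion rules. The accepted CanonicalID is only as trustworthy as the XRDS document returned by the configured proxy resolver, and the default on the `$xrds_url` line is plain `http://xri.net/`, so a comment such as `// The cid="verified" assertion is trusted as asserted by the proxy resolver; deployments should point xri_proxy_resolver at a TLS endpoint.` would document that trust boundary next to the check. The `&$service` reference also outlives the loop; `unset($service);` after the `foreach` avoids a dangling reference to the last element now that the loop body is being rewritten.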
...@@ -72,6 +72,10 @@ class OpenIDFunctionalTest extends DrupalWebTestCase { ...@@ -72,6 +72,10 @@ class OpenIDFunctionalTest extends DrupalWebTestCase {
variable_set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/'); variable_set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/');
$this->addIdentity('@example*résumé;%25', 2, 'http://example.com/user'); $this->addIdentity('@example*résumé;%25', 2, 'http://example.com/user');
// Make sure that unverified CanonicalID are not trusted.
variable_set('openid_test_canonical_id_status', 'bad value');
$this->addIdentity('@example*résumé;%25', 2, FALSE);
// HTML-based discovery: // HTML-based discovery:
// If the User-supplied Identifier is a URL of an HTML page, the page may // If the User-supplied Identifier is a URL of an HTML page, the page may
// contain a <link rel=...> element containing the URL of the OpenID // contain a <link rel=...> element containing the URL of the OpenID
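Review bot: `openid_test_canonical_id_status` is left set to 'bad value' after the negative `addIdentity` call, so any later XRI assertion in this test method would also be rejected; resetting it immediately afterwards, `variable_del('openid_test_canonical_id_status');`, keeps the remaining assertions independent of this one. The negative case exercises only a present-but-wrong `cid` attribute; the module's other rejection path, an XRDS with no Status element at all, is not covered here, though whether the fixture can omit the element is not visible in this hunk. The enclosing test method starts outside the hunk.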
...@@ -186,21 +190,28 @@ class OpenIDFunctionalTest extends DrupalWebTestCase { ...@@ -186,21 +190,28 @@ class OpenIDFunctionalTest extends DrupalWebTestCase {
* @param $version * @param $version
* The protocol version used by the service. * The protocol version used by the service.
* @param $claimed_id * @param $claimed_id
* The expected Claimed Identifier returned by the OpenID Provider. * The expected Claimed Identifier returned by the OpenID Provider, or FALSE
* if the discovery is expected to fail.
*/ */
function addIdentity($identity, $version = 2, $claimed_id = NULL) { function addIdentity($identity, $version = 2, $claimed_id = NULL) {
$this->drupalGet('user/' . $this->web_user->uid . '/openid');
$edit = array('openid_identifier' => $identity); $edit = array('openid_identifier' => $identity);
$this->drupalPost(NULL, $edit, t('Add an OpenID')); $this->drupalPost('user/' . $this->web_user->uid . '/openid', $edit, t('Add an OpenID'));
if ($claimed_id === FALSE) {
$this->assertRaw(t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'), t('Invalid identity was rejected.'));
return;
}
// OpenID 1 used a HTTP redirect, OpenID 2 uses a HTML form that is submitted automatically using JavaScript. // OpenID 1 used a HTTP redirect, OpenID 2 uses a HTML form that is submitted automatically using JavaScript.
if ($version == 2) { if ($version == 2) {
// Manually submit form because SimpleTest is not able to execute JavaScript. // Check we are on the OpenID redirect form.
$this->assertRaw('<script type="text/javascript">document.getElementById("openid-redirect-form").submit();</script>', t('JavaScript form submission found.')); $this->assertTitle(t('OpenID redirect'), t('OpenID redirect page was displayed.'));
// Submit form to the OpenID Provider Endpoint.
$this->drupalPost(NULL, array(), t('Send')); $this->drupalPost(NULL, array(), t('Send'));
} }
if (!$claimed_id) { if (!isset($claimed_id)) {
$claimed_id = $identity; $claimed_id = $identity;
} }
$this->assertRaw(t('Successfully added %identity', array('%identity' => $claimed_id)), t('Identity %identity was added.', array('%identity' => $identity))); $this->assertRaw(t('Successfully added %identity', array('%identity' => $claimed_id)), t('Identity %identity was added.', array('%identity' => $identity)));
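Review bot: The failure branch added after the `drupalPost` call asserts only the generic "Sorry, that is not a valid OpenID" message, so the test cannot distinguish a rejection caused by an unverified CanonicalID from any other discovery failure (for example, the test resolver being unreachable); this is inferred from the visible assertion alone, and a follow-up check that the identity is absent from the user's OpenID list would pin the intended behaviour. A short comment above that branch, `// Discovery is expected to fail; the identity must not be added.`, would make the FALSE contract visible at the call site as well as in the docblock. The `addIdentity` body continues past the end of the hunk.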
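--- a/PATH-NOT-SHOWN-openid-test-module
+++ b/PATH-NOT-SHOWN-openid-test-module
@@ -90,6 +90,7 @@ function openid_test_yadis_xrds() {
 print '<?xml version="1.0" encoding="UTF-8"?>
 <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
+<Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
 <ProviderID>xri://@</ProviderID>
 <CanonicalID>http://example.com/user</CanonicalID>
 <Service>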
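Review bot: The fixture now always emits a `<Status>` element, so the discovery code's handling of an XRDS that carries no Status element at all cannot be exercised from the tests. Treating an empty variable value as "omit the element" would close that gap: read `$cid = variable_get('openid_test_canonical_id_status', 'verified');` before the print and replace the added line with `' . ($cid !== '' ? '<Status cid="' . check_plain($cid) . '"/>' : '') . '`. The XML string literal continues outside the hunk.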